synchronize with latest kame tree.

behavior change: the policy syntax has changed; you may need to update your
setkey(8) configuration files accordingly.
This commit is contained in:
Jun-ichiro itojun Hagino
2000-07-04 16:22:05 +00:00
parent c638a74daa
commit 3c62e87aa3
31 changed files with 2242 additions and 1311 deletions
+4 -4
@@ -27,7 +27,7 @@
# $FreeBSD$
LIB= ipsec
SHLIB_MAJOR= 0
SHLIB_MAJOR= 1
SHLIB_MINOR= 0
CFLAGS+=-I${.OBJDIR}
CFLAGS+=-DIPSEC_DEBUG -DIPSEC
@@ -35,11 +35,11 @@ CFLAGS+=-DIPSEC_DEBUG -DIPSEC
CFLAGS+=-DINET6
.endif
.PATH: ${.CURDIR}/../../sys/netkey
SRCS= pfkey.c pfkey_dump.c
#.PATH: ${.CURDIR}/../../sys/netkey
#SRCS= pfkey.c pfkey_dump.c
SRCS+= ipsec_strerror.c policy_parse.y policy_token.l
SRCS+= ipsec_dump_policy.c ipsec_get_policylen.c
SRCS+= key_debug.c
#SRCS+= key_debug.c
CLEANFILES+= y.tab.c y.tab.h
YFLAGS+=-d -p __libipsecyy
LFLAGS+=-P__libipsecyy
+173 -119
@@ -1,3 +1,6 @@
/* $FreeBSD$ */
/* $KAME: ipsec_dump_policy.c,v 1.11 2000/05/07 05:29:47 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#include <sys/types.h>
@@ -39,6 +40,7 @@
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
@@ -53,7 +55,11 @@ static const char *ipsp_policy_strs[] = {
"discard", "none", "ipsec", "entrust", "bypass",
};
static int set_addresses __P((char *buf, caddr_t ptr));
static char *ipsec_dump_ipsecrequest __P((char *, size_t,
struct sadb_x_ipsecrequest *, size_t));
static int set_addresses __P((char *, size_t, struct sockaddr *,
struct sockaddr *));
static char *set_address __P((char *, size_t, struct sockaddr *));
/*
* policy is sadb_x_policy buffer.
@@ -67,15 +73,16 @@ ipsec_dump_policy(policy, delimiter)
{
struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
struct sadb_x_ipsecrequest *xisr;
int xtlen, buflen;
size_t off, buflen;
char *buf;
int error;
char isrbuf[1024];
char *newbuf;
/* sanity check */
if (policy == NULL)
return NULL;
if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
return NULL;
}
@@ -89,7 +96,7 @@ ipsec_dump_policy(policy, delimiter)
case IPSEC_DIR_OUTBOUND:
break;
default:
ipsec_errcode = EIPSEC_INVAL_DIR;
__ipsec_errcode = EIPSEC_INVAL_DIR;
return NULL;
}
@@ -101,7 +108,7 @@ ipsec_dump_policy(policy, delimiter)
case IPSEC_POLICY_ENTRUST:
break;
default:
ipsec_errcode = EIPSEC_INVAL_POLICY;
__ipsec_errcode = EIPSEC_INVAL_POLICY;
return NULL;
}
@@ -111,143 +118,190 @@ ipsec_dump_policy(policy, delimiter)
+ 1; /* NUL */
if ((buf = malloc(buflen)) == NULL) {
ipsec_errcode = EIPSEC_NO_BUFS;
__ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
strcpy(buf, ipsp_dir_strs[xpl->sadb_x_policy_dir]);
strcat(buf, " ");
strcat(buf, ipsp_policy_strs[xpl->sadb_x_policy_type]);
snprintf(buf, buflen, "%s %s", ipsp_dir_strs[xpl->sadb_x_policy_dir],
ipsp_policy_strs[xpl->sadb_x_policy_type]);
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
ipsec_errcode = EIPSEC_NO_ERROR;
__ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
/* count length of buffer for use */
/* XXX non-seriously */
while (xtlen > 0) {
buflen += 20;
if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL)
buflen += 50;
xtlen -= xisr->sadb_x_ipsecrequest_len;
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr->sadb_x_ipsecrequest_len);
off = sizeof(*xpl);
while (off < PFKEY_EXTLEN(xpl)) {
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
off += xisr->sadb_x_ipsecrequest_len;
}
/* validity check */
if (xtlen < 0) {
ipsec_errcode = EIPSEC_INVAL_SADBMSG;
if (off != PFKEY_EXTLEN(xpl)) {
__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
free(buf);
return NULL;
}
if ((buf = realloc(buf, buflen)) == NULL) {
ipsec_errcode = EIPSEC_NO_BUFS;
off = sizeof(*xpl);
while (off < PFKEY_EXTLEN(xpl)) {
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr,
PFKEY_EXTLEN(xpl) - off) == NULL) {
free(buf);
return NULL;
}
buflen = strlen(buf) + strlen(delimiter) + strlen(isrbuf) + 1;
newbuf = (char *)realloc(buf, buflen);
if (newbuf == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
free(buf);
return NULL;
}
buf = newbuf;
snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf);
off += xisr->sadb_x_ipsecrequest_len;
}
__ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
static char *
ipsec_dump_ipsecrequest(buf, len, xisr, bound)
char *buf;
size_t len;
struct sadb_x_ipsecrequest *xisr;
size_t bound; /* boundary */
{
const char *proto, *mode, *level;
char abuf[NI_MAXHOST * 2 + 2];
if (xisr->sadb_x_ipsecrequest_len > bound) {
__ipsec_errcode = EIPSEC_INVAL_PROTO;
return NULL;
}
xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
while (xtlen > 0) {
strcat(buf, delimiter);
switch (xisr->sadb_x_ipsecrequest_proto) {
case IPPROTO_ESP:
strcat(buf, "esp");
break;
case IPPROTO_AH:
strcat(buf, "ah");
break;
case IPPROTO_IPCOMP:
strcat(buf, "ipcomp");
break;
default:
ipsec_errcode = EIPSEC_INVAL_PROTO;
free(buf);
return NULL;
}
strcat(buf, "/");
switch (xisr->sadb_x_ipsecrequest_mode) {
case IPSEC_MODE_ANY:
strcat(buf, "any");
break;
case IPSEC_MODE_TRANSPORT:
strcat(buf, "transport");
break;
case IPSEC_MODE_TUNNEL:
strcat(buf, "tunnel");
break;
default:
ipsec_errcode = EIPSEC_INVAL_MODE;
free(buf);
return NULL;
}
strcat(buf, "/");
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
error = set_addresses(buf, (caddr_t)(xisr + 1));
if (error) {
ipsec_errcode = EIPSEC_INVAL_MODE;
free(buf);
return NULL;
}
}
switch (xisr->sadb_x_ipsecrequest_level) {
case IPSEC_LEVEL_DEFAULT:
strcat(buf, "/default");
break;
case IPSEC_LEVEL_USE:
strcat(buf, "/use");
break;
case IPSEC_LEVEL_REQUIRE:
strcat(buf, "/require");
break;
case IPSEC_LEVEL_UNIQUE:
strcat(buf, "/unique");
break;
default:
ipsec_errcode = EIPSEC_INVAL_LEVEL;
free(buf);
return NULL;
}
xtlen -= xisr->sadb_x_ipsecrequest_len;
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr->sadb_x_ipsecrequest_len);
switch (xisr->sadb_x_ipsecrequest_proto) {
case IPPROTO_ESP:
proto = "esp";
break;
case IPPROTO_AH:
proto = "ah";
break;
case IPPROTO_IPCOMP:
proto = "ipcomp";
break;
default:
__ipsec_errcode = EIPSEC_INVAL_PROTO;
return NULL;
}
switch (xisr->sadb_x_ipsecrequest_mode) {
case IPSEC_MODE_ANY:
mode = "any";
break;
case IPSEC_MODE_TRANSPORT:
mode = "transport";
break;
case IPSEC_MODE_TUNNEL:
mode = "tunnel";
break;
default:
__ipsec_errcode = EIPSEC_INVAL_MODE;
return NULL;
}
abuf[0] = '\0';
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
struct sockaddr *sa1, *sa2;
caddr_t p;
p = (caddr_t)(xisr + 1);
sa1 = (struct sockaddr *)p;
sa2 = (struct sockaddr *)(p + sa1->sa_len);
if (sizeof(*xisr) + sa1->sa_len + sa2->sa_len !=
xisr->sadb_x_ipsecrequest_len) {
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return NULL;
}
if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) {
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return NULL;
}
}
switch (xisr->sadb_x_ipsecrequest_level) {
case IPSEC_LEVEL_DEFAULT:
level = "default";
break;
case IPSEC_LEVEL_USE:
level = "use";
break;
case IPSEC_LEVEL_REQUIRE:
level = "require";
break;
case IPSEC_LEVEL_UNIQUE:
level = "unique";
break;
default:
__ipsec_errcode = EIPSEC_INVAL_LEVEL;
return NULL;
}
if (xisr->sadb_x_ipsecrequest_reqid == 0)
snprintf(buf, len, "%s/%s/%s/%s", proto, mode, abuf, level);
else {
int ch;
if (xisr->sadb_x_ipsecrequest_reqid > IPSEC_MANUAL_REQID_MAX)
ch = '#';
else
ch = ':';
snprintf(buf, len, "%s/%s/%s/%s%c%d", proto, mode, abuf, level,
ch, xisr->sadb_x_ipsecrequest_reqid);
}
ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
static int
set_addresses(buf, ptr)
set_addresses(buf, len, sa1, sa2)
char *buf;
caddr_t ptr;
size_t len;
struct sockaddr *sa1;
struct sockaddr *sa2;
{
char tmp[100]; /* XXX */
struct sockaddr *saddr = (struct sockaddr *)ptr;
getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
NULL, 0, NI_NUMERICHOST);
strcat(buf, tmp);
strcat(buf, "-");
saddr = (struct sockaddr *)((caddr_t)saddr + saddr->sa_len);
getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
NULL, 0, NI_NUMERICHOST);
strcat(buf, tmp);
char tmp1[NI_MAXHOST], tmp2[NI_MAXHOST];
if (set_address(tmp1, sizeof(tmp1), sa1) == NULL ||
set_address(tmp2, sizeof(tmp2), sa2) == NULL)
return -1;
if (strlen(tmp1) + 1 + strlen(tmp2) + 1 > len)
return -1;
snprintf(buf, len, "%s-%s", tmp1, tmp2);
return 0;
}
static char *
set_address(buf, len, sa)
char *buf;
size_t len;
struct sockaddr *sa;
{
#ifdef NI_WITHSCOPEID
const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID;
#else
const int niflags = NI_NUMERICHOST;
#endif
if (len < 1)
return NULL;
buf[0] = '\0';
if (getnameinfo(sa, sa->sa_len, buf, len, NULL, 0, niflags) != 0)
return NULL;
return buf;
}
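Review bot: The first ipsecrequest walk in ipsec_dump_policy dereferences `xisr->sadb_x_ipsecrequest_len` without checking that a whole header still fits in the extension, and a zero length never advances `off`, so a malformed sadb_x_policy buffer spins forever instead of reaching the `off != PFKEY_EXTLEN(xpl)` check. Breaking out of that loop on a short or zero length (below) lets the existing validity check reject the message, and the second walk then only sees lengths already proven sane. Separately, `snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf)` uses `buf` as both destination and source argument, which C99 leaves undefined; computing `used = strlen(buf)` before the realloc and appending with `snprintf(buf + used, buflen - used, "%s%s", delimiter, isrbuf);` avoids the overlap. In ipsec_dump_ipsecrequest, `sa2->sa_len` is read before `sa1->sa_len` has been checked against the request length, so a bogus first sa_len can place `sa2` past the request; checking `sizeof(*xisr) + sa1->sa_len < xisr->sadb_x_ipsecrequest_len` before forming `sa2` closes that.
```c
	/* walk the ipsecrequest chain once to validate it */
	off = sizeof(*xpl);
	while (off < PFKEY_EXTLEN(xpl)) {
		/* a whole header must fit before its length field can be trusted */
		if (PFKEY_EXTLEN(xpl) - off < sizeof(*xisr))
			break;
		xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
		/* a zero or short length would never advance off */
		if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr))
			break;
		off += xisr->sadb_x_ipsecrequest_len;
	}
	/* validity check: the loop above stops early on bad input */
	if (off != PFKEY_EXTLEN(xpl)) {
	/* ... unchanged: error return, second walk, ipsec_dump_ipsecrequest ... */
```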
+5 -2
@@ -1,3 +1,6 @@
/* $FreeBSD$ */
/* $KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,13 +28,13 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#include <sys/types.h>
#include <sys/param.h>
#include <netinet6/ipsec.h>
#include <net/pfkeyv2.h>
#include "ipsec_strerror.h"
+22 -13
@@ -1,4 +1,7 @@
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" $FreeBSD$
.\" $KAME: ipsec_set_policy.3,v 1.10 2000/05/07 05:25:03 itojun Exp $
.\"
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -25,9 +28,6 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: ipsec_set_policy.3,v 1.5 1999/10/20 00:21:06 sakane Exp $
.\" $FreeBSD$
.\"
.Dd May 5, 1998
.Dt IPSEC_SET_POLICY 3
.Os
@@ -36,10 +36,10 @@
.Nm ipsec_get_policylen ,
.Nm ipsec_dump_policy
.Nd manipulate IPsec policy specification structure from readable string
.\"
.Sh LIBRARY
.Lb libipsec
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <netinet6/ipsec.h>
.Ft "char *"
.Fn ipsec_set_policy "char *policy" "int len"
@@ -167,9 +167,9 @@ is the other node
.Pp
.Ar level
must be set to one of the following:
.Li default , use
.Li default , use , require
or
.Li require .
.Li unique .
.Li default
means that the kernel should consult the system default policy
defined by
@@ -189,6 +189,19 @@ or encrypted
.Li require
means that a relevant SA is required,
since the kernel must perform IPsec operation against packets.
.Li unique
is the same as
.Li require ,
but adds the restriction that the SA for outbound traffic is used
only for this policy.
You may need the identifier in order to relate the policy and the SA
when you define the SA by manual keying.
You can put the decimal number as the identifier after
.Li unique
like
.Li unique : number .
.Li number
must be between 1 and 32767 .
If the
.Ar request
string is kept unambiguous,
@@ -219,8 +232,8 @@ Here are several examples
in discard
out ipsec esp/transport/10.1.1.1-10.1.1.2/require
in ipsec ah/transport/10.1.1.2-10.1.1.1/require
in ipsec esp/transport/10.1.1.2-10.1.1.1/use
ah/tunnel/10.1.1.2-10.1.1.1/require
out ipsec esp/transport/10.1.1.2-10.1.1.1/use
ah/tunnel/10.1.1.2-10.1.1.1/unique:1000
in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
esp/transport/10.1.1.2-10.1.1.1/use
.Ed
@@ -238,11 +251,7 @@ and
on errors.
.Sh SEE ALSO
.Xr ipsec_strerror 3 ,
.Xr ipsec 4 ,
.Xr ispec 4 ,
.Xr setkey 8
.Sh HISTORY
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
.Pp
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
was initially integrated into
.Fx 4.0
+26 -12
@@ -1,4 +1,7 @@
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" $FreeBSD$
.\" $KAME: ipsec_strerror.3,v 1.6 2000/05/07 05:25:03 itojun Exp $
.\"
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -25,22 +28,19 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: ipsec_strerror.3,v 1.2 1999/09/21 03:49:19 itojun Exp $
.\" $FreeBSD$
.\"
.Dd May 6, 1998
.Dt IPSEC_STRERROR 3
.Os
.\"
.Sh NAME
.Nm ipsec_strerror
.Nd error code for IPsec policy manipulation library
.Sh LIBRARY
.Lb libipsec
.\"
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <netinet6/ipsec.h>
.Ft "char *"
.Fn ipsec_strerror void
.Fn ipsec_strerror
.\"
.Sh DESCRIPTION
.Pa netinet6/ipsec.h
declares
@@ -51,16 +51,30 @@ which is used to pass error code from IPsec policy manipulation library
to user program.
.Fn ipsec_strerror
can be used to obtain error message string for the error code.
.Pp
The array pointed to is not to be modified by the program.
Since
.Fn ipsec_strerror
uses
.Xr strerror 3
as underlying function, calling
.Xr strerror 3
after
.Fn ipsec_strerror
would make the return value from
.Fn ipsec_strerror
invalid, or overwritten.
.\"
.Sh RETURN VALUES
.Fn ipsec_strerror
always return a pointer to C string.
The C string must not be overwritten by user programs.
.\"
.\" .Sh SEE ALSO
.Sh SEE ALSO
.Xr ipsec_set_policy 3
.\"
.Sh HISTORY
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
.Pp
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
was initially integrated into
.Fx 4.0
.\"
.\" .Sh BUGS
.\" (to be written)
+9 -8
@@ -1,3 +1,6 @@
/* $FreeBSD$ */
/* $KAME: ipsec_strerror.c,v 1.6 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#include <sys/types.h>
@@ -37,7 +38,7 @@
#include "ipsec_strerror.h"
int ipsec_errcode;
int __ipsec_errcode;
static char *ipsec_errlist[] = {
"Success", /*EIPSEC_NO_ERROR*/
@@ -72,15 +73,15 @@ NULL, /*EIPSEC_SYSTEM_ERROR*/
char *ipsec_strerror(void)
{
if (ipsec_errcode < 0 || ipsec_errcode > EIPSEC_MAX)
ipsec_errcode = EIPSEC_MAX;
if (__ipsec_errcode < 0 || __ipsec_errcode > EIPSEC_MAX)
__ipsec_errcode = EIPSEC_MAX;
return ipsec_errlist[ipsec_errcode];
return ipsec_errlist[__ipsec_errcode];
}
void ipsec_set_strerror(char *str)
void __ipsec_set_strerror(char *str)
{
ipsec_errcode = EIPSEC_SYSTEM_ERROR;
__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
ipsec_errlist[EIPSEC_SYSTEM_ERROR] = str;
return;
+33 -32
@@ -1,3 +1,6 @@
/* $FreeBSD$ */
/* $KAME: ipsec_strerror.h,v 1.7 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,38 +28,36 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
extern int ipsec_errcode;
extern void ipsec_set_strerror(char *str);
extern int __ipsec_errcode;
extern void __ipsec_set_strerror __P((char *));
#define EIPSEC_NO_ERROR 0 /*success*/
#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
#define EIPSEC_INVAL_ARGUMENT 2 /*invalid argument*/
#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
#define EIPSEC_INVAL_VERSION 4 /*invalid version*/
#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/
#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/
#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/
#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/
#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/
#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/
#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/
#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/
#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/
#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/
#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/
#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/
#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/
#define EIPSEC_NO_PROTO 19 /*no protocol specified*/
#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/
#define EIPSEC_NO_BUFS 21 /*no buffers available*/
#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/
#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/
#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/
#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/
#define EIPSEC_SYSTEM_ERROR 26 /*system error*/
#define EIPSEC_MAX 27 /*unknown error*/
#define EIPSEC_NO_ERROR 0 /*success*/
#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
#define EIPSEC_INVAL_ARGUMENT 2 /*invalid argument*/
#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
#define EIPSEC_INVAL_VERSION 4 /*invalid version*/
#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/
#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/
#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/
#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/
#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/
#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/
#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/
#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/
#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/
#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/
#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/
#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/
#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/
#define EIPSEC_NO_PROTO 19 /*no protocol specified*/
#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/
#define EIPSEC_NO_BUFS 21 /*no buffers available*/
#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/
#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/
#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/
#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/
#define EIPSEC_SYSTEM_ERROR 26 /*system error*/
#define EIPSEC_MAX 27 /*unknown error*/
+77
@@ -0,0 +1,77 @@
/* $FreeBSD$ */
/* $KAME: libpfkey.h,v 1.1 2000/06/08 21:28:32 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
extern void pfkey_sadump __P((struct sadb_msg *));
extern void pfkey_spdump __P((struct sadb_msg *));
struct sockaddr;
int ipsec_check_keylen __P((u_int, u_int, u_int));
u_int pfkey_set_softrate __P((u_int, u_int));
u_int pfkey_get_softrate __P((u_int));
int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_delete __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_get __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_register __P((int, u_int));
int pfkey_recv_register __P((int));
int pfkey_send_flush __P((int, u_int));
int pfkey_send_dump __P((int, u_int));
int pfkey_send_promisc_toggle __P((int, int));
int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spddelete2 __P((int, u_int32_t));
int pfkey_send_spdget __P((int, u_int32_t));
int pfkey_send_spdsetidx __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spdflush __P((int));
int pfkey_send_spddump __P((int));
int pfkey_open __P((void));
void pfkey_close __P((int));
struct sadb_msg *pfkey_recv __P((int));
int pfkey_send __P((int, struct sadb_msg *, int));
int pfkey_align __P((struct sadb_msg *, caddr_t *));
int pfkey_check __P((caddr_t *));
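Review bot: The new header is not self-contained: `struct sadb_msg` is first used in the pfkey_sadump prototype before any declaration of that tag, while `struct sockaddr;` is forward-declared a few lines later; a struct tag that first appears inside a parameter list has prototype scope, so a translation unit that has not already included <net/pfkeyv2.h> gets a warning and a parameter type incompatible with the real one. Adding `struct sadb_msg;` beside `struct sockaddr;` and moving both above the first prototype fixes that regardless of include order. The file also has no include guard; an `#ifndef _LIBPFKEY_H_` / `#define _LIBPFKEY_H_` … `#endif` wrapper is cheap and lets pfkey_dump.c and setkey include it freely. Presumably current includers pull in <net/pfkeyv2.h> and <sys/cdefs.h> (for `__P`) first, so this is hardening rather than a visible break.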
+406 -232
+124 -61
@@ -1,3 +1,6 @@
/* $FreeBSD$ */
/* $KAME: pfkey_dump.c,v 1.19 2000/06/10 06:47:11 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#include <sys/types.h>
@@ -39,9 +40,6 @@
#include <netinet/in.h>
#include <netinet6/ipsec.h>
#ifdef INET6
#include <netinet6/in6.h>
#endif
#include <arpa/inet.h>
#include <stdlib.h>
@@ -49,11 +47,13 @@
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <netdb.h>
#include "ipsec_strerror.h"
#include "libpfkey.h"
#define GETMSGSTR(str, num) \
{ \
#define GETMSGSTR(str, num) \
do { \
if (sizeof((str)[0]) == 0 \
|| num >= sizeof(str)/sizeof((str)[0])) \
printf("%d ", (num)); \
@@ -61,15 +61,12 @@
printf("%d ", (num)); \
else \
printf("%s ", (str)[(num)]); \
}
} while (0)
#define GETAF(p) \
(((struct sockaddr *)(p))->sa_family)
static char *_str_ipaddr __P((u_int family, caddr_t addr));
static char *_str_prefport __P((u_int family, u_int pref, u_int port));
static char *_str_time __P((time_t t));
static void _str_lifetime_byte __P((struct sadb_lifetime *x, char *str));
static char *str_ipaddr __P((struct sockaddr *));
static char *str_prefport __P((u_int, u_int, u_int));
static char *str_time __P((time_t));
static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
/*
* Must to be re-written about following strings.
@@ -151,6 +148,7 @@ pfkey_sadump(m)
{
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_sa *m_sa;
struct sadb_x_sa2 *m_sa2;
struct sadb_lifetime *m_lftc, *m_lfth, *m_lfts;
struct sadb_address *m_saddr, *m_daddr, *m_paddr;
struct sadb_key *m_auth, *m_enc;
@@ -168,6 +166,7 @@ pfkey_sadump(m)
}
m_sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
m_sa2 = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2];
m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
m_lfts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
@@ -177,7 +176,7 @@ pfkey_sadump(m)
m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
/* source address */
@@ -185,34 +184,36 @@ pfkey_sadump(m)
printf("no ADDRESS_SRC extension.\n");
return;
}
printf("%s ",
_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)));
printf("%s ", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
/* destination address */
if (m_daddr == NULL) {
printf("no ADDRESS_DST extension.\n");
return;
}
printf("%s ",
_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)));
printf("%s ", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
/* SA type */
if (m_sa == NULL) {
printf("no SA extension.\n");
return;
}
if (m_sa2 == NULL) {
printf("no SA2 extension.\n");
return;
}
printf("\n\t");
GETMSGSTR(_str_satype, m->sadb_msg_satype);
printf("mode=");
GETMSGSTR(_str_mode, m->sadb_msg_mode);
GETMSGSTR(_str_mode, m_sa2->sadb_x_sa2_mode);
printf("spi=%u(0x%08x) replay=%u flags=0x%08x\n",
printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n",
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
m_sa->sadb_sa_replay,
m_sa->sadb_sa_flags);
(u_int32_t)m_sa2->sadb_x_sa2_reqid,
(u_int32_t)m_sa2->sadb_x_sa2_reqid);
/* encryption key */
if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
@@ -237,8 +238,13 @@ pfkey_sadump(m)
printf("\n");
}
/* replay windoe size & flags */
printf("\treplay=%u flags=0x%08x ",
m_sa->sadb_sa_replay,
m_sa->sadb_sa_flags);
/* state */
printf("\tstate=");
printf("state=");
GETMSGSTR(_str_state, m_sa->sadb_sa_state);
printf("seq=%lu pid=%lu\n",
@@ -250,8 +256,8 @@ pfkey_sadump(m)
time_t tmp_time = time(0);
printf("\tcreated: %s",
_str_time(m_lftc->sadb_lifetime_addtime));
printf("\tcurrent: %s\n", _str_time(tmp_time));
str_time(m_lftc->sadb_lifetime_addtime));
printf("\tcurrent: %s\n", str_time(tmp_time));
printf("\tdiff: %lu(s)",
(u_long)(m_lftc->sadb_lifetime_addtime == 0 ?
0 : (tmp_time - m_lftc->sadb_lifetime_addtime)));
@@ -264,7 +270,7 @@ pfkey_sadump(m)
0 : m_lfts->sadb_lifetime_addtime));
printf("\tlast: %s",
_str_time(m_lftc->sadb_lifetime_usetime));
str_time(m_lftc->sadb_lifetime_usetime));
printf("\thard: %lu(s)",
(u_long)(m_lfth == NULL ?
0 : m_lfth->sadb_lifetime_usetime));
@@ -272,9 +278,9 @@ pfkey_sadump(m)
(u_long)(m_lfts == NULL ?
0 : m_lfts->sadb_lifetime_usetime));
_str_lifetime_byte(m_lftc, "current");
_str_lifetime_byte(m_lfth, "hard");
_str_lifetime_byte(m_lfts, "soft");
str_lifetime_byte(m_lftc, "current");
str_lifetime_byte(m_lfth, "hard");
str_lifetime_byte(m_lfts, "soft");
printf("\n");
printf("\tallocated: %lu",
@@ -288,7 +294,7 @@ pfkey_sadump(m)
}
/* XXX DEBUG */
printf("\trefcnt=%d\n", m->sadb_msg_reserved);
printf("\trefcnt=%u\n", m->sadb_msg_reserved);
return;
}
@@ -297,9 +303,12 @@ void
pfkey_spdump(m)
struct sadb_msg *m;
{
char pbuf[NI_MAXSERV];
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_address *m_saddr, *m_daddr;
struct sadb_x_policy *m_xpl;
struct sockaddr *sa;
u_int16_t port;
/* check pfkey message. */
if (pfkey_align(m, mhp)) {
@@ -320,25 +329,49 @@ pfkey_spdump(m)
printf("no ADDRESS_SRC extension.\n");
return;
}
printf("%s%s ",
_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)),
_str_prefport(GETAF(m_saddr + 1),
m_saddr->sadb_address_prefixlen,
_INPORTBYSA(m_saddr + 1)));
sa = (struct sockaddr *)(m_saddr + 1);
switch (sa->sa_family) {
case AF_INET:
case AF_INET6:
if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
NI_NUMERICSERV) != 0)
port = 0; /*XXX*/
else
port = atoi(pbuf);
printf("%s%s ", str_ipaddr(sa),
str_prefport(sa->sa_family,
m_saddr->sadb_address_prefixlen, port));
break;
default:
printf("unknown-af ");
break;
}
/* destination address */
if (m_daddr == NULL) {
printf("no ADDRESS_DST extension.\n");
return;
}
printf("%s%s ",
_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)),
_str_prefport(GETAF(m_daddr + 1),
m_daddr->sadb_address_prefixlen,
_INPORTBYSA(m_daddr + 1)));
sa = (struct sockaddr *)(m_daddr + 1);
switch (sa->sa_family) {
case AF_INET:
case AF_INET6:
if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
NI_NUMERICSERV) != 0)
port = 0; /*XXX*/
else
port = atoi(pbuf);
printf("%s%s ", str_ipaddr(sa),
str_prefport(sa->sa_family,
m_daddr->sadb_address_prefixlen, port));
break;
default:
printf("unknown-af ");
break;
}
/* upper layer protocol */
if (m_saddr->sadb_address_proto != m_saddr->sadb_address_proto) {
if (m_saddr->sadb_address_proto != m_daddr->sadb_address_proto) {
printf("upper layer protocol mismatched.\n");
return;
}
@@ -362,12 +395,13 @@ pfkey_spdump(m)
free(d_xpl);
}
printf("\tseq=%ld pid=%ld\n",
printf("\tspid=%ld seq=%ld pid=%ld\n",
(u_long)m_xpl->sadb_x_policy_id,
(u_long)m->sadb_msg_seq,
(u_long)m->sadb_msg_pid);
/* XXX TEST */
printf("\trefcnt=%d\n", m->sadb_msg_reserved);
printf("\trefcnt=%u\n", m->sadb_msg_reserved);
return;
}
@@ -376,35 +410,48 @@ pfkey_spdump(m)
* set "ipaddress" to buffer.
*/
static char *
_str_ipaddr(family, addr)
u_int family;
caddr_t addr;
str_ipaddr(sa)
struct sockaddr *sa;
{
static char buf[128];
char addrbuf[128];
static char buf[NI_MAXHOST];
#ifdef NI_WITHSCOPEID
const int niflag = NI_NUMERICHOST | NI_WITHSCOPEID;
#else
const int niflag = NI_NUMERICHOST;
#endif
if (addr == NULL)
if (sa == NULL)
return "";
inet_ntop(family, addr, addrbuf, sizeof(addrbuf));
snprintf(buf, sizeof(buf), "%s", addrbuf);
return buf;
if (getnameinfo(sa, sa->sa_len, buf, sizeof(buf), NULL, 0, niflag) == 0)
return buf;
return NULL;
}
/*
* set "/prefix[port number]" to buffer.
*/
static char *
_str_prefport(family, pref, port)
str_prefport(family, pref, port)
u_int family, pref, port;
{
static char buf[128];
char prefbuf[10];
char portbuf[10];
int plen;
if (pref == (_INALENBYAF(family) << 3))
switch (family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
default:
return "?";
}
if (pref == plen)
prefbuf[0] = '\0';
else
snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
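Review bot: str_ipaddr now returns NULL when getnameinfo() fails, but every caller in this file hands the result straight to `printf("%s ", ...)` (the ADDRESS_SRC/DST lines in pfkey_sadump and pfkey_spdump), and a NULL `%s` argument is undefined behaviour even where libc happens to print "(null)". Returning a placeholder keeps the callers untouched and matches what str_prefport does in the same hunk for an unknown family: `return "?";` in place of `return NULL;`. The NULL-sa path already returns `""`, so the function would then never yield NULL. str_prefport continues past the end of this hunk.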
@@ -412,7 +459,7 @@ _str_prefport(family, pref, port)
if (port == IPSEC_PORT_ANY)
snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
else
snprintf(portbuf, sizeof(portbuf), "[%u]", ntohs(port));
snprintf(portbuf, sizeof(portbuf), "[%u]", port);
snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
@@ -423,7 +470,7 @@ _str_prefport(family, pref, port)
* set "Mon Day Time Year" to buffer
*/
static char *
_str_time(t)
str_time(t)
time_t t;
{
static char buf[128];
@@ -443,7 +490,7 @@ _str_time(t)
}
static void
_str_lifetime_byte(x, str)
str_lifetime_byte(x, str)
struct sadb_lifetime *x;
char *str;
{
@@ -456,8 +503,24 @@ _str_lifetime_byte(x, str)
return;
}
#if 0
if ((x->sadb_lifetime_bytes) / 1024 / 1024) {
y = (x->sadb_lifetime_bytes) * 1.0 / 1024 / 1024;
unit = "M";
w = 1;
} else if ((x->sadb_lifetime_bytes) / 1024) {
y = (x->sadb_lifetime_bytes) * 1.0 / 1024;
unit = "K";
w = 1;
} else {
y = (x->sadb_lifetime_bytes) * 1.0;
unit = "";
w = 0;
}
#else
y = (x->sadb_lifetime_bytes) * 1.0;
unit = "";
w = 0;
#endif
printf("\t%s: %.*f(%sbytes)", str, w, y, unit);
}
+59 -53
@@ -1,3 +1,6 @@
/* $FreeBSD$ */
/* $KAME: policy_parse.y,v 1.10 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
/* KAME $Id: policy_parse.y,v 1.1 1999/10/20 01:26:41 sakane Exp $ */
/*
* IN/OUT bound policy configuration take place such below:
@@ -59,24 +59,24 @@
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include "ipsec_strerror.h"
#define ATOX(c) \
#define ATOX(c) \
(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
static caddr_t pbuf = NULL; /* sadb_x_policy buffer */
static int tlen = 0; /* total length of pbuf */
static int offset = 0; /* offset of pbuf */
static int p_dir, p_type, p_protocol, p_mode, p_level;
static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
static struct sockaddr *p_src = NULL;
static struct sockaddr *p_dst = NULL;
struct _val;
extern void yyerror __P((char *msg));
static struct sockaddr *parse_sockaddr __P((/*struct _val *buf*/));
static struct sockaddr *parse_sockaddr __P((struct _val *buf));
static int rule_check __P((void));
static int init_x_policy __P((void));
static int set_x_request __P((struct sockaddr *src, struct sockaddr *dst));
@@ -85,8 +85,8 @@ static void policy_parse_request_init __P((void));
static caddr_t policy_parse __P((char *msg, int msglen));
extern void __policy__strbuffer__init__ __P((char *msg));
extern int yyparse();
extern int yylex();
extern int yyparse __P((void));
extern int yylex __P((void));
%}
@@ -98,12 +98,12 @@ extern int yylex();
} val;
}
%token DIR ACTION PROTOCOL MODE LEVEL
%token DIR ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY
%token IPADDRESS
%token ME ANY
%token SLASH HYPHEN
%type <num> DIR ACTION PROTOCOL MODE LEVEL
%type <val> IPADDRESS
%type <val> IPADDRESS LEVEL_SPECIFY
%%
policy_spec
@@ -116,6 +116,14 @@ policy_spec
return -1;
}
rules
| DIR
{
p_dir = $1;
p_type = 0; /* ignored it by kernel */
if (init_x_policy())
return -1;
}
;
rules
@@ -139,11 +147,11 @@ rule
| protocol SLASH mode SLASH SLASH level
| protocol SLASH mode
| protocol SLASH {
ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
return -1;
}
| protocol {
ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
return -1;
}
;
@@ -157,7 +165,14 @@ mode
;
level
: LEVEL { p_level = $1; }
: LEVEL {
p_level = $1;
p_reqid = 0;
}
| LEVEL_SPECIFY {
p_level = IPSEC_LEVEL_UNIQUE;
p_reqid = atol($1.buf); /* atol() is good. */
}
;
addresses
@@ -174,13 +189,13 @@ addresses
}
| ME HYPHEN ANY {
if (p_dir != IPSEC_DIR_OUTBOUND) {
ipsec_errcode = EIPSEC_INVAL_DIR;
__ipsec_errcode = EIPSEC_INVAL_DIR;
return -1;
}
}
| ANY HYPHEN ME {
if (p_dir != IPSEC_DIR_INBOUND) {
ipsec_errcode = EIPSEC_INVAL_DIR;
__ipsec_errcode = EIPSEC_INVAL_DIR;
return -1;
}
}
@@ -195,7 +210,10 @@ void
yyerror(msg)
char *msg;
{
fprintf(stderr, "%s\n", msg);
extern char *__libipsecyytext; /*XXX*/
fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
msg, __libipsecyytext);
return;
}
@@ -213,43 +231,29 @@ parse_sockaddr(buf)
hints.ai_family = PF_UNSPEC;
hints.ai_flags = AI_NUMERICHOST;
error = getaddrinfo(buf->buf, serv, &hints, &res);
if (error != 0 || res->ai_addr == NULL) {
ipsec_set_strerror(error == EAI_SYSTEM ?
gai_strerror(error) : strerror(errno));
if (error != 0) {
yyerror("invalid IP address");
__ipsec_set_strerror(gai_strerror(error));
return NULL;
}
if (res->ai_addr == NULL) {
ipsec_set_strerror(gai_strerror(error));
yyerror("invalid IP address");
__ipsec_set_strerror(gai_strerror(error));
return NULL;
}
newaddr = malloc(res->ai_addr->sa_len);
if (newaddr == NULL) {
ipsec_errcode = EIPSEC_NO_BUFS;
__ipsec_errcode = EIPSEC_NO_BUFS;
freeaddrinfo(res);
return NULL;
}
memcpy(newaddr, res->ai_addr, res->ai_addr->sa_len);
/*
* XXX: If the scope of the destination is link-local,
* embed the scope-id(in this case, interface index)
* into the address.
*/
if (newaddr->sa_family == AF_INET6) {
struct sockaddr_in6 *sin6;
sin6 = (struct sockaddr_in6 *)newaddr;
if(IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) &&
sin6->sin6_scope_id != 0)
*(u_short *)&sin6->sin6_addr.s6_addr[2] =
htons(sin6->sin6_scope_id & 0xffff);
}
freeaddrinfo(res);
ipsec_errcode = EIPSEC_NO_ERROR;
__ipsec_errcode = EIPSEC_NO_ERROR;
return newaddr;
}
@@ -258,29 +262,29 @@ rule_check()
{
if (p_type == IPSEC_POLICY_IPSEC) {
if (p_protocol == IPPROTO_IP) {
ipsec_errcode = EIPSEC_NO_PROTO;
__ipsec_errcode = EIPSEC_NO_PROTO;
return -1;
}
if (p_mode != IPSEC_MODE_TRANSPORT
&& p_mode != IPSEC_MODE_TUNNEL) {
ipsec_errcode = EIPSEC_INVAL_MODE;
__ipsec_errcode = EIPSEC_INVAL_MODE;
return -1;
}
if (p_src == NULL && p_dst == NULL) {
if (p_mode != IPSEC_MODE_TRANSPORT) {
ipsec_errcode = EIPSEC_INVAL_ADDRESS;
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return -1;
}
}
else if (p_src->sa_family != p_dst->sa_family) {
ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
}
ipsec_errcode = EIPSEC_NO_ERROR;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -293,7 +297,7 @@ init_x_policy()
pbuf = malloc(tlen);
if (pbuf == NULL) {
ipsec_errcode = EIPSEC_NO_BUFS;
__ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
p = (struct sadb_x_policy *)pbuf;
@@ -304,7 +308,7 @@ init_x_policy()
p->sadb_x_policy_reserved = 0;
offset = tlen;
ipsec_errcode = EIPSEC_NO_ERROR;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -322,7 +326,7 @@ set_x_request(src, dst)
pbuf = realloc(pbuf, tlen);
if (pbuf == NULL) {
ipsec_errcode = EIPSEC_NO_BUFS;
__ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
@@ -330,12 +334,13 @@ set_x_request(src, dst)
p->sadb_x_ipsecrequest_proto = p_protocol;
p->sadb_x_ipsecrequest_mode = p_mode;
p->sadb_x_ipsecrequest_level = p_level;
p->sadb_x_ipsecrequest_reqid = p_reqid;
offset += sizeof(*p);
if (set_sockaddr(src) || set_sockaddr(dst))
return -1;
ipsec_errcode = EIPSEC_NO_ERROR;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -344,7 +349,7 @@ set_sockaddr(addr)
struct sockaddr *addr;
{
if (addr == NULL) {
ipsec_errcode = EIPSEC_NO_ERROR;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -354,7 +359,7 @@ set_sockaddr(addr)
offset += addr->sa_len;
ipsec_errcode = EIPSEC_NO_ERROR;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -364,6 +369,7 @@ policy_parse_request_init()
p_protocol = IPPROTO_IP;
p_mode = IPSEC_MODE_ANY;
p_level = IPSEC_LEVEL_DEFAULT;
p_reqid = 0;
if (p_src != NULL) {
free(p_src);
p_src = NULL;
@@ -401,7 +407,7 @@ policy_parse(msg, msglen)
/* update total length */
((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
ipsec_errcode = EIPSEC_NO_ERROR;
__ipsec_errcode = EIPSEC_NO_ERROR;
return pbuf;
}
@@ -415,12 +421,12 @@ ipsec_set_policy(msg, msglen)
policy = policy_parse(msg, msglen);
if (policy == NULL) {
if (ipsec_errcode == EIPSEC_NO_ERROR)
ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
if (__ipsec_errcode == EIPSEC_NO_ERROR)
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return NULL;
}
ipsec_errcode = EIPSEC_NO_ERROR;
__ipsec_errcode = EIPSEC_NO_ERROR;
return policy;
}
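Review bot: The new LEVEL_SPECIFY action `p_reqid = atol($1.buf); /* atol() is good. */` accepts whatever run of digits the lexer matched after `unique:` with no range check, so an oversized value overflows atol() (undefined behaviour for the C library call) and is then silently narrowed through the `int` p_reqid into `sadb_x_ipsecrequest_reqid` in set_x_request(), installing a policy whose reqid differs from what the administrator wrote; the comment asserts the opposite and should go. Parse with strtol(), reject ERANGE, trailing characters and anything that does not fit the reqid field (a 16-bit field in KAME's pfkeyv2.h as far as I recall — confirm the width against the header), and fail the parse with `__ipsec_errcode = EIPSEC_INVAL_ARGUMENT` instead of truncating. `<errno.h>` is already included by this file, so no new dependency is needed.
```yacc
	| LEVEL_SPECIFY {
		char *ep;
		long v;

		errno = 0;
		v = strtol($1.buf, &ep, 10);
		/* reject overflow, trailing junk and values that do not fit the reqid field */
		if (errno == ERANGE || ep == $1.buf || *ep != '\0'
		 || v < 0 || v > 0xffff /* width of sadb_x_ipsecrequest_reqid -- confirm */) {
			__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
			return -1;
		}
		p_level = IPSEC_LEVEL_UNIQUE;
		p_reqid = (int)v;
	}
```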
+19 -8
@@ -1,3 +1,6 @@
/* $FreeBSD$ */
/* $KAME: policy_token.l,v 1.9 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
%{
@@ -46,8 +47,14 @@
#include <unistd.h>
#include <errno.h>
#ifndef __NetBSD__
#include "y.tab.h"
#define yylval __libipsecyylval /* XXX */
#else
#include "policy_parse.h"
#endif
#define yylval __libipsecyylval /* XXX */
int yylex __P((void));
%}
%option noyywrap
@@ -56,7 +63,6 @@
nl \n
ws [ \t]+
digit [0-9]
letter [0-9A-Za-z]
hexdigit [0-9A-Fa-f]
special [()+\|\?\*,]
dot \.
@@ -79,9 +85,7 @@ decstring {digit}+
hexpair {hexdigit}{hexdigit}
hexstring 0[xX]{hexdigit}+
octetstring {octet}({dot}{octet})+
ipaddress [a-zA-Z0-9:\._][a-zA-Z0-9:\._]*(%{letter}{letter}+)?
name {letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))*
hostname {name}(({dot}{name})+{dot}?)?
ipaddress [a-zA-Z0-9:\._][a-zA-Z0-9:\._]*(%[a-zA-Z0-9]+)?
%%
@@ -107,12 +111,17 @@ any { return(ANY); }
default { yylval.num = IPSEC_LEVEL_DEFAULT; return(LEVEL); }
use { yylval.num = IPSEC_LEVEL_USE; return(LEVEL); }
require { yylval.num = IPSEC_LEVEL_REQUIRE; return(LEVEL); }
unique{colon}{decstring} {
yylval.val.len = strlen(yytext + 7);
yylval.val.buf = yytext + 7;
return(LEVEL_SPECIFY);
}
unique { yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); }
{slash} { return(SLASH); }
{ipaddress} {
yylval.val.len = strlen(yytext);
yylval.val.buf = strdup(yytext);
yylval.val.buf = yytext;
return(IPADDRESS);
}
@@ -123,6 +132,8 @@ unique { yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); }
%%
void __policy__strbuffer__init__ __P((char *));
void
__policy__strbuffer__init__(msg)
char *msg;
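Review bot: The IPADDRESS and LEVEL_SPECIFY actions now hand the parser a pointer into flex's scan buffer (`yylval.val.buf = yytext;` and `yytext + 7`) instead of a strdup() copy, and nothing in the rules says how long that pointer stays valid: flex restores the character it overwrote with the NUL after the current token as soon as yylex() is called again, so the string is only usable until the parser fetches its next token. The grammar in policy_parse.y apparently copes by copying inside the action that consumes the token (parse_sockaddr() makes its own copy), but that is now an invariant the two files share silently; I would state it at the IPADDRESS rule: `/* buf aliases yytext: valid only until the next yylex() call; the grammar must copy it in the action that consumes this token, before any lookahead. */`. The magic `+ 7` is the length of the literal `unique:`; writing it as `sizeof("unique:") - 1` ties it to the pattern it depends on.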
+211 -73
@@ -1,3 +1,6 @@
/* $FreeBSD$ */
/* $KAME: test-policy.c,v 1.13 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#include <sys/types.h>
@@ -34,7 +35,6 @@
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet6/in6.h>
#include <net/pfkeyv2.h>
#include <netkey/key_debug.h>
#include <netinet6/ipsec.h>
@@ -43,90 +43,115 @@
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <err.h>
char *requests[] = {
"must_error", /* error */
"in ipsec must_error", /* error */
"out ipsec esp/must_error", /* error */
"out discard",
"out none",
"in entrust",
"out entrust",
"in bypass", /* may be error */
"out ipsec esp", /* error */
"in ipsec ah/transport",
"in ipsec ah/tunnel", /* error */
"out ipsec ah/transport/",
"out ipsec ah/tunnel/", /* error */
"in ipsec esp / transport / 10.0.0.1-10.0.0.2",
"in ipsec esp/tunnel/::1-::2",
"in ipsec esp/tunnel/10.0.0.1-::2", /* error */
"in ipsec esp/tunnel/::1-::2/require",
"out ipsec ah/transport//use",
"out ipsec ah/transport esp/use",
"in ipsec ah/transport esp/tunnel", /* error */
"in ipsec
struct req_t {
int result; /* expected result; 0:ok 1:ng */
char *str;
} reqs[] = {
{ 0, "out ipsec" },
{ 1, "must_error" },
{ 1, "in ipsec must_error" },
{ 1, "out ipsec esp/must_error" },
{ 1, "out discard" },
{ 1, "out none" },
{ 0, "in entrust" },
{ 0, "out entrust" },
{ 1, "out ipsec esp" },
{ 0, "in ipsec ah/transport" },
{ 1, "in ipsec ah/tunnel" },
{ 0, "out ipsec ah/transport/" },
{ 1, "out ipsec ah/tunnel/" },
{ 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" },
{ 0, "in ipsec esp/tunnel/::1-::2" },
{ 1, "in ipsec esp/tunnel/10.0.0.1-::2" },
{ 0, "in ipsec esp/tunnel/::1-::2/require" },
{ 0, "out ipsec ah/transport//use" },
{ 1, "out ipsec ah/transport esp/use" },
{ 1, "in ipsec ah/transport esp/tunnel" },
{ 0, "in ipsec ah/transport esp/tunnel/::1-::1" },
{ 0, "in ipsec
ah / transport
esp / tunnel / ::1-::2",
"
out ipsec
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
",
"out ipsec esp/transport/fec0::10-fec0::11/use",
esp / tunnel / ::1-::2" },
{ 0, "out ipsec
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
" },
{ 0, "out ipsec esp/transport/fec0::10-fec0::11/use" },
};
int test(char *buf, int family);
int test1 __P((void));
int test1sub1 __P((struct req_t *));
int test1sub2 __P((char *, int));
int test2 __P((void));
int test2sub __P((int));
int
main(ac, av)
int ac;
char **av;
{
int do_setsockopt;
char *buf;
test1();
test2();
exit(0);
}
int
test1()
{
int i;
int result;
if (ac != 1)
do_setsockopt = 1;
else
do_setsockopt = 0;
printf("TEST1\n");
for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) {
printf("#%d [%s]\n", i + 1, reqs[i].str);
for (i = 0; i < sizeof(requests)/sizeof(requests[0]); i++) {
printf("*** requests ***\n");
printf("\t[%s]\n", requests[i]);
buf = ipsec_set_policy(requests[i], strlen(requests[i]));
if (buf == NULL) {
printf("ipsec_set_policy: %s\n", ipsec_strerror());
continue;
result = test1sub1(&reqs[i]);
if (result == 0 && reqs[i].result == 1) {
errx(1, "ERROR: expecting failure.\n");
} else if (result == 1 && reqs[i].result == 0) {
errx(1, "ERROR: expecting success.\n");
}
printf("\tsetlen:%d\n", ipsec_get_policylen(buf));
if (do_setsockopt) {
printf("\tPF_INET:\n");
test(buf, PF_INET);
printf("\tPF_INET6:\n");
test(buf, PF_INET6);
} else {
kdebug_sadb_x_policy((struct sadb_ext *)buf);
}
free(buf);
}
return 0;
}
int
test(policy, family)
test1sub1(req)
struct req_t *req;
{
char *buf;
buf = ipsec_set_policy(req->str, strlen(req->str));
if (buf == NULL) {
printf("ipsec_set_policy: %s\n", ipsec_strerror());
return 1;
}
if (test1sub2(buf, PF_INET) != 0
|| test1sub2(buf, PF_INET6) != 0) {
free(buf);
return 1;
}
#if 0
kdebug_sadb_x_policy((struct sadb_ext *)buf);
#endif
free(buf);
return 0;
}
int
test1sub2(policy, family)
char *policy;
int family;
{
int so, proto, optname;
int so;
int proto = 0, optname = 0;
int len;
char getbuf[1024];
@@ -145,35 +170,148 @@ test(policy, family)
err(1, "socket");
len = ipsec_get_policylen(policy);
#if 0
printf("\tsetlen:%d\n", len);
#endif
if (setsockopt(so, proto, optname, policy, len) < 0) {
printf("error on setsockopt");
goto end;
printf("fail to set sockopt; %s\n", strerror(errno));
close(so);
return 1;
}
len = sizeof(getbuf);
memset(getbuf, 0, sizeof(getbuf));
memcpy(getbuf, policy, sizeof(struct sadb_x_policy));
if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
printf("error on getsockopt");
goto end;
printf("fail to get sockopt; %s\n", strerror(errno));
close(so);
return 1;
}
{
char *buf = NULL;
#if 0
printf("\tgetlen:%d\n", len);
#endif
if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
printf("%s\n", ipsec_strerror());
goto end;
} else {
printf("\t[%s]\n", buf);
free(buf);
close(so);
return 1;
}
#if 0
printf("\t[%s]\n", buf);
#endif
free(buf);
}
end:
close (so);
return 0;
}
char addr[] = {
28, 28, 0, 0,
0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
0, 0, 0, 0,
};
int
test2()
{
int so;
char *pol1 = "out ipsec";
char *pol2 = "out ipsec ah/transport//use";
char *sp1, *sp2;
int splen1, splen2;
int spid;
struct sadb_msg *m;
printf("TEST2\n");
if (getuid() != 0)
errx(1, "root privilege required.\n");
sp1 = ipsec_set_policy(pol1, strlen(pol1));
splen1 = ipsec_get_policylen(sp1);
sp2 = ipsec_set_policy(pol2, strlen(pol2));
splen2 = ipsec_get_policylen(sp2);
if ((so = pfkey_open()) < 0)
errx(1, "ERROR: %s\n", ipsec_strerror());
printf("spdflush()\n");
if (pfkey_send_spdflush(so) < 0)
errx(1, "ERROR: %s\n", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdsetidx()\n");
if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp1, splen1, 0) < 0)
errx(1, "ERROR: %s\n", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdupdate()\n");
if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp2, splen2, 0) < 0)
errx(1, "ERROR: %s\n", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spddelete()\n");
if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp1, splen1, 0) < 0)
errx(1, "ERROR: %s\n", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdadd()\n");
if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp2, splen2, 0) < 0)
errx(1, "ERROR: %s\n", ipsec_strerror());
spid = test2sub(so);
printf("spdget(%u)\n", spid);
if (pfkey_send_spdget(so, spid) < 0)
errx(1, "ERROR: %s\n", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spddelete2()\n");
if (pfkey_send_spddelete2(so, spid) < 0)
errx(1, "ERROR: %s\n", ipsec_strerror());
m = pfkey_recv(so);
free(m);
/* expecting failure */
printf("spdupdate()\n");
if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp2, splen2, 0) == 0) {
errx(1, "ERROR: expecting failure.\n");
}
return 0;
}
int
test2sub(so)
int so;
{
struct sadb_msg *msg;
caddr_t mhp[SADB_EXT_MAX + 1];
if ((msg = pfkey_recv(so)) == NULL)
errx(1, "ERROR: pfkey_recv failure.\n");
if (pfkey_align(msg, mhp) < 0)
errx(1, "ERROR: pfkey_align failure.\n");
return ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id;
}
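Review bot: test2sub() dereferences `mhp[SADB_X_EXT_POLICY]` without checking that pfkey_align() actually found a policy extension, and neither it nor the `m = pfkey_recv(so); free(m);` pairs in test2() look at `sadb_msg_errno` in the reply, so a kernel that rejects the spdadd either crashes the test on a NULL pointer here or, in the other calls, lets a failed request pass as success; the received message is also never freed. Check the errno and the extension before reading the id (assuming pfkey_align() zeroes the unused slots of mhp, which is how I recall it behaving — confirm), and free the message. The same unchecked result applies to the two `ipsec_set_policy()` calls at the top of test2(): `splen1 = ipsec_get_policylen(sp1);` runs on a NULL sp1 if the policy string fails to parse, and should bail out with errx() like the surrounding calls.
```c
int
test2sub(so)
	int so;
{
	struct sadb_msg *msg;
	caddr_t mhp[SADB_EXT_MAX + 1];
	int spid;

	if ((msg = pfkey_recv(so)) == NULL)
		errx(1, "ERROR: pfkey_recv failure.\n");
	/* a rejected request comes back with errno set; do not read its payload */
	if (msg->sadb_msg_errno != 0)
		errx(1, "ERROR: kernel returned %s.\n",
		    strerror(msg->sadb_msg_errno));
	if (pfkey_align(msg, mhp) < 0)
		errx(1, "ERROR: pfkey_align failure.\n");
	if (mhp[SADB_X_EXT_POLICY] == NULL)
		errx(1, "ERROR: reply carries no policy extension.\n");
	spid = ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id;
	free(msg);
	return spid;
}
```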
+7
@@ -29,11 +29,18 @@
PROG= setkey
SRCS= setkey.c parse.y token.l
CFLAGS+=-g
CFLAGS+=-I${.CURDIR}/../../lib/libipsec
DPADD= ${LIBL} ${LIBY}
LDADD= -ll -ly
CLEANFILES+= y.tab.c y.tab.h key_test.o keytest
YFLAGS+=-d
# libpfkey.
# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
CFLAGS+=-I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netkey
SCRIPTS= scriptdump
BINOWN = root
+269 -154
@@ -1,7 +1,10 @@
/* $FreeBSD$ */
/* $KAME: parse.y,v 1.29 2000/06/10 14:17:44 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
/* KAME $Id: parse.y,v 1.7 1999/10/27 17:08:57 sakane Exp $ */
%{
#include <sys/types.h>
@@ -45,48 +45,52 @@
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <netdb.h>
#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include "libpfkey.h"
#include "vchar.h"
#define ATOX(c) \
(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
u_int p_type;
u_int32_t p_spi;
struct sockaddr *p_src, *p_dst;
u_int p_prefs, p_prefd, p_upper;
u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
u_int p_key_enc_len, p_key_auth_len;
caddr_t p_key_enc, p_key_auth;
time_t p_lt_hard, p_lt_soft;
u_int p_type;
u_int32_t p_spi;
struct sockaddr *p_src, *p_dst;
u_int p_prefs, p_prefd, p_upper;
u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
u_int32_t p_reqid;
u_int p_key_enc_len, p_key_auth_len;
caddr_t p_key_enc, p_key_auth;
time_t p_lt_hard, p_lt_soft;
u_int p_policy_len;
char *p_policy;
u_int p_policy_len;
char *p_policy;
/* temporary buffer */
static struct sockaddr *pp_addr;
static u_int pp_prefix;
static u_int pp_port;
static caddr_t pp_key;
static struct sockaddr *pp_addr;
static u_int pp_prefix;
static u_int pp_port;
static caddr_t pp_key;
extern u_char m_buf[BUFSIZ];
extern int m_len;
extern char cmdarg[8192];
extern int f_debug;
extern u_char m_buf[BUFSIZ];
extern int m_len;
extern char cmdarg[8192];
extern int f_debug;
int setkeymsg __P((void));
static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
void parse_init __P((void));
void free_buffer __P((void));
int setkeymsg __P((void));
static struct addrinfo *parse_addr __P((char *, char *, int));
static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
void parse_init __P((void));
void free_buffer __P((void));
extern int setkeymsg __P((void));
extern int sendkeymsg __P((void));
extern int setkeymsg __P((void));
extern int sendkeymsg __P((void));
extern int yylex __P((void));
extern void yyerror __P((char *));
extern int yylex __P((void));
extern void yyfatal __P((const char *));
extern void yyerror __P((const char *));
%}
%union {
@@ -96,11 +100,11 @@ extern void yyerror __P((char *));
%token EOT
%token ADD GET DELETE FLUSH DUMP
%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT PORTANY
%token ADDRESS PREFIX PORT PORTANY
%token UP_PROTO PR_ESP PR_AH PR_IPCOMP
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
%token F_MODE MODE
%token F_EXT EXTENSION
%token F_MODE MODE F_REQID
%token F_EXT EXTENSION NOCYCLICSEQ
%token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
%token F_LIFETIME_HARD F_LIFETIME_SOFT
%token DECSTRING QUOTEDSTRING HEXSTRING ANY
@@ -108,6 +112,14 @@ extern void yyerror __P((char *));
%token SPDADD SPDDELETE SPDDUMP SPDFLUSH
%token F_POLICY PL_REQUESTS
%type <num> PORT PREFIX EXTENSION MODE
%type <num> UP_PROTO PR_ESP PR_AH PR_IPCOMP
%type <num> ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
%type <num> DECSTRING
%type <val> ADDRESS PL_REQUESTS
%type <val> key_string policy_requests
%type <val> QUOTEDSTRING HEXSTRING
%%
commands
: /*NOTHING*/
@@ -146,13 +158,23 @@ add_command
/* delete */
delete_command
: DELETE { p_type = SADB_DELETE; }
sa_selector_spec extension_spec EOT
sa_selector_spec extension_spec
{
if (p_mode != IPSEC_MODE_ANY)
yyerror("WARNING: mode is obsoleted.");
}
EOT
;
/* get command */
get_command
: GET { p_type = SADB_GET; }
sa_selector_spec extension_spec EOT
sa_selector_spec extension_spec
{
if (p_mode != IPSEC_MODE_ANY)
yyerror("WARNING: mode is obsoleted.");
}
EOT
;
/* flush */
@@ -179,7 +201,7 @@ protocol_spec
| PR_ESP
{
p_satype = SADB_SATYPE_ESP;
if ($1.num == 1)
if ($1 == 1)
p_ext |= SADB_X_EXT_OLD;
else
p_ext &= ~SADB_X_EXT_OLD;
@@ -187,7 +209,7 @@ protocol_spec
| PR_AH
{
p_satype = SADB_SATYPE_AH;
if ($1.num == 1)
if ($1 == 1)
p_ext |= SADB_X_EXT_OLD;
else
p_ext &= ~SADB_X_EXT_OLD;
@@ -199,18 +221,18 @@ protocol_spec
;
spi
: DECSTRING { p_spi = $1.num; }
: DECSTRING { p_spi = $1; }
| HEXSTRING
{
caddr_t bp;
caddr_t yp = $1.val.buf;
caddr_t yp = $1.buf;
char buf0[4], buf[4];
int i, j;
/* sanity check */
if ($1.val.len > 4) {
if ($1.len > 4) {
yyerror("SPI too big.");
free($1.val.buf);
free($1.buf);
return -1;
}
@@ -223,13 +245,13 @@ spi
/* initialize */
for (i = 0; i < 4; i++) buf[i] = 0;
for (j = $1.val.len - 1, i = 3; j >= 0; j--, i--)
for (j = $1.len - 1, i = 3; j >= 0; j--, i--)
buf[i] = buf0[j];
/* XXX: endian */
p_spi = ntohl(*(u_int32_t *)buf);
free($1.val.buf);
free($1.buf);
}
;
@@ -249,16 +271,16 @@ ah_spec
;
ipcomp_spec
: F_COMP ALG_COMP { p_alg_enc = $2.num; }
| F_COMP ALG_COMP { p_alg_enc = $2.num; }
: F_COMP ALG_COMP { p_alg_enc = $2; }
| F_COMP ALG_COMP { p_alg_enc = $2; }
F_RAWCPI { p_ext |= SADB_X_EXT_RAWCPI; }
;
enc_alg
: ALG_ENC { p_alg_enc = $1.num; }
: ALG_ENC { p_alg_enc = $1; }
| ALG_ENC_DESDERIV
{
p_alg_enc = $1.num;
p_alg_enc = $1;
if (p_ext & SADB_X_EXT_OLD) {
yyerror("algorithm mismatched.");
return -1;
@@ -267,7 +289,7 @@ enc_alg
}
| ALG_ENC_DES32IV
{
p_alg_enc = $1.num;
p_alg_enc = $1;
if (!(p_ext & SADB_X_EXT_OLD)) {
yyerror("algorithm mismatched.");
return -1;
@@ -286,7 +308,7 @@ enc_key
}
| key_string
{
p_key_enc_len = $1.val.len;
p_key_enc_len = $1.len;
p_key_enc = pp_key;
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
@@ -299,7 +321,7 @@ enc_key
;
auth_alg
: ALG_AUTH { p_alg_auth = $1.num; }
: ALG_AUTH { p_alg_auth = $1; }
;
auth_key
@@ -312,7 +334,7 @@ auth_key
}
| key_string
{
p_key_auth_len = $1.val.len;
p_key_auth_len = $1.len;
p_key_auth = pp_key;
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
@@ -327,20 +349,20 @@ auth_key
key_string
: QUOTEDSTRING
{
pp_key = $1.val.buf;
pp_key = $1.buf;
/* free pp_key later */
}
| HEXSTRING
{
caddr_t bp;
caddr_t yp = $1.val.buf;
caddr_t yp = $1.buf;
if ((pp_key = malloc($1.val.len)) == 0) {
free($1.val.buf);
yyerror(strerror(errno));
if ((pp_key = malloc($1.len)) == 0) {
free($1.buf);
yyerror("not enough core");
return -1;
}
memset(pp_key, 0, $1.val.len);
memset(pp_key, 0, $1.len);
bp = pp_key;
while (*yp) {
@@ -348,7 +370,7 @@ key_string
yp += 2, bp++;
}
free($1.val.buf);
free($1.buf);
}
;
@@ -358,9 +380,11 @@ extension_spec
;
extension
: F_EXT EXTENSION { p_ext |= $1.num; }
| F_MODE MODE { p_mode = $2.num; }
: F_EXT EXTENSION { p_ext |= $2; }
| F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; }
| F_MODE MODE { p_mode = $2; }
| F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
| F_REQID DECSTRING { p_reqid = $2; }
| F_REPLAY DECSTRING
{
if (p_ext & SADB_X_EXT_OLD) {
@@ -368,10 +392,10 @@ extension
"only use on new spec.");
return -1;
}
p_replay = $2.num;
p_replay = $2;
}
| F_LIFETIME_HARD DECSTRING { p_lt_hard = $2.num; }
| F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2.num; }
| F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
| F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
;
/* definition about command for SPD management */
@@ -391,7 +415,7 @@ spddelete_command:
p_type = SADB_X_SPDDELETE;
p_satype = SADB_SATYPE_UNSPEC;
}
sp_selector_spec EOT
sp_selector_spec policy_spec EOT
;
spddump_command:
@@ -416,97 +440,107 @@ spdflush_command:
sp_selector_spec
: ipaddress { p_src = pp_addr; }
prefix { p_prefs = pp_prefix; }
port { _INPORTBYSA(p_src) = htons(pp_port); }
port
{
switch (p_src->sa_family) {
case AF_INET:
((struct sockaddr_in *)p_src)->sin_port =
htons(pp_port);
break;
#ifdef INET6
case AF_INET6:
((struct sockaddr_in6 *)p_src)->sin6_port =
htons(pp_port);
break;
#endif
default:
exit(1); /*XXX*/
}
}
ipaddress { p_dst = pp_addr; }
prefix { p_prefd = pp_prefix; }
port { _INPORTBYSA(p_dst) = htons(pp_port); }
port
{
switch (p_dst->sa_family) {
case AF_INET:
((struct sockaddr_in *)p_dst)->sin_port =
htons(pp_port);
break;
#ifdef INET6
case AF_INET6:
((struct sockaddr_in6 *)p_dst)->sin6_port =
htons(pp_port);
break;
#endif
default:
exit(1); /*XXX*/
}
}
upper_spec
{
/* XXX is it something userland should check? */
#if 0
switch (p_upper) {
case IPPROTO_ICMP:
case IPPROTO_ICMPV6:
if (_INPORTBYSA(p_src) != IPSEC_PORT_ANY
|| _INPORTBYSA(p_dst) != IPSEC_PORT_ANY) {
yyerror("port number must be \"any\".");
return -1;
}
if ((pp_addr->sa_family == AF_INET6
&& p_upper == IPPROTO_ICMP)
|| (pp_addr->sa_family == AF_INET
&& p_upper == IPPROTO_ICMPV6)) {
yyerror("upper layer protocol "
"mismatched.\n");
return -1;
}
break;
default:
break;
}
#endif
}
;
ipaddress
: IP4_ADDRESS
: ADDRESS
{
struct sockaddr_in *in;
u_int sa_len = $1.val.len;
struct addrinfo *res;
if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0) {
yyerror(strerror(errno));
free($1.val.buf);
res = parse_addr($1.buf, NULL, AI_NUMERICHOST);
if (res == NULL) {
free($1.buf);
return -1;
}
memset((caddr_t)in, 0, sa_len);
in->sin_family = PF_INET;
in->sin_len = sa_len;
in->sin_port = IPSEC_PORT_ANY;
(void)inet_pton(PF_INET, $1.val.buf, &in->sin_addr);
pp_addr = (struct sockaddr *)in;
free($1.val.buf);
}
| IP6_ADDRESS
{
#ifdef INET6
struct sockaddr_in6 *in6;
u_int sa_len = $1.val.len;
struct addrinfo hints, *res;
int ret_gai;
if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0) {
free($1.val.buf);
yyerror(strerror(errno));
return -1;
pp_addr = (struct sockaddr *)malloc(res->ai_addrlen);
if (!pp_addr) {
yyerror("not enough core");
goto end;
}
memset((caddr_t)in6, 0, sa_len);
bzero(&hints, sizeof(struct addrinfo));
hints.ai_flags = AI_NUMERICHOST;
hints.ai_family = AF_INET6;
ret_gai = getaddrinfo($1.val.buf, NULL, &hints, &res);
if (ret_gai) {
free($1.val.buf);
free(in6);
yyerror(gai_strerror(ret_gai));
if (ret_gai == EAI_SYSTEM)
yyerror(strerror(errno));
return -1;
}
(void)memcpy(in6, res->ai_addr, res->ai_addrlen);
/*
* XXX: If the scope of the destination is link-local,
* embed the scope-id(in this case, interface index)
* into the address.
*/
if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr) &&
in6->sin6_scope_id != 0)
*(u_short *)&in6->sin6_addr.s6_addr[2] =
htons(in6->sin6_scope_id & 0xffff);
memcpy(pp_addr, res->ai_addr, res->ai_addrlen);
end:
freeaddrinfo(res);
pp_addr = (struct sockaddr *)in6;
#else
yyerror("IPv6 address not supported");
#endif
free($1.val.buf);
free($1.buf);
}
;
prefix
: /*NOTHING*/ { pp_prefix = ~0; }
| PREFIX { pp_prefix = $1.num; }
| PREFIX { pp_prefix = $1; }
;
port
: /*NOTHING*/ { pp_port = IPSEC_PORT_ANY; }
| PORT { pp_port = $1.num; }
| PORT { pp_port = $1; }
| PORTANY { pp_port = IPSEC_PORT_ANY; }
;
upper_spec
: DECSTRING { p_upper = $1.num; }
| UP_PROTO { p_upper = $1.num; }
: DECSTRING { p_upper = $1; }
| UP_PROTO { p_upper = $1; }
| PR_ESP { p_upper = IPPROTO_ESP; };
| PR_AH { p_upper = IPPROTO_AH; };
| PR_IPCOMP { p_upper = IPPROTO_IPCOMP; };
@@ -516,9 +550,9 @@ upper_spec
policy_spec
: F_POLICY policy_requests
{
p_policy = ipsec_set_policy($2.val.buf, $2.val.len);
p_policy = ipsec_set_policy($2.buf, $2.len);
if (p_policy == NULL) {
free($2.val.buf);
free($2.buf);
p_policy = NULL;
yyerror(ipsec_strerror());
return -1;
@@ -526,13 +560,12 @@ policy_spec
p_policy_len = ipsec_get_policylen(p_policy);
free($2.val.buf);
free($2.buf);
}
;
policy_requests:
/*NOTHING*/
| PL_REQUESTS { $$ = $1; }
policy_requests
: PL_REQUESTS { $$ = $1; }
;
%%
@@ -546,7 +579,6 @@ setkeymsg()
m_msg.sadb_msg_type = p_type;
m_msg.sadb_msg_errno = 0;
m_msg.sadb_msg_satype = p_satype;
m_msg.sadb_msg_mode = p_mode;
m_msg.sadb_msg_reserved = 0;
m_msg.sadb_msg_seq = 0;
m_msg.sadb_msg_pid = getpid();
@@ -629,6 +661,7 @@ setkeymsg()
case SADB_GET:
{
struct sadb_sa m_sa;
struct sadb_x_sa2 m_sa2;
struct sadb_address m_addr;
u_int len;
@@ -645,14 +678,36 @@ setkeymsg()
memcpy(m_buf + m_len, &m_sa, len);
m_len += len;
len = sizeof(struct sadb_x_sa2);
m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
m_sa2.sadb_x_sa2_mode = p_mode;
m_sa2.sadb_x_sa2_reqid = p_reqid;
memcpy(m_buf + m_len, &m_sa2, len);
m_len += len;
/* set src */
m_addr.sadb_address_len =
PFKEY_UNIT64(sizeof(m_addr)
+ PFKEY_ALIGN8(p_src->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
m_addr.sadb_address_prefixlen =
_INALENBYAF(p_src->sa_family) << 3;
switch (p_src->sa_family) {
case AF_INET:
m_addr.sadb_address_prefixlen =
sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
m_addr.sadb_address_prefixlen =
sizeof(struct in6_addr) << 3;
break;
#endif
default:
yyerror("unsupported address family");
exit(1); /*XXX*/
}
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@@ -665,8 +720,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_dst->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
m_addr.sadb_address_prefixlen =
_INALENBYAF(p_dst->sa_family) << 3;
switch (p_dst->sa_family) {
case AF_INET:
m_addr.sadb_address_prefixlen =
sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
m_addr.sadb_address_prefixlen =
sizeof(struct in6_addr) << 3;
break;
#endif
default:
yyerror("unsupported address family");
exit(1); /*XXX*/
}
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@@ -681,17 +749,15 @@ setkeymsg()
break;
case SADB_X_SPDADD:
case SADB_X_SPDDELETE:
{
struct sadb_address m_addr;
u_int8_t plen;
memcpy(m_buf + m_len, p_policy, p_policy_len);
m_len += p_policy_len;
free(p_policy);
p_policy = NULL;
}
/* FALLTHROUGH */
case SADB_X_SPDDELETE:
{
struct sadb_address m_addr;
/* set src */
m_addr.sadb_address_len =
@@ -699,9 +765,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_src->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
m_addr.sadb_address_proto = p_upper;
switch (p_src->sa_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
#endif
default:
yyerror("unsupported address family");
exit(1); /*XXX*/
}
m_addr.sadb_address_prefixlen =
(p_prefs != ~0 ? p_prefs :
_INALENBYAF(p_src->sa_family) << 3);
(p_prefs != ~0 ? p_prefs : plen);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@@ -714,9 +792,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_dst->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
m_addr.sadb_address_proto = p_upper;
switch (p_dst->sa_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
#endif
default:
yyerror("unsupported address family");
exit(1); /*XXX*/
}
m_addr.sadb_address_prefixlen =
(p_prefd != ~0 ? p_prefd :
_INALENBYAF(p_dst->sa_family) << 3);
(p_prefd != ~0 ? p_prefd : plen);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@@ -731,6 +821,30 @@ setkeymsg()
return 0;
}
static struct addrinfo *
parse_addr(host, port, flag)
char *host;
char *port;
int flag;
{
struct addrinfo hints, *res = NULL;
int error;
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_DGRAM;
hints.ai_flags = flag;
error = getaddrinfo(host, port, &hints, &res);
if (error != 0) {
yyerror(gai_strerror(error));
return NULL;
}
if (res->ai_next != NULL) {
yyerror(gai_strerror(error));
}
return res;
}
static int
setvarbuf(off, ebuf, elen, vbuf, vlen)
caddr_t vbuf;
@@ -757,11 +871,12 @@ parse_init()
p_upper = 0;
p_satype = 0;
p_ext = SADB_X_EXT_NONE;
p_ext = SADB_X_EXT_CYCSEQ;
p_alg_enc = SADB_EALG_NONE;
p_alg_auth = SADB_AALG_NONE;
p_mode = IPSEC_MODE_ANY;
p_replay = 4;
p_reqid = 0;
p_replay = 0;
p_key_enc_len = p_key_auth_len = 0;
p_key_enc = p_key_auth = 0;
p_lt_hard = p_lt_soft = 0;
+2 -2
@@ -170,7 +170,7 @@ add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
# Also delete command, you can delete a entry of either SP or SA.
spddelete out fec0:0:0:1::/64 fec0:0:0:2:/64 any ;
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
# By dump command, you can dump all entry of either SP or SA.
@@ -204,7 +204,7 @@ add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f cyclic-seq -E simple ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E simple ;
add ::1 ::1 esp 10018 -m transport -E simple ;
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
+7 -5
@@ -20,8 +20,8 @@ open(IN, "setkey -D |") || die;
foreach $_ (<IN>) {
if (/^[^\t]/) {
($src, $dst) = split(/\s+/, $_);
} elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*replay=(\d+)/) {
($proto, $ipsecmode, $spi, $replay) = ($1, $2, $3, $4);
} elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*reqid=(\d+)/) {
($proto, $ipsecmode, $spi, $reqid) = ($1, $2, $3, $4);
} elsif (/^\tE: (\S+) (.*)/) {
$ealgo = $1;
$ekey = $2;
@@ -32,17 +32,19 @@ foreach $_ (<IN>) {
$akey = $2;
$akey =~ s/\s//g;
$akey =~ s/^/0x/g;
} elsif (/^\tstate=/) {
} elsif (/^\treplay=(\d+) flags=(0x\d+) state=/) {
print "$mode $src $dst $proto $spi -m $ipsecmode";
print " -r $replay" if $replay;
$replay = $1;
print " -u $reqid" if $reqid;
if ($mode eq 'add') {
print " -r $replay" if $replay;
if ($proto eq 'esp') {
print " -E $ealgo $ekey" if $ealgo;
print " -A $aalgo $akey" if $aalgo;
} elsif ($proto eq 'ah') {
print " -A $aalgo $akey" if $aalgo;
}
}
}
print ";\n";
$src = $dst = $upper = $proxy = '';
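Review bot: The new state-line pattern `/^\treplay=(\d+) flags=(0x\d+) state=/` accepts only decimal digits after `0x`, so if the dump ever prints a flags value containing a–f the line does not match and the whole SA is silently skipped instead of being re-emitted as an `add`; `flags=(0x[0-9a-fA-F]+)` matches any hex value. The second capture is never read, so it could also be made non-capturing. The dump format of setkey -D is not visible on this page, so whether hex letters actually occur in that field is inferred from the `0x` prefix.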
+73 -64
@@ -1,6 +1,9 @@
.\" $FreeBSD$
.\" $KAME: setkey.8,v 1.28 2000/06/16 12:03:46 sakane Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
.\"
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
@@ -12,7 +15,7 @@
.\" 3. Neither the name of the project nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,15 +28,14 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: setkey.8,v 1.14 1999/10/27 17:08:58 sakane Exp $
.\" $FreeBSD$
.\"
.Dd May 17, 1998
.Dt SETKEY 8
.Os
.Os KAME
.\"
.Sh NAME
.Nm setkey
.Nd manually manipulate the SA/SP database.
.Nd manually manipulate the IPsec SA/SP database.
.\"
.Sh SYNOPSIS
.Nm setkey
.Op Fl dv
@@ -50,19 +52,20 @@
.Nm setkey
.Op Fl h
.Fl x
.\"
.\"
.Sh DESCRIPTION
.Nm
updates, or lists the content of, Security Association Database (SAD) entries
in the kernel as well as Security Policy Database (SPD) entries.
addes, updates, dumpes, or flushes
Security Association Database (SAD) entries
as well as Security Policy Database (SPD) entries in the kernel.
.Pp
.Nm
takes a series of operation from standard input
takes a series of operations from the standard input
.Po
if invoked with
.Fl c
.Pc
or file named
or the file named
.Ar filename
.Po
if invoked with
@@ -75,21 +78,23 @@ If with
.Fl P ,
the SPD entries are dumped.
.It Fl F
Flush the SAD.
Flush the SAD entries.
If with
.Fl P ,
the SPD are flushed.
the SPD entries are flushed.
.It Fl a
.Nm
usually do not display dead SAD entries on
usually does not display dead SAD entries with
.Fl D .
With
If with
.Fl a ,
dead SAD entries will be displayed as well.
Dead SAD entries are kept in the kernel,
when they are referenced from any of SPD entries in the kernel.
the dead SAD entries will be displayed as well.
A dead SAD entry means that
it has been expired but remains
because it is referenced by SPD entries.
.It Fl d
Enable debugging messages.
Enable to print debugging messages for command parser,
without talking to kernel. It is not used usually.
.It Fl x
Loop forever and dump all the messages transmitted to
.Dv PF_KEY
@@ -98,7 +103,6 @@ socket.
Add hexadecimal dump on
.Fl x
mode.
The order is significant.
.It Fl l
Loop forever with short output on
.Fl D .
@@ -111,10 +115,8 @@ including messages sent from other processes
.Pc .
.El
.Pp
Operation has the following grammar.
Note that lines, that start with a
hashmark ('#') are treated as comment lines.
Description of meta-arguments follows.
Operations have the following grammar. Note that lines starting with
hashmarks ('#') are treated as comment lines.
.Bl -tag -width Ds
.It Xo
.Li add
@@ -123,51 +125,49 @@ Description of meta-arguments follows.
.Ar algorithm...
.Li ;
.Xc
Add a SAD entry.
Add an SAD entry.
.\"
.It Xo
.Li get
.Ar src Ar dst Ar protocol Ar spi
.Op Ar mode
.Li ;
.Xc
Show a SAD entry.
Show an SAD entry.
.\"
.It Xo
.Li delete
.Ar src Ar dst Ar protocol Ar spi
.Op Ar mode
.Li ;
.Xc
Remove a SAD entry.
Remove an SAD entry.
.\"
.It Xo
.Li flush
.Op Ar protocol
.Li ;
.Xc
Clear all SAD entries that matches the options.
Clear all SAD entries matched by the options.
.\"
.It Xo
.Li dump
.Op Ar protocol
.Li ;
.Xc
Dumps all SAD entries that matches the options.
Dumps all SAD entries matched by the options.
.\"
.It Xo
.Li spdadd
.Ar src_range Ar dst_range Ar upperspec Ar policy
.Li ;
.Xc
Add a SPD entry.
Add an SPD entry.
.\"
.It Xo
.Li spddelete
.Ar src_range Ar dst_range Ar upperspec
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
.Li ;
.Xc
Delete a SPD entry.
Delete an SPD entry.
.\"
.It Xo
.Li spdflush
@@ -215,8 +215,9 @@ IPCOMP
.\"
.Pp
.It Ar spi
Security Parameter Index (SPI) for the SA and SPD.
Security Parameter Index (SPI) for the SAD and the SPD.
It must be decimal number or hexadecimal number
You can not use the set of SPI values in the range 0 through 255.
.Po
with
.Li 0x
@@ -225,30 +226,40 @@ attached
.\"
.Pp
.It Ar extensions
takes some of the following:
.Bl -tag -width Fl -compact
take some of the following:
.Bl -tag -width Fl -compact
.\"
.It Fl m Ar mode
Specify an security protocol mode for use. By default,
.Li any .
Specify a security protocol mode for use.
.Ar mode
is one of following:
.Li transport , tunnel
or
.Li any .
The default value is
.Li any .
.\"
.It Fl r Ar size
Specify window size of bytes for replay prevention.
.Ar size
must be decimal number in 32-bit word. If
.Ar size
is zero or not specified, replay check don't take place.
.\"
.It Fl u Ar id
Specify the identifier of policy. See also
.Xr ipsec_set_policy 3 .
.\"
.It Fl f Ar pad_option
.Ar pad_option
is one of following:
.Li zero-pad , random-pad
or
.Li seq-pad
.It Fl f Li cyclic-seq
Allow cyclic sequence number.
.\"
.It Fl f Li nocyclic-seq
Don't allow cyclic sequence number.
.\"
.It Fl lh Ar time
.It Fl ls Ar time
Specify hard/soft lifetime.
@@ -256,7 +267,7 @@ Specify hard/soft lifetime.
.\"
.Pp
.It Ar algorithm
.Bl -tag -width Fl -compact
.Bl -tag -width Fl -compact
.It Fl E Ar ealgo Ar key
Specify encryption algorithm.
.It Fl A Ar aalgo Ar key
@@ -268,7 +279,7 @@ is used for esp, it will be treated as ESP payload authentication algorithm.
Specify compression algorithm.
If
.Fl R
is specified with
is not specified with
.Li ipcomp
line, the kernel will use well-known IPComp CPI
.Pq compression parameter index
@@ -280,7 +291,7 @@ field is only for kernel internal use in this case.
.\"Therefore, compression protocol number will appear on IPComp CPI field.
If
.Fl R
is not used,
is used,
the value on
.Ar spi
field will appear on IPComp CPI field on outgoing packets.
@@ -311,7 +322,7 @@ SAs accept
only.
.Pp
.Ar key
must be double-quoted character string or a series of hexadecimal digits.
must be double-quoted character string or series of hexadecimal digits.
.Pp
Possible values for
.Ar ealgo ,
@@ -322,7 +333,7 @@ are specified in separate section.
.\"
.It Ar src_range
.It Ar dst_range
These are selection of the secure communication is specified as
These are selections of the secure communication specified as
IPv4/v6 address or IPv4/v6 address range, and it may accompany
TCP/UDP port specification.
This takes the following form:
@@ -365,7 +376,7 @@ NOTE:
.Ar upperspec
does not work against forwarding case at this moment,
as it requires extra reassembly at forwarding node
.Pq not implemented as this moment .
.Pq not implemented at this moment .
.\"
.It Ar policy
.Ar policy
@@ -427,15 +438,15 @@ is to be one of the following:
or
.Li require .
.Li default
means kernel consults to the system wide default against protocol you
means the kernel consults to the system wide default against protocol you
specified, e.g.
.Li esp_trans_deflev
sysctl variable, when kernel processes the packet.
sysctl variable, when the kernel processes the packet.
.Li use
means that kernel use a SA if it's available,
otherwise kernel keeps normal operation.
means that the kernel use a SA if it's available,
otherwise the kernel keeps normal operation.
.Li require
means SA is required whenever kernel deals with the packet.
means SA is required whenever the kernel deals with the packet.
Note that
.Dq Li discard
and
@@ -456,7 +467,7 @@ The following list shows the supported algorithms.
and
.Sy algorithm
are almost orthogonal.
Following are the list of authentication algorithms that can be used as
Followings are the list of authentication algorithms that can be used as
.Ar aalgo
in
.Fl A Ar aalgo
@@ -477,7 +488,7 @@ keyed-sha1 160 ah: 96bit ICV (no document)
null 0 to 2048 for debugging
.Ed
.Pp
Following are the list of encryption algorithms that can be used as
Followings are the list of encryption algorithms that can be used as
.Ar ealgo
in
.Fl E Ar ealgo
@@ -497,7 +508,7 @@ des-deriv 64 ipsec-ciph-des-derived-01 (expired)
3des-deriv 192 no document
.Ed
.Pp
Following are the list of compression algorithms that can be used as
Followings are the list of compression algorithms that can be used as
.Ar calgo
in
.Fl C Ar calgo
@@ -510,7 +521,7 @@ algorithm comment
deflate rfc2394
lzs rfc2395
.Ed
.\"
.\"
.Sh EXAMPLES
.Bd -literal -offset
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
@@ -533,20 +544,18 @@ spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
.Ed
.\"
.\"
.Sh RETURN VALUES
The command exits with 0 on success, and non-zero on errors.
.\"
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
.Xr sysctl 8
.\"
.\"
.Sh HISTORY
The
.Nm
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
The command was completely re-designed in June 1998.
.Pp
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
was initially integrated into
.Fx 4.0
.\"
.\" .Sh BUGS
+52 -40
@@ -1,7 +1,10 @@
/* $FreeBSD$ */
/* $KAME: setkey.c,v 1.14 2000/06/10 06:47:09 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
/* KAME $Id: setkey.c,v 1.5 1999/10/26 09:39:37 sakane Exp $ */
#include <sys/types.h>
#include <sys/param.h>
@@ -51,40 +51,42 @@
#include <errno.h>
#include <netdb.h>
void Usage __P((void));
int main __P((int, char **));
int get_supported __P((void));
void sendkeyshort __P((u_int));
void promisc __P((void));
int sendkeymsg __P((void));
int postproc __P((struct sadb_msg *, int));
const char *numstr __P((int));
void shortdump_hdr __P((void));
void shortdump __P((struct sadb_msg *));
#include "libpfkey.h"
void Usage __P((void));
int main __P((int, char **));
int get_supported __P((void));
void sendkeyshort __P((u_int));
void promisc __P((void));
int sendkeymsg __P((void));
int postproc __P((struct sadb_msg *, int));
const char *numstr __P((int));
void shortdump_hdr __P((void));
void shortdump __P((struct sadb_msg *));
#define MODE_SCRIPT 1
#define MODE_CMDDUMP 2
#define MODE_CMDFLUSH 3
#define MODE_PROMISC 4
int so;
int f_forever = 0;
int f_all = 0;
int f_debug = 0;
int f_verbose = 0;
int f_mode = 0;
int f_cmddump = 0;
int f_policy = 0;
int f_promisc = 0;
int f_hexdump = 0;
char *pname;
int f_forever = 0;
int f_all = 0;
int f_debug = 0;
int f_verbose = 0;
int f_mode = 0;
int f_cmddump = 0;
int f_policy = 0;
int f_hexdump = 0;
char *pname;
u_char m_buf[BUFSIZ];
u_int m_len;
u_char m_buf[BUFSIZ];
u_int m_len;
extern int lineno;
extern int lineno;
extern int parse __P((FILE **));
extern int parse __P((FILE **));
void
Usage()
@@ -95,7 +97,7 @@ Usage()
printf("\t%s [-Pdv] -F\n", pname);
printf("\t%s [-h] -x\n", pname);
pfkey_close(so);
exit(0);
exit(1);
}
int
@@ -139,9 +141,8 @@ main(ac, av)
f_hexdump = 1;
break;
case 'x':
f_promisc = 1;
promisc();
/*NOTREACHED*/
f_mode = MODE_PROMISC;
break;
case 'P':
f_policy = 1;
break;
@@ -170,10 +171,15 @@ main(ac, av)
errx(-1, "%s", ipsec_strerror());
/*NOTREACHED*/
}
parse(&fp);
if (parse(&fp))
exit (1);
break;
case MODE_PROMISC:
promisc();
/*NOTREACHED*/
default:
Usage();
/*NOTREACHED*/
}
exit(0);
@@ -216,7 +222,6 @@ sendkeyshort(type)
m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
@@ -240,7 +245,6 @@ promisc()
m_msg->sadb_msg_satype = 1;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
@@ -325,8 +329,10 @@ sendkeymsg()
if (f_forever)
shortdump_hdr();
again:
if (f_verbose)
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)m_buf);
printf("\n");
}
if ((len = send(so, m_buf, m_len, 0)) < 0) {
perror("send");
@@ -345,8 +351,10 @@ sendkeymsg()
break;
}
if (f_verbose)
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)rbuf);
printf("\n");
}
if (postproc(msg, len) < 0)
break;
} while (msg->sadb_msg_errno || msg->sadb_msg_seq);
@@ -423,8 +431,10 @@ postproc(msg, len)
pfkey_sadump(msg);
msg = (struct sadb_msg *)((caddr_t)msg +
PFKEY_UNUNIT64(msg->sadb_msg_len));
if (f_verbose)
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)msg);
printf("\n");
}
break;
case SADB_X_SPDDUMP:
@@ -432,8 +442,10 @@ postproc(msg, len)
if (msg->sadb_msg_seq == 0) break;
msg = (struct sadb_msg *)((caddr_t)msg +
PFKEY_UNUNIT64(msg->sadb_msg_len));
if (f_verbose)
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)msg);
printf("\n");
}
break;
}
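Review bot: In main's new `case MODE_PROMISC:` the only thing keeping control out of `default: Usage();` is the assumption that promisc() never returns, recorded as `/*NOTREACHED*/`; promisc() is declared void and its body lies outside this hunk, so a later error return added to it would silently become a usage message and exit(1). A `break;` after the call (or an explicit `exit(0);`) makes that intent survive changes to promisc(). Minor style: `exit (1)` on the parse failure path carries a space that `exit(0)` and `exit(1)` elsewhere in the file do not. main's body starts and ends outside the hunk.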
+83 -32
@@ -1,7 +1,10 @@
/* $FreeBSD$ */
/* $KAME: test-pfkey.c,v 1.4 2000/06/07 00:29:14 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
/* KAME $Id: test-pfkey.c,v 1.2 1999/10/26 08:09:17 itojun Exp $ */
#include <sys/types.h>
#include <sys/param.h>
@@ -47,23 +47,24 @@
#include <ctype.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
u_char m_buf[BUFSIZ];
u_int m_len;
char *pname;
u_char m_buf[BUFSIZ];
u_int m_len;
char *pname;
void Usage __P((void));
int sendkeymsg __P((void));
void key_setsadbmsg __P((u_int));
void key_setsadbsens __P((void));
void key_setsadbprop __P((void));
void key_setsadbid __P((u_int, caddr_t));
void key_setsadblft __P((u_int, u_int));
void key_setspirange __P((void));
void key_setsadbkey __P((u_int, caddr_t));
void key_setsadbsa __P((void));
void key_setsadbaddr __P((u_int, u_int, caddr_t));
void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
void Usage __P((void));
int sendkeymsg __P((void));
void key_setsadbmsg __P((u_int));
void key_setsadbsens __P((void));
void key_setsadbprop __P((void));
void key_setsadbid __P((u_int, caddr_t));
void key_setsadblft __P((u_int, u_int));
void key_setspirange __P((void));
void key_setsadbkey __P((u_int, caddr_t));
void key_setsadbsa __P((void));
void key_setsadbaddr __P((u_int, u_int, caddr_t));
void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
void
Usage()
@@ -98,6 +99,18 @@ sendkeymsg()
perror("socket(PF_KEY)");
goto end;
}
#if 0
{
#include <sys/time.h>
struct timeval tv;
tv.tv_sec = 1;
tv.tv_usec = 0;
if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
perror("setsockopt");
goto end;
}
}
#endif
pfkey_sadump((struct sadb_msg *)m_buf);
@@ -124,11 +137,14 @@ key_setsadbmsg(type)
{
struct sadb_msg m_msg;
memset(&m_msg, 0, sizeof(m_msg));
m_msg.sadb_msg_version = PF_KEY_V2;
m_msg.sadb_msg_type = type;
m_msg.sadb_msg_errno = 0;
m_msg.sadb_msg_satype = SADB_SATYPE_ESP;
#if 0
m_msg.sadb_msg_reserved = 0;
#endif
m_msg.sadb_msg_seq = 0;
m_msg.sadb_msg_pid = getpid();
@@ -223,6 +239,24 @@ key_setsadbmsg(type)
break;
case SADB_X_SPDADD:
#if 0
{
struct sadb_x_policy m_policy;
m_policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(m_policy));
m_policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
m_policy.sadb_x_policy_type = SADB_X_PL_IPSEC;
m_policy.sadb_x_policy_esp_trans = 1;
m_policy.sadb_x_policy_ah_trans = 2;
m_policy.sadb_x_policy_esp_network = 3;
m_policy.sadb_x_policy_ah_network = 4;
m_policy.sadb_x_policy_reserved = 0;
memcpy(m_buf + m_len, &m_policy, sizeof(struct sadb_x_policy));
m_len += sizeof(struct sadb_x_policy);
}
#endif
case SADB_X_SPDDELETE:
key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
@@ -437,32 +471,49 @@ key_setsadbaddr(ext, af, str)
caddr_t str;
{
struct sadb_address m_addr;
u_char abuf[64];
struct sockaddr *a = (struct sockaddr *)abuf;
u_int len;
struct addrinfo hints, *res;
const char *serv;
int plen;
switch (af) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
default:
/* XXX bark */
exit(1);
}
/* make sockaddr buffer */
memset(abuf, 0, sizeof(abuf));
a->sa_len = _SALENBYAF(af);
a->sa_family = af;
_INPORTBYSA(a) =
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : htons(0x1234));
if (inet_pton(af, str, _INADDRBYSA(a)) != 1)
; /* XXX do something */
memset(&hints, 0, sizeof(hints));
hints.ai_family = af;
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
hints.ai_flags = AI_NUMERICHOST;
serv = (ext == SADB_EXT_ADDRESS_PROXY ? "0" : "4660"); /*0x1234*/
if (getaddrinfo(str, serv, &hints, &res) != 0 || res->ai_next) {
/* XXX bark */
exit(1);
}
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(a->sa_len);
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(res->ai_addrlen);
m_addr.sadb_address_len = PFKEY_UNIT64(len);
m_addr.sadb_address_exttype = ext;
m_addr.sadb_address_proto =
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : IPPROTO_TCP);
m_addr.sadb_address_prefixlen = _INALENBYAF(af);
m_addr.sadb_address_prefixlen = plen;
m_addr.sadb_address_reserved = 0;
key_setsadbextbuf(m_buf, m_len,
(caddr_t)&m_addr, sizeof(struct sadb_address),
abuf, a->sa_len);
(caddr_t)res->ai_addr, res->ai_addrlen);
m_len += len;
freeaddrinfo(res);
return;
}
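Review bot: key_setsadbaddr exits silently on both of its new failure paths — the `default:` of the family switch and the `getaddrinfo(...) != 0 || res->ai_next` branch — leaving only `/* XXX bark */` where a diagnostic belongs, and the getaddrinfo return value is discarded so gai_strerror() cannot be used. Capturing it, e.g. `int error = getaddrinfo(str, serv, &hints, &res); if (error != 0) { fprintf(stderr, "%s: %s\n", str, gai_strerror(error)); exit(1); }`, with a separate check for `res->ai_next` afterwards, would say what went wrong. Separately, the `#if 0` block added to sendkeymsg places `#include <sys/time.h>` inside a function body; if that receive-timeout code is ever enabled, the include belongs with the file-scope includes.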
+37 -44
@@ -1,7 +1,10 @@
/* $FreeBSD$ */
/* $KAME: token.l,v 1.13 2000/06/07 00:29:14 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
%{
@@ -63,18 +64,19 @@
#define PREPROC DECHO CMDARG
int lineno = 1;
char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
int lineno = 1;
char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
extern u_char m_buf[BUFSIZ];
extern u_int m_len;
extern int f_debug;
extern u_char m_buf[BUFSIZ];
extern u_int m_len;
extern int f_debug;
int yylex __P((void));
void yyerror __P((char *s));
extern void parse_init __P((void));
int parse __P((FILE **));
int yyparse __P((void));
int yylex __P((void));
void yyfatal __P((const char *s));
void yyerror __P((const char *s));
extern void parse_init __P((void));
int parse __P((FILE **));
int yyparse __P((void));
%}
@@ -106,9 +108,7 @@ decstring {digit}+
hexpair {hexdigit}{hexdigit}
hexstring 0[xX]{hexdigit}+
octetstring {octet}({dot}{octet})+
ipaddress {ipv4addr}|{ipv6addr}
ipv4addr {digit}{1,3}({dot}{digit}{1,3}){0,3}
ipv6addr {hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7}(%{letter}{letter}+)?
ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
ipaddrmask {slash}{digit}{1,3}
ipaddrport {blcl}{decstring}{elcl}
keyword {letter}{letter}+
@@ -186,11 +186,12 @@ lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
{hyphen}m { PREPROC; return(F_MODE); }
transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
{hyphen}u { PREPROC; return(F_REQID); }
{hyphen}f { PREPROC; return(F_EXT); }
random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); }
nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
{hyphen}r { PREPROC; return(F_REPLAY); }
{hyphen}lh { PREPROC; return(F_LIFETIME_HARD); }
{hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); }
@@ -214,35 +215,17 @@ any { PREPROC; return(ANY); }
char *bp;
PREPROC;
yylval.num = strtol(yytext, &bp, 10);
yylval.num = strtoul(yytext, &bp, 10);
return(DECSTRING);
}
{ipv4addr} {
/*
* I can't supprt the type without dot,
* because it's umbiguous against {decstring}.
* e.g. 127
*/
{ipaddress} {
PREPROC;
yylval.val.len = sizeof(struct sockaddr_in);
yylval.val.len = yyleng;
yylval.val.buf = strdup(yytext);
return(IP4_ADDRESS);
}
{ipv6addr} {
#ifdef INET6
PREPROC;
yylval.val.len = sizeof(struct sockaddr_in6);
yylval.val.buf = strdup(yytext);
return(IP6_ADDRESS);
#else
yyerror("IPv6 address not supported");
#endif
return(ADDRESS);
}
{ipaddrmask} {
@@ -263,7 +246,6 @@ any { PREPROC; return(ANY); }
}
{blcl}any{elcl} {
char *p = yytext;
PREPROC;
return(PORTANY);
}
@@ -294,12 +276,24 @@ any { PREPROC; return(ANY); }
return(QUOTEDSTRING);
}
. { yyerror("Syntax error"); }
. {
yyfatal("Syntax error");
/*NOTREACHED*/
}
%%
void
yyerror(char *s)
yyfatal(s)
const char *s;
{
yyerror(s);
exit(1);
}
void
yyerror(s)
const char *s;
{
printf("line %d: %s at [%s]\n", lineno, s, yytext);
}
@@ -319,4 +313,3 @@ parse(fp)
return(0);
}
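Review bot: The `{decstring}` action now calls strtoul but still discards `bp` and never looks at errno, so a decimal literal that overflows unsigned long is silently clamped to ULONG_MAX and handed to the parser in `yylval.num`, whose width is not visible here; `errno = 0;` before the call and `if (errno == ERANGE) yyerror("number out of range");` after it would reject it at lex time. The strdup() in the merged `{ipaddress}` action is unchecked as well, so an allocation failure passes a NULL buffer up as an ADDRESS token; that was already true of the two rules it replaces. yyerror() writes its diagnostics to stdout via printf, which mixes them with normal output when setkey is piped; stderr would be the conventional choice.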
+7 -6
@@ -1,7 +1,10 @@
/* $FreeBSD$ */
/* $KAME: vchar.h,v 1.2 2000/06/07 00:29:14 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,11 +28,9 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
typedef struct {
u_int len;
caddr_t buf;
u_int len;
caddr_t buf;
} vchar_t;
+7
@@ -29,11 +29,18 @@
PROG= setkey
SRCS= setkey.c parse.y token.l
CFLAGS+=-g
CFLAGS+=-I${.CURDIR}/../../lib/libipsec
DPADD= ${LIBL} ${LIBY}
LDADD= -ll -ly
CLEANFILES+= y.tab.c y.tab.h key_test.o keytest
YFLAGS+=-d
# libpfkey.
# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
CFLAGS+=-I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netkey
SCRIPTS= scriptdump
BINOWN = root
+269 -154
@@ -1,7 +1,10 @@
/* $FreeBSD$ */
/* $KAME: parse.y,v 1.29 2000/06/10 14:17:44 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
/* KAME $Id: parse.y,v 1.7 1999/10/27 17:08:57 sakane Exp $ */
%{
#include <sys/types.h>
@@ -45,48 +45,52 @@
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <netdb.h>
#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include "libpfkey.h"
#include "vchar.h"
#define ATOX(c) \
(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
u_int p_type;
u_int32_t p_spi;
struct sockaddr *p_src, *p_dst;
u_int p_prefs, p_prefd, p_upper;
u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
u_int p_key_enc_len, p_key_auth_len;
caddr_t p_key_enc, p_key_auth;
time_t p_lt_hard, p_lt_soft;
u_int p_type;
u_int32_t p_spi;
struct sockaddr *p_src, *p_dst;
u_int p_prefs, p_prefd, p_upper;
u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
u_int32_t p_reqid;
u_int p_key_enc_len, p_key_auth_len;
caddr_t p_key_enc, p_key_auth;
time_t p_lt_hard, p_lt_soft;
u_int p_policy_len;
char *p_policy;
u_int p_policy_len;
char *p_policy;
/* temporary buffer */
static struct sockaddr *pp_addr;
static u_int pp_prefix;
static u_int pp_port;
static caddr_t pp_key;
static struct sockaddr *pp_addr;
static u_int pp_prefix;
static u_int pp_port;
static caddr_t pp_key;
extern u_char m_buf[BUFSIZ];
extern int m_len;
extern char cmdarg[8192];
extern int f_debug;
extern u_char m_buf[BUFSIZ];
extern int m_len;
extern char cmdarg[8192];
extern int f_debug;
int setkeymsg __P((void));
static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
void parse_init __P((void));
void free_buffer __P((void));
int setkeymsg __P((void));
static struct addrinfo *parse_addr __P((char *, char *, int));
static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
void parse_init __P((void));
void free_buffer __P((void));
extern int setkeymsg __P((void));
extern int sendkeymsg __P((void));
extern int setkeymsg __P((void));
extern int sendkeymsg __P((void));
extern int yylex __P((void));
extern void yyerror __P((char *));
extern int yylex __P((void));
extern void yyfatal __P((const char *));
extern void yyerror __P((const char *));
%}
%union {
@@ -96,11 +100,11 @@ extern void yyerror __P((char *));
%token EOT
%token ADD GET DELETE FLUSH DUMP
%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT PORTANY
%token ADDRESS PREFIX PORT PORTANY
%token UP_PROTO PR_ESP PR_AH PR_IPCOMP
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
%token F_MODE MODE
%token F_EXT EXTENSION
%token F_MODE MODE F_REQID
%token F_EXT EXTENSION NOCYCLICSEQ
%token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
%token F_LIFETIME_HARD F_LIFETIME_SOFT
%token DECSTRING QUOTEDSTRING HEXSTRING ANY
@@ -108,6 +112,14 @@ extern void yyerror __P((char *));
%token SPDADD SPDDELETE SPDDUMP SPDFLUSH
%token F_POLICY PL_REQUESTS
%type <num> PORT PREFIX EXTENSION MODE
%type <num> UP_PROTO PR_ESP PR_AH PR_IPCOMP
%type <num> ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
%type <num> DECSTRING
%type <val> ADDRESS PL_REQUESTS
%type <val> key_string policy_requests
%type <val> QUOTEDSTRING HEXSTRING
%%
commands
: /*NOTHING*/
@@ -146,13 +158,23 @@ add_command
/* delete */
delete_command
: DELETE { p_type = SADB_DELETE; }
sa_selector_spec extension_spec EOT
sa_selector_spec extension_spec
{
if (p_mode != IPSEC_MODE_ANY)
yyerror("WARNING: mode is obsoleted.");
}
EOT
;
/* get command */
get_command
: GET { p_type = SADB_GET; }
sa_selector_spec extension_spec EOT
sa_selector_spec extension_spec
{
if (p_mode != IPSEC_MODE_ANY)
yyerror("WARNING: mode is obsoleted.");
}
EOT
;
/* flush */
@@ -179,7 +201,7 @@ protocol_spec
| PR_ESP
{
p_satype = SADB_SATYPE_ESP;
if ($1.num == 1)
if ($1 == 1)
p_ext |= SADB_X_EXT_OLD;
else
p_ext &= ~SADB_X_EXT_OLD;
@@ -187,7 +209,7 @@ protocol_spec
| PR_AH
{
p_satype = SADB_SATYPE_AH;
if ($1.num == 1)
if ($1 == 1)
p_ext |= SADB_X_EXT_OLD;
else
p_ext &= ~SADB_X_EXT_OLD;
@@ -199,18 +221,18 @@ protocol_spec
;
spi
: DECSTRING { p_spi = $1.num; }
: DECSTRING { p_spi = $1; }
| HEXSTRING
{
caddr_t bp;
caddr_t yp = $1.val.buf;
caddr_t yp = $1.buf;
char buf0[4], buf[4];
int i, j;
/* sanity check */
if ($1.val.len > 4) {
if ($1.len > 4) {
yyerror("SPI too big.");
free($1.val.buf);
free($1.buf);
return -1;
}
@@ -223,13 +245,13 @@ spi
/* initialize */
for (i = 0; i < 4; i++) buf[i] = 0;
for (j = $1.val.len - 1, i = 3; j >= 0; j--, i--)
for (j = $1.len - 1, i = 3; j >= 0; j--, i--)
buf[i] = buf0[j];
/* XXX: endian */
p_spi = ntohl(*(u_int32_t *)buf);
free($1.val.buf);
free($1.buf);
}
;
@@ -249,16 +271,16 @@ ah_spec
;
ipcomp_spec
: F_COMP ALG_COMP { p_alg_enc = $2.num; }
| F_COMP ALG_COMP { p_alg_enc = $2.num; }
: F_COMP ALG_COMP { p_alg_enc = $2; }
| F_COMP ALG_COMP { p_alg_enc = $2; }
F_RAWCPI { p_ext |= SADB_X_EXT_RAWCPI; }
;
enc_alg
: ALG_ENC { p_alg_enc = $1.num; }
: ALG_ENC { p_alg_enc = $1; }
| ALG_ENC_DESDERIV
{
p_alg_enc = $1.num;
p_alg_enc = $1;
if (p_ext & SADB_X_EXT_OLD) {
yyerror("algorithm mismatched.");
return -1;
@@ -267,7 +289,7 @@ enc_alg
}
| ALG_ENC_DES32IV
{
p_alg_enc = $1.num;
p_alg_enc = $1;
if (!(p_ext & SADB_X_EXT_OLD)) {
yyerror("algorithm mismatched.");
return -1;
@@ -286,7 +308,7 @@ enc_key
}
| key_string
{
p_key_enc_len = $1.val.len;
p_key_enc_len = $1.len;
p_key_enc = pp_key;
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
@@ -299,7 +321,7 @@ enc_key
;
auth_alg
: ALG_AUTH { p_alg_auth = $1.num; }
: ALG_AUTH { p_alg_auth = $1; }
;
auth_key
@@ -312,7 +334,7 @@ auth_key
}
| key_string
{
p_key_auth_len = $1.val.len;
p_key_auth_len = $1.len;
p_key_auth = pp_key;
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
@@ -327,20 +349,20 @@ auth_key
key_string
: QUOTEDSTRING
{
pp_key = $1.val.buf;
pp_key = $1.buf;
/* free pp_key later */
}
| HEXSTRING
{
caddr_t bp;
caddr_t yp = $1.val.buf;
caddr_t yp = $1.buf;
if ((pp_key = malloc($1.val.len)) == 0) {
free($1.val.buf);
yyerror(strerror(errno));
if ((pp_key = malloc($1.len)) == 0) {
free($1.buf);
yyerror("not enough core");
return -1;
}
memset(pp_key, 0, $1.val.len);
memset(pp_key, 0, $1.len);
bp = pp_key;
while (*yp) {
@@ -348,7 +370,7 @@ key_string
yp += 2, bp++;
}
free($1.val.buf);
free($1.buf);
}
;
@@ -358,9 +380,11 @@ extension_spec
;
extension
: F_EXT EXTENSION { p_ext |= $1.num; }
| F_MODE MODE { p_mode = $2.num; }
: F_EXT EXTENSION { p_ext |= $2; }
| F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; }
| F_MODE MODE { p_mode = $2; }
| F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
| F_REQID DECSTRING { p_reqid = $2; }
| F_REPLAY DECSTRING
{
if (p_ext & SADB_X_EXT_OLD) {
@@ -368,10 +392,10 @@ extension
"only use on new spec.");
return -1;
}
p_replay = $2.num;
p_replay = $2;
}
| F_LIFETIME_HARD DECSTRING { p_lt_hard = $2.num; }
| F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2.num; }
| F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
| F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
;
/* definition about command for SPD management */
@@ -391,7 +415,7 @@ spddelete_command:
p_type = SADB_X_SPDDELETE;
p_satype = SADB_SATYPE_UNSPEC;
}
sp_selector_spec EOT
sp_selector_spec policy_spec EOT
;
spddump_command:
@@ -416,97 +440,107 @@ spdflush_command:
sp_selector_spec
: ipaddress { p_src = pp_addr; }
prefix { p_prefs = pp_prefix; }
port { _INPORTBYSA(p_src) = htons(pp_port); }
port
{
switch (p_src->sa_family) {
case AF_INET:
((struct sockaddr_in *)p_src)->sin_port =
htons(pp_port);
break;
#ifdef INET6
case AF_INET6:
((struct sockaddr_in6 *)p_src)->sin6_port =
htons(pp_port);
break;
#endif
default:
exit(1); /*XXX*/
}
}
ipaddress { p_dst = pp_addr; }
prefix { p_prefd = pp_prefix; }
port { _INPORTBYSA(p_dst) = htons(pp_port); }
port
{
switch (p_dst->sa_family) {
case AF_INET:
((struct sockaddr_in *)p_dst)->sin_port =
htons(pp_port);
break;
#ifdef INET6
case AF_INET6:
((struct sockaddr_in6 *)p_dst)->sin6_port =
htons(pp_port);
break;
#endif
default:
exit(1); /*XXX*/
}
}
upper_spec
{
/* XXX is it something userland should check? */
#if 0
switch (p_upper) {
case IPPROTO_ICMP:
case IPPROTO_ICMPV6:
if (_INPORTBYSA(p_src) != IPSEC_PORT_ANY
|| _INPORTBYSA(p_dst) != IPSEC_PORT_ANY) {
yyerror("port number must be \"any\".");
return -1;
}
if ((pp_addr->sa_family == AF_INET6
&& p_upper == IPPROTO_ICMP)
|| (pp_addr->sa_family == AF_INET
&& p_upper == IPPROTO_ICMPV6)) {
yyerror("upper layer protocol "
"mismatched.\n");
return -1;
}
break;
default:
break;
}
#endif
}
;
ipaddress
: IP4_ADDRESS
: ADDRESS
{
struct sockaddr_in *in;
u_int sa_len = $1.val.len;
struct addrinfo *res;
if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0) {
yyerror(strerror(errno));
free($1.val.buf);
res = parse_addr($1.buf, NULL, AI_NUMERICHOST);
if (res == NULL) {
free($1.buf);
return -1;
}
memset((caddr_t)in, 0, sa_len);
in->sin_family = PF_INET;
in->sin_len = sa_len;
in->sin_port = IPSEC_PORT_ANY;
(void)inet_pton(PF_INET, $1.val.buf, &in->sin_addr);
pp_addr = (struct sockaddr *)in;
free($1.val.buf);
}
| IP6_ADDRESS
{
#ifdef INET6
struct sockaddr_in6 *in6;
u_int sa_len = $1.val.len;
struct addrinfo hints, *res;
int ret_gai;
if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0) {
free($1.val.buf);
yyerror(strerror(errno));
return -1;
pp_addr = (struct sockaddr *)malloc(res->ai_addrlen);
if (!pp_addr) {
yyerror("not enough core");
goto end;
}
memset((caddr_t)in6, 0, sa_len);
bzero(&hints, sizeof(struct addrinfo));
hints.ai_flags = AI_NUMERICHOST;
hints.ai_family = AF_INET6;
ret_gai = getaddrinfo($1.val.buf, NULL, &hints, &res);
if (ret_gai) {
free($1.val.buf);
free(in6);
yyerror(gai_strerror(ret_gai));
if (ret_gai == EAI_SYSTEM)
yyerror(strerror(errno));
return -1;
}
(void)memcpy(in6, res->ai_addr, res->ai_addrlen);
/*
* XXX: If the scope of the destination is link-local,
* embed the scope-id(in this case, interface index)
* into the address.
*/
if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr) &&
in6->sin6_scope_id != 0)
*(u_short *)&in6->sin6_addr.s6_addr[2] =
htons(in6->sin6_scope_id & 0xffff);
memcpy(pp_addr, res->ai_addr, res->ai_addrlen);
end:
freeaddrinfo(res);
pp_addr = (struct sockaddr *)in6;
#else
yyerror("IPv6 address not supported");
#endif
free($1.val.buf);
free($1.buf);
}
;
prefix
: /*NOTHING*/ { pp_prefix = ~0; }
| PREFIX { pp_prefix = $1.num; }
| PREFIX { pp_prefix = $1; }
;
port
: /*NOTHING*/ { pp_port = IPSEC_PORT_ANY; }
| PORT { pp_port = $1.num; }
| PORT { pp_port = $1; }
| PORTANY { pp_port = IPSEC_PORT_ANY; }
;
upper_spec
: DECSTRING { p_upper = $1.num; }
| UP_PROTO { p_upper = $1.num; }
: DECSTRING { p_upper = $1; }
| UP_PROTO { p_upper = $1; }
| PR_ESP { p_upper = IPPROTO_ESP; };
| PR_AH { p_upper = IPPROTO_AH; };
| PR_IPCOMP { p_upper = IPPROTO_IPCOMP; };
@@ -516,9 +550,9 @@ upper_spec
policy_spec
: F_POLICY policy_requests
{
p_policy = ipsec_set_policy($2.val.buf, $2.val.len);
p_policy = ipsec_set_policy($2.buf, $2.len);
if (p_policy == NULL) {
free($2.val.buf);
free($2.buf);
p_policy = NULL;
yyerror(ipsec_strerror());
return -1;
@@ -526,13 +560,12 @@ policy_spec
p_policy_len = ipsec_get_policylen(p_policy);
free($2.val.buf);
free($2.buf);
}
;
policy_requests:
/*NOTHING*/
| PL_REQUESTS { $$ = $1; }
policy_requests
: PL_REQUESTS { $$ = $1; }
;
%%
@@ -546,7 +579,6 @@ setkeymsg()
m_msg.sadb_msg_type = p_type;
m_msg.sadb_msg_errno = 0;
m_msg.sadb_msg_satype = p_satype;
m_msg.sadb_msg_mode = p_mode;
m_msg.sadb_msg_reserved = 0;
m_msg.sadb_msg_seq = 0;
m_msg.sadb_msg_pid = getpid();
@@ -629,6 +661,7 @@ setkeymsg()
case SADB_GET:
{
struct sadb_sa m_sa;
struct sadb_x_sa2 m_sa2;
struct sadb_address m_addr;
u_int len;
@@ -645,14 +678,36 @@ setkeymsg()
memcpy(m_buf + m_len, &m_sa, len);
m_len += len;
len = sizeof(struct sadb_x_sa2);
m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
m_sa2.sadb_x_sa2_mode = p_mode;
m_sa2.sadb_x_sa2_reqid = p_reqid;
memcpy(m_buf + m_len, &m_sa2, len);
m_len += len;
/* set src */
m_addr.sadb_address_len =
PFKEY_UNIT64(sizeof(m_addr)
+ PFKEY_ALIGN8(p_src->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
m_addr.sadb_address_prefixlen =
_INALENBYAF(p_src->sa_family) << 3;
switch (p_src->sa_family) {
case AF_INET:
m_addr.sadb_address_prefixlen =
sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
m_addr.sadb_address_prefixlen =
sizeof(struct in6_addr) << 3;
break;
#endif
default:
yyerror("unsupported address family");
exit(1); /*XXX*/
}
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@@ -665,8 +720,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_dst->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
m_addr.sadb_address_prefixlen =
_INALENBYAF(p_dst->sa_family) << 3;
switch (p_dst->sa_family) {
case AF_INET:
m_addr.sadb_address_prefixlen =
sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
m_addr.sadb_address_prefixlen =
sizeof(struct in6_addr) << 3;
break;
#endif
default:
yyerror("unsupported address family");
exit(1); /*XXX*/
}
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@@ -681,17 +749,15 @@ setkeymsg()
break;
case SADB_X_SPDADD:
case SADB_X_SPDDELETE:
{
struct sadb_address m_addr;
u_int8_t plen;
memcpy(m_buf + m_len, p_policy, p_policy_len);
m_len += p_policy_len;
free(p_policy);
p_policy = NULL;
}
/* FALLTHROUGH */
case SADB_X_SPDDELETE:
{
struct sadb_address m_addr;
/* set src */
m_addr.sadb_address_len =
@@ -699,9 +765,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_src->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
m_addr.sadb_address_proto = p_upper;
switch (p_src->sa_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
#endif
default:
yyerror("unsupported address family");
exit(1); /*XXX*/
}
m_addr.sadb_address_prefixlen =
(p_prefs != ~0 ? p_prefs :
_INALENBYAF(p_src->sa_family) << 3);
(p_prefs != ~0 ? p_prefs : plen);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@@ -714,9 +792,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_dst->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
m_addr.sadb_address_proto = p_upper;
switch (p_dst->sa_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
#endif
default:
yyerror("unsupported address family");
exit(1); /*XXX*/
}
m_addr.sadb_address_prefixlen =
(p_prefd != ~0 ? p_prefd :
_INALENBYAF(p_dst->sa_family) << 3);
(p_prefd != ~0 ? p_prefd : plen);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@@ -731,6 +821,30 @@ setkeymsg()
return 0;
}
static struct addrinfo *
parse_addr(host, port, flag)
char *host;
char *port;
int flag;
{
struct addrinfo hints, *res = NULL;
int error;
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_DGRAM;
hints.ai_flags = flag;
error = getaddrinfo(host, port, &hints, &res);
if (error != 0) {
yyerror(gai_strerror(error));
return NULL;
}
if (res->ai_next != NULL) {
yyerror(gai_strerror(error));
}
return res;
}
static int
setvarbuf(off, ebuf, elen, vbuf, vlen)
caddr_t vbuf;
@@ -757,11 +871,12 @@ parse_init()
p_upper = 0;
p_satype = 0;
p_ext = SADB_X_EXT_NONE;
p_ext = SADB_X_EXT_CYCSEQ;
p_alg_enc = SADB_EALG_NONE;
p_alg_auth = SADB_AALG_NONE;
p_mode = IPSEC_MODE_ANY;
p_replay = 4;
p_reqid = 0;
p_replay = 0;
p_key_enc_len = p_key_auth_len = 0;
p_key_enc = p_key_auth = 0;
p_lt_hard = p_lt_soft = 0;
+2 -2
@@ -170,7 +170,7 @@ add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
# Also delete command, you can delete a entry of either SP or SA.
spddelete out fec0:0:0:1::/64 fec0:0:0:2:/64 any ;
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
# By dump command, you can dump all entry of either SP or SA.
@@ -204,7 +204,7 @@ add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f cyclic-seq -E simple ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E simple ;
add ::1 ::1 esp 10018 -m transport -E simple ;
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
+7 -5
@@ -20,8 +20,8 @@ open(IN, "setkey -D |") || die;
foreach $_ (<IN>) {
if (/^[^\t]/) {
($src, $dst) = split(/\s+/, $_);
} elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*replay=(\d+)/) {
($proto, $ipsecmode, $spi, $replay) = ($1, $2, $3, $4);
} elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*reqid=(\d+)/) {
($proto, $ipsecmode, $spi, $reqid) = ($1, $2, $3, $4);
} elsif (/^\tE: (\S+) (.*)/) {
$ealgo = $1;
$ekey = $2;
@@ -32,17 +32,19 @@ foreach $_ (<IN>) {
$akey = $2;
$akey =~ s/\s//g;
$akey =~ s/^/0x/g;
} elsif (/^\tstate=/) {
} elsif (/^\treplay=(\d+) flags=(0x\d+) state=/) {
print "$mode $src $dst $proto $spi -m $ipsecmode";
print " -r $replay" if $replay;
$replay = $1;
print " -u $reqid" if $reqid;
if ($mode eq 'add') {
print " -r $replay" if $replay;
if ($proto eq 'esp') {
print " -E $ealgo $ekey" if $ealgo;
print " -A $aalgo $akey" if $aalgo;
} elsif ($proto eq 'ah') {
print " -A $aalgo $akey" if $aalgo;
}
}
}
print ";\n";
$src = $dst = $upper = $proxy = '';
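Review bot: `-m $ipsecmode` is still printed for every `$mode` in the `state=` branch, but the grammar change elsewhere in this commit makes `delete` and `get` emit `yyerror("WARNING: mode is obsoleted.")` whenever a mode other than any is given. If `$mode` can be anything other than add (the `if ($mode eq 'add')` guard suggests it can), every regenerated delete/get line will now trip that warning. Moving the mode into the add-only block avoids it: `print "$mode $src $dst $proto $spi";` then `print " -m $ipsecmode" if $mode eq 'add';`. The surrounding foreach body starts and ends outside this hunk, so check that no other branch relies on `-m` being present.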
+73 -64
@@ -1,6 +1,9 @@
.\" $FreeBSD$
.\" $KAME: setkey.8,v 1.28 2000/06/16 12:03:46 sakane Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
.\"
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
@@ -12,7 +15,7 @@
.\" 3. Neither the name of the project nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,15 +28,14 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: setkey.8,v 1.14 1999/10/27 17:08:58 sakane Exp $
.\" $FreeBSD$
.\"
.Dd May 17, 1998
.Dt SETKEY 8
.Os
.Os KAME
.\"
.Sh NAME
.Nm setkey
.Nd manually manipulate the SA/SP database.
.Nd manually manipulate the IPsec SA/SP database.
.\"
.Sh SYNOPSIS
.Nm setkey
.Op Fl dv
@@ -50,19 +52,20 @@
.Nm setkey
.Op Fl h
.Fl x
.\"
.\"
.Sh DESCRIPTION
.Nm
updates, or lists the content of, Security Association Database (SAD) entries
in the kernel as well as Security Policy Database (SPD) entries.
addes, updates, dumpes, or flushes
Security Association Database (SAD) entries
as well as Security Policy Database (SPD) entries in the kernel.
.Pp
.Nm
takes a series of operation from standard input
takes a series of operations from the standard input
.Po
if invoked with
.Fl c
.Pc
or file named
or the file named
.Ar filename
.Po
if invoked with
@@ -75,21 +78,23 @@ If with
.Fl P ,
the SPD entries are dumped.
.It Fl F
Flush the SAD.
Flush the SAD entries.
If with
.Fl P ,
the SPD are flushed.
the SPD entries are flushed.
.It Fl a
.Nm
usually do not display dead SAD entries on
usually does not display dead SAD entries with
.Fl D .
With
If with
.Fl a ,
dead SAD entries will be displayed as well.
Dead SAD entries are kept in the kernel,
when they are referenced from any of SPD entries in the kernel.
the dead SAD entries will be displayed as well.
A dead SAD entry means that
it has been expired but remains
because it is referenced by SPD entries.
.It Fl d
Enable debugging messages.
Enable to print debugging messages for command parser,
without talking to kernel. It is not used usually.
.It Fl x
Loop forever and dump all the messages transmitted to
.Dv PF_KEY
@@ -98,7 +103,6 @@ socket.
Add hexadecimal dump on
.Fl x
mode.
The order is significant.
.It Fl l
Loop forever with short output on
.Fl D .
@@ -111,10 +115,8 @@ including messages sent from other processes
.Pc .
.El
.Pp
Operation has the following grammar.
Note that lines, that start with a
hashmark ('#') are treated as comment lines.
Description of meta-arguments follows.
Operations have the following grammar. Note that lines starting with
hashmarks ('#') are treated as comment lines.
.Bl -tag -width Ds
.It Xo
.Li add
@@ -123,51 +125,49 @@ Description of meta-arguments follows.
.Ar algorithm...
.Li ;
.Xc
Add a SAD entry.
Add an SAD entry.
.\"
.It Xo
.Li get
.Ar src Ar dst Ar protocol Ar spi
.Op Ar mode
.Li ;
.Xc
Show a SAD entry.
Show an SAD entry.
.\"
.It Xo
.Li delete
.Ar src Ar dst Ar protocol Ar spi
.Op Ar mode
.Li ;
.Xc
Remove a SAD entry.
Remove an SAD entry.
.\"
.It Xo
.Li flush
.Op Ar protocol
.Li ;
.Xc
Clear all SAD entries that matches the options.
Clear all SAD entries matched by the options.
.\"
.It Xo
.Li dump
.Op Ar protocol
.Li ;
.Xc
Dumps all SAD entries that matches the options.
Dumps all SAD entries matched by the options.
.\"
.It Xo
.Li spdadd
.Ar src_range Ar dst_range Ar upperspec Ar policy
.Li ;
.Xc
Add a SPD entry.
Add an SPD entry.
.\"
.It Xo
.Li spddelete
.Ar src_range Ar dst_range Ar upperspec
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
.Li ;
.Xc
Delete a SPD entry.
Delete an SPD entry.
.\"
.It Xo
.Li spdflush
@@ -215,8 +215,9 @@ IPCOMP
.\"
.Pp
.It Ar spi
Security Parameter Index (SPI) for the SA and SPD.
Security Parameter Index (SPI) for the SAD and the SPD.
It must be decimal number or hexadecimal number
You can not use the set of SPI values in the range 0 through 255.
.Po
with
.Li 0x
@@ -225,30 +226,40 @@ attached
.\"
.Pp
.It Ar extensions
takes some of the following:
.Bl -tag -width Fl -compact
take some of the following:
.Bl -tag -width Fl -compact
.\"
.It Fl m Ar mode
Specify an security protocol mode for use. By default,
.Li any .
Specify a security protocol mode for use.
.Ar mode
is one of following:
.Li transport , tunnel
or
.Li any .
The default value is
.Li any .
.\"
.It Fl r Ar size
Specify window size of bytes for replay prevention.
.Ar size
must be decimal number in 32-bit word. If
.Ar size
is zero or not specified, replay check don't take place.
.\"
.It Fl u Ar id
Specify the identifier of policy. See also
.Xr ipsec_set_policy 3 .
.\"
.It Fl f Ar pad_option
.Ar pad_option
is one of following:
.Li zero-pad , random-pad
or
.Li seq-pad
.It Fl f Li cyclic-seq
Allow cyclic sequence number.
.\"
.It Fl f Li nocyclic-seq
Don't allow cyclic sequence number.
.\"
.It Fl lh Ar time
.It Fl ls Ar time
Specify hard/soft lifetime.
@@ -256,7 +267,7 @@ Specify hard/soft lifetime.
.\"
.Pp
.It Ar algorithm
.Bl -tag -width Fl -compact
.Bl -tag -width Fl -compact
.It Fl E Ar ealgo Ar key
Specify encryption algorithm.
.It Fl A Ar aalgo Ar key
@@ -268,7 +279,7 @@ is used for esp, it will be treated as ESP payload authentication algorithm.
Specify compression algorithm.
If
.Fl R
is specified with
is not specified with
.Li ipcomp
line, the kernel will use well-known IPComp CPI
.Pq compression parameter index
@@ -280,7 +291,7 @@ field is only for kernel internal use in this case.
.\"Therefore, compression protocol number will appear on IPComp CPI field.
If
.Fl R
is not used,
is used,
the value on
.Ar spi
field will appear on IPComp CPI field on outgoing packets.
@@ -311,7 +322,7 @@ SAs accept
only.
.Pp
.Ar key
must be double-quoted character string or a series of hexadecimal digits.
must be double-quoted character string or series of hexadecimal digits.
.Pp
Possible values for
.Ar ealgo ,
@@ -322,7 +333,7 @@ are specified in separate section.
.\"
.It Ar src_range
.It Ar dst_range
These are selection of the secure communication is specified as
These are selections of the secure communication specified as
IPv4/v6 address or IPv4/v6 address range, and it may accompany
TCP/UDP port specification.
This takes the following form:
@@ -365,7 +376,7 @@ NOTE:
.Ar upperspec
does not work against forwarding case at this moment,
as it requires extra reassembly at forwarding node
.Pq not implemented as this moment .
.Pq not implemented at this moment .
.\"
.It Ar policy
.Ar policy
@@ -427,15 +438,15 @@ is to be one of the following:
or
.Li require .
.Li default
means kernel consults to the system wide default against protocol you
means the kernel consults to the system wide default against protocol you
specified, e.g.
.Li esp_trans_deflev
sysctl variable, when kernel processes the packet.
sysctl variable, when the kernel processes the packet.
.Li use
means that kernel use a SA if it's available,
otherwise kernel keeps normal operation.
means that the kernel use a SA if it's available,
otherwise the kernel keeps normal operation.
.Li require
means SA is required whenever kernel deals with the packet.
means SA is required whenever the kernel deals with the packet.
Note that
.Dq Li discard
and
@@ -456,7 +467,7 @@ The following list shows the supported algorithms.
and
.Sy algorithm
are almost orthogonal.
Following are the list of authentication algorithms that can be used as
Followings are the list of authentication algorithms that can be used as
.Ar aalgo
in
.Fl A Ar aalgo
@@ -477,7 +488,7 @@ keyed-sha1 160 ah: 96bit ICV (no document)
null 0 to 2048 for debugging
.Ed
.Pp
Following are the list of encryption algorithms that can be used as
Followings are the list of encryption algorithms that can be used as
.Ar ealgo
in
.Fl E Ar ealgo
@@ -497,7 +508,7 @@ des-deriv 64 ipsec-ciph-des-derived-01 (expired)
3des-deriv 192 no document
.Ed
.Pp
Following are the list of compression algorithms that can be used as
Followings are the list of compression algorithms that can be used as
.Ar calgo
in
.Fl C Ar calgo
@@ -510,7 +521,7 @@ algorithm comment
deflate rfc2394
lzs rfc2395
.Ed
.\"
.\"
.Sh EXAMPLES
.Bd -literal -offset
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
@@ -533,20 +544,18 @@ spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
.Ed
.\"
.\"
.Sh RETURN VALUES
The command exits with 0 on success, and non-zero on errors.
.\"
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
.Xr sysctl 8
.\"
.\"
.Sh HISTORY
The
.Nm
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
The command was completely re-designed in June 1998.
.Pp
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
was initially integrated into
.Fx 4.0
.\"
.\" .Sh BUGS
+52 -40
@@ -1,7 +1,10 @@
/* $FreeBSD$ */
/* $KAME: setkey.c,v 1.14 2000/06/10 06:47:09 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
/* KAME $Id: setkey.c,v 1.5 1999/10/26 09:39:37 sakane Exp $ */
#include <sys/types.h>
#include <sys/param.h>
@@ -51,40 +51,42 @@
#include <errno.h>
#include <netdb.h>
void Usage __P((void));
int main __P((int, char **));
int get_supported __P((void));
void sendkeyshort __P((u_int));
void promisc __P((void));
int sendkeymsg __P((void));
int postproc __P((struct sadb_msg *, int));
const char *numstr __P((int));
void shortdump_hdr __P((void));
void shortdump __P((struct sadb_msg *));
#include "libpfkey.h"
void Usage __P((void));
int main __P((int, char **));
int get_supported __P((void));
void sendkeyshort __P((u_int));
void promisc __P((void));
int sendkeymsg __P((void));
int postproc __P((struct sadb_msg *, int));
const char *numstr __P((int));
void shortdump_hdr __P((void));
void shortdump __P((struct sadb_msg *));
#define MODE_SCRIPT 1
#define MODE_CMDDUMP 2
#define MODE_CMDFLUSH 3
#define MODE_PROMISC 4
int so;
int f_forever = 0;
int f_all = 0;
int f_debug = 0;
int f_verbose = 0;
int f_mode = 0;
int f_cmddump = 0;
int f_policy = 0;
int f_promisc = 0;
int f_hexdump = 0;
char *pname;
int f_forever = 0;
int f_all = 0;
int f_debug = 0;
int f_verbose = 0;
int f_mode = 0;
int f_cmddump = 0;
int f_policy = 0;
int f_hexdump = 0;
char *pname;
u_char m_buf[BUFSIZ];
u_int m_len;
u_char m_buf[BUFSIZ];
u_int m_len;
extern int lineno;
extern int lineno;
extern int parse __P((FILE **));
extern int parse __P((FILE **));
void
Usage()
@@ -95,7 +97,7 @@ Usage()
printf("\t%s [-Pdv] -F\n", pname);
printf("\t%s [-h] -x\n", pname);
pfkey_close(so);
exit(0);
exit(1);
}
int
@@ -139,9 +141,8 @@ main(ac, av)
f_hexdump = 1;
break;
case 'x':
f_promisc = 1;
promisc();
/*NOTREACHED*/
f_mode = MODE_PROMISC;
break;
case 'P':
f_policy = 1;
break;
@@ -170,10 +171,15 @@ main(ac, av)
errx(-1, "%s", ipsec_strerror());
/*NOTREACHED*/
}
parse(&fp);
if (parse(&fp))
exit (1);
break;
case MODE_PROMISC:
promisc();
/*NOTREACHED*/
default:
Usage();
/*NOTREACHED*/
}
exit(0);
@@ -216,7 +222,6 @@ sendkeyshort(type)
m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
@@ -240,7 +245,6 @@ promisc()
m_msg->sadb_msg_satype = 1;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
@@ -325,8 +329,10 @@ sendkeymsg()
if (f_forever)
shortdump_hdr();
again:
if (f_verbose)
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)m_buf);
printf("\n");
}
if ((len = send(so, m_buf, m_len, 0)) < 0) {
perror("send");
@@ -345,8 +351,10 @@ sendkeymsg()
break;
}
if (f_verbose)
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)rbuf);
printf("\n");
}
if (postproc(msg, len) < 0)
break;
} while (msg->sadb_msg_errno || msg->sadb_msg_seq);
@@ -423,8 +431,10 @@ postproc(msg, len)
pfkey_sadump(msg);
msg = (struct sadb_msg *)((caddr_t)msg +
PFKEY_UNUNIT64(msg->sadb_msg_len));
if (f_verbose)
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)msg);
printf("\n");
}
break;
case SADB_X_SPDDUMP:
@@ -432,8 +442,10 @@ postproc(msg, len)
if (msg->sadb_msg_seq == 0) break;
msg = (struct sadb_msg *)((caddr_t)msg +
PFKEY_UNUNIT64(msg->sadb_msg_len));
if (f_verbose)
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)msg);
printf("\n");
}
break;
}
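Review bot: In main's mode switch the new `case MODE_PROMISC:` relies on `promisc()` never returning and otherwise falls through into `default: Usage();`, so any early return from promisc (its body is outside this hunk; the visible part only fills in the message header) would print a usage message and exit 1 instead of the real error. Making the intent explicit costs one line after the call: `exit(1); /* promisc() does not return */`, or at least a comment stating that the fall-through into Usage is deliberate. The `/*NOTREACHED*/` marker alone documents an assumption rather than enforcing it.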
+83 -32
@@ -1,7 +1,10 @@
/* $FreeBSD$ */
/* $KAME: test-pfkey.c,v 1.4 2000/06/07 00:29:14 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
/* KAME $Id: test-pfkey.c,v 1.2 1999/10/26 08:09:17 itojun Exp $ */
#include <sys/types.h>
#include <sys/param.h>
@@ -47,23 +47,24 @@
#include <ctype.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
u_char m_buf[BUFSIZ];
u_int m_len;
char *pname;
u_char m_buf[BUFSIZ];
u_int m_len;
char *pname;
void Usage __P((void));
int sendkeymsg __P((void));
void key_setsadbmsg __P((u_int));
void key_setsadbsens __P((void));
void key_setsadbprop __P((void));
void key_setsadbid __P((u_int, caddr_t));
void key_setsadblft __P((u_int, u_int));
void key_setspirange __P((void));
void key_setsadbkey __P((u_int, caddr_t));
void key_setsadbsa __P((void));
void key_setsadbaddr __P((u_int, u_int, caddr_t));
void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
void Usage __P((void));
int sendkeymsg __P((void));
void key_setsadbmsg __P((u_int));
void key_setsadbsens __P((void));
void key_setsadbprop __P((void));
void key_setsadbid __P((u_int, caddr_t));
void key_setsadblft __P((u_int, u_int));
void key_setspirange __P((void));
void key_setsadbkey __P((u_int, caddr_t));
void key_setsadbsa __P((void));
void key_setsadbaddr __P((u_int, u_int, caddr_t));
void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
void
Usage()
@@ -98,6 +99,18 @@ sendkeymsg()
perror("socket(PF_KEY)");
goto end;
}
#if 0
{
#include <sys/time.h>
struct timeval tv;
tv.tv_sec = 1;
tv.tv_usec = 0;
if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
perror("setsockopt");
goto end;
}
}
#endif
pfkey_sadump((struct sadb_msg *)m_buf);
@@ -124,11 +137,14 @@ key_setsadbmsg(type)
{
struct sadb_msg m_msg;
memset(&m_msg, 0, sizeof(m_msg));
m_msg.sadb_msg_version = PF_KEY_V2;
m_msg.sadb_msg_type = type;
m_msg.sadb_msg_errno = 0;
m_msg.sadb_msg_satype = SADB_SATYPE_ESP;
#if 0
m_msg.sadb_msg_reserved = 0;
#endif
m_msg.sadb_msg_seq = 0;
m_msg.sadb_msg_pid = getpid();
@@ -223,6 +239,24 @@ key_setsadbmsg(type)
break;
case SADB_X_SPDADD:
#if 0
{
struct sadb_x_policy m_policy;
m_policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(m_policy));
m_policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
m_policy.sadb_x_policy_type = SADB_X_PL_IPSEC;
m_policy.sadb_x_policy_esp_trans = 1;
m_policy.sadb_x_policy_ah_trans = 2;
m_policy.sadb_x_policy_esp_network = 3;
m_policy.sadb_x_policy_ah_network = 4;
m_policy.sadb_x_policy_reserved = 0;
memcpy(m_buf + m_len, &m_policy, sizeof(struct sadb_x_policy));
m_len += sizeof(struct sadb_x_policy);
}
#endif
case SADB_X_SPDDELETE:
key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
@@ -437,32 +471,49 @@ key_setsadbaddr(ext, af, str)
caddr_t str;
{
struct sadb_address m_addr;
u_char abuf[64];
struct sockaddr *a = (struct sockaddr *)abuf;
u_int len;
struct addrinfo hints, *res;
const char *serv;
int plen;
switch (af) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
default:
/* XXX bark */
exit(1);
}
/* make sockaddr buffer */
memset(abuf, 0, sizeof(abuf));
a->sa_len = _SALENBYAF(af);
a->sa_family = af;
_INPORTBYSA(a) =
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : htons(0x1234));
if (inet_pton(af, str, _INADDRBYSA(a)) != 1)
; /* XXX do something */
memset(&hints, 0, sizeof(hints));
hints.ai_family = af;
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
hints.ai_flags = AI_NUMERICHOST;
serv = (ext == SADB_EXT_ADDRESS_PROXY ? "0" : "4660"); /*0x1234*/
if (getaddrinfo(str, serv, &hints, &res) != 0 || res->ai_next) {
/* XXX bark */
exit(1);
}
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(a->sa_len);
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(res->ai_addrlen);
m_addr.sadb_address_len = PFKEY_UNIT64(len);
m_addr.sadb_address_exttype = ext;
m_addr.sadb_address_proto =
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : IPPROTO_TCP);
m_addr.sadb_address_prefixlen = _INALENBYAF(af);
m_addr.sadb_address_prefixlen = plen;
m_addr.sadb_address_reserved = 0;
key_setsadbextbuf(m_buf, m_len,
(caddr_t)&m_addr, sizeof(struct sadb_address),
abuf, a->sa_len);
(caddr_t)res->ai_addr, res->ai_addrlen);
m_len += len;
freeaddrinfo(res);
return;
}
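Review bot: key_setsadbaddr now exits silently in two places marked `/* XXX bark */`: the unsupported-family default in the new switch, and the `getaddrinfo(...) != 0 || res->ai_next` check, where the return value is discarded so gai_strerror() cannot be used. Keeping the error code makes both failures diagnosable without changing behavior otherwise: `int error;` in the declarations, `if ((error = getaddrinfo(str, serv, &hints, &res)) != 0 || res->ai_next) {` and `fprintf(stderr, "%s: %s\n", str, error ? gai_strerror(error) : "ambiguous address");` before the `exit(1)`. The same file already reports socket errors with perror() in sendkeymsg, so a message here matches the existing style. A short comment on the `serv` line would also help, since `"4660"` is only recognisable as 0x1234 from the trailing remark.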
+37 -44
@@ -1,7 +1,10 @@
/* $FreeBSD$ */
/* $KAME: token.l,v 1.13 2000/06/07 00:29:14 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
%{
@@ -63,18 +64,19 @@
#define PREPROC DECHO CMDARG
int lineno = 1;
char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
int lineno = 1;
char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
extern u_char m_buf[BUFSIZ];
extern u_int m_len;
extern int f_debug;
extern u_char m_buf[BUFSIZ];
extern u_int m_len;
extern int f_debug;
int yylex __P((void));
void yyerror __P((char *s));
extern void parse_init __P((void));
int parse __P((FILE **));
int yyparse __P((void));
int yylex __P((void));
void yyfatal __P((const char *s));
void yyerror __P((const char *s));
extern void parse_init __P((void));
int parse __P((FILE **));
int yyparse __P((void));
%}
@@ -106,9 +108,7 @@ decstring {digit}+
hexpair {hexdigit}{hexdigit}
hexstring 0[xX]{hexdigit}+
octetstring {octet}({dot}{octet})+
ipaddress {ipv4addr}|{ipv6addr}
ipv4addr {digit}{1,3}({dot}{digit}{1,3}){0,3}
ipv6addr {hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7}(%{letter}{letter}+)?
ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
ipaddrmask {slash}{digit}{1,3}
ipaddrport {blcl}{decstring}{elcl}
keyword {letter}{letter}+
@@ -186,11 +186,12 @@ lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
{hyphen}m { PREPROC; return(F_MODE); }
transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
{hyphen}u { PREPROC; return(F_REQID); }
{hyphen}f { PREPROC; return(F_EXT); }
random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); }
nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
{hyphen}r { PREPROC; return(F_REPLAY); }
{hyphen}lh { PREPROC; return(F_LIFETIME_HARD); }
{hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); }
@@ -214,35 +215,17 @@ any { PREPROC; return(ANY); }
char *bp;
PREPROC;
yylval.num = strtol(yytext, &bp, 10);
yylval.num = strtoul(yytext, &bp, 10);
return(DECSTRING);
}
{ipv4addr} {
/*
* I can't supprt the type without dot,
* because it's umbiguous against {decstring}.
* e.g. 127
*/
{ipaddress} {
PREPROC;
yylval.val.len = sizeof(struct sockaddr_in);
yylval.val.len = yyleng;
yylval.val.buf = strdup(yytext);
return(IP4_ADDRESS);
}
{ipv6addr} {
#ifdef INET6
PREPROC;
yylval.val.len = sizeof(struct sockaddr_in6);
yylval.val.buf = strdup(yytext);
return(IP6_ADDRESS);
#else
yyerror("IPv6 address not supported");
#endif
return(ADDRESS);
}
{ipaddrmask} {
@@ -263,7 +246,6 @@ any { PREPROC; return(ANY); }
}
{blcl}any{elcl} {
char *p = yytext;
PREPROC;
return(PORTANY);
}
@@ -294,12 +276,24 @@ any { PREPROC; return(ANY); }
return(QUOTEDSTRING);
}
. { yyerror("Syntax error"); }
. {
yyfatal("Syntax error");
/*NOTREACHED*/
}
%%
void
yyerror(char *s)
yyfatal(s)
const char *s;
{
yyerror(s);
exit(1);
}
void
yyerror(s)
const char *s;
{
printf("line %d: %s at [%s]\n", lineno, s, yytext);
}
@@ -319,4 +313,3 @@ parse(fp)
return(0);
}
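Review bot: The switch to `strtoul` in the `{decstring}` action leaves range errors undetected: `errno` is neither cleared before nor checked after the call, so an oversized literal silently saturates at ULONG_MAX, and if `yylval.num` is an int (its type is not visible in this hunk) the value is then truncated again on assignment. With `<errno.h>` in scope a small guard makes the failure explicit and routes it through the new fatal path: `errno = 0; yylval.num = strtoul(yytext, &bp, 10); if (errno == ERANGE) yyfatal("number out of range");`. The rewritten `{ipaddress}` action keeps the unchecked `strdup(yytext)`; on allocation failure `yylval.val.buf` is NULL and whatever consumes the ADDRESS token will dereference it, so `if (yylval.val.buf == NULL) yyfatal("strdup");` belongs right after it. The new `ipaddress` pattern also accepts an all-hex word such as `beef` (a constructed example), which ties in length with `{keyword}`; flex resolves the tie by rule order, which this hunk does not show, so a one-line comment on the rule stating the intended precedence would save the next reader a trip through the rule table.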
+7 -6
@@ -1,7 +1,10 @@
/* $FreeBSD$ */
/* $KAME: vchar.h,v 1.2 2000/06/07 00:29:14 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,11 +28,9 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
typedef struct {
u_int len;
caddr_t buf;
u_int len;
caddr_t buf;
} vchar_t;