src - FreeBSD source tree

diff options


context:
space:
mode:

author	Yoshinobu Inoue <shin@FreeBSD.org>	2000-01-06 12:40:54 +0000
committer	Yoshinobu Inoue <shin@FreeBSD.org>	2000-01-06 12:40:54 +0000
commit	9a4365d0e0833374e893c519639bde71756aa104 (patch)
tree	0fa615bec427848e939cbb6c31fed401f162edbb /sbin
parent	171eec1876b8c1cf601856138ec2f53771c1e32b (diff)
download	src-9a4365d0e0833374e893c519639bde71756aa104.tar.gz src-9a4365d0e0833374e893c519639bde71756aa104.zip

libipsec and IPsec related apps. (and some KAME related man pages)

Reviewed by: freebsd-arch, cvs-committers Obtained from: KAME project

Notes

Notes: svn path=/head/; revision=55505

Diffstat (limited to 'sbin')

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

787

-rw-r--r--

sbin/setkey/sample.cf

219

-rw-r--r--

sbin/setkey/scriptdump.pl

-rw-r--r--

sbin/setkey/setkey.8

550

-rw-r--r--

sbin/setkey/setkey.c

566

-rw-r--r--

sbin/setkey/test-pfkey.c

480

-rw-r--r--

sbin/setkey/test-policy.c

161

-rw-r--r--

sbin/setkey/token.l

322

-rw-r--r--

sbin/setkey/vchar.h

13 files changed, 3309 insertions, 5 deletions

diff --git a/sbin/ping/Makefile b/sbin/ping/Makefile
index 1df0d93b0530..2c6b08e0ba10 100644
--- a/sbin/ping/Makefile
+++ b/sbin/ping/Makefile

@@ -8,7 +8,8 @@ COPTS+= -Wall -Wmissing-prototypes

.if ${MACHINE_ARCH} == "alpha"

COPTS+= -fno-builtin # GCC's builtin memcpy doesn't do unaligned copies

.endif

-DPADD= ${LIBM}

-LDADD= -lm

+CFLAGS+=-DIPSEC

+DPADD= ${LIBM} ${LIBIPSEC}

+LDADD= -lm -lipsec

.include <bsd.prog.mk>

diff --git a/sbin/ping/ping.8 b/sbin/ping/ping.8
index 565a5afed962..fca80acb44f8 100644
--- a/sbin/ping/ping.8
+++ b/sbin/ping/ping.8

@@ -47,6 +47,7 @@ packets to network hosts

.Op Fl i Ar wait

.Op Fl l Ar preload

.Op Fl p Ar pattern

+.Op Fl P Ar policy

.Op Fl s Ar packetsize

.Op Fl S Ar src_addr

.Bo

@@ -147,6 +148,13 @@ For example,

.Dq Li \-p ff

will cause the sent packet to be filled with all

ones.

+.It Fl P Ar policy

+.Ar policy

+specifies IPsec policy for the ping session.

+For details please refer to

+.Xr ipsec 4

+and

+.Xr ipsec_set_policy 3 .

.It Fl Q

Somewhat quiet output.

.No Don Ap t

diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c
index 1cd55fa7aa7d..15bac460a394 100644
--- a/sbin/ping/ping.c
+++ b/sbin/ping/ping.c

@@ -92,6 +92,10 @@ static const char rcsid[] =

#include <netinet/ip_var.h>

#include <arpa/inet.h>

+#ifdef IPSEC

+#include <netinet6/ipsec.h>

+#endif /*IPSEC*/

#define PHDR_LEN sizeof(struct timeval)

#define DEFDATALEN (64 - PHDR_LEN) /* default data length */

#define FLOOD_BACKOFF 20000 /* usecs to back off if F_FLOOD mode */

@@ -124,6 +128,11 @@ int options;

#define F_MTTL 0x0800

#define F_MIF 0x1000

#define F_AUDIBLE 0x2000

+#ifdef IPSEC

+#ifdef IPSEC_POLICY_IPSEC

+#define F_POLICY 0x4000

+#endif /*IPSEC_POLICY_IPSEC*/

+#endif /*IPSEC*/

* MAX_DUP_CHK is the number of bits in received table, i.e. the maximum

@@ -204,6 +213,10 @@ main(argc, argv)

struct msghdr msg;

struct sockaddr_in from;

char ctrl[sizeof(struct cmsghdr) + sizeof(struct timeval)];

+#ifdef IPSEC_POLICY_IPSEC

+ char *policy_in = NULL;

+ char *policy_out = NULL;

+#endif

* Do the stuff that we need root priv's for *first*, and

@@ -219,7 +232,14 @@ main(argc, argv)

preload = 0;

datap = &outpack[8 + PHDR_LEN];

- while ((ch = getopt(argc, argv, "I:LQRS:T:c:adfi:l:np:qrs:v")) != -1) {

+#ifndef IPSEC

+ while ((ch = getopt(argc, argv, "I:LQRT:c:adfi:l:np:qrs:v")) != -1)

+#else

+#ifdef IPSEC_POLICY_IPSEC

+ while ((ch = getopt(argc, argv, "I:LQRT:c:adfi:l:np:qrs:vP:")) != -1)

+#endif /*IPSEC_POLICY_IPSEC*/

+#endif

+ {

switch(ch) {

case 'a':

options |= F_AUDIBLE;

@@ -331,6 +351,19 @@ main(argc, argv)

case 'v':

options |= F_VERBOSE;

break;

+#ifdef IPSEC

+#ifdef IPSEC_POLICY_IPSEC

+ case 'P':

+ options |= F_POLICY;

+ if (!strncmp("in", optarg, 2))

+ policy_in = strdup(optarg);

+ else if (!strncmp("out", optarg, 3))

+ policy_out = strdup(optarg);

+ else

+ errx(1, "invalid security policy");

+ break;

+#endif /*IPSEC_POLICY_IPSEC*/

+#endif /*IPSEC*/

default:

usage();

}

@@ -419,6 +452,32 @@ main(argc, argv)

if (options & F_SO_DONTROUTE)

(void)setsockopt(s, SOL_SOCKET, SO_DONTROUTE, (char *)&hold,

sizeof(hold));

+#ifdef IPSEC

+#ifdef IPSEC_POLICY_IPSEC

+ if (options & F_POLICY) {

+ char *buf;

+ if (policy_in != NULL) {

+ buf = ipsec_set_policy(policy_in, strlen(policy_in));

+ if (buf == NULL)

+ errx(EX_CONFIG, ipsec_strerror());

+ if (setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY,

+ buf, ipsec_get_policylen(buf)) < 0)

+ err(EX_CONFIG, "ipsec policy cannot be configured");

+ free(buf);

+ }

+ if (policy_out != NULL) {

+ buf = ipsec_set_policy(policy_out, strlen(policy_out));

+ if (buf == NULL)

+ errx(EX_CONFIG, ipsec_strerror());

+ if (setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY,

+ buf, ipsec_get_policylen(buf)) < 0)

+ err(EX_CONFIG, "ipsec policy cannot be configured");

+ free(buf);

+ }

+#endif /*IPSEC_POLICY_IPSEC*/

+#endif /*IPSEC*/

/* record route option */

if (options & F_RROUTE) {

@@ -1326,7 +1385,13 @@ usage()

{

fprintf(stderr, "%s\n%s\n%s\n",

"usage: ping [-QRadfnqrv] [-c count] [-i wait] [-l preload] [-p pattern]",

-" [-s packetsize] [-S src_addr]",

-" [host | [-L] [-I iface] [-T ttl] mcast-group]");

+" "

+#ifdef IPSEC

+#ifdef IPSEC_POLICY_IPSEC

+"[-P policy] "

+#endif

+"[-s packetsize] [-S src_addr]",

+ "[host | [-L] [-I iface] [-T ttl] mcast-group]");

exit(EX_USAGE);

}

diff --git a/sbin/setkey/Makefile b/sbin/setkey/Makefile
new file mode 100644
index 000000000000..918dbf4cb71c
--- /dev/null
+++ b/sbin/setkey/Makefile

@@ -0,0 +1,56 @@

+# Redistribution and use in source and binary forms, with or without

+# modification, are permitted provided that the following conditions

+# are met:

+# 1. Redistributions of source code must retain the above copyright

+# notice, this list of conditions and the following disclaimer.

+# 2. Redistributions in binary form must reproduce the above copyright

+# notice, this list of conditions and the following disclaimer in the

+# documentation and/or other materials provided with the distribution.

+# 3. Neither the name of the project nor the names of its contributors

+# may be used to endorse or promote products derived from this software

+# without specific prior written permission.

+# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND

+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

+# ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE

+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

+# SUCH DAMAGE.

+# $FreeBSD$

+PROG= setkey

+SRCS= setkey.c parse.y token.l

+CFLAGS+=-g

+LDADD+= -ll -ly

+CLEANFILES+= y.tab.c y.tab.h key_test.o keytest

+YFLAGS+=-d

+SCRIPTS= scriptdump

+BINOWN = root

+BINGRP = bin

+BINMODE = 555

+all: ${PROG} scriptdump

+SRCS+=y.tab.h

+y.tab.h: parse.y

+CFLAGS+=-DIPSEC_DEBUG -DINET6 -DYY_NO_UNPUT -I${.OBJDIR}

+LDADD+= -lipsec

+CLEANFILES+= scriptdump y.tab.h

+MAN8= setkey.8

+LOCALPREFIX= /usr/local

+scriptdump: scriptdump.pl

+ sed -e 's#@LOCALPREFIX@#${LOCALPREFIX}#' < $> > scriptdump

+.include <bsd.prog.mk>

diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
new file mode 100644
index 000000000000..761c34d6e6d8
--- /dev/null
+++ b/sbin/setkey/parse.y

@@ -0,0 +1,787 @@

+/*

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 1. Redistributions of source code must retain the above copyright

+ * notice, this list of conditions and the following disclaimer.

+ * 2. Redistributions in binary form must reproduce the above copyright

+ * notice, this list of conditions and the following disclaimer in the

+ * documentation and/or other materials provided with the distribution.

+ * 3. Neither the name of the project nor the names of its contributors

+ * may be used to endorse or promote products derived from this software

+ * without specific prior written permission.

+ *

+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND

+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE

+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

+ * SUCH DAMAGE.

+ *

+ * $FreeBSD$

+ */

+/* KAME $Id: parse.y,v 1.7 1999/10/27 17:08:57 sakane Exp $ */

+%{

+#include <sys/types.h>

+#include <sys/param.h>

+#include <sys/socket.h>

+#include <net/route.h>

+#include <netinet/in.h>

+#include <net/pfkeyv2.h>

+#include <netkey/key_var.h>

+#include <netinet6/ipsec.h>

+#include <arpa/inet.h>

+#include <string.h>

+#include <unistd.h>

+#include <stdio.h>

+#include <ctype.h>

+#include <errno.h>

+#include <netdb.h>

+#include "vchar.h"

+#define ATOX(c) \

+ (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))

+u_int p_type;

+u_int32_t p_spi;

+struct sockaddr *p_src, *p_dst;

+u_int p_prefs, p_prefd, p_upper;

+u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;

+u_int p_key_enc_len, p_key_auth_len;

+caddr_t p_key_enc, p_key_auth;

+time_t p_lt_hard, p_lt_soft;

+u_int p_policy_len;

+char *p_policy;

+/* temporary buffer */

+static struct sockaddr *pp_addr;

+static u_int pp_prefix;

+static u_int pp_port;

+static caddr_t pp_key;

+extern u_char m_buf[BUFSIZ];

+extern int m_len;

+extern char cmdarg[8192];

+extern int f_debug;

+int setkeymsg __P((void));

+static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));

+void parse_init __P((void));

+void free_buffer __P((void));

+extern int setkeymsg __P((void));

+extern int sendkeymsg __P((void));

+extern int yylex __P((void));

+extern void yyerror __P((char *));

+%}

+%union {

+ unsigned long num;

+ vchar_t val;

+%token EOT

+%token ADD GET DELETE FLUSH DUMP

+%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT PORTANY

+%token UP_PROTO PR_ESP PR_AH PR_IPCOMP

+%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI

+%token F_MODE MODE

+%token F_EXT EXTENSION

+%token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP

+%token F_LIFETIME_HARD F_LIFETIME_SOFT

+%token DECSTRING QUOTEDSTRING HEXSTRING ANY

+ /* SPD management */

+%token SPDADD SPDDELETE SPDDUMP SPDFLUSH

+%token F_POLICY PL_REQUESTS

+%%

+commands

+ : /*NOTHING*/

+ | commands command

+ {

+ if (f_debug) {

+ printf("cmdarg:\n%s\n", cmdarg);

+ } else {

+ setkeymsg();

+ sendkeymsg();

+ }

+ free_buffer();

+ parse_init();

+ }

+ ;

+command

+ : add_command

+ | get_command

+ | delete_command

+ | flush_command

+ | dump_command

+ | spdadd_command

+ | spddelete_command

+ | spddump_command

+ | spdflush_command

+ ;

+ /* commands concerned with management, there is in tail of this file. */

+ /* add command */

+add_command

+ : ADD { p_type = SADB_ADD; }

+ sa_selector_spec extension_spec algorithm_spec EOT

+ ;

+ /* delete */

+delete_command

+ : DELETE { p_type = SADB_DELETE; }

+ sa_selector_spec extension_spec EOT

+ ;

+ /* get command */

+get_command

+ : GET { p_type = SADB_GET; }

+ sa_selector_spec extension_spec EOT

+ ;

+ /* flush */

+flush_command

+ : FLUSH { p_type = SADB_FLUSH; }

+ protocol_spec EOT

+ ;

+ /* dump */

+dump_command

+ : DUMP { p_type = SADB_DUMP; }

+ protocol_spec EOT

+ ;

+ /* sa_selector_spec */

+sa_selector_spec

+ : ipaddress { p_src = pp_addr; }

+ ipaddress { p_dst = pp_addr; }

+ protocol_spec spi

+ ;

+protocol_spec

+ : /*NOTHING*/ { p_satype = SADB_SATYPE_UNSPEC; }

+ | PR_ESP

+ {

+ p_satype = SADB_SATYPE_ESP;

+ if ($1.num == 1)

+ p_ext |= SADB_X_EXT_OLD;

+ else

+ p_ext &= ~SADB_X_EXT_OLD;

+ }

+ | PR_AH

+ {

+ p_satype = SADB_SATYPE_AH;

+ if ($1.num == 1)

+ p_ext |= SADB_X_EXT_OLD;

+ else

+ p_ext &= ~SADB_X_EXT_OLD;

+ }

+ | PR_IPCOMP

+ {

+ p_satype = SADB_X_SATYPE_IPCOMP;

+ }

+ ;

+spi

+ : DECSTRING { p_spi = $1.num; }

+ | HEXSTRING

+ {

+ caddr_t bp;

+ caddr_t yp = $1.val.buf;

+ char buf0[4], buf[4];

+ int i, j;

+ /* sanity check */

+ if ($1.val.len > 4) {

+ yyerror("SPI too big.");

+ free($1.val.buf);

+ return -1;

+ }

+ bp = buf0;

+ while (*yp) {

+ *bp = (ATOX(yp[0]) << 4) | ATOX(yp[1]);

+ yp += 2, bp++;

+ }

+ /* initialize */

+ for (i = 0; i < 4; i++) buf[i] = 0;

+ for (j = $1.val.len - 1, i = 3; j >= 0; j--, i--)

+ buf[i] = buf0[j];

+ /* XXX: endian */

+ p_spi = ntohl(*(u_int32_t *)buf);

+ free($1.val.buf);

+ }

+ ;

+algorithm_spec

+ : esp_spec

+ | ah_spec

+ | ipcomp_spec

+ ;

+esp_spec

+ : F_ENC enc_alg enc_key F_AUTH auth_alg auth_key

+ | F_ENC enc_alg enc_key

+ ;

+ah_spec

+ : F_AUTH auth_alg auth_key

+ ;

+ipcomp_spec

+ : F_COMP ALG_COMP { p_alg_enc = $2.num; }

+ | F_COMP ALG_COMP { p_alg_enc = $2.num; }

+ F_RAWCPI { p_ext |= SADB_X_EXT_RAWCPI; }

+ ;

+enc_alg

+ : ALG_ENC { p_alg_enc = $1.num; }

+ | ALG_ENC_DESDERIV

+ {

+ p_alg_enc = $1.num;

+ if (p_ext & SADB_X_EXT_OLD) {

+ yyerror("algorithm mismatched.");

+ return -1;

+ }

+ p_ext |= SADB_X_EXT_DERIV;

+ }

+ | ALG_ENC_DES32IV

+ {

+ p_alg_enc = $1.num;

+ if (!(p_ext & SADB_X_EXT_OLD)) {

+ yyerror("algorithm mismatched.");

+ return -1;

+ }

+ p_ext |= SADB_X_EXT_IV4B;

+ }

+ ;

+enc_key

+ : /*NOTHING*/

+ {

+ if (p_alg_enc != SADB_EALG_NULL) {

+ yyerror("no key found.");

+ return -1;

+ }

+ | key_string

+ {

+ p_key_enc_len = $1.val.len;

+ p_key_enc = pp_key;

+ if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,

+ p_alg_enc,

+ PFKEY_UNUNIT64(p_key_enc_len)) < 0) {

+ yyerror(ipsec_strerror());

+ return -1;

+ }

+ ;

+auth_alg

+ : ALG_AUTH { p_alg_auth = $1.num; }

+ ;

+auth_key

+ : /*NOTHING*/

+ {

+ if (p_alg_auth != SADB_AALG_NULL) {

+ yyerror("no key found.");

+ return -1;

+ }

+ | key_string

+ {

+ p_key_auth_len = $1.val.len;

+ p_key_auth = pp_key;

+ if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,

+ p_alg_auth,

+ PFKEY_UNUNIT64(p_key_auth_len)) < 0) {

+ yyerror(ipsec_strerror());

+ return -1;

+ }

+ ;

+key_string

+ : QUOTEDSTRING

+ {

+ pp_key = $1.val.buf;

+ /* free pp_key later */

+ }

+ | HEXSTRING

+ {

+ caddr_t bp;

+ caddr_t yp = $1.val.buf;

+ if ((pp_key = malloc($1.val.len)) == 0) {

+ free($1.val.buf);

+ yyerror(strerror(errno));

+ return -1;

+ }

+ memset(pp_key, 0, $1.val.len);

+ bp = pp_key;

+ while (*yp) {

+ *bp = (ATOX(yp[0]) << 4) | ATOX(yp[1]);

+ yp += 2, bp++;

+ }

+ free($1.val.buf);

+ }

+ ;

+extension_spec

+ : /*NOTHING*/

+ | extension_spec extension

+ ;

+extension

+ : F_EXT EXTENSION { p_ext |= $1.num; }

+ | F_MODE MODE { p_mode = $2.num; }

+ | F_MODE ANY { p_mode = IPSEC_MODE_ANY; }

+ | F_REPLAY DECSTRING

+ {

+ if (p_ext & SADB_X_EXT_OLD) {

+ yyerror("replay prevention "

+ "only use on new spec.");

+ return -1;

+ }

+ p_replay = $2.num;

+ }

+ | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2.num; }

+ | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2.num; }

+ ;

+ /* definition about command for SPD management */

+ /* spdadd */

+spdadd_command

+ : SPDADD

+ {

+ p_type = SADB_X_SPDADD;

+ p_satype = SADB_SATYPE_UNSPEC;

+ }

+ sp_selector_spec policy_spec EOT

+ ;

+spddelete_command:

+ SPDDELETE

+ {

+ p_type = SADB_X_SPDDELETE;

+ p_satype = SADB_SATYPE_UNSPEC;

+ }

+ sp_selector_spec EOT

+ ;

+spddump_command:

+ SPDDUMP

+ {

+ p_type = SADB_X_SPDDUMP;

+ p_satype = SADB_SATYPE_UNSPEC;

+ }

+ EOT

+ ;

+spdflush_command:

+ SPDFLUSH

+ {

+ p_type = SADB_X_SPDFLUSH;

+ p_satype = SADB_SATYPE_UNSPEC;

+ }

+ EOT

+ ;

+ /* sp_selector_spec */

+sp_selector_spec

+ : ipaddress { p_src = pp_addr; }

+ prefix { p_prefs = pp_prefix; }

+ port { _INPORTBYSA(p_src) = htons(pp_port); }

+ ipaddress { p_dst = pp_addr; }

+ prefix { p_prefd = pp_prefix; }

+ port { _INPORTBYSA(p_dst) = htons(pp_port); }

+ upper_spec

+ ;

+ipaddress

+ : IP4_ADDRESS

+ {

+ struct sockaddr_in *in;

+ u_int sa_len = $1.val.len;

+ if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0) {

+ yyerror(strerror(errno));

+ free($1.val.buf);

+ return -1;

+ }

+ memset((caddr_t)in, 0, sa_len);

+ in->sin_family = PF_INET;

+ in->sin_len = sa_len;

+ in->sin_port = IPSEC_PORT_ANY;

+ (void)inet_pton(PF_INET, $1.val.buf, &in->sin_addr);

+ pp_addr = (struct sockaddr *)in;

+ free($1.val.buf);

+ }

+ | IP6_ADDRESS

+ {

+#ifdef INET6

+ struct sockaddr_in6 *in6;

+ u_int sa_len = $1.val.len;

+ struct addrinfo hints, *res;

+ int ret_gai;

+ if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0) {

+ free($1.val.buf);

+ yyerror(strerror(errno));

+ return -1;

+ }

+ memset((caddr_t)in6, 0, sa_len);

+ bzero(&hints, sizeof(struct addrinfo));

+ hints.ai_flags = AI_NUMERICHOST;

+ hints.ai_family = AF_INET6;

+ ret_gai = getaddrinfo($1.val.buf, NULL, &hints, &res);

+ if (ret_gai) {

+ free($1.val.buf);

+ free(in6);

+ yyerror(gai_strerror(ret_gai));

+ if (ret_gai == EAI_SYSTEM)

+ yyerror(strerror(errno));

+ return -1;

+ }

+ (void)memcpy(in6, res->ai_addr, res->ai_addrlen);

+ /*

+ * XXX: If the scope of the destination is link-local,

+ * embed the scope-id(in this case, interface index)

+ * into the address.

+ */

+ if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr) &&

+ in6->sin6_scope_id != 0)

+ *(u_short *)&in6->sin6_addr.s6_addr[2] =

+ htons(in6->sin6_scope_id & 0xffff);

+ freeaddrinfo(res);

+ pp_addr = (struct sockaddr *)in6;

+#else

+ yyerror("IPv6 address not supported");

+#endif

+ free($1.val.buf);

+ }

+ ;

+prefix

+ : /*NOTHING*/ { pp_prefix = ~0; }

+ | PREFIX { pp_prefix = $1.num; }

+ ;

+port

+ : /*NOTHING*/ { pp_port = IPSEC_PORT_ANY; }

+ | PORT { pp_port = $1.num; }

+ | PORTANY { pp_port = IPSEC_PORT_ANY; }

+ ;

+upper_spec

+ : DECSTRING { p_upper = $1.num; }

+ | UP_PROTO { p_upper = $1.num; }

+ | PR_ESP { p_upper = IPPROTO_ESP; };

+ | PR_AH { p_upper = IPPROTO_AH; };

+ | PR_IPCOMP { p_upper = IPPROTO_IPCOMP; };

+ | ANY { p_upper = IPSEC_ULPROTO_ANY; }

+ ;

+policy_spec

+ : F_POLICY policy_requests

+ {

+ p_policy = ipsec_set_policy($2.val.buf, $2.val.len);

+ if (p_policy == NULL) {

+ free($2.val.buf);

+ p_policy = NULL;

+ yyerror(ipsec_strerror());

+ return -1;

+ }

+ p_policy_len = ipsec_get_policylen(p_policy);

+ free($2.val.buf);

+ }

+ ;

+policy_requests:

+ /*NOTHING*/

+ | PL_REQUESTS { $$ = $1; }

+ ;

+%%

+int

+setkeymsg()

+ struct sadb_msg m_msg;

+ m_msg.sadb_msg_version = PF_KEY_V2;

+ m_msg.sadb_msg_type = p_type;

+ m_msg.sadb_msg_errno = 0;

+ m_msg.sadb_msg_satype = p_satype;

+ m_msg.sadb_msg_mode = p_mode;

+ m_msg.sadb_msg_reserved = 0;

+ m_msg.sadb_msg_seq = 0;

+ m_msg.sadb_msg_pid = getpid();

+ m_len = sizeof(struct sadb_msg);

+ memcpy(m_buf, &m_msg, m_len);

+ switch (p_type) {

+ case SADB_FLUSH:

+ case SADB_DUMP:

+ break;

+ case SADB_ADD:

+ /* set encryption algorithm, if present. */

+ if (p_satype != SADB_X_SATYPE_IPCOMP && p_alg_enc != SADB_EALG_NONE) {

+ struct sadb_key m_key;

+ m_key.sadb_key_len =

+ PFKEY_UNIT64(sizeof(m_key)

+ + PFKEY_ALIGN8(p_key_enc_len));

+ m_key.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;

+ m_key.sadb_key_bits = p_key_enc_len * 8;

+ m_key.sadb_key_reserved = 0;

+ setvarbuf(&m_len,

+ (struct sadb_ext *)&m_key, sizeof(m_key),

+ (caddr_t)p_key_enc, p_key_enc_len);

+ }

+ /* set authentication algorithm, if present. */

+ if (p_alg_auth != SADB_AALG_NONE) {

+ struct sadb_key m_key;

+ m_key.sadb_key_len =

+ PFKEY_UNIT64(sizeof(m_key)

+ + PFKEY_ALIGN8(p_key_auth_len));

+ m_key.sadb_key_exttype = SADB_EXT_KEY_AUTH;

+ m_key.sadb_key_bits = p_key_auth_len * 8;

+ m_key.sadb_key_reserved = 0;

+ setvarbuf(&m_len,

+ (struct sadb_ext *)&m_key, sizeof(m_key),

+ (caddr_t)p_key_auth, p_key_auth_len);

+ }

+ /* set lifetime for HARD */

+ if (p_lt_hard != 0) {

+ struct sadb_lifetime m_lt;

+ u_int len = sizeof(struct sadb_lifetime);

+ m_lt.sadb_lifetime_len = PFKEY_UNIT64(len);

+ m_lt.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;

+ m_lt.sadb_lifetime_allocations = 0;

+ m_lt.sadb_lifetime_bytes = 0;

+ m_lt.sadb_lifetime_addtime = p_lt_hard;

+ m_lt.sadb_lifetime_usetime = 0;

+ memcpy(m_buf + m_len, &m_lt, len);

+ m_len += len;

+ }

+ /* set lifetime for SOFT */

+ if (p_lt_soft != 0) {

+ struct sadb_lifetime m_lt;

+ u_int len = sizeof(struct sadb_lifetime);

+ m_lt.sadb_lifetime_len = PFKEY_UNIT64(len);

+ m_lt.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;

+ m_lt.sadb_lifetime_allocations = 0;

+ m_lt.sadb_lifetime_bytes = 0;

+ m_lt.sadb_lifetime_addtime = p_lt_soft;

+ m_lt.sadb_lifetime_usetime = 0;

+ memcpy(m_buf + m_len, &m_lt, len);

+ m_len += len;

+ }

+ /* FALLTHROUGH */

+ case SADB_DELETE:

+ case SADB_GET:

+ {

+ struct sadb_sa m_sa;

+ struct sadb_address m_addr;

+ u_int len;

+ len = sizeof(struct sadb_sa);

+ m_sa.sadb_sa_len = PFKEY_UNIT64(len);

+ m_sa.sadb_sa_exttype = SADB_EXT_SA;

+ m_sa.sadb_sa_spi = htonl(p_spi);

+ m_sa.sadb_sa_replay = p_replay;

+ m_sa.sadb_sa_state = 0;

+ m_sa.sadb_sa_auth = p_alg_auth;

+ m_sa.sadb_sa_encrypt = p_alg_enc;

+ m_sa.sadb_sa_flags = p_ext;

+ memcpy(m_buf + m_len, &m_sa, len);

+ m_len += len;

+ /* set src */

+ m_addr.sadb_address_len =

+ PFKEY_UNIT64(sizeof(m_addr)

+ + PFKEY_ALIGN8(p_src->sa_len));

+ m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;

+ m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;

+ m_addr.sadb_address_prefixlen =

+ _INALENBYAF(p_src->sa_family) << 3;

+ m_addr.sadb_address_reserved = 0;

+ setvarbuf(&m_len,

+ (struct sadb_ext *)&m_addr, sizeof(m_addr),

+ (caddr_t)p_src, p_src->sa_len);

+ /* set dst */

+ m_addr.sadb_address_len =

+ PFKEY_UNIT64(sizeof(m_addr)

+ + PFKEY_ALIGN8(p_dst->sa_len));

+ m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;

+ m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;

+ m_addr.sadb_address_prefixlen =

+ _INALENBYAF(p_dst->sa_family) << 3;

+ m_addr.sadb_address_reserved = 0;

+ setvarbuf(&m_len,

+ (struct sadb_ext *)&m_addr, sizeof(m_addr),

+ (caddr_t)p_dst, p_dst->sa_len);

+ }

+ break;

+ /* for SPD management */

+ case SADB_X_SPDFLUSH:

+ case SADB_X_SPDDUMP:

+ break;

+ case SADB_X_SPDADD:

+ {

+ memcpy(m_buf + m_len, p_policy, p_policy_len);

+ m_len += p_policy_len;

+ free(p_policy);

+ p_policy = NULL;

+ }

+ /* FALLTHROUGH */

+ case SADB_X_SPDDELETE:

+ {

+ struct sadb_address m_addr;

+ /* set src */

+ m_addr.sadb_address_len =

+ PFKEY_UNIT64(sizeof(m_addr)

+ + PFKEY_ALIGN8(p_src->sa_len));

+ m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;

+ m_addr.sadb_address_proto = p_upper;

+ m_addr.sadb_address_prefixlen =

+ (p_prefs != ~0 ? p_prefs :

+ _INALENBYAF(p_src->sa_family) << 3);

+ m_addr.sadb_address_reserved = 0;

+ setvarbuf(&m_len,

+ (struct sadb_ext *)&m_addr, sizeof(m_addr),

+ (caddr_t)p_src, p_src->sa_len);

+ /* set dst */

+ m_addr.sadb_address_len =

+ PFKEY_UNIT64(sizeof(m_addr)

+ + PFKEY_ALIGN8(p_dst->sa_len));

+ m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;

+ m_addr.sadb_address_proto = p_upper;

+ m_addr.sadb_address_prefixlen =

+ (p_prefd != ~0 ? p_prefd :

+ _INALENBYAF(p_dst->sa_family) << 3);

+ m_addr.sadb_address_reserved = 0;

+ setvarbuf(&m_len,

+ (struct sadb_ext *)&m_addr, sizeof(m_addr),

+ (caddr_t)p_dst, p_dst->sa_len);

+ }

+ break;

+ }

+ ((struct sadb_msg *)m_buf)->sadb_msg_len = PFKEY_UNIT64(m_len);

+ return 0;

+static int

+setvarbuf(off, ebuf, elen, vbuf, vlen)

+ caddr_t vbuf;

+ struct sadb_ext *ebuf;

+ int *off, elen, vlen;

+ memset(m_buf + *off, 0, PFKEY_UNUNIT64(ebuf->sadb_ext_len));

+ memcpy(m_buf + *off, (caddr_t)ebuf, elen);

+ memcpy(m_buf + *off + elen, vbuf, vlen);

+ (*off) += PFKEY_ALIGN8(elen + vlen);

+ return 0;

+void

+parse_init()

+ p_type = 0;

+ p_spi = 0;

+ p_src = 0, p_dst = 0;

+ pp_prefix = p_prefs = p_prefd = ~0;

+ pp_port = IPSEC_PORT_ANY;

+ p_upper = 0;

+ p_satype = 0;

+ p_ext = SADB_X_EXT_NONE;

+ p_alg_enc = SADB_EALG_NONE;

+ p_alg_auth = SADB_AALG_NONE;

+ p_mode = IPSEC_MODE_ANY;

+ p_replay = 4;

+ p_key_enc_len = p_key_auth_len = 0;

+ p_key_enc = p_key_auth = 0;

+ p_lt_hard = p_lt_soft = 0;

+ p_policy_len = 0;

+ p_policy = NULL;

+ memset(cmdarg, 0, sizeof(cmdarg));

+ return;

+void

+free_buffer()

+ if (p_src) free(p_src);

+ if (p_dst) free(p_dst);

+ if (p_key_enc) free(p_key_enc);

+ if (p_key_auth) free(p_key_auth);

+ return;

diff --git a/sbin/setkey/sample.cf b/sbin/setkey/sample.cf
new file mode 100644
index 000000000000..886c449a35f1
--- /dev/null
+++ b/sbin/setkey/sample.cf

@@ -0,0 +1,219 @@