-rw-r--r--lib/libipsec/Makefile8
-rw-r--r--lib/libipsec/ipsec_dump_policy.c270
-rw-r--r--lib/libipsec/ipsec_get_policylen.c7
-rw-r--r--lib/libipsec/ipsec_set_policy.335
-rw-r--r--lib/libipsec/ipsec_strerror.338
-rw-r--r--lib/libipsec/ipsec_strerror.c17
-rw-r--r--lib/libipsec/ipsec_strerror.h65
-rw-r--r--lib/libipsec/libpfkey.h77
-rw-r--r--lib/libipsec/pfkey.c630
-rw-r--r--lib/libipsec/pfkey_dump.c185
-rw-r--r--lib/libipsec/policy_parse.y112
-rw-r--r--lib/libipsec/policy_token.l27
-rw-r--r--lib/libipsec/test-policy.c276
-rw-r--r--sbin/setkey/Makefile7
-rw-r--r--sbin/setkey/parse.y431
-rw-r--r--sbin/setkey/sample.cf4
-rw-r--r--sbin/setkey/scriptdump.pl12
-rw-r--r--sbin/setkey/setkey.8137
-rw-r--r--sbin/setkey/setkey.c92
-rw-r--r--sbin/setkey/test-pfkey.c119
-rw-r--r--sbin/setkey/token.l81
-rw-r--r--sbin/setkey/vchar.h13
-rw-r--r--usr.sbin/setkey/Makefile7
-rw-r--r--usr.sbin/setkey/parse.y431
-rw-r--r--usr.sbin/setkey/sample.cf4
-rw-r--r--usr.sbin/setkey/scriptdump.pl12
-rw-r--r--usr.sbin/setkey/setkey.8137
-rw-r--r--usr.sbin/setkey/setkey.c92
-rw-r--r--usr.sbin/setkey/test-pfkey.c119
-rw-r--r--usr.sbin/setkey/token.l81
-rw-r--r--usr.sbin/setkey/vchar.h13
31 files changed, 2235 insertions, 1304 deletions
diff --git a/lib/libipsec/Makefile b/lib/libipsec/Makefile
index bac3dd2ec52c..52510f787fc8 100644
--- a/lib/libipsec/Makefile
+++ b/lib/libipsec/Makefile
@@ -27,7 +27,7 @@
# $FreeBSD$
LIB= ipsec
-SHLIB_MAJOR= 0
+SHLIB_MAJOR= 1
SHLIB_MINOR= 0
CFLAGS+=-I${.OBJDIR}
CFLAGS+=-DIPSEC_DEBUG -DIPSEC
@@ -35,11 +35,11 @@ CFLAGS+=-DIPSEC_DEBUG -DIPSEC
CFLAGS+=-DINET6
.endif
-.PATH: ${.CURDIR}/../../sys/netkey
-SRCS= pfkey.c pfkey_dump.c
+#.PATH: ${.CURDIR}/../../sys/netkey
+#SRCS= pfkey.c pfkey_dump.c
SRCS+= ipsec_strerror.c policy_parse.y policy_token.l
SRCS+= ipsec_dump_policy.c ipsec_get_policylen.c
-SRCS+= key_debug.c
+#SRCS+= key_debug.c
CLEANFILES+= y.tab.c y.tab.h
YFLAGS+=-d -p __libipsecyy
LFLAGS+=-P__libipsecyy
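Review bot: The only lines naming pfkey.c and pfkey_dump.c are now commented out, while this same commit rewrites lib/libipsec/pfkey.c and adds libpfkey.h for it, so unless SRCS is populated by another fragment outside this hunk those objects would presumably no longer be linked into libipsec.so.1 and users of pfkey_open()/pfkey_send_*() would fail at link time. If the intent is to build the library-local copies instead of the kernel ones, the .PATH line can stay removed but the source list should be restored, `SRCS= pfkey.c pfkey_dump.c`. Deleting the commented-out lines rather than keeping them as dead text would also make that intent clearer.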
diff --git a/lib/libipsec/ipsec_dump_policy.c b/lib/libipsec/ipsec_dump_policy.c
index a9ef2f5a7aa0..35b8586dc300 100644
--- a/lib/libipsec/ipsec_dump_policy.c
+++ b/lib/libipsec/ipsec_dump_policy.c
@@ -1,3 +1,6 @@
+/* $FreeBSD$ */
+/* $KAME: ipsec_dump_policy.c,v 1.11 2000/05/07 05:29:47 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
#include <sys/types.h>
@@ -39,6 +40,7 @@
#include <arpa/inet.h>
+#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
@@ -53,7 +55,11 @@ static const char *ipsp_policy_strs[] = {
"discard", "none", "ipsec", "entrust", "bypass",
};
-static int set_addresses __P((char *buf, caddr_t ptr));
+static char *ipsec_dump_ipsecrequest __P((char *, size_t,
+ struct sadb_x_ipsecrequest *, size_t));
+static int set_addresses __P((char *, size_t, struct sockaddr *,
+ struct sockaddr *));
+static char *set_address __P((char *, size_t, struct sockaddr *));
/*
* policy is sadb_x_policy buffer.
@@ -67,15 +73,16 @@ ipsec_dump_policy(policy, delimiter)
{
struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
struct sadb_x_ipsecrequest *xisr;
- int xtlen, buflen;
+ size_t off, buflen;
char *buf;
- int error;
+ char isrbuf[1024];
+ char *newbuf;
/* sanity check */
if (policy == NULL)
return NULL;
if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
- ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
+ __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
return NULL;
}
@@ -89,7 +96,7 @@ ipsec_dump_policy(policy, delimiter)
case IPSEC_DIR_OUTBOUND:
break;
default:
- ipsec_errcode = EIPSEC_INVAL_DIR;
+ __ipsec_errcode = EIPSEC_INVAL_DIR;
return NULL;
}
@@ -101,7 +108,7 @@ ipsec_dump_policy(policy, delimiter)
case IPSEC_POLICY_ENTRUST:
break;
default:
- ipsec_errcode = EIPSEC_INVAL_POLICY;
+ __ipsec_errcode = EIPSEC_INVAL_POLICY;
return NULL;
}
@@ -111,143 +118,190 @@ ipsec_dump_policy(policy, delimiter)
+ 1; /* NUL */
if ((buf = malloc(buflen)) == NULL) {
- ipsec_errcode = EIPSEC_NO_BUFS;
+ __ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
- strcpy(buf, ipsp_dir_strs[xpl->sadb_x_policy_dir]);
- strcat(buf, " ");
- strcat(buf, ipsp_policy_strs[xpl->sadb_x_policy_type]);
+ snprintf(buf, buflen, "%s %s", ipsp_dir_strs[xpl->sadb_x_policy_dir],
+ ipsp_policy_strs[xpl->sadb_x_policy_type]);
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
- xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
- xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
-
/* count length of buffer for use */
- /* XXX non-seriously */
- while (xtlen > 0) {
- buflen += 20;
- if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL)
- buflen += 50;
- xtlen -= xisr->sadb_x_ipsecrequest_len;
- xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
- + xisr->sadb_x_ipsecrequest_len);
+ off = sizeof(*xpl);
+ while (off < PFKEY_EXTLEN(xpl)) {
+ xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
+ off += xisr->sadb_x_ipsecrequest_len;
}
/* validity check */
- if (xtlen < 0) {
- ipsec_errcode = EIPSEC_INVAL_SADBMSG;
+ if (off != PFKEY_EXTLEN(xpl)) {
+ __ipsec_errcode = EIPSEC_INVAL_SADBMSG;
free(buf);
return NULL;
}
- if ((buf = realloc(buf, buflen)) == NULL) {
- ipsec_errcode = EIPSEC_NO_BUFS;
- return NULL;
- }
+ off = sizeof(*xpl);
+ while (off < PFKEY_EXTLEN(xpl)) {
+ xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
- xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
- xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
-
- while (xtlen > 0) {
- strcat(buf, delimiter);
-
- switch (xisr->sadb_x_ipsecrequest_proto) {
- case IPPROTO_ESP:
- strcat(buf, "esp");
- break;
- case IPPROTO_AH:
- strcat(buf, "ah");
- break;
- case IPPROTO_IPCOMP:
- strcat(buf, "ipcomp");
- break;
- default:
- ipsec_errcode = EIPSEC_INVAL_PROTO;
+ if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr,
+ PFKEY_EXTLEN(xpl) - off) == NULL) {
free(buf);
return NULL;
}
- strcat(buf, "/");
-
- switch (xisr->sadb_x_ipsecrequest_mode) {
- case IPSEC_MODE_ANY:
- strcat(buf, "any");
- break;
- case IPSEC_MODE_TRANSPORT:
- strcat(buf, "transport");
- break;
- case IPSEC_MODE_TUNNEL:
- strcat(buf, "tunnel");
- break;
- default:
- ipsec_errcode = EIPSEC_INVAL_MODE;
+ buflen = strlen(buf) + strlen(delimiter) + strlen(isrbuf) + 1;
+ newbuf = (char *)realloc(buf, buflen);
+ if (newbuf == NULL) {
+ __ipsec_errcode = EIPSEC_NO_BUFS;
free(buf);
return NULL;
}
+ buf = newbuf;
+ snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf);
- strcat(buf, "/");
+ off += xisr->sadb_x_ipsecrequest_len;
+ }
- if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
- error = set_addresses(buf, (caddr_t)(xisr + 1));
- if (error) {
- ipsec_errcode = EIPSEC_INVAL_MODE;
- free(buf);
- return NULL;
- }
- }
+ __ipsec_errcode = EIPSEC_NO_ERROR;
+ return buf;
+}
- switch (xisr->sadb_x_ipsecrequest_level) {
- case IPSEC_LEVEL_DEFAULT:
- strcat(buf, "/default");
- break;
- case IPSEC_LEVEL_USE:
- strcat(buf, "/use");
- break;
- case IPSEC_LEVEL_REQUIRE:
- strcat(buf, "/require");
- break;
- case IPSEC_LEVEL_UNIQUE:
- strcat(buf, "/unique");
- break;
- default:
- ipsec_errcode = EIPSEC_INVAL_LEVEL;
- free(buf);
+static char *
+ipsec_dump_ipsecrequest(buf, len, xisr, bound)
+ char *buf;
+ size_t len;
+ struct sadb_x_ipsecrequest *xisr;
+ size_t bound; /* boundary */
+{
+ const char *proto, *mode, *level;
+ char abuf[NI_MAXHOST * 2 + 2];
+
+ if (xisr->sadb_x_ipsecrequest_len > bound) {
+ __ipsec_errcode = EIPSEC_INVAL_PROTO;
+ return NULL;
+ }
+
+ switch (xisr->sadb_x_ipsecrequest_proto) {
+ case IPPROTO_ESP:
+ proto = "esp";
+ break;
+ case IPPROTO_AH:
+ proto = "ah";
+ break;
+ case IPPROTO_IPCOMP:
+ proto = "ipcomp";
+ break;
+ default:
+ __ipsec_errcode = EIPSEC_INVAL_PROTO;
+ return NULL;
+ }
+
+ switch (xisr->sadb_x_ipsecrequest_mode) {
+ case IPSEC_MODE_ANY:
+ mode = "any";
+ break;
+ case IPSEC_MODE_TRANSPORT:
+ mode = "transport";
+ break;
+ case IPSEC_MODE_TUNNEL:
+ mode = "tunnel";
+ break;
+ default:
+ __ipsec_errcode = EIPSEC_INVAL_MODE;
+ return NULL;
+ }
+
+ abuf[0] = '\0';
+ if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
+ struct sockaddr *sa1, *sa2;
+ caddr_t p;
+
+ p = (caddr_t)(xisr + 1);
+ sa1 = (struct sockaddr *)p;
+ sa2 = (struct sockaddr *)(p + sa1->sa_len);
+ if (sizeof(*xisr) + sa1->sa_len + sa2->sa_len !=
+ xisr->sadb_x_ipsecrequest_len) {
+ __ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return NULL;
}
+ if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) {
+ __ipsec_errcode = EIPSEC_INVAL_ADDRESS;
+ return NULL;
+ }
+ }
- xtlen -= xisr->sadb_x_ipsecrequest_len;
- xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
- + xisr->sadb_x_ipsecrequest_len);
+ switch (xisr->sadb_x_ipsecrequest_level) {
+ case IPSEC_LEVEL_DEFAULT:
+ level = "default";
+ break;
+ case IPSEC_LEVEL_USE:
+ level = "use";
+ break;
+ case IPSEC_LEVEL_REQUIRE:
+ level = "require";
+ break;
+ case IPSEC_LEVEL_UNIQUE:
+ level = "unique";
+ break;
+ default:
+ __ipsec_errcode = EIPSEC_INVAL_LEVEL;
+ return NULL;
+ }
+
+ if (xisr->sadb_x_ipsecrequest_reqid == 0)
+ snprintf(buf, len, "%s/%s/%s/%s", proto, mode, abuf, level);
+ else {
+ int ch;
+
+ if (xisr->sadb_x_ipsecrequest_reqid > IPSEC_MANUAL_REQID_MAX)
+ ch = '#';
+ else
+ ch = ':';
+ snprintf(buf, len, "%s/%s/%s/%s%c%d", proto, mode, abuf, level,
+ ch, xisr->sadb_x_ipsecrequest_reqid);
}
- ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
static int
-set_addresses(buf, ptr)
+set_addresses(buf, len, sa1, sa2)
char *buf;
- caddr_t ptr;
+ size_t len;
+ struct sockaddr *sa1;
+ struct sockaddr *sa2;
{
- char tmp[100]; /* XXX */
- struct sockaddr *saddr = (struct sockaddr *)ptr;
-
- getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
- NULL, 0, NI_NUMERICHOST);
-
- strcat(buf, tmp);
-
- strcat(buf, "-");
-
- saddr = (struct sockaddr *)((caddr_t)saddr + saddr->sa_len);
- getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
- NULL, 0, NI_NUMERICHOST);
+ char tmp1[NI_MAXHOST], tmp2[NI_MAXHOST];
+
+ if (set_address(tmp1, sizeof(tmp1), sa1) == NULL ||
+ set_address(tmp2, sizeof(tmp2), sa2) == NULL)
+ return -1;
+ if (strlen(tmp1) + 1 + strlen(tmp2) + 1 > len)
+ return -1;
+ snprintf(buf, len, "%s-%s", tmp1, tmp2);
+ return 0;
+}
- strcat(buf, tmp);
+static char *
+set_address(buf, len, sa)
+ char *buf;
+ size_t len;
+ struct sockaddr *sa;
+{
+#ifdef NI_WITHSCOPEID
+ const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID;
+#else
+ const int niflags = NI_NUMERICHOST;
+#endif
- return 0;
+ if (len < 1)
+ return NULL;
+ buf[0] = '\0';
+ if (getnameinfo(sa, sa->sa_len, buf, len, NULL, 0, niflags) != 0)
+ return NULL;
+ return buf;
}
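Review bot: `snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf);` in the append loop passes `buf` as both the destination and a `%s` source, which C99 7.19.6.5 makes undefined behaviour for overlapping objects; append past the existing text instead, `size_t used = strlen(buf);` followed by `snprintf(buf + used, buflen - used, "%s%s", delimiter, isrbuf);`. The length walk above it (`off += xisr->sadb_x_ipsecrequest_len;`) also accepts a request whose `sadb_x_ipsecrequest_len` is zero or smaller than `sizeof(*xisr)`, so a malformed policy buffer either never terminates the loop or lets the next iteration read a header that straddles the extension end; a guard before the increment, `if (off + sizeof(*xisr) > PFKEY_EXTLEN(xpl) || xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) break;`, lets the existing `off != PFKEY_EXTLEN(xpl)` check reject it. Likewise in ipsec_dump_ipsecrequest the `sa2` header is read at `p + sa1->sa_len` before `sa1->sa_len` has been checked against `sadb_x_ipsecrequest_len`, so that bound should be verified before `sa2->sa_len` is touched. Reporting the `> bound` length failure as EIPSEC_INVAL_PROTO is also misleading; EIPSEC_INVAL_SADBMSG, which the caller already uses for the same condition, would read better.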
diff --git a/lib/libipsec/ipsec_get_policylen.c b/lib/libipsec/ipsec_get_policylen.c
index a8a3e5d05b70..9986de0e5d0a 100644
--- a/lib/libipsec/ipsec_get_policylen.c
+++ b/lib/libipsec/ipsec_get_policylen.c
@@ -1,3 +1,6 @@
+/* $FreeBSD$ */
+/* $KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,13 +28,13 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
#include <sys/types.h>
#include <sys/param.h>
+#include <netinet6/ipsec.h>
+
#include <net/pfkeyv2.h>
#include "ipsec_strerror.h"
diff --git a/lib/libipsec/ipsec_set_policy.3 b/lib/libipsec/ipsec_set_policy.3
index e8a61ebb74f1..d5d05038cfac 100644
--- a/lib/libipsec/ipsec_set_policy.3
+++ b/lib/libipsec/ipsec_set_policy.3
@@ -1,4 +1,7 @@
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+.\" $FreeBSD$
+.\" $KAME: ipsec_set_policy.3,v 1.10 2000/05/07 05:25:03 itojun Exp $
+.\"
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -25,9 +28,6 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: ipsec_set_policy.3,v 1.5 1999/10/20 00:21:06 sakane Exp $
-.\" $FreeBSD$
-.\"
.Dd May 5, 1998
.Dt IPSEC_SET_POLICY 3
.Os
@@ -36,10 +36,10 @@
.Nm ipsec_get_policylen ,
.Nm ipsec_dump_policy
.Nd manipulate IPsec policy specification structure from readable string
+.\"
.Sh LIBRARY
.Lb libipsec
.Sh SYNOPSIS
-.Fd #include <sys/types.h>
.Fd #include <netinet6/ipsec.h>
.Ft "char *"
.Fn ipsec_set_policy "char *policy" "int len"
@@ -167,9 +167,9 @@ is the other node
.Pp
.Ar level
must be set to one of the following:
-.Li default , use
+.Li default , use , require
or
-.Li require .
+.Li unique .
.Li default
means that the kernel should consult the system default policy
defined by
@@ -189,6 +189,19 @@ or encrypted
.Li require
means that a relevant SA is required,
since the kernel must perform IPsec operation against packets.
+.Li unique
+is the same as
+.Li require ,
+but adds the restriction that the SA for outbound traffic is used
+only for this policy.
+You may need the identifier in order to relate the policy and the SA
+when you define the SA by manual keying.
+You can put the decimal number as the identifier after
+.Li unique
+like
+.Li unique : number .
+.Li number
+must be between 1 and 32767 .
If the
.Ar request
string is kept unambiguous,
@@ -219,8 +232,8 @@ Here are several examples
in discard
out ipsec esp/transport/10.1.1.1-10.1.1.2/require
in ipsec ah/transport/10.1.1.2-10.1.1.1/require
-in ipsec esp/transport/10.1.1.2-10.1.1.1/use
- ah/tunnel/10.1.1.2-10.1.1.1/require
+out ipsec esp/transport/10.1.1.2-10.1.1.1/use
+ ah/tunnel/10.1.1.2-10.1.1.1/unique:1000
in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
esp/transport/10.1.1.2-10.1.1.1/use
.Ed
@@ -238,11 +251,7 @@ and
on errors.
.Sh SEE ALSO
.Xr ipsec_strerror 3 ,
-.Xr ipsec 4 ,
+.Xr ispec 4 ,
.Xr setkey 8
.Sh HISTORY
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
-.Pp
-IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
-was initially integrated into
-.Fx 4.0
diff --git a/lib/libipsec/ipsec_strerror.3 b/lib/libipsec/ipsec_strerror.3
index d1f3c584cb03..d0d39774d364 100644
--- a/lib/libipsec/ipsec_strerror.3
+++ b/lib/libipsec/ipsec_strerror.3
@@ -1,4 +1,7 @@
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+.\" $FreeBSD$
+.\" $KAME: ipsec_strerror.3,v 1.6 2000/05/07 05:25:03 itojun Exp $
+.\"
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -25,22 +28,19 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: ipsec_strerror.3,v 1.2 1999/09/21 03:49:19 itojun Exp $
-.\" $FreeBSD$
-.\"
.Dd May 6, 1998
.Dt IPSEC_STRERROR 3
.Os
+.\"
.Sh NAME
.Nm ipsec_strerror
.Nd error code for IPsec policy manipulation library
-.Sh LIBRARY
-.Lb libipsec
+.\"
.Sh SYNOPSIS
-.Fd #include <sys/types.h>
.Fd #include <netinet6/ipsec.h>
.Ft "char *"
-.Fn ipsec_strerror void
+.Fn ipsec_strerror
+.\"
.Sh DESCRIPTION
.Pa netinet6/ipsec.h
declares
@@ -51,16 +51,30 @@ which is used to pass error code from IPsec policy manipulation library
to user program.
.Fn ipsec_strerror
can be used to obtain error message string for the error code.
+.Pp
+The array pointed to is not to be modified by the program.
+Since
+.Fn ipsec_strerror
+uses
+.Xr strerror 3
+as underlying function, calling
+.Xr strerror 3
+after
+.Fn ipsec_strerror
+would make the return value from
+.Fn ipsec_strerror
+invalid, or overwritten.
+.\"
.Sh RETURN VALUES
.Fn ipsec_strerror
always return a pointer to C string.
The C string must not be overwritten by user programs.
.\"
-.\" .Sh SEE ALSO
+.Sh SEE ALSO
+.Xr ipsec_set_policy 3
.\"
.Sh HISTORY
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
-.Pp
-IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
-was initially integrated into
-.Fx 4.0
+.\"
+.\" .Sh BUGS
+.\" (to be written)
diff --git a/lib/libipsec/ipsec_strerror.c b/lib/libipsec/ipsec_strerror.c
index 601b1d7023f3..1cf4e4c4bd54 100644
--- a/lib/libipsec/ipsec_strerror.c
+++ b/lib/libipsec/ipsec_strerror.c
@@ -1,3 +1,6 @@
+/* $FreeBSD$ */
+/* $KAME: ipsec_strerror.c,v 1.6 2000/05/07 05:25:03 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
#include <sys/types.h>
@@ -37,7 +38,7 @@
#include "ipsec_strerror.h"
-int ipsec_errcode;
+int __ipsec_errcode;
static char *ipsec_errlist[] = {
"Success", /*EIPSEC_NO_ERROR*/
@@ -72,15 +73,15 @@ NULL, /*EIPSEC_SYSTEM_ERROR*/
char *ipsec_strerror(void)
{
- if (ipsec_errcode < 0 || ipsec_errcode > EIPSEC_MAX)
- ipsec_errcode = EIPSEC_MAX;
+ if (__ipsec_errcode < 0 || __ipsec_errcode > EIPSEC_MAX)
+ __ipsec_errcode = EIPSEC_MAX;
- return ipsec_errlist[ipsec_errcode];
+ return ipsec_errlist[__ipsec_errcode];
}
-void ipsec_set_strerror(char *str)
+void __ipsec_set_strerror(char *str)
{
- ipsec_errcode = EIPSEC_SYSTEM_ERROR;
+ __ipsec_errcode = EIPSEC_SYSTEM_ERROR;
ipsec_errlist[EIPSEC_SYSTEM_ERROR] = str;
return;
diff --git a/lib/libipsec/ipsec_strerror.h b/lib/libipsec/ipsec_strerror.h
index 752ba75ba2ab..02448cd630a4 100644
--- a/lib/libipsec/ipsec_strerror.h
+++ b/lib/libipsec/ipsec_strerror.h
@@ -1,3 +1,6 @@
+/* $FreeBSD$ */
+/* $KAME: ipsec_strerror.h,v 1.7 2000/05/07 05:25:03 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,38 +28,36 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
-extern int ipsec_errcode;
-extern void ipsec_set_strerror(char *str);
+extern int __ipsec_errcode;
+extern void __ipsec_set_strerror __P((char *));
-#define EIPSEC_NO_ERROR 0 /*success*/
-#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
-#define EIPSEC_INVAL_ARGUMENT 2 /*invalid argument*/
-#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
-#define EIPSEC_INVAL_VERSION 4 /*invalid version*/
-#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
-#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/
-#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/
-#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/
-#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/
-#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/
-#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/
-#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/
-#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/
-#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/
-#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/
-#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/
-#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/
-#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/
-#define EIPSEC_NO_PROTO 19 /*no protocol specified*/
-#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/
-#define EIPSEC_NO_BUFS 21 /*no buffers available*/
-#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/
-#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/
-#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/
-#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/
-#define EIPSEC_SYSTEM_ERROR 26 /*system error*/
-#define EIPSEC_MAX 27 /*unknown error*/
+#define EIPSEC_NO_ERROR 0 /*success*/
+#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
+#define EIPSEC_INVAL_ARGUMENT 2 /*invalid argument*/
+#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
+#define EIPSEC_INVAL_VERSION 4 /*invalid version*/
+#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
+#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/
+#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/
+#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/
+#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/
+#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/
+#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/
+#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/
+#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/
+#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/
+#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/
+#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/
+#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/
+#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/
+#define EIPSEC_NO_PROTO 19 /*no protocol specified*/
+#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/
+#define EIPSEC_NO_BUFS 21 /*no buffers available*/
+#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/
+#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/
+#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/
+#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/
+#define EIPSEC_SYSTEM_ERROR 26 /*system error*/
+#define EIPSEC_MAX 27 /*unknown error*/
diff --git a/lib/libipsec/libpfkey.h b/lib/libipsec/libpfkey.h
new file mode 100644
index 000000000000..ad87700a1301
--- /dev/null
+++ b/lib/libipsec/libpfkey.h
@@ -0,0 +1,77 @@
+/* $FreeBSD$ */
+/* $KAME: libpfkey.h,v 1.1 2000/06/08 21:28:32 itojun Exp $ */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+extern void pfkey_sadump __P((struct sadb_msg *));
+extern void pfkey_spdump __P((struct sadb_msg *));
+
+struct sockaddr;
+int ipsec_check_keylen __P((u_int, u_int, u_int));
+u_int pfkey_set_softrate __P((u_int, u_int));
+u_int pfkey_get_softrate __P((u_int));
+int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
+ struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
+int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *,
+ struct sockaddr *, u_int32_t, u_int32_t, u_int,
+ caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
+ u_int64_t, u_int64_t, u_int32_t));
+int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
+ struct sockaddr *, u_int32_t, u_int32_t, u_int,
+ caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
+ u_int64_t, u_int64_t, u_int32_t));
+int pfkey_send_delete __P((int, u_int, u_int,
+ struct sockaddr *, struct sockaddr *, u_int32_t));
+int pfkey_send_get __P((int, u_int, u_int,
+ struct sockaddr *, struct sockaddr *, u_int32_t));
+int pfkey_send_register __P((int, u_int));
+int pfkey_recv_register __P((int));
+int pfkey_send_flush __P((int, u_int));
+int pfkey_send_dump __P((int, u_int));
+int pfkey_send_promisc_toggle __P((int, int));
+int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
+ struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int,
+ struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
+ struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spddelete2 __P((int, u_int32_t));
+int pfkey_send_spdget __P((int, u_int32_t));
+int pfkey_send_spdsetidx __P((int, struct sockaddr *, u_int,
+ struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spdflush __P((int));
+int pfkey_send_spddump __P((int));
+
+int pfkey_open __P((void));
+void pfkey_close __P((int));
+struct sadb_msg *pfkey_recv __P((int));
+int pfkey_send __P((int, struct sadb_msg *, int));
+int pfkey_align __P((struct sadb_msg *, caddr_t *));
+int pfkey_check __P((caddr_t *));
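Review bot: The new header has no include guard and uses `struct sadb_msg`, `__P`, `u_int32_t`, `u_int64_t` and `caddr_t` without including anything, so it compiles only when the including file has already pulled in `<sys/types.h>`, `<sys/cdefs.h>` and `<net/pfkeyv2.h>` (pfkey.c does, but a consumer of the installed header gets no hint of that). At minimum a forward declaration `struct sadb_msg;` beside the existing `struct sockaddr;` and an include guard around the prototypes would make it self-contained, and the two `extern` qualifiers on the pfkey_sadump/pfkey_spdump declarations are inconsistent with the rest of the list. A short header comment stating which headers must precede it and that these are the PF_KEY socket helpers shared with setkey would also help.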
diff --git a/lib/libipsec/pfkey.c b/lib/libipsec/pfkey.c
index 318be331a9cf..11b67228bc8c 100644
--- a/lib/libipsec/pfkey.c
+++ b/lib/libipsec/pfkey.c
@@ -1,3 +1,6 @@
+/* $FreeBSD$ */
+/* $KAME: pfkey.c,v 1.31 2000/06/10 14:17:43 sakane Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,21 +28,14 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
-#ifndef lint
-static char *rcsid = "@(#) pfkey.c $Revision: 1.10 $";
-#endif
-
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <net/pfkeyv2.h>
#include <netkey/key_var.h>
#include <netinet/in.h>
-#include <netinet6/in6.h>
#include <netinet6/ipsec.h>
#include <stdlib.h>
@@ -48,31 +44,31 @@ static char *rcsid = "@(#) pfkey.c $Revision: 1.10 $";
#include <errno.h>
#include "ipsec_strerror.h"
-
-#define CALLOC(size, cast) (cast)calloc(1, (size))
-
-static int pfkey_send_x1 __P((int so, u_int type, u_int satype, u_int mode,
- struct sockaddr *src, struct sockaddr *dst, u_int32_t spi, u_int wsize,
- caddr_t keymat,
- u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen,
- u_int flags,
- u_int32_t l_alloc, u_int32_t l_bytes,
- u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq));
-static int pfkey_send_x2 __P((int so, u_int type, u_int satype, u_int mode,
- struct sockaddr *src, struct sockaddr *dst, u_int32_t spi));
-static int pfkey_send_x3 __P((int so, u_int type, u_int satype));
-
-static caddr_t pfkey_setsadbmsg __P((caddr_t buf, u_int type, u_int tlen,
- u_int satype, u_int mode, u_int32_t seq, pid_t pid));
-static caddr_t pfkey_setsadbsa __P((caddr_t buf, u_int32_t spi, u_int wsize,
- u_int auth, u_int enc, u_int32_t flags));
-static caddr_t pfkey_setsadbaddr __P((caddr_t buf, u_int exttype,
- struct sockaddr *saddr, u_int prefixlen, u_int ul_proto));
-static caddr_t pfkey_setsadbkey(caddr_t buf, u_int type,
- caddr_t key, u_int keylen);
-static caddr_t pfkey_setsadblifetime(caddr_t buf, u_int type,
- u_int32_t l_alloc, u_int32_t l_bytes,
- u_int32_t l_addtime, u_int32_t l_usetime);
+#include "libpfkey.h"
+
+#define CALLOC(size, cast) (cast)calloc(1, (size))
+
+static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr *,
+ struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
+ u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
+ u_int32_t, u_int32_t, u_int32_t));
+static int pfkey_send_x2 __P((int, u_int, u_int, u_int,
+ struct sockaddr *, struct sockaddr *, u_int32_t));
+static int pfkey_send_x3 __P((int, u_int, u_int));
+static int pfkey_send_x4 __P((int, u_int, struct sockaddr *, u_int,
+ struct sockaddr *, u_int, u_int, char *, int, u_int32_t));
+static int pfkey_send_x5 __P((int, u_int, u_int32_t));
+
+static caddr_t pfkey_setsadbmsg __P((caddr_t, u_int, u_int,
+ u_int, u_int32_t, pid_t));
+static caddr_t pfkey_setsadbsa __P((caddr_t, u_int32_t, u_int,
+ u_int, u_int, u_int32_t));
+static caddr_t pfkey_setsadbaddr __P((caddr_t, u_int,
+ struct sockaddr *, u_int, u_int));
+static caddr_t pfkey_setsadbkey __P((caddr_t, u_int, caddr_t, u_int));
+static caddr_t pfkey_setsadblifetime __P((caddr_t, u_int, u_int32_t, u_int32_t,
+ u_int32_t, u_int32_t));
+static caddr_t pfkey_setsadbxsa2 __P((caddr_t, u_int32_t, u_int32_t));
/*
* check key length against algorithm specified.
@@ -98,7 +94,7 @@ ipsec_check_keylen(supported, alg_id, keylen)
/* validity check */
if (ipsec_supported == NULL) {
- ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
+ __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
return -1;
}
switch (supported) {
@@ -106,7 +102,7 @@ ipsec_check_keylen(supported, alg_id, keylen)
case SADB_EXT_SUPPORTED_ENCRYPT:
break;
default:
- ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
@@ -137,18 +133,18 @@ ipsec_check_keylen(supported, alg_id, keylen)
}
}
- ipsec_errcode = EIPSEC_NOT_SUPPORTED;
+ __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
return -1;
/* NOTREACHED */
found:
if (keylen < alg->sadb_alg_minbits
|| keylen > alg->sadb_alg_maxbits) {
- ipsec_errcode = EIPSEC_INVAL_KEYLEN;
+ __ipsec_errcode = EIPSEC_INVAL_KEYLEN;
return -1;
}
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -165,7 +161,7 @@ u_int
pfkey_set_softrate(type, rate)
u_int type, rate;
{
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
if (rate > 100 || rate == 0)
rate = 100;
@@ -185,7 +181,7 @@ pfkey_set_softrate(type, rate)
return 0;
}
- ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return 1;
}
@@ -218,33 +214,46 @@ pfkey_get_softrate(type)
* -1 : error occured, and set errno.
*/
int
-pfkey_send_getspi(so, satype, mode, src, dst, min, max, seq)
+pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
int so;
u_int satype, mode;
struct sockaddr *src, *dst;
- u_int32_t min, max, seq;
+ u_int32_t min, max, reqid, seq;
{
struct sadb_msg *newmsg;
int len;
int need_spirange = 0;
caddr_t p;
+ int plen;
/* validity check */
if (src == NULL || dst == NULL) {
- ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
if (src->sa_family != dst->sa_family) {
- ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+ __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
if (min > max || (min > 0 && min <= 255)) {
- ipsec_errcode = EIPSEC_INVAL_SPI;
+ __ipsec_errcode = EIPSEC_INVAL_SPI;
+ return -1;
+ }
+ switch (src->sa_family) {
+ case AF_INET:
+ plen = sizeof(struct in_addr) << 3;
+ break;
+ case AF_INET6:
+ plen = sizeof(struct in6_addr) << 3;
+ break;
+ default:
+ __ipsec_errcode = EIPSEC_INVAL_FAMILY;
return -1;
}
/* create new sadb_msg to send. */
len = sizeof(struct sadb_msg)
+ + sizeof(struct sadb_x_sa2)
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(src->sa_len)
+ sizeof(struct sadb_address)
@@ -256,32 +265,28 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, seq)
}
if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
- ipsec_set_strerror(strerror(errno));
+ __ipsec_set_strerror(strerror(errno));
return -1;
}
p = pfkey_setsadbmsg((caddr_t)newmsg, SADB_GETSPI,
- len, satype, mode, seq, getpid());
+ len, satype, seq, getpid());
+
+ p = pfkey_setsadbxsa2(p, mode, reqid);
/* set sadb_address for source */
- p = pfkey_setsadbaddr(p,
- SADB_EXT_ADDRESS_SRC,
- src,
- _INALENBYAF(src->sa_family) << 3,
- IPSEC_ULPROTO_ANY);
+ p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_SRC, src, plen,
+ IPSEC_ULPROTO_ANY);
/* set sadb_address for destination */
- p = pfkey_setsadbaddr(p,
- SADB_EXT_ADDRESS_DST,
- dst,
- _INALENBYAF(dst->sa_family) << 3,
- IPSEC_ULPROTO_ANY);
+ p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_DST, dst, plen,
+ IPSEC_ULPROTO_ANY);
/* proccessing spi range */
if (need_spirange) {
int _len = sizeof(struct sadb_spirange);
-#define _SADB_SPIRANGE(p) ((struct sadb_spirange *)(p))
+#define _SADB_SPIRANGE(p) ((struct sadb_spirange *)(p))
_SADB_SPIRANGE(p)->sadb_spirange_len = PFKEY_UNIT64(_len);
_SADB_SPIRANGE(p)->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
_SADB_SPIRANGE(p)->sadb_spirange_min = min;
@@ -297,7 +302,7 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, seq)
if (len < 0)
return -1;
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return len;
}
@@ -309,13 +314,13 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, seq)
* -1 : error occured, and set errno.
*/
int
-pfkey_send_update(so, satype, mode, src, dst, spi, wsize,
+pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize,
keymat, e_type, e_keylen, a_type, a_keylen, flags,
l_alloc, l_bytes, l_addtime, l_usetime, seq)
int so;
u_int satype, mode, wsize;
struct sockaddr *src, *dst;
- u_int32_t spi;
+ u_int32_t spi, reqid;
caddr_t keymat;
u_int e_type, e_keylen, a_type, a_keylen, flags;
u_int32_t l_alloc;
@@ -324,7 +329,8 @@ pfkey_send_update(so, satype, mode, src, dst, spi, wsize,
{
int len;
if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
- wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags,
+ reqid, wsize,
+ keymat, e_type, e_keylen, a_type, a_keylen, flags,
l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
return -1;
@@ -339,13 +345,13 @@ pfkey_send_update(so, satype, mode, src, dst, spi, wsize,
* -1 : error occured, and set errno.
*/
int
-pfkey_send_add(so, satype, mode, src, dst, spi, wsize,
+pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize,
keymat, e_type, e_keylen, a_type, a_keylen, flags,
l_alloc, l_bytes, l_addtime, l_usetime, seq)
int so;
u_int satype, mode, wsize;
struct sockaddr *src, *dst;
- u_int32_t spi;
+ u_int32_t spi, reqid;
caddr_t keymat;
u_int e_type, e_keylen, a_type, a_keylen, flags;
u_int32_t l_alloc;
@@ -354,7 +360,8 @@ pfkey_send_add(so, satype, mode, src, dst, spi, wsize,
{
int len;
if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
- wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags,
+ reqid, wsize,
+ keymat, e_type, e_keylen, a_type, a_keylen, flags,
l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
return -1;
@@ -458,7 +465,7 @@ pfkey_recv_register(so)
sup->sadb_supported_len = PFKEY_EXTLEN(sup);
break;
default:
- ipsec_errcode = EIPSEC_INVAL_SATYPE;
+ __ipsec_errcode = EIPSEC_INVAL_SATYPE;
free(newmsg);
return -1;
}
@@ -468,7 +475,7 @@ pfkey_recv_register(so)
}
if (tlen < 0) {
- ipsec_errcode = EIPSEC_INVAL_SATYPE;
+ __ipsec_errcode = EIPSEC_INVAL_SATYPE;
return -1;
}
@@ -477,7 +484,7 @@ pfkey_recv_register(so)
ipsec_supported = newmsg;
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -546,7 +553,6 @@ pfkey_send_promisc_toggle(so, flag)
/*
* sending SADB_X_SPDADD message to the kernel.
- * The length of key material is a_keylen + e_keylen.
* OUT:
* positive: success and return length sent.
* -1 : error occured, and set errno.
@@ -556,133 +562,140 @@ pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
int so;
struct sockaddr *src, *dst;
u_int prefs, prefd, proto;
- char *policy;
+ caddr_t policy;
int policylen;
u_int32_t seq;
{
- struct sadb_msg *newmsg;
int len;
- caddr_t p;
-
- /* validity check */
- if (src == NULL || dst == NULL) {
- ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
- return -1;
- }
- if (src->sa_family != dst->sa_family) {
- ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
- return -1;
- }
- if (prefs > (_INALENBYAF(src->sa_family) << 3)
- || prefd > (_INALENBYAF(dst->sa_family) << 3)) {
- ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
- return -1;
- }
-
- /* create new sadb_msg to reply. */
- len = sizeof(struct sadb_msg)
- + sizeof(struct sadb_address)
- + PFKEY_ALIGN8(_SALENBYAF(src->sa_family))
- + sizeof(struct sadb_address)
- + PFKEY_ALIGN8(_SALENBYAF(src->sa_family))
- + policylen;
- if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
- ipsec_set_strerror(strerror(errno));
+ if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
+ src, prefs, dst, prefd, proto,
+ policy, policylen, seq)) < 0)
return -1;
- }
- p = pfkey_setsadbmsg((caddr_t)newmsg, SADB_X_SPDADD, len,
- SADB_SATYPE_UNSPEC, IPSEC_MODE_ANY, seq, getpid());
- p = pfkey_setsadbaddr(p,
- SADB_EXT_ADDRESS_SRC,
- src,
- prefs,
- proto);
- p = pfkey_setsadbaddr(p,
- SADB_EXT_ADDRESS_DST,
- dst,
- prefd,
- proto);
- memcpy(p, policy, policylen);
+ return len;
+}
- /* send message */
- len = pfkey_send(so, newmsg, len);
- free(newmsg);
+/*
+ * sending SADB_X_SPDUPDATE message to the kernel.
+ * OUT:
+ * positive: success and return length sent.
+ * -1 : error occured, and set errno.
+ */
+int
+pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+ int so;
+ struct sockaddr *src, *dst;
+ u_int prefs, prefd, proto;
+ caddr_t policy;
+ int policylen;
+ u_int32_t seq;
+{
+ int len;
- if (len < 0)
+ if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
+ src, prefs, dst, prefd, proto,
+ policy, policylen, seq)) < 0)
return -1;
- ipsec_errcode = EIPSEC_NO_ERROR;
return len;
}
/*
* sending SADB_X_SPDDELETE message to the kernel.
- * The length of key material is a_keylen + e_keylen.
* OUT:
* positive: success and return length sent.
* -1 : error occured, and set errno.
*/
int
-pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, seq)
+pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
int so;
struct sockaddr *src, *dst;
u_int prefs, prefd, proto;
+ caddr_t policy;
+ int policylen;
u_int32_t seq;
{
- struct sadb_msg *newmsg;
int len;
- caddr_t p;
- /* validity check */
- if (src == NULL || dst == NULL) {
- ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ if (policylen != sizeof(struct sadb_x_policy)) {
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
- if (src->sa_family != dst->sa_family) {
- ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+
+ if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
+ src, prefs, dst, prefd, proto,
+ policy, policylen, seq)) < 0)
return -1;
- }
- if (prefs > (_INALENBYAF(src->sa_family) << 3)
- || prefd > (_INALENBYAF(dst->sa_family) << 3)) {
- ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
+
+ return len;
+}
+
+/*
+ * sending SADB_X_SPDDELETE message to the kernel.
+ * OUT:
+ * positive: success and return length sent.
+ * -1 : error occured, and set errno.
+ */
+int
+pfkey_send_spddelete2(so, spid)
+ int so;
+ u_int32_t spid;
+{
+ int len;
+
+ if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0)
return -1;
- }
- /* create new sadb_msg to reply. */
- len = sizeof(struct sadb_msg)
- + sizeof(struct sadb_address)
- + PFKEY_ALIGN8(_SALENBYAF(src->sa_family))
- + sizeof(struct sadb_address)
- + PFKEY_ALIGN8(_SALENBYAF(src->sa_family));
+ return len;
+}
- if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
- ipsec_set_strerror(strerror(errno));
+/*
+ * sending SADB_X_SPDGET message to the kernel.
+ * OUT:
+ * positive: success and return length sent.
+ * -1 : error occured, and set errno.
+ */
+int
+pfkey_send_spdget(so, spid)
+ int so;
+ u_int32_t spid;
+{
+ int len;
+
+ if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0)
return -1;
- }
- p = pfkey_setsadbmsg((caddr_t)newmsg, SADB_X_SPDDELETE, len,
- SADB_SATYPE_UNSPEC, IPSEC_MODE_ANY, seq, getpid());
- p = pfkey_setsadbaddr(p,
- SADB_EXT_ADDRESS_SRC,
- src,
- prefs,
- proto);
- p = pfkey_setsadbaddr(p,
- SADB_EXT_ADDRESS_DST,
- dst,
- prefd,
- proto);
+ return len;
+}
- /* send message */
- len = pfkey_send(so, newmsg, len);
- free(newmsg);
+/*
+ * sending SADB_X_SPDSETIDX message to the kernel.
+ * OUT:
+ * positive: success and return length sent.
+ * -1 : error occured, and set errno.
+ */
+int
+pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+ int so;
+ struct sockaddr *src, *dst;
+ u_int prefs, prefd, proto;
+ caddr_t policy;
+ int policylen;
+ u_int32_t seq;
+{
+ int len;
- if (len < 0)
+ if (policylen != sizeof(struct sadb_x_policy)) {
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ return -1;
+ }
+
+ if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
+ src, prefs, dst, prefd, proto,
+ policy, policylen, seq)) < 0)
return -1;
- ipsec_errcode = EIPSEC_NO_ERROR;
return len;
}
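Review bot: The header comment above pfkey_send_spddelete2 says "sending SADB_X_SPDDELETE message to the kernel", copied from pfkey_send_spddelete, while the function sends SADB_X_SPDDELETE2 via pfkey_send_x5; it should read `* sending SADB_X_SPDDELETE2 message to the kernel.`. The wrappers are also inconsistent about `policylen`: pfkey_send_spddelete and pfkey_send_spdsetidx reject anything but `sizeof(struct sadb_x_policy)`, whereas pfkey_send_spdadd and pfkey_send_spdupdate forward `policy`/`policylen` to pfkey_send_x4 unchecked, and x4 itself (defined in a later hunk) does not test for a NULL policy or a negative length before adding it to the allocation size and memcpy'ing. A one-line comment on spdadd/spdupdate stating what `policylen` must be, or a shared check in x4, would make the contract explicit.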
@@ -724,13 +737,13 @@ pfkey_send_spddump(so)
/* sending SADB_ADD or SADB_UPDATE message to the kernel */
static int
-pfkey_send_x1(so, type, satype, mode, src, dst, spi, wsize,
+pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
keymat, e_type, e_keylen, a_type, a_keylen, flags,
l_alloc, l_bytes, l_addtime, l_usetime, seq)
int so;
u_int type, satype, mode;
struct sockaddr *src, *dst;
- u_int32_t spi;
+ u_int32_t spi, reqid;
u_int wsize;
caddr_t keymat;
u_int e_type, e_keylen, a_type, a_keylen, flags;
@@ -739,44 +752,57 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, wsize,
struct sadb_msg *newmsg;
int len;
caddr_t p;
+ int plen;
/* validity check */
if (src == NULL || dst == NULL) {
- ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
if (src->sa_family != dst->sa_family) {
- ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+ __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+ return -1;
+ }
+ switch (src->sa_family) {
+ case AF_INET:
+ plen = sizeof(struct in_addr) << 3;
+ break;
+ case AF_INET6:
+ plen = sizeof(struct in6_addr) << 3;
+ break;
+ default:
+ __ipsec_errcode = EIPSEC_INVAL_FAMILY;
return -1;
}
switch (satype) {
case SADB_SATYPE_ESP:
if (e_type == SADB_EALG_NONE) {
- ipsec_errcode = EIPSEC_NO_ALGS;
+ __ipsec_errcode = EIPSEC_NO_ALGS;
return -1;
}
break;
case SADB_SATYPE_AH:
if (e_type != SADB_EALG_NONE) {
- ipsec_errcode = EIPSEC_INVAL_ALGS;
+ __ipsec_errcode = EIPSEC_INVAL_ALGS;
return -1;
}
if (a_type == SADB_AALG_NONE) {
- ipsec_errcode = EIPSEC_NO_ALGS;
+ __ipsec_errcode = EIPSEC_NO_ALGS;
return -1;
}
break;
case SADB_X_SATYPE_IPCOMP:
break;
default:
- ipsec_errcode = EIPSEC_INVAL_SATYPE;
+ __ipsec_errcode = EIPSEC_INVAL_SATYPE;
return -1;
}
/* create new sadb_msg to reply. */
len = sizeof(struct sadb_msg)
+ sizeof(struct sadb_sa)
+ + sizeof(struct sadb_x_sa2)
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(src->sa_len)
+ sizeof(struct sadb_address)
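Review bot: The `switch (src->sa_family)` that derives `plen` is now written out four times in this file (pfkey_send_getspi, pfkey_send_x1 here, pfkey_send_x2 and pfkey_send_x4), each setting EIPSEC_INVAL_FAMILY on the default branch; a small static helper would keep the family list in one place when another family is added. pfkey_send_x1's signature and the rest of its body lie outside this hunk, and a prototype for the helper would need to go with the file's other `__P` declarations, which are not visible here.
```c
/* address length in bits for an address family; -1 if unsupported */
static int
pfkey_af_prefixlen(family)
	u_int family;
{
	switch (family) {
	case AF_INET:
		return sizeof(struct in_addr) << 3;
	case AF_INET6:
		return sizeof(struct in6_addr) << 3;
	default:
		return -1;
	}
}

	/* … in pfkey_send_x1, replacing the switch on src->sa_family … */
	if ((plen = pfkey_af_prefixlen(src->sa_family)) < 0) {
		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
		return -1;
	}
```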
@@ -790,23 +816,18 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, wsize,
len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));
if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
- ipsec_set_strerror(strerror(errno));
+ __ipsec_set_strerror(strerror(errno));
return -1;
}
p = pfkey_setsadbmsg((caddr_t)newmsg, type, len,
- satype, mode, seq, getpid());
+ satype, seq, getpid());
p = pfkey_setsadbsa(p, spi, wsize, a_type, e_type, flags);
- p = pfkey_setsadbaddr(p,
- SADB_EXT_ADDRESS_SRC,
- src,
- _INALENBYAF(src->sa_family) << 3,
- IPSEC_ULPROTO_ANY);
- p = pfkey_setsadbaddr(p,
- SADB_EXT_ADDRESS_DST,
- dst,
- _INALENBYAF(dst->sa_family) << 3,
- IPSEC_ULPROTO_ANY);
+ p = pfkey_setsadbxsa2(p, mode, reqid);
+ p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_SRC, src, plen,
+ IPSEC_ULPROTO_ANY);
+ p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_DST, dst, plen,
+ IPSEC_ULPROTO_ANY);
if (e_type != SADB_EALG_NONE)
p = pfkey_setsadbkey(p, SADB_EXT_KEY_ENCRYPT,
@@ -828,7 +849,7 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, wsize,
if (len < 0)
return -1;
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return len;
}
@@ -843,14 +864,26 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi)
struct sadb_msg *newmsg;
int len;
caddr_t p;
+ int plen;
/* validity check */
if (src == NULL || dst == NULL) {
- ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
if (src->sa_family != dst->sa_family) {
- ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+ __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+ return -1;
+ }
+ switch (src->sa_family) {
+ case AF_INET:
+ plen = sizeof(struct in_addr) << 3;
+ break;
+ case AF_INET6:
+ plen = sizeof(struct in6_addr) << 3;
+ break;
+ default:
+ __ipsec_errcode = EIPSEC_INVAL_FAMILY;
return -1;
}
@@ -863,22 +896,16 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi)
+ PFKEY_ALIGN8(dst->sa_len);
if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
- ipsec_set_strerror(strerror(errno));
+ __ipsec_set_strerror(strerror(errno));
return -1;
}
- p = pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, mode, 0, getpid());
+ p = pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, 0, getpid());
p = pfkey_setsadbsa(p, spi, 0, 0, 0, 0);
- p = pfkey_setsadbaddr(p,
- SADB_EXT_ADDRESS_SRC,
- src,
- _INALENBYAF(src->sa_family) << 3,
- IPSEC_ULPROTO_ANY);
- p = pfkey_setsadbaddr(p,
- SADB_EXT_ADDRESS_DST,
- dst,
- _INALENBYAF(dst->sa_family) << 3,
- IPSEC_ULPROTO_ANY);
+ p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_SRC, src, plen,
+ IPSEC_ULPROTO_ANY);
+ p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_DST, dst, plen,
+ IPSEC_ULPROTO_ANY);
/* send message */
len = pfkey_send(so, newmsg, len);
@@ -887,7 +914,7 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi)
if (len < 0)
return -1;
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return len;
}
@@ -907,7 +934,7 @@ pfkey_send_x3(so, type, satype)
switch (type) {
case SADB_X_PROMISC:
if (satype != 0 && satype != 1) {
- ipsec_errcode = EIPSEC_INVAL_SATYPE;
+ __ipsec_errcode = EIPSEC_INVAL_SATYPE;
return -1;
}
break;
@@ -919,7 +946,7 @@ pfkey_send_x3(so, type, satype)
case SADB_X_SATYPE_IPCOMP:
break;
default:
- ipsec_errcode = EIPSEC_INVAL_SATYPE;
+ __ipsec_errcode = EIPSEC_INVAL_SATYPE;
return -1;
}
}
@@ -928,11 +955,11 @@ pfkey_send_x3(so, type, satype)
len = sizeof(struct sadb_msg);
if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
- ipsec_set_strerror(strerror(errno));
+ __ipsec_set_strerror(strerror(errno));
return -1;
}
- (void)pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, 0, 0, getpid());
+ (void)pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, 0, getpid());
/* send message */
len = pfkey_send(so, newmsg, len);
@@ -941,7 +968,128 @@ pfkey_send_x3(so, type, satype)
if (len < 0)
return -1;
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
+ return len;
+}
+
+/* sending SADB_X_SPDADD message to the kernel */
+static int
+pfkey_send_x4(so, type, src, prefs, dst, prefd, proto, policy, policylen, seq)
+ int so;
+ struct sockaddr *src, *dst;
+ u_int type, prefs, prefd, proto;
+ char *policy;
+ int policylen;
+ u_int32_t seq;
+{
+ struct sadb_msg *newmsg;
+ int len;
+ caddr_t p;
+ int plen;
+
+ /* validity check */
+ if (src == NULL || dst == NULL) {
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ return -1;
+ }
+ if (src->sa_family != dst->sa_family) {
+ __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+ return -1;
+ }
+
+ switch (src->sa_family) {
+ case AF_INET:
+ plen = sizeof(struct in_addr) << 3;
+ break;
+ case AF_INET6:
+ plen = sizeof(struct in6_addr) << 3;
+ break;
+ default:
+ __ipsec_errcode = EIPSEC_INVAL_FAMILY;
+ return -1;
+ }
+ if (prefs > plen || prefd > plen) {
+ __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
+ return -1;
+ }
+
+ /* create new sadb_msg to reply. */
+ len = sizeof(struct sadb_msg)
+ + sizeof(struct sadb_address)
+ + PFKEY_ALIGN8(src->sa_len)
+ + sizeof(struct sadb_address)
+ + PFKEY_ALIGN8(src->sa_len)
+ + policylen;
+
+ if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+ __ipsec_set_strerror(strerror(errno));
+ return -1;
+ }
+
+ p = pfkey_setsadbmsg((caddr_t)newmsg, type, len,
+ SADB_SATYPE_UNSPEC, seq, getpid());
+ p = pfkey_setsadbaddr(p,
+ SADB_EXT_ADDRESS_SRC,
+ src,
+ prefs,
+ proto);
+ p = pfkey_setsadbaddr(p,
+ SADB_EXT_ADDRESS_DST,
+ dst,
+ prefd,
+ proto);
+ memcpy(p, policy, policylen);
+
+ /* send message */
+ len = pfkey_send(so, newmsg, len);
+ free(newmsg);
+
+ if (len < 0)
+ return -1;
+
+ __ipsec_errcode = EIPSEC_NO_ERROR;
+ return len;
+}
+
+/* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
+static int
+pfkey_send_x5(so, type, spid)
+ int so;
+ u_int type;
+ u_int32_t spid;
+{
+ struct sadb_msg *newmsg;
+ struct sadb_x_policy xpl;
+ int len;
+ caddr_t p;
+
+ /* create new sadb_msg to reply. */
+ len = sizeof(struct sadb_msg)
+ + sizeof(xpl);
+
+ if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+ __ipsec_set_strerror(strerror(errno));
+ return -1;
+ }
+
+ p = pfkey_setsadbmsg((caddr_t)newmsg, type, len,
+ SADB_SATYPE_UNSPEC, 0, getpid());
+
+ memset(&xpl, 0, sizeof(xpl));
+ xpl.sadb_x_policy_len = PFKEY_UNUNIT64(sizeof(xpl));
+ xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ xpl.sadb_x_policy_id = spid;
+
+ memcpy(p, &xpl, sizeof(xpl));
+
+ /* send message */
+ len = pfkey_send(so, newmsg, len);
+ free(newmsg);
+
+ if (len < 0)
+ return -1;
+
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return len;
}
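Review bot: In pfkey_send_x4 the allocation size adds `PFKEY_ALIGN8(src->sa_len)` twice (both sadb_address slots), while the second pfkey_setsadbaddr is driven by `dst`; pfkey_send_x2 in this same file sums `dst->sa_len` for that slot, and if a caller's `dst->sa_len` is larger than `src->sa_len` the destination extension and the policy memcpy presumably run past the CALLOC'd buffer, so the second term should be `+ PFKEY_ALIGN8(dst->sa_len)`. In pfkey_send_x5 the extension length is set with `PFKEY_UNUNIT64(sizeof(xpl))`, but everywhere else in this file a length field is written with PFKEY_UNIT64 (pfkey_setsadbxsa2, the spirange block, pfkey_setsadbmsg) and PFKEY_UNUNIT64 is only used in pfkey_recv to turn sadb_msg_len back into bytes, so the line should be `xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl));`. x4 also memcpy's `policylen` bytes from `policy` with no NULL or negative-length check, which only the spddelete/spdsetidx wrappers perform. The header comment on x4, "sending SADB_X_SPDADD message", undersells it: it is called for SPDADD, SPDUPDATE, SPDDELETE and SPDSETIDX.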
@@ -958,7 +1106,7 @@ pfkey_open()
const int bufsiz = 128 * 1024; /*is 128K enough?*/
if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
- ipsec_set_strerror(strerror(errno));
+ __ipsec_set_strerror(strerror(errno));
return -1;
}
@@ -969,7 +1117,7 @@ pfkey_open()
(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return so;
}
@@ -985,7 +1133,7 @@ pfkey_close(so)
{
(void)close(so);
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return;
}
@@ -1005,37 +1153,37 @@ pfkey_recv(so)
while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) {
if (errno == EINTR) continue;
- ipsec_set_strerror(strerror(errno));
+ __ipsec_set_strerror(strerror(errno));
return NULL;
}
if (len < sizeof(buf)) {
recv(so, (caddr_t)&buf, sizeof(buf), 0);
- ipsec_errcode = EIPSEC_MAX;
+ __ipsec_errcode = EIPSEC_MAX;
return NULL;
}
/* read real message */
reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == 0) {
- ipsec_set_strerror(strerror(errno));
+ __ipsec_set_strerror(strerror(errno));
return NULL;
}
while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
if (errno == EINTR) continue;
- ipsec_set_strerror(strerror(errno));
+ __ipsec_set_strerror(strerror(errno));
free(newmsg);
return NULL;
}
if (len != reallen) {
- ipsec_errcode = EIPSEC_SYSTEM_ERROR;
+ __ipsec_errcode = EIPSEC_SYSTEM_ERROR;
free(newmsg);
return NULL;
}
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return newmsg;
}
@@ -1052,11 +1200,11 @@ pfkey_send(so, msg, len)
int len;
{
if ((len = send(so, (caddr_t)msg, len, 0)) < 0) {
- ipsec_set_strerror(strerror(errno));
+ __ipsec_set_strerror(strerror(errno));
return -1;
}
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return len;
}
@@ -1083,7 +1231,7 @@ pfkey_align(msg, mhp)
/* validity check */
if (msg == NULL || mhp == NULL) {
- ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
@@ -1100,7 +1248,7 @@ pfkey_align(msg, mhp)
/* duplicate check */
/* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
if (mhp[ext->sadb_ext_type] != NULL) {
- ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
+ __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
return -1;
}
@@ -1125,10 +1273,11 @@ pfkey_align(msg, mhp)
case SADB_EXT_SUPPORTED_ENCRYPT:
case SADB_EXT_SPIRANGE:
case SADB_X_EXT_POLICY:
+ case SADB_X_EXT_SA2:
mhp[ext->sadb_ext_type] = (caddr_t)ext;
break;
default:
- ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
+ __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
return -1;
}
@@ -1137,7 +1286,7 @@ pfkey_align(msg, mhp)
ext = (struct sadb_ext *)((caddr_t)ext + extlen);
}
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -1160,7 +1309,7 @@ pfkey_check(mhp)
/* validity check */
if (mhp == NULL || mhp[0] == NULL) {
- ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
@@ -1168,13 +1317,13 @@ pfkey_check(mhp)
/* check version */
if (msg->sadb_msg_version != PF_KEY_V2) {
- ipsec_errcode = EIPSEC_INVAL_VERSION;
+ __ipsec_errcode = EIPSEC_INVAL_VERSION;
return -1;
}
/* check type */
if (msg->sadb_msg_type > SADB_MAX) {
- ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
+ __ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
return -1;
}
@@ -1189,7 +1338,7 @@ pfkey_check(mhp)
case SADB_GET:
case SADB_ACQUIRE:
case SADB_EXPIRE:
- ipsec_errcode = EIPSEC_INVAL_SATYPE;
+ __ipsec_errcode = EIPSEC_INVAL_SATYPE;
return -1;
}
break;
@@ -1202,7 +1351,7 @@ pfkey_check(mhp)
case SADB_X_SPDGET:
case SADB_X_SPDDUMP:
case SADB_X_SPDFLUSH:
- ipsec_errcode = EIPSEC_INVAL_SATYPE;
+ __ipsec_errcode = EIPSEC_INVAL_SATYPE;
return -1;
}
break;
@@ -1210,14 +1359,14 @@ pfkey_check(mhp)
case SADB_SATYPE_OSPFV2:
case SADB_SATYPE_RIPV2:
case SADB_SATYPE_MIP:
- ipsec_errcode = EIPSEC_NOT_SUPPORTED;
+ __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
return -1;
case 1: /* XXX: What does it do ? */
if (msg->sadb_msg_type == SADB_X_PROMISC)
break;
/*FALLTHROUGH*/
default:
- ipsec_errcode = EIPSEC_INVAL_SATYPE;
+ __ipsec_errcode = EIPSEC_INVAL_SATYPE;
return -1;
}
@@ -1230,13 +1379,13 @@ pfkey_check(mhp)
dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]);
if (src0->sadb_address_proto != dst0->sadb_address_proto) {
- ipsec_errcode = EIPSEC_PROTO_MISMATCH;
+ __ipsec_errcode = EIPSEC_PROTO_MISMATCH;
return -1;
}
if (PFKEY_ADDR_SADDR(src0)->sa_family
!= PFKEY_ADDR_SADDR(dst0)->sa_family) {
- ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+ __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
@@ -1245,7 +1394,7 @@ pfkey_check(mhp)
case AF_INET6:
break;
default:
- ipsec_errcode = EIPSEC_INVAL_FAMILY;
+ __ipsec_errcode = EIPSEC_INVAL_FAMILY;
return -1;
}
@@ -1255,7 +1404,7 @@ pfkey_check(mhp)
*/
}
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -1264,9 +1413,9 @@ pfkey_check(mhp)
* `buf' must has been allocated sufficiently.
*/
static caddr_t
-pfkey_setsadbmsg(buf, type, tlen, satype, mode, seq, pid)
+pfkey_setsadbmsg(buf, type, tlen, satype, seq, pid)
caddr_t buf;
- u_int type, satype, mode;
+ u_int type, satype;
u_int tlen;
u_int32_t seq;
pid_t pid;
@@ -1275,7 +1424,7 @@ pfkey_setsadbmsg(buf, type, tlen, satype, mode, seq, pid)
u_int len;
p = (struct sadb_msg *)buf;
- len = sizeof(struct sadb_sa);
+ len = sizeof(struct sadb_msg);
memset(p, 0, len);
p->sadb_msg_version = PF_KEY_V2;
@@ -1283,7 +1432,6 @@ pfkey_setsadbmsg(buf, type, tlen, satype, mode, seq, pid)
p->sadb_msg_errno = 0;
p->sadb_msg_satype = satype;
p->sadb_msg_len = PFKEY_UNIT64(tlen);
- p->sadb_msg_mode = mode;
p->sadb_msg_reserved = 0;
p->sadb_msg_seq = seq;
p->sadb_msg_pid = (u_int32_t)pid;
@@ -1402,7 +1550,7 @@ pfkey_setsadblifetime(buf, type, l_alloc, l_bytes, l_addtime, l_usetime)
p->sadb_lifetime_allocations
= (l_alloc * soft_lifetime_allocations_rate) /100;
p->sadb_lifetime_bytes
- = ((l_bytes * soft_lifetime_bytes_rate) /100) << 10;
+ = (l_bytes * soft_lifetime_bytes_rate) /100;
p->sadb_lifetime_addtime
= (l_addtime * soft_lifetime_addtime_rate) /100;
p->sadb_lifetime_usetime
@@ -1410,7 +1558,7 @@ pfkey_setsadblifetime(buf, type, l_alloc, l_bytes, l_addtime, l_usetime)
break;
case SADB_EXT_LIFETIME_HARD:
p->sadb_lifetime_allocations = l_alloc;
- p->sadb_lifetime_bytes = l_bytes << 10;
+ p->sadb_lifetime_bytes = l_bytes;
p->sadb_lifetime_addtime = l_addtime;
p->sadb_lifetime_usetime = l_usetime;
break;
@@ -1419,3 +1567,29 @@ pfkey_setsadblifetime(buf, type, l_alloc, l_bytes, l_addtime, l_usetime)
return buf + len;
}
+/*
+ * copy secasvar data into sadb_address.
+ * `buf' must has been allocated sufficiently.
+ */
+static caddr_t
+pfkey_setsadbxsa2(buf, mode0, reqid)
+ caddr_t buf;
+ u_int32_t mode0;
+ u_int32_t reqid;
+{
+ struct sadb_x_sa2 *p;
+ u_int8_t mode = mode0 & 0xff;
+ u_int len;
+
+ p = (struct sadb_x_sa2 *)buf;
+ len = sizeof(struct sadb_x_sa2);
+
+ memset(p, 0, len);
+ p->sadb_x_sa2_len = PFKEY_UNIT64(len);
+ p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+ p->sadb_x_sa2_mode = mode;
+ p->sadb_x_sa2_reqid = reqid;
+
+ return(buf + len);
+}
+
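Review bot: The header comment on pfkey_setsadbxsa2 says "copy secasvar data into sadb_address", which is copied from the sadb_address helper; this function fills a `struct sadb_x_sa2`, so `* copy mode and reqid into a sadb_x_sa2 extension.` is what the comment should say (keeping the "`buf' must have been allocated sufficiently" line). `u_int8_t mode = mode0 & 0xff;` silently truncates any mode value above 255; either a short comment such as `/* sadb_x_sa2_mode is 8 bits wide */` or an explicit range check would make that deliberate.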
diff --git a/lib/libipsec/pfkey_dump.c b/lib/libipsec/pfkey_dump.c
index b7def246f683..6408651470f6 100644
--- a/lib/libipsec/pfkey_dump.c
+++ b/lib/libipsec/pfkey_dump.c
@@ -1,3 +1,6 @@
+/* $FreeBSD$ */
+/* $KAME: pfkey_dump.c,v 1.19 2000/06/10 06:47:11 sakane Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
#include <sys/types.h>
@@ -39,9 +40,6 @@
#include <netinet/in.h>
#include <netinet6/ipsec.h>
-#ifdef INET6
-#include <netinet6/in6.h>
-#endif
#include <arpa/inet.h>
#include <stdlib.h>
@@ -49,11 +47,13 @@
#include <stdio.h>
#include <string.h>
#include <time.h>
+#include <netdb.h>
#include "ipsec_strerror.h"
+#include "libpfkey.h"
-#define GETMSGSTR(str, num) \
-{ \
+#define GETMSGSTR(str, num) \
+do { \
if (sizeof((str)[0]) == 0 \
|| num >= sizeof(str)/sizeof((str)[0])) \
printf("%d ", (num)); \
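Review bot: In the reworked GETMSGSTR macro the `num` argument is used unparenthesized in `num >= sizeof(str)/sizeof((str)[0])` while the other uses wrap it as `(num)`; an argument expression such as `a + b` would bind incorrectly there. Change it to `|| (num) >= sizeof(str)/sizeof((str)[0])) \`. The rest of the macro body is in the next hunk.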
@@ -61,15 +61,12 @@
printf("%d ", (num)); \
else \
printf("%s ", (str)[(num)]); \
-}
-
-#define GETAF(p) \
- (((struct sockaddr *)(p))->sa_family)
+} while (0)
-static char *_str_ipaddr __P((u_int family, caddr_t addr));
-static char *_str_prefport __P((u_int family, u_int pref, u_int port));
-static char *_str_time __P((time_t t));
-static void _str_lifetime_byte __P((struct sadb_lifetime *x, char *str));
+static char *str_ipaddr __P((struct sockaddr *));
+static char *str_prefport __P((u_int, u_int, u_int));
+static char *str_time __P((time_t));
+static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
/*
* Must to be re-written about following strings.
@@ -151,6 +148,7 @@ pfkey_sadump(m)
{
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_sa *m_sa;
+ struct sadb_x_sa2 *m_sa2;
struct sadb_lifetime *m_lftc, *m_lfth, *m_lfts;
struct sadb_address *m_saddr, *m_daddr, *m_paddr;
struct sadb_key *m_auth, *m_enc;
@@ -168,6 +166,7 @@ pfkey_sadump(m)
}
m_sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
+ m_sa2 = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2];
m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
m_lfts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
@@ -177,7 +176,7 @@ pfkey_sadump(m)
m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
- m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
+ m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
/* source address */
@@ -185,34 +184,36 @@ pfkey_sadump(m)
printf("no ADDRESS_SRC extension.\n");
return;
}
- printf("%s ",
- _str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)));
+ printf("%s ", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
/* destination address */
if (m_daddr == NULL) {
printf("no ADDRESS_DST extension.\n");
return;
}
- printf("%s ",
- _str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)));
+ printf("%s ", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
/* SA type */
if (m_sa == NULL) {
printf("no SA extension.\n");
return;
}
+ if (m_sa2 == NULL) {
+ printf("no SA2 extension.\n");
+ return;
+ }
printf("\n\t");
GETMSGSTR(_str_satype, m->sadb_msg_satype);
printf("mode=");
- GETMSGSTR(_str_mode, m->sadb_msg_mode);
+ GETMSGSTR(_str_mode, m_sa2->sadb_x_sa2_mode);
- printf("spi=%u(0x%08x) replay=%u flags=0x%08x\n",
+ printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n",
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
- m_sa->sadb_sa_replay,
- m_sa->sadb_sa_flags);
+ (u_int32_t)m_sa2->sadb_x_sa2_reqid,
+ (u_int32_t)m_sa2->sadb_x_sa2_reqid);
/* encryption key */
if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
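Review bot: str_ipaddr on the new side returns NULL when getnameinfo fails (its definition is in the hunk further down), and pfkey_sadump passes that result straight to `printf("%s ", str_ipaddr(...))` for both the source and the destination address; a NULL argument for `%s` is undefined behaviour and crashes on most libcs, whereas the old _str_ipaddr always returned its static buffer. The same calls appear twice in pfkey_spdump. The smallest fix is in str_ipaddr itself, `return "?";` in place of `return NULL;` (it already returns `""` for a NULL sockaddr), otherwise each caller needs to test the result before printing.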
@@ -237,8 +238,13 @@ pfkey_sadump(m)
printf("\n");
}
+ /* replay windoe size & flags */
+ printf("\treplay=%u flags=0x%08x ",
+ m_sa->sadb_sa_replay,
+ m_sa->sadb_sa_flags);
+
/* state */
- printf("\tstate=");
+ printf("state=");
GETMSGSTR(_str_state, m_sa->sadb_sa_state);
printf("seq=%lu pid=%lu\n",
@@ -250,8 +256,8 @@ pfkey_sadump(m)
time_t tmp_time = time(0);
printf("\tcreated: %s",
- _str_time(m_lftc->sadb_lifetime_addtime));
- printf("\tcurrent: %s\n", _str_time(tmp_time));
+ str_time(m_lftc->sadb_lifetime_addtime));
+ printf("\tcurrent: %s\n", str_time(tmp_time));
printf("\tdiff: %lu(s)",
(u_long)(m_lftc->sadb_lifetime_addtime == 0 ?
0 : (tmp_time - m_lftc->sadb_lifetime_addtime)));
@@ -264,7 +270,7 @@ pfkey_sadump(m)
0 : m_lfts->sadb_lifetime_addtime));
printf("\tlast: %s",
- _str_time(m_lftc->sadb_lifetime_usetime));
+ str_time(m_lftc->sadb_lifetime_usetime));
printf("\thard: %lu(s)",
(u_long)(m_lfth == NULL ?
0 : m_lfth->sadb_lifetime_usetime));
@@ -272,9 +278,9 @@ pfkey_sadump(m)
(u_long)(m_lfts == NULL ?
0 : m_lfts->sadb_lifetime_usetime));
- _str_lifetime_byte(m_lftc, "current");
- _str_lifetime_byte(m_lfth, "hard");
- _str_lifetime_byte(m_lfts, "soft");
+ str_lifetime_byte(m_lftc, "current");
+ str_lifetime_byte(m_lfth, "hard");
+ str_lifetime_byte(m_lfts, "soft");
printf("\n");
printf("\tallocated: %lu",
@@ -288,7 +294,7 @@ pfkey_sadump(m)
}
/* XXX DEBUG */
- printf("\trefcnt=%d\n", m->sadb_msg_reserved);
+ printf("\trefcnt=%u\n", m->sadb_msg_reserved);
return;
}
@@ -297,9 +303,12 @@ void
pfkey_spdump(m)
struct sadb_msg *m;
{
+ char pbuf[NI_MAXSERV];
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_address *m_saddr, *m_daddr;
struct sadb_x_policy *m_xpl;
+ struct sockaddr *sa;
+ u_int16_t port;
/* check pfkey message. */
if (pfkey_align(m, mhp)) {
@@ -320,25 +329,49 @@ pfkey_spdump(m)
printf("no ADDRESS_SRC extension.\n");
return;
}
- printf("%s%s ",
- _str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)),
- _str_prefport(GETAF(m_saddr + 1),
- m_saddr->sadb_address_prefixlen,
- _INPORTBYSA(m_saddr + 1)));
+ sa = (struct sockaddr *)(m_saddr + 1);
+ switch (sa->sa_family) {
+ case AF_INET:
+ case AF_INET6:
+ if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
+ NI_NUMERICSERV) != 0)
+ port = 0; /*XXX*/
+ else
+ port = atoi(pbuf);
+ printf("%s%s ", str_ipaddr(sa),
+ str_prefport(sa->sa_family,
+ m_saddr->sadb_address_prefixlen, port));
+ break;
+ default:
+ printf("unknown-af ");
+ break;
+ }
/* destination address */
if (m_daddr == NULL) {
printf("no ADDRESS_DST extension.\n");
return;
}
- printf("%s%s ",
- _str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)),
- _str_prefport(GETAF(m_daddr + 1),
- m_daddr->sadb_address_prefixlen,
- _INPORTBYSA(m_daddr + 1)));
+ sa = (struct sockaddr *)(m_daddr + 1);
+ switch (sa->sa_family) {
+ case AF_INET:
+ case AF_INET6:
+ if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
+ NI_NUMERICSERV) != 0)
+ port = 0; /*XXX*/
+ else
+ port = atoi(pbuf);
+ printf("%s%s ", str_ipaddr(sa),
+ str_prefport(sa->sa_family,
+ m_daddr->sadb_address_prefixlen, port));
+ break;
+ default:
+ printf("unknown-af ");
+ break;
+ }
/* upper layer protocol */
- if (m_saddr->sadb_address_proto != m_saddr->sadb_address_proto) {
+ if (m_saddr->sadb_address_proto != m_daddr->sadb_address_proto) {
printf("upper layer protocol mismatched.\n");
return;
}
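Review bot: The source and destination address blocks in pfkey_spdump are byte-for-byte the same fifteen lines apart from `m_saddr`/`m_daddr`; with the port lookup and the two `/*XXX*/` fallbacks now inside each copy, a static helper taking the `struct sadb_address *` would halve the code and keep the two in step. `pbuf`, `sa` and `port` could then move into the helper, and a prototype would go with the file's other `__P` declarations (not in this hunk). pfkey_spdump's signature and the remainder of its body lie outside the hunk.
```c
/* print "addr/prefix[port] " for one sadb_address extension */
static void
spdump_addr(m_addr)
	struct sadb_address *m_addr;
{
	char pbuf[NI_MAXSERV];
	struct sockaddr *sa;
	u_int16_t port;

	sa = (struct sockaddr *)(m_addr + 1);
	switch (sa->sa_family) {
	case AF_INET:
	case AF_INET6:
		if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
		    NI_NUMERICSERV) != 0)
			port = 0;	/*XXX*/
		else
			port = atoi(pbuf);
		printf("%s%s ", str_ipaddr(sa),
		    str_prefport(sa->sa_family,
		        m_addr->sadb_address_prefixlen, port));
		break;
	default:
		printf("unknown-af ");
		break;
	}
}

	/* … in pfkey_spdump, replacing the two switch blocks … */
	spdump_addr(m_saddr);
	/* … unchanged: ADDRESS_DST NULL check … */
	spdump_addr(m_daddr);
```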
@@ -362,12 +395,13 @@ pfkey_spdump(m)
free(d_xpl);
}
- printf("\tseq=%ld pid=%ld\n",
+ printf("\tspid=%ld seq=%ld pid=%ld\n",
+ (u_long)m_xpl->sadb_x_policy_id,
(u_long)m->sadb_msg_seq,
(u_long)m->sadb_msg_pid);
/* XXX TEST */
- printf("\trefcnt=%d\n", m->sadb_msg_reserved);
+ printf("\trefcnt=%u\n", m->sadb_msg_reserved);
return;
}
@@ -376,35 +410,48 @@ pfkey_spdump(m)
* set "ipaddress" to buffer.
*/
static char *
-_str_ipaddr(family, addr)
- u_int family;
- caddr_t addr;
+str_ipaddr(sa)
+ struct sockaddr *sa;
{
- static char buf[128];
- char addrbuf[128];
+ static char buf[NI_MAXHOST];
+#ifdef NI_WITHSCOPEID
+ const int niflag = NI_NUMERICHOST | NI_WITHSCOPEID;
+#else
+ const int niflag = NI_NUMERICHOST;
+#endif
- if (addr == NULL)
+ if (sa == NULL)
return "";
- inet_ntop(family, addr, addrbuf, sizeof(addrbuf));
-
- snprintf(buf, sizeof(buf), "%s", addrbuf);
-
- return buf;
+ if (getnameinfo(sa, sa->sa_len, buf, sizeof(buf), NULL, 0, niflag) == 0)
+ return buf;
+ return NULL;
}
/*
* set "/prefix[port number]" to buffer.
*/
static char *
-_str_prefport(family, pref, port)
+str_prefport(family, pref, port)
u_int family, pref, port;
{
static char buf[128];
char prefbuf[10];
char portbuf[10];
+ int plen;
+
+ switch (family) {
+ case AF_INET:
+ plen = sizeof(struct in_addr) << 3;
+ break;
+ case AF_INET6:
+ plen = sizeof(struct in6_addr) << 3;
+ break;
+ default:
+ return "?";
+ }
- if (pref == (_INALENBYAF(family) << 3))
+ if (pref == plen)
prefbuf[0] = '\0';
else
snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
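Review bot: str_ipaddr now returns NULL when getnameinfo fails (L2192–L2194), but its callers in pfkey_spdump hand the result straight to a `%s` conversion (L2139), which is undefined behavior for a null pointer; the old version always returned a string. Returning a fixed marker instead, `return "?";`, matches what str_prefport does for an unknown family (L2217) and keeps the dump printable when an address cannot be rendered. str_prefport's body continues past the end of this hunk.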
@@ -412,7 +459,7 @@ _str_prefport(family, pref, port)
if (port == IPSEC_PORT_ANY)
snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
else
- snprintf(portbuf, sizeof(portbuf), "[%u]", ntohs(port));
+ snprintf(portbuf, sizeof(portbuf), "[%u]", port);
snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
@@ -423,7 +470,7 @@ _str_prefport(family, pref, port)
* set "Mon Day Time Year" to buffer
*/
static char *
-_str_time(t)
+str_time(t)
time_t t;
{
static char buf[128];
@@ -443,7 +490,7 @@ _str_time(t)
}
static void
-_str_lifetime_byte(x, str)
+str_lifetime_byte(x, str)
struct sadb_lifetime *x;
char *str;
{
@@ -456,8 +503,24 @@ _str_lifetime_byte(x, str)
return;
}
+#if 0
+ if ((x->sadb_lifetime_bytes) / 1024 / 1024) {
+ y = (x->sadb_lifetime_bytes) * 1.0 / 1024 / 1024;
+ unit = "M";
+ w = 1;
+ } else if ((x->sadb_lifetime_bytes) / 1024) {
+ y = (x->sadb_lifetime_bytes) * 1.0 / 1024;
+ unit = "K";
+ w = 1;
+ } else {
+ y = (x->sadb_lifetime_bytes) * 1.0;
+ unit = "";
+ w = 0;
+ }
+#else
y = (x->sadb_lifetime_bytes) * 1.0;
unit = "";
w = 0;
+#endif
printf("\t%s: %.*f(%sbytes)", str, w, y, unit);
}
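Review bot: The `#if 0` block added to str_lifetime_byte keeps an unused K/M scaling variant in the source next to the live branch; code that may be wanted later is better left to version control, or guarded by a named macro with a one-line comment saying when it applies. str_lifetime_byte's declarations and early return precede this hunk.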
diff --git a/lib/libipsec/policy_parse.y b/lib/libipsec/policy_parse.y
index ffa1a6f8ae8d..e36d7b70ee5a 100644
--- a/lib/libipsec/policy_parse.y
+++ b/lib/libipsec/policy_parse.y
@@ -1,3 +1,6 @@
+/* $FreeBSD$ */
+/* $KAME: policy_parse.y,v 1.10 2000/05/07 05:25:03 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
-/* KAME $Id: policy_parse.y,v 1.1 1999/10/20 01:26:41 sakane Exp $ */
/*
* IN/OUT bound policy configuration take place such below:
@@ -59,24 +59,24 @@
#include <stdlib.h>
#include <stdio.h>
-#include <errno.h>
#include <string.h>
#include <netdb.h>
#include "ipsec_strerror.h"
-#define ATOX(c) \
+#define ATOX(c) \
(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
static caddr_t pbuf = NULL; /* sadb_x_policy buffer */
static int tlen = 0; /* total length of pbuf */
static int offset = 0; /* offset of pbuf */
-static int p_dir, p_type, p_protocol, p_mode, p_level;
+static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
static struct sockaddr *p_src = NULL;
static struct sockaddr *p_dst = NULL;
+struct _val;
extern void yyerror __P((char *msg));
-static struct sockaddr *parse_sockaddr __P((/*struct _val *buf*/));
+static struct sockaddr *parse_sockaddr __P((struct _val *buf));
static int rule_check __P((void));
static int init_x_policy __P((void));
static int set_x_request __P((struct sockaddr *src, struct sockaddr *dst));
@@ -85,8 +85,8 @@ static void policy_parse_request_init __P((void));
static caddr_t policy_parse __P((char *msg, int msglen));
extern void __policy__strbuffer__init__ __P((char *msg));
-extern int yyparse();
-extern int yylex();
+extern int yyparse __P((void));
+extern int yylex __P((void));
%}
@@ -98,12 +98,12 @@ extern int yylex();
} val;
}
-%token DIR ACTION PROTOCOL MODE LEVEL
+%token DIR ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY
%token IPADDRESS
%token ME ANY
%token SLASH HYPHEN
%type <num> DIR ACTION PROTOCOL MODE LEVEL
-%type <val> IPADDRESS
+%type <val> IPADDRESS LEVEL_SPECIFY
%%
policy_spec
@@ -116,6 +116,14 @@ policy_spec
return -1;
}
rules
+ | DIR
+ {
+ p_dir = $1;
+ p_type = 0; /* ignored it by kernel */
+
+ if (init_x_policy())
+ return -1;
+ }
;
rules
@@ -139,11 +147,11 @@ rule
| protocol SLASH mode SLASH SLASH level
| protocol SLASH mode
| protocol SLASH {
- ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
+ __ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
return -1;
}
| protocol {
- ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
+ __ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
return -1;
}
;
@@ -157,7 +165,14 @@ mode
;
level
- : LEVEL { p_level = $1; }
+ : LEVEL {
+ p_level = $1;
+ p_reqid = 0;
+ }
+ | LEVEL_SPECIFY {
+ p_level = IPSEC_LEVEL_UNIQUE;
+ p_reqid = atol($1.buf); /* atol() is good. */
+ }
;
addresses
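Review bot: `p_reqid = atol($1.buf)` in the LEVEL_SPECIFY action accepts any digit run with no range check; the `long` is narrowed into `static int p_reqid` (L2307) and from there into `sadb_x_ipsecrequest_reqid` in set_x_request (L2511), whose width is not visible here, so an oversized id is silently truncated rather than rejected. `strtol` with an `errno == ERANGE` / upper-bound check that sets `__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;` and returns -1 would surface the problem to the caller the way the other actions in this file do. The comment `/* atol() is good. */` does not say why; a comment stating the accepted range of a request id would be more useful.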
@@ -174,13 +189,13 @@ addresses
}
| ME HYPHEN ANY {
if (p_dir != IPSEC_DIR_OUTBOUND) {
- ipsec_errcode = EIPSEC_INVAL_DIR;
+ __ipsec_errcode = EIPSEC_INVAL_DIR;
return -1;
}
}
| ANY HYPHEN ME {
if (p_dir != IPSEC_DIR_INBOUND) {
- ipsec_errcode = EIPSEC_INVAL_DIR;
+ __ipsec_errcode = EIPSEC_INVAL_DIR;
return -1;
}
}
@@ -195,7 +210,10 @@ void
yyerror(msg)
char *msg;
{
- fprintf(stderr, "%s\n", msg);
+ extern char *__libipsecyytext; /*XXX*/
+
+ fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
+ msg, __libipsecyytext);
return;
}
@@ -213,43 +231,29 @@ parse_sockaddr(buf)
hints.ai_family = PF_UNSPEC;
hints.ai_flags = AI_NUMERICHOST;
error = getaddrinfo(buf->buf, serv, &hints, &res);
- if (error != 0 || res->ai_addr == NULL) {
- ipsec_set_strerror(error == EAI_SYSTEM ?
- gai_strerror(error) : strerror(errno));
+ if (error != 0) {
+ yyerror("invalid IP address");
+ __ipsec_set_strerror(gai_strerror(error));
return NULL;
}
if (res->ai_addr == NULL) {
- ipsec_set_strerror(gai_strerror(error));
+ yyerror("invalid IP address");
+ __ipsec_set_strerror(gai_strerror(error));
return NULL;
}
newaddr = malloc(res->ai_addr->sa_len);
if (newaddr == NULL) {
- ipsec_errcode = EIPSEC_NO_BUFS;
+ __ipsec_errcode = EIPSEC_NO_BUFS;
freeaddrinfo(res);
return NULL;
}
memcpy(newaddr, res->ai_addr, res->ai_addr->sa_len);
- /*
- * XXX: If the scope of the destination is link-local,
- * embed the scope-id(in this case, interface index)
- * into the address.
- */
- if (newaddr->sa_family == AF_INET6) {
- struct sockaddr_in6 *sin6;
-
- sin6 = (struct sockaddr_in6 *)newaddr;
- if(IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) &&
- sin6->sin6_scope_id != 0)
- *(u_short *)&sin6->sin6_addr.s6_addr[2] =
- htons(sin6->sin6_scope_id & 0xffff);
- }
-
freeaddrinfo(res);
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return newaddr;
}
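Review bot: The `res->ai_addr == NULL` branch in parse_sockaddr returns without `freeaddrinfo(res)`, leaking the result, and reports `gai_strerror(error)` although `error` is 0 on that path, so the stored message is unrelated to the failure. Replace the message call with `__ipsec_errcode = EIPSEC_INVAL_ADDRESS;` and add `freeaddrinfo(res);` before that `return NULL;`. parse_sockaddr's signature and the getaddrinfo hints setup precede this hunk.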
@@ -258,29 +262,29 @@ rule_check()
{
if (p_type == IPSEC_POLICY_IPSEC) {
if (p_protocol == IPPROTO_IP) {
- ipsec_errcode = EIPSEC_NO_PROTO;
+ __ipsec_errcode = EIPSEC_NO_PROTO;
return -1;
}
if (p_mode != IPSEC_MODE_TRANSPORT
&& p_mode != IPSEC_MODE_TUNNEL) {
- ipsec_errcode = EIPSEC_INVAL_MODE;
+ __ipsec_errcode = EIPSEC_INVAL_MODE;
return -1;
}
if (p_src == NULL && p_dst == NULL) {
if (p_mode != IPSEC_MODE_TRANSPORT) {
- ipsec_errcode = EIPSEC_INVAL_ADDRESS;
+ __ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return -1;
}
}
else if (p_src->sa_family != p_dst->sa_family) {
- ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+ __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
}
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
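Review bot: The `else if (p_src->sa_family != p_dst->sa_family)` test in rule_check dereferences both pointers whenever at least one is non-NULL, so a state with exactly one address set would crash instead of failing cleanly. Whether the grammar can produce that state is not fully visible here (the ME/ANY alternatives in `addresses`, L2382–L2395, do not appear to set either pointer); guarding it is cheap: `else if (p_src == NULL || p_dst == NULL) { __ipsec_errcode = EIPSEC_INVAL_ADDRESS; return -1; }` ahead of the family comparison. rule_check's signature line precedes this hunk.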
@@ -293,7 +297,7 @@ init_x_policy()
pbuf = malloc(tlen);
if (pbuf == NULL) {
- ipsec_errcode = EIPSEC_NO_BUFS;
+ __ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
p = (struct sadb_x_policy *)pbuf;
@@ -304,7 +308,7 @@ init_x_policy()
p->sadb_x_policy_reserved = 0;
offset = tlen;
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -322,7 +326,7 @@ set_x_request(src, dst)
pbuf = realloc(pbuf, tlen);
if (pbuf == NULL) {
- ipsec_errcode = EIPSEC_NO_BUFS;
+ __ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
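Review bot: `pbuf = realloc(pbuf, tlen)` in set_x_request overwrites the only pointer to the existing buffer, so on allocation failure the original policy buffer is leaked and `pbuf` is left NULL for anything that later reads or frees it. The usual form keeps the old pointer valid: `caddr_t nbuf = realloc(pbuf, tlen);` / `if (nbuf == NULL) { __ipsec_errcode = EIPSEC_NO_BUFS; return -1; }` / `pbuf = nbuf;`. Who releases `pbuf` after a failed parse is not visible in this hunk; set_x_request continues past its end.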
@@ -330,12 +334,13 @@ set_x_request(src, dst)
p->sadb_x_ipsecrequest_proto = p_protocol;
p->sadb_x_ipsecrequest_mode = p_mode;
p->sadb_x_ipsecrequest_level = p_level;
+ p->sadb_x_ipsecrequest_reqid = p_reqid;
offset += sizeof(*p);
if (set_sockaddr(src) || set_sockaddr(dst))
return -1;
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -344,7 +349,7 @@ set_sockaddr(addr)
struct sockaddr *addr;
{
if (addr == NULL) {
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -354,7 +359,7 @@ set_sockaddr(addr)
offset += addr->sa_len;
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
@@ -364,6 +369,7 @@ policy_parse_request_init()
p_protocol = IPPROTO_IP;
p_mode = IPSEC_MODE_ANY;
p_level = IPSEC_LEVEL_DEFAULT;
+ p_reqid = 0;
if (p_src != NULL) {
free(p_src);
p_src = NULL;
@@ -401,7 +407,7 @@ policy_parse(msg, msglen)
/* update total length */
((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return pbuf;
}
@@ -415,12 +421,12 @@ ipsec_set_policy(msg, msglen)
policy = policy_parse(msg, msglen);
if (policy == NULL) {
- if (ipsec_errcode == EIPSEC_NO_ERROR)
- ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ if (__ipsec_errcode == EIPSEC_NO_ERROR)
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return NULL;
}
- ipsec_errcode = EIPSEC_NO_ERROR;
+ __ipsec_errcode = EIPSEC_NO_ERROR;
return policy;
}
diff --git a/lib/libipsec/policy_token.l b/lib/libipsec/policy_token.l
index fc11d0982ff2..81d632b41cfa 100644
--- a/lib/libipsec/policy_token.l
+++ b/lib/libipsec/policy_token.l
@@ -1,3 +1,6 @@
+/* $FreeBSD$ */
+/* $KAME: policy_token.l,v 1.9 2000/05/07 05:25:03 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
%{
@@ -46,8 +47,14 @@
#include <unistd.h>
#include <errno.h>
+#ifndef __NetBSD__
#include "y.tab.h"
-#define yylval __libipsecyylval /* XXX */
+#else
+#include "policy_parse.h"
+#endif
+#define yylval __libipsecyylval /* XXX */
+
+int yylex __P((void));
%}
%option noyywrap
@@ -56,7 +63,6 @@
nl \n
ws [ \t]+
digit [0-9]
-letter [0-9A-Za-z]
hexdigit [0-9A-Fa-f]
special [()+\|\?\*,]
dot \.
@@ -79,9 +85,7 @@ decstring {digit}+
hexpair {hexdigit}{hexdigit}
hexstring 0[xX]{hexdigit}+
octetstring {octet}({dot}{octet})+
-ipaddress [a-zA-Z0-9:\._][a-zA-Z0-9:\._]*(%{letter}{letter}+)?
-name {letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))*
-hostname {name}(({dot}{name})+{dot}?)?
+ipaddress [a-zA-Z0-9:\._][a-zA-Z0-9:\._]*(%[a-zA-Z0-9]+)?
%%
@@ -107,12 +111,17 @@ any { return(ANY); }
default { yylval.num = IPSEC_LEVEL_DEFAULT; return(LEVEL); }
use { yylval.num = IPSEC_LEVEL_USE; return(LEVEL); }
require { yylval.num = IPSEC_LEVEL_REQUIRE; return(LEVEL); }
+unique{colon}{decstring} {
+ yylval.val.len = strlen(yytext + 7);
+ yylval.val.buf = yytext + 7;
+ return(LEVEL_SPECIFY);
+ }
unique { yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); }
{slash} { return(SLASH); }
{ipaddress} {
yylval.val.len = strlen(yytext);
- yylval.val.buf = strdup(yytext);
+ yylval.val.buf = yytext;
return(IPADDRESS);
}
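Review bot: `yylval.val.buf = yytext` on the IPADDRESS rule (and `yytext + 7` on LEVEL_SPECIFY) hands the parser a pointer into the scanner's token buffer, which is only valid until the next yylex() call; whether the action that consumes `$1.buf` runs before the parser fetches a lookahead token depends on the grammar state, and the consuming actions are not visible in this hunk. If dropping `strdup` was meant to stop the old copy from leaking, a bounded copy into a buffer owned by the parser would keep both properties. The hard-coded `7` is `strlen("unique:")`; `yytext + sizeof("unique:") - 1` or a named constant would tie it to the pattern it depends on, and a comment on the `val` member of the semantic value stating the pointer's lifetime would make the constraint explicit.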
@@ -123,6 +132,8 @@ unique { yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); }
%%
+void __policy__strbuffer__init__ __P((char *));
+
void
__policy__strbuffer__init__(msg)
char *msg;
diff --git a/lib/libipsec/test-policy.c b/lib/libipsec/test-policy.c
index c8fd72732836..5a4faf5731bc 100644
--- a/lib/libipsec/test-policy.c
+++ b/lib/libipsec/test-policy.c
@@ -1,3 +1,6 @@
+/* $FreeBSD$ */
+/* $KAME: test-policy.c,v 1.13 2000/05/07 05:25:03 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
#include <sys/types.h>
@@ -34,7 +35,6 @@
#include <sys/socket.h>
#include <netinet/in.h>
-#include <netinet6/in6.h>
#include <net/pfkeyv2.h>
#include <netkey/key_debug.h>
#include <netinet6/ipsec.h>
@@ -43,90 +43,115 @@
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
+#include <errno.h>
#include <err.h>
-char *requests[] = {
-"must_error", /* error */
-"in ipsec must_error", /* error */
-"out ipsec esp/must_error", /* error */
-"out discard",
-"out none",
-"in entrust",
-"out entrust",
-"in bypass", /* may be error */
-"out ipsec esp", /* error */
-"in ipsec ah/transport",
-"in ipsec ah/tunnel", /* error */
-"out ipsec ah/transport/",
-"out ipsec ah/tunnel/", /* error */
-"in ipsec esp / transport / 10.0.0.1-10.0.0.2",
-"in ipsec esp/tunnel/::1-::2",
-"in ipsec esp/tunnel/10.0.0.1-::2", /* error */
-"in ipsec esp/tunnel/::1-::2/require",
-"out ipsec ah/transport//use",
-"out ipsec ah/transport esp/use",
-"in ipsec ah/transport esp/tunnel", /* error */
-"in ipsec
+struct req_t {
+ int result; /* expected result; 0:ok 1:ng */
+ char *str;
+} reqs[] = {
+{ 0, "out ipsec" },
+{ 1, "must_error" },
+{ 1, "in ipsec must_error" },
+{ 1, "out ipsec esp/must_error" },
+{ 1, "out discard" },
+{ 1, "out none" },
+{ 0, "in entrust" },
+{ 0, "out entrust" },
+{ 1, "out ipsec esp" },
+{ 0, "in ipsec ah/transport" },
+{ 1, "in ipsec ah/tunnel" },
+{ 0, "out ipsec ah/transport/" },
+{ 1, "out ipsec ah/tunnel/" },
+{ 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" },
+{ 0, "in ipsec esp/tunnel/::1-::2" },
+{ 1, "in ipsec esp/tunnel/10.0.0.1-::2" },
+{ 0, "in ipsec esp/tunnel/::1-::2/require" },
+{ 0, "out ipsec ah/transport//use" },
+{ 1, "out ipsec ah/transport esp/use" },
+{ 1, "in ipsec ah/transport esp/tunnel" },
+{ 0, "in ipsec ah/transport esp/tunnel/::1-::1" },
+{ 0, "in ipsec
ah / transport
- esp / tunnel / ::1-::2",
-"
-out ipsec
-ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
-ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
-ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
-",
-"out ipsec esp/transport/fec0::10-fec0::11/use",
+ esp / tunnel / ::1-::2" },
+{ 0, "out ipsec
+ ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
+ ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
+ ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
+ " },
+{ 0, "out ipsec esp/transport/fec0::10-fec0::11/use" },
};
-int test(char *buf, int family);
+int test1 __P((void));
+int test1sub1 __P((struct req_t *));
+int test1sub2 __P((char *, int));
+int test2 __P((void));
+int test2sub __P((int));
int
main(ac, av)
int ac;
char **av;
{
- int do_setsockopt;
- char *buf;
- int i;
+ test1();
+ test2();
- if (ac != 1)
- do_setsockopt = 1;
- else
- do_setsockopt = 0;
+ exit(0);
+}
- for (i = 0; i < sizeof(requests)/sizeof(requests[0]); i++) {
- printf("*** requests ***\n");
- printf("\t[%s]\n", requests[i]);
+int
+test1()
+{
+ int i;
+ int result;
+
+ printf("TEST1\n");
+ for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) {
+ printf("#%d [%s]\n", i + 1, reqs[i].str);
- buf = ipsec_set_policy(requests[i], strlen(requests[i]));
- if (buf == NULL) {
- printf("ipsec_set_policy: %s\n", ipsec_strerror());
- continue;
+ result = test1sub1(&reqs[i]);
+ if (result == 0 && reqs[i].result == 1) {
+ errx(1, "ERROR: expecting failure.\n");
+ } else if (result == 1 && reqs[i].result == 0) {
+ errx(1, "ERROR: expecting success.\n");
}
+ }
+
+ return 0;
+}
- printf("\tsetlen:%d\n", ipsec_get_policylen(buf));
+int
+test1sub1(req)
+ struct req_t *req;
+{
+ char *buf;
- if (do_setsockopt) {
- printf("\tPF_INET:\n");
- test(buf, PF_INET);
+ buf = ipsec_set_policy(req->str, strlen(req->str));
+ if (buf == NULL) {
+ printf("ipsec_set_policy: %s\n", ipsec_strerror());
+ return 1;
+ }
- printf("\tPF_INET6:\n");
- test(buf, PF_INET6);
- } else {
- kdebug_sadb_x_policy((struct sadb_ext *)buf);
- }
+ if (test1sub2(buf, PF_INET) != 0
+ || test1sub2(buf, PF_INET6) != 0) {
free(buf);
+ return 1;
}
+#if 0
+ kdebug_sadb_x_policy((struct sadb_ext *)buf);
+#endif
+ free(buf);
return 0;
}
int
-test(policy, family)
+test1sub2(policy, family)
char *policy;
int family;
{
- int so, proto, optname;
+ int so;
+ int proto = 0, optname = 0;
int len;
char getbuf[1024];
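Review bot: The `errx(1, "ERROR: expecting failure.\n")` and `errx(1, "ERROR: expecting success.\n")` calls in test1 carry a trailing `\n` although errx appends its own newline, so each failure prints a blank line; the errx calls added further down in this file (test2, test2sub) have the same trailing `\n`. In test1, `int i` is compared against the `size_t` expression `sizeof(reqs)/sizeof(reqs[0])`, which `-Wsign-compare` flags; `size_t i` avoids the warning. test1sub2's body continues past the end of this hunk.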
@@ -145,35 +170,148 @@ test(policy, family)
err(1, "socket");
len = ipsec_get_policylen(policy);
+#if 0
+ printf("\tsetlen:%d\n", len);
+#endif
+
if (setsockopt(so, proto, optname, policy, len) < 0) {
- printf("error on setsockopt");
- goto end;
+ printf("fail to set sockopt; %s\n", strerror(errno));
+ close(so);
+ return 1;
}
- len = sizeof(getbuf);
memset(getbuf, 0, sizeof(getbuf));
+ memcpy(getbuf, policy, sizeof(struct sadb_x_policy));
if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
- printf("error on getsockopt");
- goto end;
+ printf("fail to get sockopt; %s\n", strerror(errno));
+ close(so);
+ return 1;
}
{
char *buf = NULL;
+#if 0
printf("\tgetlen:%d\n", len);
+#endif
if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
printf("%s\n", ipsec_strerror());
- goto end;
- } else {
- printf("\t[%s]\n", buf);
- free(buf);
+ close(so);
+ return 1;
}
+#if 0
+ printf("\t[%s]\n", buf);
+#endif
+ free(buf);
}
- end:
close (so);
+ return 0;
+}
+
+char addr[] = {
+ 28, 28, 0, 0,
+ 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
+ 0, 0, 0, 0,
+};
+
+int
+test2()
+{
+ int so;
+ char *pol1 = "out ipsec";
+ char *pol2 = "out ipsec ah/transport//use";
+ char *sp1, *sp2;
+ int splen1, splen2;
+ int spid;
+ struct sadb_msg *m;
+
+ printf("TEST2\n");
+ if (getuid() != 0)
+ errx(1, "root privilege required.\n");
+
+ sp1 = ipsec_set_policy(pol1, strlen(pol1));
+ splen1 = ipsec_get_policylen(sp1);
+ sp2 = ipsec_set_policy(pol2, strlen(pol2));
+ splen2 = ipsec_get_policylen(sp2);
+
+ if ((so = pfkey_open()) < 0)
+ errx(1, "ERROR: %s\n", ipsec_strerror());
+
+ printf("spdflush()\n");
+ if (pfkey_send_spdflush(so) < 0)
+ errx(1, "ERROR: %s\n", ipsec_strerror());
+ m = pfkey_recv(so);
+ free(m);
+
+ printf("spdsetidx()\n");
+ if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128,
+ (struct sockaddr *)addr, 128,
+ 255, sp1, splen1, 0) < 0)
+ errx(1, "ERROR: %s\n", ipsec_strerror());
+ m = pfkey_recv(so);
+ free(m);
+
+ printf("spdupdate()\n");
+ if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
+ (struct sockaddr *)addr, 128,
+ 255, sp2, splen2, 0) < 0)
+ errx(1, "ERROR: %s\n", ipsec_strerror());
+ m = pfkey_recv(so);
+ free(m);
+
+ printf("spddelete()\n");
+ if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128,
+ (struct sockaddr *)addr, 128,
+ 255, sp1, splen1, 0) < 0)
+ errx(1, "ERROR: %s\n", ipsec_strerror());
+ m = pfkey_recv(so);
+ free(m);
+
+ printf("spdadd()\n");
+ if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128,
+ (struct sockaddr *)addr, 128,
+ 255, sp2, splen2, 0) < 0)
+ errx(1, "ERROR: %s\n", ipsec_strerror());
+ spid = test2sub(so);
+
+ printf("spdget(%u)\n", spid);
+ if (pfkey_send_spdget(so, spid) < 0)
+ errx(1, "ERROR: %s\n", ipsec_strerror());
+ m = pfkey_recv(so);
+ free(m);
+
+ printf("spddelete2()\n");
+ if (pfkey_send_spddelete2(so, spid) < 0)
+ errx(1, "ERROR: %s\n", ipsec_strerror());
+ m = pfkey_recv(so);
+ free(m);
+
+ /* expecting failure */
+ printf("spdupdate()\n");
+ if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
+ (struct sockaddr *)addr, 128,
+ 255, sp2, splen2, 0) == 0) {
+ errx(1, "ERROR: expecting failure.\n");
+ }
return 0;
}
+int
+test2sub(so)
+ int so;
+{
+ struct sadb_msg *msg;
+ caddr_t mhp[SADB_EXT_MAX + 1];
+
+ if ((msg = pfkey_recv(so)) == NULL)
+ errx(1, "ERROR: pfkey_recv failure.\n");
+ if (pfkey_align(msg, mhp) < 0)
+ errx(1, "ERROR: pfkey_align failure.\n");
+
+ return ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id;
+}
+
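Review bot: test2 passes sp1 and sp2 to ipsec_get_policylen and then to the pfkey_send_* calls without checking that ipsec_set_policy returned non-NULL (L2891–L2894), so a policy that fails to parse dereferences NULL while every other failure in the function goes through errx; `if (sp1 == NULL || sp2 == NULL) errx(1, "ERROR: %s", ipsec_strerror());` after the two calls keeps that convention. The `addr[]` table encodes a sockaddr_in6 as raw bytes with the magic `28, 28` for length and family and is then cast from a `char` array to `struct sockaddr *`, which gives no alignment guarantee; a `static struct sockaddr_in6` initialized with `sin6_len = sizeof(struct sockaddr_in6)`, `sin6_family = AF_INET6` and `sin6_addr = in6addr_loopback` states the same thing without the magic numbers. test2 also never closes `so` or frees sp1/sp2, which is harmless in a test driver but worth a one-line comment.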
diff --git a/sbin/setkey/Makefile b/sbin/setkey/Makefile
index e6fbadcdf2aa..8feb0a66e6b5 100644
--- a/sbin/setkey/Makefile
+++ b/sbin/setkey/Makefile
@@ -29,11 +29,18 @@
PROG= setkey
SRCS= setkey.c parse.y token.l
CFLAGS+=-g
+CFLAGS+=-I${.CURDIR}/../../lib/libipsec
DPADD= ${LIBL} ${LIBY}
LDADD= -ll -ly
CLEANFILES+= y.tab.c y.tab.h key_test.o keytest
YFLAGS+=-d
+# libpfkey.
+# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
+.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
+SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
+CFLAGS+=-I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netkey
+
SCRIPTS= scriptdump
BINOWN = root
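Review bot: `CFLAGS+=-I${.CURDIR}/../../lib/libipsec` is added twice in this hunk, on L2980 and again as part of L2989, so the include path is passed to the compiler twice; the first of the two lines can be dropped. The `# libpfkey.` comment block explains the second occurrence, so that is the one to keep.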
diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
index 761c34d6e6d8..0eea4c1faaf2 100644
--- a/sbin/setkey/parse.y
+++ b/sbin/setkey/parse.y
@@ -1,7 +1,10 @@
+/* $FreeBSD$ */
+/* $KAME: parse.y,v 1.29 2000/06/10 14:17:44 sakane Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
-/* KAME $Id: parse.y,v 1.7 1999/10/27 17:08:57 sakane Exp $ */
%{
#include <sys/types.h>
@@ -45,48 +45,52 @@
#include <string.h>
#include <unistd.h>
#include <stdio.h>
+#include <netdb.h>
#include <ctype.h>
#include <errno.h>
-#include <netdb.h>
+#include "libpfkey.h"
#include "vchar.h"
#define ATOX(c) \
(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
-u_int p_type;
-u_int32_t p_spi;
-struct sockaddr *p_src, *p_dst;
-u_int p_prefs, p_prefd, p_upper;
-u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
-u_int p_key_enc_len, p_key_auth_len;
-caddr_t p_key_enc, p_key_auth;
-time_t p_lt_hard, p_lt_soft;
+u_int p_type;
+u_int32_t p_spi;
+struct sockaddr *p_src, *p_dst;
+u_int p_prefs, p_prefd, p_upper;
+u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
+u_int32_t p_reqid;
+u_int p_key_enc_len, p_key_auth_len;
+caddr_t p_key_enc, p_key_auth;
+time_t p_lt_hard, p_lt_soft;
-u_int p_policy_len;
-char *p_policy;
+u_int p_policy_len;
+char *p_policy;
/* temporary buffer */
-static struct sockaddr *pp_addr;
-static u_int pp_prefix;
-static u_int pp_port;
-static caddr_t pp_key;
-
-extern u_char m_buf[BUFSIZ];
-extern int m_len;
-extern char cmdarg[8192];
-extern int f_debug;
-
-int setkeymsg __P((void));
-static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
-void parse_init __P((void));
-void free_buffer __P((void));
-
-extern int setkeymsg __P((void));
-extern int sendkeymsg __P((void));
-
-extern int yylex __P((void));
-extern void yyerror __P((char *));
+static struct sockaddr *pp_addr;
+static u_int pp_prefix;
+static u_int pp_port;
+static caddr_t pp_key;
+
+extern u_char m_buf[BUFSIZ];
+extern int m_len;
+extern char cmdarg[8192];
+extern int f_debug;
+
+int setkeymsg __P((void));
+static struct addrinfo *parse_addr __P((char *, char *, int));
+static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
+void parse_init __P((void));
+void free_buffer __P((void));
+
+extern int setkeymsg __P((void));
+extern int sendkeymsg __P((void));
+
+extern int yylex __P((void));
+extern void yyfatal __P((const char *));
+extern void yyerror __P((const char *));
%}
%union {
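Review bot: `int setkeymsg __P((void));` (L3092) and `extern int setkeymsg __P((void));` (L3098) declare the same function twice in the new prologue, as the old text already did; one of them can go. Most of this hunk is re-indentation of unchanged declarations, which buries the substantive additions (`p_reqid`, `parse_addr`, `yyfatal`, the `const char *` on yyerror) in whitespace noise; keeping formatting changes separate from functional ones would make the history easier to read.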
@@ -96,11 +100,11 @@ extern void yyerror __P((char *));
%token EOT
%token ADD GET DELETE FLUSH DUMP
-%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT PORTANY
+%token ADDRESS PREFIX PORT PORTANY
%token UP_PROTO PR_ESP PR_AH PR_IPCOMP
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
-%token F_MODE MODE
-%token F_EXT EXTENSION
+%token F_MODE MODE F_REQID
+%token F_EXT EXTENSION NOCYCLICSEQ
%token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
%token F_LIFETIME_HARD F_LIFETIME_SOFT
%token DECSTRING QUOTEDSTRING HEXSTRING ANY
@@ -108,6 +112,14 @@ extern void yyerror __P((char *));
%token SPDADD SPDDELETE SPDDUMP SPDFLUSH
%token F_POLICY PL_REQUESTS
+%type <num> PORT PREFIX EXTENSION MODE
+%type <num> UP_PROTO PR_ESP PR_AH PR_IPCOMP
+%type <num> ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
+%type <num> DECSTRING
+%type <val> ADDRESS PL_REQUESTS
+%type <val> key_string policy_requests
+%type <val> QUOTEDSTRING HEXSTRING
+
%%
commands
: /*NOTHING*/
@@ -146,13 +158,23 @@ add_command
/* delete */
delete_command
: DELETE { p_type = SADB_DELETE; }
- sa_selector_spec extension_spec EOT
+ sa_selector_spec extension_spec
+ {
+ if (p_mode != IPSEC_MODE_ANY)
+ yyerror("WARNING: mode is obsoleted.");
+ }
+ EOT
;
/* get command */
get_command
: GET { p_type = SADB_GET; }
- sa_selector_spec extension_spec EOT
+ sa_selector_spec extension_spec
+ {
+ if (p_mode != IPSEC_MODE_ANY)
+ yyerror("WARNING: mode is obsoleted.");
+ }
+ EOT
;
/* flush */
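Review bot: The warning text in the new delete/get actions reads `"WARNING: mode is obsoleted."`; `"WARNING: mode is obsolete."` is the grammatical form. It is also routed through yyerror, and whether yyerror in this program records a parse failure or only prints is not visible here; if it does the former, a mode keyword on delete/get turns what the text calls a warning into an error.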
@@ -179,7 +201,7 @@ protocol_spec
| PR_ESP
{
p_satype = SADB_SATYPE_ESP;
- if ($1.num == 1)
+ if ($1 == 1)
p_ext |= SADB_X_EXT_OLD;
else
p_ext &= ~SADB_X_EXT_OLD;
@@ -187,7 +209,7 @@ protocol_spec
| PR_AH
{
p_satype = SADB_SATYPE_AH;
- if ($1.num == 1)
+ if ($1 == 1)
p_ext |= SADB_X_EXT_OLD;
else
p_ext &= ~SADB_X_EXT_OLD;
@@ -199,18 +221,18 @@ protocol_spec
;
spi
- : DECSTRING { p_spi = $1.num; }
+ : DECSTRING { p_spi = $1; }
| HEXSTRING
{
caddr_t bp;
- caddr_t yp = $1.val.buf;
+ caddr_t yp = $1.buf;
char buf0[4], buf[4];
int i, j;
/* sanity check */
- if ($1.val.len > 4) {
+ if ($1.len > 4) {
yyerror("SPI too big.");
- free($1.val.buf);
+ free($1.buf);
return -1;
}
@@ -223,13 +245,13 @@ spi
/* initialize */
for (i = 0; i < 4; i++) buf[i] = 0;
- for (j = $1.val.len - 1, i = 3; j >= 0; j--, i--)
+ for (j = $1.len - 1, i = 3; j >= 0; j--, i--)
buf[i] = buf0[j];
/* XXX: endian */
p_spi = ntohl(*(u_int32_t *)buf);
- free($1.val.buf);
+ free($1.buf);
}
;
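Review bot: `p_spi = ntohl(*(u_int32_t *)buf);` reads the `char buf[4]` through a `u_int32_t` pointer, which breaks strict aliasing and relies on the array's alignment; the `/* XXX: endian */` comment shows the author was not sure of it either. `memcpy(&p_spi, buf, sizeof(p_spi)); p_spi = ntohl(p_spi);` is well-defined and performs the same conversion on the bytes the loop right-aligns into `buf`. The spi action begins in the previous hunk.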
@@ -249,16 +271,16 @@ ah_spec
;
ipcomp_spec
- : F_COMP ALG_COMP { p_alg_enc = $2.num; }
- | F_COMP ALG_COMP { p_alg_enc = $2.num; }
+ : F_COMP ALG_COMP { p_alg_enc = $2; }
+ | F_COMP ALG_COMP { p_alg_enc = $2; }
F_RAWCPI { p_ext |= SADB_X_EXT_RAWCPI; }
;
enc_alg
- : ALG_ENC { p_alg_enc = $1.num; }
+ : ALG_ENC { p_alg_enc = $1; }
| ALG_ENC_DESDERIV
{
- p_alg_enc = $1.num;
+ p_alg_enc = $1;
if (p_ext & SADB_X_EXT_OLD) {
yyerror("algorithm mismatched.");
return -1;
@@ -267,7 +289,7 @@ enc_alg
}
| ALG_ENC_DES32IV
{
- p_alg_enc = $1.num;
+ p_alg_enc = $1;
if (!(p_ext & SADB_X_EXT_OLD)) {
yyerror("algorithm mismatched.");
return -1;
@@ -286,7 +308,7 @@ enc_key
}
| key_string
{
- p_key_enc_len = $1.val.len;
+ p_key_enc_len = $1.len;
p_key_enc = pp_key;
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
@@ -299,7 +321,7 @@ enc_key
;
auth_alg
- : ALG_AUTH { p_alg_auth = $1.num; }
+ : ALG_AUTH { p_alg_auth = $1; }
;
auth_key
@@ -312,7 +334,7 @@ auth_key
}
| key_string
{
- p_key_auth_len = $1.val.len;
+ p_key_auth_len = $1.len;
p_key_auth = pp_key;
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
@@ -327,20 +349,20 @@ auth_key
key_string
: QUOTEDSTRING
{
- pp_key = $1.val.buf;
+ pp_key = $1.buf;
/* free pp_key later */
}
| HEXSTRING
{
caddr_t bp;
- caddr_t yp = $1.val.buf;
+ caddr_t yp = $1.buf;
- if ((pp_key = malloc($1.val.len)) == 0) {
- free($1.val.buf);
- yyerror(strerror(errno));
+ if ((pp_key = malloc($1.len)) == 0) {
+ free($1.buf);
+ yyerror("not enough core");
return -1;
}
- memset(pp_key, 0, $1.val.len);
+ memset(pp_key, 0, $1.len);
bp = pp_key;
while (*yp) {
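Review bot: The `while (*yp)` loop in the HEXSTRING action consumes two characters per iteration (`yp += 2` at L3285), so a hex string of odd length would read the terminating NUL as its second nibble and then step past it; whether the scanner's HEXSTRING rule guarantees an even count is not visible in this diff. A length check ahead of the loop, `if ($1.len & 1) { yyerror("odd-length hex key"); free($1.buf); return -1; }`, removes the dependency — assuming `$1.len` is the character count of the token, which this hunk does not show. Replacing `strerror(errno)` with `"not enough core"` also drops the errno detail from the allocation-failure message.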
@@ -348,7 +370,7 @@ key_string
yp += 2, bp++;
}
- free($1.val.buf);
+ free($1.buf);
}
;
@@ -358,9 +380,11 @@ extension_spec
;
extension
- : F_EXT EXTENSION { p_ext |= $1.num; }
- | F_MODE MODE { p_mode = $2.num; }
+ : F_EXT EXTENSION { p_ext |= $2; }
+ | F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; }
+ | F_MODE MODE { p_mode = $2; }
| F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
+ | F_REQID DECSTRING { p_reqid = $2; }
| F_REPLAY DECSTRING
{
if (p_ext & SADB_X_EXT_OLD) {
@@ -368,10 +392,10 @@ extension
"only use on new spec.");
return -1;
}
- p_replay = $2.num;
+ p_replay = $2;
}
- | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2.num; }
- | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2.num; }
+ | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
+ | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
;
/* definition about command for SPD management */
@@ -391,7 +415,7 @@ spddelete_command:
p_type = SADB_X_SPDDELETE;
p_satype = SADB_SATYPE_UNSPEC;
}
- sp_selector_spec EOT
+ sp_selector_spec policy_spec EOT
;
spddump_command:
@@ -416,97 +440,107 @@ spdflush_command:
sp_selector_spec
: ipaddress { p_src = pp_addr; }
prefix { p_prefs = pp_prefix; }
- port { _INPORTBYSA(p_src) = htons(pp_port); }
+ port
+ {
+ switch (p_src->sa_family) {
+ case AF_INET:
+ ((struct sockaddr_in *)p_src)->sin_port =
+ htons(pp_port);
+ break;
+#ifdef INET6
+ case AF_INET6:
+ ((struct sockaddr_in6 *)p_src)->sin6_port =
+ htons(pp_port);
+ break;
+#endif
+ default:
+ exit(1); /*XXX*/
+ }
+ }
ipaddress { p_dst = pp_addr; }
prefix { p_prefd = pp_prefix; }
- port { _INPORTBYSA(p_dst) = htons(pp_port); }
+ port
+ {
+ switch (p_dst->sa_family) {
+ case AF_INET:
+ ((struct sockaddr_in *)p_dst)->sin_port =
+ htons(pp_port);
+ break;
+#ifdef INET6
+ case AF_INET6:
+ ((struct sockaddr_in6 *)p_dst)->sin6_port =
+ htons(pp_port);
+ break;
+#endif
+ default:
+ exit(1); /*XXX*/
+ }
+ }
upper_spec
+ {
+ /* XXX is it something userland should check? */
+#if 0
+ switch (p_upper) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ if (_INPORTBYSA(p_src) != IPSEC_PORT_ANY
+ || _INPORTBYSA(p_dst) != IPSEC_PORT_ANY) {
+ yyerror("port number must be \"any\".");
+ return -1;
+ }
+ if ((pp_addr->sa_family == AF_INET6
+ && p_upper == IPPROTO_ICMP)
+ || (pp_addr->sa_family == AF_INET
+ && p_upper == IPPROTO_ICMPV6)) {
+ yyerror("upper layer protocol "
+ "mismatched.\n");
+ return -1;
+ }
+ break;
+ default:
+ break;
+ }
+#endif
+ }
;
ipaddress
- : IP4_ADDRESS
+ : ADDRESS
{
- struct sockaddr_in *in;
- u_int sa_len = $1.val.len;
-
- if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0) {
- yyerror(strerror(errno));
- free($1.val.buf);
- return -1;
- }
- memset((caddr_t)in, 0, sa_len);
-
- in->sin_family = PF_INET;
- in->sin_len = sa_len;
- in->sin_port = IPSEC_PORT_ANY;
- (void)inet_pton(PF_INET, $1.val.buf, &in->sin_addr);
+ struct addrinfo *res;
- pp_addr = (struct sockaddr *)in;
- free($1.val.buf);
- }
- | IP6_ADDRESS
- {
-#ifdef INET6
- struct sockaddr_in6 *in6;
- u_int sa_len = $1.val.len;
- struct addrinfo hints, *res;
- int ret_gai;
-
- if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0) {
- free($1.val.buf);
- yyerror(strerror(errno));
+ res = parse_addr($1.buf, NULL, AI_NUMERICHOST);
+ if (res == NULL) {
+ free($1.buf);
return -1;
}
- memset((caddr_t)in6, 0, sa_len);
-
- bzero(&hints, sizeof(struct addrinfo));
- hints.ai_flags = AI_NUMERICHOST;
- hints.ai_family = AF_INET6;
- ret_gai = getaddrinfo($1.val.buf, NULL, &hints, &res);
- if (ret_gai) {
- free($1.val.buf);
- free(in6);
- yyerror(gai_strerror(ret_gai));
- if (ret_gai == EAI_SYSTEM)
- yyerror(strerror(errno));
- return -1;
+ pp_addr = (struct sockaddr *)malloc(res->ai_addrlen);
+ if (!pp_addr) {
+ yyerror("not enough core");
+ goto end;
}
- (void)memcpy(in6, res->ai_addr, res->ai_addrlen);
-
- /*
- * XXX: If the scope of the destination is link-local,
- * embed the scope-id(in this case, interface index)
- * into the address.
- */
- if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr) &&
- in6->sin6_scope_id != 0)
- *(u_short *)&in6->sin6_addr.s6_addr[2] =
- htons(in6->sin6_scope_id & 0xffff);
+ memcpy(pp_addr, res->ai_addr, res->ai_addrlen);
+ end:
freeaddrinfo(res);
-
- pp_addr = (struct sockaddr *)in6;
-#else
- yyerror("IPv6 address not supported");
-#endif
- free($1.val.buf);
+ free($1.buf);
}
;
prefix
: /*NOTHING*/ { pp_prefix = ~0; }
- | PREFIX { pp_prefix = $1.num; }
+ | PREFIX { pp_prefix = $1; }
;
port
: /*NOTHING*/ { pp_port = IPSEC_PORT_ANY; }
- | PORT { pp_port = $1.num; }
+ | PORT { pp_port = $1; }
| PORTANY { pp_port = IPSEC_PORT_ANY; }
;
upper_spec
- : DECSTRING { p_upper = $1.num; }
- | UP_PROTO { p_upper = $1.num; }
+ : DECSTRING { p_upper = $1; }
+ | UP_PROTO { p_upper = $1; }
| PR_ESP { p_upper = IPPROTO_ESP; };
| PR_AH { p_upper = IPPROTO_AH; };
| PR_IPCOMP { p_upper = IPPROTO_IPCOMP; };
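Review bot: In the new `ipaddress` action, the malloc-failure path does `goto end`, frees `res` and `$1.buf`, and then falls off the end of the action with `pp_addr == NULL` instead of returning -1; the parse continues, `p_src = pp_addr` assigns NULL, and the port action's `switch (p_src->sa_family)` (L3332) dereferences it. Adding `if (pp_addr == NULL) return -1;` after the `free($1.buf);` at L3470 closes that path. The `default: exit(1); /*XXX*/` arms in the two port actions abort the whole program from inside the parser; `yyerror("unsupported address family"); return -1;` would follow the error convention the rest of the grammar uses. The `#if 0` block under upper_spec is dead code and should either be deleted or carry a comment saying why it is kept.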
@@ -516,9 +550,9 @@ upper_spec
policy_spec
: F_POLICY policy_requests
{
- p_policy = ipsec_set_policy($2.val.buf, $2.val.len);
+ p_policy = ipsec_set_policy($2.buf, $2.len);
if (p_policy == NULL) {
- free($2.val.buf);
+ free($2.buf);
p_policy = NULL;
yyerror(ipsec_strerror());
return -1;
@@ -526,13 +560,12 @@ policy_spec
p_policy_len = ipsec_get_policylen(p_policy);
- free($2.val.buf);
+ free($2.buf);
}
;
-policy_requests:
- /*NOTHING*/
- | PL_REQUESTS { $$ = $1; }
+policy_requests
+ : PL_REQUESTS { $$ = $1; }
;
%%
@@ -546,7 +579,6 @@ setkeymsg()
m_msg.sadb_msg_type = p_type;
m_msg.sadb_msg_errno = 0;
m_msg.sadb_msg_satype = p_satype;
- m_msg.sadb_msg_mode = p_mode;
m_msg.sadb_msg_reserved = 0;
m_msg.sadb_msg_seq = 0;
m_msg.sadb_msg_pid = getpid();
@@ -629,6 +661,7 @@ setkeymsg()
case SADB_GET:
{
struct sadb_sa m_sa;
+ struct sadb_x_sa2 m_sa2;
struct sadb_address m_addr;
u_int len;
@@ -645,14 +678,36 @@ setkeymsg()
memcpy(m_buf + m_len, &m_sa, len);
m_len += len;
+ len = sizeof(struct sadb_x_sa2);
+ m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
+ m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+ m_sa2.sadb_x_sa2_mode = p_mode;
+ m_sa2.sadb_x_sa2_reqid = p_reqid;
+
+ memcpy(m_buf + m_len, &m_sa2, len);
+ m_len += len;
+
/* set src */
m_addr.sadb_address_len =
PFKEY_UNIT64(sizeof(m_addr)
+ PFKEY_ALIGN8(p_src->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
- m_addr.sadb_address_prefixlen =
- _INALENBYAF(p_src->sa_family) << 3;
+ switch (p_src->sa_family) {
+ case AF_INET:
+ m_addr.sadb_address_prefixlen =
+ sizeof(struct in_addr) << 3;
+ break;
+#ifdef INET6
+ case AF_INET6:
+ m_addr.sadb_address_prefixlen =
+ sizeof(struct in6_addr) << 3;
+ break;
+#endif
+ default:
+ yyerror("unsupported address family");
+ exit(1); /*XXX*/
+ }
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
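Review bot: `m_sa2` is filled field by field (`len`, `exttype`, `mode`, `reqid`) and then copied wholesale into `m_buf`, so any reserved or padding bytes in `struct sadb_x_sa2` that those four assignments do not cover are sent to the kernel uninitialized from the stack; the struct layout is not in view, but the safe form is `memset(&m_sa2, 0, sizeof(m_sa2));` before the assignments, which is what this same commit does for `m_msg` in test-pfkey.c. The two `memcpy(m_buf + m_len, ...)` calls also have no check that `m_len + len` stays inside `m_buf` (declared `u_char m_buf[BUFSIZ]` in setkey.c); this extension is fixed-size so it cannot overflow on its own, but the same pattern is used for variable-length data in the SPD case further down. setkeymsg() starts and ends outside this hunk.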
@@ -665,8 +720,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_dst->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
- m_addr.sadb_address_prefixlen =
- _INALENBYAF(p_dst->sa_family) << 3;
+ switch (p_dst->sa_family) {
+ case AF_INET:
+ m_addr.sadb_address_prefixlen =
+ sizeof(struct in_addr) << 3;
+ break;
+#ifdef INET6
+ case AF_INET6:
+ m_addr.sadb_address_prefixlen =
+ sizeof(struct in6_addr) << 3;
+ break;
+#endif
+ default:
+ yyerror("unsupported address family");
+ exit(1); /*XXX*/
+ }
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
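Review bot: The address-family switch that sets `m_addr.sadb_address_prefixlen` here is the second of four verbatim copies in setkeymsg() (src and dst for the SA cases, src and dst again for the SPD cases in the following hunks), each ending in the same `exit(1); /*XXX*/`. A small static helper next to parse_addr() would keep the family list and the error handling in one place and make replacing the `exit()` later a one-line change. Each switch then collapses to `m_addr.sadb_address_prefixlen = addr_plen(p_dst);` (or `plen = addr_plen(p_src);` in the SPD cases). setkeymsg() starts and ends outside this hunk.
```c
/*
 * Address width in bits for sa's family, used as the default
 * sadb_address_prefixlen.  Exits on an unsupported family.
 */
static u_int8_t
addr_plen(sa)
	struct sockaddr *sa;
{
	switch (sa->sa_family) {
	case AF_INET:
		return sizeof(struct in_addr) << 3;
#ifdef INET6
	case AF_INET6:
		return sizeof(struct in6_addr) << 3;
#endif
	default:
		yyerror("unsupported address family");
		exit(1);	/*XXX*/
	}
}

/* … unchanged: setkeymsg() up to the dst address of the SADB_GET case … */
		m_addr.sadb_address_prefixlen = addr_plen(p_dst);
		m_addr.sadb_address_reserved = 0;
```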
@@ -681,17 +749,15 @@ setkeymsg()
break;
case SADB_X_SPDADD:
+ case SADB_X_SPDDELETE:
{
+ struct sadb_address m_addr;
+ u_int8_t plen;
+
memcpy(m_buf + m_len, p_policy, p_policy_len);
m_len += p_policy_len;
free(p_policy);
p_policy = NULL;
- }
- /* FALLTHROUGH */
-
- case SADB_X_SPDDELETE:
- {
- struct sadb_address m_addr;
/* set src */
m_addr.sadb_address_len =
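Review bot: `memcpy(m_buf + m_len, p_policy, p_policy_len)` writes a config-sized policy extension into the fixed global `m_buf` (`u_char m_buf[BUFSIZ]` in setkey.c) without checking that `m_len + p_policy_len` fits; `p_policy_len` comes from ipsec_get_policylen() on whatever request list the config file gave to `-P`, so a long enough policy string overruns the buffer, and the two address extensions appended afterwards are not bounded either. A guard before the copy, `if (m_len + p_policy_len > sizeof(m_buf)) { yyerror("policy too long"); return -1; }` (freeing `p_policy` on that path), closes this. With SADB_X_SPDDELETE now sharing the case, the copy also assumes `p_policy` is non-NULL for spddelete; the spddelete grammar rule is outside this view, so if it can be parsed without a policy_spec a NULL check belongs here too. setkeymsg() starts and ends outside this hunk.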
@@ -699,9 +765,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_src->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
m_addr.sadb_address_proto = p_upper;
+ switch (p_src->sa_family) {
+ case AF_INET:
+ plen = sizeof(struct in_addr) << 3;
+ break;
+#ifdef INET6
+ case AF_INET6:
+ plen = sizeof(struct in6_addr) << 3;
+ break;
+#endif
+ default:
+ yyerror("unsupported address family");
+ exit(1); /*XXX*/
+ }
m_addr.sadb_address_prefixlen =
- (p_prefs != ~0 ? p_prefs :
- _INALENBYAF(p_src->sa_family) << 3);
+ (p_prefs != ~0 ? p_prefs : plen);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
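Review bot: `p_prefs` is sent as the selector's prefix length whenever it is not `~0`, but it is never compared with `plen`, so a line such as `10.0.0.0/200` passes an IPv4 prefix longer than the address straight into the 8-bit `sadb_address_prefixlen` field (the PREFIX token lexes up to three digits, so values above 255 are truncated as well). Whether the kernel rejects an oversize prefix is not visible here; rejecting it at parse time is cheap: `if (p_prefs != ~0 && p_prefs > plen) { yyerror("prefix length exceeds address size"); return -1; }`, and the same check applies to `p_prefd` in the next hunk. setkeymsg() starts and ends outside this hunk.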
@@ -714,9 +792,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_dst->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
m_addr.sadb_address_proto = p_upper;
+ switch (p_dst->sa_family) {
+ case AF_INET:
+ plen = sizeof(struct in_addr) << 3;
+ break;
+#ifdef INET6
+ case AF_INET6:
+ plen = sizeof(struct in6_addr) << 3;
+ break;
+#endif
+ default:
+ yyerror("unsupported address family");
+ exit(1); /*XXX*/
+ }
m_addr.sadb_address_prefixlen =
- (p_prefd != ~0 ? p_prefd :
- _INALENBYAF(p_dst->sa_family) << 3);
+ (p_prefd != ~0 ? p_prefd : plen);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@@ -731,6 +821,30 @@ setkeymsg()
return 0;
}
+static struct addrinfo *
+parse_addr(host, port, flag)
+ char *host;
+ char *port;
+ int flag;
+{
+ struct addrinfo hints, *res = NULL;
+ int error;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_flags = flag;
+ error = getaddrinfo(host, port, &hints, &res);
+ if (error != 0) {
+ yyerror(gai_strerror(error));
+ return NULL;
+ }
+ if (res->ai_next != NULL) {
+ yyerror(gai_strerror(error));
+ }
+ return res;
+}
+
static int
setvarbuf(off, ebuf, elen, vbuf, vlen)
caddr_t vbuf;
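Review bot: The `res->ai_next != NULL` branch in parse_addr() reports `gai_strerror(error)` while `error` is 0, so the message describes success, and the function then returns the multi-entry list anyway; the caller in the address rule copies only `res->ai_addr`, so an ambiguous host silently becomes its first address. The branch should reject it: `yyerror("address resolves to more than one entry"); freeaddrinfo(res); return NULL;`. The one visible caller passes AI_NUMERICHOST, which makes this mostly a safety net, but a helper that takes `flag` from its caller should not rely on that.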
@@ -757,11 +871,12 @@ parse_init()
p_upper = 0;
p_satype = 0;
- p_ext = SADB_X_EXT_NONE;
+ p_ext = SADB_X_EXT_CYCSEQ;
p_alg_enc = SADB_EALG_NONE;
p_alg_auth = SADB_AALG_NONE;
p_mode = IPSEC_MODE_ANY;
- p_replay = 4;
+ p_reqid = 0;
+ p_replay = 0;
p_key_enc_len = p_key_auth_len = 0;
p_key_enc = p_key_auth = 0;
p_lt_hard = p_lt_soft = 0;
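Review bot: The new defaults `p_ext = SADB_X_EXT_CYCSEQ` and `p_replay = 0` mean an `add` line that gives neither `-r` nor `-f nocyclic-seq` now installs an SA with no anti-replay window and with sequence-number wrap permitted, whereas the removed lines show the previous default was the opposite on both counts (`SADB_X_EXT_NONE`, `p_replay = 4`). That is a security-relevant default flip and neither the code nor the setkey.8 hunks of this commit say so; the man page entry for `-f nocyclic-seq` only states what the flag disables. A comment on these two lines, `/* defaults: no anti-replay window and sequence-number wrap allowed; -r and -f nocyclic-seq turn the checks on */`, plus a sentence in setkey.8 that cyclic sequence numbers are allowed unless `-f nocyclic-seq` is given, would make the behaviour explicit.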
diff --git a/sbin/setkey/sample.cf b/sbin/setkey/sample.cf
index 886c449a35f1..978289d34a13 100644
--- a/sbin/setkey/sample.cf
+++ b/sbin/setkey/sample.cf
@@ -170,7 +170,7 @@ add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
# Also delete command, you can delete a entry of either SP or SA.
-spddelete out fec0:0:0:1::/64 fec0:0:0:2:/64 any ;
+spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
# By dump command, you can dump all entry of either SP or SA.
@@ -204,7 +204,7 @@ add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ;
-add ::1 ::1 esp 10017 -m transport -f seq-pad -f cyclic-seq -E simple ;
+add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E simple ;
add ::1 ::1 esp 10018 -m transport -E simple ;
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
diff --git a/sbin/setkey/scriptdump.pl b/sbin/setkey/scriptdump.pl
index 5df9b4f4fd7b..aa365449517f 100644
--- a/sbin/setkey/scriptdump.pl
+++ b/sbin/setkey/scriptdump.pl
@@ -20,8 +20,8 @@ open(IN, "setkey -D |") || die;
foreach $_ (<IN>) {
if (/^[^\t]/) {
($src, $dst) = split(/\s+/, $_);
- } elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*replay=(\d+)/) {
- ($proto, $ipsecmode, $spi, $replay) = ($1, $2, $3, $4);
+ } elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*reqid=(\d+)/) {
+ ($proto, $ipsecmode, $spi, $reqid) = ($1, $2, $3, $4);
} elsif (/^\tE: (\S+) (.*)/) {
$ealgo = $1;
$ekey = $2;
@@ -32,17 +32,19 @@ foreach $_ (<IN>) {
$akey = $2;
$akey =~ s/\s//g;
$akey =~ s/^/0x/g;
- } elsif (/^\tstate=/) {
+ } elsif (/^\treplay=(\d+) flags=(0x\d+) state=/) {
print "$mode $src $dst $proto $spi -m $ipsecmode";
- print " -r $replay" if $replay;
+ $replay = $1;
+ print " -u $reqid" if $reqid;
if ($mode eq 'add') {
+ print " -r $replay" if $replay;
if ($proto eq 'esp') {
print " -E $ealgo $ekey" if $ealgo;
print " -A $aalgo $akey" if $aalgo;
} elsif ($proto eq 'ah') {
print " -A $aalgo $akey" if $aalgo;
}
- }
+ }
print ";\n";
$src = $dst = $upper = $proxy = '';
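Review bot: The new match `/^\treplay=(\d+) flags=(0x\d+) state=/` only accepts decimal digits after `0x`, so if the flags field of `setkey -D` output is printed in hex (the `0x` prefix suggests it is), any SA whose flags contain a letter never reaches the print block and silently disappears from the generated script; `flags=(0x[0-9a-fA-F]+)` fixes that. Separately, `$reqid` and `$replay` are not cleared in the per-entry reset (`$src = $dst = $upper = $proxy = ''`), so an entry whose header line fails the `reqid=` match would inherit the previous entry's values; the dump format is not in view, so treat that as something to confirm. The script also emits SA keys in the clear, which is its purpose, so its output must go to a file with restrictive permissions.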
diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8
index ffe1297872e0..4736657c8356 100644
--- a/sbin/setkey/setkey.8
+++ b/sbin/setkey/setkey.8
@@ -1,6 +1,9 @@
+.\" $FreeBSD$
+.\" $KAME: setkey.8,v 1.28 2000/06/16 12:03:46 sakane Exp $
+.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
@@ -12,7 +15,7 @@
.\" 3. Neither the name of the project nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,15 +28,14 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: setkey.8,v 1.14 1999/10/27 17:08:58 sakane Exp $
-.\" $FreeBSD$
-.\"
.Dd May 17, 1998
.Dt SETKEY 8
-.Os
+.Os KAME
+.\"
.Sh NAME
.Nm setkey
-.Nd manually manipulate the SA/SP database.
+.Nd manually manipulate the IPsec SA/SP database.
+.\"
.Sh SYNOPSIS
.Nm setkey
.Op Fl dv
@@ -50,19 +52,20 @@
.Nm setkey
.Op Fl h
.Fl x
-.\"
+.\"
.Sh DESCRIPTION
.Nm
-updates, or lists the content of, Security Association Database (SAD) entries
-in the kernel as well as Security Policy Database (SPD) entries.
+addes, updates, dumpes, or flushes
+Security Association Database (SAD) entries
+as well as Security Policy Database (SPD) entries in the kernel.
.Pp
.Nm
-takes a series of operation from standard input
+takes a series of operations from the standard input
.Po
if invoked with
.Fl c
.Pc
-or file named
+or the file named
.Ar filename
.Po
if invoked with
@@ -75,21 +78,23 @@ If with
.Fl P ,
the SPD entries are dumped.
.It Fl F
-Flush the SAD.
+Flush the SAD entries.
If with
.Fl P ,
-the SPD are flushed.
+the SPD entries are flushed.
.It Fl a
.Nm
-usually do not display dead SAD entries on
+usually does not display dead SAD entries with
.Fl D .
-With
+If with
.Fl a ,
-dead SAD entries will be displayed as well.
-Dead SAD entries are kept in the kernel,
-when they are referenced from any of SPD entries in the kernel.
+the dead SAD entries will be displayed as well.
+A dead SAD entry means that
+it has been expired but remains
+because it is referenced by SPD entries.
.It Fl d
-Enable debugging messages.
+Enable to print debugging messages for command parser,
+without talking to kernel. It is not used usually.
.It Fl x
Loop forever and dump all the messages transmitted to
.Dv PF_KEY
@@ -98,7 +103,6 @@ socket.
Add hexadecimal dump on
.Fl x
mode.
-The order is significant.
.It Fl l
Loop forever with short output on
.Fl D .
@@ -111,10 +115,8 @@ including messages sent from other processes
.Pc .
.El
.Pp
-Operation has the following grammar.
-Note that lines, that start with a
-hashmark ('#') are treated as comment lines.
-Description of meta-arguments follows.
+Operations have the following grammar. Note that lines starting with
+hashmarks ('#') are treated as comment lines.
.Bl -tag -width Ds
.It Xo
.Li add
@@ -123,51 +125,49 @@ Description of meta-arguments follows.
.Ar algorithm...
.Li ;
.Xc
-Add a SAD entry.
+Add an SAD entry.
.\"
.It Xo
.Li get
.Ar src Ar dst Ar protocol Ar spi
-.Op Ar mode
.Li ;
.Xc
-Show a SAD entry.
+Show an SAD entry.
.\"
.It Xo
.Li delete
.Ar src Ar dst Ar protocol Ar spi
-.Op Ar mode
.Li ;
.Xc
-Remove a SAD entry.
+Remove an SAD entry.
.\"
.It Xo
.Li flush
.Op Ar protocol
.Li ;
.Xc
-Clear all SAD entries that matches the options.
+Clear all SAD entries matched by the options.
.\"
.It Xo
.Li dump
.Op Ar protocol
.Li ;
.Xc
-Dumps all SAD entries that matches the options.
+Dumps all SAD entries matched by the options.
.\"
.It Xo
.Li spdadd
.Ar src_range Ar dst_range Ar upperspec Ar policy
.Li ;
.Xc
-Add a SPD entry.
+Add an SPD entry.
.\"
.It Xo
.Li spddelete
-.Ar src_range Ar dst_range Ar upperspec
+.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
.Li ;
.Xc
-Delete a SPD entry.
+Delete an SPD entry.
.\"
.It Xo
.Li spdflush
@@ -215,8 +215,9 @@ IPCOMP
.\"
.Pp
.It Ar spi
-Security Parameter Index (SPI) for the SA and SPD.
+Security Parameter Index (SPI) for the SAD and the SPD.
It must be decimal number or hexadecimal number
+You can not use the set of SPI values in the range 0 through 255.
.Po
with
.Li 0x
@@ -225,30 +226,40 @@ attached
.\"
.Pp
.It Ar extensions
-takes some of the following:
-.Bl -tag -width Fl -compact
+take some of the following:
+.Bl -tag -width Fl -compact
+.\"
.It Fl m Ar mode
-Specify an security protocol mode for use. By default,
-.Li any .
+Specify a security protocol mode for use.
.Ar mode
is one of following:
.Li transport , tunnel
or
.Li any .
+The default value is
+.Li any .
+.\"
.It Fl r Ar size
Specify window size of bytes for replay prevention.
.Ar size
must be decimal number in 32-bit word. If
.Ar size
is zero or not specified, replay check don't take place.
+.\"
+.It Fl u Ar id
+Specify the identifier of policy. See also
+.Xr ipsec_set_policy 3 .
+.\"
.It Fl f Ar pad_option
.Ar pad_option
is one of following:
.Li zero-pad , random-pad
or
.Li seq-pad
-.It Fl f Li cyclic-seq
-Allow cyclic sequence number.
+.\"
+.It Fl f Li nocyclic-seq
+Don't allow cyclic sequence number.
+.\"
.It Fl lh Ar time
.It Fl ls Ar time
Specify hard/soft lifetime.
@@ -256,7 +267,7 @@ Specify hard/soft lifetime.
.\"
.Pp
.It Ar algorithm
-.Bl -tag -width Fl -compact
+.Bl -tag -width Fl -compact
.It Fl E Ar ealgo Ar key
Specify encryption algorithm.
.It Fl A Ar aalgo Ar key
@@ -268,7 +279,7 @@ is used for esp, it will be treated as ESP payload authentication algorithm.
Specify compression algorithm.
If
.Fl R
-is specified with
+is not specified with
.Li ipcomp
line, the kernel will use well-known IPComp CPI
.Pq compression parameter index
@@ -280,7 +291,7 @@ field is only for kernel internal use in this case.
.\"Therefore, compression protocol number will appear on IPComp CPI field.
If
.Fl R
-is not used,
+is used,
the value on
.Ar spi
field will appear on IPComp CPI field on outgoing packets.
@@ -311,7 +322,7 @@ SAs accept
only.
.Pp
.Ar key
-must be double-quoted character string or a series of hexadecimal digits.
+must be double-quoted character string or series of hexadecimal digits.
.Pp
Possible values for
.Ar ealgo ,
@@ -322,7 +333,7 @@ are specified in separate section.
.\"
.It Ar src_range
.It Ar dst_range
-These are selection of the secure communication is specified as
+These are selections of the secure communication specified as
IPv4/v6 address or IPv4/v6 address range, and it may accompany
TCP/UDP port specification.
This takes the following form:
@@ -365,7 +376,7 @@ NOTE:
.Ar upperspec
does not work against forwarding case at this moment,
as it requires extra reassembly at forwarding node
-.Pq not implemented as this moment .
+.Pq not implemented at this moment .
.\"
.It Ar policy
.Ar policy
@@ -427,15 +438,15 @@ is to be one of the following:
or
.Li require .
.Li default
-means kernel consults to the system wide default against protocol you
+means the kernel consults to the system wide default against protocol you
specified, e.g.
.Li esp_trans_deflev
-sysctl variable, when kernel processes the packet.
+sysctl variable, when the kernel processes the packet.
.Li use
-means that kernel use a SA if it's available,
-otherwise kernel keeps normal operation.
+means that the kernel use a SA if it's available,
+otherwise the kernel keeps normal operation.
.Li require
-means SA is required whenever kernel deals with the packet.
+means SA is required whenever the kernel deals with the packet.
Note that
.Dq Li discard
and
@@ -456,7 +467,7 @@ The following list shows the supported algorithms.
and
.Sy algorithm
are almost orthogonal.
-Following are the list of authentication algorithms that can be used as
+Followings are the list of authentication algorithms that can be used as
.Ar aalgo
in
.Fl A Ar aalgo
@@ -477,7 +488,7 @@ keyed-sha1 160 ah: 96bit ICV (no document)
null 0 to 2048 for debugging
.Ed
.Pp
-Following are the list of encryption algorithms that can be used as
+Followings are the list of encryption algorithms that can be used as
.Ar ealgo
in
.Fl E Ar ealgo
@@ -497,7 +508,7 @@ des-deriv 64 ipsec-ciph-des-derived-01 (expired)
3des-deriv 192 no document
.Ed
.Pp
-Following are the list of compression algorithms that can be used as
+Followings are the list of compression algorithms that can be used as
.Ar calgo
in
.Fl C Ar calgo
@@ -510,7 +521,7 @@ algorithm comment
deflate rfc2394
lzs rfc2395
.Ed
-.\"
+.\"
.Sh EXAMPLES
.Bd -literal -offset
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
@@ -533,20 +544,18 @@ spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
.Ed
-.\"
+.\"
.Sh RETURN VALUES
The command exits with 0 on success, and non-zero on errors.
-.\"
+.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
.Xr sysctl 8
-.\"
+.\"
.Sh HISTORY
The
.Nm
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
The command was completely re-designed in June 1998.
-.Pp
-IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
-was initially integrated into
-.Fx 4.0
+.\"
+.\" .Sh BUGS
diff --git a/sbin/setkey/setkey.c b/sbin/setkey/setkey.c
index 73edc3f2bbc2..b1e1c1e3094b 100644
--- a/sbin/setkey/setkey.c
+++ b/sbin/setkey/setkey.c
@@ -1,7 +1,10 @@
+/* $FreeBSD$ */
+/* $KAME: setkey.c,v 1.14 2000/06/10 06:47:09 sakane Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
-/* KAME $Id: setkey.c,v 1.5 1999/10/26 09:39:37 sakane Exp $ */
#include <sys/types.h>
#include <sys/param.h>
@@ -51,40 +51,42 @@
#include <errno.h>
#include <netdb.h>
-void Usage __P((void));
-int main __P((int, char **));
-int get_supported __P((void));
-void sendkeyshort __P((u_int));
-void promisc __P((void));
-int sendkeymsg __P((void));
-int postproc __P((struct sadb_msg *, int));
-const char *numstr __P((int));
-void shortdump_hdr __P((void));
-void shortdump __P((struct sadb_msg *));
+#include "libpfkey.h"
+
+void Usage __P((void));
+int main __P((int, char **));
+int get_supported __P((void));
+void sendkeyshort __P((u_int));
+void promisc __P((void));
+int sendkeymsg __P((void));
+int postproc __P((struct sadb_msg *, int));
+const char *numstr __P((int));
+void shortdump_hdr __P((void));
+void shortdump __P((struct sadb_msg *));
#define MODE_SCRIPT 1
#define MODE_CMDDUMP 2
#define MODE_CMDFLUSH 3
+#define MODE_PROMISC 4
int so;
-int f_forever = 0;
-int f_all = 0;
-int f_debug = 0;
-int f_verbose = 0;
-int f_mode = 0;
-int f_cmddump = 0;
-int f_policy = 0;
-int f_promisc = 0;
-int f_hexdump = 0;
-char *pname;
+int f_forever = 0;
+int f_all = 0;
+int f_debug = 0;
+int f_verbose = 0;
+int f_mode = 0;
+int f_cmddump = 0;
+int f_policy = 0;
+int f_hexdump = 0;
+char *pname;
-u_char m_buf[BUFSIZ];
-u_int m_len;
+u_char m_buf[BUFSIZ];
+u_int m_len;
-extern int lineno;
+extern int lineno;
-extern int parse __P((FILE **));
+extern int parse __P((FILE **));
void
Usage()
@@ -95,7 +97,7 @@ Usage()
printf("\t%s [-Pdv] -F\n", pname);
printf("\t%s [-h] -x\n", pname);
pfkey_close(so);
- exit(0);
+ exit(1);
}
int
@@ -139,9 +141,8 @@ main(ac, av)
f_hexdump = 1;
break;
case 'x':
- f_promisc = 1;
- promisc();
- /*NOTREACHED*/
+ f_mode = MODE_PROMISC;
+ break;
case 'P':
f_policy = 1;
break;
@@ -170,10 +171,15 @@ main(ac, av)
errx(-1, "%s", ipsec_strerror());
/*NOTREACHED*/
}
- parse(&fp);
+ if (parse(&fp))
+ exit (1);
break;
+ case MODE_PROMISC:
+ promisc();
+ /*NOTREACHED*/
default:
Usage();
+ /*NOTREACHED*/
}
exit(0);
@@ -216,7 +222,6 @@ sendkeyshort(type)
m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
- m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
@@ -240,7 +245,6 @@ promisc()
m_msg->sadb_msg_satype = 1;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
- m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
@@ -325,8 +329,10 @@ sendkeymsg()
if (f_forever)
shortdump_hdr();
again:
- if (f_verbose)
+ if (f_verbose) {
kdebug_sadb((struct sadb_msg *)m_buf);
+ printf("\n");
+ }
if ((len = send(so, m_buf, m_len, 0)) < 0) {
perror("send");
@@ -345,8 +351,10 @@ again:
break;
}
- if (f_verbose)
+ if (f_verbose) {
kdebug_sadb((struct sadb_msg *)rbuf);
+ printf("\n");
+ }
if (postproc(msg, len) < 0)
break;
} while (msg->sadb_msg_errno || msg->sadb_msg_seq);
@@ -423,8 +431,10 @@ postproc(msg, len)
pfkey_sadump(msg);
msg = (struct sadb_msg *)((caddr_t)msg +
PFKEY_UNUNIT64(msg->sadb_msg_len));
- if (f_verbose)
+ if (f_verbose) {
kdebug_sadb((struct sadb_msg *)msg);
+ printf("\n");
+ }
break;
case SADB_X_SPDDUMP:
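Review bot: In the verbose branch added here, `kdebug_sadb()` is handed `msg` immediately after it has been advanced by its own `sadb_msg_len`, and nothing in the hunk checks that the new pointer plus a header still lies inside the `len` bytes that postproc() received; a short or malformed reply on the PF_KEY socket would then be decoded past the end of the receive buffer. Since `msg` is the function's parameter, the base is lost by the reassignment; keep it (`struct sadb_msg *base = msg;` at the top) and guard with `if ((caddr_t)msg + sizeof(*msg) > (caddr_t)base + len) break;` before the dump. The SADB_X_SPDDUMP case in the next hunk has the same shape. postproc() starts and ends outside this hunk.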
@@ -432,8 +442,10 @@ postproc(msg, len)
if (msg->sadb_msg_seq == 0) break;
msg = (struct sadb_msg *)((caddr_t)msg +
PFKEY_UNUNIT64(msg->sadb_msg_len));
- if (f_verbose)
+ if (f_verbose) {
kdebug_sadb((struct sadb_msg *)msg);
+ printf("\n");
+ }
break;
}
diff --git a/sbin/setkey/test-pfkey.c b/sbin/setkey/test-pfkey.c
index 849aba355a99..b1fb238c5a41 100644
--- a/sbin/setkey/test-pfkey.c
+++ b/sbin/setkey/test-pfkey.c
@@ -1,7 +1,10 @@
+/* $FreeBSD$ */
+/* $KAME: test-pfkey.c,v 1.4 2000/06/07 00:29:14 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
-/* KAME $Id: test-pfkey.c,v 1.2 1999/10/26 08:09:17 itojun Exp $ */
#include <sys/types.h>
#include <sys/param.h>
@@ -47,23 +47,24 @@
#include <ctype.h>
#include <unistd.h>
#include <errno.h>
-
-u_char m_buf[BUFSIZ];
-u_int m_len;
-char *pname;
-
-void Usage __P((void));
-int sendkeymsg __P((void));
-void key_setsadbmsg __P((u_int));
-void key_setsadbsens __P((void));
-void key_setsadbprop __P((void));
-void key_setsadbid __P((u_int, caddr_t));
-void key_setsadblft __P((u_int, u_int));
-void key_setspirange __P((void));
-void key_setsadbkey __P((u_int, caddr_t));
-void key_setsadbsa __P((void));
-void key_setsadbaddr __P((u_int, u_int, caddr_t));
-void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
+#include <netdb.h>
+
+u_char m_buf[BUFSIZ];
+u_int m_len;
+char *pname;
+
+void Usage __P((void));
+int sendkeymsg __P((void));
+void key_setsadbmsg __P((u_int));
+void key_setsadbsens __P((void));
+void key_setsadbprop __P((void));
+void key_setsadbid __P((u_int, caddr_t));
+void key_setsadblft __P((u_int, u_int));
+void key_setspirange __P((void));
+void key_setsadbkey __P((u_int, caddr_t));
+void key_setsadbsa __P((void));
+void key_setsadbaddr __P((u_int, u_int, caddr_t));
+void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
void
Usage()
@@ -98,6 +99,18 @@ sendkeymsg()
perror("socket(PF_KEY)");
goto end;
}
+#if 0
+ {
+#include <sys/time.h>
+ struct timeval tv;
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
+ if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
+ perror("setsockopt");
+ goto end;
+ }
+ }
+#endif
pfkey_sadump((struct sadb_msg *)m_buf);
@@ -124,11 +137,14 @@ key_setsadbmsg(type)
{
struct sadb_msg m_msg;
+ memset(&m_msg, 0, sizeof(m_msg));
m_msg.sadb_msg_version = PF_KEY_V2;
m_msg.sadb_msg_type = type;
m_msg.sadb_msg_errno = 0;
m_msg.sadb_msg_satype = SADB_SATYPE_ESP;
+#if 0
m_msg.sadb_msg_reserved = 0;
+#endif
m_msg.sadb_msg_seq = 0;
m_msg.sadb_msg_pid = getpid();
@@ -223,6 +239,24 @@ key_setsadbmsg(type)
break;
case SADB_X_SPDADD:
+#if 0
+ {
+ struct sadb_x_policy m_policy;
+
+ m_policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(m_policy));
+ m_policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ m_policy.sadb_x_policy_type = SADB_X_PL_IPSEC;
+ m_policy.sadb_x_policy_esp_trans = 1;
+ m_policy.sadb_x_policy_ah_trans = 2;
+ m_policy.sadb_x_policy_esp_network = 3;
+ m_policy.sadb_x_policy_ah_network = 4;
+ m_policy.sadb_x_policy_reserved = 0;
+
+ memcpy(m_buf + m_len, &m_policy, sizeof(struct sadb_x_policy));
+ m_len += sizeof(struct sadb_x_policy);
+ }
+#endif
+
case SADB_X_SPDDELETE:
key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
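Review bot: With the policy extension disabled under `#if 0`, `case SADB_X_SPDADD:` now falls straight into `case SADB_X_SPDDELETE:` with no `/* FALLTHROUGH */` marker, and the test's SPDADD message is sent without any SADB_X_EXT_POLICY extension, which the kernel will presumably reject; the `#if 0` block itself is dead code whose field names can drift from the real `struct sadb_x_policy` unnoticed. Either drop the disabled block or replace it with a comment such as `/* XXX no SADB_X_EXT_POLICY is sent; SPDADD currently exercises only the address extensions */`, and mark the fallthrough explicitly. key_setsadbmsg() starts and ends outside this hunk.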
@@ -437,32 +471,49 @@ key_setsadbaddr(ext, af, str)
caddr_t str;
{
struct sadb_address m_addr;
- u_char abuf[64];
- struct sockaddr *a = (struct sockaddr *)abuf;
u_int len;
+ struct addrinfo hints, *res;
+ const char *serv;
+ int plen;
+
+ switch (af) {
+ case AF_INET:
+ plen = sizeof(struct in_addr) << 3;
+ break;
+ case AF_INET6:
+ plen = sizeof(struct in6_addr) << 3;
+ break;
+ default:
+ /* XXX bark */
+ exit(1);
+ }
/* make sockaddr buffer */
- memset(abuf, 0, sizeof(abuf));
- a->sa_len = _SALENBYAF(af);
- a->sa_family = af;
- _INPORTBYSA(a) =
- (ext == SADB_EXT_ADDRESS_PROXY ? 0 : htons(0x1234));
- if (inet_pton(af, str, _INADDRBYSA(a)) != 1)
- ; /* XXX do something */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = af;
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+ hints.ai_flags = AI_NUMERICHOST;
+ serv = (ext == SADB_EXT_ADDRESS_PROXY ? "0" : "4660"); /*0x1234*/
+ if (getaddrinfo(str, serv, &hints, &res) != 0 || res->ai_next) {
+ /* XXX bark */
+ exit(1);
+ }
- len = sizeof(struct sadb_address) + PFKEY_ALIGN8(a->sa_len);
+ len = sizeof(struct sadb_address) + PFKEY_ALIGN8(res->ai_addrlen);
m_addr.sadb_address_len = PFKEY_UNIT64(len);
m_addr.sadb_address_exttype = ext;
m_addr.sadb_address_proto =
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : IPPROTO_TCP);
- m_addr.sadb_address_prefixlen = _INALENBYAF(af);
+ m_addr.sadb_address_prefixlen = plen;
m_addr.sadb_address_reserved = 0;
key_setsadbextbuf(m_buf, m_len,
(caddr_t)&m_addr, sizeof(struct sadb_address),
- abuf, a->sa_len);
+ (caddr_t)res->ai_addr, res->ai_addrlen);
m_len += len;
+ freeaddrinfo(res);
+
return;
}
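Review bot: Both failure paths in key_setsadbaddr() end in `/* XXX bark */ exit(1);` and print nothing, so a test run that dies on a bad address or an ambiguous result gives no diagnostic at all. Capture the status, `int error = getaddrinfo(str, serv, &hints, &res);`, and report before exiting, e.g. `fprintf(stderr, "%s: %s\n", (char *)str, error ? gai_strerror(error) : "ambiguous address");` (the unsupported-family branch above deserves the same). The AF_INET6 case here is also unconditional while the matching switches in parse.y are wrapped in `#ifdef INET6`; the test file should follow the same convention if it is meant to build without INET6.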
diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l
index 0154beef4388..8916fdd79ee8 100644
--- a/sbin/setkey/token.l
+++ b/sbin/setkey/token.l
@@ -1,7 +1,10 @@
+/* $FreeBSD$ */
+/* $KAME: token.l,v 1.13 2000/06/07 00:29:14 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
%{
@@ -63,18 +64,19 @@
#define PREPROC DECHO CMDARG
-int lineno = 1;
-char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
+int lineno = 1;
+char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
-extern u_char m_buf[BUFSIZ];
-extern u_int m_len;
-extern int f_debug;
+extern u_char m_buf[BUFSIZ];
+extern u_int m_len;
+extern int f_debug;
-int yylex __P((void));
-void yyerror __P((char *s));
-extern void parse_init __P((void));
-int parse __P((FILE **));
-int yyparse __P((void));
+int yylex __P((void));
+void yyfatal __P((const char *s));
+void yyerror __P((const char *s));
+extern void parse_init __P((void));
+int parse __P((FILE **));
+int yyparse __P((void));
%}
@@ -106,9 +108,7 @@ decstring {digit}+
hexpair {hexdigit}{hexdigit}
hexstring 0[xX]{hexdigit}+
octetstring {octet}({dot}{octet})+
-ipaddress {ipv4addr}|{ipv6addr}
-ipv4addr {digit}{1,3}({dot}{digit}{1,3}){0,3}
-ipv6addr {hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7}(%{letter}{letter}+)?
+ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
ipaddrmask {slash}{digit}{1,3}
ipaddrport {blcl}{decstring}{elcl}
keyword {letter}{letter}+
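Review bot: The new `ipaddress` class `[a-fA-F0-9:]([a-fA-F0-9:\.]*|...)` also matches every `decstring` and dotted `octetstring` token, so for input like `127` or `1.2.3.4` the winner is decided only by which rule comes first in the rules section (the `{decstring}` action precedes `{ipaddress}` there, so a bare decimal is never an address). The old `ipv4addr` rule carried a comment explaining exactly this ambiguity and this commit removes it; please keep a `/* ... */` line above the definition, e.g. `/* overlaps decstring and octetstring: on a tie the earlier rule in the rules section wins */`, so the ordering is not broken by a later edit.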
@@ -186,11 +186,12 @@ lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
{hyphen}m { PREPROC; return(F_MODE); }
transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
+{hyphen}u { PREPROC; return(F_REQID); }
{hyphen}f { PREPROC; return(F_EXT); }
random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
-cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); }
+nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
{hyphen}r { PREPROC; return(F_REPLAY); }
{hyphen}lh { PREPROC; return(F_LIFETIME_HARD); }
{hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); }
@@ -214,35 +215,17 @@ any { PREPROC; return(ANY); }
char *bp;
PREPROC;
- yylval.num = strtol(yytext, &bp, 10);
+ yylval.num = strtoul(yytext, &bp, 10);
return(DECSTRING);
}
-{ipv4addr} {
- /*
- * I can't supprt the type without dot,
- * because it's umbiguous against {decstring}.
- * e.g. 127
- */
+{ipaddress} {
PREPROC;
- yylval.val.len = sizeof(struct sockaddr_in);
+ yylval.val.len = yyleng;
yylval.val.buf = strdup(yytext);
- return(IP4_ADDRESS);
- }
-
-{ipv6addr} {
-#ifdef INET6
- PREPROC;
-
- yylval.val.len = sizeof(struct sockaddr_in6);
- yylval.val.buf = strdup(yytext);
-
- return(IP6_ADDRESS);
-#else
- yyerror("IPv6 address not supported");
-#endif
+ return(ADDRESS);
}
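Review bot: `yylval.num = strtoul(yytext, &bp, 10);` never looks at `bp` (the `{decstring}` pattern already guarantees all digits) and, more importantly, never checks for overflow: strtoul returns ULONG_MAX and sets errno to ERANGE, so an oversized SPI, port or lifetime value silently becomes ULONG_MAX and is then truncated when stored into a narrower message field. Set `errno = 0;` before the call and follow it with `if (errno == ERANGE) yyfatal("number out of range");` (including <errno.h> in the prologue if it is not already). The `{ipaddress}` action below it also leaves the `strdup()` result unchecked; a NULL `buf` would travel into parse_addr().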
{ipaddrmask} {
@@ -263,7 +246,6 @@ any { PREPROC; return(ANY); }
}
{blcl}any{elcl} {
- char *p = yytext;
PREPROC;
return(PORTANY);
}
@@ -294,12 +276,24 @@ any { PREPROC; return(ANY); }
return(QUOTEDSTRING);
}
-. { yyerror("Syntax error"); }
+. {
+ yyfatal("Syntax error");
+ /*NOTREACHED*/
+ }
%%
void
-yyerror(char *s)
+yyfatal(s)
+ const char *s;
+{
+ yyerror(s);
+ exit(1);
+}
+
+void
+yyerror(s)
+ const char *s;
{
printf("line %d: %s at [%s]\n", lineno, s, yytext);
}
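Review bot: yyerror(), and therefore the new yyfatal(), reports via `printf`, so parse diagnostics go to stdout interleaved with the normal output of `setkey -D`/`-x` that scripts such as scriptdump.pl read from the same stream; `fprintf(stderr, "line %d: %s at [%s]\n", lineno, s, yytext);` keeps errors off the data stream and visible when stdout is redirected. Since the `.` rule relies on yyfatal() not returning (`/*NOTREACHED*/`), marking its prototype with the tree's noreturn attribute, if cdefs provides one, would let the compiler check that.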
@@ -319,4 +313,3 @@ parse(fp)
return(0);
}
-
diff --git a/sbin/setkey/vchar.h b/sbin/setkey/vchar.h
index 977f5f0f60d4..f3251c7bfed3 100644
--- a/sbin/setkey/vchar.h
+++ b/sbin/setkey/vchar.h
@@ -1,7 +1,10 @@
+/* $FreeBSD$ */
+/* $KAME: vchar.h,v 1.2 2000/06/07 00:29:14 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,11 +28,9 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
typedef struct {
- u_int len;
- caddr_t buf;
+ u_int len;
+ caddr_t buf;
} vchar_t;
diff --git a/usr.sbin/setkey/Makefile b/usr.sbin/setkey/Makefile
index e6fbadcdf2aa..8feb0a66e6b5 100644
--- a/usr.sbin/setkey/Makefile
+++ b/usr.sbin/setkey/Makefile
@@ -29,11 +29,18 @@
PROG= setkey
SRCS= setkey.c parse.y token.l
CFLAGS+=-g
+CFLAGS+=-I${.CURDIR}/../../lib/libipsec
DPADD= ${LIBL} ${LIBY}
LDADD= -ll -ly
CLEANFILES+= y.tab.c y.tab.h key_test.o keytest
YFLAGS+=-d
+# libpfkey.
+# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
+.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
+SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
+CFLAGS+=-I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netkey
+
SCRIPTS= scriptdump
BINOWN = root
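Review bot: `CFLAGS+=-I${.CURDIR}/../../lib/libipsec` is added twice in this hunk, once at the top and again in the libpfkey stanza together with the `sys/netkey` directory, so the same include path is handed to the compiler twice. Dropping the first addition leaves the stanza's line, which already carries both directories, and avoids the impression that the two lines were meant to differ.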
diff --git a/usr.sbin/setkey/parse.y b/usr.sbin/setkey/parse.y
index 761c34d6e6d8..0eea4c1faaf2 100644
--- a/usr.sbin/setkey/parse.y
+++ b/usr.sbin/setkey/parse.y
@@ -1,7 +1,10 @@
+/* $FreeBSD$ */
+/* $KAME: parse.y,v 1.29 2000/06/10 14:17:44 sakane Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
-/* KAME $Id: parse.y,v 1.7 1999/10/27 17:08:57 sakane Exp $ */
%{
#include <sys/types.h>
@@ -45,48 +45,52 @@
#include <string.h>
#include <unistd.h>
#include <stdio.h>
+#include <netdb.h>
#include <ctype.h>
#include <errno.h>
-#include <netdb.h>
+#include "libpfkey.h"
#include "vchar.h"
#define ATOX(c) \
(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
-u_int p_type;
-u_int32_t p_spi;
-struct sockaddr *p_src, *p_dst;
-u_int p_prefs, p_prefd, p_upper;
-u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
-u_int p_key_enc_len, p_key_auth_len;
-caddr_t p_key_enc, p_key_auth;
-time_t p_lt_hard, p_lt_soft;
+u_int p_type;
+u_int32_t p_spi;
+struct sockaddr *p_src, *p_dst;
+u_int p_prefs, p_prefd, p_upper;
+u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
+u_int32_t p_reqid;
+u_int p_key_enc_len, p_key_auth_len;
+caddr_t p_key_enc, p_key_auth;
+time_t p_lt_hard, p_lt_soft;
-u_int p_policy_len;
-char *p_policy;
+u_int p_policy_len;
+char *p_policy;
/* temporary buffer */
-static struct sockaddr *pp_addr;
-static u_int pp_prefix;
-static u_int pp_port;
-static caddr_t pp_key;
-
-extern u_char m_buf[BUFSIZ];
-extern int m_len;
-extern char cmdarg[8192];
-extern int f_debug;
-
-int setkeymsg __P((void));
-static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
-void parse_init __P((void));
-void free_buffer __P((void));
-
-extern int setkeymsg __P((void));
-extern int sendkeymsg __P((void));
-
-extern int yylex __P((void));
-extern void yyerror __P((char *));
+static struct sockaddr *pp_addr;
+static u_int pp_prefix;
+static u_int pp_port;
+static caddr_t pp_key;
+
+extern u_char m_buf[BUFSIZ];
+extern int m_len;
+extern char cmdarg[8192];
+extern int f_debug;
+
+int setkeymsg __P((void));
+static struct addrinfo *parse_addr __P((char *, char *, int));
+static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
+void parse_init __P((void));
+void free_buffer __P((void));
+
+extern int setkeymsg __P((void));
+extern int sendkeymsg __P((void));
+
+extern int yylex __P((void));
+extern void yyfatal __P((const char *));
+extern void yyerror __P((const char *));
%}
%union {
@@ -96,11 +100,11 @@ extern void yyerror __P((char *));
%token EOT
%token ADD GET DELETE FLUSH DUMP
-%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT PORTANY
+%token ADDRESS PREFIX PORT PORTANY
%token UP_PROTO PR_ESP PR_AH PR_IPCOMP
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
-%token F_MODE MODE
-%token F_EXT EXTENSION
+%token F_MODE MODE F_REQID
+%token F_EXT EXTENSION NOCYCLICSEQ
%token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
%token F_LIFETIME_HARD F_LIFETIME_SOFT
%token DECSTRING QUOTEDSTRING HEXSTRING ANY
@@ -108,6 +112,14 @@ extern void yyerror __P((char *));
%token SPDADD SPDDELETE SPDDUMP SPDFLUSH
%token F_POLICY PL_REQUESTS
+%type <num> PORT PREFIX EXTENSION MODE
+%type <num> UP_PROTO PR_ESP PR_AH PR_IPCOMP
+%type <num> ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
+%type <num> DECSTRING
+%type <val> ADDRESS PL_REQUESTS
+%type <val> key_string policy_requests
+%type <val> QUOTEDSTRING HEXSTRING
+
%%
commands
: /*NOTHING*/
@@ -146,13 +158,23 @@ add_command
/* delete */
delete_command
: DELETE { p_type = SADB_DELETE; }
- sa_selector_spec extension_spec EOT
+ sa_selector_spec extension_spec
+ {
+ if (p_mode != IPSEC_MODE_ANY)
+ yyerror("WARNING: mode is obsoleted.");
+ }
+ EOT
;
/* get command */
get_command
: GET { p_type = SADB_GET; }
- sa_selector_spec extension_spec EOT
+ sa_selector_spec extension_spec
+ {
+ if (p_mode != IPSEC_MODE_ANY)
+ yyerror("WARNING: mode is obsoleted.");
+ }
+ EOT
;
/* flush */
@@ -179,7 +201,7 @@ protocol_spec
| PR_ESP
{
p_satype = SADB_SATYPE_ESP;
- if ($1.num == 1)
+ if ($1 == 1)
p_ext |= SADB_X_EXT_OLD;
else
p_ext &= ~SADB_X_EXT_OLD;
@@ -187,7 +209,7 @@ protocol_spec
| PR_AH
{
p_satype = SADB_SATYPE_AH;
- if ($1.num == 1)
+ if ($1 == 1)
p_ext |= SADB_X_EXT_OLD;
else
p_ext &= ~SADB_X_EXT_OLD;
@@ -199,18 +221,18 @@ protocol_spec
;
spi
- : DECSTRING { p_spi = $1.num; }
+ : DECSTRING { p_spi = $1; }
| HEXSTRING
{
caddr_t bp;
- caddr_t yp = $1.val.buf;
+ caddr_t yp = $1.buf;
char buf0[4], buf[4];
int i, j;
/* sanity check */
- if ($1.val.len > 4) {
+ if ($1.len > 4) {
yyerror("SPI too big.");
- free($1.val.buf);
+ free($1.buf);
return -1;
}
@@ -223,13 +245,13 @@ spi
/* initialize */
for (i = 0; i < 4; i++) buf[i] = 0;
- for (j = $1.val.len - 1, i = 3; j >= 0; j--, i--)
+ for (j = $1.len - 1, i = 3; j >= 0; j--, i--)
buf[i] = buf0[j];
/* XXX: endian */
p_spi = ntohl(*(u_int32_t *)buf);
- free($1.val.buf);
+ free($1.buf);
}
;
@@ -249,16 +271,16 @@ ah_spec
;
ipcomp_spec
- : F_COMP ALG_COMP { p_alg_enc = $2.num; }
- | F_COMP ALG_COMP { p_alg_enc = $2.num; }
+ : F_COMP ALG_COMP { p_alg_enc = $2; }
+ | F_COMP ALG_COMP { p_alg_enc = $2; }
F_RAWCPI { p_ext |= SADB_X_EXT_RAWCPI; }
;
enc_alg
- : ALG_ENC { p_alg_enc = $1.num; }
+ : ALG_ENC { p_alg_enc = $1; }
| ALG_ENC_DESDERIV
{
- p_alg_enc = $1.num;
+ p_alg_enc = $1;
if (p_ext & SADB_X_EXT_OLD) {
yyerror("algorithm mismatched.");
return -1;
@@ -267,7 +289,7 @@ enc_alg
}
| ALG_ENC_DES32IV
{
- p_alg_enc = $1.num;
+ p_alg_enc = $1;
if (!(p_ext & SADB_X_EXT_OLD)) {
yyerror("algorithm mismatched.");
return -1;
@@ -286,7 +308,7 @@ enc_key
}
| key_string
{
- p_key_enc_len = $1.val.len;
+ p_key_enc_len = $1.len;
p_key_enc = pp_key;
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
@@ -299,7 +321,7 @@ enc_key
;
auth_alg
- : ALG_AUTH { p_alg_auth = $1.num; }
+ : ALG_AUTH { p_alg_auth = $1; }
;
auth_key
@@ -312,7 +334,7 @@ auth_key
}
| key_string
{
- p_key_auth_len = $1.val.len;
+ p_key_auth_len = $1.len;
p_key_auth = pp_key;
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
@@ -327,20 +349,20 @@ auth_key
key_string
: QUOTEDSTRING
{
- pp_key = $1.val.buf;
+ pp_key = $1.buf;
/* free pp_key later */
}
| HEXSTRING
{
caddr_t bp;
- caddr_t yp = $1.val.buf;
+ caddr_t yp = $1.buf;
- if ((pp_key = malloc($1.val.len)) == 0) {
- free($1.val.buf);
- yyerror(strerror(errno));
+ if ((pp_key = malloc($1.len)) == 0) {
+ free($1.buf);
+ yyerror("not enough core");
return -1;
}
- memset(pp_key, 0, $1.val.len);
+ memset(pp_key, 0, $1.len);
bp = pp_key;
while (*yp) {
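Review bot: The hex-to-bytes loop at the end of this hunk tests only `*yp` at the top and then advances `yp` by two per output byte, so if the lexer ever admits an odd-length hex string (its `{hexstring}` rule is not in this diff), the last iteration reads `yp[1]` past the NUL terminator and, depending on how `$1.len` is derived from the text, may also write one byte past the `$1.len`-byte `pp_key`. Bounding the loop on both sides costs one line: `while (yp[0] && yp[1] && bp < pp_key + $1.len) {`. Key material also deserves a note that the hex text in `$1.buf` is freed without being cleared, so a copy of the key outlives the action in freed heap; `memset($1.buf, 0, strlen($1.buf))` before `free($1.buf)` would be the cheap mitigation. The loop body continues into the next hunk.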
@@ -348,7 +370,7 @@ key_string
yp += 2, bp++;
}
- free($1.val.buf);
+ free($1.buf);
}
;
@@ -358,9 +380,11 @@ extension_spec
;
extension
- : F_EXT EXTENSION { p_ext |= $1.num; }
- | F_MODE MODE { p_mode = $2.num; }
+ : F_EXT EXTENSION { p_ext |= $2; }
+ | F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; }
+ | F_MODE MODE { p_mode = $2; }
| F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
+ | F_REQID DECSTRING { p_reqid = $2; }
| F_REPLAY DECSTRING
{
if (p_ext & SADB_X_EXT_OLD) {
@@ -368,10 +392,10 @@ extension
"only use on new spec.");
return -1;
}
- p_replay = $2.num;
+ p_replay = $2;
}
- | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2.num; }
- | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2.num; }
+ | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
+ | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
;
/* definition about command for SPD management */
@@ -391,7 +415,7 @@ spddelete_command:
p_type = SADB_X_SPDDELETE;
p_satype = SADB_SATYPE_UNSPEC;
}
- sp_selector_spec EOT
+ sp_selector_spec policy_spec EOT
;
spddump_command:
@@ -416,97 +440,107 @@ spdflush_command:
sp_selector_spec
: ipaddress { p_src = pp_addr; }
prefix { p_prefs = pp_prefix; }
- port { _INPORTBYSA(p_src) = htons(pp_port); }
+ port
+ {
+ switch (p_src->sa_family) {
+ case AF_INET:
+ ((struct sockaddr_in *)p_src)->sin_port =
+ htons(pp_port);
+ break;
+#ifdef INET6
+ case AF_INET6:
+ ((struct sockaddr_in6 *)p_src)->sin6_port =
+ htons(pp_port);
+ break;
+#endif
+ default:
+ exit(1); /*XXX*/
+ }
+ }
ipaddress { p_dst = pp_addr; }
prefix { p_prefd = pp_prefix; }
- port { _INPORTBYSA(p_dst) = htons(pp_port); }
+ port
+ {
+ switch (p_dst->sa_family) {
+ case AF_INET:
+ ((struct sockaddr_in *)p_dst)->sin_port =
+ htons(pp_port);
+ break;
+#ifdef INET6
+ case AF_INET6:
+ ((struct sockaddr_in6 *)p_dst)->sin6_port =
+ htons(pp_port);
+ break;
+#endif
+ default:
+ exit(1); /*XXX*/
+ }
+ }
upper_spec
+ {
+ /* XXX is it something userland should check? */
+#if 0
+ switch (p_upper) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ if (_INPORTBYSA(p_src) != IPSEC_PORT_ANY
+ || _INPORTBYSA(p_dst) != IPSEC_PORT_ANY) {
+ yyerror("port number must be \"any\".");
+ return -1;
+ }
+ if ((pp_addr->sa_family == AF_INET6
+ && p_upper == IPPROTO_ICMP)
+ || (pp_addr->sa_family == AF_INET
+ && p_upper == IPPROTO_ICMPV6)) {
+ yyerror("upper layer protocol "
+ "mismatched.\n");
+ return -1;
+ }
+ break;
+ default:
+ break;
+ }
+#endif
+ }
;
ipaddress
- : IP4_ADDRESS
+ : ADDRESS
{
- struct sockaddr_in *in;
- u_int sa_len = $1.val.len;
-
- if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0) {
- yyerror(strerror(errno));
- free($1.val.buf);
- return -1;
- }
- memset((caddr_t)in, 0, sa_len);
-
- in->sin_family = PF_INET;
- in->sin_len = sa_len;
- in->sin_port = IPSEC_PORT_ANY;
- (void)inet_pton(PF_INET, $1.val.buf, &in->sin_addr);
+ struct addrinfo *res;
- pp_addr = (struct sockaddr *)in;
- free($1.val.buf);
- }
- | IP6_ADDRESS
- {
-#ifdef INET6
- struct sockaddr_in6 *in6;
- u_int sa_len = $1.val.len;
- struct addrinfo hints, *res;
- int ret_gai;
-
- if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0) {
- free($1.val.buf);
- yyerror(strerror(errno));
+ res = parse_addr($1.buf, NULL, AI_NUMERICHOST);
+ if (res == NULL) {
+ free($1.buf);
return -1;
}
- memset((caddr_t)in6, 0, sa_len);
-
- bzero(&hints, sizeof(struct addrinfo));
- hints.ai_flags = AI_NUMERICHOST;
- hints.ai_family = AF_INET6;
- ret_gai = getaddrinfo($1.val.buf, NULL, &hints, &res);
- if (ret_gai) {
- free($1.val.buf);
- free(in6);
- yyerror(gai_strerror(ret_gai));
- if (ret_gai == EAI_SYSTEM)
- yyerror(strerror(errno));
- return -1;
+ pp_addr = (struct sockaddr *)malloc(res->ai_addrlen);
+ if (!pp_addr) {
+ yyerror("not enough core");
+ goto end;
}
- (void)memcpy(in6, res->ai_addr, res->ai_addrlen);
-
- /*
- * XXX: If the scope of the destination is link-local,
- * embed the scope-id(in this case, interface index)
- * into the address.
- */
- if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr) &&
- in6->sin6_scope_id != 0)
- *(u_short *)&in6->sin6_addr.s6_addr[2] =
- htons(in6->sin6_scope_id & 0xffff);
+ memcpy(pp_addr, res->ai_addr, res->ai_addrlen);
+ end:
freeaddrinfo(res);
-
- pp_addr = (struct sockaddr *)in6;
-#else
- yyerror("IPv6 address not supported");
-#endif
- free($1.val.buf);
+ free($1.buf);
}
;
prefix
: /*NOTHING*/ { pp_prefix = ~0; }
- | PREFIX { pp_prefix = $1.num; }
+ | PREFIX { pp_prefix = $1; }
;
port
: /*NOTHING*/ { pp_port = IPSEC_PORT_ANY; }
- | PORT { pp_port = $1.num; }
+ | PORT { pp_port = $1; }
| PORTANY { pp_port = IPSEC_PORT_ANY; }
;
upper_spec
- : DECSTRING { p_upper = $1.num; }
- | UP_PROTO { p_upper = $1.num; }
+ : DECSTRING { p_upper = $1; }
+ | UP_PROTO { p_upper = $1; }
| PR_ESP { p_upper = IPPROTO_ESP; };
| PR_AH { p_upper = IPPROTO_AH; };
| PR_IPCOMP { p_upper = IPPROTO_IPCOMP; };
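Review bot: In the ipaddress action, the malloc() failure path reports `not enough core` and jumps to `end:`, but the action then completes normally with `pp_addr == NULL`; the following `{ p_src = pp_addr; }` (or `p_dst`) and the port action's `switch (p_src->sa_family)` dereference that NULL pointer. The failure branch needs to bail out after cleanup, i.e. replace `goto end;` with `freeaddrinfo(res); free($1.buf); return -1;` and let only the success path reach the shared cleanup. The two `default: exit(1); /*XXX*/` arms in the port actions also terminate without any message; `yyerror("unsupported address family"); return -1;` would match how the SADB_ADD path later in this file reports the same condition.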
@@ -516,9 +550,9 @@ upper_spec
policy_spec
: F_POLICY policy_requests
{
- p_policy = ipsec_set_policy($2.val.buf, $2.val.len);
+ p_policy = ipsec_set_policy($2.buf, $2.len);
if (p_policy == NULL) {
- free($2.val.buf);
+ free($2.buf);
p_policy = NULL;
yyerror(ipsec_strerror());
return -1;
@@ -526,13 +560,12 @@ policy_spec
p_policy_len = ipsec_get_policylen(p_policy);
- free($2.val.buf);
+ free($2.buf);
}
;
-policy_requests:
- /*NOTHING*/
- | PL_REQUESTS { $$ = $1; }
+policy_requests
+ : PL_REQUESTS { $$ = $1; }
;
%%
@@ -546,7 +579,6 @@ setkeymsg()
m_msg.sadb_msg_type = p_type;
m_msg.sadb_msg_errno = 0;
m_msg.sadb_msg_satype = p_satype;
- m_msg.sadb_msg_mode = p_mode;
m_msg.sadb_msg_reserved = 0;
m_msg.sadb_msg_seq = 0;
m_msg.sadb_msg_pid = getpid();
@@ -629,6 +661,7 @@ setkeymsg()
case SADB_GET:
{
struct sadb_sa m_sa;
+ struct sadb_x_sa2 m_sa2;
struct sadb_address m_addr;
u_int len;
@@ -645,14 +678,36 @@ setkeymsg()
memcpy(m_buf + m_len, &m_sa, len);
m_len += len;
+ len = sizeof(struct sadb_x_sa2);
+ m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
+ m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+ m_sa2.sadb_x_sa2_mode = p_mode;
+ m_sa2.sadb_x_sa2_reqid = p_reqid;
+
+ memcpy(m_buf + m_len, &m_sa2, len);
+ m_len += len;
+
/* set src */
m_addr.sadb_address_len =
PFKEY_UNIT64(sizeof(m_addr)
+ PFKEY_ALIGN8(p_src->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
- m_addr.sadb_address_prefixlen =
- _INALENBYAF(p_src->sa_family) << 3;
+ switch (p_src->sa_family) {
+ case AF_INET:
+ m_addr.sadb_address_prefixlen =
+ sizeof(struct in_addr) << 3;
+ break;
+#ifdef INET6
+ case AF_INET6:
+ m_addr.sadb_address_prefixlen =
+ sizeof(struct in6_addr) << 3;
+ break;
+#endif
+ default:
+ yyerror("unsupported address family");
+ exit(1); /*XXX*/
+ }
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
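Review bot: `m_sa2` is an automatic struct of which only the len, exttype, mode and reqid members are assigned before the full `sizeof(struct sadb_x_sa2)` is memcpy'd into the message, so any other members of the extension (PF_KEY extension headers carry reserved fields, and later KAME definitions of sadb_x_sa2 also carry a sequence field; the header is not in this diff) reach the kernel as uninitialized stack bytes. A `memset(&m_sa2, 0, sizeof(m_sa2));` before the assignments closes that gap, consistent with the explicit `m_addr.sadb_address_reserved = 0` just below. The new copy into `m_buf` is also unchecked against BUFSIZ, as the existing `m_sa` copy above it already is. setkeymsg() starts and ends outside this hunk.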
@@ -665,8 +720,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_dst->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
- m_addr.sadb_address_prefixlen =
- _INALENBYAF(p_dst->sa_family) << 3;
+ switch (p_dst->sa_family) {
+ case AF_INET:
+ m_addr.sadb_address_prefixlen =
+ sizeof(struct in_addr) << 3;
+ break;
+#ifdef INET6
+ case AF_INET6:
+ m_addr.sadb_address_prefixlen =
+ sizeof(struct in6_addr) << 3;
+ break;
+#endif
+ default:
+ yyerror("unsupported address family");
+ exit(1); /*XXX*/
+ }
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@@ -681,17 +749,15 @@ setkeymsg()
break;
case SADB_X_SPDADD:
+ case SADB_X_SPDDELETE:
{
+ struct sadb_address m_addr;
+ u_int8_t plen;
+
memcpy(m_buf + m_len, p_policy, p_policy_len);
m_len += p_policy_len;
free(p_policy);
p_policy = NULL;
- }
- /* FALLTHROUGH */
-
- case SADB_X_SPDDELETE:
- {
- struct sadb_address m_addr;
/* set src */
m_addr.sadb_address_len =
@@ -699,9 +765,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_src->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
m_addr.sadb_address_proto = p_upper;
+ switch (p_src->sa_family) {
+ case AF_INET:
+ plen = sizeof(struct in_addr) << 3;
+ break;
+#ifdef INET6
+ case AF_INET6:
+ plen = sizeof(struct in6_addr) << 3;
+ break;
+#endif
+ default:
+ yyerror("unsupported address family");
+ exit(1); /*XXX*/
+ }
m_addr.sadb_address_prefixlen =
- (p_prefs != ~0 ? p_prefs :
- _INALENBYAF(p_src->sa_family) << 3);
+ (p_prefs != ~0 ? p_prefs : plen);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
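Review bot: `p_prefs` is the user-supplied `/N` value as a u_int, but it is stored into `sadb_address_prefixlen`, an 8-bit PF_KEY field (the new `u_int8_t plen` shows the width), without any comparison against the address family: unless the PREFIX lexer rule bounds it (not in this diff), a value above 255 is silently truncated modulo 256 and anything between `plen` and 255, such as `/64` on an IPv4 selector, is handed to the kernel as-is, so a typo changes which traffic the policy matches instead of being rejected. A check after `plen` is computed, `if (p_prefs != ~0 && p_prefs > plen) { yyerror("prefix length too long"); return -1; }`, rejects it at parse time, assuming setkeymsg()'s non-zero return is acted on by its caller (outside this hunk); the dst block in the next hunk needs the same for `p_prefd`. setkeymsg() starts and ends outside this hunk.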
@@ -714,9 +792,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_dst->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
m_addr.sadb_address_proto = p_upper;
+ switch (p_dst->sa_family) {
+ case AF_INET:
+ plen = sizeof(struct in_addr) << 3;
+ break;
+#ifdef INET6
+ case AF_INET6:
+ plen = sizeof(struct in6_addr) << 3;
+ break;
+#endif
+ default:
+ yyerror("unsupported address family");
+ exit(1); /*XXX*/
+ }
m_addr.sadb_address_prefixlen =
- (p_prefd != ~0 ? p_prefd :
- _INALENBYAF(p_dst->sa_family) << 3);
+ (p_prefd != ~0 ? p_prefd : plen);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@@ -731,6 +821,30 @@ setkeymsg()
return 0;
}
+static struct addrinfo *
+parse_addr(host, port, flag)
+ char *host;
+ char *port;
+ int flag;
+{
+ struct addrinfo hints, *res = NULL;
+ int error;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_flags = flag;
+ error = getaddrinfo(host, port, &hints, &res);
+ if (error != 0) {
+ yyerror(gai_strerror(error));
+ return NULL;
+ }
+ if (res->ai_next != NULL) {
+ yyerror(gai_strerror(error));
+ }
+ return res;
+}
+
static int
setvarbuf(off, ebuf, elen, vbuf, vlen)
caddr_t vbuf;
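Review bot: The `res->ai_next != NULL` branch in parse_addr() calls `gai_strerror(error)` with `error == 0`, since getaddrinfo() has just succeeded, so the message printed is a meaningless "success" string, and the function then returns the first entry anyway, silently choosing one of several candidate addresses for a policy selector. With AI_NUMERICHOST passed by the only caller this should not trigger today, but the intent should be explicit: for a policy tool the safer choice is to reject it with `yyerror("address is ambiguous"); freeaddrinfo(res); return NULL;`. `hints.ai_family = PF_UNSPEC` should also read `AF_UNSPEC`; the values coincide, but `ai_family` takes address-family constants.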
@@ -757,11 +871,12 @@ parse_init()
p_upper = 0;
p_satype = 0;
- p_ext = SADB_X_EXT_NONE;
+ p_ext = SADB_X_EXT_CYCSEQ;
p_alg_enc = SADB_EALG_NONE;
p_alg_auth = SADB_AALG_NONE;
p_mode = IPSEC_MODE_ANY;
- p_replay = 4;
+ p_reqid = 0;
+ p_replay = 0;
p_key_enc_len = p_key_auth_len = 0;
p_key_enc = p_key_auth = 0;
p_lt_hard = p_lt_soft = 0;
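Review bot: The new defaults change the security posture of manually keyed SAs without a comment saying so: `p_replay` drops from 4 to 0, which per the setkey.8 text in this same diff means no replay check unless `-r` is given, and `p_ext` now starts with SADB_X_EXT_CYCSEQ, so sequence-number wrap is permitted unless `-f nocyclic-seq` is given. Both are defensible for manual keying, but a reader of parse_init() cannot tell they are deliberate; a comment such as `/* manual SAs: no anti-replay window and cyclic sequence numbers unless -r / -f nocyclic-seq override */` above these two lines would record it. parse_init() continues past the end of this hunk.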
diff --git a/usr.sbin/setkey/sample.cf b/usr.sbin/setkey/sample.cf
index 886c449a35f1..978289d34a13 100644
--- a/usr.sbin/setkey/sample.cf
+++ b/usr.sbin/setkey/sample.cf
@@ -170,7 +170,7 @@ add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
# Also delete command, you can delete a entry of either SP or SA.
-spddelete out fec0:0:0:1::/64 fec0:0:0:2:/64 any ;
+spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
# By dump command, you can dump all entry of either SP or SA.
@@ -204,7 +204,7 @@ add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ;
-add ::1 ::1 esp 10017 -m transport -f seq-pad -f cyclic-seq -E simple ;
+add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E simple ;
add ::1 ::1 esp 10018 -m transport -E simple ;
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
diff --git a/usr.sbin/setkey/scriptdump.pl b/usr.sbin/setkey/scriptdump.pl
index 5df9b4f4fd7b..aa365449517f 100644
--- a/usr.sbin/setkey/scriptdump.pl
+++ b/usr.sbin/setkey/scriptdump.pl
@@ -20,8 +20,8 @@ open(IN, "setkey -D |") || die;
foreach $_ (<IN>) {
if (/^[^\t]/) {
($src, $dst) = split(/\s+/, $_);
- } elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*replay=(\d+)/) {
- ($proto, $ipsecmode, $spi, $replay) = ($1, $2, $3, $4);
+ } elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*reqid=(\d+)/) {
+ ($proto, $ipsecmode, $spi, $reqid) = ($1, $2, $3, $4);
} elsif (/^\tE: (\S+) (.*)/) {
$ealgo = $1;
$ekey = $2;
@@ -32,17 +32,19 @@ foreach $_ (<IN>) {
$akey = $2;
$akey =~ s/\s//g;
$akey =~ s/^/0x/g;
- } elsif (/^\tstate=/) {
+ } elsif (/^\treplay=(\d+) flags=(0x\d+) state=/) {
print "$mode $src $dst $proto $spi -m $ipsecmode";
- print " -r $replay" if $replay;
+ $replay = $1;
+ print " -u $reqid" if $reqid;
if ($mode eq 'add') {
+ print " -r $replay" if $replay;
if ($proto eq 'esp') {
print " -E $ealgo $ekey" if $ealgo;
print " -A $aalgo $akey" if $aalgo;
} elsif ($proto eq 'ah') {
print " -A $aalgo $akey" if $aalgo;
}
- }
+ }
print ";\n";
$src = $dst = $upper = $proxy = '';
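Review bot: The new trigger pattern `/^\treplay=(\d+) flags=(0x\d+) state=/` accepts only decimal digits after `0x`, so if flags are printed in hexadecimal (as the `0x` prefix suggests) any SA whose flags value contains a letter, e.g. `0x1a`, never matches and is silently dropped from the regenerated script, which is precisely the SA with a non-default flag set. `(0x[0-9a-fA-F]+)` fixes it, or `(0x\S+)` since the captured value is never used. The regenerated script also embeds the raw keys in plain text, which is inherent to the tool but worth a warning line in the generated output header.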
diff --git a/usr.sbin/setkey/setkey.8 b/usr.sbin/setkey/setkey.8
index ffe1297872e0..4736657c8356 100644
--- a/usr.sbin/setkey/setkey.8
+++ b/usr.sbin/setkey/setkey.8
@@ -1,6 +1,9 @@
+.\" $FreeBSD$
+.\" $KAME: setkey.8,v 1.28 2000/06/16 12:03:46 sakane Exp $
+.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
@@ -12,7 +15,7 @@
.\" 3. Neither the name of the project nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,15 +28,14 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: setkey.8,v 1.14 1999/10/27 17:08:58 sakane Exp $
-.\" $FreeBSD$
-.\"
.Dd May 17, 1998
.Dt SETKEY 8
-.Os
+.Os KAME
+.\"
.Sh NAME
.Nm setkey
-.Nd manually manipulate the SA/SP database.
+.Nd manually manipulate the IPsec SA/SP database.
+.\"
.Sh SYNOPSIS
.Nm setkey
.Op Fl dv
@@ -50,19 +52,20 @@
.Nm setkey
.Op Fl h
.Fl x
-.\"
+.\"
.Sh DESCRIPTION
.Nm
-updates, or lists the content of, Security Association Database (SAD) entries
-in the kernel as well as Security Policy Database (SPD) entries.
+addes, updates, dumpes, or flushes
+Security Association Database (SAD) entries
+as well as Security Policy Database (SPD) entries in the kernel.
.Pp
.Nm
-takes a series of operation from standard input
+takes a series of operations from the standard input
.Po
if invoked with
.Fl c
.Pc
-or file named
+or the file named
.Ar filename
.Po
if invoked with
@@ -75,21 +78,23 @@ If with
.Fl P ,
the SPD entries are dumped.
.It Fl F
-Flush the SAD.
+Flush the SAD entries.
If with
.Fl P ,
-the SPD are flushed.
+the SPD entries are flushed.
.It Fl a
.Nm
-usually do not display dead SAD entries on
+usually does not display dead SAD entries with
.Fl D .
-With
+If with
.Fl a ,
-dead SAD entries will be displayed as well.
-Dead SAD entries are kept in the kernel,
-when they are referenced from any of SPD entries in the kernel.
+the dead SAD entries will be displayed as well.
+A dead SAD entry means that
+it has been expired but remains
+because it is referenced by SPD entries.
.It Fl d
-Enable debugging messages.
+Enable to print debugging messages for command parser,
+without talking to kernel. It is not used usually.
.It Fl x
Loop forever and dump all the messages transmitted to
.Dv PF_KEY
@@ -98,7 +103,6 @@ socket.
Add hexadecimal dump on
.Fl x
mode.
-The order is significant.
.It Fl l
Loop forever with short output on
.Fl D .
@@ -111,10 +115,8 @@ including messages sent from other processes
.Pc .
.El
.Pp
-Operation has the following grammar.
-Note that lines, that start with a
-hashmark ('#') are treated as comment lines.
-Description of meta-arguments follows.
+Operations have the following grammar. Note that lines starting with
+hashmarks ('#') are treated as comment lines.
.Bl -tag -width Ds
.It Xo
.Li add
@@ -123,51 +125,49 @@ Description of meta-arguments follows.
.Ar algorithm...
.Li ;
.Xc
-Add a SAD entry.
+Add an SAD entry.
.\"
.It Xo
.Li get
.Ar src Ar dst Ar protocol Ar spi
-.Op Ar mode
.Li ;
.Xc
-Show a SAD entry.
+Show an SAD entry.
.\"
.It Xo
.Li delete
.Ar src Ar dst Ar protocol Ar spi
-.Op Ar mode
.Li ;
.Xc
-Remove a SAD entry.
+Remove an SAD entry.
.\"
.It Xo
.Li flush
.Op Ar protocol
.Li ;
.Xc
-Clear all SAD entries that matches the options.
+Clear all SAD entries matched by the options.
.\"
.It Xo
.Li dump
.Op Ar protocol
.Li ;
.Xc
-Dumps all SAD entries that matches the options.
+Dumps all SAD entries matched by the options.
.\"
.It Xo
.Li spdadd
.Ar src_range Ar dst_range Ar upperspec Ar policy
.Li ;
.Xc
-Add a SPD entry.
+Add an SPD entry.
.\"
.It Xo
.Li spddelete
-.Ar src_range Ar dst_range Ar upperspec
+.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
.Li ;
.Xc
-Delete a SPD entry.
+Delete an SPD entry.
.\"
.It Xo
.Li spdflush
@@ -215,8 +215,9 @@ IPCOMP
.\"
.Pp
.It Ar spi
-Security Parameter Index (SPI) for the SA and SPD.
+Security Parameter Index (SPI) for the SAD and the SPD.
It must be decimal number or hexadecimal number
+You can not use the set of SPI values in the range 0 through 255.
.Po
with
.Li 0x
@@ -225,30 +226,40 @@ attached
.\"
.Pp
.It Ar extensions
-takes some of the following:
-.Bl -tag -width Fl -compact
+take some of the following:
+.Bl -tag -width Fl -compact
+.\"
.It Fl m Ar mode
-Specify an security protocol mode for use. By default,
-.Li any .
+Specify a security protocol mode for use.
.Ar mode
is one of following:
.Li transport , tunnel
or
.Li any .
+The default value is
+.Li any .
+.\"
.It Fl r Ar size
Specify window size of bytes for replay prevention.
.Ar size
must be decimal number in 32-bit word. If
.Ar size
is zero or not specified, replay check don't take place.
+.\"
+.It Fl u Ar id
+Specify the identifier of policy. See also
+.Xr ipsec_set_policy 3 .
+.\"
.It Fl f Ar pad_option
.Ar pad_option
is one of following:
.Li zero-pad , random-pad
or
.Li seq-pad
-.It Fl f Li cyclic-seq
-Allow cyclic sequence number.
+.\"
+.It Fl f Li nocyclic-seq
+Don't allow cyclic sequence number.
+.\"
.It Fl lh Ar time
.It Fl ls Ar time
Specify hard/soft lifetime.
@@ -256,7 +267,7 @@ Specify hard/soft lifetime.
.\"
.Pp
.It Ar algorithm
-.Bl -tag -width Fl -compact
+.Bl -tag -width Fl -compact
.It Fl E Ar ealgo Ar key
Specify encryption algorithm.
.It Fl A Ar aalgo Ar key
@@ -268,7 +279,7 @@ is used for esp, it will be treated as ESP payload authentication algorithm.
Specify compression algorithm.
If
.Fl R
-is specified with
+is not specified with
.Li ipcomp
line, the kernel will use well-known IPComp CPI
.Pq compression parameter index
@@ -280,7 +291,7 @@ field is only for kernel internal use in this case.
.\"Therefore, compression protocol number will appear on IPComp CPI field.
If
.Fl R
-is not used,
+is used,
the value on
.Ar spi
field will appear on IPComp CPI field on outgoing packets.
@@ -311,7 +322,7 @@ SAs accept
only.
.Pp
.Ar key
-must be double-quoted character string or a series of hexadecimal digits.
+must be double-quoted character string or series of hexadecimal digits.
.Pp
Possible values for
.Ar ealgo ,
@@ -322,7 +333,7 @@ are specified in separate section.
.\"
.It Ar src_range
.It Ar dst_range
-These are selection of the secure communication is specified as
+These are selections of the secure communication specified as
IPv4/v6 address or IPv4/v6 address range, and it may accompany
TCP/UDP port specification.
This takes the following form:
@@ -365,7 +376,7 @@ NOTE:
.Ar upperspec
does not work against forwarding case at this moment,
as it requires extra reassembly at forwarding node
-.Pq not implemented as this moment .
+.Pq not implemented at this moment .
.\"
.It Ar policy
.Ar policy
@@ -427,15 +438,15 @@ is to be one of the following:
or
.Li require .
.Li default
-means kernel consults to the system wide default against protocol you
+means the kernel consults to the system wide default against protocol you
specified, e.g.
.Li esp_trans_deflev
-sysctl variable, when kernel processes the packet.
+sysctl variable, when the kernel processes the packet.
.Li use
-means that kernel use a SA if it's available,
-otherwise kernel keeps normal operation.
+means that the kernel use a SA if it's available,
+otherwise the kernel keeps normal operation.
.Li require
-means SA is required whenever kernel deals with the packet.
+means SA is required whenever the kernel deals with the packet.
Note that
.Dq Li discard
and
@@ -456,7 +467,7 @@ The following list shows the supported algorithms.
and
.Sy algorithm
are almost orthogonal.
-Following are the list of authentication algorithms that can be used as
+Followings are the list of authentication algorithms that can be used as
.Ar aalgo
in
.Fl A Ar aalgo
@@ -477,7 +488,7 @@ keyed-sha1 160 ah: 96bit ICV (no document)
null 0 to 2048 for debugging
.Ed
.Pp
-Following are the list of encryption algorithms that can be used as
+Followings are the list of encryption algorithms that can be used as
.Ar ealgo
in
.Fl E Ar ealgo
@@ -497,7 +508,7 @@ des-deriv 64 ipsec-ciph-des-derived-01 (expired)
3des-deriv 192 no document
.Ed
.Pp
-Following are the list of compression algorithms that can be used as
+Followings are the list of compression algorithms that can be used as
.Ar calgo
in
.Fl C Ar calgo
@@ -510,7 +521,7 @@ algorithm comment
deflate rfc2394
lzs rfc2395
.Ed
-.\"
+.\"
.Sh EXAMPLES
.Bd -literal -offset
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
@@ -533,20 +544,18 @@ spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
.Ed
-.\"
+.\"
.Sh RETURN VALUES
The command exits with 0 on success, and non-zero on errors.
-.\"
+.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
.Xr sysctl 8
-.\"
+.\"
.Sh HISTORY
The
.Nm
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
The command was completely re-designed in June 1998.
-.Pp
-IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
-was initially integrated into
-.Fx 4.0
+.\"
+.\" .Sh BUGS
diff --git a/usr.sbin/setkey/setkey.c b/usr.sbin/setkey/setkey.c
index 73edc3f2bbc2..b1e1c1e3094b 100644
--- a/usr.sbin/setkey/setkey.c
+++ b/usr.sbin/setkey/setkey.c
@@ -1,7 +1,10 @@
+/* $FreeBSD$ */
+/* $KAME: setkey.c,v 1.14 2000/06/10 06:47:09 sakane Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
-/* KAME $Id: setkey.c,v 1.5 1999/10/26 09:39:37 sakane Exp $ */
#include <sys/types.h>
#include <sys/param.h>
@@ -51,40 +51,42 @@
#include <errno.h>
#include <netdb.h>
-void Usage __P((void));
-int main __P((int, char **));
-int get_supported __P((void));
-void sendkeyshort __P((u_int));
-void promisc __P((void));
-int sendkeymsg __P((void));
-int postproc __P((struct sadb_msg *, int));
-const char *numstr __P((int));
-void shortdump_hdr __P((void));
-void shortdump __P((struct sadb_msg *));
+#include "libpfkey.h"
+
+void Usage __P((void));
+int main __P((int, char **));
+int get_supported __P((void));
+void sendkeyshort __P((u_int));
+void promisc __P((void));
+int sendkeymsg __P((void));
+int postproc __P((struct sadb_msg *, int));
+const char *numstr __P((int));
+void shortdump_hdr __P((void));
+void shortdump __P((struct sadb_msg *));
#define MODE_SCRIPT 1
#define MODE_CMDDUMP 2
#define MODE_CMDFLUSH 3
+#define MODE_PROMISC 4
int so;
-int f_forever = 0;
-int f_all = 0;
-int f_debug = 0;
-int f_verbose = 0;
-int f_mode = 0;
-int f_cmddump = 0;
-int f_policy = 0;
-int f_promisc = 0;
-int f_hexdump = 0;
-char *pname;
+int f_forever = 0;
+int f_all = 0;
+int f_debug = 0;
+int f_verbose = 0;
+int f_mode = 0;
+int f_cmddump = 0;
+int f_policy = 0;
+int f_hexdump = 0;
+char *pname;
-u_char m_buf[BUFSIZ];
-u_int m_len;
+u_char m_buf[BUFSIZ];
+u_int m_len;
-extern int lineno;
+extern int lineno;
-extern int parse __P((FILE **));
+extern int parse __P((FILE **));
void
Usage()
@@ -95,7 +97,7 @@ Usage()
printf("\t%s [-Pdv] -F\n", pname);
printf("\t%s [-h] -x\n", pname);
pfkey_close(so);
- exit(0);
+ exit(1);
}
int
@@ -139,9 +141,8 @@ main(ac, av)
f_hexdump = 1;
break;
case 'x':
- f_promisc = 1;
- promisc();
- /*NOTREACHED*/
+ f_mode = MODE_PROMISC;
+ break;
case 'P':
f_policy = 1;
break;
@@ -170,10 +171,15 @@ main(ac, av)
errx(-1, "%s", ipsec_strerror());
/*NOTREACHED*/
}
- parse(&fp);
+ if (parse(&fp))
+ exit (1);
break;
+ case MODE_PROMISC:
+ promisc();
+ /*NOTREACHED*/
default:
Usage();
+ /*NOTREACHED*/
}
exit(0);
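Review bot: The `/*NOTREACHED*/` placed after `promisc();` in the new `MODE_PROMISC` case is only true if promisc() never returns, and its body is not visible in this hunk; if promisc() returns on an error path (a failed send or recv, say), control falls into `default:` and prints the usage text for what was a valid invocation. I would make the intent explicit with `promisc();` followed by `exit(0);` or a `break;`, or, if promisc() genuinely never returns, say so in a comment at its definition so the fall-through is not a trap for the next edit. The enclosing main() starts outside the hunk.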
@@ -216,7 +222,6 @@ sendkeyshort(type)
m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
- m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
@@ -240,7 +245,6 @@ promisc()
m_msg->sadb_msg_satype = 1;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
- m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
@@ -325,8 +329,10 @@ sendkeymsg()
if (f_forever)
shortdump_hdr();
again:
- if (f_verbose)
+ if (f_verbose) {
kdebug_sadb((struct sadb_msg *)m_buf);
+ printf("\n");
+ }
if ((len = send(so, m_buf, m_len, 0)) < 0) {
perror("send");
@@ -345,8 +351,10 @@ again:
break;
}
- if (f_verbose)
+ if (f_verbose) {
kdebug_sadb((struct sadb_msg *)rbuf);
+ printf("\n");
+ }
if (postproc(msg, len) < 0)
break;
} while (msg->sadb_msg_errno || msg->sadb_msg_seq);
@@ -423,8 +431,10 @@ postproc(msg, len)
pfkey_sadump(msg);
msg = (struct sadb_msg *)((caddr_t)msg +
PFKEY_UNUNIT64(msg->sadb_msg_len));
- if (f_verbose)
+ if (f_verbose) {
kdebug_sadb((struct sadb_msg *)msg);
+ printf("\n");
+ }
break;
case SADB_X_SPDDUMP:
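Review bot: The new verbose dump in the SADB_DUMP case hands kdebug_sadb() a pointer that has just been advanced by `PFKEY_UNUNIT64(msg->sadb_msg_len)`, a length taken from the received message itself, without checking that the advanced header still lies inside the `len` bytes postproc() was given (its prototype is `postproc(struct sadb_msg *, int)`); the SADB_X_SPDDUMP case below repeats the pattern. Even with the kernel as the peer, a short or truncated receive would make the dump read past the buffer. I would keep the original message pointer in a local before the advance and guard the dump, e.g. `if ((caddr_t)msg + sizeof(*msg) > (caddr_t)base + len) break;` with `base` being the message pointer postproc() received. postproc()'s body begins and ends outside the hunk.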
@@ -432,8 +442,10 @@ postproc(msg, len)
if (msg->sadb_msg_seq == 0) break;
msg = (struct sadb_msg *)((caddr_t)msg +
PFKEY_UNUNIT64(msg->sadb_msg_len));
- if (f_verbose)
+ if (f_verbose) {
kdebug_sadb((struct sadb_msg *)msg);
+ printf("\n");
+ }
break;
}
diff --git a/usr.sbin/setkey/test-pfkey.c b/usr.sbin/setkey/test-pfkey.c
index 849aba355a99..b1fb238c5a41 100644
--- a/usr.sbin/setkey/test-pfkey.c
+++ b/usr.sbin/setkey/test-pfkey.c
@@ -1,7 +1,10 @@
+/* $FreeBSD$ */
+/* $KAME: test-pfkey.c,v 1.4 2000/06/07 00:29:14 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,10 +28,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
-/* KAME $Id: test-pfkey.c,v 1.2 1999/10/26 08:09:17 itojun Exp $ */
#include <sys/types.h>
#include <sys/param.h>
@@ -47,23 +47,24 @@
#include <ctype.h>
#include <unistd.h>
#include <errno.h>
-
-u_char m_buf[BUFSIZ];
-u_int m_len;
-char *pname;
-
-void Usage __P((void));
-int sendkeymsg __P((void));
-void key_setsadbmsg __P((u_int));
-void key_setsadbsens __P((void));
-void key_setsadbprop __P((void));
-void key_setsadbid __P((u_int, caddr_t));
-void key_setsadblft __P((u_int, u_int));
-void key_setspirange __P((void));
-void key_setsadbkey __P((u_int, caddr_t));
-void key_setsadbsa __P((void));
-void key_setsadbaddr __P((u_int, u_int, caddr_t));
-void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
+#include <netdb.h>
+
+u_char m_buf[BUFSIZ];
+u_int m_len;
+char *pname;
+
+void Usage __P((void));
+int sendkeymsg __P((void));
+void key_setsadbmsg __P((u_int));
+void key_setsadbsens __P((void));
+void key_setsadbprop __P((void));
+void key_setsadbid __P((u_int, caddr_t));
+void key_setsadblft __P((u_int, u_int));
+void key_setspirange __P((void));
+void key_setsadbkey __P((u_int, caddr_t));
+void key_setsadbsa __P((void));
+void key_setsadbaddr __P((u_int, u_int, caddr_t));
+void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
void
Usage()
@@ -98,6 +99,18 @@ sendkeymsg()
perror("socket(PF_KEY)");
goto end;
}
+#if 0
+ {
+#include <sys/time.h>
+ struct timeval tv;
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
+ if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
+ perror("setsockopt");
+ goto end;
+ }
+ }
+#endif
pfkey_sadump((struct sadb_msg *)m_buf);
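Review bot: The `#if 0` block added to sendkeymsg() is disabled code, and it carries a `#include <sys/time.h>` inside a function body, which is an unusual place for a header even when the block is enabled. If the receive timeout is wanted for the test, move the include to the file's include list and enable the block; otherwise drop it rather than leaving it to rot in `#if 0`. sendkeymsg() continues outside the hunk.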
@@ -124,11 +137,14 @@ key_setsadbmsg(type)
{
struct sadb_msg m_msg;
+ memset(&m_msg, 0, sizeof(m_msg));
m_msg.sadb_msg_version = PF_KEY_V2;
m_msg.sadb_msg_type = type;
m_msg.sadb_msg_errno = 0;
m_msg.sadb_msg_satype = SADB_SATYPE_ESP;
+#if 0
m_msg.sadb_msg_reserved = 0;
+#endif
m_msg.sadb_msg_seq = 0;
m_msg.sadb_msg_pid = getpid();
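Review bot: The `#if 0 ... #endif` wrapped around `m_msg.sadb_msg_reserved = 0;` is dead code now that the new `memset(&m_msg, 0, sizeof(m_msg));` zeroes the whole structure, padding included, before it is copied into the PF_KEY message; I would delete those three lines rather than disable them. The memset itself is the right change, since it keeps stack garbage out of the bytes handed to the kernel. key_setsadbmsg() continues outside the hunk.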
@@ -223,6 +239,24 @@ key_setsadbmsg(type)
break;
case SADB_X_SPDADD:
+#if 0
+ {
+ struct sadb_x_policy m_policy;
+
+ m_policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(m_policy));
+ m_policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ m_policy.sadb_x_policy_type = SADB_X_PL_IPSEC;
+ m_policy.sadb_x_policy_esp_trans = 1;
+ m_policy.sadb_x_policy_ah_trans = 2;
+ m_policy.sadb_x_policy_esp_network = 3;
+ m_policy.sadb_x_policy_ah_network = 4;
+ m_policy.sadb_x_policy_reserved = 0;
+
+ memcpy(m_buf + m_len, &m_policy, sizeof(struct sadb_x_policy));
+ m_len += sizeof(struct sadb_x_policy);
+ }
+#endif
+
case SADB_X_SPDDELETE:
key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
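Review bot: With the policy-extension code disabled under `#if 0`, `case SADB_X_SPDADD:` now falls straight through into `case SADB_X_SPDDELETE:` and builds an SPDADD message that carries no SADB_X_EXT_POLICY extension at all; whether the kernel rejects such a message is not visible here, but it is presumably not the message the test means to send. At minimum mark the fall-through explicitly with `/* FALLTHROUGH */` on the line before `case SADB_X_SPDDELETE:`, and either finish the policy extension or remove the disabled block so the intent is clear. The switch statement starts and ends outside the hunk.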
@@ -437,32 +471,49 @@ key_setsadbaddr(ext, af, str)
caddr_t str;
{
struct sadb_address m_addr;
- u_char abuf[64];
- struct sockaddr *a = (struct sockaddr *)abuf;
u_int len;
+ struct addrinfo hints, *res;
+ const char *serv;
+ int plen;
+
+ switch (af) {
+ case AF_INET:
+ plen = sizeof(struct in_addr) << 3;
+ break;
+ case AF_INET6:
+ plen = sizeof(struct in6_addr) << 3;
+ break;
+ default:
+ /* XXX bark */
+ exit(1);
+ }
/* make sockaddr buffer */
- memset(abuf, 0, sizeof(abuf));
- a->sa_len = _SALENBYAF(af);
- a->sa_family = af;
- _INPORTBYSA(a) =
- (ext == SADB_EXT_ADDRESS_PROXY ? 0 : htons(0x1234));
- if (inet_pton(af, str, _INADDRBYSA(a)) != 1)
- ; /* XXX do something */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = af;
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+ hints.ai_flags = AI_NUMERICHOST;
+ serv = (ext == SADB_EXT_ADDRESS_PROXY ? "0" : "4660"); /*0x1234*/
+ if (getaddrinfo(str, serv, &hints, &res) != 0 || res->ai_next) {
+ /* XXX bark */
+ exit(1);
+ }
- len = sizeof(struct sadb_address) + PFKEY_ALIGN8(a->sa_len);
+ len = sizeof(struct sadb_address) + PFKEY_ALIGN8(res->ai_addrlen);
m_addr.sadb_address_len = PFKEY_UNIT64(len);
m_addr.sadb_address_exttype = ext;
m_addr.sadb_address_proto =
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : IPPROTO_TCP);
- m_addr.sadb_address_prefixlen = _INALENBYAF(af);
+ m_addr.sadb_address_prefixlen = plen;
m_addr.sadb_address_reserved = 0;
key_setsadbextbuf(m_buf, m_len,
(caddr_t)&m_addr, sizeof(struct sadb_address),
- abuf, a->sa_len);
+ (caddr_t)res->ai_addr, res->ai_addrlen);
m_len += len;
+ freeaddrinfo(res);
+
return;
}
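Review bot: Both new failure paths in key_setsadbaddr() are silent `/* XXX bark */ exit(1);` exits: the return code of getaddrinfo() is discarded, so a mistyped address in a test produces no diagnostic, and the `res->ai_next` branch exits without freeing the result. Capture the error and report it with gai_strerror(), as sketched below (declare `int error;` alongside the other locals). The unrelated `default:` arm of the `switch (af)` exits silently for the same reason and deserves an `fprintf(stderr, ...)` too, and since `m_len += len` still has no check against `sizeof(m_buf)`, a bounds test there would be cheap insurance.
```c
	/* … unchanged: hints setup and serv selection … */
	error = getaddrinfo(str, serv, &hints, &res);
	if (error != 0) {
		fprintf(stderr, "getaddrinfo(%s): %s\n", str, gai_strerror(error));
		exit(1);
	}
	if (res->ai_next != NULL) {
		fprintf(stderr, "%s: ambiguous numeric address\n", str);
		freeaddrinfo(res);
		exit(1);
	}
	/* … unchanged: sadb_address construction and key_setsadbextbuf() … */
```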
diff --git a/usr.sbin/setkey/token.l b/usr.sbin/setkey/token.l
index 0154beef4388..8916fdd79ee8 100644
--- a/usr.sbin/setkey/token.l
+++ b/usr.sbin/setkey/token.l
@@ -1,7 +1,10 @@
+/* $FreeBSD$ */
+/* $KAME: token.l,v 1.13 2000/06/07 00:29:14 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,8 +28,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
%{
@@ -63,18 +64,19 @@
#define PREPROC DECHO CMDARG
-int lineno = 1;
-char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
+int lineno = 1;
+char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
-extern u_char m_buf[BUFSIZ];
-extern u_int m_len;
-extern int f_debug;
+extern u_char m_buf[BUFSIZ];
+extern u_int m_len;
+extern int f_debug;
-int yylex __P((void));
-void yyerror __P((char *s));
-extern void parse_init __P((void));
-int parse __P((FILE **));
-int yyparse __P((void));
+int yylex __P((void));
+void yyfatal __P((const char *s));
+void yyerror __P((const char *s));
+extern void parse_init __P((void));
+int parse __P((FILE **));
+int yyparse __P((void));
%}
@@ -106,9 +108,7 @@ decstring {digit}+
hexpair {hexdigit}{hexdigit}
hexstring 0[xX]{hexdigit}+
octetstring {octet}({dot}{octet})+
-ipaddress {ipv4addr}|{ipv6addr}
-ipv4addr {digit}{1,3}({dot}{digit}{1,3}){0,3}
-ipv6addr {hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7}(%{letter}{letter}+)?
+ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
ipaddrmask {slash}{digit}{1,3}
ipaddrport {blcl}{decstring}{elcl}
keyword {letter}{letter}+
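Review bot: The new `ipaddress` pattern accepts any string that starts with a hex digit or colon and continues with hex digits, colons and dots, so `1.2.3`, `:::`, `abc` and `123` all match and the lexer no longer enforces address syntax; which token purely a–f words such as `add` become now depends on rule order, since flex takes the longest match and then the earliest rule. That is acceptable only if the parser validates the text (presumably via getaddrinfo(3) with AI_NUMERICHOST, which is not visible here), so I would record the contract on the definition: `/* deliberately loose: address syntax is checked by the parser, keyword rules must precede {ipaddress} */`. The scope suffix `%[a-zA-Z0-9]*` also accepts an empty scope id (`fe80::1%`), which the parser will have to reject as well.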
@@ -186,11 +186,12 @@ lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
{hyphen}m { PREPROC; return(F_MODE); }
transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
+{hyphen}u { PREPROC; return(F_REQID); }
{hyphen}f { PREPROC; return(F_EXT); }
random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
-cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); }
+nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
{hyphen}r { PREPROC; return(F_REPLAY); }
{hyphen}lh { PREPROC; return(F_LIFETIME_HARD); }
{hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); }
@@ -214,35 +215,17 @@ any { PREPROC; return(ANY); }
char *bp;
PREPROC;
- yylval.num = strtol(yytext, &bp, 10);
+ yylval.num = strtoul(yytext, &bp, 10);
return(DECSTRING);
}
-{ipv4addr} {
- /*
- * I can't supprt the type without dot,
- * because it's umbiguous against {decstring}.
- * e.g. 127
- */
+{ipaddress} {
PREPROC;
- yylval.val.len = sizeof(struct sockaddr_in);
+ yylval.val.len = yyleng;
yylval.val.buf = strdup(yytext);
- return(IP4_ADDRESS);
- }
-
-{ipv6addr} {
-#ifdef INET6
- PREPROC;
-
- yylval.val.len = sizeof(struct sockaddr_in6);
- yylval.val.buf = strdup(yytext);
-
- return(IP6_ADDRESS);
-#else
- yyerror("IPv6 address not supported");
-#endif
+ return(ADDRESS);
}
{ipaddrmask} {
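Review bot: Switching the `{decstring}` action to strtoul() still lets an out-of-range literal through: the value wraps silently into yylval.num (declared outside this hunk) and `errno` is never examined. Now that the lexer has yyfatal(), reject overflow at the source: `errno = 0; yylval.num = strtoul(yytext, &bp, 10); if (errno == ERANGE) yyfatal("number out of range");` (adding `#include <errno.h>` if the file does not already have it). The new `{ipaddress}` action likewise stores `strdup(yytext)` unchecked; a NULL there should be `yyfatal("strdup")` rather than a null buffer handed to the parser.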
@@ -263,7 +246,6 @@ any { PREPROC; return(ANY); }
}
{blcl}any{elcl} {
- char *p = yytext;
PREPROC;
return(PORTANY);
}
@@ -294,12 +276,24 @@ any { PREPROC; return(ANY); }
return(QUOTEDSTRING);
}
-. { yyerror("Syntax error"); }
+. {
+ yyfatal("Syntax error");
+ /*NOTREACHED*/
+ }
%%
void
-yyerror(char *s)
+yyfatal(s)
+ const char *s;
+{
+ yyerror(s);
+ exit(1);
+}
+
+void
+yyerror(s)
+ const char *s;
{
printf("line %d: %s at [%s]\n", lineno, s, yytext);
}
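Review bot: yyerror(), and therefore the new yyfatal() that exits 1 right after calling it, writes its diagnostic to stdout with printf, so the error text is interleaved with normal dump output and is lost entirely when stdout is redirected, which is exactly the scripted `-f` use case that now exits non-zero on a parse failure. Use `fprintf(stderr, "line %d: %s at [%s]\n", lineno, s, yytext);` instead. Note also that when yyerror() is invoked by the parser rather than the lexer, `yytext` may not correspond to the offending token, so a hedged comment to that effect above the function would help the next reader.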
@@ -319,4 +313,3 @@ parse(fp)
return(0);
}
-
diff --git a/usr.sbin/setkey/vchar.h b/usr.sbin/setkey/vchar.h
index 977f5f0f60d4..f3251c7bfed3 100644
--- a/usr.sbin/setkey/vchar.h
+++ b/usr.sbin/setkey/vchar.h
@@ -1,7 +1,10 @@
+/* $FreeBSD$ */
+/* $KAME: vchar.h,v 1.2 2000/06/07 00:29:14 itojun Exp $ */
+
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -13,7 +16,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,11 +28,9 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * $FreeBSD$
*/
typedef struct {
- u_int len;
- caddr_t buf;
+ u_int len;
+ caddr_t buf;
} vchar_t;