From 6b2922d06b0e64b73aa5c5f6863fb46034691238 Mon Sep 17 00:00:00 2001 From: itojun Date: Mon, 31 Jan 2000 14:22:41 +0000 Subject: [PATCH] catch up with latest libipsec/kernel. --- usr.sbin/setkey/Makefile | 38 +- usr.sbin/setkey/parse.y | 656 ++++++++++++++-------------------- usr.sbin/setkey/sample.cf | 246 +++++++++---- usr.sbin/setkey/scriptdump.pl | 18 +- usr.sbin/setkey/setkey.8 | 452 ++++++++++++----------- usr.sbin/setkey/setkey.c | 149 ++++---- usr.sbin/setkey/test-pfkey.c | 7 +- usr.sbin/setkey/token.l | 99 +++-- 8 files changed, 860 insertions(+), 805 deletions(-) diff --git a/usr.sbin/setkey/Makefile b/usr.sbin/setkey/Makefile index 8fc46850ab92..d4e0b2363f77 100644 --- a/usr.sbin/setkey/Makefile +++ b/usr.sbin/setkey/Makefile @@ -1,39 +1,31 @@ -# $NetBSD: Makefile,v 1.2 1999/07/10 11:31:28 tron Exp $ +# $NetBSD: Makefile,v 1.3 2000/01/31 14:22:41 itojun Exp $ PROG= setkey SRCS= setkey.c parse.y token.l +CFLAGS+=-g LDADD+= -ll -ly -CLEANFILES+= parse.c parse.h key_test.o keytest -YFLAGS+= +DPADD+= ${LIBL} ${LIBY} +CLEANFILES+= y.tab.c y.tab.h key_test.o keytest +YFLAGS+=-d -CPPFLAGS+=-DIPSEC_DEBUG -DYY_NO_UNPUT -DINET6 -CPPFLAGS+=-I. +SCRIPTS= scriptdump -#SCRIPTS= scriptdump +BINOWN=root +BINGRP=bin +BINMODE=555 -BINOWN = root -BINGRP = bin -BINMODE = 555 - -all: ${PROG} ${SCRIPTS} - -# FreeBSD -#SRCS+=y.tab.h -#y.tab.h: parse.y +all: ${PROG} scriptdump +CPPFLAGS+=-DIPSEC_DEBUG -DINET6 -DYY_NO_UNPUT +CPPFLAGS+=-I. -I${.CURDIR} LDADD+= -lipsec DPADD+= ${LIBIPSEC} -#CLEANFILES+= scriptdump +CLEANFILES+= scriptdump MAN= setkey.8 LOCALPREFIX= /usr/pkg -#scriptdump: scriptdump.pl -# sed -e 's#@LOCALPREFIX@#${LOCALPREFIX}#' < ${.CURDIR}/scriptdump.pl > scriptdump - -parse.c parse.h: parse.y - ${YACC.y} -d ${.ALLSRC} - mv -f y.tab.c parse.c - mv -f y.tab.h parse.h +scriptdump: scriptdump.pl + sed -e 's#@LOCALPREFIX@#${LOCALPREFIX}#' < $> > scriptdump .include 
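Review bot: `CFLAGS+=-g` in the Makefile hunk forces debug information into every build of setkey instead of leaving that to the builder's CFLAGS; if it is a development leftover it should be dropped or guarded, e.g. `.if defined(DEBUG)` / `CFLAGS+=-g` / `.endif`. `-DIPSEC_DEBUG` is likewise kept unconditionally in CPPFLAGS; whether that changes the behaviour of the installed binary cannot be told from this hunk, so a one-line comment next to it stating why it is always on would help the next maintainer.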
diff --git a/usr.sbin/setkey/parse.y b/usr.sbin/setkey/parse.y index c04bfc541104..bad95b5fc1e0 100644 --- a/usr.sbin/setkey/parse.y +++ b/usr.sbin/setkey/parse.y @@ -1,4 +1,4 @@ -/* $NetBSD: parse.y,v 1.2 1999/07/06 13:13:03 itojun Exp $ */ +/* $NetBSD: parse.y,v 1.3 2000/01/31 14:22:42 itojun Exp $ */ /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. @@ -28,7 +28,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ -/* KAME Id: parse.y,v 1.1.2.18.2.7.4.12 1999/07/01 20:19:03 sakane Exp */ +/* KAME Id: parse.y,v 1.14 1999/12/30 15:13:27 sakane Exp */ %{ #include @@ -55,9 +55,10 @@ u_int p_type; u_int32_t p_spi; -struct sockaddr *p_src, *p_dst, *p_proxy; -u_int p_ports, p_portd, p_prefs, p_prefd, p_upper; -u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay; +struct sockaddr *p_src, *p_dst; +u_int p_prefs, p_prefd, p_upper; +u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode; +u_int32_t p_reqid; u_int p_key_enc_len, p_key_auth_len; caddr_t p_key_enc, p_key_auth; time_t p_lt_hard, p_lt_soft; @@ -67,8 +68,8 @@ char *p_policy; /* temporary buffer */ static struct sockaddr *pp_addr; -static u_int pp_prefix = ~0; -static u_int pp_port = 0; +static u_int pp_prefix; +static u_int pp_port; static caddr_t pp_key; extern u_char m_buf[BUFSIZ]; 
@@ -95,19 +96,29 @@ extern void yyerror __P((char *)); %token EOT %token ADD GET DELETE FLUSH DUMP -%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT HOSTNAME +%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT PORTANY %token UP_PROTO PR_ESP PR_AH PR_IPCOMP -%token DECSTRING QUOTEDSTRING HEXSTRING %token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI -%token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP EXTENSION +%token F_MODE MODE F_REQID +%token F_EXT EXTENSION NOCYCLICSEQ +%token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP %token F_LIFETIME_HARD F_LIFETIME_SOFT +%token DECSTRING QUOTEDSTRING HEXSTRING ANY /* SPD management */ %token SPDADD SPDDELETE SPDDUMP SPDFLUSH %token F_POLICY PL_REQUESTS +%type PORT PREFIX EXTENSION MODE +%type UP_PROTO PR_ESP PR_AH PR_IPCOMP +%type ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP +%type DECSTRING +%type IP4_ADDRESS IP6_ADDRESS PL_REQUESTS +%type key_string policy_requests +%type QUOTEDSTRING HEXSTRING + %% -commands: - /* empty */ +commands + : /*NOTHING*/ | commands command { if (f_debug) { @@ -121,8 +132,8 @@ commands: } ; -command: - add_command +command + : add_command | get_command | delete_command | flush_command 
@@ -135,120 +146,79 @@ command: /* commands concerned with management, there is in tail of this file. */ /* add command */ -add_command: - ADD - { - p_type = yylval.num; - } - selector_spec protocol_spec lifetime_hard lifetime_soft EOT +add_command + : ADD { p_type = SADB_ADD; } + sa_selector_spec extension_spec algorithm_spec EOT ; /* delete */ -delete_command: - DELETE - { - p_type = yylval.num; - } - selector_spec protocol_spec0 EOT +delete_command + : DELETE { p_type = SADB_DELETE; } + sa_selector_spec extension_spec EOT ; /* get command */ -get_command: - GET - { - p_type = yylval.num; - } - selector_spec protocol_spec0 EOT +get_command + : GET { p_type = SADB_GET; } + sa_selector_spec extension_spec EOT ; /* flush */ -flush_command: - FLUSH - { - p_type = yylval.num; - } - protocol_spec0 EOT +flush_command + : FLUSH { p_type = SADB_FLUSH; } + protocol_spec EOT ; /* dump */ -dump_command: - DUMP - { - p_type = yylval.num; - } - protocol_spec0 EOT +dump_command + : DUMP { p_type = SADB_DUMP; } + protocol_spec EOT ; - /* selector_spec */ -selector_spec: - src_spec dst_spec upper_spec spi proxy_spec + /* sa_selector_spec */ +sa_selector_spec + : ipaddress { p_src = pp_addr; } + ipaddress { p_dst = pp_addr; } + protocol_spec spi ; -src_spec: - ip_address +protocol_spec + : /*NOTHING*/ { p_satype = SADB_SATYPE_UNSPEC; } + | PR_ESP { - p_src = pp_addr; + p_satype = SADB_SATYPE_ESP; + if ($1 == 1) + p_ext |= SADB_X_EXT_OLD; + else + p_ext &= ~SADB_X_EXT_OLD; } - prefix + | PR_AH { - p_prefs = pp_prefix; - /* initialize */ - pp_prefix = ~0; + p_satype = SADB_SATYPE_AH; + if ($1 == 1) + p_ext |= SADB_X_EXT_OLD; + else + p_ext &= ~SADB_X_EXT_OLD; } - port + | PR_IPCOMP { - _INPORTBYSA(p_src) = pp_port; - p_ports = pp_port; - - /* initialize */ - pp_port = 0; + p_satype = SADB_X_SATYPE_IPCOMP; } ; - -dst_spec: - ip_address - { - p_dst = pp_addr; - } - prefix - { - p_prefd = pp_prefix; - /* initialize */ - pp_prefix = ~0; - } - port - { - _INPORTBYSA(p_dst) = pp_port; - 
p_portd = pp_port; - - /* initialize */ - pp_port = 0; - } - ; - -upper_spec: - DECSTRING { p_upper = $1.num; } - | UP_PROTO { p_upper = $1.num; } - | PR_ESP { p_upper = IPPROTO_ESP; }; - | PR_AH { p_upper = IPPROTO_AH; }; - | PR_IPCOMP { p_upper = IPPROTO_IPCOMP; }; - ; - -spi: - DECSTRING - { - p_spi = yylval.num; - } + +spi + : DECSTRING { p_spi = $1; } | HEXSTRING { caddr_t bp; - caddr_t yp = yylval.val.buf; + caddr_t yp = $1.buf; char buf0[4], buf[4]; int i, j; /* sanity check */ - if (yylval.val.len > 4) { + if ($1.len > 4) { yyerror("SPI too big."); + free($1.buf); return -1; } 
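Review bot: protocol_spec encodes the old-RFC variant as the token's semantic value and tests it with a bare `if ($1 == 1)`, duplicated verbatim in the PR_ESP and PR_AH alternatives; a named constant for that value (or a small helper such as `set_old_ext($1)` that sets or clears SADB_X_EXT_OLD) would make the intent visible and keep the two branches from drifting apart. The HEXSTRING alternative of spi now frees `$1.buf` on the "SPI too big." path, which is correct, but the lines that fill `buf0` lie outside this hunk, so their handling of short or odd-length tokens cannot be reviewed here.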
@@ -261,114 +231,42 @@ spi: /* initialize */ for (i = 0; i < 4; i++) buf[i] = 0; - for (j = yylval.val.len - 1, i = 3; j >= 0; j--, i--) + for (j = $1.len - 1, i = 3; j >= 0; j--, i--) buf[i] = buf0[j]; /* XXX: endian */ p_spi = ntohl(*(u_int32_t *)buf); + + free($1.buf); } ; -proxy_spec: - /* empty */ - | ip_address - { - p_proxy = pp_addr; - } +algorithm_spec + : esp_spec + | ah_spec + | ipcomp_spec ; -protocol_spec0: - /* empty */ - | F_PROTOCOL PR_ESP - { - p_satype = SADB_SATYPE_ESP; - } - | F_PROTOCOL PR_AH - { - p_satype = SADB_SATYPE_AH; - } - | F_PROTOCOL PR_IPCOMP - { - p_satype = SADB_X_SATYPE_IPCOMP; - } +esp_spec + : F_ENC enc_alg enc_key F_AUTH auth_alg auth_key + | F_ENC enc_alg enc_key ; -protocol_spec: - F_PROTOCOL PR_ESP - { - p_satype = SADB_SATYPE_ESP; - if (yylval.num == 1) - p_ext |= SADB_X_EXT_OLD; - else - p_ext &= ~SADB_X_EXT_OLD; - } - extensions esp_specification - | F_PROTOCOL PR_AH - { - p_satype = SADB_SATYPE_AH; - if (yylval.num == 1) - p_ext |= SADB_X_EXT_OLD; - else - p_ext &= ~SADB_X_EXT_OLD; - } - ah_specification - | F_PROTOCOL PR_IPCOMP - { - p_satype = SADB_X_SATYPE_IPCOMP; - } - ipcomp_specification - ; - -extensions: - /* empty */ - | extensions extension +ah_spec + : F_AUTH auth_alg auth_key ; -extension: - EXTENSION - { - p_ext |= yylval.num; - } +ipcomp_spec + : F_COMP ALG_COMP { p_alg_enc = $2; } + | F_COMP ALG_COMP { p_alg_enc = $2; } + F_RAWCPI { p_ext |= SADB_X_EXT_RAWCPI; } ; -esp_specification: - /* empty */ - | esp_specification esp_spec - ; - -esp_spec: - F_ENC alg_enc - enc_keys - | F_AUTH ALG_AUTH - { - if (p_ext & SADB_X_EXT_OLD) { - yyerror("algorithm mismatched."); - return -1; - } - - p_alg_auth = yylval.num; - } - auth_key - | F_REPLAY DECSTRING - { - if (p_ext & SADB_X_EXT_OLD) { - yyerror("algorithm mismatched."); - return -1; - } - - p_replay = yylval.num; - } - ; - - /* XXX: I wanna delete it. 
*/ -alg_enc: - ALG_ENC - { - p_alg_enc = yylval.num; - } +enc_alg + : ALG_ENC { p_alg_enc = $1; } | ALG_ENC_DESDERIV { - p_alg_enc = yylval.num; + p_alg_enc = $1; if (p_ext & SADB_X_EXT_OLD) { yyerror("algorithm mismatched."); return -1; @@ -377,7 +275,7 @@ alg_enc: } | ALG_ENC_DES32IV { - p_alg_enc = yylval.num; + p_alg_enc = $1; if (!(p_ext & SADB_X_EXT_OLD)) { yyerror("algorithm mismatched."); return -1; @@ -386,52 +284,17 @@ alg_enc: } ; -ah_specification: - /* empty */ - | ah_specification ah_spec - ; - -ah_spec: - F_AUTH ALG_AUTH +enc_key + : /*NOTHING*/ { - p_alg_auth = yylval.num; - } auth_key - | F_REPLAY DECSTRING - { - if (p_ext & SADB_X_EXT_OLD) { - yyerror("algorithm mismatched."); + if (p_alg_enc != SADB_EALG_NULL) { + yyerror("no key found."); return -1; } - - p_replay = yylval.num; } - ; - -ipcomp_specification - : /* empty */ - | ipcomp_specification ipcomp_spec - ; - -ipcomp_spec - : F_COMP ALG_COMP + | key_string { - p_alg_enc = yylval.num; - } - | F_RAWCPI - { - p_ext |= SADB_X_EXT_RAWCPI; - } - ; - -enc_keys: - /* empty */ - | enc_keys enc_key - ; - -enc_key: - key_string - { - p_key_enc_len = yylval.val.len; + p_key_enc_len = $1.len; p_key_enc = pp_key; if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT, @@ -443,11 +306,21 @@ enc_key: } ; -auth_key: - /* empty */ +auth_alg + : ALG_AUTH { p_alg_auth = $1; } + ; + +auth_key + : /*NOTHING*/ + { + if (p_alg_auth != SADB_AALG_NULL) { + yyerror("no key found."); + return -1; + } + } | key_string { - p_key_auth_len = yylval.val.len; + p_key_auth_len = $1.len; p_key_auth = pp_key; if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH, 
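Review bot: `p_spi = ntohl(*(u_int32_t *)buf);` in the spi rule, left unchanged by this hunk, reads a `char buf[4]` through a u_int32_t pointer, which violates strict aliasing and is apparently what the "XXX: endian" comment is about; `u_int32_t v; memcpy(&v, buf, sizeof v); p_spi = ntohl(v);` is well defined and yields the same value. In ipcomp_spec the two alternatives both start with `F_COMP ALG_COMP { p_alg_enc = $2; }`, the second via a mid-rule action before F_RAWCPI; a single `| F_COMP ALG_COMP F_RAWCPI { p_alg_enc = $2; p_ext |= SADB_X_EXT_RAWCPI; }` next to the plain alternative expresses the same grammar without the mid-rule reduction.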
@@ -459,156 +332,82 @@ auth_key: } ; -key_string: - QUOTEDSTRING +key_string + : QUOTEDSTRING { - if ((pp_key = malloc(yylval.val.len)) == 0) - return -1; - memcpy(pp_key, yylval.val.buf, yylval.val.len); + pp_key = $1.buf; + /* free pp_key later */ } | HEXSTRING { caddr_t bp; - caddr_t yp = yylval.val.buf; + caddr_t yp = $1.buf; - if ((pp_key = malloc(yylval.val.len)) == 0) + if ((pp_key = malloc($1.len)) == 0) { + free($1.buf); + yyerror(strerror(errno)); return -1; - memset(pp_key, 0, yylval.val.len); + } + memset(pp_key, 0, $1.len); bp = pp_key; while (*yp) { *bp = (ATOX(yp[0]) << 4) | ATOX(yp[1]); yp += 2, bp++; } + + free($1.buf); } ; - /* lifetime */ -lifetime_hard: - /* empty */ - | F_LIFETIME_HARD DECSTRING - { - p_lt_hard = yylval.num; - } +extension_spec + : /*NOTHING*/ + | extension_spec extension ; -lifetime_soft: - /* empty */ - | F_LIFETIME_SOFT DECSTRING +extension + : F_EXT EXTENSION { p_ext |= $2; } + | F_EXT NOCYCLICSEQ { p_ext ^= SADB_X_EXT_CYCSEQ; } + | F_MODE MODE { p_mode = $2; } + | F_MODE ANY { p_mode = IPSEC_MODE_ANY; } + | F_REQID DECSTRING { p_reqid = $2; } + | F_REPLAY DECSTRING { - p_lt_soft = yylval.num; - } - ; - -ip_address: - IP4_ADDRESS - { - struct sockaddr_in *in; - u_int sa_len = yylval.val.len; - - if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0) + if (p_ext & SADB_X_EXT_OLD) { + yyerror("replay prevention " + "only use on new spec."); return -1; - memset((caddr_t)in, 0, sa_len); - - in->sin_family = PF_INET; - in->sin_len = sa_len; - (void)inet_pton(PF_INET, yylval.val.buf, &in->sin_addr); - - pp_addr = (struct sockaddr *)in; - } - | IP6_ADDRESS - { -#ifdef INET6 - struct sockaddr_in6 *in6; - u_int sa_len = yylval.val.len; - - if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0) - return -1; - memset((caddr_t)in6, 0, sa_len); - - in6->sin6_family = PF_INET6; - in6->sin6_len = sa_len; - (void)inet_pton(PF_INET6, yylval.val.buf, - &in6->sin6_addr); - - pp_addr = (struct sockaddr *)in6; -#else - yyerror("IPv6 address not 
supported"); -#endif - } - ; - -prefix: - /* empty */ - | PREFIX - { - pp_prefix = yylval.num; - } - ; - -port: - /* empty */ - | PORT - { - pp_port = htons(yylval.num); + } + p_replay = $2; } + | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; } + | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; } ; /* definition about command for SPD management */ /* spdadd */ -spdadd_command: - SPDADD +spdadd_command + : SPDADD { - p_type = yylval.num; + p_type = SADB_X_SPDADD; p_satype = SADB_SATYPE_UNSPEC; } - src_spec dst_spec upper_spec policy_spec EOT - ; - -policy_spec: - F_POLICY policy_requests - { - int len; - - if ((len = ipsec_get_policylen($2.val.buf)) < 0) { - yyerror(ipsec_strerror()); - return -1; - } - - if ((p_policy = malloc(len)) == NULL) { - yyerror("malloc"); - return -1; - } - - if ((len = ipsec_set_policy(p_policy, len, $2.val.buf)) < 0) { - yyerror(ipsec_strerror()); - free(p_policy); - p_policy = NULL; - return -1; - } - - p_policy_len += len; - } - ; - -policy_requests: - /* empty */ - | PL_REQUESTS { $$ = $1; } + sp_selector_spec policy_spec EOT ; spddelete_command: SPDDELETE { - p_type = yylval.num; + p_type = SADB_X_SPDDELETE; p_satype = SADB_SATYPE_UNSPEC; } - src_spec dst_spec upper_spec EOT + sp_selector_spec EOT ; spddump_command: SPDDUMP { - p_type = yylval.num; + p_type = SADB_X_SPDDUMP; p_satype = SADB_SATYPE_UNSPEC; } EOT 
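Review bot: `| F_EXT NOCYCLICSEQ { p_ext ^= SADB_X_EXT_CYCSEQ; }` toggles the flag instead of clearing it, so giving `-f nocyclic-seq` twice on one add line silently re-enables cyclic sequence numbers (parse_init in this commit starts from `p_ext = SADB_X_EXT_CYCSEQ`); it should be `p_ext &= ~SADB_X_EXT_CYCSEQ;`. In the HEXSTRING branch of key_string, `free($1.buf)` now runs before `yyerror(strerror(errno))`, whereas the IP4_ADDRESS branch reports first; free() may change errno on some platforms, so save errno or report before freeing. The decode loop below that malloc is still bounded only by the NUL terminator and not by `$1.len`, so the write into pp_key relies on the lexer guaranteeing an even-length token whose decoded size equals len; a bound such as `while (*yp && bp < pp_key + $1.len)` would make that explicit.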
@@ -617,12 +416,126 @@ spddump_command: spdflush_command: SPDFLUSH { - p_type = yylval.num; + p_type = SADB_X_SPDFLUSH; p_satype = SADB_SATYPE_UNSPEC; } EOT ; + /* sp_selector_spec */ +sp_selector_spec + : ipaddress { p_src = pp_addr; } + prefix { p_prefs = pp_prefix; } + port { _INPORTBYSA(p_src) = htons(pp_port); } + ipaddress { p_dst = pp_addr; } + prefix { p_prefd = pp_prefix; } + port { _INPORTBYSA(p_dst) = htons(pp_port); } + upper_spec + { + switch (p_upper) { + case IPPROTO_ICMP: + case IPPROTO_ICMPV6: + if (_INPORTBYSA(p_src) != IPSEC_PORT_ANY + || _INPORTBYSA(p_dst) != IPSEC_PORT_ANY) { + yyerror("port number must be \"any\"."); + return -1; + } + break; + default: + break; + } + } + ; + +ipaddress + : IP4_ADDRESS + { + struct sockaddr_in *in; + u_int sa_len = $1.len; + + if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0) { + yyerror(strerror(errno)); + free($1.buf); + return -1; + } + memset((caddr_t)in, 0, sa_len); + + in->sin_family = PF_INET; + in->sin_len = sa_len; + in->sin_port = IPSEC_PORT_ANY; + (void)inet_pton(PF_INET, $1.buf, &in->sin_addr); + + pp_addr = (struct sockaddr *)in; + free($1.buf); + } + | IP6_ADDRESS + { +#ifdef INET6 + struct sockaddr_in6 *in6; + u_int sa_len = $1.len; + + if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0) { + free($1.buf); + yyerror(strerror(errno)); + return -1; + } + memset((caddr_t)in6, 0, sa_len); + + in6->sin6_family = PF_INET6; + in6->sin6_len = sa_len; + in6->sin6_port = IPSEC_PORT_ANY; + (void)inet_pton(PF_INET6, $1.buf, + &in6->sin6_addr); + + pp_addr = (struct sockaddr *)in6; +#else + yyerror("IPv6 address not supported"); +#endif + free($1.buf); + } + ; + +prefix + : /*NOTHING*/ { pp_prefix = ~0; } + | PREFIX { pp_prefix = $1; } + ; + +port + : /*NOTHING*/ { pp_port = IPSEC_PORT_ANY; } + | PORT { pp_port = $1; } + | PORTANY { pp_port = IPSEC_PORT_ANY; } + ; + +upper_spec + : DECSTRING { p_upper = $1; } + | UP_PROTO { p_upper = $1; } + | PR_ESP { p_upper = IPPROTO_ESP; }; + | PR_AH { p_upper = 
IPPROTO_AH; }; + | PR_IPCOMP { p_upper = IPPROTO_IPCOMP; }; + | ANY { p_upper = IPSEC_ULPROTO_ANY; } + ; + +policy_spec + : F_POLICY policy_requests + { + p_policy = ipsec_set_policy($2.buf, $2.len); + if (p_policy == NULL) { + free($2.buf); + p_policy = NULL; + yyerror(ipsec_strerror()); + return -1; + } + + p_policy_len = ipsec_get_policylen(p_policy); + + free($2.buf); + } + ; + +policy_requests + : PL_REQUESTS { $$ = $1; } + ; + %% int @@ -634,9 +547,12 @@ setkeymsg() m_msg.sadb_msg_type = p_type; m_msg.sadb_msg_errno = 0; m_msg.sadb_msg_satype = p_satype; - m_msg.sadb_msg_reserved = 0; + m_msg.sadb_msg_mode = p_mode; + m_msg.sadb_msg_reserved1 = 0; m_msg.sadb_msg_seq = 0; m_msg.sadb_msg_pid = getpid(); + m_msg.sadb_msg_reqid = p_reqid; + m_msg.sadb_msg_reserved2 = 0; m_len = sizeof(struct sadb_msg); memcpy(m_buf, &m_msg, m_len); @@ -732,31 +648,14 @@ setkeymsg() memcpy(m_buf + m_len, &m_sa, len); m_len += len; - /* set proxy, if present. */ - if (p_proxy != 0) { - m_addr.sadb_address_len = - PFKEY_UNIT64(sizeof(m_addr) - + PFKEY_ALIGN8(p_proxy->sa_len)); - m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_PROXY; - m_addr.sadb_address_proto = 0; - m_addr.sadb_address_prefixlen = - (p_proxy->sa_family == PF_INET ? 32 : 128); - m_addr.sadb_address_reserved = 0; - - setvarbuf(&m_len, - (struct sadb_ext *)&m_addr, sizeof(m_addr), - (caddr_t)p_proxy, p_proxy->sa_len); - } - /* set src */ m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) + PFKEY_ALIGN8(p_src->sa_len)); m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; - m_addr.sadb_address_proto = p_upper; + m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY; m_addr.sadb_address_prefixlen = - (p_prefs != ~0 ? - p_prefs : (p_src->sa_family == PF_INET ? 32 : 128)); + _INALENBYAF(p_src->sa_family) << 3; m_addr.sadb_address_reserved = 0; setvarbuf(&m_len, 
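Review bot: In the new ipaddress rule the result of `inet_pton()` is discarded with `(void)`, so a token the lexer accepted but inet_pton rejects leaves the zeroed address from memset (0.0.0.0 or ::) in pp_addr and the SA or policy is installed against the wrong address; check it, e.g. `if (inet_pton(PF_INET, $1.buf, &in->sin_addr) != 1) { yyerror("invalid address"); free(in); free($1.buf); return -1; }`, and likewise in the IPv6 branch. The `#else` path of IP6_ADDRESS calls yyerror but does not `return -1`, so parsing continues with whatever pp_addr held before. In policy_spec, `p_policy_len = ipsec_get_policylen(p_policy);` is no longer checked for a negative result as the removed code did, and the `p_policy = NULL;` inside `if (p_policy == NULL)` is redundant.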
@@ -768,10 +667,9 @@ setkeymsg() PFKEY_UNIT64(sizeof(m_addr) + PFKEY_ALIGN8(p_dst->sa_len)); m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST; - m_addr.sadb_address_proto = p_upper; + m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY; m_addr.sadb_address_prefixlen = - (p_prefd != ~0 ? - p_prefd : (p_dst->sa_family == PF_INET ? 32 : 128)); + _INALENBYAF(p_dst->sa_family) << 3; m_addr.sadb_address_reserved = 0; setvarbuf(&m_len, @@ -787,9 +685,6 @@ setkeymsg() case SADB_X_SPDADD: { - ((struct sadb_x_policy *)p_policy)->sadb_x_policy_len = - PFKEY_UNIT64(p_policy_len); - memcpy(m_buf + m_len, p_policy, p_policy_len); m_len += p_policy_len; free(p_policy); @@ -808,8 +703,8 @@ setkeymsg() m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; m_addr.sadb_address_proto = p_upper; m_addr.sadb_address_prefixlen = - (p_prefs != ~0 ? - p_prefs : (p_src->sa_family == PF_INET ? 32 : 128)); + (p_prefs != ~0 ? p_prefs : + _INALENBYAF(p_src->sa_family) << 3); m_addr.sadb_address_reserved = 0; setvarbuf(&m_len, @@ -823,8 +718,8 @@ setkeymsg() m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST; m_addr.sadb_address_proto = p_upper; m_addr.sadb_address_prefixlen = - (p_prefd != ~0 ? - p_prefd : (p_dst->sa_family == PF_INET ? 32 : 128)); + (p_prefd != ~0 ? p_prefd : + _INALENBYAF(p_dst->sa_family) << 3); m_addr.sadb_address_reserved = 0; setvarbuf(&m_len, @@ -859,16 +754,18 @@ parse_init() p_type = 0; p_spi = 0; - p_src = 0, p_dst = 0, p_proxy = 0; - p_ports = p_portd = 0; - p_prefs = p_prefd = 0; + p_src = 0, p_dst = 0; + pp_prefix = p_prefs = p_prefd = ~0; + pp_port = IPSEC_PORT_ANY; p_upper = 0; p_satype = 0; - p_ext = SADB_X_EXT_NONE; + p_ext = SADB_X_EXT_CYCSEQ; p_alg_enc = SADB_EALG_NONE; p_alg_auth = SADB_AALG_NONE; - p_replay = 0; + p_mode = IPSEC_MODE_ANY; + p_reqid = 0; + p_replay = 4; p_key_enc_len = p_key_auth_len = 0; p_key_enc = p_key_auth = 0; p_lt_hard = p_lt_soft = 0; 
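Review bot: parse_init now defaults `p_replay = 4;`, but the setkey.8 hunk in this same commit says of `-r size` that if size is zero or not specified the replay check does not take place; one of the two is wrong unless setkeymsg treats the default specially, which is not visible here. Either the default should be 0 or the manual should document the default window. A named constant would also make the bare `4` self-explanatory, e.g. `#define DEFAULT_REPLAY_WINDOW 4` and `p_replay = DEFAULT_REPLAY_WINDOW;`.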
@@ -886,7 +783,6 @@ free_buffer() { if (p_src) free(p_src); if (p_dst) free(p_dst); - if (p_proxy) free(p_proxy); if (p_key_enc) free(p_key_enc); if (p_key_auth) free(p_key_auth); diff --git a/usr.sbin/setkey/sample.cf b/usr.sbin/setkey/sample.cf index b7244302f067..38507c502497 100644 --- a/usr.sbin/setkey/sample.cf +++ b/usr.sbin/setkey/sample.cf @@ -1,3 +1,5 @@ +# $NetBSD: sample.cf,v 1.2 2000/01/31 14:22:42 itojun Exp $ +# # Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. # All rights reserved. # 
@@ -25,79 +27,193 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. -# There are sample scripts to configure IPsec. - -# Both src and dst are 127.0.0.1 and spi=0x10001. Serurity protocol is ESP -# with blowfish-cbc whose key is "kamekame" as encryption algorithm, and -# with hmac-sha1 whose key is "this is the test key" as authentication -# algorithm. -add 127.0.0.1 127.0.0.1 any 0x10001 - -p esp -E blowfish-cbc "kamekame" - -A hmac-sha1 "this is the test key" ; - -# Security protocol is old AH, i.e. RFC1826, with keyed-md5 whose key -# is "test" as authentication algorithm. -add 127.0.0.2 127.0.0.1 any 0x10002 - -p ah-old -A keyed-md5 "this is the test" ; - -# This is how to specify the upper layer protocol. -# This may not work as this has not been tested. -add 127.0.0.1/24 10.0.2.0/24 udp 0x10003 - -p ah -A hmac-md5 "this is the test" ; - -# On "get" command you can specify target entries. -# This command needs src/dst, (upper layer protocol, src/dst port if any), -# spi and security protocol. -# For "delete" command one must specify the target in the same way. -get 10.0.1.0/24 10.0.2.0/24 any 0x10001 -p esp ; -delete 10.0.1.0/24 10.0.2.0/24 any 0x10001 -p esp ; - -# "flush" and "dump" commands can specify a security protocol. -dump -p esp ; -flush -p esp ; -# By default, those commands will handle all entries. -dump ; -flush ; - -# This is planned to display the script for configuration. -#dumpscript ; - -# NEVER to define with proxy address, i.g. 202.249.11.41, -# that will cause kernel to hang up, may be.. -# Those are near future available. -#add 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41 -# -p esp -E des-cbc "hogehoge" -A hmac-md5 "hogehogehogehoge" ; - -#add ::1 ::1 udp 0x20010 203.178.141.215 -# -p esp-old -E des-cbc "hahahaha" ; - -#add 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41 -p esp; +# There are sample scripts for IPsec configuration by manual keying. 
+# A security association is uniquely identified by a triple consisting +# of a Security Parameter Index (SPI), an IP Destination Address, and a +# security protocol (AH or ESP) identifier. You must take care of these +# parameters when you configure by manual keying. +# ESP transport mode is recommended for TCP port number 110 between +# Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key +# is "kamekame", and authentication algorithm is hmac-sha1 whose key +# is "this is the test key". # -# There are some command for SPD management as follows: +# ============ ESP ============ +# | | +# Host-A Host-B +# fec0::10 -------------------- fec0::11 +# +# At Host-A and Host-B, +spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec + esp/transport/fec0::10-fec0::11/use ; +spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec + esp/transport/fec0::11-fec0::10/use ; +add fec0::10 fec0::11 esp 0x10001 + -m transport + -E blowfish-cbc "kamekame" + -A hmac-sha1 "this is the test key" ; +add fec0::11 fec0::10 esp 0x10002 + -m transport + -E blowfish-cbc "kamekame" + -A hmac-sha1 "this is the test key" ; -# "spdadd" is to add a new SPD entry following by a policy indicator -# with `-P'. The policy indicator is the one of follows: -# "discard" for discarding packet, "none" for nothing to do, and "ipsec" -# for doing IPsec. "ipsec" is followed by the requests for IPsec protocol. -# These requests is consisted, "protocol/level[/end-point]". -# There are three directive for level as following: "default", "use" and -# "require". -spdadd 10.0.0.0/24 127.0.0.1 any -P discard ; -spdadd 192.168.1.1 192.168.1.2 any -P bypass ; +# "[any]" is wildcard of port number. Note that "[0]" is the number of +# zero in port number. -# To do IP|AH loosely, i.e. it doesn't do IPsec when there is no AH-SA. -spdadd 172.16.10.1 172.16.11.1[21] tcp -P ipsec ah/use ; +# Security protocol is old AH tunnel mode, i.e. 
RFC1826, with keyed-md5 +# whose key is "this is the test" as authentication algorithm. +# That protocol takes place between Gateway-A and Gateway-B. +# +# ======= AH ======= +# | | +# Network-A Gateway-A Gateway-B Network-B +# 10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24 +# +# At Gateway-A: +spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec + ah/tunnel/172.16.0.1-172.16.0.2/require ; +spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec + ah/tunnel/172.16.0.2-172.16.0.1/require ; +add 172.16.0.1 172.16.0.2 ah-old 0x10003 + -m any + -A keyed-md5 "this is the test" ; +add 172.16.0.2 172.16.0.1 ah-old 0x10004 + -m any + -A keyed-md5 "this is the test" ; -# To request IP1|ESP|IP2|AH|ESP, -spdadd 172.16.10.0/24 172.16.11.0/24 any -P ipsec - esp/require ah/require esp/require/203.178.141.194 ; +# If port number field is omitted such above then "[any]" is employed. +# -m specifies the mode of SA to be used. "-m any" means wildcard of +# mode of security protocol. You can use this SAs for both tunnel and +# transport mode. -# "spddelete" is to delete a SPD entry. -spddelete 172.16.10.0/24 172.16.11.0/24 any ; +# At Gateway-B. Attention to the selector and peer's IP address for tunnel. +spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec + ah/tunnel/172.16.0.2-172.16.0.1/require ; +spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec + ah/tunnel/172.16.0.1-172.16.0.2/require ; +add 172.16.0.1 172.16.0.2 ah-old 0x10003 + -m tunnel + -A keyed-md5 "this is the test" ; +add 172.16.0.2 172.16.0.1 ah-old 0x10004 + -m tunnel + -A keyed-md5 "this is the test" ; -# To dump and to flush all SPD entry, "spddump" and "spdflush" are ready. +# AH transport mode followed by ESP tunnel mode is required between +# Gateway-A and Gateway-B. +# Encryption algorithm is 3des-cbc, and authentication algorithm for ESP +# is hmac-sha1. Authentication algorithm for AH is hmac-md5. 
+# +# ========== AH ========= +# | ======= ESP ===== | +# | | | | +# Network-A Gateway-A Gateway-B Network-B +# fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64 +# +# At Gateway-A: +spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec + esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require + ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ; +spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec + esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require + ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ; +add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 + -m tunnel + -E 3des-cbc "kamekame12341234kame1234" + -A hmac-sha1 "this is the test key" ; +add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 + -m transport + -A hmac-md5 "this is the test" ; +add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 + -m tunnel + -E 3des-cbc "kamekame12341234kame1234" + -A hmac-sha1 "this is the test key" ; +add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 + -m transport + -A hmac-md5 "this is the test" ; + +# ESP tunnel mode is required between Host-A and Gateway-A. +# Encryption algorithm is cast128-cbc, and authentication algorithm +# for ESP is hmac-sha1. +# ESP transport mode is recommended between Host-A and Host-B. +# Encryption algorithm is rc5-cbc, and authentication algorithm +# for ESP is hmac-md5. 
+# +# ================== ESP ================= +# | ======= ESP ======= | +# | | | | +# Host-A Gateway-A Host-B +# fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2 +# +# At Host-A: +spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec + esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use + esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ; +spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec + esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use + esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ; +add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001 + -m transport + -E cast128-cbc "12341234" + -A hmac-sha1 "this is the test key" ; +add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002 + -E rc5-cbc "kamekame" + -A hmac-md5 "this is the test" ; +add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003 + -m transport + -E cast128-cbc "12341234" + -A hmac-sha1 "this is the test key" ; +add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004 + -E rc5-cbc "kamekame" + -A hmac-md5 "this is the test" ; + +# By "get" command, you can get a entry of either SP or SA. +get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; + +# Also delete command, you can delete a entry of either SP or SA. +spddelete out fec0:0:0:1::/64 fec0:0:0:2:/64 any ; +delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; + +# By dump command, you can dump all entry of either SP or SA. +dump ; spddump ; +dump esp ; +flush esp ; + +# By flush command, you can flush all entry of either SP or SA. +flush ; spdflush ; +# "flush" and "dump" commands can specify a security protocol. 
+dump esp ; +flush ah ; + +# XXX +add ::1 ::1 esp 10001 -m transport -E simple ; +add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ; +add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ; +add ::1 ::1 esp 10004 -m transport -E simple -A null ; +add ::1 ::1 esp 10005 -m transport -E simple -A hmac-md5 "1234123412341234" ; +add ::1 ::1 esp 10006 -m tunnel -E simple -A hmac-sha1 "12341234123412341234" ; +add ::1 ::1 esp 10007 -m transport -E simple -A keyed-md5 "1234123412341234" ; +add ::1 ::1 esp 10008 -m any -E simple -A keyed-sha1 "12341234123412341234" ; +add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ; +add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ; +add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ; +add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ; +add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ; +add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ; +add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ; +add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ; +add ::1 ::1 esp 10017 -m transport -f seq-pad -f cyclic-seq -E simple ; +add ::1 ::1 esp 10018 -m transport -E simple ; +#add ::1 ::1 ah 20000 -m transport -A null ; +add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234"; +add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234"; +add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234"; +add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234"; +add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234"; +#add ::1 ::1 ipcomp 30000 -C oui ; +add ::1 ::1 ipcomp 30001 -C deflate ; +#add ::1 ::1 ipcomp 30002 -C lzs ; + # enjoy. diff --git a/usr.sbin/setkey/scriptdump.pl b/usr.sbin/setkey/scriptdump.pl index fd53d0ee1cbe..d9799b4586c3 100644 --- a/usr.sbin/setkey/scriptdump.pl +++ b/usr.sbin/setkey/scriptdump.pl 
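Review bot: The Host-A example in sample.cf is internally inconsistent: the inbound policy `spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use ...` selects Gateway-A (fec0:0:0:2::1) as source while the transport SA it references ends at Host-B (fec0:0:0:2::2), and the `add` lines pair cast128-cbc with the Host-B transport SAs and rc5-cbc with the gateway SAs, the reverse of the prose above them. `spddelete out fec0:0:0:1::/64 fec0:0:0:2:/64 any ;` has a malformed second address and a leading `out` for which the spddelete_command rule in parse.y shows no token, so it presumably does not parse. The `# XXX` block at the end installs SAs on ::1 with null encryption (`-E simple`) and fixed test keys whenever the file is fed to setkey as-is; commenting those lines out or moving them to a separate test file would keep the sample safe to run.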
@@ -1,6 +1,6 @@ #! @LOCALPREFIX@/bin/perl # -# $NetBSD: scriptdump.pl,v 1.2 1999/07/06 13:13:03 itojun Exp $ +# $NetBSD: scriptdump.pl,v 1.3 2000/01/31 14:22:43 itojun Exp $ # if ($< != 0) { @@ -21,9 +21,9 @@ while ($i = shift @ARGV) { open(IN, "setkey -D |") || die; foreach $_ () { if (/^[^\t]/) { - ($src, $dst, $upper, $proxy) = split(/\s+/, $_); - } elsif (/^\t(esp|ah) spi=(\d+).*replay=(\d+)/) { - ($proto, $spi, $replay) = ($1, $2, $3); + ($src, $dst) = split(/\s+/, $_); + } elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*reqid=(\d+)/) { + ($proto, $ipsecmode, $spi, $reqid) = ($1, $2, $3, $4); } elsif (/^\tE: (\S+) (.*)/) { $ealgo = $1; $ekey = $2; @@ -34,17 +34,19 @@ foreach $_ () { $akey = $2; $akey =~ s/\s//g; $akey =~ s/^/0x/g; - } elsif (/^\tstate=/) { - print "$mode $src $src $upper $spi $proxy -p $proto"; + } elsif (/^\treplay=(\d+) flags=(0x\d+) state=/) { + print "$mode $src $dst $proto $spi -m $ipsecmode"; + $replay = $1; + print " -u $reqid" if $reqid; if ($mode eq 'add') { + print " -r $replay" if $replay; if ($proto eq 'esp') { print " -E $ealgo $ekey" if $ealgo; print " -A $aalgo $akey" if $aalgo; } elsif ($proto eq 'ah') { print " -A $aalgo $akey" if $aalgo; } - print " -r $replay" if $replay; - } + } print ";\n"; $src = $dst = $upper = $proxy = ''; diff --git a/usr.sbin/setkey/setkey.8 b/usr.sbin/setkey/setkey.8 index 5c2bd5701551..bbb785b14d14 100644 --- a/usr.sbin/setkey/setkey.8 +++ b/usr.sbin/setkey/setkey.8 @@ -25,12 +25,12 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $NetBSD: setkey.8,v 1.5 1999/09/07 06:49:37 itojun Exp $ -.\" KAME Id: setkey.8,v 1.1.1.1 1999/08/08 23:31:51 itojun Exp +.\" $NetBSD: setkey.8,v 1.6 2000/01/31 14:22:43 itojun Exp $ +.\" KAME Id: setkey.8,v 1.18 2000/01/14 01:28:27 itojun Exp .\" .Dd May 17, 1998 .Dt SETKEY 8 -.Os +.Os KAME .\" .Sh NAME .Nm setkey 
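Review bot: The new match `/^\treplay=(\d+) flags=(0x\d+) state=/` in scriptdump.pl only accepts flag values made of decimal digits after `0x`; if flags are printed in hexadecimal, as the `0x` prefix suggests, any SA whose flags contain a-f never reaches the `print` and is silently left out of the dump, so the capture should be `flags=(0x[0-9a-fA-F]+)`. The header match `(esp|ah) mode=(\S+)` likewise drops ipcomp SAs, and esp-old/ah-old entries are re-emitted correctly only if the dump prints that token, which cannot be confirmed from this hunk. The reset line `$src = $dst = $upper = $proxy = '';` still clears variables the script no longer prints, while `$ipsecmode`, `$reqid` and `$replay` are not cleared between entries in this hunk.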
@@ -118,57 +118,53 @@ Description of meta-arguments follows. .Bl -tag -width Ds .It Xo .Li add -.Ar src Ar dst Ar upperspec Ar spi -.Op Ar proxyspec -.Ar protocol -.\" .Op Ar depend_on_sa +.Ar src Ar dst Ar protocol Ar spi +.Op Ar extensions +.Ar algorithm... .Li ; .Xc Add a SAD entry. .\" .It Xo .Li get -.Ar src Ar dst Ar upperspec Ar spi -.Op Ar proxyspec -.Op Ar protocol0 +.Ar src Ar dst Ar protocol Ar spi +.Op Fl m Ar mode .Li ; .Xc Show a SAD entry. .\" .It Xo .Li delete -.Ar src Ar dst Ar upperspec Ar spi -.Op Ar proxyspec -.Op Ar protocol0 +.Ar src Ar dst Ar protocol Ar spi +.Op Fl m Ar mode .Li ; .Xc Remove a SAD entry. .\" .It Xo .Li flush -.Op Ar protocol0 +.Op Ar protocol .Li ; .Xc Clear all SAD entries that matches the options. .\" .It Xo .Li dump -.Op Ar protocol0 +.Op Ar protocol .Li ; .Xc Dumps all SAD entries that matches the options. .\" .It Xo .Li spdadd -.Ar src Ar dst Ar upperspec -.Op Ar policy +.Ar src_range Ar dst_range Ar upperspec Ar policy .Li ; .Xc Add a SPD entry. .\" .It Xo .Li spddelete -.Ar src Ar dst Ar upperspec +.Ar src_range Ar dst_range Ar upperspec .Li ; .Xc Delete a SPD entry. 
@@ -184,14 +180,158 @@ Clear all SPD entries. .Li ; .Xc Dumps all SAD entries. -.\" .El +.\" .Pp Meta-arguments are as follows: -.Bl -tag -width Ds +.Bl -tag -compact -width Ds .It Ar src .It Ar dst Source/destination of the secure communication is specified as +IPv4/v6 address. +.Nm +does not consult hostname-to-address for arguments +.Ar src +and +.Ar dst . +They must be in numeric form. +.\" +.Pp +.It Ar protocol +.Ar protocol +is one of following: +.Bl -tag -width Fl -compact +.It Li esp +ESP based on rfc2405 +.It Li esp-old +ESP based on rfc1827 +.It Li ah +AH based on rfc2402 +.It Li ah-old +AH based on rfc1826 +.It Li ipcomp +IPCOMP +.El +.\" +.Pp +.It Ar spi +Security Parameter Index (SPI) for the SA and SPD. +It must be decimal number or hexadecimal number +.Po +with +.Li 0x +attached +.Pc . +.\" +.Pp +.It Ar extensions +takes some of the following: +.Bl -tag -width Fl -compact +.\" +.It Fl m Ar mode +Specify an security protocol mode for use. By default, +.Li any . +.Ar mode +is one of following: +.Li transport , tunnel +or +.Li any . +.\" +.It Fl r Ar size +Specify window size of bytes for replay prevention. +.Ar size +must be decimal number in 32-bit word. If +.Ar size +is zero or not specified, replay check don't take place. +.\" +.It Fl u Ar id +Specify the identifier of policy. See also +.Xr ipsec_set_policy 3 . +.\" +.It Fl f Ar pad_option +.Ar pad_option +is one of following: +.Li zero-pad , random-pad +or +.Li seq-pad +.\" +.It Fl f Li nocyclic-seq +Don't allow cyclic sequence number. +.\" +.It Fl lh Ar time +.It Fl ls Ar time +Specify hard/soft lifetime. +.El +.\" +.Pp +.It Ar algorithm +.Bl -tag -width Fl -compact +.It Fl E Ar ealgo Ar key +Specify encryption algorithm. +.It Fl A Ar ealgo Ar key +Specify authentication algorithm. +If +.Fl A +is used for esp, it will be treated as ESP payload authentication algorithm. +.It Fl C Ar calgo Op Fl R +Specify compression algorithm. 
+If +.Fl R +is not specified with +.Li ipcomp +line, the kernel will use well-known IPComp CPI +.Pq compression parameter index +on IPComp CPI field on packets, and +.Ar spi +field will be ignored. +.Ar spi +field is only for kernel internal use in this case. +.\"Therefore, compression protocol number will appear on IPComp CPI field. +If +.Fl R +is used, +the value on +.Ar spi +field will appear on IPComp CPI field on outgoing packets. +.Ar spi +field needs to be smaller than +.Li 0x10000 +in this case. +.El +.Pp +.Li esp +SAs accept +.Fl E +and +.Fl A . +.Li esp-old +SAs accept +.Fl E +only. +.Li ah +and +.Li ah-old +SAs accept +.Fl A +only. +.Li ipcomp +SAs accept +.Fl C +only. +.Pp +.Ar key +must be double-quoted character string or a series of hexadecimal digits. +.Pp +Possible values for +.Ar ealgo , +.Ar aalgo +and +.Ar calgo +are specified in separate section. +.\" +.It Ar src_range +.It Ar dst_range +These are selection of the secure communication is specified as IPv4/v6 address or IPv4/v6 address range, and it may accompany TCP/UDP port specification. This takes the following form: @@ -209,8 +349,7 @@ must be decimal number. The square bracket around .Ar port is really necessary. -They are not manpage metacharacters -.Li :-) +They are not manpage metacharacters. .Pp .Nm does not consult hostname-to-address for arguments 
@@ -228,148 +367,14 @@ and .Li any can be specified. .Li any -is as the wildcard. +stands for +.Dq any protocol . +.Pp NOTE: .Ar upperspec -of forwarding packet has no effect at this moment, since kernel code fragment to handle -.Ar upperspec -is disabled. -.\" -.It Ar spi -Security Parameter Index (SPI) for the SA and SPD. -It must be decimal number or hexadecimal number -.Po -with -.Li 0x -attached -.Pc . -.\" -.It Ar proxyspec -.Ar proxyspec -can be specified as either an IPv4 or IPv6 address. -If specified, the SAD entry will be used for tunnel mode IPsec processing. -.\" -.It Ar protocol -.Ar protocol -takes the following forms: -.Bl -tag -width Ds -.It Xo -.Fl p -.Li esp -.Op Ar extensions -.Op Fl E Ar ealgo Ar key -.Op Fl A Ar aalgo Ar key -.Op Fl r Ar replay -.Xc -.It Xo -.Fl p -.Li ah -.Op Ar extensions -.Op Fl A Ar aalgo Ar key -.Op Fl r Ar replay -.Xc -.It Xo -.Fl p -.Li esp-old -.Op Ar extensions -.Op Fl E Ar ealgo Ar key -.Op Fl A Ar aalgo Ar key -.Op Fl r Ar replay -.Xc -.It Xo -.Fl p -.Li ah-old -.Op Ar extensions -.Op Fl A Ar aalgo Ar key -.Op Fl r Ar replay -.Xc -.It Xo -.Fl p -.Li ipcomp -.Op Fl C Ar calgo -.Op Fl R -.Xc -.El -.Pp -.Fl p -is always mandatory. -Optional flag, -.Ar extensions , -can be -.Li cyclic-seq , -and one of the following: -.Li random-pad , -.Li seq-pad , -.Li zero-pad . -.Fl E -specifies encryption algorithm, and -.Fl A -specifies authentication algorithm. -If -.Fl A -is used for -.Fl p Li esp -or -.Fl p Li esp-old , -it will be treated as ESP payload authentication algorithm. -Possible values for -.Ar ealgo , -.Ar aalgo -and -.Ar calgo -are specified in separete section. -.Ar key -must be double-quoted character string or a series of hexadecimal digits. -.Fl r Ar replay -is used for checking replay attacks. -.Ar replay -must be decimal number in 32-bit word. If -.Ar replay -is zero or not specified, repley check don't take place. -.Fl R -is used only with -.Li ipcomp . 
-If -.Fl R -is specified with -.Li ipcomp -line, the kernel will use well-known IPComp CPI -.Pq compression parameter index -on IPComp CPI field on packets, and -.Ar spi -field will be ignored. -.Ar spi -field is only for kernel internal use in this case. -.\"Therefore, compression protocol number will appear on IPComp CPI field. -If -.Fl R -is not used, -the value on -.Ar spi -field will appear on IPComp CPI field on outgoing packets. -.Ar spi -field needs to be smaller than -.Li 0x10000 -in this case. -.\" -.It Ar protocol0 -This is a subset of -.Ar protocol , -which takes no optional arguments: -.Bd -literal -offset -.Xo -.Fl p -.Li esp -.Xc -.Xo -.Fl p -.Li ah -.Xc -.Xo -.Fl p -.Li ipcomp -.Xc -.Ed +does not work against forwarding case at this moment, +as it requires extra reassembly at forwarding node +.Pq not implemented as this moment . .\" .It Ar policy .Ar policy @@ -377,20 +382,29 @@ is the one of following: .Bd -literal -offset .Xo .Fl P +.Ar direction .Li discard .Xc .Xo .Fl P +.Ar direction .Li none .Xc .Xo .Fl P +.Ar direction .Li ipsec -.Ar protocol/level -.Op Ar /peer +.Ar protocol/mode/src-dst/level .Xc .Ed .Pp +You must specify the direction of its policy as +.Ar direction . +Either +.Li out +or +.Li in +are used. .Li discard means the packet matching indexes will be discarded. .Li none @@ -404,6 +418,18 @@ or .Li ipcomp is to be set as .Ar protocol . +.Ar mode +is either +.Li transport +or +.Li tunnel . +You must specify the end-points addresses of the SA as +.Ar src +and +.Ar dst +with +.Sq - +between these addresses which is used to specify the SA to use. .Ar level is to be one of the following: .Li default , use 
@@ -419,10 +445,17 @@ means that kernel use a SA if it's available, otherwise kernel keeps normal operation. .Li require means SA is required whenever kernel deals with the packet. -If you plan to set up the tunnel mode of IPsec, you can specify the end-point a -ddress of the tunnel as -.Ar peer -which will be hint when IPsec system set up SAs by Key management automatically. +Note that +.Dq Li discard +and +.Dq Li none +are not in the syntax described in +.Xr ipsec_set_policy 3 . +There are little differences in the syntax. +See +.Xr ipsec_set_policy 3 +for detail. +.Pp .El .Pp .\" @@ -440,18 +473,18 @@ of .Ar protocol parameter: .Pp -.Bl -column "algorithmxx" -column "keylengthxx" -offset -.It Sy algorithm key length (bits) comment -.It hmac-md5 128 ah: rfc2403 -.It 128 ah-old: rfc2085 -.It hmac-sha1 160 ah: rfc2404 -.It 160 ah-old: 128bit ICV (no document) -.It keyed-md5 128 ah: 96bit ICV (no document) -.It 128 ah-old: rfc1828 -.It keyed-sha1 160 ah: 96bit ICV (no document) -.It 160 ah-old: 128bit ICV (no document) -.It null 0 to 2048 for debugging -.El +.Bd -literal -offset indent +algorithm keylen (bits) comment +hmac-md5 128 ah: rfc2403 + 128 ah-old: rfc2085 +hmac-sha1 160 ah: rfc2404 + 160 ah-old: 128bit ICV (no document) +keyed-md5 128 ah: 96bit ICV (no document) + 128 ah-old: rfc1828 +keyed-sha1 160 ah: 96bit ICV (no document) + 160 ah-old: 128bit ICV (no document) +null 0 to 2048 for debugging +.Ed .Pp Following are the list of encryption algorithms that can be used as .Ar ealgo 
@@ -461,17 +494,17 @@ of .Ar protocol parameter: .Pp -.Bl -column "algorithmxx" -column "keylengthxx" -offset -.It Sy algorithm key length(bits) comment -.It des-cbc 64 esp-old: rfc1829, esp: rfc2405 -.It 3des-cbc 192 rfc2451 -.It simple 0 to 2048 rfc2410 -.It blowfish-cbc 40 to 448 rfc2451 -.It cast128-cbc 40 to 128 rfc2451 -.It rc5-cbc 40 to 2040 rfc2451 -.It des-deriv 64 ipsec-ciph-des-derived-01 (expired) -.It 3des-deriv 192 no document -.El +.Bd -literal -offset indent +algorithm keylen (bits) comment +des-cbc 64 esp-old: rfc1829, esp: rfc2405 +3des-cbc 192 rfc2451 +simple 0 to 2048 rfc2410 +blowfish-cbc 40 to 448 rfc2451 +cast128-cbc 40 to 128 rfc2451 +rc5-cbc 40 to 2040 rfc2451 +des-deriv 64 ipsec-ciph-des-derived-01 (expired) +3des-deriv 192 no document +.Ed .Pp Following are the list of compression algorithms that can be used as .Ar calgo 
@@ -481,37 +514,32 @@ of .Ar protocol parameter: .Pp -.Bl -column "algorithmxx" -offset -.It Sy algorithm comment -.It deflate rfc2394 -.It lzs rfc2395 -.El +.Bd -literal -offset indent +algorithm comment +deflate rfc2394 +lzs rfc2395 +.Ed .\" .Sh EXAMPLES .Bd -literal -offset -add 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41 - -p esp -E des-cbc "hogehoge" - -A hmac-md5 "hagehogehogehoge" ; +add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 + -E des-cbc "ESP SA!!" -add 127.0.0.1 127.0.0.1 any 0x10001 - -p esp -E blowfish-cbc "kamekame" - -A hmac-sha1 "hogehogehogehogehoge" ; +add 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 + -A hmac-sha1 "AH SA configuration!" ; -add 127.0.0.1 127.0.0.1 any 0x10001 - -p ah-old -A keyed-md5 "testtesttesttest" ; +add 10.0.11.41 10.0.11.33 esp 0x10001 + -E des-cbc "ESP with" + -A hmac-md5 "authentication!!" ; -add 10.0.0.1 10.0.0.2 udp 0x10002 203.178.141.215 - -p ah -A keyed-md5 "testtesttesttest" ; - -get 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41 - -p esp ; +get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ; flush ; -dump -p esp ; +dump esp ; -spdadd 10.0.11.41/32[21] 10.0.11.33/32[0] any - -P ipsec ah/use esp/require/192.168.0.1 ; +spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any + -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ; .Ed .\" diff --git a/usr.sbin/setkey/setkey.c b/usr.sbin/setkey/setkey.c index f3792a65c6b3..226400fb46fb 100644 --- a/usr.sbin/setkey/setkey.c +++ b/usr.sbin/setkey/setkey.c @@ -1,4 +1,4 @@ -/* $NetBSD: setkey.c,v 1.2 1999/07/06 13:13:03 itojun Exp $ */ +/* $NetBSD: setkey.c,v 1.3 2000/01/31 14:22:44 itojun Exp $ */ /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. @@ -28,7 +28,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ -/* KAME Id: setkey.c,v 1.1.4.1.2.5.2.21.2.19.4.16 1999/07/02 17:15:32 itojun Exp */ +/* KAME Id: setkey.c,v 1.8 1999/12/02 05:23:59 sakane Exp */ #include #include 
@@ -62,14 +62,18 @@ const char *numstr __P((int));
 void shortdump_hdr __P((void));
 void shortdump __P((struct sadb_msg *));
+#define MODE_SCRIPT 1
+#define MODE_CMDDUMP 2
+#define MODE_CMDFLUSH 3
+
+int so;
+
 
 int f_forever = 0;
 int f_all = 0;
 int f_debug = 0;
 int f_verbose = 0;
-int f_command = 0;
-int f_script = 0;
+int f_mode = 0;
 int f_cmddump = 0;
-int f_cmdflush = 0;
 int f_policy = 0;
 int f_promisc = 0;
 int f_hexdump = 0;
@@ -85,12 +89,13 @@ extern int parse __P((FILE **));
 void
 Usage()
 {
-	printf("Usage:\t%s [-dv] -c", pname);
+	printf("Usage:\t%s [-dv] -c\n", pname);
 	printf("\t%s [-dv] -f (file)\n", pname);
 	printf("\t%s [-Padlv] -D\n", pname);
 	printf("\t%s [-Pdv] -F\n", pname);
 	printf("\t%s [-h] -x\n", pname);
-	exit(0);
+	pfkey_close(so);
+	exit(1);
 }
 
 int
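Review bot: `pfkey_close(so)` added to Usage() (and to the MODE_CMDFLUSH arm of main() in the next hunk) closes the new file-scope `so`, but nothing ever assigns it: get_supported() keeps its own local `int so;` (visible as context in its hunk), stores the socket there, and the `pfkey_close(so)` it used to do is removed in the hunk after that. The global therefore stays 0, so both new calls close descriptor 0 while the socket opened by get_supported() is leaked. Either drop the local declaration in get_supported() so the global receives the socket, or keep the close inside get_supported(); in any case `if (so > 0) pfkey_close(so);` would avoid closing stdin when Usage() is reached from the getopt default arm before any socket exists.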
@@ -107,67 +112,69 @@ main(ac, av)
 
 	while ((c = getopt(ac, av, "acdf:hlvxDFP")) != EOF) {
 		switch (c) {
-		case 'a':
-			f_all = 1;
-			break;
 		case 'c':
-			f_script = 1;
+			f_mode = MODE_SCRIPT;
 			fp = stdin;
 			break;
-		case 'd':
-			f_debug = 1;
-			break;
 		case 'f':
-			f_script = 1;
+			f_mode = MODE_SCRIPT;
 			if ((fp = fopen(optarg, "r")) == NULL) {
-				perror("fopen");
-				exit(-1);
+				err(-1, "fopen");
+				/*NOTREACHED*/
 			}
 			break;
+		case 'D':
+			f_mode = MODE_CMDDUMP;
+			break;
+		case 'F':
+			f_mode = MODE_CMDFLUSH;
+			break;
+		case 'a':
+			f_all = 1;
+			break;
 		case 'l':
 			f_forever = 1;
 			break;
 		case 'h':
 			f_hexdump = 1;
 			break;
-		case 'v':
-			f_verbose = 1;
-			break;
 		case 'x':
 			f_promisc = 1;
 			promisc();
 			/*NOTREACHED*/
-		case 'D':
-			f_cmddump = 1;
-			break;
-		case 'F':
-			f_cmdflush = 1;
-			break;
 		case 'P':
 			f_policy = 1;
 			break;
+		case 'd':
+			f_debug = 1;
+			break;
+		case 'v':
+			f_verbose = 1;
+			break;
 		default:
 			Usage();
 			/*NOTREACHED*/
 		}
 	}
 
-	if (get_supported() < 0) {
-		printf("%s\n", ipsec_strerror());
-		exit(-1);
-	}
-
-	if (f_cmdflush)
-		sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
-	else
-	if (f_cmddump)
+	switch (f_mode) {
+	case MODE_CMDDUMP:
 		sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP);
-	else
-	if (f_script)
-		parse(&fp);
-	else {
+		break;
+	case MODE_CMDFLUSH:
+		sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
+		pfkey_close(so);
+		break;
+	case MODE_SCRIPT:
+		if (get_supported() < 0) {
+			errx(-1, "%s", ipsec_strerror());
+			/*NOTREACHED*/
+		}
+		if (parse(&fp))
+			exit (1);
+		break;
+	default:
 		Usage();
-		/*NOTREACHED*/
 	}
 
 	exit(0);
@@ -178,14 +185,14 @@ get_supported()
 {
 	int so;
 
-#if 0
+	if ((so = pfkey_open()) < 0) {
+		perror("pfkey_open");
+		return -1;
+	}
+
 	/* debug mode ? */
 	if (f_debug)
 		return 0;
-#endif
-
-	if ((so = pfkey_open()) < 0)
-		return -1;
 
 	if (pfkey_send_register(so, PF_UNSPEC) < 0)
 		return -1;
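Review bot: `err(-1, "fopen")` in the `-f` arm and `errx(-1, "%s", ipsec_strerror())` in the MODE_SCRIPT arm pass -1 as the exit status, which the shell sees as 255, while Usage() and the `parse(&fp)` failure path now exit with 1; `err(1, "fopen")` and `errx(1, "%s", ipsec_strerror())` would keep the statuses consistent. The MODE_SCRIPT arm also never closes the FILE opened for `-f` before `exit (1)`, which is harmless at exit but worth a `fclose(fp)` for symmetry with the socket handling. In the get_supported() hunk the PF_KEY socket is now opened before the `f_debug` early return, so debug runs open a socket that the early return never registers on; if that is intended, the `/* debug mode ? */` comment should say so.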
@@ -193,14 +200,12 @@ get_supported()
 	if (pfkey_recv_register(so) < 0)
 		return -1;
 
-	pfkey_close(so);
 
-	return 0;
 }
 
 void
 sendkeyshort(type)
-	u_int type;
+	u_int type;
 {
 	struct sadb_msg *m_msg = (struct sadb_msg *)m_buf;
@@ -211,10 +216,12 @@ sendkeyshort(type)
 	m_msg->sadb_msg_errno = 0;
 	m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
 	m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
-	m_msg->sadb_msg_reserved = 0;
-	m_msg->sadb_msg_reserved = 0;
+	m_msg->sadb_msg_mode = IPSEC_MODE_ANY;
+	m_msg->sadb_msg_reserved1 = 0;
 	m_msg->sadb_msg_seq = 0;
 	m_msg->sadb_msg_pid = getpid();
+	m_msg->sadb_msg_reqid = 0;
+	m_msg->sadb_msg_reserved2 = 0;
 
 	sendkeymsg();
 
@@ -235,10 +242,12 @@ promisc()
 	m_msg->sadb_msg_errno = 0;
 	m_msg->sadb_msg_satype = 1;
 	m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
-	m_msg->sadb_msg_reserved = 0;
-	m_msg->sadb_msg_reserved = 0;
+	m_msg->sadb_msg_mode = IPSEC_MODE_ANY;
+	m_msg->sadb_msg_reserved1 = 0;
 	m_msg->sadb_msg_seq = 0;
 	m_msg->sadb_msg_pid = getpid();
+	m_msg->sadb_msg_reqid = 0;
+	m_msg->sadb_msg_reserved2 = 0;
 
 	if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
 		err(1, "socket(PF_KEY)");
@@ -297,13 +306,15 @@ promisc()
 int
 sendkeymsg()
 {
+	int so;
+
 	u_char rbuf[1024 * 32];	/* XXX: Enough ? Should I do MSG_PEEK ? */
-	int so, len;
+	int len;
 	struct sadb_msg *msg;
 
 	if ((so = pfkey_open()) < 0) {
-		printf("%s\n", ipsec_strerror());
-		return 0;
+		perror("pfkey_open");
+		return -1;
 	}
 
 	{
@@ -319,8 +330,10 @@ sendkeymsg()
 	if (f_forever)
 		shortdump_hdr();
 again:
-	if (f_verbose)
+	if (f_verbose) {
 		kdebug_sadb((struct sadb_msg *)m_buf);
+		printf("\n");
+	}
 
 	if ((len = send(so, m_buf, m_len, 0)) < 0) {
 		perror("send");
@@ -335,12 +348,14 @@ again:
 		}
 		if (PFKEY_UNUNIT64(msg->sadb_msg_len) != len) {
-			fprintf(stderr, "invalid keymsg length\n");
+			warnx("invalid keymsg length");
 			break;
 		}
 
-		if (f_verbose)
+		if (f_verbose) {
 			kdebug_sadb((struct sadb_msg *)rbuf);
+			printf("\n");
+		}
 
 		if (postproc(msg, len) < 0)
 			break;
 	} while (msg->sadb_msg_errno || msg->sadb_msg_seq);
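Review bot: In sendkeymsg() `perror("pfkey_open")` replaces the `ipsec_strerror()` report, but pfkey_open() reports its failures through libipsec's own error string and errno may be stale when it fails for a reason other than socket(); `warnx("pfkey_open: %s", ipsec_strerror());` keeps the diagnostic accurate. The return value on that path also changes from 0 to -1, so any caller in parse.y (outside this view) that treated a non-zero result as success needs checking. The identical header setup added to sendkeyshort() and promisc() — `sadb_msg_mode`, `sadb_msg_reserved1`, `sadb_msg_reqid`, `sadb_msg_reserved2` — is a candidate for one small static helper so the two cannot drift apart again.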
@@ -366,7 +381,7 @@ postproc(msg, len) char inf[80]; char *errmsg = NULL; - if (f_script) + if (f_mode == MODE_SCRIPT) snprintf(inf, sizeof(inf), "The result of line %d: ", lineno); else inf[0] = '\0'; @@ -404,7 +419,8 @@ postproc(msg, len) if (!f_all) { caddr_t mhp[SADB_EXT_MAX + 1]; struct sadb_sa *sa; - pfkey_check(msg, mhp); + pfkey_align(msg, mhp); + pfkey_check(mhp); if ((sa = (struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) { if (sa->sadb_sa_state == SADB_SASTATE_DEAD) break; @@ -416,8 +432,10 @@ postproc(msg, len) pfkey_sadump(msg); msg = (struct sadb_msg *)((caddr_t)msg + PFKEY_UNUNIT64(msg->sadb_msg_len)); - if (f_verbose) + if (f_verbose) { kdebug_sadb((struct sadb_msg *)msg); + printf("\n"); + } break; case SADB_X_SPDDUMP: @@ -425,8 +443,10 @@ postproc(msg, len) if (msg->sadb_msg_seq == 0) break; msg = (struct sadb_msg *)((caddr_t)msg + PFKEY_UNUNIT64(msg->sadb_msg_len)); - if (f_verbose) + if (f_verbose) { kdebug_sadb((struct sadb_msg *)msg); + printf("\n"); + } break; } @@ -452,7 +472,7 @@ static char *ipproto[] = { /*40*/ NULL, "ip6", NULL, "rt6", "frag6", NULL, "rsvp", "gre", NULL, NULL, /*50*/ "esp", "ah", NULL, NULL, NULL, - NULL, NULL, "icmp6", "none", NULL, + NULL, NULL, NULL, "icmp6", "none", /*60*/ "dst6", }; @@ -488,7 +508,8 @@ shortdump(msg) u_int t; time_t cur = time(0); - pfkey_check(msg, mhp); + pfkey_align(msg, mhp); + pfkey_check(mhp); printf("%02lu%02lu", (u_long)(cur % 3600) / 60, (u_long)(cur % 60)); diff --git a/usr.sbin/setkey/test-pfkey.c b/usr.sbin/setkey/test-pfkey.c index 953411ca2ae3..2e2313e8e916 100644 --- a/usr.sbin/setkey/test-pfkey.c +++ b/usr.sbin/setkey/test-pfkey.c @@ -1,4 +1,4 @@ -/* $NetBSD: test-pfkey.c,v 1.2 1999/07/06 13:13:03 itojun Exp $ */ +/* $NetBSD: test-pfkey.c,v 1.3 2000/01/31 14:22:44 itojun Exp $ */ /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 
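Review bot: In the `if (!f_all)` block of postproc() the results of `pfkey_align(msg, mhp)` and `pfkey_check(mhp)` are ignored before `mhp[SADB_EXT_SA]` is read, and the same unchecked pair is added to shortdump() further down; both return -1 for a malformed message, in which case `mhp` must not be trusted. Messages here come off the PF_KEY socket, so the safe reaction is to stop on failure: `if (pfkey_align(msg, mhp) < 0 || pfkey_check(mhp) < 0) break;` in postproc() and a `return` in shortdump(). The `ipproto[]` correction (58 `icmp6`, 59 `none`) reads right against the numbering of the surrounding rows.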
@@ -28,7 +28,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ -/* KAME Id: test-pfkey.c,v 1.1.4.3 1999/05/28 19:44:38 sakane Exp */ +/* KAME Id: test-pfkey.c,v 1.2 1999/10/26 08:09:17 itojun Exp */ #include #include @@ -477,7 +477,8 @@ key_setsadbaddr(ext, af, str) a->sa_family = af; _INPORTBYSA(a) = (ext == SADB_EXT_ADDRESS_PROXY ? 0 : htons(0x1234)); - inet_pton(af, str, _INADDRBYSA(a)); + if (inet_pton(af, str, _INADDRBYSA(a)) != 1) + ; /* XXX do something */ len = sizeof(struct sadb_address) + PFKEY_ALIGN8(a->sa_len); m_addr.sadb_address_len = PFKEY_UNIT64(len); diff --git a/usr.sbin/setkey/token.l b/usr.sbin/setkey/token.l index 0d1828519241..55d586a9d40d 100644 --- a/usr.sbin/setkey/token.l +++ b/usr.sbin/setkey/token.l @@ -1,4 +1,4 @@ -/* $NetBSD: token.l,v 1.3 1999/07/06 13:13:03 itojun Exp $ */ +/* $NetBSD: token.l,v 1.4 2000/01/31 14:22:45 itojun Exp $ */ /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. @@ -46,7 +46,7 @@ #include #include #include "vchar.h" -#include "parse.h" +#include "y.tab.h" #define DECHO \ if (f_debug) {printf("<%d>", yy_start); ECHO ; printf("\n"); } @@ -108,7 +108,7 @@ hexstring 0[xX]{hexdigit}+ octetstring {octet}({dot}{octet})+ ipaddress {ipv4addr}|{ipv6addr} ipv4addr {digit}{1,3}({dot}{digit}{1,3}){0,3} -ipv6addr {hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7} +ipv6addr ({hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7}|{hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,5}{colon}{ipv4addr}) ipaddrmask {slash}{digit}{1,3} ipaddrport {blcl}{decstring}{elcl} keyword {letter}{letter}+ 
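Review bot: The added `if (inet_pton(af, str, _INADDRBYSA(a)) != 1) ;` in key_setsadbaddr() still discards the failure — the empty statement leaves the address bytes unset and the entry is built as if the conversion had succeeded. For a test driver, failing loudly is enough: `errx(1, "inet_pton(%s) failed", str);` in place of the empty statement, assuming <err.h> is available here as it is in setkey.c (the function's signature and return type are outside the hunk). The `!= 1` test is the right one, since inet_pton returns 0 for unparsable text and -1 for an unsupported address family.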
@@ -119,19 +119,19 @@ hostname {name}(({dot}{name})+{dot}?)? %% -add { PREPROC; yylval.num = SADB_ADD; return(ADD); } -delete { PREPROC; yylval.num = SADB_DELETE; return(DELETE); } -get { PREPROC; yylval.num = SADB_GET; return(GET); } -flush { PREPROC; yylval.num = SADB_FLUSH; return(FLUSH); } -dump { PREPROC; yylval.num = SADB_DUMP; return(DUMP); } +add { PREPROC; return(ADD); } +delete { PREPROC; return(DELETE); } +get { PREPROC; return(GET); } +flush { PREPROC; return(FLUSH); } +dump { PREPROC; return(DUMP); } /* for management SPD */ -spdadd { PREPROC; yylval.num = SADB_X_SPDADD; return(SPDADD); } -spddelete { PREPROC; yylval.num = SADB_X_SPDDELETE; return(SPDDELETE); } -spddump { PREPROC; yylval.num = SADB_X_SPDDUMP; return(SPDDUMP); } -spdflush { PREPROC; yylval.num = SADB_X_SPDFLUSH; return(SPDFLUSH); } +spdadd { PREPROC; return(SPDADD); } +spddelete { PREPROC; return(SPDDELETE); } +spddump { PREPROC; return(SPDDUMP); } +spdflush { PREPROC; return(SPDFLUSH); } {hyphen}P { BEGIN S_PL; PREPROC; return(F_POLICY); } -[a-zA-Z0-9:\._/ \n\t][a-zA-Z0-9:\._/ \n\t]* { +[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.\-_/ \n\t]* { yymore(); /* count up for nl */ 
@@ -149,21 +149,6 @@ spdflush { PREPROC; yylval.num = SADB_X_SPDFLUSH; return(SPDFLUSH); } } {semi} { PREPROC; BEGIN INITIAL; return(EOT); } - /* flags */ -{hyphen}p { PREPROC; return(F_PROTOCOL); } -{hyphen}r { PREPROC; return(F_REPLAY); } -{hyphen}E { PREPROC; return(F_ENC); } -{hyphen}A { PREPROC; return(F_AUTH); } -{hyphen}C { PREPROC; return(F_COMP); } -{hyphen}R { PREPROC; return(F_RAWCPI); } - - /* upper layer protocols */ -any { PREPROC; yylval.num = IPPROTO_IP; return(UP_PROTO); } -icmp { PREPROC; yylval.num = IPPROTO_ICMP; return(UP_PROTO); } -icmp6 { PREPROC; yylval.num = IPPROTO_ICMPV6; return(UP_PROTO); } -tcp { PREPROC; yylval.num = IPPROTO_TCP; return(UP_PROTO); } -udp { PREPROC; yylval.num = IPPROTO_UDP; return(UP_PROTO); } - /* security protocols */ ah { PREPROC; yylval.num = 0; return(PR_AH); } esp { PREPROC; yylval.num = 0; return(PR_ESP); } @@ -172,6 +157,7 @@ esp-old { PREPROC; yylval.num = 1; return(PR_ESP); } ipcomp { PREPROC; yylval.num = 0; return(PR_IPCOMP); } /* authentication alogorithm */ +{hyphen}A { PREPROC; return(F_AUTH); } hmac-md5 { PREPROC; yylval.num = SADB_AALG_MD5HMAC; return(ALG_AUTH); } hmac-sha1 { PREPROC; yylval.num = SADB_AALG_SHA1HMAC; return(ALG_AUTH); } keyed-md5 { PREPROC; yylval.num = SADB_AALG_MD5; return(ALG_AUTH); } 
@@ -179,31 +165,48 @@ keyed-sha1 { PREPROC; yylval.num = SADB_AALG_SHA; return(ALG_AUTH); } null { PREPROC; yylval.num = SADB_AALG_NULL; return(ALG_AUTH); } /* encryption alogorithm */ +{hyphen}E { PREPROC; return(F_ENC); } des-cbc { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC); } 3des-cbc { PREPROC; yylval.num = SADB_EALG_3DESCBC; return(ALG_ENC); } simple { PREPROC; yylval.num = SADB_EALG_NULL; return(ALG_ENC); } blowfish-cbc { PREPROC; yylval.num = SADB_EALG_BLOWFISHCBC; return(ALG_ENC); } cast128-cbc { PREPROC; yylval.num = SADB_EALG_CAST128CBC; return(ALG_ENC); } - /* rc5-cbc { PREPROC; yylval.num = SADB_EALG_RC5CBC; return(ALG_ENC); } */ + /* +rc5-cbc { PREPROC; yylval.num = SADB_EALG_RC5CBC; return(ALG_ENC); } + */ des-deriv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DESDERIV); } des-32iv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DES32IV); } /* compression algorithms */ +{hyphen}C { PREPROC; return(F_COMP); } oui { PREPROC; yylval.num = SADB_X_CALG_OUI; return(ALG_COMP); } deflate { PREPROC; yylval.num = SADB_X_CALG_DEFLATE; return(ALG_COMP); } lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); } +{hyphen}R { PREPROC; return(F_RAWCPI); } /* extension */ +{hyphen}m { PREPROC; return(F_MODE); } +transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); } +tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); } +{hyphen}u { PREPROC; return(F_REQID); } +{hyphen}f { PREPROC; return(F_EXT); } random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); } seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); } zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); } -cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); } - - /* SA dependent */ +nocyclic-seq { PREPROC; return(NOCYCLICSEQ); } +{hyphen}r { PREPROC; return(F_REPLAY); } {hyphen}lh { PREPROC; return(F_LIFETIME_HARD); } {hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); } + + 
/* upper layer protocols */ +icmp { PREPROC; yylval.num = IPPROTO_ICMP; return(UP_PROTO); } +icmp6 { PREPROC; yylval.num = IPPROTO_ICMPV6; return(UP_PROTO); } +tcp { PREPROC; yylval.num = IPPROTO_TCP; return(UP_PROTO); } +udp { PREPROC; yylval.num = IPPROTO_UDP; return(UP_PROTO); } + /* ... */ +any { PREPROC; return(ANY); } {ws} { PREPROC; } {nl} { lineno++; } {comment} @@ -214,7 +217,7 @@ cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); } char *bp; PREPROC; - yylval.num = strtol(yytext, &bp, 10); + yylval.num = strtoul(yytext, &bp, 10); return(DECSTRING); } @@ -227,7 +230,7 @@ cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); } PREPROC; yylval.val.len = sizeof(struct sockaddr_in); - yylval.val.buf = yytext; + yylval.val.buf = strdup(yytext); return(IP4_ADDRESS); } @@ -237,7 +240,7 @@ cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); } PREPROC; yylval.val.len = sizeof(struct sockaddr_in6); - yylval.val.buf = yytext; + yylval.val.buf = strdup(yytext); return(IP6_ADDRESS); #else @@ -262,19 +265,21 @@ cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); } return(PORT); } +{blcl}any{elcl} { + PREPROC; + return(PORTANY); + } + {hexstring} { int len = yyleng - 2; /* (str - "0x") */ - - PREPROC; - + PREPROC; yylval.val.len = (len & 1) + (len / 2); - /* fixed string if length is odd. */ if (len & 1) { yytext[1] = '0'; - yylval.val.buf = yytext + 1; + yylval.val.buf = strdup(yytext + 1); } else - yylval.val.buf = yytext + 2; + yylval.val.buf = strdup(yytext + 2); return(HEXSTRING); } 
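Review bot: The `rc5-cbc` rule at the start of this hunk is now wrapped in a comment, yet the sample.cf updated in this same commit adds `add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;` and a second rc5-cbc line for SPI 10014, and the setkey.8 tables still list rc5-cbc; those sample lines will be rejected as a syntax error by this scanner. Either re-enable the rule or drop the rc5 entries from sample.cf and the manpage, and a one-line comment above the disabled rule stating why it is off would stop the next reader from re-adding it. The new `nocyclic-seq` token replaces `cyclic-seq` with inverted meaning; since the manpage in this commit documents `-f nocyclic-seq`, that is consistent, but it deserves a comment here because old scripts using `cyclic-seq` now fail silently at the lexer.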
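Review bot: `strdup(yytext)` in the IP4_ADDRESS rule (and likewise in the IP6_ADDRESS, HEXSTRING and QUOTEDSTRING rules that follow) replaces a pointer into flex's buffer with a heap copy, but the result is never checked, so an allocation failure hands the parser a NULL `val.buf`. A check such as `if ((yylval.val.buf = strdup(yytext)) == NULL) yyerror("strdup");` in each rule would make the failure explicit rather than a later null dereference. Ownership also moves to the parser with this change: the grammar actions in parse.y, outside this view, now have to free each `val.buf` or every address and key string leaks, and key material in those copies should be cleared before release; a comment at the top of these rules recording who frees would help.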
@@ -285,16 +290,10 @@ cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); } while (*++p != '"') ; *p = NULL; yytext++; - yylval.val.len = yyleng-2; - yylval.val.buf = yytext; - return(QUOTEDSTRING); - } + yylval.val.len = yyleng - 2; + yylval.val.buf = strdup(yytext); -{hostname} { - PREPROC; - yylval.val.len = yyleng; - yylval.val.buf = yytext; - return(HOSTNAME); + return(QUOTEDSTRING); } . { yyerror("Syntax error"); }
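Review bot: `*p = NULL;` in the quoted-string rule, a context line this hunk now relies on to terminate the text handed to `strdup(yytext)`, stores a null-pointer constant into a `char`; it should be `*p = '\0';`, which is what the copy depends on. The `while (*++p != '"') ;` scan is unbounded, so it assumes the rule's pattern (outside the hunk) guarantees a closing quote within `yytext`; a short comment stating that dependency would make it visible to the next reader.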