catch up with latest libipsec/kernel.

itojun 2000-01-31 14:22:41 +00:00
parent 2a5b88bffb
commit 6b2922d06b
8 changed files with 860 additions and 805 deletions


@ -1,39 +1,31 @@
# $NetBSD: Makefile,v 1.2 1999/07/10 11:31:28 tron Exp $
# $NetBSD: Makefile,v 1.3 2000/01/31 14:22:41 itojun Exp $
PROG= setkey
SRCS= setkey.c parse.y token.l
CFLAGS+=-g
LDADD+= -ll -ly
CLEANFILES+= parse.c parse.h key_test.o keytest
YFLAGS+=
DPADD+= ${LIBL} ${LIBY}
CLEANFILES+= y.tab.c y.tab.h key_test.o keytest
YFLAGS+=-d
CPPFLAGS+=-DIPSEC_DEBUG -DYY_NO_UNPUT -DINET6
CPPFLAGS+=-I.
SCRIPTS= scriptdump
#SCRIPTS= scriptdump
BINOWN=root
BINGRP=bin
BINMODE=555
BINOWN = root
BINGRP = bin
BINMODE = 555
all: ${PROG} ${SCRIPTS}
# FreeBSD
#SRCS+=y.tab.h
#y.tab.h: parse.y
all: ${PROG} scriptdump
CPPFLAGS+=-DIPSEC_DEBUG -DINET6 -DYY_NO_UNPUT
CPPFLAGS+=-I. -I${.CURDIR}
LDADD+= -lipsec
DPADD+= ${LIBIPSEC}
#CLEANFILES+= scriptdump
CLEANFILES+= scriptdump
MAN= setkey.8
LOCALPREFIX= /usr/pkg
#scriptdump: scriptdump.pl
# sed -e 's#@LOCALPREFIX@#${LOCALPREFIX}#' < ${.CURDIR}/scriptdump.pl > scriptdump
parse.c parse.h: parse.y
${YACC.y} -d ${.ALLSRC}
mv -f y.tab.c parse.c
mv -f y.tab.h parse.h
scriptdump: scriptdump.pl
sed -e 's#@LOCALPREFIX@#${LOCALPREFIX}#' < $> > scriptdump
.include <bsd.prog.mk>


@ -1,4 +1,4 @@
/* $NetBSD: parse.y,v 1.2 1999/07/06 13:13:03 itojun Exp $ */
/* $NetBSD: parse.y,v 1.3 2000/01/31 14:22:42 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -28,7 +28,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* KAME Id: parse.y,v 1.1.2.18.2.7.4.12 1999/07/01 20:19:03 sakane Exp */
/* KAME Id: parse.y,v 1.14 1999/12/30 15:13:27 sakane Exp */
%{
#include <sys/types.h>
@ -55,9 +55,10 @@
u_int p_type;
u_int32_t p_spi;
struct sockaddr *p_src, *p_dst, *p_proxy;
u_int p_ports, p_portd, p_prefs, p_prefd, p_upper;
u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay;
struct sockaddr *p_src, *p_dst;
u_int p_prefs, p_prefd, p_upper;
u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
u_int32_t p_reqid;
u_int p_key_enc_len, p_key_auth_len;
caddr_t p_key_enc, p_key_auth;
time_t p_lt_hard, p_lt_soft;
@ -67,8 +68,8 @@ char *p_policy;
/* temporary buffer */
static struct sockaddr *pp_addr;
static u_int pp_prefix = ~0;
static u_int pp_port = 0;
static u_int pp_prefix;
static u_int pp_port;
static caddr_t pp_key;
extern u_char m_buf[BUFSIZ];
@ -95,19 +96,29 @@ extern void yyerror __P((char *));
%token EOT
%token ADD GET DELETE FLUSH DUMP
%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT HOSTNAME
%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT PORTANY
%token UP_PROTO PR_ESP PR_AH PR_IPCOMP
%token DECSTRING QUOTEDSTRING HEXSTRING
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
%token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP EXTENSION
%token F_MODE MODE F_REQID
%token F_EXT EXTENSION NOCYCLICSEQ
%token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
%token F_LIFETIME_HARD F_LIFETIME_SOFT
%token DECSTRING QUOTEDSTRING HEXSTRING ANY
/* SPD management */
%token SPDADD SPDDELETE SPDDUMP SPDFLUSH
%token F_POLICY PL_REQUESTS
%type <num> PORT PREFIX EXTENSION MODE
%type <num> UP_PROTO PR_ESP PR_AH PR_IPCOMP
%type <num> ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
%type <num> DECSTRING
%type <val> IP4_ADDRESS IP6_ADDRESS PL_REQUESTS
%type <val> key_string policy_requests
%type <val> QUOTEDSTRING HEXSTRING
%%
commands:
/* empty */
commands
: /*NOTHING*/
| commands command
{
if (f_debug) {
@ -121,8 +132,8 @@ commands:
}
;
command:
add_command
command
: add_command
| get_command
| delete_command
| flush_command
@ -135,120 +146,79 @@ command:
/* commands concerned with management, there is in tail of this file. */
/* add command */
add_command:
ADD
{
p_type = yylval.num;
}
selector_spec protocol_spec lifetime_hard lifetime_soft EOT
add_command
: ADD { p_type = SADB_ADD; }
sa_selector_spec extension_spec algorithm_spec EOT
;
/* delete */
delete_command:
DELETE
{
p_type = yylval.num;
}
selector_spec protocol_spec0 EOT
delete_command
: DELETE { p_type = SADB_DELETE; }
sa_selector_spec extension_spec EOT
;
/* get command */
get_command:
GET
{
p_type = yylval.num;
}
selector_spec protocol_spec0 EOT
get_command
: GET { p_type = SADB_GET; }
sa_selector_spec extension_spec EOT
;
/* flush */
flush_command:
FLUSH
{
p_type = yylval.num;
}
protocol_spec0 EOT
flush_command
: FLUSH { p_type = SADB_FLUSH; }
protocol_spec EOT
;
/* dump */
dump_command:
DUMP
{
p_type = yylval.num;
}
protocol_spec0 EOT
dump_command
: DUMP { p_type = SADB_DUMP; }
protocol_spec EOT
;
/* selector_spec */
selector_spec:
src_spec dst_spec upper_spec spi proxy_spec
/* sa_selector_spec */
sa_selector_spec
: ipaddress { p_src = pp_addr; }
ipaddress { p_dst = pp_addr; }
protocol_spec spi
;
src_spec:
ip_address
protocol_spec
: /*NOTHING*/ { p_satype = SADB_SATYPE_UNSPEC; }
| PR_ESP
{
p_src = pp_addr;
p_satype = SADB_SATYPE_ESP;
if ($1 == 1)
p_ext |= SADB_X_EXT_OLD;
else
p_ext &= ~SADB_X_EXT_OLD;
}
prefix
| PR_AH
{
p_prefs = pp_prefix;
/* initialize */
pp_prefix = ~0;
p_satype = SADB_SATYPE_AH;
if ($1 == 1)
p_ext |= SADB_X_EXT_OLD;
else
p_ext &= ~SADB_X_EXT_OLD;
}
port
| PR_IPCOMP
{
_INPORTBYSA(p_src) = pp_port;
p_ports = pp_port;
/* initialize */
pp_port = 0;
p_satype = SADB_X_SATYPE_IPCOMP;
}
;
dst_spec:
ip_address
{
p_dst = pp_addr;
}
prefix
{
p_prefd = pp_prefix;
/* initialize */
pp_prefix = ~0;
}
port
{
_INPORTBYSA(p_dst) = pp_port;
p_portd = pp_port;
/* initialize */
pp_port = 0;
}
;
upper_spec:
DECSTRING { p_upper = $1.num; }
| UP_PROTO { p_upper = $1.num; }
| PR_ESP { p_upper = IPPROTO_ESP; };
| PR_AH { p_upper = IPPROTO_AH; };
| PR_IPCOMP { p_upper = IPPROTO_IPCOMP; };
;
spi:
DECSTRING
{
p_spi = yylval.num;
}
spi
: DECSTRING { p_spi = $1; }
| HEXSTRING
{
caddr_t bp;
caddr_t yp = yylval.val.buf;
caddr_t yp = $1.buf;
char buf0[4], buf[4];
int i, j;
/* sanity check */
if (yylval.val.len > 4) {
if ($1.len > 4) {
yyerror("SPI too big.");
free($1.buf);
return -1;
}
@ -261,114 +231,42 @@ spi:
/* initialize */
for (i = 0; i < 4; i++) buf[i] = 0;
for (j = yylval.val.len - 1, i = 3; j >= 0; j--, i--)
for (j = $1.len - 1, i = 3; j >= 0; j--, i--)
buf[i] = buf0[j];
/* XXX: endian */
p_spi = ntohl(*(u_int32_t *)buf);
free($1.buf);
}
;
proxy_spec:
/* empty */
| ip_address
{
p_proxy = pp_addr;
}
algorithm_spec
: esp_spec
| ah_spec
| ipcomp_spec
;
protocol_spec0:
/* empty */
| F_PROTOCOL PR_ESP
{
p_satype = SADB_SATYPE_ESP;
}
| F_PROTOCOL PR_AH
{
p_satype = SADB_SATYPE_AH;
}
| F_PROTOCOL PR_IPCOMP
{
p_satype = SADB_X_SATYPE_IPCOMP;
}
esp_spec
: F_ENC enc_alg enc_key F_AUTH auth_alg auth_key
| F_ENC enc_alg enc_key
;
protocol_spec:
F_PROTOCOL PR_ESP
{
p_satype = SADB_SATYPE_ESP;
if (yylval.num == 1)
p_ext |= SADB_X_EXT_OLD;
else
p_ext &= ~SADB_X_EXT_OLD;
}
extensions esp_specification
| F_PROTOCOL PR_AH
{
p_satype = SADB_SATYPE_AH;
if (yylval.num == 1)
p_ext |= SADB_X_EXT_OLD;
else
p_ext &= ~SADB_X_EXT_OLD;
}
ah_specification
| F_PROTOCOL PR_IPCOMP
{
p_satype = SADB_X_SATYPE_IPCOMP;
}
ipcomp_specification
;
extensions:
/* empty */
| extensions extension
ah_spec
: F_AUTH auth_alg auth_key
;
extension:
EXTENSION
{
p_ext |= yylval.num;
}
ipcomp_spec
: F_COMP ALG_COMP { p_alg_enc = $2; }
| F_COMP ALG_COMP { p_alg_enc = $2; }
F_RAWCPI { p_ext |= SADB_X_EXT_RAWCPI; }
;
esp_specification:
/* empty */
| esp_specification esp_spec
;
esp_spec:
F_ENC alg_enc
enc_keys
| F_AUTH ALG_AUTH
{
if (p_ext & SADB_X_EXT_OLD) {
yyerror("algorithm mismatched.");
return -1;
}
p_alg_auth = yylval.num;
}
auth_key
| F_REPLAY DECSTRING
{
if (p_ext & SADB_X_EXT_OLD) {
yyerror("algorithm mismatched.");
return -1;
}
p_replay = yylval.num;
}
;
/* XXX: I wanna delete it. */
alg_enc:
ALG_ENC
{
p_alg_enc = yylval.num;
}
enc_alg
: ALG_ENC { p_alg_enc = $1; }
| ALG_ENC_DESDERIV
{
p_alg_enc = yylval.num;
p_alg_enc = $1;
if (p_ext & SADB_X_EXT_OLD) {
yyerror("algorithm mismatched.");
return -1;
@ -377,7 +275,7 @@ alg_enc:
}
| ALG_ENC_DES32IV
{
p_alg_enc = yylval.num;
p_alg_enc = $1;
if (!(p_ext & SADB_X_EXT_OLD)) {
yyerror("algorithm mismatched.");
return -1;
@ -386,52 +284,17 @@ alg_enc:
}
;
ah_specification:
/* empty */
| ah_specification ah_spec
;
ah_spec:
F_AUTH ALG_AUTH
enc_key
: /*NOTHING*/
{
p_alg_auth = yylval.num;
} auth_key
| F_REPLAY DECSTRING
{
if (p_ext & SADB_X_EXT_OLD) {
yyerror("algorithm mismatched.");
if (p_alg_enc != SADB_EALG_NULL) {
yyerror("no key found.");
return -1;
}
p_replay = yylval.num;
}
;
ipcomp_specification
: /* empty */
| ipcomp_specification ipcomp_spec
;
ipcomp_spec
: F_COMP ALG_COMP
| key_string
{
p_alg_enc = yylval.num;
}
| F_RAWCPI
{
p_ext |= SADB_X_EXT_RAWCPI;
}
;
enc_keys:
/* empty */
| enc_keys enc_key
;
enc_key:
key_string
{
p_key_enc_len = yylval.val.len;
p_key_enc_len = $1.len;
p_key_enc = pp_key;
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
@ -443,11 +306,21 @@ enc_key:
}
;
auth_key:
/* empty */
auth_alg
: ALG_AUTH { p_alg_auth = $1; }
;
auth_key
: /*NOTHING*/
{
if (p_alg_auth != SADB_AALG_NULL) {
yyerror("no key found.");
return -1;
}
}
| key_string
{
p_key_auth_len = yylval.val.len;
p_key_auth_len = $1.len;
p_key_auth = pp_key;
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
@ -459,156 +332,82 @@ auth_key:
}
;
key_string:
QUOTEDSTRING
key_string
: QUOTEDSTRING
{
if ((pp_key = malloc(yylval.val.len)) == 0)
return -1;
memcpy(pp_key, yylval.val.buf, yylval.val.len);
pp_key = $1.buf;
/* free pp_key later */
}
| HEXSTRING
{
caddr_t bp;
caddr_t yp = yylval.val.buf;
caddr_t yp = $1.buf;
if ((pp_key = malloc(yylval.val.len)) == 0)
if ((pp_key = malloc($1.len)) == 0) {
free($1.buf);
yyerror(strerror(errno));
return -1;
memset(pp_key, 0, yylval.val.len);
}
memset(pp_key, 0, $1.len);
bp = pp_key;
while (*yp) {
*bp = (ATOX(yp[0]) << 4) | ATOX(yp[1]);
yp += 2, bp++;
}
free($1.buf);
}
;
/* lifetime */
lifetime_hard:
/* empty */
| F_LIFETIME_HARD DECSTRING
{
p_lt_hard = yylval.num;
}
extension_spec
: /*NOTHING*/
| extension_spec extension
;
lifetime_soft:
/* empty */
| F_LIFETIME_SOFT DECSTRING
extension
: F_EXT EXTENSION { p_ext |= $2; }
| F_EXT NOCYCLICSEQ { p_ext ^= SADB_X_EXT_CYCSEQ; }
| F_MODE MODE { p_mode = $2; }
| F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
| F_REQID DECSTRING { p_reqid = $2; }
| F_REPLAY DECSTRING
{
p_lt_soft = yylval.num;
}
;
ip_address:
IP4_ADDRESS
{
struct sockaddr_in *in;
u_int sa_len = yylval.val.len;
if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0)
if (p_ext & SADB_X_EXT_OLD) {
yyerror("replay prevention "
"only use on new spec.");
return -1;
memset((caddr_t)in, 0, sa_len);
in->sin_family = PF_INET;
in->sin_len = sa_len;
(void)inet_pton(PF_INET, yylval.val.buf, &in->sin_addr);
pp_addr = (struct sockaddr *)in;
}
| IP6_ADDRESS
{
#ifdef INET6
struct sockaddr_in6 *in6;
u_int sa_len = yylval.val.len;
if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0)
return -1;
memset((caddr_t)in6, 0, sa_len);
in6->sin6_family = PF_INET6;
in6->sin6_len = sa_len;
(void)inet_pton(PF_INET6, yylval.val.buf,
&in6->sin6_addr);
pp_addr = (struct sockaddr *)in6;
#else
yyerror("IPv6 address not supported");
#endif
}
;
prefix:
/* empty */
| PREFIX
{
pp_prefix = yylval.num;
}
;
port:
/* empty */
| PORT
{
pp_port = htons(yylval.num);
}
p_replay = $2;
}
| F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
| F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
;
/* definition about command for SPD management */
/* spdadd */
spdadd_command:
SPDADD
spdadd_command
: SPDADD
{
p_type = yylval.num;
p_type = SADB_X_SPDADD;
p_satype = SADB_SATYPE_UNSPEC;
}
src_spec dst_spec upper_spec policy_spec EOT
;
policy_spec:
F_POLICY policy_requests
{
int len;
if ((len = ipsec_get_policylen($2.val.buf)) < 0) {
yyerror(ipsec_strerror());
return -1;
}
if ((p_policy = malloc(len)) == NULL) {
yyerror("malloc");
return -1;
}
if ((len = ipsec_set_policy(p_policy, len, $2.val.buf)) < 0) {
yyerror(ipsec_strerror());
free(p_policy);
p_policy = NULL;
return -1;
}
p_policy_len += len;
}
;
policy_requests:
/* empty */
| PL_REQUESTS { $$ = $1; }
sp_selector_spec policy_spec EOT
;
spddelete_command:
SPDDELETE
{
p_type = yylval.num;
p_type = SADB_X_SPDDELETE;
p_satype = SADB_SATYPE_UNSPEC;
}
src_spec dst_spec upper_spec EOT
sp_selector_spec EOT
;
spddump_command:
SPDDUMP
{
p_type = yylval.num;
p_type = SADB_X_SPDDUMP;
p_satype = SADB_SATYPE_UNSPEC;
}
EOT
@ -617,12 +416,126 @@ spddump_command:
spdflush_command:
SPDFLUSH
{
p_type = yylval.num;
p_type = SADB_X_SPDFLUSH;
p_satype = SADB_SATYPE_UNSPEC;
}
EOT
;
/* sp_selector_spec */
sp_selector_spec
: ipaddress { p_src = pp_addr; }
prefix { p_prefs = pp_prefix; }
port { _INPORTBYSA(p_src) = htons(pp_port); }
ipaddress { p_dst = pp_addr; }
prefix { p_prefd = pp_prefix; }
port { _INPORTBYSA(p_dst) = htons(pp_port); }
upper_spec
{
switch (p_upper) {
case IPPROTO_ICMP:
case IPPROTO_ICMPV6:
if (_INPORTBYSA(p_src) != IPSEC_PORT_ANY
|| _INPORTBYSA(p_dst) != IPSEC_PORT_ANY) {
yyerror("port number must be \"any\".");
return -1;
}
break;
default:
break;
}
}
;
ipaddress
: IP4_ADDRESS
{
struct sockaddr_in *in;
u_int sa_len = $1.len;
if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0) {
yyerror(strerror(errno));
free($1.buf);
return -1;
}
memset((caddr_t)in, 0, sa_len);
in->sin_family = PF_INET;
in->sin_len = sa_len;
in->sin_port = IPSEC_PORT_ANY;
(void)inet_pton(PF_INET, $1.buf, &in->sin_addr);
pp_addr = (struct sockaddr *)in;
free($1.buf);
}
| IP6_ADDRESS
{
#ifdef INET6
struct sockaddr_in6 *in6;
u_int sa_len = $1.len;
if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0) {
free($1.buf);
yyerror(strerror(errno));
return -1;
}
memset((caddr_t)in6, 0, sa_len);
in6->sin6_family = PF_INET6;
in6->sin6_len = sa_len;
in6->sin6_port = IPSEC_PORT_ANY;
(void)inet_pton(PF_INET6, $1.buf,
&in6->sin6_addr);
pp_addr = (struct sockaddr *)in6;
#else
yyerror("IPv6 address not supported");
#endif
free($1.buf);
}
;
prefix
: /*NOTHING*/ { pp_prefix = ~0; }
| PREFIX { pp_prefix = $1; }
;
port
: /*NOTHING*/ { pp_port = IPSEC_PORT_ANY; }
| PORT { pp_port = $1; }
| PORTANY { pp_port = IPSEC_PORT_ANY; }
;
upper_spec
: DECSTRING { p_upper = $1; }
| UP_PROTO { p_upper = $1; }
| PR_ESP { p_upper = IPPROTO_ESP; };
| PR_AH { p_upper = IPPROTO_AH; };
| PR_IPCOMP { p_upper = IPPROTO_IPCOMP; };
| ANY { p_upper = IPSEC_ULPROTO_ANY; }
;
policy_spec
: F_POLICY policy_requests
{
p_policy = ipsec_set_policy($2.buf, $2.len);
if (p_policy == NULL) {
free($2.buf);
p_policy = NULL;
yyerror(ipsec_strerror());
return -1;
}
p_policy_len = ipsec_get_policylen(p_policy);
free($2.buf);
}
;
policy_requests
: PL_REQUESTS { $$ = $1; }
;
%%
int
@ -634,9 +547,12 @@ setkeymsg()
m_msg.sadb_msg_type = p_type;
m_msg.sadb_msg_errno = 0;
m_msg.sadb_msg_satype = p_satype;
m_msg.sadb_msg_reserved = 0;
m_msg.sadb_msg_mode = p_mode;
m_msg.sadb_msg_reserved1 = 0;
m_msg.sadb_msg_seq = 0;
m_msg.sadb_msg_pid = getpid();
m_msg.sadb_msg_reqid = p_reqid;
m_msg.sadb_msg_reserved2 = 0;
m_len = sizeof(struct sadb_msg);
memcpy(m_buf, &m_msg, m_len);
@ -732,31 +648,14 @@ setkeymsg()
memcpy(m_buf + m_len, &m_sa, len);
m_len += len;
/* set proxy, if present. */
if (p_proxy != 0) {
m_addr.sadb_address_len =
PFKEY_UNIT64(sizeof(m_addr)
+ PFKEY_ALIGN8(p_proxy->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_PROXY;
m_addr.sadb_address_proto = 0;
m_addr.sadb_address_prefixlen =
(p_proxy->sa_family == PF_INET ? 32 : 128);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
(struct sadb_ext *)&m_addr, sizeof(m_addr),
(caddr_t)p_proxy, p_proxy->sa_len);
}
/* set src */
m_addr.sadb_address_len =
PFKEY_UNIT64(sizeof(m_addr)
+ PFKEY_ALIGN8(p_src->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
m_addr.sadb_address_proto = p_upper;
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
m_addr.sadb_address_prefixlen =
(p_prefs != ~0 ?
p_prefs : (p_src->sa_family == PF_INET ? 32 : 128));
_INALENBYAF(p_src->sa_family) << 3;
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@ -768,10 +667,9 @@ setkeymsg()
PFKEY_UNIT64(sizeof(m_addr)
+ PFKEY_ALIGN8(p_dst->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
m_addr.sadb_address_proto = p_upper;
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
m_addr.sadb_address_prefixlen =
(p_prefd != ~0 ?
p_prefd : (p_dst->sa_family == PF_INET ? 32 : 128));
_INALENBYAF(p_dst->sa_family) << 3;
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@ -787,9 +685,6 @@ setkeymsg()
case SADB_X_SPDADD:
{
((struct sadb_x_policy *)p_policy)->sadb_x_policy_len =
PFKEY_UNIT64(p_policy_len);
memcpy(m_buf + m_len, p_policy, p_policy_len);
m_len += p_policy_len;
free(p_policy);
@ -808,8 +703,8 @@ setkeymsg()
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
m_addr.sadb_address_proto = p_upper;
m_addr.sadb_address_prefixlen =
(p_prefs != ~0 ?
p_prefs : (p_src->sa_family == PF_INET ? 32 : 128));
(p_prefs != ~0 ? p_prefs :
_INALENBYAF(p_src->sa_family) << 3);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@ -823,8 +718,8 @@ setkeymsg()
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
m_addr.sadb_address_proto = p_upper;
m_addr.sadb_address_prefixlen =
(p_prefd != ~0 ?
p_prefd : (p_dst->sa_family == PF_INET ? 32 : 128));
(p_prefd != ~0 ? p_prefd :
_INALENBYAF(p_dst->sa_family) << 3);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@ -859,16 +754,18 @@ parse_init()
p_type = 0;
p_spi = 0;
p_src = 0, p_dst = 0, p_proxy = 0;
p_ports = p_portd = 0;
p_prefs = p_prefd = 0;
p_src = 0, p_dst = 0;
pp_prefix = p_prefs = p_prefd = ~0;
pp_port = IPSEC_PORT_ANY;
p_upper = 0;
p_satype = 0;
p_ext = SADB_X_EXT_NONE;
p_ext = SADB_X_EXT_CYCSEQ;
p_alg_enc = SADB_EALG_NONE;
p_alg_auth = SADB_AALG_NONE;
p_replay = 0;
p_mode = IPSEC_MODE_ANY;
p_reqid = 0;
p_replay = 4;
p_key_enc_len = p_key_auth_len = 0;
p_key_enc = p_key_auth = 0;
p_lt_hard = p_lt_soft = 0;
@ -886,7 +783,6 @@ free_buffer()
{
if (p_src) free(p_src);
if (p_dst) free(p_dst);
if (p_proxy) free(p_proxy);
if (p_key_enc) free(p_key_enc);
if (p_key_auth) free(p_key_auth);
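Review bot: In the IP6_ADDRESS action of `ipaddress`, the `#else` branch calls yyerror() but never returns, so the action falls through to `free($1.buf)` and the rule succeeds with `pp_addr` still holding whatever the previous address action left there; in `sa_selector_spec` / `sp_selector_spec` that makes `p_dst` alias the `p_src` buffer, which free_buffer() then frees twice. A `return -1;` after that yyerror() closes it (this Makefile defines INET6, so the branch is dead for this build but not for other consumers of the file). In `extension`, `p_ext ^= SADB_X_EXT_CYCSEQ;` toggles rather than clears, so giving `-f nocyclic-seq` twice re-enables cyclic sequence numbers; the intended operation is `p_ext &= ~SADB_X_EXT_CYCSEQ;`. parse_init() now defaults `p_replay = 4;` while the setkey.8 text in this same commit says replay checking does not take place when `-r` is omitted, so either the default or the manual should change.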


@ -1,3 +1,5 @@
# $NetBSD: sample.cf,v 1.2 2000/01/31 14:22:42 itojun Exp $
#
# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
# All rights reserved.
#
@ -25,79 +27,193 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# There are sample scripts to configure IPsec.
# Both src and dst are 127.0.0.1 and spi=0x10001. Serurity protocol is ESP
# with blowfish-cbc whose key is "kamekame" as encryption algorithm, and
# with hmac-sha1 whose key is "this is the test key" as authentication
# algorithm.
add 127.0.0.1 127.0.0.1 any 0x10001
-p esp -E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
# Security protocol is old AH, i.e. RFC1826, with keyed-md5 whose key
# is "test" as authentication algorithm.
add 127.0.0.2 127.0.0.1 any 0x10002
-p ah-old -A keyed-md5 "this is the test" ;
# This is how to specify the upper layer protocol.
# This may not work as this has not been tested.
add 127.0.0.1/24 10.0.2.0/24 udp 0x10003
-p ah -A hmac-md5 "this is the test" ;
# On "get" command you can specify target entries.
# This command needs src/dst, (upper layer protocol, src/dst port if any),
# spi and security protocol.
# For "delete" command one must specify the target in the same way.
get 10.0.1.0/24 10.0.2.0/24 any 0x10001 -p esp ;
delete 10.0.1.0/24 10.0.2.0/24 any 0x10001 -p esp ;
# "flush" and "dump" commands can specify a security protocol.
dump -p esp ;
flush -p esp ;
# By default, those commands will handle all entries.
dump ;
flush ;
# This is planned to display the script for configuration.
#dumpscript ;
# NEVER to define with proxy address, i.g. 202.249.11.41,
# that will cause kernel to hang up, may be..
# Those are near future available.
#add 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41
# -p esp -E des-cbc "hogehoge" -A hmac-md5 "hogehogehogehoge" ;
#add ::1 ::1 udp 0x20010 203.178.141.215
# -p esp-old -E des-cbc "hahahaha" ;
#add 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41 -p esp;
# There are sample scripts for IPsec configuration by manual keying.
# A security association is uniquely identified by a triple consisting
# of a Security Parameter Index (SPI), an IP Destination Address, and a
# security protocol (AH or ESP) identifier. You must take care of these
# parameters when you configure by manual keying.
# ESP transport mode is recommended for TCP port number 110 between
# Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key
# is "kamekame", and authentication algorithm is hmac-sha1 whose key
# is "this is the test key".
#
# There are some command for SPD management as follows:
# ============ ESP ============
# | |
# Host-A Host-B
# fec0::10 -------------------- fec0::11
#
# At Host-A and Host-B,
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
esp/transport/fec0::10-fec0::11/use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
esp/transport/fec0::11-fec0::10/use ;
add fec0::10 fec0::11 esp 0x10001
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
# "spdadd" is to add a new SPD entry following by a policy indicator
# with `-P'. The policy indicator is the one of follows:
# "discard" for discarding packet, "none" for nothing to do, and "ipsec"
# for doing IPsec. "ipsec" is followed by the requests for IPsec protocol.
# These requests is consisted, "protocol/level[/end-point]".
# There are three directive for level as following: "default", "use" and
# "require".
spdadd 10.0.0.0/24 127.0.0.1 any -P discard ;
spdadd 192.168.1.1 192.168.1.2 any -P bypass ;
# "[any]" is wildcard of port number. Note that "[0]" is the number of
# zero in port number.
# To do IP|AH loosely, i.e. it doesn't do IPsec when there is no AH-SA.
spdadd 172.16.10.1 172.16.11.1[21] tcp -P ipsec ah/use ;
# Security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5
# whose key is "this is the test" as authentication algorithm.
# That protocol takes place between Gateway-A and Gateway-B.
#
# ======= AH =======
# | |
# Network-A Gateway-A Gateway-B Network-B
# 10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
#
# At Gateway-A:
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
-m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
-m any
-A keyed-md5 "this is the test" ;
# To request IP1|ESP|IP2|AH|ESP,
spdadd 172.16.10.0/24 172.16.11.0/24 any -P ipsec
esp/require ah/require esp/require/203.178.141.194 ;
# If port number field is omitted such above then "[any]" is employed.
# -m specifies the mode of SA to be used. "-m any" means wildcard of
# mode of security protocol. You can use this SAs for both tunnel and
# transport mode.
# "spddelete" is to delete a SPD entry.
spddelete 172.16.10.0/24 172.16.11.0/24 any ;
# At Gateway-B. Attention to the selector and peer's IP address for tunnel.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003
-m tunnel
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004
-m tunnel
-A keyed-md5 "this is the test" ;
# To dump and to flush all SPD entry, "spddump" and "spdflush" are ready.
# AH transport mode followed by ESP tunnel mode is required between
# Gateway-A and Gateway-B.
# Encryption algorithm is 3des-cbc, and authentication algorithm for ESP
# is hmac-sha1. Authentication algorithm for AH is hmac-md5.
#
# ========== AH =========
# | ======= ESP ===== |
# | | | |
# Network-A Gateway-A Gateway-B Network-B
# fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
#
# At Gateway-A:
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
-m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
-m transport
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
-m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
-m transport
-A hmac-md5 "this is the test" ;
# ESP tunnel mode is required between Host-A and Gateway-A.
# Encryption algorithm is cast128-cbc, and authentication algorithm
# for ESP is hmac-sha1.
# ESP transport mode is recommended between Host-A and Host-B.
# Encryption algorithm is rc5-cbc, and authentication algorithm
# for ESP is hmac-md5.
#
# ================== ESP =================
# | ======= ESP ======= |
# | | | |
# Host-A Gateway-A Host-B
# fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
#
# At Host-A:
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
# By "get" command, you can get a entry of either SP or SA.
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
# Also delete command, you can delete a entry of either SP or SA.
spddelete out fec0:0:0:1::/64 fec0:0:0:2:/64 any ;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
# By dump command, you can dump all entry of either SP or SA.
dump ;
spddump ;
dump esp ;
flush esp ;
# By flush command, you can flush all entry of either SP or SA.
flush ;
spdflush ;
# "flush" and "dump" commands can specify a security protocol.
dump esp ;
flush ah ;
# XXX
add ::1 ::1 esp 10001 -m transport -E simple ;
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
add ::1 ::1 esp 10004 -m transport -E simple -A null ;
add ::1 ::1 esp 10005 -m transport -E simple -A hmac-md5 "1234123412341234" ;
add ::1 ::1 esp 10006 -m tunnel -E simple -A hmac-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10007 -m transport -E simple -A keyed-md5 "1234123412341234" ;
add ::1 ::1 esp 10008 -m any -E simple -A keyed-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f cyclic-seq -E simple ;
add ::1 ::1 esp 10018 -m transport -E simple ;
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
#add ::1 ::1 ipcomp 30000 -C oui ;
add ::1 ::1 ipcomp 30001 -C deflate ;
#add ::1 ::1 ipcomp 30002 -C lzs ;
# enjoy.
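Review bot: The sample line `spddelete out fec0:0:0:1::/64 fec0:0:0:2:/64 any ;` looks unparsable against the grammar in this commit: `spddelete_command` goes straight from SPDDELETE to `sp_selector_spec`, which begins with an `ipaddress`, so the leading `out` token has no production to match, and `fec0:0:0:2:/64` is missing a colon. The surrounding spdadd lines carry the direction inside the policy string (`-P out ipsec ...`), so the fix is probably `spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any ;`. Worth a quick `setkey -f` run over the sample before shipping it, since it is the file users will copy from.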


@ -1,6 +1,6 @@
#! @LOCALPREFIX@/bin/perl
#
# $NetBSD: scriptdump.pl,v 1.2 1999/07/06 13:13:03 itojun Exp $
# $NetBSD: scriptdump.pl,v 1.3 2000/01/31 14:22:43 itojun Exp $
#
if ($< != 0) {
@ -21,9 +21,9 @@ while ($i = shift @ARGV) {
open(IN, "setkey -D |") || die;
foreach $_ (<IN>) {
if (/^[^\t]/) {
($src, $dst, $upper, $proxy) = split(/\s+/, $_);
} elsif (/^\t(esp|ah) spi=(\d+).*replay=(\d+)/) {
($proto, $spi, $replay) = ($1, $2, $3);
($src, $dst) = split(/\s+/, $_);
} elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*reqid=(\d+)/) {
($proto, $ipsecmode, $spi, $reqid) = ($1, $2, $3, $4);
} elsif (/^\tE: (\S+) (.*)/) {
$ealgo = $1;
$ekey = $2;
@ -34,17 +34,19 @@ foreach $_ (<IN>) {
$akey = $2;
$akey =~ s/\s//g;
$akey =~ s/^/0x/g;
} elsif (/^\tstate=/) {
print "$mode $src $src $upper $spi $proxy -p $proto";
} elsif (/^\treplay=(\d+) flags=(0x\d+) state=/) {
print "$mode $src $dst $proto $spi -m $ipsecmode";
$replay = $1;
print " -u $reqid" if $reqid;
if ($mode eq 'add') {
print " -r $replay" if $replay;
if ($proto eq 'esp') {
print " -E $ealgo $ekey" if $ealgo;
print " -A $aalgo $akey" if $aalgo;
} elsif ($proto eq 'ah') {
print " -A $aalgo $akey" if $aalgo;
}
print " -r $replay" if $replay;
}
}
print ";\n";
$src = $dst = $upper = $proxy = '';
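Review bot: The per-record reset at the end of the loop still clears the removed `$upper`/`$proxy` but not the fields this change introduces, so an SA whose header line does not match `/^\t(esp|ah) mode=(\S+) spi=(\d+).*reqid=(\d+)/` (for example an ipcomp entry, or one without `reqid=`) is printed with `$proto`, `$ipsecmode`, `$spi` and `$reqid` carried over from the previous SA. Either reset them alongside `$src`/`$dst` — `$src = $dst = $proto = $ipsecmode = $spi = $reqid = $replay = '';` — or skip the `print` when `$proto` is empty. The `foreach` body this sits in starts and ends outside the hunk, and the new `-m $ipsecmode` output is only as trustworthy as that one regex, so the manual-page list of protocols (esp, esp-old, ah, ah-old, ipcomp) should be reflected in the alternation.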


@ -25,12 +25,12 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $NetBSD: setkey.8,v 1.5 1999/09/07 06:49:37 itojun Exp $
.\" KAME Id: setkey.8,v 1.1.1.1 1999/08/08 23:31:51 itojun Exp
.\" $NetBSD: setkey.8,v 1.6 2000/01/31 14:22:43 itojun Exp $
.\" KAME Id: setkey.8,v 1.18 2000/01/14 01:28:27 itojun Exp
.\"
.Dd May 17, 1998
.Dt SETKEY 8
.Os
.Os KAME
.\"
.Sh NAME
.Nm setkey
@ -118,57 +118,53 @@ Description of meta-arguments follows.
.Bl -tag -width Ds
.It Xo
.Li add
.Ar src Ar dst Ar upperspec Ar spi
.Op Ar proxyspec
.Ar protocol
.\" .Op Ar depend_on_sa
.Ar src Ar dst Ar protocol Ar spi
.Op Ar extensions
.Ar algorithm...
.Li ;
.Xc
Add a SAD entry.
.\"
.It Xo
.Li get
.Ar src Ar dst Ar upperspec Ar spi
.Op Ar proxyspec
.Op Ar protocol0
.Ar src Ar dst Ar protocol Ar spi
.Op Fl m Ar mode
.Li ;
.Xc
Show a SAD entry.
.\"
.It Xo
.Li delete
.Ar src Ar dst Ar upperspec Ar spi
.Op Ar proxyspec
.Op Ar protocol0
.Ar src Ar dst Ar protocol Ar spi
.Op Fl m Ar mode
.Li ;
.Xc
Remove a SAD entry.
.\"
.It Xo
.Li flush
.Op Ar protocol0
.Op Ar protocol
.Li ;
.Xc
Clear all SAD entries that matches the options.
.\"
.It Xo
.Li dump
.Op Ar protocol0
.Op Ar protocol
.Li ;
.Xc
Dumps all SAD entries that matches the options.
.\"
.It Xo
.Li spdadd
.Ar src Ar dst Ar upperspec
.Op Ar policy
.Ar src_range Ar dst_range Ar upperspec Ar policy
.Li ;
.Xc
Add a SPD entry.
.\"
.It Xo
.Li spddelete
.Ar src Ar dst Ar upperspec
.Ar src_range Ar dst_range Ar upperspec
.Li ;
.Xc
Delete a SPD entry.
@ -184,14 +180,158 @@ Clear all SPD entries.
.Li ;
.Xc
Dumps all SAD entries.
.\"
.El
.\"
.Pp
Meta-arguments are as follows:
.Bl -tag -width Ds
.Bl -tag -compact -width Ds
.It Ar src
.It Ar dst
Source/destination of the secure communication is specified as
IPv4/v6 address.
.Nm
does not consult hostname-to-address for arguments
.Ar src
and
.Ar dst .
They must be in numeric form.
.\"
.Pp
.It Ar protocol
.Ar protocol
is one of following:
.Bl -tag -width Fl -compact
.It Li esp
ESP based on rfc2405
.It Li esp-old
ESP based on rfc1827
.It Li ah
AH based on rfc2402
.It Li ah-old
AH based on rfc1826
.It Li ipcomp
IPCOMP
.El
.\"
.Pp
.It Ar spi
Security Parameter Index (SPI) for the SA and SPD.
It must be decimal number or hexadecimal number
.Po
with
.Li 0x
attached
.Pc .
.\"
.Pp
.It Ar extensions
takes some of the following:
.Bl -tag -width Fl -compact
.\"
.It Fl m Ar mode
Specify an security protocol mode for use. By default,
.Li any .
.Ar mode
is one of following:
.Li transport , tunnel
or
.Li any .
.\"
.It Fl r Ar size
Specify window size of bytes for replay prevention.
.Ar size
must be decimal number in 32-bit word. If
.Ar size
is zero or not specified, replay check don't take place.
.\"
.It Fl u Ar id
Specify the identifier of policy. See also
.Xr ipsec_set_policy 3 .
.\"
.It Fl f Ar pad_option
.Ar pad_option
is one of following:
.Li zero-pad , random-pad
or
.Li seq-pad
.\"
.It Fl f Li nocyclic-seq
Don't allow cyclic sequence number.
.\"
.It Fl lh Ar time
.It Fl ls Ar time
Specify hard/soft lifetime.
.El
.\"
.Pp
.It Ar algorithm
.Bl -tag -width Fl -compact
.It Fl E Ar ealgo Ar key
Specify encryption algorithm.
.It Fl A Ar ealgo Ar key
Specify authentication algorithm.
If
.Fl A
is used for esp, it will be treated as ESP payload authentication algorithm.
.It Fl C Ar calgo Op Fl R
Specify compression algorithm.
If
.Fl R
is not specified with
.Li ipcomp
line, the kernel will use well-known IPComp CPI
.Pq compression parameter index
on IPComp CPI field on packets, and
.Ar spi
field will be ignored.
.Ar spi
field is only for kernel internal use in this case.
.\"Therefore, compression protocol number will appear on IPComp CPI field.
If
.Fl R
is used,
the value on
.Ar spi
field will appear on IPComp CPI field on outgoing packets.
.Ar spi
field needs to be smaller than
.Li 0x10000
in this case.
.El
.Pp
.Li esp
SAs accept
.Fl E
and
.Fl A .
.Li esp-old
SAs accept
.Fl E
only.
.Li ah
and
.Li ah-old
SAs accept
.Fl A
only.
.Li ipcomp
SAs accept
.Fl C
only.
.Pp
.Ar key
must be double-quoted character string or a series of hexadecimal digits.
.Pp
Possible values for
.Ar ealgo ,
.Ar aalgo
and
.Ar calgo
are specified in separate section.
.\"
.It Ar src_range
.It Ar dst_range
These are selection of the secure communication is specified as
IPv4/v6 address or IPv4/v6 address range, and it may accompany
TCP/UDP port specification.
This takes the following form:
@ -209,8 +349,7 @@ must be decimal number.
The square bracket around
.Ar port
is really necessary.
They are not manpage metacharacters
.Li :-)
They are not manpage metacharacters.
.Pp
.Nm
does not consult hostname-to-address for arguments
@ -228,148 +367,14 @@ and
.Li any
can be specified.
.Li any
is as the wildcard.
stands for
.Dq any protocol .
.Pp
NOTE:
.Ar upperspec
of forwarding packet has no effect at this moment, since kernel code fragment to handle
.Ar upperspec
is disabled.
.\"
.It Ar spi
Security Parameter Index (SPI) for the SA and SPD.
It must be decimal number or hexadecimal number
.Po
with
.Li 0x
attached
.Pc .
.\"
.It Ar proxyspec
.Ar proxyspec
can be specified as either an IPv4 or IPv6 address.
If specified, the SAD entry will be used for tunnel mode IPsec processing.
.\"
.It Ar protocol
.Ar protocol
takes the following forms:
.Bl -tag -width Ds
.It Xo
.Fl p
.Li esp
.Op Ar extensions
.Op Fl E Ar ealgo Ar key
.Op Fl A Ar aalgo Ar key
.Op Fl r Ar replay
.Xc
.It Xo
.Fl p
.Li ah
.Op Ar extensions
.Op Fl A Ar aalgo Ar key
.Op Fl r Ar replay
.Xc
.It Xo
.Fl p
.Li esp-old
.Op Ar extensions
.Op Fl E Ar ealgo Ar key
.Op Fl A Ar aalgo Ar key
.Op Fl r Ar replay
.Xc
.It Xo
.Fl p
.Li ah-old
.Op Ar extensions
.Op Fl A Ar aalgo Ar key
.Op Fl r Ar replay
.Xc
.It Xo
.Fl p
.Li ipcomp
.Op Fl C Ar calgo
.Op Fl R
.Xc
.El
.Pp
.Fl p
is always mandatory.
Optional flag,
.Ar extensions ,
can be
.Li cyclic-seq ,
and one of the following:
.Li random-pad ,
.Li seq-pad ,
.Li zero-pad .
.Fl E
specifies encryption algorithm, and
.Fl A
specifies authentication algorithm.
If
.Fl A
is used for
.Fl p Li esp
or
.Fl p Li esp-old ,
it will be treated as ESP payload authentication algorithm.
Possible values for
.Ar ealgo ,
.Ar aalgo
and
.Ar calgo
are specified in separete section.
.Ar key
must be double-quoted character string or a series of hexadecimal digits.
.Fl r Ar replay
is used for checking replay attacks.
.Ar replay
must be decimal number in 32-bit word. If
.Ar replay
is zero or not specified, repley check don't take place.
.Fl R
is used only with
.Li ipcomp .
If
.Fl R
is specified with
.Li ipcomp
line, the kernel will use well-known IPComp CPI
.Pq compression parameter index
on IPComp CPI field on packets, and
.Ar spi
field will be ignored.
.Ar spi
field is only for kernel internal use in this case.
.\"Therefore, compression protocol number will appear on IPComp CPI field.
If
.Fl R
is not used,
the value on
.Ar spi
field will appear on IPComp CPI field on outgoing packets.
.Ar spi
field needs to be smaller than
.Li 0x10000
in this case.
.\"
.It Ar protocol0
This is a subset of
.Ar protocol ,
which takes no optional arguments:
.Bd -literal -offset
.Xo
.Fl p
.Li esp
.Xc
.Xo
.Fl p
.Li ah
.Xc
.Xo
.Fl p
.Li ipcomp
.Xc
.Ed
does not work against forwarding case at this moment,
as it requires extra reassembly at forwarding node
.Pq not implemented as this moment .
.\"
.It Ar policy
.Ar policy
@ -377,20 +382,29 @@ is the one of following:
.Bd -literal -offset
.Xo
.Fl P
.Ar direction
.Li discard
.Xc
.Xo
.Fl P
.Ar direction
.Li none
.Xc
.Xo
.Fl P
.Ar direction
.Li ipsec
.Ar protocol/level
.Op Ar /peer
.Ar protocol/mode/src-dst/level
.Xc
.Ed
.Pp
You must specify the direction of its policy as
.Ar direction .
Either
.Li out
or
.Li in
are used.
.Li discard
means the packet matching indexes will be discarded.
.Li none
@ -404,6 +418,18 @@ or
.Li ipcomp
is to be set as
.Ar protocol .
.Ar mode
is either
.Li transport
or
.Li tunnel .
You must specify the end-points addresses of the SA as
.Ar src
and
.Ar dst
with
.Sq -
between these addresses which is used to specify the SA to use.
.Ar level
is to be one of the following:
.Li default , use
@ -419,10 +445,17 @@ means that kernel use a SA if it's available,
otherwise kernel keeps normal operation.
.Li require
means SA is required whenever kernel deals with the packet.
If you plan to set up the tunnel mode of IPsec, you can specify the end-point a
ddress of the tunnel as
.Ar peer
which will be hint when IPsec system set up SAs by Key management automatically.
Note that
.Dq Li discard
and
.Dq Li none
are not in the syntax described in
.Xr ipsec_set_policy 3 .
There are little differences in the syntax.
See
.Xr ipsec_set_policy 3
for detail.
.Pp
.El
.Pp
.\"
@ -440,18 +473,18 @@ of
.Ar protocol
parameter:
.Pp
.Bl -column "algorithmxx" -column "keylengthxx" -offset
.It Sy algorithm key length (bits) comment
.It hmac-md5 128 ah: rfc2403
.It 128 ah-old: rfc2085
.It hmac-sha1 160 ah: rfc2404
.It 160 ah-old: 128bit ICV (no document)
.It keyed-md5 128 ah: 96bit ICV (no document)
.It 128 ah-old: rfc1828
.It keyed-sha1 160 ah: 96bit ICV (no document)
.It 160 ah-old: 128bit ICV (no document)
.It null 0 to 2048 for debugging
.El
.Bd -literal -offset indent
algorithm keylen (bits) comment
hmac-md5 128 ah: rfc2403
128 ah-old: rfc2085
hmac-sha1 160 ah: rfc2404
160 ah-old: 128bit ICV (no document)
keyed-md5 128 ah: 96bit ICV (no document)
128 ah-old: rfc1828
keyed-sha1 160 ah: 96bit ICV (no document)
160 ah-old: 128bit ICV (no document)
null 0 to 2048 for debugging
.Ed
.Pp
Following are the list of encryption algorithms that can be used as
.Ar ealgo
@ -461,17 +494,17 @@ of
.Ar protocol
parameter:
.Pp
.Bl -column "algorithmxx" -column "keylengthxx" -offset
.It Sy algorithm key length(bits) comment
.It des-cbc 64 esp-old: rfc1829, esp: rfc2405
.It 3des-cbc 192 rfc2451
.It simple 0 to 2048 rfc2410
.It blowfish-cbc 40 to 448 rfc2451
.It cast128-cbc 40 to 128 rfc2451
.It rc5-cbc 40 to 2040 rfc2451
.It des-deriv 64 ipsec-ciph-des-derived-01 (expired)
.It 3des-deriv 192 no document
.El
.Bd -literal -offset indent
algorithm keylen (bits) comment
des-cbc 64 esp-old: rfc1829, esp: rfc2405
3des-cbc 192 rfc2451
simple 0 to 2048 rfc2410
blowfish-cbc 40 to 448 rfc2451
cast128-cbc 40 to 128 rfc2451
rc5-cbc 40 to 2040 rfc2451
des-deriv 64 ipsec-ciph-des-derived-01 (expired)
3des-deriv 192 no document
.Ed
.Pp
Following are the list of compression algorithms that can be used as
.Ar calgo
@ -481,37 +514,32 @@ of
.Ar protocol
parameter:
.Pp
.Bl -column "algorithmxx" -offset
.It Sy algorithm comment
.It deflate rfc2394
.It lzs rfc2395
.El
.Bd -literal -offset indent
algorithm comment
deflate rfc2394
lzs rfc2395
.Ed
.\"
.Sh EXAMPLES
.Bd -literal -offset
add 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41
-p esp -E des-cbc "hogehoge"
-A hmac-md5 "hagehogehogehoge" ;
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
-E des-cbc "ESP SA!!"
add 127.0.0.1 127.0.0.1 any 0x10001
-p esp -E blowfish-cbc "kamekame"
-A hmac-sha1 "hogehogehogehogehoge" ;
add 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456
-A hmac-sha1 "AH SA configuration!" ;
add 127.0.0.1 127.0.0.1 any 0x10001
-p ah-old -A keyed-md5 "testtesttesttest" ;
add 10.0.11.41 10.0.11.33 esp 0x10001
-E des-cbc "ESP with"
-A hmac-md5 "authentication!!" ;
add 10.0.0.1 10.0.0.2 udp 0x10002 203.178.141.215
-p ah -A keyed-md5 "testtesttesttest" ;
get 10.0.11.41/32[21] 10.0.11.33/32[0] tcp 0x10001 202.249.11.41
-p esp ;
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
flush ;
dump -p esp ;
dump esp ;
spdadd 10.0.11.41/32[21] 10.0.11.33/32[0] any
-P ipsec ah/use esp/require/192.168.0.1 ;
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
.Ed
.\"


@ -1,4 +1,4 @@
/* $NetBSD: setkey.c,v 1.2 1999/07/06 13:13:03 itojun Exp $ */
/* $NetBSD: setkey.c,v 1.3 2000/01/31 14:22:44 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -28,7 +28,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* KAME Id: setkey.c,v 1.1.4.1.2.5.2.21.2.19.4.16 1999/07/02 17:15:32 itojun Exp */
/* KAME Id: setkey.c,v 1.8 1999/12/02 05:23:59 sakane Exp */
#include <sys/types.h>
#include <sys/param.h>
@ -62,14 +62,18 @@ const char *numstr __P((int));
void shortdump_hdr __P((void));
void shortdump __P((struct sadb_msg *));
#define MODE_SCRIPT 1
#define MODE_CMDDUMP 2
#define MODE_CMDFLUSH 3
int so;
int f_forever = 0;
int f_all = 0;
int f_debug = 0;
int f_verbose = 0;
int f_command = 0;
int f_script = 0;
int f_mode = 0;
int f_cmddump = 0;
int f_cmdflush = 0;
int f_policy = 0;
int f_promisc = 0;
int f_hexdump = 0;
@ -85,12 +89,13 @@ extern int parse __P((FILE **));
void
Usage()
{
printf("Usage:\t%s [-dv] -c", pname);
printf("Usage:\t%s [-dv] -c\n", pname);
printf("\t%s [-dv] -f (file)\n", pname);
printf("\t%s [-Padlv] -D\n", pname);
printf("\t%s [-Pdv] -F\n", pname);
printf("\t%s [-h] -x\n", pname);
exit(0);
pfkey_close(so);
exit(1);
}
int
@ -107,67 +112,69 @@ main(ac, av)
while ((c = getopt(ac, av, "acdf:hlvxDFP")) != EOF) {
switch (c) {
case 'a':
f_all = 1;
break;
case 'c':
f_script = 1;
f_mode = MODE_SCRIPT;
fp = stdin;
break;
case 'd':
f_debug = 1;
break;
case 'f':
f_script = 1;
f_mode = MODE_SCRIPT;
if ((fp = fopen(optarg, "r")) == NULL) {
perror("fopen");
exit(-1);
err(-1, "fopen");
/*NOTREACHED*/
}
break;
case 'D':
f_mode = MODE_CMDDUMP;
break;
case 'F':
f_mode = MODE_CMDFLUSH;
break;
case 'a':
f_all = 1;
break;
case 'l':
f_forever = 1;
break;
case 'h':
f_hexdump = 1;
break;
case 'v':
f_verbose = 1;
break;
case 'x':
f_promisc = 1;
promisc();
/*NOTREACHED*/
case 'D':
f_cmddump = 1;
break;
case 'F':
f_cmdflush = 1;
break;
case 'P':
f_policy = 1;
break;
case 'd':
f_debug = 1;
break;
case 'v':
f_verbose = 1;
break;
default:
Usage();
/*NOTREACHED*/
}
}
if (get_supported() < 0) {
printf("%s\n", ipsec_strerror());
exit(-1);
}
if (f_cmdflush)
sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
else
if (f_cmddump)
switch (f_mode) {
case MODE_CMDDUMP:
sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP);
else
if (f_script)
parse(&fp);
else {
break;
case MODE_CMDFLUSH:
sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
pfkey_close(so);
break;
case MODE_SCRIPT:
if (get_supported() < 0) {
errx(-1, "%s", ipsec_strerror());
/*NOTREACHED*/
}
if (parse(&fp))
exit (1);
break;
default:
Usage();
/*NOTREACHED*/
}
exit(0);
@ -178,14 +185,14 @@ get_supported()
{
int so;
#if 0
if ((so = pfkey_open()) < 0) {
perror("pfkey_open");
return -1;
}
/* debug mode ? */
if (f_debug)
return 0;
#endif
if ((so = pfkey_open()) < 0)
return -1;
if (pfkey_send_register(so, PF_UNSPEC) < 0)
return -1;
@ -193,14 +200,12 @@ get_supported()
if (pfkey_recv_register(so) < 0)
return -1;
pfkey_close(so);
return 0;
}
void
sendkeyshort(type)
u_int type;
u_int type;
{
struct sadb_msg *m_msg = (struct sadb_msg *)m_buf;
@ -211,10 +216,12 @@ sendkeyshort(type)
m_msg->sadb_msg_errno = 0;
m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_mode = IPSEC_MODE_ANY;
m_msg->sadb_msg_reserved1 = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
m_msg->sadb_msg_reqid = 0;
m_msg->sadb_msg_reserved2 = 0;
sendkeymsg();
@ -235,10 +242,12 @@ promisc()
m_msg->sadb_msg_errno = 0;
m_msg->sadb_msg_satype = 1;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_mode = IPSEC_MODE_ANY;
m_msg->sadb_msg_reserved1 = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
m_msg->sadb_msg_reqid = 0;
m_msg->sadb_msg_reserved2 = 0;
if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
err(1, "socket(PF_KEY)");
@ -297,13 +306,15 @@ promisc()
int
sendkeymsg()
{
int so;
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
int so, len;
int len;
struct sadb_msg *msg;
if ((so = pfkey_open()) < 0) {
printf("%s\n", ipsec_strerror());
return 0;
perror("pfkey_open");
return -1;
}
{
@ -319,8 +330,10 @@ sendkeymsg()
if (f_forever)
shortdump_hdr();
again:
if (f_verbose)
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)m_buf);
printf("\n");
}
if ((len = send(so, m_buf, m_len, 0)) < 0) {
perror("send");
@ -335,12 +348,14 @@ again:
}
if (PFKEY_UNUNIT64(msg->sadb_msg_len) != len) {
fprintf(stderr, "invalid keymsg length\n");
warnx("invalid keymsg length");
break;
}
if (f_verbose)
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)rbuf);
printf("\n");
}
if (postproc(msg, len) < 0)
break;
} while (msg->sadb_msg_errno || msg->sadb_msg_seq);
@ -366,7 +381,7 @@ postproc(msg, len)
char inf[80];
char *errmsg = NULL;
if (f_script)
if (f_mode == MODE_SCRIPT)
snprintf(inf, sizeof(inf), "The result of line %d: ", lineno);
else
inf[0] = '\0';
@ -404,7 +419,8 @@ postproc(msg, len)
if (!f_all) {
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_sa *sa;
pfkey_check(msg, mhp);
pfkey_align(msg, mhp);
pfkey_check(mhp);
if ((sa = (struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) {
if (sa->sadb_sa_state == SADB_SASTATE_DEAD)
break;
@ -416,8 +432,10 @@ postproc(msg, len)
pfkey_sadump(msg);
msg = (struct sadb_msg *)((caddr_t)msg +
PFKEY_UNUNIT64(msg->sadb_msg_len));
if (f_verbose)
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)msg);
printf("\n");
}
break;
case SADB_X_SPDDUMP:
@ -425,8 +443,10 @@ postproc(msg, len)
if (msg->sadb_msg_seq == 0) break;
msg = (struct sadb_msg *)((caddr_t)msg +
PFKEY_UNUNIT64(msg->sadb_msg_len));
if (f_verbose)
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)msg);
printf("\n");
}
break;
}
@ -452,7 +472,7 @@ static char *ipproto[] = {
/*40*/ NULL, "ip6", NULL, "rt6", "frag6",
NULL, "rsvp", "gre", NULL, NULL,
/*50*/ "esp", "ah", NULL, NULL, NULL,
NULL, NULL, "icmp6", "none", NULL,
NULL, NULL, NULL, "icmp6", "none",
/*60*/ "dst6",
};
@ -488,7 +508,8 @@ shortdump(msg)
u_int t;
time_t cur = time(0);
pfkey_check(msg, mhp);
pfkey_align(msg, mhp);
pfkey_check(mhp);
printf("%02lu%02lu", (u_long)(cur % 3600) / 60, (u_long)(cur % 60));
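Review bot: `pfkey_close(so);` in Usage() and in the MODE_CMDFLUSH arm of main() pass the file-scope `int so;`, but in the visible hunks nothing assigns that global — get_supported() and sendkeymsg() each open and close their own local `so` — so the zero-initialized global is handed to pfkey_close(), and if that routine just calls close() it closes descriptor 0, i.e. stdin, which `-c` mode reads from. Usage() is also reached from the getopt `default:` arm before any PF_KEY socket exists, so the close there can never be meaningful; dropping both `pfkey_close(so)` calls (or keeping a real descriptor in the global and closing it once before `exit()`) fixes this. A smaller point: `exit(-1)`, `err(-1, ...)` and `errx(-1, ...)` produce exit status 255, while the new Usage() uses `exit(1)`; one convention would be easier for scriptdump-style callers. The bodies of Usage(), main() and sendkeymsg() extend beyond their hunks.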


@ -1,4 +1,4 @@
/* $NetBSD: test-pfkey.c,v 1.2 1999/07/06 13:13:03 itojun Exp $ */
/* $NetBSD: test-pfkey.c,v 1.3 2000/01/31 14:22:44 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -28,7 +28,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* KAME Id: test-pfkey.c,v 1.1.4.3 1999/05/28 19:44:38 sakane Exp */
/* KAME Id: test-pfkey.c,v 1.2 1999/10/26 08:09:17 itojun Exp */
#include <sys/types.h>
#include <sys/param.h>
@ -477,7 +477,8 @@ key_setsadbaddr(ext, af, str)
a->sa_family = af;
_INPORTBYSA(a) =
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : htons(0x1234));
inet_pton(af, str, _INADDRBYSA(a));
if (inet_pton(af, str, _INADDRBYSA(a)) != 1)
; /* XXX do something */
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(a->sa_len);
m_addr.sadb_address_len = PFKEY_UNIT64(len);
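Review bot: The new `inet_pton()` check in key_setsadbaddr() is an empty statement, so a malformed `str` still leaves the address bytes behind `_INADDRBYSA(a)` unset and the sadb_address extension is built and sent with whatever the buffer held. Replacing `; /* XXX do something */` with `errx(1, "inet_pton: %s", str);` (assuming <err.h> is included, as setkey.c already does) makes a bad address fail loudly instead of silently producing an SA for the wrong endpoint. key_setsadbaddr()'s body continues outside the hunk.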


@ -1,4 +1,4 @@
/* $NetBSD: token.l,v 1.3 1999/07/06 13:13:03 itojun Exp $ */
/* $NetBSD: token.l,v 1.4 2000/01/31 14:22:45 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -46,7 +46,7 @@
#include <unistd.h>
#include <errno.h>
#include "vchar.h"
#include "parse.h"
#include "y.tab.h"
#define DECHO \
if (f_debug) {printf("<%d>", yy_start); ECHO ; printf("\n"); }
@ -108,7 +108,7 @@ hexstring 0[xX]{hexdigit}+
octetstring {octet}({dot}{octet})+
ipaddress {ipv4addr}|{ipv6addr}
ipv4addr {digit}{1,3}({dot}{digit}{1,3}){0,3}
ipv6addr {hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7}
ipv6addr ({hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7}|{hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,5}{colon}{ipv4addr})
ipaddrmask {slash}{digit}{1,3}
ipaddrport {blcl}{decstring}{elcl}
keyword {letter}{letter}+
@ -119,19 +119,19 @@ hostname {name}(({dot}{name})+{dot}?)?
%%
add { PREPROC; yylval.num = SADB_ADD; return(ADD); }
delete { PREPROC; yylval.num = SADB_DELETE; return(DELETE); }
get { PREPROC; yylval.num = SADB_GET; return(GET); }
flush { PREPROC; yylval.num = SADB_FLUSH; return(FLUSH); }
dump { PREPROC; yylval.num = SADB_DUMP; return(DUMP); }
add { PREPROC; return(ADD); }
delete { PREPROC; return(DELETE); }
get { PREPROC; return(GET); }
flush { PREPROC; return(FLUSH); }
dump { PREPROC; return(DUMP); }
/* for management SPD */
spdadd { PREPROC; yylval.num = SADB_X_SPDADD; return(SPDADD); }
spddelete { PREPROC; yylval.num = SADB_X_SPDDELETE; return(SPDDELETE); }
spddump { PREPROC; yylval.num = SADB_X_SPDDUMP; return(SPDDUMP); }
spdflush { PREPROC; yylval.num = SADB_X_SPDFLUSH; return(SPDFLUSH); }
spdadd { PREPROC; return(SPDADD); }
spddelete { PREPROC; return(SPDDELETE); }
spddump { PREPROC; return(SPDDUMP); }
spdflush { PREPROC; return(SPDFLUSH); }
{hyphen}P { BEGIN S_PL; PREPROC; return(F_POLICY); }
<S_PL>[a-zA-Z0-9:\._/ \n\t][a-zA-Z0-9:\._/ \n\t]* {
<S_PL>[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.\-_/ \n\t]* {
yymore();
/* count up for nl */
@ -149,21 +149,6 @@ spdflush { PREPROC; yylval.num = SADB_X_SPDFLUSH; return(SPDFLUSH); }
}
<S_PL>{semi} { PREPROC; BEGIN INITIAL; return(EOT); }
/* flags */
{hyphen}p { PREPROC; return(F_PROTOCOL); }
{hyphen}r { PREPROC; return(F_REPLAY); }
{hyphen}E { PREPROC; return(F_ENC); }
{hyphen}A { PREPROC; return(F_AUTH); }
{hyphen}C { PREPROC; return(F_COMP); }
{hyphen}R { PREPROC; return(F_RAWCPI); }
/* upper layer protocols */
any { PREPROC; yylval.num = IPPROTO_IP; return(UP_PROTO); }
icmp { PREPROC; yylval.num = IPPROTO_ICMP; return(UP_PROTO); }
icmp6 { PREPROC; yylval.num = IPPROTO_ICMPV6; return(UP_PROTO); }
tcp { PREPROC; yylval.num = IPPROTO_TCP; return(UP_PROTO); }
udp { PREPROC; yylval.num = IPPROTO_UDP; return(UP_PROTO); }
/* security protocols */
ah { PREPROC; yylval.num = 0; return(PR_AH); }
esp { PREPROC; yylval.num = 0; return(PR_ESP); }
@ -172,6 +157,7 @@ esp-old { PREPROC; yylval.num = 1; return(PR_ESP); }
ipcomp { PREPROC; yylval.num = 0; return(PR_IPCOMP); }
/* authentication alogorithm */
{hyphen}A { PREPROC; return(F_AUTH); }
hmac-md5 { PREPROC; yylval.num = SADB_AALG_MD5HMAC; return(ALG_AUTH); }
hmac-sha1 { PREPROC; yylval.num = SADB_AALG_SHA1HMAC; return(ALG_AUTH); }
keyed-md5 { PREPROC; yylval.num = SADB_AALG_MD5; return(ALG_AUTH); }
@ -179,31 +165,48 @@ keyed-sha1 { PREPROC; yylval.num = SADB_AALG_SHA; return(ALG_AUTH); }
null { PREPROC; yylval.num = SADB_AALG_NULL; return(ALG_AUTH); }
/* encryption alogorithm */
{hyphen}E { PREPROC; return(F_ENC); }
des-cbc { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC); }
3des-cbc { PREPROC; yylval.num = SADB_EALG_3DESCBC; return(ALG_ENC); }
simple { PREPROC; yylval.num = SADB_EALG_NULL; return(ALG_ENC); }
blowfish-cbc { PREPROC; yylval.num = SADB_EALG_BLOWFISHCBC; return(ALG_ENC); }
cast128-cbc { PREPROC; yylval.num = SADB_EALG_CAST128CBC; return(ALG_ENC); }
/* rc5-cbc { PREPROC; yylval.num = SADB_EALG_RC5CBC; return(ALG_ENC); } */
/*
rc5-cbc { PREPROC; yylval.num = SADB_EALG_RC5CBC; return(ALG_ENC); }
*/
des-deriv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DESDERIV); }
des-32iv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DES32IV); }
/* compression algorithms */
{hyphen}C { PREPROC; return(F_COMP); }
oui { PREPROC; yylval.num = SADB_X_CALG_OUI; return(ALG_COMP); }
deflate { PREPROC; yylval.num = SADB_X_CALG_DEFLATE; return(ALG_COMP); }
lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
{hyphen}R { PREPROC; return(F_RAWCPI); }
/* extension */
{hyphen}m { PREPROC; return(F_MODE); }
transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
{hyphen}u { PREPROC; return(F_REQID); }
{hyphen}f { PREPROC; return(F_EXT); }
random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); }
/* SA dependent */
nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
{hyphen}r { PREPROC; return(F_REPLAY); }
{hyphen}lh { PREPROC; return(F_LIFETIME_HARD); }
{hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); }
/* upper layer protocols */
icmp { PREPROC; yylval.num = IPPROTO_ICMP; return(UP_PROTO); }
icmp6 { PREPROC; yylval.num = IPPROTO_ICMPV6; return(UP_PROTO); }
tcp { PREPROC; yylval.num = IPPROTO_TCP; return(UP_PROTO); }
udp { PREPROC; yylval.num = IPPROTO_UDP; return(UP_PROTO); }
/* ... */
any { PREPROC; return(ANY); }
{ws} { PREPROC; }
{nl} { lineno++; }
{comment}
@ -214,7 +217,7 @@ cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); }
char *bp;
PREPROC;
yylval.num = strtol(yytext, &bp, 10);
yylval.num = strtoul(yytext, &bp, 10);
return(DECSTRING);
}
@ -227,7 +230,7 @@ cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); }
PREPROC;
yylval.val.len = sizeof(struct sockaddr_in);
yylval.val.buf = yytext;
yylval.val.buf = strdup(yytext);
return(IP4_ADDRESS);
}
@ -237,7 +240,7 @@ cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); }
PREPROC;
yylval.val.len = sizeof(struct sockaddr_in6);
yylval.val.buf = yytext;
yylval.val.buf = strdup(yytext);
return(IP6_ADDRESS);
#else
@ -262,19 +265,21 @@ cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); }
return(PORT);
}
{blcl}any{elcl} {
PREPROC;
return(PORTANY);
}
{hexstring} {
int len = yyleng - 2; /* (str - "0x") */
PREPROC;
PREPROC;
yylval.val.len = (len & 1) + (len / 2);
/* fixed string if length is odd. */
if (len & 1) {
yytext[1] = '0';
yylval.val.buf = yytext + 1;
yylval.val.buf = strdup(yytext + 1);
} else
yylval.val.buf = yytext + 2;
yylval.val.buf = strdup(yytext + 2);
return(HEXSTRING);
}
@ -285,16 +290,10 @@ cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); }
while (*++p != '"') ;
*p = NULL;
yytext++;
yylval.val.len = yyleng-2;
yylval.val.buf = yytext;
return(QUOTEDSTRING);
}
yylval.val.len = yyleng - 2;
yylval.val.buf = strdup(yytext);
{hostname} {
PREPROC;
yylval.val.len = yyleng;
yylval.val.buf = yytext;
return(HOSTNAME);
return(QUOTEDSTRING);
}
. { yyerror("Syntax error"); }
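Review bot: The five new `strdup()` calls (the `ipv4addr` and `ipv6addr` rules, both branches of the `hexstring` rule and the quoted-string rule) never check for a NULL result, so an allocation failure hands the parser a NULL `yylval.val.buf` alongside a non-zero `yylval.val.len`. A check after each, e.g. `if (yylval.val.buf == NULL) err(1, "strdup");` (or a `yyerror()` call in the style of the `.` rule), keeps the failure inside the lexer. These copies now need an owner that frees them once the parser has consumed the token; that code is not in these hunks, so presumably it lives in parse.y — worth confirming. Unrelated to the change but in the same rule, `*p = NULL;` stores a pointer constant into a `char`; `'\0'` is what is meant.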