sync with almost-latest KAME IPsec. full changelog would be too big

to mention here.  notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
  it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
  in struct sadb_msg.  we cannot just change these standard structs.
  sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
  these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
  specify it)
- spddelete takes direction specification
itojun 2000-06-12 10:40:37 +00:00
parent 0c0d0ee98e
commit 92e64a4a0d
29 changed files with 3927 additions and 2560 deletions


@ -1,4 +1,5 @@
/* $NetBSD: ipsec_dump_policy.c,v 1.2 2000/03/13 21:23:55 itojun Exp $ */
/* $NetBSD: ipsec_dump_policy.c,v 1.3 2000/06/12 10:40:52 itojun Exp $ */
/* $KAME: ipsec_dump_policy.c,v 1.11 2000/05/07 05:29:47 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -42,13 +43,10 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include "ipsec_strerror.h"
#ifdef USE_GETNAMEINFO
#undef USE_GETNAMEINFO
#endif
static const char *ipsp_dir_strs[] = {
"any", "in", "out",
};
@ -57,7 +55,11 @@ static const char *ipsp_policy_strs[] = {
"discard", "none", "ipsec", "entrust", "bypass",
};
static int set_addresses __P((char *buf, caddr_t ptr));
static char *ipsec_dump_ipsecrequest __P((char *, size_t,
struct sadb_x_ipsecrequest *, size_t));
static int set_addresses __P((char *, size_t, struct sockaddr *,
struct sockaddr *));
static char *set_address __P((char *, size_t, struct sockaddr *));
/*
* policy is sadb_x_policy buffer.
@ -71,9 +73,10 @@ ipsec_dump_policy(policy, delimiter)
{
struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
struct sadb_x_ipsecrequest *xisr;
int xtlen, buflen;
size_t off, buflen;
char *buf;
int error;
char isrbuf[1024];
char *newbuf;
/* sanity check */
if (policy == NULL)
@ -118,159 +121,187 @@ ipsec_dump_policy(policy, delimiter)
__ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
strcpy(buf, ipsp_dir_strs[xpl->sadb_x_policy_dir]);
strcat(buf, " ");
strcat(buf, ipsp_policy_strs[xpl->sadb_x_policy_type]);
snprintf(buf, buflen, "%s %s", ipsp_dir_strs[xpl->sadb_x_policy_dir],
ipsp_policy_strs[xpl->sadb_x_policy_type]);
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
__ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
/* count length of buffer for use */
/* XXX non-seriously */
while (xtlen > 0) {
/* protocol/mode/addresses/level */
buflen += (10 + 10 + 82 + 20);
xtlen -= xisr->sadb_x_ipsecrequest_len;
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr->sadb_x_ipsecrequest_len);
off = sizeof(*xpl);
while (off < PFKEY_EXTLEN(xpl)) {
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
off += xisr->sadb_x_ipsecrequest_len;
}
/* validity check */
if (xtlen < 0) {
if (off != PFKEY_EXTLEN(xpl)) {
__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
free(buf);
return NULL;
}
if ((buf = realloc(buf, buflen)) == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
off = sizeof(*xpl);
while (off < PFKEY_EXTLEN(xpl)) {
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
while (xtlen > 0) {
strcat(buf, delimiter);
switch (xisr->sadb_x_ipsecrequest_proto) {
case IPPROTO_ESP:
strcat(buf, "esp");
break;
case IPPROTO_AH:
strcat(buf, "ah");
break;
case IPPROTO_IPCOMP:
strcat(buf, "ipcomp");
break;
default:
__ipsec_errcode = EIPSEC_INVAL_PROTO;
if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr,
PFKEY_EXTLEN(xpl) - off) == NULL) {
free(buf);
return NULL;
}
strcat(buf, "/");
switch (xisr->sadb_x_ipsecrequest_mode) {
case IPSEC_MODE_ANY:
strcat(buf, "any");
break;
case IPSEC_MODE_TRANSPORT:
strcat(buf, "transport");
break;
case IPSEC_MODE_TUNNEL:
strcat(buf, "tunnel");
break;
default:
__ipsec_errcode = EIPSEC_INVAL_MODE;
buflen = strlen(buf) + strlen(delimiter) + strlen(isrbuf) + 1;
newbuf = (char *)realloc(buf, buflen);
if (newbuf == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
free(buf);
return NULL;
}
buf = newbuf;
snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf);
strcat(buf, "/");
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
error = set_addresses(buf, (caddr_t)(xisr + 1));
if (error) {
__ipsec_errcode = EIPSEC_INVAL_MODE;
free(buf);
return NULL;
}
}
switch (xisr->sadb_x_ipsecrequest_level) {
case IPSEC_LEVEL_DEFAULT:
strcat(buf, "/default");
break;
case IPSEC_LEVEL_USE:
strcat(buf, "/use");
break;
case IPSEC_LEVEL_REQUIRE:
strcat(buf, "/require");
break;
case IPSEC_LEVEL_UNIQUE:
strcat(buf, "/unique");
break;
default:
__ipsec_errcode = EIPSEC_INVAL_LEVEL;
free(buf);
return NULL;
}
if (xisr->sadb_x_ipsecrequest_reqid != 0) {
char id[16];
if (xisr->sadb_x_ipsecrequest_reqid
> IPSEC_MANUAL_REQID_MAX)
strcat(buf, "#");
else
strcat(buf, ":");
snprintf(id, sizeof(id), "%d",
xisr->sadb_x_ipsecrequest_reqid);
strcat(buf, id);
}
xtlen -= xisr->sadb_x_ipsecrequest_len;
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr->sadb_x_ipsecrequest_len);
off += xisr->sadb_x_ipsecrequest_len;
}
__ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
static int
set_addresses(buf, ptr)
static char *
ipsec_dump_ipsecrequest(buf, len, xisr, bound)
char *buf;
caddr_t ptr;
size_t len;
struct sadb_x_ipsecrequest *xisr;
size_t bound; /* boundary */
{
char tmp[100]; /* XXX */
struct sockaddr *saddr = (struct sockaddr *)ptr;
const char *proto, *mode, *level;
char abuf[NI_MAXHOST * 2 + 2];
#ifdef USE_GETNAMEINFO
getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
NULL, 0, NI_NUMERICHOST);
#else
inet_ntop(saddr->sa_family, _INADDRBYSA(saddr),
tmp, sizeof(tmp));
#endif
strcat(buf, tmp);
if (xisr->sadb_x_ipsecrequest_len > bound) {
__ipsec_errcode = EIPSEC_INVAL_PROTO;
return NULL;
}
strcat(buf, "-");
switch (xisr->sadb_x_ipsecrequest_proto) {
case IPPROTO_ESP:
proto = "esp";
break;
case IPPROTO_AH:
proto = "ah";
break;
case IPPROTO_IPCOMP:
proto = "ipcomp";
break;
default:
__ipsec_errcode = EIPSEC_INVAL_PROTO;
return NULL;
}
saddr = (struct sockaddr *)((caddr_t)saddr + saddr->sa_len);
#ifdef USE_GETNAMEINFO
getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
NULL, 0, NI_NUMERICHOST);
#else
inet_ntop(saddr->sa_family, _INADDRBYSA(saddr),
tmp, sizeof(tmp));
#endif
strcat(buf, tmp);
switch (xisr->sadb_x_ipsecrequest_mode) {
case IPSEC_MODE_ANY:
mode = "any";
break;
case IPSEC_MODE_TRANSPORT:
mode = "transport";
break;
case IPSEC_MODE_TUNNEL:
mode = "tunnel";
break;
default:
__ipsec_errcode = EIPSEC_INVAL_MODE;
return NULL;
}
abuf[0] = '\0';
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
struct sockaddr *sa1, *sa2;
caddr_t p;
p = (caddr_t)(xisr + 1);
sa1 = (struct sockaddr *)p;
sa2 = (struct sockaddr *)(p + sa1->sa_len);
if (sizeof(*xisr) + sa1->sa_len + sa2->sa_len !=
xisr->sadb_x_ipsecrequest_len) {
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return NULL;
}
if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) {
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return NULL;
}
}
switch (xisr->sadb_x_ipsecrequest_level) {
case IPSEC_LEVEL_DEFAULT:
level = "default";
break;
case IPSEC_LEVEL_USE:
level = "use";
break;
case IPSEC_LEVEL_REQUIRE:
level = "require";
break;
case IPSEC_LEVEL_UNIQUE:
level = "unique";
break;
default:
__ipsec_errcode = EIPSEC_INVAL_LEVEL;
return NULL;
}
if (xisr->sadb_x_ipsecrequest_reqid == 0)
snprintf(buf, len, "%s/%s/%s/%s", proto, mode, abuf, level);
else {
int ch;
if (xisr->sadb_x_ipsecrequest_reqid > IPSEC_MANUAL_REQID_MAX)
ch = '#';
else
ch = ':';
snprintf(buf, len, "%s/%s/%s/%s%c%d", proto, mode, abuf, level,
ch, xisr->sadb_x_ipsecrequest_reqid);
}
return buf;
}
static int
set_addresses(buf, len, sa1, sa2)
char *buf;
size_t len;
struct sockaddr *sa1;
struct sockaddr *sa2;
{
char tmp1[NI_MAXHOST], tmp2[NI_MAXHOST];
if (set_address(tmp1, sizeof(tmp1), sa1) == NULL ||
set_address(tmp2, sizeof(tmp2), sa2) == NULL)
return -1;
if (strlen(tmp1) + 1 + strlen(tmp2) + 1 > len)
return -1;
snprintf(buf, len, "%s-%s", tmp1, tmp2);
return 0;
}
static char *
set_address(buf, len, sa)
char *buf;
size_t len;
struct sockaddr *sa;
{
#ifdef NI_WITHSCOPEID
const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID;
#else
const int niflags = NI_NUMERICHOST;
#endif
if (len < 1)
return NULL;
buf[0] = '\0';
if (getnameinfo(sa, sa->sa_len, buf, len, NULL, 0, niflags) != 0)
return NULL;
return buf;
}
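Review bot: `snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf);` in the append step of ipsec_dump_policy uses `buf` as both the destination and a `%s` source, which snprintf leaves undefined for overlapping objects; record `oldlen = strlen(buf)` (declared with the other locals) before computing `buflen` and the realloc, then append with `snprintf(buf + oldlen, buflen - oldlen, "%s%s", delimiter, isrbuf);`. The length walk `while (off < PFKEY_EXTLEN(xpl))` also trusts `sadb_x_ipsecrequest_len` before validating it: a zero length never advances `off` so the loop does not terminate, and a length below `sizeof(*xisr)`, or a remainder shorter than the header, reads fields past the extension, which the later `> bound` test in ipsec_dump_ipsecrequest does not catch. Reject `xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)` (and `PFKEY_EXTLEN(xpl) - off < sizeof(*xisr)`) with EIPSEC_INVAL_SADBMSG in the first loop, which is the same robustness goal the commit description states for the kernel side. Setting EIPSEC_INVAL_PROTO for the `> bound` length failure in ipsec_dump_ipsecrequest is also misleading; EIPSEC_INVAL_SADBMSG, already used for the matching check in the caller, fits better. The opening lines of ipsec_dump_policy are outside this hunk.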


@ -1,4 +1,5 @@
/* $NetBSD: ipsec_get_policylen.c,v 1.2 2000/02/08 13:17:51 itojun Exp $ */
/* $NetBSD: ipsec_get_policylen.c,v 1.3 2000/06/12 10:40:52 itojun Exp $ */
/* $KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.


@ -1,4 +1,7 @@
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" $NetBSD: ipsec_set_policy.3,v 1.7 2000/06/12 10:40:52 itojun Exp $
.\" $KAME: ipsec_set_policy.3,v 1.10 2000/05/07 05:25:03 itojun Exp $
.\"
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@ -25,13 +28,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $NetBSD: ipsec_set_policy.3,v 1.6 2000/01/31 14:15:31 itojun Exp $
.\" KAME Id: ipsec_set_policy.3,v 1.8 2000/01/27 17:59:12 itojun Exp
.\"
.Dd May 5, 1998
.Dt IPSEC_SET_POLICY 3
.Os
.\"
.Sh NAME
.Nm ipsec_set_policy ,
.Nm ipsec_get_policylen ,
@ -40,7 +39,6 @@
.\"
.Sh LIBRARY
.Lb libipsec
.\"
.Sh SYNOPSIS
.Fd #include <netinet6/ipsec.h>
.Ft "char *"
@ -49,7 +47,6 @@
.Fn ipsec_get_policylen "char *buf"
.Ft "char *"
.Fn ipsec_dump_policy "char *buf" "char *delim"
.\"
.Sh DESCRIPTION
.Fn ipsec_set_policy
generates IPsec policy specification structure, namely
@ -92,7 +89,6 @@ returns pointer to dynamically allocated string.
It is caller's responsibility to reclaim the region, by using
.Xr free 3 .
.Pp
.\"
.Fa policy
is formatted as either of the following:
.Bl -tag -width "discard"
@ -110,9 +106,7 @@ means to consult to SPD defined by
.It Ar direction Li bypass
.Li bypass
means to be bypassed the IPsec processing.
.Po
packet will be transmitted in clear
.Pc .
.Pq packet will be transmitted in clear .
This is for privileged socket.
.It Xo
.Ar direction
@ -243,7 +237,6 @@ out ipsec esp/transport/10.1.1.2-10.1.1.1/use
in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
esp/transport/10.1.1.2-10.1.1.1/use
.Ed
.\"
.Sh RETURN VALUES
.Fn ipsec_set_policy
returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
@ -256,14 +249,9 @@ returns a pointer to dynamically allocated region on success,
and
.Dv NULL
on errors.
.\"
.Sh SEE ALSO
.Xr ipsec_strerror 3 ,
.Xr ispec 4 ,
.Xr setkey 8
.\"
.Sh HISTORY
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
.\"
.\" .Sh BUGS
.\" (to be written)


@ -1,4 +1,7 @@
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" $NetBSD: ipsec_strerror.3,v 1.7 2000/06/12 10:40:52 itojun Exp $
.\" $KAME: ipsec_strerror.3,v 1.6 2000/05/07 05:25:03 itojun Exp $
.\"
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@ -25,9 +28,6 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $NetBSD: ipsec_strerror.3,v 1.6 2000/01/31 14:15:31 itojun Exp $
.\" KAME Id: ipsec_strerror.3,v 1.4 2000/01/27 17:59:13 itojun Exp
.\"
.Dd May 6, 1998
.Dt IPSEC_STRERROR 3
.Os
@ -73,7 +73,8 @@ invalid, or overwritten.
always return a pointer to C string.
The C string must not be overwritten by user programs.
.\"
.\" .Sh SEE ALSO
.Sh SEE ALSO
.Xr ipsec_set_policy 3
.\"
.Sh HISTORY
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.


@ -1,4 +1,5 @@
/* $NetBSD: ipsec_strerror.c,v 1.5 2000/03/13 21:23:55 itojun Exp $ */
/* $NetBSD: ipsec_strerror.c,v 1.6 2000/06/12 10:40:52 itojun Exp $ */
/* $KAME: ipsec_strerror.c,v 1.6 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.


@ -1,4 +1,5 @@
/* $NetBSD: ipsec_strerror.h,v 1.5 2000/03/13 21:23:56 itojun Exp $ */
/* $NetBSD: ipsec_strerror.h,v 1.6 2000/06/12 10:40:52 itojun Exp $ */
/* $KAME: ipsec_strerror.h,v 1.7 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.

77
lib/libipsec/libpfkey.h Normal file

@ -0,0 +1,77 @@
/* $NetBSD: libpfkey.h,v 1.1 2000/06/12 10:40:52 itojun Exp $ */
/* $KAME: libpfkey.h,v 1.1 2000/06/08 21:28:32 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
extern void pfkey_sadump __P((struct sadb_msg *));
extern void pfkey_spdump __P((struct sadb_msg *));
struct sockaddr;
int ipsec_check_keylen __P((u_int, u_int, u_int));
u_int pfkey_set_softrate __P((u_int, u_int));
u_int pfkey_get_softrate __P((u_int));
int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_delete __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_get __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_register __P((int, u_int));
int pfkey_recv_register __P((int));
int pfkey_send_flush __P((int, u_int));
int pfkey_send_dump __P((int, u_int));
int pfkey_send_promisc_toggle __P((int, int));
int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spddelete2 __P((int, u_int32_t));
int pfkey_send_spdget __P((int, u_int32_t));
int pfkey_send_spdsetidx __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spdflush __P((int));
int pfkey_send_spddump __P((int));
int pfkey_open __P((void));
void pfkey_close __P((int));
struct sadb_msg *pfkey_recv __P((int));
int pfkey_send __P((int, struct sadb_msg *, int));
int pfkey_align __P((struct sadb_msg *, caddr_t *));
int pfkey_check __P((caddr_t *));
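Review bot: `struct sadb_msg` first appears inside the parameter list of the `pfkey_sadump` prototype with no prior declaration, while only `struct sockaddr;` is forward-declared below it; in C a struct tag introduced in a prototype has prototype scope, so a translation unit that includes this header before the PF_KEY header gets a distinct incomplete type (and the usual "declared inside parameter list" warning) and a type mismatch against the real definitions. Add `struct sadb_msg;` next to `struct sockaddr;`, above the first prototype that uses it. Since this is a new header it should also carry an include guard (e.g. `#ifndef LIBPFKEY_H` / `#define LIBPFKEY_H` / `#endif`), and the two `extern`-qualified prototypes for pfkey_sadump/pfkey_spdump differ in style from every other declaration in the file; dropping `extern` keeps them uniform. The header also relies on the includer to have pulled in `<sys/cdefs.h>` for `__P` and `<sys/types.h>` for `caddr_t`/`u_int`, which is worth a comment at the top.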


@ -1,4 +1,5 @@
/* $NetBSD: pfkey.c,v 1.9 2000/03/13 21:23:56 itojun Exp $ */
/* $NetBSD: pfkey.c,v 1.10 2000/06/12 10:40:52 itojun Exp $ */
/* $KAME: pfkey.c,v 1.31 2000/06/10 14:17:43 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -43,32 +44,31 @@
#include <errno.h>
#include "ipsec_strerror.h"
#include "libpfkey.h"
#define CALLOC(size, cast) (cast)calloc(1, (size))
static int pfkey_send_x1 __P((int so, u_int type, u_int satype, u_int mode,
struct sockaddr *src, struct sockaddr *dst, u_int32_t spi,
u_int32_t reqid, u_int wsize,
caddr_t keymat,
u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen,
u_int flags,
u_int32_t l_alloc, u_int32_t l_bytes,
u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq));
static int pfkey_send_x2 __P((int so, u_int type, u_int satype, u_int mode,
struct sockaddr *src, struct sockaddr *dst, u_int32_t spi));
static int pfkey_send_x3 __P((int so, u_int type, u_int satype));
static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
u_int32_t, u_int32_t, u_int32_t));
static int pfkey_send_x2 __P((int, u_int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
static int pfkey_send_x3 __P((int, u_int, u_int));
static int pfkey_send_x4 __P((int, u_int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, char *, int, u_int32_t));
static int pfkey_send_x5 __P((int, u_int, u_int32_t));
static caddr_t pfkey_setsadbmsg __P((caddr_t buf, u_int type, u_int tlen,
u_int satype, u_int mode, u_int32_t reqid, u_int32_t seq, pid_t pid));
static caddr_t pfkey_setsadbsa __P((caddr_t buf, u_int32_t spi, u_int wsize,
u_int auth, u_int enc, u_int32_t flags));
static caddr_t pfkey_setsadbaddr __P((caddr_t buf, u_int exttype,
struct sockaddr *saddr, u_int prefixlen, u_int ul_proto));
static caddr_t pfkey_setsadbkey(caddr_t buf, u_int type,
caddr_t key, u_int keylen);
static caddr_t pfkey_setsadblifetime(caddr_t buf, u_int type,
u_int32_t l_alloc, u_int32_t l_bytes,
u_int32_t l_addtime, u_int32_t l_usetime);
static caddr_t pfkey_setsadbmsg __P((caddr_t, u_int, u_int,
u_int, u_int32_t, pid_t));
static caddr_t pfkey_setsadbsa __P((caddr_t, u_int32_t, u_int,
u_int, u_int, u_int32_t));
static caddr_t pfkey_setsadbaddr __P((caddr_t, u_int,
struct sockaddr *, u_int, u_int));
static caddr_t pfkey_setsadbkey __P((caddr_t, u_int, caddr_t, u_int));
static caddr_t pfkey_setsadblifetime __P((caddr_t, u_int, u_int32_t, u_int32_t,
u_int32_t, u_int32_t));
static caddr_t pfkey_setsadbxsa2 __P((caddr_t, u_int32_t, u_int32_t));
/*
* check key length against algorithm specified.
@ -224,6 +224,7 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
int len;
int need_spirange = 0;
caddr_t p;
int plen;
/* validity check */
if (src == NULL || dst == NULL) {
@ -238,9 +239,21 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
__ipsec_errcode = EIPSEC_INVAL_SPI;
return -1;
}
switch (src->sa_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
default:
__ipsec_errcode = EIPSEC_INVAL_FAMILY;
return -1;
}
/* create new sadb_msg to send. */
len = sizeof(struct sadb_msg)
+ sizeof(struct sadb_x_sa2)
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(src->sa_len)
+ sizeof(struct sadb_address)
@ -257,21 +270,17 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
}
p = pfkey_setsadbmsg((caddr_t)newmsg, SADB_GETSPI,
len, satype, mode, reqid, seq, getpid());
len, satype, seq, getpid());
p = pfkey_setsadbxsa2(p, mode, reqid);
/* set sadb_address for source */
p = pfkey_setsadbaddr(p,
SADB_EXT_ADDRESS_SRC,
src,
_INALENBYAF(src->sa_family) << 3,
IPSEC_ULPROTO_ANY);
p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_SRC, src, plen,
IPSEC_ULPROTO_ANY);
/* set sadb_address for destination */
p = pfkey_setsadbaddr(p,
SADB_EXT_ADDRESS_DST,
dst,
_INALENBYAF(dst->sa_family) << 3,
IPSEC_ULPROTO_ANY);
p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_DST, dst, plen,
IPSEC_ULPROTO_ANY);
/* proccessing spi range */
if (need_spirange) {
@ -544,7 +553,6 @@ pfkey_send_promisc_toggle(so, flag)
/*
* sending SADB_X_SPDADD message to the kernel.
* The length of key material is a_keylen + e_keylen.
* OUT:
* positive: success and return length sent.
* -1 : error occured, and set errno.
@ -554,135 +562,140 @@ pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
int so;
struct sockaddr *src, *dst;
u_int prefs, prefd, proto;
char *policy;
caddr_t policy;
int policylen;
u_int32_t seq;
{
struct sadb_msg *newmsg;
int len;
caddr_t p;
/* validity check */
if (src == NULL || dst == NULL) {
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
if (src->sa_family != dst->sa_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
if (prefs > (_INALENBYAF(src->sa_family) << 3)
|| prefd > (_INALENBYAF(dst->sa_family) << 3)) {
__ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
return -1;
}
/* create new sadb_msg to reply. */
len = sizeof(struct sadb_msg)
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(_SALENBYAF(src->sa_family))
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(_SALENBYAF(src->sa_family))
+ policylen;
if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
__ipsec_set_strerror(strerror(errno));
return -1;
}
p = pfkey_setsadbmsg((caddr_t)newmsg, SADB_X_SPDADD, len,
SADB_SATYPE_UNSPEC, IPSEC_MODE_ANY, 0,
seq, getpid());
p = pfkey_setsadbaddr(p,
SADB_EXT_ADDRESS_SRC,
src,
prefs,
proto);
p = pfkey_setsadbaddr(p,
SADB_EXT_ADDRESS_DST,
dst,
prefd,
proto);
memcpy(p, policy, policylen);
/* send message */
len = pfkey_send(so, newmsg, len);
free(newmsg);
if (len < 0)
if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
src, prefs, dst, prefd, proto,
policy, policylen, seq)) < 0)
return -1;
__ipsec_errcode = EIPSEC_NO_ERROR;
return len;
}
/*
* sending SADB_X_SPDDELETE message to the kernel.
* The length of key material is a_keylen + e_keylen.
* sending SADB_X_SPDUPDATE message to the kernel.
* OUT:
* positive: success and return length sent.
* -1 : error occured, and set errno.
*/
int
pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, seq)
pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
int so;
struct sockaddr *src, *dst;
u_int prefs, prefd, proto;
caddr_t policy;
int policylen;
u_int32_t seq;
{
struct sadb_msg *newmsg;
int len;
caddr_t p;
/* validity check */
if (src == NULL || dst == NULL) {
if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
src, prefs, dst, prefd, proto,
policy, policylen, seq)) < 0)
return -1;
return len;
}
/*
* sending SADB_X_SPDDELETE message to the kernel.
* OUT:
* positive: success and return length sent.
* -1 : error occured, and set errno.
*/
int
pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
int so;
struct sockaddr *src, *dst;
u_int prefs, prefd, proto;
caddr_t policy;
int policylen;
u_int32_t seq;
{
int len;
if (policylen != sizeof(struct sadb_x_policy)) {
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
if (src->sa_family != dst->sa_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
src, prefs, dst, prefd, proto,
policy, policylen, seq)) < 0)
return -1;
}
if (prefs > (_INALENBYAF(src->sa_family) << 3)
|| prefd > (_INALENBYAF(dst->sa_family) << 3)) {
__ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
return len;
}
/*
* sending SADB_X_SPDDELETE message to the kernel.
* OUT:
* positive: success and return length sent.
* -1 : error occured, and set errno.
*/
int
pfkey_send_spddelete2(so, spid)
int so;
u_int32_t spid;
{
int len;
if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0)
return -1;
return len;
}
/*
* sending SADB_X_SPDGET message to the kernel.
* OUT:
* positive: success and return length sent.
* -1 : error occured, and set errno.
*/
int
pfkey_send_spdget(so, spid)
int so;
u_int32_t spid;
{
int len;
if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0)
return -1;
return len;
}
/*
* sending SADB_X_SPDSETIDX message to the kernel.
* OUT:
* positive: success and return length sent.
* -1 : error occured, and set errno.
*/
int
pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
int so;
struct sockaddr *src, *dst;
u_int prefs, prefd, proto;
caddr_t policy;
int policylen;
u_int32_t seq;
{
int len;
if (policylen != sizeof(struct sadb_x_policy)) {
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
/* create new sadb_msg to reply. */
len = sizeof(struct sadb_msg)
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(_SALENBYAF(src->sa_family))
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(_SALENBYAF(src->sa_family));
if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
__ipsec_set_strerror(strerror(errno));
return -1;
}
p = pfkey_setsadbmsg((caddr_t)newmsg, SADB_X_SPDDELETE, len,
SADB_SATYPE_UNSPEC, IPSEC_MODE_ANY, 0,
seq, getpid());
p = pfkey_setsadbaddr(p,
SADB_EXT_ADDRESS_SRC,
src,
prefs,
proto);
p = pfkey_setsadbaddr(p,
SADB_EXT_ADDRESS_DST,
dst,
prefd,
proto);
/* send message */
len = pfkey_send(so, newmsg, len);
free(newmsg);
if (len < 0)
if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
src, prefs, dst, prefd, proto,
policy, policylen, seq)) < 0)
return -1;
__ipsec_errcode = EIPSEC_NO_ERROR;
return len;
}
@ -739,6 +752,7 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
struct sadb_msg *newmsg;
int len;
caddr_t p;
int plen;
/* validity check */
if (src == NULL || dst == NULL) {
@ -749,6 +763,17 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
switch (src->sa_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
default:
__ipsec_errcode = EIPSEC_INVAL_FAMILY;
return -1;
}
switch (satype) {
case SADB_SATYPE_ESP:
@ -777,6 +802,7 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
/* create new sadb_msg to reply. */
len = sizeof(struct sadb_msg)
+ sizeof(struct sadb_sa)
+ sizeof(struct sadb_x_sa2)
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(src->sa_len)
+ sizeof(struct sadb_address)
@ -795,18 +821,13 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
}
p = pfkey_setsadbmsg((caddr_t)newmsg, type, len,
satype, mode, reqid, seq, getpid());
satype, seq, getpid());
p = pfkey_setsadbsa(p, spi, wsize, a_type, e_type, flags);
p = pfkey_setsadbaddr(p,
SADB_EXT_ADDRESS_SRC,
src,
_INALENBYAF(src->sa_family) << 3,
IPSEC_ULPROTO_ANY);
p = pfkey_setsadbaddr(p,
SADB_EXT_ADDRESS_DST,
dst,
_INALENBYAF(dst->sa_family) << 3,
IPSEC_ULPROTO_ANY);
p = pfkey_setsadbxsa2(p, mode, reqid);
p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_SRC, src, plen,
IPSEC_ULPROTO_ANY);
p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_DST, dst, plen,
IPSEC_ULPROTO_ANY);
if (e_type != SADB_EALG_NONE)
p = pfkey_setsadbkey(p, SADB_EXT_KEY_ENCRYPT,
@ -843,6 +864,7 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi)
struct sadb_msg *newmsg;
int len;
caddr_t p;
int plen;
/* validity check */
if (src == NULL || dst == NULL) {
@ -853,6 +875,17 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi)
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
switch (src->sa_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
default:
__ipsec_errcode = EIPSEC_INVAL_FAMILY;
return -1;
}
/* create new sadb_msg to reply. */
len = sizeof(struct sadb_msg)
@ -867,18 +900,12 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi)
return -1;
}
p = pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, mode, 0, 0, getpid());
p = pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, 0, getpid());
p = pfkey_setsadbsa(p, spi, 0, 0, 0, 0);
p = pfkey_setsadbaddr(p,
SADB_EXT_ADDRESS_SRC,
src,
_INALENBYAF(src->sa_family) << 3,
IPSEC_ULPROTO_ANY);
p = pfkey_setsadbaddr(p,
SADB_EXT_ADDRESS_DST,
dst,
_INALENBYAF(dst->sa_family) << 3,
IPSEC_ULPROTO_ANY);
p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_SRC, src, plen,
IPSEC_ULPROTO_ANY);
p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_DST, dst, plen,
IPSEC_ULPROTO_ANY);
/* send message */
len = pfkey_send(so, newmsg, len);
@ -932,7 +959,128 @@ pfkey_send_x3(so, type, satype)
return -1;
}
(void)pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, 0, 0, 0, getpid());
(void)pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, 0, getpid());
/* send message */
len = pfkey_send(so, newmsg, len);
free(newmsg);
if (len < 0)
return -1;
__ipsec_errcode = EIPSEC_NO_ERROR;
return len;
}
/* sending SADB_X_SPDADD message to the kernel */
static int
pfkey_send_x4(so, type, src, prefs, dst, prefd, proto, policy, policylen, seq)
int so;
struct sockaddr *src, *dst;
u_int type, prefs, prefd, proto;
char *policy;
int policylen;
u_int32_t seq;
{
struct sadb_msg *newmsg;
int len;
caddr_t p;
int plen;
/* validity check */
if (src == NULL || dst == NULL) {
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
if (src->sa_family != dst->sa_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
switch (src->sa_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
default:
__ipsec_errcode = EIPSEC_INVAL_FAMILY;
return -1;
}
if (prefs > plen || prefd > plen) {
__ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
return -1;
}
/* create new sadb_msg to reply. */
len = sizeof(struct sadb_msg)
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(src->sa_len)
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(src->sa_len)
+ policylen;
if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
__ipsec_set_strerror(strerror(errno));
return -1;
}
p = pfkey_setsadbmsg((caddr_t)newmsg, type, len,
SADB_SATYPE_UNSPEC, seq, getpid());
p = pfkey_setsadbaddr(p,
SADB_EXT_ADDRESS_SRC,
src,
prefs,
proto);
p = pfkey_setsadbaddr(p,
SADB_EXT_ADDRESS_DST,
dst,
prefd,
proto);
memcpy(p, policy, policylen);
/* send message */
len = pfkey_send(so, newmsg, len);
free(newmsg);
if (len < 0)
return -1;
__ipsec_errcode = EIPSEC_NO_ERROR;
return len;
}
/* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
static int
pfkey_send_x5(so, type, spid)
int so;
u_int type;
u_int32_t spid;
{
struct sadb_msg *newmsg;
struct sadb_x_policy xpl;
int len;
caddr_t p;
/* create new sadb_msg to reply. */
len = sizeof(struct sadb_msg)
+ sizeof(xpl);
if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
__ipsec_set_strerror(strerror(errno));
return -1;
}
p = pfkey_setsadbmsg((caddr_t)newmsg, type, len,
SADB_SATYPE_UNSPEC, 0, getpid());
memset(&xpl, 0, sizeof(xpl));
xpl.sadb_x_policy_len = PFKEY_UNUNIT64(sizeof(xpl));
xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
xpl.sadb_x_policy_id = spid;
memcpy(p, &xpl, sizeof(xpl));
/* send message */
len = pfkey_send(so, newmsg, len);
@ -1125,6 +1273,7 @@ pfkey_align(msg, mhp)
case SADB_EXT_SUPPORTED_ENCRYPT:
case SADB_EXT_SPIRANGE:
case SADB_X_EXT_POLICY:
case SADB_X_EXT_SA2:
mhp[ext->sadb_ext_type] = (caddr_t)ext;
break;
default:
@ -1264,11 +1413,11 @@ pfkey_check(mhp)
* `buf' must has been allocated sufficiently.
*/
static caddr_t
pfkey_setsadbmsg(buf, type, tlen, satype, mode, reqid, seq, pid)
pfkey_setsadbmsg(buf, type, tlen, satype, seq, pid)
caddr_t buf;
u_int type, satype, mode;
u_int type, satype;
u_int tlen;
u_int32_t reqid, seq;
u_int32_t seq;
pid_t pid;
{
struct sadb_msg *p;
@ -1283,12 +1432,9 @@ pfkey_setsadbmsg(buf, type, tlen, satype, mode, reqid, seq, pid)
p->sadb_msg_errno = 0;
p->sadb_msg_satype = satype;
p->sadb_msg_len = PFKEY_UNIT64(tlen);
p->sadb_msg_mode = mode;
p->sadb_msg_reserved1 = 0;
p->sadb_msg_reserved = 0;
p->sadb_msg_seq = seq;
p->sadb_msg_pid = (u_int32_t)pid;
p->sadb_msg_reqid = reqid;
p->sadb_msg_reserved2 = 0;
return(buf + len);
}
@ -1421,3 +1567,29 @@ pfkey_setsadblifetime(buf, type, l_alloc, l_bytes, l_addtime, l_usetime)
return buf + len;
}
/*
* copy secasvar data into sadb_address.
* `buf' must has been allocated sufficiently.
*/
static caddr_t
pfkey_setsadbxsa2(buf, mode0, reqid)
caddr_t buf;
u_int32_t mode0;
u_int32_t reqid;
{
struct sadb_x_sa2 *p;
u_int8_t mode = mode0 & 0xff;
u_int len;
p = (struct sadb_x_sa2 *)buf;
len = sizeof(struct sadb_x_sa2);
memset(p, 0, len);
p->sadb_x_sa2_len = PFKEY_UNIT64(len);
p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
p->sadb_x_sa2_mode = mode;
p->sadb_x_sa2_reqid = reqid;
return(buf + len);
}


@ -1,4 +1,5 @@
/* $NetBSD: pfkey_dump.c,v 1.6 2000/02/08 13:17:52 itojun Exp $ */
/* $NetBSD: pfkey_dump.c,v 1.7 2000/06/12 10:40:52 itojun Exp $ */
/* $KAME: pfkey_dump.c,v 1.19 2000/06/10 06:47:11 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -46,8 +47,10 @@
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <netdb.h>
#include "ipsec_strerror.h"
#include "libpfkey.h"
#define GETMSGSTR(str, num) \
do { \
@ -60,13 +63,10 @@ do { \
printf("%s ", (str)[(num)]); \
} while (0)
#define GETAF(p) \
(((struct sockaddr *)(p))->sa_family)
static char *_str_ipaddr __P((u_int family, caddr_t addr));
static char *_str_prefport __P((u_int family, u_int pref, u_int port));
static char *_str_time __P((time_t t));
static void _str_lifetime_byte __P((struct sadb_lifetime *x, char *str));
static char *str_ipaddr __P((struct sockaddr *));
static char *str_prefport __P((u_int, u_int, u_int));
static char *str_time __P((time_t));
static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
/*
* Must to be re-written about following strings.
@ -148,6 +148,7 @@ pfkey_sadump(m)
{
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_sa *m_sa;
struct sadb_x_sa2 *m_sa2;
struct sadb_lifetime *m_lftc, *m_lfth, *m_lfts;
struct sadb_address *m_saddr, *m_daddr, *m_paddr;
struct sadb_key *m_auth, *m_enc;
@ -165,6 +166,7 @@ pfkey_sadump(m)
}
m_sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
m_sa2 = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2];
m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
m_lfts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
@ -182,34 +184,36 @@ pfkey_sadump(m)
printf("no ADDRESS_SRC extension.\n");
return;
}
printf("%s ",
_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)));
printf("%s ", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
/* destination address */
if (m_daddr == NULL) {
printf("no ADDRESS_DST extension.\n");
return;
}
printf("%s ",
_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)));
printf("%s ", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
/* SA type */
if (m_sa == NULL) {
printf("no SA extension.\n");
return;
}
if (m_sa2 == NULL) {
printf("no SA2 extension.\n");
return;
}
printf("\n\t");
GETMSGSTR(_str_satype, m->sadb_msg_satype);
printf("mode=");
GETMSGSTR(_str_mode, m->sadb_msg_mode);
GETMSGSTR(_str_mode, m_sa2->sadb_x_sa2_mode);
printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n",
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
(u_int32_t)m->sadb_msg_reqid,
(u_int32_t)m->sadb_msg_reqid);
(u_int32_t)m_sa2->sadb_x_sa2_reqid,
(u_int32_t)m_sa2->sadb_x_sa2_reqid);
/* encryption key */
if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
@ -252,8 +256,8 @@ pfkey_sadump(m)
time_t tmp_time = time(0);
printf("\tcreated: %s",
_str_time(m_lftc->sadb_lifetime_addtime));
printf("\tcurrent: %s\n", _str_time(tmp_time));
str_time(m_lftc->sadb_lifetime_addtime));
printf("\tcurrent: %s\n", str_time(tmp_time));
printf("\tdiff: %lu(s)",
(u_long)(m_lftc->sadb_lifetime_addtime == 0 ?
0 : (tmp_time - m_lftc->sadb_lifetime_addtime)));
@ -266,7 +270,7 @@ pfkey_sadump(m)
0 : m_lfts->sadb_lifetime_addtime));
printf("\tlast: %s",
_str_time(m_lftc->sadb_lifetime_usetime));
str_time(m_lftc->sadb_lifetime_usetime));
printf("\thard: %lu(s)",
(u_long)(m_lfth == NULL ?
0 : m_lfth->sadb_lifetime_usetime));
@ -274,9 +278,9 @@ pfkey_sadump(m)
(u_long)(m_lfts == NULL ?
0 : m_lfts->sadb_lifetime_usetime));
_str_lifetime_byte(m_lftc, "current");
_str_lifetime_byte(m_lfth, "hard");
_str_lifetime_byte(m_lfts, "soft");
str_lifetime_byte(m_lftc, "current");
str_lifetime_byte(m_lfth, "hard");
str_lifetime_byte(m_lfts, "soft");
printf("\n");
printf("\tallocated: %lu",
@ -290,7 +294,7 @@ pfkey_sadump(m)
}
/* XXX DEBUG */
printf("\trefcnt=%u\n", m->sadb_msg_reserved2);
printf("\trefcnt=%u\n", m->sadb_msg_reserved);
return;
}
@ -299,9 +303,12 @@ void
pfkey_spdump(m)
struct sadb_msg *m;
{
char pbuf[NI_MAXSERV];
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_address *m_saddr, *m_daddr;
struct sadb_x_policy *m_xpl;
struct sockaddr *sa;
u_int16_t port;
/* check pfkey message. */
if (pfkey_align(m, mhp)) {
@ -322,22 +329,46 @@ pfkey_spdump(m)
printf("no ADDRESS_SRC extension.\n");
return;
}
printf("%s%s ",
_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)),
_str_prefport(GETAF(m_saddr + 1),
m_saddr->sadb_address_prefixlen,
_INPORTBYSA(m_saddr + 1)));
sa = (struct sockaddr *)(m_saddr + 1);
switch (sa->sa_family) {
case AF_INET:
case AF_INET6:
if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
NI_NUMERICSERV) != 0)
port = 0; /*XXX*/
else
port = atoi(pbuf);
printf("%s%s ", str_ipaddr(sa),
str_prefport(sa->sa_family,
m_saddr->sadb_address_prefixlen, port));
break;
default:
printf("unknown-af ");
break;
}
/* destination address */
if (m_daddr == NULL) {
printf("no ADDRESS_DST extension.\n");
return;
}
printf("%s%s ",
_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)),
_str_prefport(GETAF(m_daddr + 1),
m_daddr->sadb_address_prefixlen,
_INPORTBYSA(m_daddr + 1)));
sa = (struct sockaddr *)(m_daddr + 1);
switch (sa->sa_family) {
case AF_INET:
case AF_INET6:
if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
NI_NUMERICSERV) != 0)
port = 0; /*XXX*/
else
port = atoi(pbuf);
printf("%s%s ", str_ipaddr(sa),
str_prefport(sa->sa_family,
m_daddr->sadb_address_prefixlen, port));
break;
default:
printf("unknown-af ");
break;
}
/* upper layer protocol */
if (m_saddr->sadb_address_proto != m_daddr->sadb_address_proto) {
@ -364,12 +395,13 @@ pfkey_spdump(m)
free(d_xpl);
}
printf("\tseq=%ld pid=%ld\n",
printf("\tspid=%ld seq=%ld pid=%ld\n",
(u_long)m_xpl->sadb_x_policy_id,
(u_long)m->sadb_msg_seq,
(u_long)m->sadb_msg_pid);
/* XXX TEST */
printf("\trefcnt=%u\n", m->sadb_msg_reserved2);
printf("\trefcnt=%u\n", m->sadb_msg_reserved);
return;
}
@ -378,35 +410,48 @@ pfkey_spdump(m)
* set "ipaddress" to buffer.
*/
static char *
_str_ipaddr(family, addr)
u_int family;
caddr_t addr;
str_ipaddr(sa)
struct sockaddr *sa;
{
static char buf[128];
char addrbuf[128];
static char buf[NI_MAXHOST];
#ifdef NI_WITHSCOPEID
const int niflag = NI_NUMERICHOST | NI_WITHSCOPEID;
#else
const int niflag = NI_NUMERICHOST;
#endif
if (addr == NULL)
if (sa == NULL)
return "";
inet_ntop(family, addr, addrbuf, sizeof(addrbuf));
snprintf(buf, sizeof(buf), "%s", addrbuf);
return buf;
if (getnameinfo(sa, sa->sa_len, buf, sizeof(buf), NULL, 0, niflag) == 0)
return buf;
return NULL;
}
/*
* set "/prefix[port number]" to buffer.
*/
static char *
_str_prefport(family, pref, port)
str_prefport(family, pref, port)
u_int family, pref, port;
{
static char buf[128];
char prefbuf[10];
char portbuf[10];
int plen;
if (pref == (_INALENBYAF(family) << 3))
switch (family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
default:
return "?";
}
if (pref == plen)
prefbuf[0] = '\0';
else
snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
@ -414,7 +459,7 @@ _str_prefport(family, pref, port)
if (port == IPSEC_PORT_ANY)
snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
else
snprintf(portbuf, sizeof(portbuf), "[%u]", ntohs(port));
snprintf(portbuf, sizeof(portbuf), "[%u]", port);
snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
@ -425,7 +470,7 @@ _str_prefport(family, pref, port)
* set "Mon Day Time Year" to buffer
*/
static char *
_str_time(t)
str_time(t)
time_t t;
{
static char buf[128];
@ -445,7 +490,7 @@ _str_time(t)
}
static void
_str_lifetime_byte(x, str)
str_lifetime_byte(x, str)
struct sadb_lifetime *x;
char *str;
{
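Review bot: str_ipaddr() now returns NULL when getnameinfo() fails (the `return NULL;` at the end of the function), but every caller hands its result straight to `printf("%s ", ...)` in pfkey_sadump() and pfkey_spdump(), which is undefined behaviour for a NULL argument and will print "(null)" at best; the old _str_ipaddr() always returned a buffer. Returning a visible placeholder keeps the callers safe: `return "?";` in place of `return NULL;`. The port extraction in pfkey_spdump() is also fragile: on getnameinfo() failure `port = 0; /*XXX*/` makes str_prefport() print `[0]`, indistinguishable from a real port 0, and the getnameinfo()+atoi() round trip could simply read `sin_port`/`sin6_port` directly since the switch already restricts sa_family to AF_INET/AF_INET6.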


@ -1,4 +1,5 @@
/* $NetBSD: policy_parse.y,v 1.2 2000/03/13 21:23:56 itojun Exp $ */
/* $NetBSD: policy_parse.y,v 1.3 2000/06/12 10:40:52 itojun Exp $ */
/* $KAME: policy_parse.y,v 1.10 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -28,7 +29,6 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* KAME Id: policy_parse.y,v 1.7 2000/01/27 17:59:13 itojun Exp */
/*
* IN/OUT bound policy configuration take place such below:
@ -116,6 +116,14 @@ policy_spec
return -1;
}
rules
| DIR
{
p_dir = $1;
p_type = 0; /* ignored it by kernel */
if (init_x_policy())
return -1;
}
;
rules
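Review bot: The new direction-only alternative sets `p_type = 0; /* ignored it by kernel */`, and the comment is both ungrammatical and silent about why a policy type of zero is acceptable here. Presumably this alternative exists for the spddelete form that now takes a `policy_spec` (per the parse.y hunk in this commit), where only the direction matters; if 0 happens to coincide with a real IPSEC_POLICY_* value, naming that explicitly would stop a reader from mistaking it for an intentional policy. I would write `p_type = 0; /* direction-only spec (e.g. spddelete): type is not meaningful and the kernel ignores it */`.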


@ -1,4 +1,5 @@
/* $NetBSD: policy_token.l,v 1.3 2000/03/13 21:23:56 itojun Exp $ */
/* $NetBSD: policy_token.l,v 1.4 2000/06/12 10:40:52 itojun Exp $ */
/* $KAME: policy_token.l,v 1.9 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.


@ -1,4 +1,5 @@
/* $NetBSD: pfkeyv2.h,v 1.4 2000/02/09 03:27:29 itojun Exp $ */
/* $NetBSD: pfkeyv2.h,v 1.5 2000/06/12 10:40:37 itojun Exp $ */
/* $KAME: pfkeyv2.h,v 1.16 2000/06/10 06:39:54 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,8 +30,6 @@
* SUCH DAMAGE.
*/
/* KAME Id: keyv2.h,v 1.14 2000/01/29 06:21:03 itojun Exp */
/*
* This file has been derived rfc 2367,
* And added some flags of SADB_KEY_FLAGS_ as SADB_X_EXT_.
@ -66,16 +65,17 @@ you leave this credit intact on any copies of this file.
#define SADB_X_PROMISC 11
#define SADB_X_PCHANGE 12
#define SADB_X_SPDUPDATE 13 /* not yet */
#define SADB_X_SPDUPDATE 13
#define SADB_X_SPDADD 14
#define SADB_X_SPDDELETE 15
#define SADB_X_SPDGET 16 /* not yet */
#define SADB_X_SPDACQUIRE 17 /* not yet */
#define SADB_X_SPDDELETE 15 /* by policy index */
#define SADB_X_SPDGET 16
#define SADB_X_SPDACQUIRE 17
#define SADB_X_SPDDUMP 18
#define SADB_X_SPDFLUSH 19
#define SADB_X_SPDSETIDX 20 /* add only SPD selector */
#define SADB_X_SPDSETIDX 20
#define SADB_X_SPDEXPIRE 21 /* not yet */
#define SADB_MAX 21
#define SADB_X_SPDDELETE2 22 /* by policy id */
#define SADB_MAX 22
struct sadb_msg {
u_int8_t sadb_msg_version;
@ -83,13 +83,9 @@ struct sadb_msg {
u_int8_t sadb_msg_errno;
u_int8_t sadb_msg_satype;
u_int16_t sadb_msg_len;
u_int8_t sadb_msg_mode; /* XXX */
u_int8_t sadb_msg_reserved1;
u_int16_t sadb_msg_reserved;
u_int32_t sadb_msg_seq;
u_int32_t sadb_msg_pid;
u_int32_t sadb_msg_reqid; /* XXX */
/* when policy mng, value is zero. */
u_int32_t sadb_msg_reserved2;
};
struct sadb_ext {
@ -214,14 +210,32 @@ struct sadb_x_kmprivate {
u_int32_t sadb_x_kmprivate_reserved;
};
/*
* XXX Additional SA Extension.
* mode: tunnel or transport
* reqid: to make SA unique nevertheless the address pair of SA are same.
* Mainly it's for VPN.
*/
struct sadb_x_sa2 {
u_int16_t sadb_x_sa2_len;
u_int16_t sadb_x_sa2_exttype;
u_int8_t sadb_x_sa2_mode;
u_int8_t sadb_x_sa2_reserved1;
u_int16_t sadb_x_sa2_reserved2;
u_int32_t sadb_x_sa2_reserved3;
u_int32_t sadb_x_sa2_reqid;
};
/* XXX Policy Extension */
/* sizeof(struct sadb_x_policy) == 8 */
/* sizeof(struct sadb_x_policy) == 16 */
struct sadb_x_policy {
u_int16_t sadb_x_policy_len;
u_int16_t sadb_x_policy_exttype;
u_int16_t sadb_x_policy_type; /* See policy type of ipsec.h */
u_int8_t sadb_x_policy_dir; /* direction, see ipsec.h */
u_int8_t sadb_x_policy_reserved;
u_int32_t sadb_x_policy_id;
u_int32_t sadb_x_policy_reserved2;
};
/*
* When policy_type == IPSEC, it is followed by some of
@ -271,7 +285,8 @@ struct sadb_x_ipsecrequest {
#define SADB_EXT_SPIRANGE 16
#define SADB_X_EXT_KMPRIVATE 17
#define SADB_X_EXT_POLICY 18
#define SADB_EXT_MAX 18
#define SADB_X_EXT_SA2 19
#define SADB_EXT_MAX 19
#define SADB_SATYPE_UNSPEC 0
#define SADB_SATYPE_AH 2
@ -281,7 +296,8 @@ struct sadb_x_ipsecrequest {
#define SADB_SATYPE_RIPV2 7
#define SADB_SATYPE_MIP 8
#define SADB_X_SATYPE_IPCOMP 9
#define SADB_SATYPE_MAX 9
#define SADB_X_SATYPE_POLICY 10
#define SADB_SATYPE_MAX 11
#define SADB_SASTATE_LARVAL 0
#define SADB_SASTATE_MATURE 1
@ -370,57 +386,9 @@ struct sadb_x_ipsecrequest {
#define PFKEY_ADDR_SADDR(ext) \
((struct sockaddr *)((caddr_t)(ext) + sizeof(struct sadb_address)))
#if 1
/* in 64bits */
#define PFKEY_UNUNIT64(a) ((a) << 3)
#define PFKEY_UNIT64(a) ((a) >> 3)
#else
#define PFKEY_UNUNIT64(a) (a)
#define PFKEY_UNIT64(a) (a)
#endif
#ifndef _KERNEL
extern void pfkey_sadump __P((struct sadb_msg *));
extern void pfkey_spdump __P((struct sadb_msg *));
struct sockaddr;
int ipsec_check_keylen __P((u_int, u_int, u_int));
u_int pfkey_set_softrate __P((u_int, u_int));
u_int pfkey_get_softrate __P((u_int));
int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_delete __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_get __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_register __P((int, u_int));
int pfkey_recv_register __P((int));
int pfkey_send_flush __P((int, u_int));
int pfkey_send_dump __P((int, u_int));
int pfkey_send_promisc_toggle __P((int, int));
int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, u_int32_t));
int pfkey_send_spdflush __P((int));
int pfkey_send_spddump __P((int));
int pfkey_open __P((void));
void pfkey_close __P((int));
struct sadb_msg *pfkey_recv __P((int));
int pfkey_send __P((int, struct sadb_msg *, int));
int pfkey_align __P((struct sadb_msg *, caddr_t *));
int pfkey_check __P((caddr_t *));
#endif /*!_KERNEL*/
#endif /* __PFKEY_V2_H */
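Review bot: `SADB_SATYPE_MAX` is bumped to 11 while the highest value actually defined next to it is `SADB_X_SATYPE_POLICY 10`; before this change MAX matched the top value (9 for SADB_X_SATYPE_IPCOMP), so any range check of the form `satype > SADB_SATYPE_MAX` will now accept an 11 that no definition names. If the extra slot is a deliberate reservation it deserves a comment; otherwise `#define SADB_SATYPE_MAX 10`. The header comment on `struct sadb_x_sa2` ("to make SA unique nevertheless the address pair of SA are same") would read better as "reqid: distinguishes SAs that share the same address pair (mainly for VPN use)".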


@ -1,4 +1,4 @@
/* $NetBSD: ipsec.c,v 1.21 2000/06/03 16:14:02 itojun Exp $ */
/* $NetBSD: ipsec.c,v 1.22 2000/06/12 10:40:46 itojun Exp $ */
/* $KAME: ipsec.c,v 1.65 2000/06/03 15:51:28 itojun Exp $ */
/*
@ -1891,7 +1891,7 @@ ipsec4_encapsulate(m, sav)
}
#if 0
/* XXX if the dst is myself, perform nothing. */
if (key_ismyaddr(AF_INET, _INADDRBYSA(&sav->sah->saidx.dst))) {
if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
m_freem(m);
return EINVAL;
}
@ -2008,7 +2008,7 @@ ipsec6_encapsulate(m, sav)
}
#if 0
/* XXX if the dst is myself, perform nothing. */
if (key_ismyaddr(AF_INET6, _INADDRBYSA(&sav->sah->saidx.dst))) {
if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
m_freem(m);
return EINVAL;
}



@ -1,4 +1,5 @@
/* $NetBSD: key.h,v 1.5 2000/01/31 14:19:12 itojun Exp $ */
/* $NetBSD: key.h,v 1.6 2000/06/12 10:40:47 itojun Exp $ */
/* $KAME: key.h,v 1.17 2000/06/12 07:01:13 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,8 +30,6 @@
* SUCH DAMAGE.
*/
/* KAME Id: key.h,v 1.8 2000/01/29 06:21:01 itojun Exp */
#ifndef _NETKEY_KEY_H_
#define _NETKEY_KEY_H_
@ -47,38 +46,30 @@ struct socket;
struct sadb_msg;
struct sadb_x_policy;
extern struct secpolicy *key_allocsp __P((struct secpolicyindex *spidx,
u_int dir));
extern struct secpolicy *key_allocsp __P((struct secpolicyindex *, u_int));
extern int key_checkrequest
__P((struct ipsecrequest *isr, struct secasindex *saidx));
extern struct secasvar *key_allocsa __P((u_int family, caddr_t src, caddr_t dst,
u_int proto, u_int32_t spi));
extern void key_freesp __P((struct secpolicy *sp));
extern void key_freeso __P((struct socket *so));
extern void key_freesav __P((struct secasvar *sav));
__P((struct ipsecrequest *isr, struct secasindex *));
extern struct secasvar *key_allocsa __P((u_int, caddr_t, caddr_t,
u_int, u_int32_t));
extern void key_freesp __P((struct secpolicy *));
extern void key_freeso __P((struct socket *));
extern void key_freesav __P((struct secasvar *));
extern struct secpolicy *key_newsp __P((void));
extern struct secpolicy *key_msg2sp __P((struct sadb_x_policy *xpl0,
size_t len, int *error));
extern struct mbuf *key_sp2msg __P((struct secpolicy *sp));
extern int key_ismyaddr __P((u_int family, caddr_t addr));
extern struct secpolicy *key_msg2sp __P((struct sadb_x_policy *,
size_t, int *));
extern struct mbuf *key_sp2msg __P((struct secpolicy *));
extern int key_ismyaddr __P((struct sockaddr *));
extern int key_spdacquire __P((struct secpolicy *));
extern void key_timehandler __P((void));
extern void key_srandom __P((void));
extern void key_freereg __P((struct socket *so));
extern int key_parse __P((struct sadb_msg **msgp, struct socket *so,
int *targetp));
extern void key_freereg __P((struct socket *));
extern int key_parse __P((struct mbuf *, struct socket *));
extern void key_init __P((void));
extern int key_checktunnelsanity __P((struct secasvar *sav, u_int family,
caddr_t src, caddr_t dst));
extern void key_sa_recordxfer __P((struct secasvar *sav, struct mbuf *m));
extern void key_sa_routechange __P((struct sockaddr *dst));
extern int key_checktunnelsanity __P((struct secasvar *, u_int,
caddr_t, caddr_t));
extern void key_sa_recordxfer __P((struct secasvar *, struct mbuf *));
extern void key_sa_routechange __P((struct sockaddr *));
#ifdef MALLOC_DECLARE
MALLOC_DECLARE(M_SECA);
#endif /* MALLOC_DECLARE */
#if defined(__bsdi__) || defined(__NetBSD__)
extern int key_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
#endif
#endif /* defined(_KERNEL) */
#endif /* _NETKEY_KEY_H_ */
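Review bot: The new `key_parse __P((struct mbuf *, struct socket *))` prototype carries no statement of mbuf ownership, yet the keysock.c hunk in this commit sets `m = NULL` unconditionally after the call, so key_parse() must free (or pass on) the chain on every path including error returns; a caller that does not know this will either leak or double-free. I would add above the prototype `/* key_parse() takes ownership of the mbuf chain and frees it on all paths */`. Separately, key_allocsa() and key_checktunnelsanity() still take `(u_int family, caddr_t src, caddr_t dst)` while key_ismyaddr() has moved to `struct sockaddr *` in this same hunk; presumably the remaining family/caddr_t pairs are slated for the same treatment, and a note to that effect would help.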


@ -1,4 +1,5 @@
/* $NetBSD: key_debug.c,v 1.9 2000/02/06 12:49:50 itojun Exp $ */
/* $NetBSD: key_debug.c,v 1.10 2000/06/12 10:40:47 itojun Exp $ */
/* $KAME: key_debug.c,v 1.20 2000/06/10 06:39:54 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,8 +30,6 @@
* SUCH DAMAGE.
*/
/* KAME Id: key_debug.c,v 1.10 2000/01/29 06:21:01 itojun Exp */
#ifdef _KERNEL
#include "opt_inet.h"
#endif
@ -66,6 +65,7 @@ static void kdebug_sadb_lifetime __P((struct sadb_ext *));
static void kdebug_sadb_sa __P((struct sadb_ext *));
static void kdebug_sadb_address __P((struct sadb_ext *));
static void kdebug_sadb_key __P((struct sadb_ext *));
static void kdebug_sadb_x_sa2 __P((struct sadb_ext *));
#ifdef _KERNEL
static void kdebug_secreplay __P((struct secreplay *));
@ -92,11 +92,9 @@ kdebug_sadb(base)
printf("sadb_msg{ version=%u type=%u errno=%u satype=%u\n",
base->sadb_msg_version, base->sadb_msg_type,
base->sadb_msg_errno, base->sadb_msg_satype);
printf(" len=%u mode=%u seq=%u pid=%u reqid=%u\n",
base->sadb_msg_len, base->sadb_msg_mode,
base->sadb_msg_seq, base->sadb_msg_pid, base->sadb_msg_reqid);
printf(" reserved1=%u reserved2=%u\n",
base->sadb_msg_reserved1, base->sadb_msg_reserved2);
printf(" len=%u reserved=%u seq=%u pid=%u\n",
base->sadb_msg_len, base->sadb_msg_reserved,
base->sadb_msg_seq, base->sadb_msg_pid);
tlen = PFKEY_UNUNIT64(base->sadb_msg_len) - sizeof(struct sadb_msg);
ext = (struct sadb_ext *)((caddr_t)base + sizeof(struct sadb_msg));
@ -151,6 +149,9 @@ kdebug_sadb(base)
case SADB_X_EXT_POLICY:
kdebug_sadb_x_policy(ext);
break;
case SADB_X_EXT_SA2:
kdebug_sadb_x_sa2(ext);
break;
default:
printf("kdebug_sadb: invalid ext_type %u was passed.\n",
ext->sadb_ext_type);
@ -383,6 +384,25 @@ kdebug_sadb_key(ext)
return;
}
static void
kdebug_sadb_x_sa2(ext)
struct sadb_ext *ext;
{
struct sadb_x_sa2 *sa2 = (struct sadb_x_sa2 *)ext;
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_x_sa2: NULL pointer was passed.\n");
printf("sadb_x_sa2{ mode=%u reqid=%u\n",
sa2->sadb_x_sa2_mode, sa2->sadb_x_sa2_reqid);
printf(" reserved1=%u reserved2=%u reserved3=%u }\n",
sa2->sadb_x_sa2_reserved1, sa2->sadb_x_sa2_reserved1,
sa2->sadb_x_sa2_reserved1);
return;
}
void
kdebug_sadb_x_policy(ext)
struct sadb_ext *ext;
@ -394,9 +414,9 @@ kdebug_sadb_x_policy(ext)
if (ext == NULL)
panic("kdebug_sadb_x_policy: NULL pointer was passed.\n");
printf("sadb_x_policy{ type=%u dir=%u reserved=%x }\n",
printf("sadb_x_policy{ type=%u dir=%u id=%x }\n",
xpl->sadb_x_policy_type, xpl->sadb_x_policy_dir,
xpl->sadb_x_policy_reserved);
xpl->sadb_x_policy_id);
if (xpl->sadb_x_policy_type == IPSEC_POLICY_IPSEC) {
int tlen;
@ -617,7 +637,7 @@ kdebug_mbufhdr(m)
{
/* sanity check */
if (m == NULL)
panic("debug_mbufhdr: NULL pointer was passed.\n");
return;
printf("mbuf(%p){ m_next:%p m_nextpkt:%p m_data:%p "
"m_len:%d m_type:0x%02x m_flags:0x%02x }\n",
@ -661,23 +681,35 @@ void
kdebug_sockaddr(addr)
struct sockaddr *addr;
{
struct sockaddr_in *sin;
#ifdef INET6
struct sockaddr_in6 *sin6;
#endif
/* sanity check */
if (addr == NULL)
panic("kdebug_sockaddr: NULL pointer was passed.\n");
/* NOTE: We deal with port number as host byte order. */
printf("sockaddr{ len=%u family=%u port=%u\n",
addr->sa_len, addr->sa_family, ntohs(_INPORTBYSA(addr)));
printf("sockaddr{ len=%u family=%u", addr->sa_len, addr->sa_family);
switch (addr->sa_family) {
case AF_INET:
sin = (struct sockaddr_in *)addr;
printf(" port=%u\n", ntohs(sin->sin_port));
ipsec_hexdump((caddr_t)&sin->sin_addr, sizeof(sin->sin_addr));
break;
#ifdef INET6
if (addr->sa_family == PF_INET6) {
struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)addr;
case AF_INET6:
sin6 = (struct sockaddr_in6 *)addr;
printf(" port=%u\n", ntohs(sin6->sin6_port));
printf(" flowinfo=0x%08x, scope_id=0x%08x\n",
in6->sin6_flowinfo, in6->sin6_scope_id);
}
sin6->sin6_flowinfo, sin6->sin6_scope_id);
ipsec_hexdump((caddr_t)&sin6->sin6_addr,
sizeof(sin6->sin6_addr));
break;
#endif
ipsec_hexdump(_INADDRBYSA(addr), _INALENBYAF(addr->sa_family));
}
printf(" }\n");
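Review bot: kdebug_sadb_x_sa2() prints `sadb_x_sa2_reserved1` three times under the labels reserved1/reserved2/reserved3, so the output for reserved2 and reserved3 is wrong; the argument list should be `sa2->sadb_x_sa2_reserved1, sa2->sadb_x_sa2_reserved2,` followed by `sa2->sadb_x_sa2_reserved3);`. Since this function exists to show whether a peer is stuffing data into reserved fields, printing the wrong fields defeats its purpose. Unrelated but in the same file, kdebug_sockaddr() now has no `default:` arm, so an unexpected sa_family prints only `len=`/`family=` with no closing note; a `default: printf(" (unknown family)\n"); break;` would make that visible.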


@ -1,4 +1,5 @@
/* $NetBSD: key_debug.h,v 1.5 2000/01/31 14:19:12 itojun Exp $ */
/* $NetBSD: key_debug.h,v 1.6 2000/06/12 10:40:48 itojun Exp $ */
/* $KAME: key_debug.h,v 1.6 2000/03/27 05:11:05 sumikawa Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,8 +30,6 @@
* SUCH DAMAGE.
*/
/* KAME Id: key_debug.h,v 1.3 2000/01/29 06:21:02 itojun Exp */
#ifndef _NETKEY_KEY_DEBUG_H_
#define _NETKEY_KEY_DEBUG_H_


@ -1,4 +1,5 @@
/* $NetBSD: key_var.h,v 1.7 2000/01/31 14:19:12 itojun Exp $ */
/* $NetBSD: key_var.h,v 1.8 2000/06/12 10:40:48 itojun Exp $ */
/* $KAME: key_var.h,v 1.8 2000/05/24 17:28:23 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -87,47 +88,11 @@
}
#endif
#ifdef _KERNEL
#define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))
#define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3))
#define _KEYBITS(key) ((u_int)((key)->sadb_key_bits))
#define _KEYBUF(key) ((caddr_t)((caddr_t)(key) + sizeof(struct sadb_key)))
#define _INADDR(in) ((struct sockaddr_in *)(in))
#ifdef INET6
#define _IN6ADDR(in6) ((struct sockaddr_in6 *)(in6))
#define _SALENBYAF(family) \
(((family) == AF_INET) ? \
(u_int)sizeof(struct sockaddr_in) : \
(u_int)sizeof(struct sockaddr_in6))
#define _INALENBYAF(family) \
(((family) == AF_INET) ? \
(u_int)sizeof(struct in_addr) : \
(u_int)sizeof(struct in6_addr))
#define _INADDRBYSA(saddr) \
((((struct sockaddr *)(saddr))->sa_family == AF_INET) ? \
(caddr_t)&((struct sockaddr_in *)(saddr))->sin_addr : \
(caddr_t)&((struct sockaddr_in6 *)(saddr))->sin6_addr)
#define _INPORTBYSA(saddr) \
((((struct sockaddr *)(saddr))->sa_family == AF_INET) ? \
((struct sockaddr_in *)(saddr))->sin_port : \
((struct sockaddr_in6 *)(saddr))->sin6_port)
#if 0
#define _SADDRBYSA(saddr) \
((((struct sockaddr *)(saddr))->sa_family == AF_INET) ? \
(caddr_t)&((struct sockaddr_in *)(saddr))->sin_addr.s_addr : \
(caddr_t)&((struct sockaddr_in6 *)(saddr))->sin6_addr.s6_addr)
#endif
#else
#define _IN6ADDR(in6) "#error"
#define _SALENBYAF(family) sizeof(struct sockaddr_in)
#define _INALENBYAF(family) sizeof(struct in_addr)
#define _INADDRBYSA(saddr) ((caddr_t)&((struct sockaddr_in *)(saddr))->sin_addr)
#define _INPORTBYSA(saddr) (((struct sockaddr_in *)(saddr))->sin_port)
#if 0
#define _SADDRBYSA(saddr) \
((caddr_t)&((struct sockaddr_in *)(saddr))->sin_addr.s_addr)
#endif
#endif /* defined(INET6) */
#endif /*_KERNEL*/
#endif /* _NETKEY_KEY_VAR_H_ */


@ -1,4 +1,5 @@
/* $NetBSD: keydb.c,v 1.2 2000/02/06 12:49:50 itojun Exp $ */
/* $NetBSD: keydb.c,v 1.3 2000/06/12 10:40:48 itojun Exp $ */
/* $KAME: keydb.c,v 1.64 2000/05/11 17:02:30 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,8 +30,6 @@
* SUCH DAMAGE.
*/
/* KAME Id: keydb.c,v 1.58 2000/01/17 14:11:16 itojun Exp */
#include "opt_inet.h"
#include "opt_ipsec.h"
@ -138,9 +137,14 @@ keydb_freesecasvar(p)
{
int s;
#ifdef __NetBSD__
s = splsoftnet();
#else
s = splnet();
#endif
p->refcnt--;
if (p->refcnt == 0)
/* negative refcnt will cause panic intentionally */
if (p->refcnt <= 0)
keydb_delsecasvar(p);
splx(s);
}
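Review bot: The comment `/* negative refcnt will cause panic intentionally */` is not backed by the code below it: `if (p->refcnt <= 0)` simply hands a negative refcnt (a double key_freesav) to keydb_delsecasvar() exactly like a zero one, so whether anything panics depends on that function, which is outside this hunk. If `refcnt` is an unsigned field, `<= 0` is just `== 0` and the comment is misleading; if it is signed, make the intent real with `if (p->refcnt < 0) panic("keydb_freesecasvar: negative refcnt");` before the delete. Either way the comment should say what actually happens here rather than what is hoped to happen elsewhere.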


@ -1,4 +1,5 @@
/* $NetBSD: keydb.h,v 1.4 2000/01/31 14:19:13 itojun Exp $ */
/* $NetBSD: keydb.h,v 1.5 2000/06/12 10:40:48 itojun Exp $ */
/* $KAME: keydb.h,v 1.10 2000/03/25 07:24:13 sumikawa Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.


@ -1,4 +1,5 @@
/* $NetBSD: keysock.c,v 1.9 2000/03/30 13:03:58 augustss Exp $ */
/* $NetBSD: keysock.c,v 1.10 2000/06/12 10:40:48 itojun Exp $ */
/* $KAME: keysock.c,v 1.22 2000/05/23 13:19:21 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,8 +30,6 @@
* SUCH DAMAGE.
*/
/* KAME Id: keysock.c,v 1.10 2000/01/29 06:21:02 itojun Exp */
#include "opt_inet.h"
/* This code has derived from sys/net/rtsock.c on FreeBSD2.2.5 */
@ -61,7 +60,6 @@
struct sockaddr key_dst = { 2, PF_KEY, };
struct sockaddr key_src = { 2, PF_KEY, };
struct sockproto key_proto = { PF_KEY, PF_KEY_V2 };
static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
@ -71,18 +69,30 @@ struct pfkeystat pfkeystat;
* key_usrreq()
* derived from net/rtsock.c:route_usrreq()
*/
#ifndef __NetBSD__
int
key_usrreq(so, req, m, nam, control)
register struct socket *so;
int req;
struct mbuf *m, *nam, *control;
#else
int
key_usrreq(so, req, m, nam, control, p)
struct socket *so;
register struct socket *so;
int req;
struct mbuf *m, *nam, *control;
struct proc *p;
#endif /*__NetBSD__*/
{
int error = 0;
struct keycb *kp = (struct keycb *)sotorawcb(so);
register int error = 0;
register struct keycb *kp = (struct keycb *)sotorawcb(so);
int s;
#ifdef __NetBSD__
s = splsoftnet();
#else
s = splnet();
#endif
if (req == PRU_ATTACH) {
kp = (struct keycb *)malloc(sizeof(*kp), M_PCB, M_WAITOK);
so->so_pcb = (caddr_t)kp;
@ -140,10 +150,9 @@ key_output(m, va_alist)
va_dcl
#endif
{
struct sadb_msg *msg = NULL;
struct sadb_msg *msg;
int len, error = 0;
int s;
int target;
struct socket *so;
va_list ap;
@ -183,7 +192,7 @@ key_output(m, va_alist)
#ifdef IPSEC_DEBUG
KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m));
#endif /* defined(IPSEC_DEBUG) */
#endif
msg = mtod(m, struct sadb_msg *);
pfkeystat.out_msgtype[msg->sadb_msg_type]++;
@ -196,39 +205,19 @@ key_output(m, va_alist)
goto end;
}
/*
* allocate memory for sadb_msg, and copy to sadb_msg from mbuf
* XXX: To be processed directly without a copy.
*/
msg = (struct sadb_msg *)malloc(len, M_SECA, M_NOWAIT);
if (msg == NULL) {
#ifdef IPSEC_DEBUG
printf("key_output: No more memory.\n");
#endif
error = ENOBUFS;
pfkeystat.out_nomem++;
goto end;
/* or do panic ? */
}
m_copydata(m, 0, len, (caddr_t)msg);
/*XXX giant lock*/
#ifdef __NetBSD__
s = splsoftnet();
if ((len = key_parse(&msg, so, &target)) == 0) {
/* discard. i.e. no need to reply. */
/* msg has been freed at key_parse() */
error = 0;
splx(s);
goto end;
}
/* send up message to the socket */
error = key_sendup(so, msg, len, target);
#else
s = splnet();
#endif
error = key_parse(m, so);
m = NULL;
splx(s);
free(msg, M_SECA);
end:
m_freem(m);
return (error);
if (m)
m_freem(m);
return error;
}
/*
@ -250,7 +239,7 @@ key_sendup0(rp, m, promisc)
#ifdef IPSEC_DEBUG
printf("key_sendup0: cannot pullup\n");
#endif
pfkeystat.in_nomem++;
pfkeystat.in_nomem++;
m_freem(m);
return ENOBUFS;
}
@ -309,7 +298,7 @@ key_sendup(so, msg, len, target)
/*
* Get mbuf chain whenever possible (not clusters),
* to save socket buffer. We'll be generating many SADB_ACQUIRE
* messages to listening key sockets. If we simmply allocate clusters,
* messages to listening key sockets. If we simply allocate clusters,
* sbappendaddr() will raise ENOBUFS due to too little sbspace().
* sbspace() computes # of actual data bytes AND mbuf region.
*
@ -364,6 +353,7 @@ key_sendup(so, msg, len, target)
return key_sendup_mbuf(so, m, target);
}
/* so can be NULL if target != KEY_SENDUP_ONE */
int
key_sendup_mbuf(so, m, target)
struct socket *so;
@ -374,9 +364,11 @@ key_sendup_mbuf(so, m, target)
struct keycb *kp;
int sendup;
struct rawcb *rp;
int error;
int error = 0;
if (so == NULL || m == NULL)
if (m == NULL)
panic("key_sendup_mbuf: NULL pointer was passed.\n");
if (so == NULL && target == KEY_SENDUP_ONE)
panic("key_sendup_mbuf: NULL pointer was passed.\n");
pfkeystat.in_total++;
@ -422,14 +414,14 @@ key_sendup_mbuf(so, m, target)
}
/* the exact target will be processed later */
if (sotorawcb(so) == rp)
if (so && sotorawcb(so) == rp)
continue;
sendup = 0;
switch (target) {
case KEY_SENDUP_ONE:
/* the statement has no effect */
if (sotorawcb(so) == rp)
if (so && sotorawcb(so) == rp)
sendup++;
break;
case KEY_SENDUP_ALL:
@ -462,8 +454,13 @@ key_sendup_mbuf(so, m, target)
n = NULL;
}
error = key_sendup0(sotorawcb(so), m, 0);
m = NULL;
if (so) {
error = key_sendup0(sotorawcb(so), m, 0);
m = NULL;
} else {
error = 0;
m_freem(m);
}
return error;
}
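Review bot: key_output() no longer copies the message into a contiguous buffer (the malloc()/m_copydata() block is removed) but still reads `msg = mtod(m, struct sadb_msg *)` and `msg->sadb_msg_type` from the first mbuf before `key_parse(m, so)`, which is only safe if an m_pullup() of at least sizeof(struct sadb_msg) happened earlier in the function, outside this hunk, and key_parse() must now do its own pullups for every extension header it touches. Since `m = NULL` follows the call unconditionally, key_parse() is being trusted to free the chain on every path; I would state that at the call site, `/* key_parse() owns m from here and frees it on all paths */`. The `pfkeystat.out_msgtype[msg->sadb_msg_type]++` index is an 8-bit value from userland and is fine only if the array has 256 entries — worth confirming. key_output()'s body begins outside the hunk.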


@ -1,4 +1,5 @@
/* $NetBSD: keysock.h,v 1.5 2000/01/31 14:19:13 itojun Exp $ */
/* $NetBSD: keysock.h,v 1.6 2000/06/12 10:40:48 itojun Exp $ */
/* $KAME: keysock.h,v 1.8 2000/03/27 05:11:06 sumikawa Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,8 +30,6 @@
* SUCH DAMAGE.
*/
/* KAME Id: keysock.h,v 1.5 2000/01/29 06:21:03 itojun Exp */
#ifndef _NETKEY_KEYSOCK_H_
#define _NETKEY_KEYSOCK_H_


@ -1,9 +1,10 @@
# $NetBSD: Makefile,v 1.5 2000/03/13 21:04:07 itojun Exp $
# $NetBSD: Makefile,v 1.6 2000/06/12 10:40:50 itojun Exp $
PROG= setkey
SRCS= setkey.c parse.y token.l
CFLAGS+=-g
CPPFLAGS+=-I${.CURDIR}/../../lib/libipsec
LDADD+= -ll -ly
DPADD+= ${LIBL} ${LIBY}
CLEANFILES+= y.tab.c y.tab.h key_test.o keytest


@ -1,4 +1,5 @@
/* $NetBSD: parse.y,v 1.5 2000/03/06 22:19:27 itojun Exp $ */
/* $NetBSD: parse.y,v 1.6 2000/06/12 10:40:50 itojun Exp $ */
/* $KAME: parse.y,v 1.29 2000/06/10 14:17:44 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -28,7 +29,6 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* KAME Id: parse.y,v 1.14 1999/12/30 15:13:27 sakane Exp */
%{
#include <sys/types.h>
@ -45,9 +45,11 @@
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <netdb.h>
#include <ctype.h>
#include <errno.h>
#include "libpfkey.h"
#include "vchar.h"
#define ATOX(c) \
@ -78,6 +80,7 @@ extern char cmdarg[8192];
extern int f_debug;
int setkeymsg __P((void));
static struct addrinfo *parse_addr __P((char *, char *, int));
static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
void parse_init __P((void));
void free_buffer __P((void));
@ -86,7 +89,8 @@ extern int setkeymsg __P((void));
extern int sendkeymsg __P((void));
extern int yylex __P((void));
extern void yyerror __P((char *));
extern void yyfatal __P((const char *));
extern void yyerror __P((const char *));
%}
%union {
@ -96,7 +100,7 @@ extern void yyerror __P((char *));
%token EOT
%token ADD GET DELETE FLUSH DUMP
%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT PORTANY
%token ADDRESS PREFIX PORT PORTANY
%token UP_PROTO PR_ESP PR_AH PR_IPCOMP
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
%token F_MODE MODE F_REQID
@ -112,7 +116,7 @@ extern void yyerror __P((char *));
%type <num> UP_PROTO PR_ESP PR_AH PR_IPCOMP
%type <num> ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
%type <num> DECSTRING
%type <val> IP4_ADDRESS IP6_ADDRESS PL_REQUESTS
%type <val> ADDRESS PL_REQUESTS
%type <val> key_string policy_requests
%type <val> QUOTEDSTRING HEXSTRING
@ -154,13 +158,23 @@ add_command
/* delete */
delete_command
: DELETE { p_type = SADB_DELETE; }
sa_selector_spec extension_spec EOT
sa_selector_spec extension_spec
{
if (p_mode != IPSEC_MODE_ANY)
yyerror("WARNING: mode is obsoleted.");
}
EOT
;
/* get command */
get_command
: GET { p_type = SADB_GET; }
sa_selector_spec extension_spec EOT
sa_selector_spec extension_spec
{
if (p_mode != IPSEC_MODE_ANY)
yyerror("WARNING: mode is obsoleted.");
}
EOT
;
/* flush */
@ -345,7 +359,7 @@ key_string
if ((pp_key = malloc($1.len)) == 0) {
free($1.buf);
yyerror(strerror(errno));
yyerror("not enough core");
return -1;
}
memset(pp_key, 0, $1.len);
@ -367,7 +381,7 @@ extension_spec
extension
: F_EXT EXTENSION { p_ext |= $2; }
| F_EXT NOCYCLICSEQ { p_ext ^= SADB_X_EXT_CYCSEQ; }
| F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; }
| F_MODE MODE { p_mode = $2; }
| F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
| F_REQID DECSTRING { p_reqid = $2; }
@ -401,7 +415,7 @@ spddelete_command:
p_type = SADB_X_SPDDELETE;
p_satype = SADB_SATYPE_UNSPEC;
}
sp_selector_spec EOT
sp_selector_spec policy_spec EOT
;
spddump_command:
@ -426,12 +440,46 @@ spdflush_command:
sp_selector_spec
: ipaddress { p_src = pp_addr; }
prefix { p_prefs = pp_prefix; }
port { _INPORTBYSA(p_src) = htons(pp_port); }
port
{
switch (p_src->sa_family) {
case AF_INET:
((struct sockaddr_in *)p_src)->sin_port =
htons(pp_port);
break;
#ifdef INET6
case AF_INET6:
((struct sockaddr_in6 *)p_src)->sin6_port =
htons(pp_port);
break;
#endif
default:
exit(1); /*XXX*/
}
}
ipaddress { p_dst = pp_addr; }
prefix { p_prefd = pp_prefix; }
port { _INPORTBYSA(p_dst) = htons(pp_port); }
port
{
switch (p_dst->sa_family) {
case AF_INET:
((struct sockaddr_in *)p_dst)->sin_port =
htons(pp_port);
break;
#ifdef INET6
case AF_INET6:
((struct sockaddr_in6 *)p_dst)->sin6_port =
htons(pp_port);
break;
#endif
default:
exit(1); /*XXX*/
}
}
upper_spec
{
/* XXX is it something userland should check? */
#if 0
switch (p_upper) {
case IPPROTO_ICMP:
case IPPROTO_ICMPV6:
@ -440,57 +488,41 @@ sp_selector_spec
yyerror("port number must be \"any\".");
return -1;
}
if ((pp_addr->sa_family == AF_INET6
&& p_upper == IPPROTO_ICMP)
|| (pp_addr->sa_family == AF_INET
&& p_upper == IPPROTO_ICMPV6)) {
yyerror("upper layer protocol "
"mismatched.\n");
return -1;
}
break;
default:
break;
}
#endif
}
;
ipaddress
: IP4_ADDRESS
: ADDRESS
{
struct sockaddr_in *in;
u_int sa_len = $1.len;
struct addrinfo *res;
if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0) {
yyerror(strerror(errno));
res = parse_addr($1.buf, NULL, AI_NUMERICHOST);
if (res == NULL) {
free($1.buf);
return -1;
}
memset((caddr_t)in, 0, sa_len);
in->sin_family = PF_INET;
in->sin_len = sa_len;
in->sin_port = IPSEC_PORT_ANY;
(void)inet_pton(PF_INET, $1.buf, &in->sin_addr);
pp_addr = (struct sockaddr *)in;
free($1.buf);
}
| IP6_ADDRESS
{
#ifdef INET6
struct sockaddr_in6 *in6;
u_int sa_len = $1.len;
if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0) {
free($1.buf);
yyerror(strerror(errno));
return -1;
pp_addr = (struct sockaddr *)malloc(res->ai_addrlen);
if (!pp_addr) {
yyerror("not enough core");
goto end;
}
memset((caddr_t)in6, 0, sa_len);
in6->sin6_family = PF_INET6;
in6->sin6_len = sa_len;
in6->sin6_port = IPSEC_PORT_ANY;
(void)inet_pton(PF_INET6, $1.buf,
&in6->sin6_addr);
pp_addr = (struct sockaddr *)in6;
#else
yyerror("IPv6 address not supported");
#endif
memcpy(pp_addr, res->ai_addr, res->ai_addrlen);
end:
freeaddrinfo(res);
free($1.buf);
}
;
@ -547,12 +579,9 @@ setkeymsg()
m_msg.sadb_msg_type = p_type;
m_msg.sadb_msg_errno = 0;
m_msg.sadb_msg_satype = p_satype;
m_msg.sadb_msg_mode = p_mode;
m_msg.sadb_msg_reserved1 = 0;
m_msg.sadb_msg_reserved = 0;
m_msg.sadb_msg_seq = 0;
m_msg.sadb_msg_pid = getpid();
m_msg.sadb_msg_reqid = p_reqid;
m_msg.sadb_msg_reserved2 = 0;
m_len = sizeof(struct sadb_msg);
memcpy(m_buf, &m_msg, m_len);
@ -632,6 +661,7 @@ setkeymsg()
case SADB_GET:
{
struct sadb_sa m_sa;
struct sadb_x_sa2 m_sa2;
struct sadb_address m_addr;
u_int len;
@ -648,14 +678,36 @@ setkeymsg()
memcpy(m_buf + m_len, &m_sa, len);
m_len += len;
len = sizeof(struct sadb_x_sa2);
m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
m_sa2.sadb_x_sa2_mode = p_mode;
m_sa2.sadb_x_sa2_reqid = p_reqid;
memcpy(m_buf + m_len, &m_sa2, len);
m_len += len;
/* set src */
m_addr.sadb_address_len =
PFKEY_UNIT64(sizeof(m_addr)
+ PFKEY_ALIGN8(p_src->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
m_addr.sadb_address_prefixlen =
_INALENBYAF(p_src->sa_family) << 3;
switch (p_src->sa_family) {
case AF_INET:
m_addr.sadb_address_prefixlen =
sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
m_addr.sadb_address_prefixlen =
sizeof(struct in6_addr) << 3;
break;
#endif
default:
yyerror("unsupported address family");
exit(1); /*XXX*/
}
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@ -668,8 +720,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_dst->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
m_addr.sadb_address_prefixlen =
_INALENBYAF(p_dst->sa_family) << 3;
switch (p_dst->sa_family) {
case AF_INET:
m_addr.sadb_address_prefixlen =
sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
m_addr.sadb_address_prefixlen =
sizeof(struct in6_addr) << 3;
break;
#endif
default:
yyerror("unsupported address family");
exit(1); /*XXX*/
}
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@ -684,17 +749,15 @@ setkeymsg()
break;
case SADB_X_SPDADD:
case SADB_X_SPDDELETE:
{
struct sadb_address m_addr;
u_int8_t plen;
memcpy(m_buf + m_len, p_policy, p_policy_len);
m_len += p_policy_len;
free(p_policy);
p_policy = NULL;
}
/* FALLTHROUGH */
case SADB_X_SPDDELETE:
{
struct sadb_address m_addr;
/* set src */
m_addr.sadb_address_len =
@ -702,9 +765,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_src->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
m_addr.sadb_address_proto = p_upper;
switch (p_src->sa_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
#endif
default:
yyerror("unsupported address family");
exit(1); /*XXX*/
}
m_addr.sadb_address_prefixlen =
(p_prefs != ~0 ? p_prefs :
_INALENBYAF(p_src->sa_family) << 3);
(p_prefs != ~0 ? p_prefs : plen);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@ -717,9 +792,21 @@ setkeymsg()
+ PFKEY_ALIGN8(p_dst->sa_len));
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
m_addr.sadb_address_proto = p_upper;
switch (p_dst->sa_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
#endif
default:
yyerror("unsupported address family");
exit(1); /*XXX*/
}
m_addr.sadb_address_prefixlen =
(p_prefd != ~0 ? p_prefd :
_INALENBYAF(p_dst->sa_family) << 3);
(p_prefd != ~0 ? p_prefd : plen);
m_addr.sadb_address_reserved = 0;
setvarbuf(&m_len,
@ -734,6 +821,30 @@ setkeymsg()
return 0;
}
static struct addrinfo *
parse_addr(host, port, flag)
char *host;
char *port;
int flag;
{
struct addrinfo hints, *res = NULL;
int error;
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_DGRAM;
hints.ai_flags = flag;
error = getaddrinfo(host, port, &hints, &res);
if (error != 0) {
yyerror(gai_strerror(error));
return NULL;
}
if (res->ai_next != NULL) {
yyerror(gai_strerror(error));
}
return res;
}
static int
setvarbuf(off, ebuf, elen, vbuf, vlen)
caddr_t vbuf;
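Review bot: In the `ipaddress` action the malloc failure path leaves `pp_addr` NULL and jumps to `end:` without aborting the parse, so the following `{ p_src = pp_addr; }` and the `p_src->sa_family` switch in `sp_selector_spec` dereference NULL; make that branch return after cleanup: `if (!pp_addr) { yyerror("not enough core"); freeaddrinfo(res); free($1.buf); return -1; }`. In `parse_addr`, the `res->ai_next != NULL` check is only reached when `error == 0`, so `gai_strerror(error)` prints a success string instead of a diagnostic and the extra results are then silently ignored; a literal such as `yyerror("ambiguous address: multiple results")` — plus `freeaddrinfo(res); return NULL;` if that case is meant to be rejected — would be clearer. `struct sadb_x_sa2 m_sa2` in `setkeymsg` is filled field by field with no `memset`, so if the struct carries reserved or padding bytes they are passed to the kernel uninitialized; the `memset(&m_msg, 0, sizeof(m_msg))` added to test-pfkey.c in this same commit is the pattern to follow. `setkeymsg` and `setvarbuf` extend beyond the hunks shown.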


@ -1,5 +1,5 @@
.\" $NetBSD: setkey.8,v 1.10 2000/05/15 16:26:16 itojun Exp $
.\" $KAME: setkey.8,v 1.26 2000/05/15 16:23:55 itojun Exp $
.\" $NetBSD: setkey.8,v 1.11 2000/06/12 10:40:50 itojun Exp $
.\" $KAME: setkey.8,v 1.27 2000/06/10 14:17:44 sakane Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
@ -130,7 +130,6 @@ Add an SAD entry.
.It Xo
.Li get
.Ar src Ar dst Ar protocol Ar spi
.Op Fl m Ar mode
.Li ;
.Xc
Show an SAD entry.
@ -138,7 +137,6 @@ Show an SAD entry.
.It Xo
.Li delete
.Ar src Ar dst Ar protocol Ar spi
.Op Fl m Ar mode
.Li ;
.Xc
Remove an SAD entry.


@ -1,4 +1,5 @@
/* $NetBSD: setkey.c,v 1.6 2000/04/16 16:15:59 itojun Exp $ */
/* $NetBSD: setkey.c,v 1.7 2000/06/12 10:40:50 itojun Exp $ */
/* $KAME: setkey.c,v 1.14 2000/06/10 06:47:09 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -28,7 +29,6 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* KAME Id: setkey.c,v 1.11 2000/04/16 16:14:09 itojun Exp */
#include <sys/types.h>
#include <sys/param.h>
@ -51,6 +51,8 @@
#include <errno.h>
#include <netdb.h>
#include "libpfkey.h"
void Usage __P((void));
int main __P((int, char **));
int get_supported __P((void));
@ -219,12 +221,9 @@ sendkeyshort(type)
m_msg->sadb_msg_errno = 0;
m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_mode = IPSEC_MODE_ANY;
m_msg->sadb_msg_reserved1 = 0;
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
m_msg->sadb_msg_reqid = 0;
m_msg->sadb_msg_reserved2 = 0;
sendkeymsg();
@ -245,12 +244,9 @@ promisc()
m_msg->sadb_msg_errno = 0;
m_msg->sadb_msg_satype = 1;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_mode = IPSEC_MODE_ANY;
m_msg->sadb_msg_reserved1 = 0;
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
m_msg->sadb_msg_reqid = 0;
m_msg->sadb_msg_reserved2 = 0;
if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
err(1, "socket(PF_KEY)");


@ -1,4 +1,5 @@
/* $NetBSD: test-pfkey.c,v 1.3 2000/01/31 14:22:44 itojun Exp $ */
/* $NetBSD: test-pfkey.c,v 1.4 2000/06/12 10:40:50 itojun Exp $ */
/* $KAME: test-pfkey.c,v 1.4 2000/06/07 00:29:14 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -28,7 +29,6 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* KAME Id: test-pfkey.c,v 1.2 1999/10/26 08:09:17 itojun Exp */
#include <sys/types.h>
#include <sys/param.h>
@ -47,6 +47,7 @@
#include <ctype.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
u_char m_buf[BUFSIZ];
u_int m_len;
@ -136,11 +137,14 @@ key_setsadbmsg(type)
{
struct sadb_msg m_msg;
memset(&m_msg, 0, sizeof(m_msg));
m_msg.sadb_msg_version = PF_KEY_V2;
m_msg.sadb_msg_type = type;
m_msg.sadb_msg_errno = 0;
m_msg.sadb_msg_satype = SADB_SATYPE_ESP;
#if 0
m_msg.sadb_msg_reserved = 0;
#endif
m_msg.sadb_msg_seq = 0;
m_msg.sadb_msg_pid = getpid();
@ -467,32 +471,49 @@ key_setsadbaddr(ext, af, str)
caddr_t str;
{
struct sadb_address m_addr;
u_char abuf[64];
struct sockaddr *a = (struct sockaddr *)abuf;
u_int len;
struct addrinfo hints, *res;
const char *serv;
int plen;
switch (af) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
default:
/* XXX bark */
exit(1);
}
/* make sockaddr buffer */
memset(abuf, 0, sizeof(abuf));
a->sa_len = _SALENBYAF(af);
a->sa_family = af;
_INPORTBYSA(a) =
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : htons(0x1234));
if (inet_pton(af, str, _INADDRBYSA(a)) != 1)
; /* XXX do something */
memset(&hints, 0, sizeof(hints));
hints.ai_family = af;
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
hints.ai_flags = AI_NUMERICHOST;
serv = (ext == SADB_EXT_ADDRESS_PROXY ? "0" : "4660"); /*0x1234*/
if (getaddrinfo(str, serv, &hints, &res) != 0 || res->ai_next) {
/* XXX bark */
exit(1);
}
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(a->sa_len);
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(res->ai_addrlen);
m_addr.sadb_address_len = PFKEY_UNIT64(len);
m_addr.sadb_address_exttype = ext;
m_addr.sadb_address_proto =
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : IPPROTO_TCP);
m_addr.sadb_address_prefixlen = _INALENBYAF(af);
m_addr.sadb_address_prefixlen = plen;
m_addr.sadb_address_reserved = 0;
key_setsadbextbuf(m_buf, m_len,
(caddr_t)&m_addr, sizeof(struct sadb_address),
abuf, a->sa_len);
(caddr_t)res->ai_addr, res->ai_addrlen);
m_len += len;
freeaddrinfo(res);
return;
}
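Review bot: Both `/* XXX bark */` branches in `key_setsadbaddr` exit without a diagnostic and the `getaddrinfo` return code is discarded, so a rejected address literal in a test run gives no hint of what failed. Capturing the code, printing `gai_strerror`, and separating the multiple-result case costs a few lines; this assumes `<stdio.h>` is already included above the hunk. `hints.ai_socktype = SOCK_DGRAM` next to `sadb_address_proto = IPPROTO_TCP` reads as a contradiction; the `/*dummy*/` comment could say `/* socktype only shapes the lookup; just ai_addr is used */`.
```c
	int error;
	/* … unchanged: prefix-length switch and hints setup … */
	error = getaddrinfo(str, serv, &hints, &res);
	if (error != 0) {
		fprintf(stderr, "key_setsadbaddr: %s: %s\n", str, gai_strerror(error));
		exit(1);
	}
	if (res->ai_next != NULL) {
		fprintf(stderr, "key_setsadbaddr: %s: ambiguous address\n", str);
		exit(1);
	}
	/* … unchanged: sadb_address fill and key_setsadbextbuf … */
```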


@ -1,4 +1,5 @@
/* $NetBSD: token.l,v 1.6 2000/03/15 00:24:31 itojun Exp $ */
/* $NetBSD: token.l,v 1.7 2000/06/12 10:40:51 itojun Exp $ */
/* $KAME: token.l,v 1.13 2000/06/07 00:29:14 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -71,7 +72,8 @@ extern u_int m_len;
extern int f_debug;
int yylex __P((void));
void yyerror __P((char *s));
void yyfatal __P((const char *s));
void yyerror __P((const char *s));
extern void parse_init __P((void));
int parse __P((FILE **));
int yyparse __P((void));
@ -106,9 +108,7 @@ decstring {digit}+
hexpair {hexdigit}{hexdigit}
hexstring 0[xX]{hexdigit}+
octetstring {octet}({dot}{octet})+
ipaddress {ipv4addr}|{ipv6addr}
ipv4addr {digit}{1,3}({dot}{digit}{1,3}){0,3}
ipv6addr ({hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7}|{hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7}%{letter}+|{hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,5}{colon}{ipv4addr})
ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
ipaddrmask {slash}{digit}{1,3}
ipaddrport {blcl}{decstring}{elcl}
keyword {letter}{letter}+
@ -171,9 +171,6 @@ des-cbc { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC); }
simple { PREPROC; yylval.num = SADB_EALG_NULL; return(ALG_ENC); }
blowfish-cbc { PREPROC; yylval.num = SADB_EALG_BLOWFISHCBC; return(ALG_ENC); }
cast128-cbc { PREPROC; yylval.num = SADB_EALG_CAST128CBC; return(ALG_ENC); }
/*
rc5-cbc { PREPROC; yylval.num = SADB_EALG_RC5CBC; return(ALG_ENC); }
*/
des-deriv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DESDERIV); }
des-32iv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DES32IV); }
@ -221,31 +218,13 @@ any { PREPROC; return(ANY); }
return(DECSTRING);
}
{ipv4addr} {
/*
* I can't supprt the type without dot,
* because it's umbiguous against {decstring}.
* e.g. 127
*/
{ipaddress} {
PREPROC;
yylval.val.len = sizeof(struct sockaddr_in);
yylval.val.len = yyleng;
yylval.val.buf = strdup(yytext);
return(IP4_ADDRESS);
}
{ipv6addr} {
#ifdef INET6
PREPROC;
yylval.val.len = sizeof(struct sockaddr_in6);
yylval.val.buf = strdup(yytext);
return(IP6_ADDRESS);
#else
yyerror("IPv6 address not supported");
#endif
return(ADDRESS);
}
{ipaddrmask} {
@ -296,12 +275,24 @@ any { PREPROC; return(ANY); }
return(QUOTEDSTRING);
}
. { yyerror("Syntax error"); }
. {
yyfatal("Syntax error");
/*NOTREACHED*/
}
%%
void
yyerror(char *s)
yyfatal(s)
const char *s;
{
yyerror(s);
exit(1);
}
void
yyerror(s)
const char *s;
{
printf("line %d: %s at [%s]\n", lineno, s, yytext);
}
@ -321,4 +312,3 @@ parse(fp)
return(0);
}
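Review bot: The new `ipaddress` pattern overlaps `{decstring}`, `{hexstring}` and any keyword spelled only with hex letters (a bare `127` or `abc` matches it at the same length), and the tie is now resolved only by rule order — the `{decstring}` rule immediately above wins, so such input lexes as a number rather than an address; the removed comment was the only place this ambiguity was explained. Suggest restoring a short note above the `{ipaddress}` rule, e.g. `/* overlaps {decstring}/{hexstring}: keep this rule after them, the parser's getaddrinfo(AI_NUMERICHOST) rejects whatever slips through */`. `strdup(yytext)` in the `ADDRESS` action is unchecked; a NULL reaches `parse_addr($1.buf, …)` as a NULL host, which getaddrinfo reports as an error rather than crashing on, but `yyfatal("not enough core")` at the point of failure would be the direct diagnostic.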


@ -1,4 +1,5 @@
/* $NetBSD: vchar.h,v 1.2 1999/07/06 13:13:03 itojun Exp $ */
/* $NetBSD: vchar.h,v 1.3 2000/06/12 10:40:51 itojun Exp $ */
/* $KAME: vchar.h,v 1.2 2000/06/07 00:29:14 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.