upgrade libipsec to the latest.
- parser now uses yacc/lex (there'll be no symbol conflict). - outbound policy and inbound policy is now separate - policy specification for tunnel SA is improved - api changed, bump shlib major XXX some of programs will become not buildable - will commit shortly
This commit is contained in:
parent
2a29f83468
commit
e5e6464767
@ -1,4 +1,4 @@
|
|||||||
# $NetBSD: shl.elf,v 1.14 1999/11/23 11:20:29 blymn Exp $
|
# $NetBSD: shl.elf,v 1.15 2000/01/31 14:15:34 itojun Exp $
|
||||||
./usr/lib/libamu.so.1
|
./usr/lib/libamu.so.1
|
||||||
./usr/lib/libbfd.so.3
|
./usr/lib/libbfd.so.3
|
||||||
./usr/lib/libbz2.so.0
|
./usr/lib/libbz2.so.0
|
||||||
@ -8,7 +8,7 @@
|
|||||||
./usr/lib/libedit.so.2
|
./usr/lib/libedit.so.2
|
||||||
./usr/lib/libg2c.so.0
|
./usr/lib/libg2c.so.0
|
||||||
./usr/lib/libgnumalloc.so.0
|
./usr/lib/libgnumalloc.so.0
|
||||||
./usr/lib/libipsec.so.0
|
./usr/lib/libipsec.so.1
|
||||||
./usr/lib/libkvm.so.5
|
./usr/lib/libkvm.so.5
|
||||||
./usr/lib/libm.so.0
|
./usr/lib/libm.so.0
|
||||||
./usr/lib/libmenu.so.0
|
./usr/lib/libmenu.so.0
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# $NetBSD: shl.mi,v 1.52 2000/01/28 17:40:41 itojun Exp $
|
# $NetBSD: shl.mi,v 1.53 2000/01/31 14:15:34 itojun Exp $
|
||||||
./usr/lib/libamu.so.1.1
|
./usr/lib/libamu.so.1.1
|
||||||
./usr/lib/libbfd.so.3.0
|
./usr/lib/libbfd.so.3.0
|
||||||
./usr/lib/libbz2.so.0.0
|
./usr/lib/libbz2.so.0.0
|
||||||
@ -8,7 +8,7 @@
|
|||||||
./usr/lib/libedit.so.2.3
|
./usr/lib/libedit.so.2.3
|
||||||
./usr/lib/libg2c.so.0.0
|
./usr/lib/libg2c.so.0.0
|
||||||
./usr/lib/libgnumalloc.so.0.0
|
./usr/lib/libgnumalloc.so.0.0
|
||||||
./usr/lib/libipsec.so.0.0
|
./usr/lib/libipsec.so.1.0
|
||||||
./usr/lib/libkvm.so.5.0
|
./usr/lib/libkvm.so.5.0
|
||||||
./usr/lib/libm.so.0.1
|
./usr/lib/libm.so.0.1
|
||||||
./usr/lib/libmenu.so.0.1
|
./usr/lib/libmenu.so.0.1
|
||||||
|
@ -1,17 +1,24 @@
|
|||||||
# $NetBSD: Makefile,v 1.2 1999/07/03 06:59:28 itojun Exp $
|
# $NetBSD: Makefile,v 1.3 2000/01/31 14:15:30 itojun Exp $
|
||||||
|
|
||||||
LIB= ipsec
|
LIB= ipsec
|
||||||
#CFLAGS+=-g
|
CFLAGS+=-g
|
||||||
CPPFLAGS+=-DIPSEC_DEBUG
|
CPPFLAGS+=-DIPSEC_DEBUG -DIPSEC -DINET6 -I. -DYY_NO_UNPUT
|
||||||
CPPFLAGS+=-DIPSEC
|
|
||||||
CPPFLAGS+=-DINET6
|
|
||||||
|
|
||||||
.PATH: ${.CURDIR}/../../sys/netkey
|
.PATH: ${.CURDIR}/../../sys/netkey
|
||||||
SRCS= pfkey.c pfkey_dump.c
|
SRCS= pfkey.c pfkey_dump.c
|
||||||
SRCS+= ipsec_policy.c ipsec_strerror.c key_debug.c
|
SRCS+= ipsec_strerror.c policy_parse.y policy_token.l
|
||||||
|
SRCS+= ipsec_get_policylen.c ipsec_dump_policy.c
|
||||||
|
SRCS+= key_debug.c
|
||||||
|
LPREFIX+=__libyy
|
||||||
|
YPREFIX+=__libyy
|
||||||
|
YHEADER=1
|
||||||
|
|
||||||
|
#LFLAGS+= -olex.yy.c
|
||||||
|
|
||||||
MAN= ipsec_set_policy.3 ipsec_strerror.3
|
MAN= ipsec_set_policy.3 ipsec_strerror.3
|
||||||
MLINKS+=ipsec_set_policy.3 ipsec_get_policylen.3 \
|
MLINKS+=ipsec_set_policy.3 ipsec_get_policylen.3 \
|
||||||
ipsec_set_policy.3 ipsec_dump_policy.3
|
ipsec_set_policy.3 ipsec_dump_policy.3
|
||||||
|
|
||||||
|
CLEANFILES+= y.tab.h
|
||||||
|
|
||||||
.include <bsd.lib.mk>
|
.include <bsd.lib.mk>
|
||||||
|
@ -1,667 +0,0 @@
|
|||||||
/* $NetBSD: ipsec_policy.c,v 1.3 1999/07/04 01:36:12 itojun Exp $ */
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
|
||||||
* All rights reserved.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
* are met:
|
|
||||||
* 1. Redistributions of source code must retain the above copyright
|
|
||||||
* notice, this list of conditions and the following disclaimer.
|
|
||||||
* 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
* notice, this list of conditions and the following disclaimer in the
|
|
||||||
* documentation and/or other materials provided with the distribution.
|
|
||||||
* 3. Neither the name of the project nor the names of its contributors
|
|
||||||
* may be used to endorse or promote products derived from this software
|
|
||||||
* without specific prior written permission.
|
|
||||||
*
|
|
||||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
|
||||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
||||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
||||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
|
||||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
||||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
||||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
||||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
||||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
||||||
* SUCH DAMAGE.
|
|
||||||
*/
|
|
||||||
|
|
||||||
#if 0
|
|
||||||
static char *rcsid = "@(#) ipsec_policy.c KAME Revision: 1.1.4.8";
|
|
||||||
#else
|
|
||||||
#include <sys/cdefs.h>
|
|
||||||
#ifndef lint
|
|
||||||
__RCSID("$NetBSD: ipsec_policy.c,v 1.3 1999/07/04 01:36:12 itojun Exp $");
|
|
||||||
#endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
* The following requests are accepted:
|
|
||||||
* protocol parsed as protocol/default/
|
|
||||||
* protocol/level/proxy
|
|
||||||
* protocol/ parsed as protocol/default/
|
|
||||||
* protocol/level parsed as protocol/level/
|
|
||||||
* protocol/level/ parsed as protocol/level/
|
|
||||||
* protocol/proxy parsed as protocol/default/proxy
|
|
||||||
* protocol//proxy parsed as protocol/default/proxy
|
|
||||||
* protocol// parsed as protocol/default/
|
|
||||||
* You can concatenate these requests with either ' ' or '\n'.
|
|
||||||
*/
|
|
||||||
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/param.h>
|
|
||||||
#include <sys/socket.h>
|
|
||||||
#include <assert.h>
|
|
||||||
|
|
||||||
#include <net/route.h>
|
|
||||||
#include <netinet/in.h>
|
|
||||||
#include <netinet6/ipsec.h>
|
|
||||||
|
|
||||||
#include <netkey/keyv2.h>
|
|
||||||
#include <netkey/key_var.h>
|
|
||||||
|
|
||||||
#include <arpa/inet.h>
|
|
||||||
|
|
||||||
#include <netdb.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <ctype.h>
|
|
||||||
#include <strings.h>
|
|
||||||
#include <errno.h>
|
|
||||||
|
|
||||||
#include "ipsec_strerror.h"
|
|
||||||
|
|
||||||
/* order must be the same */
|
|
||||||
static char *tokens[] = {
|
|
||||||
"discard", "none", "ipsec", "entrust", "bypass",
|
|
||||||
"esp", "ah", "ipcomp", "default", "use", "require", "/", NULL
|
|
||||||
};
|
|
||||||
enum token {
|
|
||||||
t_invalid = -1, t_discard, t_none, t_ipsec, t_entrust, t_bypass,
|
|
||||||
t_esp, t_ah, t_ipcomp, t_default, t_use, t_require, t_slash, t_omit,
|
|
||||||
};
|
|
||||||
static int values[] = {
|
|
||||||
IPSEC_POLICY_DISCARD, IPSEC_POLICY_NONE, IPSEC_POLICY_IPSEC,
|
|
||||||
IPSEC_POLICY_ENTRUST, IPSEC_POLICY_BYPASS,
|
|
||||||
IPPROTO_ESP, IPPROTO_AH, IPPROTO_IPCOMP,
|
|
||||||
IPSEC_LEVEL_DEFAULT, IPSEC_LEVEL_USE, IPSEC_LEVEL_REQUIRE, 0, 0,
|
|
||||||
};
|
|
||||||
struct pbuf {
|
|
||||||
char *buf;
|
|
||||||
int buflen; /* size of the buffer */
|
|
||||||
int off; /* current offset */
|
|
||||||
};
|
|
||||||
|
|
||||||
/* XXX duplicated def */
|
|
||||||
static char *ipsp_strs[] = {
|
|
||||||
"discard", "none", "ipsec", "entrust", "bypass",
|
|
||||||
};
|
|
||||||
|
|
||||||
static enum token gettoken(char *p);
|
|
||||||
static char *skiptoken(char *p, enum token t);
|
|
||||||
static char *skipspaces(char *p);
|
|
||||||
static char *parse_request(struct pbuf *pbuf, char *p);
|
|
||||||
static char *parse_policy(struct pbuf *pbuf, char *p);
|
|
||||||
static char *get_sockaddr(char *host, struct sockaddr *addr);
|
|
||||||
static int parse_setreq(struct pbuf *pbuf, int proto, int level,
|
|
||||||
struct sockaddr *proxy);
|
|
||||||
static int parse_main(struct pbuf *pbuf, char *policy);
|
|
||||||
|
|
||||||
static enum token gettoken(char *p)
|
|
||||||
{
|
|
||||||
int i;
|
|
||||||
int l;
|
|
||||||
|
|
||||||
assert(p);
|
|
||||||
for (i = 0; i < sizeof(tokens)/sizeof(tokens[0]); i++) {
|
|
||||||
if (tokens[i] == NULL)
|
|
||||||
continue;
|
|
||||||
l = strlen(tokens[i]);
|
|
||||||
if (strncmp(p, tokens[i], l) != 0)
|
|
||||||
continue;
|
|
||||||
/* slash alone is okay as token */
|
|
||||||
if (i == t_slash)
|
|
||||||
return i;
|
|
||||||
/* other ones are words, so needs proper termination */
|
|
||||||
if (isspace(p[l]) || p[l] == '/' || p[l] == '\0')
|
|
||||||
return i;
|
|
||||||
}
|
|
||||||
return t_invalid;
|
|
||||||
}
|
|
||||||
|
|
||||||
static char *skiptoken(char *p, enum token t)
|
|
||||||
{
|
|
||||||
assert(p);
|
|
||||||
assert(tokens[t] != NULL);
|
|
||||||
|
|
||||||
if (gettoken(p) != t)
|
|
||||||
return NULL;
|
|
||||||
return p + strlen(tokens[t]);
|
|
||||||
}
|
|
||||||
|
|
||||||
static char *skipspaces(char *p)
|
|
||||||
{
|
|
||||||
assert(p);
|
|
||||||
while (p && isspace(*p))
|
|
||||||
p++;
|
|
||||||
return p;
|
|
||||||
}
|
|
||||||
|
|
||||||
static char *parse_request(struct pbuf *pbuf, char *p)
|
|
||||||
{
|
|
||||||
enum token t;
|
|
||||||
int i;
|
|
||||||
enum token ts[3]; /* set of tokens */
|
|
||||||
struct sockaddr_storage proxy;
|
|
||||||
int isproxy;
|
|
||||||
|
|
||||||
assert(p);
|
|
||||||
assert(pbuf);
|
|
||||||
|
|
||||||
i = 0;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* here, we accept sequence like:
|
|
||||||
* [token slash]* token
|
|
||||||
* and decode that into ts[].
|
|
||||||
*/
|
|
||||||
for (i = 0; i < sizeof(ts)/sizeof(ts[0]); i++)
|
|
||||||
ts[i] = t_invalid;
|
|
||||||
i = 0;
|
|
||||||
while (i < sizeof(ts)/sizeof(ts[0])) {
|
|
||||||
/* get a token */
|
|
||||||
p = skipspaces(p);
|
|
||||||
t = gettoken(p);
|
|
||||||
switch (t) {
|
|
||||||
case t_invalid:
|
|
||||||
/*
|
|
||||||
* this may be a proxy.
|
|
||||||
* this shouldn't be a termination.
|
|
||||||
*/
|
|
||||||
if (*p != '\0')
|
|
||||||
goto breakbreak;
|
|
||||||
goto parseerror;
|
|
||||||
case t_esp:
|
|
||||||
case t_ah:
|
|
||||||
case t_ipcomp:
|
|
||||||
case t_default:
|
|
||||||
case t_use:
|
|
||||||
case t_require:
|
|
||||||
/*
|
|
||||||
* protocol or level - just keep it into ts[],
|
|
||||||
* we'll care about protocol/level ordering afterwards
|
|
||||||
*/
|
|
||||||
ts[i++] = t;
|
|
||||||
p = skiptoken(p, t);
|
|
||||||
break;
|
|
||||||
case t_slash:
|
|
||||||
/*
|
|
||||||
* the user did not specify the token - don't advance
|
|
||||||
* the pointer.
|
|
||||||
*/
|
|
||||||
ts[i++] = t_omit;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
/* bzz, you are wrong */
|
|
||||||
goto parseerror;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* get a slash */
|
|
||||||
p = skipspaces(p);
|
|
||||||
t = gettoken(p);
|
|
||||||
switch (t) {
|
|
||||||
case t_invalid:
|
|
||||||
/* this may be a termination. */
|
|
||||||
if (*p == '\0')
|
|
||||||
goto breakbreak;
|
|
||||||
goto parseerror;
|
|
||||||
case t_esp:
|
|
||||||
case t_ah:
|
|
||||||
case t_ipcomp:
|
|
||||||
/* protocol - we've hit the next request */
|
|
||||||
goto breakbreak;
|
|
||||||
case t_slash:
|
|
||||||
p = skiptoken(p, t);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
/* bzz, you are wrong */
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
breakbreak:
|
|
||||||
|
|
||||||
/* alright, we've got the tokens. */
|
|
||||||
switch (i) {
|
|
||||||
case 0:
|
|
||||||
ipsec_errcode = EIPSEC_NO_PROTO;
|
|
||||||
return NULL; /* no token? naa, go away */
|
|
||||||
case 1:
|
|
||||||
case 2:
|
|
||||||
if (!(ts[0] == t_esp || ts[0] == t_ah || ts[0] == t_ipcomp)) {
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_PROTO;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
if (i == 1) {
|
|
||||||
i++;
|
|
||||||
ts[1] = t_default;
|
|
||||||
}
|
|
||||||
if (ts[1] == t_omit)
|
|
||||||
ts[1] = t_default;
|
|
||||||
if (!(ts[1] == t_default || ts[1] == t_use
|
|
||||||
|| ts[1] == t_require)) {
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_LEVEL;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_LEVEL; /*XXX*/
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* here, we should be having 2 tokens */
|
|
||||||
assert(i == 2);
|
|
||||||
|
|
||||||
/* we may have a proxy here */
|
|
||||||
isproxy = 0;
|
|
||||||
if (*p != '\0' && gettoken(p) == t_invalid) {
|
|
||||||
p = get_sockaddr(p, (struct sockaddr *)&proxy);
|
|
||||||
if (p == NULL) {
|
|
||||||
/* get_sockaddr updates ipsec_errcode */
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
isproxy++;
|
|
||||||
p = skipspaces(p);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (parse_setreq(pbuf, values[ts[0]], values[ts[1]],
|
|
||||||
isproxy ? (struct sockaddr *)&proxy : NULL) < 0) {
|
|
||||||
/* parse_setreq updates ipsec_errcode */
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
return p;
|
|
||||||
|
|
||||||
parseerror:
|
|
||||||
ipsec_errcode = EIPSEC_NO_ERROR; /*sentinel*/
|
|
||||||
switch (i) {
|
|
||||||
case 0:
|
|
||||||
ipsec_errcode = EIPSEC_NO_PROTO;
|
|
||||||
break;
|
|
||||||
case 1:
|
|
||||||
case 2:
|
|
||||||
if (!(ts[0] == t_esp || ts[0] == t_ah || ts[0] == t_ipcomp))
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_PROTO;
|
|
||||||
if (i == 1)
|
|
||||||
break;
|
|
||||||
if (!(ts[1] == t_default || ts[1] == t_use
|
|
||||||
|| ts[1] == t_require)) {
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_LEVEL;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (ipsec_errcode == EIPSEC_NO_ERROR)
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_LEVEL; /*XXX*/
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
static char *parse_policy(struct pbuf *pbuf, char *p)
|
|
||||||
{
|
|
||||||
enum token t;
|
|
||||||
int len;
|
|
||||||
struct sadb_x_policy *policy;
|
|
||||||
|
|
||||||
assert(p);
|
|
||||||
assert(pbuf);
|
|
||||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
|
||||||
|
|
||||||
/* get the token */
|
|
||||||
p = skipspaces(p);
|
|
||||||
t = gettoken(p);
|
|
||||||
switch (t) {
|
|
||||||
case t_discard:
|
|
||||||
case t_none:
|
|
||||||
case t_ipsec:
|
|
||||||
case t_entrust:
|
|
||||||
case t_bypass:
|
|
||||||
p = skiptoken(p, t);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
/* bzz, you're wrong */
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_POLICY;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* construct policy structure */
|
|
||||||
len = PFKEY_ALIGN8(sizeof(*policy));
|
|
||||||
policy = NULL;
|
|
||||||
if (pbuf->buf) {
|
|
||||||
if (pbuf->off + len > pbuf->buflen) {
|
|
||||||
/* buffer overflow */
|
|
||||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
policy = (struct sadb_x_policy *)&pbuf->buf[pbuf->off];
|
|
||||||
memset(policy, 0, sizeof(*policy));
|
|
||||||
policy->sadb_x_policy_len = PFKEY_UNIT64(len);
|
|
||||||
/* update later */
|
|
||||||
policy->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
|
|
||||||
policy->sadb_x_policy_type = values[t];
|
|
||||||
}
|
|
||||||
pbuf->off += len;
|
|
||||||
|
|
||||||
/* alright, go to the next step */
|
|
||||||
while (p && *p)
|
|
||||||
p = parse_request(pbuf, p);
|
|
||||||
|
|
||||||
/* ipsec policy needs request */
|
|
||||||
if (t == t_ipsec && pbuf->off == len) {
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_POLICY;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* update length */
|
|
||||||
if (policy)
|
|
||||||
policy->sadb_x_policy_len = PFKEY_UNIT64(pbuf->off);
|
|
||||||
|
|
||||||
return p;
|
|
||||||
}
|
|
||||||
|
|
||||||
static char *get_sockaddr(char *host, struct sockaddr *addr)
|
|
||||||
{
|
|
||||||
struct sockaddr *saddr = NULL;
|
|
||||||
struct addrinfo hints, *res;
|
|
||||||
char *serv = NULL;
|
|
||||||
int error;
|
|
||||||
char *p, c;
|
|
||||||
|
|
||||||
/* find the next delimiter */
|
|
||||||
p = host;
|
|
||||||
while (p && *p && !isspace(*p) && *p != '/')
|
|
||||||
p++;
|
|
||||||
if (p == host)
|
|
||||||
return NULL;
|
|
||||||
c = *p;
|
|
||||||
*p = '\0';
|
|
||||||
|
|
||||||
memset(&hints, 0, sizeof(hints));
|
|
||||||
hints.ai_family = PF_UNSPEC;
|
|
||||||
if ((error = getaddrinfo(host, serv, &hints, &res)) != 0) {
|
|
||||||
ipsec_set_strerror(gai_strerror(error));
|
|
||||||
*p = c;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (res->ai_addr == NULL) {
|
|
||||||
ipsec_set_strerror(gai_strerror(error));
|
|
||||||
*p = c;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
#if 0
|
|
||||||
if (res->ai_next) {
|
|
||||||
printf("getaddrinfo(%s): "
|
|
||||||
"resolved to multiple address, taking the first one",
|
|
||||||
host);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if ((saddr = malloc(res->ai_addr->sa_len)) == NULL) {
|
|
||||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
|
||||||
freeaddrinfo(res);
|
|
||||||
*p = c;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
memcpy(addr, res->ai_addr, res->ai_addr->sa_len);
|
|
||||||
|
|
||||||
freeaddrinfo(res);
|
|
||||||
|
|
||||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
|
||||||
*p = c;
|
|
||||||
return p;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int parse_setreq(struct pbuf *pbuf, int proto, int level,
|
|
||||||
struct sockaddr *proxy)
|
|
||||||
{
|
|
||||||
struct sadb_x_ipsecrequest *req;
|
|
||||||
int start;
|
|
||||||
int len;
|
|
||||||
|
|
||||||
assert(pbuf);
|
|
||||||
|
|
||||||
start = pbuf->off;
|
|
||||||
|
|
||||||
len = PFKEY_ALIGN8(sizeof(*req));
|
|
||||||
req = NULL;
|
|
||||||
if (pbuf->buf) {
|
|
||||||
if (pbuf->off + len > pbuf->buflen) {
|
|
||||||
/* buffer overflow */
|
|
||||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
req = (struct sadb_x_ipsecrequest *)&pbuf->buf[pbuf->off];
|
|
||||||
memset(req, 0, sizeof(*req));
|
|
||||||
req->sadb_x_ipsecrequest_len = len; /* updated later */
|
|
||||||
req->sadb_x_ipsecrequest_proto = proto;
|
|
||||||
req->sadb_x_ipsecrequest_mode =
|
|
||||||
(proxy == NULL ? IPSEC_MODE_TRANSPORT
|
|
||||||
: IPSEC_MODE_TUNNEL);
|
|
||||||
req->sadb_x_ipsecrequest_level = level;
|
|
||||||
|
|
||||||
}
|
|
||||||
pbuf->off += len;
|
|
||||||
|
|
||||||
if (proxy) {
|
|
||||||
len = PFKEY_ALIGN8(proxy->sa_len);
|
|
||||||
if (pbuf->buf) {
|
|
||||||
if (pbuf->off + len > pbuf->buflen) {
|
|
||||||
/* buffer overflow */
|
|
||||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
memset(&pbuf->buf[pbuf->off], 0, len);
|
|
||||||
memcpy(&pbuf->buf[pbuf->off], proxy, proxy->sa_len);
|
|
||||||
}
|
|
||||||
if (req)
|
|
||||||
req->sadb_x_ipsecrequest_len += len;
|
|
||||||
pbuf->off += len;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int parse_main(struct pbuf *pbuf, char *policy)
|
|
||||||
{
|
|
||||||
char *p;
|
|
||||||
|
|
||||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
|
||||||
|
|
||||||
if (policy == NULL) {
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
p = parse_policy(pbuf, policy);
|
|
||||||
if (!p) {
|
|
||||||
/* ipsec_errcode updated somewhere inside */
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
p = skipspaces(p);
|
|
||||||
if (*p != '\0') {
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* %%% */
|
|
||||||
int ipsec_get_policylen(char *policy)
|
|
||||||
{
|
|
||||||
struct pbuf pbuf;
|
|
||||||
|
|
||||||
memset(&pbuf, 0, sizeof(pbuf));
|
|
||||||
if (parse_main(&pbuf, policy) < 0)
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
|
||||||
return pbuf.off;
|
|
||||||
}
|
|
||||||
|
|
||||||
int ipsec_set_policy(char *buf, int len, char *policy)
|
|
||||||
{
|
|
||||||
struct pbuf pbuf;
|
|
||||||
|
|
||||||
memset(&pbuf, 0, sizeof(pbuf));
|
|
||||||
pbuf.buf = buf;
|
|
||||||
pbuf.buflen = len;
|
|
||||||
if (parse_main(&pbuf, policy) < 0)
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
|
||||||
return pbuf.off;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* policy is sadb_x_policy buffer.
|
|
||||||
* Must call free() later.
|
|
||||||
* When delimiter == NULL, alternatively ' '(space) is applied.
|
|
||||||
*/
|
|
||||||
char *ipsec_dump_policy(char *policy, char *delimiter)
|
|
||||||
{
|
|
||||||
struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
|
|
||||||
struct sadb_x_ipsecrequest *xisr;
|
|
||||||
int xtlen, buflen;
|
|
||||||
char *buf;
|
|
||||||
|
|
||||||
/* sanity check */
|
|
||||||
if (policy == NULL)
|
|
||||||
return NULL;
|
|
||||||
if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* set delimiter */
|
|
||||||
if (delimiter == NULL)
|
|
||||||
delimiter = " ";
|
|
||||||
|
|
||||||
switch (xpl->sadb_x_policy_type) {
|
|
||||||
case IPSEC_POLICY_DISCARD:
|
|
||||||
case IPSEC_POLICY_NONE:
|
|
||||||
case IPSEC_POLICY_IPSEC:
|
|
||||||
case IPSEC_POLICY_BYPASS:
|
|
||||||
case IPSEC_POLICY_ENTRUST:
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_POLICY;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
buflen = strlen(ipsp_strs[xpl->sadb_x_policy_type]) + 1;
|
|
||||||
|
|
||||||
if ((buf = malloc(buflen)) == NULL) {
|
|
||||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
strcpy(buf, ipsp_strs[xpl->sadb_x_policy_type]);
|
|
||||||
|
|
||||||
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
|
|
||||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
|
||||||
return buf;
|
|
||||||
}
|
|
||||||
|
|
||||||
xtlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
|
|
||||||
xisr = (struct sadb_x_ipsecrequest *)(policy + sizeof(*xpl));
|
|
||||||
|
|
||||||
/* count length of buffer for use */
|
|
||||||
/* XXX non-seriously */
|
|
||||||
while (xtlen > 0) {
|
|
||||||
buflen += 20;
|
|
||||||
if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL)
|
|
||||||
buflen += 50;
|
|
||||||
xtlen -= xisr->sadb_x_ipsecrequest_len;
|
|
||||||
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
|
|
||||||
+ xisr->sadb_x_ipsecrequest_len);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* validity check */
|
|
||||||
if (xtlen < 0) {
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_SADBMSG;
|
|
||||||
free(buf);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((buf = realloc(buf, buflen)) == NULL) {
|
|
||||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
xtlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
|
|
||||||
xisr = (struct sadb_x_ipsecrequest *)(policy + sizeof(*xpl));
|
|
||||||
|
|
||||||
while (xtlen > 0) {
|
|
||||||
switch (xisr->sadb_x_ipsecrequest_proto) {
|
|
||||||
case IPPROTO_ESP:
|
|
||||||
strcat(buf, delimiter);
|
|
||||||
strcat(buf, "esp");
|
|
||||||
break;
|
|
||||||
case IPPROTO_AH:
|
|
||||||
strcat(buf, delimiter);
|
|
||||||
strcat(buf, "ah");
|
|
||||||
break;
|
|
||||||
case IPPROTO_IPCOMP:
|
|
||||||
strcat(buf, delimiter);
|
|
||||||
strcat(buf, "ipcomp");
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_PROTO;
|
|
||||||
free(buf);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
switch (xisr->sadb_x_ipsecrequest_level) {
|
|
||||||
case IPSEC_LEVEL_DEFAULT:
|
|
||||||
strcat(buf, "/default");
|
|
||||||
break;
|
|
||||||
case IPSEC_LEVEL_USE:
|
|
||||||
strcat(buf, "/use");
|
|
||||||
break;
|
|
||||||
case IPSEC_LEVEL_REQUIRE:
|
|
||||||
strcat(buf, "/require");
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
ipsec_errcode = EIPSEC_INVAL_LEVEL;
|
|
||||||
free(buf);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL) {
|
|
||||||
char tmp[100]; /* XXX */
|
|
||||||
struct sockaddr *saddr =
|
|
||||||
(struct sockaddr *)((caddr_t)xisr + sizeof(*xisr));
|
|
||||||
#if 1
|
|
||||||
inet_ntop(saddr->sa_family, _INADDRBYSA(saddr),
|
|
||||||
tmp, sizeof(tmp));
|
|
||||||
#else
|
|
||||||
getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
|
|
||||||
NULL, 0, NI_NUMERICHOST);
|
|
||||||
#endif
|
|
||||||
strcat(buf, "/");
|
|
||||||
strcat(buf, tmp);
|
|
||||||
}
|
|
||||||
|
|
||||||
xtlen -= xisr->sadb_x_ipsecrequest_len;
|
|
||||||
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
|
|
||||||
+ xisr->sadb_x_ipsecrequest_len);
|
|
||||||
}
|
|
||||||
|
|
||||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
|
||||||
return buf;
|
|
||||||
}
|
|
@ -25,8 +25,8 @@
|
|||||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||||
.\" SUCH DAMAGE.
|
.\" SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $NetBSD: ipsec_set_policy.3,v 1.5 1999/12/21 14:17:18 itojun Exp $
|
.\" $NetBSD: ipsec_set_policy.3,v 1.6 2000/01/31 14:15:31 itojun Exp $
|
||||||
.\" KAME Id: ipsec_set_policy.3,v 1.1.2.6 1999/07/01 06:54:58 sakane Exp
|
.\" KAME Id: ipsec_set_policy.3,v 1.8 2000/01/27 17:59:12 itojun Exp
|
||||||
.\"
|
.\"
|
||||||
.Dd May 5, 1998
|
.Dd May 5, 1998
|
||||||
.Dt IPSEC_SET_POLICY 3
|
.Dt IPSEC_SET_POLICY 3
|
||||||
@ -43,10 +43,10 @@
|
|||||||
.\"
|
.\"
|
||||||
.Sh SYNOPSIS
|
.Sh SYNOPSIS
|
||||||
.Fd #include <netinet6/ipsec.h>
|
.Fd #include <netinet6/ipsec.h>
|
||||||
|
.Ft "char *"
|
||||||
|
.Fn ipsec_set_policy "char *policy" "int len"
|
||||||
.Ft int
|
.Ft int
|
||||||
.Fn ipsec_set_policy "char *buf" "int len" "char *policy"
|
.Fn ipsec_get_policylen "char *buf"
|
||||||
.Ft int
|
|
||||||
.Fn ipsec_get_policylen "char *policy"
|
|
||||||
.Ft "char *"
|
.Ft "char *"
|
||||||
.Fn ipsec_dump_policy "char *buf" "char *delim"
|
.Fn ipsec_dump_policy "char *buf" "char *delim"
|
||||||
.\"
|
.\"
|
||||||
@ -58,21 +58,18 @@ and/or
|
|||||||
.Li struct sadb_x_ipsecrequest
|
.Li struct sadb_x_ipsecrequest
|
||||||
from human-readable policy specification.
|
from human-readable policy specification.
|
||||||
policy specification must be given as C string
|
policy specification must be given as C string
|
||||||
.Fa policy ,
|
|
||||||
and the resulting structure will be generated at the buffer pointed to by
|
|
||||||
.Fa buf ,
|
|
||||||
length
|
|
||||||
.Fa len .
|
|
||||||
.Pp
|
|
||||||
To obtain the required buffer size beforehand, use
|
|
||||||
.Fn ipsec_get_policylen
|
|
||||||
with the same
|
|
||||||
.Fa policy
|
.Fa policy
|
||||||
argument.
|
and length
|
||||||
|
.Fa len
|
||||||
|
of
|
||||||
|
.Fa policy .
|
||||||
|
.Fn ipsec_set_policy
|
||||||
|
will return the buffer of IPsec policy specification structure.
|
||||||
|
.Pp
|
||||||
|
You may want the length of the generated buffer such when calling
|
||||||
|
.Xr setsockopt 2 .
|
||||||
.Fn ipsec_get_policylen
|
.Fn ipsec_get_policylen
|
||||||
will return the required buffer size,
|
will return the length.
|
||||||
and you may want to allocate buffer dynamically for use with
|
|
||||||
.Fn ipsec_set_policy .
|
|
||||||
.Pp
|
.Pp
|
||||||
.Fn ipsec_dump_policy
|
.Fn ipsec_dump_policy
|
||||||
converts IPsec policy structure into readable form.
|
converts IPsec policy structure into readable form.
|
||||||
@ -95,51 +92,99 @@ returns pointer to dynamically allocated string.
|
|||||||
It is caller's responsibility to reclaim the region, by using
|
It is caller's responsibility to reclaim the region, by using
|
||||||
.Xr free 3 .
|
.Xr free 3 .
|
||||||
.Pp
|
.Pp
|
||||||
|
.\"
|
||||||
.Fa policy
|
.Fa policy
|
||||||
is formatted as either of the following:
|
is formatted as either of the following:
|
||||||
.Bl -tag -width "discard"
|
.Bl -tag -width "discard"
|
||||||
.It Li discard
|
.It Ar direction Li entrust
|
||||||
.Li discard
|
.Ar direction
|
||||||
means the packet matching indexes will be discarded.
|
must be
|
||||||
.It Li none
|
.Li in
|
||||||
.Li none
|
or
|
||||||
means IPsec will not be performed on the matching packets
|
.Li out .
|
||||||
|
.Ar direction
|
||||||
|
specifies which direction the policy needs to be applied.
|
||||||
|
.Li entrust
|
||||||
|
means to consult to SPD defined by
|
||||||
|
.Xr setkey 8 .
|
||||||
|
.It Ar direction Li bypass
|
||||||
|
.Li bypass
|
||||||
|
means to be bypassed the IPsec processing.
|
||||||
.Po
|
.Po
|
||||||
packet will be transmitted in clear
|
packet will be transmitted in clear
|
||||||
.Pc .
|
.Pc .
|
||||||
.It Xo Li ipsec
|
This is for privileged socket.
|
||||||
.Ar protocol
|
.It Xo
|
||||||
.Op Ar /level
|
.Ar direction
|
||||||
.Op Ar /peer
|
.Li ipsec
|
||||||
.Op ...
|
.Ar request ...
|
||||||
.Xc
|
.Xc
|
||||||
.Li ipsec
|
.Li ipsec
|
||||||
means that the matching packets are subject to IPsec processing.
|
means that the matching packets are subject to IPsec processing.
|
||||||
.Li ipsec
|
.Li ipsec
|
||||||
can be followed by multiple set of
|
can be followed by one or more
|
||||||
.Do
|
.Ar request
|
||||||
|
string, which is formatted as below:
|
||||||
|
.Bl -tag -width "discard"
|
||||||
|
.It Xo
|
||||||
.Ar protocol
|
.Ar protocol
|
||||||
|
.Li /
|
||||||
|
.Ar mode
|
||||||
|
.Li /
|
||||||
|
.Ar src
|
||||||
|
.Li -
|
||||||
|
.Ar dst
|
||||||
.Op Ar /level
|
.Op Ar /level
|
||||||
.Op Ar /peer
|
.Xc
|
||||||
.Dc
|
|
||||||
arguments.
|
|
||||||
.Ar protocol
|
.Ar protocol
|
||||||
is either
|
is either
|
||||||
.Li ah ,
|
.Li ah ,
|
||||||
.Li esp
|
.Li esp
|
||||||
or
|
or
|
||||||
.Li ipcomp .
|
.Li ipcomp .
|
||||||
|
.Pp
|
||||||
|
.Ar mode
|
||||||
|
is either
|
||||||
|
.Li transport
|
||||||
|
or
|
||||||
|
.Li tunnel .
|
||||||
|
.Pp
|
||||||
|
.Ar src
|
||||||
|
and
|
||||||
|
.Ar dst
|
||||||
|
specifies IPsec endpoint.
|
||||||
|
.Ar src
|
||||||
|
always means
|
||||||
|
.Dq sending node
|
||||||
|
and
|
||||||
|
.Ar dst
|
||||||
|
always means
|
||||||
|
.Dq receiving node .
|
||||||
|
Therefore, when
|
||||||
|
.Ar direction
|
||||||
|
is
|
||||||
|
.Li in ,
|
||||||
|
.Ar dst
|
||||||
|
is this node
|
||||||
|
and
|
||||||
|
.Ar src
|
||||||
|
is the other node
|
||||||
|
.Pq peer .
|
||||||
|
.Pp
|
||||||
.Ar level
|
.Ar level
|
||||||
must be set to one of the following:
|
must be set to one of the following:
|
||||||
.Li default , use
|
.Li default , use , require
|
||||||
or
|
or
|
||||||
.Li require .
|
.Li unique .
|
||||||
.Li default
|
.Li default
|
||||||
means that the kernel should consult the system default policy
|
means that the kernel should consult the system default policy
|
||||||
defined by
|
defined by
|
||||||
.Xr sysctl 8 ,
|
.Xr sysctl 8 ,
|
||||||
such as
|
such as
|
||||||
.Li net.inet.ipsec.esp_trans_deflev .
|
.Li net.inet.ipsec.esp_trans_deflev .
|
||||||
|
See
|
||||||
|
.Xr ipsec 4
|
||||||
|
regarding the system default.
|
||||||
.Li use
|
.Li use
|
||||||
means that a relevant SA can be used when available,
|
means that a relevant SA can be used when available,
|
||||||
since the kernel may perform IPsec operation against packets when possible.
|
since the kernel may perform IPsec operation against packets when possible.
|
||||||
@ -150,14 +195,24 @@ or encrypted
|
|||||||
.Li require
|
.Li require
|
||||||
means that a relevant SA is required,
|
means that a relevant SA is required,
|
||||||
since the kernel must perform IPsec operation against packets.
|
since the kernel must perform IPsec operation against packets.
|
||||||
.Ar peer
|
.Li unique
|
||||||
is an IPv4 or IPv6 address string, and it will be used as
|
is the same as
|
||||||
a hint when IPsec system configures IPsec tunnel mode SA by using
|
.Li require ,
|
||||||
key management protocol.
|
but adds the restriction that the SA for outbound traffic is used
|
||||||
.Pp
|
only for this policy.
|
||||||
If the string is kept unambiguous,
|
You may need the identifier in order to relate the policy and the SA
|
||||||
|
when you define the SA by manual keying.
|
||||||
|
You can put the decimal number as the identifier after
|
||||||
|
.Li unique
|
||||||
|
like
|
||||||
|
.Li unique : number .
|
||||||
|
.Li number
|
||||||
|
must be between 1 and 32767 .
|
||||||
|
If the
|
||||||
|
.Ar request
|
||||||
|
string is kept unambiguous,
|
||||||
.Ar level
|
.Ar level
|
||||||
and slashes surrounding
|
and slash prior to
|
||||||
.Ar level
|
.Ar level
|
||||||
can be omitted.
|
can be omitted.
|
||||||
However, it is encouraged to specify them explicitly
|
However, it is encouraged to specify them explicitly
|
||||||
@ -167,19 +222,31 @@ If
|
|||||||
is omitted, it will be interpreted as
|
is omitted, it will be interpreted as
|
||||||
.Li default .
|
.Li default .
|
||||||
.El
|
.El
|
||||||
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
Here are several examples:
|
Note that there is a bit difference of specification from
|
||||||
|
.Xr setkey 8 .
|
||||||
|
In specification by
|
||||||
|
.Xr setkey 8 ,
|
||||||
|
both entrust and bypass are not used. Refer to
|
||||||
|
.Xr setkey 8
|
||||||
|
for detail.
|
||||||
|
.Pp
|
||||||
|
Here are several examples
|
||||||
|
.Pq long lines are wrapped for readability :
|
||||||
.Bd -literal -offset indent
|
.Bd -literal -offset indent
|
||||||
discard
|
in discard
|
||||||
ipsec esp/require
|
out ipsec esp/transport/10.1.1.1-10.1.1.2/require
|
||||||
ipsec ah/use/10.1.1.1
|
in ipsec ah/transport/10.1.1.2-10.1.1.1/require
|
||||||
ipsec esp/use ah/require
|
out ipsec esp/transport/10.1.1.2-10.1.1.1/use
|
||||||
ipsec ipcomp/use esp/use ah/require
|
ah/tunnel/10.1.1.2-10.1.1.1/unique:1000
|
||||||
|
in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
|
||||||
|
esp/transport/10.1.1.2-10.1.1.1/use
|
||||||
.Ed
|
.Ed
|
||||||
.\"
|
.\"
|
||||||
.Sh RETURN VALUES
|
.Sh RETURN VALUES
|
||||||
.Fn ipsec_set_policy
|
.Fn ipsec_set_policy
|
||||||
returns with 0 on success, negative value on errors.
|
returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
|
||||||
.Fn ipsec_get_policylen
|
.Fn ipsec_get_policylen
|
||||||
returns with positive value
|
returns with positive value
|
||||||
.Pq meaning the buffer size
|
.Pq meaning the buffer size
|
||||||
@ -192,6 +259,7 @@ on errors.
|
|||||||
.\"
|
.\"
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr ipsec_strerror 3 ,
|
.Xr ipsec_strerror 3 ,
|
||||||
|
.Xr ispec 4 ,
|
||||||
.Xr setkey 8
|
.Xr setkey 8
|
||||||
.\"
|
.\"
|
||||||
.Sh HISTORY
|
.Sh HISTORY
|
||||||
|
@ -25,8 +25,8 @@
|
|||||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||||
.\" SUCH DAMAGE.
|
.\" SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $NetBSD: ipsec_strerror.3,v 1.5 1999/12/21 14:17:18 itojun Exp $
|
.\" $NetBSD: ipsec_strerror.3,v 1.6 2000/01/31 14:15:31 itojun Exp $
|
||||||
.\" KAME Id: ipsec_strerror.3,v 1.1.2.1 1999/05/06 09:26:43 itojun Exp
|
.\" KAME Id: ipsec_strerror.3,v 1.4 2000/01/27 17:59:13 itojun Exp
|
||||||
.\"
|
.\"
|
||||||
.Dd May 6, 1998
|
.Dd May 6, 1998
|
||||||
.Dt IPSEC_STRERROR 3
|
.Dt IPSEC_STRERROR 3
|
||||||
@ -42,7 +42,7 @@
|
|||||||
.Sh SYNOPSIS
|
.Sh SYNOPSIS
|
||||||
.Fd #include <netinet6/ipsec.h>
|
.Fd #include <netinet6/ipsec.h>
|
||||||
.Ft "char *"
|
.Ft "char *"
|
||||||
.Fn ipsec_strerror "int code"
|
.Fn ipsec_strerror
|
||||||
.\"
|
.\"
|
||||||
.Sh DESCRIPTION
|
.Sh DESCRIPTION
|
||||||
.Pa netinet6/ipsec.h
|
.Pa netinet6/ipsec.h
|
||||||
@ -54,6 +54,19 @@ which is used to pass error code from IPsec policy manipulation library
|
|||||||
to user program.
|
to user program.
|
||||||
.Fn ipsec_strerror
|
.Fn ipsec_strerror
|
||||||
can be used to obtain error message string for the error code.
|
can be used to obtain error message string for the error code.
|
||||||
|
.Pp
|
||||||
|
The array pointed to is not to be modified by the program.
|
||||||
|
Since
|
||||||
|
.Fn ipsec_strerror
|
||||||
|
uses
|
||||||
|
.Xr strerror 3
|
||||||
|
as underlying function, calling
|
||||||
|
.Xr strerror 3
|
||||||
|
after
|
||||||
|
.Fn ipsec_strerror
|
||||||
|
would make the return value from
|
||||||
|
.Fn ipsec_strerror
|
||||||
|
invalid, or overwritten.
|
||||||
.\"
|
.\"
|
||||||
.Sh RETURN VALUES
|
.Sh RETURN VALUES
|
||||||
.Fn ipsec_strerror
|
.Fn ipsec_strerror
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: ipsec_strerror.c,v 1.3 1999/07/04 01:36:13 itojun Exp $ */
|
/* $NetBSD: ipsec_strerror.c,v 1.4 2000/01/31 14:15:31 itojun Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||||
@ -46,7 +46,9 @@ static char *ipsec_errlist[] = {
|
|||||||
"Invalid sadb message", /*EIPSEC_INVAL_SADBMSG*/
|
"Invalid sadb message", /*EIPSEC_INVAL_SADBMSG*/
|
||||||
"Invalid version", /*EIPSEC_INVAL_VERSION*/
|
"Invalid version", /*EIPSEC_INVAL_VERSION*/
|
||||||
"Invalid security policy", /*EIPSEC_INVAL_POLICY*/
|
"Invalid security policy", /*EIPSEC_INVAL_POLICY*/
|
||||||
|
"Invalid address specification", /*EIPSEC_INVAL_ADDRESS*/
|
||||||
"Invalid ipsec protocol", /*EIPSEC_INVAL_PROTO*/
|
"Invalid ipsec protocol", /*EIPSEC_INVAL_PROTO*/
|
||||||
|
"Invalid ipsec mode", /*EIPSEC_INVAL_MODE*/
|
||||||
"Invalid ipsec level", /*EIPSEC_INVAL_LEVEL*/
|
"Invalid ipsec level", /*EIPSEC_INVAL_LEVEL*/
|
||||||
"Invalid SA type", /*EIPSEC_INVAL_SATYPE*/
|
"Invalid SA type", /*EIPSEC_INVAL_SATYPE*/
|
||||||
"Invalid message type", /*EIPSEC_INVAL_MSGTYPE*/
|
"Invalid message type", /*EIPSEC_INVAL_MSGTYPE*/
|
||||||
@ -55,6 +57,7 @@ static char *ipsec_errlist[] = {
|
|||||||
"Invalid key length", /*EIPSEC_INVAL_KEYLEN*/
|
"Invalid key length", /*EIPSEC_INVAL_KEYLEN*/
|
||||||
"Invalid address family", /*EIPSEC_INVAL_FAMILY*/
|
"Invalid address family", /*EIPSEC_INVAL_FAMILY*/
|
||||||
"Invalid prefix length", /*EIPSEC_INVAL_PREFIXLEN*/
|
"Invalid prefix length", /*EIPSEC_INVAL_PREFIXLEN*/
|
||||||
|
"Invalid direciton", /*EIPSEC_INVAL_DIR*/
|
||||||
"SPI range violation", /*EIPSEC_INVAL_SPI*/
|
"SPI range violation", /*EIPSEC_INVAL_SPI*/
|
||||||
"No protocol specified", /*EIPSEC_NO_PROTO*/
|
"No protocol specified", /*EIPSEC_NO_PROTO*/
|
||||||
"No algorithm specified", /*EIPSEC_NO_ALGS*/
|
"No algorithm specified", /*EIPSEC_NO_ALGS*/
|
||||||
@ -62,6 +65,7 @@ static char *ipsec_errlist[] = {
|
|||||||
"Must get supported algorithms list first", /*EIPSEC_DO_GET_SUPP_LIST*/
|
"Must get supported algorithms list first", /*EIPSEC_DO_GET_SUPP_LIST*/
|
||||||
"Protocol mismatch", /*EIPSEC_PROTO_MISMATCH*/
|
"Protocol mismatch", /*EIPSEC_PROTO_MISMATCH*/
|
||||||
"Family mismatch", /*EIPSEC_FAMILY_MISMATCH*/
|
"Family mismatch", /*EIPSEC_FAMILY_MISMATCH*/
|
||||||
|
"Too few arguments", /*EIPSEC_FEW_ARGUMENTS*/
|
||||||
NULL, /*EIPSEC_SYSTEM_ERROR*/
|
NULL, /*EIPSEC_SYSTEM_ERROR*/
|
||||||
"Unknown error", /*EIPSEC_MAX*/
|
"Unknown error", /*EIPSEC_MAX*/
|
||||||
};
|
};
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: ipsec_strerror.h,v 1.3 1999/07/04 01:36:13 itojun Exp $ */
|
/* $NetBSD: ipsec_strerror.h,v 1.4 2000/01/31 14:15:31 itojun Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||||
@ -30,7 +30,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
extern int ipsec_errcode;
|
extern int ipsec_errcode;
|
||||||
extern void ipsec_set_strerror(char *str);
|
extern void ipsec_set_strerror __P((char *));
|
||||||
|
|
||||||
#define EIPSEC_NO_ERROR 0 /*success*/
|
#define EIPSEC_NO_ERROR 0 /*success*/
|
||||||
#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
|
#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
|
||||||
@ -38,21 +38,25 @@ extern void ipsec_set_strerror(char *str);
|
|||||||
#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
|
#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
|
||||||
#define EIPSEC_INVAL_VERSION 4 /*invalid version*/
|
#define EIPSEC_INVAL_VERSION 4 /*invalid version*/
|
||||||
#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
|
#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
|
||||||
#define EIPSEC_INVAL_PROTO 6 /*invalid ipsec protocol*/
|
#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/
|
||||||
#define EIPSEC_INVAL_LEVEL 7 /*invalid ipsec level*/
|
#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/
|
||||||
#define EIPSEC_INVAL_SATYPE 8 /*invalid SA type*/
|
#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/
|
||||||
#define EIPSEC_INVAL_MSGTYPE 9 /*invalid message type*/
|
#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/
|
||||||
#define EIPSEC_INVAL_EXTTYPE 10 /*invalid extension type*/
|
#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/
|
||||||
#define EIPSEC_INVAL_ALGS 11 /*Invalid algorithm type*/
|
#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/
|
||||||
#define EIPSEC_INVAL_KEYLEN 12 /*invalid key length*/
|
#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/
|
||||||
#define EIPSEC_INVAL_FAMILY 13 /*invalid address family*/
|
#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/
|
||||||
#define EIPSEC_INVAL_PREFIXLEN 14 /*SPI range violation*/
|
#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/
|
||||||
#define EIPSEC_INVAL_SPI 15 /*invalid prefixlen*/
|
#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/
|
||||||
#define EIPSEC_NO_PROTO 16 /*no protocol specified*/
|
#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/
|
||||||
#define EIPSEC_NO_ALGS 17 /*No algorithm specified*/
|
#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/
|
||||||
#define EIPSEC_NO_BUFS 18 /*no buffers available*/
|
#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/
|
||||||
#define EIPSEC_DO_GET_SUPP_LIST 19 /*must get supported algorithm first*/
|
#define EIPSEC_NO_PROTO 19 /*no protocol specified*/
|
||||||
#define EIPSEC_PROTO_MISMATCH 20 /*protocol mismatch*/
|
#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/
|
||||||
#define EIPSEC_FAMILY_MISMATCH 21 /*family mismatch*/
|
#define EIPSEC_NO_BUFS 21 /*no buffers available*/
|
||||||
#define EIPSEC_SYSTEM_ERROR 22 /*system error*/
|
#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/
|
||||||
#define EIPSEC_MAX 23 /*unknown error*/
|
#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/
|
||||||
|
#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/
|
||||||
|
#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/
|
||||||
|
#define EIPSEC_SYSTEM_ERROR 26 /*system error*/
|
||||||
|
#define EIPSEC_MAX 27 /*unknown error*/
|
||||||
|
2167
lib/libipsec/pfkey.c
2167
lib/libipsec/pfkey.c
File diff suppressed because it is too large
Load Diff
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: pfkey_dump.c,v 1.3 1999/07/04 01:36:13 itojun Exp $ */
|
/* $NetBSD: pfkey_dump.c,v 1.4 2000/01/31 14:15:32 itojun Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||||
@ -38,6 +38,7 @@
|
|||||||
#include <netkey/key_debug.h>
|
#include <netkey/key_debug.h>
|
||||||
|
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
|
#include <netinet6/ipsec.h>
|
||||||
#ifdef INET6
|
#ifdef INET6
|
||||||
#include <netinet6/in6.h>
|
#include <netinet6/in6.h>
|
||||||
#endif
|
#endif
|
||||||
@ -52,7 +53,7 @@
|
|||||||
#include "ipsec_strerror.h"
|
#include "ipsec_strerror.h"
|
||||||
|
|
||||||
#define GETMSGSTR(str, num) \
|
#define GETMSGSTR(str, num) \
|
||||||
{ \
|
do { \
|
||||||
if (sizeof((str)[0]) == 0 \
|
if (sizeof((str)[0]) == 0 \
|
||||||
|| num >= sizeof(str)/sizeof((str)[0])) \
|
|| num >= sizeof(str)/sizeof((str)[0])) \
|
||||||
printf("%d ", (num)); \
|
printf("%d ", (num)); \
|
||||||
@ -60,14 +61,15 @@
|
|||||||
printf("%d ", (num)); \
|
printf("%d ", (num)); \
|
||||||
else \
|
else \
|
||||||
printf("%s ", (str)[(num)]); \
|
printf("%s ", (str)[(num)]); \
|
||||||
}
|
} while (0)
|
||||||
|
|
||||||
#define GETAF(p) \
|
#define GETAF(p) \
|
||||||
(((struct sockaddr *)(p))->sa_family)
|
(((struct sockaddr *)(p))->sa_family)
|
||||||
|
|
||||||
static char *_str_addr(u_int family, caddr_t addr, u_int pref, u_int port);
|
static char *_str_ipaddr __P((u_int family, caddr_t addr));
|
||||||
static char *_str_time(time_t t);
|
static char *_str_prefport __P((u_int family, u_int pref, u_int port));
|
||||||
static void _str_lifetime_byte(struct sadb_lifetime *x, char *str);
|
static char *_str_time __P((time_t t));
|
||||||
|
static void _str_lifetime_byte __P((struct sadb_lifetime *x, char *str));
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Must to be re-written about following strings.
|
* Must to be re-written about following strings.
|
||||||
@ -85,21 +87,27 @@ static char *_str_satype[] = {
|
|||||||
"ipcomp",
|
"ipcomp",
|
||||||
};
|
};
|
||||||
|
|
||||||
static char *_str_upper[] = {
|
static char *_str_mode[] = {
|
||||||
"any", "icmp", "", "", "",
|
"any",
|
||||||
"", "tcp", "", "", "",
|
"transport",
|
||||||
"", "", "", "", "",
|
"tunnel",
|
||||||
"", "", "udp", "", "",
|
|
||||||
"", "", "", "", "",
|
|
||||||
"", "", "", "", "",
|
|
||||||
};
|
};
|
||||||
|
|
||||||
#if 0
|
static char *_str_upper[] = {
|
||||||
static char *_str_base[] = {
|
/*0*/ "ip", "icmp", "igmp", "ggp", "ip4",
|
||||||
"new",
|
"", "tcp", "", "egp", "",
|
||||||
"old",
|
/*10*/ "", "", "", "", "",
|
||||||
|
"", "", "udp", "", "",
|
||||||
|
/*20*/ "", "", "idp", "", "",
|
||||||
|
"", "", "", "", "tp",
|
||||||
|
/*30*/ "", "", "", "", "",
|
||||||
|
"", "", "", "", "",
|
||||||
|
/*40*/ "", "ip6", "", "rt6", "frag6",
|
||||||
|
"", "rsvp", "gre", "", "",
|
||||||
|
/*50*/ "esp", "ah", "", "", "",
|
||||||
|
"", "", "", "icmp6", "none",
|
||||||
|
/*60*/ "dst6",
|
||||||
};
|
};
|
||||||
#endif
|
|
||||||
|
|
||||||
static char *_str_state[] = {
|
static char *_str_state[] = {
|
||||||
"larval",
|
"larval",
|
||||||
@ -134,16 +142,12 @@ static char *_str_alg_comp[] = {
|
|||||||
"lzs",
|
"lzs",
|
||||||
};
|
};
|
||||||
|
|
||||||
static char *_str_dir[] = {
|
|
||||||
"outbound",
|
|
||||||
"inbound",
|
|
||||||
"bi-direction",
|
|
||||||
};
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* dump SADB_MSG formated. For debugging, you should use kdebug_sadb().
|
* dump SADB_MSG formated. For debugging, you should use kdebug_sadb().
|
||||||
*/
|
*/
|
||||||
void pfkey_sadump(struct sadb_msg *m)
|
void
|
||||||
|
pfkey_sadump(m)
|
||||||
|
struct sadb_msg *m;
|
||||||
{
|
{
|
||||||
caddr_t mhp[SADB_EXT_MAX + 1];
|
caddr_t mhp[SADB_EXT_MAX + 1];
|
||||||
struct sadb_sa *m_sa;
|
struct sadb_sa *m_sa;
|
||||||
@ -154,7 +158,11 @@ void pfkey_sadump(struct sadb_msg *m)
|
|||||||
struct sadb_sens *m_sens;
|
struct sadb_sens *m_sens;
|
||||||
|
|
||||||
/* check pfkey message. */
|
/* check pfkey message. */
|
||||||
if (pfkey_check(m, mhp)) {
|
if (pfkey_align(m, mhp)) {
|
||||||
|
printf("%s\n", ipsec_strerror());
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (pfkey_check(mhp)) {
|
||||||
printf("%s\n", ipsec_strerror());
|
printf("%s\n", ipsec_strerror());
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -169,7 +177,7 @@ void pfkey_sadump(struct sadb_msg *m)
|
|||||||
m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
|
m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
|
||||||
m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
|
m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
|
||||||
m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
|
m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
|
||||||
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
|
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
|
||||||
m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
|
m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
|
||||||
|
|
||||||
/* source address */
|
/* source address */
|
||||||
@ -178,10 +186,7 @@ void pfkey_sadump(struct sadb_msg *m)
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
printf("%s ",
|
printf("%s ",
|
||||||
_str_addr(GETAF((caddr_t)m_saddr + sizeof(*m_saddr)),
|
_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)));
|
||||||
_INADDRBYSA((caddr_t)m_saddr + sizeof(*m_saddr)),
|
|
||||||
m_saddr->sadb_address_prefixlen,
|
|
||||||
_INPORTBYSA((caddr_t)m_saddr + sizeof(*m_saddr))));
|
|
||||||
|
|
||||||
/* destination address */
|
/* destination address */
|
||||||
if (m_daddr == NULL) {
|
if (m_daddr == NULL) {
|
||||||
@ -189,42 +194,25 @@ void pfkey_sadump(struct sadb_msg *m)
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
printf("%s ",
|
printf("%s ",
|
||||||
_str_addr(GETAF((caddr_t)m_daddr + sizeof(*m_daddr)),
|
_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)));
|
||||||
_INADDRBYSA((caddr_t)m_daddr + sizeof(*m_daddr)),
|
|
||||||
m_daddr->sadb_address_prefixlen,
|
|
||||||
_INPORTBYSA((caddr_t)m_daddr + sizeof(*m_daddr))));
|
|
||||||
|
|
||||||
/* upper layer protocol */
|
|
||||||
if (m_saddr->sadb_address_proto != m_saddr->sadb_address_proto) {
|
|
||||||
printf("upper layer protocol mismatched.\n");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
GETMSGSTR(_str_upper, m_saddr->sadb_address_proto);
|
|
||||||
|
|
||||||
/* proxy address */
|
|
||||||
if (m_paddr != NULL) {
|
|
||||||
int prefix = _INALENBYAF(GETAF((caddr_t)m_paddr + sizeof(*m_paddr))) << 3;
|
|
||||||
printf("%s",
|
|
||||||
_str_addr(GETAF((caddr_t)m_paddr + sizeof(*m_paddr)),
|
|
||||||
_INADDRBYSA((caddr_t)m_paddr + sizeof(*m_paddr)),
|
|
||||||
prefix,
|
|
||||||
0));
|
|
||||||
}
|
|
||||||
printf("\n");
|
|
||||||
|
|
||||||
/* SA type */
|
/* SA type */
|
||||||
if (m_sa == NULL) {
|
if (m_sa == NULL) {
|
||||||
printf("no SA extension.\n");
|
printf("no SA extension.\n");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
printf("\t");
|
printf("\n\t");
|
||||||
|
|
||||||
GETMSGSTR(_str_satype, m->sadb_msg_satype);
|
GETMSGSTR(_str_satype, m->sadb_msg_satype);
|
||||||
|
|
||||||
printf("spi=%u(0x%08x) replay=%u flags=0x%08x\n",
|
printf("mode=");
|
||||||
|
GETMSGSTR(_str_mode, m->sadb_msg_mode);
|
||||||
|
|
||||||
|
printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n",
|
||||||
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
|
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
|
||||||
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
|
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
|
||||||
m_sa->sadb_sa_replay,
|
(u_int32_t)m->sadb_msg_reqid,
|
||||||
m_sa->sadb_sa_flags);
|
(u_int32_t)m->sadb_msg_reqid);
|
||||||
|
|
||||||
/* encryption key */
|
/* encryption key */
|
||||||
if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
|
if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
|
||||||
@ -249,8 +237,13 @@ void pfkey_sadump(struct sadb_msg *m)
|
|||||||
printf("\n");
|
printf("\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* replay windoe size & flags */
|
||||||
|
printf("\treplay=%u flags=0x%08x ",
|
||||||
|
m_sa->sadb_sa_replay,
|
||||||
|
m_sa->sadb_sa_flags);
|
||||||
|
|
||||||
/* state */
|
/* state */
|
||||||
printf("\tstate=");
|
printf("state=");
|
||||||
GETMSGSTR(_str_state, m_sa->sadb_sa_state);
|
GETMSGSTR(_str_state, m_sa->sadb_sa_state);
|
||||||
|
|
||||||
printf("seq=%lu pid=%lu\n",
|
printf("seq=%lu pid=%lu\n",
|
||||||
@ -299,24 +292,26 @@ void pfkey_sadump(struct sadb_msg *m)
|
|||||||
0 : m_lfts->sadb_lifetime_allocations));
|
0 : m_lfts->sadb_lifetime_allocations));
|
||||||
}
|
}
|
||||||
|
|
||||||
{ /* XXX TEST */
|
/* XXX DEBUG */
|
||||||
char *x = (char *)&m->sadb_msg_reserved;
|
printf("\trefcnt=%u\n", m->sadb_msg_reserved2);
|
||||||
printf("\tdir=");
|
|
||||||
GETMSGSTR(_str_dir, (int)x[0]);
|
|
||||||
printf("refcnt=%d\n", (int)x[1]);
|
|
||||||
}
|
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
void pfkey_spdump(struct sadb_msg *m)
|
void
|
||||||
|
pfkey_spdump(m)
|
||||||
|
struct sadb_msg *m;
|
||||||
{
|
{
|
||||||
caddr_t mhp[SADB_EXT_MAX + 1];
|
caddr_t mhp[SADB_EXT_MAX + 1];
|
||||||
struct sadb_address *m_saddr, *m_daddr;
|
struct sadb_address *m_saddr, *m_daddr;
|
||||||
struct sadb_x_policy *m_xpl;
|
struct sadb_x_policy *m_xpl;
|
||||||
|
|
||||||
/* check pfkey message. */
|
/* check pfkey message. */
|
||||||
if (pfkey_check(m, mhp)) {
|
if (pfkey_align(m, mhp)) {
|
||||||
|
printf("%s\n", ipsec_strerror());
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (pfkey_check(mhp)) {
|
||||||
printf("%s\n", ipsec_strerror());
|
printf("%s\n", ipsec_strerror());
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -330,25 +325,32 @@ void pfkey_spdump(struct sadb_msg *m)
|
|||||||
printf("no ADDRESS_SRC extension.\n");
|
printf("no ADDRESS_SRC extension.\n");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
printf("%s ",
|
printf("%s%s ",
|
||||||
_str_addr(GETAF((caddr_t)m_saddr + sizeof(*m_saddr)),
|
_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)),
|
||||||
_INADDRBYSA((caddr_t)m_saddr + sizeof(*m_saddr)),
|
_str_prefport(GETAF(m_saddr + 1),
|
||||||
m_saddr->sadb_address_prefixlen,
|
m_saddr->sadb_address_prefixlen,
|
||||||
_INPORTBYSA((caddr_t)m_saddr + sizeof(*m_saddr))));
|
_INPORTBYSA(m_saddr + 1)));
|
||||||
|
|
||||||
/* destination address */
|
/* destination address */
|
||||||
if (m_daddr == NULL) {
|
if (m_daddr == NULL) {
|
||||||
printf("no ADDRESS_DST extension.\n");
|
printf("no ADDRESS_DST extension.\n");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
printf("%s ",
|
printf("%s%s ",
|
||||||
_str_addr(GETAF((caddr_t)m_daddr + sizeof(*m_daddr)),
|
_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)),
|
||||||
_INADDRBYSA((caddr_t)m_daddr + sizeof(*m_daddr)),
|
_str_prefport(GETAF(m_daddr + 1),
|
||||||
m_daddr->sadb_address_prefixlen,
|
m_daddr->sadb_address_prefixlen,
|
||||||
_INPORTBYSA((caddr_t)m_daddr + sizeof(*m_daddr))));
|
_INPORTBYSA(m_daddr + 1)));
|
||||||
|
|
||||||
/* upper layer protocol */
|
/* upper layer protocol */
|
||||||
GETMSGSTR(_str_upper, m_saddr->sadb_address_proto);
|
if (m_saddr->sadb_address_proto != m_daddr->sadb_address_proto) {
|
||||||
|
printf("upper layer protocol mismatched.\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (m_saddr->sadb_address_proto == IPSEC_ULPROTO_ANY)
|
||||||
|
printf("any");
|
||||||
|
else
|
||||||
|
GETMSGSTR(_str_upper, m_saddr->sadb_address_proto);
|
||||||
|
|
||||||
/* policy */
|
/* policy */
|
||||||
{
|
{
|
||||||
@ -369,37 +371,65 @@ void pfkey_spdump(struct sadb_msg *m)
|
|||||||
(u_long)m->sadb_msg_seq,
|
(u_long)m->sadb_msg_seq,
|
||||||
(u_long)m->sadb_msg_pid);
|
(u_long)m->sadb_msg_pid);
|
||||||
|
|
||||||
{ /* TEST */
|
/* XXX TEST */
|
||||||
char *x = (char *)&m->sadb_msg_reserved;
|
printf("\trefcnt=%u\n", m->sadb_msg_reserved2);
|
||||||
printf("\tdir=");
|
|
||||||
GETMSGSTR(_str_dir, (int)x[0]);
|
|
||||||
printf("refcnt=%d\n", (int)x[1]);
|
|
||||||
}
|
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* set "ip address/prefix[port number]" to buffer.
|
* set "ipaddress" to buffer.
|
||||||
*/
|
*/
|
||||||
static char *_str_addr(u_int family, caddr_t addr, u_int pref, u_int port)
|
static char *
|
||||||
|
_str_ipaddr(family, addr)
|
||||||
|
u_int family;
|
||||||
|
caddr_t addr;
|
||||||
{
|
{
|
||||||
static char buf[128];
|
static char buf[128];
|
||||||
char pbuf[128];
|
char addrbuf[128];
|
||||||
|
|
||||||
if (addr == NULL)
|
if (addr == NULL)
|
||||||
return "";
|
return "";
|
||||||
|
|
||||||
inet_ntop(family, addr, pbuf, sizeof(pbuf));
|
inet_ntop(family, addr, addrbuf, sizeof(addrbuf));
|
||||||
|
|
||||||
|
snprintf(buf, sizeof(buf), "%s", addrbuf);
|
||||||
|
|
||||||
|
return buf;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* set "/prefix[port number]" to buffer.
|
||||||
|
*/
|
||||||
|
static char *
|
||||||
|
_str_prefport(family, pref, port)
|
||||||
|
u_int family, pref, port;
|
||||||
|
{
|
||||||
|
static char buf[128];
|
||||||
|
char prefbuf[10];
|
||||||
|
char portbuf[10];
|
||||||
|
|
||||||
|
if (pref == (_INALENBYAF(family) << 3))
|
||||||
|
prefbuf[0] = '\0';
|
||||||
|
else
|
||||||
|
snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
|
||||||
|
|
||||||
|
if (port == IPSEC_PORT_ANY)
|
||||||
|
snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
|
||||||
|
else
|
||||||
|
snprintf(portbuf, sizeof(portbuf), "[%u]", ntohs(port));
|
||||||
|
|
||||||
|
snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
|
||||||
|
|
||||||
snprintf(buf, sizeof(buf), "%s/%u[%u]", pbuf, pref, ntohs(port));
|
|
||||||
return buf;
|
return buf;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* set "Mon Day Time Year" to buffer
|
* set "Mon Day Time Year" to buffer
|
||||||
*/
|
*/
|
||||||
static char *_str_time(time_t t)
|
static char *
|
||||||
|
_str_time(t)
|
||||||
|
time_t t;
|
||||||
{
|
{
|
||||||
static char buf[128];
|
static char buf[128];
|
||||||
|
|
||||||
@ -417,7 +447,10 @@ static char *_str_time(time_t t)
|
|||||||
return(buf);
|
return(buf);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void _str_lifetime_byte(struct sadb_lifetime *x, char *str)
|
static void
|
||||||
|
_str_lifetime_byte(x, str)
|
||||||
|
struct sadb_lifetime *x;
|
||||||
|
char *str;
|
||||||
{
|
{
|
||||||
double y;
|
double y;
|
||||||
char *unit;
|
char *unit;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
# $NetBSD: shlib_version,v 1.1 1999/07/01 20:15:29 itojun Exp $
|
# $NetBSD: shlib_version,v 1.2 2000/01/31 14:15:32 itojun Exp $
|
||||||
# Remember to update distrib/sets/lists/base/shl.* when changing
|
# Remember to update distrib/sets/lists/base/shl.* when changing
|
||||||
#
|
#
|
||||||
major=0
|
major=1
|
||||||
minor=0
|
minor=0
|
||||||
|
Loading…
Reference in New Issue
Block a user