upgrade libipsec to the latest.
- parser now uses yacc/lex (there will be no symbol conflict). - outbound policy and inbound policy are now separate - policy specification for tunnel SA is improved - api changed, bump shlib major XXX some programs will become unbuildable - will commit shortly
parent
2a29f83468
commit
e5e6464767
@ -1,4 +1,4 @@
|
||||
# $NetBSD: shl.elf,v 1.14 1999/11/23 11:20:29 blymn Exp $
|
||||
# $NetBSD: shl.elf,v 1.15 2000/01/31 14:15:34 itojun Exp $
|
||||
./usr/lib/libamu.so.1
|
||||
./usr/lib/libbfd.so.3
|
||||
./usr/lib/libbz2.so.0
|
||||
@ -8,7 +8,7 @@
|
||||
./usr/lib/libedit.so.2
|
||||
./usr/lib/libg2c.so.0
|
||||
./usr/lib/libgnumalloc.so.0
|
||||
./usr/lib/libipsec.so.0
|
||||
./usr/lib/libipsec.so.1
|
||||
./usr/lib/libkvm.so.5
|
||||
./usr/lib/libm.so.0
|
||||
./usr/lib/libmenu.so.0
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $NetBSD: shl.mi,v 1.52 2000/01/28 17:40:41 itojun Exp $
|
||||
# $NetBSD: shl.mi,v 1.53 2000/01/31 14:15:34 itojun Exp $
|
||||
./usr/lib/libamu.so.1.1
|
||||
./usr/lib/libbfd.so.3.0
|
||||
./usr/lib/libbz2.so.0.0
|
||||
@ -8,7 +8,7 @@
|
||||
./usr/lib/libedit.so.2.3
|
||||
./usr/lib/libg2c.so.0.0
|
||||
./usr/lib/libgnumalloc.so.0.0
|
||||
./usr/lib/libipsec.so.0.0
|
||||
./usr/lib/libipsec.so.1.0
|
||||
./usr/lib/libkvm.so.5.0
|
||||
./usr/lib/libm.so.0.1
|
||||
./usr/lib/libmenu.so.0.1
|
||||
|
@ -1,17 +1,24 @@
|
||||
# $NetBSD: Makefile,v 1.2 1999/07/03 06:59:28 itojun Exp $
|
||||
# $NetBSD: Makefile,v 1.3 2000/01/31 14:15:30 itojun Exp $
|
||||
|
||||
LIB= ipsec
|
||||
#CFLAGS+=-g
|
||||
CPPFLAGS+=-DIPSEC_DEBUG
|
||||
CPPFLAGS+=-DIPSEC
|
||||
CPPFLAGS+=-DINET6
|
||||
CFLAGS+=-g
|
||||
CPPFLAGS+=-DIPSEC_DEBUG -DIPSEC -DINET6 -I. -DYY_NO_UNPUT
|
||||
|
||||
.PATH: ${.CURDIR}/../../sys/netkey
|
||||
SRCS= pfkey.c pfkey_dump.c
|
||||
SRCS+= ipsec_policy.c ipsec_strerror.c key_debug.c
|
||||
SRCS+= ipsec_strerror.c policy_parse.y policy_token.l
|
||||
SRCS+= ipsec_get_policylen.c ipsec_dump_policy.c
|
||||
SRCS+= key_debug.c
|
||||
LPREFIX+=__libyy
|
||||
YPREFIX+=__libyy
|
||||
YHEADER=1
|
||||
|
||||
#LFLAGS+= -olex.yy.c
|
||||
|
||||
MAN= ipsec_set_policy.3 ipsec_strerror.3
|
||||
MLINKS+=ipsec_set_policy.3 ipsec_get_policylen.3 \
|
||||
ipsec_set_policy.3 ipsec_dump_policy.3
|
||||
|
||||
CLEANFILES+= y.tab.h
|
||||
|
||||
.include <bsd.lib.mk>
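Review bot: `CFLAGS+=-g` together with `CPPFLAGS+=-DIPSEC_DEBUG -DIPSEC -DINET6 -I. -DYY_NO_UNPUT` builds the installed shared library with debug info and the debug-only code paths compiled in; if `CFLAGS+=-g` is the new side (the other copy of the line in this hunk is the commented-out `#CFLAGS+=-g`), it reads like a development setting that should either stay commented out or be gated, e.g. `.if defined(LIBIPSEC_DEBUG)` / `CFLAGS+=-g` / `.endif`. Which side each line is on is inferred from print order only, so treat that as a question for the author rather than a finding. `LPREFIX+=__libyy` and `YPREFIX+=__libyy` are single-valued settings, so plain `=` says what is meant and avoids a stray extra value if either variable is already set in the environment.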
|
||||
|
@ -1,667 +0,0 @@
|
||||
/* $NetBSD: ipsec_policy.c,v 1.3 1999/07/04 01:36:12 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#if 0
|
||||
static char *rcsid = "@(#) ipsec_policy.c KAME Revision: 1.1.4.8";
|
||||
#else
|
||||
#include <sys/cdefs.h>
|
||||
#ifndef lint
|
||||
__RCSID("$NetBSD: ipsec_policy.c,v 1.3 1999/07/04 01:36:12 itojun Exp $");
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/*
|
||||
* The following requests are accepted:
|
||||
* protocol parsed as protocol/default/
|
||||
* protocol/level/proxy
|
||||
* protocol/ parsed as protocol/default/
|
||||
* protocol/level parsed as protocol/level/
|
||||
* protocol/level/ parsed as protocol/level/
|
||||
* protocol/proxy parsed as protocol/default/proxy
|
||||
* protocol//proxy parsed as protocol/default/proxy
|
||||
* protocol// parsed as protocol/default/
|
||||
* You can concatenate these requests with either ' ' or '\n'.
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/socket.h>
|
||||
#include <assert.h>
|
||||
|
||||
#include <net/route.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet6/ipsec.h>
|
||||
|
||||
#include <netkey/keyv2.h>
|
||||
#include <netkey/key_var.h>
|
||||
|
||||
#include <arpa/inet.h>
|
||||
|
||||
#include <netdb.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <strings.h>
|
||||
#include <errno.h>
|
||||
|
||||
#include "ipsec_strerror.h"
|
||||
|
||||
/* order must be the same */
|
||||
static char *tokens[] = {
|
||||
"discard", "none", "ipsec", "entrust", "bypass",
|
||||
"esp", "ah", "ipcomp", "default", "use", "require", "/", NULL
|
||||
};
|
||||
enum token {
|
||||
t_invalid = -1, t_discard, t_none, t_ipsec, t_entrust, t_bypass,
|
||||
t_esp, t_ah, t_ipcomp, t_default, t_use, t_require, t_slash, t_omit,
|
||||
};
|
||||
static int values[] = {
|
||||
IPSEC_POLICY_DISCARD, IPSEC_POLICY_NONE, IPSEC_POLICY_IPSEC,
|
||||
IPSEC_POLICY_ENTRUST, IPSEC_POLICY_BYPASS,
|
||||
IPPROTO_ESP, IPPROTO_AH, IPPROTO_IPCOMP,
|
||||
IPSEC_LEVEL_DEFAULT, IPSEC_LEVEL_USE, IPSEC_LEVEL_REQUIRE, 0, 0,
|
||||
};
|
||||
struct pbuf {
|
||||
char *buf;
|
||||
int buflen; /* size of the buffer */
|
||||
int off; /* current offset */
|
||||
};
|
||||
|
||||
/* XXX duplicated def */
|
||||
static char *ipsp_strs[] = {
|
||||
"discard", "none", "ipsec", "entrust", "bypass",
|
||||
};
|
||||
|
||||
static enum token gettoken(char *p);
|
||||
static char *skiptoken(char *p, enum token t);
|
||||
static char *skipspaces(char *p);
|
||||
static char *parse_request(struct pbuf *pbuf, char *p);
|
||||
static char *parse_policy(struct pbuf *pbuf, char *p);
|
||||
static char *get_sockaddr(char *host, struct sockaddr *addr);
|
||||
static int parse_setreq(struct pbuf *pbuf, int proto, int level,
|
||||
struct sockaddr *proxy);
|
||||
static int parse_main(struct pbuf *pbuf, char *policy);
|
||||
|
||||
static enum token gettoken(char *p)
|
||||
{
|
||||
int i;
|
||||
int l;
|
||||
|
||||
assert(p);
|
||||
for (i = 0; i < sizeof(tokens)/sizeof(tokens[0]); i++) {
|
||||
if (tokens[i] == NULL)
|
||||
continue;
|
||||
l = strlen(tokens[i]);
|
||||
if (strncmp(p, tokens[i], l) != 0)
|
||||
continue;
|
||||
/* slash alone is okay as token */
|
||||
if (i == t_slash)
|
||||
return i;
|
||||
/* other ones are words, so needs proper termination */
|
||||
if (isspace(p[l]) || p[l] == '/' || p[l] == '\0')
|
||||
return i;
|
||||
}
|
||||
return t_invalid;
|
||||
}
|
||||
|
||||
static char *skiptoken(char *p, enum token t)
|
||||
{
|
||||
assert(p);
|
||||
assert(tokens[t] != NULL);
|
||||
|
||||
if (gettoken(p) != t)
|
||||
return NULL;
|
||||
return p + strlen(tokens[t]);
|
||||
}
|
||||
|
||||
static char *skipspaces(char *p)
|
||||
{
|
||||
assert(p);
|
||||
while (p && isspace(*p))
|
||||
p++;
|
||||
return p;
|
||||
}
|
||||
|
||||
static char *parse_request(struct pbuf *pbuf, char *p)
|
||||
{
|
||||
enum token t;
|
||||
int i;
|
||||
enum token ts[3]; /* set of tokens */
|
||||
struct sockaddr_storage proxy;
|
||||
int isproxy;
|
||||
|
||||
assert(p);
|
||||
assert(pbuf);
|
||||
|
||||
i = 0;
|
||||
|
||||
/*
|
||||
* here, we accept sequence like:
|
||||
* [token slash]* token
|
||||
* and decode that into ts[].
|
||||
*/
|
||||
for (i = 0; i < sizeof(ts)/sizeof(ts[0]); i++)
|
||||
ts[i] = t_invalid;
|
||||
i = 0;
|
||||
while (i < sizeof(ts)/sizeof(ts[0])) {
|
||||
/* get a token */
|
||||
p = skipspaces(p);
|
||||
t = gettoken(p);
|
||||
switch (t) {
|
||||
case t_invalid:
|
||||
/*
|
||||
* this may be a proxy.
|
||||
* this shouldn't be a termination.
|
||||
*/
|
||||
if (*p != '\0')
|
||||
goto breakbreak;
|
||||
goto parseerror;
|
||||
case t_esp:
|
||||
case t_ah:
|
||||
case t_ipcomp:
|
||||
case t_default:
|
||||
case t_use:
|
||||
case t_require:
|
||||
/*
|
||||
* protocol or level - just keep it into ts[],
|
||||
* we'll care about protocol/level ordering afterwards
|
||||
*/
|
||||
ts[i++] = t;
|
||||
p = skiptoken(p, t);
|
||||
break;
|
||||
case t_slash:
|
||||
/*
|
||||
* the user did not specify the token - don't advance
|
||||
* the pointer.
|
||||
*/
|
||||
ts[i++] = t_omit;
|
||||
break;
|
||||
default:
|
||||
/* bzz, you are wrong */
|
||||
goto parseerror;
|
||||
}
|
||||
|
||||
/* get a slash */
|
||||
p = skipspaces(p);
|
||||
t = gettoken(p);
|
||||
switch (t) {
|
||||
case t_invalid:
|
||||
/* this may be a termination. */
|
||||
if (*p == '\0')
|
||||
goto breakbreak;
|
||||
goto parseerror;
|
||||
case t_esp:
|
||||
case t_ah:
|
||||
case t_ipcomp:
|
||||
/* protocol - we've hit the next request */
|
||||
goto breakbreak;
|
||||
case t_slash:
|
||||
p = skiptoken(p, t);
|
||||
break;
|
||||
default:
|
||||
/* bzz, you are wrong */
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
breakbreak:
|
||||
|
||||
/* alright, we've got the tokens. */
|
||||
switch (i) {
|
||||
case 0:
|
||||
ipsec_errcode = EIPSEC_NO_PROTO;
|
||||
return NULL; /* no token? naa, go away */
|
||||
case 1:
|
||||
case 2:
|
||||
if (!(ts[0] == t_esp || ts[0] == t_ah || ts[0] == t_ipcomp)) {
|
||||
ipsec_errcode = EIPSEC_INVAL_PROTO;
|
||||
return NULL;
|
||||
}
|
||||
if (i == 1) {
|
||||
i++;
|
||||
ts[1] = t_default;
|
||||
}
|
||||
if (ts[1] == t_omit)
|
||||
ts[1] = t_default;
|
||||
if (!(ts[1] == t_default || ts[1] == t_use
|
||||
|| ts[1] == t_require)) {
|
||||
ipsec_errcode = EIPSEC_INVAL_LEVEL;
|
||||
return NULL;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
ipsec_errcode = EIPSEC_INVAL_LEVEL; /*XXX*/
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* here, we should be having 2 tokens */
|
||||
assert(i == 2);
|
||||
|
||||
/* we may have a proxy here */
|
||||
isproxy = 0;
|
||||
if (*p != '\0' && gettoken(p) == t_invalid) {
|
||||
p = get_sockaddr(p, (struct sockaddr *)&proxy);
|
||||
if (p == NULL) {
|
||||
/* get_sockaddr updates ipsec_errcode */
|
||||
return NULL;
|
||||
}
|
||||
isproxy++;
|
||||
p = skipspaces(p);
|
||||
}
|
||||
|
||||
if (parse_setreq(pbuf, values[ts[0]], values[ts[1]],
|
||||
isproxy ? (struct sockaddr *)&proxy : NULL) < 0) {
|
||||
/* parse_setreq updates ipsec_errcode */
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return p;
|
||||
|
||||
parseerror:
|
||||
ipsec_errcode = EIPSEC_NO_ERROR; /*sentinel*/
|
||||
switch (i) {
|
||||
case 0:
|
||||
ipsec_errcode = EIPSEC_NO_PROTO;
|
||||
break;
|
||||
case 1:
|
||||
case 2:
|
||||
if (!(ts[0] == t_esp || ts[0] == t_ah || ts[0] == t_ipcomp))
|
||||
ipsec_errcode = EIPSEC_INVAL_PROTO;
|
||||
if (i == 1)
|
||||
break;
|
||||
if (!(ts[1] == t_default || ts[1] == t_use
|
||||
|| ts[1] == t_require)) {
|
||||
ipsec_errcode = EIPSEC_INVAL_LEVEL;
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (ipsec_errcode == EIPSEC_NO_ERROR)
|
||||
ipsec_errcode = EIPSEC_INVAL_LEVEL; /*XXX*/
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static char *parse_policy(struct pbuf *pbuf, char *p)
|
||||
{
|
||||
enum token t;
|
||||
int len;
|
||||
struct sadb_x_policy *policy;
|
||||
|
||||
assert(p);
|
||||
assert(pbuf);
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
|
||||
/* get the token */
|
||||
p = skipspaces(p);
|
||||
t = gettoken(p);
|
||||
switch (t) {
|
||||
case t_discard:
|
||||
case t_none:
|
||||
case t_ipsec:
|
||||
case t_entrust:
|
||||
case t_bypass:
|
||||
p = skiptoken(p, t);
|
||||
break;
|
||||
default:
|
||||
/* bzz, you're wrong */
|
||||
ipsec_errcode = EIPSEC_INVAL_POLICY;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* construct policy structure */
|
||||
len = PFKEY_ALIGN8(sizeof(*policy));
|
||||
policy = NULL;
|
||||
if (pbuf->buf) {
|
||||
if (pbuf->off + len > pbuf->buflen) {
|
||||
/* buffer overflow */
|
||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
policy = (struct sadb_x_policy *)&pbuf->buf[pbuf->off];
|
||||
memset(policy, 0, sizeof(*policy));
|
||||
policy->sadb_x_policy_len = PFKEY_UNIT64(len);
|
||||
/* update later */
|
||||
policy->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
|
||||
policy->sadb_x_policy_type = values[t];
|
||||
}
|
||||
pbuf->off += len;
|
||||
|
||||
/* alright, go to the next step */
|
||||
while (p && *p)
|
||||
p = parse_request(pbuf, p);
|
||||
|
||||
/* ipsec policy needs request */
|
||||
if (t == t_ipsec && pbuf->off == len) {
|
||||
ipsec_errcode = EIPSEC_INVAL_POLICY;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* update length */
|
||||
if (policy)
|
||||
policy->sadb_x_policy_len = PFKEY_UNIT64(pbuf->off);
|
||||
|
||||
return p;
|
||||
}
|
||||
|
||||
static char *get_sockaddr(char *host, struct sockaddr *addr)
|
||||
{
|
||||
struct sockaddr *saddr = NULL;
|
||||
struct addrinfo hints, *res;
|
||||
char *serv = NULL;
|
||||
int error;
|
||||
char *p, c;
|
||||
|
||||
/* find the next delimiter */
|
||||
p = host;
|
||||
while (p && *p && !isspace(*p) && *p != '/')
|
||||
p++;
|
||||
if (p == host)
|
||||
return NULL;
|
||||
c = *p;
|
||||
*p = '\0';
|
||||
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = PF_UNSPEC;
|
||||
if ((error = getaddrinfo(host, serv, &hints, &res)) != 0) {
|
||||
ipsec_set_strerror(gai_strerror(error));
|
||||
*p = c;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (res->ai_addr == NULL) {
|
||||
ipsec_set_strerror(gai_strerror(error));
|
||||
*p = c;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
#if 0
|
||||
if (res->ai_next) {
|
||||
printf("getaddrinfo(%s): "
|
||||
"resolved to multiple address, taking the first one",
|
||||
host);
|
||||
}
|
||||
#endif
|
||||
|
||||
if ((saddr = malloc(res->ai_addr->sa_len)) == NULL) {
|
||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
freeaddrinfo(res);
|
||||
*p = c;
|
||||
return NULL;
|
||||
}
|
||||
memcpy(addr, res->ai_addr, res->ai_addr->sa_len);
|
||||
|
||||
freeaddrinfo(res);
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
*p = c;
|
||||
return p;
|
||||
}
|
||||
|
||||
static int parse_setreq(struct pbuf *pbuf, int proto, int level,
|
||||
struct sockaddr *proxy)
|
||||
{
|
||||
struct sadb_x_ipsecrequest *req;
|
||||
int start;
|
||||
int len;
|
||||
|
||||
assert(pbuf);
|
||||
|
||||
start = pbuf->off;
|
||||
|
||||
len = PFKEY_ALIGN8(sizeof(*req));
|
||||
req = NULL;
|
||||
if (pbuf->buf) {
|
||||
if (pbuf->off + len > pbuf->buflen) {
|
||||
/* buffer overflow */
|
||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
return -1;
|
||||
}
|
||||
req = (struct sadb_x_ipsecrequest *)&pbuf->buf[pbuf->off];
|
||||
memset(req, 0, sizeof(*req));
|
||||
req->sadb_x_ipsecrequest_len = len; /* updated later */
|
||||
req->sadb_x_ipsecrequest_proto = proto;
|
||||
req->sadb_x_ipsecrequest_mode =
|
||||
(proxy == NULL ? IPSEC_MODE_TRANSPORT
|
||||
: IPSEC_MODE_TUNNEL);
|
||||
req->sadb_x_ipsecrequest_level = level;
|
||||
|
||||
}
|
||||
pbuf->off += len;
|
||||
|
||||
if (proxy) {
|
||||
len = PFKEY_ALIGN8(proxy->sa_len);
|
||||
if (pbuf->buf) {
|
||||
if (pbuf->off + len > pbuf->buflen) {
|
||||
/* buffer overflow */
|
||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
return -1;
|
||||
}
|
||||
memset(&pbuf->buf[pbuf->off], 0, len);
|
||||
memcpy(&pbuf->buf[pbuf->off], proxy, proxy->sa_len);
|
||||
}
|
||||
if (req)
|
||||
req->sadb_x_ipsecrequest_len += len;
|
||||
pbuf->off += len;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int parse_main(struct pbuf *pbuf, char *policy)
|
||||
{
|
||||
char *p;
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
|
||||
if (policy == NULL) {
|
||||
ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
|
||||
return -1;
|
||||
}
|
||||
|
||||
p = parse_policy(pbuf, policy);
|
||||
if (!p) {
|
||||
/* ipsec_errcode updated somewhere inside */
|
||||
return -1;
|
||||
}
|
||||
p = skipspaces(p);
|
||||
if (*p != '\0') {
|
||||
ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
|
||||
return -1;
|
||||
}
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* %%% */
|
||||
int ipsec_get_policylen(char *policy)
|
||||
{
|
||||
struct pbuf pbuf;
|
||||
|
||||
memset(&pbuf, 0, sizeof(pbuf));
|
||||
if (parse_main(&pbuf, policy) < 0)
|
||||
return -1;
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return pbuf.off;
|
||||
}
|
||||
|
||||
int ipsec_set_policy(char *buf, int len, char *policy)
|
||||
{
|
||||
struct pbuf pbuf;
|
||||
|
||||
memset(&pbuf, 0, sizeof(pbuf));
|
||||
pbuf.buf = buf;
|
||||
pbuf.buflen = len;
|
||||
if (parse_main(&pbuf, policy) < 0)
|
||||
return -1;
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return pbuf.off;
|
||||
}
|
||||
|
||||
/*
|
||||
* policy is sadb_x_policy buffer.
|
||||
* Must call free() later.
|
||||
* When delimiter == NULL, alternatively ' '(space) is applied.
|
||||
*/
|
||||
char *ipsec_dump_policy(char *policy, char *delimiter)
|
||||
{
|
||||
struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
|
||||
struct sadb_x_ipsecrequest *xisr;
|
||||
int xtlen, buflen;
|
||||
char *buf;
|
||||
|
||||
/* sanity check */
|
||||
if (policy == NULL)
|
||||
return NULL;
|
||||
if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
|
||||
ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* set delimiter */
|
||||
if (delimiter == NULL)
|
||||
delimiter = " ";
|
||||
|
||||
switch (xpl->sadb_x_policy_type) {
|
||||
case IPSEC_POLICY_DISCARD:
|
||||
case IPSEC_POLICY_NONE:
|
||||
case IPSEC_POLICY_IPSEC:
|
||||
case IPSEC_POLICY_BYPASS:
|
||||
case IPSEC_POLICY_ENTRUST:
|
||||
break;
|
||||
default:
|
||||
ipsec_errcode = EIPSEC_INVAL_POLICY;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
buflen = strlen(ipsp_strs[xpl->sadb_x_policy_type]) + 1;
|
||||
|
||||
if ((buf = malloc(buflen)) == NULL) {
|
||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
return NULL;
|
||||
}
|
||||
strcpy(buf, ipsp_strs[xpl->sadb_x_policy_type]);
|
||||
|
||||
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return buf;
|
||||
}
|
||||
|
||||
xtlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
|
||||
xisr = (struct sadb_x_ipsecrequest *)(policy + sizeof(*xpl));
|
||||
|
||||
/* count length of buffer for use */
|
||||
/* XXX non-seriously */
|
||||
while (xtlen > 0) {
|
||||
buflen += 20;
|
||||
if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL)
|
||||
buflen += 50;
|
||||
xtlen -= xisr->sadb_x_ipsecrequest_len;
|
||||
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
|
||||
+ xisr->sadb_x_ipsecrequest_len);
|
||||
}
|
||||
|
||||
/* validity check */
|
||||
if (xtlen < 0) {
|
||||
ipsec_errcode = EIPSEC_INVAL_SADBMSG;
|
||||
free(buf);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if ((buf = realloc(buf, buflen)) == NULL) {
|
||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
xtlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
|
||||
xisr = (struct sadb_x_ipsecrequest *)(policy + sizeof(*xpl));
|
||||
|
||||
while (xtlen > 0) {
|
||||
switch (xisr->sadb_x_ipsecrequest_proto) {
|
||||
case IPPROTO_ESP:
|
||||
strcat(buf, delimiter);
|
||||
strcat(buf, "esp");
|
||||
break;
|
||||
case IPPROTO_AH:
|
||||
strcat(buf, delimiter);
|
||||
strcat(buf, "ah");
|
||||
break;
|
||||
case IPPROTO_IPCOMP:
|
||||
strcat(buf, delimiter);
|
||||
strcat(buf, "ipcomp");
|
||||
break;
|
||||
default:
|
||||
ipsec_errcode = EIPSEC_INVAL_PROTO;
|
||||
free(buf);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
switch (xisr->sadb_x_ipsecrequest_level) {
|
||||
case IPSEC_LEVEL_DEFAULT:
|
||||
strcat(buf, "/default");
|
||||
break;
|
||||
case IPSEC_LEVEL_USE:
|
||||
strcat(buf, "/use");
|
||||
break;
|
||||
case IPSEC_LEVEL_REQUIRE:
|
||||
strcat(buf, "/require");
|
||||
break;
|
||||
default:
|
||||
ipsec_errcode = EIPSEC_INVAL_LEVEL;
|
||||
free(buf);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL) {
|
||||
char tmp[100]; /* XXX */
|
||||
struct sockaddr *saddr =
|
||||
(struct sockaddr *)((caddr_t)xisr + sizeof(*xisr));
|
||||
#if 1
|
||||
inet_ntop(saddr->sa_family, _INADDRBYSA(saddr),
|
||||
tmp, sizeof(tmp));
|
||||
#else
|
||||
getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
|
||||
NULL, 0, NI_NUMERICHOST);
|
||||
#endif
|
||||
strcat(buf, "/");
|
||||
strcat(buf, tmp);
|
||||
}
|
||||
|
||||
xtlen -= xisr->sadb_x_ipsecrequest_len;
|
||||
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
|
||||
+ xisr->sadb_x_ipsecrequest_len);
|
||||
}
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return buf;
|
||||
}
|
@ -25,8 +25,8 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $NetBSD: ipsec_set_policy.3,v 1.5 1999/12/21 14:17:18 itojun Exp $
|
||||
.\" KAME Id: ipsec_set_policy.3,v 1.1.2.6 1999/07/01 06:54:58 sakane Exp
|
||||
.\" $NetBSD: ipsec_set_policy.3,v 1.6 2000/01/31 14:15:31 itojun Exp $
|
||||
.\" KAME Id: ipsec_set_policy.3,v 1.8 2000/01/27 17:59:12 itojun Exp
|
||||
.\"
|
||||
.Dd May 5, 1998
|
||||
.Dt IPSEC_SET_POLICY 3
|
||||
@ -43,10 +43,10 @@
|
||||
.\"
|
||||
.Sh SYNOPSIS
|
||||
.Fd #include <netinet6/ipsec.h>
|
||||
.Ft "char *"
|
||||
.Fn ipsec_set_policy "char *policy" "int len"
|
||||
.Ft int
|
||||
.Fn ipsec_set_policy "char *buf" "int len" "char *policy"
|
||||
.Ft int
|
||||
.Fn ipsec_get_policylen "char *policy"
|
||||
.Fn ipsec_get_policylen "char *buf"
|
||||
.Ft "char *"
|
||||
.Fn ipsec_dump_policy "char *buf" "char *delim"
|
||||
.\"
|
||||
@ -58,21 +58,18 @@ and/or
|
||||
.Li struct sadb_x_ipsecrequest
|
||||
from human-readable policy specification.
|
||||
policy specification must be given as C string
|
||||
.Fa policy ,
|
||||
and the resulting structure will be generated at the buffer pointed to by
|
||||
.Fa buf ,
|
||||
length
|
||||
.Fa len .
|
||||
.Pp
|
||||
To obtain the required buffer size beforehand, use
|
||||
.Fn ipsec_get_policylen
|
||||
with the same
|
||||
.Fa policy
|
||||
argument.
|
||||
and length
|
||||
.Fa len
|
||||
of
|
||||
.Fa policy .
|
||||
.Fn ipsec_set_policy
|
||||
will return the buffer of IPsec policy specification structure.
|
||||
.Pp
|
||||
You may want the length of the generated buffer such when calling
|
||||
.Xr setsockopt 2 .
|
||||
.Fn ipsec_get_policylen
|
||||
will return the required buffer size,
|
||||
and you may want to allocate buffer dynamically for use with
|
||||
.Fn ipsec_set_policy .
|
||||
will return the length.
|
||||
.Pp
|
||||
.Fn ipsec_dump_policy
|
||||
converts IPsec policy structure into readable form.
|
||||
@ -95,51 +92,99 @@ returns pointer to dynamically allocated string.
|
||||
It is caller's responsibility to reclaim the region, by using
|
||||
.Xr free 3 .
|
||||
.Pp
|
||||
.\"
|
||||
.Fa policy
|
||||
is formatted as either of the following:
|
||||
.Bl -tag -width "discard"
|
||||
.It Li discard
|
||||
.Li discard
|
||||
means the packet matching indexes will be discarded.
|
||||
.It Li none
|
||||
.Li none
|
||||
means IPsec will not be performed on the matching packets
|
||||
.It Ar direction Li entrust
|
||||
.Ar direction
|
||||
must be
|
||||
.Li in
|
||||
or
|
||||
.Li out .
|
||||
.Ar direction
|
||||
specifies which direction the policy needs to be applied.
|
||||
.Li entrust
|
||||
means to consult to SPD defined by
|
||||
.Xr setkey 8 .
|
||||
.It Ar direction Li bypass
|
||||
.Li bypass
|
||||
means to be bypassed the IPsec processing.
|
||||
.Po
|
||||
packet will be transmitted in clear
|
||||
.Pc .
|
||||
.It Xo Li ipsec
|
||||
.Ar protocol
|
||||
.Op Ar /level
|
||||
.Op Ar /peer
|
||||
.Op ...
|
||||
This is for privileged socket.
|
||||
.It Xo
|
||||
.Ar direction
|
||||
.Li ipsec
|
||||
.Ar request ...
|
||||
.Xc
|
||||
.Li ipsec
|
||||
means that the matching packets are subject to IPsec processing.
|
||||
.Li ipsec
|
||||
can be followed by multiple set of
|
||||
.Do
|
||||
can be followed by one or more
|
||||
.Ar request
|
||||
string, which is formatted as below:
|
||||
.Bl -tag -width "discard"
|
||||
.It Xo
|
||||
.Ar protocol
|
||||
.Li /
|
||||
.Ar mode
|
||||
.Li /
|
||||
.Ar src
|
||||
.Li -
|
||||
.Ar dst
|
||||
.Op Ar /level
|
||||
.Op Ar /peer
|
||||
.Dc
|
||||
arguments.
|
||||
.Xc
|
||||
.Ar protocol
|
||||
is either
|
||||
.Li ah ,
|
||||
.Li esp
|
||||
or
|
||||
.Li ipcomp .
|
||||
.Pp
|
||||
.Ar mode
|
||||
is either
|
||||
.Li transport
|
||||
or
|
||||
.Li tunnel .
|
||||
.Pp
|
||||
.Ar src
|
||||
and
|
||||
.Ar dst
|
||||
specifies IPsec endpoint.
|
||||
.Ar src
|
||||
always means
|
||||
.Dq sending node
|
||||
and
|
||||
.Ar dst
|
||||
always means
|
||||
.Dq receiving node .
|
||||
Therefore, when
|
||||
.Ar direction
|
||||
is
|
||||
.Li in ,
|
||||
.Ar dst
|
||||
is this node
|
||||
and
|
||||
.Ar src
|
||||
is the other node
|
||||
.Pq peer .
|
||||
.Pp
|
||||
.Ar level
|
||||
must be set to one of the following:
|
||||
.Li default , use
|
||||
.Li default , use , require
|
||||
or
|
||||
.Li require .
|
||||
.Li unique .
|
||||
.Li default
|
||||
means that the kernel should consult the system default policy
|
||||
defined by
|
||||
.Xr sysctl 8 ,
|
||||
such as
|
||||
.Li net.inet.ipsec.esp_trans_deflev .
|
||||
See
|
||||
.Xr ipsec 4
|
||||
regarding the system default.
|
||||
.Li use
|
||||
means that a relevant SA can be used when available,
|
||||
since the kernel may perform IPsec operation against packets when possible.
|
||||
@ -150,14 +195,24 @@ or encrypted
|
||||
.Li require
|
||||
means that a relevant SA is required,
|
||||
since the kernel must perform IPsec operation against packets.
|
||||
.Ar peer
|
||||
is an IPv4 or IPv6 address string, and it will be used as
|
||||
a hint when IPsec system configures IPsec tunnel mode SA by using
|
||||
key management protocol.
|
||||
.Pp
|
||||
If the string is kept unambiguous,
|
||||
.Li unique
|
||||
is the same as
|
||||
.Li require ,
|
||||
but adds the restriction that the SA for outbound traffic is used
|
||||
only for this policy.
|
||||
You may need the identifier in order to relate the policy and the SA
|
||||
when you define the SA by manual keying.
|
||||
You can put the decimal number as the identifier after
|
||||
.Li unique
|
||||
like
|
||||
.Li unique : number .
|
||||
.Li number
|
||||
must be between 1 and 32767 .
|
||||
If the
|
||||
.Ar request
|
||||
string is kept unambiguous,
|
||||
.Ar level
|
||||
and slashes surrounding
|
||||
and slash prior to
|
||||
.Ar level
|
||||
can be omitted.
|
||||
However, it is encouraged to specify them explicitly
|
||||
@ -167,19 +222,31 @@ If
|
||||
is omitted, it will be interpreted as
|
||||
.Li default .
|
||||
.El
|
||||
.El
|
||||
.Pp
|
||||
Here are several examples:
|
||||
Note that there is a bit difference of specification from
|
||||
.Xr setkey 8 .
|
||||
In specification by
|
||||
.Xr setkey 8 ,
|
||||
both entrust and bypass are not used. Refer to
|
||||
.Xr setkey 8
|
||||
for detail.
|
||||
.Pp
|
||||
Here are several examples
|
||||
.Pq long lines are wrapped for readability :
|
||||
.Bd -literal -offset indent
|
||||
discard
|
||||
ipsec esp/require
|
||||
ipsec ah/use/10.1.1.1
|
||||
ipsec esp/use ah/require
|
||||
ipsec ipcomp/use esp/use ah/require
|
||||
in discard
|
||||
out ipsec esp/transport/10.1.1.1-10.1.1.2/require
|
||||
in ipsec ah/transport/10.1.1.2-10.1.1.1/require
|
||||
out ipsec esp/transport/10.1.1.2-10.1.1.1/use
|
||||
ah/tunnel/10.1.1.2-10.1.1.1/unique:1000
|
||||
in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
|
||||
esp/transport/10.1.1.2-10.1.1.1/use
|
||||
.Ed
|
||||
.\"
|
||||
.Sh RETURN VALUES
|
||||
.Fn ipsec_set_policy
|
||||
returns with 0 on success, negative value on errors.
|
||||
returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
|
||||
.Fn ipsec_get_policylen
|
||||
returns with positive value
|
||||
.Pq meaning the buffer size
|
||||
@ -192,6 +259,7 @@ on errors.
|
||||
.\"
|
||||
.Sh SEE ALSO
|
||||
.Xr ipsec_strerror 3 ,
|
||||
.Xr ispec 4 ,
|
||||
.Xr setkey 8
|
||||
.\"
|
||||
.Sh HISTORY
|
||||
|
@ -25,8 +25,8 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $NetBSD: ipsec_strerror.3,v 1.5 1999/12/21 14:17:18 itojun Exp $
|
||||
.\" KAME Id: ipsec_strerror.3,v 1.1.2.1 1999/05/06 09:26:43 itojun Exp
|
||||
.\" $NetBSD: ipsec_strerror.3,v 1.6 2000/01/31 14:15:31 itojun Exp $
|
||||
.\" KAME Id: ipsec_strerror.3,v 1.4 2000/01/27 17:59:13 itojun Exp
|
||||
.\"
|
||||
.Dd May 6, 1998
|
||||
.Dt IPSEC_STRERROR 3
|
||||
@ -42,7 +42,7 @@
|
||||
.Sh SYNOPSIS
|
||||
.Fd #include <netinet6/ipsec.h>
|
||||
.Ft "char *"
|
||||
.Fn ipsec_strerror "int code"
|
||||
.Fn ipsec_strerror
|
||||
.\"
|
||||
.Sh DESCRIPTION
|
||||
.Pa netinet6/ipsec.h
|
||||
@ -54,6 +54,19 @@ which is used to pass error code from IPsec policy manipulation library
|
||||
to user program.
|
||||
.Fn ipsec_strerror
|
||||
can be used to obtain error message string for the error code.
|
||||
.Pp
|
||||
The array pointed to is not to be modified by the program.
|
||||
Since
|
||||
.Fn ipsec_strerror
|
||||
uses
|
||||
.Xr strerror 3
|
||||
as underlying function, calling
|
||||
.Xr strerror 3
|
||||
after
|
||||
.Fn ipsec_strerror
|
||||
would make the return value from
|
||||
.Fn ipsec_strerror
|
||||
invalid, or overwritten.
|
||||
.\"
|
||||
.Sh RETURN VALUES
|
||||
.Fn ipsec_strerror
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipsec_strerror.c,v 1.3 1999/07/04 01:36:13 itojun Exp $ */
|
||||
/* $NetBSD: ipsec_strerror.c,v 1.4 2000/01/31 14:15:31 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
@ -46,7 +46,9 @@ static char *ipsec_errlist[] = {
|
||||
"Invalid sadb message", /*EIPSEC_INVAL_SADBMSG*/
|
||||
"Invalid version", /*EIPSEC_INVAL_VERSION*/
|
||||
"Invalid security policy", /*EIPSEC_INVAL_POLICY*/
|
||||
"Invalid address specification", /*EIPSEC_INVAL_ADDRESS*/
|
||||
"Invalid ipsec protocol", /*EIPSEC_INVAL_PROTO*/
|
||||
"Invalid ipsec mode", /*EIPSEC_INVAL_MODE*/
|
||||
"Invalid ipsec level", /*EIPSEC_INVAL_LEVEL*/
|
||||
"Invalid SA type", /*EIPSEC_INVAL_SATYPE*/
|
||||
"Invalid message type", /*EIPSEC_INVAL_MSGTYPE*/
|
||||
@ -55,6 +57,7 @@ static char *ipsec_errlist[] = {
|
||||
"Invalid key length", /*EIPSEC_INVAL_KEYLEN*/
|
||||
"Invalid address family", /*EIPSEC_INVAL_FAMILY*/
|
||||
"Invalid prefix length", /*EIPSEC_INVAL_PREFIXLEN*/
|
||||
"Invalid direciton", /*EIPSEC_INVAL_DIR*/
|
||||
"SPI range violation", /*EIPSEC_INVAL_SPI*/
|
||||
"No protocol specified", /*EIPSEC_NO_PROTO*/
|
||||
"No algorithm specified", /*EIPSEC_NO_ALGS*/
|
||||
@ -62,6 +65,7 @@ static char *ipsec_errlist[] = {
|
||||
"Must get supported algorithms list first", /*EIPSEC_DO_GET_SUPP_LIST*/
|
||||
"Protocol mismatch", /*EIPSEC_PROTO_MISMATCH*/
|
||||
"Family mismatch", /*EIPSEC_FAMILY_MISMATCH*/
|
||||
"Too few arguments", /*EIPSEC_FEW_ARGUMENTS*/
|
||||
NULL, /*EIPSEC_SYSTEM_ERROR*/
|
||||
"Unknown error", /*EIPSEC_MAX*/
|
||||
};
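Review bot: The entry added for EIPSEC_INVAL_DIR in the second hunk is misspelled: `"Invalid direciton", /*EIPSEC_INVAL_DIR*/` should read `"Invalid direction", /*EIPSEC_INVAL_DIR*/`; this is user-facing text returned by ipsec_strerror(), so the typo will surface in every caller's diagnostics. The three hunks insert new entries in the middle of ipsec_errlist, which is indexed by the EIPSEC_* numeric codes, so the array order and the renumbered values in ipsec_strerror.h are now load-bearing on each other; a comment on the table such as `/* indexed by EIPSEC_* code; keep in the same order as ipsec_strerror.h */` would make that dependency explicit. The visible header hunk already shows the comments on EIPSEC_INVAL_PREFIXLEN and EIPSEC_INVAL_SPI swapped relative to their names, which suggests the two lists are easy to let drift. The ipsec_errlist definition starts outside these hunks.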
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipsec_strerror.h,v 1.3 1999/07/04 01:36:13 itojun Exp $ */
|
||||
/* $NetBSD: ipsec_strerror.h,v 1.4 2000/01/31 14:15:31 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
@ -30,7 +30,7 @@
|
||||
*/
|
||||
|
||||
extern int ipsec_errcode;
|
||||
extern void ipsec_set_strerror(char *str);
|
||||
extern void ipsec_set_strerror __P((char *));
|
||||
|
||||
#define EIPSEC_NO_ERROR 0 /*success*/
|
||||
#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
|
||||
@ -38,21 +38,25 @@ extern void ipsec_set_strerror(char *str);
|
||||
#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
|
||||
#define EIPSEC_INVAL_VERSION 4 /*invalid version*/
|
||||
#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
|
||||
#define EIPSEC_INVAL_PROTO 6 /*invalid ipsec protocol*/
|
||||
#define EIPSEC_INVAL_LEVEL 7 /*invalid ipsec level*/
|
||||
#define EIPSEC_INVAL_SATYPE 8 /*invalid SA type*/
|
||||
#define EIPSEC_INVAL_MSGTYPE 9 /*invalid message type*/
|
||||
#define EIPSEC_INVAL_EXTTYPE 10 /*invalid extension type*/
|
||||
#define EIPSEC_INVAL_ALGS 11 /*Invalid algorithm type*/
|
||||
#define EIPSEC_INVAL_KEYLEN 12 /*invalid key length*/
|
||||
#define EIPSEC_INVAL_FAMILY 13 /*invalid address family*/
|
||||
#define EIPSEC_INVAL_PREFIXLEN 14 /*SPI range violation*/
|
||||
#define EIPSEC_INVAL_SPI 15 /*invalid prefixlen*/
|
||||
#define EIPSEC_NO_PROTO 16 /*no protocol specified*/
|
||||
#define EIPSEC_NO_ALGS 17 /*No algorithm specified*/
|
||||
#define EIPSEC_NO_BUFS 18 /*no buffers available*/
|
||||
#define EIPSEC_DO_GET_SUPP_LIST 19 /*must get supported algorithm first*/
|
||||
#define EIPSEC_PROTO_MISMATCH 20 /*protocol mismatch*/
|
||||
#define EIPSEC_FAMILY_MISMATCH 21 /*family mismatch*/
|
||||
#define EIPSEC_SYSTEM_ERROR 22 /*system error*/
|
||||
#define EIPSEC_MAX 23 /*unknown error*/
|
||||
#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/
|
||||
#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/
|
||||
#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/
|
||||
#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/
|
||||
#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/
|
||||
#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/
|
||||
#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/
|
||||
#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/
|
||||
#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/
|
||||
#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/
|
||||
#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/
|
||||
#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/
|
||||
#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/
|
||||
#define EIPSEC_NO_PROTO 19 /*no protocol specified*/
|
||||
#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/
|
||||
#define EIPSEC_NO_BUFS 21 /*no buffers available*/
|
||||
#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/
|
||||
#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/
|
||||
#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/
|
||||
#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/
|
||||
#define EIPSEC_SYSTEM_ERROR 26 /*system error*/
|
||||
#define EIPSEC_MAX 27 /*unknown error*/
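Review bot: The comments on the renumbered `#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/` and `#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/` are swapped relative to both the macro names and the strings in ipsec_errlist ("Invalid prefix length" for PREFIXLEN, "SPI range violation" for SPI); they should read `#define EIPSEC_INVAL_PREFIXLEN 16 /*invalid prefixlen*/` and `#define EIPSEC_INVAL_SPI 18 /*SPI range violation*/`. The `EIPSEC_INVAL_DIR 17 /*Invalid direciton*/` comment repeats the spelling slip from the message table. Since these values are the public error codes of a shared library whose major version this commit bumps, a short header comment stating that the numbering is part of the ABI and that ipsec_errlist in ipsec_strerror.c must be kept in step would help the next person who adds a code.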
|
||||
|
2159
lib/libipsec/pfkey.c
2159
lib/libipsec/pfkey.c
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: pfkey_dump.c,v 1.3 1999/07/04 01:36:13 itojun Exp $ */
|
||||
/* $NetBSD: pfkey_dump.c,v 1.4 2000/01/31 14:15:32 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
@ -38,6 +38,7 @@
|
||||
#include <netkey/key_debug.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <netinet6/ipsec.h>
|
||||
#ifdef INET6
|
||||
#include <netinet6/in6.h>
|
||||
#endif
|
||||
@ -52,7 +53,7 @@
|
||||
#include "ipsec_strerror.h"
|
||||
|
||||
#define GETMSGSTR(str, num) \
|
||||
{ \
|
||||
do { \
|
||||
if (sizeof((str)[0]) == 0 \
|
||||
|| num >= sizeof(str)/sizeof((str)[0])) \
|
||||
printf("%d ", (num)); \
|
||||
@ -60,14 +61,15 @@
|
||||
printf("%d ", (num)); \
|
||||
else \
|
||||
printf("%s ", (str)[(num)]); \
|
||||
}
|
||||
} while (0)
|
||||
|
||||
#define GETAF(p) \
|
||||
(((struct sockaddr *)(p))->sa_family)
|
||||
|
||||
static char *_str_addr(u_int family, caddr_t addr, u_int pref, u_int port);
|
||||
static char *_str_time(time_t t);
|
||||
static void _str_lifetime_byte(struct sadb_lifetime *x, char *str);
|
||||
static char *_str_ipaddr __P((u_int family, caddr_t addr));
|
||||
static char *_str_prefport __P((u_int family, u_int pref, u_int port));
|
||||
static char *_str_time __P((time_t t));
|
||||
static void _str_lifetime_byte __P((struct sadb_lifetime *x, char *str));
|
||||
|
||||
/*
|
||||
* Must to be re-written about following strings.
|
||||
@ -85,21 +87,27 @@ static char *_str_satype[] = {
|
||||
"ipcomp",
|
||||
};
|
||||
|
||||
static char *_str_upper[] = {
|
||||
"any", "icmp", "", "", "",
|
||||
"", "tcp", "", "", "",
|
||||
"", "", "", "", "",
|
||||
"", "", "udp", "", "",
|
||||
"", "", "", "", "",
|
||||
"", "", "", "", "",
|
||||
static char *_str_mode[] = {
|
||||
"any",
|
||||
"transport",
|
||||
"tunnel",
|
||||
};
|
||||
|
||||
#if 0
|
||||
static char *_str_base[] = {
|
||||
"new",
|
||||
"old",
|
||||
static char *_str_upper[] = {
|
||||
/*0*/ "ip", "icmp", "igmp", "ggp", "ip4",
|
||||
"", "tcp", "", "egp", "",
|
||||
/*10*/ "", "", "", "", "",
|
||||
"", "", "udp", "", "",
|
||||
/*20*/ "", "", "idp", "", "",
|
||||
"", "", "", "", "tp",
|
||||
/*30*/ "", "", "", "", "",
|
||||
"", "", "", "", "",
|
||||
/*40*/ "", "ip6", "", "rt6", "frag6",
|
||||
"", "rsvp", "gre", "", "",
|
||||
/*50*/ "esp", "ah", "", "", "",
|
||||
"", "", "", "icmp6", "none",
|
||||
/*60*/ "dst6",
|
||||
};
|
||||
#endif
|
||||
|
||||
static char *_str_state[] = {
|
||||
"larval",
|
||||
@ -134,16 +142,12 @@ static char *_str_alg_comp[] = {
|
||||
"lzs",
|
||||
};
|
||||
|
||||
static char *_str_dir[] = {
|
||||
"outbound",
|
||||
"inbound",
|
||||
"bi-direction",
|
||||
};
|
||||
|
||||
/*
|
||||
* dump SADB_MSG formated. For debugging, you should use kdebug_sadb().
|
||||
*/
|
||||
void pfkey_sadump(struct sadb_msg *m)
|
||||
void
|
||||
pfkey_sadump(m)
|
||||
struct sadb_msg *m;
|
||||
{
|
||||
caddr_t mhp[SADB_EXT_MAX + 1];
|
||||
struct sadb_sa *m_sa;
|
||||
@ -154,7 +158,11 @@ void pfkey_sadump(struct sadb_msg *m)
|
||||
struct sadb_sens *m_sens;
|
||||
|
||||
/* check pfkey message. */
|
||||
if (pfkey_check(m, mhp)) {
|
||||
if (pfkey_align(m, mhp)) {
|
||||
printf("%s\n", ipsec_strerror());
|
||||
return;
|
||||
}
|
||||
if (pfkey_check(mhp)) {
|
||||
printf("%s\n", ipsec_strerror());
|
||||
return;
|
||||
}
|
||||
@ -169,7 +177,7 @@ void pfkey_sadump(struct sadb_msg *m)
|
||||
m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
|
||||
m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
|
||||
m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
|
||||
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
|
||||
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
|
||||
m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
|
||||
|
||||
/* source address */
|
||||
@ -178,10 +186,7 @@ void pfkey_sadump(struct sadb_msg *m)
|
||||
return;
|
||||
}
|
||||
printf("%s ",
|
||||
_str_addr(GETAF((caddr_t)m_saddr + sizeof(*m_saddr)),
|
||||
_INADDRBYSA((caddr_t)m_saddr + sizeof(*m_saddr)),
|
||||
m_saddr->sadb_address_prefixlen,
|
||||
_INPORTBYSA((caddr_t)m_saddr + sizeof(*m_saddr))));
|
||||
_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)));
|
||||
|
||||
/* destination address */
|
||||
if (m_daddr == NULL) {
|
||||
@ -189,42 +194,25 @@ void pfkey_sadump(struct sadb_msg *m)
|
||||
return;
|
||||
}
|
||||
printf("%s ",
|
||||
_str_addr(GETAF((caddr_t)m_daddr + sizeof(*m_daddr)),
|
||||
_INADDRBYSA((caddr_t)m_daddr + sizeof(*m_daddr)),
|
||||
m_daddr->sadb_address_prefixlen,
|
||||
_INPORTBYSA((caddr_t)m_daddr + sizeof(*m_daddr))));
|
||||
|
||||
/* upper layer protocol */
|
||||
if (m_saddr->sadb_address_proto != m_saddr->sadb_address_proto) {
|
||||
printf("upper layer protocol mismatched.\n");
|
||||
return;
|
||||
}
|
||||
GETMSGSTR(_str_upper, m_saddr->sadb_address_proto);
|
||||
|
||||
/* proxy address */
|
||||
if (m_paddr != NULL) {
|
||||
int prefix = _INALENBYAF(GETAF((caddr_t)m_paddr + sizeof(*m_paddr))) << 3;
|
||||
printf("%s",
|
||||
_str_addr(GETAF((caddr_t)m_paddr + sizeof(*m_paddr)),
|
||||
_INADDRBYSA((caddr_t)m_paddr + sizeof(*m_paddr)),
|
||||
prefix,
|
||||
0));
|
||||
}
|
||||
printf("\n");
|
||||
_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)));
|
||||
|
||||
/* SA type */
|
||||
if (m_sa == NULL) {
|
||||
printf("no SA extension.\n");
|
||||
return;
|
||||
}
|
||||
printf("\t");
|
||||
printf("\n\t");
|
||||
|
||||
GETMSGSTR(_str_satype, m->sadb_msg_satype);
|
||||
|
||||
printf("spi=%u(0x%08x) replay=%u flags=0x%08x\n",
|
||||
printf("mode=");
|
||||
GETMSGSTR(_str_mode, m->sadb_msg_mode);
|
||||
|
||||
printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n",
|
||||
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
|
||||
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
|
||||
m_sa->sadb_sa_replay,
|
||||
m_sa->sadb_sa_flags);
|
||||
(u_int32_t)m->sadb_msg_reqid,
|
||||
(u_int32_t)m->sadb_msg_reqid);
|
||||
|
||||
/* encryption key */
|
||||
if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
|
||||
@ -249,8 +237,13 @@ void pfkey_sadump(struct sadb_msg *m)
|
||||
printf("\n");
|
||||
}
|
||||
|
||||
/* replay windoe size & flags */
|
||||
printf("\treplay=%u flags=0x%08x ",
|
||||
m_sa->sadb_sa_replay,
|
||||
m_sa->sadb_sa_flags);
|
||||
|
||||
/* state */
|
||||
printf("\tstate=");
|
||||
printf("state=");
|
||||
GETMSGSTR(_str_state, m_sa->sadb_sa_state);
|
||||
|
||||
printf("seq=%lu pid=%lu\n",
|
||||
@ -299,24 +292,26 @@ void pfkey_sadump(struct sadb_msg *m)
|
||||
0 : m_lfts->sadb_lifetime_allocations));
|
||||
}
|
||||
|
||||
{ /* XXX TEST */
|
||||
char *x = (char *)&m->sadb_msg_reserved;
|
||||
printf("\tdir=");
|
||||
GETMSGSTR(_str_dir, (int)x[0]);
|
||||
printf("refcnt=%d\n", (int)x[1]);
|
||||
}
|
||||
/* XXX DEBUG */
|
||||
printf("\trefcnt=%u\n", m->sadb_msg_reserved2);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void pfkey_spdump(struct sadb_msg *m)
|
||||
void
|
||||
pfkey_spdump(m)
|
||||
struct sadb_msg *m;
|
||||
{
|
||||
caddr_t mhp[SADB_EXT_MAX + 1];
|
||||
struct sadb_address *m_saddr, *m_daddr;
|
||||
struct sadb_x_policy *m_xpl;
|
||||
|
||||
/* check pfkey message. */
|
||||
if (pfkey_check(m, mhp)) {
|
||||
if (pfkey_align(m, mhp)) {
|
||||
printf("%s\n", ipsec_strerror());
|
||||
return;
|
||||
}
|
||||
if (pfkey_check(mhp)) {
|
||||
printf("%s\n", ipsec_strerror());
|
||||
return;
|
||||
}
|
||||
@ -330,24 +325,31 @@ void pfkey_spdump(struct sadb_msg *m)
|
||||
printf("no ADDRESS_SRC extension.\n");
|
||||
return;
|
||||
}
|
||||
printf("%s ",
|
||||
_str_addr(GETAF((caddr_t)m_saddr + sizeof(*m_saddr)),
|
||||
_INADDRBYSA((caddr_t)m_saddr + sizeof(*m_saddr)),
|
||||
printf("%s%s ",
|
||||
_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)),
|
||||
_str_prefport(GETAF(m_saddr + 1),
|
||||
m_saddr->sadb_address_prefixlen,
|
||||
_INPORTBYSA((caddr_t)m_saddr + sizeof(*m_saddr))));
|
||||
_INPORTBYSA(m_saddr + 1)));
|
||||
|
||||
/* destination address */
|
||||
if (m_daddr == NULL) {
|
||||
printf("no ADDRESS_DST extension.\n");
|
||||
return;
|
||||
}
|
||||
printf("%s ",
|
||||
_str_addr(GETAF((caddr_t)m_daddr + sizeof(*m_daddr)),
|
||||
_INADDRBYSA((caddr_t)m_daddr + sizeof(*m_daddr)),
|
||||
printf("%s%s ",
|
||||
_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)),
|
||||
_str_prefport(GETAF(m_daddr + 1),
|
||||
m_daddr->sadb_address_prefixlen,
|
||||
_INPORTBYSA((caddr_t)m_daddr + sizeof(*m_daddr))));
|
||||
_INPORTBYSA(m_daddr + 1)));
|
||||
|
||||
/* upper layer protocol */
|
||||
if (m_saddr->sadb_address_proto != m_daddr->sadb_address_proto) {
|
||||
printf("upper layer protocol mismatched.\n");
|
||||
return;
|
||||
}
|
||||
if (m_saddr->sadb_address_proto == IPSEC_ULPROTO_ANY)
|
||||
printf("any");
|
||||
else
|
||||
GETMSGSTR(_str_upper, m_saddr->sadb_address_proto);
|
||||
|
||||
/* policy */
|
||||
@ -369,37 +371,65 @@ void pfkey_spdump(struct sadb_msg *m)
|
||||
(u_long)m->sadb_msg_seq,
|
||||
(u_long)m->sadb_msg_pid);
|
||||
|
||||
{ /* TEST */
|
||||
char *x = (char *)&m->sadb_msg_reserved;
|
||||
printf("\tdir=");
|
||||
GETMSGSTR(_str_dir, (int)x[0]);
|
||||
printf("refcnt=%d\n", (int)x[1]);
|
||||
}
|
||||
/* XXX TEST */
|
||||
printf("\trefcnt=%u\n", m->sadb_msg_reserved2);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* set "ip address/prefix[port number]" to buffer.
|
||||
* set "ipaddress" to buffer.
|
||||
*/
|
||||
static char *_str_addr(u_int family, caddr_t addr, u_int pref, u_int port)
|
||||
static char *
|
||||
_str_ipaddr(family, addr)
|
||||
u_int family;
|
||||
caddr_t addr;
|
||||
{
|
||||
static char buf[128];
|
||||
char pbuf[128];
|
||||
char addrbuf[128];
|
||||
|
||||
if (addr == NULL)
|
||||
return "";
|
||||
|
||||
inet_ntop(family, addr, pbuf, sizeof(pbuf));
|
||||
inet_ntop(family, addr, addrbuf, sizeof(addrbuf));
|
||||
|
||||
snprintf(buf, sizeof(buf), "%s", addrbuf);
|
||||
|
||||
return buf;
|
||||
}
|
||||
|
||||
/*
|
||||
* set "/prefix[port number]" to buffer.
|
||||
*/
|
||||
static char *
|
||||
_str_prefport(family, pref, port)
|
||||
u_int family, pref, port;
|
||||
{
|
||||
static char buf[128];
|
||||
char prefbuf[10];
|
||||
char portbuf[10];
|
||||
|
||||
if (pref == (_INALENBYAF(family) << 3))
|
||||
prefbuf[0] = '\0';
|
||||
else
|
||||
snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
|
||||
|
||||
if (port == IPSEC_PORT_ANY)
|
||||
snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
|
||||
else
|
||||
snprintf(portbuf, sizeof(portbuf), "[%u]", ntohs(port));
|
||||
|
||||
snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
|
||||
|
||||
snprintf(buf, sizeof(buf), "%s/%u[%u]", pbuf, pref, ntohs(port));
|
||||
return buf;
|
||||
}
|
||||
|
||||
/*
|
||||
* set "Mon Day Time Year" to buffer
|
||||
*/
|
||||
static char *_str_time(time_t t)
|
||||
static char *
|
||||
_str_time(t)
|
||||
time_t t;
|
||||
{
|
||||
static char buf[128];
|
||||
|
||||
@ -417,7 +447,10 @@ static char *_str_time(time_t t)
|
||||
return(buf);
|
||||
}
|
||||
|
||||
static void _str_lifetime_byte(struct sadb_lifetime *x, char *str)
|
||||
static void
|
||||
_str_lifetime_byte(x, str)
|
||||
struct sadb_lifetime *x;
|
||||
char *str;
|
||||
{
|
||||
double y;
|
||||
char *unit;
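Review bot: In the new `_str_ipaddr` the return value of `inet_ntop(family, addr, addrbuf, sizeof(addrbuf));` is ignored, so when the call fails (for example an address family that inet_ntop does not handle) `addrbuf` stays uninitialized and the following snprintf copies indeterminate bytes into the returned buffer. Writing straight into the static buffer and checking the result, `if (inet_ntop(family, addr, buf, sizeof(buf)) == NULL) return "?";` followed by `return buf;`, removes both the unchecked call and the redundant intermediate copy. The `family` argument is taken with `GETAF()` from the sadb message handed to pfkey_sadump/pfkey_spdump, so it should be treated as untrusted input here. Separately, the new comment `/* replay windoe size & flags */` in pfkey_sadump should read `/* replay window size & flags */`.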
|
||||
|
@ -1,5 +1,5 @@
|
||||
# $NetBSD: shlib_version,v 1.1 1999/07/01 20:15:29 itojun Exp $
|
||||
# $NetBSD: shlib_version,v 1.2 2000/01/31 14:15:32 itojun Exp $
|
||||
# Remember to update distrib/sets/lists/base/shl.* when changing
|
||||
#
|
||||
major=0
|
||||
major=1
|
||||
minor=0
|
||||
|