authorpjd <pjd@FreeBSD.org>2005-10-12 21:40:41 +0000
committerpjd <pjd@FreeBSD.org>2005-10-12 21:40:41 +0000
commit053665bac90d14585a498ab6f860e11fbdeeeb36 (patch)
tree1600cb34f9373cf9f3b7a23f20390e0cacf1a3dc
parent3e107f99141a41b88c5c2b73ebd82591076ea73a (diff)
setkey(8) was repo-copied from usr.sbin/ to sbin/.
This will allow an NFS mount of /usr over IPsec. Discussed on: arch@
-rwxr-xr-xetc/rc.d/ipsec2
-rw-r--r--sbin/Makefile1
-rw-r--r--usr.sbin/Makefile1
-rw-r--r--usr.sbin/setkey/Makefile62
-rw-r--r--usr.sbin/setkey/parse.y1267
-rw-r--r--usr.sbin/setkey/sample.cf219
-rw-r--r--usr.sbin/setkey/scriptdump.pl56
-rw-r--r--usr.sbin/setkey/setkey.8693
-rw-r--r--usr.sbin/setkey/setkey.c632
-rw-r--r--usr.sbin/setkey/test-pfkey.c531
-rw-r--r--usr.sbin/setkey/test-policy.c161
-rw-r--r--usr.sbin/setkey/token.l286
-rw-r--r--usr.sbin/setkey/vchar.h36
13 files changed, 2 insertions, 3945 deletions
diff --git a/etc/rc.d/ipsec b/etc/rc.d/ipsec
index 788ff3a..9eb0f8f 100755
--- a/etc/rc.d/ipsec
+++ b/etc/rc.d/ipsec
@@ -21,7 +21,7 @@ stop_precmd="test -f /etc/ipsec.conf"
stop_cmd="ipsec_stop"
reload_cmd="ipsec_reload"
extra_commands="reload"
-ipsec_program="/usr/sbin/setkey"
+ipsec_program="/sbin/setkey"
# ipsec_file is set by rc.conf
ipsec_prestart()
diff --git a/sbin/Makefile b/sbin/Makefile
index 89ce11d..bf43850 100644
--- a/sbin/Makefile
+++ b/sbin/Makefile
@@ -81,6 +81,7 @@ SUBDIR= adjkerntz \
rtsol \
savecore \
${_sconfig} \
+ setkey \
shutdown \
slattach \
spppcontrol \
diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile
index a59ea00..1c732c2 100644
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -148,7 +148,6 @@ SUBDIR= ac \
sa \
${_sendmail} \
setfmac \
- setkey \
setpmac \
${_sicontrol} \
sliplogin \
diff --git a/usr.sbin/setkey/Makefile b/usr.sbin/setkey/Makefile
deleted file mode 100644
index 91977e0..0000000
--- a/usr.sbin/setkey/Makefile
+++ /dev/null
@@ -1,62 +0,0 @@
-# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# 3. Neither the name of the project nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-
-PROG= setkey
-MAN= setkey.8
-SRCS= setkey.c parse.y token.l
-
-CFLAGS+= -I${.CURDIR} -I${.CURDIR}/../../lib/libipsec
-YFLAGS= -d
-
-DPADD= ${LIBL} ${LIBY}
-LDADD= -ll -ly
-
-CLEANFILES= y.tab.c y.tab.h key_test.o keytest
-
-# libpfkey
-# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
-.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
-SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
-CFLAGS+= -I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netkey
-
-SRCS+= y.tab.h
-y.tab.h: parse.y
-CFLAGS+= -DIPSEC_DEBUG -DINET6 -DYY_NO_UNPUT -I.
-DPADD+= ${LIBIPSEC}
-LDADD+= -lipsec
-CLEANFILES+= scriptdump y.tab.h
-
-#SCRIPTS= scriptdump
-
-LOCALPREFIX= /usr
-
-scriptdump: scriptdump.pl
- sed -e 's#@LOCALPREFIX@#${LOCALPREFIX}#' < $> > scriptdump
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/setkey/parse.y b/usr.sbin/setkey/parse.y
deleted file mode 100644
index d6bb8c4..0000000
--- a/usr.sbin/setkey/parse.y
+++ /dev/null
@@ -1,1267 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: parse.y,v 1.82 2004/04/15 08:03:57 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-%{
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <net/route.h>
-#include <netinet/in.h>
-#include <net/pfkeyv2.h>
-#include <netkey/key_var.h>
-#include <netinet6/ipsec.h>
-#include <arpa/inet.h>
-
-#include <string.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <errno.h>
-
-#include "libpfkey.h"
-#include "vchar.h"
-
-#define ATOX(c) \
- (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10)))
-
-u_int32_t p_spi;
-u_int p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
-u_int32_t p_reqid;
-u_int p_key_enc_len, p_key_auth_len;
-caddr_t p_key_enc, p_key_auth;
-time_t p_lt_hard, p_lt_soft;
-
-static int p_aiflags = 0, p_aifamily = PF_UNSPEC;
-
-static struct addrinfo *parse_addr __P((char *, char *));
-static int fix_portstr __P((vchar_t *, vchar_t *, vchar_t *));
-static int setvarbuf __P((char *, int *, struct sadb_ext *, int, caddr_t, int));
-void parse_init __P((void));
-void free_buffer __P((void));
-
-int setkeymsg0 __P((struct sadb_msg *, unsigned int, unsigned int, size_t));
-static int setkeymsg_spdaddr __P((unsigned int, unsigned int, vchar_t *,
- struct addrinfo *, int, struct addrinfo *, int));
-static int setkeymsg_addr __P((unsigned int, unsigned int,
- struct addrinfo *, struct addrinfo *, int));
-static int setkeymsg_add __P((unsigned int, unsigned int,
- struct addrinfo *, struct addrinfo *));
-extern int setkeymsg __P((char *, size_t *));
-extern int sendkeymsg __P((char *, size_t));
-
-extern int yylex __P((void));
-extern void yyfatal __P((const char *));
-extern void yyerror __P((const char *));
-%}
-
-%union {
- int num;
- unsigned long ulnum;
- vchar_t val;
- struct addrinfo *res;
-}
-
-%token EOT SLASH BLCL ELCL
-%token ADD GET DELETE DELETEALL FLUSH DUMP
-%token PR_ESP PR_AH PR_IPCOMP PR_TCP
-%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
-%token F_MODE MODE F_REQID
-%token F_EXT EXTENSION NOCYCLICSEQ
-%token ALG_AUTH ALG_AUTH_NOKEY
-%token ALG_ENC ALG_ENC_NOKEY ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD
-%token ALG_COMP
-%token F_LIFETIME_HARD F_LIFETIME_SOFT
-%token DECSTRING QUOTEDSTRING HEXSTRING STRING ANY
- /* SPD management */
-%token SPDADD SPDDELETE SPDDUMP SPDFLUSH
-%token F_POLICY PL_REQUESTS
-%token F_AIFLAGS
-%token TAGGED
-
-%type <num> prefix protocol_spec upper_spec
-%type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
-%type <num> ALG_AUTH ALG_AUTH_NOKEY
-%type <num> ALG_COMP
-%type <num> PR_ESP PR_AH PR_IPCOMP PR_TCP
-%type <num> EXTENSION MODE
-%type <ulnum> DECSTRING
-%type <val> PL_REQUESTS portstr key_string
-%type <val> policy_requests
-%type <val> QUOTEDSTRING HEXSTRING STRING
-%type <val> F_AIFLAGS
-%type <val> upper_misc_spec policy_spec
-%type <res> ipaddr
-
-%%
-commands
- : /*NOTHING*/
- | commands command
- {
- free_buffer();
- parse_init();
- }
- ;
-
-command
- : add_command
- | get_command
- | delete_command
- | deleteall_command
- | flush_command
- | dump_command
- | spdadd_command
- | spddelete_command
- | spddump_command
- | spdflush_command
- ;
- /* commands concerned with management, there is in tail of this file. */
-
- /* add command */
-add_command
- : ADD ipaddropts ipaddr ipaddr protocol_spec spi extension_spec algorithm_spec EOT
- {
- int status;
-
- status = setkeymsg_add(SADB_ADD, $5, $3, $4);
- if (status < 0)
- return -1;
- }
- ;
-
- /* delete */
-delete_command
- : DELETE ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
- {
- int status;
-
- if ($3->ai_next || $4->ai_next) {
- yyerror("multiple address specified");
- return -1;
- }
- if (p_mode != IPSEC_MODE_ANY)
- yyerror("WARNING: mode is obsolete");
-
- status = setkeymsg_addr(SADB_DELETE, $5, $3, $4, 0);
- if (status < 0)
- return -1;
- }
- ;
-
- /* deleteall command */
-deleteall_command
- : DELETEALL ipaddropts ipaddr ipaddr protocol_spec EOT
- {
- int status;
-
- status = setkeymsg_addr(SADB_DELETE, $5, $3, $4, 1);
- if (status < 0)
- return -1;
- }
- ;
-
- /* get command */
-get_command
- : GET ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
- {
- int status;
-
- if (p_mode != IPSEC_MODE_ANY)
- yyerror("WARNING: mode is obsolete");
-
- status = setkeymsg_addr(SADB_GET, $5, $3, $4, 0);
- if (status < 0)
- return -1;
- }
- ;
-
- /* flush */
-flush_command
- : FLUSH protocol_spec EOT
- {
- struct sadb_msg msg;
- setkeymsg0(&msg, SADB_FLUSH, $2, sizeof(msg));
- sendkeymsg((char *)&msg, sizeof(msg));
- }
- ;
-
- /* dump */
-dump_command
- : DUMP protocol_spec EOT
- {
- struct sadb_msg msg;
- setkeymsg0(&msg, SADB_DUMP, $2, sizeof(msg));
- sendkeymsg((char *)&msg, sizeof(msg));
- }
- ;
-
-protocol_spec
- : /*NOTHING*/
- {
- $$ = SADB_SATYPE_UNSPEC;
- }
- | PR_ESP
- {
- $$ = SADB_SATYPE_ESP;
- if ($1 == 1)
- p_ext |= SADB_X_EXT_OLD;
- else
- p_ext &= ~SADB_X_EXT_OLD;
- }
- | PR_AH
- {
- $$ = SADB_SATYPE_AH;
- if ($1 == 1)
- p_ext |= SADB_X_EXT_OLD;
- else
- p_ext &= ~SADB_X_EXT_OLD;
- }
- | PR_IPCOMP
- {
- $$ = SADB_X_SATYPE_IPCOMP;
- }
- | PR_TCP
- {
- $$ = SADB_X_SATYPE_TCPSIGNATURE;
- }
- ;
-
-spi
- : DECSTRING { p_spi = $1; }
- | HEXSTRING
- {
- char *ep;
- unsigned long v;
-
- ep = NULL;
- v = strtoul($1.buf, &ep, 16);
- if (!ep || *ep) {
- yyerror("invalid SPI");
- return -1;
- }
- if (v & ~0xffffffff) {
- yyerror("SPI too big.");
- return -1;
- }
-
- p_spi = v;
- }
- ;
-
-algorithm_spec
- : esp_spec
- | ah_spec
- | ipcomp_spec
- ;
-
-esp_spec
- : F_ENC enc_alg F_AUTH auth_alg
- | F_ENC enc_alg
- ;
-
-ah_spec
- : F_AUTH auth_alg
- ;
-
-ipcomp_spec
- : F_COMP ALG_COMP
- {
- if ($2 < 0) {
- yyerror("unsupported algorithm");
- return -1;
- }
- p_alg_enc = $2;
- }
- | F_COMP ALG_COMP F_RAWCPI
- {
- if ($2 < 0) {
- yyerror("unsupported algorithm");
- return -1;
- }
- p_alg_enc = $2;
- p_ext |= SADB_X_EXT_RAWCPI;
- }
- ;
-
-enc_alg
- : ALG_ENC_NOKEY {
- if ($1 < 0) {
- yyerror("unsupported algorithm");
- return -1;
- }
- p_alg_enc = $1;
-
- p_key_enc_len = 0;
- p_key_enc = NULL;
- if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
- p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
- yyerror(ipsec_strerror());
- return -1;
- }
- }
- | ALG_ENC key_string {
- if ($1 < 0) {
- yyerror("unsupported algorithm");
- return -1;
- }
- p_alg_enc = $1;
-
- p_key_enc_len = $2.len;
- p_key_enc = $2.buf;
- if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
- p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
- yyerror(ipsec_strerror());
- return -1;
- }
- }
- | ALG_ENC_OLD {
- if ($1 < 0) {
- yyerror("unsupported algorithm");
- return -1;
- }
- yyerror("WARNING: obsolete algorithm");
- p_alg_enc = $1;
-
- p_key_enc_len = 0;
- p_key_enc = NULL;
- if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
- p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
- yyerror(ipsec_strerror());
- return -1;
- }
- }
- | ALG_ENC_DESDERIV key_string
- {
- if ($1 < 0) {
- yyerror("unsupported algorithm");
- return -1;
- }
- p_alg_enc = $1;
- if (p_ext & SADB_X_EXT_OLD) {
- yyerror("algorithm mismatched");
- return -1;
- }
- p_ext |= SADB_X_EXT_DERIV;
-
- p_key_enc_len = $2.len;
- p_key_enc = $2.buf;
- if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
- p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
- yyerror(ipsec_strerror());
- return -1;
- }
- }
- | ALG_ENC_DES32IV key_string
- {
- if ($1 < 0) {
- yyerror("unsupported algorithm");
- return -1;
- }
- p_alg_enc = $1;
- if (!(p_ext & SADB_X_EXT_OLD)) {
- yyerror("algorithm mismatched");
- return -1;
- }
- p_ext |= SADB_X_EXT_IV4B;
-
- p_key_enc_len = $2.len;
- p_key_enc = $2.buf;
- if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
- p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
- yyerror(ipsec_strerror());
- return -1;
- }
- }
- ;
-
-auth_alg
- : ALG_AUTH key_string {
- if ($1 < 0) {
- yyerror("unsupported algorithm");
- return -1;
- }
- p_alg_auth = $1;
-
- p_key_auth_len = $2.len;
- p_key_auth = $2.buf;
-
- if (p_alg_auth == SADB_X_AALG_TCP_MD5) {
- if ((p_key_auth_len < 1) || (p_key_auth_len >
- 80))
- return -1;
- } else if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
- p_alg_auth, PFKEY_UNUNIT64(p_key_auth_len)) < 0) {
- yyerror(ipsec_strerror());
- return -1;
- }
- }
- | ALG_AUTH_NOKEY {
- if ($1 < 0) {
- yyerror("unsupported algorithm");
- return -1;
- }
- p_alg_auth = $1;
-
- p_key_auth_len = 0;
- p_key_auth = NULL;
- }
- ;
-
-key_string
- : QUOTEDSTRING
- {
- $$ = $1;
- }
- | HEXSTRING
- {
- caddr_t pp_key;
- caddr_t bp;
- caddr_t yp = $1.buf;
- int l;
-
- l = strlen(yp) % 2 + strlen(yp) / 2;
- if ((pp_key = malloc(l)) == 0) {
- yyerror("not enough core");
- return -1;
- }
- memset(pp_key, 0, l);
-
- bp = pp_key;
- if (strlen(yp) % 2) {
- *bp = ATOX(yp[0]);
- yp++, bp++;
- }
- while (*yp) {
- *bp = (ATOX(yp[0]) << 4) | ATOX(yp[1]);
- yp += 2, bp++;
- }
-
- $$.len = l;
- $$.buf = pp_key;
- }
- ;
-
-extension_spec
- : /*NOTHING*/
- | extension_spec extension
- ;
-
-extension
- : F_EXT EXTENSION { p_ext |= $2; }
- | F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; }
- | F_MODE MODE { p_mode = $2; }
- | F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
- | F_REQID DECSTRING { p_reqid = $2; }
- | F_REPLAY DECSTRING
- {
- if ((p_ext & SADB_X_EXT_OLD) != 0) {
- yyerror("replay prevention cannot be used with "
- "ah/esp-old");
- return -1;
- }
- p_replay = $2;
- }
- | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
- | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
- ;
-
- /* definition about command for SPD management */
- /* spdadd */
-spdadd_command
- : SPDADD ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec policy_spec EOT
- {
- int status;
- struct addrinfo *src, *dst;
-
- /* fixed port fields if ulp is icmpv6 */
- if ($10.buf != NULL) {
- if ($9 != IPPROTO_ICMPV6)
- return -1;
- free($5.buf);
- free($8.buf);
- if (fix_portstr(&$10, &$5, &$8))
- return -1;
- }
-
- src = parse_addr($3.buf, $5.buf);
- dst = parse_addr($6.buf, $8.buf);
- if (!src || !dst) {
- /* yyerror is already called */
- return -1;
- }
- if (src->ai_next || dst->ai_next) {
- yyerror("multiple address specified");
- freeaddrinfo(src);
- freeaddrinfo(dst);
- return -1;
- }
-
- status = setkeymsg_spdaddr(SADB_X_SPDADD, $9, &$11,
- src, $4, dst, $7);
- freeaddrinfo(src);
- freeaddrinfo(dst);
- if (status < 0)
- return -1;
- }
- | SPDADD TAGGED QUOTEDSTRING policy_spec EOT
- {
- return -1;
- }
- ;
-
-spddelete_command
- : SPDDELETE ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec policy_spec EOT
- {
- int status;
- struct addrinfo *src, *dst;
-
- /* fixed port fields if ulp is icmpv6 */
- if ($10.buf != NULL) {
- if ($9 != IPPROTO_ICMPV6)
- return -1;
- free($5.buf);
- free($8.buf);
- if (fix_portstr(&$10, &$5, &$8))
- return -1;
- }
-
- src = parse_addr($3.buf, $5.buf);
- dst = parse_addr($6.buf, $8.buf);
- if (!src || !dst) {
- /* yyerror is already called */
- return -1;
- }
- if (src->ai_next || dst->ai_next) {
- yyerror("multiple address specified");
- freeaddrinfo(src);
- freeaddrinfo(dst);
- return -1;
- }
-
- status = setkeymsg_spdaddr(SADB_X_SPDDELETE, $9, &$11,
- src, $4, dst, $7);
- freeaddrinfo(src);
- freeaddrinfo(dst);
- if (status < 0)
- return -1;
- }
- ;
-
-spddump_command:
- SPDDUMP EOT
- {
- struct sadb_msg msg;
- setkeymsg0(&msg, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC,
- sizeof(msg));
- sendkeymsg((char *)&msg, sizeof(msg));
- }
- ;
-
-spdflush_command:
- SPDFLUSH EOT
- {
- struct sadb_msg msg;
- setkeymsg0(&msg, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC,
- sizeof(msg));
- sendkeymsg((char *)&msg, sizeof(msg));
- }
- ;
-
-ipaddropts
- : /* nothing */
- | ipaddropts ipaddropt
- ;
-
-ipaddropt
- : F_AIFLAGS
- {
- char *p;
-
- for (p = $1.buf + 1; *p; p++)
- switch (*p) {
- case '4':
- p_aifamily = AF_INET;
- break;
-#ifdef INET6
- case '6':
- p_aifamily = AF_INET6;
- break;
-#endif
- case 'n':
- p_aiflags = AI_NUMERICHOST;
- break;
- default:
- yyerror("invalid flag");
- return -1;
- }
- }
- ;
-
-ipaddr
- : STRING
- {
- $$ = parse_addr($1.buf, NULL);
- if ($$ == NULL) {
- /* yyerror already called by parse_addr */
- return -1;
- }
- }
- ;
-
-prefix
- : /*NOTHING*/ { $$ = -1; }
- | SLASH DECSTRING { $$ = $2; }
- ;
-
-portstr
- : /*NOTHING*/
- {
- $$.buf = strdup("0");
- if (!$$.buf) {
- yyerror("insufficient memory");
- return -1;
- }
- $$.len = strlen($$.buf);
- }
- | BLCL ANY ELCL
- {
- $$.buf = strdup("0");
- if (!$$.buf) {
- yyerror("insufficient memory");
- return -1;
- }
- $$.len = strlen($$.buf);
- }
- | BLCL DECSTRING ELCL
- {
- char buf[20];
- snprintf(buf, sizeof(buf), "%lu", $2);
- $$.buf = strdup(buf);
- if (!$$.buf) {
- yyerror("insufficient memory");
- return -1;
- }
- $$.len = strlen($$.buf);
- }
- | BLCL STRING ELCL
- {
- $$ = $2;
- }
- ;
-
-upper_spec
- : DECSTRING { $$ = $1; }
- | ANY { $$ = IPSEC_ULPROTO_ANY; }
- | PR_TCP { $$ = IPPROTO_TCP; }
- | STRING
- {
- struct protoent *ent;
-
- ent = getprotobyname($1.buf);
- if (ent)
- $$ = ent->p_proto;
- else {
- if (strcmp("icmp6", $1.buf) == 0) {
- $$ = IPPROTO_ICMPV6;
- } else if(strcmp("ip4", $1.buf) == 0) {
- $$ = IPPROTO_IPV4;
- } else {
- yyerror("invalid upper layer protocol");
- return -1;
- }
- }
- endprotoent();
- }
- ;
-
-upper_misc_spec
- : /*NOTHING*/
- {
- $$.buf = NULL;
- $$.len = 0;
- }
- | STRING
- {
- $$.buf = strdup($1.buf);
- if (!$$.buf) {
- yyerror("insufficient memory");
- return -1;
- }
- $$.len = strlen($$.buf);
- }
- ;
-
-policy_spec
- : F_POLICY policy_requests
- {
- char *policy;
-
- policy = ipsec_set_policy($2.buf, $2.len);
- if (policy == NULL) {
- yyerror(ipsec_strerror());
- return -1;
- }
-
- $$.buf = policy;
- $$.len = ipsec_get_policylen(policy);
- }
- ;
-
-policy_requests
- : PL_REQUESTS { $$ = $1; }
- ;
-
-%%
-
-int
-setkeymsg0(msg, type, satype, l)
- struct sadb_msg *msg;
- unsigned int type;
- unsigned int satype;
- size_t l;
-{
-
- msg->sadb_msg_version = PF_KEY_V2;
- msg->sadb_msg_type = type;
- msg->sadb_msg_errno = 0;
- msg->sadb_msg_satype = satype;
- msg->sadb_msg_reserved = 0;
- msg->sadb_msg_seq = 0;
- msg->sadb_msg_pid = getpid();
- msg->sadb_msg_len = PFKEY_UNIT64(l);
- return 0;
-}
-
-/* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
-static int
-setkeymsg_spdaddr(type, upper, policy, srcs, splen, dsts, dplen)
- unsigned int type;
- unsigned int upper;
- vchar_t *policy;
- struct addrinfo *srcs;
- int splen;
- struct addrinfo *dsts;
- int dplen;
-{
- struct sadb_msg *msg;
- char buf[BUFSIZ];
- int l, l0;
- struct sadb_address m_addr;
- struct addrinfo *s, *d;
- int n;
- int plen;
- struct sockaddr *sa;
- int salen;
-
- msg = (struct sadb_msg *)buf;
-
- if (!srcs || !dsts)
- return -1;
-
- /* fix up length afterwards */
- setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0);
- l = sizeof(struct sadb_msg);
-
- memcpy(buf + l, policy->buf, policy->len);
- l += policy->len;
-
- l0 = l;
- n = 0;
-
- /* do it for all src/dst pairs */
- for (s = srcs; s; s = s->ai_next) {
- for (d = dsts; d; d = d->ai_next) {
- /* rewind pointer */
- l = l0;
-
- if (s->ai_addr->sa_family != d->ai_addr->sa_family)
- continue;
- switch (s->ai_addr->sa_family) {
- case AF_INET:
- plen = sizeof(struct in_addr) << 3;
- break;
-#ifdef INET6
- case AF_INET6:
- plen = sizeof(struct in6_addr) << 3;
- break;
-#endif
- default:
- continue;
- }
-
- /* set src */
- sa = s->ai_addr;
- salen = s->ai_addr->sa_len;
- m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
- PFKEY_ALIGN8(salen));
- m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
- m_addr.sadb_address_proto = upper;
- m_addr.sadb_address_prefixlen =
- (splen >= 0 ? splen : plen);
- m_addr.sadb_address_reserved = 0;
-
- setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
- sizeof(m_addr), (caddr_t)sa, salen);
-
- /* set dst */
- sa = d->ai_addr;
- salen = d->ai_addr->sa_len;
- m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
- PFKEY_ALIGN8(salen));
- m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
- m_addr.sadb_address_proto = upper;
- m_addr.sadb_address_prefixlen =
- (dplen >= 0 ? dplen : plen);
- m_addr.sadb_address_reserved = 0;
-
- setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
- sizeof(m_addr), (caddr_t)sa, salen);
-
- msg->sadb_msg_len = PFKEY_UNIT64(l);
-
- sendkeymsg(buf, l);
-
- n++;
- }
- }
-
- if (n == 0)
- return -1;
- else
- return 0;
-}
-
-/* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
-static int
-setkeymsg_addr(type, satype, srcs, dsts, no_spi)
- unsigned int type;
- unsigned int satype;
- struct addrinfo *srcs;
- struct addrinfo *dsts;
- int no_spi;
-{
- struct sadb_msg *msg;
- char buf[BUFSIZ];
- int l, l0, len;
- struct sadb_sa m_sa;
- struct sadb_x_sa2 m_sa2;
- struct sadb_address m_addr;
- struct addrinfo *s, *d;
- int n;
- int plen;
- struct sockaddr *sa;
- int salen;
-
- msg = (struct sadb_msg *)buf;
-
- if (!srcs || !dsts)
- return -1;
-
- /* fix up length afterwards */
- setkeymsg0(msg, type, satype, 0);
- l = sizeof(struct sadb_msg);
-
- if (!no_spi) {
- len = sizeof(struct sadb_sa);
- m_sa.sadb_sa_len = PFKEY_UNIT64(len);
- m_sa.sadb_sa_exttype = SADB_EXT_SA;
- m_sa.sadb_sa_spi = htonl(p_spi);
- m_sa.sadb_sa_replay = p_replay;
- m_sa.sadb_sa_state = 0;
- m_sa.sadb_sa_auth = p_alg_auth;
- m_sa.sadb_sa_encrypt = p_alg_enc;
- m_sa.sadb_sa_flags = p_ext;
-
- memcpy(buf + l, &m_sa, len);
- l += len;
-
- len = sizeof(struct sadb_x_sa2);
- m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
- m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
- m_sa2.sadb_x_sa2_mode = p_mode;
- m_sa2.sadb_x_sa2_reqid = p_reqid;
-
- memcpy(buf + l, &m_sa2, len);
- l += len;
- }
-
- l0 = l;
- n = 0;
-
- /* do it for all src/dst pairs */
- for (s = srcs; s; s = s->ai_next) {
- for (d = dsts; d; d = d->ai_next) {
- /* rewind pointer */
- l = l0;
-
- if (s->ai_addr->sa_family != d->ai_addr->sa_family)
- continue;
- switch (s->ai_addr->sa_family) {
- case AF_INET:
- plen = sizeof(struct in_addr) << 3;
- break;
-#ifdef INET6
- case AF_INET6:
- plen = sizeof(struct in6_addr) << 3;
- break;
-#endif
- default:
- continue;
- }
-
- /* set src */
- sa = s->ai_addr;
- salen = s->ai_addr->sa_len;
- m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
- PFKEY_ALIGN8(salen));
- m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
- m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
- m_addr.sadb_address_prefixlen = plen;
- m_addr.sadb_address_reserved = 0;
-
- setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
- sizeof(m_addr), (caddr_t)sa, salen);
-
- /* set dst */
- sa = d->ai_addr;
- salen = d->ai_addr->sa_len;
- m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
- PFKEY_ALIGN8(salen));
- m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
- m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
- m_addr.sadb_address_prefixlen = plen;
- m_addr.sadb_address_reserved = 0;
-
- setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
- sizeof(m_addr), (caddr_t)sa, salen);
-
- msg->sadb_msg_len = PFKEY_UNIT64(l);
-
- sendkeymsg(buf, l);
-
- n++;
- }
- }
-
- if (n == 0)
- return -1;
- else
- return 0;
-}
-
-/* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
-static int
-setkeymsg_add(type, satype, srcs, dsts)
- unsigned int type;
- unsigned int satype;
- struct addrinfo *srcs;
- struct addrinfo *dsts;
-{
- struct sadb_msg *msg;
- char buf[BUFSIZ];
- int l, l0, len;
- struct sadb_sa m_sa;
- struct sadb_x_sa2 m_sa2;
- struct sadb_address m_addr;
- struct addrinfo *s, *d;
- int n;
- int plen;
- struct sockaddr *sa;
- int salen;
-
- msg = (struct sadb_msg *)buf;
-
- if (!srcs || !dsts)
- return -1;
-
- /* fix up length afterwards */
- setkeymsg0(msg, type, satype, 0);
- l = sizeof(struct sadb_msg);
-
- /* set encryption algorithm, if present. */
- if (satype != SADB_X_SATYPE_IPCOMP && p_key_enc) {
- struct sadb_key m_key;
-
- m_key.sadb_key_len =
- PFKEY_UNIT64(sizeof(m_key)
- + PFKEY_ALIGN8(p_key_enc_len));
- m_key.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
- m_key.sadb_key_bits = p_key_enc_len * 8;
- m_key.sadb_key_reserved = 0;
-
- setvarbuf(buf, &l,
- (struct sadb_ext *)&m_key, sizeof(m_key),
- (caddr_t)p_key_enc, p_key_enc_len);
- }
-
- /* set authentication algorithm, if present. */
- if (p_key_auth) {
- struct sadb_key m_key;
-
- m_key.sadb_key_len =
- PFKEY_UNIT64(sizeof(m_key)
- + PFKEY_ALIGN8(p_key_auth_len));
- m_key.sadb_key_exttype = SADB_EXT_KEY_AUTH;
- m_key.sadb_key_bits = p_key_auth_len * 8;
- m_key.sadb_key_reserved = 0;
-
- setvarbuf(buf, &l,
- (struct sadb_ext *)&m_key, sizeof(m_key),
- (caddr_t)p_key_auth, p_key_auth_len);
- }
-
- /* set lifetime for HARD */
- if (p_lt_hard != 0) {
- struct sadb_lifetime m_lt;
- u_int slen = sizeof(struct sadb_lifetime);
-
- m_lt.sadb_lifetime_len = PFKEY_UNIT64(slen);
- m_lt.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
- m_lt.sadb_lifetime_allocations = 0;
- m_lt.sadb_lifetime_bytes = 0;
- m_lt.sadb_lifetime_addtime = p_lt_hard;
- m_lt.sadb_lifetime_usetime = 0;
-
- memcpy(buf + l, &m_lt, slen);
- l += len;
- }
-
- /* set lifetime for SOFT */
- if (p_lt_soft != 0) {
- struct sadb_lifetime m_lt;
- u_int slen = sizeof(struct sadb_lifetime);
-
- m_lt.sadb_lifetime_len = PFKEY_UNIT64(slen);
- m_lt.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
- m_lt.sadb_lifetime_allocations = 0;
- m_lt.sadb_lifetime_bytes = 0;
- m_lt.sadb_lifetime_addtime = p_lt_soft;
- m_lt.sadb_lifetime_usetime = 0;
-
- memcpy(buf + l, &m_lt, slen);
- l += len;
- }
-
- len = sizeof(struct sadb_sa);
- m_sa.sadb_sa_len = PFKEY_UNIT64(len);
- m_sa.sadb_sa_exttype = SADB_EXT_SA;
- m_sa.sadb_sa_spi = htonl(p_spi);
- m_sa.sadb_sa_replay = p_replay;
- m_sa.sadb_sa_state = 0;
- m_sa.sadb_sa_auth = p_alg_auth;
- m_sa.sadb_sa_encrypt = p_alg_enc;
- m_sa.sadb_sa_flags = p_ext;
-
- memcpy(buf + l, &m_sa, len);
- l += len;
-
- len = sizeof(struct sadb_x_sa2);
- m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
- m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
- m_sa2.sadb_x_sa2_mode = p_mode;
- m_sa2.sadb_x_sa2_reqid = p_reqid;
-
- memcpy(buf + l, &m_sa2, len);
- l += len;
-
- l0 = l;
- n = 0;
-
- /* do it for all src/dst pairs */
- for (s = srcs; s; s = s->ai_next) {
- for (d = dsts; d; d = d->ai_next) {
- /* rewind pointer */
- l = l0;
-
- if (s->ai_addr->sa_family != d->ai_addr->sa_family)
- continue;
- switch (s->ai_addr->sa_family) {
- case AF_INET:
- plen = sizeof(struct in_addr) << 3;
- break;
-#ifdef INET6
- case AF_INET6:
- plen = sizeof(struct in6_addr) << 3;
- break;
-#endif
- default:
- continue;
- }
-
- /* set src */
- sa = s->ai_addr;
- salen = s->ai_addr->sa_len;
- m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
- PFKEY_ALIGN8(salen));
- m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
- m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
- m_addr.sadb_address_prefixlen = plen;
- m_addr.sadb_address_reserved = 0;
-
- setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
- sizeof(m_addr), (caddr_t)sa, salen);
-
- /* set dst */
- sa = d->ai_addr;
- salen = d->ai_addr->sa_len;
- m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
- PFKEY_ALIGN8(salen));
- m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
- m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
- m_addr.sadb_address_prefixlen = plen;
- m_addr.sadb_address_reserved = 0;
-
- setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
- sizeof(m_addr), (caddr_t)sa, salen);
-
- msg->sadb_msg_len = PFKEY_UNIT64(l);
-
- sendkeymsg(buf, l);
-
- n++;
- }
- }
-
- if (n == 0)
- return -1;
- else
- return 0;
-}
-
-static struct addrinfo *
-parse_addr(host, port)
- char *host;
- char *port;
-{
- struct addrinfo hints, *res = NULL;
- int error;
-
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = p_aifamily;
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_protocol = IPPROTO_UDP; /*dummy*/
- hints.ai_flags = p_aiflags;
- error = getaddrinfo(host, port, &hints, &res);
- if (error != 0) {
- yyerror(gai_strerror(error));
- return NULL;
- }
- return res;
-}
-
-static int
-fix_portstr(spec, sport, dport)
- vchar_t *spec, *sport, *dport;
-{
- char *p, *p2;
- u_int l;
-
- l = 0;
- for (p = spec->buf; *p != ',' && *p != '\0' && l < spec->len; p++, l++)
- ;
- if (*p == '\0') {
- p2 = "0";
- } else {
- if (*p == ',') {
- *p = '\0';
- p2 = ++p;
- }
- for (p = p2; *p != '\0' && l < spec->len; p++, l++)
- ;
- if (*p != '\0' || *p2 == '\0') {
- yyerror("invalid an upper layer protocol spec");
- return -1;
- }
- }
-
- sport->buf = strdup(spec->buf);
- if (!sport->buf) {
- yyerror("insufficient memory");
- return -1;
- }
- sport->len = strlen(sport->buf);
- dport->buf = strdup(p2);
- if (!dport->buf) {
- yyerror("insufficient memory");
- return -1;
- }
- dport->len = strlen(dport->buf);
-
- return 0;
-}
-
-static int
-setvarbuf(buf, off, ebuf, elen, vbuf, vlen)
- char *buf;
- int *off;
- struct sadb_ext *ebuf;
- int elen;
- caddr_t vbuf;
- int vlen;
-{
- memset(buf + *off, 0, PFKEY_UNUNIT64(ebuf->sadb_ext_len));
- memcpy(buf + *off, (caddr_t)ebuf, elen);
- memcpy(buf + *off + elen, vbuf, vlen);
- (*off) += PFKEY_ALIGN8(elen + vlen);
-
- return 0;
-}
-
-void
-parse_init()
-{
- p_spi = 0;
-
- p_ext = SADB_X_EXT_CYCSEQ;
- p_alg_enc = SADB_EALG_NONE;
- p_alg_auth = SADB_AALG_NONE;
- p_mode = IPSEC_MODE_ANY;
- p_reqid = 0;
- p_replay = 0;
- p_key_enc_len = p_key_auth_len = 0;
- p_key_enc = p_key_auth = 0;
- p_lt_hard = p_lt_soft = 0;
-
- p_aiflags = 0;
- p_aifamily = PF_UNSPEC;
-
- return;
-}
-
-void
-free_buffer()
-{
- /* we got tons of memory leaks in the parser anyways, leave them */
-
- return;
-}
diff --git a/usr.sbin/setkey/sample.cf b/usr.sbin/setkey/sample.cf
deleted file mode 100644
index c534fa1..0000000
--- a/usr.sbin/setkey/sample.cf
+++ /dev/null
@@ -1,219 +0,0 @@
-# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# 3. Neither the name of the project nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-
-# There are sample scripts for IPsec configuration by manual keying.
-# A security association is uniquely identified by a triple consisting
-# of a Security Parameter Index (SPI), an IP Destination Address, and a
-# security protocol (AH or ESP) identifier. You must take care of these
-# parameters when you configure by manual keying.
-
-# ESP transport mode is recommended for TCP port number 110 between
-# Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key
-# is "kamekame", and authentication algorithm is hmac-sha1 whose key
-# is "this is the test key".
-#
-# ============ ESP ============
-# | |
-# Host-A Host-B
-# fec0::10 -------------------- fec0::11
-#
-# At Host-A and Host-B,
-spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
- esp/transport//use ;
-spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
- esp/transport//use ;
-add fec0::10 fec0::11 esp 0x10001
- -m transport
- -E blowfish-cbc "kamekame"
- -A hmac-sha1 "this is the test key" ;
-add fec0::11 fec0::10 esp 0x10002
- -m transport
- -E blowfish-cbc "kamekame"
- -A hmac-sha1 "this is the test key" ;
-
-# "[any]" is wildcard of port number. Note that "[0]" is the number of
-# zero in port number.
-
-# Security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5
-# whose key is "this is the test" as authentication algorithm.
-# That protocol takes place between Gateway-A and Gateway-B.
-#
-# ======= AH =======
-# | |
-# Network-A Gateway-A Gateway-B Network-B
-# 10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
-#
-# At Gateway-A:
-spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
- ah/tunnel/172.16.0.1-172.16.0.2/require ;
-spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
- ah/tunnel/172.16.0.2-172.16.0.1/require ;
-add 172.16.0.1 172.16.0.2 ah-old 0x10003
- -m any
- -A keyed-md5 "this is the test" ;
-add 172.16.0.2 172.16.0.1 ah-old 0x10004
- -m any
- -A keyed-md5 "this is the test" ;
-
-# If port number field is omitted such above then "[any]" is employed.
-# -m specifies the mode of SA to be used. "-m any" means wildcard of
-# mode of security protocol. You can use this SAs for both tunnel and
-# transport mode.
-
-# At Gateway-B. Attention to the selector and peer's IP address for tunnel.
-spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
- ah/tunnel/172.16.0.2-172.16.0.1/require ;
-spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
- ah/tunnel/172.16.0.1-172.16.0.2/require ;
-add 172.16.0.1 172.16.0.2 ah-old 0x10003
- -m tunnel
- -A keyed-md5 "this is the test" ;
-add 172.16.0.2 172.16.0.1 ah-old 0x10004
- -m tunnel
- -A keyed-md5 "this is the test" ;
-
-# AH transport mode followed by ESP tunnel mode is required between
-# Gateway-A and Gateway-B.
-# Encryption algorithm is 3des-cbc, and authentication algorithm for ESP
-# is hmac-sha1. Authentication algorithm for AH is hmac-md5.
-#
-# ========== AH =========
-# | ======= ESP ===== |
-# | | | |
-# Network-A Gateway-A Gateway-B Network-B
-# fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
-#
-# At Gateway-A:
-spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
- esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
- ah/transport//require ;
-spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
- esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
- ah/transport//require ;
-add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
- -m tunnel
- -E 3des-cbc "kamekame12341234kame1234"
- -A hmac-sha1 "this is the test key" ;
-add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
- -m transport
- -A hmac-md5 "this is the test" ;
-add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
- -m tunnel
- -E 3des-cbc "kamekame12341234kame1234"
- -A hmac-sha1 "this is the test key" ;
-add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
- -m transport
- -A hmac-md5 "this is the test" ;
-
-# ESP tunnel mode is required between Host-A and Gateway-A.
-# Encryption algorithm is cast128-cbc, and authentication algorithm
-# for ESP is hmac-sha1.
-# ESP transport mode is recommended between Host-A and Host-B.
-# Encryption algorithm is rc5-cbc, and authentication algorithm
-# for ESP is hmac-md5.
-#
-# ================== ESP =================
-# | ======= ESP ======= |
-# | | | |
-# Host-A Gateway-A Host-B
-# fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
-#
-# At Host-A:
-spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
- esp/transport//use
- esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
-spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
- esp/transport//use
- esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
-add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
- -m transport
- -E cast128-cbc "12341234"
- -A hmac-sha1 "this is the test key" ;
-add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
- -E rc5-cbc "kamekame"
- -A hmac-md5 "this is the test" ;
-add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
- -m transport
- -E cast128-cbc "12341234"
- -A hmac-sha1 "this is the test key" ;
-add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
- -E rc5-cbc "kamekame"
- -A hmac-md5 "this is the test" ;
-
-# By "get" command, you can get a entry of either SP or SA.
-get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
-
-# Also delete command, you can delete a entry of either SP or SA.
-spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
-delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
-
-# By dump command, you can dump all entry of either SP or SA.
-dump ;
-spddump ;
-dump esp ;
-flush esp ;
-
-# By flush command, you can flush all entry of either SP or SA.
-flush ;
-spdflush ;
-
-# "flush" and "dump" commands can specify a security protocol.
-dump esp ;
-flush ah ;
-
-# XXX
-add ::1 ::1 esp 10001 -m transport -E null ;
-add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
-add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
-add ::1 ::1 esp 10004 -m transport -E null -A null ;
-add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
-add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
-add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
-add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
-add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
-add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
-add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
-add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
-add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
-add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
-add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
-add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
-add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
-add ::1 ::1 esp 10018 -m transport -E null ;
-#add ::1 ::1 ah 20000 -m transport -A null ;
-add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
-add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
-add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
-add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
-add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
-#add ::1 ::1 ipcomp 30000 -C oui ;
-add ::1 ::1 ipcomp 30001 -C deflate ;
-#add ::1 ::1 ipcomp 30002 -C lzs ;
-
-# enjoy.
diff --git a/usr.sbin/setkey/scriptdump.pl b/usr.sbin/setkey/scriptdump.pl
deleted file mode 100644
index a1d8adb..0000000
--- a/usr.sbin/setkey/scriptdump.pl
+++ /dev/null
@@ -1,56 +0,0 @@
-#! @LOCALPREFIX@/bin/perl
-# $FreeBSD$
-
-if ($< != 0) {
- print STDERR "must be root to invoke this\n";
- exit 1;
-}
-
-$mode = 'add';
-while ($i = shift @ARGV) {
- if ($i eq '-d') {
- $mode = 'delete';
- } else {
- print STDERR "usage: scriptdump [-d]\n";
- exit 1;
- }
-}
-
-open(IN, "setkey -D |") || die;
-foreach $_ (<IN>) {
- if (/^[^\t]/) {
- ($src, $dst) = split(/\s+/, $_);
- } elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*reqid=(\d+)/) {
- ($proto, $ipsecmode, $spi, $reqid) = ($1, $2, $3, $4);
- } elsif (/^\tE: (\S+) (.*)/) {
- $ealgo = $1;
- $ekey = $2;
- $ekey =~ s/\s//g;
- $ekey =~ s/^/0x/g;
- } elsif (/^\tA: (\S+) (.*)/) {
- $aalgo = $1;
- $akey = $2;
- $akey =~ s/\s//g;
- $akey =~ s/^/0x/g;
- } elsif (/^\tseq=(0x\d+) replay=(\d+) flags=(0x\d+) state=/) {
- print "$mode $src $dst $proto $spi";
- $replay = $2;
- print " -u $reqid" if $reqid;
- if ($mode eq 'add') {
- print " -m $ipsecmode -r $replay" if $replay;
- if ($proto eq 'esp') {
- print " -E $ealgo $ekey" if $ealgo;
- print " -A $aalgo $akey" if $aalgo;
- } elsif ($proto eq 'ah') {
- print " -A $aalgo $akey" if $aalgo;
- }
- }
- print ";\n";
-
- $src = $dst = $upper = $proxy = '';
- $ealgo = $ekey = $aalgo = $akey = '';
- }
-}
-close(IN);
-
-exit 0;
diff --git a/usr.sbin/setkey/setkey.8 b/usr.sbin/setkey/setkey.8
deleted file mode 100644
index 36537c8..0000000
--- a/usr.sbin/setkey/setkey.8
+++ /dev/null
@@ -1,693 +0,0 @@
-.\" $KAME: setkey.8,v 1.89 2003/09/07 22:17:41 itojun Exp $
-.\"
-.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of the project nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $FreeBSD$
-.\"
-.Dd November 20, 2000
-.Dt SETKEY 8
-.Os
-.\"
-.Sh NAME
-.Nm setkey
-.Nd "manually manipulate the IPsec SA/SP database"
-.\"
-.Sh SYNOPSIS
-.Nm
-.Op Fl v
-.Fl c
-.Nm
-.Op Fl v
-.Fl f Ar filename
-.Nm
-.Op Fl aPlv
-.Fl D
-.Nm
-.Op Fl Pv
-.Fl F
-.Nm
-.Op Fl h
-.Fl x
-.\"
-.Sh DESCRIPTION
-The
-.Nm
-utility adds, updates, dumps, or flushes
-Security Association Database (SAD) entries
-as well as Security Policy Database (SPD) entries in the kernel.
-.Pp
-The
-.Nm
-utility takes a series of operations from the standard input
-(if invoked with
-.Fl c )
-or the file named
-.Ar filename
-(if invoked with
-.Fl f Ar filename ) .
-.Bl -tag -width indent
-.It Fl D
-Dump the SAD entries.
-If with
-.Fl P ,
-the SPD entries are dumped.
-.It Fl F
-Flush the SAD entries.
-If with
-.Fl P ,
-the SPD entries are flushed.
-.It Fl a
-The
-.Nm
-utility
-usually does not display dead SAD entries with
-.Fl D .
-If with
-.Fl a ,
-the dead SAD entries will be displayed as well.
-A dead SAD entry means that
-it has been expired but remains in the system
-because it is referenced by some SPD entries.
-.It Fl h
-Add hexadecimal dump on
-.Fl x
-mode.
-.It Fl l
-Loop forever with short output on
-.Fl D .
-.It Fl v
-Be verbose.
-The program will dump messages exchanged on
-.Dv PF_KEY
-socket, including messages sent from other processes to the kernel.
-.It Fl x
-Loop forever and dump all the messages transmitted to
-.Dv PF_KEY
-socket.
-.Fl xx
-makes each timestamps unformatted.
-.El
-.Ss Configuration syntax
-With
-.Fl c
-or
-.Fl f
-on the command line,
-.Nm
-accepts the following configuration syntax.
-Lines starting with hash signs
-.Pq Ql #
-are treated as comment lines.
-.Bl -tag -width indent
-.It Xo
-.Li add
-.Op Fl 46n
-.Ar src Ar dst Ar protocol Ar spi
-.Op Ar extensions
-.Ar algorithm ...
-.Li ;
-.Xc
-Add an SAD entry.
-.Li add
-can fail with multiple reasons,
-including when the key length does not match the specified algorithm.
-.\"
-.It Xo
-.Li get
-.Op Fl 46n
-.Ar src Ar dst Ar protocol Ar spi
-.Li ;
-.Xc
-Show an SAD entry.
-.\"
-.It Xo
-.Li delete
-.Op Fl 46n
-.Ar src Ar dst Ar protocol Ar spi
-.Li ;
-.Xc
-Remove an SAD entry.
-.\"
-.It Xo
-.Li deleteall
-.Op Fl 46n
-.Ar src Ar dst Ar protocol
-.Li ;
-.Xc
-Remove all SAD entries that match the specification.
-.\"
-.It Xo
-.Li flush
-.Op Ar protocol
-.Li ;
-.Xc
-Clear all SAD entries matched by the options.
-.Fl F
-on the command line achieves the same functionality.
-.\"
-.It Xo
-.Li dump
-.Op Ar protocol
-.Li ;
-.Xc
-Dumps all SAD entries matched by the options.
-.Fl D
-on the command line achieves the same functionality.
-.\"
-.It Xo
-.Li spdadd
-.Op Fl 46n
-.Ar src_range Ar dst_range Ar upperspec Ar policy
-.Li ;
-.Xc
-Add an SPD entry.
-.\"
-.It Xo
-.Li spddelete
-.Op Fl 46n
-.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
-.Li ;
-.Xc
-Delete an SPD entry.
-.\"
-.It Xo
-.Li spdflush
-.Li ;
-.Xc
-Clear all SPD entries.
-.Fl FP
-on the command line achieves the same functionality.
-.\"
-.It Xo
-.Li spddump
-.Li ;
-.Xc
-Dumps all SPD entries.
-.Fl DP
-on the command line achieves the same functionality.
-.El
-.\"
-.Pp
-Meta-arguments are as follows:
-.Pp
-.Bl -tag -compact -width indent
-.It Ar src
-.It Ar dst
-Source/destination of the secure communication is specified as
-IPv4/v6 address.
-The
-.Nm
-utility
-can resolve a FQDN into numeric addresses.
-If the FQDN resolves into multiple addresses,
-.Nm
-will install multiple SAD/SPD entries into the kernel
-by trying all possible combinations.
-.Fl 4 ,
-.Fl 6
-and
-.Fl n
-restricts the address resolution of FQDN in certain ways.
-.Fl 4
-and
-.Fl 6
-restrict results into IPv4/v6 addresses only, respectively.
-.Fl n
-avoids FQDN resolution and requires addresses to be numeric addresses.
-.\"
-.Pp
-.It Ar protocol
-.Ar protocol
-is one of following:
-.Bl -tag -width Fl -compact
-.It Li esp
-ESP based on rfc2406
-.It Li esp-old
-ESP based on rfc1827
-.It Li ah
-AH based on rfc2402
-.It Li ah-old
-AH based on rfc1826
-.It Li ipcomp
-IPComp
-.It Li tcp
-TCP-MD5 based on rfc2385
-.El
-.\"
-.Pp
-.It Ar spi
-Security Parameter Index
-(SPI)
-for the SAD and the SPD.
-.Ar spi
-must be a decimal number, or a hexadecimal number with
-.Ql 0x
-prefix.
-SPI values between 0 and 255 are reserved for future use by IANA
-and they cannot be used.
-TCP-MD5 associations must use 0x1000 and therefore only have per-host
-granularity at this time.
-.\"
-.Pp
-.It Ar extensions
-take some of the following:
-.Bl -tag -width Fl -compact
-.\"
-.It Fl m Ar mode
-Specify a security protocol mode for use.
-.Ar mode
-is one of following:
-.Li transport , tunnel
-or
-.Li any .
-The default value is
-.Li any .
-.\"
-.It Fl r Ar size
-Specify window size of bytes for replay prevention.
-.Ar size
-must be decimal number in 32-bit word.
-If
-.Ar size
-is zero or not specified, replay check does not take place.
-.\"
-.It Fl u Ar id
-Specify the identifier of the policy entry in SPD.
-See
-.Ar policy .
-.\"
-.It Fl f Ar pad_option
-defines the content of the ESP padding.
-.Ar pad_option
-is one of following:
-.Bl -tag -width random-pad -compact
-.It Li zero-pad
-All of the padding are zero.
-.It Li random-pad
-A series of randomized values are set.
-.It Li seq-pad
-A series of sequential increasing numbers started from 1 are set.
-.El
-.\"
-.It Fl f Li nocyclic-seq
-Do not allow cyclic sequence number.
-.\"
-.It Fl lh Ar time
-.It Fl ls Ar time
-Specify hard/soft life time duration of the SA.
-.El
-.\"
-.Pp
-.It Ar algorithm
-.Bl -tag -width Fl -compact
-.It Fl E Ar ealgo Ar key
-Specify an encryption algorithm
-.Ar ealgo
-for ESP.
-.It Xo
-.Fl E Ar ealgo Ar key
-.Fl A Ar aalgo Ar key
-.Xc
-Specify a encryption algorithm
-.Ar ealgo ,
-as well as a payload authentication algorithm
-.Ar aalgo ,
-for ESP.
-.It Fl A Ar aalgo Ar key
-Specify an authentication algorithm for AH.
-.It Fl C Ar calgo Op Fl R
-Specify a compression algorithm for IPComp.
-If
-.Fl R
-is specified,
-.Ar spi
-field value will be used as the IPComp CPI
-(compression parameter index)
-on wire as is.
-If
-.Fl R
-is not specified,
-the kernel will use well-known CPI on wire, and
-.Ar spi
-field will be used only as an index for kernel internal usage.
-.El
-.Pp
-.Ar key
-must be double-quoted character string, or a series of hexadecimal digits
-preceded by
-.Ql 0x .
-.Pp
-Possible values for
-.Ar ealgo ,
-.Ar aalgo
-and
-.Ar calgo
-are specified in separate section.
-.\"
-.Pp
-.It Ar src_range
-.It Ar dst_range
-These are selections of the secure communication specified as
-IPv4/v6 address or IPv4/v6 address range, and it may accompany
-TCP/UDP port specification.
-This takes the following form:
-.Bd -unfilled
-.Ar address
-.Ar address/prefixlen
-.Ar address[port]
-.Ar address/prefixlen[port]
-.Ed
-.Pp
-.Ar prefixlen
-and
-.Ar port
-must be decimal number.
-The square bracket around
-.Ar port
-is really necessary.
-They are not manpage metacharacters.
-For FQDN resolution, the rules applicable to
-.Ar src
-and
-.Ar dst
-apply here as well.
-.\"
-.Pp
-.It Ar upperspec
-Upper-layer protocol to be used.
-You can use one of words in
-.Pa /etc/protocols
-as
-.Ar upperspec .
-Or
-.Li icmp6 ,
-.Li ip4 ,
-and
-.Li any
-can be specified.
-.Li any
-stands for
-.Dq any protocol .
-Also you can use the protocol number.
-You can specify a type and/or a code of ICMPv6 when
-upper-layer protocol is ICMPv6.
-The specification can be placed after
-.Li icmp6 .
-A type is separated with a code by single comma.
-A code must be specified anytime.
-When a zero is specified, the kernel deals with it as a wildcard.
-Note that the kernel cannot distinguish a wildcard from that a type
-of ICMPv6 is zero.
-For example, the following means the policy does not require IPsec
-for any inbound Neighbor Solicitation:
-.Pp
-.Dl "spdadd ::/0 ::/0 icmp6 135,0 -P in none;"
-.Pp
-NOTE:
-.Ar upperspec
-does not work against forwarding case at this moment,
-as it requires extra reassembly at forwarding node
-(not implemented at this moment).
-We have many protocols in
-.Pa /etc/protocols ,
-but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec.
-You have to consider and be careful to use them.
-.\"
-.Pp
-.It Ar policy
-.Ar policy
-is the one of the following three formats:
-.Bd -ragged -offset indent
-.It Fl P Ar direction Li discard
-.It Fl P Ar direction Li none
-.It Xo Fl P Ar direction Li ipsec
-.Ar protocol/mode/src-dst/level Op ...
-.Xc
-.Ed
-.Pp
-You must specify the direction of its policy as
-.Ar direction .
-Either
-.Li out
-or
-.Li in
-are used.
-.Li discard
-means the packet matching indexes will be discarded.
-.Li none
-means that IPsec operation will not take place onto the packet.
-.Li ipsec
-means that IPsec operation will take place onto the packet.
-The part of
-.Ar protocol/mode/src-dst/level
-specifies the rule how to process the packet.
-Either
-.Li ah ,
-.Li esp
-or
-.Li ipcomp
-is to be set as
-.Ar protocol .
-.Ar mode
-is either
-.Li transport
-or
-.Li tunnel .
-If
-.Ar mode
-is
-.Li tunnel ,
-you must specify the end-points addresses of the SA as
-.Ar src
-and
-.Ar dst
-with
-.Sq -
-between these addresses which is used to specify the SA to use.
-If
-.Ar mode
-is
-.Li transport ,
-both
-.Ar src
-and
-.Ar dst
-can be omitted.
-.Ar level
-is to be one of the following:
-.Li default , use , require
-or
-.Li unique .
-If the SA is not available in every level, the kernel will request
-getting SA to the key exchange daemon.
-.Li default
-means the kernel consults to the system wide default against protocol you
-specified, e.g.,
-.Li esp_trans_deflev
-sysctl variable, when the kernel processes the packet.
-.Li use
-means that the kernel use a SA if it is available,
-otherwise the kernel keeps normal operation.
-.Li require
-means SA is required whenever the kernel sends a packet matched
-with the policy.
-.Li unique
-is the same to require.
-In addition, it allows the policy to bind with the unique out-bound SA.
-You just specify the policy level
-.Li unique ,
-.Xr racoon 8
-will configure the SA for the policy.
-If you configure the SA by manual keying for that policy,
-you can put the decimal number as the policy identifier after
-.Li unique
-separated by colon
-.Ql :\&
-like the following;
-.Li unique:number .
-In order to bind this policy to the SA,
-.Li number
-must be between 1 and 32767.
-It corresponds to
-.Ar extensions Fl u
-of the manual SA configuration.
-When you want to use SA bundle, you can define multiple rules.
-For example, if an IP header was followed by AH header followed by ESP header
-followed by an upper layer protocol header, the rule
-would be:
-.Dl esp/transport//require ah/transport//require ;
-The rule order is very important.
-.Pp
-Note that
-.Dq Li discard
-and
-.Dq Li none
-are not in the syntax described in
-.Xr ipsec_set_policy 3 .
-There are little differences in the syntax.
-See
-.Xr ipsec_set_policy 3
-for detail.
-.Pp
-.El
-.Pp
-.\"
-.Sh ALGORITHMS
-The following list shows the supported algorithms.
-.Sy protocol
-and
-.Sy algorithm
-are almost orthogonal.
-Followings are the list of authentication algorithms that can be used as
-.Ar aalgo
-in
-.Fl A Ar aalgo
-of
-.Ar protocol
-parameter:
-.Pp
-.Bd -literal -offset indent
-algorithm keylen (bits) comment
-hmac-md5 128 ah: rfc2403
- 128 ah-old: rfc2085
-hmac-sha1 160 ah: rfc2404
- 160 ah-old: 128bit ICV (no document)
-keyed-md5 128 ah: 96bit ICV (no document)
- 128 ah-old: rfc1828
-keyed-sha1 160 ah: 96bit ICV (no document)
- 160 ah-old: 128bit ICV (no document)
-null 0 to 2048 for debugging
-hmac-sha2-256 256 ah: 96bit ICV
- (draft-ietf-ipsec-ciph-sha-256-00)
- 256 ah-old: 128bit ICV (no document)
-hmac-sha2-384 384 ah: 96bit ICV (no document)
- 384 ah-old: 128bit ICV (no document)
-hmac-sha2-512 512 ah: 96bit ICV (no document)
- 512 ah-old: 128bit ICV (no document)
-hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
- ah-old: 128bit ICV (no document)
-aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
- 128 ah-old: 128bit ICV (no document)
-tcp-md5 8 to 640 tcp: rfc2385
-.Ed
-.Pp
-Followings are the list of encryption algorithms that can be used as
-.Ar ealgo
-in
-.Fl E Ar ealgo
-of
-.Ar protocol
-parameter:
-.Pp
-.Bd -literal -offset indent
-algorithm keylen (bits) comment
-des-cbc 64 esp-old: rfc1829, esp: rfc2405
-3des-cbc 192 rfc2451
-null 0 to 2048 rfc2410
-blowfish-cbc 40 to 448 rfc2451
-cast128-cbc 40 to 128 rfc2451
-des-deriv 64 ipsec-ciph-des-derived-01
-3des-deriv 192 no document
-rijndael-cbc 128/192/256 rfc3602
-aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
-.Ed
-.Pp
-Note that the first 128 bits of a key for
-.Li aes-ctr
-will be used as AES key, and remaining 32 bits will be used as nonce.
-.Pp
-Followings are the list of compression algorithms that can be used as
-.Ar calgo
-in
-.Fl C Ar calgo
-of
-.Ar protocol
-parameter:
-.Pp
-.Bd -literal -offset indent
-algorithm comment
-deflate rfc2394
-.Ed
-.\"
-.Sh EXIT STATUS
-.Ex -std
-.\"
-.Sh EXAMPLES
-.Bd -literal -offset
-add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
- -E des-cbc 0x3ffe05014819ffff ;
-
-add -6 myhost.example.com yourhost.example.com ah 123456
- -A hmac-sha1 "AH SA configuration!" ;
-
-add 10.0.11.41 10.0.11.33 esp 0x10001
- -E des-cbc 0x3ffe05014819ffff
- -A hmac-md5 "authentication!!" ;
-
-get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
-
-flush ;
-
-dump esp ;
-
-spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
- -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
-
-add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
-
-.Ed
-.\"
-.Sh SEE ALSO
-.Xr ipsec_set_policy 3 ,
-.Xr racoon 8 ,
-.Xr sysctl 8
-.Rs
-.%T "Changed manual key configuration for IPsec"
-.%O "http://www.kame.net/newsletter/19991007/"
-.%D "October 1999"
-.Re
-.\"
-.Sh HISTORY
-The
-.Nm
-utility first appeared in WIDE Hydrangea IPv6 protocol stack kit.
-The utility was completely re-designed in June 1998.
-.\"
-.Sh BUGS
-The
-.Nm
-utility
-should report and handle syntax errors better.
-.Pp
-For IPsec gateway configuration,
-.Ar src_range
-and
-.Ar dst_range
-with TCP/UDP port number do not work, as the gateway does not reassemble
-packets
-(cannot inspect upper-layer headers).
diff --git a/usr.sbin/setkey/setkey.c b/usr.sbin/setkey/setkey.c
deleted file mode 100644
index 5bdd6df..0000000
--- a/usr.sbin/setkey/setkey.c
+++ /dev/null
@@ -1,632 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: setkey.c,v 1.28 2003/06/27 07:15:45 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-#include <err.h>
-#include <net/route.h>
-#include <netinet/in.h>
-#include <net/pfkeyv2.h>
-#include <netkey/keydb.h>
-#include <netkey/key_debug.h>
-#include <netinet6/ipsec.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <limits.h>
-#include <string.h>
-#include <ctype.h>
-#include <unistd.h>
-#include <errno.h>
-#include <netdb.h>
-
-#include "libpfkey.h"
-
-void usage __P((void));
-int main __P((int, char **));
-int get_supported __P((void));
-void sendkeyshort __P((u_int));
-void promisc __P((void));
-int sendkeymsg __P((char *, size_t));
-int postproc __P((struct sadb_msg *, int));
-const char *numstr __P((int));
-void shortdump_hdr __P((void));
-void shortdump __P((struct sadb_msg *));
-static void printdate __P((void));
-static int32_t gmt2local __P((time_t));
-
-#define MODE_SCRIPT 1
-#define MODE_CMDDUMP 2
-#define MODE_CMDFLUSH 3
-#define MODE_PROMISC 4
-
-int so;
-
-int f_forever = 0;
-int f_all = 0;
-int f_verbose = 0;
-int f_mode = 0;
-int f_cmddump = 0;
-int f_policy = 0;
-int f_hexdump = 0;
-int f_tflag = 0;
-static time_t thiszone;
-
-extern int lineno;
-
-extern int parse __P((FILE **));
-
-void
-usage()
-{
-
- printf("usage: setkey [-v] -c\n");
- printf(" setkey [-v] -f filename\n");
- printf(" setkey [-Palv] -D\n");
- printf(" setkey [-Pv] -F\n");
- printf(" setkey [-h] -x\n");
- exit(1);
-}
-
-int
-main(ac, av)
- int ac;
- char **av;
-{
- FILE *fp = stdin;
- int c;
-
- if (ac == 1) {
- usage();
- /* NOTREACHED */
- }
-
- thiszone = gmt2local(0);
-
- while ((c = getopt(ac, av, "acdf:hlvxDFP")) != -1) {
- switch (c) {
- case 'c':
- f_mode = MODE_SCRIPT;
- fp = stdin;
- break;
- case 'f':
- f_mode = MODE_SCRIPT;
- if ((fp = fopen(optarg, "r")) == NULL) {
- err(-1, "fopen");
- /*NOTREACHED*/
- }
- break;
- case 'D':
- f_mode = MODE_CMDDUMP;
- break;
- case 'F':
- f_mode = MODE_CMDFLUSH;
- break;
- case 'a':
- f_all = 1;
- break;
- case 'l':
- f_forever = 1;
- break;
- case 'h':
- f_hexdump = 1;
- break;
- case 'x':
- f_mode = MODE_PROMISC;
- f_tflag++;
- break;
- case 'P':
- f_policy = 1;
- break;
- case 'v':
- f_verbose = 1;
- break;
- default:
- usage();
- /*NOTREACHED*/
- }
- }
-
- so = pfkey_open();
- if (so < 0) {
- perror("pfkey_open");
- exit(1);
- }
-
- switch (f_mode) {
- case MODE_CMDDUMP:
- sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP);
- break;
- case MODE_CMDFLUSH:
- sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
- break;
- case MODE_SCRIPT:
- if (get_supported() < 0) {
- errx(-1, "%s", ipsec_strerror());
- /*NOTREACHED*/
- }
- if (parse(&fp))
- exit (1);
- break;
- case MODE_PROMISC:
- promisc();
- /*NOTREACHED*/
- default:
- usage();
- /*NOTREACHED*/
- }
-
- exit(0);
-}
-
-int
-get_supported()
-{
-
- if (pfkey_send_register(so, SADB_SATYPE_UNSPEC) < 0)
- return -1;
-
- if (pfkey_recv_register(so) < 0)
- return -1;
-
- return 0;
-}
-
-void
-sendkeyshort(type)
- u_int type;
-{
- struct sadb_msg msg;
-
- msg.sadb_msg_version = PF_KEY_V2;
- msg.sadb_msg_type = type;
- msg.sadb_msg_errno = 0;
- msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
- msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
- msg.sadb_msg_reserved = 0;
- msg.sadb_msg_seq = 0;
- msg.sadb_msg_pid = getpid();
-
- sendkeymsg((char *)&msg, sizeof(msg));
-
- return;
-}
-
-void
-promisc()
-{
- struct sadb_msg msg;
- u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
- ssize_t l;
-
- msg.sadb_msg_version = PF_KEY_V2;
- msg.sadb_msg_type = SADB_X_PROMISC;
- msg.sadb_msg_errno = 0;
- msg.sadb_msg_satype = 1;
- msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
- msg.sadb_msg_reserved = 0;
- msg.sadb_msg_seq = 0;
- msg.sadb_msg_pid = getpid();
-
- if ((l = send(so, &msg, sizeof(msg), 0)) < 0) {
- err(1, "send");
- /*NOTREACHED*/
- }
-
- while (1) {
- struct sadb_msg *base;
-
- if ((l = recv(so, rbuf, sizeof(*base), MSG_PEEK)) < 0) {
- err(1, "recv");
- /*NOTREACHED*/
- }
-
- if (l != sizeof(*base))
- continue;
-
- base = (struct sadb_msg *)rbuf;
- if ((l = recv(so, rbuf, PFKEY_UNUNIT64(base->sadb_msg_len),
- 0)) < 0) {
- err(1, "recv");
- /*NOTREACHED*/
- }
- printdate();
- if (f_hexdump) {
- int i;
- for (i = 0; i < l; i++) {
- if (i % 16 == 0)
- printf("%08x: ", i);
- printf("%02x ", rbuf[i] & 0xff);
- if (i % 16 == 15)
- printf("\n");
- }
- if (l % 16)
- printf("\n");
- }
- /* adjust base pointer for promisc mode */
- if (base->sadb_msg_type == SADB_X_PROMISC) {
- if ((ssize_t)sizeof(*base) < l)
- base++;
- else
- base = NULL;
- }
- if (base) {
- kdebug_sadb(base);
- printf("\n");
- fflush(stdout);
- }
- }
-}
-
-int
-sendkeymsg(buf, len)
- char *buf;
- size_t len;
-{
- u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
- ssize_t l;
- struct sadb_msg *msg;
-
- {
- struct timeval tv;
- tv.tv_sec = 1;
- tv.tv_usec = 0;
- if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
- perror("setsockopt");
- goto end;
- }
- }
-
- if (f_forever)
- shortdump_hdr();
-again:
- if (f_verbose) {
- kdebug_sadb((struct sadb_msg *)buf);
- printf("\n");
- }
- if (f_hexdump) {
- int i;
- for (i = 0; i < len; i++) {
- if (i % 16 == 0)
- printf("%08x: ", i);
- printf("%02x ", buf[i] & 0xff);
- if (i % 16 == 15)
- printf("\n");
- }
- if (len % 16)
- printf("\n");
- }
-
- if ((l = send(so, buf, len, 0)) < 0) {
- perror("send");
- goto end;
- }
-
- msg = (struct sadb_msg *)rbuf;
- do {
- if ((l = recv(so, rbuf, sizeof(rbuf), 0)) < 0) {
- perror("recv");
- goto end;
- }
-
- if (PFKEY_UNUNIT64(msg->sadb_msg_len) != l) {
- warnx("invalid keymsg length");
- break;
- }
-
- if (f_verbose) {
- kdebug_sadb((struct sadb_msg *)rbuf);
- printf("\n");
- }
- if (postproc(msg, l) < 0)
- break;
- } while (msg->sadb_msg_errno || msg->sadb_msg_seq);
-
- if (f_forever) {
- fflush(stdout);
- sleep(1);
- goto again;
- }
-
-end:
- return(0);
-}
-
-int
-postproc(msg, len)
- struct sadb_msg *msg;
- int len;
-{
-
- if (msg->sadb_msg_errno != 0) {
- char inf[80];
- const char *errmsg = NULL;
-
- if (f_mode == MODE_SCRIPT)
- snprintf(inf, sizeof(inf), "The result of line %d: ", lineno);
- else
- inf[0] = '\0';
-
- switch (msg->sadb_msg_errno) {
- case ENOENT:
- switch (msg->sadb_msg_type) {
- case SADB_DELETE:
- case SADB_GET:
- case SADB_X_SPDDELETE:
- errmsg = "No entry";
- break;
- case SADB_DUMP:
- errmsg = "No SAD entries";
- break;
- case SADB_X_SPDDUMP:
- errmsg = "No SPD entries";
- break;
- }
- break;
- default:
- errmsg = strerror(msg->sadb_msg_errno);
- }
- printf("%s%s.\n", inf, errmsg);
- return(-1);
- }
-
- switch (msg->sadb_msg_type) {
- case SADB_GET:
- pfkey_sadump(msg);
- break;
-
- case SADB_DUMP:
- /* filter out DEAD SAs */
- if (!f_all) {
- caddr_t mhp[SADB_EXT_MAX + 1];
- struct sadb_sa *sa;
- pfkey_align(msg, mhp);
- pfkey_check(mhp);
- if ((sa = (struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) {
- if (sa->sadb_sa_state == SADB_SASTATE_DEAD)
- break;
- }
- }
- if (f_forever)
- shortdump(msg);
- else
- pfkey_sadump(msg);
- msg = (struct sadb_msg *)((caddr_t)msg +
- PFKEY_UNUNIT64(msg->sadb_msg_len));
- if (f_verbose) {
- kdebug_sadb((struct sadb_msg *)msg);
- printf("\n");
- }
- break;
-
- case SADB_X_SPDDUMP:
- pfkey_spdump(msg);
- if (msg->sadb_msg_seq == 0) break;
- msg = (struct sadb_msg *)((caddr_t)msg +
- PFKEY_UNUNIT64(msg->sadb_msg_len));
- if (f_verbose) {
- kdebug_sadb((struct sadb_msg *)msg);
- printf("\n");
- }
- break;
- }
-
- return(0);
-}
-
-/*------------------------------------------------------------*/
-static const char *satype[] = {
- NULL, NULL, "ah", "esp"
-};
-static const char *sastate[] = {
- "L", "M", "D", "d"
-};
-static const char *ipproto[] = {
-/*0*/ "ip", "icmp", "igmp", "ggp", "ip4",
- NULL, "tcp", NULL, "egp", NULL,
-/*10*/ NULL, NULL, NULL, NULL, NULL,
- NULL, NULL, "udp", NULL, NULL,
-/*20*/ NULL, NULL, "idp", NULL, NULL,
- NULL, NULL, NULL, NULL, "tp",
-/*30*/ NULL, NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL, NULL,
-/*40*/ NULL, "ip6", NULL, "rt6", "frag6",
- NULL, "rsvp", "gre", NULL, NULL,
-/*50*/ "esp", "ah", NULL, NULL, NULL,
- NULL, NULL, NULL, "icmp6", "none",
-/*60*/ "dst6",
-};
-
-#define STR_OR_ID(x, tab) \
- (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
-
-const char *
-numstr(x)
- int x;
-{
- static char buf[20];
- snprintf(buf, sizeof(buf), "#%d", x);
- return buf;
-}
-
-void
-shortdump_hdr()
-{
- printf("%-4s %-3s %-1s %-8s %-7s %s -> %s\n",
- "time", "p", "s", "spi", "ltime", "src", "dst");
-}
-
-void
-shortdump(msg)
- struct sadb_msg *msg;
-{
- caddr_t mhp[SADB_EXT_MAX + 1];
- char buf[NI_MAXHOST], pbuf[NI_MAXSERV];
- struct sadb_sa *sa;
- struct sadb_address *saddr;
- struct sadb_lifetime *lts, *lth, *ltc;
- struct sockaddr *s;
- u_int t;
- time_t cur = time(0);
-
- pfkey_align(msg, mhp);
- pfkey_check(mhp);
-
- printf("%02lu%02lu", (u_long)(cur % 3600) / 60, (u_long)(cur % 60));
-
- printf(" %-3s", STR_OR_ID(msg->sadb_msg_satype, satype));
-
- if ((sa = (struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) {
- printf(" %-1s", STR_OR_ID(sa->sadb_sa_state, sastate));
- printf(" %08x", (u_int32_t)ntohl(sa->sadb_sa_spi));
- } else
- printf("%-1s %-8s", "?", "?");
-
- lts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
- lth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
- ltc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
- if (lts && lth && ltc) {
- if (ltc->sadb_lifetime_addtime == 0)
- t = (u_long)0;
- else
- t = (u_long)(cur - ltc->sadb_lifetime_addtime);
- if (t >= 1000)
- strlcpy(buf, " big/", sizeof(buf));
- else
- snprintf(buf, sizeof(buf), " %3lu/", (u_long)t);
- printf("%s", buf);
-
- t = (u_long)lth->sadb_lifetime_addtime;
- if (t >= 1000)
- strlcpy(buf, "big", sizeof(buf));
- else
- snprintf(buf, sizeof(buf), "%-3lu", (u_long)t);
- printf("%s", buf);
- } else
- printf(" ??\?/???"); /* backslash to avoid trigraph ??/ */
-
- printf(" ");
-
- if ((saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]) != NULL) {
- if (saddr->sadb_address_proto)
- printf("%s ", STR_OR_ID(saddr->sadb_address_proto, ipproto));
- s = (struct sockaddr *)(saddr + 1);
- getnameinfo(s, s->sa_len, buf, sizeof(buf),
- pbuf, sizeof(pbuf), NI_NUMERICHOST|NI_NUMERICSERV);
- if (strcmp(pbuf, "0") != 0)
- printf("%s[%s]", buf, pbuf);
- else
- printf("%s", buf);
- } else
- printf("?");
-
- printf(" -> ");
-
- if ((saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]) != NULL) {
- if (saddr->sadb_address_proto)
- printf("%s ", STR_OR_ID(saddr->sadb_address_proto, ipproto));
-
- s = (struct sockaddr *)(saddr + 1);
- getnameinfo(s, s->sa_len, buf, sizeof(buf),
- pbuf, sizeof(pbuf), NI_NUMERICHOST|NI_NUMERICSERV);
- if (strcmp(pbuf, "0") != 0)
- printf("%s[%s]", buf, pbuf);
- else
- printf("%s", buf);
- } else
- printf("?");
-
- printf("\n");
-}
-
-/* From: tcpdump(1):gmt2local.c and util.c */
-/*
- * Print the timestamp
- */
-static void
-printdate()
-{
- struct timeval tp;
- int s;
-
- if (gettimeofday(&tp, NULL) == -1) {
- perror("gettimeofday");
- return;
- }
-
- if (f_tflag == 1) {
- /* Default */
- s = (tp.tv_sec + thiszone ) % 86400;
- (void)printf("%02d:%02d:%02d.%06u ",
- s / 3600, (s % 3600) / 60, s % 60, (u_int32_t)tp.tv_usec);
- } else if (f_tflag > 1) {
- /* Unix timeval style */
- (void)printf("%u.%06u ",
- (u_int32_t)tp.tv_sec, (u_int32_t)tp.tv_usec);
- }
-
- printf("\n");
-}
-
-/*
- * Returns the difference between gmt and local time in seconds.
- * Use gmtime() and localtime() to keep things simple.
- */
-int32_t
-gmt2local(time_t t)
-{
- register int dt, dir;
- register struct tm *gmt, *loc;
- struct tm sgmt;
-
- if (t == 0)
- t = time(NULL);
- gmt = &sgmt;
- *gmt = *gmtime(&t);
- loc = localtime(&t);
- dt = (loc->tm_hour - gmt->tm_hour) * 60 * 60 +
- (loc->tm_min - gmt->tm_min) * 60;
-
- /*
- * If the year or julian day is different, we span 00:00 GMT
- * and must add or subtract a day. Check the year first to
- * avoid problems when the julian day wraps.
- */
- dir = loc->tm_year - gmt->tm_year;
- if (dir == 0)
- dir = loc->tm_yday - gmt->tm_yday;
- dt += dir * 24 * 60 * 60;
-
- return (dt);
-}
diff --git a/usr.sbin/setkey/test-pfkey.c b/usr.sbin/setkey/test-pfkey.c
deleted file mode 100644
index b1fb238..0000000
--- a/usr.sbin/setkey/test-pfkey.c
+++ /dev/null
@@ -1,531 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: test-pfkey.c,v 1.4 2000/06/07 00:29:14 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <net/route.h>
-#include <net/pfkeyv2.h>
-#include <netinet/in.h>
-#include <netkey/keydb.h>
-#include <netkey/key_var.h>
-#include <netkey/key_debug.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <limits.h>
-#include <string.h>
-#include <ctype.h>
-#include <unistd.h>
-#include <errno.h>
-#include <netdb.h>
-
-u_char m_buf[BUFSIZ];
-u_int m_len;
-char *pname;
-
-void Usage __P((void));
-int sendkeymsg __P((void));
-void key_setsadbmsg __P((u_int));
-void key_setsadbsens __P((void));
-void key_setsadbprop __P((void));
-void key_setsadbid __P((u_int, caddr_t));
-void key_setsadblft __P((u_int, u_int));
-void key_setspirange __P((void));
-void key_setsadbkey __P((u_int, caddr_t));
-void key_setsadbsa __P((void));
-void key_setsadbaddr __P((u_int, u_int, caddr_t));
-void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
-
-void
-Usage()
-{
- printf("Usage:\t%s number\n", pname);
- exit(0);
-}
-
-int
-main(ac, av)
- int ac;
- char **av;
-{
- pname = *av;
-
- if (ac == 1) Usage();
-
- key_setsadbmsg(atoi(*(av+1)));
- sendkeymsg();
-
- exit(0);
-}
-
-/* %%% */
-int
-sendkeymsg()
-{
- u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
- int so, len;
-
- if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
- perror("socket(PF_KEY)");
- goto end;
- }
-#if 0
- {
-#include <sys/time.h>
- struct timeval tv;
- tv.tv_sec = 1;
- tv.tv_usec = 0;
- if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
- perror("setsockopt");
- goto end;
- }
- }
-#endif
-
- pfkey_sadump((struct sadb_msg *)m_buf);
-
- if ((len = send(so, m_buf, m_len, 0)) < 0) {
- perror("send");
- goto end;
- }
-
- if ((len = recv(so, rbuf, sizeof(rbuf), 0)) < 0) {
- perror("recv");
- goto end;
- }
-
- pfkey_sadump((struct sadb_msg *)rbuf);
-
-end:
- (void)close(so);
- return(0);
-}
-
-void
-key_setsadbmsg(type)
- u_int type;
-{
- struct sadb_msg m_msg;
-
- memset(&m_msg, 0, sizeof(m_msg));
- m_msg.sadb_msg_version = PF_KEY_V2;
- m_msg.sadb_msg_type = type;
- m_msg.sadb_msg_errno = 0;
- m_msg.sadb_msg_satype = SADB_SATYPE_ESP;
-#if 0
- m_msg.sadb_msg_reserved = 0;
-#endif
- m_msg.sadb_msg_seq = 0;
- m_msg.sadb_msg_pid = getpid();
-
- m_len = sizeof(struct sadb_msg);
- memcpy(m_buf, &m_msg, m_len);
-
- switch (type) {
- case SADB_GETSPI:
- /*<base, address(SD), SPI range>*/
- key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "10.0.3.4");
- key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "127.0.0.1");
- key_setspirange();
- /*<base, SA(*), address(SD)>*/
- break;
-
- case SADB_ADD:
- /* <base, SA, (lifetime(HSC),) address(SD), (address(P),)
- key(AE), (identity(SD),) (sensitivity)> */
- key_setsadbaddr(SADB_EXT_ADDRESS_PROXY, AF_INET6, "3ffe::1");
- case SADB_UPDATE:
- key_setsadbsa();
- key_setsadblft(SADB_EXT_LIFETIME_HARD, 10);
- key_setsadblft(SADB_EXT_LIFETIME_SOFT, 5);
- key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
- key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
- /* XXX key_setsadbkey(SADB_EXT_KEY_AUTH, "abcde"); */
- key_setsadbkey(SADB_EXT_KEY_AUTH, "1234567812345678");
- key_setsadbkey(SADB_EXT_KEY_ENCRYPT, "12345678");
- key_setsadbid(SADB_EXT_IDENTITY_SRC, "hoge1234@hoge.com");
- key_setsadbid(SADB_EXT_IDENTITY_DST, "hage5678@hage.net");
- key_setsadbsens();
- /* <base, SA, (lifetime(HSC),) address(SD), (address(P),)
- (identity(SD),) (sensitivity)> */
- break;
-
- case SADB_DELETE:
- /* <base, SA(*), address(SDP)> */
- key_setsadbsa();
- key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
- key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
- key_setsadbaddr(SADB_EXT_ADDRESS_PROXY, AF_INET6, "3ffe::1");
- /* <base, SA(*), address(SDP)> */
- break;
-
- case SADB_GET:
- /* <base, SA(*), address(SDP)> */
- key_setsadbsa();
- key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
- key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
- key_setsadbaddr(SADB_EXT_ADDRESS_PROXY, AF_INET6, "3ffe::1");
- /* <base, SA, (lifetime(HSC),) address(SD), (address(P),)
- key(AE), (identity(SD),) (sensitivity)> */
- break;
-
- case SADB_ACQUIRE:
- /* <base, address(SD), (address(P),) (identity(SD),)
- (sensitivity,) proposal> */
- key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
- key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
- key_setsadbaddr(SADB_EXT_ADDRESS_PROXY, AF_INET6, "3ffe::1");
- key_setsadbid(SADB_EXT_IDENTITY_SRC, "hoge1234@hoge.com");
- key_setsadbid(SADB_EXT_IDENTITY_DST, "hage5678@hage.net");
- key_setsadbsens();
- key_setsadbprop();
- /* <base, address(SD), (address(P),) (identity(SD),)
- (sensitivity,) proposal> */
- break;
-
- case SADB_REGISTER:
- /* <base> */
- /* <base, supported> */
- break;
-
- case SADB_EXPIRE:
- case SADB_FLUSH:
- break;
-
- case SADB_DUMP:
- break;
-
- case SADB_X_PROMISC:
- /* <base> */
- /* <base, base(, others)> */
- break;
-
- case SADB_X_PCHANGE:
- break;
-
- /* for SPD management */
- case SADB_X_SPDFLUSH:
- case SADB_X_SPDDUMP:
- break;
-
- case SADB_X_SPDADD:
-#if 0
- {
- struct sadb_x_policy m_policy;
-
- m_policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(m_policy));
- m_policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
- m_policy.sadb_x_policy_type = SADB_X_PL_IPSEC;
- m_policy.sadb_x_policy_esp_trans = 1;
- m_policy.sadb_x_policy_ah_trans = 2;
- m_policy.sadb_x_policy_esp_network = 3;
- m_policy.sadb_x_policy_ah_network = 4;
- m_policy.sadb_x_policy_reserved = 0;
-
- memcpy(m_buf + m_len, &m_policy, sizeof(struct sadb_x_policy));
- m_len += sizeof(struct sadb_x_policy);
- }
-#endif
-
- case SADB_X_SPDDELETE:
- key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
- key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
- break;
- }
-
- ((struct sadb_msg *)m_buf)->sadb_msg_len = PFKEY_UNIT64(m_len);
-
- return;
-}
-
-void
-key_setsadbsens()
-{
- struct sadb_sens m_sens;
- u_char buf[64];
- u_int s, i, slen, ilen, len;
-
- /* make sens & integ */
- s = htonl(0x01234567);
- i = htonl(0x89abcdef);
- slen = sizeof(s);
- ilen = sizeof(i);
- memcpy(buf, &s, slen);
- memcpy(buf + slen, &i, ilen);
-
- len = sizeof(m_sens) + PFKEY_ALIGN8(slen) + PFKEY_ALIGN8(ilen);
- m_sens.sadb_sens_len = PFKEY_UNIT64(len);
- m_sens.sadb_sens_exttype = SADB_EXT_SENSITIVITY;
- m_sens.sadb_sens_dpd = 1;
- m_sens.sadb_sens_sens_level = 2;
- m_sens.sadb_sens_sens_len = PFKEY_ALIGN8(slen);
- m_sens.sadb_sens_integ_level = 3;
- m_sens.sadb_sens_integ_len = PFKEY_ALIGN8(ilen);
- m_sens.sadb_sens_reserved = 0;
-
- key_setsadbextbuf(m_buf, m_len,
- (caddr_t)&m_sens, sizeof(struct sadb_sens),
- buf, slen + ilen);
- m_len += len;
-
- return;
-}
-
-void
-key_setsadbprop()
-{
- struct sadb_prop m_prop;
- struct sadb_comb *m_comb;
- u_char buf[256];
- u_int len = sizeof(m_prop) + sizeof(m_comb) * 2;
-
- /* make prop & comb */
- m_prop.sadb_prop_len = PFKEY_UNIT64(len);
- m_prop.sadb_prop_exttype = SADB_EXT_PROPOSAL;
- m_prop.sadb_prop_replay = 0;
- m_prop.sadb_prop_reserved[0] = 0;
- m_prop.sadb_prop_reserved[1] = 0;
- m_prop.sadb_prop_reserved[2] = 0;
-
- /* the 1st is ESP DES-CBC HMAC-MD5 */
- m_comb = (struct sadb_comb *)buf;
- m_comb->sadb_comb_auth = SADB_AALG_MD5HMAC;
- m_comb->sadb_comb_encrypt = SADB_EALG_DESCBC;
- m_comb->sadb_comb_flags = 0;
- m_comb->sadb_comb_auth_minbits = 8;
- m_comb->sadb_comb_auth_maxbits = 96;
- m_comb->sadb_comb_encrypt_minbits = 64;
- m_comb->sadb_comb_encrypt_maxbits = 64;
- m_comb->sadb_comb_reserved = 0;
- m_comb->sadb_comb_soft_allocations = 0;
- m_comb->sadb_comb_hard_allocations = 0;
- m_comb->sadb_comb_soft_bytes = 0;
- m_comb->sadb_comb_hard_bytes = 0;
- m_comb->sadb_comb_soft_addtime = 0;
- m_comb->sadb_comb_hard_addtime = 0;
- m_comb->sadb_comb_soft_usetime = 0;
- m_comb->sadb_comb_hard_usetime = 0;
-
- /* the 2st is ESP 3DES-CBC and AH HMAC-SHA1 */
- m_comb = (struct sadb_comb *)(buf + sizeof(*m_comb));
- m_comb->sadb_comb_auth = SADB_AALG_SHA1HMAC;
- m_comb->sadb_comb_encrypt = SADB_EALG_3DESCBC;
- m_comb->sadb_comb_flags = 0;
- m_comb->sadb_comb_auth_minbits = 8;
- m_comb->sadb_comb_auth_maxbits = 96;
- m_comb->sadb_comb_encrypt_minbits = 64;
- m_comb->sadb_comb_encrypt_maxbits = 64;
- m_comb->sadb_comb_reserved = 0;
- m_comb->sadb_comb_soft_allocations = 0;
- m_comb->sadb_comb_hard_allocations = 0;
- m_comb->sadb_comb_soft_bytes = 0;
- m_comb->sadb_comb_hard_bytes = 0;
- m_comb->sadb_comb_soft_addtime = 0;
- m_comb->sadb_comb_hard_addtime = 0;
- m_comb->sadb_comb_soft_usetime = 0;
- m_comb->sadb_comb_hard_usetime = 0;
-
- key_setsadbextbuf(m_buf, m_len,
- (caddr_t)&m_prop, sizeof(struct sadb_prop),
- buf, sizeof(*m_comb) * 2);
- m_len += len;
-
- return;
-}
-
-void
-key_setsadbid(ext, str)
- u_int ext;
- caddr_t str;
-{
- struct sadb_ident m_id;
- u_int idlen = strlen(str), len;
-
- len = sizeof(m_id) + PFKEY_ALIGN8(idlen);
- m_id.sadb_ident_len = PFKEY_UNIT64(len);
- m_id.sadb_ident_exttype = ext;
- m_id.sadb_ident_type = SADB_IDENTTYPE_USERFQDN;
- m_id.sadb_ident_reserved = 0;
- m_id.sadb_ident_id = getpid();
-
- key_setsadbextbuf(m_buf, m_len,
- (caddr_t)&m_id, sizeof(struct sadb_ident),
- str, idlen);
- m_len += len;
-
- return;
-}
-
-void
-key_setsadblft(ext, time)
- u_int ext, time;
-{
- struct sadb_lifetime m_lft;
-
- m_lft.sadb_lifetime_len = PFKEY_UNIT64(sizeof(m_lft));
- m_lft.sadb_lifetime_exttype = ext;
- m_lft.sadb_lifetime_allocations = 0x2;
- m_lft.sadb_lifetime_bytes = 0x1000;
- m_lft.sadb_lifetime_addtime = time;
- m_lft.sadb_lifetime_usetime = 0x0020;
-
- memcpy(m_buf + m_len, &m_lft, sizeof(struct sadb_lifetime));
- m_len += sizeof(struct sadb_lifetime);
-
- return;
-}
-
-void
-key_setspirange()
-{
- struct sadb_spirange m_spi;
-
- m_spi.sadb_spirange_len = PFKEY_UNIT64(sizeof(m_spi));
- m_spi.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
- m_spi.sadb_spirange_min = 0x00001000;
- m_spi.sadb_spirange_max = 0x00002000;
- m_spi.sadb_spirange_reserved = 0;
-
- memcpy(m_buf + m_len, &m_spi, sizeof(struct sadb_spirange));
- m_len += sizeof(struct sadb_spirange);
-
- return;
-}
-
-void
-key_setsadbkey(ext, str)
- u_int ext;
- caddr_t str;
-{
- struct sadb_key m_key;
- u_int keylen = strlen(str);
- u_int len;
-
- len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
- m_key.sadb_key_len = PFKEY_UNIT64(len);
- m_key.sadb_key_exttype = ext;
- m_key.sadb_key_bits = keylen * 8;
- m_key.sadb_key_reserved = 0;
-
- key_setsadbextbuf(m_buf, m_len,
- (caddr_t)&m_key, sizeof(struct sadb_key),
- str, keylen);
- m_len += len;
-
- return;
-}
-
-void
-key_setsadbsa()
-{
- struct sadb_sa m_sa;
-
- m_sa.sadb_sa_len = PFKEY_UNIT64(sizeof(struct sadb_sa));
- m_sa.sadb_sa_exttype = SADB_EXT_SA;
- m_sa.sadb_sa_spi = htonl(0x12345678);
- m_sa.sadb_sa_replay = 4;
- m_sa.sadb_sa_state = 0;
- m_sa.sadb_sa_auth = SADB_AALG_MD5HMAC;
- m_sa.sadb_sa_encrypt = SADB_EALG_DESCBC;
- m_sa.sadb_sa_flags = 0;
-
- memcpy(m_buf + m_len, &m_sa, sizeof(struct sadb_sa));
- m_len += sizeof(struct sadb_sa);
-
- return;
-}
-
-void
-key_setsadbaddr(ext, af, str)
- u_int ext, af;
- caddr_t str;
-{
- struct sadb_address m_addr;
- u_int len;
- struct addrinfo hints, *res;
- const char *serv;
- int plen;
-
- switch (af) {
- case AF_INET:
- plen = sizeof(struct in_addr) << 3;
- break;
- case AF_INET6:
- plen = sizeof(struct in6_addr) << 3;
- break;
- default:
- /* XXX bark */
- exit(1);
- }
-
- /* make sockaddr buffer */
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = af;
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_flags = AI_NUMERICHOST;
- serv = (ext == SADB_EXT_ADDRESS_PROXY ? "0" : "4660"); /*0x1234*/
- if (getaddrinfo(str, serv, &hints, &res) != 0 || res->ai_next) {
- /* XXX bark */
- exit(1);
- }
-
- len = sizeof(struct sadb_address) + PFKEY_ALIGN8(res->ai_addrlen);
- m_addr.sadb_address_len = PFKEY_UNIT64(len);
- m_addr.sadb_address_exttype = ext;
- m_addr.sadb_address_proto =
- (ext == SADB_EXT_ADDRESS_PROXY ? 0 : IPPROTO_TCP);
- m_addr.sadb_address_prefixlen = plen;
- m_addr.sadb_address_reserved = 0;
-
- key_setsadbextbuf(m_buf, m_len,
- (caddr_t)&m_addr, sizeof(struct sadb_address),
- (caddr_t)res->ai_addr, res->ai_addrlen);
- m_len += len;
-
- freeaddrinfo(res);
-
- return;
-}
-
-void
-key_setsadbextbuf(dst, off, ebuf, elen, vbuf, vlen)
- caddr_t dst, ebuf, vbuf;
- int off, elen, vlen;
-{
- memset(dst + off, 0, elen + vlen);
- memcpy(dst + off, (caddr_t)ebuf, elen);
- memcpy(dst + off + elen, vbuf, vlen);
-
- return;
-}
-
diff --git a/usr.sbin/setkey/test-policy.c b/usr.sbin/setkey/test-policy.c
deleted file mode 100644
index 27cd478..0000000
--- a/usr.sbin/setkey/test-policy.c
+++ /dev/null
@@ -1,161 +0,0 @@
-/*
- * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD$
- */
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet6/in6.h>
-#include <netkey/keyv2.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <netinet6/ipsec.h>
-
-char *requests[] = {
-"must_error", /* must be error */
-"ipsec must_error", /* must be error */
-"ipsec esp/must_error", /* must be error */
-"discard",
-"none",
-"entrust",
-"bypass", /* may be error */
-"ipsec esp", /* must be error */
-"ipsec ah/require",
-"ipsec ah/use/",
-"ipsec esp/require ah/default/203.178.141.194",
-"ipsec ah/use/203.178.141.195 esp/use/203.178.141.194",
-"ipsec esp/elf.wide.ydc.co.jp esp/www.wide.ydc.co.jp"
-"
-ipsec esp/require ah/use esp/require/10.0.0.1
-ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
-ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
-ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
-ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
-ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
-ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
-ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
-ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1ah/use/3ffe:501:481d::1
-",
-};
-
-u_char *p_secpolicy;
-
-int test(char *buf, int family);
-char *setpolicy(char *req);
-
-main()
-{
- int i;
- char *buf;
-
- for (i = 0; i < sizeof(requests)/sizeof(requests[0]); i++) {
- printf("* requests:[%s]\n", requests[i]);
- if ((buf = setpolicy(requests[i])) == NULL)
- continue;
- printf("\tsetlen:%d\n", PFKEY_EXTLEN(buf));
-
- printf("\tPF_INET:\n");
- test(buf, PF_INET);
-
- printf("\tPF_INET6:\n");
- test(buf, PF_INET6);
- free(buf);
- }
-}
-
-int test(char *policy, int family)
-{
- int so, proto, optname;
- int len;
- char getbuf[1024];
-
- switch (family) {
- case PF_INET:
- proto = IPPROTO_IP;
- optname = IP_IPSEC_POLICY;
- break;
- case PF_INET6:
- proto = IPPROTO_IPV6;
- optname = IPV6_IPSEC_POLICY;
- break;
- }
-
- if ((so = socket(family, SOCK_DGRAM, 0)) < 0)
- perror("socket");
-
- if (setsockopt(so, proto, optname, policy, PFKEY_EXTLEN(policy)) < 0)
- perror("setsockopt");
-
- len = sizeof(getbuf);
- memset(getbuf, 0, sizeof(getbuf));
- if (getsockopt(so, proto, optname, getbuf, &len) < 0)
- perror("getsockopt");
-
- {
- char *buf = NULL;
-
- printf("\tgetlen:%d\n", len);
-
- if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL)
- ipsec_strerror();
- else
- printf("\t[%s]\n", buf);
-
- free(buf);
- }
-
- close (so);
-}
-
-char *setpolicy(char *req)
-{
- int len;
- char *buf;
-
- if ((len = ipsec_get_policylen(req)) < 0) {
- printf("ipsec_get_policylen: %s\n", ipsec_strerror());
- return NULL;
- }
-
- if ((buf = malloc(len)) == NULL) {
- perror("malloc");
- return NULL;
- }
-
- if ((len = ipsec_set_policy(buf, len, req)) < 0) {
- printf("ipsec_set_policy: %s\n", ipsec_strerror());
- free(buf);
- return NULL;
- }
-
- return buf;
-}
diff --git a/usr.sbin/setkey/token.l b/usr.sbin/setkey/token.l
deleted file mode 100644
index 74c1e17..0000000
--- a/usr.sbin/setkey/token.l
+++ /dev/null
@@ -1,286 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: token.l,v 1.43 2003/07/25 09:35:28 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-%{
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <net/route.h>
-#include <net/pfkeyv2.h>
-#include <netkey/keydb.h>
-#include <netkey/key_debug.h>
-#include <netinet/in.h>
-#include <netinet6/ipsec.h>
-
-#include <stdlib.h>
-#include <limits.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <netdb.h>
-
-#include "vchar.h"
-#include "y.tab.h"
-
-int lineno = 1;
-
-extern u_char m_buf[BUFSIZ];
-extern u_int m_len;
-extern int f_debug;
-
-int yylex __P((void));
-void yyfatal __P((const char *s));
-void yyerror __P((const char *s));
-extern void parse_init __P((void));
-int parse __P((FILE **));
-int yyparse __P((void));
-%}
-
-/* common section */
-nl \n
-ws [ \t]+
-digit [0-9]
-letter [0-9A-Za-z]
-hexdigit [0-9A-Fa-f]
-dot \.
-hyphen \-
-slash \/
-blcl \[
-elcl \]
-semi \;
-comment \#.*
-quotedstring \"[^"]*\"
-decstring {digit}+
-hexstring 0[xX]{hexdigit}+
-ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
-ipaddrmask {slash}{digit}{1,3}
-name {letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))*
-hostname {name}(({dot}{name})+{dot}?)?
-
-%s S_PL S_AUTHALG S_ENCALG
-
-%%
-
-add { return(ADD); }
-delete { return(DELETE); }
-deleteall { return(DELETEALL); }
-get { return(GET); }
-flush { return(FLUSH); }
-dump { return(DUMP); }
-
- /* for management SPD */
-spdadd { return(SPDADD); }
-spddelete { return(SPDDELETE); }
-spddump { return(SPDDUMP); }
-spdflush { return(SPDFLUSH); }
-tagged { return(TAGGED); }
-{hyphen}P { BEGIN S_PL; return(F_POLICY); }
-<S_PL>[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.%\-_/ \n\t]* {
- yymore();
-
- /* count up for nl */
- {
- char *p;
- for (p = yytext; *p != '\0'; p++)
- if (*p == '\n')
- lineno++;
- }
-
- yylval.val.len = strlen(yytext);
- yylval.val.buf = strdup(yytext);
- if (!yylval.val.buf)
- yyfatal("insufficient memory");
-
- return(PL_REQUESTS);
- }
-<S_PL>{semi} { BEGIN INITIAL; return(EOT); }
-
- /* address resolution flags */
-{hyphen}[n46][n46]* {
- yylval.val.len = strlen(yytext);
- yylval.val.buf = strdup(yytext);
- if (!yylval.val.buf)
- yyfatal("insufficient memory");
- return(F_AIFLAGS);
- }
-
- /* security protocols */
-ah { yylval.num = 0; return(PR_AH); }
-esp { yylval.num = 0; return(PR_ESP); }
-ah-old { yylval.num = 1; return(PR_AH); }
-esp-old { yylval.num = 1; return(PR_ESP); }
-ipcomp { yylval.num = 0; return(PR_IPCOMP); }
-tcp { yylval.num = 0; return(PR_TCP); }
-
- /* authentication alogorithm */
-{hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); }
-<S_AUTHALG>hmac-md5 { yylval.num = SADB_AALG_MD5HMAC; BEGIN INITIAL; return(ALG_AUTH); }
-<S_AUTHALG>hmac-sha1 { yylval.num = SADB_AALG_SHA1HMAC; BEGIN INITIAL; return(ALG_AUTH); }
-<S_AUTHALG>keyed-md5 { yylval.num = SADB_X_AALG_MD5; BEGIN INITIAL; return(ALG_AUTH); }
-<S_AUTHALG>keyed-sha1 { yylval.num = SADB_X_AALG_SHA; BEGIN INITIAL; return(ALG_AUTH); }
-<S_AUTHALG>hmac-sha2-256 { yylval.num = SADB_X_AALG_SHA2_256; BEGIN INITIAL; return(ALG_AUTH); }
-<S_AUTHALG>hmac-sha2-384 { yylval.num = SADB_X_AALG_SHA2_384; BEGIN INITIAL; return(ALG_AUTH); }
-<S_AUTHALG>hmac-sha2-512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
-<S_AUTHALG>hmac-ripemd160 { yylval.num = SADB_X_AALG_RIPEMD160HMAC; BEGIN INITIAL; return(ALG_AUTH); }
-<S_AUTHALG>aes-xcbc-mac { yylval.num = SADB_X_AALG_AES_XCBC_MAC; BEGIN INITIAL; return(ALG_AUTH); }
-<S_AUTHALG>tcp-md5 { yylval.num = SADB_X_AALG_TCP_MD5; BEGIN INITIAL; return(ALG_AUTH); }
-<S_AUTHALG>null { yylval.num = SADB_X_AALG_NULL; BEGIN INITIAL; return(ALG_AUTH_NOKEY); }
-
- /* encryption alogorithm */
-{hyphen}E { BEGIN S_ENCALG; return(F_ENC); }
-<S_ENCALG>des-cbc { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC); }
-<S_ENCALG>3des-cbc { yylval.num = SADB_EALG_3DESCBC; BEGIN INITIAL; return(ALG_ENC); }
-<S_ENCALG>null { yylval.num = SADB_EALG_NULL; BEGIN INITIAL; return(ALG_ENC_NOKEY); }
-<S_ENCALG>simple { yylval.num = SADB_EALG_NULL; BEGIN INITIAL; return(ALG_ENC_OLD); }
-<S_ENCALG>blowfish-cbc { yylval.num = SADB_X_EALG_BLOWFISHCBC; BEGIN INITIAL; return(ALG_ENC); }
-<S_ENCALG>cast128-cbc { yylval.num = SADB_X_EALG_CAST128CBC; BEGIN INITIAL; return(ALG_ENC); }
-<S_ENCALG>des-deriv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DESDERIV); }
-<S_ENCALG>des-32iv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DES32IV); }
-<S_ENCALG>rijndael-cbc { yylval.num = SADB_X_EALG_RIJNDAELCBC; BEGIN INITIAL; return(ALG_ENC); }
-<S_ENCALG>aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC); }
-
- /* compression algorithms */
-{hyphen}C { return(F_COMP); }
-oui { yylval.num = SADB_X_CALG_OUI; return(ALG_COMP); }
-deflate { yylval.num = SADB_X_CALG_DEFLATE; return(ALG_COMP); }
-lzs { yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
-{hyphen}R { return(F_RAWCPI); }
-
- /* extension */
-{hyphen}m { return(F_MODE); }
-transport { yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
-tunnel { yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
-{hyphen}u { return(F_REQID); }
-{hyphen}f { return(F_EXT); }
-random-pad { yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
-seq-pad { yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
-zero-pad { yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
-nocyclic-seq { return(NOCYCLICSEQ); }
-{hyphen}r { return(F_REPLAY); }
-{hyphen}lh { return(F_LIFETIME_HARD); }
-{hyphen}ls { return(F_LIFETIME_SOFT); }
-
- /* ... */
-any { return(ANY); }
-{ws} { }
-{nl} { lineno++; }
-{comment}
-{semi} { return(EOT); }
-
- /* for address parameters: /prefix, [port] */
-{slash} { return SLASH; }
-{blcl} { return BLCL; }
-{elcl} { return ELCL; }
-
- /* parameter */
-{decstring} {
- char *bp;
-
- yylval.ulnum = strtoul(yytext, &bp, 10);
- return(DECSTRING);
- }
-
-{hexstring} {
- yylval.val.buf = strdup(yytext + 2);
- if (!yylval.val.buf)
- yyfatal("insufficient memory");
- yylval.val.len = strlen(yylval.val.buf);
-
- return(HEXSTRING);
- }
-
-{quotedstring} {
- char *p = yytext;
- while (*++p != '"') ;
- *p = '\0';
- yytext++;
- yylval.val.len = yyleng - 2;
- yylval.val.buf = strdup(yytext);
- if (!yylval.val.buf)
- yyfatal("insufficient memory");
-
- return(QUOTEDSTRING);
- }
-
-[A-Za-z0-9:][A-Za-z0-9:%\.-]* {
- yylval.val.len = yyleng;
- yylval.val.buf = strdup(yytext);
- if (!yylval.val.buf)
- yyfatal("insufficient memory");
- return(STRING);
- }
-
-[0-9,]+ {
- yylval.val.len = yyleng;
- yylval.val.buf = strdup(yytext);
- if (!yylval.val.buf)
- yyfatal("insufficient memory");
- return(STRING);
- }
-
-. {
- yyfatal("Syntax error");
- /*NOTREACHED*/
- }
-
-%%
-
-void
-yyfatal(s)
- const char *s;
-{
- yyerror(s);
- exit(1);
-}
-
-void
-yyerror(s)
- const char *s;
-{
- printf("line %d: %s at [%s]\n", lineno, s, yytext);
-}
-
-int
-parse(fp)
- FILE **fp;
-{
- yyin = *fp;
-
- parse_init();
-
- if (yyparse()) {
- printf("parse failed, line %d.\n", lineno);
- return(-1);
- }
-
- return(0);
-}
diff --git a/usr.sbin/setkey/vchar.h b/usr.sbin/setkey/vchar.h
deleted file mode 100644
index f3251c7..0000000
--- a/usr.sbin/setkey/vchar.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: vchar.h,v 1.2 2000/06/07 00:29:14 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-typedef struct {
- u_int len;
- caddr_t buf;
-} vchar_t;