diff options
| author | itojun <itojun@FreeBSD.org> | 2000-07-04 16:22:05 +0000 |
|---|---|---|
| committer | itojun <itojun@FreeBSD.org> | 2000-07-04 16:22:05 +0000 |
| commit | 0bbd943f404b5100a81abdec2bd8519971e0c58e (patch) | |
| tree | b98b84ed27cb35ed58163ab9530a39ecc47f3254 /lib/libipsec | |
| parent | 993cb1d94fc91849b548394143e230fa61400d5b (diff) | |
| download | FreeBSD-src-0bbd943f404b5100a81abdec2bd8519971e0c58e.zip FreeBSD-src-0bbd943f404b5100a81abdec2bd8519971e0c58e.tar.gz | |
synchronize with latest kame tree.
behavior change: policy syntax was changed. you may need to update your
setkey(8) configuration files.
Diffstat (limited to 'lib/libipsec')
| -rw-r--r-- | lib/libipsec/Makefile | 8 | ||||
| -rw-r--r-- | lib/libipsec/ipsec_dump_policy.c | 270 | ||||
| -rw-r--r-- | lib/libipsec/ipsec_get_policylen.c | 7 | ||||
| -rw-r--r-- | lib/libipsec/ipsec_set_policy.3 | 35 | ||||
| -rw-r--r-- | lib/libipsec/ipsec_strerror.3 | 38 | ||||
| -rw-r--r-- | lib/libipsec/ipsec_strerror.c | 17 | ||||
| -rw-r--r-- | lib/libipsec/ipsec_strerror.h | 65 | ||||
| -rw-r--r-- | lib/libipsec/libpfkey.h | 77 | ||||
| -rw-r--r-- | lib/libipsec/pfkey.c | 630 | ||||
| -rw-r--r-- | lib/libipsec/pfkey_dump.c | 185 | ||||
| -rw-r--r-- | lib/libipsec/policy_parse.y | 112 | ||||
| -rw-r--r-- | lib/libipsec/policy_token.l | 27 | ||||
| -rw-r--r-- | lib/libipsec/test-policy.c | 276 |
13 files changed, 1149 insertions, 598 deletions
diff --git a/lib/libipsec/Makefile b/lib/libipsec/Makefile index bac3dd2..52510f7 100644 --- a/lib/libipsec/Makefile +++ b/lib/libipsec/Makefile @@ -27,7 +27,7 @@ # $FreeBSD$ LIB= ipsec -SHLIB_MAJOR= 0 +SHLIB_MAJOR= 1 SHLIB_MINOR= 0 CFLAGS+=-I${.OBJDIR} CFLAGS+=-DIPSEC_DEBUG -DIPSEC @@ -35,11 +35,11 @@ CFLAGS+=-DIPSEC_DEBUG -DIPSEC CFLAGS+=-DINET6 .endif -.PATH: ${.CURDIR}/../../sys/netkey -SRCS= pfkey.c pfkey_dump.c +#.PATH: ${.CURDIR}/../../sys/netkey +#SRCS= pfkey.c pfkey_dump.c SRCS+= ipsec_strerror.c policy_parse.y policy_token.l SRCS+= ipsec_dump_policy.c ipsec_get_policylen.c -SRCS+= key_debug.c +#SRCS+= key_debug.c CLEANFILES+= y.tab.c y.tab.h YFLAGS+=-d -p __libipsecyy LFLAGS+=-P__libipsecyy diff --git a/lib/libipsec/ipsec_dump_policy.c b/lib/libipsec/ipsec_dump_policy.c index a9ef2f5..35b8586 100644 --- a/lib/libipsec/ipsec_dump_policy.c +++ b/lib/libipsec/ipsec_dump_policy.c @@ -1,3 +1,6 @@ +/* $FreeBSD$ */ +/* $KAME: ipsec_dump_policy.c,v 1.11 2000/05/07 05:29:47 itojun Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. @@ -25,8 +28,6 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ #include <sys/types.h> @@ -39,6 +40,7 @@ #include <arpa/inet.h> +#include <stdio.h> #include <stdlib.h> #include <string.h> #include <netdb.h> @@ -53,7 +55,11 @@ static const char *ipsp_policy_strs[] = { "discard", "none", "ipsec", "entrust", "bypass", }; -static int set_addresses __P((char *buf, caddr_t ptr)); +static char *ipsec_dump_ipsecrequest __P((char *, size_t, + struct sadb_x_ipsecrequest *, size_t)); +static int set_addresses __P((char *, size_t, struct sockaddr *, + struct sockaddr *)); +static char *set_address __P((char *, size_t, struct sockaddr *)); /* * policy is sadb_x_policy buffer. @@ -67,15 +73,16 @@ ipsec_dump_policy(policy, delimiter) { struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy; struct sadb_x_ipsecrequest *xisr; - int xtlen, buflen; + size_t off, buflen; char *buf; - int error; + char isrbuf[1024]; + char *newbuf; /* sanity check */ if (policy == NULL) return NULL; if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) { - ipsec_errcode = EIPSEC_INVAL_EXTTYPE; + __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; return NULL; } @@ -89,7 +96,7 @@ ipsec_dump_policy(policy, delimiter) case IPSEC_DIR_OUTBOUND: break; default: - ipsec_errcode = EIPSEC_INVAL_DIR; + __ipsec_errcode = EIPSEC_INVAL_DIR; return NULL; } @@ -101,7 +108,7 @@ ipsec_dump_policy(policy, delimiter) case IPSEC_POLICY_ENTRUST: break; default: - ipsec_errcode = EIPSEC_INVAL_POLICY; + __ipsec_errcode = EIPSEC_INVAL_POLICY; return NULL; } @@ -111,143 +118,190 @@ ipsec_dump_policy(policy, delimiter) + 1; /* NUL */ if ((buf = malloc(buflen)) == NULL) { - ipsec_errcode = EIPSEC_NO_BUFS; + __ipsec_errcode = EIPSEC_NO_BUFS; return NULL; } - strcpy(buf, ipsp_dir_strs[xpl->sadb_x_policy_dir]); - strcat(buf, " "); - strcat(buf, ipsp_policy_strs[xpl->sadb_x_policy_type]); + snprintf(buf, buflen, "%s %s", ipsp_dir_strs[xpl->sadb_x_policy_dir], + ipsp_policy_strs[xpl->sadb_x_policy_type]); if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return buf; } - xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl); - xisr = (struct sadb_x_ipsecrequest *)(xpl + 1); - /* count length of buffer for use */ - /* XXX non-seriously */ - while (xtlen > 0) { - buflen += 20; - if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL) - buflen += 50; - xtlen -= xisr->sadb_x_ipsecrequest_len; - xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr - + xisr->sadb_x_ipsecrequest_len); + off = sizeof(*xpl); + while (off < PFKEY_EXTLEN(xpl)) { + xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off); + off += xisr->sadb_x_ipsecrequest_len; } /* validity check */ - if (xtlen < 0) { - ipsec_errcode = EIPSEC_INVAL_SADBMSG; + if (off != PFKEY_EXTLEN(xpl)) { + __ipsec_errcode = EIPSEC_INVAL_SADBMSG; free(buf); return NULL; } - if ((buf = realloc(buf, buflen)) == NULL) { - ipsec_errcode = EIPSEC_NO_BUFS; - return NULL; - } + off = sizeof(*xpl); + while (off < PFKEY_EXTLEN(xpl)) { + xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off); - xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl); - xisr = (struct sadb_x_ipsecrequest *)(xpl + 1); - - while (xtlen > 0) { - strcat(buf, delimiter); - - switch (xisr->sadb_x_ipsecrequest_proto) { - case IPPROTO_ESP: - strcat(buf, "esp"); - break; - case IPPROTO_AH: - strcat(buf, "ah"); - break; - case IPPROTO_IPCOMP: - strcat(buf, "ipcomp"); - break; - default: - ipsec_errcode = EIPSEC_INVAL_PROTO; + if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr, + PFKEY_EXTLEN(xpl) - off) == NULL) { free(buf); return NULL; } - strcat(buf, "/"); - - switch (xisr->sadb_x_ipsecrequest_mode) { - case IPSEC_MODE_ANY: - strcat(buf, "any"); - break; - case IPSEC_MODE_TRANSPORT: - strcat(buf, "transport"); - break; - case IPSEC_MODE_TUNNEL: - strcat(buf, "tunnel"); - break; - default: - ipsec_errcode = EIPSEC_INVAL_MODE; + buflen = strlen(buf) + strlen(delimiter) + strlen(isrbuf) + 1; + newbuf = (char *)realloc(buf, buflen); + if (newbuf == NULL) { + __ipsec_errcode = EIPSEC_NO_BUFS; free(buf); return NULL; } + buf = newbuf; + snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf); - strcat(buf, "/"); + off += xisr->sadb_x_ipsecrequest_len; + } - if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { - error = set_addresses(buf, (caddr_t)(xisr + 1)); - if (error) { - ipsec_errcode = EIPSEC_INVAL_MODE; - free(buf); - return NULL; - } - } + __ipsec_errcode = EIPSEC_NO_ERROR; + return buf; +} - switch (xisr->sadb_x_ipsecrequest_level) { - case IPSEC_LEVEL_DEFAULT: - strcat(buf, "/default"); - break; - case IPSEC_LEVEL_USE: - strcat(buf, "/use"); - break; - case IPSEC_LEVEL_REQUIRE: - strcat(buf, "/require"); - break; - case IPSEC_LEVEL_UNIQUE: - strcat(buf, "/unique"); - break; - default: - ipsec_errcode = EIPSEC_INVAL_LEVEL; - free(buf); +static char * +ipsec_dump_ipsecrequest(buf, len, xisr, bound) + char *buf; + size_t len; + struct sadb_x_ipsecrequest *xisr; + size_t bound; /* boundary */ +{ + const char *proto, *mode, *level; + char abuf[NI_MAXHOST * 2 + 2]; + + if (xisr->sadb_x_ipsecrequest_len > bound) { + __ipsec_errcode = EIPSEC_INVAL_PROTO; + return NULL; + } + + switch (xisr->sadb_x_ipsecrequest_proto) { + case IPPROTO_ESP: + proto = "esp"; + break; + case IPPROTO_AH: + proto = "ah"; + break; + case IPPROTO_IPCOMP: + proto = "ipcomp"; + break; + default: + __ipsec_errcode = EIPSEC_INVAL_PROTO; + return NULL; + } + + switch (xisr->sadb_x_ipsecrequest_mode) { + case IPSEC_MODE_ANY: + mode = "any"; + break; + case IPSEC_MODE_TRANSPORT: + mode = "transport"; + break; + case IPSEC_MODE_TUNNEL: + mode = "tunnel"; + break; + default: + __ipsec_errcode = EIPSEC_INVAL_MODE; + return NULL; + } + + abuf[0] = '\0'; + if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { + struct sockaddr *sa1, *sa2; + caddr_t p; + + p = (caddr_t)(xisr + 1); + sa1 = (struct sockaddr *)p; + sa2 = (struct sockaddr *)(p + sa1->sa_len); + if (sizeof(*xisr) + sa1->sa_len + sa2->sa_len != + xisr->sadb_x_ipsecrequest_len) { + __ipsec_errcode = EIPSEC_INVAL_ADDRESS; return NULL; } + if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) { + __ipsec_errcode = EIPSEC_INVAL_ADDRESS; + return NULL; + } + } - xtlen -= xisr->sadb_x_ipsecrequest_len; - xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr - + xisr->sadb_x_ipsecrequest_len); + switch (xisr->sadb_x_ipsecrequest_level) { + case IPSEC_LEVEL_DEFAULT: + level = "default"; + break; + case IPSEC_LEVEL_USE: + level = "use"; + break; + case IPSEC_LEVEL_REQUIRE: + level = "require"; + break; + case IPSEC_LEVEL_UNIQUE: + level = "unique"; + break; + default: + __ipsec_errcode = EIPSEC_INVAL_LEVEL; + return NULL; + } + + if (xisr->sadb_x_ipsecrequest_reqid == 0) + snprintf(buf, len, "%s/%s/%s/%s", proto, mode, abuf, level); + else { + int ch; + + if (xisr->sadb_x_ipsecrequest_reqid > IPSEC_MANUAL_REQID_MAX) + ch = '#'; + else + ch = ':'; + snprintf(buf, len, "%s/%s/%s/%s%c%d", proto, mode, abuf, level, + ch, xisr->sadb_x_ipsecrequest_reqid); } - ipsec_errcode = EIPSEC_NO_ERROR; return buf; } static int -set_addresses(buf, ptr) +set_addresses(buf, len, sa1, sa2) char *buf; - caddr_t ptr; + size_t len; + struct sockaddr *sa1; + struct sockaddr *sa2; { - char tmp[100]; /* XXX */ - struct sockaddr *saddr = (struct sockaddr *)ptr; - - getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp), - NULL, 0, NI_NUMERICHOST); - - strcat(buf, tmp); - - strcat(buf, "-"); - - saddr = (struct sockaddr *)((caddr_t)saddr + saddr->sa_len); - getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp), - NULL, 0, NI_NUMERICHOST); + char tmp1[NI_MAXHOST], tmp2[NI_MAXHOST]; + + if (set_address(tmp1, sizeof(tmp1), sa1) == NULL || + set_address(tmp2, sizeof(tmp2), sa2) == NULL) + return -1; + if (strlen(tmp1) + 1 + strlen(tmp2) + 1 > len) + return -1; + snprintf(buf, len, "%s-%s", tmp1, tmp2); + return 0; +} - strcat(buf, tmp); +static char * +set_address(buf, len, sa) + char *buf; + size_t len; + struct sockaddr *sa; +{ +#ifdef NI_WITHSCOPEID + const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID; +#else + const int niflags = NI_NUMERICHOST; +#endif - return 0; + if (len < 1) + return NULL; + buf[0] = '\0'; + if (getnameinfo(sa, sa->sa_len, buf, len, NULL, 0, niflags) != 0) + return NULL; + return buf; } diff --git a/lib/libipsec/ipsec_get_policylen.c b/lib/libipsec/ipsec_get_policylen.c index a8a3e5d..9986de0 100644 --- a/lib/libipsec/ipsec_get_policylen.c +++ b/lib/libipsec/ipsec_get_policylen.c @@ -1,3 +1,6 @@ +/* $FreeBSD$ */ +/* $KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. @@ -25,13 +28,13 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ #include <sys/types.h> #include <sys/param.h> +#include <netinet6/ipsec.h> + #include <net/pfkeyv2.h> #include "ipsec_strerror.h" diff --git a/lib/libipsec/ipsec_set_policy.3 b/lib/libipsec/ipsec_set_policy.3 index e8a61eb..d5d0503 100644 --- a/lib/libipsec/ipsec_set_policy.3 +++ b/lib/libipsec/ipsec_set_policy.3 @@ -1,4 +1,7 @@ .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. +.\" $FreeBSD$ +.\" $KAME: ipsec_set_policy.3,v 1.10 2000/05/07 05:25:03 itojun Exp $ +.\" .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -25,9 +28,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: ipsec_set_policy.3,v 1.5 1999/10/20 00:21:06 sakane Exp $ -.\" $FreeBSD$ -.\" .Dd May 5, 1998 .Dt IPSEC_SET_POLICY 3 .Os @@ -36,10 +36,10 @@ .Nm ipsec_get_policylen , .Nm ipsec_dump_policy .Nd manipulate IPsec policy specification structure from readable string +.\" .Sh LIBRARY .Lb libipsec .Sh SYNOPSIS -.Fd #include <sys/types.h> .Fd #include <netinet6/ipsec.h> .Ft "char *" .Fn ipsec_set_policy "char *policy" "int len" @@ -167,9 +167,9 @@ is the other node .Pp .Ar level must be set to one of the following: -.Li default , use +.Li default , use , require or -.Li require . +.Li unique . .Li default means that the kernel should consult the system default policy defined by @@ -189,6 +189,19 @@ or encrypted .Li require means that a relevant SA is required, since the kernel must perform IPsec operation against packets. +.Li unique +is the same as +.Li require , +but adds the restriction that the SA for outbound traffic is used +only for this policy. +You may need the identifier in order to relate the policy and the SA +when you define the SA by manual keying. +You can put the decimal number as the identifier after +.Li unique +like +.Li unique : number . +.Li number +must be between 1 and 32767 . If the .Ar request string is kept unambiguous, @@ -219,8 +232,8 @@ Here are several examples in discard out ipsec esp/transport/10.1.1.1-10.1.1.2/require in ipsec ah/transport/10.1.1.2-10.1.1.1/require -in ipsec esp/transport/10.1.1.2-10.1.1.1/use - ah/tunnel/10.1.1.2-10.1.1.1/require +out ipsec esp/transport/10.1.1.2-10.1.1.1/use + ah/tunnel/10.1.1.2-10.1.1.1/unique:1000 in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use esp/transport/10.1.1.2-10.1.1.1/use .Ed @@ -238,11 +251,7 @@ and on errors. .Sh SEE ALSO .Xr ipsec_strerror 3 , -.Xr ipsec 4 , +.Xr ispec 4 , .Xr setkey 8 .Sh HISTORY The functions first appeared in WIDE/KAME IPv6 protocol stack kit. -.Pp -IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack -was initially integrated into -.Fx 4.0 diff --git a/lib/libipsec/ipsec_strerror.3 b/lib/libipsec/ipsec_strerror.3 index d1f3c58..d0d3977 100644 --- a/lib/libipsec/ipsec_strerror.3 +++ b/lib/libipsec/ipsec_strerror.3 @@ -1,4 +1,7 @@ .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. +.\" $FreeBSD$ +.\" $KAME: ipsec_strerror.3,v 1.6 2000/05/07 05:25:03 itojun Exp $ +.\" .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -25,22 +28,19 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: ipsec_strerror.3,v 1.2 1999/09/21 03:49:19 itojun Exp $ -.\" $FreeBSD$ -.\" .Dd May 6, 1998 .Dt IPSEC_STRERROR 3 .Os +.\" .Sh NAME .Nm ipsec_strerror .Nd error code for IPsec policy manipulation library -.Sh LIBRARY -.Lb libipsec +.\" .Sh SYNOPSIS -.Fd #include <sys/types.h> .Fd #include <netinet6/ipsec.h> .Ft "char *" -.Fn ipsec_strerror void +.Fn ipsec_strerror +.\" .Sh DESCRIPTION .Pa netinet6/ipsec.h declares @@ -51,16 +51,30 @@ which is used to pass error code from IPsec policy manipulation library to user program. .Fn ipsec_strerror can be used to obtain error message string for the error code. +.Pp +The array pointed to is not to be modified by the program. +Since +.Fn ipsec_strerror +uses +.Xr strerror 3 +as underlying function, calling +.Xr strerror 3 +after +.Fn ipsec_strerror +would make the return value from +.Fn ipsec_strerror +invalid, or overwritten. +.\" .Sh RETURN VALUES .Fn ipsec_strerror always return a pointer to C string. The C string must not be overwritten by user programs. .\" -.\" .Sh SEE ALSO +.Sh SEE ALSO +.Xr ipsec_set_policy 3 .\" .Sh HISTORY The functions first appeared in WIDE/KAME IPv6 protocol stack kit. -.Pp -IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack -was initially integrated into -.Fx 4.0 +.\" +.\" .Sh BUGS +.\" (to be written) diff --git a/lib/libipsec/ipsec_strerror.c b/lib/libipsec/ipsec_strerror.c index 601b1d7..1cf4e4c 100644 --- a/lib/libipsec/ipsec_strerror.c +++ b/lib/libipsec/ipsec_strerror.c @@ -1,3 +1,6 @@ +/* $FreeBSD$ */ +/* $KAME: ipsec_strerror.c,v 1.6 2000/05/07 05:25:03 itojun Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. @@ -25,8 +28,6 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ #include <sys/types.h> @@ -37,7 +38,7 @@ #include "ipsec_strerror.h" -int ipsec_errcode; +int __ipsec_errcode; static char *ipsec_errlist[] = { "Success", /*EIPSEC_NO_ERROR*/ @@ -72,15 +73,15 @@ NULL, /*EIPSEC_SYSTEM_ERROR*/ char *ipsec_strerror(void) { - if (ipsec_errcode < 0 || ipsec_errcode > EIPSEC_MAX) - ipsec_errcode = EIPSEC_MAX; + if (__ipsec_errcode < 0 || __ipsec_errcode > EIPSEC_MAX) + __ipsec_errcode = EIPSEC_MAX; - return ipsec_errlist[ipsec_errcode]; + return ipsec_errlist[__ipsec_errcode]; } -void ipsec_set_strerror(char *str) +void __ipsec_set_strerror(char *str) { - ipsec_errcode = EIPSEC_SYSTEM_ERROR; + __ipsec_errcode = EIPSEC_SYSTEM_ERROR; ipsec_errlist[EIPSEC_SYSTEM_ERROR] = str; return; diff --git a/lib/libipsec/ipsec_strerror.h b/lib/libipsec/ipsec_strerror.h index 752ba75..02448cd 100644 --- a/lib/libipsec/ipsec_strerror.h +++ b/lib/libipsec/ipsec_strerror.h @@ -1,3 +1,6 @@ +/* $FreeBSD$ */ +/* $KAME: ipsec_strerror.h,v 1.7 2000/05/07 05:25:03 itojun Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. @@ -25,38 +28,36 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ -extern int ipsec_errcode; -extern void ipsec_set_strerror(char *str); +extern int __ipsec_errcode; +extern void __ipsec_set_strerror __P((char *)); -#define EIPSEC_NO_ERROR 0 /*success*/ -#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/ -#define EIPSEC_INVAL_ARGUMENT 2 /*invalid argument*/ -#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/ -#define EIPSEC_INVAL_VERSION 4 /*invalid version*/ -#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/ -#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/ -#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/ -#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/ -#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/ -#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/ -#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/ -#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/ -#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/ -#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/ -#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/ -#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/ -#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/ -#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/ -#define EIPSEC_NO_PROTO 19 /*no protocol specified*/ -#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/ -#define EIPSEC_NO_BUFS 21 /*no buffers available*/ -#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/ -#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/ -#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/ -#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/ -#define EIPSEC_SYSTEM_ERROR 26 /*system error*/ -#define EIPSEC_MAX 27 /*unknown error*/ +#define EIPSEC_NO_ERROR 0 /*success*/ +#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/ +#define EIPSEC_INVAL_ARGUMENT 2 /*invalid argument*/ +#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/ +#define EIPSEC_INVAL_VERSION 4 /*invalid version*/ +#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/ +#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/ +#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/ +#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/ +#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/ +#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/ +#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/ +#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/ +#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/ +#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/ +#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/ +#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/ +#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/ +#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/ +#define EIPSEC_NO_PROTO 19 /*no protocol specified*/ +#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/ +#define EIPSEC_NO_BUFS 21 /*no buffers available*/ +#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/ +#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/ +#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/ +#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/ +#define EIPSEC_SYSTEM_ERROR 26 /*system error*/ +#define EIPSEC_MAX 27 /*unknown error*/ diff --git a/lib/libipsec/libpfkey.h b/lib/libipsec/libpfkey.h new file mode 100644 index 0000000..ad87700 --- /dev/null +++ b/lib/libipsec/libpfkey.h @@ -0,0 +1,77 @@ +/* $FreeBSD$ */ +/* $KAME: libpfkey.h,v 1.1 2000/06/08 21:28:32 itojun Exp $ */ + +/* + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +extern void pfkey_sadump __P((struct sadb_msg *)); +extern void pfkey_spdump __P((struct sadb_msg *)); + +struct sockaddr; +int ipsec_check_keylen __P((u_int, u_int, u_int)); +u_int pfkey_set_softrate __P((u_int, u_int)); +u_int pfkey_get_softrate __P((u_int)); +int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *, + struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t)); +int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *, + struct sockaddr *, u_int32_t, u_int32_t, u_int, + caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t, + u_int64_t, u_int64_t, u_int32_t)); +int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *, + struct sockaddr *, u_int32_t, u_int32_t, u_int, + caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t, + u_int64_t, u_int64_t, u_int32_t)); +int pfkey_send_delete __P((int, u_int, u_int, + struct sockaddr *, struct sockaddr *, u_int32_t)); +int pfkey_send_get __P((int, u_int, u_int, + struct sockaddr *, struct sockaddr *, u_int32_t)); +int pfkey_send_register __P((int, u_int)); +int pfkey_recv_register __P((int)); +int pfkey_send_flush __P((int, u_int)); +int pfkey_send_dump __P((int, u_int)); +int pfkey_send_promisc_toggle __P((int, int)); +int pfkey_send_spdadd __P((int, struct sockaddr *, u_int, + struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t)); +int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int, + struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t)); +int pfkey_send_spddelete __P((int, struct sockaddr *, u_int, + struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t)); +int pfkey_send_spddelete2 __P((int, u_int32_t)); +int pfkey_send_spdget __P((int, u_int32_t)); +int pfkey_send_spdsetidx __P((int, struct sockaddr *, u_int, + struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t)); +int pfkey_send_spdflush __P((int)); +int pfkey_send_spddump __P((int)); + +int pfkey_open __P((void)); +void pfkey_close __P((int)); +struct sadb_msg *pfkey_recv __P((int)); +int pfkey_send __P((int, struct sadb_msg *, int)); +int pfkey_align __P((struct sadb_msg *, caddr_t *)); +int pfkey_check __P((caddr_t *)); diff --git a/lib/libipsec/pfkey.c b/lib/libipsec/pfkey.c index 318be33..11b6722 100644 --- a/lib/libipsec/pfkey.c +++ b/lib/libipsec/pfkey.c @@ -1,3 +1,6 @@ +/* $FreeBSD$ */ +/* $KAME: pfkey.c,v 1.31 2000/06/10 14:17:43 sakane Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. @@ -25,21 +28,14 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ -#ifndef lint -static char *rcsid = "@(#) pfkey.c $Revision: 1.10 $"; -#endif - #include <sys/types.h> #include <sys/param.h> #include <sys/socket.h> #include <net/pfkeyv2.h> #include <netkey/key_var.h> #include <netinet/in.h> -#include <netinet6/in6.h> #include <netinet6/ipsec.h> #include <stdlib.h> @@ -48,31 +44,31 @@ static char *rcsid = "@(#) pfkey.c $Revision: 1.10 $"; #include <errno.h> #include "ipsec_strerror.h" - -#define CALLOC(size, cast) (cast)calloc(1, (size)) - -static int pfkey_send_x1 __P((int so, u_int type, u_int satype, u_int mode, - struct sockaddr *src, struct sockaddr *dst, u_int32_t spi, u_int wsize, - caddr_t keymat, - u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen, - u_int flags, - u_int32_t l_alloc, u_int32_t l_bytes, - u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq)); -static int pfkey_send_x2 __P((int so, u_int type, u_int satype, u_int mode, - struct sockaddr *src, struct sockaddr *dst, u_int32_t spi)); -static int pfkey_send_x3 __P((int so, u_int type, u_int satype)); - -static caddr_t pfkey_setsadbmsg __P((caddr_t buf, u_int type, u_int tlen, - u_int satype, u_int mode, u_int32_t seq, pid_t pid)); -static caddr_t pfkey_setsadbsa __P((caddr_t buf, u_int32_t spi, u_int wsize, - u_int auth, u_int enc, u_int32_t flags)); -static caddr_t pfkey_setsadbaddr __P((caddr_t buf, u_int exttype, - struct sockaddr *saddr, u_int prefixlen, u_int ul_proto)); -static caddr_t pfkey_setsadbkey(caddr_t buf, u_int type, - caddr_t key, u_int keylen); -static caddr_t pfkey_setsadblifetime(caddr_t buf, u_int type, - u_int32_t l_alloc, u_int32_t l_bytes, - u_int32_t l_addtime, u_int32_t l_usetime); +#include "libpfkey.h" + +#define CALLOC(size, cast) (cast)calloc(1, (size)) + +static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr *, + struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t, + u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t, + u_int32_t, u_int32_t, u_int32_t)); +static int pfkey_send_x2 __P((int, u_int, u_int, u_int, + struct sockaddr *, struct sockaddr *, u_int32_t)); +static int pfkey_send_x3 __P((int, u_int, u_int)); +static int pfkey_send_x4 __P((int, u_int, struct sockaddr *, u_int, + struct sockaddr *, u_int, u_int, char *, int, u_int32_t)); +static int pfkey_send_x5 __P((int, u_int, u_int32_t)); + +static caddr_t pfkey_setsadbmsg __P((caddr_t, u_int, u_int, + u_int, u_int32_t, pid_t)); +static caddr_t pfkey_setsadbsa __P((caddr_t, u_int32_t, u_int, + u_int, u_int, u_int32_t)); +static caddr_t pfkey_setsadbaddr __P((caddr_t, u_int, + struct sockaddr *, u_int, u_int)); +static caddr_t pfkey_setsadbkey __P((caddr_t, u_int, caddr_t, u_int)); +static caddr_t pfkey_setsadblifetime __P((caddr_t, u_int, u_int32_t, u_int32_t, + u_int32_t, u_int32_t)); +static caddr_t pfkey_setsadbxsa2 __P((caddr_t, u_int32_t, u_int32_t)); /* * check key length against algorithm specified. @@ -98,7 +94,7 @@ ipsec_check_keylen(supported, alg_id, keylen) /* validity check */ if (ipsec_supported == NULL) { - ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST; + __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST; return -1; } switch (supported) { @@ -106,7 +102,7 @@ ipsec_check_keylen(supported, alg_id, keylen) case SADB_EXT_SUPPORTED_ENCRYPT: break; default: - ipsec_errcode = EIPSEC_INVAL_ARGUMENT; + __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; } @@ -137,18 +133,18 @@ ipsec_check_keylen(supported, alg_id, keylen) } } - ipsec_errcode = EIPSEC_NOT_SUPPORTED; + __ipsec_errcode = EIPSEC_NOT_SUPPORTED; return -1; /* NOTREACHED */ found: if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) { - ipsec_errcode = EIPSEC_INVAL_KEYLEN; + __ipsec_errcode = EIPSEC_INVAL_KEYLEN; return -1; } - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return 0; } @@ -165,7 +161,7 @@ u_int pfkey_set_softrate(type, rate) u_int type, rate; { - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; if (rate > 100 || rate == 0) rate = 100; @@ -185,7 +181,7 @@ pfkey_set_softrate(type, rate) return 0; } - ipsec_errcode = EIPSEC_INVAL_ARGUMENT; + __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return 1; } @@ -218,33 +214,46 @@ pfkey_get_softrate(type) * -1 : error occured, and set errno. */ int -pfkey_send_getspi(so, satype, mode, src, dst, min, max, seq) +pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) int so; u_int satype, mode; struct sockaddr *src, *dst; - u_int32_t min, max, seq; + u_int32_t min, max, reqid, seq; { struct sadb_msg *newmsg; int len; int need_spirange = 0; caddr_t p; + int plen; /* validity check */ if (src == NULL || dst == NULL) { - ipsec_errcode = EIPSEC_INVAL_ARGUMENT; + __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; } if (src->sa_family != dst->sa_family) { - ipsec_errcode = EIPSEC_FAMILY_MISMATCH; + __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; return -1; } if (min > max || (min > 0 && min <= 255)) { - ipsec_errcode = EIPSEC_INVAL_SPI; + __ipsec_errcode = EIPSEC_INVAL_SPI; + return -1; + } + switch (src->sa_family) { + case AF_INET: + plen = sizeof(struct in_addr) << 3; + break; + case AF_INET6: + plen = sizeof(struct in6_addr) << 3; + break; + default: + __ipsec_errcode = EIPSEC_INVAL_FAMILY; return -1; } /* create new sadb_msg to send. */ len = sizeof(struct sadb_msg) + + sizeof(struct sadb_x_sa2) + sizeof(struct sadb_address) + PFKEY_ALIGN8(src->sa_len) + sizeof(struct sadb_address) @@ -256,32 +265,28 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, seq) } if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { - ipsec_set_strerror(strerror(errno)); + __ipsec_set_strerror(strerror(errno)); return -1; } p = pfkey_setsadbmsg((caddr_t)newmsg, SADB_GETSPI, - len, satype, mode, seq, getpid()); + len, satype, seq, getpid()); + + p = pfkey_setsadbxsa2(p, mode, reqid); /* set sadb_address for source */ - p = pfkey_setsadbaddr(p, - SADB_EXT_ADDRESS_SRC, - src, - _INALENBYAF(src->sa_family) << 3, - IPSEC_ULPROTO_ANY); + p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_SRC, src, plen, + IPSEC_ULPROTO_ANY); /* set sadb_address for destination */ - p = pfkey_setsadbaddr(p, - SADB_EXT_ADDRESS_DST, - dst, - _INALENBYAF(dst->sa_family) << 3, - IPSEC_ULPROTO_ANY); + p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_DST, dst, plen, + IPSEC_ULPROTO_ANY); /* proccessing spi range */ if (need_spirange) { int _len = sizeof(struct sadb_spirange); -#define _SADB_SPIRANGE(p) ((struct sadb_spirange *)(p)) +#define _SADB_SPIRANGE(p) ((struct sadb_spirange *)(p)) _SADB_SPIRANGE(p)->sadb_spirange_len = PFKEY_UNIT64(_len); _SADB_SPIRANGE(p)->sadb_spirange_exttype = SADB_EXT_SPIRANGE; _SADB_SPIRANGE(p)->sadb_spirange_min = min; @@ -297,7 +302,7 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, seq) if (len < 0) return -1; - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return len; } @@ -309,13 +314,13 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, seq) * -1 : error occured, and set errno. */ int -pfkey_send_update(so, satype, mode, src, dst, spi, wsize, +pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags, l_alloc, l_bytes, l_addtime, l_usetime, seq) int so; u_int satype, mode, wsize; struct sockaddr *src, *dst; - u_int32_t spi; + u_int32_t spi, reqid; caddr_t keymat; u_int e_type, e_keylen, a_type, a_keylen, flags; u_int32_t l_alloc; @@ -324,7 +329,8 @@ pfkey_send_update(so, satype, mode, src, dst, spi, wsize, { int len; if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi, - wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags, + reqid, wsize, + keymat, e_type, e_keylen, a_type, a_keylen, flags, l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0) return -1; @@ -339,13 +345,13 @@ pfkey_send_update(so, satype, mode, src, dst, spi, wsize, * -1 : error occured, and set errno. */ int -pfkey_send_add(so, satype, mode, src, dst, spi, wsize, +pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags, l_alloc, l_bytes, l_addtime, l_usetime, seq) int so; u_int satype, mode, wsize; struct sockaddr *src, *dst; - u_int32_t spi; + u_int32_t spi, reqid; caddr_t keymat; u_int e_type, e_keylen, a_type, a_keylen, flags; u_int32_t l_alloc; @@ -354,7 +360,8 @@ pfkey_send_add(so, satype, mode, src, dst, spi, wsize, { int len; if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi, - wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags, + reqid, wsize, + keymat, e_type, e_keylen, a_type, a_keylen, flags, l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0) return -1; @@ -458,7 +465,7 @@ pfkey_recv_register(so) sup->sadb_supported_len = PFKEY_EXTLEN(sup); break; default: - ipsec_errcode = EIPSEC_INVAL_SATYPE; + __ipsec_errcode = EIPSEC_INVAL_SATYPE; free(newmsg); return -1; } @@ -468,7 +475,7 @@ pfkey_recv_register(so) } if (tlen < 0) { - ipsec_errcode = EIPSEC_INVAL_SATYPE; + __ipsec_errcode = EIPSEC_INVAL_SATYPE; return -1; } @@ -477,7 +484,7 @@ pfkey_recv_register(so) ipsec_supported = newmsg; - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return 0; } @@ -546,7 +553,6 @@ pfkey_send_promisc_toggle(so, flag) /* * sending SADB_X_SPDADD message to the kernel. - * The length of key material is a_keylen + e_keylen. * OUT: * positive: success and return length sent. * -1 : error occured, and set errno. @@ -556,133 +562,140 @@ pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq) int so; struct sockaddr *src, *dst; u_int prefs, prefd, proto; - char *policy; + caddr_t policy; int policylen; u_int32_t seq; { - struct sadb_msg *newmsg; int len; - caddr_t p; - - /* validity check */ - if (src == NULL || dst == NULL) { - ipsec_errcode = EIPSEC_INVAL_ARGUMENT; - return -1; - } - if (src->sa_family != dst->sa_family) { - ipsec_errcode = EIPSEC_FAMILY_MISMATCH; - return -1; - } - if (prefs > (_INALENBYAF(src->sa_family) << 3) - || prefd > (_INALENBYAF(dst->sa_family) << 3)) { - ipsec_errcode = EIPSEC_INVAL_PREFIXLEN; - return -1; - } - - /* create new sadb_msg to reply. */ - len = sizeof(struct sadb_msg) - + sizeof(struct sadb_address) - + PFKEY_ALIGN8(_SALENBYAF(src->sa_family)) - + sizeof(struct sadb_address) - + PFKEY_ALIGN8(_SALENBYAF(src->sa_family)) - + policylen; - if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { - ipsec_set_strerror(strerror(errno)); + if ((len = pfkey_send_x4(so, SADB_X_SPDADD, + src, prefs, dst, prefd, proto, + policy, policylen, seq)) < 0) return -1; - } - p = pfkey_setsadbmsg((caddr_t)newmsg, SADB_X_SPDADD, len, - SADB_SATYPE_UNSPEC, IPSEC_MODE_ANY, seq, getpid()); - p = pfkey_setsadbaddr(p, - SADB_EXT_ADDRESS_SRC, - src, - prefs, - proto); - p = pfkey_setsadbaddr(p, - SADB_EXT_ADDRESS_DST, - dst, - prefd, - proto); - memcpy(p, policy, policylen); + return len; +} - /* send message */ - len = pfkey_send(so, newmsg, len); - free(newmsg); +/* + * sending SADB_X_SPDUPDATE message to the kernel. + * OUT: + * positive: success and return length sent. + * -1 : error occured, and set errno. + */ +int +pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq) + int so; + struct sockaddr *src, *dst; + u_int prefs, prefd, proto; + caddr_t policy; + int policylen; + u_int32_t seq; +{ + int len; - if (len < 0) + if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, + src, prefs, dst, prefd, proto, + policy, policylen, seq)) < 0) return -1; - ipsec_errcode = EIPSEC_NO_ERROR; return len; } /* * sending SADB_X_SPDDELETE message to the kernel. - * The length of key material is a_keylen + e_keylen. * OUT: * positive: success and return length sent. * -1 : error occured, and set errno. */ int -pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, seq) +pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq) int so; struct sockaddr *src, *dst; u_int prefs, prefd, proto; + caddr_t policy; + int policylen; u_int32_t seq; { - struct sadb_msg *newmsg; int len; - caddr_t p; - /* validity check */ - if (src == NULL || dst == NULL) { - ipsec_errcode = EIPSEC_INVAL_ARGUMENT; + if (policylen != sizeof(struct sadb_x_policy)) { + __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; } - if (src->sa_family != dst->sa_family) { - ipsec_errcode = EIPSEC_FAMILY_MISMATCH; + + if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE, + src, prefs, dst, prefd, proto, + policy, policylen, seq)) < 0) return -1; - } - if (prefs > (_INALENBYAF(src->sa_family) << 3) - || prefd > (_INALENBYAF(dst->sa_family) << 3)) { - ipsec_errcode = EIPSEC_INVAL_PREFIXLEN; + + return len; +} + +/* + * sending SADB_X_SPDDELETE message to the kernel. + * OUT: + * positive: success and return length sent. + * -1 : error occured, and set errno. + */ +int +pfkey_send_spddelete2(so, spid) + int so; + u_int32_t spid; +{ + int len; + + if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0) return -1; - } - /* create new sadb_msg to reply. */ - len = sizeof(struct sadb_msg) - + sizeof(struct sadb_address) - + PFKEY_ALIGN8(_SALENBYAF(src->sa_family)) - + sizeof(struct sadb_address) - + PFKEY_ALIGN8(_SALENBYAF(src->sa_family)); + return len; +} - if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { - ipsec_set_strerror(strerror(errno)); +/* + * sending SADB_X_SPDGET message to the kernel. + * OUT: + * positive: success and return length sent. + * -1 : error occured, and set errno. + */ +int +pfkey_send_spdget(so, spid) + int so; + u_int32_t spid; +{ + int len; + + if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0) return -1; - } - p = pfkey_setsadbmsg((caddr_t)newmsg, SADB_X_SPDDELETE, len, - SADB_SATYPE_UNSPEC, IPSEC_MODE_ANY, seq, getpid()); - p = pfkey_setsadbaddr(p, - SADB_EXT_ADDRESS_SRC, - src, - prefs, - proto); - p = pfkey_setsadbaddr(p, - SADB_EXT_ADDRESS_DST, - dst, - prefd, - proto); + return len; +} - /* send message */ - len = pfkey_send(so, newmsg, len); - free(newmsg); +/* + * sending SADB_X_SPDSETIDX message to the kernel. + * OUT: + * positive: success and return length sent. + * -1 : error occured, and set errno. + */ +int +pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq) + int so; + struct sockaddr *src, *dst; + u_int prefs, prefd, proto; + caddr_t policy; + int policylen; + u_int32_t seq; +{ + int len; - if (len < 0) + if (policylen != sizeof(struct sadb_x_policy)) { + __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; + return -1; + } + + if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX, + src, prefs, dst, prefd, proto, + policy, policylen, seq)) < 0) return -1; - ipsec_errcode = EIPSEC_NO_ERROR; return len; } @@ -724,13 +737,13 @@ pfkey_send_spddump(so) /* sending SADB_ADD or SADB_UPDATE message to the kernel */ static int -pfkey_send_x1(so, type, satype, mode, src, dst, spi, wsize, +pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags, l_alloc, l_bytes, l_addtime, l_usetime, seq) int so; u_int type, satype, mode; struct sockaddr *src, *dst; - u_int32_t spi; + u_int32_t spi, reqid; u_int wsize; caddr_t keymat; u_int e_type, e_keylen, a_type, a_keylen, flags; @@ -739,44 +752,57 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, wsize, struct sadb_msg *newmsg; int len; caddr_t p; + int plen; /* validity check */ if (src == NULL || dst == NULL) { - ipsec_errcode = EIPSEC_INVAL_ARGUMENT; + __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; } if (src->sa_family != dst->sa_family) { - ipsec_errcode = EIPSEC_FAMILY_MISMATCH; + __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; + return -1; + } + switch (src->sa_family) { + case AF_INET: + plen = sizeof(struct in_addr) << 3; + break; + case AF_INET6: + plen = sizeof(struct in6_addr) << 3; + break; + default: + __ipsec_errcode = EIPSEC_INVAL_FAMILY; return -1; } switch (satype) { case SADB_SATYPE_ESP: if (e_type == SADB_EALG_NONE) { - ipsec_errcode = EIPSEC_NO_ALGS; + __ipsec_errcode = EIPSEC_NO_ALGS; return -1; } break; case SADB_SATYPE_AH: if (e_type != SADB_EALG_NONE) { - ipsec_errcode = EIPSEC_INVAL_ALGS; + __ipsec_errcode = EIPSEC_INVAL_ALGS; return -1; } if (a_type == SADB_AALG_NONE) { - ipsec_errcode = EIPSEC_NO_ALGS; + __ipsec_errcode = EIPSEC_NO_ALGS; return -1; } break; case SADB_X_SATYPE_IPCOMP: break; default: - ipsec_errcode = EIPSEC_INVAL_SATYPE; + __ipsec_errcode = EIPSEC_INVAL_SATYPE; return -1; } /* create new sadb_msg to reply. */ len = sizeof(struct sadb_msg) + sizeof(struct sadb_sa) + + sizeof(struct sadb_x_sa2) + sizeof(struct sadb_address) + PFKEY_ALIGN8(src->sa_len) + sizeof(struct sadb_address) @@ -790,23 +816,18 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, wsize, len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen)); if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { - ipsec_set_strerror(strerror(errno)); + __ipsec_set_strerror(strerror(errno)); return -1; } p = pfkey_setsadbmsg((caddr_t)newmsg, type, len, - satype, mode, seq, getpid()); + satype, seq, getpid()); p = pfkey_setsadbsa(p, spi, wsize, a_type, e_type, flags); - p = pfkey_setsadbaddr(p, - SADB_EXT_ADDRESS_SRC, - src, - _INALENBYAF(src->sa_family) << 3, - IPSEC_ULPROTO_ANY); - p = pfkey_setsadbaddr(p, - SADB_EXT_ADDRESS_DST, - dst, - _INALENBYAF(dst->sa_family) << 3, - IPSEC_ULPROTO_ANY); + p = pfkey_setsadbxsa2(p, mode, reqid); + p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_SRC, src, plen, + IPSEC_ULPROTO_ANY); + p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_DST, dst, plen, + IPSEC_ULPROTO_ANY); if (e_type != SADB_EALG_NONE) p = pfkey_setsadbkey(p, SADB_EXT_KEY_ENCRYPT, @@ -828,7 +849,7 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, wsize, if (len < 0) return -1; - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return len; } @@ -843,14 +864,26 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi) struct sadb_msg *newmsg; int len; caddr_t p; + int plen; /* validity check */ if (src == NULL || dst == NULL) { - ipsec_errcode = EIPSEC_INVAL_ARGUMENT; + __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; } if (src->sa_family != dst->sa_family) { - ipsec_errcode = EIPSEC_FAMILY_MISMATCH; + __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; + return -1; + } + switch (src->sa_family) { + case AF_INET: + plen = sizeof(struct in_addr) << 3; + break; + case AF_INET6: + plen = sizeof(struct in6_addr) << 3; + break; + default: + __ipsec_errcode = EIPSEC_INVAL_FAMILY; return -1; } @@ -863,22 +896,16 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi) + PFKEY_ALIGN8(dst->sa_len); if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { - ipsec_set_strerror(strerror(errno)); + __ipsec_set_strerror(strerror(errno)); return -1; } - p = pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, mode, 0, getpid()); + p = pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, 0, getpid()); p = pfkey_setsadbsa(p, spi, 0, 0, 0, 0); - p = pfkey_setsadbaddr(p, - SADB_EXT_ADDRESS_SRC, - src, - _INALENBYAF(src->sa_family) << 3, - IPSEC_ULPROTO_ANY); - p = pfkey_setsadbaddr(p, - SADB_EXT_ADDRESS_DST, - dst, - _INALENBYAF(dst->sa_family) << 3, - IPSEC_ULPROTO_ANY); + p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_SRC, src, plen, + IPSEC_ULPROTO_ANY); + p = pfkey_setsadbaddr(p, SADB_EXT_ADDRESS_DST, dst, plen, + IPSEC_ULPROTO_ANY); /* send message */ len = pfkey_send(so, newmsg, len); @@ -887,7 +914,7 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi) if (len < 0) return -1; - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return len; } @@ -907,7 +934,7 @@ pfkey_send_x3(so, type, satype) switch (type) { case SADB_X_PROMISC: if (satype != 0 && satype != 1) { - ipsec_errcode = EIPSEC_INVAL_SATYPE; + __ipsec_errcode = EIPSEC_INVAL_SATYPE; return -1; } break; @@ -919,7 +946,7 @@ pfkey_send_x3(so, type, satype) case SADB_X_SATYPE_IPCOMP: break; default: - ipsec_errcode = EIPSEC_INVAL_SATYPE; + __ipsec_errcode = EIPSEC_INVAL_SATYPE; return -1; } } @@ -928,11 +955,11 @@ pfkey_send_x3(so, type, satype) len = sizeof(struct sadb_msg); if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { - ipsec_set_strerror(strerror(errno)); + __ipsec_set_strerror(strerror(errno)); return -1; } - (void)pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, 0, 0, getpid()); + (void)pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, 0, getpid()); /* send message */ len = pfkey_send(so, newmsg, len); @@ -941,7 +968,128 @@ pfkey_send_x3(so, type, satype) if (len < 0) return -1; - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; + return len; +} + +/* sending SADB_X_SPDADD message to the kernel */ +static int +pfkey_send_x4(so, type, src, prefs, dst, prefd, proto, policy, policylen, seq) + int so; + struct sockaddr *src, *dst; + u_int type, prefs, prefd, proto; + char *policy; + int policylen; + u_int32_t seq; +{ + struct sadb_msg *newmsg; + int len; + caddr_t p; + int plen; + + /* validity check */ + if (src == NULL || dst == NULL) { + __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; + return -1; + } + if (src->sa_family != dst->sa_family) { + __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; + return -1; + } + + switch (src->sa_family) { + case AF_INET: + plen = sizeof(struct in_addr) << 3; + break; + case AF_INET6: + plen = sizeof(struct in6_addr) << 3; + break; + default: + __ipsec_errcode = EIPSEC_INVAL_FAMILY; + return -1; + } + if (prefs > plen || prefd > plen) { + __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN; + return -1; + } + + /* create new sadb_msg to reply. */ + len = sizeof(struct sadb_msg) + + sizeof(struct sadb_address) + + PFKEY_ALIGN8(src->sa_len) + + sizeof(struct sadb_address) + + PFKEY_ALIGN8(src->sa_len) + + policylen; + + if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { + __ipsec_set_strerror(strerror(errno)); + return -1; + } + + p = pfkey_setsadbmsg((caddr_t)newmsg, type, len, + SADB_SATYPE_UNSPEC, seq, getpid()); + p = pfkey_setsadbaddr(p, + SADB_EXT_ADDRESS_SRC, + src, + prefs, + proto); + p = pfkey_setsadbaddr(p, + SADB_EXT_ADDRESS_DST, + dst, + prefd, + proto); + memcpy(p, policy, policylen); + + /* send message */ + len = pfkey_send(so, newmsg, len); + free(newmsg); + + if (len < 0) + return -1; + + __ipsec_errcode = EIPSEC_NO_ERROR; + return len; +} + +/* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */ +static int +pfkey_send_x5(so, type, spid) + int so; + u_int type; + u_int32_t spid; +{ + struct sadb_msg *newmsg; + struct sadb_x_policy xpl; + int len; + caddr_t p; + + /* create new sadb_msg to reply. */ + len = sizeof(struct sadb_msg) + + sizeof(xpl); + + if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { + __ipsec_set_strerror(strerror(errno)); + return -1; + } + + p = pfkey_setsadbmsg((caddr_t)newmsg, type, len, + SADB_SATYPE_UNSPEC, 0, getpid()); + + memset(&xpl, 0, sizeof(xpl)); + xpl.sadb_x_policy_len = PFKEY_UNUNIT64(sizeof(xpl)); + xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY; + xpl.sadb_x_policy_id = spid; + + memcpy(p, &xpl, sizeof(xpl)); + + /* send message */ + len = pfkey_send(so, newmsg, len); + free(newmsg); + + if (len < 0) + return -1; + + __ipsec_errcode = EIPSEC_NO_ERROR; return len; } @@ -958,7 +1106,7 @@ pfkey_open() const int bufsiz = 128 * 1024; /*is 128K enough?*/ if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) { - ipsec_set_strerror(strerror(errno)); + __ipsec_set_strerror(strerror(errno)); return -1; } @@ -969,7 +1117,7 @@ pfkey_open() (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz)); (void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz)); - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return so; } @@ -985,7 +1133,7 @@ pfkey_close(so) { (void)close(so); - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return; } @@ -1005,37 +1153,37 @@ pfkey_recv(so) while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) { if (errno == EINTR) continue; - ipsec_set_strerror(strerror(errno)); + __ipsec_set_strerror(strerror(errno)); return NULL; } if (len < sizeof(buf)) { recv(so, (caddr_t)&buf, sizeof(buf), 0); - ipsec_errcode = EIPSEC_MAX; + __ipsec_errcode = EIPSEC_MAX; return NULL; } /* read real message */ reallen = PFKEY_UNUNIT64(buf.sadb_msg_len); if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == 0) { - ipsec_set_strerror(strerror(errno)); + __ipsec_set_strerror(strerror(errno)); return NULL; } while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) { if (errno == EINTR) continue; - ipsec_set_strerror(strerror(errno)); + __ipsec_set_strerror(strerror(errno)); free(newmsg); return NULL; } if (len != reallen) { - ipsec_errcode = EIPSEC_SYSTEM_ERROR; + __ipsec_errcode = EIPSEC_SYSTEM_ERROR; free(newmsg); return NULL; } - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return newmsg; } @@ -1052,11 +1200,11 @@ pfkey_send(so, msg, len) int len; { if ((len = send(so, (caddr_t)msg, len, 0)) < 0) { - ipsec_set_strerror(strerror(errno)); + __ipsec_set_strerror(strerror(errno)); return -1; } - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return len; } @@ -1083,7 +1231,7 @@ pfkey_align(msg, mhp) /* validity check */ if (msg == NULL || mhp == NULL) { - ipsec_errcode = EIPSEC_INVAL_ARGUMENT; + __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; } @@ -1100,7 +1248,7 @@ pfkey_align(msg, mhp) /* duplicate check */ /* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/ if (mhp[ext->sadb_ext_type] != NULL) { - ipsec_errcode = EIPSEC_INVAL_EXTTYPE; + __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; return -1; } @@ -1125,10 +1273,11 @@ pfkey_align(msg, mhp) case SADB_EXT_SUPPORTED_ENCRYPT: case SADB_EXT_SPIRANGE: case SADB_X_EXT_POLICY: + case SADB_X_EXT_SA2: mhp[ext->sadb_ext_type] = (caddr_t)ext; break; default: - ipsec_errcode = EIPSEC_INVAL_EXTTYPE; + __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; return -1; } @@ -1137,7 +1286,7 @@ pfkey_align(msg, mhp) ext = (struct sadb_ext *)((caddr_t)ext + extlen); } - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return 0; } @@ -1160,7 +1309,7 @@ pfkey_check(mhp) /* validity check */ if (mhp == NULL || mhp[0] == NULL) { - ipsec_errcode = EIPSEC_INVAL_ARGUMENT; + __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; } @@ -1168,13 +1317,13 @@ pfkey_check(mhp) /* check version */ if (msg->sadb_msg_version != PF_KEY_V2) { - ipsec_errcode = EIPSEC_INVAL_VERSION; + __ipsec_errcode = EIPSEC_INVAL_VERSION; return -1; } /* check type */ if (msg->sadb_msg_type > SADB_MAX) { - ipsec_errcode = EIPSEC_INVAL_MSGTYPE; + __ipsec_errcode = EIPSEC_INVAL_MSGTYPE; return -1; } @@ -1189,7 +1338,7 @@ pfkey_check(mhp) case SADB_GET: case SADB_ACQUIRE: case SADB_EXPIRE: - ipsec_errcode = EIPSEC_INVAL_SATYPE; + __ipsec_errcode = EIPSEC_INVAL_SATYPE; return -1; } break; @@ -1202,7 +1351,7 @@ pfkey_check(mhp) case SADB_X_SPDGET: case SADB_X_SPDDUMP: case SADB_X_SPDFLUSH: - ipsec_errcode = EIPSEC_INVAL_SATYPE; + __ipsec_errcode = EIPSEC_INVAL_SATYPE; return -1; } break; @@ -1210,14 +1359,14 @@ pfkey_check(mhp) case SADB_SATYPE_OSPFV2: case SADB_SATYPE_RIPV2: case SADB_SATYPE_MIP: - ipsec_errcode = EIPSEC_NOT_SUPPORTED; + __ipsec_errcode = EIPSEC_NOT_SUPPORTED; return -1; case 1: /* XXX: What does it do ? */ if (msg->sadb_msg_type == SADB_X_PROMISC) break; /*FALLTHROUGH*/ default: - ipsec_errcode = EIPSEC_INVAL_SATYPE; + __ipsec_errcode = EIPSEC_INVAL_SATYPE; return -1; } @@ -1230,13 +1379,13 @@ pfkey_check(mhp) dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]); if (src0->sadb_address_proto != dst0->sadb_address_proto) { - ipsec_errcode = EIPSEC_PROTO_MISMATCH; + __ipsec_errcode = EIPSEC_PROTO_MISMATCH; return -1; } if (PFKEY_ADDR_SADDR(src0)->sa_family != PFKEY_ADDR_SADDR(dst0)->sa_family) { - ipsec_errcode = EIPSEC_FAMILY_MISMATCH; + __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; return -1; } @@ -1245,7 +1394,7 @@ pfkey_check(mhp) case AF_INET6: break; default: - ipsec_errcode = EIPSEC_INVAL_FAMILY; + __ipsec_errcode = EIPSEC_INVAL_FAMILY; return -1; } @@ -1255,7 +1404,7 @@ pfkey_check(mhp) */ } - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return 0; } @@ -1264,9 +1413,9 @@ pfkey_check(mhp) * `buf' must has been allocated sufficiently. */ static caddr_t -pfkey_setsadbmsg(buf, type, tlen, satype, mode, seq, pid) +pfkey_setsadbmsg(buf, type, tlen, satype, seq, pid) caddr_t buf; - u_int type, satype, mode; + u_int type, satype; u_int tlen; u_int32_t seq; pid_t pid; @@ -1275,7 +1424,7 @@ pfkey_setsadbmsg(buf, type, tlen, satype, mode, seq, pid) u_int len; p = (struct sadb_msg *)buf; - len = sizeof(struct sadb_sa); + len = sizeof(struct sadb_msg); memset(p, 0, len); p->sadb_msg_version = PF_KEY_V2; @@ -1283,7 +1432,6 @@ pfkey_setsadbmsg(buf, type, tlen, satype, mode, seq, pid) p->sadb_msg_errno = 0; p->sadb_msg_satype = satype; p->sadb_msg_len = PFKEY_UNIT64(tlen); - p->sadb_msg_mode = mode; p->sadb_msg_reserved = 0; p->sadb_msg_seq = seq; p->sadb_msg_pid = (u_int32_t)pid; @@ -1402,7 +1550,7 @@ pfkey_setsadblifetime(buf, type, l_alloc, l_bytes, l_addtime, l_usetime) p->sadb_lifetime_allocations = (l_alloc * soft_lifetime_allocations_rate) /100; p->sadb_lifetime_bytes - = ((l_bytes * soft_lifetime_bytes_rate) /100) << 10; + = (l_bytes * soft_lifetime_bytes_rate) /100; p->sadb_lifetime_addtime = (l_addtime * soft_lifetime_addtime_rate) /100; p->sadb_lifetime_usetime @@ -1410,7 +1558,7 @@ pfkey_setsadblifetime(buf, type, l_alloc, l_bytes, l_addtime, l_usetime) break; case SADB_EXT_LIFETIME_HARD: p->sadb_lifetime_allocations = l_alloc; - p->sadb_lifetime_bytes = l_bytes << 10; + p->sadb_lifetime_bytes = l_bytes; p->sadb_lifetime_addtime = l_addtime; p->sadb_lifetime_usetime = l_usetime; break; @@ -1419,3 +1567,29 @@ pfkey_setsadblifetime(buf, type, l_alloc, l_bytes, l_addtime, l_usetime) return buf + len; } +/* + * copy secasvar data into sadb_address. + * `buf' must has been allocated sufficiently. + */ +static caddr_t +pfkey_setsadbxsa2(buf, mode0, reqid) + caddr_t buf; + u_int32_t mode0; + u_int32_t reqid; +{ + struct sadb_x_sa2 *p; + u_int8_t mode = mode0 & 0xff; + u_int len; + + p = (struct sadb_x_sa2 *)buf; + len = sizeof(struct sadb_x_sa2); + + memset(p, 0, len); + p->sadb_x_sa2_len = PFKEY_UNIT64(len); + p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; + p->sadb_x_sa2_mode = mode; + p->sadb_x_sa2_reqid = reqid; + + return(buf + len); +} + diff --git a/lib/libipsec/pfkey_dump.c b/lib/libipsec/pfkey_dump.c index b7def24..6408651 100644 --- a/lib/libipsec/pfkey_dump.c +++ b/lib/libipsec/pfkey_dump.c @@ -1,3 +1,6 @@ +/* $FreeBSD$ */ +/* $KAME: pfkey_dump.c,v 1.19 2000/06/10 06:47:11 sakane Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. @@ -25,8 +28,6 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ #include <sys/types.h> @@ -39,9 +40,6 @@ #include <netinet/in.h> #include <netinet6/ipsec.h> -#ifdef INET6 -#include <netinet6/in6.h> -#endif #include <arpa/inet.h> #include <stdlib.h> @@ -49,11 +47,13 @@ #include <stdio.h> #include <string.h> #include <time.h> +#include <netdb.h> #include "ipsec_strerror.h" +#include "libpfkey.h" -#define GETMSGSTR(str, num) \ -{ \ +#define GETMSGSTR(str, num) \ +do { \ if (sizeof((str)[0]) == 0 \ || num >= sizeof(str)/sizeof((str)[0])) \ printf("%d ", (num)); \ @@ -61,15 +61,12 @@ printf("%d ", (num)); \ else \ printf("%s ", (str)[(num)]); \ -} - -#define GETAF(p) \ - (((struct sockaddr *)(p))->sa_family) +} while (0) -static char *_str_ipaddr __P((u_int family, caddr_t addr)); -static char *_str_prefport __P((u_int family, u_int pref, u_int port)); -static char *_str_time __P((time_t t)); -static void _str_lifetime_byte __P((struct sadb_lifetime *x, char *str)); +static char *str_ipaddr __P((struct sockaddr *)); +static char *str_prefport __P((u_int, u_int, u_int)); +static char *str_time __P((time_t)); +static void str_lifetime_byte __P((struct sadb_lifetime *, char *)); /* * Must to be re-written about following strings. @@ -151,6 +148,7 @@ pfkey_sadump(m) { caddr_t mhp[SADB_EXT_MAX + 1]; struct sadb_sa *m_sa; + struct sadb_x_sa2 *m_sa2; struct sadb_lifetime *m_lftc, *m_lfth, *m_lfts; struct sadb_address *m_saddr, *m_daddr, *m_paddr; struct sadb_key *m_auth, *m_enc; @@ -168,6 +166,7 @@ pfkey_sadump(m) } m_sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; + m_sa2 = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2]; m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT]; m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD]; m_lfts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT]; @@ -177,7 +176,7 @@ pfkey_sadump(m) m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH]; m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT]; m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC]; - m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC]; + m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST]; m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY]; /* source address */ @@ -185,34 +184,36 @@ pfkey_sadump(m) printf("no ADDRESS_SRC extension.\n"); return; } - printf("%s ", - _str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1))); + printf("%s ", str_ipaddr((struct sockaddr *)(m_saddr + 1))); /* destination address */ if (m_daddr == NULL) { printf("no ADDRESS_DST extension.\n"); return; } - printf("%s ", - _str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1))); + printf("%s ", str_ipaddr((struct sockaddr *)(m_daddr + 1))); /* SA type */ if (m_sa == NULL) { printf("no SA extension.\n"); return; } + if (m_sa2 == NULL) { + printf("no SA2 extension.\n"); + return; + } printf("\n\t"); GETMSGSTR(_str_satype, m->sadb_msg_satype); printf("mode="); - GETMSGSTR(_str_mode, m->sadb_msg_mode); + GETMSGSTR(_str_mode, m_sa2->sadb_x_sa2_mode); - printf("spi=%u(0x%08x) replay=%u flags=0x%08x\n", + printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n", (u_int32_t)ntohl(m_sa->sadb_sa_spi), (u_int32_t)ntohl(m_sa->sadb_sa_spi), - m_sa->sadb_sa_replay, - m_sa->sadb_sa_flags); + (u_int32_t)m_sa2->sadb_x_sa2_reqid, + (u_int32_t)m_sa2->sadb_x_sa2_reqid); /* encryption key */ if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) { @@ -237,8 +238,13 @@ pfkey_sadump(m) printf("\n"); } + /* replay windoe size & flags */ + printf("\treplay=%u flags=0x%08x ", + m_sa->sadb_sa_replay, + m_sa->sadb_sa_flags); + /* state */ - printf("\tstate="); + printf("state="); GETMSGSTR(_str_state, m_sa->sadb_sa_state); printf("seq=%lu pid=%lu\n", @@ -250,8 +256,8 @@ pfkey_sadump(m) time_t tmp_time = time(0); printf("\tcreated: %s", - _str_time(m_lftc->sadb_lifetime_addtime)); - printf("\tcurrent: %s\n", _str_time(tmp_time)); + str_time(m_lftc->sadb_lifetime_addtime)); + printf("\tcurrent: %s\n", str_time(tmp_time)); printf("\tdiff: %lu(s)", (u_long)(m_lftc->sadb_lifetime_addtime == 0 ? 0 : (tmp_time - m_lftc->sadb_lifetime_addtime))); @@ -264,7 +270,7 @@ pfkey_sadump(m) 0 : m_lfts->sadb_lifetime_addtime)); printf("\tlast: %s", - _str_time(m_lftc->sadb_lifetime_usetime)); + str_time(m_lftc->sadb_lifetime_usetime)); printf("\thard: %lu(s)", (u_long)(m_lfth == NULL ? 0 : m_lfth->sadb_lifetime_usetime)); @@ -272,9 +278,9 @@ pfkey_sadump(m) (u_long)(m_lfts == NULL ? 0 : m_lfts->sadb_lifetime_usetime)); - _str_lifetime_byte(m_lftc, "current"); - _str_lifetime_byte(m_lfth, "hard"); - _str_lifetime_byte(m_lfts, "soft"); + str_lifetime_byte(m_lftc, "current"); + str_lifetime_byte(m_lfth, "hard"); + str_lifetime_byte(m_lfts, "soft"); printf("\n"); printf("\tallocated: %lu", @@ -288,7 +294,7 @@ pfkey_sadump(m) } /* XXX DEBUG */ - printf("\trefcnt=%d\n", m->sadb_msg_reserved); + printf("\trefcnt=%u\n", m->sadb_msg_reserved); return; } @@ -297,9 +303,12 @@ void pfkey_spdump(m) struct sadb_msg *m; { + char pbuf[NI_MAXSERV]; caddr_t mhp[SADB_EXT_MAX + 1]; struct sadb_address *m_saddr, *m_daddr; struct sadb_x_policy *m_xpl; + struct sockaddr *sa; + u_int16_t port; /* check pfkey message. */ if (pfkey_align(m, mhp)) { @@ -320,25 +329,49 @@ pfkey_spdump(m) printf("no ADDRESS_SRC extension.\n"); return; } - printf("%s%s ", - _str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)), - _str_prefport(GETAF(m_saddr + 1), - m_saddr->sadb_address_prefixlen, - _INPORTBYSA(m_saddr + 1))); + sa = (struct sockaddr *)(m_saddr + 1); + switch (sa->sa_family) { + case AF_INET: + case AF_INET6: + if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf), + NI_NUMERICSERV) != 0) + port = 0; /*XXX*/ + else + port = atoi(pbuf); + printf("%s%s ", str_ipaddr(sa), + str_prefport(sa->sa_family, + m_saddr->sadb_address_prefixlen, port)); + break; + default: + printf("unknown-af "); + break; + } /* destination address */ if (m_daddr == NULL) { printf("no ADDRESS_DST extension.\n"); return; } - printf("%s%s ", - _str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)), - _str_prefport(GETAF(m_daddr + 1), - m_daddr->sadb_address_prefixlen, - _INPORTBYSA(m_daddr + 1))); + sa = (struct sockaddr *)(m_daddr + 1); + switch (sa->sa_family) { + case AF_INET: + case AF_INET6: + if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf), + NI_NUMERICSERV) != 0) + port = 0; /*XXX*/ + else + port = atoi(pbuf); + printf("%s%s ", str_ipaddr(sa), + str_prefport(sa->sa_family, + m_daddr->sadb_address_prefixlen, port)); + break; + default: + printf("unknown-af "); + break; + } /* upper layer protocol */ - if (m_saddr->sadb_address_proto != m_saddr->sadb_address_proto) { + if (m_saddr->sadb_address_proto != m_daddr->sadb_address_proto) { printf("upper layer protocol mismatched.\n"); return; } @@ -362,12 +395,13 @@ pfkey_spdump(m) free(d_xpl); } - printf("\tseq=%ld pid=%ld\n", + printf("\tspid=%ld seq=%ld pid=%ld\n", + (u_long)m_xpl->sadb_x_policy_id, (u_long)m->sadb_msg_seq, (u_long)m->sadb_msg_pid); /* XXX TEST */ - printf("\trefcnt=%d\n", m->sadb_msg_reserved); + printf("\trefcnt=%u\n", m->sadb_msg_reserved); return; } @@ -376,35 +410,48 @@ pfkey_spdump(m) * set "ipaddress" to buffer. */ static char * -_str_ipaddr(family, addr) - u_int family; - caddr_t addr; +str_ipaddr(sa) + struct sockaddr *sa; { - static char buf[128]; - char addrbuf[128]; + static char buf[NI_MAXHOST]; +#ifdef NI_WITHSCOPEID + const int niflag = NI_NUMERICHOST | NI_WITHSCOPEID; +#else + const int niflag = NI_NUMERICHOST; +#endif - if (addr == NULL) + if (sa == NULL) return ""; - inet_ntop(family, addr, addrbuf, sizeof(addrbuf)); - - snprintf(buf, sizeof(buf), "%s", addrbuf); - - return buf; + if (getnameinfo(sa, sa->sa_len, buf, sizeof(buf), NULL, 0, niflag) == 0) + return buf; + return NULL; } /* * set "/prefix[port number]" to buffer. */ static char * -_str_prefport(family, pref, port) +str_prefport(family, pref, port) u_int family, pref, port; { static char buf[128]; char prefbuf[10]; char portbuf[10]; + int plen; + + switch (family) { + case AF_INET: + plen = sizeof(struct in_addr) << 3; + break; + case AF_INET6: + plen = sizeof(struct in6_addr) << 3; + break; + default: + return "?"; + } - if (pref == (_INALENBYAF(family) << 3)) + if (pref == plen) prefbuf[0] = '\0'; else snprintf(prefbuf, sizeof(prefbuf), "/%u", pref); @@ -412,7 +459,7 @@ _str_prefport(family, pref, port) if (port == IPSEC_PORT_ANY) snprintf(portbuf, sizeof(portbuf), "[%s]", "any"); else - snprintf(portbuf, sizeof(portbuf), "[%u]", ntohs(port)); + snprintf(portbuf, sizeof(portbuf), "[%u]", port); snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf); @@ -423,7 +470,7 @@ _str_prefport(family, pref, port) * set "Mon Day Time Year" to buffer */ static char * -_str_time(t) +str_time(t) time_t t; { static char buf[128]; @@ -443,7 +490,7 @@ _str_time(t) } static void -_str_lifetime_byte(x, str) +str_lifetime_byte(x, str) struct sadb_lifetime *x; char *str; { @@ -456,8 +503,24 @@ _str_lifetime_byte(x, str) return; } +#if 0 + if ((x->sadb_lifetime_bytes) / 1024 / 1024) { + y = (x->sadb_lifetime_bytes) * 1.0 / 1024 / 1024; + unit = "M"; + w = 1; + } else if ((x->sadb_lifetime_bytes) / 1024) { + y = (x->sadb_lifetime_bytes) * 1.0 / 1024; + unit = "K"; + w = 1; + } else { + y = (x->sadb_lifetime_bytes) * 1.0; + unit = ""; + w = 0; + } +#else y = (x->sadb_lifetime_bytes) * 1.0; unit = ""; w = 0; +#endif printf("\t%s: %.*f(%sbytes)", str, w, y, unit); } diff --git a/lib/libipsec/policy_parse.y b/lib/libipsec/policy_parse.y index ffa1a6f..e36d7b7 100644 --- a/lib/libipsec/policy_parse.y +++ b/lib/libipsec/policy_parse.y @@ -1,3 +1,6 @@ +/* $FreeBSD$ */ +/* $KAME: policy_parse.y,v 1.10 2000/05/07 05:25:03 itojun Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. @@ -25,10 +28,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ -/* KAME $Id: policy_parse.y,v 1.1 1999/10/20 01:26:41 sakane Exp $ */ /* * IN/OUT bound policy configuration take place such below: @@ -59,24 +59,24 @@ #include <stdlib.h> #include <stdio.h> -#include <errno.h> #include <string.h> #include <netdb.h> #include "ipsec_strerror.h" -#define ATOX(c) \ +#define ATOX(c) \ (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) )) static caddr_t pbuf = NULL; /* sadb_x_policy buffer */ static int tlen = 0; /* total length of pbuf */ static int offset = 0; /* offset of pbuf */ -static int p_dir, p_type, p_protocol, p_mode, p_level; +static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid; static struct sockaddr *p_src = NULL; static struct sockaddr *p_dst = NULL; +struct _val; extern void yyerror __P((char *msg)); -static struct sockaddr *parse_sockaddr __P((/*struct _val *buf*/)); +static struct sockaddr *parse_sockaddr __P((struct _val *buf)); static int rule_check __P((void)); static int init_x_policy __P((void)); static int set_x_request __P((struct sockaddr *src, struct sockaddr *dst)); @@ -85,8 +85,8 @@ static void policy_parse_request_init __P((void)); static caddr_t policy_parse __P((char *msg, int msglen)); extern void __policy__strbuffer__init__ __P((char *msg)); -extern int yyparse(); -extern int yylex(); +extern int yyparse __P((void)); +extern int yylex __P((void)); %} @@ -98,12 +98,12 @@ extern int yylex(); } val; } -%token DIR ACTION PROTOCOL MODE LEVEL +%token DIR ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY %token IPADDRESS %token ME ANY %token SLASH HYPHEN %type <num> DIR ACTION PROTOCOL MODE LEVEL -%type <val> IPADDRESS +%type <val> IPADDRESS LEVEL_SPECIFY %% policy_spec @@ -116,6 +116,14 @@ policy_spec return -1; } rules + | DIR + { + p_dir = $1; + p_type = 0; /* ignored it by kernel */ + + if (init_x_policy()) + return -1; + } ; rules @@ -139,11 +147,11 @@ rule | protocol SLASH mode SLASH SLASH level | protocol SLASH mode | protocol SLASH { - ipsec_errcode = EIPSEC_FEW_ARGUMENTS; + __ipsec_errcode = EIPSEC_FEW_ARGUMENTS; return -1; } | protocol { - ipsec_errcode = EIPSEC_FEW_ARGUMENTS; + __ipsec_errcode = EIPSEC_FEW_ARGUMENTS; return -1; } ; @@ -157,7 +165,14 @@ mode ; level - : LEVEL { p_level = $1; } + : LEVEL { + p_level = $1; + p_reqid = 0; + } + | LEVEL_SPECIFY { + p_level = IPSEC_LEVEL_UNIQUE; + p_reqid = atol($1.buf); /* atol() is good. */ + } ; addresses @@ -174,13 +189,13 @@ addresses } | ME HYPHEN ANY { if (p_dir != IPSEC_DIR_OUTBOUND) { - ipsec_errcode = EIPSEC_INVAL_DIR; + __ipsec_errcode = EIPSEC_INVAL_DIR; return -1; } } | ANY HYPHEN ME { if (p_dir != IPSEC_DIR_INBOUND) { - ipsec_errcode = EIPSEC_INVAL_DIR; + __ipsec_errcode = EIPSEC_INVAL_DIR; return -1; } } @@ -195,7 +210,10 @@ void yyerror(msg) char *msg; { - fprintf(stderr, "%s\n", msg); + extern char *__libipsecyytext; /*XXX*/ + + fprintf(stderr, "libipsec: %s while parsing \"%s\"\n", + msg, __libipsecyytext); return; } @@ -213,43 +231,29 @@ parse_sockaddr(buf) hints.ai_family = PF_UNSPEC; hints.ai_flags = AI_NUMERICHOST; error = getaddrinfo(buf->buf, serv, &hints, &res); - if (error != 0 || res->ai_addr == NULL) { - ipsec_set_strerror(error == EAI_SYSTEM ? - gai_strerror(error) : strerror(errno)); + if (error != 0) { + yyerror("invalid IP address"); + __ipsec_set_strerror(gai_strerror(error)); return NULL; } if (res->ai_addr == NULL) { - ipsec_set_strerror(gai_strerror(error)); + yyerror("invalid IP address"); + __ipsec_set_strerror(gai_strerror(error)); return NULL; } newaddr = malloc(res->ai_addr->sa_len); if (newaddr == NULL) { - ipsec_errcode = EIPSEC_NO_BUFS; + __ipsec_errcode = EIPSEC_NO_BUFS; freeaddrinfo(res); return NULL; } memcpy(newaddr, res->ai_addr, res->ai_addr->sa_len); - /* - * XXX: If the scope of the destination is link-local, - * embed the scope-id(in this case, interface index) - * into the address. - */ - if (newaddr->sa_family == AF_INET6) { - struct sockaddr_in6 *sin6; - - sin6 = (struct sockaddr_in6 *)newaddr; - if(IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) && - sin6->sin6_scope_id != 0) - *(u_short *)&sin6->sin6_addr.s6_addr[2] = - htons(sin6->sin6_scope_id & 0xffff); - } - freeaddrinfo(res); - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return newaddr; } @@ -258,29 +262,29 @@ rule_check() { if (p_type == IPSEC_POLICY_IPSEC) { if (p_protocol == IPPROTO_IP) { - ipsec_errcode = EIPSEC_NO_PROTO; + __ipsec_errcode = EIPSEC_NO_PROTO; return -1; } if (p_mode != IPSEC_MODE_TRANSPORT && p_mode != IPSEC_MODE_TUNNEL) { - ipsec_errcode = EIPSEC_INVAL_MODE; + __ipsec_errcode = EIPSEC_INVAL_MODE; return -1; } if (p_src == NULL && p_dst == NULL) { if (p_mode != IPSEC_MODE_TRANSPORT) { - ipsec_errcode = EIPSEC_INVAL_ADDRESS; + __ipsec_errcode = EIPSEC_INVAL_ADDRESS; return -1; } } else if (p_src->sa_family != p_dst->sa_family) { - ipsec_errcode = EIPSEC_FAMILY_MISMATCH; + __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; return -1; } } - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return 0; } @@ -293,7 +297,7 @@ init_x_policy() pbuf = malloc(tlen); if (pbuf == NULL) { - ipsec_errcode = EIPSEC_NO_BUFS; + __ipsec_errcode = EIPSEC_NO_BUFS; return -1; } p = (struct sadb_x_policy *)pbuf; @@ -304,7 +308,7 @@ init_x_policy() p->sadb_x_policy_reserved = 0; offset = tlen; - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return 0; } @@ -322,7 +326,7 @@ set_x_request(src, dst) pbuf = realloc(pbuf, tlen); if (pbuf == NULL) { - ipsec_errcode = EIPSEC_NO_BUFS; + __ipsec_errcode = EIPSEC_NO_BUFS; return -1; } p = (struct sadb_x_ipsecrequest *)&pbuf[offset]; @@ -330,12 +334,13 @@ set_x_request(src, dst) p->sadb_x_ipsecrequest_proto = p_protocol; p->sadb_x_ipsecrequest_mode = p_mode; p->sadb_x_ipsecrequest_level = p_level; + p->sadb_x_ipsecrequest_reqid = p_reqid; offset += sizeof(*p); if (set_sockaddr(src) || set_sockaddr(dst)) return -1; - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return 0; } @@ -344,7 +349,7 @@ set_sockaddr(addr) struct sockaddr *addr; { if (addr == NULL) { - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return 0; } @@ -354,7 +359,7 @@ set_sockaddr(addr) offset += addr->sa_len; - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return 0; } @@ -364,6 +369,7 @@ policy_parse_request_init() p_protocol = IPPROTO_IP; p_mode = IPSEC_MODE_ANY; p_level = IPSEC_LEVEL_DEFAULT; + p_reqid = 0; if (p_src != NULL) { free(p_src); p_src = NULL; @@ -401,7 +407,7 @@ policy_parse(msg, msglen) /* update total length */ ((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen); - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return pbuf; } @@ -415,12 +421,12 @@ ipsec_set_policy(msg, msglen) policy = policy_parse(msg, msglen); if (policy == NULL) { - if (ipsec_errcode == EIPSEC_NO_ERROR) - ipsec_errcode = EIPSEC_INVAL_ARGUMENT; + if (__ipsec_errcode == EIPSEC_NO_ERROR) + __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return NULL; } - ipsec_errcode = EIPSEC_NO_ERROR; + __ipsec_errcode = EIPSEC_NO_ERROR; return policy; } diff --git a/lib/libipsec/policy_token.l b/lib/libipsec/policy_token.l index fc11d09..81d632b 100644 --- a/lib/libipsec/policy_token.l +++ b/lib/libipsec/policy_token.l @@ -1,3 +1,6 @@ +/* $FreeBSD$ */ +/* $KAME: policy_token.l,v 1.9 2000/05/07 05:25:03 itojun Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. @@ -25,8 +28,6 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ %{ @@ -46,8 +47,14 @@ #include <unistd.h> #include <errno.h> +#ifndef __NetBSD__ #include "y.tab.h" -#define yylval __libipsecyylval /* XXX */ +#else +#include "policy_parse.h" +#endif +#define yylval __libipsecyylval /* XXX */ + +int yylex __P((void)); %} %option noyywrap @@ -56,7 +63,6 @@ nl \n ws [ \t]+ digit [0-9] -letter [0-9A-Za-z] hexdigit [0-9A-Fa-f] special [()+\|\?\*,] dot \. @@ -79,9 +85,7 @@ decstring {digit}+ hexpair {hexdigit}{hexdigit} hexstring 0[xX]{hexdigit}+ octetstring {octet}({dot}{octet})+ -ipaddress [a-zA-Z0-9:\._][a-zA-Z0-9:\._]*(%{letter}{letter}+)? -name {letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))* -hostname {name}(({dot}{name})+{dot}?)? +ipaddress [a-zA-Z0-9:\._][a-zA-Z0-9:\._]*(%[a-zA-Z0-9]+)? %% @@ -107,12 +111,17 @@ any { return(ANY); } default { yylval.num = IPSEC_LEVEL_DEFAULT; return(LEVEL); } use { yylval.num = IPSEC_LEVEL_USE; return(LEVEL); } require { yylval.num = IPSEC_LEVEL_REQUIRE; return(LEVEL); } +unique{colon}{decstring} { + yylval.val.len = strlen(yytext + 7); + yylval.val.buf = yytext + 7; + return(LEVEL_SPECIFY); + } unique { yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); } {slash} { return(SLASH); } {ipaddress} { yylval.val.len = strlen(yytext); - yylval.val.buf = strdup(yytext); + yylval.val.buf = yytext; return(IPADDRESS); } @@ -123,6 +132,8 @@ unique { yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); } %% +void __policy__strbuffer__init__ __P((char *)); + void __policy__strbuffer__init__(msg) char *msg; diff --git a/lib/libipsec/test-policy.c b/lib/libipsec/test-policy.c index c8fd727..5a4faf5 100644 --- a/lib/libipsec/test-policy.c +++ b/lib/libipsec/test-policy.c @@ -1,3 +1,6 @@ +/* $FreeBSD$ */ +/* $KAME: test-policy.c,v 1.13 2000/05/07 05:25:03 itojun Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. @@ -25,8 +28,6 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ #include <sys/types.h> @@ -34,7 +35,6 @@ #include <sys/socket.h> #include <netinet/in.h> -#include <netinet6/in6.h> #include <net/pfkeyv2.h> #include <netkey/key_debug.h> #include <netinet6/ipsec.h> @@ -43,90 +43,115 @@ #include <stdlib.h> #include <unistd.h> #include <string.h> +#include <errno.h> #include <err.h> -char *requests[] = { -"must_error", /* error */ -"in ipsec must_error", /* error */ -"out ipsec esp/must_error", /* error */ -"out discard", -"out none", -"in entrust", -"out entrust", -"in bypass", /* may be error */ -"out ipsec esp", /* error */ -"in ipsec ah/transport", -"in ipsec ah/tunnel", /* error */ -"out ipsec ah/transport/", -"out ipsec ah/tunnel/", /* error */ -"in ipsec esp / transport / 10.0.0.1-10.0.0.2", -"in ipsec esp/tunnel/::1-::2", -"in ipsec esp/tunnel/10.0.0.1-::2", /* error */ -"in ipsec esp/tunnel/::1-::2/require", -"out ipsec ah/transport//use", -"out ipsec ah/transport esp/use", -"in ipsec ah/transport esp/tunnel", /* error */ -"in ipsec +struct req_t { + int result; /* expected result; 0:ok 1:ng */ + char *str; +} reqs[] = { +{ 0, "out ipsec" }, +{ 1, "must_error" }, +{ 1, "in ipsec must_error" }, +{ 1, "out ipsec esp/must_error" }, +{ 1, "out discard" }, +{ 1, "out none" }, +{ 0, "in entrust" }, +{ 0, "out entrust" }, +{ 1, "out ipsec esp" }, +{ 0, "in ipsec ah/transport" }, +{ 1, "in ipsec ah/tunnel" }, +{ 0, "out ipsec ah/transport/" }, +{ 1, "out ipsec ah/tunnel/" }, +{ 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" }, +{ 0, "in ipsec esp/tunnel/::1-::2" }, +{ 1, "in ipsec esp/tunnel/10.0.0.1-::2" }, +{ 0, "in ipsec esp/tunnel/::1-::2/require" }, +{ 0, "out ipsec ah/transport//use" }, +{ 1, "out ipsec ah/transport esp/use" }, +{ 1, "in ipsec ah/transport esp/tunnel" }, +{ 0, "in ipsec ah/transport esp/tunnel/::1-::1" }, +{ 0, "in ipsec ah / transport - esp / tunnel / ::1-::2", -" -out ipsec -ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require -ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require -ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require -", -"out ipsec esp/transport/fec0::10-fec0::11/use", + esp / tunnel / ::1-::2" }, +{ 0, "out ipsec + ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require + ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require + ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require + " }, +{ 0, "out ipsec esp/transport/fec0::10-fec0::11/use" }, }; -int test(char *buf, int family); +int test1 __P((void)); +int test1sub1 __P((struct req_t *)); +int test1sub2 __P((char *, int)); +int test2 __P((void)); +int test2sub __P((int)); int main(ac, av) int ac; char **av; { - int do_setsockopt; - char *buf; - int i; + test1(); + test2(); - if (ac != 1) - do_setsockopt = 1; - else - do_setsockopt = 0; + exit(0); +} - for (i = 0; i < sizeof(requests)/sizeof(requests[0]); i++) { - printf("*** requests ***\n"); - printf("\t[%s]\n", requests[i]); +int +test1() +{ + int i; + int result; + + printf("TEST1\n"); + for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) { + printf("#%d [%s]\n", i + 1, reqs[i].str); - buf = ipsec_set_policy(requests[i], strlen(requests[i])); - if (buf == NULL) { - printf("ipsec_set_policy: %s\n", ipsec_strerror()); - continue; + result = test1sub1(&reqs[i]); + if (result == 0 && reqs[i].result == 1) { + errx(1, "ERROR: expecting failure.\n"); + } else if (result == 1 && reqs[i].result == 0) { + errx(1, "ERROR: expecting success.\n"); } + } + + return 0; +} - printf("\tsetlen:%d\n", ipsec_get_policylen(buf)); +int +test1sub1(req) + struct req_t *req; +{ + char *buf; - if (do_setsockopt) { - printf("\tPF_INET:\n"); - test(buf, PF_INET); + buf = ipsec_set_policy(req->str, strlen(req->str)); + if (buf == NULL) { + printf("ipsec_set_policy: %s\n", ipsec_strerror()); + return 1; + } - printf("\tPF_INET6:\n"); - test(buf, PF_INET6); - } else { - kdebug_sadb_x_policy((struct sadb_ext *)buf); - } + if (test1sub2(buf, PF_INET) != 0 + || test1sub2(buf, PF_INET6) != 0) { free(buf); + return 1; } +#if 0 + kdebug_sadb_x_policy((struct sadb_ext *)buf); +#endif + free(buf); return 0; } int -test(policy, family) +test1sub2(policy, family) char *policy; int family; { - int so, proto, optname; + int so; + int proto = 0, optname = 0; int len; char getbuf[1024]; @@ -145,35 +170,148 @@ test(policy, family) err(1, "socket"); len = ipsec_get_policylen(policy); +#if 0 + printf("\tsetlen:%d\n", len); +#endif + if (setsockopt(so, proto, optname, policy, len) < 0) { - printf("error on setsockopt"); - goto end; + printf("fail to set sockopt; %s\n", strerror(errno)); + close(so); + return 1; } - len = sizeof(getbuf); memset(getbuf, 0, sizeof(getbuf)); + memcpy(getbuf, policy, sizeof(struct sadb_x_policy)); if (getsockopt(so, proto, optname, getbuf, &len) < 0) { - printf("error on getsockopt"); - goto end; + printf("fail to get sockopt; %s\n", strerror(errno)); + close(so); + return 1; } { char *buf = NULL; +#if 0 printf("\tgetlen:%d\n", len); +#endif if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) { printf("%s\n", ipsec_strerror()); - goto end; - } else { - printf("\t[%s]\n", buf); - free(buf); + close(so); + return 1; } +#if 0 + printf("\t[%s]\n", buf); +#endif + free(buf); } - end: close (so); + return 0; +} + +char addr[] = { + 28, 28, 0, 0, + 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, + 0, 0, 0, 0, +}; + +int +test2() +{ + int so; + char *pol1 = "out ipsec"; + char *pol2 = "out ipsec ah/transport//use"; + char *sp1, *sp2; + int splen1, splen2; + int spid; + struct sadb_msg *m; + + printf("TEST2\n"); + if (getuid() != 0) + errx(1, "root privilege required.\n"); + + sp1 = ipsec_set_policy(pol1, strlen(pol1)); + splen1 = ipsec_get_policylen(sp1); + sp2 = ipsec_set_policy(pol2, strlen(pol2)); + splen2 = ipsec_get_policylen(sp2); + + if ((so = pfkey_open()) < 0) + errx(1, "ERROR: %s\n", ipsec_strerror()); + + printf("spdflush()\n"); + if (pfkey_send_spdflush(so) < 0) + errx(1, "ERROR: %s\n", ipsec_strerror()); + m = pfkey_recv(so); + free(m); + + printf("spdsetidx()\n"); + if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128, + (struct sockaddr *)addr, 128, + 255, sp1, splen1, 0) < 0) + errx(1, "ERROR: %s\n", ipsec_strerror()); + m = pfkey_recv(so); + free(m); + + printf("spdupdate()\n"); + if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128, + (struct sockaddr *)addr, 128, + 255, sp2, splen2, 0) < 0) + errx(1, "ERROR: %s\n", ipsec_strerror()); + m = pfkey_recv(so); + free(m); + + printf("spddelete()\n"); + if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128, + (struct sockaddr *)addr, 128, + 255, sp1, splen1, 0) < 0) + errx(1, "ERROR: %s\n", ipsec_strerror()); + m = pfkey_recv(so); + free(m); + + printf("spdadd()\n"); + if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128, + (struct sockaddr *)addr, 128, + 255, sp2, splen2, 0) < 0) + errx(1, "ERROR: %s\n", ipsec_strerror()); + spid = test2sub(so); + + printf("spdget(%u)\n", spid); + if (pfkey_send_spdget(so, spid) < 0) + errx(1, "ERROR: %s\n", ipsec_strerror()); + m = pfkey_recv(so); + free(m); + + printf("spddelete2()\n"); + if (pfkey_send_spddelete2(so, spid) < 0) + errx(1, "ERROR: %s\n", ipsec_strerror()); + m = pfkey_recv(so); + free(m); + + /* expecting failure */ + printf("spdupdate()\n"); + if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128, + (struct sockaddr *)addr, 128, + 255, sp2, splen2, 0) == 0) { + errx(1, "ERROR: expecting failure.\n"); + } return 0; } +int +test2sub(so) + int so; +{ + struct sadb_msg *msg; + caddr_t mhp[SADB_EXT_MAX + 1]; + + if ((msg = pfkey_recv(so)) == NULL) + errx(1, "ERROR: pfkey_recv failure.\n"); + if (pfkey_align(msg, mhp) < 0) + errx(1, "ERROR: pfkey_align failure.\n"); + + return ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id; +} + |
