diff options
| author | itojun <itojun@FreeBSD.org> | 2000-07-04 16:22:05 +0000 |
|---|---|---|
| committer | itojun <itojun@FreeBSD.org> | 2000-07-04 16:22:05 +0000 |
| commit | 0bbd943f404b5100a81abdec2bd8519971e0c58e (patch) | |
| tree | b98b84ed27cb35ed58163ab9530a39ecc47f3254 /usr.sbin/setkey | |
| parent | 993cb1d94fc91849b548394143e230fa61400d5b (diff) | |
| download | FreeBSD-src-0bbd943f404b5100a81abdec2bd8519971e0c58e.zip FreeBSD-src-0bbd943f404b5100a81abdec2bd8519971e0c58e.tar.gz | |
synchronize with latest kame tree.
behavior change: policy syntax was changed. you may need to update your
setkey(8) configuration files.
Diffstat (limited to 'usr.sbin/setkey')
| -rw-r--r-- | usr.sbin/setkey/Makefile | 7 | ||||
| -rw-r--r-- | usr.sbin/setkey/parse.y | 431 | ||||
| -rw-r--r-- | usr.sbin/setkey/sample.cf | 4 | ||||
| -rw-r--r-- | usr.sbin/setkey/scriptdump.pl | 12 | ||||
| -rw-r--r-- | usr.sbin/setkey/setkey.8 | 137 | ||||
| -rw-r--r-- | usr.sbin/setkey/setkey.c | 92 | ||||
| -rw-r--r-- | usr.sbin/setkey/test-pfkey.c | 119 | ||||
| -rw-r--r-- | usr.sbin/setkey/token.l | 81 | ||||
| -rw-r--r-- | usr.sbin/setkey/vchar.h | 13 |
9 files changed, 543 insertions, 353 deletions
diff --git a/usr.sbin/setkey/Makefile b/usr.sbin/setkey/Makefile index e6fbadc..8feb0a6 100644 --- a/usr.sbin/setkey/Makefile +++ b/usr.sbin/setkey/Makefile @@ -29,11 +29,18 @@ PROG= setkey SRCS= setkey.c parse.y token.l CFLAGS+=-g +CFLAGS+=-I${.CURDIR}/../../lib/libipsec DPADD= ${LIBL} ${LIBY} LDADD= -ll -ly CLEANFILES+= y.tab.c y.tab.h key_test.o keytest YFLAGS+=-d +# libpfkey. +# ipsec_strerror.c is for avoiding shlib reference to non-exported function. +.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey +SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c +CFLAGS+=-I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netkey + SCRIPTS= scriptdump BINOWN = root diff --git a/usr.sbin/setkey/parse.y b/usr.sbin/setkey/parse.y index 761c34d..0eea4c1 100644 --- a/usr.sbin/setkey/parse.y +++ b/usr.sbin/setkey/parse.y @@ -1,7 +1,10 @@ +/* $FreeBSD$ */ +/* $KAME: parse.y,v 1.29 2000/06/10 14:17:44 sakane Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -13,7 +16,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -25,10 +28,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ -/* KAME $Id: parse.y,v 1.7 1999/10/27 17:08:57 sakane Exp $ */ %{ #include <sys/types.h> @@ -45,48 +45,52 @@ #include <string.h> #include <unistd.h> #include <stdio.h> +#include <netdb.h> #include <ctype.h> #include <errno.h> -#include <netdb.h> +#include "libpfkey.h" #include "vchar.h" #define ATOX(c) \ (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) )) -u_int p_type; -u_int32_t p_spi; -struct sockaddr *p_src, *p_dst; -u_int p_prefs, p_prefd, p_upper; -u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode; -u_int p_key_enc_len, p_key_auth_len; -caddr_t p_key_enc, p_key_auth; -time_t p_lt_hard, p_lt_soft; +u_int p_type; +u_int32_t p_spi; +struct sockaddr *p_src, *p_dst; +u_int p_prefs, p_prefd, p_upper; +u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode; +u_int32_t p_reqid; +u_int p_key_enc_len, p_key_auth_len; +caddr_t p_key_enc, p_key_auth; +time_t p_lt_hard, p_lt_soft; -u_int p_policy_len; -char *p_policy; +u_int p_policy_len; +char *p_policy; /* temporary buffer */ -static struct sockaddr *pp_addr; -static u_int pp_prefix; -static u_int pp_port; -static caddr_t pp_key; - -extern u_char m_buf[BUFSIZ]; -extern int m_len; -extern char cmdarg[8192]; -extern int f_debug; - -int setkeymsg __P((void)); -static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int)); -void parse_init __P((void)); -void free_buffer __P((void)); - -extern int setkeymsg __P((void)); -extern int sendkeymsg __P((void)); - -extern int yylex __P((void)); -extern void yyerror __P((char *)); +static struct sockaddr *pp_addr; +static u_int pp_prefix; +static u_int pp_port; +static caddr_t pp_key; + +extern u_char m_buf[BUFSIZ]; +extern int m_len; +extern char cmdarg[8192]; +extern int f_debug; + +int setkeymsg __P((void)); +static struct addrinfo *parse_addr __P((char *, char *, int)); +static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int)); +void parse_init __P((void)); +void free_buffer __P((void)); + +extern int setkeymsg __P((void)); +extern int sendkeymsg __P((void)); + +extern int yylex __P((void)); +extern void yyfatal __P((const char *)); +extern void yyerror __P((const char *)); %} %union { @@ -96,11 +100,11 @@ extern void yyerror __P((char *)); %token EOT %token ADD GET DELETE FLUSH DUMP -%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT PORTANY +%token ADDRESS PREFIX PORT PORTANY %token UP_PROTO PR_ESP PR_AH PR_IPCOMP %token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI -%token F_MODE MODE -%token F_EXT EXTENSION +%token F_MODE MODE F_REQID +%token F_EXT EXTENSION NOCYCLICSEQ %token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP %token F_LIFETIME_HARD F_LIFETIME_SOFT %token DECSTRING QUOTEDSTRING HEXSTRING ANY @@ -108,6 +112,14 @@ extern void yyerror __P((char *)); %token SPDADD SPDDELETE SPDDUMP SPDFLUSH %token F_POLICY PL_REQUESTS +%type <num> PORT PREFIX EXTENSION MODE +%type <num> UP_PROTO PR_ESP PR_AH PR_IPCOMP +%type <num> ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP +%type <num> DECSTRING +%type <val> ADDRESS PL_REQUESTS +%type <val> key_string policy_requests +%type <val> QUOTEDSTRING HEXSTRING + %% commands : /*NOTHING*/ @@ -146,13 +158,23 @@ add_command /* delete */ delete_command : DELETE { p_type = SADB_DELETE; } - sa_selector_spec extension_spec EOT + sa_selector_spec extension_spec + { + if (p_mode != IPSEC_MODE_ANY) + yyerror("WARNING: mode is obsoleted."); + } + EOT ; /* get command */ get_command : GET { p_type = SADB_GET; } - sa_selector_spec extension_spec EOT + sa_selector_spec extension_spec + { + if (p_mode != IPSEC_MODE_ANY) + yyerror("WARNING: mode is obsoleted."); + } + EOT ; /* flush */ @@ -179,7 +201,7 @@ protocol_spec | PR_ESP { p_satype = SADB_SATYPE_ESP; - if ($1.num == 1) + if ($1 == 1) p_ext |= SADB_X_EXT_OLD; else p_ext &= ~SADB_X_EXT_OLD; @@ -187,7 +209,7 @@ protocol_spec | PR_AH { p_satype = SADB_SATYPE_AH; - if ($1.num == 1) + if ($1 == 1) p_ext |= SADB_X_EXT_OLD; else p_ext &= ~SADB_X_EXT_OLD; @@ -199,18 +221,18 @@ protocol_spec ; spi - : DECSTRING { p_spi = $1.num; } + : DECSTRING { p_spi = $1; } | HEXSTRING { caddr_t bp; - caddr_t yp = $1.val.buf; + caddr_t yp = $1.buf; char buf0[4], buf[4]; int i, j; /* sanity check */ - if ($1.val.len > 4) { + if ($1.len > 4) { yyerror("SPI too big."); - free($1.val.buf); + free($1.buf); return -1; } @@ -223,13 +245,13 @@ spi /* initialize */ for (i = 0; i < 4; i++) buf[i] = 0; - for (j = $1.val.len - 1, i = 3; j >= 0; j--, i--) + for (j = $1.len - 1, i = 3; j >= 0; j--, i--) buf[i] = buf0[j]; /* XXX: endian */ p_spi = ntohl(*(u_int32_t *)buf); - free($1.val.buf); + free($1.buf); } ; @@ -249,16 +271,16 @@ ah_spec ; ipcomp_spec - : F_COMP ALG_COMP { p_alg_enc = $2.num; } - | F_COMP ALG_COMP { p_alg_enc = $2.num; } + : F_COMP ALG_COMP { p_alg_enc = $2; } + | F_COMP ALG_COMP { p_alg_enc = $2; } F_RAWCPI { p_ext |= SADB_X_EXT_RAWCPI; } ; enc_alg - : ALG_ENC { p_alg_enc = $1.num; } + : ALG_ENC { p_alg_enc = $1; } | ALG_ENC_DESDERIV { - p_alg_enc = $1.num; + p_alg_enc = $1; if (p_ext & SADB_X_EXT_OLD) { yyerror("algorithm mismatched."); return -1; @@ -267,7 +289,7 @@ enc_alg } | ALG_ENC_DES32IV { - p_alg_enc = $1.num; + p_alg_enc = $1; if (!(p_ext & SADB_X_EXT_OLD)) { yyerror("algorithm mismatched."); return -1; @@ -286,7 +308,7 @@ enc_key } | key_string { - p_key_enc_len = $1.val.len; + p_key_enc_len = $1.len; p_key_enc = pp_key; if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT, @@ -299,7 +321,7 @@ enc_key ; auth_alg - : ALG_AUTH { p_alg_auth = $1.num; } + : ALG_AUTH { p_alg_auth = $1; } ; auth_key @@ -312,7 +334,7 @@ auth_key } | key_string { - p_key_auth_len = $1.val.len; + p_key_auth_len = $1.len; p_key_auth = pp_key; if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH, @@ -327,20 +349,20 @@ auth_key key_string : QUOTEDSTRING { - pp_key = $1.val.buf; + pp_key = $1.buf; /* free pp_key later */ } | HEXSTRING { caddr_t bp; - caddr_t yp = $1.val.buf; + caddr_t yp = $1.buf; - if ((pp_key = malloc($1.val.len)) == 0) { - free($1.val.buf); - yyerror(strerror(errno)); + if ((pp_key = malloc($1.len)) == 0) { + free($1.buf); + yyerror("not enough core"); return -1; } - memset(pp_key, 0, $1.val.len); + memset(pp_key, 0, $1.len); bp = pp_key; while (*yp) { @@ -348,7 +370,7 @@ key_string yp += 2, bp++; } - free($1.val.buf); + free($1.buf); } ; @@ -358,9 +380,11 @@ extension_spec ; extension - : F_EXT EXTENSION { p_ext |= $1.num; } - | F_MODE MODE { p_mode = $2.num; } + : F_EXT EXTENSION { p_ext |= $2; } + | F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; } + | F_MODE MODE { p_mode = $2; } | F_MODE ANY { p_mode = IPSEC_MODE_ANY; } + | F_REQID DECSTRING { p_reqid = $2; } | F_REPLAY DECSTRING { if (p_ext & SADB_X_EXT_OLD) { @@ -368,10 +392,10 @@ extension "only use on new spec."); return -1; } - p_replay = $2.num; + p_replay = $2; } - | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2.num; } - | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2.num; } + | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; } + | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; } ; /* definition about command for SPD management */ @@ -391,7 +415,7 @@ spddelete_command: p_type = SADB_X_SPDDELETE; p_satype = SADB_SATYPE_UNSPEC; } - sp_selector_spec EOT + sp_selector_spec policy_spec EOT ; spddump_command: @@ -416,97 +440,107 @@ spdflush_command: sp_selector_spec : ipaddress { p_src = pp_addr; } prefix { p_prefs = pp_prefix; } - port { _INPORTBYSA(p_src) = htons(pp_port); } + port + { + switch (p_src->sa_family) { + case AF_INET: + ((struct sockaddr_in *)p_src)->sin_port = + htons(pp_port); + break; +#ifdef INET6 + case AF_INET6: + ((struct sockaddr_in6 *)p_src)->sin6_port = + htons(pp_port); + break; +#endif + default: + exit(1); /*XXX*/ + } + } ipaddress { p_dst = pp_addr; } prefix { p_prefd = pp_prefix; } - port { _INPORTBYSA(p_dst) = htons(pp_port); } + port + { + switch (p_dst->sa_family) { + case AF_INET: + ((struct sockaddr_in *)p_dst)->sin_port = + htons(pp_port); + break; +#ifdef INET6 + case AF_INET6: + ((struct sockaddr_in6 *)p_dst)->sin6_port = + htons(pp_port); + break; +#endif + default: + exit(1); /*XXX*/ + } + } upper_spec + { + /* XXX is it something userland should check? */ +#if 0 + switch (p_upper) { + case IPPROTO_ICMP: + case IPPROTO_ICMPV6: + if (_INPORTBYSA(p_src) != IPSEC_PORT_ANY + || _INPORTBYSA(p_dst) != IPSEC_PORT_ANY) { + yyerror("port number must be \"any\"."); + return -1; + } + if ((pp_addr->sa_family == AF_INET6 + && p_upper == IPPROTO_ICMP) + || (pp_addr->sa_family == AF_INET + && p_upper == IPPROTO_ICMPV6)) { + yyerror("upper layer protocol " + "mismatched.\n"); + return -1; + } + break; + default: + break; + } +#endif + } ; ipaddress - : IP4_ADDRESS + : ADDRESS { - struct sockaddr_in *in; - u_int sa_len = $1.val.len; - - if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0) { - yyerror(strerror(errno)); - free($1.val.buf); - return -1; - } - memset((caddr_t)in, 0, sa_len); - - in->sin_family = PF_INET; - in->sin_len = sa_len; - in->sin_port = IPSEC_PORT_ANY; - (void)inet_pton(PF_INET, $1.val.buf, &in->sin_addr); + struct addrinfo *res; - pp_addr = (struct sockaddr *)in; - free($1.val.buf); - } - | IP6_ADDRESS - { -#ifdef INET6 - struct sockaddr_in6 *in6; - u_int sa_len = $1.val.len; - struct addrinfo hints, *res; - int ret_gai; - - if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0) { - free($1.val.buf); - yyerror(strerror(errno)); + res = parse_addr($1.buf, NULL, AI_NUMERICHOST); + if (res == NULL) { + free($1.buf); return -1; } - memset((caddr_t)in6, 0, sa_len); - - bzero(&hints, sizeof(struct addrinfo)); - hints.ai_flags = AI_NUMERICHOST; - hints.ai_family = AF_INET6; - ret_gai = getaddrinfo($1.val.buf, NULL, &hints, &res); - if (ret_gai) { - free($1.val.buf); - free(in6); - yyerror(gai_strerror(ret_gai)); - if (ret_gai == EAI_SYSTEM) - yyerror(strerror(errno)); - return -1; + pp_addr = (struct sockaddr *)malloc(res->ai_addrlen); + if (!pp_addr) { + yyerror("not enough core"); + goto end; } - (void)memcpy(in6, res->ai_addr, res->ai_addrlen); - - /* - * XXX: If the scope of the destination is link-local, - * embed the scope-id(in this case, interface index) - * into the address. - */ - if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr) && - in6->sin6_scope_id != 0) - *(u_short *)&in6->sin6_addr.s6_addr[2] = - htons(in6->sin6_scope_id & 0xffff); + memcpy(pp_addr, res->ai_addr, res->ai_addrlen); + end: freeaddrinfo(res); - - pp_addr = (struct sockaddr *)in6; -#else - yyerror("IPv6 address not supported"); -#endif - free($1.val.buf); + free($1.buf); } ; prefix : /*NOTHING*/ { pp_prefix = ~0; } - | PREFIX { pp_prefix = $1.num; } + | PREFIX { pp_prefix = $1; } ; port : /*NOTHING*/ { pp_port = IPSEC_PORT_ANY; } - | PORT { pp_port = $1.num; } + | PORT { pp_port = $1; } | PORTANY { pp_port = IPSEC_PORT_ANY; } ; upper_spec - : DECSTRING { p_upper = $1.num; } - | UP_PROTO { p_upper = $1.num; } + : DECSTRING { p_upper = $1; } + | UP_PROTO { p_upper = $1; } | PR_ESP { p_upper = IPPROTO_ESP; }; | PR_AH { p_upper = IPPROTO_AH; }; | PR_IPCOMP { p_upper = IPPROTO_IPCOMP; }; @@ -516,9 +550,9 @@ upper_spec policy_spec : F_POLICY policy_requests { - p_policy = ipsec_set_policy($2.val.buf, $2.val.len); + p_policy = ipsec_set_policy($2.buf, $2.len); if (p_policy == NULL) { - free($2.val.buf); + free($2.buf); p_policy = NULL; yyerror(ipsec_strerror()); return -1; @@ -526,13 +560,12 @@ policy_spec p_policy_len = ipsec_get_policylen(p_policy); - free($2.val.buf); + free($2.buf); } ; -policy_requests: - /*NOTHING*/ - | PL_REQUESTS { $$ = $1; } +policy_requests + : PL_REQUESTS { $$ = $1; } ; %% @@ -546,7 +579,6 @@ setkeymsg() m_msg.sadb_msg_type = p_type; m_msg.sadb_msg_errno = 0; m_msg.sadb_msg_satype = p_satype; - m_msg.sadb_msg_mode = p_mode; m_msg.sadb_msg_reserved = 0; m_msg.sadb_msg_seq = 0; m_msg.sadb_msg_pid = getpid(); @@ -629,6 +661,7 @@ setkeymsg() case SADB_GET: { struct sadb_sa m_sa; + struct sadb_x_sa2 m_sa2; struct sadb_address m_addr; u_int len; @@ -645,14 +678,36 @@ setkeymsg() memcpy(m_buf + m_len, &m_sa, len); m_len += len; + len = sizeof(struct sadb_x_sa2); + m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len); + m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2; + m_sa2.sadb_x_sa2_mode = p_mode; + m_sa2.sadb_x_sa2_reqid = p_reqid; + + memcpy(m_buf + m_len, &m_sa2, len); + m_len += len; + /* set src */ m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) + PFKEY_ALIGN8(p_src->sa_len)); m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY; - m_addr.sadb_address_prefixlen = - _INALENBYAF(p_src->sa_family) << 3; + switch (p_src->sa_family) { + case AF_INET: + m_addr.sadb_address_prefixlen = + sizeof(struct in_addr) << 3; + break; +#ifdef INET6 + case AF_INET6: + m_addr.sadb_address_prefixlen = + sizeof(struct in6_addr) << 3; + break; +#endif + default: + yyerror("unsupported address family"); + exit(1); /*XXX*/ + } m_addr.sadb_address_reserved = 0; setvarbuf(&m_len, @@ -665,8 +720,21 @@ setkeymsg() + PFKEY_ALIGN8(p_dst->sa_len)); m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST; m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY; - m_addr.sadb_address_prefixlen = - _INALENBYAF(p_dst->sa_family) << 3; + switch (p_dst->sa_family) { + case AF_INET: + m_addr.sadb_address_prefixlen = + sizeof(struct in_addr) << 3; + break; +#ifdef INET6 + case AF_INET6: + m_addr.sadb_address_prefixlen = + sizeof(struct in6_addr) << 3; + break; +#endif + default: + yyerror("unsupported address family"); + exit(1); /*XXX*/ + } m_addr.sadb_address_reserved = 0; setvarbuf(&m_len, @@ -681,17 +749,15 @@ setkeymsg() break; case SADB_X_SPDADD: + case SADB_X_SPDDELETE: { + struct sadb_address m_addr; + u_int8_t plen; + memcpy(m_buf + m_len, p_policy, p_policy_len); m_len += p_policy_len; free(p_policy); p_policy = NULL; - } - /* FALLTHROUGH */ - - case SADB_X_SPDDELETE: - { - struct sadb_address m_addr; /* set src */ m_addr.sadb_address_len = @@ -699,9 +765,21 @@ setkeymsg() + PFKEY_ALIGN8(p_src->sa_len)); m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; m_addr.sadb_address_proto = p_upper; + switch (p_src->sa_family) { + case AF_INET: + plen = sizeof(struct in_addr) << 3; + break; +#ifdef INET6 + case AF_INET6: + plen = sizeof(struct in6_addr) << 3; + break; +#endif + default: + yyerror("unsupported address family"); + exit(1); /*XXX*/ + } m_addr.sadb_address_prefixlen = - (p_prefs != ~0 ? p_prefs : - _INALENBYAF(p_src->sa_family) << 3); + (p_prefs != ~0 ? p_prefs : plen); m_addr.sadb_address_reserved = 0; setvarbuf(&m_len, @@ -714,9 +792,21 @@ setkeymsg() + PFKEY_ALIGN8(p_dst->sa_len)); m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST; m_addr.sadb_address_proto = p_upper; + switch (p_dst->sa_family) { + case AF_INET: + plen = sizeof(struct in_addr) << 3; + break; +#ifdef INET6 + case AF_INET6: + plen = sizeof(struct in6_addr) << 3; + break; +#endif + default: + yyerror("unsupported address family"); + exit(1); /*XXX*/ + } m_addr.sadb_address_prefixlen = - (p_prefd != ~0 ? p_prefd : - _INALENBYAF(p_dst->sa_family) << 3); + (p_prefd != ~0 ? p_prefd : plen); m_addr.sadb_address_reserved = 0; setvarbuf(&m_len, @@ -731,6 +821,30 @@ setkeymsg() return 0; } +static struct addrinfo * +parse_addr(host, port, flag) + char *host; + char *port; + int flag; +{ + struct addrinfo hints, *res = NULL; + int error; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_DGRAM; + hints.ai_flags = flag; + error = getaddrinfo(host, port, &hints, &res); + if (error != 0) { + yyerror(gai_strerror(error)); + return NULL; + } + if (res->ai_next != NULL) { + yyerror(gai_strerror(error)); + } + return res; +} + static int setvarbuf(off, ebuf, elen, vbuf, vlen) caddr_t vbuf; @@ -757,11 +871,12 @@ parse_init() p_upper = 0; p_satype = 0; - p_ext = SADB_X_EXT_NONE; + p_ext = SADB_X_EXT_CYCSEQ; p_alg_enc = SADB_EALG_NONE; p_alg_auth = SADB_AALG_NONE; p_mode = IPSEC_MODE_ANY; - p_replay = 4; + p_reqid = 0; + p_replay = 0; p_key_enc_len = p_key_auth_len = 0; p_key_enc = p_key_auth = 0; p_lt_hard = p_lt_soft = 0; diff --git a/usr.sbin/setkey/sample.cf b/usr.sbin/setkey/sample.cf index 886c449..978289d 100644 --- a/usr.sbin/setkey/sample.cf +++ b/usr.sbin/setkey/sample.cf @@ -170,7 +170,7 @@ add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004 get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; # Also delete command, you can delete a entry of either SP or SA. -spddelete out fec0:0:0:1::/64 fec0:0:0:2:/64 any ; +spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out; delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; # By dump command, you can dump all entry of either SP or SA. @@ -204,7 +204,7 @@ add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ; add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ; add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ; add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ; -add ::1 ::1 esp 10017 -m transport -f seq-pad -f cyclic-seq -E simple ; +add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E simple ; add ::1 ::1 esp 10018 -m transport -E simple ; #add ::1 ::1 ah 20000 -m transport -A null ; add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234"; diff --git a/usr.sbin/setkey/scriptdump.pl b/usr.sbin/setkey/scriptdump.pl index 5df9b4f..aa36544 100644 --- a/usr.sbin/setkey/scriptdump.pl +++ b/usr.sbin/setkey/scriptdump.pl @@ -20,8 +20,8 @@ open(IN, "setkey -D |") || die; foreach $_ (<IN>) { if (/^[^\t]/) { ($src, $dst) = split(/\s+/, $_); - } elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*replay=(\d+)/) { - ($proto, $ipsecmode, $spi, $replay) = ($1, $2, $3, $4); + } elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*reqid=(\d+)/) { + ($proto, $ipsecmode, $spi, $reqid) = ($1, $2, $3, $4); } elsif (/^\tE: (\S+) (.*)/) { $ealgo = $1; $ekey = $2; @@ -32,17 +32,19 @@ foreach $_ (<IN>) { $akey = $2; $akey =~ s/\s//g; $akey =~ s/^/0x/g; - } elsif (/^\tstate=/) { + } elsif (/^\treplay=(\d+) flags=(0x\d+) state=/) { print "$mode $src $dst $proto $spi -m $ipsecmode"; - print " -r $replay" if $replay; + $replay = $1; + print " -u $reqid" if $reqid; if ($mode eq 'add') { + print " -r $replay" if $replay; if ($proto eq 'esp') { print " -E $ealgo $ekey" if $ealgo; print " -A $aalgo $akey" if $aalgo; } elsif ($proto eq 'ah') { print " -A $aalgo $akey" if $aalgo; } - } + } print ";\n"; $src = $dst = $upper = $proxy = ''; diff --git a/usr.sbin/setkey/setkey.8 b/usr.sbin/setkey/setkey.8 index ffe1297..4736657c 100644 --- a/usr.sbin/setkey/setkey.8 +++ b/usr.sbin/setkey/setkey.8 @@ -1,6 +1,9 @@ +.\" $FreeBSD$ +.\" $KAME: setkey.8,v 1.28 2000/06/16 12:03:46 sakane Exp $ +.\" .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. .\" All rights reserved. -.\" +.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: @@ -12,7 +15,7 @@ .\" 3. Neither the name of the project nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. -.\" +.\" .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -25,15 +28,14 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: setkey.8,v 1.14 1999/10/27 17:08:58 sakane Exp $ -.\" $FreeBSD$ -.\" .Dd May 17, 1998 .Dt SETKEY 8 -.Os +.Os KAME +.\" .Sh NAME .Nm setkey -.Nd manually manipulate the SA/SP database. +.Nd manually manipulate the IPsec SA/SP database. +.\" .Sh SYNOPSIS .Nm setkey .Op Fl dv @@ -50,19 +52,20 @@ .Nm setkey .Op Fl h .Fl x -.\" +.\" .Sh DESCRIPTION .Nm -updates, or lists the content of, Security Association Database (SAD) entries -in the kernel as well as Security Policy Database (SPD) entries. +addes, updates, dumpes, or flushes +Security Association Database (SAD) entries +as well as Security Policy Database (SPD) entries in the kernel. .Pp .Nm -takes a series of operation from standard input +takes a series of operations from the standard input .Po if invoked with .Fl c .Pc -or file named +or the file named .Ar filename .Po if invoked with @@ -75,21 +78,23 @@ If with .Fl P , the SPD entries are dumped. .It Fl F -Flush the SAD. +Flush the SAD entries. If with .Fl P , -the SPD are flushed. +the SPD entries are flushed. .It Fl a .Nm -usually do not display dead SAD entries on +usually does not display dead SAD entries with .Fl D . -With +If with .Fl a , -dead SAD entries will be displayed as well. -Dead SAD entries are kept in the kernel, -when they are referenced from any of SPD entries in the kernel. +the dead SAD entries will be displayed as well. +A dead SAD entry means that +it has been expired but remains +because it is referenced by SPD entries. .It Fl d -Enable debugging messages. +Enable to print debugging messages for command parser, +without talking to kernel. It is not used usually. .It Fl x Loop forever and dump all the messages transmitted to .Dv PF_KEY @@ -98,7 +103,6 @@ socket. Add hexadecimal dump on .Fl x mode. -The order is significant. .It Fl l Loop forever with short output on .Fl D . @@ -111,10 +115,8 @@ including messages sent from other processes .Pc . .El .Pp -Operation has the following grammar. -Note that lines, that start with a -hashmark ('#') are treated as comment lines. -Description of meta-arguments follows. +Operations have the following grammar. Note that lines starting with +hashmarks ('#') are treated as comment lines. .Bl -tag -width Ds .It Xo .Li add @@ -123,51 +125,49 @@ Description of meta-arguments follows. .Ar algorithm... .Li ; .Xc -Add a SAD entry. +Add an SAD entry. .\" .It Xo .Li get .Ar src Ar dst Ar protocol Ar spi -.Op Ar mode .Li ; .Xc -Show a SAD entry. +Show an SAD entry. .\" .It Xo .Li delete .Ar src Ar dst Ar protocol Ar spi -.Op Ar mode .Li ; .Xc -Remove a SAD entry. +Remove an SAD entry. .\" .It Xo .Li flush .Op Ar protocol .Li ; .Xc -Clear all SAD entries that matches the options. +Clear all SAD entries matched by the options. .\" .It Xo .Li dump .Op Ar protocol .Li ; .Xc -Dumps all SAD entries that matches the options. +Dumps all SAD entries matched by the options. .\" .It Xo .Li spdadd .Ar src_range Ar dst_range Ar upperspec Ar policy .Li ; .Xc -Add a SPD entry. +Add an SPD entry. .\" .It Xo .Li spddelete -.Ar src_range Ar dst_range Ar upperspec +.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction .Li ; .Xc -Delete a SPD entry. +Delete an SPD entry. .\" .It Xo .Li spdflush @@ -215,8 +215,9 @@ IPCOMP .\" .Pp .It Ar spi -Security Parameter Index (SPI) for the SA and SPD. +Security Parameter Index (SPI) for the SAD and the SPD. It must be decimal number or hexadecimal number +You can not use the set of SPI values in the range 0 through 255. .Po with .Li 0x @@ -225,30 +226,40 @@ attached .\" .Pp .It Ar extensions -takes some of the following: -.Bl -tag -width Fl -compact +take some of the following: +.Bl -tag -width Fl -compact +.\" .It Fl m Ar mode -Specify an security protocol mode for use. By default, -.Li any . +Specify a security protocol mode for use. .Ar mode is one of following: .Li transport , tunnel or .Li any . +The default value is +.Li any . +.\" .It Fl r Ar size Specify window size of bytes for replay prevention. .Ar size must be decimal number in 32-bit word. If .Ar size is zero or not specified, replay check don't take place. +.\" +.It Fl u Ar id +Specify the identifier of policy. See also +.Xr ipsec_set_policy 3 . +.\" .It Fl f Ar pad_option .Ar pad_option is one of following: .Li zero-pad , random-pad or .Li seq-pad -.It Fl f Li cyclic-seq -Allow cyclic sequence number. +.\" +.It Fl f Li nocyclic-seq +Don't allow cyclic sequence number. +.\" .It Fl lh Ar time .It Fl ls Ar time Specify hard/soft lifetime. @@ -256,7 +267,7 @@ Specify hard/soft lifetime. .\" .Pp .It Ar algorithm -.Bl -tag -width Fl -compact +.Bl -tag -width Fl -compact .It Fl E Ar ealgo Ar key Specify encryption algorithm. .It Fl A Ar aalgo Ar key @@ -268,7 +279,7 @@ is used for esp, it will be treated as ESP payload authentication algorithm. Specify compression algorithm. If .Fl R -is specified with +is not specified with .Li ipcomp line, the kernel will use well-known IPComp CPI .Pq compression parameter index @@ -280,7 +291,7 @@ field is only for kernel internal use in this case. .\"Therefore, compression protocol number will appear on IPComp CPI field. If .Fl R -is not used, +is used, the value on .Ar spi field will appear on IPComp CPI field on outgoing packets. @@ -311,7 +322,7 @@ SAs accept only. .Pp .Ar key -must be double-quoted character string or a series of hexadecimal digits. +must be double-quoted character string or series of hexadecimal digits. .Pp Possible values for .Ar ealgo , @@ -322,7 +333,7 @@ are specified in separate section. .\" .It Ar src_range .It Ar dst_range -These are selection of the secure communication is specified as +These are selections of the secure communication specified as IPv4/v6 address or IPv4/v6 address range, and it may accompany TCP/UDP port specification. This takes the following form: @@ -365,7 +376,7 @@ NOTE: .Ar upperspec does not work against forwarding case at this moment, as it requires extra reassembly at forwarding node -.Pq not implemented as this moment . +.Pq not implemented at this moment . .\" .It Ar policy .Ar policy @@ -427,15 +438,15 @@ is to be one of the following: or .Li require . .Li default -means kernel consults to the system wide default against protocol you +means the kernel consults to the system wide default against protocol you specified, e.g. .Li esp_trans_deflev -sysctl variable, when kernel processes the packet. +sysctl variable, when the kernel processes the packet. .Li use -means that kernel use a SA if it's available, -otherwise kernel keeps normal operation. +means that the kernel use a SA if it's available, +otherwise the kernel keeps normal operation. .Li require -means SA is required whenever kernel deals with the packet. +means SA is required whenever the kernel deals with the packet. Note that .Dq Li discard and @@ -456,7 +467,7 @@ The following list shows the supported algorithms. and .Sy algorithm are almost orthogonal. -Following are the list of authentication algorithms that can be used as +Followings are the list of authentication algorithms that can be used as .Ar aalgo in .Fl A Ar aalgo @@ -477,7 +488,7 @@ keyed-sha1 160 ah: 96bit ICV (no document) null 0 to 2048 for debugging .Ed .Pp -Following are the list of encryption algorithms that can be used as +Followings are the list of encryption algorithms that can be used as .Ar ealgo in .Fl E Ar ealgo @@ -497,7 +508,7 @@ des-deriv 64 ipsec-ciph-des-derived-01 (expired) 3des-deriv 192 no document .Ed .Pp -Following are the list of compression algorithms that can be used as +Followings are the list of compression algorithms that can be used as .Ar calgo in .Fl C Ar calgo @@ -510,7 +521,7 @@ algorithm comment deflate rfc2394 lzs rfc2395 .Ed -.\" +.\" .Sh EXAMPLES .Bd -literal -offset add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 @@ -533,20 +544,18 @@ spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ; .Ed -.\" +.\" .Sh RETURN VALUES The command exits with 0 on success, and non-zero on errors. -.\" +.\" .Sh SEE ALSO .Xr ipsec_set_policy 3 , .Xr sysctl 8 -.\" +.\" .Sh HISTORY The .Nm command first appeared in WIDE Hydrangea IPv6 protocol stack kit. The command was completely re-designed in June 1998. -.Pp -IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack -was initially integrated into -.Fx 4.0 +.\" +.\" .Sh BUGS diff --git a/usr.sbin/setkey/setkey.c b/usr.sbin/setkey/setkey.c index 73edc3f..b1e1c1e 100644 --- a/usr.sbin/setkey/setkey.c +++ b/usr.sbin/setkey/setkey.c @@ -1,7 +1,10 @@ +/* $FreeBSD$ */ +/* $KAME: setkey.c,v 1.14 2000/06/10 06:47:09 sakane Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -13,7 +16,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -25,10 +28,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ -/* KAME $Id: setkey.c,v 1.5 1999/10/26 09:39:37 sakane Exp $ */ #include <sys/types.h> #include <sys/param.h> @@ -51,40 +51,42 @@ #include <errno.h> #include <netdb.h> -void Usage __P((void)); -int main __P((int, char **)); -int get_supported __P((void)); -void sendkeyshort __P((u_int)); -void promisc __P((void)); -int sendkeymsg __P((void)); -int postproc __P((struct sadb_msg *, int)); -const char *numstr __P((int)); -void shortdump_hdr __P((void)); -void shortdump __P((struct sadb_msg *)); +#include "libpfkey.h" + +void Usage __P((void)); +int main __P((int, char **)); +int get_supported __P((void)); +void sendkeyshort __P((u_int)); +void promisc __P((void)); +int sendkeymsg __P((void)); +int postproc __P((struct sadb_msg *, int)); +const char *numstr __P((int)); +void shortdump_hdr __P((void)); +void shortdump __P((struct sadb_msg *)); #define MODE_SCRIPT 1 #define MODE_CMDDUMP 2 #define MODE_CMDFLUSH 3 +#define MODE_PROMISC 4 int so; -int f_forever = 0; -int f_all = 0; -int f_debug = 0; -int f_verbose = 0; -int f_mode = 0; -int f_cmddump = 0; -int f_policy = 0; -int f_promisc = 0; -int f_hexdump = 0; -char *pname; +int f_forever = 0; +int f_all = 0; +int f_debug = 0; +int f_verbose = 0; +int f_mode = 0; +int f_cmddump = 0; +int f_policy = 0; +int f_hexdump = 0; +char *pname; -u_char m_buf[BUFSIZ]; -u_int m_len; +u_char m_buf[BUFSIZ]; +u_int m_len; -extern int lineno; +extern int lineno; -extern int parse __P((FILE **)); +extern int parse __P((FILE **)); void Usage() @@ -95,7 +97,7 @@ Usage() printf("\t%s [-Pdv] -F\n", pname); printf("\t%s [-h] -x\n", pname); pfkey_close(so); - exit(0); + exit(1); } int @@ -139,9 +141,8 @@ main(ac, av) f_hexdump = 1; break; case 'x': - f_promisc = 1; - promisc(); - /*NOTREACHED*/ + f_mode = MODE_PROMISC; + break; case 'P': f_policy = 1; break; @@ -170,10 +171,15 @@ main(ac, av) errx(-1, "%s", ipsec_strerror()); /*NOTREACHED*/ } - parse(&fp); + if (parse(&fp)) + exit (1); break; + case MODE_PROMISC: + promisc(); + /*NOTREACHED*/ default: Usage(); + /*NOTREACHED*/ } exit(0); @@ -216,7 +222,6 @@ sendkeyshort(type) m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC; m_msg->sadb_msg_len = PFKEY_UNIT64(m_len); m_msg->sadb_msg_reserved = 0; - m_msg->sadb_msg_reserved = 0; m_msg->sadb_msg_seq = 0; m_msg->sadb_msg_pid = getpid(); @@ -240,7 +245,6 @@ promisc() m_msg->sadb_msg_satype = 1; m_msg->sadb_msg_len = PFKEY_UNIT64(m_len); m_msg->sadb_msg_reserved = 0; - m_msg->sadb_msg_reserved = 0; m_msg->sadb_msg_seq = 0; m_msg->sadb_msg_pid = getpid(); @@ -325,8 +329,10 @@ sendkeymsg() if (f_forever) shortdump_hdr(); again: - if (f_verbose) + if (f_verbose) { kdebug_sadb((struct sadb_msg *)m_buf); + printf("\n"); + } if ((len = send(so, m_buf, m_len, 0)) < 0) { perror("send"); @@ -345,8 +351,10 @@ again: break; } - if (f_verbose) + if (f_verbose) { kdebug_sadb((struct sadb_msg *)rbuf); + printf("\n"); + } if (postproc(msg, len) < 0) break; } while (msg->sadb_msg_errno || msg->sadb_msg_seq); @@ -423,8 +431,10 @@ postproc(msg, len) pfkey_sadump(msg); msg = (struct sadb_msg *)((caddr_t)msg + PFKEY_UNUNIT64(msg->sadb_msg_len)); - if (f_verbose) + if (f_verbose) { kdebug_sadb((struct sadb_msg *)msg); + printf("\n"); + } break; case SADB_X_SPDDUMP: @@ -432,8 +442,10 @@ postproc(msg, len) if (msg->sadb_msg_seq == 0) break; msg = (struct sadb_msg *)((caddr_t)msg + PFKEY_UNUNIT64(msg->sadb_msg_len)); - if (f_verbose) + if (f_verbose) { kdebug_sadb((struct sadb_msg *)msg); + printf("\n"); + } break; } diff --git a/usr.sbin/setkey/test-pfkey.c b/usr.sbin/setkey/test-pfkey.c index 849aba3..b1fb238 100644 --- a/usr.sbin/setkey/test-pfkey.c +++ b/usr.sbin/setkey/test-pfkey.c @@ -1,7 +1,10 @@ +/* $FreeBSD$ */ +/* $KAME: test-pfkey.c,v 1.4 2000/06/07 00:29:14 itojun Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -13,7 +16,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -25,10 +28,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ -/* KAME $Id: test-pfkey.c,v 1.2 1999/10/26 08:09:17 itojun Exp $ */ #include <sys/types.h> #include <sys/param.h> @@ -47,23 +47,24 @@ #include <ctype.h> #include <unistd.h> #include <errno.h> - -u_char m_buf[BUFSIZ]; -u_int m_len; -char *pname; - -void Usage __P((void)); -int sendkeymsg __P((void)); -void key_setsadbmsg __P((u_int)); -void key_setsadbsens __P((void)); -void key_setsadbprop __P((void)); -void key_setsadbid __P((u_int, caddr_t)); -void key_setsadblft __P((u_int, u_int)); -void key_setspirange __P((void)); -void key_setsadbkey __P((u_int, caddr_t)); -void key_setsadbsa __P((void)); -void key_setsadbaddr __P((u_int, u_int, caddr_t)); -void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int)); +#include <netdb.h> + +u_char m_buf[BUFSIZ]; +u_int m_len; +char *pname; + +void Usage __P((void)); +int sendkeymsg __P((void)); +void key_setsadbmsg __P((u_int)); +void key_setsadbsens __P((void)); +void key_setsadbprop __P((void)); +void key_setsadbid __P((u_int, caddr_t)); +void key_setsadblft __P((u_int, u_int)); +void key_setspirange __P((void)); +void key_setsadbkey __P((u_int, caddr_t)); +void key_setsadbsa __P((void)); +void key_setsadbaddr __P((u_int, u_int, caddr_t)); +void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int)); void Usage() @@ -98,6 +99,18 @@ sendkeymsg() perror("socket(PF_KEY)"); goto end; } +#if 0 + { +#include <sys/time.h> + struct timeval tv; + tv.tv_sec = 1; + tv.tv_usec = 0; + if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) { + perror("setsockopt"); + goto end; + } + } +#endif pfkey_sadump((struct sadb_msg *)m_buf); @@ -124,11 +137,14 @@ key_setsadbmsg(type) { struct sadb_msg m_msg; + memset(&m_msg, 0, sizeof(m_msg)); m_msg.sadb_msg_version = PF_KEY_V2; m_msg.sadb_msg_type = type; m_msg.sadb_msg_errno = 0; m_msg.sadb_msg_satype = SADB_SATYPE_ESP; +#if 0 m_msg.sadb_msg_reserved = 0; +#endif m_msg.sadb_msg_seq = 0; m_msg.sadb_msg_pid = getpid(); @@ -223,6 +239,24 @@ key_setsadbmsg(type) break; case SADB_X_SPDADD: +#if 0 + { + struct sadb_x_policy m_policy; + + m_policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(m_policy)); + m_policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY; + m_policy.sadb_x_policy_type = SADB_X_PL_IPSEC; + m_policy.sadb_x_policy_esp_trans = 1; + m_policy.sadb_x_policy_ah_trans = 2; + m_policy.sadb_x_policy_esp_network = 3; + m_policy.sadb_x_policy_ah_network = 4; + m_policy.sadb_x_policy_reserved = 0; + + memcpy(m_buf + m_len, &m_policy, sizeof(struct sadb_x_policy)); + m_len += sizeof(struct sadb_x_policy); + } +#endif + case SADB_X_SPDDELETE: key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1"); key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4"); @@ -437,32 +471,49 @@ key_setsadbaddr(ext, af, str) caddr_t str; { struct sadb_address m_addr; - u_char abuf[64]; - struct sockaddr *a = (struct sockaddr *)abuf; u_int len; + struct addrinfo hints, *res; + const char *serv; + int plen; + + switch (af) { + case AF_INET: + plen = sizeof(struct in_addr) << 3; + break; + case AF_INET6: + plen = sizeof(struct in6_addr) << 3; + break; + default: + /* XXX bark */ + exit(1); + } /* make sockaddr buffer */ - memset(abuf, 0, sizeof(abuf)); - a->sa_len = _SALENBYAF(af); - a->sa_family = af; - _INPORTBYSA(a) = - (ext == SADB_EXT_ADDRESS_PROXY ? 0 : htons(0x1234)); - if (inet_pton(af, str, _INADDRBYSA(a)) != 1) - ; /* XXX do something */ + memset(&hints, 0, sizeof(hints)); + hints.ai_family = af; + hints.ai_socktype = SOCK_DGRAM; /*dummy*/ + hints.ai_flags = AI_NUMERICHOST; + serv = (ext == SADB_EXT_ADDRESS_PROXY ? "0" : "4660"); /*0x1234*/ + if (getaddrinfo(str, serv, &hints, &res) != 0 || res->ai_next) { + /* XXX bark */ + exit(1); + } - len = sizeof(struct sadb_address) + PFKEY_ALIGN8(a->sa_len); + len = sizeof(struct sadb_address) + PFKEY_ALIGN8(res->ai_addrlen); m_addr.sadb_address_len = PFKEY_UNIT64(len); m_addr.sadb_address_exttype = ext; m_addr.sadb_address_proto = (ext == SADB_EXT_ADDRESS_PROXY ? 0 : IPPROTO_TCP); - m_addr.sadb_address_prefixlen = _INALENBYAF(af); + m_addr.sadb_address_prefixlen = plen; m_addr.sadb_address_reserved = 0; key_setsadbextbuf(m_buf, m_len, (caddr_t)&m_addr, sizeof(struct sadb_address), - abuf, a->sa_len); + (caddr_t)res->ai_addr, res->ai_addrlen); m_len += len; + freeaddrinfo(res); + return; } diff --git a/usr.sbin/setkey/token.l b/usr.sbin/setkey/token.l index 0154bee..8916fdd 100644 --- a/usr.sbin/setkey/token.l +++ b/usr.sbin/setkey/token.l @@ -1,7 +1,10 @@ +/* $FreeBSD$ */ +/* $KAME: token.l,v 1.13 2000/06/07 00:29:14 itojun Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -13,7 +16,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -25,8 +28,6 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ %{ @@ -63,18 +64,19 @@ #define PREPROC DECHO CMDARG -int lineno = 1; -char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */ +int lineno = 1; +char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */ -extern u_char m_buf[BUFSIZ]; -extern u_int m_len; -extern int f_debug; +extern u_char m_buf[BUFSIZ]; +extern u_int m_len; +extern int f_debug; -int yylex __P((void)); -void yyerror __P((char *s)); -extern void parse_init __P((void)); -int parse __P((FILE **)); -int yyparse __P((void)); +int yylex __P((void)); +void yyfatal __P((const char *s)); +void yyerror __P((const char *s)); +extern void parse_init __P((void)); +int parse __P((FILE **)); +int yyparse __P((void)); %} @@ -106,9 +108,7 @@ decstring {digit}+ hexpair {hexdigit}{hexdigit} hexstring 0[xX]{hexdigit}+ octetstring {octet}({dot}{octet})+ -ipaddress {ipv4addr}|{ipv6addr} -ipv4addr {digit}{1,3}({dot}{digit}{1,3}){0,3} -ipv6addr {hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7}(%{letter}{letter}+)? +ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*) ipaddrmask {slash}{digit}{1,3} ipaddrport {blcl}{decstring}{elcl} keyword {letter}{letter}+ @@ -186,11 +186,12 @@ lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); } {hyphen}m { PREPROC; return(F_MODE); } transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); } tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); } +{hyphen}u { PREPROC; return(F_REQID); } {hyphen}f { PREPROC; return(F_EXT); } random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); } seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); } zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); } -cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); } +nocyclic-seq { PREPROC; return(NOCYCLICSEQ); } {hyphen}r { PREPROC; return(F_REPLAY); } {hyphen}lh { PREPROC; return(F_LIFETIME_HARD); } {hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); } @@ -214,35 +215,17 @@ any { PREPROC; return(ANY); } char *bp; PREPROC; - yylval.num = strtol(yytext, &bp, 10); + yylval.num = strtoul(yytext, &bp, 10); return(DECSTRING); } -{ipv4addr} { - /* - * I can't supprt the type without dot, - * because it's umbiguous against {decstring}. - * e.g. 127 - */ +{ipaddress} { PREPROC; - yylval.val.len = sizeof(struct sockaddr_in); + yylval.val.len = yyleng; yylval.val.buf = strdup(yytext); - return(IP4_ADDRESS); - } - -{ipv6addr} { -#ifdef INET6 - PREPROC; - - yylval.val.len = sizeof(struct sockaddr_in6); - yylval.val.buf = strdup(yytext); - - return(IP6_ADDRESS); -#else - yyerror("IPv6 address not supported"); -#endif + return(ADDRESS); } {ipaddrmask} { @@ -263,7 +246,6 @@ any { PREPROC; return(ANY); } } {blcl}any{elcl} { - char *p = yytext; PREPROC; return(PORTANY); } @@ -294,12 +276,24 @@ any { PREPROC; return(ANY); } return(QUOTEDSTRING); } -. { yyerror("Syntax error"); } +. { + yyfatal("Syntax error"); + /*NOTREACHED*/ + } %% void -yyerror(char *s) +yyfatal(s) + const char *s; +{ + yyerror(s); + exit(1); +} + +void +yyerror(s) + const char *s; { printf("line %d: %s at [%s]\n", lineno, s, yytext); } @@ -319,4 +313,3 @@ parse(fp) return(0); } - diff --git a/usr.sbin/setkey/vchar.h b/usr.sbin/setkey/vchar.h index 977f5f0..f3251c7 100644 --- a/usr.sbin/setkey/vchar.h +++ b/usr.sbin/setkey/vchar.h @@ -1,7 +1,10 @@ +/* $FreeBSD$ */ +/* $KAME: vchar.h,v 1.2 2000/06/07 00:29:14 itojun Exp $ */ + /* * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -13,7 +16,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -25,11 +28,9 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ typedef struct { - u_int len; - caddr_t buf; + u_int len; + caddr_t buf; } vchar_t; |
