diff options
author | ru <ru@FreeBSD.org> | 2003-06-23 10:56:43 +0000 |
---|---|---|
committer | ru <ru@FreeBSD.org> | 2003-06-23 10:56:43 +0000 |
commit | d72cbcaa9c8cf6e0e4476a41e0254dd545f76847 (patch) | |
tree | 2f9b2a3fb26e343479c0e6bccf9f2a58a4cb2eca /usr.sbin | |
parent | be58c39327361b5d9db527523a0d0d0a380a60ba (diff) | |
download | FreeBSD-src-d72cbcaa9c8cf6e0e4476a41e0254dd545f76847.zip FreeBSD-src-d72cbcaa9c8cf6e0e4476a41e0254dd545f76847.tar.gz |
Delete keyadmin: its functionality is now provided by setkey(8).
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/keyadmin/Makefile | 7 | ||||
-rw-r--r-- | usr.sbin/keyadmin/keyadmin.8 | 249 | ||||
-rw-r--r-- | usr.sbin/keyadmin/keyadmin.c | 1254 | ||||
-rw-r--r-- | usr.sbin/keyadmin/keys | 18 |
4 files changed, 0 insertions, 1528 deletions
diff --git a/usr.sbin/keyadmin/Makefile b/usr.sbin/keyadmin/Makefile deleted file mode 100644 index c068d89..0000000 --- a/usr.sbin/keyadmin/Makefile +++ /dev/null @@ -1,7 +0,0 @@ -# $ANA: Makefile,v 1.2 1996/06/13 20:11:05 wollman Exp $ -# $FreeBSD$ - -PROG= keyadmin -MAN= keyadmin.8 - -.include <bsd.prog.mk> diff --git a/usr.sbin/keyadmin/keyadmin.8 b/usr.sbin/keyadmin/keyadmin.8 deleted file mode 100644 index a125e99..0000000 --- a/usr.sbin/keyadmin/keyadmin.8 +++ /dev/null @@ -1,249 +0,0 @@ -.\"# @(#)COPYRIGHT 1.1a (NRL) 17 August 1995 -.\" -.\"COPYRIGHT NOTICE -.\" -.\"All of the documentation and software included in this software -.\"distribution from the US Naval Research Laboratory (NRL) are -.\"copyrighted by their respective developers. -.\" -.\"This software and documentation were developed at NRL by various -.\"people. Those developers have each copyrighted the portions that they -.\"developed at NRL and have assigned All Rights for those portions to -.\"NRL. Outside the USA, NRL also has copyright on the software -.\"developed at NRL. The affected files all contain specific copyright -.\"notices and those notices must be retained in any derived work. -.\" -.\"NRL LICENSE -.\" -.\"NRL grants permission for redistribution and use in source and binary -.\"forms, with or without modification, of the software and documentation -.\"created at NRL provided that the following conditions are met: -.\" -.\"1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\"2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\"3. All advertising materials mentioning features or use of this software -.\" must display the following acknowledgement: -.\" -.\" This product includes software developed at the Information -.\" Technology Division, US Naval Research Laboratory. -.\" -.\"4. Neither the name of the NRL nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\"THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS -.\"IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -.\"TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -.\"PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR -.\"CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -.\"EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -.\"PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -.\"PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -.\"LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -.\"NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -.\"SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.\"The views and conclusions contained in the software and documentation -.\"are those of the authors and should not be interpreted as representing -.\"official policies, either expressed or implied, of the US Naval -.\"Research Laboratory (NRL). -.\" -.\"----------------------------------------------------------------------*/ -.\" -.\" $ANA: keyadmin.8,v 1.3 1996/06/13 20:15:57 wollman Exp $ -.\" $FreeBSD$ -.\" -.Dd June 13, 1996 -.Dt KEY 8 -.Os -.Sh NAME -.Nm keyadmin -.Nd manually manipulate the kernel key management database -.Sh SYNOPSIS -.Nm -.Op Ar command Op Ar args -.Sh DESCRIPTION -The -.Nm -utility is used to manually enter security associations into the kernel -key/security association database. (See -.Xr key 4 ) . -.Pp -Almost any operation offered in the -.Xr key 4 -API is available to privileged users running -.Nm . -Until there is an implementation of an automated key management protocol, -which will manipulate the key database in a manner similar to how -.Xr routed 8 -or -.Xr gated 8 -manipulates the routing tables, -.Nm -is the only way of establishing security associations. -.Pp -If -.Nm -is invoked without any arguments, it will enter an interactive mode, where -the user can type in -.Dq Ar command Op Ar args -interactively, or use -.Nm -to enter a single -.Dq Ar command Op Ar args . -.Ar Command -can be one of the following: -.Bl -inset -.It Ic del Ar type spi source destination -.Pp -Delete a security association between -.Ar source -and -.Ar destination -of the given -.Ar type -and -.Ar spi . -Example: -.Bd -literal - delete esp 90125 anderson.yes.org rabin.yes.org -.Ed -.It Ic get Ar type spi source destination -.Pp -Retrieve (and print) a security association between -.Ar source -and -.Ar destination -of the given -.Ar type -and -.Ar spi . -Example: -.Bd -literal - get ah 5150 eddie.vanhalen.com alex.vanhalen.com -.Ed -.It Ic dump -.Pp -Display the entire security association table. WARNING: This prints a lot -of data. -.It Ic load Ar filename -.Pp -Load security association information from a file formatted as documented in -.Xr keys 5 . -If -.Dq - -is specified for the -.Ar filename , -load keys from the standard input. -.It Ic save Ar filename -.Pp -Save security association information to a file formatted as documented in -.Xr keys 5 . -If -.Dq - -is specified for the -.Ar filename , -place the key file out on the standard output. (This can be used as a sort -of lightweight -.Ic dump -command.) -NOTE: The -.Ic save -command must create a new file; it will not write into an -existing file. This is to prevent writing into a world-readable file, or a -named pipe or UNIX socket (see -.Xr socket 2 -and -.Xr mkfifo 1 ) . -.It Ic help Op command -.Pp -Offer brief help without an argument, or slightly more specific help on a -particular command. -.It Ic flush -.Pp -Erase all entries in the kernel security association table. -.El -.Pp -The following values for -.Ar command -are only available by using -.Nm -in its interactive mode of operation: -.Bl -inset -.It Ic add Ar type spi source destination transform key -.Op Ar iv -.Pp -Add a security association of a particular -.Ar type -and -.Ar spi -from a -.Ar source -to a -.Ar destination , -using a particular -.Ar transform -and -.Ar key . -If a transform requires an initialization vector, the -.Ar iv -argument contains it. This command is available only in interactive mode -because -.Nm -makes no attempt to destroy its argument vector after use. A malicious user -of the -.Xr ps 1 -command could determine security keys if -.Ic add -were allowed to be used straight from the command line. Example: -.Bd -literal - add esp 2112 temples.syrinx.org priests.syrinx.org des-cbc \\ - a652a476a652a476 87ac9876deac9876 -.Ed -.It Ic exit -.It Ic quit -.Pp -Exit interaction with -.Nm . -An EOF will also end interaction with -.Nm . -.El -.Sh SEE ALSO -.Xr ipsec 4 , -.Xr key 4 , -.Xr route 4 , -.Xr gated 8 , -.Xr routed 8 -.Sh HISTORY -The -.Nm -utility first appeared in NRL's -.Bx 4.4 -IPv6 networking distribution. -The -.Nm -utility -started its life as a pipe dream thought up by Dan McDonald, and came to -life through the excruciating efforts of Ran Atkinson, Dan McDonald, -Craig Metz, and Bao Phan. -The NRL version of the program was originally called -.Nm key , -but was renamed to -.Nm -because of the conflict with -.Xr key 1 . -.Sh BUGS -The -.Nm -utility needs a -n flag like -.Xr route 8 -to avoid name lookups. -.Pp -The -.Ic dump -and -.Ic save -commands currently display the first 30 or so entries. diff --git a/usr.sbin/keyadmin/keyadmin.c b/usr.sbin/keyadmin/keyadmin.c deleted file mode 100644 index d34c60d..0000000 --- a/usr.sbin/keyadmin/keyadmin.c +++ /dev/null @@ -1,1254 +0,0 @@ -/*---------------------------------------------------------------------- - key.c: Main routines for the key(8) tool for manually managing - cryptographic keys and security associations inside the - Key Engine of the operating system. - - Future Enhancements should support: - multiple sensitivity levels - OSPFv2 keys - RIPv2 keys - Triple DES for ESP - DES+MD5 for ESP - - Copyright 1995 by Bao Phan, Randall Atkinson, & Dan McDonald, - All Rights Reserved. All Rights have been assigned to the - US Naval Research Laboratory. The NRL Copyright Notice and - License govern distribution and use of this software. -----------------------------------------------------------------------*/ -/*---------------------------------------------------------------------- -# @(#)COPYRIGHT 1.1a (NRL) 17 August 1995 - -COPYRIGHT NOTICE - -All of the documentation and software included in this software -distribution from the US Naval Research Laboratory (NRL) are -copyrighted by their respective developers. - -This software and documentation were developed at NRL by various -people. Those developers have each copyrighted the portions that they -developed at NRL and have assigned All Rights for those portions to -NRL. Outside the USA, NRL also has copyright on the software -developed at NRL. The affected files all contain specific copyright -notices and those notices must be retained in any derived work. - -NRL LICENSE - -NRL grants permission for redistribution and use in source and binary -forms, with or without modification, of the software and documentation -created at NRL provided that the following conditions are met: - -1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. -3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - - This product includes software developed at the Information - Technology Division, US Naval Research Laboratory. - -4. Neither the name of the NRL nor the names of its contributors - may be used to endorse or promote products derived from this software - without specific prior written permission. - -THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS -IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR -CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -The views and conclusions contained in the software and documentation -are those of the authors and should not be interpreted as representing -official policies, either expressed or implied, of the US Naval -Research Laboratory (NRL). - -----------------------------------------------------------------------*/ - -/* - * $ANA: keyadmin.c,v 1.2 1996/06/13 19:42:40 wollman Exp $ - */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/socket.h> -#include <sys/socketvar.h> - -#include <err.h> -#include <errno.h> -#include <fcntl.h> -#include <netdb.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#include <netinet/in.h> - -#ifdef INET6 -#include <netinet6/in6.h> -#else /* INET6 */ -#if 0 -#include <netinet6/in6_types.h> -#endif -#endif /* INET6 */ - -#ifdef IPSEC -#include <netsec/ipsec.h> -#endif -#include <netkey/key.h> - -#ifdef INET6 -#include <netinet6/support.h> -#endif - -#ifndef INET6 /* XXX */ -#define hostname2addr(a, b, c) gethostbyname(a) -#define addr2hostname(a, b, c, d) gethostbyaddr((a), (b), (c)) -#endif - -#include <arpa/inet.h> - -int parse7 __P((int, char **)); -int parse4 __P((int, char **)); -int docmd __P((int, char **)); - -#define KEYCMD_ARG_MAX 10 - -#define KEYCMD_LOAD 1 -#define KEYCMD_SAVE 2 -#define KEYCMD_ADD 3 -#define KEYCMD_DEL 4 -#define KEYCMD_FLUSH 5 -#define KEYCMD_GET 6 -#define KEYCMD_DUMP 7 -#define KEYCMD_HELP 8 -#define KEYCMD_EXIT 9 -#define KEYCMD_SHELL 10 - -struct nametonum { - char *name; - int num; - int flags; -}; - -char parse7usage[] = "<type> <spi> <src> <dst> <transform> <key> [iv]"; -char parse4usage[] = "<type> <spi> <src> <dst>"; - -struct keycmd { - char *name; - int num; - int (*parse) __P((int, char **)); - char *usage; - char *help; -} keycmds[] = { - { "add", KEYCMD_ADD, parse7, parse7usage, - "Adds a specific key entry to the kernel key table." }, - { "del", KEYCMD_DEL, parse4, parse4usage, - "Removes a specific key entry from the kernel key table." }, - { "get", KEYCMD_GET, parse4, parse4usage, - "Retrieves a key entry from the kernel key table." }, - { "dump", KEYCMD_DUMP, NULL, " ", - "Retrieves all key entries from the kernel key table." }, - { "load", KEYCMD_LOAD, NULL, "{ <filename> | - }", - "Loads keys from a file or stdin into the kernel key table." }, - { "save", KEYCMD_SAVE, NULL, "{ <filename> | - }", - "Saves keys from the kernel key table to a file or stdout." }, - { "help", KEYCMD_HELP, NULL, "[command]", - "Provides limited on-line help. Read the man page for more." }, - { "flush", KEYCMD_FLUSH, NULL, NULL, - "Clears the kernel key table." }, - { "!", KEYCMD_SHELL, NULL, "[command]", - "Executes a subshell." }, - { "exit", KEYCMD_EXIT, NULL, NULL, - "Exits the program." }, - { "quit", KEYCMD_EXIT, NULL, NULL, - "Exits the program." }, - { NULL, 0, NULL, NULL, NULL } -}; - -/* flags: index into algorithmtabs */ - -struct nametonum keytypes[] = { -#ifdef IPSEC - { "ah", KEY_TYPE_AH, 0 }, - { "esp", KEY_TYPE_ESP, 1 }, -#endif - { "rsvp", KEY_TYPE_RSVP, 2 }, - { "ospf", KEY_TYPE_OSPF, 3 }, - { "rip", KEY_TYPE_RIPV2, 4 }, - { NULL, 0, 0 } -}; - -#ifndef IPSEC_ALGTYPE_AUTH_MD5 /* XXX */ -#define IPSEC_ALGTYPE_AUTH_MD5 1 -#endif - -/* flags: true = iv req. */ -struct nametonum authalgorithms[] = { - { "md5", IPSEC_ALGTYPE_AUTH_MD5, 0 }, -#ifdef DEBUG - /* These provide no security but are useful for debugging the - kernel's ESP and Key Engine and PF_KEY routines */ - { "dummy", IPSEC_ALGTYPE_AUTH_DUMMY, 0 }, - { "cksum", IPSEC_ALGTYPE_AUTH_CKSUM, 0 }, -#endif - { NULL, 0, 0 } -}; - -#ifndef IPSEC_ALGTYPE_ESP_DES_CBC /* XXX */ -#define IPSEC_ALGTYPE_ESP_DES_CBC 1 -#endif - -/* flags: true = iv req. */ -struct nametonum encralgorithms[] = { - { "des-cbc", IPSEC_ALGTYPE_ESP_DES_CBC, 1 }, -#ifdef DEBUG - /* These provide no security but are useful for debugging the - kernel's ESP and Key Engine and PF_KEY routines */ - { "dummy", IPSEC_ALGTYPE_ESP_DUMMY, 0 }, -#endif - { NULL, 0, 0 } -}; - -/* - * These numbers should be defined in a header file somewhere - * and shared with the consuming programs, once someone has - * actually written the support in those programs (rspvd, - * gated, and routed). Probably <protocols/...>...? - */ -#define RSVP_AUTHTYPE_MD5 1 /* XXX */ -struct nametonum rsvpalgorithms[] = { - { "md5", RSVP_AUTHTYPE_MD5, 0 }, - { NULL, 0, 0 } -}; - -#define OSPF_AUTHTYPE_MD5 1 /* XXX */ -struct nametonum ospfalgorithms[] = { - { "md5", OSPF_AUTHTYPE_MD5, 0 }, - { NULL, 0, 0 } -}; - -#define RIPV2_AUTHTYPE_MD5 1 /* XXX */ -struct nametonum ripalgorithms[] = { - { "md5", RIPV2_AUTHTYPE_MD5, 0 }, - { NULL, 0, 0 } -}; - -/* NB: It is the ordering here that determines the values for the - flags specified above that are used to index into algorithmtabs[] */ -struct nametonum *algorithmtabs[] = { - authalgorithms, - encralgorithms, - rsvpalgorithms, - ospfalgorithms, - ripalgorithms, - NULL -}; - -char buffer[1024] = "\0"; - -#define MAXRCVBUFSIZE 8 * 1024 - -char key_message[sizeof(struct key_msghdr) + MAX_SOCKADDR_SZ * 3 - + MAX_KEY_SZ + MAX_IV_SZ]; -int key_messageptr; - -int keysock = -1; - -int keygetseqno = 1; -int keydumpseqno = 1; -pid_t mypid; - - -/*---------------------------------------------------------------------- - help: Print appropriate help message on stdout. - -----------------------------------------------------------------------*/ -int help(cmdname) - char *cmdname; -{ - int i; - - if (cmdname) { - for (i = 0; keycmds[i].name; i++) - if (!strcasecmp(keycmds[i].name, cmdname)) - break; - - if (!keycmds[i].name) { - warnx("unknown command: %s", cmdname); - return 0; - } - - printf("%s%s%s\n", keycmds[i].name, keycmds[i].usage ? " " : "", - keycmds[i].usage ? keycmds[i].usage : ""); - - if (keycmds[i].help) - puts(keycmds[i].help); - } else { - for (i = 0; keycmds[i].name; i++) - printf("\t%s%s%s\n", keycmds[i].name, keycmds[i].usage ? " " : "", - keycmds[i].usage ? keycmds[i].usage : ""); - } - - return 0; -} - -/*---------------------------------------------------------------------- - usage: print suitable usage message on stdout. - -----------------------------------------------------------------------*/ -static void -usage() -{ - - fprintf(stderr, "usage: keyadmin <command> <args>\n"); -} - -/*---------------------------------------------------------------------- - parsekey: parse argument into a binary key and also record - the length of the resulting key. -----------------------------------------------------------------------*/ -int parsekey(key, keylen, arg) - u_int8_t *key; - u_int8_t *keylen; - char *arg; -{ - int i, j, k, l; - u_int8_t thisbyte; - - i = strlen(arg); - - if ((i == 1) && (arg[0] == '0')) { - *keylen = 0; - return 0; - } - - if ((i % 2)) { - printf("Invalid number \"%s\"\n", arg); - return -1; - } - - j = 1; - k = l = thisbyte = 0; - - while(arg[k]) { - if ((arg[k] >= '0') && (arg[k] <= '9')) - thisbyte |= arg[k] - '0'; - else - if ((arg[k] >= 'a') && (arg[k] <= 'f')) - thisbyte |= arg[k] - 'a' + 10; - else - if ((arg[k] >= 'A') && (arg[k] <= 'F')) - thisbyte |= arg[k] - 'A' + 10; - else { - printf("Invalid hex number \"%s\"\n", arg); - return 1; - } - - if (!(j % 2)) - key[l++] = thisbyte; - - thisbyte = (thisbyte << 4); - j++; - k++; - } - - *keylen = l; - - return 0; -} - -/*---------------------------------------------------------------------- - parsenametonum: converts command-line name into index number. - -----------------------------------------------------------------------*/ -int parsenametonum(tab, arg) - struct nametonum *tab; - char *arg; -{ - int i; - - for (i = 0; tab[i].name; i++) - if (!strcasecmp(tab[i].name, arg)) - return i; - - if (!tab[i].name) - return -1; -} - -/*---------------------------------------------------------------------- - parsesockaddr: Convert hostname arg into an appropriate sockaddr. - -----------------------------------------------------------------------*/ -int parsesockaddr(sockaddr, arg) - struct sockaddr *sockaddr; - char *arg; -{ - struct hostent *hostent; - struct in_addr in_addr, *in_addrp; -#ifdef INET6 - struct in_addr6 in_addr6, *in_addr6p; -#endif /* INET6 */ - - if ((hostent = hostname2addr(arg, AF_INET, 0))) - if ((hostent->h_addrtype == AF_INET) && - (hostent->h_length == sizeof(struct in_addr))) { - in_addrp = ((struct in_addr *)hostent->h_addr_list[0]); - goto fillin4; - } - - if (ascii2addr(AF_INET, arg, (char *)&in_addr) == - sizeof(struct in_addr)) { - in_addrp = &in_addr; - goto fillin4; - } - -#ifdef INET6 - if (hostent = hostname2addr(arg, AF_INET6)) - if ((hostent->h_addrtype == AF_INET6) && - (hostent->h_length == sizeof(struct in_addr6))) { - in_addr6p = ((struct in_addr6 *)hostent->h_addr_list[0]); - goto fillin6; - } - - if (ascii2addr(AF_INET6, arg, (char *)&in_addr6) - == sizeof(struct in_addr6)) { - in_addr6p = &in_addr6; - goto fillin6; - } -#endif /* INET6 */ - - warnx("unknown host \"%s\"", arg); - return 1; - - fillin4: - bzero(sockaddr, sizeof(struct sockaddr_in)); - sockaddr->sa_len = sizeof(struct sockaddr_in); - sockaddr->sa_family = AF_INET; - ((struct sockaddr_in *)sockaddr)->sin_addr = *in_addrp; - return 0; - -#ifdef INET6 - fillin6: - bzero(sockaddr, sizeof(struct sockaddr_in6)); - sockaddr->sa_len = sizeof(struct sockaddr_in6); - sockaddr->sa_family = AF_INET6; - ((struct sockaddr_in6 *)sockaddr)->sin6_addr = *in_addr6p; - return 0; -#endif /* INET6 */ -} - -/*---------------------------------------------------------------------- - dummyfromaddr: Creates a zeroed sockaddr of family af. - -----------------------------------------------------------------------*/ -void dummyfromaddr(sa, af) - struct sockaddr *sa; - int af; -{ - int size; -#ifdef INET6 - size = (af == AF_INET6) ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in)); -#else /* INET6 */ - size = sizeof(struct sockaddr_in); -#endif /* INET6 */ - bzero((char *)sa, size); - sa->sa_family = af; - sa->sa_len = size; -} - -/* - * Macros to ensure word alignment. - */ -#define ROUNDUP(a) \ - ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) -#define ADVANCE(x, n) \ - { x += ROUNDUP(n); } - - -/*---------------------------------------------------------------------- - parse4: parse keytype, spi, src addr, and dest addr from argv (command line) - and stick in structure pointed to by key_messageptr. -----------------------------------------------------------------------*/ -int parse4(argc, argv) - int argc; - char *argv[]; -{ - int i; - - if (argc < 4) - return 1; - - if ((i = parsenametonum(keytypes, argv[0])) < 0) - return i; - - ((struct key_msghdr *)key_message)->type = keytypes[i].num; - - /* Should we zero check? */ - ((struct key_msghdr *)key_message)->spi = atoi(argv[1]); - - if (parsesockaddr(key_message + key_messageptr, argv[2]) != 0) - return 1; - ADVANCE(key_messageptr, ((struct sockaddr *)(key_message + - key_messageptr))->sa_len); - - if (parsesockaddr(key_message + key_messageptr, argv[3]) != 0) - return 1; - ADVANCE(key_messageptr, ((struct sockaddr *)(key_message + - key_messageptr))->sa_len); - - /* - * We need to put a dummy from address since the kernel expects - * this to be in the message. - */ -#ifdef INET6 - dummyfromaddr(key_message + key_messageptr, AF_INET6); -#else /* INET6 */ - dummyfromaddr(key_message + key_messageptr, AF_INET); -#endif /* INET6 */ - ADVANCE(key_messageptr, ((struct sockaddr *)(key_message + - key_messageptr))->sa_len); - - return 0; -} - -/*---------------------------------------------------------------------- - parse7: parse keytype, spi, src addr, dest addr, alg type, key, and iv - from argv (command line) - and stick in structure pointed to by key_messageptr. -----------------------------------------------------------------------*/ -int parse7(argc, argv) - int argc; - char *argv[]; -{ - int i, j; - - if (argc < 6) - return 1; - - if ((i = parsenametonum(keytypes, argv[0])) < 0) - return i; - - ((struct key_msghdr *)key_message)->type = keytypes[i].num; - -/* Should we zero check? */ - ((struct key_msghdr *)key_message)->spi = atoi(argv[1]); - - if (parsesockaddr(key_message + key_messageptr, argv[2]) != 0) - return 1; - ADVANCE(key_messageptr, ((struct sockaddr *)(key_message + - key_messageptr))->sa_len); - - if (parsesockaddr(key_message + key_messageptr, argv[3]) != 0) - return 1; - ADVANCE(key_messageptr, ((struct sockaddr *)(key_message + - key_messageptr))->sa_len); - - /* - * We need to put a dummy from address since the kernel expects - * this to be in the message. - */ -#ifdef INET6 - dummyfromaddr(key_message + key_messageptr, AF_INET6); -#else /* INET6 */ - dummyfromaddr(key_message + key_messageptr, AF_INET); -#endif /* INET6 */ - ADVANCE(key_messageptr, ((struct sockaddr *)(key_message + - key_messageptr))->sa_len); - - if ((j = parsenametonum(algorithmtabs[keytypes[i].flags], argv[4])) < 0) - return j; - - ((struct key_msghdr *)key_message)->algorithm = - algorithmtabs[keytypes[i].flags][j].num; - - if ((argc < 7) && algorithmtabs[keytypes[i].flags][j].flags) - return 1; - - if (parsekey(key_message + key_messageptr, - &(((struct key_msghdr *)key_message)->keylen), argv[5]) != 0) - return 1; - ADVANCE(key_messageptr, ((struct key_msghdr *)key_message)->keylen); - - if (argc >= 7) { - if (parsekey(key_message + key_messageptr, - &(((struct key_msghdr *)key_message)->ivlen), argv[6]) != 0) - return 1; - ADVANCE(key_messageptr, ((struct key_msghdr *)key_message)->ivlen); - } - - return 0; -} - -/*---------------------------------------------------------------------- - parsecmdline: - -----------------------------------------------------------------------*/ -int parsecmdline(buffer, argv, argc) - char *buffer; - char **argv; - int *argc; -{ - int i = 0, iargc = 0; - char *head; - - head = buffer; - - while(buffer[i] && (iargc < KEYCMD_ARG_MAX)) { - if ((buffer[i] == '\n') || (buffer[i] == '#')) { - buffer[i] = 0; - if (*head) - argv[iargc++] = head; - break; - } - if ((buffer[i] == ' ') || (buffer[i] == '\t')) { - buffer[i] = 0; - if (*head) - argv[iargc++] = head; - head = &(buffer[++i]); - } else - i++; - }; - argv[iargc] = NULL; - *argc = iargc; - - return iargc ? 0 : 1; -} - - -/*---------------------------------------------------------------------- - load: load keys from file filename into Key Engine. - -----------------------------------------------------------------------*/ -int load(filename) - char *filename; -{ - FILE *fh; - char buffer[1024], *buf, *largv[KEYCMD_ARG_MAX], *c; - int i, largc, left, line = 0; - - if (strcmp(filename, "-")) { - if (!(fh = fopen(filename, "r"))) - return -1; - } else - fh = stdin; - - largv[0] = "add"; - - buf = buffer; - left = sizeof(buffer); - - while(fgets(buf, left, fh)) { - line++; - if ((c = strchr(buffer, '\\'))) { - left = (sizeof(buffer) - 1) - (--c - buffer); - buf = c; - } else { - buffer[sizeof(buffer)-1] = 0; - - if ((i = parsecmdline(buffer, &(largv[1]), &largc)) < 0) - return i; - - if (!i) { - if ((i = docmd(++largc, largv))) { - if (i > 0) { - warnx("parse error on line %d of %s", line, filename); - return 0; - } - return i; - } - } - - buf = buffer; - left = sizeof(buffer); - } - }; - - return 0; -} - -/*---------------------------------------------------------------------- - parsedata: - -----------------------------------------------------------------------*/ -int -parsedata(km, kip) - struct key_msghdr *km; - struct key_msgdata *kip; -{ - char *cp, *cpmax; - - if (!km) - return (-1); - if (!(km->key_msglen)) - return (-1); - - cp = (caddr_t)(km + 1); - cpmax = (caddr_t)km + km->key_msglen; - -#define NEXTDATA(x, n) \ - { x += ROUNDUP(n); if (cp >= cpmax) { \ - warnx("kernel returned a truncated message!"); return(-1); } } - - /* Grab src addr */ - kip->src = (struct sockaddr *)cp; - if (!kip->src->sa_len) - return(-1); - - NEXTDATA(cp, kip->src->sa_len); - - /* Grab dest addr */ - kip->dst = (struct sockaddr *)cp; - if (!kip->dst->sa_len) - return(-1); - - NEXTDATA(cp, kip->dst->sa_len); - - /* Grab from addr */ - kip->from = (struct sockaddr *)cp; - if (!kip->from->sa_len) - return(-1); - - NEXTDATA(cp, kip->from->sa_len); - - /* Grab key */ - if (kip->keylen = km->keylen) { - kip->key = cp; - NEXTDATA(cp, km->keylen); - } - - /* Grab iv */ - if (kip->ivlen = km->ivlen) - kip->iv = cp; - - cp += kip->ivlen; - - printf("key: parsedata: difference=%d\n", cp - cpmax); - return (0); -} - - -/*---------------------------------------------------------------------- - printkeyiv: - -----------------------------------------------------------------------*/ -void printkeyiv(fp, cp, len) - FILE *fp; - caddr_t cp; - int len; -{ - int i; - for (i=0; i<len; i++) - fprintf(fp, "%02x", (u_int8_t)*(cp+i)); -} - -/*---------------------------------------------------------------------- - printsockaddr: - -----------------------------------------------------------------------*/ -void printsockaddr(fp, sa) - FILE *fp; - struct sockaddr *sa; -{ - struct hostent *hp; - char *addrp; - int len; - -#ifdef INET6 - if (sa->sa_family == AF_INET6) { - len = sizeof(struct in_addr6); - addrp = (char *)&(((struct sockaddr_in6 *)sa)->sin6_addr); - } else { -#endif /* INET6 */ - len = sizeof(struct in_addr); - addrp = (char *)&(((struct sockaddr_in *)sa)->sin_addr); -#ifdef INET6 - } -#endif /* INET6 */ - - if((hp = addr2hostname(addrp, len, sa->sa_family, 0)) != NULL) - fprintf(fp, "%s", hp->h_name); - else - fprintf(fp, "%s", addr2ascii(sa->sa_family, addrp, len, NULL)); -} - -/*---------------------------------------------------------------------- - parsenumtoname: - -----------------------------------------------------------------------*/ -char * -parsenumtoname(tab, num) - struct nametonum *tab; - int num; -{ - int i; - for (i = 0; tab[i].name; i++) { - if (num == tab[i].num) - return(tab[i].name); - } - return(0); -} - -/*---------------------------------------------------------------------- - parsenumtoflag: - -----------------------------------------------------------------------*/ -int -parsenumtoflag(tab, num) - struct nametonum *tab; - int num; -{ - int i; - for (i = 0; tab[i].name; i++) { - if (num == tab[i].num) - return(tab[i].flags); - } - return(-1); -} - - -/*---------------------------------------------------------------------- - printkeymsg: - -----------------------------------------------------------------------*/ -void printkeymsg(kmp, kdp) - struct key_msghdr *kmp; - struct key_msgdata *kdp; -{ - - printf("type=%d(%s) ",kmp->type, parsenumtoname(keytypes, kmp->type)); - printf("spi=%u ", kmp->spi); - printf("algorithm=%u(%s) ", kmp->algorithm, - parsenumtoname(algorithmtabs[parsenumtoflag(keytypes, kmp->type)], - kmp->algorithm)); - printf("state=0x%x ",kmp->state); - - if (kmp->state != 0) { - if (kmp->state & K_USED) - printf("USED "); - if (kmp->state & K_UNIQUE) - printf("UNIQUE "); - if (kmp->state & K_LARVAL) - printf("LARVAL "); - if (kmp->state & K_ZOMBIE) - printf("ZOMBIE "); - if (kmp->state & K_DEAD) - printf("DEAD "); - if (kmp->state & K_INBOUND) - printf("INBOUND "); - if (kmp->state & K_OUTBOUND) - printf("OUTBOUND"); - } - printf("\n"); - printf("sensitivity_label=%d ",kmp->label); - printf("lifetype=%d ",kmp->lifetype); - printf("lifetime1=%d ",kmp->lifetime1); - printf("lifetime2=%d\n",kmp->lifetime2); - printf("key (len=%d):\t",kdp->keylen); - printkeyiv(stdout, kdp->key, kdp->keylen); - printf("\n"); - printf("iv (len=%d):\t", kdp->ivlen); - printkeyiv(stdout, kdp->iv, kdp->ivlen); - printf("\n"); - printf("src:\t"); - printsockaddr(stdout, (struct sockaddr *)kdp->src); - printf("\n"); - printf("dst:\t"); - printsockaddr(stdout, (struct sockaddr *)kdp->dst); - printf("\n"); -/* printf("from:\t"); - printsockaddr(stdout, (struct sockaddr *)kdp->from); */ - printf("\n"); -} - -/*---------------------------------------------------------------------- - docmd: - -----------------------------------------------------------------------*/ -int docmd(argc, argv) - int argc; - char **argv; -{ - int i, j, seqno; - int fd; - FILE *fp; - - if (!argv[0] || !argc) - return -1; - - if (!argv[0][0]) - return -1; - - bzero(&key_message, sizeof(key_message)); - key_messageptr = sizeof(struct key_msghdr); - - for (i = 0; keycmds[i].name; i++) - if (!strcasecmp(keycmds[i].name, argv[0])) - break; - - if (!keycmds[i].name) - return -1; - - if (keycmds[i].parse) - if ((j = keycmds[i].parse(argc - 1, &(argv[1])))) - return j; - - ((struct key_msghdr *)key_message)->key_msglen = key_messageptr; - ((struct key_msghdr *)key_message)->key_msgvers = 1; - ((struct key_msghdr *)key_message)->key_seq = 1; - - switch(keycmds[i].num) { - - case KEYCMD_ADD: -#ifndef NOSANITYCHK - /* - * For now, we do sanity check of security association - * information here until we find a better place. - */ - { - struct key_msghdr *kmp = (struct key_msghdr *)key_message; - - if ((kmp->type == KEY_TYPE_AH || - kmp->type == KEY_TYPE_ESP) && (kmp->spi < 256)) { - warnx("add: spi must be greater than 255"); - return(0); - } - - if (kmp->type == KEY_TYPE_ESP && - (kmp->algorithm == IPSEC_ALGTYPE_ESP_DES_CBC -#ifdef IPSEC_ALGTYPE_ESP_3DES - || kmp->algorithm == IPSEC_ALGTYPE_ESP_3DES -#endif - )) { - if (kmp->keylen != 8) { - warnx("add: key must be 8 bytes"); - return (0); - } - if (kmp->ivlen != 4 && kmp->ivlen != 8) { - warnx("add: iv must be 4 or 8 bytes"); - return (0); - } - } - - if (kmp->type == KEY_TYPE_AH && - kmp->algorithm == IPSEC_ALGTYPE_AUTH_MD5 && kmp->keylen == 0) { - warnx("add: no key specified"); - return (0); - } - } -#endif - ((struct key_msghdr *)key_message)->key_msgtype = KEY_ADD; - if (write(keysock, key_message, - ((struct key_msghdr *)key_message)->key_msglen) != - ((struct key_msghdr *)key_message)->key_msglen) { - if (errno == EEXIST) - warnx("add: security association already exists"); - else - warn("add"); - return -1; - } - read(keysock, key_message, sizeof(key_message)); - return (0); - - case KEYCMD_DEL: - ((struct key_msghdr *)key_message)->key_msgtype = KEY_DELETE; - if (write(keysock, key_message, - ((struct key_msghdr *)key_message)->key_msglen) != - ((struct key_msghdr *)key_message)->key_msglen) { - if (errno == ESRCH) { - warnx("delete: security association not found"); - return 0; - } else { - warn("delete"); - return -1; - } - } - read(keysock, key_message, sizeof(key_message)); - return (0); - - case KEYCMD_GET: - ((struct key_msghdr *)key_message)->key_msgtype = KEY_GET; - ((struct key_msghdr *)key_message)->key_seq = seqno = keygetseqno++; - - if (write(keysock, key_message, - ((struct key_msghdr *)key_message)->key_msglen) != - ((struct key_msghdr *)key_message)->key_msglen) { - if (errno == ESRCH) { - warnx("get: security association not found"); - return 0; - } else { - warn("get"); - return (-1); - } /* endif ESRCH */ - } /* endif write() */ - - { - int len; - struct key_msgdata keymsgdata; - - len = sizeof(struct key_msghdr) + MAX_SOCKADDR_SZ * 3 - + MAX_KEY_SZ + MAX_IV_SZ; - -readmesg: - if (read(keysock, key_message, len) < 0) { - warn("read"); - return -1; - } - - if (!((((struct key_msghdr *)&key_message)->key_pid==mypid) - && (((struct key_msghdr *)&key_message)->key_msgtype==KEY_GET) - && (((struct key_msghdr *)&key_message)->key_seq==seqno))) { - fprintf(stderr, "."); - goto readmesg; - } - - if (((struct key_msghdr *)&key_message)->key_errno != 0) { - printf("Error: kernel reporting errno=%d\n", - ((struct key_msghdr *)&key_message)->key_errno); - return 0; - } - - if (parsedata((struct key_msghdr *)&key_message, &keymsgdata) < 0) { - printf("get: can't parse reply\n"); - return -1; - } - printf("\n"); - printkeymsg((struct key_msghdr *)&key_message, &keymsgdata); - } - return (0); - - case KEYCMD_FLUSH: - ((struct key_msghdr *)key_message)->key_msgtype = KEY_FLUSH; - if (write(keysock, key_message, - ((struct key_msghdr *)key_message)->key_msglen) != - ((struct key_msghdr *)key_message)->key_msglen) { - warn("write"); - return -1; - } - read(keysock, key_message, sizeof(key_message)); - return (0); - - case KEYCMD_HELP: - return help((argc > 1) ? argv[1] : NULL); - - case KEYCMD_SHELL: - if (argc > 1) { - char buffer[1024], *ap, *ep, *c; - int i; - - ep = buffer + sizeof(buffer) - 1; - for (i = 1, ap = buffer; (i < argc) && (ap < ep); i++) { - c = argv[i]; - while ((*(ap++) = *(c++)) && (ap < ep)); - *(ap - 1) = ' '; - } - *(ap - 1) = 0; - system(buffer); - } else { - char *c = getenv("SHELL"); - if (!c) - c = "/bin/sh"; - system(c); - } - return 0; - - case KEYCMD_EXIT: - exit(0); - - case KEYCMD_LOAD: - if (argc != 2) - return 1; - return load(argv[1]); - - case KEYCMD_SAVE: - if (argc != 2) - return 1; - if (!strcmp(argv[1], "-")) - fp = stdout; - else if ((fd = open(argv[1], O_CREAT | O_RDWR | O_EXCL, - S_IRUSR | S_IWUSR)) < 0) { - warn("open"); - return 1; - } else if (!(fp = fdopen(fd, "w"))) { - warn("fdopen"); - return 1; - } - - case KEYCMD_DUMP: - ((struct key_msghdr *)key_message)->key_msgtype = KEY_DUMP; - if (write(keysock, key_message, - ((struct key_msghdr *)key_message)->key_msglen) != - ((struct key_msghdr *)key_message)->key_msglen) { - warn("write"); - return -1; - } - - { - struct key_msgdata keymsgdata; - -readmesg2: - if (read(keysock, key_message, sizeof(key_message)) < 0) { - warn("read"); - return -1; - } - - if (!((((struct key_msghdr *)&key_message)->key_pid==mypid) - && (((struct key_msghdr *)&key_message)->key_msgtype==KEY_DUMP))) - goto readmesg2; - - /* - * Kernel is done sending secassoc if key_seq == 0 - */ - if (((struct key_msghdr *)&key_message)->key_seq == 0) { - if ((keycmds[i].num == KEYCMD_SAVE) && (fp != stdout)) - fclose(fp); - return 0; - } - - if (parsedata((struct key_msghdr *)&key_message, &keymsgdata) < 0) { - printf("get: can't parse reply\n"); - goto readmesg2; - } - if (keycmds[i].num == KEYCMD_SAVE) { - char *keytype, *algorithm; - - keytype = parsenumtoname(keytypes, - ((struct key_msghdr *)&key_message)->type); - - algorithm = parsenumtoname(algorithmtabs[parsenumtoflag(keytypes, - ((struct key_msghdr *)&key_message)->type)], - ((struct key_msghdr *)&key_message)->algorithm); - - fprintf(fp, "%s %u ", keytype, - ((struct key_msghdr *)&key_message)->spi); - printsockaddr(fp, (struct sockaddr *)(keymsgdata.src)); - fprintf(fp, " "); - printsockaddr(fp, (struct sockaddr *)(keymsgdata.dst)); - fprintf(fp, " "); - fprintf(fp, "%s ", algorithm); - printkeyiv(fp, keymsgdata.key, keymsgdata.keylen); - fprintf(fp, " "); - printkeyiv(fp, keymsgdata.iv, keymsgdata.ivlen); - fprintf(fp, "\n"); - } else - printkeymsg((struct key_msghdr *)&key_message, &keymsgdata); - goto readmesg2; - } - return (0); - } - return (-1); -} - -/*---------------------------------------------------------------------- - main: - -----------------------------------------------------------------------*/ -int main(argc, argv) - int argc; - char *argv[]; -{ - int i, j; - u_long rcvsize; - - if (getuid()) - errx(1, "this program is intended for the superuser only"); - - if (!(keysock = socket(PF_KEY, SOCK_RAW, 0))) { - warn("socket"); - return -1; - } - - for (rcvsize = MAXRCVBUFSIZE; rcvsize; rcvsize -= 1024) { - if (setsockopt(keysock, SOL_SOCKET, SO_RCVBUF, &rcvsize, - sizeof(rcvsize)) <= 0) - break; - } - - mypid = getpid(); - if (mypid < 0) { - warn("getpid"); - return -1; - } - - if (argc > 1) { - /* - * Attempt to do a single command, based on command line arguments. - */ - if (strcasecmp(argv[1], "add") == 0) - errx(1, "cannot add keys from the command line. RTFM for why"); - if ((i = docmd(argc - 1, &(argv[1])))) { - if (i > 0) { - for (j = 0; keycmds[j].name; j++) - if (!strcasecmp(keycmds[j].name, argv[1])) - break; - - if (keycmds[j].name) { - fprintf(stderr, "usage: %s%s%s\n", keycmds[j].name, - keycmds[j].usage ? " " : "", - keycmds[j].usage ? keycmds[j].usage : ""); - exit(1); - } - } - usage(); - } - return 0; - } - - { - char buffer[1024]; - char *iargv[KEYCMD_ARG_MAX]; - int iargc; - - while(1) { - printf("key> "); - if (!(fgets(buffer, sizeof(buffer), stdin))) - return -1; - buffer[sizeof(buffer)-1] = 0; - /* - * get command line, and parse into an argc/argv form. - */ - if ((i = parsecmdline(buffer, iargv, &iargc)) < 0) - exit(1); - if (i > 0) - continue; - errno = 0; - /* - * given argc/argv, process argument as if it came from the command - * line. - */ - if ((i = docmd(iargc, iargv))) { - if (i > 0) { - for (j = 0; keycmds[j].name; j++) - if (!strcasecmp(keycmds[j].name, iargv[0])) - break; - - if (keycmds[j].name) { - fprintf(stderr, "usage: %s%s%s\n", keycmds[j].name, - keycmds[j].usage ? " " : "", - keycmds[j].usage ? keycmds[j].usage : ""); - } else - i = -1; - } - if (i < 0) { - if (errno) - warn("system error"); - else - warnx("unrecognized command"); - warnx("type 'help' if you need help"); - }; - }; - }; - }; -} - -/* EOF */ diff --git a/usr.sbin/keyadmin/keys b/usr.sbin/keyadmin/keys deleted file mode 100644 index b1657bf..0000000 --- a/usr.sbin/keyadmin/keys +++ /dev/null @@ -1,18 +0,0 @@ -# This is an example key file. - -# The format of entries in this file is as follows: -# <type> <spi> <src> <dst> <transform> <key> [iv] -# -# where: -# -# <type> is currently one of { ah | esp } -# <spi> is a decimal number -# <src> is an IP address for the source this association applies to -# <dst> is an IP address for the destination this assoc. applies to -# <transform> is currently one of { md5 } for ah, { des-cbc } for esp -# <key> is a hexadecimal key value (key length is derived from hex len) -# [iv] is a hexadecimal initial value (length is derived from hex len) -# [this field is required for des-cbc, ignored for others] - -ah 1142 ::0 ::0 md5 0123456789abcdef0123456789abcdef -esp 1984 ::0 ::0 des-cbc 0123456789abcdef 11223344 |