- plug memory leak.

- fixed a length of the sadb extension in the case of pfkey_send_x5(). - used getprotobynumber() for printing a upper layer protocol name. - modified the output format against the change of the setkey syntax about a icmp6 type/code. - don't enumerate reserved fields. use memset. Obtained from: KAME
svn path=/head/; revision=122107
2003-11-05 09:41:23 +00:00 · 2003-11-05 09:41:23 +00:00 · bd9f52d566 · 2020-12-20 02:59:44 +00:00
commit bd9f52d566
parent 5cf7816f16
6 changed files with 150 additions and 110 deletions
--- a/lib/libipsec/Makefile
+++ b/lib/libipsec/Makefile
@ -24,6 +24,7 @@
 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
 # $FreeBSD$
 LIB=	ipsec
--- a/lib/libipsec/ipsec_set_policy.3
+++ b/lib/libipsec/ipsec_set_policy.3
@ -1,5 +1,5 @@
-.\"	$KAME: ipsec_set_policy.3,v 1.15 2001/08/17 07:21:36 itojun Exp $
+.\"	$KAME: ipsec_set_policy.3,v 1.16 2003/01/06 21:59:03 sumikawa Exp $
-.\"     $FreeBSD$
+.\"	$FreeBSD$
 .\"
 .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\" All rights reserved.
@ -117,7 +117,7 @@ means to consult to SPD defined by
 .It Ar direction Li bypass
 .Li bypass
 means to be bypassed the IPsec processing.
-(packet will be transmitted in clear).
+.Pq packet will be transmitted in clear .
 This is for privileged socket.
 .It Xo
 .Ar direction
@ -174,7 +174,7 @@ is this node
 and
 .Ar src
 is the other node
-(peer).
+.Pq peer .
 If
 .Ar mode
 is
@ -203,9 +203,9 @@ regarding the system default.
 means that a relevant SA can be used when available,
 since the kernel may perform IPsec operation against packets when possible.
 In this case, packets can be transmitted in clear
-(when SA is not available),
+.Pq when SA is not available ,
 or encrypted
-(when SA is available).
+.Pq when SA is available .
 .Li require
 means that a relevant SA is required,
 since the kernel must perform IPsec operation against packets.
@ -248,7 +248,7 @@ Refer to
 for detail.
 .Pp
 Here are several examples
-(long lines are wrapped for readability):
+.Pq long lines are wrapped for readability :
 .Bd -literal -offset indent
 in discard
 out ipsec esp/transport//require
@ -265,7 +265,7 @@ successful; otherwise a NULL pointer is returned.
 The
 .Fn ipsec_get_policylen
 function returns with positive value
-(meaning the buffer size)
+.Pq meaning the buffer size
 on success, and negative value on errors.
 The
 .Fn ipsec_dump_policy
--- a/lib/libipsec/pfkey.c
+++ b/lib/libipsec/pfkey.c
@ -1,4 +1,4 @@
-/*	$KAME: pfkey.c,v 1.39 2001/03/05 18:22:17 thorpej Exp $	*/
+/*	$KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $	*/
 /*
 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -44,7 +44,6 @@ __FBSDID("$FreeBSD$");
 #include <unistd.h>
 #include <string.h>
 #include <errno.h>
 #include <stdio.h>
 #include "ipsec_strerror.h"
 #include "libpfkey.h"
@ -706,11 +705,14 @@ pfkey_recv_register(so)
 	int error = -1;
 	/* receive message */
-	do {
+	for (;;) {
 		if ((newmsg = pfkey_recv(so)) == NULL)
 			return -1;
-	} while (newmsg->sadb_msg_type != SADB_REGISTER
+		if (newmsg->sadb_msg_type == SADB_REGISTER &&
-	    || newmsg->sadb_msg_pid != pid);
+		    newmsg->sadb_msg_pid == pid)
 			break;
 		free(newmsg);
 	}
 	/* check and fix */
 	newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len);
@ -1540,7 +1542,7 @@ pfkey_send_x5(so, type, spid)
 		return -1;
 	}
 	memset(&xpl, 0, sizeof(xpl));
-	xpl.sadb_x_policy_len = PFKEY_UNUNIT64(sizeof(xpl));
+	xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl));
 	xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 	xpl.sadb_x_policy_id = spid;
 	memcpy(p, &xpl, sizeof(xpl));
--- a/lib/libipsec/pfkey_dump.c
+++ b/lib/libipsec/pfkey_dump.c
@ -1,4 +1,4 @@
-/*	$KAME: pfkey_dump.c,v 1.28 2001/06/27 10:46:51 sakane Exp $	*/
+/*	$KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $	*/
 /*
 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -102,7 +102,8 @@ do { \
 } while (0)
 static char *str_ipaddr(struct sockaddr *);
-static char *str_prefport(u_int, u_int, u_int);
+static char *str_prefport(u_int, u_int, u_int, u_int);
 static void str_upperspec(u_int, u_int, u_int);
 static char *str_time(time_t);
 static void str_lifetime_byte(struct sadb_lifetime *, char *);
@ -133,22 +134,6 @@ static char *str_mode[] = {
 	"tunnel",
 };
 static char *str_upper[] = {
 /*0*/	"ip", "icmp", "igmp", "ggp", "ip4",
 	"", "tcp", "", "egp", "",
 /*10*/	"", "", "", "", "",
 	"", "", "udp", "", "",
 /*20*/	"", "", "idp", "", "",
 	"", "", "", "", "tp",
 /*30*/	"", "", "", "", "",
 	"", "", "", "", "",
 /*40*/	"", "ip6", "", "rt6", "frag6",
 	"", "rsvp", "gre", "", "",
 /*50*/	"esp", "ah", "", "", "",
 	"", "", "", "icmp6", "none",
 /*60*/	"dst6",
 };
 static char *str_state[] = {
 	"larval",
 	"mature",
@ -381,9 +366,9 @@ pfkey_spdump(m)
 	caddr_t mhp[SADB_EXT_MAX + 1];
 	struct sadb_address *m_saddr, *m_daddr;
 	struct sadb_x_policy *m_xpl;
-	struct sadb_lifetime *m_lft = NULL;
+	struct sadb_lifetime *m_lftc = NULL, *m_lfth = NULL;
 	struct sockaddr *sa;
-	u_int16_t port;
+	u_int16_t sport = 0, dport = 0;
 	/* check pfkey message. */
 	if (pfkey_align(m, mhp)) {
@ -398,63 +383,60 @@ pfkey_spdump(m)
 	m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
 	m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
 	m_xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-	m_lft = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
+	m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
 	m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
-	/* source address */
+	if (m_saddr && m_daddr) {
-	if (m_saddr == NULL) {
+		/* source address */
-		printf("no ADDRESS_SRC extension.\n");
+		sa = (struct sockaddr *)(m_saddr + 1);
-		return;
+		switch (sa->sa_family) {
-	}
+		case AF_INET:
-	sa = (struct sockaddr *)(m_saddr + 1);
+		case AF_INET6:
-	switch (sa->sa_family) {
+			if (getnameinfo(sa, sa->sa_len, NULL, 0,
-	case AF_INET:
+			    pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
-	case AF_INET6:
+				sport = 0;	/*XXX*/
-		if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
+			else
-		    NI_NUMERICSERV) != 0)
+				sport = atoi(pbuf);
-			port = 0;	/*XXX*/
+			printf("%s%s ", str_ipaddr(sa),
-		else
+				str_prefport(sa->sa_family,
-			port = atoi(pbuf);
+				    m_saddr->sadb_address_prefixlen, sport,
-		printf("%s%s ", str_ipaddr(sa),
+				    m_saddr->sadb_address_proto));
-			str_prefport(sa->sa_family,
+			break;
-			    m_saddr->sadb_address_prefixlen, port));
+		default:
-		break;
+			printf("unknown-af ");
-	default:
+			break;
-		printf("unknown-af ");
+		}
 		break;
 	}
-	/* destination address */
+		/* destination address */
-	if (m_daddr == NULL) {
+		sa = (struct sockaddr *)(m_daddr + 1);
-		printf("no ADDRESS_DST extension.\n");
+		switch (sa->sa_family) {
-		return;
+		case AF_INET:
-	}
+		case AF_INET6:
-	sa = (struct sockaddr *)(m_daddr + 1);
+			if (getnameinfo(sa, sa->sa_len, NULL, 0,
-	switch (sa->sa_family) {
+			    pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
-	case AF_INET:
+				dport = 0;	/*XXX*/
-	case AF_INET6:
+			else
-		if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
+				dport = atoi(pbuf);
-		    NI_NUMERICSERV) != 0)
+			printf("%s%s ", str_ipaddr(sa),
-			port = 0;	/*XXX*/
+				str_prefport(sa->sa_family,
-		else
+				    m_daddr->sadb_address_prefixlen, dport,
-			port = atoi(pbuf);
+				    m_saddr->sadb_address_proto));
-		printf("%s%s ", str_ipaddr(sa),
+			break;
-			str_prefport(sa->sa_family,
+		default:
-			    m_daddr->sadb_address_prefixlen, port));
+			printf("unknown-af ");
-		break;
+			break;
-	default:
+		}
 		printf("unknown-af ");
 		break;
 	}
-	/* upper layer protocol */
+		/* upper layer protocol */
-	if (m_saddr->sadb_address_proto != m_daddr->sadb_address_proto) {
+		if (m_saddr->sadb_address_proto !=
-		printf("upper layer protocol mismatched.\n");
+		    m_daddr->sadb_address_proto) {
-		return;
+			printf("upper layer protocol mismatched.\n");
 			return;
 		}
 		str_upperspec(m_saddr->sadb_address_proto, sport, dport);
 	}
 	if (m_saddr->sadb_address_proto == IPSEC_ULPROTO_ANY)
 		printf("any");
 	else
-		GETMSGSTR(str_upper, m_saddr->sadb_address_proto);
+		printf("(no selector, probably per-socket policy) ");
 	/* policy */
    {
@ -472,11 +454,19 @@ pfkey_spdump(m)
    }
 	/* lifetime */
-	if (m_lft) {
+	if (m_lftc) {
-		printf("\tlifetime:%lu validtime:%lu\n",
+		printf("\tcreated: %s  ",
-			(u_long)m_lft->sadb_lifetime_addtime,
+			str_time(m_lftc->sadb_lifetime_addtime));
-			(u_long)m_lft->sadb_lifetime_usetime);
+		printf("lastused: %s\n",
 			str_time(m_lftc->sadb_lifetime_usetime));
 	}
 	if (m_lfth) {
 		printf("\tlifetime: %lu(s) ",
 			(u_long)m_lfth->sadb_lifetime_addtime);
 		printf("validtime: %lu(s)\n",
 			(u_long)m_lfth->sadb_lifetime_usetime);
 	}
 	printf("\tspid=%ld seq=%ld pid=%ld\n",
 		(u_long)m_xpl->sadb_x_policy_id,
@ -511,8 +501,8 @@ str_ipaddr(sa)
 * set "/prefix[port number]" to buffer.
 */
 static char *
-str_prefport(family, pref, port)
+str_prefport(family, pref, port, ulp)
-	u_int family, pref, port;
+	u_int family, pref, port, ulp;
 {
 	static char buf[128];
 	char prefbuf[128];
@ -535,16 +525,50 @@ str_prefport(family, pref, port)
 	else
 		snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
-	if (port == IPSEC_PORT_ANY)
+	if (ulp == IPPROTO_ICMPV6)
-		snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
+		memset(portbuf, 0, sizeof(portbuf));
-	else
+	else {
-		snprintf(portbuf, sizeof(portbuf), "[%u]", port);
+		if (port == IPSEC_PORT_ANY)
 			snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
 		else
 			snprintf(portbuf, sizeof(portbuf), "[%u]", port);
 	}
 	snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
 	return buf;
 }
 static void
 str_upperspec(ulp, p1, p2)
 	u_int ulp, p1, p2;
 {
 	if (ulp == IPSEC_ULPROTO_ANY)
 		printf("any");
 	else if (ulp == IPPROTO_ICMPV6) {
 		printf("icmp6");
 		if (!(p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY))
 			printf(" %u,%u", p1, p2);
 	} else {
 		struct protoent *ent;
 		switch (ulp) {
 		case IPPROTO_IPV4:
 			printf("ip4");
 			break;
 		default:
 			ent = getprotobynumber(ulp);
 			if (ent)
 				printf("%s", ent->p_name);
 			else
 				printf("%u", ulp);
 			endprotoent();
 			break;
 		}
 	}
 }
 /*
 * set "Mon Day Time Year" to buffer
 */
--- a/lib/libipsec/policy_parse.y
+++ b/lib/libipsec/policy_parse.y
@ -1,5 +1,4 @@
-/*	$FreeBSD$	*/
+/*	$KAME: policy_parse.y,v 1.14 2003/06/27 03:39:20 itojun Exp $	*/
 /*	$KAME: policy_parse.y,v 1.10 2000/05/07 05:25:03 itojun Exp $	*/
 /*
 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -50,6 +49,9 @@
 */
 %{
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/socket.h>
@ -85,9 +87,12 @@ static void policy_parse_request_init(void);
 static caddr_t policy_parse(char *msg, int msglen);
 extern void __policy__strbuffer__init__(char *msg);
 extern void __policy__strbuffer__free__(void);
 extern int yyparse(void);
 extern int yylex(void);
 extern char *__libipsecyytext;	/*XXX*/
 %}
 %union {
@ -210,8 +215,6 @@ void
 yyerror(msg)
 	char *msg;
 {
 	extern char *__libipsecyytext;	/*XXX*/
 	fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
 		msg, __libipsecyytext);
@ -300,12 +303,14 @@ init_x_policy()
 		__ipsec_errcode = EIPSEC_NO_BUFS;
 		return -1;
 	}
 	memset(pbuf, 0, tlen);
 	p = (struct sadb_x_policy *)pbuf;
 	p->sadb_x_policy_len = 0;	/* must update later */
 	p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 	p->sadb_x_policy_type = p_type;
 	p->sadb_x_policy_dir = p_dir;
-	p->sadb_x_policy_reserved = 0;
+	p->sadb_x_policy_id = 0;
 	offset = tlen;
 	__ipsec_errcode = EIPSEC_NO_ERROR;
@ -398,6 +403,8 @@ policy_parse(msg, msglen)
 	__policy__strbuffer__init__(msg);
 	error = yyparse();	/* it must be set errcode. */
 	__policy__strbuffer__free__();
 	if (error) {
 		if (pbuf != NULL)
 			free(pbuf);
--- a/lib/libipsec/policy_token.l
+++ b/lib/libipsec/policy_token.l
@ -1,5 +1,5 @@
 /*	$FreeBSD$	*/
-/*	$KAME: policy_token.l,v 1.11 2000/12/01 10:08:29 sakane Exp $	*/
+/*	$KAME: policy_token.l,v 1.13 2003/05/09 05:19:55 sakane Exp $	*/
 /*
 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -46,11 +46,7 @@
 #include <unistd.h>
 #include <errno.h>
 #ifndef __NetBSD__
 #include "y.tab.h"
 #else
 #include "policy_parse.h"
 #endif
 #define yylval __libipsecyylval	/* XXX */
 int yylex(void);
@ -133,16 +129,26 @@ unique		{ yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); }
 %%
 void __policy__strbuffer__init__(char *);
 void __policy__strbuffer__free__(void);
 static YY_BUFFER_STATE strbuffer;
 void
 __policy__strbuffer__init__(msg)
 	char *msg;
 {
-	YY_BUFFER_STATE yyb;
+	if (yy_current_buffer)
-
+		yy_delete_buffer(yy_current_buffer);
-	yyb = (YY_BUFFER_STATE)yy_scan_string(msg);
+	strbuffer = (YY_BUFFER_STATE)yy_scan_string(msg);
-	yy_switch_to_buffer(yyb);
+	yy_switch_to_buffer(strbuffer);
 	return;
 }
 void
 __policy__strbuffer__free__()
 {
 	yy_delete_buffer(strbuffer);
 	return;
 }