MFC: Move setkey(8) from usr.sbin/ to sbin/ and make rc.d/ipsec to run
before rc.d/mountcritremote, so it is possible to mount /usr/ over IPsec. Discussed on: arch@ Suggested by: Tomasz Piłat <tomasz.pilat@axelspringer.pl> Prodded by: dougb
parent
f19ad45cf8
commit
407c7742ed
@ -6,7 +6,7 @@
|
||||
|
||||
# PROVIDE: ipsec
|
||||
# REQUIRE: root mountcritlocal
|
||||
# BEFORE: DAEMON
|
||||
# BEFORE: DAEMON mountcritremote
|
||||
# KEYWORD: nojail
|
||||
|
||||
# it does not really require beforenetlkm.
|
||||
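Review bot: `# BEFORE: DAEMON mountcritremote` orders this script against mountcritremote only; the hunk adds no ordering against NETWORKING, so the policy may now be loaded before the interfaces are configured, and whether that happens depends on rcorder constraints outside this hunk. The manual page text removed in this same commit documents that setkey resolves FQDNs in src/dst unless the `-n` modifier is given, so an ipsec_file that names hosts rather than numeric addresses can fail to load on this earlier boot path. I would state the constraint on its own line under the rcorder block (not appended to the BEFORE line, which rcorder parses as a list of names): `# Runs before /usr is mounted and possibly before the network is up: ipsec_file must use numeric addresses.` The shebang and the lines after the beforenetlkm comment lie outside the hunk.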
@ -21,7 +21,7 @@ stop_precmd="test -f /etc/ipsec.conf"
|
||||
stop_cmd="ipsec_stop"
|
||||
reload_cmd="ipsec_reload"
|
||||
extra_commands="reload"
|
||||
ipsec_program="/usr/sbin/setkey"
|
||||
ipsec_program="/sbin/setkey"
|
||||
# ipsec_file is set by rc.conf
|
||||
|
||||
ipsec_prestart()
|
||||
|
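Review bot: `ipsec_program="/sbin/setkey"` carries no explanation of why the path moved, and the reason (it must be runnable before /usr is mounted, per the commit message) is exactly what the next person tempted to point it back at /usr/sbin needs; I would add `# /sbin, not /usr/sbin: the policy is loaded before /usr is mounted` above it. Separately, `stop_precmd="test -f /etc/ipsec.conf"` tests a literal path while the comment says the file actually loaded is ipsec_file from rc.conf, so a non-default ipsec_file appears to skip the stop path; that predates this commit but is worth aligning with the variable. ipsec_prestart() begins on the last line of the hunk and continues outside it.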
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
# PROVIDE: mountcritremote
|
||||
# REQUIRE: NETWORKING root mountcritlocal cleanvar
|
||||
# REQUIRE: NETWORKING root mountcritlocal cleanvar ipsec
|
||||
# KEYWORD: nojail
|
||||
|
||||
. /etc/rc.subr
|
||||
|
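Review bot: `# REQUIRE: NETWORKING root mountcritlocal cleanvar ipsec` only orders mountcritremote after ipsec; nothing in the hunk makes the mount conditional on ipsec being enabled or on setkey having succeeded, so a remote /usr mount that is expected to be protected still proceeds when no policy was installed. That is tolerable when the policies are written at `require` level (the manual page text in this commit says the kernel then requires an SA before sending a matching packet), but the assumption should be written down, e.g. `# ipsec: ordering only; a disabled or failed ipsec does not block the mount` next to the REQUIRE line. The rest of the script is outside the hunk.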
@ -81,6 +81,7 @@ SUBDIR= adjkerntz \
|
||||
rtsol \
|
||||
savecore \
|
||||
${_sconfig} \
|
||||
setkey \
|
||||
shutdown \
|
||||
slattach \
|
||||
spppcontrol \
|
||||
|
@ -1,5 +1,5 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: parse.y,v 1.83 2004/05/18 08:48:23 sakane Exp $ */
|
||||
/* $KAME: parse.y,v 1.82 2004/04/15 08:03:57 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
|
@ -147,7 +147,6 @@ SUBDIR= ac \
|
||||
sa \
|
||||
${_sendmail} \
|
||||
setfmac \
|
||||
setkey \
|
||||
setpmac \
|
||||
${_sicontrol} \
|
||||
sliplogin \
|
||||
|
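--- a/[path not on page]/Makefile
+++ /dev/null
@@ -1,62 +0,0 @@
-# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# 3. Neither the name of the project nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-
-PROG= setkey
-MAN= setkey.8
-SRCS= setkey.c parse.y token.l
-
-CFLAGS+= -I${.CURDIR} -I${.CURDIR}/../../lib/libipsec
-YFLAGS= -d
-
-DPADD= ${LIBL} ${LIBY}
-LDADD= -ll -ly
-
-CLEANFILES= y.tab.c y.tab.h key_test.o keytest
-
-# libpfkey
-# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
-.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
-SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
-CFLAGS+= -I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netkey
-
-SRCS+= y.tab.h
-y.tab.h: parse.y
-CFLAGS+= -DIPSEC_DEBUG -DINET6 -DYY_NO_UNPUT -I.
-DPADD+= ${LIBIPSEC}
-LDADD+= -lipsec
-CLEANFILES+= scriptdump y.tab.h
-
-#SCRIPTS= scriptdump
-
-LOCALPREFIX= /usr
-
-scriptdump: scriptdump.pl
-sed -e 's#@LOCALPREFIX@#${LOCALPREFIX}#' < $> > scriptdump
-
-.include <bsd.prog.mk>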
@ -1,219 +0,0 @@
|
||||
# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
# 3. Neither the name of the project nor the names of its contributors
|
||||
# may be used to endorse or promote products derived from this software
|
||||
# without specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
#
|
||||
# $FreeBSD$
|
||||
|
||||
# There are sample scripts for IPsec configuration by manual keying.
|
||||
# A security association is uniquely identified by a triple consisting
|
||||
# of a Security Parameter Index (SPI), an IP Destination Address, and a
|
||||
# security protocol (AH or ESP) identifier. You must take care of these
|
||||
# parameters when you configure by manual keying.
|
||||
|
||||
# ESP transport mode is recommended for TCP port number 110 between
|
||||
# Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key
|
||||
# is "kamekame", and authentication algorithm is hmac-sha1 whose key
|
||||
# is "this is the test key".
|
||||
#
|
||||
# ============ ESP ============
|
||||
# | |
|
||||
# Host-A Host-B
|
||||
# fec0::10 -------------------- fec0::11
|
||||
#
|
||||
# At Host-A and Host-B,
|
||||
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
|
||||
esp/transport//use ;
|
||||
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
|
||||
esp/transport//use ;
|
||||
add fec0::10 fec0::11 esp 0x10001
|
||||
-m transport
|
||||
-E blowfish-cbc "kamekame"
|
||||
-A hmac-sha1 "this is the test key" ;
|
||||
add fec0::11 fec0::10 esp 0x10002
|
||||
-m transport
|
||||
-E blowfish-cbc "kamekame"
|
||||
-A hmac-sha1 "this is the test key" ;
|
||||
|
||||
# "[any]" is wildcard of port number. Note that "[0]" is the number of
|
||||
# zero in port number.
|
||||
|
||||
# Security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5
|
||||
# whose key is "this is the test" as authentication algorithm.
|
||||
# That protocol takes place between Gateway-A and Gateway-B.
|
||||
#
|
||||
# ======= AH =======
|
||||
# | |
|
||||
# Network-A Gateway-A Gateway-B Network-B
|
||||
# 10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
|
||||
#
|
||||
# At Gateway-A:
|
||||
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
|
||||
ah/tunnel/172.16.0.1-172.16.0.2/require ;
|
||||
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
|
||||
ah/tunnel/172.16.0.2-172.16.0.1/require ;
|
||||
add 172.16.0.1 172.16.0.2 ah-old 0x10003
|
||||
-m any
|
||||
-A keyed-md5 "this is the test" ;
|
||||
add 172.16.0.2 172.16.0.1 ah-old 0x10004
|
||||
-m any
|
||||
-A keyed-md5 "this is the test" ;
|
||||
|
||||
# If port number field is omitted such above then "[any]" is employed.
|
||||
# -m specifies the mode of SA to be used. "-m any" means wildcard of
|
||||
# mode of security protocol. You can use this SAs for both tunnel and
|
||||
# transport mode.
|
||||
|
||||
# At Gateway-B. Attention to the selector and peer's IP address for tunnel.
|
||||
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
|
||||
ah/tunnel/172.16.0.2-172.16.0.1/require ;
|
||||
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
|
||||
ah/tunnel/172.16.0.1-172.16.0.2/require ;
|
||||
add 172.16.0.1 172.16.0.2 ah-old 0x10003
|
||||
-m tunnel
|
||||
-A keyed-md5 "this is the test" ;
|
||||
add 172.16.0.2 172.16.0.1 ah-old 0x10004
|
||||
-m tunnel
|
||||
-A keyed-md5 "this is the test" ;
|
||||
|
||||
# AH transport mode followed by ESP tunnel mode is required between
|
||||
# Gateway-A and Gateway-B.
|
||||
# Encryption algorithm is 3des-cbc, and authentication algorithm for ESP
|
||||
# is hmac-sha1. Authentication algorithm for AH is hmac-md5.
|
||||
#
|
||||
# ========== AH =========
|
||||
# | ======= ESP ===== |
|
||||
# | | | |
|
||||
# Network-A Gateway-A Gateway-B Network-B
|
||||
# fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
|
||||
#
|
||||
# At Gateway-A:
|
||||
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
|
||||
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
|
||||
ah/transport//require ;
|
||||
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
|
||||
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
|
||||
ah/transport//require ;
|
||||
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
|
||||
-m tunnel
|
||||
-E 3des-cbc "kamekame12341234kame1234"
|
||||
-A hmac-sha1 "this is the test key" ;
|
||||
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001
|
||||
-m transport
|
||||
-A hmac-md5 "this is the test" ;
|
||||
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001
|
||||
-m tunnel
|
||||
-E 3des-cbc "kamekame12341234kame1234"
|
||||
-A hmac-sha1 "this is the test key" ;
|
||||
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
|
||||
-m transport
|
||||
-A hmac-md5 "this is the test" ;
|
||||
|
||||
# ESP tunnel mode is required between Host-A and Gateway-A.
|
||||
# Encryption algorithm is cast128-cbc, and authentication algorithm
|
||||
# for ESP is hmac-sha1.
|
||||
# ESP transport mode is recommended between Host-A and Host-B.
|
||||
# Encryption algorithm is rc5-cbc, and authentication algorithm
|
||||
# for ESP is hmac-md5.
|
||||
#
|
||||
# ================== ESP =================
|
||||
# | ======= ESP ======= |
|
||||
# | | | |
|
||||
# Host-A Gateway-A Host-B
|
||||
# fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
|
||||
#
|
||||
# At Host-A:
|
||||
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
|
||||
esp/transport//use
|
||||
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
|
||||
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
|
||||
esp/transport//use
|
||||
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
|
||||
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
|
||||
-m transport
|
||||
-E cast128-cbc "12341234"
|
||||
-A hmac-sha1 "this is the test key" ;
|
||||
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
|
||||
-E rc5-cbc "kamekame"
|
||||
-A hmac-md5 "this is the test" ;
|
||||
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
|
||||
-m transport
|
||||
-E cast128-cbc "12341234"
|
||||
-A hmac-sha1 "this is the test key" ;
|
||||
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
|
||||
-E rc5-cbc "kamekame"
|
||||
-A hmac-md5 "this is the test" ;
|
||||
|
||||
# By "get" command, you can get a entry of either SP or SA.
|
||||
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
||||
|
||||
# Also delete command, you can delete a entry of either SP or SA.
|
||||
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
|
||||
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
||||
|
||||
# By dump command, you can dump all entry of either SP or SA.
|
||||
dump ;
|
||||
spddump ;
|
||||
dump esp ;
|
||||
flush esp ;
|
||||
|
||||
# By flush command, you can flush all entry of either SP or SA.
|
||||
flush ;
|
||||
spdflush ;
|
||||
|
||||
# "flush" and "dump" commands can specify a security protocol.
|
||||
dump esp ;
|
||||
flush ah ;
|
||||
|
||||
# XXX
|
||||
add ::1 ::1 esp 10001 -m transport -E null ;
|
||||
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
|
||||
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
|
||||
add ::1 ::1 esp 10004 -m transport -E null -A null ;
|
||||
add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
|
||||
add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
|
||||
add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
|
||||
add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
|
||||
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
|
||||
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
|
||||
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
|
||||
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
|
||||
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
|
||||
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
|
||||
add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
|
||||
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
|
||||
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
|
||||
add ::1 ::1 esp 10018 -m transport -E null ;
|
||||
#add ::1 ::1 ah 20000 -m transport -A null ;
|
||||
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
|
||||
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
|
||||
add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234";
|
||||
add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234";
|
||||
add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234";
|
||||
#add ::1 ::1 ipcomp 30000 -C oui ;
|
||||
add ::1 ::1 ipcomp 30001 -C deflate ;
|
||||
#add ::1 ::1 ipcomp 30002 -C lzs ;
|
||||
|
||||
# enjoy.
|
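--- a/[path not on page]/scriptdump.pl
+++ /dev/null
@@ -1,56 +0,0 @@
-#! @LOCALPREFIX@/bin/perl
-# $FreeBSD$
-
-if ($< != 0) {
-print STDERR "must be root to invoke this\n";
-exit 1;
-}
-
-$mode = 'add';
-while ($i = shift @ARGV) {
-if ($i eq '-d') {
-$mode = 'delete';
-} else {
-print STDERR "usage: scriptdump [-d]\n";
-exit 1;
-}
-}
-
-open(IN, "setkey -D |") || die;
-foreach $_ (<IN>) {
-if (/^[^\t]/) {
-($src, $dst) = split(/\s+/, $_);
-} elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*reqid=(\d+)/) {
-($proto, $ipsecmode, $spi, $reqid) = ($1, $2, $3, $4);
-} elsif (/^\tE: (\S+) (.*)/) {
-$ealgo = $1;
-$ekey = $2;
-$ekey =~ s/\s//g;
-$ekey =~ s/^/0x/g;
-} elsif (/^\tA: (\S+) (.*)/) {
-$aalgo = $1;
-$akey = $2;
-$akey =~ s/\s//g;
-$akey =~ s/^/0x/g;
-} elsif (/^\tseq=(0x\d+) replay=(\d+) flags=(0x\d+) state=/) {
-print "$mode $src $dst $proto $spi";
-$replay = $2;
-print " -u $reqid" if $reqid;
-if ($mode eq 'add') {
-print " -m $ipsecmode -r $replay" if $replay;
-if ($proto eq 'esp') {
-print " -E $ealgo $ekey" if $ealgo;
-print " -A $aalgo $akey" if $aalgo;
-} elsif ($proto eq 'ah') {
-print " -A $aalgo $akey" if $aalgo;
-}
-}
-print ";\n";
-
-$src = $dst = $upper = $proxy = '';
-$ealgo = $ekey = $aalgo = $akey = '';
-}
-}
-close(IN);
-
-exit 0;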
@ -1,693 +0,0 @@
|
||||
.\" $KAME: setkey.8,v 1.89 2003/09/07 22:17:41 itojun Exp $
|
||||
.\"
|
||||
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\" 3. Neither the name of the project nor the names of its contributors
|
||||
.\" may be used to endorse or promote products derived from this software
|
||||
.\" without specific prior written permission.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd November 20, 2000
|
||||
.Dt SETKEY 8
|
||||
.Os
|
||||
.\"
|
||||
.Sh NAME
|
||||
.Nm setkey
|
||||
.Nd "manually manipulate the IPsec SA/SP database"
|
||||
.\"
|
||||
.Sh SYNOPSIS
|
||||
.Nm
|
||||
.Op Fl v
|
||||
.Fl c
|
||||
.Nm
|
||||
.Op Fl v
|
||||
.Fl f Ar filename
|
||||
.Nm
|
||||
.Op Fl aPlv
|
||||
.Fl D
|
||||
.Nm
|
||||
.Op Fl Pv
|
||||
.Fl F
|
||||
.Nm
|
||||
.Op Fl h
|
||||
.Fl x
|
||||
.\"
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
.Nm
|
||||
utility adds, updates, dumps, or flushes
|
||||
Security Association Database (SAD) entries
|
||||
as well as Security Policy Database (SPD) entries in the kernel.
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
utility takes a series of operations from the standard input
|
||||
(if invoked with
|
||||
.Fl c )
|
||||
or the file named
|
||||
.Ar filename
|
||||
(if invoked with
|
||||
.Fl f Ar filename ) .
|
||||
.Bl -tag -width indent
|
||||
.It Fl D
|
||||
Dump the SAD entries.
|
||||
If with
|
||||
.Fl P ,
|
||||
the SPD entries are dumped.
|
||||
.It Fl F
|
||||
Flush the SAD entries.
|
||||
If with
|
||||
.Fl P ,
|
||||
the SPD entries are flushed.
|
||||
.It Fl a
|
||||
The
|
||||
.Nm
|
||||
utility
|
||||
usually does not display dead SAD entries with
|
||||
.Fl D .
|
||||
If with
|
||||
.Fl a ,
|
||||
the dead SAD entries will be displayed as well.
|
||||
A dead SAD entry means that
|
||||
it has been expired but remains in the system
|
||||
because it is referenced by some SPD entries.
|
||||
.It Fl h
|
||||
Add hexadecimal dump on
|
||||
.Fl x
|
||||
mode.
|
||||
.It Fl l
|
||||
Loop forever with short output on
|
||||
.Fl D .
|
||||
.It Fl v
|
||||
Be verbose.
|
||||
The program will dump messages exchanged on
|
||||
.Dv PF_KEY
|
||||
socket, including messages sent from other processes to the kernel.
|
||||
.It Fl x
|
||||
Loop forever and dump all the messages transmitted to
|
||||
.Dv PF_KEY
|
||||
socket.
|
||||
.Fl xx
|
||||
makes each timestamps unformatted.
|
||||
.El
|
||||
.Ss Configuration syntax
|
||||
With
|
||||
.Fl c
|
||||
or
|
||||
.Fl f
|
||||
on the command line,
|
||||
.Nm
|
||||
accepts the following configuration syntax.
|
||||
Lines starting with hash signs
|
||||
.Pq Ql #
|
||||
are treated as comment lines.
|
||||
.Bl -tag -width indent
|
||||
.It Xo
|
||||
.Li add
|
||||
.Op Fl 46n
|
||||
.Ar src Ar dst Ar protocol Ar spi
|
||||
.Op Ar extensions
|
||||
.Ar algorithm ...
|
||||
.Li ;
|
||||
.Xc
|
||||
Add an SAD entry.
|
||||
.Li add
|
||||
can fail with multiple reasons,
|
||||
including when the key length does not match the specified algorithm.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li get
|
||||
.Op Fl 46n
|
||||
.Ar src Ar dst Ar protocol Ar spi
|
||||
.Li ;
|
||||
.Xc
|
||||
Show an SAD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li delete
|
||||
.Op Fl 46n
|
||||
.Ar src Ar dst Ar protocol Ar spi
|
||||
.Li ;
|
||||
.Xc
|
||||
Remove an SAD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li deleteall
|
||||
.Op Fl 46n
|
||||
.Ar src Ar dst Ar protocol
|
||||
.Li ;
|
||||
.Xc
|
||||
Remove all SAD entries that match the specification.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li flush
|
||||
.Op Ar protocol
|
||||
.Li ;
|
||||
.Xc
|
||||
Clear all SAD entries matched by the options.
|
||||
.Fl F
|
||||
on the command line achieves the same functionality.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li dump
|
||||
.Op Ar protocol
|
||||
.Li ;
|
||||
.Xc
|
||||
Dumps all SAD entries matched by the options.
|
||||
.Fl D
|
||||
on the command line achieves the same functionality.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li spdadd
|
||||
.Op Fl 46n
|
||||
.Ar src_range Ar dst_range Ar upperspec Ar policy
|
||||
.Li ;
|
||||
.Xc
|
||||
Add an SPD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li spddelete
|
||||
.Op Fl 46n
|
||||
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
|
||||
.Li ;
|
||||
.Xc
|
||||
Delete an SPD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li spdflush
|
||||
.Li ;
|
||||
.Xc
|
||||
Clear all SPD entries.
|
||||
.Fl FP
|
||||
on the command line achieves the same functionality.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li spddump
|
||||
.Li ;
|
||||
.Xc
|
||||
Dumps all SPD entries.
|
||||
.Fl DP
|
||||
on the command line achieves the same functionality.
|
||||
.El
|
||||
.\"
|
||||
.Pp
|
||||
Meta-arguments are as follows:
|
||||
.Pp
|
||||
.Bl -tag -compact -width indent
|
||||
.It Ar src
|
||||
.It Ar dst
|
||||
Source/destination of the secure communication is specified as
|
||||
IPv4/v6 address.
|
||||
The
|
||||
.Nm
|
||||
utility
|
||||
can resolve a FQDN into numeric addresses.
|
||||
If the FQDN resolves into multiple addresses,
|
||||
.Nm
|
||||
will install multiple SAD/SPD entries into the kernel
|
||||
by trying all possible combinations.
|
||||
.Fl 4 ,
|
||||
.Fl 6
|
||||
and
|
||||
.Fl n
|
||||
restricts the address resolution of FQDN in certain ways.
|
||||
.Fl 4
|
||||
and
|
||||
.Fl 6
|
||||
restrict results into IPv4/v6 addresses only, respectively.
|
||||
.Fl n
|
||||
avoids FQDN resolution and requires addresses to be numeric addresses.
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar protocol
|
||||
.Ar protocol
|
||||
is one of following:
|
||||
.Bl -tag -width Fl -compact
|
||||
.It Li esp
|
||||
ESP based on rfc2406
|
||||
.It Li esp-old
|
||||
ESP based on rfc1827
|
||||
.It Li ah
|
||||
AH based on rfc2402
|
||||
.It Li ah-old
|
||||
AH based on rfc1826
|
||||
.It Li ipcomp
|
||||
IPComp
|
||||
.It Li tcp
|
||||
TCP-MD5 based on rfc2385
|
||||
.El
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar spi
|
||||
Security Parameter Index
|
||||
(SPI)
|
||||
for the SAD and the SPD.
|
||||
.Ar spi
|
||||
must be a decimal number, or a hexadecimal number with
|
||||
.Ql 0x
|
||||
prefix.
|
||||
SPI values between 0 and 255 are reserved for future use by IANA
|
||||
and they cannot be used.
|
||||
TCP-MD5 associations must use 0x1000 and therefore only have per-host
|
||||
granularity at this time.
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar extensions
|
||||
take some of the following:
|
||||
.Bl -tag -width Fl -compact
|
||||
.\"
|
||||
.It Fl m Ar mode
|
||||
Specify a security protocol mode for use.
|
||||
.Ar mode
|
||||
is one of following:
|
||||
.Li transport , tunnel
|
||||
or
|
||||
.Li any .
|
||||
The default value is
|
||||
.Li any .
|
||||
.\"
|
||||
.It Fl r Ar size
|
||||
Specify window size of bytes for replay prevention.
|
||||
.Ar size
|
||||
must be decimal number in 32-bit word.
|
||||
If
|
||||
.Ar size
|
||||
is zero or not specified, replay check does not take place.
|
||||
.\"
|
||||
.It Fl u Ar id
|
||||
Specify the identifier of the policy entry in SPD.
|
||||
See
|
||||
.Ar policy .
|
||||
.\"
|
||||
.It Fl f Ar pad_option
|
||||
defines the content of the ESP padding.
|
||||
.Ar pad_option
|
||||
is one of following:
|
||||
.Bl -tag -width random-pad -compact
|
||||
.It Li zero-pad
|
||||
All of the padding are zero.
|
||||
.It Li random-pad
|
||||
A series of randomized values are set.
|
||||
.It Li seq-pad
|
||||
A series of sequential increasing numbers started from 1 are set.
|
||||
.El
|
||||
.\"
|
||||
.It Fl f Li nocyclic-seq
|
||||
Do not allow cyclic sequence number.
|
||||
.\"
|
||||
.It Fl lh Ar time
|
||||
.It Fl ls Ar time
|
||||
Specify hard/soft life time duration of the SA.
|
||||
.El
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar algorithm
|
||||
.Bl -tag -width Fl -compact
|
||||
.It Fl E Ar ealgo Ar key
|
||||
Specify an encryption algorithm
|
||||
.Ar ealgo
|
||||
for ESP.
|
||||
.It Xo
|
||||
.Fl E Ar ealgo Ar key
|
||||
.Fl A Ar aalgo Ar key
|
||||
.Xc
|
||||
Specify a encryption algorithm
|
||||
.Ar ealgo ,
|
||||
as well as a payload authentication algorithm
|
||||
.Ar aalgo ,
|
||||
for ESP.
|
||||
.It Fl A Ar aalgo Ar key
|
||||
Specify an authentication algorithm for AH.
|
||||
.It Fl C Ar calgo Op Fl R
|
||||
Specify a compression algorithm for IPComp.
|
||||
If
|
||||
.Fl R
|
||||
is specified,
|
||||
.Ar spi
|
||||
field value will be used as the IPComp CPI
|
||||
(compression parameter index)
|
||||
on wire as is.
|
||||
If
|
||||
.Fl R
|
||||
is not specified,
|
||||
the kernel will use well-known CPI on wire, and
|
||||
.Ar spi
|
||||
field will be used only as an index for kernel internal usage.
|
||||
.El
|
||||
.Pp
|
||||
.Ar key
|
||||
must be double-quoted character string, or a series of hexadecimal digits
|
||||
preceded by
|
||||
.Ql 0x .
|
||||
.Pp
|
||||
Possible values for
|
||||
.Ar ealgo ,
|
||||
.Ar aalgo
|
||||
and
|
||||
.Ar calgo
|
||||
are specified in separate section.
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar src_range
|
||||
.It Ar dst_range
|
||||
These are selections of the secure communication specified as
|
||||
IPv4/v6 address or IPv4/v6 address range, and it may accompany
|
||||
TCP/UDP port specification.
|
||||
This takes the following form:
|
||||
.Bd -unfilled
|
||||
.Ar address
|
||||
.Ar address/prefixlen
|
||||
.Ar address[port]
|
||||
.Ar address/prefixlen[port]
|
||||
.Ed
|
||||
.Pp
|
||||
.Ar prefixlen
|
||||
and
|
||||
.Ar port
|
||||
must be decimal number.
|
||||
The square bracket around
|
||||
.Ar port
|
||||
is really necessary.
|
||||
They are not manpage metacharacters.
|
||||
For FQDN resolution, the rules applicable to
|
||||
.Ar src
|
||||
and
|
||||
.Ar dst
|
||||
apply here as well.
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar upperspec
|
||||
Upper-layer protocol to be used.
|
||||
You can use one of words in
|
||||
.Pa /etc/protocols
|
||||
as
|
||||
.Ar upperspec .
|
||||
Or
|
||||
.Li icmp6 ,
|
||||
.Li ip4 ,
|
||||
and
|
||||
.Li any
|
||||
can be specified.
|
||||
.Li any
|
||||
stands for
|
||||
.Dq any protocol .
|
||||
Also you can use the protocol number.
|
||||
You can specify a type and/or a code of ICMPv6 when
|
||||
upper-layer protocol is ICMPv6.
|
||||
The specification can be placed after
|
||||
.Li icmp6 .
|
||||
A type is separated with a code by single comma.
|
||||
A code must be specified anytime.
|
||||
When a zero is specified, the kernel deals with it as a wildcard.
|
||||
Note that the kernel cannot distinguish a wildcard from that a type
|
||||
of ICMPv6 is zero.
|
||||
For example, the following means the policy does not require IPsec
|
||||
for any inbound Neighbor Solicitation:
|
||||
.Pp
|
||||
.Dl "spdadd ::/0 ::/0 icmp6 135,0 -P in none;"
|
||||
.Pp
|
||||
NOTE:
|
||||
.Ar upperspec
|
||||
does not work against forwarding case at this moment,
|
||||
as it requires extra reassembly at forwarding node
|
||||
(not implemented at this moment).
|
||||
We have many protocols in
|
||||
.Pa /etc/protocols ,
|
||||
but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec.
|
||||
You have to consider and be careful to use them.
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar policy
|
||||
.Ar policy
|
||||
is the one of the following three formats:
|
||||
.Bd -ragged -offset indent
|
||||
.It Fl P Ar direction Li discard
|
||||
.It Fl P Ar direction Li none
|
||||
.It Xo Fl P Ar direction Li ipsec
|
||||
.Ar protocol/mode/src-dst/level Op ...
|
||||
.Xc
|
||||
.Ed
|
||||
.Pp
|
||||
You must specify the direction of its policy as
|
||||
.Ar direction .
|
||||
Either
|
||||
.Li out
|
||||
or
|
||||
.Li in
|
||||
are used.
|
||||
.Li discard
|
||||
means the packet matching indexes will be discarded.
|
||||
.Li none
|
||||
means that IPsec operation will not take place onto the packet.
|
||||
.Li ipsec
|
||||
means that IPsec operation will take place onto the packet.
|
||||
The part of
|
||||
.Ar protocol/mode/src-dst/level
|
||||
specifies the rule how to process the packet.
|
||||
Either
|
||||
.Li ah ,
|
||||
.Li esp
|
||||
or
|
||||
.Li ipcomp
|
||||
is to be set as
|
||||
.Ar protocol .
|
||||
.Ar mode
|
||||
is either
|
||||
.Li transport
|
||||
or
|
||||
.Li tunnel .
|
||||
If
|
||||
.Ar mode
|
||||
is
|
||||
.Li tunnel ,
|
||||
you must specify the end-points addresses of the SA as
|
||||
.Ar src
|
||||
and
|
||||
.Ar dst
|
||||
with
|
||||
.Sq -
|
||||
between these addresses which is used to specify the SA to use.
|
||||
If
|
||||
.Ar mode
|
||||
is
|
||||
.Li transport ,
|
||||
both
|
||||
.Ar src
|
||||
and
|
||||
.Ar dst
|
||||
can be omitted.
|
||||
.Ar level
|
||||
is to be one of the following:
|
||||
.Li default , use , require
|
||||
or
|
||||
.Li unique .
|
||||
If the SA is not available in every level, the kernel will request
|
||||
getting SA to the key exchange daemon.
|
||||
.Li default
|
||||
means the kernel consults to the system wide default against protocol you
|
||||
specified, e.g.,
|
||||
.Li esp_trans_deflev
|
||||
sysctl variable, when the kernel processes the packet.
|
||||
.Li use
|
||||
means that the kernel use a SA if it is available,
|
||||
otherwise the kernel keeps normal operation.
|
||||
.Li require
|
||||
means SA is required whenever the kernel sends a packet matched
|
||||
with the policy.
|
||||
.Li unique
|
||||
is the same to require.
|
||||
In addition, it allows the policy to bind with the unique out-bound SA.
|
||||
You just specify the policy level
|
||||
.Li unique ,
|
||||
.Xr racoon 8
|
||||
will configure the SA for the policy.
|
||||
If you configure the SA by manual keying for that policy,
|
||||
you can put the decimal number as the policy identifier after
|
||||
.Li unique
|
||||
separated by colon
|
||||
.Ql :\&
|
||||
like the following;
|
||||
.Li unique:number .
|
||||
In order to bind this policy to the SA,
|
||||
.Li number
|
||||
must be between 1 and 32767.
|
||||
It corresponds to
|
||||
.Ar extensions Fl u
|
||||
of the manual SA configuration.
|
||||
When you want to use SA bundle, you can define multiple rules.
|
||||
For example, if an IP header was followed by AH header followed by ESP header
|
||||
followed by an upper layer protocol header, the rule
|
||||
would be:
|
||||
.Dl esp/transport//require ah/transport//require ;
|
||||
The rule order is very important.
|
||||
.Pp
|
||||
Note that
|
||||
.Dq Li discard
|
||||
and
|
||||
.Dq Li none
|
||||
are not in the syntax described in
|
||||
.Xr ipsec_set_policy 3 .
|
||||
There are little differences in the syntax.
|
||||
See
|
||||
.Xr ipsec_set_policy 3
|
||||
for detail.
|
||||
.Pp
|
||||
.El
|
||||
.Pp
|
||||
.\"
|
||||
.Sh ALGORITHMS
|
||||
The following list shows the supported algorithms.
|
||||
.Sy protocol
|
||||
and
|
||||
.Sy algorithm
|
||||
are almost orthogonal.
|
||||
Followings are the list of authentication algorithms that can be used as
|
||||
.Ar aalgo
|
||||
in
|
||||
.Fl A Ar aalgo
|
||||
of
|
||||
.Ar protocol
|
||||
parameter:
|
||||
.Pp
|
||||
.Bd -literal -offset indent
|
||||
algorithm keylen (bits) comment
|
||||
hmac-md5 128 ah: rfc2403
|
||||
128 ah-old: rfc2085
|
||||
hmac-sha1 160 ah: rfc2404
|
||||
160 ah-old: 128bit ICV (no document)
|
||||
keyed-md5 128 ah: 96bit ICV (no document)
|
||||
128 ah-old: rfc1828
|
||||
keyed-sha1 160 ah: 96bit ICV (no document)
|
||||
160 ah-old: 128bit ICV (no document)
|
||||
null 0 to 2048 for debugging
|
||||
hmac-sha2-256 256 ah: 96bit ICV
|
||||
(draft-ietf-ipsec-ciph-sha-256-00)
|
||||
256 ah-old: 128bit ICV (no document)
|
||||
hmac-sha2-384 384 ah: 96bit ICV (no document)
|
||||
384 ah-old: 128bit ICV (no document)
|
||||
hmac-sha2-512 512 ah: 96bit ICV (no document)
|
||||
512 ah-old: 128bit ICV (no document)
|
||||
hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
|
||||
ah-old: 128bit ICV (no document)
|
||||
aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
|
||||
128 ah-old: 128bit ICV (no document)
|
||||
tcp-md5 8 to 640 tcp: rfc2385
|
||||
.Ed
|
||||
.Pp
|
||||
Followings are the list of encryption algorithms that can be used as
|
||||
.Ar ealgo
|
||||
in
|
||||
.Fl E Ar ealgo
|
||||
of
|
||||
.Ar protocol
|
||||
parameter:
|
||||
.Pp
|
||||
.Bd -literal -offset indent
|
||||
algorithm keylen (bits) comment
|
||||
des-cbc 64 esp-old: rfc1829, esp: rfc2405
|
||||
3des-cbc 192 rfc2451
|
||||
null 0 to 2048 rfc2410
|
||||
blowfish-cbc 40 to 448 rfc2451
|
||||
cast128-cbc 40 to 128 rfc2451
|
||||
des-deriv 64 ipsec-ciph-des-derived-01
|
||||
3des-deriv 192 no document
|
||||
rijndael-cbc 128/192/256 rfc3602
|
||||
aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
|
||||
.Ed
|
||||
.Pp
|
||||
Note that the first 128 bits of a key for
|
||||
.Li aes-ctr
|
||||
will be used as AES key, and remaining 32 bits will be used as nonce.
|
||||
.Pp
|
||||
Followings are the list of compression algorithms that can be used as
|
||||
.Ar calgo
|
||||
in
|
||||
.Fl C Ar calgo
|
||||
of
|
||||
.Ar protocol
|
||||
parameter:
|
||||
.Pp
|
||||
.Bd -literal -offset indent
|
||||
algorithm comment
|
||||
deflate rfc2394
|
||||
.Ed
|
||||
.\"
|
||||
.Sh EXIT STATUS
|
||||
.Ex -std
|
||||
.\"
|
||||
.Sh EXAMPLES
|
||||
.Bd -literal -offset
|
||||
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
|
||||
-E des-cbc 0x3ffe05014819ffff ;
|
||||
|
||||
add -6 myhost.example.com yourhost.example.com ah 123456
|
||||
-A hmac-sha1 "AH SA configuration!" ;
|
||||
|
||||
add 10.0.11.41 10.0.11.33 esp 0x10001
|
||||
-E des-cbc 0x3ffe05014819ffff
|
||||
-A hmac-md5 "authentication!!" ;
|
||||
|
||||
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
|
||||
|
||||
flush ;
|
||||
|
||||
dump esp ;
|
||||
|
||||
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
|
||||
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
|
||||
|
||||
add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
|
||||
|
||||
.Ed
|
||||
.\"
|
||||
.Sh SEE ALSO
|
||||
.Xr ipsec_set_policy 3 ,
|
||||
.Xr racoon 8 ,
|
||||
.Xr sysctl 8
|
||||
.Rs
|
||||
.%T "Changed manual key configuration for IPsec"
|
||||
.%O "http://www.kame.net/newsletter/19991007/"
|
||||
.%D "October 1999"
|
||||
.Re
|
||||
.\"
|
||||
.Sh HISTORY
|
||||
The
|
||||
.Nm
|
||||
utility first appeared in WIDE Hydrangea IPv6 protocol stack kit.
|
||||
The utility was completely re-designed in June 1998.
|
||||
.\"
|
||||
.Sh BUGS
|
||||
The
|
||||
.Nm
|
||||
utility
|
||||
should report and handle syntax errors better.
|
||||
.Pp
|
||||
For IPsec gateway configuration,
|
||||
.Ar src_range
|
||||
and
|
||||
.Ar dst_range
|
||||
with TCP/UDP port number do not work, as the gateway does not reassemble
|
||||
packets
|
||||
(cannot inspect upper-layer headers).
|
@ -1,632 +0,0 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: setkey.c,v 1.28 2003/06/27 07:15:45 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/time.h>
|
||||
#include <err.h>
|
||||
#include <net/route.h>
|
||||
#include <netinet/in.h>
|
||||
#include <net/pfkeyv2.h>
|
||||
#include <netkey/keydb.h>
|
||||
#include <netkey/key_debug.h>
|
||||
#include <netinet6/ipsec.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <limits.h>
|
||||
#include <string.h>
|
||||
#include <ctype.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
|
||||
#include "libpfkey.h"
|
||||
|
||||
void usage __P((void));
|
||||
int main __P((int, char **));
|
||||
int get_supported __P((void));
|
||||
void sendkeyshort __P((u_int));
|
||||
void promisc __P((void));
|
||||
int sendkeymsg __P((char *, size_t));
|
||||
int postproc __P((struct sadb_msg *, int));
|
||||
const char *numstr __P((int));
|
||||
void shortdump_hdr __P((void));
|
||||
void shortdump __P((struct sadb_msg *));
|
||||
static void printdate __P((void));
|
||||
static int32_t gmt2local __P((time_t));
|
||||
|
||||
#define MODE_SCRIPT 1
|
||||
#define MODE_CMDDUMP 2
|
||||
#define MODE_CMDFLUSH 3
|
||||
#define MODE_PROMISC 4
|
||||
|
||||
int so;
|
||||
|
||||
int f_forever = 0;
|
||||
int f_all = 0;
|
||||
int f_verbose = 0;
|
||||
int f_mode = 0;
|
||||
int f_cmddump = 0;
|
||||
int f_policy = 0;
|
||||
int f_hexdump = 0;
|
||||
int f_tflag = 0;
|
||||
static time_t thiszone;
|
||||
|
||||
extern int lineno;
|
||||
|
||||
extern int parse __P((FILE **));
|
||||
|
||||
void
|
||||
usage()
|
||||
{
|
||||
|
||||
printf("usage: setkey [-v] -c\n");
|
||||
printf(" setkey [-v] -f filename\n");
|
||||
printf(" setkey [-Palv] -D\n");
|
||||
printf(" setkey [-Pv] -F\n");
|
||||
printf(" setkey [-h] -x\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int
|
||||
main(ac, av)
|
||||
int ac;
|
||||
char **av;
|
||||
{
|
||||
FILE *fp = stdin;
|
||||
int c;
|
||||
|
||||
if (ac == 1) {
|
||||
usage();
|
||||
/* NOTREACHED */
|
||||
}
|
||||
|
||||
thiszone = gmt2local(0);
|
||||
|
||||
while ((c = getopt(ac, av, "acdf:hlvxDFP")) != -1) {
|
||||
switch (c) {
|
||||
case 'c':
|
||||
f_mode = MODE_SCRIPT;
|
||||
fp = stdin;
|
||||
break;
|
||||
case 'f':
|
||||
f_mode = MODE_SCRIPT;
|
||||
if ((fp = fopen(optarg, "r")) == NULL) {
|
||||
err(-1, "fopen");
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
break;
|
||||
case 'D':
|
||||
f_mode = MODE_CMDDUMP;
|
||||
break;
|
||||
case 'F':
|
||||
f_mode = MODE_CMDFLUSH;
|
||||
break;
|
||||
case 'a':
|
||||
f_all = 1;
|
||||
break;
|
||||
case 'l':
|
||||
f_forever = 1;
|
||||
break;
|
||||
case 'h':
|
||||
f_hexdump = 1;
|
||||
break;
|
||||
case 'x':
|
||||
f_mode = MODE_PROMISC;
|
||||
f_tflag++;
|
||||
break;
|
||||
case 'P':
|
||||
f_policy = 1;
|
||||
break;
|
||||
case 'v':
|
||||
f_verbose = 1;
|
||||
break;
|
||||
default:
|
||||
usage();
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
}
|
||||
|
||||
so = pfkey_open();
|
||||
if (so < 0) {
|
||||
perror("pfkey_open");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
switch (f_mode) {
|
||||
case MODE_CMDDUMP:
|
||||
sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP);
|
||||
break;
|
||||
case MODE_CMDFLUSH:
|
||||
sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
|
||||
break;
|
||||
case MODE_SCRIPT:
|
||||
if (get_supported() < 0) {
|
||||
errx(-1, "%s", ipsec_strerror());
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
if (parse(&fp))
|
||||
exit (1);
|
||||
break;
|
||||
case MODE_PROMISC:
|
||||
promisc();
|
||||
/*NOTREACHED*/
|
||||
default:
|
||||
usage();
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
|
||||
exit(0);
|
||||
}
|
||||
|
||||
int
|
||||
get_supported()
|
||||
{
|
||||
|
||||
if (pfkey_send_register(so, SADB_SATYPE_UNSPEC) < 0)
|
||||
return -1;
|
||||
|
||||
if (pfkey_recv_register(so) < 0)
|
||||
return -1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
sendkeyshort(type)
|
||||
u_int type;
|
||||
{
|
||||
struct sadb_msg msg;
|
||||
|
||||
msg.sadb_msg_version = PF_KEY_V2;
|
||||
msg.sadb_msg_type = type;
|
||||
msg.sadb_msg_errno = 0;
|
||||
msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
|
||||
msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
|
||||
msg.sadb_msg_reserved = 0;
|
||||
msg.sadb_msg_seq = 0;
|
||||
msg.sadb_msg_pid = getpid();
|
||||
|
||||
sendkeymsg((char *)&msg, sizeof(msg));
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
promisc()
|
||||
{
|
||||
struct sadb_msg msg;
|
||||
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
|
||||
ssize_t l;
|
||||
|
||||
msg.sadb_msg_version = PF_KEY_V2;
|
||||
msg.sadb_msg_type = SADB_X_PROMISC;
|
||||
msg.sadb_msg_errno = 0;
|
||||
msg.sadb_msg_satype = 1;
|
||||
msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
|
||||
msg.sadb_msg_reserved = 0;
|
||||
msg.sadb_msg_seq = 0;
|
||||
msg.sadb_msg_pid = getpid();
|
||||
|
||||
if ((l = send(so, &msg, sizeof(msg), 0)) < 0) {
|
||||
err(1, "send");
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
|
||||
while (1) {
|
||||
struct sadb_msg *base;
|
||||
|
||||
if ((l = recv(so, rbuf, sizeof(*base), MSG_PEEK)) < 0) {
|
||||
err(1, "recv");
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
|
||||
if (l != sizeof(*base))
|
||||
continue;
|
||||
|
||||
base = (struct sadb_msg *)rbuf;
|
||||
if ((l = recv(so, rbuf, PFKEY_UNUNIT64(base->sadb_msg_len),
|
||||
0)) < 0) {
|
||||
err(1, "recv");
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
printdate();
|
||||
if (f_hexdump) {
|
||||
int i;
|
||||
for (i = 0; i < l; i++) {
|
||||
if (i % 16 == 0)
|
||||
printf("%08x: ", i);
|
||||
printf("%02x ", rbuf[i] & 0xff);
|
||||
if (i % 16 == 15)
|
||||
printf("\n");
|
||||
}
|
||||
if (l % 16)
|
||||
printf("\n");
|
||||
}
|
||||
/* adjust base pointer for promisc mode */
|
||||
if (base->sadb_msg_type == SADB_X_PROMISC) {
|
||||
if ((ssize_t)sizeof(*base) < l)
|
||||
base++;
|
||||
else
|
||||
base = NULL;
|
||||
}
|
||||
if (base) {
|
||||
kdebug_sadb(base);
|
||||
printf("\n");
|
||||
fflush(stdout);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
int
|
||||
sendkeymsg(buf, len)
|
||||
char *buf;
|
||||
size_t len;
|
||||
{
|
||||
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
|
||||
ssize_t l;
|
||||
struct sadb_msg *msg;
|
||||
|
||||
{
|
||||
struct timeval tv;
|
||||
tv.tv_sec = 1;
|
||||
tv.tv_usec = 0;
|
||||
if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
|
||||
perror("setsockopt");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (f_forever)
|
||||
shortdump_hdr();
|
||||
again:
|
||||
if (f_verbose) {
|
||||
kdebug_sadb((struct sadb_msg *)buf);
|
||||
printf("\n");
|
||||
}
|
||||
if (f_hexdump) {
|
||||
int i;
|
||||
for (i = 0; i < len; i++) {
|
||||
if (i % 16 == 0)
|
||||
printf("%08x: ", i);
|
||||
printf("%02x ", buf[i] & 0xff);
|
||||
if (i % 16 == 15)
|
||||
printf("\n");
|
||||
}
|
||||
if (len % 16)
|
||||
printf("\n");
|
||||
}
|
||||
|
||||
if ((l = send(so, buf, len, 0)) < 0) {
|
||||
perror("send");
|
||||
goto end;
|
||||
}
|
||||
|
||||
msg = (struct sadb_msg *)rbuf;
|
||||
do {
|
||||
if ((l = recv(so, rbuf, sizeof(rbuf), 0)) < 0) {
|
||||
perror("recv");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (PFKEY_UNUNIT64(msg->sadb_msg_len) != l) {
|
||||
warnx("invalid keymsg length");
|
||||
break;
|
||||
}
|
||||
|
||||
if (f_verbose) {
|
||||
kdebug_sadb((struct sadb_msg *)rbuf);
|
||||
printf("\n");
|
||||
}
|
||||
if (postproc(msg, l) < 0)
|
||||
break;
|
||||
} while (msg->sadb_msg_errno || msg->sadb_msg_seq);
|
||||
|
||||
if (f_forever) {
|
||||
fflush(stdout);
|
||||
sleep(1);
|
||||
goto again;
|
||||
}
|
||||
|
||||
end:
|
||||
return(0);
|
||||
}
|
||||
|
||||
int
|
||||
postproc(msg, len)
|
||||
struct sadb_msg *msg;
|
||||
int len;
|
||||
{
|
||||
|
||||
if (msg->sadb_msg_errno != 0) {
|
||||
char inf[80];
|
||||
const char *errmsg = NULL;
|
||||
|
||||
if (f_mode == MODE_SCRIPT)
|
||||
snprintf(inf, sizeof(inf), "The result of line %d: ", lineno);
|
||||
else
|
||||
inf[0] = '\0';
|
||||
|
||||
switch (msg->sadb_msg_errno) {
|
||||
case ENOENT:
|
||||
switch (msg->sadb_msg_type) {
|
||||
case SADB_DELETE:
|
||||
case SADB_GET:
|
||||
case SADB_X_SPDDELETE:
|
||||
errmsg = "No entry";
|
||||
break;
|
||||
case SADB_DUMP:
|
||||
errmsg = "No SAD entries";
|
||||
break;
|
||||
case SADB_X_SPDDUMP:
|
||||
errmsg = "No SPD entries";
|
||||
break;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
errmsg = strerror(msg->sadb_msg_errno);
|
||||
}
|
||||
printf("%s%s.\n", inf, errmsg);
|
||||
return(-1);
|
||||
}
|
||||
|
||||
switch (msg->sadb_msg_type) {
|
||||
case SADB_GET:
|
||||
pfkey_sadump(msg);
|
||||
break;
|
||||
|
||||
case SADB_DUMP:
|
||||
/* filter out DEAD SAs */
|
||||
if (!f_all) {
|
||||
caddr_t mhp[SADB_EXT_MAX + 1];
|
||||
struct sadb_sa *sa;
|
||||
pfkey_align(msg, mhp);
|
||||
pfkey_check(mhp);
|
||||
if ((sa = (struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) {
|
||||
if (sa->sadb_sa_state == SADB_SASTATE_DEAD)
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (f_forever)
|
||||
shortdump(msg);
|
||||
else
|
||||
pfkey_sadump(msg);
|
||||
msg = (struct sadb_msg *)((caddr_t)msg +
|
||||
PFKEY_UNUNIT64(msg->sadb_msg_len));
|
||||
if (f_verbose) {
|
||||
kdebug_sadb((struct sadb_msg *)msg);
|
||||
printf("\n");
|
||||
}
|
||||
break;
|
||||
|
||||
case SADB_X_SPDDUMP:
|
||||
pfkey_spdump(msg);
|
||||
if (msg->sadb_msg_seq == 0) break;
|
||||
msg = (struct sadb_msg *)((caddr_t)msg +
|
||||
PFKEY_UNUNIT64(msg->sadb_msg_len));
|
||||
if (f_verbose) {
|
||||
kdebug_sadb((struct sadb_msg *)msg);
|
||||
printf("\n");
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
return(0);
|
||||
}
|
||||
|
||||
/*------------------------------------------------------------*/
|
||||
static const char *satype[] = {
|
||||
NULL, NULL, "ah", "esp"
|
||||
};
|
||||
static const char *sastate[] = {
|
||||
"L", "M", "D", "d"
|
||||
};
|
||||
static const char *ipproto[] = {
|
||||
/*0*/ "ip", "icmp", "igmp", "ggp", "ip4",
|
||||
NULL, "tcp", NULL, "egp", NULL,
|
||||
/*10*/ NULL, NULL, NULL, NULL, NULL,
|
||||
NULL, NULL, "udp", NULL, NULL,
|
||||
/*20*/ NULL, NULL, "idp", NULL, NULL,
|
||||
NULL, NULL, NULL, NULL, "tp",
|
||||
/*30*/ NULL, NULL, NULL, NULL, NULL,
|
||||
NULL, NULL, NULL, NULL, NULL,
|
||||
/*40*/ NULL, "ip6", NULL, "rt6", "frag6",
|
||||
NULL, "rsvp", "gre", NULL, NULL,
|
||||
/*50*/ "esp", "ah", NULL, NULL, NULL,
|
||||
NULL, NULL, NULL, "icmp6", "none",
|
||||
/*60*/ "dst6",
|
||||
};
|
||||
|
||||
#define STR_OR_ID(x, tab) \
|
||||
(((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
|
||||
|
||||
const char *
|
||||
numstr(x)
|
||||
int x;
|
||||
{
|
||||
static char buf[20];
|
||||
snprintf(buf, sizeof(buf), "#%d", x);
|
||||
return buf;
|
||||
}
|
||||
|
||||
void
|
||||
shortdump_hdr()
|
||||
{
|
||||
printf("%-4s %-3s %-1s %-8s %-7s %s -> %s\n",
|
||||
"time", "p", "s", "spi", "ltime", "src", "dst");
|
||||
}
|
||||
|
||||
void
|
||||
shortdump(msg)
|
||||
struct sadb_msg *msg;
|
||||
{
|
||||
caddr_t mhp[SADB_EXT_MAX + 1];
|
||||
char buf[NI_MAXHOST], pbuf[NI_MAXSERV];
|
||||
struct sadb_sa *sa;
|
||||
struct sadb_address *saddr;
|
||||
struct sadb_lifetime *lts, *lth, *ltc;
|
||||
struct sockaddr *s;
|
||||
u_int t;
|
||||
time_t cur = time(0);
|
||||
|
||||
pfkey_align(msg, mhp);
|
||||
pfkey_check(mhp);
|
||||
|
||||
printf("%02lu%02lu", (u_long)(cur % 3600) / 60, (u_long)(cur % 60));
|
||||
|
||||
printf(" %-3s", STR_OR_ID(msg->sadb_msg_satype, satype));
|
||||
|
||||
if ((sa = (struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) {
|
||||
printf(" %-1s", STR_OR_ID(sa->sadb_sa_state, sastate));
|
||||
printf(" %08x", (u_int32_t)ntohl(sa->sadb_sa_spi));
|
||||
} else
|
||||
printf("%-1s %-8s", "?", "?");
|
||||
|
||||
lts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
|
||||
lth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
|
||||
ltc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
|
||||
if (lts && lth && ltc) {
|
||||
if (ltc->sadb_lifetime_addtime == 0)
|
||||
t = (u_long)0;
|
||||
else
|
||||
t = (u_long)(cur - ltc->sadb_lifetime_addtime);
|
||||
if (t >= 1000)
|
||||
strlcpy(buf, " big/", sizeof(buf));
|
||||
else
|
||||
snprintf(buf, sizeof(buf), " %3lu/", (u_long)t);
|
||||
printf("%s", buf);
|
||||
|
||||
t = (u_long)lth->sadb_lifetime_addtime;
|
||||
if (t >= 1000)
|
||||
strlcpy(buf, "big", sizeof(buf));
|
||||
else
|
||||
snprintf(buf, sizeof(buf), "%-3lu", (u_long)t);
|
||||
printf("%s", buf);
|
||||
} else
|
||||
printf(" ??\?/???"); /* backslash to avoid trigraph ??/ */
|
||||
|
||||
printf(" ");
|
||||
|
||||
if ((saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]) != NULL) {
|
||||
if (saddr->sadb_address_proto)
|
||||
printf("%s ", STR_OR_ID(saddr->sadb_address_proto, ipproto));
|
||||
s = (struct sockaddr *)(saddr + 1);
|
||||
getnameinfo(s, s->sa_len, buf, sizeof(buf),
|
||||
pbuf, sizeof(pbuf), NI_NUMERICHOST|NI_NUMERICSERV);
|
||||
if (strcmp(pbuf, "0") != 0)
|
||||
printf("%s[%s]", buf, pbuf);
|
||||
else
|
||||
printf("%s", buf);
|
||||
} else
|
||||
printf("?");
|
||||
|
||||
printf(" -> ");
|
||||
|
||||
if ((saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]) != NULL) {
|
||||
if (saddr->sadb_address_proto)
|
||||
printf("%s ", STR_OR_ID(saddr->sadb_address_proto, ipproto));
|
||||
|
||||
s = (struct sockaddr *)(saddr + 1);
|
||||
getnameinfo(s, s->sa_len, buf, sizeof(buf),
|
||||
pbuf, sizeof(pbuf), NI_NUMERICHOST|NI_NUMERICSERV);
|
||||
if (strcmp(pbuf, "0") != 0)
|
||||
printf("%s[%s]", buf, pbuf);
|
||||
else
|
||||
printf("%s", buf);
|
||||
} else
|
||||
printf("?");
|
||||
|
||||
printf("\n");
|
||||
}
|
||||
|
||||
/* From: tcpdump(1):gmt2local.c and util.c */
|
||||
/*
|
||||
* Print the timestamp
|
||||
*/
|
||||
static void
|
||||
printdate()
|
||||
{
|
||||
struct timeval tp;
|
||||
int s;
|
||||
|
||||
if (gettimeofday(&tp, NULL) == -1) {
|
||||
perror("gettimeofday");
|
||||
return;
|
||||
}
|
||||
|
||||
if (f_tflag == 1) {
|
||||
/* Default */
|
||||
s = (tp.tv_sec + thiszone ) % 86400;
|
||||
(void)printf("%02d:%02d:%02d.%06u ",
|
||||
s / 3600, (s % 3600) / 60, s % 60, (u_int32_t)tp.tv_usec);
|
||||
} else if (f_tflag > 1) {
|
||||
/* Unix timeval style */
|
||||
(void)printf("%u.%06u ",
|
||||
(u_int32_t)tp.tv_sec, (u_int32_t)tp.tv_usec);
|
||||
}
|
||||
|
||||
printf("\n");
|
||||
}
|
||||
|
||||
/*
|
||||
* Returns the difference between gmt and local time in seconds.
|
||||
* Use gmtime() and localtime() to keep things simple.
|
||||
*/
|
||||
int32_t
|
||||
gmt2local(time_t t)
|
||||
{
|
||||
register int dt, dir;
|
||||
register struct tm *gmt, *loc;
|
||||
struct tm sgmt;
|
||||
|
||||
if (t == 0)
|
||||
t = time(NULL);
|
||||
gmt = &sgmt;
|
||||
*gmt = *gmtime(&t);
|
||||
loc = localtime(&t);
|
||||
dt = (loc->tm_hour - gmt->tm_hour) * 60 * 60 +
|
||||
(loc->tm_min - gmt->tm_min) * 60;
|
||||
|
||||
/*
|
||||
* If the year or julian day is different, we span 00:00 GMT
|
||||
* and must add or subtract a day. Check the year first to
|
||||
* avoid problems when the julian day wraps.
|
||||
*/
|
||||
dir = loc->tm_year - gmt->tm_year;
|
||||
if (dir == 0)
|
||||
dir = loc->tm_yday - gmt->tm_yday;
|
||||
dt += dir * 24 * 60 * 60;
|
||||
|
||||
return (dt);
|
||||
}
|
@ -1,531 +0,0 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: test-pfkey.c,v 1.4 2000/06/07 00:29:14 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/socket.h>
|
||||
#include <net/route.h>
|
||||
#include <net/pfkeyv2.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netkey/keydb.h>
|
||||
#include <netkey/key_var.h>
|
||||
#include <netkey/key_debug.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <limits.h>
|
||||
#include <string.h>
|
||||
#include <ctype.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
|
||||
u_char m_buf[BUFSIZ];
|
||||
u_int m_len;
|
||||
char *pname;
|
||||
|
||||
void Usage __P((void));
|
||||
int sendkeymsg __P((void));
|
||||
void key_setsadbmsg __P((u_int));
|
||||
void key_setsadbsens __P((void));
|
||||
void key_setsadbprop __P((void));
|
||||
void key_setsadbid __P((u_int, caddr_t));
|
||||
void key_setsadblft __P((u_int, u_int));
|
||||
void key_setspirange __P((void));
|
||||
void key_setsadbkey __P((u_int, caddr_t));
|
||||
void key_setsadbsa __P((void));
|
||||
void key_setsadbaddr __P((u_int, u_int, caddr_t));
|
||||
void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
|
||||
|
||||
void
|
||||
Usage()
|
||||
{
|
||||
printf("Usage:\t%s number\n", pname);
|
||||
exit(0);
|
||||
}
|
||||
|
||||
int
|
||||
main(ac, av)
|
||||
int ac;
|
||||
char **av;
|
||||
{
|
||||
pname = *av;
|
||||
|
||||
if (ac == 1) Usage();
|
||||
|
||||
key_setsadbmsg(atoi(*(av+1)));
|
||||
sendkeymsg();
|
||||
|
||||
exit(0);
|
||||
}
|
||||
|
||||
/* %%% */
|
||||
int
|
||||
sendkeymsg()
|
||||
{
|
||||
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
|
||||
int so, len;
|
||||
|
||||
if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
|
||||
perror("socket(PF_KEY)");
|
||||
goto end;
|
||||
}
|
||||
#if 0
|
||||
{
|
||||
#include <sys/time.h>
|
||||
struct timeval tv;
|
||||
tv.tv_sec = 1;
|
||||
tv.tv_usec = 0;
|
||||
if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
|
||||
perror("setsockopt");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
pfkey_sadump((struct sadb_msg *)m_buf);
|
||||
|
||||
if ((len = send(so, m_buf, m_len, 0)) < 0) {
|
||||
perror("send");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if ((len = recv(so, rbuf, sizeof(rbuf), 0)) < 0) {
|
||||
perror("recv");
|
||||
goto end;
|
||||
}
|
||||
|
||||
pfkey_sadump((struct sadb_msg *)rbuf);
|
||||
|
||||
end:
|
||||
(void)close(so);
|
||||
return(0);
|
||||
}
|
||||
|
||||
void
|
||||
key_setsadbmsg(type)
|
||||
u_int type;
|
||||
{
|
||||
struct sadb_msg m_msg;
|
||||
|
||||
memset(&m_msg, 0, sizeof(m_msg));
|
||||
m_msg.sadb_msg_version = PF_KEY_V2;
|
||||
m_msg.sadb_msg_type = type;
|
||||
m_msg.sadb_msg_errno = 0;
|
||||
m_msg.sadb_msg_satype = SADB_SATYPE_ESP;
|
||||
#if 0
|
||||
m_msg.sadb_msg_reserved = 0;
|
||||
#endif
|
||||
m_msg.sadb_msg_seq = 0;
|
||||
m_msg.sadb_msg_pid = getpid();
|
||||
|
||||
m_len = sizeof(struct sadb_msg);
|
||||
memcpy(m_buf, &m_msg, m_len);
|
||||
|
||||
switch (type) {
|
||||
case SADB_GETSPI:
|
||||
/*<base, address(SD), SPI range>*/
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "10.0.3.4");
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "127.0.0.1");
|
||||
key_setspirange();
|
||||
/*<base, SA(*), address(SD)>*/
|
||||
break;
|
||||
|
||||
case SADB_ADD:
|
||||
/* <base, SA, (lifetime(HSC),) address(SD), (address(P),)
|
||||
key(AE), (identity(SD),) (sensitivity)> */
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_PROXY, AF_INET6, "3ffe::1");
|
||||
case SADB_UPDATE:
|
||||
key_setsadbsa();
|
||||
key_setsadblft(SADB_EXT_LIFETIME_HARD, 10);
|
||||
key_setsadblft(SADB_EXT_LIFETIME_SOFT, 5);
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
|
||||
/* XXX key_setsadbkey(SADB_EXT_KEY_AUTH, "abcde"); */
|
||||
key_setsadbkey(SADB_EXT_KEY_AUTH, "1234567812345678");
|
||||
key_setsadbkey(SADB_EXT_KEY_ENCRYPT, "12345678");
|
||||
key_setsadbid(SADB_EXT_IDENTITY_SRC, "hoge1234@hoge.com");
|
||||
key_setsadbid(SADB_EXT_IDENTITY_DST, "hage5678@hage.net");
|
||||
key_setsadbsens();
|
||||
/* <base, SA, (lifetime(HSC),) address(SD), (address(P),)
|
||||
(identity(SD),) (sensitivity)> */
|
||||
break;
|
||||
|
||||
case SADB_DELETE:
|
||||
/* <base, SA(*), address(SDP)> */
|
||||
key_setsadbsa();
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_PROXY, AF_INET6, "3ffe::1");
|
||||
/* <base, SA(*), address(SDP)> */
|
||||
break;
|
||||
|
||||
case SADB_GET:
|
||||
/* <base, SA(*), address(SDP)> */
|
||||
key_setsadbsa();
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_PROXY, AF_INET6, "3ffe::1");
|
||||
/* <base, SA, (lifetime(HSC),) address(SD), (address(P),)
|
||||
key(AE), (identity(SD),) (sensitivity)> */
|
||||
break;
|
||||
|
||||
case SADB_ACQUIRE:
|
||||
/* <base, address(SD), (address(P),) (identity(SD),)
|
||||
(sensitivity,) proposal> */
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_PROXY, AF_INET6, "3ffe::1");
|
||||
key_setsadbid(SADB_EXT_IDENTITY_SRC, "hoge1234@hoge.com");
|
||||
key_setsadbid(SADB_EXT_IDENTITY_DST, "hage5678@hage.net");
|
||||
key_setsadbsens();
|
||||
key_setsadbprop();
|
||||
/* <base, address(SD), (address(P),) (identity(SD),)
|
||||
(sensitivity,) proposal> */
|
||||
break;
|
||||
|
||||
case SADB_REGISTER:
|
||||
/* <base> */
|
||||
/* <base, supported> */
|
||||
break;
|
||||
|
||||
case SADB_EXPIRE:
|
||||
case SADB_FLUSH:
|
||||
break;
|
||||
|
||||
case SADB_DUMP:
|
||||
break;
|
||||
|
||||
case SADB_X_PROMISC:
|
||||
/* <base> */
|
||||
/* <base, base(, others)> */
|
||||
break;
|
||||
|
||||
case SADB_X_PCHANGE:
|
||||
break;
|
||||
|
||||
/* for SPD management */
|
||||
case SADB_X_SPDFLUSH:
|
||||
case SADB_X_SPDDUMP:
|
||||
break;
|
||||
|
||||
case SADB_X_SPDADD:
|
||||
#if 0
|
||||
{
|
||||
struct sadb_x_policy m_policy;
|
||||
|
||||
m_policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(m_policy));
|
||||
m_policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
|
||||
m_policy.sadb_x_policy_type = SADB_X_PL_IPSEC;
|
||||
m_policy.sadb_x_policy_esp_trans = 1;
|
||||
m_policy.sadb_x_policy_ah_trans = 2;
|
||||
m_policy.sadb_x_policy_esp_network = 3;
|
||||
m_policy.sadb_x_policy_ah_network = 4;
|
||||
m_policy.sadb_x_policy_reserved = 0;
|
||||
|
||||
memcpy(m_buf + m_len, &m_policy, sizeof(struct sadb_x_policy));
|
||||
m_len += sizeof(struct sadb_x_policy);
|
||||
}
|
||||
#endif
|
||||
|
||||
case SADB_X_SPDDELETE:
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
|
||||
break;
|
||||
}
|
||||
|
||||
((struct sadb_msg *)m_buf)->sadb_msg_len = PFKEY_UNIT64(m_len);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
key_setsadbsens()
|
||||
{
|
||||
struct sadb_sens m_sens;
|
||||
u_char buf[64];
|
||||
u_int s, i, slen, ilen, len;
|
||||
|
||||
/* make sens & integ */
|
||||
s = htonl(0x01234567);
|
||||
i = htonl(0x89abcdef);
|
||||
slen = sizeof(s);
|
||||
ilen = sizeof(i);
|
||||
memcpy(buf, &s, slen);
|
||||
memcpy(buf + slen, &i, ilen);
|
||||
|
||||
len = sizeof(m_sens) + PFKEY_ALIGN8(slen) + PFKEY_ALIGN8(ilen);
|
||||
m_sens.sadb_sens_len = PFKEY_UNIT64(len);
|
||||
m_sens.sadb_sens_exttype = SADB_EXT_SENSITIVITY;
|
||||
m_sens.sadb_sens_dpd = 1;
|
||||
m_sens.sadb_sens_sens_level = 2;
|
||||
m_sens.sadb_sens_sens_len = PFKEY_ALIGN8(slen);
|
||||
m_sens.sadb_sens_integ_level = 3;
|
||||
m_sens.sadb_sens_integ_len = PFKEY_ALIGN8(ilen);
|
||||
m_sens.sadb_sens_reserved = 0;
|
||||
|
||||
key_setsadbextbuf(m_buf, m_len,
|
||||
(caddr_t)&m_sens, sizeof(struct sadb_sens),
|
||||
buf, slen + ilen);
|
||||
m_len += len;
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
key_setsadbprop()
|
||||
{
|
||||
struct sadb_prop m_prop;
|
||||
struct sadb_comb *m_comb;
|
||||
u_char buf[256];
|
||||
u_int len = sizeof(m_prop) + sizeof(m_comb) * 2;
|
||||
|
||||
/* make prop & comb */
|
||||
m_prop.sadb_prop_len = PFKEY_UNIT64(len);
|
||||
m_prop.sadb_prop_exttype = SADB_EXT_PROPOSAL;
|
||||
m_prop.sadb_prop_replay = 0;
|
||||
m_prop.sadb_prop_reserved[0] = 0;
|
||||
m_prop.sadb_prop_reserved[1] = 0;
|
||||
m_prop.sadb_prop_reserved[2] = 0;
|
||||
|
||||
/* the 1st is ESP DES-CBC HMAC-MD5 */
|
||||
m_comb = (struct sadb_comb *)buf;
|
||||
m_comb->sadb_comb_auth = SADB_AALG_MD5HMAC;
|
||||
m_comb->sadb_comb_encrypt = SADB_EALG_DESCBC;
|
||||
m_comb->sadb_comb_flags = 0;
|
||||
m_comb->sadb_comb_auth_minbits = 8;
|
||||
m_comb->sadb_comb_auth_maxbits = 96;
|
||||
m_comb->sadb_comb_encrypt_minbits = 64;
|
||||
m_comb->sadb_comb_encrypt_maxbits = 64;
|
||||
m_comb->sadb_comb_reserved = 0;
|
||||
m_comb->sadb_comb_soft_allocations = 0;
|
||||
m_comb->sadb_comb_hard_allocations = 0;
|
||||
m_comb->sadb_comb_soft_bytes = 0;
|
||||
m_comb->sadb_comb_hard_bytes = 0;
|
||||
m_comb->sadb_comb_soft_addtime = 0;
|
||||
m_comb->sadb_comb_hard_addtime = 0;
|
||||
m_comb->sadb_comb_soft_usetime = 0;
|
||||
m_comb->sadb_comb_hard_usetime = 0;
|
||||
|
||||
/* the 2st is ESP 3DES-CBC and AH HMAC-SHA1 */
|
||||
m_comb = (struct sadb_comb *)(buf + sizeof(*m_comb));
|
||||
m_comb->sadb_comb_auth = SADB_AALG_SHA1HMAC;
|
||||
m_comb->sadb_comb_encrypt = SADB_EALG_3DESCBC;
|
||||
m_comb->sadb_comb_flags = 0;
|
||||
m_comb->sadb_comb_auth_minbits = 8;
|
||||
m_comb->sadb_comb_auth_maxbits = 96;
|
||||
m_comb->sadb_comb_encrypt_minbits = 64;
|
||||
m_comb->sadb_comb_encrypt_maxbits = 64;
|
||||
m_comb->sadb_comb_reserved = 0;
|
||||
m_comb->sadb_comb_soft_allocations = 0;
|
||||
m_comb->sadb_comb_hard_allocations = 0;
|
||||
m_comb->sadb_comb_soft_bytes = 0;
|
||||
m_comb->sadb_comb_hard_bytes = 0;
|
||||
m_comb->sadb_comb_soft_addtime = 0;
|
||||
m_comb->sadb_comb_hard_addtime = 0;
|
||||
m_comb->sadb_comb_soft_usetime = 0;
|
||||
m_comb->sadb_comb_hard_usetime = 0;
|
||||
|
||||
key_setsadbextbuf(m_buf, m_len,
|
||||
(caddr_t)&m_prop, sizeof(struct sadb_prop),
|
||||
buf, sizeof(*m_comb) * 2);
|
||||
m_len += len;
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
key_setsadbid(ext, str)
|
||||
u_int ext;
|
||||
caddr_t str;
|
||||
{
|
||||
struct sadb_ident m_id;
|
||||
u_int idlen = strlen(str), len;
|
||||
|
||||
len = sizeof(m_id) + PFKEY_ALIGN8(idlen);
|
||||
m_id.sadb_ident_len = PFKEY_UNIT64(len);
|
||||
m_id.sadb_ident_exttype = ext;
|
||||
m_id.sadb_ident_type = SADB_IDENTTYPE_USERFQDN;
|
||||
m_id.sadb_ident_reserved = 0;
|
||||
m_id.sadb_ident_id = getpid();
|
||||
|
||||
key_setsadbextbuf(m_buf, m_len,
|
||||
(caddr_t)&m_id, sizeof(struct sadb_ident),
|
||||
str, idlen);
|
||||
m_len += len;
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
key_setsadblft(ext, time)
|
||||
u_int ext, time;
|
||||
{
|
||||
struct sadb_lifetime m_lft;
|
||||
|
||||
m_lft.sadb_lifetime_len = PFKEY_UNIT64(sizeof(m_lft));
|
||||
m_lft.sadb_lifetime_exttype = ext;
|
||||
m_lft.sadb_lifetime_allocations = 0x2;
|
||||
m_lft.sadb_lifetime_bytes = 0x1000;
|
||||
m_lft.sadb_lifetime_addtime = time;
|
||||
m_lft.sadb_lifetime_usetime = 0x0020;
|
||||
|
||||
memcpy(m_buf + m_len, &m_lft, sizeof(struct sadb_lifetime));
|
||||
m_len += sizeof(struct sadb_lifetime);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
key_setspirange()
|
||||
{
|
||||
struct sadb_spirange m_spi;
|
||||
|
||||
m_spi.sadb_spirange_len = PFKEY_UNIT64(sizeof(m_spi));
|
||||
m_spi.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
|
||||
m_spi.sadb_spirange_min = 0x00001000;
|
||||
m_spi.sadb_spirange_max = 0x00002000;
|
||||
m_spi.sadb_spirange_reserved = 0;
|
||||
|
||||
memcpy(m_buf + m_len, &m_spi, sizeof(struct sadb_spirange));
|
||||
m_len += sizeof(struct sadb_spirange);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
key_setsadbkey(ext, str)
|
||||
u_int ext;
|
||||
caddr_t str;
|
||||
{
|
||||
struct sadb_key m_key;
|
||||
u_int keylen = strlen(str);
|
||||
u_int len;
|
||||
|
||||
len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
|
||||
m_key.sadb_key_len = PFKEY_UNIT64(len);
|
||||
m_key.sadb_key_exttype = ext;
|
||||
m_key.sadb_key_bits = keylen * 8;
|
||||
m_key.sadb_key_reserved = 0;
|
||||
|
||||
key_setsadbextbuf(m_buf, m_len,
|
||||
(caddr_t)&m_key, sizeof(struct sadb_key),
|
||||
str, keylen);
|
||||
m_len += len;
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
key_setsadbsa()
|
||||
{
|
||||
struct sadb_sa m_sa;
|
||||
|
||||
m_sa.sadb_sa_len = PFKEY_UNIT64(sizeof(struct sadb_sa));
|
||||
m_sa.sadb_sa_exttype = SADB_EXT_SA;
|
||||
m_sa.sadb_sa_spi = htonl(0x12345678);
|
||||
m_sa.sadb_sa_replay = 4;
|
||||
m_sa.sadb_sa_state = 0;
|
||||
m_sa.sadb_sa_auth = SADB_AALG_MD5HMAC;
|
||||
m_sa.sadb_sa_encrypt = SADB_EALG_DESCBC;
|
||||
m_sa.sadb_sa_flags = 0;
|
||||
|
||||
memcpy(m_buf + m_len, &m_sa, sizeof(struct sadb_sa));
|
||||
m_len += sizeof(struct sadb_sa);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
key_setsadbaddr(ext, af, str)
|
||||
u_int ext, af;
|
||||
caddr_t str;
|
||||
{
|
||||
struct sadb_address m_addr;
|
||||
u_int len;
|
||||
struct addrinfo hints, *res;
|
||||
const char *serv;
|
||||
int plen;
|
||||
|
||||
switch (af) {
|
||||
case AF_INET:
|
||||
plen = sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
case AF_INET6:
|
||||
plen = sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
default:
|
||||
/* XXX bark */
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* make sockaddr buffer */
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = af;
|
||||
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
|
||||
hints.ai_flags = AI_NUMERICHOST;
|
||||
serv = (ext == SADB_EXT_ADDRESS_PROXY ? "0" : "4660"); /*0x1234*/
|
||||
if (getaddrinfo(str, serv, &hints, &res) != 0 || res->ai_next) {
|
||||
/* XXX bark */
|
||||
exit(1);
|
||||
}
|
||||
|
||||
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(res->ai_addrlen);
|
||||
m_addr.sadb_address_len = PFKEY_UNIT64(len);
|
||||
m_addr.sadb_address_exttype = ext;
|
||||
m_addr.sadb_address_proto =
|
||||
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : IPPROTO_TCP);
|
||||
m_addr.sadb_address_prefixlen = plen;
|
||||
m_addr.sadb_address_reserved = 0;
|
||||
|
||||
key_setsadbextbuf(m_buf, m_len,
|
||||
(caddr_t)&m_addr, sizeof(struct sadb_address),
|
||||
(caddr_t)res->ai_addr, res->ai_addrlen);
|
||||
m_len += len;
|
||||
|
||||
freeaddrinfo(res);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
key_setsadbextbuf(dst, off, ebuf, elen, vbuf, vlen)
|
||||
caddr_t dst, ebuf, vbuf;
|
||||
int off, elen, vlen;
|
||||
{
|
||||
memset(dst + off, 0, elen + vlen);
|
||||
memcpy(dst + off, (caddr_t)ebuf, elen);
|
||||
memcpy(dst + off + elen, vbuf, vlen);
|
||||
|
||||
return;
|
||||
}
|
||||
|
@ -1,161 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet6/in6.h>
|
||||
#include <netkey/keyv2.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <netinet6/ipsec.h>
|
||||
|
||||
char *requests[] = {
|
||||
"must_error", /* must be error */
|
||||
"ipsec must_error", /* must be error */
|
||||
"ipsec esp/must_error", /* must be error */
|
||||
"discard",
|
||||
"none",
|
||||
"entrust",
|
||||
"bypass", /* may be error */
|
||||
"ipsec esp", /* must be error */
|
||||
"ipsec ah/require",
|
||||
"ipsec ah/use/",
|
||||
"ipsec esp/require ah/default/203.178.141.194",
|
||||
"ipsec ah/use/203.178.141.195 esp/use/203.178.141.194",
|
||||
"ipsec esp/elf.wide.ydc.co.jp esp/www.wide.ydc.co.jp"
|
||||
"
|
||||
ipsec esp/require ah/use esp/require/10.0.0.1
|
||||
ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
|
||||
ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
|
||||
ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
|
||||
ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
|
||||
ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
|
||||
ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
|
||||
ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1
|
||||
ah/use/3ffe:501:481d::1 ah/use/3ffe:501:481d::1ah/use/3ffe:501:481d::1
|
||||
",
|
||||
};
|
||||
|
||||
u_char *p_secpolicy;
|
||||
|
||||
int test(char *buf, int family);
|
||||
char *setpolicy(char *req);
|
||||
|
||||
main()
|
||||
{
|
||||
int i;
|
||||
char *buf;
|
||||
|
||||
for (i = 0; i < sizeof(requests)/sizeof(requests[0]); i++) {
|
||||
printf("* requests:[%s]\n", requests[i]);
|
||||
if ((buf = setpolicy(requests[i])) == NULL)
|
||||
continue;
|
||||
printf("\tsetlen:%d\n", PFKEY_EXTLEN(buf));
|
||||
|
||||
printf("\tPF_INET:\n");
|
||||
test(buf, PF_INET);
|
||||
|
||||
printf("\tPF_INET6:\n");
|
||||
test(buf, PF_INET6);
|
||||
free(buf);
|
||||
}
|
||||
}
|
||||
|
||||
int test(char *policy, int family)
|
||||
{
|
||||
int so, proto, optname;
|
||||
int len;
|
||||
char getbuf[1024];
|
||||
|
||||
switch (family) {
|
||||
case PF_INET:
|
||||
proto = IPPROTO_IP;
|
||||
optname = IP_IPSEC_POLICY;
|
||||
break;
|
||||
case PF_INET6:
|
||||
proto = IPPROTO_IPV6;
|
||||
optname = IPV6_IPSEC_POLICY;
|
||||
break;
|
||||
}
|
||||
|
||||
if ((so = socket(family, SOCK_DGRAM, 0)) < 0)
|
||||
perror("socket");
|
||||
|
||||
if (setsockopt(so, proto, optname, policy, PFKEY_EXTLEN(policy)) < 0)
|
||||
perror("setsockopt");
|
||||
|
||||
len = sizeof(getbuf);
|
||||
memset(getbuf, 0, sizeof(getbuf));
|
||||
if (getsockopt(so, proto, optname, getbuf, &len) < 0)
|
||||
perror("getsockopt");
|
||||
|
||||
{
|
||||
char *buf = NULL;
|
||||
|
||||
printf("\tgetlen:%d\n", len);
|
||||
|
||||
if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL)
|
||||
ipsec_strerror();
|
||||
else
|
||||
printf("\t[%s]\n", buf);
|
||||
|
||||
free(buf);
|
||||
}
|
||||
|
||||
close (so);
|
||||
}
|
||||
|
||||
char *setpolicy(char *req)
|
||||
{
|
||||
int len;
|
||||
char *buf;
|
||||
|
||||
if ((len = ipsec_get_policylen(req)) < 0) {
|
||||
printf("ipsec_get_policylen: %s\n", ipsec_strerror());
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if ((buf = malloc(len)) == NULL) {
|
||||
perror("malloc");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if ((len = ipsec_set_policy(buf, len, req)) < 0) {
|
||||
printf("ipsec_set_policy: %s\n", ipsec_strerror());
|
||||
free(buf);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return buf;
|
||||
}
|
@ -1,286 +0,0 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: token.l,v 1.43 2003/07/25 09:35:28 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
%{
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/socket.h>
|
||||
#include <net/route.h>
|
||||
#include <net/pfkeyv2.h>
|
||||
#include <netkey/keydb.h>
|
||||
#include <netkey/key_debug.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet6/ipsec.h>
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <limits.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
|
||||
#include "vchar.h"
|
||||
#include "y.tab.h"
|
||||
|
||||
int lineno = 1;
|
||||
|
||||
extern u_char m_buf[BUFSIZ];
|
||||
extern u_int m_len;
|
||||
extern int f_debug;
|
||||
|
||||
int yylex __P((void));
|
||||
void yyfatal __P((const char *s));
|
||||
void yyerror __P((const char *s));
|
||||
extern void parse_init __P((void));
|
||||
int parse __P((FILE **));
|
||||
int yyparse __P((void));
|
||||
%}
|
||||
|
||||
/* common section */
|
||||
nl \n
|
||||
ws [ \t]+
|
||||
digit [0-9]
|
||||
letter [0-9A-Za-z]
|
||||
hexdigit [0-9A-Fa-f]
|
||||
dot \.
|
||||
hyphen \-
|
||||
slash \/
|
||||
blcl \[
|
||||
elcl \]
|
||||
semi \;
|
||||
comment \#.*
|
||||
quotedstring \"[^"]*\"
|
||||
decstring {digit}+
|
||||
hexstring 0[xX]{hexdigit}+
|
||||
ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
|
||||
ipaddrmask {slash}{digit}{1,3}
|
||||
name {letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))*
|
||||
hostname {name}(({dot}{name})+{dot}?)?
|
||||
|
||||
%s S_PL S_AUTHALG S_ENCALG
|
||||
|
||||
%%
|
||||
|
||||
add { return(ADD); }
|
||||
delete { return(DELETE); }
|
||||
deleteall { return(DELETEALL); }
|
||||
get { return(GET); }
|
||||
flush { return(FLUSH); }
|
||||
dump { return(DUMP); }
|
||||
|
||||
/* for management SPD */
|
||||
spdadd { return(SPDADD); }
|
||||
spddelete { return(SPDDELETE); }
|
||||
spddump { return(SPDDUMP); }
|
||||
spdflush { return(SPDFLUSH); }
|
||||
tagged { return(TAGGED); }
|
||||
{hyphen}P { BEGIN S_PL; return(F_POLICY); }
|
||||
<S_PL>[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.%\-_/ \n\t]* {
|
||||
yymore();
|
||||
|
||||
/* count up for nl */
|
||||
{
|
||||
char *p;
|
||||
for (p = yytext; *p != '\0'; p++)
|
||||
if (*p == '\n')
|
||||
lineno++;
|
||||
}
|
||||
|
||||
yylval.val.len = strlen(yytext);
|
||||
yylval.val.buf = strdup(yytext);
|
||||
if (!yylval.val.buf)
|
||||
yyfatal("insufficient memory");
|
||||
|
||||
return(PL_REQUESTS);
|
||||
}
|
||||
<S_PL>{semi} { BEGIN INITIAL; return(EOT); }
|
||||
|
||||
/* address resolution flags */
|
||||
{hyphen}[n46][n46]* {
|
||||
yylval.val.len = strlen(yytext);
|
||||
yylval.val.buf = strdup(yytext);
|
||||
if (!yylval.val.buf)
|
||||
yyfatal("insufficient memory");
|
||||
return(F_AIFLAGS);
|
||||
}
|
||||
|
||||
/* security protocols */
|
||||
ah { yylval.num = 0; return(PR_AH); }
|
||||
esp { yylval.num = 0; return(PR_ESP); }
|
||||
ah-old { yylval.num = 1; return(PR_AH); }
|
||||
esp-old { yylval.num = 1; return(PR_ESP); }
|
||||
ipcomp { yylval.num = 0; return(PR_IPCOMP); }
|
||||
tcp { yylval.num = 0; return(PR_TCP); }
|
||||
|
||||
/* authentication alogorithm */
|
||||
{hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); }
|
||||
<S_AUTHALG>hmac-md5 { yylval.num = SADB_AALG_MD5HMAC; BEGIN INITIAL; return(ALG_AUTH); }
|
||||
<S_AUTHALG>hmac-sha1 { yylval.num = SADB_AALG_SHA1HMAC; BEGIN INITIAL; return(ALG_AUTH); }
|
||||
<S_AUTHALG>keyed-md5 { yylval.num = SADB_X_AALG_MD5; BEGIN INITIAL; return(ALG_AUTH); }
|
||||
<S_AUTHALG>keyed-sha1 { yylval.num = SADB_X_AALG_SHA; BEGIN INITIAL; return(ALG_AUTH); }
|
||||
<S_AUTHALG>hmac-sha2-256 { yylval.num = SADB_X_AALG_SHA2_256; BEGIN INITIAL; return(ALG_AUTH); }
|
||||
<S_AUTHALG>hmac-sha2-384 { yylval.num = SADB_X_AALG_SHA2_384; BEGIN INITIAL; return(ALG_AUTH); }
|
||||
<S_AUTHALG>hmac-sha2-512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
|
||||
<S_AUTHALG>hmac-ripemd160 { yylval.num = SADB_X_AALG_RIPEMD160HMAC; BEGIN INITIAL; return(ALG_AUTH); }
|
||||
<S_AUTHALG>aes-xcbc-mac { yylval.num = SADB_X_AALG_AES_XCBC_MAC; BEGIN INITIAL; return(ALG_AUTH); }
|
||||
<S_AUTHALG>tcp-md5 { yylval.num = SADB_X_AALG_TCP_MD5; BEGIN INITIAL; return(ALG_AUTH); }
|
||||
<S_AUTHALG>null { yylval.num = SADB_X_AALG_NULL; BEGIN INITIAL; return(ALG_AUTH_NOKEY); }
|
||||
|
||||
/* encryption alogorithm */
|
||||
{hyphen}E { BEGIN S_ENCALG; return(F_ENC); }
|
||||
<S_ENCALG>des-cbc { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||
<S_ENCALG>3des-cbc { yylval.num = SADB_EALG_3DESCBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||
<S_ENCALG>null { yylval.num = SADB_EALG_NULL; BEGIN INITIAL; return(ALG_ENC_NOKEY); }
|
||||
<S_ENCALG>simple { yylval.num = SADB_EALG_NULL; BEGIN INITIAL; return(ALG_ENC_OLD); }
|
||||
<S_ENCALG>blowfish-cbc { yylval.num = SADB_X_EALG_BLOWFISHCBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||
<S_ENCALG>cast128-cbc { yylval.num = SADB_X_EALG_CAST128CBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||
<S_ENCALG>des-deriv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DESDERIV); }
|
||||
<S_ENCALG>des-32iv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DES32IV); }
|
||||
<S_ENCALG>rijndael-cbc { yylval.num = SADB_X_EALG_RIJNDAELCBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||
<S_ENCALG>aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC); }
|
||||
|
||||
/* compression algorithms */
|
||||
{hyphen}C { return(F_COMP); }
|
||||
oui { yylval.num = SADB_X_CALG_OUI; return(ALG_COMP); }
|
||||
deflate { yylval.num = SADB_X_CALG_DEFLATE; return(ALG_COMP); }
|
||||
lzs { yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
|
||||
{hyphen}R { return(F_RAWCPI); }
|
||||
|
||||
/* extension */
|
||||
{hyphen}m { return(F_MODE); }
|
||||
transport { yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
|
||||
tunnel { yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
|
||||
{hyphen}u { return(F_REQID); }
|
||||
{hyphen}f { return(F_EXT); }
|
||||
random-pad { yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
|
||||
seq-pad { yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
|
||||
zero-pad { yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
|
||||
nocyclic-seq { return(NOCYCLICSEQ); }
|
||||
{hyphen}r { return(F_REPLAY); }
|
||||
{hyphen}lh { return(F_LIFETIME_HARD); }
|
||||
{hyphen}ls { return(F_LIFETIME_SOFT); }
|
||||
|
||||
/* ... */
|
||||
any { return(ANY); }
|
||||
{ws} { }
|
||||
{nl} { lineno++; }
|
||||
{comment}
|
||||
{semi} { return(EOT); }
|
||||
|
||||
/* for address parameters: /prefix, [port] */
|
||||
{slash} { return SLASH; }
|
||||
{blcl} { return BLCL; }
|
||||
{elcl} { return ELCL; }
|
||||
|
||||
/* parameter */
|
||||
{decstring} {
|
||||
char *bp;
|
||||
|
||||
yylval.ulnum = strtoul(yytext, &bp, 10);
|
||||
return(DECSTRING);
|
||||
}
|
||||
|
||||
{hexstring} {
|
||||
yylval.val.buf = strdup(yytext + 2);
|
||||
if (!yylval.val.buf)
|
||||
yyfatal("insufficient memory");
|
||||
yylval.val.len = strlen(yylval.val.buf);
|
||||
|
||||
return(HEXSTRING);
|
||||
}
|
||||
|
||||
{quotedstring} {
|
||||
char *p = yytext;
|
||||
while (*++p != '"') ;
|
||||
*p = '\0';
|
||||
yytext++;
|
||||
yylval.val.len = yyleng - 2;
|
||||
yylval.val.buf = strdup(yytext);
|
||||
if (!yylval.val.buf)
|
||||
yyfatal("insufficient memory");
|
||||
|
||||
return(QUOTEDSTRING);
|
||||
}
|
||||
|
||||
[A-Za-z0-9:][A-Za-z0-9:%\.-]* {
|
||||
yylval.val.len = yyleng;
|
||||
yylval.val.buf = strdup(yytext);
|
||||
if (!yylval.val.buf)
|
||||
yyfatal("insufficient memory");
|
||||
return(STRING);
|
||||
}
|
||||
|
||||
[0-9,]+ {
|
||||
yylval.val.len = yyleng;
|
||||
yylval.val.buf = strdup(yytext);
|
||||
if (!yylval.val.buf)
|
||||
yyfatal("insufficient memory");
|
||||
return(STRING);
|
||||
}
|
||||
|
||||
. {
|
||||
yyfatal("Syntax error");
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
|
||||
%%
|
||||
|
||||
void
|
||||
yyfatal(s)
|
||||
const char *s;
|
||||
{
|
||||
yyerror(s);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
void
|
||||
yyerror(s)
|
||||
const char *s;
|
||||
{
|
||||
printf("line %d: %s at [%s]\n", lineno, s, yytext);
|
||||
}
|
||||
|
||||
int
|
||||
parse(fp)
|
||||
FILE **fp;
|
||||
{
|
||||
yyin = *fp;
|
||||
|
||||
parse_init();
|
||||
|
||||
if (yyparse()) {
|
||||
printf("parse failed, line %d.\n", lineno);
|
||||
return(-1);
|
||||
}
|
||||
|
||||
return(0);
|
||||
}
|
@ -1,36 +0,0 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: vchar.h,v 1.2 2000/06/07 00:29:14 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
typedef struct {
|
||||
u_int len;
|
||||
caddr_t buf;
|
||||
} vchar_t;
|