
- do hexdump on send. set length field properly

- check for encryption/authentication key together with algorithm.
- warn if a deprecated encryption algorithm (that includes "simple")
  is specified.
- changed the syntax how to define a policy of a ICMPv6 type and/or a
  code, like spdadd ::/0 ::/0 icmp6 134,0 -P out none;
- random cleanup in parser.
- use yyfatal, or return -1 after yyerror.
- deal with strdup() failure.
- permit scope notation in policy string (-P
  esp/tunnel/foo%scope-bar%scope/use)
- simplify /prefix and [port].
- g/c some unused symbols.

Obtained from:	KAME
This commit is contained in:
Hajimu UMEMOTO 2003-11-05 09:47:54 +00:00
parent bd9f52d566
commit cf43a05493
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=122108
12 changed files with 2482 additions and 1882 deletions


@ -39,7 +39,7 @@ LDADD= -ll -ly
CLEANFILES= y.tab.c y.tab.h key_test.o keytest
# libpfkey.
# libpfkey
# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c



@ -45,9 +45,9 @@
#
# At Host-A and Host-B,
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
esp/transport/fec0::10-fec0::11/use ;
esp/transport//use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
esp/transport/fec0::11-fec0::10/use ;
esp/transport//use ;
add fec0::10 fec0::11 esp 0x10001
-m transport
-E blowfish-cbc "kamekame"
@ -112,10 +112,10 @@ add 172.16.0.2 172.16.0.1 ah-old 0x10004
# At Gateway-A:
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
ah/transport//require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
ah/transport//require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
-m tunnel
-E 3des-cbc "kamekame12341234kame1234"
@ -146,10 +146,10 @@ add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
#
# At Host-A:
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
esp/transport//use
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use
esp/transport//use
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
-m transport
@ -166,10 +166,10 @@ add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
# By "get" command, you can get an entry of either SP or SA.
# By "get" command, you can get a entry of either SP or SA.
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
# Also delete command, you can delete an entry of either SP or SA.
# Also delete command, you can delete a entry of either SP or SA.
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
@ -188,24 +188,24 @@ dump esp ;
flush ah ;
# XXX
add ::1 ::1 esp 10001 -m transport -E simple ;
add ::1 ::1 esp 10001 -m transport -E null ;
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
add ::1 ::1 esp 10004 -m transport -E simple -A null ;
add ::1 ::1 esp 10005 -m transport -E simple -A hmac-md5 "1234123412341234" ;
add ::1 ::1 esp 10006 -m tunnel -E simple -A hmac-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10007 -m transport -E simple -A keyed-md5 "1234123412341234" ;
add ::1 ::1 esp 10008 -m any -E simple -A keyed-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10004 -m transport -E null -A null ;
add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E simple ;
add ::1 ::1 esp 10018 -m transport -E simple ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
add ::1 ::1 esp 10018 -m transport -E null ;
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";


@ -1,4 +1,4 @@
.\" $KAME: setkey.8,v 1.49 2001/05/18 05:49:51 sakane Exp $
.\" $KAME: setkey.8,v 1.89 2003/09/07 22:17:41 itojun Exp $
.\" $FreeBSD$
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -34,20 +34,20 @@
.\"
.Sh NAME
.Nm setkey
.Nd "manually manipulate the IPsec SA/SP database"
.Nd manually manipulate the IPsec SA/SP database
.\"
.Sh SYNOPSIS
.Nm
.Op Fl dv
.Op Fl v
.Fl c
.Nm
.Op Fl dv
.Op Fl v
.Fl f Ar filename
.Nm
.Op Fl adPlv
.Op Fl aPlv
.Fl D
.Nm
.Op Fl dPv
.Op Fl Pv
.Fl F
.Nm
.Op Fl h
@ -56,19 +56,23 @@
.Sh DESCRIPTION
The
.Nm
utility adds, updates, dumps, or flushes
command adds, updates, dumps, or flushes
Security Association Database (SAD) entries
as well as Security Policy Database (SPD) entries in the kernel.
.Pp
The
.Nm
utility takes a series of operations from the standard input
(if invoked with
.Fl c )
command takes a series of operations from the standard input
.Po
if invoked with
.Fl c
.Pc
or the file named
.Ar filename
(if invoked with
.Fl f Ar filename ) .
.Po
if invoked with
.Fl f Ar filename
.Pc .
.Bl -tag -width Ds
.It Fl D
Dump the SAD entries.
@ -81,24 +85,15 @@ If with
.Fl P ,
the SPD entries are flushed.
.It Fl a
Dead SAD entries are usually not displayed with
.Nm
usually does not display dead SAD entries with
.Fl D .
If with
.Fl a ,
the dead SAD entries will be displayed as well.
A dead SAD entry means that
it has been expired but remains
because it is referenced by SPD entries.
.It Fl d
Enable to print debugging messages for command parser,
without talking to kernel.
It is not used usually.
.It Fl x
Loop forever and dump all the messages transmitted to
.Dv PF_KEY
socket.
.Fl xx
makes each timestamps unformatted.
it has been expired but remains in the system
because it is referenced by some SPD entries.
.It Fl h
Add hexadecimal dump on
.Fl x
@ -111,23 +106,39 @@ Be verbose.
The program will dump messages exchanged on
.Dv PF_KEY
socket, including messages sent from other processes to the kernel.
.It Fl x
Loop forever and dump all the messages transmitted to
.Dv PF_KEY
socket.
.Fl xx
makes each timestamps unformatted.
.El
.Pp
Operations have the following grammar.
Note that lines starting with
hashmarks ('#') are treated as comment lines.
.Ss Configuration syntax
With
.Fl c
or
.Fl f
on the command line,
.Nm
accepts the following configuration syntax.
Lines starting with hash signs ('#') are treated as comment lines.
.Bl -tag -width Ds
.It Xo
.Li add
.Op Fl 46n
.Ar src Ar dst Ar protocol Ar spi
.Op Ar extensions
.Ar algorithm...
.Ar algorithm ...
.Li ;
.Xc
Add an SAD entry.
.Li add
can fail with multiple reasons,
including when the key length does not match the specified algorithm.
.\"
.It Xo
.Li get
.Op Fl 46n
.Ar src Ar dst Ar protocol Ar spi
.Li ;
.Xc
@ -135,6 +146,7 @@ Show an SAD entry.
.\"
.It Xo
.Li delete
.Op Fl 46n
.Ar src Ar dst Ar protocol Ar spi
.Li ;
.Xc
@ -142,6 +154,7 @@ Remove an SAD entry.
.\"
.It Xo
.Li deleteall
.Op Fl 46n
.Ar src Ar dst Ar protocol
.Li ;
.Xc
@ -153,6 +166,8 @@ Remove all SAD entries that match the specification.
.Li ;
.Xc
Clear all SAD entries matched by the options.
.Fl F
on the command line achieves the same functionality.
.\"
.It Xo
.Li dump
@ -160,9 +175,12 @@ Clear all SAD entries matched by the options.
.Li ;
.Xc
Dumps all SAD entries matched by the options.
.Fl D
on the command line achieves the same functionality.
.\"
.It Xo
.Li spdadd
.Op Fl 46n
.Ar src_range Ar dst_range Ar upperspec Ar policy
.Li ;
.Xc
@ -170,6 +188,7 @@ Add an SPD entry.
.\"
.It Xo
.Li spddelete
.Op Fl 46n
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
.Li ;
.Xc
@ -180,12 +199,16 @@ Delete an SPD entry.
.Li ;
.Xc
Clear all SPD entries.
.Fl FP
on the command line achieves the same functionality.
.\"
.It Xo
.Li spddump
.Li ;
.Xc
Dumps all SPD entries.
.Fl DP
on the command line achieves the same functionality.
.El
.\"
.Pp
@ -196,13 +219,23 @@ Meta-arguments are as follows:
.It Ar dst
Source/destination of the secure communication is specified as
IPv4/v6 address.
The
.Nm
utility does not consult hostname-to-address for arguments
.Ar src
can resolve a FQDN into numeric addresses.
If the FQDN resolves into multiple addresses,
.Nm
will install multiple SAD/SPD entries into the kernel
by trying all possible combinations.
.Fl 4 ,
.Fl 6
and
.Ar dst .
They must be in numeric form.
.Fl n
restricts the address resolution of FQDN in certain ways.
.Fl 4
and
.Fl 6
restrict results into IPv4/v6 addresses only, respectively.
.Fl n
avoids FQDN resolution and requires addresses to be numeric addresses.
.\"
.Pp
.It Ar protocol
@ -210,7 +243,7 @@ They must be in numeric form.
is one of following:
.Bl -tag -width Fl -compact
.It Li esp
ESP based on rfc2405
ESP based on rfc2406
.It Li esp-old
ESP based on rfc1827
.It Li ah
@ -218,21 +251,24 @@ AH based on rfc2402
.It Li ah-old
AH based on rfc1826
.It Li ipcomp
IPCOMP
IPComp
.El
.\"
.Pp
.It Ar spi
Security Parameter Index (SPI) for the SAD and the SPD.
It must be decimal number or hexadecimal number
You cannot use the set of SPI values in the range 0 through 255.
(with
.Li 0x
attached).
Security Parameter Index
.Pq SPI
for the SAD and the SPD.
.Ar spi
must be a decimal number, or a hexadecimal number with
.Dq Li 0x
prefix.
SPI values between 0 and 255 are reserved for future use by IANA
and they cannot be used.
.\"
.Pp
.It Ar extensions
takes some of the following:
take some of the following:
.Bl -tag -width Fl -compact
.\"
.It Fl m Ar mode
@ -283,62 +319,41 @@ Specify hard/soft life time duration of the SA.
.It Ar algorithm
.Bl -tag -width Fl -compact
.It Fl E Ar ealgo Ar key
Specify an encryption algorithm.
Specify an encryption algorithm
.Ar ealgo
for ESP.
.It Xo
.Fl E Ar ealgo Ar key
.Fl A Ar aalgo Ar key
.Xc
Specify a encryption algorithm
.Ar ealgo ,
as well as a payload authentication algorithm
.Ar aalgo ,
for ESP.
.It Fl A Ar aalgo Ar key
Specify an authentication algorithm.
If
.Fl A
is used with
.Ar protocol Li esp ,
it will be treated as ESP payload authentication algorithm.
Specify an authentication algorithm for AH.
.It Fl C Ar calgo Op Fl R
Specify compression algorithm.
Specify a compression algorithm for IPComp.
If
.Fl R
is not specified with
.Li ipcomp
line, the kernel will use well-known IPComp CPI
(compression parameter index)
on IPComp CPI field on packets, and
is specified,
.Ar spi
field will be ignored.
.Ar spi
field is only for kernel internal use in this case.
.\"Therefore, compression protocol number will appear on IPComp CPI field.
field value will be used as the IPComp CPI
.Pq compression parameter index
on wire as is.
If
.Fl R
is used,
the value on
is not specified,
the kernel will use well-known CPI on wire, and
.Ar spi
field will appear on IPComp CPI field on outgoing packets.
.Ar spi
field needs to be smaller than
.Li 0x10000
in this case.
field will be used only as an index for kernel internal usage.
.El
.Pp
.Ar protocol Li esp
accepts
.Fl E
and
.Fl A .
.Ar protocol Li esp-old
accepts
.Fl E
only.
.Ar protocol Li ah
and
.Li ah-old
accept
.Fl A
only.
.Ar protocol Li ipcomp
accepts
.Fl C
only.
.Pp
.Ar key
must be double-quoted character string or series of hexadecimal digits.
must be double-quoted character string, or a series of hexadecimal digits
preceded by
.Dq Li 0x .
.Pp
Possible values for
.Ar ealgo ,
@ -369,14 +384,11 @@ The square bracket around
.Ar port
is really necessary.
They are not manpage metacharacters.
.Pp
The
.Nm
utility does not consult hostname-to-address for arguments
For FQDN resolution, the rules applicable to
.Ar src
and
.Ar dst .
They must be in numeric form.
.Ar dst
apply here as well.
.\"
.Pp
.It Ar upperspec
@ -395,34 +407,38 @@ can be specified.
stands for
.Dq any protocol .
Also you can use the protocol number.
You can specify a type and/or a code of ICMPv6 when
Upper-layer protocol is ICMPv6.
the specification can be placed after
.Li icmp6 .
A type is separated with a code by single comma.
A code must be specified anytime.
When a zero is specified, the kernel deals with it as a wildcard.
Note that the kernel can not distinguish a wildcard from that a type
of ICMPv6 is zero.
For example, the following means the policy doesn't require IPsec
for any inbound Neighbor Solicitation.
.Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ;
.Pp
NOTE:
.Ar upperspec
does not work against forwarding case at this moment,
as it requires extra reassembly at forwarding node
(not implemented at this moment).
.Pq not implemented at this moment .
We have many protocols in
.Pa /etc/protocols ,
but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec.
You have to consider and be careful to use them.
.Li icmp
.Li tcp
.Li udp
all protocols
.\"
.Pp
.It Ar policy
.Ar policy
is the one of following:
.Bd -literal -offset
.Xo
.Fl P Ar direction Li discard
.Xc
.Xo
.Fl P Ar direction Li none
.Xc
.Xo
.Fl P Ar direction Li ipsec Ar protocol/mode/src-dst/level
is the one of the following three formats:
.Bd -literal -offset indent
.It Fl P Ar direction Li discard
.It Fl P Ar direction Li none
.It Xo Fl P Ar direction Li ipsec
.Ar protocol/mode/src-dst/level Op ...
.Xc
.Ed
.Pp
@ -439,6 +455,9 @@ means the packet matching indexes will be discarded.
means that IPsec operation will not take place onto the packet.
.Li ipsec
means that IPsec operation will take place onto the packet.
The part of
.Ar protocol/mode/src-dst/level
specifies the rule how to process the packet.
Either
.Li ah ,
.Li esp
@ -480,7 +499,7 @@ If the SA is not available in every level, the kernel will request
getting SA to the key exchange daemon.
.Li default
means the kernel consults to the system wide default against protocol you
specified, e.g.\&
specified, e.g.
.Li esp_trans_deflev
sysctl variable, when the kernel processes the packet.
.Li use
@ -492,17 +511,29 @@ with the policy.
.Li unique
is the same to require.
In addition, it allows the policy to bind with the unique out-bound SA.
If you use the SA by manual keying,
You just specify the policy level
.Li unique ,
.Xr racoon 8
will configure the SA for the policy.
If you configure the SA by manual keying for that policy,
you can put the decimal number as the policy identifier after
.Li unique
separated by colon
.Sq \:
.Sq \&:
like the following;
.Li unique:number .
in order to bind this policy to the SA.
.Li number
must be between 1 and 32767.
It corresponds to
.Ar extensions Fl u .
.Ar extensions Fl u
of the manual SA configuration.
When you want to use SA bundle, you can define multiple rules.
For example, if an IP header was followed by AH header followed by ESP header
followed by an upper layer protocol header, the rule
would be:
.Dl esp/transport//require ah/transport//require ;
The rule order is very important.
.Pp
Note that
.Dq Li discard
@ -543,7 +574,8 @@ keyed-md5 128 ah: 96bit ICV (no document)
keyed-sha1 160 ah: 96bit ICV (no document)
160 ah-old: 128bit ICV (no document)
null 0 to 2048 for debugging
hmac-sha2-256 256 ah: 96bit ICV (no document)
hmac-sha2-256 256 ah: 96bit ICV
(draft-ietf-ipsec-ciph-sha-256-00)
256 ah-old: 128bit ICV (no document)
hmac-sha2-384 384 ah: 96bit ICV (no document)
384 ah-old: 128bit ICV (no document)
@ -551,8 +583,8 @@ hmac-sha2-512 512 ah: 96bit ICV (no document)
512 ah-old: 128bit ICV (no document)
hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
ah-old: 128bit ICV (no document)
aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
128 ah-old: 128bit ICV (no document)
.\"aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
.\" 128 ah-old: 128bit ICV (no document)
.Ed
.Pp
Followings are the list of encryption algorithms that can be used as
@ -567,13 +599,13 @@ parameter:
algorithm keylen (bits) comment
des-cbc 64 esp-old: rfc1829, esp: rfc2405
3des-cbc 192 rfc2451
simple 0 to 2048 rfc2410
null 0 to 2048 rfc2410
blowfish-cbc 40 to 448 rfc2451
cast128-cbc 40 to 128 rfc2451
des-deriv 64 ipsec-ciph-des-derived-01 (expired)
des-deriv 64 ipsec-ciph-des-derived-01
3des-deriv 192 no document
rijndael-cbc 128/192/256 draft-ietf-ipsec-ciph-aes-cbc-00
aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
rijndael-cbc 128/192/256 rfc3602
.\"aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
.Ed
.Pp
Note that the first 128 bits of a key for
@ -591,44 +623,58 @@ parameter:
.Bd -literal -offset indent
algorithm comment
deflate rfc2394
lzs rfc2395
.Ed
.\"
.Sh EXAMPLES
.Bd -literal -offset
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
-E des-cbc "ESP SA!!" ;
add 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456
-A hmac-sha1 "AH SA configuration!" ;
add 10.0.11.41 10.0.11.33 esp 0x10001
-E des-cbc "ESP with"
-A hmac-md5 "authentication!!" ;
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
flush ;
dump esp ;
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
.Ed
.\"
.Sh RETURN VALUES
The command exits with 0 on success, and non-zero on errors.
.\"
.Sh EXAMPLES
.Bd -literal -offset
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
-E des-cbc 0x3ffe05014819ffff ;
add -6 myhost.example.com yourhost.example.com ah 123456
-A hmac-sha1 "AH SA configuration!" ;
add 10.0.11.41 10.0.11.33 esp 0x10001
-E des-cbc 0x3ffe05014819ffff
-A hmac-md5 "authentication!!" ;
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
flush ;
dump esp ;
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
.Ed
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
.Xr racoon 8 ,
.Xr sysctl 8
.Rs
.%T "Changed manual key configuration for IPsec"
.%O "http://www.kame.net/newsletter/19991007/"
.%D "October 1999"
.Re
.\"
.Sh HISTORY
The
.Nm
utility first appeared in WIDE Hydrangea IPv6 protocol stack kit.
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
The command was completely re-designed in June 1998.
.\"
.\" .Sh BUGS
.Sh BUGS
.Nm
should report and handle syntax errors better.
.Pp
For IPsec gateway configuration,
.Ar src_range
and
.Ar dst_range
with TCP/UDP port number do not work, as the gateway does not reassemble
packets
.Pq cannot inspect upper-layer headers .


@ -1,5 +1,5 @@
/* $FreeBSD$ */
/* $KAME: setkey.c,v 1.18 2001/05/08 04:36:39 itojun Exp $ */
/* $KAME: setkey.c,v 1.28 2003/06/27 07:15:45 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -58,7 +58,7 @@ int main __P((int, char **));
int get_supported __P((void));
void sendkeyshort __P((u_int));
void promisc __P((void));
int sendkeymsg __P((void));
int sendkeymsg __P((char *, size_t));
int postproc __P((struct sadb_msg *, int));
const char *numstr __P((int));
void shortdump_hdr __P((void));
@ -75,18 +75,12 @@ int so;
int f_forever = 0;
int f_all = 0;
int f_debug = 0;
int f_verbose = 0;
int f_mode = 0;
int f_cmddump = 0;
int f_policy = 0;
int f_hexdump = 0;
int f_tflag = 0;
char *pname;
u_char m_buf[BUFSIZ];
u_int m_len;
static time_t thiszone;
extern int lineno;
@ -96,12 +90,12 @@ extern int parse __P((FILE **));
void
usage()
{
printf("usage:\t%s [-dv] -c\n", pname);
printf("\t%s [-dv] -f (file)\n", pname);
printf("\t%s [-Padlv] -D\n", pname);
printf("\t%s [-Pdv] -F\n", pname);
printf("\t%s [-h] -x\n", pname);
pfkey_close(so);
printf("usage: setkey [-v] -c\n");
printf(" setkey [-v] -f filename\n");
printf(" setkey [-Palv] -D\n");
printf(" setkey [-Pv] -F\n");
printf(" setkey [-h] -x\n");
exit(1);
}
@ -113,8 +107,6 @@ main(ac, av)
FILE *fp = stdin;
int c;
pname = *av;
if (ac == 1) {
usage();
/* NOTREACHED */
@ -157,9 +149,6 @@ main(ac, av)
case 'P':
f_policy = 1;
break;
case 'd':
f_debug = 1;
break;
case 'v':
f_verbose = 1;
break;
@ -169,13 +158,18 @@ main(ac, av)
}
}
so = pfkey_open();
if (so < 0) {
perror("pfkey_open");
exit(1);
}
switch (f_mode) {
case MODE_CMDDUMP:
sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP);
break;
case MODE_CMDFLUSH:
sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
pfkey_close(so);
break;
case MODE_SCRIPT:
if (get_supported() < 0) {
@ -199,16 +193,6 @@ main(ac, av)
int
get_supported()
{
int so;
if ((so = pfkey_open()) < 0) {
perror("pfkey_open");
return -1;
}
/* debug mode ? */
if (f_debug)
return 0;
if (pfkey_send_register(so, SADB_SATYPE_UNSPEC) < 0)
return -1;
@ -223,20 +207,18 @@ void
sendkeyshort(type)
u_int type;
{
struct sadb_msg *m_msg = (struct sadb_msg *)m_buf;
struct sadb_msg msg;
m_len = sizeof(struct sadb_msg);
msg.sadb_msg_version = PF_KEY_V2;
msg.sadb_msg_type = type;
msg.sadb_msg_errno = 0;
msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
msg.sadb_msg_reserved = 0;
msg.sadb_msg_seq = 0;
msg.sadb_msg_pid = getpid();
m_msg->sadb_msg_version = PF_KEY_V2;
m_msg->sadb_msg_type = type;
m_msg->sadb_msg_errno = 0;
m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
sendkeymsg();
sendkeymsg((char *)&msg, sizeof(msg));
return;
}
@ -244,27 +226,20 @@ sendkeyshort(type)
void
promisc()
{
struct sadb_msg *m_msg = (struct sadb_msg *)m_buf;
struct sadb_msg msg;
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
int so, l;
ssize_t l;
m_len = sizeof(struct sadb_msg);
msg.sadb_msg_version = PF_KEY_V2;
msg.sadb_msg_type = SADB_X_PROMISC;
msg.sadb_msg_errno = 0;
msg.sadb_msg_satype = 1;
msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
msg.sadb_msg_reserved = 0;
msg.sadb_msg_seq = 0;
msg.sadb_msg_pid = getpid();
m_msg->sadb_msg_version = PF_KEY_V2;
m_msg->sadb_msg_type = SADB_X_PROMISC;
m_msg->sadb_msg_errno = 0;
m_msg->sadb_msg_satype = 1;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
err(1, "socket(PF_KEY)");
/*NOTREACHED*/
}
if ((l = send(so, m_buf, m_len, 0)) < 0) {
if ((l = send(so, &msg, sizeof(msg), 0)) < 0) {
err(1, "send");
/*NOTREACHED*/
}
@ -301,7 +276,7 @@ promisc()
}
/* adjust base pointer for promisc mode */
if (base->sadb_msg_type == SADB_X_PROMISC) {
if (sizeof(*base) < l)
if ((ssize_t)sizeof(*base) < l)
base++;
else
base = NULL;
@ -315,19 +290,14 @@ promisc()
}
int
sendkeymsg()
sendkeymsg(buf, len)
char *buf;
size_t len;
{
int so;
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
int l;
ssize_t l;
struct sadb_msg *msg;
if ((so = pfkey_open()) < 0) {
perror("pfkey_open");
return -1;
}
{
struct timeval tv;
tv.tv_sec = 1;
@ -342,11 +312,23 @@ sendkeymsg()
shortdump_hdr();
again:
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)m_buf);
kdebug_sadb((struct sadb_msg *)buf);
printf("\n");
}
if (f_hexdump) {
int i;
for (i = 0; i < len; i++) {
if (i % 16 == 0)
printf("%08x: ", i);
printf("%02x ", buf[i] & 0xff);
if (i % 16 == 15)
printf("\n");
}
if (len % 16)
printf("\n");
}
if ((l = send(so, m_buf, m_len, 0)) < 0) {
if ((l = send(so, buf, len, 0)) < 0) {
perror("send");
goto end;
}
@ -378,7 +360,6 @@ sendkeymsg()
}
end:
pfkey_close(so);
return(0);
}
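Review bot: promisc() now appears to use the global `so` (its local `int so, l;` was replaced by `ssize_t l;`), yet the unchanged `if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0)` block still opens a second PF_KEY socket into that same global, so the descriptor main() obtained from `so = pfkey_open();` before dispatching is overwritten and never closed. Since main() already exits when pfkey_open() fails, the socket() call in promisc() can be dropped and the already-open `so` used for the send()/recv() that follow; main()'s dispatch to promisc() lies outside the visible hunks, so this assumes it runs after the pfkey_open() shown, and promisc()'s body continues past the hunk. The new hexdump loop in sendkeymsg() compares an `int i` against the `size_t len` parameter, which -Wsign-compare flags; `size_t i;` together with `printf("%08zx: ", i);` keeps the comparison within one type.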


@ -1,5 +1,5 @@
/* $FreeBSD$ */
/* $KAME: token.l,v 1.21 2001/05/18 05:35:01 sakane Exp $ */
/* $KAME: token.l,v 1.43 2003/07/25 09:35:28 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -46,30 +46,12 @@
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include "vchar.h"
#ifdef __NetBSD__
#include "parse.h"
#else
#include "y.tab.h"
#endif
#define DECHO \
if (f_debug) {printf("<%d>", yy_start); ECHO ; printf("\n"); }
#define CMDARG \
{ \
char *__buf__ = strdup(yytext), *__p__; \
for (__p__ = __buf__; *__p__ != NULL; __p__++) \
if (*__p__ == '\n' || *__p__ == '\t') \
*__p__ = ' '; \
strcat(cmdarg, __buf__); \
free(__buf__); \
}
#define PREPROC DECHO CMDARG
int lineno = 1;
char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
extern u_char m_buf[BUFSIZ];
extern u_int m_len;
@ -81,7 +63,6 @@ void yyerror __P((const char *s));
extern void parse_init __P((void));
int parse __P((FILE **));
int yyparse __P((void));
%}
/* common section */
@ -90,199 +71,177 @@ ws [ \t]+
digit [0-9]
letter [0-9A-Za-z]
hexdigit [0-9A-Fa-f]
/*octet (([01]?{digit}?{digit})|((2([0-4]{digit}))|(25[0-5])))*/
special [()+\|\?\*,]
dot \.
comma \,
hyphen \-
colon \:
slash \/
bcl \{
ecl \}
blcl \[
elcl \]
percent \%
semi \;
usec {dot}{digit}{1,6}
comment \#.*
ccomment "/*"
bracketstring \<[^>]*\>
quotedstring \"[^"]*\"
decstring {digit}+
hexpair {hexdigit}{hexdigit}
hexstring 0[xX]{hexdigit}+
octetstring {octet}({dot}{octet})+
ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
ipaddrmask {slash}{digit}{1,3}
ipaddrport {blcl}{decstring}{elcl}
keyword {letter}{letter}+
name {letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))*
hostname {name}(({dot}{name})+{dot}?)?
%s S_PL
%s S_PL S_AUTHALG S_ENCALG
%%
add { PREPROC; return(ADD); }
delete { PREPROC; return(DELETE); }
deleteall { PREPROC; return(DELETEALL); }
get { PREPROC; return(GET); }
flush { PREPROC; return(FLUSH); }
dump { PREPROC; return(DUMP); }
add { return(ADD); }
delete { return(DELETE); }
deleteall { return(DELETEALL); }
get { return(GET); }
flush { return(FLUSH); }
dump { return(DUMP); }
/* for management SPD */
spdadd { PREPROC; return(SPDADD); }
spddelete { PREPROC; return(SPDDELETE); }
spddump { PREPROC; return(SPDDUMP); }
spdflush { PREPROC; return(SPDFLUSH); }
{hyphen}P { BEGIN S_PL; PREPROC; return(F_POLICY); }
<S_PL>[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.\-_/ \n\t]* {
yymore();
spdadd { return(SPDADD); }
spddelete { return(SPDDELETE); }
spddump { return(SPDDUMP); }
spdflush { return(SPDFLUSH); }
tagged { return(TAGGED); }
{hyphen}P { BEGIN S_PL; return(F_POLICY); }
<S_PL>[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.%\-_/ \n\t]* {
yymore();
/* count up for nl */
{
char *p;
for (p = yytext; *p != NULL; p++)
if (*p == '\n')
lineno++;
}
/* count up for nl */
{
char *p;
for (p = yytext; *p != NULL; p++)
if (*p == '\n')
lineno++;
}
yylval.val.len = strlen(yytext);
yylval.val.buf = strdup(yytext);
yylval.val.len = strlen(yytext);
yylval.val.buf = strdup(yytext);
if (!yylval.val.buf)
yyfatal("insufficient memory");
return(PL_REQUESTS);
}
<S_PL>{semi} { PREPROC; BEGIN INITIAL; return(EOT); }
return(PL_REQUESTS);
}
<S_PL>{semi} { BEGIN INITIAL; return(EOT); }
/* address resolution flags */
{hyphen}[n46][n46]* {
yylval.val.len = strlen(yytext);
yylval.val.buf = strdup(yytext);
if (!yylval.val.buf)
yyfatal("insufficient memory");
return(F_AIFLAGS);
}
/* security protocols */
ah { PREPROC; yylval.num = 0; return(PR_AH); }
esp { PREPROC; yylval.num = 0; return(PR_ESP); }
ah-old { PREPROC; yylval.num = 1; return(PR_AH); }
esp-old { PREPROC; yylval.num = 1; return(PR_ESP); }
ipcomp { PREPROC; yylval.num = 0; return(PR_IPCOMP); }
ah { yylval.num = 0; return(PR_AH); }
esp { yylval.num = 0; return(PR_ESP); }
ah-old { yylval.num = 1; return(PR_AH); }
esp-old { yylval.num = 1; return(PR_ESP); }
ipcomp { yylval.num = 0; return(PR_IPCOMP); }
/* authentication alogorithm */
{hyphen}A { PREPROC; return(F_AUTH); }
hmac-md5 { PREPROC; yylval.num = SADB_AALG_MD5HMAC; return(ALG_AUTH); }
hmac-sha1 { PREPROC; yylval.num = SADB_AALG_SHA1HMAC; return(ALG_AUTH); }
keyed-md5 { PREPROC; yylval.num = SADB_X_AALG_MD5; return(ALG_AUTH); }
keyed-sha1 { PREPROC; yylval.num = SADB_X_AALG_SHA; return(ALG_AUTH); }
hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); }
hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); }
hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); }
hmac-ripemd160 { PREPROC; yylval.num = SADB_X_AALG_RIPEMD160HMAC; return(ALG_AUTH); }
aes-xcbc-mac { PREPROC; yylval.num = SADB_X_AALG_AES_XCBC_MAC; return(ALG_AUTH); }
null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); }
{hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); }
<S_AUTHALG>hmac-md5 { yylval.num = SADB_AALG_MD5HMAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-sha1 { yylval.num = SADB_AALG_SHA1HMAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>keyed-md5 { yylval.num = SADB_X_AALG_MD5; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>keyed-sha1 { yylval.num = SADB_X_AALG_SHA; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-sha2-256 { yylval.num = SADB_X_AALG_SHA2_256; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-sha2-384 { yylval.num = SADB_X_AALG_SHA2_384; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-sha2-512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-ripemd160 { yylval.num = SADB_X_AALG_RIPEMD160HMAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>aes-xcbc-mac { yylval.num = SADB_X_AALG_AES_XCBC_MAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>null { yylval.num = SADB_X_AALG_NULL; BEGIN INITIAL; return(ALG_AUTH_NOKEY); }
/* encryption alogorithm */
{hyphen}E { PREPROC; return(F_ENC); }
des-cbc { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC); }
3des-cbc { PREPROC; yylval.num = SADB_EALG_3DESCBC; return(ALG_ENC); }
simple { PREPROC; yylval.num = SADB_EALG_NULL; return(ALG_ENC); }
blowfish-cbc { PREPROC; yylval.num = SADB_X_EALG_BLOWFISHCBC; return(ALG_ENC); }
cast128-cbc { PREPROC; yylval.num = SADB_X_EALG_CAST128CBC; return(ALG_ENC); }
des-deriv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DESDERIV); }
des-32iv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DES32IV); }
rijndael-cbc { PREPROC; yylval.num = SADB_X_EALG_RIJNDAELCBC; return(ALG_ENC); }
aes-ctr { PREPROC; yylval.num = SADB_X_EALG_AESCTR; return(ALG_ENC); }
{hyphen}E { BEGIN S_ENCALG; return(F_ENC); }
<S_ENCALG>des-cbc { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC); }
<S_ENCALG>3des-cbc { yylval.num = SADB_EALG_3DESCBC; BEGIN INITIAL; return(ALG_ENC); }
<S_ENCALG>null { yylval.num = SADB_EALG_NULL; BEGIN INITIAL; return(ALG_ENC_NOKEY); }
<S_ENCALG>simple { yylval.num = SADB_EALG_NULL; BEGIN INITIAL; return(ALG_ENC_OLD); }
<S_ENCALG>blowfish-cbc { yylval.num = SADB_X_EALG_BLOWFISHCBC; BEGIN INITIAL; return(ALG_ENC); }
<S_ENCALG>cast128-cbc { yylval.num = SADB_X_EALG_CAST128CBC; BEGIN INITIAL; return(ALG_ENC); }
<S_ENCALG>des-deriv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DESDERIV); }
<S_ENCALG>des-32iv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DES32IV); }
<S_ENCALG>rijndael-cbc { yylval.num = SADB_X_EALG_RIJNDAELCBC; BEGIN INITIAL; return(ALG_ENC); }
<S_ENCALG>aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC); }
/* compression algorithms */
{hyphen}C { PREPROC; return(F_COMP); }
oui { PREPROC; yylval.num = SADB_X_CALG_OUI; return(ALG_COMP); }
deflate { PREPROC; yylval.num = SADB_X_CALG_DEFLATE; return(ALG_COMP); }
lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
{hyphen}R { PREPROC; return(F_RAWCPI); }
{hyphen}C { return(F_COMP); }
oui { yylval.num = SADB_X_CALG_OUI; return(ALG_COMP); }
deflate { yylval.num = SADB_X_CALG_DEFLATE; return(ALG_COMP); }
lzs { yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
{hyphen}R { return(F_RAWCPI); }
/* extension */
{hyphen}m { PREPROC; return(F_MODE); }
transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
{hyphen}u { PREPROC; return(F_REQID); }
{hyphen}f { PREPROC; return(F_EXT); }
random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
{hyphen}r { PREPROC; return(F_REPLAY); }
{hyphen}lh { PREPROC; return(F_LIFETIME_HARD); }
{hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); }
{hyphen}m { return(F_MODE); }
transport { yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
tunnel { yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
{hyphen}u { return(F_REQID); }
{hyphen}f { return(F_EXT); }
random-pad { yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
seq-pad { yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
zero-pad { yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
nocyclic-seq { return(NOCYCLICSEQ); }
{hyphen}r { return(F_REPLAY); }
{hyphen}lh { return(F_LIFETIME_HARD); }
{hyphen}ls { return(F_LIFETIME_SOFT); }
/* ... */
any { PREPROC; return(ANY); }
{ws} { PREPROC; }
any { return(ANY); }
{ws} { }
{nl} { lineno++; }
{comment}
{semi} { PREPROC; return(EOT); }
{semi} { return(EOT); }
/* for address parameters: /prefix, [port] */
{slash} { return SLASH; }
{blcl} { return BLCL; }
{elcl} { return ELCL; }
/* parameter */
{decstring} {
char *bp;
PREPROC;
yylval.num = strtoul(yytext, &bp, 10);
yylval.ulnum = strtoul(yytext, &bp, 10);
return(DECSTRING);
}
{ipaddress} {
PREPROC;
yylval.val.len = yyleng;
yylval.val.buf = strdup(yytext);
return(ADDRESS);
}
{ipaddrmask} {
PREPROC;
yytext++;
yylval.num = atoi(yytext);
return(PREFIX);
}
{ipaddrport} {
char *p = yytext;
PREPROC;
while (*++p != ']') ;
*p = NULL;
yytext++;
yylval.num = atoi(yytext);
return(PORT);
}
{blcl}any{elcl} {
PREPROC;
return(PORTANY);
}
{hexstring} {
int len = yyleng - 2; /* (str - "0x") */
PREPROC;
yylval.val.len = (len & 1) + (len / 2);
/* fixed string if length is odd. */
if (len & 1) {
yytext[1] = '0';
yylval.val.buf = strdup(yytext + 1);
} else
yylval.val.buf = strdup(yytext + 2);
yylval.val.buf = strdup(yytext + 2);
if (!yylval.val.buf)
yyfatal("insufficient memory");
yylval.val.len = strlen(yylval.val.buf);
return(HEXSTRING);
}
{quotedstring} {
char *p = yytext;
PREPROC;
while (*++p != '"') ;
*p = NULL;
yytext++;
yylval.val.len = yyleng - 2;
yylval.val.buf = strdup(yytext);
if (!yylval.val.buf)
yyfatal("insufficient memory");
return(QUOTEDSTRING);
}
[a-z0-9.\-]* {
[A-Za-z0-9:][A-Za-z0-9:%\.-]* {
yylval.val.len = yyleng;
yylval.val.buf = strdup(yytext);
if (!yylval.val.buf)
yyfatal("insufficient memory");
return(STRING);
}
[0-9,]+ {
yylval.val.len = yyleng;
yylval.val.buf = strdup(yytext);
if (!yylval.val.buf)
yyfatal("insufficient memory");
return(STRING);
}


@ -39,7 +39,7 @@ LDADD= -ll -ly
CLEANFILES= y.tab.c y.tab.h key_test.o keytest
# libpfkey.
# libpfkey
# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c



@ -45,9 +45,9 @@
#
# At Host-A and Host-B,
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
esp/transport/fec0::10-fec0::11/use ;
esp/transport//use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
esp/transport/fec0::11-fec0::10/use ;
esp/transport//use ;
add fec0::10 fec0::11 esp 0x10001
-m transport
-E blowfish-cbc "kamekame"
@ -112,10 +112,10 @@ add 172.16.0.2 172.16.0.1 ah-old 0x10004
# At Gateway-A:
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
ah/transport//require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
ah/transport//require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
-m tunnel
-E 3des-cbc "kamekame12341234kame1234"
@ -146,10 +146,10 @@ add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
#
# At Host-A:
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
esp/transport//use
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use
esp/transport//use
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
-m transport
@ -166,10 +166,10 @@ add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
# By "get" command, you can get an entry of either SP or SA.
# By "get" command, you can get a entry of either SP or SA.
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
# Also delete command, you can delete an entry of either SP or SA.
# Also delete command, you can delete a entry of either SP or SA.
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
@ -188,24 +188,24 @@ dump esp ;
flush ah ;
# XXX
add ::1 ::1 esp 10001 -m transport -E simple ;
add ::1 ::1 esp 10001 -m transport -E null ;
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
add ::1 ::1 esp 10004 -m transport -E simple -A null ;
add ::1 ::1 esp 10005 -m transport -E simple -A hmac-md5 "1234123412341234" ;
add ::1 ::1 esp 10006 -m tunnel -E simple -A hmac-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10007 -m transport -E simple -A keyed-md5 "1234123412341234" ;
add ::1 ::1 esp 10008 -m any -E simple -A keyed-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10004 -m transport -E null -A null ;
add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E simple ;
add ::1 ::1 esp 10018 -m transport -E simple ;
add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
add ::1 ::1 esp 10018 -m transport -E null ;
#add ::1 ::1 ah 20000 -m transport -A null ;
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";


@ -1,4 +1,4 @@
.\" $KAME: setkey.8,v 1.49 2001/05/18 05:49:51 sakane Exp $
.\" $KAME: setkey.8,v 1.89 2003/09/07 22:17:41 itojun Exp $
.\" $FreeBSD$
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -34,20 +34,20 @@
.\"
.Sh NAME
.Nm setkey
.Nd "manually manipulate the IPsec SA/SP database"
.Nd manually manipulate the IPsec SA/SP database
.\"
.Sh SYNOPSIS
.Nm
.Op Fl dv
.Op Fl v
.Fl c
.Nm
.Op Fl dv
.Op Fl v
.Fl f Ar filename
.Nm
.Op Fl adPlv
.Op Fl aPlv
.Fl D
.Nm
.Op Fl dPv
.Op Fl Pv
.Fl F
.Nm
.Op Fl h
@ -56,19 +56,23 @@
.Sh DESCRIPTION
The
.Nm
utility adds, updates, dumps, or flushes
command adds, updates, dumps, or flushes
Security Association Database (SAD) entries
as well as Security Policy Database (SPD) entries in the kernel.
.Pp
The
.Nm
utility takes a series of operations from the standard input
(if invoked with
.Fl c )
command takes a series of operations from the standard input
.Po
if invoked with
.Fl c
.Pc
or the file named
.Ar filename
(if invoked with
.Fl f Ar filename ) .
.Po
if invoked with
.Fl f Ar filename
.Pc .
.Bl -tag -width Ds
.It Fl D
Dump the SAD entries.
@ -81,24 +85,15 @@ If with
.Fl P ,
the SPD entries are flushed.
.It Fl a
Dead SAD entries are usually not displayed with
.Nm
usually does not display dead SAD entries with
.Fl D .
If with
.Fl a ,
the dead SAD entries will be displayed as well.
A dead SAD entry means that
it has been expired but remains
because it is referenced by SPD entries.
.It Fl d
Enable to print debugging messages for command parser,
without talking to kernel.
It is not used usually.
.It Fl x
Loop forever and dump all the messages transmitted to
.Dv PF_KEY
socket.
.Fl xx
makes each timestamps unformatted.
it has been expired but remains in the system
because it is referenced by some SPD entries.
.It Fl h
Add hexadecimal dump on
.Fl x
@ -111,23 +106,39 @@ Be verbose.
The program will dump messages exchanged on
.Dv PF_KEY
socket, including messages sent from other processes to the kernel.
.It Fl x
Loop forever and dump all the messages transmitted to
.Dv PF_KEY
socket.
.Fl xx
makes each timestamps unformatted.
.El
.Pp
Operations have the following grammar.
Note that lines starting with
hashmarks ('#') are treated as comment lines.
.Ss Configuration syntax
With
.Fl c
or
.Fl f
on the command line,
.Nm
accepts the following configuration syntax.
Lines starting with hash signs ('#') are treated as comment lines.
.Bl -tag -width Ds
.It Xo
.Li add
.Op Fl 46n
.Ar src Ar dst Ar protocol Ar spi
.Op Ar extensions
.Ar algorithm...
.Ar algorithm ...
.Li ;
.Xc
Add an SAD entry.
.Li add
can fail with multiple reasons,
including when the key length does not match the specified algorithm.
.\"
.It Xo
.Li get
.Op Fl 46n
.Ar src Ar dst Ar protocol Ar spi
.Li ;
.Xc
@ -135,6 +146,7 @@ Show an SAD entry.
.\"
.It Xo
.Li delete
.Op Fl 46n
.Ar src Ar dst Ar protocol Ar spi
.Li ;
.Xc
@ -142,6 +154,7 @@ Remove an SAD entry.
.\"
.It Xo
.Li deleteall
.Op Fl 46n
.Ar src Ar dst Ar protocol
.Li ;
.Xc
@ -153,6 +166,8 @@ Remove all SAD entries that match the specification.
.Li ;
.Xc
Clear all SAD entries matched by the options.
.Fl F
on the command line achieves the same functionality.
.\"
.It Xo
.Li dump
@ -160,9 +175,12 @@ Clear all SAD entries matched by the options.
.Li ;
.Xc
Dumps all SAD entries matched by the options.
.Fl D
on the command line achieves the same functionality.
.\"
.It Xo
.Li spdadd
.Op Fl 46n
.Ar src_range Ar dst_range Ar upperspec Ar policy
.Li ;
.Xc
@ -170,6 +188,7 @@ Add an SPD entry.
.\"
.It Xo
.Li spddelete
.Op Fl 46n
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
.Li ;
.Xc
@ -180,12 +199,16 @@ Delete an SPD entry.
.Li ;
.Xc
Clear all SPD entries.
.Fl FP
on the command line achieves the same functionality.
.\"
.It Xo
.Li spddump
.Li ;
.Xc
Dumps all SPD entries.
.Fl DP
on the command line achieves the same functionality.
.El
.\"
.Pp
@ -196,13 +219,23 @@ Meta-arguments are as follows:
.It Ar dst
Source/destination of the secure communication is specified as
IPv4/v6 address.
The
.Nm
utility does not consult hostname-to-address for arguments
.Ar src
can resolve a FQDN into numeric addresses.
If the FQDN resolves into multiple addresses,
.Nm
will install multiple SAD/SPD entries into the kernel
by trying all possible combinations.
.Fl 4 ,
.Fl 6
and
.Ar dst .
They must be in numeric form.
.Fl n
restricts the address resolution of FQDN in certain ways.
.Fl 4
and
.Fl 6
restrict results into IPv4/v6 addresses only, respectively.
.Fl n
avoids FQDN resolution and requires addresses to be numeric addresses.
.\"
.Pp
.It Ar protocol
@ -210,7 +243,7 @@ They must be in numeric form.
is one of following:
.Bl -tag -width Fl -compact
.It Li esp
ESP based on rfc2405
ESP based on rfc2406
.It Li esp-old
ESP based on rfc1827
.It Li ah
@ -218,21 +251,24 @@ AH based on rfc2402
.It Li ah-old
AH based on rfc1826
.It Li ipcomp
IPCOMP
IPComp
.El
.\"
.Pp
.It Ar spi
Security Parameter Index (SPI) for the SAD and the SPD.
It must be decimal number or hexadecimal number
You cannot use the set of SPI values in the range 0 through 255.
(with
.Li 0x
attached).
Security Parameter Index
.Pq SPI
for the SAD and the SPD.
.Ar spi
must be a decimal number, or a hexadecimal number with
.Dq Li 0x
prefix.
SPI values between 0 and 255 are reserved for future use by IANA
and they cannot be used.
.\"
.Pp
.It Ar extensions
takes some of the following:
take some of the following:
.Bl -tag -width Fl -compact
.\"
.It Fl m Ar mode
@ -283,62 +319,41 @@ Specify hard/soft life time duration of the SA.
.It Ar algorithm
.Bl -tag -width Fl -compact
.It Fl E Ar ealgo Ar key
Specify an encryption algorithm.
Specify an encryption algorithm
.Ar ealgo
for ESP.
.It Xo
.Fl E Ar ealgo Ar key
.Fl A Ar aalgo Ar key
.Xc
Specify a encryption algorithm
.Ar ealgo ,
as well as a payload authentication algorithm
.Ar aalgo ,
for ESP.
.It Fl A Ar aalgo Ar key
Specify an authentication algorithm.
If
.Fl A
is used with
.Ar protocol Li esp ,
it will be treated as ESP payload authentication algorithm.
Specify an authentication algorithm for AH.
.It Fl C Ar calgo Op Fl R
Specify compression algorithm.
Specify a compression algorithm for IPComp.
If
.Fl R
is not specified with
.Li ipcomp
line, the kernel will use well-known IPComp CPI
(compression parameter index)
on IPComp CPI field on packets, and
is specified,
.Ar spi
field will be ignored.
.Ar spi
field is only for kernel internal use in this case.
.\"Therefore, compression protocol number will appear on IPComp CPI field.
field value will be used as the IPComp CPI
.Pq compression parameter index
on wire as is.
If
.Fl R
is used,
the value on
is not specified,
the kernel will use well-known CPI on wire, and
.Ar spi
field will appear on IPComp CPI field on outgoing packets.
.Ar spi
field needs to be smaller than
.Li 0x10000
in this case.
field will be used only as an index for kernel internal usage.
.El
.Pp
.Ar protocol Li esp
accepts
.Fl E
and
.Fl A .
.Ar protocol Li esp-old
accepts
.Fl E
only.
.Ar protocol Li ah
and
.Li ah-old
accept
.Fl A
only.
.Ar protocol Li ipcomp
accepts
.Fl C
only.
.Pp
.Ar key
must be double-quoted character string or series of hexadecimal digits.
must be double-quoted character string, or a series of hexadecimal digits
preceded by
.Dq Li 0x .
.Pp
Possible values for
.Ar ealgo ,
@ -369,14 +384,11 @@ The square bracket around
.Ar port
is really necessary.
They are not manpage metacharacters.
.Pp
The
.Nm
utility does not consult hostname-to-address for arguments
For FQDN resolution, the rules applicable to
.Ar src
and
.Ar dst .
They must be in numeric form.
.Ar dst
apply here as well.
.\"
.Pp
.It Ar upperspec
@ -395,34 +407,38 @@ can be specified.
stands for
.Dq any protocol .
Also you can use the protocol number.
You can specify a type and/or a code of ICMPv6 when
Upper-layer protocol is ICMPv6.
the specification can be placed after
.Li icmp6 .
A type is separated with a code by single comma.
A code must be specified anytime.
When a zero is specified, the kernel deals with it as a wildcard.
Note that the kernel can not distinguish a wildcard from that a type
of ICMPv6 is zero.
For example, the following means the policy doesn't require IPsec
for any inbound Neighbor Solicitation.
.Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ;
.Pp
NOTE:
.Ar upperspec
does not work against forwarding case at this moment,
as it requires extra reassembly at forwarding node
(not implemented at this moment).
.Pq not implemented at this moment .
We have many protocols in
.Pa /etc/protocols ,
but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec.
You have to consider and be careful to use them.
.Li icmp
.Li tcp
.Li udp
all protocols
.\"
.Pp
.It Ar policy
.Ar policy
is the one of following:
.Bd -literal -offset
.Xo
.Fl P Ar direction Li discard
.Xc
.Xo
.Fl P Ar direction Li none
.Xc
.Xo
.Fl P Ar direction Li ipsec Ar protocol/mode/src-dst/level
is the one of the following three formats:
.Bd -literal -offset indent
.It Fl P Ar direction Li discard
.It Fl P Ar direction Li none
.It Xo Fl P Ar direction Li ipsec
.Ar protocol/mode/src-dst/level Op ...
.Xc
.Ed
.Pp
@ -439,6 +455,9 @@ means the packet matching indexes will be discarded.
means that IPsec operation will not take place onto the packet.
.Li ipsec
means that IPsec operation will take place onto the packet.
The part of
.Ar protocol/mode/src-dst/level
specifies the rule how to process the packet.
Either
.Li ah ,
.Li esp
@ -480,7 +499,7 @@ If the SA is not available in every level, the kernel will request
getting SA to the key exchange daemon.
.Li default
means the kernel consults to the system wide default against protocol you
specified, e.g.\&
specified, e.g.
.Li esp_trans_deflev
sysctl variable, when the kernel processes the packet.
.Li use
@ -492,17 +511,29 @@ with the policy.
.Li unique
is the same to require.
In addition, it allows the policy to bind with the unique out-bound SA.
If you use the SA by manual keying,
You just specify the policy level
.Li unique ,
.Xr racoon 8
will configure the SA for the policy.
If you configure the SA by manual keying for that policy,
you can put the decimal number as the policy identifier after
.Li unique
separated by colon
.Sq \:
.Sq \&:
like the following;
.Li unique:number .
in order to bind this policy to the SA.
.Li number
must be between 1 and 32767.
It corresponds to
.Ar extensions Fl u .
.Ar extensions Fl u
of the manual SA configuration.
When you want to use SA bundle, you can define multiple rules.
For example, if an IP header was followed by AH header followed by ESP header
followed by an upper layer protocol header, the rule
would be:
.Dl esp/transport//require ah/transport//require ;
The rule order is very important.
.Pp
Note that
.Dq Li discard
@ -543,7 +574,8 @@ keyed-md5 128 ah: 96bit ICV (no document)
keyed-sha1 160 ah: 96bit ICV (no document)
160 ah-old: 128bit ICV (no document)
null 0 to 2048 for debugging
hmac-sha2-256 256 ah: 96bit ICV (no document)
hmac-sha2-256 256 ah: 96bit ICV
(draft-ietf-ipsec-ciph-sha-256-00)
256 ah-old: 128bit ICV (no document)
hmac-sha2-384 384 ah: 96bit ICV (no document)
384 ah-old: 128bit ICV (no document)
@ -551,8 +583,8 @@ hmac-sha2-512 512 ah: 96bit ICV (no document)
512 ah-old: 128bit ICV (no document)
hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
ah-old: 128bit ICV (no document)
aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
128 ah-old: 128bit ICV (no document)
.\"aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
.\" 128 ah-old: 128bit ICV (no document)
.Ed
.Pp
Followings are the list of encryption algorithms that can be used as
@ -567,13 +599,13 @@ parameter:
algorithm keylen (bits) comment
des-cbc 64 esp-old: rfc1829, esp: rfc2405
3des-cbc 192 rfc2451
simple 0 to 2048 rfc2410
null 0 to 2048 rfc2410
blowfish-cbc 40 to 448 rfc2451
cast128-cbc 40 to 128 rfc2451
des-deriv 64 ipsec-ciph-des-derived-01 (expired)
des-deriv 64 ipsec-ciph-des-derived-01
3des-deriv 192 no document
rijndael-cbc 128/192/256 draft-ietf-ipsec-ciph-aes-cbc-00
aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
rijndael-cbc 128/192/256 rfc3602
.\"aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
.Ed
.Pp
Note that the first 128 bits of a key for
@ -591,44 +623,58 @@ parameter:
.Bd -literal -offset indent
algorithm comment
deflate rfc2394
lzs rfc2395
.Ed
.\"
.Sh EXAMPLES
.Bd -literal -offset
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
-E des-cbc "ESP SA!!" ;
add 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456
-A hmac-sha1 "AH SA configuration!" ;
add 10.0.11.41 10.0.11.33 esp 0x10001
-E des-cbc "ESP with"
-A hmac-md5 "authentication!!" ;
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
flush ;
dump esp ;
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
.Ed
.\"
.Sh RETURN VALUES
The command exits with 0 on success, and non-zero on errors.
.\"
.Sh EXAMPLES
.Bd -literal -offset
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
-E des-cbc 0x3ffe05014819ffff ;
add -6 myhost.example.com yourhost.example.com ah 123456
-A hmac-sha1 "AH SA configuration!" ;
add 10.0.11.41 10.0.11.33 esp 0x10001
-E des-cbc 0x3ffe05014819ffff
-A hmac-md5 "authentication!!" ;
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
flush ;
dump esp ;
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
.Ed
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
.Xr racoon 8 ,
.Xr sysctl 8
.Rs
.%T "Changed manual key configuration for IPsec"
.%O "http://www.kame.net/newsletter/19991007/"
.%D "October 1999"
.Re
.\"
.Sh HISTORY
The
.Nm
utility first appeared in WIDE Hydrangea IPv6 protocol stack kit.
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
The command was completely re-designed in June 1998.
.\"
.\" .Sh BUGS
.Sh BUGS
.Nm
should report and handle syntax errors better.
.Pp
For IPsec gateway configuration,
.Ar src_range
and
.Ar dst_range
with TCP/UDP port number do not work, as the gateway does not reassemble
packets
.Pq cannot inspect upper-layer headers .


@ -1,5 +1,5 @@
/* $FreeBSD$ */
/* $KAME: setkey.c,v 1.18 2001/05/08 04:36:39 itojun Exp $ */
/* $KAME: setkey.c,v 1.28 2003/06/27 07:15:45 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -58,7 +58,7 @@ int main __P((int, char **));
int get_supported __P((void));
void sendkeyshort __P((u_int));
void promisc __P((void));
int sendkeymsg __P((void));
int sendkeymsg __P((char *, size_t));
int postproc __P((struct sadb_msg *, int));
const char *numstr __P((int));
void shortdump_hdr __P((void));
@ -75,18 +75,12 @@ int so;
int f_forever = 0;
int f_all = 0;
int f_debug = 0;
int f_verbose = 0;
int f_mode = 0;
int f_cmddump = 0;
int f_policy = 0;
int f_hexdump = 0;
int f_tflag = 0;
char *pname;
u_char m_buf[BUFSIZ];
u_int m_len;
static time_t thiszone;
extern int lineno;
@ -96,12 +90,12 @@ extern int parse __P((FILE **));
void
usage()
{
printf("usage:\t%s [-dv] -c\n", pname);
printf("\t%s [-dv] -f (file)\n", pname);
printf("\t%s [-Padlv] -D\n", pname);
printf("\t%s [-Pdv] -F\n", pname);
printf("\t%s [-h] -x\n", pname);
pfkey_close(so);
printf("usage: setkey [-v] -c\n");
printf(" setkey [-v] -f filename\n");
printf(" setkey [-Palv] -D\n");
printf(" setkey [-Pv] -F\n");
printf(" setkey [-h] -x\n");
exit(1);
}
@ -113,8 +107,6 @@ main(ac, av)
FILE *fp = stdin;
int c;
pname = *av;
if (ac == 1) {
usage();
/* NOTREACHED */
@ -157,9 +149,6 @@ main(ac, av)
case 'P':
f_policy = 1;
break;
case 'd':
f_debug = 1;
break;
case 'v':
f_verbose = 1;
break;
@ -169,13 +158,18 @@ main(ac, av)
}
}
so = pfkey_open();
if (so < 0) {
perror("pfkey_open");
exit(1);
}
switch (f_mode) {
case MODE_CMDDUMP:
sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP);
break;
case MODE_CMDFLUSH:
sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
pfkey_close(so);
break;
case MODE_SCRIPT:
if (get_supported() < 0) {
@ -199,16 +193,6 @@ main(ac, av)
int
get_supported()
{
int so;
if ((so = pfkey_open()) < 0) {
perror("pfkey_open");
return -1;
}
/* debug mode ? */
if (f_debug)
return 0;
if (pfkey_send_register(so, SADB_SATYPE_UNSPEC) < 0)
return -1;
@ -223,20 +207,18 @@ void
sendkeyshort(type)
u_int type;
{
struct sadb_msg *m_msg = (struct sadb_msg *)m_buf;
struct sadb_msg msg;
m_len = sizeof(struct sadb_msg);
msg.sadb_msg_version = PF_KEY_V2;
msg.sadb_msg_type = type;
msg.sadb_msg_errno = 0;
msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
msg.sadb_msg_reserved = 0;
msg.sadb_msg_seq = 0;
msg.sadb_msg_pid = getpid();
m_msg->sadb_msg_version = PF_KEY_V2;
m_msg->sadb_msg_type = type;
m_msg->sadb_msg_errno = 0;
m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
sendkeymsg();
sendkeymsg((char *)&msg, sizeof(msg));
return;
}
@ -244,27 +226,20 @@ sendkeyshort(type)
void
promisc()
{
struct sadb_msg *m_msg = (struct sadb_msg *)m_buf;
struct sadb_msg msg;
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
int so, l;
ssize_t l;
m_len = sizeof(struct sadb_msg);
msg.sadb_msg_version = PF_KEY_V2;
msg.sadb_msg_type = SADB_X_PROMISC;
msg.sadb_msg_errno = 0;
msg.sadb_msg_satype = 1;
msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
msg.sadb_msg_reserved = 0;
msg.sadb_msg_seq = 0;
msg.sadb_msg_pid = getpid();
m_msg->sadb_msg_version = PF_KEY_V2;
m_msg->sadb_msg_type = SADB_X_PROMISC;
m_msg->sadb_msg_errno = 0;
m_msg->sadb_msg_satype = 1;
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
m_msg->sadb_msg_reserved = 0;
m_msg->sadb_msg_seq = 0;
m_msg->sadb_msg_pid = getpid();
if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
err(1, "socket(PF_KEY)");
/*NOTREACHED*/
}
if ((l = send(so, m_buf, m_len, 0)) < 0) {
if ((l = send(so, &msg, sizeof(msg), 0)) < 0) {
err(1, "send");
/*NOTREACHED*/
}
@ -301,7 +276,7 @@ promisc()
}
/* adjust base pointer for promisc mode */
if (base->sadb_msg_type == SADB_X_PROMISC) {
if (sizeof(*base) < l)
if ((ssize_t)sizeof(*base) < l)
base++;
else
base = NULL;
@ -315,19 +290,14 @@ promisc()
}
int
sendkeymsg()
sendkeymsg(buf, len)
char *buf;
size_t len;
{
int so;
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
int l;
ssize_t l;
struct sadb_msg *msg;
if ((so = pfkey_open()) < 0) {
perror("pfkey_open");
return -1;
}
{
struct timeval tv;
tv.tv_sec = 1;
@ -342,11 +312,23 @@ sendkeymsg()
shortdump_hdr();
again:
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)m_buf);
kdebug_sadb((struct sadb_msg *)buf);
printf("\n");
}
if (f_hexdump) {
int i;
for (i = 0; i < len; i++) {
if (i % 16 == 0)
printf("%08x: ", i);
printf("%02x ", buf[i] & 0xff);
if (i % 16 == 15)
printf("\n");
}
if (len % 16)
printf("\n");
}
if ((l = send(so, m_buf, m_len, 0)) < 0) {
if ((l = send(so, buf, len, 0)) < 0) {
perror("send");
goto end;
}
@ -378,7 +360,6 @@ sendkeymsg()
}
end:
pfkey_close(so);
return(0);
}
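Review bot: The new hexdump loop in sendkeymsg() declares `int i` and compares it against the `size_t len` parameter, so the index and the bound have different signedness (a -Wsign-compare warning, and a type mismatch that the rest of the function avoids by switching `l` to `ssize_t`); declare `size_t i;` and print it as `printf("%08lx: ", (unsigned long)i);`. The `buf[i] & 0xff` masking is right for a plain `char` buffer and needs no change. The socket lifetime also changed: main() now opens the PF_KEY socket once via pfkey_open() for every mode, while promisc() still opens its own descriptor with `socket(PF_KEY, SOCK_RAW, PF_KEY_V2)` into the same global `so`, which appears to leak the first descriptor in that path; the MODE_PROMISC branch of main() is outside the hunk, so this is inferred. A comment on the `so = pfkey_open();` line such as `/* shared PF_KEY socket, used by sendkeyshort()/sendkeymsg(); closed per mode below */` would make the new ownership explicit.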


@ -1,5 +1,5 @@
/* $FreeBSD$ */
/* $KAME: token.l,v 1.21 2001/05/18 05:35:01 sakane Exp $ */
/* $KAME: token.l,v 1.43 2003/07/25 09:35:28 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -46,30 +46,12 @@
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include "vchar.h"
#ifdef __NetBSD__
#include "parse.h"
#else
#include "y.tab.h"
#endif
#define DECHO \
if (f_debug) {printf("<%d>", yy_start); ECHO ; printf("\n"); }
#define CMDARG \
{ \
char *__buf__ = strdup(yytext), *__p__; \
for (__p__ = __buf__; *__p__ != NULL; __p__++) \
if (*__p__ == '\n' || *__p__ == '\t') \
*__p__ = ' '; \
strcat(cmdarg, __buf__); \
free(__buf__); \
}
#define PREPROC DECHO CMDARG
int lineno = 1;
char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
extern u_char m_buf[BUFSIZ];
extern u_int m_len;
@ -81,7 +63,6 @@ void yyerror __P((const char *s));
extern void parse_init __P((void));
int parse __P((FILE **));
int yyparse __P((void));
%}
/* common section */
@ -90,199 +71,177 @@ ws [ \t]+
digit [0-9]
letter [0-9A-Za-z]
hexdigit [0-9A-Fa-f]
/*octet (([01]?{digit}?{digit})|((2([0-4]{digit}))|(25[0-5])))*/
special [()+\|\?\*,]
dot \.
comma \,
hyphen \-
colon \:
slash \/
bcl \{
ecl \}
blcl \[
elcl \]
percent \%
semi \;
usec {dot}{digit}{1,6}
comment \#.*
ccomment "/*"
bracketstring \<[^>]*\>
quotedstring \"[^"]*\"
decstring {digit}+
hexpair {hexdigit}{hexdigit}
hexstring 0[xX]{hexdigit}+
octetstring {octet}({dot}{octet})+
ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
ipaddrmask {slash}{digit}{1,3}
ipaddrport {blcl}{decstring}{elcl}
keyword {letter}{letter}+
name {letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))*
hostname {name}(({dot}{name})+{dot}?)?
%s S_PL
%s S_PL S_AUTHALG S_ENCALG
%%
add { PREPROC; return(ADD); }
delete { PREPROC; return(DELETE); }
deleteall { PREPROC; return(DELETEALL); }
get { PREPROC; return(GET); }
flush { PREPROC; return(FLUSH); }
dump { PREPROC; return(DUMP); }
add { return(ADD); }
delete { return(DELETE); }
deleteall { return(DELETEALL); }
get { return(GET); }
flush { return(FLUSH); }
dump { return(DUMP); }
/* for management SPD */
spdadd { PREPROC; return(SPDADD); }
spddelete { PREPROC; return(SPDDELETE); }
spddump { PREPROC; return(SPDDUMP); }
spdflush { PREPROC; return(SPDFLUSH); }
{hyphen}P { BEGIN S_PL; PREPROC; return(F_POLICY); }
<S_PL>[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.\-_/ \n\t]* {
yymore();
spdadd { return(SPDADD); }
spddelete { return(SPDDELETE); }
spddump { return(SPDDUMP); }
spdflush { return(SPDFLUSH); }
tagged { return(TAGGED); }
{hyphen}P { BEGIN S_PL; return(F_POLICY); }
<S_PL>[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.%\-_/ \n\t]* {
yymore();
/* count up for nl */
{
char *p;
for (p = yytext; *p != NULL; p++)
if (*p == '\n')
lineno++;
}
/* count up for nl */
{
char *p;
for (p = yytext; *p != NULL; p++)
if (*p == '\n')
lineno++;
}
yylval.val.len = strlen(yytext);
yylval.val.buf = strdup(yytext);
yylval.val.len = strlen(yytext);
yylval.val.buf = strdup(yytext);
if (!yylval.val.buf)
yyfatal("insufficient memory");
return(PL_REQUESTS);
}
<S_PL>{semi} { PREPROC; BEGIN INITIAL; return(EOT); }
return(PL_REQUESTS);
}
<S_PL>{semi} { BEGIN INITIAL; return(EOT); }
/* address resolution flags */
{hyphen}[n46][n46]* {
yylval.val.len = strlen(yytext);
yylval.val.buf = strdup(yytext);
if (!yylval.val.buf)
yyfatal("insufficient memory");
return(F_AIFLAGS);
}
/* security protocols */
ah { PREPROC; yylval.num = 0; return(PR_AH); }
esp { PREPROC; yylval.num = 0; return(PR_ESP); }
ah-old { PREPROC; yylval.num = 1; return(PR_AH); }
esp-old { PREPROC; yylval.num = 1; return(PR_ESP); }
ipcomp { PREPROC; yylval.num = 0; return(PR_IPCOMP); }
ah { yylval.num = 0; return(PR_AH); }
esp { yylval.num = 0; return(PR_ESP); }
ah-old { yylval.num = 1; return(PR_AH); }
esp-old { yylval.num = 1; return(PR_ESP); }
ipcomp { yylval.num = 0; return(PR_IPCOMP); }
/* authentication alogorithm */
{hyphen}A { PREPROC; return(F_AUTH); }
hmac-md5 { PREPROC; yylval.num = SADB_AALG_MD5HMAC; return(ALG_AUTH); }
hmac-sha1 { PREPROC; yylval.num = SADB_AALG_SHA1HMAC; return(ALG_AUTH); }
keyed-md5 { PREPROC; yylval.num = SADB_X_AALG_MD5; return(ALG_AUTH); }
keyed-sha1 { PREPROC; yylval.num = SADB_X_AALG_SHA; return(ALG_AUTH); }
hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); }
hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); }
hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); }
hmac-ripemd160 { PREPROC; yylval.num = SADB_X_AALG_RIPEMD160HMAC; return(ALG_AUTH); }
aes-xcbc-mac { PREPROC; yylval.num = SADB_X_AALG_AES_XCBC_MAC; return(ALG_AUTH); }
null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); }
{hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); }
<S_AUTHALG>hmac-md5 { yylval.num = SADB_AALG_MD5HMAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-sha1 { yylval.num = SADB_AALG_SHA1HMAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>keyed-md5 { yylval.num = SADB_X_AALG_MD5; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>keyed-sha1 { yylval.num = SADB_X_AALG_SHA; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-sha2-256 { yylval.num = SADB_X_AALG_SHA2_256; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-sha2-384 { yylval.num = SADB_X_AALG_SHA2_384; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-sha2-512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-ripemd160 { yylval.num = SADB_X_AALG_RIPEMD160HMAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>aes-xcbc-mac { yylval.num = SADB_X_AALG_AES_XCBC_MAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>null { yylval.num = SADB_X_AALG_NULL; BEGIN INITIAL; return(ALG_AUTH_NOKEY); }
/* encryption alogorithm */
{hyphen}E { PREPROC; return(F_ENC); }
des-cbc { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC); }
3des-cbc { PREPROC; yylval.num = SADB_EALG_3DESCBC; return(ALG_ENC); }
simple { PREPROC; yylval.num = SADB_EALG_NULL; return(ALG_ENC); }
blowfish-cbc { PREPROC; yylval.num = SADB_X_EALG_BLOWFISHCBC; return(ALG_ENC); }
cast128-cbc { PREPROC; yylval.num = SADB_X_EALG_CAST128CBC; return(ALG_ENC); }
des-deriv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DESDERIV); }
des-32iv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DES32IV); }
rijndael-cbc { PREPROC; yylval.num = SADB_X_EALG_RIJNDAELCBC; return(ALG_ENC); }
aes-ctr { PREPROC; yylval.num = SADB_X_EALG_AESCTR; return(ALG_ENC); }
{hyphen}E { BEGIN S_ENCALG; return(F_ENC); }
<S_ENCALG>des-cbc { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC); }
<S_ENCALG>3des-cbc { yylval.num = SADB_EALG_3DESCBC; BEGIN INITIAL; return(ALG_ENC); }
<S_ENCALG>null { yylval.num = SADB_EALG_NULL; BEGIN INITIAL; return(ALG_ENC_NOKEY); }
<S_ENCALG>simple { yylval.num = SADB_EALG_NULL; BEGIN INITIAL; return(ALG_ENC_OLD); }
<S_ENCALG>blowfish-cbc { yylval.num = SADB_X_EALG_BLOWFISHCBC; BEGIN INITIAL; return(ALG_ENC); }
<S_ENCALG>cast128-cbc { yylval.num = SADB_X_EALG_CAST128CBC; BEGIN INITIAL; return(ALG_ENC); }
<S_ENCALG>des-deriv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DESDERIV); }
<S_ENCALG>des-32iv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DES32IV); }
<S_ENCALG>rijndael-cbc { yylval.num = SADB_X_EALG_RIJNDAELCBC; BEGIN INITIAL; return(ALG_ENC); }
<S_ENCALG>aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC); }
/* compression algorithms */
{hyphen}C { PREPROC; return(F_COMP); }
oui { PREPROC; yylval.num = SADB_X_CALG_OUI; return(ALG_COMP); }
deflate { PREPROC; yylval.num = SADB_X_CALG_DEFLATE; return(ALG_COMP); }
lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
{hyphen}R { PREPROC; return(F_RAWCPI); }
{hyphen}C { return(F_COMP); }
oui { yylval.num = SADB_X_CALG_OUI; return(ALG_COMP); }
deflate { yylval.num = SADB_X_CALG_DEFLATE; return(ALG_COMP); }
lzs { yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
{hyphen}R { return(F_RAWCPI); }
/* extension */
{hyphen}m { PREPROC; return(F_MODE); }
transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
{hyphen}u { PREPROC; return(F_REQID); }
{hyphen}f { PREPROC; return(F_EXT); }
random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
{hyphen}r { PREPROC; return(F_REPLAY); }
{hyphen}lh { PREPROC; return(F_LIFETIME_HARD); }
{hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); }
{hyphen}m { return(F_MODE); }
transport { yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
tunnel { yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
{hyphen}u { return(F_REQID); }
{hyphen}f { return(F_EXT); }
random-pad { yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
seq-pad { yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
zero-pad { yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
nocyclic-seq { return(NOCYCLICSEQ); }
{hyphen}r { return(F_REPLAY); }
{hyphen}lh { return(F_LIFETIME_HARD); }
{hyphen}ls { return(F_LIFETIME_SOFT); }
/* ... */
any { PREPROC; return(ANY); }
{ws} { PREPROC; }
any { return(ANY); }
{ws} { }
{nl} { lineno++; }
{comment}
{semi} { PREPROC; return(EOT); }
{semi} { return(EOT); }
/* for address parameters: /prefix, [port] */
{slash} { return SLASH; }
{blcl} { return BLCL; }
{elcl} { return ELCL; }
/* parameter */
{decstring} {
char *bp;
PREPROC;
yylval.num = strtoul(yytext, &bp, 10);
yylval.ulnum = strtoul(yytext, &bp, 10);
return(DECSTRING);
}
{ipaddress} {
PREPROC;
yylval.val.len = yyleng;
yylval.val.buf = strdup(yytext);
return(ADDRESS);
}
{ipaddrmask} {
PREPROC;
yytext++;
yylval.num = atoi(yytext);
return(PREFIX);
}
{ipaddrport} {
char *p = yytext;
PREPROC;
while (*++p != ']') ;
*p = NULL;
yytext++;
yylval.num = atoi(yytext);
return(PORT);
}
{blcl}any{elcl} {
PREPROC;
return(PORTANY);
}
{hexstring} {
int len = yyleng - 2; /* (str - "0x") */
PREPROC;
yylval.val.len = (len & 1) + (len / 2);
/* fixed string if length is odd. */
if (len & 1) {
yytext[1] = '0';
yylval.val.buf = strdup(yytext + 1);
} else
yylval.val.buf = strdup(yytext + 2);
yylval.val.buf = strdup(yytext + 2);
if (!yylval.val.buf)
yyfatal("insufficient memory");
yylval.val.len = strlen(yylval.val.buf);
return(HEXSTRING);
}
{quotedstring} {
char *p = yytext;
PREPROC;
while (*++p != '"') ;
*p = NULL;
yytext++;
yylval.val.len = yyleng - 2;
yylval.val.buf = strdup(yytext);
if (!yylval.val.buf)
yyfatal("insufficient memory");
return(QUOTEDSTRING);
}
[a-z0-9.\-]* {
[A-Za-z0-9:][A-Za-z0-9:%\.-]* {
yylval.val.len = yyleng;
yylval.val.buf = strdup(yytext);
if (!yylval.val.buf)
yyfatal("insufficient memory");
return(STRING);
}
[0-9,]+ {
yylval.val.len = yyleng;
yylval.val.buf = strdup(yytext);
if (!yylval.val.buf)
yyfatal("insufficient memory");
return(STRING);
}
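Review bot: The `{decstring}` rule stores `strtoul(yytext, &bp, 10)` into `yylval.ulnum` without checking for overflow, so a decimal literal larger than ULONG_MAX is silently clamped to ULONG_MAX (with errno set to ERANGE) and flows on as an SPI, port, reqid or lifetime value; `bp` is never examined either, which is harmless because the pattern is `{digit}+` but leaves a dead variable. Since `<errno.h>` is already included, the rule can reject the overflow: `errno = 0;` before the call and `if (errno == ERANGE) yyfatal("decimal number out of range");` after it. Separately, the re-indented `<S_PL>` rule and the `{quotedstring}` rule compare or assign a `char` against `NULL` (`*p != NULL`, `*p = NULL`); `NULL` is a pointer constant, so these should be `'\0'`.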