Gitiles
Code Review Sign In
code.illumos.org / illumos-gate / 5d3b8cb7141cfa596d20cdc5043b8a6df635938d / . / usr / src / cmd / cmd-inet / usr.sbin / ipsecutils / ipseckey.c
blob: 24f3410dde6a3614925e55e06b47d05a487c904b [file] [log] [blame]
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* NOTE:I'm trying to use "struct sadb_foo" instead of "sadb_foo_t"
* as a maximal PF_KEY portability test.
*
* Also, this is a deliberately single-threaded app, also for portability
* to systems without POSIX threads.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/sysmacros.h>
#include <sys/fcntl.h>
#include <net/pfkeyv2.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/uio.h>
#include <syslog.h>
#include <signal.h>
#include <unistd.h>
#include <limits.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdarg.h>
#include <netdb.h>
#include <pwd.h>
#include <errno.h>
#include <libintl.h>
#include <locale.h>
#include <fcntl.h>
#include <strings.h>
#include <ctype.h>
#include <sys/cladm.h>
#include <ipsec_util.h>
static int keysock;
static int cluster_socket;
static uint32_t seq;
static pid_t mypid;
static boolean_t vflag = B_FALSE; /* Verbose? */
static boolean_t cflag = B_FALSE; /* Check Only */
char *my_fmri = NULL;
FILE *debugfile = stdout;
static struct sockaddr_in cli_addr;
static boolean_t in_cluster_mode = B_FALSE;
#define MAX_GET_SIZE 1024
/*
* WARN() and ERROR() do the same thing really, with ERROR() the function
* that prints the error buffer needs to be called at the end of a code block
* This will print out all accumulated errors before bailing. The WARN()
* macro calls handle_errors() in such a way that it prints the message
* then continues.
* If the FATAL() macro used call handle_errors() immediately.
*/
#define ERROR(x, y, z) x = record_error(x, y, z)
#define ERROR1(w, x, y, z) w = record_error(w, x, y, z)
#define ERROR2(v, w, x, y, z) v = record_error(v, w, x, y, z)
#define WARN(x, y, z) ERROR(x, y, z);\
handle_errors(x, NULL, B_FALSE, B_FALSE); x = NULL
#define WARN1(w, x, y, z) ERROR1(w, x, y, z);\
handle_errors(w, NULL, B_FALSE, B_FALSE); w = NULL
#define WARN2(v, w, x, y, z) ERROR2(v, w, x, y, z);\
handle_errors(v, NULL, B_FALSE, B_FALSE); v = NULL
#define FATAL(x, y, z) ERROR(x, y, z);\
handle_errors(x, y, B_TRUE, B_TRUE)
#define FATAL1(w, x, y, z) ERROR1(w, x, y, z);\
handle_errors(w, x, B_TRUE, B_TRUE)
/* Defined as a uint64_t array for alignment purposes. */
static uint64_t get_buffer[MAX_GET_SIZE];
/*
* Disable default TAB completion for now (until some brave soul tackles it).
*/
/* ARGSUSED */
static
CPL_MATCH_FN(no_match)
{
return (0);
}
/*
* Create/Grow a buffer large enough to hold error messages. If *ebuf
* is not NULL then it will contain a copy of the command line that
* triggered the error/warning, copy this into a new buffer or
* append new messages to the existing buffer.
*/
/*PRINTFLIKE1*/
char *
record_error(char *ep, char *ebuf, char *fmt, ...)
{
char *err_ptr;
char tmp_buff[1024];
va_list ap;
int length = 0;
err_ptr = ep;
va_start(ap, fmt);
length = vsnprintf(tmp_buff, sizeof (tmp_buff), fmt, ap);
va_end(ap);
/* There is a new line character */
length++;
if (ep == NULL) {
if (ebuf != NULL)
length += strlen(ebuf);
} else {
length += strlen(ep);
}
if (err_ptr == NULL)
err_ptr = calloc(length, sizeof (char));
else
err_ptr = realloc(err_ptr, length);
if (err_ptr == NULL)
Bail("realloc() failure");
/*
* If (ep == NULL) then this is the first error to record,
* copy in the command line that triggered this error/warning.
*/
if (ep == NULL && ebuf != NULL)
(void) strlcpy(err_ptr, ebuf, length);
/*
* Now the actual error.
*/
(void) strlcat(err_ptr, tmp_buff, length);
return (err_ptr);
}
/*
* If not in interactive mode print usage message and exit.
*/
static void
usage(void)
{
if (!interactive) {
(void) fprintf(stderr, gettext("Usage:\t"
"ipseckey [ -nvp ] | cmd [sa_type] [extfield value]*\n"));
(void) fprintf(stderr,
gettext("\tipseckey [ -nvp ] -f infile\n"));
(void) fprintf(stderr,
gettext("\tipseckey [ -nvp ] -s outfile\n"));
EXIT_FATAL(NULL);
} else {
(void) fprintf(stderr,
gettext("Type help or ? for usage info\n"));
}
}
/*
* Print out any errors, tidy up as required.
* error pointer ep will be free()'d
*/
void
handle_errors(char *ep, char *ebuf, boolean_t fatal, boolean_t done)
{
if (ep != NULL) {
if (my_fmri == NULL) {
/*
* For now suppress the errors when run from smf(5)
* because potentially sensitive information could
* end up in a publicly readable logfile.
*/
(void) fprintf(stdout, "%s\n", ep);
(void) fflush(stdout);
}
free(ep);
if (fatal) {
if (ebuf != NULL) {
free(ebuf);
}
/* reset command buffer */
if (interactive)
longjmp(env, 1);
} else {
return;
}
} else {
/*
* No errors, if this is the last time that this function
* is called, free(ebuf) and reset command buffer.
*/
if (done) {
if (ebuf != NULL) {
free(ebuf);
}
/* reset command buffer */
if (interactive)
longjmp(env, 1);
}
return;
}
EXIT_FATAL(NULL);
}
/*
* Initialize a PF_KEY base message.
*/
static void
msg_init(struct sadb_msg *msg, uint8_t type, uint8_t satype)
{
msg->sadb_msg_version = PF_KEY_V2;
msg->sadb_msg_type = type;
msg->sadb_msg_errno = 0;
msg->sadb_msg_satype = satype;
/* For starters... */
msg->sadb_msg_len = SADB_8TO64(sizeof (*msg));
msg->sadb_msg_reserved = 0;
msg->sadb_msg_seq = ++seq;
msg->sadb_msg_pid = mypid;
}
/*
* parseXXX and rparseXXX commands parse input and convert them to PF_KEY
* field values, or do the reverse for the purposes of saving the SA tables.
* (See the save_XXX functions.)
*/
#define CMD_NONE 0
#define CMD_UPDATE 2
#define CMD_UPDATE_PAIR 3
#define CMD_ADD 4
#define CMD_DELETE 5
#define CMD_DELETE_PAIR 6
#define CMD_GET 7
#define CMD_FLUSH 9
#define CMD_DUMP 10
#define CMD_MONITOR 11
#define CMD_PMONITOR 12
#define CMD_QUIT 13
#define CMD_SAVE 14
#define CMD_HELP 15
/*
* Parse the command.
*/
static int
parsecmd(char *cmdstr)
{
static struct cmdtable {
char *cmd;
int token;
} table[] = {
/*
* Q: Do we want to do GETSPI?
* A: No, it's for automated key mgmt. only. Either that,
* or it isn't relevant until we support non IPsec SA types.
*/
{"update", CMD_UPDATE},
{"update-pair", CMD_UPDATE_PAIR},
{"add", CMD_ADD},
{"delete", CMD_DELETE},
{"delete-pair", CMD_DELETE_PAIR},
{"get", CMD_GET},
/*
* Q: And ACQUIRE and REGISTER and EXPIRE?
* A: not until we support non IPsec SA types.
*/
{"flush", CMD_FLUSH},
{"dump", CMD_DUMP},
{"monitor", CMD_MONITOR},
{"passive_monitor", CMD_PMONITOR},
{"pmonitor", CMD_PMONITOR},
{"quit", CMD_QUIT},
{"exit", CMD_QUIT},
{"save", CMD_SAVE},
{"help", CMD_HELP},
{"?", CMD_HELP},
{NULL, CMD_NONE}
};
struct cmdtable *ct = table;
while (ct->cmd != NULL && strcmp(ct->cmd, cmdstr) != 0)
ct++;
return (ct->token);
}
/*
* Convert a number from a command line. I picked "u_longlong_t" for the
* number because we need the largest number available. Also, the strto<num>
* calls don't deal in units of uintNN_t.
*/
static u_longlong_t
parsenum(char *num, boolean_t bail, char *ebuf)
{
u_longlong_t rc = 0;
char *end = NULL;
char *ep = NULL;
if (num == NULL) {
FATAL(ep, ebuf, gettext("Unexpected end of command line,"
" was expecting a number.\n"));
/* NOTREACHED */
}
errno = 0;
rc = strtoull(num, &end, 0);
if (errno != 0 || end == num || *end != '\0') {
if (bail) {
FATAL1(ep, ebuf, gettext(
"Expecting a number, not \"%s\"!\n"), num);
} else {
/*
* -1, while not optimal, is sufficiently out of range
* for most of this function's applications when
* we don't just bail.
*/
return ((u_longlong_t)-1);
}
}
handle_errors(ep, NULL, B_FALSE, B_FALSE);
return (rc);
}
/*
* Parse and reverse parse a specific SA type (AH, ESP, etc.).
*/
static struct typetable {
char *type;
int token;
} type_table[] = {
{"all", SADB_SATYPE_UNSPEC},
{"ah", SADB_SATYPE_AH},
{"esp", SADB_SATYPE_ESP},
/* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */
{NULL, 0} /* Token value is irrelevant for this entry. */
};
static int
parsesatype(char *type, char *ebuf)
{
struct typetable *tt = type_table;
char *ep = NULL;
if (type == NULL)
return (SADB_SATYPE_UNSPEC);
while (tt->type != NULL && strcasecmp(tt->type, type) != 0)
tt++;
/*
* New SA types (including ones keysock maintains for user-land
* protocols) may be added, so parse a numeric value if possible.
*/
if (tt->type == NULL) {
tt->token = (int)parsenum(type, B_FALSE, ebuf);
if (tt->token == -1) {
ERROR1(ep, ebuf, gettext(
"Unknown SA type (%s).\n"), type);
tt->token = SADB_SATYPE_UNSPEC;
}
}
handle_errors(ep, NULL, interactive ? B_TRUE : B_FALSE, B_FALSE);
return (tt->token);
}
#define NEXTEOF 0
#define NEXTNONE 1
#define NEXTNUM 2
#define NEXTSTR 3
#define NEXTNUMSTR 4
#define NEXTADDR 5
#define NEXTHEX 6
#define NEXTIDENT 7
#define NEXTADDR4 8
#define NEXTADDR6 9
#define NEXTLABEL 10
#define TOK_EOF 0
#define TOK_UNKNOWN 1
#define TOK_SPI 2
#define TOK_REPLAY 3
#define TOK_STATE 4
#define TOK_AUTHALG 5
#define TOK_ENCRALG 6
#define TOK_FLAGS 7
#define TOK_SOFT_ALLOC 8
#define TOK_SOFT_BYTES 9
#define TOK_SOFT_ADDTIME 10
#define TOK_SOFT_USETIME 11
#define TOK_HARD_ALLOC 12
#define TOK_HARD_BYTES 13
#define TOK_HARD_ADDTIME 14
#define TOK_HARD_USETIME 15
#define TOK_CURRENT_ALLOC 16
#define TOK_CURRENT_BYTES 17
#define TOK_CURRENT_ADDTIME 18
#define TOK_CURRENT_USETIME 19
#define TOK_SRCADDR 20
#define TOK_DSTADDR 21
#define TOK_PROXYADDR 22
#define TOK_AUTHKEY 23
#define TOK_ENCRKEY 24
#define TOK_SRCIDTYPE 25
#define TOK_DSTIDTYPE 26
#define TOK_DPD 27
#define TOK_SENS_LEVEL 28
#define TOK_SENS_MAP 29
#define TOK_INTEG_LEVEL 30
#define TOK_INTEG_MAP 31
#define TOK_SRCADDR6 32
#define TOK_DSTADDR6 33
#define TOK_PROXYADDR6 34
#define TOK_SRCPORT 35
#define TOK_DSTPORT 36
#define TOK_PROTO 37
#define TOK_ENCAP 38
#define TOK_NATLOC 39
#define TOK_NATREM 40
#define TOK_NATLPORT 41
#define TOK_NATRPORT 42
#define TOK_IPROTO 43
#define TOK_IDSTADDR 44
#define TOK_IDSTADDR6 45
#define TOK_ISRCPORT 46
#define TOK_IDSTPORT 47
#define TOK_PAIR_SPI 48
#define TOK_FLAG_INBOUND 49
#define TOK_FLAG_OUTBOUND 50
#define TOK_REPLAY_VALUE 51
#define TOK_IDLE_ADDTIME 52
#define TOK_IDLE_USETIME 53
#define TOK_RESERVED 54
#define TOK_LABEL 55
#define TOK_OLABEL 56
#define TOK_IMPLABEL 57
static struct toktable {
char *string;
int token;
int next;
} tokens[] = {
/* "String", token value, next arg is */
{"spi", TOK_SPI, NEXTNUM},
{"pair-spi", TOK_PAIR_SPI, NEXTNUM},
{"replay", TOK_REPLAY, NEXTNUM},
{"state", TOK_STATE, NEXTNUMSTR},
{"auth_alg", TOK_AUTHALG, NEXTNUMSTR},
{"authalg", TOK_AUTHALG, NEXTNUMSTR},
{"encr_alg", TOK_ENCRALG, NEXTNUMSTR},
{"encralg", TOK_ENCRALG, NEXTNUMSTR},
{"flags", TOK_FLAGS, NEXTNUM},
{"soft_alloc", TOK_SOFT_ALLOC, NEXTNUM},
{"soft_bytes", TOK_SOFT_BYTES, NEXTNUM},
{"soft_addtime", TOK_SOFT_ADDTIME, NEXTNUM},
{"soft_usetime", TOK_SOFT_USETIME, NEXTNUM},
{"hard_alloc", TOK_HARD_ALLOC, NEXTNUM},
{"hard_bytes", TOK_HARD_BYTES, NEXTNUM},
{"hard_addtime", TOK_HARD_ADDTIME, NEXTNUM},
{"hard_usetime", TOK_HARD_USETIME, NEXTNUM},
{"current_alloc", TOK_CURRENT_ALLOC, NEXTNUM},
{"current_bytes", TOK_CURRENT_BYTES, NEXTNUM},
{"current_addtime", TOK_CURRENT_ADDTIME, NEXTNUM},
{"current_usetime", TOK_CURRENT_USETIME, NEXTNUM},
{"saddr", TOK_SRCADDR, NEXTADDR},
{"srcaddr", TOK_SRCADDR, NEXTADDR},
{"src", TOK_SRCADDR, NEXTADDR},
{"daddr", TOK_DSTADDR, NEXTADDR},
{"dstaddr", TOK_DSTADDR, NEXTADDR},
{"dst", TOK_DSTADDR, NEXTADDR},
{"proxyaddr", TOK_PROXYADDR, NEXTADDR},
{"proxy", TOK_PROXYADDR, NEXTADDR},
{"innersrc", TOK_PROXYADDR, NEXTADDR},
{"isrc", TOK_PROXYADDR, NEXTADDR},
{"innerdst", TOK_IDSTADDR, NEXTADDR},
{"idst", TOK_IDSTADDR, NEXTADDR},
{"sport", TOK_SRCPORT, NEXTNUM},
{"dport", TOK_DSTPORT, NEXTNUM},
{"innersport", TOK_ISRCPORT, NEXTNUM},
{"isport", TOK_ISRCPORT, NEXTNUM},
{"innerdport", TOK_IDSTPORT, NEXTNUM},
{"idport", TOK_IDSTPORT, NEXTNUM},
{"proto", TOK_PROTO, NEXTNUM},
{"ulp", TOK_PROTO, NEXTNUM},
{"iproto", TOK_IPROTO, NEXTNUM},
{"iulp", TOK_IPROTO, NEXTNUM},
{"saddr6", TOK_SRCADDR6, NEXTADDR},
{"srcaddr6", TOK_SRCADDR6, NEXTADDR},
{"src6", TOK_SRCADDR6, NEXTADDR},
{"daddr6", TOK_DSTADDR6, NEXTADDR},
{"dstaddr6", TOK_DSTADDR6, NEXTADDR},
{"dst6", TOK_DSTADDR6, NEXTADDR},
{"proxyaddr6", TOK_PROXYADDR6, NEXTADDR},
{"proxy6", TOK_PROXYADDR6, NEXTADDR},
{"innersrc6", TOK_PROXYADDR6, NEXTADDR},
{"isrc6", TOK_PROXYADDR6, NEXTADDR},
{"innerdst6", TOK_IDSTADDR6, NEXTADDR},
{"idst6", TOK_IDSTADDR6, NEXTADDR},
{"authkey", TOK_AUTHKEY, NEXTHEX},
{"encrkey", TOK_ENCRKEY, NEXTHEX},
{"srcidtype", TOK_SRCIDTYPE, NEXTIDENT},
{"dstidtype", TOK_DSTIDTYPE, NEXTIDENT},
{"dpd", TOK_DPD, NEXTNUM},
{"sens_level", TOK_SENS_LEVEL, NEXTNUM},
{"sens_map", TOK_SENS_MAP, NEXTHEX},
{"integ_level", TOK_INTEG_LEVEL, NEXTNUM},
{"integ_map", TOK_INTEG_MAP, NEXTHEX},
{"nat_loc", TOK_NATLOC, NEXTADDR},
{"nat_rem", TOK_NATREM, NEXTADDR},
{"nat_lport", TOK_NATLPORT, NEXTNUM},
{"nat_rport", TOK_NATRPORT, NEXTNUM},
{"encap", TOK_ENCAP, NEXTNUMSTR},
{"outbound", TOK_FLAG_OUTBOUND, NULL},
{"inbound", TOK_FLAG_INBOUND, NULL},
{"reserved_bits", TOK_RESERVED, NEXTNUM},
{"replay_value", TOK_REPLAY_VALUE, NEXTNUM},
{"idle_addtime", TOK_IDLE_ADDTIME, NEXTNUM},
{"idle_usetime", TOK_IDLE_USETIME, NEXTNUM},
{"label", TOK_LABEL, NEXTLABEL},
{"outer-label", TOK_OLABEL, NEXTLABEL},
{"implicit-label", TOK_IMPLABEL, NEXTLABEL},
{NULL, TOK_UNKNOWN, NEXTEOF}
};
/*
* Q: Do I need stuff for proposals, combinations, supported algorithms,
* or SPI ranges?
*
* A: Probably not, but you never know.
*
* Parse out extension header type values.
*/
static int
parseextval(char *value, int *next)
{
struct toktable *tp;
if (value == NULL)
return (TOK_EOF);
for (tp = tokens; tp->string != NULL; tp++)
if (strcmp(value, tp->string) == 0)
break;
/*
* Since the OS controls what extensions are available, we don't have
* to parse numeric values here.
*/
*next = tp->next;
return (tp->token);
}
/*
* Parse possible state values.
*/
static uint8_t
parsestate(char *state, char *ebuf)
{
struct states {
char *state;
uint8_t retval;
} states[] = {
{"larval", SADB_SASTATE_LARVAL},
{"mature", SADB_SASTATE_MATURE},
{"dying", SADB_SASTATE_DYING},
{"dead", SADB_SASTATE_DEAD},
{NULL, 0}
};
struct states *sp;
char *ep = NULL;
if (state == NULL) {
FATAL(ep, ebuf, "Unexpected end of command line "
"was expecting a state.\n");
}
for (sp = states; sp->state != NULL; sp++) {
if (strcmp(sp->state, state) == 0)
return (sp->retval);
}
ERROR1(ep, ebuf, gettext("Unknown state type \"%s\"\n"), state);
handle_errors(ep, NULL, B_FALSE, B_FALSE);
return (0);
}
/*
* Return the numerical algorithm identifier corresponding to the specified
* algorithm name.
*/
static uint8_t
parsealg(char *alg, int proto_num, char *ebuf)
{
u_longlong_t invalue;
struct ipsecalgent *algent;
char *ep = NULL;
if (alg == NULL) {
FATAL(ep, ebuf, gettext("Unexpected end of command line, "
"was expecting an algorithm name.\n"));
}
algent = getipsecalgbyname(alg, proto_num, NULL);
if (algent != NULL) {
uint8_t alg_num;
alg_num = algent->a_alg_num;
if (ALG_FLAG_COUNTERMODE & algent->a_alg_flags)
WARN1(ep, ebuf, gettext(
"Using manual keying with a Counter mode algorithm "
"such as \"%s\" may be insecure!\n"),
algent->a_names[0]);
freeipsecalgent(algent);
return (alg_num);
}
/*
* Since algorithms can be loaded during kernel run-time, check for
* numeric algorithm values too. PF_KEY can catch bad ones with EINVAL.
*/
invalue = parsenum(alg, B_FALSE, ebuf);
if (invalue != (u_longlong_t)-1 &&
(u_longlong_t)(invalue & (u_longlong_t)0xff) == invalue)
return ((uint8_t)invalue);
if (proto_num == IPSEC_PROTO_ESP) {
ERROR1(ep, ebuf, gettext(
"Unknown encryption algorithm type \"%s\"\n"), alg);
} else {
ERROR1(ep, ebuf, gettext(
"Unknown authentication algorithm type \"%s\"\n"), alg);
}
handle_errors(ep, NULL, B_FALSE, B_FALSE);
return (0);
}
/*
* Parse and reverse parse out a source/destination ID type.
*/
static struct idtypes {
char *idtype;
uint8_t retval;
} idtypes[] = {
{"prefix", SADB_IDENTTYPE_PREFIX},
{"fqdn", SADB_IDENTTYPE_FQDN},
{"domain", SADB_IDENTTYPE_FQDN},
{"domainname", SADB_IDENTTYPE_FQDN},
{"user_fqdn", SADB_IDENTTYPE_USER_FQDN},
{"mailbox", SADB_IDENTTYPE_USER_FQDN},
{"der_dn", SADB_X_IDENTTYPE_DN},
{"der_gn", SADB_X_IDENTTYPE_GN},
{NULL, 0}
};
static uint16_t
parseidtype(char *type, char *ebuf)
{
struct idtypes *idp;
u_longlong_t invalue;
char *ep = NULL;
if (type == NULL) {
/* Shouldn't reach here, see callers for why. */
FATAL(ep, ebuf, gettext("Unexpected end of command line, "
"was expecting a type.\n"));
}
for (idp = idtypes; idp->idtype != NULL; idp++) {
if (strcasecmp(idp->idtype, type) == 0)
return (idp->retval);
}
/*
* Since identity types are almost arbitrary, check for numeric
* algorithm values too. PF_KEY can catch bad ones with EINVAL.
*/
invalue = parsenum(type, B_FALSE, ebuf);
if (invalue != (u_longlong_t)-1 &&
(u_longlong_t)(invalue & (u_longlong_t)0xffff) == invalue)
return ((uint16_t)invalue);
ERROR1(ep, ebuf, gettext("Unknown identity type \"%s\"\n"), type);
handle_errors(ep, NULL, B_FALSE, B_FALSE);
return (0);
}
/*
* Parse an address off the command line. Return length of sockaddr,
* and either return a hostent pointer (caller frees). The new
* getipnodebyname() call does the Right Thing (TM), even with
* raw addresses (colon-separated IPv6 or dotted decimal IPv4).
*/
static struct {
struct hostent he;
char *addtl[2];
} dummy;
static union {
struct in6_addr ipv6;
struct in_addr ipv4;
uint64_t aligner;
} addr1;
static int
parseaddr(char *addr, struct hostent **hpp, boolean_t v6only, char *ebuf)
{
int hp_errno;
struct hostent *hp = NULL;
char *ep = NULL;
if (addr == NULL) {
FATAL(ep, ebuf, gettext("Unexpected end of command line, "
"was expecting an address.\n"));
}
if (!nflag) {
/*
* Try name->address first. Assume AF_INET6, and
* get IPv4's, plus IPv6's if and only if IPv6 is configured.
* This means to add IPv6 SAs, you must have IPv6
* up-and-running. (AI_DEFAULT works here.)
*/
hp = getipnodebyname(addr, AF_INET6,
(v6only ? AI_ADDRCONFIG : (AI_DEFAULT | AI_ALL)),
&hp_errno);
} else {
/*
* Try a normal address conversion only. Use "dummy"
* to construct a fake hostent. Caller will know not
* to free this one.
*/
if (inet_pton(AF_INET6, addr, &addr1) == 1) {
dummy.he.h_addr_list = dummy.addtl;
dummy.addtl[0] = (char *)&addr1;
dummy.addtl[1] = NULL;
hp = &dummy.he;
dummy.he.h_addrtype = AF_INET6;
dummy.he.h_length = sizeof (struct in6_addr);
} else if (inet_pton(AF_INET, addr, &addr1) == 1) {
/*
* Remap to AF_INET6 anyway.
*/
dummy.he.h_addr_list = dummy.addtl;
dummy.addtl[0] = (char *)&addr1;
dummy.addtl[1] = NULL;
hp = &dummy.he;
dummy.he.h_addrtype = AF_INET6;
dummy.he.h_length = sizeof (struct in6_addr);
/*
* NOTE: If macro changes to disallow in-place
* conversion, rewhack this.
*/
IN6_INADDR_TO_V4MAPPED(&addr1.ipv4, &addr1.ipv6);
} else {
hp = NULL;
}
}
if (hp == NULL)
WARN1(ep, ebuf, gettext("Unknown address %s."), addr);
*hpp = hp;
/* Always return sockaddr_in6 for now. */
handle_errors(ep, NULL, B_FALSE, B_FALSE);
return (sizeof (struct sockaddr_in6));
}
/*
* Parse a hex character for a key. A string will take the form:
* xxxxxxxxx/nn
* where
* xxxxxxxxx == a string of hex characters ([0-9][a-f][A-F])
* nn == an optional decimal "mask". If it is not present, it
* is assumed that the hex string will be rounded to the nearest
* byte, where odd nibbles, like 123 will become 0x0123.
*
* NOTE:Unlike the expression of IP addresses, I will not allow an
* excessive "mask". For example 2112/50 is very illegal.
* NOTE2: This key should be in canonical order. Consult your man
* pages per algorithm about said order.
*/
#define hd2num(hd) (((hd) >= '0' && (hd) <= '9') ? ((hd) - '0') : \
(((hd) >= 'a' && (hd) <= 'f') ? ((hd) - 'a' + 10) : ((hd) - 'A' + 10)))
static struct sadb_key *
parsekey(char *input, char *ebuf, uint_t reserved_bits)
{
struct sadb_key *retval;
uint_t i, hexlen = 0, bits, alloclen;
uint8_t *key;
char *ep = NULL;
if (input == NULL) {
FATAL(ep, ebuf, gettext("Unexpected end of command line, "
"was expecting a key.\n"));
}
/* Allow hex values prepended with 0x convention */
if ((strnlen(input, sizeof (hexlen)) > 2) &&
(strncasecmp(input, "0x", 2) == 0))
input += 2;
for (i = 0; input[i] != '\0' && input[i] != '/'; i++)
hexlen++;
if (input[i] == '\0') {
bits = 0;
} else {
/* Have /nn. */
input[i] = '\0';
if (sscanf((input + i + 1), "%u", &bits) != 1) {
FATAL1(ep, ebuf, gettext(
"\"%s\" is not a bit specifier.\n"),
(input + i + 1));
}
/* hexlen in nibbles */
if (((bits + 3) >> 2) > hexlen) {
ERROR2(ep, ebuf, gettext(
"bit length %d is too big for %s.\n"), bits, input);
}
/*
* Adjust hexlen down if user gave us too small of a bit
* count.
*/
if ((hexlen << 2) > bits + 3) {
WARN2(ep, ebuf, gettext(
"WARNING: Lower bits will be truncated "
"for:\n\t%s/%d.\n"), input, bits);
hexlen = (bits + 3) >> 2;
input[hexlen] = '\0';
}
}
/*
* Allocate. Remember, hexlen is in nibbles.
*/
alloclen = sizeof (*retval) + roundup((hexlen/2 + (hexlen & 0x1)), 8);
retval = malloc(alloclen);
if (retval == NULL)
Bail("malloc(parsekey)");
retval->sadb_key_len = SADB_8TO64(alloclen);
retval->sadb_key_reserved = reserved_bits;
if (bits == 0)
retval->sadb_key_bits = (hexlen + (hexlen & 0x1)) << 2;
else
retval->sadb_key_bits = bits;
/*
* Read in nibbles. Read in odd-numbered as shifted high.
* (e.g. 123 becomes 0x1230).
*/
key = (uint8_t *)(retval + 1);
for (i = 0; input[i] != '\0'; i += 2) {
boolean_t second = (input[i + 1] != '\0');
if (!isxdigit(input[i]) ||
(!isxdigit(input[i + 1]) && second)) {
ERROR1(ep, ebuf, gettext(
"string '%s' not a hex value.\n"), input);
free(retval);
retval = NULL;
break;
}
*key = (hd2num(input[i]) << 4);
if (second)
*key |= hd2num(input[i + 1]);
else
break; /* out of for loop. */
key++;
}
/* bzero the remaining bits if we're a non-octet amount. */
if (bits & 0x7)
*((input[i] == '\0') ? key - 1 : key) &=
0xff << (8 - (bits & 0x7));
handle_errors(ep, NULL, B_FALSE, B_FALSE);
return (retval);
}
#include <tsol/label.h>
#define PARSELABEL_BAD_TOKEN ((struct sadb_sens *)-1)
static struct sadb_sens *
parselabel(int token, char *label)
{
bslabel_t *sl = NULL;
int err, len;
sadb_sens_t *sens;
int doi = 1; /* XXX XXX DEFAULT_DOI XXX XXX */
err = str_to_label(label, &sl, MAC_LABEL, L_DEFAULT, NULL);
if (err < 0)
return (NULL);
len = ipsec_convert_sl_to_sens(doi, sl, NULL);
sens = malloc(len);
if (sens == NULL) {
Bail("malloc parsed label");
/* Should exit before reaching here... */
return (NULL);
}
(void) ipsec_convert_sl_to_sens(doi, sl, sens);
switch (token) {
case TOK_LABEL:
break;
case TOK_OLABEL:
sens->sadb_sens_exttype = SADB_X_EXT_OUTER_SENS;
break;
case TOK_IMPLABEL:
sens->sadb_sens_exttype = SADB_X_EXT_OUTER_SENS;
sens->sadb_x_sens_flags = SADB_X_SENS_IMPLICIT;
break;
default:
free(sens);
/*
* Return a different return code for a bad label, but really,
* this would be a caller error.
*/
return (PARSELABEL_BAD_TOKEN);
}
return (sens);
}
/*
* Write a message to the PF_KEY socket. If verbose, print the message
* heading into the kernel.
*/
static int
key_write(int fd, void *msg, size_t len)
{
if (vflag) {
(void) printf(
gettext("VERBOSE ON: Message to kernel looks like:\n"));
(void) printf("==========================================\n");
print_samsg(stdout, msg, B_FALSE, vflag, nflag);
(void) printf("==========================================\n");
}
return (write(fd, msg, len));
}
/*
* SIGALRM handler for time_critical_enter.
*/
static void
time_critical_catch(int signal)
{
if (signal == SIGALRM) {
errx(1, gettext("Reply message from PF_KEY timed out."));
} else {
errx(1, gettext("Caught signal %d while trying to receive"
"PF_KEY reply message"), signal);
}
/* errx() calls exit. */
}
#define TIME_CRITICAL_TIME 10 /* In seconds */
/*
* Enter a "time critical" section where key is waiting for a return message.
*/
static void
time_critical_enter(void)
{
(void) signal(SIGALRM, time_critical_catch);
(void) alarm(TIME_CRITICAL_TIME);
}
/*
* Exit the "time critical" section after getting an appropriate return
* message.
*/
static void
time_critical_exit(void)
{
(void) alarm(0);
(void) signal(SIGALRM, SIG_DFL);
}
/*
* Construct a PF_KEY FLUSH message for the SA type specified.
*/
static void
doflush(int satype)
{
struct sadb_msg msg;
int rc;
msg_init(&msg, SADB_FLUSH, (uint8_t)satype);
rc = key_write(keysock, &msg, sizeof (msg));
if (rc == -1)
Bail("write() to PF_KEY socket failed (in doflush)");
time_critical_enter();
do {
rc = read(keysock, &msg, sizeof (msg));
if (rc == -1)
Bail("read (in doflush)");
} while (msg.sadb_msg_seq != seq || msg.sadb_msg_pid != mypid);
time_critical_exit();
/*
* I should _never_ hit the following unless:
*
* 1. There is a kernel bug.
* 2. There is another process filling in its pid with mine, and
* issuing a different message that would cause a different result.
*/
if (msg.sadb_msg_type != SADB_FLUSH ||
msg.sadb_msg_satype != (uint8_t)satype) {
syslog((LOG_NOTICE|LOG_AUTH),
gettext("doflush: Return message not of type SADB_FLUSH!"));
Bail("doflush: Return message not of type SADB_FLUSH!");
}
if (msg.sadb_msg_errno != 0) {
errno = msg.sadb_msg_errno;
if (errno == EINVAL) {
print_diagnostic(stderr, msg.sadb_x_msg_diagnostic);
warnx(gettext("Cannot flush SA type %d."), satype);
}
Bail("return message (in doflush)");
}
}
/*
* save_XXX functions are used when "saving" the SA tables to either a
* file or standard output. They use the dump_XXX functions where needed,
* but mostly they use the rparseXXX functions.
*/
/*
* Because "save" and "dump" both use the SADB_DUMP message, fold both
* into the same function.
*/
static void
dodump(int satype, FILE *ofile)
{
struct sadb_msg *msg = (struct sadb_msg *)get_buffer;
int rc;
if (ofile != NULL) {
(void) fprintf(ofile,
gettext("# This key file was generated by the"));
(void) fprintf(ofile,
gettext(" ipseckey(1m) command's 'save' feature.\n\n"));
}
msg_init(msg, SADB_DUMP, (uint8_t)satype);
rc = key_write(keysock, msg, sizeof (*msg));
if (rc == -1)
Bail("write to PF_KEY socket failed (in dodump)");
do {
/*
* For DUMP, do only the read as a time critical section.
*/
time_critical_enter();
rc = read(keysock, get_buffer, sizeof (get_buffer));
time_critical_exit();
if (rc == -1)
Bail("read (in dodump)");
if (msg->sadb_msg_pid == mypid &&
msg->sadb_msg_type == SADB_DUMP &&
msg->sadb_msg_seq != 0 &&
msg->sadb_msg_errno == 0) {
if (ofile == NULL) {
print_samsg(stdout, get_buffer, B_FALSE, vflag,
nflag);
(void) putchar('\n');
} else {
save_assoc(get_buffer, ofile);
}
}
} while (msg->sadb_msg_pid != mypid ||
(msg->sadb_msg_errno == 0 && msg->sadb_msg_seq != 0));
if (ofile != NULL && ofile != stdout)
(void) fclose(ofile);
if (msg->sadb_msg_errno == 0) {
if (ofile == NULL)
(void) printf(
gettext("Dump succeeded for SA type %d.\n"),
satype);
} else {
print_diagnostic(stderr, msg->sadb_x_msg_diagnostic);
errno = msg->sadb_msg_errno;
Bail("Dump failed");
}
}
#define SCOPE_UNSPEC 0
#define SCOPE_LINKLOCAL 1
#define SCOPE_SITELOCAL 2
#define SCOPE_GLOBAL 3
#define SCOPE_V4COMPAT 4
#define SCOPE_LOOPBACK 5 /* Pedantic, yes, but necessary. */
static int
ipv6_addr_scope(struct in6_addr *addr)
{
/* Don't return anything regarding multicast for now... */
if (IN6_IS_ADDR_UNSPECIFIED(addr))
return (SCOPE_UNSPEC);
if (IN6_IS_ADDR_LINKLOCAL(addr))
return (SCOPE_LINKLOCAL);
if (IN6_IS_ADDR_SITELOCAL(addr))
return (SCOPE_SITELOCAL);
if (IN6_IS_ADDR_V4COMPAT(addr))
return (SCOPE_V4COMPAT);
if (IN6_IS_ADDR_LOOPBACK(addr))
return (SCOPE_LOOPBACK);
/* For now, return global by default. */
return (SCOPE_GLOBAL);
}
/*
* doaddresses():
*
* Used by doaddup() and dodelget() to create new SA's based on the
* provided source and destination addresses hostent.
*
* sadb_msg_type: expected PF_KEY reply message type
* sadb_msg_satype: expected PF_KEY reply satype
* cmd: user command
* srchp: hostent for the source address(es)
* dsthp: hostent for the destination address(es)
* src: points to the SADB source address extension
* dst: points to the SADB destination address extension
* unspec_src: indicates an unspecified source address.
* buffer: pointer to the SADB buffer to use with PF_KEY
* buffer_size: size of buffer
* spi: spi for this message (set by caller)
* srcport: source port if specified
* dstport: destination port if specified
* proto: IP protocol number if specified
* iproto: Inner (tunnel mode) IP protocol number if specified
* NATT note: we are going to assume a semi-sane world where NAT
* boxen don't explode to multiple addresses.
*/
static void
doaddresses(uint8_t sadb_msg_type, uint8_t sadb_msg_satype, int cmd,
struct hostent *srchp, struct hostent *dsthp,
struct sadb_address *src, struct sadb_address *dst,
boolean_t unspec_src, uint64_t *buffer, int buffer_size, uint32_t spi,
char *ebuf)
{
boolean_t single_dst;
struct sockaddr_in6 *sin6;
struct sadb_msg *msgp;
int i, rc;
char **walker; /* For the SRC and PROXY walking functions. */
char *first_match;
uint64_t savebuf[MAX_GET_SIZE];
uint16_t srcport = 0, dstport = 0;
char *ep = NULL;
/*
* Okay, now we have "src", "dst", and maybe "proxy" reassigned
* to point into the buffer to be written to PF_KEY, we can do
* potentially several writes based on destination address.
*
* First, obtain port numbers from passed-in extensions.
*/
if (src != NULL) {
sin6 = (struct sockaddr_in6 *)(src + 1);
srcport = ntohs(sin6->sin6_port);
}
if (dst != NULL) {
sin6 = (struct sockaddr_in6 *)(dst + 1);
dstport = ntohs(sin6->sin6_port);
}
/*
* The rules for ADD, GET, and UPDATE: (NOTE: This assumes IPsec.
* If other consumers of PF_KEY happen, this will have to be
* rewhacked.):
*
* Do a message for every possible DST address.
*
* If a source or proxy address explodes, keep unspecified
* (and mention unspecified).
*
* If dsthp is == dummy.he, then go through the loop once.
* If any other hp is == dummy.he, then you don't have to apply any
* silly rules.
*
* DELETE is different, because you can leave either "src" or "dst"
* blank! You need to explode if one of them is full, and not assume
* that the other is set.
*/
if (dsthp == NULL) {
/*
* No destination address specified.
* With extended diagnostics, we don't have to bail the
* non-DELETE cases here. The EINVAL diagnostics will be
* enough to inform the user(s) what happened.
*/
i = 0;
do {
if (srchp == &dummy.he) {
/* Just to be sure... */
srchp->h_addr_list[1] = NULL;
} else if (srchp != NULL) {
/* Degenerate case, h_addr_list[0] == NULL. */
if (srchp->h_addr_list[i] == NULL)
Bail("Empty source address list");
/*
* Fill in the src sockaddr.
*/
sin6 = (struct sockaddr_in6 *)(src + 1);
bzero(sin6, sizeof (*sin6));
bcopy(srchp->h_addr_list[i], &sin6->sin6_addr,
sizeof (struct in6_addr));
sin6->sin6_family = AF_INET6;
sin6->sin6_port = htons(srcport);
}
/* Save off a copy for later writing... */
msgp = (struct sadb_msg *)buffer;
bcopy(buffer, savebuf, SADB_64TO8(msgp->sadb_msg_len));
rc = key_write(keysock, buffer,
SADB_64TO8(msgp->sadb_msg_len));
if (rc == -1)
Bail("write() to PF_KEY socket "
"(in doaddresses)");
/*
* Sends the message to the Solaris Cluster daemon
*/
if (in_cluster_mode) {
(void) sendto(cluster_socket, buffer,
SADB_64TO8(msgp->sadb_msg_len), 0,
(struct sockaddr *)&cli_addr,
sizeof (cli_addr));
}
time_critical_enter();
do {
rc = read(keysock, buffer, buffer_size);
if (rc == -1)
Bail("read (in doaddresses)");
} while (msgp->sadb_msg_seq != seq ||
msgp->sadb_msg_pid != mypid);
time_critical_exit();
if (msgp->sadb_msg_type != sadb_msg_type ||
msgp->sadb_msg_satype != sadb_msg_satype) {
syslog((LOG_NOTICE|LOG_AUTH), gettext(
"doaddresses: Unexpected returned message "
"(%d exp %d)\n"), msgp->sadb_msg_type,
sadb_msg_type);
Bail("doaddresses: Unexpected returned "
"message");
}
errno = msgp->sadb_msg_errno;
if (errno != 0) {
if (errno == EINVAL) {
WARN(ep, ebuf, gettext(
"One of the entered "
"values is incorrect."));
print_diagnostic(stderr,
msgp->sadb_x_msg_diagnostic);
} else {
Bail("return message (in doaddresses)");
}
}
/* ...and then restore the saved buffer. */
msgp = (struct sadb_msg *)savebuf;
bcopy(savebuf, buffer, SADB_64TO8(msgp->sadb_msg_len));
} while (srchp != NULL && srchp->h_addr_list[++i] != NULL);
return;
}
single_dst = (dsthp == &dummy.he || dsthp->h_addr_list[1] == NULL);
for (i = 0; dsthp->h_addr_list[i] != NULL; i++) {
if (dsthp == &dummy.he) {
/* Just to be sure... */
dsthp->h_addr_list[1] = NULL;
} else {
/*
* Fill in the dst sockaddr.
*/
sin6 = (struct sockaddr_in6 *)(dst + 1);
bzero(sin6, sizeof (*sin6));
bcopy(dsthp->h_addr_list[i], &sin6->sin6_addr,
sizeof (struct in6_addr));
sin6->sin6_family = AF_INET6;
sin6->sin6_port = htons(dstport);
}
/*
* Try and assign src, if there's any ambiguity.
*/
if (!unspec_src && srchp != &dummy.he) {
if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
/*
* IPv4 address. Find an IPv4 address, then
* keep looking for a second one. If a second
* exists, print a message, and fill in the
* unspecified address.
*/
first_match = NULL;
for (walker = srchp->h_addr_list;
*walker != NULL; walker++) {
/* LINTED E_BAD_PTR_CAST_ALIGN */
if (IN6_IS_ADDR_V4MAPPED(
(struct in6_addr *)*walker)) {
if (first_match != NULL)
break;
else
first_match = *walker;
}
}
sin6 = (struct sockaddr_in6 *)(src + 1);
bzero(sin6, sizeof (*sin6));
if (first_match == NULL) {
/*
* No IPv4 hits. Is this a single
* dest?
*/
WARN1(ep, ebuf, gettext(
"No IPv4 source address "
"for name %s.\n"), srchp->h_name);
if (single_dst) {
ERROR(ep, ebuf, gettext(
"Only single destination "
"IP address.\n"));
} else {
/* Continue, but do I print? */
continue; /* for loop */
}
/* I should never reach here. */
}
sin6->sin6_family = AF_INET6;
sin6->sin6_port = htons(srcport);
if (*walker != NULL) {
/*
* Early loop exit. It must've been
* multiple hits...
*
* Issue a null-source warning?
*/
WARN1(ep, ebuf, gettext(
"Multiple IPv4 source addresses "
"for %s, using unspecified source "
"instead."), srchp->h_name);
} else {
/*
* If I reach here w/o hitting the
* previous if statements, I have a
* single source address for this
* destination.
*/
bcopy(first_match, &sin6->sin6_addr,
sizeof (struct in6_addr));
}
} else {
/*
* IPv6 address. Find an IPv6 address.
* Unlike IPv4 addresses, things can get a
* little more sticky with scopes, etc.
*/
int dst_scope, src_scope;
dst_scope = ipv6_addr_scope(&sin6->sin6_addr);
first_match = NULL;
for (walker = srchp->h_addr_list;
*walker != NULL; walker++) {
/* LINTED E_BAD_PTR_CAST_ALIGN */
if (!IN6_IS_ADDR_V4MAPPED(
(struct in6_addr *)*walker)) {
/*
* Set first-match, etc.
* Take into account scopes,
* and other IPv6 thingies.
*/
src_scope = ipv6_addr_scope(
/* LINTED E_BAD_PTR_CAST */
(struct in6_addr *)*walker);
if (src_scope == SCOPE_UNSPEC ||
src_scope == dst_scope) {
if (first_match !=
NULL)
break;
else
first_match =
*walker;
}
}
}
sin6 = (struct sockaddr_in6 *)(src + 1);
bzero(sin6, sizeof (*sin6));
sin6->sin6_port = htons(srcport);
if (first_match == NULL) {
/*
* No IPv6 hits. Is this a single
* dest?
*/
WARN1(ep, ebuf, gettext(
"No IPv6 source address of "
"matching scope for name %s.\n"),
srchp->h_name);
if (single_dst) {
ERROR(ep, ebuf, gettext(
"Only a single IPV6 "
"destination "
"address.\n"));
} else {
/* Continue, but do I print? */
continue; /* for loop */
}
/* I should never reach here. */
}
sin6->sin6_family = AF_INET6;
if (*walker != NULL) {
/*
* Early loop exit. Issue a
* null-source warning?
*/
WARN1(ep, ebuf, gettext(
"Multiple IPv6 source addresses "
"for %s of the same scope, using "
"unspecified source instead.\n"),
srchp->h_name);
} else {
/*
* If I reach here w/o hitting the
* previous if statements, I have a
* single source address for this
* destination.
*/
bcopy(first_match, &sin6->sin6_addr,
sizeof (struct in6_addr));
}
}
}
/*
* If there are errors at this point there is no
* point sending anything to PF_KEY.
*/
handle_errors(ep, ebuf, B_TRUE, B_FALSE);
/* Save off a copy for later writing... */
msgp = (struct sadb_msg *)buffer;
bcopy(buffer, savebuf, SADB_64TO8(msgp->sadb_msg_len));
rc = key_write(keysock, buffer, SADB_64TO8(msgp->sadb_msg_len));
if (rc == -1)
Bail("write() to PF_KEY socket (in doaddresses)");
if (in_cluster_mode) {
(void) sendto(cluster_socket, buffer,
SADB_64TO8(msgp->sadb_msg_len), 0,
(struct sockaddr *)&cli_addr,
sizeof (cli_addr));
}
/* Blank the key for paranoia's sake. */
bzero(buffer, buffer_size);
time_critical_enter();
do {
rc = read(keysock, buffer, buffer_size);
if (rc == -1)
Bail("read (in doaddresses)");
} while (msgp->sadb_msg_seq != seq ||
msgp->sadb_msg_pid != mypid);
time_critical_exit();
/*
* I should _never_ hit the following unless:
*
* 1. There is a kernel bug.
* 2. Another process is mistakenly using my pid in a PF_KEY
* message.
*/
if (msgp->sadb_msg_type != sadb_msg_type ||
msgp->sadb_msg_satype != sadb_msg_satype) {
syslog((LOG_NOTICE|LOG_AUTH), gettext(
"doaddresses: Unexpected returned message "
"(%d exp %d)\n"), msgp->sadb_msg_type,
sadb_msg_type);
Bail("doaddresses: Unexpected returned message");
}
if (msgp->sadb_msg_errno != 0) {
char addrprint[INET6_ADDRSTRLEN];
int on_errno = 0;
char *on_errno_msg;
/*
* Print different error messages depending
* on the SADB message type being processed.
* If we get a ESRCH error for a GET/DELETE
* messages, we report that the SA does not
* exist. If we get a EEXIST error for a
* ADD/UPDATE message, we report that the
* SA already exists.
*/
if (sadb_msg_type == SADB_GET ||
sadb_msg_type == SADB_DELETE) {
on_errno = ESRCH;
on_errno_msg = "does not exist";
} else if (sadb_msg_type == SADB_ADD ||
sadb_msg_type == SADB_UPDATE) {
on_errno = EEXIST;
on_errno_msg = "already exists";
}
errno = msgp->sadb_msg_errno;
if (errno == on_errno) {
ERROR2(ep, ebuf, gettext(
"Association (type = %s) "
"with spi 0x%x and addr\n"),
rparsesatype(msgp->sadb_msg_satype),
ntohl(spi));
ERROR2(ep, ebuf, "%s %s.\n",
do_inet_ntop(dsthp->h_addr_list[i],
addrprint, sizeof (addrprint)),
on_errno_msg);
msgp = (struct sadb_msg *)savebuf;
bcopy(savebuf, buffer,
SADB_64TO8(msgp->sadb_msg_len));
continue;
} else {
if (errno == EINVAL || errno == ESRCH) {
ERROR2(ep, ebuf, gettext(
"PF_KEY Diagnostic code %u: %s.\n"),
msgp->sadb_x_msg_diagnostic,
keysock_diag(
msgp->sadb_x_msg_diagnostic));
} else {
Bail("return message (in doaddresses)");
}
}
}
if (cmd == CMD_GET) {
if (msgp->sadb_msg_len > MAX_GET_SIZE) {
WARN1(ep, ebuf, gettext("WARNING: "
"SA information bigger than %d bytes.\n"),
SADB_64TO8(MAX_GET_SIZE));
}
print_samsg(stdout, buffer, B_FALSE, vflag, nflag);
}
handle_errors(ep, ebuf, B_TRUE, B_FALSE);
/* ...and then restore the saved buffer. */
msgp = (struct sadb_msg *)savebuf;
bcopy(savebuf, buffer, SADB_64TO8(msgp->sadb_msg_len));
lines_added++;
}
/* Degenerate case, h_addr_list[0] == NULL. */
if (i == 0)
Bail("Empty destination address list");
/*
* free(ebuf) even if there are no errors.
* handle_errors() won't return here.
*/
handle_errors(ep, ebuf, B_TRUE, B_TRUE);
}
/*
* Perform an add or an update. ADD and UPDATE are similar in the extensions
* they need.
*/
static void
doaddup(int cmd, int satype, char *argv[], char *ebuf)
{
uint64_t *buffer, *nexthdr;
struct sadb_msg msg;
struct sadb_sa *assoc = NULL;
struct sadb_x_pair *sadb_pair = NULL;
struct sadb_address *src = NULL, *dst = NULL;
struct sadb_address *isrc = NULL, *idst = NULL;
struct sadb_address *natt_local = NULL, *natt_remote = NULL;
struct sadb_key *encrypt = NULL, *auth = NULL;
struct sadb_ident *srcid = NULL, *dstid = NULL;
struct sadb_lifetime *hard = NULL, *soft = NULL; /* Current? */
struct sadb_lifetime *idle = NULL;
struct sadb_x_replay_ctr *replay_ctr = NULL;
struct sadb_sens *label = NULL, *olabel = NULL;
struct sockaddr_in6 *sin6;
/* MLS TODO: Need sensitivity eventually. */
int next, token, sa_len, alloclen, totallen = sizeof (msg), prefix;
uint32_t spi = 0;
uint_t reserved_bits = 0;
uint8_t sadb_msg_type;
char *thiscmd, *pstr;
boolean_t readstate = B_FALSE, unspec_src = B_FALSE;
boolean_t alloc_inner = B_FALSE, use_natt = B_FALSE;
struct hostent *srchp = NULL, *dsthp = NULL, *isrchp = NULL,
*idsthp = NULL;
struct hostent *natt_lhp = NULL, *natt_rhp = NULL;
uint16_t srcport = 0, dstport = 0, natt_lport = 0, natt_rport = 0,
isrcport = 0, idstport = 0;
uint8_t proto = 0, iproto = 0;
char *ep = NULL;
switch (cmd) {
case CMD_ADD:
thiscmd = "add";
sadb_msg_type = SADB_ADD;
break;
case CMD_UPDATE:
thiscmd = "update";
sadb_msg_type = SADB_UPDATE;
break;
case CMD_UPDATE_PAIR:
thiscmd = "update-pair";
sadb_msg_type = SADB_X_UPDATEPAIR;
break;
}
msg_init(&msg, sadb_msg_type, (uint8_t)satype);
/* Assume last element in argv is set to NULL. */
do {
token = parseextval(*argv, &next);
argv++;
switch (token) {
case TOK_EOF:
/* Do nothing, I'm done. */
break;
case TOK_UNKNOWN:
ERROR1(ep, ebuf, gettext(
"Unknown extension field \"%s\" \n"), *(argv - 1));
break;
case TOK_SPI:
case TOK_PAIR_SPI:
case TOK_REPLAY:
case TOK_STATE:
case TOK_AUTHALG:
case TOK_ENCRALG:
case TOK_ENCAP:
/*
* May want to place this chunk of code in a function.
*
* This code checks for duplicate entries on a command
* line.
*/
/* Allocate the SADB_EXT_SA extension. */
if (assoc == NULL) {
assoc = malloc(sizeof (*assoc));
if (assoc == NULL)
Bail("malloc(assoc)");
bzero(assoc, sizeof (*assoc));
assoc->sadb_sa_exttype = SADB_EXT_SA;
assoc->sadb_sa_len =
SADB_8TO64(sizeof (*assoc));
totallen += sizeof (*assoc);
}
switch (token) {
case TOK_SPI:
/*
* If some cretin types in "spi 0" then he/she
* can type in another SPI.
*/
if (assoc->sadb_sa_spi != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single SPI value.\n"));
break;
}
/* Must convert SPI to network order! */
assoc->sadb_sa_spi =
htonl((uint32_t)parsenum(*argv, B_TRUE,
ebuf));
if (assoc->sadb_sa_spi == 0) {
ERROR(ep, ebuf, gettext(
"Invalid SPI value \"0\" .\n"));
}
break;
case TOK_PAIR_SPI:
if (cmd == CMD_UPDATE_PAIR) {
ERROR(ep, ebuf, gettext(
"pair-spi can not be used with the "
"\"update-pair\" command.\n"));
}
if (sadb_pair == NULL) {
sadb_pair = malloc(sizeof (*sadb_pair));
if (assoc == NULL)
Bail("malloc(assoc)");
bzero(sadb_pair, sizeof (*sadb_pair));
totallen += sizeof (*sadb_pair);
}
if (sadb_pair->sadb_x_pair_spi != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single pair SPI value.\n"));
break;
}
/* Must convert SPI to network order! */
sadb_pair->sadb_x_pair_len =
SADB_8TO64(sizeof (*sadb_pair));
sadb_pair->sadb_x_pair_exttype =
SADB_X_EXT_PAIR;
sadb_pair->sadb_x_pair_spi =
htonl((uint32_t)parsenum(*argv, B_TRUE,
ebuf));
if (sadb_pair->sadb_x_pair_spi == 0) {
ERROR(ep, ebuf, gettext(
"Invalid SPI value \"0\" .\n"));
}
assoc->sadb_sa_flags |=
SADB_X_SAFLAGS_PAIRED;
break;
case TOK_REPLAY:
/*
* That same cretin can do the same with
* replay.
*/
if (assoc->sadb_sa_replay != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single replay window size.\n"));
break;
}
assoc->sadb_sa_replay =
(uint8_t)parsenum(*argv, B_TRUE, ebuf);
if (assoc->sadb_sa_replay != 0) {
WARN(ep, ebuf, gettext(
"WARNING: Replay with manual"
" keying considered harmful.\n"));
}
break;
case TOK_STATE:
/*
* 0 is an actual state value, LARVAL. This
* means that one can type in the larval state
* and then type in another state on the same
* command line.
*/
if (assoc->sadb_sa_state != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single SA state.\n"));
break;
}
assoc->sadb_sa_state = parsestate(*argv,
ebuf);
readstate = B_TRUE;
break;
case TOK_AUTHALG:
if (assoc->sadb_sa_auth != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single auth algorithm.\n"));
break;
}
assoc->sadb_sa_auth = parsealg(*argv,
IPSEC_PROTO_AH, ebuf);
break;
case TOK_ENCRALG:
if (satype == SADB_SATYPE_AH) {
ERROR(ep, ebuf, gettext("Cannot specify"
" encryption with SA type ah.\n"));
break;
}
if (assoc->sadb_sa_encrypt != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single encryption algorithm.\n"));
break;
}
assoc->sadb_sa_encrypt = parsealg(*argv,
IPSEC_PROTO_ESP, ebuf);
break;
case TOK_ENCAP:
if (use_natt) {
ERROR(ep, ebuf, gettext(
"Can only specify single"
" encapsulation.\n"));
break;
}
if (strncmp(*argv, "udp", 3)) {
ERROR(ep, ebuf, gettext(
"Can only specify udp"
" encapsulation.\n"));
break;
}
use_natt = B_TRUE;
/* set assoc flags later */
break;
}
argv++;
break;
case TOK_SRCPORT:
if (srcport != 0) {
ERROR(ep, ebuf, gettext("Can only specify "
"single source port.\n"));
break;
}
srcport = parsenum(*argv, B_TRUE, ebuf);
argv++;
break;
case TOK_DSTPORT:
if (dstport != 0) {
ERROR(ep, ebuf, gettext("Can only specify "
"single destination port.\n"));
break;
}
dstport = parsenum(*argv, B_TRUE, ebuf);
argv++;
break;
case TOK_ISRCPORT:
alloc_inner = B_TRUE;
if (isrcport != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single inner-source port.\n"));
break;
}
isrcport = parsenum(*argv, B_TRUE, ebuf);
argv++;
break;
case TOK_IDSTPORT:
alloc_inner = B_TRUE;
if (idstport != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single inner-destination port.\n"));
break;
}
idstport = parsenum(*argv, B_TRUE, ebuf);
argv++;
break;
case TOK_NATLPORT:
if (natt_lport != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single NAT-T local port.\n"));
break;
}
natt_lport = parsenum(*argv, B_TRUE, ebuf);
argv++;
break;
case TOK_NATRPORT:
if (natt_rport != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single NAT-T remote port.\n"));
break;
}
natt_rport = parsenum(*argv, B_TRUE, ebuf);
argv++;
break;
case TOK_PROTO:
if (proto != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single protocol.\n"));
break;
}
proto = parsenum(*argv, B_TRUE, ebuf);
argv++;
break;
case TOK_IPROTO:
alloc_inner = B_TRUE;
if (iproto != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single inner protocol.\n"));
break;
}
iproto = parsenum(*argv, B_TRUE, ebuf);
argv++;
break;
case TOK_SRCADDR:
case TOK_SRCADDR6:
if (src != NULL) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single source address.\n"));
break;
}
sa_len = parseaddr(*argv, &srchp,
(token == TOK_SRCADDR6), ebuf);
if (srchp == NULL) {
ERROR1(ep, ebuf, gettext(
"Unknown src address \"%s\"\n"), *argv);
break;
}
argv++;
/*
* Round of the sockaddr length to an 8 byte
* boundary to make PF_KEY happy.
*/
alloclen = sizeof (*src) + roundup(sa_len, 8);
src = malloc(alloclen);
if (src == NULL)
Bail("malloc(src)");
totallen += alloclen;
src->sadb_address_len = SADB_8TO64(alloclen);
src->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
src->sadb_address_reserved = 0;
src->sadb_address_prefixlen = 0;
src->sadb_address_proto = 0;
if (srchp == &dummy.he) {
/*
* Single address with -n flag.
*/
sin6 = (struct sockaddr_in6 *)(src + 1);
bzero(sin6, sizeof (*sin6));
sin6->sin6_family = AF_INET6;
bcopy(srchp->h_addr_list[0], &sin6->sin6_addr,
sizeof (struct in6_addr));
}
break;
case TOK_DSTADDR:
case TOK_DSTADDR6:
if (dst != NULL) {
ERROR(ep, ebuf, gettext(
"Can only specify single "
"destination address.\n"));
break;
}
sa_len = parseaddr(*argv, &dsthp,
(token == TOK_DSTADDR6), ebuf);
if (dsthp == NULL) {
ERROR1(ep, ebuf, gettext(
"Unknown dst address \"%s\"\n"), *argv);
break;
}
argv++;
alloclen = sizeof (*dst) + roundup(sa_len, 8);
dst = malloc(alloclen);
if (dst == NULL)
Bail("malloc(dst)");
totallen += alloclen;
dst->sadb_address_len = SADB_8TO64(alloclen);
dst->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
dst->sadb_address_reserved = 0;
dst->sadb_address_prefixlen = 0;
dst->sadb_address_proto = 0;
if (dsthp == &dummy.he) {
/*
* Single address with -n flag.
*/
sin6 = (struct sockaddr_in6 *)(dst + 1);
bzero(sin6, sizeof (*sin6));
sin6->sin6_family = AF_INET6;
bcopy(dsthp->h_addr_list[0], &sin6->sin6_addr,
sizeof (struct in6_addr));
}
break;
case TOK_PROXYADDR:
case TOK_PROXYADDR6:
if (isrc != NULL) {
ERROR(ep, ebuf, gettext(
"Can only specify single "
"proxy/inner-source address.\n"));
break;
}
if ((pstr = strchr(*argv, '/')) != NULL) {
/* Parse out the prefix. */
errno = 0;
prefix = strtol(pstr + 1, NULL, 10);
if (errno != 0) {
ERROR1(ep, ebuf, gettext(
"Invalid prefix %s."), pstr);
break;
}
/* Recycle pstr */
alloclen = (int)(pstr - *argv);
pstr = malloc(alloclen + 1);
if (pstr == NULL) {
Bail("malloc(pstr)");
}
(void) strlcpy(pstr, *argv, alloclen + 1);
} else {
pstr = *argv;
/*
* Assume mapping to AF_INET6, and we're a host.
* XXX some miscreants may still make classful
* assumptions. If this is a problem, fix it
* here.
*/
prefix = 128;
}
sa_len = parseaddr(pstr, &isrchp,
(token == TOK_PROXYADDR6), ebuf);
if (isrchp == NULL) {
ERROR1(ep, ebuf, gettext(
"Unknown proxy/inner-source address "
"\"%s\"\n"), *argv);
break;
}
if (pstr != *argv)
free(pstr);
argv++;
alloclen = sizeof (*isrc) + roundup(sa_len, 8);
isrc = malloc(alloclen);
if (isrc == NULL)
Bail("malloc(isrc)");
totallen += alloclen;
isrc->sadb_address_len = SADB_8TO64(alloclen);
isrc->sadb_address_exttype = SADB_EXT_ADDRESS_PROXY;
isrc->sadb_address_reserved = 0;
isrc->sadb_address_prefixlen = prefix;
isrc->sadb_address_proto = 0;
if (isrchp == &dummy.he ||
isrchp->h_addr_list[1] == NULL) {
/*
* Single address with -n flag or single name.
*/
sin6 = (struct sockaddr_in6 *)(isrc + 1);
bzero(sin6, sizeof (*sin6));
sin6->sin6_family = AF_INET6;
bcopy(isrchp->h_addr_list[0], &sin6->sin6_addr,
sizeof (struct in6_addr));
/*
* normalize prefixlen for IPv4-mapped
* addresses.
*/
if (prefix <= 32 &&
IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
isrc->sadb_address_prefixlen += 96;
alloc_inner = B_TRUE;
} else {
/*
* If the proxy/isrc address is vague, don't
* bother.
*/
totallen -= alloclen;
free(isrc);
isrc = NULL;
WARN1(ep, ebuf, gettext(
"Proxy/inner-source address %s "
"is vague, not using.\n"), isrchp->h_name);
freehostent(isrchp);
isrchp = NULL;
break;
}
break;
case TOK_IDSTADDR:
case TOK_IDSTADDR6:
if (idst != NULL) {
ERROR(ep, ebuf, gettext(
"Can only specify single "
"inner-destination address.\n"));
break;
}
if ((pstr = strchr(*argv, '/')) != NULL) {
/* Parse out the prefix. */
errno = 0;
prefix = strtol(pstr + 1, NULL, 10);
if (errno != 0) {
ERROR1(ep, ebuf, gettext(
"Invalid prefix %s.\n"), pstr);
break;
}
/* Recycle pstr */
alloclen = (int)(pstr - *argv);
pstr = malloc(alloclen + 1);
if (pstr == NULL) {
Bail("malloc(pstr)");
}
(void) strlcpy(pstr, *argv, alloclen + 1);
} else {
pstr = *argv;
/*
* Assume mapping to AF_INET6, and we're a host.
* XXX some miscreants may still make classful
* assumptions. If this is a problem, fix it
* here.
*/
prefix = 128;
}
sa_len = parseaddr(pstr, &idsthp,
(token == TOK_IDSTADDR6), ebuf);
if (idsthp == NULL) {
ERROR1(ep, ebuf, gettext(
"Unknown Inner Src address "
" \"%s\"\n"), *argv);
break;
}
if (pstr != *argv)
free(pstr);
argv++;
alloclen = sizeof (*idst) + roundup(sa_len, 8);
idst = malloc(alloclen);
if (idst == NULL)
Bail("malloc(idst)");
totallen += alloclen;
idst->sadb_address_len = SADB_8TO64(alloclen);
idst->sadb_address_exttype =
SADB_X_EXT_ADDRESS_INNER_DST;
idst->sadb_address_reserved = 0;
idst->sadb_address_prefixlen = prefix;
idst->sadb_address_proto = 0;
if (idsthp == &dummy.he ||
idsthp->h_addr_list[1] == NULL) {
/*
* Single address with -n flag or single name.
*/
sin6 = (struct sockaddr_in6 *)(idst + 1);
bzero(sin6, sizeof (*sin6));
sin6->sin6_family = AF_INET6;
bcopy(idsthp->h_addr_list[0], &sin6->sin6_addr,
sizeof (struct in6_addr));
/*
* normalize prefixlen for IPv4-mapped
* addresses.
*/
if (prefix <= 32 &&
IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
idst->sadb_address_prefixlen += 96;
alloc_inner = B_TRUE;
} else {
/*
* If the idst address is vague, don't bother.
*/
totallen -= alloclen;
free(idst);
idst = NULL;
WARN1(ep, ebuf, gettext(
"Inner destination address %s "
"is vague, not using.\n"), idsthp->h_name);
freehostent(idsthp);
idsthp = NULL;
break;
}
break;
case TOK_NATLOC:
if (natt_local != NULL) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single NAT-T local address.\n"));
break;
}
sa_len = parseaddr(*argv, &natt_lhp, 0, ebuf);
if (natt_lhp == NULL) {
ERROR1(ep, ebuf, gettext(
"Unknown NAT-T local address \"%s\"\n"),
*argv);
break;
}
argv++;
/*
* Round of the sockaddr length to an 8 byte
* boundary to make PF_KEY happy.
*/
alloclen = sizeof (*natt_local) + roundup(sa_len, 8);
natt_local = malloc(alloclen);
if (natt_local == NULL)
Bail("malloc(natt_local)");
totallen += alloclen;
natt_local->sadb_address_len = SADB_8TO64(alloclen);
natt_local->sadb_address_exttype =
SADB_X_EXT_ADDRESS_NATT_LOC;
natt_local->sadb_address_reserved = 0;
natt_local->sadb_address_prefixlen = 0;
natt_local->sadb_address_proto = 0;
if (natt_lhp == &dummy.he ||
natt_lhp->h_addr_list[1] == NULL) {
/*
* Single address with -n flag or single name.
*/
sin6 = (struct sockaddr_in6 *)(natt_local + 1);
bzero(sin6, sizeof (*sin6));
sin6->sin6_family = AF_INET6;
bcopy(natt_lhp->h_addr_list[0],
&sin6->sin6_addr, sizeof (struct in6_addr));
} else {
/*
* If the nat-local address is vague, don't
* bother.
*/
totallen -= alloclen;
free(natt_local);
natt_local = NULL;
WARN1(ep, ebuf, gettext(
"NAT-T local address %s "
"is vague, not using.\n"),
natt_lhp->h_name);
freehostent(natt_lhp);
natt_lhp = NULL;
break;
}
break;
case TOK_NATREM:
if (natt_remote != NULL) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single NAT-T remote address.\n"));
break;
}
sa_len = parseaddr(*argv, &natt_rhp, 0, ebuf);
if (natt_rhp == NULL) {
ERROR1(ep, ebuf, gettext(
"Unknown NAT-T remote address \"%s\"\n"),
*argv);
break;
}
argv++;
/*
* Round of the sockaddr length to an 8 byte
* boundary to make PF_KEY happy.
*/
alloclen = sizeof (*natt_remote) + roundup(sa_len, 8);
natt_remote = malloc(alloclen);
if (natt_remote == NULL)
Bail("malloc(natt_remote)");
totallen += alloclen;
natt_remote->sadb_address_len = SADB_8TO64(alloclen);
natt_remote->sadb_address_exttype =
SADB_X_EXT_ADDRESS_NATT_REM;
natt_remote->sadb_address_reserved = 0;
natt_remote->sadb_address_prefixlen = 0;
natt_remote->sadb_address_proto = 0;
if (natt_rhp == &dummy.he ||
natt_rhp->h_addr_list[1] == NULL) {
/*
* Single address with -n flag or single name.
*/
sin6 = (struct sockaddr_in6 *)(natt_remote + 1);
bzero(sin6, sizeof (*sin6));
sin6->sin6_family = AF_INET6;
bcopy(natt_rhp->h_addr_list[0],
&sin6->sin6_addr, sizeof (struct in6_addr));
} else {
/*
* If the nat-renote address is vague, don't
* bother.
*/
totallen -= alloclen;
free(natt_remote);
natt_remote = NULL;
WARN1(ep, ebuf, gettext(
"NAT-T remote address %s "
"is vague, not using.\n"),
natt_rhp->h_name);
freehostent(natt_rhp);
natt_rhp = NULL;
break;
}
break;
case TOK_ENCRKEY:
if (encrypt != NULL) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single encryption key.\n"));
break;
}
if (assoc != NULL &&
assoc->sadb_sa_encrypt == SADB_EALG_NULL) {
FATAL(ep, ebuf, gettext(
"Cannot specify a key with NULL "
"encryption algorithm.\n"));
break;
}
encrypt = parsekey(*argv, ebuf, reserved_bits);
argv++;
if (encrypt == NULL) {
ERROR(ep, ebuf, gettext(
"Invalid encryption key.\n"));
break;
}
totallen += SADB_64TO8(encrypt->sadb_key_len);
encrypt->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
break;
case TOK_AUTHKEY:
if (auth != NULL) {
ERROR(ep, ebuf, gettext(
"Can only specify single"
" authentication key.\n"));
break;
}
auth = parsekey(*argv, ebuf, 0);
argv++;
if (auth == NULL) {
ERROR(ep, ebuf, gettext(
"Invalid authentication key.\n"));
break;
}
totallen += SADB_64TO8(auth->sadb_key_len);
auth->sadb_key_exttype = SADB_EXT_KEY_AUTH;
break;
case TOK_SRCIDTYPE:
if (*argv == NULL || *(argv + 1) == NULL) {
FATAL(ep, ebuf, gettext(
"Unexpected end of command "
"line - Expecting Src Type.\n"));
/* NOTREACHED */
break;
}
if (srcid != NULL) {
ERROR(ep, ebuf, gettext(
"Can only specify single"
" source certificate identity.\n"));
break;
}
alloclen = sizeof (*srcid) +
roundup(strlen(*(argv + 1)) + 1, 8);
srcid = malloc(alloclen);
if (srcid == NULL)
Bail("malloc(srcid)");
totallen += alloclen;
srcid->sadb_ident_type = parseidtype(*argv, ebuf);
argv++;
srcid->sadb_ident_len = SADB_8TO64(alloclen);
srcid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;
srcid->sadb_ident_reserved = 0;
srcid->sadb_ident_id = 0; /* Not useful here. */
(void) strlcpy((char *)(srcid + 1), *argv, alloclen);
argv++;
break;
case TOK_DSTIDTYPE:
if (*argv == NULL || *(argv + 1) == NULL) {
ERROR(ep, ebuf, gettext(
"Unexpected end of command"
" line - expecting dst type.\n"));
break;
}
if (dstid != NULL) {
ERROR(ep, ebuf, gettext(
"Can only specify single destination "
"certificate identity.\n"));
break;
}
alloclen = sizeof (*dstid) +
roundup(strlen(*(argv + 1)) + 1, 8);
dstid = malloc(alloclen);
if (dstid == NULL)
Bail("malloc(dstid)");
totallen += alloclen;
dstid->sadb_ident_type = parseidtype(*argv, ebuf);
argv++;
dstid->sadb_ident_len = SADB_8TO64(alloclen);
dstid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST;
dstid->sadb_ident_reserved = 0;
dstid->sadb_ident_id = 0; /* Not useful here. */
(void) strlcpy((char *)(dstid + 1), *argv, alloclen);
argv++;
break;
case TOK_HARD_ALLOC:
case TOK_HARD_BYTES:
case TOK_HARD_ADDTIME:
case TOK_HARD_USETIME:
if (hard == NULL) {
hard = malloc(sizeof (*hard));
if (hard == NULL)
Bail("malloc(hard_lifetime)");
bzero(hard, sizeof (*hard));
hard->sadb_lifetime_exttype =
SADB_EXT_LIFETIME_HARD;
hard->sadb_lifetime_len =
SADB_8TO64(sizeof (*hard));
totallen += sizeof (*hard);
}
switch (token) {
case TOK_HARD_ALLOC:
if (hard->sadb_lifetime_allocations != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify single"
" hard allocation limit.\n"));
break;
}
hard->sadb_lifetime_allocations =
(uint32_t)parsenum(*argv, B_TRUE, ebuf);
break;
case TOK_HARD_BYTES:
if (hard->sadb_lifetime_bytes != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single hard byte limit.\n"));
break;
}
hard->sadb_lifetime_bytes = parsenum(*argv,
B_TRUE, ebuf);
break;
case TOK_HARD_ADDTIME:
if (hard->sadb_lifetime_addtime != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single past-add lifetime.\n"));
break;
}
hard->sadb_lifetime_addtime = parsenum(*argv,
B_TRUE, ebuf);
break;
case TOK_HARD_USETIME:
if (hard->sadb_lifetime_usetime != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify "
"single past-use lifetime.\n"));
break;
}
hard->sadb_lifetime_usetime = parsenum(*argv,
B_TRUE, ebuf);
break;
}
argv++;
break;
case TOK_SOFT_ALLOC:
case TOK_SOFT_BYTES:
case TOK_SOFT_ADDTIME:
case TOK_SOFT_USETIME:
if (soft == NULL) {
soft = malloc(sizeof (*soft));
if (soft == NULL)
Bail("malloc(soft_lifetime)");
bzero(soft, sizeof (*soft));
soft->sadb_lifetime_exttype =
SADB_EXT_LIFETIME_SOFT;
soft->sadb_lifetime_len =
SADB_8TO64(sizeof (*soft));
totallen += sizeof (*soft);
}
switch (token) {
case TOK_SOFT_ALLOC:
if (soft->sadb_lifetime_allocations != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify single"
" soft allocation limit.\n"));
break;
}
soft->sadb_lifetime_allocations =
(uint32_t)parsenum(*argv, B_TRUE, ebuf);
break;
case TOK_SOFT_BYTES:
if (soft->sadb_lifetime_bytes != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify single"
" soft byte limit.\n"));
break;
}
soft->sadb_lifetime_bytes = parsenum(*argv,
B_TRUE, ebuf);
break;
case TOK_SOFT_ADDTIME:
if (soft->sadb_lifetime_addtime != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify single"
" past-add lifetime.\n"));
break;
}
soft->sadb_lifetime_addtime = parsenum(*argv,
B_TRUE, ebuf);
break;
case TOK_SOFT_USETIME:
if (soft->sadb_lifetime_usetime != 0) {
ERROR(ep, ebuf, gettext(
"Can only specify single"
" past-use lifetime.\n"));
break;
}
soft->sadb_lifetime_usetime = parsenum(*argv,
B_TRUE, ebuf);
break;
}
argv++;
break;
case TOK_FLAG_INBOUND:
assoc->sadb_sa_flags |= SADB_X_SAFLAGS_INBOUND;
break;
case TOK_FLAG_OUTBOUND:
assoc->sadb_sa_flags |= SADB_X_SAFLAGS_OUTBOUND;
break;
case TOK_REPLAY_VALUE:
if (replay_ctr != NULL) {
ERROR(ep, ebuf, gettext(
"Can only specify single "
"replay value."));
break;
}
replay_ctr = calloc(1, sizeof (*replay_ctr));
if (replay_ctr == NULL) {
Bail("malloc(replay value)");
}
/*
* We currently do not support a 64-bit
* replay value. RFC 4301 will require one,
* however, and we have a field in place when
* 4301 is built.
*/
replay_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE;
replay_ctr->sadb_x_rc_len =
SADB_8TO64(sizeof (*replay_ctr));
totallen += sizeof (*replay_ctr);
replay_ctr->sadb_x_rc_replay32 = (uint32_t)parsenum(
*argv, B_TRUE, ebuf);
argv++;
break;
case TOK_IDLE_ADDTIME:
case TOK_IDLE_USETIME:
if (idle == NULL) {
idle = calloc(1, sizeof (*idle));
if (idle == NULL) {
Bail("malloc idle lifetime");
}
idle->sadb_lifetime_exttype =
SADB_X_EXT_LIFETIME_IDLE;
idle->sadb_lifetime_len =
SADB_8TO64(sizeof (*idle));
totallen += sizeof (*idle);
}
switch (token) {
case TOK_IDLE_ADDTIME:
idle->sadb_lifetime_addtime =
(uint32_t)parsenum(*argv,
B_TRUE, ebuf);
break;
case TOK_IDLE_USETIME:
idle->sadb_lifetime_usetime =
(uint32_t)parsenum(*argv,
B_TRUE, ebuf);
break;
}
argv++;
break;
case TOK_RESERVED:
if (encrypt != NULL)
ERROR(ep, ebuf, gettext(
"Reserved bits need to be "
"specified before key.\n"));
reserved_bits = (uint_t)parsenum(*argv,
B_TRUE, ebuf);
argv++;
break;
case TOK_LABEL:
label = parselabel(token, *argv);
argv++;
if (label == NULL) {
ERROR(ep, ebuf,
gettext("Malformed security label\n"));
break;
} else if (label == PARSELABEL_BAD_TOKEN) {
Bail("Internal token value error");
}
totallen += SADB_64TO8(label->sadb_sens_len);
break;
case TOK_OLABEL:
case TOK_IMPLABEL:
olabel = parselabel(token, *argv);
argv++;
if (label == NULL) {
ERROR(ep, ebuf,
gettext("Malformed security label\n"));
break;
} else if (label == PARSELABEL_BAD_TOKEN) {
Bail("Internal token value error");
}
totallen += SADB_64TO8(olabel->sadb_sens_len);
break;
default:
ERROR1(ep, ebuf, gettext(
"Don't use extension %s for add/update.\n"),
*(argv - 1));
break;
}
} while (token != TOK_EOF);
handle_errors(ep, ebuf, B_TRUE, B_FALSE);
#define PORT_ONLY_ALLOCATE(af, socktype, exttype, extvar, port) { \
alloclen = sizeof (sadb_address_t) + roundup(sizeof (socktype), 8); \
(extvar) = calloc(1, alloclen); \
if ((extvar) == NULL) { \
Bail("malloc(implicit port)"); \
} \
totallen += alloclen; \
(extvar)->sadb_address_len = SADB_8TO64(alloclen); \
(extvar)->sadb_address_exttype = (exttype); \
/* sin/sin6 has equivalent offsets for ports! */ \
sin6 = (struct sockaddr_in6 *)((extvar) + 1); \
sin6->sin6_family = (af); \
sin6->sin6_port = (port); \
}
/*
* If we specify inner ports or NAT ports w/o addresses, we still need
* to allocate. Also, if we have one inner address, we need the
* other, even if we don't specify anything.
*/
if (use_natt) {
if (natt_lport != 0 && natt_local == NULL) {
PORT_ONLY_ALLOCATE(AF_INET, struct sockaddr_in,
SADB_X_EXT_ADDRESS_NATT_LOC, natt_local,
natt_lport);
}
if (natt_rport != 0 && natt_remote == NULL) {
PORT_ONLY_ALLOCATE(AF_INET, struct sockaddr_in,
SADB_X_EXT_ADDRESS_NATT_REM, natt_remote,
natt_rport);
}
} else {
if (natt_lport != 0 || natt_rport != 0) {
ERROR(ep, ebuf, gettext("Must specify 'encap udp' "
"with any NAT-T port.\n"));
} else if (natt_local != NULL || natt_remote != NULL) {
ERROR(ep, ebuf, gettext("Must specify 'encap udp' "
"with any NAT-T address.\n"));
}
}
if (alloc_inner && idst == NULL) {
PORT_ONLY_ALLOCATE(AF_INET6, struct sockaddr_in6,
SADB_X_EXT_ADDRESS_INNER_DST, idst, 0);
}
if (alloc_inner && isrc == NULL) {
PORT_ONLY_ALLOCATE(AF_INET6, struct sockaddr_in6,
SADB_X_EXT_ADDRESS_INNER_SRC, isrc, 0);
}
#undef PORT_ONLY_ALLOCATE
/*
* Okay, so now I have all of the potential extensions!
* Allocate a single contiguous buffer. Keep in mind that it'll
* be enough because the key itself will be yanked.
*/
if (src == NULL && dst != NULL) {
/*
* Set explicit unspecified source address.
*/
size_t lenbytes = SADB_64TO8(dst->sadb_address_len);
unspec_src = B_TRUE;
totallen += lenbytes;
src = malloc(lenbytes);
if (src == NULL)
Bail("malloc(implicit src)");
/* Confusing, but we're copying from DST to SRC. :) */
bcopy(dst, src, lenbytes);
src->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
sin6 = (struct sockaddr_in6 *)(src + 1);
bzero(sin6, sizeof (*sin6));
sin6->sin6_family = AF_INET6;
}
msg.sadb_msg_len = SADB_8TO64(totallen);
buffer = malloc(totallen);
nexthdr = buffer;
bcopy(&msg, nexthdr, sizeof (msg));
nexthdr += SADB_8TO64(sizeof (msg));
if (assoc != NULL) {
if (assoc->sadb_sa_spi == 0) {
ERROR1(ep, ebuf, gettext(
"The SPI value is missing for "
"the association you wish to %s.\n"), thiscmd);
}
if (assoc->sadb_sa_auth == 0 && assoc->sadb_sa_encrypt == 0 &&
cmd == CMD_ADD) {
free(assoc);
FATAL(ep, ebuf, gettext(
"Select at least one algorithm "
"for this add.\n"));
}
/* Hack to let user specify NULL ESP implicitly. */
if (msg.sadb_msg_satype == SADB_SATYPE_ESP &&
assoc->sadb_sa_encrypt == 0)
assoc->sadb_sa_encrypt = SADB_EALG_NULL;
/* 0 is an actual value. Print a warning if it was entered. */
if (assoc->sadb_sa_state == 0) {
if (readstate) {
ERROR(ep, ebuf, gettext(
"WARNING: Cannot set LARVAL SA state.\n"));
}
assoc->sadb_sa_state = SADB_SASTATE_MATURE;
}
if (use_natt) {
if (natt_remote != NULL)
assoc->sadb_sa_flags |= SADB_X_SAFLAGS_NATT_REM;
if (natt_local != NULL)
assoc->sadb_sa_flags |= SADB_X_SAFLAGS_NATT_LOC;
}
if (alloc_inner) {
/*
* For now, assume RFC 3884's dream of transport-mode
* SAs with inner IP address selectors will not
* happen.
*/
assoc->sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
if (proto != 0 && proto != IPPROTO_ENCAP &&
proto != IPPROTO_IPV6) {
ERROR1(ep, ebuf, gettext