diff options
Diffstat (limited to 'programs/spi')
| -rw-r--r-- | programs/spi/.cvsignore | 1 | ||||
| -rw-r--r-- | programs/spi/Makefile | 69 | ||||
| -rw-r--r-- | programs/spi/spi.5 | 213 | ||||
| -rw-r--r-- | programs/spi/spi.8 | 525 | ||||
| -rw-r--r-- | programs/spi/spi.c | 1689 |
5 files changed, 0 insertions, 2497 deletions
diff --git a/programs/spi/.cvsignore b/programs/spi/.cvsignore deleted file mode 100644 index c928c4b77..000000000 --- a/programs/spi/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -spi diff --git a/programs/spi/Makefile b/programs/spi/Makefile deleted file mode 100644 index 10a1eaa9c..000000000 --- a/programs/spi/Makefile +++ /dev/null @@ -1,69 +0,0 @@ -# Makefile for the KLIPS interface utilities -# Copyright (C) 1998, 1999 Henry Spencer. -# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.2 2004/03/22 21:53:21 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=spi -EXTRA5PROC=${PROGRAM}.5 - -LIBS=${FREESWANLIB} - -OBJS=constants.o alg_info.o kernel_alg.o - -include ../Makefile.program - -constants.o : ../pluto/constants.c ../pluto/constants.h - $(CC) $(CFLAGS) -c -o $@ $< - -alg_info.o : ../pluto/alg_info.c ../pluto/alg_info.h - $(CC) $(CFLAGS) -DNO_PLUTO -c -o $@ $< - -kernel_alg.o : ../pluto/kernel_alg.c ../pluto/kernel_alg.h - $(CC) $(CFLAGS) -DNO_PLUTO -c -o $@ $< - -# -# $Log: Makefile,v $ -# Revision 1.2 2004/03/22 21:53:21 as -# merged alg-0.8.1 branch with HEAD -# -# Revision 1.1.4.1 2004/03/16 09:48:22 as -# alg-0.8.1rc12 patch merged -# -# Revision 1.1 2004/03/15 20:35:31 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.4 2002/06/03 20:25:31 mcr -# man page for files actually existant in /proc/net changed back to -# ipsec_foo via new EXTRA5PROC process. -# -# Revision 1.3 2002/06/02 21:51:41 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.2 2002/04/26 01:21:26 mcr -# while tracking down a missing (not installed) /etc/ipsec.conf, -# MCR has decided that it is not okay for each program subdir to have -# some subset (determined with -f) of possible files. -# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -# Optional PROGRAM.5 files have been added to the makefiles. -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# diff --git a/programs/spi/spi.5 b/programs/spi/spi.5 deleted file mode 100644 index a8faebee4..000000000 --- a/programs/spi/spi.5 +++ /dev/null @@ -1,213 +0,0 @@ -.TH IPSEC_SPI 5 "26 Jun 2000" -.\" -.\" RCSID $Id: spi.5,v 1.1 2004/03/15 20:35:31 as Exp $ -.\" -.SH NAME -ipsec_spi \- list IPSEC Security Associations -.SH SYNOPSIS -.B ipsec -.B spi -.PP -.B cat -.B /proc/net/ipsec_spi -.PP -.SH DESCRIPTION -.I /proc/net/ipsec_spi -is a read-only file that lists the current IPSEC Security Associations. -A Security Association (SA) is a transform through which packet contents -are to be processed before being forwarded. A transform can be an -IPv4-in-IPv4 or IPv6-in-IPv6 encapsulation, an IPSEC Authentication Header (authentication -with no encryption), or an IPSEC Encapsulation Security Payload -(encryption, possibly including authentication). -.PP -When a packet is passed from a higher networking layer through an IPSEC -virtual interface, a search in the extended routing table (see -.IR ipsec_eroute (5)) -yields -a IP protocol number -, -a Security Parameters Index (SPI) -and -an effective destination address -. -When an IPSEC packet arrives from the network, -its ostensible destination, an SPI and an IP protocol -specified by its outermost IPSEC header are used. -The destination/SPI/protocol combination is used to select a relevant SA. -(See -.IR ipsec_spigrp (5) -for discussion of how multiple transforms are combined.) -.PP -An -.I spi , -.I proto, -.I daddr -and -.IR address_family -arguments specify an SAID. -.I Proto -is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol. -.I Spi -is a number, preceded by '.' indicating hexadecimal and IPv4 or by ':' indicating hexadecimal and IPv6, -where each hexadecimal digit represents 4 bits, -between -.B 0x100 -and -.BR 0xffffffff ; -values from -.B 0x0 -to -.B 0xff -are reserved. -.I Daddr -is a dotted-decimal IPv4 destination address or a coloned hex IPv6 destination address. -.PP -An -.I SAID -combines the three parameters above, such as: "tun.101@1.2.3.4" for IPv4 or "tun:101@3049:1::1" for IPv6 -.PP -A table entry consists of: -.IP + 3 -.BR SAID -.IP + -<transform name (proto,encalg,authalg)>: -.IP + -direction (dir=) -.IP + -source address (src=) -.IP + -source and destination addresses and masks for inner header policy check -addresses (policy=), as dotted-quads or coloned hex, separated by '->', -for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only -.IP + -initialisation vector length and value (iv_bits=, iv=) if non-zero -.IP + -out-of-order window size, number of out-of-order errors, sequence -number, recently received packet bitmask, maximum difference between -sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=) if SA -is AH or ESP and if individual items are non-zero -.IP + -extra flags (flags=) if any are set -.IP + -authenticator length in bits (alen=) if non-zero -.IP + -authentication key length in bits (aklen=) if non-zero -.IP + -authentication errors (auth_errs=) if non-zero -.IP + -encryption key length in bits (eklen=) if non-zero -.IP + -encryption size errors (encr_size_errs=) if non-zero -.IP + -encryption padding error warnings (encr_pad_errs=) if non-zero -.IP + -lifetimes legend, c=Current status, s=Soft limit when exceeded will -initiate rekeying, h=Hard limit will cause termination of SA (life(c,s,h)=) -.IP + 6 -number of connections to which the SA is allocated (c), that will cause a -rekey (s), that will cause an expiry (h) (alloc=), if any value is non-zero -.IP + -number of bytes processesd by this SA (c), that will cause a rekey (s), that -will cause an expiry (h) (bytes=), if any value is non-zero -.IP + -time since the SA was added (c), until rekey (s), until expiry (h), in seconds (add=) -.IP + -time since the SA was first used (c), until rekey (s), until expiry (h), in seconds (used=), -if any value is non-zero -.IP + -number of packets processesd by this SA (c), that will cause a rekey (s), that -will cause an expiry (h) (packets=), if any value is non-zero -.IP + 3 -time since the last packet was processed, in seconds (idle=), if SA has -been used -.IP -average compression ratio (ratio=) -.SH EXAMPLES -.B "tun.12a@192.168.43.1 IPIP: dir=out src=192.168.43.2" -.br -.B " life(c,s,h)=bytes(14073,0,0)add(269,0,0)" -.br -.B " use(149,0,0)packets(14,0,0)" -.br -.B " idle=23 -.LP -is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between machines -192.168.43.2 and 192.168.43.1 with an SPI of 12a in hexadecimal that has -passed about 14 kilobytes of traffic in 14 packets since it was created, -269 seconds ago, first used 149 seconds ago and has been idle for 23 -seconds. -.LP -.B "esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5:" -.br -.B " dir=in src=9a35fc02@3049:1::2" -.br -.B " ooowin=32 seq=7149 bit=0xffffffff" -.br -.B " alen=128 aklen=128 eklen=192" -.br -.B " life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)" -.br -.B " use(3858,0,0)packets(7149,0,0)" -.br -.B " idle=23" -.LP -is an inbound Encapsulating Security Payload (protocol 50) SA on machine -3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryption -cipher, HMAC MD5 as the authentication algorithm, an out-of-order -window of 32 packets, a present sequence number of 7149, every one of -the last 32 sequence numbers was received, the authenticator length and -keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES -since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes of data in -7149 packets, was added 4593 seconds ago, first used -3858 seconds ago and has been idle for 23 seconds. -.LP -.SH FILES -/proc/net/ipsec_spi, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5), -ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_spi(8), ipsec_version(5), -ipsec_pf_key(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. -.SH BUGS -The add and use times are awkward, displayed in seconds since machine -start. It would be better to display them in seconds before now for -human readability. -.\" -.\" $Log: spi.5,v $ -.\" Revision 1.1 2004/03/15 20:35:31 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.9 2002/04/24 07:35:39 mcr -.\" Moved from ./klips/utils/spi.5,v -.\" -.\" Revision 1.8 2001/08/01 23:22:44 rgb -.\" Fix inconsistancies between manpage and output. -.\" -.\" Revision 1.7 2000/11/30 16:47:28 rgb -.\" Added src= to /proc/net/ipsec_spi manpage. -.\" -.\" Revision 1.6 2000/09/17 18:56:48 rgb -.\" Added IPCOMP support. -.\" -.\" Revision 1.5 2000/09/13 15:54:32 rgb -.\" Added Gerhard's ipv6 updates. -.\" -.\" Revision 1.4 2000/07/05 17:24:03 rgb -.\" Updated for relative, rather than absolute values for addtime and -.\" usetime. -.\" -.\" Revision 1.3 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.2 2000/06/28 12:44:12 henry -.\" format touchup -.\" -.\" Revision 1.1 2000/06/28 05:43:00 rgb -.\" Added manpages for all 5 klips utils. -.\" -.\" diff --git a/programs/spi/spi.8 b/programs/spi/spi.8 deleted file mode 100644 index fe6537c07..000000000 --- a/programs/spi/spi.8 +++ /dev/null @@ -1,525 +0,0 @@ -.TH IPSEC_SPI 8 "23 Oct 2001" -.\" -.\" RCSID $Id: spi.8,v 1.1 2004/03/15 20:35:31 as Exp $ -.\" -.SH NAME -ipsec spi \- manage IPSEC Security Associations -.SH SYNOPSIS -.br -Note: In the following, -.br -.B <SA> -means: -.B \-\-af -(inet | inet6) -.B \-\-edst -daddr -.B \-\-spi -spi -.B \-\-proto -proto OR -.B \-\-said -said, -.br -.B <life> -means: -.B \-\-life -(soft | hard)\-(allocations | bytes | addtime | usetime | packets)=value[,...] -.PP -.B ipsec -.B spi -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-src -src -.B \-\-ah -.BR hmac-md5-96 | hmac-sha1-96 -[ -.B \-\-replay_window -replayw ] -[ -.B <life> -] -.B \-\-authkey -akey -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-src -src -.B \-\-esp -.BR 3des -[ -.B \-\-replay_window -replayw ] -[ -.B <life> -] -.B \-\-enckey -ekey -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-src -src -.B \-\-esp -.BR 3des-md5-96 | 3des-sha1-96 -[ -.B \-\-replay_window -replayw ] -[ -.B <life> -] -.B \-\-enckey -ekey -.B \-\-authkey -akey -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-src -src -.B \-\-comp -.BR deflate -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-ip4 -.B \-\-src -encap-src -.B \-\-dst -encap-dst -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-ip6 -.B \-\-src -encap-src -.B \-\-dst -encap-dst -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-del -.PP -.B ipsec -.B spi -.B \-\-help -.PP -.B ipsec -.B spi -.B \-\-version -.PP -.B ipsec -.B spi -.B \-\-clear -.PP -.SH DESCRIPTION -.I Spi -creates and deletes IPSEC Security Associations. -A Security Association (SA) is a transform through which packet -contents are to be processed before being forwarded. -A transform can be an IPv4-in-IPv4 or an IPv6-in-IPv6 encapsulation, -an IPSEC Authentication Header (authentication with no encryption), -or an IPSEC Encapsulation Security Payload (encryption, possibly -including authentication). -.PP -When a packet is passed from a higher networking layer -through an IPSEC virtual interface, -a search in the extended routing table (see -.IR ipsec_eroute (8)) -yields an effective destination address, a -Security Parameters Index (SPI) and a IP protocol number. -When an IPSEC packet arrives from the network, -its ostensible destination, an SPI and an IP protocol -specified by its outermost IPSEC header are used. -The destination/SPI/protocol combination is used to select a relevant SA. -(See -.IR ipsec_spigrp (8) -for discussion of how multiple transforms are combined.) -.PP -The -.IR af , -.IR daddr , -.I spi -and -.I proto -arguments specify the SA to be created or deleted. -.I af -is the address family (inet for IPv4, inet6 for IPv6). -.I Daddr -is a destination address -in dotted-decimal notation for IPv4 -or in a coloned hex notation for IPv6. -.I Spi -is a number, preceded by '0x' for hexadecimal, -between -.B 0x100 -and -.BR 0xffffffff ; -values from -.B 0x0 -to -.B 0xff -are reserved. -.I Proto -is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol. -The protocol must agree with the algorithm selected. -.PP -Alternatively, the -.I said -argument can also specify an SA to be created or deleted. -.I Said -combines the three parameters above, such as: "tun.101@1.2.3.4" or "tun:101@1:2::3:4", -where the address family is specified by "." for IPv4 and ":" for IPv6. The address -family indicators substitute the "0x" for hexadecimal. -.PP -The source address, -.IR src , -must also be provided for the inbound policy check to -function. The source address does not need to be included if inbound -policy checking has been disabled. -.PP -Keys vectors must be entered as hexadecimal or base64 numbers. -They should be cryptographically strong random numbers. -.PP -All hexadecimal numbers are entered as strings of hexadecimal digits -(0-9 and a-f), without spaces, preceded by '0x', where each hexadecimal -digit represents 4 bits. -All base64 numbers are entered as strings of base64 digits - (0-9, A-Z, a-z, '+' and '/'), without spaces, preceded by '0s', -where each hexadecimal digit represents 6 bits and '=' is used for padding. -.PP -The deletion of an SA which has been grouped will result in the entire chain -being deleted. -.PP -The form with no additional arguments lists the contents of -/proc/net/ipsec_spi. The format of /proc/net/ipsec_spi is discussed in -ipsec_spi(5). -.PP -The lifetime severity of -.B soft -sets a limit when the key management daemons are asked to rekey the SA. -The lifetime severity of -.B hard -sets a limit when the SA must expire. -The lifetime type -.B allocations -tells the system when to expire the SA because it is being shared by too many -eroutes (not currently used). The lifetime type of -.B bytes -tells the system to expire the SA after a certain number of bytes have been -processed with that SA. The lifetime type of -.B addtime -tells the system to expire the SA a certain number of seconds after the SA was -installed. The lifetime type of -.B usetime -tells the system to expire the SA a certain number of seconds after that SA has -processed its first packet. The lifetime type of -.B packets -tells the system to expire the SA after a certain number of packets have been -processed with that SA. -.SH OPTIONS -.TP 10 -.B \-\-af -specifies the address family (inet for IPv4, inet6 for IPv6) -.TP -.B \-\-edst -specifies the effective destination -.I daddr -of the Security Association -.TP -.B \-\-spi -specifies the Security Parameters Index -.I spi -of the Security Association -.TP -.B \-\-proto -specifies the IP protocol -.I proto -of the Security Association -.TP -.B \-\-said -specifies the Security Association in monolithic format -.TP -.B \-\-ah -add an SA for an IPSEC Authentication Header, -specified by the following transform identifier -(\c -.BR hmac-md5-96 -or -.BR hmac-sha1-96 ) -(RFC2402, obsoletes RFC1826) -.TP -.B hmac-md5-96 -transform following the HMAC and MD5 standards, -using a 128-bit -.I key -to produce a 96-bit authenticator (RFC2403) -.TP -.B hmac-sha1-96 -transform following the HMAC and SHA1 standards, -using a 160-bit -.I key -to produce a 96-bit authenticator (RFC2404) -.TP -.B \-\-esp -add an SA for an IPSEC Encapsulation Security Payload, -specified by the following -transform identifier (\c -.BR 3des , -or -.BR 3des-md5-96 ) -(RFC2406, obsoletes RFC1827) -.TP -.B 3des -encryption transform following the Triple-DES standard in -Cipher-Block-Chaining mode using a 64-bit -.I iv -(internally generated) and a 192-bit 3DES -.I ekey -(RFC2451) -.TP -.B 3des-md5-96 -encryption transform following the Triple-DES standard in -Cipher-Block-Chaining mode with authentication provided by -HMAC and MD5 -(96-bit authenticator), -using a 64-bit -.IR iv -(internally generated), a 192-bit 3DES -.I ekey -and a 128-bit HMAC-MD5 -.I akey -(RFC2451, RFC2403) -.TP -.B 3des-sha1-96 -encryption transform following the Triple-DES standard in -Cipher-Block-Chaining mode with authentication provided by -HMAC and SHA1 -(96-bit authenticator), -using a 64-bit -.IR iv -(internally generated), a 192-bit 3DES -.I ekey -and a 160-bit HMAC-SHA1 -.I akey -(RFC2451, RFC2404) -.TP -.BR \-\-replay_window " replayw" -sets the replay window size; valid values are decimal, 1 to 64 -.TP -.BR \-\-life " life_param[,life_param]" -sets the lifetime expiry; the format of -.B life_param -consists of a comma-separated list of lifetime specifications without spaces; -a lifetime specification is comprised of a severity of -.BR soft " or " hard -followed by a '-', followed by a lifetime type of -.BR allocations ", " bytes ", " addtime ", " usetime " or " packets -followed by an '=' and finally by a value -.TP -.B \-\-comp -add an SA for IPSEC IP Compression, -specified by the following -transform identifier (\c -.BR deflate ) -(RFC2393) -.TP -.B deflate -compression transform following the patent-free Deflate compression algorithm -(RFC2394) -.TP -.B \-\-ip4 -add an SA for an IPv4-in-IPv4 -tunnel from -.I encap-src -to -.I encap-dst -.TP -.B \-\-ip6 -add an SA for an IPv6-in-IPv6 -tunnel from -.I encap-src -to -.I encap-dst -.TP -.B \-\-src -specify the source end of an IP-in-IP tunnel from -.I encap-src -to -.I encap-dst -and also specifies the source address of the Security Association to be -used in inbound policy checking and must be the same address -family as -.I af -and -.I edst -.TP -.B \-\-dst -specify the destination end of an IP-in-IP tunnel from -.I encap-src -to -.I encap-dst -.TP -.B \-\-del -delete the specified SA -.TP -.BR \-\-clear -clears the table of -.BR SA s -.TP -.BR \-\-help -display synopsis -.TP -.BR \-\-version -display version information -.SH EXAMPLES -To keep line lengths down and reduce clutter, -some of the long keys in these examples have been abbreviated -by replacing part of their text with -.RI `` ... ''. -Keys used when the programs are actually run must, -of course, be the full length required for the particular algorithm. -.LP -.B "ipsec spi \-\-af inet \-\-edst gw2 \-\-spi 0x125 \-\-proto esp \e" -.br -.B " \-\-src gw1 \e" -.br -.B " \-\-esp 3des\-md5\-96 \e" -.br -.BI "\ \ \ \-\-enckey\ 0x6630" "..." "97ce\ \e" -.br -.BI " \-\-authkey 0x9941" "..." "71df" -.LP -sets up an SA from -.BR gw1 -to -.BR gw2 -with an SPI of -.BR 0x125 -and protocol -.BR ESP -(50) using -.BR 3DES -encryption with integral -.BR MD5-96 -authentication transform, using an encryption key of -.BI 0x6630 ... 97ce -and an authentication key of -.BI 0x9941 ... 71df -(see note above about abbreviated keys). -.LP -.B "ipsec spi \-\-af inet6 \-\-edst 3049:9::9000:3100 \-\-spi 0x150 \-\-proto ah \e" -.br -.B " \-\-src 3049:9::9000:3101 \e" -.br -.B " \-\-ah hmac\-md5\-96 \e" -.br -.BI "\ \ \ \-\-authkey\ 0x1234" "..." "2eda\ \e" -.LP -sets up an SA from -.BR 3049:9::9000:3101 -to -.BR 3049:9::9000:3100 -with an SPI of -.BR 0x150 -and protocol -.BR AH -(50) using -.BR MD5-96 -authentication transform, using an authentication key of -.BI 0x1234 ... 2eda -(see note above about abbreviated keys). -.LP -.B "ipsec spi \-\-said tun.987@192.168.100.100 \-\-del " -.LP -deletes an SA to -.BR 192.168.100.100 -with an SPI of -.BR 0x987 -and protocol -.BR IPv4-in-IPv4 -(4). -.LP -.B "ipsec spi \-\-said tun:500@3049:9::1000:1 \-\-del " -.LP -deletes an SA to -.BR 3049:9::1000:1 -with an SPI of -.BR 0x500 -and protocol -.BR IPv6-in-IPv6 -(4). -.LP -.SH FILES -/proc/net/ipsec_spi, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8), -ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_spi(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. -.SH BUGS -The syntax is messy and the transform naming needs work. -.\" -.\" $Log: spi.8,v $ -.\" Revision 1.1 2004/03/15 20:35:31 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.32 2002/04/24 07:35:40 mcr -.\" Moved from ./klips/utils/spi.8,v -.\" -.\" Revision 1.31 2001/11/06 20:18:47 rgb -.\" Added lifetime parameters. -.\" -.\" Revision 1.30 2001/10/24 03:23:32 rgb -.\" Added lifetime option and parameters. -.\" -.\" Revision 1.29 2001/05/30 08:14:04 rgb -.\" Removed vestiges of esp-null transforms. -.\" -.\" Revision 1.28 2000/11/29 19:15:20 rgb -.\" Add --src requirement for inbound policy routing. -.\" -.\" Revision 1.27 2000/09/17 18:56:48 rgb -.\" Added IPCOMP support. -.\" -.\" Revision 1.26 2000/09/13 15:54:32 rgb -.\" Added Gerhard's ipv6 updates. -.\" -.\" Revision 1.25 2000/09/12 22:36:45 rgb -.\" Gerhard's IPv6 support. -.\" -.\" Revision 1.24 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.23 2000/06/21 16:54:57 rgb -.\" Added 'no additional args' text for listing contents of -.\" /proc/net/ipsec_* files. -.\" -.\" Revision 1.22 1999/08/11 08:35:16 rgb -.\" Update, deleting references to obsolete and insecure algorithms. -.\" -.\" Revision 1.21 1999/07/19 18:53:55 henry -.\" improve font usage in key abbreviations -.\" -.\" Revision 1.20 1999/07/19 18:50:09 henry -.\" fix slightly-misformed comments -.\" abbreviate long keys to avoid long-line complaints -.\" -.\" Revision 1.19 1999/04/06 04:54:38 rgb -.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes -.\" patch shell fixes. -.\" diff --git a/programs/spi/spi.c b/programs/spi/spi.c deleted file mode 100644 index 369d556c7..000000000 --- a/programs/spi/spi.c +++ /dev/null @@ -1,1689 +0,0 @@ -/* - * All-in-one program to set Security Association parameters - * Copyright (C) 1996 John Ioannidis. - * Copyright (C) 1997, 1998, 1999, 2000, 2001, 2002 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -char spi_c_version[] = "RCSID $Id: spi.c,v 1.7 2004/10/14 20:03:26 as Exp $"; - -#include <asm/types.h> -#include <sys/types.h> -#include <sys/ioctl.h> -/* #include <linux/netdevice.h> */ -#include <net/if.h> -/* #include <linux/types.h> */ /* new */ -#include <sys/stat.h> -#include <fcntl.h> -#include <string.h> -#include <errno.h> - -/* #include <sys/socket.h> */ - -#include <netinet/in.h> -#include <arpa/inet.h> -/* #include <linux/ip.h> */ -#include <netdb.h> - -#include <unistd.h> -#include <getopt.h> -#include <ctype.h> -#include <stdio.h> -#include <stdlib.h> -#include <freeswan.h> -#if 0 -#include <linux/autoconf.h> /* CONFIG_IPSEC_PFKEYv2 */ -#endif - #include <signal.h> - #include <sys/socket.h> - #include <pfkeyv2.h> - #include <pfkey.h> - -#include "freeswan/radij.h" -#include "freeswan/ipsec_encap.h" -#include "freeswan/ipsec_xform.h" -#include "freeswan/ipsec_ipe4.h" -#include "freeswan/ipsec_ah.h" -#include "freeswan/ipsec_esp.h" -#include "freeswan/ipsec_sa.h" /* IPSEC_SAREF_NULL */ - -/* - * Manual conn support for ipsec_alg (modular algos). - * Rather ugly to include from pluto dir but avoids - * code duplication. - */ -#ifndef NO_KERNEL_ALG -#include "../pluto/alg_info.h" -#include "../pluto/constants.h" -struct connection; -#include "../pluto/kernel_alg.h" -#endif /* NO_KERNEL_ALG */ - -char *program_name; -int debug = 0; -int saref = 0; -char *command; -extern char *optarg; -extern int optind, opterr, optopt; -char scratch[2]; -char *iv = NULL, *enckey = NULL, *authkey = NULL; -size_t ivlen = 0, enckeylen = 0, authkeylen = 0; -ip_address edst, dst, src; -int address_family = 0; -unsigned char proto = 0; -int alg = 0; - -#ifndef NO_KERNEL_ALG -/* - * Manual connection support for modular algos (ipsec_alg) --Juanjo. - */ -#define XF_OTHER_ALG (XF_CLR-1) /* define magic XF_ symbol for alg_info's */ -#include <assert.h> -const char *alg_string = NULL; /* algorithm string */ -struct alg_info_esp *alg_info = NULL; /* algorithm info got from string */ -struct esp_info *esp_info = NULL; /* esp info from 1st (only) element */ -const char *alg_err; /* auxiliar for parsing errors */ -int proc_read_ok = 0; /* /proc/net/pf_key_support read ok */ -#endif /* NO_KERNEL_ALG */ - -int replay_window = 0; -char sa[SATOT_BUF]; - -extern unsigned int pfkey_lib_debug; /* used by libfreeswan/pfkey_v2_build */ -int pfkey_sock; -fd_set pfkey_socks; -uint32_t pfkey_seq = 0; -enum life_severity { - life_soft = 0, - life_hard = 1, - life_maxsever = 2 -}; -enum life_type { - life_alloc = 0, - life_bytes = 1, - life_addtime = 2, - life_usetime = 3, - life_packets = 4, - life_maxtype = 5 -}; - -#define streql(_a,_b) (!strcmp((_a),(_b))) - -static const char *usage_string = "\ -Usage:\n\ - in the following, <SA> is: --af <inet | inet6> --edst <dstaddr> --spi <spi> --proto <proto>\n\ - OR: --said <proto><.|:><spi>@<dstaddr>\n\ - <life> is: --life <soft|hard>-<allocations|bytes|addtime|usetime|packets>=<value>[,...]\n\ -spi --clear\n\ -spi --help\n\ -spi --version\n\ -spi\n\ -spi --del <SA>\n\ -spi --ip4 <SA> --src <encap-src> --dst <encap-dst>\n\ -spi --ip6 <SA> --src <encap-src> --dst <encap-dst>\n\ -spi --ah <algo> <SA> [<life> ][ --replay_window <replay_window> ] --authkey <key>\n\ - where <algo> is one of: hmac-md5-96 | hmac-sha1-96\n\ -spi --esp <algo> <SA> [<life> ][ --replay_window <replay-window> ] --enckey <ekey> --authkey <akey>\n\ - where <algo> is one of: 3des-md5-96 | 3des-sha1-96\n\ -spi --esp <algo> <SA> [<life> ][ --replay_window <replay-window> ] --enckey <ekey>\n\ - where <algo> is: 3des\n\ -spi --comp <algo> <SA>\n\ - where <algo> is: deflate\n\ -[ --debug ] is optional to any spi command.\n\ -[ --label <label> ] is optional to any spi command.\n\ -[ --listenreply ] is optional, and causes the command to stick\n\ - around and listen to what the PF_KEY socket says.\n\ -"; - - -static void -usage(char *s, FILE *f) -{ - /* s argument is actually ignored, at present */ - fprintf(f, "%s:%s", s, usage_string); - exit(-1); -} - -int -parse_life_options(uint32_t life[life_maxsever][life_maxtype], - char *life_opt[life_maxsever][life_maxtype], - char *optarg) -{ - char *optargp = optarg; - char *endptr; - - do { - int life_severity, life_type; - char *optargt = optargp; - - if(strncmp(optargp, "soft", sizeof("soft")-1) == 0) { - life_severity = life_soft; - optargp += sizeof("soft")-1; - } else if(strncmp(optargp, "hard", sizeof("hard")-1) == 0) { - life_severity = life_hard; - optargp += sizeof("hard")-1; - } else { - fprintf(stderr, - "%s: missing lifetime severity in %s, optargt=0p%p, optargp=0p%p, sizeof(\"soft\")=%d\n", - program_name, - optargt, - optargt, - optargp, - (int)sizeof("soft")); - usage(program_name, stderr); - return(1); - } - if(debug) { - fprintf(stdout, - "%s: debug: life_severity=%d, optargt=0p%p=\"%s\", optargp=0p%p=\"%s\", sizeof(\"soft\")=%d\n", - program_name, - life_severity, - optargt, - optargt, - optargp, - optargp, - (int)sizeof("soft")); - } - if(*(optargp++) != '-') { - fprintf(stderr, - "%s: expected '-' after severity of lifetime parameter to --life option.\n", - program_name); - usage(program_name, stderr); - return(1); - } - if(debug) { - fprintf(stdout, - "%s: debug: optargt=0p%p=\"%s\", optargp=0p%p=\"%s\", strlen(optargt)=%d, strlen(optargp)=%d, strncmp(optargp, \"addtime\", sizeof(\"addtime\")-1)=%d\n", - program_name, - optargt, - optargt, - optargp, - optargp, - (int)strlen(optargt), - (int)strlen(optargp), - strncmp(optargp, "addtime", sizeof("addtime")-1)); - } - if(strncmp(optargp, "allocations", sizeof("allocations")-1) == 0) { - life_type = life_alloc; - optargp += sizeof("allocations")-1; - } else if(strncmp(optargp, "bytes", sizeof("bytes")-1) == 0) { - life_type = life_bytes; - optargp += sizeof("bytes")-1; - } else if(strncmp(optargp, "addtime", sizeof("addtime")-1) == 0) { - life_type = life_addtime; - optargp += sizeof("addtime")-1; - } else if(strncmp(optargp, "usetime", sizeof("usetime")-1) == 0) { - life_type = life_usetime; - optargp += sizeof("usetime")-1; - } else if(strncmp(optargp, "packets", sizeof("packets")-1) == 0) { - life_type = life_packets; - optargp += sizeof("packets")-1; - } else { - fprintf(stderr, - "%s: missing lifetime type after '-' in %s\n", - program_name, - optargt); - usage(program_name, stderr); - return(1); - } - if(debug) { - fprintf(stdout, - "%s: debug: life_type=%d\n", - program_name, - life_type); - } - if(life_opt[life_severity][life_type] != NULL) { - fprintf(stderr, - "%s: Error, lifetime parameter redefined:%s, already defined as:0p%p\n", - program_name, - optargt, - life_opt[life_severity][life_type]); - return(1); - } - if(*(optargp++) != '=') { - fprintf(stderr, - "%s: expected '=' after type of lifetime parameter to --life option.\n", - program_name); - usage(program_name, stderr); - return(1); - } - if(debug) { - fprintf(stdout, - "%s: debug: optargt=0p%p, optargt+strlen(optargt)=0p%p, optargp=0p%p, strlen(optargp)=%d\n", - program_name, - optargt, - optargt+strlen(optargt), - optargp, - (int)strlen(optargp)); - } - if(strlen(optargp) == 0) { - fprintf(stderr, - "%s: expected value after '=' in --life option. optargt=0p%p, optargt+strlen(optargt)=0p%p, optargp=0p%p\n", - program_name, - optargt, - optargt+strlen(optargt), - optargp); - usage(program_name, stderr); - return(1); - } - life[life_severity][life_type] = strtoul(optargp, &endptr, 0); - - if(!((endptr == optargp + strlen(optargp)) || (endptr == optargp + strcspn(optargp, ", ")))) { - fprintf(stderr, - "%s: Invalid character='%c' at offset %d in lifetime option parameter: '%s', parameter string is %d characters long, %d valid value characters found.\n", - program_name, - *endptr, - (int)(endptr - optarg), - optarg, - (int)strlen(optarg), - (int)(strcspn(optargp, ", ") - 1)); - return(1); - } - life_opt[life_severity][life_type] = optargt; - if(debug) { - fprintf(stdout, "%s lifetime %s set to %d.\n", - program_name, optargt, life[life_severity][life_type]); - } - optargp=endptr+1; - } while(*endptr==',' || isspace(*endptr)); - - return(0); -} - -int -pfkey_register(uint8_t satype) { - /* for registering SA types that can be negotiated */ - int error; - ssize_t wlen; - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - struct sadb_msg *pfkey_msg; - - pfkey_extensions_init(extensions); - error = pfkey_msg_hdr_build(&extensions[0], - SADB_REGISTER, - satype, - 0, - ++pfkey_seq, - getpid()); - if(error != 0) { - fprintf(stderr, "%s: Trouble building message header, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - return(1); - } - - error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN); - if(error != 0) { - fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - return(1); - } - wlen = write(pfkey_sock, pfkey_msg, - pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN); - if(wlen != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) { - /* cleanup code here */ - if(wlen < 0) - fprintf(stderr, "%s: Trouble writing to channel PF_KEY: %s\n", - program_name, - strerror(errno)); - else - fprintf(stderr, "%s: write to channel PF_KEY truncated.\n", - program_name); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - return(1); - } - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - - return(0); -} - -static struct option const longopts[] = -{ - {"ah", 1, 0, 'H'}, - {"esp", 1, 0, 'P'}, - {"comp", 1, 0, 'Z'}, - {"ip4", 0, 0, '4'}, - {"ip6", 0, 0, '6'}, - {"del", 0, 0, 'd'}, - - {"authkey", 1, 0, 'A'}, - {"enckey", 1, 0, 'E'}, - {"edst", 1, 0, 'e'}, - {"spi", 1, 0, 's'}, - {"proto", 1, 0, 'p'}, - {"af", 1, 0, 'a'}, - {"replay_window", 1, 0, 'w'}, - {"iv", 1, 0, 'i'}, - {"dst", 1, 0, 'D'}, - {"src", 1, 0, 'S'}, - {"said", 1, 0, 'I'}, - - {"help", 0, 0, 'h'}, - {"version", 0, 0, 'v'}, - {"clear", 0, 0, 'c'}, - {"label", 1, 0, 'l'}, - {"debug", 0, 0, 'g'}, - {"optionsfrom", 1, 0, '+'}, - {"life", 1, 0, 'f'}, - {"saref", 0, 0, 'r'}, - {"listenreply", 0, 0, 'R'}, - {0, 0, 0, 0} -}; - -int -main(int argc, char *argv[]) -{ - char *endptr; - __u32 spi = 0; - int c, previous = -1; -/* int ret; */ - ip_said said; - size_t sa_len; - const char* error_s; - char ipaddr_txt[ADDRTOT_BUF]; - char ipsaid_txt[SATOT_BUF]; - - int error = 0; - ssize_t io_error; - int argcount = argc; - pid_t mypid; - int listenreply = 0; - - unsigned char authalg, encryptalg; - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - struct sadb_msg *pfkey_msg; - char *iv_opt, *akey_opt, *ekey_opt, *alg_opt, *edst_opt, *spi_opt, *proto_opt, *af_opt, *said_opt, *dst_opt, *src_opt; -#if 0 - ip_address pfkey_address_p_ska; - ip_address pfkey_ident_s_ska; - ip_address pfkey_ident_d_ska; -#endif - uint32_t life[life_maxsever][life_maxtype]; - char *life_opt[life_maxsever][life_maxtype]; - - program_name = argv[0]; - mypid = getpid(); - - memset(&said, 0, sizeof(said)); - iv_opt = akey_opt = ekey_opt = alg_opt = edst_opt = spi_opt = proto_opt = af_opt = said_opt = dst_opt = src_opt = NULL; - { - int i,j; - for(i = 0; i < life_maxsever; i++) { - for(j = 0; j < life_maxtype; j++) { - life_opt[i][j] = NULL; - life[i][j] = 0; - } - } - } - - while((c = getopt_long(argc, argv, ""/*"H:P:Z:46dcA:E:e:s:a:w:i:D:S:hvgl:+:f:"*/, longopts, 0)) != EOF) { - switch(c) { - case 'g': - debug = 1; - pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX; - argcount--; - break; - - case 'R': - listenreply = 1; - argcount--; - break; - - case 'r': - saref = 1; - argcount--; - break; - - case 'l': - program_name = malloc(strlen(argv[0]) - + 10 /* update this when changing the sprintf() */ - + strlen(optarg)); - sprintf(program_name, "%s --label %s", - argv[0], - optarg); - argcount -= 2; - break; - case 'H': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - if (!strcmp(optarg, "hmac-md5-96")) { - alg = XF_AHHMACMD5; - } else if(!strcmp(optarg, "hmac-sha1-96")) { - alg = XF_AHHMACSHA1; - } else { - fprintf(stderr, "%s: Unknown authentication algorithm '%s' follows '--ah' option.\n", - program_name, optarg); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case 'P': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - if (!strcmp(optarg, "3des-md5-96")) { - alg = XF_ESP3DESMD596; - } else if(!strcmp(optarg, "3des-sha1-96")) { - alg = XF_ESP3DESSHA196; - } else if(!strcmp(optarg, "3des")) { - alg = XF_ESP3DES; -#ifndef NO_KERNEL_ALG - } else if((alg_info=alg_info_esp_create_from_str(optarg, &alg_err))) { - int esp_ealg_id, esp_aalg_id; - alg = XF_OTHER_ALG; - if (alg_info->alg_info_cnt>1) { - fprintf(stderr, "%s: Invalid encryption algorithm '%s' " - "follows '--esp' option: lead too many(%d) " - "transforms\n", - program_name, optarg, alg_info->alg_info_cnt); - exit(1); - } - alg_string=optarg; - esp_info=&alg_info->esp[0]; - if (debug) { - fprintf(stdout, "%s: alg_info: cnt=%d ealg[0]=%d aalg[0]=%d\n", - program_name, - alg_info->alg_info_cnt, - esp_info->encryptalg, - esp_info->authalg); - } - esp_ealg_id=esp_info->esp_ealg_id; - esp_aalg_id=esp_info->esp_aalg_id; - if (kernel_alg_proc_read()==0) { - proc_read_ok++; - if (!kernel_alg_esp_enc_ok(esp_ealg_id, 0, 0)) - { - fprintf(stderr, "%s: ESP encryptalg=%d (\"%s\") " - "not present\n", - program_name, - esp_ealg_id, - enum_name(&esp_transformid_names, esp_ealg_id)); - exit(1); - } - if (!kernel_alg_esp_auth_ok(esp_aalg_id, 0)) - { - fprintf(stderr, "%s: ESP authalg=%d (\"%s\")" - "not present\n", - program_name, - esp_aalg_id, - enum_name(&auth_alg_names, esp_aalg_id)); - exit(1); - } - } -#endif /* NO_KERNEL_ALG */ - } else { - fprintf(stderr, "%s: Invalid encryption algorithm '%s' follows '--esp' option.\n", - program_name, optarg); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case 'Z': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - if (!strcmp(optarg, "deflate")) { - alg = XF_COMPDEFLATE; - } else { - fprintf(stderr, "%s: Unknown compression algorithm '%s' follows '--comp' option.\n", - program_name, optarg); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case '4': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - alg = XF_IP4; - address_family = AF_INET; - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case '6': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - alg = XF_IP6; - address_family = AF_INET6; - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case 'd': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - alg = XF_DEL; - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case 'c': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - alg = XF_CLR; - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case 'e': - if(said_opt) { - fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined in SA:%s\n", - program_name, optarg, said_opt); - exit (1); - } - if(edst_opt) { - fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined as:%s\n", - program_name, optarg, edst_opt); - exit (1); - } - error_s = ttoaddr(optarg, 0, address_family, &edst); - if(error_s != NULL) { - if(error_s) { - fprintf(stderr, "%s: Error, %s converting --edst argument:%s\n", - program_name, error_s, optarg); - exit (1); - } - } - edst_opt = optarg; - if(debug) { - addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: edst=%s.\n", - program_name, - ipaddr_txt); - } - break; - case 's': - if(said_opt) { - fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined in SA:%s\n", - program_name, optarg, said_opt); - exit (1); - } - if(spi_opt) { - fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined as:%s\n", - program_name, optarg, spi_opt); - exit (1); - } - spi = strtoul(optarg, &endptr, 0); - if(!(endptr == optarg + strlen(optarg))) { - fprintf(stderr, "%s: Invalid character in SPI parameter: %s\n", - program_name, optarg); - exit (1); - } - if(spi < 0x100) { - fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than 0x100.\n", - program_name, optarg, spi); - exit(1); - } - spi_opt = optarg; - break; - case 'p': - if(said_opt) { - fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined in SA:%s\n", - program_name, optarg, said_opt); - exit (1); - } - if(proto_opt) { - fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined as:%s\n", - program_name, optarg, proto_opt); - exit (1); - } - if(!strcmp(optarg, "ah")) - proto = SA_AH; - if(!strcmp(optarg, "esp")) - proto = SA_ESP; - if(!strcmp(optarg, "tun")) - proto = SA_IPIP; - if(!strcmp(optarg, "comp")) - proto = SA_COMP; - if(proto == 0) { - fprintf(stderr, "%s: Invalid PROTO parameter: %s\n", - program_name, optarg); - exit (1); - } - proto_opt = optarg; - break; - case 'a': - if(said_opt) { - fprintf(stderr, "%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined in SA:%s\n", - program_name, optarg, said_opt); - exit (1); - } - if(af_opt) { - fprintf(stderr, "%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined as:%s\n", - program_name, optarg, af_opt); - exit (1); - } - if(strcmp(optarg, "inet") == 0) { - address_family = AF_INET; - /* currently we ensure that all addresses belong to the same address family */ - anyaddr(address_family, &dst); - anyaddr(address_family, &edst); - anyaddr(address_family, &src); - } - if(strcmp(optarg, "inet6") == 0) { - address_family = AF_INET6; - /* currently we ensure that all addresses belong to the same address family */ - anyaddr(address_family, &dst); - anyaddr(address_family, &edst); - anyaddr(address_family, &src); - } - if((strcmp(optarg, "inet") != 0) && (strcmp(optarg, "inet6") != 0)) { - fprintf(stderr, "%s: Invalid ADDRESS FAMILY parameter: %s.\n", - program_name, optarg); - exit (1); - } - af_opt = optarg; - break; - case 'I': - if(said_opt) { - fprintf(stderr, "%s: Error, SAID parameter redefined:%s, already defined in SA:%s\n", - program_name, optarg, said_opt); - exit (1); - } - if(proto_opt) { - fprintf(stderr, "%s: Error, PROTO parameter redefined in SA:%s, already defined as:%s\n", - program_name, optarg, proto_opt); - exit (1); - } - if(edst_opt) { - fprintf(stderr, "%s: Error, EDST parameter redefined in SA:%s, already defined as:%s\n", - program_name, optarg, edst_opt); - exit (1); - } - if(spi_opt) { - fprintf(stderr, "%s: Error, SPI parameter redefined in SA:%s, already defined as:%s\n", - program_name, optarg, spi_opt); - exit (1); - } - error_s = ttosa(optarg, 0, &said); - if(error_s != NULL) { - fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n", - program_name, error_s, optarg); - exit (1); - } - if(debug) { - satot(&said, 0, ipsaid_txt, sizeof(ipsaid_txt)); - fprintf(stdout, "%s: said=%s.\n", - program_name, - ipsaid_txt); - } - /* init the src and dst with the same address family */ - if(address_family == 0) { - address_family = addrtypeof(&said.dst); - } else if(address_family != addrtypeof(&said.dst)) { - fprintf(stderr, "%s: Error, specified address family (%d) is different that of SAID: %s\n", - program_name, address_family, optarg); - exit (1); - } - anyaddr(address_family, &dst); - anyaddr(address_family, &edst); - anyaddr(address_family, &src); - said_opt = optarg; - break; - case 'A': - if(optarg[0] == '0') { - switch(optarg[1]) { - case 't': - case 'x': - case 's': - break; - default: - fprintf(stderr, "%s: Authentication key must have a '0x', '0t' or '0s' prefix to select the format: %s\n", - program_name, optarg); - exit(1); - } - } - authkeylen = atodata(optarg, 0, NULL, 0); - if(!authkeylen) { - fprintf(stderr, "%s: unknown format or syntax error in authentication key: %s\n", - program_name, optarg); - exit (1); - } - authkey = malloc(authkeylen); - if(authkey == NULL) { - fprintf(stderr, "%s: Memory allocation error.\n", program_name); - exit(1); - } - memset(authkey, 0, authkeylen); - authkeylen = atodata(optarg, 0, authkey, authkeylen); - akey_opt = optarg; - break; - case 'E': - if(optarg[0] == '0') { - switch(optarg[1]) { - case 't': - case 'x': - case 's': - break; - default: - fprintf(stderr, "%s: Encryption key must have a '0x', '0t' or '0s' prefix to select the format: %s\n", - program_name, optarg); - exit(1); - } - } - enckeylen = atodata(optarg, 0, NULL, 0); - if(!enckeylen) { - fprintf(stderr, "%s: unknown format or syntax error in encryption key: %s\n", - program_name, optarg); - exit (1); - } - enckey = malloc(enckeylen); - if(enckey == NULL) { - fprintf(stderr, "%s: Memory allocation error.\n", program_name); - exit(1); - } - memset(enckey, 0, enckeylen); - enckeylen = atodata(optarg, 0, enckey, enckeylen); - ekey_opt = optarg; - break; - case 'w': - replay_window = strtoul(optarg, &endptr, 0); - if(!(endptr == optarg + strlen(optarg))) { - fprintf(stderr, "%s: Invalid character in replay_window parameter: %s\n", - program_name, optarg); - exit (1); - } - if((replay_window < 0x1) || (replay_window > 64)) { - fprintf(stderr, "%s: Failed -- Illegal window size: arg=%s, replay_window=%d, must be 1 <= size <= 64.\n", - program_name, optarg, replay_window); - exit(1); - } - break; - case 'i': - if(optarg[0] == '0') { - switch(optarg[1]) { - case 't': - case 'x': - case 's': - break; - default: - fprintf(stderr, "%s: IV must have a '0x', '0t' or '0s' prefix to select the format, found '%c'.\n", - program_name, optarg[1]); - exit(1); - } - } - ivlen = atodata(optarg, 0, NULL, 0); - if(!ivlen) { - fprintf(stderr, "%s: unknown format or syntax error in IV: %s\n", - program_name, optarg); - exit (1); - } - iv = malloc(ivlen); - if(iv == NULL) { - fprintf(stderr, "%s: Memory allocation error.\n", program_name); - exit(1); - } - memset(iv, 0, ivlen); - ivlen = atodata(optarg, 0, iv, ivlen); - iv_opt = optarg; - break; - case 'D': - if(dst_opt) { - fprintf(stderr, "%s: Error, DST parameter redefined:%s, already defined as:%s\n", - program_name, optarg, dst_opt); - exit (1); - } - error_s = ttoaddr(optarg, 0, address_family, &dst); - if(error_s != NULL) { - fprintf(stderr, "%s: Error, %s converting --dst argument:%s\n", - program_name, error_s, optarg); - exit (1); - } - dst_opt = optarg; - if(debug) { - addrtot(&dst, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: dst=%s.\n", - program_name, - ipaddr_txt); - } - break; - case 'S': - if(src_opt) { - fprintf(stderr, "%s: Error, SRC parameter redefined:%s, already defined as:%s\n", - program_name, optarg, src_opt); - exit (1); - } - error_s = ttoaddr(optarg, 0, address_family, &src); - if(error_s != NULL) { - fprintf(stderr, "%s: Error, %s converting --src argument:%s\n", - program_name, error_s, optarg); - exit (1); - } - src_opt = optarg; - if(debug) { - addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: src=%s.\n", - program_name, - ipaddr_txt); - } - break; - case 'h': - usage(program_name, stdout); - exit(0); - case '?': - usage(program_name, stderr); - exit(1); - case 'v': - fprintf(stdout, "%s, %s\n", program_name, spi_c_version); - exit(1); - case '+': /* optionsfrom */ - optionsfrom(optarg, &argc, &argv, optind, stderr); - /* no return on error */ - break; - case 'f': - if(parse_life_options(life, - life_opt, - optarg) != 0) { - exit(1); - }; - break; - default: - fprintf(stderr, "%s: unrecognized option '%c', update option processing.\n", - program_name, c); - exit(1); - } - previous = c; - } - if(debug) { - fprintf(stdout, "%s: All options processed.\n", - program_name); - } - - if(argcount == 1) { - system("cat /proc/net/ipsec_spi"); - exit(0); - } - - switch(alg) { -#ifndef NO_KERNEL_ALG - case XF_OTHER_ALG: - /* validate keysizes */ - if (proc_read_ok) { - const struct sadb_alg *alg_p; - size_t keylen, minbits, maxbits; - - alg_p=kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,SADB_EXT_SUPPORTED_ENCRYPT, - esp_info->encryptalg); - assert(alg_p); - keylen=enckeylen * 8; - - if (alg_p->sadb_alg_id==ESP_3DES || alg_p->sadb_alg_id==ESP_DES) { - maxbits=minbits=alg_p->sadb_alg_minbits * 8 /7; - } else { - minbits=alg_p->sadb_alg_minbits; - maxbits=alg_p->sadb_alg_maxbits; - } - /* - * if explicit keylen told in encrypt algo, eg "aes128" - * check actual keylen "equality" - */ - if (esp_info->esp_ealg_keylen && - esp_info->esp_ealg_keylen!=keylen) { - fprintf(stderr, "%s: invalid encryption keylen=%d, " - "required %d by encrypt algo string=\"%s\"\n", - program_name, - (int)keylen, - (int)esp_info->esp_ealg_keylen, - alg_string); - exit(1); - - } - /* thanks DES for this sh*t */ - - if (minbits > keylen || maxbits < keylen) { - fprintf(stderr, "%s: invalid encryption keylen=%d, " - "must be between %d and %d bits\n", - program_name, - (int)keylen, (int)minbits, (int)maxbits); - exit(1); - } - alg_p=kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,SADB_EXT_SUPPORTED_AUTH, - esp_info->authalg); - assert(alg_p); - keylen=authkeylen * 8; - minbits=alg_p->sadb_alg_minbits; - maxbits=alg_p->sadb_alg_maxbits; - if (minbits > keylen || maxbits < keylen) { - fprintf(stderr, "%s: invalid auth keylen=%d, " - "must be between %d and %d bits\n", - program_name, - (int)keylen, (int)minbits, (int)maxbits); - exit(1); - } - - } -#endif /* NO_KERNEL_ALG */ - case XF_IP4: - case XF_IP6: - case XF_DEL: - case XF_AHHMACMD5: - case XF_AHHMACSHA1: - case XF_ESP3DESMD596: - case XF_ESP3DESSHA196: - case XF_ESP3DES: - case XF_COMPDEFLATE: - if(!said_opt) { - if(isanyaddr(&edst)) { - fprintf(stderr, "%s: SA destination not specified.\n", - program_name); - exit(1); - } - if(!spi) { - fprintf(stderr, "%s: SA SPI not specified.\n", - program_name); - exit(1); - } - if(!proto) { - fprintf(stderr, "%s: SA PROTO not specified.\n", - program_name); - exit(1); - } - initsaid(&edst, htonl(spi), proto, &said); - } else { - proto = said.proto; - spi = ntohl(said.spi); - edst = said.dst; - } - if((address_family != 0) && (address_family != addrtypeof(&said.dst))) { - fprintf(stderr, "%s: Defined address family and address family of SA missmatch.\n", - program_name); - exit(1); - } - sa_len = satot(&said, 0, sa, sizeof(sa)); - - if(debug) { - fprintf(stdout, "%s: SA valid.\n", - program_name); - } - break; - case XF_CLR: - break; - default: - fprintf(stderr, "%s: No action chosen. See '%s --help' for usage.\n", - program_name, program_name); - exit(1); - } - - switch(alg) { - case XF_CLR: - case XF_DEL: - case XF_IP4: - case XF_IP6: - case XF_AHHMACMD5: - case XF_AHHMACSHA1: - case XF_ESP3DESMD596: - case XF_ESP3DESSHA196: - case XF_ESP3DES: - case XF_COMPDEFLATE: -#ifndef NO_KERNEL_ALG - case XF_OTHER_ALG: -#endif /* NO_KERNEL_ALG */ - break; - default: - fprintf(stderr, "%s: No action chosen. See '%s --help' for usage.\n", - program_name, program_name); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: Algorithm ok.\n", - program_name); - } - - if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) { - fprintf(stderr, "%s: Trouble opening PF_KEY family socket with error: ", - program_name); - switch(errno) { - case ENOENT: - fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n"); - break; - case EACCES: - fprintf(stderr, "access denied. "); - if(getuid() == 0) { - fprintf(stderr, "Check permissions. Should be 600.\n"); - } else { - fprintf(stderr, "You must be root to open this file.\n"); - } - break; - case EUNATCH: - fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n"); - break; - case ENODEV: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - break; - case EBUSY: - fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n"); - break; - case EINVAL: - fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n"); - break; - case ENOBUFS: - fprintf(stderr, "No kernel memory to allocate SA.\n"); - break; - case ESOCKTNOSUPPORT: - fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n"); - break; - case EEXIST: - fprintf(stderr, "SA already in use. Delete old one first.\n"); - break; - case ENXIO: - fprintf(stderr, "SA does not exist. Cannot delete.\n"); - break; - case EAFNOSUPPORT: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - break; - default: - fprintf(stderr, "Unknown file open error %d. Please report as much detail as possible to development team.\n", errno); - } - exit(1); - } - -#ifdef MANUAL_IS_NOT_ABLE_TO_NEGOTIATE - /* for registering SA types that can be negotiated */ - if(pfkey_register(SADB_SATYPE_AH) != 0) { - exit(1); - } - if(pfkey_register(SADB_SATYPE_ESP) != 0) { - exit(1); - } - if(pfkey_register(SADB_X_SATYPE_IPIP) != 0) { - exit(1); - } - if(pfkey_register(SADB_X_SATYPE_COMP) != 0) { - exit(1); - } -#endif /* MANUAL_IS_NOT_ABLE_TO_NEGOTIATE */ - - /* Build an SADB_ADD message to send down. */ - /* It needs <base, SA, address(SD), key(AE)> minimum. */ - /* Lifetime(HS) could be added before addresses. */ - pfkey_extensions_init(extensions); - if(debug) { - fprintf(stdout, "%s: extensions=0p%p &extensions=0p%p extensions[0]=0p%p &extensions[0]=0p%p cleared.\n", - program_name, - extensions, - &extensions, - extensions[0], - &extensions[0]); - } - if((error = pfkey_msg_hdr_build(&extensions[0], - (alg == XF_DEL ? SADB_DELETE : alg == XF_CLR ? SADB_FLUSH : SADB_ADD), - proto2satype(proto), - 0, - ++pfkey_seq, - mypid))) { - fprintf(stderr, "%s: Trouble building message header, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: extensions=0p%p &extensions=0p%p extensions[0]=0p%p &extensions[0]=0p%p set w/msghdr.\n", - program_name, - extensions, - &extensions, - extensions[0], - &extensions[0]); - } - if(debug) { - fprintf(stdout, "%s: base message assembled.\n", program_name); - } - - switch(alg) { - case XF_AHHMACMD5: - case XF_ESP3DESMD596: - authalg = SADB_AALG_MD5_HMAC; - break; - case XF_AHHMACSHA1: - case XF_ESP3DESSHA196: - authalg = SADB_AALG_SHA1_HMAC; - break; -#ifndef NO_KERNEL_ALG - case XF_OTHER_ALG: - authalg= esp_info->authalg; - if(debug) { - fprintf(stdout, "%s: debug: authalg=%d\n", - program_name, authalg); - } - break; -#endif /* NO_KERNEL_ALG */ - case XF_ESP3DESMD5: - default: - authalg = SADB_AALG_NONE; - } - switch(alg) { - case XF_ESP3DES: - case XF_ESP3DESMD596: - case XF_ESP3DESSHA196: - encryptalg = SADB_EALG_3DES_CBC; - break; - case XF_COMPDEFLATE: - encryptalg = SADB_X_CALG_DEFLATE; - break; -#ifndef NO_KERNEL_ALG - case XF_OTHER_ALG: - encryptalg= esp_info->encryptalg; - if(debug) { - fprintf(stdout, "%s: debug: encryptalg=%d\n", - program_name, encryptalg); - } - break; -#endif /* NO_KERNEL_ALG */ - default: - encryptalg = SADB_EALG_NONE; - } - if(!(alg == XF_CLR /* IE: pfkey_msg->sadb_msg_type == SADB_FLUSH */)) { - if((error = pfkey_sa_build(&extensions[SADB_EXT_SA], - SADB_EXT_SA, - htonl(spi), /* in network order */ - replay_window, - SADB_SASTATE_MATURE, - authalg, - encryptalg, - 0))) { - fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: extensions[0]=0p%p previously set with msg_hdr.\n", - program_name, - extensions[0]); - } - if(debug) { - fprintf(stdout, "%s: assembled SA extension, pfkey msg authalg=%d encalg=%d.\n", - program_name, - authalg, - encryptalg); - } - - if(debug) { - int i,j; - for(i = 0; i < life_maxsever; i++) { - for(j = 0; j < life_maxtype; j++) { - fprintf(stdout, "%s: i=%d, j=%d, life_opt[%d][%d]=0p%p, life[%d][%d]=%d\n", - program_name, - i, j, i, j, life_opt[i][j], i, j, life[i][j]); - } - } - } - if(life_opt[life_soft][life_alloc] != NULL || - life_opt[life_soft][life_bytes] != NULL || - life_opt[life_soft][life_addtime] != NULL || - life_opt[life_soft][life_usetime] != NULL || - life_opt[life_soft][life_packets] != NULL) { - if((error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_SOFT], - SADB_EXT_LIFETIME_SOFT, - life[life_soft][life_alloc],/*-1,*/ /*allocations*/ - life[life_soft][life_bytes],/*-1,*/ /*bytes*/ - life[life_soft][life_addtime],/*-1,*/ /*addtime*/ - life[life_soft][life_usetime],/*-1,*/ /*usetime*/ - life[life_soft][life_packets]/*-1*/))) { /*packets*/ - fprintf(stderr, "%s: Trouble building lifetime_s extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: lifetime_s extension assembled.\n", - program_name); - } - } - - if(life_opt[life_hard][life_alloc] != NULL || - life_opt[life_hard][life_bytes] != NULL || - life_opt[life_hard][life_addtime] != NULL || - life_opt[life_hard][life_usetime] != NULL || - life_opt[life_hard][life_packets] != NULL) { - if((error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_HARD], - SADB_EXT_LIFETIME_HARD, - life[life_hard][life_alloc],/*-1,*/ /*allocations*/ - life[life_hard][life_bytes],/*-1,*/ /*bytes*/ - life[life_hard][life_addtime],/*-1,*/ /*addtime*/ - life[life_hard][life_usetime],/*-1,*/ /*usetime*/ - life[life_hard][life_packets]/*-1*/))) { /*packets*/ - fprintf(stderr, "%s: Trouble building lifetime_h extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: lifetime_h extension assembled.\n", - program_name); - } - } - - if(debug) { - addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: assembling address_s extension (%s).\n", - program_name, ipaddr_txt); - } - - if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC], - SADB_EXT_ADDRESS_SRC, - 0, - 0, - sockaddrof(&src)))) { - addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n", - program_name, ipaddr_txt, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - ip_address temp_addr; - - switch(address_family) { - case AF_INET: - initaddr((const unsigned char *)&(((struct sockaddr_in*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_SRC])) + 1))->sin_addr), - sockaddrlenof(&src), address_family, &temp_addr); - break; - case AF_INET6: - initaddr((const unsigned char *)&(((struct sockaddr_in6*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_SRC])) + 1))->sin6_addr), - sockaddrlenof(&src), address_family, &temp_addr); - break; - default: - fprintf(stdout, "%s: unknown address family (%d).\n", - program_name, address_family); - exit(1); - } - addrtot(&temp_addr, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: address_s extension assembled (%s).\n", - program_name, ipaddr_txt); - } - - if(debug) { - addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: assembling address_d extension (%s).\n", - program_name, ipaddr_txt); - } - - if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST], - SADB_EXT_ADDRESS_DST, - 0, - 0, - sockaddrof(&edst)))) { - addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n", - program_name, ipaddr_txt, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - ip_address temp_addr; - switch(address_family) { - case AF_INET: - initaddr((const unsigned char *)&(((struct sockaddr_in*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_DST])) + 1))->sin_addr), - 4, address_family, &temp_addr); - break; - case AF_INET6: - initaddr((const unsigned char *)&(((struct sockaddr_in6*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_DST])) + 1))->sin6_addr), - 16, address_family, &temp_addr); - break; - default: - fprintf(stdout, "%s: unknown address family (%d).\n", - program_name, address_family); - exit(1); - } - addrtot(&temp_addr, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: address_d extension assembled (%s).\n", - program_name, ipaddr_txt); - } - -#if PFKEY_PROXY - anyaddr(address_family, &pfkey_address_p_ska); - if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_PROXY], - SADB_EXT_ADDRESS_PROXY, - 0, - 0, - sockaddrof(&pfkey_address_p_ska)))) { - fprintf(stderr, "%s: Trouble building address_p extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: address_p extension assembled.\n", program_name); - } -#endif /* PFKEY_PROXY */ - - switch(alg) { -#ifndef NO_KERNEL_ALG - /* Allow no auth ... after all is local root decision 8) */ - case XF_OTHER_ALG: - if (!authalg) - break; -#endif /* NO_KERNEL_ALG */ - case XF_AHHMACMD5: - case XF_ESP3DESMD596: - case XF_AHHMACSHA1: - case XF_ESP3DESSHA196: - if((error = pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH], - SADB_EXT_KEY_AUTH, - authkeylen * 8, - authkey))) { - fprintf(stderr, "%s: Trouble building key_a extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: key_a extension assembled.\n", - program_name); - } - break; - default: - break; - } - - switch(alg) { - case XF_ESP3DES: - case XF_ESP3DESMD596: - case XF_ESP3DESSHA196: -#ifndef NO_KERNEL_ALG - case XF_OTHER_ALG: -#endif /* NO_KERNEL_ALG */ - if((error = pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT], - SADB_EXT_KEY_ENCRYPT, - enckeylen * 8, - enckey))) { - fprintf(stderr, "%s: Trouble building key_e extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: key_e extension assembled.\n", - program_name); - } - break; - default: - break; - } - -#ifdef PFKEY_IDENT /* GG: looks wierd, not touched */ - if((pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_SRC], - SADB_EXT_IDENTITY_SRC, - SADB_IDENTTYPE_PREFIX, - 0, - strlen(pfkey_ident_s_ska), - pfkey_ident_s_ska))) { - fprintf(stderr, "%s: Trouble building ident_s extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(subnettoa(addr, mask, format, pfkey_ident_s_ska, - sizeof(pfkey_ident_s_ska) ) != - sizeof(pfkey_ident_s_ska) ) { - exit (1); - } - - if((error = pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_DST], - SADB_EXT_IDENTITY_DST, - SADB_IDENTTYPE_PREFIX, - 0, - strlen(pfkey_ident_d_ska), - pfkey_ident_d_ska))) { - fprintf(stderr, "%s: Trouble building ident_d extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(subnettoa(addr, mask, format, pfkey_ident_d_ska, - sizeof(pfkey_ident_d_ska) ) != - sizeof(pfkey_ident_d_ska) ) { - exit (1); - } - - if(debug) { - fprintf(stdout, "%s: ident extensions assembled.\n", - program_name); - } -#endif /* PFKEY_IDENT */ - } - - if(debug) { - fprintf(stdout, "%s: assembling pfkey msg....\n", - program_name); - } - if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) { - fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: assembled.\n", - program_name); - } - if(debug) { - fprintf(stdout, "%s: writing pfkey msg.\n", - program_name); - } - io_error = write(pfkey_sock, - pfkey_msg, - pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN); - if(io_error < 0) { - fprintf(stderr, "%s: pfkey write failed (errno=%d): ", - program_name, errno); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - switch(errno) { - case EACCES: - fprintf(stderr, "access denied. "); - if(getuid() == 0) { - fprintf(stderr, "Check permissions. Should be 600.\n"); - } else { - fprintf(stderr, "You must be root to open this file.\n"); - } - break; - case EUNATCH: - fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n"); - break; - case EBUSY: - fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n"); - break; - case EINVAL: - fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n"); - break; - case ENODEV: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - fprintf(stderr, "No device?!?\n"); - break; - case ENOBUFS: - fprintf(stderr, "No kernel memory to allocate SA.\n"); - break; - case ESOCKTNOSUPPORT: - fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n"); - break; - case EEXIST: - fprintf(stderr, "SA already in use. Delete old one first.\n"); - break; - case ENOENT: - fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n"); - break; - case ENXIO: - case ESRCH: - fprintf(stderr, "SA does not exist. Cannot delete.\n"); - break; - case ENOSPC: - fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n"); - break; - case ESPIPE: - fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n"); - break; - default: - fprintf(stderr, "Unknown socket write error %d (%s). Please report as much detail as possible to development team.\n", - errno, strerror(errno)); - } - exit(1); - } else if (io_error != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) { - fprintf(stderr, "%s: pfkey write truncated to %d bytes\n", - program_name, (int)io_error); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - exit(1); - } - - if(debug) { - fprintf(stdout, "%s: pfkey command written to socket.\n", - program_name); - } - - if(pfkey_msg) { - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - } - if(debug) { - fprintf(stdout, "%s: pfkey message buffer freed.\n", - program_name); - } - if(authkey) { - memset((caddr_t)authkey, 0, authkeylen); - free(authkey); - } - if(enckey) { - memset((caddr_t)enckey, 0, enckeylen); - free(enckey); - } - if(iv) { - memset((caddr_t)iv, 0, ivlen); - free(iv); - } - - if(listenreply || saref) { - ssize_t readlen; - unsigned char pfkey_buf[PFKEYv2_MAX_MSGSIZE]; - - while((readlen = read(pfkey_sock, pfkey_buf, sizeof(pfkey_buf))) > 0) { - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - pfkey_extensions_init(extensions); - pfkey_msg = (struct sadb_msg *)pfkey_buf; - - /* first, see if we got enough for an sadb_msg */ - if((size_t)readlen < sizeof(struct sadb_msg)) { - if(debug) { - printf("%s: runt packet of size: %ld (<%lu)\n", - program_name, (long)readlen, (unsigned long)sizeof(struct sadb_msg)); - } - continue; - } - - /* okay, we got enough for a message, print it out */ - if(debug) { - printf("%s: pfkey v%d msg received. type=%d(%s) seq=%d len=%d pid=%d errno=%d satype=%d(%s)\n", - program_name, - pfkey_msg->sadb_msg_version, - pfkey_msg->sadb_msg_type, - pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type), - pfkey_msg->sadb_msg_seq, - pfkey_msg->sadb_msg_len, - pfkey_msg->sadb_msg_pid, - pfkey_msg->sadb_msg_errno, - pfkey_msg->sadb_msg_satype, - satype2name(pfkey_msg->sadb_msg_satype)); - } - - if(readlen != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) - { - if(debug) { - printf("%s: packet size read from socket=%d doesn't equal sadb_msg_len %u * %u; message not decoded\n", - program_name, - (int)readlen, - (unsigned)pfkey_msg->sadb_msg_len, - (unsigned)IPSEC_PFKEYv2_ALIGN); - } - continue; - } - - if (pfkey_msg_parse(pfkey_msg, NULL, extensions, EXT_BITS_OUT)) { - if(debug) { - printf("%s: unparseable PF_KEY message.\n", - program_name); - } - continue; - } else { - if(debug) { - printf("%s: parseable PF_KEY message.\n", - program_name); - } - } - if((pid_t)pfkey_msg->sadb_msg_pid == mypid) { - if(saref) { - printf("%s: saref=%d\n", - program_name, - (extensions[SADB_EXT_SA] != NULL) - ? ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_x_sa_ref - : IPSEC_SAREF_NULL); - } - break; - } - } - } - (void) close(pfkey_sock); /* close the socket */ - if(debug || listenreply) { - printf("%s: exited normally\n", program_name); - } - exit(0); -} |