1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 * 21 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 22 */ 23 24 #include <unistd.h> 25 #include <stdio.h> 26 #include <stdarg.h> 27 #include <stdlib.h> 28 #include <sys/sysconf.h> 29 #include <string.h> 30 #include <strings.h> 31 #include <libintl.h> 32 #include <locale.h> 33 #include <ctype.h> 34 #include <time.h> 35 #include <sys/sysmacros.h> 36 #include <sys/stat.h> 37 #include <sys/mman.h> 38 #include <fcntl.h> 39 #include <sys/socket.h> 40 #include <netdb.h> 41 #include <errno.h> 42 #include <assert.h> 43 #include <netinet/in.h> 44 #include <arpa/inet.h> 45 #include <door.h> 46 #include <setjmp.h> 47 48 #include <ipsec_util.h> 49 #include <ikedoor.h> 50 51 static int doorfd = -1; 52 53 /* 54 * These are additional return values for the command line parsing 55 * function (parsecmd()). They are specific to this utility, but 56 * need to share the same space as the IKE_SVC_* defs, without conflicts. 57 * So they're defined relative to the end of that range. 58 */ 59 #define IKEADM_HELP_GENERAL IKE_SVC_MAX + 1 60 #define IKEADM_HELP_GET IKE_SVC_MAX + 2 61 #define IKEADM_HELP_SET IKE_SVC_MAX + 3 62 #define IKEADM_HELP_ADD IKE_SVC_MAX + 4 63 #define IKEADM_HELP_DEL IKE_SVC_MAX + 5 64 #define IKEADM_HELP_DUMP IKE_SVC_MAX + 6 65 #define IKEADM_HELP_FLUSH IKE_SVC_MAX + 7 66 #define IKEADM_HELP_READ IKE_SVC_MAX + 8 67 #define IKEADM_HELP_WRITE IKE_SVC_MAX + 9 68 #define IKEADM_HELP_TOKEN IKE_SVC_MAX + 10 69 #define IKEADM_HELP_HELP IKE_SVC_MAX + 11 70 #define IKEADM_EXIT IKE_SVC_MAX + 12 71 72 /* 73 * Disable default TAB completion for now (until some brave soul tackles it). 74 */ 75 /* ARGSUSED */ 76 static 77 CPL_MATCH_FN(no_match) 78 { 79 return (0); 80 } 81 82 static void command_complete(int s) __NORETURN; 83 static void usage(void) __NORETURN; 84 85 static void 86 command_complete(int s) 87 { 88 if (interactive) { 89 longjmp(env, 1); 90 } else { 91 exit(s); 92 } 93 } 94 95 static void 96 usage(void) 97 { 98 if (!interactive) { 99 (void) fprintf(stderr, gettext("Usage:\t" 100 "ikeadm [ -hnp ] cmd obj [cmd-specific options]\n")); 101 (void) fprintf(stderr, gettext(" \tikeadm help\n")); 102 } else { 103 (void) fprintf(stderr, 104 gettext("\nType help for usage info\n")); 105 } 106 107 command_complete(1); 108 } 109 110 static void 111 print_help() 112 { 113 (void) printf(gettext("Valid commands and objects:\n")); 114 (void) printf( 115 "\tget debug|priv|stats|p1|rule|preshared|defaults [%s]\n", 116 gettext("identifier")); 117 (void) printf("\tset priv %s\n", gettext("level")); 118 (void) printf("\tset debug %s [%s]\n", 119 gettext("level"), gettext("filename")); 120 (void) printf("\tadd rule|preshared {%s}|%s\n", 121 gettext("definition"), gettext("filename")); 122 (void) printf("\tdel p1|rule|preshared %s\n", gettext("identifier")); 123 (void) printf("\tdump p1|rule|preshared|certcache|groups|" 124 "encralgs|authalgs\n"); 125 (void) printf("\tflush p1|certcache\n"); 126 (void) printf("\tread rule|preshared [%s]\n", gettext("filename")); 127 (void) printf("\twrite rule|preshared %s\n", gettext("filename")); 128 (void) printf("\ttoken <login|logout> %s\n", 129 gettext("<PKCS#11 Token Object>")); 130 (void) printf( 131 "\thelp [get|set|add|del|dump|flush|read|write|token|help]\n"); 132 (void) printf("\texit %s\n", gettext("exit the program")); 133 (void) printf("\tquit %s\n", gettext("exit the program")); 134 135 command_complete(0); 136 } 137 138 static void 139 print_get_help() 140 { 141 (void) printf( 142 gettext("This command gets information from in.iked.\n\n")); 143 (void) printf(gettext("Objects that may be retrieved include:\n")); 144 (void) printf("\tdebug\t\t"); 145 (void) printf(gettext("the current debug level\n")); 146 (void) printf("\tpriv\t\t"); 147 (void) printf(gettext("the current privilege level\n")); 148 (void) printf("\tstats\t\t"); 149 (void) printf(gettext("current usage statistics\n")); 150 (void) printf("\tp1\t\t"); 151 (void) printf(gettext("a phase 1 SA, identified by\n")); 152 (void) printf(gettext("\t\t\t local_ip remote_ip OR\n")); 153 (void) printf(gettext("\t\t\t init_cookie resp_cookie\n")); 154 (void) printf("\trule\t\t"); 155 (void) printf(gettext("a phase 1 rule, identified by its label\n")); 156 (void) printf("\tpreshared\t"); 157 (void) printf(gettext("a preshared key, identified by\n")); 158 (void) printf(gettext("\t\t\t local_ip remote_ip OR\n")); 159 (void) printf(gettext("\t\t\t local_id remote_id\n")); 160 (void) printf("\n"); 161 162 command_complete(0); 163 } 164 165 static void 166 print_set_help() 167 { 168 (void) printf(gettext("This command sets values in in.iked.\n\n")); 169 (void) printf(gettext("Objects that may be set include:\n")); 170 (void) printf("\tdebug\t\t"); 171 (void) printf(gettext("change the debug level\n")); 172 (void) printf("\tpriv\t\t"); 173 (void) printf( 174 gettext("change the privilege level (may only be lowered)\n")); 175 (void) printf("\n"); 176 177 command_complete(0); 178 } 179 180 static void 181 print_add_help() 182 { 183 (void) printf( 184 gettext("This command adds items to in.iked's tables.\n\n")); 185 (void) printf(gettext("Objects that may be set include:\n")); 186 (void) printf("\trule\t\t"); 187 (void) printf(gettext("a phase 1 policy rule\n")); 188 (void) printf("\tpreshared\t"); 189 (void) printf(gettext("a preshared key\n")); 190 (void) printf( 191 gettext("\nObjects may be entered on the command-line, as a\n")); 192 (void) printf( 193 gettext("series of keywords and tokens contained in curly\n")); 194 (void) printf( 195 gettext("braces ('{', '}'); or the name of a file containing\n")); 196 (void) printf(gettext("the object definition may be provided.\n\n")); 197 (void) printf( 198 gettext("For security purposes, preshared keys may only be\n")); 199 (void) printf( 200 gettext("entered on the command-line if ikeadm is running in\n")); 201 (void) printf(gettext("interactive mode.\n")); 202 (void) printf("\n"); 203 204 command_complete(0); 205 } 206 207 static void 208 print_del_help() 209 { 210 (void) printf( 211 gettext("This command deletes an item from in.iked's tables.\n\n")); 212 (void) printf(gettext("Objects that may be deleted include:\n")); 213 (void) printf("\tp1\t\t"); 214 (void) printf(gettext("a phase 1 SA, identified by\n")); 215 (void) printf(gettext("\t\t\t local_ip remote_ip OR\n")); 216 (void) printf(gettext("\t\t\t init_cookie resp_cookie\n")); 217 (void) printf("\trule\t\t"); 218 (void) printf(gettext("a phase 1 rule, identified by its label\n")); 219 (void) printf("\tpreshared\t"); 220 (void) printf(gettext("a preshared key, identified by\n")); 221 (void) printf(gettext("\t\t\t local_ip remote_ip OR\n")); 222 (void) printf(gettext("\t\t\t local_id remote_id\n")); 223 (void) printf("\n"); 224 225 command_complete(0); 226 } 227 228 static void 229 print_dump_help() 230 { 231 (void) printf( 232 gettext("This command dumps one of in.iked's tables.\n\n")); 233 (void) printf(gettext("Tables that may be dumped include:\n")); 234 (void) printf("\tp1\t\t"); 235 (void) printf(gettext("all phase 1 SAs\n")); 236 (void) printf("\trule\t\t"); 237 (void) printf(gettext("all phase 1 rules\n")); 238 (void) printf("\tpreshared\t"); 239 (void) printf(gettext("all preshared keys\n")); 240 (void) printf("\tcertcache\t"); 241 (void) printf(gettext("all cached certificates\n")); 242 (void) printf("\tgroups\t\t"); 243 (void) printf(gettext("all implemented Diffie-Hellman groups\n")); 244 (void) printf("\tencralgs\t"); 245 (void) printf(gettext("all encryption algorithms for IKE\n")); 246 (void) printf("\tauthalgs\t"); 247 (void) printf(gettext("all authentication algorithms IKE\n")); 248 (void) printf("\n"); 249 250 command_complete(0); 251 } 252 253 static void 254 print_flush_help() 255 { 256 (void) printf( 257 gettext("This command clears one of in.iked's tables.\n\n")); 258 (void) printf(gettext("Tables that may be flushed include:\n")); 259 (void) printf("\tp1\t\t"); 260 (void) printf(gettext("all phase 1 SAs\n")); 261 (void) printf("\tcertcache\t"); 262 (void) printf(gettext("all cached certificates\n")); 263 (void) printf("\n"); 264 265 command_complete(0); 266 } 267 268 static void 269 print_read_help() 270 { 271 (void) printf( 272 gettext("This command reads a new configuration file into\n")); 273 (void) printf( 274 gettext("in.iked, discarding the old configuration info.\n\n")); 275 (void) printf(gettext("Sets of data that may be read include:\n")); 276 (void) printf("\trule\t\t"); 277 (void) printf(gettext("all phase 1 rules\n")); 278 (void) printf("\tpreshared\t"); 279 (void) printf(gettext("all preshared keys\n\n")); 280 (void) printf( 281 gettext("A filename may be provided to specify a source file\n")); 282 (void) printf(gettext("other than the default.\n")); 283 (void) printf("\n"); 284 285 command_complete(0); 286 } 287 288 static void 289 print_write_help() 290 { 291 (void) printf( 292 gettext("This command writes in.iked's current configuration\n")); 293 (void) printf(gettext("out to a config file.\n\n")); 294 (void) printf(gettext("Sets of data that may be written include:\n")); 295 (void) printf("\trule\t\t"); 296 (void) printf(gettext("all phase 1 rules\n")); 297 (void) printf("\tpreshared\t"); 298 (void) printf(gettext("all preshared keys\n\n")); 299 (void) printf( 300 gettext("A filename must be provided to specify the file to\n")); 301 (void) printf(gettext("which the information should be written.\n")); 302 (void) printf("\n"); 303 304 command_complete(0); 305 } 306 307 static void 308 print_token_help() 309 { 310 (void) printf(gettext( 311 "This command logs IKE into and out of PKCS#11 tokens.\n\n")); 312 (void) printf(gettext("Commands include:\n")); 313 (void) printf("\tlogin <PKCS#11 Token Object>\t"); 314 (void) printf(gettext("log into token\n")); 315 (void) printf("\tlogout <PKCS#11 Token Object>\t"); 316 (void) printf(gettext("log out of token\n\n")); 317 (void) printf( 318 gettext("The PKCS#11 Token Object name must be " 319 "enclosed in quotation marks.\n")); 320 (void) printf("\n"); 321 322 command_complete(0); 323 } 324 325 static void 326 print_help_help() 327 { 328 (void) printf( 329 gettext("This command provides information about commands.\n\n")); 330 (void) printf( 331 gettext("The 'help' command alone provides a list of valid\n")); 332 (void) printf( 333 gettext("commands, along with the valid objects for each.\n")); 334 (void) printf( 335 gettext("'help' followed by a valid command name provides\n")); 336 (void) printf(gettext("further information about that command.\n")); 337 (void) printf("\n"); 338 339 command_complete(0); 340 } 341 342 /*PRINTFLIKE1*/ 343 static void 344 message(char *fmt, ...) 345 { 346 va_list ap; 347 char msgbuf[BUFSIZ]; 348 349 va_start(ap, fmt); 350 (void) vsnprintf(msgbuf, BUFSIZ, fmt, ap); 351 (void) fprintf(stderr, gettext("ikeadm: %s\n"), msgbuf); 352 va_end(ap); 353 } 354 355 static int 356 open_door(void) 357 { 358 if (doorfd >= 0) 359 (void) close(doorfd); 360 doorfd = open(DOORNM, O_RDONLY); 361 return (doorfd); 362 } 363 364 static ike_service_t * 365 ikedoor_call(char *reqp, int size, door_desc_t *descp, int ndesc) 366 { 367 door_arg_t arg; 368 int retries = 0; 369 370 arg.data_ptr = reqp; 371 arg.data_size = size; 372 arg.desc_ptr = descp; 373 arg.desc_num = ndesc; 374 arg.rbuf = (char *)NULL; 375 arg.rsize = 0; 376 377 retry: 378 if (door_call(doorfd, &arg) < 0) { 379 if ((errno == EBADF) && ((++retries < 2) && 380 (open_door() >= 0))) 381 goto retry; 382 (void) fprintf(stderr, 383 gettext("Unable to communicate with in.iked\n")); 384 Bail("door_call failed"); 385 } 386 387 if ((ndesc > 0) && (descp->d_attributes & DOOR_RELEASE) && 388 ((errno == EBADF) || (errno == EFAULT))) { 389 /* callers assume passed fds will be closed no matter what */ 390 (void) close(descp->d_data.d_desc.d_descriptor); 391 } 392 393 /* LINTED E_BAD_PTR_CAST_ALIGN */ 394 return ((ike_service_t *)arg.rbuf); 395 } 396 397 /* 398 * Parsing functions 399 */ 400 401 /* stolen from ipseckey.c, with a second tier added */ 402 static int 403 parsecmd(char *cmdstr, char *objstr) 404 { 405 #define MAXOBJS 11 406 struct objtbl { 407 char *obj; 408 int token; 409 }; 410 static struct cmdtbl { 411 char *cmd; 412 int null_obj_token; 413 struct objtbl objt[MAXOBJS]; 414 } table[] = { 415 {"get", IKE_SVC_ERROR, { 416 {"debug", IKE_SVC_GET_DBG}, 417 {"priv", IKE_SVC_GET_PRIV}, 418 {"stats", IKE_SVC_GET_STATS}, 419 {"p1", IKE_SVC_GET_P1}, 420 {"rule", IKE_SVC_GET_RULE}, 421 {"preshared", IKE_SVC_GET_PS}, 422 {"defaults", IKE_SVC_GET_DEFS}, 423 {NULL, IKE_SVC_ERROR} 424 } 425 }, 426 {"set", IKE_SVC_ERROR, { 427 {"debug", IKE_SVC_SET_DBG}, 428 {"priv", IKE_SVC_SET_PRIV}, 429 {NULL, IKE_SVC_ERROR} 430 } 431 }, 432 {"token", IKE_SVC_ERROR, { 433 {"login", IKE_SVC_SET_PIN}, 434 {"logout", IKE_SVC_DEL_PIN}, 435 {NULL, IKE_SVC_ERROR}, 436 } 437 }, 438 {"add", IKE_SVC_ERROR, { 439 {"rule", IKE_SVC_NEW_RULE}, 440 {"preshared", IKE_SVC_NEW_PS}, 441 {NULL, IKE_SVC_ERROR} 442 } 443 }, 444 {"del", IKE_SVC_ERROR, { 445 {"p1", IKE_SVC_DEL_P1}, 446 {"rule", IKE_SVC_DEL_RULE}, 447 {"preshared", IKE_SVC_DEL_PS}, 448 {NULL, IKE_SVC_ERROR} 449 } 450 }, 451 {"dump", IKE_SVC_ERROR, { 452 {"p1", IKE_SVC_DUMP_P1S}, 453 {"rule", IKE_SVC_DUMP_RULES}, 454 {"preshared", IKE_SVC_DUMP_PS}, 455 {"certcache", IKE_SVC_DUMP_CERTCACHE}, 456 {"groups", IKE_SVC_DUMP_GROUPS}, 457 {"encralgs", IKE_SVC_DUMP_ENCRALGS}, 458 {"authalgs", IKE_SVC_DUMP_AUTHALGS}, 459 {NULL, IKE_SVC_ERROR} 460 } 461 }, 462 {"flush", IKE_SVC_ERROR, { 463 {"p1", IKE_SVC_FLUSH_P1S}, 464 {"certcache", IKE_SVC_FLUSH_CERTCACHE}, 465 {NULL, IKE_SVC_ERROR} 466 } 467 }, 468 {"read", IKE_SVC_ERROR, { 469 {"rule", IKE_SVC_READ_RULES}, 470 {"preshared", IKE_SVC_READ_PS}, 471 {NULL, IKE_SVC_ERROR} 472 } 473 }, 474 {"write", IKE_SVC_ERROR, { 475 {"rule", IKE_SVC_WRITE_RULES}, 476 {"preshared", IKE_SVC_WRITE_PS}, 477 {NULL, IKE_SVC_ERROR} 478 } 479 }, 480 {"help", IKEADM_HELP_GENERAL, { 481 {"get", IKEADM_HELP_GET}, 482 {"set", IKEADM_HELP_SET}, 483 {"add", IKEADM_HELP_ADD}, 484 {"del", IKEADM_HELP_DEL}, 485 {"dump", IKEADM_HELP_DUMP}, 486 {"flush", IKEADM_HELP_FLUSH}, 487 {"read", IKEADM_HELP_READ}, 488 {"write", IKEADM_HELP_WRITE}, 489 {"token", IKEADM_HELP_TOKEN}, 490 {"help", IKEADM_HELP_HELP}, 491 {NULL, IKE_SVC_ERROR} 492 } 493 }, 494 {"exit", IKEADM_EXIT, { 495 {NULL, IKE_SVC_ERROR} 496 } 497 }, 498 {"quit", IKEADM_EXIT, { 499 {NULL, IKE_SVC_ERROR} 500 } 501 }, 502 {"dbg", IKE_SVC_ERROR, { 503 {"rbdump", IKE_SVC_DBG_RBDUMP}, 504 {NULL, IKE_SVC_ERROR} 505 } 506 }, 507 {NULL, IKE_SVC_ERROR, { 508 {NULL, IKE_SVC_ERROR} 509 } 510 } 511 }; 512 struct cmdtbl *ct = table; 513 struct objtbl *ot; 514 515 if (cmdstr == NULL) { 516 return (IKE_SVC_ERROR); 517 } 518 519 while (ct->cmd != NULL && strcmp(ct->cmd, cmdstr) != 0) 520 ct++; 521 ot = ct->objt; 522 523 if (ct->cmd == NULL) { 524 message(gettext("Unrecognized command '%s'"), cmdstr); 525 return (ot->token); 526 } 527 528 if (objstr == NULL) { 529 return (ct->null_obj_token); 530 } 531 532 while (ot->obj != NULL && strcmp(ot->obj, objstr) != 0) 533 ot++; 534 535 if (ot->obj == NULL) 536 message(gettext("Unrecognized object '%s'"), objstr); 537 538 return (ot->token); 539 } 540 541 /* 542 * Parsing functions: 543 * Parse command-line identification info. All return -1 on failure, 544 * or the number of cmd-line args "consumed" on success (though argc 545 * and argv params are not actually modified). 546 */ 547 548 static int 549 parse_label(int argc, char **argv, char *label) 550 { 551 if ((argc < 1) || (argv == NULL)) 552 return (-1); 553 554 if (strlcpy(label, argv[0], MAX_LABEL_LEN) >= MAX_LABEL_LEN) 555 return (-1); 556 557 return (1); 558 } 559 560 /* 561 * Parse a PKCS#11 token get the label. 562 */ 563 static int 564 parse_token(int argc, char **argv, char *token_label) 565 { 566 if ((argc < 1) || (argv == NULL)) 567 return (-1); 568 569 if (strlcpy(token_label, argv[0], PKCS11_TOKSIZE) >= PKCS11_TOKSIZE) 570 return (-1); 571 572 return (0); 573 } 574 575 /* 576 * Parse an address off the command line. In the hpp param, either 577 * return a hostent pointer (caller frees) or a pointer to a dummy_he_t 578 * (must also be freed by the caller; both cases are handled by the 579 * macro FREE_HE). The new getipnodebyname() call does the Right Thing 580 * (TM), even with raw addresses (colon-separated IPv6 or dotted decimal 581 * IPv4). 582 * (mostly stolen from ipseckey.c, though some tweaks were made 583 * to better serve our purposes here.) 584 */ 585 586 typedef struct { 587 struct hostent he; 588 char *addtl[2]; 589 } dummy_he_t; 590 591 static int 592 parse_addr(int argc, char **argv, struct hostent **hpp) 593 { 594 int hp_errno; 595 struct hostent *hp = NULL; 596 dummy_he_t *dhp; 597 char *addr1; 598 599 if ((argc < 1) || (argv == NULL) || (argv[0] == NULL)) 600 return (-1); 601 602 if (!nflag) { 603 /* 604 * Try name->address first. Assume AF_INET6, and 605 * get IPV4s, plus IPv6s iff IPv6 is configured. 606 */ 607 hp = getipnodebyname(argv[0], AF_INET6, AI_DEFAULT | AI_ALL, 608 &hp_errno); 609 } else { 610 /* 611 * Try a normal address conversion only. malloc a 612 * dummy_he_t to construct a fake hostent. Caller 613 * will know to free this one using free_he(). 614 */ 615 dhp = (dummy_he_t *)malloc(sizeof (dummy_he_t)); 616 addr1 = (char *)malloc(sizeof (struct in6_addr)); 617 if (inet_pton(AF_INET6, argv[0], addr1) == 1) { 618 dhp->he.h_addr_list = dhp->addtl; 619 dhp->addtl[0] = addr1; 620 dhp->addtl[1] = NULL; 621 hp = &dhp->he; 622 dhp->he.h_addrtype = AF_INET6; 623 dhp->he.h_length = sizeof (struct in6_addr); 624 } else if (inet_pton(AF_INET, argv[0], addr1) == 1) { 625 dhp->he.h_addr_list = dhp->addtl; 626 dhp->addtl[0] = addr1; 627 dhp->addtl[1] = NULL; 628 hp = &dhp->he; 629 dhp->he.h_addrtype = AF_INET; 630 dhp->he.h_length = sizeof (struct in_addr); 631 } else { 632 hp = NULL; 633 } 634 } 635 636 *hpp = hp; 637 638 if (hp == NULL) { 639 message(gettext("Unknown address %s."), argv[0]); 640 return (-1); 641 } 642 643 return (1); 644 } 645 646 /* 647 * Free a dummy_he_t structure that was malloc'd in parse_addr(). 648 * Unfortunately, callers of parse_addr don't want to know about 649 * dummy_he_t structs, so all they have is a pointer to the struct 650 * hostent; so that's what's passed in. To manage this, we make 651 * the assumption that the struct hostent is the first field in 652 * the dummy_he_t, and therefore a pointer to it is a pointer to 653 * the dummy_he_t. 654 */ 655 static void 656 free_he(struct hostent *hep) 657 { 658 dummy_he_t *p = (dummy_he_t *)hep; 659 660 assert(p != NULL); 661 662 if (p->addtl[0]) 663 free(p->addtl[0]); 664 if (p->addtl[1]) 665 free(p->addtl[1]); 666 667 free(p); 668 } 669 670 #define FREE_HE(x) \ 671 if (nflag) \ 672 free_he(x); \ 673 else \ 674 freehostent(x) 675 676 static void 677 headdr2sa(char *hea, struct sockaddr_storage *sa, int len) 678 { 679 struct sockaddr_in *sin; 680 struct sockaddr_in6 *sin6; 681 682 if (len == sizeof (struct in6_addr)) { 683 /* LINTED E_BAD_PTR_CAST_ALIGN */ 684 if (IN6_IS_ADDR_V4MAPPED((struct in6_addr *)hea)) { 685 sin = (struct sockaddr_in *)sa; 686 (void) memset(sin, 0, sizeof (*sin)); 687 /* LINTED E_BAD_PTR_CAST_ALIGN */ 688 IN6_V4MAPPED_TO_INADDR((struct in6_addr *)hea, 689 &sin->sin_addr); 690 sin->sin_family = AF_INET; 691 } else { 692 sin6 = (struct sockaddr_in6 *)sa; 693 (void) memset(sin6, 0, sizeof (*sin6)); 694 (void) memcpy(&sin6->sin6_addr, hea, 695 sizeof (struct in6_addr)); 696 sin6->sin6_family = AF_INET6; 697 } 698 } else { 699 sin = (struct sockaddr_in *)sa; 700 (void) memset(sin, 0, sizeof (*sin)); 701 (void) memcpy(&sin->sin_addr, hea, sizeof (struct in_addr)); 702 sin->sin_family = AF_INET; 703 } 704 } 705 706 /* 707 * The possible ident-type keywords that might be used on the command 708 * line. This is a superset of the ones supported by ipseckey, those 709 * in the ike config file, and those in ike.preshared. 710 */ 711 static keywdtab_t idtypes[] = { 712 /* ip, ipv4, and ipv6 are valid for preshared keys... */ 713 {SADB_IDENTTYPE_RESERVED, "ip"}, 714 {SADB_IDENTTYPE_RESERVED, "ipv4"}, 715 {SADB_IDENTTYPE_RESERVED, "ipv6"}, 716 {SADB_IDENTTYPE_PREFIX, "prefix"}, 717 {SADB_IDENTTYPE_PREFIX, "ipv4-prefix"}, 718 {SADB_IDENTTYPE_PREFIX, "ipv6-prefix"}, 719 {SADB_IDENTTYPE_PREFIX, "subnet"}, 720 {SADB_IDENTTYPE_PREFIX, "subnetv4"}, 721 {SADB_IDENTTYPE_PREFIX, "subnetv6"}, 722 {SADB_IDENTTYPE_FQDN, "fqdn"}, 723 {SADB_IDENTTYPE_FQDN, "dns"}, 724 {SADB_IDENTTYPE_FQDN, "domain"}, 725 {SADB_IDENTTYPE_FQDN, "domainname"}, 726 {SADB_IDENTTYPE_USER_FQDN, "user_fqdn"}, 727 {SADB_IDENTTYPE_USER_FQDN, "mbox"}, 728 {SADB_IDENTTYPE_USER_FQDN, "mailbox"}, 729 {SADB_X_IDENTTYPE_DN, "dn"}, 730 {SADB_X_IDENTTYPE_DN, "asn1dn"}, 731 {SADB_X_IDENTTYPE_GN, "gn"}, 732 {SADB_X_IDENTTYPE_GN, "asn1gn"}, 733 {SADB_X_IDENTTYPE_ADDR_RANGE, "ipv4-range"}, 734 {SADB_X_IDENTTYPE_ADDR_RANGE, "ipv6-range"}, 735 {SADB_X_IDENTTYPE_ADDR_RANGE, "rangev4"}, 736 {SADB_X_IDENTTYPE_ADDR_RANGE, "rangev6"}, 737 {SADB_X_IDENTTYPE_KEY_ID, "keyid"}, 738 {NULL, 0} 739 }; 740 741 static int 742 parse_idtype(char *type, uint16_t *idnum) 743 { 744 keywdtab_t *idp; 745 746 if (type == NULL) 747 return (-1); 748 749 for (idp = idtypes; idp->kw_str != NULL; idp++) { 750 if (strcasecmp(idp->kw_str, type) == 0) { 751 if (idnum != NULL) 752 *idnum = idp->kw_tag; 753 return (1); 754 } 755 } 756 757 return (-1); 758 } 759 760 /* 761 * The sadb_ident_t is malloc'd, since its length varies; 762 * so the caller must free() it when done with the data. 763 */ 764 static int 765 parse_ident(int argc, char **argv, sadb_ident_t **idpp) 766 { 767 int alloclen, consumed; 768 sadb_ident_t *idp; 769 if ((argc < 2) || (argv == NULL) || (argv[0] == NULL) || 770 (argv[1] == NULL)) 771 return (-1); 772 773 alloclen = sizeof (sadb_ident_t) + IKEDOORROUNDUP(strlen(argv[1]) + 1); 774 *idpp = idp = (sadb_ident_t *)malloc(alloclen); 775 if (idp == NULL) 776 Bail("parsing identity"); 777 778 if ((consumed = parse_idtype(argv[0], &idp->sadb_ident_type)) < 0) { 779 message(gettext("unknown identity type %s."), argv[0]); 780 return (-1); 781 } 782 783 idp->sadb_ident_len = SADB_8TO64(alloclen); 784 idp->sadb_ident_reserved = 0; 785 idp->sadb_ident_id = 0; 786 787 /* now copy in identity param */ 788 (void) strlcpy((char *)(idp + 1), argv[1], 789 alloclen - (sizeof (sadb_ident_t))); 790 791 return (++consumed); 792 } 793 794 static int 795 parse_cky(int argc, char **argv, uint64_t *ckyp) 796 { 797 u_longlong_t arg; 798 799 if ((argc < 1) || (argv[0] == NULL)) 800 return (-1); 801 802 errno = 0; 803 arg = strtoull(argv[0], NULL, 0); 804 if (errno != 0) { 805 message(gettext("failed to parse cookie %s."), argv[0]); 806 return (-1); 807 } 808 809 *ckyp = (uint64_t)arg; 810 811 return (1); 812 } 813 814 static int 815 parse_addr_pr(int argc, char **argv, struct hostent **h1pp, 816 struct hostent **h2pp) 817 { 818 int rtn, consumed = 0; 819 820 if ((rtn = parse_addr(argc, argv, h1pp)) < 0) { 821 return (-1); 822 } 823 consumed = rtn; 824 argc -= rtn; 825 argv += rtn; 826 827 if ((rtn = parse_addr(argc, argv, h2pp)) < 0) { 828 FREE_HE(*h1pp); 829 return (-1); 830 } 831 consumed += rtn; 832 833 return (consumed); 834 } 835 836 /* 837 * The sadb_ident_ts are malloc'd, since their length varies; 838 * so the caller must free() them when done with the data. 839 */ 840 static int 841 parse_ident_pr(int argc, char **argv, sadb_ident_t **id1pp, 842 sadb_ident_t **id2pp) 843 { 844 int rtn, consumed = 0; 845 846 if ((rtn = parse_ident(argc, argv, id1pp)) < 0) { 847 return (-1); 848 } 849 consumed = rtn; 850 argc -= rtn; 851 argv += rtn; 852 853 (*id1pp)->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 854 855 if ((rtn = parse_ident(argc, argv, id2pp)) < 0) { 856 free(*id1pp); 857 return (-1); 858 } 859 consumed += rtn; 860 861 (*id2pp)->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 862 863 return (consumed); 864 } 865 866 static int 867 parse_cky_pr(int argc, char **argv, ike_cky_pr_t *cpr) 868 { 869 int rtn, consumed = 0; 870 871 if ((rtn = parse_cky(argc, argv, &cpr->cky_i)) < 0) { 872 return (-1); 873 } 874 consumed = rtn; 875 argc -= rtn; 876 argv += rtn; 877 878 if ((rtn = parse_cky(argc, argv, &cpr->cky_r)) < 0) { 879 return (-1); 880 } 881 consumed += rtn; 882 883 return (consumed); 884 } 885 886 /* 887 * Preshared key field types...used for parsing preshared keys that 888 * have been entered on the command line. The code to parse preshared 889 * keys (parse_ps, parse_key, parse_psfldid, parse_ikmtype, ...) is 890 * mostly duplicated from in.iked's readps.c. 891 */ 892 #define PSFLD_LOCID 1 893 #define PSFLD_LOCIDTYPE 2 894 #define PSFLD_REMID 3 895 #define PSFLD_REMIDTYPE 4 896 #define PSFLD_MODE 5 897 #define PSFLD_KEY 6 898 899 static keywdtab_t psfldtypes[] = { 900 {PSFLD_LOCID, "localid"}, 901 {PSFLD_LOCIDTYPE, "localidtype"}, 902 {PSFLD_REMID, "remoteid"}, 903 {PSFLD_REMIDTYPE, "remoteidtype"}, 904 {PSFLD_MODE, "ike_mode"}, 905 {PSFLD_KEY, "key"}, 906 {NULL, 0} 907 }; 908 909 static int 910 parse_psfldid(char *type, uint16_t *idnum) 911 { 912 keywdtab_t *pfp; 913 914 if (type == NULL) 915 return (-1); 916 917 for (pfp = psfldtypes; pfp->kw_str != NULL; pfp++) { 918 if (strcasecmp(pfp->kw_str, type) == 0) { 919 if (idnum != NULL) 920 *idnum = pfp->kw_tag; 921 return (1); 922 } 923 } 924 925 return (-1); 926 } 927 928 static keywdtab_t ikemodes[] = { 929 {IKE_XCHG_IDENTITY_PROTECT, "main"}, 930 {IKE_XCHG_AGGRESSIVE, "aggressive"}, 931 {IKE_XCHG_IP_AND_AGGR, "both"}, 932 {NULL, 0} 933 }; 934 935 static int 936 parse_ikmtype(char *mode, uint16_t *modenum) 937 { 938 keywdtab_t *ikmp; 939 940 if (mode == NULL) 941 return (-1); 942 943 for (ikmp = ikemodes; ikmp->kw_str != NULL; ikmp++) { 944 if (strcasecmp(ikmp->kw_str, mode) == 0) { 945 if (modenum != NULL) 946 *modenum = ikmp->kw_tag; 947 return (1); 948 } 949 } 950 951 return (-1); 952 } 953 954 #define hd2num(hd) (((hd) >= '0' && (hd) <= '9') ? ((hd) - '0') : \ 955 (((hd) >= 'a' && (hd) <= 'f') ? ((hd) - 'a' + 10) : ((hd) - 'A' + 10))) 956 957 static uint8_t * 958 parse_key(char *input, uint_t *keybuflen, uint_t *lbits) 959 { 960 uint8_t *keyp, *keybufp; 961 uint_t i, hexlen = 0, bits, alloclen; 962 963 for (i = 0; input[i] != '\0' && input[i] != '/'; i++) 964 hexlen++; 965 966 if (input[i] == '\0') { 967 bits = 0; 968 } else { 969 /* Have /nn. */ 970 input[i] = '\0'; 971 if (sscanf((input + i + 1), "%u", &bits) != 1) 972 return (NULL); 973 974 /* hexlen is in nibbles */ 975 if (((bits + 3) >> 2) > hexlen) 976 return (NULL); 977 978 /* 979 * Adjust hexlen down if user gave us too small of a bit 980 * count. 981 */ 982 if ((hexlen << 2) > bits + 3) { 983 hexlen = (bits + 3) >> 2; 984 input[hexlen] = '\0'; 985 } 986 } 987 988 /* 989 * Allocate. Remember, hexlen is in nibbles. 990 */ 991 992 alloclen = (hexlen/2 + (hexlen & 0x1)); 993 keyp = malloc(alloclen); 994 995 if (keyp == NULL) 996 return (NULL); 997 998 keybufp = keyp; 999 *keybuflen = alloclen; 1000 if (bits == 0) 1001 *lbits = (hexlen + (hexlen & 0x1)) << 2; 1002 else 1003 *lbits = bits; 1004 1005 /* 1006 * Read in nibbles. Read in odd-numbered as shifted high. 1007 * (e.g. 123 becomes 0x1230). 1008 */ 1009 for (i = 0; input[i] != '\0'; i += 2) { 1010 boolean_t second = (input[i + 1] != '\0'); 1011 1012 if (!isxdigit(input[i]) || 1013 (!isxdigit(input[i + 1]) && second)) { 1014 free(keyp); 1015 return (NULL); 1016 } 1017 *keyp = (hd2num(input[i]) << 4); 1018 if (second) 1019 *keyp |= hd2num(input[i + 1]); 1020 else 1021 break; /* out of for loop. */ 1022 keyp++; 1023 } 1024 1025 /* zero the remaining bits if we're a non-octet amount. */ 1026 if (bits & 0x7) 1027 *((input[i] == '\0') ? keyp - 1 : keyp) &= 1028 0xff << (8 - (bits & 0x7)); 1029 return (keybufp); 1030 } 1031 1032 /* 1033 * the ike_ps_t struct (plus trailing data) will be allocated here, 1034 * so it will need to be freed by the caller. 1035 */ 1036 static int 1037 parse_ps(int argc, char **argv, ike_ps_t **presharedpp, int *len) 1038 { 1039 uint_t c = 0, locidlen, remidlen, keylen, keybits; 1040 uint_t a_locidtotal = 0, a_remidtotal = 0; 1041 char *locid, *remid, *locpfx = NULL, *rempfx = NULL; 1042 uint8_t *keyp = NULL; 1043 uint16_t fldid, locidtype, remidtype, mtype; 1044 struct hostent *loche = NULL, *remhe = NULL; 1045 ike_ps_t *psp = NULL; 1046 sadb_ident_t *sidp; 1047 boolean_t whacked = B_FALSE; 1048 int pfxlen = 0; 1049 1050 if ((argv[c] == NULL) || (argv[c][0] != '{')) 1051 return (-1); 1052 if (argv[c][1] != 0) { 1053 /* no space between '{' and first token */ 1054 argv[c]++; 1055 } else { 1056 c++; 1057 } 1058 if ((argv[argc - 1][strlen(argv[argc - 1]) - 1] == '}') && 1059 (argv[argc - 1][0] != '}')) { 1060 /* 1061 * whack '}' without a space before it or parsers break. 1062 * Remember this trailing character for later 1063 */ 1064 argv[argc - 1][strlen(argv[argc - 1]) - 1] = '\0'; 1065 whacked = B_TRUE; 1066 } 1067 1068 /* Default to type IP */ 1069 locidtype = remidtype = SADB_IDENTTYPE_RESERVED; 1070 /* Default to base exchanges */ 1071 mtype = IKE_XCHG_BASE; 1072 1073 while ((c < argc) && (argv[c] != NULL) && (argv[c][0] != '}')) { 1074 if ((argv[c + 1] == NULL) || (argv[c + 1][0] == '}')) 1075 goto bail; 1076 if (parse_psfldid(argv[c++], &fldid) < 0) 1077 goto bail; 1078 switch (fldid) { 1079 case PSFLD_LOCID: 1080 locid = argv[c++]; 1081 locidlen = strlen(locid) + 1; 1082 break; 1083 case PSFLD_LOCIDTYPE: 1084 if (parse_idtype(argv[c++], &locidtype) < 0) 1085 goto bail; 1086 break; 1087 case PSFLD_REMID: 1088 remid = argv[c++]; 1089 remidlen = strlen(remid) + 1; 1090 break; 1091 case PSFLD_REMIDTYPE: 1092 if (parse_idtype(argv[c++], &remidtype) < 0) 1093 goto bail; 1094 break; 1095 case PSFLD_MODE: 1096 if (parse_ikmtype(argv[c++], &mtype) < 0) 1097 goto bail; 1098 break; 1099 case PSFLD_KEY: 1100 keyp = parse_key(argv[c++], &keylen, &keybits); 1101 if (keyp == NULL) 1102 goto bail; 1103 break; 1104 } 1105 } 1106 1107 /* Make sure the line was terminated with '}' */ 1108 if (argv[c] == NULL) { 1109 if (!whacked) 1110 goto bail; 1111 } else if (argv[c][0] != '}') { 1112 goto bail; 1113 } 1114 1115 /* 1116 * make sure we got all the required fields. If no idtype, assume 1117 * ip addr; if that translation fails, we'll catch the error then. 1118 */ 1119 if (locid == NULL || remid == NULL || keyp == NULL || mtype == 0) 1120 goto bail; 1121 1122 /* figure out the size buffer we need */ 1123 *len = sizeof (ike_ps_t); 1124 if (locidtype != SADB_IDENTTYPE_RESERVED) { 1125 a_locidtotal = IKEDOORROUNDUP(sizeof (sadb_ident_t) + locidlen); 1126 *len += a_locidtotal; 1127 } 1128 if (remidtype != SADB_IDENTTYPE_RESERVED) { 1129 a_remidtotal = IKEDOORROUNDUP(sizeof (sadb_ident_t) + remidlen); 1130 *len += a_remidtotal; 1131 } 1132 *len += keylen; 1133 1134 psp = malloc(*len); 1135 if (psp == NULL) 1136 goto bail; 1137 (void) memset(psp, 0, *len); 1138 1139 psp->ps_ike_mode = mtype; 1140 1141 psp->ps_localid_off = sizeof (ike_ps_t); 1142 if (locidtype == SADB_IDENTTYPE_RESERVED) { 1143 locpfx = strchr(locid, '/'); 1144 if (locpfx != NULL) { 1145 *locpfx = '\0'; 1146 locpfx++; 1147 } 1148 1149 /* 1150 * this is an ip address, store in the sockaddr field; 1151 * we won't use an sadb_ident_t. 1152 */ 1153 psp->ps_localid_len = 0; 1154 if (parse_addr(1, &locid, &loche) < 0) 1155 goto bail; 1156 if (loche->h_addr_list[1] != NULL) { 1157 message(gettext("preshared key identifier cannot " 1158 "match multiple IP addresses")); 1159 goto bail; 1160 } 1161 headdr2sa(loche->h_addr_list[0], &psp->ps_ipaddrs.loc_addr, 1162 loche->h_length); 1163 FREE_HE(loche); 1164 } else { 1165 psp->ps_localid_len = sizeof (sadb_ident_t) + locidlen; 1166 sidp = (sadb_ident_t *)((int)psp + psp->ps_localid_off); 1167 sidp->sadb_ident_len = psp->ps_localid_len; 1168 sidp->sadb_ident_type = locidtype; 1169 (void) strlcpy((char *)(sidp + 1), locid, a_locidtotal); 1170 } 1171 1172 psp->ps_remoteid_off = psp->ps_localid_off + a_locidtotal; 1173 if (remidtype == SADB_IDENTTYPE_RESERVED) { 1174 rempfx = strchr(remid, '/'); 1175 if (rempfx != NULL) { 1176 *rempfx = '\0'; 1177 rempfx++; 1178 } 1179 1180 /* 1181 * this is an ip address, store in the sockaddr field; 1182 * we won't use an sadb_ident_t. 1183 */ 1184 psp->ps_remoteid_len = 0; 1185 if (parse_addr(1, &remid, &remhe) < 0) 1186 goto bail; 1187 if (remhe->h_addr_list[1] != NULL) { 1188 message(gettext("preshared key identifier cannot " 1189 "match multiple IP addresses")); 1190 goto bail; 1191 } 1192 headdr2sa(remhe->h_addr_list[0], &psp->ps_ipaddrs.rem_addr, 1193 remhe->h_length); 1194 FREE_HE(remhe); 1195 } else { 1196 /* make sure we have at least 16-bit alignment */ 1197 if (remidlen & 0x1) 1198 remidlen++; 1199 psp->ps_remoteid_len = sizeof (sadb_ident_t) + remidlen; 1200 sidp = (sadb_ident_t *)((int)psp + psp->ps_remoteid_off); 1201 sidp->sadb_ident_len = psp->ps_remoteid_len; 1202 sidp->sadb_ident_type = remidtype; 1203 (void) strlcpy((char *)(sidp + 1), remid, a_remidtotal); 1204 } 1205 1206 psp->ps_key_off = psp->ps_remoteid_off + a_remidtotal; 1207 psp->ps_key_len = keylen; 1208 psp->ps_key_bits = keybits; 1209 (void) memcpy((uint8_t *)((int)psp + psp->ps_key_off), keyp, keylen); 1210 if (locpfx != NULL && ((pfxlen = atoi(locpfx)) > 0)) 1211 psp->ps_localid_plen = pfxlen; 1212 if (rempfx != NULL && ((pfxlen = atoi(rempfx)) > 0)) 1213 psp->ps_remoteid_plen = pfxlen; 1214 1215 *presharedpp = psp; 1216 1217 return (c); 1218 1219 bail: 1220 if (loche != NULL) 1221 FREE_HE(loche); 1222 if (remhe != NULL) 1223 FREE_HE(remhe); 1224 if (keyp != NULL) 1225 free(keyp); 1226 if (psp != NULL) 1227 free(psp); 1228 1229 *presharedpp = NULL; 1230 1231 return (-1); 1232 } 1233 1234 /* 1235 * Printing functions 1236 * 1237 * A potential point of confusion here is that the ikeadm-specific string- 1238 * producing functions do not match the ipsec_util.c versions in style: the 1239 * ikeadm-specific functions return a string (and are named foostr), while 1240 * the ipsec_util.c functions actually print the string to the file named 1241 * in the second arg to the function (and are named dump_foo). 1242 * 1243 * Localization for ikeadm seems more straightforward when complete 1244 * phrases are translated rather than: a part of a phrase, a call to 1245 * dump_foo(), and more of the phrase. It could also accommodate 1246 * non-English grammar more easily. 1247 */ 1248 1249 static char * 1250 errstr(int err) 1251 { 1252 static char rtn[MAXLINESIZE]; 1253 1254 switch (err) { 1255 case IKE_ERR_NO_OBJ: 1256 return (gettext("No data returned")); 1257 case IKE_ERR_NO_DESC: 1258 return (gettext("No destination provided")); 1259 case IKE_ERR_ID_INVALID: 1260 return (gettext("Id info invalid")); 1261 case IKE_ERR_LOC_INVALID: 1262 return (gettext("Destination invalid")); 1263 case IKE_ERR_CMD_INVALID: 1264 return (gettext("Command invalid")); 1265 case IKE_ERR_DATA_INVALID: 1266 return (gettext("Supplied data invalid")); 1267 case IKE_ERR_CMD_NOTSUP: 1268 return (gettext("Unknown command")); 1269 case IKE_ERR_REQ_INVALID: 1270 return (gettext("Request invalid")); 1271 case IKE_ERR_NO_PRIV: 1272 return (gettext("Not allowed at current privilege level")); 1273 case IKE_ERR_NO_AUTH: 1274 return (gettext("User not authorized")); 1275 case IKE_ERR_SYS_ERR: 1276 return (gettext("System error")); 1277 case IKE_ERR_DUP_IGNORED: 1278 return (gettext("One or more duplicate entries ignored")); 1279 case IKE_ERR_NO_TOKEN: 1280 return (gettext( 1281 "token login failed or no objects on device")); 1282 case IKE_ERR_IN_PROGRESS: 1283 return (gettext( 1284 "Duplicate operation already in progress")); 1285 case IKE_ERR_NO_MEM: 1286 return (gettext( 1287 "Insufficient memory")); 1288 default: 1289 (void) snprintf(rtn, MAXLINESIZE, 1290 gettext("<unknown error %d>"), err); 1291 return (rtn); 1292 } 1293 } 1294 1295 static char * 1296 dbgstr(int bit) 1297 { 1298 static char rtn[MAXLINESIZE]; 1299 1300 switch (bit) { 1301 case D_CERT: 1302 return (gettext("Certificate management")); 1303 case D_KEY: 1304 return (gettext("Key management")); 1305 case D_OP: 1306 return (gettext("Operational")); 1307 case D_P1: 1308 return (gettext("Phase 1 SA creation")); 1309 case D_P2: 1310 return (gettext("Phase 2 SA creation")); 1311 case D_PFKEY: 1312 return (gettext("PF_KEY interface")); 1313 case D_POL: 1314 return (gettext("Policy management")); 1315 case D_PROP: 1316 return (gettext("Proposal construction")); 1317 case D_DOOR: 1318 return (gettext("Door interface")); 1319 case D_CONFIG: 1320 return (gettext("Config file processing")); 1321 case D_LABEL: 1322 return (gettext("MAC label processing")); 1323 default: 1324 (void) snprintf(rtn, MAXLINESIZE, 1325 gettext("<unknown flag 0x%x>"), bit); 1326 return (rtn); 1327 } 1328 } 1329 1330 static char * 1331 privstr(int priv) 1332 { 1333 static char rtn[MAXLINESIZE]; 1334 1335 switch (priv) { 1336 case IKE_PRIV_MINIMUM: 1337 return (gettext("base privileges")); 1338 case IKE_PRIV_MODKEYS: 1339 return (gettext("access to preshared key information")); 1340 case IKE_PRIV_KEYMAT: 1341 return (gettext("access to keying material")); 1342 default: 1343 (void) snprintf(rtn, MAXLINESIZE, 1344 gettext("<unknown level %d>"), priv); 1345 return (rtn); 1346 } 1347 } 1348 1349 static char * 1350 xchgstr(int xchg) 1351 { 1352 static char rtn[MAXLINESIZE]; 1353 1354 switch (xchg) { 1355 case IKE_XCHG_NONE: 1356 return (gettext("<unspecified>")); 1357 case IKE_XCHG_BASE: 1358 return (gettext("base")); 1359 case IKE_XCHG_IDENTITY_PROTECT: 1360 return (gettext("main mode (identity protect)")); 1361 case IKE_XCHG_AUTH_ONLY: 1362 return (gettext("authentication only")); 1363 case IKE_XCHG_AGGRESSIVE: 1364 return (gettext("aggressive mode")); 1365 case IKE_XCHG_IP_AND_AGGR: 1366 return (gettext("main and aggressive mode")); 1367 case IKE_XCHG_ANY: 1368 return (gettext("any mode")); 1369 default: 1370 (void) snprintf(rtn, MAXLINESIZE, 1371 gettext("<unknown %d>"), xchg); 1372 return (rtn); 1373 } 1374 } 1375 1376 static char * 1377 statestr(int state) 1378 { 1379 static char rtn[MAXLINESIZE]; 1380 1381 switch (state) { 1382 case IKE_SA_STATE_INIT: 1383 return (gettext("INITIALIZING")); 1384 case IKE_SA_STATE_SENT_SA: 1385 return (gettext("SENT FIRST MSG (SA)")); 1386 case IKE_SA_STATE_SENT_KE: 1387 return (gettext("SENT SECOND MSG (KE)")); 1388 case IKE_SA_STATE_SENT_LAST: 1389 return (gettext("SENT FINAL MSG")); 1390 case IKE_SA_STATE_DONE: 1391 return (gettext("ACTIVE")); 1392 case IKE_SA_STATE_DELETED: 1393 return (gettext("DELETED")); 1394 case IKE_SA_STATE_INVALID: 1395 return (gettext("<invalid>")); 1396 default: 1397 (void) snprintf(rtn, MAXLINESIZE, 1398 gettext("<unknown %d>"), state); 1399 return (rtn); 1400 } 1401 } 1402 1403 static char * 1404 authmethstr(int meth) 1405 { 1406 static char rtn[MAXLINESIZE]; 1407 1408 switch (meth) { 1409 case IKE_AUTH_METH_PRE_SHARED_KEY: 1410 return (gettext("pre-shared key")); 1411 case IKE_AUTH_METH_DSS_SIG: 1412 return (gettext("DSS signatures")); 1413 case IKE_AUTH_METH_RSA_SIG: 1414 return (gettext("RSA signatures")); 1415 case IKE_AUTH_METH_RSA_ENCR: 1416 return (gettext("RSA Encryption")); 1417 case IKE_AUTH_METH_RSA_ENCR_REVISED: 1418 return (gettext("Revised RSA Encryption")); 1419 default: 1420 (void) snprintf(rtn, MAXLINESIZE, 1421 gettext("<unknown %d>"), meth); 1422 return (rtn); 1423 } 1424 } 1425 1426 static char * 1427 prfstr(int prf) 1428 { 1429 static char rtn[MAXLINESIZE]; 1430 1431 switch (prf) { 1432 case IKE_PRF_NONE: 1433 return (gettext("<none/unavailable>")); 1434 case IKE_PRF_HMAC_MD5: 1435 return ("HMAC MD5"); 1436 case IKE_PRF_HMAC_SHA1: 1437 return ("HMAC SHA1"); 1438 case IKE_PRF_HMAC_SHA256: 1439 return ("HMAC SHA256"); 1440 case IKE_PRF_HMAC_SHA384: 1441 return ("HMAC SHA384"); 1442 case IKE_PRF_HMAC_SHA512: 1443 return ("HMAC SHA512"); 1444 default: 1445 (void) snprintf(rtn, MAXLINESIZE, 1446 gettext("<unknown %d>"), prf); 1447 return (rtn); 1448 } 1449 } 1450 1451 static char * 1452 dhstr(int grp) 1453 { 1454 static char rtn[MAXLINESIZE]; 1455 1456 switch (grp) { 1457 case 0: 1458 return (gettext("<unavailable>")); 1459 case IKE_GRP_DESC_MODP_768: 1460 return (gettext("768-bit MODP (group 1)")); 1461 case IKE_GRP_DESC_MODP_1024: 1462 return (gettext("1024-bit MODP (group 2)")); 1463 case IKE_GRP_DESC_EC2N_155: 1464 return (gettext("EC2N group on GP[2^155]")); 1465 case IKE_GRP_DESC_EC2N_185: 1466 return (gettext("EC2N group on GP[2^185]")); 1467 case IKE_GRP_DESC_MODP_1536: 1468 return (gettext("1536-bit MODP (group 5)")); 1469 case IKE_GRP_DESC_MODP_2048: 1470 return (gettext("2048-bit MODP (group 14)")); 1471 case IKE_GRP_DESC_MODP_3072: 1472 return (gettext("3072-bit MODP (group 15)")); 1473 case IKE_GRP_DESC_MODP_4096: 1474 return (gettext("4096-bit MODP (group 16)")); 1475 case IKE_GRP_DESC_MODP_6144: 1476 return (gettext("6144-bit MODP (group 17)")); 1477 case IKE_GRP_DESC_MODP_8192: 1478 return (gettext("8192-bit MODP (group 18)")); 1479 case IKE_GRP_DESC_ECP_256: 1480 return (gettext("256-bit ECP (group 19)")); 1481 case IKE_GRP_DESC_ECP_384: 1482 return (gettext("384-bit ECP (group 20)")); 1483 case IKE_GRP_DESC_ECP_521: 1484 return (gettext("521-bit ECP (group 21)")); 1485 case IKE_GRP_DESC_MODP_1024_160: 1486 return ( 1487 gettext("1024-bit MODP with 160-bit subprime (group 22)")); 1488 case IKE_GRP_DESC_MODP_2048_224: 1489 return ( 1490 gettext("2048-bit MODP with 224-bit subprime (group 23)")); 1491 case IKE_GRP_DESC_MODP_2048_256: 1492 return ( 1493 gettext("2048-bit MODP with 256-bit subprime (group 24)")); 1494 case IKE_GRP_DESC_ECP_192: 1495 return (gettext("192-bit ECP (group 25)")); 1496 case IKE_GRP_DESC_ECP_224: 1497 return (gettext("224-bit ECP (group 26)")); 1498 default: 1499 (void) snprintf(rtn, MAXLINESIZE, gettext("<unknown %d>"), grp); 1500 return (rtn); 1501 } 1502 } 1503 1504 static void 1505 print_hdr(char *prefix, ike_p1_hdr_t *hdrp) 1506 { 1507 char sbuf[TBUF_SIZE]; 1508 char tbuf[TBUF_SIZE]; 1509 time_t ltime = (time_t)hdrp->p1hdr_dpd_time; 1510 1511 (void) printf( 1512 gettext("%s Cookies: Initiator 0x%llx Responder 0x%llx\n"), 1513 prefix, ntohll(hdrp->p1hdr_cookies.cky_i), 1514 ntohll(hdrp->p1hdr_cookies.cky_r)); 1515 (void) printf(gettext("%s The local host is the %s.\n"), prefix, 1516 hdrp->p1hdr_isinit ? gettext("initiator") : gettext("responder")); 1517 (void) printf(gettext("%s ISAKMP version %d.%d; %s exchange\n"), prefix, 1518 hdrp->p1hdr_major, hdrp->p1hdr_minor, xchgstr(hdrp->p1hdr_xchg)); 1519 (void) printf(gettext("%s Current state is %s\n"), prefix, 1520 statestr(hdrp->p1hdr_state)); 1521 if (hdrp->p1hdr_support_dpd == B_FALSE) { 1522 return; 1523 } 1524 (void) printf(gettext("%s Dead Peer Detection (RFC 3706)" 1525 " enabled"), prefix); 1526 if (hdrp->p1hdr_dpd_state < DPD_IN_PROGRESS) { 1527 (void) printf("\n"); 1528 return; 1529 } 1530 if (strftime(tbuf, TBUF_SIZE, NULL, 1531 localtime(<ime)) == 0) { 1532 (void) strlcpy(tbuf, gettext("<time conversion failed>"), 1533 TBUF_SIZE); 1534 } 1535 (void) printf(gettext("\n%s Dead Peer Detection handshake "), prefix); 1536 switch (hdrp->p1hdr_dpd_state) { 1537 case DPD_SUCCESSFUL: 1538 (void) strlcpy(sbuf, gettext("was successful at "), TBUF_SIZE); 1539 break; 1540 case DPD_FAILURE: 1541 (void) strlcpy(sbuf, gettext("failed at "), TBUF_SIZE); 1542 break; 1543 case DPD_IN_PROGRESS: 1544 (void) strlcpy(sbuf, gettext("is in progress."), TBUF_SIZE); 1545 break; 1546 } 1547 (void) printf("%s %s", sbuf, 1548 (hdrp->p1hdr_dpd_state == DPD_IN_PROGRESS) ? "" : tbuf); 1549 (void) printf("\n"); 1550 } 1551 1552 static void 1553 print_lt_limits(char *prefix, ike_p1_xform_t *xfp) 1554 { 1555 char byte_str[BYTE_STR_SIZE]; /* byte lifetime string representation */ 1556 char secs_str[SECS_STR_SIZE]; /* lifetime string representation */ 1557 1558 (void) printf(gettext("%s Lifetime limits:\n"), prefix); 1559 (void) printf(gettext("%s %u seconds%s; %u kbytes %sprotected\n"), 1560 prefix, xfp->p1xf_max_secs, secs2out(xfp->p1xf_max_secs, 1561 secs_str, sizeof (secs_str), SPC_BEGIN), xfp->p1xf_max_kbytes, 1562 bytecnt2out((uint64_t)xfp->p1xf_max_kbytes << 10, byte_str, 1563 sizeof (byte_str), SPC_END)); 1564 (void) printf(gettext("%s keying material for IPsec SAs can be " 1565 "provided %u times%s\n"), prefix, xfp->p1xf_max_keyuses, 1566 xfp->p1xf_max_keyuses == 0 ? " (no limit)" : ""); 1567 } 1568 1569 #define LT_USAGE_LEN 16 /* 1 uint64 + 2 uint32s */ 1570 static void 1571 print_lt_usage(char *prefix, ike_p1_stats_t *sp) 1572 { 1573 time_t scratch; 1574 char tbuf[TBUF_SIZE]; 1575 char bytestr[BYTE_STR_SIZE]; /* byte lifetime representation */ 1576 1577 (void) printf(gettext("%s Current usage:\n"), prefix); 1578 scratch = (time_t)sp->p1stat_start; 1579 if (strftime(tbuf, TBUF_SIZE, NULL, localtime(&scratch)) == 0) 1580 (void) strlcpy(tbuf, gettext("<time conversion failed>"), 1581 TBUF_SIZE); 1582 (void) printf(gettext("%s SA was created at %s\n"), prefix, tbuf); 1583 (void) printf(gettext("%s %u kbytes %sprotected\n"), 1584 prefix, sp->p1stat_kbytes, 1585 bytecnt2out((uint64_t)sp->p1stat_kbytes << 10, bytestr, 1586 sizeof (bytestr), SPC_END)); 1587 (void) printf(gettext("%s keying material for IPsec SAs provided " 1588 "%u times\n"), prefix, sp->p1stat_keyuses); 1589 } 1590 1591 static void 1592 print_xform(char *prefix, ike_p1_xform_t *xfp, boolean_t print_lifetimes) 1593 { 1594 (void) printf(gettext("%s Authentication method: %s"), prefix, 1595 authmethstr(xfp->p1xf_auth_meth)); 1596 (void) printf(gettext("\n%s Encryption alg: "), prefix); 1597 (void) dump_ealg(xfp->p1xf_encr_alg, stdout); 1598 if (xfp->p1xf_encr_low_bits != 0) { 1599 (void) printf(gettext("(%d..%d)"), xfp->p1xf_encr_low_bits, 1600 xfp->p1xf_encr_high_bits); 1601 } else if ((xfp->p1xf_encr_low_bits == 0) && 1602 (xfp->p1xf_encr_high_bits != 0)) { 1603 /* 1604 * High bits is a placeholder for 1605 * negotiated algorithm strength 1606 */ 1607 (void) printf(gettext("(%d)"), xfp->p1xf_encr_high_bits); 1608 } 1609 (void) printf(gettext("; Authentication alg: ")); 1610 (void) dump_aalg(xfp->p1xf_auth_alg, stdout); 1611 (void) printf("\n%s ", prefix); 1612 if (xfp->p1xf_prf != 0) 1613 (void) printf(gettext("PRF: %s ; "), prfstr(xfp->p1xf_prf)); 1614 (void) printf(gettext("Oakley Group: %s\n"), 1615 dhstr(xfp->p1xf_dh_group)); 1616 if (xfp->p1xf_pfs == 0) { 1617 (void) printf(gettext("%s Phase 2 PFS is not used\n"), prefix); 1618 } else { 1619 (void) printf(gettext( 1620 "%s Phase 2 PFS is required (Oakley Group: %s)\n"), 1621 prefix, dhstr(xfp->p1xf_pfs)); 1622 } 1623 1624 if (print_lifetimes) 1625 print_lt_limits(prefix, xfp); 1626 } 1627 1628 static void 1629 print_lifetime(char *prefix, ike_p1_xform_t *xfp, ike_p1_stats_t *sp, 1630 int statlen) 1631 { 1632 time_t current, remain, exp; 1633 char tbuf[TBUF_SIZE]; 1634 char byte_str[BYTE_STR_SIZE]; /* byte lifetime representation */ 1635 char secs_str[SECS_STR_SIZE]; /* seconds lifetime representation */ 1636 1637 current = time(NULL); 1638 1639 print_lt_limits(prefix, xfp); 1640 1641 /* 1642 * make sure the stats struct we've been passed is as big 1643 * as we expect it to be. The usage stats are at the end, 1644 * so anything less than the size we expect won't work. 1645 */ 1646 if (statlen >= sizeof (ike_p1_stats_t)) { 1647 print_lt_usage(prefix, sp); 1648 } else { 1649 return; 1650 } 1651 1652 (void) printf(gettext("%s Expiration info:\n"), prefix); 1653 1654 if (xfp->p1xf_max_kbytes != 0) 1655 (void) printf(gettext("%s %u more bytes %scan be " 1656 "protected.\n"), 1657 prefix, xfp->p1xf_max_kbytes - sp->p1stat_kbytes, 1658 bytecnt2out((uint64_t)(xfp->p1xf_max_kbytes - 1659 sp->p1stat_kbytes) << 10, byte_str, sizeof (byte_str), 1660 SPC_END)); 1661 1662 if (xfp->p1xf_max_keyuses != 0) 1663 (void) printf(gettext("%s Keying material can be provided " 1664 "%u more times.\n"), prefix, 1665 xfp->p1xf_max_keyuses - sp->p1stat_keyuses); 1666 1667 if (xfp->p1xf_max_secs != 0) { 1668 exp = (time_t)sp->p1stat_start + (time_t)xfp->p1xf_max_secs; 1669 remain = exp - current; 1670 if (strftime(tbuf, TBUF_SIZE, NULL, localtime(&exp)) == 0) 1671 (void) strlcpy(tbuf, 1672 gettext("<time conversion failed>"), TBUF_SIZE); 1673 /* 1674 * The SA may have expired but still exist because libike 1675 * has not freed it yet. 1676 */ 1677 if (remain > 0) { 1678 (void) printf(gettext( 1679 "%s SA expires in %lu seconds%s\n"), 1680 prefix, remain, secs2out(remain, secs_str, 1681 sizeof (secs_str), SPC_BEGIN)); 1682 (void) printf(gettext("%s Time of expiration: %s\n"), 1683 prefix, tbuf); 1684 } else { 1685 (void) printf(gettext("%s SA Expired at %s\n"), 1686 prefix, tbuf); 1687 } 1688 } 1689 } 1690 1691 /* used to verify structure lengths... */ 1692 #define COUNTER_32BIT 4 1693 #define COUNTER_PAIR 8 1694 1695 static void 1696 print_p1stats(char *prefix, ike_p1_stats_t *sp, int statlen, 1697 boolean_t print_lifetimes) 1698 { 1699 if (statlen < COUNTER_PAIR) 1700 return; 1701 (void) printf(gettext("%s %u Quick Mode SAs created; "), prefix, 1702 sp->p1stat_new_qm_sas); 1703 (void) printf(gettext("%u Quick Mode SAs deleted\n"), 1704 sp->p1stat_del_qm_sas); 1705 statlen -= COUNTER_PAIR; 1706 1707 if ((print_lifetimes) && (statlen >= LT_USAGE_LEN)) 1708 print_lt_usage(prefix, sp); 1709 } 1710 1711 static void 1712 print_errs(char *prefix, ike_p1_errors_t *errp, int errlen) 1713 { 1714 /* 1715 * Don't try to break this one up; it's either all or nothing! 1716 */ 1717 if (errlen < sizeof (ike_p1_errors_t)) 1718 return; 1719 1720 (void) printf(gettext("%s %u RX errors: "), prefix, 1721 errp->p1err_decrypt + errp->p1err_hash + errp->p1err_otherrx); 1722 (void) printf(gettext("%u decryption, %u hash, %u other\n"), 1723 errp->p1err_decrypt, errp->p1err_hash, errp->p1err_otherrx); 1724 (void) printf(gettext("%s %u TX errors\n"), prefix, errp->p1err_tx); 1725 } 1726 1727 static void 1728 print_addr_range(char *prefix, ike_addr_pr_t *pr) 1729 { 1730 boolean_t range = B_TRUE; 1731 struct sockaddr_storage *beg, *end; 1732 struct sockaddr_in *bsin, *esin; 1733 struct sockaddr_in6 *bsin6, *esin6; 1734 1735 beg = &pr->beg_iprange; 1736 end = &pr->end_iprange; 1737 1738 if (beg->ss_family != end->ss_family) { 1739 (void) printf(gettext("%s invalid address range\n"), prefix); 1740 return; 1741 } 1742 1743 switch (beg->ss_family) { 1744 case AF_INET: 1745 bsin = (struct sockaddr_in *)beg; 1746 esin = (struct sockaddr_in *)end; 1747 if ((uint32_t)bsin->sin_addr.s_addr == 1748 (uint32_t)esin->sin_addr.s_addr) 1749 range = B_FALSE; 1750 break; 1751 case AF_INET6: 1752 bsin6 = (struct sockaddr_in6 *)beg; 1753 esin6 = (struct sockaddr_in6 *)end; 1754 if (IN6_ARE_ADDR_EQUAL(&bsin6->sin6_addr, &esin6->sin6_addr)) 1755 range = B_FALSE; 1756 break; 1757 default: 1758 (void) printf(gettext("%s invalid address range\n"), prefix); 1759 return; 1760 } 1761 1762 (void) printf("%s ", prefix); 1763 (void) dump_sockaddr((struct sockaddr *)beg, 0, B_TRUE, stdout, nflag); 1764 if (range) { 1765 (void) printf(" - "); 1766 (void) dump_sockaddr((struct sockaddr *)end, 0, B_TRUE, stdout, 1767 nflag); 1768 } 1769 (void) printf("\n"); 1770 1771 } 1772 1773 /* 1774 * used to tell printing function if info should be identified 1775 * as belonging to initiator, responder, or neither 1776 */ 1777 #define IS_INITIATOR 1 1778 #define IS_RESPONDER 2 1779 #define DONT_PRINT_INIT 3 1780 1781 static void 1782 print_addr(char *prefix, struct sockaddr_storage *sa, int init_instr, 1783 int mask) 1784 { 1785 (void) printf(gettext("%s Address"), prefix); 1786 1787 if (init_instr != DONT_PRINT_INIT) 1788 (void) printf(" (%s):\n", (init_instr == IS_INITIATOR) ? 1789 gettext("Initiator") : gettext("Responder")); 1790 else 1791 (void) printf(":\n"); 1792 1793 (void) printf("%s ", prefix); 1794 (void) dump_sockaddr((struct sockaddr *)sa, mask, B_FALSE, stdout, 1795 nflag); 1796 } 1797 1798 static void 1799 print_id(char *prefix, sadb_ident_t *idp, int init_instr) 1800 { 1801 boolean_t canprint; 1802 1803 switch (init_instr) { 1804 case IS_INITIATOR: 1805 (void) printf(gettext("%s Initiator identity, "), prefix); 1806 break; 1807 case IS_RESPONDER: 1808 (void) printf(gettext("%s Responder identity, "), prefix); 1809 break; 1810 case DONT_PRINT_INIT: 1811 (void) printf(gettext("%s Identity, "), prefix); 1812 break; 1813 default: 1814 (void) printf(gettext("<invalid identity>\n")); 1815 return; 1816 } 1817 (void) printf(gettext("uid=%d, type "), idp->sadb_ident_id); 1818 canprint = dump_sadb_idtype(idp->sadb_ident_type, stdout, NULL); 1819 if (canprint) { 1820 (void) printf("\n%s %s\n", prefix, (char *)(idp + 1)); 1821 } else { 1822 (void) printf(gettext("\n%s "), prefix); 1823 print_asn1_name(stdout, 1824 (const unsigned char *)(idp + 1), 1825 SADB_64TO8(idp->sadb_ident_len) - sizeof (sadb_ident_t)); 1826 } 1827 } 1828 1829 static void 1830 print_idspec(char *prefix, char *idp, int icnt, int ecnt) 1831 { 1832 int i; 1833 1834 (void) printf(gettext("%s Identity descriptors:\n"), prefix); 1835 1836 for (i = 0; i < icnt; i++) { 1837 if (i == 0) 1838 (void) printf(gettext("%s Includes:\n"), prefix); 1839 (void) printf("%s %s\n", prefix, idp); 1840 idp += strlen(idp) + 1; 1841 } 1842 1843 for (i = 0; i < ecnt; i++) { 1844 if (i == 0) 1845 (void) printf(gettext("%s Excludes:\n"), prefix); 1846 (void) printf("%s %s\n", prefix, idp); 1847 idp += strlen(idp) + 1; 1848 } 1849 } 1850 1851 static void 1852 print_keys(char *prefix, ike_p1_key_t *keyp, int size) 1853 { 1854 uint32_t *curp; 1855 ike_p1_key_t *p; 1856 int ssize; 1857 1858 curp = (uint32_t *)keyp; 1859 1860 ssize = sizeof (ike_p1_key_t); 1861 1862 while ((intptr_t)curp - (intptr_t)keyp < size) { 1863 size_t p1klen, len; 1864 1865 p = (ike_p1_key_t *)curp; 1866 p1klen = p->p1key_len; 1867 len = p1klen - ssize; 1868 1869 p1klen = roundup(p1klen, sizeof (ike_p1_key_t)); 1870 if (p1klen < ssize) { 1871 (void) printf(gettext("Short key\n")); 1872 break; 1873 } 1874 1875 switch (p->p1key_type) { 1876 case IKE_KEY_PRESHARED: 1877 (void) printf(gettext("%s Pre-shared key (%d bytes): "), 1878 prefix, len); 1879 break; 1880 case IKE_KEY_SKEYID: 1881 (void) printf(gettext("%s SKEYID (%d bytes): "), 1882 prefix, len); 1883 break; 1884 case IKE_KEY_SKEYID_D: 1885 (void) printf(gettext("%s SKEYID_d (%d bytes): "), 1886 prefix, len); 1887 break; 1888 case IKE_KEY_SKEYID_A: 1889 (void) printf(gettext("%s SKEYID_a (%d bytes): "), 1890 prefix, len); 1891 break; 1892 case IKE_KEY_SKEYID_E: 1893 (void) printf(gettext("%s SKEYID_e (%d bytes): "), 1894 prefix, len); 1895 break; 1896 case IKE_KEY_ENCR: 1897 (void) printf(gettext("%s Encryption key (%d bytes): "), 1898 prefix, len); 1899 break; 1900 case IKE_KEY_IV: 1901 (void) printf( 1902 gettext("%s Initialization vector (%d bytes): "), 1903 prefix, len); 1904 break; 1905 default: 1906 (void) printf(gettext("%s Unidentified key info %p %d"), 1907 prefix, p, p1klen); 1908 goto badkey; 1909 } 1910 (void) dump_key((uint8_t *)(p + 1), SADB_8TO1(len), 0, 1911 stdout, B_FALSE); 1912 badkey: 1913 (void) printf("\n"); 1914 assert(IS_P2ALIGNED(p1klen, 8)); 1915 curp += (p1klen >> 2); 1916 } 1917 } 1918 1919 static void 1920 print_group_header(void) 1921 { 1922 (void) printf(gettext("\nList of Diffie-Hellman groups for setting " 1923 "up IKE SAs")); 1924 (void) printf(gettext("\nThe values match the IPsec attribute " 1925 "assigned numbers published by IANA\n\n")); 1926 (void) printf("%-6s%-9s%-50s\n", 1927 gettext("Value"), gettext("Strength"), gettext("Description")); 1928 } 1929 1930 static void 1931 print_group(ike_group_t *gp) 1932 { 1933 (void) printf("%-6u%-9u%-50s\n", 1934 gp->group_number, gp->group_bits, gp->group_label); 1935 } 1936 1937 static void 1938 print_encralg_header(void) 1939 { 1940 (void) printf(gettext("\nList of encryption algorithms for IKE")); 1941 (void) printf(gettext("\nThe values match the IPsec attribute " 1942 "assigned numbers published by IANA\n\n")); 1943 (void) printf("%-6s%-20s%-15s\n", gettext("Value"), 1944 gettext("Name"), gettext("Keylen range")); 1945 } 1946 1947 static void 1948 print_encralg(ike_encralg_t *ep) 1949 { 1950 char keylen_str[16]; 1951 1952 (void) strlcpy(keylen_str, "N/A", sizeof (keylen_str)); 1953 if (ep->encr_keylen_min != 0 || ep->encr_keylen_max != 0) 1954 (void) snprintf(keylen_str, sizeof (keylen_str), "%d-%d", 1955 ep->encr_keylen_min, ep->encr_keylen_max); 1956 (void) printf("%-6u%-20s%-15s\n", 1957 ep->encr_value, ep->encr_name, keylen_str); 1958 } 1959 1960 static void 1961 print_authalg_header(void) 1962 { 1963 (void) printf(gettext("\nList of authentication algorithms for IKE")); 1964 (void) printf(gettext("\nThe values match the IPsec attribute " 1965 "assigned numbers published by IANA\n\n")); 1966 (void) printf("%-6s%-20s\n", gettext("Value"), gettext("Name")); 1967 } 1968 1969 static void 1970 print_authalg(ike_authalg_t *ap) 1971 { 1972 (void) printf("%-6u%-20s\n", 1973 ap->auth_value, ap->auth_name); 1974 } 1975 1976 static void 1977 print_p1(ike_p1_sa_t *p1) 1978 { 1979 ike_p1_stats_t *sp; 1980 ike_p1_errors_t *ep; 1981 ike_p1_key_t *kp; 1982 sadb_ident_t *lidp, *ridp; 1983 int lstat, rstat; 1984 1985 (void) printf("\n"); 1986 print_hdr("IKESA:", &p1->p1sa_hdr); 1987 print_xform("XFORM:", &p1->p1sa_xform, B_FALSE); 1988 1989 if (p1->p1sa_hdr.p1hdr_isinit) { 1990 lstat = IS_INITIATOR; 1991 rstat = IS_RESPONDER; 1992 } else { 1993 lstat = IS_RESPONDER; 1994 rstat = IS_INITIATOR; 1995 } 1996 print_addr("LOCIP:", &p1->p1sa_ipaddrs.loc_addr, lstat, 0); 1997 print_addr("REMIP:", &p1->p1sa_ipaddrs.rem_addr, rstat, 0); 1998 1999 /* 2000 * the stat len might be 0; but still make the call 2001 * to print_lifetime() to pick up the xform info 2002 */ 2003 sp = (ike_p1_stats_t *)((int)(p1) + p1->p1sa_stat_off); 2004 print_lifetime("LIFTM:", &p1->p1sa_xform, sp, p1->p1sa_stat_len); 2005 2006 if (p1->p1sa_stat_len > 0) { 2007 print_p1stats("STATS:", sp, p1->p1sa_stat_len, B_FALSE); 2008 } 2009 2010 if (p1->p1sa_error_len > 0) { 2011 ep = (ike_p1_errors_t *)((int)(p1) + p1->p1sa_error_off); 2012 print_errs("ERRS: ", ep, p1->p1sa_error_len); 2013 } 2014 2015 if (p1->p1sa_localid_len > 0) { 2016 lidp = (sadb_ident_t *)((int)(p1) + p1->p1sa_localid_off); 2017 print_id("LOCID:", lidp, lstat); 2018 } 2019 2020 if (p1->p1sa_remoteid_len > 0) { 2021 ridp = (sadb_ident_t *)((int)(p1) + p1->p1sa_remoteid_off); 2022 print_id("REMID:", ridp, rstat); 2023 } 2024 2025 if (p1->p1sa_key_len > 0) { 2026 kp = (ike_p1_key_t *)((int)(p1) + p1->p1sa_key_off); 2027 print_keys("KEY: ", kp, p1->p1sa_key_len); 2028 } 2029 } 2030 2031 static void 2032 print_certcache(ike_certcache_t *c) 2033 { 2034 (void) printf("\n"); 2035 2036 (void) printf(gettext("CERTIFICATE CACHE ID: %d\n"), c->cache_id); 2037 (void) printf(gettext("\tSubject Name: <%s>\n"), 2038 (c->subject != NULL) ? c->subject : gettext("Name unavailable")); 2039 (void) printf(gettext("\t Issuer Name: <%s>\n"), 2040 (c->issuer != NULL) ? c->issuer : gettext("Name unavailable")); 2041 if ((int)c->certclass == -1) 2042 (void) printf(gettext("\t\t[trusted certificate]\n")); 2043 switch (c->linkage) { 2044 case CERT_OFF_WIRE: 2045 (void) printf(gettext("\t\t[Public certificate only]\n")); 2046 (void) printf(gettext( 2047 "\t\t[Obtained via certificate payload]\n")); 2048 break; 2049 case CERT_NO_PRIVKEY: 2050 (void) printf(gettext("\t\t[Public certificate only]\n")); 2051 break; 2052 case CERT_PRIVKEY_LOCKED: 2053 (void) printf(gettext( 2054 "\t\t[Private key linked but locked]\n")); 2055 break; 2056 case CERT_PRIVKEY_AVAIL: 2057 (void) printf(gettext("\t\t[Private key available]\n")); 2058 break; 2059 } 2060 } 2061 2062 static void 2063 print_ps(ike_ps_t *ps) 2064 { 2065 sadb_ident_t *lidp, *ridp; 2066 uint8_t *keyp; 2067 2068 (void) printf("\n"); 2069 2070 (void) printf(gettext("PSKEY: For %s exchanges\n"), 2071 xchgstr(ps->ps_ike_mode)); 2072 2073 if (ps->ps_key_len > 0) { 2074 keyp = (uint8_t *)((int)(ps) + ps->ps_key_off); 2075 (void) printf(gettext("PSKEY: Pre-shared key (%d bytes): "), 2076 ps->ps_key_len); 2077 (void) dump_key(keyp, ps->ps_key_bits, 0, stdout, B_FALSE); 2078 (void) printf("\n"); 2079 } 2080 2081 /* 2082 * We get *either* and address or an ident, never both. So if 2083 * the ident is there, don't try printing an address. 2084 */ 2085 if (ps->ps_localid_len > 0) { 2086 lidp = (sadb_ident_t *) 2087 ((int)(ps) + ps->ps_localid_off); 2088 print_id("LOCID:", lidp, DONT_PRINT_INIT); 2089 } else { 2090 print_addr("LOCIP:", &ps->ps_ipaddrs.loc_addr, DONT_PRINT_INIT, 2091 ps->ps_localid_plen > 0 ? ps->ps_localid_plen : 0); 2092 } 2093 2094 if (ps->ps_remoteid_len > 0) { 2095 ridp = (sadb_ident_t *) 2096 ((int)(ps) + ps->ps_remoteid_off); 2097 print_id("REMID:", ridp, DONT_PRINT_INIT); 2098 } else { 2099 print_addr("REMIP:", &ps->ps_ipaddrs.rem_addr, DONT_PRINT_INIT, 2100 ps->ps_remoteid_plen > 0 ? ps->ps_remoteid_plen : 0); 2101 } 2102 } 2103 2104 #define PREFIXLEN 16 2105 2106 static void 2107 print_rule(ike_rule_t *rp) 2108 { 2109 char prefix[PREFIXLEN]; 2110 int i; 2111 ike_p1_xform_t *xfp; 2112 ike_addr_pr_t *lipp, *ripp; 2113 char *lidp, *ridp; 2114 char byte_str[BYTE_STR_SIZE]; /* kbyte string representation */ 2115 char secs_str[SECS_STR_SIZE]; /* seconds string representation */ 2116 2117 (void) printf("\n"); 2118 (void) printf(gettext("GLOBL: Label '%s', key manager cookie %u\n"), 2119 rp->rule_label, rp->rule_kmcookie); 2120 (void) printf(gettext("GLOBL: local_idtype=")); 2121 (void) dump_sadb_idtype(rp->rule_local_idtype, stdout, NULL); 2122 (void) printf(gettext(", ike_mode=%s\n"), xchgstr(rp->rule_ike_mode)); 2123 (void) printf(gettext( 2124 "GLOBL: p1_nonce_len=%u, p2_nonce_len=%u, p2_pfs=%s (group %u)\n"), 2125 rp->rule_p1_nonce_len, rp->rule_p2_nonce_len, 2126 (rp->rule_p2_pfs) ? gettext("true") : gettext("false"), 2127 rp->rule_p2_pfs); 2128 (void) printf( 2129 gettext("GLOBL: p2_lifetime=%u seconds%s\n"), 2130 rp->rule_p2_lifetime_secs, secs2out(rp->rule_p2_lifetime_secs, 2131 secs_str, sizeof (secs_str), SPC_BEGIN)); 2132 (void) printf( 2133 gettext("GLOBL: p2_softlife=%u seconds%s\n"), 2134 rp->rule_p2_softlife_secs, secs2out(rp->rule_p2_softlife_secs, 2135 secs_str, sizeof (secs_str), SPC_BEGIN)); 2136 (void) printf( 2137 gettext("GLOBL: p2_idletime=%u seconds%s\n"), 2138 rp->rule_p2_idletime_secs, secs2out(rp->rule_p2_idletime_secs, 2139 secs_str, sizeof (secs_str), SPC_BEGIN)); 2140 /* 2141 * Perform explicit conversion before passing to bytecnt2out() 2142 * to avoid integer overflow. 2143 */ 2144 (void) printf( 2145 gettext("GLOBL: p2_lifetime_kb=%u kilobytes%s\n"), 2146 rp->rule_p2_lifetime_kb, 2147 bytecnt2out((uint64_t)(rp->rule_p2_lifetime_kb) << 10, 2148 byte_str, sizeof (byte_str), SPC_BEGIN)); 2149 (void) printf( 2150 gettext("GLOBL: p2_softlife_kb=%u kilobytes%s\n"), 2151 rp->rule_p2_softlife_kb, 2152 bytecnt2out(((uint64_t)(rp->rule_p2_softlife_kb)) << 10, 2153 byte_str, sizeof (byte_str), SPC_BEGIN)); 2154 2155 if (rp->rule_locip_cnt > 0) { 2156 (void) printf(gettext("LOCIP: IP address range(s):\n")); 2157 lipp = (ike_addr_pr_t *)((int)rp + rp->rule_locip_off); 2158 for (i = 0; i < rp->rule_locip_cnt; i++, lipp++) { 2159 print_addr_range("LOCIP:", lipp); 2160 } 2161 } 2162 2163 if (rp->rule_remip_cnt > 0) { 2164 (void) printf(gettext("REMIP: IP address range(s):\n")); 2165 ripp = (ike_addr_pr_t *)((int)rp + rp->rule_remip_off); 2166 for (i = 0; i < rp->rule_remip_cnt; i++, ripp++) { 2167 print_addr_range("REMIP:", ripp); 2168 } 2169 } 2170 2171 if (rp->rule_locid_inclcnt + rp->rule_locid_exclcnt > 0) { 2172 lidp = (char *)((int)rp + rp->rule_locid_off); 2173 print_idspec("LOCID:", lidp, rp->rule_locid_inclcnt, 2174 rp->rule_locid_exclcnt); 2175 } 2176 2177 if (rp->rule_remid_inclcnt + rp->rule_remid_exclcnt > 0) { 2178 ridp = (char *)((int)rp + rp->rule_remid_off); 2179 print_idspec("REMID:", ridp, rp->rule_remid_inclcnt, 2180 rp->rule_remid_exclcnt); 2181 } 2182 2183 if (rp->rule_xform_cnt > 0) { 2184 (void) printf(gettext("XFRMS: Available Transforms:\n")); 2185 xfp = (ike_p1_xform_t *)((int)rp + rp->rule_xform_off); 2186 for (i = 0; i < rp->rule_xform_cnt; i++, xfp++) { 2187 (void) snprintf(prefix, PREFIXLEN, "XF %2u:", i); 2188 print_xform(prefix, xfp, B_TRUE); 2189 } 2190 } 2191 } 2192 2193 #undef PREFIXLEN 2194 2195 #define PRSACNTS(init, resp) \ 2196 (void) printf(gettext("initiator: %10u responder: %10u\n"), \ 2197 (init), (resp)) 2198 2199 static void 2200 print_stats(ike_stats_t *sp, int len) 2201 { 2202 /* 2203 * before printing each line, make sure the structure we were 2204 * given is big enough to include the fields needed. 2205 */ 2206 if (len < COUNTER_PAIR) 2207 return; 2208 (void) printf(gettext("Phase 1 SA counts:\n")); 2209 (void) printf(gettext("Current: ")); 2210 PRSACNTS(sp->st_init_p1_current, sp->st_resp_p1_current); 2211 len -= COUNTER_PAIR; 2212 2213 if (len < COUNTER_PAIR) 2214 return; 2215 (void) printf(gettext("Total: ")); 2216 PRSACNTS(sp->st_init_p1_total, sp->st_resp_p1_total); 2217 len -= COUNTER_PAIR; 2218 2219 if (len < COUNTER_PAIR) 2220 return; 2221 (void) printf(gettext("Attempted: ")); 2222 PRSACNTS(sp->st_init_p1_attempts, sp->st_resp_p1_attempts); 2223 len -= COUNTER_PAIR; 2224 2225 if (len < (COUNTER_PAIR + COUNTER_32BIT)) 2226 return; 2227 (void) printf(gettext("Failed: ")); 2228 PRSACNTS(sp->st_init_p1_noresp + sp->st_init_p1_respfail, 2229 sp->st_resp_p1_fail); 2230 (void) printf( 2231 gettext(" initiator fails include %u time-out(s)\n"), 2232 sp->st_init_p1_noresp); 2233 2234 if (len < PATH_MAX) 2235 return; 2236 if (*(sp->st_pkcs11_libname) != '\0') 2237 (void) printf(gettext("PKCS#11 library linked in from %s\n"), 2238 sp->st_pkcs11_libname); 2239 } 2240 2241 /* Print one line of 'get defaults' output (i.e. single value). */ 2242 static void 2243 print_defaults(char *label, char *description, char *unit, 2244 uint_t current, uint_t def) 2245 { 2246 (void) printf("%-18s%-10s%11u %-10s%-26s\n", label, 2247 (current != def) ? gettext("config") : gettext("default"), 2248 current, unit, description); 2249 } 2250 2251 /* 2252 * Print out defaults used by in.iked, the argument is a buffer containing 2253 * two ike_defaults_t's, the first contains the hard coded defaults, the second 2254 * contains the actual values used. If these differ, then the defaults have been 2255 * changed via a config file entry. Note that "-" indicates this default 2256 * is not tunable via ike.config(4) or is system wide tunable. 2257 */ 2258 static void 2259 do_print_defaults(ike_defaults_t *dp) 2260 { 2261 ike_defaults_t *ddp; 2262 ddp = (ike_defaults_t *)(dp + 1); 2263 2264 (void) printf(gettext("\nGlobal defaults. Some values can be" 2265 " over-ridden on a per rule basis.\n")); 2266 (void) printf(gettext("\nSystem defaults are time delayed.\n\n")); 2267 2268 (void) printf("%-18s%-10s%-12s%-10s%-26s\n\n", 2269 gettext("Token:"), gettext("Source:"), gettext("Value:"), 2270 gettext("Unit:"), gettext("Description:")); 2271 2272 /* iked tunables */ 2273 print_defaults("p1_lifetime_secs", gettext("phase 1 lifetime"), 2274 gettext("seconds"), ddp->rule_p1_lifetime_secs, 2275 dp->rule_p1_lifetime_secs); 2276 2277 print_defaults("-", gettext("minimum phase 1 lifetime"), 2278 gettext("seconds"), ddp->rule_p1_minlife, 2279 dp->rule_p1_minlife); 2280 2281 print_defaults("p1_nonce_len", gettext("phase 1 nonce length"), 2282 gettext("bytes"), ddp->rule_p1_nonce_len, 2283 dp->rule_p1_nonce_len); 2284 2285 print_defaults("p2_lifetime_secs", gettext("phase 2 lifetime"), 2286 gettext("seconds"), ddp->rule_p2_lifetime_secs, 2287 dp->rule_p2_lifetime_secs); 2288 2289 print_defaults("p2_softlife_secs", gettext("phase 2 soft lifetime"), 2290 gettext("seconds"), ddp->rule_p2_softlife_secs, 2291 dp->rule_p2_softlife_secs); 2292 2293 print_defaults("p2_idletime_secs", gettext("phase 2 idle time"), 2294 gettext("seconds"), ddp->rule_p2_idletime_secs, 2295 dp->rule_p2_idletime_secs); 2296 2297 print_defaults("p2_lifetime_kb", gettext("phase 2 lifetime"), 2298 gettext("kilobytes"), ddp->rule_p2_lifetime_kb, 2299 dp->rule_p2_lifetime_kb); 2300 2301 print_defaults("p2_softlife_kb", gettext("phase 2 soft lifetime"), 2302 gettext("kilobytes"), ddp->rule_p2_softlife_kb, 2303 dp->rule_p2_softlife_kb); 2304 2305 /* system wide tunables */ 2306 print_defaults("-", gettext("system phase 2 lifetime"), 2307 gettext("seconds"), ddp->sys_p2_lifetime_secs, 2308 dp->sys_p2_lifetime_secs); 2309 2310 print_defaults("-", gettext("system phase 2 soft lifetime"), 2311 gettext("seconds"), ddp->sys_p2_softlife_secs, 2312 dp->sys_p2_softlife_secs); 2313 2314 print_defaults("-", gettext("system phase 2 idle time"), 2315 gettext("seconds"), ddp->sys_p2_idletime_secs, 2316 dp->sys_p2_idletime_secs); 2317 2318 print_defaults("-", gettext("system phase 2 lifetime"), 2319 gettext("bytes"), ddp->sys_p2_lifetime_bytes, 2320 dp->sys_p2_lifetime_bytes); 2321 2322 print_defaults("-", gettext("system phase 2 soft lifetime"), 2323 gettext("bytes"), ddp->sys_p2_softlife_bytes, 2324 dp->sys_p2_softlife_bytes); 2325 2326 /* minimum and maximum values */ 2327 print_defaults("-", gettext("minimum phase 2 hard lifetime"), 2328 gettext("seconds"), ddp->rule_p2_minlife_hard_secs, 2329 dp->rule_p2_minlife_hard_secs); 2330 2331 print_defaults("-", gettext("minimum phase 2 soft lifetime"), 2332 gettext("seconds"), ddp->rule_p2_minlife_soft_secs, 2333 dp->rule_p2_minlife_soft_secs); 2334 2335 print_defaults("-", gettext("minimum phase 2 idle lifetime"), 2336 gettext("seconds"), ddp->rule_p2_minlife_idle_secs, 2337 dp->rule_p2_minlife_idle_secs); 2338 2339 print_defaults("-", gettext("minimum phase 2 hard lifetime"), 2340 gettext("kilobytes"), ddp->rule_p2_minlife_hard_kb, 2341 dp->rule_p2_minlife_hard_kb); 2342 2343 print_defaults("-", gettext("minimum phase 2 soft lifetime"), 2344 gettext("kilobytes"), ddp->rule_p2_minlife_soft_kb, 2345 dp->rule_p2_minlife_soft_kb); 2346 2347 print_defaults("-", gettext("minimum phase 2 delta"), 2348 gettext("seconds"), ddp->rule_p2_mindiff_secs, 2349 dp->rule_p2_mindiff_secs); 2350 2351 print_defaults("-", gettext("minimum phase 2 delta"), 2352 gettext("kilobytes"), ddp->rule_p2_mindiff_kb, 2353 dp->rule_p2_mindiff_kb); 2354 2355 print_defaults("-", gettext("maximum phase 2 lifetime"), 2356 gettext("seconds"), ddp->rule_p2_maxlife_secs, 2357 dp->rule_p2_maxlife_secs); 2358 2359 print_defaults("-", gettext("conversion factor"), 2360 gettext("kbytes/s"), ddp->conversion_factor, 2361 dp->conversion_factor); 2362 2363 print_defaults("-", gettext("maximum phase 2 lifetime"), 2364 gettext("kilobytes"), ddp->rule_p2_maxlife_kb, 2365 dp->rule_p2_maxlife_kb); 2366 2367 /* other values */ 2368 print_defaults("p2_nonce_len", gettext("phase 2 nonce length"), 2369 gettext("bytes"), ddp->rule_p2_nonce_len, 2370 dp->rule_p2_nonce_len); 2371 2372 print_defaults("p2_pfs", gettext("phase 2 PFS"), 2373 " ", ddp->rule_p2_pfs, dp->rule_p2_pfs); 2374 2375 print_defaults("max_certs", gettext("max certificates"), 2376 " ", ddp->rule_max_certs, dp->rule_max_certs); 2377 2378 print_defaults("-", gettext("IKE port number"), 2379 " ", ddp->rule_ike_port, dp->rule_ike_port); 2380 2381 print_defaults("-", gettext("NAT-T port number"), 2382 " ", ddp->rule_natt_port, dp->rule_natt_port); 2383 } 2384 2385 static void 2386 print_categories(int level) 2387 { 2388 int mask; 2389 2390 if (level == 0) { 2391 (void) printf(gettext("No debug categories enabled.\n")); 2392 return; 2393 } 2394 2395 (void) printf(gettext("Debug categories enabled:")); 2396 for (mask = 1; mask <= D_HIGHBIT; mask <<= 1) { 2397 if (level & mask) 2398 (void) printf("\n\t%s", dbgstr(mask)); 2399 } 2400 (void) printf("\n"); 2401 } 2402 2403 /*PRINTFLIKE2*/ 2404 static void 2405 ikeadm_err_exit(ike_err_t *err, char *fmt, ...) 2406 { 2407 va_list ap; 2408 char bailbuf[BUFSIZ]; 2409 2410 va_start(ap, fmt); 2411 (void) vsnprintf(bailbuf, BUFSIZ, fmt, ap); 2412 va_end(ap); 2413 if ((err != NULL) && (err->ike_err == IKE_ERR_SYS_ERR)) { 2414 bail_msg("%s: %s", bailbuf, (err->ike_err_unix == 0) ? 2415 gettext("<unknown error>") : strerror(err->ike_err_unix)); 2416 } else { 2417 bail_msg("%s: %s", bailbuf, (err == NULL) ? 2418 gettext("<unknown error>") : errstr(err->ike_err)); 2419 } 2420 } 2421 2422 /*PRINTFLIKE2*/ 2423 static void 2424 ikeadm_err_msg(ike_err_t *err, char *fmt, ...) 2425 { 2426 va_list ap; 2427 char mbuf[BUFSIZ]; 2428 2429 va_start(ap, fmt); 2430 (void) vsnprintf(mbuf, BUFSIZ, fmt, ap); 2431 va_end(ap); 2432 if ((err != NULL) && (err->ike_err == IKE_ERR_SYS_ERR)) { 2433 message("%s: %s", mbuf, (err->ike_err_unix == 0) ? 2434 gettext("<unknown error>") : 2435 ((err->ike_err_unix == EEXIST) ? 2436 gettext("Duplicate entry") : 2437 strerror(err->ike_err_unix))); 2438 } else { 2439 message("%s: %s", mbuf, (err == NULL) ? 2440 gettext("<unknown error>") : errstr(err->ike_err)); 2441 } 2442 } 2443 2444 2445 /* 2446 * Command functions 2447 */ 2448 2449 /* 2450 * Exploit the fact that ike_dbg_t and ike_priv_t have identical 2451 * formats in the following two functions. 2452 */ 2453 static void 2454 do_getvar(int cmd) 2455 { 2456 ike_service_t req, *rtn; 2457 ike_dbg_t *dreq; 2458 char *varname; 2459 2460 switch (cmd) { 2461 case IKE_SVC_GET_DBG: 2462 varname = gettext("debug"); 2463 break; 2464 case IKE_SVC_GET_PRIV: 2465 varname = gettext("privilege"); 2466 break; 2467 default: 2468 bail_msg(gettext("unrecognized get command (%d)"), cmd); 2469 } 2470 2471 dreq = &req.svc_dbg; 2472 dreq->cmd = cmd; 2473 dreq->dbg_level = 0; 2474 2475 rtn = ikedoor_call((char *)&req, sizeof (ike_dbg_t), NULL, 0); 2476 2477 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 2478 ikeadm_err_exit(&rtn->svc_err, 2479 gettext("error getting %s level"), varname); 2480 } 2481 dreq = &rtn->svc_dbg; 2482 (void) printf(gettext("Current %s level is 0x%x"), 2483 varname, dreq->dbg_level); 2484 2485 if (cmd == IKE_SVC_GET_DBG) { 2486 (void) printf("\n"); 2487 print_categories(dreq->dbg_level); 2488 } else { 2489 (void) printf(gettext(", %s enabled\n"), 2490 privstr(dreq->dbg_level)); 2491 } 2492 } 2493 2494 /* 2495 * Log into a token and unlock all objects 2496 * referenced by PKCS#11 hint files. 2497 */ 2498 static void 2499 do_setdel_pin(int cmd, int argc, char **argv) 2500 { 2501 ike_service_t req, *rtn; 2502 ike_pin_t *preq; 2503 char token_label[PKCS11_TOKSIZE]; 2504 char *token_pin; 2505 char prompt[80]; 2506 2507 if (argc < 1) 2508 Bail(gettext("Must specify PKCS#11 token object.")); 2509 2510 preq = &req.svc_pin; 2511 preq->cmd = cmd; 2512 2513 switch (cmd) { 2514 case IKE_SVC_SET_PIN: 2515 if (parse_token(argc, argv, token_label) != 0) 2516 Bail("Invalid syntax for \"token login\""); 2517 (void) snprintf(prompt, sizeof (prompt), 2518 "Enter PIN for PKCS#11 token \'%s\': ", token_label); 2519 token_pin = 2520 getpassphrase(prompt); 2521 (void) strlcpy((char *)preq->token_pin, token_pin, MAX_PIN_LEN); 2522 bzero(token_pin, strlen(token_pin)); 2523 break; 2524 case IKE_SVC_DEL_PIN: 2525 if (parse_token(argc, argv, token_label) != 0) 2526 Bail("Invalid syntax for \"token logout\""); 2527 break; 2528 default: 2529 bail_msg(gettext("unrecognized token command (%d)"), cmd); 2530 } 2531 2532 (void) strlcpy(preq->pkcs11_token, token_label, PKCS11_TOKSIZE); 2533 2534 rtn = ikedoor_call((char *)&req, sizeof (ike_pin_t), NULL, 0); 2535 if (cmd == IKE_SVC_SET_PIN) 2536 bzero(preq->token_pin, sizeof (preq->token_pin)); 2537 2538 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 2539 ikeadm_err_exit(&rtn->svc_err, 2540 gettext("PKCS#11 operation")); 2541 } 2542 preq = &rtn->svc_pin; 2543 message(gettext("PKCS#11 operation successful")); 2544 } 2545 2546 static void 2547 do_setvar(int cmd, int argc, char **argv) 2548 { 2549 ike_service_t req, *rtn; 2550 ike_dbg_t *dreq; 2551 door_desc_t *descp = NULL, desc; 2552 int fd, ndesc = 0; 2553 uint32_t reqlevel; 2554 char *varname; 2555 2556 if (argc < 1) 2557 Bail("unspecified level"); 2558 reqlevel = strtoul(argv[0], NULL, 0); 2559 2560 switch (cmd) { 2561 case IKE_SVC_SET_DBG: 2562 if (argc > 2) 2563 Bail("Too many arguments to \"set debug\""); 2564 varname = gettext("debug"); 2565 if (reqlevel == 0) { 2566 /* check for a string... */ 2567 reqlevel = parsedbgopts(argv[0]); 2568 } 2569 if (reqlevel == D_INVALID) 2570 bail_msg(gettext("Bad debug flag: %s"), argv[0]); 2571 break; 2572 case IKE_SVC_SET_PRIV: 2573 if (argc > 1) 2574 Bail("Too many arguments to \"set priv\""); 2575 2576 varname = gettext("privilege"); 2577 if (reqlevel == 0) { 2578 /* check for a string... */ 2579 reqlevel = privstr2num(argv[0]); 2580 } 2581 if (reqlevel > IKE_PRIV_MAXIMUM) 2582 bail_msg(gettext("Bad privilege flag: %s"), argv[0]); 2583 break; 2584 default: 2585 bail_msg(gettext("unrecognized set command (%d)"), cmd); 2586 } 2587 2588 dreq = &req.svc_dbg; 2589 dreq->cmd = cmd; 2590 dreq->dbg_level = reqlevel; 2591 2592 if ((argc == 2) && (cmd == IKE_SVC_SET_DBG)) { 2593 fd = open(argv[1], O_RDWR | O_CREAT | O_APPEND, 2594 S_IRUSR | S_IWUSR); 2595 if (fd < 0) 2596 Bail("open debug file"); 2597 desc.d_data.d_desc.d_descriptor = fd; 2598 desc.d_attributes = DOOR_DESCRIPTOR; 2599 descp = &desc; 2600 ndesc = 1; 2601 } 2602 2603 rtn = ikedoor_call((char *)&req, sizeof (ike_dbg_t), descp, ndesc); 2604 2605 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 2606 ikeadm_err_exit(&rtn->svc_err, 2607 gettext("error setting %s level"), varname); 2608 } 2609 dreq = &rtn->svc_dbg; 2610 (void) printf( 2611 gettext("Successfully changed %s level from 0x%x to 0x%x\n"), 2612 varname, dreq->dbg_level, reqlevel); 2613 2614 if (cmd == IKE_SVC_SET_DBG) { 2615 print_categories(reqlevel); 2616 } else { 2617 (void) printf(gettext("New privilege level 0x%x enables %s\n"), 2618 reqlevel, privstr(reqlevel)); 2619 } 2620 } 2621 2622 static void 2623 do_getstats(int cmd) 2624 { 2625 ike_service_t *rtn; 2626 ike_statreq_t sreq, *sreqp; 2627 ike_stats_t *sp; 2628 2629 sreq.cmd = cmd; 2630 2631 rtn = ikedoor_call((char *)&sreq, sizeof (ike_statreq_t), NULL, 0); 2632 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 2633 ikeadm_err_exit(&rtn->svc_err, gettext("error getting stats")); 2634 } 2635 2636 sreqp = &rtn->svc_stats; 2637 sp = (ike_stats_t *)(sreqp + 1); 2638 print_stats(sp, sreqp->stat_len); 2639 } 2640 2641 static void 2642 do_getdefs(int cmd) 2643 { 2644 ike_service_t *rtn; 2645 ike_defreq_t dreq, *dreqp; 2646 ike_defaults_t *dp; 2647 2648 dreq.cmd = cmd; 2649 2650 rtn = ikedoor_call((char *)&dreq, sizeof (ike_defreq_t), NULL, 0); 2651 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 2652 ikeadm_err_exit(&rtn->svc_err, 2653 gettext("error getting defaults")); 2654 } 2655 2656 dreqp = &rtn->svc_defaults; 2657 dp = (ike_defaults_t *)(dreqp + 1); 2658 2659 /* 2660 * Before printing each line, make sure the structure we were 2661 * given is big enough to include the fields needed. 2662 * Silently bail out of there is a version mismatch. 2663 */ 2664 if (dreqp->stat_len < ((2 * sizeof (ike_defaults_t)) 2665 + sizeof (ike_defreq_t)) || dreqp->version != DOORVER) { 2666 return; 2667 } 2668 do_print_defaults(dp); 2669 } 2670 2671 static void 2672 do_dump(int cmd) 2673 { 2674 char *name; 2675 ike_service_t req, *rtn; 2676 ike_dump_t *dreq, *dump; 2677 2678 switch (cmd) { 2679 case IKE_SVC_DUMP_P1S: 2680 name = gettext("phase 1 SA info"); 2681 break; 2682 case IKE_SVC_DUMP_RULES: 2683 name = gettext("policy rules"); 2684 break; 2685 case IKE_SVC_DUMP_PS: 2686 name = gettext("preshared keys"); 2687 break; 2688 case IKE_SVC_DUMP_CERTCACHE: 2689 name = gettext("certcache"); 2690 break; 2691 case IKE_SVC_DUMP_GROUPS: 2692 name = gettext("groups"); 2693 print_group_header(); 2694 break; 2695 case IKE_SVC_DUMP_ENCRALGS: 2696 name = gettext("encralgs"); 2697 print_encralg_header(); 2698 break; 2699 case IKE_SVC_DUMP_AUTHALGS: 2700 name = gettext("authalgs"); 2701 print_authalg_header(); 2702 break; 2703 default: 2704 bail_msg(gettext("unrecognized dump command (%d)"), cmd); 2705 } 2706 2707 dreq = &req.svc_dump; 2708 dreq->cmd = cmd; 2709 dreq->dump_len = 0; 2710 dreq->dump_next = 0; 2711 do { 2712 rtn = ikedoor_call((char *)&req, sizeof (ike_dump_t), 2713 NULL, 0); 2714 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 2715 if (rtn && (rtn->svc_err.ike_err == IKE_ERR_NO_OBJ)) { 2716 /* no entries to print */ 2717 break; 2718 } 2719 ikeadm_err_exit(&rtn->svc_err, 2720 gettext("error getting %s"), name); 2721 } 2722 dump = &rtn->svc_dump; 2723 2724 switch (cmd) { 2725 case IKE_SVC_DUMP_P1S: 2726 print_p1((ike_p1_sa_t *)(dump + 1)); 2727 break; 2728 case IKE_SVC_DUMP_RULES: 2729 print_rule((ike_rule_t *)(dump + 1)); 2730 break; 2731 case IKE_SVC_DUMP_PS: 2732 print_ps((ike_ps_t *)(dump + 1)); 2733 break; 2734 case IKE_SVC_DUMP_CERTCACHE: 2735 print_certcache((ike_certcache_t *)(dump + 1)); 2736 break; 2737 case IKE_SVC_DUMP_GROUPS: 2738 print_group((ike_group_t *)(dump + 1)); 2739 break; 2740 case IKE_SVC_DUMP_ENCRALGS: 2741 print_encralg((ike_encralg_t *)(dump + 1)); 2742 break; 2743 case IKE_SVC_DUMP_AUTHALGS: 2744 print_authalg((ike_authalg_t *)(dump + 1)); 2745 break; 2746 } 2747 2748 dreq->dump_next = dump->dump_next; 2749 2750 (void) munmap((char *)rtn, dump->dump_len); 2751 2752 } while (dreq->dump_next); 2753 2754 (void) printf(gettext("\nCompleted dump of %s\n"), name); 2755 } 2756 2757 static void 2758 do_getdel_doorcall(int cmd, int idlen, int idtype, char *idp, char *name) 2759 { 2760 int totallen; 2761 char *p; 2762 ike_service_t *reqp, *rtnp; 2763 ike_get_t *getp; 2764 boolean_t getcmd; 2765 2766 getcmd = ((cmd == IKE_SVC_GET_P1) || (cmd == IKE_SVC_GET_RULE) || 2767 (cmd == IKE_SVC_GET_PS)); 2768 2769 /* 2770 * WARNING: to avoid being redundant, this code takes advantage 2771 * of the fact that the ike_get_t and ike_del_t structures are 2772 * identical (only the field names differ, their function and 2773 * size are the same). If for some reason those structures 2774 * change, this code will need to be re-written to accomodate 2775 * that difference. 2776 */ 2777 totallen = sizeof (ike_get_t) + idlen; 2778 if ((reqp = (ike_service_t *)malloc(totallen)) == NULL) 2779 Bail("malloc(id)"); 2780 2781 getp = &reqp->svc_get; 2782 getp->cmd = cmd; 2783 getp->get_len = totallen; 2784 getp->get_idtype = idtype; 2785 p = (char *)(getp + 1); 2786 2787 (void) memcpy(p, idp, idlen); 2788 2789 rtnp = ikedoor_call((char *)reqp, totallen, NULL, 0); 2790 if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) { 2791 if (rtnp && (rtnp->svc_err.ike_err == IKE_ERR_NO_OBJ)) { 2792 message(gettext("Could not find requested %s."), name); 2793 } else { 2794 ikeadm_err_msg(&rtnp->svc_err, gettext("error %s %s"), 2795 (getcmd) ? gettext("getting") : gettext("deleting"), 2796 name); 2797 } 2798 free(reqp); 2799 return; 2800 } 2801 getp = &rtnp->svc_get; 2802 2803 if (getcmd) { 2804 switch (cmd) { 2805 case IKE_SVC_GET_P1: 2806 print_p1((ike_p1_sa_t *)(getp + 1)); 2807 break; 2808 case IKE_SVC_GET_PS: 2809 print_ps((ike_ps_t *)(getp + 1)); 2810 break; 2811 case IKE_SVC_GET_RULE: 2812 print_rule((ike_rule_t *)(getp + 1)); 2813 break; 2814 } 2815 } else { 2816 message(gettext("Successfully deleted selected %s."), name); 2817 } 2818 2819 (void) munmap((char *)rtnp, getp->get_len); 2820 free(reqp); 2821 } 2822 2823 static void 2824 do_getdel(int cmd, int argc, char **argv) 2825 { 2826 int idlen, idtype = 0, i, j; 2827 int bytelen1, bytelen2; 2828 char *name, *idp, *p, *p1, *p2; 2829 ike_addr_pr_t apr; 2830 ike_cky_pr_t cpr; 2831 sadb_ident_t *sid1p, *sid2p; 2832 struct hostent *he1p, *he2p; 2833 char label[MAX_LABEL_LEN]; 2834 2835 if ((argc < 1) || (argv[0] == NULL)) { 2836 Bail("not enough identification info"); 2837 } 2838 2839 switch (cmd) { 2840 case IKE_SVC_GET_P1: 2841 case IKE_SVC_DEL_P1: 2842 name = gettext("phase 1 SA"); 2843 /* 2844 * The first token must either be an address (or hostname) 2845 * or a cookie. We require cookies to be entered as hex 2846 * numbers, beginning with 0x; so if our token starts with 2847 * that, it's a cookie. 2848 */ 2849 if (strncmp(argv[0], "0x", 2) == 0) { 2850 if (parse_cky_pr(argc, argv, &cpr) >= 0) { 2851 idtype = IKE_ID_CKY_PAIR; 2852 idlen = sizeof (ike_cky_pr_t); 2853 idp = (char *)&cpr; 2854 } 2855 } else { 2856 if (parse_addr_pr(argc, argv, &he1p, &he2p) >= 0) { 2857 idtype = IKE_ID_ADDR_PAIR; 2858 idlen = sizeof (ike_addr_pr_t); 2859 } 2860 } 2861 break; 2862 2863 case IKE_SVC_GET_RULE: 2864 case IKE_SVC_DEL_RULE: 2865 name = gettext("policy rule"); 2866 if (parse_label(argc, argv, label) >= 0) { 2867 idtype = IKE_ID_LABEL; 2868 idlen = MAX_LABEL_LEN; 2869 idp = label; 2870 } 2871 break; 2872 2873 case IKE_SVC_GET_PS: 2874 case IKE_SVC_DEL_PS: 2875 name = gettext("preshared key"); 2876 /* 2877 * The first token must either be an address or an ident 2878 * type. Check for an ident type to determine which it is. 2879 */ 2880 if (parse_idtype(argv[0], NULL) >= 0) { 2881 if (parse_ident_pr(argc, argv, &sid1p, &sid2p) >= 0) { 2882 idtype = IKE_ID_IDENT_PAIR; 2883 idlen = SADB_64TO8(sid1p->sadb_ident_len) + 2884 SADB_64TO8(sid2p->sadb_ident_len); 2885 } 2886 } else { 2887 if (parse_addr_pr(argc, argv, &he1p, &he2p) >= 0) { 2888 idtype = IKE_ID_ADDR_PAIR; 2889 idlen = sizeof (ike_addr_pr_t); 2890 } 2891 } 2892 break; 2893 2894 default: 2895 bail_msg(gettext("unrecognized get/del command (%d)"), cmd); 2896 } 2897 2898 switch (idtype) { 2899 case IKE_ID_ADDR_PAIR: 2900 /* 2901 * we might have exploding addrs here; do every possible 2902 * combination. 2903 */ 2904 i = 0; 2905 j = 0; 2906 while ((p1 = he1p->h_addr_list[i++]) != NULL) { 2907 headdr2sa(p1, &apr.loc_addr, he1p->h_length); 2908 2909 while ((p2 = he2p->h_addr_list[j++]) != NULL) { 2910 headdr2sa(p2, &apr.rem_addr, he2p->h_length); 2911 do_getdel_doorcall(cmd, idlen, idtype, 2912 (char *)&apr, name); 2913 } 2914 } 2915 FREE_HE(he1p); 2916 FREE_HE(he2p); 2917 break; 2918 2919 case IKE_ID_IDENT_PAIR: 2920 bytelen1 = SADB_64TO8(sid1p->sadb_ident_len); 2921 bytelen2 = SADB_64TO8(sid2p->sadb_ident_len); 2922 if (idlen != bytelen1 + bytelen2) 2923 Bail("ident syntax error"); 2924 idp = p = (char *)malloc(idlen); 2925 if (p == NULL) 2926 Bail("malloc(id)"); 2927 (void) memcpy(p, (char *)sid1p, bytelen1); 2928 p += bytelen1; 2929 (void) memcpy(p, (char *)sid2p, bytelen2); 2930 do_getdel_doorcall(cmd, idlen, idtype, idp, name); 2931 free(idp); 2932 free(sid1p); 2933 free(sid2p); 2934 break; 2935 2936 case IKE_ID_CKY_PAIR: 2937 case IKE_ID_LABEL: 2938 do_getdel_doorcall(cmd, idlen, idtype, idp, name); 2939 break; 2940 2941 case 0: 2942 default: 2943 bail_msg(gettext("invalid %s identification\n"), name); 2944 } 2945 } 2946 2947 /* 2948 * Copy source into target, inserting an escape character ('\') before 2949 * any quotes that appear. Return true on success, false on failure. 2950 */ 2951 static boolean_t 2952 escapequotes(char *target, char *source, int tlen) 2953 { 2954 int s, t, len = strlen(source) + 1; 2955 2956 if (tlen < len) 2957 return (B_FALSE); 2958 2959 for (s = 0, t = 0; s < len && t < tlen; s++) { 2960 if (source[s] == '\"') 2961 target[t++] = '\\'; 2962 target[t++] = source[s]; 2963 } 2964 2965 if ((t == tlen) && (s < len)) 2966 return (B_FALSE); 2967 2968 return (B_TRUE); 2969 } 2970 2971 /* 2972 * Return true if the arg following the given keyword should 2973 * be in quotes (i.e. is a string), false if not. 2974 */ 2975 static boolean_t 2976 quotedfield(char *keywd) 2977 { 2978 if ((strncmp(keywd, "label", strlen("label") + 1) == 0) || 2979 (strncmp(keywd, "local_id", strlen("local_id") + 1) == 0) || 2980 (strncmp(keywd, "remote_id", strlen("remote_id") + 1) == 0)) 2981 return (B_TRUE); 2982 2983 return (B_FALSE); 2984 } 2985 2986 static void 2987 do_new(int cmd, int argc, char **argv) 2988 { 2989 ike_service_t *rtn; 2990 ike_new_t new, *newp = NULL; 2991 door_desc_t desc, *descp = NULL; 2992 int i, fd, ndesc = 0, buflen; 2993 char *name, tmpfilepath[32]; 2994 FILE *tmpfile; 2995 2996 switch (cmd) { 2997 case IKE_SVC_NEW_PS: 2998 name = gettext("preshared key"); 2999 break; 3000 case IKE_SVC_NEW_RULE: 3001 name = gettext("policy rule"); 3002 break; 3003 default: 3004 bail_msg(gettext("unrecognized new command (%d)"), cmd); 3005 } 3006 3007 if (argc == 1) { 3008 /* We've been given a file to read from */ 3009 fd = open(argv[0], O_RDONLY); 3010 if (fd < 0) 3011 Bail("open source file"); 3012 3013 desc.d_data.d_desc.d_descriptor = fd; 3014 desc.d_attributes = DOOR_DESCRIPTOR | DOOR_RELEASE; 3015 descp = &desc; 3016 ndesc = 1; 3017 3018 new.cmd = cmd; 3019 new.new_len = 0; 3020 newp = &new; 3021 buflen = sizeof (ike_new_t); 3022 3023 } else if ((argc > 1) && (cmd == IKE_SVC_NEW_PS)) { 3024 /* 3025 * This is an alternative to using the tmpfile method 3026 * for preshared keys. It means we're duplicating the 3027 * parsing effort that happens in readps.c; but it 3028 * does avoid having the key sitting in a file. 3029 */ 3030 ike_ps_t *psp; 3031 int pslen; 3032 3033 /* 3034 * must be in interactive mode; don't want keys in 3035 * the process args. 3036 */ 3037 if (!interactive) 3038 Bail("Must be in interactive mode to add key info."); 3039 if (parse_ps(argc, argv, &psp, &pslen) < 0) { 3040 errno = 0; 3041 Bail("invalid preshared key definition"); 3042 } 3043 newp = malloc(sizeof (ike_new_t) + pslen); 3044 if (newp == NULL) 3045 Bail("alloc pskey"); 3046 newp->cmd = cmd; 3047 newp->new_len = sizeof (ike_new_t) + pslen; 3048 (void) memcpy((char *)(newp + 1), psp, pslen); 3049 buflen = newp->new_len; 3050 /* parse_ps allocated the ike_ps_t buffer; free it now */ 3051 free(psp); 3052 3053 } else if ((argc > 1) && (cmd == IKE_SVC_NEW_RULE)) { 3054 /* 3055 * We've been given the item in argv. However, parsing 3056 * rules can get more than a little messy, and in.iked 3057 * already has a great parser for this stuff! So don't 3058 * fool around with trying to do the parsing here. Just 3059 * write it out to a tempfile, and send the fd to in.iked. 3060 * 3061 * We could conceivably do this for preshared keys, 3062 * rather than duplicating the parsing effort; but that 3063 * would mean the key would be written out to a file, 3064 * which isn't such a good idea. 3065 */ 3066 boolean_t doquotes = B_FALSE; 3067 int rtn; 3068 3069 if ((argv[0][0] != '{') || 3070 (argv[argc - 1][strlen(argv[argc - 1]) - 1] != '}')) 3071 bail_msg(gettext("improperly formatted %s"), name); 3072 3073 /* attempt to use a fairly unpredictable file name... */ 3074 (void) sprintf(tmpfilepath, "/var/run/%x", (int)gethrtime()); 3075 fd = open(tmpfilepath, O_RDWR | O_CREAT | O_EXCL, 3076 S_IRUSR | S_IWUSR); 3077 if (fd < 0) 3078 Bail("cannot open tmpfile"); 3079 3080 /* and make it inaccessible asap */ 3081 if (unlink(tmpfilepath) < 0) { 3082 (void) close(fd); 3083 Bail("tmpfile error"); 3084 } 3085 3086 tmpfile = fdopen(fd, "w"); 3087 if (tmpfile == NULL) { 3088 (void) close(fd); 3089 Bail("cannot write to tmpfile"); 3090 } 3091 3092 for (i = 0; i < argc; i++) { 3093 /* 3094 * We have to do some gyrations with our string here, 3095 * to properly handle quotes. There are two issues: 3096 * - some of the fields of a rule may have embedded 3097 * whitespace, and thus must be quoted on the cmd 3098 * line. The shell removes the quotes, and gives 3099 * us a single argv string; but we need to put the 3100 * quotes back in when we write the string out to 3101 * file. The doquotes boolean is set when we 3102 * process a keyword which will be followed by a 3103 * string value (so the NEXT argv element will be 3104 * quoted). 3105 * - there might be a quote character in a field, 3106 * that was escaped on the cmdline. The shell 3107 * removes the escape char, and leaves the quote 3108 * in the string it gives us. We need to put the 3109 * escape char back in before writing to file. 3110 */ 3111 char field[MAXLINESIZE]; 3112 if (!escapequotes(field, argv[i], MAXLINESIZE)) 3113 Bail("write to tmpfile failed (arg too big)"); 3114 if (doquotes) { 3115 rtn = fprintf(tmpfile, "\"%s\"\n", field); 3116 doquotes = B_FALSE; 3117 } else { 3118 rtn = fprintf(tmpfile, "%s\n", field); 3119 } 3120 if (rtn < 0) 3121 Bail("write to tmpfile failed"); 3122 /* 3123 * check if this is a keyword identifying 3124 * a field that needs to be quoted. 3125 */ 3126 doquotes = quotedfield(argv[i]); 3127 } 3128 if (fflush(tmpfile) == EOF) 3129 Bail("write to tmpfile failed"); 3130 /* rewind so that the daemon will get the beginning */ 3131 rewind(tmpfile); 3132 3133 desc.d_data.d_desc.d_descriptor = fd; 3134 desc.d_attributes = DOOR_DESCRIPTOR | DOOR_RELEASE; 3135 descp = &desc; 3136 ndesc = 1; 3137 3138 new.cmd = cmd; 3139 new.new_len = 0; 3140 newp = &new; 3141 buflen = sizeof (ike_new_t); 3142 3143 } else { 3144 /* not enough information! */ 3145 bail_msg(gettext("missing %s description or file name"), name); 3146 } 3147 3148 rtn = ikedoor_call((char *)newp, buflen, descp, ndesc); 3149 3150 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 3151 ikeadm_err_msg(&rtn->svc_err, 3152 gettext("error creating new %s"), name); 3153 } else { 3154 message(gettext("Successfully created new %s."), name); 3155 } 3156 } 3157 3158 static void 3159 do_flush(int cmd) 3160 { 3161 ike_service_t *rtnp; 3162 ike_flush_t flush; 3163 3164 if (cmd != IKE_SVC_FLUSH_P1S && cmd != IKE_SVC_FLUSH_CERTCACHE) { 3165 bail_msg(gettext("unrecognized flush command (%d)."), cmd); 3166 } 3167 3168 flush.cmd = cmd; 3169 3170 rtnp = ikedoor_call((char *)&flush, sizeof (ike_flush_t), NULL, 0); 3171 if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) { 3172 ikeadm_err_exit(&rtnp->svc_err, gettext("error doing flush")); 3173 } 3174 if (cmd == IKE_SVC_FLUSH_P1S) 3175 message(gettext("Successfully flushed P1 SAs.")); 3176 else 3177 message(gettext("Successfully flushed cert cache.")); 3178 } 3179 3180 static void 3181 do_rw(int cmd, int argc, char **argv) 3182 { 3183 ike_service_t *rtnp; 3184 ike_rw_t rw; 3185 door_desc_t desc, *descp = NULL; 3186 int oflag, omode, fd, ndesc = 0; 3187 char *op, *obj = NULL; 3188 boolean_t writing = B_FALSE; 3189 3190 switch (cmd) { 3191 case IKE_SVC_READ_PS: 3192 obj = gettext("preshared key"); 3193 /* FALLTHRU */ 3194 case IKE_SVC_READ_RULES: 3195 if (obj == NULL) 3196 obj = gettext("policy rule"); 3197 op = gettext("read"); 3198 oflag = O_RDONLY; 3199 omode = 0; 3200 break; 3201 3202 case IKE_SVC_WRITE_PS: 3203 obj = gettext("preshared key"); 3204 /* FALLTHRU */ 3205 case IKE_SVC_WRITE_RULES: 3206 if (obj == NULL) 3207 obj = gettext("policy rule"); 3208 op = gettext("write"); 3209 oflag = O_RDWR | O_CREAT | O_EXCL; 3210 omode = S_IRUSR | S_IWUSR; 3211 3212 /* for write commands, dest location must be specified */ 3213 if (argc < 1) { 3214 bail_msg(gettext("destination location required " 3215 "to write %ss"), obj); 3216 } 3217 writing = B_TRUE; 3218 break; 3219 3220 default: 3221 bail_msg(gettext("unrecognized read/write command (%d)."), cmd); 3222 } 3223 3224 rw.cmd = cmd; 3225 3226 if (argc >= 1) { 3227 rw.rw_loc = IKE_RW_LOC_USER_SPEC; 3228 fd = open(argv[0], oflag, omode); 3229 if (fd < 0) 3230 Bail("open user-specified file"); 3231 3232 desc.d_data.d_desc.d_descriptor = fd; 3233 desc.d_attributes = DOOR_DESCRIPTOR | DOOR_RELEASE; 3234 descp = &desc; 3235 ndesc = 1; 3236 } else { 3237 rw.rw_loc = IKE_RW_LOC_DEFAULT; 3238 } 3239 3240 rtnp = ikedoor_call((char *)&rw, sizeof (ike_rw_t), descp, ndesc); 3241 if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) { 3242 /* 3243 * Need to remove the target file in the 3244 * case of a failed write command. 3245 */ 3246 if (writing) { 3247 /* 3248 * argv[0] must be valid if we're writing; we 3249 * exit before setting this boolean if not. 3250 */ 3251 (void) unlink(argv[0]); 3252 (void) close(fd); 3253 3254 if ((rtnp != NULL) && 3255 (rtnp->svc_err.ike_err == IKE_ERR_NO_OBJ)) { 3256 message(gettext("No %s information to write."), 3257 obj); 3258 return; 3259 } 3260 } 3261 ikeadm_err_exit(&rtnp->svc_err, gettext("error doing %s"), op); 3262 } 3263 message(gettext("Completed %s of %s configuration information."), 3264 op, obj); 3265 } 3266 3267 static void 3268 do_rbdump() 3269 { 3270 ike_cmd_t req; 3271 ike_service_t *rtnp; 3272 3273 req.cmd = IKE_SVC_DBG_RBDUMP; 3274 3275 rtnp = ikedoor_call((char *)&req, sizeof (ike_cmd_t), NULL, 0); 3276 if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) { 3277 ikeadm_err_exit(&rtnp->svc_err, gettext("error doing flush")); 3278 } 3279 message(gettext("Successfully dumped rulebase; check iked dbg")); 3280 } 3281 3282 #define REQ_ARG_CNT 1 3283 3284 /*ARGSUSED*/ 3285 static void 3286 parseit(int argc, char **argv, char *notused, boolean_t notused_either) 3287 { 3288 int cmd, cmd_obj_args = 1; 3289 char *cmdstr, *objstr; 3290 3291 if (interactive) { 3292 if (argc == 0) 3293 return; 3294 } 3295 3296 if (argc < REQ_ARG_CNT) { 3297 usage(); 3298 } 3299 3300 cmdstr = argv[0]; 3301 if (argc > REQ_ARG_CNT) { 3302 cmd_obj_args++; 3303 objstr = argv[1]; 3304 } else { 3305 objstr = NULL; 3306 } 3307 cmd = parsecmd(cmdstr, objstr); 3308 3309 /* skip over args specifying command/object */ 3310 argc -= cmd_obj_args; 3311 argv += cmd_obj_args; 3312 3313 switch (cmd) { 3314 case IKE_SVC_GET_DEFS: 3315 if (argc != 0) { 3316 print_get_help(); 3317 break; 3318 } 3319 do_getdefs(cmd); 3320 break; 3321 case IKE_SVC_GET_DBG: 3322 case IKE_SVC_GET_PRIV: 3323 if (argc != 0) { 3324 print_get_help(); 3325 break; 3326 } 3327 do_getvar(cmd); 3328 break; 3329 case IKE_SVC_GET_STATS: 3330 if (argc != 0) { 3331 print_get_help(); 3332 break; 3333 } 3334 do_getstats(cmd); 3335 break; 3336 case IKE_SVC_SET_DBG: 3337 case IKE_SVC_SET_PRIV: 3338 do_setvar(cmd, argc, argv); 3339 break; 3340 case IKE_SVC_SET_PIN: 3341 case IKE_SVC_DEL_PIN: 3342 do_setdel_pin(cmd, argc, argv); 3343 break; 3344 case IKE_SVC_DUMP_P1S: 3345 case IKE_SVC_DUMP_RULES: 3346 case IKE_SVC_DUMP_GROUPS: 3347 case IKE_SVC_DUMP_ENCRALGS: 3348 case IKE_SVC_DUMP_AUTHALGS: 3349 case IKE_SVC_DUMP_PS: 3350 case IKE_SVC_DUMP_CERTCACHE: 3351 if (argc != NULL) { 3352 print_dump_help(); 3353 break; 3354 } 3355 do_dump(cmd); 3356 break; 3357 case IKE_SVC_GET_P1: 3358 case IKE_SVC_GET_RULE: 3359 case IKE_SVC_GET_PS: 3360 case IKE_SVC_DEL_P1: 3361 case IKE_SVC_DEL_RULE: 3362 case IKE_SVC_DEL_PS: 3363 do_getdel(cmd, argc, argv); 3364 break; 3365 case IKE_SVC_NEW_RULE: 3366 case IKE_SVC_NEW_PS: 3367 do_new(cmd, argc, argv); 3368 break; 3369 case IKE_SVC_FLUSH_P1S: 3370 case IKE_SVC_FLUSH_CERTCACHE: 3371 if (argc != 0) { 3372 print_flush_help(); 3373 break; 3374 } 3375 do_flush(cmd); 3376 break; 3377 case IKE_SVC_READ_RULES: 3378 case IKE_SVC_READ_PS: 3379 case IKE_SVC_WRITE_RULES: 3380 case IKE_SVC_WRITE_PS: 3381 do_rw(cmd, argc, argv); 3382 break; 3383 case IKEADM_HELP_GENERAL: 3384 print_help(); 3385 break; 3386 case IKEADM_HELP_GET: 3387 print_get_help(); 3388 break; 3389 case IKEADM_HELP_SET: 3390 print_set_help(); 3391 break; 3392 case IKEADM_HELP_ADD: 3393 print_add_help(); 3394 break; 3395 case IKEADM_HELP_DEL: 3396 print_del_help(); 3397 break; 3398 case IKEADM_HELP_DUMP: 3399 print_dump_help(); 3400 break; 3401 case IKEADM_HELP_FLUSH: 3402 print_flush_help(); 3403 break; 3404 case IKEADM_HELP_READ: 3405 print_read_help(); 3406 break; 3407 case IKEADM_HELP_WRITE: 3408 print_write_help(); 3409 break; 3410 case IKEADM_HELP_TOKEN: 3411 print_token_help(); 3412 break; 3413 case IKEADM_HELP_HELP: 3414 print_help_help(); 3415 break; 3416 case IKEADM_EXIT: 3417 if (interactive) 3418 exit(0); 3419 break; 3420 case IKE_SVC_DBG_RBDUMP: 3421 do_rbdump(); 3422 break; 3423 case IKE_SVC_ERROR: 3424 usage(); 3425 default: 3426 exit(0); 3427 } 3428 } 3429 3430 int 3431 main(int argc, char **argv) 3432 { 3433 char ch; 3434 3435 (void) setlocale(LC_ALL, ""); 3436 #if !defined(TEXT_DOMAIN) 3437 #define TEXT_DOMAIN "SYS_TEST" 3438 #endif 3439 (void) textdomain(TEXT_DOMAIN); 3440 3441 while ((ch = getopt(argc, argv, "hpn")) != EOF) { 3442 switch (ch) { 3443 case 'h': 3444 print_help(); 3445 return (0); 3446 case 'p': 3447 pflag = B_TRUE; 3448 break; 3449 case 'n': 3450 nflag = B_TRUE; 3451 break; 3452 default: 3453 usage(); 3454 } 3455 } 3456 argc -= optind; 3457 argv += optind; 3458 3459 if (open_door() < 0) { 3460 (void) fprintf(stderr, 3461 gettext("Unable to communicate with in.iked\n")); 3462 Bail("open_door failed"); 3463 } 3464 3465 if (*argv == NULL) { 3466 /* no cmd-line args, do interactive mode */ 3467 do_interactive(stdin, NULL, "ikeadm> ", NULL, parseit, 3468 no_match); 3469 } 3470 3471 parseit(argc, argv, NULL, B_FALSE); 3472 3473 return (0); 3474 } 3475