1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright (c) 2016 by Delphix. All rights reserved. 24 */ 25 26 /* 27 * NOTE:I'm trying to use "struct sadb_foo" instead of "sadb_foo_t" 28 * as a maximal PF_KEY portability test. 29 * 30 * Also, this is a deliberately single-threaded app, also for portability 31 * to systems without POSIX threads. 32 */ 33 34 #include <sys/types.h> 35 #include <sys/stat.h> 36 #include <sys/socket.h> 37 #include <sys/sysmacros.h> 38 #include <sys/fcntl.h> 39 #include <net/pfkeyv2.h> 40 #include <arpa/inet.h> 41 #include <netinet/in.h> 42 #include <sys/uio.h> 43 44 #include <syslog.h> 45 #include <signal.h> 46 #include <unistd.h> 47 #include <limits.h> 48 #include <stdlib.h> 49 #include <stdio.h> 50 #include <stdarg.h> 51 #include <netdb.h> 52 #include <pwd.h> 53 #include <errno.h> 54 #include <libintl.h> 55 #include <locale.h> 56 #include <fcntl.h> 57 #include <strings.h> 58 #include <ctype.h> 59 #include <sys/cladm.h> 60 61 #include <ipsec_util.h> 62 63 static int keysock; 64 static int cluster_socket; 65 static uint32_t seq; 66 static pid_t mypid; 67 static boolean_t vflag = B_FALSE; /* Verbose? */ 68 static boolean_t cflag = B_FALSE; /* Check Only */ 69 70 char *my_fmri = NULL; 71 FILE *debugfile = stdout; 72 static struct sockaddr_in cli_addr; 73 static boolean_t in_cluster_mode = B_FALSE; 74 75 #define MAX_GET_SIZE 1024 76 /* 77 * WARN() and ERROR() do the same thing really, with ERROR() the function 78 * that prints the error buffer needs to be called at the end of a code block 79 * This will print out all accumulated errors before bailing. The WARN() 80 * macro calls handle_errors() in such a way that it prints the message 81 * then continues. 82 * If the FATAL() macro used call handle_errors() immediately. 83 */ 84 #define ERROR(x, y, z) x = record_error(x, y, z) 85 #define ERROR1(w, x, y, z) w = record_error(w, x, y, z) 86 #define ERROR2(v, w, x, y, z) v = record_error(v, w, x, y, z) 87 #define WARN(x, y, z) ERROR(x, y, z);\ 88 handle_errors(x, NULL, B_FALSE, B_FALSE); x = NULL 89 #define WARN1(w, x, y, z) ERROR1(w, x, y, z);\ 90 handle_errors(w, NULL, B_FALSE, B_FALSE); w = NULL 91 #define WARN2(v, w, x, y, z) ERROR2(v, w, x, y, z);\ 92 handle_errors(v, NULL, B_FALSE, B_FALSE); v = NULL 93 #define FATAL(x, y, z) ERROR(x, y, z);\ 94 handle_errors(x, y, B_TRUE, B_TRUE) 95 #define FATAL1(w, x, y, z) ERROR1(w, x, y, z);\ 96 handle_errors(w, x, B_TRUE, B_TRUE) 97 98 /* Defined as a uint64_t array for alignment purposes. */ 99 static uint64_t get_buffer[MAX_GET_SIZE]; 100 101 /* 102 * Disable default TAB completion for now (until some brave soul tackles it). 103 */ 104 /* ARGSUSED */ 105 static 106 CPL_MATCH_FN(no_match) 107 { 108 return (0); 109 } 110 111 /* 112 * Create/Grow a buffer large enough to hold error messages. If *ebuf 113 * is not NULL then it will contain a copy of the command line that 114 * triggered the error/warning, copy this into a new buffer or 115 * append new messages to the existing buffer. 116 */ 117 /*PRINTFLIKE1*/ 118 char * 119 record_error(char *ep, char *ebuf, char *fmt, ...) 120 { 121 char *err_ptr; 122 char tmp_buff[1024]; 123 va_list ap; 124 int length = 0; 125 err_ptr = ep; 126 127 va_start(ap, fmt); 128 length = vsnprintf(tmp_buff, sizeof (tmp_buff), fmt, ap); 129 va_end(ap); 130 131 /* There is a new line character */ 132 length++; 133 134 if (ep == NULL) { 135 if (ebuf != NULL) 136 length += strlen(ebuf); 137 } else { 138 length += strlen(ep); 139 } 140 141 if (err_ptr == NULL) 142 err_ptr = calloc(length, sizeof (char)); 143 else 144 err_ptr = realloc(err_ptr, length); 145 146 if (err_ptr == NULL) 147 Bail("realloc() failure"); 148 149 /* 150 * If (ep == NULL) then this is the first error to record, 151 * copy in the command line that triggered this error/warning. 152 */ 153 if (ep == NULL && ebuf != NULL) 154 (void) strlcpy(err_ptr, ebuf, length); 155 156 /* 157 * Now the actual error. 158 */ 159 (void) strlcat(err_ptr, tmp_buff, length); 160 return (err_ptr); 161 } 162 163 /* 164 * If not in interactive mode print usage message and exit. 165 */ 166 static void 167 usage(void) 168 { 169 if (!interactive) { 170 (void) fprintf(stderr, gettext("Usage:\t" 171 "ipseckey [ -nvp ] | cmd [sa_type] [extfield value]*\n")); 172 (void) fprintf(stderr, 173 gettext("\tipseckey [ -nvp ] -f infile\n")); 174 (void) fprintf(stderr, 175 gettext("\tipseckey [ -nvp ] -s outfile\n")); 176 EXIT_FATAL(NULL); 177 } else { 178 (void) fprintf(stderr, 179 gettext("Type help or ? for usage info\n")); 180 } 181 } 182 183 184 /* 185 * Print out any errors, tidy up as required. 186 * error pointer ep will be free()'d 187 */ 188 void 189 handle_errors(char *ep, char *ebuf, boolean_t fatal, boolean_t done) 190 { 191 if (ep != NULL) { 192 if (my_fmri == NULL) { 193 /* 194 * For now suppress the errors when run from smf(7) 195 * because potentially sensitive information could 196 * end up in a publicly readable logfile. 197 */ 198 (void) fprintf(stdout, "%s\n", ep); 199 (void) fflush(stdout); 200 } 201 free(ep); 202 if (fatal) { 203 if (ebuf != NULL) { 204 free(ebuf); 205 } 206 /* reset command buffer */ 207 if (interactive) 208 longjmp(env, 1); 209 } else { 210 return; 211 } 212 } else { 213 /* 214 * No errors, if this is the last time that this function 215 * is called, free(ebuf) and reset command buffer. 216 */ 217 if (done) { 218 if (ebuf != NULL) { 219 free(ebuf); 220 } 221 /* reset command buffer */ 222 if (interactive) 223 longjmp(env, 1); 224 } 225 return; 226 } 227 EXIT_FATAL(NULL); 228 } 229 230 /* 231 * Initialize a PF_KEY base message. 232 */ 233 static void 234 msg_init(struct sadb_msg *msg, uint8_t type, uint8_t satype) 235 { 236 msg->sadb_msg_version = PF_KEY_V2; 237 msg->sadb_msg_type = type; 238 msg->sadb_msg_errno = 0; 239 msg->sadb_msg_satype = satype; 240 /* For starters... */ 241 msg->sadb_msg_len = SADB_8TO64(sizeof (*msg)); 242 msg->sadb_msg_reserved = 0; 243 msg->sadb_msg_seq = ++seq; 244 msg->sadb_msg_pid = mypid; 245 } 246 247 /* 248 * parseXXX and rparseXXX commands parse input and convert them to PF_KEY 249 * field values, or do the reverse for the purposes of saving the SA tables. 250 * (See the save_XXX functions.) 251 */ 252 253 #define CMD_NONE 0 254 #define CMD_UPDATE 2 255 #define CMD_UPDATE_PAIR 3 256 #define CMD_ADD 4 257 #define CMD_DELETE 5 258 #define CMD_DELETE_PAIR 6 259 #define CMD_GET 7 260 #define CMD_FLUSH 9 261 #define CMD_DUMP 10 262 #define CMD_MONITOR 11 263 #define CMD_PMONITOR 12 264 #define CMD_QUIT 13 265 #define CMD_SAVE 14 266 #define CMD_HELP 15 267 268 /* 269 * Parse the command. 270 */ 271 static int 272 parsecmd(char *cmdstr) 273 { 274 static struct cmdtable { 275 char *cmd; 276 int token; 277 } table[] = { 278 /* 279 * Q: Do we want to do GETSPI? 280 * A: No, it's for automated key mgmt. only. Either that, 281 * or it isn't relevant until we support non IPsec SA types. 282 */ 283 {"update", CMD_UPDATE}, 284 {"update-pair", CMD_UPDATE_PAIR}, 285 {"add", CMD_ADD}, 286 {"delete", CMD_DELETE}, 287 {"delete-pair", CMD_DELETE_PAIR}, 288 {"get", CMD_GET}, 289 /* 290 * Q: And ACQUIRE and REGISTER and EXPIRE? 291 * A: not until we support non IPsec SA types. 292 */ 293 {"flush", CMD_FLUSH}, 294 {"dump", CMD_DUMP}, 295 {"monitor", CMD_MONITOR}, 296 {"passive_monitor", CMD_PMONITOR}, 297 {"pmonitor", CMD_PMONITOR}, 298 {"quit", CMD_QUIT}, 299 {"exit", CMD_QUIT}, 300 {"save", CMD_SAVE}, 301 {"help", CMD_HELP}, 302 {"?", CMD_HELP}, 303 {NULL, CMD_NONE} 304 }; 305 struct cmdtable *ct = table; 306 307 while (ct->cmd != NULL && strcmp(ct->cmd, cmdstr) != 0) 308 ct++; 309 return (ct->token); 310 } 311 312 /* 313 * Convert a number from a command line. I picked "u_longlong_t" for the 314 * number because we need the largest number available. Also, the strto<num> 315 * calls don't deal in units of uintNN_t. 316 */ 317 static u_longlong_t 318 parsenum(char *num, boolean_t bail, char *ebuf) 319 { 320 u_longlong_t rc = 0; 321 char *end = NULL; 322 char *ep = NULL; 323 324 if (num == NULL) { 325 FATAL(ep, ebuf, gettext("Unexpected end of command line," 326 " was expecting a number.\n")); 327 /* NOTREACHED */ 328 } 329 330 errno = 0; 331 rc = strtoull(num, &end, 0); 332 if (errno != 0 || end == num || *end != '\0') { 333 if (bail) { 334 FATAL1(ep, ebuf, gettext( 335 "Expecting a number, not \"%s\"!\n"), num); 336 } else { 337 /* 338 * -1, while not optimal, is sufficiently out of range 339 * for most of this function's applications when 340 * we don't just bail. 341 */ 342 return ((u_longlong_t)-1); 343 } 344 } 345 handle_errors(ep, NULL, B_FALSE, B_FALSE); 346 return (rc); 347 } 348 349 /* 350 * Parse and reverse parse a specific SA type (AH, ESP, etc.). 351 */ 352 static struct typetable { 353 char *type; 354 int token; 355 } type_table[] = { 356 {"all", SADB_SATYPE_UNSPEC}, 357 {"ah", SADB_SATYPE_AH}, 358 {"esp", SADB_SATYPE_ESP}, 359 /* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */ 360 {NULL, 0} /* Token value is irrelevant for this entry. */ 361 }; 362 363 364 static int 365 parsesatype(char *type, char *ebuf) 366 { 367 struct typetable *tt = type_table; 368 char *ep = NULL; 369 370 if (type == NULL) 371 return (SADB_SATYPE_UNSPEC); 372 373 while (tt->type != NULL && strcasecmp(tt->type, type) != 0) 374 tt++; 375 376 /* 377 * New SA types (including ones keysock maintains for user-land 378 * protocols) may be added, so parse a numeric value if possible. 379 */ 380 if (tt->type == NULL) { 381 tt->token = (int)parsenum(type, B_FALSE, ebuf); 382 if (tt->token == -1) { 383 ERROR1(ep, ebuf, gettext( 384 "Unknown SA type (%s).\n"), type); 385 tt->token = SADB_SATYPE_UNSPEC; 386 } 387 } 388 handle_errors(ep, NULL, interactive ? B_TRUE : B_FALSE, B_FALSE); 389 return (tt->token); 390 } 391 392 #define NEXTEOF 0 393 #define NEXTNONE 1 394 #define NEXTNUM 2 395 #define NEXTSTR 3 396 #define NEXTNUMSTR 4 397 #define NEXTADDR 5 398 #define NEXTHEX 6 399 #define NEXTIDENT 7 400 #define NEXTADDR4 8 401 #define NEXTADDR6 9 402 #define NEXTLABEL 10 403 404 #define TOK_EOF 0 405 #define TOK_UNKNOWN 1 406 #define TOK_SPI 2 407 #define TOK_REPLAY 3 408 #define TOK_STATE 4 409 #define TOK_AUTHALG 5 410 #define TOK_ENCRALG 6 411 #define TOK_FLAGS 7 412 #define TOK_SOFT_ALLOC 8 413 #define TOK_SOFT_BYTES 9 414 #define TOK_SOFT_ADDTIME 10 415 #define TOK_SOFT_USETIME 11 416 #define TOK_HARD_ALLOC 12 417 #define TOK_HARD_BYTES 13 418 #define TOK_HARD_ADDTIME 14 419 #define TOK_HARD_USETIME 15 420 #define TOK_CURRENT_ALLOC 16 421 #define TOK_CURRENT_BYTES 17 422 #define TOK_CURRENT_ADDTIME 18 423 #define TOK_CURRENT_USETIME 19 424 #define TOK_SRCADDR 20 425 #define TOK_DSTADDR 21 426 #define TOK_PROXYADDR 22 427 #define TOK_AUTHKEY 23 428 #define TOK_ENCRKEY 24 429 #define TOK_SRCIDTYPE 25 430 #define TOK_DSTIDTYPE 26 431 #define TOK_DPD 27 432 #define TOK_SENS_LEVEL 28 433 #define TOK_SENS_MAP 29 434 #define TOK_INTEG_LEVEL 30 435 #define TOK_INTEG_MAP 31 436 #define TOK_SRCADDR6 32 437 #define TOK_DSTADDR6 33 438 #define TOK_PROXYADDR6 34 439 #define TOK_SRCPORT 35 440 #define TOK_DSTPORT 36 441 #define TOK_PROTO 37 442 #define TOK_ENCAP 38 443 #define TOK_NATLOC 39 444 #define TOK_NATREM 40 445 #define TOK_NATLPORT 41 446 #define TOK_NATRPORT 42 447 #define TOK_IPROTO 43 448 #define TOK_IDSTADDR 44 449 #define TOK_IDSTADDR6 45 450 #define TOK_ISRCPORT 46 451 #define TOK_IDSTPORT 47 452 #define TOK_PAIR_SPI 48 453 #define TOK_FLAG_INBOUND 49 454 #define TOK_FLAG_OUTBOUND 50 455 #define TOK_REPLAY_VALUE 51 456 #define TOK_IDLE_ADDTIME 52 457 #define TOK_IDLE_USETIME 53 458 #define TOK_RESERVED 54 459 #define TOK_LABEL 55 460 #define TOK_OLABEL 56 461 #define TOK_IMPLABEL 57 462 463 464 static struct toktable { 465 char *string; 466 int token; 467 int next; 468 } tokens[] = { 469 /* "String", token value, next arg is */ 470 {"spi", TOK_SPI, NEXTNUM}, 471 {"pair-spi", TOK_PAIR_SPI, NEXTNUM}, 472 {"replay", TOK_REPLAY, NEXTNUM}, 473 {"state", TOK_STATE, NEXTNUMSTR}, 474 {"auth_alg", TOK_AUTHALG, NEXTNUMSTR}, 475 {"authalg", TOK_AUTHALG, NEXTNUMSTR}, 476 {"encr_alg", TOK_ENCRALG, NEXTNUMSTR}, 477 {"encralg", TOK_ENCRALG, NEXTNUMSTR}, 478 {"flags", TOK_FLAGS, NEXTNUM}, 479 {"soft_alloc", TOK_SOFT_ALLOC, NEXTNUM}, 480 {"soft_bytes", TOK_SOFT_BYTES, NEXTNUM}, 481 {"soft_addtime", TOK_SOFT_ADDTIME, NEXTNUM}, 482 {"soft_usetime", TOK_SOFT_USETIME, NEXTNUM}, 483 {"hard_alloc", TOK_HARD_ALLOC, NEXTNUM}, 484 {"hard_bytes", TOK_HARD_BYTES, NEXTNUM}, 485 {"hard_addtime", TOK_HARD_ADDTIME, NEXTNUM}, 486 {"hard_usetime", TOK_HARD_USETIME, NEXTNUM}, 487 {"current_alloc", TOK_CURRENT_ALLOC, NEXTNUM}, 488 {"current_bytes", TOK_CURRENT_BYTES, NEXTNUM}, 489 {"current_addtime", TOK_CURRENT_ADDTIME, NEXTNUM}, 490 {"current_usetime", TOK_CURRENT_USETIME, NEXTNUM}, 491 492 {"saddr", TOK_SRCADDR, NEXTADDR}, 493 {"srcaddr", TOK_SRCADDR, NEXTADDR}, 494 {"src", TOK_SRCADDR, NEXTADDR}, 495 {"daddr", TOK_DSTADDR, NEXTADDR}, 496 {"dstaddr", TOK_DSTADDR, NEXTADDR}, 497 {"dst", TOK_DSTADDR, NEXTADDR}, 498 {"proxyaddr", TOK_PROXYADDR, NEXTADDR}, 499 {"proxy", TOK_PROXYADDR, NEXTADDR}, 500 {"innersrc", TOK_PROXYADDR, NEXTADDR}, 501 {"isrc", TOK_PROXYADDR, NEXTADDR}, 502 {"innerdst", TOK_IDSTADDR, NEXTADDR}, 503 {"idst", TOK_IDSTADDR, NEXTADDR}, 504 505 {"sport", TOK_SRCPORT, NEXTNUM}, 506 {"dport", TOK_DSTPORT, NEXTNUM}, 507 {"innersport", TOK_ISRCPORT, NEXTNUM}, 508 {"isport", TOK_ISRCPORT, NEXTNUM}, 509 {"innerdport", TOK_IDSTPORT, NEXTNUM}, 510 {"idport", TOK_IDSTPORT, NEXTNUM}, 511 {"proto", TOK_PROTO, NEXTNUM}, 512 {"ulp", TOK_PROTO, NEXTNUM}, 513 {"iproto", TOK_IPROTO, NEXTNUM}, 514 {"iulp", TOK_IPROTO, NEXTNUM}, 515 516 {"saddr6", TOK_SRCADDR6, NEXTADDR}, 517 {"srcaddr6", TOK_SRCADDR6, NEXTADDR}, 518 {"src6", TOK_SRCADDR6, NEXTADDR}, 519 {"daddr6", TOK_DSTADDR6, NEXTADDR}, 520 {"dstaddr6", TOK_DSTADDR6, NEXTADDR}, 521 {"dst6", TOK_DSTADDR6, NEXTADDR}, 522 {"proxyaddr6", TOK_PROXYADDR6, NEXTADDR}, 523 {"proxy6", TOK_PROXYADDR6, NEXTADDR}, 524 {"innersrc6", TOK_PROXYADDR6, NEXTADDR}, 525 {"isrc6", TOK_PROXYADDR6, NEXTADDR}, 526 {"innerdst6", TOK_IDSTADDR6, NEXTADDR}, 527 {"idst6", TOK_IDSTADDR6, NEXTADDR}, 528 529 {"authkey", TOK_AUTHKEY, NEXTHEX}, 530 {"encrkey", TOK_ENCRKEY, NEXTHEX}, 531 {"srcidtype", TOK_SRCIDTYPE, NEXTIDENT}, 532 {"dstidtype", TOK_DSTIDTYPE, NEXTIDENT}, 533 {"dpd", TOK_DPD, NEXTNUM}, 534 {"sens_level", TOK_SENS_LEVEL, NEXTNUM}, 535 {"sens_map", TOK_SENS_MAP, NEXTHEX}, 536 {"integ_level", TOK_INTEG_LEVEL, NEXTNUM}, 537 {"integ_map", TOK_INTEG_MAP, NEXTHEX}, 538 {"nat_loc", TOK_NATLOC, NEXTADDR}, 539 {"nat_rem", TOK_NATREM, NEXTADDR}, 540 {"nat_lport", TOK_NATLPORT, NEXTNUM}, 541 {"nat_rport", TOK_NATRPORT, NEXTNUM}, 542 {"encap", TOK_ENCAP, NEXTNUMSTR}, 543 544 {"outbound", TOK_FLAG_OUTBOUND, 0}, 545 {"inbound", TOK_FLAG_INBOUND, 0}, 546 547 {"reserved_bits", TOK_RESERVED, NEXTNUM}, 548 {"replay_value", TOK_REPLAY_VALUE, NEXTNUM}, 549 {"idle_addtime", TOK_IDLE_ADDTIME, NEXTNUM}, 550 {"idle_usetime", TOK_IDLE_USETIME, NEXTNUM}, 551 552 {"label", TOK_LABEL, NEXTLABEL}, 553 {"outer-label", TOK_OLABEL, NEXTLABEL}, 554 {"implicit-label", TOK_IMPLABEL, NEXTLABEL}, 555 556 {NULL, TOK_UNKNOWN, NEXTEOF} 557 }; 558 559 /* 560 * Q: Do I need stuff for proposals, combinations, supported algorithms, 561 * or SPI ranges? 562 * 563 * A: Probably not, but you never know. 564 * 565 * Parse out extension header type values. 566 */ 567 static int 568 parseextval(char *value, int *next) 569 { 570 struct toktable *tp; 571 572 if (value == NULL) 573 return (TOK_EOF); 574 575 for (tp = tokens; tp->string != NULL; tp++) 576 if (strcmp(value, tp->string) == 0) 577 break; 578 579 /* 580 * Since the OS controls what extensions are available, we don't have 581 * to parse numeric values here. 582 */ 583 584 *next = tp->next; 585 return (tp->token); 586 } 587 588 /* 589 * Parse possible state values. 590 */ 591 static uint8_t 592 parsestate(char *state, char *ebuf) 593 { 594 struct states { 595 char *state; 596 uint8_t retval; 597 } states[] = { 598 {"larval", SADB_SASTATE_LARVAL}, 599 {"mature", SADB_SASTATE_MATURE}, 600 {"dying", SADB_SASTATE_DYING}, 601 {"dead", SADB_SASTATE_DEAD}, 602 {NULL, 0} 603 }; 604 struct states *sp; 605 char *ep = NULL; 606 607 if (state == NULL) { 608 FATAL(ep, ebuf, "Unexpected end of command line " 609 "was expecting a state.\n"); 610 } 611 612 for (sp = states; sp->state != NULL; sp++) { 613 if (strcmp(sp->state, state) == 0) 614 return (sp->retval); 615 } 616 ERROR1(ep, ebuf, gettext("Unknown state type \"%s\"\n"), state); 617 handle_errors(ep, NULL, B_FALSE, B_FALSE); 618 return (0); 619 } 620 621 /* 622 * Return the numerical algorithm identifier corresponding to the specified 623 * algorithm name. 624 */ 625 static uint8_t 626 parsealg(char *alg, int proto_num, char *ebuf) 627 { 628 u_longlong_t invalue; 629 struct ipsecalgent *algent; 630 char *ep = NULL; 631 632 if (alg == NULL) { 633 FATAL(ep, ebuf, gettext("Unexpected end of command line, " 634 "was expecting an algorithm name.\n")); 635 } 636 637 algent = getipsecalgbyname(alg, proto_num, NULL); 638 if (algent != NULL) { 639 uint8_t alg_num; 640 641 alg_num = algent->a_alg_num; 642 if (ALG_FLAG_COUNTERMODE & algent->a_alg_flags) 643 WARN1(ep, ebuf, gettext( 644 "Using manual keying with a Counter mode algorithm " 645 "such as \"%s\" may be insecure!\n"), 646 algent->a_names[0]); 647 freeipsecalgent(algent); 648 649 return (alg_num); 650 } 651 652 /* 653 * Since algorithms can be loaded during kernel run-time, check for 654 * numeric algorithm values too. PF_KEY can catch bad ones with EINVAL. 655 */ 656 invalue = parsenum(alg, B_FALSE, ebuf); 657 if (invalue != (u_longlong_t)-1 && 658 (u_longlong_t)(invalue & (u_longlong_t)0xff) == invalue) 659 return ((uint8_t)invalue); 660 661 if (proto_num == IPSEC_PROTO_ESP) { 662 ERROR1(ep, ebuf, gettext( 663 "Unknown encryption algorithm type \"%s\"\n"), alg); 664 } else { 665 ERROR1(ep, ebuf, gettext( 666 "Unknown authentication algorithm type \"%s\"\n"), alg); 667 } 668 handle_errors(ep, NULL, B_FALSE, B_FALSE); 669 return (0); 670 } 671 672 /* 673 * Parse and reverse parse out a source/destination ID type. 674 */ 675 static struct idtypes { 676 char *idtype; 677 uint8_t retval; 678 } idtypes[] = { 679 {"prefix", SADB_IDENTTYPE_PREFIX}, 680 {"fqdn", SADB_IDENTTYPE_FQDN}, 681 {"domain", SADB_IDENTTYPE_FQDN}, 682 {"domainname", SADB_IDENTTYPE_FQDN}, 683 {"user_fqdn", SADB_IDENTTYPE_USER_FQDN}, 684 {"mailbox", SADB_IDENTTYPE_USER_FQDN}, 685 {"der_dn", SADB_X_IDENTTYPE_DN}, 686 {"der_gn", SADB_X_IDENTTYPE_GN}, 687 {NULL, 0} 688 }; 689 690 static uint16_t 691 parseidtype(char *type, char *ebuf) 692 { 693 struct idtypes *idp; 694 u_longlong_t invalue; 695 char *ep = NULL; 696 697 if (type == NULL) { 698 /* Shouldn't reach here, see callers for why. */ 699 FATAL(ep, ebuf, gettext("Unexpected end of command line, " 700 "was expecting a type.\n")); 701 } 702 703 for (idp = idtypes; idp->idtype != NULL; idp++) { 704 if (strcasecmp(idp->idtype, type) == 0) 705 return (idp->retval); 706 } 707 /* 708 * Since identity types are almost arbitrary, check for numeric 709 * algorithm values too. PF_KEY can catch bad ones with EINVAL. 710 */ 711 invalue = parsenum(type, B_FALSE, ebuf); 712 if (invalue != (u_longlong_t)-1 && 713 (u_longlong_t)(invalue & (u_longlong_t)0xffff) == invalue) 714 return ((uint16_t)invalue); 715 716 717 ERROR1(ep, ebuf, gettext("Unknown identity type \"%s\"\n"), type); 718 719 handle_errors(ep, NULL, B_FALSE, B_FALSE); 720 return (0); 721 } 722 723 /* 724 * Parse an address off the command line. Return length of sockaddr, 725 * and either return a hostent pointer (caller frees). The new 726 * getipnodebyname() call does the Right Thing (TM), even with 727 * raw addresses (colon-separated IPv6 or dotted decimal IPv4). 728 */ 729 730 static struct { 731 struct hostent he; 732 char *addtl[2]; 733 } dummy; 734 static union { 735 struct in6_addr ipv6; 736 struct in_addr ipv4; 737 uint64_t aligner; 738 } addr1; 739 740 static int 741 parseaddr(char *addr, struct hostent **hpp, boolean_t v6only, char *ebuf) 742 { 743 int hp_errno; 744 struct hostent *hp = NULL; 745 char *ep = NULL; 746 747 if (addr == NULL) { 748 FATAL(ep, ebuf, gettext("Unexpected end of command line, " 749 "was expecting an address.\n")); 750 } 751 752 if (!nflag) { 753 /* 754 * Try name->address first. Assume AF_INET6, and 755 * get IPv4's, plus IPv6's if and only if IPv6 is configured. 756 * This means to add IPv6 SAs, you must have IPv6 757 * up-and-running. (AI_DEFAULT works here.) 758 */ 759 hp = getipnodebyname(addr, AF_INET6, 760 (v6only ? AI_ADDRCONFIG : (AI_DEFAULT | AI_ALL)), 761 &hp_errno); 762 } else { 763 /* 764 * Try a normal address conversion only. Use "dummy" 765 * to construct a fake hostent. Caller will know not 766 * to free this one. 767 */ 768 if (inet_pton(AF_INET6, addr, &addr1) == 1) { 769 dummy.he.h_addr_list = dummy.addtl; 770 dummy.addtl[0] = (char *)&addr1; 771 dummy.addtl[1] = NULL; 772 hp = &dummy.he; 773 dummy.he.h_addrtype = AF_INET6; 774 dummy.he.h_length = sizeof (struct in6_addr); 775 } else if (inet_pton(AF_INET, addr, &addr1) == 1) { 776 /* 777 * Remap to AF_INET6 anyway. 778 */ 779 dummy.he.h_addr_list = dummy.addtl; 780 dummy.addtl[0] = (char *)&addr1; 781 dummy.addtl[1] = NULL; 782 hp = &dummy.he; 783 dummy.he.h_addrtype = AF_INET6; 784 dummy.he.h_length = sizeof (struct in6_addr); 785 /* 786 * NOTE: If macro changes to disallow in-place 787 * conversion, rewhack this. 788 */ 789 IN6_INADDR_TO_V4MAPPED(&addr1.ipv4, &addr1.ipv6); 790 } else { 791 hp = NULL; 792 } 793 } 794 795 if (hp == NULL) 796 WARN1(ep, ebuf, gettext("Unknown address %s."), addr); 797 798 *hpp = hp; 799 /* Always return sockaddr_in6 for now. */ 800 handle_errors(ep, NULL, B_FALSE, B_FALSE); 801 return (sizeof (struct sockaddr_in6)); 802 } 803 804 /* 805 * Parse a hex character for a key. A string will take the form: 806 * xxxxxxxxx/nn 807 * where 808 * xxxxxxxxx == a string of hex characters ([0-9][a-f][A-F]) 809 * nn == an optional decimal "mask". If it is not present, it 810 * is assumed that the hex string will be rounded to the nearest 811 * byte, where odd nibbles, like 123 will become 0x0123. 812 * 813 * NOTE:Unlike the expression of IP addresses, I will not allow an 814 * excessive "mask". For example 2112/50 is very illegal. 815 * NOTE2: This key should be in canonical order. Consult your man 816 * pages per algorithm about said order. 817 */ 818 819 #define hd2num(hd) (((hd) >= '0' && (hd) <= '9') ? ((hd) - '0') : \ 820 (((hd) >= 'a' && (hd) <= 'f') ? ((hd) - 'a' + 10) : ((hd) - 'A' + 10))) 821 822 static struct sadb_key * 823 parsekey(char *input, char *ebuf, uint_t reserved_bits) 824 { 825 struct sadb_key *retval; 826 uint_t i, hexlen = 0, bits, alloclen; 827 uint8_t *key; 828 char *ep = NULL; 829 830 if (input == NULL) { 831 FATAL(ep, ebuf, gettext("Unexpected end of command line, " 832 "was expecting a key.\n")); 833 } 834 /* Allow hex values prepended with 0x convention */ 835 if ((strnlen(input, sizeof (hexlen)) > 2) && 836 (strncasecmp(input, "0x", 2) == 0)) 837 input += 2; 838 839 for (i = 0; input[i] != '\0' && input[i] != '/'; i++) 840 hexlen++; 841 842 if (input[i] == '\0') { 843 bits = 0; 844 } else { 845 /* Have /nn. */ 846 input[i] = '\0'; 847 if (sscanf((input + i + 1), "%u", &bits) != 1) { 848 FATAL1(ep, ebuf, gettext( 849 "\"%s\" is not a bit specifier.\n"), 850 (input + i + 1)); 851 } 852 /* hexlen in nibbles */ 853 if (((bits + 3) >> 2) > hexlen) { 854 ERROR2(ep, ebuf, gettext( 855 "bit length %d is too big for %s.\n"), bits, input); 856 } 857 /* 858 * Adjust hexlen down if user gave us too small of a bit 859 * count. 860 */ 861 if ((hexlen << 2) > bits + 3) { 862 WARN2(ep, ebuf, gettext( 863 "WARNING: Lower bits will be truncated " 864 "for:\n\t%s/%d.\n"), input, bits); 865 hexlen = (bits + 3) >> 2; 866 input[hexlen] = '\0'; 867 } 868 } 869 870 /* 871 * Allocate. Remember, hexlen is in nibbles. 872 */ 873 874 alloclen = sizeof (*retval) + roundup((hexlen/2 + (hexlen & 0x1)), 8); 875 retval = malloc(alloclen); 876 877 if (retval == NULL) 878 Bail("malloc(parsekey)"); 879 retval->sadb_key_len = SADB_8TO64(alloclen); 880 881 retval->sadb_key_reserved = reserved_bits; 882 883 if (bits == 0) 884 retval->sadb_key_bits = (hexlen + (hexlen & 0x1)) << 2; 885 else 886 retval->sadb_key_bits = bits; 887 888 /* 889 * Read in nibbles. Read in odd-numbered as shifted high. 890 * (e.g. 123 becomes 0x1230). 891 */ 892 893 key = (uint8_t *)(retval + 1); 894 for (i = 0; input[i] != '\0'; i += 2) { 895 boolean_t second = (input[i + 1] != '\0'); 896 897 if (!isxdigit(input[i]) || 898 (!isxdigit(input[i + 1]) && second)) { 899 ERROR1(ep, ebuf, gettext( 900 "string '%s' not a hex value.\n"), input); 901 free(retval); 902 retval = NULL; 903 break; 904 } 905 *key = (hd2num(input[i]) << 4); 906 if (second) 907 *key |= hd2num(input[i + 1]); 908 else 909 break; /* out of for loop. */ 910 key++; 911 } 912 913 /* bzero the remaining bits if we're a non-octet amount. */ 914 if (bits & 0x7) 915 *((input[i] == '\0') ? key - 1 : key) &= 916 0xff << (8 - (bits & 0x7)); 917 918 handle_errors(ep, NULL, B_FALSE, B_FALSE); 919 return (retval); 920 } 921 922 #include <tsol/label.h> 923 924 #define PARSELABEL_BAD_TOKEN ((struct sadb_sens *)-1) 925 926 static struct sadb_sens * 927 parselabel(int token, char *label) 928 { 929 bslabel_t *sl = NULL; 930 int err, len; 931 sadb_sens_t *sens; 932 int doi = 1; /* XXX XXX DEFAULT_DOI XXX XXX */ 933 934 err = str_to_label(label, &sl, MAC_LABEL, L_DEFAULT, NULL); 935 if (err < 0) 936 return (NULL); 937 938 len = ipsec_convert_sl_to_sens(doi, sl, NULL); 939 940 sens = malloc(len); 941 if (sens == NULL) { 942 Bail("malloc parsed label"); 943 /* Should exit before reaching here... */ 944 return (NULL); 945 } 946 947 (void) ipsec_convert_sl_to_sens(doi, sl, sens); 948 949 switch (token) { 950 case TOK_LABEL: 951 break; 952 953 case TOK_OLABEL: 954 sens->sadb_sens_exttype = SADB_X_EXT_OUTER_SENS; 955 break; 956 957 case TOK_IMPLABEL: 958 sens->sadb_sens_exttype = SADB_X_EXT_OUTER_SENS; 959 sens->sadb_x_sens_flags = SADB_X_SENS_IMPLICIT; 960 break; 961 962 default: 963 free(sens); 964 /* 965 * Return a different return code for a bad label, but really, 966 * this would be a caller error. 967 */ 968 return (PARSELABEL_BAD_TOKEN); 969 } 970 971 return (sens); 972 } 973 974 /* 975 * Write a message to the PF_KEY socket. If verbose, print the message 976 * heading into the kernel. 977 */ 978 static int 979 key_write(int fd, void *msg, size_t len) 980 { 981 if (vflag) { 982 (void) printf( 983 gettext("VERBOSE ON: Message to kernel looks like:\n")); 984 (void) printf("==========================================\n"); 985 print_samsg(stdout, msg, B_FALSE, vflag, nflag); 986 (void) printf("==========================================\n"); 987 } 988 989 return (write(fd, msg, len)); 990 } 991 992 /* 993 * SIGALRM handler for time_critical_enter. 994 */ 995 static void 996 time_critical_catch(int signal) 997 { 998 if (signal == SIGALRM) { 999 errx(1, gettext("Reply message from PF_KEY timed out.")); 1000 } else { 1001 errx(1, gettext("Caught signal %d while trying to receive" 1002 "PF_KEY reply message"), signal); 1003 } 1004 /* errx() calls exit. */ 1005 } 1006 1007 #define TIME_CRITICAL_TIME 10 /* In seconds */ 1008 1009 /* 1010 * Enter a "time critical" section where key is waiting for a return message. 1011 */ 1012 static void 1013 time_critical_enter(void) 1014 { 1015 (void) signal(SIGALRM, time_critical_catch); 1016 (void) alarm(TIME_CRITICAL_TIME); 1017 } 1018 1019 /* 1020 * Exit the "time critical" section after getting an appropriate return 1021 * message. 1022 */ 1023 static void 1024 time_critical_exit(void) 1025 { 1026 (void) alarm(0); 1027 (void) signal(SIGALRM, SIG_DFL); 1028 } 1029 1030 /* 1031 * Construct a PF_KEY FLUSH message for the SA type specified. 1032 */ 1033 static void 1034 doflush(int satype) 1035 { 1036 struct sadb_msg msg; 1037 int rc; 1038 1039 msg_init(&msg, SADB_FLUSH, (uint8_t)satype); 1040 rc = key_write(keysock, &msg, sizeof (msg)); 1041 if (rc == -1) 1042 Bail("write() to PF_KEY socket failed (in doflush)"); 1043 1044 time_critical_enter(); 1045 do { 1046 rc = read(keysock, &msg, sizeof (msg)); 1047 if (rc == -1) 1048 Bail("read (in doflush)"); 1049 } while (msg.sadb_msg_seq != seq || msg.sadb_msg_pid != mypid); 1050 time_critical_exit(); 1051 1052 /* 1053 * I should _never_ hit the following unless: 1054 * 1055 * 1. There is a kernel bug. 1056 * 2. There is another process filling in its pid with mine, and 1057 * issuing a different message that would cause a different result. 1058 */ 1059 if (msg.sadb_msg_type != SADB_FLUSH || 1060 msg.sadb_msg_satype != (uint8_t)satype) { 1061 syslog((LOG_NOTICE|LOG_AUTH), 1062 gettext("doflush: Return message not of type SADB_FLUSH!")); 1063 Bail("doflush: Return message not of type SADB_FLUSH!"); 1064 } 1065 1066 if (msg.sadb_msg_errno != 0) { 1067 errno = msg.sadb_msg_errno; 1068 if (errno == EINVAL) { 1069 print_diagnostic(stderr, msg.sadb_x_msg_diagnostic); 1070 warnx(gettext("Cannot flush SA type %d."), satype); 1071 } 1072 Bail("return message (in doflush)"); 1073 } 1074 } 1075 1076 /* 1077 * save_XXX functions are used when "saving" the SA tables to either a 1078 * file or standard output. They use the dump_XXX functions where needed, 1079 * but mostly they use the rparseXXX functions. 1080 */ 1081 1082 /* 1083 * Because "save" and "dump" both use the SADB_DUMP message, fold both 1084 * into the same function. 1085 */ 1086 static void 1087 dodump(int satype, FILE *ofile) 1088 { 1089 struct sadb_msg *msg = (struct sadb_msg *)get_buffer; 1090 int rc; 1091 1092 if (ofile != NULL) { 1093 (void) fprintf(ofile, 1094 gettext("# This key file was generated by the")); 1095 (void) fprintf(ofile, 1096 gettext(" ipseckey(8) command's 'save' feature.\n\n")); 1097 } 1098 msg_init(msg, SADB_DUMP, (uint8_t)satype); 1099 rc = key_write(keysock, msg, sizeof (*msg)); 1100 if (rc == -1) 1101 Bail("write to PF_KEY socket failed (in dodump)"); 1102 1103 do { 1104 /* 1105 * For DUMP, do only the read as a time critical section. 1106 */ 1107 time_critical_enter(); 1108 rc = read(keysock, get_buffer, sizeof (get_buffer)); 1109 time_critical_exit(); 1110 if (rc == -1) 1111 Bail("read (in dodump)"); 1112 if (msg->sadb_msg_pid == mypid && 1113 msg->sadb_msg_type == SADB_DUMP && 1114 msg->sadb_msg_seq != 0 && 1115 msg->sadb_msg_errno == 0) { 1116 if (ofile == NULL) { 1117 print_samsg(stdout, get_buffer, B_FALSE, vflag, 1118 nflag); 1119 (void) putchar('\n'); 1120 } else { 1121 save_assoc(get_buffer, ofile); 1122 } 1123 } 1124 } while (msg->sadb_msg_pid != mypid || 1125 (msg->sadb_msg_errno == 0 && msg->sadb_msg_seq != 0)); 1126 1127 if (ofile != NULL && ofile != stdout) 1128 (void) fclose(ofile); 1129 1130 if (msg->sadb_msg_errno == 0) { 1131 if (ofile == NULL) 1132 (void) printf( 1133 gettext("Dump succeeded for SA type %d.\n"), 1134 satype); 1135 } else { 1136 print_diagnostic(stderr, msg->sadb_x_msg_diagnostic); 1137 errno = msg->sadb_msg_errno; 1138 Bail("Dump failed"); 1139 } 1140 } 1141 1142 #define SCOPE_UNSPEC 0 1143 #define SCOPE_LINKLOCAL 1 1144 #define SCOPE_SITELOCAL 2 1145 #define SCOPE_GLOBAL 3 1146 #define SCOPE_V4COMPAT 4 1147 #define SCOPE_LOOPBACK 5 /* Pedantic, yes, but necessary. */ 1148 1149 static int 1150 ipv6_addr_scope(struct in6_addr *addr) 1151 { 1152 /* Don't return anything regarding multicast for now... */ 1153 1154 if (IN6_IS_ADDR_UNSPECIFIED(addr)) 1155 return (SCOPE_UNSPEC); 1156 1157 if (IN6_IS_ADDR_LINKLOCAL(addr)) 1158 return (SCOPE_LINKLOCAL); 1159 1160 if (IN6_IS_ADDR_SITELOCAL(addr)) 1161 return (SCOPE_SITELOCAL); 1162 1163 if (IN6_IS_ADDR_V4COMPAT(addr)) 1164 return (SCOPE_V4COMPAT); 1165 1166 if (IN6_IS_ADDR_LOOPBACK(addr)) 1167 return (SCOPE_LOOPBACK); 1168 1169 /* For now, return global by default. */ 1170 return (SCOPE_GLOBAL); 1171 } 1172 1173 /* 1174 * doaddresses(): 1175 * 1176 * Used by doaddup() and dodelget() to create new SA's based on the 1177 * provided source and destination addresses hostent. 1178 * 1179 * sadb_msg_type: expected PF_KEY reply message type 1180 * sadb_msg_satype: expected PF_KEY reply satype 1181 * cmd: user command 1182 * srchp: hostent for the source address(es) 1183 * dsthp: hostent for the destination address(es) 1184 * src: points to the SADB source address extension 1185 * dst: points to the SADB destination address extension 1186 * unspec_src: indicates an unspecified source address. 1187 * buffer: pointer to the SADB buffer to use with PF_KEY 1188 * buffer_size: size of buffer 1189 * spi: spi for this message (set by caller) 1190 * srcport: source port if specified 1191 * dstport: destination port if specified 1192 * proto: IP protocol number if specified 1193 * iproto: Inner (tunnel mode) IP protocol number if specified 1194 * NATT note: we are going to assume a semi-sane world where NAT 1195 * boxen don't explode to multiple addresses. 1196 */ 1197 static void 1198 doaddresses(uint8_t sadb_msg_type, uint8_t sadb_msg_satype, int cmd, 1199 struct hostent *srchp, struct hostent *dsthp, 1200 struct sadb_address *src, struct sadb_address *dst, 1201 boolean_t unspec_src, uint64_t *buffer, int buffer_size, uint32_t spi, 1202 char *ebuf) 1203 { 1204 boolean_t last_dst; 1205 struct sockaddr_in6 *sin6; 1206 struct sadb_msg *msgp; 1207 int i, rc; 1208 char **walker; /* For the SRC and PROXY walking functions. */ 1209 char *first_match; 1210 uint64_t savebuf[MAX_GET_SIZE]; 1211 uint16_t srcport = 0, dstport = 0; 1212 char *ep = NULL; 1213 1214 /* 1215 * Okay, now we have "src", "dst", and maybe "proxy" reassigned 1216 * to point into the buffer to be written to PF_KEY, we can do 1217 * potentially several writes based on destination address. 1218 * 1219 * First, obtain port numbers from passed-in extensions. 1220 */ 1221 1222 if (src != NULL) { 1223 sin6 = (struct sockaddr_in6 *)(src + 1); 1224 srcport = ntohs(sin6->sin6_port); 1225 } 1226 if (dst != NULL) { 1227 sin6 = (struct sockaddr_in6 *)(dst + 1); 1228 dstport = ntohs(sin6->sin6_port); 1229 } 1230 1231 /* 1232 * The rules for ADD, GET, and UPDATE: (NOTE: This assumes IPsec. 1233 * If other consumers of PF_KEY happen, this will have to be 1234 * rewhacked.): 1235 * 1236 * Do a message for every possible DST address. 1237 * 1238 * If a source or proxy address explodes, keep unspecified 1239 * (and mention unspecified). 1240 * 1241 * DELETE is different, because you can leave either "src" or "dst" 1242 * blank! You need to explode if one of them is full, and not assume 1243 * that the other is set. 1244 */ 1245 1246 if (dsthp == NULL) { 1247 /* 1248 * No destination address specified. 1249 * With extended diagnostics, we don't have to bail the 1250 * non-DELETE cases here. The EINVAL diagnostics will be 1251 * enough to inform the user(s) what happened. 1252 */ 1253 i = 0; 1254 do { 1255 if (srchp == &dummy.he) { 1256 /* Just to be sure... */ 1257 srchp->h_addr_list[1] = NULL; 1258 } else if (srchp != NULL) { 1259 /* Degenerate case, h_addr_list[0] == NULL. */ 1260 if (srchp->h_addr_list[i] == NULL) 1261 Bail("Empty source address list"); 1262 1263 /* 1264 * Fill in the src sockaddr. 1265 */ 1266 sin6 = (struct sockaddr_in6 *)(src + 1); 1267 bzero(sin6, sizeof (*sin6)); 1268 bcopy(srchp->h_addr_list[i], &sin6->sin6_addr, 1269 sizeof (struct in6_addr)); 1270 sin6->sin6_family = AF_INET6; 1271 sin6->sin6_port = htons(srcport); 1272 } 1273 1274 /* Save off a copy for later writing... */ 1275 msgp = (struct sadb_msg *)buffer; 1276 bcopy(buffer, savebuf, SADB_64TO8(msgp->sadb_msg_len)); 1277 1278 rc = key_write(keysock, buffer, 1279 SADB_64TO8(msgp->sadb_msg_len)); 1280 if (rc == -1) 1281 Bail("write() to PF_KEY socket " 1282 "(in doaddresses)"); 1283 /* 1284 * Sends the message to the Solaris Cluster daemon 1285 */ 1286 1287 if (in_cluster_mode) { 1288 (void) sendto(cluster_socket, buffer, 1289 SADB_64TO8(msgp->sadb_msg_len), 0, 1290 (struct sockaddr *)&cli_addr, 1291 sizeof (cli_addr)); 1292 } 1293 1294 time_critical_enter(); 1295 do { 1296 rc = read(keysock, buffer, buffer_size); 1297 if (rc == -1) 1298 Bail("read (in doaddresses)"); 1299 } while (msgp->sadb_msg_seq != seq || 1300 msgp->sadb_msg_pid != mypid); 1301 time_critical_exit(); 1302 1303 if (msgp->sadb_msg_type != sadb_msg_type || 1304 msgp->sadb_msg_satype != sadb_msg_satype) { 1305 syslog((LOG_NOTICE|LOG_AUTH), gettext( 1306 "doaddresses: Unexpected returned message " 1307 "(%d exp %d)\n"), msgp->sadb_msg_type, 1308 sadb_msg_type); 1309 Bail("doaddresses: Unexpected returned " 1310 "message"); 1311 } 1312 1313 errno = msgp->sadb_msg_errno; 1314 if (errno != 0) { 1315 if (errno == EINVAL) { 1316 WARN(ep, ebuf, gettext( 1317 "One of the entered " 1318 "values is incorrect.")); 1319 print_diagnostic(stderr, 1320 msgp->sadb_x_msg_diagnostic); 1321 } else { 1322 Bail("return message (in doaddresses)"); 1323 } 1324 } 1325 1326 /* ...and then restore the saved buffer. */ 1327 msgp = (struct sadb_msg *)savebuf; 1328 bcopy(savebuf, buffer, SADB_64TO8(msgp->sadb_msg_len)); 1329 } while (srchp != NULL && srchp->h_addr_list[++i] != NULL); 1330 return; 1331 } 1332 1333 /* 1334 * Go through the list of all dst addresses, trying to find matching 1335 * src address for each. If the first address is == dummy.he we will go 1336 * through the loop just once. If any other hp is == dummy.he, then we 1337 * don't have to apply any silly rules. 1338 */ 1339 for (i = 0; dsthp->h_addr_list[i] != NULL; i++) { 1340 if (dsthp == &dummy.he) { 1341 /* Just to be sure... */ 1342 dsthp->h_addr_list[1] = NULL; 1343 } else { 1344 /* 1345 * Fill in the dst sockaddr. 1346 */ 1347 sin6 = (struct sockaddr_in6 *)(dst + 1); 1348 bzero(sin6, sizeof (*sin6)); 1349 bcopy(dsthp->h_addr_list[i], &sin6->sin6_addr, 1350 sizeof (struct in6_addr)); 1351 sin6->sin6_family = AF_INET6; 1352 sin6->sin6_port = htons(dstport); 1353 } 1354 1355 last_dst = (dsthp->h_addr_list[i + 1] == NULL); 1356 1357 /* 1358 * Try and assign src, if there's any ambiguity. 1359 */ 1360 if (!unspec_src && srchp != &dummy.he) { 1361 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 1362 /* 1363 * IPv4 address. Find an IPv4 address, then 1364 * keep looking for a second one. If a second 1365 * exists, print a message, and fill in the 1366 * unspecified address. 1367 */ 1368 first_match = NULL; 1369 1370 for (walker = srchp->h_addr_list; 1371 *walker != NULL; walker++) { 1372 /* LINTED E_BAD_PTR_CAST_ALIGN */ 1373 if (IN6_IS_ADDR_V4MAPPED( 1374 (struct in6_addr *)*walker)) { 1375 if (first_match != NULL) 1376 break; 1377 else 1378 first_match = *walker; 1379 } 1380 } 1381 sin6 = (struct sockaddr_in6 *)(src + 1); 1382 bzero(sin6, sizeof (*sin6)); 1383 1384 if (first_match == NULL) { 1385 /* 1386 * No IPv4 hits. Is this the last 1387 * destination address in the list ? 1388 */ 1389 ERROR1(ep, ebuf, gettext( 1390 "No IPv4 source address " 1391 "for name %s.\n"), srchp->h_name); 1392 if (last_dst) { 1393 FATAL(ep, ebuf, gettext( 1394 "No match for destination " 1395 "IP address.\n")); 1396 } else { 1397 /* Continue, but do I print? */ 1398 continue; /* for loop */ 1399 } 1400 1401 /* I should never reach here. */ 1402 } 1403 1404 sin6->sin6_family = AF_INET6; 1405 sin6->sin6_port = htons(srcport); 1406 if (*walker != NULL) { 1407 /* 1408 * Early loop exit. It must've been 1409 * multiple hits... 1410 * 1411 * Issue a null-source warning? 1412 */ 1413 WARN1(ep, ebuf, gettext( 1414 "Multiple IPv4 source addresses " 1415 "for %s, using unspecified source " 1416 "instead."), srchp->h_name); 1417 } else { 1418 /* 1419 * If I reach here w/o hitting the 1420 * previous if statements, I have a 1421 * single source address for this 1422 * destination. 1423 */ 1424 bcopy(first_match, &sin6->sin6_addr, 1425 sizeof (struct in6_addr)); 1426 } 1427 } else { 1428 /* 1429 * IPv6 address. Find an IPv6 address. 1430 * Unlike IPv4 addresses, things can get a 1431 * little more sticky with scopes, etc. 1432 */ 1433 int dst_scope, src_scope; 1434 1435 dst_scope = ipv6_addr_scope(&sin6->sin6_addr); 1436 1437 first_match = NULL; 1438 for (walker = srchp->h_addr_list; 1439 *walker != NULL; walker++) { 1440 /* LINTED E_BAD_PTR_CAST_ALIGN */ 1441 if (!IN6_IS_ADDR_V4MAPPED( 1442 (struct in6_addr *)*walker)) { 1443 /* 1444 * Set first-match, etc. 1445 * Take into account scopes, 1446 * and other IPv6 thingies. 1447 */ 1448 src_scope = ipv6_addr_scope( 1449 /* LINTED E_BAD_PTR_CAST */ 1450 (struct in6_addr *)*walker); 1451 if (src_scope == SCOPE_UNSPEC || 1452 src_scope == dst_scope) { 1453 if (first_match != 1454 NULL) 1455 break; 1456 else 1457 first_match = 1458 *walker; 1459 } 1460 } 1461 } 1462 1463 sin6 = (struct sockaddr_in6 *)(src + 1); 1464 bzero(sin6, sizeof (*sin6)); 1465 sin6->sin6_port = htons(srcport); 1466 if (first_match == NULL) { 1467 /* 1468 * No IPv6 hits. Is this the last 1469 * destination address in the list ? 1470 */ 1471 ERROR1(ep, ebuf, gettext( 1472 "No IPv6 source address of " 1473 "matching scope for name %s.\n"), 1474 srchp->h_name); 1475 if (last_dst) { 1476 FATAL(ep, ebuf, gettext( 1477 "No match for IPV6 " 1478 "destination " 1479 "address.\n")); 1480 } else { 1481 /* Continue, but do I print? */ 1482 continue; /* for loop */ 1483 } 1484 1485 /* I should never reach here. */ 1486 } 1487 sin6->sin6_family = AF_INET6; 1488 if (*walker != NULL) { 1489 /* 1490 * Early loop exit. Issue a 1491 * null-source warning? 1492 */ 1493 WARN1(ep, ebuf, gettext( 1494 "Multiple IPv6 source addresses " 1495 "for %s of the same scope, using " 1496 "unspecified source instead.\n"), 1497 srchp->h_name); 1498 } else { 1499 /* 1500 * If I reach here w/o hitting the 1501 * previous if statements, I have a 1502 * single source address for this 1503 * destination. 1504 */ 1505 bcopy(first_match, &sin6->sin6_addr, 1506 sizeof (struct in6_addr)); 1507 } 1508 } 1509 } 1510 1511 /* 1512 * If there are errors at this point there is no 1513 * point sending anything to PF_KEY. 1514 */ 1515 handle_errors(ep, ebuf, B_TRUE, B_FALSE); 1516 1517 /* Save off a copy for later writing... */ 1518 msgp = (struct sadb_msg *)buffer; 1519 bcopy(buffer, savebuf, SADB_64TO8(msgp->sadb_msg_len)); 1520 1521 rc = key_write(keysock, buffer, SADB_64TO8(msgp->sadb_msg_len)); 1522 if (rc == -1) 1523 Bail("write() to PF_KEY socket (in doaddresses)"); 1524 1525 if (in_cluster_mode) { 1526 (void) sendto(cluster_socket, buffer, 1527 SADB_64TO8(msgp->sadb_msg_len), 0, 1528 (struct sockaddr *)&cli_addr, 1529 sizeof (cli_addr)); 1530 } 1531 /* Blank the key for paranoia's sake. */ 1532 bzero(buffer, buffer_size); 1533 time_critical_enter(); 1534 do { 1535 rc = read(keysock, buffer, buffer_size); 1536 if (rc == -1) 1537 Bail("read (in doaddresses)"); 1538 } while (msgp->sadb_msg_seq != seq || 1539 msgp->sadb_msg_pid != mypid); 1540 time_critical_exit(); 1541 1542 /* 1543 * I should _never_ hit the following unless: 1544 * 1545 * 1. There is a kernel bug. 1546 * 2. Another process is mistakenly using my pid in a PF_KEY 1547 * message. 1548 */ 1549 if (msgp->sadb_msg_type != sadb_msg_type || 1550 msgp->sadb_msg_satype != sadb_msg_satype) { 1551 syslog((LOG_NOTICE|LOG_AUTH), gettext( 1552 "doaddresses: Unexpected returned message " 1553 "(%d exp %d)\n"), msgp->sadb_msg_type, 1554 sadb_msg_type); 1555 Bail("doaddresses: Unexpected returned message"); 1556 } 1557 1558 if (msgp->sadb_msg_errno != 0) { 1559 char addrprint[INET6_ADDRSTRLEN]; 1560 int on_errno = 0; 1561 char *on_errno_msg; 1562 1563 /* 1564 * Print different error messages depending 1565 * on the SADB message type being processed. 1566 * If we get a ESRCH error for a GET/DELETE 1567 * messages, we report that the SA does not 1568 * exist. If we get a EEXIST error for a 1569 * ADD/UPDATE message, we report that the 1570 * SA already exists. 1571 */ 1572 if (sadb_msg_type == SADB_GET || 1573 sadb_msg_type == SADB_DELETE) { 1574 on_errno = ESRCH; 1575 on_errno_msg = "does not exist"; 1576 } else if (sadb_msg_type == SADB_ADD || 1577 sadb_msg_type == SADB_UPDATE) { 1578 on_errno = EEXIST; 1579 on_errno_msg = "already exists"; 1580 } 1581 1582 errno = msgp->sadb_msg_errno; 1583 if (errno == on_errno) { 1584 ERROR2(ep, ebuf, gettext( 1585 "Association (type = %s) " 1586 "with spi 0x%x and addr\n"), 1587 rparsesatype(msgp->sadb_msg_satype), 1588 ntohl(spi)); 1589 ERROR2(ep, ebuf, "%s %s.\n", 1590 do_inet_ntop(dsthp->h_addr_list[i], 1591 addrprint, sizeof (addrprint)), 1592 on_errno_msg); 1593 msgp = (struct sadb_msg *)savebuf; 1594 bcopy(savebuf, buffer, 1595 SADB_64TO8(msgp->sadb_msg_len)); 1596 continue; 1597 } else { 1598 if (errno == EINVAL || errno == ESRCH) { 1599 ERROR2(ep, ebuf, gettext( 1600 "PF_KEY Diagnostic code %u: %s.\n"), 1601 msgp->sadb_x_msg_diagnostic, 1602 keysock_diag( 1603 msgp->sadb_x_msg_diagnostic)); 1604 } else { 1605 Bail("return message (in doaddresses)"); 1606 } 1607 } 1608 } 1609 1610 if (cmd == CMD_GET) { 1611 if (msgp->sadb_msg_len > MAX_GET_SIZE) { 1612 WARN1(ep, ebuf, gettext("WARNING: " 1613 "SA information bigger than %d bytes.\n"), 1614 SADB_64TO8(MAX_GET_SIZE)); 1615 } 1616 print_samsg(stdout, buffer, B_FALSE, vflag, nflag); 1617 } 1618 1619 handle_errors(ep, ebuf, B_TRUE, B_FALSE); 1620 1621 /* ...and then restore the saved buffer. */ 1622 msgp = (struct sadb_msg *)savebuf; 1623 bcopy(savebuf, buffer, SADB_64TO8(msgp->sadb_msg_len)); 1624 lines_added++; 1625 } 1626 1627 /* Degenerate case, h_addr_list[0] == NULL. */ 1628 if (i == 0) 1629 Bail("Empty destination address list"); 1630 1631 /* 1632 * free(ebuf) even if there are no errors. 1633 * handle_errors() won't return here. 1634 */ 1635 handle_errors(ep, ebuf, B_TRUE, B_TRUE); 1636 } 1637 1638 /* 1639 * Perform an add or an update. ADD and UPDATE are similar in the extensions 1640 * they need. 1641 */ 1642 static void 1643 doaddup(int cmd, int satype, char *argv[], char *ebuf) 1644 { 1645 uint64_t *buffer, *nexthdr; 1646 struct sadb_msg msg; 1647 struct sadb_sa *assoc = NULL; 1648 struct sadb_x_pair *sadb_pair = NULL; 1649 struct sadb_address *src = NULL, *dst = NULL; 1650 struct sadb_address *isrc = NULL, *idst = NULL; 1651 struct sadb_address *natt_local = NULL, *natt_remote = NULL; 1652 struct sadb_key *encrypt = NULL, *auth = NULL; 1653 struct sadb_ident *srcid = NULL, *dstid = NULL; 1654 struct sadb_lifetime *hard = NULL, *soft = NULL; /* Current? */ 1655 struct sadb_lifetime *idle = NULL; 1656 struct sadb_x_replay_ctr *replay_ctr = NULL; 1657 struct sadb_sens *label = NULL, *olabel = NULL; 1658 struct sockaddr_in6 *sin6; 1659 /* MLS TODO: Need sensitivity eventually. */ 1660 int next, token, sa_len, alloclen, totallen = sizeof (msg), prefix; 1661 uint32_t spi = 0; 1662 uint_t reserved_bits = 0; 1663 uint8_t sadb_msg_type; 1664 char *thiscmd, *pstr; 1665 boolean_t readstate = B_FALSE, unspec_src = B_FALSE; 1666 boolean_t alloc_inner = B_FALSE, use_natt = B_FALSE; 1667 struct hostent *srchp = NULL, *dsthp = NULL, *isrchp = NULL, 1668 *idsthp = NULL; 1669 struct hostent *natt_lhp = NULL, *natt_rhp = NULL; 1670 uint16_t srcport = 0, dstport = 0, natt_lport = 0, natt_rport = 0, 1671 isrcport = 0, idstport = 0; 1672 uint8_t proto = 0, iproto = 0; 1673 char *ep = NULL; 1674 1675 switch (cmd) { 1676 case CMD_ADD: 1677 thiscmd = "add"; 1678 sadb_msg_type = SADB_ADD; 1679 break; 1680 case CMD_UPDATE: 1681 thiscmd = "update"; 1682 sadb_msg_type = SADB_UPDATE; 1683 break; 1684 case CMD_UPDATE_PAIR: 1685 thiscmd = "update-pair"; 1686 sadb_msg_type = SADB_X_UPDATEPAIR; 1687 break; 1688 } 1689 1690 msg_init(&msg, sadb_msg_type, (uint8_t)satype); 1691 /* Assume last element in argv is set to NULL. */ 1692 do { 1693 token = parseextval(*argv, &next); 1694 argv++; 1695 switch (token) { 1696 case TOK_EOF: 1697 /* Do nothing, I'm done. */ 1698 break; 1699 case TOK_UNKNOWN: 1700 ERROR1(ep, ebuf, gettext( 1701 "Unknown extension field \"%s\" \n"), *(argv - 1)); 1702 break; 1703 case TOK_SPI: 1704 case TOK_PAIR_SPI: 1705 case TOK_REPLAY: 1706 case TOK_STATE: 1707 case TOK_AUTHALG: 1708 case TOK_ENCRALG: 1709 case TOK_ENCAP: 1710 /* 1711 * May want to place this chunk of code in a function. 1712 * 1713 * This code checks for duplicate entries on a command 1714 * line. 1715 */ 1716 1717 /* Allocate the SADB_EXT_SA extension. */ 1718 if (assoc == NULL) { 1719 assoc = malloc(sizeof (*assoc)); 1720 if (assoc == NULL) 1721 Bail("malloc(assoc)"); 1722 bzero(assoc, sizeof (*assoc)); 1723 assoc->sadb_sa_exttype = SADB_EXT_SA; 1724 assoc->sadb_sa_len = 1725 SADB_8TO64(sizeof (*assoc)); 1726 totallen += sizeof (*assoc); 1727 } 1728 switch (token) { 1729 case TOK_SPI: 1730 /* 1731 * If they type in "spi 0" then they 1732 * can type in another SPI. 1733 */ 1734 if (assoc->sadb_sa_spi != 0) { 1735 ERROR(ep, ebuf, gettext( 1736 "Can only specify " 1737 "single SPI value.\n")); 1738 break; 1739 } 1740 /* Must convert SPI to network order! */ 1741 assoc->sadb_sa_spi = 1742 htonl((uint32_t)parsenum(*argv, B_TRUE, 1743 ebuf)); 1744 if (assoc->sadb_sa_spi == 0) { 1745 ERROR(ep, ebuf, gettext( 1746 "Invalid SPI value \"0\" .\n")); 1747 } 1748 break; 1749 case TOK_PAIR_SPI: 1750 if (cmd == CMD_UPDATE_PAIR) { 1751 ERROR(ep, ebuf, gettext( 1752 "pair-spi can not be used with the " 1753 "\"update-pair\" command.\n")); 1754 } 1755 if (sadb_pair == NULL) { 1756 sadb_pair = malloc(sizeof (*sadb_pair)); 1757 if (assoc == NULL) 1758 Bail("malloc(assoc)"); 1759 bzero(sadb_pair, sizeof (*sadb_pair)); 1760 totallen += sizeof (*sadb_pair); 1761 } 1762 if (sadb_pair->sadb_x_pair_spi != 0) { 1763 ERROR(ep, ebuf, gettext( 1764 "Can only specify " 1765 "single pair SPI value.\n")); 1766 break; 1767 } 1768 /* Must convert SPI to network order! */ 1769 sadb_pair->sadb_x_pair_len = 1770 SADB_8TO64(sizeof (*sadb_pair)); 1771 sadb_pair->sadb_x_pair_exttype = 1772 SADB_X_EXT_PAIR; 1773 sadb_pair->sadb_x_pair_spi = 1774 htonl((uint32_t)parsenum(*argv, B_TRUE, 1775 ebuf)); 1776 if (sadb_pair->sadb_x_pair_spi == 0) { 1777 ERROR(ep, ebuf, gettext( 1778 "Invalid SPI value \"0\" .\n")); 1779 } 1780 assoc->sadb_sa_flags |= 1781 SADB_X_SAFLAGS_PAIRED; 1782 break; 1783 case TOK_REPLAY: 1784 /* 1785 * That same cretin can do the same with 1786 * replay. 1787 */ 1788 if (assoc->sadb_sa_replay != 0) { 1789 ERROR(ep, ebuf, gettext( 1790 "Can only specify " 1791 "single replay window size.\n")); 1792 break; 1793 } 1794 assoc->sadb_sa_replay = 1795 (uint8_t)parsenum(*argv, B_TRUE, ebuf); 1796 if (assoc->sadb_sa_replay != 0) { 1797 WARN(ep, ebuf, gettext( 1798 "WARNING: Replay with manual" 1799 " keying considered harmful.\n")); 1800 } 1801 break; 1802 case TOK_STATE: 1803 /* 1804 * 0 is an actual state value, LARVAL. This 1805 * means that one can type in the larval state 1806 * and then type in another state on the same 1807 * command line. 1808 */ 1809 if (assoc->sadb_sa_state != 0) { 1810 ERROR(ep, ebuf, gettext( 1811 "Can only specify " 1812 "single SA state.\n")); 1813 break; 1814 } 1815 assoc->sadb_sa_state = parsestate(*argv, 1816 ebuf); 1817 readstate = B_TRUE; 1818 break; 1819 case TOK_AUTHALG: 1820 if (assoc->sadb_sa_auth != 0) { 1821 ERROR(ep, ebuf, gettext( 1822 "Can only specify " 1823 "single auth algorithm.\n")); 1824 break; 1825 } 1826 assoc->sadb_sa_auth = parsealg(*argv, 1827 IPSEC_PROTO_AH, ebuf); 1828 break; 1829 case TOK_ENCRALG: 1830 if (satype == SADB_SATYPE_AH) { 1831 ERROR(ep, ebuf, gettext("Cannot specify" 1832 " encryption with SA type ah.\n")); 1833 break; 1834 } 1835 if (assoc->sadb_sa_encrypt != 0) { 1836 ERROR(ep, ebuf, gettext( 1837 "Can only specify " 1838 "single encryption algorithm.\n")); 1839 break; 1840 } 1841 assoc->sadb_sa_encrypt = parsealg(*argv, 1842 IPSEC_PROTO_ESP, ebuf); 1843 break; 1844 case TOK_ENCAP: 1845 if (use_natt) { 1846 ERROR(ep, ebuf, gettext( 1847 "Can only specify single" 1848 " encapsulation.\n")); 1849 break; 1850 } 1851 if (strncmp(*argv, "udp", 3)) { 1852 ERROR(ep, ebuf, gettext( 1853 "Can only specify udp" 1854 " encapsulation.\n")); 1855 break; 1856 } 1857 use_natt = B_TRUE; 1858 /* set assoc flags later */ 1859 break; 1860 } 1861 argv++; 1862 break; 1863 case TOK_SRCPORT: 1864 if (srcport != 0) { 1865 ERROR(ep, ebuf, gettext("Can only specify " 1866 "single source port.\n")); 1867 break; 1868 } 1869 srcport = parsenum(*argv, B_TRUE, ebuf); 1870 argv++; 1871 break; 1872 case TOK_DSTPORT: 1873 if (dstport != 0) { 1874 ERROR(ep, ebuf, gettext("Can only specify " 1875 "single destination port.\n")); 1876 break; 1877 } 1878 dstport = parsenum(*argv, B_TRUE, ebuf); 1879 argv++; 1880 break; 1881 case TOK_ISRCPORT: 1882 alloc_inner = B_TRUE; 1883 if (isrcport != 0) { 1884 ERROR(ep, ebuf, gettext( 1885 "Can only specify " 1886 "single inner-source port.\n")); 1887 break; 1888 } 1889 isrcport = parsenum(*argv, B_TRUE, ebuf); 1890 argv++; 1891 break; 1892 case TOK_IDSTPORT: 1893 alloc_inner = B_TRUE; 1894 if (idstport != 0) { 1895 ERROR(ep, ebuf, gettext( 1896 "Can only specify " 1897 "single inner-destination port.\n")); 1898 break; 1899 } 1900 idstport = parsenum(*argv, B_TRUE, ebuf); 1901 argv++; 1902 break; 1903 case TOK_NATLPORT: 1904 if (natt_lport != 0) { 1905 ERROR(ep, ebuf, gettext( 1906 "Can only specify " 1907 "single NAT-T local port.\n")); 1908 break; 1909 } 1910 natt_lport = parsenum(*argv, B_TRUE, ebuf); 1911 argv++; 1912 break; 1913 case TOK_NATRPORT: 1914 if (natt_rport != 0) { 1915 ERROR(ep, ebuf, gettext( 1916 "Can only specify " 1917 "single NAT-T remote port.\n")); 1918 break; 1919 } 1920 natt_rport = parsenum(*argv, B_TRUE, ebuf); 1921 argv++; 1922 break; 1923 1924 case TOK_PROTO: 1925 if (proto != 0) { 1926 ERROR(ep, ebuf, gettext( 1927 "Can only specify " 1928 "single protocol.\n")); 1929 break; 1930 } 1931 proto = parsenum(*argv, B_TRUE, ebuf); 1932 argv++; 1933 break; 1934 case TOK_IPROTO: 1935 alloc_inner = B_TRUE; 1936 if (iproto != 0) { 1937 ERROR(ep, ebuf, gettext( 1938 "Can only specify " 1939 "single inner protocol.\n")); 1940 break; 1941 } 1942 iproto = parsenum(*argv, B_TRUE, ebuf); 1943 argv++; 1944 break; 1945 case TOK_SRCADDR: 1946 case TOK_SRCADDR6: 1947 if (src != NULL) { 1948 ERROR(ep, ebuf, gettext( 1949 "Can only specify " 1950 "single source address.\n")); 1951 break; 1952 } 1953 sa_len = parseaddr(*argv, &srchp, 1954 (token == TOK_SRCADDR6), ebuf); 1955 if (srchp == NULL) { 1956 ERROR1(ep, ebuf, gettext( 1957 "Unknown src address \"%s\"\n"), *argv); 1958 break; 1959 } 1960 argv++; 1961 /* 1962 * Round of the sockaddr length to an 8 byte 1963 * boundary to make PF_KEY happy. 1964 */ 1965 alloclen = sizeof (*src) + roundup(sa_len, 8); 1966 src = malloc(alloclen); 1967 if (src == NULL) 1968 Bail("malloc(src)"); 1969 totallen += alloclen; 1970 src->sadb_address_len = SADB_8TO64(alloclen); 1971 src->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 1972 src->sadb_address_reserved = 0; 1973 src->sadb_address_prefixlen = 0; 1974 src->sadb_address_proto = 0; 1975 if (srchp == &dummy.he) { 1976 /* 1977 * Single address with -n flag. 1978 */ 1979 sin6 = (struct sockaddr_in6 *)(src + 1); 1980 bzero(sin6, sizeof (*sin6)); 1981 sin6->sin6_family = AF_INET6; 1982 bcopy(srchp->h_addr_list[0], &sin6->sin6_addr, 1983 sizeof (struct in6_addr)); 1984 } 1985 break; 1986 case TOK_DSTADDR: 1987 case TOK_DSTADDR6: 1988 if (dst != NULL) { 1989 ERROR(ep, ebuf, gettext( 1990 "Can only specify single " 1991 "destination address.\n")); 1992 break; 1993 } 1994 sa_len = parseaddr(*argv, &dsthp, 1995 (token == TOK_DSTADDR6), ebuf); 1996 if (dsthp == NULL) { 1997 ERROR1(ep, ebuf, gettext( 1998 "Unknown dst address \"%s\"\n"), *argv); 1999 break; 2000 } 2001 argv++; 2002 alloclen = sizeof (*dst) + roundup(sa_len, 8); 2003 dst = malloc(alloclen); 2004 if (dst == NULL) 2005 Bail("malloc(dst)"); 2006 totallen += alloclen; 2007 dst->sadb_address_len = SADB_8TO64(alloclen); 2008 dst->sadb_address_exttype = SADB_EXT_ADDRESS_DST; 2009 dst->sadb_address_reserved = 0; 2010 dst->sadb_address_prefixlen = 0; 2011 dst->sadb_address_proto = 0; 2012 if (dsthp == &dummy.he) { 2013 /* 2014 * Single address with -n flag. 2015 */ 2016 sin6 = (struct sockaddr_in6 *)(dst + 1); 2017 bzero(sin6, sizeof (*sin6)); 2018 sin6->sin6_family = AF_INET6; 2019 bcopy(dsthp->h_addr_list[0], &sin6->sin6_addr, 2020 sizeof (struct in6_addr)); 2021 } 2022 break; 2023 case TOK_PROXYADDR: 2024 case TOK_PROXYADDR6: 2025 if (isrc != NULL) { 2026 ERROR(ep, ebuf, gettext( 2027 "Can only specify single " 2028 "proxy/inner-source address.\n")); 2029 break; 2030 } 2031 if ((pstr = strchr(*argv, '/')) != NULL) { 2032 /* Parse out the prefix. */ 2033 errno = 0; 2034 prefix = strtol(pstr + 1, NULL, 10); 2035 if (errno != 0) { 2036 ERROR1(ep, ebuf, gettext( 2037 "Invalid prefix %s."), pstr); 2038 break; 2039 } 2040 /* Recycle pstr */ 2041 alloclen = (int)(pstr - *argv); 2042 pstr = malloc(alloclen + 1); 2043 if (pstr == NULL) { 2044 Bail("malloc(pstr)"); 2045 } 2046 (void) strlcpy(pstr, *argv, alloclen + 1); 2047 } else { 2048 pstr = *argv; 2049 /* 2050 * Assume mapping to AF_INET6, and we're a host. 2051 * XXX some miscreants may still make classful 2052 * assumptions. If this is a problem, fix it 2053 * here. 2054 */ 2055 prefix = 128; 2056 } 2057 sa_len = parseaddr(pstr, &isrchp, 2058 (token == TOK_PROXYADDR6), ebuf); 2059 if (isrchp == NULL) { 2060 ERROR1(ep, ebuf, gettext( 2061 "Unknown proxy/inner-source address " 2062 "\"%s\"\n"), *argv); 2063 break; 2064 } 2065 if (pstr != *argv) 2066 free(pstr); 2067 argv++; 2068 alloclen = sizeof (*isrc) + roundup(sa_len, 8); 2069 isrc = malloc(alloclen); 2070 if (isrc == NULL) 2071 Bail("malloc(isrc)"); 2072 totallen += alloclen; 2073 isrc->sadb_address_len = SADB_8TO64(alloclen); 2074 isrc->sadb_address_exttype = SADB_EXT_ADDRESS_PROXY; 2075 isrc->sadb_address_reserved = 0; 2076 isrc->sadb_address_prefixlen = prefix; 2077 isrc->sadb_address_proto = 0; 2078 if (isrchp == &dummy.he || 2079 isrchp->h_addr_list[1] == NULL) { 2080 /* 2081 * Single address with -n flag or single name. 2082 */ 2083 sin6 = (struct sockaddr_in6 *)(isrc + 1); 2084 bzero(sin6, sizeof (*sin6)); 2085 sin6->sin6_family = AF_INET6; 2086 bcopy(isrchp->h_addr_list[0], &sin6->sin6_addr, 2087 sizeof (struct in6_addr)); 2088 /* 2089 * normalize prefixlen for IPv4-mapped 2090 * addresses. 2091 */ 2092 if (prefix <= 32 && 2093 IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) 2094 isrc->sadb_address_prefixlen += 96; 2095 alloc_inner = B_TRUE; 2096 } else { 2097 /* 2098 * If the proxy/isrc address is vague, don't 2099 * bother. 2100 */ 2101 totallen -= alloclen; 2102 free(isrc); 2103 isrc = NULL; 2104 WARN1(ep, ebuf, gettext( 2105 "Proxy/inner-source address %s " 2106 "is vague, not using.\n"), isrchp->h_name); 2107 freehostent(isrchp); 2108 isrchp = NULL; 2109 break; 2110 } 2111 break; 2112 case TOK_IDSTADDR: 2113 case TOK_IDSTADDR6: 2114 if (idst != NULL) { 2115 ERROR(ep, ebuf, gettext( 2116 "Can only specify single " 2117 "inner-destination address.\n")); 2118 break; 2119 } 2120 if ((pstr = strchr(*argv, '/')) != NULL) { 2121 /* Parse out the prefix. */ 2122 errno = 0; 2123 prefix = strtol(pstr + 1, NULL, 10); 2124 if (errno != 0) { 2125 ERROR1(ep, ebuf, gettext( 2126 "Invalid prefix %s.\n"), pstr); 2127 break; 2128 } 2129 /* Recycle pstr */ 2130 alloclen = (int)(pstr - *argv); 2131 pstr = malloc(alloclen + 1); 2132 if (pstr == NULL) { 2133 Bail("malloc(pstr)"); 2134 } 2135 (void) strlcpy(pstr, *argv, alloclen + 1); 2136 } else { 2137 pstr = *argv; 2138 /* 2139 * Assume mapping to AF_INET6, and we're a host. 2140 * XXX some miscreants may still make classful 2141 * assumptions. If this is a problem, fix it 2142 * here. 2143 */ 2144 prefix = 128; 2145 } 2146 sa_len = parseaddr(pstr, &idsthp, 2147 (token == TOK_IDSTADDR6), ebuf); 2148 if (idsthp == NULL) { 2149 ERROR1(ep, ebuf, gettext( 2150 "Unknown Inner Src address " 2151 " \"%s\"\n"), *argv); 2152 break; 2153 } 2154 if (pstr != *argv) 2155 free(pstr); 2156 argv++; 2157 alloclen = sizeof (*idst) + roundup(sa_len, 8); 2158 idst = malloc(alloclen); 2159 if (idst == NULL) 2160 Bail("malloc(idst)"); 2161 totallen += alloclen; 2162 idst->sadb_address_len = SADB_8TO64(alloclen); 2163 idst->sadb_address_exttype = 2164 SADB_X_EXT_ADDRESS_INNER_DST; 2165 idst->sadb_address_reserved = 0; 2166 idst->sadb_address_prefixlen = prefix; 2167 idst->sadb_address_proto = 0; 2168 if (idsthp == &dummy.he || 2169 idsthp->h_addr_list[1] == NULL) { 2170 /* 2171 * Single address with -n flag or single name. 2172 */ 2173 sin6 = (struct sockaddr_in6 *)(idst + 1); 2174 bzero(sin6, sizeof (*sin6)); 2175 sin6->sin6_family = AF_INET6; 2176 bcopy(idsthp->h_addr_list[0], &sin6->sin6_addr, 2177 sizeof (struct in6_addr)); 2178 /* 2179 * normalize prefixlen for IPv4-mapped 2180 * addresses. 2181 */ 2182 if (prefix <= 32 && 2183 IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) 2184 idst->sadb_address_prefixlen += 96; 2185 alloc_inner = B_TRUE; 2186 } else { 2187 /* 2188 * If the idst address is vague, don't bother. 2189 */ 2190 totallen -= alloclen; 2191 free(idst); 2192 idst = NULL; 2193 WARN1(ep, ebuf, gettext( 2194 "Inner destination address %s " 2195 "is vague, not using.\n"), idsthp->h_name); 2196 freehostent(idsthp); 2197 idsthp = NULL; 2198 break; 2199 } 2200 break; 2201 case TOK_NATLOC: 2202 if (natt_local != NULL) { 2203 ERROR(ep, ebuf, gettext( 2204 "Can only specify " 2205 "single NAT-T local address.\n")); 2206 break; 2207 } 2208 sa_len = parseaddr(*argv, &natt_lhp, 0, ebuf); 2209 if (natt_lhp == NULL) { 2210 ERROR1(ep, ebuf, gettext( 2211 "Unknown NAT-T local address \"%s\"\n"), 2212 *argv); 2213 break; 2214 } 2215 argv++; 2216 /* 2217 * Round of the sockaddr length to an 8 byte 2218 * boundary to make PF_KEY happy. 2219 */ 2220 alloclen = sizeof (*natt_local) + roundup(sa_len, 8); 2221 natt_local = malloc(alloclen); 2222 if (natt_local == NULL) 2223 Bail("malloc(natt_local)"); 2224 totallen += alloclen; 2225 natt_local->sadb_address_len = SADB_8TO64(alloclen); 2226 natt_local->sadb_address_exttype = 2227 SADB_X_EXT_ADDRESS_NATT_LOC; 2228 natt_local->sadb_address_reserved = 0; 2229 natt_local->sadb_address_prefixlen = 0; 2230 natt_local->sadb_address_proto = 0; 2231 if (natt_lhp == &dummy.he || 2232 natt_lhp->h_addr_list[1] == NULL) { 2233 /* 2234 * Single address with -n flag or single name. 2235 */ 2236 sin6 = (struct sockaddr_in6 *)(natt_local + 1); 2237 bzero(sin6, sizeof (*sin6)); 2238 sin6->sin6_family = AF_INET6; 2239 bcopy(natt_lhp->h_addr_list[0], 2240 &sin6->sin6_addr, sizeof (struct in6_addr)); 2241 } else { 2242 /* 2243 * If the nat-local address is vague, don't 2244 * bother. 2245 */ 2246 totallen -= alloclen; 2247 free(natt_local); 2248 natt_local = NULL; 2249 WARN1(ep, ebuf, gettext( 2250 "NAT-T local address %s " 2251 "is vague, not using.\n"), 2252 natt_lhp->h_name); 2253 freehostent(natt_lhp); 2254 natt_lhp = NULL; 2255 break; 2256 } 2257 break; 2258 case TOK_NATREM: 2259 if (natt_remote != NULL) { 2260 ERROR(ep, ebuf, gettext( 2261 "Can only specify " 2262 "single NAT-T remote address.\n")); 2263 break; 2264 } 2265 sa_len = parseaddr(*argv, &natt_rhp, 0, ebuf); 2266 if (natt_rhp == NULL) { 2267 ERROR1(ep, ebuf, gettext( 2268 "Unknown NAT-T remote address \"%s\"\n"), 2269 *argv); 2270 break; 2271 } 2272 argv++; 2273 /* 2274 * Round of the sockaddr length to an 8 byte 2275 * boundary to make PF_KEY happy. 2276 */ 2277 alloclen = sizeof (*natt_remote) + roundup(sa_len, 8); 2278 natt_remote = malloc(alloclen); 2279 if (natt_remote == NULL) 2280 Bail("malloc(natt_remote)"); 2281 totallen += alloclen; 2282 natt_remote->sadb_address_len = SADB_8TO64(alloclen); 2283 natt_remote->sadb_address_exttype = 2284 SADB_X_EXT_ADDRESS_NATT_REM; 2285 natt_remote->sadb_address_reserved = 0; 2286 natt_remote->sadb_address_prefixlen = 0; 2287 natt_remote->sadb_address_proto = 0; 2288 if (natt_rhp == &dummy.he || 2289 natt_rhp->h_addr_list[1] == NULL) { 2290 /* 2291 * Single address with -n flag or single name. 2292 */ 2293 sin6 = (struct sockaddr_in6 *)(natt_remote + 1); 2294 bzero(sin6, sizeof (*sin6)); 2295 sin6->sin6_family = AF_INET6; 2296 bcopy(natt_rhp->h_addr_list[0], 2297 &sin6->sin6_addr, sizeof (struct in6_addr)); 2298 } else { 2299 /* 2300 * If the nat-renote address is vague, don't 2301 * bother. 2302 */ 2303 totallen -= alloclen; 2304 free(natt_remote); 2305 natt_remote = NULL; 2306 WARN1(ep, ebuf, gettext( 2307 "NAT-T remote address %s " 2308 "is vague, not using.\n"), 2309 natt_rhp->h_name); 2310 freehostent(natt_rhp); 2311 natt_rhp = NULL; 2312 break; 2313 } 2314 break; 2315 case TOK_ENCRKEY: 2316 if (encrypt != NULL) { 2317 ERROR(ep, ebuf, gettext( 2318 "Can only specify " 2319 "single encryption key.\n")); 2320 break; 2321 } 2322 if (assoc != NULL && 2323 assoc->sadb_sa_encrypt == SADB_EALG_NULL) { 2324 FATAL(ep, ebuf, gettext( 2325 "Cannot specify a key with NULL " 2326 "encryption algorithm.\n")); 2327 break; 2328 } 2329 encrypt = parsekey(*argv, ebuf, reserved_bits); 2330 argv++; 2331 if (encrypt == NULL) { 2332 ERROR(ep, ebuf, gettext( 2333 "Invalid encryption key.\n")); 2334 break; 2335 } 2336 totallen += SADB_64TO8(encrypt->sadb_key_len); 2337 encrypt->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 2338 break; 2339 case TOK_AUTHKEY: 2340 if (auth != NULL) { 2341 ERROR(ep, ebuf, gettext( 2342 "Can only specify single" 2343 " authentication key.\n")); 2344 break; 2345 } 2346 auth = parsekey(*argv, ebuf, 0); 2347 argv++; 2348 if (auth == NULL) { 2349 ERROR(ep, ebuf, gettext( 2350 "Invalid authentication key.\n")); 2351 break; 2352 } 2353 totallen += SADB_64TO8(auth->sadb_key_len); 2354 auth->sadb_key_exttype = SADB_EXT_KEY_AUTH; 2355 break; 2356 case TOK_SRCIDTYPE: 2357 if (*argv == NULL || *(argv + 1) == NULL) { 2358 FATAL(ep, ebuf, gettext( 2359 "Unexpected end of command " 2360 "line - Expecting Src Type.\n")); 2361 /* NOTREACHED */ 2362 break; 2363 } 2364 if (srcid != NULL) { 2365 ERROR(ep, ebuf, gettext( 2366 "Can only specify single" 2367 " source certificate identity.\n")); 2368 break; 2369 } 2370 alloclen = sizeof (*srcid) + 2371 roundup(strlen(*(argv + 1)) + 1, 8); 2372 srcid = malloc(alloclen); 2373 if (srcid == NULL) 2374 Bail("malloc(srcid)"); 2375 totallen += alloclen; 2376 srcid->sadb_ident_type = parseidtype(*argv, ebuf); 2377 argv++; 2378 srcid->sadb_ident_len = SADB_8TO64(alloclen); 2379 srcid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 2380 srcid->sadb_ident_reserved = 0; 2381 srcid->sadb_ident_id = 0; /* Not useful here. */ 2382 (void) strlcpy((char *)(srcid + 1), *argv, alloclen); 2383 argv++; 2384 break; 2385 case TOK_DSTIDTYPE: 2386 if (*argv == NULL || *(argv + 1) == NULL) { 2387 ERROR(ep, ebuf, gettext( 2388 "Unexpected end of command" 2389 " line - expecting dst type.\n")); 2390 break; 2391 } 2392 if (dstid != NULL) { 2393 ERROR(ep, ebuf, gettext( 2394 "Can only specify single destination " 2395 "certificate identity.\n")); 2396 break; 2397 } 2398 alloclen = sizeof (*dstid) + 2399 roundup(strlen(*(argv + 1)) + 1, 8); 2400 dstid = malloc(alloclen); 2401 if (dstid == NULL) 2402 Bail("malloc(dstid)"); 2403 totallen += alloclen; 2404 dstid->sadb_ident_type = parseidtype(*argv, ebuf); 2405 argv++; 2406 dstid->sadb_ident_len = SADB_8TO64(alloclen); 2407 dstid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 2408 dstid->sadb_ident_reserved = 0; 2409 dstid->sadb_ident_id = 0; /* Not useful here. */ 2410 (void) strlcpy((char *)(dstid + 1), *argv, alloclen); 2411 argv++; 2412 break; 2413 case TOK_HARD_ALLOC: 2414 case TOK_HARD_BYTES: 2415 case TOK_HARD_ADDTIME: 2416 case TOK_HARD_USETIME: 2417 if (hard == NULL) { 2418 hard = malloc(sizeof (*hard)); 2419 if (hard == NULL) 2420 Bail("malloc(hard_lifetime)"); 2421 bzero(hard, sizeof (*hard)); 2422 hard->sadb_lifetime_exttype = 2423 SADB_EXT_LIFETIME_HARD; 2424 hard->sadb_lifetime_len = 2425 SADB_8TO64(sizeof (*hard)); 2426 totallen += sizeof (*hard); 2427 } 2428 switch (token) { 2429 case TOK_HARD_ALLOC: 2430 if (hard->sadb_lifetime_allocations != 0) { 2431 ERROR(ep, ebuf, gettext( 2432 "Can only specify single" 2433 " hard allocation limit.\n")); 2434 break; 2435 } 2436 hard->sadb_lifetime_allocations = 2437 (uint32_t)parsenum(*argv, B_TRUE, ebuf); 2438 break; 2439 case TOK_HARD_BYTES: 2440 if (hard->sadb_lifetime_bytes != 0) { 2441 ERROR(ep, ebuf, gettext( 2442 "Can only specify " 2443 "single hard byte limit.\n")); 2444 break; 2445 } 2446 hard->sadb_lifetime_bytes = parsenum(*argv, 2447 B_TRUE, ebuf); 2448 break; 2449 case TOK_HARD_ADDTIME: 2450 if (hard->sadb_lifetime_addtime != 0) { 2451 ERROR(ep, ebuf, gettext( 2452 "Can only specify " 2453 "single past-add lifetime.\n")); 2454 break; 2455 } 2456 hard->sadb_lifetime_addtime = parsenum(*argv, 2457 B_TRUE, ebuf); 2458 break; 2459 case TOK_HARD_USETIME: 2460 if (hard->sadb_lifetime_usetime != 0) { 2461 ERROR(ep, ebuf, gettext( 2462 "Can only specify " 2463 "single past-use lifetime.\n")); 2464 break; 2465 } 2466 hard->sadb_lifetime_usetime = parsenum(*argv, 2467 B_TRUE, ebuf); 2468 break; 2469 } 2470 argv++; 2471 break; 2472 case TOK_SOFT_ALLOC: 2473 case TOK_SOFT_BYTES: 2474 case TOK_SOFT_ADDTIME: 2475 case TOK_SOFT_USETIME: 2476 if (soft == NULL) { 2477 soft = malloc(sizeof (*soft)); 2478 if (soft == NULL) 2479 Bail("malloc(soft_lifetime)"); 2480 bzero(soft, sizeof (*soft)); 2481 soft->sadb_lifetime_exttype = 2482 SADB_EXT_LIFETIME_SOFT; 2483 soft->sadb_lifetime_len = 2484 SADB_8TO64(sizeof (*soft)); 2485 totallen += sizeof (*soft); 2486 } 2487 switch (token) { 2488 case TOK_SOFT_ALLOC: 2489 if (soft->sadb_lifetime_allocations != 0) { 2490 ERROR(ep, ebuf, gettext( 2491 "Can only specify single" 2492 " soft allocation limit.\n")); 2493 break; 2494 } 2495 soft->sadb_lifetime_allocations = 2496 (uint32_t)parsenum(*argv, B_TRUE, ebuf); 2497 break; 2498 case TOK_SOFT_BYTES: 2499 if (soft->sadb_lifetime_bytes != 0) { 2500 ERROR(ep, ebuf, gettext( 2501 "Can only specify single" 2502 " soft byte limit.\n")); 2503 break; 2504 } 2505 soft->sadb_lifetime_bytes = parsenum(*argv, 2506 B_TRUE, ebuf); 2507 break; 2508 case TOK_SOFT_ADDTIME: 2509 if (soft->sadb_lifetime_addtime != 0) { 2510 ERROR(ep, ebuf, gettext( 2511 "Can only specify single" 2512 " past-add lifetime.\n")); 2513 break; 2514 } 2515 soft->sadb_lifetime_addtime = parsenum(*argv, 2516 B_TRUE, ebuf); 2517 break; 2518 case TOK_SOFT_USETIME: 2519 if (soft->sadb_lifetime_usetime != 0) { 2520 ERROR(ep, ebuf, gettext( 2521 "Can only specify single" 2522 " past-use lifetime.\n")); 2523 break; 2524 } 2525 soft->sadb_lifetime_usetime = parsenum(*argv, 2526 B_TRUE, ebuf); 2527 break; 2528 } 2529 argv++; 2530 break; 2531 case TOK_FLAG_INBOUND: 2532 assoc->sadb_sa_flags |= SADB_X_SAFLAGS_INBOUND; 2533 break; 2534 case TOK_FLAG_OUTBOUND: 2535 assoc->sadb_sa_flags |= SADB_X_SAFLAGS_OUTBOUND; 2536 break; 2537 case TOK_REPLAY_VALUE: 2538 if (replay_ctr != NULL) { 2539 ERROR(ep, ebuf, gettext( 2540 "Can only specify single " 2541 "replay value.")); 2542 break; 2543 } 2544 replay_ctr = calloc(1, sizeof (*replay_ctr)); 2545 if (replay_ctr == NULL) { 2546 Bail("malloc(replay value)"); 2547 } 2548 /* 2549 * We currently do not support a 64-bit 2550 * replay value. RFC 4301 will require one, 2551 * however, and we have a field in place when 2552 * 4301 is built. 2553 */ 2554 replay_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE; 2555 replay_ctr->sadb_x_rc_len = 2556 SADB_8TO64(sizeof (*replay_ctr)); 2557 totallen += sizeof (*replay_ctr); 2558 replay_ctr->sadb_x_rc_replay32 = (uint32_t)parsenum( 2559 *argv, B_TRUE, ebuf); 2560 argv++; 2561 break; 2562 case TOK_IDLE_ADDTIME: 2563 case TOK_IDLE_USETIME: 2564 if (idle == NULL) { 2565 idle = calloc(1, sizeof (*idle)); 2566 if (idle == NULL) { 2567 Bail("malloc idle lifetime"); 2568 } 2569 idle->sadb_lifetime_exttype = 2570 SADB_X_EXT_LIFETIME_IDLE; 2571 idle->sadb_lifetime_len = 2572 SADB_8TO64(sizeof (*idle)); 2573 totallen += sizeof (*idle); 2574 } 2575 switch (token) { 2576 case TOK_IDLE_ADDTIME: 2577 idle->sadb_lifetime_addtime = 2578 (uint32_t)parsenum(*argv, 2579 B_TRUE, ebuf); 2580 break; 2581 case TOK_IDLE_USETIME: 2582 idle->sadb_lifetime_usetime = 2583 (uint32_t)parsenum(*argv, 2584 B_TRUE, ebuf); 2585 break; 2586 } 2587 argv++; 2588 break; 2589 case TOK_RESERVED: 2590 if (encrypt != NULL) 2591 ERROR(ep, ebuf, gettext( 2592 "Reserved bits need to be " 2593 "specified before key.\n")); 2594 reserved_bits = (uint_t)parsenum(*argv, 2595 B_TRUE, ebuf); 2596 argv++; 2597 break; 2598 case TOK_LABEL: 2599 label = parselabel(token, *argv); 2600 argv++; 2601 if (label == NULL) { 2602 ERROR(ep, ebuf, 2603 gettext("Malformed security label\n")); 2604 break; 2605 } else if (label == PARSELABEL_BAD_TOKEN) { 2606 Bail("Internal token value error"); 2607 } 2608 totallen += SADB_64TO8(label->sadb_sens_len); 2609 break; 2610 2611 case TOK_OLABEL: 2612 case TOK_IMPLABEL: 2613 olabel = parselabel(token, *argv); 2614 argv++; 2615 if (label == NULL) { 2616 ERROR(ep, ebuf, 2617 gettext("Malformed security label\n")); 2618 break; 2619 } else if (label == PARSELABEL_BAD_TOKEN) { 2620 Bail("Internal token value error"); 2621 } 2622 totallen += SADB_64TO8(olabel->sadb_sens_len); 2623 break; 2624 default: 2625 ERROR1(ep, ebuf, gettext( 2626 "Don't use extension %s for add/update.\n"), 2627 *(argv - 1)); 2628 break; 2629 } 2630 } while (token != TOK_EOF); 2631 2632 handle_errors(ep, ebuf, B_TRUE, B_FALSE); 2633 2634 #define PORT_ONLY_ALLOCATE(af, socktype, exttype, extvar, port) { \ 2635 alloclen = sizeof (sadb_address_t) + roundup(sizeof (socktype), 8); \ 2636 (extvar) = calloc(1, alloclen); \ 2637 if ((extvar) == NULL) { \ 2638 Bail("malloc(implicit port)"); \ 2639 } \ 2640 totallen += alloclen; \ 2641 (extvar)->sadb_address_len = SADB_8TO64(alloclen); \ 2642 (extvar)->sadb_address_exttype = (exttype); \ 2643 /* sin/sin6 has equivalent offsets for ports! */ \ 2644 sin6 = (struct sockaddr_in6 *)((extvar) + 1); \ 2645 sin6->sin6_family = (af); \ 2646 sin6->sin6_port = (port); \ 2647 } 2648 2649 /* 2650 * If we specify inner ports or NAT ports w/o addresses, we still need 2651 * to allocate. Also, if we have one inner address, we need the 2652 * other, even if we don't specify anything. 2653 */ 2654 if (use_natt) { 2655 if (natt_lport != 0 && natt_local == NULL) { 2656 PORT_ONLY_ALLOCATE(AF_INET, struct sockaddr_in, 2657 SADB_X_EXT_ADDRESS_NATT_LOC, natt_local, 2658 natt_lport); 2659 } 2660 2661 if (natt_rport != 0 && natt_remote == NULL) { 2662 PORT_ONLY_ALLOCATE(AF_INET, struct sockaddr_in, 2663 SADB_X_EXT_ADDRESS_NATT_REM, natt_remote, 2664 natt_rport); 2665 } 2666 } else { 2667 if (natt_lport != 0 || natt_rport != 0) { 2668 ERROR(ep, ebuf, gettext("Must specify 'encap udp' " 2669 "with any NAT-T port.\n")); 2670 } else if (natt_local != NULL || natt_remote != NULL) { 2671 ERROR(ep, ebuf, gettext("Must specify 'encap udp' " 2672 "with any NAT-T address.\n")); 2673 } 2674 } 2675 2676 if (alloc_inner && idst == NULL) { 2677 PORT_ONLY_ALLOCATE(AF_INET6, struct sockaddr_in6, 2678 SADB_X_EXT_ADDRESS_INNER_DST, idst, 0); 2679 } 2680 2681 if (alloc_inner && isrc == NULL) { 2682 PORT_ONLY_ALLOCATE(AF_INET6, struct sockaddr_in6, 2683 SADB_X_EXT_ADDRESS_INNER_SRC, isrc, 0); 2684 } 2685 #undef PORT_ONLY_ALLOCATE 2686 2687 /* 2688 * Okay, so now I have all of the potential extensions! 2689 * Allocate a single contiguous buffer. Keep in mind that it'll 2690 * be enough because the key itself will be yanked. 2691 */ 2692 2693 if (src == NULL && dst != NULL) { 2694 /* 2695 * Set explicit unspecified source address. 2696 */ 2697 size_t lenbytes = SADB_64TO8(dst->sadb_address_len); 2698 2699 unspec_src = B_TRUE; 2700 totallen += lenbytes; 2701 src = malloc(lenbytes); 2702 if (src == NULL) 2703 Bail("malloc(implicit src)"); 2704 /* Confusing, but we're copying from DST to SRC. :) */ 2705 bcopy(dst, src, lenbytes); 2706 src->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 2707 sin6 = (struct sockaddr_in6 *)(src + 1); 2708 bzero(sin6, sizeof (*sin6)); 2709 sin6->sin6_family = AF_INET6; 2710 } 2711 2712 msg.sadb_msg_len = SADB_8TO64(totallen); 2713 2714 buffer = malloc(totallen); 2715 nexthdr = buffer; 2716 bcopy(&msg, nexthdr, sizeof (msg)); 2717 nexthdr += SADB_8TO64(sizeof (msg)); 2718 if (assoc != NULL) { 2719 if (assoc->sadb_sa_spi == 0) { 2720 ERROR1(ep, ebuf, gettext( 2721 "The SPI value is missing for " 2722 "the association you wish to %s.\n"), thiscmd); 2723 } 2724 if (assoc->sadb_sa_auth == 0 && assoc->sadb_sa_encrypt == 0 && 2725 cmd == CMD_ADD) { 2726 free(assoc); 2727 FATAL(ep, ebuf, gettext( 2728 "Select at least one algorithm " 2729 "for this add.\n")); 2730 } 2731 2732 /* Hack to let user specify NULL ESP implicitly. */ 2733 if (msg.sadb_msg_satype == SADB_SATYPE_ESP && 2734 assoc->sadb_sa_encrypt == 0) 2735 assoc->sadb_sa_encrypt = SADB_EALG_NULL; 2736 2737 /* 0 is an actual value. Print a warning if it was entered. */ 2738 if (assoc->sadb_sa_state == 0) { 2739 if (readstate) { 2740 ERROR(ep, ebuf, gettext( 2741 "WARNING: Cannot set LARVAL SA state.\n")); 2742 } 2743 assoc->sadb_sa_state = SADB_SASTATE_MATURE; 2744 } 2745 2746 if (use_natt) { 2747 if (natt_remote != NULL) 2748 assoc->sadb_sa_flags |= SADB_X_SAFLAGS_NATT_REM; 2749 if (natt_local != NULL) 2750 assoc->sadb_sa_flags |= SADB_X_SAFLAGS_NATT_LOC; 2751 } 2752 2753 if (alloc_inner) { 2754 /* 2755 * For now, assume RFC 3884's dream of transport-mode 2756 * SAs with inner IP address selectors will not 2757 * happen. 2758 */ 2759 assoc->sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 2760 if (proto != 0 && proto != IPPROTO_ENCAP && 2761 proto != IPPROTO_IPV6) { 2762 ERROR1(ep, ebuf, gettext( 2763 "WARNING: Protocol type %d not " 2764 "for use with Tunnel-Mode SA.\n"), proto); 2765 /* Continue and let PF_KEY scream... */ 2766 } 2767 } 2768 2769 bcopy(assoc, nexthdr, SADB_64TO8(assoc->sadb_sa_len)); 2770 nexthdr += assoc->sadb_sa_len; 2771 /* Save the SPI for the case of an error. */ 2772 spi = assoc->sadb_sa_spi; 2773 free(assoc); 2774 } else { 2775 if (spi == 0) 2776 ERROR1(ep, ebuf, gettext( 2777 "Need to define SPI for %s.\n"), thiscmd); 2778 ERROR1(ep, ebuf, gettext( 2779 "Need SA parameters for %s.\n"), thiscmd); 2780 } 2781 2782 if (sadb_pair != NULL) { 2783 if (sadb_pair->sadb_x_pair_spi == 0) { 2784 ERROR1(ep, ebuf, gettext( 2785 "The SPI value is missing for the " 2786 "association you wish to %s.\n"), thiscmd); 2787 } 2788 bcopy(sadb_pair, nexthdr, 2789 SADB_64TO8(sadb_pair->sadb_x_pair_len)); 2790 nexthdr += sadb_pair->sadb_x_pair_len; 2791 free(sadb_pair); 2792 } 2793 2794 if (hard != NULL) { 2795 bcopy(hard, nexthdr, SADB_64TO8(hard->sadb_lifetime_len)); 2796 nexthdr += hard->sadb_lifetime_len; 2797 free(hard); 2798 } 2799 2800 if (soft != NULL) { 2801 bcopy(soft, nexthdr, SADB_64TO8(soft->sadb_lifetime_len)); 2802 nexthdr += soft->sadb_lifetime_len; 2803 free(soft); 2804 } 2805 2806 if (idle != NULL) { 2807 bcopy(idle, nexthdr, SADB_64TO8(idle->sadb_lifetime_len)); 2808 nexthdr += idle->sadb_lifetime_len; 2809 free(idle); 2810 } 2811 2812 if (encrypt == NULL && auth == NULL && cmd == CMD_ADD) { 2813 ERROR(ep, ebuf, gettext( 2814 "Must have at least one key for an add.\n")); 2815 } 2816 2817 if (encrypt != NULL) { 2818 bcopy(encrypt, nexthdr, SADB_64TO8(encrypt->sadb_key_len)); 2819 nexthdr += encrypt->sadb_key_len; 2820 bzero(encrypt, SADB_64TO8(encrypt->sadb_key_len)); 2821 free(encrypt); 2822 } 2823 2824 if (auth != NULL) { 2825 bcopy(auth, nexthdr, SADB_64TO8(auth->sadb_key_len)); 2826 nexthdr += auth->sadb_key_len; 2827 bzero(auth, SADB_64TO8(auth->sadb_key_len)); 2828 free(auth); 2829 } 2830 2831 if (srcid != NULL) { 2832 bcopy(srcid, nexthdr, SADB_64TO8(srcid->sadb_ident_len)); 2833 nexthdr += srcid->sadb_ident_len; 2834 free(srcid); 2835 } 2836 2837 if (dstid != NULL) { 2838 bcopy(dstid, nexthdr, SADB_64TO8(dstid->sadb_ident_len)); 2839 nexthdr += dstid->sadb_ident_len; 2840 free(dstid); 2841 } 2842 2843 if (dst != NULL) { 2844 bcopy(dst, nexthdr, SADB_64TO8(dst->sadb_address_len)); 2845 free(dst); 2846 dst = (struct sadb_address *)nexthdr; 2847 dst->sadb_address_proto = proto; 2848 ((struct sockaddr_in6 *)(dst + 1))->sin6_port = htons(dstport); 2849 nexthdr += dst->sadb_address_len; 2850 } else { 2851 FATAL1(ep, ebuf, gettext( 2852 "Need destination address for %s.\n"), thiscmd); 2853 } 2854 2855 if (use_natt) { 2856 if (natt_remote == NULL && natt_local == NULL) { 2857 ERROR(ep, ebuf, gettext( 2858 "Must specify NAT-T remote or local address " 2859 "for UDP encapsulation.\n")); 2860 } 2861 2862 if (natt_remote != NULL) { 2863 bcopy(natt_remote, nexthdr, 2864 SADB_64TO8(natt_remote->sadb_address_len)); 2865 free(natt_remote); 2866 natt_remote = (struct sadb_address *)nexthdr; 2867 nexthdr += natt_remote->sadb_address_len; 2868 ((struct sockaddr_in6 *)(natt_remote + 1))->sin6_port = 2869 htons(natt_rport); 2870 } 2871 2872 if (natt_local != NULL) { 2873 bcopy(natt_local, nexthdr, 2874 SADB_64TO8(natt_local->sadb_address_len)); 2875 free(natt_local); 2876 natt_local = (struct sadb_address *)nexthdr; 2877 nexthdr += natt_local->sadb_address_len; 2878 ((struct sockaddr_in6 *)(natt_local + 1))->sin6_port = 2879 htons(natt_lport); 2880 } 2881 } 2882 2883 handle_errors(ep, ebuf, B_TRUE, B_FALSE); 2884 2885 /* 2886 * PF_KEY requires a source address extension, even if the source 2887 * address itself is unspecified. (See "Set explicit unspecified..." 2888 * code fragment above. Destination reality check was above.) 2889 */ 2890 bcopy(src, nexthdr, SADB_64TO8(src->sadb_address_len)); 2891 free(src); 2892 src = (struct sadb_address *)nexthdr; 2893 src->sadb_address_proto = proto; 2894 ((struct sockaddr_in6 *)(src + 1))->sin6_port = htons(srcport); 2895 nexthdr += src->sadb_address_len; 2896 2897 if (isrc != NULL) { 2898 bcopy(isrc, nexthdr, SADB_64TO8(isrc->sadb_address_len)); 2899 free(isrc); 2900 isrc = (struct sadb_address *)nexthdr; 2901 isrc->sadb_address_proto = iproto; 2902 ((struct sockaddr_in6 *)(isrc + 1))->sin6_port = 2903 htons(isrcport); 2904 nexthdr += isrc->sadb_address_len; 2905 } 2906 2907 if (idst != NULL) { 2908 bcopy(idst, nexthdr, SADB_64TO8(idst->sadb_address_len)); 2909 free(idst); 2910 idst = (struct sadb_address *)nexthdr; 2911 idst->sadb_address_proto = iproto; 2912 ((struct sockaddr_in6 *)(idst + 1))->sin6_port = 2913 htons(idstport); 2914 nexthdr += idst->sadb_address_len; 2915 } 2916 2917 if (replay_ctr != NULL) { 2918 bcopy(replay_ctr, nexthdr, 2919 SADB_64TO8(replay_ctr->sadb_x_rc_len)); 2920 nexthdr += replay_ctr->sadb_x_rc_len; 2921 free(replay_ctr); 2922 } 2923 2924 if (label != NULL) { 2925 bcopy(label, nexthdr, SADB_64TO8(label->sadb_sens_len)); 2926 nexthdr += label->sadb_sens_len; 2927 free(label); 2928 label = NULL; 2929 } 2930 2931 if (olabel != NULL) { 2932 bcopy(olabel, nexthdr, SADB_64TO8(olabel->sadb_sens_len)); 2933 nexthdr += olabel->sadb_sens_len; 2934 free(olabel); 2935 olabel = NULL; 2936 } 2937 2938 if (cflag) { 2939 /* 2940 * Assume the checked cmd would have worked if it was actually 2941 * used. doaddresses() will increment lines_added if it 2942 * succeeds. 2943 */ 2944 lines_added++; 2945 } else { 2946 doaddresses(sadb_msg_type, satype, 2947 cmd, srchp, dsthp, src, dst, unspec_src, buffer, totallen, 2948 spi, ebuf); 2949 } 2950 2951 if (isrchp != NULL && isrchp != &dummy.he) 2952 freehostent(isrchp); 2953 if (idsthp != NULL && idsthp != &dummy.he) 2954 freehostent(idsthp); 2955 if (srchp != NULL && srchp != &dummy.he) 2956 freehostent(srchp); 2957 if (dsthp != NULL && dsthp != &dummy.he) 2958 freehostent(dsthp); 2959 if (natt_lhp != NULL && natt_lhp != &dummy.he) 2960 freehostent(natt_lhp); 2961 if (natt_rhp != NULL && natt_rhp != &dummy.he) 2962 freehostent(natt_rhp); 2963 free(ebuf); 2964 free(buffer); 2965 } 2966 2967 /* 2968 * DELETE and GET are similar, in that they only need the extensions 2969 * required to _find_ an SA, and then either delete it or obtain its 2970 * information. 2971 */ 2972 static void 2973 dodelget(int cmd, int satype, char *argv[], char *ebuf) 2974 { 2975 struct sadb_msg *msg = (struct sadb_msg *)get_buffer; 2976 uint64_t *nextext; 2977 struct sadb_sa *assoc = NULL; 2978 struct sadb_address *src = NULL, *dst = NULL; 2979 int next, token, sa_len; 2980 char *thiscmd; 2981 uint32_t spi; 2982 uint8_t sadb_msg_type; 2983 struct hostent *srchp = NULL, *dsthp = NULL; 2984 struct sockaddr_in6 *sin6; 2985 boolean_t unspec_src = B_TRUE; 2986 uint16_t srcport = 0, dstport = 0; 2987 uint8_t proto = 0; 2988 char *ep = NULL; 2989 uint32_t sa_flags = 0; 2990 2991 /* Set the first extension header to right past the base message. */ 2992 nextext = (uint64_t *)(msg + 1); 2993 bzero(nextext, sizeof (get_buffer) - sizeof (*msg)); 2994 2995 switch (cmd) { 2996 case CMD_GET: 2997 thiscmd = "get"; 2998 sadb_msg_type = SADB_GET; 2999 break; 3000 case CMD_DELETE: 3001 thiscmd = "delete"; 3002 sadb_msg_type = SADB_DELETE; 3003 break; 3004 case CMD_DELETE_PAIR: 3005 thiscmd = "delete-pair"; 3006 sadb_msg_type = SADB_X_DELPAIR; 3007 break; 3008 } 3009 3010 msg_init(msg, sadb_msg_type, (uint8_t)satype); 3011 3012 #define ALLOC_ADDR_EXT(ext, exttype) \ 3013 (ext) = (struct sadb_address *)nextext; \ 3014 nextext = (uint64_t *)((ext) + 1); \ 3015 nextext += SADB_8TO64(roundup(sa_len, 8)); \ 3016 (ext)->sadb_address_exttype = exttype; \ 3017 (ext)->sadb_address_len = nextext - ((uint64_t *)ext); 3018 3019 /* Assume last element in argv is set to NULL. */ 3020 do { 3021 token = parseextval(*argv, &next); 3022 argv++; 3023 switch (token) { 3024 case TOK_EOF: 3025 /* Do nothing, I'm done. */ 3026 break; 3027 case TOK_UNKNOWN: 3028 ERROR1(ep, ebuf, gettext( 3029 "Unknown extension field \"%s\"\n"), *(argv - 1)); 3030 break; 3031 case TOK_SPI: 3032 if (assoc != NULL) { 3033 ERROR(ep, ebuf, gettext( 3034 "Can only specify single SPI value.\n")); 3035 break; 3036 } 3037 assoc = (struct sadb_sa *)nextext; 3038 nextext = (uint64_t *)(assoc + 1); 3039 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); 3040 assoc->sadb_sa_exttype = SADB_EXT_SA; 3041 assoc->sadb_sa_spi = htonl((uint32_t)parsenum(*argv, 3042 B_TRUE, ebuf)); 3043 spi = assoc->sadb_sa_spi; 3044 argv++; 3045 break; 3046 case TOK_SRCPORT: 3047 if (srcport != 0) { 3048 ERROR(ep, ebuf, gettext( 3049 "Can only specify single source port.\n")); 3050 break; 3051 } 3052 srcport = parsenum(*argv, B_TRUE, ebuf); 3053 argv++; 3054 break; 3055 case TOK_DSTPORT: 3056 if (dstport != 0) { 3057 ERROR(ep, ebuf, gettext( 3058 "Can only " 3059 "specify single destination port.\n")); 3060 break; 3061 } 3062 dstport = parsenum(*argv, B_TRUE, ebuf); 3063 argv++; 3064 break; 3065 case TOK_PROTO: 3066 if (proto != 0) { 3067 ERROR(ep, ebuf, gettext( 3068 "Can only specify single protocol.\n")); 3069 break; 3070 } 3071 proto = parsenum(*argv, B_TRUE, ebuf); 3072 argv++; 3073 break; 3074 case TOK_SRCADDR: 3075 case TOK_SRCADDR6: 3076 if (src != NULL) { 3077 ERROR(ep, ebuf, gettext( 3078 "Can only specify single source addr.\n")); 3079 break; 3080 } 3081 sa_len = parseaddr(*argv, &srchp, 3082 (token == TOK_SRCADDR6), ebuf); 3083 if (srchp == NULL) { 3084 ERROR1(ep, ebuf, gettext( 3085 "Unknown source address \"%s\"\n"), *argv); 3086 break; 3087 } 3088 argv++; 3089 3090 unspec_src = B_FALSE; 3091 3092 ALLOC_ADDR_EXT(src, SADB_EXT_ADDRESS_SRC); 3093 3094 if (srchp == &dummy.he) { 3095 /* 3096 * Single address with -n flag. 3097 */ 3098 sin6 = (struct sockaddr_in6 *)(src + 1); 3099 bzero(sin6, sizeof (*sin6)); 3100 sin6->sin6_family = AF_INET6; 3101 bcopy(srchp->h_addr_list[0], &sin6->sin6_addr, 3102 sizeof (struct in6_addr)); 3103 } 3104 /* The rest is pre-bzeroed for us. */ 3105 break; 3106 case TOK_DSTADDR: 3107 case TOK_DSTADDR6: 3108 if (dst != NULL) { 3109 ERROR(ep, ebuf, gettext( 3110 "Can only specify single destination " 3111 "address.\n")); 3112 break; 3113 } 3114 sa_len = parseaddr(*argv, &dsthp, 3115 (token == TOK_SRCADDR6), ebuf); 3116 if (dsthp == NULL) { 3117 ERROR1(ep, ebuf, gettext( 3118 "Unknown destination address \"%s\"\n"), 3119 *argv); 3120 break; 3121 } 3122 argv++; 3123 3124 ALLOC_ADDR_EXT(dst, SADB_EXT_ADDRESS_DST); 3125 3126 if (dsthp == &dummy.he) { 3127 /* 3128 * Single address with -n flag. 3129 */ 3130 sin6 = (struct sockaddr_in6 *)(dst + 1); 3131 bzero(sin6, sizeof (*sin6)); 3132 sin6->sin6_family = AF_INET6; 3133 bcopy(dsthp->h_addr_list[0], &sin6->sin6_addr, 3134 sizeof (struct in6_addr)); 3135 } 3136 /* The rest is pre-bzeroed for us. */ 3137 break; 3138 case TOK_FLAG_INBOUND: 3139 sa_flags |= SADB_X_SAFLAGS_INBOUND; 3140 break; 3141 case TOK_FLAG_OUTBOUND: 3142 sa_flags |= SADB_X_SAFLAGS_OUTBOUND; 3143 break; 3144 default: 3145 ERROR2(ep, ebuf, gettext( 3146 "Don't use extension %s for '%s' command.\n"), 3147 *(argv - 1), thiscmd); 3148 break; 3149 } 3150 } while (token != TOK_EOF); 3151 3152 handle_errors(ep, ebuf, B_TRUE, B_FALSE); 3153 3154 if (assoc == NULL) { 3155 FATAL1(ep, ebuf, gettext( 3156 "Need SA parameters for %s.\n"), thiscmd); 3157 } 3158 3159 /* We can set the flags now with valid assoc in hand. */ 3160 assoc->sadb_sa_flags |= sa_flags; 3161 3162 if ((srcport != 0) && (src == NULL)) { 3163 ALLOC_ADDR_EXT(src, SADB_EXT_ADDRESS_SRC); 3164 sin6 = (struct sockaddr_in6 *)(src + 1); 3165 src->sadb_address_proto = proto; 3166 bzero(sin6, sizeof (*sin6)); 3167 sin6->sin6_family = AF_INET6; 3168 sin6->sin6_port = htons(srcport); 3169 } 3170 3171 if ((dstport != 0) && (dst == NULL)) { 3172 ALLOC_ADDR_EXT(dst, SADB_EXT_ADDRESS_DST); 3173 sin6 = (struct sockaddr_in6 *)(dst + 1); 3174 src->sadb_address_proto = proto; 3175 bzero(sin6, sizeof (*sin6)); 3176 sin6->sin6_family = AF_INET6; 3177 sin6->sin6_port = htons(dstport); 3178 } 3179 3180 /* So I have enough of the message to send it down! */ 3181 msg->sadb_msg_len = nextext - get_buffer; 3182 3183 if (cflag) { 3184 /* 3185 * Assume the checked cmd would have worked if it was actually 3186 * used. doaddresses() will increment lines_added if it 3187 * succeeds. 3188 */ 3189 lines_added++; 3190 } else { 3191 doaddresses(sadb_msg_type, satype, 3192 cmd, srchp, dsthp, src, dst, unspec_src, get_buffer, 3193 sizeof (get_buffer), spi, NULL); 3194 } 3195 3196 if (srchp != NULL && srchp != &dummy.he) 3197 freehostent(srchp); 3198 if (dsthp != NULL && dsthp != &dummy.he) 3199 freehostent(dsthp); 3200 } 3201 3202 /* 3203 * "ipseckey monitor" should exit very gracefully if ^C is tapped provided 3204 * it is not running in interactive mode. 3205 */ 3206 static void 3207 monitor_catch(int signal) 3208 { 3209 if (!interactive) 3210 errx(signal, gettext("Bailing on signal %d."), signal); 3211 } 3212 3213 /* 3214 * Loop forever, listening on PF_KEY messages. 3215 */ 3216 static void 3217 domonitor(boolean_t passive) 3218 { 3219 struct sadb_msg *samsg; 3220 struct sigaction newsig, oldsig; 3221 int rc; 3222 3223 /* Catch ^C. */ 3224 newsig.sa_handler = monitor_catch; 3225 newsig.sa_flags = 0; 3226 (void) sigemptyset(&newsig.sa_mask); 3227 (void) sigaddset(&newsig.sa_mask, SIGINT); 3228 (void) sigaction(SIGINT, &newsig, &oldsig); 3229 3230 samsg = (struct sadb_msg *)get_buffer; 3231 if (!passive) { 3232 (void) printf(gettext("Actively")); 3233 msg_init(samsg, SADB_X_PROMISC, 1); /* Turn ON promisc. */ 3234 rc = key_write(keysock, samsg, sizeof (*samsg)); 3235 if (rc == -1) 3236 Bail("write (SADB_X_PROMISC)"); 3237 } else { 3238 (void) printf(gettext("Passively")); 3239 } 3240 (void) printf(gettext(" monitoring the PF_KEY socket.\n")); 3241 3242 for (; ; ) { 3243 /* 3244 * I assume that read() is non-blocking, and will never 3245 * return 0. 3246 */ 3247 rc = read(keysock, samsg, sizeof (get_buffer)); 3248 if (rc == -1) { 3249 if (errno == EINTR && interactive) 3250 goto out; 3251 else 3252 Bail("read (in domonitor)"); 3253 } 3254 (void) printf(gettext("Read %d bytes.\n"), rc); 3255 /* 3256 * Q: Should I use the same method of printing as GET does? 3257 * A: For now, yes. 3258 */ 3259 print_samsg(stdout, get_buffer, B_TRUE, vflag, nflag); 3260 (void) putchar('\n'); 3261 } 3262 3263 out: 3264 if (interactive) 3265 /* restore SIGINT behavior */ 3266 (void) sigaction(SIGINT, &oldsig, NULL); 3267 } 3268 3269 /* 3270 * Either mask or unmask all relevant signals. 3271 */ 3272 static void 3273 mask_signals(boolean_t unmask) 3274 { 3275 sigset_t set; 3276 static sigset_t oset; 3277 3278 if (unmask) { 3279 (void) sigprocmask(SIG_SETMASK, &oset, NULL); 3280 } else { 3281 (void) sigfillset(&set); 3282 (void) sigprocmask(SIG_SETMASK, &set, &oset); 3283 } 3284 } 3285 3286 /* 3287 * Assorted functions to print help text. 3288 */ 3289 #define puts_tr(s) (void) puts(gettext(s)) 3290 3291 static void 3292 doattrhelp() 3293 { 3294 int i; 3295 3296 puts_tr("\nSA attributes:"); 3297 3298 for (i = 0; tokens[i].string != NULL; i++) { 3299 if (i%3 == 0) 3300 (void) printf("\n"); 3301 (void) printf(" %-15.15s", tokens[i].string); 3302 } 3303 (void) printf("\n"); 3304 } 3305 3306 static void 3307 dohelpcmd(char *cmds) 3308 { 3309 int cmd; 3310 3311 if (strcmp(cmds, "attr") == 0) { 3312 doattrhelp(); 3313 return; 3314 } 3315 3316 cmd = parsecmd(cmds); 3317 switch (cmd) { 3318 case CMD_UPDATE: 3319 puts_tr("update - Update an existing SA"); 3320 break; 3321 case CMD_UPDATE_PAIR: 3322 puts_tr("update-pair - Update an existing pair of SA's"); 3323 break; 3324 case CMD_ADD: 3325 puts_tr("add - Add a new security association (SA)"); 3326 break; 3327 case CMD_DELETE: 3328 puts_tr("delete - Delete an SA"); 3329 break; 3330 case CMD_DELETE_PAIR: 3331 puts_tr("delete-pair - Delete a pair of SA's"); 3332 break; 3333 case CMD_GET: 3334 puts_tr("get - Display an SA"); 3335 break; 3336 case CMD_FLUSH: 3337 puts_tr("flush - Delete all SAs"); 3338 puts_tr(""); 3339 puts_tr("Optional arguments:"); 3340 puts_tr("all delete all SAs"); 3341 puts_tr("esp delete just ESP SAs"); 3342 puts_tr("ah delete just AH SAs"); 3343 puts_tr("<number> delete just SAs with type given by number"); 3344 puts_tr(""); 3345 break; 3346 case CMD_DUMP: 3347 puts_tr("dump - Display all SAs"); 3348 puts_tr(""); 3349 puts_tr("Optional arguments:"); 3350 puts_tr("all display all SAs"); 3351 puts_tr("esp display just ESP SAs"); 3352 puts_tr("ah display just AH SAs"); 3353 puts_tr("<number> display just SAs with type " 3354 "given by number"); 3355 puts_tr(""); 3356 break; 3357 case CMD_MONITOR: 3358 puts_tr("monitor - Monitor all PF_KEY reply messages."); 3359 break; 3360 case CMD_PMONITOR: 3361 puts_tr( 3362 "pmonitor, passive_monitor - Monitor PF_KEY messages that"); 3363 puts_tr( 3364 " reply to all PF_KEY sockets."); 3365 break; 3366 3367 case CMD_QUIT: 3368 puts_tr("quit, exit - Exit the program"); 3369 break; 3370 case CMD_SAVE: 3371 puts_tr("save - Saves all SAs to a file"); 3372 break; 3373 case CMD_HELP: 3374 puts_tr("help - Display list of commands"); 3375 puts_tr("help <cmd> - Display help for command"); 3376 puts_tr("help attr - Display possible SA attributes"); 3377 break; 3378 default: 3379 (void) printf(gettext("%s: Unknown command\n"), cmds); 3380 break; 3381 } 3382 } 3383 3384 3385 static void 3386 dohelp(char *cmds) 3387 { 3388 if (cmds != NULL) { 3389 dohelpcmd(cmds); 3390 return; 3391 } 3392 puts_tr("Commands"); 3393 puts_tr("--------"); 3394 puts_tr("?, help - Display this list"); 3395 puts_tr("help <cmd> - Display help for command"); 3396 puts_tr("help attr - Display possible SA attributes"); 3397 puts_tr("quit, exit - Exit the program"); 3398 puts_tr("monitor - Monitor all PF_KEY reply messages."); 3399 puts_tr("pmonitor, passive_monitor - Monitor PF_KEY messages that"); 3400 puts_tr(" reply to all PF_KEY sockets."); 3401 puts_tr(""); 3402 puts_tr("The following commands are of the form:"); 3403 puts_tr(" <command> {SA type} {attribute value}*"); 3404 puts_tr(""); 3405 puts_tr("add (interactive only) - Add a new security association (SA)"); 3406 puts_tr("update (interactive only) - Update an existing SA"); 3407 puts_tr("update-pair (interactive only) - Update an existing SA pair"); 3408 puts_tr("delete - Delete an SA"); 3409 puts_tr("delete-pair - Delete an SA pair"); 3410 puts_tr("get - Display an SA"); 3411 puts_tr("flush - Delete all SAs"); 3412 puts_tr("dump - Display all SAs"); 3413 puts_tr("save - Saves all SAs to a file"); 3414 } 3415 3416 /* 3417 * "Parse" a command line from argv. 3418 */ 3419 static void 3420 parseit(int argc, char *argv[], char *ebuf, boolean_t read_cmdfile) 3421 { 3422 int cmd, satype; 3423 char *ep = NULL; 3424 3425 if (argc == 0) 3426 return; 3427 cmd = parsecmd(*argv++); 3428 3429 /* 3430 * Some commands loop forever and should only be run from the command 3431 * line, they should never be run from a command file as this may 3432 * be used at boot time. 3433 */ 3434 switch (cmd) { 3435 case CMD_HELP: 3436 if (read_cmdfile) 3437 ERROR(ep, ebuf, gettext("Help not appropriate in " 3438 "config file.")); 3439 else 3440 dohelp(*argv); 3441 return; 3442 case CMD_MONITOR: 3443 if (read_cmdfile) 3444 ERROR(ep, ebuf, gettext("Monitor not appropriate in " 3445 "config file.")); 3446 else { 3447 domonitor(B_FALSE); 3448 /* 3449 * Return from the function in interactive mode to 3450 * avoid error message in the next switch statement. 3451 * Also print newline to prevent prompt clobbering. 3452 * The same is done for CMD_PMONITOR. 3453 */ 3454 if (interactive) { 3455 (void) printf("\n"); 3456 return; 3457 } 3458 } 3459 break; 3460 case CMD_PMONITOR: 3461 if (read_cmdfile) 3462 ERROR(ep, ebuf, gettext("Monitor not appropriate in " 3463 "config file.")); 3464 else { 3465 domonitor(B_TRUE); 3466 if (interactive) { 3467 (void) printf("\n"); 3468 return; 3469 } 3470 } 3471 break; 3472 case CMD_QUIT: 3473 EXIT_OK(NULL); 3474 } 3475 3476 handle_errors(ep, ebuf, B_FALSE, B_FALSE); 3477 3478 satype = parsesatype(*argv, ebuf); 3479 3480 if (satype != SADB_SATYPE_UNSPEC) { 3481 argv++; 3482 } else { 3483 /* 3484 * You must specify either "all" or a specific SA type 3485 * for the "save" command. 3486 */ 3487 if (cmd == CMD_SAVE) 3488 if (*argv == NULL) { 3489 FATAL(ep, ebuf, gettext( 3490 "Must specify a specific " 3491 "SA type for save.\n")); 3492 } else { 3493 argv++; 3494 } 3495 } 3496 3497 switch (cmd) { 3498 case CMD_FLUSH: 3499 if (argc > 2) { 3500 ERROR(ep, ebuf, gettext("Too many arguments for " 3501 "flush command")); 3502 handle_errors(ep, ebuf, 3503 interactive ? B_TRUE : B_FALSE, B_FALSE); 3504 } 3505 if (!cflag) 3506 doflush(satype); 3507 /* 3508 * If this was called because of an entry in a cmd file 3509 * then this action needs to be counted to prevent 3510 * do_interactive() treating this as an error. 3511 */ 3512 lines_added++; 3513 break; 3514 case CMD_ADD: 3515 case CMD_UPDATE: 3516 case CMD_UPDATE_PAIR: 3517 /* 3518 * NOTE: Shouldn't allow ADDs or UPDATEs with keying material 3519 * from the command line. 3520 */ 3521 if (!interactive) { 3522 errx(1, gettext( 3523 "can't do ADD or UPDATE from the command line.\n")); 3524 } 3525 if (satype == SADB_SATYPE_UNSPEC) { 3526 FATAL(ep, ebuf, gettext( 3527 "Must specify a specific SA type.")); 3528 /* NOTREACHED */ 3529 } 3530 /* Parse for extensions, including keying material. */ 3531 doaddup(cmd, satype, argv, ebuf); 3532 break; 3533 case CMD_DELETE: 3534 case CMD_DELETE_PAIR: 3535 case CMD_GET: 3536 if (satype == SADB_SATYPE_UNSPEC) { 3537 FATAL(ep, ebuf, gettext( 3538 "Must specify a single SA type.")); 3539 /* NOTREACHED */ 3540 } 3541 /* Parse for bare minimum to locate an SA. */ 3542 dodelget(cmd, satype, argv, ebuf); 3543 break; 3544 case CMD_DUMP: 3545 if (read_cmdfile) 3546 ERROR(ep, ebuf, gettext("Dump not appropriate in " 3547 "config file.")); 3548 else { 3549 if (argc > 2) { 3550 ERROR(ep, ebuf, gettext("Too many arguments " 3551 "for dump command")); 3552 handle_errors(ep, ebuf, 3553 interactive ? B_TRUE : B_FALSE, B_FALSE); 3554 } 3555 dodump(satype, NULL); 3556 } 3557 break; 3558 case CMD_SAVE: 3559 if (read_cmdfile) { 3560 ERROR(ep, ebuf, gettext("Save not appropriate in " 3561 "config file.")); 3562 } else { 3563 mask_signals(B_FALSE); /* Mask signals */ 3564 dodump(satype, opensavefile(argv[0])); 3565 mask_signals(B_TRUE); /* Unmask signals */ 3566 } 3567 break; 3568 default: 3569 warnx(gettext("Unknown command (%s).\n"), 3570 *(argv - ((satype == SADB_SATYPE_UNSPEC) ? 1 : 2))); 3571 usage(); 3572 } 3573 handle_errors(ep, ebuf, B_FALSE, B_FALSE); 3574 } 3575 3576 int 3577 main(int argc, char *argv[]) 3578 { 3579 int ch; 3580 FILE *infile = stdin, *savefile; 3581 boolean_t dosave = B_FALSE, readfile = B_FALSE; 3582 char *configfile = NULL; 3583 struct stat sbuf; 3584 int bootflags; 3585 3586 (void) setlocale(LC_ALL, ""); 3587 #if !defined(TEXT_DOMAIN) 3588 #define TEXT_DOMAIN "SYS_TEST" 3589 #endif 3590 (void) textdomain(TEXT_DOMAIN); 3591 3592 /* 3593 * Check to see if the command is being run from smf(7). 3594 */ 3595 my_fmri = getenv("SMF_FMRI"); 3596 3597 openlog("ipseckey", LOG_CONS, LOG_AUTH); 3598 if (getuid() != 0) { 3599 errx(1, "Insufficient privileges to run ipseckey."); 3600 } 3601 3602 /* umask me to paranoid, I only want to create files read-only */ 3603 (void) umask((mode_t)00377); 3604 3605 while ((ch = getopt(argc, argv, "pnvf:s:c:")) != EOF) 3606 switch (ch) { 3607 case 'p': 3608 pflag = B_TRUE; 3609 break; 3610 case 'n': 3611 nflag = B_TRUE; 3612 break; 3613 case 'v': 3614 vflag = B_TRUE; 3615 break; 3616 case 'c': 3617 cflag = B_TRUE; 3618 /* FALLTHRU */ 3619 case 'f': 3620 if (dosave) 3621 usage(); 3622 3623 /* 3624 * Use stat() to check and see if the user inadvertently 3625 * passed in a bad pathname, or the name of a directory. 3626 * We should also check to see if the filename is a 3627 * pipe. We use stat() here because fopen() will block 3628 * unless the other end of the pipe is open. This would 3629 * be undesirable, especially if this is called at boot 3630 * time. If we ever need to support reading from a pipe 3631 * or special file, this should be revisited. 3632 */ 3633 if (stat(optarg, &sbuf) == -1) { 3634 EXIT_BADCONFIG2("Invalid pathname: %s\n", 3635 optarg); 3636 } 3637 if (!(sbuf.st_mode & S_IFREG)) { 3638 EXIT_BADCONFIG2("%s - Not a regular file\n", 3639 optarg); 3640 } 3641 infile = fopen(optarg, "r"); 3642 if (infile == NULL) { 3643 EXIT_BADCONFIG2("Unable to open configuration " 3644 "file: %s\n", optarg); 3645 } 3646 /* 3647 * The input file contains keying information, because 3648 * this is sensative, we should only accept data from 3649 * this file if the file is root owned and only readable 3650 * by privileged users. If the command is being run by 3651 * the administrator, issue a warning, if this is run by 3652 * smf(7) (IE: boot time) and the permissions are too 3653 * open, we will fail, the SMF service will end up in 3654 * maintenace mode. The check is made with fstat() to 3655 * eliminate any possible TOT to TOU window. 3656 */ 3657 if (fstat(fileno(infile), &sbuf) == -1) { 3658 (void) fclose(infile); 3659 EXIT_BADCONFIG2("Unable to stat configuration " 3660 "file: %s\n", optarg); 3661 } 3662 if (INSECURE_PERMS(sbuf)) { 3663 if (my_fmri != NULL) { 3664 (void) fclose(infile); 3665 EXIT_BADCONFIG2("Config file " 3666 "%s has insecure permissions.", 3667 optarg); 3668 } else { 3669 (void) fprintf(stderr, gettext( 3670 "Config file %s has insecure " 3671 "permissions, will be rejected in " 3672 "permanent config.\n"), optarg); 3673 } 3674 } 3675 configfile = strdup(optarg); 3676 readfile = B_TRUE; 3677 break; 3678 case 's': 3679 if (readfile) 3680 usage(); 3681 dosave = B_TRUE; 3682 savefile = opensavefile(optarg); 3683 break; 3684 default: 3685 usage(); 3686 } 3687 3688 argc -= optind; 3689 argv += optind; 3690 3691 mypid = getpid(); 3692 3693 keysock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); 3694 3695 if (keysock == -1) { 3696 if (errno == EPERM) { 3697 EXIT_BADPERM("Insufficient privileges to open " 3698 "PF_KEY socket.\n"); 3699 } else { 3700 /* some other reason */ 3701 EXIT_FATAL("Opening PF_KEY socket"); 3702 } 3703 } 3704 3705 if ((_cladm(CL_INITIALIZE, CL_GET_BOOTFLAG, &bootflags) != 0) || 3706 (bootflags & CLUSTER_BOOTED)) { 3707 in_cluster_mode = B_TRUE; 3708 cluster_socket = socket(AF_INET, SOCK_DGRAM, 0); 3709 cli_addr.sin_family = AF_INET; 3710 cli_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); 3711 cli_addr.sin_port = htons(CLUSTER_UDP_PORT); 3712 } 3713 3714 if (dosave) { 3715 mask_signals(B_FALSE); /* Mask signals */ 3716 dodump(SADB_SATYPE_UNSPEC, savefile); 3717 mask_signals(B_TRUE); /* Unmask signals */ 3718 EXIT_OK(NULL); 3719 } 3720 3721 /* 3722 * When run from smf(7) flush any existing SA's first 3723 * otherwise you will end up in maintenance mode. 3724 */ 3725 if ((my_fmri != NULL) && readfile) { 3726 (void) fprintf(stdout, gettext( 3727 "Flushing existing SA's before adding new SA's\n")); 3728 (void) fflush(stdout); 3729 doflush(SADB_SATYPE_UNSPEC); 3730 } 3731 if (infile != stdin || argc == 0) { 3732 /* Go into interactive mode here. */ 3733 do_interactive(infile, configfile, "ipseckey> ", my_fmri, 3734 parseit, no_match); 3735 } 3736 parseit(argc, argv, NULL, B_FALSE); 3737 3738 return (0); 3739 } 3740