1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * NOTE:I'm trying to use "struct sadb_foo" instead of "sadb_foo_t" 28 * as a maximal PF_KEY portability test. 29 * 30 * Also, this is a deliberately single-threaded app, also for portability 31 * to systems without POSIX threads. 32 */ 33 34 #include <sys/types.h> 35 #include <sys/stat.h> 36 #include <sys/socket.h> 37 #include <sys/sysmacros.h> 38 #include <sys/fcntl.h> 39 #include <net/pfkeyv2.h> 40 #include <arpa/inet.h> 41 #include <netinet/in.h> 42 #include <sys/uio.h> 43 44 #include <syslog.h> 45 #include <signal.h> 46 #include <unistd.h> 47 #include <limits.h> 48 #include <stdlib.h> 49 #include <stdio.h> 50 #include <stdarg.h> 51 #include <netdb.h> 52 #include <pwd.h> 53 #include <errno.h> 54 #include <libintl.h> 55 #include <locale.h> 56 #include <fcntl.h> 57 #include <strings.h> 58 #include <ctype.h> 59 #include <sys/cladm.h> 60 61 #include <ipsec_util.h> 62 63 static int keysock; 64 static int cluster_socket; 65 static uint32_t seq; 66 static pid_t mypid; 67 static boolean_t vflag = B_FALSE; /* Verbose? */ 68 static boolean_t cflag = B_FALSE; /* Check Only */ 69 70 char *my_fmri = NULL; 71 FILE *debugfile = stdout; 72 static struct sockaddr_in cli_addr; 73 static boolean_t in_cluster_mode = B_FALSE; 74 75 #define MAX_GET_SIZE 1024 76 /* 77 * WARN() and ERROR() do the same thing really, with ERROR() the function 78 * that prints the error buffer needs to be called at the end of a code block 79 * This will print out all accumulated errors before bailing. The WARN() 80 * macro calls handle_errors() in such a way that it prints the message 81 * then continues. 82 * If the FATAL() macro used call handle_errors() immediately. 83 */ 84 #define ERROR(x, y, z) x = record_error(x, y, z) 85 #define ERROR1(w, x, y, z) w = record_error(w, x, y, z) 86 #define ERROR2(v, w, x, y, z) v = record_error(v, w, x, y, z) 87 #define WARN(x, y, z) ERROR(x, y, z);\ 88 handle_errors(x, NULL, B_FALSE, B_FALSE); x = NULL 89 #define WARN1(w, x, y, z) ERROR1(w, x, y, z);\ 90 handle_errors(w, NULL, B_FALSE, B_FALSE); w = NULL 91 #define WARN2(v, w, x, y, z) ERROR2(v, w, x, y, z);\ 92 handle_errors(v, NULL, B_FALSE, B_FALSE); v = NULL 93 #define FATAL(x, y, z) ERROR(x, y, z);\ 94 handle_errors(x, y, B_TRUE, B_TRUE) 95 #define FATAL1(w, x, y, z) ERROR1(w, x, y, z);\ 96 handle_errors(w, x, B_TRUE, B_TRUE) 97 98 /* Defined as a uint64_t array for alignment purposes. */ 99 static uint64_t get_buffer[MAX_GET_SIZE]; 100 101 /* 102 * Create/Grow a buffer large enough to hold error messages. If *ebuf 103 * is not NULL then it will contain a copy of the command line that 104 * triggered the error/warning, copy this into a new buffer or 105 * append new messages to the existing buffer. 106 */ 107 /*PRINTFLIKE1*/ 108 char * 109 record_error(char *ep, char *ebuf, char *fmt, ...) 110 { 111 char *err_ptr; 112 char tmp_buff[1024]; 113 va_list ap; 114 int length = 0; 115 err_ptr = ep; 116 117 va_start(ap, fmt); 118 length = vsnprintf(tmp_buff, sizeof (tmp_buff), fmt, ap); 119 va_end(ap); 120 121 /* There is a new line character */ 122 length++; 123 124 if (ep == NULL) { 125 if (ebuf != NULL) 126 length += strlen(ebuf); 127 } else { 128 length += strlen(ep); 129 } 130 131 if (err_ptr == NULL) 132 err_ptr = calloc(length, sizeof (char)); 133 else 134 err_ptr = realloc(err_ptr, length); 135 136 if (err_ptr == NULL) 137 Bail("realloc() failure"); 138 139 /* 140 * If (ep == NULL) then this is the first error to record, 141 * copy in the command line that triggered this error/warning. 142 */ 143 if (ep == NULL && ebuf != NULL) 144 (void) strlcpy(err_ptr, ebuf, length); 145 146 /* 147 * Now the actual error. 148 */ 149 (void) strlcat(err_ptr, tmp_buff, length); 150 return (err_ptr); 151 } 152 153 /* 154 * Print usage message. 155 */ 156 static void 157 usage(void) 158 { 159 if (!interactive) { 160 (void) fprintf(stderr, gettext("Usage:\t" 161 "ipseckey [ -nvp ] | cmd [sa_type] [extfield value]*\n")); 162 (void) fprintf(stderr, 163 gettext("\tipseckey [ -nvp ] -f infile\n")); 164 (void) fprintf(stderr, 165 gettext("\tipseckey [ -nvp ] -s outfile\n")); 166 } 167 EXIT_FATAL(NULL); 168 } 169 170 171 /* 172 * Print out any errors, tidy up as required. 173 * error pointer ep will be free()'d 174 */ 175 void 176 handle_errors(char *ep, char *ebuf, boolean_t fatal, boolean_t done) 177 { 178 if (ep != NULL) { 179 if (my_fmri == NULL) { 180 /* 181 * For now suppress the errors when run from smf(5) 182 * because potentially sensitive information could 183 * end up in a publicly readable logfile. 184 */ 185 (void) fprintf(stdout, "%s\n", ep); 186 (void) fflush(stdout); 187 } 188 free(ep); 189 if (fatal) { 190 if (ebuf != NULL) { 191 free(ebuf); 192 } 193 /* reset command buffer */ 194 if (interactive) 195 longjmp(env, 1); 196 } else { 197 return; 198 } 199 } else { 200 /* 201 * No errors, if this is the last time that this function 202 * is called, free(ebuf) and reset command buffer. 203 */ 204 if (done) { 205 if (ebuf != NULL) { 206 free(ebuf); 207 } 208 /* reset command buffer */ 209 if (interactive) 210 longjmp(env, 1); 211 } 212 return; 213 } 214 EXIT_FATAL(NULL); 215 } 216 217 /* 218 * Initialize a PF_KEY base message. 219 */ 220 static void 221 msg_init(struct sadb_msg *msg, uint8_t type, uint8_t satype) 222 { 223 msg->sadb_msg_version = PF_KEY_V2; 224 msg->sadb_msg_type = type; 225 msg->sadb_msg_errno = 0; 226 msg->sadb_msg_satype = satype; 227 /* For starters... */ 228 msg->sadb_msg_len = SADB_8TO64(sizeof (*msg)); 229 msg->sadb_msg_reserved = 0; 230 msg->sadb_msg_seq = ++seq; 231 msg->sadb_msg_pid = mypid; 232 } 233 234 /* 235 * parseXXX and rparseXXX commands parse input and convert them to PF_KEY 236 * field values, or do the reverse for the purposes of saving the SA tables. 237 * (See the save_XXX functions.) 238 */ 239 240 #define CMD_NONE 0 241 #define CMD_UPDATE 2 242 #define CMD_UPDATE_PAIR 3 243 #define CMD_ADD 4 244 #define CMD_DELETE 5 245 #define CMD_DELETE_PAIR 6 246 #define CMD_GET 7 247 #define CMD_FLUSH 9 248 #define CMD_DUMP 10 249 #define CMD_MONITOR 11 250 #define CMD_PMONITOR 12 251 #define CMD_QUIT 13 252 #define CMD_SAVE 14 253 #define CMD_HELP 15 254 255 /* 256 * Parse the command. 257 */ 258 static int 259 parsecmd(char *cmdstr) 260 { 261 static struct cmdtable { 262 char *cmd; 263 int token; 264 } table[] = { 265 /* 266 * Q: Do we want to do GETSPI? 267 * A: No, it's for automated key mgmt. only. Either that, 268 * or it isn't relevant until we support non IPsec SA types. 269 */ 270 {"update", CMD_UPDATE}, 271 {"update-pair", CMD_UPDATE_PAIR}, 272 {"add", CMD_ADD}, 273 {"delete", CMD_DELETE}, 274 {"delete-pair", CMD_DELETE_PAIR}, 275 {"get", CMD_GET}, 276 /* 277 * Q: And ACQUIRE and REGISTER and EXPIRE? 278 * A: not until we support non IPsec SA types. 279 */ 280 {"flush", CMD_FLUSH}, 281 {"dump", CMD_DUMP}, 282 {"monitor", CMD_MONITOR}, 283 {"passive_monitor", CMD_PMONITOR}, 284 {"pmonitor", CMD_PMONITOR}, 285 {"quit", CMD_QUIT}, 286 {"exit", CMD_QUIT}, 287 {"save", CMD_SAVE}, 288 {"help", CMD_HELP}, 289 {"?", CMD_HELP}, 290 {NULL, CMD_NONE} 291 }; 292 struct cmdtable *ct = table; 293 294 while (ct->cmd != NULL && strcmp(ct->cmd, cmdstr) != 0) 295 ct++; 296 return (ct->token); 297 } 298 299 /* 300 * Convert a number from a command line. I picked "u_longlong_t" for the 301 * number because we need the largest number available. Also, the strto<num> 302 * calls don't deal in units of uintNN_t. 303 */ 304 static u_longlong_t 305 parsenum(char *num, boolean_t bail, char *ebuf) 306 { 307 u_longlong_t rc = 0; 308 char *end = NULL; 309 char *ep = NULL; 310 311 if (num == NULL) { 312 FATAL(ep, ebuf, gettext("Unexpected end of command line," 313 " was expecting a number.\n")); 314 /* NOTREACHED */ 315 } 316 317 errno = 0; 318 rc = strtoull(num, &end, 0); 319 if (errno != 0 || end == num || *end != '\0') { 320 if (bail) { 321 FATAL1(ep, ebuf, gettext( 322 "Expecting a number, not \"%s\"!\n"), num); 323 } else { 324 /* 325 * -1, while not optimal, is sufficiently out of range 326 * for most of this function's applications when 327 * we don't just bail. 328 */ 329 return ((u_longlong_t)-1); 330 } 331 } 332 handle_errors(ep, NULL, B_FALSE, B_FALSE); 333 return (rc); 334 } 335 336 /* 337 * Parse and reverse parse a specific SA type (AH, ESP, etc.). 338 */ 339 static struct typetable { 340 char *type; 341 int token; 342 } type_table[] = { 343 {"all", SADB_SATYPE_UNSPEC}, 344 {"ah", SADB_SATYPE_AH}, 345 {"esp", SADB_SATYPE_ESP}, 346 /* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */ 347 {NULL, 0} /* Token value is irrelevant for this entry. */ 348 }; 349 350 351 static int 352 parsesatype(char *type, char *ebuf) 353 { 354 struct typetable *tt = type_table; 355 char *ep = NULL; 356 357 if (type == NULL) 358 return (SADB_SATYPE_UNSPEC); 359 360 while (tt->type != NULL && strcasecmp(tt->type, type) != 0) 361 tt++; 362 363 /* 364 * New SA types (including ones keysock maintains for user-land 365 * protocols) may be added, so parse a numeric value if possible. 366 */ 367 if (tt->type == NULL) { 368 tt->token = (int)parsenum(type, B_FALSE, ebuf); 369 if (tt->token == -1) { 370 ERROR1(ep, ebuf, gettext( 371 "Unknown SA type (%s).\n"), type); 372 tt->token = SADB_SATYPE_UNSPEC; 373 } 374 } 375 handle_errors(ep, NULL, B_FALSE, B_FALSE); 376 return (tt->token); 377 } 378 379 #define NEXTEOF 0 380 #define NEXTNONE 1 381 #define NEXTNUM 2 382 #define NEXTSTR 3 383 #define NEXTNUMSTR 4 384 #define NEXTADDR 5 385 #define NEXTHEX 6 386 #define NEXTIDENT 7 387 #define NEXTADDR4 8 388 #define NEXTADDR6 9 389 390 #define TOK_EOF 0 391 #define TOK_UNKNOWN 1 392 #define TOK_SPI 2 393 #define TOK_REPLAY 3 394 #define TOK_STATE 4 395 #define TOK_AUTHALG 5 396 #define TOK_ENCRALG 6 397 #define TOK_FLAGS 7 398 #define TOK_SOFT_ALLOC 8 399 #define TOK_SOFT_BYTES 9 400 #define TOK_SOFT_ADDTIME 10 401 #define TOK_SOFT_USETIME 11 402 #define TOK_HARD_ALLOC 12 403 #define TOK_HARD_BYTES 13 404 #define TOK_HARD_ADDTIME 14 405 #define TOK_HARD_USETIME 15 406 #define TOK_CURRENT_ALLOC 16 407 #define TOK_CURRENT_BYTES 17 408 #define TOK_CURRENT_ADDTIME 18 409 #define TOK_CURRENT_USETIME 19 410 #define TOK_SRCADDR 20 411 #define TOK_DSTADDR 21 412 #define TOK_PROXYADDR 22 413 #define TOK_AUTHKEY 23 414 #define TOK_ENCRKEY 24 415 #define TOK_SRCIDTYPE 25 416 #define TOK_DSTIDTYPE 26 417 #define TOK_DPD 27 418 #define TOK_SENS_LEVEL 28 419 #define TOK_SENS_MAP 29 420 #define TOK_INTEG_LEVEL 30 421 #define TOK_INTEG_MAP 31 422 #define TOK_SRCADDR6 32 423 #define TOK_DSTADDR6 33 424 #define TOK_PROXYADDR6 34 425 #define TOK_SRCPORT 35 426 #define TOK_DSTPORT 36 427 #define TOK_PROTO 37 428 #define TOK_ENCAP 38 429 #define TOK_NATLOC 39 430 #define TOK_NATREM 40 431 #define TOK_NATLPORT 41 432 #define TOK_NATRPORT 42 433 #define TOK_IPROTO 43 434 #define TOK_IDSTADDR 44 435 #define TOK_IDSTADDR6 45 436 #define TOK_ISRCPORT 46 437 #define TOK_IDSTPORT 47 438 #define TOK_PAIR_SPI 48 439 #define TOK_FLAG_INBOUND 49 440 #define TOK_FLAG_OUTBOUND 50 441 #define TOK_REPLAY_VALUE 51 442 #define TOK_IDLE_ADDTIME 52 443 #define TOK_IDLE_USETIME 53 444 445 static struct toktable { 446 char *string; 447 int token; 448 int next; 449 } tokens[] = { 450 /* "String", token value, next arg is */ 451 {"spi", TOK_SPI, NEXTNUM}, 452 {"pair-spi", TOK_PAIR_SPI, NEXTNUM}, 453 {"replay", TOK_REPLAY, NEXTNUM}, 454 {"state", TOK_STATE, NEXTNUMSTR}, 455 {"auth_alg", TOK_AUTHALG, NEXTNUMSTR}, 456 {"authalg", TOK_AUTHALG, NEXTNUMSTR}, 457 {"encr_alg", TOK_ENCRALG, NEXTNUMSTR}, 458 {"encralg", TOK_ENCRALG, NEXTNUMSTR}, 459 {"flags", TOK_FLAGS, NEXTNUM}, 460 {"soft_alloc", TOK_SOFT_ALLOC, NEXTNUM}, 461 {"soft_bytes", TOK_SOFT_BYTES, NEXTNUM}, 462 {"soft_addtime", TOK_SOFT_ADDTIME, NEXTNUM}, 463 {"soft_usetime", TOK_SOFT_USETIME, NEXTNUM}, 464 {"hard_alloc", TOK_HARD_ALLOC, NEXTNUM}, 465 {"hard_bytes", TOK_HARD_BYTES, NEXTNUM}, 466 {"hard_addtime", TOK_HARD_ADDTIME, NEXTNUM}, 467 {"hard_usetime", TOK_HARD_USETIME, NEXTNUM}, 468 {"current_alloc", TOK_CURRENT_ALLOC, NEXTNUM}, 469 {"current_bytes", TOK_CURRENT_BYTES, NEXTNUM}, 470 {"current_addtime", TOK_CURRENT_ADDTIME, NEXTNUM}, 471 {"current_usetime", TOK_CURRENT_USETIME, NEXTNUM}, 472 473 {"saddr", TOK_SRCADDR, NEXTADDR}, 474 {"srcaddr", TOK_SRCADDR, NEXTADDR}, 475 {"src", TOK_SRCADDR, NEXTADDR}, 476 {"daddr", TOK_DSTADDR, NEXTADDR}, 477 {"dstaddr", TOK_DSTADDR, NEXTADDR}, 478 {"dst", TOK_DSTADDR, NEXTADDR}, 479 {"proxyaddr", TOK_PROXYADDR, NEXTADDR}, 480 {"proxy", TOK_PROXYADDR, NEXTADDR}, 481 {"innersrc", TOK_PROXYADDR, NEXTADDR}, 482 {"isrc", TOK_PROXYADDR, NEXTADDR}, 483 {"innerdst", TOK_IDSTADDR, NEXTADDR}, 484 {"idst", TOK_IDSTADDR, NEXTADDR}, 485 486 {"sport", TOK_SRCPORT, NEXTNUM}, 487 {"dport", TOK_DSTPORT, NEXTNUM}, 488 {"innersport", TOK_ISRCPORT, NEXTNUM}, 489 {"isport", TOK_ISRCPORT, NEXTNUM}, 490 {"innerdport", TOK_IDSTPORT, NEXTNUM}, 491 {"idport", TOK_IDSTPORT, NEXTNUM}, 492 {"proto", TOK_PROTO, NEXTNUM}, 493 {"ulp", TOK_PROTO, NEXTNUM}, 494 {"iproto", TOK_IPROTO, NEXTNUM}, 495 {"iulp", TOK_IPROTO, NEXTNUM}, 496 497 {"saddr6", TOK_SRCADDR6, NEXTADDR}, 498 {"srcaddr6", TOK_SRCADDR6, NEXTADDR}, 499 {"src6", TOK_SRCADDR6, NEXTADDR}, 500 {"daddr6", TOK_DSTADDR6, NEXTADDR}, 501 {"dstaddr6", TOK_DSTADDR6, NEXTADDR}, 502 {"dst6", TOK_DSTADDR6, NEXTADDR}, 503 {"proxyaddr6", TOK_PROXYADDR6, NEXTADDR}, 504 {"proxy6", TOK_PROXYADDR6, NEXTADDR}, 505 {"innersrc6", TOK_PROXYADDR6, NEXTADDR}, 506 {"isrc6", TOK_PROXYADDR6, NEXTADDR}, 507 {"innerdst6", TOK_IDSTADDR6, NEXTADDR}, 508 {"idst6", TOK_IDSTADDR6, NEXTADDR}, 509 510 {"authkey", TOK_AUTHKEY, NEXTHEX}, 511 {"encrkey", TOK_ENCRKEY, NEXTHEX}, 512 {"srcidtype", TOK_SRCIDTYPE, NEXTIDENT}, 513 {"dstidtype", TOK_DSTIDTYPE, NEXTIDENT}, 514 {"dpd", TOK_DPD, NEXTNUM}, 515 {"sens_level", TOK_SENS_LEVEL, NEXTNUM}, 516 {"sens_map", TOK_SENS_MAP, NEXTHEX}, 517 {"integ_level", TOK_INTEG_LEVEL, NEXTNUM}, 518 {"integ_map", TOK_INTEG_MAP, NEXTHEX}, 519 {"nat_loc", TOK_NATLOC, NEXTADDR}, 520 {"nat_rem", TOK_NATREM, NEXTADDR}, 521 {"nat_lport", TOK_NATLPORT, NEXTNUM}, 522 {"nat_rport", TOK_NATRPORT, NEXTNUM}, 523 {"encap", TOK_ENCAP, NEXTNUMSTR}, 524 525 {"outbound", TOK_FLAG_OUTBOUND, NULL}, 526 {"inbound", TOK_FLAG_INBOUND, NULL}, 527 528 {"replay_value", TOK_REPLAY_VALUE, NEXTNUM}, 529 {"idle_addtime", TOK_IDLE_ADDTIME, NEXTNUM}, 530 {"idle_usetime", TOK_IDLE_USETIME, NEXTNUM}, 531 {NULL, TOK_UNKNOWN, NEXTEOF} 532 }; 533 534 /* 535 * Q: Do I need stuff for proposals, combinations, supported algorithms, 536 * or SPI ranges? 537 * 538 * A: Probably not, but you never know. 539 * 540 * Parse out extension header type values. 541 */ 542 static int 543 parseextval(char *value, int *next) 544 { 545 struct toktable *tp; 546 547 if (value == NULL) 548 return (TOK_EOF); 549 550 for (tp = tokens; tp->string != NULL; tp++) 551 if (strcmp(value, tp->string) == 0) 552 break; 553 554 /* 555 * Since the OS controls what extensions are available, we don't have 556 * to parse numeric values here. 557 */ 558 559 *next = tp->next; 560 return (tp->token); 561 } 562 563 /* 564 * Parse possible state values. 565 */ 566 static uint8_t 567 parsestate(char *state, char *ebuf) 568 { 569 struct states { 570 char *state; 571 uint8_t retval; 572 } states[] = { 573 {"larval", SADB_SASTATE_LARVAL}, 574 {"mature", SADB_SASTATE_MATURE}, 575 {"dying", SADB_SASTATE_DYING}, 576 {"dead", SADB_SASTATE_DEAD}, 577 {NULL, 0} 578 }; 579 struct states *sp; 580 char *ep = NULL; 581 582 if (state == NULL) { 583 FATAL(ep, ebuf, "Unexpected end of command line " 584 "was expecting a state.\n"); 585 } 586 587 for (sp = states; sp->state != NULL; sp++) { 588 if (strcmp(sp->state, state) == 0) 589 return (sp->retval); 590 } 591 ERROR1(ep, ebuf, gettext("Unknown state type \"%s\"\n"), state); 592 handle_errors(ep, NULL, B_FALSE, B_FALSE); 593 return (0); 594 } 595 596 /* 597 * Return the numerical algorithm identifier corresponding to the specified 598 * algorithm name. 599 */ 600 static uint8_t 601 parsealg(char *alg, int proto_num, char *ebuf) 602 { 603 u_longlong_t invalue; 604 struct ipsecalgent *algent; 605 char *ep = NULL; 606 607 if (alg == NULL) { 608 FATAL(ep, ebuf, gettext("Unexpected end of command line, " 609 "was expecting an algorithm name.\n")); 610 } 611 612 algent = getipsecalgbyname(alg, proto_num, NULL); 613 if (algent != NULL) { 614 uint8_t alg_num; 615 616 alg_num = algent->a_alg_num; 617 freeipsecalgent(algent); 618 619 return (alg_num); 620 } 621 622 /* 623 * Since algorithms can be loaded during kernel run-time, check for 624 * numeric algorithm values too. PF_KEY can catch bad ones with EINVAL. 625 */ 626 invalue = parsenum(alg, B_FALSE, ebuf); 627 if (invalue != (u_longlong_t)-1 && 628 (u_longlong_t)(invalue & (u_longlong_t)0xff) == invalue) 629 return ((uint8_t)invalue); 630 631 if (proto_num == IPSEC_PROTO_ESP) { 632 ERROR1(ep, ebuf, gettext( 633 "Unknown encryption algorithm type \"%s\"\n"), alg); 634 } else { 635 ERROR1(ep, ebuf, gettext( 636 "Unknown authentication algorithm type \"%s\"\n"), alg); 637 } 638 handle_errors(ep, NULL, B_FALSE, B_FALSE); 639 return (0); 640 } 641 642 /* 643 * Parse and reverse parse out a source/destination ID type. 644 */ 645 static struct idtypes { 646 char *idtype; 647 uint8_t retval; 648 } idtypes[] = { 649 {"prefix", SADB_IDENTTYPE_PREFIX}, 650 {"fqdn", SADB_IDENTTYPE_FQDN}, 651 {"domain", SADB_IDENTTYPE_FQDN}, 652 {"domainname", SADB_IDENTTYPE_FQDN}, 653 {"user_fqdn", SADB_IDENTTYPE_USER_FQDN}, 654 {"mailbox", SADB_IDENTTYPE_USER_FQDN}, 655 {"der_dn", SADB_X_IDENTTYPE_DN}, 656 {"der_gn", SADB_X_IDENTTYPE_GN}, 657 {NULL, 0} 658 }; 659 660 static uint16_t 661 parseidtype(char *type, char *ebuf) 662 { 663 struct idtypes *idp; 664 u_longlong_t invalue; 665 char *ep = NULL; 666 667 if (type == NULL) { 668 /* Shouldn't reach here, see callers for why. */ 669 FATAL(ep, ebuf, gettext("Unexpected end of command line, " 670 "was expecting a type.\n")); 671 } 672 673 for (idp = idtypes; idp->idtype != NULL; idp++) { 674 if (strcasecmp(idp->idtype, type) == 0) 675 return (idp->retval); 676 } 677 /* 678 * Since identity types are almost arbitrary, check for numeric 679 * algorithm values too. PF_KEY can catch bad ones with EINVAL. 680 */ 681 invalue = parsenum(type, B_FALSE, ebuf); 682 if (invalue != (u_longlong_t)-1 && 683 (u_longlong_t)(invalue & (u_longlong_t)0xffff) == invalue) 684 return ((uint16_t)invalue); 685 686 687 ERROR1(ep, ebuf, gettext("Unknown identity type \"%s\"\n"), type); 688 689 handle_errors(ep, NULL, B_FALSE, B_FALSE); 690 return (0); 691 } 692 693 /* 694 * Parse an address off the command line. Return length of sockaddr, 695 * and either return a hostent pointer (caller frees). The new 696 * getipnodebyname() call does the Right Thing (TM), even with 697 * raw addresses (colon-separated IPv6 or dotted decimal IPv4). 698 */ 699 700 static struct { 701 struct hostent he; 702 char *addtl[2]; 703 } dummy; 704 static union { 705 struct in6_addr ipv6; 706 struct in_addr ipv4; 707 uint64_t aligner; 708 } addr1; 709 710 static int 711 parseaddr(char *addr, struct hostent **hpp, boolean_t v6only, char *ebuf) 712 { 713 int hp_errno; 714 struct hostent *hp = NULL; 715 char *ep = NULL; 716 717 if (addr == NULL) { 718 FATAL(ep, ebuf, gettext("Unexpected end of command line, " 719 "was expecting an address.\n")); 720 } 721 722 if (!nflag) { 723 /* 724 * Try name->address first. Assume AF_INET6, and 725 * get IPv4's, plus IPv6's if and only if IPv6 is configured. 726 * This means to add IPv6 SAs, you must have IPv6 727 * up-and-running. (AI_DEFAULT works here.) 728 */ 729 hp = getipnodebyname(addr, AF_INET6, 730 (v6only ? AI_ADDRCONFIG : (AI_DEFAULT | AI_ALL)), 731 &hp_errno); 732 } else { 733 /* 734 * Try a normal address conversion only. Use "dummy" 735 * to construct a fake hostent. Caller will know not 736 * to free this one. 737 */ 738 if (inet_pton(AF_INET6, addr, &addr1) == 1) { 739 dummy.he.h_addr_list = dummy.addtl; 740 dummy.addtl[0] = (char *)&addr1; 741 dummy.addtl[1] = NULL; 742 hp = &dummy.he; 743 dummy.he.h_addrtype = AF_INET6; 744 dummy.he.h_length = sizeof (struct in6_addr); 745 } else if (inet_pton(AF_INET, addr, &addr1) == 1) { 746 /* 747 * Remap to AF_INET6 anyway. 748 */ 749 dummy.he.h_addr_list = dummy.addtl; 750 dummy.addtl[0] = (char *)&addr1; 751 dummy.addtl[1] = NULL; 752 hp = &dummy.he; 753 dummy.he.h_addrtype = AF_INET6; 754 dummy.he.h_length = sizeof (struct in6_addr); 755 /* 756 * NOTE: If macro changes to disallow in-place 757 * conversion, rewhack this. 758 */ 759 IN6_INADDR_TO_V4MAPPED(&addr1.ipv4, &addr1.ipv6); 760 } else { 761 hp = NULL; 762 } 763 } 764 765 if (hp == NULL) 766 WARN1(ep, ebuf, gettext("Unknown address %s."), addr); 767 768 *hpp = hp; 769 /* Always return sockaddr_in6 for now. */ 770 handle_errors(ep, NULL, B_FALSE, B_FALSE); 771 return (sizeof (struct sockaddr_in6)); 772 } 773 774 /* 775 * Parse a hex character for a key. A string will take the form: 776 * xxxxxxxxx/nn 777 * where 778 * xxxxxxxxx == a string of hex characters ([0-9][a-f][A-F]) 779 * nn == an optional decimal "mask". If it is not present, it 780 * is assumed that the hex string will be rounded to the nearest 781 * byte, where odd nibbles, like 123 will become 0x0123. 782 * 783 * NOTE:Unlike the expression of IP addresses, I will not allow an 784 * excessive "mask". For example 2112/50 is very illegal. 785 * NOTE2: This key should be in canonical order. Consult your man 786 * pages per algorithm about said order. 787 */ 788 789 #define hd2num(hd) (((hd) >= '0' && (hd) <= '9') ? ((hd) - '0') : \ 790 (((hd) >= 'a' && (hd) <= 'f') ? ((hd) - 'a' + 10) : ((hd) - 'A' + 10))) 791 792 static struct sadb_key * 793 parsekey(char *input, char *ebuf) 794 { 795 struct sadb_key *retval; 796 uint_t i, hexlen = 0, bits, alloclen; 797 uint8_t *key; 798 char *ep = NULL; 799 800 if (input == NULL) { 801 FATAL(ep, ebuf, gettext("Unexpected end of command line, " 802 "was expecting a key.\n")); 803 } 804 /* Allow hex values prepended with 0x convention */ 805 if ((strnlen(input, sizeof (hexlen)) > 2) && 806 (strncasecmp(input, "0x", 2) == 0)) 807 input += 2; 808 809 for (i = 0; input[i] != '\0' && input[i] != '/'; i++) 810 hexlen++; 811 812 if (input[i] == '\0') { 813 bits = 0; 814 } else { 815 /* Have /nn. */ 816 input[i] = '\0'; 817 if (sscanf((input + i + 1), "%u", &bits) != 1) { 818 FATAL1(ep, ebuf, gettext( 819 "\"%s\" is not a bit specifier.\n"), 820 (input + i + 1)); 821 } 822 /* hexlen in nibbles */ 823 if (((bits + 3) >> 2) > hexlen) { 824 ERROR2(ep, ebuf, gettext( 825 "bit length %d is too big for %s.\n"), bits, input); 826 } 827 /* 828 * Adjust hexlen down if user gave us too small of a bit 829 * count. 830 */ 831 if ((hexlen << 2) > bits + 3) { 832 WARN2(ep, ebuf, gettext( 833 "WARNING: Lower bits will be truncated " 834 "for:\n\t%s/%d.\n"), input, bits); 835 hexlen = (bits + 3) >> 2; 836 input[hexlen] = '\0'; 837 } 838 } 839 840 /* 841 * Allocate. Remember, hexlen is in nibbles. 842 */ 843 844 alloclen = sizeof (*retval) + roundup((hexlen/2 + (hexlen & 0x1)), 8); 845 retval = malloc(alloclen); 846 847 if (retval == NULL) 848 Bail("malloc(parsekey)"); 849 retval->sadb_key_len = SADB_8TO64(alloclen); 850 retval->sadb_key_reserved = 0; 851 if (bits == 0) 852 retval->sadb_key_bits = (hexlen + (hexlen & 0x1)) << 2; 853 else 854 retval->sadb_key_bits = bits; 855 856 /* 857 * Read in nibbles. Read in odd-numbered as shifted high. 858 * (e.g. 123 becomes 0x1230). 859 */ 860 861 key = (uint8_t *)(retval + 1); 862 for (i = 0; input[i] != '\0'; i += 2) { 863 boolean_t second = (input[i + 1] != '\0'); 864 865 if (!isxdigit(input[i]) || 866 (!isxdigit(input[i + 1]) && second)) { 867 ERROR1(ep, ebuf, gettext( 868 "string '%s' not a hex value.\n"), input); 869 free(retval); 870 retval = NULL; 871 break; 872 } 873 *key = (hd2num(input[i]) << 4); 874 if (second) 875 *key |= hd2num(input[i + 1]); 876 else 877 break; /* out of for loop. */ 878 key++; 879 } 880 881 /* bzero the remaining bits if we're a non-octet amount. */ 882 if (bits & 0x7) 883 *((input[i] == '\0') ? key - 1 : key) &= 884 0xff << (8 - (bits & 0x7)); 885 886 handle_errors(ep, NULL, B_FALSE, B_FALSE); 887 return (retval); 888 } 889 890 /* 891 * Write a message to the PF_KEY socket. If verbose, print the message 892 * heading into the kernel. 893 */ 894 static int 895 key_write(int fd, void *msg, size_t len) 896 { 897 if (vflag) { 898 (void) printf( 899 gettext("VERBOSE ON: Message to kernel looks like:\n")); 900 (void) printf("==========================================\n"); 901 print_samsg(stdout, msg, B_FALSE, vflag, nflag); 902 (void) printf("==========================================\n"); 903 } 904 905 return (write(fd, msg, len)); 906 } 907 908 /* 909 * SIGALRM handler for time_critical_enter. 910 */ 911 static void 912 time_critical_catch(int signal) 913 { 914 if (signal == SIGALRM) { 915 errx(1, gettext("Reply message from PF_KEY timed out.")); 916 } else { 917 errx(1, gettext("Caught signal %d while trying to receive" 918 "PF_KEY reply message"), signal); 919 } 920 /* errx() calls exit. */ 921 } 922 923 #define TIME_CRITICAL_TIME 10 /* In seconds */ 924 925 /* 926 * Enter a "time critical" section where key is waiting for a return message. 927 */ 928 static void 929 time_critical_enter(void) 930 { 931 (void) signal(SIGALRM, time_critical_catch); 932 (void) alarm(TIME_CRITICAL_TIME); 933 } 934 935 /* 936 * Exit the "time critical" section after getting an appropriate return 937 * message. 938 */ 939 static void 940 time_critical_exit(void) 941 { 942 (void) alarm(0); 943 (void) signal(SIGALRM, SIG_DFL); 944 } 945 946 /* 947 * Construct a PF_KEY FLUSH message for the SA type specified. 948 */ 949 static void 950 doflush(int satype) 951 { 952 struct sadb_msg msg; 953 int rc; 954 955 msg_init(&msg, SADB_FLUSH, (uint8_t)satype); 956 rc = key_write(keysock, &msg, sizeof (msg)); 957 if (rc == -1) 958 Bail("write() to PF_KEY socket failed (in doflush)"); 959 960 time_critical_enter(); 961 do { 962 rc = read(keysock, &msg, sizeof (msg)); 963 if (rc == -1) 964 Bail("read (in doflush)"); 965 } while (msg.sadb_msg_seq != seq || msg.sadb_msg_pid != mypid); 966 time_critical_exit(); 967 968 /* 969 * I should _never_ hit the following unless: 970 * 971 * 1. There is a kernel bug. 972 * 2. There is another process filling in its pid with mine, and 973 * issuing a different message that would cause a different result. 974 */ 975 if (msg.sadb_msg_type != SADB_FLUSH || 976 msg.sadb_msg_satype != (uint8_t)satype) { 977 syslog((LOG_NOTICE|LOG_AUTH), 978 gettext("doflush: Return message not of type SADB_FLUSH!")); 979 Bail("doflush: Return message not of type SADB_FLUSH!"); 980 } 981 982 if (msg.sadb_msg_errno != 0) { 983 errno = msg.sadb_msg_errno; 984 if (errno == EINVAL) { 985 print_diagnostic(stderr, msg.sadb_x_msg_diagnostic); 986 warnx(gettext("Cannot flush SA type %d."), satype); 987 } 988 Bail("return message (in doflush)"); 989 } 990 } 991 992 /* 993 * save_XXX functions are used when "saving" the SA tables to either a 994 * file or standard output. They use the dump_XXX functions where needed, 995 * but mostly they use the rparseXXX functions. 996 */ 997 998 /* 999 * Because "save" and "dump" both use the SADB_DUMP message, fold both 1000 * into the same function. 1001 */ 1002 static void 1003 dodump(int satype, FILE *ofile) 1004 { 1005 struct sadb_msg *msg = (struct sadb_msg *)get_buffer; 1006 int rc; 1007 1008 if (ofile != NULL) { 1009 (void) fprintf(ofile, 1010 gettext("# This key file was generated by the")); 1011 (void) fprintf(ofile, 1012 gettext(" ipseckey(1m) command's 'save' feature.\n\n")); 1013 } 1014 msg_init(msg, SADB_DUMP, (uint8_t)satype); 1015 rc = key_write(keysock, msg, sizeof (*msg)); 1016 if (rc == -1) 1017 Bail("write to PF_KEY socket failed (in dodump)"); 1018 1019 do { 1020 /* 1021 * For DUMP, do only the read as a time critical section. 1022 */ 1023 time_critical_enter(); 1024 rc = read(keysock, get_buffer, sizeof (get_buffer)); 1025 time_critical_exit(); 1026 if (rc == -1) 1027 Bail("read (in dodump)"); 1028 if (msg->sadb_msg_pid == mypid && 1029 msg->sadb_msg_type == SADB_DUMP && 1030 msg->sadb_msg_seq != 0 && 1031 msg->sadb_msg_errno == 0) { 1032 if (ofile == NULL) { 1033 print_samsg(stdout, get_buffer, B_FALSE, vflag, 1034 nflag); 1035 (void) putchar('\n'); 1036 } else { 1037 save_assoc(get_buffer, ofile); 1038 } 1039 } 1040 } while (msg->sadb_msg_pid != mypid || 1041 (msg->sadb_msg_errno == 0 && msg->sadb_msg_seq != 0)); 1042 1043 if (ofile != NULL && ofile != stdout) 1044 (void) fclose(ofile); 1045 1046 if (msg->sadb_msg_errno == 0) { 1047 if (ofile == NULL) 1048 (void) printf( 1049 gettext("Dump succeeded for SA type %d.\n"), 1050 satype); 1051 } else { 1052 print_diagnostic(stderr, msg->sadb_x_msg_diagnostic); 1053 errno = msg->sadb_msg_errno; 1054 Bail("Dump failed"); 1055 } 1056 } 1057 1058 #define SCOPE_UNSPEC 0 1059 #define SCOPE_LINKLOCAL 1 1060 #define SCOPE_SITELOCAL 2 1061 #define SCOPE_GLOBAL 3 1062 #define SCOPE_V4COMPAT 4 1063 #define SCOPE_LOOPBACK 5 /* Pedantic, yes, but necessary. */ 1064 1065 static int 1066 ipv6_addr_scope(struct in6_addr *addr) 1067 { 1068 /* Don't return anything regarding multicast for now... */ 1069 1070 if (IN6_IS_ADDR_UNSPECIFIED(addr)) 1071 return (SCOPE_UNSPEC); 1072 1073 if (IN6_IS_ADDR_LINKLOCAL(addr)) 1074 return (SCOPE_LINKLOCAL); 1075 1076 if (IN6_IS_ADDR_SITELOCAL(addr)) 1077 return (SCOPE_SITELOCAL); 1078 1079 if (IN6_IS_ADDR_V4COMPAT(addr)) 1080 return (SCOPE_V4COMPAT); 1081 1082 if (IN6_IS_ADDR_LOOPBACK(addr)) 1083 return (SCOPE_LOOPBACK); 1084 1085 /* For now, return global by default. */ 1086 return (SCOPE_GLOBAL); 1087 } 1088 1089 /* 1090 * doaddresses(): 1091 * 1092 * Used by doaddup() and dodelget() to create new SA's based on the 1093 * provided source and destination addresses hostent. 1094 * 1095 * sadb_msg_type: expected PF_KEY reply message type 1096 * sadb_msg_satype: expected PF_KEY reply satype 1097 * cmd: user command 1098 * srchp: hostent for the source address(es) 1099 * dsthp: hostent for the destination address(es) 1100 * src: points to the SADB source address extension 1101 * dst: points to the SADB destination address extension 1102 * unspec_src: indicates an unspecified source address. 1103 * buffer: pointer to the SADB buffer to use with PF_KEY 1104 * buffer_size: size of buffer 1105 * spi: spi for this message (set by caller) 1106 * srcport: source port if specified 1107 * dstport: destination port if specified 1108 * proto: IP protocol number if specified 1109 * iproto: Inner (tunnel mode) IP protocol number if specified 1110 * NATT note: we are going to assume a semi-sane world where NAT 1111 * boxen don't explode to multiple addresses. 1112 */ 1113 static void 1114 doaddresses(uint8_t sadb_msg_type, uint8_t sadb_msg_satype, int cmd, 1115 struct hostent *srchp, struct hostent *dsthp, 1116 struct sadb_address *src, struct sadb_address *dst, 1117 boolean_t unspec_src, uint64_t *buffer, int buffer_size, uint32_t spi, 1118 char *ebuf) 1119 { 1120 boolean_t single_dst; 1121 struct sockaddr_in6 *sin6; 1122 struct sadb_msg *msgp; 1123 int i, rc; 1124 char **walker; /* For the SRC and PROXY walking functions. */ 1125 char *first_match; 1126 uint64_t savebuf[MAX_GET_SIZE]; 1127 uint16_t srcport = 0, dstport = 0; 1128 char *ep = NULL; 1129 1130 /* 1131 * Okay, now we have "src", "dst", and maybe "proxy" reassigned 1132 * to point into the buffer to be written to PF_KEY, we can do 1133 * potentially several writes based on destination address. 1134 * 1135 * First, obtain port numbers from passed-in extensions. 1136 */ 1137 1138 if (src != NULL) { 1139 sin6 = (struct sockaddr_in6 *)(src + 1); 1140 srcport = ntohs(sin6->sin6_port); 1141 } 1142 if (dst != NULL) { 1143 sin6 = (struct sockaddr_in6 *)(dst + 1); 1144 dstport = ntohs(sin6->sin6_port); 1145 } 1146 1147 /* 1148 * The rules for ADD, GET, and UPDATE: (NOTE: This assumes IPsec. 1149 * If other consumers of PF_KEY happen, this will have to be 1150 * rewhacked.): 1151 * 1152 * Do a message for every possible DST address. 1153 * 1154 * If a source or proxy address explodes, keep unspecified 1155 * (and mention unspecified). 1156 * 1157 * If dsthp is == dummy.he, then go through the loop once. 1158 * If any other hp is == dummy.he, then you don't have to apply any 1159 * silly rules. 1160 * 1161 * DELETE is different, because you can leave either "src" or "dst" 1162 * blank! You need to explode if one of them is full, and not assume 1163 * that the other is set. 1164 */ 1165 1166 if (dsthp == NULL) { 1167 /* 1168 * No destination address specified. 1169 * With extended diagnostics, we don't have to bail the 1170 * non-DELETE cases here. The EINVAL diagnostics will be 1171 * enough to inform the user(s) what happened. 1172 */ 1173 i = 0; 1174 do { 1175 if (srchp == &dummy.he) { 1176 /* Just to be sure... */ 1177 srchp->h_addr_list[1] = NULL; 1178 } else if (srchp != NULL) { 1179 /* Degenerate case, h_addr_list[0] == NULL. */ 1180 if (srchp->h_addr_list[i] == NULL) 1181 Bail("Empty source address list"); 1182 1183 /* 1184 * Fill in the src sockaddr. 1185 */ 1186 sin6 = (struct sockaddr_in6 *)(src + 1); 1187 bzero(sin6, sizeof (*sin6)); 1188 bcopy(srchp->h_addr_list[i], &sin6->sin6_addr, 1189 sizeof (struct in6_addr)); 1190 sin6->sin6_family = AF_INET6; 1191 sin6->sin6_port = htons(srcport); 1192 } 1193 1194 /* Save off a copy for later writing... */ 1195 msgp = (struct sadb_msg *)buffer; 1196 bcopy(buffer, savebuf, SADB_64TO8(msgp->sadb_msg_len)); 1197 1198 rc = key_write(keysock, buffer, 1199 SADB_64TO8(msgp->sadb_msg_len)); 1200 if (rc == -1) 1201 Bail("write() to PF_KEY socket " 1202 "(in doaddresses)"); 1203 /* 1204 * Sends the message to the Solaris Cluster daemon 1205 */ 1206 1207 if (in_cluster_mode) { 1208 (void) sendto(cluster_socket, buffer, 1209 SADB_64TO8(msgp->sadb_msg_len), 0, 1210 (struct sockaddr *)&cli_addr, 1211 sizeof (cli_addr)); 1212 } 1213 1214 time_critical_enter(); 1215 do { 1216 rc = read(keysock, buffer, buffer_size); 1217 if (rc == -1) 1218 Bail("read (in doaddresses)"); 1219 } while (msgp->sadb_msg_seq != seq || 1220 msgp->sadb_msg_pid != mypid); 1221 time_critical_exit(); 1222 1223 if (msgp->sadb_msg_type != sadb_msg_type || 1224 msgp->sadb_msg_satype != sadb_msg_satype) { 1225 syslog((LOG_NOTICE|LOG_AUTH), gettext( 1226 "doaddresses: Unexpected returned message " 1227 "(%d exp %d)\n"), msgp->sadb_msg_type, 1228 sadb_msg_type); 1229 Bail("doaddresses: Unexpected returned " 1230 "message"); 1231 } 1232 1233 errno = msgp->sadb_msg_errno; 1234 if (errno != 0) { 1235 if (errno == EINVAL) { 1236 WARN(ep, ebuf, gettext( 1237 "One of the entered " 1238 "values is incorrect.")); 1239 print_diagnostic(stderr, 1240 msgp->sadb_x_msg_diagnostic); 1241 } else { 1242 Bail("return message (in doaddresses)"); 1243 } 1244 } 1245 1246 /* ...and then restore the saved buffer. */ 1247 msgp = (struct sadb_msg *)savebuf; 1248 bcopy(savebuf, buffer, SADB_64TO8(msgp->sadb_msg_len)); 1249 } while (srchp != NULL && srchp->h_addr_list[++i] != NULL); 1250 return; 1251 } 1252 1253 single_dst = (dsthp == &dummy.he || dsthp->h_addr_list[1] == NULL); 1254 1255 for (i = 0; dsthp->h_addr_list[i] != NULL; i++) { 1256 if (dsthp == &dummy.he) { 1257 /* Just to be sure... */ 1258 dsthp->h_addr_list[1] = NULL; 1259 } else { 1260 /* 1261 * Fill in the dst sockaddr. 1262 */ 1263 sin6 = (struct sockaddr_in6 *)(dst + 1); 1264 bzero(sin6, sizeof (*sin6)); 1265 bcopy(dsthp->h_addr_list[i], &sin6->sin6_addr, 1266 sizeof (struct in6_addr)); 1267 sin6->sin6_family = AF_INET6; 1268 sin6->sin6_port = htons(dstport); 1269 } 1270 1271 /* 1272 * Try and assign src, if there's any ambiguity. 1273 */ 1274 if (!unspec_src && srchp != &dummy.he) { 1275 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 1276 /* 1277 * IPv4 address. Find an IPv4 address, then 1278 * keep looking for a second one. If a second 1279 * exists, print a message, and fill in the 1280 * unspecified address. 1281 */ 1282 first_match = NULL; 1283 1284 for (walker = srchp->h_addr_list; 1285 *walker != NULL; walker++) { 1286 /* LINTED E_BAD_PTR_CAST_ALIGN */ 1287 if (IN6_IS_ADDR_V4MAPPED( 1288 (struct in6_addr *)*walker)) { 1289 if (first_match != NULL) 1290 break; 1291 else 1292 first_match = *walker; 1293 } 1294 } 1295 sin6 = (struct sockaddr_in6 *)(src + 1); 1296 bzero(sin6, sizeof (*sin6)); 1297 1298 if (first_match == NULL) { 1299 /* 1300 * No IPv4 hits. Is this a single 1301 * dest? 1302 */ 1303 WARN1(ep, ebuf, gettext( 1304 "No IPv4 source address " 1305 "for name %s.\n"), srchp->h_name); 1306 if (single_dst) { 1307 ERROR(ep, ebuf, gettext( 1308 "Only single destination " 1309 "IP address.\n")); 1310 } else { 1311 /* Continue, but do I print? */ 1312 continue; /* for loop */ 1313 } 1314 1315 /* I should never reach here. */ 1316 } 1317 1318 sin6->sin6_family = AF_INET6; 1319 sin6->sin6_port = htons(srcport); 1320 if (*walker != NULL) { 1321 /* 1322 * Early loop exit. It must've been 1323 * multiple hits... 1324 * 1325 * Issue a null-source warning? 1326 */ 1327 WARN1(ep, ebuf, gettext( 1328 "Multiple IPv4 source addresses " 1329 "for %s, using unspecified source " 1330 "instead."), srchp->h_name); 1331 } else { 1332 /* 1333 * If I reach here w/o hitting the 1334 * previous if statements, I have a 1335 * single source address for this 1336 * destination. 1337 */ 1338 bcopy(first_match, &sin6->sin6_addr, 1339 sizeof (struct in6_addr)); 1340 } 1341 } else { 1342 /* 1343 * IPv6 address. Find an IPv6 address. 1344 * Unlike IPv4 addresses, things can get a 1345 * little more sticky with scopes, etc. 1346 */ 1347 int dst_scope, src_scope; 1348 1349 dst_scope = ipv6_addr_scope(&sin6->sin6_addr); 1350 1351 first_match = NULL; 1352 for (walker = srchp->h_addr_list; 1353 *walker != NULL; walker++) { 1354 /* LINTED E_BAD_PTR_CAST_ALIGN */ 1355 if (!IN6_IS_ADDR_V4MAPPED( 1356 (struct in6_addr *)*walker)) { 1357 /* 1358 * Set first-match, etc. 1359 * Take into account scopes, 1360 * and other IPv6 thingies. 1361 */ 1362 src_scope = ipv6_addr_scope( 1363 /* LINTED E_BAD_PTR_CAST */ 1364 (struct in6_addr *)*walker); 1365 if (src_scope == SCOPE_UNSPEC || 1366 src_scope == dst_scope) { 1367 if (first_match != 1368 NULL) 1369 break; 1370 else 1371 first_match = 1372 *walker; 1373 } 1374 } 1375 } 1376 1377 sin6 = (struct sockaddr_in6 *)(src + 1); 1378 bzero(sin6, sizeof (*sin6)); 1379 sin6->sin6_port = htons(srcport); 1380 if (first_match == NULL) { 1381 /* 1382 * No IPv6 hits. Is this a single 1383 * dest? 1384 */ 1385 WARN1(ep, ebuf, gettext( 1386 "No IPv6 source address of " 1387 "matching scope for name %s.\n"), 1388 srchp->h_name); 1389 if (single_dst) { 1390 ERROR(ep, ebuf, gettext( 1391 "Only a single IPV6 " 1392 "destination " 1393 "address.\n")); 1394 } else { 1395 /* Continue, but do I print? */ 1396 continue; /* for loop */ 1397 } 1398 1399 /* I should never reach here. */ 1400 } 1401 sin6->sin6_family = AF_INET6; 1402 if (*walker != NULL) { 1403 /* 1404 * Early loop exit. Issue a 1405 * null-source warning? 1406 */ 1407 WARN1(ep, ebuf, gettext( 1408 "Multiple IPv6 source addresses " 1409 "for %s of the same scope, using " 1410 "unspecified source instead.\n"), 1411 srchp->h_name); 1412 } else { 1413 /* 1414 * If I reach here w/o hitting the 1415 * previous if statements, I have a 1416 * single source address for this 1417 * destination. 1418 */ 1419 bcopy(first_match, &sin6->sin6_addr, 1420 sizeof (struct in6_addr)); 1421 } 1422 } 1423 } 1424 1425 /* 1426 * If there are errors at this point there is no 1427 * point sending anything to PF_KEY. 1428 */ 1429 handle_errors(ep, ebuf, B_TRUE, B_FALSE); 1430 1431 /* Save off a copy for later writing... */ 1432 msgp = (struct sadb_msg *)buffer; 1433 bcopy(buffer, savebuf, SADB_64TO8(msgp->sadb_msg_len)); 1434 1435 rc = key_write(keysock, buffer, SADB_64TO8(msgp->sadb_msg_len)); 1436 if (rc == -1) 1437 Bail("write() to PF_KEY socket (in doaddresses)"); 1438 1439 if (in_cluster_mode) { 1440 (void) sendto(cluster_socket, buffer, 1441 SADB_64TO8(msgp->sadb_msg_len), 0, 1442 (struct sockaddr *)&cli_addr, 1443 sizeof (cli_addr)); 1444 } 1445 /* Blank the key for paranoia's sake. */ 1446 bzero(buffer, buffer_size); 1447 time_critical_enter(); 1448 do { 1449 rc = read(keysock, buffer, buffer_size); 1450 if (rc == -1) 1451 Bail("read (in doaddresses)"); 1452 } while (msgp->sadb_msg_seq != seq || 1453 msgp->sadb_msg_pid != mypid); 1454 time_critical_exit(); 1455 1456 /* 1457 * I should _never_ hit the following unless: 1458 * 1459 * 1. There is a kernel bug. 1460 * 2. Another process is mistakenly using my pid in a PF_KEY 1461 * message. 1462 */ 1463 if (msgp->sadb_msg_type != sadb_msg_type || 1464 msgp->sadb_msg_satype != sadb_msg_satype) { 1465 syslog((LOG_NOTICE|LOG_AUTH), gettext( 1466 "doaddresses: Unexpected returned message " 1467 "(%d exp %d)\n"), msgp->sadb_msg_type, 1468 sadb_msg_type); 1469 Bail("doaddresses: Unexpected returned message"); 1470 } 1471 1472 if (msgp->sadb_msg_errno != 0) { 1473 char addrprint[INET6_ADDRSTRLEN]; 1474 int on_errno = 0; 1475 char *on_errno_msg; 1476 1477 /* 1478 * Print different error messages depending 1479 * on the SADB message type being processed. 1480 * If we get a ESRCH error for a GET/DELETE 1481 * messages, we report that the SA does not 1482 * exist. If we get a EEXIST error for a 1483 * ADD/UPDATE message, we report that the 1484 * SA already exists. 1485 */ 1486 if (sadb_msg_type == SADB_GET || 1487 sadb_msg_type == SADB_DELETE) { 1488 on_errno = ESRCH; 1489 on_errno_msg = "does not exist"; 1490 } else if (sadb_msg_type == SADB_ADD || 1491 sadb_msg_type == SADB_UPDATE) { 1492 on_errno = EEXIST; 1493 on_errno_msg = "already exists"; 1494 } 1495 1496 errno = msgp->sadb_msg_errno; 1497 if (errno == on_errno) { 1498 ERROR2(ep, ebuf, gettext( 1499 "Association (type = %s) " 1500 "with spi 0x%x and addr\n"), 1501 rparsesatype(msgp->sadb_msg_satype), 1502 ntohl(spi)); 1503 ERROR2(ep, ebuf, "%s %s.\n", 1504 do_inet_ntop(dsthp->h_addr_list[i], 1505 addrprint, sizeof (addrprint)), 1506 on_errno_msg); 1507 msgp = (struct sadb_msg *)savebuf; 1508 bcopy(savebuf, buffer, 1509 SADB_64TO8(msgp->sadb_msg_len)); 1510 continue; 1511 } else { 1512 if (errno == EINVAL || errno == ESRCH) { 1513 ERROR2(ep, ebuf, gettext( 1514 "PF_KEY Diagnostic code %u: %s.\n"), 1515 msgp->sadb_x_msg_diagnostic, 1516 keysock_diag( 1517 msgp->sadb_x_msg_diagnostic)); 1518 } else { 1519 Bail("return message (in doaddresses)"); 1520 } 1521 } 1522 } 1523 1524 if (cmd == CMD_GET) { 1525 if (msgp->sadb_msg_len > MAX_GET_SIZE) { 1526 WARN1(ep, ebuf, gettext("WARNING: " 1527 "SA information bigger than %d bytes.\n"), 1528 SADB_64TO8(MAX_GET_SIZE)); 1529 } 1530 print_samsg(stdout, buffer, B_FALSE, vflag, nflag); 1531 } 1532 1533 handle_errors(ep, ebuf, B_TRUE, B_FALSE); 1534 1535 /* ...and then restore the saved buffer. */ 1536 msgp = (struct sadb_msg *)savebuf; 1537 bcopy(savebuf, buffer, SADB_64TO8(msgp->sadb_msg_len)); 1538 lines_added++; 1539 } 1540 1541 /* Degenerate case, h_addr_list[0] == NULL. */ 1542 if (i == 0) 1543 Bail("Empty destination address list"); 1544 1545 /* 1546 * free(ebuf) even if there are no errors. 1547 * handle_errors() won't return here. 1548 */ 1549 handle_errors(ep, ebuf, B_TRUE, B_TRUE); 1550 } 1551 1552 /* 1553 * Perform an add or an update. ADD and UPDATE are similar in the extensions 1554 * they need. 1555 */ 1556 static void 1557 doaddup(int cmd, int satype, char *argv[], char *ebuf) 1558 { 1559 uint64_t *buffer, *nexthdr; 1560 struct sadb_msg msg; 1561 struct sadb_sa *assoc = NULL; 1562 struct sadb_x_pair *sadb_pair = NULL; 1563 struct sadb_address *src = NULL, *dst = NULL; 1564 struct sadb_address *isrc = NULL, *idst = NULL; 1565 struct sadb_address *natt_local = NULL, *natt_remote = NULL; 1566 struct sadb_key *encrypt = NULL, *auth = NULL; 1567 struct sadb_ident *srcid = NULL, *dstid = NULL; 1568 struct sadb_lifetime *hard = NULL, *soft = NULL; /* Current? */ 1569 struct sadb_lifetime *idle = NULL; 1570 struct sadb_x_replay_ctr *replay_ctr = NULL; 1571 struct sockaddr_in6 *sin6; 1572 /* MLS TODO: Need sensitivity eventually. */ 1573 int next, token, sa_len, alloclen, totallen = sizeof (msg), prefix; 1574 uint32_t spi = 0; 1575 uint8_t sadb_msg_type; 1576 char *thiscmd, *pstr; 1577 boolean_t readstate = B_FALSE, unspec_src = B_FALSE; 1578 boolean_t alloc_inner = B_FALSE, use_natt = B_FALSE; 1579 struct hostent *srchp = NULL, *dsthp = NULL, *isrchp = NULL, 1580 *idsthp = NULL; 1581 struct hostent *natt_lhp = NULL, *natt_rhp = NULL; 1582 uint16_t srcport = 0, dstport = 0, natt_lport = 0, natt_rport = 0, 1583 isrcport = 0, idstport = 0; 1584 uint8_t proto = 0, iproto = 0; 1585 char *ep = NULL; 1586 1587 switch (cmd) { 1588 case CMD_ADD: 1589 thiscmd = "add"; 1590 sadb_msg_type = SADB_ADD; 1591 break; 1592 case CMD_UPDATE: 1593 thiscmd = "update"; 1594 sadb_msg_type = SADB_UPDATE; 1595 break; 1596 case CMD_UPDATE_PAIR: 1597 thiscmd = "update-pair"; 1598 sadb_msg_type = SADB_X_UPDATEPAIR; 1599 break; 1600 } 1601 1602 msg_init(&msg, sadb_msg_type, (uint8_t)satype); 1603 /* Assume last element in argv is set to NULL. */ 1604 do { 1605 token = parseextval(*argv, &next); 1606 argv++; 1607 switch (token) { 1608 case TOK_EOF: 1609 /* Do nothing, I'm done. */ 1610 break; 1611 case TOK_UNKNOWN: 1612 ERROR1(ep, ebuf, gettext( 1613 "Unknown extension field \"%s\" \n"), *(argv - 1)); 1614 break; 1615 case TOK_SPI: 1616 case TOK_PAIR_SPI: 1617 case TOK_REPLAY: 1618 case TOK_STATE: 1619 case TOK_AUTHALG: 1620 case TOK_ENCRALG: 1621 case TOK_ENCAP: 1622 /* 1623 * May want to place this chunk of code in a function. 1624 * 1625 * This code checks for duplicate entries on a command 1626 * line. 1627 */ 1628 1629 /* Allocate the SADB_EXT_SA extension. */ 1630 if (assoc == NULL) { 1631 assoc = malloc(sizeof (*assoc)); 1632 if (assoc == NULL) 1633 Bail("malloc(assoc)"); 1634 bzero(assoc, sizeof (*assoc)); 1635 assoc->sadb_sa_exttype = SADB_EXT_SA; 1636 assoc->sadb_sa_len = 1637 SADB_8TO64(sizeof (*assoc)); 1638 totallen += sizeof (*assoc); 1639 } 1640 switch (token) { 1641 case TOK_SPI: 1642 /* 1643 * If some cretin types in "spi 0" then he/she 1644 * can type in another SPI. 1645 */ 1646 if (assoc->sadb_sa_spi != 0) { 1647 ERROR(ep, ebuf, gettext( 1648 "Can only specify " 1649 "single SPI value.\n")); 1650 break; 1651 } 1652 /* Must convert SPI to network order! */ 1653 assoc->sadb_sa_spi = 1654 htonl((uint32_t)parsenum(*argv, B_TRUE, 1655 ebuf)); 1656 if (assoc->sadb_sa_spi == 0) { 1657 ERROR(ep, ebuf, gettext( 1658 "Invalid SPI value \"0\" .\n")); 1659 } 1660 break; 1661 case TOK_PAIR_SPI: 1662 if (cmd == CMD_UPDATE_PAIR) { 1663 ERROR(ep, ebuf, gettext( 1664 "pair-spi can not be used with the " 1665 "\"update-pair\" command.\n")); 1666 } 1667 if (sadb_pair == NULL) { 1668 sadb_pair = malloc(sizeof (*sadb_pair)); 1669 if (assoc == NULL) 1670 Bail("malloc(assoc)"); 1671 bzero(sadb_pair, sizeof (*sadb_pair)); 1672 totallen += sizeof (*sadb_pair); 1673 } 1674 if (sadb_pair->sadb_x_pair_spi != 0) { 1675 ERROR(ep, ebuf, gettext( 1676 "Can only specify " 1677 "single pair SPI value.\n")); 1678 break; 1679 } 1680 /* Must convert SPI to network order! */ 1681 sadb_pair->sadb_x_pair_len = 1682 SADB_8TO64(sizeof (*sadb_pair)); 1683 sadb_pair->sadb_x_pair_exttype = 1684 SADB_X_EXT_PAIR; 1685 sadb_pair->sadb_x_pair_spi = 1686 htonl((uint32_t)parsenum(*argv, B_TRUE, 1687 ebuf)); 1688 if (sadb_pair->sadb_x_pair_spi == 0) { 1689 ERROR(ep, ebuf, gettext( 1690 "Invalid SPI value \"0\" .\n")); 1691 } 1692 assoc->sadb_sa_flags |= 1693 SADB_X_SAFLAGS_PAIRED; 1694 break; 1695 case TOK_REPLAY: 1696 /* 1697 * That same cretin can do the same with 1698 * replay. 1699 */ 1700 if (assoc->sadb_sa_replay != 0) { 1701 ERROR(ep, ebuf, gettext( 1702 "Can only specify " 1703 "single replay window size.\n")); 1704 break; 1705 } 1706 assoc->sadb_sa_replay = 1707 (uint8_t)parsenum(*argv, B_TRUE, ebuf); 1708 if (assoc->sadb_sa_replay != 0) { 1709 WARN(ep, ebuf, gettext( 1710 "WARNING: Replay with manual" 1711 " keying considered harmful.\n")); 1712 } 1713 break; 1714 case TOK_STATE: 1715 /* 1716 * 0 is an actual state value, LARVAL. This 1717 * means that one can type in the larval state 1718 * and then type in another state on the same 1719 * command line. 1720 */ 1721 if (assoc->sadb_sa_state != 0) { 1722 ERROR(ep, ebuf, gettext( 1723 "Can only specify " 1724 "single SA state.\n")); 1725 break; 1726 } 1727 assoc->sadb_sa_state = parsestate(*argv, 1728 ebuf); 1729 readstate = B_TRUE; 1730 break; 1731 case TOK_AUTHALG: 1732 if (assoc->sadb_sa_auth != 0) { 1733 ERROR(ep, ebuf, gettext( 1734 "Can only specify " 1735 "single auth algorithm.\n")); 1736 break; 1737 } 1738 assoc->sadb_sa_auth = parsealg(*argv, 1739 IPSEC_PROTO_AH, ebuf); 1740 break; 1741 case TOK_ENCRALG: 1742 if (satype == SADB_SATYPE_AH) { 1743 ERROR(ep, ebuf, gettext("Cannot specify" 1744 " encryption with SA type ah.\n")); 1745 break; 1746 } 1747 if (assoc->sadb_sa_encrypt != 0) { 1748 ERROR(ep, ebuf, gettext( 1749 "Can only specify " 1750 "single encryption algorithm.\n")); 1751 break; 1752 } 1753 assoc->sadb_sa_encrypt = parsealg(*argv, 1754 IPSEC_PROTO_ESP, ebuf); 1755 break; 1756 case TOK_ENCAP: 1757 if (use_natt) { 1758 ERROR(ep, ebuf, gettext( 1759 "Can only specify single" 1760 " encapsulation.\n")); 1761 break; 1762 } 1763 if (strncmp(*argv, "udp", 3)) { 1764 ERROR(ep, ebuf, gettext( 1765 "Can only specify udp" 1766 " encapsulation.\n")); 1767 break; 1768 } 1769 use_natt = B_TRUE; 1770 /* set assoc flags later */ 1771 break; 1772 } 1773 argv++; 1774 break; 1775 case TOK_SRCPORT: 1776 if (srcport != 0) { 1777 ERROR(ep, ebuf, gettext("Can only specify " 1778 "single source port.\n")); 1779 break; 1780 } 1781 srcport = parsenum(*argv, B_TRUE, ebuf); 1782 argv++; 1783 break; 1784 case TOK_DSTPORT: 1785 if (dstport != 0) { 1786 ERROR(ep, ebuf, gettext("Can only specify " 1787 "single destination port.\n")); 1788 break; 1789 } 1790 dstport = parsenum(*argv, B_TRUE, ebuf); 1791 argv++; 1792 break; 1793 case TOK_ISRCPORT: 1794 alloc_inner = B_TRUE; 1795 if (isrcport != 0) { 1796 ERROR(ep, ebuf, gettext( 1797 "Can only specify " 1798 "single inner-source port.\n")); 1799 break; 1800 } 1801 isrcport = parsenum(*argv, B_TRUE, ebuf); 1802 argv++; 1803 break; 1804 case TOK_IDSTPORT: 1805 alloc_inner = B_TRUE; 1806 if (idstport != 0) { 1807 ERROR(ep, ebuf, gettext( 1808 "Can only specify " 1809 "single inner-destination port.\n")); 1810 break; 1811 } 1812 idstport = parsenum(*argv, B_TRUE, ebuf); 1813 argv++; 1814 break; 1815 case TOK_NATLPORT: 1816 if (natt_lport != 0) { 1817 ERROR(ep, ebuf, gettext( 1818 "Can only specify " 1819 "single NAT-T local port.\n")); 1820 break; 1821 } 1822 natt_lport = parsenum(*argv, B_TRUE, ebuf); 1823 argv++; 1824 break; 1825 case TOK_NATRPORT: 1826 if (natt_rport != 0) { 1827 ERROR(ep, ebuf, gettext( 1828 "Can only specify " 1829 "single NAT-T remote port.\n")); 1830 break; 1831 } 1832 natt_rport = parsenum(*argv, B_TRUE, ebuf); 1833 argv++; 1834 break; 1835 1836 case TOK_PROTO: 1837 if (proto != 0) { 1838 ERROR(ep, ebuf, gettext( 1839 "Can only specify " 1840 "single protocol.\n")); 1841 break; 1842 } 1843 proto = parsenum(*argv, B_TRUE, ebuf); 1844 argv++; 1845 break; 1846 case TOK_IPROTO: 1847 alloc_inner = B_TRUE; 1848 if (iproto != 0) { 1849 ERROR(ep, ebuf, gettext( 1850 "Can only specify " 1851 "single inner protocol.\n")); 1852 break; 1853 } 1854 iproto = parsenum(*argv, B_TRUE, ebuf); 1855 argv++; 1856 break; 1857 case TOK_SRCADDR: 1858 case TOK_SRCADDR6: 1859 if (src != NULL) { 1860 ERROR(ep, ebuf, gettext( 1861 "Can only specify " 1862 "single source address.\n")); 1863 break; 1864 } 1865 sa_len = parseaddr(*argv, &srchp, 1866 (token == TOK_SRCADDR6), ebuf); 1867 if (srchp == NULL) { 1868 ERROR1(ep, ebuf, gettext( 1869 "Unknown src address \"%s\"\n"), *argv); 1870 break; 1871 } 1872 argv++; 1873 /* 1874 * Round of the sockaddr length to an 8 byte 1875 * boundary to make PF_KEY happy. 1876 */ 1877 alloclen = sizeof (*src) + roundup(sa_len, 8); 1878 src = malloc(alloclen); 1879 if (src == NULL) 1880 Bail("malloc(src)"); 1881 totallen += alloclen; 1882 src->sadb_address_len = SADB_8TO64(alloclen); 1883 src->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 1884 src->sadb_address_reserved = 0; 1885 src->sadb_address_prefixlen = 0; 1886 src->sadb_address_proto = 0; 1887 if (srchp == &dummy.he) { 1888 /* 1889 * Single address with -n flag. 1890 */ 1891 sin6 = (struct sockaddr_in6 *)(src + 1); 1892 bzero(sin6, sizeof (*sin6)); 1893 sin6->sin6_family = AF_INET6; 1894 bcopy(srchp->h_addr_list[0], &sin6->sin6_addr, 1895 sizeof (struct in6_addr)); 1896 } 1897 break; 1898 case TOK_DSTADDR: 1899 case TOK_DSTADDR6: 1900 if (dst != NULL) { 1901 ERROR(ep, ebuf, gettext( 1902 "Can only specify single " 1903 "destination address.\n")); 1904 break; 1905 } 1906 sa_len = parseaddr(*argv, &dsthp, 1907 (token == TOK_DSTADDR6), ebuf); 1908 if (dsthp == NULL) { 1909 ERROR1(ep, ebuf, gettext( 1910 "Unknown dst address \"%s\"\n"), *argv); 1911 break; 1912 } 1913 argv++; 1914 alloclen = sizeof (*dst) + roundup(sa_len, 8); 1915 dst = malloc(alloclen); 1916 if (dst == NULL) 1917 Bail("malloc(dst)"); 1918 totallen += alloclen; 1919 dst->sadb_address_len = SADB_8TO64(alloclen); 1920 dst->sadb_address_exttype = SADB_EXT_ADDRESS_DST; 1921 dst->sadb_address_reserved = 0; 1922 dst->sadb_address_prefixlen = 0; 1923 dst->sadb_address_proto = 0; 1924 if (dsthp == &dummy.he) { 1925 /* 1926 * Single address with -n flag. 1927 */ 1928 sin6 = (struct sockaddr_in6 *)(dst + 1); 1929 bzero(sin6, sizeof (*sin6)); 1930 sin6->sin6_family = AF_INET6; 1931 bcopy(dsthp->h_addr_list[0], &sin6->sin6_addr, 1932 sizeof (struct in6_addr)); 1933 } 1934 break; 1935 case TOK_PROXYADDR: 1936 case TOK_PROXYADDR6: 1937 if (isrc != NULL) { 1938 ERROR(ep, ebuf, gettext( 1939 "Can only specify single " 1940 "proxy/inner-source address.\n")); 1941 break; 1942 } 1943 if ((pstr = strchr(*argv, '/')) != NULL) { 1944 /* Parse out the prefix. */ 1945 errno = 0; 1946 prefix = strtol(pstr + 1, NULL, 10); 1947 if (errno != 0) { 1948 ERROR1(ep, ebuf, gettext( 1949 "Invalid prefix %s."), pstr); 1950 break; 1951 } 1952 /* Recycle pstr */ 1953 alloclen = (int)(pstr - *argv); 1954 pstr = malloc(alloclen + 1); 1955 if (pstr == NULL) { 1956 Bail("malloc(pstr)"); 1957 } 1958 (void) strlcpy(pstr, *argv, alloclen + 1); 1959 } else { 1960 pstr = *argv; 1961 /* 1962 * Assume mapping to AF_INET6, and we're a host. 1963 * XXX some miscreants may still make classful 1964 * assumptions. If this is a problem, fix it 1965 * here. 1966 */ 1967 prefix = 128; 1968 } 1969 sa_len = parseaddr(pstr, &isrchp, 1970 (token == TOK_PROXYADDR6), ebuf); 1971 if (isrchp == NULL) { 1972 ERROR1(ep, ebuf, gettext( 1973 "Unknown proxy/inner-source address " 1974 "\"%s\"\n"), *argv); 1975 break; 1976 } 1977 if (pstr != *argv) 1978 free(pstr); 1979 argv++; 1980 alloclen = sizeof (*isrc) + roundup(sa_len, 8); 1981 isrc = malloc(alloclen); 1982 if (isrc == NULL) 1983 Bail("malloc(isrc)"); 1984 totallen += alloclen; 1985 isrc->sadb_address_len = SADB_8TO64(alloclen); 1986 isrc->sadb_address_exttype = SADB_EXT_ADDRESS_PROXY; 1987 isrc->sadb_address_reserved = 0; 1988 isrc->sadb_address_prefixlen = prefix; 1989 isrc->sadb_address_proto = 0; 1990 if (isrchp == &dummy.he || 1991 isrchp->h_addr_list[1] == NULL) { 1992 /* 1993 * Single address with -n flag or single name. 1994 */ 1995 sin6 = (struct sockaddr_in6 *)(isrc + 1); 1996 bzero(sin6, sizeof (*sin6)); 1997 sin6->sin6_family = AF_INET6; 1998 bcopy(isrchp->h_addr_list[0], &sin6->sin6_addr, 1999 sizeof (struct in6_addr)); 2000 /* 2001 * normalize prefixlen for IPv4-mapped 2002 * addresses. 2003 */ 2004 if (prefix <= 32 && 2005 IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) 2006 isrc->sadb_address_prefixlen += 96; 2007 alloc_inner = B_TRUE; 2008 } else { 2009 /* 2010 * If the proxy/isrc address is vague, don't 2011 * bother. 2012 */ 2013 totallen -= alloclen; 2014 free(isrc); 2015 isrc = NULL; 2016 WARN1(ep, ebuf, gettext( 2017 "Proxy/inner-source address %s " 2018 "is vague, not using.\n"), isrchp->h_name); 2019 freehostent(isrchp); 2020 isrchp = NULL; 2021 break; 2022 } 2023 break; 2024 case TOK_IDSTADDR: 2025 case TOK_IDSTADDR6: 2026 if (idst != NULL) { 2027 ERROR(ep, ebuf, gettext( 2028 "Can only specify single " 2029 "inner-destination address.\n")); 2030 break; 2031 } 2032 if ((pstr = strchr(*argv, '/')) != NULL) { 2033 /* Parse out the prefix. */ 2034 errno = 0; 2035 prefix = strtol(pstr + 1, NULL, 10); 2036 if (errno != 0) { 2037 ERROR1(ep, ebuf, gettext( 2038 "Invalid prefix %s.\n"), pstr); 2039 break; 2040 } 2041 /* Recycle pstr */ 2042 alloclen = (int)(pstr - *argv); 2043 pstr = malloc(alloclen + 1); 2044 if (pstr == NULL) { 2045 Bail("malloc(pstr)"); 2046 } 2047 (void) strlcpy(pstr, *argv, alloclen + 1); 2048 } else { 2049 pstr = *argv; 2050 /* 2051 * Assume mapping to AF_INET6, and we're a host. 2052 * XXX some miscreants may still make classful 2053 * assumptions. If this is a problem, fix it 2054 * here. 2055 */ 2056 prefix = 128; 2057 } 2058 sa_len = parseaddr(pstr, &idsthp, 2059 (token == TOK_IDSTADDR6), ebuf); 2060 if (idsthp == NULL) { 2061 ERROR1(ep, ebuf, gettext( 2062 "Unknown Inner Src address " 2063 " \"%s\"\n"), *argv); 2064 break; 2065 } 2066 if (pstr != *argv) 2067 free(pstr); 2068 argv++; 2069 alloclen = sizeof (*idst) + roundup(sa_len, 8); 2070 idst = malloc(alloclen); 2071 if (idst == NULL) 2072 Bail("malloc(idst)"); 2073 totallen += alloclen; 2074 idst->sadb_address_len = SADB_8TO64(alloclen); 2075 idst->sadb_address_exttype = 2076 SADB_X_EXT_ADDRESS_INNER_DST; 2077 idst->sadb_address_reserved = 0; 2078 idst->sadb_address_prefixlen = prefix; 2079 idst->sadb_address_proto = 0; 2080 if (idsthp == &dummy.he || 2081 idsthp->h_addr_list[1] == NULL) { 2082 /* 2083 * Single address with -n flag or single name. 2084 */ 2085 sin6 = (struct sockaddr_in6 *)(idst + 1); 2086 bzero(sin6, sizeof (*sin6)); 2087 sin6->sin6_family = AF_INET6; 2088 bcopy(idsthp->h_addr_list[0], &sin6->sin6_addr, 2089 sizeof (struct in6_addr)); 2090 /* 2091 * normalize prefixlen for IPv4-mapped 2092 * addresses. 2093 */ 2094 if (prefix <= 32 && 2095 IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) 2096 idst->sadb_address_prefixlen += 96; 2097 alloc_inner = B_TRUE; 2098 } else { 2099 /* 2100 * If the idst address is vague, don't bother. 2101 */ 2102 totallen -= alloclen; 2103 free(idst); 2104 idst = NULL; 2105 WARN1(ep, ebuf, gettext( 2106 "Inner destination address %s " 2107 "is vague, not using.\n"), idsthp->h_name); 2108 freehostent(idsthp); 2109 idsthp = NULL; 2110 break; 2111 } 2112 break; 2113 case TOK_NATLOC: 2114 if (natt_local != NULL) { 2115 ERROR(ep, ebuf, gettext( 2116 "Can only specify " 2117 "single NAT-T local address.\n")); 2118 break; 2119 } 2120 sa_len = parseaddr(*argv, &natt_lhp, 0, ebuf); 2121 if (natt_lhp == NULL) { 2122 ERROR1(ep, ebuf, gettext( 2123 "Unknown NAT-T local address \"%s\"\n"), 2124 *argv); 2125 break; 2126 } 2127 argv++; 2128 /* 2129 * Round of the sockaddr length to an 8 byte 2130 * boundary to make PF_KEY happy. 2131 */ 2132 alloclen = sizeof (*natt_local) + roundup(sa_len, 8); 2133 natt_local = malloc(alloclen); 2134 if (natt_local == NULL) 2135 Bail("malloc(natt_local)"); 2136 totallen += alloclen; 2137 natt_local->sadb_address_len = SADB_8TO64(alloclen); 2138 natt_local->sadb_address_exttype = 2139 SADB_X_EXT_ADDRESS_NATT_LOC; 2140 natt_local->sadb_address_reserved = 0; 2141 natt_local->sadb_address_prefixlen = 0; 2142 natt_local->sadb_address_proto = 0; 2143 if (natt_lhp == &dummy.he || 2144 natt_lhp->h_addr_list[1] == NULL) { 2145 /* 2146 * Single address with -n flag or single name. 2147 */ 2148 sin6 = (struct sockaddr_in6 *)(natt_local + 1); 2149 bzero(sin6, sizeof (*sin6)); 2150 sin6->sin6_family = AF_INET6; 2151 bcopy(natt_lhp->h_addr_list[0], 2152 &sin6->sin6_addr, sizeof (struct in6_addr)); 2153 } else { 2154 /* 2155 * If the nat-local address is vague, don't 2156 * bother. 2157 */ 2158 totallen -= alloclen; 2159 free(natt_local); 2160 natt_local = NULL; 2161 WARN1(ep, ebuf, gettext( 2162 "NAT-T local address %s " 2163 "is vague, not using.\n"), 2164 natt_lhp->h_name); 2165 freehostent(natt_lhp); 2166 natt_lhp = NULL; 2167 break; 2168 } 2169 break; 2170 case TOK_NATREM: 2171 if (natt_remote != NULL) { 2172 ERROR(ep, ebuf, gettext( 2173 "Can only specify " 2174 "single NAT-T remote address.\n")); 2175 break; 2176 } 2177 sa_len = parseaddr(*argv, &natt_rhp, 0, ebuf); 2178 if (natt_rhp == NULL) { 2179 ERROR1(ep, ebuf, gettext( 2180 "Unknown NAT-T remote address \"%s\"\n"), 2181 *argv); 2182 break; 2183 } 2184 argv++; 2185 /* 2186 * Round of the sockaddr length to an 8 byte 2187 * boundary to make PF_KEY happy. 2188 */ 2189 alloclen = sizeof (*natt_remote) + roundup(sa_len, 8); 2190 natt_remote = malloc(alloclen); 2191 if (natt_remote == NULL) 2192 Bail("malloc(natt_remote)"); 2193 totallen += alloclen; 2194 natt_remote->sadb_address_len = SADB_8TO64(alloclen); 2195 natt_remote->sadb_address_exttype = 2196 SADB_X_EXT_ADDRESS_NATT_REM; 2197 natt_remote->sadb_address_reserved = 0; 2198 natt_remote->sadb_address_prefixlen = 0; 2199 natt_remote->sadb_address_proto = 0; 2200 if (natt_rhp == &dummy.he || 2201 natt_rhp->h_addr_list[1] == NULL) { 2202 /* 2203 * Single address with -n flag or single name. 2204 */ 2205 sin6 = (struct sockaddr_in6 *)(natt_remote + 1); 2206 bzero(sin6, sizeof (*sin6)); 2207 sin6->sin6_family = AF_INET6; 2208 bcopy(natt_rhp->h_addr_list[0], 2209 &sin6->sin6_addr, sizeof (struct in6_addr)); 2210 } else { 2211 /* 2212 * If the nat-renote address is vague, don't 2213 * bother. 2214 */ 2215 totallen -= alloclen; 2216 free(natt_remote); 2217 natt_remote = NULL; 2218 WARN1(ep, ebuf, gettext( 2219 "NAT-T remote address %s " 2220 "is vague, not using.\n"), 2221 natt_rhp->h_name); 2222 freehostent(natt_rhp); 2223 natt_rhp = NULL; 2224 break; 2225 } 2226 break; 2227 case TOK_ENCRKEY: 2228 if (encrypt != NULL) { 2229 ERROR(ep, ebuf, gettext( 2230 "Can only specify " 2231 "single encryption key.\n")); 2232 break; 2233 } 2234 if (assoc != NULL && 2235 assoc->sadb_sa_encrypt == SADB_EALG_NULL) { 2236 FATAL(ep, ebuf, gettext( 2237 "Cannot specify a key with NULL " 2238 "encryption algorithm.\n")); 2239 break; 2240 } 2241 encrypt = parsekey(*argv, ebuf); 2242 argv++; 2243 if (encrypt == NULL) { 2244 ERROR(ep, ebuf, gettext( 2245 "Invalid encryption key.\n")); 2246 break; 2247 } 2248 totallen += SADB_64TO8(encrypt->sadb_key_len); 2249 encrypt->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 2250 break; 2251 case TOK_AUTHKEY: 2252 if (auth != NULL) { 2253 ERROR(ep, ebuf, gettext( 2254 "Can only specify single" 2255 " authentication key.\n")); 2256 break; 2257 } 2258 auth = parsekey(*argv, ebuf); 2259 argv++; 2260 if (auth == NULL) { 2261 ERROR(ep, ebuf, gettext( 2262 "Invalid authentication key.\n")); 2263 break; 2264 } 2265 totallen += SADB_64TO8(auth->sadb_key_len); 2266 auth->sadb_key_exttype = SADB_EXT_KEY_AUTH; 2267 break; 2268 case TOK_SRCIDTYPE: 2269 if (*argv == NULL || *(argv + 1) == NULL) { 2270 FATAL(ep, ebuf, gettext( 2271 "Unexpected end of command " 2272 "line - Expecting Src Type.\n")); 2273 /* NOTREACHED */ 2274 break; 2275 } 2276 if (srcid != NULL) { 2277 ERROR(ep, ebuf, gettext( 2278 "Can only specify single" 2279 " source certificate identity.\n")); 2280 break; 2281 } 2282 alloclen = sizeof (*srcid) + 2283 roundup(strlen(*(argv + 1)) + 1, 8); 2284 srcid = malloc(alloclen); 2285 if (srcid == NULL) 2286 Bail("malloc(srcid)"); 2287 totallen += alloclen; 2288 srcid->sadb_ident_type = parseidtype(*argv, ebuf); 2289 argv++; 2290 srcid->sadb_ident_len = SADB_8TO64(alloclen); 2291 srcid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 2292 srcid->sadb_ident_reserved = 0; 2293 srcid->sadb_ident_id = 0; /* Not useful here. */ 2294 (void) strlcpy((char *)(srcid + 1), *argv, alloclen); 2295 argv++; 2296 break; 2297 case TOK_DSTIDTYPE: 2298 if (*argv == NULL || *(argv + 1) == NULL) { 2299 ERROR(ep, ebuf, gettext( 2300 "Unexpected end of command" 2301 " line - expecting dst type.\n")); 2302 break; 2303 } 2304 if (dstid != NULL) { 2305 ERROR(ep, ebuf, gettext( 2306 "Can only specify single destination " 2307 "certificate identity.\n")); 2308 break; 2309 } 2310 alloclen = sizeof (*dstid) + 2311 roundup(strlen(*(argv + 1)) + 1, 8); 2312 dstid = malloc(alloclen); 2313 if (dstid == NULL) 2314 Bail("malloc(dstid)"); 2315 totallen += alloclen; 2316 dstid->sadb_ident_type = parseidtype(*argv, ebuf); 2317 argv++; 2318 dstid->sadb_ident_len = SADB_8TO64(alloclen); 2319 dstid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 2320 dstid->sadb_ident_reserved = 0; 2321 dstid->sadb_ident_id = 0; /* Not useful here. */ 2322 (void) strlcpy((char *)(dstid + 1), *argv, alloclen); 2323 argv++; 2324 break; 2325 case TOK_HARD_ALLOC: 2326 case TOK_HARD_BYTES: 2327 case TOK_HARD_ADDTIME: 2328 case TOK_HARD_USETIME: 2329 if (hard == NULL) { 2330 hard = malloc(sizeof (*hard)); 2331 if (hard == NULL) 2332 Bail("malloc(hard_lifetime)"); 2333 bzero(hard, sizeof (*hard)); 2334 hard->sadb_lifetime_exttype = 2335 SADB_EXT_LIFETIME_HARD; 2336 hard->sadb_lifetime_len = 2337 SADB_8TO64(sizeof (*hard)); 2338 totallen += sizeof (*hard); 2339 } 2340 switch (token) { 2341 case TOK_HARD_ALLOC: 2342 if (hard->sadb_lifetime_allocations != 0) { 2343 ERROR(ep, ebuf, gettext( 2344 "Can only specify single" 2345 " hard allocation limit.\n")); 2346 break; 2347 } 2348 hard->sadb_lifetime_allocations = 2349 (uint32_t)parsenum(*argv, B_TRUE, ebuf); 2350 break; 2351 case TOK_HARD_BYTES: 2352 if (hard->sadb_lifetime_bytes != 0) { 2353 ERROR(ep, ebuf, gettext( 2354 "Can only specify " 2355 "single hard byte limit.\n")); 2356 break; 2357 } 2358 hard->sadb_lifetime_bytes = parsenum(*argv, 2359 B_TRUE, ebuf); 2360 break; 2361 case TOK_HARD_ADDTIME: 2362 if (hard->sadb_lifetime_addtime != 0) { 2363 ERROR(ep, ebuf, gettext( 2364 "Can only specify " 2365 "single past-add lifetime.\n")); 2366 break; 2367 } 2368 hard->sadb_lifetime_addtime = parsenum(*argv, 2369 B_TRUE, ebuf); 2370 break; 2371 case TOK_HARD_USETIME: 2372 if (hard->sadb_lifetime_usetime != 0) { 2373 ERROR(ep, ebuf, gettext( 2374 "Can only specify " 2375 "single past-use lifetime.\n")); 2376 break; 2377 } 2378 hard->sadb_lifetime_usetime = parsenum(*argv, 2379 B_TRUE, ebuf); 2380 break; 2381 } 2382 argv++; 2383 break; 2384 case TOK_SOFT_ALLOC: 2385 case TOK_SOFT_BYTES: 2386 case TOK_SOFT_ADDTIME: 2387 case TOK_SOFT_USETIME: 2388 if (soft == NULL) { 2389 soft = malloc(sizeof (*soft)); 2390 if (soft == NULL) 2391 Bail("malloc(soft_lifetime)"); 2392 bzero(soft, sizeof (*soft)); 2393 soft->sadb_lifetime_exttype = 2394 SADB_EXT_LIFETIME_SOFT; 2395 soft->sadb_lifetime_len = 2396 SADB_8TO64(sizeof (*soft)); 2397 totallen += sizeof (*soft); 2398 } 2399 switch (token) { 2400 case TOK_SOFT_ALLOC: 2401 if (soft->sadb_lifetime_allocations != 0) { 2402 ERROR(ep, ebuf, gettext( 2403 "Can only specify single" 2404 " soft allocation limit.\n")); 2405 break; 2406 } 2407 soft->sadb_lifetime_allocations = 2408 (uint32_t)parsenum(*argv, B_TRUE, ebuf); 2409 break; 2410 case TOK_SOFT_BYTES: 2411 if (soft->sadb_lifetime_bytes != 0) { 2412 ERROR(ep, ebuf, gettext( 2413 "Can only specify single" 2414 " soft byte limit.\n")); 2415 break; 2416 } 2417 soft->sadb_lifetime_bytes = parsenum(*argv, 2418 B_TRUE, ebuf); 2419 break; 2420 case TOK_SOFT_ADDTIME: 2421 if (soft->sadb_lifetime_addtime != 0) { 2422 ERROR(ep, ebuf, gettext( 2423 "Can only specify single" 2424 " past-add lifetime.\n")); 2425 break; 2426 } 2427 soft->sadb_lifetime_addtime = parsenum(*argv, 2428 B_TRUE, ebuf); 2429 break; 2430 case TOK_SOFT_USETIME: 2431 if (soft->sadb_lifetime_usetime != 0) { 2432 ERROR(ep, ebuf, gettext( 2433 "Can only specify single" 2434 " past-use lifetime.\n")); 2435 break; 2436 } 2437 soft->sadb_lifetime_usetime = parsenum(*argv, 2438 B_TRUE, ebuf); 2439 break; 2440 } 2441 argv++; 2442 break; 2443 case TOK_FLAG_INBOUND: 2444 assoc->sadb_sa_flags |= SADB_X_SAFLAGS_INBOUND; 2445 break; 2446 case TOK_FLAG_OUTBOUND: 2447 assoc->sadb_sa_flags |= SADB_X_SAFLAGS_OUTBOUND; 2448 break; 2449 case TOK_REPLAY_VALUE: 2450 if (replay_ctr != NULL) { 2451 ERROR(ep, ebuf, gettext( 2452 "Can only specify single " 2453 "replay value.")); 2454 break; 2455 } 2456 replay_ctr = calloc(1, sizeof (*replay_ctr)); 2457 if (replay_ctr == NULL) { 2458 Bail("malloc(replay value)"); 2459 } 2460 /* 2461 * We currently do not support a 64-bit 2462 * replay value. RFC 4301 will require one, 2463 * however, and we have a field in place when 2464 * 4301 is built. 2465 */ 2466 replay_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE; 2467 replay_ctr->sadb_x_rc_len = 2468 SADB_8TO64(sizeof (*replay_ctr)); 2469 totallen += sizeof (*replay_ctr); 2470 replay_ctr->sadb_x_rc_replay32 = (uint32_t)parsenum( 2471 *argv, B_TRUE, ebuf); 2472 argv++; 2473 break; 2474 case TOK_IDLE_ADDTIME: 2475 case TOK_IDLE_USETIME: 2476 if (idle == NULL) { 2477 idle = calloc(1, sizeof (*idle)); 2478 if (idle == NULL) { 2479 Bail("malloc idle lifetime"); 2480 } 2481 idle->sadb_lifetime_exttype = 2482 SADB_X_EXT_LIFETIME_IDLE; 2483 idle->sadb_lifetime_len = 2484 SADB_8TO64(sizeof (*idle)); 2485 totallen += sizeof (*idle); 2486 } 2487 switch (token) { 2488 case TOK_IDLE_ADDTIME: 2489 idle->sadb_lifetime_addtime = 2490 (uint32_t)parsenum(*argv, 2491 B_TRUE, ebuf); 2492 break; 2493 case TOK_IDLE_USETIME: 2494 idle->sadb_lifetime_usetime = 2495 (uint32_t)parsenum(*argv, 2496 B_TRUE, ebuf); 2497 break; 2498 } 2499 argv++; 2500 break; 2501 default: 2502 ERROR1(ep, ebuf, gettext( 2503 "Don't use extension %s for add/update.\n"), 2504 *(argv - 1)); 2505 break; 2506 } 2507 } while (token != TOK_EOF); 2508 2509 handle_errors(ep, ebuf, B_TRUE, B_FALSE); 2510 2511 #define PORT_ONLY_ALLOCATE(af, socktype, exttype, extvar, port) { \ 2512 alloclen = sizeof (sadb_address_t) + roundup(sizeof (socktype), 8); \ 2513 (extvar) = calloc(1, alloclen); \ 2514 if ((extvar) == NULL) { \ 2515 Bail("malloc(implicit port)"); \ 2516 } \ 2517 totallen += alloclen; \ 2518 (extvar)->sadb_address_len = SADB_8TO64(alloclen); \ 2519 (extvar)->sadb_address_exttype = (exttype); \ 2520 /* sin/sin6 has equivalent offsets for ports! */ \ 2521 sin6 = (struct sockaddr_in6 *)((extvar) + 1); \ 2522 sin6->sin6_family = (af); \ 2523 sin6->sin6_port = (port); \ 2524 } 2525 2526 /* 2527 * If we specify inner ports or NAT ports w/o addresses, we still need 2528 * to allocate. Also, if we have one inner address, we need the 2529 * other, even if we don't specify anything. 2530 */ 2531 if (use_natt) { 2532 if (natt_lport != 0 && natt_local == NULL) { 2533 PORT_ONLY_ALLOCATE(AF_INET, struct sockaddr_in, 2534 SADB_X_EXT_ADDRESS_NATT_LOC, natt_local, 2535 natt_lport); 2536 } 2537 2538 if (natt_rport != 0 && natt_remote == NULL) { 2539 PORT_ONLY_ALLOCATE(AF_INET, struct sockaddr_in, 2540 SADB_X_EXT_ADDRESS_NATT_REM, natt_remote, 2541 natt_rport); 2542 } 2543 } else { 2544 if (natt_lport != 0 || natt_rport != 0) { 2545 ERROR(ep, ebuf, gettext("Must specify 'encap udp' " 2546 "with any NAT-T port.\n")); 2547 } else if (natt_local != NULL || natt_remote != NULL) { 2548 ERROR(ep, ebuf, gettext("Must specify 'encap udp' " 2549 "with any NAT-T address.\n")); 2550 } 2551 } 2552 2553 if (alloc_inner && idst == NULL) { 2554 PORT_ONLY_ALLOCATE(AF_INET6, struct sockaddr_in6, 2555 SADB_X_EXT_ADDRESS_INNER_DST, idst, 0); 2556 } 2557 2558 if (alloc_inner && isrc == NULL) { 2559 PORT_ONLY_ALLOCATE(AF_INET6, struct sockaddr_in6, 2560 SADB_X_EXT_ADDRESS_INNER_SRC, isrc, 0); 2561 } 2562 #undef PORT_ONLY_ALLOCATE 2563 2564 /* 2565 * Okay, so now I have all of the potential extensions! 2566 * Allocate a single contiguous buffer. Keep in mind that it'll 2567 * be enough because the key itself will be yanked. 2568 */ 2569 2570 if (src == NULL && dst != NULL) { 2571 /* 2572 * Set explicit unspecified source address. 2573 */ 2574 size_t lenbytes = SADB_64TO8(dst->sadb_address_len); 2575 2576 unspec_src = B_TRUE; 2577 totallen += lenbytes; 2578 src = malloc(lenbytes); 2579 if (src == NULL) 2580 Bail("malloc(implicit src)"); 2581 /* Confusing, but we're copying from DST to SRC. :) */ 2582 bcopy(dst, src, lenbytes); 2583 src->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 2584 sin6 = (struct sockaddr_in6 *)(src + 1); 2585 bzero(sin6, sizeof (*sin6)); 2586 sin6->sin6_family = AF_INET6; 2587 } 2588 2589 msg.sadb_msg_len = SADB_8TO64(totallen); 2590 2591 buffer = malloc(totallen); 2592 nexthdr = buffer; 2593 bcopy(&msg, nexthdr, sizeof (msg)); 2594 nexthdr += SADB_8TO64(sizeof (msg)); 2595 if (assoc != NULL) { 2596 if (assoc->sadb_sa_spi == 0) { 2597 ERROR1(ep, ebuf, gettext( 2598 "The SPI value is missing for " 2599 "the association you wish to %s.\n"), thiscmd); 2600 } 2601 if (assoc->sadb_sa_auth == 0 && assoc->sadb_sa_encrypt == 0 && 2602 cmd == CMD_ADD) { 2603 free(assoc); 2604 FATAL(ep, ebuf, gettext( 2605 "Select at least one algorithm " 2606 "for this add.\n")); 2607 } 2608 2609 /* Hack to let user specify NULL ESP implicitly. */ 2610 if (msg.sadb_msg_satype == SADB_SATYPE_ESP && 2611 assoc->sadb_sa_encrypt == 0) 2612 assoc->sadb_sa_encrypt = SADB_EALG_NULL; 2613 2614 /* 0 is an actual value. Print a warning if it was entered. */ 2615 if (assoc->sadb_sa_state == 0) { 2616 if (readstate) { 2617 ERROR(ep, ebuf, gettext( 2618 "WARNING: Cannot set LARVAL SA state.\n")); 2619 } 2620 assoc->sadb_sa_state = SADB_SASTATE_MATURE; 2621 } 2622 2623 if (use_natt) { 2624 if (natt_remote != NULL) 2625 assoc->sadb_sa_flags |= SADB_X_SAFLAGS_NATT_REM; 2626 if (natt_local != NULL) 2627 assoc->sadb_sa_flags |= SADB_X_SAFLAGS_NATT_LOC; 2628 } 2629 2630 if (alloc_inner) { 2631 /* 2632 * For now, assume RFC 3884's dream of transport-mode 2633 * SAs with inner IP address selectors will not 2634 * happen. 2635 */ 2636 assoc->sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 2637 if (proto != 0 && proto != IPPROTO_ENCAP && 2638 proto != IPPROTO_IPV6) { 2639 ERROR1(ep, ebuf, gettext( 2640 "WARNING: Protocol type %d not " 2641 "for use with Tunnel-Mode SA.\n"), proto); 2642 /* Continue and let PF_KEY scream... */ 2643 } 2644 } 2645 2646 bcopy(assoc, nexthdr, SADB_64TO8(assoc->sadb_sa_len)); 2647 nexthdr += assoc->sadb_sa_len; 2648 /* Save the SPI for the case of an error. */ 2649 spi = assoc->sadb_sa_spi; 2650 free(assoc); 2651 } else { 2652 if (spi == 0) 2653 ERROR1(ep, ebuf, gettext( 2654 "Need to define SPI for %s.\n"), thiscmd); 2655 ERROR1(ep, ebuf, gettext( 2656 "Need SA parameters for %s.\n"), thiscmd); 2657 } 2658 2659 if (sadb_pair != NULL) { 2660 if (sadb_pair->sadb_x_pair_spi == 0) { 2661 ERROR1(ep, ebuf, gettext( 2662 "The SPI value is missing for the " 2663 "association you wish to %s.\n"), thiscmd); 2664 } 2665 bcopy(sadb_pair, nexthdr, 2666 SADB_64TO8(sadb_pair->sadb_x_pair_len)); 2667 nexthdr += sadb_pair->sadb_x_pair_len; 2668 free(sadb_pair); 2669 } 2670 2671 if (hard != NULL) { 2672 bcopy(hard, nexthdr, SADB_64TO8(hard->sadb_lifetime_len)); 2673 nexthdr += hard->sadb_lifetime_len; 2674 free(hard); 2675 } 2676 2677 if (soft != NULL) { 2678 bcopy(soft, nexthdr, SADB_64TO8(soft->sadb_lifetime_len)); 2679 nexthdr += soft->sadb_lifetime_len; 2680 free(soft); 2681 } 2682 2683 if (idle != NULL) { 2684 bcopy(idle, nexthdr, SADB_64TO8(idle->sadb_lifetime_len)); 2685 nexthdr += idle->sadb_lifetime_len; 2686 free(idle); 2687 } 2688 2689 if (encrypt == NULL && auth == NULL && cmd == CMD_ADD) { 2690 ERROR(ep, ebuf, gettext( 2691 "Must have at least one key for an add.\n")); 2692 } 2693 2694 if (encrypt != NULL) { 2695 bcopy(encrypt, nexthdr, SADB_64TO8(encrypt->sadb_key_len)); 2696 nexthdr += encrypt->sadb_key_len; 2697 bzero(encrypt, SADB_64TO8(encrypt->sadb_key_len)); 2698 free(encrypt); 2699 } 2700 2701 if (auth != NULL) { 2702 bcopy(auth, nexthdr, SADB_64TO8(auth->sadb_key_len)); 2703 nexthdr += auth->sadb_key_len; 2704 bzero(auth, SADB_64TO8(auth->sadb_key_len)); 2705 free(auth); 2706 } 2707 2708 if (srcid != NULL) { 2709 bcopy(srcid, nexthdr, SADB_64TO8(srcid->sadb_ident_len)); 2710 nexthdr += srcid->sadb_ident_len; 2711 free(srcid); 2712 } 2713 2714 if (dstid != NULL) { 2715 bcopy(dstid, nexthdr, SADB_64TO8(dstid->sadb_ident_len)); 2716 nexthdr += dstid->sadb_ident_len; 2717 free(dstid); 2718 } 2719 2720 if (dst != NULL) { 2721 bcopy(dst, nexthdr, SADB_64TO8(dst->sadb_address_len)); 2722 free(dst); 2723 dst = (struct sadb_address *)nexthdr; 2724 dst->sadb_address_proto = proto; 2725 ((struct sockaddr_in6 *)(dst + 1))->sin6_port = htons(dstport); 2726 nexthdr += dst->sadb_address_len; 2727 } else { 2728 FATAL1(ep, ebuf, gettext( 2729 "Need destination address for %s.\n"), thiscmd); 2730 } 2731 2732 if (use_natt) { 2733 if (natt_remote == NULL && natt_local == NULL) { 2734 ERROR(ep, ebuf, gettext( 2735 "Must specify NAT-T remote or local address " 2736 "for UDP encapsulation.\n")); 2737 } 2738 2739 if (natt_remote != NULL) { 2740 bcopy(natt_remote, nexthdr, 2741 SADB_64TO8(natt_remote->sadb_address_len)); 2742 free(natt_remote); 2743 natt_remote = (struct sadb_address *)nexthdr; 2744 nexthdr += natt_remote->sadb_address_len; 2745 ((struct sockaddr_in6 *)(natt_remote + 1))->sin6_port = 2746 htons(natt_rport); 2747 } 2748 2749 if (natt_local != NULL) { 2750 bcopy(natt_local, nexthdr, 2751 SADB_64TO8(natt_local->sadb_address_len)); 2752 free(natt_local); 2753 natt_local = (struct sadb_address *)nexthdr; 2754 nexthdr += natt_local->sadb_address_len; 2755 ((struct sockaddr_in6 *)(natt_local + 1))->sin6_port = 2756 htons(natt_lport); 2757 } 2758 } 2759 2760 handle_errors(ep, ebuf, B_TRUE, B_FALSE); 2761 2762 /* 2763 * PF_KEY requires a source address extension, even if the source 2764 * address itself is unspecified. (See "Set explicit unspecified..." 2765 * code fragment above. Destination reality check was above.) 2766 */ 2767 bcopy(src, nexthdr, SADB_64TO8(src->sadb_address_len)); 2768 free(src); 2769 src = (struct sadb_address *)nexthdr; 2770 src->sadb_address_proto = proto; 2771 ((struct sockaddr_in6 *)(src + 1))->sin6_port = htons(srcport); 2772 nexthdr += src->sadb_address_len; 2773 2774 if (isrc != NULL) { 2775 bcopy(isrc, nexthdr, SADB_64TO8(isrc->sadb_address_len)); 2776 free(isrc); 2777 isrc = (struct sadb_address *)nexthdr; 2778 isrc->sadb_address_proto = iproto; 2779 ((struct sockaddr_in6 *)(isrc + 1))->sin6_port = 2780 htons(isrcport); 2781 nexthdr += isrc->sadb_address_len; 2782 } 2783 2784 if (idst != NULL) { 2785 bcopy(idst, nexthdr, SADB_64TO8(idst->sadb_address_len)); 2786 free(idst); 2787 idst = (struct sadb_address *)nexthdr; 2788 idst->sadb_address_proto = iproto; 2789 ((struct sockaddr_in6 *)(idst + 1))->sin6_port = 2790 htons(idstport); 2791 nexthdr += idst->sadb_address_len; 2792 } 2793 2794 if (replay_ctr != NULL) { 2795 bcopy(replay_ctr, nexthdr, 2796 SADB_64TO8(replay_ctr->sadb_x_rc_len)); 2797 nexthdr += replay_ctr->sadb_x_rc_len; 2798 free(replay_ctr); 2799 } 2800 2801 if (cflag) { 2802 /* 2803 * Assume the checked cmd would have worked if it was actually 2804 * used. doaddresses() will increment lines_added if it 2805 * succeeds. 2806 */ 2807 lines_added++; 2808 } else { 2809 doaddresses(sadb_msg_type, satype, 2810 cmd, srchp, dsthp, src, dst, unspec_src, buffer, totallen, 2811 spi, ebuf); 2812 } 2813 2814 if (isrchp != NULL && isrchp != &dummy.he) 2815 freehostent(isrchp); 2816 if (idsthp != NULL && idsthp != &dummy.he) 2817 freehostent(idsthp); 2818 if (srchp != NULL && srchp != &dummy.he) 2819 freehostent(srchp); 2820 if (dsthp != NULL && dsthp != &dummy.he) 2821 freehostent(dsthp); 2822 if (natt_lhp != NULL && natt_lhp != &dummy.he) 2823 freehostent(natt_lhp); 2824 if (natt_rhp != NULL && natt_rhp != &dummy.he) 2825 freehostent(natt_rhp); 2826 2827 free(ebuf); 2828 free(buffer); 2829 } 2830 2831 /* 2832 * DELETE and GET are similar, in that they only need the extensions 2833 * required to _find_ an SA, and then either delete it or obtain its 2834 * information. 2835 */ 2836 static void 2837 dodelget(int cmd, int satype, char *argv[], char *ebuf) 2838 { 2839 struct sadb_msg *msg = (struct sadb_msg *)get_buffer; 2840 uint64_t *nextext; 2841 struct sadb_sa *assoc = NULL; 2842 struct sadb_address *src = NULL, *dst = NULL; 2843 int next, token, sa_len; 2844 char *thiscmd; 2845 uint32_t spi; 2846 uint8_t sadb_msg_type; 2847 struct hostent *srchp = NULL, *dsthp = NULL; 2848 struct sockaddr_in6 *sin6; 2849 boolean_t unspec_src = B_TRUE; 2850 uint16_t srcport = 0, dstport = 0; 2851 uint8_t proto = 0; 2852 char *ep = NULL; 2853 2854 /* Set the first extension header to right past the base message. */ 2855 nextext = (uint64_t *)(msg + 1); 2856 bzero(nextext, sizeof (get_buffer) - sizeof (*msg)); 2857 2858 switch (cmd) { 2859 case CMD_GET: 2860 thiscmd = "get"; 2861 sadb_msg_type = SADB_GET; 2862 break; 2863 case CMD_DELETE: 2864 thiscmd = "delete"; 2865 sadb_msg_type = SADB_DELETE; 2866 break; 2867 case CMD_DELETE_PAIR: 2868 thiscmd = "delete-pair"; 2869 sadb_msg_type = SADB_X_DELPAIR; 2870 break; 2871 } 2872 2873 msg_init(msg, sadb_msg_type, (uint8_t)satype); 2874 2875 #define ALLOC_ADDR_EXT(ext, exttype) \ 2876 (ext) = (struct sadb_address *)nextext; \ 2877 nextext = (uint64_t *)((ext) + 1); \ 2878 nextext += SADB_8TO64(roundup(sa_len, 8)); \ 2879 (ext)->sadb_address_exttype = exttype; \ 2880 (ext)->sadb_address_len = nextext - ((uint64_t *)ext); 2881 2882 /* Assume last element in argv is set to NULL. */ 2883 do { 2884 token = parseextval(*argv, &next); 2885 argv++; 2886 switch (token) { 2887 case TOK_EOF: 2888 /* Do nothing, I'm done. */ 2889 break; 2890 case TOK_UNKNOWN: 2891 ERROR1(ep, ebuf, gettext( 2892 "Unknown extension field \"%s\"\n"), *(argv - 1)); 2893 break; 2894 case TOK_SPI: 2895 if (assoc != NULL) { 2896 ERROR(ep, ebuf, gettext( 2897 "Can only specify single SPI value.\n")); 2898 break; 2899 } 2900 assoc = (struct sadb_sa *)nextext; 2901 nextext = (uint64_t *)(assoc + 1); 2902 assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc)); 2903 assoc->sadb_sa_exttype = SADB_EXT_SA; 2904 assoc->sadb_sa_spi = htonl((uint32_t)parsenum(*argv, 2905 B_TRUE, ebuf)); 2906 spi = assoc->sadb_sa_spi; 2907 argv++; 2908 break; 2909 case TOK_SRCPORT: 2910 if (srcport != 0) { 2911 ERROR(ep, ebuf, gettext( 2912 "Can only specify single source port.\n")); 2913 break; 2914 } 2915 srcport = parsenum(*argv, B_TRUE, ebuf); 2916 argv++; 2917 break; 2918 case TOK_DSTPORT: 2919 if (dstport != 0) { 2920 ERROR(ep, ebuf, gettext( 2921 "Can only " 2922 "specify single destination port.\n")); 2923 break; 2924 } 2925 dstport = parsenum(*argv, B_TRUE, ebuf); 2926 argv++; 2927 break; 2928 case TOK_PROTO: 2929 if (proto != 0) { 2930 ERROR(ep, ebuf, gettext( 2931 "Can only specify single protocol.\n")); 2932 break; 2933 } 2934 proto = parsenum(*argv, B_TRUE, ebuf); 2935 argv++; 2936 break; 2937 case TOK_SRCADDR: 2938 case TOK_SRCADDR6: 2939 if (src != NULL) { 2940 ERROR(ep, ebuf, gettext( 2941 "Can only specify single source addr.\n")); 2942 break; 2943 } 2944 sa_len = parseaddr(*argv, &srchp, 2945 (token == TOK_SRCADDR6), ebuf); 2946 if (srchp == NULL) { 2947 ERROR1(ep, ebuf, gettext( 2948 "Unknown source address \"%s\"\n"), *argv); 2949 break; 2950 } 2951 argv++; 2952 2953 unspec_src = B_FALSE; 2954 2955 ALLOC_ADDR_EXT(src, SADB_EXT_ADDRESS_SRC); 2956 2957 if (srchp == &dummy.he) { 2958 /* 2959 * Single address with -n flag. 2960 */ 2961 sin6 = (struct sockaddr_in6 *)(src + 1); 2962 bzero(sin6, sizeof (*sin6)); 2963 sin6->sin6_family = AF_INET6; 2964 bcopy(srchp->h_addr_list[0], &sin6->sin6_addr, 2965 sizeof (struct in6_addr)); 2966 } 2967 /* The rest is pre-bzeroed for us. */ 2968 break; 2969 case TOK_DSTADDR: 2970 case TOK_DSTADDR6: 2971 if (dst != NULL) { 2972 ERROR(ep, ebuf, gettext( 2973 "Can only specify single destination " 2974 "address.\n")); 2975 break; 2976 } 2977 sa_len = parseaddr(*argv, &dsthp, 2978 (token == TOK_SRCADDR6), ebuf); 2979 if (dsthp == NULL) { 2980 ERROR1(ep, ebuf, gettext( 2981 "Unknown destination address \"%s\"\n"), 2982 *argv); 2983 break; 2984 } 2985 argv++; 2986 2987 ALLOC_ADDR_EXT(dst, SADB_EXT_ADDRESS_DST); 2988 2989 if (dsthp == &dummy.he) { 2990 /* 2991 * Single address with -n flag. 2992 */ 2993 sin6 = (struct sockaddr_in6 *)(dst + 1); 2994 bzero(sin6, sizeof (*sin6)); 2995 sin6->sin6_family = AF_INET6; 2996 bcopy(dsthp->h_addr_list[0], &sin6->sin6_addr, 2997 sizeof (struct in6_addr)); 2998 } 2999 /* The rest is pre-bzeroed for us. */ 3000 break; 3001 case TOK_FLAG_INBOUND: 3002 assoc->sadb_sa_flags |= SADB_X_SAFLAGS_INBOUND; 3003 break; 3004 case TOK_FLAG_OUTBOUND: 3005 assoc->sadb_sa_flags |= SADB_X_SAFLAGS_OUTBOUND; 3006 break; 3007 default: 3008 ERROR2(ep, ebuf, gettext( 3009 "Don't use extension %s for '%s' command.\n"), 3010 *(argv - 1), thiscmd); 3011 break; 3012 } 3013 } while (token != TOK_EOF); 3014 3015 handle_errors(ep, ebuf, B_TRUE, B_FALSE); 3016 3017 if ((srcport != 0) && (src == NULL)) { 3018 ALLOC_ADDR_EXT(src, SADB_EXT_ADDRESS_SRC); 3019 sin6 = (struct sockaddr_in6 *)(src + 1); 3020 src->sadb_address_proto = proto; 3021 bzero(sin6, sizeof (*sin6)); 3022 sin6->sin6_family = AF_INET6; 3023 sin6->sin6_port = htons(srcport); 3024 } 3025 3026 if ((dstport != 0) && (dst == NULL)) { 3027 ALLOC_ADDR_EXT(dst, SADB_EXT_ADDRESS_DST); 3028 sin6 = (struct sockaddr_in6 *)(dst + 1); 3029 src->sadb_address_proto = proto; 3030 bzero(sin6, sizeof (*sin6)); 3031 sin6->sin6_family = AF_INET6; 3032 sin6->sin6_port = htons(dstport); 3033 } 3034 3035 /* So I have enough of the message to send it down! */ 3036 msg->sadb_msg_len = nextext - get_buffer; 3037 3038 if (assoc == NULL) { 3039 FATAL1(ep, ebuf, gettext( 3040 "Need SA parameters for %s.\n"), thiscmd); 3041 } 3042 3043 if (cflag) { 3044 /* 3045 * Assume the checked cmd would have worked if it was actually 3046 * used. doaddresses() will increment lines_added if it 3047 * succeeds. 3048 */ 3049 lines_added++; 3050 } else { 3051 doaddresses(sadb_msg_type, satype, 3052 cmd, srchp, dsthp, src, dst, unspec_src, get_buffer, 3053 sizeof (get_buffer), spi, NULL); 3054 } 3055 3056 if (srchp != NULL && srchp != &dummy.he) 3057 freehostent(srchp); 3058 if (dsthp != NULL && dsthp != &dummy.he) 3059 freehostent(dsthp); 3060 } 3061 3062 /* 3063 * "ipseckey monitor" should exit very gracefully if ^C is tapped. 3064 */ 3065 static void 3066 monitor_catch(int signal) 3067 { 3068 errx(signal, gettext("Bailing on signal %d."), signal); 3069 } 3070 3071 /* 3072 * Loop forever, listening on PF_KEY messages. 3073 */ 3074 static void 3075 domonitor(boolean_t passive) 3076 { 3077 struct sadb_msg *samsg; 3078 int rc; 3079 3080 /* Catch ^C. */ 3081 (void) signal(SIGINT, monitor_catch); 3082 3083 samsg = (struct sadb_msg *)get_buffer; 3084 if (!passive) { 3085 (void) printf(gettext("Actively")); 3086 msg_init(samsg, SADB_X_PROMISC, 1); /* Turn ON promisc. */ 3087 rc = key_write(keysock, samsg, sizeof (*samsg)); 3088 if (rc == -1) 3089 Bail("write (SADB_X_PROMISC)"); 3090 } else { 3091 (void) printf(gettext("Passively")); 3092 } 3093 (void) printf(gettext(" monitoring the PF_KEY socket.\n")); 3094 3095 for (; ; ) { 3096 /* 3097 * I assume that read() is non-blocking, and will never 3098 * return 0. 3099 */ 3100 rc = read(keysock, samsg, sizeof (get_buffer)); 3101 if (rc == -1) 3102 Bail("read (in domonitor)"); 3103 (void) printf(gettext("Read %d bytes.\n"), rc); 3104 /* 3105 * Q: Should I use the same method of printing as GET does? 3106 * A: For now, yes. 3107 */ 3108 print_samsg(stdout, get_buffer, B_TRUE, vflag, nflag); 3109 (void) putchar('\n'); 3110 } 3111 } 3112 3113 /* 3114 * Either mask or unmask all relevant signals. 3115 */ 3116 static void 3117 mask_signals(boolean_t unmask) 3118 { 3119 sigset_t set; 3120 static sigset_t oset; 3121 3122 if (unmask) { 3123 (void) sigprocmask(SIG_SETMASK, &oset, NULL); 3124 } else { 3125 (void) sigfillset(&set); 3126 (void) sigprocmask(SIG_SETMASK, &set, &oset); 3127 } 3128 } 3129 3130 /* 3131 * Assorted functions to print help text. 3132 */ 3133 #define puts_tr(s) (void) puts(gettext(s)) 3134 3135 static void 3136 doattrhelp() 3137 { 3138 int i; 3139 3140 puts_tr("\nSA attributes:"); 3141 3142 for (i = 0; tokens[i].string != NULL; i++) { 3143 if (i%3 == 0) 3144 (void) printf("\n"); 3145 (void) printf(" %-15.15s", tokens[i].string); 3146 } 3147 (void) printf("\n"); 3148 } 3149 3150 static void 3151 dohelpcmd(char *cmds) 3152 { 3153 int cmd; 3154 3155 if (strcmp(cmds, "attr") == 0) { 3156 doattrhelp(); 3157 return; 3158 } 3159 3160 cmd = parsecmd(cmds); 3161 switch (cmd) { 3162 case CMD_UPDATE: 3163 puts_tr("update - Update an existing SA"); 3164 break; 3165 case CMD_UPDATE_PAIR: 3166 puts_tr("update-pair - Update an existing pair of SA's"); 3167 break; 3168 case CMD_ADD: 3169 puts_tr("add - Add a new security association (SA)"); 3170 break; 3171 case CMD_DELETE: 3172 puts_tr("delete - Delete an SA"); 3173 break; 3174 case CMD_DELETE_PAIR: 3175 puts_tr("delete-pair - Delete a pair of SA's"); 3176 break; 3177 case CMD_GET: 3178 puts_tr("get - Display an SA"); 3179 break; 3180 case CMD_FLUSH: 3181 puts_tr("flush - Delete all SAs"); 3182 break; 3183 case CMD_DUMP: 3184 puts_tr("dump - Display all SAs"); 3185 break; 3186 case CMD_MONITOR: 3187 puts_tr("monitor - Monitor all PF_KEY reply messages."); 3188 break; 3189 case CMD_PMONITOR: 3190 puts_tr( 3191 "pmonitor, passive_monitor - Monitor PF_KEY messages that"); 3192 puts_tr( 3193 " reply to all PF_KEY sockets."); 3194 break; 3195 3196 case CMD_QUIT: 3197 puts_tr("quit, exit - Exit the program"); 3198 break; 3199 case CMD_SAVE: 3200 puts_tr("save - Saves all SAs to a file"); 3201 break; 3202 case CMD_HELP: 3203 puts_tr("help - Display list of commands"); 3204 puts_tr("help <cmd> - Display help for command"); 3205 puts_tr("help attr - Display possible SA attributes"); 3206 break; 3207 default: 3208 (void) printf(gettext("%s: Unknown command\n"), cmds); 3209 break; 3210 } 3211 } 3212 3213 3214 static void 3215 dohelp(char *cmds) 3216 { 3217 if (cmds != NULL) { 3218 dohelpcmd(cmds); 3219 return; 3220 } 3221 puts_tr("Commands"); 3222 puts_tr("--------"); 3223 puts_tr("?, help - Display this list"); 3224 puts_tr("help <cmd> - Display help for command"); 3225 puts_tr("help attr - Display possible SA attributes"); 3226 puts_tr("quit, exit - Exit the program"); 3227 puts_tr("monitor - Monitor all PF_KEY reply messages."); 3228 puts_tr("pmonitor, passive_monitor - Monitor PF_KEY messages that"); 3229 puts_tr(" reply to all PF_KEY sockets."); 3230 puts_tr(""); 3231 puts_tr("The following commands are of the form:"); 3232 puts_tr(" <command> {SA type} {attribute value}*"); 3233 puts_tr(""); 3234 puts_tr("add (interactive only) - Add a new security association (SA)"); 3235 puts_tr("update (interactive only) - Update an existing SA"); 3236 puts_tr("update-pair (interactive only) - Update an existing SA pair"); 3237 puts_tr("delete - Delete an SA"); 3238 puts_tr("delete-pair - Delete an SA pair"); 3239 puts_tr("get - Display an SA"); 3240 puts_tr("flush - Delete all SAs"); 3241 puts_tr("dump - Display all SAs"); 3242 puts_tr("save - Saves all SAs to a file"); 3243 } 3244 3245 /* 3246 * "Parse" a command line from argv. 3247 */ 3248 static void 3249 parseit(int argc, char *argv[], char *ebuf, boolean_t read_cmdfile) 3250 { 3251 int cmd, satype; 3252 char *ep = NULL; 3253 3254 if (argc == 0) 3255 return; 3256 cmd = parsecmd(*argv++); 3257 3258 /* 3259 * Some commands loop forever and should only be run from the command 3260 * line, they should never be run from a command file as this may 3261 * be used at boot time. 3262 */ 3263 switch (cmd) { 3264 case CMD_HELP: 3265 if (read_cmdfile) 3266 ERROR(ep, ebuf, gettext("Help not appropriate in " 3267 "config file.")); 3268 else 3269 dohelp(*argv); 3270 return; 3271 case CMD_MONITOR: 3272 if (read_cmdfile) 3273 ERROR(ep, ebuf, gettext("Monitor not appropriate in " 3274 "config file.")); 3275 else 3276 domonitor(B_FALSE); 3277 break; 3278 case CMD_PMONITOR: 3279 if (read_cmdfile) 3280 ERROR(ep, ebuf, gettext("Monitor not appropriate in " 3281 "config file.")); 3282 else 3283 domonitor(B_TRUE); 3284 break; 3285 case CMD_QUIT: 3286 EXIT_OK(NULL); 3287 } 3288 3289 handle_errors(ep, ebuf, B_FALSE, B_FALSE); 3290 3291 satype = parsesatype(*argv, ebuf); 3292 3293 if (satype != SADB_SATYPE_UNSPEC) { 3294 argv++; 3295 } else { 3296 /* 3297 * You must specify either "all" or a specific SA type 3298 * for the "save" command. 3299 */ 3300 if (cmd == CMD_SAVE) 3301 if (*argv == NULL) { 3302 FATAL(ep, ebuf, gettext( 3303 "Must specify a specific " 3304 "SA type for save.\n")); 3305 } else { 3306 argv++; 3307 } 3308 } 3309 3310 switch (cmd) { 3311 case CMD_FLUSH: 3312 if (!cflag) 3313 doflush(satype); 3314 /* 3315 * If this was called because of an entry in a cmd file 3316 * then this action needs to be counted to prevent 3317 * do_interactive() treating this as an error. 3318 */ 3319 lines_added++; 3320 break; 3321 case CMD_ADD: 3322 case CMD_UPDATE: 3323 case CMD_UPDATE_PAIR: 3324 /* 3325 * NOTE: Shouldn't allow ADDs or UPDATEs with keying material 3326 * from the command line. 3327 */ 3328 if (!interactive) { 3329 errx(1, gettext( 3330 "can't do ADD or UPDATE from the command line.\n")); 3331 } 3332 if (satype == SADB_SATYPE_UNSPEC) { 3333 FATAL(ep, ebuf, gettext( 3334 "Must specify a specific SA type.")); 3335 /* NOTREACHED */ 3336 } 3337 /* Parse for extensions, including keying material. */ 3338 doaddup(cmd, satype, argv, ebuf); 3339 break; 3340 case CMD_DELETE: 3341 case CMD_DELETE_PAIR: 3342 case CMD_GET: 3343 if (satype == SADB_SATYPE_UNSPEC) { 3344 FATAL(ep, ebuf, gettext( 3345 "Must specify a single SA type.")); 3346 /* NOTREACHED */ 3347 } 3348 /* Parse for bare minimum to locate an SA. */ 3349 dodelget(cmd, satype, argv, ebuf); 3350 break; 3351 case CMD_DUMP: 3352 if (read_cmdfile) 3353 ERROR(ep, ebuf, gettext("Dump not appropriate in " 3354 "config file.")); 3355 else 3356 dodump(satype, NULL); 3357 break; 3358 case CMD_SAVE: 3359 if (read_cmdfile) { 3360 ERROR(ep, ebuf, gettext("Save not appropriate in " 3361 "config file.")); 3362 } else { 3363 mask_signals(B_FALSE); /* Mask signals */ 3364 dodump(satype, opensavefile(argv[0])); 3365 mask_signals(B_TRUE); /* Unmask signals */ 3366 } 3367 break; 3368 default: 3369 warnx(gettext("Unknown command (%s).\n"), 3370 *(argv - ((satype == SADB_SATYPE_UNSPEC) ? 1 : 2))); 3371 usage(); 3372 } 3373 handle_errors(ep, ebuf, B_FALSE, B_FALSE); 3374 } 3375 3376 int 3377 main(int argc, char *argv[]) 3378 { 3379 int ch; 3380 FILE *infile = stdin, *savefile; 3381 boolean_t dosave = B_FALSE, readfile = B_FALSE; 3382 char *configfile = NULL; 3383 struct stat sbuf; 3384 int bootflags; 3385 3386 (void) setlocale(LC_ALL, ""); 3387 #if !defined(TEXT_DOMAIN) 3388 #define TEXT_DOMAIN "SYS_TEST" 3389 #endif 3390 (void) textdomain(TEXT_DOMAIN); 3391 3392 /* 3393 * Check to see if the command is being run from smf(5). 3394 */ 3395 my_fmri = getenv("SMF_FMRI"); 3396 3397 openlog("ipseckey", LOG_CONS, LOG_AUTH); 3398 if (getuid() != 0) { 3399 errx(1, "Insufficient privileges to run ipseckey."); 3400 } 3401 3402 /* umask me to paranoid, I only want to create files read-only */ 3403 (void) umask((mode_t)00377); 3404 3405 while ((ch = getopt(argc, argv, "pnvf:s:c:")) != EOF) 3406 switch (ch) { 3407 case 'p': 3408 pflag = B_TRUE; 3409 break; 3410 case 'n': 3411 nflag = B_TRUE; 3412 break; 3413 case 'v': 3414 vflag = B_TRUE; 3415 break; 3416 case 'c': 3417 cflag = B_TRUE; 3418 /* FALLTHRU */ 3419 case 'f': 3420 if (dosave) 3421 usage(); 3422 infile = fopen(optarg, "r"); 3423 if (infile == NULL) { 3424 EXIT_BADCONFIG2("Unable to open configuration " 3425 "file: %s\n", optarg); 3426 } 3427 /* 3428 * Check file permissions/ownership and warn or 3429 * fail depending on state of SMF control. 3430 */ 3431 if (fstat(fileno(infile), &sbuf) == -1) { 3432 (void) fclose(infile); 3433 EXIT_BADCONFIG2("Unable to stat configuration " 3434 "file: %s\n", optarg); 3435 } 3436 if (INSECURE_PERMS(sbuf)) { 3437 if (my_fmri != NULL) { 3438 (void) fclose(infile); 3439 EXIT_BADCONFIG2("Config file " 3440 "%s has insecure permissions.", 3441 optarg); 3442 } else { 3443 (void) fprintf(stderr, "%s %s\n", 3444 optarg, gettext( 3445 "has insecure permissions, will be " 3446 "rejected in permanent config.")); 3447 } 3448 } 3449 configfile = strdup(optarg); 3450 readfile = B_TRUE; 3451 break; 3452 case 's': 3453 if (readfile) 3454 usage(); 3455 dosave = B_TRUE; 3456 savefile = opensavefile(optarg); 3457 break; 3458 default: 3459 usage(); 3460 } 3461 3462 argc -= optind; 3463 argv += optind; 3464 3465 mypid = getpid(); 3466 3467 keysock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); 3468 3469 if (keysock == -1) { 3470 if (errno == EPERM) { 3471 EXIT_BADPERM("Insufficient privileges to open " 3472 "PF_KEY socket.\n"); 3473 } else { 3474 /* some other reason */ 3475 EXIT_FATAL("Opening PF_KEY socket"); 3476 } 3477 } 3478 3479 if ((_cladm(CL_INITIALIZE, CL_GET_BOOTFLAG, &bootflags) != 0) || 3480 (bootflags & CLUSTER_BOOTED)) { 3481 in_cluster_mode = B_TRUE; 3482 cluster_socket = socket(AF_INET, SOCK_DGRAM, 0); 3483 cli_addr.sin_family = AF_INET; 3484 cli_addr.sin_addr.s_addr = INADDR_LOOPBACK; 3485 cli_addr.sin_port = htons(CLUSTER_UDP_PORT); 3486 } 3487 3488 if (dosave) { 3489 mask_signals(B_FALSE); /* Mask signals */ 3490 dodump(SADB_SATYPE_UNSPEC, savefile); 3491 mask_signals(B_TRUE); /* Unmask signals */ 3492 EXIT_OK(NULL); 3493 } 3494 3495 /* 3496 * When run from smf(5) flush any existing SA's first 3497 * otherwise you will end up in maintenance mode. 3498 */ 3499 if ((my_fmri != NULL) && readfile) { 3500 (void) fprintf(stdout, gettext( 3501 "Flushing existing SA's before adding new SA's\n")); 3502 (void) fflush(stdout); 3503 doflush(SADB_SATYPE_UNSPEC); 3504 } 3505 if (infile != stdin || *argv == NULL) { 3506 /* Go into interactive mode here. */ 3507 do_interactive(infile, configfile, "ipseckey> ", my_fmri, 3508 parseit); 3509 } 3510 parseit(argc, argv, NULL, B_FALSE); 3511 3512 return (0); 3513 } 3514