summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2007-01-03 12:17:44 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2007-01-03 12:17:44 +0000
commit93e8aa55dd50b47672de31b3b779d3bbcbfd0949 (patch)
tree715a0ae33b3d42879fe996e0546cf2ccf67f7fa7
parent8f2a7094ed1bf1b16d6d21f6060e5890a0a10cc4 (diff)
do not print secret keys by default, -k restores old behaviour; ok hshoexer
-rw-r--r--sbin/ipsecctl/ipsecctl.86
-rw-r--r--sbin/ipsecctl/ipsecctl.c10
-rw-r--r--sbin/ipsecctl/ipsecctl.h3
-rw-r--r--sbin/ipsecctl/pfkdump.c7
4 files changed, 19 insertions, 7 deletions
diff --git a/sbin/ipsecctl/ipsecctl.8 b/sbin/ipsecctl/ipsecctl.8
index a098173ce80..5b4a1e720b7 100644
--- a/sbin/ipsecctl/ipsecctl.8
+++ b/sbin/ipsecctl/ipsecctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsecctl.8,v 1.23 2006/09/29 10:51:27 jmc Exp $
+.\" $OpenBSD: ipsecctl.8,v 1.24 2007/01/03 12:17:43 markus Exp $
.\"
.\" Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
.\"
@@ -22,7 +22,7 @@
.Nd control flows for IPsec
.Sh SYNOPSIS
.Nm ipsecctl
-.Op Fl dFmnv
+.Op Fl dFkmnv
.Oo Fl D Ar macro Ns =
.Ar value Oc
.Op Fl f Ar file
@@ -67,6 +67,8 @@ option flushes the SPD and the SAD.
.It Fl f Ar file
Load the rules contained in
.Ar file .
+.It Fl k
+Show secret keying material when printing the active SAD entries.
.It Fl m
Continuously display all
.Dv PF_KEY
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index a64dbe412e0..d64c2a44cc7 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.64 2006/11/30 15:51:28 markus Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.65 2007/01/03 12:17:43 markus Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -648,16 +648,18 @@ main(int argc, char *argv[])
if (argc < 2)
usage();
- while ((ch = getopt(argc, argv, "D:df:Fmnvs:")) != -1) {
+ while ((ch = getopt(argc, argv, "D:df:Fkmnvs:")) != -1) {
switch (ch) {
case 'D':
if (cmdline_symset(optarg) < 0)
warnx("could not parse macro definition %s",
optarg);
break;
+
case 'd':
opts |= IPSECCTL_OPT_DELETE;
break;
+
case 'f':
rulesopt = optarg;
break;
@@ -666,6 +668,10 @@ main(int argc, char *argv[])
opts |= IPSECCTL_OPT_FLUSH;
break;
+ case 'k':
+ opts |= IPSECCTL_OPT_SHOWKEY;
+ break;
+
case 'm':
opts |= IPSECCTL_OPT_MONITOR;
break;
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index e99691f41ec..789ba2f1bb1 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.52 2006/11/30 15:51:28 markus Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.53 2007/01/03 12:17:43 markus Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -28,6 +28,7 @@
#define IPSECCTL_OPT_FLUSH 0x0100
#define IPSECCTL_OPT_DELETE 0x0200
#define IPSECCTL_OPT_MONITOR 0x0400
+#define IPSECCTL_OPT_SHOWKEY 0x0800
enum {
ACTION_ADD, ACTION_DELETE
diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c
index 461ec13882b..bcfa10bd5f6 100644
--- a/sbin/ipsecctl/pfkdump.c
+++ b/sbin/ipsecctl/pfkdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkdump.c,v 1.23 2006/11/24 13:52:13 reyk Exp $ */
+/* $OpenBSD: pfkdump.c,v 1.24 2007/01/03 12:17:43 markus Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
@@ -618,7 +618,10 @@ pfkey_print_sa(struct sadb_msg *msg, int opts)
setup_extensions(msg);
sa = (struct sadb_sa *)extensions[SADB_EXT_SA];
-
+ if (!(opts & IPSECCTL_OPT_SHOWKEY)) {
+ extensions[SADB_EXT_KEY_AUTH] = NULL;
+ extensions[SADB_EXT_KEY_ENCRYPT] = NULL;
+ }
bzero(&r, sizeof r);
r.type |= RULE_SA;
r.tmode = (msg->sadb_msg_satype != SADB_X_SATYPE_TCPSIGNATURE) &&