author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 1999-02-24 22:53:48 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 1999-02-24 22:53:48 +0000 |
commit | 89f13b6fea2755ea949385e3046726cb1a3a695e (patch) | |
tree | fbc98a9ee6ebd618bd94a66ce00952506500396e /sbin | |
parent | 7b06ca56d8a31a610cbe1bb13453fd8722b68bc4 (diff) |
ipsecadm has been almost entirely rewritten to use pfkey. Error reporting is still somewhat lacking.
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/ipsecadm/Makefile | 5 | ||||
-rw-r--r-- | sbin/ipsecadm/ipsecadm.1 | 75 | ||||
-rw-r--r-- | sbin/ipsecadm/ipsecadm.c | 1370 | ||||
-rw-r--r-- | sbin/ipsecadm/kernel.c | 80 | ||||
-rw-r--r-- | sbin/ipsecadm/xf_ah_new.c | 107 | ||||
-rw-r--r-- | sbin/ipsecadm/xf_ah_old.c | 105 | ||||
-rw-r--r-- | sbin/ipsecadm/xf_delspi.c | 91 | ||||
-rw-r--r-- | sbin/ipsecadm/xf_esp_new.c | 127 | ||||
-rw-r--r-- | sbin/ipsecadm/xf_esp_old.c | 112 | ||||
-rw-r--r-- | sbin/ipsecadm/xf_flow.c | 157 | ||||
-rw-r--r-- | sbin/ipsecadm/xf_grp.c | 94 | ||||
-rw-r--r-- | sbin/ipsecadm/xf_ip4.c | 92 |
12 files changed, 1038 insertions, 1377 deletions
diff --git a/sbin/ipsecadm/Makefile b/sbin/ipsecadm/Makefile index 734515dd7cb..05bf387de53 100644 --- a/sbin/ipsecadm/Makefile +++ b/sbin/ipsecadm/Makefile @@ -1,7 +1,6 @@ -# $OpenBSD: Makefile,v 1.1 1998/11/14 23:37:20 deraadt Exp $ +# $OpenBSD: Makefile,v 1.2 1999/02/24 22:53:36 angelos Exp $ PROG= ipsecadm -SRCS= ipsecadm.c kernel.c xf_esp_new.c xf_esp_old.c xf_ah_old.c xf_ah_new.c \ - xf_delspi.c xf_grp.c xf_ip4.c xf_flow.c +SRCS= ipsecadm.c .include <bsd.prog.mk> diff --git a/sbin/ipsecadm/ipsecadm.1 b/sbin/ipsecadm/ipsecadm.1 index df62a8acbe2..6da655d1cde 100644 --- a/sbin/ipsecadm/ipsecadm.1 +++ b/sbin/ipsecadm/ipsecadm.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsecadm.1,v 1.7 1999/02/17 20:39:16 deraadt Exp $ +.\" $OpenBSD: ipsecadm.1,v 1.8 1999/02/24 22:53:36 angelos Exp $ .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. .\" @@ -58,13 +58,12 @@ Allowed modifiers are: .Fl dst , .Fl src , +.Fl proxy , .Fl spi , -.Fl tunnel , .Fl enc , .Fl auth , -.Fl iv , -.Fl newpadding , .Fl authkey , +.Fl forcetunnel , and .Fl key . .It old esp @@ -72,10 +71,11 @@ Setup a SPI which uses the old esp transforms. Only encryption algorithms can be applied. Allowed modifiers are: .Fl dst , .Fl src , +.Fl proxy , .Fl spi , -.Fl tunnel , .Fl enc , -.Fl iv +.Fl halfiv , +.Fl forcetunnel , and .Fl key . .It new ah @@ -84,8 +84,9 @@ will be done with HMAC using the specified hash algorithm. Allowed modifiers are: .Fl dst , .Fl src , +.Fl proxy , .Fl spi , -.Fl tunnel , +.Fl forcetunnel , .Fl auth , and .Fl key . @@ -94,8 +95,9 @@ Setup a SPI which uses the old ah transforms. Simple keyed hashes will be used for authentication. Allowed modifiers are: .Fl dst , .Fl src , +.Fl proxy , .Fl spi , -.Fl tunnel , +.Fl forcetunnel , .Fl auth , and .Fl key . 
@@ -108,9 +110,8 @@ does not appear on the wire. Unlike other setups, like new esp, there is no necessary setup in the receiving side. Allowed modifiers are: .Fl dst , .Fl src , -.Fl spi , and -.Fl tunnel . +.Fl spi. .It delspi The specified Security Association (SA) will be deleted. An SA consists of the destination address, SPI and security protocol. Allowed modifiers are: 
@@ -150,27 +151,46 @@ If no command is given defaults to new esp mode. .Pp The modifiers have the following meanings: -.Bl -tag -width newpadding -offset indent +.Bl -tag -width forcetunnel -offset indent .It src The source IP address for the SPI. This is necessary for incoming SAs to avoid source address spoofing between mutually suspicious hosts that have established SAs with us. For outgoing SAs, this -field is used if the SA is for packets that originate from this host, and -its purpose is to slightly speedup packet processing. If this field is +field is used to slightly speedup packet processing. If this field is zero (0.0.0.0), no spoofing check will be done for incoming SAs, and an extra routing lookup may be necessary for certain classes of packets that -originate from the local machine and make use of the SA. The value in this -field is not used when processing outgoing packets in -.Xr vpn 8 -mode (encrypting/authenticating other hosts' packets). +originate from the local machine and make use of the SA. If present, the +value of this field is used when doing IP-in-IP encapsulation (e.g., when +the +.Nm forcetunnel +option has been specified. .It dst The destination IP address for the SPI. +.It proxy +This IP address, if provided, is checked against the inner IP address when +doing tunneling to a firewall, to prevent source spoofing attacks. It is +strongly recommended that this option is provided when applicable. It is +applicable in a scenario when host A is using IPsec to communicate with +firewall B, and through that to host C. In that case, the proxy address for +the incoming SA should be C. This option is not necessary for outgoing SAs. .It spi The unique Security Parameter Index (SPI). .It tunnel -The source and destination IP addresses for the external IP header. +This option has been deprecated. The arguments are ignored, and it +otherwise has the same effect as the +.Nm forcetunnel +option. 
.It newpadding -For new ESP, specify new style self-describing padding should be used. +This option has been deprecated. +.It forcetunnel +Force IP-inside-IP encapsulation before ESP or AH processing is performed for +outgoing packets. The source/destination addresses of the outgoing IP packet +will be those provided in the +.Nm src +and +.Nm dst +options. Notice that the IPsec stack will perform IP-inside-IP encapsulation +when deemed necessary, even if this flag has not been set. .It enc The encryption algorithm to be used with the SPI. Possible values are: @@ -179,7 +199,7 @@ are: This is available for both old and new esp. Notice that hardware crackers for DES can be (and have been) built for US$250,000. Use DES for encryption of critical information at your risk. -We suggest using of 3DES instead. The DES support is kept for interoperability +We suggest using 3DES instead. DES support is kept for interoperability (with old implementations) purposes only. .It Nm 3des This is available for both old and new esp. It is more considered to be @@ -237,14 +257,13 @@ practical way of generating keys is by using the .Xr random 4 device (e.g. dd if=/dev/urandom bs=1024 count=1 | sha1) .It iv -The initialization vector used for encryption. In old esp mode you need -to specify it as either four or eight byte long value. In new esp mode -the transforms can either use an eight byte iv or will derive one -when none is specified with -.Xr ipsecadm 1 . -The -.Nm iv -should be given in hexadecimal digits. +This option has been deprecated. The argument is ignored. When applicable, +it has the same behaviour as the +.Nm halfiv +option. +.It halfiv +This option causes use of a 4 byte IV in old ESP (as opposed to 8 bytes). It +may only be used with old ESP. .It proto The security protocol needed by .Nm delspi , diff --git a/sbin/ipsecadm/ipsecadm.c b/sbin/ipsecadm/ipsecadm.c index 1930fdc1b3b..3d7c6c38cf7 100644 --- a/sbin/ipsecadm/ipsecadm.c +++ b/sbin/ipsecadm/ipsecadm.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecadm.c,v 1.3 1999/02/17 20:39:16 deraadt Exp $ */
+/* $OpenBSD: ipsecadm.c,v 1.4 1999/02/24 22:53:37 angelos Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -56,9 +56,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <paths.h>
-#include "net/encap.h"
+#include <sys/uio.h>
+#include "net/pfkeyv2.h"
 #include "netinet/ip_ipsp.h"
-#include "netinet/ip_esp.h"
 
 #define ESP_OLD 0x01
 #define ESP_NEW 0x02
@@ -78,423 +78,1031 @@ #define iscmd(x,y) (((x) & CMD_MASK) == (y)) typedef struct { - char *name; - int id, flags; -} transform; - -int xf_esp_new __P((struct in_addr, struct in_addr, u_int32_t, int, int, - u_char *, u_char *, u_char *, struct in_addr, struct in_addr, int)); -int xf_esp_old __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *, - u_char *, struct in_addr, struct in_addr)); -int xf_ah_new __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *, - struct in_addr, struct in_addr)); -int xf_ah_old __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *, - struct in_addr, struct in_addr)); - -int xf_delspi __P((struct in_addr, u_int32_t, int, int)); -int xf_grp __P((struct in_addr, u_int32_t, int, struct in_addr, u_int32_t, int)); -int xf_flow __P((struct in_addr, u_int32_t, int, struct in_addr, - struct in_addr, struct in_addr, struct in_addr, int, int, int, int, int)); -int xf_ip4 __P((struct in_addr, struct in_addr, u_int32_t, - struct in_addr, struct in_addr)); + char *name; + int id, flags; +} transform; transform xf[] = { - {"des", ALG_ENC_DES, XF_ENC |ESP_OLD|ESP_NEW}, - {"3des", ALG_ENC_3DES, XF_ENC |ESP_OLD|ESP_NEW}, - {"blf", ALG_ENC_BLF, XF_ENC | ESP_NEW}, - {"cast", ALG_ENC_CAST, XF_ENC | ESP_NEW}, - {"skipjack", ALG_ENC_SKIPJACK, XF_ENC | ESP_NEW}, - {"md5", ALG_AUTH_MD5, XF_AUTH|AH_OLD|AH_NEW|ESP_NEW}, - {"sha1", ALG_AUTH_SHA1,XF_AUTH|AH_OLD|AH_NEW|ESP_NEW}, - {"rmd160", ALG_AUTH_RMD160, XF_AUTH|AH_NEW|ESP_NEW}, + {"des", SADB_EALG_DESCBC, XF_ENC |ESP_OLD|ESP_NEW}, + {"3des", SADB_EALG_3DESCBC, XF_ENC |ESP_OLD|ESP_NEW}, + {"blf", SADB_EALG_X_BLF, XF_ENC | ESP_NEW}, + {"cast", SADB_EALG_X_CAST, XF_ENC | ESP_NEW}, + {"skipjack", SADB_EALG_X_SKIPJACK, XF_ENC | ESP_NEW}, + {"md5", SADB_AALG_MD5HMAC96, XF_AUTH|AH_NEW|ESP_NEW}, + {"sha1", SADB_AALG_SHA1HMAC96,XF_AUTH|AH_NEW|ESP_NEW}, + {"md5", SADB_AALG_X_MD5, XF_AUTH|AH_OLD}, + {"sha1", SADB_AALG_X_SHA1,XF_AUTH|AH_OLD}, + {"rmd160", SADB_AALG_X_RIPEMD160HMAC96, 
XF_AUTH|AH_NEW|ESP_NEW}, }; -char buf[1024]; +/* XXX Depending on message type, we should listen for message replies */ +void +xf_set(struct iovec *iov, int cnt, int len) +{ + int sd; + + sd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); + if (sd < 0) + { + perror("socket"); + exit(1); + } + + if (writev(sd, iov, cnt) != len) + { + perror("write"); + exit(1); + } + + close(sd); +} int x2i(char *s) { - char ss[3]; - ss[0] = s[0]; - ss[1] = s[1]; - ss[2] = 0; + char ss[3]; + ss[0] = s[0]; + ss[1] = s[1]; + ss[2] = 0; - if (!isxdigit(s[0]) || !isxdigit(s[1])) { - fprintf(stderr, - "Keys and IVs should be specified in hex digits.\n"); - exit(-1); - } - return strtoul(ss, NULL, 16); + if (!isxdigit(s[0]) || !isxdigit(s[1])) + { + fprintf(stderr, "Keys should be specified in hex digits.\n"); + exit(-1); + } + + return strtoul(ss, NULL, 16); } int isvalid(char *option, int type, int mode) { - int i; - - for (i = sizeof(xf) / sizeof(transform) - 1; i >= 0; i--) - if (!strcmp(option, xf[i].name)) { - if ((xf[i].flags & CMD_MASK) == type && - (xf[i].flags & mode)) - return xf[i].id; - else - return 0; - } - return 0; + int i; + + for (i = sizeof(xf) / sizeof(transform) - 1; i >= 0; i--) + if (!strcmp(option, xf[i].name)) + { + if ((xf[i].flags & CMD_MASK) == type && + (xf[i].flags & mode)) + return xf[i].id; + else + return 0; + } + + return 0; } void usage() { - fprintf( stderr, "usage: ipsecadm [command] <modifier...>\n" - "\tCommands: new esp, old esp, new ah, old ah, group, delspi, ip4, flow\n" - "\tPossible modifiers:\n" - "\t\t-enc <alg>\t encryption algorithm\n" - "\t\t-auth <alg>\t authentication algorithm\n" - "\t\t-src <ip>\t source address to be used\n" - "\t\t-tunnel <ip> <ip> tunneling addresses\n" - "\t\t-dst <ip>\t destination address to be used\n" - "\t\t-spi <val>\t SPI to be used\n" - "\t\t-key <val>\t key material to be used\n" - "\t\t-authkey <val>\t key material for auth in new esp\n" - "\t\t-iv <val>\t iv to be used\n" - "\t\t-proto <val>\t security protocol\n" 
- "\t\t-chain\t\t SPI chain delete\n" - "\t\t-newpadding\t new style padding for new ESP\n" - "\t\t-transport <val>\t protocol number for flow\n" - "\t\t-addr <ip> <net> <ip> <net>\t subnets for flow\n" - "\t\t-delete\t\t delete specified flow\n" - "\t\t-local\t\t also create a local flow\n" - "\talso: dst2, spi2, proto2\n" - ); + fprintf(stderr, "usage: ipsecadm [command] <modifier...>\n" + "\tCommands: new esp, old esp, new ah, old ah, group, delspi, ip4, flow\n" + "\tPossible modifiers:\n" + "\t\t-enc <alg>\t encryption algorithm\n" + "\t\t-auth <alg>\t authentication algorithm\n" + "\t\t-src <ip>\t source address to be used\n" + "\t\t-halfiv\t use 4-byte IV in old ESP\n" + "\t\t-forcetunnel\t force tunneling even when not necessary\n" + "\t\t-dst <ip>\t destination address to be used\n" + "\t\t-proxy <ip>\t proxy address to be used\n" + "\t\t-spi <val>\t SPI to be used\n" + "\t\t-key <val>\t key material to be used\n" + "\t\t-authkey <val>\t key material for auth in new esp\n" + "\t\t-proto <val>\t security protocol\n" + "\t\t-chain\t\t SPI chain delete\n" + "\t\t-transport <val>\t protocol number for flow\n" + "\t\t-addr <ip> <net> <ip> <net>\t subnets for flow\n" + "\t\t-delete\t\t delete specified flow\n" + "\t\t-local\t\t also create a local flow\n" + "\talso: dst2, spi2, proto2\n" + ); } int -main(argc, argv) - int argc; - char **argv; +main(int argc, char **argv) { - int i; - int mode = ESP_NEW, new = 1, flag = 0, newpadding = 0; - int auth = 0, enc = 0, ivlen = 0, klen = 0, alen = 0; - int proto = IPPROTO_ESP, proto2 = IPPROTO_AH; - int dport = -1, sport = -1, tproto = -1; - int delete = 0, local = 0, result; - int chain = 0; - u_int32_t spi = 0, spi2 = 0; - struct in_addr src, dst, dst2, osrc, odst, osmask, odmask; - u_char *ivp = NULL, *keyp = NULL, *authp = NULL; - struct protoent *tp; - struct servent *svp; - char *transportproto = NULL; - - osrc.s_addr = odst.s_addr = src.s_addr = dst.s_addr = dst2.s_addr = 0; - osmask.s_addr = odmask.s_addr = 0; - 
- if (argc < 2) { - usage(); + int auth = 0, enc = 0, klen = 0, alen = 0, mode = ESP_NEW, i = 0; + int proto = IPPROTO_ESP, proto2 = IPPROTO_AH; + int dport = -1, sport = -1, tproto = -1; + u_int32_t spi = 0, spi2 = 0; + union sockaddr_union src, dst, dst2, osrc, odst, osmask, odmask, proxy; + u_char *keyp = NULL, *authp = NULL; + struct protoent *tp; + struct servent *svp; + char *transportproto = NULL; + struct sadb_msg smsg; + struct sadb_sa sa; + struct sadb_sa sa2; + struct sadb_address sad1; /* src */ + struct sadb_address sad2; /* dst */ + struct sadb_address sad3; /* proxy */ + struct sadb_address sad4; /* osrc */ + struct sadb_address sad5; /* odst */ + struct sadb_address sad6; /* osmask */ + struct sadb_address sad7; /* odmask */ + struct sadb_address sad8; /* dst2 */ + struct sadb_key skey1; + struct sadb_key skey2; + struct sadb_protocol sprotocol; + struct iovec iov[20]; + int cnt = 0; + u_char realkey[8192], realakey[8192]; + + if (argc < 2) + { + usage(); + exit(1); + } + + /* Zero out */ + bzero(&smsg, sizeof(smsg)); + bzero(&sa, sizeof(sa)); + bzero(&sa2, sizeof(sa2)); + bzero(&skey1, sizeof(skey1)); + bzero(&skey2, sizeof(skey2)); + bzero(&sad1, sizeof(sad1)); + bzero(&sad2, sizeof(sad2)); + bzero(&sad3, sizeof(sad3)); + bzero(&sad4, sizeof(sad4)); + bzero(&sad5, sizeof(sad5)); + bzero(&sad6, sizeof(sad6)); + bzero(&sad7, sizeof(sad7)); + bzero(&sad8, sizeof(sad8)); + bzero(&sprotocol, sizeof(sprotocol)); + bzero(iov, sizeof(iov)); + bzero(realkey, sizeof(realkey)); + bzero(realakey, sizeof(realakey)); + + /* Initialize */ + smsg.sadb_msg_version = PF_KEY_V2; + smsg.sadb_msg_seq = 1; + smsg.sadb_msg_pid = getpid(); + smsg.sadb_msg_len = sizeof(smsg) / 8; + + /* Initialize */ + sa.sadb_sa_exttype = SADB_EXT_SA; + sa.sadb_sa_len = sizeof(sa) / 8; + sa.sadb_sa_replay = 0; + sa.sadb_sa_state = SADB_SASTATE_MATURE; + + /* Initialize */ + sa2.sadb_sa_exttype = SADB_EXT_X_SA2; + sa2.sadb_sa_len = sizeof(sa2) / 8; + sa2.sadb_sa_replay = 0; + 
sa2.sadb_sa_state = SADB_SASTATE_MATURE; + + /* Initialize */ + bzero(&src, sizeof(union sockaddr_union)); + bzero(&dst, sizeof(union sockaddr_union)); + bzero(&dst2, sizeof(union sockaddr_union)); + bzero(&osrc, sizeof(union sockaddr_union)); + bzero(&odst, sizeof(union sockaddr_union)); + bzero(&osmask, sizeof(union sockaddr_union)); + bzero(&odmask, sizeof(union sockaddr_union)); + bzero(&proxy, sizeof(union sockaddr_union)); + + if (!strcmp(argv[1], "new") && argc > 3) + { + if (!strcmp(argv[2], "esp")) + { + mode = ESP_NEW; + smsg.sadb_msg_type = SADB_ADD; + smsg.sadb_msg_satype = SADB_SATYPE_ESP; + } + else + if (!strcmp(argv[2], "ah")) + { + mode = AH_NEW; + smsg.sadb_msg_type = SADB_ADD; + smsg.sadb_msg_satype = SADB_SATYPE_AH; + } + else + { + fprintf(stderr, "%s: unexpected identifier %s\n", argv[0], + argv[2]); + exit(1); + } + + i += 2; + } + else + if (!strcmp(argv[1], "old") && argc > 3) + { + if (!strcmp(argv[2], "esp")) + { + mode = ESP_OLD; + smsg.sadb_msg_type = SADB_ADD; + smsg.sadb_msg_satype = SADB_SATYPE_X_ESP_OLD; + } + else + if (!strcmp(argv[2], "ah")) + { + mode = AH_OLD; + smsg.sadb_msg_type = SADB_ADD; + smsg.sadb_msg_satype = SADB_SATYPE_X_AH_OLD; + } + else + { + fprintf(stderr, "%s: unexpected identifier %s\n", argv[0], + argv[2]); exit(1); + } + + i += 2; + } + else + if (!strcmp(argv[1], "delspi")) + { + smsg.sadb_msg_type = SADB_DELETE; + mode = DEL_SPI; + i++; } - - for (i=1; i < argc; i++) { - if (!strcmp(argv[i], "new") && !flag) { - flag = 1; - new = 1; - } else if (!strcmp(argv[i], "old") && !flag) { - flag = 1; - new = 0; - } else if (!strcmp(argv[i], "esp") && flag < 2) { - flag = 2; - mode = new ? ESP_NEW : ESP_OLD; - } else if (!strcmp(argv[i], "ah") && flag < 2) { - flag = 2; - mode = new ? 
AH_NEW : AH_OLD; - } else if (!strcmp(argv[i], "delspi") && flag < 2) { - flag = 2; - mode = DEL_SPI; - } else if (!strcmp(argv[i], "group") && flag < 2) { - flag = 2; - mode = GRP_SPI; - } else if (!strcmp(argv[i], "flow") && flag < 2) { - flag = 2; - mode = FLOW; - } else if (!strcmp(argv[i], "ip4") && flag < 2) { - flag = 2; + else + if (!strcmp(argv[1], "group")) + { + smsg.sadb_msg_type = SADB_X_GRPSPIS; + mode = GRP_SPI; + i++; + } + else + if (!strcmp(argv[1], "flow")) + { + /* It may not be ADDFLOW, but never mind that for now */ + smsg.sadb_msg_type = SADB_X_ADDFLOW; + mode = FLOW; + i++; + } + else + if (!strcmp(argv[1], "ip4")) + { mode = ENC_IP; - } else if (argv[i][0] == '-') { - break; - } else { + smsg.sadb_msg_type = SADB_ADD; + smsg.sadb_msg_satype = SADB_SATYPE_X_IPIP; + i++; + } + else + { fprintf(stderr, "%s: Unknown command: %s", argv[0], argv[i]); exit(1); - } + } + + for (i++; i < argc; i++) + { + if (argv[i][0] != '-') + { + fprintf(stderr, "%s: Expected option, got %s\n", + argv[0], argv[i]); + exit(1); } - for (; i < argc; i++) { - if (argv[i][0] != '-') { - fprintf(stderr, "%s: Expected option, got %s\n", - argv[0], argv[i]); - exit(1); - } else if (!strcmp(argv[i]+1, "enc") && enc == 0 && i+1 < argc) { - if ((enc = isvalid(argv[i+1], XF_ENC, mode)) == 0) { - fprintf(stderr, "%s: Invalid encryption algorithm %s\n", - argv[0], argv[i+1]); - exit(1); - } - i++; - } else if (!strcmp(argv[i]+1, "auth") && auth == 0 && i+1 < argc) { - if ((auth = isvalid(argv[i+1], XF_AUTH, mode)) == 0) { - fprintf(stderr, "%s: Invalid auth algorithm %s\n", - argv[0], argv[i+1]); - exit(1); - } - i++; - } else if (!strcmp(argv[i]+1, "key") && keyp == NULL && i+1 < argc) { - keyp = argv[++i]; - klen = strlen(keyp); - } else if (!strcmp(argv[i]+1, "authkey") && authp == NULL && i+1 < argc) { - if (!(mode & ESP_NEW)) { - fprintf(stderr, "%s: Invalid option %s for selected mode\n", - argv[0], argv[i]); - exit(1); - } - authp = argv[++i]; - alen = strlen(authp); - 
} else if (!strcmp(argv[i]+1, "iv") && ivp == NULL && i+1 < argc) { - if (mode & (AH_OLD|AH_NEW)) { - fprintf(stderr, "%s: Invalid option %s with auth\n", - argv[0], argv[i]); - exit(1); - } - ivp = argv[++i]; - ivlen = strlen(ivp); - } else if (!strcmp(argv[i]+1, "spi") && spi == 0 && i+1 < argc) { - if ((spi = htonl(strtoul(argv[i+1], NULL, 16))) == 0) { - fprintf(stderr, "%s: Invalid spi %s\n", - argv[0], argv[i+1]); - exit(1); - } - i++; - } else if (!strcmp(argv[i]+1, "spi2") && spi2 == 0 && - iscmd(mode, GRP_SPI) && i+1 < argc) { - if ((spi2 = htonl(strtoul(argv[i+1], NULL, 16))) == 0) { - fprintf(stderr, "%s: Invalid spi2 %s\n", - argv[0], argv[i+1]); - exit(1); - } - i++; - } else if (!strcmp(argv[i]+1, "src") && i+1 < argc) { - src.s_addr = inet_addr(argv[i+1]); - i++; - } else if (!strcmp(argv[i]+1, "newpadding") && (mode & ESP_NEW)) { - newpadding = 1; - } else if (!strcmp(argv[i]+1, "delete") && iscmd(mode, FLOW)) { - delete = 1; - } else if (!strcmp(argv[i]+1, "local") && iscmd(mode, FLOW)) { - local = 1; - } else if (!strcmp(argv[i]+1, "tunnel") && - (isencauth(mode) || mode == ENC_IP) && i+2 < argc) { - osrc.s_addr = inet_addr(argv[i+1]); - i++; - odst.s_addr = inet_addr(argv[i+1]); - i++; - } else if (!strcmp(argv[i]+1, "addr") && - iscmd(mode, FLOW) && i+4 < argc) { - osrc.s_addr = inet_addr(argv[i+1]); i++; - osmask.s_addr = inet_addr(argv[i+1]); i++; - odst.s_addr = inet_addr(argv[i+1]); i++; - odmask.s_addr = inet_addr(argv[i+1]); i++; - } else if (!strcmp(argv[i]+1, "transport") && - iscmd(mode, FLOW) && i+1 < argc) { - if (isalpha(argv[i+1][0])) { - tp = getprotobyname(argv[i+1]); - if (tp == NULL) { - fprintf(stderr, "%s: unknown protocol %s\n", argv[0], argv[i+1]); - exit(1); - } - tproto = tp->p_proto; - transportproto = argv[i+1]; - } else { - tproto = atoi(argv[i+1]); - tp = getprotobynumber(tproto); - if (tp == NULL) - transportproto = "UNKNOWN"; - else - transportproto = tp->p_name; /* This is static, but it doesn't matter for this 
application */ + if (!strcmp(argv[i] + 1, "enc") && enc == 0 && (i + 1 < argc)) + { + if ((enc = isvalid(argv[i + 1], XF_ENC, mode)) == 0) + { + fprintf(stderr, "%s: Invalid encryption algorithm %s\n", + argv[0], argv[i + 1]); + exit(1); + } + + skey1.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; + sa.sadb_sa_encrypt = enc; + i++; + continue; + } + + if (!strcmp(argv[i] + 1, "auth") && auth == 0 && (i + 1 < argc)) + { + if ((auth = isvalid(argv[i + 1], XF_AUTH, mode)) == 0) + { + fprintf(stderr, "%s: Invalid auth algorithm %s\n", + argv[0], argv[i + 1]); + exit(1); + } + + skey2.sadb_key_exttype = SADB_EXT_KEY_AUTH; + sa.sadb_sa_auth = auth; + i++; + continue; + } + + if (!strcmp(argv[i] + 1, "key") && keyp == NULL && + (i + 1 < argc)) + { + if (mode & (AH_NEW | AH_OLD)) + { + authp = argv[++i]; + alen = strlen(authp) / 2; + } + else + { + keyp = argv[++i]; + klen = strlen(keyp) / 2; + } + continue; + } + + if (!strcmp(argv[i] + 1, "authkey") && authp == NULL && + (i + 1 < argc)) + { + if (!(mode & ESP_NEW)) + { + fprintf(stderr, "%s: Invalid option %s for selected mode\n", + argv[0], argv[i]); + exit(1); + } + + authp = argv[++i]; + alen = strlen(authp) / 2; + continue; + } + + if (!strcmp(argv[i] + 1, "iv") && (i + 1 < argc)) + { + if (mode & (AH_OLD | AH_NEW)) + { + fprintf(stderr, "%s: Invalid option %s with auth\n", + argv[0], argv[i]); + exit(1); + } + + fprintf(stderr, + "%s: Warning: option iv has been deprecated\n", argv[0]); + + if (mode & ESP_OLD) + if (strlen(argv[i + 2]) == 4) + sa.sadb_sa_flags |= SADB_SAFLAGS_X_HALFIV; + + i++; + continue; + } + + if (!strcmp(argv[i] + 1, "spi") && spi == 0 && (i + 1 < argc)) + { + if ((spi = htonl(strtoul(argv[i + 1], NULL, 16))) == 0) + { + fprintf(stderr, "%s: Invalid spi %s\n", argv[0], argv[i + 1]); + exit(1); + } + + sa.sadb_sa_spi = spi; + i++; + continue; + } + + if (!strcmp(argv[i] + 1, "spi2") && spi2 == 0 && + iscmd(mode, GRP_SPI) && (i + 1 < argc)) + { + if ((spi2 = htonl(strtoul(argv[i + 1], NULL, 16))) == 0) 
{ + fprintf(stderr, "%s: Invalid spi2 %s\n", argv[0], argv[i + 1]); + exit(1); + } + + sa2.sadb_sa_spi = spi2; + i++; + continue; + } + + if (!strcmp(argv[i] + 1, "src") && (i + 1 < argc)) + { + src.sin.sin_family = AF_INET; + src.sin.sin_len = sizeof(struct sockaddr_in); + src.sin.sin_addr.s_addr = inet_addr(argv[i + 1]); + sad1.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; + sad1.sadb_address_len = 1 + sizeof(struct sockaddr_in) / 8; + i++; + continue; + } + + if (!strcmp(argv[i] + 1, "proxy") && (i + 1 < argc)) + { + proxy.sin.sin_family = AF_INET; + proxy.sin.sin_len = sizeof(struct sockaddr_in); + proxy.sin.sin_addr.s_addr = inet_addr(argv[i + 1]); + sad3.sadb_address_exttype = SADB_EXT_ADDRESS_PROXY; + sad3.sadb_address_len = 1 + sizeof(struct sockaddr_in) / 8; + i++; + continue; + } + + if (!strcmp(argv[i] + 1, "newpadding")) + { + fprintf(stderr, + "%s: Warning: option newpadding has been deprecated\n", + argv[0]); + continue; + } + + if (!strcmp(argv[i] + 1, "forcetunnel") && isencauth(mode)) + { + sa.sadb_sa_flags |= SADB_SAFLAGS_X_TUNNEL; + continue; + } + + if (!strcmp(argv[i] + 1, "halfiv")) + { + if (!(mode & ESP_OLD)) + { + fprintf(stderr, + "%s: option halfiv can be used only with old ESP\n", + argv[0]); + exit(1); + } + + sa.sadb_sa_flags |= SADB_SAFLAGS_X_HALFIV; + continue; + } + + if (!strcmp(argv[i] + 1, "delete") && iscmd(mode, FLOW)) + { + smsg.sadb_msg_type = SADB_X_DELFLOW; + continue; + } + + if (!strcmp(argv[i] + 1, "local") && iscmd(mode, FLOW)) + { + sa.sadb_sa_flags |= SADB_SAFLAGS_X_LOCALFLOW; + continue; + } + + if (!strcmp(argv[i] + 1, "tunnel") && + (isencauth(mode) || mode == ENC_IP) && ( i + 2 < argc)) + { + i += 2; + sa.sadb_sa_flags |= SADB_SAFLAGS_X_TUNNEL; + continue; + } + + if (!strcmp(argv[i] + 1, "addr") && iscmd(mode, FLOW) && + (i + 4 < argc)) + { + sad4.sadb_address_exttype = SADB_EXT_X_SRC_FLOW; + sad5.sadb_address_exttype = SADB_EXT_X_DST_FLOW; + sad6.sadb_address_exttype = SADB_EXT_X_SRC_MASK; + 
sad7.sadb_address_exttype = SADB_EXT_X_DST_MASK; + + sad4.sadb_address_len = (sizeof(sad4) + + sizeof(struct sockaddr_in)) / 8; + sad5.sadb_address_len = (sizeof(sad5) + + sizeof(struct sockaddr_in)) / 8; + sad6.sadb_address_len = (sizeof(sad6) + + sizeof(struct sockaddr_in)) / 8; + sad7.sadb_address_len = (sizeof(sad7) + + sizeof(struct sockaddr_in)) / 8; + + osrc.sin.sin_family = odst.sin.sin_family = AF_INET; + osmask.sin.sin_family = odmask.sin.sin_family = AF_INET; + osrc.sin.sin_len = odst.sin.sin_len = sizeof(struct sockaddr_in); + osmask.sin.sin_len = sizeof(struct sockaddr_in); + odmask.sin.sin_len = sizeof(struct sockaddr_in); + + osrc.sin.sin_addr.s_addr = inet_addr(argv[i + 1]); i++; + osmask.sin.sin_addr.s_addr = inet_addr(argv[i + 1]); i++; + odst.sin.sin_addr.s_addr = inet_addr(argv[i + 1]); i++; + odmask.sin.sin_addr.s_addr = inet_addr(argv[i + 1]); i++; + continue; + } + + if (!strcmp(argv[i] + 1, "transport") && + iscmd(mode, FLOW) && (i + 1 < argc)) + { + if (isalpha(argv[i + 1][0])) + { + tp = getprotobyname(argv[i + 1]); + if (tp == NULL) + { + fprintf(stderr, + "%s: unknown protocol %s\n", argv[0], argv[i + 1]); + exit(1); + } + + tproto = tp->p_proto; + transportproto = argv[i + 1]; + } + else + { + tproto = atoi(argv[i + 1]); + tp = getprotobynumber(tproto); + if (tp == NULL) + transportproto = "UNKNOWN"; + else + transportproto = tp->p_name; + } + + sprotocol.sadb_protocol_len = 1; + sprotocol.sadb_protocol_exttype = SADB_EXT_X_PROTOCOL; + sprotocol.sadb_protocol_proto = tproto; + i++; + continue; + } + + if (!strcmp(argv[i] + 1, "sport") && + iscmd(mode, FLOW) && (i + 1 < argc)) + { + if (isalpha(argv[i + 1][0])) + { + svp = getservbyname(argv[i + 1], transportproto); + if (svp == NULL) + { + fprintf(stderr, + "%s: unknown service port %s for protocol %s\n", + argv[0], argv[i + 1], transportproto); + exit(1); + } + + sport = svp->s_port; + } + else + sport = atoi(argv[i+1]); + + osrc.sin.sin_port = sport; + osmask.sin.sin_port = 0xffff; + 
i++; + continue; + } + + if (!strcmp(argv[i] + 1, "dport") && + iscmd(mode, FLOW) && (i + 1 < argc)) + { + if (isalpha(argv[i + 1][0])) + { + svp = getservbyname(argv[i + 1], transportproto); + if (svp == NULL) + { + fprintf(stderr, + "%s: unknown service port %s for protocol %s\n", + argv[0], argv[i + 1], transportproto); + exit(1); + } + dport = svp->s_port; + } + else + dport = atoi(argv[i + 1]); + + odst.sin.sin_port = dport; + odmask.sin.sin_port = 0xffff; + i++; + continue; + } + + if (!strcmp(argv[i] + 1, "dst") && (i + 1 < argc)) + { + sad2.sadb_address_exttype = SADB_EXT_ADDRESS_DST; + sad2.sadb_address_len = (sizeof(sad2) + + sizeof(struct sockaddr_in)) / 8; + dst.sin.sin_family = AF_INET; + dst.sin.sin_len = sizeof(struct sockaddr_in); + dst.sin.sin_addr.s_addr = inet_addr(argv[i + 1]); + i++; + continue; + } + + if (!strcmp(argv[i] + 1, "dst2") && + iscmd(mode, GRP_SPI) && (i + 1 < argc)) + { + sad8.sadb_address_len = (sizeof(sad8) + + sizeof(struct sockaddr_in)) / 8; + sad8.sadb_address_exttype = SADB_EXT_X_DST2; + dst2.sin.sin_family = AF_INET; + dst2.sin.sin_len = sizeof(struct sockaddr_in); + dst2.sin.sin_addr.s_addr = inet_addr(argv[i + 1]); + i++; + continue; + } + + if (!strcmp(argv[i] + 1, "proto") && (i + 1 < argc) && + (iscmd(mode, FLOW) || iscmd(mode, GRP_SPI) || + iscmd(mode, DEL_SPI))) + { + if (isalpha(argv[i + 1][0])) + { + if (!strcasecmp(argv[i + 1], "esp")) + { + smsg.sadb_msg_satype = SADB_SATYPE_ESP; + proto = IPPROTO_ESP; + } + else + if (!strcasecmp(argv[i + 1], "ah")) + { + smsg.sadb_msg_satype = SADB_SATYPE_AH; + proto = IPPROTO_AH; } - i++; - } else if (!strcmp(argv[i]+1, "sport") && - iscmd(mode, FLOW) && i+1 < argc) { - if (isalpha(argv[i+1][0])) { - svp = getservbyname(argv[i+1], transportproto); - if (svp == NULL) { - fprintf(stderr, "%s: unknown service port %s for protocol %s\n", argv[0], argv[i+1], transportproto); - exit(1); - } - sport = svp->s_port; - } else - sport = atoi(argv[i+1]); - i++; - } else if 
(!strcmp(argv[i]+1, "dport") && - iscmd(mode, FLOW) && i+1 < argc) { - if (isalpha(argv[i+1][0])) { - svp = getservbyname(argv[i+1], transportproto); - if (svp == NULL) { - fprintf(stderr, "%s: unknown service port %s for protocol %s\n", argv[0], argv[i+1], transportproto); - exit(1); - } - dport = svp->s_port; - } else - dport = atoi(argv[i+1]); - i++; - } else if (!strcmp(argv[i]+1, "dst") && i+1 < argc) { - dst.s_addr = inet_addr(argv[i+1]); - i++; - } else if (!strcmp(argv[i]+1, "dst2") && - iscmd(mode, GRP_SPI) && i+1 < argc) { - dst2.s_addr = inet_addr(argv[i+1]); - i++; - } else if (!strcmp(argv[i]+1, "proto") && i+1 < argc) { - if (isalpha(argv[i+1][0])) { - if (!strcasecmp(argv[i+1], "esp")) - proto = IPPROTO_ESP; - else if (!strcasecmp(argv[i+1], "ah")) - proto = IPPROTO_AH; - else if (!strcasecmp(argv[i+1], "ip4")) - proto = IPPROTO_IPIP; - else { - fprintf(stderr, "%s: unknown security protocol type %s\n", argv[0], argv[i+1]); - exit(1); - } - } else { - proto = atoi(argv[i+1]); - if (proto != IPPROTO_ESP && proto != IPPROTO_AH && - proto != IPPROTO_IPIP) { - fprintf(stderr, "%s: unknown security protocol %d\n", argv[0], proto); + else + if (!strcasecmp(argv[i + 1], "ip4")) + { + smsg.sadb_msg_satype = SADB_SATYPE_X_IPIP; + proto = IPPROTO_IPIP; + } + else + { + fprintf(stderr, + "%s: unknown security protocol type %s\n", + argv[0], argv[i + 1]); exit(1); - } + } + } + else + { + proto = atoi(argv[i + 1]); + if (proto != IPPROTO_ESP && proto != IPPROTO_AH && + proto != IPPROTO_IPIP) + { + fprintf(stderr, + "%s: unknown security protocol %d\n", + argv[0], proto); + exit(1); + } + + if (proto == IPPROTO_ESP) + smsg.sadb_msg_satype = SADB_SATYPE_ESP; + else + if (proto == IPPROTO_AH) + smsg.sadb_msg_satype = SADB_SATYPE_AH; + else + if (proto == IPPROTO_IPIP) + smsg.sadb_msg_satype = SADB_SATYPE_X_IPIP; + } + + i++; + continue; + } + + if (!strcmp(argv[i] + 1, "proto2") && + iscmd(mode, GRP_SPI) && (i + 1 < argc)) + { + if (isalpha(argv[i + 1][0])) + { + 
if (!strcasecmp(argv[i + 1], "esp"))
+ {
+ sprotocol.sadb_protocol_proto = SADB_SATYPE_ESP;
+ proto2 = IPPROTO_ESP;
+ }
+ else
+ if (!strcasecmp(argv[i + 1], "ah"))
+ {
+ sprotocol.sadb_protocol_proto = SADB_SATYPE_AH;
+ proto2 = IPPROTO_AH;
 }
- i++;
- } else if (!strcmp(argv[i]+1, "proto2") &&
- iscmd(mode, GRP_SPI) && i+1 < argc) {
- if (isalpha(argv[i+1][0])) {
- if (!strcasecmp(argv[i+1], "esp"))
- proto2 = IPPROTO_ESP;
- else if (!strcasecmp(argv[i+1], "ah"))
- proto2 = IPPROTO_AH;
- else if (!strcasecmp(argv[i+1], "ip4"))
- proto2 = IPPROTO_IPIP;
- else {
- fprintf(stderr, "%s: unknown security protocol2 type %s\n", argv[0], argv[i+1]);
- exit(1);
- }
- } else
- proto2 = atoi(argv[i+1]);
- if (proto2 != IPPROTO_ESP && proto2 != IPPROTO_AH &&
- proto2 != IPPROTO_IPIP) {
- fprintf(stderr, "%s: unknown security protocol %d\n", argv[0], proto);
- exit(1);
- }
- i++;
- } else if (!strcmp(argv[i]+1, "chain") && chain == 0 &&
- iscmd(mode, DEL_SPI)) {
- chain = 1;
- } else {
- fprintf(stderr, "%s: Unkown option: %s\n", argv[0], argv[i]);
- exit(1);
- }
+ else
+ if (!strcasecmp(argv[i + 1], "ip4"))
+ {
+ sprotocol.sadb_protocol_proto = SADB_SATYPE_X_IPIP;
+ proto2 = IPPROTO_IPIP;
+ }
+ else
+ {
+ fprintf(stderr,
+ "%s: unknown security protocol2 type %s\n",
+ argv[0], argv[i+1]);
+ exit(1);
+ }
+ }
+ else
+ proto2 = atoi(argv[i + 1]);
+
+ if (proto2 != IPPROTO_ESP && proto2 != IPPROTO_AH &&
+ proto2 != IPPROTO_IPIP)
+ {
+ fprintf(stderr,
+ "%s: unknown security protocol2 %d\n", argv[0], proto);
+ exit(1);
+ }
+
+ sprotocol.sadb_protocol_exttype = SADB_EXT_X_PROTOCOL;
+ sprotocol.sadb_protocol_len = 1;
+ i++;
+ continue;
 }
+ if (!strcmp(argv[i] + 1, "chain") &&
+ !(sa.sadb_sa_flags & SADB_SAFLAGS_X_CHAINDEL) &&
+ iscmd(mode, DEL_SPI))
+ {
+ sa.sadb_sa_flags |= SADB_SAFLAGS_X_CHAINDEL;
+ continue;
+ }
+
+ /* No match */
+ fprintf(stderr,
+ "%s: Unknown or invalid option: %s\n", argv[0], argv[i]);
+ exit(1);
+ }
+
+ /* Sanity checks */
+ if ((mode & (ESP_NEW | ESP_OLD)) && enc == 0)
+ {
+ fprintf(stderr, "%s: No encryption algorithm specified\n", argv[0]);
+ exit(1);
+ }
+
+ if ((mode & (AH_NEW | AH_OLD)) && auth == 0)
+ {
+ fprintf(stderr, "%s: No authentication algorithm specified\n",
+ argv[0]);
+ exit(1);
+ }
+
+ if (isencauth(mode) && keyp == NULL)
+ {
+ fprintf(stderr, "%s: No key material specified\n", argv[0]);
+ exit(1);
+ }
+
+ if ((mode & ESP_NEW) && auth && authp == NULL)
+ {
+ fprintf(stderr, "%s: No auth key material specified\n", argv[0]);
+ exit(1);
+ }
+
+ if (spi == 0)
+ {
+ fprintf(stderr, "%s: No SPI specified\n", argv[0]);
+ exit(1);
+ }
+
+ if (iscmd(mode, GRP_SPI) && spi2 == 0)
+ {
+ fprintf(stderr, "%s: No SPI2 specified\n", argv[0]);
+ exit(1);
+ }
+
+ if ((isencauth(mode) || iscmd(mode, ENC_IP)) &&
+ src.sin.sin_addr.s_addr == 0)
+ {
+ fprintf(stderr, "%s: No source address specified\n", argv[0]);
+ exit(1);
+ }
- /* Sanity checks */
- if ((mode & (ESP_NEW|ESP_OLD)) && enc == 0) {
- fprintf(stderr, "%s: No encryption algorithm specified\n",
- argv[0]);
- exit(1);
- } else if ((mode & (AH_NEW|AH_OLD)) && auth == 0) {
- fprintf(stderr, "%s: No authenication algorithm specified\n",
- argv[0]);
- exit(1);
- } else if (isencauth(mode) && keyp == NULL) {
- fprintf(stderr, "%s: No key material specified\n", argv[0]);
- exit(1);
- } else if ((mode & ESP_NEW) && auth && authp == NULL) {
- fprintf(stderr, "%s: No auth key material specified\n", argv[0]);
- exit(1);
- } else if (spi == 0) {
- fprintf(stderr, "%s: No SPI specified\n", argv[0]);
- exit(1);
- } else if (iscmd(mode, GRP_SPI) && spi2 == 0) {
- fprintf(stderr, "%s: No SPI2 specified\n", argv[0]);
- exit(1);
- } else if ((isencauth(mode) || iscmd(mode, ENC_IP)) &&
- src.s_addr == 0) {
- fprintf(stderr, "%s: No source address specified\n", argv[0]);
- exit(1);
- } else if ((iscmd(mode, DEL_SPI) || iscmd(mode, GRP_SPI) ||
- iscmd(mode, FLOW)) &&
- proto != IPPROTO_ESP && proto != IPPROTO_AH &&
- proto != IPPROTO_IPIP) {
- fprintf(stderr, "%s: Security protocol is none of AH, ESP or IPIP\n", argv[0]);
- exit(1);
- } else if (iscmd(mode, GRP_SPI) &&
- proto2 != IPPROTO_ESP && proto2 != IPPROTO_AH &&
- proto2 != IPPROTO_IPIP) {
- fprintf(stderr, "%s: Security protocol2 is none of AH, ESP or IPIP\n", argv[0]);
- exit(1);
- } else if (dst.s_addr == 0) {
- fprintf(stderr, "%s: No destination address specified\n",
- argv[0]);
- exit(1);
- } else if (iscmd(mode, ENC_IP) &&
- (odst.s_addr == 0 || osrc.s_addr == 0)) {
- fprintf(stderr, "%s: No tunnel addresses specified\n",
- argv[0]);
- exit(1);
- } else if (iscmd(mode, FLOW) &&
- (odst.s_addr == 0 && odmask.s_addr == 0 &&
- osrc.s_addr == 0 && osmask.s_addr == 0)) {
- fprintf(stderr, "%s: No subnets for flow specified\n",
- argv[0]);
- exit(1);
- } else if (iscmd(mode, GRP_SPI) && dst2.s_addr == 0) {
- fprintf(stderr, "%s: No destination address2 specified\n",
- argv[0]);
- exit(1);
+ if ((iscmd(mode, DEL_SPI) || iscmd(mode, GRP_SPI) || iscmd(mode, FLOW)) &&
+ proto != IPPROTO_ESP && proto != IPPROTO_AH && proto != IPPROTO_IPIP)
+ {
+ fprintf(stderr, "%s: Security protocol is none of AH, ESP or IPIP\n",
+ argv[0]);
+ exit(1);
+ }
+
+ if (iscmd(mode, GRP_SPI) && proto2 != IPPROTO_ESP &&
+ proto2 != IPPROTO_AH && proto2 != IPPROTO_IPIP)
+ {
+ fprintf(stderr, "%s: Security protocol2 is none of AH, ESP or IPIP\n",
+ argv[0]);
+ exit(1);
+ }
+
+ if (dst.sin.sin_addr.s_addr == 0)
+ {
+ fprintf(stderr, "%s: No destination address for the SA specified\n",
+ argv[0]);
+ exit(1);
+ }
+
+ if (iscmd(mode, FLOW) && (odst.sin.sin_addr.s_addr == 0 &&
+ odmask.sin.sin_addr.s_addr == 0 &&
+ osrc.sin.sin_addr.s_addr == 0 &&
+ osmask.sin.sin_addr.s_addr == 0))
+ {
+ fprintf(stderr, "%s: No subnets for flow specified\n", argv[0]);
+ exit(1);
+ }
+
+ if (iscmd(mode, FLOW) && (sprotocol.sadb_protocol_proto == 0) &&
+ (odst.sin.sin_port || osrc.sin.sin_port))
+ {
+ fprintf(stderr, "%s: No transport protocol supplied with source/destination ports\n", argv[0]);
+ exit(1);
+ }
+
+ if (iscmd(mode, GRP_SPI) && dst2.sin.sin_addr.s_addr == 0)
+ {
+ fprintf(stderr, "%s: No destination address2 specified\n", argv[0]);
+ exit(1);
+ }
+
+ if ((klen > 2 * 8100) || (alen > 2 * 8100))
+ {
+ fprintf(stderr, "%s: key too long\n", argv[0]);
+ exit(1);
+ }
+
+ if (keyp != NULL)
+ {
+ for (i = 0; i < klen; i++)
+ realkey[i] = x2i(keyp + 2 * i);
+ }
+
+ if (authp != NULL)
+ {
+ for (i = 0; i < alen; i++)
+ realakey[i] = x2i(authp + 2 * i);
+ }
+
+ /* message header */
+ iov[cnt].iov_base = &smsg;
+ iov[cnt++].iov_len = sizeof(smsg);
+
+ if (isencauth(mode))
+ {
+ /* SA header */
+ iov[cnt].iov_base = &sa;
+ iov[cnt++].iov_len = sizeof(sa);
+ smsg.sadb_msg_len += sa.sadb_sa_len;
+
+ /* Destination address header */
+ iov[cnt].iov_base = &sad2;
+ iov[cnt++].iov_len = sizeof(sad2);
+ /* Destination address */
+ iov[cnt].iov_base = &dst;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad2.sadb_address_len;
+
+ if (src.sin.sin_addr.s_addr)
+ {
+ /* Source address header */
+ iov[cnt].iov_base = &sad1;
+ iov[cnt++].iov_len = sizeof(sad1);
+ /* Source address */
+ iov[cnt].iov_base = &src;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad1.sadb_address_len;
 }
- if (isencauth(mode)) {
- switch(mode) {
- case ESP_NEW:
- result = xf_esp_new(src, dst, spi, enc, auth, ivp, keyp,
- authp, osrc, odst, newpadding);
- break;
- case ESP_OLD:
- result = xf_esp_old(src, dst, spi, enc, ivp, keyp, osrc, odst);
- break;
- case AH_NEW:
- result = xf_ah_new(src, dst, spi, auth, keyp, osrc, odst);
- break;
- case AH_OLD:
- result = xf_ah_old(src, dst, spi, auth, keyp, osrc, odst);
- break;
- }
- } else {
- switch(mode & CMD_MASK) {
- case GRP_SPI:
- result = xf_grp(dst, spi, proto, dst2, spi2, proto2);
- break;
- case DEL_SPI:
- result = xf_delspi(dst, spi, proto, chain);
- break;
- case ENC_IP:
- result = xf_ip4(src, dst, spi, osrc, odst);
- break;
+ if (proxy.sin.sin_addr.s_addr)
+ {
+ /* Proxy address header */
+ iov[cnt].iov_base = &sad3;
+ iov[cnt++].iov_len = sizeof(sad3);
+ /* Proxy address */
+ iov[cnt].iov_base = &proxy;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad3.sadb_address_len;
+ }
+
+ if (keyp)
+ {
+ /* Key header */
+ iov[cnt].iov_base = &skey1;
+ iov[cnt++].iov_len = sizeof(skey1);
+ /* Key */
+ iov[cnt].iov_base = realkey;
+ iov[cnt++].iov_len = ((klen + 7) / 8) * 8;
+ skey1.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
+ skey1.sadb_key_len = (sizeof(skey1) + ((klen + 7) / 8) * 8) / 8;
+ skey1.sadb_key_bits = 8 * klen;
+ smsg.sadb_msg_len += skey1.sadb_key_len;
+ }
+
+ if (authp)
+ {
+ /* Auth key header */
+ iov[cnt].iov_base = &skey2;
+ iov[cnt++].iov_len = sizeof(skey2);
+ /* Auth key */
+ iov[cnt].iov_base = realakey;
+ iov[cnt++].iov_len = ((alen + 7) / 8) * 8;
+ skey2.sadb_key_exttype = SADB_EXT_KEY_AUTH;
+ skey2.sadb_key_len = (sizeof(skey2) + ((alen + 7) / 8) * 8) / 8;
+ skey2.sadb_key_bits = 8 * alen;
+ smsg.sadb_msg_len += skey2.sadb_key_len;
+ }
+ }
+ else
+ {
+ switch(mode & CMD_MASK)
+ {
+ case GRP_SPI:
+ /* SA header */
+ iov[cnt].iov_base = &sa;
+ iov[cnt++].iov_len = sizeof(sa);
+ smsg.sadb_msg_len += sa.sadb_sa_len;
+
+ /* Destination address header */
+ iov[cnt].iov_base = &sad2;
+ iov[cnt++].iov_len = sizeof(sad2);
+ /* Destination address */
+ iov[cnt].iov_base = &dst;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad2.sadb_address_len;
+
+ /* SA header */
+ iov[cnt].iov_base = &sa2;
+ iov[cnt++].iov_len = sizeof(sa2);
+ smsg.sadb_msg_len += sa2.sadb_sa_len;
+
+ /* Destination2 address header */
+ iov[cnt].iov_base = &sad8;
+ iov[cnt++].iov_len = sizeof(sad8);
+ /* Destination2 address */
+ iov[cnt].iov_base = &dst2;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad8.sadb_address_len;
+
+ /* Protocol2 */
+ iov[cnt].iov_base = &sprotocol;
+ iov[cnt++].iov_len = sizeof(sprotocol);
+ smsg.sadb_msg_len += sprotocol.sadb_protocol_len;
+ break;
+
+ case DEL_SPI:
+ /* SA header */
+ iov[cnt].iov_base = &sa;
+ iov[cnt++].iov_len = sizeof(sa);
+ smsg.sadb_msg_len += sa.sadb_sa_len;
+
+ /* Destination address header */
+ iov[cnt].iov_base = &sad2;
+ iov[cnt++].iov_len = sizeof(sad2);
+ /* Destination address */
+ iov[cnt].iov_base = &dst;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad2.sadb_address_len;
+ break;
+
+ case ENC_IP:
+ /* SA header */
+ iov[cnt].iov_base = &sa;
+ iov[cnt++].iov_len = sizeof(sa);
+ smsg.sadb_msg_len += sa.sadb_sa_len;
+
+ /* Destination address header */
+ iov[cnt].iov_base = &sad2;
+ iov[cnt++].iov_len = sizeof(sad2);
+ /* Destination address */
+ iov[cnt].iov_base = &dst;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad2.sadb_address_len;
+
+ if (src.sin.sin_addr.s_addr)
+ {
+ /* Source address header */
+ iov[cnt].iov_base = &sad1;
+ iov[cnt++].iov_len = sizeof(sad1);
+ /* Source address */
+ iov[cnt].iov_base = &src;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad1.sadb_address_len;
+ }
+ break;
+
 case FLOW:
- result = xf_flow(dst, spi, proto, osrc, osmask, odst, odmask,
- tproto, sport, dport, delete, local);
- break;
- }
+ if (smsg.sadb_msg_type != SADB_X_DELFLOW)
+ {
+ /* Destination address header */
+ iov[cnt].iov_base = &sad2;
+ iov[cnt++].iov_len = sizeof(sad2);
+ /* Destination address */
+ iov[cnt].iov_base = &dst;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad2.sadb_address_len;
+ }
+
+ /* SA header */
+ iov[cnt].iov_base = &sa;
+ iov[cnt++].iov_len = sizeof(sa);
+ smsg.sadb_msg_len += sa.sadb_sa_len;
+
+ if (sprotocol.sadb_protocol_len)
+ {
+ /* Protocol2 */
+ iov[cnt].iov_base = &sprotocol;
+ iov[cnt++].iov_len = sizeof(sprotocol);
+ smsg.sadb_msg_len += sprotocol.sadb_protocol_len;
+ }
+
+ /* Flow source address header */
+ iov[cnt].iov_base = &sad4;
+ iov[cnt++].iov_len = sizeof(sad4);
+ /* Flow source addressaddress */
+ iov[cnt].iov_base = &osrc;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad4.sadb_address_len;
+
+ /* Flow destination address header */
+ iov[cnt].iov_base = &sad5;
+ iov[cnt++].iov_len = sizeof(sad5);
+ /* Flow destination address */
+ iov[cnt].iov_base = &odst;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad5.sadb_address_len;
+
+ /* Flow source address mask header */
+ iov[cnt].iov_base = &sad6;
+ iov[cnt++].iov_len = sizeof(sad6);
+ /* Flow source address mask */
+ iov[cnt].iov_base = &osmask;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad6.sadb_address_len;
+
+ /* Flow destination address mask header */
+ iov[cnt].iov_base = &sad7;
+ iov[cnt++].iov_len = sizeof(sad7);
+ /* Flow destination address mask */
+ iov[cnt].iov_base = &odmask;
+ iov[cnt++].iov_len = sizeof(struct sockaddr_in);
+ smsg.sadb_msg_len += sad7.sadb_address_len;
+ break;
 }
+ }
- exit (result ? 0 : 1);
+ xf_set(iov, cnt, smsg.sadb_msg_len * 8);
+ exit (0);
 }
+
diff --git a/sbin/ipsecadm/kernel.c b/sbin/ipsecadm/kernel.c
deleted file mode 100644
index d17592ad4d4..00000000000
--- a/sbin/ipsecadm/kernel.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/* $OpenBSD: kernel.c,v 1.1 1998/11/14 23:37:20 deraadt Exp $ */
-/*
- * The authors of this code are John Ioannidis (ji@tla.org),
- * Angelos D. Keromytis (kermit@csd.uch.gr) and
- * Niels Provos (provos@physnet.uni-hamburg.de).
- *
- * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
- * in November 1995.
- *
- * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis.
- *
- * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
- * and Niels Provos.
- *
- * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
- * and Niels Provos.
- *
- * Permission to use, copy, and modify this software without fee
- * is hereby granted, provided that this entire notice is included in
- * all copies of any software which is or includes a copy or
- * modification of this software.
- * You may use this code under the GNU public license if you so wish. Please
- * contribute changes back to the authors under this freer than GPL license
- * so that we may further the use of strong encryption without limitations to
- * all.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
- * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
- * PURPOSE.
- */
-
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/mbuf.h>
-#include <sys/sysctl.h>
-
-#include <net/if.h>
-#include <net/route.h>
-#include <net/if_dl.h>
-#include <netinet/in.h>
-#include <netns/ns.h>
-#include <netiso/iso.h>
-#include <netccitt/x25.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-
-#include <errno.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-#include <paths.h>
-#include "net/encap.h"
-
-int
-xf_set(em)
- struct encap_msghdr *em;
-{
- int sd;
-
- sd = socket(AF_ENCAP, SOCK_RAW, AF_UNSPEC);
- if (sd < 0) {
- perror("socket");
- return 0;
- }
-
- if (write(sd, (char *)em, em->em_msglen) != em->em_msglen) {
- perror("write");
- return 0;
- }
-
- close(sd);
- return 1;
-}
diff --git a/sbin/ipsecadm/xf_ah_new.c b/sbin/ipsecadm/xf_ah_new.c
deleted file mode 100644
index bb1cbcc7571..00000000000
--- a/sbin/ipsecadm/xf_ah_new.c
+++ /dev/null
@@ -1,107 +0,0 @@ -/* $OpenBSD: xf_ah_new.c,v 1.1 1998/11/14 23:37:20 deraadt Exp $ */ -/* - * The authors of this code are John Ioannidis (ji@tla.org), - * Angelos D. Keromytis (kermit@csd.uch.gr) and - * Niels Provos (provos@physnet.uni-hamburg.de). - * - * This code was written by John Ioannidis for BSD/OS in Athens, Greece, - * in November 1995. - * - * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis. - * - * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis - * and Niels Provos. - * - * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis - * and Niels Provos. - * - * Permission to use, copy, and modify this software without fee - * is hereby granted, provided that this entire notice is included in - * all copies of any software which is or includes a copy or - * modification of this software. - * You may use this code under the GNU public license if you so wish. Please - * contribute changes back to the authors under this freer than GPL license - * so that we may further the use of strong encryption without limitations to - * all. - * - * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY - * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE - * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR - * PURPOSE. 
- */ - -#include <sys/param.h> -#include <sys/file.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <sys/mbuf.h> -#include <sys/sysctl.h> - -#include <net/if.h> -#include <net/route.h> -#include <net/if_dl.h> -#include <netinet/in.h> -#include <netns/ns.h> -#include <netiso/iso.h> -#include <netccitt/x25.h> -#include <arpa/inet.h> -#include <netdb.h> - -#include <errno.h> -#include <unistd.h> -#include <stdio.h> -#include <ctype.h> -#include <stdlib.h> -#include <string.h> -#include <paths.h> -#include "net/encap.h" -#include "netinet/ip_ipsp.h" -#include "netinet/ip_ah.h" - -extern char buf[]; - -int xf_set __P(( struct encap_msghdr *)); -int x2i __P((char *)); - -int -xf_ah_new(src, dst, spi, auth, keyp, osrc, odst) -struct in_addr src, dst; -u_int32_t spi; -int auth; -u_char *keyp; -struct in_addr osrc, odst; -{ - int klen, i; - - struct encap_msghdr *em; - struct ah_new_xencap *xd; - - klen = strlen(keyp)/2; - - em = (struct encap_msghdr *)&buf[0]; - - em->em_msglen = EMT_SETSPI_FLEN + AH_NEW_XENCAP_LEN + klen; - em->em_version = PFENCAP_VERSION_1; - em->em_type = EMT_SETSPI; - em->em_spi = spi; - em->em_src = src; - em->em_dst = dst; - em->em_osrc = osrc; - em->em_odst = odst; - em->em_alg = XF_NEW_AH; - em->em_sproto = IPPROTO_AH; - - xd = (struct ah_new_xencap *)(em->em_dat); - - xd->amx_hash_algorithm = auth; - xd->amx_wnd = -1; /* Manual setup -- no sequence number */ - xd->amx_keylen = klen; - - bzero(xd->amx_key, klen); - for (i = 0; i < klen; i++ ) - xd->amx_key[i] = x2i(keyp+2*i); - - return xf_set(em); -} diff --git a/sbin/ipsecadm/xf_ah_old.c b/sbin/ipsecadm/xf_ah_old.c deleted file mode 100644 index 9185b50e9a3..00000000000 --- a/sbin/ipsecadm/xf_ah_old.c +++ /dev/null 
@@ -1,105 +0,0 @@ -/* $OpenBSD: xf_ah_old.c,v 1.1 1998/11/14 23:37:20 deraadt Exp $ */ -/* - * The authors of this code are John Ioannidis (ji@tla.org), - * Angelos D. Keromytis (kermit@csd.uch.gr) and - * Niels Provos (provos@physnet.uni-hamburg.de). - * - * This code was written by John Ioannidis for BSD/OS in Athens, Greece, - * in November 1995. - * - * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis. - * - * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis - * and Niels Provos. - * - * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis - * and Niels Provos. - * - * Permission to use, copy, and modify this software without fee - * is hereby granted, provided that this entire notice is included in - * all copies of any software which is or includes a copy or - * modification of this software. - * You may use this code under the GNU public license if you so wish. Please - * contribute changes back to the authors under this freer than GPL license - * so that we may further the use of strong encryption without limitations to - * all. - * - * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY - * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE - * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR - * PURPOSE. 
- */ - -#include <sys/param.h> -#include <sys/file.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <sys/mbuf.h> -#include <sys/sysctl.h> - -#include <net/if.h> -#include <net/route.h> -#include <net/if_dl.h> -#include <netinet/in.h> -#include <netns/ns.h> -#include <netiso/iso.h> -#include <netccitt/x25.h> -#include <arpa/inet.h> -#include <netdb.h> - -#include <errno.h> -#include <unistd.h> -#include <stdio.h> -#include <ctype.h> -#include <stdlib.h> -#include <string.h> -#include <paths.h> -#include "net/encap.h" -#include "netinet/ip_ipsp.h" -#include "netinet/ip_ah.h" - -extern char buf[]; - -int xf_set __P(( struct encap_msghdr *)); -int x2i __P((char *)); - -int -xf_ah_old(src, dst, spi, auth, keyp, osrc, odst) -struct in_addr src, dst; -u_int32_t spi; -int auth; -u_char *keyp; -struct in_addr osrc, odst; -{ - int klen, i; - - struct encap_msghdr *em; - struct ah_old_xencap *xd; - - klen = strlen(keyp)/2; - - em = (struct encap_msghdr *)&buf[0]; - - em->em_msglen = EMT_SETSPI_FLEN + AH_OLD_XENCAP_LEN + klen; - em->em_version = PFENCAP_VERSION_1; - em->em_type = EMT_SETSPI; - em->em_spi = spi; - em->em_src = src; - em->em_dst = dst; - em->em_osrc = osrc; - em->em_odst = odst; - em->em_alg = XF_OLD_AH; - em->em_sproto = IPPROTO_AH; - - xd = (struct ah_old_xencap *)(em->em_dat); - - xd->amx_hash_algorithm = auth; - xd->amx_keylen = klen; - - for (i = 0; i < klen; i++ ) - xd->amx_key[i] = x2i(keyp + 2*i); - - return xf_set(em); -} diff --git a/sbin/ipsecadm/xf_delspi.c b/sbin/ipsecadm/xf_delspi.c deleted file mode 100644 index d98be70348f..00000000000 --- a/sbin/ipsecadm/xf_delspi.c +++ /dev/null 
@@ -1,91 +0,0 @@ -/* $OpenBSD: xf_delspi.c,v 1.1 1998/11/14 23:37:21 deraadt Exp $ */ -/* - * The authors of this code are John Ioannidis (ji@tla.org), - * Angelos D. Keromytis (kermit@csd.uch.gr) and - * Niels Provos (provos@physnet.uni-hamburg.de). - * - * This code was written by John Ioannidis for BSD/OS in Athens, Greece, - * in November 1995. - * - * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis. - * - * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis - * and Niels Provos. - * - * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis - * and Niels Provos. - * - * Permission to use, copy, and modify this software without fee - * is hereby granted, provided that this entire notice is included in - * all copies of any software which is or includes a copy or - * modification of this software. - * You may use this code under the GNU public license if you so wish. Please - * contribute changes back to the authors under this freer than GPL license - * so that we may further the use of strong encryption without limitations to - * all. - * - * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY - * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE - * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR - * PURPOSE. 
- */ - -#include <sys/param.h> -#include <sys/file.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <sys/mbuf.h> -#include <sys/sysctl.h> - -#include <net/if.h> -#include <net/route.h> -#include <net/if_dl.h> -#include <netinet/in.h> -#include <netns/ns.h> -#include <netiso/iso.h> -#include <netccitt/x25.h> -#include <arpa/inet.h> -#include <netdb.h> - -#include <errno.h> -#include <unistd.h> -#include <stdio.h> -#include <ctype.h> -#include <stdlib.h> -#include <string.h> -#include <paths.h> -#include "net/encap.h" -#include "netinet/ip_ipsp.h" - -extern char buf[]; - -int xf_set __P((struct encap_msghdr *)); - -int -xf_delspi(dst, spi, proto, chain) -struct in_addr dst; -u_int32_t spi; -int proto, chain; -{ - struct encap_msghdr *em; - - em = (struct encap_msghdr *)&buf[0]; - em->em_version = PFENCAP_VERSION_1; - - if (chain) { - em->em_msglen = EMT_DELSPICHAIN_FLEN; - em->em_type = EMT_DELSPICHAIN; - } else { - em->em_msglen = EMT_DELSPI_FLEN; - em->em_type = EMT_DELSPI; - } - em->em_gen_spi = spi; - em->em_gen_dst = dst; - em->em_gen_sproto = proto; - - return xf_set(em); -} - - diff --git a/sbin/ipsecadm/xf_esp_new.c b/sbin/ipsecadm/xf_esp_new.c deleted file mode 100644 index 5b8250f2af5..00000000000 --- a/sbin/ipsecadm/xf_esp_new.c +++ /dev/null 
@@ -1,127 +0,0 @@ -/* $OpenBSD: xf_esp_new.c,v 1.1 1998/11/14 23:37:21 deraadt Exp $ */ -/* - * The authors of this code are John Ioannidis (ji@tla.org), - * Angelos D. Keromytis (kermit@csd.uch.gr) and - * Niels Provos (provos@physnet.uni-hamburg.de). - * - * This code was written by John Ioannidis for BSD/OS in Athens, Greece, - * in November 1995. - * - * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis. - * - * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis - * and Niels Provos. - * - * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis - * and Niels Provos. - * - * Permission to use, copy, and modify this software without fee - * is hereby granted, provided that this entire notice is included in - * all copies of any software which is or includes a copy or - * modification of this software. - * You may use this code under the GNU public license if you so wish. Please - * contribute changes back to the authors under this freer than GPL license - * so that we may further the use of strong encryption without limitations to - * all. - * - * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY - * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE - * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR - * PURPOSE. 
- */ - -#include <sys/param.h> -#include <sys/file.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <sys/mbuf.h> -#include <sys/sysctl.h> - -#include <net/if.h> -#include <net/route.h> -#include <net/if_dl.h> -#include <netinet/in.h> -#include <netns/ns.h> -#include <netiso/iso.h> -#include <netccitt/x25.h> -#include <arpa/inet.h> -#include <netdb.h> - -#include <errno.h> -#include <unistd.h> -#include <stdio.h> -#include <ctype.h> -#include <stdlib.h> -#include <string.h> -#include <paths.h> -#include "net/encap.h" -#include "netinet/ip_ipsp.h" -#include "netinet/ip_esp.h" - -extern char buf[]; - -int xf_set __P(( struct encap_msghdr *)); -int x2i __P((char *)); - -int -xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, authp, - osrc, odst, newpadding) -struct in_addr src, dst; -u_int32_t spi; -int enc, auth; -u_char *ivp, *keyp, *authp; -struct in_addr osrc, odst; -int newpadding; -{ - int i, klen, alen, ivlen; - - struct encap_msghdr *em; - struct esp_new_xencap *xd; - - klen = strlen(keyp)/2; - alen = authp == NULL ? 0 : strlen(authp)/2; - ivlen = ivp == NULL ? 0 : strlen(ivp)/2; - - em = (struct encap_msghdr *)&buf[0]; - - em->em_msglen = EMT_SETSPI_FLEN + ESP_NEW_XENCAP_LEN + - ivlen + klen + alen; - - em->em_version = PFENCAP_VERSION_1; - em->em_type = EMT_SETSPI; - em->em_spi = spi; - em->em_src = src; - em->em_dst = dst; - em->em_osrc = osrc; - em->em_odst = odst; - em->em_alg = XF_NEW_ESP; - em->em_sproto = IPPROTO_ESP; - - xd = (struct esp_new_xencap *)(em->em_dat); - - xd->edx_enc_algorithm = enc; - xd->edx_hash_algorithm = auth; - xd->edx_ivlen = ivlen; - xd->edx_confkeylen = klen; - xd->edx_authkeylen = alen; - xd->edx_wnd = -1; /* Manual keying -- no seq */ - xd->edx_flags = auth ? 
ESP_NEW_FLAG_AUTH : 0; - - if (newpadding) - xd->edx_flags |= ESP_NEW_FLAG_NPADDING; - - for (i = 0; i < ivlen; i++) - xd->edx_data[i] = x2i(ivp+2*i); - - for (i = 0; i < klen; i++) - xd->edx_data[i+ivlen] = x2i(keyp+2*i); - - for (i = 0; i < alen; i++) - xd->edx_data[i+ivlen+klen] = x2i(authp+2*i); - - return xf_set(em); -} - - diff --git a/sbin/ipsecadm/xf_esp_old.c b/sbin/ipsecadm/xf_esp_old.c deleted file mode 100644 index da1ac77de9d..00000000000 --- a/sbin/ipsecadm/xf_esp_old.c +++ /dev/null 
@@ -1,112 +0,0 @@ -/* $OpenBSD: xf_esp_old.c,v 1.1 1998/11/14 23:37:21 deraadt Exp $ */ -/* - * The authors of this code are John Ioannidis (ji@tla.org), - * Angelos D. Keromytis (kermit@csd.uch.gr) and - * Niels Provos (provos@physnet.uni-hamburg.de). - * - * This code was written by John Ioannidis for BSD/OS in Athens, Greece, - * in November 1995. - * - * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis. - * - * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis - * and Niels Provos. - * - * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis - * and Niels Provos. - * - * Permission to use, copy, and modify this software without fee - * is hereby granted, provided that this entire notice is included in - * all copies of any software which is or includes a copy or - * modification of this software. - * You may use this code under the GNU public license if you so wish. Please - * contribute changes back to the authors under this freer than GPL license - * so that we may further the use of strong encryption without limitations to - * all. - * - * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY - * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE - * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR - * PURPOSE. 
- */ - -#include <sys/param.h> -#include <sys/file.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <sys/mbuf.h> -#include <sys/sysctl.h> - -#include <net/if.h> -#include <net/route.h> -#include <net/if_dl.h> -#include <netinet/in.h> -#include <netns/ns.h> -#include <netiso/iso.h> -#include <netccitt/x25.h> -#include <arpa/inet.h> -#include <netdb.h> - -#include <errno.h> -#include <unistd.h> -#include <stdio.h> -#include <ctype.h> -#include <stdlib.h> -#include <string.h> -#include <paths.h> -#include "net/encap.h" -#include "netinet/ip_ipsp.h" -#include "netinet/ip_esp.h" - -extern char buf[]; - -int xf_set __P(( struct encap_msghdr *)); -int x2i __P((char *)); - -int -xf_esp_old(src, dst, spi, enc, ivp, keyp, osrc, odst) -struct in_addr src, dst; -u_int32_t spi; -int enc; -u_char *ivp, *keyp; -struct in_addr osrc, odst; -{ - int i, ivlen, klen; - - struct encap_msghdr *em; - struct esp_old_xencap *xd; - - klen = strlen(keyp)/2; - ivlen = ivp == NULL ? 0 : strlen(ivp)/2; - - em = (struct encap_msghdr *)&buf[0]; - - em->em_msglen = EMT_SETSPI_FLEN + ESP_OLD_XENCAP_LEN + ivlen + klen; - em->em_version = PFENCAP_VERSION_1; - em->em_type = EMT_SETSPI; - em->em_spi = spi; - em->em_src = src; - em->em_dst = dst; - em->em_osrc = osrc; - em->em_odst = odst; - em->em_alg = XF_OLD_ESP; - em->em_sproto = IPPROTO_ESP; - - xd = (struct esp_old_xencap *)(em->em_dat); - - xd->edx_enc_algorithm = enc; - xd->edx_ivlen = ivlen; - xd->edx_keylen = klen; - - for (i = 0; i < ivlen; i++) - xd->edx_data[i] = x2i(ivp+2*i); - - for (i = 0; i < klen; i++) - xd->edx_data[i+ivlen] = x2i(keyp+2*i); - - return xf_set(em); -} - - diff --git a/sbin/ipsecadm/xf_flow.c b/sbin/ipsecadm/xf_flow.c deleted file mode 100644 index 294ac70ac0e..00000000000 --- a/sbin/ipsecadm/xf_flow.c +++ /dev/null 
@@ -1,157 +0,0 @@ -/* $OpenBSD: xf_flow.c,v 1.2 1998/11/24 14:41:58 niklas Exp $ */ -/* - * The authors of this code are John Ioannidis (ji@tla.org), - * Angelos D. Keromytis (kermit@csd.uch.gr) and - * Niels Provos (provos@physnet.uni-hamburg.de). - * - * This code was written by John Ioannidis for BSD/OS in Athens, Greece, - * in November 1995. - * - * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis. - * - * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis - * and Niels Provos. - * - * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis - * and Niels Provos. - * - * Permission to use, copy, and modify this software without fee - * is hereby granted, provided that this entire notice is included in - * all copies of any software which is or includes a copy or - * modification of this software. - * You may use this code under the GNU public license if you so wish. Please - * contribute changes back to the authors under this freer than GPL license - * so that we may further the use of strong encryption without limitations to - * all. - * - * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY - * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE - * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR - * PURPOSE. 
- */ - - -#include <sys/param.h> -#include <sys/file.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <sys/mbuf.h> -#include <sys/sysctl.h> - -#include <net/if.h> -#include <net/route.h> -#include <net/if_dl.h> -#include <netinet/in.h> -#include <netns/ns.h> -#include <netiso/iso.h> -#include <netccitt/x25.h> -#include <arpa/inet.h> -#include <netdb.h> - -#include <errno.h> -#include <unistd.h> -#include <stdio.h> -#include <ctype.h> -#include <stdlib.h> -#include <string.h> -#include <paths.h> -#include "net/encap.h" - -#define ROUNDUP(a) \ - ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) - -extern char buf[]; - -int -xf_flow(struct in_addr dst, u_int32_t spi, int proto, - struct in_addr osrc, struct in_addr osmask, - struct in_addr odst, struct in_addr odmask, - int tproto, int sport, int dport, int delete, int local) -{ - struct sockaddr_encap *ddst, *msk, *gw; - struct rt_msghdr *rtm; - int sd, off, error = 0; - - sd = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC); - if (sd < 0) { - perror("socket"); - return 0; - } - - rtm = (struct rt_msghdr *)(&buf[0]); - off = sizeof(*rtm); - ddst = (struct sockaddr_encap *) (&buf[off]); - off = ROUNDUP(off + SENT_IP4_LEN); - if (!delete) { - gw = (struct sockaddr_encap *) (&buf[off]); - off = ROUNDUP(off + SENT_IPSP_LEN); - } - msk = (struct sockaddr_encap *) (&buf[off]); - bzero(buf, off + SENT_IP4_LEN); - - rtm->rtm_version = RTM_VERSION; - rtm->rtm_type = delete ? RTM_DELETE : RTM_ADD; - rtm->rtm_index = 0; - rtm->rtm_pid = getpid(); - rtm->rtm_addrs = RTA_DST | (delete ? 0 : RTA_GATEWAY) | RTA_NETMASK; - rtm->rtm_errno = 0; - rtm->rtm_flags = RTF_UP | (delete ? 
0 : RTF_GATEWAY) | RTF_STATIC; - rtm->rtm_inits = 0; - - ddst->sen_len = SENT_IP4_LEN; - ddst->sen_family = AF_ENCAP; - ddst->sen_type = SENT_IP4; - ddst->sen_ip_src.s_addr = osrc.s_addr & osmask.s_addr; - ddst->sen_ip_dst.s_addr = odst.s_addr & odmask.s_addr; - ddst->sen_proto = ddst->sen_sport = ddst->sen_dport = 0; - - if (tproto > 0) { - ddst->sen_proto = tproto; - msk->sen_proto = 0xff; - - if (sport > 0) { - ddst->sen_sport = sport; - msk->sen_sport = 0xffff; - } - - if (dport > 0) { - ddst->sen_dport = dport; - msk->sen_dport = 0xffff; - } - } - - if (!delete) { - gw->sen_len = SENT_IPSP_LEN; - gw->sen_family = AF_ENCAP; - gw->sen_type = SENT_IPSP; - gw->sen_ipsp_dst.s_addr = dst.s_addr; - gw->sen_ipsp_spi = spi; - gw->sen_ipsp_sproto = proto; - } - - msk->sen_len = SENT_IP4_LEN; - msk->sen_family = AF_ENCAP; - msk->sen_type = SENT_IP4; - msk->sen_ip_src.s_addr = osmask.s_addr; - msk->sen_ip_dst.s_addr = odmask.s_addr; - - rtm->rtm_msglen = off + msk->sen_len; - - if (write(sd, (caddr_t) buf, rtm->rtm_msglen) == -1) { - perror("write"); - error = 1; - } - - /* Additionally create/delete a flow for local packets */ - if (local) { - ddst->sen_ip_src.s_addr = INADDR_ANY; - msk->sen_ip_src.s_addr = INADDR_BROADCAST; - if (write(sd, (caddr_t) buf, rtm->rtm_msglen) == -1) { - perror("write"); - error = 1; - } - } - return (error ? 0 : 1); -} diff --git a/sbin/ipsecadm/xf_grp.c b/sbin/ipsecadm/xf_grp.c deleted file mode 100644 index 25e997a5003..00000000000 --- a/sbin/ipsecadm/xf_grp.c +++ /dev/null 
@@ -1,94 +0,0 @@
-/* $OpenBSD: xf_grp.c,v 1.1 1998/11/14 23:37:21 deraadt Exp $ */
-/*
- * The authors of this code are John Ioannidis (ji@tla.org),
- * Angelos D. Keromytis (kermit@csd.uch.gr) and
- * Niels Provos (provos@physnet.uni-hamburg.de).
- *
- * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
- * in November 1995.
- *
- * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis.
- *
- * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
- * and Niels Provos.
- *
- * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
- * and Niels Provos.
- *
- * Permission to use, copy, and modify this software without fee
- * is hereby granted, provided that this entire notice is included in
- * all copies of any software which is or includes a copy or
- * modification of this software.
- * You may use this code under the GNU public license if you so wish. Please
- * contribute changes back to the authors under this freer than GPL license
- * so that we may further the use of strong encryption without limitations to
- * all.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
- * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
- * PURPOSE.
- */
-
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/mbuf.h>
-#include <sys/sysctl.h>
-
-#include <net/if.h>
-#include <net/route.h>
-#include <net/if_dl.h>
-#include <netinet/in.h>
-#include <netns/ns.h>
-#include <netiso/iso.h>
-#include <netccitt/x25.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-
-#include <errno.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-#include <paths.h>
-#include "net/encap.h"
-#include "netinet/ip_ipsp.h"
-
-extern char buf[];
-
-int xf_set __P(( struct encap_msghdr *));
-int x2i __P((char *));
-
-int
-xf_grp(dst, spi, proto, dst2, spi2, proto2)
-struct in_addr dst, dst2;
-u_int32_t spi, spi2;
-int proto, proto2;
-{
- struct encap_msghdr *em;
-
- bzero(buf, EMT_GRPSPIS_FLEN);
-
- em = (struct encap_msghdr *)&buf[0];
-
- em->em_msglen = EMT_GRPSPIS_FLEN;
- em->em_version = PFENCAP_VERSION_1;
- em->em_type = EMT_GRPSPIS;
-
- em->em_rel_spi = spi;
- em->em_rel_dst = dst;
- em->em_rel_sproto = proto;
-
- em->em_rel_spi2 = spi2;
- em->em_rel_dst2 = dst2;
- em->em_rel_sproto2 = proto2;
-
- return xf_set(em);
-}
-
-
diff --git a/sbin/ipsecadm/xf_ip4.c b/sbin/ipsecadm/xf_ip4.c
deleted file mode 100644
index 8a2d073a76f..00000000000
--- a/sbin/ipsecadm/xf_ip4.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/* $OpenBSD: xf_ip4.c,v 1.1 1998/11/14 23:37:21 deraadt Exp $ */
-/*
- * The authors of this code are John Ioannidis (ji@tla.org),
- * Angelos D. Keromytis (kermit@csd.uch.gr) and
- * Niels Provos (provos@physnet.uni-hamburg.de).
- *
- * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
- * in November 1995.
- *
- * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis.
- *
- * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
- * and Niels Provos.
- *
- * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
- * and Niels Provos.
- *
- * Permission to use, copy, and modify this software without fee
- * is hereby granted, provided that this entire notice is included in
- * all copies of any software which is or includes a copy or
- * modification of this software.
- * You may use this code under the GNU public license if you so wish. Please
- * contribute changes back to the authors under this freer than GPL license
- * so that we may further the use of strong encryption without limitations to
- * all.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
- * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
- * PURPOSE.
- */
-
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/mbuf.h>
-#include <sys/sysctl.h>
-
-#include <net/if.h>
-#include <net/route.h>
-#include <net/if_dl.h>
-#include <netinet/in.h>
-#include <netns/ns.h>
-#include <netiso/iso.h>
-#include <netccitt/x25.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-
-#include <errno.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-#include <paths.h>
-#include "net/encap.h"
-#include "netinet/ip_ipsp.h"
-
-extern char buf[];
-
-int xf_set __P(( struct encap_msghdr *));
-int x2i __P((char *));
-
-int
-xf_ip4(src, dst, spi, osrc, odst)
-struct in_addr src, dst;
-u_int32_t spi;
-struct in_addr osrc, odst;
-{
- struct encap_msghdr *em;
-
- em = (struct encap_msghdr *)&buf[0];
-
- em->em_msglen = EMT_SETSPI_FLEN + 1;
-
- em->em_version = PFENCAP_VERSION_1;
- em->em_type = EMT_SETSPI;
- em->em_sproto = IPPROTO_IPIP;
- em->em_spi = spi;
- em->em_src = src;
- em->em_dst = dst;
- em->em_osrc = osrc;
- em->em_odst = odst;
- em->em_alg = XF_IP4;
-
- return xf_set(em);
-}
-
-
|