authorderaadt <deraadt@openbsd.org>2006-05-26 04:02:58 +0000
committerderaadt <deraadt@openbsd.org>2006-05-26 04:02:58 +0000
commit937c2fea0bb779828249255f728ec074e7625ffb (patch)
treecc0ee65a06cf2b091ae0e957caceb0114b6bf3cb
parentprettier printing (diff)
let us not talk about ipsecadm and vpn anymore; ok reyk
-rw-r--r--lib/libc/gen/sysctl.36
-rw-r--r--regress/sbin/Makefile4
-rw-r--r--regress/sbin/ipsecadm/Makefile50
-rw-r--r--sbin/Makefile4
-rw-r--r--sbin/brconfig/brconfig.88
-rw-r--r--sbin/ipsecadm/Makefile7
-rw-r--r--sbin/ipsecadm/ipsecadm.8788
-rw-r--r--sbin/ipsecadm/ipsecadm.c1581
-rw-r--r--sbin/ipsecadm/pfkdump.c673
-rw-r--r--sbin/isakmpd/isakmpd.86
-rw-r--r--sbin/isakmpd/isakmpd.conf.56
-rw-r--r--share/Makefile4
-rw-r--r--share/ipsec/Makefile12
-rw-r--r--share/ipsec/rc.vpn104
-rw-r--r--share/man/man4/bridge.46
-rw-r--r--share/man/man4/enc.49
-rw-r--r--share/man/man4/ipcomp.48
-rw-r--r--share/man/man4/ipsec.420
-rw-r--r--share/man/man4/tcp.45
-rw-r--r--share/man/man5/hostname.if.54
-rw-r--r--share/man/man8/Makefile4
-rw-r--r--share/man/man8/vpn.8734
-rw-r--r--usr.bin/spell/special.4bsd1
-rw-r--r--usr.sbin/bgpd/bgpd.conf.54
-rw-r--r--usr.sbin/sasyncd/sasyncd.conf.58
25 files changed, 46 insertions, 4010 deletions
diff --git a/lib/libc/gen/sysctl.3 b/lib/libc/gen/sysctl.3
index e8641a8e775..b920d09b059 100644
--- a/lib/libc/gen/sysctl.3
+++ b/lib/libc/gen/sysctl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sysctl.3,v 1.151 2006/05/17 08:34:42 gwk Exp $
+.\" $OpenBSD: sysctl.3,v 1.152 2006/05/26 04:02:59 deraadt Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -1274,7 +1274,7 @@ and
Note that lzs is only available with
.Xr hifn 4 .
See
-.Xr ipsecadm 8
+.Xr ipsecctl 8
for more information.
.It Li ip.ipsec-enc-alg
This is the default encryption algorithm the kernel will instruct key
@@ -1412,7 +1412,7 @@ This value applies to normal transport protocols, not to
.It Li ipcomp.enable
Enable the IPComp protocol.
See
-.Xr ipsecadm 8
+.Xr ipsecctl 8
for more information.
.It Li ipip.allow
If set to 0, incoming IP-in-IP packets will not be processed.
diff --git a/regress/sbin/Makefile b/regress/sbin/Makefile
index 3b7227e7e44..c299f503487 100644
--- a/regress/sbin/Makefile
+++ b/regress/sbin/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.5 2005/08/08 14:52:41 hshoexer Exp $
+# $OpenBSD: Makefile,v 1.6 2006/05/26 04:02:59 deraadt Exp $
-SUBDIR+= ipsecadm ipsecctl pfctl route
+SUBDIR+= ipsecctl pfctl route
install:
diff --git a/regress/sbin/ipsecadm/Makefile b/regress/sbin/ipsecadm/Makefile
deleted file mode 100644
index 7a48ef1a96c..00000000000
--- a/regress/sbin/ipsecadm/Makefile
+++ /dev/null
@@ -1,50 +0,0 @@
-# $OpenBSD: Makefile,v 1.3 2004/12/29 04:39:17 david Exp $
-
-SRC=192.0.2.0
-DST=192.0.2.1
-SPI=1000
-EK=eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
-AK=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
-
-IPCOMP_ENABLE!= sysctl -n net.inet.ipcomp.enable
-ESP_ENABLE!= sysctl -n net.inet.esp.enable
-AH_ENABLE!= sysctl -n net.inet.ah.enable
-
-.ifmake !obj && !clean && !cleandir && !depend && !regress
-.INTERRUPT:
- -@${SUDO} sysctl -q net.inet.ipcomp.enable=${IPCOMP_ENABLE}
- -@${SUDO} sysctl -q net.inet.esp.enable=${ESP_ENABLE}
- -@${SUDO} sysctl -q net.inet.ah.enable=${AH_ENABLE}
-
-.END:
- -@${SUDO} sysctl -q net.inet.ipcomp.enable=${IPCOMP_ENABLE}
- -@${SUDO} sysctl -q net.inet.esp.enable=${ESP_ENABLE}
- -@${SUDO} sysctl -q net.inet.ah.enable=${AH_ENABLE}
-.endif
-
-ipcomp:
- @${SUDO} sysctl -q net.inet.ipcomp.enable=1
- ${SUDO} ipsecadm ipcomp -cpi ${SPI} -dst ${DST} -comp deflate
- ${SUDO} ipsecadm delspi -spi ${SPI} -dst ${DST} -proto ipcomp
-
-tcpmd5:
- ${SUDO} ipsecadm tcpmd5 -spi ${SPI} -src ${SRC} -dst ${DST} -key deadbeef
- ${SUDO} ipsecadm delspi -spi ${SPI} -dst ${DST} -proto tcpmd5
-
-esp:
- @${SUDO} sysctl -q net.inet.esp.enable=1
- ${SUDO} ipsecadm new esp -spi ${SPI} -src ${SRC} -dst ${DST} \
- -enc aes -key ${EK} -auth sha1 -authkey ${AK}
- ${SUDO} ipsecadm delspi -spi ${SPI} -dst ${DST} -proto esp
-
-ah:
- @${SUDO} sysctl -q net.inet.ah.enable=1
- ${SUDO} ipsecadm new ah -spi ${SPI} -src ${SRC} -dst ${DST} \
- -key ${AK} -auth sha1
- ${SUDO} ipsecadm delspi -spi ${SPI} -dst ${DST} -proto ah
-
-REGRESS_TARGETS=ipcomp tcpmd5 esp ah
-REGRESS_ROOT_TARGETS=${REGRESS_TARGETS}
-.PHONY: ${REGRESS_TARGETS}
-
-.include <bsd.regress.mk>
diff --git a/sbin/Makefile b/sbin/Makefile
index efea15cc815..8c8d1c88312 100644
--- a/sbin/Makefile
+++ b/sbin/Makefile
@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.77 2006/01/09 21:26:46 jsg Exp $
+# $OpenBSD: Makefile,v 1.78 2006/05/26 04:02:58 deraadt Exp $
# Not ported: XNSrouted enpload scsiformat startslip
# Missing: icheck
SUBDIR= atactl badsect bioctl brconfig ccdconfig disklabel dmesg dhclient \
- fsck growfs ifconfig init iopctl ipsecadm ipsecctl isakmpd kbd \
+ fsck growfs ifconfig init iopctl ipsecctl isakmpd kbd \
lmccontrol mknod modload modunload mount mountd ncheck_ffs nfsd \
nologin pfctl pflogd ping quotacheck raidctl reboot route routed \
savecore scan_ffs scsi shutdown slattach swapctl sysctl \
diff --git a/sbin/brconfig/brconfig.8 b/sbin/brconfig/brconfig.8
index b9629f74da9..9fde45312a1 100644
--- a/sbin/brconfig/brconfig.8
+++ b/sbin/brconfig/brconfig.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: brconfig.8,v 1.53 2005/09/27 21:31:40 jmc Exp $
+.\" $OpenBSD: brconfig.8,v 1.54 2006/05/26 04:02:59 deraadt Exp $
.\"
.\" Copyright (c) 1999-2001 Jason L. Wright (jason@thought.net)
.\" All rights reserved.
@@ -187,7 +187,7 @@ Setting this flag causes all packets to be passed on to
.Xr ipsec 4
for processing, based on the policies established by the administrator
using the
-.Xr ipsecadm 8
+.Xr ipsecctl 8
command.
If appropriate security associations (SAs) exist, they will be used to
encrypt or decrypt the packets.
@@ -359,7 +359,7 @@ between the two bridges.
To only protect the bridge traffic between
the two bridges, the transport protocol 97 (etherip) selector may be
used in
-.Xr ipsecadm 8
+.Xr ipsecctl 8
or
.Xr isakmpd 8 .
Otherwise, the Ethernet frames will be sent in the clear between the
@@ -457,7 +457,7 @@ commands are used to add and delete span ports to and from a bridge.
.Xr bridgename.if 5 ,
.Xr pf.conf 5 ,
.Xr ifconfig 8 ,
-.Xr ipsecadm 8 ,
+.Xr ipsecctl 8 ,
.Xr isakmpd 8
.Sh HISTORY
The
diff --git a/sbin/ipsecadm/Makefile b/sbin/ipsecadm/Makefile
deleted file mode 100644
index 5b0782d8d8e..00000000000
--- a/sbin/ipsecadm/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-# $OpenBSD: Makefile,v 1.6 2004/01/27 22:46:55 itojun Exp $
-
-PROG= ipsecadm
-MAN= ipsecadm.8
-SRCS= ipsecadm.c pfkdump.c
-
-.include <bsd.prog.mk>
diff --git a/sbin/ipsecadm/ipsecadm.8 b/sbin/ipsecadm/ipsecadm.8
deleted file mode 100644
index 7af01ae9c82..00000000000
--- a/sbin/ipsecadm/ipsecadm.8
+++ /dev/null
@@ -1,788 +0,0 @@
-.\" $OpenBSD: ipsecadm.8,v 1.70 2005/09/27 12:22:03 markus Exp $
-.\"
-.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\" must display the following acknowledgement:
-.\" This product includes software developed by Niels Provos.
-.\" 4. The name of the author may not be used to endorse or promote products
-.\" derived from this software without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" Manual page, using -mandoc macros
-.\"
-.Dd August 26, 1997
-.Dt IPSECADM 8
-.Os
-.Sh NAME
-.Nm ipsecadm
-.Nd interface to set up IPsec
-.Sh SYNOPSIS
-.Nm ipsecadm
-.Ar command Op Ar modifier ...
-.Sh NOTE
-To use
-.Nm ,
-.Xr ipsec 4
-must be enabled by having one or more of the following
-.Xr sysctl 3
-variables set:
-.Pp
-.Bl -tag -offset 4n -width net.inet.ipcomp.enable -compact
-.It Va net.inet.esp.enable
-Enable the ESP IPsec protocol
-.It Va net.inet.ah.enable
-Enable the AH IPsec protocol
-.It Va net.inet.ipcomp.enable
-Enable the IPComp protocol
-.El
-.Pp
-Both the ESP and AH protocols are enabled by default.
-To keep local modifications of these variables across reboots, see
-.Xr sysctl.conf 5 .
-.Sh DESCRIPTION
-The
-.Nm
-utility sets up security associations in the kernel
-to be used with
-.Xr ipsec 4 .
-It can be used to specify the encryption and authentication
-algorithms and key material for the network layer security
-provided by IPsec.
-The possible commands are:
-.Bl -tag -width new_esp
-.It Cm new esp
-Set up a Security Association (SA) which uses the new ESP transforms
-(RFC 2406).
-An SA consists of the destination address,
-a Security Parameter Index (SPI) and a security protocol.
-Encryption and authentication algorithms can be applied.
-This is the default mode.
-Allowed
-modifiers are:
-.Fl dst ,
-.Fl src ,
-.Fl proxy ,
-.Fl spi ,
-.Fl enc ,
-.Fl srcid_type ,
-.Fl srcid ,
-.Fl dstid_type ,
-.Fl dstid ,
-.Fl auth ,
-.Fl authkey ,
-.Fl authkeyfile ,
-.Fl forcetunnel ,
-.Fl udpencap ,
-.Fl key ,
-and
-.Fl keyfile .
-.It Cm old esp
-Set up an SA which uses the old ESP transforms (RFC 1827).
-Only encryption algorithms can be applied.
-Allowed modifiers are:
-.Fl dst ,
-.Fl src ,
-.Fl proxy ,
-.Fl spi ,
-.Fl enc ,
-.Fl srcid_type ,
-.Fl srcid ,
-.Fl dstid_type ,
-.Fl dstid ,
-.Fl halfiv ,
-.Fl forcetunnel ,
-.Fl key ,
-and
-.Fl keyfile .
-.It Cm new ah
-Set up an SA which uses the new AH transforms (RFC 2402).
-Authentication will be done with Hashed Message Authentication Code
-(HMAC) using the specified hash algorithm.
-Allowed modifiers are:
-.Fl dst ,
-.Fl src ,
-.Fl proxy ,
-.Fl spi ,
-.Fl srcid_type ,
-.Fl srcid ,
-.Fl dstid_type ,
-.Fl dstid ,
-.Fl forcetunnel ,
-.Fl auth ,
-.Fl key ,
-and
-.Fl keyfile .
-.It Cm old ah
-Set up an SA which uses the old AH transforms (RFC 1826).
-Simple keyed hashes will be used for authentication.
-Allowed modifiers are:
-.Fl dst ,
-.Fl src ,
-.Fl proxy ,
-.Fl spi ,
-.Fl srcid_type ,
-.Fl srcid ,
-.Fl dstid_type ,
-.Fl dstid ,
-.Fl forcetunnel ,
-.Fl auth ,
-.Fl key ,
-and
-.Fl keyfile .
-.It Cm group
-Group two SAs together, such that whenever the first one is applied, the
-second one will be applied as well (SA bundle).
-Arbitrarily long SA bundles can thus be created.
-Note that the last SA in the bundle is the one that is applied last.
-Thus, if an ESP and an AH SA are bundled together (in that order), then
-the resulting packet will have an AH header, followed by an ESP header,
-followed by the encrypted payload.
-Allowed modifiers are:
-.Fl dst ,
-.Fl spi ,
-.Fl proto ,
-.Fl dst2 ,
-.Fl spi2 ,
-and
-.Fl proto2 .
-.It Cm ip4
-Set up an SA which uses the IP-in-IP encapsulation protocol.
-This mode
-offers no security services by itself but can be used to route other
-(experimental or otherwise) protocols over an IP network.
-The SPI value
-is not used for anything other than referencing the information and
-does not appear on the wire.
-Unlike other setups, like new ESP, there
-is no necessary setup in the receiving side.
-Allowed modifiers are:
-.Fl dst ,
-.Fl src ,
-and
-.Fl spi .
-.It Cm delspi
-Delete the specified SA.
-Allowed modifiers are:
-.Fl dst ,
-.Fl spi ,
-and
-.Fl proto .
-.It Cm flow
-Create a flow determining what security parameters a packet should
-have (input or output).
-Allowed modifiers are:
-.Fl src ,
-.Fl dst ,
-.Fl proto ,
-.Fl addr ,
-.Fl transport ,
-.Fl sport ,
-.Fl dport ,
-.Fl delete ,
-.Fl in ,
-.Fl out ,
-.Fl srcid ,
-.Fl dstid ,
-.Fl srcid_type ,
-.Fl dstid_type ,
-.Fl acquire ,
-.Fl require ,
-.Fl dontacq ,
-.Fl use ,
-.Fl bypass ,
-.Fl permit
-and
-.Fl deny .
-.Pp
-The
-.Xr netstat 1
-command shows all specified flows.
-.Pp
-Flows are directional, and the
-.Fl in
-and
-.Fl out
-modifiers are used to specify the direction.
-By default, flows are assumed to apply to outgoing packets.
-The kernel will attempt to find an appropriate
-Security Association from those already present (an SA that matches
-the destination address, if set, and the security protocol).
-If the destination address is set to all zeroes (0.0.0.0) or left
-unspecified, the destination address from the packet will be used
-to locate an SA (the source address is used for incoming flows).
-For incoming flows, the destination address (if specified) should
-point to the expected source of the SA (the remote SA peer).
-.Pp
-If no such SA exists, key management daemons will be used to generate
-them if
-.Fl acquire
-or
-.Fl require
-were used.
-If
-.Fl acquire
-was used, traffic will be allowed out (or in) and IPsec will be used
-when the relevant SAs have been established.
-If
-.Fl require
-was used, traffic will not be allowed in or out until it is protected
-by IPsec.
-If
-.Fl dontacq
-was used, traffic will not be allowed in or out until it is protected
-by IPsec, but key management will not be asked to provide such an SA.
-The
-.Fl proto
-argument (by default set to
-.Cm esp )
-can be used to determine what type of SA should be established.
-.Pp
-A
-.Em bypass
-or
-.Em permit
-flow (created with
-.Fl bypass
-or
-.Fl permit )
-is used to specify a flow for which IPsec processing will be
-bypassed, i.e., packets will/need not be processed by any SAs.
-For bypass or permit
-flows, additional modifiers are restricted to:
-.Fl addr ,
-.Fl transport ,
-.Fl sport ,
-.Fl dport ,
-.Fl in ,
-.Fl out ,
-and
-.Fl delete .
-A
-.Em deny
-flow is used to specify classes of packets that must be dropped
-(either on output or input) without further processing.
-.Fl deny
-takes the same additional modifiers as
-.Fl bypass .
-.It Cm flush
-Flush SAs from kernel.
-This includes flushing any flows and
-routing entries associated with the SAs.
-Allowed modifiers are:
-.Fl ah ,
-.Fl esp ,
-.Fl oldah ,
-.Fl oldesp ,
-.Fl ip4 ,
-.Fl ipcomp ,
-and
-.Fl tcpmd5 .
-Default action is to flush all types of security associations
-from the kernel.
-.It Cm show
-Show SAs from kernel.
-Allowed modifiers are:
-.Fl ah ,
-.Fl esp ,
-.Fl oldah ,
-.Fl oldesp ,
-.Fl ip4 ,
-.Fl ipcomp ,
-and
-.Fl tcpmd5 .
-Default action is to show all types of security associations
-from the kernel.
-.It Cm monitor
-Continuously display all
-.Dv PF_KEY
-messages exchanged with
-the kernel.
-.It Cm ipcomp
-Set up an IP Compression Association (IPCA) which will use the IPComp
-transforms.
-Just like an SA, an IPCA consists of the destination
-address, a Compression Parameter Index (CPI) and a protocol (which is
-fixed to IPComp).
-Compression algorithms are applied.
-Allowed modifiers are:
-.Fl dst ,
-.Fl src ,
-.Fl cpi ,
-.Fl comp ,
-and
-.Fl forcetunnel .
-To create an IPsec SA using compression, an IPCA and an SA must first
-be created.
-After this, an IPCA/SA bundle must be created using the
-.Cm group
-command.
-The IPCA must be applied first.
-See
-.Xr ipcomp 4
-for further information on the IPComp protocol.
-.It Cm tcpmd5
-Set up a key for use by the RFC 2385 TCP MD5 option.
-Allowed modifiers are:
-.Fl dst ,
-.Fl src ,
-.Fl spi ,
-.Fl key ,
-and
-.Fl keyfile .
-.El
-.Pp
-If no command is given,
-.Nm
-defaults to new ESP mode.
-.Pp
-The modifiers have the following meanings:
-.Bl -tag -width 7n
-.It Fl src Ar address
-The source IP address for the SA.
-This is necessary for incoming
-SAs to avoid source address spoofing between mutually
-suspicious hosts that have established SAs with us.
-For outgoing SAs,
-this field is used to fill in the source address when doing tunneling.
-.It Fl dst Ar address
-The destination IP address for the SA.
-.It Fl dst2 Ar address
-The second IP address used by
-.Cm group .
-.It Fl proxy Ar address
-This IP address, if provided, is checked against the inner IP address when
-doing tunneling to a firewall, to prevent source spoofing attacks.
-It is
-strongly recommended that this option is provided when applicable.
-It is
-applicable in a scenario when host A is using IPsec to communicate with
-firewall B, and through that to host C.
-In that case, the proxy address for
-the incoming SA should be C.
-This option is not necessary for outgoing SAs.
-.It Fl spi Ar index
-The Security Parameter Index (SPI), given as a hexadecimal number.
-.It Fl spi2 Ar index
-The second SPI used by
-.Cm group .
-.It Fl cpi Ar index
-The Compression Parameter Index (CPI), given as a 16-bit hexadecimal number.
-.It Fl tunnel
-.Sy This modifier has been deprecated.
-The arguments are ignored, and it otherwise has the same effect as the
-.Fl forcetunnel
-option.
-.It Fl newpadding
-.Sy This modifier has been deprecated.
-.It Fl forcetunnel
-Force IP-inside-IP encapsulation before ESP or AH processing is performed for
-outgoing packets.
-The source/destination addresses of the outgoing IP packet
-will be those provided in the
-.Fl src
-and
-.Fl dst
-options.
-Notice that the IPsec stack will perform IP-inside-IP encapsulation
-when deemed necessary, even if this flag has not been set.
-.It Fl udpencap Ar port
-Enable ESP-inside-UDP encapsulation.
-The UDP destination port must be specified on the command line.
-This port will be used for sending encapsulated UDP packets.
-.It Fl enc Ar algorithm
-The encryption algorithm to be used with the SA.
-Possible values are:
-.Bl -tag -width skipjack
-.It Cm des
-This is available for both old and new ESP.
-Notice that hardware crackers for DES can be (and have been) built for
-US$250,000 (in 1998).
-Use DES for encryption of critical information at your own risk.
-Use of 3DES or AES is recommended instead.
-DES support is kept for interoperability
-(with old implementations) purposes only.
-See
-.Xr des_cipher 3 .
-.It Cm 3des
-This is available for both old and new ESP.
-It is considered more secure than straight DES, since it uses larger
-keys.
-.It Cm aes
-AES/Rijndael CBC encryption is available only in new ESP.
-.It Cm aesctr
-AES/Rijndael CTR (RFC 3686) encryption is available only in new ESP.
-.It Cm blf
-Blowfish encryption is available only in new ESP.
-See
-.Xr blf_key 3 .
-.It Cm cast
-CAST encryption is available only in new ESP.
-.It Cm skipjack
-SKIPJACK encryption is available only in new ESP.
-This algorithm was designed by the NSA and is faster than 3DES.
-However, since it was designed by the NSA,
-it is a poor choice.
-.It Cm null
-The NULL encryption algorithm is available for new ESP.
-It should be used in combination with an authentication algorithm
-to provide authentication and integrity without confidentiality.
-.El
-.Pp
-.It Fl auth Ar algorithm
-The authentication algorithm to be used with the SA.
-Possible values are:
-.Cm md5
-and
-.Cm sha1
-for both old and new AH and also new ESP.
-.Cm rmd160 ,
-.Cm sha2-256 ,
-.Cm sha2-384 ,
-and
-.Cm sha2-512
-are also available
-for both new AH and ESP.
-.It Fl comp Ar algorithm
-The compression algorithm to be used with the IPCA.
-Possible values are:
-.Cm deflate
-and
-.Cm lzs .
-Note that
-.Cm lzs
-is only available with
-.Xr hifn 4
-because of the patent held by Hifn, Inc.
-.It Fl key Ar key
-The secret symmetric key used for encryption and authentication.
-The sizes for
-.Cm des
-and
-.Cm 3des
-are fixed to 8 and 24 bytes, respectively.
-For other ciphers like
-.Cm cast ,
-.Cm aes ,
-or
-.Cm blf ,
-the key length can vary, depending on the algorithm.
-The
-.Ar key
-should be given in hexadecimal digits.
-The
-.Ar key
-should be chosen at random (ideally, using some true-random source like
-coin flipping).
-It is very important that the key is not guessable.
-One practical way of generating 160-bit (20-byte) keys is as follows:
-.Bd -literal -offset indent
-$ openssl rand 20 | hexdump -e '20/1 "%02x"'
-.Ed
-.It Fl keyfile Ar file
-Read the key from a file.
-May be used instead of the
-.Fl key
-flag, and has the same syntax considerations.
-.It Fl authkey Ar key
-The secret key material used for authentication
-if additional authentication in new ESP mode is required.
-For old or new AH, the key material for authentication is passed with the
-.Fl key
-option.
-The
-.Ar key
-should be given in hexadecimal digits.
-The
-.Ar key
-should be chosen at random (ideally, using some true-random source like
-coin flipping).
-It is very important that the key is not guessable.
-One practical way of generating 160-bit (20-byte) keys is as follows:
-.Bd -literal -offset indent
-$ openssl rand 20 | hexdump -e '20/1 "%02x"'
-.Ed
-.It Fl authkeyfile Ar file
-Read the additional authentication key from a file.
-May be used instead of the
-.Fl authkey
-flag, and has the same syntax considerations.
-.It Fl iv
-.Sy This modifier has been deprecated.
-The argument is ignored.
-When applicable, it has the same behaviour as the
-.Fl halfiv
-option.
-.It Fl halfiv
-This option causes use of a 4-byte initialization vector (IV) in old ESP
-(as opposed to 8 bytes).
-It may only be used with old ESP.
-.It Fl proto Ar protocol
-The security protocol needed by
-.Cm delspi
-or
-.Cm flow ,
-to uniquely specify the SA.
-The default value is 50 which means
-.Dv IPPROTO_ESP .
-Other accepted values are 51
-.Dv ( IPPROTO_AH )
-and 4
-.Dv ( IPPROTO_IP ) .
-One can also specify the symbolic names
-.Dq esp ,
-.Dq ah ,
-and
-.Dq ip4 ,
-case insensitive.
-.It Fl proto2 Ar protocol
-The second security protocol used by
-.Cm group .
-It defaults to
-.Dv IPPROTO_AH ,
-otherwise takes the same values as
-.Fl proto .
-.It Fl addr Ar srcnet mask dstnet mask
-.It Xo
-.Fl addr
-.Ar srcnet Ns / Ns Ar prefixlen
-.Ar dstnet Ns / Ns Ar prefixlen
-.Xc
-The first form is the source address, source network mask, destination
-address, and destination network mask.
-The second form is the source and destination addresses and netmasks
-in CIDR notation.
-Either form can be specified against which packets need to match
-in order to use the specified Security Association.
-All addresses must be of the same address family
-(IPv4 or IPv6).
-.It Fl transport Ar protocol
-The protocol number which packets need to match to use the specified
-Security Association.
-By default, the protocol number is not used for matching.
-Instead of a number, a valid protocol name that appears in
-.Xr protocols 5
-can be used.
-.It Fl sport Ar port
-The source port which packets have to match for the flow.
-By default, the source port is not used for matching.
-Instead of a number, a valid service name that appears in
-.Xr services 5
-can be used.
-.It Fl dport Ar port
-The destination port which packets have to match for the flow.
-By default, the destination port is not used for matching.
-Instead of a number, a valid service name that appears in
-.Xr services 5
-can be used.
-.It Fl srcid Ar id
-For
-.Cm flow ,
-used to specify what local identity key management
-should use when negotiating the SAs.
-If left unspecified, the source address of the flow is used
-(see the discussion on
-.Cm flow
-above, with regard to source address).
-.It Fl dstid Ar id
-For
-.Cm flow ,
-used to specify what the remote identity key management
-should expect.
-If left unspecified, the destination address of the flow is used
-(see the discussion on
-.Cm flow
-above, with regard to destination address).
-.It Fl srcid_type Ar type
-For
-.Cm flow ,
-used to specify the type of identity given by
-.Fl srcid .
-Valid values are
-.Cm prefix ,
-.Cm fqdn ,
-and
-.Cm ufqdn .
-.Pp
-The
-.Cm prefix
-type implies an IPv4 or IPv6 address followed by a forward slash
-character and a decimal number indicating the number of important bits
-in the address (equivalent to a netmask, in IPv4 terms).
-Key management then has to pick a local identity that falls within the
-address space indicated.
-.Pp
-The
-.Cm fqdn
-and
-.Cm ufqdn
-types are DNS-style host names and mailbox-format user
-addresses, respectively, and are especially useful for mobile user
-scenarios.
-Note that no validity checking on the identities is done.
-.It Fl dstid_type Ar type
-See
-.Fl srcid_type .
-.It Fl delete
-Instead of creating a flow, an existing flow is deleted.
-.It Fl bypass
-For
-.Cm flow ,
-create or delete a
-.Em bypass
-flow.
-Packets matching this flow will not be processed by IPsec.
-.It Fl permit
-Same as
-.Fl bypass .
-.It Fl deny
-For
-.Cm flow ,
-create or delete a
-.Em deny
-flow.
-Packets matching this flow will be dropped.
-.It Fl use
-For
-.Cm flow ,
-specify that packets matching this flow should try to use IPsec if
-possible.
-.It Fl acquire
-For
-.Cm flow ,
-specify that packets matching this flow should try to use IPsec and
-establish SAs dynamically if possible, but permit unencrypted
-traffic.
-.It Fl require
-For
-.Cm flow ,
-specify that packets matching this flow must use IPsec, and establish
-SAs dynamically as needed.
-If no SAs are established, traffic is not allowed through.
-.It Fl dontacq
-For
-.Cm flow ,
-specify that packets matching this flow must use IPsec.
-If such SAs are not present, simply drop the packets.
-Such a policy may be used to demand peers establish SAs before they
-can communicate, without going through the burden of
-initiating the SA ourselves (thus allowing for some denial of service
-attacks).
-This flow type is particularly suitable for security gateways.
-.It Fl in
-For
-.Cm flow ,
-specify that it should be used to match incoming packets only.
-.It Fl out
-For
-.Cm flow ,
-specify that it should be used to match outgoing packets only.
-.It Fl ah
-For
-.Cm flush ,
-only flush SAs of type AH.
-.It Fl esp
-For
-.Cm flush ,
-only flush SAs of type ESP.
-.It Fl oldah
-For
-.Cm flush ,
-only flush SAs of type old AH.
-.It Fl oldesp
-For
-.Cm flush ,
-only flush SAs of type old ESP.
-.It Fl ip4
-For
-.Cm flush ,
-only flush SAs of type IPv4.
-.It Fl ipcomp
-For
-.Cm flush ,
-only flush SAs of type IPComp.
-.It Fl tcpmd5
-For
-.Cm flush ,
-only flush SAs using the TCP MD5 option.
-.El
-.Sh EXAMPLES
-Set up an SA which uses new ESP with 3DES encryption and HMAC-SHA1
-authentication:
-.Bd -literal -offset 3n
-# ipsecadm new esp -enc 3des -auth sha1 -spi 100a \e
- -dst 169.20.12.2 -src 169.20.12.3 \e
- -key 638063806380638063806380638063806380638063806380 \e
- -authkey 1234123412341234123412341234123412341234
-.Ed
-.Pp
-Set up an SA for authentication with old AH only:
-.Bd -literal -offset 3n
-# ipsecadm old ah -auth md5 -spi 10f2 \e
- -dst 169.20.12.2 -src 169.20.12.3 \e
- -key 12341234deadbeef
-.Ed
-.Pp
-Set up a flow requiring use of AH:
-.Bd -literal -offset 3n
-# ipsecadm flow -dst 169.20.12.2 -proto ah \e
- -addr 10.1.1.0/24 10.0.0.0/24 -out -require
-.Ed
-.Pp
-Set up an inbound SA:
-.Bd -literal -offset 3n
-# ipsecadm new esp -enc blf -auth md5 -spi 1002 \e
- -dst 169.20.12.3 -src 169.20.12.2 \e
- -key abadbeef15deadbeefabadbeef15deadbeefabadbeef15deadbeef \e
- -authkey 12349876432167890192837465098273
-.Ed
-.Pp
-Set up an ingress flow for the inbound SA:
-.Bd -literal -offset 3n
-# ipsecadm flow -addr 10.0.0.0/8 10.1.1.0/24 \e
- -dst 169.20.12.2 -proto esp -in -require
-.Ed
-.Pp
-Set up a bypass flow:
-.Bd -literal -offset 3n
-# ipsecadm flow -bypass -out -addr 10.1.1.0/24 10.1.1.0/24
-.Ed
-.Pp
-Set up a key for the TCP MD5 option:
-.Bd -literal -offset 3n
-# ipsecadm tcpmd5 -src ::1 -dst ::1 -spi 0100 -key deadbeef
-.Ed
-.Pp
-Delete all ESP SAs and their flows and routing information:
-.Bd -literal -offset 3n
-# ipsecadm flush -esp
-.Ed
-.Sh SEE ALSO
-.Xr netstat 1 ,
-.Xr enc 4 ,
-.Xr ipcomp 4 ,
-.Xr ipsec 4 ,
-.Xr protocols 5 ,
-.Xr services 5 ,
-.Xr sysctl.conf 5 ,
-.Xr isakmpd 8 ,
-.Xr vpn 8
diff --git a/sbin/ipsecadm/ipsecadm.c b/sbin/ipsecadm/ipsecadm.c
deleted file mode 100644
index 7bacfe281e1..00000000000
--- a/sbin/ipsecadm/ipsecadm.c
+++ /dev/null
@@ -1,1581 +0,0 @@
-/* $OpenBSD: ipsecadm.c,v 1.86 2005/06/07 02:36:41 henning Exp $ */
-/*
- * The authors of this code are John Ioannidis (ji@tla.org),
- * Angelos D. Keromytis (kermit@csd.uch.gr) and
- * Niels Provos (provos@physnet.uni-hamburg.de).
- *
- * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
- * in November 1995.
- *
- * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis.
- *
- * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
- * and Niels Provos.
- *
- * Additional features in 1999 by Angelos D. Keromytis.
- *
- * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
- * Angelos D. Keromytis and Niels Provos.
- * Copyright (c) 2001, Angelos D. Keromytis.
- *
- * Permission to use, copy, and modify this software with or without fee
- * is hereby granted, provided that this entire notice is included in
- * all copies of any software which is or includes a copy or
- * modification of this software.
- * You may use this code under the GNU public license if you so wish. Please
- * contribute changes back to the authors under this freer than GPL license
- * so that we may further the use of strong encryption without limitations to
- * all.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
- * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
- * PURPOSE.
- */
-
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/mbuf.h>
-#include <sys/sysctl.h>
-#include <sys/uio.h>
-#include <sys/stat.h>
-
-#include <net/if.h>
-#include <net/route.h>
-#include <net/if_dl.h>
-#include <netinet/in.h>
-#include <net/pfkeyv2.h>
-#include <netinet/ip_ipsp.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <netdb.h>
-#include <errno.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-#include <paths.h>
-#include <err.h>
-
-#define KEYSIZE_LIMIT 1024
-
-#define ESP_OLD 0x0001
-#define ESP_NEW 0x0002
-#define AH_OLD 0x0004
-#define AH_NEW 0x0008
-
-#define XF_ENC 0x0100
-#define XF_AUTH 0x0200
-#define DEL_SPI 0x0300
-#define GRP_SPI 0x0400
-#define FLOW 0x0500
-#define FLUSH 0x0700
-#define XF_COMP 0x0900
-#define SHOW 0x0a00
-#define MONITOR 0x0b00
-
-/* pseudo commands */
-#define IPCOMP 0x1000
-#define TCPMD5 0x2000
-#define ENC_IP 0x4000
-
-#define CMD_MASK 0xff00
-#define XFORM_MASK 0x0f00
-
-#define isencauth(x) ((x)&~CMD_MASK)
-#define iscmd(x,y) (((x) & CMD_MASK) == (y))
-
-typedef struct {
- char *name;
- int id, flags;
-} transform;
-
-transform xf[] = {
- { "null", SADB_EALG_NULL, XF_ENC | ESP_NEW },
- { "des", SADB_EALG_DESCBC, XF_ENC | ESP_OLD | ESP_NEW },
- { "3des", SADB_EALG_3DESCBC, XF_ENC | ESP_OLD | ESP_NEW },
- { "aes", SADB_X_EALG_AES, XF_ENC | ESP_NEW },
- { "aesctr", SADB_X_EALG_AESCTR, XF_ENC | ESP_NEW },
- { "blf", SADB_X_EALG_BLF, XF_ENC | ESP_NEW },
- { "cast", SADB_X_EALG_CAST, XF_ENC | ESP_NEW },
- { "skipjack", SADB_X_EALG_SKIPJACK, XF_ENC | ESP_NEW },
- { "md5", SADB_AALG_MD5HMAC, XF_AUTH | AH_NEW | ESP_NEW },
- { "sha1", SADB_AALG_SHA1HMAC, XF_AUTH | AH_NEW | ESP_NEW },
- { "sha2-256", SADB_X_AALG_SHA2_256, XF_AUTH | AH_NEW | ESP_NEW },
- { "sha2-384", SADB_X_AALG_SHA2_384, XF_AUTH | AH_NEW | ESP_NEW },
- { "sha2-512", SADB_X_AALG_SHA2_512, XF_AUTH | AH_NEW | ESP_NEW },
- { "md5", SADB_X_AALG_MD5, XF_AUTH | AH_OLD },
- { "sha1", SADB_X_AALG_SHA1, XF_AUTH | AH_OLD },
- { "rmd160", SADB_X_AALG_RIPEMD160HMAC, XF_AUTH | AH_NEW | ESP_NEW },
- { "deflate", SADB_X_CALG_DEFLATE, XF_COMP | IPCOMP },
- { "lzs", SADB_X_CALG_LZS, XF_COMP | IPCOMP },
-};
-
-#define ROUNDUP(x) (((x) + sizeof(u_int64_t) - 1) & ~(sizeof(u_int64_t) - 1))
-
-void ipsecadm_monitor(void);
-void ipsecadm_show(u_int8_t);
-int addrparse(const char *, struct sockaddr *, struct sockaddr *);
-void xf_set(struct iovec *, int, int);
-int x2i(u_char *);
-int isvalid(char *, int, int);
-__dead void usage(void);
-
-/*
- * returns 0 if "str" represents an address, returns 1 if address/mask,
- * returns -1 on failure.
- */
-int
-addrparse(const char *str, struct sockaddr *addr, struct sockaddr *mask)
-{
- struct addrinfo hints, *res = NULL;
- char *p = NULL, *sp, *ep;
- u_long prefixlen = 0;
- u_char *ap;
- int bitlen;
-
- /* slash */
- if (mask && (p = strchr(str, '/')) != NULL) {
- if (!p[1])
- return -1;
- ep = NULL;
- prefixlen = strtoul(p + 1, &ep, 10);
- if (*ep)
- return -1;
-
- sp = strdup(str);
- if (!sp)
- return -1;
- sp[p - str] = '\0';
- str = sp;
- } else
- sp = NULL;
-
- memset(&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_DGRAM; /* dummy */
- hints.ai_flags = AI_NUMERICHOST;
- hints.ai_family = PF_UNSPEC;
- if (getaddrinfo(str, "0", &hints, &res) != 0)
- return -1;
- if (res->ai_next)
- goto fail;
-
- memcpy(addr, res->ai_addr, res->ai_addrlen);
-
- if (!p) {
- freeaddrinfo(res);
- if (sp)
- free(sp);
- return 0;
- }
- switch (res->ai_family) {
- case AF_INET:
- ap = (u_char *) & ((struct sockaddr_in *) mask)->sin_addr;
- bitlen = 32;
- break;
- case AF_INET6:
- ap = (u_char *) & ((struct sockaddr_in6 *) mask)->sin6_addr;
- bitlen = 128;
- break;
- default:
- goto fail;
- }
-
- if (prefixlen > bitlen)
- goto fail;
-
- memset(mask, 0, addr->sa_len);
- mask->sa_len = addr->sa_len;
- mask->sa_family = addr->sa_family;
- memset(ap, 0xff, prefixlen / 8);
- if (prefixlen % 8)
- ap[prefixlen / 8] = (0xff00 >> (prefixlen % 8)) & 0xff;
-
- if (res)
- freeaddrinfo(res);
- if (sp)
- free(sp);
- return 1;
-
-fail:
- if (res)
- freeaddrinfo(res);
- if (sp)
- free(sp);
- return -1;
-}
-
-void
-xf_set(struct iovec *iov, int cnt, int len)
-{
- struct sadb_msg sm;
- int sd;
-
- sd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
- if (sd < 0)
- errx(1, "socket: %s%s", strerror(errno),
- errno == EPROTONOSUPPORT ?
- "\nMake sure your kernel is compiled with option KEY" : "");
- if (writev(sd, iov, cnt) != len)
- err(1, "write");
- if (read(sd, &sm, sizeof(sm)) != sizeof(sm))
- err(1, "read");
- if (sm.sadb_msg_errno != 0) {
- /* XXX We need better error reporting than this */
- errno = sm.sadb_msg_errno;
- err(1, "pfkey");
- }
- close(sd);
-}
-
-int
-x2i(u_char *s)
-{
- char ss[3];
-
- ss[0] = s[0];
- ss[1] = s[1];
- ss[2] = 0;
-
- if (!isxdigit(s[0]) || !isxdigit(s[1]))
- errx(1, "keys should be specified in hex digits");
- return strtoul(ss, NULL, 16);
-}
-
-int
-isvalid(char *option, int type, int mode)
-{
- int i;
-
- for (i = sizeof(xf) / sizeof(transform) - 1; i >= 0; i--)
- if (!strcmp(option, xf[i].name) &&
- (xf[i].flags & XFORM_MASK) == type &&
- (xf[i].flags & mode)) {
- goto gotit;
- }
- return 0;
-gotit:
- if (!strcmp(option, "des") || !strcmp(option, "skipjack"))
- warnx("warning: use of %s is strongly discouraged due to"
- " cryptographic weaknesses", option);
- return xf[i].id;
-}
-
-void
-usage(void)
-{
- fprintf(stderr, "usage: ipsecadm command [modifier ...]\n"
- "\tCommands: new esp, old esp, new ah, old ah, group, delspi, ip4, ipcomp,\n"
- "\t\t tcpmd5, flow, flush, show, monitor\n"
- "\tPossible modifiers:\n"
- "\t -enc <alg>\t\t\tencryption algorithm\n"
- "\t -auth <alg>\t\t\tauthentication algorithm\n"
- "\t -comp <alg>\t\t\tcompression algorithm\n"
- "\t -src <ip>\t\t\tsource address to be used\n"
- "\t -halfiv\t\t\tuse 4-byte IV in old ESP\n"
- "\t -forcetunnel\t\t\tforce IP-in-IP encapsulation\n"
- "\t -udpencap <port>\t\tenable ESP-in-UDP encapsulation\n"
- "\t -dst <ip>\t\t\tdestination address to be used\n"
- "\t -proto <val>\t\t\tsecurity protocol\n"
- "\t -proxy <ip>\t\t\tproxy address to be used\n"
- "\t -spi <val>\t\t\tSPI to be used\n"
- "\t -cpi <val>\t\t\tCPI to be used\n"
- "\t -key <val>\t\t\tkey material to be used\n"
- "\t -keyfile <file>\t\tfile to read key material from\n"
- "\t -authkey <val>\t\tkey material for auth in new esp\n"
- "\t -authkeyfile <file>\t\tfile to read authkey material from\n"
- "\t -sport <port>\t\t\tsource port for flow\n"
- "\t -dport <port>\t\t\tdestination port for flow\n"
- "\t -transport <val>\t\tprotocol number for flow\n"
- "\t -addr <srcnet> <mask> <dstnet> <mask>\t\tsubnets for flow\n"
- "\t -addr <srcnet/prefix> <dstnet/prefix>\t\tsame as above but in CIDR\n"
- "\t -delete\t\t\tdelete specified flow\n"
- "\t -bypass\t\t\tpermit a flow through without IPsec\n"
- "\t -permit\t\t\tsame as bypass\n"
- "\t -deny\t\t\t\tcreate a deny-packets flow\n"
- "\t -use\t\t\t\tuse an SA for a flow if it exists\n"
- "\t -acquire\t\t\tsend unprotected while acquiring SA\n"
- "\t -require\t\t\trequire an SA for a flow, use key mgmt.\n"
- "\t -dontacq\t\t\trequire, without using key mgmt.\n"
- "\t -in\t\t\t\tspecify incoming-packet policy\n"
- "\t -out\t\t\t\tspecify outgoing-packet policy\n"
- "\t -[ah|esp|ip4|ipcomp|tcpmd5]\tflush a particular protocol\n"
- "\t -srcid <id>\t\t\tsource identity for flows\n"
- "\t -dstid <id>\t\t\tdestination identity for flows\n"
- "\t -srcid_type <type>\t\tsource identity type\n"
- "\t -dstid_type <type>\t\tdestination identity type\n"
- "\talso: dst2, spi2, proto2\n"
- );
- exit(1);
-}
-
-int
-main(int argc, char *argv[])
-{
- int auth = 0, enc = 0, klen = 0, alen = 0, mode = ESP_NEW, i = 0;
- int proto = IPPROTO_ESP, proto2 = IPPROTO_AH, sproto2 = SADB_SATYPE_AH;
- int dport = -1, sport = -1, tproto = -1;
- int srcset = 0, dstset = 0, dst2set = 0, proxyset = 0;
- int cnt = 0, bypass = 0, deny = 0, ipsec = 0, comp = 0;
- u_int32_t spi = SPI_LOCAL_USE, spi2 = SPI_LOCAL_USE;
- u_int32_t cpi = SPI_LOCAL_USE;
- union sockaddr_union *src, *dst, *dst2, *osrc, *odst, *osmask;
- union sockaddr_union *odmask, *proxy;
- u_char srcbuf[256], dstbuf[256], dst2buf[256], osrcbuf[256];
- u_char odstbuf[256], osmaskbuf[256], odmaskbuf[256], proxybuf[256];
- u_char *keyp = NULL, *authp = NULL;
- u_char *srcid = NULL, *dstid = NULL;
- struct protoent *tp;
- struct servent *svp;
- char *transportproto = NULL;
- struct sadb_msg smsg;
- struct sadb_sa sa, sa2;
- struct sadb_address sad1, sad2, sad3; /* src, dst, proxy */
- struct sadb_address sad4, sad5; /* osrc, odst */
- struct sadb_address sad6, sad7, sad8; /* osmask, odmask, dst2 */
- struct sadb_ident sid1, sid2;
- struct sadb_key skey1, skey2;
- struct sadb_protocol sprotocol, sprotocol2;
- struct sadb_x_udpencap udpencap; /* Peer UDP Port */
- u_char realkey[8192], realakey[8192];
- struct iovec iov[30];
- struct addrinfo hints, *res;
- const char *errstr;
- u_long ll;
- char *ep;
-
- if (argc < 2)
- usage();
-
- /* Zero out */
- memset(&smsg, 0, sizeof(smsg));
- memset(&sa, 0, sizeof(sa));
- memset(&sa2, 0, sizeof(sa2));
- memset(&skey1, 0, sizeof(skey1));
- memset(&skey2, 0, sizeof(skey2));
- memset(&sad1, 0, sizeof(sad1));
- memset(&sad2, 0, sizeof(sad2));
- memset(&sad3, 0, sizeof(sad3));
- memset(&sad4, 0, sizeof(sad4));
- memset(&sad5, 0, sizeof(sad5));
- memset(&sad6, 0, sizeof(sad6));
- memset(&sad7, 0, sizeof(sad7));
- memset(&sad8, 0, sizeof(sad8));
- memset(&sprotocol, 0, sizeof(sprotocol));
- memset(&sprotocol2, 0, sizeof(sprotocol2));
- memset(iov, 0, sizeof(iov));
- memset(realkey, 0, sizeof(realkey));
- memset(realakey, 0, sizeof(realakey));
- memset(&sid1, 0, sizeof(sid1));
- memset(&sid2, 0, sizeof(sid2));
- memset(&udpencap, 0, sizeof(udpencap));
-
- src = (union sockaddr_union *) srcbuf;
- dst = (union sockaddr_union *) dstbuf;
- dst2 = (union sockaddr_union *) dst2buf;
- osrc = (union sockaddr_union *) osrcbuf;
- odst = (union sockaddr_union *) odstbuf;
- osmask = (union sockaddr_union *) osmaskbuf;
- odmask = (union sockaddr_union *) odmaskbuf;
- proxy = (union sockaddr_union *) proxybuf;
-
- memset(srcbuf, 0, sizeof(srcbuf));
- memset(dstbuf, 0, sizeof(dstbuf));
- memset(dst2buf, 0, sizeof(dst2buf));
- memset(osrcbuf, 0, sizeof(osrcbuf));
- memset(odstbuf, 0, sizeof(odstbuf));
- memset(osmaskbuf, 0, sizeof(osmaskbuf));
- memset(odmaskbuf, 0, sizeof(odmaskbuf));
- memset(proxybuf, 0, sizeof(proxybuf));
-
- /* Initialize */
- smsg.sadb_msg_version = PF_KEY_V2;
- smsg.sadb_msg_seq = 1;
- smsg.sadb_msg_pid = getpid();
- smsg.sadb_msg_len = sizeof(smsg) / 8;
-
- /* Initialize */
- sa.sadb_sa_exttype = SADB_EXT_SA;
- sa.sadb_sa_len = sizeof(sa) / 8;
- sa.sadb_sa_replay = 0;
- sa.sadb_sa_state = SADB_SASTATE_MATURE;
-
- sa2.sadb_sa_exttype = SADB_X_EXT_SA2;
- sa2.sadb_sa_len = sizeof(sa) / 8;
- sa2.sadb_sa_replay = 0;
- sa2.sadb_sa_state = SADB_SASTATE_MATURE;
-
- sid1.sadb_ident_len = sizeof(sid1) / 8;
- sid1.sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;
-
- sid2.sadb_ident_len = sizeof(sid2) / 8;
- sid2.sadb_ident_exttype = SADB_EXT_IDENTITY_DST;
-
- sprotocol2.sadb_protocol_len = 1;
- sprotocol2.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE;
- sprotocol2.sadb_protocol_direction = IPSP_DIRECTION_OUT;
- sprotocol2.sadb_protocol_flags = SADB_X_POLICYFLAGS_POLICY;
- sprotocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
- sprotocol.sadb_protocol_len = 1;
-
- if (!strcmp(argv[1], "new") && argc > 3) {
- if (!strcmp(argv[2], "esp")) {
- mode = ESP_NEW;
- smsg.sadb_msg_type = SADB_ADD;
- smsg.sadb_msg_satype = SADB_SATYPE_ESP;
- } else if (!strcmp(argv[2], "ah")) {
- mode = AH_NEW;
- smsg.sadb_msg_type = SADB_ADD;
- smsg.sadb_msg_satype = SADB_SATYPE_AH;
- } else
- errx(1, "unexpected identifier %s", argv[2]);
-
- i += 2;
- } else if (!strcmp(argv[1], "old") && argc > 3) {
- if (!strcmp(argv[2], "esp")) {
- mode = ESP_OLD;
- smsg.sadb_msg_type = SADB_ADD;
- smsg.sadb_msg_satype = SADB_SATYPE_ESP;
- sa.sadb_sa_flags |= SADB_X_SAFLAGS_RANDOMPADDING;
- sa.sadb_sa_flags |= SADB_X_SAFLAGS_NOREPLAY;
- } else if (!strcmp(argv[2], "ah")) {
- mode = AH_OLD;
- smsg.sadb_msg_type = SADB_ADD;
- smsg.sadb_msg_satype = SADB_SATYPE_AH;
- sa.sadb_sa_flags |= SADB_X_SAFLAGS_NOREPLAY;
- } else
- errx(1, "unexpected identifier %s", argv[2]);
-
- i += 2;
- } else if (!strcmp(argv[1], "delspi")) {
- smsg.sadb_msg_type = SADB_DELETE;
- smsg.sadb_msg_satype = SADB_SATYPE_ESP;
- mode = DEL_SPI;
- i++;
- } else if (!strcmp(argv[1], "group")) {
- smsg.sadb_msg_type = SADB_X_GRPSPIS;
- smsg.sadb_msg_satype = SADB_SATYPE_ESP;
- mode = GRP_SPI;
- i++;
- } else if (!strcmp(argv[1], "flow")) {
- /* It may not be ADDFLOW, but never mind that for now */
- smsg.sadb_msg_type = SADB_X_ADDFLOW;
- smsg.sadb_msg_satype = SADB_SATYPE_ESP;
- mode = FLOW;
- i++;
- } else if (!strcmp(argv[1], "flush")) {
- mode = FLUSH;
- smsg.sadb_msg_type = SADB_FLUSH;
- smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
- i++;
- } else if (!strcmp(argv[1], "ip4")) {
- mode = ENC_IP;
- smsg.sadb_msg_type = SADB_ADD;
- smsg.sadb_msg_satype = SADB_X_SATYPE_IPIP;
- i++;
- } else if (!strcmp(argv[1], "tcpmd5")) {
- mode = TCPMD5;
- smsg.sadb_msg_type = SADB_ADD;
- smsg.sadb_msg_satype = SADB_X_SATYPE_TCPSIGNATURE;
- i++;
- } else if (!strcmp(argv[1], "ipcomp")) {
- mode = IPCOMP;
- smsg.sadb_msg_type = SADB_ADD;
- smsg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP;
- i++;
- } else if (!strcmp(argv[1], "monitor")) {
- mode = MONITOR;
- i++;
- } else if (!strcmp(argv[1], "show")) {
- mode = SHOW;
- smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
- i++;
- } else {
- warnx("unknown command: %s", argv[1]);
- usage();
- }
-
- for (i++; i < argc; i++) {
- if (argv[i][0] != '-')
- errx(1, "expected option, got %s", argv[i]);
- if (!strcmp(argv[i] + 1, "enc") && enc == 0 && (i + 1 < argc)) {
- if ((enc = isvalid(argv[i + 1], XF_ENC, mode)) == 0)
- errx(1, "invalid encryption algorithm %s",
- argv[i + 1]);
- skey1.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
- sa.sadb_sa_encrypt = enc;
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "auth") && auth == 0 && (i + 1 < argc)) {
- if ((auth = isvalid(argv[i + 1], XF_AUTH, mode)) == 0)
- errx(1, "invalid auth algorithm %s", argv[i + 1]);
- skey2.sadb_key_exttype = SADB_EXT_KEY_AUTH;
- sa.sadb_sa_auth = auth;
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "comp") && comp == 0 && (i + 1 < argc)) {
- if ((comp = isvalid(argv[i + 1], XF_COMP, mode)) == 0)
- errx(1, "invalid comp algorithm %s", argv[i + 1]);
- /*
- * Use encryption algo slot to store compression algo
- * since we cannot modify sadb_sa
- */
- sa.sadb_sa_encrypt = comp;
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "key") && keyp == NULL &&
- (i + 1 < argc)) {
- if (mode & (AH_NEW | AH_OLD | TCPMD5)) {
- authp = (u_char *)argv[++i];
- alen = strlen((char *)authp) / 2;
- } else {
- keyp = (u_char *)argv[++i];
- klen = strlen((char *)keyp) / 2;
- }
- continue;
- }
- if (!strcmp(argv[i] + 1, "keyfile") && keyp == NULL &&
- (i + 1 < argc)) {
- struct stat sb;
- u_char *pptr;
- int fd;
-
- if (stat(argv[++i], &sb) < 0)
- err(1, "stat");
- if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
- errx(1, "file %s is too %s "
- "(must be between 1 and %d bytes)",
- argv[i], sb.st_size ? "large" : "small",
- KEYSIZE_LIMIT);
- if ((pptr = malloc(sb.st_size)) == NULL)
- err(1, "malloc");
- if ((fd = open(argv[i], O_RDONLY)) < 0)
- err(1, "open");
- if (read(fd, pptr, sb.st_size) < sb.st_size)
- err(1, "read");
- close(fd);
-
- if (mode & (AH_NEW | AH_OLD | TCPMD5)) {
- authp = pptr;
- alen = sb.st_size / 2;
- } else {
- keyp = pptr;
- klen = sb.st_size / 2;
- }
- continue;
- }
- if (!strcmp(argv[i] + 1, "authkeyfile") && authp == NULL &&
- (i + 1 < argc)) {
- struct stat sb;
- int fd;
-
- if (!(mode & ESP_NEW))
- errx(1, "invalid option %s for selected mode",
- argv[i]);
- if (stat(argv[++i], &sb) < 0)
- err(1, "stat");
- if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
- errx(1, "file %s is too %s "
- "(must be between 1 and %d bytes)",
- argv[i], sb.st_size ? "large" : "small",
- KEYSIZE_LIMIT);
- if ((authp = malloc(sb.st_size)) == NULL)
- err(1, "malloc");
- if ((fd = open(argv[i], O_RDONLY)) < 0)
- err(1, "open");
- if (read(fd, authp, sb.st_size) < sb.st_size)
- err(1, "read");
- close(fd);
-
- alen = sb.st_size / 2;
- continue;
- }
- if (!strcmp(argv[i] + 1, "authkey") && authp == NULL &&
- (i + 1 < argc)) {
- if (!(mode & ESP_NEW))
- errx(1, "invalid option %s for selected mode",
- argv[i]);
- authp = (u_char *)argv[++i];
- alen = strlen((char *)authp) / 2;
- continue;
- }
- if (!strcmp(argv[i] + 1, "iv") && (i + 1 < argc)) {
- if (mode & (AH_OLD | AH_NEW))
- errx(1, "invalid option %s with auth",
- argv[i]);
- warnx("warning: option iv has been deprecated");
-
- /* Horrible hack */
- if (mode & ESP_OLD)
- if (strlen(argv[i + 2]) == 4)
- sa.sadb_sa_flags |= SADB_X_SAFLAGS_HALFIV;
-
- i++;
- continue;
- }
- if ((iscmd(mode, FLUSH) || iscmd(mode, SHOW)) &&
- smsg.sadb_msg_satype == SADB_SATYPE_UNSPEC) {
- if (!strcmp(argv[i] + 1, "esp"))
- smsg.sadb_msg_satype = SADB_SATYPE_ESP;
- else if (!strcmp(argv[i] + 1, "ah"))
- smsg.sadb_msg_satype = SADB_SATYPE_AH;
- else if (!strcmp(argv[i] + 1, "ip4"))
- smsg.sadb_msg_satype = SADB_X_SATYPE_IPIP;
- else if (!strcmp(argv[i] + 1, "tcpmd5"))
- smsg.sadb_msg_satype = SADB_X_SATYPE_TCPSIGNATURE;
- else if (!strcmp(argv[i] + 1, "ipcomp"))
- smsg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP;
- else
- errx(1, "invalid SA type %s", argv[i] + 1);
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "spi") && iscmd(mode, FLOW)) {
- warnx("use of flag \"-spi\" is deprecated with "
- "flow creation or deletion");
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "spi") && spi == SPI_LOCAL_USE &&
- (i + 1 < argc) && !bypass && !deny) {
- ll = strtoul(argv[i + 1], &ep, 16);
- if ((argv[i + 1] == '\0' || *ep != '\0') ||
- (errno == ERANGE && ll == ULONG_MAX) ||
- (ll >= SPI_RESERVED_MIN && ll <= SPI_RESERVED_MAX))
- errx(1, "invalid spi %s", argv[i + 1]);
- spi = ll;
- sa.sadb_sa_spi = htonl(spi);
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "spi2") && spi2 == SPI_LOCAL_USE &&
- iscmd(mode, GRP_SPI) && (i + 1 < argc)) {
- ll = strtoul(argv[i + 1], &ep, 16);
- if ((argv[i + 1] == '\0' || *ep != '\0') ||
- (errno == ERANGE && ll == ULONG_MAX) ||
- (ll >= SPI_RESERVED_MIN && ll <= SPI_RESERVED_MAX))
- errx(1, "invalid spi2 %s", argv[i + 1]);
- spi2 = ll;
- sa2.sadb_sa_spi = htonl(spi2);
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "cpi") && cpi == SPI_LOCAL_USE &&
- (i + 1 < argc) && !bypass && !deny) {
- ll = strtoul(argv[i + 1], &ep, 16);
- if ((argv[i + 1] == '\0' || *ep != '\0') ||
- (errno == ERANGE && ll == ULONG_MAX) ||
- (ll >= CPI_RESERVED_MIN && ll <= CPI_RESERVED_MAX) ||
- (ll > USHRT_MAX))
- errx(1, "invalid cpi %s", argv[i + 1]);
- cpi = ll;
- sa.sadb_sa_spi = ntohl(cpi);
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "dst2") &&
- iscmd(mode, GRP_SPI) && (i + 1 < argc)) {
- sad8.sadb_address_exttype = SADB_X_EXT_DST2;
- memset(&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_family = PF_UNSPEC;
- if (getaddrinfo(argv[i + 1], "0", &hints, &res) != 0)
- errx(1, "destination address2 %s is not valid",
- argv[i + 1]);
-
- if (res->ai_next)
- errx(1, "destination address2 %s resolves to "
- "multiple addresses", argv[i + 1]);
-
- switch (res->ai_family) {
- case AF_INET6:
- if (res->ai_addrlen != sizeof(dst2->sin6))
- errx(1, "destination address2 %s resolves "
- "to unexpected address", argv[i + 1]);
- memcpy(&dst2->sin6, res->ai_addr,
- sizeof(dst2->sin6));
- dst2set = 1;
- break;
- case AF_INET:
- if (res->ai_addrlen != sizeof(dst2->sin))
- errx(1, "destination address2 %s resolves "
- "to unexpected address", argv[i + 1]);
- memcpy(&dst2->sin, res->ai_addr,
- sizeof(dst2->sin));
- dst2set = 1;
- break;
- default:
- errx(1, "destination address2 %s resolved to "
- "unsupported address family", argv[i + 1]);
- /* NOTREACHED */
- }
-
- freeaddrinfo(res);
-
- if (dst2set == 0)
- errx(1, "destination address2 %s is not valid",
- argv[i + 1]);
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "src") && (i + 1 < argc)) {
- sad1.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
- memset(&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_family = PF_UNSPEC;
- if (getaddrinfo(argv[i + 1], "0", &hints, &res) != 0)
- errx(1, "source address %s is not valid",
- argv[i + 1]);
-
- if (res->ai_next)
- errx(1, "source address %s resolves to "
- "multiple addresses", argv[i + 1]);
-
- switch (res->ai_family) {
- case AF_INET6:
- if (res->ai_addrlen != sizeof(src->sin6))
- errx(1, "source address %s resolves to "
- "unexpected address", argv[i + 1]);
- memcpy(&src->sin6, res->ai_addr,
- sizeof(src->sin6));
- srcset = 1;
- sad1.sadb_address_len = (sizeof(sad1) +
- ROUNDUP(sizeof(struct sockaddr_in6))) / 8;
- break;
- case AF_INET:
- if (res->ai_addrlen != sizeof(src->sin))
- errx(1, "source address %s resolves to "
- "unexpected address", argv[i + 1]);
- memcpy(&src->sin, res->ai_addr,
- sizeof(src->sin));
- srcset = 1;
- sad1.sadb_address_len = (sizeof(sad1) +
- ROUNDUP(sizeof(struct sockaddr_in))) / 8;
- break;
- default:
- errx(1, "source address %s resolved to "
- "unsupported address family", argv[i + 1]);
- /* NOTREACHED */
- }
-
- freeaddrinfo(res);
-
- if (srcset == 0)
- errx(1, "source address %s is not valid",
- argv[i + 1]);
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "proxy") && (i + 1 < argc) && !deny &&
- !bypass && !ipsec) {
- sad3.sadb_address_exttype = SADB_EXT_ADDRESS_PROXY;
- memset(&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_family = PF_UNSPEC;
- if (getaddrinfo(argv[i + 1], "0", &hints, &res) != 0)
- errx(1, "proxy address %s is not valid",
- argv[i + 1]);
-
- if (res->ai_next)
- errx(1, "proxy address %s resolves to "
- "multiple addresses", argv[i + 1]);
-
- switch (res->ai_family) {
- case AF_INET6:
- if (res->ai_addrlen != sizeof(proxy->sin6))
- errx(1, "proxy address %s resolves to "
- "unexpected address", argv[i + 1]);
- memcpy(&proxy->sin6, res->ai_addr,
- sizeof(proxy->sin6));
- proxyset = 1;
- sad3.sadb_address_len = (sizeof(sad3) +
- ROUNDUP(sizeof(struct sockaddr_in6))) / 8;
- break;
- case AF_INET:
- if (res->ai_addrlen != sizeof(proxy->sin))
- errx(1, "proxy address %s resolves to "
- "unexpected address", argv[i + 1]);
- memcpy(&proxy->sin, res->ai_addr,
- sizeof(proxy->sin));
- proxyset = 1;
- sad3.sadb_address_len = (sizeof(sad3) +
- ROUNDUP(sizeof(struct sockaddr_in))) / 8;
- break;
- default:
- errx(1, "proxy address %s resolved to "
- "unsupported address family", argv[i + 1]);
- /* NOTREACHED */
- }
-
- freeaddrinfo(res);
-
- if (proxyset == 0)
- errx(1, "proxy address %s is not valid",
- argv[i + 1]);
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "newpadding")) {
- warnx("warning: option newpadding has been deprecated");
- continue;
- }
- if (!strcmp(argv[i] + 1, "in") && iscmd(mode, FLOW)) {
- sprotocol2.sadb_protocol_direction = IPSP_DIRECTION_IN;
- continue;
- }
- if (!strcmp(argv[i] + 1, "out") && iscmd(mode, FLOW)) {
- sprotocol2.sadb_protocol_direction = IPSP_DIRECTION_OUT;
- continue;
- }
- if (!strcmp(argv[i] + 1, "forcetunnel") && isencauth(mode)) {
- sa.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
- continue;
- }
- if (!strcmp(argv[i] + 1, "udpencap") &&
- udpencap.sadb_x_udpencap_port == 0 && (i + 1 < argc)) {
- if (!(mode & ESP_NEW))
- errx(1, "option udpencap can "
- "be used only with new ESP");
- sa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
- udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP;
- udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8;
- udpencap.sadb_x_udpencap_port =
- strtonum(argv[i + 1], 0, USHRT_MAX, &errstr);
- if (errstr)
- errx(1, "invalid port %s", argv[i + 1]);
- udpencap.sadb_x_udpencap_port =
- htons(udpencap.sadb_x_udpencap_port);
- udpencap.sadb_x_udpencap_reserved = 0;
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "halfiv")) {
- if (!(mode & ESP_OLD))
- errx(1, "option halfiv can be used only "
- "with old ESP");
- sa.sadb_sa_flags |= SADB_X_SAFLAGS_HALFIV;
- continue;
- }
- if (!strcmp(argv[i] + 1, "delete") && iscmd(mode, FLOW)) {
- smsg.sadb_msg_type = SADB_X_DELFLOW;
- continue;
- }
- if (!strcmp(argv[i] + 1, "local") && iscmd(mode, FLOW)) {
- warnx("warning: option local has been deprecated");
- continue;
- }
- if (!strcmp(argv[i] + 1, "tunnel") &&
- (isencauth(mode) || mode == ENC_IP) && (i + 2 < argc)) {
- i += 2;
- sa.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
- continue;
- }
- if (!strcmp(argv[i] + 1, "srcid") && (iscmd(mode, FLOW) ||
- isencauth(mode)) && (i + 1 < argc)) {
- int len = ROUNDUP(strlen(argv[i + 1]) + 1);
-
- if (srcid != NULL)
- errx(1, "srcid specified multiple times");
- if ((srcid = calloc(len, sizeof(char))) == NULL)
- err(1, "calloc");
- strlcpy((char *)srcid, argv[i + 1], len);
- sid1.sadb_ident_len += ROUNDUP(strlen((char *)srcid) + 1) /
- sizeof(u_int64_t);
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "dstid") && (iscmd(mode, FLOW) ||
- isencauth(mode)) && (i + 1 < argc)) {
- int len = ROUNDUP(strlen(argv[i + 1]) + 1);
-
- if (dstid != NULL)
- errx(1, "dstid specified multiple times");
- if ((dstid = calloc(len, sizeof(char))) == NULL)
- err(1, "calloc");
- strlcpy((char *)dstid, argv[i + 1], len);
- sid2.sadb_ident_len += ROUNDUP(strlen((char *)dstid) + 1) /
- sizeof(u_int64_t);
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "srcid_type") && (iscmd(mode, FLOW) ||
- isencauth(mode)) && (i + 1 < argc)) {
- if (sid1.sadb_ident_type != 0)
- errx(1, "srcid_type specified multiple times");
- if (!strcmp(argv[i + 1], "prefix"))
- sid1.sadb_ident_type = SADB_IDENTTYPE_PREFIX;
- else if (!strcmp(argv[i + 1], "fqdn"))
- sid1.sadb_ident_type = SADB_IDENTTYPE_FQDN;
- else if (!strcmp(argv[i + 1], "ufqdn"))
- sid1.sadb_ident_type = SADB_IDENTTYPE_USERFQDN;
- else
- errx(1, "unknown identity type \"%s\"",
- argv[i + 1]);
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "dstid_type") && (iscmd(mode, FLOW) ||
- isencauth(mode)) && (i + 1 < argc)) {
- if (sid2.sadb_ident_type != 0)
- errx(1, "dstid_type specified multiple times");
- if (!strcmp(argv[i + 1], "prefix"))
- sid2.sadb_ident_type = SADB_IDENTTYPE_PREFIX;
- else if (!strcmp(argv[i + 1], "fqdn"))
- sid2.sadb_ident_type = SADB_IDENTTYPE_FQDN;
- else if (!strcmp(argv[i + 1], "ufqdn"))
- sid2.sadb_ident_type = SADB_IDENTTYPE_USERFQDN;
- else
- errx(1, "unknown identity type \"%s\"",
- argv[i + 1]);
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "addr") && iscmd(mode, FLOW) &&
- (i + 1 < argc)) {
- int advance;
-
- sad4.sadb_address_exttype = SADB_X_EXT_SRC_FLOW;
- sad5.sadb_address_exttype = SADB_X_EXT_DST_FLOW;
- sad6.sadb_address_exttype = SADB_X_EXT_SRC_MASK;
- sad7.sadb_address_exttype = SADB_X_EXT_DST_MASK;
-
- switch (addrparse(argv[i + 1], &osrc->sa, &osmask->sa)) {
- case 0:
- advance = 4;
- if (i + 4 >= argc)
- errx(1, "-addr takes 4 arguments");
- if (addrparse(argv[i + 2], &osmask->sa, NULL) != 0 ||
- addrparse(argv[i + 3], &odst->sa, NULL) != 0 ||
- addrparse(argv[i + 4], &odmask->sa, NULL) != 0)
- errx(1, "invalid address on -addr");
- break;
- case 1:
- advance = 2;
- if (i + 2 >= argc)
- errx(1, "-addr takes 2 arguments");
- if (addrparse(argv[i + 2], &odst->sa,
- &odmask->sa) != 1)
- errx(1, "invalid address on -addr");
- break;
- default:
- errx(1, "invalid address %s on -addr", argv[i + 1]);
- /* NOTREACHED */
- }
- if (osrc->sa.sa_family != odst->sa.sa_family)
- errx(1, "mixed address families specified in addr");
- sad4.sadb_address_len = (sizeof(sad4) +
- ROUNDUP(osrc->sa.sa_len)) / 8;
- sad5.sadb_address_len = (sizeof(sad5) +
- ROUNDUP(odst->sa.sa_len)) / 8;
- sad6.sadb_address_len = (sizeof(sad6) +
- ROUNDUP(osmask->sa.sa_len)) / 8;
- sad7.sadb_address_len = (sizeof(sad7) +
- ROUNDUP(odmask->sa.sa_len)) / 8;
-
- i += advance;
- continue;
- }
- if ((!strcmp(argv[i] + 1, "bypass") || !strcmp(argv[i] + 1, "permit"))
- && iscmd(mode, FLOW) && !deny &&
- !ipsec && !bypass) {
- /* Setup everything for a bypass flow */
- bypass = 1;
- sprotocol2.sadb_protocol_proto = SADB_X_FLOW_TYPE_BYPASS;
- continue;
- }
- if (!strcmp(argv[i] + 1, "deny") && iscmd(mode, FLOW) && !ipsec &&
- !deny && !bypass) {
- /* Setup everything for a deny flow */
- deny = 1;
- sprotocol2.sadb_protocol_proto = SADB_X_FLOW_TYPE_DENY;
- continue;
- }
- if (!strcmp(argv[i] + 1, "use") && iscmd(mode, FLOW) && !deny &&
- !bypass && !ipsec) {
- ipsec = 1;
- sprotocol2.sadb_protocol_proto = SADB_X_FLOW_TYPE_USE;
- continue;
- }
- if (!strcmp(argv[i] + 1, "acquire") && iscmd(mode, FLOW) && !deny &&
- !bypass && !ipsec) {
- ipsec = 1;
- sprotocol2.sadb_protocol_proto = SADB_X_FLOW_TYPE_ACQUIRE;
- continue;
- }
- if (!strcmp(argv[i] + 1, "require") && iscmd(mode, FLOW) && !deny &&
- !bypass && !ipsec) {
- ipsec = 1;
- sprotocol2.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE;
- continue;
- }
- if (!strcmp(argv[i] + 1, "dontacq") && iscmd(mode, FLOW) && !deny &&
- !bypass && !ipsec) {
- ipsec = 1;
- sprotocol2.sadb_protocol_proto = SADB_X_FLOW_TYPE_DONTACQ;
- continue;
- }
- if (!strcmp(argv[i] + 1, "transport") &&
- iscmd(mode, FLOW) && (i + 1 < argc)) {
- if (isalpha(argv[i + 1][0])) {
- tp = getprotobyname(argv[i + 1]);
- if (tp == NULL)
- errx(1, "unknown protocol %s",
- argv[i + 1]);
- tproto = tp->p_proto;
- transportproto = argv[i + 1];
- } else {
- tproto = strtonum(argv[i + 1], 0, INT_MAX,
- &errstr);
- if (errstr)
- errx(1, "bad protocol %s",
- argv[i + 1]);
- tp = getprotobynumber(tproto);
- if (tp == NULL)
- transportproto = "UNKNOWN";
- else
- transportproto = tp->p_name;
- }
-
- sprotocol.sadb_protocol_len = 1;
- sprotocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
- sprotocol.sadb_protocol_proto = tproto;
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "sport") &&
- iscmd(mode, FLOW) && (i + 1 < argc)) {
- if (isalpha(argv[i + 1][0])) {
- svp = getservbyname(argv[i + 1], transportproto);
- if (svp == NULL)
- errx(1, "unknown service port %s for "
- "protocol %s", argv[i + 1],
- transportproto);
- sport = svp->s_port;
- } else {
- sport = strtonum(argv[i + 1], 0, USHRT_MAX,
- &errstr);
- if (errstr)
- errx(1, "invalid port %s", argv[i + 1]);
- sport = htons(sport);
- }
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "dport") &&
- iscmd(mode, FLOW) && (i + 1 < argc)) {
- if (isalpha(argv[i + 1][0])) {
- svp = getservbyname(argv[i + 1], transportproto);
- if (svp == NULL)
- errx(1, "unknown service port %s for "
- "protocol %s", argv[i + 1],
- transportproto);
- dport = svp->s_port;
- } else {
- dport = strtonum(argv[i + 1], 0, USHRT_MAX,
- &errstr);
- if (errstr)
- errx(1, "invalid port %s", argv[i + 1]);
- dport = htons(dport);
- }
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "dst") && (i + 1 < argc) && !bypass && !deny) {
- sad2.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
- memset(&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_family = PF_UNSPEC;
- if (getaddrinfo(argv[i + 1], "0", &hints, &res) != 0)
- errx(1, "destination address %s is not valid",
- argv[i + 1]);
-
- if (res->ai_next)
- errx(1, "destination address %s resolves to "
- "multiple addresses", argv[i + 1]);
-
- switch (res->ai_family) {
- case AF_INET6:
- if (res->ai_addrlen != sizeof(dst->sin6))
- errx(1, "destination address %s resolves to "
- "unexpected address", argv[i + 1]);
- memcpy(&dst->sin6, res->ai_addr,
- sizeof(dst->sin6));
- dstset = 1;
- sad2.sadb_address_len = (sizeof(sad2) +
- ROUNDUP(sizeof(struct sockaddr_in6))) / 8;
- break;
- case AF_INET:
- if (res->ai_addrlen != sizeof(dst->sin))
- errx(1, "destination address %s resolves to "
- "unexpected address", argv[i + 1]);
- memcpy(&dst->sin, res->ai_addr,
- sizeof(dst->sin));
- dstset = 1;
- sad2.sadb_address_len = (sizeof(sad2) +
- ROUNDUP(sizeof(struct sockaddr_in))) / 8;
- break;
- default:
- errx(1, "destination address %s resolved to "
- "unsupported address family", argv[i + 1]);
- /* NOTREACHED */
- }
-
- freeaddrinfo(res);
-
- if (dstset == 0)
- errx(1, "destination address %s is not valid",
- argv[i + 1]);
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "proto2") &&
- iscmd(mode, GRP_SPI) && (i + 1 < argc)) {
- if (isalpha(argv[i + 1][0])) {
- if (!strcasecmp(argv[i + 1], "esp")) {
- sprotocol.sadb_protocol_proto = sproto2 =
- SADB_SATYPE_ESP;
- proto2 = IPPROTO_ESP;
- } else if (!strcasecmp(argv[i + 1], "ah")) {
- sprotocol.sadb_protocol_proto = sproto2 =
- SADB_SATYPE_AH;
- proto2 = IPPROTO_AH;
- } else if (!strcasecmp(argv[i + 1], "ip4")) {
- sprotocol.sadb_protocol_proto = sproto2 =
- SADB_X_SATYPE_IPIP;
- proto2 = IPPROTO_IPIP;
- } else if (!strcasecmp(argv[i + 1], "ipcomp")) {
- sprotocol.sadb_protocol_proto = sproto2 =
- SADB_X_SATYPE_IPCOMP;
- } else
- errx(1, "unknown security protocol2 "
- "type %s", argv[i + 1]);
- } else {
- proto2 = strtonum(argv[i + 1], 0, INT_MAX,
- &errstr);
- if (errstr || (proto2 != IPPROTO_ESP &&
- proto2 != IPPROTO_AH &&
- proto2 != IPPROTO_IPIP &&
- proto2 != IPPROTO_IPCOMP))
- errx(1, "unknown security protocol2 %s",
- argv[i + 1]);
- if (proto2 == IPPROTO_ESP)
- sprotocol.sadb_protocol_proto = sproto2 =
- SADB_SATYPE_ESP;
- else if (proto2 == IPPROTO_AH)
- sprotocol.sadb_protocol_proto = sproto2 =
- SADB_SATYPE_AH;
- else if (proto2 == IPPROTO_IPIP)
- sprotocol.sadb_protocol_proto = sproto2 =
- SADB_X_SATYPE_IPIP;
- else if (proto2 == IPPROTO_IPCOMP)
- sprotocol.sadb_protocol_proto = sproto2 =
- SADB_X_SATYPE_IPCOMP;
- }
- i++;
- continue;
- }
- if (!strcmp(argv[i] + 1, "proto") && (i + 1 < argc) &&
- ((iscmd(mode, FLOW) && !bypass && !deny) || iscmd(mode, DEL_SPI) ||
- iscmd(mode, GRP_SPI))) {
- if (isalpha(argv[i + 1][0])) {
- if (!strcasecmp(argv[i + 1], "esp")) {
- smsg.sadb_msg_satype = SADB_SATYPE_ESP;
- proto = IPPROTO_ESP;
- } else if (!strcasecmp(argv[i + 1], "ah")) {
- smsg.sadb_msg_satype = SADB_SATYPE_AH;
- proto = IPPROTO_AH;
- } else if (!strcasecmp(argv[i + 1], "ip4")) {
- smsg.sadb_msg_satype = SADB_X_SATYPE_IPIP;
- proto = IPPROTO_IPIP;
- } else if (!strcasecmp(argv[i + 1], "ipcomp")) {
- smsg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP;
- proto = IPPROTO_IPCOMP;
- } else if (!strcasecmp(argv[i + 1], "tcpmd5")) {
- smsg.sadb_msg_satype = SADB_X_SATYPE_TCPSIGNATURE;
- proto = IPPROTO_TCP;
- } else
- errx(1, "unknown security protocol type %s",
- argv[i + 1]);
- } else {
- proto = strtonum(argv[i + 1], 0, INT_MAX,
- &errstr);
- if (errstr || (proto != IPPROTO_ESP &&
- proto != IPPROTO_AH &&
- proto != IPPROTO_IPIP &&
- proto != IPPROTO_IPCOMP)) {
- errx(1, "unknown security protocol %s",
- argv[i + 1]);
- }
- if (proto == IPPROTO_ESP)
- smsg.sadb_msg_satype = SADB_SATYPE_ESP;
- else if (proto == IPPROTO_AH)
- smsg.sadb_msg_satype = SADB_SATYPE_AH;
- else if (proto == IPPROTO_IPIP)
- smsg.sadb_msg_satype = SADB_X_SATYPE_IPIP;
- else if (proto == IPPROTO_IPCOMP)
- smsg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP;
- }
- i++;
- continue;
- }
- errx(1, "unknown option: %s", argv[i]);
- }
-
- if (iscmd(mode, SHOW)) {
- ipsecadm_show(smsg.sadb_msg_satype);
- exit(0);
- } else if (iscmd(mode, MONITOR)) {
- ipsecadm_monitor();
- exit(0);
- }
-
- /* Sanity checks */
- if ((mode & (ESP_NEW | ESP_OLD)) && enc == 0 && auth == 0)
- errx(1, "no encryption or authentication algorithm specified");
- if (iscmd(mode, GRP_SPI) && spi2 == SPI_LOCAL_USE)
- errx(1, "no SPI2 specified");
- if ((mode & (AH_NEW | AH_OLD)) && auth == 0)
- errx(1, "no authentication algorithm specified");
- if (iscmd(mode, IPCOMP) && comp == 0)
- errx(1, "no compression algorithm specified");
- if ((srcid != NULL) && (sid1.sadb_ident_type == 0))
- errx(1, "srcid_type not specified");
- if ((dstid != NULL) && (sid2.sadb_ident_type == 0))
- errx(1, "dstid_type not specified");
- if ((srcid == NULL) && (sid1.sadb_ident_type != 0))
- errx(1, "srcid_type specified, but no srcid given");
- if ((dstid == NULL) && (sid2.sadb_ident_type != 0))
- errx(1, "dstid_type specified, but no dstid given");
- if (((mode & (ESP_NEW | ESP_OLD)) && enc && keyp == NULL) ||
- ((mode & (AH_NEW | AH_OLD | TCPMD5)) && authp == NULL))
- errx(1, "no key material specified");
- if ((mode & ESP_NEW) && auth && authp == NULL)
- errx(1, "no auth key material specified");
- if (spi == SPI_LOCAL_USE && !iscmd(mode, FLUSH) && !iscmd(mode, FLOW)
- && !iscmd(mode, IPCOMP))
- errx(1, "no SPI specified");
- if (iscmd(mode, IPCOMP) && cpi == SPI_LOCAL_USE)
- errx(1, "no CPI specified");
- if ((isencauth(mode) || iscmd(mode, ENC_IP)) && !srcset)
- errx(1, "no source address specified");
- if (!dstset && !iscmd(mode, FLUSH) && !iscmd(mode, FLOW))
- errx(1, "no destination address for the SA specified");
- if (iscmd(mode, FLOW) && (sprotocol.sadb_protocol_proto == 0) &&
- (odst->sin.sin_port || osrc->sin.sin_port))
- errx(1, "no transport protocol supplied with"
- " source/destination ports");
- if (iscmd(mode, GRP_SPI) && !dst2set)
- errx(1, "no destination address2 specified");
- if ((klen > 2 * 8100) || (alen > 2 * 8100))
- errx(1, "key too long");
- if (iscmd(mode, FLOW) && proto == IPPROTO_IPCOMP)
- sprotocol2.sadb_protocol_proto = SADB_X_FLOW_TYPE_USE;
- if (keyp != NULL)
- for (i = 0; i < klen; i++)
- realkey[i] = x2i(keyp + 2 * i);
- if (authp != NULL)
- for (i = 0; i < alen; i++)
- realakey[i] = x2i(authp + 2 * i);
- /* message header */
- iov[cnt].iov_base = &smsg;
- iov[cnt++].iov_len = sizeof(smsg);
-
- if (isencauth(mode) || iscmd(mode, TCPMD5)) { /* XXX */
- /* SA header */
- iov[cnt].iov_base = &sa;
- iov[cnt++].iov_len = sizeof(sa);
- smsg.sadb_msg_len += sa.sadb_sa_len;
-
- /* Destination address header */
- iov[cnt].iov_base = &sad2;
- iov[cnt++].iov_len = sizeof(sad2);
- /* Destination address */
- iov[cnt].iov_base = dst;
- iov[cnt++].iov_len = ROUNDUP(dst->sa.sa_len);
- smsg.sadb_msg_len += sad2.sadb_address_len;
-
- if (srcid) {
- iov[cnt].iov_base = &sid1;
- iov[cnt++].iov_len = sizeof(sid1);
- /* SRC identity */
- iov[cnt].iov_base = srcid;
- iov[cnt++].iov_len = ROUNDUP(strlen((char *)srcid) + 1);
- smsg.sadb_msg_len += sid1.sadb_ident_len;
- }
- if (dstid) {
- iov[cnt].iov_base = &sid2;
- iov[cnt++].iov_len = sizeof(sid2);
- /* DST identity */
- iov[cnt].iov_base = dstid;
- iov[cnt++].iov_len = ROUNDUP(strlen((char *)dstid) + 1);
- smsg.sadb_msg_len += sid2.sadb_ident_len;
- }
- if (sad1.sadb_address_exttype) {
- /* Source address header */
- iov[cnt].iov_base = &sad1;
- iov[cnt++].iov_len = sizeof(sad1);
- /* Source address */
- iov[cnt].iov_base = src;
- iov[cnt++].iov_len = ROUNDUP(src->sa.sa_len);
- smsg.sadb_msg_len += sad1.sadb_address_len;
- }
- if (proxy->sa.sa_len) {
- /* Proxy address header */
- iov[cnt].iov_base = &sad3;
- iov[cnt++].iov_len = sizeof(sad3);
- /* Proxy address */
- iov[cnt].iov_base = proxy;
- iov[cnt++].iov_len = ROUNDUP(proxy->sa.sa_len);
- smsg.sadb_msg_len += sad3.sadb_address_len;
- }
- if (keyp) {
- /* Key header */
- iov[cnt].iov_base = &skey1;
- iov[cnt++].iov_len = sizeof(skey1);
- /* Key */
- iov[cnt].iov_base = realkey;
- iov[cnt++].iov_len = ((klen + 7) / 8) * 8;
- skey1.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
- skey1.sadb_key_len = (sizeof(skey1) + ((klen + 7) / 8) * 8) / 8;
- skey1.sadb_key_bits = 8 * klen;
- smsg.sadb_msg_len += skey1.sadb_key_len;
- }
- if (authp) {
- /* Auth key header */
- iov[cnt].iov_base = &skey2;
- iov[cnt++].iov_len = sizeof(skey2);
- /* Auth key */
- iov[cnt].iov_base = realakey;
- iov[cnt++].iov_len = ((alen + 7) / 8) * 8;
- skey2.sadb_key_exttype = SADB_EXT_KEY_AUTH;
- skey2.sadb_key_len = (sizeof(skey2) + ((alen + 7) / 8) * 8) / 8;
- skey2.sadb_key_bits = 8 * alen;
- smsg.sadb_msg_len += skey2.sadb_key_len;
- }
- if (sa.sadb_sa_flags & SADB_X_SAFLAGS_UDPENCAP) {
- iov[cnt].iov_base = &udpencap;
- iov[cnt++].iov_len = sizeof(udpencap);
- smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len;
- }
- } else {
- switch (mode & CMD_MASK) {
- case GRP_SPI:
- /* SA header */
- iov[cnt].iov_base = &sa;
- iov[cnt++].iov_len = sizeof(sa);
- smsg.sadb_msg_len += sa.sadb_sa_len;
-
- /* Destination address header */
- iov[cnt].iov_base = &sad2;
- iov[cnt++].iov_len = sizeof(sad2);
- /* Destination address */
- iov[cnt].iov_base = dst;
- iov[cnt++].iov_len = ROUNDUP(dst->sa.sa_len);
- smsg.sadb_msg_len += sad2.sadb_address_len;
-
- /* SA header */
- iov[cnt].iov_base = &sa2;
- iov[cnt++].iov_len = sizeof(sa2);
- smsg.sadb_msg_len += sa2.sadb_sa_len;
-
- /* Destination2 address header */
- iov[cnt].iov_base = &sad8;
- iov[cnt++].iov_len = sizeof(sad8);
- /* Destination2 address */
- iov[cnt].iov_base = dst2;
- iov[cnt++].iov_len = ROUNDUP(dst2->sa.sa_len);
- smsg.sadb_msg_len += sad8.sadb_address_len;
-
- sprotocol.sadb_protocol_proto = sproto2;
-
- /* Protocol2 */
- iov[cnt].iov_base = &sprotocol;
- iov[cnt++].iov_len = sizeof(sprotocol);
- smsg.sadb_msg_len += sprotocol.sadb_protocol_len;
- break;
-
- case DEL_SPI:
- /* SA header */
- iov[cnt].iov_base = &sa;
- iov[cnt++].iov_len = sizeof(sa);
- smsg.sadb_msg_len += sa.sadb_sa_len;
-
- /* Destination address header */
- iov[cnt].iov_base = &sad2;
- iov[cnt++].iov_len = sizeof(sad2);
- /* Destination address */
- iov[cnt].iov_base = dst;
- iov[cnt++].iov_len = ROUNDUP(dst->sa.sa_len);
- smsg.sadb_msg_len += sad2.sadb_address_len;
- break;
-
- case ENC_IP:
- /* SA header */
- iov[cnt].iov_base = &sa;
- iov[cnt++].iov_len = sizeof(sa);
- smsg.sadb_msg_len += sa.sadb_sa_len;
-
- /* Destination address header */
- iov[cnt].iov_base = &sad2;
- iov[cnt++].iov_len = sizeof(sad2);
- /* Destination address */
- iov[cnt].iov_base = dst;
- iov[cnt++].iov_len = ROUNDUP(dst->sa.sa_len);
- smsg.sadb_msg_len += sad2.sadb_address_len;
-
- if (sad1.sadb_address_exttype) {
- /* Source address header */
- iov[cnt].iov_base = &sad1;
- iov[cnt++].iov_len = sizeof(sad1);
- /* Source address */
- iov[cnt].iov_base = src;
- iov[cnt++].iov_len = ROUNDUP(src->sa.sa_len);
- smsg.sadb_msg_len += sad1.sadb_address_len;
- }
- break;
-
- case IPCOMP:
- /* SA header */
- iov[cnt].iov_base = &sa;
- iov[cnt++].iov_len = sizeof(sa);
- smsg.sadb_msg_len += sa.sadb_sa_len;
-
- /* Destination address header */
- iov[cnt].iov_base = &sad2;
- iov[cnt++].iov_len = sizeof(sad2);
- /* Destination address */
- iov[cnt].iov_base = dst;
- iov[cnt++].iov_len = ROUNDUP(dst->sa.sa_len);
- smsg.sadb_msg_len += sad2.sadb_address_len;
-
- if (sad1.sadb_address_exttype) {
- /* Source address header */
- iov[cnt].iov_base = &sad1;
- iov[cnt++].iov_len = sizeof(sad1);
- /* Source address */
- iov[cnt].iov_base = src;
- iov[cnt++].iov_len = ROUNDUP(src->sa.sa_len);
- smsg.sadb_msg_len += sad1.sadb_address_len;
- }
- break;
-
- case FLOW:
- if ((smsg.sadb_msg_type != SADB_X_DELFLOW) &&
- (sad2.sadb_address_exttype)) {
- /* Destination address header */
- iov[cnt].iov_base = &sad2;
- iov[cnt++].iov_len = sizeof(sad2);
- /* Destination address */
- iov[cnt].iov_base = dst;
- iov[cnt++].iov_len = ROUNDUP(dst->sa.sa_len);
- smsg.sadb_msg_len += sad2.sadb_address_len;
- }
- if ((sad1.sadb_address_exttype) &&
- (smsg.sadb_msg_type != SADB_X_DELFLOW)) {
- /* Source address header */
- iov[cnt].iov_base = &sad1;
- iov[cnt++].iov_len = sizeof(sad1);
- /* Source address */
- iov[cnt].iov_base = src;
- iov[cnt++].iov_len = ROUNDUP(src->sa.sa_len);
- smsg.sadb_msg_len += sad1.sadb_address_len;
- }
- if (sprotocol.sadb_protocol_len) {
- /* Transport protocol */
- iov[cnt].iov_base = &sprotocol;
- iov[cnt++].iov_len = sizeof(sprotocol);
- smsg.sadb_msg_len += sprotocol.sadb_protocol_len;
- }
- /* Flow type */
- iov[cnt].iov_base = &sprotocol2;
- iov[cnt++].iov_len = sizeof(sprotocol2);
- smsg.sadb_msg_len += sprotocol2.sadb_protocol_len;
-
- /* Flow source address header */
- if ((sport != -1) && (sport != 0)) {
- if (osrc->sa.sa_family == AF_INET) {
- osrc->sin.sin_port = sport;
- osmask->sin.sin_port = 0xffff;
- } else if (osrc->sa.sa_family == AF_INET6) {
- osrc->sin6.sin6_port = sport;
- osmask->sin6.sin6_port = 0xffff;
- }
- }
- iov[cnt].iov_base = &sad4;
- iov[cnt++].iov_len = sizeof(sad4);
- /* Flow source address */
- iov[cnt].iov_base = osrc;
- iov[cnt++].iov_len = ROUNDUP(osrc->sa.sa_len);
- smsg.sadb_msg_len += sad4.sadb_address_len;
-
- /* Flow destination address header */
- iov[cnt].iov_base = &sad5;
- iov[cnt++].iov_len = sizeof(sad5);
- /* Flow destination address */
- if ((dport != -1) && (dport != 0)) {
- if (odst->sa.sa_family == AF_INET) {
- odst->sin.sin_port = dport;
- odmask->sin.sin_port = 0xffff;
- } else if (odst->sa.sa_family == AF_INET6) {
- odst->sin6.sin6_port = dport;
- odmask->sin6.sin6_port = 0xffff;
- }
- }
- iov[cnt].iov_base = odst;
- iov[cnt++].iov_len = ROUNDUP(odst->sa.sa_len);
- smsg.sadb_msg_len += sad5.sadb_address_len;
-
- /* Flow source address mask header */
- iov[cnt].iov_base = &sad6;
- iov[cnt++].iov_len = sizeof(sad6);
- /* Flow source address mask */
- iov[cnt].iov_base = osmask;
- iov[cnt++].iov_len = ROUNDUP(osmask->sa.sa_len);
- smsg.sadb_msg_len += sad6.sadb_address_len;
-
- /* Flow destination address mask header */
- iov[cnt].iov_base = &sad7;
- iov[cnt++].iov_len = sizeof(sad7);
- /* Flow destination address mask */
- iov[cnt].iov_base = odmask;
- iov[cnt++].iov_len = ROUNDUP(odmask->sa.sa_len);
- smsg.sadb_msg_len += sad7.sadb_address_len;
-
- if (srcid &&
- (smsg.sadb_msg_type != SADB_X_DELFLOW)) {
- iov[cnt].iov_base = &sid1;
- iov[cnt++].iov_len = sizeof(sid1);
- /* SRC identity */
- iov[cnt].iov_base = srcid;
- iov[cnt++].iov_len = ROUNDUP(strlen((char *)srcid) + 1);
- smsg.sadb_msg_len += sid1.sadb_ident_len;
- }
- if (dstid &&
- (smsg.sadb_msg_type != SADB_X_DELFLOW)) {
- iov[cnt].iov_base = &sid2;
- iov[cnt++].iov_len = sizeof(sid2);
- /* DST identity */
- iov[cnt].iov_base = dstid;
- iov[cnt++].iov_len = ROUNDUP(strlen((char *)dstid) + 1);
- smsg.sadb_msg_len += sid2.sadb_ident_len;
- }
- break;
-
- case FLUSH:
- /* No more work needed */
- break;
- }
- }
-
- xf_set(iov, cnt, smsg.sadb_msg_len * 8);
- exit(0);
-}
diff --git a/sbin/ipsecadm/pfkdump.c b/sbin/ipsecadm/pfkdump.c
deleted file mode 100644
index 8bda12f94e1..00000000000
--- a/sbin/ipsecadm/pfkdump.c
+++ /dev/null
@@ -1,673 +0,0 @@
-/* $OpenBSD: pfkdump.c,v 1.18 2005/12/21 01:40:23 millert Exp $ */
-
-/*
- * Copyright (c) 2003 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-#include <sys/sysctl.h>
-#include <net/pfkeyv2.h>
-#include <netinet/ip_ipsp.h>
-#include <netdb.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <err.h>
-#include <errno.h>
-
-#define PFKEY2_CHUNK sizeof(u_int64_t)
-
-void print_sa(struct sadb_ext *, struct sadb_msg *);
-void print_addr(struct sadb_ext *, struct sadb_msg *);
-void print_key(struct sadb_ext *, struct sadb_msg *);
-void print_life(struct sadb_ext *, struct sadb_msg *);
-void print_proto(struct sadb_ext *, struct sadb_msg *);
-void print_flow(struct sadb_ext *, struct sadb_msg *);
-void print_supp(struct sadb_ext *, struct sadb_msg *);
-void print_prop(struct sadb_ext *, struct sadb_msg *);
-void print_sens(struct sadb_ext *, struct sadb_msg *);
-void print_spir(struct sadb_ext *, struct sadb_msg *);
-void print_ident(struct sadb_ext *, struct sadb_msg *);
-void print_policy(struct sadb_ext *, struct sadb_msg *);
-void print_cred(struct sadb_ext *, struct sadb_msg *);
-void print_auth(struct sadb_ext *, struct sadb_msg *);
-void print_udpenc(struct sadb_ext *, struct sadb_msg *);
-
-struct idname *lookup(struct idname [], u_int8_t);
-char *lookup_name(struct idname [], u_int8_t);
-void print_ext(struct sadb_ext *, struct sadb_msg *);
-void print_msg(struct sadb_msg *, int);
-char *alg_by_ext(u_int8_t, u_int8_t);
-void print_alg(struct sadb_alg *, u_int8_t);
-void print_comb(struct sadb_comb *, struct sadb_msg *);
-void msg_send(int, u_int8_t, u_int8_t);
-void msg_read(int);
-void do_pfkey(int, u_int8_t);
-void ipsecadm_monitor(void);
-void ipsecadm_show(u_int8_t);
-
-struct idname {
- u_int8_t id;
- char *name;
- void (*func)(struct sadb_ext *, struct sadb_msg *);
-};
-
-struct idname ext_types[] = {
- { SADB_EXT_RESERVED, "reserved", NULL },
- { SADB_EXT_SA, "sa", print_sa},
- { SADB_EXT_LIFETIME_CURRENT, "lifetime_cur", print_life },
- { SADB_EXT_LIFETIME_HARD, "lifetime_hard", print_life },
- { SADB_EXT_LIFETIME_SOFT, "lifetime_soft", print_life },
- { SADB_EXT_ADDRESS_SRC, "address_src", print_addr},
- { SADB_EXT_ADDRESS_DST, "address_dst", print_addr},
- { SADB_EXT_ADDRESS_PROXY, "address_proxy", print_addr},
- { SADB_EXT_KEY_AUTH, "key_auth", print_key},
- { SADB_EXT_KEY_ENCRYPT, "key_encrypt", print_key},
- { SADB_EXT_IDENTITY_SRC, "identity_src", print_ident },
- { SADB_EXT_IDENTITY_DST, "identity_dst", print_ident },
- { SADB_EXT_SENSITIVITY, "sensitivity", print_sens },
- { SADB_EXT_PROPOSAL, "proposal", print_prop },
- { SADB_EXT_SUPPORTED_AUTH, "supported_auth", print_supp },
- { SADB_EXT_SUPPORTED_ENCRYPT, "supported_encrypt", print_supp },
- { SADB_EXT_SPIRANGE, "spirange", print_spir },
- { SADB_X_EXT_SRC_MASK, "x_src_mask", print_addr },
- { SADB_X_EXT_DST_MASK, "x_dst_mask", print_addr },
- { SADB_X_EXT_PROTOCOL, "x_protocol", print_proto },
- { SADB_X_EXT_FLOW_TYPE, "x_flow_type", print_flow },
- { SADB_X_EXT_SRC_FLOW, "x_src_flow", print_addr },
- { SADB_X_EXT_DST_FLOW, "x_dst_flow", print_addr },
- { SADB_X_EXT_SA2, "x_sa2", print_sa },
- { SADB_X_EXT_DST2, "x_dst2", print_addr },
- { SADB_X_EXT_POLICY, "x_policy", print_policy },
- { SADB_X_EXT_LOCAL_CREDENTIALS, "x_local_cred", print_cred },
- { SADB_X_EXT_REMOTE_CREDENTIALS,"x_remote_cred", print_cred },
- { SADB_X_EXT_LOCAL_AUTH, "x_local_auth", print_auth },
- { SADB_X_EXT_REMOTE_AUTH, "x_remote_auth", print_auth },
- { SADB_X_EXT_SUPPORTED_COMP, "x_supported_comp", print_supp },
- { SADB_X_EXT_UDPENCAP, "x_udpencap", print_udpenc },
-#ifdef SADB_X_EXT_LIFETIME_LASTUSE
- { SADB_X_EXT_LIFETIME_LASTUSE, "x_lifetime_lastuse", print_life },
-#endif
- { 0, NULL, NULL }
-};
-
-struct idname msg_types[] = {
- { SADB_ACQUIRE, "sadb_acquire", NULL },
- { SADB_ADD, "sadb_add", NULL },
- { SADB_DELETE, "sadb_delete", NULL },
- { SADB_DUMP, "sadb_dump", NULL },
- { SADB_EXPIRE, "sadb_expire", NULL },
- { SADB_FLUSH, "sadb_flush", NULL },
- { SADB_GET, "sadb_get", NULL },
- { SADB_GETSPI, "sadb_getspi", NULL },
- { SADB_REGISTER, "sadb_register", NULL },
- { SADB_UPDATE, "sadb_update", NULL },
- { SADB_X_ADDFLOW, "sadb_x_addflow", NULL },
- { SADB_X_ASKPOLICY, "sadb_x_askpolicy", NULL },
- { SADB_X_DELFLOW, "sadb_x_delflow", NULL },
- { SADB_X_GRPSPIS, "sadb_x_grpspis", NULL },
- { SADB_X_PROMISC, "sadb_x_promisc", NULL },
- { 0, NULL, NULL },
-};
-
-struct idname sa_types[] = {
- { SADB_SATYPE_UNSPEC, "unspec", NULL },
- { SADB_SATYPE_AH, "ah", NULL },
- { SADB_SATYPE_ESP, "esp", NULL },
- { SADB_SATYPE_RSVP, "rsvp", NULL },
- { SADB_SATYPE_OSPFV2, "ospfv2", NULL },
- { SADB_SATYPE_RIPV2, "ripv2", NULL },
- { SADB_SATYPE_MIP, "mip", NULL },
- { SADB_X_SATYPE_IPIP, "ipip", NULL },
- { SADB_X_SATYPE_TCPSIGNATURE, "tcpmd5", NULL },
- { SADB_X_SATYPE_IPCOMP, "ipcomp", NULL },
- { 0, NULL, NULL }
-};
-
-struct idname auth_types[] = {
- { SADB_AALG_NONE, "none", NULL },
- { SADB_X_AALG_DES, "des", NULL },
- { SADB_AALG_MD5HMAC, "hmac-md5", NULL },
- { SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", NULL },
- { SADB_AALG_SHA1HMAC, "hmac-sha1", NULL },
- { SADB_X_AALG_SHA2_256, "hmac-sha2-256", NULL },
- { SADB_X_AALG_SHA2_384, "hmac-sha2-384", NULL },
- { SADB_X_AALG_SHA2_512, "hmac-sha2-512", NULL },
- { SADB_X_AALG_MD5, "md5", NULL },
- { SADB_X_AALG_SHA1, "sha1", NULL },
- { 0, NULL, NULL }
-};
-
-struct idname enc_types[] = {
- { SADB_EALG_NONE, "none", NULL },
- { SADB_EALG_3DESCBC, "3des-cbc", NULL },
- { SADB_EALG_DESCBC, "des-cbc", NULL },
- { SADB_X_EALG_3IDEA, "idea3", NULL },
- { SADB_X_EALG_AES, "aes", NULL },
- { SADB_X_EALG_AESCTR, "aesctr", NULL },
- { SADB_X_EALG_BLF, "blowfish", NULL },
- { SADB_X_EALG_CAST, "cast128", NULL },
- { SADB_X_EALG_DES_IV32, "des-iv32", NULL },
- { SADB_X_EALG_DES_IV64, "des-iv64", NULL },
- { SADB_X_EALG_IDEA, "idea", NULL },
- { SADB_EALG_NULL, "null", NULL },
- { SADB_X_EALG_RC4, "rc4", NULL },
- { SADB_X_EALG_RC5, "rc5", NULL },
- { SADB_X_EALG_SKIPJACK, "skipjack", NULL },
- { 0, NULL, NULL }
-};
-
-struct idname comp_types[] = {
- { SADB_X_CALG_NONE, "none", NULL },
- { SADB_X_CALG_OUI, "oui", NULL },
- { SADB_X_CALG_DEFLATE, "deflate", NULL },
- { SADB_X_CALG_LZS, "lzs", NULL },
- { 0, NULL, NULL }
-};
-
-struct idname cred_types[] = {
- { SADB_X_CREDTYPE_X509, "x509-asn1", NULL },
- { SADB_X_CREDTYPE_KEYNOTE, "keynote", NULL },
- { 0, NULL, NULL }
-};
-
-struct idname xauth_types[] = {
- { SADB_X_AUTHTYPE_NONE, "none", NULL },
- { SADB_X_AUTHTYPE_PASSPHRASE, "passphrase", NULL },
- { SADB_X_AUTHTYPE_RSA, "rsa", NULL },
- { 0, NULL, NULL }
-};
-
-struct idname identity_types[] = {
- { SADB_IDENTTYPE_RESERVED, "reserved", NULL },
- { SADB_IDENTTYPE_PREFIX, "prefix", NULL },
- { SADB_IDENTTYPE_FQDN, "fqdn", NULL },
- { SADB_IDENTTYPE_USERFQDN, "ufqdn", NULL },
- { SADB_X_IDENTTYPE_CONNECTION, "x_connection", NULL },
- { 0, NULL, NULL }
-};
-
-struct idname flow_types[] = {
- { SADB_X_FLOW_TYPE_USE, "use", NULL },
- { SADB_X_FLOW_TYPE_ACQUIRE, "acquire", NULL },
- { SADB_X_FLOW_TYPE_REQUIRE, "require", NULL },
- { SADB_X_FLOW_TYPE_BYPASS, "bypass", NULL },
- { SADB_X_FLOW_TYPE_DENY, "deny", NULL },
- { SADB_X_FLOW_TYPE_DONTACQ, "dontacq", NULL },
- { 0, NULL, NULL }
-};
-
-struct idname states[] = {
- { SADB_SASTATE_LARVAL, "larval", NULL },
- { SADB_SASTATE_MATURE, "mature", NULL },
- { SADB_SASTATE_DYING, "dying", NULL },
- { SADB_SASTATE_DEAD, "dead", NULL },
- { 0, NULL, NULL }
-};
-
-struct idname *
-lookup(struct idname tab[], u_int8_t id)
-{
- struct idname *entry;
-
- for (entry = tab; entry->name; entry++)
- if (entry->id == id)
- return (entry);
- return (NULL);
-}
-
-char *
-lookup_name(struct idname tab[], u_int8_t id)
-{
- struct idname *entry;
-
- entry = lookup(tab, id);
- return (entry ? entry->name : "unknown");
-}
-
-void
-print_ext(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct idname *entry;
-
- if ((entry = lookup(ext_types, ext->sadb_ext_type)) == NULL) {
- printf("unknown ext: type %u len %u\n",
- ext->sadb_ext_type, ext->sadb_ext_len);
- return;
- }
- printf("\t%s: ", entry->name);
- if (entry->func != NULL)
- (*entry->func)(ext, msg);
- else
- printf("type %u len %u\n",
- ext->sadb_ext_type, ext->sadb_ext_len);
-}
-
-void
-print_msg(struct sadb_msg *msg, int promisc)
-{
- struct sadb_ext *ext;
-
- printf("%s: satype %s vers %u len %u seq %u %spid %u\n",
- lookup_name(msg_types, msg->sadb_msg_type),
- lookup_name(sa_types, msg->sadb_msg_satype),
- msg->sadb_msg_version, msg->sadb_msg_len,
- msg->sadb_msg_seq,
-#if 0
- promisc ? "from " : "to ",
-#else
- "",
-#endif
- msg->sadb_msg_pid);
- if (msg->sadb_msg_errno)
- printf("\terrno %u: %s\n", msg->sadb_msg_errno,
- strerror(msg->sadb_msg_errno));
- for (ext = (struct sadb_ext *)(msg + 1);
- (u_int8_t *)ext - (u_int8_t *)msg <
- msg->sadb_msg_len * PFKEY2_CHUNK &&
- ext->sadb_ext_len > 0;
- ext = (struct sadb_ext *)((u_int8_t *)ext +
- ext->sadb_ext_len * PFKEY2_CHUNK))
- print_ext(ext, msg);
- fflush(stdout);
-}
-
-void
-print_sa(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_sa *sa = (struct sadb_sa *) ext;
-
- if (msg->sadb_msg_satype == SADB_X_SATYPE_IPCOMP)
- printf("cpi 0x%8.8x comp %s\n",
- ntohl(sa->sadb_sa_spi),
- lookup_name(comp_types, sa->sadb_sa_encrypt));
- else
- printf("spi 0x%8.8x auth %s enc %s\n",
- ntohl(sa->sadb_sa_spi),
- lookup_name(auth_types, sa->sadb_sa_auth),
- lookup_name(enc_types, sa->sadb_sa_encrypt));
- printf("\t\tstate %s replay %u flags %u\n",
- lookup_name(states, sa->sadb_sa_state),
- sa->sadb_sa_replay, sa->sadb_sa_flags);
-}
-
-void
-print_addr(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_address *addr = (struct sadb_address *) ext;
- struct sockaddr *sa;
- struct sockaddr_in *sin;
- struct sockaddr_in6 *sin6;
- char hbuf[NI_MAXHOST];
-
- sa = (struct sockaddr *)(addr + 1);
- if (sa->sa_family == 0)
- printf("<any>");
- else if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0,
- NI_NUMERICHOST))
- printf("<could not get numeric hostname>");
- else
- printf("%s", hbuf);
- switch (sa->sa_family) {
- case AF_INET:
- sin = (struct sockaddr_in *)sa;
- if (sin->sin_port)
- printf(" port %u", ntohs(sin->sin_port));
- break;
- case AF_INET6:
- sin6 = (struct sockaddr_in6 *)sa;
- if (sin6->sin6_port)
- printf(" port %u", ntohs(sin6->sin6_port));
- break;
- }
- printf("\n");
-}
-
-void
-print_key(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_key *key = (struct sadb_key *) ext;
- u_int8_t *data;
- int i;
-
- printf("bits %u: ", key->sadb_key_bits);
- data = (u_int8_t *)(key + 1);
- for (i = 0; i < key->sadb_key_bits / 8; i++) {
- printf("%2.2x", data[i]);
- data[i] = 0x00; /* clear sensitive data */
- }
- printf("\n");
-}
-
-void
-print_life(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_lifetime *life = (struct sadb_lifetime *) ext;
-
- printf("alloc %u bytes %llu add %llu first %llu\n",
- life->sadb_lifetime_allocations,
- life->sadb_lifetime_bytes,
- life->sadb_lifetime_addtime,
- life->sadb_lifetime_usetime);
-}
-
-void
-print_proto(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_protocol *proto = (struct sadb_protocol *) ext;
-
- /* overloaded */
- if (msg->sadb_msg_type == SADB_X_GRPSPIS)
- printf("satype %s flags %u\n",
- lookup_name(sa_types, proto->sadb_protocol_proto),
- proto->sadb_protocol_flags);
- else
- printf("proto %u flags %u\n",
- proto->sadb_protocol_proto, proto->sadb_protocol_flags);
-}
-
-void
-print_flow(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_protocol *proto = (struct sadb_protocol *) ext;
- char *dir = "unknown";
-
- switch (proto->sadb_protocol_direction) {
- case IPSP_DIRECTION_IN:
- dir = "in";
- break;
- case IPSP_DIRECTION_OUT:
- dir = "out";
- break;
- }
- printf("type %s direction %s\n",
- lookup_name(flow_types, proto->sadb_protocol_proto), dir);
-}
-
-char *
-alg_by_ext(u_int8_t ext_type, u_int8_t id)
-{
- switch (ext_type) {
- case SADB_EXT_SUPPORTED_ENCRYPT:
- return lookup_name(enc_types, id);
- case SADB_EXT_SUPPORTED_AUTH:
- return lookup_name(auth_types, id);
- case SADB_X_EXT_SUPPORTED_COMP:
- return lookup_name(comp_types, id);
- default:
- return "unknown";
- }
-}
-
-void
-print_alg(struct sadb_alg *alg, u_int8_t ext_type)
-{
- printf("\t\t%s iv %u min %u max %u\n",
- alg_by_ext(ext_type, alg->sadb_alg_id), alg->sadb_alg_ivlen,
- alg->sadb_alg_minbits, alg->sadb_alg_maxbits);
-}
-
-void
-print_supp(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_supported *supported = (struct sadb_supported *) ext;
- struct sadb_alg *alg;
-
- printf("\n");
- for (alg = (struct sadb_alg *)(supported + 1);
- (u_int8_t *)alg - (u_int8_t *)ext <
- ext->sadb_ext_len * PFKEY2_CHUNK;
- alg++)
- print_alg(alg, ext->sadb_ext_type);
-}
-
-void
-print_comb(struct sadb_comb *comb, struct sadb_msg *msg)
-{
- printf("\t\tauth %s min %u max %u\n"
- "\t\tenc %s min %u max %u\n"
- "\t\taddtime hard %llu soft %llu\n"
- "\t\tusetime hard %llu soft %llu\n",
- lookup_name(auth_types, comb->sadb_comb_auth),
- comb->sadb_comb_auth_minbits,
- comb->sadb_comb_auth_maxbits,
- lookup_name(enc_types, comb->sadb_comb_encrypt),
- comb->sadb_comb_encrypt_minbits,
- comb->sadb_comb_encrypt_maxbits,
- comb->sadb_comb_soft_addtime,
- comb->sadb_comb_hard_addtime,
- comb->sadb_comb_soft_usetime,
- comb->sadb_comb_hard_usetime);
-#if 0
- comb->sadb_comb_flags,
- comb->sadb_comb_reserved,
- comb->sadb_comb_soft_allocations,
- comb->sadb_comb_hard_allocations,
- comb->sadb_comb_soft_bytes,
- comb->sadb_comb_hard_bytes,
-#endif
-}
-
-void
-print_prop(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_prop *prop = (struct sadb_prop *) ext;
- struct sadb_comb *comb;
-
- printf("replay %u\n", prop->sadb_prop_replay);
- for (comb = (struct sadb_comb *)(prop + 1);
- (u_int8_t *)comb - (u_int8_t *)ext <
- ext->sadb_ext_len * PFKEY2_CHUNK;
- comb++)
- print_comb(comb, msg);
-}
-
-void
-print_sens(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_sens *sens = (struct sadb_sens *) ext;
-
- printf("dpd %u sens_level %u integ_level %u\n",
- sens->sadb_sens_dpd,
- sens->sadb_sens_sens_level,
- sens->sadb_sens_integ_level);
-}
-
-void
-print_spir(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_spirange *spirange = (struct sadb_spirange *) ext;
-
- printf("min 0x%8.8x max 0x%8.8x\n",
- spirange->sadb_spirange_min, spirange->sadb_spirange_max);
-}
-
-void
-print_ident(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_ident *ident = (struct sadb_ident *) ext;
-
- printf("type %s id %llu: %s\n",
- lookup_name(identity_types, ident->sadb_ident_type),
- ident->sadb_ident_id, (char *)(ident + 1));
-}
-
-void
-print_policy(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_x_policy *x_policy = (struct sadb_x_policy *) ext;
-
- printf("seq %u\n", x_policy->sadb_x_policy_seq);
-}
-
-void
-print_cred(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_x_cred *x_cred = (struct sadb_x_cred *) ext;
-
- printf("type %s\n",
- lookup_name(cred_types, x_cred->sadb_x_cred_type));
-}
-
-void
-print_auth(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_x_cred *x_cred = (struct sadb_x_cred *) ext;
-
- printf("type %s\n",
- lookup_name(xauth_types, x_cred->sadb_x_cred_type));
-}
-
-void
-print_udpenc(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_x_udpencap *x_udpencap = (struct sadb_x_udpencap *) ext;
-
- printf("udpencap port %u\n", ntohs(x_udpencap->sadb_x_udpencap_port));
-}
-
-void
-msg_send(int pfkey, u_int8_t satype, u_int8_t mtype)
-{
- struct sadb_msg msg;
- static u_int32_t seq = 0;
-
- memset(&msg, 0, sizeof(msg));
- msg.sadb_msg_version = PF_KEY_V2;
- msg.sadb_msg_pid = getpid();
- msg.sadb_msg_seq = ++seq;
- msg.sadb_msg_satype = satype;
- msg.sadb_msg_type = mtype;
- msg.sadb_msg_len = sizeof(msg) / PFKEY2_CHUNK;
- if (write(pfkey, &msg, sizeof(msg)) != sizeof(msg))
- err(1, "write");
-}
-
-void
-msg_read(int pfkey)
-{
- struct sadb_msg hdr, *msg;
- u_int8_t *data;
- int promisc = 0;
- ssize_t len;
-
- if (recv(pfkey, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr))
- err(1, "peek");
- len = hdr.sadb_msg_len * PFKEY2_CHUNK;
- if ((data = malloc(len)) == NULL)
- err(1, "malloc");
- if (read(pfkey, data, len) != len)
- err(1, "read");
- msg = (struct sadb_msg *)data;
- if (hdr.sadb_msg_type == SADB_X_PROMISC) {
- /* remove extra header from promisc messages */
- if ((msg->sadb_msg_len * PFKEY2_CHUNK) > 2 * sizeof(hdr)) {
- /*printf("promisc\n");*/
- msg++;
- promisc++;
- }
- }
- print_msg(msg, promisc);
- memset(data, 0, len);
- free(data);
-}
-
-void
-do_pfkey(int monitor, u_int8_t satype)
-{
- struct timeval tv;
- fd_set *rset;
- ssize_t set_size;
- int pfkey, n;
-
- if ((pfkey = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0)
- err(1, "socket PFKEY");
- if (monitor) {
- /* satype 1 enables promisc mode */
- msg_send(pfkey, 1, SADB_X_PROMISC);
- } else
- msg_send(pfkey, satype, SADB_DUMP);
- set_size = howmany(pfkey + 1, NFDBITS) * sizeof(fd_mask);
- if ((rset = malloc(set_size)) == NULL)
- err(1, "malloc");
- tv.tv_sec = 0;
- tv.tv_usec = 10000;
- for (;;) {
- memset(rset, 0, set_size);
- FD_SET(pfkey, rset);
- if ((n = select(pfkey+1, rset, NULL, NULL,
- monitor ? NULL : &tv)) < 0)
- err(2, "select");
- if (n == 0)
- break;
- if (FD_ISSET(pfkey, rset))
- msg_read(pfkey);
- }
- close(pfkey);
-}
-
-void
-ipsecadm_monitor(void)
-{
- do_pfkey(1, 0);
-}
-
-void
-ipsecadm_show(u_int8_t satype)
-{
- struct sadb_msg *msg;
- int mib[5];
- size_t need;
- char *buf, *lim, *next;
-
- mib[0] = CTL_NET;
- mib[1] = PF_KEY;
- mib[2] = PF_KEY_V2;
- mib[3] = NET_KEY_SADB_DUMP;
- mib[4] = satype;
-
- /*
- * Dump the SADB using sysctl(3), but fall back to the pfkey
- * socket if sysctl fails.
- */
- if (sysctl(mib, 5, NULL, &need, NULL, 0) == -1) {
- do_pfkey(0, satype);
- return;
- }
- if (need == 0)
- return;
- if ((buf = malloc(need)) == NULL)
- err(1, "malloc");
- if (sysctl(mib, 5, buf, &need, NULL, 0) == -1)
- err(1, "sysctl");
- lim = buf + need;
- for (next = buf; next < lim;
- next += msg->sadb_msg_len * PFKEY2_CHUNK) {
- msg = (struct sadb_msg *)next;
- if (msg->sadb_msg_len == 0)
- break;
- print_msg(msg, 0);
- }
-}
diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8
index a6aabcfee38..c9508bae438 100644
--- a/sbin/isakmpd/isakmpd.8
+++ b/sbin/isakmpd/isakmpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.8,v 1.83 2005/09/23 14:45:25 hshoexer Exp $
+.\" $OpenBSD: isakmpd.8,v 1.84 2006/05/26 04:02:59 deraadt Exp $
.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.
@@ -112,7 +112,7 @@ If given,
.Nm
does not set up flows automatically.
This is useful when flows are configured with
-.Xr ipsecadm 8
+.Xr ipsecctl 8
or by other programs like
.Xr bgpd 8 .
Thus
@@ -217,7 +217,7 @@ does not read the policy configuration file and no
policy check is accomplished.
This option can be used when policies for flows and SA establishment are
arranged by other programs like
-.Xr ipsecadm 8
+.Xr ipsecctl 8
or
.Xr bgpd 8 .
.It Fl L
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index bca9f273a2f..c098e642644 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.108 2005/10/06 18:29:18 hshoexer Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.109 2006/05/26 04:02:59 deraadt Exp $
.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -192,7 +192,7 @@ If this tag is defined,
.Xr isakmpd 8
will not set up flows automatically.
This is useful when flows are configured with
-.Xr ipsecadm 8
+.Xr ipsectl 8
or by other programs like
.Xr bgpd 8 .
Thus
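Review bot: The added cross-reference `.Xr ipsectl 8` in this hunk misspells the utility name. Every other replacement in the commit, including the second hunk of this same file, uses `ipsecctl`. As written, the rendered page sends a reader who wants to configure flows by hand to a manual that does not exist. The line should read `.Xr ipsecctl 8`.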
@@ -292,7 +292,7 @@ which enables the policy checking.
When set to any other value, policies will not be checked.
This is useful when policies for flows and SA establishment are arranged by
other programs like
-.Xr ipsecadm 8
+.Xr ipsecctl 8
or
.Xr bgpd 8 .
.El
diff --git a/share/Makefile b/share/Makefile
index 29f415a0cb0..8774a9e094e 100644
--- a/share/Makefile
+++ b/share/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.12 2005/08/08 05:53:01 espie Exp $
+# $OpenBSD: Makefile,v 1.13 2006/05/26 04:02:58 deraadt Exp $
-SUBDIR= dict doc ipsec lkm locale man misc mk tabset termtypes \
+SUBDIR= dict doc lkm locale man misc mk tabset termtypes \
tmac zoneinfo pf
.include <bsd.subdir.mk>
diff --git a/share/ipsec/Makefile b/share/ipsec/Makefile
deleted file mode 100644
index 782c0b45ea1..00000000000
--- a/share/ipsec/Makefile
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# $OpenBSD: Makefile,v 1.4 2002/09/06 22:06:29 deraadt Exp $
-#
-FILES= rc.vpn
-NOOBJ= noobj
-
-all clean cleandir depend lint tags:
-
-install:
- install -c -m 0444 ${FILES} ${DESTDIR}${BINDIR}/ipsec
-
-.include <bsd.prog.mk>
diff --git a/share/ipsec/rc.vpn b/share/ipsec/rc.vpn
deleted file mode 100644
index cec9fb979b6..00000000000
--- a/share/ipsec/rc.vpn
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/bin/sh
-# $OpenBSD: rc.vpn,v 1.21 2004/02/25 08:42:38 jmc Exp $
-#
-# Richard Reiner, Ph.D., FSC Internet Corp.
-# rreiner@fscinternet.com
-# v0.81 / 26Jul98
-#
-# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
-# and Markus Friedl <markus@openbsd.org>
-#
-# rc.vpn -- configure IPsec in tunnel mode for a mesh of N local and
-# M remote networks. (N x M mesh)
-#
-# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
-# 'sysctl net.inet.ip.forwarding=1' (IP packet routing)
-# 'sysctl net.inet.esp.enable=1' (IPsec ESP protocol)
-
-# XXX The configuration parameters should be moved to another file.
-
-# Uncomment to debug (and not execute) commands
-DEBUG=echo
-
-# Gateway addresses
-GW_LOCAL=192.168.254.254
-GW_REMOTE=192.168.1.2
-
-# Local and remote networks
-LOCAL_NETWORKS="192.168.254.0/24 192.168.253.0/24"
-REMOTE_NETWORKS="192.168.1.0/24 192.168.2.0/24"
-
-# Optional, use for manual keying only
-# Crypto options and keys, note that key/iv lengths need to correspond
-# to the selected encryption and authentication algorithms.
-ENC=3des
-AUTH=sha1
-SPI_OUT=1000
-SPI_IN=1001
-KEYFILE=/etc/esp-enc-key
-AUTHKEYFILE=/etc/esp-auth-key
-
-#############################################################################
-############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
-#############################################################################
-
-ipsecadm=/sbin/ipsecadm
-
-#
-# Sanity, be verbose about errors.
-# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
-#
-
-abort=0
-if [ `/usr/sbin/sysctl -n net.inet.esp.enable` == 0 ]; then
- echo "$0: variable 'net.inet.esp.enable=0' (IPsec ESP protocol)"
- abort=1
-fi
-if [ `/usr/sbin/sysctl -n net.inet.ip.forwarding` == 0 ]; then
- echo "$0: variable 'net.inet.ip.forwarding=0' (IP forwarding/routing)"
- abort=1
-fi
-if [ ${abort} = 1 ]; then
- echo "$0: must be enabled in /etc/sysctl.conf. Aborting VPN setup."
- [ ! -n "${DEBUG}" ] && exit 0
-fi
-
-$DEBUG $ipsecadm flush
-
-#
-# Setup the manual SAs
-#
-
-if [ "$ENC" ]; then
- $DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_REMOTE \
- -forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \
- -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE
-
- $DEBUG $ipsecadm new esp -src $GW_REMOTE -dst $GW_LOCAL \
- -forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \
- -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE
-fi
-
-#
-# Setup the Flows, aka SPD
-#
-
-# add the gateways
-LOCAL_NETWORKS="${GW_LOCAL}/32 ${LOCAL_NETWORKS}"
-REMOTE_NETWORKS="${GW_REMOTE}/32 ${REMOTE_NETWORKS}"
-# but allow ESP in the clear
-BYPASS="$DEBUG ${ipsecadm} flow -transport esp -src ${GW_LOCAL} -dst ${GW_REMOTE} -bypass"
-$BYPASS -out -addr ${GW_LOCAL}/32 ${GW_REMOTE}/32
-$BYPASS -in -addr ${GW_REMOTE}/32 ${GW_LOCAL}/32
-
-FLOW="$DEBUG ${ipsecadm} flow -proto esp -src ${GW_LOCAL} -dst ${GW_REMOTE} -require"
-
-# each local net to each remote net
-for local_net in ${LOCAL_NETWORKS}; do
- for remote_net in ${REMOTE_NETWORKS}; do
- $FLOW -out -addr $local_net $remote_net
- $FLOW -in -addr $remote_net $local_net
- done
-done
-
-exit 0
diff --git a/share/man/man4/bridge.4 b/share/man/man4/bridge.4
index a4e2afcd39f..6cd93d2f77f 100644
--- a/share/man/man4/bridge.4
+++ b/share/man/man4/bridge.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bridge.4,v 1.59 2006/05/09 19:03:04 jmc Exp $
+.\" $OpenBSD: bridge.4,v 1.60 2006/05/26 04:02:59 deraadt Exp $
.\"
.\" Copyright (c) 1999-2001 Jason L. Wright (jason@thought.net)
.\" All rights reserved.
@@ -596,7 +596,7 @@ interface, the bridge will also perform transparent
.Xr ipsec 4
processing on the packets (encrypt or decrypt them), according to the
policies set with the
-.Xr ipsecadm 8
+.Xr ipsecctl 8
command by the administrator.
If appropriate security associations (SAs) do not exist, any key
management daemons such as
@@ -619,7 +619,7 @@ and certificates, to impersonate the protected host(s)).
.Xr pf 4 ,
.Xr bridgename.if 5 ,
.Xr brconfig 8 ,
-.Xr ipsecadm 8 ,
+.Xr ipsecctl 8 ,
.Xr isakmpd 8 ,
.Xr netstart 8
.Sh HISTORY
diff --git a/share/man/man4/enc.4 b/share/man/man4/enc.4
index cfbd8b2d9e7..b1b43f734ac 100644
--- a/share/man/man4/enc.4
+++ b/share/man/man4/enc.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: enc.4,v 1.20 2005/04/17 12:31:38 jmc Exp $
+.\" $OpenBSD: enc.4,v 1.21 2006/05/26 04:02:59 deraadt Exp $
.\"
.\" Copyright (c) 1999 Angelos D. Keromytis
.\" All rights reserved.
@@ -45,9 +45,6 @@ firewalls to filter
.Xr ipsec 4
traffic using
.Xr pf 4 .
-The
-.Xr vpn 8
-manpage shows an example of such a setup.
.Pp
The
.Nm
@@ -79,5 +76,5 @@ or all incoming packets after they have been similarly processed:
.Xr ipsec 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
-.Xr tcpdump 8 ,
-.Xr vpn 8
+.Xr tcpdump 8
+
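Review bot: The new side of this hunk ends the SEE ALSO list with an added empty line after `.Xr tcpdump 8`. Blank lines in mdoc source are normally flagged by the formatter's lint checks and render as stray vertical space. The hunk should end at `.Xr tcpdump 8` with no empty line after it.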
diff --git a/share/man/man4/ipcomp.4 b/share/man/man4/ipcomp.4
index 1f53cf6673f..dd24bfbba52 100644
--- a/share/man/man4/ipcomp.4
+++ b/share/man/man4/ipcomp.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipcomp.4,v 1.12 2005/04/08 18:44:03 jmc Exp $
+.\" $OpenBSD: ipcomp.4,v 1.13 2006/05/26 04:02:59 deraadt Exp $
.\"
.\" Copyright (c) 2001 Jean-Jacques Bernard-Gundol <jj@wabbitt.org>
.\" All rights reserved.
@@ -68,10 +68,10 @@ Compression Parameter Index (CPI).
An IPCA is the pendant of the SA (Security Association) for IPsec.
.Pp
Currently, IPCA can be created using the
-.Xr ipsecadm 8
+.Xr ipsecctl 8
tool.
Using
-.Xr ipsecadm 8
+.Xr ipsecctl 8
it is also possible to create IPComp flows and SA/IPCA
bundles.
Such a bundle is used to create a combination of IPsec and IPComp
@@ -115,7 +115,7 @@ displays information about IPComp flows.
.Xr ip 4 ,
.Xr ipsec 4 ,
.Xr netintro 4 ,
-.Xr ipsecadm 8 ,
+.Xr ipsecctl 8 ,
.Xr sysctl 8
.Sh HISTORY
The
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4
index cf30daf363d..7b8ba5eb670 100644
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.4,v 1.69 2005/12/12 11:56:47 jmc Exp $
+.\" $OpenBSD: ipsec.4,v 1.70 2006/05/26 04:02:59 deraadt Exp $
.\"
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
@@ -89,7 +89,7 @@ by replaying it verbatim cause the peer to think a new message
(withdrawal request) had been received.
WARNING: as per the standard's specification, replay protection is not
performed when using manual-keyed IPsec (e.g. when using
-.Xr ipsecadm 8 ) .
+.Xr ipsecctl 8 ) .
.El
.Ss IPsec Protocols
IPsec provides these services using two new protocols:
@@ -155,9 +155,7 @@ using the information in the other end's SA.
The only issue remaining is to ensure that both ends have matching SAs.
This may be done manually, or automatically using a key management daemon.
.Pp
-Further information on manual SA establishment is described in both
-.Xr ipsecadm 8
-and
+Further information on manual SA establishment is described in
.Xr ipsecctl 8 .
Information on automated key management may be found in
.Xr isakmpd 8 .
@@ -191,8 +189,6 @@ An SA will contain information specifying
whether it is a tunnel or transport mode SA,
and for tunnels it will contain values to fill in into the outer IP header.
.Pp
-Further information on setting up VPNs is described in
-.Xr vpn 8 .
.Ss Lifetimes
The SA also holds a couple of other parameters, especially useful for
automatic keying, called lifetimes, which puts a limit on how much we can
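Review bot: Removing the two `vpn 8` lines leaves the preceding `.Pp` with no paragraph after it, so on the new side it sits directly above `.Ss Lifetimes`. A paragraph break immediately before a subsection header is redundant and is normally reported by mdoc lint. The `.Pp` context line should be deleted together with the sentence it introduced.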
@@ -258,11 +254,9 @@ it is processed by the PF/NAT code.
Unless PF drops the packet, it will then be IPsec-processed, even if the
packet has been modified by NAT.
.Pp
-Security Associations can be set up manually with the
-.Xr ipsecadm 8
-and
+Security Associations can be set up manually with
.Xr ipsecctl 8
-utilities, or automatically with the
+or automatically with the
.Xr isakmpd 8
key management daemon.
.Ss Additional Variables
@@ -391,11 +385,9 @@ flag (look for ``tdb'' and ``xform'' allocations).
.Xr options 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
-.Xr ipsecadm 8 ,
.Xr ipsecctl 8 ,
.Xr isakmpd 8 ,
-.Xr sysctl 8 ,
-.Xr vpn 8
+.Xr sysctl 8
.Sh HISTORY
The IPsec protocol design process was started in 1992 by
John Ioannidis, Phil Karn, and William Allen Simpson.
diff --git a/share/man/man4/tcp.4 b/share/man/man4/tcp.4
index f25973bf097..dda2d606aa7 100644
--- a/share/man/man4/tcp.4
+++ b/share/man/man4/tcp.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tcp.4,v 1.17 2005/07/10 08:30:51 hshoexer Exp $
+.\" $OpenBSD: tcp.4,v 1.18 2006/05/26 04:02:59 deraadt Exp $
.\" $NetBSD: tcp.4,v 1.3 1994/11/30 16:22:35 jtc Exp $
.\"
.\" Copyright (c) 1983, 1991, 1993
@@ -141,8 +141,6 @@ Use TCP MD5 signatures per RFC 2385.
This requires
.Em Security Associations
to be set up, which can be done using
-.Xr ipsecadm 8
-or
.Xr ipsecctl 8 .
When a listening socket has
.Em TCP_MD5SIG
@@ -210,7 +208,6 @@ exists.
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr netintro 4 ,
-.Xr ipsecadm 8 ,
.Xr ipsecctl 8
.Sh HISTORY
The
diff --git a/share/man/man5/hostname.if.5 b/share/man/man5/hostname.if.5
index 96c4eaa8cb4..461770ebc94 100644
--- a/share/man/man5/hostname.if.5
+++ b/share/man/man5/hostname.if.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: hostname.if.5,v 1.44 2006/05/23 13:38:49 jmc Exp $
+.\" $OpenBSD: hostname.if.5,v 1.45 2006/05/26 04:02:59 deraadt Exp $
.\" $NetBSD: hosts.5,v 1.4 1994/11/30 19:31:20 jtc Exp $
.\"
.\" Copyright (c) 1983, 1991, 1993
@@ -310,7 +310,7 @@ add fxp0
add ep1
-learn fxp0
#
-!ipsecadm flush
+!ipsecctl -F
#
static fxp0 8:0:20:1e:2f:2b
up # and finally enable it
diff --git a/share/man/man8/Makefile b/share/man/man8/Makefile
index 4fec628e94e..7177802b5d4 100644
--- a/share/man/man8/Makefile
+++ b/share/man/man8/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.58 2006/05/09 21:25:30 deraadt Exp $
+# $OpenBSD: Makefile,v 1.59 2006/05/26 04:02:59 deraadt Exp $
# $NetBSD: Makefile,v 1.13 1996/03/28 21:36:40 mark Exp $
# @(#)Makefile 8.1 (Berkeley) 6/5/93
@@ -8,7 +8,7 @@ MAN= afterboot.8 boot_config.8 compat_aout.8 compat_bsdos.8 \
compat_svr4.8 compat_ultrix.8 crash.8 daily.8 dhcp.8 \
diskless.8 genassym.sh.8 intro.8 netstart.8 rc.8 \
rc.conf.8 rc.shutdown.8 release.8 security.8 ssl.8 \
- starttls.8 sticky.8 update.8 vpn.8 yp.8
+ starttls.8 sticky.8 update.8 yp.8
MLINKS+=boot_config.8 UKC.8
MLINKS+=daily.8 weekly.8 daily.8 monthly.8
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
deleted file mode 100644
index 3ba0852d0e1..00000000000
--- a/share/man/man8/vpn.8
+++ /dev/null
@@ -1,734 +0,0 @@
-.\" $OpenBSD: vpn.8,v 1.109 2006/05/02 21:14:43 jmc Exp $
-.\"
-.\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\" must display the following acknowledgement:
-.\" This product includes software developed by Niels Provos.
-.\" 4. The name of the author may not be used to endorse or promote products
-.\" derived from this software without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" Manual page, using -mandoc macros
-.\"
-.Dd February 9, 1999
-.Dt VPN 8
-.Os
-.Sh NAME
-.Nm vpn
-.Nd configuring the system for virtual private networks
-.Sh DESCRIPTION
-A Virtual Private Network (VPN)
-is used to securely connect two or more subnets over the internet.
-For each subnet there is a security gateway which is
-linked via a cryptographically secured tunnel to the security gateway of
-the other subnet.
-.Xr ipsec 4
-is used to provide the necessary network-layer cryptographic services.
-This document describes the configuration process for setting up a VPN.
-.Pp
-Briefly, creating a VPN consists of the following steps:
-.Pp
-.Bl -enum -compact
-.It
-Enable packet forwarding.
-.It
-Choose a key exchange method: manual or automated.
-.It
-For manual keying, generate the keys.
-.It
-For manual keying, create the Security Associations (SA).
-.It
-For manual keying, create the appropriate IPsec flows.
-.It
-For automated keying, configure the keying daemon.
-.It
-Configure firewall rules appropriately.
-.It
-Enable the packet filter.
-.It
-For automated keying, start the keying daemon.
-.It
-Test the setup.
-.El
-.Ss About this page
-It is recommended that a test setup be created before attempting to
-deploy a VPN on the internet.
-The examples in this page can be done using two machines
-directly connected to each other,
-and a little imagination.
-The IP address of each machine represents a gateway address;
-the alias (see below) is simply a hook into a fictitious network.
-.Pp
-The following steps are only necessary
-if the VPN is being set up as a test VPN,
-on an internal LAN.
-.Pp
-The VPN can be represented using two machines (A and B).
-An alias should be added to each machine,
-to give it the appearance of being in another network.
-.Pp
-On machine A:
-.Bd -literal -offset indent
-# ifconfig ne0 192.168.1.13 description "Machine A"
-# ifconfig ne0 alias 10.0.50.1
-.Ed
-.Pp
-On machine B:
-.Bd -literal -offset indent
-# ifconfig bge0 192.168.1.15 description "Machine B"
-# ifconfig bge0 alias 10.0.99.1
-.Ed
-.Pp
-For all other (non-test) cases,
-.Xr ifconfig 8
-should be used to configure machines as normal.
-.Pp
-Additionally, the GATEWAY_* and NETWORK_* variables used in the
-following sections are defined below in
-.Sx Configuring Firewall Rules .
-Please see that section for the correct values for these variables.
-.Ss Enabling Packet Forwarding
-For security gateways, proper operation often requires packet
-forwarding to be enabled using
-.Xr sysctl 8 :
-.Bd -literal -offset indent
-# sysctl net.inet.ip.forwarding=1
-# sysctl net.inet6.ip6.forwarding=1
-.Ed
-.Pp
-Packet forwarding defaults to
-.Sq off .
-.Pp
-Additionally, if
-.Va net.inet.ip.forwarding
-is set to 2,
-IP forwarding is restricted to IPsec traffic only.
-These and other IPsec related options are documented in
-.Xr sysctl 3 .
-.Pp
-For more permanent operation,
-the appropriate option(s) can be enabled in
-.Xr sysctl.conf 5 .
-.Ss Choosing a Key Exchange Method
-There are currently two key exchange methods available:
-.Pp
-.Bl -bullet -compact
-.It
-manual keying:
-.Xr ipsecadm 8
-or
-.Xr ipsecctl 8
-.It
-automated keying:
-.Xr isakmpd 8
-.El
-.Ss Generating Manual Keys [manual keying]
-The shared secret symmetric keys used to create a VPN can
-be any hexadecimal value, so long as both sides of the connection use
-the same values.
-Since the security of the VPN is based on these keys
-being unguessable, it is very important that the keys be chosen using a
-strong random source.
-One practical method of generating them is by using the
-.Xr random 4
-device.
-To produce 160 bits (20 bytes) of randomness, for example, do:
-.Bd -literal -offset indent
-$ openssl rand 20 | hexdump -e '20/1 "%02x"'
-.Ed
-or:
-.Bd -literal -offset indent -compact
-$ openssl rand 20 | perl -pe 's/./unpack("H2",$&)/ges'
-.Ed
-.Pp
-Different cipher types may require different sized keys.
-.Pp
-.Bl -column "CipherXX" "Key Length" -offset indent -compact
-.It Em Cipher Key Length
-.It Li DES Ta "56 bits"
-.It Li 3DES Ta "168 bits"
-.It Li AES Ta "Variable (128 bits recommended)"
-.It Li BLF Ta "Variable (160 bits recommended)"
-.It Li CAST Ta "Variable (128 bits maximum and recommended)"
-.It Li SKIPJACK Ta "80 bits"
-.El
-.Pp
-Use of DES or SKIPJACK as an encryption algorithm is not recommended
-(except for backwards compatibility) due to their short key length.
-Furthermore, recent attacks on SKIPJACK have shown severe weaknesses
-in its structure.
-.Pp
-Note that DES requires 8 bytes to form a 56-bit key and 3DES requires 24 bytes
-to form its 168-bit key.
-This is because the most significant bit of each byte is ignored by both
-algorithms.
-.Pp
-The following would create suitable keys for a 3DES encryption key
-and SHA-1 authentication key:
-.Bd -literal -offset indent
-$ openssl rand 24 | hexdump -e '24/1 "%02x"' \*(Gt enc_key
-$ openssl rand 20 | hexdump -e '20/1 "%02x"' \*(Gt auth_key
-.Ed
-.Pp
-The 3DES encryption key needs 192 bits (3x64), or 24 bytes.
-The SHA-1 authentication key needs 160 bits, or 20 bytes.
-.Ss Creating Security Associations [manual keying]
-Before the IPsec flows can be defined, two Security Associations (SAs)
-must be defined on each end of the VPN e.g.:
-.Bd -literal -offset indent
-# ipsecadm new esp -src $GATEWAY_A -dst $GATEWAY_B \e
- -spi $SPI_AB -forcetunnel -enc 3des -auth sha1 \e
- -keyfile $ENCRYPTION_KEY_FILE \e
- -authkeyfile $AUTHENTICATION_KEY_FILE
-
-# ipsecadm new esp -src $GATEWAY_B -dst $GATEWAY_A \e
- -spi $SPI_BA -forcetunnel -enc 3des -auth sha1 \e
- -keyfile $ENCRYPTION_KEY_FILE \e
- -authkeyfile $AUTHENTICATION_KEY_FILE
-.Ed
-.Pp
-Note that the
-.Fl key
-and
-.Fl authkey
-options may be used to specify the keys directly in the
-.Xr ipsecadm 8
-command line.
-However, another user could view the keys by using the
-.Xr ps 1
-command at the appropriate time (or use a program for doing so).
-.Pp
-Instead of
-.Xr ipsecadm 8 ,
-the
-.Xr ipsecctl 8
-utility can be used to define SAs.
-It uses a rule based syntax similar to
-.Xr pf.conf 5 .
-On gateway A add these lines to the file
-.Xr ipsec.conf 5 :
-.Bd -literal -offset indent
-esp from 192.168.1.13 to 192.168.1.15 spi 0xdeadbeef:0xbeefdead \e
- authkey file "/path/to/gateA.auth:/path/to/gateB.auth" \e
- enckey file "/path/to/gateA.enc:/path/to/gateB.enc"
-.Ed
-.Pp
-Similarly on gateway B add these lines to
-.Xr ipsec.conf 5 :
-.Bd -literal -offset indent
-esp from 192.168.1.15 to 192.168.1.13 spi 0xbeefdead:0xdeadbeef \e
- authkey file "/path/to/gateB.auth:/path/to/gateA.auth" \e
- enckey file "/path/to/gateB.enc:/path/to/gateA.enc"
-.Ed
-.Pp
-Note that when no authentication and encryption algorithms are defined,
-.Xr ipsecctl 8
-will automatically use HMAC-SHA2-256 for authentication and AES-128 in
-countermode for encryption.
-Therefore the authentication key needs to be 256 bits long; the encryption key
-160 bits.
-For details see
-.Xr ipsec.conf 5 .
-.Ss Creating IPsec Flows [manual keying]
-Both IPsec gateways need to configure
-.Xr ipsec 4
-routes (flows) with the
-.Xr ipsecadm 8
-tool.
-Two flows are created on each machine:
-the first is for outbound flows,
-the second is the ingress filter for the incoming security association.
-.Pp
-On the security gateway of subnet A:
-.Bd -literal -offset indent
-# ipsecadm flow -out -require -proto esp \e
- -src $GATEWAY_A -dst $GATEWAY_B \e
- -addr $NETWORK_A $NETWORK_B
-# ipsecadm flow -in -require -proto esp \e
- -src $GATEWAY_A -dst $GATEWAY_B \e
- -addr $NETWORK_B $NETWORK_A
-.Ed
-.Pp
-On the security gateway of subnet B:
-.Bd -literal -offset indent
-# ipsecadm flow -out -require -proto esp \e
- -src $GATEWAY_B -dst $GATEWAY_A \e
- -addr $NETWORK_B $NETWORK_A
-# ipsecadm flow -in -require -proto esp \e
- -src $GATEWAY_B -dst $GATEWAY_A \e
- -addr $NETWORK_A $NETWORK_B
-.Ed
-.Pp
-Again it is possible to use
-.Xr ipsecctl 8
-to define flows.
-On gateway A add this line to
-.Xr ipsec.conf 5 :
-.Bd -literal -offset indent
-flow esp from 10.0.50.0/24 to 10.0.99.0/24 peer 192.168.1.15
-.Ed
-.Pp
-And on gateway B this line:
-.Bd -literal -offset indent
-flow from 10.0.99.0/24 to 10.0.50.0/24 peer 192.168.1.13
-.Ed
-.Pp
-Note that
-.Xr ipsecctl 8
-will automatically use ESP in tunnel mode.
-For details see
-.Xr ipsec.conf 5 .
-.Pp
-To activate the SAs and flows, run this command on both gateways:
-.Bd -literal -offset indent
-# ipsecctl -f /etc/ipsec.conf
-.Ed
-.Ss Configuring the Keying Daemon [automated keying]
-Unless manual keying is used, both security gateways need to use the
-.Xr isakmpd 8
-key management daemon.
-.Xr isakmpd 8
-implements security policy using the
-.Em KeyNote
-trust management system.
-.Pp
-To create a VPN between the same two C class networks as the example
-above, using
-.Xr isakmpd 8 :
-.Bl -enum
-.It
-Create
-.Pa /etc/isakmpd/isakmpd.conf
-for machine A:
-.Bd -literal -offset indent
-# Filter incoming phase 1 negotiations so they are only
-# valid if negotiating with this local address.
-
-[General]
-Listen-On= 192.168.1.13
-
-# Incoming phase 1 negotiations are multiplexed on the
-# source IP address. Phase 1 is used to set up a protected
-# channel just between the two gateway machines.
-# This channel is then used for the phase 2 negotiation
-# traffic (i.e. encrypted & authenticated).
-
-[Phase 1]
-192.168.1.15= peer-machineB
-
-# 'Phase 2' defines which connections the daemon
-# should establish. These connections contain the actual
-# "IPsec VPN" information.
-
-[Phase 2]
-Connections= VPN-A-B
-
-# ISAKMP phase 1 peers (from [Phase 1])
-
-[peer-machineB]
-Phase= 1
-Address= 192.168.1.15
-Configuration= Default-main-mode
-Authentication= yoursharedsecret
-
-# IPSEC phase 2 connections (from [Phase 2])
-
-[VPN-A-B]
-Phase= 2
-ISAKMP-peer= peer-machineB
-Configuration= Default-quick-mode
-Local-ID= machineA-internal-network
-Remote-ID= machineB-internal-network
-
-# ID sections (as used in [VPN-A-B])
-
-[machineA-internal-network]
-ID-type= IPV4_ADDR_SUBNET
-Network= 10.0.50.0
-Netmask= 255.255.255.0
-
-[machineB-internal-network]
-ID-type= IPV4_ADDR_SUBNET
-Network= 10.0.99.0
-Netmask= 255.255.255.0
-
-# Main and Quick Mode descriptions
-# (as used by peers and connections).
-
-[Default-main-mode]
-EXCHANGE_TYPE= ID_PROT
-Transforms= 3DES-SHA,BLF-SHA
-
-[Default-quick-mode]
-EXCHANGE_TYPE= QUICK_MODE
-Suites= QM-ESP-3DES-SHA-SUITE
-.Ed
-.Pp
-.It
-Create
-.Pa /etc/isakmpd/isakmpd.conf
-for machine B:
-.Bd -literal -offset indent
-# Filter incoming phase 1 negotiations so they are only
-# valid if negotiating with this local address.
-
-[General]
-Listen-On= 192.168.1.15
-
-# Incoming phase 1 negotiations are multiplexed on the
-# source IP address. Phase 1 is used to set up a protected
-# channel just between the two gateway machines.
-# This channel is then used for the phase 2 negotiation
-# traffic (i.e. encrypted & authenticated).
-
-[Phase 1]
-192.168.1.13= peer-machineA
-
-# 'Phase 2' defines which connections the daemon
-# should establish. These connections contain the actual
-# "IPsec VPN" information.
-
-[Phase 2]
-Connections= VPN-B-A
-
-# ISAKMP phase 1 peers (from [Phase 1])
-
-[peer-machineA]
-Phase= 1
-Address= 192.168.1.13
-Configuration= Default-main-mode
-Authentication= yoursharedsecret
-
-# IPSEC phase 2 connections (from [Phase 2])
-
-[VPN-B-A]
-Phase= 2
-ISAKMP-peer= peer-machineA
-Configuration= Default-quick-mode
-Local-ID= machineB-internal-network
-Remote-ID= machineA-internal-network
-
-# ID sections (as used in [VPN-A-B])
-
-[machineA-internal-network]
-ID-type= IPV4_ADDR_SUBNET
-Network= 10.0.50.0
-Netmask= 255.255.255.0
-
-[machineB-internal-network]
-ID-type= IPV4_ADDR_SUBNET
-Network= 10.0.99.0
-Netmask= 255.255.255.0
-
-# Main and Quick Mode descriptions
-# (as used by peers and connections).
-
-[Default-main-mode]
-EXCHANGE_TYPE= ID_PROT
-Transforms= 3DES-SHA,BLF-SHA
-
-[Default-quick-mode]
-EXCHANGE_TYPE= QUICK_MODE
-Suites= QM-ESP-3DES-SHA-SUITE
-.Ed
-.It
-Read through the configuration one more time.
-The only real differences between the two files in this example are
-the IP addresses, and ordering of Local-ID and Remote-ID for the VPN
-itself.
-Note that the shared secret (the
-.Em Authentication
-tag) must match between machineA and machineB.
-.Pp
-Due to the sensitive information contained in the configuration file,
-it must be owned by root and installed without any permissions for
-"group" or "other".
-.Pp
-.Dl # chown root:wheel /etc/isakmpd/isakmpd.conf
-.Dl # chmod 0600 /etc/isakmpd/isakmpd.conf
-.It
-Create a simple
-.Pa /etc/isakmpd/isakmpd.policy
-file for both machine A and machine B (identical):
-.Bd -literal -offset indent
-Keynote-version: 2
-Authorizer: "POLICY"
-Conditions: app_domain == "IPsec policy" &&
- esp_present == "yes" &&
- esp_enc_alg != "null" -\*(Gt "true";
-.Ed
-.Pp
-Due to the sensitive information contained in the policy file,
-it must be owned by root and installed without any permissions for
-"group" or "other".
-.Pp
-.Dl # chown root:wheel /etc/isakmpd/isakmpd.policy
-.Dl # chmod 0600 /etc/isakmpd/isakmpd.policy
-.El
-.Ss Configuring Firewall Rules
-.Xr pf 4
-needs to be configured such that all packets from the outside are blocked
-by default.
-Only successfully IPsec-processed packets (those on the
-.Xr enc 4
-interface) or key management packets
-(for automated keying,
-UDP packets with source and destination ports of 500)
-should be allowed to pass.
-.Pp
-Additional filter rules may be present for other traffic,
-though care should be taken that other rules do not leak IPsec traffic.
-NAT rules can also be used on the
-.Xr enc 4
-interface.
-.Pp
-.Sy Note :
-The examples in this page describe a test setup on an internal LAN,
-using private (non-routable) IP addresses.
-In a typical setup,
-at least GATEWAY_A and GATEWAY_B would be configured using
-public (routable) IP addresses.
-NETWORK_A and NETWORK_B may or may not use public IP addresses,
-depending on the network.
-.Pp
-The
-.Xr pf.conf 5
-rules for a tunnel which uses encryption (the ESP IPsec protocol) and
-.Xr isakmpd 8
-on security gateway A might look like this:
-.Bd -literal -offset indent
-GATEWAY_A = "192.168.1.13"
-GATEWAY_B = "192.168.1.15"
-NETWORK_A = "10.0.50.0/24"
-NETWORK_B = "10.0.99.0/24"
-
-ext_if="ne0"
-
-# default deny
-# $ext_if is the only interface going to the outside.
-block log on { enc0, $ext_if } all
-
-# Pass encrypted traffic to/from security gateways
-pass in proto esp from $GATEWAY_B to $GATEWAY_A
-pass out proto esp from $GATEWAY_A to $GATEWAY_B
-
-# Need to allow ipencap traffic on enc0.
-pass in on enc0 proto ipencap from $GATEWAY_B to $GATEWAY_A
-
-# Pass traffic to/from the designated subnets.
-pass in on enc0 from $NETWORK_B to $NETWORK_A
-pass out on enc0 from $NETWORK_A to $NETWORK_B
-
-# Pass isakmpd(8) traffic to/from the security gateways
-pass in on $ext_if proto udp from $GATEWAY_B port = 500 \e
- to $GATEWAY_A port = 500
-pass out on $ext_if proto udp from $GATEWAY_A port = 500 \e
- to $GATEWAY_B port = 500
-.Ed
-.Pp
-The
-.Xr pf.conf 5
-rules on security gateway B might look like this:
-.Bd -literal -offset indent
-GATEWAY_A = "192.168.1.13"
-GATEWAY_B = "192.168.1.15"
-NETWORK_A = "10.0.50.0/24"
-NETWORK_B = "10.0.99.0/24"
-
-ext_if="bge0"
-
-# default deny
-# $ext_if is the only interface going to the outside.
-block log on { enc0, $ext_if } all
-
-# Passing in encrypted traffic from security gateways
-pass in proto esp from $GATEWAY_A to $GATEWAY_B
-pass out proto esp from $GATEWAY_B to $GATEWAY_A
-
-# Need to allow ipencap traffic on enc0.
-pass in on enc0 proto ipencap from $GATEWAY_A to $GATEWAY_B
-
-# Passing in traffic from the designated subnets.
-pass in on enc0 from $NETWORK_A to $NETWORK_B
-pass out on enc0 from $NETWORK_B to $NETWORK_A
-
-# Passing in isakmpd(8) traffic from the security gateways
-pass in on $ext_if proto udp from $GATEWAY_A port = 500 \e
- to $GATEWAY_B port = 500
-pass out on $ext_if proto udp from $GATEWAY_B port = 500 \e
- to $GATEWAY_A port = 500
-.Ed
-.Ss Enabling the Packet Filter
-Enable the packet filter and load the ruleset:
-.Bd -literal -offset indent
-# pfctl -e
-# pfctl -f /etc/pf.conf
-.Ed
-.Ss Starting the Keying Daemon [automated keying]
-Start
-.Xr isakmpd 8
-.Pp
-On both machines, run:
-.Pp
-.Dl # /sbin/isakmpd
-.Pp
-To run with verbose debugging enabled, instead start with:
-.Pp
-.Dl # /sbin/isakmpd -d -DA=99
-.Ss Testing the Setup
-It is important to check the setup is working correctly.
-Remember that the following examples illustrate a test setup only,
-and therefore tests carried out on GATEWAY_A and NETWORK_A will be
-carried out on the same machine (Machine A).
-If this were a real setup, GATEWAY_A and a machine on NETWORK_A would be
-different machines.
-.Pp
-Using the test setup,
-first check the routing table shows the routes between the two gateways.
-.Pp
-On GATEWAY_A:
-.Bd -literal -offset 1n
-$ netstat -rn -f encap
-Routing tables
-
-Encap:
-Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
-10.0.99/24 0 10.0.50/24 0 0 192.168.1.15/50/use/in
-10.0.50/24 0 10.0.99/24 0 0 192.168.1.15/50/require/out
-.Ed
-.Pp
-This shows that anything with source address 10.0.99.0/24 (NETWORK_B)
-is routed to destination 10.0.50.0/24 (NETWORK_A),
-and vice versa.
-The opposite would be true if
-.Xr netstat 1
-were run on GATEWAY_B.
-.Pp
-Note that the routing table above is given for an automated keying session.
-SA information for a manual keying session would differ slightly: the
-.Dq Type
-field would be
-.Dq require
-for both directions.
-.Pp
-Next check that you can
-.Xr ping 8
-the networks:
-.Pp
-On NETWORK_A:
-.Pp
-.Dl $ ping -I 10.0.50.1 10.0.99.1
-.Pp
-Note the
-.Fl I
-option passed to
-.Xr ping 8 :
-this is necessary to specify a source address
-from the network.
-Check that the
-.Xr ping 8
-works from both NETWORK_A and NETWORK_B, changing the arguments as necessary.
-.Pp
-Check that the traffic between the two networks really is
-ESP encapsulated.
-On GATEWAY_A:
-.Pp
-.Dl # tcpdump -n -i ne0 esp
-.Pp
-On NETWORK_A:
-.Pp
-.Dl $ ping -I 10.0.50.1 10.0.99.1
-.Pp
-Check that
-.Xr tcpdump 8
-shows ESP packets whilst the ping is in progress.
-That shows that the traffic is IPsec encapsulated.
-.Pp
-If both networks are pingable,
-the routing tables look as described above,
-and
-.Xr tcpdump 8
-is working as described,
-it means the VPN is working correctly.
-However, it is also important to check that no IPsec traffic
-is being leaked,
-either by badly designed firewall rules
-or by a misconfigured VPN setup.
-.Pp
-On GATEWAY_A:
-.Pp
-.Dl "# tcpdump -n -i ne0 not esp and host 192.168.1.15"
-.Pp
-On NETWORK_A:
-.Pp
-.Dl $ ping -I 10.0.50.1 10.0.99.1
-.Pp
-This time
-.Xr tcpdump 8
-has been instructed to ignore ESP packets going to
-host 192.168.1.15 (GATEWAY_B),
-and no traffic should be seen whilst the ping is running.
-One exception to this is if the automated keying setup has been followed,
-in which case
-.Xr isakmpd 8
-key management packets on UDP port 500 may be seen.
-This is perfectly normal.
-If any traffic is being leaked
-i.e. the last ping detailed above is showing traffic,
-it is suggested that the administrator review the steps above,
-paying particular notice to the firewall configuration procedures.
-.Sh FILES
-.Bl -tag -width "/etc/isakmpd/isakmpd.policyXX" -compact
-.It Pa /etc/ipsec.conf
-.Xr ipsecctl 8
-configuration file.
-.It Pa /etc/isakmpd/isakmpd.conf
-.Xr isakmpd 8
-configuration file.
-.It Pa /etc/isakmpd/isakmpd.policy
-.Xr isakmpd 8
-policy file.
-.It Pa /etc/pf.conf
-Firewall configuration file.
-.It Pa /usr/share/ipsec/rc.vpn
-Sample VPN configuration file.
-.El
-.Sh SEE ALSO
-.Xr netstat 1 ,
-.Xr openssl 1 ,
-.Xr sysctl 3 ,
-.Xr enc 4 ,
-.Xr ipsec 4 ,
-.Xr keynote 4 ,
-.Xr ipsec.conf 5 ,
-.Xr isakmpd.conf 5 ,
-.Xr isakmpd.policy 5 ,
-.Xr pf.conf 5 ,
-.Xr ifconfig 8 ,
-.Xr ipsecadm 8 ,
-.Xr ipsecctl 8 ,
-.Xr isakmpd 8 ,
-.Xr pfctl 8 ,
-.Xr ping 8 ,
-.Xr sysctl 8 ,
-.Xr tcpdump 8
diff --git a/usr.bin/spell/special.4bsd b/usr.bin/spell/special.4bsd
index c9e2fe17273..3e832f43686 100644
--- a/usr.bin/spell/special.4bsd
+++ b/usr.bin/spell/special.4bsd
@@ -567,7 +567,6 @@ ipftest
ipmon
ipnat
ipresend
-ipsecadm
ipsend
iptest
irand
diff --git a/usr.sbin/bgpd/bgpd.conf.5 b/usr.sbin/bgpd/bgpd.conf.5
index ba01d9bc9a6..0dafcfd45d1 100644
--- a/usr.sbin/bgpd/bgpd.conf.5
+++ b/usr.sbin/bgpd/bgpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bgpd.conf.5,v 1.69 2006/04/04 12:39:19 henning Exp $
+.\" $OpenBSD: bgpd.conf.5,v 1.70 2006/05/26 04:02:59 deraadt Exp $
.\"
.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -1045,7 +1045,7 @@ configuration file
.Xr tcp 4 ,
.Xr bgpctl 8 ,
.Xr bgpd 8 ,
-.Xr ipsecadm 8 ,
+.Xr ipsecctl 8 ,
.Xr isakmpd 8 ,
.Xr rc.conf.local 8
.Sh HISTORY
diff --git a/usr.sbin/sasyncd/sasyncd.conf.5 b/usr.sbin/sasyncd/sasyncd.conf.5
index c2b0de55b6c..90b12e2a13d 100644
--- a/usr.sbin/sasyncd/sasyncd.conf.5
+++ b/usr.sbin/sasyncd/sasyncd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sasyncd.conf.5,v 1.9 2005/05/31 21:15:32 jmc Exp $
+.\" $OpenBSD: sasyncd.conf.5,v 1.10 2006/05/26 04:02:59 deraadt Exp $
.\"
.\" Copyright (c) 2005 Håkan Olsson. All rights reserved.
.\"
@@ -81,10 +81,10 @@ Pass any SADB_FLUSH messages along.
For example, in this mode
.Xr sasyncd 8
will synchronize an
-.Ic ipsecadm flush
+.Ic ipsecctl -F
command to all connected slaves.
For more information, see
-.Xr ipsecadm 8 .
+.Xr ipsecctl 8 .
.It Ic startup
Send a SADB_FLUSH message to the slaves as they connect, and act as
.Ic sync
@@ -147,7 +147,7 @@ bytes long (corresponding to AES using a 128, 192 or 256 bit key).
.Xr chmod 1 ,
.Xr carp 4 ,
.Xr chown 8 ,
-.Xr ipsecadm 8 ,
+.Xr ipsecctl 8 ,
.Xr sasyncd 8
.Sh HISTORY
The