[src/trunk]: src sync with almost-latest KAME IPsec. full changelog would be...
details: https://anonhg.NetBSD.org/src/rev/021127b386bc
branches: trunk
changeset: 487732:021127b386bc
user: itojun <itojun%NetBSD.org@localhost>
date: Mon Jun 12 10:40:37 2000 +0000
description:
sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. Notable changes are listed below.
kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.
setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification
diffstat:
lib/libipsec/ipsec_dump_policy.c | 283 +-
lib/libipsec/ipsec_get_policylen.c | 3 +-
lib/libipsec/ipsec_set_policy.3 | 20 +-
lib/libipsec/ipsec_strerror.3 | 9 +-
lib/libipsec/ipsec_strerror.c | 3 +-
lib/libipsec/ipsec_strerror.h | 3 +-
lib/libipsec/libpfkey.h | 77 +
lib/libipsec/pfkey.c | 500 ++-
lib/libipsec/pfkey_dump.c | 145 +-
lib/libipsec/policy_parse.y | 12 +-
lib/libipsec/policy_token.l | 3 +-
sys/net/pfkeyv2.h | 102 +-
sys/netinet6/ipsec.c | 6 +-
sys/netkey/key.c | 4927 +++++++++++++++++++++--------------
sys/netkey/key.h | 53 +-
sys/netkey/key_debug.c | 76 +-
sys/netkey/key_debug.h | 9 +-
sys/netkey/key_var.h | 47 +-
sys/netkey/keydb.c | 16 +-
sys/netkey/keydb.h | 11 +-
sys/netkey/keysock.c | 97 +-
sys/netkey/keysock.h | 9 +-
usr.sbin/setkey/Makefile | 3 +-
usr.sbin/setkey/parse.y | 249 +-
usr.sbin/setkey/setkey.8 | 6 +-
usr.sbin/setkey/setkey.c | 20 +-
usr.sbin/setkey/test-pfkey.c | 53 +-
usr.sbin/setkey/token.l | 58 +-
usr.sbin/setkey/vchar.h | 7 +-
29 files changed, 4087 insertions(+), 2720 deletions(-)
diffs (truncated from 10061 to 300 lines):
diff -r 18f6886a92eb -r 021127b386bc lib/libipsec/ipsec_dump_policy.c
--- a/lib/libipsec/ipsec_dump_policy.c Mon Jun 12 10:32:06 2000 +0000
+++ b/lib/libipsec/ipsec_dump_policy.c Mon Jun 12 10:40:37 2000 +0000
@@ -1,4 +1,5 @@
-/* $NetBSD: ipsec_dump_policy.c,v 1.2 2000/03/13 21:23:55 itojun Exp $ */
+/* $NetBSD: ipsec_dump_policy.c,v 1.3 2000/06/12 10:40:52 itojun Exp $ */
+/* $KAME: ipsec_dump_policy.c,v 1.11 2000/05/07 05:29:47 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@@ -42,13 +43,10 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <netdb.h>
#include "ipsec_strerror.h"
-#ifdef USE_GETNAMEINFO
-#undef USE_GETNAMEINFO
-#endif
-
static const char *ipsp_dir_strs[] = {
"any", "in", "out",
};
@@ -57,7 +55,11 @@
"discard", "none", "ipsec", "entrust", "bypass",
};
-static int set_addresses __P((char *buf, caddr_t ptr));
+static char *ipsec_dump_ipsecrequest __P((char *, size_t,
+ struct sadb_x_ipsecrequest *, size_t));
+static int set_addresses __P((char *, size_t, struct sockaddr *,
+ struct sockaddr *));
+static char *set_address __P((char *, size_t, struct sockaddr *));
/*
* policy is sadb_x_policy buffer.
@@ -71,9 +73,10 @@
{
struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
struct sadb_x_ipsecrequest *xisr;
- int xtlen, buflen;
+ size_t off, buflen;
char *buf;
- int error;
+ char isrbuf[1024];
+ char *newbuf;
/* sanity check */
if (policy == NULL)
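Review bot: The new locals `isrbuf`, `newbuf` and `off` are introduced without a word on what each holds, and `isrbuf` is a fixed 1024-byte stack buffer whose sufficiency rests on ipsec_dump_ipsecrequest honouring the `sizeof(isrbuf)` it is later handed (the callee's final formatting is not visible here, so that is an assumption to confirm). Suggest `char isrbuf[1024]; /* one formatted ipsecrequest; callee bounds writes by the size passed */` and `char *newbuf; /* realloc() result, kept apart so buf stays valid on failure */`, with `off` commented as the byte offset into the sadb_x_policy extension. ipsec_dump_policy's signature and the remainder of its body lie outside this hunk.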
@@ -118,159 +121,187 @@
__ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
- strcpy(buf, ipsp_dir_strs[xpl->sadb_x_policy_dir]);
- strcat(buf, " ");
- strcat(buf, ipsp_policy_strs[xpl->sadb_x_policy_type]);
+ snprintf(buf, buflen, "%s %s", ipsp_dir_strs[xpl->sadb_x_policy_dir],
+ ipsp_policy_strs[xpl->sadb_x_policy_type]);
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
__ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
- xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
- xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
-
/* count length of buffer for use */
- /* XXX non-seriously */
- while (xtlen > 0) {
- /* protocol/mode/addresses/level */
- buflen += (10 + 10 + 82 + 20);
- xtlen -= xisr->sadb_x_ipsecrequest_len;
- xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
- + xisr->sadb_x_ipsecrequest_len);
+ off = sizeof(*xpl);
+ while (off < PFKEY_EXTLEN(xpl)) {
+ xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
+ off += xisr->sadb_x_ipsecrequest_len;
}
/* validity check */
- if (xtlen < 0) {
+ if (off != PFKEY_EXTLEN(xpl)) {
__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
free(buf);
return NULL;
}
- if ((buf = realloc(buf, buflen)) == NULL) {
- __ipsec_errcode = EIPSEC_NO_BUFS;
- return NULL;
- }
-
- xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
- xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
-
- while (xtlen > 0) {
- strcat(buf, delimiter);
+ off = sizeof(*xpl);
+ while (off < PFKEY_EXTLEN(xpl)) {
+ xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
- switch (xisr->sadb_x_ipsecrequest_proto) {
- case IPPROTO_ESP:
- strcat(buf, "esp");
- break;
- case IPPROTO_AH:
- strcat(buf, "ah");
- break;
- case IPPROTO_IPCOMP:
- strcat(buf, "ipcomp");
- break;
- default:
- __ipsec_errcode = EIPSEC_INVAL_PROTO;
- free(buf);
- return NULL;
- }
-
- strcat(buf, "/");
-
- switch (xisr->sadb_x_ipsecrequest_mode) {
- case IPSEC_MODE_ANY:
- strcat(buf, "any");
- break;
- case IPSEC_MODE_TRANSPORT:
- strcat(buf, "transport");
- break;
- case IPSEC_MODE_TUNNEL:
- strcat(buf, "tunnel");
- break;
- default:
- __ipsec_errcode = EIPSEC_INVAL_MODE;
+ if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr,
+ PFKEY_EXTLEN(xpl) - off) == NULL) {
free(buf);
return NULL;
}
- strcat(buf, "/");
-
- if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
- error = set_addresses(buf, (caddr_t)(xisr + 1));
- if (error) {
- __ipsec_errcode = EIPSEC_INVAL_MODE;
- free(buf);
- return NULL;
- }
- }
-
- switch (xisr->sadb_x_ipsecrequest_level) {
- case IPSEC_LEVEL_DEFAULT:
- strcat(buf, "/default");
- break;
- case IPSEC_LEVEL_USE:
- strcat(buf, "/use");
- break;
- case IPSEC_LEVEL_REQUIRE:
- strcat(buf, "/require");
- break;
- case IPSEC_LEVEL_UNIQUE:
- strcat(buf, "/unique");
- break;
- default:
- __ipsec_errcode = EIPSEC_INVAL_LEVEL;
+ buflen = strlen(buf) + strlen(delimiter) + strlen(isrbuf) + 1;
+ newbuf = (char *)realloc(buf, buflen);
+ if (newbuf == NULL) {
+ __ipsec_errcode = EIPSEC_NO_BUFS;
free(buf);
return NULL;
}
+ buf = newbuf;
+ snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf);
- if (xisr->sadb_x_ipsecrequest_reqid != 0) {
- char id[16];
- if (xisr->sadb_x_ipsecrequest_reqid
- > IPSEC_MANUAL_REQID_MAX)
- strcat(buf, "#");
- else
- strcat(buf, ":");
- snprintf(id, sizeof(id), "%d",
- xisr->sadb_x_ipsecrequest_reqid);
- strcat(buf, id);
- }
-
- xtlen -= xisr->sadb_x_ipsecrequest_len;
- xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
- + xisr->sadb_x_ipsecrequest_len);
+ off += xisr->sadb_x_ipsecrequest_len;
}
__ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
-static int
-set_addresses(buf, ptr)
+static char *
+ipsec_dump_ipsecrequest(buf, len, xisr, bound)
char *buf;
- caddr_t ptr;
+ size_t len;
+ struct sadb_x_ipsecrequest *xisr;
+ size_t bound; /* boundary */
{
- char tmp[100]; /* XXX */
- struct sockaddr *saddr = (struct sockaddr *)ptr;
+ const char *proto, *mode, *level;
+ char abuf[NI_MAXHOST * 2 + 2];
+
+ if (xisr->sadb_x_ipsecrequest_len > bound) {
+ __ipsec_errcode = EIPSEC_INVAL_PROTO;
+ return NULL;
+ }
+
+ switch (xisr->sadb_x_ipsecrequest_proto) {
+ case IPPROTO_ESP:
+ proto = "esp";
+ break;
+ case IPPROTO_AH:
+ proto = "ah";
+ break;
+ case IPPROTO_IPCOMP:
+ proto = "ipcomp";
+ break;
+ default:
+ __ipsec_errcode = EIPSEC_INVAL_PROTO;
+ return NULL;
+ }
+
+ switch (xisr->sadb_x_ipsecrequest_mode) {
+ case IPSEC_MODE_ANY:
+ mode = "any";
+ break;
+ case IPSEC_MODE_TRANSPORT:
+ mode = "transport";
+ break;
+ case IPSEC_MODE_TUNNEL:
+ mode = "tunnel";
+ break;
+ default:
+ __ipsec_errcode = EIPSEC_INVAL_MODE;
+ return NULL;
+ }
+
+ abuf[0] = '\0';
+ if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
+ struct sockaddr *sa1, *sa2;
+ caddr_t p;
-#ifdef USE_GETNAMEINFO
- getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
- NULL, 0, NI_NUMERICHOST);
-#else
- inet_ntop(saddr->sa_family, _INADDRBYSA(saddr),
- tmp, sizeof(tmp));
-#endif
- strcat(buf, tmp);
+ p = (caddr_t)(xisr + 1);
+ sa1 = (struct sockaddr *)p;
+ sa2 = (struct sockaddr *)(p + sa1->sa_len);
+ if (sizeof(*xisr) + sa1->sa_len + sa2->sa_len !=
+ xisr->sadb_x_ipsecrequest_len) {
+ __ipsec_errcode = EIPSEC_INVAL_ADDRESS;
+ return NULL;
+ }
+ if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) {
+ __ipsec_errcode = EIPSEC_INVAL_ADDRESS;
+ return NULL;
+ }
+ }
- strcat(buf, "-");
+ switch (xisr->sadb_x_ipsecrequest_level) {
+ case IPSEC_LEVEL_DEFAULT:
+ level = "default";
+ break;
+ case IPSEC_LEVEL_USE:
+ level = "use";
+ break;
+ case IPSEC_LEVEL_REQUIRE:
+ level = "require";
+ break;
+ case IPSEC_LEVEL_UNIQUE:
+ level = "unique";
+ break;
+ default:
+ __ipsec_errcode = EIPSEC_INVAL_LEVEL;
+ return NULL;
+ }
- saddr = (struct sockaddr *)((caddr_t)saddr + saddr->sa_len);
-#ifdef USE_GETNAMEINFO
- getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
- NULL, 0, NI_NUMERICHOST);
-#else