[src/trunk]: src sync with latest kame setkey(8), modulo icmp6 hack.
details: https://anonhg.NetBSD.org/src/rev/6521243aa455
branches: trunk
changeset: 526935:6521243aa455
user: itojun <itojun%NetBSD.org@localhost>
date: Tue May 14 11:24:20 2002 +0000
description:
sync with latest kame setkey(8), modulo icmp6 hack.
pfkey.c is now more picky about buffer length validation.
spddump (setkey -DP) will print lifetime information.
diffstat:
lib/libipsec/libpfkey.h | 17 +-
lib/libipsec/pfkey.c | 778 ++++++++++++++++++++++++++++++++++++++-------
lib/libipsec/pfkey_dump.c | 106 ++++--
sbin/setkey/parse.y | 27 +-
sbin/setkey/setkey.8 | 52 +-
sbin/setkey/token.l | 4 +-
6 files changed, 779 insertions(+), 205 deletions(-)
diffs (truncated from 1632 to 300 lines):
diff -r d4fcdfce2fe2 -r 6521243aa455 lib/libipsec/libpfkey.h
--- a/lib/libipsec/libpfkey.h Tue May 14 11:03:39 2002 +0000
+++ b/lib/libipsec/libpfkey.h Tue May 14 11:24:20 2002 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: libpfkey.h,v 1.1 2000/06/12 10:40:52 itojun Exp $ */
-/* $KAME: libpfkey.h,v 1.1 2000/06/08 21:28:32 itojun Exp $ */
+/* $NetBSD: libpfkey.h,v 1.2 2002/05/14 11:24:21 itojun Exp $ */
+/* $KAME: libpfkey.h,v 1.6 2001/03/05 18:22:17 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -30,11 +30,15 @@
* SUCH DAMAGE.
*/
+struct sadb_msg;
extern void pfkey_sadump __P((struct sadb_msg *));
extern void pfkey_spdump __P((struct sadb_msg *));
struct sockaddr;
+struct sadb_alg;
int ipsec_check_keylen __P((u_int, u_int, u_int));
+int ipsec_check_keylen2 __P((u_int, u_int, u_int));
+int ipsec_get_keylen __P((u_int, u_int, struct sadb_alg *));
u_int pfkey_set_softrate __P((u_int, u_int));
u_int pfkey_get_softrate __P((u_int));
int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
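Review bot: The new prototypes `ipsec_check_keylen2 __P((u_int, u_int, u_int))` and `ipsec_get_keylen __P((u_int, u_int, struct sadb_alg *))` carry no parameter names and no comment, so a caller cannot tell from the header that the first argument is now an SADB_SATYPE_* value, whereas the neighbouring ipsec_check_keylen() takes an SADB_EXT_SUPPORTED_* exttype in the same slot; passing the old constant to the new function compiles silently. A one-line comment above each, e.g. `/* (satype, alg_id, keylen in bits): -1 unless keylen is within the advertised range for alg_id */` and `/* (satype, alg_id, *alg): presumably fills *alg from the cached SADB_EXT_SUPPORTED_* list; confirm against pfkey.c */`, would make the distinction visible where callers look. The forward declarations `struct sadb_msg;` and `struct sadb_alg;` are the right fix for including this header without pfkeyv2.h.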
@@ -49,17 +53,26 @@
u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_delete __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
+int pfkey_send_delete_all __P((int, u_int, u_int,
+ struct sockaddr *, struct sockaddr *));
int pfkey_send_get __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_register __P((int, u_int));
int pfkey_recv_register __P((int));
+int pfkey_set_supported __P((struct sadb_msg *, int));
int pfkey_send_flush __P((int, u_int));
int pfkey_send_dump __P((int, u_int));
int pfkey_send_promisc_toggle __P((int, int));
int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spdadd2 __P((int, struct sockaddr *, u_int,
+ struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
+ caddr_t, int, u_int32_t));
int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spdupdate2 __P((int, struct sockaddr *, u_int,
+ struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
+ caddr_t, int, u_int32_t));
int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spddelete2 __P((int, u_int32_t));
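Review bot: pfkey_send_spdadd2() and pfkey_send_spdupdate2() add two adjacent u_int64_t parameters that are indistinguishable from the prototype; given the commit's SPD lifetime support they are presumably the lifetime values handed to pfkey_send_x4(), but which is which, and the unit, cannot be recovered from this header, and swapping them at a call site compiles silently. A comment above the pair, e.g. `/* the two u_int64_t are the SPD lifetime values forwarded to pfkey_send_x4(); state the order and unit here */`, or parameter names in the `__P` list, would close that gap. The same applies to pfkey_send_delete_all(), whose relationship to pfkey_send_delete() (no SPI argument) is only implied by the name.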
diff -r d4fcdfce2fe2 -r 6521243aa455 lib/libipsec/pfkey.c
--- a/lib/libipsec/pfkey.c Tue May 14 11:03:39 2002 +0000
+++ b/lib/libipsec/pfkey.c Tue May 14 11:24:20 2002 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: pfkey.c,v 1.12 2001/09/16 16:34:26 wiz Exp $ */
-/* $KAME: pfkey.c,v 1.31 2000/06/10 14:17:43 sakane Exp $ */
+/* $NetBSD: pfkey.c,v 1.13 2002/05/14 11:24:21 itojun Exp $ */
+/* $KAME: pfkey.c,v 1.41 2002/05/14 10:59:09 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@@ -48,6 +48,9 @@
#define CALLOC(size, cast) (cast)calloc(1, (size))
+static int findsupportedmap __P((int));
+static int setsupportedmap __P((struct sadb_supported *));
+static struct sadb_alg *findsupportedalg __P((u_int, u_int));
static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
@@ -56,90 +59,167 @@
struct sockaddr *, struct sockaddr *, u_int32_t));
static int pfkey_send_x3 __P((int, u_int, u_int));
static int pfkey_send_x4 __P((int, u_int, struct sockaddr *, u_int,
- struct sockaddr *, u_int, u_int, char *, int, u_int32_t));
+ struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
+ char *, int, u_int32_t));
static int pfkey_send_x5 __P((int, u_int, u_int32_t));
-static caddr_t pfkey_setsadbmsg __P((caddr_t, u_int, u_int,
+static caddr_t pfkey_setsadbmsg __P((caddr_t, caddr_t, u_int, u_int,
u_int, u_int32_t, pid_t));
-static caddr_t pfkey_setsadbsa __P((caddr_t, u_int32_t, u_int,
+static caddr_t pfkey_setsadbsa __P((caddr_t, caddr_t, u_int32_t, u_int,
u_int, u_int, u_int32_t));
-static caddr_t pfkey_setsadbaddr __P((caddr_t, u_int,
+static caddr_t pfkey_setsadbaddr __P((caddr_t, caddr_t, u_int,
struct sockaddr *, u_int, u_int));
-static caddr_t pfkey_setsadbkey __P((caddr_t, u_int, caddr_t, u_int));
-static caddr_t pfkey_setsadblifetime __P((caddr_t, u_int, u_int32_t, u_int32_t,
- u_int32_t, u_int32_t));
-static caddr_t pfkey_setsadbxsa2 __P((caddr_t, u_int32_t, u_int32_t));
+static caddr_t pfkey_setsadbkey __P((caddr_t, caddr_t, u_int, caddr_t, u_int));
+static caddr_t pfkey_setsadblifetime __P((caddr_t, caddr_t, u_int, u_int32_t,
+ u_int32_t, u_int32_t, u_int32_t));
+static caddr_t pfkey_setsadbxsa2 __P((caddr_t, caddr_t, u_int32_t, u_int32_t));
+
+/*
+ * make and search supported algorithm structure.
+ */
+static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, };
+
+static int supported_map[] = {
+ SADB_SATYPE_AH,
+ SADB_SATYPE_ESP,
+ SADB_X_SATYPE_IPCOMP,
+};
+
+static int
+findsupportedmap(satype)
+ int satype;
+{
+ int i;
+
+ for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++)
+ if (supported_map[i] == satype)
+ return i;
+ return -1;
+}
+
+static struct sadb_alg *
+findsupportedalg(satype, alg_id)
+ u_int satype, alg_id;
+{
+ int algno;
+ int tlen;
+ caddr_t p;
+
+ /* validity check */
+ algno = findsupportedmap(satype);
+ if (algno == -1) {
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ return NULL;
+ }
+ if (ipsec_supported[algno] == NULL) {
+ __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
+ return NULL;
+ }
+
+ tlen = ipsec_supported[algno]->sadb_supported_len
+ - sizeof(struct sadb_supported);
+ p = (caddr_t)(ipsec_supported[algno] + 1);
+ while (tlen > 0) {
+ if (tlen < sizeof(struct sadb_alg)) {
+ /* invalid format */
+ break;
+ }
+ if (((struct sadb_alg *)p)->sadb_alg_id == alg_id)
+ return (struct sadb_alg *)p;
+
+ tlen -= sizeof(struct sadb_alg);
+ p += sizeof(struct sadb_alg);
+ }
+
+ __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
+ return NULL;
+}
+
+static int
+setsupportedmap(sup)
+ struct sadb_supported *sup;
+{
+ struct sadb_supported **ipsup;
+
+ switch (sup->sadb_supported_exttype) {
+ case SADB_EXT_SUPPORTED_AUTH:
+ ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)];
+ break;
+ case SADB_EXT_SUPPORTED_ENCRYPT:
+ ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)];
+ break;
+ default:
+ __ipsec_errcode = EIPSEC_INVAL_SATYPE;
+ return -1;
+ }
+
+ if (*ipsup)
+ free(*ipsup);
+
+ *ipsup = malloc(sup->sadb_supported_len);
+ if (!*ipsup) {
+ __ipsec_set_strerror(strerror(errno));
+ return -1;
+ }
+ memcpy(*ipsup, sup, sup->sadb_supported_len);
+
+ return 0;
+}
/*
* check key length against algorithm specified.
- * supported is either SADB_EXT_SUPPORTED_ENCRYPT or SADB_EXT_SUPPORTED_AUTH.
- * Refer to keyv2.h to get more info.
+ * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the
+ * augument, and only calls to ipsec_check_keylen2();
* keylen is the unit of bit.
* OUT:
* -1: invalid.
* 0: valid.
*/
-struct sadb_msg *ipsec_supported = NULL;
-
int
ipsec_check_keylen(supported, alg_id, keylen)
u_int supported;
u_int alg_id;
u_int keylen;
{
- u_int tlen;
- caddr_t p;
- struct sadb_supported *sup;
- struct sadb_alg *alg;
+ int satype;
/* validity check */
- if (ipsec_supported == NULL) {
- __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
- return -1;
- }
switch (supported) {
case SADB_EXT_SUPPORTED_AUTH:
+ satype = SADB_SATYPE_AH;
+ break;
case SADB_EXT_SUPPORTED_ENCRYPT:
+ satype = SADB_SATYPE_ESP;
break;
default:
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
- tlen = ipsec_supported->sadb_msg_len - sizeof(struct sadb_msg);
- p = (caddr_t)ipsec_supported + sizeof(struct sadb_msg);
-
- for (;
- tlen > 0;
- tlen -= sup->sadb_supported_len, p += sup->sadb_supported_len) {
-
- sup = (struct sadb_supported *)p;
-
- if (sup->sadb_supported_exttype != supported)
- continue;
-
- {
- u_int ttlen = sup->sadb_supported_len;
- caddr_t pp = p + sizeof(*sup);
+ return ipsec_check_keylen2(satype, alg_id, keylen);
+}
- for (;
- ttlen > 0;
- ttlen -= sizeof(*alg), pp += sizeof(*alg)) {
- alg = (struct sadb_alg *)pp;
+/*
+ * check key length against algorithm specified.
+ * satype is one of satype defined at pfkeyv2.h.
+ * keylen is the unit of bit.
+ * OUT:
+ * -1: invalid.
+ * 0: valid.
+ */
+int
+ipsec_check_keylen2(satype, alg_id, keylen)
+ u_int satype;
+ u_int alg_id;
+ u_int keylen;
+{
+ struct sadb_alg *alg;
- if (alg->sadb_alg_id == alg_id)
- goto found;
- }
- }
- }
+ alg = findsupportedalg(satype, alg_id);
+ if (!alg)
+ return -1;
- __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
- return -1;
- /* NOTREACHED */
-
- found:
- if (keylen < alg->sadb_alg_minbits
- || keylen > alg->sadb_alg_maxbits) {
+ if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) {
__ipsec_errcode = EIPSEC_INVAL_KEYLEN;
return -1;
}
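Review bot: setsupportedmap() at `*ipsup = malloc(sup->sadb_supported_len);` and the memcpy that follows trust sadb_supported_len without checking that it covers at least the sadb_supported header, and findsupportedalg() then computes `tlen = sadb_supported_len - sizeof(struct sadb_supported)` into an int, so a short length wraps through size_t and is kept harmless only by the implementation-defined narrowing producing a negative tlen. A one-line guard before the malloc, `if (sup->sadb_supported_len < sizeof(*sup)) { __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; }`, pins the invariant where the copy is made, unless the caller (presumably pfkey_set_supported, outside this hunk) is already guaranteed to reject such extensions. Both functions also treat sadb_supported_len as a byte count while PF_KEY carries extension lengths in 64-bit units, so the stored copy must have been converted before setsupportedmap() is called; a comment on `ipsec_supported[]` stating that it holds byte-length copies would stop a future caller from storing a raw extension. Separately, the SADB_X_SATYPE_IPCOMP slot of ipsec_supported[] is never filled by setsupportedmap(), so ipsec_check_keylen2() on IPCOMP always reports EIPSEC_DO_GET_SUPP_LIST even after the list has been fetched, where EIPSEC_NOT_SUPPORTED would be the honest answer. The comment above ipsec_check_keylen() misspells `augument` for `argument`.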
@@ -149,6 +229,50 @@
}
/*
+ * get max/min key length against algorithm specified.
+ * satype is one of satype defined at pfkeyv2.h.