Added files to get netshell to link when using ping.

This commit is contained in:
Jennifer Averett 2012-10-11 09:03:25 -05:00
parent d4ceffbe23
commit 05519817fb
21 changed files with 8033 additions and 7 deletions


@ -21,6 +21,7 @@ CFLAGS += -I$(INSTALL_BASE)/include
#Only Needed for db files
CFLAGS += -D__DBINTERFACE_PRIVATE
CFLAGS += -g
CFLAGS += -w
CFLAGS += -std=gnu99
CFLAGS += -MT $@ -MD -MP -MF $(basename $@).d
@ -60,6 +61,7 @@ C_FILES += lib/libc/net/getprotoent.c
C_FILES += lib/libc/net/getprotoname.c
C_FILES += lib/libc/net/getservent.c
C_FILES += lib/libc/net/nsdispatch.c
C_FILES += lib/libc/net/gai_strerror.c
# The following two /net files are generated
C_FILES += lib/libc/net/nslexer.c
C_FILES += lib/libc/net/nsparser.c
@ -78,7 +80,7 @@ C_FILES += lib/libc/net/map_v4v6.c
C_FILES += lib/libc/net/name6.c
C_FILES += lib/libc/net/rcmd.c
C_FILES += lib/libc/net/recv.c
C_FILES += lib/libc/net/send.c
# C_FILES += lib/libc/net/send.c
C_FILES += lib/libc/resolv/herror.c
C_FILES += lib/libc/resolv/h_errno.c
C_FILES += lib/libc/resolv/res_comp.c
@ -125,12 +127,27 @@ C_FILES += lib/libc/db/recno/rec_utils.c
C_FILES += lib/libc/db/mpool/mpool.c
# libipsec files
C_FILES += lib/libipsec/pfkey_dump.c
# Has a main and may or may not be needed
# C_FILES += lib/libipsec/test-policy.c
C_FILES += lib/libipsec/pfkey.c
C_FILES += lib/libipsec/ipsec_strerror.c
C_FILES += lib/libipsec/ipsec_get_policylen.c
C_FILES += lib/libipsec/ipsec_dump_policy.c
# The following two /net files are generated
C_FILES += lib/libipsec/policy_token.c
C_FILES += lib/libipsec/policy_parse.c
# RTEMS Specific Files
# C_FILES += rtems/rtems-net-setup.c
C_FILES += rtems/syslog.c
C_FILES += rtems/rtems-syslog-initialize.c
C_FILES += rtems/rtems-getprogname.c
C_FILES += rtems/rtems-uthread_main_np.c
C_FILES += rtems/rtems-uthread_kevent.c
C_FILES += rtems/rtems-uthread_kqueue.c
# ping command sources
C_FILES += commands/sbin/ping/ping.c
@ -215,11 +232,16 @@ C_D_FILES = $(C_FILES:%.c=%.d)
LIB = libbsdc.a
GEN_FILES = include/rpc/rpcb_prot.h
GEN_FILES += commands/sbin/route/keywords.h
# lib/libc/net
GEN_FILES += lib/libc/net/nslexer.c
GEN_FILES += lib/libc/net/nsparser.c
EXTRA_CLEAN = lib/libc/net/nsparser.i
# lib/libipsec
GEN_FILES += lib/libipsec/policy_token.c
GEN_FILES += lib/libipsec/policy_parse.c
EXTRA_CLEAN += lib/libc/net/policy_parse.i
all: $(LIB)
$(LIB): $(GEN_FILES) $(C_O_FILES)
@ -239,19 +261,28 @@ commands/sbin/route/keywords.h: commands/sbin/route/keywords
> commands/sbin/route/keywords.h
rm -f _keywords.tmp
YFLAGS+=-p_nsyy
LFLAGS+=-P_nsyy
# lib/libc/net Yacc and lex files
lib/libc/net/nslexer.c: lib/libc/net/nslexer.l
${LEX} ${LFLAGS} -t $^ | \
${LEX} -P _nsyy -t $^ | \
sed -e '/YY_BUF_SIZE/s/16384/1024/' >$@
lib/libc/net/nsparser.c: lib/libc/net/nsparser.y
yacc -d ${YFLAGS} -o lib/libc/net/nsparser.i $^
yacc -d -p_nsyy -o lib/libc/net/nsparser.i $^
cat lib/libc/net/nsparser.i | \
sed -e '/YY_BUF_SIZE/s/16384/1024/' >$@
rm -f lib/libc/net/nsparser.i
# libipsec Yacc and lex files
lib/libipsec/policy_token.c: lib/libipsec/policy_token.l
${LEX} -P __libipsecyy -t $^ | \
sed -e '/YY_BUF_SIZE/s/16384/1024/' >$@
lib/libipsec/policy_parse.c: lib/libipsec/policy_parse.y
yacc -d -p __libipsecyy -o lib/libipsec/policy_parse.i $^
cat lib/libipsec/policy_parse.i | \
sed -e '/YY_BUF_SIZE/s/16384/1024/' >$@
rm -f lib/libipsec/policy_parse.i
install: $(LIB)
install -d $(INSTALL_BASE)/include
cd include; for i in `find . -name '*.h'` ; do \
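Review bot: `EXTRA_CLEAN += lib/libc/net/policy_parse.i` names the wrong directory: the rule for lib/libipsec/policy_parse.c writes its intermediate to `lib/libipsec/policy_parse.i`, so a build interrupted between the yacc and rm steps leaves a file that `clean` never removes; change it to `EXTRA_CLEAN += lib/libipsec/policy_parse.i`. The comment introducing the libipsec generated sources, `# The following two /net files are generated`, was carried over from the lib/libc/net block and should read `# The following two libipsec files are generated`. The old/new side of the duplicated send.c, LEX and yacc lines cannot be recovered from this rendering, so they are not reviewed here.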


@ -0,0 +1,70 @@
/*
* Copyright (c) 1998 John Birrell <jb@cimlogic.com.au>.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the author nor the names of any co-contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY JOHN BIRRELL AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*
* Lock definitions used in both libc and libpthread.
*
*/
#ifndef _SPINLOCK_H_
#define _SPINLOCK_H_
#include <sys/cdefs.h>
#include <sys/types.h>
/*
* Lock structure with room for debugging information.
*/
struct _spinlock {
volatile long access_lock;
volatile long lock_owner;
volatile char *fname;
volatile int lineno;
};
typedef struct _spinlock spinlock_t;
#define _SPINLOCK_INITIALIZER { 0, 0, 0, 0 }
#define _SPINUNLOCK(_lck) _spinunlock(_lck);
#ifdef _LOCK_DEBUG
#define _SPINLOCK(_lck) _spinlock_debug(_lck, __FILE__, __LINE__)
#else
#define _SPINLOCK(_lck) _spinlock(_lck)
#endif
/*
* Thread function prototype definitions:
*/
__BEGIN_DECLS
long _atomic_lock(volatile long *);
void _spinlock(spinlock_t *);
void _spinunlock(spinlock_t *);
void _spinlock_debug(spinlock_t *, char *, int);
__END_DECLS
#endif /* _SPINLOCK_H_ */


@ -0,0 +1,124 @@
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef __rtems__
#include <freebsd/machine/rtems-bsd-config.h>
#include <freebsd/sys/_types.h>
#endif
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "namespace.h"
#include <netdb.h>
#if defined(NLS)
#include <nl_types.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include "reentrant.h"
#endif
#include "un-namespace.h"
/* Entries EAI_ADDRFAMILY (1) and EAI_NODATA (7) are obsoleted, but left */
/* for backward compatibility with userland code prior to 2553bis-02 */
static const char *ai_errlist[] = {
"Success", /* 0 */
"Address family for hostname not supported", /* 1 */
"Temporary failure in name resolution", /* EAI_AGAIN */
"Invalid value for ai_flags", /* EAI_BADFLAGS */
"Non-recoverable failure in name resolution", /* EAI_FAIL */
"ai_family not supported", /* EAI_FAMILY */
"Memory allocation failure", /* EAI_MEMORY */
"No address associated with hostname", /* 7 */
"hostname nor servname provided, or not known", /* EAI_NONAME */
"servname not supported for ai_socktype", /* EAI_SERVICE */
"ai_socktype not supported", /* EAI_SOCKTYPE */
"System error returned in errno", /* EAI_SYSTEM */
"Invalid value for hints", /* EAI_BADHINTS */
"Resolved protocol is unknown", /* EAI_PROTOCOL */
"Argument buffer overflow" /* EAI_OVERFLOW */
};
#if defined(NLS)
static char gai_buf[NL_TEXTMAX];
static once_t gai_init_once = ONCE_INITIALIZER;
static thread_key_t gai_key;
static int gai_keycreated = 0;
static void
gai_keycreate(void)
{
gai_keycreated = (thr_keycreate(&gai_key, free) == 0);
}
#endif
const char *
gai_strerror(int ecode)
{
#if defined(NLS)
nl_catd catd;
char *buf;
if (thr_main() != 0)
buf = gai_buf;
else {
if (thr_once(&gai_init_once, gai_keycreate) != 0 ||
!gai_keycreated)
goto thr_err;
if ((buf = thr_getspecific(gai_key)) == NULL) {
if ((buf = malloc(sizeof(gai_buf))) == NULL)
goto thr_err;
if (thr_setspecific(gai_key, buf) != 0) {
free(buf);
goto thr_err;
}
}
}
catd = catopen("libc", NL_CAT_LOCALE);
if (ecode > 0 && ecode < EAI_MAX)
strlcpy(buf, catgets(catd, 3, ecode, ai_errlist[ecode]),
sizeof(gai_buf));
else if (ecode == 0)
strlcpy(buf, catgets(catd, 3, NL_MSGMAX - 1, "Success"),
sizeof(gai_buf));
else
strlcpy(buf, catgets(catd, 3, NL_MSGMAX, "Unknown error"),
sizeof(gai_buf));
catclose(catd);
return buf;
thr_err:
#endif
if (ecode >= 0 && ecode < EAI_MAX)
return ai_errlist[ecode];
return "Unknown error";
}
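Review bot: The fallback lookup `if (ecode >= 0 && ecode < EAI_MAX)` bounds the index by EAI_MAX from whichever <netdb.h> is on the include path, while ai_errlist is a fixed table of 15 strings; with the RTEMS include arrangement added at the top of this file that header is presumably not the FreeBSD one, and if its EAI_MAX is larger the read runs past the table. Bounding by the table itself removes the dependency: `if (ecode >= 0 && (size_t)ecode < sizeof(ai_errlist) / sizeof(ai_errlist[0]))`. The NLS branch at `if (ecode > 0 && ecode < EAI_MAX)` has the same coupling, though it is only compiled when NLS is defined.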


@ -0,0 +1,312 @@
/* $KAME: ipsec_dump_policy.c,v 1.13 2002/06/27 14:35:11 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#ifdef __rtems__
#include <freebsd/netipsec/key_var.h>
#include <freebsd/netinet/in.h>
#include <freebsd/netipsec/ipsec.h>
#else
#include <netipsec/key_var.h>
#include <netinet/in.h>
#include <netipsec/ipsec.h>
#endif
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include "ipsec_strerror.h"
static const char *ipsp_dir_strs[] = {
"any", "in", "out",
};
static const char *ipsp_policy_strs[] = {
"discard", "none", "ipsec", "entrust", "bypass",
};
static char *ipsec_dump_ipsecrequest(char *, size_t,
struct sadb_x_ipsecrequest *, size_t);
static int set_addresses(char *, size_t, struct sockaddr *, struct sockaddr *);
static char *set_address(char *, size_t, struct sockaddr *);
/*
* policy is sadb_x_policy buffer.
* Must call free() later.
* When delimiter == NULL, alternatively ' '(space) is applied.
*/
char *
ipsec_dump_policy(policy, delimiter)
caddr_t policy;
char *delimiter;
{
struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
struct sadb_x_ipsecrequest *xisr;
size_t off, buflen;
char *buf;
char isrbuf[1024];
char *newbuf;
/* sanity check */
if (policy == NULL)
return NULL;
if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
return NULL;
}
/* set delimiter */
if (delimiter == NULL)
delimiter = " ";
switch (xpl->sadb_x_policy_dir) {
case IPSEC_DIR_ANY:
case IPSEC_DIR_INBOUND:
case IPSEC_DIR_OUTBOUND:
break;
default:
__ipsec_errcode = EIPSEC_INVAL_DIR;
return NULL;
}
switch (xpl->sadb_x_policy_type) {
case IPSEC_POLICY_DISCARD:
case IPSEC_POLICY_NONE:
case IPSEC_POLICY_IPSEC:
case IPSEC_POLICY_BYPASS:
case IPSEC_POLICY_ENTRUST:
break;
default:
__ipsec_errcode = EIPSEC_INVAL_POLICY;
return NULL;
}
buflen = strlen(ipsp_dir_strs[xpl->sadb_x_policy_dir])
+ 1 /* space */
+ strlen(ipsp_policy_strs[xpl->sadb_x_policy_type])
+ 1; /* NUL */
if ((buf = malloc(buflen)) == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
snprintf(buf, buflen, "%s %s", ipsp_dir_strs[xpl->sadb_x_policy_dir],
ipsp_policy_strs[xpl->sadb_x_policy_type]);
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
__ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
/* count length of buffer for use */
off = sizeof(*xpl);
while (off < PFKEY_EXTLEN(xpl)) {
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
off += xisr->sadb_x_ipsecrequest_len;
}
/* validity check */
if (off != PFKEY_EXTLEN(xpl)) {
__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
free(buf);
return NULL;
}
off = sizeof(*xpl);
while (off < PFKEY_EXTLEN(xpl)) {
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr,
PFKEY_EXTLEN(xpl) - off) == NULL) {
free(buf);
return NULL;
}
buflen = strlen(buf) + strlen(delimiter) + strlen(isrbuf) + 1;
newbuf = (char *)realloc(buf, buflen);
if (newbuf == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
free(buf);
return NULL;
}
buf = newbuf;
snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf);
off += xisr->sadb_x_ipsecrequest_len;
}
__ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
static char *
ipsec_dump_ipsecrequest(buf, len, xisr, bound)
char *buf;
size_t len;
struct sadb_x_ipsecrequest *xisr;
size_t bound; /* boundary */
{
const char *proto, *mode, *level;
char abuf[NI_MAXHOST * 2 + 2];
if (xisr->sadb_x_ipsecrequest_len > bound) {
__ipsec_errcode = EIPSEC_INVAL_PROTO;
return NULL;
}
switch (xisr->sadb_x_ipsecrequest_proto) {
case IPPROTO_ESP:
proto = "esp";
break;
case IPPROTO_AH:
proto = "ah";
break;
case IPPROTO_IPCOMP:
proto = "ipcomp";
break;
case IPPROTO_TCP:
proto = "tcp";
default:
__ipsec_errcode = EIPSEC_INVAL_PROTO;
return NULL;
}
switch (xisr->sadb_x_ipsecrequest_mode) {
case IPSEC_MODE_ANY:
mode = "any";
break;
case IPSEC_MODE_TRANSPORT:
mode = "transport";
break;
case IPSEC_MODE_TUNNEL:
mode = "tunnel";
break;
default:
__ipsec_errcode = EIPSEC_INVAL_MODE;
return NULL;
}
abuf[0] = '\0';
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
struct sockaddr *sa1, *sa2;
caddr_t p;
p = (caddr_t)(xisr + 1);
sa1 = (struct sockaddr *)p;
sa2 = (struct sockaddr *)(p + sa1->sa_len);
if (sizeof(*xisr) + sa1->sa_len + sa2->sa_len !=
xisr->sadb_x_ipsecrequest_len) {
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return NULL;
}
if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) {
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return NULL;
}
}
switch (xisr->sadb_x_ipsecrequest_level) {
case IPSEC_LEVEL_DEFAULT:
level = "default";
break;
case IPSEC_LEVEL_USE:
level = "use";
break;
case IPSEC_LEVEL_REQUIRE:
level = "require";
break;
case IPSEC_LEVEL_UNIQUE:
level = "unique";
break;
default:
__ipsec_errcode = EIPSEC_INVAL_LEVEL;
return NULL;
}
if (xisr->sadb_x_ipsecrequest_reqid == 0)
snprintf(buf, len, "%s/%s/%s/%s", proto, mode, abuf, level);
else {
int ch;
if (xisr->sadb_x_ipsecrequest_reqid > IPSEC_MANUAL_REQID_MAX)
ch = '#';
else
ch = ':';
snprintf(buf, len, "%s/%s/%s/%s%c%u", proto, mode, abuf, level,
ch, xisr->sadb_x_ipsecrequest_reqid);
}
return buf;
}
static int
set_addresses(buf, len, sa1, sa2)
char *buf;
size_t len;
struct sockaddr *sa1;
struct sockaddr *sa2;
{
char tmp1[NI_MAXHOST], tmp2[NI_MAXHOST];
if (set_address(tmp1, sizeof(tmp1), sa1) == NULL ||
set_address(tmp2, sizeof(tmp2), sa2) == NULL)
return -1;
if (strlen(tmp1) + 1 + strlen(tmp2) + 1 > len)
return -1;
snprintf(buf, len, "%s-%s", tmp1, tmp2);
return 0;
}
static char *
set_address(buf, len, sa)
char *buf;
size_t len;
struct sockaddr *sa;
{
const int niflags = NI_NUMERICHOST;
if (len < 1)
return NULL;
buf[0] = '\0';
if (getnameinfo(sa, sa->sa_len, buf, len, NULL, 0, niflags) != 0)
return NULL;
return buf;
}
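Review bot: `snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf);` in ipsec_dump_policy passes buf as both the destination and a `%s` source, which C99 7.19.6.5 leaves undefined for overlapping objects; after the realloc the old contents are already in place, so append past them instead: `size_t cur = strlen(buf);` then `snprintf(buf + cur, buflen - cur, "%s%s", delimiter, isrbuf);`. In ipsec_dump_ipsecrequest the `case IPPROTO_TCP: proto = "tcp";` arm has no `break;` and falls into `default`, so a TCP request sets EIPSEC_INVAL_PROTO and returns NULL right after assigning proto; either add `break;` or drop the arm so the rejection is explicit. Also, `sa2 = (struct sockaddr *)(p + sa1->sa_len);` is dereferenced for `sa2->sa_len` in the following length check before anything has confirmed that sa1->sa_len fits inside the request, so a malformed sa1->sa_len reads outside the PF_KEY buffer; checking `sizeof(*xisr) + sa1->sa_len < xisr->sadb_x_ipsecrequest_len` before computing sa2 avoids that.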


@ -0,0 +1,54 @@
/* $KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/param.h>
#ifdef __rtems__
#include <freebsd/netipsec/ipsec.h>
#include <freebsd/net/pfkeyv2.h>
#else
#include <netipsec/ipsec.h>
#include <net/pfkeyv2.h>
#endif
#include "ipsec_strerror.h"
int
ipsec_get_policylen(policy)
caddr_t policy;
{
return policy ? PFKEY_EXTLEN(policy) : -1;
}


@ -0,0 +1,332 @@
.\" $KAME: ipsec_set_policy.3,v 1.15 2001/08/17 07:21:36 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd February 14, 2006
.Dt IPSEC_SET_POLICY 3
.Os
.Sh NAME
.Nm ipsec_set_policy ,
.Nm ipsec_get_policylen ,
.Nm ipsec_dump_policy
.Nd create an IPsec policy structure from a human readable string
.\"
.Sh LIBRARY
.Lb libipsec
.Sh SYNOPSIS
.In netipsec/ipsec.h
.Ft "char *"
.Fn ipsec_set_policy "char *policy" "int len"
.Ft int
.Fn ipsec_get_policylen "char *buf"
.Ft "char *"
.Fn ipsec_dump_policy "char *buf" "char *delim"
.Sh DESCRIPTION
The
.Fn ipsec_set_policy
function generates an IPsec policy specification structure,
.Li struct sadb_x_policy
and/or
.Li struct sadb_x_ipsecrequest
from a human-readable policy specification.
The policy specification must be given as a C string,
passed in the
.Fa policy
argument and the length of the string, given as
.Fa len .
The
.Fn ipsec_set_policy
function returns pointer to a buffer which contains a properly formed
IPsec policy specification structure.
The buffer is dynamically allocated, and must be freed by using the
.Xr free 3
library function.
.Pp
The
.Fn ipsec_get_policylen
function will returns the of the buffer which is needed when passing
the specification structure to the
.Xr setsockopt 2
system call.
.Pp
The
.Fn ipsec_dump_policy
function converts an IPsec policy structure into a human readable form.
The
.Fa buf
argument points to an IPsec policy structure,
.Li struct sadb_x_policy .
.Fa delim
is a delimiter string, which is usually a blank character.
If you set
.Fa delim
to
.Dv NULL ,
a single white space is assumed.
The
.Fn ipsec_dump_policy
function returns a pointer to dynamically allocated string.
It is the caller's responsibility to free the returned pointer using the
.Xr free 3
library call.
.Pp
A
.Fa policy
is given in the following way:
.Bl -tag -width "discard"
.It Ar direction Li discard
The
.Ar direction
must be
.Li in
or
.Li out
and
specifies which direction the policy needs to be applied, either on
inbound or outbound packets.
When the
.Li discard
policy is selected, packets will be dropped if they match the policy.
.It Ar direction Li entrust
.Li entrust
means to consult the security policy database
(SPD)
in the kernel, as controlled by
.Xr setkey 8 .
.It Ar direction Li bypass
A direction of
.Li bypass
indicates that IPsec processing should not occur and that the
packet will be transmitted in clear.
The bypass option is only
available to privileged sockets.
.It Xo
.Ar direction
.Li ipsec
.Ar request ...
.Xc
A direction of
.Li ipsec
means that matching packets are processed by IPsec.
.Li ipsec
can be followed by one or more
.Ar request
string, which is formatted as:
.Bl -tag -width "discard"
.It Xo
.Ar protocol
.Li /
.Ar mode
.Li /
.Ar src
.Li -
.Ar dst
.Op Ar /level
.Xc
The
.Ar protocol
is one of:
.Li ah ,
.Li esp
or
.Li ipcomp
indicating Authentication Header, Encapsulating Security Protocol or
IP Compression protocol is used.
.Pp
The
.Ar mode
is either
.Li transport
or
.Li tunnel
the meanings of both modes are described in
.Xr ipsec 4 .
.Pp
The
.Ar src
and
.Ar dst
specify the IP address, either v4 or v6, of the source and destination systems.
The
.Ar src
always stands for the
.Dq sending node
and
.Ar dst
always stands for the
.Dq receiving node .
When
.Ar direction
is
.Li in ,
.Ar dst
is this local node
and
.Ar src
is the remote node or peer.
If
.Ar mode
is
.Li transport ,
both
.Ar src
and
.Ar dst
can be omitted.
.Pp
The
.Ar level
must be set to one of the following:
.Li default , use , require
or
.Li unique .
.Li default
means that the kernel should consult the default security policies as
defined by a set of
.Xr sysctl 8 ,
variables.
The relevant
.Xr sysctl 8
variables are described in
.Xr ipsec 4 .
.Pp
When
.Li use
is selected a relevant security association
(SA)
can be used when available but is not necessary.
If the SA is available then packets will be handled by IPsec,
i.e., encrypted and/or authenticated but if an SA is not available then
packets will be transmitted in the clear.
The
.Li use
option is not recommended because it allows for accidental
mis-configurations where encrypted or authenticated link becomes
unencrypted or unauthenticated, the
.Li require
keyword is recommended instead of
.Li use
where possible.
Using the
.Li require
keyword means that a relevant SA is required,
and that the kernel must perform IPsec processing on all matching
packets.
.Pp
The
.Li unique
keyword has the same effect as
.Li require ,
but adds the restriction that the SA for outbound traffic is used
only for this policy.
You may need the identifier in order to relate the policy and the SA
when you define the SA by manual keying using
.Xr setkey 8 .
Put the decimal number as the identifier after the
.Li unique
keyword in this way:
.Li unique : number ,
where
.Li number
must be between 1 and 32767.
.Pp
If the
.Ar request
string is kept unambiguous,
.Ar level
and the slash prior to
.Ar level
can be omitted but you are encouraged to specify them explicitly
to avoid unintended behaviors.
If
.Ar level
is omitted, it will be interpreted as
.Li default .
.El
.El
.Pp
Note that there is a difference between the specification allowed here
and in
.Xr setkey 8 .
When specifying security policies with
.Xr setkey 8 ,
neither entrust nor bypass are used.
Refer to
.Xr setkey 8
for details.
.Sh RETURN VALUES
The
.Fn ipsec_set_policy
function returns a pointer to the allocated buffer containing a the
policy specification if successful; otherwise a NULL pointer is
returned.
.Pp
The
.Fn ipsec_get_policylen
function returns a positive value,
indicating the buffer size,
on success, and a negative value on error.
.Pp
The
.Fn ipsec_dump_policy
function returns a pointer to a dynamically allocated region
containing a human readable security policy on success, and
.Dv NULL
on error.
.Sh EXAMPLES
Set a policy that all inbound packets are discarded.
.Pp
.Dl "in discard"
.Pp
.\"
All outbound packets are required to be processed by IPsec and
transported using ESP.
.Pp
.Dl "out ipsec esp/transport//require"
.Pp
.\"
All inbound packets are required to be authenticated using the AH protocol.
.Pp
.Dl "in ipsec ah/transport//require"
.Pp
.\"
Tunnel packets outbound through the endpoints at 10.1.1.2 and 10.1.1.1.
.Pp
.Dl "out ipsec esp/tunnel/10.1.1.2-10.1.1.1/require"
.Sh SEE ALSO
.Xr ipsec_strerror 3 ,
.Xr ipsec 4 ,
.Xr setkey 8
.Sh HISTORY
These functions first appeared in WIDE/KAME IPv6 protocol stack kit.
.Pp
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
was initially integrated into
.Fx 4.0 .


@ -0,0 +1,90 @@
.\" $KAME: ipsec_strerror.3,v 1.9 2001/08/17 07:21:36 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd February 14, 2006
.Dt IPSEC_STRERROR 3
.Os
.\"
.Sh NAME
.Nm ipsec_strerror
.Nd error messages for the IPsec policy manipulation library
.\"
.Sh SYNOPSIS
.In netipsec/ipsec.h
.Ft "const char *"
.Fn ipsec_strerror
.\"
.Sh DESCRIPTION
.In netipsec/ipsec.h
declares
.Pp
.Dl extern int ipsec_errcode;
.Pp
which is used to pass an error code from IPsec policy manipulation library
to a user program.
The
.Fn ipsec_strerror
function can be used to obtain the error message string for the error code.
.Pp
The array pointed to is not to be modified by the program.
Since
.Fn ipsec_strerror
uses
.Xr strerror 3
as an underlying function, calling
.Xr strerror 3
after
.Fn ipsec_strerror
would overwrite the the return value from
.Fn ipsec_strerror
and make it invalid.
.\"
.Sh RETURN VALUES
The
.Fn ipsec_strerror
function always returns a pointer to C string.
The C string must not be overwritten by the caller.
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3
.\"
.Sh HISTORY
The
.Fn ipsec_strerror
function first appeared in WIDE/KAME IPv6 protocol stack kit.
.\"
.Sh BUGS
The
.Fn ipsec_strerror
function will return its result which may be overwritten by subsequent calls.
.Pp
.Va ipsec_errcode
is not thread safe.


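--- /dev/null
+++ b/lib/libipsec/ipsec_strerror.c
@@ -0,0 +1,94 @@
+/* $KAME: ipsec_strerror.c,v 1.7 2000/07/30 00:45:12 itojun Exp $ */
+/*
+* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+* 3. Neither the name of the project nor the names of its contributors
+* may be used to endorse or promote products derived from this software
+* without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*/
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+#include <sys/types.h>
+#include <sys/param.h>
+#include <string.h>
+#ifdef __rtems__
+#include <freebsd/netipsec/ipsec.h>
+#else
+#include <netipsec/ipsec.h>
+#endif
+#include "ipsec_strerror.h"
+int __ipsec_errcode;
+static const char *ipsec_errlist[] = {
+"Success", /*EIPSEC_NO_ERROR*/
+"Not supported", /*EIPSEC_NOT_SUPPORTED*/
+"Invalid argument", /*EIPSEC_INVAL_ARGUMENT*/
+"Invalid sadb message", /*EIPSEC_INVAL_SADBMSG*/
+"Invalid version", /*EIPSEC_INVAL_VERSION*/
+"Invalid security policy", /*EIPSEC_INVAL_POLICY*/
+"Invalid address specification", /*EIPSEC_INVAL_ADDRESS*/
+"Invalid ipsec protocol", /*EIPSEC_INVAL_PROTO*/
+"Invalid ipsec mode", /*EIPSEC_INVAL_MODE*/
+"Invalid ipsec level", /*EIPSEC_INVAL_LEVEL*/
+"Invalid SA type", /*EIPSEC_INVAL_SATYPE*/
+"Invalid message type", /*EIPSEC_INVAL_MSGTYPE*/
+"Invalid extension type", /*EIPSEC_INVAL_EXTTYPE*/
+"Invalid algorithm type", /*EIPSEC_INVAL_ALGS*/
+"Invalid key length", /*EIPSEC_INVAL_KEYLEN*/
+"Invalid address family", /*EIPSEC_INVAL_FAMILY*/
+"Invalid prefix length", /*EIPSEC_INVAL_PREFIXLEN*/
+"Invalid direciton", /*EIPSEC_INVAL_DIR*/
+"SPI range violation", /*EIPSEC_INVAL_SPI*/
+"No protocol specified", /*EIPSEC_NO_PROTO*/
+"No algorithm specified", /*EIPSEC_NO_ALGS*/
+"No buffers available", /*EIPSEC_NO_BUFS*/
+"Must get supported algorithms list first", /*EIPSEC_DO_GET_SUPP_LIST*/
+"Protocol mismatch", /*EIPSEC_PROTO_MISMATCH*/
+"Family mismatch", /*EIPSEC_FAMILY_MISMATCH*/
+"Too few arguments", /*EIPSEC_FEW_ARGUMENTS*/
+NULL, /*EIPSEC_SYSTEM_ERROR*/
+"Unknown error", /*EIPSEC_MAX*/
+};
+const char *ipsec_strerror(void)
+{
+if (__ipsec_errcode < 0 || __ipsec_errcode > EIPSEC_MAX)
+__ipsec_errcode = EIPSEC_MAX;
+return ipsec_errlist[__ipsec_errcode];
+}
+void __ipsec_set_strerror(const char *str)
+{
+__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
+ipsec_errlist[EIPSEC_SYSTEM_ERROR] = str;
+return;
+}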
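Review bot: ipsec_strerror() can hand back NULL: the EIPSEC_SYSTEM_ERROR slot of ipsec_errlist starts out NULL and is only filled by __ipsec_set_strerror(), yet __ipsec_errcode is an extern that any caller may set to EIPSEC_SYSTEM_ERROR directly, and pfkey_sadump/pfkey_spdump pass the result straight to printf("%s\n", ...). Add a fallback before the return, `if (ipsec_errlist[__ipsec_errcode] == NULL) return ipsec_errlist[EIPSEC_MAX];`. __ipsec_set_strerror() also stores the caller's pointer rather than copying it, so the string must stay valid until the next error is set (the gai_strerror() results the parser passes in are static, which is fine); a one-line comment on the function, `/* str is stored, not copied: it must outlive the next ipsec_strerror() call */`, would make that contract visible. The misspelt "Invalid direciton" string is inherited from the upstream KAME source and is user-visible, so it is worth fixing at the same time.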


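--- /dev/null
+++ b/lib/libipsec/ipsec_strerror.h
@@ -0,0 +1,63 @@
+/* $FreeBSD$ */
+/* $KAME: ipsec_strerror.h,v 1.8 2000/07/30 00:45:12 itojun Exp $ */
+/*
+* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+* 3. Neither the name of the project nor the names of its contributors
+* may be used to endorse or promote products derived from this software
+* without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*/
+extern int __ipsec_errcode;
+extern void __ipsec_set_strerror(const char *);
+#define EIPSEC_NO_ERROR 0 /*success*/
+#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
+#define EIPSEC_INVAL_ARGUMENT 2 /*invalid argument*/
+#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
+#define EIPSEC_INVAL_VERSION 4 /*invalid version*/
+#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
+#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/
+#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/
+#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/
+#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/
+#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/
+#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/
+#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/
+#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/
+#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/
+#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/
+#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/
+#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/
+#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/
+#define EIPSEC_NO_PROTO 19 /*no protocol specified*/
+#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/
+#define EIPSEC_NO_BUFS 21 /*no buffers available*/
+#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/
+#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/
+#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/
+#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/
+#define EIPSEC_SYSTEM_ERROR 26 /*system error*/
+#define EIPSEC_MAX 27 /*unknown error*/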
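Review bot: The comments on EIPSEC_INVAL_PREFIXLEN and EIPSEC_INVAL_SPI are swapped relative to the strings in ipsec_strerror.c, where index 16 prints "Invalid prefix length" and index 18 prints "SPI range violation"; change them to `#define EIPSEC_INVAL_PREFIXLEN 16 /*invalid prefix length*/` and `#define EIPSEC_INVAL_SPI 18 /*SPI range violation*/`. Because these codes index ipsec_errlist directly, a header comment saying that the table in ipsec_strerror.c must be kept in exactly this order (and that EIPSEC_MAX is both the sentinel and the last valid index) would make the coupling visible to whoever adds the next code. The header also has no include guard; harmless today since it holds only extern declarations and identical macro redefinitions, but worth adding (`#ifndef _IPSEC_STRERROR_H_`) before anything else lands in it.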


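--- /dev/null
+++ b/lib/libipsec/libpfkey.h
@@ -0,0 +1,86 @@
+/* $FreeBSD$ */
+/* $KAME: libpfkey.h,v 1.6 2001/03/05 18:22:17 thorpej Exp $ */
+/*
+* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+* 3. Neither the name of the project nor the names of its contributors
+* may be used to endorse or promote products derived from this software
+* without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*/
+struct sadb_msg;
+extern void pfkey_sadump(struct sadb_msg *);
+extern void pfkey_spdump(struct sadb_msg *);
+struct sockaddr;
+struct sadb_alg;
+int ipsec_check_keylen(u_int, u_int, u_int);
+int ipsec_check_keylen2(u_int, u_int, u_int);
+int ipsec_get_keylen(u_int, u_int, struct sadb_alg *);
+u_int pfkey_set_softrate(u_int, u_int);
+u_int pfkey_get_softrate(u_int);
+int pfkey_send_getspi(int, u_int, u_int, struct sockaddr *, struct sockaddr *,
+u_int32_t, u_int32_t, u_int32_t, u_int32_t);
+int pfkey_send_update(int, u_int, u_int, struct sockaddr *, struct sockaddr *,
+u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int,
+u_int, u_int32_t, u_int64_t, u_int64_t, u_int64_t, u_int32_t);
+int pfkey_send_add(int, u_int, u_int, struct sockaddr *, struct sockaddr *,
+u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int,
+u_int, u_int32_t, u_int64_t, u_int64_t, u_int64_t, u_int32_t);
+int pfkey_send_delete(int, u_int, u_int, struct sockaddr *, struct sockaddr *,
+u_int32_t);
+int pfkey_send_delete_all(int, u_int, u_int, struct sockaddr *,
+struct sockaddr *);
+int pfkey_send_get(int, u_int, u_int, struct sockaddr *, struct sockaddr *,
+u_int32_t);
+int pfkey_send_register(int, u_int);
+int pfkey_recv_register(int);
+int pfkey_set_supported(struct sadb_msg *, int);
+int pfkey_send_flush(int, u_int);
+int pfkey_send_dump(int, u_int);
+int pfkey_send_promisc_toggle(int, int);
+int pfkey_send_spdadd(int, struct sockaddr *, u_int, struct sockaddr *, u_int,
+u_int, caddr_t, int, u_int32_t);
+int pfkey_send_spdadd2(int, struct sockaddr *, u_int, struct sockaddr *, u_int,
+u_int, u_int64_t, u_int64_t, caddr_t, int, u_int32_t);
+int pfkey_send_spdupdate(int, struct sockaddr *, u_int, struct sockaddr *,
+u_int, u_int, caddr_t, int, u_int32_t);
+int pfkey_send_spdupdate2(int, struct sockaddr *, u_int, struct sockaddr *,
+u_int, u_int, u_int64_t, u_int64_t, caddr_t, int, u_int32_t);
+int pfkey_send_spddelete(int, struct sockaddr *, u_int, struct sockaddr *,
+u_int, u_int, caddr_t, int, u_int32_t);
+int pfkey_send_spddelete2(int, u_int32_t);
+int pfkey_send_spdget(int, u_int32_t);
+int pfkey_send_spdsetidx(int, struct sockaddr *, u_int, struct sockaddr *,
+u_int, u_int, caddr_t, int, u_int32_t);
+int pfkey_send_spdflush(int);
+int pfkey_send_spddump(int);
+int pfkey_open(void);
+void pfkey_close(int);
+struct sadb_msg *pfkey_recv(int);
+int pfkey_send(int, struct sadb_msg *, int);
+int pfkey_align(struct sadb_msg *, caddr_t *);
+int pfkey_check(caddr_t *);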
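Review bot: The header has no include guard and uses u_int, u_int32_t, u_int64_t and caddr_t without including &lt;sys/types.h&gt;, so it only compiles when the including file has already pulled that header in (pfkey_dump.c happens to); add `#include <sys/types.h>` under an `#ifndef _LIBPFKEY_H_` guard so the header stands on its own. None of the prototypes carry parameter names, which for pfkey_send_update and pfkey_send_add (19 parameters, six adjacent u_int) leaves a caller with no way to tell the SA type, mode, key length and lifetime arguments apart from the declaration alone; naming them documents the interface without changing it. pfkey_sadump and pfkey_spdump are declared to take a non-const sadb_msg pointer although they only read the message — presumably because pfkey_align, which they call first, is itself non-const, so that would need to change together.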



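--- /dev/null
+++ b/lib/libipsec/pfkey_dump.c
@@ -0,0 +1,646 @@
+/* $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $ */
+/*
+* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+* 3. Neither the name of the project nor the names of its contributors
+* may be used to endorse or promote products derived from this software
+* without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*/
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#ifdef __rtems__
+#include <freebsd/netipsec/ipsec.h>
+#include <freebsd/net/pfkeyv2.h>
+#include <freebsd/netipsec/key_var.h>
+#include <freebsd/netipsec/key_debug.h>
+#include <freebsd/netinet/in.h>
+#else
+#include <netipsec/ipsec.h>
+#include <net/pfkeyv2.h>
+#include <netipsec/key_var.h>
+#include <netipsec/key_debug.h>
+#include <netinet/in.h>
+#endif
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <netdb.h>
+#include "ipsec_strerror.h"
+#include "libpfkey.h"
+/* cope with old kame headers - ugly */
+#ifndef SADB_X_AALG_MD5
+#define SADB_X_AALG_MD5 SADB_AALG_MD5
+#endif
+#ifndef SADB_X_AALG_SHA
+#define SADB_X_AALG_SHA SADB_AALG_SHA
+#endif
+#ifndef SADB_X_AALG_NULL
+#define SADB_X_AALG_NULL SADB_AALG_NULL
+#endif
+#ifndef SADB_X_EALG_BLOWFISHCBC
+#define SADB_X_EALG_BLOWFISHCBC SADB_EALG_BLOWFISHCBC
+#endif
+#ifndef SADB_X_EALG_CAST128CBC
+#define SADB_X_EALG_CAST128CBC SADB_EALG_CAST128CBC
+#endif
+#ifndef SADB_X_EALG_RC5CBC
+#ifdef SADB_EALG_RC5CBC
+#define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC
+#endif
+#endif
+#define GETMSGSTR(str, num) \
+do { \
+if (sizeof((str)[0]) == 0 \
+|| num >= sizeof(str)/sizeof((str)[0])) \
+printf("%u ", (num)); \
+else if (strlen((str)[(num)]) == 0) \
+printf("%u ", (num)); \
+else \
+printf("%s ", (str)[(num)]); \
+} while (0)
+#define GETMSGV2S(v2s, num) \
+do { \
+struct val2str *p; \
+for (p = (v2s); p && p->str; p++) { \
+if (p->val == (num)) \
+break; \
+} \
+if (p && p->str) \
+printf("%s ", p->str); \
+else \
+printf("%u ", (num)); \
+} while (0)
+static char *str_ipaddr(struct sockaddr *);
+static char *str_prefport(u_int, u_int, u_int, u_int);
+static void str_upperspec(u_int, u_int, u_int);
+static char *str_time(time_t);
+static void str_lifetime_byte(struct sadb_lifetime *, char *);
+struct val2str {
+int val;
+const char *str;
+};
+/*
+* Must to be re-written about following strings.
+*/
+static char *str_satype[] = {
+"unspec",
+"unknown",
+"ah",
+"esp",
+"unknown",
+"rsvp",
+"ospfv2",
+"ripv2",
+"mip",
+"ipcomp",
+"policy",
+"tcp"
+};
+static char *str_mode[] = {
+"any",
+"transport",
+"tunnel",
+};
+static char *str_state[] = {
+"larval",
+"mature",
+"dying",
+"dead",
+};
+static struct val2str str_alg_auth[] = {
+{ SADB_AALG_NONE, "none", },
+{ SADB_AALG_MD5HMAC, "hmac-md5", },
+{ SADB_AALG_SHA1HMAC, "hmac-sha1", },
+{ SADB_X_AALG_MD5, "md5", },
+{ SADB_X_AALG_SHA, "sha", },
+{ SADB_X_AALG_NULL, "null", },
+{ SADB_X_AALG_TCP_MD5, "tcp-md5", },
+#ifdef SADB_X_AALG_SHA2_256
+{ SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
+#endif
+#ifdef SADB_X_AALG_SHA2_384
+{ SADB_X_AALG_SHA2_384, "hmac-sha2-384", },
+#endif
+#ifdef SADB_X_AALG_SHA2_512
+{ SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
+#endif
+#ifdef SADB_X_AALG_RIPEMD160HMAC
+{ SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", },
+#endif
+#ifdef SADB_X_AALG_AES_XCBC_MAC
+{ SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", },
+#endif
+{ -1, NULL, },
+};
+static struct val2str str_alg_enc[] = {
+{ SADB_EALG_NONE, "none", },
+{ SADB_EALG_DESCBC, "des-cbc", },
+{ SADB_EALG_3DESCBC, "3des-cbc", },
+{ SADB_EALG_NULL, "null", },
+#ifdef SADB_X_EALG_RC5CBC
+{ SADB_X_EALG_RC5CBC, "rc5-cbc", },
+#endif
+{ SADB_X_EALG_CAST128CBC, "cast128-cbc", },
+{ SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", },
+#ifdef SADB_X_EALG_RIJNDAELCBC
+{ SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
+#endif
+#ifdef SADB_X_EALG_TWOFISHCBC
+{ SADB_X_EALG_TWOFISHCBC, "twofish-cbc", },
+#endif
+#ifdef SADB_X_EALG_AESCTR
+{ SADB_X_EALG_AESCTR, "aes-ctr", },
+#endif
+#ifdef SADB_X_EALG_CAMELLIACBC
+{ SADB_X_EALG_CAMELLIACBC, "camellia-cbc", },
+#endif
+{ -1, NULL, },
+};
+static struct val2str str_alg_comp[] = {
+{ SADB_X_CALG_NONE, "none", },
+{ SADB_X_CALG_OUI, "oui", },
+{ SADB_X_CALG_DEFLATE, "deflate", },
+{ SADB_X_CALG_LZS, "lzs", },
+{ -1, NULL, },
+};
+/*
+* dump SADB_MSG formated. For debugging, you should use kdebug_sadb().
+*/
+void
+pfkey_sadump(m)
+struct sadb_msg *m;
+{
+caddr_t mhp[SADB_EXT_MAX + 1];
+struct sadb_sa *m_sa;
+struct sadb_x_sa2 *m_sa2;
+struct sadb_lifetime *m_lftc, *m_lfth, *m_lfts;
+struct sadb_address *m_saddr, *m_daddr, *m_paddr;
+struct sadb_key *m_auth, *m_enc;
+struct sadb_ident *m_sid, *m_did;
+struct sadb_sens *m_sens;
+/* check pfkey message. */
+if (pfkey_align(m, mhp)) {
+printf("%s\n", ipsec_strerror());
+return;
+}
+if (pfkey_check(mhp)) {
+printf("%s\n", ipsec_strerror());
+return;
+}
+m_sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
+m_sa2 = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2];
+m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
+m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
+m_lfts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
+m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
+m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+m_paddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_PROXY];
+m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
+m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
+m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
+m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
+m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
+/* source address */
+if (m_saddr == NULL) {
+printf("no ADDRESS_SRC extension.\n");
+return;
+}
+printf("%s ", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
+/* destination address */
+if (m_daddr == NULL) {
+printf("no ADDRESS_DST extension.\n");
+return;
+}
+printf("%s ", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
+/* SA type */
+if (m_sa == NULL) {
+printf("no SA extension.\n");
+return;
+}
+if (m_sa2 == NULL) {
+printf("no SA2 extension.\n");
+return;
+}
+printf("\n\t");
+GETMSGSTR(str_satype, m->sadb_msg_satype);
+printf("mode=");
+GETMSGSTR(str_mode, m_sa2->sadb_x_sa2_mode);
+printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n",
+(u_int32_t)ntohl(m_sa->sadb_sa_spi),
+(u_int32_t)ntohl(m_sa->sadb_sa_spi),
+(u_int32_t)m_sa2->sadb_x_sa2_reqid,
+(u_int32_t)m_sa2->sadb_x_sa2_reqid);
+/* encryption key */
+if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
+printf("\tC: ");
+GETMSGV2S(str_alg_comp, m_sa->sadb_sa_encrypt);
+} else if (m->sadb_msg_satype == SADB_SATYPE_ESP) {
+if (m_enc != NULL) {
+printf("\tE: ");
+GETMSGV2S(str_alg_enc, m_sa->sadb_sa_encrypt);
+ipsec_hexdump((caddr_t)m_enc + sizeof(*m_enc),
+m_enc->sadb_key_bits / 8);
+printf("\n");
+}
+}
+/* authentication key */
+if (m_auth != NULL) {
+printf("\tA: ");
+GETMSGV2S(str_alg_auth, m_sa->sadb_sa_auth);
+ipsec_hexdump((caddr_t)m_auth + sizeof(*m_auth),
+m_auth->sadb_key_bits / 8);
+printf("\n");
+}
+/* replay windoe size & flags */
+printf("\tseq=0x%08x replay=%u flags=0x%08x ",
+m_sa2->sadb_x_sa2_sequence,
+m_sa->sadb_sa_replay,
+m_sa->sadb_sa_flags);
+/* state */
+printf("state=");
+GETMSGSTR(str_state, m_sa->sadb_sa_state);
+printf("\n");
+/* lifetime */
+if (m_lftc != NULL) {
+time_t tmp_time = time(0);
+printf("\tcreated: %s",
+str_time(m_lftc->sadb_lifetime_addtime));
+printf("\tcurrent: %s\n", str_time(tmp_time));
+printf("\tdiff: %lu(s)",
+(u_long)(m_lftc->sadb_lifetime_addtime == 0 ?
+0 : (tmp_time - m_lftc->sadb_lifetime_addtime)));
+printf("\thard: %lu(s)",
+(u_long)(m_lfth == NULL ?
+0 : m_lfth->sadb_lifetime_addtime));
+printf("\tsoft: %lu(s)\n",
+(u_long)(m_lfts == NULL ?
+0 : m_lfts->sadb_lifetime_addtime));
+printf("\tlast: %s",
+str_time(m_lftc->sadb_lifetime_usetime));
+printf("\thard: %lu(s)",
+(u_long)(m_lfth == NULL ?
+0 : m_lfth->sadb_lifetime_usetime));
+printf("\tsoft: %lu(s)\n",
+(u_long)(m_lfts == NULL ?
+0 : m_lfts->sadb_lifetime_usetime));
+str_lifetime_byte(m_lftc, "current");
+str_lifetime_byte(m_lfth, "hard");
+str_lifetime_byte(m_lfts, "soft");
+printf("\n");
+printf("\tallocated: %lu",
+(unsigned long)m_lftc->sadb_lifetime_allocations);
+printf("\thard: %lu",
+(u_long)(m_lfth == NULL ?
+0 : m_lfth->sadb_lifetime_allocations));
+printf("\tsoft: %lu\n",
+(u_long)(m_lfts == NULL ?
+0 : m_lfts->sadb_lifetime_allocations));
+}
+printf("\tsadb_seq=%lu pid=%lu ",
+(u_long)m->sadb_msg_seq,
+(u_long)m->sadb_msg_pid);
+/* XXX DEBUG */
+printf("refcnt=%u\n", m->sadb_msg_reserved);
+return;
+}
+void
+pfkey_spdump(m)
+struct sadb_msg *m;
+{
+char pbuf[NI_MAXSERV];
+caddr_t mhp[SADB_EXT_MAX + 1];
+struct sadb_address *m_saddr, *m_daddr;
+struct sadb_x_policy *m_xpl;
+struct sadb_lifetime *m_lftc = NULL, *m_lfth = NULL;
+struct sockaddr *sa;
+u_int16_t sport = 0, dport = 0;
+/* check pfkey message. */
+if (pfkey_align(m, mhp)) {
+printf("%s\n", ipsec_strerror());
+return;
+}
+if (pfkey_check(mhp)) {
+printf("%s\n", ipsec_strerror());
+return;
+}
+m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
+m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+m_xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
+m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
+if (m_saddr && m_daddr) {
+/* source address */
+sa = (struct sockaddr *)(m_saddr + 1);
+switch (sa->sa_family) {
+case AF_INET:
+case AF_INET6:
+if (getnameinfo(sa, sa->sa_len, NULL, 0,
+pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
+sport = 0; /*XXX*/
+else
+sport = atoi(pbuf);
+printf("%s%s ", str_ipaddr(sa),
+str_prefport(sa->sa_family,
+m_saddr->sadb_address_prefixlen, sport,
+m_saddr->sadb_address_proto));
+break;
+default:
+printf("unknown-af ");
+break;
+}
+/* destination address */
+sa = (struct sockaddr *)(m_daddr + 1);
+switch (sa->sa_family) {
+case AF_INET:
+case AF_INET6:
+if (getnameinfo(sa, sa->sa_len, NULL, 0,
+pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
+dport = 0; /*XXX*/
+else
+dport = atoi(pbuf);
+printf("%s%s ", str_ipaddr(sa),
+str_prefport(sa->sa_family,
+m_daddr->sadb_address_prefixlen, dport,
+m_saddr->sadb_address_proto));
+break;
+default:
+printf("unknown-af ");
+break;
+}
+/* upper layer protocol */
+if (m_saddr->sadb_address_proto !=
+m_daddr->sadb_address_proto) {
+printf("upper layer protocol mismatched.\n");
+return;
+}
+str_upperspec(m_saddr->sadb_address_proto, sport, dport);
+}
+else
+printf("(no selector, probably per-socket policy) ");
+/* policy */
+{
+char *d_xpl;
+if (m_xpl == NULL) {
+printf("no X_POLICY extension.\n");
+return;
+}
+d_xpl = ipsec_dump_policy((char *)m_xpl, "\n\t");
+/* dump SPD */
+printf("\n\t%s\n", d_xpl);
+free(d_xpl);
+}
+/* lifetime */
+if (m_lftc) {
+printf("\tcreated: %s ",
+str_time(m_lftc->sadb_lifetime_addtime));
+printf("lastused: %s\n",
+str_time(m_lftc->sadb_lifetime_usetime));
+}
+if (m_lfth) {
+printf("\tlifetime: %lu(s) ",
+(u_long)m_lfth->sadb_lifetime_addtime);
+printf("validtime: %lu(s)\n",
+(u_long)m_lfth->sadb_lifetime_usetime);
+}
+printf("\tspid=%ld seq=%ld pid=%ld\n",
+(u_long)m_xpl->sadb_x_policy_id,
+(u_long)m->sadb_msg_seq,
+(u_long)m->sadb_msg_pid);
+/* XXX TEST */
+printf("\trefcnt=%u\n", m->sadb_msg_reserved);
+return;
+}
+/*
+* set "ipaddress" to buffer.
+*/
+static char *
+str_ipaddr(sa)
+struct sockaddr *sa;
+{
+static char buf[NI_MAXHOST];
+const int niflag = NI_NUMERICHOST;
+if (sa == NULL)
+return "";
+if (getnameinfo(sa, sa->sa_len, buf, sizeof(buf), NULL, 0, niflag) == 0)
+return buf;
+return NULL;
+}
+/*
+* set "/prefix[port number]" to buffer.
+*/
+static char *
+str_prefport(family, pref, port, ulp)
+u_int family, pref, port, ulp;
+{
+static char buf[128];
+char prefbuf[128];
+char portbuf[128];
+int plen;
+switch (family) {
+case AF_INET:
+plen = sizeof(struct in_addr) << 3;
+break;
+case AF_INET6:
+plen = sizeof(struct in6_addr) << 3;
+break;
+default:
+return "?";
+}
+if (pref == plen)
+prefbuf[0] = '\0';
+else
+snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
+if (ulp == IPPROTO_ICMPV6)
+memset(portbuf, 0, sizeof(portbuf));
+else {
+if (port == IPSEC_PORT_ANY)
+snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
+else
+snprintf(portbuf, sizeof(portbuf), "[%u]", port);
+}
+snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
+return buf;
+}
+static void
+str_upperspec(ulp, p1, p2)
+u_int ulp, p1, p2;
+{
+if (ulp == IPSEC_ULPROTO_ANY)
+printf("any");
+else if (ulp == IPPROTO_ICMPV6) {
+printf("icmp6");
+if (!(p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY))
+printf(" %u,%u", p1, p2);
+} else {
+struct protoent *ent;
+switch (ulp) {
+case IPPROTO_IPV4:
+printf("ip4");
+break;
+default:
+ent = getprotobynumber(ulp);
+if (ent)
+printf("%s", ent->p_name);
+else
+printf("%u", ulp);
+endprotoent();
+break;
+}
+}
+}
+/*
+* set "Mon Day Time Year" to buffer
+*/
+static char *
+str_time(t)
+time_t t;
+{
+static char buf[128];
+if (t == 0) {
+int i = 0;
+for (;i < 20;) buf[i++] = ' ';
+} else {
+char *t0;
+t0 = ctime(&t);
+memcpy(buf, t0 + 4, 20);
+}
+buf[20] = '\0';
+return(buf);
+}
+static void
+str_lifetime_byte(x, str)
+struct sadb_lifetime *x;
+char *str;
+{
+double y;
+char *unit;
+int w;
+if (x == NULL) {
+printf("\t%s: 0(bytes)", str);
+return;
+}
+#if 0
+if ((x->sadb_lifetime_bytes) / 1024 / 1024) {
+y = (x->sadb_lifetime_bytes) * 1.0 / 1024 / 1024;
+unit = "M";
+w = 1;
+} else if ((x->sadb_lifetime_bytes) / 1024) {
+y = (x->sadb_lifetime_bytes) * 1.0 / 1024;
+unit = "K";
+w = 1;
+} else {
+y = (x->sadb_lifetime_bytes) * 1.0;
+unit = "";
+w = 0;
+}
+#else
+y = (x->sadb_lifetime_bytes) * 1.0;
+unit = "";
+w = 0;
+#endif
+printf("\t%s: %.*f(%sbytes)", str, w, y, unit);
+}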
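Review bot: str_ipaddr() returns NULL when getnameinfo() fails, and all four callers (the SA source/destination lines in pfkey_sadump and the selector lines in pfkey_spdump) pass that result straight to printf("%s ...", ...), which is undefined behaviour for a NULL argument and crashes on libcs that do not special-case it; return a placeholder instead, `return "?";`, matching what str_prefport already does for an unknown family. str_time() has the same shape of problem: ctime() returns NULL for a time_t it cannot format and `memcpy(buf, t0 + 4, 20)` then dereferences it, so guard it with `if (t0 == NULL) { buf[0] = '\0'; return buf; }`. Both helpers (and str_prefport) hand back a static buffer that is only valid until the next call, which is why each printf above takes a single str_ipaddr/str_time argument — a `/* returns a static buffer; not reentrant */` comment on each would keep the next edit from combining two in one format string. Minor: the destination line in pfkey_spdump passes `m_saddr->sadb_address_proto` rather than `m_daddr->sadb_address_proto` to str_prefport; harmless only because of the mismatch check that follows.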


@ -0,0 +1,966 @@
#ifndef lint
static const char yysccsid[] = "@(#)yaccpar 1.9 (Berkeley) 02/21/93";
#endif
#define YYBYACC 1
#define YYMAJOR 1
#define YYMINOR 9
#define YYPATCH 20101229
#define YYEMPTY (-1)
#define yyclearin (yychar = YYEMPTY)
#define yyerrok (yyerrflag = 0)
#define YYRECOVERING() (yyerrflag != 0)
#ifndef yyparse
#define yyparse __libipsecyyparse
#endif /* yyparse */
#ifndef yylex
#define yylex __libipsecyylex
#endif /* yylex */
#ifndef yyerror
#define yyerror __libipsecyyerror
#endif /* yyerror */
#ifndef yychar
#define yychar __libipsecyychar
#endif /* yychar */
#ifndef yyval
#define yyval __libipsecyyval
#endif /* yyval */
#ifndef yylval
#define yylval __libipsecyylval
#endif /* yylval */
#ifndef yydebug
#define yydebug __libipsecyydebug
#endif /* yydebug */
#ifndef yynerrs
#define yynerrs __libipsecyynerrs
#endif /* yynerrs */
#ifndef yyerrflag
#define yyerrflag __libipsecyyerrflag
#endif /* yyerrflag */
#ifndef yylhs
#define yylhs __libipsecyylhs
#endif /* yylhs */
#ifndef yylen
#define yylen __libipsecyylen
#endif /* yylen */
#ifndef yydefred
#define yydefred __libipsecyydefred
#endif /* yydefred */
#ifndef yydgoto
#define yydgoto __libipsecyydgoto
#endif /* yydgoto */
#ifndef yysindex
#define yysindex __libipsecyysindex
#endif /* yysindex */
#ifndef yyrindex
#define yyrindex __libipsecyyrindex
#endif /* yyrindex */
#ifndef yygindex
#define yygindex __libipsecyygindex
#endif /* yygindex */
#ifndef yytable
#define yytable __libipsecyytable
#endif /* yytable */
#ifndef yycheck
#define yycheck __libipsecyycheck
#endif /* yycheck */
#ifndef yyname
#define yyname __libipsecyyname
#endif /* yyname */
#ifndef yyrule
#define yyrule __libipsecyyrule
#endif /* yyrule */
#define YYPREFIX "__libipsecyy"
#define YYPURE 0
#line 52 "lib/libipsec/policy_parse.y"
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef __rtems__
#include <freebsd/netipsec/ipsec.h>
#else
#include <netipsec/ipsec.h>
#endif
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include "ipsec_strerror.h"
#define ATOX(c) \
(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
static caddr_t pbuf = NULL; /* sadb_x_policy buffer */
static int tlen = 0; /* total length of pbuf */
static int offset = 0; /* offset of pbuf */
static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
static struct sockaddr *p_src = NULL;
static struct sockaddr *p_dst = NULL;
struct _val;
extern void yyerror(char *msg);
static struct sockaddr *parse_sockaddr(struct _val *buf);
static int rule_check(void);
static int init_x_policy(void);
static int set_x_request(struct sockaddr *src, struct sockaddr *dst);
static int set_sockaddr(struct sockaddr *addr);
static void policy_parse_request_init(void);
static caddr_t policy_parse(char *msg, int msglen);
extern void __policy__strbuffer__init__(char *msg);
extern void __policy__strbuffer__free__(void);
extern int yyparse(void);
extern int yylex(void);
extern char *__libipsecyytext; /*XXX*/
#line 102 "lib/libipsec/policy_parse.y"
#ifdef YYSTYPE
#undef YYSTYPE_IS_DECLARED
#define YYSTYPE_IS_DECLARED 1
#endif
#ifndef YYSTYPE_IS_DECLARED
#define YYSTYPE_IS_DECLARED 1
typedef union {
u_int num;
struct _val {
int len;
char *buf;
} val;
} YYSTYPE;
#endif /* !YYSTYPE_IS_DECLARED */
#line 163 "lib/libipsec/policy_parse.i"
/* compatibility with bison */
#ifdef YYPARSE_PARAM
/* compatibility with FreeBSD */
# ifdef YYPARSE_PARAM_TYPE
# define YYPARSE_DECL() yyparse(YYPARSE_PARAM_TYPE YYPARSE_PARAM)
# else
# define YYPARSE_DECL() yyparse(void *YYPARSE_PARAM)
# endif
#else
# define YYPARSE_DECL() yyparse(void)
#endif
/* Parameters sent to lex. */
#ifdef YYLEX_PARAM
# define YYLEX_DECL() yylex(void *YYLEX_PARAM)
# define YYLEX yylex(YYLEX_PARAM)
#else
# define YYLEX_DECL() yylex(void)
# define YYLEX yylex()
#endif
/* Parameters sent to yyerror. */
#define YYERROR_DECL() yyerror(const char *s)
#define YYERROR_CALL(msg) yyerror(msg)
extern int YYPARSE_DECL();
#define DIR 257
#define ACTION 258
#define PROTOCOL 259
#define MODE 260
#define LEVEL 261
#define LEVEL_SPECIFY 262
#define IPADDRESS 263
#define ME 264
#define ANY 265
#define SLASH 266
#define HYPHEN 267
#define YYERRCODE 256
static const short __libipsecyylhs[] = { -1,
2, 0, 0, 1, 1, 3, 3, 3, 3, 3,
3, 3, 3, 4, 5, 7, 7, 8, 6, 6,
6,
};
static const short __libipsecyylen[] = { 2,
0, 4, 1, 0, 2, 7, 6, 5, 4, 6,
3, 2, 1, 1, 1, 1, 1, 0, 4, 3,
3,
};
static const short __libipsecyydefred[] = { 0,
0, 0, 1, 4, 0, 14, 5, 0, 0, 15,
0, 0, 18, 0, 0, 0, 0, 0, 0, 0,
16, 17, 10, 0, 0, 20, 21, 6, 19,
};
static const short __libipsecyydgoto[] = { 2,
5, 4, 7, 8, 11, 17, 23, 18,
};
static const short __libipsecyysindex[] = { -257,
-245, 0, 0, 0, -244, 0, 0, -252, -243, 0,
-248, -256, 0, -251, -247, -250, -242, -246, -240, -241,
0, 0, 0, -250, -237, 0, 0, 0, 0,
};
static const short __libipsecyyrindex[] = { 0,
19, 0, 0, 0, 22, 0, 0, 1, 2, 0,
3, 4, 0, 0, 0, 0, 5, 0, 0, 0,
0, 0, 0, 6, 0, 0, 0, 0, 0,
};
static const short __libipsecyygindex[] = { 0,
0, 0, 0, 0, 0, 0, 7, 0,
};
#define YYTABLESIZE 265
static const short __libipsecyytable[] = { 1,
13, 12, 11, 9, 8, 7, 13, 14, 15, 16,
21, 22, 3, 9, 6, 19, 10, 12, 3, 20,
25, 2, 27, 24, 26, 29, 0, 0, 0, 0,
28, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 13,
12, 11, 9, 8, 7,
};
static const short __libipsecyycheck[] = { 257,
0, 0, 0, 0, 0, 0, 263, 264, 265, 266,
261, 262, 258, 266, 259, 267, 260, 266, 0, 267,
267, 0, 264, 266, 265, 263, -1, -1, -1, -1,
24, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, 259,
259, 259, 259, 259, 259,
};
#define YYFINAL 2
#ifndef YYDEBUG
#define YYDEBUG 0
#endif
#define YYMAXTOKEN 267
#if YYDEBUG
static const char *yyname[] = {
"end-of-file",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"DIR","ACTION","PROTOCOL","MODE",
"LEVEL","LEVEL_SPECIFY","IPADDRESS","ME","ANY","SLASH","HYPHEN",
};
static const char *yyrule[] = {
"$accept : policy_spec",
"$$1 :",
"policy_spec : DIR ACTION $$1 rules",
"policy_spec : DIR",
"rules :",
"rules : rules rule",
"rule : protocol SLASH mode SLASH addresses SLASH level",
"rule : protocol SLASH mode SLASH addresses SLASH",
"rule : protocol SLASH mode SLASH addresses",
"rule : protocol SLASH mode SLASH",
"rule : protocol SLASH mode SLASH SLASH level",
"rule : protocol SLASH mode",
"rule : protocol SLASH",
"rule : protocol",
"protocol : PROTOCOL",
"mode : MODE",
"level : LEVEL",
"level : LEVEL_SPECIFY",
"$$2 :",
"addresses : IPADDRESS $$2 HYPHEN IPADDRESS",
"addresses : ME HYPHEN ANY",
"addresses : ANY HYPHEN ME",
};
#endif
/* define the initial stack-sizes */
#ifdef YYSTACKSIZE
#undef YYMAXDEPTH
#define YYMAXDEPTH YYSTACKSIZE
#else
#ifdef YYMAXDEPTH
#define YYSTACKSIZE YYMAXDEPTH
#else
#define YYSTACKSIZE 500
#define YYMAXDEPTH 500
#endif
#endif
#define YYINITSTACKSIZE 500
int yydebug;
int yynerrs;
typedef struct {
unsigned stacksize;
short *s_base;
short *s_mark;
short *s_last;
YYSTYPE *l_base;
YYSTYPE *l_mark;
} YYSTACKDATA;
int yyerrflag;
int yychar;
YYSTYPE yyval;
YYSTYPE yylval;
/* variables for the parser stack */
static YYSTACKDATA yystack;
#line 217 "lib/libipsec/policy_parse.y"
void
yyerror(msg)
char *msg;
{
fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
msg, __libipsecyytext);
return;
}
static struct sockaddr *
parse_sockaddr(buf)
struct _val *buf;
{
struct addrinfo hints, *res;
char *serv = NULL;
int error;
struct sockaddr *newaddr = NULL;
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_flags = AI_NUMERICHOST;
error = getaddrinfo(buf->buf, serv, &hints, &res);
if (error != 0) {
yyerror("invalid IP address");
__ipsec_set_strerror(gai_strerror(error));
return NULL;
}
if (res->ai_addr == NULL) {
yyerror("invalid IP address");
__ipsec_set_strerror(gai_strerror(error));
return NULL;
}
newaddr = malloc(res->ai_addr->sa_len);
if (newaddr == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
freeaddrinfo(res);
return NULL;
}
memcpy(newaddr, res->ai_addr, res->ai_addr->sa_len);
freeaddrinfo(res);
__ipsec_errcode = EIPSEC_NO_ERROR;
return newaddr;
}
static int
rule_check()
{
if (p_type == IPSEC_POLICY_IPSEC) {
if (p_protocol == IPPROTO_IP) {
__ipsec_errcode = EIPSEC_NO_PROTO;
return -1;
}
if (p_mode != IPSEC_MODE_TRANSPORT
&& p_mode != IPSEC_MODE_TUNNEL) {
__ipsec_errcode = EIPSEC_INVAL_MODE;
return -1;
}
if (p_src == NULL && p_dst == NULL) {
if (p_mode != IPSEC_MODE_TRANSPORT) {
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return -1;
}
}
else if (p_src->sa_family != p_dst->sa_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
}
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
static int
init_x_policy()
{
struct sadb_x_policy *p;
tlen = sizeof(struct sadb_x_policy);
pbuf = malloc(tlen);
if (pbuf == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
memset(pbuf, 0, tlen);
p = (struct sadb_x_policy *)pbuf;
p->sadb_x_policy_len = 0; /* must update later */
p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
p->sadb_x_policy_type = p_type;
p->sadb_x_policy_dir = p_dir;
p->sadb_x_policy_id = 0;
offset = tlen;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
static int
set_x_request(src, dst)
struct sockaddr *src, *dst;
{
struct sadb_x_ipsecrequest *p;
int reqlen;
reqlen = sizeof(*p)
+ (src ? src->sa_len : 0)
+ (dst ? dst->sa_len : 0);
tlen += reqlen; /* increment to total length */
pbuf = realloc(pbuf, tlen);
if (pbuf == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
p->sadb_x_ipsecrequest_len = reqlen;
p->sadb_x_ipsecrequest_proto = p_protocol;
p->sadb_x_ipsecrequest_mode = p_mode;
p->sadb_x_ipsecrequest_level = p_level;
p->sadb_x_ipsecrequest_reqid = p_reqid;
offset += sizeof(*p);
if (set_sockaddr(src) || set_sockaddr(dst))
return -1;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
static int
set_sockaddr(addr)
struct sockaddr *addr;
{
if (addr == NULL) {
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
/* tlen has already incremented */
memcpy(&pbuf[offset], addr, addr->sa_len);
offset += addr->sa_len;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
static void
policy_parse_request_init()
{
p_protocol = IPPROTO_IP;
p_mode = IPSEC_MODE_ANY;
p_level = IPSEC_LEVEL_DEFAULT;
p_reqid = 0;
if (p_src != NULL) {
free(p_src);
p_src = NULL;
}
if (p_dst != NULL) {
free(p_dst);
p_dst = NULL;
}
return;
}
static caddr_t
policy_parse(msg, msglen)
char *msg;
int msglen;
{
int error;
pbuf = NULL;
tlen = 0;
/* initialize */
p_dir = IPSEC_DIR_INVALID;
p_type = IPSEC_POLICY_DISCARD;
policy_parse_request_init();
__policy__strbuffer__init__(msg);
error = yyparse(); /* it must be set errcode. */
__policy__strbuffer__free__();
if (error) {
if (pbuf != NULL)
free(pbuf);
return NULL;
}
/* update total length */
((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
__ipsec_errcode = EIPSEC_NO_ERROR;
return pbuf;
}
caddr_t
ipsec_set_policy(msg, msglen)
char *msg;
int msglen;
{
caddr_t policy;
policy = policy_parse(msg, msglen);
if (policy == NULL) {
if (__ipsec_errcode == EIPSEC_NO_ERROR)
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return NULL;
}
__ipsec_errcode = EIPSEC_NO_ERROR;
return policy;
}
#line 597 "lib/libipsec/policy_parse.i"
#if YYDEBUG
#include <stdio.h> /* needed for printf */
#endif
#include <stdlib.h> /* needed for malloc, etc */
#include <string.h> /* needed for memset */
/* allocate initial stack or double stack size, up to YYMAXDEPTH */
static int yygrowstack(YYSTACKDATA *data)
{
int i;
unsigned newsize;
short *newss;
YYSTYPE *newvs;
if ((newsize = data->stacksize) == 0)
newsize = YYINITSTACKSIZE;
else if (newsize >= YYMAXDEPTH)
return -1;
else if ((newsize *= 2) > YYMAXDEPTH)
newsize = YYMAXDEPTH;
i = data->s_mark - data->s_base;
newss = (short *)realloc(data->s_base, newsize * sizeof(*newss));
if (newss == 0)
return -1;
data->s_base = newss;
data->s_mark = newss + i;
newvs = (YYSTYPE *)realloc(data->l_base, newsize * sizeof(*newvs));
if (newvs == 0)
return -1;
data->l_base = newvs;
data->l_mark = newvs + i;
data->stacksize = newsize;
data->s_last = data->s_base + newsize - 1;
return 0;
}
#if YYPURE || defined(YY_NO_LEAKS)
static void yyfreestack(YYSTACKDATA *data)
{
free(data->s_base);
free(data->l_base);
memset(data, 0, sizeof(*data));
}
#else
#define yyfreestack(data) /* nothing */
#endif
#define YYABORT goto yyabort
#define YYREJECT goto yyabort
#define YYACCEPT goto yyaccept
#define YYERROR goto yyerrlab
int
YYPARSE_DECL()
{
int yym, yyn, yystate;
#if YYDEBUG
const char *yys;
if ((yys = getenv("YYDEBUG")) != 0)
{
yyn = *yys;
if (yyn >= '0' && yyn <= '9')
yydebug = yyn - '0';
}
#endif
yynerrs = 0;
yyerrflag = 0;
yychar = YYEMPTY;
yystate = 0;
#if YYPURE
memset(&yystack, 0, sizeof(yystack));
#endif
if (yystack.s_base == NULL && yygrowstack(&yystack)) goto yyoverflow;
yystack.s_mark = yystack.s_base;
yystack.l_mark = yystack.l_base;
yystate = 0;
*yystack.s_mark = 0;
yyloop:
if ((yyn = yydefred[yystate]) != 0) goto yyreduce;
if (yychar < 0)
{
if ((yychar = YYLEX) < 0) yychar = 0;
#if YYDEBUG
if (yydebug)
{
yys = 0;
if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
if (!yys) yys = "illegal-symbol";
printf("%sdebug: state %d, reading %d (%s)\n",
YYPREFIX, yystate, yychar, yys);
}
#endif
}
if ((yyn = yysindex[yystate]) && (yyn += yychar) >= 0 &&
yyn <= YYTABLESIZE && yycheck[yyn] == yychar)
{
#if YYDEBUG
if (yydebug)
printf("%sdebug: state %d, shifting to state %d\n",
YYPREFIX, yystate, yytable[yyn]);
#endif
if (yystack.s_mark >= yystack.s_last && yygrowstack(&yystack))
{
goto yyoverflow;
}
yystate = yytable[yyn];
*++yystack.s_mark = yytable[yyn];
*++yystack.l_mark = yylval;
yychar = YYEMPTY;
if (yyerrflag > 0) --yyerrflag;
goto yyloop;
}
if ((yyn = yyrindex[yystate]) && (yyn += yychar) >= 0 &&
yyn <= YYTABLESIZE && yycheck[yyn] == yychar)
{
yyn = yytable[yyn];
goto yyreduce;
}
if (yyerrflag) goto yyinrecovery;
yyerror("syntax error");
goto yyerrlab;
yyerrlab:
++yynerrs;
yyinrecovery:
if (yyerrflag < 3)
{
yyerrflag = 3;
for (;;)
{
if ((yyn = yysindex[*yystack.s_mark]) && (yyn += YYERRCODE) >= 0 &&
yyn <= YYTABLESIZE && yycheck[yyn] == YYERRCODE)
{
#if YYDEBUG
if (yydebug)
printf("%sdebug: state %d, error recovery shifting\
to state %d\n", YYPREFIX, *yystack.s_mark, yytable[yyn]);
#endif
if (yystack.s_mark >= yystack.s_last && yygrowstack(&yystack))
{
goto yyoverflow;
}
yystate = yytable[yyn];
*++yystack.s_mark = yytable[yyn];
*++yystack.l_mark = yylval;
goto yyloop;
}
else
{
#if YYDEBUG
if (yydebug)
printf("%sdebug: error recovery discarding state %d\n",
YYPREFIX, *yystack.s_mark);
#endif
if (yystack.s_mark <= yystack.s_base) goto yyabort;
--yystack.s_mark;
--yystack.l_mark;
}
}
}
else
{
if (yychar == 0) goto yyabort;
#if YYDEBUG
if (yydebug)
{
yys = 0;
if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
if (!yys) yys = "illegal-symbol";
printf("%sdebug: state %d, error recovery discards token %d (%s)\n",
YYPREFIX, yystate, yychar, yys);
}
#endif
yychar = YYEMPTY;
goto yyloop;
}
yyreduce:
#if YYDEBUG
if (yydebug)
printf("%sdebug: state %d, reducing by rule %d (%s)\n",
YYPREFIX, yystate, yyn, yyrule[yyn]);
#endif
yym = yylen[yyn];
if (yym)
yyval = yystack.l_mark[1-yym];
else
memset(&yyval, 0, sizeof yyval);
switch (yyn)
{
case 1:
#line 120 "lib/libipsec/policy_parse.y"
{
p_dir = yystack.l_mark[-1].num;
p_type = yystack.l_mark[0].num;
if (init_x_policy())
return -1;
}
break;
case 3:
#line 129 "lib/libipsec/policy_parse.y"
{
p_dir = yystack.l_mark[0].num;
p_type = 0; /* ignored it by kernel */
if (init_x_policy())
return -1;
}
break;
case 5:
#line 140 "lib/libipsec/policy_parse.y"
{
if (rule_check() < 0)
return -1;
if (set_x_request(p_src, p_dst) < 0)
return -1;
policy_parse_request_init();
}
break;
case 12:
#line 158 "lib/libipsec/policy_parse.y"
{
__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
return -1;
}
break;
case 13:
#line 162 "lib/libipsec/policy_parse.y"
{
__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
return -1;
}
break;
case 14:
#line 169 "lib/libipsec/policy_parse.y"
{ p_protocol = yystack.l_mark[0].num; }
break;
case 15:
#line 173 "lib/libipsec/policy_parse.y"
{ p_mode = yystack.l_mark[0].num; }
break;
case 16:
#line 177 "lib/libipsec/policy_parse.y"
{
p_level = yystack.l_mark[0].num;
p_reqid = 0;
}
break;
case 17:
#line 181 "lib/libipsec/policy_parse.y"
{
p_level = IPSEC_LEVEL_UNIQUE;
p_reqid = atol(yystack.l_mark[0].val.buf); /* atol() is good. */
}
break;
case 18:
#line 188 "lib/libipsec/policy_parse.y"
{
p_src = parse_sockaddr(&yystack.l_mark[0].val);
if (p_src == NULL)
return -1;
}
break;
case 19:
#line 194 "lib/libipsec/policy_parse.y"
{
p_dst = parse_sockaddr(&yystack.l_mark[0].val);
if (p_dst == NULL)
return -1;
}
break;
case 20:
#line 199 "lib/libipsec/policy_parse.y"
{
if (p_dir != IPSEC_DIR_OUTBOUND) {
__ipsec_errcode = EIPSEC_INVAL_DIR;
return -1;
}
}
break;
case 21:
#line 205 "lib/libipsec/policy_parse.y"
{
if (p_dir != IPSEC_DIR_INBOUND) {
__ipsec_errcode = EIPSEC_INVAL_DIR;
return -1;
}
}
break;
#line 905 "lib/libipsec/policy_parse.i"
}
yystack.s_mark -= yym;
yystate = *yystack.s_mark;
yystack.l_mark -= yym;
yym = yylhs[yyn];
if (yystate == 0 && yym == 0)
{
#if YYDEBUG
if (yydebug)
printf("%sdebug: after reduction, shifting from state 0 to\
state %d\n", YYPREFIX, YYFINAL);
#endif
yystate = YYFINAL;
*++yystack.s_mark = YYFINAL;
*++yystack.l_mark = yyval;
if (yychar < 0)
{
if ((yychar = YYLEX) < 0) yychar = 0;
#if YYDEBUG
if (yydebug)
{
yys = 0;
if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
if (!yys) yys = "illegal-symbol";
printf("%sdebug: state %d, reading %d (%s)\n",
YYPREFIX, YYFINAL, yychar, yys);
}
#endif
}
if (yychar == 0) goto yyaccept;
goto yyloop;
}
if ((yyn = yygindex[yym]) && (yyn += yystate) >= 0 &&
yyn <= YYTABLESIZE && yycheck[yyn] == yystate)
yystate = yytable[yyn];
else
yystate = yydgoto[yym];
#if YYDEBUG
if (yydebug)
printf("%sdebug: after reduction, shifting from state %d \
to state %d\n", YYPREFIX, *yystack.s_mark, yystate);
#endif
if (yystack.s_mark >= yystack.s_last && yygrowstack(&yystack))
{
goto yyoverflow;
}
*++yystack.s_mark = (short) yystate;
*++yystack.l_mark = yyval;
goto yyloop;
yyoverflow:
yyerror("yacc stack overflow");
yyabort:
yyfreestack(&yystack);
return (1);
yyaccept:
yyfreestack(&yystack);
return (0);
}


@ -0,0 +1,443 @@
/* $KAME: policy_parse.y,v 1.14 2003/06/27 03:39:20 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* IN/OUT bound policy configuration take place such below:
* in <policy>
* out <policy>
*
* <policy> is one of following:
* "discard", "none", "ipsec <requests>", "entrust", "bypass",
*
* The following requests are accepted as <requests>:
*
* protocol/mode/src-dst/level
* protocol/mode/src-dst parsed as protocol/mode/src-dst/default
* protocol/mode/src-dst/ parsed as protocol/mode/src-dst/default
* protocol/transport parsed as protocol/mode/any-any/default
* protocol/transport//level parsed as protocol/mode/any-any/level
*
* You can concatenate these requests with either ' '(single space) or '\n'.
*/
%{
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef __rtems__
#include <freebsd/netipsec/ipsec.h>
#else
#include <netipsec/ipsec.h>
#endif
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include "ipsec_strerror.h"
#define ATOX(c) \
(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
static caddr_t pbuf = NULL; /* sadb_x_policy buffer */
static int tlen = 0; /* total length of pbuf */
static int offset = 0; /* offset of pbuf */
static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
static struct sockaddr *p_src = NULL;
static struct sockaddr *p_dst = NULL;
struct _val;
extern void yyerror(char *msg);
static struct sockaddr *parse_sockaddr(struct _val *buf);
static int rule_check(void);
static int init_x_policy(void);
static int set_x_request(struct sockaddr *src, struct sockaddr *dst);
static int set_sockaddr(struct sockaddr *addr);
static void policy_parse_request_init(void);
static caddr_t policy_parse(char *msg, int msglen);
extern void __policy__strbuffer__init__(char *msg);
extern void __policy__strbuffer__free__(void);
extern int yyparse(void);
extern int yylex(void);
extern char *__libipsecyytext; /*XXX*/
%}
%union {
u_int num;
struct _val {
int len;
char *buf;
} val;
}
%token DIR ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY
%token IPADDRESS
%token ME ANY
%token SLASH HYPHEN
%type <num> DIR ACTION PROTOCOL MODE LEVEL
%type <val> IPADDRESS LEVEL_SPECIFY
%%
policy_spec
: DIR ACTION
{
p_dir = $1;
p_type = $2;
if (init_x_policy())
return -1;
}
rules
| DIR
{
p_dir = $1;
p_type = 0; /* ignored it by kernel */
if (init_x_policy())
return -1;
}
;
rules
: /*NOTHING*/
| rules rule {
if (rule_check() < 0)
return -1;
if (set_x_request(p_src, p_dst) < 0)
return -1;
policy_parse_request_init();
}
;
rule
: protocol SLASH mode SLASH addresses SLASH level
| protocol SLASH mode SLASH addresses SLASH
| protocol SLASH mode SLASH addresses
| protocol SLASH mode SLASH
| protocol SLASH mode SLASH SLASH level
| protocol SLASH mode
| protocol SLASH {
__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
return -1;
}
| protocol {
__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
return -1;
}
;
protocol
: PROTOCOL { p_protocol = $1; }
;
mode
: MODE { p_mode = $1; }
;
level
: LEVEL {
p_level = $1;
p_reqid = 0;
}
| LEVEL_SPECIFY {
p_level = IPSEC_LEVEL_UNIQUE;
p_reqid = atol($1.buf); /* atol() is good. */
}
;
addresses
: IPADDRESS {
p_src = parse_sockaddr(&$1);
if (p_src == NULL)
return -1;
}
HYPHEN
IPADDRESS {
p_dst = parse_sockaddr(&$4);
if (p_dst == NULL)
return -1;
}
| ME HYPHEN ANY {
if (p_dir != IPSEC_DIR_OUTBOUND) {
__ipsec_errcode = EIPSEC_INVAL_DIR;
return -1;
}
}
| ANY HYPHEN ME {
if (p_dir != IPSEC_DIR_INBOUND) {
__ipsec_errcode = EIPSEC_INVAL_DIR;
return -1;
}
}
/*
| ME HYPHEN ME
*/
;
%%
void
yyerror(msg)
char *msg;
{
fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
msg, __libipsecyytext);
return;
}
static struct sockaddr *
parse_sockaddr(buf)
struct _val *buf;
{
struct addrinfo hints, *res;
char *serv = NULL;
int error;
struct sockaddr *newaddr = NULL;
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_flags = AI_NUMERICHOST;
error = getaddrinfo(buf->buf, serv, &hints, &res);
if (error != 0) {
yyerror("invalid IP address");
__ipsec_set_strerror(gai_strerror(error));
return NULL;
}
if (res->ai_addr == NULL) {
yyerror("invalid IP address");
__ipsec_set_strerror(gai_strerror(error));
return NULL;
}
newaddr = malloc(res->ai_addr->sa_len);
if (newaddr == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
freeaddrinfo(res);
return NULL;
}
memcpy(newaddr, res->ai_addr, res->ai_addr->sa_len);
freeaddrinfo(res);
__ipsec_errcode = EIPSEC_NO_ERROR;
return newaddr;
}
static int
rule_check()
{
if (p_type == IPSEC_POLICY_IPSEC) {
if (p_protocol == IPPROTO_IP) {
__ipsec_errcode = EIPSEC_NO_PROTO;
return -1;
}
if (p_mode != IPSEC_MODE_TRANSPORT
&& p_mode != IPSEC_MODE_TUNNEL) {
__ipsec_errcode = EIPSEC_INVAL_MODE;
return -1;
}
if (p_src == NULL && p_dst == NULL) {
if (p_mode != IPSEC_MODE_TRANSPORT) {
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return -1;
}
}
else if (p_src->sa_family != p_dst->sa_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
}
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
static int
init_x_policy()
{
struct sadb_x_policy *p;
tlen = sizeof(struct sadb_x_policy);
pbuf = malloc(tlen);
if (pbuf == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
memset(pbuf, 0, tlen);
p = (struct sadb_x_policy *)pbuf;
p->sadb_x_policy_len = 0; /* must update later */
p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
p->sadb_x_policy_type = p_type;
p->sadb_x_policy_dir = p_dir;
p->sadb_x_policy_id = 0;
offset = tlen;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
static int
set_x_request(src, dst)
struct sockaddr *src, *dst;
{
struct sadb_x_ipsecrequest *p;
int reqlen;
reqlen = sizeof(*p)
+ (src ? src->sa_len : 0)
+ (dst ? dst->sa_len : 0);
tlen += reqlen; /* increment to total length */
pbuf = realloc(pbuf, tlen);
if (pbuf == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
p->sadb_x_ipsecrequest_len = reqlen;
p->sadb_x_ipsecrequest_proto = p_protocol;
p->sadb_x_ipsecrequest_mode = p_mode;
p->sadb_x_ipsecrequest_level = p_level;
p->sadb_x_ipsecrequest_reqid = p_reqid;
offset += sizeof(*p);
if (set_sockaddr(src) || set_sockaddr(dst))
return -1;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
static int
set_sockaddr(addr)
struct sockaddr *addr;
{
if (addr == NULL) {
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
/* tlen has already incremented */
memcpy(&pbuf[offset], addr, addr->sa_len);
offset += addr->sa_len;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
static void
policy_parse_request_init()
{
p_protocol = IPPROTO_IP;
p_mode = IPSEC_MODE_ANY;
p_level = IPSEC_LEVEL_DEFAULT;
p_reqid = 0;
if (p_src != NULL) {
free(p_src);
p_src = NULL;
}
if (p_dst != NULL) {
free(p_dst);
p_dst = NULL;
}
return;
}
static caddr_t
policy_parse(msg, msglen)
char *msg;
int msglen;
{
int error;
pbuf = NULL;
tlen = 0;
/* initialize */
p_dir = IPSEC_DIR_INVALID;
p_type = IPSEC_POLICY_DISCARD;
policy_parse_request_init();
__policy__strbuffer__init__(msg);
error = yyparse(); /* it must be set errcode. */
__policy__strbuffer__free__();
if (error) {
if (pbuf != NULL)
free(pbuf);
return NULL;
}
/* update total length */
((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
__ipsec_errcode = EIPSEC_NO_ERROR;
return pbuf;
}
caddr_t
ipsec_set_policy(msg, msglen)
char *msg;
int msglen;
{
caddr_t policy;
policy = policy_parse(msg, msglen);
if (policy == NULL) {
if (__ipsec_errcode == EIPSEC_NO_ERROR)
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return NULL;
}
__ipsec_errcode = EIPSEC_NO_ERROR;
return policy;
}
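Review bot: `pbuf = realloc(pbuf, tlen);` in set_x_request overwrites the only pointer to the policy buffer, so when realloc fails the old allocation leaks — the `if (pbuf != NULL) free(pbuf)` in policy_parse then sees NULL and frees nothing. Assign through a temporary: `caddr_t np = realloc(pbuf, tlen); if (np == NULL) { __ipsec_errcode = EIPSEC_NO_BUFS; return -1; } pbuf = np;`. parse_sockaddr has a related leak: the `res->ai_addr == NULL` branch returns without `freeaddrinfo(res)`, and reports `gai_strerror(error)` with error already 0, so it should free res and set an explicit message instead. Both appear verbatim in the generated policy_parse.c earlier in this commit, which should be regenerated from this file rather than patched by hand. Since pbuf, p_src and p_dst are file-scope statics, ipsec_set_policy is not reentrant; a one-line comment on it would save a caller from using it from two netshell threads at once.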



@ -0,0 +1,169 @@
/* $FreeBSD$ */
/* $KAME: policy_token.l,v 1.13 2003/05/09 05:19:55 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
%{
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <net/route.h>
#ifdef __rtems__
#include <freebsd/net/pfkeyv2.h>
#include <freebsd/netipsec/keydb.h>
#include <freebsd/netinet/in.h>
#include <freebsd/netipsec/ipsec.h>
#else
#include <net/pfkeyv2.h>
#include <netipsec/keydb.h>
#include <netinet/in.h>
#include <netipsec/ipsec.h>
#endif
#include <stdlib.h>
#include <limits.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#ifdef __rtems__
#include "../../y.tab.h"
/* XXX - Jennifer doesn't know where to get this from */
YY_BUFFER_STATE yy_current_buffer;
#else
#include "y.tab.h"
#endif
#define yylval __libipsecyylval /* XXX */
int yylex(void);
%}
%option noyywrap
%option nounput
/* common section */
nl \n
ws [ \t]+
digit [0-9]
hexdigit [0-9A-Fa-f]
special [()+\|\?\*,]
dot \.
comma \,
hyphen \-
colon \:
slash \/
bcl \{
ecl \}
blcl \[
elcl \]
percent \%
semi \;
usec {dot}{digit}{1,6}
comment \#.*
ccomment "/*"
bracketstring \<[^>]*\>
quotedstring \"[^"]*\"
decstring {digit}+
hexpair {hexdigit}{hexdigit}
hexstring 0[xX]{hexdigit}+
octetstring {octet}({dot}{octet})+
ipaddress [a-zA-Z0-9:\._][a-zA-Z0-9:\._]*(%[a-zA-Z0-9]+)?
%%
in { yylval.num = IPSEC_DIR_INBOUND; return(DIR); }
out { yylval.num = IPSEC_DIR_OUTBOUND; return(DIR); }
discard { yylval.num = IPSEC_POLICY_DISCARD; return(ACTION); }
none { yylval.num = IPSEC_POLICY_NONE; return(ACTION); }
ipsec { yylval.num = IPSEC_POLICY_IPSEC; return(ACTION); }
bypass { yylval.num = IPSEC_POLICY_BYPASS; return(ACTION); }
entrust { yylval.num = IPSEC_POLICY_ENTRUST; return(ACTION); }
esp { yylval.num = IPPROTO_ESP; return(PROTOCOL); }
ah { yylval.num = IPPROTO_AH; return(PROTOCOL); }
ipcomp { yylval.num = IPPROTO_IPCOMP; return(PROTOCOL); }
tcp { yylval.num = IPPROTO_TCP; return(PROTOCOL); }
transport { yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
tunnel { yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
me { return(ME); }
any { return(ANY); }
default { yylval.num = IPSEC_LEVEL_DEFAULT; return(LEVEL); }
use { yylval.num = IPSEC_LEVEL_USE; return(LEVEL); }
require { yylval.num = IPSEC_LEVEL_REQUIRE; return(LEVEL); }
unique{colon}{decstring} {
yylval.val.len = strlen(yytext + 7);
yylval.val.buf = yytext + 7;
return(LEVEL_SPECIFY);
}
unique { yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); }
{slash} { return(SLASH); }
{ipaddress} {
yylval.val.len = strlen(yytext);
yylval.val.buf = yytext;
return(IPADDRESS);
}
{hyphen} { return(HYPHEN); }
{ws} { ; }
{nl} { ; }
%%
void __policy__strbuffer__init__(char *);
void __policy__strbuffer__free__(void);
static YY_BUFFER_STATE strbuffer;
void
__policy__strbuffer__init__(msg)
char *msg;
{
if (yy_current_buffer)
yy_delete_buffer(yy_current_buffer);
strbuffer = (YY_BUFFER_STATE)yy_scan_string(msg);
yy_switch_to_buffer(strbuffer);
return;
}
void
__policy__strbuffer__free__()
{
yy_delete_buffer(strbuffer);
return;
}
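Review bot: The `__rtems__` branch near the top defines a fresh global `YY_BUFFER_STATE yy_current_buffer;` that nothing in this file assigns, so the `if (yy_current_buffer) yy_delete_buffer(yy_current_buffer);` in __policy__strbuffer__init__ is always false and never releases the buffer flex is actually holding. If the installed flex exports the `YY_CURRENT_BUFFER` macro, the check should read `if (YY_CURRENT_BUFFER) yy_delete_buffer(YY_CURRENT_BUFFER);` and the stray definition (and its `XXX` comment) can go; on a flex that still exports its own `yy_current_buffer` symbol the definition would also collide. Worth confirming against the generated policy_token.c, which is suppressed on this page. Separately, the IPADDRESS and LEVEL_SPECIFY actions pass `yylval.val.buf` pointing into `yytext`, which the next match overwrites; that is only safe while the parser consumes those values before fetching a lookahead token, so either a comment stating that assumption or an strdup with a matching free in the parser would make the lifetime explicit.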


@ -0,0 +1,334 @@
/* $KAME: test-policy.c,v 1.16 2003/08/26 03:24:08 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/pfkeyv2.h>
#include <netipsec/key_debug.h>
#include <netipsec/ipsec.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <err.h>
#include "libpfkey.h"
struct req_t {
int result; /* expected result; 0:ok 1:ng */
char *str;
} reqs[] = {
{ 0, "out ipsec" },
{ 1, "must_error" },
{ 1, "in ipsec must_error" },
{ 1, "out ipsec esp/must_error" },
{ 1, "out discard" },
{ 1, "out none" },
{ 0, "in entrust" },
{ 0, "out entrust" },
{ 1, "out ipsec esp" },
{ 0, "in ipsec ah/transport" },
{ 1, "in ipsec ah/tunnel" },
{ 0, "out ipsec ah/transport/" },
{ 1, "out ipsec ah/tunnel/" },
{ 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" },
{ 0, "in ipsec esp/tunnel/::1-::2" },
{ 1, "in ipsec esp/tunnel/10.0.0.1-::2" },
{ 0, "in ipsec esp/tunnel/::1-::2/require" },
{ 0, "out ipsec ah/transport//use" },
{ 1, "out ipsec ah/transport esp/use" },
{ 1, "in ipsec ah/transport esp/tunnel" },
{ 0, "in ipsec ah/transport esp/tunnel/::1-::1" },
{ 0, "in ipsec
ah / transport
esp / tunnel / ::1-::2" },
{ 0, "out ipsec
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
" },
{ 0, "out ipsec esp/transport/fec0::10-fec0::11/use" },
};
int test1(void);
int test1sub1(struct req_t *);
int test1sub2(char *, int);
int test2(void);
int test2sub(int);
int
main(ac, av)
int ac;
char **av;
{
test1();
test2();
exit(0);
}
int
test1()
{
int i;
int result;
printf("TEST1\n");
for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) {
printf("#%d [%s]\n", i + 1, reqs[i].str);
result = test1sub1(&reqs[i]);
if (result == 0 && reqs[i].result == 1) {
warnx("ERROR: expecting failure.");
} else if (result == 1 && reqs[i].result == 0) {
warnx("ERROR: expecting success.");
}
}
return 0;
}
int
test1sub1(req)
struct req_t *req;
{
char *buf;
buf = ipsec_set_policy(req->str, strlen(req->str));
if (buf == NULL) {
printf("ipsec_set_policy: %s\n", ipsec_strerror());
return 1;
}
if (test1sub2(buf, PF_INET) != 0
|| test1sub2(buf, PF_INET6) != 0) {
free(buf);
return 1;
}
#if 0
kdebug_sadb_x_policy((struct sadb_ext *)buf);
#endif
free(buf);
return 0;
}
int
test1sub2(policy, family)
char *policy;
int family;
{
int so;
int proto = 0, optname = 0;
int len;
char getbuf[1024];
switch (family) {
case PF_INET:
proto = IPPROTO_IP;
optname = IP_IPSEC_POLICY;
break;
case PF_INET6:
proto = IPPROTO_IPV6;
optname = IPV6_IPSEC_POLICY;
break;
}
if ((so = socket(family, SOCK_DGRAM, 0)) < 0)
err(1, "socket");
len = ipsec_get_policylen(policy);
#if 0
printf("\tsetlen:%d\n", len);
#endif
if (setsockopt(so, proto, optname, policy, len) < 0) {
printf("fail to set sockopt; %s\n", strerror(errno));
close(so);
return 1;
}
memset(getbuf, 0, sizeof(getbuf));
memcpy(getbuf, policy, sizeof(struct sadb_x_policy));
if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
printf("fail to get sockopt; %s\n", strerror(errno));
close(so);
return 1;
}
{
char *buf = NULL;
#if 0
printf("\tgetlen:%d\n", len);
#endif
if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
printf("%s\n", ipsec_strerror());
close(so);
return 1;
}
#if 0
printf("\t[%s]\n", buf);
#endif
free(buf);
}
close (so);
return 0;
}
char addr[] = {
28, 28, 0, 0,
0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
0, 0, 0, 0,
};
int
test2()
{
int so;
char *pol1 = "out ipsec";
char *pol2 = "out ipsec ah/transport//use";
char *sp1, *sp2;
int splen1, splen2;
int spid;
struct sadb_msg *m;
printf("TEST2\n");
if (getuid() != 0)
errx(1, "root privilege required.");
sp1 = ipsec_set_policy(pol1, strlen(pol1));
splen1 = ipsec_get_policylen(sp1);
sp2 = ipsec_set_policy(pol2, strlen(pol2));
splen2 = ipsec_get_policylen(sp2);
if ((so = pfkey_open()) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
printf("spdflush()\n");
if (pfkey_send_spdflush(so) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdsetidx()\n");
if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp1, splen1, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdupdate()\n");
if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp2, splen2, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("sleep(4)\n");
sleep(4);
printf("spddelete()\n");
if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp1, splen1, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdadd()\n");
if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp2, splen2, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
spid = test2sub(so);
printf("spdget(%u)\n", spid);
if (pfkey_send_spdget(so, spid) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("sleep(4)\n");
sleep(4);
printf("spddelete2()\n");
if (pfkey_send_spddelete2(so, spid) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdadd() with lifetime's 10(s)\n");
if (pfkey_send_spdadd2(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, 0, 10, sp2, splen2, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
spid = test2sub(so);
/* expecting failure */
printf("spdupdate()\n");
if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp2, splen2, 0) == 0) {
warnx("ERROR: expecting failure.");
}
return 0;
}
int
test2sub(so)
int so;
{
struct sadb_msg *msg;
caddr_t mhp[SADB_EXT_MAX + 1];
if ((msg = pfkey_recv(so)) == NULL)
errx(1, "ERROR: pfkey_recv failure.");
if (pfkey_align(msg, mhp) < 0)
errx(1, "ERROR: pfkey_align failure.");
return ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id;
}
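Review bot: In test1sub2, `getsockopt(so, proto, optname, getbuf, &len)` passes the policy's length as the capacity of `getbuf`, so a policy longer than the 1024-byte stack array lets the kernel write past it, and `len` is an `int` where getsockopt takes a `socklen_t *`. Use a separate `socklen_t getlen = sizeof(getbuf);` for the get call and keep `len` for setsockopt. test2 never checks `sp1`/`sp2` from ipsec_set_policy for NULL, so on a parse failure `ipsec_get_policylen` returns -1 and that value is handed to pfkey_send_spdsetidx as a length; `sp1`/`sp2` are also never freed. The multi-line string literals in `reqs` (the `in ipsec` / `ah / transport` entries) show no line continuation here; if the backslashes were lost in rendering that is fine, otherwise they will not compile once this file is built.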


@ -0,0 +1,16 @@
#include <sys/types.h>
#include <sys/param.h>
#include <netipsec/ipsec.h>
#include <net/pfkeyv2.h>
#include "ipsec_strerror.h"
int
ipsec_get_policylen(policy)
caddr_t policy;
{
return policy ? PFKEY_EXTLEN(policy) : -1;
}
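Review bot: policy_parse.y and policy_token.l in this same commit wrap `<netipsec/ipsec.h>` in `#ifdef __rtems__` and pick `<freebsd/netipsec/ipsec.h>` there, while this file includes `<netipsec/ipsec.h>` and `<net/pfkeyv2.h>` unconditionally; presumably the include path makes both spellings resolve, but one convention should be chosen so the next fix lands in one place. `PFKEY_EXTLEN(policy)` reads the extension length straight out of the caller's buffer with no validation, which is fine for buffers produced by ipsec_set_policy but worth stating: `/* policy must be a well-formed sadb extension; its length field is trusted */`. A prototype-style definition `int ipsec_get_policylen(caddr_t policy)` would let the compiler type-check callers, which the K&R form here does not.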


@ -0,0 +1,15 @@
#include <unistd.h>
#include <errno.h>
#include <sys/time.h>
#include <rtems.h>
#include <rtems/error.h>
__weak_reference(_kevent, kevent);
int
_kevent(int kq, const struct kevent *changelist, int nchanges,
struct kevent *eventlist, int nevents, const struct timespec *timeout)
{
rtems_panic("Unimplemented method!!!\n");
return -1;
}
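Review bot: `_kevent` answers any call with `rtems_panic(...)`, which takes the whole RTEMS image down the first time netshell or ping reaches a kqueue code path; a stub that fails softly — `errno = ENOSYS; return -1;` — lets the caller report the error and keeps the rest of the system up, and `<errno.h>` is already included here. The same applies to the `_kqueue` stub in the next file of this commit. If the panic is deliberate so that unimplemented paths are found during bring-up, a comment such as `/* intentional: fail loudly until kqueue is ported */` would stop the next reader from "fixing" it. `struct kevent` is used in the prototype but only `<sys/time.h>` is included; `<sys/event.h>` appears to be missing unless `<rtems.h>` pulls it in.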


@ -0,0 +1,14 @@
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <rtems.h>
#include <rtems/error.h>
__weak_reference(_kqueue, kqueue);
int
_kqueue(void)
{
rtems_panic("Unimplemented method!!!\n");
return -1;
}

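--- a/freebsd-userspace/y.tab.h
+++ b/freebsd-userspace/y.tab.h
@@ -0,0 +1,26 @@
+#define DIR 257
+#define ACTION 258
+#define PROTOCOL 259
+#define MODE 260
+#define LEVEL 261
+#define LEVEL_SPECIFY 262
+#define IPADDRESS 263
+#define ME 264
+#define ANY 265
+#define SLASH 266
+#define HYPHEN 267
+#ifdef YYSTYPE
+#undef YYSTYPE_IS_DECLARED
+#define YYSTYPE_IS_DECLARED 1
+#endif
+#ifndef YYSTYPE_IS_DECLARED
+#define YYSTYPE_IS_DECLARED 1
+typedef union {
+u_int num;
+struct _val {
+int len;
+char *buf;
+} val;
+} YYSTYPE;
+#endif /* !YYSTYPE_IS_DECLARED */
+extern YYSTYPE __libipsecyylval;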