struct ipsec_sa * __ipsec_sa_get(struct ipsec_sa *ips, const char *func, int line) { if (ips == NULL) return NULL; #ifdef CONFIG_KLIPS_DEBUG if(debug_xform) { char sa[SATOT_BUF]; size_t sa_len; sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); KLIPS_PRINT(debug_xform, "ipsec_sa_get: " "ipsec_sa %p SA:%s, ref:%d reference count (%d++) incremented by %s:%d.\n", ips, sa_len ? sa : " (error)", ips->ips_ref, atomic_read(&ips->ips_refcount), func, line); } #endif atomic_inc(&ips->ips_refcount); // check to make sure we were not deleted if (ips->ips_marked_deleted) { // we cannot use this reference ipsec_sa_put (ips); ips = NULL; } return ips; }
IPSEC_PROCFS_DEBUG_NO_STATIC int ipsec_spigrp_show(struct seq_file *seq, void *offset) { int i; struct ipsec_sa *sa_p, *sa_p2; char sa[SATOT_BUF]; size_t sa_len; KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS, "klips_debug:ipsec_spigrp_show: seq=%p offset=%p\n", seq, offset); spin_lock_bh(&tdb_lock); for (i = 0; i < SADB_HASHMOD; i++) { for (sa_p = ipsec_sadb_hash[i]; sa_p != NULL; sa_p = sa_p->ips_hnext) { sa_p2 = sa_p; while (sa_p2 != NULL) { struct ipsec_sa *sa2n; sa_len = satot(&sa_p2->ips_said, 'x', sa, sizeof(sa)); seq_printf(seq, "%s ", sa_len ? sa : " (error)"); sa2n = sa_p2->ips_next; sa_p2 = sa2n; } seq_printf(seq, "\n"); } } spin_unlock_bh(&tdb_lock); return 0; }
void __ipsec_sa_put(struct ipsec_sa *ips, const char *func, int line) { if(ips == NULL) { KLIPS_PRINT(debug_xform, "ipsec_sa_put: " "null pointer passed in!\n"); return; } #ifdef CONFIG_KLIPS_DEBUG if(debug_xform) { char sa[SATOT_BUF]; size_t sa_len; sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); KLIPS_PRINT(debug_xform, "ipsec_sa_put: " "ipsec_sa %p SA:%s, ref:%d reference count (%d--) decremented by %s:%d.\n", ips, sa_len ? sa : " (error)", ips->ips_ref, atomic_read(&ips->ips_refcount), func, line); } #endif if(atomic_dec_and_test(&ips->ips_refcount)) { KLIPS_PRINT(debug_xform, "ipsec_sa_put: freeing %p\n", ips); /* it was zero */ ipsec_sa_wipe(ips); } return; }
IPSEC_PROCFS_DEBUG_NO_STATIC int ipsec_spi_format(struct ipsec_sa *sa_p, struct seq_file *seq) { char sa[SATOT_BUF]; char buf_s[SUBNETTOA_BUF]; char buf_d[SUBNETTOA_BUF]; size_t sa_len; ipsec_sa_get(sa_p, IPSEC_REFPROC); sa_len = satot(&sa_p->ips_said, 'x', sa, sizeof(sa)); seq_printf(seq, "%s ", sa_len ? sa : " (error)"); seq_printf(seq, "%s%s%s", IPS_XFORM_NAME(sa_p)); seq_printf(seq, ": dir=%s", (sa_p->ips_flags & EMT_INBOUND) ? "in " : "out"); if (sa_p->ips_addr_s) { sin_addrtot(sa_p->ips_addr_s, 0, buf_s, sizeof(buf_s)); seq_printf(seq, " src=%s", buf_s); } if ((sa_p->ips_said.proto == IPPROTO_IPIP) && (sa_p->ips_flags & (SADB_X_SAFLAGS_INFLOW |SADB_X_SAFLAGS_POLICYONLY))) { if (sa_p->ips_flow_s.u.v4.sin_family == AF_INET) { subnettoa(sa_p->ips_flow_s.u.v4.sin_addr, sa_p->ips_mask_s.u.v4.sin_addr, 0, buf_s, sizeof(buf_s)); subnettoa(sa_p->ips_flow_d.u.v4.sin_addr, sa_p->ips_mask_d.u.v4.sin_addr, 0, buf_d, sizeof(buf_d)); } else { subnet6toa(&sa_p->ips_flow_s.u.v6.sin6_addr, &sa_p->ips_mask_s.u.v6.sin6_addr, 0, buf_s, sizeof(buf_s)); subnet6toa(&sa_p->ips_flow_d.u.v6.sin6_addr, &sa_p->ips_mask_d.u.v6.sin6_addr, 0, buf_d, sizeof(buf_d)); } seq_printf(seq, " policy=%s->%s", buf_s, buf_d); } if (sa_p->ips_iv_bits) { int j; seq_printf(seq, " iv_bits=%dbits iv=0x", sa_p->ips_iv_bits); for (j = 0; j < sa_p->ips_iv_bits / 8; j++) { #ifdef CONFIG_KLIPS_OCF if (sa_p->ips_iv == NULL) { /* * ocf doesn't set the IV * so fake it for the test cases */ seq_printf(seq, "%02x", 0xA5 + j); } else #endif seq_printf(seq, "%02x", ((__u8*)sa_p->ips_iv)[j]); } } if (sa_p->ips_encalg || sa_p->ips_authalg) { if (sa_p->ips_replaywin) seq_printf(seq, " ooowin=%d", sa_p->ips_replaywin); if (sa_p->ips_errs.ips_replaywin_errs) seq_printf(seq, " ooo_errs=%d", sa_p->ips_errs.ips_replaywin_errs); if (sa_p->ips_replaywin_lastseq) seq_printf(seq, " seq=%d", sa_p->ips_replaywin_lastseq); if (sa_p->ips_replaywin_bitmap) seq_printf(seq, " bit=0x%Lx", sa_p->ips_replaywin_bitmap); if (sa_p->ips_replaywin_maxdiff) seq_printf(seq, " max_seq_diff=%d", sa_p->ips_replaywin_maxdiff); } if (sa_p->ips_flags & ~EMT_INBOUND) { seq_printf(seq, " flags=0x%x", sa_p->ips_flags & ~EMT_INBOUND); seq_printf(seq, "<"); /* flag printing goes here */ seq_printf(seq, ">"); } if (sa_p->ips_auth_bits) seq_printf(seq, " alen=%d", sa_p->ips_auth_bits); if (sa_p->ips_key_bits_a) seq_printf(seq, " aklen=%d", sa_p->ips_key_bits_a); if (sa_p->ips_errs.ips_auth_errs) seq_printf(seq, " auth_errs=%d", sa_p->ips_errs.ips_auth_errs); if (sa_p->ips_key_bits_e) seq_printf(seq, " eklen=%d", sa_p->ips_key_bits_e); if (sa_p->ips_errs.ips_encsize_errs) seq_printf(seq, " encr_size_errs=%d", sa_p->ips_errs.ips_encsize_errs); if (sa_p->ips_errs.ips_encpad_errs) seq_printf(seq, " encr_pad_errs=%d", sa_p->ips_errs.ips_encpad_errs); seq_printf(seq, " jiffies=%lu", jiffies); seq_printf(seq, " life(c,s,h)="); ipsec_lifetime_format(seq, "alloc", ipsec_life_countbased, &sa_p->ips_life.ipl_allocations); ipsec_lifetime_format(seq, "bytes", ipsec_life_countbased, &sa_p->ips_life.ipl_bytes); ipsec_lifetime_format(seq, "addtime", ipsec_life_timebased, &sa_p->ips_life.ipl_addtime); ipsec_lifetime_format(seq, "usetime", ipsec_life_timebased, &sa_p->ips_life.ipl_usetime); ipsec_lifetime_format(seq, "packets", ipsec_life_countbased, &sa_p->ips_life.ipl_packets); if (sa_p->ips_life.ipl_usetime.ipl_last) { /* XXX-MCR should be last? */ seq_printf(seq, " idle=%Ld", ipsec_jiffieshz_elapsed(jiffies/HZ, sa_p->ips_life.ipl_usetime.ipl_last)); } #ifdef CONFIG_KLIPS_IPCOMP if (sa_p->ips_said.proto == IPPROTO_COMP && (sa_p->ips_comp_ratio_dbytes || sa_p->ips_comp_ratio_cbytes)) { seq_printf(seq, " ratio=%Ld:%Ld", sa_p->ips_comp_ratio_dbytes, sa_p->ips_comp_ratio_cbytes); } #endif /* CONFIG_KLIPS_IPCOMP */ seq_printf(seq, " natencap="); switch (sa_p->ips_natt_type) { case 0: seq_printf(seq, "none"); break; case ESPINUDP_WITH_NON_IKE: seq_printf(seq, "nonike"); break; case ESPINUDP_WITH_NON_ESP: seq_printf(seq, "nonesp"); break; default: seq_printf(seq, "unknown"); break; } seq_printf(seq, " natsport=%d", sa_p->ips_natt_sport); seq_printf(seq, " natdport=%d", sa_p->ips_natt_dport); /* we decrement by one, because this SA has been referenced in order to dump this info */ seq_printf(seq, " refcount=%d", atomic_read(&sa_p->ips_refcount)-1); #ifdef IPSEC_SA_RECOUNT_DEBUG { int f; seq_printf(seq, "["); for (f = 0; f < sizeof(sa_p->ips_track); f++) seq_printf(seq, "%s%d", f == 0 ? "" : ",", sa_p->ips_track[f]); seq_printf(seq, "]"); } #endif seq_printf(seq, " ref=%d", sa_p->ips_ref); seq_printf(seq, " refhim=%d", sa_p->ips_refhim); if (sa_p->ips_out) { seq_printf(seq, " outif=%s:%d", sa_p->ips_out->name, sa_p->ips_transport_direct); } if (debug_xform) { seq_printf(seq, " reftable=%lu refentry=%lu", (unsigned long)IPsecSAref2table(sa_p->ips_ref), (unsigned long)IPsecSAref2entry(sa_p->ips_ref)); } seq_printf(seq, "\n"); ipsec_sa_put(sa_p, IPSEC_REFPROC); return 0; }
int main(int argc, char *argv[]) { __u32 spi = 0; int c; ip_said said; const char *error_s; char ipsaid_txt[SATOT_BUF]; int outif = 0; int error = 0; ssize_t io_error; int argcount = argc; pid_t mypid; int listenreply = 0; unsigned char authalg, encryptalg; struct sadb_ext *extensions[K_SADB_EXT_MAX + 1]; struct sadb_msg *pfkey_msg; char *edst_opt, *spi_opt, *proto_opt, *af_opt, *said_opt, *dst_opt, *src_opt; u_int32_t natt; u_int16_t sport, dport; uint32_t life[life_maxsever][life_maxtype]; char *life_opt[life_maxsever][life_maxtype]; struct stat sts; struct sadb_builds sab; progname = argv[0]; mypid = getpid(); natt = 0; sport = 0; dport = 0; tool_init_log(); zero(&said); /* OK: no pointer fields */ edst_opt = spi_opt = proto_opt = af_opt = said_opt = dst_opt = src_opt = NULL; { int i, j; for (i = 0; i < life_maxsever; i++) { for (j = 0; j < life_maxtype; j++) { life_opt[i][j] = NULL; life[i][j] = 0; } } } while ((c = getopt_long(argc, argv, "" /*"H:P:Z:46dcA:E:e:s:a:w:i:D:S:hvgl:+:f:"*/, longopts, 0)) != EOF) { unsigned long u; err_t ugh; switch (c) { case 'g': debug = TRUE; pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX; /* paul: this is a plutoism? cur_debugging = 0xffffffff; */ argcount--; break; case 'R': listenreply = 1; argcount--; break; case 'r': dumpsaref = 1; argcount--; break; case 'b': /* set the SAref to use */ ugh = ttoulb(optarg, 0, 0, INT_MAX, &u); if (ugh != NULL) { fprintf(stderr, "%s: Invalid SAREFi parameter \"%s\": %s\n", progname, optarg, ugh); exit(1); } saref_me = u; argcount--; break; case 'B': /* set the SAref to use for outgoing packets */ ugh = ttoulb(optarg, 0, 0, INT_MAX, &u); if (ugh != NULL) { fprintf(stderr, "%s: Invalid SAREFo parameter \"%s\": %s\n", progname, optarg, ugh); exit(1); } saref_him = u; argcount--; break; case 'O': /* set interface from which packet should arrive */ ugh = ttoulb(optarg, 0, 0, INT_MAX, &u); if (ugh != NULL) { fprintf(stderr, "%s: Invalid outif parameter \"%s\": %s\n", progname, optarg, ugh); exit(1); } outif = u; argcount--; break; case 'l': { static const char combine_fmt[] = "%s --label %s"; size_t room = strlen(argv[0]) + sizeof(combine_fmt) + strlen(optarg); progname = malloc(room); snprintf(progname, room, combine_fmt, argv[0], optarg); tool_close_log(); tool_init_log(); argcount -= 2; break; } case 'H': if (alg) { fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", progname); exit(1); } if (streq(optarg, "hmac-md5-96")) { alg = XF_AHHMACMD5; } else if (streq(optarg, "hmac-sha1-96")) { alg = XF_AHHMACSHA1; } else { fprintf(stderr, "%s: Unknown authentication algorithm '%s' follows '--ah' option.\n", progname, optarg); exit(1); } if (debug) { fprintf(stdout, "%s: Algorithm %d selected.\n", progname, alg); } break; case 'P': if (alg) { fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", progname); exit(1); } alg = decode_esp(optarg); if (debug) { fprintf(stdout, "%s: Algorithm %d selected.\n", progname, alg); } break; case 'Z': if (alg) { fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", progname); exit(1); } if (streq(optarg, "deflate")) { alg = XF_COMPDEFLATE; } else if (streq(optarg, "lzs")) { alg = XF_COMPLZS; } else { fprintf(stderr, "%s: Unknown compression algorithm '%s' follows '--comp' option.\n", progname, optarg); exit(1); } if (debug) { fprintf(stdout, "%s: Algorithm %d selected.\n", progname, alg); } break; case '4': if (alg) { fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", progname); exit(1); } alg = XF_IP4; address_family = AF_INET; if (debug) { fprintf(stdout, "%s: Algorithm %d selected.\n", progname, alg); } break; case '6': if (alg) { fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", progname); exit(1); } alg = XF_IP6; address_family = AF_INET6; if (debug) { fprintf(stdout, "%s: Algorithm %d selected.\n", progname, alg); } break; case 'd': if (alg) { fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", progname); exit(1); } alg = XF_DEL; if (debug) { fprintf(stdout, "%s: Algorithm %d selected.\n", progname, alg); } break; case 'c': if (alg) { fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", progname); exit(1); } alg = XF_CLR; if (debug) { fprintf(stdout, "%s: Algorithm %d selected.\n", progname, alg); } break; case 'e': if (said_opt) { fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined in SA:%s\n", progname, optarg, said_opt); exit(1); } if (edst_opt) { fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined as:%s\n", progname, optarg, edst_opt); exit(1); } error_s = ttoaddr(optarg, 0, address_family, &edst); if (error_s != NULL) { if (error_s) { fprintf(stderr, "%s: Error, %s converting --edst argument:%s\n", progname, error_s, optarg); exit(1); } } edst_opt = optarg; if (debug) { ipstr_buf b; fprintf(stdout, "%s: edst=%s.\n", progname, ipstr(&edst, &b)); } break; case 's': if (said_opt != NULL) { fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined in SA:%s\n", progname, optarg, said_opt); exit(1); } if (spi_opt != NULL) { fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined as:%s\n", progname, optarg, spi_opt); exit(1); } ugh = ttoulb(optarg, 0, 0, 0xFFFFFFFFul, &u); if (ugh == NULL && u < 0x100) ugh = "0 - 0xFF are reserved"; if (ugh != NULL) { fprintf(stderr, "%s: Invalid SPI parameter \"%s\": %s\n", progname, optarg, ugh); exit(1); } spi = u; spi_opt = optarg; break; case 'p': if (said_opt != NULL) { fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined in SA:%s\n", progname, optarg, said_opt); exit(1); } if (proto_opt != NULL) { fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined as:%s\n", progname, optarg, proto_opt); exit(1); } if (streq(optarg, "ah")) { proto = SA_AH; } else if (streq(optarg, "esp")) { proto = SA_ESP; } else if (streq(optarg, "tun")) { proto = SA_IPIP; } else if (streq(optarg, "comp")) { proto = SA_COMP; } else { fprintf(stderr, "%s: Invalid PROTO parameter: %s\n", progname, optarg); exit(1); } proto_opt = optarg; break; case 'a': if (said_opt) { fprintf(stderr, "%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined in SA:%s\n", progname, optarg, said_opt); exit(1); } if (af_opt) { fprintf(stderr, "%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined as:%s\n", progname, optarg, af_opt); exit(1); } if (streq(optarg, "inet")) { address_family = AF_INET; /* currently we ensure that all addresses belong to the same address family */ anyaddr(address_family, &dst); anyaddr(address_family, &edst); anyaddr(address_family, &src); } else if (streq(optarg, "inet6")) { address_family = AF_INET6; /* currently we ensure that all addresses belong to the same address family */ anyaddr(address_family, &dst); anyaddr(address_family, &edst); anyaddr(address_family, &src); } else { fprintf(stderr, "%s: Invalid ADDRESS FAMILY parameter: %s.\n", progname, optarg); exit(1); } af_opt = optarg; break; case 'I': if (said_opt) { fprintf(stderr, "%s: Error, SAID parameter redefined:%s, already defined in SA:%s\n", progname, optarg, said_opt); exit(1); } if (proto_opt) { fprintf(stderr, "%s: Error, PROTO parameter redefined in SA:%s, already defined as:%s\n", progname, optarg, proto_opt); exit(1); } if (edst_opt) { fprintf(stderr, "%s: Error, EDST parameter redefined in SA:%s, already defined as:%s\n", progname, optarg, edst_opt); exit(1); } if (spi_opt) { fprintf(stderr, "%s: Error, SPI parameter redefined in SA:%s, already defined as:%s\n", progname, optarg, spi_opt); exit(1); } error_s = ttosa(optarg, 0, &said); if (error_s != NULL) { fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n", progname, error_s, optarg); exit(1); } if (debug) { satot(&said, 0, ipsaid_txt, sizeof(ipsaid_txt)); fprintf(stdout, "%s: said=%s.\n", progname, ipsaid_txt); } /* init the src and dst with the same address family */ if (address_family == 0) { address_family = addrtypeof(&said.dst); } else if (address_family != addrtypeof(&said.dst)) { fprintf(stderr, "%s: Error, specified address family (%d) is different that of SAID: %s\n", progname, address_family, optarg); exit(1); } anyaddr(address_family, &dst); anyaddr(address_family, &edst); anyaddr(address_family, &src); said_opt = optarg; break; case 'A': decode_blob(optarg, "Authentication Key", &authkey, &authkeylen); break; case 'E': decode_blob(optarg, "Encryption Key", &enckey, &enckeylen); break; case 'w': { err_t ugh = ttoul(optarg, 0, 0, &replay_window); if (ugh != NULL) { fprintf(stderr, "%s: Invalid replay_window parameter: %s\n", progname, ugh); exit(1); } if (!(1 <= replay_window && replay_window <= 64)) { fprintf(stderr, "%s: Failed -- Illegal window size: arg=%s, replay_window=%lu, must be 1 <= size <= 64.\n", progname, optarg, replay_window); exit(1); } } break; case 'i': decode_blob(optarg, "IV", &iv, &ivlen); break; case 'D': if (dst_opt) { fprintf(stderr, "%s: Error, DST parameter redefined:%s, already defined as:%s\n", progname, optarg, dst_opt); exit(1); } error_s = ttoaddr(optarg, 0, address_family, &dst); if (error_s != NULL) { fprintf(stderr, "%s: Error, %s converting --dst argument:%s\n", progname, error_s, optarg); exit(1); } dst_opt = optarg; if (debug) { ipstr_buf b; fprintf(stdout, "%s: dst=%s.\n", progname, ipstr(&dst, &b)); } break; case 'F': /* src port */ { unsigned long u; err_t ugh = ttoulb(optarg, 0, 0, 0xFFFF, &u); if (ugh != NULL) { fprintf(stderr, "%s: Invalid source port parameter \"%s\": %s\n", progname, optarg, ugh); exit(1); } sport = u; } break; case 'G': /* dst port */ { unsigned long u; err_t ugh = ttoulb(optarg, 0, 0, 0xFFFF, &u); if (ugh != NULL) { fprintf(stderr, "%s: Invalid destination port parameter \"%s\": %s\n", progname, optarg, ugh); exit(1); } dport = u; } break; case 'N': /* nat-type */ if (strcaseeq(optarg, "nonesp")) { natt = ESPINUDP_WITH_NON_ESP; } else if (strcaseeq(optarg, "none")) { natt = 0; } else { /* ??? what does this do? Where is it documented? */ unsigned long u; err_t ugh = ttoulb(optarg, 0, 0, 0xFFFFFFFFul, &u); if (ugh != NULL) { fprintf(stderr, "%s: Invalid character in natt parameter \"%s\": %s\n", progname, optarg, ugh); exit(1); } natt = u; } break; case 'S': if (src_opt) { fprintf(stderr, "%s: Error, SRC parameter redefined:%s, already defined as:%s\n", progname, optarg, src_opt); exit(1); } error_s = ttoaddr(optarg, 0, address_family, &src); if (error_s != NULL) { fprintf(stderr, "%s: Error, %s converting --src argument:%s\n", progname, error_s, optarg); exit(1); } src_opt = optarg; if (debug) { ipstr_buf b; fprintf(stdout, "%s: src=%s.\n", progname, ipstr(&src, &b)); } break; case 'h': usage(progname, stdout); exit(0); case '?': usage(progname, stderr); exit(1); case 'v': fprintf(stdout, "%s, %s\n", progname, ipsec_version_code()); exit(1); case 'f': if (parse_life_options(life, life_opt, optarg) != 0) exit(1); break; default: fprintf(stderr, "%s: unrecognized option '%c', update option processing.\n", progname, c); exit(1); } } if (debug) { fprintf(stdout, "%s: All options processed.\n", progname); } if (stat("/proc/net/pfkey", &sts) == 0) { fprintf(stderr, "%s: NETKEY does not use the ipsec spi command. Use 'ip xfrm' instead.\n", progname); exit(1); } if (argcount == 1) { int ret = 1; if ((stat("/proc/net/ipsec_spi", &sts)) != 0) { fprintf(stderr, "%s: No spi - no IPsec support in kernel (are the modules loaded?)\n", progname); } else { ret = system("cat /proc/net/ipsec_spi"); ret = ret != -1 && WIFEXITED(ret) ? WEXITSTATUS(ret) : 1; } exit(ret); } switch (alg) { case XF_OTHER_ALG: /* validate keysizes */ if (proc_read_ok) { const struct sadb_alg *alg_p; size_t keylen, minbits, maxbits; alg_p = kernel_alg_sadb_alg_get(SADB_SATYPE_ESP, SADB_EXT_SUPPORTED_ENCRYPT, esp_info->encryptalg); assert(alg_p != NULL); keylen = enckeylen * 8; minbits = alg_p->sadb_alg_minbits; maxbits = alg_p->sadb_alg_maxbits; /* * if explicit keylen told in encrypt algo, eg "aes128" * check actual keylen "equality" */ if (esp_info->enckeylen && esp_info->enckeylen != keylen) { fprintf(stderr, "%s: invalid encryption keylen=%d, " "required %d by encrypt algo string=\"%s\"\n", progname, (int)keylen, (int)esp_info->enckeylen, alg_string); exit(1); } /* thanks DES for this sh*t */ if (minbits > keylen || maxbits < keylen) { fprintf(stderr, "%s: invalid encryption keylen=%d, " "must be between %d and %d bits\n", progname, (int)keylen, (int)minbits, (int)maxbits); exit(1); } alg_p = kernel_alg_sadb_alg_get(SADB_SATYPE_ESP, SADB_EXT_SUPPORTED_AUTH, esp_info->authalg); assert(alg_p); keylen = authkeylen * 8; minbits = alg_p->sadb_alg_minbits; maxbits = alg_p->sadb_alg_maxbits; if (minbits > keylen || maxbits < keylen) { fprintf(stderr, "%s: invalid auth keylen=%d, " "must be between %d and %d bits\n", progname, (int)keylen, (int)minbits, (int)maxbits); exit(1); } } /* * ??? this break was added in a2791fda77a5cfcc6bc992fbc5019f4448112f88 * It is likely correct, but we're not sure. * Luckily this code is probably never used. */ break; case XF_IP4: case XF_IP6: case XF_DEL: case XF_COMPDEFLATE: case XF_COMPLZS: if (!said_opt) { if (isanyaddr(&edst)) { fprintf(stderr, "%s: SA destination not specified.\n", progname); exit(1); } if (!spi) { fprintf(stderr, "%s: SA SPI not specified.\n", progname); exit(1); } if (!proto) { fprintf(stderr, "%s: SA PROTO not specified.\n", progname); exit(1); } initsaid(&edst, htonl(spi), proto, &said); } else { proto = said.proto; spi = ntohl(said.spi); edst = said.dst; } if ((address_family != 0) && (address_family != addrtypeof(&said.dst))) { fprintf(stderr, "%s: Defined address family and address family of SA missmatch.\n", progname); exit(1); } if (debug) { fprintf(stdout, "%s: SA valid.\n", progname); } break; case XF_CLR: break; default: fprintf(stderr, "%s: No action chosen. See '%s --help' for usage.\n", progname, progname); exit(1); } switch (alg) { case XF_CLR: case XF_DEL: case XF_IP4: case XF_IP6: case XF_COMPDEFLATE: case XF_COMPLZS: case XF_OTHER_ALG: break; default: fprintf(stderr, "%s: No action chosen. See '%s --help' for usage.\n", progname, progname); exit(1); } if (debug) { fprintf(stdout, "%s: Algorithm ok.\n", progname); } pfkey_sock = pfkey_open_sock_with_error(); if (pfkey_sock < 0) exit(1); /* Build an SADB_ADD message to send down. */ /* It needs <base, SA, address(SD), key(AE)> minimum. */ /* Lifetime(HS) could be added before addresses. */ pfkey_extensions_init(extensions); error = pfkey_msg_hdr_build(&extensions[0], alg == XF_DEL ? SADB_DELETE : alg == XF_CLR ? SADB_FLUSH : SADB_ADD, proto2satype(proto), 0, ++pfkey_seq, mypid); if (error != 0) { fprintf(stderr, "%s: Trouble building message header, error=%d.\n", progname, error); pfkey_extensions_free(extensions); exit(1); } switch (alg) { case XF_OTHER_ALG: authalg = esp_info->authalg; if (debug) { fprintf(stdout, "%s: debug: authalg=%d\n", progname, authalg); } break; default: authalg = SADB_AALG_NONE; } switch (alg) { case XF_COMPDEFLATE: encryptalg = SADB_X_CALG_DEFLATE; break; case XF_COMPLZS: encryptalg = SADB_X_CALG_LZS; break; case XF_OTHER_ALG: encryptalg = esp_info->encryptalg; if (debug) { fprintf(stdout, "%s: debug: encryptalg=%d\n", progname, encryptalg); } break; default: encryptalg = SADB_EALG_NONE; } /* IE: pfkey_msg->sadb_msg_type == SADB_FLUSH */ if (!(alg == XF_CLR)) { sab.sa_base.sadb_sa_len = 0; sab.sa_base.sadb_sa_exttype = SADB_EXT_SA; sab.sa_base.sadb_sa_spi = htonl(spi); sab.sa_base.sadb_sa_replay = replay_window; sab.sa_base.sadb_sa_state = K_SADB_SASTATE_MATURE; sab.sa_base.sadb_sa_auth = authalg; sab.sa_base.sadb_sa_encrypt = encryptalg; sab.sa_base.sadb_sa_flags = 0; sab.sa_base.sadb_x_sa_ref = IPSEC_SAREF_NULL; sab.sa_base.sadb_x_reserved[0] = 0; sab.sa_base.sadb_x_reserved[1] = 0; sab.sa_base.sadb_x_reserved[2] = 0; sab.sa_base.sadb_x_reserved[3] = 0; error = pfkey_sa_builds(&extensions[SADB_EXT_SA], sab); if (error != 0) { fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n", progname, error); pfkey_extensions_free(extensions); exit(1); } if (saref_me || saref_him) { error = pfkey_saref_build(&extensions[ K_SADB_X_EXT_SAREF], saref_me, saref_him); if (error) { fprintf(stderr, "%s: Trouble building saref extension, error=%d.\n", progname, error); pfkey_extensions_free(extensions); exit(1); } } if (outif != 0) { error = pfkey_outif_build(&extensions[ SADB_X_EXT_PLUMBIF], outif); if (error != 0) { fprintf(stderr, "%s: Trouble building outif extension, error=%d.\n", progname, error); pfkey_extensions_free(extensions); exit(1); } } if (debug) { fprintf(stdout, "%s: extensions[0]=0p%p previously set with msg_hdr.\n", progname, extensions[0]); } if (debug) { fprintf(stdout, "%s: assembled SA extension, pfkey msg authalg=%d encalg=%d.\n", progname, authalg, encryptalg); } if (debug) { int i, j; for (i = 0; i < life_maxsever; i++) { for (j = 0; j < life_maxtype; j++) { fprintf(stdout, "%s: i=%d, j=%d, life_opt[%d][%d]=0p%p, life[%d][%d]=%d\n", progname, i, j, i, j, life_opt[i][j], i, j, life[i][j]); } } } emit_lifetime("lifetime_s", SADB_EXT_LIFETIME_SOFT, extensions, life_opt[life_soft], life[life_soft]); emit_lifetime("lifetime_h", SADB_EXT_LIFETIME_HARD, extensions, life_opt[life_hard], life[life_hard]); if (debug) { ipstr_buf b; fprintf(stdout, "%s: assembling address_s extension (%s).\n", progname, ipstr(&src, &b)); } error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC], SADB_EXT_ADDRESS_SRC, 0, 0, sockaddrof(&src)); if (error != 0) { ipstr_buf b; fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n", progname, ipstr(&src, &b), error); pfkey_extensions_free(extensions); exit(1); } error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST], SADB_EXT_ADDRESS_DST, 0, 0, sockaddrof(&edst)); if (error != 0) { ipstr_buf b; fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n", progname, ipstr(&edst, &b), error); pfkey_extensions_free(extensions); exit(1); } switch (alg) { /* Allow no auth ... after all is local root decision 8) */ case XF_OTHER_ALG: if (!authalg) break; error = pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH], SADB_EXT_KEY_AUTH, authkeylen * 8, authkey); if (error != 0) { fprintf(stderr, "%s: Trouble building key_a extension, error=%d.\n", progname, error); pfkey_extensions_free(extensions); exit(1); } if (debug) { fprintf(stdout, "%s: key_a extension assembled.\n", progname); } break; default: break; } switch (alg) { case XF_OTHER_ALG: if (enckeylen == 0) { if (debug) fprintf(stdout, "%s: key not provided (NULL alg?).\n", progname); break; } error = pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT], SADB_EXT_KEY_ENCRYPT, enckeylen * 8, enckey); if (error != 0) { fprintf(stderr, "%s: Trouble building key_e extension, error=%d.\n", progname, error); pfkey_extensions_free(extensions); exit(1); } if (debug) { fprintf(stdout, "%s: key_e extension assembled.\n", progname); } break; default: break; } } if (natt != 0) { bool success; int err; err = pfkey_x_nat_t_type_build(&extensions[ K_SADB_X_EXT_NAT_T_TYPE], natt); success = pfkey_build(err, "pfkey_nat_t_type Add ESP SA", ipsaid_txt, extensions); if (!success) return FALSE; if (debug) fprintf(stderr, "setting natt_type to %d\n", natt); if (sport != 0) { err = pfkey_x_nat_t_port_build( &extensions[K_SADB_X_EXT_NAT_T_SPORT], K_SADB_X_EXT_NAT_T_SPORT, sport); success = pfkey_build(err, "pfkey_nat_t_sport Add ESP SA", ipsaid_txt, extensions); if (debug) fprintf(stderr, "setting natt_sport to %d\n", sport); if (!success) return FALSE; } if (dport != 0) { err = pfkey_x_nat_t_port_build( &extensions[K_SADB_X_EXT_NAT_T_DPORT], K_SADB_X_EXT_NAT_T_DPORT, dport); success = pfkey_build(err, "pfkey_nat_t_dport Add ESP SA", ipsaid_txt, extensions); if (debug) fprintf(stderr, "setting natt_dport to %d\n", dport); if (!success) return FALSE; } #if 0 /* not yet implemented */ if (natt != 0 && !isanyaddr(&natt_oa)) { ip_str_buf b; success = pfkeyext_address(SADB_X_EXT_NAT_T_OA, &natt_oa, "pfkey_nat_t_oa Add ESP SA", ipsaid_txt, extensions); if (debug) fprintf(stderr, "setting nat_oa to %s\n", ipstr(&natt_oa, &b)); if (!success) return FALSE; } #endif } if (debug) { fprintf(stdout, "%s: assembling pfkey msg....\n", progname); } error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN); if (error != 0) { fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n", progname, error); pfkey_extensions_free(extensions); pfkey_msg_free(&pfkey_msg); exit(1); } if (debug) { fprintf(stdout, "%s: assembled.\n", progname); } if (debug) { fprintf(stdout, "%s: writing pfkey msg.\n", progname); } io_error = write(pfkey_sock, pfkey_msg, pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN); if (io_error < 0) { fprintf(stderr, "%s: pfkey write failed (errno=%d): ", progname, errno); pfkey_extensions_free(extensions); pfkey_msg_free(&pfkey_msg); switch (errno) { case EACCES: fprintf(stderr, "access denied. "); if (getuid() == 0) fprintf(stderr, "Check permissions. Should be 600.\n"); else fprintf(stderr, "You must be root to open this file.\n"); break; case EUNATCH: fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n"); break; case EBUSY: fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n"); break; case EINVAL: fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n"); break; case ENODEV: fprintf(stderr, "KLIPS not loaded or enabled.\n"); fprintf(stderr, "No device?!?\n"); break; case ENOBUFS: fprintf(stderr, "No kernel memory to allocate SA.\n"); break; case ESOCKTNOSUPPORT: fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n"); break; case EEXIST: fprintf(stderr, "SA already in use. Delete old one first.\n"); break; case ENOENT: fprintf(stderr, "device does not exist. See Libreswan installation procedure.\n"); break; case ENXIO: case ESRCH: fprintf(stderr, "SA does not exist. Cannot delete.\n"); break; case ENOSPC: fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n"); break; case ESPIPE: fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n"); break; default: fprintf(stderr, "Unknown socket write error %d (%s). Please report as much detail as possible to development team.\n", errno, strerror(errno)); } exit(1); } else if (io_error != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) { fprintf(stderr, "%s: pfkey write truncated to %d bytes\n", progname, (int)io_error); pfkey_extensions_free(extensions); pfkey_msg_free(&pfkey_msg); exit(1); } if (debug) { fprintf(stdout, "%s: pfkey command written to socket.\n", progname); } if (pfkey_msg != NULL) { pfkey_extensions_free(extensions); pfkey_msg_free(&pfkey_msg); } if (debug) { fprintf(stdout, "%s: pfkey message buffer freed.\n", progname); } if (authkey != NULL) { memset(authkey, 0, authkeylen); free(authkey); } if (enckey != NULL) { memset(enckey, 0, enckeylen); free(enckey); } if (iv != NULL) { memset(iv, 0, ivlen); free(iv); } if (listenreply || saref_me || dumpsaref) { ssize_t readlen; unsigned char pfkey_buf[PFKEYv2_MAX_MSGSIZE]; while ((readlen = read(pfkey_sock, pfkey_buf, sizeof(pfkey_buf))) > 0) { struct sadb_ext *extensions[K_SADB_EXT_MAX + 1]; pfkey_extensions_init(extensions); pfkey_msg = (struct sadb_msg *)pfkey_buf; /* first, see if we got enough for an sadb_msg */ if ((size_t)readlen < sizeof(struct sadb_msg)) { if (debug) { printf("%s: runt packet of size: %ld (<%lu)\n", progname, (long)readlen, (unsigned long)sizeof(struct sadb_msg)); } continue; } /* okay, we got enough for a message, print it out */ if (debug) { printf("%s: pfkey v%d msg received. type=%d(%s) seq=%d len=%d pid=%d errno=%d satype=%d(%s)\n", progname, pfkey_msg->sadb_msg_version, pfkey_msg->sadb_msg_type, pfkey_v2_sadb_type_string(pfkey_msg-> sadb_msg_type), pfkey_msg->sadb_msg_seq, pfkey_msg->sadb_msg_len, pfkey_msg->sadb_msg_pid, pfkey_msg->sadb_msg_errno, pfkey_msg->sadb_msg_satype, satype2name(pfkey_msg->sadb_msg_satype)); } if (readlen != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) { if (debug) { printf("%s: packet size read from socket=%d doesn't equal sadb_msg_len %u * %u; message not decoded\n", progname, (int)readlen, (unsigned)pfkey_msg->sadb_msg_len, (unsigned)IPSEC_PFKEYv2_ALIGN); } continue; } if (pfkey_msg_parse(pfkey_msg, NULL, extensions, EXT_BITS_OUT)) { if (debug) { printf("%s: unparseable PF_KEY message.\n", progname); } continue; } if (debug) { printf("%s: parseable PF_KEY message.\n", progname); } if ((pid_t)pfkey_msg->sadb_msg_pid == mypid) { if (saref_me || dumpsaref) { struct sadb_x_saref *s = (struct sadb_x_saref *) extensions[ K_SADB_X_EXT_SAREF]; if (s != NULL) { printf("%s: saref=%d/%d\n", progname, s->sadb_x_saref_me, s->sadb_x_saref_him); } } break; } } } (void) close(pfkey_sock); /* close the socket */ if (debug || listenreply) printf("%s: exited normally\n", progname); exit(0); }
int ipsec_sa_print(struct ipsec_sa *ips) { char sa[SATOT_BUF]; size_t sa_len; printk(KERN_INFO "klips_debug: SA:"); if(ips == NULL) { printk("NULL\n"); return -ENOENT; } printk(" ref=%d", ips->ips_ref); printk(" refcount=%d", atomic_read(&ips->ips_refcount)); if(ips->ips_hnext != NULL) { printk(" hnext=0p%p", ips->ips_hnext); } if(ips->ips_next != NULL) { printk(" next=0p%p", ips->ips_next); } sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); printk(" said=%s", sa_len ? sa : " (error)"); if(ips->ips_seq) { printk(" seq=%u", ips->ips_seq); } if(ips->ips_pid) { printk(" pid=%u", ips->ips_pid); } if(ips->ips_authalg) { printk(" authalg=%u", ips->ips_authalg); } if(ips->ips_encalg) { printk(" encalg=%u", ips->ips_encalg); } printk(" XFORM=%s%s%s", IPS_XFORM_NAME(ips)); if(ips->ips_replaywin) { printk(" ooowin=%u", ips->ips_replaywin); } if(ips->ips_flags) { printk(" flags=%u", ips->ips_flags); } if(ips->ips_addr_s) { char buf[SUBNETTOA_BUF]; addrtoa(((struct sockaddr_in*)(ips->ips_addr_s))->sin_addr, 0, buf, sizeof(buf)); printk(" src=%s", buf); } if(ips->ips_addr_d) { char buf[SUBNETTOA_BUF]; addrtoa(((struct sockaddr_in*)(ips->ips_addr_s))->sin_addr, 0, buf, sizeof(buf)); printk(" dst=%s", buf); } if(ips->ips_addr_p) { char buf[SUBNETTOA_BUF]; addrtoa(((struct sockaddr_in*)(ips->ips_addr_p))->sin_addr, 0, buf, sizeof(buf)); printk(" proxy=%s", buf); } if(ips->ips_key_bits_a) { printk(" key_bits_a=%u", ips->ips_key_bits_a); } if(ips->ips_key_bits_e) { printk(" key_bits_e=%u", ips->ips_key_bits_e); } printk("\n"); return 0; }
enum ipsec_rcv_value ipsec_rcv_ipcomp_decomp(struct ipsec_rcv_state *irs) { unsigned int flags = 0; struct ipsec_sa *ipsp = irs->ipsp; struct sk_buff *skb; skb=irs->skb; ipsec_xmit_dmp("ipcomp", skb->data, skb->len); if(ipsp == NULL) { return IPSEC_RCV_SAIDNOTFOUND; } #if 0 /* we want to check that this wasn't the first SA on the list, because * we don't support bare IPCOMP, for unexplained reasons. MCR */ if (ipsp->ips_onext != NULL) { KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_rcv: " "Incoming packet with outer IPCOMP header SA:%s: not yet supported by KLIPS, dropped\n", irs->sa_len ? irs->sa : " (error)"); if(irs->stats) { irs->stats->rx_dropped++; } return IPSEC_RCV_IPCOMPALONE; } #endif if(sysctl_ipsec_inbound_policy_check && ((((ntohl(ipsp->ips_said.spi) & 0x0000ffff) != ntohl(irs->said.spi)) && (ipsp->ips_encalg != ntohl(irs->said.spi)) /* this is a workaround for peer non-compliance with rfc2393 */ ))) { char sa2[SATOT_BUF]; size_t sa_len2 = 0; sa_len2 = satot(&ipsp->ips_said, 0, sa2, sizeof(sa2)); KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_rcv: " "Incoming packet with SA(IPCA):%s does not match policy SA(IPCA):%s cpi=%04x cpi->spi=%08x spi=%08x, spi->cpi=%04x for SA grouping, dropped.\n", irs->sa_len ? irs->sa : " (error)", ipsp != NULL ? (sa_len2 ? sa2 : " (error)") : "NULL", ntohs(irs->protostuff.ipcompstuff.compp->ipcomp_cpi), (__u32)ntohl(irs->said.spi), ipsp != NULL ? (__u32)ntohl((ipsp->ips_said.spi)) : 0, ipsp != NULL ? (__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff) : 0); if(irs->stats) { irs->stats->rx_dropped++; } return IPSEC_RCV_SAIDNOTFOUND; } ipsp->ips_comp_ratio_cbytes += ntohs(irs->ipp->tot_len); irs->next_header = irs->protostuff.ipcompstuff.compp->ipcomp_nh; skb = skb_decompress(skb, ipsp, &flags); if (!skb || flags) { spin_unlock(&tdb_lock); KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_rcv: " "skb_decompress() returned error flags=%x, dropped.\n", flags); if (irs->stats) { if (flags) irs->stats->rx_errors++; else irs->stats->rx_dropped++; } return IPSEC_RCV_IPCOMPFAILED; } /* make sure we update the pointer */ irs->skb = skb; #ifdef NET_21 irs->ipp = skb->nh.iph; #else /* NET_21 */ irs->ipp = skb->ip_hdr; #endif /* NET_21 */ ipsp->ips_comp_ratio_dbytes += ntohs(irs->ipp->tot_len); KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_rcv: " "packet decompressed SA(IPCA):%s cpi->spi=%08x spi=%08x, spi->cpi=%04x, nh=%d.\n", irs->sa_len ? irs->sa : " (error)", (__u32)ntohl(irs->said.spi), ipsp != NULL ? (__u32)ntohl((ipsp->ips_said.spi)) : 0, ipsp != NULL ? (__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff) : 0, irs->next_header); KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, irs->ipp); return IPSEC_RCV_OK; }