[src/trunk]: src/lib ipsec support library.
details: https://anonhg.NetBSD.org/src/rev/919837fc0f92
branches: trunk
changeset: 474224:919837fc0f92
user: itojun <itojun%NetBSD.org@localhost>
date: Thu Jul 01 20:15:26 1999 +0000
description:
ipsec support library.
Mainly for debugging and for policy text-to-binary conversion. No crypto code
is included, so the library is export-safe.
diffstat:
lib/Makefile | 5 +-
lib/libipsec/Makefile | 16 +
lib/libipsec/ipsec_policy.c | 659 ++++++++++++++++++++
lib/libipsec/ipsec_set_policy.3 | 197 ++++++
lib/libipsec/ipsec_strerror.3 | 65 ++
lib/libipsec/ipsec_strerror.c | 81 ++
lib/libipsec/ipsec_strerror.h | 56 +
lib/libipsec/pfkey.c | 1250 +++++++++++++++++++++++++++++++++++++++
lib/libipsec/pfkey_dump.c | 449 ++++++++++++++
lib/libipsec/shlib_version | 5 +
10 files changed, 2782 insertions(+), 1 deletions(-)
diffs (truncated from 2831 to 300 lines):
diff -r 6fc3a33cf35b -r 919837fc0f92 lib/Makefile
--- a/lib/Makefile Thu Jul 01 20:14:42 1999 +0000
+++ b/lib/Makefile Thu Jul 01 20:15:26 1999 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.52 1999/06/07 00:53:09 thorpej Exp $
+# $NetBSD: Makefile,v 1.53 1999/07/01 20:15:26 itojun Exp $
# from: @(#)Makefile 5.25.1.1 (Berkeley) 5/7/91
.include <bsd.own.mk> # for EXPORTABLE_SYSTEM definition
@@ -16,4 +16,7 @@
SUBDIR+= libtelnet
.endif
+# IPv6/IPsec
+SUBDIR+= libipsec
+
.include <bsd.subdir.mk>
diff -r 6fc3a33cf35b -r 919837fc0f92 lib/libipsec/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/libipsec/Makefile Thu Jul 01 20:15:26 1999 +0000
@@ -0,0 +1,16 @@
+# $NetBSD: Makefile,v 1.1 1999/07/01 20:15:27 itojun Exp $
+
+LIB= ipsec
+CFLAGS+=-g -DIPSEC_DEBUG
+CFLAGS+=-DIPSEC
+CFLAGS+=-DINET6
+
+.PATH: ${.CURDIR}/../../sys/netkey
+SRCS= pfkey.c pfkey_dump.c
+SRCS+= ipsec_policy.c ipsec_strerror.c key_debug.c
+
+MAN= ipsec_set_policy.3 ipsec_strerror.3
+MLINKS+=ipsec_set_policy.3 ipsec_get_policylen.3 \
+ ipsec_set_policy.3 ipsec_dump_policy.3
+
+.include <bsd.lib.mk>
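Review bot: The `CFLAGS+=-g -DIPSEC_DEBUG` line hard-wires debug symbols and the IPSEC_DEBUG code paths into the installed library regardless of how the tree is built, so every consumer of libipsec gets the debugging hooks compiled in. Since the library parses policy text on behalf of callers that will typically be privileged, I would gate the debug define behind a knob, e.g. `.if defined(DEBUG)` / `CFLAGS+=-DIPSEC_DEBUG` / `.endif`, and leave `-g` to the tree-wide debug setting from `<bsd.own.mk>` rather than forcing it here. The `.PATH: ${.CURDIR}/../../sys/netkey` line also compiles `key_debug.c` straight out of the kernel tree, which presumably means the userland library silently depends on the kernel sources being present and in sync; a comment stating that coupling, such as `# key_debug.c is shared with the kernel (sys/netkey); keep both in step`, would help the next maintainer.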
diff -r 6fc3a33cf35b -r 919837fc0f92 lib/libipsec/ipsec_policy.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/libipsec/ipsec_policy.c Thu Jul 01 20:15:26 1999 +0000
@@ -0,0 +1,659 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__RCSID("@(#) ipsec_policy.c $Revision: 1.1 $");
+
+/*
+ * The following requests are accepted:
+ * protocol parsed as protocol/default/
+ * protocol/level/proxy
+ * protocol/ parsed as protocol/default/
+ * protocol/level parsed as protocol/level/
+ * protocol/level/ parsed as protocol/level/
+ * protocol/proxy parsed as protocol/default/proxy
+ * protocol//proxy parsed as protocol/default/proxy
+ * protocol// parsed as protocol/default/
+ * You can concatenate these requests with either ' ' or '\n'.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <assert.h>
+
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet6/ipsec.h>
+
+#include <netkey/keyv2.h>
+#include <netkey/key_var.h>
+
+#include <arpa/inet.h>
+
+#include <netdb.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <strings.h>
+#include <errno.h>
+
+#include "ipsec_strerror.h"
+
+/* order must be the same */
+static char *tokens[] = {
+ "discard", "none", "ipsec", "entrust", "bypass",
+ "esp", "ah", "ipcomp", "default", "use", "require", "/", NULL
+};
+enum token {
+ t_invalid = -1, t_discard, t_none, t_ipsec, t_entrust, t_bypass,
+ t_esp, t_ah, t_ipcomp, t_default, t_use, t_require, t_slash, t_omit,
+};
+static int values[] = {
+ IPSEC_POLICY_DISCARD, IPSEC_POLICY_NONE, IPSEC_POLICY_IPSEC,
+ IPSEC_POLICY_ENTRUST, IPSEC_POLICY_BYPASS,
+ IPPROTO_ESP, IPPROTO_AH, IPPROTO_IPCOMP,
+ IPSEC_LEVEL_DEFAULT, IPSEC_LEVEL_USE, IPSEC_LEVEL_REQUIRE, 0, 0,
+};
+struct pbuf {
+ char *buf;
+ int buflen; /* size of the buffer */
+ int off; /* current offset */
+};
+
+/* XXX duplicated def */
+static char *ipsp_strs[] = {
+ "discard", "none", "ipsec", "entrust", "bypass",
+};
+
+static enum token gettoken(char *p);
+static char *skiptoken(char *p, enum token t);
+static char *skipspaces(char *p);
+static char *parse_request(struct pbuf *pbuf, char *p);
+static char *parse_policy(struct pbuf *pbuf, char *p);
+static char *get_sockaddr(char *host, struct sockaddr *addr);
+static int parse_setreq(struct pbuf *pbuf, int proto, int level,
+ struct sockaddr *proxy);
+static int parse_main(struct pbuf *pbuf, char *policy);
+
+static enum token gettoken(char *p)
+{
+ int i;
+ int l;
+
+ assert(p);
+ for (i = 0; i < sizeof(tokens)/sizeof(tokens[0]); i++) {
+ if (tokens[i] == NULL)
+ continue;
+ l = strlen(tokens[i]);
+ if (strncmp(p, tokens[i], l) != 0)
+ continue;
+ /* slash alone is okay as token */
+ if (i == t_slash)
+ return i;
+ /* other ones are words, so needs proper termination */
+ if (isspace(p[l]) || p[l] == '/' || p[l] == '\0')
+ return i;
+ }
+ return t_invalid;
+}
+
+static char *skiptoken(char *p, enum token t)
+{
+ assert(p);
+ assert(tokens[t] != NULL);
+
+ if (gettoken(p) != t)
+ return NULL;
+ return p + strlen(tokens[t]);
+}
+
+static char *skipspaces(char *p)
+{
+ assert(p);
+ while (p && isspace(*p))
+ p++;
+ return p;
+}
+
+static char *parse_request(struct pbuf *pbuf, char *p)
+{
+ enum token t;
+ int i;
+ enum token ts[3]; /* set of tokens */
+ struct sockaddr_storage proxy;
+ int isproxy;
+
+ assert(p);
+ assert(pbuf);
+
+ i = 0;
+
+ /*
+ * here, we accept sequence like:
+ * [token slash]* token
+ * and decode that into ts[].
+ */
+ for (i = 0; i < sizeof(ts)/sizeof(ts[0]); i++)
+ ts[i] = t_invalid;
+ i = 0;
+ while (i < sizeof(ts)/sizeof(ts[0])) {
+ /* get a token */
+ p = skipspaces(p);
+ t = gettoken(p);
+ switch (t) {
+ case t_invalid:
+ /*
+ * this may be a proxy.
+ * this shouldn't be a termination.
+ */
+ if (*p != '\0')
+ goto breakbreak;
+ goto parseerror;
+ case t_esp:
+ case t_ah:
+ case t_ipcomp:
+ case t_default:
+ case t_use:
+ case t_require:
+ /*
+ * protocol or level - just keep it into ts[],
+ * we'll care about protocol/level ordering afterwards
+ */
+ ts[i++] = t;
+ p = skiptoken(p, t);
+ break;
+ case t_slash:
+ /*
+ * the user did not specify the token - don't advance
+ * the pointer.
+ */
+ ts[i++] = t_omit;
+ break;
+ default:
+ /* bzz, you are wrong */
+ goto parseerror;
+ }
+
+ /* get a slash */
+ p = skipspaces(p);
+ t = gettoken(p);
+ switch (t) {
+ case t_invalid:
+ /* this may be a termination. */
+ if (*p == '\0')
+ goto breakbreak;
+ goto parseerror;
+ case t_esp:
+ case t_ah:
+ case t_ipcomp:
+ /* protocol - we've hit the next request */
+ goto breakbreak;
+ case t_slash:
+ p = skiptoken(p, t);
+ break;
+ default:
+ /* bzz, you are wrong */
+ return NULL;
+ }
+ }
+
+breakbreak:
+
+ /* alright, we've got the tokens. */
+ switch (i) {
+ case 0:
+ ipsec_errcode = EIPSEC_NO_PROTO;
+ return NULL; /* no token? naa, go away */
+ case 1:
+ case 2:
+ if (!(ts[0] == t_esp || ts[0] == t_ah || ts[0] == t_ipcomp)) {
+ ipsec_errcode = EIPSEC_INVAL_PROTO;
+ return NULL;
+ }
+ if (i == 1) {
+ i++;
+ ts[1] = t_default;
+ }
+ if (ts[1] == t_omit)
+ ts[1] = t_default;
+ if (!(ts[1] == t_default || ts[1] == t_use
+ || ts[1] == t_require)) {
+ ipsec_errcode = EIPSEC_INVAL_LEVEL;
+ return NULL;
+ }
+ break;
+ default:
+ ipsec_errcode = EIPSEC_INVAL_LEVEL; /*XXX*/
+ return NULL;
+ }
+
+ /* here, we should be having 2 tokens */
+ assert(i == 2);
+