2 * All-in-one program to set Security Association parameters
3 * Copyright (C) 1996 John Ioannidis.
4 * Copyright (C) 1997, 1998, 1999, 2000, 2001 Richard Guy Briggs.
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 char spi_c_version[] = "RCSID $Id: spi.c,v 1.84 2002/03/08 21:44:04 rgb Exp $";
19 #include <asm/types.h>
20 #include <sys/types.h>
21 #include <sys/ioctl.h>
22 /* #include <linux/netdevice.h> */
24 /* #include <linux/types.h> */ /* new */
30 /* #include <sys/socket.h> */
32 #include <netinet/in.h>
33 #include <arpa/inet.h>
34 /* #include <linux/ip.h> */
44 #include <sys/socket.h>
47 #include "ipsec_xform.h"
50 * Manual conn support for ipsec_alg (modular algos).
51 * Rather ugly to include from pluto dir but avoids
55 #include "../../pluto/alg_info.h"
56 #include "../../pluto/constants.h"
58 #include "../../pluto/kernel_alg.h"
59 #endif /* NO_KERNEL_ALG */
/* Program name printed by the --version banner (see main()). */
62 char me[] = "ipsec spi";
/* getopt(3) state; the option loop in main() drives these. */
66 extern int optind, opterr, optopt;
/*
 * Raw key material and IV decoded from --iv/--enckey/--authkey in main():
 * each buffer is malloc()ed, zero-filled and then filled by atodata(); the
 * matching *len holds the number of decoded bytes.
 * NOTE(review): these are secrets. Nothing in the code shown scrubs them
 * before exit (a plain memset() before free() may be optimised away, so use
 * explicit_bzero()/memset_s() where available), and because they arrive as
 * command-line arguments they are, on most systems, also visible in the
 * process argument list and in shell history -- confirm the deployment
 * accepts that.
 */
68 char *iv = NULL, *enckey = NULL, *authkey = NULL;
69 size_t ivlen = 0, enckeylen = 0, authkeylen = 0;
/*
 * SA endpoint (edst) and encapsulation endpoints (src/dst). main() keeps
 * all three in the same address family (anyaddr() re-initialises them
 * whenever the family is chosen).
 */
70 ip_address edst, dst, src;
/* AF_INET/AF_INET6 once chosen by --af, --ip4/--ip6 or --said; 0 = not yet chosen. */
71 int address_family = 0;
/* IP protocol of the SA, from --proto or --said; 0 = not specified, which main() rejects. */
72 unsigned char proto = 0;
77 * Manual connection support for modular algos (ipsec_alg) --Juanjo.
79 #define XF_OTHER_ALG (XF_CLR-1) /* define magic XF_ symbol for alg_info's */
81 const char *alg_string = NULL; /* algorithm string */
82 struct alg_info_esp *alg_info = NULL; /* algorithm info got from string */
83 struct esp_info *esp_info = NULL; /* esp info from 1st (only) element */
84 const char *alg_err; /* auxiliary for parsing errors */
85 int proc_read_ok = 0; /* /proc/net/pf_key_support read ok */
86 #endif /* NO_KERNEL_ALG */
/* Anti-replay window size from --replay_window; main() accepts only 1..64. */
88 int replay_window = 0;
91 extern unsigned int pfkey_lib_debug; /* used by libfreeswan/pfkey_v2_build */
/*
 * Sequence number carried in the outgoing PF_KEY message header. The reply
 * path (pfkey_sig_handler) rejects any message whose sadb_msg_seq differs
 * from this value.
 */
94 uint32_t pfkey_seq = 0;
109 #define streql(_a,_b) (!strcmp((_a),(_b)))
/*
 * Usage text printed by usage(). Note that keys and IVs (--authkey,
 * --enckey, --iv) are taken directly from the command line.
 */
111 static const char *usage_string = "\
113 in the following, <SA> is: --af <inet | inet6> --edst <dstaddr> --spi <spi> --proto <proto>\n\
114 OR: --said <proto><.|:><spi>@<dstaddr>\n\
115 <life> is: --life <soft|hard>-<allocations|bytes|addtime|usetime|packets>=<value>[,...]\n\
121 spi --ip4 <SA> --src <encap-src> --dst <encap-dst>\n\
122 spi --ip6 <SA> --src <encap-src> --dst <encap-dst>\n\
123 spi --ah <algo> <SA> [<life> ][ --replay_window <replay_window> ] --authkey <key>\n\
124 where <algo> is one of: hmac-md5-96 | hmac-sha1-96\n\
125 spi --esp <algo> <SA> [<life> ][ --replay_window <replay-window> ] --enckey <ekey> --authkey <akey>\n\
126 where <algo> is one of: des-md5-96 | des-sha1-96 | 3des-md5-96 | 3des-sha1-96\n\
127 spi --esp <algo> <SA> [<life> ][ --replay_window <replay-window> ] --enckey <ekey>\n\
128 where <algo> is: des | 3des\n\
129 spi --comp <algo> <SA>\n\
130 where <algo> is: deflate | lzs\n\
131 [ --debug ] is optional to any spi command.\n\
132 [ --label <label> ] is optional to any spi command.\n\
/*
 * Print the usage text to f, prefixed by s (callers pass program_name).
 * Used both for --help (stdout) and for option errors (stderr).
 */
137 usage(char *s, FILE *f)
139 /* s is not ignored: it is printed as a "%s:" prefix before usage_string */
140 fprintf(f, "%s:%s", s, usage_string);
145 #ifdef SIGS_FROM_BELOW
/*
 * SIGIO handler (only compiled under SIGS_FROM_BELOW): waits for pfkey_sock
 * to become readable, reads one PF_KEY message into a stack buffer and
 * sanity-checks its header (version, total length, errno, pid, sequence,
 * reserved field, message type) before handing it to pfkey_msg_parse().
 * The parsed result is only reported, not acted on (see the final message).
 * NOTE(review): select(), read(), fprintf() and pfkey_msg_parse() are called
 * from signal context; stdio in particular is not async-signal-safe. If this
 * path is ever enabled, the work should move out of the handler.
 */
147 pfkey_sig_handler(int x)
153 fd_set l_pfkey_socks;
/* Receive buffer sized for the largest PF_KEY message; the length checks
 * below guarantee that header fields are never read past what was received.
 * NOTE(review): a plain char array is only guaranteed char-aligned; the
 * cast to struct sadb_msg below relies on the stack alignment -- a union
 * with struct sadb_msg would make this explicit. */
155 unsigned char buffer[PFKEYv2_MAX_MSGSIZE];
156 struct sadb_ext *extensions_parse[SADB_EXT_MAX + 1];
157 struct sadb_msg *pfkey_msg;
159 /* if(signal.type == SIGIO) } */
/* select() modifies its fd_set, so work on a copy of the global set. */
162 memcpy(&l_pfkey_socks, &pfkey_socks, sizeof(pfkey_socks));
164 fprintf(stdout, "%s:pfkey_sig_handler: "
165 "entering select for pfkey_sock=%d.\n",
/* Block until the socket is readable (no timeout). */
168 if((i = select(pfkey_sock + 1, &l_pfkey_socks, NULL, NULL, NULL)) < 0) {
169 fprintf(stderr, "%s:system error:pfkey_sig_handler: "
170 "select returned errno:%d.\n",
176 fprintf(stdout, "%s:pfkey_sig_handler: "
177 "select returned %d.\n",
/* msg and flags are declared on lines not shown here; the preprocessor
 * decides whether this recvmsg() or the read() below is compiled in. */
183 ret = recvmsg(pfkey_sock,
184 /* struct msghdr * */msg,
185 /* unsigned int */flags);
187 fprintf(stderr, "%s: pfkey recvmsg failed.\n",
196 fprintf(stderr, "system error:%d\n",
200 fprintf(stderr, "unknown error:%d\n",
206 fprintf(stdout, "%s:pfkey_sig_handler: "
207 "entering read for pfkey_sock=%d.\n",
/* Bounded by sizeof(buffer); PF_KEY delivers one message per read. */
210 if((len = read(pfkey_sock, buffer, sizeof(buffer))) < 0) {
211 fprintf(stderr, "%s: pfkey read failed.\n",
220 fprintf(stderr, "%s:system error:%d\n",
225 fprintf(stderr, "%s:unknown error:%d\n",
/* Must have at least a full header before any header field is trusted.
 * (len is known non-negative here, so the signed/unsigned comparison is safe.)
 * NOTE(review): %d with a size_t/ssize_t argument is a format mismatch on
 * LP64; use %zu/%zd. */
233 if(len < sizeof(struct sadb_msg)) {
234 fprintf(stderr, "%s:system error:pfkey_sig_handler: "
235 "read returned only %d octets of a minimum of %d octets for the message header.\n",
237 len, sizeof(struct sadb_msg));
241 fprintf(stdout, "%s:pfkey_sig_handler: "
242 "read %d octets from pfkey_sock=%d.\n",
246 pfkey_msg = (struct sadb_msg*)buffer;
248 if(pfkey_msg->sadb_msg_version != PF_KEY_V2) {
249 fprintf(stderr, "system error:pfkey_sig_handler: not PF_KEY_V2 msg.\n");
/* The header's own length claim (in 8-byte units) must match what was
 * received exactly, so pfkey_msg_parse() cannot walk past the buffer.
 * The error text says "aligned", but this is a length mismatch check. */
253 if(len != pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) {
254 fprintf(stderr, "system error:pfkey_sig_handler: bogus msg len of %d, not %d byte aligned.\n",
255 len, IPSEC_PFKEYv2_ALIGN);
259 /* XXX when this becomes a lib, keying daemons must be able to receive errors */
260 if(pfkey_msg->sadb_msg_errno) {
261 fprintf(stderr, "system error:pfkey_sig_handler: errno set to %d.\n",
262 pfkey_msg->sadb_msg_errno);
/* Only accept replies addressed to this process... */
267 if(pfkey_msg->sadb_msg_pid != getpid()) {
268 fprintf(stderr, "system error:pfkey_sig_handler: pid (%d) does not equal originating process pid (%d).\n",
269 pfkey_msg->sadb_msg_pid, getpid());
/* ...and carrying the sequence number of the request we sent. */
273 if(pfkey_msg->sadb_msg_seq != pfkey_seq) {
274 fprintf(stderr, "system error:pfkey_sig_handler: seq (%d) does not equal original message seq (%d).\n",
275 pfkey_msg->sadb_msg_seq, pfkey_seq);
279 if(pfkey_msg->sadb_msg_reserved) {
280 fprintf(stderr, "system error:pfkey_sig_handler: reserved field must be zero, set to %d.\n",
281 pfkey_msg->sadb_msg_reserved);
/* Message type must be in 1..SADB_MAX before it is used as an index anywhere. */
285 if((pfkey_msg->sadb_msg_type > SADB_MAX) || (!pfkey_msg->sadb_msg_type)){
286 fprintf(stderr, "system error:pfkey_sig_handler: msg type too large or small:%d.\n",
287 pfkey_msg->sadb_msg_type);
/* Full extension walk/validation is delegated to the library parser. */
291 if((error = pfkey_msg_parse(pfkey_msg, NULL, extensions_parse, EXT_BITS_OUT))) {
292 fprintf(stderr, "system error:pfkey_sig_handler: pfkey_msg_parse returns %d.\n",
295 fprintf(stdout, "%s:pfkey_sig_handler: return (msg would normally be sent for parsing).\n",
302 #endif /* SIGS_FROM_BELOW */
/*
 * Parse one --life argument of the form
 *     <soft|hard>-<allocations|bytes|addtime|usetime|packets>=<value>[,...]
 * storing each value in life[severity][type] and remembering the text that
 * defined it in life_opt[severity][type] (NULL = not given). The pointers
 * stored in life_opt point into the caller's option string (getopt's optarg,
 * i.e. argv), so they stay valid for the life of the process.
 * Errors print a diagnostic and the usage text; the return value is set on
 * lines not shown here. The third parameter (the option text) is also on a
 * line not shown here.
 * NOTE(review): the debug/error printf()s pass size_t and ptrdiff_t values
 * to %d, which is a format mismatch on LP64 (use %zu / %td).
 */
305 parse_life_options(uint32_t life[life_maxsever][life_maxtype],
306 char *life_opt[life_maxsever][life_maxtype],
309 char *optargp = optarg;
313 int life_severity, life_type;
/* optargt keeps the start of the current item for error messages and life_opt. */
314 char *optargt = optargp;
/* Severity prefix: "soft" or "hard" (compared without the terminator). */
316 if(strncmp(optargp, "soft", sizeof("soft")-1) == 0) {
317 life_severity = life_soft;
318 optargp += sizeof("soft")-1;
319 } else if(strncmp(optargp, "hard", sizeof("hard")-1) == 0) {
320 life_severity = life_hard;
321 optargp += sizeof("hard")-1;
323 fprintf(stderr, "%s: missing lifetime severity in %s, optargt=%p, optargp=%p, sizeof(\"soft\")=%d\n",
324 program_name, optargt, optargt, optargp, sizeof("soft"));
325 usage(program_name, stderr);
329 fprintf(stdout, "%s: debug: life_severity=%d, optargt=%p=\"%s\", optargp=%p=\"%s\", sizeof(\"soft\")=%d\n",
330 program_name, life_severity, optargt, optargt, optargp, optargp, sizeof("soft"));
332 if(*(optargp++) != '-') {
333 fprintf(stderr, "%s: expected '-' after severity of lifetime parameter to --life option.\n",
335 usage(program_name, stderr);
339 fprintf(stdout, "%s: debug: optargt=%p=\"%s\", optargp=%p=\"%s\", strlen(optargt)=%d, strlen(optargp)=%d, strncmp(optargp, \"addtime\", sizeof(\"addtime\")-1)=%d\n",
340 program_name, optargt, optargt, optargp, optargp, strlen(optargt), strlen(optargp), strncmp(optargp, "addtime", sizeof("addtime")-1));
/* Lifetime type keyword. */
342 if(strncmp(optargp, "allocations", sizeof("allocations")-1) == 0) {
343 life_type = life_alloc;
344 optargp += sizeof("allocations")-1;
345 } else if(strncmp(optargp, "bytes", sizeof("bytes")-1) == 0) {
346 life_type = life_bytes;
347 optargp += sizeof("bytes")-1;
348 } else if(strncmp(optargp, "addtime", sizeof("addtime")-1) == 0) {
349 life_type = life_addtime;
350 optargp += sizeof("addtime")-1;
351 } else if(strncmp(optargp, "usetime", sizeof("usetime")-1) == 0) {
352 life_type = life_usetime;
353 optargp += sizeof("usetime")-1;
354 } else if(strncmp(optargp, "packets", sizeof("packets")-1) == 0) {
355 life_type = life_packets;
356 optargp += sizeof("packets")-1;
358 fprintf(stderr, "%s: missing lifetime type after '-' in %s\n",
359 program_name, optargt);
360 usage(program_name, stderr);
364 fprintf(stdout, "%s: debug: life_type=%d\n",
365 program_name, life_type);
/* Each (severity, type) pair may be given only once. The earlier definition
 * is reported by pointer (%p) rather than by text; what happens after the
 * report is on a line not shown here. */
367 if(life_opt[life_severity][life_type] != NULL) {
368 fprintf(stderr, "%s: Error, lifetime parameter redefined:%s, already defined as:%p\n",
369 program_name, optargt, life_opt[life_severity][life_type]);
372 if(*(optargp++) != '=') {
373 fprintf(stderr, "%s: expected '=' after type of lifetime parameter to --life option.\n",
375 usage(program_name, stderr);
379 fprintf(stdout, "%s: debug: optargt=%p, optargt+strlen(optargt)=%p, optargp=%p, strlen(optargp)=%d\n",
380 program_name, optargt, optargt+strlen(optargt), optargp, strlen(optargp));
382 if(strlen(optargp) == 0) {
383 fprintf(stderr, "%s: expected value after '=' in --life option. optargt=%p, optargt+strlen(optargt)=%p, optargp=%p\n",
384 program_name, optargt, optargt+strlen(optargt), optargp);
385 usage(program_name, stderr);
/* Base 0: decimal, 0x hex or leading-0 octal.
 * NOTE(review): strtoul() returns unsigned long; storing it in a uint32_t
 * truncates silently on LP64 and ERANGE is never checked, so an out-of-range
 * lifetime becomes a different (smaller) value instead of an error. Set
 * errno = 0 before the call and reject ERANGE or values > UINT32_MAX. */
388 life[life_severity][life_type] = strtoul(optargp, &endptr, 0);
/* The number must run to end of string or to the next ',' / ' ' separator. */
390 if(!((endptr == optargp + strlen(optargp)) || (endptr == optargp + strcspn(optargp, ", ")))) {
391 fprintf(stderr, "%s: Invalid character='%c' at offset %d in lifetime option parameter: '%s', parameter string is %d characters long, %d valid value characters found.\n",
393 *endptr, endptr - optarg, optarg, strlen(optarg), strcspn(optargp, ", ") - 1);
396 life_opt[life_severity][life_type] = optargt;
398 fprintf(stdout, "%s lifetime %s set to %d.\n",
399 program_name, optargt, life[life_severity][life_type]);
/* Keep going while a separator follows (the next item starts after it).
 * NOTE(review): isspace() on a plain char is undefined for negative values;
 * cast to (unsigned char) first. */
402 } while(*endptr==',' || isspace(*endptr));
/*
 * Build a PF_KEY message header for satype and write it to pfkey_sock.
 * The header fields (message type, sequence, pid) are passed on lines not
 * shown here. Only the request is sent; no reply is read in this function.
 * Returns non-zero on any build or write failure (the callers in main()
 * test "!= 0"); those callers sit under #ifdef MANUAL_IS_NOT_ABLE_TO_NEGOTIATE
 * and, as written at lines 1234-1240, carry an unbalanced ')' that would not
 * compile if that block were enabled.
 */
408 pfkey_register(uint8_t satype) {
409 /* for registering SA types that can be negotiated */
411 struct sadb_ext *extensions[SADB_EXT_MAX + 1];
/* NOTE(review): not initialised. If pfkey_msg_build() fails before it has
 * assigned *pfkey_msg, the pfkey_msg_free() in that error path acts on an
 * indeterminate pointer. Initialise to NULL (and confirm pfkey_msg_free()
 * tolerates NULL). */
412 struct sadb_msg *pfkey_msg;
414 pfkey_extensions_init(extensions);
415 if((error = pfkey_msg_hdr_build(&extensions[0],
421 fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
422 program_name, error);
423 pfkey_extensions_free(extensions);
/* Serialise the extension array into one contiguous message. */
426 if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
427 fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
428 program_name, error);
429 pfkey_extensions_free(extensions);
430 pfkey_msg_free(&pfkey_msg);
/* sadb_msg_len is in 8-byte units. Any short write (or EINTR) is treated as
 * a failure; there is no retry. */
433 if(write(pfkey_sock, pfkey_msg,
434 pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) !=
435 pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) {
436 /* cleanup code here */
437 fprintf(stderr, "%s: Trouble writing to channel PF_KEY.\n", program_name);
438 pfkey_extensions_free(extensions);
439 pfkey_msg_free(&pfkey_msg);
/* Success path: release both the extension array and the built message. */
442 pfkey_extensions_free(extensions);
443 pfkey_msg_free(&pfkey_msg);
/*
 * Long options for getopt_long(); the second field is has_arg (1 = a value
 * is required) and the last field is the short code main()'s switch
 * dispatches on. Only part of the table is shown here.
 * Note that --authkey/--enckey take key material on the command line, and
 * --optionsfrom splices options read from a file into argv (see
 * optionsfrom() in main()), so that file needs the same protection as the
 * command line itself.
 */
448 static struct option const longopts[] =
457 {"authkey", 1, 0, 'A'},
458 {"enckey", 1, 0, 'E'},
461 {"proto", 1, 0, 'p'},
463 {"replay_window", 1, 0, 'w'},
470 {"version", 0, 0, 'v'},
471 {"clear", 0, 0, 'c'},
472 {"label", 1, 0, 'l'},
473 {"debug", 0, 0, 'g'},
474 {"optionsfrom", 1, 0, '+'},
480 main(int argc, char *argv[])
484 int c, previous = -1;
489 char ipaddr_txt[ADDRTOT_BUF];
490 char ipsaid_txt[SATOT_BUF];
495 unsigned char authalg, encryptalg;
496 struct sadb_ext *extensions[SADB_EXT_MAX + 1];
497 struct sadb_msg *pfkey_msg;
498 char *iv_opt, *akey_opt, *ekey_opt, *alg_opt, *edst_opt, *spi_opt, *proto_opt, *af_opt, *said_opt, *dst_opt, *src_opt;
500 ip_address pfkey_address_p_ska;
501 ip_address pfkey_ident_s_ska;
502 ip_address pfkey_ident_d_ska;
504 uint32_t life[life_maxsever][life_maxtype];
505 char *life_opt[life_maxsever][life_maxtype];
507 program_name = argv[0];
508 memset(&said, 0, sizeof(said));
509 iv_opt = akey_opt = ekey_opt = alg_opt = edst_opt = spi_opt = proto_opt = af_opt = said_opt = dst_opt = src_opt = NULL;
512 for(i = 0; i < life_maxsever; i++) {
513 for(j = 0; j < life_maxtype; j++) {
514 life_opt[i][j] = NULL;
520 while((c = getopt_long(argc, argv, ""/*"H:P:Z:46dcA:E:e:s:a:w:i:D:S:hvgl:+:f:"*/, longopts, 0)) != EOF) {
528 program_name = malloc(strlen(argv[0])
529 + 10 /* update this when changing the sprintf() */
531 sprintf(program_name, "%s --label %s",
538 fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
542 if (!strcmp(optarg, "hmac-md5-96")) {
544 } else if(!strcmp(optarg, "hmac-sha1-96")) {
547 fprintf(stderr, "%s: Unknown authentication algorithm '%s' follows '--ah' option.\n",
548 program_name, optarg);
552 fprintf(stdout, "Algorithm %d selected.\n", alg);
558 fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
562 if (!strcmp(optarg, "3des-md5-96")) {
563 alg = XF_ESP3DESMD596;
564 } else if(!strcmp(optarg, "3des-sha1-96")) {
565 alg = XF_ESP3DESSHA196;
566 } else if(!strcmp(optarg, "3des")) {
568 } else if(!strcmp(optarg, "des-md5-96")) {
569 alg = XF_ESPDESMD596;
570 } else if(!strcmp(optarg, "des-sha1-96")) {
571 alg = XF_ESPDESSHA196;
572 } else if(!strcmp(optarg, "des")) {
574 #ifndef NO_KERNEL_ALG
575 } else if((alg_info=alg_info_esp_create_from_str(optarg, &alg_err))) {
576 int esp_ealg_id, esp_aalg_id;
578 if (alg_info->alg_info_cnt>1) {
579 fprintf(stderr, "%s: Invalid encryption algorithm '%s' "
580 "follows '--esp' option: lead too many(%d) "
582 program_name, optarg, alg_info->alg_info_cnt);
586 esp_info=&alg_info->esp[0];
588 fprintf(stdout, "%s: alg_info: cnt=%d ealg[0]=%d aalg[0]=%d\n",
590 alg_info->alg_info_cnt,
591 esp_info->encryptalg,
594 esp_ealg_id=esp_info->esp_ealg_id;
595 esp_aalg_id=esp_info->esp_aalg_id;
596 if (kernel_alg_proc_read()==0) {
598 if (!kernel_alg_esp_enc_ok(esp_ealg_id, 0, 0))
600 fprintf(stderr, "%s: ESP encryptalg=%d (\"%s\") "
604 enum_name(&esp_transformid_names, esp_ealg_id));
607 if (!kernel_alg_esp_auth_ok(esp_aalg_id, 0))
609 fprintf(stderr, "%s: ESP authalg=%d (\"%s\")"
613 enum_name(&auth_alg_names, esp_aalg_id));
617 #endif /* NO_KERNEL_ALG */
619 fprintf(stderr, "%s: Invalid encryption algorithm '%s' follows '--esp' option.\n",
620 program_name, optarg);
624 fprintf(stdout, "Algorithm %d selected.\n", alg);
630 fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
634 if (!strcmp(optarg, "deflate")) {
635 alg = XF_COMPDEFLATE;
636 } else if (!strcmp(optarg, "lzs")) {
639 fprintf(stderr, "%s: Unknown compression algorithm '%s' follows '--comp' option.\n",
640 program_name, optarg);
644 fprintf(stdout, "Algorithm %d selected.\n", alg);
650 fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
655 address_family = AF_INET;
657 fprintf(stdout, "Algorithm %d selected.\n", alg);
663 fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
668 address_family = AF_INET6;
670 fprintf(stdout, "Algorithm %d selected.\n", alg);
676 fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
682 fprintf(stdout, "Algorithm %d selected.\n", alg);
688 fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
694 fprintf(stdout, "Algorithm %d selected.\n", alg);
700 fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined in SA:%s\n",
701 program_name, optarg, said_opt);
705 fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined as:%s\n",
706 program_name, optarg, edst_opt);
709 error_s = ttoaddr(optarg, 0, address_family, &edst);
710 if(error_s != NULL) {
712 fprintf(stderr, "%s: Error, %s converting --edst argument:%s\n",
713 program_name, error_s, optarg);
719 addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt));
720 fprintf(stdout, "edst=%s.\n", ipaddr_txt);
725 fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined in SA:%s\n",
726 program_name, optarg, said_opt);
730 fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined as:%s\n",
731 program_name, optarg, spi_opt);
734 spi = strtoul(optarg, &endptr, 0);
735 if(!(endptr == optarg + strlen(optarg))) {
736 fprintf(stderr, "%s: Invalid character in SPI parameter: %s\n",
737 program_name, optarg);
741 fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than 0x100.\n",
742 program_name, optarg, spi);
749 fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined in SA:%s\n",
750 program_name, optarg, said_opt);
754 fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined as:%s\n",
755 program_name, optarg, proto_opt);
758 if(!strcmp(optarg, "ah"))
760 if(!strcmp(optarg, "esp"))
762 if(!strcmp(optarg, "tun"))
764 if(!strcmp(optarg, "comp"))
767 fprintf(stderr, "%s: Invalid PROTO parameter: %s\n",
768 program_name, optarg);
775 fprintf(stderr, "%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined in SA:%s\n",
776 program_name, optarg, said_opt);
780 fprintf(stderr, "%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined as:%s\n",
781 program_name, optarg, af_opt);
784 if(strcmp(optarg, "inet") == 0) {
785 address_family = AF_INET;
786 /* currently we ensure that all addresses belong to the same address family */
787 anyaddr(address_family, &dst);
788 anyaddr(address_family, &edst);
789 anyaddr(address_family, &src);
791 if(strcmp(optarg, "inet6") == 0) {
792 address_family = AF_INET6;
793 /* currently we ensure that all addresses belong to the same address family */
794 anyaddr(address_family, &dst);
795 anyaddr(address_family, &edst);
796 anyaddr(address_family, &src);
798 if((strcmp(optarg, "inet") != 0) && (strcmp(optarg, "inet6") != 0)) {
799 fprintf(stderr, "%s: Invalid ADDRESS FAMILY parameter: %s.\n",
800 program_name, optarg);
807 fprintf(stderr, "%s: Error, SAID parameter redefined:%s, already defined in SA:%s\n",
808 program_name, optarg, said_opt);
812 fprintf(stderr, "%s: Error, PROTO parameter redefined in SA:%s, already defined as:%s\n",
813 program_name, optarg, proto_opt);
817 fprintf(stderr, "%s: Error, EDST parameter redefined in SA:%s, already defined as:%s\n",
818 program_name, optarg, edst_opt);
822 fprintf(stderr, "%s: Error, SPI parameter redefined in SA:%s, already defined as:%s\n",
823 program_name, optarg, spi_opt);
826 error_s = ttosa(optarg, 0, &said);
827 if(error_s != NULL) {
828 fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n",
829 program_name, error_s, optarg);
833 satot(&said, 0, ipsaid_txt, sizeof(ipsaid_txt));
834 fprintf(stdout, "said=%s.\n", ipsaid_txt);
836 /* init the src and dst with the same address family */
837 if(address_family == 0) {
838 address_family = addrtypeof(&said.dst);
839 } else if(address_family != addrtypeof(&said.dst)) {
840 fprintf(stderr, "%s: Error, specified address family (%d) is different that of SAID: %s\n",
841 program_name, address_family, optarg);
844 anyaddr(address_family, &dst);
845 anyaddr(address_family, &edst);
846 anyaddr(address_family, &src);
850 if(optarg[0] == '0') {
857 fprintf(stderr, "%s: Authentication key must have a '0x', '0t' or '0s' prefix to select the format: %s\n",
858 program_name, optarg);
862 authkeylen = atodata(optarg, 0, NULL, 0);
864 fprintf(stderr, "%s: unknown format or syntax error in authentication key: %s\n",
865 program_name, optarg);
868 authkey = malloc(authkeylen);
869 if(authkey == NULL) {
870 fprintf(stderr, "%s: Memory allocation error.\n", program_name);
873 memset(authkey, 0, authkeylen);
874 authkeylen = atodata(optarg, 0, authkey, authkeylen);
878 if(optarg[0] == '0') {
885 fprintf(stderr, "%s: Encryption key must have a '0x', '0t' or '0s' prefix to select the format: %s\n",
886 program_name, optarg);
890 enckeylen = atodata(optarg, 0, NULL, 0);
892 fprintf(stderr, "%s: unknown format or syntax error in encryption key: %s\n",
893 program_name, optarg);
896 enckey = malloc(enckeylen);
898 fprintf(stderr, "%s: Memory allocation error.\n", program_name);
901 memset(enckey, 0, enckeylen);
902 enckeylen = atodata(optarg, 0, enckey, enckeylen);
906 replay_window = strtoul(optarg, &endptr, 0);
907 if(!(endptr == optarg + strlen(optarg))) {
908 fprintf(stderr, "%s: Invalid character in replay_window parameter: %s\n",
909 program_name, optarg);
912 if((replay_window < 0x1) || (replay_window > 64)) {
913 fprintf(stderr, "%s: Failed -- Illegal window size: arg=%s, replay_window=%d, must be 1 <= size <= 64.\n",
914 program_name, optarg, replay_window);
919 if(optarg[0] == '0') {
926 fprintf(stderr, "%s: IV must have a '0x', '0t' or '0s' prefix to select the format, found '%c'.\n",
927 program_name, optarg[1]);
931 ivlen = atodata(optarg, 0, NULL, 0);
933 fprintf(stderr, "%s: unknown format or syntax error in IV: %s\n",
934 program_name, optarg);
939 fprintf(stderr, "%s: Memory allocation error.\n", program_name);
942 memset(iv, 0, ivlen);
943 ivlen = atodata(optarg, 0, iv, ivlen);
948 fprintf(stderr, "%s: Error, DST parameter redefined:%s, already defined as:%s\n",
949 program_name, optarg, dst_opt);
952 error_s = ttoaddr(optarg, 0, address_family, &dst);
953 if(error_s != NULL) {
954 fprintf(stderr, "%s: Error, %s converting --dst argument:%s\n",
955 program_name, error_s, optarg);
960 addrtot(&dst, 0, ipaddr_txt, sizeof(ipaddr_txt));
961 fprintf(stdout, "dst=%s.\n", ipaddr_txt);
966 fprintf(stderr, "%s: Error, SRC parameter redefined:%s, already defined as:%s\n",
967 program_name, optarg, src_opt);
970 error_s = ttoaddr(optarg, 0, address_family, &src);
971 if(error_s != NULL) {
972 fprintf(stderr, "%s: Error, %s converting --src argument:%s\n",
973 program_name, error_s, optarg);
978 addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt));
979 fprintf(stdout, "src=%s.\n", ipaddr_txt);
983 usage(program_name, stdout);
986 usage(program_name, stderr);
989 fprintf(stdout, "%s %s\n", me, ipsec_version_code());
990 fprintf(stdout, "See `ipsec --copyright' for copyright information.\n");
992 case '+': /* optionsfrom */
993 optionsfrom(optarg, &argc, &argv, optind, stderr);
994 /* no return on error */
997 if(parse_life_options(life,
1004 fprintf(stderr, "%s: unrecognized option '%c', update option processing.\n",
1011 fprintf(stdout, "All options processed.\n");
1015 system("cat /proc/net/ipsec_spi");
1020 #ifndef NO_KERNEL_ALG
1022 /* validate keysizes */
1024 const struct sadb_alg *alg_p;
1025 int keylen, minbits, maxbits;
1026 alg_p=kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,SADB_EXT_SUPPORTED_ENCRYPT,
1027 esp_info->encryptalg);
1029 keylen=enckeylen * 8;
1031 if (alg_p->sadb_alg_id==ESP_3DES) {
1032 maxbits=minbits=alg_p->sadb_alg_minbits * 8 /7;
1034 minbits=alg_p->sadb_alg_minbits;
1035 maxbits=alg_p->sadb_alg_maxbits;
1038 * if explicit keylen told in encrypt algo, eg "aes128"
1039 * check actual keylen "equality"
1041 if (esp_info->esp_ealg_keylen &&
1042 esp_info->esp_ealg_keylen!=keylen) {
1043 fprintf(stderr, "%s: invalid encryption keylen=%d, "
1044 "required %d by encrypt algo string=\"%s\"\n",
1047 esp_info->esp_ealg_keylen,
1052 /* thanks DES for this sh*t */
1054 if (minbits > keylen || maxbits < keylen) {
1055 fprintf(stderr, "%s: invalid encryption keylen=%d, "
1056 "must be between %d and %d bits\n",
1058 keylen, minbits, maxbits);
1061 alg_p=kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,SADB_EXT_SUPPORTED_AUTH,
1064 keylen=authkeylen * 8;
1065 minbits=alg_p->sadb_alg_minbits;
1066 maxbits=alg_p->sadb_alg_maxbits;
1067 if (minbits > keylen || maxbits < keylen) {
1068 fprintf(stderr, "%s: invalid auth keylen=%d, "
1069 "must be between %d and %d bits\n",
1071 keylen, minbits, maxbits);
1076 #endif /* NO_KERNEL_ALG */
1082 case XF_ESPDESMD596:
1083 case XF_ESPDESSHA196:
1084 case XF_ESP3DESMD596:
1085 case XF_ESP3DESSHA196:
1086 case XF_ESPNULLMD596:
1087 case XF_ESPNULLSHA196:
1090 case XF_COMPDEFLATE:
1093 if(isanyaddr(&edst)) {
1094 fprintf(stderr, "%s: SA destination not specified.\n",
1099 fprintf(stderr, "%s: SA SPI not specified.\n",
1104 fprintf(stderr, "%s: SA PROTO not specified.\n",
1108 initsaid(&edst, htonl(spi), proto, &said);
1111 spi = ntohl(said.spi);
1114 if((address_family != 0) && (address_family != addrtypeof(&said.dst))) {
1115 fprintf(stderr, "%s: Defined address family and address family of SA missmatch.\n",
1119 sa_len = satot(&said, 0, sa, sizeof(sa));
1122 fprintf(stdout, "SA valid.\n");
1128 fprintf(stderr, "%s: No action chosen. See '%s --help' for usage.\n",
1129 program_name, program_name);
1140 case XF_ESPDESMD596:
1141 case XF_ESPDESSHA196:
1142 case XF_ESP3DESMD596:
1143 case XF_ESP3DESSHA196:
1144 case XF_ESPNULLMD596:
1145 case XF_ESPNULLSHA196:
1148 case XF_COMPDEFLATE:
1150 #ifndef NO_KERNEL_ALG
1152 #endif /* NO_KERNEL_ALG */
1155 fprintf(stderr, "%s: No action chosen. See '%s --help' for usage.\n",
1156 program_name, program_name);
1160 fprintf(stdout, "Algorithm ok.\n");
1163 if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) {
1164 fprintf(stderr, "%s: Trouble openning PF_KEY family socket with error: ",
1168 fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
1171 fprintf(stderr, "access denied. ");
1173 fprintf(stderr, "Check permissions. Should be 600.\n");
1175 fprintf(stderr, "You must be root to open this file.\n");
1179 fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
1182 fprintf(stderr, "KLIPS not loaded or enabled.\n");
1185 fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
1188 fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n");
1191 fprintf(stderr, "No kernel memory to allocate SA.\n");
1193 case ESOCKTNOSUPPORT:
1194 fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
1197 fprintf(stderr, "SA already in use. Delete old one first.\n");
1200 fprintf(stderr, "SA does not exist. Cannot delete.\n");
1203 fprintf(stderr, "KLIPS not loaded or enabled.\n");
1206 fprintf(stderr, "Unknown file open error %d. Please report as much detail as possible to development team.\n", errno);
1211 #ifdef SIGS_FROM_BELOW
1213 struct sigaction sig_act;
1215 memset(&sig_act, 0, sizeof(sig_act));
1217 sig_act.sa_handler = pfkey_sig_handler;
1218 sigemptyset(&sig_act.sa_mask);
1219 sig_act.sa_flags = SA_RESTART;
1221 sig_act_err = sigaction(SIGIO, &sig_act, NULL);
1222 if(sig_act_err < 0) {
1223 fprintf(stderr, "Signal handler registration error.\n", sig_act_err);
1227 #endif /* SIGS_FROM_BELOW */
1229 #ifdef MANUAL_IS_NOT_ABLE_TO_NEGOTIATE
1230 /* for registering SA types that can be negotiated */
1231 if(pfkey_register(SADB_SATYPE_AH) != 0) {
1234 if(pfkey_register(SADB_SATYPE_ESP)) != 0) {
1237 if(pfkey_register(SADB_X_SATYPE_IPIP)) != 0) {
1240 if(pfkey_register(SADB_X_SATYPE_COMP)) != 0) {
1243 #endif /* MANUAL_IS_NOT_ABLE_TO_NEGOTIATE */
1245 /* Build an SADB_ADD message to send down. */
1246 /* It needs <base, SA, address(SD), key(AE)> minimum. */
1247 /* Lifetime(HS) could be added before addresses. */
1248 pfkey_extensions_init(extensions);
1250 fprintf(stdout, "%s: extensions=%p &extensions=%p extensions[0]=%p &extensions[0]=%p cleared.\n",
1257 if((error = pfkey_msg_hdr_build(&extensions[0],
1258 (alg == XF_DEL ? SADB_DELETE : alg == XF_CLR ? SADB_FLUSH : SADB_ADD),
1259 proto2satype(proto),
1263 fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
1264 program_name, error);
1265 pfkey_extensions_free(extensions);
1269 fprintf(stdout, "%s: extensions=%p &extensions=%p extensions[0]=%p &extensions[0]=%p set w/msghdr.\n",
1277 fprintf(stdout, "%s: base message assembled.\n", program_name);
1282 case XF_ESPDESMD596:
1283 case XF_ESP3DESMD596:
1284 authalg = SADB_AALG_MD5HMAC;
1287 case XF_ESPDESSHA196:
1288 case XF_ESP3DESSHA196:
1289 authalg = SADB_AALG_SHA1HMAC;
1291 #ifndef NO_KERNEL_ALG
1293 authalg= esp_info->authalg;
1295 fprintf(stdout, "%s: debug: authalg=%d\n",
1296 program_name, authalg);
1299 #endif /* NO_KERNEL_ALG */
1303 authalg = SADB_AALG_NONE;
1307 case XF_ESPDESMD596:
1308 case XF_ESPDESSHA196:
1309 encryptalg = SADB_EALG_DESCBC;
1312 case XF_ESP3DESMD596:
1313 case XF_ESP3DESSHA196:
1314 encryptalg = SADB_EALG_3DESCBC;
1316 case XF_COMPDEFLATE:
1317 encryptalg = SADB_X_CALG_DEFLATE;
1320 encryptalg = SADB_X_CALG_LZS;
1322 #ifndef NO_KERNEL_ALG
1324 encryptalg= esp_info->encryptalg;
1326 fprintf(stdout, "%s: debug: encryptalg=%d\n",
1327 program_name, encryptalg);
1330 #endif /* NO_KERNEL_ALG */
1332 encryptalg = SADB_EALG_NONE;
1334 if(!(alg == XF_CLR /* IE: pfkey_msg->sadb_msg_type == SADB_FLUSH */)) {
1335 if((error = pfkey_sa_build(&extensions[SADB_EXT_SA],
1337 htonl(spi), /* in network order */
1339 SADB_SASTATE_MATURE,
1343 fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n",
1344 program_name, error);
1345 pfkey_extensions_free(extensions);
1349 fprintf(stdout, "%s: extensions[0]=%p previously set with msg_hdr.\n",
1354 fprintf(stdout, "%s: assembled SA extension, pfkey msg authalg=%d encalg=%d.\n",
1360 #if 1 /* def PFKEY_LIFETIME */
1363 for(i = 0; i < life_maxsever; i++) {
1364 for(j = 0; j < life_maxtype; j++) {
1365 fprintf(stdout, "i=%d, j=%d, life_opt[%d][%d]=%p, life[%d][%d]=%d\n",
1366 i, j, i, j, life_opt[i][j], i, j, life[i][j]);
1370 if(life_opt[life_soft][life_alloc] != NULL ||
1371 life_opt[life_soft][life_bytes] != NULL ||
1372 life_opt[life_soft][life_addtime] != NULL ||
1373 life_opt[life_soft][life_usetime] != NULL ||
1374 life_opt[life_soft][life_packets] != NULL) {
1375 if((error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_SOFT],
1376 SADB_EXT_LIFETIME_SOFT,
1377 life[life_soft][life_alloc],/*-1,*/ /*allocations*/
1378 life[life_soft][life_bytes],/*-1,*/ /*bytes*/
1379 life[life_soft][life_addtime],/*-1,*/ /*addtime*/
1380 life[life_soft][life_usetime],/*-1,*/ /*usetime*/
1381 life[life_soft][life_packets]/*-1*/))) { /*packets*/
1382 fprintf(stderr, "%s: Trouble building lifetime_s extension, error=%d.\n",
1383 program_name, error);
1384 pfkey_extensions_free(extensions);
1388 fprintf(stdout, "%s: lifetime_s extension assembled.\n",
1393 if(life_opt[life_hard][life_alloc] != NULL ||
1394 life_opt[life_hard][life_bytes] != NULL ||
1395 life_opt[life_hard][life_addtime] != NULL ||
1396 life_opt[life_hard][life_usetime] != NULL ||
1397 life_opt[life_hard][life_packets] != NULL) {
1398 if((error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_HARD],
1399 SADB_EXT_LIFETIME_HARD,
1400 life[life_hard][life_alloc],/*-1,*/ /*allocations*/
1401 life[life_hard][life_bytes],/*-1,*/ /*bytes*/
1402 life[life_hard][life_addtime],/*-1,*/ /*addtime*/
1403 life[life_hard][life_usetime],/*-1,*/ /*usetime*/
1404 life[life_hard][life_packets]/*-1*/))) { /*packets*/
1405 fprintf(stderr, "%s: Trouble building lifetime_h extension, error=%d.\n",
1406 program_name, error);
1407 pfkey_extensions_free(extensions);
1411 fprintf(stdout, "%s: lifetime_h extension assembled.\n",
1415 #endif /* PFKEY_LIFETIME */
1418 addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt));
1419 fprintf(stdout, "%s: assembling address_s extension (%s).\n",
1420 program_name, ipaddr_txt);
1423 if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
1424 SADB_EXT_ADDRESS_SRC,
1427 sockaddrof(&src)))) {
1428 addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt));
1429 fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n",
1430 program_name, ipaddr_txt, error);
1431 pfkey_extensions_free(extensions);
1435 ip_address temp_addr;
1437 switch(address_family) {
1439 initaddr((const unsigned char *)&(((struct sockaddr_in*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_SRC])) + 1))->sin_addr),
1440 sockaddrlenof(&src), address_family, &temp_addr);
1443 initaddr((const unsigned char *)&(((struct sockaddr_in6*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_SRC])) + 1))->sin6_addr),
1444 sockaddrlenof(&src), address_family, &temp_addr);
1447 fprintf(stdout, "%s: unknown address family (%d).\n",
1448 program_name, address_family);
1451 addrtot(&temp_addr, 0, ipaddr_txt, sizeof(ipaddr_txt));
1452 fprintf(stdout, "%s: address_s extension assembled (%s).\n",
1453 program_name, ipaddr_txt);
1457 addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt));
1458 fprintf(stdout, "%s: assembling address_d extension (%s).\n",
1459 program_name, ipaddr_txt);
1462 if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
1463 SADB_EXT_ADDRESS_DST,
1466 sockaddrof(&edst)))) {
1467 addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt));
1468 fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n",
1469 program_name, ipaddr_txt, error);
1470 pfkey_extensions_free(extensions);
1474 ip_address temp_addr;
1475 switch(address_family) {
1477 initaddr((const unsigned char *)&(((struct sockaddr_in*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_DST])) + 1))->sin_addr),
1478 4, address_family, &temp_addr);
1481 initaddr((const unsigned char *)&(((struct sockaddr_in6*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_DST])) + 1))->sin6_addr),
1482 16, address_family, &temp_addr);
1485 fprintf(stdout, "%s: unknown address family (%d).\n",
1486 program_name, address_family);
1489 addrtot(&temp_addr, 0, ipaddr_txt, sizeof(ipaddr_txt));
1490 fprintf(stdout, "%s: address_d extension assembled (%s).\n",
1491 program_name, ipaddr_txt);
1495 anyaddr(address_family, &pfkey_address_p_ska);
1496 if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_PROXY],
1497 SADB_EXT_ADDRESS_PROXY,
1500 sockaddrof(&pfkey_address_p_ska)))) {
1501 fprintf(stderr, "%s: Trouble building address_p extension, error=%d.\n",
1502 program_name, error);
1503 pfkey_extensions_free(extensions);
1507 fprintf(stdout, "%s: address_p extension assembled.\n", program_name);
1509 #endif /* PFKEY_PROXY */
1513 case XF_ESPDESMD596:
1514 case XF_ESP3DESMD596:
1516 case XF_ESPDESSHA196:
1517 case XF_ESP3DESSHA196:
1518 #ifndef NO_KERNEL_ALG
1520 #endif /* NO_KERNEL_ALG */
1521 if((error = pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH],
1525 fprintf(stderr, "%s: Trouble building key_a extension, error=%d.\n",
1526 program_name, error);
1527 pfkey_extensions_free(extensions);
1531 fprintf(stdout, "%s: key_a extension assembled.\n",
1541 case XF_ESPDESMD596:
1542 case XF_ESPDESSHA196:
1544 case XF_ESP3DESMD596:
1545 case XF_ESP3DESSHA196:
1546 #ifndef NO_KERNEL_ALG
1548 #endif /* NO_KERNEL_ALG */
1549 if((error = pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT],
1550 SADB_EXT_KEY_ENCRYPT,
1553 fprintf(stderr, "%s: Trouble building key_e extension, error=%d.\n",
1554 program_name, error);
1555 pfkey_extensions_free(extensions);
1559 fprintf(stdout, "%s: key_e extension assembled.\n",
1567 #ifdef PFKEY_IDENT /* GG: looks wierd, not touched */
1568 if((pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_SRC],
1569 SADB_EXT_IDENTITY_SRC,
1570 SADB_IDENTTYPE_PREFIX,
1572 strlen(pfkey_ident_s_ska),
1573 pfkey_ident_s_ska))) {
1574 fprintf(stderr, "%s: Trouble building ident_s extension, error=%d.\n",
1575 program_name, error);
1576 pfkey_extensions_free(extensions);
1579 if(subnettoa(addr, mask, format, pfkey_ident_s_ska,
1580 sizeof(pfkey_ident_s_ska) ) !=
1581 sizeof(pfkey_ident_s_ska) ) {
1585 if((error = pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_DST],
1586 SADB_EXT_IDENTITY_DST,
1587 SADB_IDENTTYPE_PREFIX,
1589 strlen(pfkey_ident_d_ska),
1590 pfkey_ident_d_ska))) {
1591 fprintf(stderr, "%s: Trouble building ident_d extension, error=%d.\n",
1592 program_name, error);
1593 pfkey_extensions_free(extensions);
1596 if(subnettoa(addr, mask, format, pfkey_ident_d_ska,
1597 sizeof(pfkey_ident_d_ska) ) !=
1598 sizeof(pfkey_ident_d_ska) ) {
1603 fprintf(stdout, "%s: ident extensions assembled.\n",
1606 #endif /* PFKEY_IDENT */
1610 fprintf(stdout, "%s: assembling pfkey msg....\n",
1613 if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
1614 fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
1615 program_name, error);
1616 pfkey_extensions_free(extensions);
1617 pfkey_msg_free(&pfkey_msg);
1621 fprintf(stdout, "%s: assembled.\n",
1625 fprintf(stdout, "%s: writing pfkey msg.\n",
1628 if((error = write(pfkey_sock,
1630 pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) !=
1631 pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) {
1632 fprintf(stderr, "%s: pfkey write failed, returning %d with errno=%d.\n",
1633 program_name, error, errno);
1634 pfkey_extensions_free(extensions);
1635 pfkey_msg_free(&pfkey_msg);
1638 fprintf(stderr, "access denied. ");
1640 fprintf(stderr, "Check permissions. Should be 600.\n");
1642 fprintf(stderr, "You must be root to open this file.\n");
1646 fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
1649 fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
1652 fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
1655 fprintf(stderr, "KLIPS not loaded or enabled.\n");
1656 fprintf(stderr, "No device?!?\n");
1659 fprintf(stderr, "No kernel memory to allocate SA.\n");
1661 case ESOCKTNOSUPPORT:
1662 fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
1665 fprintf(stderr, "SA already in use. Delete old one first.\n");
1668 fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
1672 fprintf(stderr, "SA does not exist. Cannot delete.\n");
1675 fprintf(stderr, "Unknown socket write error %d. Please report as much detail as possible to development team.\n", errno);
1677 /* fprintf(stderr, "%s: socket write returned errno %d\n",
1678 program_name, errno);*/
1682 fprintf(stdout, "%s: pfkey command written to socket.\n",
1686 #if 0 /* use write() rather than sendmsg() */
1687 error = sendmsg(/* int */pfkey_sock,
1688 /* const void* */msg,
1690 /* unsigned int flags MSG_OOB|MSG_DONTROUTE */ 0);
1692 fprintf(stderr, "%s: pfkey sendmsg failed.\n",
1696 fprintf(stderr, "bad data error, since this should not happen, advise the maintainer.\n");
1704 fprintf(stderr, "system error:%d\n", error);
1707 fprintf(stderr, "unknown error:%d\n", error);
1714 sleep (1); /* wait for errors to come back through signal handling */
1715 read(pfkey_sock, &pfkey_buf, sizeof(pfkey_msg) );
1716 fprintf(stdout, "%s: pfkey_buf read.\n", program_name);
1717 /* fprintf(stdout, "%s: press a key to close pfkey socket.\n", program_name); */
1718 /* getchar(); */ /* RGB wait for keystroke to exit (debug) */
1719 fprintf(stdout, "%s: sleeping 2 seconds to allow return messages.\n", program_name);
1720 sleep(1); /* wait for errors to come back through signal handling */
1721 fprintf(stdout, "%s: pfkey_sig_handler called.\n", program_name);
1722 pfkey_sig_handler(0); /* solicit upmsg */
1725 pfkey_extensions_free(extensions);
1726 pfkey_msg_free(&pfkey_msg);
1729 fprintf(stdout, "%s: pfkey message buffer freed.\n",
1732 (void) close(pfkey_sock); /* close the socket */
1734 memset((caddr_t)authkey, 0, authkeylen);
1738 memset((caddr_t)enckey, 0, enckeylen);
1742 memset((caddr_t)iv, 0, ivlen);
1750 * Revision 1.84 2002/03/08 21:44:04 rgb
1751 * Update for all GNU-compliant --version strings.
1753 * Revision 1.83 2002/02/20 00:01:53 rgb
1754 * Cleaned out unused code.
1756 * Revision 1.82 2001/11/09 02:16:37 rgb
1757 * Fixed bug that erroneously required explicit af parameter for --said.
1758 * Fixed missing SA message on delete.
1760 * Revision 1.81 2001/11/06 20:18:47 rgb
1761 * Added lifetime parameters.
1763 * Revision 1.80 2001/10/25 06:57:10 rgb
1764 * Added space as legal delimiter in lifetime parameter list.
1766 * Revision 1.79 2001/10/24 03:23:55 rgb
1767 * Moved lifetime option parsing to a separate function and allowed for
1768 * comma-separated lists of lifetime parameters.
1769 * Moved SATYPE registrations to a separate function.
1771 * Revision 1.78 2001/10/22 19:49:35 rgb
1772 * Added lifetime parameter capabilities.
1774 * Revision 1.77 2001/10/02 17:17:17 rgb
1775 * Check error return for all "tto*" calls and report errors. This, in
1776 * conjunction with the fix to "tto*" will detect AF not set.
1778 * Revision 1.76 2001/09/08 21:13:35 rgb
1779 * Added pfkey ident extension support for ISAKMPd. (NetCelo)
1781 * Revision 1.75 2001/09/07 22:24:42 rgb
1782 * Added EAFNOSUPPORT socket open error code in case KLIPS is not loaded.
1784 * Revision 1.74 2001/06/14 19:35:14 rgb
1785 * Update copyright date.
1787 * Revision 1.73 2001/05/30 08:14:05 rgb
1788 * Removed vestiges of esp-null transforms.
1790 * Revision 1.72 2001/05/21 02:02:55 rgb
1791 * Eliminate 1-letter options.
1793 * Revision 1.71 2001/05/16 05:07:20 rgb
1794 * Fixed --label option in KLIPS manual utils to add the label to the
1795 * command name rather than replace it in error text.
1796 * Fix 'print table' non-option in KLIPS manual utils to deal with --label
1797 * and --debug options.
1799 * Revision 1.70 2000/11/06 04:36:57 rgb
1800 * Display conversion on replay_window failure.
1801 * Don't register SATYPEs for manual.
1803 * Revision 1.69 2000/09/28 00:37:20 rgb
1804 * Swapped order of pfkey_registration of IPCOMP and IPIP.
1806 * Revision 1.68 2000/09/17 18:56:48 rgb
1807 * Added IPCOMP support.
1809 * Revision 1.67 2000/09/12 22:36:45 rgb
1810 * Gerhard's IPv6 support.
1812 * Revision 1.66 2000/09/08 19:17:31 rgb
1813 * Removed all references to CONFIG_IPSEC_PFKEYv2.
1815 * Revision 1.65 2000/08/30 05:34:54 rgb
1818 * Revision 1.64 2000/08/27 01:50:51 rgb
1819 * Update copyright dates and fix replay window endian bug.
1821 * Revision 1.63 2000/08/18 21:19:27 rgb
1822 * Removed no longer used resolve_ip() code.
1824 * Revision 1.62 2000/08/01 14:51:53 rgb
1825 * Removed _all_ remaining traces of DES.
1827 * Revision 1.61 2000/07/26 20:48:42 rgb
1828 * Fixed typo that caused compile failure.
1830 * Revision 1.60 2000/07/26 03:41:46 rgb
1831 * Changed all printf's to fprintf's. Fixed tncfg's usage to stderr.
1833 * Revision 1.59 2000/06/21 16:51:27 rgb
1834 * Added no additional argument option to usage text.
1836 * Revision 1.58 2000/03/16 06:40:49 rgb
1837 * Hardcode PF_KEYv2 support.
1839 * Revision 1.57 2000/01/22 23:22:46 rgb
1840 * Use new function proto2satype().
1842 * Revision 1.56 2000/01/21 09:42:32 rgb
1843 * Replace resolve_ip() with atoaddr() from freeswanlib.
1845 * Revision 1.55 2000/01/21 06:24:57 rgb
1846 * Blasted any references in usage and code to deleted algos.
1847 * Removed DES usage.
1848 * Changed usage of memset on extensions to pfkey_extensions_init().
1850 * Revision 1.54 1999/12/29 21:17:41 rgb
1851 * Changed pfkey_msg_build() I/F to include a struct sadb_msg**
1852 * parameter for cleaner manipulation of extensions[] and to guard
1853 * against potential memory leaks.
1854 * Changed the I/F to pfkey_msg_free() for the same reason.
1856 * Revision 1.53 1999/12/10 17:35:37 rgb
1857 * Added address debugging.
1858 * Fixed undetected spi followed by said sanity check bug.
1859 * Fixed unset spi and edst using said bug.
1861 * Revision 1.52 1999/12/09 23:13:53 rgb
1862 * Added argument to pfkey_sa_build() to do eroutes.
1864 * Revision 1.51 1999/12/07 18:29:13 rgb
1865 * Converted local functions to static to limit scope.
1866 * Removed unused cruft.
1867 * Changed types to unsigned to quiet compiler.
1868 * Cleaned up compiler directives.
1870 * Revision 1.50 1999/12/01 22:19:04 rgb
1871 * Change pfkey_sa_build to accept an SPI in network byte order.
1872 * Minor reformatting.
1873 * Close socket after cleanup.
1874 * Moved pfkey_lib_debug variable into the library.
1876 * Revision 1.49 1999/11/27 11:53:56 rgb
1877 * Fix pfkey_v2_parse calls.
1878 * Add argument to pfkey_msg_parse() for direction.
1879 * Move parse-after-build check inside pfkey_msg_build().
1881 * Revision 1.48 1999/11/25 19:05:12 rgb
1882 * Add parser calls to parse newly built message and disabled signal
1884 * Zapped all manual pfkey assignment code in favour of build library
1886 * Clean out other unused code.
1888 * Revision 1.47 1999/11/25 09:08:46 rgb
1889 * Turn debug compiler directive into command line switch.
1890 * Fix unused argument bug in usage.
1891 * Delete unused variables and code.
1892 * Add default to alg switch to catch algo not set.
1893 * Added error return checking from pfkey_build routines.
1894 * Clarified assignment in conditional with parens.
1895 * Fixed extension pointer bugs passing args to pfkey_build routines.
1897 * Revision 1.46 1999/11/24 17:22:25 rgb
1898 * Fix PFKEY_BUILD_LIB compiler directives.
1899 * Fix bug in memset(extensions) size argument.
1900 * Fix bug in extensions type and calling style.
1901 * Fix PFKEY_BUILD_LIB ifdef boundary bug.
1903 * Revision 1.45 1999/11/23 23:11:18 rgb
1904 * Added pfkey_v2_build calls.
1905 * Sort out pfkey and freeswan headers, putting them in a library path.
1906 * Corrected a couple of bugs in as-yet-inactive code.
1907 * Clarified indention of pfkey_msg assembly code.
1909 * Revision 1.44 1999/11/18 04:56:07 rgb
1910 * Change expected signal type comment.
1911 * Add signal handler debugging code.
1912 * Temporarily remove select() code for signal debugging.
1913 * Fix minor sequence number bug.
1915 * Revision 1.43 1999/10/27 20:01:01 rgb
1916 * Enabled the signal handler.
1917 * Changed pfkey_seq from post-increment to pre-increment.
1919 * Revision 1.42 1999/10/16 00:26:34 rgb
1920 * Add to pfkey lifetime support.
1921 * Attempt to add pfkey socket receive support.
1922 * Change to more intuitive name of pfkey socket variable.
1924 * Revision 1.41 1999/07/08 19:18:33 rgb
1925 * Shut off debugging by default.
1927 * Revision 1.40 1999/06/10 16:12:53 rgb
1928 * Add autoconf to use pfkey.
1929 * Add error return code description.
1931 * Revision 1.39 1999/04/29 15:26:54 rgb
1932 * Debug pfkey support.
1933 * Add debugging instrumentation.
1934 * Add error return code checks.
1935 * Add support for DELETE and CLR messages.
1936 * Add support for IPPROTO_IPIP.
1937 * Copy in src address.
1938 * Set sin_zero properly.
1939 * Add ident_d support(untested).
1940 * Fix msg header copy length bug.
1941 * Add kludge to support FLUSH.
1943 * Revision 1.38 1999/04/15 15:37:28 rgb
1944 * Forward check changes from POST1_00 branch.
1946 * Revision 1.34.2.2 1999/04/13 20:58:10 rgb
1947 * Add argc==1 --> /proc/net/ipsec_*.
1949 * Revision 1.34.2.1 1999/03/30 17:07:04 rgb
1950 * Make main() return type explicit.
1952 * OOO window size htons bugfix.
1954 * Revision 1.37 1999/04/11 00:12:08 henry
1957 * Revision 1.36 1999/04/06 04:54:38 rgb
1958 * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
1959 * patch shell fixes.
1961 * Revision 1.35 1999/03/17 15:40:07 rgb
1962 * Make explicit main() return type of int.
1963 * Fix memory clear bug in spi.c.
1965 * Revision 1.34 1999/02/16 05:20:49 rgb
1966 * Fix memory clear bugs just prior to normal exit that were causing ipsec
1967 * manual scripts to fail and potentially leaving large core files.
1969 * Revision 1.33 1999/02/09 00:13:16 rgb
1970 * Fix replay window htonl bug.
1972 * Revision 1.32 1999/01/22 06:35:54 rgb
1974 * Added algorithm switch code.
1975 * Removed IV requirement, now an option (kept code for back-compat).
1977 * Add error-checking.
1978 * Removed PFKEY code, will re-add later.
1980 * Revision 1.31 1998/11/12 21:08:04 rgb
1981 * Add --label option to identify caller from scripts.
1983 * Revision 1.30 1998/11/11 18:34:12 rgb
1984 * Fixed #includes for RH5.1.
1986 * Revision 1.29 1998/11/11 07:14:18 rgb
1987 * #include cleanup to hopefully compile under RH5.1.
1989 * Revision 1.28 1998/11/10 05:34:11 rgb
1990 * Add support for SA direction flag.
1991 * Add more specific error output messages.
1993 * Revision 1.27 1998/10/27 00:31:12 rgb
1994 * Set replay structure flag to 0 (not used).
1996 * Revision 1.26 1998/10/26 01:28:38 henry
1997 * use SA_* protocol names, not IPPROTO_*, to avoid compile problems
1999 * Revision 1.25 1998/10/25 02:45:39 rgb
2000 * Change program to program_name to bring in line with other utils.
2001 * Added debugging code to find null proto bug, premature exit on hex info bug.
2002 * Fixed premature exit on hex info bug.
2004 * Revision 1.24 1998/10/22 06:34:16 rgb
2005 * Fixed bad structure pointer.
2006 * Fixed unknown var (cut and paste error).
2008 * Revision 1.23 1998/10/19 18:56:24 rgb
2009 * Added inclusion of freeswan.h.
2010 * sa_id structure implemented and used: now includes protocol.
2011 * Start to add some inactive pfkey2 code.
2013 * Revision 1.22 1998/10/09 18:47:30 rgb
2014 * Add 'optionfrom' to get more options from a named file.
2016 * Revision 1.21 1998/10/09 04:36:03 rgb
2017 * Standardise on '-96' notation for AH transforms.
2019 * Revision 1.20 1998/09/03 01:29:32 henry
2020 * improve atodata()-failed error messages a bit
2022 * Revision 1.19 1998/09/02 03:14:33 henry
2023 * no point in printing zero lengths used as error returns
2025 * Revision 1.18 1998/09/02 03:12:08 henry
2026 * --help output goes on stdout, not stderr
2028 * Revision 1.17 1998/09/01 19:50:50 henry
2029 * fix operator-precedence bug that often messed up --ah SPI creation
2032 * Revision 1.16 1998/08/28 03:14:12 rgb
2033 * Simplify/Clarify usage text.
2035 * Revision 1.15 1998/08/12 00:16:46 rgb
2036 * Removed a lot of old cruft that was commented out.
2037 * Updated usage text.
2038 * Added config options for new xforms.
2040 * Revision 1.14 1998/08/05 22:24:45 rgb
2041 * Change includes to accommodate RH5.x
2043 * Revision 1.13 1998/07/29 21:41:17 rgb
2044 * Fix spi bug, add hexadecimal value entry debugging.
2046 * Revision 1.12 1998/07/28 00:14:24 rgb
2047 * Convert from positional parameters to long options.
2048 * Add --clean option.
2049 * Add hostname lookup support.
2051 * Revision 1.11 1998/07/14 18:15:55 rgb
2052 * Fix undetected bug using AH-SHA1 with manual keying: The key was
2053 * truncated by the data structure used to get it to the kernel.
2055 * Revision 1.10 1998/07/09 18:14:11 rgb
2056 * Added error checking to IP's and keys.
2057 * Made most error messages more specific rather than spamming usage text.
2058 * Added more descriptive kernel error return codes and messages.
2059 * Converted all spi translations to unsigned.
2060 * Removed all invocations of perror.
2062 * Revision 1.9 1998/06/30 18:04:31 rgb
2063 * Fix compiler warning: couldn't find 'struct option' prototype.
2065 * Revision 1.8 1998/06/11 05:40:04 rgb
2066 * Make usage text more concise WRT replay window sizes and defaults.
2067 * Make error reporting more concise WRT exact IV and key lengths supported
2070 * Revision 1.7 1998/06/08 17:54:58 rgb
2071 * Fixed string escape code in usage.
2073 * Revision 1.6 1998/06/05 02:22:49 rgb
2074 * Clarify usage text and update for key splitting and i/r removal.
2075 * Require keys of exact length.
2077 * Revision 1.5 1998/05/27 20:54:11 rgb
2078 * Added --help and --version directives. Separated auth and encr keys.
2080 * Revision 1.4 1998/05/18 21:12:13 rgb
2081 * Clean up debugging code, clean up after keys, cleaner options setting.
2083 * Revision 1.3 1998/05/06 03:37:11 rgb
2084 * Fixed incorrect signed interpretation of command line spi to unsigned long.
2085 * It prevented deletion of ~spi values generated by pluto.
2087 * Revision 1.2 1998/05/01 23:34:01 rgb
2088 * Clarified the usage text.
2090 * Revision 1.1.1.1 1998/04/08 05:35:10 henry
2091 * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
2093 * Revision 0.5 1997/06/03 04:31:55 ji
2094 * Added esp 3des-md5-96
2096 * Revision 0.4 1997/01/15 01:37:54 ji
2097 * New program in this release, replaces set* programs.