1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 * 21 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 22 */ 23 24 #include <unistd.h> 25 #include <stdio.h> 26 #include <stdarg.h> 27 #include <stdlib.h> 28 #include <sys/sysconf.h> 29 #include <string.h> 30 #include <strings.h> 31 #include <libintl.h> 32 #include <locale.h> 33 #include <ctype.h> 34 #include <time.h> 35 #include <sys/sysmacros.h> 36 #include <sys/stat.h> 37 #include <sys/mman.h> 38 #include <fcntl.h> 39 #include <sys/socket.h> 40 #include <netdb.h> 41 #include <errno.h> 42 #include <assert.h> 43 #include <netinet/in.h> 44 #include <arpa/inet.h> 45 #include <door.h> 46 #include <setjmp.h> 47 48 #include <ipsec_util.h> 49 #include <ikedoor.h> 50 51 static int doorfd = -1; 52 53 /* 54 * These are additional return values for the command line parsing 55 * function (parsecmd()). They are specific to this utility, but 56 * need to share the same space as the IKE_SVC_* defs, without conflicts. 57 * So they're defined relative to the end of that range. 58 */ 59 #define IKEADM_HELP_GENERAL IKE_SVC_MAX + 1 60 #define IKEADM_HELP_GET IKE_SVC_MAX + 2 61 #define IKEADM_HELP_SET IKE_SVC_MAX + 3 62 #define IKEADM_HELP_ADD IKE_SVC_MAX + 4 63 #define IKEADM_HELP_DEL IKE_SVC_MAX + 5 64 #define IKEADM_HELP_DUMP IKE_SVC_MAX + 6 65 #define IKEADM_HELP_FLUSH IKE_SVC_MAX + 7 66 #define IKEADM_HELP_READ IKE_SVC_MAX + 8 67 #define IKEADM_HELP_WRITE IKE_SVC_MAX + 9 68 #define IKEADM_HELP_TOKEN IKE_SVC_MAX + 10 69 #define IKEADM_HELP_HELP IKE_SVC_MAX + 11 70 #define IKEADM_EXIT IKE_SVC_MAX + 12 71 72 /* 73 * Disable default TAB completion for now (until some brave soul tackles it). 74 */ 75 /* ARGSUSED */ 76 static 77 CPL_MATCH_FN(no_match) 78 { 79 return (0); 80 } 81 82 static void 83 command_complete(int s) 84 { 85 if (interactive) { 86 longjmp(env, 1); 87 } else { 88 exit(s); 89 } 90 } 91 92 static void 93 usage() 94 { 95 if (!interactive) { 96 (void) fprintf(stderr, gettext("Usage:\t" 97 "ikeadm [ -hnp ] cmd obj [cmd-specific options]\n")); 98 (void) fprintf(stderr, gettext(" \tikeadm help\n")); 99 } else { 100 (void) fprintf(stderr, 101 gettext("\nType help for usage info\n")); 102 } 103 104 command_complete(1); 105 } 106 107 static void 108 print_help() 109 { 110 (void) printf(gettext("Valid commands and objects:\n")); 111 (void) printf( 112 "\tget debug|priv|stats|p1|rule|preshared|defaults [%s]\n", 113 gettext("identifier")); 114 (void) printf("\tset priv %s\n", gettext("level")); 115 (void) printf("\tset debug %s [%s]\n", 116 gettext("level"), gettext("filename")); 117 (void) printf("\tadd rule|preshared {%s}|%s\n", 118 gettext("definition"), gettext("filename")); 119 (void) printf("\tdel p1|rule|preshared %s\n", gettext("identifier")); 120 (void) printf("\tdump p1|rule|preshared|certcache|groups|" 121 "encralgs|authalgs\n"); 122 (void) printf("\tflush p1|certcache\n"); 123 (void) printf("\tread rule|preshared [%s]\n", gettext("filename")); 124 (void) printf("\twrite rule|preshared %s\n", gettext("filename")); 125 (void) printf("\ttoken <login|logout> %s\n", 126 gettext("<PKCS#11 Token Object>")); 127 (void) printf( 128 "\thelp [get|set|add|del|dump|flush|read|write|token|help]\n"); 129 (void) printf("\texit %s\n", gettext("exit the program")); 130 (void) printf("\tquit %s\n", gettext("exit the program")); 131 132 command_complete(0); 133 } 134 135 static void 136 print_get_help() 137 { 138 (void) printf( 139 gettext("This command gets information from in.iked.\n\n")); 140 (void) printf(gettext("Objects that may be retrieved include:\n")); 141 (void) printf("\tdebug\t\t"); 142 (void) printf(gettext("the current debug level\n")); 143 (void) printf("\tpriv\t\t"); 144 (void) printf(gettext("the current privilege level\n")); 145 (void) printf("\tstats\t\t"); 146 (void) printf(gettext("current usage statistics\n")); 147 (void) printf("\tp1\t\t"); 148 (void) printf(gettext("a phase 1 SA, identified by\n")); 149 (void) printf(gettext("\t\t\t local_ip remote_ip OR\n")); 150 (void) printf(gettext("\t\t\t init_cookie resp_cookie\n")); 151 (void) printf("\trule\t\t"); 152 (void) printf(gettext("a phase 1 rule, identified by its label\n")); 153 (void) printf("\tpreshared\t"); 154 (void) printf(gettext("a preshared key, identified by\n")); 155 (void) printf(gettext("\t\t\t local_ip remote_ip OR\n")); 156 (void) printf(gettext("\t\t\t local_id remote_id\n")); 157 (void) printf("\n"); 158 159 command_complete(0); 160 } 161 162 static void 163 print_set_help() 164 { 165 (void) printf(gettext("This command sets values in in.iked.\n\n")); 166 (void) printf(gettext("Objects that may be set include:\n")); 167 (void) printf("\tdebug\t\t"); 168 (void) printf(gettext("change the debug level\n")); 169 (void) printf("\tpriv\t\t"); 170 (void) printf( 171 gettext("change the privilege level (may only be lowered)\n")); 172 (void) printf("\n"); 173 174 command_complete(0); 175 } 176 177 static void 178 print_add_help() 179 { 180 (void) printf( 181 gettext("This command adds items to in.iked's tables.\n\n")); 182 (void) printf(gettext("Objects that may be set include:\n")); 183 (void) printf("\trule\t\t"); 184 (void) printf(gettext("a phase 1 policy rule\n")); 185 (void) printf("\tpreshared\t"); 186 (void) printf(gettext("a preshared key\n")); 187 (void) printf( 188 gettext("\nObjects may be entered on the command-line, as a\n")); 189 (void) printf( 190 gettext("series of keywords and tokens contained in curly\n")); 191 (void) printf( 192 gettext("braces ('{', '}'); or the name of a file containing\n")); 193 (void) printf(gettext("the object definition may be provided.\n\n")); 194 (void) printf( 195 gettext("For security purposes, preshared keys may only be\n")); 196 (void) printf( 197 gettext("entered on the command-line if ikeadm is running in\n")); 198 (void) printf(gettext("interactive mode.\n")); 199 (void) printf("\n"); 200 201 command_complete(0); 202 } 203 204 static void 205 print_del_help() 206 { 207 (void) printf( 208 gettext("This command deletes an item from in.iked's tables.\n\n")); 209 (void) printf(gettext("Objects that may be deleted include:\n")); 210 (void) printf("\tp1\t\t"); 211 (void) printf(gettext("a phase 1 SA, identified by\n")); 212 (void) printf(gettext("\t\t\t local_ip remote_ip OR\n")); 213 (void) printf(gettext("\t\t\t init_cookie resp_cookie\n")); 214 (void) printf("\trule\t\t"); 215 (void) printf(gettext("a phase 1 rule, identified by its label\n")); 216 (void) printf("\tpreshared\t"); 217 (void) printf(gettext("a preshared key, identified by\n")); 218 (void) printf(gettext("\t\t\t local_ip remote_ip OR\n")); 219 (void) printf(gettext("\t\t\t local_id remote_id\n")); 220 (void) printf("\n"); 221 222 command_complete(0); 223 } 224 225 static void 226 print_dump_help() 227 { 228 (void) printf( 229 gettext("This command dumps one of in.iked's tables.\n\n")); 230 (void) printf(gettext("Tables that may be dumped include:\n")); 231 (void) printf("\tp1\t\t"); 232 (void) printf(gettext("all phase 1 SAs\n")); 233 (void) printf("\trule\t\t"); 234 (void) printf(gettext("all phase 1 rules\n")); 235 (void) printf("\tpreshared\t"); 236 (void) printf(gettext("all preshared keys\n")); 237 (void) printf("\tcertcache\t"); 238 (void) printf(gettext("all cached certificates\n")); 239 (void) printf("\tgroups\t\t"); 240 (void) printf(gettext("all implemented Diffie-Hellman groups\n")); 241 (void) printf("\tencralgs\t"); 242 (void) printf(gettext("all encryption algorithms for IKE\n")); 243 (void) printf("\tauthalgs\t"); 244 (void) printf(gettext("all authentication algorithms IKE\n")); 245 (void) printf("\n"); 246 247 command_complete(0); 248 } 249 250 static void 251 print_flush_help() 252 { 253 (void) printf( 254 gettext("This command clears one of in.iked's tables.\n\n")); 255 (void) printf(gettext("Tables that may be flushed include:\n")); 256 (void) printf("\tp1\t\t"); 257 (void) printf(gettext("all phase 1 SAs\n")); 258 (void) printf("\tcertcache\t"); 259 (void) printf(gettext("all cached certificates\n")); 260 (void) printf("\n"); 261 262 command_complete(0); 263 } 264 265 static void 266 print_read_help() 267 { 268 (void) printf( 269 gettext("This command reads a new configuration file into\n")); 270 (void) printf( 271 gettext("in.iked, discarding the old configuration info.\n\n")); 272 (void) printf(gettext("Sets of data that may be read include:\n")); 273 (void) printf("\trule\t\t"); 274 (void) printf(gettext("all phase 1 rules\n")); 275 (void) printf("\tpreshared\t"); 276 (void) printf(gettext("all preshared keys\n\n")); 277 (void) printf( 278 gettext("A filename may be provided to specify a source file\n")); 279 (void) printf(gettext("other than the default.\n")); 280 (void) printf("\n"); 281 282 command_complete(0); 283 } 284 285 static void 286 print_write_help() 287 { 288 (void) printf( 289 gettext("This command writes in.iked's current configuration\n")); 290 (void) printf(gettext("out to a config file.\n\n")); 291 (void) printf(gettext("Sets of data that may be written include:\n")); 292 (void) printf("\trule\t\t"); 293 (void) printf(gettext("all phase 1 rules\n")); 294 (void) printf("\tpreshared\t"); 295 (void) printf(gettext("all preshared keys\n\n")); 296 (void) printf( 297 gettext("A filename must be provided to specify the file to\n")); 298 (void) printf(gettext("which the information should be written.\n")); 299 (void) printf("\n"); 300 301 command_complete(0); 302 } 303 304 static void 305 print_token_help() 306 { 307 (void) printf(gettext( 308 "This command logs IKE into and out of PKCS#11 tokens.\n\n")); 309 (void) printf(gettext("Commands include:\n")); 310 (void) printf("\tlogin <PKCS#11 Token Object>\t"); 311 (void) printf(gettext("log into token\n")); 312 (void) printf("\tlogout <PKCS#11 Token Object>\t"); 313 (void) printf(gettext("log out of token\n\n")); 314 (void) printf( 315 gettext("The PKCS#11 Token Object name must be " 316 "enclosed in quotation marks.\n")); 317 (void) printf("\n"); 318 319 command_complete(0); 320 } 321 322 static void 323 print_help_help() 324 { 325 (void) printf( 326 gettext("This command provides information about commands.\n\n")); 327 (void) printf( 328 gettext("The 'help' command alone provides a list of valid\n")); 329 (void) printf( 330 gettext("commands, along with the valid objects for each.\n")); 331 (void) printf( 332 gettext("'help' followed by a valid command name provides\n")); 333 (void) printf(gettext("further information about that command.\n")); 334 (void) printf("\n"); 335 336 command_complete(0); 337 } 338 339 /*PRINTFLIKE1*/ 340 static void 341 message(char *fmt, ...) 342 { 343 va_list ap; 344 char msgbuf[BUFSIZ]; 345 346 va_start(ap, fmt); 347 (void) vsnprintf(msgbuf, BUFSIZ, fmt, ap); 348 (void) fprintf(stderr, gettext("ikeadm: %s\n"), msgbuf); 349 va_end(ap); 350 } 351 352 static int 353 open_door(void) 354 { 355 if (doorfd >= 0) 356 (void) close(doorfd); 357 doorfd = open(DOORNM, O_RDONLY); 358 return (doorfd); 359 } 360 361 static ike_service_t * 362 ikedoor_call(char *reqp, int size, door_desc_t *descp, int ndesc) 363 { 364 door_arg_t arg; 365 int retries = 0; 366 367 arg.data_ptr = reqp; 368 arg.data_size = size; 369 arg.desc_ptr = descp; 370 arg.desc_num = ndesc; 371 arg.rbuf = (char *)NULL; 372 arg.rsize = 0; 373 374 retry: 375 if (door_call(doorfd, &arg) < 0) { 376 if ((errno == EBADF) && ((++retries < 2) && 377 (open_door() >= 0))) 378 goto retry; 379 (void) fprintf(stderr, 380 gettext("Unable to communicate with in.iked\n")); 381 Bail("door_call failed"); 382 } 383 384 if ((ndesc > 0) && (descp->d_attributes & DOOR_RELEASE) && 385 ((errno == EBADF) || (errno == EFAULT))) { 386 /* callers assume passed fds will be closed no matter what */ 387 (void) close(descp->d_data.d_desc.d_descriptor); 388 } 389 390 /* LINTED E_BAD_PTR_CAST_ALIGN */ 391 return ((ike_service_t *)arg.rbuf); 392 } 393 394 /* 395 * Parsing functions 396 */ 397 398 /* stolen from ipseckey.c, with a second tier added */ 399 static int 400 parsecmd(char *cmdstr, char *objstr) 401 { 402 #define MAXOBJS 11 403 struct objtbl { 404 char *obj; 405 int token; 406 }; 407 static struct cmdtbl { 408 char *cmd; 409 int null_obj_token; 410 struct objtbl objt[MAXOBJS]; 411 } table[] = { 412 {"get", IKE_SVC_ERROR, { 413 {"debug", IKE_SVC_GET_DBG}, 414 {"priv", IKE_SVC_GET_PRIV}, 415 {"stats", IKE_SVC_GET_STATS}, 416 {"p1", IKE_SVC_GET_P1}, 417 {"rule", IKE_SVC_GET_RULE}, 418 {"preshared", IKE_SVC_GET_PS}, 419 {"defaults", IKE_SVC_GET_DEFS}, 420 {NULL, IKE_SVC_ERROR} 421 } 422 }, 423 {"set", IKE_SVC_ERROR, { 424 {"debug", IKE_SVC_SET_DBG}, 425 {"priv", IKE_SVC_SET_PRIV}, 426 {NULL, IKE_SVC_ERROR} 427 } 428 }, 429 {"token", IKE_SVC_ERROR, { 430 {"login", IKE_SVC_SET_PIN}, 431 {"logout", IKE_SVC_DEL_PIN}, 432 {NULL, IKE_SVC_ERROR}, 433 } 434 }, 435 {"add", IKE_SVC_ERROR, { 436 {"rule", IKE_SVC_NEW_RULE}, 437 {"preshared", IKE_SVC_NEW_PS}, 438 {NULL, IKE_SVC_ERROR} 439 } 440 }, 441 {"del", IKE_SVC_ERROR, { 442 {"p1", IKE_SVC_DEL_P1}, 443 {"rule", IKE_SVC_DEL_RULE}, 444 {"preshared", IKE_SVC_DEL_PS}, 445 {NULL, IKE_SVC_ERROR} 446 } 447 }, 448 {"dump", IKE_SVC_ERROR, { 449 {"p1", IKE_SVC_DUMP_P1S}, 450 {"rule", IKE_SVC_DUMP_RULES}, 451 {"preshared", IKE_SVC_DUMP_PS}, 452 {"certcache", IKE_SVC_DUMP_CERTCACHE}, 453 {"groups", IKE_SVC_DUMP_GROUPS}, 454 {"encralgs", IKE_SVC_DUMP_ENCRALGS}, 455 {"authalgs", IKE_SVC_DUMP_AUTHALGS}, 456 {NULL, IKE_SVC_ERROR} 457 } 458 }, 459 {"flush", IKE_SVC_ERROR, { 460 {"p1", IKE_SVC_FLUSH_P1S}, 461 {"certcache", IKE_SVC_FLUSH_CERTCACHE}, 462 {NULL, IKE_SVC_ERROR} 463 } 464 }, 465 {"read", IKE_SVC_ERROR, { 466 {"rule", IKE_SVC_READ_RULES}, 467 {"preshared", IKE_SVC_READ_PS}, 468 {NULL, IKE_SVC_ERROR} 469 } 470 }, 471 {"write", IKE_SVC_ERROR, { 472 {"rule", IKE_SVC_WRITE_RULES}, 473 {"preshared", IKE_SVC_WRITE_PS}, 474 {NULL, IKE_SVC_ERROR} 475 } 476 }, 477 {"help", IKEADM_HELP_GENERAL, { 478 {"get", IKEADM_HELP_GET}, 479 {"set", IKEADM_HELP_SET}, 480 {"add", IKEADM_HELP_ADD}, 481 {"del", IKEADM_HELP_DEL}, 482 {"dump", IKEADM_HELP_DUMP}, 483 {"flush", IKEADM_HELP_FLUSH}, 484 {"read", IKEADM_HELP_READ}, 485 {"write", IKEADM_HELP_WRITE}, 486 {"token", IKEADM_HELP_TOKEN}, 487 {"help", IKEADM_HELP_HELP}, 488 {NULL, IKE_SVC_ERROR} 489 } 490 }, 491 {"exit", IKEADM_EXIT, { 492 {NULL, IKE_SVC_ERROR} 493 } 494 }, 495 {"quit", IKEADM_EXIT, { 496 {NULL, IKE_SVC_ERROR} 497 } 498 }, 499 {"dbg", IKE_SVC_ERROR, { 500 {"rbdump", IKE_SVC_DBG_RBDUMP}, 501 {NULL, IKE_SVC_ERROR} 502 } 503 }, 504 {NULL, IKE_SVC_ERROR, { 505 {NULL, IKE_SVC_ERROR} 506 } 507 } 508 }; 509 struct cmdtbl *ct = table; 510 struct objtbl *ot; 511 512 if (cmdstr == NULL) { 513 return (IKE_SVC_ERROR); 514 } 515 516 while (ct->cmd != NULL && strcmp(ct->cmd, cmdstr) != 0) 517 ct++; 518 ot = ct->objt; 519 520 if (ct->cmd == NULL) { 521 message(gettext("Unrecognized command '%s'"), cmdstr); 522 return (ot->token); 523 } 524 525 if (objstr == NULL) { 526 return (ct->null_obj_token); 527 } 528 529 while (ot->obj != NULL && strcmp(ot->obj, objstr) != 0) 530 ot++; 531 532 if (ot->obj == NULL) 533 message(gettext("Unrecognized object '%s'"), objstr); 534 535 return (ot->token); 536 } 537 538 /* 539 * Parsing functions: 540 * Parse command-line identification info. All return -1 on failure, 541 * or the number of cmd-line args "consumed" on success (though argc 542 * and argv params are not actually modified). 543 */ 544 545 static int 546 parse_label(int argc, char **argv, char *label) 547 { 548 if ((argc < 1) || (argv == NULL)) 549 return (-1); 550 551 if (strlcpy(label, argv[0], MAX_LABEL_LEN) >= MAX_LABEL_LEN) 552 return (-1); 553 554 return (1); 555 } 556 557 /* 558 * Parse a PKCS#11 token get the label. 559 */ 560 static int 561 parse_token(int argc, char **argv, char *token_label) 562 { 563 if ((argc < 1) || (argv == NULL)) 564 return (-1); 565 566 if (strlcpy(token_label, argv[0], PKCS11_TOKSIZE) >= PKCS11_TOKSIZE) 567 return (-1); 568 569 return (0); 570 } 571 572 /* 573 * Parse an address off the command line. In the hpp param, either 574 * return a hostent pointer (caller frees) or a pointer to a dummy_he_t 575 * (must also be freed by the caller; both cases are handled by the 576 * macro FREE_HE). The new getipnodebyname() call does the Right Thing 577 * (TM), even with raw addresses (colon-separated IPv6 or dotted decimal 578 * IPv4). 579 * (mostly stolen from ipseckey.c, though some tweaks were made 580 * to better serve our purposes here.) 581 */ 582 583 typedef struct { 584 struct hostent he; 585 char *addtl[2]; 586 } dummy_he_t; 587 588 static int 589 parse_addr(int argc, char **argv, struct hostent **hpp) 590 { 591 int hp_errno; 592 struct hostent *hp = NULL; 593 dummy_he_t *dhp; 594 char *addr1; 595 596 if ((argc < 1) || (argv == NULL) || (argv[0] == NULL)) 597 return (-1); 598 599 if (!nflag) { 600 /* 601 * Try name->address first. Assume AF_INET6, and 602 * get IPV4s, plus IPv6s iff IPv6 is configured. 603 */ 604 hp = getipnodebyname(argv[0], AF_INET6, AI_DEFAULT | AI_ALL, 605 &hp_errno); 606 } else { 607 /* 608 * Try a normal address conversion only. malloc a 609 * dummy_he_t to construct a fake hostent. Caller 610 * will know to free this one using free_he(). 611 */ 612 dhp = (dummy_he_t *)malloc(sizeof (dummy_he_t)); 613 addr1 = (char *)malloc(sizeof (struct in6_addr)); 614 if (inet_pton(AF_INET6, argv[0], addr1) == 1) { 615 dhp->he.h_addr_list = dhp->addtl; 616 dhp->addtl[0] = addr1; 617 dhp->addtl[1] = NULL; 618 hp = &dhp->he; 619 dhp->he.h_addrtype = AF_INET6; 620 dhp->he.h_length = sizeof (struct in6_addr); 621 } else if (inet_pton(AF_INET, argv[0], addr1) == 1) { 622 dhp->he.h_addr_list = dhp->addtl; 623 dhp->addtl[0] = addr1; 624 dhp->addtl[1] = NULL; 625 hp = &dhp->he; 626 dhp->he.h_addrtype = AF_INET; 627 dhp->he.h_length = sizeof (struct in_addr); 628 } else { 629 hp = NULL; 630 } 631 } 632 633 *hpp = hp; 634 635 if (hp == NULL) { 636 message(gettext("Unknown address %s."), argv[0]); 637 return (-1); 638 } 639 640 return (1); 641 } 642 643 /* 644 * Free a dummy_he_t structure that was malloc'd in parse_addr(). 645 * Unfortunately, callers of parse_addr don't want to know about 646 * dummy_he_t structs, so all they have is a pointer to the struct 647 * hostent; so that's what's passed in. To manage this, we make 648 * the assumption that the struct hostent is the first field in 649 * the dummy_he_t, and therefore a pointer to it is a pointer to 650 * the dummy_he_t. 651 */ 652 static void 653 free_he(struct hostent *hep) 654 { 655 dummy_he_t *p = (dummy_he_t *)hep; 656 657 assert(p != NULL); 658 659 if (p->addtl[0]) 660 free(p->addtl[0]); 661 if (p->addtl[1]) 662 free(p->addtl[1]); 663 664 free(p); 665 } 666 667 #define FREE_HE(x) \ 668 if (nflag) \ 669 free_he(x); \ 670 else \ 671 freehostent(x) 672 673 static void 674 headdr2sa(char *hea, struct sockaddr_storage *sa, int len) 675 { 676 struct sockaddr_in *sin; 677 struct sockaddr_in6 *sin6; 678 679 if (len == sizeof (struct in6_addr)) { 680 /* LINTED E_BAD_PTR_CAST_ALIGN */ 681 if (IN6_IS_ADDR_V4MAPPED((struct in6_addr *)hea)) { 682 sin = (struct sockaddr_in *)sa; 683 (void) memset(sin, 0, sizeof (*sin)); 684 /* LINTED E_BAD_PTR_CAST_ALIGN */ 685 IN6_V4MAPPED_TO_INADDR((struct in6_addr *)hea, 686 &sin->sin_addr); 687 sin->sin_family = AF_INET; 688 } else { 689 sin6 = (struct sockaddr_in6 *)sa; 690 (void) memset(sin6, 0, sizeof (*sin6)); 691 (void) memcpy(&sin6->sin6_addr, hea, 692 sizeof (struct in6_addr)); 693 sin6->sin6_family = AF_INET6; 694 } 695 } else { 696 sin = (struct sockaddr_in *)sa; 697 (void) memset(sin, 0, sizeof (*sin)); 698 (void) memcpy(&sin->sin_addr, hea, sizeof (struct in_addr)); 699 sin->sin_family = AF_INET; 700 } 701 } 702 703 /* 704 * The possible ident-type keywords that might be used on the command 705 * line. This is a superset of the ones supported by ipseckey, those 706 * in the ike config file, and those in ike.preshared. 707 */ 708 static keywdtab_t idtypes[] = { 709 /* ip, ipv4, and ipv6 are valid for preshared keys... */ 710 {SADB_IDENTTYPE_RESERVED, "ip"}, 711 {SADB_IDENTTYPE_RESERVED, "ipv4"}, 712 {SADB_IDENTTYPE_RESERVED, "ipv6"}, 713 {SADB_IDENTTYPE_PREFIX, "prefix"}, 714 {SADB_IDENTTYPE_PREFIX, "ipv4-prefix"}, 715 {SADB_IDENTTYPE_PREFIX, "ipv6-prefix"}, 716 {SADB_IDENTTYPE_PREFIX, "subnet"}, 717 {SADB_IDENTTYPE_PREFIX, "subnetv4"}, 718 {SADB_IDENTTYPE_PREFIX, "subnetv6"}, 719 {SADB_IDENTTYPE_FQDN, "fqdn"}, 720 {SADB_IDENTTYPE_FQDN, "dns"}, 721 {SADB_IDENTTYPE_FQDN, "domain"}, 722 {SADB_IDENTTYPE_FQDN, "domainname"}, 723 {SADB_IDENTTYPE_USER_FQDN, "user_fqdn"}, 724 {SADB_IDENTTYPE_USER_FQDN, "mbox"}, 725 {SADB_IDENTTYPE_USER_FQDN, "mailbox"}, 726 {SADB_X_IDENTTYPE_DN, "dn"}, 727 {SADB_X_IDENTTYPE_DN, "asn1dn"}, 728 {SADB_X_IDENTTYPE_GN, "gn"}, 729 {SADB_X_IDENTTYPE_GN, "asn1gn"}, 730 {SADB_X_IDENTTYPE_ADDR_RANGE, "ipv4-range"}, 731 {SADB_X_IDENTTYPE_ADDR_RANGE, "ipv6-range"}, 732 {SADB_X_IDENTTYPE_ADDR_RANGE, "rangev4"}, 733 {SADB_X_IDENTTYPE_ADDR_RANGE, "rangev6"}, 734 {SADB_X_IDENTTYPE_KEY_ID, "keyid"}, 735 {NULL, 0} 736 }; 737 738 static int 739 parse_idtype(char *type, uint16_t *idnum) 740 { 741 keywdtab_t *idp; 742 743 if (type == NULL) 744 return (-1); 745 746 for (idp = idtypes; idp->kw_str != NULL; idp++) { 747 if (strcasecmp(idp->kw_str, type) == 0) { 748 if (idnum != NULL) 749 *idnum = idp->kw_tag; 750 return (1); 751 } 752 } 753 754 return (-1); 755 } 756 757 /* 758 * The sadb_ident_t is malloc'd, since its length varies; 759 * so the caller must free() it when done with the data. 760 */ 761 static int 762 parse_ident(int argc, char **argv, sadb_ident_t **idpp) 763 { 764 int alloclen, consumed; 765 sadb_ident_t *idp; 766 if ((argc < 2) || (argv == NULL) || (argv[0] == NULL) || 767 (argv[1] == NULL)) 768 return (-1); 769 770 alloclen = sizeof (sadb_ident_t) + IKEDOORROUNDUP(strlen(argv[1]) + 1); 771 *idpp = idp = (sadb_ident_t *)malloc(alloclen); 772 if (idp == NULL) 773 Bail("parsing identity"); 774 775 if ((consumed = parse_idtype(argv[0], &idp->sadb_ident_type)) < 0) { 776 message(gettext("unknown identity type %s."), argv[0]); 777 return (-1); 778 } 779 780 idp->sadb_ident_len = SADB_8TO64(alloclen); 781 idp->sadb_ident_reserved = 0; 782 idp->sadb_ident_id = 0; 783 784 /* now copy in identity param */ 785 (void) strlcpy((char *)(idp + 1), argv[1], 786 alloclen - (sizeof (sadb_ident_t))); 787 788 return (++consumed); 789 } 790 791 static int 792 parse_cky(int argc, char **argv, uint64_t *ckyp) 793 { 794 u_longlong_t arg; 795 796 if ((argc < 1) || (argv[0] == NULL)) 797 return (-1); 798 799 errno = 0; 800 arg = strtoull(argv[0], NULL, 0); 801 if (errno != 0) { 802 message(gettext("failed to parse cookie %s."), argv[0]); 803 return (-1); 804 } 805 806 *ckyp = (uint64_t)arg; 807 808 return (1); 809 } 810 811 static int 812 parse_addr_pr(int argc, char **argv, struct hostent **h1pp, 813 struct hostent **h2pp) 814 { 815 int rtn, consumed = 0; 816 817 if ((rtn = parse_addr(argc, argv, h1pp)) < 0) { 818 return (-1); 819 } 820 consumed = rtn; 821 argc -= rtn; 822 argv += rtn; 823 824 if ((rtn = parse_addr(argc, argv, h2pp)) < 0) { 825 FREE_HE(*h1pp); 826 return (-1); 827 } 828 consumed += rtn; 829 830 return (consumed); 831 } 832 833 /* 834 * The sadb_ident_ts are malloc'd, since their length varies; 835 * so the caller must free() them when done with the data. 836 */ 837 static int 838 parse_ident_pr(int argc, char **argv, sadb_ident_t **id1pp, 839 sadb_ident_t **id2pp) 840 { 841 int rtn, consumed = 0; 842 843 if ((rtn = parse_ident(argc, argv, id1pp)) < 0) { 844 return (-1); 845 } 846 consumed = rtn; 847 argc -= rtn; 848 argv += rtn; 849 850 (*id1pp)->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 851 852 if ((rtn = parse_ident(argc, argv, id2pp)) < 0) { 853 free(*id1pp); 854 return (-1); 855 } 856 consumed += rtn; 857 858 (*id2pp)->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 859 860 return (consumed); 861 } 862 863 static int 864 parse_cky_pr(int argc, char **argv, ike_cky_pr_t *cpr) 865 { 866 int rtn, consumed = 0; 867 868 if ((rtn = parse_cky(argc, argv, &cpr->cky_i)) < 0) { 869 return (-1); 870 } 871 consumed = rtn; 872 argc -= rtn; 873 argv += rtn; 874 875 if ((rtn = parse_cky(argc, argv, &cpr->cky_r)) < 0) { 876 return (-1); 877 } 878 consumed += rtn; 879 880 return (consumed); 881 } 882 883 /* 884 * Preshared key field types...used for parsing preshared keys that 885 * have been entered on the command line. The code to parse preshared 886 * keys (parse_ps, parse_key, parse_psfldid, parse_ikmtype, ...) is 887 * mostly duplicated from in.iked's readps.c. 888 */ 889 #define PSFLD_LOCID 1 890 #define PSFLD_LOCIDTYPE 2 891 #define PSFLD_REMID 3 892 #define PSFLD_REMIDTYPE 4 893 #define PSFLD_MODE 5 894 #define PSFLD_KEY 6 895 896 static keywdtab_t psfldtypes[] = { 897 {PSFLD_LOCID, "localid"}, 898 {PSFLD_LOCIDTYPE, "localidtype"}, 899 {PSFLD_REMID, "remoteid"}, 900 {PSFLD_REMIDTYPE, "remoteidtype"}, 901 {PSFLD_MODE, "ike_mode"}, 902 {PSFLD_KEY, "key"}, 903 {NULL, 0} 904 }; 905 906 static int 907 parse_psfldid(char *type, uint16_t *idnum) 908 { 909 keywdtab_t *pfp; 910 911 if (type == NULL) 912 return (-1); 913 914 for (pfp = psfldtypes; pfp->kw_str != NULL; pfp++) { 915 if (strcasecmp(pfp->kw_str, type) == 0) { 916 if (idnum != NULL) 917 *idnum = pfp->kw_tag; 918 return (1); 919 } 920 } 921 922 return (-1); 923 } 924 925 static keywdtab_t ikemodes[] = { 926 {IKE_XCHG_IDENTITY_PROTECT, "main"}, 927 {IKE_XCHG_AGGRESSIVE, "aggressive"}, 928 {IKE_XCHG_IP_AND_AGGR, "both"}, 929 {NULL, 0} 930 }; 931 932 static int 933 parse_ikmtype(char *mode, uint16_t *modenum) 934 { 935 keywdtab_t *ikmp; 936 937 if (mode == NULL) 938 return (-1); 939 940 for (ikmp = ikemodes; ikmp->kw_str != NULL; ikmp++) { 941 if (strcasecmp(ikmp->kw_str, mode) == 0) { 942 if (modenum != NULL) 943 *modenum = ikmp->kw_tag; 944 return (1); 945 } 946 } 947 948 return (-1); 949 } 950 951 #define hd2num(hd) (((hd) >= '0' && (hd) <= '9') ? ((hd) - '0') : \ 952 (((hd) >= 'a' && (hd) <= 'f') ? ((hd) - 'a' + 10) : ((hd) - 'A' + 10))) 953 954 static uint8_t * 955 parse_key(char *input, uint_t *keybuflen, uint_t *lbits) 956 { 957 uint8_t *keyp, *keybufp; 958 uint_t i, hexlen = 0, bits, alloclen; 959 960 for (i = 0; input[i] != '\0' && input[i] != '/'; i++) 961 hexlen++; 962 963 if (input[i] == '\0') { 964 bits = 0; 965 } else { 966 /* Have /nn. */ 967 input[i] = '\0'; 968 if (sscanf((input + i + 1), "%u", &bits) != 1) 969 return (NULL); 970 971 /* hexlen is in nibbles */ 972 if (((bits + 3) >> 2) > hexlen) 973 return (NULL); 974 975 /* 976 * Adjust hexlen down if user gave us too small of a bit 977 * count. 978 */ 979 if ((hexlen << 2) > bits + 3) { 980 hexlen = (bits + 3) >> 2; 981 input[hexlen] = '\0'; 982 } 983 } 984 985 /* 986 * Allocate. Remember, hexlen is in nibbles. 987 */ 988 989 alloclen = (hexlen/2 + (hexlen & 0x1)); 990 keyp = malloc(alloclen); 991 992 if (keyp == NULL) 993 return (NULL); 994 995 keybufp = keyp; 996 *keybuflen = alloclen; 997 if (bits == 0) 998 *lbits = (hexlen + (hexlen & 0x1)) << 2; 999 else 1000 *lbits = bits; 1001 1002 /* 1003 * Read in nibbles. Read in odd-numbered as shifted high. 1004 * (e.g. 123 becomes 0x1230). 1005 */ 1006 for (i = 0; input[i] != '\0'; i += 2) { 1007 boolean_t second = (input[i + 1] != '\0'); 1008 1009 if (!isxdigit(input[i]) || 1010 (!isxdigit(input[i + 1]) && second)) { 1011 free(keyp); 1012 return (NULL); 1013 } 1014 *keyp = (hd2num(input[i]) << 4); 1015 if (second) 1016 *keyp |= hd2num(input[i + 1]); 1017 else 1018 break; /* out of for loop. */ 1019 keyp++; 1020 } 1021 1022 /* zero the remaining bits if we're a non-octet amount. */ 1023 if (bits & 0x7) 1024 *((input[i] == '\0') ? keyp - 1 : keyp) &= 1025 0xff << (8 - (bits & 0x7)); 1026 return (keybufp); 1027 } 1028 1029 /* 1030 * the ike_ps_t struct (plus trailing data) will be allocated here, 1031 * so it will need to be freed by the caller. 1032 */ 1033 static int 1034 parse_ps(int argc, char **argv, ike_ps_t **presharedpp, int *len) 1035 { 1036 uint_t c = 0, locidlen, remidlen, keylen, keybits; 1037 uint_t a_locidtotal = 0, a_remidtotal = 0; 1038 char *locid, *remid, *locpfx = NULL, *rempfx = NULL; 1039 uint8_t *keyp = NULL; 1040 uint16_t fldid, locidtype, remidtype, mtype; 1041 struct hostent *loche = NULL, *remhe = NULL; 1042 ike_ps_t *psp = NULL; 1043 sadb_ident_t *sidp; 1044 boolean_t whacked = B_FALSE; 1045 int pfxlen = 0; 1046 1047 if ((argv[c] == NULL) || (argv[c][0] != '{')) 1048 return (-1); 1049 if (argv[c][1] != 0) { 1050 /* no space between '{' and first token */ 1051 argv[c]++; 1052 } else { 1053 c++; 1054 } 1055 if ((argv[argc - 1][strlen(argv[argc - 1]) - 1] == '}') && 1056 (argv[argc - 1][0] != '}')) { 1057 /* 1058 * whack '}' without a space before it or parsers break. 1059 * Remember this trailing character for later 1060 */ 1061 argv[argc - 1][strlen(argv[argc - 1]) - 1] = '\0'; 1062 whacked = B_TRUE; 1063 } 1064 1065 /* Default to type IP */ 1066 locidtype = remidtype = SADB_IDENTTYPE_RESERVED; 1067 /* Default to base exchanges */ 1068 mtype = IKE_XCHG_BASE; 1069 1070 while ((c < argc) && (argv[c] != NULL) && (argv[c][0] != '}')) { 1071 if ((argv[c + 1] == NULL) || (argv[c + 1][0] == '}')) 1072 goto bail; 1073 if (parse_psfldid(argv[c++], &fldid) < 0) 1074 goto bail; 1075 switch (fldid) { 1076 case PSFLD_LOCID: 1077 locid = argv[c++]; 1078 locidlen = strlen(locid) + 1; 1079 break; 1080 case PSFLD_LOCIDTYPE: 1081 if (parse_idtype(argv[c++], &locidtype) < 0) 1082 goto bail; 1083 break; 1084 case PSFLD_REMID: 1085 remid = argv[c++]; 1086 remidlen = strlen(remid) + 1; 1087 break; 1088 case PSFLD_REMIDTYPE: 1089 if (parse_idtype(argv[c++], &remidtype) < 0) 1090 goto bail; 1091 break; 1092 case PSFLD_MODE: 1093 if (parse_ikmtype(argv[c++], &mtype) < 0) 1094 goto bail; 1095 break; 1096 case PSFLD_KEY: 1097 keyp = parse_key(argv[c++], &keylen, &keybits); 1098 if (keyp == NULL) 1099 goto bail; 1100 break; 1101 } 1102 } 1103 1104 /* Make sure the line was terminated with '}' */ 1105 if (argv[c] == NULL) { 1106 if (!whacked) 1107 goto bail; 1108 } else if (argv[c][0] != '}') { 1109 goto bail; 1110 } 1111 1112 /* 1113 * make sure we got all the required fields. If no idtype, assume 1114 * ip addr; if that translation fails, we'll catch the error then. 1115 */ 1116 if (locid == NULL || remid == NULL || keyp == NULL || mtype == 0) 1117 goto bail; 1118 1119 /* figure out the size buffer we need */ 1120 *len = sizeof (ike_ps_t); 1121 if (locidtype != SADB_IDENTTYPE_RESERVED) { 1122 a_locidtotal = IKEDOORROUNDUP(sizeof (sadb_ident_t) + locidlen); 1123 *len += a_locidtotal; 1124 } 1125 if (remidtype != SADB_IDENTTYPE_RESERVED) { 1126 a_remidtotal = IKEDOORROUNDUP(sizeof (sadb_ident_t) + remidlen); 1127 *len += a_remidtotal; 1128 } 1129 *len += keylen; 1130 1131 psp = malloc(*len); 1132 if (psp == NULL) 1133 goto bail; 1134 (void) memset(psp, 0, *len); 1135 1136 psp->ps_ike_mode = mtype; 1137 1138 psp->ps_localid_off = sizeof (ike_ps_t); 1139 if (locidtype == SADB_IDENTTYPE_RESERVED) { 1140 locpfx = strchr(locid, '/'); 1141 if (locpfx != NULL) { 1142 *locpfx = '\0'; 1143 locpfx++; 1144 } 1145 1146 /* 1147 * this is an ip address, store in the sockaddr field; 1148 * we won't use an sadb_ident_t. 1149 */ 1150 psp->ps_localid_len = 0; 1151 if (parse_addr(1, &locid, &loche) < 0) 1152 goto bail; 1153 if (loche->h_addr_list[1] != NULL) { 1154 message(gettext("preshared key identifier cannot " 1155 "match multiple IP addresses")); 1156 goto bail; 1157 } 1158 headdr2sa(loche->h_addr_list[0], &psp->ps_ipaddrs.loc_addr, 1159 loche->h_length); 1160 FREE_HE(loche); 1161 } else { 1162 psp->ps_localid_len = sizeof (sadb_ident_t) + locidlen; 1163 sidp = (sadb_ident_t *)((int)psp + psp->ps_localid_off); 1164 sidp->sadb_ident_len = psp->ps_localid_len; 1165 sidp->sadb_ident_type = locidtype; 1166 (void) strlcpy((char *)(sidp + 1), locid, a_locidtotal); 1167 } 1168 1169 psp->ps_remoteid_off = psp->ps_localid_off + a_locidtotal; 1170 if (remidtype == SADB_IDENTTYPE_RESERVED) { 1171 rempfx = strchr(remid, '/'); 1172 if (rempfx != NULL) { 1173 *rempfx = '\0'; 1174 rempfx++; 1175 } 1176 1177 /* 1178 * this is an ip address, store in the sockaddr field; 1179 * we won't use an sadb_ident_t. 1180 */ 1181 psp->ps_remoteid_len = 0; 1182 if (parse_addr(1, &remid, &remhe) < 0) 1183 goto bail; 1184 if (remhe->h_addr_list[1] != NULL) { 1185 message(gettext("preshared key identifier cannot " 1186 "match multiple IP addresses")); 1187 goto bail; 1188 } 1189 headdr2sa(remhe->h_addr_list[0], &psp->ps_ipaddrs.rem_addr, 1190 remhe->h_length); 1191 FREE_HE(remhe); 1192 } else { 1193 /* make sure we have at least 16-bit alignment */ 1194 if (remidlen & 0x1) 1195 remidlen++; 1196 psp->ps_remoteid_len = sizeof (sadb_ident_t) + remidlen; 1197 sidp = (sadb_ident_t *)((int)psp + psp->ps_remoteid_off); 1198 sidp->sadb_ident_len = psp->ps_remoteid_len; 1199 sidp->sadb_ident_type = remidtype; 1200 (void) strlcpy((char *)(sidp + 1), remid, a_remidtotal); 1201 } 1202 1203 psp->ps_key_off = psp->ps_remoteid_off + a_remidtotal; 1204 psp->ps_key_len = keylen; 1205 psp->ps_key_bits = keybits; 1206 (void) memcpy((uint8_t *)((int)psp + psp->ps_key_off), keyp, keylen); 1207 if (locpfx != NULL && ((pfxlen = atoi(locpfx)) > 0)) 1208 psp->ps_localid_plen = pfxlen; 1209 if (rempfx != NULL && ((pfxlen = atoi(rempfx)) > 0)) 1210 psp->ps_remoteid_plen = pfxlen; 1211 1212 *presharedpp = psp; 1213 1214 return (c); 1215 1216 bail: 1217 if (loche != NULL) 1218 FREE_HE(loche); 1219 if (remhe != NULL) 1220 FREE_HE(remhe); 1221 if (keyp != NULL) 1222 free(keyp); 1223 if (psp != NULL) 1224 free(psp); 1225 1226 *presharedpp = NULL; 1227 1228 return (-1); 1229 } 1230 1231 /* 1232 * Printing functions 1233 * 1234 * A potential point of confusion here is that the ikeadm-specific string- 1235 * producing functions do not match the ipsec_util.c versions in style: the 1236 * ikeadm-specific functions return a string (and are named foostr), while 1237 * the ipsec_util.c functions actually print the string to the file named 1238 * in the second arg to the function (and are named dump_foo). 1239 * 1240 * Localization for ikeadm seems more straightforward when complete 1241 * phrases are translated rather than: a part of a phrase, a call to 1242 * dump_foo(), and more of the phrase. It could also accommodate 1243 * non-English grammar more easily. 1244 */ 1245 1246 static char * 1247 errstr(int err) 1248 { 1249 static char rtn[MAXLINESIZE]; 1250 1251 switch (err) { 1252 case IKE_ERR_NO_OBJ: 1253 return (gettext("No data returned")); 1254 case IKE_ERR_NO_DESC: 1255 return (gettext("No destination provided")); 1256 case IKE_ERR_ID_INVALID: 1257 return (gettext("Id info invalid")); 1258 case IKE_ERR_LOC_INVALID: 1259 return (gettext("Destination invalid")); 1260 case IKE_ERR_CMD_INVALID: 1261 return (gettext("Command invalid")); 1262 case IKE_ERR_DATA_INVALID: 1263 return (gettext("Supplied data invalid")); 1264 case IKE_ERR_CMD_NOTSUP: 1265 return (gettext("Unknown command")); 1266 case IKE_ERR_REQ_INVALID: 1267 return (gettext("Request invalid")); 1268 case IKE_ERR_NO_PRIV: 1269 return (gettext("Not allowed at current privilege level")); 1270 case IKE_ERR_NO_AUTH: 1271 return (gettext("User not authorized")); 1272 case IKE_ERR_SYS_ERR: 1273 return (gettext("System error")); 1274 case IKE_ERR_DUP_IGNORED: 1275 return (gettext("One or more duplicate entries ignored")); 1276 case IKE_ERR_NO_TOKEN: 1277 return (gettext( 1278 "token login failed or no objects on device")); 1279 case IKE_ERR_IN_PROGRESS: 1280 return (gettext( 1281 "Duplicate operation already in progress")); 1282 case IKE_ERR_NO_MEM: 1283 return (gettext( 1284 "Insufficient memory")); 1285 default: 1286 (void) snprintf(rtn, MAXLINESIZE, 1287 gettext("<unknown error %d>"), err); 1288 return (rtn); 1289 } 1290 } 1291 1292 static char * 1293 dbgstr(int bit) 1294 { 1295 static char rtn[MAXLINESIZE]; 1296 1297 switch (bit) { 1298 case D_CERT: 1299 return (gettext("Certificate management")); 1300 case D_KEY: 1301 return (gettext("Key management")); 1302 case D_OP: 1303 return (gettext("Operational")); 1304 case D_P1: 1305 return (gettext("Phase 1 SA creation")); 1306 case D_P2: 1307 return (gettext("Phase 2 SA creation")); 1308 case D_PFKEY: 1309 return (gettext("PF_KEY interface")); 1310 case D_POL: 1311 return (gettext("Policy management")); 1312 case D_PROP: 1313 return (gettext("Proposal construction")); 1314 case D_DOOR: 1315 return (gettext("Door interface")); 1316 case D_CONFIG: 1317 return (gettext("Config file processing")); 1318 case D_LABEL: 1319 return (gettext("MAC label processing")); 1320 default: 1321 (void) snprintf(rtn, MAXLINESIZE, 1322 gettext("<unknown flag 0x%x>"), bit); 1323 return (rtn); 1324 } 1325 } 1326 1327 static char * 1328 privstr(int priv) 1329 { 1330 static char rtn[MAXLINESIZE]; 1331 1332 switch (priv) { 1333 case IKE_PRIV_MINIMUM: 1334 return (gettext("base privileges")); 1335 case IKE_PRIV_MODKEYS: 1336 return (gettext("access to preshared key information")); 1337 case IKE_PRIV_KEYMAT: 1338 return (gettext("access to keying material")); 1339 default: 1340 (void) snprintf(rtn, MAXLINESIZE, 1341 gettext("<unknown level %d>"), priv); 1342 return (rtn); 1343 } 1344 } 1345 1346 static char * 1347 xchgstr(int xchg) 1348 { 1349 static char rtn[MAXLINESIZE]; 1350 1351 switch (xchg) { 1352 case IKE_XCHG_NONE: 1353 return (gettext("<unspecified>")); 1354 case IKE_XCHG_BASE: 1355 return (gettext("base")); 1356 case IKE_XCHG_IDENTITY_PROTECT: 1357 return (gettext("main mode (identity protect)")); 1358 case IKE_XCHG_AUTH_ONLY: 1359 return (gettext("authentication only")); 1360 case IKE_XCHG_AGGRESSIVE: 1361 return (gettext("aggressive mode")); 1362 case IKE_XCHG_IP_AND_AGGR: 1363 return (gettext("main and aggressive mode")); 1364 case IKE_XCHG_ANY: 1365 return (gettext("any mode")); 1366 default: 1367 (void) snprintf(rtn, MAXLINESIZE, 1368 gettext("<unknown %d>"), xchg); 1369 return (rtn); 1370 } 1371 } 1372 1373 static char * 1374 statestr(int state) 1375 { 1376 static char rtn[MAXLINESIZE]; 1377 1378 switch (state) { 1379 case IKE_SA_STATE_INIT: 1380 return (gettext("INITIALIZING")); 1381 case IKE_SA_STATE_SENT_SA: 1382 return (gettext("SENT FIRST MSG (SA)")); 1383 case IKE_SA_STATE_SENT_KE: 1384 return (gettext("SENT SECOND MSG (KE)")); 1385 case IKE_SA_STATE_SENT_LAST: 1386 return (gettext("SENT FINAL MSG")); 1387 case IKE_SA_STATE_DONE: 1388 return (gettext("ACTIVE")); 1389 case IKE_SA_STATE_DELETED: 1390 return (gettext("DELETED")); 1391 case IKE_SA_STATE_INVALID: 1392 return (gettext("<invalid>")); 1393 default: 1394 (void) snprintf(rtn, MAXLINESIZE, 1395 gettext("<unknown %d>"), state); 1396 return (rtn); 1397 } 1398 } 1399 1400 static char * 1401 authmethstr(int meth) 1402 { 1403 static char rtn[MAXLINESIZE]; 1404 1405 switch (meth) { 1406 case IKE_AUTH_METH_PRE_SHARED_KEY: 1407 return (gettext("pre-shared key")); 1408 case IKE_AUTH_METH_DSS_SIG: 1409 return (gettext("DSS signatures")); 1410 case IKE_AUTH_METH_RSA_SIG: 1411 return (gettext("RSA signatures")); 1412 case IKE_AUTH_METH_RSA_ENCR: 1413 return (gettext("RSA Encryption")); 1414 case IKE_AUTH_METH_RSA_ENCR_REVISED: 1415 return (gettext("Revised RSA Encryption")); 1416 default: 1417 (void) snprintf(rtn, MAXLINESIZE, 1418 gettext("<unknown %d>"), meth); 1419 return (rtn); 1420 } 1421 } 1422 1423 static char * 1424 prfstr(int prf) 1425 { 1426 static char rtn[MAXLINESIZE]; 1427 1428 switch (prf) { 1429 case IKE_PRF_NONE: 1430 return (gettext("<none/unavailable>")); 1431 case IKE_PRF_HMAC_MD5: 1432 return ("HMAC MD5"); 1433 case IKE_PRF_HMAC_SHA1: 1434 return ("HMAC SHA1"); 1435 case IKE_PRF_HMAC_SHA256: 1436 return ("HMAC SHA256"); 1437 case IKE_PRF_HMAC_SHA384: 1438 return ("HMAC SHA384"); 1439 case IKE_PRF_HMAC_SHA512: 1440 return ("HMAC SHA512"); 1441 default: 1442 (void) snprintf(rtn, MAXLINESIZE, 1443 gettext("<unknown %d>"), prf); 1444 return (rtn); 1445 } 1446 } 1447 1448 static char * 1449 dhstr(int grp) 1450 { 1451 static char rtn[MAXLINESIZE]; 1452 1453 switch (grp) { 1454 case 0: 1455 return (gettext("<unavailable>")); 1456 case IKE_GRP_DESC_MODP_768: 1457 return (gettext("768-bit MODP (group 1)")); 1458 case IKE_GRP_DESC_MODP_1024: 1459 return (gettext("1024-bit MODP (group 2)")); 1460 case IKE_GRP_DESC_EC2N_155: 1461 return (gettext("EC2N group on GP[2^155]")); 1462 case IKE_GRP_DESC_EC2N_185: 1463 return (gettext("EC2N group on GP[2^185]")); 1464 case IKE_GRP_DESC_MODP_1536: 1465 return (gettext("1536-bit MODP (group 5)")); 1466 case IKE_GRP_DESC_MODP_2048: 1467 return (gettext("2048-bit MODP (group 14)")); 1468 case IKE_GRP_DESC_MODP_3072: 1469 return (gettext("3072-bit MODP (group 15)")); 1470 case IKE_GRP_DESC_MODP_4096: 1471 return (gettext("4096-bit MODP (group 16)")); 1472 case IKE_GRP_DESC_MODP_6144: 1473 return (gettext("6144-bit MODP (group 17)")); 1474 case IKE_GRP_DESC_MODP_8192: 1475 return (gettext("8192-bit MODP (group 18)")); 1476 case IKE_GRP_DESC_ECP_256: 1477 return (gettext("256-bit ECP (group 19)")); 1478 case IKE_GRP_DESC_ECP_384: 1479 return (gettext("384-bit ECP (group 20)")); 1480 case IKE_GRP_DESC_ECP_521: 1481 return (gettext("521-bit ECP (group 21)")); 1482 case IKE_GRP_DESC_MODP_1024_160: 1483 return ( 1484 gettext("1024-bit MODP with 160-bit subprime (group 22)")); 1485 case IKE_GRP_DESC_MODP_2048_224: 1486 return ( 1487 gettext("2048-bit MODP with 224-bit subprime (group 23)")); 1488 case IKE_GRP_DESC_MODP_2048_256: 1489 return ( 1490 gettext("2048-bit MODP with 256-bit subprime (group 24)")); 1491 case IKE_GRP_DESC_ECP_192: 1492 return (gettext("192-bit ECP (group 25)")); 1493 case IKE_GRP_DESC_ECP_224: 1494 return (gettext("224-bit ECP (group 26)")); 1495 default: 1496 (void) snprintf(rtn, MAXLINESIZE, gettext("<unknown %d>"), grp); 1497 return (rtn); 1498 } 1499 } 1500 1501 static void 1502 print_hdr(char *prefix, ike_p1_hdr_t *hdrp) 1503 { 1504 char sbuf[TBUF_SIZE]; 1505 char tbuf[TBUF_SIZE]; 1506 time_t ltime = (time_t)hdrp->p1hdr_dpd_time; 1507 1508 (void) printf( 1509 gettext("%s Cookies: Initiator 0x%llx Responder 0x%llx\n"), 1510 prefix, ntohll(hdrp->p1hdr_cookies.cky_i), 1511 ntohll(hdrp->p1hdr_cookies.cky_r)); 1512 (void) printf(gettext("%s The local host is the %s.\n"), prefix, 1513 hdrp->p1hdr_isinit ? gettext("initiator") : gettext("responder")); 1514 (void) printf(gettext("%s ISAKMP version %d.%d; %s exchange\n"), prefix, 1515 hdrp->p1hdr_major, hdrp->p1hdr_minor, xchgstr(hdrp->p1hdr_xchg)); 1516 (void) printf(gettext("%s Current state is %s\n"), prefix, 1517 statestr(hdrp->p1hdr_state)); 1518 if (hdrp->p1hdr_support_dpd == B_FALSE) { 1519 return; 1520 } 1521 (void) printf(gettext("%s Dead Peer Detection (RFC 3706)" 1522 " enabled"), prefix); 1523 if (hdrp->p1hdr_dpd_state < DPD_IN_PROGRESS) { 1524 (void) printf("\n"); 1525 return; 1526 } 1527 if (strftime(tbuf, TBUF_SIZE, NULL, 1528 localtime(<ime)) == 0) { 1529 (void) strlcpy(tbuf, gettext("<time conversion failed>"), 1530 TBUF_SIZE); 1531 } 1532 (void) printf(gettext("\n%s Dead Peer Detection handshake "), prefix); 1533 switch (hdrp->p1hdr_dpd_state) { 1534 case DPD_SUCCESSFUL: 1535 (void) strlcpy(sbuf, gettext("was successful at "), TBUF_SIZE); 1536 break; 1537 case DPD_FAILURE: 1538 (void) strlcpy(sbuf, gettext("failed at "), TBUF_SIZE); 1539 break; 1540 case DPD_IN_PROGRESS: 1541 (void) strlcpy(sbuf, gettext("is in progress."), TBUF_SIZE); 1542 break; 1543 } 1544 (void) printf("%s %s", sbuf, 1545 (hdrp->p1hdr_dpd_state == DPD_IN_PROGRESS) ? "" : tbuf); 1546 (void) printf("\n"); 1547 } 1548 1549 static void 1550 print_lt_limits(char *prefix, ike_p1_xform_t *xfp) 1551 { 1552 char byte_str[BYTE_STR_SIZE]; /* byte lifetime string representation */ 1553 char secs_str[SECS_STR_SIZE]; /* lifetime string representation */ 1554 1555 (void) printf(gettext("%s Lifetime limits:\n"), prefix); 1556 (void) printf(gettext("%s %u seconds%s; %u kbytes %sprotected\n"), 1557 prefix, xfp->p1xf_max_secs, secs2out(xfp->p1xf_max_secs, 1558 secs_str, sizeof (secs_str), SPC_BEGIN), xfp->p1xf_max_kbytes, 1559 bytecnt2out((uint64_t)xfp->p1xf_max_kbytes << 10, byte_str, 1560 sizeof (byte_str), SPC_END)); 1561 (void) printf(gettext("%s keying material for IPsec SAs can be " 1562 "provided %u times%s\n"), prefix, xfp->p1xf_max_keyuses, 1563 xfp->p1xf_max_keyuses == 0 ? " (no limit)" : ""); 1564 } 1565 1566 #define LT_USAGE_LEN 16 /* 1 uint64 + 2 uint32s */ 1567 static void 1568 print_lt_usage(char *prefix, ike_p1_stats_t *sp) 1569 { 1570 time_t scratch; 1571 char tbuf[TBUF_SIZE]; 1572 char bytestr[BYTE_STR_SIZE]; /* byte lifetime representation */ 1573 1574 (void) printf(gettext("%s Current usage:\n"), prefix); 1575 scratch = (time_t)sp->p1stat_start; 1576 if (strftime(tbuf, TBUF_SIZE, NULL, localtime(&scratch)) == 0) 1577 (void) strlcpy(tbuf, gettext("<time conversion failed>"), 1578 TBUF_SIZE); 1579 (void) printf(gettext("%s SA was created at %s\n"), prefix, tbuf); 1580 (void) printf(gettext("%s %u kbytes %sprotected\n"), 1581 prefix, sp->p1stat_kbytes, 1582 bytecnt2out((uint64_t)sp->p1stat_kbytes << 10, bytestr, 1583 sizeof (bytestr), SPC_END)); 1584 (void) printf(gettext("%s keying material for IPsec SAs provided " 1585 "%u times\n"), prefix, sp->p1stat_keyuses); 1586 } 1587 1588 static void 1589 print_xform(char *prefix, ike_p1_xform_t *xfp, boolean_t print_lifetimes) 1590 { 1591 (void) printf(gettext("%s Authentication method: %s"), prefix, 1592 authmethstr(xfp->p1xf_auth_meth)); 1593 (void) printf(gettext("\n%s Encryption alg: "), prefix); 1594 (void) dump_ealg(xfp->p1xf_encr_alg, stdout); 1595 if (xfp->p1xf_encr_low_bits != 0) { 1596 (void) printf(gettext("(%d..%d)"), xfp->p1xf_encr_low_bits, 1597 xfp->p1xf_encr_high_bits); 1598 } else if ((xfp->p1xf_encr_low_bits == 0) && 1599 (xfp->p1xf_encr_high_bits != 0)) { 1600 /* 1601 * High bits is a placeholder for 1602 * negotiated algorithm strength 1603 */ 1604 (void) printf(gettext("(%d)"), xfp->p1xf_encr_high_bits); 1605 } 1606 (void) printf(gettext("; Authentication alg: ")); 1607 (void) dump_aalg(xfp->p1xf_auth_alg, stdout); 1608 (void) printf("\n%s ", prefix); 1609 if (xfp->p1xf_prf != 0) 1610 (void) printf(gettext("PRF: %s ; "), prfstr(xfp->p1xf_prf)); 1611 (void) printf(gettext("Oakley Group: %s\n"), 1612 dhstr(xfp->p1xf_dh_group)); 1613 if (xfp->p1xf_pfs == 0) { 1614 (void) printf(gettext("%s Phase 2 PFS is not used\n"), prefix); 1615 } else { 1616 (void) printf(gettext( 1617 "%s Phase 2 PFS is required (Oakley Group: %s)\n"), 1618 prefix, dhstr(xfp->p1xf_pfs)); 1619 } 1620 1621 if (print_lifetimes) 1622 print_lt_limits(prefix, xfp); 1623 } 1624 1625 static void 1626 print_lifetime(char *prefix, ike_p1_xform_t *xfp, ike_p1_stats_t *sp, 1627 int statlen) 1628 { 1629 time_t current, remain, exp; 1630 char tbuf[TBUF_SIZE]; 1631 char byte_str[BYTE_STR_SIZE]; /* byte lifetime representation */ 1632 char secs_str[SECS_STR_SIZE]; /* seconds lifetime representation */ 1633 1634 current = time(NULL); 1635 1636 print_lt_limits(prefix, xfp); 1637 1638 /* 1639 * make sure the stats struct we've been passed is as big 1640 * as we expect it to be. The usage stats are at the end, 1641 * so anything less than the size we expect won't work. 1642 */ 1643 if (statlen >= sizeof (ike_p1_stats_t)) { 1644 print_lt_usage(prefix, sp); 1645 } else { 1646 return; 1647 } 1648 1649 (void) printf(gettext("%s Expiration info:\n"), prefix); 1650 1651 if (xfp->p1xf_max_kbytes != 0) 1652 (void) printf(gettext("%s %u more bytes %scan be " 1653 "protected.\n"), 1654 prefix, xfp->p1xf_max_kbytes - sp->p1stat_kbytes, 1655 bytecnt2out((uint64_t)(xfp->p1xf_max_kbytes - 1656 sp->p1stat_kbytes) << 10, byte_str, sizeof (byte_str), 1657 SPC_END)); 1658 1659 if (xfp->p1xf_max_keyuses != 0) 1660 (void) printf(gettext("%s Keying material can be provided " 1661 "%u more times.\n"), prefix, 1662 xfp->p1xf_max_keyuses - sp->p1stat_keyuses); 1663 1664 if (xfp->p1xf_max_secs != 0) { 1665 exp = (time_t)sp->p1stat_start + (time_t)xfp->p1xf_max_secs; 1666 remain = exp - current; 1667 if (strftime(tbuf, TBUF_SIZE, NULL, localtime(&exp)) == 0) 1668 (void) strlcpy(tbuf, 1669 gettext("<time conversion failed>"), TBUF_SIZE); 1670 /* 1671 * The SA may have expired but still exist because libike 1672 * has not freed it yet. 1673 */ 1674 if (remain > 0) { 1675 (void) printf(gettext( 1676 "%s SA expires in %lu seconds%s\n"), 1677 prefix, remain, secs2out(remain, secs_str, 1678 sizeof (secs_str), SPC_BEGIN)); 1679 (void) printf(gettext("%s Time of expiration: %s\n"), 1680 prefix, tbuf); 1681 } else { 1682 (void) printf(gettext("%s SA Expired at %s\n"), 1683 prefix, tbuf); 1684 } 1685 } 1686 } 1687 1688 /* used to verify structure lengths... */ 1689 #define COUNTER_32BIT 4 1690 #define COUNTER_PAIR 8 1691 1692 static void 1693 print_p1stats(char *prefix, ike_p1_stats_t *sp, int statlen, 1694 boolean_t print_lifetimes) 1695 { 1696 if (statlen < COUNTER_PAIR) 1697 return; 1698 (void) printf(gettext("%s %u Quick Mode SAs created; "), prefix, 1699 sp->p1stat_new_qm_sas); 1700 (void) printf(gettext("%u Quick Mode SAs deleted\n"), 1701 sp->p1stat_del_qm_sas); 1702 statlen -= COUNTER_PAIR; 1703 1704 if ((print_lifetimes) && (statlen >= LT_USAGE_LEN)) 1705 print_lt_usage(prefix, sp); 1706 } 1707 1708 static void 1709 print_errs(char *prefix, ike_p1_errors_t *errp, int errlen) 1710 { 1711 /* 1712 * Don't try to break this one up; it's either all or nothing! 1713 */ 1714 if (errlen < sizeof (ike_p1_errors_t)) 1715 return; 1716 1717 (void) printf(gettext("%s %u RX errors: "), prefix, 1718 errp->p1err_decrypt + errp->p1err_hash + errp->p1err_otherrx); 1719 (void) printf(gettext("%u decryption, %u hash, %u other\n"), 1720 errp->p1err_decrypt, errp->p1err_hash, errp->p1err_otherrx); 1721 (void) printf(gettext("%s %u TX errors\n"), prefix, errp->p1err_tx); 1722 } 1723 1724 static void 1725 print_addr_range(char *prefix, ike_addr_pr_t *pr) 1726 { 1727 boolean_t range = B_TRUE; 1728 struct sockaddr_storage *beg, *end; 1729 struct sockaddr_in *bsin, *esin; 1730 struct sockaddr_in6 *bsin6, *esin6; 1731 1732 beg = &pr->beg_iprange; 1733 end = &pr->end_iprange; 1734 1735 if (beg->ss_family != end->ss_family) { 1736 (void) printf(gettext("%s invalid address range\n"), prefix); 1737 return; 1738 } 1739 1740 switch (beg->ss_family) { 1741 case AF_INET: 1742 bsin = (struct sockaddr_in *)beg; 1743 esin = (struct sockaddr_in *)end; 1744 if ((uint32_t)bsin->sin_addr.s_addr == 1745 (uint32_t)esin->sin_addr.s_addr) 1746 range = B_FALSE; 1747 break; 1748 case AF_INET6: 1749 bsin6 = (struct sockaddr_in6 *)beg; 1750 esin6 = (struct sockaddr_in6 *)end; 1751 if (IN6_ARE_ADDR_EQUAL(&bsin6->sin6_addr, &esin6->sin6_addr)) 1752 range = B_FALSE; 1753 break; 1754 default: 1755 (void) printf(gettext("%s invalid address range\n"), prefix); 1756 return; 1757 } 1758 1759 (void) printf("%s ", prefix); 1760 (void) dump_sockaddr((struct sockaddr *)beg, 0, B_TRUE, stdout, nflag); 1761 if (range) { 1762 (void) printf(" - "); 1763 (void) dump_sockaddr((struct sockaddr *)end, 0, B_TRUE, stdout, 1764 nflag); 1765 } 1766 (void) printf("\n"); 1767 1768 } 1769 1770 /* 1771 * used to tell printing function if info should be identified 1772 * as belonging to initiator, responder, or neither 1773 */ 1774 #define IS_INITIATOR 1 1775 #define IS_RESPONDER 2 1776 #define DONT_PRINT_INIT 3 1777 1778 static void 1779 print_addr(char *prefix, struct sockaddr_storage *sa, int init_instr, 1780 int mask) 1781 { 1782 (void) printf(gettext("%s Address"), prefix); 1783 1784 if (init_instr != DONT_PRINT_INIT) 1785 (void) printf(" (%s):\n", (init_instr == IS_INITIATOR) ? 1786 gettext("Initiator") : gettext("Responder")); 1787 else 1788 (void) printf(":\n"); 1789 1790 (void) printf("%s ", prefix); 1791 (void) dump_sockaddr((struct sockaddr *)sa, mask, B_FALSE, stdout, 1792 nflag); 1793 } 1794 1795 static void 1796 print_id(char *prefix, sadb_ident_t *idp, int init_instr) 1797 { 1798 boolean_t canprint; 1799 1800 switch (init_instr) { 1801 case IS_INITIATOR: 1802 (void) printf(gettext("%s Initiator identity, "), prefix); 1803 break; 1804 case IS_RESPONDER: 1805 (void) printf(gettext("%s Responder identity, "), prefix); 1806 break; 1807 case DONT_PRINT_INIT: 1808 (void) printf(gettext("%s Identity, "), prefix); 1809 break; 1810 default: 1811 (void) printf(gettext("<invalid identity>\n")); 1812 return; 1813 } 1814 (void) printf(gettext("uid=%d, type "), idp->sadb_ident_id); 1815 canprint = dump_sadb_idtype(idp->sadb_ident_type, stdout, NULL); 1816 if (canprint) { 1817 (void) printf("\n%s %s\n", prefix, (char *)(idp + 1)); 1818 } else { 1819 (void) printf(gettext("\n%s "), prefix); 1820 print_asn1_name(stdout, 1821 (const unsigned char *)(idp + 1), 1822 SADB_64TO8(idp->sadb_ident_len) - sizeof (sadb_ident_t)); 1823 } 1824 } 1825 1826 static void 1827 print_idspec(char *prefix, char *idp, int icnt, int ecnt) 1828 { 1829 int i; 1830 1831 (void) printf(gettext("%s Identity descriptors:\n"), prefix); 1832 1833 for (i = 0; i < icnt; i++) { 1834 if (i == 0) 1835 (void) printf(gettext("%s Includes:\n"), prefix); 1836 (void) printf("%s %s\n", prefix, idp); 1837 idp += strlen(idp) + 1; 1838 } 1839 1840 for (i = 0; i < ecnt; i++) { 1841 if (i == 0) 1842 (void) printf(gettext("%s Excludes:\n"), prefix); 1843 (void) printf("%s %s\n", prefix, idp); 1844 idp += strlen(idp) + 1; 1845 } 1846 } 1847 1848 static void 1849 print_keys(char *prefix, ike_p1_key_t *keyp, int size) 1850 { 1851 uint32_t *curp; 1852 ike_p1_key_t *p; 1853 int ssize; 1854 1855 curp = (uint32_t *)keyp; 1856 1857 ssize = sizeof (ike_p1_key_t); 1858 1859 while ((intptr_t)curp - (intptr_t)keyp < size) { 1860 size_t p1klen, len; 1861 1862 p = (ike_p1_key_t *)curp; 1863 p1klen = p->p1key_len; 1864 len = p1klen - ssize; 1865 1866 p1klen = roundup(p1klen, sizeof (ike_p1_key_t)); 1867 if (p1klen < ssize) { 1868 (void) printf(gettext("Short key\n")); 1869 break; 1870 } 1871 1872 switch (p->p1key_type) { 1873 case IKE_KEY_PRESHARED: 1874 (void) printf(gettext("%s Pre-shared key (%d bytes): "), 1875 prefix, len); 1876 break; 1877 case IKE_KEY_SKEYID: 1878 (void) printf(gettext("%s SKEYID (%d bytes): "), 1879 prefix, len); 1880 break; 1881 case IKE_KEY_SKEYID_D: 1882 (void) printf(gettext("%s SKEYID_d (%d bytes): "), 1883 prefix, len); 1884 break; 1885 case IKE_KEY_SKEYID_A: 1886 (void) printf(gettext("%s SKEYID_a (%d bytes): "), 1887 prefix, len); 1888 break; 1889 case IKE_KEY_SKEYID_E: 1890 (void) printf(gettext("%s SKEYID_e (%d bytes): "), 1891 prefix, len); 1892 break; 1893 case IKE_KEY_ENCR: 1894 (void) printf(gettext("%s Encryption key (%d bytes): "), 1895 prefix, len); 1896 break; 1897 case IKE_KEY_IV: 1898 (void) printf( 1899 gettext("%s Initialization vector (%d bytes): "), 1900 prefix, len); 1901 break; 1902 default: 1903 (void) printf(gettext("%s Unidentified key info %p %d"), 1904 prefix, p, p1klen); 1905 goto badkey; 1906 } 1907 (void) dump_key((uint8_t *)(p + 1), SADB_8TO1(len), 0, 1908 stdout, B_FALSE); 1909 badkey: 1910 (void) printf("\n"); 1911 assert(IS_P2ALIGNED(p1klen, 8)); 1912 curp += (p1klen >> 2); 1913 } 1914 } 1915 1916 static void 1917 print_group_header(void) 1918 { 1919 (void) printf(gettext("\nList of Diffie-Hellman groups for setting " 1920 "up IKE SAs")); 1921 (void) printf(gettext("\nThe values match the IPsec attribute " 1922 "assigned numbers published by IANA\n\n")); 1923 (void) printf("%-6s%-9s%-50s\n", 1924 gettext("Value"), gettext("Strength"), gettext("Description")); 1925 } 1926 1927 static void 1928 print_group(ike_group_t *gp) 1929 { 1930 (void) printf("%-6u%-9u%-50s\n", 1931 gp->group_number, gp->group_bits, gp->group_label); 1932 } 1933 1934 static void 1935 print_encralg_header(void) 1936 { 1937 (void) printf(gettext("\nList of encryption algorithms for IKE")); 1938 (void) printf(gettext("\nThe values match the IPsec attribute " 1939 "assigned numbers published by IANA\n\n")); 1940 (void) printf("%-6s%-20s%-15s\n", gettext("Value"), 1941 gettext("Name"), gettext("Keylen range")); 1942 } 1943 1944 static void 1945 print_encralg(ike_encralg_t *ep) 1946 { 1947 char keylen_str[16]; 1948 1949 (void) strlcpy(keylen_str, "N/A", sizeof (keylen_str)); 1950 if (ep->encr_keylen_min != 0 || ep->encr_keylen_max != 0) 1951 (void) snprintf(keylen_str, sizeof (keylen_str), "%d-%d", 1952 ep->encr_keylen_min, ep->encr_keylen_max); 1953 (void) printf("%-6u%-20s%-15s\n", 1954 ep->encr_value, ep->encr_name, keylen_str); 1955 } 1956 1957 static void 1958 print_authalg_header(void) 1959 { 1960 (void) printf(gettext("\nList of authentication algorithms for IKE")); 1961 (void) printf(gettext("\nThe values match the IPsec attribute " 1962 "assigned numbers published by IANA\n\n")); 1963 (void) printf("%-6s%-20s\n", gettext("Value"), gettext("Name")); 1964 } 1965 1966 static void 1967 print_authalg(ike_authalg_t *ap) 1968 { 1969 (void) printf("%-6u%-20s\n", 1970 ap->auth_value, ap->auth_name); 1971 } 1972 1973 static void 1974 print_p1(ike_p1_sa_t *p1) 1975 { 1976 ike_p1_stats_t *sp; 1977 ike_p1_errors_t *ep; 1978 ike_p1_key_t *kp; 1979 sadb_ident_t *lidp, *ridp; 1980 int lstat, rstat; 1981 1982 (void) printf("\n"); 1983 print_hdr("IKESA:", &p1->p1sa_hdr); 1984 print_xform("XFORM:", &p1->p1sa_xform, B_FALSE); 1985 1986 if (p1->p1sa_hdr.p1hdr_isinit) { 1987 lstat = IS_INITIATOR; 1988 rstat = IS_RESPONDER; 1989 } else { 1990 lstat = IS_RESPONDER; 1991 rstat = IS_INITIATOR; 1992 } 1993 print_addr("LOCIP:", &p1->p1sa_ipaddrs.loc_addr, lstat, 0); 1994 print_addr("REMIP:", &p1->p1sa_ipaddrs.rem_addr, rstat, 0); 1995 1996 /* 1997 * the stat len might be 0; but still make the call 1998 * to print_lifetime() to pick up the xform info 1999 */ 2000 sp = (ike_p1_stats_t *)((int)(p1) + p1->p1sa_stat_off); 2001 print_lifetime("LIFTM:", &p1->p1sa_xform, sp, p1->p1sa_stat_len); 2002 2003 if (p1->p1sa_stat_len > 0) { 2004 print_p1stats("STATS:", sp, p1->p1sa_stat_len, B_FALSE); 2005 } 2006 2007 if (p1->p1sa_error_len > 0) { 2008 ep = (ike_p1_errors_t *)((int)(p1) + p1->p1sa_error_off); 2009 print_errs("ERRS: ", ep, p1->p1sa_error_len); 2010 } 2011 2012 if (p1->p1sa_localid_len > 0) { 2013 lidp = (sadb_ident_t *)((int)(p1) + p1->p1sa_localid_off); 2014 print_id("LOCID:", lidp, lstat); 2015 } 2016 2017 if (p1->p1sa_remoteid_len > 0) { 2018 ridp = (sadb_ident_t *)((int)(p1) + p1->p1sa_remoteid_off); 2019 print_id("REMID:", ridp, rstat); 2020 } 2021 2022 if (p1->p1sa_key_len > 0) { 2023 kp = (ike_p1_key_t *)((int)(p1) + p1->p1sa_key_off); 2024 print_keys("KEY: ", kp, p1->p1sa_key_len); 2025 } 2026 } 2027 2028 static void 2029 print_certcache(ike_certcache_t *c) 2030 { 2031 (void) printf("\n"); 2032 2033 (void) printf(gettext("CERTIFICATE CACHE ID: %d\n"), c->cache_id); 2034 (void) printf(gettext("\tSubject Name: <%s>\n"), 2035 (c->subject != NULL) ? c->subject : gettext("Name unavailable")); 2036 (void) printf(gettext("\t Issuer Name: <%s>\n"), 2037 (c->issuer != NULL) ? c->issuer : gettext("Name unavailable")); 2038 if ((int)c->certclass == -1) 2039 (void) printf(gettext("\t\t[trusted certificate]\n")); 2040 switch (c->linkage) { 2041 case CERT_OFF_WIRE: 2042 (void) printf(gettext("\t\t[Public certificate only]\n")); 2043 (void) printf(gettext( 2044 "\t\t[Obtained via certificate payload]\n")); 2045 break; 2046 case CERT_NO_PRIVKEY: 2047 (void) printf(gettext("\t\t[Public certificate only]\n")); 2048 break; 2049 case CERT_PRIVKEY_LOCKED: 2050 (void) printf(gettext( 2051 "\t\t[Private key linked but locked]\n")); 2052 break; 2053 case CERT_PRIVKEY_AVAIL: 2054 (void) printf(gettext("\t\t[Private key available]\n")); 2055 break; 2056 } 2057 } 2058 2059 static void 2060 print_ps(ike_ps_t *ps) 2061 { 2062 sadb_ident_t *lidp, *ridp; 2063 uint8_t *keyp; 2064 2065 (void) printf("\n"); 2066 2067 (void) printf(gettext("PSKEY: For %s exchanges\n"), 2068 xchgstr(ps->ps_ike_mode)); 2069 2070 if (ps->ps_key_len > 0) { 2071 keyp = (uint8_t *)((int)(ps) + ps->ps_key_off); 2072 (void) printf(gettext("PSKEY: Pre-shared key (%d bytes): "), 2073 ps->ps_key_len); 2074 (void) dump_key(keyp, ps->ps_key_bits, 0, stdout, B_FALSE); 2075 (void) printf("\n"); 2076 } 2077 2078 /* 2079 * We get *either* and address or an ident, never both. So if 2080 * the ident is there, don't try printing an address. 2081 */ 2082 if (ps->ps_localid_len > 0) { 2083 lidp = (sadb_ident_t *) 2084 ((int)(ps) + ps->ps_localid_off); 2085 print_id("LOCID:", lidp, DONT_PRINT_INIT); 2086 } else { 2087 print_addr("LOCIP:", &ps->ps_ipaddrs.loc_addr, DONT_PRINT_INIT, 2088 ps->ps_localid_plen > 0 ? ps->ps_localid_plen : 0); 2089 } 2090 2091 if (ps->ps_remoteid_len > 0) { 2092 ridp = (sadb_ident_t *) 2093 ((int)(ps) + ps->ps_remoteid_off); 2094 print_id("REMID:", ridp, DONT_PRINT_INIT); 2095 } else { 2096 print_addr("REMIP:", &ps->ps_ipaddrs.rem_addr, DONT_PRINT_INIT, 2097 ps->ps_remoteid_plen > 0 ? ps->ps_remoteid_plen : 0); 2098 } 2099 } 2100 2101 #define PREFIXLEN 16 2102 2103 static void 2104 print_rule(ike_rule_t *rp) 2105 { 2106 char prefix[PREFIXLEN]; 2107 int i; 2108 ike_p1_xform_t *xfp; 2109 ike_addr_pr_t *lipp, *ripp; 2110 char *lidp, *ridp; 2111 char byte_str[BYTE_STR_SIZE]; /* kbyte string representation */ 2112 char secs_str[SECS_STR_SIZE]; /* seconds string representation */ 2113 2114 (void) printf("\n"); 2115 (void) printf(gettext("GLOBL: Label '%s', key manager cookie %u\n"), 2116 rp->rule_label, rp->rule_kmcookie); 2117 (void) printf(gettext("GLOBL: local_idtype=")); 2118 (void) dump_sadb_idtype(rp->rule_local_idtype, stdout, NULL); 2119 (void) printf(gettext(", ike_mode=%s\n"), xchgstr(rp->rule_ike_mode)); 2120 (void) printf(gettext( 2121 "GLOBL: p1_nonce_len=%u, p2_nonce_len=%u, p2_pfs=%s (group %u)\n"), 2122 rp->rule_p1_nonce_len, rp->rule_p2_nonce_len, 2123 (rp->rule_p2_pfs) ? gettext("true") : gettext("false"), 2124 rp->rule_p2_pfs); 2125 (void) printf( 2126 gettext("GLOBL: p2_lifetime=%u seconds%s\n"), 2127 rp->rule_p2_lifetime_secs, secs2out(rp->rule_p2_lifetime_secs, 2128 secs_str, sizeof (secs_str), SPC_BEGIN)); 2129 (void) printf( 2130 gettext("GLOBL: p2_softlife=%u seconds%s\n"), 2131 rp->rule_p2_softlife_secs, secs2out(rp->rule_p2_softlife_secs, 2132 secs_str, sizeof (secs_str), SPC_BEGIN)); 2133 (void) printf( 2134 gettext("GLOBL: p2_idletime=%u seconds%s\n"), 2135 rp->rule_p2_idletime_secs, secs2out(rp->rule_p2_idletime_secs, 2136 secs_str, sizeof (secs_str), SPC_BEGIN)); 2137 /* 2138 * Perform explicit conversion before passing to bytecnt2out() 2139 * to avoid integer overflow. 2140 */ 2141 (void) printf( 2142 gettext("GLOBL: p2_lifetime_kb=%u kilobytes%s\n"), 2143 rp->rule_p2_lifetime_kb, 2144 bytecnt2out((uint64_t)(rp->rule_p2_lifetime_kb) << 10, 2145 byte_str, sizeof (byte_str), SPC_BEGIN)); 2146 (void) printf( 2147 gettext("GLOBL: p2_softlife_kb=%u kilobytes%s\n"), 2148 rp->rule_p2_softlife_kb, 2149 bytecnt2out(((uint64_t)(rp->rule_p2_softlife_kb)) << 10, 2150 byte_str, sizeof (byte_str), SPC_BEGIN)); 2151 2152 if (rp->rule_locip_cnt > 0) { 2153 (void) printf(gettext("LOCIP: IP address range(s):\n")); 2154 lipp = (ike_addr_pr_t *)((int)rp + rp->rule_locip_off); 2155 for (i = 0; i < rp->rule_locip_cnt; i++, lipp++) { 2156 print_addr_range("LOCIP:", lipp); 2157 } 2158 } 2159 2160 if (rp->rule_remip_cnt > 0) { 2161 (void) printf(gettext("REMIP: IP address range(s):\n")); 2162 ripp = (ike_addr_pr_t *)((int)rp + rp->rule_remip_off); 2163 for (i = 0; i < rp->rule_remip_cnt; i++, ripp++) { 2164 print_addr_range("REMIP:", ripp); 2165 } 2166 } 2167 2168 if (rp->rule_locid_inclcnt + rp->rule_locid_exclcnt > 0) { 2169 lidp = (char *)((int)rp + rp->rule_locid_off); 2170 print_idspec("LOCID:", lidp, rp->rule_locid_inclcnt, 2171 rp->rule_locid_exclcnt); 2172 } 2173 2174 if (rp->rule_remid_inclcnt + rp->rule_remid_exclcnt > 0) { 2175 ridp = (char *)((int)rp + rp->rule_remid_off); 2176 print_idspec("REMID:", ridp, rp->rule_remid_inclcnt, 2177 rp->rule_remid_exclcnt); 2178 } 2179 2180 if (rp->rule_xform_cnt > 0) { 2181 (void) printf(gettext("XFRMS: Available Transforms:\n")); 2182 xfp = (ike_p1_xform_t *)((int)rp + rp->rule_xform_off); 2183 for (i = 0; i < rp->rule_xform_cnt; i++, xfp++) { 2184 (void) snprintf(prefix, PREFIXLEN, "XF %2u:", i); 2185 print_xform(prefix, xfp, B_TRUE); 2186 } 2187 } 2188 } 2189 2190 #undef PREFIXLEN 2191 2192 #define PRSACNTS(init, resp) \ 2193 (void) printf(gettext("initiator: %10u responder: %10u\n"), \ 2194 (init), (resp)) 2195 2196 static void 2197 print_stats(ike_stats_t *sp, int len) 2198 { 2199 /* 2200 * before printing each line, make sure the structure we were 2201 * given is big enough to include the fields needed. 2202 */ 2203 if (len < COUNTER_PAIR) 2204 return; 2205 (void) printf(gettext("Phase 1 SA counts:\n")); 2206 (void) printf(gettext("Current: ")); 2207 PRSACNTS(sp->st_init_p1_current, sp->st_resp_p1_current); 2208 len -= COUNTER_PAIR; 2209 2210 if (len < COUNTER_PAIR) 2211 return; 2212 (void) printf(gettext("Total: ")); 2213 PRSACNTS(sp->st_init_p1_total, sp->st_resp_p1_total); 2214 len -= COUNTER_PAIR; 2215 2216 if (len < COUNTER_PAIR) 2217 return; 2218 (void) printf(gettext("Attempted: ")); 2219 PRSACNTS(sp->st_init_p1_attempts, sp->st_resp_p1_attempts); 2220 len -= COUNTER_PAIR; 2221 2222 if (len < (COUNTER_PAIR + COUNTER_32BIT)) 2223 return; 2224 (void) printf(gettext("Failed: ")); 2225 PRSACNTS(sp->st_init_p1_noresp + sp->st_init_p1_respfail, 2226 sp->st_resp_p1_fail); 2227 (void) printf( 2228 gettext(" initiator fails include %u time-out(s)\n"), 2229 sp->st_init_p1_noresp); 2230 2231 if (len < PATH_MAX) 2232 return; 2233 if (*(sp->st_pkcs11_libname) != '\0') 2234 (void) printf(gettext("PKCS#11 library linked in from %s\n"), 2235 sp->st_pkcs11_libname); 2236 } 2237 2238 /* Print one line of 'get defaults' output (i.e. single value). */ 2239 static void 2240 print_defaults(char *label, char *description, char *unit, 2241 uint_t current, uint_t def) 2242 { 2243 (void) printf("%-18s%-10s%11u %-10s%-26s\n", label, 2244 (current != def) ? gettext("config") : gettext("default"), 2245 current, unit, description); 2246 } 2247 2248 /* 2249 * Print out defaults used by in.iked, the argument is a buffer containing 2250 * two ike_defaults_t's, the first contains the hard coded defaults, the second 2251 * contains the actual values used. If these differ, then the defaults have been 2252 * changed via a config file entry. Note that "-" indicates this default 2253 * is not tunable via ike.config(4) or is system wide tunable. 2254 */ 2255 static void 2256 do_print_defaults(ike_defaults_t *dp) 2257 { 2258 ike_defaults_t *ddp; 2259 ddp = (ike_defaults_t *)(dp + 1); 2260 2261 (void) printf(gettext("\nGlobal defaults. Some values can be" 2262 " over-ridden on a per rule basis.\n")); 2263 (void) printf(gettext("\nSystem defaults are time delayed.\n\n")); 2264 2265 (void) printf("%-18s%-10s%-12s%-10s%-26s\n\n", 2266 gettext("Token:"), gettext("Source:"), gettext("Value:"), 2267 gettext("Unit:"), gettext("Description:")); 2268 2269 /* iked tunables */ 2270 print_defaults("p1_lifetime_secs", gettext("phase 1 lifetime"), 2271 gettext("seconds"), ddp->rule_p1_lifetime_secs, 2272 dp->rule_p1_lifetime_secs); 2273 2274 print_defaults("-", gettext("minimum phase 1 lifetime"), 2275 gettext("seconds"), ddp->rule_p1_minlife, 2276 dp->rule_p1_minlife); 2277 2278 print_defaults("p1_nonce_len", gettext("phase 1 nonce length"), 2279 gettext("bytes"), ddp->rule_p1_nonce_len, 2280 dp->rule_p1_nonce_len); 2281 2282 print_defaults("p2_lifetime_secs", gettext("phase 2 lifetime"), 2283 gettext("seconds"), ddp->rule_p2_lifetime_secs, 2284 dp->rule_p2_lifetime_secs); 2285 2286 print_defaults("p2_softlife_secs", gettext("phase 2 soft lifetime"), 2287 gettext("seconds"), ddp->rule_p2_softlife_secs, 2288 dp->rule_p2_softlife_secs); 2289 2290 print_defaults("p2_idletime_secs", gettext("phase 2 idle time"), 2291 gettext("seconds"), ddp->rule_p2_idletime_secs, 2292 dp->rule_p2_idletime_secs); 2293 2294 print_defaults("p2_lifetime_kb", gettext("phase 2 lifetime"), 2295 gettext("kilobytes"), ddp->rule_p2_lifetime_kb, 2296 dp->rule_p2_lifetime_kb); 2297 2298 print_defaults("p2_softlife_kb", gettext("phase 2 soft lifetime"), 2299 gettext("kilobytes"), ddp->rule_p2_softlife_kb, 2300 dp->rule_p2_softlife_kb); 2301 2302 /* system wide tunables */ 2303 print_defaults("-", gettext("system phase 2 lifetime"), 2304 gettext("seconds"), ddp->sys_p2_lifetime_secs, 2305 dp->sys_p2_lifetime_secs); 2306 2307 print_defaults("-", gettext("system phase 2 soft lifetime"), 2308 gettext("seconds"), ddp->sys_p2_softlife_secs, 2309 dp->sys_p2_softlife_secs); 2310 2311 print_defaults("-", gettext("system phase 2 idle time"), 2312 gettext("seconds"), ddp->sys_p2_idletime_secs, 2313 dp->sys_p2_idletime_secs); 2314 2315 print_defaults("-", gettext("system phase 2 lifetime"), 2316 gettext("bytes"), ddp->sys_p2_lifetime_bytes, 2317 dp->sys_p2_lifetime_bytes); 2318 2319 print_defaults("-", gettext("system phase 2 soft lifetime"), 2320 gettext("bytes"), ddp->sys_p2_softlife_bytes, 2321 dp->sys_p2_softlife_bytes); 2322 2323 /* minimum and maximum values */ 2324 print_defaults("-", gettext("minimum phase 2 hard lifetime"), 2325 gettext("seconds"), ddp->rule_p2_minlife_hard_secs, 2326 dp->rule_p2_minlife_hard_secs); 2327 2328 print_defaults("-", gettext("minimum phase 2 soft lifetime"), 2329 gettext("seconds"), ddp->rule_p2_minlife_soft_secs, 2330 dp->rule_p2_minlife_soft_secs); 2331 2332 print_defaults("-", gettext("minimum phase 2 idle lifetime"), 2333 gettext("seconds"), ddp->rule_p2_minlife_idle_secs, 2334 dp->rule_p2_minlife_idle_secs); 2335 2336 print_defaults("-", gettext("minimum phase 2 hard lifetime"), 2337 gettext("kilobytes"), ddp->rule_p2_minlife_hard_kb, 2338 dp->rule_p2_minlife_hard_kb); 2339 2340 print_defaults("-", gettext("minimum phase 2 soft lifetime"), 2341 gettext("kilobytes"), ddp->rule_p2_minlife_soft_kb, 2342 dp->rule_p2_minlife_soft_kb); 2343 2344 print_defaults("-", gettext("minimum phase 2 delta"), 2345 gettext("seconds"), ddp->rule_p2_mindiff_secs, 2346 dp->rule_p2_mindiff_secs); 2347 2348 print_defaults("-", gettext("minimum phase 2 delta"), 2349 gettext("kilobytes"), ddp->rule_p2_mindiff_kb, 2350 dp->rule_p2_mindiff_kb); 2351 2352 print_defaults("-", gettext("maximum phase 2 lifetime"), 2353 gettext("seconds"), ddp->rule_p2_maxlife_secs, 2354 dp->rule_p2_maxlife_secs); 2355 2356 print_defaults("-", gettext("conversion factor"), 2357 gettext("kbytes/s"), ddp->conversion_factor, 2358 dp->conversion_factor); 2359 2360 print_defaults("-", gettext("maximum phase 2 lifetime"), 2361 gettext("kilobytes"), ddp->rule_p2_maxlife_kb, 2362 dp->rule_p2_maxlife_kb); 2363 2364 /* other values */ 2365 print_defaults("p2_nonce_len", gettext("phase 2 nonce length"), 2366 gettext("bytes"), ddp->rule_p2_nonce_len, 2367 dp->rule_p2_nonce_len); 2368 2369 print_defaults("p2_pfs", gettext("phase 2 PFS"), 2370 " ", ddp->rule_p2_pfs, dp->rule_p2_pfs); 2371 2372 print_defaults("max_certs", gettext("max certificates"), 2373 " ", ddp->rule_max_certs, dp->rule_max_certs); 2374 2375 print_defaults("-", gettext("IKE port number"), 2376 " ", ddp->rule_ike_port, dp->rule_ike_port); 2377 2378 print_defaults("-", gettext("NAT-T port number"), 2379 " ", ddp->rule_natt_port, dp->rule_natt_port); 2380 } 2381 2382 static void 2383 print_categories(int level) 2384 { 2385 int mask; 2386 2387 if (level == 0) { 2388 (void) printf(gettext("No debug categories enabled.\n")); 2389 return; 2390 } 2391 2392 (void) printf(gettext("Debug categories enabled:")); 2393 for (mask = 1; mask <= D_HIGHBIT; mask <<= 1) { 2394 if (level & mask) 2395 (void) printf("\n\t%s", dbgstr(mask)); 2396 } 2397 (void) printf("\n"); 2398 } 2399 2400 /*PRINTFLIKE2*/ 2401 static void 2402 ikeadm_err_exit(ike_err_t *err, char *fmt, ...) 2403 { 2404 va_list ap; 2405 char bailbuf[BUFSIZ]; 2406 2407 va_start(ap, fmt); 2408 (void) vsnprintf(bailbuf, BUFSIZ, fmt, ap); 2409 va_end(ap); 2410 if ((err != NULL) && (err->ike_err == IKE_ERR_SYS_ERR)) { 2411 bail_msg("%s: %s", bailbuf, (err->ike_err_unix == 0) ? 2412 gettext("<unknown error>") : strerror(err->ike_err_unix)); 2413 } else { 2414 bail_msg("%s: %s", bailbuf, (err == NULL) ? 2415 gettext("<unknown error>") : errstr(err->ike_err)); 2416 } 2417 } 2418 2419 /*PRINTFLIKE2*/ 2420 static void 2421 ikeadm_err_msg(ike_err_t *err, char *fmt, ...) 2422 { 2423 va_list ap; 2424 char mbuf[BUFSIZ]; 2425 2426 va_start(ap, fmt); 2427 (void) vsnprintf(mbuf, BUFSIZ, fmt, ap); 2428 va_end(ap); 2429 if ((err != NULL) && (err->ike_err == IKE_ERR_SYS_ERR)) { 2430 message("%s: %s", mbuf, (err->ike_err_unix == 0) ? 2431 gettext("<unknown error>") : 2432 ((err->ike_err_unix == EEXIST) ? 2433 gettext("Duplicate entry") : 2434 strerror(err->ike_err_unix))); 2435 } else { 2436 message("%s: %s", mbuf, (err == NULL) ? 2437 gettext("<unknown error>") : errstr(err->ike_err)); 2438 } 2439 } 2440 2441 2442 /* 2443 * Command functions 2444 */ 2445 2446 /* 2447 * Exploit the fact that ike_dbg_t and ike_priv_t have identical 2448 * formats in the following two functions. 2449 */ 2450 static void 2451 do_getvar(int cmd) 2452 { 2453 ike_service_t req, *rtn; 2454 ike_dbg_t *dreq; 2455 char *varname; 2456 2457 switch (cmd) { 2458 case IKE_SVC_GET_DBG: 2459 varname = gettext("debug"); 2460 break; 2461 case IKE_SVC_GET_PRIV: 2462 varname = gettext("privilege"); 2463 break; 2464 default: 2465 bail_msg(gettext("unrecognized get command (%d)"), cmd); 2466 } 2467 2468 dreq = &req.svc_dbg; 2469 dreq->cmd = cmd; 2470 dreq->dbg_level = 0; 2471 2472 rtn = ikedoor_call((char *)&req, sizeof (ike_dbg_t), NULL, 0); 2473 2474 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 2475 ikeadm_err_exit(&rtn->svc_err, 2476 gettext("error getting %s level"), varname); 2477 } 2478 dreq = &rtn->svc_dbg; 2479 (void) printf(gettext("Current %s level is 0x%x"), 2480 varname, dreq->dbg_level); 2481 2482 if (cmd == IKE_SVC_GET_DBG) { 2483 (void) printf("\n"); 2484 print_categories(dreq->dbg_level); 2485 } else { 2486 (void) printf(gettext(", %s enabled\n"), 2487 privstr(dreq->dbg_level)); 2488 } 2489 } 2490 2491 /* 2492 * Log into a token and unlock all objects 2493 * referenced by PKCS#11 hint files. 2494 */ 2495 static void 2496 do_setdel_pin(int cmd, int argc, char **argv) 2497 { 2498 ike_service_t req, *rtn; 2499 ike_pin_t *preq; 2500 char token_label[PKCS11_TOKSIZE]; 2501 char *token_pin; 2502 char prompt[80]; 2503 2504 if (argc < 1) 2505 Bail(gettext("Must specify PKCS#11 token object.")); 2506 2507 preq = &req.svc_pin; 2508 preq->cmd = cmd; 2509 2510 switch (cmd) { 2511 case IKE_SVC_SET_PIN: 2512 if (parse_token(argc, argv, token_label) != 0) 2513 Bail("Invalid syntax for \"token login\""); 2514 (void) snprintf(prompt, sizeof (prompt), 2515 "Enter PIN for PKCS#11 token \'%s\': ", token_label); 2516 token_pin = 2517 getpassphrase(prompt); 2518 (void) strlcpy((char *)preq->token_pin, token_pin, MAX_PIN_LEN); 2519 bzero(token_pin, strlen(token_pin)); 2520 break; 2521 case IKE_SVC_DEL_PIN: 2522 if (parse_token(argc, argv, token_label) != 0) 2523 Bail("Invalid syntax for \"token logout\""); 2524 break; 2525 default: 2526 bail_msg(gettext("unrecognized token command (%d)"), cmd); 2527 } 2528 2529 (void) strlcpy(preq->pkcs11_token, token_label, PKCS11_TOKSIZE); 2530 2531 rtn = ikedoor_call((char *)&req, sizeof (ike_pin_t), NULL, 0); 2532 if (cmd == IKE_SVC_SET_PIN) 2533 bzero(preq->token_pin, sizeof (preq->token_pin)); 2534 2535 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 2536 ikeadm_err_exit(&rtn->svc_err, 2537 gettext("PKCS#11 operation")); 2538 } 2539 preq = &rtn->svc_pin; 2540 message(gettext("PKCS#11 operation successful")); 2541 } 2542 2543 static void 2544 do_setvar(int cmd, int argc, char **argv) 2545 { 2546 ike_service_t req, *rtn; 2547 ike_dbg_t *dreq; 2548 door_desc_t *descp = NULL, desc; 2549 int fd, ndesc = 0; 2550 uint32_t reqlevel; 2551 char *varname; 2552 2553 if (argc < 1) 2554 Bail("unspecified level"); 2555 reqlevel = strtoul(argv[0], NULL, 0); 2556 2557 switch (cmd) { 2558 case IKE_SVC_SET_DBG: 2559 if (argc > 2) 2560 Bail("Too many arguments to \"set debug\""); 2561 varname = gettext("debug"); 2562 if (reqlevel == 0) { 2563 /* check for a string... */ 2564 reqlevel = parsedbgopts(argv[0]); 2565 } 2566 if (reqlevel == D_INVALID) 2567 bail_msg(gettext("Bad debug flag: %s"), argv[0]); 2568 break; 2569 case IKE_SVC_SET_PRIV: 2570 if (argc > 1) 2571 Bail("Too many arguments to \"set priv\""); 2572 2573 varname = gettext("privilege"); 2574 if (reqlevel == 0) { 2575 /* check for a string... */ 2576 reqlevel = privstr2num(argv[0]); 2577 } 2578 if (reqlevel > IKE_PRIV_MAXIMUM) 2579 bail_msg(gettext("Bad privilege flag: %s"), argv[0]); 2580 break; 2581 default: 2582 bail_msg(gettext("unrecognized set command (%d)"), cmd); 2583 } 2584 2585 dreq = &req.svc_dbg; 2586 dreq->cmd = cmd; 2587 dreq->dbg_level = reqlevel; 2588 2589 if ((argc == 2) && (cmd == IKE_SVC_SET_DBG)) { 2590 fd = open(argv[1], O_RDWR | O_CREAT | O_APPEND, 2591 S_IRUSR | S_IWUSR); 2592 if (fd < 0) 2593 Bail("open debug file"); 2594 desc.d_data.d_desc.d_descriptor = fd; 2595 desc.d_attributes = DOOR_DESCRIPTOR; 2596 descp = &desc; 2597 ndesc = 1; 2598 } 2599 2600 rtn = ikedoor_call((char *)&req, sizeof (ike_dbg_t), descp, ndesc); 2601 2602 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 2603 ikeadm_err_exit(&rtn->svc_err, 2604 gettext("error setting %s level"), varname); 2605 } 2606 dreq = &rtn->svc_dbg; 2607 (void) printf( 2608 gettext("Successfully changed %s level from 0x%x to 0x%x\n"), 2609 varname, dreq->dbg_level, reqlevel); 2610 2611 if (cmd == IKE_SVC_SET_DBG) { 2612 print_categories(reqlevel); 2613 } else { 2614 (void) printf(gettext("New privilege level 0x%x enables %s\n"), 2615 reqlevel, privstr(reqlevel)); 2616 } 2617 } 2618 2619 static void 2620 do_getstats(int cmd) 2621 { 2622 ike_service_t *rtn; 2623 ike_statreq_t sreq, *sreqp; 2624 ike_stats_t *sp; 2625 2626 sreq.cmd = cmd; 2627 2628 rtn = ikedoor_call((char *)&sreq, sizeof (ike_statreq_t), NULL, 0); 2629 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 2630 ikeadm_err_exit(&rtn->svc_err, gettext("error getting stats")); 2631 } 2632 2633 sreqp = &rtn->svc_stats; 2634 sp = (ike_stats_t *)(sreqp + 1); 2635 print_stats(sp, sreqp->stat_len); 2636 } 2637 2638 static void 2639 do_getdefs(int cmd) 2640 { 2641 ike_service_t *rtn; 2642 ike_defreq_t dreq, *dreqp; 2643 ike_defaults_t *dp; 2644 2645 dreq.cmd = cmd; 2646 2647 rtn = ikedoor_call((char *)&dreq, sizeof (ike_defreq_t), NULL, 0); 2648 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 2649 ikeadm_err_exit(&rtn->svc_err, 2650 gettext("error getting defaults")); 2651 } 2652 2653 dreqp = &rtn->svc_defaults; 2654 dp = (ike_defaults_t *)(dreqp + 1); 2655 2656 /* 2657 * Before printing each line, make sure the structure we were 2658 * given is big enough to include the fields needed. 2659 * Silently bail out of there is a version mismatch. 2660 */ 2661 if (dreqp->stat_len < ((2 * sizeof (ike_defaults_t)) 2662 + sizeof (ike_defreq_t)) || dreqp->version != DOORVER) { 2663 return; 2664 } 2665 do_print_defaults(dp); 2666 } 2667 2668 static void 2669 do_dump(int cmd) 2670 { 2671 char *name; 2672 ike_service_t req, *rtn; 2673 ike_dump_t *dreq, *dump; 2674 2675 switch (cmd) { 2676 case IKE_SVC_DUMP_P1S: 2677 name = gettext("phase 1 SA info"); 2678 break; 2679 case IKE_SVC_DUMP_RULES: 2680 name = gettext("policy rules"); 2681 break; 2682 case IKE_SVC_DUMP_PS: 2683 name = gettext("preshared keys"); 2684 break; 2685 case IKE_SVC_DUMP_CERTCACHE: 2686 name = gettext("certcache"); 2687 break; 2688 case IKE_SVC_DUMP_GROUPS: 2689 name = gettext("groups"); 2690 print_group_header(); 2691 break; 2692 case IKE_SVC_DUMP_ENCRALGS: 2693 name = gettext("encralgs"); 2694 print_encralg_header(); 2695 break; 2696 case IKE_SVC_DUMP_AUTHALGS: 2697 name = gettext("authalgs"); 2698 print_authalg_header(); 2699 break; 2700 default: 2701 bail_msg(gettext("unrecognized dump command (%d)"), cmd); 2702 } 2703 2704 dreq = &req.svc_dump; 2705 dreq->cmd = cmd; 2706 dreq->dump_len = 0; 2707 dreq->dump_next = 0; 2708 do { 2709 rtn = ikedoor_call((char *)&req, sizeof (ike_dump_t), 2710 NULL, 0); 2711 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 2712 if (rtn && (rtn->svc_err.ike_err == IKE_ERR_NO_OBJ)) { 2713 /* no entries to print */ 2714 break; 2715 } 2716 ikeadm_err_exit(&rtn->svc_err, 2717 gettext("error getting %s"), name); 2718 } 2719 dump = &rtn->svc_dump; 2720 2721 switch (cmd) { 2722 case IKE_SVC_DUMP_P1S: 2723 print_p1((ike_p1_sa_t *)(dump + 1)); 2724 break; 2725 case IKE_SVC_DUMP_RULES: 2726 print_rule((ike_rule_t *)(dump + 1)); 2727 break; 2728 case IKE_SVC_DUMP_PS: 2729 print_ps((ike_ps_t *)(dump + 1)); 2730 break; 2731 case IKE_SVC_DUMP_CERTCACHE: 2732 print_certcache((ike_certcache_t *)(dump + 1)); 2733 break; 2734 case IKE_SVC_DUMP_GROUPS: 2735 print_group((ike_group_t *)(dump + 1)); 2736 break; 2737 case IKE_SVC_DUMP_ENCRALGS: 2738 print_encralg((ike_encralg_t *)(dump + 1)); 2739 break; 2740 case IKE_SVC_DUMP_AUTHALGS: 2741 print_authalg((ike_authalg_t *)(dump + 1)); 2742 break; 2743 } 2744 2745 dreq->dump_next = dump->dump_next; 2746 2747 (void) munmap((char *)rtn, dump->dump_len); 2748 2749 } while (dreq->dump_next); 2750 2751 (void) printf(gettext("\nCompleted dump of %s\n"), name); 2752 } 2753 2754 static void 2755 do_getdel_doorcall(int cmd, int idlen, int idtype, char *idp, char *name) 2756 { 2757 int totallen; 2758 char *p; 2759 ike_service_t *reqp, *rtnp; 2760 ike_get_t *getp; 2761 boolean_t getcmd; 2762 2763 getcmd = ((cmd == IKE_SVC_GET_P1) || (cmd == IKE_SVC_GET_RULE) || 2764 (cmd == IKE_SVC_GET_PS)); 2765 2766 /* 2767 * WARNING: to avoid being redundant, this code takes advantage 2768 * of the fact that the ike_get_t and ike_del_t structures are 2769 * identical (only the field names differ, their function and 2770 * size are the same). If for some reason those structures 2771 * change, this code will need to be re-written to accomodate 2772 * that difference. 2773 */ 2774 totallen = sizeof (ike_get_t) + idlen; 2775 if ((reqp = (ike_service_t *)malloc(totallen)) == NULL) 2776 Bail("malloc(id)"); 2777 2778 getp = &reqp->svc_get; 2779 getp->cmd = cmd; 2780 getp->get_len = totallen; 2781 getp->get_idtype = idtype; 2782 p = (char *)(getp + 1); 2783 2784 (void) memcpy(p, idp, idlen); 2785 2786 rtnp = ikedoor_call((char *)reqp, totallen, NULL, 0); 2787 if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) { 2788 if (rtnp && (rtnp->svc_err.ike_err == IKE_ERR_NO_OBJ)) { 2789 message(gettext("Could not find requested %s."), name); 2790 } else { 2791 ikeadm_err_msg(&rtnp->svc_err, gettext("error %s %s"), 2792 (getcmd) ? gettext("getting") : gettext("deleting"), 2793 name); 2794 } 2795 free(reqp); 2796 return; 2797 } 2798 getp = &rtnp->svc_get; 2799 2800 if (getcmd) { 2801 switch (cmd) { 2802 case IKE_SVC_GET_P1: 2803 print_p1((ike_p1_sa_t *)(getp + 1)); 2804 break; 2805 case IKE_SVC_GET_PS: 2806 print_ps((ike_ps_t *)(getp + 1)); 2807 break; 2808 case IKE_SVC_GET_RULE: 2809 print_rule((ike_rule_t *)(getp + 1)); 2810 break; 2811 } 2812 } else { 2813 message(gettext("Successfully deleted selected %s."), name); 2814 } 2815 2816 (void) munmap((char *)rtnp, getp->get_len); 2817 free(reqp); 2818 } 2819 2820 static void 2821 do_getdel(int cmd, int argc, char **argv) 2822 { 2823 int idlen, idtype = 0, i, j; 2824 int bytelen1, bytelen2; 2825 char *name, *idp, *p, *p1, *p2; 2826 ike_addr_pr_t apr; 2827 ike_cky_pr_t cpr; 2828 sadb_ident_t *sid1p, *sid2p; 2829 struct hostent *he1p, *he2p; 2830 char label[MAX_LABEL_LEN]; 2831 2832 if ((argc < 1) || (argv[0] == NULL)) { 2833 Bail("not enough identification info"); 2834 } 2835 2836 switch (cmd) { 2837 case IKE_SVC_GET_P1: 2838 case IKE_SVC_DEL_P1: 2839 name = gettext("phase 1 SA"); 2840 /* 2841 * The first token must either be an address (or hostname) 2842 * or a cookie. We require cookies to be entered as hex 2843 * numbers, beginning with 0x; so if our token starts with 2844 * that, it's a cookie. 2845 */ 2846 if (strncmp(argv[0], "0x", 2) == 0) { 2847 if (parse_cky_pr(argc, argv, &cpr) >= 0) { 2848 idtype = IKE_ID_CKY_PAIR; 2849 idlen = sizeof (ike_cky_pr_t); 2850 idp = (char *)&cpr; 2851 } 2852 } else { 2853 if (parse_addr_pr(argc, argv, &he1p, &he2p) >= 0) { 2854 idtype = IKE_ID_ADDR_PAIR; 2855 idlen = sizeof (ike_addr_pr_t); 2856 } 2857 } 2858 break; 2859 2860 case IKE_SVC_GET_RULE: 2861 case IKE_SVC_DEL_RULE: 2862 name = gettext("policy rule"); 2863 if (parse_label(argc, argv, label) >= 0) { 2864 idtype = IKE_ID_LABEL; 2865 idlen = MAX_LABEL_LEN; 2866 idp = label; 2867 } 2868 break; 2869 2870 case IKE_SVC_GET_PS: 2871 case IKE_SVC_DEL_PS: 2872 name = gettext("preshared key"); 2873 /* 2874 * The first token must either be an address or an ident 2875 * type. Check for an ident type to determine which it is. 2876 */ 2877 if (parse_idtype(argv[0], NULL) >= 0) { 2878 if (parse_ident_pr(argc, argv, &sid1p, &sid2p) >= 0) { 2879 idtype = IKE_ID_IDENT_PAIR; 2880 idlen = SADB_64TO8(sid1p->sadb_ident_len) + 2881 SADB_64TO8(sid2p->sadb_ident_len); 2882 } 2883 } else { 2884 if (parse_addr_pr(argc, argv, &he1p, &he2p) >= 0) { 2885 idtype = IKE_ID_ADDR_PAIR; 2886 idlen = sizeof (ike_addr_pr_t); 2887 } 2888 } 2889 break; 2890 2891 default: 2892 bail_msg(gettext("unrecognized get/del command (%d)"), cmd); 2893 } 2894 2895 switch (idtype) { 2896 case IKE_ID_ADDR_PAIR: 2897 /* 2898 * we might have exploding addrs here; do every possible 2899 * combination. 2900 */ 2901 i = 0; 2902 j = 0; 2903 while ((p1 = he1p->h_addr_list[i++]) != NULL) { 2904 headdr2sa(p1, &apr.loc_addr, he1p->h_length); 2905 2906 while ((p2 = he2p->h_addr_list[j++]) != NULL) { 2907 headdr2sa(p2, &apr.rem_addr, he2p->h_length); 2908 do_getdel_doorcall(cmd, idlen, idtype, 2909 (char *)&apr, name); 2910 } 2911 } 2912 FREE_HE(he1p); 2913 FREE_HE(he2p); 2914 break; 2915 2916 case IKE_ID_IDENT_PAIR: 2917 bytelen1 = SADB_64TO8(sid1p->sadb_ident_len); 2918 bytelen2 = SADB_64TO8(sid2p->sadb_ident_len); 2919 if (idlen != bytelen1 + bytelen2) 2920 Bail("ident syntax error"); 2921 idp = p = (char *)malloc(idlen); 2922 if (p == NULL) 2923 Bail("malloc(id)"); 2924 (void) memcpy(p, (char *)sid1p, bytelen1); 2925 p += bytelen1; 2926 (void) memcpy(p, (char *)sid2p, bytelen2); 2927 do_getdel_doorcall(cmd, idlen, idtype, idp, name); 2928 free(idp); 2929 free(sid1p); 2930 free(sid2p); 2931 break; 2932 2933 case IKE_ID_CKY_PAIR: 2934 case IKE_ID_LABEL: 2935 do_getdel_doorcall(cmd, idlen, idtype, idp, name); 2936 break; 2937 2938 case 0: 2939 default: 2940 bail_msg(gettext("invalid %s identification\n"), name); 2941 } 2942 } 2943 2944 /* 2945 * Copy source into target, inserting an escape character ('\') before 2946 * any quotes that appear. Return true on success, false on failure. 2947 */ 2948 static boolean_t 2949 escapequotes(char *target, char *source, int tlen) 2950 { 2951 int s, t, len = strlen(source) + 1; 2952 2953 if (tlen < len) 2954 return (B_FALSE); 2955 2956 for (s = 0, t = 0; s < len && t < tlen; s++) { 2957 if (source[s] == '\"') 2958 target[t++] = '\\'; 2959 target[t++] = source[s]; 2960 } 2961 2962 if ((t == tlen) && (s < len)) 2963 return (B_FALSE); 2964 2965 return (B_TRUE); 2966 } 2967 2968 /* 2969 * Return true if the arg following the given keyword should 2970 * be in quotes (i.e. is a string), false if not. 2971 */ 2972 static boolean_t 2973 quotedfield(char *keywd) 2974 { 2975 if ((strncmp(keywd, "label", strlen("label") + 1) == 0) || 2976 (strncmp(keywd, "local_id", strlen("local_id") + 1) == 0) || 2977 (strncmp(keywd, "remote_id", strlen("remote_id") + 1) == 0)) 2978 return (B_TRUE); 2979 2980 return (B_FALSE); 2981 } 2982 2983 static void 2984 do_new(int cmd, int argc, char **argv) 2985 { 2986 ike_service_t *rtn; 2987 ike_new_t new, *newp = NULL; 2988 door_desc_t desc, *descp = NULL; 2989 int i, fd, ndesc = 0, buflen; 2990 char *name, tmpfilepath[32]; 2991 FILE *tmpfile; 2992 2993 switch (cmd) { 2994 case IKE_SVC_NEW_PS: 2995 name = gettext("preshared key"); 2996 break; 2997 case IKE_SVC_NEW_RULE: 2998 name = gettext("policy rule"); 2999 break; 3000 default: 3001 bail_msg(gettext("unrecognized new command (%d)"), cmd); 3002 } 3003 3004 if (argc == 1) { 3005 /* We've been given a file to read from */ 3006 fd = open(argv[0], O_RDONLY); 3007 if (fd < 0) 3008 Bail("open source file"); 3009 3010 desc.d_data.d_desc.d_descriptor = fd; 3011 desc.d_attributes = DOOR_DESCRIPTOR | DOOR_RELEASE; 3012 descp = &desc; 3013 ndesc = 1; 3014 3015 new.cmd = cmd; 3016 new.new_len = 0; 3017 newp = &new; 3018 buflen = sizeof (ike_new_t); 3019 3020 } else if ((argc > 1) && (cmd == IKE_SVC_NEW_PS)) { 3021 /* 3022 * This is an alternative to using the tmpfile method 3023 * for preshared keys. It means we're duplicating the 3024 * parsing effort that happens in readps.c; but it 3025 * does avoid having the key sitting in a file. 3026 */ 3027 ike_ps_t *psp; 3028 int pslen; 3029 3030 /* 3031 * must be in interactive mode; don't want keys in 3032 * the process args. 3033 */ 3034 if (!interactive) 3035 Bail("Must be in interactive mode to add key info."); 3036 if (parse_ps(argc, argv, &psp, &pslen) < 0) { 3037 errno = 0; 3038 Bail("invalid preshared key definition"); 3039 } 3040 newp = malloc(sizeof (ike_new_t) + pslen); 3041 if (newp == NULL) 3042 Bail("alloc pskey"); 3043 newp->cmd = cmd; 3044 newp->new_len = sizeof (ike_new_t) + pslen; 3045 (void) memcpy((char *)(newp + 1), psp, pslen); 3046 buflen = newp->new_len; 3047 /* parse_ps allocated the ike_ps_t buffer; free it now */ 3048 free(psp); 3049 3050 } else if ((argc > 1) && (cmd == IKE_SVC_NEW_RULE)) { 3051 /* 3052 * We've been given the item in argv. However, parsing 3053 * rules can get more than a little messy, and in.iked 3054 * already has a great parser for this stuff! So don't 3055 * fool around with trying to do the parsing here. Just 3056 * write it out to a tempfile, and send the fd to in.iked. 3057 * 3058 * We could conceivably do this for preshared keys, 3059 * rather than duplicating the parsing effort; but that 3060 * would mean the key would be written out to a file, 3061 * which isn't such a good idea. 3062 */ 3063 boolean_t doquotes = B_FALSE; 3064 int rtn; 3065 3066 if ((argv[0][0] != '{') || 3067 (argv[argc - 1][strlen(argv[argc - 1]) - 1] != '}')) 3068 bail_msg(gettext("improperly formatted %s"), name); 3069 3070 /* attempt to use a fairly unpredictable file name... */ 3071 (void) sprintf(tmpfilepath, "/var/run/%x", (int)gethrtime()); 3072 fd = open(tmpfilepath, O_RDWR | O_CREAT | O_EXCL, 3073 S_IRUSR | S_IWUSR); 3074 if (fd < 0) 3075 Bail("cannot open tmpfile"); 3076 3077 /* and make it inaccessible asap */ 3078 if (unlink(tmpfilepath) < 0) { 3079 (void) close(fd); 3080 Bail("tmpfile error"); 3081 } 3082 3083 tmpfile = fdopen(fd, "w"); 3084 if (tmpfile == NULL) { 3085 (void) close(fd); 3086 Bail("cannot write to tmpfile"); 3087 } 3088 3089 for (i = 0; i < argc; i++) { 3090 /* 3091 * We have to do some gyrations with our string here, 3092 * to properly handle quotes. There are two issues: 3093 * - some of the fields of a rule may have embedded 3094 * whitespace, and thus must be quoted on the cmd 3095 * line. The shell removes the quotes, and gives 3096 * us a single argv string; but we need to put the 3097 * quotes back in when we write the string out to 3098 * file. The doquotes boolean is set when we 3099 * process a keyword which will be followed by a 3100 * string value (so the NEXT argv element will be 3101 * quoted). 3102 * - there might be a quote character in a field, 3103 * that was escaped on the cmdline. The shell 3104 * removes the escape char, and leaves the quote 3105 * in the string it gives us. We need to put the 3106 * escape char back in before writing to file. 3107 */ 3108 char field[MAXLINESIZE]; 3109 if (!escapequotes(field, argv[i], MAXLINESIZE)) 3110 Bail("write to tmpfile failed (arg too big)"); 3111 if (doquotes) { 3112 rtn = fprintf(tmpfile, "\"%s\"\n", field); 3113 doquotes = B_FALSE; 3114 } else { 3115 rtn = fprintf(tmpfile, "%s\n", field); 3116 } 3117 if (rtn < 0) 3118 Bail("write to tmpfile failed"); 3119 /* 3120 * check if this is a keyword identifying 3121 * a field that needs to be quoted. 3122 */ 3123 doquotes = quotedfield(argv[i]); 3124 } 3125 if (fflush(tmpfile) == EOF) 3126 Bail("write to tmpfile failed"); 3127 /* rewind so that the daemon will get the beginning */ 3128 rewind(tmpfile); 3129 3130 desc.d_data.d_desc.d_descriptor = fd; 3131 desc.d_attributes = DOOR_DESCRIPTOR | DOOR_RELEASE; 3132 descp = &desc; 3133 ndesc = 1; 3134 3135 new.cmd = cmd; 3136 new.new_len = 0; 3137 newp = &new; 3138 buflen = sizeof (ike_new_t); 3139 3140 } else { 3141 /* not enough information! */ 3142 bail_msg(gettext("missing %s description or file name"), name); 3143 } 3144 3145 rtn = ikedoor_call((char *)newp, buflen, descp, ndesc); 3146 3147 if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) { 3148 ikeadm_err_msg(&rtn->svc_err, 3149 gettext("error creating new %s"), name); 3150 } else { 3151 message(gettext("Successfully created new %s."), name); 3152 } 3153 } 3154 3155 static void 3156 do_flush(int cmd) 3157 { 3158 ike_service_t *rtnp; 3159 ike_flush_t flush; 3160 3161 if (cmd != IKE_SVC_FLUSH_P1S && cmd != IKE_SVC_FLUSH_CERTCACHE) { 3162 bail_msg(gettext("unrecognized flush command (%d)."), cmd); 3163 } 3164 3165 flush.cmd = cmd; 3166 3167 rtnp = ikedoor_call((char *)&flush, sizeof (ike_flush_t), NULL, 0); 3168 if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) { 3169 ikeadm_err_exit(&rtnp->svc_err, gettext("error doing flush")); 3170 } 3171 if (cmd == IKE_SVC_FLUSH_P1S) 3172 message(gettext("Successfully flushed P1 SAs.")); 3173 else 3174 message(gettext("Successfully flushed cert cache.")); 3175 } 3176 3177 static void 3178 do_rw(int cmd, int argc, char **argv) 3179 { 3180 ike_service_t *rtnp; 3181 ike_rw_t rw; 3182 door_desc_t desc, *descp = NULL; 3183 int oflag, omode, fd, ndesc = 0; 3184 char *op, *obj = NULL; 3185 boolean_t writing = B_FALSE; 3186 3187 switch (cmd) { 3188 case IKE_SVC_READ_PS: 3189 obj = gettext("preshared key"); 3190 /* FALLTHRU */ 3191 case IKE_SVC_READ_RULES: 3192 if (obj == NULL) 3193 obj = gettext("policy rule"); 3194 op = gettext("read"); 3195 oflag = O_RDONLY; 3196 omode = 0; 3197 break; 3198 3199 case IKE_SVC_WRITE_PS: 3200 obj = gettext("preshared key"); 3201 /* FALLTHRU */ 3202 case IKE_SVC_WRITE_RULES: 3203 if (obj == NULL) 3204 obj = gettext("policy rule"); 3205 op = gettext("write"); 3206 oflag = O_RDWR | O_CREAT | O_EXCL; 3207 omode = S_IRUSR | S_IWUSR; 3208 3209 /* for write commands, dest location must be specified */ 3210 if (argc < 1) { 3211 bail_msg(gettext("destination location required " 3212 "to write %ss"), obj); 3213 } 3214 writing = B_TRUE; 3215 break; 3216 3217 default: 3218 bail_msg(gettext("unrecognized read/write command (%d)."), cmd); 3219 } 3220 3221 rw.cmd = cmd; 3222 3223 if (argc >= 1) { 3224 rw.rw_loc = IKE_RW_LOC_USER_SPEC; 3225 fd = open(argv[0], oflag, omode); 3226 if (fd < 0) 3227 Bail("open user-specified file"); 3228 3229 desc.d_data.d_desc.d_descriptor = fd; 3230 desc.d_attributes = DOOR_DESCRIPTOR | DOOR_RELEASE; 3231 descp = &desc; 3232 ndesc = 1; 3233 } else { 3234 rw.rw_loc = IKE_RW_LOC_DEFAULT; 3235 } 3236 3237 rtnp = ikedoor_call((char *)&rw, sizeof (ike_rw_t), descp, ndesc); 3238 if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) { 3239 /* 3240 * Need to remove the target file in the 3241 * case of a failed write command. 3242 */ 3243 if (writing) { 3244 /* 3245 * argv[0] must be valid if we're writing; we 3246 * exit before setting this boolean if not. 3247 */ 3248 (void) unlink(argv[0]); 3249 (void) close(fd); 3250 3251 if ((rtnp != NULL) && 3252 (rtnp->svc_err.ike_err == IKE_ERR_NO_OBJ)) { 3253 message(gettext("No %s information to write."), 3254 obj); 3255 return; 3256 } 3257 } 3258 ikeadm_err_exit(&rtnp->svc_err, gettext("error doing %s"), op); 3259 } 3260 message(gettext("Completed %s of %s configuration information."), 3261 op, obj); 3262 } 3263 3264 static void 3265 do_rbdump() 3266 { 3267 ike_cmd_t req; 3268 ike_service_t *rtnp; 3269 3270 req.cmd = IKE_SVC_DBG_RBDUMP; 3271 3272 rtnp = ikedoor_call((char *)&req, sizeof (ike_cmd_t), NULL, 0); 3273 if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) { 3274 ikeadm_err_exit(&rtnp->svc_err, gettext("error doing flush")); 3275 } 3276 message(gettext("Successfully dumped rulebase; check iked dbg")); 3277 } 3278 3279 #define REQ_ARG_CNT 1 3280 3281 /*ARGSUSED*/ 3282 static void 3283 parseit(int argc, char **argv, char *notused, boolean_t notused_either) 3284 { 3285 int cmd, cmd_obj_args = 1; 3286 char *cmdstr, *objstr; 3287 3288 if (interactive) { 3289 if (argc == 0) 3290 return; 3291 } 3292 3293 if (argc < REQ_ARG_CNT) { 3294 usage(); 3295 } 3296 3297 cmdstr = argv[0]; 3298 if (argc > REQ_ARG_CNT) { 3299 cmd_obj_args++; 3300 objstr = argv[1]; 3301 } else { 3302 objstr = NULL; 3303 } 3304 cmd = parsecmd(cmdstr, objstr); 3305 3306 /* skip over args specifying command/object */ 3307 argc -= cmd_obj_args; 3308 argv += cmd_obj_args; 3309 3310 switch (cmd) { 3311 case IKE_SVC_GET_DEFS: 3312 if (argc != 0) { 3313 print_get_help(); 3314 break; 3315 } 3316 do_getdefs(cmd); 3317 break; 3318 case IKE_SVC_GET_DBG: 3319 case IKE_SVC_GET_PRIV: 3320 if (argc != 0) { 3321 print_get_help(); 3322 break; 3323 } 3324 do_getvar(cmd); 3325 break; 3326 case IKE_SVC_GET_STATS: 3327 if (argc != 0) { 3328 print_get_help(); 3329 break; 3330 } 3331 do_getstats(cmd); 3332 break; 3333 case IKE_SVC_SET_DBG: 3334 case IKE_SVC_SET_PRIV: 3335 do_setvar(cmd, argc, argv); 3336 break; 3337 case IKE_SVC_SET_PIN: 3338 case IKE_SVC_DEL_PIN: 3339 do_setdel_pin(cmd, argc, argv); 3340 break; 3341 case IKE_SVC_DUMP_P1S: 3342 case IKE_SVC_DUMP_RULES: 3343 case IKE_SVC_DUMP_GROUPS: 3344 case IKE_SVC_DUMP_ENCRALGS: 3345 case IKE_SVC_DUMP_AUTHALGS: 3346 case IKE_SVC_DUMP_PS: 3347 case IKE_SVC_DUMP_CERTCACHE: 3348 if (argc != NULL) { 3349 print_dump_help(); 3350 break; 3351 } 3352 do_dump(cmd); 3353 break; 3354 case IKE_SVC_GET_P1: 3355 case IKE_SVC_GET_RULE: 3356 case IKE_SVC_GET_PS: 3357 case IKE_SVC_DEL_P1: 3358 case IKE_SVC_DEL_RULE: 3359 case IKE_SVC_DEL_PS: 3360 do_getdel(cmd, argc, argv); 3361 break; 3362 case IKE_SVC_NEW_RULE: 3363 case IKE_SVC_NEW_PS: 3364 do_new(cmd, argc, argv); 3365 break; 3366 case IKE_SVC_FLUSH_P1S: 3367 case IKE_SVC_FLUSH_CERTCACHE: 3368 if (argc != 0) { 3369 print_flush_help(); 3370 break; 3371 } 3372 do_flush(cmd); 3373 break; 3374 case IKE_SVC_READ_RULES: 3375 case IKE_SVC_READ_PS: 3376 case IKE_SVC_WRITE_RULES: 3377 case IKE_SVC_WRITE_PS: 3378 do_rw(cmd, argc, argv); 3379 break; 3380 case IKEADM_HELP_GENERAL: 3381 print_help(); 3382 break; 3383 case IKEADM_HELP_GET: 3384 print_get_help(); 3385 break; 3386 case IKEADM_HELP_SET: 3387 print_set_help(); 3388 break; 3389 case IKEADM_HELP_ADD: 3390 print_add_help(); 3391 break; 3392 case IKEADM_HELP_DEL: 3393 print_del_help(); 3394 break; 3395 case IKEADM_HELP_DUMP: 3396 print_dump_help(); 3397 break; 3398 case IKEADM_HELP_FLUSH: 3399 print_flush_help(); 3400 break; 3401 case IKEADM_HELP_READ: 3402 print_read_help(); 3403 break; 3404 case IKEADM_HELP_WRITE: 3405 print_write_help(); 3406 break; 3407 case IKEADM_HELP_TOKEN: 3408 print_token_help(); 3409 break; 3410 case IKEADM_HELP_HELP: 3411 print_help_help(); 3412 break; 3413 case IKEADM_EXIT: 3414 if (interactive) 3415 exit(0); 3416 break; 3417 case IKE_SVC_DBG_RBDUMP: 3418 do_rbdump(); 3419 break; 3420 case IKE_SVC_ERROR: 3421 usage(); 3422 default: 3423 exit(0); 3424 } 3425 } 3426 3427 int 3428 main(int argc, char **argv) 3429 { 3430 char ch; 3431 3432 (void) setlocale(LC_ALL, ""); 3433 #if !defined(TEXT_DOMAIN) 3434 #define TEXT_DOMAIN "SYS_TEST" 3435 #endif 3436 (void) textdomain(TEXT_DOMAIN); 3437 3438 while ((ch = getopt(argc, argv, "hpn")) != EOF) { 3439 switch (ch) { 3440 case 'h': 3441 print_help(); 3442 return (0); 3443 case 'p': 3444 pflag = B_TRUE; 3445 break; 3446 case 'n': 3447 nflag = B_TRUE; 3448 break; 3449 default: 3450 usage(); 3451 } 3452 } 3453 argc -= optind; 3454 argv += optind; 3455 3456 if (open_door() < 0) { 3457 (void) fprintf(stderr, 3458 gettext("Unable to communicate with in.iked\n")); 3459 Bail("open_door failed"); 3460 } 3461 3462 if (*argv == NULL) { 3463 /* no cmd-line args, do interactive mode */ 3464 do_interactive(stdin, NULL, "ikeadm> ", NULL, parseit, 3465 no_match); 3466 } 3467 3468 parseit(argc, argv, NULL, B_FALSE); 3469 3470 return (0); 3471 }