#include <ipsec_util.h>
#include <netdb.h>
#include <locale.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <assert.h>
#include <unistd.h>
#include <net/pfpolicy.h>
#include <strings.h>
#include <errno.h>
#include <sys/crypto/common.h>
#include <zone.h>
#define SPDSOCK_DIAG_BUF_LEN 128
typedef enum cmd_s {
CMD_NONE = 0,
CMD_ADD,
CMD_ADD_PROTO,
CMD_DEL,
CMD_DEL_PROTO,
CMD_EXEC_MODE,
CMD_LIST_KERNEL
} cmd_t;
static const char *comma = ",";
static int adddel_flags, increment = 0, default_keylen;
static boolean_t synch_kernel;
static cmd_t cmd = CMD_NONE;
static int proto_number = -1, alg_number = -1, alg_flags = 0;
static char *proto_name, *alg_names_string, *block_sizes_string;
static char *key_sizes_string, *mech_name, *exec_mode_string;
static char *flag_string;
static ipsecalgs_exec_mode_t proto_exec_mode = LIBIPSEC_ALGS_EXEC_SYNC;
enum param_values {iv_len, mac_len, salt_bytes, max_param};
static int mech_params[max_param];
#define SYNC_REQ_SIZE 4096
static uint64_t sync_req_buf[SYNC_REQ_SIZE];
static struct spd_attribute *sync_req_attr;
static uint_t sync_req_alg_count, sync_req_proto_count;
#define EMIT(ap, tag, value) { \
(ap)->spd_attr_tag = (tag); \
(ap)->spd_attr_value = (value); \
(ap)++; \
if ((char *)(ap) + sizeof (*ap) - \
(char *)sync_req_buf > SYNC_REQ_SIZE) \
bail_nomem(); \
}
static void dump_alg(struct ipsecalgent *);
static void algs_walker(void (*)(struct ipsecalgent *), void (*)(uint_t));
static int
parse_flag(char *flag_str, uint_t flag)
{
static struct flagtable {
char *label;
int token;
} table[] = {
{"VALID", ALG_FLAG_VALID},
{"COUNTER", ALG_FLAG_COUNTERMODE},
{"COMBINED", ALG_FLAG_COMBINED},
{"CCM", ALG_FLAG_CCM},
{"GCM", ALG_FLAG_GCM},
{NULL, 0}
};
struct flagtable *ft = table;
if (flag_str == NULL) {
if ((ALG_FLAG_KERNELCHECKED & flag) && !(ALG_FLAG_VALID & flag))
(void) printf("INVALID ");
while (ft->token != 0) {
if (ft->token & flag) {
(void) printf("%s ", ft->label);
}
ft++;
}
return (0);
}
while (ft->label != NULL && strcmp(ft->label, flag_str) != 0)
ft++;
return (ft->token);
}
static void
usage(void)
{
errx(EXIT_FAILURE, gettext("Usage:\tipsecalgs\n"
"\tipsecalgs -l\n"
"\tipsecalgs -s\n"
"\tipsecalgs -a [-P protocol-number | -p protocol-name]\n"
"\t\t-k keylen-list [-i inc]\n"
"\t\t[-K default-keylen] -b blocklen-list\n"
"\t\t-n alg-names -N alg-number -m mech-name\n"
"\t\t[-M MAC length] [-S salt length] [-I IV length]\n"
"\t\t[-F COMBINED,COUNTER,CCM|GCM ] [-f] [-s]\n"
"\tipsecalgs -P protocol-number -p protocol-name\n"
"\t\t[-e exec-mode] [-f] [-s]\n"
"\tipsecalgs -r -p protocol-name -n alg-name [-s]\n"
"\tipsecalgs -r -p protocol-name -N alg-number [-s]\n"
"\tipsecalgs -R -P protocol-number [-s]\n"
"\tipsecalgs -R -p protocol-name [-s]\n"
"\tipsecalgs -e exec-mode -P protocol-number [-s]\n"
"\tipsecalgs -e exec-mode -p protocol-number [-s]"));
}
static void
bail_nomem(void)
{
errx(EXIT_FAILURE, gettext("Out of memory."));
}
static uint_t
num_sizes(int *sizes)
{
uint_t nsizes = 0;
while (sizes[nsizes] != 0)
nsizes++;
return (nsizes);
}
static void
synch_emit_alg(struct ipsecalgent *alg)
{
uint_t nkey_sizes, nblock_sizes, i;
uint_t nparams;
EMIT(sync_req_attr, SPD_ATTR_ALG_ID, alg->a_alg_num);
EMIT(sync_req_attr, SPD_ATTR_ALG_PROTO, alg->a_proto_num);
EMIT(sync_req_attr, SPD_ATTR_ALG_INCRBITS, alg->a_key_increment);
nkey_sizes = num_sizes(alg->a_key_sizes);
EMIT(sync_req_attr, SPD_ATTR_ALG_NKEYSIZES, nkey_sizes);
for (i = 0; i < nkey_sizes; i++)
EMIT(sync_req_attr, SPD_ATTR_ALG_KEYSIZE, alg->a_key_sizes[i]);
nblock_sizes = num_sizes(alg->a_block_sizes);
nparams = num_sizes(alg->a_mech_params);
EMIT(sync_req_attr, SPD_ATTR_ALG_NBLOCKSIZES, nblock_sizes);
for (i = 0; i < nblock_sizes; i++) {
EMIT(sync_req_attr, SPD_ATTR_ALG_BLOCKSIZE,
alg->a_block_sizes[i]);
}
EMIT(sync_req_attr, SPD_ATTR_ALG_NPARAMS, nparams);
for (i = 0; i < nparams; i++) {
EMIT(sync_req_attr, SPD_ATTR_ALG_PARAMS,
alg->a_mech_params[i]);
}
EMIT(sync_req_attr, SPD_ATTR_ALG_FLAGS, alg->a_alg_flags);
EMIT(sync_req_attr, SPD_ATTR_ALG_MECHNAME, CRYPTO_MAX_MECH_NAME);
(void) strncpy((char *)sync_req_attr, alg->a_mech_name,
CRYPTO_MAX_MECH_NAME);
sync_req_attr = (struct spd_attribute *)((uint64_t *)sync_req_attr +
SPD_8TO64(CRYPTO_MAX_MECH_NAME));
EMIT(sync_req_attr, SPD_ATTR_NEXT, 0);
sync_req_alg_count++;
}
static void
synch_emit_proto(uint_t proto_num)
{
ipsecalgs_exec_mode_t exec_mode;
uint32_t exec_mode_spdval;
EMIT(sync_req_attr, SPD_ATTR_PROTO_ID, proto_num);
if (ipsecproto_get_exec_mode(proto_num, &exec_mode) != 0) {
errx(EXIT_FAILURE, gettext("cannot get execution mode for "
"proto %d"), proto_num);
}
switch (exec_mode) {
case LIBIPSEC_ALGS_EXEC_SYNC:
exec_mode_spdval = SPD_ALG_EXEC_MODE_SYNC;
break;
case LIBIPSEC_ALGS_EXEC_ASYNC:
exec_mode_spdval = SPD_ALG_EXEC_MODE_ASYNC;
break;
}
EMIT(sync_req_attr, SPD_ATTR_PROTO_EXEC_MODE, exec_mode_spdval);
EMIT(sync_req_attr, SPD_ATTR_NEXT, 0);
sync_req_proto_count++;
}
static void
kernel_synch(void)
{
int sfd = socket(PF_POLICY, SOCK_RAW, PF_POLICY_V1);
int cnt, req_len;
struct spd_msg *msg;
struct spd_ext_actions *act;
struct spd_attribute *attr;
if (sfd < 0) {
err(EXIT_FAILURE, gettext("Unable to open policy socket"));
}
msg = (struct spd_msg *)sync_req_buf;
(void) memset(msg, 0, sizeof (*msg));
msg->spd_msg_version = PF_POLICY_V1;
msg->spd_msg_type = SPD_UPDATEALGS;
act = (struct spd_ext_actions *)(msg + 1);
act->spd_actions_exttype = SPD_EXT_ACTION;
act->spd_actions_reserved = 0;
sync_req_alg_count = 0;
sync_req_proto_count = 0;
sync_req_attr = (struct spd_attribute *)(act + 1);
algs_walker(synch_emit_alg, synch_emit_proto);
act->spd_actions_count = sync_req_alg_count + sync_req_proto_count;
attr = sync_req_attr - 1;
attr->spd_attr_tag = SPD_ATTR_END;
req_len = (char *)sync_req_attr - (char *)sync_req_buf;
msg->spd_msg_len = SPD_8TO64(req_len);
act->spd_actions_len = SPD_8TO64(req_len - sizeof (*msg));
cnt = write(sfd, sync_req_buf, req_len);
if (cnt != req_len) {
if (cnt < 0) {
err(EXIT_FAILURE, gettext("algs update write failed"));
} else {
errx(EXIT_FAILURE, gettext("algs update short write"));
}
}
cnt = read(sfd, sync_req_buf, req_len);
if (cnt == -1) {
err(EXIT_FAILURE, gettext("algs update read failed"));
}
if (cnt < sizeof (struct spd_msg)) {
errx(EXIT_FAILURE, gettext(
"algs update failed while reading reply (short read)"));
}
msg = (struct spd_msg *)sync_req_buf;
if (msg->spd_msg_errno != 0) {
errno = msg->spd_msg_errno;
warn(gettext("algs update failed"));
if (msg->spd_msg_diagnostic != 0) {
warnx("%s", spdsock_diag(msg->spd_msg_diagnostic));
}
exit(EXIT_FAILURE);
}
(void) close(sfd);
}
static void
list_kernel_algs(void)
{
int sfd = socket(PF_POLICY, SOCK_RAW, PF_POLICY_V1);
int cnt, retval;
uint64_t reply_buf[2048];
spd_ext_t *exts[SPD_EXT_MAX+1];
struct spd_msg msg;
struct spd_ext_actions *actp;
struct spd_attribute *attr, *endattr;
uint64_t *start, *end;
struct ipsecalgent alg;
uint_t cur_key, cur_block;
uint_t nkey_sizes, nblock_sizes, nparams;
char diag_buf[SPDSOCK_DIAG_BUF_LEN];
if (sfd < 0) {
err(EXIT_FAILURE, gettext("Unable to open policy socket"));
}
(void) memset(&msg, 0, sizeof (msg));
msg.spd_msg_version = PF_POLICY_V1;
msg.spd_msg_type = SPD_DUMPALGS;
msg.spd_msg_len = SPD_8TO64(sizeof (msg));
cnt = write(sfd, &msg, sizeof (msg));
if (cnt != sizeof (msg)) {
if (cnt < 0) {
err(EXIT_FAILURE, gettext("dump algs write failed"));
} else {
errx(EXIT_FAILURE, gettext("dump algs short write"));
}
}
cnt = read(sfd, reply_buf, sizeof (reply_buf));
if (cnt == -1) {
err(EXIT_FAILURE, gettext("dump algs read failed"));
}
if (cnt < sizeof (struct spd_msg)) {
errx(EXIT_FAILURE, gettext(
"dump algs failed while reading reply (short read)"));
}
(void) close(sfd);
retval = spdsock_get_ext(exts, (spd_msg_t *)reply_buf, SPD_8TO64(cnt),
diag_buf, SPDSOCK_DIAG_BUF_LEN);
if (retval == KGE_LEN && exts[0]->spd_ext_len == 0) {
return;
} else if (retval != 0) {
if (strlen(diag_buf) != 0)
warnx("%s", diag_buf);
errx(EXIT_FAILURE, gettext("invalid extension "
"in dump algs reply (%d)"), retval);
}
if (exts[SPD_EXT_ACTION] == NULL) {
errx(EXIT_FAILURE,
gettext("action missing in dump algs reply"));
}
actp = (struct spd_ext_actions *)exts[SPD_EXT_ACTION];
start = (uint64_t *)actp;
end = (start + actp->spd_actions_len);
endattr = (struct spd_attribute *)end;
attr = (struct spd_attribute *)&actp[1];
bzero(&alg, sizeof (alg));
nkey_sizes = nblock_sizes = 0;
(void) printf("Kernel list of algorithms:\n\n");
while (attr < endattr) {
switch (attr->spd_attr_tag) {
case SPD_ATTR_NOP:
case SPD_ATTR_EMPTY:
break;
case SPD_ATTR_END:
attr = endattr;
case SPD_ATTR_NEXT:
alg.a_alg_flags |= ALG_FLAG_KERNELCHECKED;
dump_alg(&alg);
free(alg.a_key_sizes);
free(alg.a_block_sizes);
free(alg.a_mech_name);
free(alg.a_mech_params);
bzero(&alg, sizeof (alg));
nkey_sizes = nblock_sizes = 0;
break;
case SPD_ATTR_ALG_ID:
alg.a_alg_num = attr->spd_attr_value;
break;
case SPD_ATTR_ALG_PROTO:
alg.a_proto_num = attr->spd_attr_value;
break;
case SPD_ATTR_ALG_INCRBITS:
alg.a_key_increment = attr->spd_attr_value;
break;
case SPD_ATTR_ALG_NKEYSIZES:
nkey_sizes = attr->spd_attr_value;
if (alg.a_key_sizes != NULL) {
errx(EXIT_FAILURE, gettext("duplicate number "
"of keys in dump algs reply"));
}
alg.a_key_sizes = calloc(nkey_sizes + 1, sizeof (int));
if (alg.a_key_sizes == NULL)
bail_nomem();
cur_key = 0;
break;
case SPD_ATTR_ALG_KEYSIZE:
if (cur_key >= nkey_sizes) {
errx(EXIT_FAILURE, gettext("too many key sizes"
" in dump algs reply"));
}
alg.a_key_sizes[cur_key++] = attr->spd_attr_value;
break;
case SPD_ATTR_ALG_NBLOCKSIZES:
nblock_sizes = attr->spd_attr_value;
if (alg.a_block_sizes != NULL) {
errx(EXIT_FAILURE, gettext("duplicate number "
"of blocks in dump algs reply"));
}
alg.a_block_sizes = calloc(nblock_sizes + 1,
sizeof (int));
if (alg.a_block_sizes == NULL)
bail_nomem();
cur_block = 0;
break;
case SPD_ATTR_ALG_BLOCKSIZE:
if (cur_block >= nblock_sizes) {
errx(EXIT_FAILURE, gettext("too many block "
"sizes in dump algs reply"));
}
alg.a_block_sizes[cur_block++] = attr->spd_attr_value;
break;
case SPD_ATTR_ALG_NPARAMS:
nparams = attr->spd_attr_value;
if (alg.a_mech_params != NULL) {
errx(EXIT_FAILURE, gettext("duplicate number "
"of params in dump algs reply"));
}
alg.a_mech_params = calloc(nparams + 1,
sizeof (int));
if (alg.a_mech_params == NULL)
bail_nomem();
cur_block = 0;
break;
case SPD_ATTR_ALG_PARAMS:
if (cur_block >= nparams) {
errx(EXIT_FAILURE, gettext("too many params "
"in dump algs reply"));
}
alg.a_mech_params[cur_block++] = attr->spd_attr_value;
break;
case SPD_ATTR_ALG_FLAGS:
alg.a_alg_flags = attr->spd_attr_value;
break;
case SPD_ATTR_ALG_MECHNAME: {
char *mech_name;
if (alg.a_mech_name != NULL) {
errx(EXIT_FAILURE, gettext(
"duplicate mech name in dump algs reply"));
}
alg.a_mech_name = malloc(attr->spd_attr_value);
if (alg.a_mech_name == NULL)
bail_nomem();
mech_name = (char *)(attr + 1);
bcopy(mech_name, alg.a_mech_name, attr->spd_attr_value);
attr = (struct spd_attribute *)((uint64_t *)attr +
SPD_8TO64(attr->spd_attr_value));
break;
}
}
attr++;
}
}
static int *
parse_intlist(char *args, int *num_args)
{
int *rc = NULL;
char *holder = NULL;
while ((holder = strtok((holder == NULL) ? args : NULL, comma)) !=
NULL) {
(*num_args)++;
rc = realloc(rc, ((*num_args) + 1) * sizeof (int));
if (rc == NULL)
bail_nomem();
rc[(*num_args) - 1] = atoi(holder);
if (rc[(*num_args) - 1] == 0)
usage();
rc[*num_args] = 0;
}
return (rc);
}
static void
new_alg(void)
{
struct ipsecalgent newbie;
int num_names = 0, num_block_sizes = 0, num_key_sizes = 0;
int i, rc;
char *holder = NULL;
if (proto_number == -1) {
if (proto_name == NULL) {
warnx(gettext("Missing protocol number."));
usage();
}
proto_number = getipsecprotobyname(proto_name);
if (proto_number == -1) {
warnx(gettext("Unknown protocol."));
usage();
}
}
if (alg_number == -1) {
warnx(gettext("Missing algorithm number."));
usage();
}
if (key_sizes_string == NULL) {
warnx(gettext("Missing key size(s)."));
usage();
}
if (alg_names_string == NULL) {
warnx(gettext("Missing algorithm name(s)."));
usage();
}
if (block_sizes_string == NULL) {
warnx(gettext("Missing block/MAC lengths"));
usage();
}
if (mech_name == NULL) {
warnx(gettext("Missing mechanism name."));
usage();
}
newbie.a_proto_num = proto_number;
newbie.a_alg_num = alg_number;
newbie.a_key_increment = increment;
newbie.a_mech_name = mech_name;
newbie.a_alg_flags = alg_flags;
newbie.a_alg_flags |= ALG_FLAG_VALID;
while ((holder = strtok((holder == NULL) ? flag_string : NULL,
comma)) != NULL) {
alg_flags = parse_flag(holder, 0);
if (!alg_flags) {
warnx(gettext("Invalid flag: %s\n"), holder);
usage();
}
newbie.a_alg_flags |= alg_flags;
}
newbie.a_names = NULL;
while ((holder = strtok((holder == NULL) ? alg_names_string : NULL,
comma)) != NULL) {
newbie.a_names = realloc(newbie.a_names,
sizeof (char *) * ((++num_names) + 1));
if (newbie.a_names == NULL)
bail_nomem();
newbie.a_names[num_names - 1] = holder;
newbie.a_names[num_names] = NULL;
}
newbie.a_block_sizes = parse_intlist(block_sizes_string,
&num_block_sizes);
newbie.a_mech_params = &mech_params[0];
if ((holder = strchr(key_sizes_string, '-')) != NULL) {
if (newbie.a_key_increment == 0) {
warnx(gettext("Missing key increment"));
usage();
}
newbie.a_key_sizes = calloc(sizeof (int),
LIBIPSEC_ALGS_KEY_NUM_VAL);
if (newbie.a_key_sizes == NULL)
bail_nomem();
*holder = '\0';
holder++;
newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_MIN_IDX] =
atoi(key_sizes_string);
if (newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_MIN_IDX] == 0) {
warnx(gettext("Invalid lower key size range"));
usage();
}
newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_MAX_IDX] = atoi(holder);
if (newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_MAX_IDX] == 0) {
warnx(gettext("Invalid higher key size range"));
usage();
}
if (newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_MIN_IDX] >=
newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_MAX_IDX]) {
warnx(gettext("Invalid key size range (min >= max)"));
usage();
}
if (((newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_MAX_IDX] -
newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_MIN_IDX]) %
newbie.a_key_increment) != 0) {
warnx(gettext("Key size increment"
" not consistent with key size range"));
usage();
}
if (default_keylen != 0) {
if (default_keylen <
newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_MIN_IDX] ||
default_keylen >
newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_MAX_IDX] ||
((default_keylen -
newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_MIN_IDX]) %
newbie.a_key_increment) != 0) {
warnx(gettext("Default key size not consistent"
" with key size range"));
usage();
}
newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_DEF_IDX] =
default_keylen;
} else {
newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_DEF_IDX] =
newbie.a_key_sizes[LIBIPSEC_ALGS_KEY_MIN_IDX];
}
} else {
if (newbie.a_key_increment != 0) {
warnx(gettext("Key increment must "
"not be specified with key sizes enumeration"));
usage();
}
newbie.a_key_sizes = parse_intlist(key_sizes_string,
&num_key_sizes);
if (default_keylen != 0 && default_keylen !=
newbie.a_key_sizes[0]) {
for (i = 1; i < num_key_sizes; i++) {
if (newbie.a_key_sizes[i] == default_keylen)
break;
if (i >= num_key_sizes) {
warnx(gettext("Default key size not "
"in list of key sizes"));
usage();
}
newbie.a_key_sizes[i] = newbie.a_key_sizes[0];
newbie.a_key_sizes[0] = default_keylen;
}
}
}
if ((rc = addipsecalg(&newbie, adddel_flags)) != 0) {
errx(EXIT_FAILURE, gettext("addipsecalg() call failed: "
"%s"), ipsecalgs_diag(rc));
}
free(newbie.a_names);
free(newbie.a_block_sizes);
free(newbie.a_key_sizes);
}
static void
new_proto(void)
{
int rc;
if ((rc = addipsecproto(proto_name, proto_number, proto_exec_mode,
adddel_flags))
!= 0) {
errx(EXIT_FAILURE, gettext(
"Cannot add protocol %1$d \"%2$s\": %3$s"), proto_number,
proto_name, ipsecalgs_diag(rc));
}
}
static void
remove_alg(void)
{
int rc;
if (proto_number == -1) {
if (proto_name == NULL) {
warnx(gettext("Missing protocol number."));
usage();
}
proto_number = getipsecprotobyname(proto_name);
if (proto_number == -1) {
errx(EXIT_FAILURE, gettext(
"Unknown protocol \"%s\"."), proto_name);
}
}
if (alg_number == -1) {
if (alg_names_string == NULL) {
errx(EXIT_FAILURE, gettext("Missing algorithm ID."));
}
if (strchr(alg_names_string, ',') != NULL) {
errx(EXIT_FAILURE, gettext(
"Specify a single algorithm name for removal, "
"not a list."));
}
if ((rc = delipsecalgbyname(alg_names_string, proto_number))
!= 0) {
errx(EXIT_FAILURE, gettext(
"Could not remove algorithm %1$s: %2$s"),
alg_names_string, ipsecalgs_diag(rc));
}
} else {
if ((rc = delipsecalgbynum(alg_number, proto_number)) != 0) {
errx(EXIT_FAILURE, gettext(
"Could not remove algorithm %1$d: %2$s"),
alg_number, ipsecalgs_diag(rc));
}
}
}
static void
remove_proto(void)
{
int rc;
if (proto_number == -1) {
if (proto_name == NULL) {
warnx(gettext("Please specify protocol to remove."));
usage();
}
if ((rc = delipsecprotobyname(proto_name)) != 0) {
errx(EXIT_FAILURE, gettext(
"Could not remove protocol %1$s: %2$s"),
proto_name, ipsecalgs_diag(rc));
}
} else {
if ((rc = delipsecprotobynum(proto_number)) != 0) {
errx(EXIT_FAILURE, gettext(
"Could not remove protocol %1$d: %2$s"),
proto_number, ipsecalgs_diag(rc));
}
}
}
static void
set_exec_mode(void)
{
int rc;
if (proto_number == -1) {
if (proto_name == NULL) {
warnx(gettext(
"Please specify protocol name or number."));
usage();
}
proto_number = getipsecprotobyname(proto_name);
if (proto_number == -1) {
errx(EXIT_FAILURE, gettext("Unknown protocol %s"),
proto_name);
}
}
if ((rc = ipsecproto_set_exec_mode(proto_number, proto_exec_mode))
!= 0) {
errx(EXIT_FAILURE, gettext("Cannot set execution mode: %s"),
ipsecalgs_diag(rc));
}
}
static void
dump_alg(struct ipsecalgent *alg)
{
int *ifloater;
char **floater;
(void) printf(gettext("\tProtocol number: %d\n"), alg->a_proto_num);
(void) printf(gettext("\tAlgorithm number: %d\n"), alg->a_alg_num);
if (alg->a_names != NULL) {
(void) printf(gettext("\tAlgorithm names: "));
floater = alg->a_names;
assert(floater != NULL && *floater != NULL);
do {
(void) printf("%s", *floater);
if (*(++floater) != NULL)
(void) putchar(',');
} while (*floater != NULL);
(void) putchar('\n');
}
(void) printf(gettext("\tMechanism Name: %s\n"), alg->a_mech_name);
(void) printf(gettext("\tBlock sizes or MAC sizes: "));
ifloater = alg->a_block_sizes;
(void) list_ints(stdout, ifloater);
(void) putchar('\n');
(void) printf(gettext("\tKey sizes: "));
if (alg->a_key_increment != 0)
(void) printf(gettext(
"%1$d-%2$d, increment %3$d, default %4$d"),
alg->a_key_sizes[LIBIPSEC_ALGS_KEY_MIN_IDX],
alg->a_key_sizes[LIBIPSEC_ALGS_KEY_MAX_IDX],
alg->a_key_increment,
alg->a_key_sizes[LIBIPSEC_ALGS_KEY_DEF_IDX]);
else
(void) list_ints(stdout, alg->a_key_sizes);
(void) putchar('\n');
(void) printf(gettext("\tAlgorithm parameters: "));
ifloater = alg->a_mech_params;
(void) list_ints(stdout, ifloater);
(void) putchar('\n');
(void) printf(gettext("\tAlgorithm flags: "));
(void) parse_flag(NULL, alg->a_alg_flags);
(void) putchar('\n');
(void) putchar('\n');
}
static void
dump_proto(uint_t proto_id)
{
char *proto_name;
ipsecalgs_exec_mode_t exec_mode;
proto_name = getipsecprotobynum(proto_id);
(void) printf(gettext("Protocol %1$d/%2$s "),
proto_id, proto_name != NULL ? proto_name : gettext("<unknown>"));
(void) printf("(%s", gettext("execution mode: "));
if (ipsecproto_get_exec_mode(proto_id, &exec_mode) != 0) {
(void) printf(gettext("<unknown>"));
} else {
switch (exec_mode) {
case LIBIPSEC_ALGS_EXEC_SYNC:
(void) printf("sync");
break;
case LIBIPSEC_ALGS_EXEC_ASYNC:
(void) printf("async");
break;
}
}
(void) printf(")\n\n");
free(proto_name);
}
static void
algs_walker(void (*alg_action)(struct ipsecalgent *),
void (*proto_action)(uint_t))
{
int *proto_nums, proto_count, i;
int *alg_nums, alg_count, j;
struct ipsecalgent *alg;
proto_nums = getipsecprotos(&proto_count);
if (proto_nums == NULL) {
errx(EXIT_FAILURE, gettext("getipsecprotos() failed."));
}
for (i = 0; i < proto_count; i++) {
if (proto_action != NULL)
proto_action(proto_nums[i]);
alg_nums = getipsecalgs(&alg_count, proto_nums[i]);
if (alg_nums == NULL) {
free(proto_nums);
errx(EXIT_FAILURE, gettext("getipsecalgs() failed."));
}
for (j = 0; j < alg_count; j++) {
alg = getipsecalgbynum(alg_nums[j], proto_nums[i],
NULL);
if (alg == NULL)
continue;
if (alg_action != NULL)
alg_action(alg);
freeipsecalgent(alg);
}
free(alg_nums);
}
free(proto_nums);
}
static void
show_algs(void)
{
(void) puts(gettext(
"List of algorithms, grouped by IPsec protocol:\n"));
algs_walker(dump_alg, dump_proto);
}
static int
try_int(char *optarg, const char *what)
{
int rc = atoi(optarg);
if (rc <= 0) {
warnx(gettext("Invalid %s value"), what);
usage();
}
return (rc);
}
static void
try_cmd(cmd_t newcmd)
{
if (cmd != CMD_NONE)
usage();
cmd = newcmd;
}
int
main(int argc, char *argv[])
{
int c;
zoneid_t zoneid;
ushort_t flags;
(void) setlocale(LC_ALL, "");
#if !defined(TEXT_DOMAIN)
#define TEXT_DOMAIN "SYS_TEST"
#endif
(void) textdomain(TEXT_DOMAIN);
if (argc == 1) {
show_algs();
return (EXIT_SUCCESS);
}
while ((c = getopt(argc, argv,
"aflrRsb:p:P:i:k:K:m:n:N:e:S:M:I:F:")) != EOF) {
switch (c) {
case 'a':
try_cmd(CMD_ADD);
break;
case 'f':
adddel_flags = LIBIPSEC_ALGS_ADD_FORCE;
break;
case 'l':
try_cmd(CMD_LIST_KERNEL);
break;
case 'r':
try_cmd(CMD_DEL);
break;
case 'R':
try_cmd(CMD_DEL_PROTO);
break;
case 's':
synch_kernel = B_TRUE;
break;
case 'n':
if (alg_names_string != NULL)
usage();
alg_names_string = optarg;
break;
case 'b':
if (block_sizes_string != NULL)
usage();
block_sizes_string = optarg;
break;
case 'p':
if (proto_name != NULL)
usage();
proto_name = optarg;
break;
case 'P':
if (proto_number != -1)
usage();
proto_number = try_int(optarg,
gettext("protocol number"));
break;
case 'e':
if (exec_mode_string != NULL)
usage();
exec_mode_string = optarg;
if (_str_to_ipsec_exec_mode(exec_mode_string,
&proto_exec_mode) == -1) {
warnx(gettext("Invalid execution mode \"%s\""),
exec_mode_string);
usage();
}
break;
case 'i':
if (increment != 0)
usage();
increment = try_int(optarg,
gettext("key size increment"));
break;
case 'k':
if (key_sizes_string != NULL)
usage();
key_sizes_string = optarg;
break;
case 'K':
if (default_keylen != 0)
usage();
default_keylen = try_int(optarg,
gettext("default key size"));
break;
case 'm':
if (mech_name != NULL)
usage();
mech_name = optarg;
break;
case 'N':
if (alg_number != -1)
usage();
alg_number = try_int(optarg,
gettext("algorithm number"));
break;
case 'I':
if (mech_params[iv_len] != 0)
usage();
mech_params[iv_len] = try_int(optarg,
gettext("Initialization Vector length"));
break;
case 'M':
if (mech_params[mac_len] != 0)
usage();
mech_params[mac_len] = try_int(optarg,
gettext("Integrity Check Vector length"));
break;
case 'S':
if (mech_params[salt_bytes] != 0)
usage();
mech_params[salt_bytes] = try_int(optarg,
gettext("Salt length"));
break;
case 'F':
flags = atoi(optarg);
if (flags) {
alg_flags |= flags;
flag_string = NULL;
} else {
flag_string = optarg;
}
break;
default:
usage();
}
}
if (proto_number != -1 && proto_name != NULL)
try_cmd(CMD_ADD_PROTO);
else if (exec_mode_string != NULL)
try_cmd(CMD_EXEC_MODE);
switch (cmd) {
case CMD_ADD:
new_alg();
break;
case CMD_ADD_PROTO:
new_proto();
break;
case CMD_DEL:
remove_alg();
break;
case CMD_DEL_PROTO:
remove_proto();
break;
case CMD_EXEC_MODE:
set_exec_mode();
break;
case CMD_LIST_KERNEL:
if (synch_kernel)
usage();
list_kernel_algs();
break;
default:
if (!synch_kernel)
usage();
}
if (synch_kernel) {
if ((zoneid = getzoneid()) == 0) {
kernel_synch();
} else {
if (zone_getattr(zoneid, ZONE_ATTR_FLAGS, &flags,
sizeof (flags)) < 0) {
err(EXIT_FAILURE, gettext(
"Unable to determine zone IP type"));
}
if (flags & ZF_NET_EXCL) {
kernel_synch();
} else {
(void) printf(gettext("Synchronization with "
"kernel not appropriate in this zone.\n"));
}
}
}
return (EXIT_SUCCESS);
}
