/* $OpenBSD: pfkdump.c,v 1.55 2021/10/22 12:30:54 bluhm Exp $ */

/*
 * Copyright (c) 2003 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/socket.h>
#include <sys/time.h>
#include <sys/sysctl.h>
#include <sys/queue.h>

#include <net/pfkeyv2.h>
#include <netinet/ip_ipsp.h>
#include <netdb.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <err.h>
#include <errno.h>

#include "ipsecctl.h"
#include "pfkey.h"

/*
 * Decoders for PF_KEYv2 (sadb_*) messages.  Every extension type has a
 * print_* routine registered in ext_types[] below; pfkey_print_sa() turns
 * an SA message back into an ipsec_rule for ipsecctl_print_rule(), and
 * pfkey_monitor_sa() dumps any message extension by extension.
 */

/* per-extension printers, all with the (ext, msg, opts) signature */
static void	print_sa(struct sadb_ext *, struct sadb_msg *, int);
static void	print_addr(struct sadb_ext *, struct sadb_msg *, int);
static void	print_key(struct sadb_ext *, struct sadb_msg *, int);
static void	print_life(struct sadb_ext *, struct sadb_msg *, int);
static void	print_ident(struct sadb_ext *, struct sadb_msg *, int);
static void	print_sens(struct sadb_ext *, struct sadb_msg *, int);
static void	print_prop(struct sadb_ext *, struct sadb_msg *, int);
static void	print_supp(struct sadb_ext *, struct sadb_msg *, int);
static void	print_spir(struct sadb_ext *, struct sadb_msg *, int);
static void	print_proto(struct sadb_ext *, struct sadb_msg *, int);
static void	print_flow(struct sadb_ext *, struct sadb_msg *, int);
static void	print_policy(struct sadb_ext *, struct sadb_msg *, int);
static void	print_udpenc(struct sadb_ext *, struct sadb_msg *, int);
static void	print_tag(struct sadb_ext *, struct sadb_msg *, int);
static void	print_rdomain(struct sadb_ext *, struct sadb_msg *, int);
static void	print_replay(struct sadb_ext *, struct sadb_msg *, int);
static void	print_mtu(struct sadb_ext *, struct sadb_msg *, int);
static void	print_tap(struct sadb_ext *, struct sadb_msg *, int);
static void	print_satype(struct sadb_ext *, struct sadb_msg *, int);
static void	print_counter(struct sadb_ext *, struct sadb_msg *, int);

/* table helpers and the generic extension dispatcher */
static struct idname	*lookup(struct idname *, u_int32_t);
static char		*lookup_name(struct idname *, u_int32_t);
static void		 print_ext(struct sadb_ext *, struct sadb_msg *, int);
static char		*print_flags(uint32_t);

void	pfkey_print_raw(u_int8_t *, ssize_t);

/*
 * Extensions of the message currently being decoded, indexed by
 * sadb_ext_type.  Filled in by setup_extensions(); NULL where absent.
 */
struct sadb_ext *extensions[SADB_EXT_MAX + 1];

/* One row of a lookup table: numeric id, printable name, optional printer. */
struct idname {
	u_int32_t	 id;
	char		*name;	/* NULL terminates a table */
	void		(*func)(struct sadb_ext *, struct sadb_msg *, int);
};

/* extension type -> name and printer */
struct idname ext_types[] = {
	{ .id = SADB_EXT_RESERVED,		.name = "reserved" },
	{ .id = SADB_EXT_SA,			.name = "sa",
	    .func = print_sa },
	{ .id = SADB_EXT_LIFETIME_CURRENT,	.name = "lifetime_cur",
	    .func = print_life },
	{ .id = SADB_EXT_LIFETIME_HARD,		.name = "lifetime_hard",
	    .func = print_life },
	{ .id = SADB_EXT_LIFETIME_SOFT,		.name = "lifetime_soft",
	    .func = print_life },
	{ .id = SADB_EXT_ADDRESS_SRC,		.name = "address_src",
	    .func = print_addr },
	{ .id = SADB_EXT_ADDRESS_DST,		.name = "address_dst",
	    .func = print_addr },
	{ .id = SADB_EXT_ADDRESS_PROXY,		.name = "address_proxy",
	    .func = print_addr },
	{ .id = SADB_EXT_KEY_AUTH,		.name = "key_auth",
	    .func = print_key },
	{ .id = SADB_EXT_KEY_ENCRYPT,		.name = "key_encrypt",
	    .func = print_key },
	{ .id = SADB_EXT_IDENTITY_SRC,		.name = "identity_src",
	    .func = print_ident },
	{ .id = SADB_EXT_IDENTITY_DST,		.name = "identity_dst",
	    .func = print_ident },
	{ .id = SADB_EXT_SENSITIVITY,		.name = "sensitivity",
	    .func = print_sens },
	{ .id = SADB_EXT_PROPOSAL,		.name = "proposal",
	    .func = print_prop },
	{ .id = SADB_EXT_SUPPORTED_AUTH,	.name = "supported_auth",
	    .func = print_supp },
	{ .id = SADB_EXT_SUPPORTED_ENCRYPT,	.name = "supported_encrypt",
	    .func = print_supp },
	{ .id = SADB_EXT_SPIRANGE,		.name = "spirange",
	    .func = print_spir },
	{ .id = SADB_X_EXT_SRC_MASK,		.name = "src_mask",
	    .func = print_addr },
	{ .id = SADB_X_EXT_DST_MASK,		.name = "dst_mask",
	    .func = print_addr },
	{ .id = SADB_X_EXT_PROTOCOL,		.name = "protocol",
	    .func = print_proto },
	{ .id = SADB_X_EXT_FLOW_TYPE,		.name = "flow_type",
	    .func = print_flow },
	{ .id = SADB_X_EXT_SRC_FLOW,		.name = "src_flow",
	    .func = print_addr },
	{ .id = SADB_X_EXT_DST_FLOW,		.name = "dst_flow",
	    .func = print_addr },
	{ .id = SADB_X_EXT_SA2,			.name = "sa2",
	    .func = print_sa },
	{ .id = SADB_X_EXT_DST2,		.name = "dst2",
	    .func = print_addr },
	{ .id = SADB_X_EXT_POLICY,		.name = "policy",
	    .func = print_policy },
	{ .id = SADB_X_EXT_SUPPORTED_COMP,	.name = "supported_comp",
	    .func = print_supp },
	{ .id = SADB_X_EXT_UDPENCAP,		.name = "udpencap",
	    .func = print_udpenc },
	{ .id = SADB_X_EXT_LIFETIME_LASTUSE,	.name = "lifetime_lastuse",
	    .func = print_life },
	{ .id = SADB_X_EXT_TAG,			.name = "tag",
	    .func = print_tag },
	{ .id = SADB_X_EXT_RDOMAIN,		.name = "rdomain",
	    .func = print_rdomain },
	{ .id = SADB_X_EXT_REPLAY,		.name = "replay",
	    .func = print_replay },
	{ .id = SADB_X_EXT_MTU,			.name = "mtu",
	    .func = print_mtu },
	{ .id = SADB_X_EXT_TAP,			.name = "tap",
	    .func = print_tap },
	{ .id = SADB_X_EXT_SATYPE2,		.name = "satype2",
	    .func = print_satype },
	{ .id = SADB_X_EXT_COUNTER,		.name = "counter",
	    .func = print_counter },
	{ 0, NULL, NULL }
};

/* message type -> name */
struct idname msg_types[] = {
	{ .id = SADB_ACQUIRE,		.name = "sadb_acquire" },
	{ .id = SADB_ADD,		.name = "sadb_add" },
	{ .id = SADB_DELETE,		.name = "sadb_delete" },
	{ .id = SADB_DUMP,		.name = "sadb_dump" },
	{ .id = SADB_EXPIRE,		.name = "sadb_expire" },
	{ .id = SADB_FLUSH,		.name = "sadb_flush" },
	{ .id = SADB_GET,		.name = "sadb_get" },
	{ .id = SADB_GETSPI,		.name = "sadb_getspi" },
	{ .id = SADB_REGISTER,		.name = "sadb_register" },
	{ .id = SADB_UPDATE,		.name = "sadb_update" },
	{ .id = SADB_X_ADDFLOW,		.name = "sadb_addflow" },
	{ .id = SADB_X_ASKPOLICY,	.name = "sadb_askpolicy" },
	{ .id = SADB_X_DELFLOW,		.name = "sadb_delflow" },
	{ .id = SADB_X_GRPSPIS,		.name = "sadb_grpspis" },
	{ .id = SADB_X_PROMISC,		.name = "sadb_promisc" },
	{ 0, NULL, NULL },
};

/* SA type -> name */
struct idname sa_types[] = {
	{ .id = SADB_SATYPE_UNSPEC,		.name = "unspec" },
	{ .id = SADB_SATYPE_AH,			.name = "ah" },
	{ .id = SADB_SATYPE_ESP,		.name = "esp" },
	{ .id = SADB_SATYPE_RSVP,		.name = "rsvp" },
	{ .id = SADB_SATYPE_OSPFV2,		.name = "ospfv2" },
	{ .id = SADB_SATYPE_RIPV2,		.name = "ripv2" },
	{ .id = SADB_SATYPE_MIP,		.name = "mip" },
	{ .id = SADB_X_SATYPE_IPIP,		.name = "ipip" },
	{ .id = SADB_X_SATYPE_TCPSIGNATURE,	.name = "tcpmd5" },
	{ .id = SADB_X_SATYPE_IPCOMP,		.name = "ipcomp" },
	{ 0, NULL, NULL }
};

/* authentication algorithm -> name */
struct idname auth_types[] = {
	{ .id = SADB_AALG_NONE,			.name = "none" },
	{ .id = SADB_AALG_MD5HMAC,		.name = "hmac-md5" },
	{ .id = SADB_X_AALG_RIPEMD160HMAC,	.name = "hmac-ripemd160" },
	{ .id = SADB_AALG_SHA1HMAC,		.name = "hmac-sha1" },
	{ .id = SADB_X_AALG_SHA2_256,		.name = "hmac-sha2-256" },
	{ .id = SADB_X_AALG_SHA2_384,		.name = "hmac-sha2-384" },
	{ .id = SADB_X_AALG_SHA2_512,		.name = "hmac-sha2-512" },
	{ .id = SADB_X_AALG_AES128GMAC,		.name = "gmac-aes-128" },
	{ .id = SADB_X_AALG_AES192GMAC,		.name = "gmac-aes-192" },
	{ .id = SADB_X_AALG_AES256GMAC,		.name = "gmac-aes-256" },
	{ .id = SADB_X_AALG_CHACHA20POLY1305,	.name = "chacha20-poly1305" },
	{ 0, NULL, NULL }
};

/* encryption algorithm -> name */
struct idname enc_types[] = {
	{ .id = SADB_EALG_NONE,			.name = "none" },
	{ .id = SADB_EALG_3DESCBC,		.name = "3des-cbc" },
	{ .id = SADB_X_EALG_AES,		.name = "aes" },
	{ .id = SADB_X_EALG_AESCTR,		.name = "aesctr" },
	{ .id = SADB_X_EALG_AESGCM16,		.name = "aes-gcm" },
	{ .id = SADB_X_EALG_AESGMAC,		.name = "aes-gmac" },
	{ .id = SADB_X_EALG_BLF,		.name = "blowfish" },
	{ .id = SADB_X_EALG_CAST,		.name = "cast128" },
	{ .id = SADB_EALG_NULL,			.name = "null" },
	{ .id = SADB_X_EALG_CHACHA20POLY1305,	.name = "chacha20-poly1305" },
	{ 0, NULL, NULL }
};

/* compression algorithm -> name */
struct idname comp_types[] = {
	{ .id = SADB_X_CALG_NONE,	.name = "none" },
	{ .id = SADB_X_CALG_OUI,	.name = "oui" },
	{ .id = SADB_X_CALG_DEFLATE,	.name = "deflate" },
	{ 0, NULL, NULL }
};

/* SA flag bit -> name (looked up one bit at a time by print_flags()) */
struct idname flag_types[] = {
	{ .id = SADB_SAFLAGS_PFS,		.name = "pfs" },
	{ .id = SADB_X_SAFLAGS_TUNNEL,		.name = "tunnel" },
	{ .id = SADB_X_SAFLAGS_CHAINDEL,	.name = "chaindel" },
	{ .id = SADB_X_SAFLAGS_UDPENCAP,	.name = "udpencap" },
	{ .id = SADB_X_SAFLAGS_ESN,		.name = "esn" },
	{ 0, NULL, NULL }
};

/* identity type -> name */
struct idname identity_types[] = {
	{ .id = SADB_IDENTTYPE_RESERVED,	.name = "reserved" },
	{ .id = SADB_IDENTTYPE_PREFIX,		.name = "prefix" },
	{ .id = SADB_IDENTTYPE_FQDN,		.name = "fqdn" },
	{ .id = SADB_IDENTTYPE_USERFQDN,	.name = "ufqdn" },
	{ .id = SADB_IDENTTYPE_ASN1_DN,		.name = "asn1_dn" },
	{ 0, NULL, NULL }
};

/* flow type -> name */
struct idname flow_types[] = {
	{ .id = SADB_X_FLOW_TYPE_USE,		.name = "use" },
	{ .id = SADB_X_FLOW_TYPE_ACQUIRE,	.name = "acquire" },
	{ .id = SADB_X_FLOW_TYPE_REQUIRE,	.name = "require" },
	{ .id = SADB_X_FLOW_TYPE_BYPASS,	.name = "bypass" },
	{ .id = SADB_X_FLOW_TYPE_DENY,		.name = "deny" },
	{ .id = SADB_X_FLOW_TYPE_DONTACQ,	.name = "dontacq" },
	{ 0, NULL, NULL }
};

/* SA state -> name */
struct idname states[] = {
	{ .id = SADB_SASTATE_LARVAL,	.name = "larval" },
	{ .id = SADB_SASTATE_MATURE,	.name = "mature" },
	{ .id = SADB_SASTATE_DYING,	.name = "dying" },
	{ .id = SADB_SASTATE_DEAD,	.name = "dead" },
	{ 0, NULL, NULL }
};
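/*
 * Find the row of a NULL-name terminated idname table whose id matches.
 * Returns NULL when id is not in the table.
 */
static struct idname *
lookup(struct idname *tab, u_int32_t id)
{
	struct idname *entry;

	for (entry = tab; entry->name != NULL; entry++) {
		if (entry->id == id)
			return (entry);
	}
	return (NULL);
}

/* Like lookup(), but yields the printable name, "unknown" if not found. */
static char *
lookup_name(struct idname *tab, u_int32_t id)
{
	struct idname *entry = lookup(tab, id);

	return (entry != NULL ? entry->name : "unknown");
}

/*
 * Number of payload bytes that follow a fixed header of hdrlen bytes in
 * an extension of ext->sadb_ext_len chunks.  Returns 0 when even the
 * header does not fit, so callers never read past what was received.
 */
static size_t
ext_payload_len(const struct sadb_ext *ext, size_t hdrlen)
{
	size_t total = (size_t)ext->sadb_ext_len * PFKEYV2_CHUNK;

	return (total > hdrlen ? total - hdrlen : 0);
}

/*
 * Print one extension as "\t<name>: <details>\n", dispatching on the
 * printer registered in ext_types[].  Types without a printer show only
 * their numeric type and length.
 */
static void
print_ext(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct idname *entry;

	entry = lookup(ext_types, ext->sadb_ext_type);
	if (entry == NULL) {
		printf("unknown ext: type %u len %u\n",
		    ext->sadb_ext_type, ext->sadb_ext_len);
		return;
	}
	printf("\t%s: ", entry->name);
	if (entry->func != NULL)
		(*entry->func)(ext, msg, opts);
	else
		printf("type %u len %u",
		    ext->sadb_ext_type, ext->sadb_ext_len);
	printf("\n");
}

/*
 * Render SA flags as "0x<hex><name,name,...>" into a static buffer.
 * Returns NULL when the rendering does not fit in the buffer; callers
 * must not hand that NULL to printf("%s").
 */
static char *
print_flags(uint32_t flags)
{
	static char fstr[80];
	struct idname *entry;
	int len, n, i, comma = 0;

	len = snprintf(fstr, sizeof(fstr), "%#x<", flags);
	if (len < 0 || (size_t)len >= sizeof(fstr))
		return (NULL);
	for (i = 0; i < 32; i++) {
		/* 1U: shifting a signed 1 into bit 31 is undefined behaviour */
		uint32_t bit = 1U << i;

		if ((flags & bit) == 0 ||
		    (entry = lookup(flag_types, bit)) == NULL)
			continue;
		/* keep one byte spare for the closing '>' */
		n = snprintf(fstr + len, sizeof(fstr) - len - 1,
		    comma ? ",%s" : "%s", entry->name);
		if (n < 0 || (size_t)n >= sizeof(fstr) - len - 1)
			return (NULL);
		len += n;
		comma = 1;
	}
	strlcat(fstr, ">", sizeof(fstr));

	return (fstr);
}

/* SA extension: SPI (or CPI for ipcomp), algorithms, state, replay, flags. */
static void
print_sa(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_sa *sa = (struct sadb_sa *)ext;
	char *flags;

	if (msg->sadb_msg_satype == SADB_X_SATYPE_IPCOMP)
		printf("cpi 0x%8.8x comp %s\n",
		    ntohl(sa->sadb_sa_spi),
		    lookup_name(comp_types, sa->sadb_sa_encrypt));
	else
		printf("spi 0x%8.8x auth %s enc %s\n",
		    ntohl(sa->sadb_sa_spi),
		    lookup_name(auth_types, sa->sadb_sa_auth),
		    lookup_name(enc_types, sa->sadb_sa_encrypt));
	/* print_flags() returns NULL on overflow; "%s" of NULL is undefined */
	flags = print_flags(sa->sadb_sa_flags);
	printf("\t\tstate %s replay %u flags %s",
	    lookup_name(states, sa->sadb_sa_state),
	    sa->sadb_sa_replay, flags != NULL ? flags : "<too long>");
}

/*
 * Address extension: numeric host, plus the port when one is set.
 * The sockaddr is only used as far as the extension actually contains it.
 */
/* ARGSUSED1 */
static void
print_addr(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_address *addr = (struct sadb_address *)ext;
	struct sockaddr *sa = (struct sockaddr *)(addr + 1);
	struct sockaddr_in *sin4;
	struct sockaddr_in6 *sin6;
	size_t avail = ext_payload_len(ext, sizeof(*addr));
	char hbuf[NI_MAXHOST];

	/* sa_len and sa_family are the first two bytes; need at least those */
	if (avail < 2 || sa->sa_len > avail) {
		printf("<truncated address>");
		return;
	}
	if (sa->sa_family == 0)
		printf("<any>");
	else if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0,
	    NI_NUMERICHOST) != 0)
		printf("<could not get numeric hostname>");
	else
		printf("%s", hbuf);
	switch (sa->sa_family) {
	case AF_INET:
		sin4 = (struct sockaddr_in *)sa;
		/* only read the port if that much sockaddr was sent */
		if (avail >= sizeof(*sin4) && sin4->sin_port)
			printf(" port %u", ntohs(sin4->sin_port));
		break;
	case AF_INET6:
		sin6 = (struct sockaddr_in6 *)sa;
		if (avail >= sizeof(*sin6) && sin6->sin6_port)
			printf(" port %u", ntohs(sin6->sin6_port));
		break;
	default:
		break;
	}
}

/*
 * Key extension: bit count and the key bytes in hex.  Each byte is
 * zeroed in the message buffer right after it is printed so the key
 * material does not linger there.
 */
/* ARGSUSED1 */
static void
print_key(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_key *key = (struct sadb_key *)ext;
	u_int8_t *data = (u_int8_t *)(key + 1);
	size_t avail = ext_payload_len(ext, sizeof(*key));
	size_t len = key->sadb_key_bits / 8;
	size_t i;

	printf("bits %u: ", key->sadb_key_bits);
	/* never trust the advertised bit count beyond the bytes present */
	if (len > avail)
		len = avail;
	for (i = 0; i < len; i++) {
		printf("%2.2x", data[i]);
		data[i] = 0x00;	/* clear sensitive data */
	}
}

/* Lifetime extension (current, hard, soft or lastuse). */
/* ARGSUSED1 */
static void
print_life(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_lifetime *life = (struct sadb_lifetime *)ext;

	printf("alloc %u bytes %llu add %llu first %llu",
	    life->sadb_lifetime_allocations,
	    life->sadb_lifetime_bytes,
	    life->sadb_lifetime_addtime,
	    life->sadb_lifetime_usetime);
}

/*
 * Protocol extension.  The proto field is overloaded: in SADB_X_GRPSPIS
 * messages it carries an SA type rather than an IP protocol number.
 */
static void
print_proto(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_protocol *proto = (struct sadb_protocol *)ext;

	if (msg->sadb_msg_type == SADB_X_GRPSPIS)
		printf("satype %s flags %x",
		    lookup_name(sa_types, proto->sadb_protocol_proto),
		    proto->sadb_protocol_flags);
	else
		printf("proto %u flags %x",
		    proto->sadb_protocol_proto, proto->sadb_protocol_flags);
}

/* Flow type extension: flow type and direction. */
/* ARGSUSED1 */
static void
print_flow(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_protocol *proto = (struct sadb_protocol *)ext;
	char *dir = "unknown";

	switch (proto->sadb_protocol_direction) {
	case IPSP_DIRECTION_IN:
		dir = "in";
		break;
	case IPSP_DIRECTION_OUT:
		dir = "out";
		break;
	default:
		break;
	}
	printf("type %s direction %s",
	    lookup_name(flow_types, proto->sadb_protocol_proto), dir);
}

/* Tag extension: the string following the header, bounded by its length. */
static void
print_tag(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_x_tag *stag = (struct sadb_x_tag *)ext;
	char *p = (char *)(stag + 1);
	size_t avail = ext_payload_len(ext, sizeof(*stag));

	/* the tag should be NUL-terminated, but don't rely on it */
	printf("%.*s", (int)avail, p);
}

/* Replay extension: current replay counter. */
static void
print_replay(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_x_replay *sreplay = (struct sadb_x_replay *)ext;

	printf("rpl %llu", sreplay->sadb_x_replay_count);
}

/* MTU extension. */
static void
print_mtu(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_x_mtu *smtu = (struct sadb_x_mtu *)ext;

	printf("mtu %u", smtu->sadb_x_mtu_mtu);
}

/* Tap extension: the enc(4) unit the SA is attached to. */
static void
print_tap(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_x_tap *stap = (struct sadb_x_tap *)ext;

	printf("enc%u", stap->sadb_x_tap_unit);
}

/* SA type extension (satype2 of a bundle). */
static void
print_satype(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_protocol *proto = (struct sadb_protocol *)ext;

	printf("type %s", lookup_name(sa_types, proto->sadb_protocol_proto));
}

/*
 * Counter extension, one line per counter.  Zero counters are only
 * shown with IPSECCTL_OPT_VERBOSE2.
 */
static void
print_counter(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_x_counter *scnt = (struct sadb_x_counter *)ext;

	printf("\n");

#define plural(n)	((n) != 1 ? "s" : "")
#define p(f, m)	do {							\
	if (scnt->f || (opts & IPSECCTL_OPT_VERBOSE2))			\
		printf(m, scnt->f, plural(scnt->f));			\
} while (0)
	p(sadb_x_counter_ipackets, "\t\t%llu input packet%s\n");
	p(sadb_x_counter_opackets, "\t\t%llu output packet%s\n");
	p(sadb_x_counter_ibytes, "\t\t%llu input byte%s\n");
	p(sadb_x_counter_obytes, "\t\t%llu output byte%s\n");
	p(sadb_x_counter_idecompbytes, "\t\t%llu input byte%s, decompressed\n");
	p(sadb_x_counter_ouncompbytes,"\t\t%llu output byte%s, uncompressed\n");
	p(sadb_x_counter_idrops, "\t\t%llu packet%s dropped on input\n");
	p(sadb_x_counter_odrops, "\t\t%llu packet%s dropped on output\n");
#undef p
#undef plural
}

/* Name of algorithm id, interpreted according to the supported_* type. */
static char *
alg_by_ext(u_int8_t ext_type, u_int8_t id)
{
	switch (ext_type) {
	case SADB_EXT_SUPPORTED_ENCRYPT:
		return lookup_name(enc_types, id);
	case SADB_EXT_SUPPORTED_AUTH:
		return lookup_name(auth_types, id);
	case SADB_X_EXT_SUPPORTED_COMP:
		return lookup_name(comp_types, id);
	default:
		return "unknown";
	}
}

/* One supported-algorithm entry: name, IV length and key size range. */
static void
print_alg(struct sadb_alg *alg, u_int8_t ext_type)
{
	printf("\t\t%s iv %u min %u max %u",
	    alg_by_ext(ext_type, alg->sadb_alg_id), alg->sadb_alg_ivlen,
	    alg->sadb_alg_minbits, alg->sadb_alg_maxbits);
}

/*
 * Supported-algorithms extension: one print_alg() line per entry that
 * fits completely inside the extension.
 */
/* ARGSUSED1 */
static void
print_supp(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_supported *supported = (struct sadb_supported *)ext;
	size_t extlen = (size_t)ext->sadb_ext_len * PFKEYV2_CHUNK;
	struct sadb_alg *alg;
	size_t off;

	printf("\n");
	for (off = sizeof(*supported); off + sizeof(*alg) <= extlen;
	    off += sizeof(*alg)) {
		alg = (struct sadb_alg *)((u_int8_t *)ext + off);
		print_alg(alg, ext->sadb_ext_type);
		/* separator only between entries; print_ext() ends the last */
		if (off + 2 * sizeof(*alg) <= extlen)
			printf("\n");
	}
}

/*
 * One proposal combination.  Flags, allocation and byte limits of the
 * combination are not shown.
 */
/* ARGSUSED1 */
static void
print_comb(struct sadb_comb *comb, struct sadb_msg *msg, int opts)
{
	/* hard before soft, matching the labels in the format string */
	printf("\t\tauth %s min %u max %u\n"
	    "\t\tenc %s min %u max %u\n"
	    "\t\taddtime hard %llu soft %llu\n"
	    "\t\tusetime hard %llu soft %llu",
	    lookup_name(auth_types, comb->sadb_comb_auth),
	    comb->sadb_comb_auth_minbits,
	    comb->sadb_comb_auth_maxbits,
	    lookup_name(enc_types, comb->sadb_comb_encrypt),
	    comb->sadb_comb_encrypt_minbits,
	    comb->sadb_comb_encrypt_maxbits,
	    comb->sadb_comb_hard_addtime,
	    comb->sadb_comb_soft_addtime,
	    comb->sadb_comb_hard_usetime,
	    comb->sadb_comb_soft_usetime);
}

/*
 * Proposal extension: replay window followed by every combination that
 * fits completely inside the extension.
 */
/* ARGSUSED1 */
static void
print_prop(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_prop *prop = (struct sadb_prop *)ext;
	size_t extlen = (size_t)ext->sadb_ext_len * PFKEYV2_CHUNK;
	struct sadb_comb *comb;
	size_t off;

	printf("replay %u\n", prop->sadb_prop_replay);
	for (off = sizeof(*prop); off + sizeof(*comb) <= extlen;
	    off += sizeof(*comb)) {
		comb = (struct sadb_comb *)((u_int8_t *)ext + off);
		print_comb(comb, msg, opts);
	}
}

/* Sensitivity extension. */
/* ARGSUSED1 */
static void
print_sens(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_sens *sens = (struct sadb_sens *)ext;

	printf("dpd %u sens_level %u integ_level %u",
	    sens->sadb_sens_dpd,
	    sens->sadb_sens_sens_level,
	    sens->sadb_sens_integ_level);
}

/* SPI range extension. */
/* ARGSUSED1 */
static void
print_spir(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_spirange *spirange = (struct sadb_spirange *)ext;

	printf("min 0x%8.8x max 0x%8.8x",
	    spirange->sadb_spirange_min, spirange->sadb_spirange_max);
}

/* Identity extension: type, id and the identity string, length-bounded. */
/* ARGSUSED1 */
static void
print_ident(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_ident *ident = (struct sadb_ident *)ext;

	printf("type %s id %llu: %.*s",
	    lookup_name(identity_types, ident->sadb_ident_type),
	    ident->sadb_ident_id,
	    (int)ext_payload_len(ext, sizeof(*ident)), (char *)(ident + 1));
}

/* Policy extension: sequence number. */
/* ARGSUSED1 */
static void
print_policy(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_x_policy *x_policy = (struct sadb_x_policy *)ext;

	printf("seq %u", x_policy->sadb_x_policy_seq);
}

/* UDP encapsulation extension: port (carried in network byte order). */
/* ARGSUSED1 */
static void
print_udpenc(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_x_udpencap *x_udpencap = (struct sadb_x_udpencap *)ext;

	printf("udpencap port %u", ntohs(x_udpencap->sadb_x_udpencap_port));
}

/* Routing domain extension: "dom1/dom2". */
/* ARGSUSED1 */
static void
print_rdomain(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
{
	struct sadb_x_rdomain *srdomain = (struct sadb_x_rdomain *)ext;

	printf("%d/%d", srdomain->sadb_x_rdomain_dom1,
	    srdomain->sadb_x_rdomain_dom2);
}

/*
 * Index the extensions of msg into the global extensions[] table.
 * Walking stops at the first extension that is zero-length, that does
 * not fit inside msg, or whose header runs past the end of msg; a type
 * outside 0..SADB_EXT_MAX is skipped rather than written out of bounds.
 */
static void
setup_extensions(struct sadb_msg *msg)
{
	u_int8_t *base = (u_int8_t *)msg;
	size_t msglen, off;

	bzero(extensions, sizeof(extensions));
	if (msg->sadb_msg_len == 0)
		return;
	msglen = (size_t)msg->sadb_msg_len * PFKEYV2_CHUNK;
	for (off = sizeof(*msg); off + sizeof(struct sadb_ext) <= msglen;) {
		struct sadb_ext *ext = (struct sadb_ext *)(base + off);
		size_t extlen = (size_t)ext->sadb_ext_len * PFKEYV2_CHUNK;

		if (ext->sadb_ext_len == 0 || extlen > msglen - off)
			break;	/* malformed: would loop forever or overrun */
		if (ext->sadb_ext_type <= SADB_EXT_MAX)
			extensions[ext->sadb_ext_type] = ext;
		off += extlen;
	}
}

/*
 * Fill ipa from an address extension (no-op when ext is NULL).
 * Address families other than AF_INET/AF_INET6 only set ipa->af.
 */
static void
parse_addr(struct sadb_ext *ext, struct ipsec_addr_wrap *ipa)
{
	struct sadb_address *addr = (struct sadb_address *)ext;
	struct sockaddr *sa;

	if (addr == NULL)
		return;
	sa = (struct sockaddr *)(addr + 1);
	switch (sa->sa_family) {
	case AF_INET:
		ipa->address.v4 = ((struct sockaddr_in *)sa)->sin_addr;
		set_ipmask(ipa, 32);
		break;
	case AF_INET6:
		ipa->address.v6 = ((struct sockaddr_in6 *)sa)->sin6_addr;
		set_ipmask(ipa, 128);
		break;
	default:
		break;
	}
	ipa->af = sa->sa_family;
	ipa->next = NULL;
	ipa->tail = ipa;
}

/*
 * Point ikey at the key bytes inside a key extension (no-op when ext is
 * NULL).  The key is not copied; it still lives in the message buffer.
 */
static void
parse_key(struct sadb_ext *ext, struct ipsec_key *ikey)
{
	struct sadb_key *key = (struct sadb_key *)ext;
	size_t avail, len;

	if (key == NULL)
		return;
	avail = ext_payload_len(ext, sizeof(*key));
	len = key->sadb_key_bits / 8;
	ikey->data = (u_int8_t *)(key + 1);
	/* the bit count is advisory; the extension length is what was sent */
	ikey->len = len > avail ? avail : len;
}

/*
 * Translate the SA type carried in a protocol extension into an IPSEC_*
 * constant (no-op when ext is NULL or the type is not one handled here).
 */
static void
parse_satype(struct sadb_ext *ext, u_int8_t *satype)
{
	struct sadb_protocol *proto = (struct sadb_protocol *)ext;

	if (proto == NULL)
		return;
	switch (proto->sadb_protocol_proto) {
	case SADB_SATYPE_ESP:
		*satype = IPSEC_ESP;
		break;
	case SADB_SATYPE_AH:
		*satype = IPSEC_AH;
		break;
	case SADB_X_SATYPE_IPCOMP:
		*satype = IPSEC_IPCOMP;
		break;
	case SADB_X_SATYPE_IPIP:
		*satype = IPSEC_IPIP;
		break;
	default:
		break;
	}
}

/*
 * SPI of the SA extension in msg, host byte order.  Returns 0 when msg
 * carries no SA extension; SPI 0 is reserved, so it cannot be mistaken
 * for a real one.
 */
u_int32_t
pfkey_get_spi(struct sadb_msg *msg)
{
	struct sadb_sa *sa;

	setup_extensions(msg);
	sa = (struct sadb_sa *)extensions[SADB_EXT_SA];
	if (sa == NULL)
		return (0);
	return (ntohl(sa->sadb_sa_spi));
}

/*
 * Map a PF_KEY encryption algorithm id and the key length in bytes to
 * an index into encxfs[], or -1 when the algorithm is not known here.
 * NOTE(review): the 28/36 byte cases presumably are the 192/256-bit
 * keys plus a 4-byte nonce, the convention ipsecctl uses for AES-CTR,
 * GCM and GMAC -- confirm against the ipsecctl key parser.
 */
static int
encxf_index(u_int8_t alg, size_t keylen)
{
	switch (alg) {
	case SADB_EALG_3DESCBC:
		return (ENCXF_3DES_CBC);
	case SADB_X_EALG_AES:
		switch (keylen) {
		case 192/8:
			return (ENCXF_AES_192);
		case 256/8:
			return (ENCXF_AES_256);
		default:
			return (ENCXF_AES);
		}
	case SADB_X_EALG_AESCTR:
		switch (keylen) {
		case 28:
			return (ENCXF_AES_192_CTR);
		case 36:
			return (ENCXF_AES_256_CTR);
		default:
			return (ENCXF_AESCTR);
		}
	case SADB_X_EALG_AESGCM16:
		switch (keylen) {
		case 28:
			return (ENCXF_AES_192_GCM);
		case 36:
			return (ENCXF_AES_256_GCM);
		default:
			return (ENCXF_AES_128_GCM);
		}
	case SADB_X_EALG_AESGMAC:
		switch (keylen) {
		case 28:
			return (ENCXF_AES_192_GMAC);
		case 36:
			return (ENCXF_AES_256_GMAC);
		default:
			return (ENCXF_AES_128_GMAC);
		}
	case SADB_X_EALG_BLF:
		return (ENCXF_BLOWFISH);
	case SADB_X_EALG_CAST:
		return (ENCXF_CAST128);
	case SADB_X_EALG_CHACHA20POLY1305:
		return (ENCXF_CHACHA20_POLY1305);
	case SADB_EALG_NULL:
		return (ENCXF_NULL);
	default:
		return (-1);
	}
}

/*
 * Map a PF_KEY authentication algorithm id to an index into authxfs[],
 * or -1 when the algorithm is not known here.
 */
static int
authxf_index(u_int8_t alg)
{
	switch (alg) {
	case SADB_AALG_MD5HMAC:
		return (AUTHXF_HMAC_MD5);
	case SADB_X_AALG_RIPEMD160HMAC:
		return (AUTHXF_HMAC_RIPEMD160);
	case SADB_AALG_SHA1HMAC:
		return (AUTHXF_HMAC_SHA1);
	case SADB_X_AALG_SHA2_256:
		return (AUTHXF_HMAC_SHA2_256);
	case SADB_X_AALG_SHA2_384:
		return (AUTHXF_HMAC_SHA2_384);
	case SADB_X_AALG_SHA2_512:
		return (AUTHXF_HMAC_SHA2_512);
	default:
		return (-1);
	}
}

/*
 * Opposite of pfkey_sa(): rebuild an ipsec_rule from an SA message and
 * print it with ipsecctl_print_rule(); with IPSECCTL_OPT_VERBOSE every
 * extension is dumped afterwards.  Key material is only passed on when
 * IPSECCTL_OPT_SHOWKEY is set.  Messages without an SA extension or
 * with an SA type not handled here print nothing.
 */
void
pfkey_print_sa(struct sadb_msg *msg, int opts)
{
	struct ipsec_rule r;
	struct ipsec_key enckey, authkey;
	struct ipsec_transforms xfs;
	struct ipsec_addr_wrap src, dst, dst2;
	struct sadb_sa *sa, *sa2;
	int i, idx;

	setup_extensions(msg);
	sa = (struct sadb_sa *)extensions[SADB_EXT_SA];
	if (sa == NULL)
		return;

	bzero(&r, sizeof r);
	r.type |= RULE_SA;
	/* tcpmd5 never uses tunnel mode, whatever the flags say */
	r.tmode = (msg->sadb_msg_satype != SADB_X_SATYPE_TCPSIGNATURE &&
	    (sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)) ?
	    IPSEC_TUNNEL : IPSEC_TRANSPORT;
	r.spi = ntohl(sa->sadb_sa_spi);

	switch (msg->sadb_msg_satype) {
	case SADB_SATYPE_AH:
		r.satype = IPSEC_AH;
		break;
	case SADB_SATYPE_ESP:
		r.satype = IPSEC_ESP;
		break;
	case SADB_X_SATYPE_IPCOMP:
		r.satype = IPSEC_IPCOMP;
		break;
	case SADB_X_SATYPE_TCPSIGNATURE:
		r.satype = IPSEC_TCPMD5;
		break;
	case SADB_X_SATYPE_IPIP:
		r.satype = IPSEC_IPIP;
		break;
	default:
		return;
	}

	/* dst2 is zeroed too: parse_addr() leaves it alone if DST2 is absent */
	bzero(&dst, sizeof dst);
	bzero(&src, sizeof src);
	bzero(&dst2, sizeof dst2);
	parse_addr(extensions[SADB_EXT_ADDRESS_SRC], &src);
	parse_addr(extensions[SADB_EXT_ADDRESS_DST], &dst);
	r.src = &src;
	r.dst = &dst;

	if (r.satype == IPSEC_IPCOMP) {
		if (sa->sadb_sa_encrypt) {
			bzero(&xfs, sizeof xfs);
			r.xfs = &xfs;
			if (sa->sadb_sa_encrypt == SADB_X_CALG_DEFLATE)
				xfs.compxf = &compxfs[COMPXF_DEFLATE];
		}
	} else if (r.satype == IPSEC_TCPMD5) {
		bzero(&authkey, sizeof authkey);
		parse_key(extensions[SADB_EXT_KEY_AUTH], &authkey);
		r.authkey = &authkey;
	} else if (sa->sadb_sa_encrypt || sa->sadb_sa_auth) {
		bzero(&xfs, sizeof xfs);
		r.xfs = &xfs;
		if (sa->sadb_sa_encrypt) {
			bzero(&enckey, sizeof enckey);
			parse_key(extensions[SADB_EXT_KEY_ENCRYPT], &enckey);
			r.enckey = &enckey;
			/* key length selects the AES variant */
			idx = encxf_index(sa->sadb_sa_encrypt, enckey.len);
			if (idx >= 0)
				xfs.encxf = &encxfs[idx];
		}
		if (sa->sadb_sa_auth) {
			bzero(&authkey, sizeof authkey);
			parse_key(extensions[SADB_EXT_KEY_AUTH], &authkey);
			r.authkey = &authkey;
			idx = authxf_index(sa->sadb_sa_auth);
			if (idx >= 0)
				xfs.authxf = &authxfs[idx];
		}
	}
	if (!(opts & IPSECCTL_OPT_SHOWKEY)) {
		/*
		 * Drop both the parsed keys and the raw key extensions so
		 * neither ipsecctl_print_rule() nor the verbose dump below
		 * can show key material.
		 */
		bzero(&enckey, sizeof enckey);
		bzero(&authkey, sizeof authkey);
		extensions[SADB_EXT_KEY_AUTH] = NULL;
		extensions[SADB_EXT_KEY_ENCRYPT] = NULL;
	}
	if (extensions[SADB_X_EXT_SA2]) {
		r.type |= RULE_BUNDLE;
		sa2 = (struct sadb_sa *)extensions[SADB_X_EXT_SA2];
		r.spi2 = ntohl(sa2->sadb_sa_spi);
		parse_addr(extensions[SADB_X_EXT_DST2], &dst2);
		r.dst2 = &dst2;
		parse_satype(extensions[SADB_X_EXT_SATYPE2], &r.proto2);
		r.proto = r.satype;
	}
	ipsecctl_print_rule(&r, opts);

	if (opts & IPSECCTL_OPT_VERBOSE) {
		for (i = 0; i <= SADB_EXT_MAX; i++) {
			if (extensions[i])
				print_ext(extensions[i], msg, opts);
		}
	}
	fflush(stdout);
}

/*
 * Dump a message header line followed by every extension it carries.
 * Key extensions are printed in full (see print_key()), so this is for
 * monitoring, not for unprivileged display.
 */
/* ARGSUSED1 */
void
pfkey_monitor_sa(struct sadb_msg *msg, int opts)
{
	int i;

	setup_extensions(msg);

	printf("%s: satype %s vers %u len %u seq %u pid %u\n",
	    lookup_name(msg_types, msg->sadb_msg_type),
	    lookup_name(sa_types, msg->sadb_msg_satype),
	    msg->sadb_msg_version, msg->sadb_msg_len,
	    msg->sadb_msg_seq,
	    msg->sadb_msg_pid);
	if (msg->sadb_msg_errno)
		printf("\terrno %u: %s\n", msg->sadb_msg_errno,
		    strerror(msg->sadb_msg_errno));
	for (i = 0; i <= SADB_EXT_MAX; i++) {
		if (extensions[i])
			print_ext(extensions[i], msg, opts);
	}
	fflush(stdout);
}

/* Hex dump of a raw message, eight bytes per line; a negative len prints nothing. */
void
pfkey_print_raw(u_int8_t *data, ssize_t len)
{
	ssize_t i;

	printf("RAW PFKEYV2 MESSAGE:\n");
	for (i = 0; i < len; i++) {
		if (i != 0 && i % 8 == 0)
			printf("\n");
		printf("%02x ", data[i]);
	}
	printf("\n");
}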