changeset 4342:d140da8c7329
6561665 ipseckey -f does not understand "flush" keyword anymore
author | pwernau |
---|---|
date | Tue, 29 May 2007 13:04:40 -0700 |
parents | 68ad29579bb7 |
children | d010db0a849a |
files | usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ikeadm.c usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipseckey.c usr/src/lib/libipsecutil/common/ipsec_util.c usr/src/lib/libipsecutil/common/ipsec_util.h |
diffstat | 4 files changed, 134 insertions(+), 73 deletions(-) [+] |
--- a/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ikeadm.c Tue May 29 11:25:08 2007 -0700
+++ b/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ikeadm.c Tue May 29 13:04:40 2007 -0700
@@ -2843,7 +2843,7 @@
 /*ARGSUSED*/
 static void
-parseit(int argc, char **argv, char *notused)
+parseit(int argc, char **argv, char *notused, boolean_t notused_either)
 {
 int cmd, cmd_obj_args = 1;
 char *cmdstr, *objstr;
@@ -2995,7 +2995,7 @@
 do_interactive(stdin, NULL, "ikeadm> ", NULL, parseit);
 }
- parseit(argc, argv, NULL);
+ parseit(argc, argv, NULL, B_FALSE);
 return (0);
 }
--- a/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipseckey.c Tue May 29 11:25:08 2007 -0700
+++ b/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipseckey.c Tue May 29 13:04:40 2007 -0700
@@ -885,7 +885,7 @@
 errx(1, gettext("Reply message from PF_KEY timed out."));
 } else {
 errx(1, gettext("Caught signal %d while trying to receive"
- "PF_KEY reply message"), signal);
+ "PF_KEY reply message"), signal);
 }
 /* errx() calls exit. */
 }
@@ -1455,7 +1455,7 @@
 ntohl(spi));
 ERROR2(ep, ebuf, "%s %s.\n", do_inet_ntop(dsthp->h_addr_list[i],
- addrprint, sizeof (addrprint)),
+ addrprint, sizeof (addrprint)),
 on_errno_msg);
 msgp = (struct sadb_msg *)savebuf;
 bcopy(savebuf, buffer,
@@ -2214,7 +2214,7 @@
 if (dstid != NULL) {
 ERROR(ep, ebuf, gettext(
 "Can only specify single destination "
- "certificate identity.\n"));
+ "certificate identity.\n"));
 break;
 }
 alloclen = sizeof (*dstid) +
@@ -2431,7 +2431,7 @@
 "the association you wish to %s.\n"), thiscmd);
 }
 if (assoc->sadb_sa_auth == 0 && assoc->sadb_sa_encrypt == 0 &&
- cmd == CMD_ADD) {
+ cmd == CMD_ADD) {
 free(assoc);
 FATAL(ep, ebuf, gettext(
 "Select at least one algorithm "
@@ -2614,24 +2614,31 @@
 nexthdr += idst->sadb_address_len;
 }
- if (!cflag) {
+ if (cflag) {
+ /*
+ * Assume the checked cmd would have worked if it was actually
+ * used. doaddresses() will increment lines_added if it
+ * succeeds.
+ */
+ lines_added++;
+ } else {
 doaddresses((cmd == CMD_ADD) ? SADB_ADD : SADB_UPDATE, satype, cmd, srchp, dsthp, src, dst, unspec_src, buffer, totallen, spi, ebuf);
 }
 if (isrchp != NULL && isrchp != &dummy.he)
- freehostent(isrchp);
+ freehostent(isrchp);
 if (idsthp != NULL && idsthp != &dummy.he)
- freehostent(idsthp);
+ freehostent(idsthp);
 if (srchp != NULL && srchp != &dummy.he)
- freehostent(srchp);
+ freehostent(srchp);
 if (dsthp != NULL && dsthp != &dummy.he)
- freehostent(dsthp);
+ freehostent(dsthp);
 if (natt_lhp != NULL && natt_lhp != &dummy.he)
- freehostent(natt_lhp);
+ freehostent(natt_lhp);
 if (natt_rhp != NULL && natt_rhp != &dummy.he)
- freehostent(natt_rhp);
+ freehostent(natt_rhp);
 free(ebuf);
 free(buffer);
@@ -2829,7 +2836,14 @@
 "Need SA parameters for %s.\n"), thiscmd);
 }
- if (!cflag) {
+ if (cflag) {
+ /*
+ * Assume the checked cmd would have worked if it was actually
+ * used. doaddresses() will increment lines_added if it
+ * succeeds.
+ */
+ lines_added++;
+ } else {
 doaddresses((cmd == CMD_GET) ? SADB_GET : SADB_DELETE, satype, cmd, srchp, dsthp, src, dst, unspec_src, get_buffer, sizeof (get_buffer), spi, NULL);
@@ -3020,7 +3034,7 @@
 * "Parse" a command line from argv.
 */
 static void
-parseit(int argc, char *argv[], char *ebuf)
+parseit(int argc, char *argv[], char *ebuf, boolean_t read_cmdfile)
 {
 int cmd, satype;
 char *ep = NULL;
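Review bot: In the new `cflag` branch of both the 2614 and 2836 hunks, `lines_added++` runs unconditionally, so a line whose earlier parsing queued ERROR()/ERROR2() entries into ebuf (both macros are used elsewhere in this file) is still counted as successfully checked; whether a later handle_errors() call reconciles that against lines_parsed is outside these hunks, but if it does not, `ipseckey -c` could report every line as processed with errors pending — worth confirming against the macro definitions. The five-line comment-plus-increment block is pasted verbatim into both functions; a one-line `static` helper carrying that comment, called from both sites, would keep the two in step if the assumption ever changes. Both enclosing functions start outside their hunks.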
@@ -3029,20 +3043,39 @@
 return;
 cmd = parsecmd(*argv++);
+ /*
+ * Some commands loop forever and should only be run from the command
+ * line, they should never be run from a command file as this may
+ * be used at boot time.
+ */
 switch (cmd) {
 case CMD_HELP:
- dohelp(*argv);
+ if (read_cmdfile)
+ ERROR(ep, ebuf, gettext("Help not appropriate in "
+ "config file."));
+ else
+ dohelp(*argv);
 return;
 case CMD_MONITOR:
- domonitor(B_FALSE);
+ if (read_cmdfile)
+ ERROR(ep, ebuf, gettext("Monitor not appropriate in "
+ "config file."));
+ else
+ domonitor(B_FALSE);
 break;
 case CMD_PMONITOR:
- domonitor(B_TRUE);
+ if (read_cmdfile)
+ ERROR(ep, ebuf, gettext("Monitor not appropriate in "
+ "config file."));
+ else
+ domonitor(B_TRUE);
 break;
 case CMD_QUIT:
 EXIT_OK(NULL);
 }
+ handle_errors(ep, ebuf, B_FALSE, B_FALSE);
+
 satype = parsesatype(*argv, ebuf);
 if (satype != SADB_SATYPE_UNSPEC) {
@@ -3064,7 +3097,14 @@
 switch (cmd) {
 case CMD_FLUSH:
- doflush(satype);
+ if (!cflag)
+ doflush(satype);
+ /*
+ * If this was called because of an entry in a cmd file
+ * then this action needs to be counted to prevent
+ * do_interactive() treating this as an error.
+ */
+ lines_added++;
 break;
 case CMD_ADD:
 case CMD_UPDATE:
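Review bot: In the CMD_HELP case of the first hunk the unchanged `return;` runs before the `handle_errors(ep, ebuf, B_FALSE, B_FALSE);` that this hunk adds after the switch, so the new "Help not appropriate in config file." error is queued via ERROR() but never reported, and ebuf — which do_interactive() hands over as consumed — presumably is not released on that path either; confirm against the ERROR() and handle_errors() definitions, which are outside the hunk. The MONITOR and PMONITOR cases do reach the call because they `break`. Calling handle_errors() inside the read_cmdfile branch before returning keeps the help path's early exit while still reporting the error. parseit continues beyond this hunk.
```c
	case CMD_HELP:
		if (read_cmdfile) {
			ERROR(ep, ebuf, gettext("Help not appropriate in "
			    "config file."));
			handle_errors(ep, ebuf, B_FALSE, B_FALSE);
		} else {
			dohelp(*argv);
		}
		return;
	/* … unchanged: CMD_MONITOR, CMD_PMONITOR, CMD_QUIT cases … */
```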
@@ -3095,18 +3135,28 @@
 dodelget(cmd, satype, argv, ebuf);
 break;
 case CMD_DUMP:
- dodump(satype, NULL);
+ if (read_cmdfile)
+ ERROR(ep, ebuf, gettext("Dump not appropriate in "
+ "config file."));
+ else
+ dodump(satype, NULL);
 break;
 case CMD_SAVE:
- mask_signals(B_FALSE); /* Mask signals */
- dodump(satype, opensavefile(argv[0]));
- mask_signals(B_TRUE); /* Unmask signals */
+ if (read_cmdfile) {
+ ERROR(ep, ebuf, gettext("Save not appropriate in "
+ "config file."));
+ } else {
+ mask_signals(B_FALSE); /* Mask signals */
+ dodump(satype, opensavefile(argv[0]));
+ mask_signals(B_TRUE); /* Unmask signals */
+ }
 break;
 default:
 warnx(gettext("Unknown command (%s).\n"), *(argv - ((satype == SADB_SATYPE_UNSPEC) ? 1 : 2)));
 usage();
 }
+ handle_errors(ep, ebuf, B_FALSE, B_FALSE);
 }
 int
@@ -3210,7 +3260,7 @@
 do_interactive(infile, configfile, "ipseckey> ", my_fmri, parseit);
 }
- parseit(argc, argv, NULL);
+ parseit(argc, argv, NULL, B_FALSE);
 return (0);
 }
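Review bot: The `if (read_cmdfile) ERROR(...) else ...` gate in the CMD_DUMP and CMD_SAVE cases is the fourth and fifth copy of the same pattern (HELP, MONITOR and PMONITOR in the previous hunk), each with its own near-identical message; a single check of cmd against the interactive-only set before the switch, with one message, would be easier to keep complete when a command is added. The new message strings also end without `\n`, whereas the ERROR() text already in this file ends with one (`"certificate identity.\n"`); if handle_errors() does not append a newline, consecutive errors from one file will run together — confirm against the macro. parseit starts before this hunk; the second hunk is a plain call-site update.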
--- a/usr/src/lib/libipsecutil/common/ipsec_util.c Tue May 29 11:25:08 2007 -0700
+++ b/usr/src/lib/libipsecutil/common/ipsec_util.c Tue May 29 13:04:40 2007 -0700
@@ -559,7 +559,7 @@
 if (thisargc != 0) {
 lines_parsed++;
 /* ebuf consumed */
- parseit(thisargc, thisargv, ebuf);
+ parseit(thisargc, thisargv, ebuf, readfile);
 } else {
 free(ebuf);
 }
@@ -572,46 +572,57 @@
 }
 bzero(ibuf, IBUF_SIZE);
 }
- if (!readfile) {
+
+ /*
+ * The following code is ipseckey specific. This should never be
+ * used by ikeadm which also calls this function because ikeadm
+ * only runs interactively. If this ever changes this code block
+ * sould be revisited.
+ */
+ if (readfile) {
+ if (lines_parsed != 0 && lines_added == 0) {
+ ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
+ dgettext(TEXT_DOMAIN, "Configuration file did not "
+ "contain any valid SAs"));
+ }
+
+ /*
+ * There were errors. Putting the service in maintenance mode.
+ * When svc.startd(1M) allows services to degrade themselves,
+ * this should be revisited.
+ *
+ * If this function was called from a program running as a
+ * smf_method(5), print a warning message. Don't spew out the
+ * errors as these will end up in the smf(5) log file which is
+ * publically readable, the errors may contain sensitive
+ * information.
+ */
+ if ((lines_added < lines_parsed) && (configfile != NULL)) {
+ if (my_fmri != NULL) {
+ ipsecutil_exit(SERVICE_BADCONF, my_fmri,
+ debugfile, dgettext(TEXT_DOMAIN,
+ "The configuration file contained %d "
+ "errors.\n"
+ "Manually check the configuration with:\n"
+ "ipseckey -c %s\n"
+ "Use svcadm(1M) to clear maintenance "
+ "condition when errors are resolved.\n"),
+ lines_parsed - lines_added, configfile);
+ } else {
+ EXIT_BADCONFIG(NULL);
+ }
+ } else {
+ if (my_fmri != NULL)
+ ipsecutil_exit(SERVICE_EXIT_OK, my_fmri,
+ debugfile, dgettext(TEXT_DOMAIN,
+ "%d actions successfully processed."),
+ lines_added);
+ }
+ } else {
 (void) putchar('\n');
 (void) fflush(stdout);
 }
- if (lines_added == 0)
- ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
- dgettext(TEXT_DOMAIN, "Configuration file did not "
- "contain any valid SAs"));
-
- /*
- * There were some errors. Putting the service in maintenance mode.
- * When svc.startd(1M) allows services to degrade themselves,
- * this should be revisited.
- *
- * If this function was called from a program running as a
- * smf_method(5), print a warning message. Don't spew out the
- * errors as these will end up in the smf(5) log file which is
- * publically readable, the errors may contain sensitive information.
- */
- if ((lines_added < lines_parsed) && (configfile != NULL)) {
- if (my_fmri != NULL) {
- ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
- dgettext(TEXT_DOMAIN,
- "The configuration file contained %d errors.\n"
- "Manually check the configuration with:\n"
- "ipseckey -c %s\n"
- "Use svcadm(1M) to clear maintenance condition "
- "when errors are resolved.\n"),
- lines_parsed - lines_added, configfile);
- } else {
- EXIT_BADCONFIG(NULL);
- }
- } else {
- if (my_fmri != NULL)
- ipsecutil_exit(SERVICE_EXIT_OK, my_fmri, debugfile,
- dgettext(TEXT_DOMAIN,
- "%d SA's successfullly added."), lines_added);
- }
 EXIT_OK(NULL);
- exit(0);
 }
 /*
@@ -1556,7 +1567,7 @@
 if (hard != NULL && hard->sadb_lifetime_len != SADB_8TO64(sizeof (*hard))) {
 warnx(dgettext(TEXT_DOMAIN, "WARNING: HARD lifetime "
- "extension length (%u) is bad."),
+ "extension length (%u) is bad."),
 SADB_64TO8(hard->sadb_lifetime_len));
 }
@@ -1610,12 +1621,12 @@
 "%s%llu more bytes can be protected.\n"), soft_prefix, (soft->sadb_lifetime_bytes >
- current->sadb_lifetime_bytes) ?
+ current->sadb_lifetime_bytes) ?
 (soft->sadb_lifetime_bytes -
- current->sadb_lifetime_bytes) : (0));
+ current->sadb_lifetime_bytes) : (0));
 if (soft->sadb_lifetime_addtime != 0 || (soft->sadb_lifetime_usetime != 0 &&
- current->sadb_lifetime_usetime != 0)) {
+ current->sadb_lifetime_usetime != 0)) {
 int64_t adddelta, usedelta;
 if (soft->sadb_lifetime_addtime != 0) {
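Review bot: `sould be revisited` in the new comment at the head of the readfile block should read `should be revisited`, and `publically readable` a few lines down should be `publicly readable`. Beyond wording, the added `lines_parsed != 0 &&` guard changes what an empty or all-comment file does: with both counters at zero the old code exited SERVICE_BADCONF ("did not contain any valid SAs"), while the new code falls through to the final else and, when my_fmri is set, exits SERVICE_EXIT_OK reporting `0 actions successfully processed.`. If an empty config file is meant to be acceptable at boot, the block comment should say so explicitly; if not, the guard wants to stay `lines_added == 0` alone. The enclosing do_interactive() starts before this hunk.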
@@ -1672,12 +1683,12 @@
 "%s%llu more bytes can be protected.\n"), hard_prefix, (hard->sadb_lifetime_bytes >
- current->sadb_lifetime_bytes) ?
+ current->sadb_lifetime_bytes) ?
 (hard->sadb_lifetime_bytes -
- current->sadb_lifetime_bytes) : (0));
+ current->sadb_lifetime_bytes) : (0));
 if (hard->sadb_lifetime_addtime != 0 || (hard->sadb_lifetime_usetime != 0 &&
- current->sadb_lifetime_usetime != 0)) {
+ current->sadb_lifetime_usetime != 0)) {
 int64_t adddelta, usedelta;
 if (hard->sadb_lifetime_addtime != 0) {
@@ -2208,7 +2219,7 @@
 if (current - buffer != samsg->sadb_msg_len) {
 warnx(dgettext(TEXT_DOMAIN, "WARNING: insufficient buffer "
- "space or corrupt message."));
+ "space or corrupt message."));
 }
 (void) fflush(stdout); /* Make sure our message is out there. */
@@ -2318,7 +2329,7 @@
 return (B_FALSE);
 if (addr->sadb_address_prefixlen != 0 && !((addr->sadb_address_prefixlen == 32 && af == AF_INET) ||
- (addr->sadb_address_prefixlen == 128 && af == AF_INET6))) {
+ (addr->sadb_address_prefixlen == 128 && af == AF_INET6))) {
 if (fprintf(ofile, "/%d", addr->sadb_address_prefixlen) < 0) return (B_FALSE);
 }
@@ -2443,7 +2454,7 @@
 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
 if (fprintf(ofile, "encr_alg %s ", rparsealg(assoc->sadb_sa_encrypt,
- IPSEC_PROTO_ESP)) < 0) {
+ IPSEC_PROTO_ESP)) < 0) {
 tidyup();
 bail(dgettext(TEXT_DOMAIN, "save_assoc: fprintf encrypt"));
@@ -2452,7 +2463,7 @@
 if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
 if (fprintf(ofile, "auth_alg %s ", rparsealg(assoc->sadb_sa_auth,
- IPSEC_PROTO_AH)) < 0) {
+ IPSEC_PROTO_AH)) < 0) {
 tidyup();
 bail(dgettext(TEXT_DOMAIN, "save_assoc: fprintf auth"));
--- a/usr/src/lib/libipsecutil/common/ipsec_util.h Tue May 29 11:25:08 2007 -0700
+++ b/usr/src/lib/libipsecutil/common/ipsec_util.h Tue May 29 13:04:40 2007 -0700
@@ -146,7 +146,7 @@
 */
 /* callback function passed in to do_interactive() */
-typedef void (*parse_cmdln_fn)(int, char **, char *);
+typedef void (*parse_cmdln_fn)(int, char **, char *, boolean_t);
 extern void do_interactive(FILE *, char *, char *, char *, parse_cmdln_fn);
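Review bot: The comment above the typedef, `/* callback function passed in to do_interactive() */`, says nothing about the new fourth argument, and this header is where the two implementers (ikeadm's parseit ignores it, ipseckey's refuses interactive-only commands on it) will look for its meaning. From the ipsec_util.c hunk, do_interactive() passes its `readfile` flag there and the command-line callers pass B_FALSE, so something like `/* callback passed to do_interactive(); the boolean_t is B_TRUE when the command line came from a file rather than an interactive prompt */` would document the contract — confirm the wording against do_interactive()'s own description, which is outside this diff.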