/*
 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD: head/lib/libipsec/test-policy.c 57855 2000-03-09 14:57:16Z shin $
 */
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>

#include <netinet/in.h>
#include <netinet6/in6.h>
#include <net/pfkeyv2.h>
#include <netkey/key_debug.h>
#include <netinet6/ipsec.h>

#include <err.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
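/*
 * Policy specification strings that main() feeds to ipsec_set_policy().
 * Entries marked "error" are ones the parser is expected to reject; the
 * two multi-line entries exercise newline and tab handling between tokens.
 *
 * The original source embedded raw newlines inside string literals, which
 * C99 and later compilers reject as unterminated strings.  The same byte
 * sequences are spelled here with "\n"/"\t" escapes and adjacent-literal
 * concatenation, so the parser still sees identical input.
 */
char *requests[] = {
"must_error",				/* error */
"in ipsec must_error",			/* error */
"out ipsec esp/must_error",		/* error */
"out discard",
"out none",
"in entrust",
"out entrust",
"in bypass",				/* may be error */
"out ipsec esp",			/* error */
"in ipsec ah/transport",
"in ipsec ah/tunnel",			/* error */
"out ipsec ah/transport/",
"out ipsec ah/tunnel/",			/* error */
"in ipsec esp / transport / 10.0.0.1-10.0.0.2",
"in ipsec esp/tunnel/::1-::2",
"in ipsec esp/tunnel/10.0.0.1-::2",	/* error */
"in ipsec esp/tunnel/::1-::2/require",
"out ipsec ah/transport//use",
"out ipsec ah/transport esp/use",
"in ipsec ah/transport esp/tunnel",	/* error */
/* tokens separated by newlines and leading tabs */
"in ipsec\n"
"\tah / transport\n"
"\tesp / tunnel / ::1-::2",
/* leading newline, three identical request lines, trailing newline */
"\n"
"out ipsec\n"
"ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require\n"
"ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require\n"
"ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require\n",
"out ipsec esp/transport/fec0::10-fec0::11/use",
};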
/* Push a parsed policy into a socket of `family' and read it back; defined below. */
int test(char *buf, int family);
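/*
 * Entry point: parse every string in requests[] with ipsec_set_policy()
 * and either dump the resulting sadb_x_policy blob (no arguments) or push
 * it through PF_INET and PF_INET6 sockets via test() (any argument given).
 *
 * ac/av: standard argc/argv.  Only the argument count is inspected; the
 *        presence of any argument selects the setsockopt path.
 * Returns 0 always.  Parse failures are reported on stdout and skipped.
 *
 * Changes from the K&R original: ANSI prototype (implicit-int/K&R
 * definitions are no longer valid C), and the loop index is size_t so it
 * is not compared against the unsigned sizeof() quotient as a signed int.
 */
int
main(int ac, char **av)
{
	int do_setsockopt = (ac != 1);
	size_t i;

	(void)av;	/* only the argument count matters */

	for (i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
		char *buf;

		printf("*** requests ***\n");
		printf("\t[%s]\n", requests[i]);

		buf = ipsec_set_policy(requests[i], strlen(requests[i]));
		if (buf == NULL) {
			printf("ipsec_set_policy: %s\n", ipsec_strerror());
			continue;
		}

		printf("\tsetlen:%d\n", ipsec_get_policylen(buf));

		if (do_setsockopt) {
			printf("\tPF_INET:\n");
			test(buf, PF_INET);

			printf("\tPF_INET6:\n");
			test(buf, PF_INET6);
		} else {
			/* no socket involved: just pretty-print the blob */
			kdebug_sadb_x_policy((struct sadb_ext *)buf);
		}
		free(buf);	/* ipsec_set_policy() hands ownership to us */
	}

	return 0;
}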
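/*
 * Install `policy' (a sadb_x_policy blob as produced by ipsec_set_policy())
 * on a fresh datagram socket of `family', read it back with getsockopt()
 * and print the round-tripped text form.
 *
 * policy: policy buffer; its length is taken from ipsec_get_policylen().
 * family: PF_INET or PF_INET6.  Any other value is reported and rejected
 *         instead of leaving proto/optname uninitialized (the original
 *         switch had no default, so e.g. PF_UNSPEC read garbage).
 * Returns 0 on success, -1 on an unsupported family or a failed socket
 * option call; diagnostics go to stdout with the errno text.  As before,
 * failure to create the socket itself terminates the program via err().
 *
 * The getsockopt() length is a socklen_t, not an int, as the call requires.
 */
int
test(char *policy, int family)
{
	int so, proto, optname;
	int rc = -1;
	socklen_t len;
	char getbuf[1024];
	char *buf;

	switch (family) {
	case PF_INET:
		proto = IPPROTO_IP;
		optname = IP_IPSEC_POLICY;
		break;
	case PF_INET6:
		proto = IPPROTO_IPV6;
		optname = IPV6_IPSEC_POLICY;
		break;
	default:
		printf("unsupported address family %d\n", family);
		return -1;
	}

	if ((so = socket(family, SOCK_DGRAM, 0)) < 0)
		err(1, "socket");

	if (setsockopt(so, proto, optname, policy,
	    ipsec_get_policylen(policy)) < 0) {
		printf("error on setsockopt: %s\n", strerror(errno));
		goto end;
	}

	len = sizeof(getbuf);
	memset(getbuf, 0, sizeof(getbuf));
	if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
		printf("error on getsockopt: %s\n", strerror(errno));
		goto end;
	}

	printf("\tgetlen:%u\n", (unsigned)len);

	/*
	 * A reply that fills getbuf completely may have been cut short by
	 * the kernel; do not hand a possibly partial policy to the dumper.
	 */
	if (len >= sizeof(getbuf)) {
		printf("policy may not fit in %zu bytes, not parsed\n",
		    sizeof(getbuf));
		goto end;
	}

	if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
		printf("%s\n", ipsec_strerror());
		goto end;
	}
	printf("\t[%s]\n", buf);
	free(buf);	/* ipsec_dump_policy() result is ours to free */
	rc = 0;

end:
	close(so);
	return rc;
}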