test-policy.c revision 57855
/*
 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD: head/lib/libipsec/test-policy.c 57855 2000-03-09 14:57:16Z shin $
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>

#include <netinet/in.h>
#include <netinet6/in6.h>
#include <net/pfkeyv2.h>
#include <netkey/key_debug.h>
#include <netinet6/ipsec.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <err.h>

/*
 * Policy specification strings that main() hands to ipsec_set_policy()
 * one at a time.  The trailing comments record which entries the parser
 * is expected to reject ("error") or may reject, so the ipsec_strerror()
 * output printed for them can be checked by eye.  The two multi-line
 * entries exercise the parser's handling of embedded whitespace and
 * newlines.
 */
char *requests[] = {
	"must_error",					/* error */
	"in ipsec must_error",				/* error */
	"out ipsec esp/must_error",			/* error */
	"out discard",
	"out none",
	"in entrust",
	"out entrust",
	"in bypass",					/* may be error */
	"out ipsec esp",				/* error */
	"in ipsec ah/transport",
	"in ipsec ah/tunnel",				/* error */
	"out ipsec ah/transport/",
	"out ipsec ah/tunnel/",				/* error */
	"in ipsec esp / transport / 10.0.0.1-10.0.0.2",
	"in ipsec esp/tunnel/::1-::2",
	"in ipsec esp/tunnel/10.0.0.1-::2",		/* error */
	"in ipsec esp/tunnel/::1-::2/require",
	"out ipsec ah/transport//use",
	"out ipsec ah/transport esp/use",
	"in ipsec ah/transport esp/tunnel",		/* error */
	"in ipsec
 ah / transport
 esp / tunnel / ::1-::2",
	"
out ipsec
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
",
	"out ipsec esp/transport/fec0::10-fec0::11/use",
};
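
int test(char *buf, int family);

/*
 * Feed every entry of requests[] to ipsec_set_policy() and report the
 * result.  With no command line arguments the encoded policy is only
 * dumped with kdebug_sadb_x_policy(); with any argument it is also
 * installed on a PF_INET and a PF_INET6 socket through test().
 *
 * Always returns 0; entries the parser rejects are reported via
 * ipsec_strerror() and skipped.
 */
int
main(int ac, char **av)
{
	int do_setsockopt = (ac != 1);
	size_t i;

	(void)av;	/* only the argument count is used */

	for (i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
		char *buf;

		printf("*** requests ***\n");
		printf("\t[%s]\n", requests[i]);

		/* The encoded policy is heap allocated; it is freed below. */
		buf = ipsec_set_policy(requests[i], strlen(requests[i]));
		if (buf == NULL) {
			printf("ipsec_set_policy: %s\n", ipsec_strerror());
			continue;
		}

		printf("\tsetlen:%d\n", ipsec_get_policylen(buf));

		if (do_setsockopt) {
			printf("\tPF_INET:\n");
			test(buf, PF_INET);

			printf("\tPF_INET6:\n");
			test(buf, PF_INET6);
		} else {
			kdebug_sadb_x_policy((struct sadb_ext *)buf);
		}
		free(buf);
	}

	return 0;
}

/*
 * Install the encoded policy on a fresh datagram socket of the given
 * family (PF_INET or PF_INET6), read it back with getsockopt() and print
 * the decoded text form.
 *
 * Returns 0 once the socket has been closed, or -1 for an unsupported
 * family (no socket is opened in that case).  Failure to create the
 * socket is fatal, matching the rest of this program.
 */
int
test(char *policy, int family)
{
	int so, proto, optname;
	socklen_t len;
	char getbuf[1024];

	switch (family) {
	case PF_INET:
		proto = IPPROTO_IP;
		optname = IP_IPSEC_POLICY;
		break;
	case PF_INET6:
		proto = IPPROTO_IPV6;
		optname = IPV6_IPSEC_POLICY;
		break;
	default:
		/* Without this, proto/optname would be used uninitialized. */
		printf("unsupported address family %d\n", family);
		return -1;
	}

	if ((so = socket(family, SOCK_DGRAM, 0)) < 0)
		err(1, "socket");

	len = ipsec_get_policylen(policy);
	if (setsockopt(so, proto, optname, policy, len) < 0) {
		/* warn() adds the errno text and a newline. */
		warn("setsockopt");
		goto end;
	}

	/* Read the policy back; the kernel updates len to the stored size. */
	len = sizeof(getbuf);
	memset(getbuf, 0, sizeof(getbuf));
	if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
		warn("getsockopt");
		goto end;
	}

	printf("\tgetlen:%d\n", (int)len);

	{
		char *buf;

		/* ipsec_dump_policy() returns a heap string; free it here. */
		if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
			printf("%s\n", ipsec_strerror());
			goto end;
		}
		printf("\t[%s]\n", buf);
		free(buf);
	}

end:
	close(so);

	return 0;
}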