This is the `key' program from NRL's IPv6 distribution, heavily

hacked up by me to remove the IPv6 stuff (fow now). I renamed it `keyadmin' since `key' was already taken by the S/Key calculator. Its purpose is to act as a command-driven interface to the `PF_KEY' socket domain, analogously to thefunction of route(8) in the `PF_ROUTE' domain. This program is believed to be exportable, since it does no actual cryptography itself.
2025-01-01 00:18:15 +01:00 · 1996-06-17 19:47:57 +00:00 · 1996-06-17 19:47:57 +00:00 · 1cd1e41621
commit 1cd1e41621
parent 6da0e3ac2e
4 changed files with 1521 additions and 0 deletions
--- a/usr.sbin/keyadmin/Makefile
+++ b/usr.sbin/keyadmin/Makefile
@ -0,0 +1,6 @@
+#	$ANA: Makefile,v 1.2 1996/06/13 20:11:05 wollman Exp $
+
+PROG=	keyadmin
+MAN8=	keyadmin.8
+
+.include <bsd.prog.mk>
--- a/usr.sbin/keyadmin/keyadmin.8
+++ b/usr.sbin/keyadmin/keyadmin.8
@ -0,0 +1,239 @@
+.\"#	@(#)COPYRIGHT	1.1a (NRL) 17 August 1995
+.\"
+.\"COPYRIGHT NOTICE
+.\"
+.\"All of the documentation and software included in this software
+.\"distribution from the US Naval Research Laboratory (NRL) are
+.\"copyrighted by their respective developers.
+.\"
+.\"This software and documentation were developed at NRL by various
+.\"people.  Those developers have each copyrighted the portions that they
+.\"developed at NRL and have assigned All Rights for those portions to
+.\"NRL.  Outside the USA, NRL also has copyright on the software
+.\"developed at NRL. The affected files all contain specific copyright
+.\"notices and those notices must be retained in any derived work.
+.\"
+.\"NRL LICENSE
+.\"
+.\"NRL grants permission for redistribution and use in source and binary
+.\"forms, with or without modification, of the software and documentation
+.\"created at NRL provided that the following conditions are met:
+.\"
+.\"1. Redistributions of source code must retain the above copyright
+.\"   notice, this list of conditions and the following disclaimer.
+.\"2. Redistributions in binary form must reproduce the above copyright
+.\"   notice, this list of conditions and the following disclaimer in the
+.\"   documentation and/or other materials provided with the distribution.
+.\"3. All advertising materials mentioning features or use of this software
+.\"   must display the following acknowledgement:
+.\"
+.\"	This product includes software developed at the Information
+.\"	Technology Division, US Naval Research Laboratory.
+.\"
+.\"4. Neither the name of the NRL nor the names of its contributors
+.\"   may be used to endorse or promote products derived from this software
+.\"   without specific prior written permission.
+.\"
+.\"THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS
+.\"IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\"TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+.\"PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL NRL OR
+.\"CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+.\"EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+.\"PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+.\"PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+.\"LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+.\"NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+.\"SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\"The views and conclusions contained in the software and documentation
+.\"are those of the authors and should not be interpreted as representing
+.\"official policies, either expressed or implied, of the US Naval
+.\"Research Laboratory (NRL).
+.\"
+.\"----------------------------------------------------------------------*/
+.\"
+.\"	$ANA: keyadmin.8,v 1.3 1996/06/13 20:15:57 wollman Exp $
+.\"
+.Dd June 13, 1996
+.Dt KEY 8
+.Os
+.Sh NAME
+.Nm keyadmin
+.Nd manually manipulate the kernel key management database
+.Sh SYNOPSIS
+.Nm keyadmin
+.Op Ar command Op Ar args
+.Sh DESCRIPTION
+The
+.Nm
+command is used to manually enter security associations into the kernel
+key/security association database.  (See 
+.Xr key 4 ).
+.Pp
+Almost any operation offered in the
+.Xr key 4
+API is available to privleged users running
+.Nm keyadmin .
+Until there is an implementation of an automated key management protocol,
+which will manipulate the key database in a manner similar to how
+.Xr routed 8
+or
+.Xr gated 8
+manipulates the routing tables,
+.Nm
+is the only way of establishing security associations.
+.Pp
+If
+.Nm
+is invoked without any arguments, it will enter an interactive mode, where
+the user can type in
+.Dq Ar command Op Ar args
+interactively, or use
+.Nm
+to enter a single
+.Dq Ar command Op Ar args .
+.Ar Command
+can be one of the following:
+.Bl -inset
+.It Nm del Ar type spi source destination
+.Pp
+Delete a security association between
+.Ar source
+and
+.Ar destination
+of the given
+.Ar type
+and
+.Ar spi .
+Example:
+.Bd -literal
+	delete esp 90125 anderson.yes.org rabin.yes.org
+.Ed
+.It Nm get Ar type spi source destination
+.Pp
+Retrieve (and print) a security association between
+.Ar source
+and
+.Ar destination
+of the given
+.Ar type
+and
+.Ar spi .
+Example:
+.Bd -literal
+	get ah 5150 eddie.vanhalen.com alex.vanhalen.com
+.Ed
+.It Nm dump
+.Pp
+Display the entire security association table.  WARNING:  This prints a lot
+of data.
+.It Nm load Ar filename
+.Pp
+Load security association information from a file formatted as documented in
+.Xr keys 5 .  If 
+.Dq -
+is specified for the
+.Ar filename ,
+load keys from the standard input.
+.It Nm save Ar filename
+.Pp
+Save security association information to a file formatted as documented in
+.Xr keys 5 .  If
+.Dq -
+is specified for the
+.Ar filename ,
+place the key file out on the standard output.  (This can be used as a sort
+of lightweight
+.Nm dump
+command.)
+NOTE:  The save command must create a new file; it will not write into an
+existing file.  This is to prevent writing into a world-readable file, or a
+named pipe or UNIX socket (see
+.Xr socket 2
+and
+.Xr mkfifo 1 ).
+.It Nm help Op command
+.Pp
+Offer brief help without an argument, or slightly more specific help on a
+particular command.
+.It Nm flush
+.Pp
+Erase all entries in the kernel security association table.
+.El
+
+.Pp
+The following values for
+.Ar command
+are only available by using
+.Nm key
+in its interactive mode of operation:
+.Bl -inset
+.It Nm add Ar type spi source destination transform key
+.Op Ar iv
+.Pp
+Add a security association of a particular
+.Ar type
+and
+.Ar spi
+from a
+.Ar source
+to a
+.Ar destination ,
+using a particular
+.Ar transform
+and
+.Ar key .
+If a transform requires an initialization vector, the
+.Ar iv
+argument contains it.  This command is available only in interactive mode
+because
+.Nm
+makes no attempt to destroy its argument vector after use.  A malicous user
+of the
+.Xr ps 1
+command could determine security keys if
+.Nm add
+were allowed to be used straight from the command line.  Example:
+.Bd -literal
+	add esp 2112 temples.syrinx.org priests.syrinx.org des-cbc \\
+		a652a476a652a476 87ac9876deac9876
+.Ed
+.It Nm exit
+.It Nm quit
+.Pp
+Exit interaction with
+.Nm keyadmin .
+An EOF will also end interaction with
+.Nm keyadmin .
+.El
+.Sh SEE ALSO
+.Xr ipsec 4 ,
+.Xr key 4 ,
+.Xr route 4 ,
+.Xr gated 8 ,
+.Xr routed 8
+
+.Sh HISTORY
+The
+.Nm
+command first appeared in NRL's
+.Bx 4.4
+IPv6 networking distribution.
+.Nm Keyadmin
+started its life as a pipe dream thought up by Dan McDonald, and came to
+life through the excruciating efforts of Ran Atkinson, Dan McDonald, 
+Craig Metz, and Bao Phan.
+The NRL version of the program was originally called
+.Nm key ,
+but was renamed to
+.Nm keyadmin
+because of the conflict with
+.Xr key 1 .
+.Sh BUGS
+.Nm Keyadmin
+needs a -n flag like
+.Xr route 8
+to avoid name lookups.
+.Pp
+The dump and save commands currently display the first 30 or so entries.
--- a/usr.sbin/keyadmin/keyadmin.c
+++ b/usr.sbin/keyadmin/keyadmin.c
--- a/usr.sbin/keyadmin/keys
+++ b/usr.sbin/keyadmin/keys
@ -0,0 +1,18 @@
+# This is an example key file.
+
+# The format of entries in this file is as follows:
+# <type> <spi> <src> <dst> <transform> <key> [iv]
+#
+# where:
+#
+# <type>       is currently one of { ah | esp }
+# <spi>        is a decimal number
+# <src>        is an IP address for the source this association applies to
+# <dst>        is an IP address for the destination this assoc. applies to
+# <transform>  is currently one of { md5 } for ah, { des-cbc } for esp
+# <key>        is a hexadecimal key value (key length is derived from hex len)
+# [iv]         is a hexadecimal initial value (length is derived from hex len)
+#                  [this field is required for des-cbc, ignored for others]
+
+ah 	1142 ::0 ::0 md5 	0123456789abcdef0123456789abcdef
+esp	1984 ::0 ::0 des-cbc 	0123456789abcdef 11223344