ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

Bye bye Pluto! 

Charon will take over IKEv1 duties from here.  This also removes
libfreeswan and whack.
This commit is contained in:
Tobias Brunner 2012-05-15 16:59:00 +02:00
parent 4a54860986
commit fff4b74db2
180 changed files with 41 additions and 69881 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
Android.mk.in
View File

@ -6,12 +6,10 @@ include $(CLEAR_VARS)
# build/target/product/core.mk
# possible executables are
# starter - allows to control and configure the daemons from the command line
# charon - the IKEv2 daemon
# pluto - the IKEv1 daemon
# charon - the IKE daemon
# if you enable starter and/or pluto (see above) uncomment the proper lines here
# if you enable starter (see above) uncomment this line too
# strongswan_BUILD_STARTER := true
# strongswan_BUILD_PLUTO := true
# this is the list of plugins that are built into libstrongswan and charon
# also these plugins are loaded by default (if not changed in strongswan.conf)
@ -19,20 +17,10 @@ strongswan_CHARON_PLUGINS := openssl fips-prf random pubkey pkcs1 \
pem xcbc hmac kernel-netlink socket-default android \
stroke eap-identity eap-mschapv2 eap-md5
ifneq ($(strongswan_BUILD_PLUTO),)
# if both daemons are enabled we use raw sockets in charon
strongswan_CHARON_PLUGINS := $(subst socket-default,socket-raw, \
$(strongswan_CHARON_PLUGINS))
# plugins loaded by pluto
strongswan_PLUTO_PLUGINS := openssl fips-prf random pubkey pkcs1 \
pem xcbc hmac kernel-netlink xauth
endif
strongswan_STARTER_PLUGINS := kernel-netlink
# list of all plugins - used to enable them with the function below
strongswan_PLUGINS := $(sort $(strongswan_CHARON_PLUGINS) \
$(strongswan_PLUTO_PLUGINS) \
$(strongswan_STARTER_PLUGINS))
# helper macros to only add source files for plugins included in the list above
@ -115,18 +103,10 @@ strongswan_BUILD := \
ifneq ($(strongswan_BUILD_STARTER),)
strongswan_BUILD += \
libfreeswan \
starter \
stroke \
ipsec
endif
ifneq ($(strongswan_BUILD_PLUTO),)
strongswan_BUILD += \
libfreeswan \
pluto \
whack
endif
include $(addprefix $(LOCAL_PATH)/src/,$(addsuffix /Android.mk, \
$(sort $(strongswan_BUILD))))

98
configure.in
View File

@ -164,12 +164,9 @@ ARG_ENABL_SET([manager], [enable web management console (proof of concept
ARG_ENABL_SET([mediation], [enable IKEv2 Mediation Extension.])
ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.])
ARG_DISBL_SET([load-warning], [disable the charon/pluto plugin load option warning in starter.])
ARG_ENABL_SET([pluto], [enable the IKEv1 keying daemon pluto.])
ARG_DISBL_SET([ikev1], [disable IKEv1 protocol support in charon.])
ARG_DISBL_SET([ikev2], [disable IKEv2 protocol support in charon.])
ARG_DISBL_SET([xauth], [disable xauth plugin.])
ARG_DISBL_SET([threads], [disable the use of threads in pluto. Charon always uses threads.])
ARG_DISBL_SET([adns], [disable the use of adns in pluto (disables opportunistic encryption).])
ARG_DISBL_SET([charon], [disable the IKEv1/IKEv2 keying daemon charon.])
ARG_DISBL_SET([tools], [disable additional utilities (openac, scepclient and pki).])
ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).])
@ -303,16 +300,6 @@ if test x$medcli = xtrue; then
mediation=true
fi
if test x$pluto = xtrue; then
if test x$socket_raw = xfalse; then
AC_MSG_NOTICE([Enforcing --enable-socket-raw, as pluto is enabled])
socket_raw=true
if test x$socket_default_given = xfalse; then
socket_default=false
fi
fi
fi
dnl ===========================================
dnl check required libraries and header files
dnl ===========================================
@ -789,7 +776,6 @@ m4_include(m4/macros/add-plugin.m4)
# plugin lists for all components
charon_plugins=
pluto_plugins=
starter_plugins=
pool_plugins=
attest_plugins=
@ -802,59 +788,57 @@ medsrv_plugins=
nm_plugins=
# location specific lists for checksumming,
# for src/libcharon, src/pluto, src/libhydra and src/libstrongswan
# for src/libcharon, src/libhydra and src/libstrongswan
c_plugins=
p_plugins=
h_plugins=
s_plugins=
ADD_PLUGIN([test-vectors], [s charon pluto openac scepclient pki])
ADD_PLUGIN([curl], [s charon pluto scepclient scripts nm])
ADD_PLUGIN([soup], [s charon pluto scripts nm])
ADD_PLUGIN([ldap], [s charon pluto scepclient scripts nm])
ADD_PLUGIN([mysql], [s charon pluto pool manager medsrv attest])
ADD_PLUGIN([sqlite], [s charon pluto pool manager medsrv attest])
ADD_PLUGIN([test-vectors], [s charon openac scepclient pki])
ADD_PLUGIN([curl], [s charon scepclient scripts nm])
ADD_PLUGIN([soup], [s charon scripts nm])
ADD_PLUGIN([ldap], [s charon scepclient scripts nm])
ADD_PLUGIN([mysql], [s charon pool manager medsrv attest])
ADD_PLUGIN([sqlite], [s charon pool manager medsrv attest])
ADD_PLUGIN([pkcs11], [s charon pki nm])
ADD_PLUGIN([aes], [s charon pluto openac scepclient pki scripts nm])
ADD_PLUGIN([des], [s charon pluto openac scepclient pki scripts nm])
ADD_PLUGIN([blowfish], [s charon pluto openac scepclient pki scripts nm])
ADD_PLUGIN([sha1], [s charon pluto openac scepclient pki scripts medsrv attest nm])
ADD_PLUGIN([sha2], [s charon pluto openac scepclient pki scripts medsrv attest nm])
ADD_PLUGIN([aes], [s charon openac scepclient pki scripts nm])
ADD_PLUGIN([des], [s charon openac scepclient pki scripts nm])
ADD_PLUGIN([blowfish], [s charon openac scepclient pki scripts nm])
ADD_PLUGIN([sha1], [s charon openac scepclient pki scripts medsrv attest nm])
ADD_PLUGIN([sha2], [s charon openac scepclient pki scripts medsrv attest nm])
ADD_PLUGIN([md4], [s charon openac manager scepclient pki nm])
ADD_PLUGIN([md5], [s charon pluto openac scepclient pki scripts attest nm])
ADD_PLUGIN([random], [s charon pluto openac scepclient pki scripts medsrv attest nm])
ADD_PLUGIN([md5], [s charon openac scepclient pki scripts attest nm])
ADD_PLUGIN([random], [s charon openac scepclient pki scripts medsrv attest nm])
ADD_PLUGIN([nonce], [s charon nm])
ADD_PLUGIN([x509], [s charon pluto openac scepclient pki scripts attest nm])
ADD_PLUGIN([x509], [s charon openac scepclient pki scripts attest nm])
ADD_PLUGIN([revocation], [s charon nm])
ADD_PLUGIN([constraints], [s charon nm])
ADD_PLUGIN([pubkey], [s charon])
ADD_PLUGIN([pkcs1], [s charon pluto openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([pkcs8], [s charon pluto openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([pgp], [s charon pluto])
ADD_PLUGIN([dnskey], [s pluto])
ADD_PLUGIN([pem], [s charon pluto openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([pkcs1], [s charon openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([pkcs8], [s charon openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([pgp], [s charon])
ADD_PLUGIN([dnskey], [s charon])
ADD_PLUGIN([pem], [s charon openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([padlock], [s charon])
ADD_PLUGIN([openssl], [s charon pluto openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([gcrypt], [s charon pluto openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([af-alg], [s charon pluto openac scepclient pki scripts medsrv attest nm])
ADD_PLUGIN([openssl], [s charon openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([gcrypt], [s charon openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([af-alg], [s charon openac scepclient pki scripts medsrv attest nm])
ADD_PLUGIN([fips-prf], [s charon nm])
ADD_PLUGIN([gmp], [s charon pluto openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([gmp], [s charon openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([agent], [s charon nm])
ADD_PLUGIN([xcbc], [s charon nm])
ADD_PLUGIN([cmac], [s charon nm])
ADD_PLUGIN([hmac], [s charon pluto scripts nm])
ADD_PLUGIN([hmac], [s charon scripts nm])
ADD_PLUGIN([ctr], [s charon scripts nm])
ADD_PLUGIN([ccm], [s charon scripts nm])
ADD_PLUGIN([gcm], [s charon scripts nm])
ADD_PLUGIN([xauth], [p pluto])
ADD_PLUGIN([attr], [h charon pluto])
ADD_PLUGIN([attr-sql], [h charon pluto])
ADD_PLUGIN([attr], [h charon])
ADD_PLUGIN([attr-sql], [h charon])
ADD_PLUGIN([load-tester], [c charon])
ADD_PLUGIN([kernel-pfkey], [h charon pluto starter nm])
ADD_PLUGIN([kernel-pfroute], [h charon pluto starter nm])
ADD_PLUGIN([kernel-klips], [h charon pluto starter])
ADD_PLUGIN([kernel-netlink], [h charon pluto starter nm])
ADD_PLUGIN([resolve], [h charon pluto])
ADD_PLUGIN([kernel-pfkey], [h charon starter nm])
ADD_PLUGIN([kernel-pfroute], [h charon starter nm])
ADD_PLUGIN([kernel-klips], [h charon starter])
ADD_PLUGIN([kernel-netlink], [h charon starter nm])
ADD_PLUGIN([resolve], [h charon])
ADD_PLUGIN([socket-default], [c charon nm])
ADD_PLUGIN([socket-raw], [c charon nm])
ADD_PLUGIN([socket-dynamic], [c charon])
@ -907,7 +891,6 @@ ADD_PLUGIN([addrblock], [c charon])
ADD_PLUGIN([unit-tester], [c charon])
AC_SUBST(charon_plugins)
AC_SUBST(pluto_plugins)
AC_SUBST(starter_plugins)
AC_SUBST(pool_plugins)
AC_SUBST(attest_plugins)
@ -1039,10 +1022,6 @@ AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
dnl pluto plugins
dnl =============
AM_CONDITIONAL(USE_XAUTH, test x$xauth = xtrue)
dnl other options
dnl =============
AM_CONDITIONAL(USE_SMARTCARD, test x$smartcard = xtrue)
@ -1058,7 +1037,6 @@ AM_CONDITIONAL(USE_MANAGER, test x$manager = xtrue)
AM_CONDITIONAL(USE_ME, test x$mediation = xtrue)
AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
AM_CONDITIONAL(USE_LOAD_WARNING, test x$load_warning = xtrue)
AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
AM_CONDITIONAL(USE_IKEV1, test x$ikev1 = xtrue)
AM_CONDITIONAL(USE_IKEV2, test x$ikev2 = xtrue)
AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
@ -1068,13 +1046,13 @@ AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue)
AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$pluto = xtrue -o x$nm = xtrue)
AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue)
AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$nm = xtrue)
AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue)
AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$pluto = xtrue -o x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
@ -1162,7 +1140,6 @@ AC_OUTPUT(
src/libhydra/plugins/kernel_pfkey/Makefile
src/libhydra/plugins/kernel_pfroute/Makefile
src/libhydra/plugins/resolve/Makefile
src/libfreeswan/Makefile
src/libsimaka/Makefile
src/libtls/Makefile
src/libradius/Makefile
@ -1176,9 +1153,6 @@ AC_OUTPUT(
src/libimcv/plugins/imv_test/Makefile
src/libimcv/plugins/imc_scanner/Makefile
src/libimcv/plugins/imv_scanner/Makefile
src/pluto/Makefile
src/pluto/plugins/xauth/Makefile
src/whack/Makefile
src/charon/Makefile
src/charon-nm/Makefile
src/libcharon/Makefile

8
src/Makefile.am
View File

@ -41,17 +41,13 @@ if USE_LIBCHARON
endif
if USE_FILE_CONFIG
SUBDIRS += libfreeswan starter
SUBDIRS += starter
endif
if USE_IPSEC_SCRIPT
SUBDIRS += ipsec _copyright
endif
if USE_PLUTO
SUBDIRS += pluto whack
endif
if USE_CHARON
SUBDIRS += charon
endif
@ -69,7 +65,7 @@ if USE_UPDOWN
endif
if USE_TOOLS
SUBDIRS += libfreeswan openac scepclient pki
SUBDIRS += openac scepclient pki
endif
if USE_CONFTEST

5
src/checksum/Makefile.am
View File

@ -79,11 +79,6 @@ if !MONOLITHIC
endif
endif
if USE_PLUTO
exes += $(top_builddir)/src/pluto/.libs/pluto
AM_CFLAGS += -DP_PLUGINS=\""${p_plugins}\""
endif
if USE_TOOLS
exes += $(top_builddir)/src/openac/.libs/openac
exes += $(top_builddir)/src/pki/.libs/pki

38
src/libfreeswan/Android.mk
View File

@ -1,38 +0,0 @@
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
# copy-n-paste from Makefile.am
LOCAL_SRC_FILES := \
addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \
pfkey_v2_build.c pfkey_v2_debug.c \
pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \
pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \
satot.c subnetof.c subnettoa.c subnettot.c \
subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
ultoa.c ultot.c
# build libfreeswan ------------------------------------------------------------
LOCAL_C_INCLUDES += \
$(libvstr_PATH) \
$(strongswan_PATH)/src/include \
$(strongswan_PATH)/src/libstrongswan \
$(strongswan_PATH)/src/libhydra \
$(strongswan_PATH)/src/pluto
LOCAL_CFLAGS := $(strongswan_CFLAGS)
LOCAL_MODULE := libfreeswan
LOCAL_MODULE_TAGS := optional
LOCAL_ARM_MODE := arm
LOCAL_PRELINK_MODULE := false
LOCAL_SHARED_LIBRARIES += libstrongswan
include $(BUILD_SHARED_LIBRARY)

22
src/libfreeswan/Makefile.am
View File

@ -1,22 +0,0 @@
noinst_LIBRARIES = libfreeswan.a
libfreeswan_a_SOURCES = \
addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \
pfkey_v2_build.c pfkey_v2_debug.c \
pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \
pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \
satot.c subnetof.c subnettoa.c subnettot.c \
subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
ultoa.c ultot.c
INCLUDES = \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/pluto
dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
portof.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
ttoaddr.3 ttodata.3 ttosa.3 ttoul.3
EXTRA_DIST = Android.mk

66
src/libfreeswan/addrtoa.c
View File

@ -1,66 +0,0 @@
/*
* addresses to ASCII
* Copyright (C) 1998, 1999 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
#define NBYTES 4 /* bytes in an address */
#define PERBYTE 4 /* three digits plus a dot or NUL */
#define BUFLEN (NBYTES*PERBYTE)
#if BUFLEN != ADDRTOA_BUF
#error "ADDRTOA_BUF in freeswan.h inconsistent with addrtoa() code"
#endif
/*
- addrtoa - convert binary address to ASCII dotted decimal
*/
size_t /* space needed for full conversion */
addrtoa(addr, format, dst, dstlen)
struct in_addr addr;
int format; /* character */
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
{
unsigned long a = ntohl(addr.s_addr);
int i;
size_t n;
unsigned long byte;
char buf[BUFLEN];
char *p;
switch (format) {
case 0:
break;
default:
return 0;
break;
}
p = buf;
for (i = NBYTES-1; i >= 0; i--) {
byte = (a >> (i*8)) & 0xff;
p += ultoa(byte, 10, p, PERBYTE);
if (i != 0)
*(p-1) = '.';
}
n = p - buf;
if (dstlen > 0) {
if (n > dstlen)
buf[dstlen - 1] = '\0';
strcpy(dst, buf);
}
return n;
}

302
src/libfreeswan/addrtot.c
View File

@ -1,302 +0,0 @@
/*
* addresses to text
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include <sys/socket.h>
#include "internal.h"
#include "freeswan.h"
#define IP4BYTES 4 /* bytes in an IPv4 address */
#define PERBYTE 4 /* three digits plus a dot or NUL */
#define IP6BYTES 16 /* bytes in an IPv6 address */
/* forwards */
static size_t normal4(const unsigned char *s, size_t len, char *b, char **dp);
static size_t normal6(const unsigned char *s, size_t len, char *b, char **dp, int squish);
static size_t reverse4(const unsigned char *s, size_t len, char *b, char **dp);
static size_t reverse6(const unsigned char *s, size_t len, char *b, char **dp);
/*
- addrtot - convert binary address to text (dotted decimal or IPv6 string)
*/
size_t /* space needed for full conversion */
addrtot(src, format, dst, dstlen)
const ip_address *src;
int format; /* character */
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
{
const unsigned char *b;
size_t n;
char buf[1+ADDRTOT_BUF+1]; /* :address: */
char *p;
int t = addrtypeof(src);
# define TF(t, f) (((t)<<8) | (f))
n = addrbytesptr(src, &b);
if (n == 0)
return 0;
switch (TF(t, format)) {
case TF(AF_INET, 0):
n = normal4(b, n, buf, &p);
break;
case TF(AF_INET6, 0):
n = normal6(b, n, buf, &p, 1);
break;
case TF(AF_INET, 'Q'):
n = normal4(b, n, buf, &p);
break;
case TF(AF_INET6, 'Q'):
n = normal6(b, n, buf, &p, 0);
break;
case TF(AF_INET, 'r'):
n = reverse4(b, n, buf, &p);
break;
case TF(AF_INET6, 'r'):
n = reverse6(b, n, buf, &p);
break;
default: /* including (AF_INET, 'R') */
return 0;
break;
}
if (dstlen > 0) {
if (dstlen < n)
p[dstlen - 1] = '\0';
strcpy(dst, p);
}
return n;
}
/*
- normal4 - normal IPv4 address-text conversion
*/
static size_t /* size of text, including NUL */
normal4(srcp, srclen, buf, dstp)
const unsigned char *srcp;
size_t srclen;
char *buf; /* guaranteed large enough */
char **dstp; /* where to put result pointer */
{
int i;
char *p;
if (srclen != IP4BYTES) /* "can't happen" */
return 0;
p = buf;
for (i = 0; i < IP4BYTES; i++) {
p += ultot(srcp[i], 10, p, PERBYTE);
if (i != IP4BYTES - 1)
*(p-1) = '.'; /* overwrites the NUL */
}
*dstp = buf;
return p - buf;
}
/*
- normal6 - normal IPv6 address-text conversion
*/
static size_t /* size of text, including NUL */
normal6(srcp, srclen, buf, dstp, squish)
const unsigned char *srcp;
size_t srclen;
char *buf; /* guaranteed large enough, plus 2 */
char **dstp; /* where to put result pointer */
int squish; /* whether to squish out 0:0 */
{
int i;
unsigned long piece;
char *p;
char *q;
if (srclen != IP6BYTES) /* "can't happen" */
return 0;
p = buf;
*p++ = ':';
for (i = 0; i < IP6BYTES/2; i++) {
piece = (srcp[2*i] << 8) + srcp[2*i + 1];
p += ultot(piece, 16, p, 5); /* 5 = abcd + NUL */
*(p-1) = ':'; /* overwrites the NUL */
}
*p = '\0';
q = strstr(buf, ":0:0:");
if (squish && q != NULL) { /* zero squishing is possible */
p = q + 1;
while (*p == '0' && *(p+1) == ':')
p += 2;
q++;
*q++ = ':'; /* overwrite first 0 */
while (*p != '\0')
*q++ = *p++;
*q = '\0';
if (!(*(q-1) == ':' && *(q-2) == ':'))
*--q = '\0'; /* strip final : unless :: */
p = buf;
if (!(*p == ':' && *(p+1) == ':'))
p++; /* skip initial : unless :: */
} else {
q = p;
*--q = '\0'; /* strip final : */
p = buf + 1; /* skip initial : */
}
*dstp = p;
return q - p + 1;
}
/*
- reverse4 - IPv4 reverse-lookup conversion
*/
static size_t /* size of text, including NUL */
reverse4(srcp, srclen, buf, dstp)
const unsigned char *srcp;
size_t srclen;
char *buf; /* guaranteed large enough */
char **dstp; /* where to put result pointer */
{
int i;
char *p;
if (srclen != IP4BYTES) /* "can't happen" */
return 0;
p = buf;
for (i = IP4BYTES-1; i >= 0; i--) {
p += ultot(srcp[i], 10, p, PERBYTE);
*(p-1) = '.'; /* overwrites the NUL */
}
strcpy(p, "IN-ADDR.ARPA.");
*dstp = buf;
return strlen(buf) + 1;
}
/*
- reverse6 - IPv6 reverse-lookup conversion (RFC 1886)
* A trifle inefficient, really shouldn't use ultot...
*/
static size_t /* size of text, including NUL */
reverse6(srcp, srclen, buf, dstp)
const unsigned char *srcp;
size_t srclen;
char *buf; /* guaranteed large enough */
char **dstp; /* where to put result pointer */
{
int i;
unsigned long piece;
char *p;
if (srclen != IP6BYTES) /* "can't happen" */
return 0;
p = buf;
for (i = IP6BYTES-1; i >= 0; i--) {
piece = srcp[i];
p += ultot(piece&0xf, 16, p, 2);
*(p-1) = '.';
p += ultot(piece>>4, 16, p, 2);
*(p-1) = '.';
}
strcpy(p, "IP6.ARPA.");
*dstp = buf;
return strlen(buf) + 1;
}
/*
- reverse6 - modern IPv6 reverse-lookup conversion (RFC 2874)
* this version removed as it was obsoleted in the end.
*/
#ifdef ADDRTOT_MAIN
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
void regress(void);
int
main(int argc, char *argv[])
{
if (argc < 2) {
fprintf(stderr, "Usage: %s {addr|net/mask|begin...end|-r}\n",
argv[0]);
exit(2);
}
if (strcmp(argv[1], "-r") == 0) {
regress();
fprintf(stderr, "regress() returned?!?\n");
exit(1);
}
exit(0);
}
struct rtab {
char *input;
char format;
char *output; /* NULL means error expected */
} rtab[] = {
{"1.2.3.0", 0, "1.2.3.0"},
{"1:2::3:4", 0, "1:2::3:4"},
{"1:2::3:4", 'Q', "1:2:0:0:0:0:3:4"},
{"1:2:0:0:3:4:0:0", 0, "1:2::3:4:0:0"},
{"1.2.3.4", 'r' , "4.3.2.1.IN-ADDR.ARPA."},
/* 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f */
{"1:2::3:4", 'r', "4.0.0.0.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.1.0.0.0.IP6.ARPA."},
{NULL, 0, NULL}
};
void
regress()
{
struct rtab *r;
int status = 0;
ip_address a;
char in[100];
char buf[100];
const char *oops;
size_t n;
for (r = rtab; r->input != NULL; r++) {
strcpy(in, r->input);
/* convert it *to* internal format */
oops = ttoaddr(in, strlen(in), 0, &a);
/* now convert it back */
n = addrtot(&a, r->format, buf, sizeof(buf));
if (n == 0 && r->output == NULL)
{} /* okay, error expected */
else if (n == 0) {
printf("`%s' atoasr failed\n", r->input);
status = 1;
} else if (r->output == NULL) {
printf("`%s' atoasr succeeded unexpectedly '%c'\n",
r->input, r->format);
status = 1;
} else {
if (strcasecmp(r->output, buf) != 0) {
printf("`%s' '%c' gave `%s', expected `%s'\n",
r->input, r->format, buf, r->output);
status = 1;
}
}
}
exit(status);
}
#endif /* ADDRTOT_MAIN */

94
src/libfreeswan/addrtypeof.c
View File

@ -1,94 +0,0 @@
/*
* extract parts of an ip_address
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include <sys/socket.h>
#include "internal.h"
#include "freeswan.h"
/*
- addrtypeof - get the type of an ip_address
*/
int
addrtypeof(src)
const ip_address *src;
{
return src->u.v4.sin_family;
}
/*
- addrbytesptr - get pointer to the address bytes of an ip_address
*/
size_t /* 0 for error */
addrbytesptr(src, dstp)
const ip_address *src;
const unsigned char **dstp; /* NULL means just a size query */
{
const unsigned char *p;
size_t n;
switch (src->u.v4.sin_family) {
case AF_INET:
p = (const unsigned char *)&src->u.v4.sin_addr.s_addr;
n = 4;
break;
case AF_INET6:
p = (const unsigned char *)&src->u.v6.sin6_addr;
n = 16;
break;
default:
return 0;
break;
}
if (dstp != NULL)
*dstp = p;
return n;
}
/*
- addrlenof - get length of the address bytes of an ip_address
*/
size_t /* 0 for error */
addrlenof(src)
const ip_address *src;
{
return addrbytesptr(src, NULL);
}
/*
- addrbytesof - get the address bytes of an ip_address
*/
size_t /* 0 for error */
addrbytesof(src, dst, dstlen)
const ip_address *src;
unsigned char *dst;
size_t dstlen;
{
const unsigned char *p;
size_t n;
size_t ncopy;
n = addrbytesptr(src, &p);
if (n == 0)
return 0;
if (dstlen > 0) {
ncopy = n;
if (ncopy > dstlen)
ncopy = dstlen;
memcpy(dst, p, ncopy);
}
return n;
}

86
src/libfreeswan/anyaddr.3
View File

@ -1,86 +0,0 @@
.TH IPSEC_ANYADDR 3 "8 Sept 2000"
.SH NAME
ipsec anyaddr \- get "any" address
.br
ipsec isanyaddr \- test address for equality to "any" address
.br
ipsec unspecaddr \- get "unspecified" address
.br
ipsec isunspecaddr \- test address for equality to "unspecified" address
.br
ipsec loopbackaddr \- get loopback address
.br
ipsec isloopbackaddr \- test address for equality to loopback address
.SH SYNOPSIS
.B "#include <freeswan.h>
.sp
.B "const char *anyaddr(int af, ip_address *dst);"
.br
.B "int isanyaddr(const ip_address *src);"
.br
.B "const char *unspecaddr(int af, ip_address *dst);"
.br
.B "int isunspecaddr(const ip_address *src);"
.br
.B "const char *loopbackaddr(int af, ip_address *dst);"
.br
.B "int isloopbackaddr(const ip_address *src);"
.SH DESCRIPTION
These functions fill in, and test for, special values of the
.I ip_address
type.
.PP
.I Anyaddr
fills in the destination
.I *dst
with the ``any'' address of address family
.IR af
(normally
.B AF_INET
or
.BR AF_INET6 ).
The IPv4 ``any'' address is the one embodied in the old
.B INADDR_ANY
macro.
.PP
.I Isanyaddr
returns
.B 1
if the
.I src
address equals the ``any'' address,
and
.B 0
otherwise.
.PP
Similarly,
.I unspecaddr
supplies, and
.I isunspecaddr
tests for,
the ``unspecified'' address,
which may be the same as the ``any'' address.
.PP
Similarly,
.I loopbackaddr
supplies, and
.I islookbackaddr
tests for,
the loopback address.
.PP
.IR Anyaddr ,
.IR unspecaddr ,
and
.I loopbackaddr
return
.B NULL
for success and
a pointer to a string-literal error message for failure;
see DIAGNOSTICS.
.SH SEE ALSO
inet(3), ipsec_addrtot(3), ipsec_sameaddr(3)
.SH DIAGNOSTICS
Fatal errors in the address-supplying functions are:
unknown address family.
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.

147
src/libfreeswan/anyaddr.c
View File

@ -1,147 +0,0 @@
/*
* special addresses
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include <sys/socket.h>
#include "internal.h"
#include "freeswan.h"
/* OpenSolaris defines strange versions of these macros */
#ifdef __sun
#undef IN6ADDR_ANY_INIT
#define IN6ADDR_ANY_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
#undef IN6ADDR_LOOPBACK_INIT
#define IN6ADDR_LOOPBACK_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
#endif
static struct in6_addr v6any = IN6ADDR_ANY_INIT;
static struct in6_addr v6loop = IN6ADDR_LOOPBACK_INIT;
/*
- anyaddr - initialize to the any-address value
*/
err_t /* NULL for success, else string literal */
anyaddr(af, dst)
int af; /* address family */
ip_address *dst;
{
uint32_t v4any = htonl(INADDR_ANY);
switch (af) {
case AF_INET:
return initaddr((unsigned char *)&v4any, sizeof(v4any), af, dst);
break;
case AF_INET6:
return initaddr((unsigned char *)&v6any, sizeof(v6any), af, dst);
break;
default:
return "unknown address family in anyaddr/unspecaddr";
break;
}
}
/*
- unspecaddr - initialize to the unspecified-address value
*/
err_t /* NULL for success, else string literal */
unspecaddr(af, dst)
int af; /* address family */
ip_address *dst;
{
return anyaddr(af, dst);
}
/*
- loopbackaddr - initialize to the loopback-address value
*/
err_t /* NULL for success, else string literal */
loopbackaddr(af, dst)
int af; /* address family */
ip_address *dst;
{
uint32_t v4loop = htonl(INADDR_LOOPBACK);
switch (af) {
case AF_INET:
return initaddr((unsigned char *)&v4loop, sizeof(v4loop), af, dst);
break;
case AF_INET6:
return initaddr((unsigned char *)&v6loop, sizeof(v6loop), af, dst);
break;
default:
return "unknown address family in loopbackaddr";
break;
}
}
/*
- isanyaddr - test for the any-address value
*/
int
isanyaddr(src)
const ip_address *src;
{
uint32_t v4any = htonl(INADDR_ANY);
int cmp;
switch (src->u.v4.sin_family) {
case AF_INET:
cmp = memcmp(&src->u.v4.sin_addr.s_addr, &v4any, sizeof(v4any));
break;
case AF_INET6:
cmp = memcmp(&src->u.v6.sin6_addr, &v6any, sizeof(v6any));
break;
default:
return 0;
break;
}
return (cmp == 0) ? 1 : 0;
}
/*
- isunspecaddr - test for the unspecified-address value
*/
int
isunspecaddr(src)
const ip_address *src;
{
return isanyaddr(src);
}
/*
- isloopbackaddr - test for the loopback-address value
*/
int
isloopbackaddr(src)
const ip_address *src;
{
uint32_t v4loop = htonl(INADDR_LOOPBACK);
int cmp;
switch (src->u.v4.sin_family) {
case AF_INET:
cmp = memcmp(&src->u.v4.sin_addr.s_addr, &v4loop, sizeof(v4loop));
break;
case AF_INET6:
cmp = memcmp(&src->u.v6.sin6_addr, &v6loop, sizeof(v6loop));
break;
default:
return 0;
break;
}
return (cmp == 0) ? 1 : 0;
}

291
src/libfreeswan/atoaddr.3
View File

@ -1,291 +0,0 @@
.TH IPSEC_ATOADDR 3 "11 June 2001"
.SH NAME
ipsec atoaddr, addrtoa \- convert Internet addresses to and from ASCII
.br
ipsec atosubnet, subnettoa \- convert subnet/mask ASCII form to and from addresses
.SH SYNOPSIS
.B "#include <freeswan.h>
.sp
.B "const char *atoaddr(const char *src, size_t srclen,"
.ti +1c
.B "struct in_addr *addr);"
.br
.B "size_t addrtoa(struct in_addr addr, int format,"
.ti +1c
.B "char *dst, size_t dstlen);"
.sp
.B "const char *atosubnet(const char *src, size_t srclen,"
.ti +1c
.B "struct in_addr *addr, struct in_addr *mask);"
.br
.B "size_t subnettoa(struct in_addr addr, struct in_addr mask,"
.ti +1c
.B "int format, char *dst, size_t dstlen);"
.SH DESCRIPTION
These functions are obsolete; see
.IR ipsec_ttoaddr (3)
for their replacements.
.PP
.I Atoaddr
converts an ASCII name or dotted-decimal address into a binary address
(in network byte order).
.I Addrtoa
does the reverse conversion, back to an ASCII dotted-decimal address.
.I Atosubnet
and
.I subnettoa
do likewise for the ``address/mask'' ASCII form used to write a
specification of a subnet.
.PP
An address is specified in ASCII as a
dotted-decimal address (e.g.
.BR 1.2.3.4 ),
an eight-digit network-order hexadecimal number with the usual C prefix (e.g.
.BR 0x01020304 ,
which is synonymous with
.BR 1.2.3.4 ),
an eight-digit host-order hexadecimal number with a
.B 0h
prefix (e.g.
.BR 0h01020304 ,
which is synonymous with
.B 1.2.3.4
on a big-endian host and
.B 4.3.2.1
on a little-endian host),
a DNS name to be looked up via
.IR getaddrinfo (3),
or an old-style network name to be looked up via
.IR getnetbyname (3).
.PP
A dotted-decimal address may be incomplete, in which case
ASCII-to-binary conversion implicitly appends
as many instances of
.B .0
as necessary to bring it up to four components.
The components of a dotted-decimal address are always taken as
decimal, and leading zeros are ignored.
For example,
.B 10
is synonymous with
.BR 10.0.0.0 ,
and
.B 128.009.000.032
is synonymous with
.BR 128.9.0.32
(the latter example is verbatim from RFC 1166).
The result of
.I addrtoa
is always complete and does not contain leading zeros.
.PP
The letters in
a hexadecimal address may be uppercase or lowercase or any mixture thereof.
Use of hexadecimal addresses is
.B strongly
.BR discouraged ;
they are included only to save hassles when dealing with
the handful of perverted programs which already print
network addresses in hexadecimal.
.PP
DNS names may be complete (optionally terminated with a ``.'')
or incomplete, and are looked up as specified by local system configuration
(see
.IR resolver (5)).
The first value returned by
.IR getaddrinfo (3)
is used,
so with current DNS implementations,
the result when the name corresponds to more than one address is
difficult to predict.
Name lookup resorts to
.IR getnetbyname (3)
only if
.IR getaddrinfo (3)
fails.
.PP
A subnet specification is of the form \fInetwork\fB/\fImask\fR.
The
.I network
and
.I mask
can be any form acceptable to
.IR atoaddr .
In addition, the
.I mask
can be a decimal integer (leading zeros ignored) giving a bit count,
in which case
it stands for a mask with that number of high bits on and all others off
(e.g.,
.B 24
means
.BR 255.255.255.0 ).
In any case, the mask must be contiguous
(a sequence of high bits on and all remaining low bits off).
As a special case, the subnet specification
.B %default
is a synonym for
.BR 0.0.0.0/0 .
.PP
.I Atosubnet
ANDs the mask with the address before returning,
so that any non-network bits in the address are turned off
(e.g.,
.B 10.1.2.3/24
is synonymous with
.BR 10.1.2.0/24 ).
.I Subnettoa
generates the decimal-integer-bit-count
form of the mask,
with no leading zeros,
unless the mask is non-contiguous.
.PP
The
.I srclen
parameter of
.I atoaddr
and
.I atosubnet
specifies the length of the ASCII string pointed to by
.IR src ;
it is an error for there to be anything else
(e.g., a terminating NUL) within that length.
As a convenience for cases where an entire NUL-terminated string is
to be converted,
a
.I srclen
value of
.B 0
is taken to mean
.BR strlen(src) .
.PP
The
.I dstlen
parameter of
.I addrtoa
and
.I subnettoa
specifies the size of the
.I dst
parameter;
under no circumstances are more than
.I dstlen
bytes written to
.IR dst .
A result which will not fit is truncated.
.I Dstlen
can be zero, in which case
.I dst
need not be valid and no result is written,
but the return value is unaffected;
in all other cases, the (possibly truncated) result is NUL-terminated.
The
.I freeswan.h
header file defines constants,
.B ADDRTOA_BUF
and
.BR SUBNETTOA_BUF ,
which are the sizes of buffers just large enough for worst-case results.
.PP
The
.I format
parameter of
.I addrtoa
and
.I subnettoa
specifies what format is to be used for the conversion.
The value
.B 0
(not the ASCII character
.BR '0' ,
but a zero value)
specifies a reasonable default,
and is in fact the only format currently available.
This parameter is a hedge against future needs.
.PP
The ASCII-to-binary functions return NULL for success and
a pointer to a string-literal error message for failure;
see DIAGNOSTICS.
The binary-to-ASCII functions return
.B 0
for a failure, and otherwise
always return the size of buffer which would
be needed to
accommodate the full conversion result, including terminating NUL;
it is the caller's responsibility to check this against the size of
the provided buffer to determine whether truncation has occurred.
.SH SEE ALSO
inet(3)
.SH DIAGNOSTICS
Fatal errors in
.I atoaddr
are:
empty input;
attempt to allocate temporary storage for a very long name failed;
name lookup failed;
syntax error in dotted-decimal form;
dotted-decimal component too large to fit in 8 bits.
.PP
Fatal errors in
.I atosubnet
are:
no
.B /
in
.IR src ;
.I atoaddr
error in conversion of
.I network
or
.IR mask ;
bit-count mask too big;
mask non-contiguous.
.PP
Fatal errors in
.I addrtoa
and
.I subnettoa
are:
unknown format.
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.
.SH BUGS
The interpretation of incomplete dotted-decimal addresses
(e.g.
.B 10/24
means
.BR 10.0.0.0/24 )
differs from that of some older conversion
functions, e.g. those of
.IR inet (3).
The behavior of the older functions has never been
particularly consistent or particularly useful.
.PP
Ignoring leading zeros in dotted-decimal components and bit counts
is arguably the most useful behavior in this application,
but it might occasionally cause confusion with the historical use of leading
zeros to denote octal numbers.
.PP
It is barely possible that somebody, somewhere,
might have a legitimate use for non-contiguous subnet masks.
.PP
.IR Getnetbyname (3)
is a historical dreg.
.PP
The restriction of ASCII-to-binary error reports to literal strings
(so that callers don't need to worry about freeing them or copying them)
does limit the precision of error reporting.
.PP
The ASCII-to-binary error-reporting convention lends itself
to slightly obscure code,
because many readers will not think of NULL as signifying success.
A good way to make it clearer is to write something like:
.PP
.RS
.nf
.B "const char *error;"
.sp
.B "error = atoaddr( /* ... */ );"
.B "if (error != NULL) {"
.B " /* something went wrong */"
.fi
.RE

261
src/libfreeswan/atoaddr.c
View File

@ -1,261 +0,0 @@
/*
* conversion from ASCII forms of addresses to internal ones
* Copyright (C) 1998, 1999 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include <sys/socket.h>
#include "internal.h"
#include "freeswan.h"
/*
* Define NOLEADINGZEROS to interpret 032 as an error, not as 32. There
* is deliberately no way to interpret it as 26 (i.e., as octal).
*/
/*
* Legal characters in a domain name. Underscore technically is not,
* but is a common misunderstanding.
*/
static const char namechars[] = "abcdefghijklmnopqrstuvwxyz0123456789"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ-_.";
static const char *try8hex(const char *, size_t, struct in_addr *);
static const char *try8hosthex(const char *, size_t, struct in_addr *);
static const char *trydotted(const char *, size_t, struct in_addr *);
static const char *getbyte(const char **, const char *, int *);
/*
- atoaddr - convert ASCII name or dotted-decimal address to binary address
*/
const char * /* NULL for success, else string literal */
atoaddr(src, srclen, addrp)
const char *src;
size_t srclen; /* 0 means "apply strlen" */
struct in_addr *addrp;
{
struct addrinfo hints, *res;
struct netent *ne = NULL;
const char *oops, *msg = NULL;
# define HEXLEN 10 /* strlen("0x11223344") */
# ifndef ATOADDRBUF
# define ATOADDRBUF 100
# endif
char namebuf[ATOADDRBUF];
char *p = namebuf;
char *q;
int error;
if (srclen == 0)
srclen = strlen(src);
if (srclen == 0)
return "empty string";
/* might it be hex? */
if (srclen == HEXLEN && *src == '0' && CIEQ(*(src+1), 'x'))
return try8hex(src+2, srclen-2, addrp);
if (srclen == HEXLEN && *src == '0' && CIEQ(*(src+1), 'h'))
return try8hosthex(src+2, srclen-2, addrp);
/* try it as dotted decimal */
oops = trydotted(src, srclen, addrp);
if (oops == NULL)
return NULL; /* it worked */
if (*oops != '?')
return oops; /* it *was* probably meant as a d.q. */
/* try it as a name -- first, NUL-terminate it */
if (srclen > sizeof(namebuf)-1) {
p = (char *) MALLOC(srclen+1);
if (p == NULL)
return "unable to allocate temporary space for name";
}
p[0] = '\0';
strncat(p, src, srclen);
/* next, check that it's a vaguely legal name */
for (q = p; *q != '\0'; q++)
{
if (!isprint(*q))
{
msg = "unprintable character in name";
goto error;
}
}
if (strspn(p, namechars) != srclen)
{
msg = "illegal (non-DNS-name) character in name";
goto error;
}
/* try as host name, failing that as /etc/networks network name */
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
error = getaddrinfo(p, NULL, &hints, &res);
if (error != 0)
{
ne = getnetbyname(p);
if (ne == NULL)
{
msg = "name lookup failed";
goto error;
}
addrp->s_addr = htonl(ne->n_net);
}
else
{
struct sockaddr_in *in = (struct sockaddr_in*)res->ai_addr;
memcpy(&addrp->s_addr, &in->sin_addr.s_addr, sizeof(addrp->s_addr));
freeaddrinfo(res);
}
error:
if (p != namebuf)
{
FREE(p);
}
return msg;
}
/*
- try8hosthex - try conversion as an eight-digit host-order hex number
*/
const char * /* NULL for success, else string literal */
try8hosthex(src, srclen, addrp)
const char *src;
size_t srclen; /* should be 8 */
struct in_addr *addrp;
{
const char *oops;
unsigned long addr;
if (srclen != 8)
return "internal error, try8hex called with bad length";
oops = atoul(src, srclen, 16, &addr);
if (oops != NULL)
return oops;
addrp->s_addr = addr;
return NULL;
}
/*
- try8hex - try conversion as an eight-digit network-order hex number
*/
const char * /* NULL for success, else string literal */
try8hex(src, srclen, addrp)
const char *src;
size_t srclen; /* should be 8 */
struct in_addr *addrp;
{
const char *oops;
oops = try8hosthex(src, srclen, addrp);
if (oops != NULL)
return oops;
addrp->s_addr = htonl(addrp->s_addr);
return NULL;
}
/*
- trydotted - try conversion as dotted decimal
*
* If the first char of a complaint is '?', that means "didn't look like
* dotted decimal at all".
*/
const char * /* NULL for success, else string literal */
trydotted(src, srclen, addrp)
const char *src;
size_t srclen;
struct in_addr *addrp;
{
const char *stop = src + srclen; /* just past end */
int byte;
const char *oops;
unsigned long addr;
int i;
# define NBYTES 4
# define BYTE 8
addr = 0;
for (i = 0; i < NBYTES && src < stop; i++) {
oops = getbyte(&src, stop, &byte);
if (oops != NULL) {
if (*oops != '?')
return oops; /* bad number */
if (i > 1)
return oops+1; /* failed number */
return oops; /* with leading '?' */
}
addr = (addr << BYTE) | byte;
if (i < 3 && src < stop && *src++ != '.') {
if (i == 0)
return "?syntax error in dotted-decimal address";
else
return "syntax error in dotted-decimal address";
}
}
addr <<= (NBYTES - i) * BYTE;
if (src != stop)
return "extra garbage on end of dotted-decimal address";
addrp->s_addr = htonl(addr);
return NULL;
}
/*
- getbyte - try to scan a byte in dotted decimal
* A subtlety here is that all this arithmetic on ASCII digits really is
* highly portable -- ANSI C guarantees that digits 0-9 are contiguous.
* It's easier to just do it ourselves than set up for a call to atoul().
*
* If the first char of a complaint is '?', that means "didn't look like a
* number at all".
*/
const char * /* NULL for success, else string literal */
getbyte(srcp, stop, retp)
const char **srcp; /* *srcp is updated */
const char *stop; /* first untouchable char */
int *retp; /* return-value pointer */
{
char c;
const char *p;
int no;
if (*srcp >= stop)
return "?empty number in dotted-decimal address";
if (stop - *srcp >= 3 && **srcp == '0' && CIEQ(*(*srcp+1), 'x'))
return "hex numbers not supported in dotted-decimal addresses";
#ifdef NOLEADINGZEROS
if (stop - *srcp >= 2 && **srcp == '0' && isdigit(*(*srcp+1)))
return "octal numbers not supported in dotted-decimal addresses";
#endif /* NOLEADINGZEROS */
/* must be decimal, if it's numeric at all */
no = 0;
p = *srcp;
while (p < stop && no <= 255 && (c = *p) >= '0' && c <= '9') {
no = no*10 + (c - '0');
p++;
}
if (p == *srcp)
return "?non-numeric component in dotted-decimal address";
*srcp = p;
if (no > 255)
return "byte overflow in dotted-decimal address";
*retp = no;
return NULL;
}

185
src/libfreeswan/atoasr.3
View File

@ -1,185 +0,0 @@
.TH IPSEC_ATOASR 3 "11 June 2001"
.SH NAME
ipsec atoasr \- convert ASCII to Internet address, subnet, or range
.br
ipsec rangetoa \- convert Internet address range to ASCII
.SH SYNOPSIS
.B "#include <freeswan.h>
.sp
.B "const char *atoasr(const char *src, size_t srclen,"
.ti +1c
.B "char *type, struct in_addr *addrs);"
.br
.B "size_t rangetoa(struct in_addr *addrs, int format,
.ti +1c
.B "char *dst, size_t dstlen);"
.SH DESCRIPTION
These functions are obsolete;
there is no current equivalent,
because so far they have not proved useful.
.PP
.I Atoasr
converts an ASCII address, subnet, or address range
into a suitable combination of binary addresses
(in network byte order).
.I Rangetoa
converts an address range back into ASCII,
using dotted-decimal form for the addresses
(the other reverse conversions are handled by
.IR ipsec_addrtoa (3)
and
.IR ipsec_subnettoa (3)).
.PP
A single address can be any form acceptable to
.IR ipsec_atoaddr (3):
dotted decimal, DNS name, or hexadecimal number.
A subnet
specification uses the form \fInetwork\fB/\fImask\fR
interpreted by
.IR ipsec_atosubnet (3).
.PP
An address range is two
.IR ipsec_atoaddr (3)
addresses separated by a
.B ...
delimiter.
If there are four dots rather than three, the first is taken as
part of the begin address,
e.g. for a complete DNS name which ends with
.B .
to suppress completion attempts.
The begin address of a range must be
less than or equal to the end address.
.PP
The
.I srclen
parameter of
.I atoasr
specifies the length of the ASCII string pointed to by
.IR src ;
it is an error for there to be anything else
(e.g., a terminating NUL) within that length.
As a convenience for cases where an entire NUL-terminated string is
to be converted,
a
.I srclen
value of
.B 0
is taken to mean
.BR strlen(src) .
.PP
The
.I type
parameter of
.I atoasr
must point to a
.B char
variable used to record which form was found.
The
.I addrs
parameter must point to a two-element array of
.B "struct in_addr"
which receives the results.
The values stored into
.BR *type ,
and the corresponding values in the array, are:
.PP
.ta 3c +2c +3c
*type addrs[0] addrs[1]
.sp 0.8
address \&\fB'a'\fR address -
.br
subnet \&\fB's'\fR network mask
.br
range \&\fB'r'\fR begin end
.PP
The
.I dstlen
parameter of
.I rangetoa
specifies the size of the
.I dst
parameter;
under no circumstances are more than
.I dstlen
bytes written to
.IR dst .
A result which will not fit is truncated.
.I Dstlen
can be zero, in which case
.I dst
need not be valid and no result is written,
but the return value is unaffected;
in all other cases, the (possibly truncated) result is NUL-terminated.
The
.I freeswan.h
header file defines a constant,
.BR RANGETOA_BUF ,
which is the size of a buffer just large enough for worst-case results.
.PP
The
.I format
parameter of
.I rangetoa
specifies what format is to be used for the conversion.
The value
.B 0
(not the ASCII character
.BR '0' ,
but a zero value)
specifies a reasonable default,
and is in fact the only format currently available.
This parameter is a hedge against future needs.
.PP
.I Atoasr
returns NULL for success and
a pointer to a string-literal error message for failure;
see DIAGNOSTICS.
.I Rangetoa
returns
.B 0
for a failure, and otherwise
always returns the size of buffer which would
be needed to
accommodate the full conversion result, including terminating NUL;
it is the caller's responsibility to check this against the size of
the provided buffer to determine whether truncation has occurred.
.SH SEE ALSO
ipsec_atoaddr(3), ipsec_atosubnet(3)
.SH DIAGNOSTICS
Fatal errors in
.I atoasr
are:
empty input;
error in
.IR ipsec_atoaddr (3)
or
.IR ipsec_atosubnet (3)
during conversion;
begin address of range exceeds end address.
.PP
Fatal errors in
.I rangetoa
are:
unknown format.
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.
.SH BUGS
The restriction of error reports to literal strings
(so that callers don't need to worry about freeing them or copying them)
does limit the precision of error reporting.
.PP
The error-reporting convention lends itself
to slightly obscure code,
because many readers will not think of NULL as signifying success.
A good way to make it clearer is to write something like:
.PP
.RS
.nf
.B "const char *error;"
.sp
.B "error = atoasr( /* ... */ );"
.B "if (error != NULL) {"
.B " /* something went wrong */"
.fi
.RE

210
src/libfreeswan/atoasr.c
View File

@ -1,210 +0,0 @@
/*
* convert from ASCII form of address/subnet/range to binary
* Copyright (C) 1998, 1999 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- atoasr - convert ASCII to address, subnet, or range
*/
const char * /* NULL for success, else string literal */
atoasr(src, srclen, typep, addrsp)
const char *src;
size_t srclen; /* 0 means "apply strlen" */
char *typep; /* return type code: 'a', 's', 'r' */
struct in_addr addrsp[2];
{
const char *punct;
const char *stop;
const char *oops;
if (srclen == 0)
srclen = strlen(src);
if (srclen == 0)
return "empty string";
/* subnet is easy to spot */
punct = memchr(src, '/', srclen);
if (punct != NULL) {
*typep = 's';
return atosubnet(src, srclen, &addrsp[0], &addrsp[1]);
}
/* try for a range */
stop = src + srclen;
for (punct = src; (punct = memchr(punct, '.', stop - punct)) != NULL;
punct++)
if (stop - punct > 3 && *(punct+1) == '.' && *(punct+2) == '.')
break; /* NOTE BREAK OUT */
if (punct == NULL) {
/* didn't find the range delimiter, must be plain address */
*typep = 'a';
return atoaddr(src, srclen, &addrsp[0]);
}
/* looks like a range */
*typep = 'r';
if (stop - punct > 4 && *(punct+3) == '.')
punct++; /* first dot is trailing dot of name */
oops = atoaddr(src, punct - src, &addrsp[0]);
if (oops != NULL)
return oops;
oops = atoaddr(punct+3, stop - (punct+3), &addrsp[1]);
if (oops != NULL)
return oops;
if (ntohl(addrsp[0].s_addr) > ntohl(addrsp[1].s_addr))
return "invalid range, begin > end";
return NULL;
}
#ifdef ATOASR_MAIN
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
void regress(void);
int
main(int argc, char *argv[])
{
struct in_addr a[2];
char buf[100];
const char *oops;
size_t n;
char type;
if (argc < 2) {
fprintf(stderr, "Usage: %s {addr|net/mask|begin...end|-r}\n",
argv[0]);
exit(2);
}
if (strcmp(argv[1], "-r") == 0) {
regress();
fprintf(stderr, "regress() returned?!?\n");
exit(1);
}
oops = atoasr(argv[1], 0, &type, a);
if (oops != NULL) {
fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops);
exit(1);
}
switch (type) {
case 'a':
n = addrtoa(a[0], 0, buf, sizeof(buf));
break;
case 's':
n = subnettoa(a[0], a[1], 0, buf, sizeof(buf));
break;
case 'r':
n = rangetoa(a, 0, buf, sizeof(buf));
break;
default:
fprintf(stderr, "%s: unknown type '%c'\n", argv[0], type);
exit(1);
break;
}
if (n > sizeof(buf)) {
fprintf(stderr, "%s: reverse conversion of ", argv[0]);
fprintf(stderr, "%s ", inet_ntoa(a[0]));
fprintf(stderr, "%s", inet_ntoa(a[1]));
fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
(long)n, (long)sizeof(buf));
exit(1);
}
printf("%s\n", buf);
exit(0);
}
struct rtab {
char *input;
char *output; /* NULL means error expected */
} rtab[] = {
{"1.2.3.0", "1.2.3.0"},
{"1.2.3.0/255.255.255.0", "1.2.3.0/24"},
{"1.2.3.0...1.2.3.5", "1.2.3.0...1.2.3.5"},
{"1.2.3.4.5", NULL},
{"1.2.3.4/", NULL},
{"1.2.3.4...", NULL},
{"1.2.3.4....", NULL},
{"localhost/32", "127.0.0.1/32"},
{"localhost...127.0.0.3", "127.0.0.1...127.0.0.3"},
{"127.0.0.0...localhost", "127.0.0.0...127.0.0.1"},
{"127.0.0.3...localhost", NULL},
{NULL, NULL}
};
void
regress(void)
{
struct rtab *r;
int status = 0;
struct in_addr a[2];
char in[100];
char buf[100];
const char *oops;
size_t n;
char type;
for (r = rtab; r->input != NULL; r++) {
strcpy(in, r->input);
oops = atoasr(in, 0, &type, a);
if (oops != NULL && r->output == NULL)
{} /* okay, error expected */
else if (oops != NULL) {
printf("`%s' atoasr failed: %s\n", r->input, oops);
status = 1;
} else if (r->output == NULL) {
printf("`%s' atoasr succeeded unexpectedly '%c'\n",
r->input, type);
status = 1;
} else {
switch (type) {
case 'a':
n = addrtoa(a[0], 0, buf, sizeof(buf));
break;
case 's':
n = subnettoa(a[0], a[1], 0, buf, sizeof(buf));
break;
case 'r':
n = rangetoa(a, 0, buf, sizeof(buf));
break;
default:
fprintf(stderr, "`%s' unknown type '%c'\n",
r->input, type);
n = 0;
status = 1;
break;
}
if (n > sizeof(buf)) {
printf("`%s' '%c' reverse failed: need %ld\n",
r->input, type, (long)n);
status = 1;
} else if (n > 0 && strcmp(r->output, buf) != 0) {
printf("`%s' '%c' gave `%s', expected `%s'\n",
r->input, type, buf, r->output);
status = 1;
}
}
}
exit(status);
}
#endif /* ATOASR_MAIN */

214
src/libfreeswan/atosubnet.c
View File

@ -1,214 +0,0 @@
/*
* convert from ASCII form of subnet specification to binary
* Copyright (C) 1998, 1999 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
#ifndef DEFAULTSUBNET
#define DEFAULTSUBNET "%default"
#endif
/*
- atosubnet - convert ASCII "addr/mask" to address and mask
* Mask can be integer bit count.
*/
const char * /* NULL for success, else string literal */
atosubnet(src, srclen, addrp, maskp)
const char *src;
size_t srclen; /* 0 means "apply strlen" */
struct in_addr *addrp;
struct in_addr *maskp;
{
const char *slash;
const char *mask;
size_t mlen;
const char *oops;
unsigned long bc;
static char def[] = DEFAULTSUBNET;
# define DEFLEN (sizeof(def) - 1) /* -1 for NUL */
static char defis[] = "0/0";
# define DEFILEN (sizeof(defis) - 1)
if (srclen == 0)
srclen = strlen(src);
if (srclen == 0)
return "empty string";
if (srclen == DEFLEN && strncmp(src, def, srclen) == 0) {
src = defis;
srclen = DEFILEN;
}
slash = memchr(src, '/', srclen);
if (slash == NULL)
return "no / in subnet specification";
mask = slash + 1;
mlen = srclen - (mask - src);
oops = atoaddr(src, slash-src, addrp);
if (oops != NULL)
return oops;
oops = atoul(mask, mlen, 10, &bc);
if (oops == NULL) {
/* atoul succeeded, it's a bit-count mask */
if (bc > ABITS)
return "bit-count mask too large";
#ifdef NOLEADINGZEROS
if (mlen > 1 && *mask == '0')
return "octal not allowed in mask";
#endif /* NOLEADINGZEROS */
*maskp = bitstomask((int)bc);
} else {
oops = atoaddr(mask, mlen, maskp);
if (oops != NULL)
return oops;
if (!goodmask(*maskp))
return "non-contiguous mask";
}
addrp->s_addr &= maskp->s_addr;
return NULL;
}
#ifdef ATOSUBNET_MAIN
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
void regress(void);
int
main(int argc, char *argv[])
{
struct in_addr a;
struct in_addr m;
char buf[100];
const char *oops;
size_t n;
if (argc < 2) {
fprintf(stderr, "Usage: %s {addr/mask|-r}\n", argv[0]);
exit(2);
}
if (strcmp(argv[1], "-r") == 0) {
regress();
fprintf(stderr, "regress() returned?!?\n");
exit(1);
}
oops = atosubnet(argv[1], 0, &a, &m);
if (oops != NULL) {
fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops);
exit(1);
}
n = subnettoa(a, m, 0, buf, sizeof(buf));
if (n > sizeof(buf)) {
fprintf(stderr, "%s: reverse conversion of ", argv[0]);
fprintf(stderr, "%s/", inet_ntoa(a));
fprintf(stderr, "%s", inet_ntoa(m));
fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
(long)n, (long)sizeof(buf));
exit(1);
}
printf("%s\n", buf);
exit(0);
}
struct rtab {
char *input;
char *output; /* NULL means error expected */
} rtab[] = {
{"1.2.3.0/255.255.255.0", "1.2.3.0/24"},
{"1.2.3.0/24", "1.2.3.0/24"},
{"1.2.3.1/255.255.255.240", "1.2.3.0/28"},
{"1.2.3.1/32", "1.2.3.1/32"},
{"1.2.3.1/0", "0.0.0.0/0"},
/* "1.2.3.1/255.255.127.0", "1.2.3.0/255.255.127.0", */
{"1.2.3.1/255.255.127.0", NULL},
{"128.009.000.032/32", "128.9.0.32/32"},
{"128.0x9.0.32/32", NULL},
{"0x80090020/32", "128.9.0.32/32"},
{"0x800x0020/32", NULL},
{"128.9.0.32/0xffFF0000", "128.9.0.0/16"},
{"128.9.0.32/0xff0000FF", NULL},
{"128.9.0.32/0x0000ffFF", NULL},
{"128.9.0.32/0x00ffFF0000", NULL},
{"128.9.0.32/0xffFF", NULL},
{"128.9.0.32.27/32", NULL},
{"128.9.0k32/32", NULL},
{"328.9.0.32/32", NULL},
{"128.9..32/32", NULL},
{"10/8", "10.0.0.0/8"},
{"10.0/8", "10.0.0.0/8"},
{"10.0.0/8", "10.0.0.0/8"},
{"10.0.1/24", "10.0.1.0/24"},
{"_", NULL},
{"_/_", NULL},
{"1.2.3.1", NULL},
{"1.2.3.1/_", NULL},
{"1.2.3.1/24._", NULL},
{"1.2.3.1/99", NULL},
{"localhost/32", "127.0.0.1/32"},
{"%default", "0.0.0.0/0"},
{NULL, NULL}
};
void
regress()
{
struct rtab *r;
int status = 0;
struct in_addr a;
struct in_addr m;
char in[100];
char buf[100];
const char *oops;
size_t n;
for (r = rtab; r->input != NULL; r++) {
strcpy(in, r->input);
oops = atosubnet(in, 0, &a, &m);
if (oops != NULL && r->output == NULL)
{} /* okay, error expected */
else if (oops != NULL) {
printf("`%s' atosubnet failed: %s\n", r->input, oops);
status = 1;
} else if (r->output == NULL) {
printf("`%s' atosubnet succeeded unexpectedly\n",
r->input);
status = 1;
} else {
n = subnettoa(a, m, 0, buf, sizeof(buf));
if (n > sizeof(buf)) {
printf("`%s' subnettoa failed: need %ld\n",
r->input, (long)n);
status = 1;
} else if (strcmp(r->output, buf) != 0) {
printf("`%s' gave `%s', expected `%s'\n",
r->input, buf, r->output);
status = 1;
}
}
}
exit(status);
}
#endif /* ATOSUBNET_MAIN */

160
src/libfreeswan/atoul.3
View File

@ -1,160 +0,0 @@
.TH IPSEC_ATOUL 3 "11 June 2001"
.SH NAME
ipsec atoul, ultoa \- convert unsigned-long numbers to and from ASCII
.SH SYNOPSIS
.B "#include <freeswan.h>
.sp
.B "const char *atoul(const char *src, size_t srclen,"
.ti +1c
.B "int base, unsigned long *n);"
.br
.B "size_t ultoa(unsigned long n, int base, char *dst,"
.ti +1c
.B "size_t dstlen);"
.SH DESCRIPTION
These functions are obsolete; see
.IR ipsec_ttoul (3)
for their replacements.
.PP
.I Atoul
converts an ASCII number into a binary
.B "unsigned long"
value.
.I Ultoa
does the reverse conversion, back to an ASCII version.
.PP
Numbers are specified in ASCII as
decimal (e.g.
.BR 123 ),
octal with a leading zero (e.g.
.BR 012 ,
which has value 10),
or hexadecimal with a leading
.B 0x
(e.g.
.BR 0x1f ,
which has value 31)
in either upper or lower case.
.PP
The
.I srclen
parameter of
.I atoul
specifies the length of the ASCII string pointed to by
.IR src ;
it is an error for there to be anything else
(e.g., a terminating NUL) within that length.
As a convenience for cases where an entire NUL-terminated string is
to be converted,
a
.I srclen
value of
.B 0
is taken to mean
.BR strlen(src) .
.PP
The
.I base
parameter of
.I atoul
can be
.BR 8 ,
.BR 10 ,
or
.BR 16 ,
in which case the number supplied is assumed to be of that form
(and in the case of
.BR 16 ,
to lack any
.B 0x
prefix).
It can also be
.BR 0 ,
in which case the number is examined for a leading zero
or a leading
.B 0x
to determine its base,
or
.B 13
(halfway between 10 and 16),
which has the same effect as
.B 0
except that a non-hexadecimal
number is considered decimal regardless of any leading zero.
.PP
The
.I dstlen
parameter of
.I ultoa
specifies the size of the
.I dst
parameter;
under no circumstances are more than
.I dstlen
bytes written to
.IR dst .
A result which will not fit is truncated.
.I Dstlen
can be zero, in which case
.I dst
need not be valid and no result is written,
but the return value is unaffected;
in all other cases, the (possibly truncated) result is NUL-terminated.
.PP
The
.I base
parameter of
.I ultoa
must be
.BR 8 ,
.BR 10 ,
or
.BR 16 .
.PP
.I Atoul
returns NULL for success and
a pointer to a string-literal error message for failure;
see DIAGNOSTICS.
.I Ultoa
returns the size of buffer which would
be needed to
accommodate the full conversion result, including terminating NUL;
it is the caller's responsibility to check this against the size of
the provided buffer to determine whether truncation has occurred.
.SH SEE ALSO
atol(3), strtoul(3)
.SH DIAGNOSTICS
Fatal errors in
.I atoul
are:
empty input;
unknown
.IR base ;
non-digit character found;
number too large for an
.BR "unsigned long" .
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.
.SH BUGS
There is no provision for reporting an invalid
.I base
parameter given to
.IR ultoa .
.PP
The restriction of error reports to literal strings
(so that callers don't need to worry about freeing them or copying them)
does limit the precision of error reporting.
.PP
The error-reporting convention lends itself to slightly obscure code,
because many readers will not think of NULL as signifying success.
A good way to make it clearer is to write something like:
.PP
.RS
.nf
.B "const char *error;"
.sp
.B "error = atoul( /* ... */ );"
.B "if (error != NULL) {"
.B " /* something went wrong */"
.fi
.RE

88
src/libfreeswan/atoul.c
View File

@ -1,88 +0,0 @@
/*
* convert from ASCII form of unsigned long to binary
* Copyright (C) 1998, 1999 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- atoul - convert ASCII substring to unsigned long number
*/
const char * /* NULL for success, else string literal */
atoul(src, srclen, base, resultp)
const char *src;
size_t srclen; /* 0 means strlen(src) */
int base; /* 0 means figure it out */
unsigned long *resultp;
{
const char *stop;
static char hex[] = "0123456789abcdef";
static char uchex[] = "0123456789ABCDEF";
int d;
char c;
char *p;
unsigned long r;
unsigned long rlimit;
int dlimit;
if (srclen == 0)
srclen = strlen(src);
if (srclen == 0)
return "empty string";
if (base == 0 || base == 13) {
if (srclen > 2 && *src == '0' && CIEQ(*(src+1), 'x'))
return atoul(src+2, srclen-2, 16, resultp);
if (srclen > 1 && *src == '0' && base != 13)
return atoul(src+1, srclen-1, 8, resultp);
return atoul(src, srclen, 10, resultp);
}
if (base != 8 && base != 10 && base != 16)
return "unsupported number base";
r = 0;
stop = src + srclen;
if (base == 16) {
while (src < stop) {
c = *src++;
p = strchr(hex, c);
if (p != NULL)
d = p - hex;
else {
p = strchr(uchex, c);
if (p == NULL)
return "non-hex-digit in hex number";
d = p - uchex;
}
r = (r << 4) | d;
}
/* defer length check to catch invalid digits first */
if (srclen > sizeof(unsigned long) * 2)
return "hex number too long";
} else {
rlimit = ULONG_MAX / base;
dlimit = (int)(ULONG_MAX - rlimit*base);
while (src < stop) {
c = *src++;
d = c - '0';
if (d < 0 || d >= base)
return "non-digit in number";
if (r > rlimit || (r == rlimit && d > dlimit))
return "unsigned-long overflow";
r = r*base + d;
}
}
*resultp = r;
return NULL;
}

57
src/libfreeswan/copyright.c
View File

@ -1,57 +0,0 @@
/*
* return IPsec copyright notice
* Copyright (C) 2001, 2002 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
static const char *co[] = {
"Copyright (C) 1999-2009 Henry Spencer, Richard Guy Briggs,",
" D. Hugh Redelmeier, Sandy Harris, Claudia Schmeing,",
" Michael Richardson, Angelos D. Keromytis, John Ioannidis,",
"",
" Ken Bantoft, Stephen J. Bevan, JuanJo Ciarlante, Mathieu Lafon,",
" Stephane Laroche, Kai Martius, Stephan Scholz, Tuomo Soini, Herbert Xu,",
"",
" Martin Berner, Marco Bertossa, David Buechi, Ueli Galizzi,",
" Christoph Gysin, Andreas Hess, Patric Lichtsteiner, Michael Meier,",
" Andreas Schleiss, Ariane Seiler, Mario Strasser, Lukas Suter,",
" Roger Wegmann, Simon Zwahlen,",
" ZHW Zuercher Hochschule Winterthur (Switzerland).",
"",
" Philip Boetschi, Tobias Brunner, Sansar Choinyambuu, Adrian Doerig,",
" Andreas Eigenmann, Fabian Hartmann, Noah Heusser, Jan Hutter,",
" Thomas Kallenberg, Daniel Roethlisberger, Joel Stillhart, Martin Willi,",
" Daniel Wydler, Andreas Steffen,",
" HSR Hochschule fuer Technik Rapperswil (Switzerland).",
"",
"This program is free software; you can redistribute it and/or modify it",
"under the terms of the GNU General Public License as published by the",
"Free Software Foundation; either version 2 of the License, or (at your",
"option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.",
"",
"This program is distributed in the hope that it will be useful, but",
"WITHOUT ANY WARRANTY; without even the implied warranty of",
"MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General",
"Public License (file COPYING in the distribution) for more details.",
NULL
};
/*
- ipsec_copyright_notice - return copyright notice, as a vector of strings
*/
const char **
ipsec_copyright_notice()
{
return co;
}

230
src/libfreeswan/datatot.c
View File

@ -1,230 +0,0 @@
/*
* convert from binary data (e.g. key) to text form
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
static void convert(const char *src, size_t nreal, int format, char *out);
/*
- datatot - convert data bytes to text
*/
size_t /* true length (with NUL) for success */
datatot(src, srclen, format, dst, dstlen)
const char *src;
size_t srclen;
int format; /* character indicating what format */
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
{
size_t inblocksize; /* process this many bytes at a time */
size_t outblocksize; /* producing this many */
size_t breakevery; /* add a _ every this many (0 means don't) */
size_t sincebreak; /* output bytes since last _ */
char breakchar; /* character used to break between groups */
char inblock[10]; /* enough for any format */
char outblock[10]; /* enough for any format */
char fake[1]; /* fake output area for dstlen == 0 */
size_t needed; /* return value */
char *stop; /* where the terminating NUL will go */
size_t ntodo; /* remaining input */
size_t nreal;
char *out;
char *prefix;
breakevery = 0;
breakchar = '_';
switch (format) {
case 0:
case 'h':
format = 'x';
breakevery = 8;
/* FALLTHROUGH */
case 'x':
inblocksize = 1;
outblocksize = 2;
prefix = "0x";
break;
case ':':
breakevery = 2;
breakchar = ':';
/* FALLTHROUGH */
case 16:
inblocksize = 1;
outblocksize = 2;
prefix = "";
format = 'x';
break;
case 's':
inblocksize = 3;
outblocksize = 4;
prefix = "0s";
break;
case 64: /* beware, equals ' ' */
inblocksize = 3;
outblocksize = 4;
prefix = "";
format = 's';
break;
default:
return 0;
break;
}
assert(inblocksize < sizeof(inblock));
assert(outblocksize < sizeof(outblock));
assert(breakevery % outblocksize == 0);
if (srclen == 0)
return 0;
ntodo = srclen;
if (dstlen == 0) { /* dispose of awkward special case */
dst = fake;
dstlen = 1;
}
stop = dst + dstlen - 1;
nreal = strlen(prefix);
needed = nreal; /* for starters */
if (dstlen <= nreal) { /* prefix won't fit */
strncpy(dst, prefix, dstlen - 1);
dst += dstlen - 1;
} else {
strcpy(dst, prefix);
dst += nreal;
}
assert(dst <= stop);
sincebreak = 0;
while (ntodo > 0) {
if (ntodo < inblocksize) { /* incomplete input */
memset(inblock, 0, sizeof(inblock));
memcpy(inblock, src, ntodo);
src = inblock;
nreal = ntodo;
ntodo = inblocksize;
} else
nreal = inblocksize;
out = (outblocksize > stop - dst) ? outblock : dst;
convert(src, nreal, format, out);
needed += outblocksize;
sincebreak += outblocksize;
if (dst < stop) {
if (out != dst) {
assert(outblocksize > stop - dst);
memcpy(dst, out, stop - dst);
dst = stop;
} else
dst += outblocksize;
}
src += inblocksize;
ntodo -= inblocksize;
if (breakevery != 0 && sincebreak >= breakevery && ntodo > 0) {
if (dst < stop)
*dst++ = breakchar;
needed++;
sincebreak = 0;
}
}
assert(dst <= stop);
*dst++ = '\0';
needed++;
return needed;
}
/*
- convert - convert one input block to one output block
*/
static void
convert(src, nreal, format, out)
const char *src;
size_t nreal; /* how much of the input block is real */
int format;
char *out;
{
static char hex[] = "0123456789abcdef";
static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789+/";
unsigned char c;
unsigned char c1, c2, c3;
assert(nreal > 0);
switch (format) {
case 'x':
assert(nreal == 1);
c = (unsigned char)*src;
*out++ = hex[c >> 4];
*out++ = hex[c & 0xf];
break;
case 's':
c1 = (unsigned char)*src++;
c2 = (unsigned char)*src++;
c3 = (unsigned char)*src++;
*out++ = base64[c1 >> 2]; /* top 6 bits of c1 */
c = (c1 & 0x3) << 4; /* bottom 2 of c1... */
c |= c2 >> 4; /* ...top 4 of c2 */
*out++ = base64[c];
if (nreal == 1)
*out++ = '=';
else {
c = (c2 & 0xf) << 2; /* bottom 4 of c2... */
c |= c3 >> 6; /* ...top 2 of c3 */
*out++ = base64[c];
}
if (nreal <= 2)
*out++ = '=';
else
*out++ = base64[c3 & 0x3f]; /* bottom 6 of c3 */
break;
default:
assert(nreal == 0); /* unknown format */
break;
}
}
/*
- datatoa - convert data to ASCII
* backward-compatibility synonym for datatot
*/
size_t /* true length (with NUL) for success */
datatoa(src, srclen, format, dst, dstlen)
const char *src;
size_t srclen;
int format; /* character indicating what format */
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
{
return datatot(src, srclen, format, dst, dstlen);
}
/*
- bytestoa - convert data bytes to ASCII
* backward-compatibility synonym for datatot
*/
size_t /* true length (with NUL) for success */
bytestoa(src, srclen, format, dst, dstlen)
const char *src;
size_t srclen;
int format; /* character indicating what format */
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
{
return datatot(src, srclen, format, dst, dstlen);
}

371
src/libfreeswan/freeswan.h
View File

@ -1,371 +0,0 @@
#ifndef _FREESWAN_H
/*
* header file for FreeS/WAN library functions
* Copyright (C) 1998, 1999, 2000 Henry Spencer.
* Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#define _FREESWAN_H /* seen it, no need to see it again */
# include <sys/types.h>
# include <stdio.h>
# include <netinet/in.h>
# define DEBUG_NO_STATIC static
#include <ipsec_param.h>
#include <utils.h>
/*
* We assume header files have IPv6 (i.e. kernel version >= 2.1.0)
*/
#define NET_21
#ifndef IPPROTO_COMP
# define IPPROTO_COMP 108
#endif /* !IPPROTO_COMP */
#ifndef IPPROTO_INT
# define IPPROTO_INT 61
#endif /* !IPPROTO_INT */
#ifdef CONFIG_IPSEC_DEBUG
# define DEBUG_NO_STATIC
#else /* CONFIG_IPSEC_DEBUG */
# define DEBUG_NO_STATIC static
#endif /* CONFIG_IPSEC_DEBUG */
#define ESPINUDP_WITH_NON_IKE 1 /* draft-ietf-ipsec-nat-t-ike-00/01 */
#define ESPINUDP_WITH_NON_ESP 2 /* draft-ietf-ipsec-nat-t-ike-02 */
/*
* Basic data types for the address-handling functions.
* ip_address and ip_subnet are supposed to be opaque types; do not
* use their definitions directly, they are subject to change!
*/
/* then the main types */
typedef struct {
union {
struct sockaddr_in v4;
struct sockaddr_in6 v6;
} u;
} ip_address;
typedef struct {
ip_address addr;
int maskbits;
} ip_subnet;
/* and the SA ID stuff */
typedef u_int32_t ipsec_spi_t;
typedef struct { /* to identify an SA, we need: */
ip_address dst; /* A. destination host */
ipsec_spi_t spi; /* B. 32-bit SPI, assigned by dest. host */
# define SPI_PASS 256 /* magic values... */
# define SPI_DROP 257 /* ...for use... */
# define SPI_REJECT 258 /* ...with SA_INT */
# define SPI_HOLD 259
# define SPI_TRAP 260
# define SPI_TRAPSUBNET 261
int proto; /* C. protocol */
# define SA_ESP 50 /* IPPROTO_ESP */
# define SA_AH 51 /* IPPROTO_AH */
# define SA_IPIP 4 /* IPPROTO_IPIP */
# define SA_COMP 108 /* IPPROTO_COMP */
# define SA_INT 61 /* IANA reserved for internal use */
} ip_said;
struct sa_id { /* old v4-only version */
struct in_addr dst;
ipsec_spi_t spi;
int proto;
};
/* misc */
struct prng { /* pseudo-random-number-generator guts */
unsigned char sbox[256];
int i, j;
unsigned long count;
};
/*
* definitions for user space, taken from freeswan/ipsec_sa.h
*/
typedef uint32_t IPsecSAref_t;
#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH)
#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
#define IPsecSAref2NFmark(x) ((x) << (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
#define NFmark2IPsecSAref(x) ((x) >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
#define IPSEC_SAREF_NULL (~((IPsecSAref_t)0))
/* GCC magic for use in function definitions! */
#ifdef GCC_LINT
# define PRINTF_LIKE(n) __attribute__ ((format(printf, n, n+1)))
# define NEVER_RETURNS __attribute__ ((noreturn))
# define UNUSED __attribute__ ((unused))
# define BLANK_FORMAT " " /* GCC_LINT whines about empty formats */
#else
# define PRINTF_LIKE(n) /* ignore */
# define NEVER_RETURNS /* ignore */
# define UNUSED /* ignore */
# define BLANK_FORMAT ""
#endif
/*
* new IPv6-compatible functions
*/
/* text conversions */
err_t ttoul(const char *src, size_t srclen, int format, unsigned long *dst);
size_t ultot(unsigned long src, int format, char *buf, size_t buflen);
#define ULTOT_BUF (22+1) /* holds 64 bits in octal */
err_t ttoaddr(const char *src, size_t srclen, int af, ip_address *dst);
err_t tnatoaddr(const char *src, size_t srclen, int af, ip_address *dst);
size_t addrtot(const ip_address *src, int format, char *buf, size_t buflen);
/* RFC 1886 old IPv6 reverse-lookup format is the bulkiest */
#define ADDRTOT_BUF (32*2 + 3 + 1 + 3 + 1 + 1)
err_t ttosubnet(const char *src, size_t srclen, int af, ip_subnet *dst);
size_t subnettot(const ip_subnet *src, int format, char *buf, size_t buflen);
#define SUBNETTOT_BUF (ADDRTOT_BUF + 1 + 3)
err_t ttosa(const char *src, size_t srclen, ip_said *dst);
size_t satot(const ip_said *src, int format, char *bufptr, size_t buflen);
#define SATOT_BUF (5 + ULTOA_BUF + 1 + ADDRTOT_BUF)
err_t ttodata(const char *src, size_t srclen, int base, char *buf,
size_t buflen, size_t *needed);
err_t ttodatav(const char *src, size_t srclen, int base,
char *buf, size_t buflen, size_t *needed,
char *errp, size_t errlen, unsigned int flags);
#define TTODATAV_BUF 40 /* ttodatav's largest non-literal message */
#define TTODATAV_IGNORESPACE (1<<1) /* ignore spaces in base64 encodings*/
#define TTODATAV_SPACECOUNTS 0 /* do not ignore spaces in base64 */
size_t datatot(const char *src, size_t srclen, int format, char *buf,
size_t buflen);
err_t ttoprotoport(char *src, size_t src_len, u_int8_t *proto, u_int16_t *port,
bool *has_port_wildcard);
/* initializations */
void initsaid(const ip_address *addr, ipsec_spi_t spi, int proto, ip_said *dst);
err_t loopbackaddr(int af, ip_address *dst);
err_t unspecaddr(int af, ip_address *dst);
err_t anyaddr(int af, ip_address *dst);
err_t initaddr(const unsigned char *src, size_t srclen, int af, ip_address *dst);
err_t initsubnet(const ip_address *addr, int maskbits, int clash, ip_subnet *dst);
err_t addrtosubnet(const ip_address *addr, ip_subnet *dst);
/* misc. conversions and related */
err_t rangetosubnet(const ip_address *from, const ip_address *to, ip_subnet *dst);
int addrtypeof(const ip_address *src);
int subnettypeof(const ip_subnet *src);
size_t addrlenof(const ip_address *src);
size_t addrbytesptr(const ip_address *src, const unsigned char **dst);
size_t addrbytesof(const ip_address *src, unsigned char *dst, size_t dstlen);
int masktocount(const ip_address *src);
void networkof(const ip_subnet *src, ip_address *dst);
void maskof(const ip_subnet *src, ip_address *dst);
/* tests */
int sameaddr(const ip_address *a, const ip_address *b);
int addrcmp(const ip_address *a, const ip_address *b);
int samesubnet(const ip_subnet *a, const ip_subnet *b);
int addrinsubnet(const ip_address *a, const ip_subnet *s);
int subnetinsubnet(const ip_subnet *a, const ip_subnet *b);
int subnetishost(const ip_subnet *s);
int samesaid(const ip_said *a, const ip_said *b);
int sameaddrtype(const ip_address *a, const ip_address *b);
int samesubnettype(const ip_subnet *a, const ip_subnet *b);
int isanyaddr(const ip_address *src);
int isunspecaddr(const ip_address *src);
int isloopbackaddr(const ip_address *src);
/* low-level grot */
int portof(const ip_address *src);
void setportof(int port, ip_address *dst);
struct sockaddr *sockaddrof(ip_address *src);
size_t sockaddrlenof(const ip_address *src);
/* odds and ends */
const char **ipsec_copyright_notice(void);
const char *dns_string_rr(int rr, char *buf, int bufsize);
const char *dns_string_datetime(time_t seconds,
char *buf,
int bufsize);
/*
* old functions, to be deleted eventually
*/
/* unsigned long */
const char * /* NULL for success, else string literal */
atoul(
const char *src,
size_t srclen, /* 0 means strlen(src) */
int base, /* 0 means figure it out */
unsigned long *resultp
);
size_t /* space needed for full conversion */
ultoa(
unsigned long n,
int base,
char *dst,
size_t dstlen
);
#define ULTOA_BUF 21 /* just large enough for largest result, */
/* assuming 64-bit unsigned long! */
/* Internet addresses */
const char * /* NULL for success, else string literal */
atoaddr(
const char *src,
size_t srclen, /* 0 means strlen(src) */
struct in_addr *addr
);
size_t /* space needed for full conversion */
addrtoa(
struct in_addr addr,
int format, /* character; 0 means default */
char *dst,
size_t dstlen
);
#define ADDRTOA_BUF 16 /* just large enough for largest result */
/* subnets */
const char * /* NULL for success, else string literal */
atosubnet(
const char *src,
size_t srclen, /* 0 means strlen(src) */
struct in_addr *addr,
struct in_addr *mask
);
size_t /* space needed for full conversion */
subnettoa(
struct in_addr addr,
struct in_addr mask,
int format, /* character; 0 means default */
char *dst,
size_t dstlen
);
#define SUBNETTOA_BUF 32 /* large enough for worst case result */
/* ranges */
const char * /* NULL for success, else string literal */
atoasr(
const char *src,
size_t srclen, /* 0 means strlen(src) */
char *type, /* 'a', 's', 'r' */
struct in_addr *addrs /* two-element array */
);
size_t /* space needed for full conversion */
rangetoa(
struct in_addr *addrs, /* two-element array */
int format, /* character; 0 means default */
char *dst,
size_t dstlen
);
#define RANGETOA_BUF 34 /* large enough for worst case result */
/* generic data, e.g. keys */
const char * /* NULL for success, else string literal */
atobytes(
const char *src,
size_t srclen, /* 0 means strlen(src) */
char *dst,
size_t dstlen,
size_t *lenp /* NULL means don't bother telling me */
);
size_t /* 0 failure, else true size */
bytestoa(
const char *src,
size_t srclen,
int format, /* character; 0 means default */
char *dst,
size_t dstlen
);
/* old versions of generic-data functions; deprecated */
size_t /* 0 failure, else true size */
atodata(
const char *src,
size_t srclen, /* 0 means strlen(src) */
char *dst,
size_t dstlen
);
size_t /* 0 failure, else true size */
datatoa(
const char *src,
size_t srclen,
int format, /* character; 0 means default */
char *dst,
size_t dstlen
);
/* part extraction and special addresses */
struct in_addr
subnetof(
struct in_addr addr,
struct in_addr mask
);
struct in_addr
hostof(
struct in_addr addr,
struct in_addr mask
);
struct in_addr
broadcastof(
struct in_addr addr,
struct in_addr mask
);
/* mask handling */
int
goodmask(
struct in_addr mask
);
int
masktobits(
struct in_addr mask
);
struct in_addr
bitstomask(
int n
);
/*
* Debugging levels for pfkey_lib_debug
*/
#define PF_KEY_DEBUG_PARSE_NONE 0
#define PF_KEY_DEBUG_PARSE_PROBLEM 1
#define PF_KEY_DEBUG_PARSE_STRUCT 2
#define PF_KEY_DEBUG_PARSE_FLOW 4
#define PF_KEY_DEBUG_PARSE_MAX 7
extern unsigned int pfkey_lib_debug; /* bits selecting what to report */
/*
* pluto and lwdnsq need to know the maximum size of the commands to,
* and replies from lwdnsq.
*/
#define LWDNSQ_CMDBUF_LEN 1024
#define LWDNSQ_RESULT_LEN_MAX 4096
#endif /* _FREESWAN_H */

56
src/libfreeswan/goodmask.3
View File

@ -1,56 +0,0 @@
.TH IPSEC_GOODMASK 3 "11 June 2001"
.SH NAME
ipsec goodmask \- is this Internet subnet mask a valid one?
.br
ipsec masktobits \- convert Internet subnet mask to bit count
.br
ipsec bitstomask \- convert bit count to Internet subnet mask
.SH SYNOPSIS
.B "#include <freeswan.h>
.sp
.B "int goodmask(struct in_addr mask);"
.br
.B "int masktobits(struct in_addr mask);"
.br
.B "struct in_addr bitstomask(int n);"
.SH DESCRIPTION
These functions are obsolete;
see
.IR ipsec_masktocount (3)
for a partial replacement.
.PP
.I Goodmask
reports whether the subnet
.I mask
is a valid one,
i.e. consists of a (possibly empty) sequence of
.BR 1 s
followed by a (possibly empty) sequence of
.BR 0 s.
.I Masktobits
takes a (valid) subnet mask and returns the number of
.B 1
bits in it.
.I Bitstomask
reverses this,
returning the subnet mask corresponding to bit count
.IR n .
.PP
All masks are in network byte order.
.SH SEE ALSO
inet(3), ipsec_atosubnet(3)
.SH DIAGNOSTICS
.I Masktobits
returns
.B \-1
for an invalid mask.
.I Bitstomask
returns an all-zeros mask for a negative or out-of-range
.IR n .
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.
.SH BUGS
The error-reporting convention of
.I bitstomask
is less than ideal;
zero is sometimes a legitimate mask.

95
src/libfreeswan/goodmask.c
View File

@ -1,95 +0,0 @@
/*
* minor utilities for subnet-mask manipulation
* Copyright (C) 1998, 1999 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- goodmask - is this a good (^1*0*$) subnet mask?
* You are not expected to understand this. See Henry S. Warren Jr,
* "Functions realizable with word-parallel logical and two's-complement
* addition instructions", CACM 20.6 (June 1977), p.439.
*/
int /* predicate */
goodmask(mask)
struct in_addr mask;
{
unsigned long x = ntohl(mask.s_addr);
/* clear rightmost contiguous string of 1-bits */
# define CRCS1B(x) (((x|(x-1))+1)&x)
# define TOPBIT (1UL << 31)
/* either zero, or has one string of 1-bits which is left-justified */
if (x == 0 || (CRCS1B(x) == 0 && (x&TOPBIT)))
return 1;
return 0;
}
/*
- masktobits - how many bits in this mask?
* The algorithm is essentially a binary search, but highly optimized
* for this particular task.
*/
int /* -1 means !goodmask() */
masktobits(mask)
struct in_addr mask;
{
unsigned long m = ntohl(mask.s_addr);
int masklen;
if (!goodmask(mask))
return -1;
if (m&0x00000001UL)
return 32;
masklen = 0;
if (m&(0x0000ffffUL<<1)) { /* <<1 for 1-origin numbering */
masklen |= 0x10;
m <<= 16;
}
if (m&(0x00ff0000UL<<1)) {
masklen |= 0x08;
m <<= 8;
}
if (m&(0x0f000000UL<<1)) {
masklen |= 0x04;
m <<= 4;
}
if (m&(0x30000000UL<<1)) {
masklen |= 0x02;
m <<= 2;
}
if (m&(0x40000000UL<<1))
masklen |= 0x01;
return masklen;
}
/*
- bitstomask - return a mask with this many high bits on
*/
struct in_addr
bitstomask(n)
int n;
{
struct in_addr result;
if (n > 0 && n <= ABITS)
result.s_addr = htonl(~((1UL << (ABITS - n)) - 1));
else if (n == 0)
result.s_addr = 0;
else
result.s_addr = 0; /* best error report we can do */
return result;
}

128
src/libfreeswan/initaddr.3
View File

@ -1,128 +0,0 @@
.TH IPSEC_INITADDR 3 "11 Sept 2000"
.SH NAME
ipsec initaddr \- initialize an ip_address
.br
ipsec addrtypeof \- get address type of an ip_address
.br
ipsec addrlenof \- get length of address within an ip_address
.br
ipsec addrbytesof \- get copy of address within an ip_address
.br
ipsec addrbytesptr \- get pointer to address within an ip_address
.SH SYNOPSIS
.B "#include <freeswan.h>"
.sp
.B "const char *initaddr(const char *src, size_t srclen,"
.ti +1c
.B "int af, ip_address *dst);"
.br
.B "int addrtypeof(const ip_address *src);"
.br
.B "size_t addrlenof(const ip_address *src);"
.br
.B "size_t addrbytesof(const ip_address *src,"
.ti +1c
.B "unsigned char *dst, size_t dstlen);"
.br
.B "size_t addrbytesptr(const ip_address *src,"
.ti +1c
.B "const unsigned char **dst);"
.SH DESCRIPTION
The
.B <freeswan.h>
library uses an internal type
.I ip_address
to contain one of the (currently two) types of IP address.
These functions provide basic tools for creating and examining this type.
.PP
.I Initaddr
initializes a variable
.I *dst
of type
.I ip_address
from an address
(in network byte order,
indicated by a pointer
.I src
and a length
.IR srclen )
and an address family
.I af
(typically
.B AF_INET
or
.BR AF_INET6 ).
The length must be consistent with the address family.
.PP
.I Addrtypeof
returns the address type of an address,
normally
.B AF_INET
or
.BR AF_INET6 .
(The
.B <freeswan.h>
header file arranges to include the necessary headers for these
names to be known.)
.PP
.I Addrlenof
returns the size (in bytes) of the address within an
.IR ip_address ,
to permit storage allocation etc.
.PP
.I Addrbytesof
copies the address within the
.I ip_address
.I src
to the buffer indicated by the pointer
.I dst
and the length
.IR dstlen ,
and returns the address length (in bytes).
If the address will not fit,
as many bytes as will fit are copied;
the returned length is still the full length.
It is the caller's responsibility to check the
returned value to ensure that there was enough room.
.PP
.I Addrbytesptr
sets
.I *dst
to a pointer to the internal address within the
.IR ip_address ,
and returns the address length (in bytes).
If
.I dst
is
.BR NULL ,
it just returns the address length.
The pointer points to
.B const
to discourage misuse.
.PP
.I Initaddr
returns
.B NULL
for success and
a pointer to a string-literal error message for failure;
see DIAGNOSTICS.
.PP
The functions which return
.I size_t
return
.B 0
for a failure.
.SH SEE ALSO
inet(3), ipsec_ttoaddr(3)
.SH DIAGNOSTICS
An unknown address family is a fatal error for any of these functions
except
.IR addrtypeof .
An address-size mismatch is a fatal error for
.IR initaddr .
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.
.SH BUGS
.I Addrtypeof
should probably have been named
.IR addrfamilyof .

51
src/libfreeswan/initaddr.c
View File

@ -1,51 +0,0 @@
/*
* initialize address structure
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include <sys/socket.h>
#include "internal.h"
#include "freeswan.h"
/*
- initaddr - initialize ip_address from bytes
*/
err_t /* NULL for success, else string literal */
initaddr(src, srclen, af, dst)
const unsigned char *src;
size_t srclen;
int af; /* address family */
ip_address *dst;
{
switch (af) {
case AF_INET:
if (srclen != 4)
return "IPv4 address must be exactly 4 bytes";
dst->u.v4.sin_family = af;
dst->u.v4.sin_port = 0; /* unused */
memcpy((char *)&dst->u.v4.sin_addr.s_addr, src, srclen);
break;
case AF_INET6:
if (srclen != 16)
return "IPv6 address must be exactly 16 bytes";
dst->u.v6.sin6_family = af;
dst->u.v6.sin6_flowinfo = 0; /* unused */
dst->u.v6.sin6_port = 0; /* unused */
memcpy((char *)&dst->u.v6.sin6_addr, src, srclen);
break;
default:
return "unknown address family in initaddr";
break;
}
return NULL;
}

31
src/libfreeswan/initsaid.c
View File

@ -1,31 +0,0 @@
/*
* initialize SA ID structure
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- initsaid - initialize SA ID from bits
*/
void
initsaid(addr, spi, proto, dst)
const ip_address *addr;
ipsec_spi_t spi;
int proto;
ip_said *dst;
{
dst->dst = *addr;
dst->spi = spi;
dst->proto = proto;
}

136
src/libfreeswan/initsubnet.3
View File

@ -1,136 +0,0 @@
.TH IPSEC_INITSUBNET 3 "12 March 2002"
.SH NAME
ipsec initsubnet \- initialize an ip_subnet
.br
ipsec addrtosubnet \- initialize a singleton ip_subnet
.br
ipsec subnettypeof \- get address type of an ip_subnet
.br
ipsec masktocount \- convert subnet mask to bit count
.br
ipsec networkof \- get base address of an ip_subnet
.br
ipsec maskof \- get subnet mask of an ip_subnet
.SH SYNOPSIS
.B "#include <freeswan.h>"
.sp
.B "const char *initsubnet(const ip_address *addr,"
.ti +1c
.B "int maskbits, int clash, ip_subnet *dst);"
.br
.B "const char *addrtosubnet(const ip_address *addr,"
.ti +1c
.B "ip_subnet *dst);"
.sp
.B "int subnettypeof(const ip_subnet *src);"
.br
.B "int masktocount(const ip_address *src);"
.br
.B "void networkof(const ip_subnet *src, ip_address *dst);"
.br
.B "void maskof(const ip_subnet *src, ip_address *dst);"
.SH DESCRIPTION
The
.B <freeswan.h>
library uses an internal type
.I ip_subnet
to contain a description of an IP subnet
(base address plus mask).
These functions provide basic tools for creating and examining this type.
.PP
.I Initsubnet
initializes a variable
.I *dst
of type
.I ip_subnet
from a base address and
a count of mask bits.
The
.I clash
parameter specifies what to do if the base address includes
.B 1
bits outside the prefix specified by the mask
(that is, in the ``host number'' part of the address):
.RS
.IP '0' 5
zero out host-number bits
.IP 'x'
non-zero host-number bits are an error
.RE
.PP
.I Initsubnet
returns
.B NULL
for success and
a pointer to a string-literal error message for failure;
see DIAGNOSTICS.
.PP
.I Addrtosubnet
initializes an
.I ip_subnet
variable
.I *dst
to a ``singleton subnet'' containing the single address
.IR *addr .
It returns
.B NULL
for success and
a pointer to a string-literal error message for failure.
.PP
.I Subnettypeof
returns the address type of a subnet,
normally
.B AF_INET
or
.BR AF_INET6 .
(The
.B <freeswan.h>
header file arranges to include the necessary headers for these
names to be known.)
.PP
.I Masktocount
converts a subnet mask, expressed as an address, to a bit count
suitable for use with
.IR initsubnet .
It returns
.B \-1
for error; see DIAGNOSTICS.
.PP
.I Networkof
fills in
.I *dst
with the base address of subnet
.IR src .
.PP
.I Maskof
fills in
.I *dst
with the subnet mask of subnet
.IR src ,
expressed as an address.
.SH SEE ALSO
inet(3), ipsec_ttosubnet(3), ipsec_rangetosubnet(3)
.SH DIAGNOSTICS
Fatal errors in
.I initsubnet
are:
unknown address family;
unknown
.I clash
value;
impossible mask bit count;
non-zero host-number bits and
.I clash
is
.BR 'x' .
Fatal errors in
.I addrtosubnet
are:
unknown address family.
Fatal errors in
.I masktocount
are:
unknown address family;
mask bits not contiguous.
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.

93
src/libfreeswan/initsubnet.c
View File

@ -1,93 +0,0 @@
/*
* initialize subnet structure
* Copyright (C) 2000, 2002 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- initsubnet - initialize ip_subnet from address and count
*
* The only hard part is checking for host-part bits turned on.
*/
err_t /* NULL for success, else string literal */
initsubnet(addr, count, clash, dst)
const ip_address *addr;
int count;
int clash; /* '0' zero host-part bits, 'x' die on them */
ip_subnet *dst;
{
unsigned char *p;
int n;
int c;
unsigned m;
int die;
dst->addr = *addr;
n = addrbytesptr(&dst->addr, (const unsigned char **)&p);
if (n == 0)
return "unknown address family";
switch (clash) {
case '0':
die = 0;
break;
case 'x':
die = 1;
break;
default:
return "unknown clash-control value in initsubnet";
break;
}
c = count / 8;
if (c > n)
return "impossible mask count";
p += c;
n -= c;
m = 0xff;
c = count % 8;
if (n > 0 && c != 0) /* partial byte */
m >>= c;
for (; n > 0; n--) {
if ((*p & m) != 0) {
if (die)
return "improper subnet, host-part bits on";
*p &= ~m;
}
m = 0xff;
p++;
}
dst->maskbits = count;
return NULL;
}
/*
- addrtosubnet - initialize ip_subnet from a single address
*/
err_t /* NULL for success, else string literal */
addrtosubnet(addr, dst)
const ip_address *addr;
ip_subnet *dst;
{
int n;
dst->addr = *addr;
n = addrbytesptr(&dst->addr, (const unsigned char **)NULL);
if (n == 0)
return "unknown address family";
dst->maskbits = n*8;
return NULL;
}

46
src/libfreeswan/internal.h
View File

@ -1,46 +0,0 @@
/*
* internal definitions for use within the library; do not export!
* Copyright (C) 1998, 1999 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#ifndef ABITS
#define ABITS 32 /* bits in an IPv4 address */
#endif
/* case-independent ASCII character equality comparison */
#define CIEQ(c1, c2) ( ((c1)&~040) == ((c2)&~040) )
/* syntax for passthrough SA */
#ifndef PASSTHROUGHNAME
#define PASSTHROUGHNAME "%passthrough"
#define PASSTHROUGH4NAME "%passthrough4"
#define PASSTHROUGH6NAME "%passthrough6"
#define PASSTHROUGHIS "tun0@0.0.0.0"
#define PASSTHROUGH4IS "tun0@0.0.0.0"
#define PASSTHROUGH6IS "tun0@::"
#define PASSTHROUGHTYPE "tun"
#define PASSTHROUGHSPI 0
#define PASSTHROUGHDST 0
#endif
#include <sys/types.h>
#include <netinet/in.h>
#include <string.h>
#include <ctype.h>
#include <assert.h>
#include <limits.h>
#include <netdb.h>
#include <stdlib.h>
#define MALLOC(n) malloc(n)
#define FREE(p) free(p)

54
src/libfreeswan/ipsec_param.h
View File

@ -1,54 +0,0 @@
/*
* @(#) FreeSWAN tunable paramaters
*
* Copyright (C) 2001 Richard Guy Briggs <rgb@freeswan.org>
* and Michael Richardson <mcr@freeswan.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/*
* This file provides a set of #define's which may be tuned by various
* people/configurations. It keeps all compile-time tunables in one place.
*
* This file should be included before all other IPsec kernel-only files.
*
*/
#ifndef _IPSEC_PARAM_H_
/*
* This is for the SA reference table. This number is related to the
* maximum number of SAs that KLIPS can concurrently deal with, plus enough
* space for keeping expired SAs around.
*
* TABLE_MAX_WIDTH is the number of bits that we will use.
* MAIN_TABLE_WIDTH is the number of bits used for the primary index table.
*
*/
#ifndef IPSEC_SA_REF_TABLE_IDX_WIDTH
# define IPSEC_SA_REF_TABLE_IDX_WIDTH 16
#endif
#ifndef IPSEC_SA_REF_MAINTABLE_IDX_WIDTH
# define IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 4
#endif
#ifndef IPSEC_SA_REF_FREELIST_NUM_ENTRIES
# define IPSEC_SA_REF_FREELIST_NUM_ENTRIES 256
#endif
#ifndef IPSEC_SA_REF_CODE
# define IPSEC_SA_REF_CODE 1
#endif
#define _IPSEC_PARAM_H_
#endif /* _IPSEC_PARAM_H_ */

205
src/libfreeswan/pfkey.h
View File

@ -1,205 +0,0 @@
/*
* FreeS/WAN specific PF_KEY headers
* Copyright (C) 1999, 2000, 2001 Richard Guy Briggs.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef __NET_IPSEC_PF_KEY_H
#define __NET_IPSEC_PF_KEY_H
extern void (*pfkey_debug_func)(const char *message, ...);
extern uint8_t satype2proto(uint8_t satype);
extern uint8_t proto2satype(uint8_t proto);
extern char* satype2name(uint8_t satype);
extern char* proto2name(uint8_t proto);
struct key_opt
{
uint32_t key_pid; /* process ID */
struct sock *sk;
};
#define key_pid(sk) ((struct key_opt*)&((sk)->protinfo))->key_pid
#define IPSEC_PFKEYv2_ALIGN (sizeof(uint64_t)/sizeof(uint8_t))
#define BITS_PER_OCTET 8
#define OCTETBITS 8
#define PFKEYBITS 64
#define DIVUP(x,y) ((x + y -1) / y) /* divide, rounding upwards */
#define ALIGN_N(x,y) (DIVUP(x,y) * y) /* align on y boundary */
#define PFKEYv2_MAX_MSGSIZE 4096
/*
* PF_KEYv2 permitted and required extensions in and out bitmaps
*/
struct pf_key_ext_parsers_def {
int (*parser)(struct sadb_ext*);
char *parser_name;
};
extern unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/];
#define EXT_BITS_IN 0
#define EXT_BITS_OUT 1
#define EXT_BITS_PERM 0
#define EXT_BITS_REQ 1
extern void pfkey_extensions_init(struct sadb_ext *extensions[SADB_EXT_MAX + 1]);
extern void pfkey_extensions_free(struct sadb_ext *extensions[SADB_EXT_MAX + 1]);
extern void pfkey_msg_free(struct sadb_msg **pfkey_msg);
extern int pfkey_msg_parse(struct sadb_msg *pfkey_msg,
struct pf_key_ext_parsers_def *ext_parsers[],
struct sadb_ext **extensions,
int dir);
/*
* PF_KEYv2 build function prototypes
*/
int
pfkey_msg_hdr_build(struct sadb_ext** pfkey_ext,
uint8_t msg_type,
uint8_t satype,
uint8_t msg_errno,
uint32_t seq,
uint32_t pid);
int
pfkey_sa_ref_build(struct sadb_ext ** pfkey_ext,
uint16_t exttype,
uint32_t spi, /* in network order */
uint8_t replay_window,
uint8_t sa_state,
uint8_t auth,
uint8_t encrypt,
uint32_t flags,
uint32_t/*IPsecSAref_t*/ ref);
int
pfkey_sa_build(struct sadb_ext ** pfkey_ext,
uint16_t exttype,
uint32_t spi, /* in network order */
uint8_t replay_window,
uint8_t sa_state,
uint8_t auth,
uint8_t encrypt,
uint32_t flags);
int
pfkey_lifetime_build(struct sadb_ext ** pfkey_ext,
uint16_t exttype,
uint32_t allocations,
uint64_t bytes,
uint64_t addtime,
uint64_t usetime,
uint32_t packets);
int
pfkey_address_build(struct sadb_ext** pfkey_ext,
uint16_t exttype,
uint8_t proto,
uint8_t prefixlen,
struct sockaddr* address);
int
pfkey_key_build(struct sadb_ext** pfkey_ext,
uint16_t exttype,
uint16_t key_bits,
char* key);
int
pfkey_ident_build(struct sadb_ext** pfkey_ext,
uint16_t exttype,
uint16_t ident_type,
uint64_t ident_id,
uint8_t ident_len,
char* ident_string);
int
pfkey_x_nat_t_type_build(struct sadb_ext** pfkey_ext,
uint8_t type);
int
pfkey_x_nat_t_port_build(struct sadb_ext** pfkey_ext,
uint16_t exttype,
uint16_t port);
int
pfkey_sens_build(struct sadb_ext** pfkey_ext,
uint32_t dpd,
uint8_t sens_level,
uint8_t sens_len,
uint64_t* sens_bitmap,
uint8_t integ_level,
uint8_t integ_len,
uint64_t* integ_bitmap);
int
pfkey_x_protocol_build(struct sadb_ext **, uint8_t);
int
pfkey_prop_build(struct sadb_ext** pfkey_ext,
uint8_t replay,
unsigned int comb_num,
struct sadb_comb* comb);
int
pfkey_supported_build(struct sadb_ext** pfkey_ext,
uint16_t exttype,
unsigned int alg_num,
struct sadb_alg* alg);
int
pfkey_spirange_build(struct sadb_ext** pfkey_ext,
uint16_t exttype,
uint32_t min,
uint32_t max);
int
pfkey_x_kmprivate_build(struct sadb_ext** pfkey_ext);
int
pfkey_x_satype_build(struct sadb_ext** pfkey_ext,
uint8_t satype);
int
pfkey_x_debug_build(struct sadb_ext** pfkey_ext,
uint32_t tunnel,
uint32_t netlink,
uint32_t xform,
uint32_t eroute,
uint32_t spi,
uint32_t radij,
uint32_t esp,
uint32_t ah,
uint32_t rcv,
uint32_t pfkey,
uint32_t ipcomp,
uint32_t verbose);
int
pfkey_msg_build(struct sadb_msg** pfkey_msg,
struct sadb_ext* extensions[],
int dir);
/* in pfkey_v2_debug.c - routines to decode numbers -> strings */
const char *
pfkey_v2_sadb_ext_string(int extnum);
const char *
pfkey_v2_sadb_type_string(int sadb_type);
#endif /* __NET_IPSEC_PF_KEY_H */

1388
src/libfreeswan/pfkey_v2_build.c
View File

File diff suppressed because it is too large Load Diff

104
src/libfreeswan/pfkey_v2_debug.c
View File

@ -1,104 +0,0 @@
/*
* @(#) pfkey version 2 debugging messages
*
* Copyright (C) 2001 Richard Guy Briggs <rgb@freeswan.org>
* and Michael Richardson <mcr@freeswan.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
# include <sys/types.h>
# include <errno.h>
#include "freeswan.h"
#include "pfkeyv2.h"
#include "pfkey.h"
/*
* This file provides ASCII translations of PF_KEY magic numbers.
*
*/
static char *pfkey_sadb_ext_strings[]={
"reserved", /* SADB_EXT_RESERVED 0 */
"security-association", /* SADB_EXT_SA 1 */
"lifetime-current", /* SADB_EXT_LIFETIME_CURRENT 2 */
"lifetime-hard", /* SADB_EXT_LIFETIME_HARD 3 */
"lifetime-soft", /* SADB_EXT_LIFETIME_SOFT 4 */
"source-address", /* SADB_EXT_ADDRESS_SRC 5 */
"destination-address", /* SADB_EXT_ADDRESS_DST 6 */
"proxy-address", /* SADB_EXT_ADDRESS_PROXY 7 */
"authentication-key", /* SADB_EXT_KEY_AUTH 8 */
"cipher-key", /* SADB_EXT_KEY_ENCRYPT 9 */
"source-identity", /* SADB_EXT_IDENTITY_SRC 10 */
"destination-identity", /* SADB_EXT_IDENTITY_DST 11 */
"sensitivity-label", /* SADB_EXT_SENSITIVITY 12 */
"proposal", /* SADB_EXT_PROPOSAL 13 */
"supported-auth", /* SADB_EXT_SUPPORTED_AUTH 14 */
"supported-cipher", /* SADB_EXT_SUPPORTED_ENCRYPT 15 */
"spi-range", /* SADB_EXT_SPIRANGE 16 */
"X-kmpprivate", /* SADB_X_EXT_KMPRIVATE 17 */
"X-satype2", /* SADB_X_EXT_SATYPE2 18 */
"X-security-association", /* SADB_X_EXT_SA2 19 */
"X-destination-address2", /* SADB_X_EXT_ADDRESS_DST2 20 */
"X-source-flow-address", /* SADB_X_EXT_ADDRESS_SRC_FLOW 21 */
"X-dest-flow-address", /* SADB_X_EXT_ADDRESS_DST_FLOW 22 */
"X-source-mask", /* SADB_X_EXT_ADDRESS_SRC_MASK 23 */
"X-dest-mask", /* SADB_X_EXT_ADDRESS_DST_MASK 24 */
"X-set-debug", /* SADB_X_EXT_DEBUG 25 */
"X-protocol", /* SADB_X_EXT_PROTOCOL 26 */
"X-NAT-T-type", /* SADB_X_EXT_NAT_T_TYPE 27 */
"X-NAT-T-sport", /* SADB_X_EXT_NAT_T_SPORT 28 */
"X-NAT-T-dport", /* SADB_X_EXT_NAT_T_DPORT 29 */
"X-NAT-T-OA", /* SADB_X_EXT_NAT_T_OA 30 */
};
const char *
pfkey_v2_sadb_ext_string(int ext)
{
if(ext <= SADB_EXT_MAX) {
return pfkey_sadb_ext_strings[ext];
} else {
return "unknown-ext";
}
}
static char *pfkey_sadb_type_strings[]={
"reserved", /* SADB_RESERVED */
"getspi", /* SADB_GETSPI */
"update", /* SADB_UPDATE */
"add", /* SADB_ADD */
"delete", /* SADB_DELETE */
"get", /* SADB_GET */
"acquire", /* SADB_ACQUIRE */
"register", /* SADB_REGISTER */
"expire", /* SADB_EXPIRE */
"flush", /* SADB_FLUSH */
"dump", /* SADB_DUMP */
"x-promisc", /* SADB_X_PROMISC */
"x-pchange", /* SADB_X_PCHANGE */
"x-groupsa", /* SADB_X_GRPSA */
"x-addflow(eroute)", /* SADB_X_ADDFLOW */
"x-delflow(eroute)", /* SADB_X_DELFLOW */
"x-debug", /* SADB_X_DEBUG */
"x-nat-t-new-mapping", /* SADB_X_NAT_T_NEW_MAPPING */
};
const char *
pfkey_v2_sadb_type_string(int sadb_type)
{
if(sadb_type <= SADB_MAX) {
return pfkey_sadb_type_strings[sadb_type];
} else {
return "unknown-sadb-type";
}
}

692
src/libfreeswan/pfkey_v2_ext_bits.c
View File

@ -1,692 +0,0 @@
/*
* RFC2367 PF_KEYv2 Key management API message parser
* Copyright (C) 1999, 2000, 2001 Richard Guy Briggs.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/*
* Template from klips/net/ipsec/ipsec/ipsec_parse.c.
*/
char pfkey_v2_ext_bits_c_version[] = "";
# include <sys/types.h>
# include <errno.h>
#include <freeswan.h>
#include <pfkeyv2.h>
#include <pfkey.h>
unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/] = {
/* INBOUND EXTENSIONS */
{
/* PERMITTED IN */
{
/* SADB_RESERVED */
0
,
/* SADB_GETSPI */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_SPIRANGE
,
/* SADB_UPDATE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
,
/* SADB_ADD */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_X_EXT_NAT_T_TYPE
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
| 1<<SADB_X_EXT_NAT_T_OA
,
/* SADB_DELETE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_GET */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_ACQUIRE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_EXT_PROPOSAL
,
/* SADB_REGISTER */
1<<SADB_EXT_RESERVED
,
/* SADB_EXPIRE */
0
,
/* SADB_FLUSH */
1<<SADB_EXT_RESERVED
,
/* SADB_DUMP */
1<<SADB_EXT_RESERVED
,
/* SADB_X_PROMISC */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_EXT_PROPOSAL
| 1<<SADB_EXT_SUPPORTED_AUTH
| 1<<SADB_EXT_SUPPORTED_ENCRYPT
| 1<<SADB_EXT_SPIRANGE
| 1<<SADB_X_EXT_KMPRIVATE
| 1<<SADB_X_EXT_SATYPE2
| 1<<SADB_X_EXT_SA2
| 1<<SADB_X_EXT_ADDRESS_DST2
,
/* SADB_X_PCHANGE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_EXT_PROPOSAL
| 1<<SADB_EXT_SUPPORTED_AUTH
| 1<<SADB_EXT_SUPPORTED_ENCRYPT
| 1<<SADB_EXT_SPIRANGE
| 1<<SADB_X_EXT_KMPRIVATE
| 1<<SADB_X_EXT_SATYPE2
| 1<<SADB_X_EXT_SA2
| 1<<SADB_X_EXT_ADDRESS_DST2
,
/* SADB_X_GRPSA */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_SATYPE2
| 1<<SADB_X_EXT_SA2
| 1<<SADB_X_EXT_ADDRESS_DST2
,
/* SADB_X_ADDFLOW */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
| 1<<SADB_X_EXT_ADDRESS_DST_MASK
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_X_EXT_PROTOCOL
,
/* SADB_X_DELFLOW */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
| 1<<SADB_X_EXT_ADDRESS_DST_MASK
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_X_EXT_PROTOCOL
,
/* SADB_X_DEBUG */
1<<SADB_EXT_RESERVED
| 1<<SADB_X_EXT_DEBUG
,
/* SADB_X_NAT_T_NEW_MAPPING */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
},
/* REQUIRED IN */
{
/* SADB_RESERVED */
0
,
/* SADB_GETSPI */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_SPIRANGE
,
/* SADB_UPDATE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
/*| 1<<SADB_EXT_KEY_AUTH*/
/*| 1<<SADB_EXT_KEY_ENCRYPT*/
,
/* SADB_ADD */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
/*| 1<<SADB_EXT_KEY_AUTH*/
/*| 1<<SADB_EXT_KEY_ENCRYPT*/
,
/* SADB_DELETE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_GET */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_ACQUIRE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_PROPOSAL
,
/* SADB_REGISTER */
1<<SADB_EXT_RESERVED
,
/* SADB_EXPIRE */
0
,
/* SADB_FLUSH */
1<<SADB_EXT_RESERVED
,
/* SADB_DUMP */
1<<SADB_EXT_RESERVED
,
/* SADB_X_PROMISC */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_EXT_PROPOSAL
| 1<<SADB_EXT_SUPPORTED_AUTH
| 1<<SADB_EXT_SUPPORTED_ENCRYPT
| 1<<SADB_EXT_SPIRANGE
| 1<<SADB_X_EXT_KMPRIVATE
| 1<<SADB_X_EXT_SATYPE2
| 1<<SADB_X_EXT_SA2
| 1<<SADB_X_EXT_ADDRESS_DST2
,
/* SADB_X_PCHANGE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_EXT_PROPOSAL
| 1<<SADB_EXT_SUPPORTED_AUTH
| 1<<SADB_EXT_SUPPORTED_ENCRYPT
| 1<<SADB_EXT_SPIRANGE
| 1<<SADB_X_EXT_KMPRIVATE
| 1<<SADB_X_EXT_SATYPE2
| 1<<SADB_X_EXT_SA2
| 1<<SADB_X_EXT_ADDRESS_DST2
,
/* SADB_X_GRPSA */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_DST
/*| 1<<SADB_X_EXT_SATYPE2*/
/*| 1<<SADB_X_EXT_SA2*/
/*| 1<<SADB_X_EXT_ADDRESS_DST2*/
,
/* SADB_X_ADDFLOW */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
| 1<<SADB_X_EXT_ADDRESS_DST_MASK
,
/* SADB_X_DELFLOW */
1<<SADB_EXT_RESERVED
/*| 1<<SADB_EXT_SA*/
#if 0 /* SADB_X_CLREROUTE doesn't need all these... */
| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
| 1<<SADB_X_EXT_ADDRESS_DST_MASK
#endif
,
/* SADB_X_DEBUG */
1<<SADB_EXT_RESERVED
| 1<<SADB_X_EXT_DEBUG
,
/* SADB_X_NAT_T_NEW_MAPPING */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
}
},
/* OUTBOUND EXTENSIONS */
{
/* PERMITTED OUT */
{
/* SADB_RESERVED */
0
,
/* SADB_GETSPI */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_UPDATE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
,
/* SADB_ADD */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_X_EXT_NAT_T_TYPE
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
| 1<<SADB_X_EXT_NAT_T_OA
,
/* SADB_DELETE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_GET */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
,
/* SADB_ACQUIRE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_EXT_PROPOSAL
,
/* SADB_REGISTER */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SUPPORTED_AUTH
| 1<<SADB_EXT_SUPPORTED_ENCRYPT
,
/* SADB_EXPIRE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_FLUSH */
1<<SADB_EXT_RESERVED
,
/* SADB_DUMP */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
,
/* SADB_X_PROMISC */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_EXT_PROPOSAL
| 1<<SADB_EXT_SUPPORTED_AUTH
| 1<<SADB_EXT_SUPPORTED_ENCRYPT
| 1<<SADB_EXT_SPIRANGE
| 1<<SADB_X_EXT_KMPRIVATE
| 1<<SADB_X_EXT_SATYPE2
| 1<<SADB_X_EXT_SA2
| 1<<SADB_X_EXT_ADDRESS_DST2
,
/* SADB_X_PCHANGE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_EXT_PROPOSAL
| 1<<SADB_EXT_SUPPORTED_AUTH
| 1<<SADB_EXT_SUPPORTED_ENCRYPT
| 1<<SADB_EXT_SPIRANGE
| 1<<SADB_X_EXT_KMPRIVATE
| 1<<SADB_X_EXT_SATYPE2
| 1<<SADB_X_EXT_SA2
| 1<<SADB_X_EXT_ADDRESS_DST2
,
/* SADB_X_GRPSA */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_SATYPE2
| 1<<SADB_X_EXT_SA2
| 1<<SADB_X_EXT_ADDRESS_DST2
,
/* SADB_X_ADDFLOW */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
| 1<<SADB_X_EXT_ADDRESS_DST_MASK
| 1<<SADB_X_EXT_PROTOCOL
,
/* SADB_X_DELFLOW */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
| 1<<SADB_X_EXT_ADDRESS_DST_MASK
| 1<<SADB_X_EXT_PROTOCOL
,
/* SADB_X_DEBUG */
1<<SADB_EXT_RESERVED
| 1<<SADB_X_EXT_DEBUG
,
/* SADB_X_NAT_T_NEW_MAPPING */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
},
/* REQUIRED OUT */
{
/* SADB_RESERVED */
0
,
/* SADB_GETSPI */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_UPDATE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_ADD */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_DELETE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_GET */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
/* | 1<<SADB_EXT_KEY_AUTH */
/* | 1<<SADB_EXT_KEY_ENCRYPT */
,
/* SADB_ACQUIRE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_PROPOSAL
,
/* SADB_REGISTER */
1<<SADB_EXT_RESERVED
/* | 1<<SADB_EXT_SUPPORTED_AUTH
| 1<<SADB_EXT_SUPPORTED_ENCRYPT */
,
/* SADB_EXPIRE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
/* | 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT */
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_FLUSH */
1<<SADB_EXT_RESERVED
,
/* SADB_DUMP */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
,
/* SADB_X_PROMISC */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_EXT_PROPOSAL
| 1<<SADB_EXT_SUPPORTED_AUTH
| 1<<SADB_EXT_SUPPORTED_ENCRYPT
| 1<<SADB_EXT_SPIRANGE
| 1<<SADB_X_EXT_KMPRIVATE
| 1<<SADB_X_EXT_SATYPE2
| 1<<SADB_X_EXT_SA2
| 1<<SADB_X_EXT_ADDRESS_DST2
,
/* SADB_X_PCHANGE */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_LIFETIME_CURRENT
| 1<<SADB_EXT_LIFETIME_HARD
| 1<<SADB_EXT_LIFETIME_SOFT
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_EXT_ADDRESS_PROXY
| 1<<SADB_EXT_KEY_AUTH
| 1<<SADB_EXT_KEY_ENCRYPT
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
| 1<<SADB_EXT_PROPOSAL
| 1<<SADB_EXT_SUPPORTED_AUTH
| 1<<SADB_EXT_SUPPORTED_ENCRYPT
| 1<<SADB_EXT_SPIRANGE
| 1<<SADB_X_EXT_KMPRIVATE
| 1<<SADB_X_EXT_SATYPE2
| 1<<SADB_X_EXT_SA2
| 1<<SADB_X_EXT_ADDRESS_DST2
,
/* SADB_X_GRPSA */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_DST
,
/* SADB_X_ADDFLOW */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
| 1<<SADB_X_EXT_ADDRESS_DST_MASK
,
/* SADB_X_DELFLOW */
1<<SADB_EXT_RESERVED
/*| 1<<SADB_EXT_SA*/
| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
| 1<<SADB_X_EXT_ADDRESS_DST_MASK
,
/* SADB_X_DEBUG */
1<<SADB_EXT_RESERVED
| 1<<SADB_X_EXT_DEBUG
,
/* SADB_X_NAT_T_NEW_MAPPING */
1<<SADB_EXT_RESERVED
| 1<<SADB_EXT_SA
| 1<<SADB_EXT_ADDRESS_SRC
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
}
}
};

1539
src/libfreeswan/pfkey_v2_parse.c
View File

File diff suppressed because it is too large Load Diff

368
src/libfreeswan/pfkeyv2.h
View File

@ -1,368 +0,0 @@
/*
RFC 2367 PF_KEY Key Management API July 1998
Appendix D: Sample Header File
This file defines structures and symbols for the PF_KEY Version 2
key management interface. It was written at the U.S. Naval Research
Laboratory. This file is in the public domain. The authors ask that
you leave this credit intact on any copies of this file.
*/
#ifndef __PFKEY_V2_H
#define __PFKEY_V2_H 1
#define PF_KEY_V2 2
#define PFKEYV2_REVISION 199806L
#define SADB_RESERVED 0
#define SADB_GETSPI 1
#define SADB_UPDATE 2
#define SADB_ADD 3
#define SADB_DELETE 4
#define SADB_GET 5
#define SADB_ACQUIRE 6
#define SADB_REGISTER 7
#define SADB_EXPIRE 8
#define SADB_FLUSH 9
#define SADB_DUMP 10
#define SADB_X_PROMISC 11
#define SADB_X_PCHANGE 12
#define SADB_X_GRPSA 13
#define SADB_X_ADDFLOW 14
#define SADB_X_DELFLOW 15
#define SADB_X_DEBUG 16
#define SADB_X_NAT_T_NEW_MAPPING 17
#define SADB_MAX 17
struct sadb_msg {
uint8_t sadb_msg_version;
uint8_t sadb_msg_type;
uint8_t sadb_msg_errno;
uint8_t sadb_msg_satype;
uint16_t sadb_msg_len;
uint16_t sadb_msg_reserved;
uint32_t sadb_msg_seq;
uint32_t sadb_msg_pid;
};
struct sadb_ext {
uint16_t sadb_ext_len;
uint16_t sadb_ext_type;
};
struct sadb_sa {
uint16_t sadb_sa_len;
uint16_t sadb_sa_exttype;
uint32_t sadb_sa_spi;
uint8_t sadb_sa_replay;
uint8_t sadb_sa_state;
uint8_t sadb_sa_auth;
uint8_t sadb_sa_encrypt;
uint32_t sadb_sa_flags;
uint32_t /*IPsecSAref_t*/ sadb_x_sa_ref; /* 32 bits */
uint8_t sadb_x_reserved[4];
};
struct sadb_sa_v1 {
uint16_t sadb_sa_len;
uint16_t sadb_sa_exttype;
uint32_t sadb_sa_spi;
uint8_t sadb_sa_replay;
uint8_t sadb_sa_state;
uint8_t sadb_sa_auth;
uint8_t sadb_sa_encrypt;
uint32_t sadb_sa_flags;
};
struct sadb_lifetime {
uint16_t sadb_lifetime_len;
uint16_t sadb_lifetime_exttype;
uint32_t sadb_lifetime_allocations;
uint64_t sadb_lifetime_bytes;
uint64_t sadb_lifetime_addtime;
uint64_t sadb_lifetime_usetime;
uint32_t sadb_x_lifetime_packets;
uint32_t sadb_x_lifetime_reserved;
};
struct sadb_address {
uint16_t sadb_address_len;
uint16_t sadb_address_exttype;
uint8_t sadb_address_proto;
uint8_t sadb_address_prefixlen;
uint16_t sadb_address_reserved;
};
struct sadb_key {
uint16_t sadb_key_len;
uint16_t sadb_key_exttype;
uint16_t sadb_key_bits;
uint16_t sadb_key_reserved;
};
struct sadb_ident {
uint16_t sadb_ident_len;
uint16_t sadb_ident_exttype;
uint16_t sadb_ident_type;
uint16_t sadb_ident_reserved;
uint64_t sadb_ident_id;
};
struct sadb_sens {
uint16_t sadb_sens_len;
uint16_t sadb_sens_exttype;
uint32_t sadb_sens_dpd;
uint8_t sadb_sens_sens_level;
uint8_t sadb_sens_sens_len;
uint8_t sadb_sens_integ_level;
uint8_t sadb_sens_integ_len;
uint32_t sadb_sens_reserved;
};
struct sadb_prop {
uint16_t sadb_prop_len;
uint16_t sadb_prop_exttype;
uint8_t sadb_prop_replay;
uint8_t sadb_prop_reserved[3];
};
struct sadb_comb {
uint8_t sadb_comb_auth;
uint8_t sadb_comb_encrypt;
uint16_t sadb_comb_flags;
uint16_t sadb_comb_auth_minbits;
uint16_t sadb_comb_auth_maxbits;
uint16_t sadb_comb_encrypt_minbits;
uint16_t sadb_comb_encrypt_maxbits;
uint32_t sadb_comb_reserved;
uint32_t sadb_comb_soft_allocations;
uint32_t sadb_comb_hard_allocations;
uint64_t sadb_comb_soft_bytes;
uint64_t sadb_comb_hard_bytes;
uint64_t sadb_comb_soft_addtime;
uint64_t sadb_comb_hard_addtime;
uint64_t sadb_comb_soft_usetime;
uint64_t sadb_comb_hard_usetime;
uint32_t sadb_x_comb_soft_packets;
uint32_t sadb_x_comb_hard_packets;
};
struct sadb_supported {
uint16_t sadb_supported_len;
uint16_t sadb_supported_exttype;
uint32_t sadb_supported_reserved;
};
struct sadb_alg {
uint8_t sadb_alg_id;
uint8_t sadb_alg_ivlen;
uint16_t sadb_alg_minbits;
uint16_t sadb_alg_maxbits;
uint16_t sadb_alg_reserved;
};
struct sadb_spirange {
uint16_t sadb_spirange_len;
uint16_t sadb_spirange_exttype;
uint32_t sadb_spirange_min;
uint32_t sadb_spirange_max;
uint32_t sadb_spirange_reserved;
};
struct sadb_x_kmprivate {
uint16_t sadb_x_kmprivate_len;
uint16_t sadb_x_kmprivate_exttype;
uint32_t sadb_x_kmprivate_reserved;
};
struct sadb_x_satype {
uint16_t sadb_x_satype_len;
uint16_t sadb_x_satype_exttype;
uint8_t sadb_x_satype_satype;
uint8_t sadb_x_satype_reserved[3];
};
struct sadb_x_policy {
uint16_t sadb_x_policy_len;
uint16_t sadb_x_policy_exttype;
uint16_t sadb_x_policy_type;
uint8_t sadb_x_policy_dir;
uint8_t sadb_x_policy_reserved;
uint32_t sadb_x_policy_id;
uint32_t sadb_x_policy_reserved2;
};
struct sadb_x_debug {
uint16_t sadb_x_debug_len;
uint16_t sadb_x_debug_exttype;
uint32_t sadb_x_debug_tunnel;
uint32_t sadb_x_debug_netlink;
uint32_t sadb_x_debug_xform;
uint32_t sadb_x_debug_eroute;
uint32_t sadb_x_debug_spi;
uint32_t sadb_x_debug_radij;
uint32_t sadb_x_debug_esp;
uint32_t sadb_x_debug_ah;
uint32_t sadb_x_debug_rcv;
uint32_t sadb_x_debug_pfkey;
uint32_t sadb_x_debug_ipcomp;
uint32_t sadb_x_debug_verbose;
uint8_t sadb_x_debug_reserved[4];
};
struct sadb_x_nat_t_type {
uint16_t sadb_x_nat_t_type_len;
uint16_t sadb_x_nat_t_type_exttype;
uint8_t sadb_x_nat_t_type_type;
uint8_t sadb_x_nat_t_type_reserved[3];
};
struct sadb_x_nat_t_port {
uint16_t sadb_x_nat_t_port_len;
uint16_t sadb_x_nat_t_port_exttype;
uint16_t sadb_x_nat_t_port_port;
uint16_t sadb_x_nat_t_port_reserved;
};
/*
* A protocol structure for passing through the transport level
* protocol. It contains more fields than are actually used/needed
* but it is this way to be compatible with the structure used in
* OpenBSD (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.h)
*/
struct sadb_protocol {
uint16_t sadb_protocol_len;
uint16_t sadb_protocol_exttype;
uint8_t sadb_protocol_proto;
uint8_t sadb_protocol_direction;
uint8_t sadb_protocol_flags;
uint8_t sadb_protocol_reserved2;
};
#define SADB_EXT_RESERVED 0
#define SADB_EXT_SA 1
#define SADB_EXT_LIFETIME_CURRENT 2
#define SADB_EXT_LIFETIME_HARD 3
#define SADB_EXT_LIFETIME_SOFT 4
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define SADB_EXT_ADDRESS_PROXY 7
#define SADB_EXT_KEY_AUTH 8
#define SADB_EXT_KEY_ENCRYPT 9
#define SADB_EXT_IDENTITY_SRC 10
#define SADB_EXT_IDENTITY_DST 11
#define SADB_EXT_SENSITIVITY 12
#define SADB_EXT_PROPOSAL 13
#define SADB_EXT_SUPPORTED_AUTH 14
#define SADB_EXT_SUPPORTED_ENCRYPT 15
#define SADB_EXT_SPIRANGE 16
#define SADB_X_EXT_KMPRIVATE 17
#define SADB_X_EXT_SATYPE2 18
#ifdef KERNEL26_HAS_KAME_DUPLICATES
#define SADB_X_EXT_POLICY 18
#endif
#define SADB_X_EXT_SA2 19
#define SADB_X_EXT_ADDRESS_DST2 20
#define SADB_X_EXT_ADDRESS_SRC_FLOW 21
#define SADB_X_EXT_ADDRESS_DST_FLOW 22
#define SADB_X_EXT_ADDRESS_SRC_MASK 23
#define SADB_X_EXT_ADDRESS_DST_MASK 24
#define SADB_X_EXT_DEBUG 25
#define SADB_X_EXT_PROTOCOL 26
#define SADB_X_EXT_NAT_T_TYPE 27
#define SADB_X_EXT_NAT_T_SPORT 28
#define SADB_X_EXT_NAT_T_DPORT 29
#define SADB_X_EXT_NAT_T_OA 30
#define SADB_EXT_MAX 30
/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
#define SADB_X_EXT_ADDRESS_DELFLOW \
( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \
| (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \
| (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \
| (1<<SADB_X_EXT_ADDRESS_DST_MASK))
#define SADB_SATYPE_UNSPEC 0
#define SADB_SATYPE_AH 2
#define SADB_SATYPE_ESP 3
#define SADB_SATYPE_RSVP 5
#define SADB_SATYPE_OSPFV2 6
#define SADB_SATYPE_RIPV2 7
#define SADB_SATYPE_MIP 8
#define SADB_X_SATYPE_IPIP 9
#ifdef KERNEL26_HAS_KAME_DUPLICATES
#define SADB_X_SATYPE_IPCOMP 9 /* ICK! */
#endif
#define SADB_X_SATYPE_COMP 10
#define SADB_X_SATYPE_INT 11
#define SADB_SATYPE_MAX 11
#define SADB_SASTATE_LARVAL 0
#define SADB_SASTATE_MATURE 1
#define SADB_SASTATE_DYING 2
#define SADB_SASTATE_DEAD 3
#define SADB_SASTATE_MAX 3
#define SADB_SAFLAGS_PFS 1
#define SADB_X_SAFLAGS_REPLACEFLOW 2
#define SADB_X_SAFLAGS_CLEARFLOW 4
#define SADB_X_SAFLAGS_INFLOW 8
/* Authentication algorithms */
#define SADB_AALG_NONE 0
#define SADB_AALG_MD5HMAC 2
#define SADB_AALG_SHA1HMAC 3
#define SADB_X_AALG_SHA2_256HMAC 5
#define SADB_X_AALG_SHA2_384HMAC 6
#define SADB_X_AALG_SHA2_512HMAC 7
#define SADB_X_AALG_RIPEMD160HMAC 8
#define SADB_X_AALG_AES_XCBC_MAC 9
#define SADB_X_AALG_NULL 251 /* kame */
#define SADB_X_AALG_SHA2_256_96HMAC 252
#define SADB_AALG_MAX 252
/* Encryption algorithms */
#define SADB_EALG_NONE 0
#define SADB_EALG_DESCBC 2
#define SADB_EALG_3DESCBC 3
#define SADB_X_EALG_CASTCBC 6
#define SADB_X_EALG_BLOWFISHCBC 7
#define SADB_EALG_NULL 11
#define SADB_X_EALG_AESCBC 12
#define SADB_X_EALG_AESCTR 13
#define SADB_X_EALG_AES_CCM_ICV8 14
#define SADB_X_EALG_AES_CCM_ICV12 15
#define SADB_X_EALG_AES_CCM_ICV16 16
#define SADB_X_EALG_AES_GCM_ICV8 18
#define SADB_X_EALG_AES_GCM_ICV12 19
#define SADB_X_EALG_AES_GCM_ICV16 20
#define SADB_X_EALG_CAMELLIACBC 22
#define SADB_X_EALG_NULL_AES_GMAC 23
#define SADB_EALG_MAX 253 /* last EALG */
/* private allocations should use 249-255 (RFC2407) */
#define SADB_X_EALG_SERPENTCBC 252 /* draft-ietf-ipsec-ciph-aes-cbc-00 */
#define SADB_X_EALG_TWOFISHCBC 253 /* draft-ietf-ipsec-ciph-aes-cbc-00 */
/* Compression algorithms */
#define SADB_X_CALG_NONE 0
#define SADB_X_CALG_OUI 1
#define SADB_X_CALG_DEFLATE 2
#define SADB_X_CALG_LZS 3
#define SADB_X_CALG_LZJH 4
#define SADB_X_CALG_MAX 4
#define SADB_X_TALG_NONE 0
#define SADB_X_TALG_IPv4_in_IPv4 1
#define SADB_X_TALG_IPv6_in_IPv4 2
#define SADB_X_TALG_IPv4_in_IPv6 3
#define SADB_X_TALG_IPv6_in_IPv6 4
#define SADB_X_TALG_MAX 4
/* Identity Extension values */
#define SADB_IDENTTYPE_RESERVED 0
#define SADB_IDENTTYPE_PREFIX 1
#define SADB_IDENTTYPE_FQDN 2
#define SADB_IDENTTYPE_USERFQDN 3
#define SADB_IDENTTYPE_MAX 3
#endif /* __PFKEY_V2_H */

69
src/libfreeswan/portof.3
View File

@ -1,69 +0,0 @@
.TH IPSEC_PORTOF 3 "8 Sept 2000"
.SH NAME
ipsec portof \- get port field of an ip_address
.br
ipsec setportof \- set port field of an ip_address
.br
ipsec sockaddrof \- get pointer to internal sockaddr of an ip_address
.br
ipsec sockaddrlenof \- get length of internal sockaddr of an ip_address
.SH SYNOPSIS
.B "#include <freeswan.h>"
.sp
.B "int portof(const ip_address *src);"
.br
.B "void setportof(int port, ip_address *dst);"
.br
.B "struct sockaddr *sockaddrof(ip_address *src);"
.br
.B "size_t sockaddrlenof(const ip_address *src);"
.SH DESCRIPTION
The
.B <freeswan.h>
internal type
.I ip_address
contains one of the
.I sockaddr
types internally.
\fIReliance on this feature is discouraged\fR,
but it may occasionally be necessary.
These functions provide low-level tools for this purpose.
.PP
.I Portof
and
.I setportof
respectively read and write the port-number field of the internal
.IR sockaddr .
The values are in network byte order.
.PP
.I Sockaddrof
returns a pointer to the internal
.IR sockaddr ,
for passing to other functions.
.PP
.I Sockaddrlenof
reports the size of the internal
.IR sockaddr ,
for use in storage allocation.
.SH SEE ALSO
inet(3), ipsec_initaddr(3)
.SH DIAGNOSTICS
.I Portof
returns
.BR \-1 ,
.I sockaddrof
returns
.BR NULL ,
and
.I sockaddrlenof
returns
.B 0
if an unknown address family is found within the
.IR ip_address .
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.
.SH BUGS
These functions all depend on low-level details of the
.I ip_address
type, which are in principle subject to change.
Avoid using them unless really necessary.

96
src/libfreeswan/portof.c
View File

@ -1,96 +0,0 @@
/*
* low-level ip_address ugliness
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include <sys/socket.h>
#include "internal.h"
#include "freeswan.h"
/*
- portof - get the port field of an ip_address
*/
int /* network order */
portof(src)
const ip_address *src;
{
switch (src->u.v4.sin_family) {
case AF_INET:
return src->u.v4.sin_port;
break;
case AF_INET6:
return src->u.v6.sin6_port;
break;
default:
return -1; /* "can't happen" */
break;
}
}
/*
- setportof - set the port field of an ip_address
*/
void
setportof(port, dst)
int port; /* network order */
ip_address *dst;
{
switch (dst->u.v4.sin_family) {
case AF_INET:
dst->u.v4.sin_port = port;
break;
case AF_INET6:
dst->u.v6.sin6_port = port;
break;
}
}
/*
- sockaddrof - get a pointer to the sockaddr hiding inside an ip_address
*/
struct sockaddr *
sockaddrof(src)
ip_address *src;
{
switch (src->u.v4.sin_family) {
case AF_INET:
return (struct sockaddr *)&src->u.v4;
break;
case AF_INET6:
return (struct sockaddr *)&src->u.v6;
break;
default:
return NULL; /* "can't happen" */
break;
}
}
/*
- sockaddrlenof - get length of the sockaddr hiding inside an ip_address
*/
size_t /* 0 for error */
sockaddrlenof(src)
const ip_address *src;
{
switch (src->u.v4.sin_family) {
case AF_INET:
return sizeof(src->u.v4);
break;
case AF_INET6:
return sizeof(src->u.v6);
break;
default:
return 0;
break;
}
}

59
src/libfreeswan/rangetoa.c
View File

@ -1,59 +0,0 @@
/*
* convert binary form of address range to ASCII
* Copyright (C) 1998, 1999 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- rangetoa - convert address range to ASCII
*/
size_t /* space needed for full conversion */
rangetoa(addrs, format, dst, dstlen)
struct in_addr addrs[2];
int format; /* character */
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
{
size_t len;
size_t rest;
int n;
char *p;
switch (format) {
case 0:
break;
default:
return 0;
break;
}
len = addrtoa(addrs[0], 0, dst, dstlen);
if (len < dstlen)
for (p = dst + len - 1, n = 3; len < dstlen && n > 0;
p++, len++, n--)
*p = '.';
else
p = NULL;
if (len < dstlen)
rest = dstlen - len;
else {
if (dstlen > 0)
*(dst + dstlen - 1) = '\0';
rest = 0;
}
len += addrtoa(addrs[1], 0, p, rest);
return len;
}

58
src/libfreeswan/rangetosubnet.3
View File

@ -1,58 +0,0 @@
.TH IPSEC_RANGETOSUBNET 3 "8 Sept 2000"
.SH NAME
ipsec rangetosubnet \- convert address range to subnet
.SH SYNOPSIS
.B "#include <freeswan.h>"
.sp
.B "const char *rangetosubnet(const ip_address *start,"
.ti +1c
.B "const ip_address *stop, ip_subnet *dst);"
.SH DESCRIPTION
.I Rangetosubnet
accepts two IP addresses which define an address range,
from
.I start
to
.I stop
inclusive,
and converts this to a subnet if possible.
The addresses must both be IPv4 or both be IPv6,
and the address family of the resulting subnet is the same.
.PP
.I Rangetosubnet
returns NULL for success and
a pointer to a string-literal error message for failure;
see DIAGNOSTICS.
.SH SEE ALSO
ipsec_initsubnet(3), ipsec_ttosubnet(3)
.SH DIAGNOSTICS
Fatal errors in
.I rangetosubnet
are:
mixed address families;
unknown address family;
.I start
and
.I stop
do not define a subnet.
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.
.SH BUGS
The restriction of error reports to literal strings
(so that callers don't need to worry about freeing them or copying them)
does limit the precision of error reporting.
.PP
The error-reporting convention lends itself
to slightly obscure code,
because many readers will not think of NULL as signifying success.
A good way to make it clearer is to write something like:
.PP
.RS
.nf
.B "const char *error;"
.sp
.B "error = rangetosubnet( /* ... */ );"
.B "if (error != NULL) {"
.B " /* something went wrong */"
.fi
.RE

224
src/libfreeswan/rangetosubnet.c
View File

@ -1,224 +0,0 @@
/*
* express an address range as a subnet (if possible)
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- rangetosubnet - turn an address range into a subnet, if possible
*
* A range which is a valid subnet will have a network part which is the
* same in the from value and the to value, followed by a host part which
* is all 0 in the from value and all 1 in the to value.
*/
err_t
rangetosubnet(from, to, dst)
const ip_address *from;
const ip_address *to;
ip_subnet *dst;
{
unsigned const char *fp;
unsigned const char *tp;
unsigned fb;
unsigned tb;
unsigned const char *f;
unsigned const char *t;
size_t n;
size_t n2;
int i;
int nnet;
unsigned m;
if (addrtypeof(from) != addrtypeof(to))
return "mismatched address types";
n = addrbytesptr(from, &fp);
if (n == 0)
return "unknown address type";
n2 = addrbytesptr(to, &tp);
if (n != n2)
return "internal size mismatch in rangetosubnet";
f = fp;
t = tp;
nnet = 0;
for (i = n; i > 0 && *f == *t; i--, f++, t++)
nnet += 8;
if (i > 0 && !(*f == 0x00 && *t == 0xff)) { /* mid-byte bdry. */
fb = *f++;
tb = *t++;
i--;
m = 0x80;
while ((fb&m) == (tb&m)) {
fb &= ~m;
tb |= m;
m >>= 1;
nnet++;
}
if (fb != 0x00 || tb != 0xff)
return "not a valid subnet";
}
for (; i > 0 && *f == 0x00 && *t == 0xff; i--, f++, t++)
continue;
if (i != 0)
return "invalid subnet";
return initsubnet(from, nnet, 'x', dst);
}
#ifdef RANGETOSUBNET_MAIN
#include <stdio.h>
void regress(void);
int
main(int argc, char *argv[])
{
ip_address start;
ip_address stop;
ip_subnet sub;
char buf[100];
const char *oops;
size_t n;
int af;
int i;
if (argc == 2 && strcmp(argv[1], "-r") == 0) {
regress();
fprintf(stderr, "regress() returned?!?\n");
exit(1);
}
if (argc < 3) {
fprintf(stderr, "Usage: %s [-6] start stop\n", argv[0]);
fprintf(stderr, " or: %s -r\n", argv[0]);
exit(2);
}
af = AF_INET;
i = 1;
if (strcmp(argv[i], "-6") == 0) {
af = AF_INET6;
i++;
}
oops = ttoaddr(argv[i], 0, af, &start);
if (oops != NULL) {
fprintf(stderr, "%s: start conversion failed: %s\n", argv[0], oops);
exit(1);
}
oops = ttoaddr(argv[i+1], 0, af, &stop);
if (oops != NULL) {
fprintf(stderr, "%s: stop conversion failed: %s\n", argv[0], oops);
exit(1);
}
oops = rangetosubnet(&start, &stop, &sub);
if (oops != NULL) {
fprintf(stderr, "%s: rangetosubnet failed: %s\n", argv[0], oops);
exit(1);
}
n = subnettot(&sub, 0, buf, sizeof(buf));
if (n > sizeof(buf)) {
fprintf(stderr, "%s: reverse conversion", argv[0]);
fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
(long)n, (long)sizeof(buf));
exit(1);
}
printf("%s\n", buf);
exit(0);
}
struct rtab {
int family;
char *start;
char *stop;
char *output; /* NULL means error expected */
} rtab[] = {
{4, "1.2.3.0", "1.2.3.255", "1.2.3.0/24"},
{4, "1.2.3.0", "1.2.3.7", "1.2.3.0/29"},
{4, "1.2.3.240", "1.2.3.255", "1.2.3.240/28"},
{4, "0.0.0.0", "255.255.255.255", "0.0.0.0/0"},
{4, "1.2.3.4", "1.2.3.4", "1.2.3.4/32"},
{4, "1.2.3.0", "1.2.3.254", NULL},
{4, "1.2.3.0", "1.2.3.126", NULL},
{4, "1.2.3.0", "1.2.3.125", NULL},
{4, "1.2.0.0", "1.2.255.255", "1.2.0.0/16"},
{4, "1.2.0.0", "1.2.0.255", "1.2.0.0/24"},
{4, "1.2.255.0", "1.2.255.255", "1.2.255.0/24"},
{4, "1.2.255.0", "1.2.254.255", NULL},
{4, "1.2.255.1", "1.2.255.255", NULL},
{4, "1.2.0.1", "1.2.255.255", NULL},
{6, "1:2:3:4:5:6:7:0", "1:2:3:4:5:6:7:ffff", "1:2:3:4:5:6:7:0/112"},
{6, "1:2:3:4:5:6:7:0", "1:2:3:4:5:6:7:fff", "1:2:3:4:5:6:7:0/116"},
{6, "1:2:3:4:5:6:7:f0", "1:2:3:4:5:6:7:ff", "1:2:3:4:5:6:7:f0/124"},
{4, NULL, NULL, NULL},
};
void
regress()
{
struct rtab *r;
int status = 0;
ip_address start;
ip_address stop;
ip_subnet sub;
char buf[100];
const char *oops;
size_t n;
int af;
for (r = rtab; r->start != NULL; r++) {
af = (r->family == 4) ? AF_INET : AF_INET6;
oops = ttoaddr(r->start, 0, af, &start);
if (oops != NULL) {
printf("surprise failure converting `%s'\n", r->start);
exit(1);
}
oops = ttoaddr(r->stop, 0, af, &stop);
if (oops != NULL) {
printf("surprise failure converting `%s'\n", r->stop);
exit(1);
}
oops = rangetosubnet(&start, &stop, &sub);
if (oops != NULL && r->output == NULL)
{} /* okay, error expected */
else if (oops != NULL) {
printf("`%s'-`%s' rangetosubnet failed: %s\n",
r->start, r->stop, oops);
status = 1;
} else if (r->output == NULL) {
printf("`%s'-`%s' rangetosubnet succeeded unexpectedly\n",
r->start, r->stop);
status = 1;
} else {
n = subnettot(&sub, 0, buf, sizeof(buf));
if (n > sizeof(buf)) {
printf("`%s'-`%s' subnettot failed: need %ld\n",
r->start, r->stop, (long)n);
status = 1;
} else if (strcmp(r->output, buf) != 0) {
printf("`%s'-`%s' gave `%s', expected `%s'\n",
r->start, r->stop, buf, r->output);
status = 1;
}
}
}
exit(status);
}
#endif /* RANGETOSUBNET_MAIN */

164
src/libfreeswan/sameaddr.3
View File

@ -1,164 +0,0 @@
.TH IPSEC_ANYADDR 3 "28 Nov 2000"
.SH NAME
ipsec sameaddr \- are two addresses the same?
.br
ipsec addrcmp \- ordered comparison of addresses
.br
ipsec samesubnet \- are two subnets the same?
.br
ipsec addrinsubnet \- is an address within a subnet?
.br
ipsec subnetinsubnet \- is a subnet within another subnet?
.br
ipsec subnetishost \- is a subnet a single host?
.br
ipsec samesaid \- are two SA IDs the same?
.br
ipsec sameaddrtype \- are two addresses of the same address family?
.br
ipsec samesubnettype \- are two subnets of the same address family?
.SH SYNOPSIS
.B "#include <freeswan.h>
.sp
.B "int sameaddr(const ip_address *a, const ip_address *b);"
.br
.B "int addrcmp(const ip_address *a, const ip_address *b);"
.br
.B "int samesubnet(const ip_subnet *a, const ip_subnet *b);"
.br
.B "int addrinsubnet(const ip_address *a, const ip_subnet *s);"
.br
.B "int subnetinsubnet(const ip_subnet *a, const ip_subnet *b);"
.br
.B "int subnetishost(const ip_subnet *s);"
.br
.B "int samesaid(const ip_said *a, const ip_said *b);"
.br
.B "int sameaddrtype(const ip_address *a, const ip_address *b);"
.br
.B "int samesubnettype(const ip_subnet *a, const ip_subnet *b);"
.SH DESCRIPTION
These functions do various comparisons and tests on the
.I ip_address
type and
.I ip_subnet
types.
.PP
.I Sameaddr
returns
non-zero
if addresses
.I a
and
.IR b
are identical,
and
.B 0
otherwise.
Addresses of different families are never identical.
.PP
.I Addrcmp
returns
.BR \-1 ,
.BR 0 ,
or
.BR 1
respectively
if address
.I a
is less than, equal to, or greater than
.IR b .
If they are not of the same address family,
they are never equal;
the ordering reported in this case is arbitrary
(and probably not useful) but consistent.
.PP
.I Samesubnet
returns
non-zero
if subnets
.I a
and
.IR b
are identical,
and
.B 0
otherwise.
Subnets of different address families are never identical.
.PP
.I Addrinsubnet
returns
non-zero
if address
.I a
is within subnet
.IR s
and
.B 0
otherwise.
An address is never within a
subnet of a different address family.
.PP
.I Subnetinsubnet
returns
non-zero
if subnet
.I a
is a subset of subnet
.IR b
and
.B 0
otherwise.
A subnet is deemed to be a subset of itself.
A subnet is never a subset of another
subnet if their address families differ.
.PP
.I Subnetishost
returns
non-zero
if subnet
.I s
is in fact only a single host,
and
.B 0
otherwise.
.PP
.I Samesaid
returns
non-zero
if SA IDs
.I a
and
.IR b
are identical,
and
.B 0
otherwise.
.PP
.I Sameaddrtype
returns
non-zero
if addresses
.I a
and
.IR b
are of the same address family,
and
.B 0
otherwise.
.PP
.I Samesubnettype
returns
non-zero
if subnets
.I a
and
.IR b
are of the same address family,
and
.B 0
otherwise.
.SH SEE ALSO
inet(3), ipsec_initaddr(3)
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.

188
src/libfreeswan/sameaddr.c
View File

@ -1,188 +0,0 @@
/*
* comparisons
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
static int samenbits(const ip_address *a, const ip_address *b, int n);
/*
- addrcmp - compare two addresses
* Caution, the order of the tests is subtle: doing type test before
* size test can yield cases where a<b, b<c, but a>c.
*/
int /* like memcmp */
addrcmp(a, b)
const ip_address *a;
const ip_address *b;
{
int at = addrtypeof(a);
int bt = addrtypeof(b);
const unsigned char *ap;
const unsigned char *bp;
size_t as = addrbytesptr(a, &ap);
size_t bs = addrbytesptr(b, &bp);
size_t n = (as < bs) ? as : bs; /* min(as, bs) */
int c = memcmp(ap, bp, n);
if (c != 0) /* bytes differ */
return (c < 0) ? -1 : 1;
if (as != bs) /* comparison incomplete: lexical order */
return (as < bs) ? -1 : 1;
if (at != bt) /* bytes same but not same type: break tie */
return (at < bt) ? -1 : 1;
return 0;
}
/*
- sameaddr - are two addresses the same?
*/
int
sameaddr(a, b)
const ip_address *a;
const ip_address *b;
{
return (addrcmp(a, b) == 0) ? 1 : 0;
}
/*
- samesubnet - are two subnets the same?
*/
int
samesubnet(a, b)
const ip_subnet *a;
const ip_subnet *b;
{
if (!sameaddr(&a->addr, &b->addr)) /* also does type check */
return 0;
if (a->maskbits != b->maskbits)
return 0;
return 1;
}
/*
- subnetishost - is a subnet in fact a single host?
*/
int
subnetishost(a)
const ip_subnet *a;
{
return (a->maskbits == addrlenof(&a->addr)*8) ? 1 : 0;
}
/*
- samesaid - are two SA IDs the same?
*/
int
samesaid(a, b)
const ip_said *a;
const ip_said *b;
{
if (a->spi != b->spi) /* test first, most likely to be different */
return 0;
if (!sameaddr(&a->dst, &b->dst))
return 0;
if (a->proto != b->proto)
return 0;
return 1;
}
/*
- sameaddrtype - do two addresses have the same type?
*/
int
sameaddrtype(a, b)
const ip_address *a;
const ip_address *b;
{
return (addrtypeof(a) == addrtypeof(b)) ? 1 : 0;
}
/*
- samesubnettype - do two subnets have the same type?
*/
int
samesubnettype(a, b)
const ip_subnet *a;
const ip_subnet *b;
{
return (subnettypeof(a) == subnettypeof(b)) ? 1 : 0;
}
/*
- addrinsubnet - is this address in this subnet?
*/
int
addrinsubnet(a, s)
const ip_address *a;
const ip_subnet *s;
{
if (addrtypeof(a) != subnettypeof(s))
return 0;
if (!samenbits(a, &s->addr, s->maskbits))
return 0;
return 1;
}
/*
- subnetinsubnet - is one subnet within another?
*/
int
subnetinsubnet(a, b)
const ip_subnet *a;
const ip_subnet *b;
{
if (subnettypeof(a) != subnettypeof(b))
return 0;
if (a->maskbits < b->maskbits) /* a is bigger than b */
return 0;
if (!samenbits(&a->addr, &b->addr, b->maskbits))
return 0;
return 1;
}
/*
- samenbits - do two addresses have the same first n bits?
*/
static int
samenbits(a, b, nbits)
const ip_address *a;
const ip_address *b;
int nbits;
{
const unsigned char *ap;
const unsigned char *bp;
size_t n;
int m;
if (addrtypeof(a) != addrtypeof(b))
return 0; /* arbitrary */
n = addrbytesptr(a, &ap);
if (n == 0)
return 0; /* arbitrary */
(void) addrbytesptr(b, &bp);
if (nbits > n*8)
return 0; /* "can't happen" */
for (; nbits >= 8 && *ap == *bp; nbits -= 8, ap++, bp++)
continue;
if (nbits >= 8)
return 0;
if (nbits > 0) { /* partial byte */
m = ~(0xff >> nbits);
if ((*ap & m) != (*bp & m))
return 0;
}
return 1;
}

132
src/libfreeswan/satot.c
View File

@ -1,132 +0,0 @@
/*
* convert from binary form of SA ID to text
* Copyright (C) 2000, 2001 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include <sys/socket.h>
#include "internal.h"
#include "freeswan.h"
static struct typename {
char type;
char *name;
} typenames[] = {
{ SA_AH, "ah" },
{ SA_ESP, "esp" },
{ SA_IPIP, "tun" },
{ SA_COMP, "comp" },
{ SA_INT, "int" },
{ 0, NULL }
};
/*
- satot - convert SA to text "ah507@1.2.3.4"
*/
size_t /* space needed for full conversion */
satot(sa, format, dst, dstlen)
const ip_said *sa;
int format; /* character */
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
{
size_t len = 0; /* 0 means "not recognized yet" */
int base;
int showversion; /* use delimiter to show IP version? */
struct typename *tn;
char *p;
char *pre;
char buf[10+1+ULTOT_BUF+ADDRTOT_BUF];
char unk[10];
switch (format) {
case 0:
base = 16;
showversion = 1;
break;
case 'f':
base = 17;
showversion = 1;
break;
case 'x':
base = 'x';
showversion = 0;
break;
case 'd':
base = 10;
showversion = 0;
break;
default:
return 0;
break;
}
pre = NULL;
for (tn = typenames; tn->name != NULL; tn++)
if (sa->proto == tn->type) {
pre = tn->name;
break; /* NOTE BREAK OUT */
}
if (pre == NULL) { /* unknown protocol */
strncpy(unk, "unk", sizeof(unk));
(void) ultot((unsigned char)sa->proto, 10, unk+strlen(unk),
sizeof(unk)-strlen(unk));
pre = unk;
}
if (strcmp(pre, PASSTHROUGHTYPE) == 0 &&
sa->spi == PASSTHROUGHSPI &&
isunspecaddr(&sa->dst)) {
strncpy(buf, (addrtypeof(&sa->dst) == AF_INET) ?
PASSTHROUGH4NAME :
PASSTHROUGH6NAME, sizeof(buf));
len = strlen(buf);
}
if (sa->proto == SA_INT && addrtypeof(&sa->dst) == AF_INET &&
isunspecaddr(&sa->dst)) {
switch (ntohl(sa->spi)) {
case SPI_PASS: p = "%pass"; break;
case SPI_DROP: p = "%drop"; break;
case SPI_REJECT: p = "%reject"; break;
case SPI_HOLD: p = "%hold"; break;
case SPI_TRAP: p = "%trap"; break;
case SPI_TRAPSUBNET: p = "%trapsubnet"; break;
default: p = NULL; break;
}
if (p != NULL) {
strncpy(buf, p, sizeof(buf));
len = strlen(buf);
}
}
if (len == 0) { /* general case needed */
strncpy(buf, pre, sizeof(buf));
len = strlen(buf);
if (showversion) {
*(buf+len) = (addrtypeof(&sa->dst) == AF_INET) ? '.' :
':';
len++;
*(buf+len) = '\0';
}
len += ultot(ntohl(sa->spi), base, buf+len, sizeof(buf)-len);
*(buf+len-1) = '@';
len += addrtot(&sa->dst, 0, buf+len, sizeof(buf)-len);
}
if (dst != NULL) {
if (len > dstlen)
*(buf+dstlen-1) = '\0';
strncpy(dst, buf, dstlen);
}
return len;
}

46
src/libfreeswan/subnetof.3
View File

@ -1,46 +0,0 @@
.TH IPSEC_SUBNETOF 3 "11 June 2001"
.SH NAME
ipsec subnetof \- given Internet address and subnet mask, return subnet number
.br
ipsec hostof \- given Internet address and subnet mask, return host part
.br
ipsec broadcastof \- given Internet address and subnet mask, return broadcast address
.SH SYNOPSIS
.B "#include <freeswan.h>
.sp
.B "struct in_addr subnetof(struct in_addr addr,"
.ti +1c
.B "struct in_addr mask);"
.br
.B "struct in_addr hostof(struct in_addr addr,"
.ti +1c
.B "struct in_addr mask);"
.br
.B "struct in_addr broadcastof(struct in_addr addr,"
.ti +1c
.B "struct in_addr mask);"
.SH DESCRIPTION
These functions are obsolete; see
.IR ipsec_networkof (3)
for their replacements.
.PP
.I Subnetof
takes an Internet
.I address
and a subnet
.I mask
and returns the network part of the address
(all in network byte order).
.I Hostof
similarly returns the host part, and
.I broadcastof
returns the broadcast address (all-1s convention) for the network.
.PP
These functions are provided to hide the Internet bit-munging inside
an API, in hopes of easing the eventual transition to IPv6.
.SH SEE ALSO
inet(3), ipsec_atosubnet(3)
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.
.SH BUGS
Calling functions for this is more costly than doing it yourself.

58
src/libfreeswan/subnetof.c
View File

@ -1,58 +0,0 @@
/*
* minor network-address manipulation utilities
* Copyright (C) 1998, 1999 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- subnetof - given address and mask, return subnet part
*/
struct in_addr
subnetof(addr, mask)
struct in_addr addr;
struct in_addr mask;
{
struct in_addr result;
result.s_addr = addr.s_addr & mask.s_addr;
return result;
}
/*
- hostof - given address and mask, return host part
*/
struct in_addr
hostof(addr, mask)
struct in_addr addr;
struct in_addr mask;
{
struct in_addr result;
result.s_addr = addr.s_addr & ~mask.s_addr;
return result;
}
/*
- broadcastof - given (network) address and mask, return broadcast address
*/
struct in_addr
broadcastof(addr, mask)
struct in_addr addr;
struct in_addr mask;
{
struct in_addr result;
result.s_addr = addr.s_addr | ~mask.s_addr;
return result;
}

60
src/libfreeswan/subnettoa.c
View File

@ -1,60 +0,0 @@
/*
* convert binary form of subnet description to ASCII
* Copyright (C) 1998, 1999 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- subnettoa - convert address and mask to ASCII "addr/mask"
* Output expresses the mask as a bit count if possible, else dotted decimal.
*/
size_t /* space needed for full conversion */
subnettoa(addr, mask, format, dst, dstlen)
struct in_addr addr;
struct in_addr mask;
int format; /* character */
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
{
size_t len;
size_t rest;
int n;
char *p;
switch (format) {
case 0:
break;
default:
return 0;
break;
}
len = addrtoa(addr, 0, dst, dstlen);
if (len < dstlen) {
dst[len - 1] = '/';
p = dst + len;
rest = dstlen - len;
} else {
p = NULL;
rest = 0;
}
n = masktobits(mask);
if (n >= 0)
len += ultoa((unsigned long)n, 10, p, rest);
else
len += addrtoa(mask, 0, p, rest);
return len;
}

54
src/libfreeswan/subnettot.c
View File

@ -1,54 +0,0 @@
/*
* convert binary form of subnet description to text
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- subnettot - convert subnet to text "addr/bitcount"
*/
size_t /* space needed for full conversion */
subnettot(sub, format, dst, dstlen)
const ip_subnet *sub;
int format; /* character */
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
{
size_t len;
size_t rest;
char *p;
switch (format) {
case 0:
break;
default:
return 0;
break;
}
len = addrtot(&sub->addr, format, dst, dstlen);
if (len < dstlen) {
dst[len - 1] = '/';
p = dst + len;
rest = dstlen - len;
} else {
p = NULL;
rest = 0;
}
len += ultoa((unsigned long)sub->maskbits, 10, p, rest);
return len;
}

107
src/libfreeswan/subnettypeof.c
View File

@ -1,107 +0,0 @@
/*
* extract parts of an ip_subnet, and related
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- subnettypeof - get the address type of an ip_subnet
*/
int
subnettypeof(src)
const ip_subnet *src;
{
return src->addr.u.v4.sin_family;
}
/*
- networkof - get the network address of a subnet
*/
void
networkof(src, dst)
const ip_subnet *src;
ip_address *dst;
{
*dst = src->addr;
}
/*
- maskof - get the mask of a subnet, as an address
*/
void
maskof(src, dst)
const ip_subnet *src;
ip_address *dst;
{
int b;
unsigned char buf[16];
size_t n = addrlenof(&src->addr);
unsigned char *p;
if (src->maskbits > n*8 || n > sizeof(buf))
return; /* "can't happen" */
p = buf;
for (b = src->maskbits; b >= 8; b -= 8)
*p++ = 0xff;
if (b != 0)
*p++ = (0xff << (8 - b)) & 0xff;
while (p - buf < n)
*p++ = 0;
(void) initaddr(buf, n, addrtypeof(&src->addr), dst);
}
/*
- masktocount - convert a mask, expressed as an address, to a bit count
*/
int /* -1 if not valid mask */
masktocount(src)
const ip_address *src;
{
int b;
unsigned const char *bp;
size_t n;
unsigned const char *p;
unsigned const char *stop;
n = addrbytesptr(src, &bp);
if (n == 0)
return -1;
p = bp;
stop = bp + n;
n = 0;
while (p < stop && *p == 0xff) {
p++;
n += 8;
}
if (p < stop && *p != 0) { /* boundary in mid-byte */
b = *p++;
while (b&0x80) {
b <<= 1;
n++;
}
if ((b&0xff) != 0)
return -1; /* bits not contiguous */
}
while (p < stop && *p == 0)
p++;
if (p != stop)
return -1;
return n;
}

374
src/libfreeswan/ttoaddr.3
View File

@ -1,374 +0,0 @@
.TH IPSEC_TTOADDR 3 "28 Sept 2001"
.SH NAME
ipsec ttoaddr, tnatoaddr, addrtot \- convert Internet addresses to and from text
.br
ipsec ttosubnet, subnettot \- convert subnet/mask text form to and from addresses
.SH SYNOPSIS
.B "#include <freeswan.h>
.sp
.B "const char *ttoaddr(const char *src, size_t srclen,"
.ti +1c
.B "int af, ip_address *addr);"
.br
.B "const char *tnatoaddr(const char *src, size_t srclen,"
.ti +1c
.B "int af, ip_address *addr);"
.br
.B "size_t addrtot(const ip_address *addr, int format,"
.ti +1c
.B "char *dst, size_t dstlen);"
.sp
.B "const char *ttosubnet(const char *src, size_t srclen,"
.ti +1c
.B "int af, ip_subnet *dst);"
.br
.B "size_t subnettot(const ip_subnet *sub, int format,"
.ti +1c
.B "char *dst, size_t dstlen);"
.SH DESCRIPTION
.I Ttoaddr
converts a text-string name or numeric address into a binary address
(in network byte order).
.I Tnatoaddr
does the same conversion,
but the only text forms it accepts are
the ``official'' forms of
numeric address (dotted-decimal for IPv4, colon-hex for IPv6).
.I Addrtot
does the reverse conversion, from binary address back to a text form.
.I Ttosubnet
and
.I subnettot
do likewise for the ``address/mask'' form used to write a
specification of a subnet.
.PP
An IPv4 address is specified in text as a
dotted-decimal address (e.g.
.BR 1.2.3.4 ),
an eight-digit network-order hexadecimal number with the usual C prefix (e.g.
.BR 0x01020304 ,
which is synonymous with
.BR 1.2.3.4 ),
an eight-digit host-order hexadecimal number with a
.B 0h
prefix (e.g.
.BR 0h01020304 ,
which is synonymous with
.B 1.2.3.4
on a big-endian host and
.B 4.3.2.1
on a little-endian host),
a DNS name to be looked up via
.IR getaddrinfo (3),
or an old-style network name to be looked up via
.IR getnetbyname (3).
.PP
A dotted-decimal address may be incomplete, in which case
text-to-binary conversion implicitly appends
as many instances of
.B .0
as necessary to bring it up to four components.
The components of a dotted-decimal address are always taken as
decimal, and leading zeros are ignored.
For example,
.B 10
is synonymous with
.BR 10.0.0.0 ,
and
.B 128.009.000.032
is synonymous with
.BR 128.9.0.32
(the latter example is verbatim from RFC 1166).
The result of applying
.I addrtot
to an IPv4 address is always complete and does not contain leading zeros.
.PP
Use of hexadecimal addresses is
.B strongly
.BR discouraged ;
they are included only to save hassles when dealing with
the handful of perverted programs which already print
network addresses in hexadecimal.
.PP
An IPv6 address is specified in text with
colon-hex notation (e.g.
.BR 0:56:78ab:22:33:44:55:66 ),
colon-hex with
.B ::
abbreviating at most one subsequence of multiple zeros (e.g.
.BR 99:ab::54:068 ,
which is synonymous with
.BR 99:ab:0:0:0:0:54:68 ),
or a DNS name to be looked up via
.IR getaddrinfo (3).
The result of applying
.I addrtot
to an IPv6 address will use
.B ::
abbreviation if possible,
and will not contain leading zeros.
.PP
The letters in hexadecimal
may be uppercase or lowercase or any mixture thereof.
.PP
DNS names may be complete (optionally terminated with a ``.'')
or incomplete, and are looked up as specified by local system configuration
(see
.IR resolver (5)).
The first value returned by
.IR getaddrinfo (3)
is used,
so with current DNS implementations,
the result when the name corresponds to more than one address is
difficult to predict.
IPv4 name lookup resorts to
.IR getnetbyname (3)
only if
.IR getaddrinfo (3)
fails.
.PP
A subnet specification is of the form \fInetwork\fB/\fImask\fR.
The
.I network
and
.I mask
can be any form acceptable to
.IR ttoaddr .
In addition, and preferably, the
.I mask
can be a decimal integer (leading zeros ignored) giving a bit count,
in which case
it stands for a mask with that number of high bits on and all others off
(e.g.,
.B 24
in IPv4 means
.BR 255.255.255.0 ).
In any case, the mask must be contiguous
(a sequence of high bits on and all remaining low bits off).
As a special case, the subnet specification
.B %default
is a synonym for
.B 0.0.0.0/0
or
.B ::/0
in IPv4 or IPv6 respectively.
.PP
.I Ttosubnet
ANDs the mask with the address before returning,
so that any non-network bits in the address are turned off
(e.g.,
.B 10.1.2.3/24
is synonymous with
.BR 10.1.2.0/24 ).
.I Subnettot
always generates the decimal-integer-bit-count
form of the mask,
with no leading zeros.
.PP
The
.I srclen
parameter of
.I ttoaddr
and
.I ttosubnet
specifies the length of the text string pointed to by
.IR src ;
it is an error for there to be anything else
(e.g., a terminating NUL) within that length.
As a convenience for cases where an entire NUL-terminated string is
to be converted,
a
.I srclen
value of
.B 0
is taken to mean
.BR strlen(src) .
.PP
The
.I af
parameter of
.I ttoaddr
and
.I ttosubnet
specifies the address family of interest.
It should be either
.B AF_INET
or
.BR AF_INET6 .
.PP
The
.I dstlen
parameter of
.I addrtot
and
.I subnettot
specifies the size of the
.I dst
parameter;
under no circumstances are more than
.I dstlen
bytes written to
.IR dst .
A result which will not fit is truncated.
.I Dstlen
can be zero, in which case
.I dst
need not be valid and no result is written,
but the return value is unaffected;
in all other cases, the (possibly truncated) result is NUL-terminated.
The
.I freeswan.h
header file defines constants,
.B ADDRTOT_BUF
and
.BR SUBNETTOT_BUF ,
which are the sizes of buffers just large enough for worst-case results.
.PP
The
.I format
parameter of
.I addrtot
and
.I subnettot
specifies what format is to be used for the conversion.
The value
.B 0
(not the character
.BR '0' ,
but a zero value)
specifies a reasonable default,
and is in fact the only format currently available in
.IR subnettot .
.I Addrtot
also accepts format values
.B 'r'
(signifying a text form suitable for DNS reverse lookups,
e.g.
.B 4.3.2.1.IN-ADDR.ARPA.
for IPv4 and
RFC 2874 format for IPv6),
and
.B 'R'
(signifying an alternate reverse-lookup form,
an error for IPv4 and RFC 1886 format for IPv6).
Reverse-lookup names always end with a ``.''.
.PP
The text-to-binary functions return NULL for success and
a pointer to a string-literal error message for failure;
see DIAGNOSTICS.
The binary-to-text functions return
.B 0
for a failure, and otherwise
always return the size of buffer which would
be needed to
accommodate the full conversion result, including terminating NUL;
it is the caller's responsibility to check this against the size of
the provided buffer to determine whether truncation has occurred.
.SH SEE ALSO
inet(3)
.SH DIAGNOSTICS
Fatal errors in
.I ttoaddr
are:
empty input;
unknown address family;
attempt to allocate temporary storage for a very long name failed;
name lookup failed;
syntax error in dotted-decimal or colon-hex form;
dotted-decimal or colon-hex component too large.
.PP
Fatal errors in
.I ttosubnet
are:
no
.B /
in
.IR src ;
.I ttoaddr
error in conversion of
.I network
or
.IR mask ;
bit-count mask too big;
mask non-contiguous.
.PP
Fatal errors in
.I addrtot
and
.I subnettot
are:
unknown format.
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.
.SH BUGS
The interpretation of incomplete dotted-decimal addresses
(e.g.
.B 10/24
means
.BR 10.0.0.0/24 )
differs from that of some older conversion
functions, e.g. those of
.IR inet (3).
The behavior of the older functions has never been
particularly consistent or particularly useful.
.PP
Ignoring leading zeros in dotted-decimal components and bit counts
is arguably the most useful behavior in this application,
but it might occasionally cause confusion with the historical use of leading
zeros to denote octal numbers.
.PP
.I Ttoaddr
does not support the mixed colon-hex-dotted-decimal
convention used to embed an IPv4 address in an IPv6 address.
.PP
.I Addrtot
always uses the
.B ::
abbreviation (which can appear only once in an address) for the
.I first
sequence of multiple zeros in an IPv6 address.
One can construct addresses (unlikely ones) in which this is suboptimal.
.PP
.I Addrtot
.B 'r'
conversion of an IPv6 address uses lowercase hexadecimal,
not the uppercase used in RFC 2874's examples.
It takes careful reading of RFCs 2874, 2673, and 2234 to realize
that lowercase is technically legitimate here,
and there may be software which botches this
and hence would have trouble with lowercase hex.
.PP
Possibly
.I subnettot
ought to recognize the
.B %default
case and generate that string as its output.
Currently it doesn't.
.PP
It is barely possible that somebody, somewhere,
might have a legitimate use for non-contiguous subnet masks.
.PP
.IR Getnetbyname (3)
is a historical dreg.
.PP
.I Tnatoaddr
probably should enforce completeness of dotted-decimal addresses.
.PP
The restriction of text-to-binary error reports to literal strings
(so that callers don't need to worry about freeing them or copying them)
does limit the precision of error reporting.
.PP
The text-to-binary error-reporting convention lends itself
to slightly obscure code,
because many readers will not think of NULL as signifying success.
A good way to make it clearer is to write something like:
.PP
.RS
.nf
.B "const char *error;"
.sp
.B "error = ttoaddr( /* ... */ );"
.B "if (error != NULL) {"
.B " /* something went wrong */"
.fi
.RE

471
src/libfreeswan/ttoaddr.c
View File

@ -1,471 +0,0 @@
/*
* conversion from text forms of addresses to internal ones
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include <sys/socket.h>
#include "internal.h"
#include "freeswan.h"
/*
* Legal ASCII characters in a domain name. Underscore technically is not,
* but is a common misunderstanding. Non-ASCII characters are simply
* exempted from checking at the moment, to allow for UTF-8 encoded stuff;
* the purpose of this check is merely to catch blatant errors.
*/
static const char namechars[] = "abcdefghijklmnopqrstuvwxyz0123456789"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ-_.";
#define ISASCII(c) (((c) & 0x80) == 0)
static err_t tryname(const char *, size_t, int, int, ip_address *);
static err_t tryhex(const char *, size_t, int, ip_address *);
static err_t trydotted(const char *, size_t, ip_address *);
static err_t getbyte(const char **, const char *, int *);
static err_t colon(const char *, size_t, ip_address *);
static err_t getpiece(const char **, const char *, unsigned *);
/*
- ttoaddr - convert text name or dotted-decimal address to binary address
*/
err_t /* NULL for success, else string literal */
ttoaddr(src, srclen, af, dst)
const char *src;
size_t srclen; /* 0 means "apply strlen" */
int af; /* address family */
ip_address *dst;
{
err_t oops;
# define HEXLEN 10 /* strlen("0x11223344") */
int nultermd;
if (srclen == 0) {
srclen = strlen(src);
if (srclen == 0)
return "empty string";
nultermd = 1;
} else
nultermd = 0; /* at least, not *known* to be terminated */
switch (af) {
case AF_INET:
case AF_INET6:
case 0: /* guess */
break;
default:
return "invalid address family";
}
if (af == AF_INET && srclen == HEXLEN && *src == '0') {
if (*(src+1) == 'x' || *(src+1) == 'X')
return tryhex(src+2, srclen-2, 'x', dst);
if (*(src+1) == 'h' || *(src+1) == 'H')
return tryhex(src+2, srclen-2, 'h', dst);
}
if (memchr(src, ':', srclen) != NULL) {
if(af == 0)
{
af = AF_INET6;
}
if (af != AF_INET6)
return "non-ipv6 address may not contain `:'";
return colon(src, srclen, dst);
}
if (af == 0 || af == AF_INET) {
oops = trydotted(src, srclen, dst);
if (oops == NULL)
return NULL; /* it worked */
if (*oops != '?')
return oops; /* probably meant as d-d */
}
return tryname(src, srclen, nultermd, af, dst);
}
/*
- tnatoaddr - convert text numeric address (only) to binary address
*/
err_t /* NULL for success, else string literal */
tnatoaddr(src, srclen, af, dst)
const char *src;
size_t srclen; /* 0 means "apply strlen" */
int af; /* address family */
ip_address *dst;
{
err_t oops;
if (srclen == 0) {
srclen = strlen(src);
if (srclen == 0)
return "empty string";
}
switch (af) {
case 0: /* guess */
oops = colon(src, srclen, dst);
if(oops == NULL)
{
return NULL;
}
oops = trydotted(src, srclen, dst);
if(oops == NULL)
{
return NULL;
}
return "does not appear to be either IPv4 or IPv6 numeric address";
break;
case AF_INET6:
return colon(src, srclen, dst);
break;
case AF_INET:
oops = trydotted(src, srclen, dst);
if (oops == NULL)
return NULL; /* it worked */
if (*oops != '?')
return oops; /* probably meant as d-d */
return "does not appear to be numeric address";
break;
default:
return "unknown address family in tnatoaddr";
break;
}
}
/*
- tryname - try it as a name
* Slightly complicated by lack of reliable NUL termination in source.
*/
static err_t
tryname(src, srclen, nultermd, af, dst)
const char *src;
size_t srclen;
int nultermd; /* is it known to be NUL-terminated? */
int af;
ip_address *dst;
{
struct addrinfo hints, *res;
struct netent *ne = NULL;
char namebuf[100]; /* enough for most DNS names */
const char *cp;
char *p = namebuf;
unsigned char *addr = NULL;
size_t n;
int error;
err_t err = NULL;
for (cp = src, n = srclen; n > 0; cp++, n--)
if (ISASCII(*cp) && strchr(namechars, *cp) == NULL)
return "illegal (non-DNS-name) character in name";
if (nultermd)
cp = src;
else {
if (srclen+1 > sizeof(namebuf)) {
p = (char *) MALLOC(srclen+1);
if (p == NULL)
return "unable to get temporary space for name";
}
p[0] = '\0'; /* strncpy semantics are wrong */
strncat(p, src, srclen);
cp = (const char *)p;
}
memset(&hints, 0, sizeof(hints));
hints.ai_family = af;
error = getaddrinfo(cp, NULL, &hints, &res);
if (error != 0)
{ /* getaddrinfo failed, try getnetbyname */
if (af == AF_INET)
{
ne = getnetbyname(cp);
if (ne != NULL)
{
ne->n_net = htonl(ne->n_net);
addr = (unsigned char*)&ne->n_net;
err = initaddr(addr, sizeof(ne->n_net), af, dst);
}
}
}
else
{
struct addrinfo *r = res;
while (r)
{
size_t addr_len;
switch (r->ai_family)
{
case AF_INET:
{
struct sockaddr_in *in = (struct sockaddr_in*)r->ai_addr;
addr_len = 4;
addr = (unsigned char*)&in->sin_addr.s_addr;
break;
}
case AF_INET6:
{
struct sockaddr_in6 *in6 = (struct sockaddr_in6*)r->ai_addr;
addr_len = 16;
addr = (unsigned char*)&in6->sin6_addr.s6_addr;
break;
}
default:
{ /* unknown family, try next result */
r = r->ai_next;
continue;
}
}
err = initaddr(addr, addr_len, r->ai_family, dst);
break;
}
freeaddrinfo(res);
}
if (p != namebuf)
{
FREE(p);
}
if (addr == NULL)
{
return "does not look numeric and name lookup failed";
}
return err;
}
/*
- tryhex - try conversion as an eight-digit hex number (AF_INET only)
*/
static err_t
tryhex(src, srclen, flavor, dst)
const char *src;
size_t srclen; /* should be 8 */
int flavor; /* 'x' for network order, 'h' for host order */
ip_address *dst;
{
err_t oops;
unsigned long ul;
union {
uint32_t addr;
unsigned char buf[4];
} u;
if (srclen != 8)
return "internal error, tryhex called with bad length";
oops = ttoul(src, srclen, 16, &ul);
if (oops != NULL)
return oops;
u.addr = (flavor == 'h') ? ul : htonl(ul);
return initaddr(u.buf, sizeof(u.buf), AF_INET, dst);
}
/*
- trydotted - try conversion as dotted decimal (AF_INET only)
*
* If the first char of a complaint is '?', that means "didn't look like
* dotted decimal at all".
*/
static err_t
trydotted(src, srclen, dst)
const char *src;
size_t srclen;
ip_address *dst;
{
const char *stop = src + srclen; /* just past end */
int byte;
err_t oops;
# define NBYTES 4
unsigned char buf[NBYTES];
int i;
memset(buf, 0, sizeof(buf));
for (i = 0; i < NBYTES && src < stop; i++) {
oops = getbyte(&src, stop, &byte);
if (oops != NULL) {
if (*oops != '?')
return oops; /* bad number */
if (i > 1)
return oops+1; /* failed number */
return oops; /* with leading '?' */
}
buf[i] = byte;
if (i < 3 && src < stop && *src++ != '.') {
if (i == 0)
return "?syntax error in dotted-decimal address";
else
return "syntax error in dotted-decimal address";
}
}
if (src != stop)
return "extra garbage on end of dotted-decimal address";
return initaddr(buf, sizeof(buf), AF_INET, dst);
}
/*
- getbyte - try to scan a byte in dotted decimal
* A subtlety here is that all this arithmetic on ASCII digits really is
* highly portable -- ANSI C guarantees that digits 0-9 are contiguous.
* It's easier to just do it ourselves than set up for a call to ttoul().
*
* If the first char of a complaint is '?', that means "didn't look like a
* number at all".
*/
err_t
getbyte(srcp, stop, retp)
const char **srcp; /* *srcp is updated */
const char *stop; /* first untouchable char */
int *retp; /* return-value pointer */
{
char c;
const char *p;
int no;
if (*srcp >= stop)
return "?empty number in dotted-decimal address";
no = 0;
p = *srcp;
while (p < stop && no <= 255 && (c = *p) >= '0' && c <= '9') {
no = no*10 + (c - '0');
p++;
}
if (p == *srcp)
return "?non-numeric component in dotted-decimal address";
*srcp = p;
if (no > 255)
return "byte overflow in dotted-decimal address";
*retp = no;
return NULL;
}
/*
- colon - convert IPv6 "numeric" address
*/
static err_t
colon(src, srclen, dst)
const char *src;
size_t srclen; /* known to be >0 */
ip_address *dst;
{
const char *stop = src + srclen; /* just past end */
unsigned piece = 0;
int gapat; /* where was empty piece seen */
err_t oops;
# define NPIECES 8
unsigned char buf[NPIECES*2]; /* short may have wrong byte order */
int i;
int j;
# define IT "IPv6 numeric address"
int naftergap;
/* leading or trailing :: becomes single empty field */
if (*src == ':') { /* legal only if leading :: */
if (srclen == 1 || *(src+1) != ':')
return "illegal leading `:' in " IT;
if (srclen == 2) {
unspecaddr(AF_INET6, dst);
return NULL;
}
src++; /* past first but not second */
srclen--;
}
if (*(stop-1) == ':') { /* legal only if trailing :: */
if (srclen == 1 || *(stop-2) != ':')
return "illegal trailing `:' in " IT;
srclen--; /* leave one */
}
gapat = -1;
for (i = 0; i < NPIECES && src < stop; i++) {
oops = getpiece(&src, stop, &piece);
if (oops != NULL && *oops == ':') { /* empty field */
if (gapat >= 0)
return "more than one :: in " IT;
gapat = i;
} else if (oops != NULL)
return oops;
buf[2*i] = piece >> 8;
buf[2*i + 1] = piece & 0xff;
if (i < NPIECES-1) { /* there should be more input */
if (src == stop && gapat < 0)
return IT " ends prematurely";
if (src != stop && *src++ != ':')
return "syntax error in " IT;
}
}
if (src != stop)
return "extra garbage on end of " IT;
if (gapat < 0 && i < NPIECES) /* should have been caught earlier */
return "incomplete " IT " (internal error)";
if (gapat >= 0 && i == NPIECES)
return "non-abbreviating empty field in " IT;
if (gapat >= 0) {
naftergap = i - (gapat + 1);
for (i--, j = NPIECES-1; naftergap > 0; i--, j--, naftergap--) {
buf[2*j] = buf[2*i];
buf[2*j + 1] = buf[2*i + 1];
}
for (; j >= gapat; j--)
buf[2*j] = buf[2*j + 1] = 0;
}
return initaddr(buf, sizeof(buf), AF_INET6, dst);
}
/*
- getpiece - try to scan one 16-bit piece of an IPv6 address
*/
err_t /* ":" means "empty field seen" */
getpiece(srcp, stop, retp)
const char **srcp; /* *srcp is updated */
const char *stop; /* first untouchable char */
unsigned *retp; /* return-value pointer */
{
const char *p;
# define NDIG 4
int d;
unsigned long ret;
err_t oops;
if (*srcp >= stop || **srcp == ':') { /* empty field */
*retp = 0;
return ":";
}
p = *srcp;
d = 0;
while (p < stop && d < NDIG && isxdigit(*p)) {
p++;
d++;
}
if (d == 0)
return "non-hex field in IPv6 numeric address";
if (p < stop && d == NDIG && isxdigit(*p))
return "field in IPv6 numeric address longer than 4 hex digits";
oops = ttoul(*srcp, d, 16, &ret);
if (oops != NULL) /* shouldn't happen, really... */
return oops;
*srcp = p;
*retp = ret;
return NULL;
}

280
src/libfreeswan/ttodata.3
View File

@ -1,280 +0,0 @@
.TH IPSEC_TTODATA 3 "16 August 2003"
.SH NAME
ipsec ttodata, datatot \- convert binary data bytes from and to text formats
.SH SYNOPSIS
.B "#include <freeswan.h>"
.sp
.B "const char *ttodata(const char *src, size_t srclen,"
.ti +1c
.B "int base, char *dst, size_t dstlen, size_t *lenp);"
.br
.B "const char *ttodatav(const char *src, size_t srclen,"
.ti +1c
.B "int base, char *dst, size_t dstlen, size_t *lenp,"
.ti +1c
.B "char *errp, size_t errlen, int flags);"
.br
.B "size_t datatot(const char *src, size_t srclen,"
.ti +1c
.B "int format, char *dst, size_t dstlen);"
.SH DESCRIPTION
.IR Ttodata ,
.IR ttodatav ,
and
.I datatot
convert arbitrary binary data (e.g. encryption or authentication keys)
from and to more-or-less human-readable text formats.
.PP
Currently supported formats are hexadecimal, base64, and characters.
.PP
A hexadecimal text value begins with a
.B 0x
(or
.BR 0X )
prefix and continues with two-digit groups
of hexadecimal digits (0-9, and a-f or A-F),
each group encoding the value of one binary byte, high-order digit first.
A single
.B _
(underscore)
between consecutive groups is ignored, permitting punctuation to improve
readability; doing this every eight digits seems about right.
.PP
A base64 text value begins with a
.B 0s
(or
.BR 0S )
prefix
and continues with four-digit groups of base64 digits (A-Z, a-z, 0-9, +, and /),
each group encoding the value of three binary bytes as described in
section 6.8 of RFC 2045.
If
.B flags
has the
.B TTODATAV_IGNORESPACE
bit on, blanks are ignore (after the prefix).
Note that the last one or two digits of a base64 group can be
.B =
to indicate that fewer than three binary bytes are encoded.
.PP
A character text value begins with a
.B 0t
(or
.BR 0T )
prefix
and continues with text characters, each being the value of one binary byte.
.PP
All these functions basically copy data from
.I src
(whose size is specified by
.IR srclen )
to
.I dst
(whose size is specified by
.IR dstlen ),
doing the conversion en route.
If the result will not fit in
.IR dst ,
it is truncated;
under no circumstances are more than
.I dstlen
bytes of result written to
.IR dst .
.I Dstlen
can be zero, in which case
.I dst
need not be valid and no result bytes are written at all.
.PP
The
.I base
parameter of
.I ttodata
and
.I ttodatav
specifies what format the input is in;
normally it should be
.B 0
to signify that this gets figured out from the prefix.
Values of
.BR 16 ,
.BR 64 ,
and
.BR 256
respectively signify hexadecimal, base64, and character-text formats
without prefixes.
.PP
The
.I format
parameter of
.IR datatot ,
a single character used as a type code,
specifies which text format is wanted.
The value
.B 0
(not ASCII
.BR '0' ,
but a zero value) specifies a reasonable default.
Other currently-supported values are:
.RS 2
.TP 4
.B 'x'
continuous lower-case hexadecimal with a
.B 0x
prefix
.TP
.B 'h'
lower-case hexadecimal with a
.B 0x
prefix and a
.B _
every eight digits
.TP
.B ':'
lower-case hexadecimal with no prefix and a
.B :
(colon) every two digits
.TP
.B 16
lower-case hexadecimal with no prefix or
.B _
.TP
.B 's'
continuous base64 with a
.B 0s
prefix
.TP
.B 64
continuous base64 with no prefix
.RE
.PP
The default format is currently
.BR 'h' .
.PP
.I Ttodata
returns NULL for success and
a pointer to a string-literal error message for failure;
see DIAGNOSTICS.
On success,
if and only if
.I lenp
is non-NULL,
.B *lenp
is set to the number of bytes required to contain the full untruncated result.
It is the caller's responsibility to check this against
.I dstlen
to determine whether he has obtained a complete result.
The
.B *lenp
value is correct even if
.I dstlen
is zero, which offers a way to determine how much space would be needed
before having to allocate any.
.PP
.I Ttodatav
is just like
.I ttodata
except that in certain cases,
if
.I errp
is non-NULL,
the buffer pointed to by
.I errp
(whose length is given by
.IR errlen )
is used to hold a more detailed error message.
The return value is NULL for success,
and is either
.I errp
or a pointer to a string literal for failure.
If the size of the error-message buffer is
inadequate for the desired message,
.I ttodatav
will fall back on returning a pointer to a literal string instead.
The
.I freeswan.h
header file defines a constant
.B TTODATAV_BUF
which is the size of a buffer large enough for worst-case results.
.PP
The normal return value of
.IR datatot
is the number of bytes required
to contain the full untruncated result.
It is the caller's responsibility to check this against
.I dstlen
to determine whether he has obtained a complete result.
The return value is correct even if
.I dstlen
is zero, which offers a way to determine how much space would be needed
before having to allocate any.
A return value of
.B 0
signals a fatal error of some kind
(see DIAGNOSTICS).
.PP
A zero value for
.I srclen
in
.I ttodata
(but not
.IR datatot !)
is synonymous with
.BR strlen(src) .
A non-zero
.I srclen
in
.I ttodata
must not include the terminating NUL.
.PP
Unless
.I dstlen
is zero,
the result supplied by
.I datatot
is always NUL-terminated,
and its needed-size return value includes space for the terminating NUL.
.PP
Several obsolete variants of these functions
.RI ( atodata ,
.IR datatoa ,
.IR atobytes ,
and
.IR bytestoa )
are temporarily also supported.
.SH SEE ALSO
sprintf(3), ipsec_atoaddr(3)
.SH DIAGNOSTICS
Fatal errors in
.I ttodata
and
.I ttodatav
are:
unknown characters in the input;
unknown or missing prefix;
unknown base;
incomplete digit group;
non-zero padding in a base64 less-than-three-bytes digit group;
zero-length input.
.PP
Fatal errors in
.I datatot
are:
unknown format code;
zero-length input.
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.
.SH BUGS
.I Datatot
should have a format code to produce character-text output.
.PP
The
.B 0s
and
.B 0t
prefixes are the author's inventions and are not a standard
of any kind.
They have been chosen to avoid collisions with existing practice
(some C implementations use
.B 0b
for binary)
and possible confusion with unprefixed hexadecimal.

720
src/libfreeswan/ttodata.c
View File

@ -1,720 +0,0 @@
/*
* convert from text form of arbitrary data (e.g., keys) to binary
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/* converters and misc */
static int unhex(const char *, char *, size_t);
static int unb64(const char *, char *, size_t);
static int untext(const char *, char *, size_t);
static const char *badch(const char *, int, char *, size_t);
/* internal error codes for converters */
#define SHORT (-2) /* internal buffer too short */
#define BADPAD (-3) /* bad base64 padding */
#define BADCH0 (-4) /* invalid character 0 */
#define BADCH1 (-5) /* invalid character 1 */
#define BADCH2 (-6) /* invalid character 2 */
#define BADCH3 (-7) /* invalid character 3 */
#define BADOFF(code) (BADCH0-(code))
/*
- ttodatav - convert text to data, with verbose error reports
* If some of this looks slightly odd, it's because it has changed
* repeatedly (from the original atodata()) without a major rewrite.
*/
const char * /* NULL on success, else literal or errp */
ttodatav(src, srclen, base, dst, dstlen, lenp, errp, errlen, flags)
const char *src;
size_t srclen; /* 0 means apply strlen() */
int base; /* 0 means figure it out */
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
size_t *lenp; /* where to record length (NULL is nowhere) */
char *errp; /* error buffer */
size_t errlen;
unsigned int flags;
{
size_t ingroup; /* number of input bytes converted at once */
char buf[4]; /* output from conversion */
int nbytes; /* size of output */
int (*decode)(const char *, char *, size_t);
char *stop;
int ndone;
int i;
int underscoreok;
int skipSpace = 0;
if (srclen == 0)
srclen = strlen(src);
if (dstlen == 0)
dst = buf; /* point it somewhere valid */
stop = dst + dstlen;
if (base == 0) {
if (srclen < 2)
return "input too short to be valid";
if (*src++ != '0')
return "input does not begin with format prefix";
switch (*src++) {
case 'x':
case 'X':
base = 16;
break;
case 's':
case 'S':
base = 64;
break;
case 't':
case 'T':
base = 256;
break;
default:
return "unknown format prefix";
}
srclen -= 2;
}
switch (base) {
case 16:
decode = unhex;
underscoreok = 1;
ingroup = 2;
break;
case 64:
decode = unb64;
underscoreok = 0;
ingroup = 4;
if(flags & TTODATAV_IGNORESPACE) {
skipSpace = 1;
}
break;
case 256:
decode = untext;
ingroup = 1;
underscoreok = 0;
break;
default:
return "unknown base";
}
/* proceed */
ndone = 0;
while (srclen > 0) {
char stage[4]; /* staging area for group */
size_t sl = 0;
/* Grab ingroup characters into stage,
* squeezing out blanks if we are supposed to ignore them.
*/
for (sl = 0; sl < ingroup; src++, srclen--) {
if (srclen == 0)
return "input ends in mid-byte, perhaps truncated";
else if (!(skipSpace && (*src == ' ' || *src == '\t')))
stage[sl++] = *src;
}
nbytes = (*decode)(stage, buf, sizeof(buf));
switch (nbytes) {
case BADCH0:
case BADCH1:
case BADCH2:
case BADCH3:
return badch(stage, nbytes, errp, errlen);
case SHORT:
return "internal buffer too short (\"can't happen\")";
case BADPAD:
return "bad (non-zero) padding at end of base64 input";
}
if (nbytes <= 0)
return "unknown internal error";
for (i = 0; i < nbytes; i++) {
if (dst < stop)
*dst++ = buf[i];
ndone++;
}
while (srclen >= 1 && skipSpace && (*src == ' ' || *src == '\t')){
src++;
srclen--;
}
if (underscoreok && srclen > 1 && *src == '_') {
/* srclen > 1 means not last character */
src++;
srclen--;
}
}
if (ndone == 0)
return "no data bytes specified by input";
if (lenp != NULL)
*lenp = ndone;
return NULL;
}
/*
- ttodata - convert text to data
*/
const char * /* NULL on success, else literal */
ttodata(src, srclen, base, dst, dstlen, lenp)
const char *src;
size_t srclen; /* 0 means apply strlen() */
int base; /* 0 means figure it out */
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
size_t *lenp; /* where to record length (NULL is nowhere) */
{
return ttodatav(src, srclen, base, dst, dstlen, lenp, (char *)NULL,
(size_t)0, TTODATAV_SPACECOUNTS);
}
/*
- atodata - convert ASCII to data
* backward-compatibility interface
*/
size_t /* 0 for failure, true length for success */
atodata(src, srclen, dst, dstlen)
const char *src;
size_t srclen;
char *dst;
size_t dstlen;
{
size_t len;
const char *err;
err = ttodata(src, srclen, 0, dst, dstlen, &len);
if (err != NULL)
return 0;
return len;
}
/*
- atobytes - convert ASCII to data bytes
* another backward-compatibility interface
*/
const char *
atobytes(src, srclen, dst, dstlen, lenp)
const char *src;
size_t srclen;
char *dst;
size_t dstlen;
size_t *lenp;
{
return ttodata(src, srclen, 0, dst, dstlen, lenp);
}
/*
- unhex - convert two ASCII hex digits to byte
*/
static int /* number of result bytes, or error code */
unhex(src, dst, dstlen)
const char *src; /* known to be full length */
char *dst;
size_t dstlen; /* not large enough is a failure */
{
char *p;
unsigned byte;
static char hex[] = "0123456789abcdef";
if (dstlen < 1)
return SHORT;
p = strchr(hex, *src);
if (p == NULL)
p = strchr(hex, tolower(*src));
if (p == NULL)
return BADCH0;
byte = (p - hex) << 4;
src++;
p = strchr(hex, *src);
if (p == NULL)
p = strchr(hex, tolower(*src));
if (p == NULL)
return BADCH1;
byte |= (p - hex);
*dst = byte;
return 1;
}
/*
- unb64 - convert four ASCII base64 digits to three bytes
* Note that a base64 digit group is padded out with '=' if it represents
* less than three bytes: one byte is dd==, two is ddd=, three is dddd.
*/
static int /* number of result bytes, or error code */
unb64(src, dst, dstlen)
const char *src; /* known to be full length */
char *dst;
size_t dstlen;
{
char *p;
unsigned byte1;
unsigned byte2;
static char base64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
if (dstlen < 3)
return SHORT;
p = strchr(base64, *src++);
if (p == NULL)
return BADCH0;
byte1 = (p - base64) << 2; /* first six bits */
p = strchr(base64, *src++);
if (p == NULL) {
return BADCH1;
}
byte2 = p - base64; /* next six: two plus four */
*dst++ = byte1 | (byte2 >> 4);
byte1 = (byte2 & 0xf) << 4;
p = strchr(base64, *src++);
if (p == NULL) {
if (*(src-1) == '=' && *src == '=') {
if (byte1 != 0) /* bad padding */
return BADPAD;
return 1;
}
return BADCH2;
}
byte2 = p - base64; /* next six: four plus two */
*dst++ = byte1 | (byte2 >> 2);
byte1 = (byte2 & 0x3) << 6;
p = strchr(base64, *src++);
if (p == NULL) {
if (*(src-1) == '=') {
if (byte1 != 0) /* bad padding */
return BADPAD;
return 2;
}
return BADCH3;
}
byte2 = p - base64; /* last six */
*dst++ = byte1 | byte2;
return 3;
}
/*
- untext - convert one ASCII character to byte
*/
static int /* number of result bytes, or error code */
untext(src, dst, dstlen)
const char *src; /* known to be full length */
char *dst;
size_t dstlen; /* not large enough is a failure */
{
if (dstlen < 1)
return SHORT;
*dst = *src;
return 1;
}
/*
- badch - produce a nice complaint about an unknown character
*
* If the compiler complains that the array bigenough[] has a negative
* size, that means the TTODATAV_BUF constant has been set too small.
*/
static const char * /* literal or errp */
badch(src, errcode, errp, errlen)
const char *src;
int errcode;
char *errp; /* might be NULL */
size_t errlen;
{
static const char pre[] = "unknown character (`";
static const char suf[] = "') in input";
char buf[5];
# define REQD (sizeof(pre) - 1 + sizeof(buf) - 1 + sizeof(suf))
struct sizecheck {
char bigenough[TTODATAV_BUF - REQD]; /* see above */
};
char ch;
if (errp == NULL || errlen < REQD)
return "unknown character in input";
strcpy(errp, pre);
ch = *(src + BADOFF(errcode));
if (isprint(ch)) {
buf[0] = ch;
buf[1] = '\0';
} else {
buf[0] = '\\';
buf[1] = ((ch & 0700) >> 6) + '0';
buf[2] = ((ch & 0070) >> 3) + '0';
buf[3] = ((ch & 0007) >> 0) + '0';
buf[4] = '\0';
}
strcat(errp, buf);
strcat(errp, suf);
return (const char *)errp;
}
#ifdef TTODATA_MAIN
#include <stdio.h>
struct artab;
static void check(struct artab *r, char *buf, size_t n, err_t oops, int *status);
static void regress(char *pgm);
static void hexout(const char *s, size_t len, FILE *f);
/*
- main - convert first argument to hex, or run regression
*/
int
main(int argc, char *argv[])
{
char buf[1024];
char buf2[1024];
char err[512];
size_t n;
size_t i;
char *p = buf;
char *p2 = buf2;
char *pgm = argv[0];
const char *oops;
if (argc < 2) {
fprintf(stderr, "Usage: %s {0x<hex>|0s<base64>|-r}\n", pgm);
exit(2);
}
if (strcmp(argv[1], "-r") == 0) {
regress(pgm); /* should not return */
fprintf(stderr, "%s: regress() returned?!?\n", pgm);
exit(1);
}
oops = ttodatav(argv[1], 0, 0, buf, sizeof(buf), &n,
err, sizeof(err), TTODATAV_IGNORESPACE);
if (oops != NULL) {
fprintf(stderr, "%s: ttodata error `%s' in `%s'\n", pgm,
oops, argv[1]);
exit(1);
}
if (n > sizeof(buf)) {
p = (char *)malloc((size_t)n);
if (p == NULL) {
fprintf(stderr,
"%s: unable to malloc %d bytes for result\n",
pgm, n);
exit(1);
}
oops = ttodata(argv[1], 0, 0, p, n, &n);
if (oops != NULL) {
fprintf(stderr, "%s: error `%s' in ttodata retry?!?\n",
pgm, oops);
exit(1);
}
}
hexout(p, n, stdout);
printf("\n");
i = datatot(buf, n, 'h', buf2, sizeof(buf2));
if (i == 0) {
fprintf(stderr, "%s: datatot reports error in `%s'\n", pgm,
argv[1]);
exit(1);
}
if (i > sizeof(buf2)) {
p2 = (char *)malloc((size_t)i);
if (p == NULL) {
fprintf(stderr,
"%s: unable to malloc %d bytes for result\n",
pgm, i);
exit(1);
}
i = datatot(buf, n, 'h', p2, i);
if (i == 0) {
fprintf(stderr, "%s: error in datatoa retry?!?\n", pgm);
exit(1);
}
}
printf("%s\n", p2);
exit(0);
}
/*
- hexout - output an arbitrary-length string in hex
*/
static void
hexout(s, len, f)
const char *s;
size_t len;
FILE *f;
{
size_t i;
fprintf(f, "0x");
for (i = 0; i < len; i++)
fprintf(f, "%02x", (unsigned char)s[i]);
}
struct artab {
int base;
# define IGNORESPACE_BIAS 1000
char *ascii; /* NULL for end */
char *data; /* NULL for error expected */
} atodatatab[] = {
{ 0, "", NULL, },
{ 0, "0", NULL, },
{ 0, "0x", NULL, },
{ 0, "0xa", NULL, },
{ 0, "0xab", "\xab", },
{ 0, "0xabc", NULL, },
{ 0, "0xabcd", "\xab\xcd", },
{ 0, "0x0123456789", "\x01\x23\x45\x67\x89", },
{ 0, "0x01x", NULL, },
{ 0, "0xabcdef", "\xab\xcd\xef", },
{ 0, "0xABCDEF", "\xab\xcd\xef", },
{ 0, "0XaBc0eEd81f", "\xab\xc0\xee\xd8\x1f", },
{ 0, "0XaBc0_eEd8", "\xab\xc0\xee\xd8", },
{ 0, "0XaBc0_", NULL, },
{ 0, "0X_aBc0", NULL, },
{ 0, "0Xa_Bc0", NULL, },
{ 16, "aBc0eEd8", "\xab\xc0\xee\xd8", },
{ 0, "0s", NULL, },
{ 0, "0sA", NULL, },
{ 0, "0sBA", NULL, },
{ 0, "0sCBA", NULL, },
{ 0, "0sDCBA", "\x0c\x20\x40", },
{ 0, "0SDCBA", "\x0c\x20\x40", },
{ 0, "0sDA==", "\x0c", },
{ 0, "0sDC==", NULL, },
{ 0, "0sDCA=", "\x0c\x20", },
{ 0, "0sDCB=", NULL, },
{ 0, "0sDCAZ", "\x0c\x20\x19", },
{ 0, "0sDCAa", "\x0c\x20\x1a", },
{ 0, "0sDCAz", "\x0c\x20\x33", },
{ 0, "0sDCA0", "\x0c\x20\x34", },
{ 0, "0sDCA9", "\x0c\x20\x3d", },
{ 0, "0sDCA+", "\x0c\x20\x3e", },
{ 0, "0sDCA/", "\x0c\x20\x3f", },
{ 0, "0sAbraCadabra+", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0s AbraCadabra+", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0sA braCadabra+", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0sAb raCadabra+", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0sAbr aCadabra+", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0sAbra Cadabra+", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0sAbraC adabra+", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0sAbraCa dabra+", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0sAbraCad abra+", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0sAbraCada bra+", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0sAbraCadab ra+", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0sAbraCadabr a+", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0sAbraCadabra +", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ IGNORESPACE_BIAS + 0, "0sAbraCadabra+ ", "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
{ 0, "0t", NULL, },
{ 0, "0tabc_xyz", "abc_xyz", },
{ 256, "abc_xyz", "abc_xyz", },
{ 0, NULL, NULL, },
};
struct drtab {
char *data; /* input; NULL for end */
char format;
int buflen; /* -1 means big buffer */
int outlen; /* -1 means strlen(ascii)+1 */
char *ascii; /* NULL for error expected */
} datatoatab[] = {
{ "", 'x', -1, -1, NULL, },
{ "", 'X', -1, -1, NULL, },
{ "", 'n', -1, -1, NULL, },
{ "0", 'x', -1, -1, "0x30", },
{ "0", 'x', 0, 5, "---", },
{ "0", 'x', 1, 5, "", },
{ "0", 'x', 2, 5, "0", },
{ "0", 'x', 3, 5, "0x", },
{ "0", 'x', 4, 5, "0x3", },
{ "0", 'x', 5, 5, "0x30", },
{ "0", 'x', 6, 5, "0x30", },
{ "\xab\xcd", 'x', -1, -1, "0xabcd", },
{ "\x01\x23\x45\x67\x89", 'x', -1, -1, "0x0123456789", },
{ "\xab\xcd\xef", 'x', -1, -1, "0xabcdef", },
{ "\xab\xc0\xee\xd8\x1f", 'x', -1, -1, "0xabc0eed81f", },
{ "\x01\x02", 'h', -1, -1, "0x0102", },
{ "\x01\x02\x03\x04\x05\x06", 'h', -1, -1, "0x01020304_0506", },
{ "\xab\xc0\xee\xd8\x1f", 16, -1, -1, "abc0eed81f", },
{ "\x0c\x20\x40", 's', -1, -1, "0sDCBA", },
{ "\x0c\x20\x40", 's', 0, 7, "---", },
{ "\x0c\x20\x40", 's', 1, 7, "", },
{ "\x0c\x20\x40", 's', 2, 7, "0", },
{ "\x0c\x20\x40", 's', 3, 7, "0s", },
{ "\x0c\x20\x40", 's', 4, 7, "0sD", },
{ "\x0c\x20\x40", 's', 5, 7, "0sDC", },
{ "\x0c\x20\x40", 's', 6, 7, "0sDCB", },
{ "\x0c\x20\x40", 's', 7, 7, "0sDCBA", },
{ "\x0c\x20\x40", 's', 8, 7, "0sDCBA", },
{ "\x0c", 's', -1, -1, "0sDA==", },
{ "\x0c\x20", 's', -1, -1, "0sDCA=", },
{ "\x0c\x20\x19", 's', -1, -1, "0sDCAZ", },
{ "\x0c\x20\x1a", 's', -1, -1, "0sDCAa", },
{ "\x0c\x20\x33", 's', -1, -1, "0sDCAz", },
{ "\x0c\x20\x34", 's', -1, -1, "0sDCA0", },
{ "\x0c\x20\x3d", 's', -1, -1, "0sDCA9", },
{ "\x0c\x20\x3e", 's', -1, -1, "0sDCA+", },
{ "\x0c\x20\x3f", 's', -1, -1, "0sDCA/", },
{ "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", 's', -1, -1, "0sAbraCadabra+", },
{ "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", 64, -1, -1, "AbraCadabra+", },
{ NULL, 'x', -1, -1, NULL, },
};
/*
- regress - regression-test ttodata() and datatot()
*/
static void
check(r, buf, n, oops, status)
struct artab *r;
char *buf;
size_t n;
err_t oops;
int *status;
{
if (oops != NULL && r->data == NULL)
{} /* error expected */
else if (oops != NULL) {
printf("`%s' gave error `%s', expecting %d `", r->ascii,
oops, strlen(r->data));
hexout(r->data, strlen(r->data), stdout);
printf("'\n");
*status = 1;
} else if (r->data == NULL) {
printf("`%s' gave %d `", r->ascii, n);
hexout(buf, n, stdout);
printf("', expecting error\n");
*status = 1;
} else if (n != strlen(r->data)) {
printf("length wrong in `%s': got %d `", r->ascii, n);
hexout(buf, n, stdout);
printf("', expecting %d `", strlen(r->data));
hexout(r->data, strlen(r->data), stdout);
printf("'\n");
*status = 1;
} else if (memcmp(buf, r->data, n) != 0) {
printf("`%s' gave %d `", r->ascii, n);
hexout(buf, n, stdout);
printf("', expecting %d `", strlen(r->data));
hexout(r->data, strlen(r->data), stdout);
printf("'\n");
*status = 1;
}
fflush(stdout);
}
static void /* should not return at all, in fact */
regress(pgm)
char *pgm;
{
struct artab *r;
struct drtab *dr;
char buf[100];
size_t n;
int status = 0;
for (r = atodatatab; r->ascii != NULL; r++) {
int base = r->base;
int xbase = 0;
if ((base == 0 || base == IGNORESPACE_BIAS + 0) && r->ascii[0] == '0') {
switch (r->ascii[1]) {
case 'x':
case 'X':
xbase = 16;
break;
case 's':
case 'S':
xbase = 64;
break;
case 't':
case 'T':
xbase = 256;
break;
}
}
if (base >= IGNORESPACE_BIAS) {
base = base - IGNORESPACE_BIAS;
check(r, buf, n, ttodatav(r->ascii, 0, base, buf, sizeof(buf), &n, NULL, 0, TTODATAV_IGNORESPACE), &status);
if (xbase != 0)
check(r, buf, n, ttodatav(r->ascii+2, 0, xbase, buf, sizeof(buf), &n, NULL, 0, TTODATAV_IGNORESPACE), &status);
} else {
check(r, buf, n, ttodata(r->ascii, 0, base, buf, sizeof(buf), &n), &status);
if (base == 64 || xbase == 64)
check(r, buf, n, ttodatav(r->ascii, 0, base, buf, sizeof(buf), &n, NULL, 0, TTODATAV_IGNORESPACE), &status);
if (xbase != 0) {
check(r, buf, n, ttodata(r->ascii+2, 0, xbase, buf, sizeof(buf), &n), &status);
if (base == 64 || xbase == 64)
check(r, buf, n, ttodatav(r->ascii+2, 0, xbase, buf, sizeof(buf), &n, NULL, 0, TTODATAV_IGNORESPACE), &status);
}
}
}
for (dr = datatoatab; dr->data != NULL; dr++) {
size_t should;
strcpy(buf, "---");
n = datatot(dr->data, strlen(dr->data), dr->format, buf,
(dr->buflen == -1) ? sizeof(buf) : dr->buflen);
should = (dr->ascii == NULL) ? 0 : strlen(dr->ascii) + 1;
if (dr->outlen != -1)
should = dr->outlen;
if (n == 0 && dr->ascii == NULL)
{} /* error expected */
else if (n == 0) {
printf("`");
hexout(dr->data, strlen(dr->data), stdout);
printf("' %c gave error, expecting %d `%s'\n",
dr->format, should, dr->ascii);
status = 1;
} else if (dr->ascii == NULL) {
printf("`");
hexout(dr->data, strlen(dr->data), stdout);
printf("' %c gave %d `%.*s', expecting error\n",
dr->format, n, (int)n, buf);
status = 1;
} else if (n != should) {
printf("length wrong in `");
hexout(dr->data, strlen(dr->data), stdout);
printf("': got %d `%s'", n, buf);
printf(", expecting %d `%s'\n", should, dr->ascii);
status = 1;
} else if (strcmp(buf, dr->ascii) != 0) {
printf("`");
hexout(dr->data, strlen(dr->data), stdout);
printf("' gave %d `%s'", n, buf);
printf(", expecting %d `%s'\n", should, dr->ascii);
status = 1;
}
fflush(stdout);
}
exit(status);
}
#endif /* TTODATA_MAIN */

101
src/libfreeswan/ttoprotoport.c
View File

@ -1,101 +0,0 @@
/*
* conversion from protocol/port string to protocol and port
* Copyright (C) 2002 Mario Strasser <mast@gmx.net>,
* Zuercher Hochschule Winterthur,
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
* ttoprotoport - converts from protocol/port string to protocol and port
*/
err_t
ttoprotoport(src, src_len, proto, port, has_port_wildcard)
char *src; /* input string */
size_t src_len; /* length of input string, use strlen() if 0 */
u_int8_t *proto; /* extracted protocol number */
u_int16_t *port; /* extracted port number if it exists */
bool *has_port_wildcard; /* set if port is %any */
{
char *end, *service_name;
char proto_name[16];
int proto_len;
long int l;
struct protoent *protocol;
struct servent *service;
/* get the length of the string */
if (!src_len) src_len = strlen(src);
/* locate delimiter '/' between protocol and port */
end = strchr(src, '/');
if (end != NULL) {
proto_len = end - src;
service_name = end + 1;
} else {
proto_len = src_len;
service_name = src + src_len;
}
/* copy protocol name*/
memset(proto_name, '\0', sizeof(proto_name));
memcpy(proto_name, src, proto_len);
/* extract protocol by trying to resolve it by name */
protocol = getprotobyname(proto_name);
if (protocol != NULL) {
*proto = protocol->p_proto;
}
else /* failed, now try it by number */
{
l = strtol(proto_name, &end, 0);
if (*proto_name && *end)
return "<protocol> is neither a number nor a valid name";
if (l < 0 || l > 0xff)
return "<protocol> must be between 0 and 255";
*proto = (u_int8_t)l;
}
/* is there a port wildcard? */
*has_port_wildcard = (strcmp(service_name, "%any") == 0);
if (*has_port_wildcard)
{
*port = 0;
return NULL;
}
/* extract port by trying to resolve it by name */
service = getservbyname(service_name, NULL);
if (service != NULL) {
*port = ntohs(service->s_port);
}
else /* failed, now try it by number */
{
l = strtol(service_name, &end, 0);
if (*service_name && *end)
return "<port> is neither a number nor a valid name";
if (l < 0 || l > 0xffff)
return "<port> must be between 0 and 65535";
*port = (u_int16_t)l;
}
return NULL;
}

287
src/libfreeswan/ttosa.3
View File

@ -1,287 +0,0 @@
.TH IPSEC_TTOSA 3 "26 Nov 2001"
.SH NAME
ipsec ttosa, satot \- convert IPsec Security Association IDs to and from text
.br
ipsec initsaid \- initialize an SA ID
.SH SYNOPSIS
.B "#include <freeswan.h>
.sp
.B "typedef struct {"
.ti +1c
.B "ip_address dst;"
.ti +1c
.B "ipsec_spi_t spi;"
.ti +1c
.B "int proto;"
.br
.B "} ip_said;"
.sp
.B "const char *ttosa(const char *src, size_t srclen,"
.ti +1c
.B "ip_said *sa);
.br
.B "size_t satot(const ip_said *sa, int format,"
.ti +1c
.B "char *dst, size_t dstlen);"
.br
.B "void initsaid(const ip_address *addr, ipsec_spi_t spi,"
.ti +1c
.B "int proto, ip_said *dst);"
.SH DESCRIPTION
.I Ttosa
converts an ASCII Security Association (SA) specifier into an
.B ip_said
structure (containing
a destination-host address
in network byte order,
an SPI number in network byte order, and
a protocol code).
.I Satot
does the reverse conversion, back to a text SA specifier.
.I Initsaid
initializes an
.B ip_said
from separate items of information.
.PP
An SA is specified in text with a mail-like syntax, e.g.
.BR esp.5a7@1.2.3.4 .
An SA specifier contains
a protocol prefix (currently
.BR ah ,
.BR esp ,
.BR tun ,
.BR comp ,
or
.BR int ),
a single character indicating the address family
.RB ( .
for IPv4,
.B :
for IPv6),
an unsigned integer SPI number in hexadecimal (with no
.B 0x
prefix),
and an IP address.
The IP address can be any form accepted by
.IR ipsec_ttoaddr (3),
e.g. dotted-decimal IPv4 address,
colon-hex IPv6 address,
or DNS name.
.PP
As a special case, the SA specifier
.B %passthrough4
or
.B %passthrough6
signifies the special SA used to indicate that packets should be
passed through unaltered.
(At present, these are synonyms for
.B tun.0@0.0.0.0
and
.B tun:0@::
respectively,
but that is subject to change without notice.)
.B %passthrough
is a historical synonym for
.BR %passthrough4 .
These forms are known to both
.I ttosa
and
.IR satot ,
so the internal representation is never visible.
.PP
Similarly, the SA specifiers
.BR %pass ,
.BR %drop ,
.BR %reject ,
.BR %hold ,
.BR %trap ,
and
.BR %trapsubnet
signify special ``magic'' SAs used to indicate that packets should be
passed, dropped, rejected (dropped with ICMP notification),
held,
and trapped (sent up to
.IR ipsec_pluto (8),
with either of two forms of
.B %hold
automatically installed)
respectively.
These forms too are known to both routines,
so the internal representation of the magic SAs should never be visible.
.PP
The
.B <freeswan.h>
header file supplies the
.B ip_said
structure, as well as a data type
.B ipsec_spi_t
which is an unsigned 32-bit integer.
(There is no consistency between kernel and user on what such a type
is called, hence the header hides the differences.)
.PP
The protocol code uses the same numbers that IP does.
For user convenience, given the difficulty in acquiring the exact set of
protocol names used by the kernel,
.B <freeswan.h>
defines the names
.BR SA_ESP ,
.BR SA_AH ,
.BR SA_IPIP ,
and
.BR SA_COMP
to have the same values as the kernel names
.BR IPPROTO_ESP ,
.BR IPPROTO_AH ,
.BR IPPROTO_IPIP ,
and
.BR IPPROTO_COMP .
.PP
.B <freeswan.h>
also defines
.BR SA_INT
to have the value
.BR 61
(reserved by IANA for ``any host internal protocol'')
and
.BR SPI_PASS ,
.BR SPI_DROP ,
.BR SPI_REJECT ,
.BR SPI_HOLD ,
and
.B SPI_TRAP
to have the values 256-260 (in \fIhost\fR byte order) respectively.
These are used in constructing the magic SAs
(which always have address
.BR 0.0.0.0 ).
.PP
If
.I satot
encounters an unknown protocol code, e.g. 77,
it yields output using a prefix
showing the code numerically, e.g. ``unk77''.
This form is
.I not
recognized by
.IR ttosa .
.PP
The
.I srclen
parameter of
.I ttosa
specifies the length of the string pointed to by
.IR src ;
it is an error for there to be anything else
(e.g., a terminating NUL) within that length.
As a convenience for cases where an entire NUL-terminated string is
to be converted,
a
.I srclen
value of
.B 0
is taken to mean
.BR strlen(src) .
.PP
The
.I dstlen
parameter of
.I satot
specifies the size of the
.I dst
parameter;
under no circumstances are more than
.I dstlen
bytes written to
.IR dst .
A result which will not fit is truncated.
.I Dstlen
can be zero, in which case
.I dst
need not be valid and no result is written,
but the return value is unaffected;
in all other cases, the (possibly truncated) result is NUL-terminated.
The
.B <freeswan.h>
header file defines a constant,
.BR SATOT_BUF ,
which is the size of a buffer just large enough for worst-case results.
.PP
The
.I format
parameter of
.I satot
specifies what format is to be used for the conversion.
The value
.B 0
(not the ASCII character
.BR '0' ,
but a zero value)
specifies a reasonable default
(currently
lowercase protocol prefix, lowercase hexadecimal SPI,
dotted-decimal or colon-hex address).
The value
.B 'f'
is similar except that the SPI is padded with
.BR 0 s
to a fixed 32-bit width, to ease aligning displayed tables.
.PP
.I Ttosa
returns
.B NULL
for success and
a pointer to a string-literal error message for failure;
see DIAGNOSTICS.
.I Satot
returns
.B 0
for a failure, and otherwise
always returns the size of buffer which would
be needed to
accommodate the full conversion result, including terminating NUL;
it is the caller's responsibility to check this against the size of
the provided buffer to determine whether truncation has occurred.
.PP
There is also, temporarily, support for some obsolete
forms of SA specifier which lack the address-family indicator.
.SH SEE ALSO
ipsec_ttoul(3), ipsec_ttoaddr(3), ipsec_samesaid(3), inet(3)
.SH DIAGNOSTICS
Fatal errors in
.I ttosa
are:
empty input;
input too small to be a legal SA specifier;
no
.B @
in input;
unknown protocol prefix;
conversion error in
.I ttoul
or
.IR ttoaddr .
.PP
Fatal errors in
.I satot
are:
unknown format.
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.
.SH BUGS
The restriction of text-to-binary error reports to literal strings
(so that callers don't need to worry about freeing them or copying them)
does limit the precision of error reporting.
.PP
The text-to-binary error-reporting convention lends itself
to slightly obscure code,
because many readers will not think of NULL as signifying success.
A good way to make it clearer is to write something like:
.PP
.RS
.nf
.B "const char *error;"
.sp
.B "error = ttosa( /* ... */ );"
.B "if (error != NULL) {"
.B " /* something went wrong */"
.fi
.RE

280
src/libfreeswan/ttosa.c
View File

@ -1,280 +0,0 @@
/*
* convert from text form of SA ID to binary
* Copyright (C) 2000, 2001 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include <sys/socket.h>
#include "internal.h"
#include "freeswan.h"
static struct satype {
char *prefix;
size_t prelen; /* strlen(prefix) */
int proto;
} satypes[] = {
{ "ah", 2, SA_AH },
{ "esp", 3, SA_ESP },
{ "tun", 3, SA_IPIP },
{ "comp", 4, SA_COMP },
{ "int", 3, SA_INT },
{ NULL, 0, 0, }
};
static struct magic {
char *name;
char *really;
} magic[] = {
{ PASSTHROUGHNAME, PASSTHROUGH4IS },
{ PASSTHROUGH4NAME, PASSTHROUGH4IS },
{ PASSTHROUGH6NAME, PASSTHROUGH6IS },
{ "%pass", "int256@0.0.0.0" },
{ "%drop", "int257@0.0.0.0" },
{ "%reject", "int258@0.0.0.0" },
{ "%hold", "int259@0.0.0.0" },
{ "%trap", "int260@0.0.0.0" },
{ "%trapsubnet", "int261@0.0.0.0" },
{ NULL, NULL }
};
/*
- ttosa - convert text "ah507@10.0.0.1" to SA identifier
*/
err_t /* NULL for success, else string literal */
ttosa(src, srclen, sa)
const char *src;
size_t srclen; /* 0 means "apply strlen" */
ip_said *sa;
{
const char *at;
const char *addr;
size_t alen;
const char *spi = NULL;
struct satype *sat;
unsigned long ul;
const char *oops;
struct magic *mp;
size_t nlen;
# define MINLEN 5 /* ah0@0 is as short as it can get */
int af;
int base;
if (srclen == 0)
srclen = strlen(src);
if (srclen == 0)
return "empty string";
if (srclen < MINLEN)
return "string too short to be SA identifier";
if (*src == '%') {
for (mp = magic; mp->name != NULL; mp++) {
nlen = strlen(mp->name);
if (srclen == nlen && memcmp(src, mp->name, nlen) == 0)
break;
}
if (mp->name == NULL)
return "unknown % keyword";
src = mp->really;
srclen = strlen(src);
}
at = memchr(src, '@', srclen);
if (at == NULL)
return "no @ in SA specifier";
for (sat = satypes; sat->prefix != NULL; sat++)
if (sat->prelen < srclen &&
strncmp(src, sat->prefix, sat->prelen) == 0) {
sa->proto = sat->proto;
spi = src + sat->prelen;
break; /* NOTE BREAK OUT */
}
if (sat->prefix == NULL)
return "SA specifier lacks valid protocol prefix";
if (spi >= at)
return "no SPI in SA specifier";
switch (*spi) {
case '.':
af = AF_INET;
spi++;
base = 16;
break;
case ':':
af = AF_INET6;
spi++;
base = 16;
break;
default:
af = AF_UNSPEC; /* not known yet */
base = 0;
break;
}
if (spi >= at)
return "no SPI found in SA specifier";
oops = ttoul(spi, at - spi, base, &ul);
if (oops != NULL)
return oops;
sa->spi = htonl(ul);
addr = at + 1;
alen = srclen - (addr - src);
if (af == AF_UNSPEC)
af = (memchr(addr, ':', alen) != NULL) ? AF_INET6 : AF_INET;
oops = ttoaddr(addr, alen, af, &sa->dst);
if (oops != NULL)
return oops;
return NULL;
}
#ifdef TTOSA_MAIN
#include <stdio.h>
void regress(void);
int
main(int argc, char *argv[])
{
ip_said sa;
char buf[100];
char buf2[100];
const char *oops;
size_t n;
if (argc < 2) {
fprintf(stderr, "Usage: %s {ahnnn@aaa|-r}\n", argv[0]);
exit(2);
}
if (strcmp(argv[1], "-r") == 0) {
regress();
fprintf(stderr, "regress() returned?!?\n");
exit(1);
}
oops = ttosa(argv[1], 0, &sa);
if (oops != NULL) {
fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops);
exit(1);
}
n = satot(&sa, 0, buf, sizeof(buf));
if (n > sizeof(buf)) {
fprintf(stderr, "%s: reverse conv of `%d'", argv[0], sa.proto);
fprintf(stderr, "%lx@", (long unsigned int)sa.spi);
(void) addrtot(&sa.dst, 0, buf2, sizeof(buf2));
fprintf(stderr, "%s", buf2);
fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
(long)n, (long)sizeof(buf));
exit(1);
}
printf("%s\n", buf);
exit(0);
}
struct rtab {
int format;
# define FUDGE 0x1000
char *input;
char *output; /* NULL means error expected */
} rtab[] = {
{0, "esp257@1.2.3.0", "esp.101@1.2.3.0"},
{0, "ah0x20@1.2.3.4", "ah.20@1.2.3.4"},
{0, "tun20@1.2.3.4", "tun.14@1.2.3.4"},
{0, "comp20@1.2.3.4", "comp.14@1.2.3.4"},
{0, "esp257@::1", "esp:101@::1"},
{0, "esp257@0bc:12de::1", "esp:101@bc:12de::1"},
{0, "esp78@1049:1::8007:2040", "esp:4e@1049:1::8007:2040"},
{0, "esp0x78@1049:1::8007:2040", "esp:78@1049:1::8007:2040"},
{0, "ah78@1049:1::8007:2040", "ah:4e@1049:1::8007:2040"},
{0, "ah0x78@1049:1::8007:2040", "ah:78@1049:1::8007:2040"},
{0, "tun78@1049:1::8007:2040", "tun:4e@1049:1::8007:2040"},
{0, "tun0x78@1049:1::8007:2040", "tun:78@1049:1::8007:2040"},
{0, "duk99@3ffe:370:400:ff::9001:3001", NULL},
{0, "esp78x@1049:1::8007:2040", NULL},
{0, "esp0x78@1049:1:0xfff::8007:2040", NULL},
{0, "es78@1049:1::8007:2040", NULL},
{0, "", NULL},
{0, "_", NULL},
{0, "ah2.2", NULL},
{0, "goo2@1.2.3.4", NULL},
{0, "esp9@1.2.3.4", "esp.9@1.2.3.4"},
{'f', "esp0xa9@1.2.3.4", "esp.000000a9@1.2.3.4"},
{0, "espp9@1.2.3.4", NULL},
{0, "es9@1.2.3.4", NULL},
{0, "ah@1.2.3.4", NULL},
{0, "esp7x7@1.2.3.4", NULL},
{0, "esp77@1.0x2.3.4", NULL},
{0, PASSTHROUGHNAME, PASSTHROUGH4NAME},
{0, PASSTHROUGH6NAME, PASSTHROUGH6NAME},
{0, "%pass", "%pass"},
{0, "int256@0.0.0.0", "%pass"},
{0, "%drop", "%drop"},
{0, "int257@0.0.0.0", "%drop"},
{0, "%reject", "%reject"},
{0, "int258@0.0.0.0", "%reject"},
{0, "%hold", "%hold"},
{0, "int259@0.0.0.0", "%hold"},
{0, "%trap", "%trap"},
{0, "int260@0.0.0.0", "%trap"},
{0, "%trapsubnet", "%trapsubnet"},
{0, "int261@0.0.0.0", "%trapsubnet"},
{0, "int262@0.0.0.0", "int.106@0.0.0.0"},
{FUDGE, "esp9@1.2.3.4", "unk77.9@1.2.3.4"},
{0, NULL, NULL}
};
void
regress(void)
{
struct rtab *r;
int status = 0;
ip_said sa;
char in[100];
char buf[100];
const char *oops;
size_t n;
for (r = rtab; r->input != NULL; r++) {
strcpy(in, r->input);
oops = ttosa(in, 0, &sa);
if (oops != NULL && r->output == NULL)
{} /* okay, error expected */
else if (oops != NULL) {
printf("`%s' ttosa failed: %s\n", r->input, oops);
status = 1;
} else if (r->output == NULL) {
printf("`%s' ttosa succeeded unexpectedly\n",
r->input);
status = 1;
} else {
if (r->format&FUDGE)
sa.proto = 77;
n = satot(&sa, (char)r->format, buf, sizeof(buf));
if (n > sizeof(buf)) {
printf("`%s' satot failed: need %ld\n",
r->input, (long)n);
status = 1;
} else if (strcmp(r->output, buf) != 0) {
printf("`%s' gave `%s', expected `%s'\n",
r->input, buf, r->output);
status = 1;
}
}
}
exit(status);
}
#endif /* TTOSA_MAIN */

296
src/libfreeswan/ttosubnet.c
View File

@ -1,296 +0,0 @@
/*
* convert from text form of subnet specification to binary
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include <sys/socket.h>
#include "internal.h"
#include "freeswan.h"
#ifndef DEFAULTSUBNET
#define DEFAULTSUBNET "%default"
#endif
/*
- ttosubnet - convert text "addr/mask" to address and mask
* Mask can be integer bit count.
*/
err_t
ttosubnet(src, srclen, af, dst)
const char *src;
size_t srclen; /* 0 means "apply strlen" */
int af; /* AF_INET or AF_INET6 */
ip_subnet *dst;
{
const char *slash;
const char *colon;
const char *mask;
size_t mlen;
const char *oops;
unsigned long bc;
static char def[] = DEFAULTSUBNET;
# define DEFLEN (sizeof(def) - 1) /* -1 for NUL */
static char defis4[] = "0/0";
# define DEFIS4LEN (sizeof(defis4) - 1)
static char defis6[] = "::/0";
# define DEFIS6LEN (sizeof(defis6) - 1)
ip_address addrtmp;
ip_address masktmp;
int nbits;
int i;
if (srclen == 0)
srclen = strlen(src);
if (srclen == 0)
return "empty string";
switch (af) {
case AF_INET:
nbits = 32;
break;
case AF_INET6:
nbits = 128;
break;
default:
return "unknown address family in ttosubnet";
break;
}
if (srclen == DEFLEN && strncmp(src, def, srclen) == 0) {
src = (af == AF_INET) ? defis4 : defis6;
srclen = (af == AF_INET) ? DEFIS4LEN : DEFIS6LEN;
}
slash = memchr(src, '/', srclen);
if (slash == NULL)
return "no / in subnet specification";
mask = slash + 1;
mlen = srclen - (mask - src);
oops = ttoaddr(src, slash-src, af, &addrtmp);
if (oops != NULL)
return oops;
/* extract port */
colon = memchr(mask, ':', mlen);
if (colon == 0)
{
setportof(0, &addrtmp);
}
else
{
long port;
oops = ttoul(colon+1, mlen-(colon-mask+1), 10, &port);
if (oops != NULL)
return oops;
setportof(htons(port), &addrtmp);
mlen = colon - mask;
}
/*extract mask */
oops = ttoul(mask, mlen, 10, &bc);
if (oops == NULL) {
/* ttoul succeeded, it's a bit-count mask */
if (bc > nbits)
return "subnet mask bit count too large";
i = bc;
} else {
oops = ttoaddr(mask, mlen, af, &masktmp);
if (oops != NULL)
return oops;
i = masktocount(&masktmp);
if (i < 0)
return "non-contiguous or otherwise erroneous mask";
}
return initsubnet(&addrtmp, i, '0', dst);
}
#ifdef TTOSUBNET_MAIN
#include <stdio.h>
void regress(void);
int main(int argc, char *argv[])
{
ip_subnet s;
char buf[100];
char buf2[100];
const char *oops;
size_t n;
int af;
char *p;
if (argc < 2) {
fprintf(stderr, "Usage: %s [-6] addr/mask\n", argv[0]);
fprintf(stderr, " or: %s -r\n", argv[0]);
exit(2);
}
if (strcmp(argv[1], "-r") == 0) {
regress();
fprintf(stderr, "regress() returned?!?\n");
exit(1);
}
af = AF_INET;
p = argv[1];
if (strcmp(argv[1], "-6") == 0) {
af = AF_INET6;
p = argv[2];
} else if (strchr(argv[1], ':') != NULL)
af = AF_INET6;
oops = ttosubnet(p, 0, af, &s);
if (oops != NULL) {
fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops);
exit(1);
}
n = subnettot(&s, 0, buf, sizeof(buf));
if (n > sizeof(buf)) {
fprintf(stderr, "%s: reverse conversion of ", argv[0]);
(void) addrtot(&s.addr, 0, buf2, sizeof(buf2));
fprintf(stderr, "%s/", buf2);
fprintf(stderr, "%d", s.maskbits);
fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
(long)n, (long)sizeof(buf));
exit(1);
}
printf("%s\n", buf);
exit(0);
}
struct rtab {
int family;
char *input;
char *output; /* NULL means error expected */
} rtab[] = {
{4, "1.2.3.0/255.255.255.0", "1.2.3.0/24"},
{4, "1.2.3.0/24", "1.2.3.0/24"},
{4, "1.2.3.0/24:10", "1.2.3.0/24:10"},
{4, "1.2.3.0/24:-1", NULL},
{4, "1.2.3.0/24:none", NULL},
{4, "1.2.3.0/24:", NULL},
{4, "1.2.3.0/24:0x10", "1.2.3.0/24:16"},
{4, "1.2.3.0/24:0X10", "1.2.3.0/24:16"},
{4, "1.2.3.0/24:010", "1.2.3.0/24:8"},
{4, "1.2.3.1/255.255.255.240", "1.2.3.0/28"},
{4, "1.2.3.1/32", "1.2.3.1/32"},
{4, "1.2.3.1/0", "0.0.0.0/0"},
/* {4, "1.2.3.1/255.255.127.0", "1.2.3.0/255.255.127.0"}, */
{4, "1.2.3.1/255.255.127.0", NULL},
{4, "128.009.000.032/32", "128.9.0.32/32"},
{4, "128.0x9.0.32/32", NULL},
{4, "0x80090020/32", "128.9.0.32/32"},
{4, "0x800x0020/32", NULL},
{4, "128.9.0.32/0xffFF0000", "128.9.0.0/16"},
{4, "128.9.0.32/0xff0000FF", NULL},
{4, "128.9.0.32/0x0000ffFF", NULL},
{4, "128.9.0.32/0x00ffFF0000", NULL},
{4, "128.9.0.32/0xffFF", NULL},
{4, "128.9.0.32.27/32", NULL},
{4, "128.9.0k32/32", NULL},
{4, "328.9.0.32/32", NULL},
{4, "128.9..32/32", NULL},
{4, "10/8", "10.0.0.0/8"},
{4, "10.0/8", "10.0.0.0/8"},
{4, "10.0.0/8", "10.0.0.0/8"},
{4, "10.0.1/24", "10.0.1.0/24"},
{4, "_", NULL},
{4, "_/_", NULL},
{4, "1.2.3.1", NULL},
{4, "1.2.3.1/_", NULL},
{4, "1.2.3.1/24._", NULL},
{4, "1.2.3.1/99", NULL},
{4, "localhost/32", "127.0.0.1/32"},
{4, "%default", "0.0.0.0/0"},
{6, "3049:1::8007:2040/0", "::/0"},
{6, "3049:1::8007:2040/128", "3049:1::8007:2040/128"},
{6, "3049:1::192.168.0.1/128", NULL}, /*"3049:1::c0a8:1/128",*/
{6, "3049:1::8007::2040/128", NULL},
{6, "3049:1::8007:2040/ffff::0", "3049::/16"},
{6, "3049:1::8007:2040/64", "3049:1::/64"},
{6, "3049:1::8007:2040/ffff::", "3049::/16"},
{6, "3049:1::8007:2040/0000:ffff::0", NULL},
{6, "3049:1::8007:2040/ff1f::0", NULL},
{6, "3049:1::8007:x:2040/128", NULL},
{6, "3049:1t::8007:2040/128", NULL},
{6, "3049:1::80071:2040/128", NULL},
{6, "::/21", "::/21"},
{6, "::1/128", "::1/128"},
{6, "1::/21", "1::/21"},
{6, "1::2/128", "1::2/128"},
{6, "1:0:0:0:0:0:0:2/128", "1::2/128"},
{6, "1:0:0:0:3:0:0:2/128", "1::3:0:0:2/128"},
{6, "1:0:0:3:0:0:0:2/128", "1::3:0:0:0:2/128"},
{6, "1:0:3:0:0:0:0:2/128", "1:0:3::2/128"},
{6, "abcd:ef01:2345:6789:0:00a:000:20/128", "abcd:ef01:2345:6789:0:a:0:20/128"},
{6, "3049:1::8007:2040/ffff:ffff:", NULL},
{6, "3049:1::8007:2040/ffff:88::", NULL},
{6, "3049:12::9000:3200/ffff:fff0::", "3049:10::/28"},
{6, "3049:12::9000:3200/28", "3049:10::/28"},
{6, "3049:12::9000:3200/ff00:::", NULL},
{6, "3049:12::9000:3200/ffff:::", NULL},
{6, "3049:12::9000:3200/128_", NULL},
{6, "3049:12::9000:3200/", NULL},
{6, "%default", "::/0"},
{4, NULL, NULL}
};
void
regress(void)
{
struct rtab *r;
int status = 0;
ip_subnet s;
char in[100];
char buf[100];
const char *oops;
size_t n;
int af;
for (r = rtab; r->input != NULL; r++) {
af = (r->family == 4) ? AF_INET : AF_INET6;
strcpy(in, r->input);
oops = ttosubnet(in, 0, af, &s);
if (oops != NULL && r->output == NULL)
{} /* okay, error expected */
else if (oops != NULL) {
printf("`%s' ttosubnet failed: %s\n", r->input, oops);
status = 1;
} else if (r->output == NULL) {
printf("`%s' ttosubnet succeeded unexpectedly\n",
r->input);
status = 1;
} else {
n = subnettot(&s, 0, buf, sizeof(buf));
if (n > sizeof(buf)) {
printf("`%s' subnettot failed: need %ld\n",
r->input, (long)n);
status = 1;
} else if (strcmp(r->output, buf) != 0) {
printf("`%s' gave `%s', expected `%s'\n",
r->input, buf, r->output);
status = 1;
}
}
}
exit(status);
}
#endif /* TTOSUBNET_MAIN */

191
src/libfreeswan/ttoul.3
View File

@ -1,191 +0,0 @@
.TH IPSEC_TTOUL 3 "16 Aug 2000"
.SH NAME
ipsec ttoul, ultot \- convert unsigned-long numbers to and from text
.SH SYNOPSIS
.B "#include <freeswan.h>
.sp
.B "const char *ttoul(const char *src, size_t srclen,"
.ti +1c
.B "int base, unsigned long *n);"
.br
.B "size_t ultot(unsigned long n, int format, char *dst,"
.ti +1c
.B "size_t dstlen);"
.SH DESCRIPTION
.I Ttoul
converts a text-string number into a binary
.B "unsigned long"
value.
.I Ultot
does the reverse conversion, back to a text version.
.PP
Numbers are specified in text as
decimal (e.g.
.BR 123 ),
octal with a leading zero (e.g.
.BR 012 ,
which has value 10),
or hexadecimal with a leading
.B 0x
(e.g.
.BR 0x1f ,
which has value 31)
in either upper or lower case.
.PP
The
.I srclen
parameter of
.I ttoul
specifies the length of the string pointed to by
.IR src ;
it is an error for there to be anything else
(e.g., a terminating NUL) within that length.
As a convenience for cases where an entire NUL-terminated string is
to be converted,
a
.I srclen
value of
.B 0
is taken to mean
.BR strlen(src) .
.PP
The
.I base
parameter of
.I ttoul
can be
.BR 8 ,
.BR 10 ,
or
.BR 16 ,
in which case the number supplied is assumed to be of that form
(and in the case of
.BR 16 ,
to lack any
.B 0x
prefix).
It can also be
.BR 0 ,
in which case the number is examined for a leading zero
or a leading
.B 0x
to determine its base.
.PP
The
.I dstlen
parameter of
.I ultot
specifies the size of the
.I dst
parameter;
under no circumstances are more than
.I dstlen
bytes written to
.IR dst .
A result which will not fit is truncated.
.I Dstlen
can be zero, in which case
.I dst
need not be valid and no result is written,
but the return value is unaffected;
in all other cases, the (possibly truncated) result is NUL-terminated.
The
.I freeswan.h
header file defines a constant,
.BR ULTOT_BUF ,
which is the size of a buffer just large enough for worst-case results.
.PP
The
.I format
parameter of
.I ultot
must be one of:
.RS
.IP \fB'o'\fR 4
octal conversion with leading
.B 0
.IP \fB\ 8\fR
octal conversion with no leading
.B 0
.IP \fB'd'\fR
decimal conversion
.IP \fB10\fR
same as
.B d
.IP \fB'x'\fR
hexadecimal conversion, including leading
.B 0x
.IP \fB16\fR
hexadecimal conversion with no leading
.B 0x
.IP \fB17\fR
like
.B 16
except padded on left with
.BR 0 s
to eight digits (full width of a 32-bit number)
.RE
.PP
.I Ttoul
returns NULL for success and
a pointer to a string-literal error message for failure;
see DIAGNOSTICS.
.I Ultot
returns
.B 0
for a failure, and otherwise
returns the size of buffer which would
be needed to
accommodate the full conversion result, including terminating NUL
(it is the caller's responsibility to check this against the size of
the provided buffer to determine whether truncation has occurred).
.SH SEE ALSO
atol(3), strtoul(3)
.SH DIAGNOSTICS
Fatal errors in
.I ttoul
are:
empty input;
unknown
.IR base ;
non-digit character found;
number too large for an
.BR "unsigned long" .
.PP
Fatal errors in
.I ultot
are:
unknown
.IR format .
.SH HISTORY
Written for the FreeS/WAN project by Henry Spencer.
.SH BUGS
Conversion of
.B 0
with format
.B o
yields
.BR 00 .
.PP
.I Ultot
format
.B 17
is a bit of a kludge.
.PP
The restriction of error reports to literal strings
(so that callers don't need to worry about freeing them or copying them)
does limit the precision of error reporting.
.PP
The error-reporting convention lends itself to slightly obscure code,
because many readers will not think of NULL as signifying success.
A good way to make it clearer is to write something like:
.PP
.RS
.nf
.B "const char *error;"
.sp
.B "error = ttoul( /* ... */ );"
.B "if (error != NULL) {"
.B " /* something went wrong */"
.fi
.RE

89
src/libfreeswan/ttoul.c
View File

@ -1,89 +0,0 @@
/*
* convert from text form of unsigned long to binary
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- ttoul - convert text substring to unsigned long number
*/
const char * /* NULL for success, else string literal */
ttoul(src, srclen, base, resultp)
const char *src;
size_t srclen; /* 0 means strlen(src) */
int base; /* 0 means figure it out */
unsigned long *resultp;
{
const char *stop;
static char hex[] = "0123456789abcdef";
static char uchex[] = "0123456789ABCDEF";
int d;
char c;
char *p;
unsigned long r;
unsigned long rlimit;
int dlimit;
if (srclen == 0)
srclen = strlen(src);
if (srclen == 0)
return "empty string";
if (base == 0) {
if (srclen > 2 && *src == '0' &&
(*(src+1) == 'x' || *(src+1) == 'X'))
return ttoul(src+2, srclen-2, 16, resultp);
if (srclen > 1 && *src == '0')
return ttoul(src+1, srclen-1, 8, resultp);
return ttoul(src, srclen, 10, resultp);
}
if (base != 8 && base != 10 && base != 16)
return "unsupported number base";
r = 0;
stop = src + srclen;
if (base == 16) {
while (src < stop) {
c = *src++;
p = strchr(hex, c);
if (p != NULL)
d = p - hex;
else {
p = strchr(uchex, c);
if (p == NULL)
return "non-hex digit in hex number";
d = p - uchex;
}
r = (r << 4) | d;
}
/* defer length check to catch invalid digits first */
if (srclen > sizeof(unsigned long) * 2)
return "hex number too long";
} else {
rlimit = ULONG_MAX / base;
dlimit = (int)(ULONG_MAX - rlimit*base);
while (src < stop) {
c = *src++;
d = c - '0';
if (d < 0 || d >= base)
return "non-digit in number";
if (r > rlimit || (r == rlimit && d > dlimit))
return "unsigned-long overflow";
r = r*base + d;
}
}
*resultp = r;
return NULL;
}

65
src/libfreeswan/ultoa.c
View File

@ -1,65 +0,0 @@
/*
* convert unsigned long to ASCII
* Copyright (C) 1998, 1999 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- ultoa - convert unsigned long to decimal ASCII
*/
size_t /* length required for full conversion */
ultoa(n, base, dst, dstlen)
unsigned long n;
int base;
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
{
char buf[3*sizeof(unsigned long) + 1];
char *bufend = buf + sizeof(buf);
size_t len;
char *p;
static char hex[] = "0123456789abcdef";
p = bufend;
*--p = '\0';
if (base == 10) {
do {
*--p = n%10 + '0';
n /= 10;
} while (n != 0);
} else if (base == 16) {
do {
*--p = hex[n&0xf];
n >>= 4;
} while (n != 0);
*--p = 'x';
*--p = '0';
} else if (base == 8) {
do {
*--p = (n&07) + '0';
n >>= 3;
} while (n != 0);
*--p = '0';
} else
*--p = '?';
len = bufend - p;
if (dstlen > 0) {
if (len > dstlen)
*(p + dstlen - 1) = '\0';
strcpy(dst, p);
}
return len;
}

81
src/libfreeswan/ultot.c
View File

@ -1,81 +0,0 @@
/*
* convert unsigned long to text
* Copyright (C) 2000 Henry Spencer.
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
#include "internal.h"
#include "freeswan.h"
/*
- ultot - convert unsigned long to text
*/
size_t /* length required for full conversion */
ultot(n, base, dst, dstlen)
unsigned long n;
int base;
char *dst; /* need not be valid if dstlen is 0 */
size_t dstlen;
{
char buf[3*sizeof(unsigned long) + 1];
char *bufend = buf + sizeof(buf);
size_t len;
char *p;
static char hex[] = "0123456789abcdef";
# define HEX32 (32/4)
p = bufend;
*--p = '\0';
switch (base) {
case 10:
case 'd':
do {
*--p = n%10 + '0';
n /= 10;
} while (n != 0);
break;
case 16:
case 17:
case 'x':
do {
*--p = hex[n&0xf];
n >>= 4;
} while (n != 0);
if (base == 17)
while (bufend - p < HEX32 + 1)
*--p = '0';
if (base == 'x') {
*--p = 'x';
*--p = '0';
}
break;
case 8:
case 'o':
do {
*--p = (n&07) + '0';
n >>= 3;
} while (n != 0);
if (base == 'o')
*--p = '0';
break;
default:
return 0;
break;
}
len = bufend - p;
if (dstlen > 0) {
if (len > dstlen)
*(p + dstlen - 1) = '\0';
strcpy(dst, p);
}
return len;
}

2
src/pluto/.gitignore vendored
View File

@ -1,2 +0,0 @@
pluto
_pluto_adns

80
src/pluto/Android.mk
View File

@ -1,80 +0,0 @@
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
# copy-n-paste from Makefile.am
LOCAL_SRC_FILES := \
ac.c ac.h \
alg_info.c alg_info.h \
ca.c ca.h \
certs.c certs.h \
connections.c connections.h \
constants.c constants.h \
cookie.c cookie.h \
crl.c crl.h \
crypto.c crypto.h \
db_ops.c db_ops.h \
defs.c defs.h \
demux.c demux.h \
event_queue.c event_queue.h \
fetch.c fetch.h \
foodgroups.c foodgroups.h \
ike_alg.c ike_alg.h \
ipsec_doi.c ipsec_doi.h \
kameipsec.h \
kernel.c kernel.h \
kernel_alg.c kernel_alg.h \
kernel_pfkey.c kernel_pfkey.h \
keys.c keys.h \
lex.c lex.h \
log.c log.h \
myid.c myid.h \
modecfg.c modecfg.h \
nat_traversal.c nat_traversal.h \
ocsp.c ocsp.h \
packet.c packet.h \
pkcs7.c pkcs7.h \
plugin_list.c plugin_list.h \
pluto.c pluto.h \
plutomain.c \
rcv_whack.c rcv_whack.h \
server.c server.h \
smartcard.c smartcard.h \
spdb.c spdb.h \
state.c state.h \
timer.c timer.h \
vendor.c vendor.h \
virtual.c virtual.h \
whack_attribute.c whack_attribute.h \
xauth/xauth_manager.c xauth/xauth_manager.h \
xauth/xauth_provider.h xauth/xauth_verifier.h \
x509.c x509.h \
builder.c builder.h \
rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
LOCAL_SRC_FILES += $(call add_plugin, xauth)
# build pluto ------------------------------------------------------------------
LOCAL_C_INCLUDES += \
$(libvstr_PATH) \
$(strongswan_PATH)/src/libhydra \
$(strongswan_PATH)/src/libstrongswan \
$(strongswan_PATH)/src/libfreeswan \
$(strongswan_PATH)/src/whack
LOCAL_CFLAGS := $(strongswan_CFLAGS) \
-DPLUTO -DVENDORID -DXAUTH_VID -DCISCO_QUIRKS \
-DTHREADS -DKERNEL26_HAS_KAME_DUPLICATES \
-DPLUGINS='"$(strongswan_PLUTO_PLUGINS)"'
LOCAL_MODULE := pluto
LOCAL_MODULE_TAGS := optional
LOCAL_ARM_MODE := arm
LOCAL_PRELINK_MODULE := false
LOCAL_SHARED_LIBRARIES += libstrongswan libhydra libfreeswan libcutils
include $(BUILD_EXECUTABLE)

155
src/pluto/Makefile.am
View File

@ -1,155 +0,0 @@
# Makefile.am was ported from the old Makefile the most
# painless way. Only the most important options are included,
# further work may be necessary here...
ipsec_PROGRAMS = pluto
if USE_ADNS
ipsec_PROGRAMS += _pluto_adns
endif
pluto_SOURCES = \
ac.c ac.h \
alg_info.c alg_info.h \
ca.c ca.h \
certs.c certs.h \
connections.c connections.h \
constants.c constants.h \
cookie.c cookie.h \
crl.c crl.h \
crypto.c crypto.h \
db_ops.c db_ops.h \
defs.c defs.h \
demux.c demux.h \
event_queue.c event_queue.h \
fetch.c fetch.h \
foodgroups.c foodgroups.h \
ike_alg.c ike_alg.h \
ipsec_doi.c ipsec_doi.h \
kameipsec.h \
kernel.c kernel.h \
kernel_alg.c kernel_alg.h \
kernel_pfkey.c kernel_pfkey.h \
keys.c keys.h \
lex.c lex.h \
log.c log.h \
myid.c myid.h \
modecfg.c modecfg.h \
nat_traversal.c nat_traversal.h \
ocsp.c ocsp.h \
packet.c packet.h \
pkcs7.c pkcs7.h \
plugin_list.c plugin_list.h \
pluto.c pluto.h \
plutomain.c \
rcv_whack.c rcv_whack.h \
server.c server.h \
smartcard.c smartcard.h \
spdb.c spdb.h \
state.c state.h \
timer.c timer.h \
vendor.c vendor.h \
virtual.c virtual.h \
whack_attribute.c whack_attribute.h \
xauth/xauth_manager.c xauth/xauth_manager.h \
xauth/xauth_provider.h xauth/xauth_verifier.h \
x509.c x509.h \
builder.c builder.h \
rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
if USE_ADNS
pluto_SOURCES += \
dnskey.c dnskey.h
_pluto_adns_SOURCES = \
adns.c adns.h
endif
plutomain.o : $(top_builddir)/config.status
LIBSTRONGSWANDIR=$(top_builddir)/src/libstrongswan
LIBFREESWANDIR=$(top_builddir)/src/libfreeswan
LIBHYDRADIR=$(top_builddir)/src/libhydra
INCLUDES = \
-I${linux_headers} \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libfreeswan \
-I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/whack
AM_CFLAGS = -rdynamic \
-DIPSEC_DIR=\"${ipsecdir}\" \
-DIPSEC_CONFDIR=\"${sysconfdir}\" \
-DIPSEC_PIDDIR=\"${piddir}\" \
-DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \
-DPLUGINS=\""${pluto_plugins}\"" \
-DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \
-DKERNEL26_HAS_KAME_DUPLICATES \
-DPLUTO -DDEBUG
pluto_LDADD = \
$(LIBSTRONGSWANDIR)/libstrongswan.la \
$(LIBFREESWANDIR)/libfreeswan.a \
$(LIBHYDRADIR)/libhydra.la \
-lresolv $(PTHREADLIB) $(DLLIB)
if USE_ADNS
_pluto_adns_LDADD = \
$(LIBFREESWANDIR)/libfreeswan.a \
-lresolv $(DLLIB)
endif
dist_man_MANS = pluto.8
EXTRA_DIST = Android.mk
# compile options
#################
# This compile option activates the sending of a strongSwan VID
if USE_VENDORID
AM_CFLAGS += -DVENDORID
endif
# This compile option activates the sending of the XAUTH VID
if USE_XAUTH_VID
AM_CFLAGS += -DXAUTH_VID
endif
# This compile option activates the support of the Cisco VPN client
if USE_CISCO_QUIRKS
AM_CFLAGS += -DCISCO_QUIRKS
endif
# This compile option activates NAT traversal with IPSec transport mode
if USE_NAT_TRANSPORT
AM_CFLAGS += -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
endif
# This compile option activates smartcard support
if USE_SMARTCARD
AM_CFLAGS += -DSMARTCARD
endif
if USE_LIBCAP
pluto_LDADD += -lcap
endif
if USE_THREADS
AM_CFLAGS += -DTHREADS
endif
if USE_ADNS
AM_CFLAGS += -DADNS
endif
# build optional plugins
########################
SUBDIRS = .
if USE_XAUTH
SUBDIRS += plugins/xauth
endif

298
src/pluto/ac.c
View File

@ -1,298 +0,0 @@
/* Support of X.509 attribute certificates
* Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
* Copyright (C) 2003 Martin Berner, Lukas Suter
* Copyright (C) 2009 Andreas Steffen
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <sys/stat.h>
#include <time.h>
#include <debug.h>
#include <utils/enumerator.h>
#include <utils/linked_list.h>
#include <credentials/certificates/ac.h>
#include "ac.h"
#include "ca.h"
#include "certs.h"
#include "fetch.h"
#include "log.h"
/**
* Chained list of X.509 attribute certificates
*/
static linked_list_t *acerts = NULL;
/**
* Initialize the linked list of attribute certificates
*/
void ac_initialize(void)
{
acerts = linked_list_create();
}
/**
* Free the linked list of attribute certificates
*/
void ac_finalize(void)
{
if (acerts)
{
acerts->destroy_offset(acerts, offsetof(certificate_t, destroy));
}
}
/**
* Get a X.509 attribute certificate for a given holder
*/
certificate_t* ac_get_cert(identification_t *issuer, chunk_t serial)
{
enumerator_t *enumerator;
certificate_t *cert, *found = NULL;
enumerator = acerts->create_enumerator(acerts);
while (enumerator->enumerate(enumerator, &cert))
{
ac_t *ac = (ac_t*)cert;
if (issuer->equals(issuer, ac->get_holderIssuer(ac)) &&
chunk_equals(serial, ac->get_holderSerial(ac)))
{
found = cert;
break;
}
}
enumerator->destroy(enumerator);
return found;
}
/**
* Verifies a X.509 attribute certificate
*/
bool ac_verify_cert(certificate_t *cert, bool strict)
{
ac_t *ac = (ac_t*)cert;
identification_t *subject = cert->get_subject(cert);
identification_t *issuer = cert->get_issuer(cert);
chunk_t authKeyID = ac->get_authKeyIdentifier(ac);
cert_t *aacert;
time_t notBefore, valid_until;
DBG1(DBG_LIB, "holder: '%Y'", subject);
DBG1(DBG_LIB, "issuer: '%Y'", issuer);
if (!cert->get_validity(cert, NULL, NULL, &valid_until))
{
DBG1(DBG_LIB, "attribute certificate is invalid (valid from %T to %T)",
&notBefore, FALSE, &valid_until, FALSE);
return FALSE;
}
DBG1(DBG_LIB, "attribute certificate is valid until %T", &valid_until,
FALSE);
lock_authcert_list("verify_x509acert");
aacert = get_authcert(issuer, authKeyID, X509_AA);
unlock_authcert_list("verify_x509acert");
if (aacert == NULL)
{
DBG1(DBG_LIB, "issuer aacert not found");
return FALSE;
}
DBG2(DBG_LIB, "issuer aacert found");
if (!cert->issued_by(cert, aacert->cert))
{
DBG1(DBG_LIB, "attribute certificate signature is invalid");
return FALSE;
}
DBG1(DBG_LIB, "attribute certificate signature is valid");
return verify_x509cert(aacert, strict, &valid_until);
}
/**
* Add a X.509 attribute certificate to the chained list
*/
static void ac_add_cert(certificate_t *cert)
{
ac_t *ac = (ac_t*)cert;
identification_t *hIssuer = ac->get_holderIssuer(ac);
chunk_t hSerial = ac->get_holderSerial(ac);
enumerator_t *enumerator;
certificate_t *cert_old;
enumerator = acerts->create_enumerator(acerts);
while (enumerator->enumerate(enumerator, &cert_old))
{
ac_t *ac_old = (ac_t*)cert_old;
if (hIssuer->equals(hIssuer, ac_old->get_holderIssuer(ac_old)) &&
chunk_equals(hSerial, ac_old->get_holderSerial(ac_old)))
{
if (certificate_is_newer(cert, cert_old))
{
acerts->remove_at(acerts, enumerator);
cert_old->destroy(cert_old);
}
else
{
cert->destroy(cert);
cert = NULL;
}
break;
}
}
enumerator->destroy(enumerator);
if (cert)
{
acerts->insert_last(acerts, cert);
}
}
/**
* Check if at least one peer attribute matches a connection attribute
*/
bool match_group_membership(ietf_attributes_t *peer_attributes, char *conn,
ietf_attributes_t *conn_attributes)
{
bool match;
if (conn_attributes == NULL)
{
return TRUE;
}
match = conn_attributes->matches(conn_attributes, peer_attributes);
DBG1(DBG_LIB, "%s: peer with attributes '%s' is %sa member of the "
"groups '%s'", conn, peer_attributes->get_string(peer_attributes),
match ? "" : "not ", conn_attributes->get_string(conn_attributes));
return match;
}
/**
* Loads X.509 attribute certificates
*/
void ac_load_certs(void)
{
enumerator_t *enumerator;
struct stat st;
char *file;
DBG1(DBG_LIB, "loading attribute certificates from '%s'", A_CERT_PATH);
enumerator = enumerator_create_directory(A_CERT_PATH);
if (!enumerator)
{
return;
}
while (enumerator->enumerate(enumerator, NULL, &file, &st))
{
certificate_t *cert;
if (!S_ISREG(st.st_mode))
{
/* skip special file */
continue;
}
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
BUILD_FROM_FILE, file, BUILD_END);
if (cert)
{
DBG1(DBG_LIB, " loaded attribute certificate from '%s'", file);
ac_add_cert(cert);
}
}
enumerator->destroy(enumerator);
}
/**
* List all X.509 attribute certificates in the chained list
*/
void ac_list_certs(bool utc)
{
enumerator_t *enumerator;
certificate_t *cert;
time_t now;
/* determine the current time */
time(&now);
if (acerts->get_count(acerts) > 0)
{
whack_log(RC_COMMENT, " ");
whack_log(RC_COMMENT, "List of X.509 Attribute Certificates:");
}
enumerator = acerts->create_enumerator(acerts);
while (enumerator->enumerate(enumerator, &cert))
{
ac_t *ac = (ac_t*)cert;
identification_t *entityName, *holderIssuer, *issuer;
chunk_t holderSerial, serial, authKeyID;
time_t notBefore, notAfter;
ietf_attributes_t *groups;
whack_log(RC_COMMENT, " ");
entityName = cert->get_subject(cert);
if (entityName)
{
whack_log(RC_COMMENT, " holder: \"%Y\"", entityName);
}
holderIssuer = ac->get_holderIssuer(ac);
if (holderIssuer)
{
whack_log(RC_COMMENT, " hissuer: \"%Y\"", holderIssuer);
}
holderSerial = chunk_skip_zero(ac->get_holderSerial(ac));
if (holderSerial.ptr)
{
whack_log(RC_COMMENT, " hserial: %#B", &holderSerial);
}
groups = ac->get_groups(ac);
if (groups)
{
whack_log(RC_COMMENT, " groups: %s", groups->get_string(groups));
groups->destroy(groups);
}
issuer = cert->get_issuer(cert);
whack_log(RC_COMMENT, " issuer: \"%Y\"", issuer);
serial = chunk_skip_zero(ac->get_serial(ac));
whack_log(RC_COMMENT, " serial: %#B", &serial);
cert->get_validity(cert, &now, &notBefore, &notAfter);
whack_log(RC_COMMENT, " validity: not before %T %s",
&notBefore, utc,
(notBefore < now)?"ok":"fatal (not valid yet)");
whack_log(RC_COMMENT, " not after %T %s", &notAfter, utc,
check_expiry(notAfter, ACERT_WARNING_INTERVAL, TRUE));
authKeyID = ac->get_authKeyIdentifier(ac);
if (authKeyID.ptr)
{
whack_log(RC_COMMENT, " authkey: %#B", &authKeyID);
}
}
enumerator->destroy(enumerator);
}

39
src/pluto/ac.h
View File

@ -1,39 +0,0 @@
/* Support of X.509 attribute certificates
* Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
* Copyright (C) 2003 Martin Berner, Lukas Suter
* Copyright (C) 2009 Andreas Steffen
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef _AC_H
#define _AC_H
#include <utils/identification.h>
#include <credentials/certificates/certificate.h>
#include <credentials/ietf_attributes/ietf_attributes.h>
/* access structure for an X.509 attribute certificate */
extern void ac_initialize(void);
extern void ac_finalize(void);
extern void ac_load_certs(void);
extern void ac_list_certs(bool utc);
extern certificate_t* ac_get_cert(identification_t *issuer, chunk_t serial);
extern bool ac_verify_cert(certificate_t *ac, bool strict);
extern bool match_group_membership(ietf_attributes_t *peer_attributes,
char *conn,
ietf_attributes_t *conn_attributes);
#endif /* _AC_H */

610
src/pluto/adns.c
View File

@ -1,610 +0,0 @@
/* Pluto Asynchronous DNS Helper Program -- for internal use only!
* Copyright (C) 2002 D. Hugh Redelmeier.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/* This program executes as multiple processes. The Master process
* receives queries (struct adns_query messages) from Pluto and distributes
* them amongst Worker processes. These Worker processes are created
* by the Master whenever a query arrives and no existing Worker is free.
* At most MAX_WORKERS will be created; after that, the Master will queue
* queries until a Worker becomes free. When a Worker has an answer from
* the resolver, it sends the answer as a struct adns_answer message to the
* Master. The Master then forwards the answer to Pluto, noting that
* the Worker is free to accept another query.
*
* The protocol is simple: Pluto sends a sequence of queries and receives
* a sequence of answers. select(2) is used by Pluto and by the Master
* process to decide when to read, but writes are done without checking
* for readiness. Communications is via pipes. Since only one process
* can write to each pipe, messages will not be interleaved. Fixed length
* records are used for simplicity.
*
* Pluto needs a way to indicate to the Master when to shut down
* and the Master needs to indicate this to each worker. EOF on the pipe
* signifies this.
*
* The interfaces between these components are considered private to
* Pluto. This allows us to get away with less checking. This is a
* reason to use pipes instead of TCP/IP.
*
* Although the code uses plain old UNIX processes, it could be modified
* to use threads. That might reduce resource requirements. It would
* preclude running on systems without thread-safe resolvers.
*/
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include <netdb.h> /* ??? for h_errno */
#include <freeswan.h>
/* GCC magic! */
#ifdef GCC_LINT
# define UNUSED __attribute__ ((unused))
#else
# define UNUSED /* ignore */
#endif
#include "constants.h"
#include "adns.h" /* needs <resolv.h> */
/* shared by all processes */
static const char *name; /* program name, for messages */
static bool debug = FALSE;
/* Read a variable-length record from a pipe (and no more!).
* First bytes must be a size_t containing the length.
* HES_CONTINUE if record read
* HES_OK if EOF
* HES_IO_ERROR_IN if errno tells the tale.
* Others are errors.
*/
static enum helper_exit_status
read_pipe(int fd, unsigned char *stuff, size_t minlen, size_t maxlen)
{
size_t n = 0;
size_t goal = minlen;
do {
ssize_t m = read(fd, stuff + n, goal - n);
if (m == -1)
{
if (errno != EINTR)
{
syslog(LOG_ERR, "Input error on pipe: %s", strerror(errno));
return HES_IO_ERROR_IN;
}
}
else if (m == 0)
{
return HES_OK; /* treat empty message as EOF */
}
else
{
n += m;
if (n >= sizeof(size_t))
{
goal = *(size_t *)(void *)stuff;
if (goal < minlen || maxlen < goal)
{
if (debug)
fprintf(stderr, "%lu : [%lu, %lu]\n"
, (unsigned long)goal
, (unsigned long)minlen, (unsigned long)maxlen);
return HES_BAD_LEN;
}
}
}
} while (n < goal);
return HES_CONTINUE;
}
/* Write a variable-length record to a pipe.
* First bytes must be a size_t containing the length.
* HES_CONTINUE if record written
* Others are errors.
*/
static enum helper_exit_status
write_pipe(int fd, const unsigned char *stuff)
{
size_t len = *(const size_t *)(const void *)stuff;
size_t n = 0;
do {
ssize_t m = write(fd, stuff + n, len - n);
if (m == -1)
{
/* error, but ignore and retry if EINTR */
if (errno != EINTR)
{
syslog(LOG_ERR, "Output error from master: %s", strerror(errno));
return HES_IO_ERROR_OUT;
}
}
else
{
n += m;
}
} while (n != len);
return HES_CONTINUE;
}
/**************** worker process ****************/
/* The interface in RHL6.x and BIND distribution 8.2.2 are different,
* so we build some of our own :-(
*/
/* Support deprecated interface to allow for older releases of the resolver.
* Fake new interface!
* See resolver(3) bind distribution (should be in RHL6.1, but isn't).
* __RES was 19960801 in RHL6.2, an old resolver.
*/
#if (__RES) <= 19960801
# define OLD_RESOLVER 1
#endif
#ifdef OLD_RESOLVER
# define res_ninit(statp) res_init()
# define res_nquery(statp, dname, class, type, answer, anslen) \
res_query(dname, class, type, answer, anslen)
# define res_nclose(statp) res_close()
static struct __res_state *statp = &_res;
#else /* !OLD_RESOLVER */
static struct __res_state my_res_state /* = { 0 } */;
static res_state statp = &my_res_state;
#endif /* !OLD_RESOLVER */
static int
worker(int qfd, int afd)
{
{
int r = res_ninit(statp);
if (r != 0)
{
syslog(LOG_ERR, "cannot initialize resolver");
return HES_RES_INIT;
}
#ifndef OLD_RESOLVER
statp->options |= RES_ROTATE;
#endif
statp->options |= RES_DEBUG;
}
for (;;)
{
struct adns_query q;
struct adns_answer a;
enum helper_exit_status r = read_pipe(qfd, (unsigned char *)&q
, sizeof(q), sizeof(q));
if (r != HES_CONTINUE)
return r; /* some kind of exit */
if (q.qmagic != ADNS_Q_MAGIC)
{
syslog(LOG_ERR, "error in input from master: bad magic");
return HES_BAD_MAGIC;
}
a.amagic = ADNS_A_MAGIC;
a.serial = q.serial;
a.continuation = NULL;
a.result = res_nquery(statp, q.name_buf, C_IN, q.type, a.ans, sizeof(a.ans));
a.h_errno_val = h_errno;
a.len = offsetof(struct adns_answer, ans) + (a.result < 0? 0 : a.result);
#ifdef DEBUG
if (((q.debugging & IMPAIR_DELAY_ADNS_KEY_ANSWER) && q.type == T_KEY)
|| ((q.debugging & IMPAIR_DELAY_ADNS_TXT_ANSWER) && q.type == T_TXT))
sleep(30); /* delay the answer */
#endif
/* write answer, possibly a bit at a time */
r = write_pipe(afd, (const unsigned char *)&a);
if (r != HES_CONTINUE)
return r; /* some kind of exit */
}
}
/**************** master process ****************/
bool eof_from_pluto = FALSE;
#define PLUTO_QFD 0 /* queries come on stdin */
#define PLUTO_AFD 1 /* answers go out on stdout */
#ifndef MAX_WORKERS
# define MAX_WORKERS 10 /* number of in-flight queries */
#endif
struct worker_info {
int qfd; /* query pipe's file descriptor */
int afd; /* answer pipe's file descriptor */
pid_t pid;
bool busy;
void *continuation; /* of outstanding request */
};
static struct worker_info wi[MAX_WORKERS];
static struct worker_info *wi_roof = wi;
/* request FIFO */
struct query_list {
struct query_list *next;
struct adns_query aq;
};
static struct query_list *oldest_query = NULL;
static struct query_list *newest_query; /* undefined when oldest == NULL */
static struct query_list *free_queries = NULL;
static bool
spawn_worker(void)
{
int qfds[2];
int afds[2];
pid_t p;
if (pipe(qfds) != 0 || pipe(afds) != 0)
{
syslog(LOG_ERR, "pipe(2) failed: %s", strerror(errno));
exit(HES_PIPE);
}
wi_roof->qfd = qfds[1]; /* write end of query pipe */
wi_roof->afd = afds[0]; /* read end of answer pipe */
p = fork();
if (p == -1)
{
/* fork failed: ignore if at least one worker exists */
if (wi_roof == wi)
{
syslog(LOG_ERR, "fork(2) error creating first worker: %s", strerror(errno));
exit(HES_FORK);
}
close(qfds[0]);
close(qfds[1]);
close(afds[0]);
close(afds[1]);
return FALSE;
}
else if (p == 0)
{
/* child */
struct worker_info *w;
close(PLUTO_QFD);
close(PLUTO_AFD);
/* close all master pipes, including ours */
for (w = wi; w <= wi_roof; w++)
{
close(w->qfd);
close(w->afd);
}
exit(worker(qfds[0], afds[1]));
}
else
{
/* parent */
struct worker_info *w = wi_roof++;
w->pid = p;
w->busy = FALSE;
close(qfds[0]);
close(afds[1]);
return TRUE;
}
}
static void
send_eof(struct worker_info *w)
{
pid_t p;
int status;
close(w->qfd);
w->qfd = NULL_FD;
close(w->afd);
w->afd = NULL_FD;
/* reap child */
p = waitpid(w->pid, &status, 0);
/* ignore result -- what could we do with it? */
}
static void
forward_query(struct worker_info *w)
{
struct query_list *q = oldest_query;
if (q == NULL)
{
if (eof_from_pluto)
send_eof(w);
}
else
{
enum helper_exit_status r
= write_pipe(w->qfd, (const unsigned char *) &q->aq);
if (r != HES_CONTINUE)
exit(r);
w->busy = TRUE;
oldest_query = q->next;
q->next = free_queries;
free_queries = q;
}
}
static void
query(void)
{
struct query_list *q = free_queries;
enum helper_exit_status r;
/* find an unused queue entry */
if (q == NULL)
{
q = malloc(sizeof(*q));
if (q == NULL)
{
syslog(LOG_ERR, "malloc(3) failed");
exit(HES_MALLOC);
}
}
else
{
free_queries = q->next;
}
r = read_pipe(PLUTO_QFD, (unsigned char *)&q->aq
, sizeof(q->aq), sizeof(q->aq));
if (r == HES_OK)
{
/* EOF: we're done, except for unanswered queries */
struct worker_info *w;
eof_from_pluto = TRUE;
q->next = free_queries;
free_queries = q;
/* Send bye-bye to unbusy processes.
* Note that if there are queued queries, there won't be
* any non-busy workers.
*/
for (w = wi; w != wi_roof; w++)
if (!w->busy)
send_eof(w);
}
else if (r != HES_CONTINUE)
{
exit(r);
}
else if (q->aq.qmagic != ADNS_Q_MAGIC)
{
syslog(LOG_ERR, "error in query from Pluto: bad magic");
exit(HES_BAD_MAGIC);
}
else
{
struct worker_info *w;
/* got a query */
/* add it to FIFO */
q->next = NULL;
if (oldest_query == NULL)
oldest_query = q;
else
newest_query->next = q;
newest_query = q;
/* See if any worker available */
for (w = wi; ; w++)
{
if (w == wi_roof)
{
/* no free worker */
if (w == wi + MAX_WORKERS)
break; /* no more to be created */
/* make a new one */
if (!spawn_worker())
break; /* cannot create one at this time */
}
if (!w->busy)
{
/* assign first to free worker */
forward_query(w);
break;
}
}
}
return;
}
static void
answer(struct worker_info *w)
{
struct adns_answer a;
enum helper_exit_status r = read_pipe(w->afd, (unsigned char *)&a
, offsetof(struct adns_answer, ans), sizeof(a));
if (r == HES_OK)
{
/* unexpected EOF */
syslog(LOG_ERR, "unexpected EOF from worker");
exit(HES_IO_ERROR_IN);
}
else if (r != HES_CONTINUE)
{
exit(r);
}
else if (a.amagic != ADNS_A_MAGIC)
{
syslog(LOG_ERR, "Input from worker error: bad magic");
exit(HES_BAD_MAGIC);
}
else if (a.continuation != w->continuation)
{
/* answer doesn't match query */
syslog(LOG_ERR, "Input from worker error: continuation mismatch");
exit(HES_SYNC);
}
else
{
/* pass the answer on to Pluto */
enum helper_exit_status r
= write_pipe(PLUTO_AFD, (const unsigned char *) &a);
if (r != HES_CONTINUE)
exit(r);
w->busy = FALSE;
forward_query(w);
}
}
/* assumption: input limited; accept blocking on output */
static int
master(void)
{
for (;;)
{
fd_set readfds;
int maxfd = PLUTO_QFD; /* approximate lower bound */
int ndes = 0;
struct worker_info *w;
FD_ZERO(&readfds);
if (!eof_from_pluto)
{
FD_SET(PLUTO_QFD, &readfds);
ndes++;
}
for (w = wi; w != wi_roof; w++)
{
if (w->busy)
{
FD_SET(w->afd, &readfds);
ndes++;
if (maxfd < w->afd)
maxfd = w->afd;
}
}
if (ndes == 0)
return HES_OK; /* done! */
do {
ndes = select(maxfd + 1, &readfds, NULL, NULL, NULL);
} while (ndes == -1 && errno == EINTR);
if (ndes == -1)
{
syslog(LOG_ERR, "select(2) error: %s", strerror(errno));
exit(HES_IO_ERROR_SELECT);
}
else if (ndes > 0)
{
if (FD_ISSET(PLUTO_QFD, &readfds))
{
query();
ndes--;
}
for (w = wi; ndes > 0 && w != wi_roof; w++)
{
if (w->busy && FD_ISSET(w->afd, &readfds))
{
answer(w);
ndes--;
}
}
}
}
}
/* Not to be invoked by strangers -- user hostile.
* Mandatory args: query-fd answer-fd
* Optional arg: -d, signifying "debug".
*/
static void
adns_usage(const char *fmt, const char *arg)
{
const char **sp = ipsec_copyright_notice();
fprintf(stderr, "INTERNAL TO PLUTO: DO NOT EXECUTE\n");
fprintf(stderr, fmt, arg);
fprintf(stderr, "\nstrongSwan "VERSION"\n");
for (; *sp != NULL; sp++)
fprintf(stderr, "%s\n", *sp);
syslog(LOG_ERR, fmt, arg);
exit(HES_INVOCATION);
}
int
main(int argc UNUSED, char **argv)
{
int i = 1;
name = argv[0];
while (i < argc)
{
if (streq(argv[i], "-d"))
{
i++;
debug = TRUE;
}
else
{
adns_usage("unexpected argument \"%s\"", argv[i]);
/*NOTREACHED*/
}
}
return master();
}

78
src/pluto/adns.h
View File

@ -1,78 +0,0 @@
/* Pluto Asynchronous DNS Helper Program's Header
* Copyright (C) 2002 D. Hugh Redelmeier.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef ADNS
/* dummy struct to make compilers happy */
struct adns_query {
};
#else /* rest of file */
/* The interface in RHL6.x and BIND distribution 8.2.2 are different,
* so we build some of our own :-(
*/
# ifndef NS_MAXDNAME
# define NS_MAXDNAME MAXDNAME /* I hope this is long enough for IPv6 */
# endif
# ifndef NS_PACKETSZ
# define NS_PACKETSZ PACKETSZ
# endif
/* protocol version */
#define ADNS_Q_MAGIC (((((('d' << 8) + 'n') << 8) + 's') << 8) + 4)
#define ADNS_A_MAGIC (((((('d' << 8) + 'n') << 8) + 's') << 8) + 128 + 4)
/* note: both struct adns_query and struct adns_answer must start with
* size_t len;
*/
struct adns_query {
size_t len;
unsigned int qmagic;
unsigned long serial;
lset_t debugging; /* only used #ifdef DEBUG, but don't want layout to change */
u_char name_buf[NS_MAXDNAME + 2];
int type; /* T_KEY or T_TXT */
};
struct adns_answer {
size_t len;
unsigned int amagic;
unsigned long serial;
struct adns_continuation *continuation;
int result;
int h_errno_val;
u_char ans[NS_PACKETSZ * 10]; /* very probably bigger than necessary */
};
enum helper_exit_status {
HES_CONTINUE = -1, /* not an exit */
HES_OK = 0, /* all's well that ends well (perhaps EOF) */
HES_INVOCATION, /* improper invocation */
HES_IO_ERROR_SELECT, /* IO error in select() */
HES_MALLOC, /* malloc failed */
HES_IO_ERROR_IN, /* error reading pipe */
HES_IO_ERROR_OUT, /* error reading pipe */
HES_PIPE, /* pipe(2) failed */
HES_SYNC, /* answer from worker doesn't match query */
HES_FORK, /* fork(2) failed */
HES_RES_INIT, /* resolver initialization failed */
HES_BAD_LEN, /* implausible .len field */
HES_BAD_MAGIC, /* .magic field wrong */
};
#endif /* ADNS */

683
src/pluto/alg_info.c
View File

@ -1,683 +0,0 @@
/*
* Algorithm info parsing and creation functions
* Copyright (C) JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
* Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <freeswan.h>
#include <pfkeyv2.h>
#include <utils.h>
#include <utils/lexparser.h>
#include <crypto/diffie_hellman.h>
#include <crypto/transform.h>
#include <crypto/proposal/proposal_keywords.h>
#include "alg_info.h"
#include "constants.h"
#include "defs.h"
#include "log.h"
#include "whack.h"
#include "crypto.h"
#include "kernel_alg.h"
#include "ike_alg.h"
/*
* sadb/ESP aa attrib converters
*/
int alg_info_esp_aa2sadb(int auth)
{
int sadb_aalg = 0;
switch(auth)
{
case AUTH_ALGORITHM_HMAC_MD5:
case AUTH_ALGORITHM_HMAC_SHA1:
sadb_aalg = auth + 1;
break;
default:
sadb_aalg = auth;
}
return sadb_aalg;
}
int alg_info_esp_sadb2aa(int sadb_aalg)
{
int auth = 0;
switch(sadb_aalg)
{
case SADB_AALG_MD5HMAC:
case SADB_AALG_SHA1HMAC:
auth = sadb_aalg - 1;
break;
default:
auth = sadb_aalg;
}
return auth;
}
void alg_info_free(struct alg_info *alg_info)
{
free(alg_info);
}
/*
* Raw add routine: only checks for no duplicates
*/
static void __alg_info_esp_add(struct alg_info_esp *alg_info, int ealg_id,
unsigned ek_bits, int aalg_id, unsigned ak_bits)
{
struct esp_info *esp_info = alg_info->esp;
unsigned cnt = alg_info->alg_info_cnt, i;
/* check for overflows */
passert(cnt < countof(alg_info->esp));
/* dont add duplicates */
for (i = 0; i < cnt; i++)
{
if (esp_info[i].esp_ealg_id == ealg_id
&& (!ek_bits || esp_info[i].esp_ealg_keylen == ek_bits)
&& esp_info[i].esp_aalg_id == aalg_id
&& (!ak_bits || esp_info[i].esp_aalg_keylen == ak_bits))
{
return;
}
}
esp_info[cnt].esp_ealg_id = ealg_id;
esp_info[cnt].esp_ealg_keylen = ek_bits;
esp_info[cnt].esp_aalg_id = aalg_id;
esp_info[cnt].esp_aalg_keylen = ak_bits;
/* sadb values */
esp_info[cnt].encryptalg = ealg_id;
esp_info[cnt].authalg = alg_info_esp_aa2sadb(aalg_id);
alg_info->alg_info_cnt++;
DBG(DBG_CRYPT,
DBG_log("esp alg added: %s_%d/%s, cnt=%d",
enum_show(&esp_transform_names, ealg_id), ek_bits,
enum_show(&auth_alg_names, aalg_id),
alg_info->alg_info_cnt)
)
}
/**
* Returns true if the given alg is an authenticated encryption algorithm
*/
static bool is_authenticated_encryption(int ealg_id)
{
switch (ealg_id)
{
case ESP_AES_CCM_8:
case ESP_AES_CCM_12:
case ESP_AES_CCM_16:
case ESP_AES_GCM_8:
case ESP_AES_GCM_12:
case ESP_AES_GCM_16:
case ESP_AES_GMAC:
return TRUE;
}
return FALSE;
}
/*
* Add ESP alg info _with_ logic (policy):
*/
static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id,
int ek_bits, int aalg_id, int ak_bits)
{
/* Policy: default to 3DES */
if (ealg_id == 0)
{
ealg_id = ESP_3DES;
}
if (ealg_id > 0)
{
if (is_authenticated_encryption(ealg_id))
{
__alg_info_esp_add((struct alg_info_esp *)alg_info,
ealg_id, ek_bits,
AUTH_ALGORITHM_NONE, 0);
}
else if (aalg_id > 0)
{
__alg_info_esp_add((struct alg_info_esp *)alg_info,
ealg_id, ek_bits,
aalg_id, ak_bits);
}
else
{
/* Policy: default to SHA-1 and MD5 */
__alg_info_esp_add((struct alg_info_esp *)alg_info,
ealg_id, ek_bits,
AUTH_ALGORITHM_HMAC_SHA1, ak_bits);
__alg_info_esp_add((struct alg_info_esp *)alg_info,
ealg_id, ek_bits,
AUTH_ALGORITHM_HMAC_MD5, ak_bits);
}
}
}
static void __alg_info_ike_add (struct alg_info_ike *alg_info, int ealg_id,
unsigned ek_bits, int aalg_id, unsigned ak_bits,
int modp_id)
{
struct ike_info *ike_info = alg_info->ike;
unsigned cnt = alg_info->alg_info_cnt;
unsigned i;
/* check for overflows */
passert(cnt < countof(alg_info->ike));
/* dont add duplicates */
for (i = 0; i < cnt; i++)
{
if (ike_info[i].ike_ealg == ealg_id
&& (!ek_bits || ike_info[i].ike_eklen == ek_bits)
&& ike_info[i].ike_halg == aalg_id
&& (!ak_bits || ike_info[i].ike_hklen == ak_bits)
&& ike_info[i].ike_modp==modp_id)
return;
}
ike_info[cnt].ike_ealg = ealg_id;
ike_info[cnt].ike_eklen = ek_bits;
ike_info[cnt].ike_halg = aalg_id;
ike_info[cnt].ike_hklen = ak_bits;
ike_info[cnt].ike_modp = modp_id;
alg_info->alg_info_cnt++;
DBG(DBG_CRYPT,
DBG_log("ikg alg added: %s_%d/%s/%s, cnt=%d",
enum_show(&oakley_enc_names, ealg_id), ek_bits,
enum_show(&oakley_hash_names, aalg_id),
enum_show(&oakley_group_names, modp_id),
alg_info->alg_info_cnt)
)
}
/*
* Proposals will be built by looping over default_ike_groups array and
* merging alg_info (ike_info) contents
*/
static int default_ike_groups[] = {
MODP_1536_BIT,
MODP_1024_BIT
};
/*
* Add IKE alg info _with_ logic (policy):
*/
static void alg_info_ike_add (struct alg_info *alg_info, int ealg_id,
int ek_bits, int aalg_id, int ak_bits, int modp_id)
{
int i = 0;
int n_groups = countof(default_ike_groups);
/* if specified modp_id avoid loop over default_ike_groups */
if (modp_id)
{
n_groups=0;
goto in_loop;
}
for (; n_groups--; i++)
{
modp_id = default_ike_groups[i];
in_loop:
/* Policy: default to 3DES */
if (ealg_id == 0)
{
ealg_id = OAKLEY_3DES_CBC;
}
if (ealg_id > 0)
{
if (aalg_id > 0)
{
__alg_info_ike_add((struct alg_info_ike *)alg_info,
ealg_id, ek_bits,
aalg_id, ak_bits,
modp_id);
}
else
{
/* Policy: default to MD5 and SHA */
__alg_info_ike_add((struct alg_info_ike *)alg_info,
ealg_id, ek_bits,
OAKLEY_MD5, ak_bits,
modp_id);
__alg_info_ike_add((struct alg_info_ike *)alg_info,
ealg_id, ek_bits,
OAKLEY_SHA, ak_bits,
modp_id);
}
}
}
}
static status_t alg_info_add(chunk_t alg, unsigned protoid,
int *ealg, size_t *ealg_keysize,
int *aalg, size_t *aalg_keysize, int *dh_group)
{
const proposal_token_t *token = proposal_get_token(alg.ptr, alg.len);
if (token == NULL)
{
return FAILED;
}
switch (token->type)
{
case ENCRYPTION_ALGORITHM:
if (*ealg != 0)
{
return FAILED;
}
*ealg = (protoid == PROTO_ISAKMP) ?
oakley_from_encryption_algorithm(token->algorithm) :
esp_from_encryption_algorithm(token->algorithm);
if (*ealg == 0)
{
return FAILED;
}
*ealg_keysize = token->keysize;
break;
case INTEGRITY_ALGORITHM:
if (*aalg != 0)
{
return FAILED;
}
*aalg = (protoid == PROTO_ISAKMP) ?
oakley_from_integrity_algorithm(token->algorithm) :
esp_from_integrity_algorithm(token->algorithm);
if (*aalg == 0)
{
return FAILED;
}
*aalg_keysize = token->keysize;
break;
case DIFFIE_HELLMAN_GROUP:
if (protoid == PROTO_ISAKMP)
{
if (*dh_group != 0)
{
return FAILED;
}
*dh_group = token->algorithm;
}
break;
default:
return FAILED;
}
return SUCCESS;
}
static status_t alg_info_parse_str(struct alg_info *alg_info, char *alg_str)
{
char *strict, *single;
status_t status = SUCCESS;
strict = alg_str + strlen(alg_str) - 1;
if (*strict == '!')
{
alg_info->alg_info_flags |= ALG_INFO_F_STRICT;
*strict = '\0';
}
while ((single = strsep(&alg_str, ",")))
{
chunk_t string = { (u_char *)single, strlen(single) };
int ealg = 0;
int aalg = 0;
int dh_group = 0;
size_t ealg_keysize = 0;
size_t aalg_keysize = 0;
eat_whitespace(&string);
if (string.len > 0)
{
chunk_t alg;
/* get all token, separated by '-' */
while (extract_token(&alg, '-', &string))
{
status |= alg_info_add(alg, alg_info->alg_info_protoid,
&ealg, &ealg_keysize,
&aalg, &aalg_keysize, &dh_group);
}
if (string.len)
{
status |= alg_info_add(string, alg_info->alg_info_protoid,
&ealg, &ealg_keysize,
&aalg, &aalg_keysize, &dh_group);
}
}
if (status == SUCCESS)
{
switch (alg_info->alg_info_protoid)
{
case PROTO_IPSEC_ESP:
alg_info_esp_add(alg_info, ealg, ealg_keysize,
aalg, aalg_keysize);
break;
case PROTO_ISAKMP:
alg_info_ike_add(alg_info, ealg, ealg_keysize,
aalg, aalg_keysize,
dh_group);
break;
default:
break;
}
}
}
return status;
}
struct alg_info_esp *alg_info_esp_create_from_str(char *alg_str)
{
struct alg_info_esp *alg_info_esp;
char esp_buf[BUF_LEN];
char *pfs_name;
status_t status = SUCCESS;
/*
* alg_info storage should be sized dynamically
* but this may require 2passes to know
* transform count in advance.
*/
alg_info_esp = malloc_thing (struct alg_info_esp);
zero(alg_info_esp);
pfs_name=strchr(alg_str, ';');
if (pfs_name)
{
memcpy(esp_buf, alg_str, pfs_name-alg_str);
esp_buf[pfs_name-alg_str] = 0;
alg_str = esp_buf;
pfs_name++;
/* if pfs strings AND first char is not '0' */
if (*pfs_name && pfs_name[0] != '0')
{
const proposal_token_t *token;
token = proposal_get_token(pfs_name, strlen(pfs_name));
if (token == NULL || token->type != DIFFIE_HELLMAN_GROUP)
{
/* Bomb if pfsgroup not found */
DBG(DBG_CRYPT,
DBG_log("alg_info_esp_create_from_str(): pfsgroup \"%s\" not found"
, pfs_name)
)
status = FAILED;
goto out;
}
alg_info_esp->esp_pfsgroup = token->algorithm;
}
}
else
{
alg_info_esp->esp_pfsgroup = 0;
}
alg_info_esp->alg_info_protoid = PROTO_IPSEC_ESP;
status = alg_info_parse_str((struct alg_info *)alg_info_esp, alg_str);
out:
if (status == SUCCESS)
{
alg_info_esp->ref_cnt = 1;
return alg_info_esp;
}
else
{
free(alg_info_esp);
return NULL;
}
}
struct alg_info_ike *alg_info_ike_create_from_str(char *alg_str)
{
struct alg_info_ike *alg_info_ike;
/*
* alg_info storage should be sized dynamically
* but this may require 2passes to know
* transform count in advance.
*/
alg_info_ike = malloc_thing (struct alg_info_ike);
zero(alg_info_ike);
alg_info_ike->alg_info_protoid = PROTO_ISAKMP;
if (alg_info_parse_str((struct alg_info *)alg_info_ike, alg_str) == SUCCESS)
{
alg_info_ike->ref_cnt = 1;
return alg_info_ike;
}
else
{
free(alg_info_ike);
return NULL;
}
}
/*
* alg_info struct can be shared by
* several connections instances,
* handle free() with ref_cnts
*/
void
alg_info_addref(struct alg_info *alg_info)
{
if (alg_info != NULL)
{
alg_info->ref_cnt++;
}
}
void
alg_info_delref(struct alg_info **alg_info_p)
{
struct alg_info *alg_info = *alg_info_p;
if (alg_info != NULL)
{
passert(alg_info->ref_cnt != 0);
alg_info->ref_cnt--;
if (alg_info->ref_cnt == 0)
{
alg_info_free(alg_info);
}
*alg_info_p = NULL;
}
}
/* snprint already parsed transform list (alg_info) */
int
alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
{
char *ptr = buf;
int np = 0;
struct esp_info *esp_info;
struct ike_info *ike_info;
int cnt;
switch (alg_info->alg_info_protoid) {
case PROTO_IPSEC_ESP:
{
struct alg_info_esp *alg_info_esp = (struct alg_info_esp *)alg_info;
ALG_INFO_ESP_FOREACH(alg_info_esp, esp_info, cnt)
{
np = snprintf(ptr, buflen, "%s",
enum_show(&esp_transform_names, esp_info->esp_ealg_id));
ptr += np;
buflen -= np;
if (esp_info->esp_ealg_keylen)
{
np = snprintf(ptr, buflen, "_%zu", esp_info->esp_ealg_keylen);
ptr += np;
buflen -= np;
}
np = snprintf(ptr, buflen, "/%s, ",
enum_show(&auth_alg_names, esp_info->esp_aalg_id));
ptr += np;
buflen -= np;
if (buflen < 0)
goto out;
}
if (alg_info_esp->esp_pfsgroup)
{
np = snprintf(ptr, buflen, "; pfsgroup=%s; ",
enum_show(&oakley_group_names, alg_info_esp->esp_pfsgroup));
ptr += np;
buflen -= np;
if (buflen < 0)
goto out;
}
break;
}
case PROTO_ISAKMP:
ALG_INFO_IKE_FOREACH((struct alg_info_ike *)alg_info, ike_info, cnt)
{
np = snprintf(ptr, buflen, "%s",
enum_show(&oakley_enc_names, ike_info->ike_ealg));
ptr += np;
buflen -= np;
if (ike_info->ike_eklen)
{
np = snprintf(ptr, buflen, "_%zu", ike_info->ike_eklen);
ptr += np;
buflen -= np;
}
np = snprintf(ptr, buflen, "/%s/%s, ",
enum_show(&oakley_hash_names, ike_info->ike_halg),
enum_show(&oakley_group_names, ike_info->ike_modp));
ptr += np;
buflen -= np;
if (buflen < 0)
goto out;
}
break;
default:
np = snprintf(buf, buflen, "INVALID protoid=%d\n"
, alg_info->alg_info_protoid);
ptr += np;
buflen -= np;
goto out;
}
np = snprintf(ptr, buflen, "%s"
, alg_info->alg_info_flags & ALG_INFO_F_STRICT?
"strict":"");
ptr += np;
buflen -= np;
out:
if (buflen < 0)
{
loglog(RC_LOG_SERIOUS
, "buffer space exhausted in alg_info_snprint_ike(), buflen=%d"
, buflen);
}
return ptr - buf;
}
int alg_info_snprint_esp(char *buf, int buflen, struct alg_info_esp *alg_info)
{
char *ptr = buf;
int cnt = alg_info->alg_info_cnt;
struct esp_info *esp_info = alg_info->esp;
while (cnt--)
{
if (kernel_alg_esp_enc_ok(esp_info->esp_ealg_id, 0, NULL)
&& kernel_alg_esp_auth_ok(esp_info->esp_aalg_id, NULL))
{
u_int eklen = (esp_info->esp_ealg_keylen)
? esp_info->esp_ealg_keylen
: kernel_alg_esp_enc_keylen(esp_info->esp_ealg_id)
* BITS_PER_BYTE;
u_int aklen = esp_info->esp_aalg_keylen
? esp_info->esp_aalg_keylen
: kernel_alg_esp_auth_keylen(esp_info->esp_aalg_id)
* BITS_PER_BYTE;
int ret = snprintf(ptr, buflen, "%d_%03d-%d_%03d, ",
esp_info->esp_ealg_id, eklen,
esp_info->esp_aalg_id, aklen);
ptr += ret;
buflen -= ret;
if (buflen < 0)
break;
}
esp_info++;
}
return ptr - buf;
}
int alg_info_snprint_ike(char *buf, int buflen, struct alg_info_ike *alg_info)
{
char *ptr = buf;
int cnt = alg_info->alg_info_cnt;
struct ike_info *ike_info = alg_info->ike;
while (cnt--)
{
struct encrypt_desc *enc_desc = ike_alg_get_crypter(ike_info->ike_ealg);
struct hash_desc *hash_desc = ike_alg_get_hasher(ike_info->ike_halg);
struct dh_desc *dh_desc = ike_alg_get_dh_group(ike_info->ike_modp);
if (enc_desc && hash_desc && dh_desc)
{
u_int eklen = (ike_info->ike_eklen)
? ike_info->ike_eklen
: enc_desc->keydeflen;
u_int aklen = (ike_info->ike_hklen)
? ike_info->ike_hklen
: hash_desc->hash_digest_size * BITS_PER_BYTE;
int ret = snprintf(ptr, buflen, "%d_%03d-%d_%03d-%d, ",
ike_info->ike_ealg, eklen,
ike_info->ike_halg, aklen,
ike_info->ike_modp);
ptr += ret;
buflen -= ret;
if (buflen < 0)
break;
}
ike_info++;
}
return ptr - buf;
}

80
src/pluto/alg_info.h
View File

@ -1,80 +0,0 @@
/* Algorithm info parsing and creation functions
* Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef ALG_INFO_H
#define ALG_INFO_H
struct esp_info {
u_int8_t transid; /* ESP transform */
u_int16_t auth; /* AUTH */
size_t enckeylen; /* keylength for ESP transform */
size_t authkeylen; /* keylength for AUTH */
u_int8_t encryptalg; /* normally encryptalg=transid */
u_int8_t authalg; /* normally authalg=auth+1 */
};
struct ike_info {
u_int16_t ike_ealg; /* high 16 bit nums for reserved */
u_int8_t ike_halg;
size_t ike_eklen;
size_t ike_hklen;
u_int16_t ike_modp;
};
#define ALG_INFO_COMMON \
int alg_info_cnt; \
int ref_cnt; \
unsigned alg_info_flags; \
unsigned alg_info_protoid
struct alg_info {
ALG_INFO_COMMON;
};
struct alg_info_esp {
ALG_INFO_COMMON;
struct esp_info esp[64];
int esp_pfsgroup;
};
struct alg_info_ike {
ALG_INFO_COMMON;
struct ike_info ike[64];
};
#define esp_ealg_id transid
#define esp_aalg_id auth
#define esp_ealg_keylen enckeylen /* bits */
#define esp_aalg_keylen authkeylen /* bits */
/* alg_info_flags bits */
#define ALG_INFO_F_STRICT 0x01
extern int alg_info_esp_aa2sadb(int auth);
extern int alg_info_esp_sadb2aa(int sadb_aalg);
extern void alg_info_free(struct alg_info *alg_info);
extern void alg_info_addref(struct alg_info *alg_info);
extern void alg_info_delref(struct alg_info **alg_info);
extern struct alg_info_esp* alg_info_esp_create_from_str(char *alg_str);
extern struct alg_info_ike* alg_info_ike_create_from_str(char *alg_str);
extern int alg_info_parse(const char *str);
extern int alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info);
extern int alg_info_snprint_esp(char *buf, int buflen
, struct alg_info_esp *alg_info);
extern int alg_info_snprint_ike(char *buf, int buflen
, struct alg_info_ike *alg_info);
#define ALG_INFO_ESP_FOREACH(ai, ai_esp, i) \
for (i=(ai)->alg_info_cnt,ai_esp=(ai)->esp; i--; ai_esp++)
#define ALG_INFO_IKE_FOREACH(ai, ai_ike, i) \
for (i=(ai)->alg_info_cnt,ai_ike=(ai)->ike; i--; ai_ike++)
#endif /* ALG_INFO_H */

150
src/pluto/builder.c
View File

@ -1,150 +0,0 @@
/* Pluto certificate/CRL/AC builder hooks.
* Copyright (C) 2002-2009 Andreas Steffen
* Copyright (C) 2009 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "builder.h"
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <time.h>
#include <freeswan.h>
#include <library.h>
#include <credentials/certificates/certificate.h>
#include "constants.h"
#include "defs.h"
#include "log.h"
#include "certs.h"
#include "crl.h"
/**
* Load a certificate
*/
static cert_t *builder_load_cert(certificate_type_t type, va_list args)
{
x509_flag_t flags = 0;
chunk_t blob = chunk_empty;
bool pgp = FALSE;
while (TRUE)
{
switch (va_arg(args, builder_part_t))
{
case BUILD_BLOB_PGP:
pgp = TRUE;
/* FALL */
case BUILD_BLOB_ASN1_DER:
blob = va_arg(args, chunk_t);
continue;
case BUILD_X509_FLAG:
flags |= va_arg(args, x509_flag_t);
continue;
case BUILD_END:
break;
default:
return NULL;
}
break;
}
if (blob.ptr)
{
cert_t *cert = malloc_thing(cert_t);
*cert = cert_empty;
if (pgp)
{
cert->cert = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_GPG,
BUILD_BLOB_PGP, blob,
BUILD_END);
}
else
{
cert->cert = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509,
BUILD_BLOB_ASN1_DER, blob,
BUILD_X509_FLAG, flags,
BUILD_END);
}
if (cert->cert)
{
return cert;
}
plog(" error in X.509 certificate");
cert_free(cert);
}
return NULL;
}
/**
* Load a CRL
*/
static x509crl_t *builder_load_crl(certificate_type_t type, va_list args)
{
chunk_t blob = chunk_empty;
x509crl_t *crl;
while (TRUE)
{
switch (va_arg(args, builder_part_t))
{
case BUILD_BLOB_ASN1_DER:
blob = va_arg(args, chunk_t);
continue;
case BUILD_END:
break;
default:
return NULL;
}
break;
}
if (blob.ptr)
{
crl = malloc_thing(x509crl_t);
crl->next = NULL;
crl->distributionPoints = linked_list_create();
crl->crl = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509_CRL,
BUILD_BLOB_ASN1_DER, blob,
BUILD_END);
if (crl->crl)
{
return crl;
}
plog(" error in X.509 crl");
free_crl(crl);
}
return NULL;
}
void init_builder(void)
{
lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT, FALSE,
(builder_function_t)builder_load_cert);
lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL, FALSE,
(builder_function_t)builder_load_crl);
}
void free_builder(void)
{
lib->creds->remove_builder(lib->creds, (builder_function_t)builder_load_cert);
lib->creds->remove_builder(lib->creds, (builder_function_t)builder_load_crl);
}

24
src/pluto/builder.h
View File

@ -1,24 +0,0 @@
/* Pluto certificate/CRL/AC builder hooks.
* Copyright (C) 2009 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef _BUILDER_H
#define _BUILDER_H
/* register credential builder hooks */
extern void init_builder();
/* unregister credential builder hooks */
extern void free_builder();
#endif /* _BUILDER_H */

712
src/pluto/ca.c
View File

@ -1,712 +0,0 @@
/* Certification Authority (CA) support for IKE authentication
* Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <debug.h>
#include <utils/enumerator.h>
#include <credentials/certificates/x509.h>
#include <freeswan.h>
#include "constants.h"
#include "defs.h"
#include "log.h"
#include "x509.h"
#include "ca.h"
#include "certs.h"
#include "whack.h"
#include "fetch.h"
#include "smartcard.h"
/* chained list of X.509 authority certificates (ca, aa, and ocsp) */
static cert_t *x509authcerts = NULL;
/* chained list of X.509 certification authority information records */
static ca_info_t *ca_infos = NULL;
/*
* Checks if CA a is trusted by CA b
*/
bool trusted_ca(identification_t *a, identification_t *b, int *pathlen)
{
bool match = FALSE;
/* no CA b specified -> any CA a is accepted */
if (b == NULL)
{
*pathlen = (a == NULL) ? 0 : X509_MAX_PATH_LEN;
return TRUE;
}
/* no CA a specified -> trust cannot be established */
if (a == NULL)
{
*pathlen = X509_MAX_PATH_LEN;
return FALSE;
}
*pathlen = 0;
/* CA a equals CA b -> we have a match */
if (a->equals(a, b))
{
return TRUE;
}
/* CA a might be a subordinate CA of b */
lock_authcert_list("trusted_ca");
while ((*pathlen)++ < X509_MAX_PATH_LEN)
{
certificate_t *certificate;
identification_t *issuer;
cert_t *cacert;
cacert = get_authcert(a, chunk_empty, X509_CA);
if (cacert == NULL)
{
break;
}
certificate = cacert->cert;
/* is the certificate self-signed? */
{
x509_t *x509 = (x509_t*)certificate;
if (x509->get_flags(x509) & X509_SELF_SIGNED)
{
break;
}
}
/* does the issuer of CA a match CA b? */
issuer = certificate->get_issuer(certificate);
match = b->equals(b, issuer);
/* we have a match and exit the loop */
if (match)
{
break;
}
/* go one level up in the CA chain */
a = issuer;
}
unlock_authcert_list("trusted_ca");
return match;
}
/*
* does our CA match one of the requested CAs?
*/
bool match_requested_ca(linked_list_t *requested_ca, identification_t *our_ca,
int *our_pathlen)
{
identification_t *ca;
enumerator_t *enumerator;
/* if no ca is requested than any ca will match */
if (requested_ca == NULL || requested_ca->get_count(requested_ca) == 0)
{
*our_pathlen = 0;
return TRUE;
}
*our_pathlen = X509_MAX_PATH_LEN + 1;
enumerator = requested_ca->create_enumerator(requested_ca);
while (enumerator->enumerate(enumerator, &ca))
{
int pathlen;
if (trusted_ca(our_ca, ca, &pathlen) && pathlen < *our_pathlen)
{
*our_pathlen = pathlen;
}
}
enumerator->destroy(enumerator);
if (*our_pathlen > X509_MAX_PATH_LEN)
{
*our_pathlen = X509_MAX_PATH_LEN;
return FALSE;
}
else
{
return TRUE;
}
}
/*
* free the first authority certificate in the chain
*/
static void free_first_authcert(void)
{
cert_t *first = x509authcerts;
x509authcerts = first->next;
cert_free(first);
}
/*
* free all CA certificates
*/
void free_authcerts(void)
{
lock_authcert_list("free_authcerts");
while (x509authcerts != NULL)
{
free_first_authcert();
}
unlock_authcert_list("free_authcerts");
}
/*
* get a X.509 authority certificate with a given subject or keyid
*/
cert_t* get_authcert(identification_t *subject, chunk_t keyid,
x509_flag_t auth_flags)
{
cert_t *cert, *prev_cert = NULL;
/* the authority certificate list is empty */
if (x509authcerts == NULL)
{
return NULL;
}
for (cert = x509authcerts; cert != NULL; prev_cert = cert, cert = cert->next)
{
certificate_t *certificate = cert->cert;
x509_t *x509 = (x509_t*)certificate;
/* skip non-matching types of authority certificates */
if (!(x509->get_flags(x509) & auth_flags))
{
continue;
}
/* compare the keyid with the certificate's subjectKeyIdentifier */
if (keyid.ptr)
{
chunk_t subjectKeyId;
subjectKeyId = x509->get_subjectKeyIdentifier(x509);
if (subjectKeyId.ptr && !chunk_equals(keyid, subjectKeyId))
{
continue;
}
}
/* compare the subjectDistinguishedNames */
if (!(subject && certificate->has_subject(certificate, subject)) &&
(subject || !keyid.ptr))
{
continue;
}
/* found the authcert */
if (cert != x509authcerts)
{
/* bring the certificate up front */
prev_cert->next = cert->next;
cert->next = x509authcerts;
x509authcerts = cert;
}
return cert;
}
return NULL;
}
/*
* add an authority certificate to the chained list
*/
cert_t* add_authcert(cert_t *cert, x509_flag_t auth_flags)
{
certificate_t *certificate = cert->cert;
x509_t *x509 = (x509_t*)certificate;
cert_t *old_cert;
lock_authcert_list("add_authcert");
old_cert = get_authcert(certificate->get_subject(certificate),
x509->get_subjectKeyIdentifier(x509),
auth_flags);
if (old_cert)
{
if (certificate->equals(certificate, old_cert->cert))
{
DBG(DBG_CONTROL | DBG_PARSING ,
DBG_log(" authcert is already present and identical")
)
unlock_authcert_list("add_authcert");
cert_free(cert);
return old_cert;
}
else
{
/* cert is already present but will be replaced by new cert */
free_first_authcert();
DBG(DBG_CONTROL | DBG_PARSING ,
DBG_log(" existing authcert deleted")
)
}
}
/* add new authcert to chained list */
cert->next = x509authcerts;
x509authcerts = cert;
cert_share(cert); /* set count to one */
DBG(DBG_CONTROL | DBG_PARSING,
DBG_log(" authcert inserted")
)
unlock_authcert_list("add_authcert");
return cert;
}
/*
* Loads authority certificates
*/
void load_authcerts(char *type, char *path, x509_flag_t auth_flags)
{
enumerator_t *enumerator;
struct stat st;
char *file;
DBG1(DBG_LIB, "loading %s certificates from '%s'", type, path);
enumerator = enumerator_create_directory(path);
if (!enumerator)
{
DBG1(DBG_LIB, " reading directory '%s' failed", path);
return;
}
while (enumerator->enumerate(enumerator, NULL, &file, &st))
{
cert_t *cert;
if (!S_ISREG(st.st_mode))
{
/* skip special file */
continue;
}
cert = load_cert(file, type, auth_flags);
if (cert)
{
add_authcert(cert, auth_flags);
}
}
enumerator->destroy(enumerator);
}
/*
* list all X.509 authcerts with given auth flags in a chained list
*/
void list_authcerts(const char *caption, x509_flag_t auth_flags, bool utc)
{
lock_authcert_list("list_authcerts");
list_x509cert_chain(caption, x509authcerts, auth_flags, utc);
unlock_authcert_list("list_authcerts");
}
/*
* get a cacert with a given subject or keyid from an alternative list
*/
static const cert_t* get_alt_cacert(identification_t *subject, chunk_t keyid,
const cert_t *cert)
{
if (cert == NULL)
{
return NULL;
}
for (; cert != NULL; cert = cert->next)
{
certificate_t *certificate = cert->cert;
/* compare the keyid with the certificate's subjectKeyIdentifier */
if (keyid.ptr)
{
x509_t *x509 = (x509_t*)certificate;
chunk_t subjectKeyId;
subjectKeyId = x509->get_subjectKeyIdentifier(x509);
if (subjectKeyId.ptr && !chunk_equals(keyid, subjectKeyId))
{
continue;
}
}
/* compare the subjectDistinguishedNames */
if (!certificate->has_subject(certificate, subject))
{
continue;
}
/* we found the cacert */
return cert;
}
return NULL;
}
/* establish trust into a candidate authcert by going up the trust chain.
* validity and revocation status are not checked.
*/
bool trust_authcert_candidate(const cert_t *cert, const cert_t *alt_chain)
{
int pathlen;
lock_authcert_list("trust_authcert_candidate");
for (pathlen = 0; pathlen < X509_MAX_PATH_LEN; pathlen++)
{
certificate_t *certificate = cert->cert;
x509_t *x509 = (x509_t*)certificate;
identification_t *subject = certificate->get_subject(certificate);
identification_t *issuer = certificate->get_issuer(certificate);
chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
const cert_t *authcert = NULL;
DBG(DBG_CONTROL,
DBG_log("subject: '%Y'", subject);
DBG_log("issuer: '%Y'", issuer);
if (authKeyID.ptr != NULL)
{
DBG_log("authkey: %#B", &authKeyID);
}
)
/* search in alternative chain first */
authcert = get_alt_cacert(issuer, authKeyID, alt_chain);
if (authcert != NULL)
{
DBG(DBG_CONTROL,
DBG_log("issuer cacert found in alternative chain")
)
}
else
{
/* search in trusted chain */
authcert = get_authcert(issuer, authKeyID, X509_CA);
if (authcert != NULL)
{
DBG(DBG_CONTROL,
DBG_log("issuer cacert found")
)
}
else
{
plog("issuer cacert not found");
unlock_authcert_list("trust_authcert_candidate");
return FALSE;
}
}
if (!certificate->issued_by(certificate, authcert->cert))
{
plog("certificate signature is invalid");
unlock_authcert_list("trust_authcert_candidate");
return FALSE;
}
DBG(DBG_CONTROL,
DBG_log("certificate signature is valid")
)
/* check if cert is a self-signed root ca */
if (pathlen > 0 && (x509->get_flags(x509) & X509_SELF_SIGNED))
{
DBG(DBG_CONTROL,
DBG_log("reached self-signed root ca")
)
unlock_authcert_list("trust_authcert_candidate");
return TRUE;
}
/* go up one step in the trust chain */
cert = authcert;
}
plog("maximum ca path length of %d levels exceeded", X509_MAX_PATH_LEN);
unlock_authcert_list("trust_authcert_candidate");
return FALSE;
}
/*
* get a CA info record with a given authName or authKeyID
*/
ca_info_t* get_ca_info(identification_t *name, chunk_t keyid)
{
ca_info_t *ca= ca_infos;
while (ca != NULL)
{
if ((keyid.ptr) ? same_keyid(keyid, ca->authKeyID)
: name->equals(name, ca->authName))
{
return ca;
}
ca = ca->next;
}
return NULL;
}
/*
* free the dynamic memory used by a ca_info record
*/
static void
free_ca_info(ca_info_t* ca_info)
{
if (ca_info == NULL)
{
return;
}
ca_info->crluris->destroy_function(ca_info->crluris, free);
DESTROY_IF(ca_info->authName);
free(ca_info->name);
free(ca_info->ldaphost);
free(ca_info->ldapbase);
free(ca_info->ocspuri);
free(ca_info->authKeyID.ptr);
free(ca_info);
}
/*
* free all CA certificates
*/
void free_ca_infos(void)
{
while (ca_infos != NULL)
{
ca_info_t *ca = ca_infos;
ca_infos = ca_infos->next;
free_ca_info(ca);
}
}
/*
* find a CA information record by name and optionally delete it
*/
bool find_ca_info_by_name(const char *name, bool delete)
{
ca_info_t **ca_p = &ca_infos;
ca_info_t *ca = *ca_p;
while (ca != NULL)
{
/* is there already an entry? */
if (streq(name, ca->name))
{
if (delete)
{
lock_ca_info_list("find_ca_info_by_name");
*ca_p = ca->next;
free_ca_info(ca);
plog("deleting ca description \"%s\"", name);
unlock_ca_info_list("find_ca_info_by_name");
}
return TRUE;
}
ca_p = &ca->next;
ca = *ca_p;
}
return FALSE;
}
/*
* Create an empty ca_info_t record
*/
ca_info_t* create_ca_info(void)
{
ca_info_t *ca_info = malloc_thing(ca_info_t);
memset(ca_info, 0, sizeof(ca_info_t));
ca_info->crluris = linked_list_create();
return ca_info;
}
/**
* Adds a CA description to a chained list
*/
void add_ca_info(const whack_message_t *msg)
{
smartcard_t *sc = NULL;
cert_t *cert = NULL;
bool cached_cert = FALSE;
if (find_ca_info_by_name(msg->name, FALSE))
{
loglog(RC_DUPNAME, "attempt to redefine ca record \"%s\"", msg->name);
return;
}
if (scx_on_smartcard(msg->cacert))
{
/* load CA cert from smartcard */
cert = scx_load_cert(msg->cacert, &sc, &cached_cert);
}
else
{
/* load CA cert from file */
cert = load_ca_cert(msg->cacert);
}
if (cert)
{
certificate_t *certificate = cert->cert;
x509_t *x509 = (x509_t*)certificate;
identification_t *subject = certificate->get_subject(certificate);
chunk_t subjectKeyID = x509->get_subjectKeyIdentifier(x509);
ca_info_t *ca = NULL;
/* does the authname already exist? */
ca = get_ca_info(subject, subjectKeyID);
if (ca != NULL)
{
/* ca_info is already present */
loglog(RC_DUPNAME, " duplicate ca information in record \"%s\" found,"
"ignoring \"%s\"", ca->name, msg->name);
cert_free(cert);
return;
}
plog("added ca description \"%s\"", msg->name);
/* create and initialize new ca_info record */
ca = create_ca_info();
/* name */
ca->name = clone_str(msg->name);
/* authName */
ca->authName = subject->clone(subject);
DBG(DBG_CONTROL,
DBG_log("authname: '%Y'", subject)
)
/* authKeyID */
if (subjectKeyID.ptr)
{
ca->authKeyID = chunk_clone(subjectKeyID);
DBG(DBG_CONTROL | DBG_PARSING ,
DBG_log("authkey: %#B", &subjectKeyID)
)
}
/* ldaphost */
ca->ldaphost = clone_str(msg->ldaphost);
/* ldapbase */
ca->ldapbase = clone_str(msg->ldapbase);
/* ocspuri */
if (msg->ocspuri != NULL)
{
if (strncasecmp(msg->ocspuri, "http", 4) == 0)
ca->ocspuri = clone_str(msg->ocspuri);
else
plog(" ignoring ocspuri with unknown protocol");
}
/* add crl uris */
add_distribution_point(ca->crluris, msg->crluri);
add_distribution_point(ca->crluris, msg->crluri2);
/* strictrlpolicy */
ca->strictcrlpolicy = msg->whack_strict;
/* insert ca_info record into the chained list */
lock_ca_info_list("add_ca_info");
ca->next = ca_infos;
ca_infos = ca;
unlock_ca_info_list("add_ca_info");
/* add cacert to list of authcerts */
cert = add_authcert(cert, X509_CA);
if (!cached_cert && sc != NULL)
{
if (sc->last_cert != NULL)
{
sc->last_cert->count--;
}
sc->last_cert = cert;
cert_share(sc->last_cert);
}
if (sc != NULL)
time(&sc->last_load);
}
}
/*
* list all ca_info records in the chained list
*/
void list_ca_infos(bool utc)
{
ca_info_t *ca = ca_infos;
if (ca != NULL)
{
whack_log(RC_COMMENT, " ");
whack_log(RC_COMMENT, "List of X.509 CA Information Records:");
}
while (ca != NULL)
{
/* strictpolicy per CA not supported yet
*
whack_log(RC_COMMENT, "%T, \"%s\", strictcrlpolicy: %s"
, &ca->installed, utc, ca->name
, ca->strictcrlpolicy? "yes":"no");
*/
whack_log(RC_COMMENT, " ");
whack_log(RC_COMMENT, " authname: \"%Y\"", ca->authName);
if (ca->ldaphost)
{
whack_log(RC_COMMENT, " ldaphost: '%s'", ca->ldaphost);
}
if (ca->ldapbase)
{
whack_log(RC_COMMENT, " ldapbase: '%s'", ca->ldapbase);
}
if (ca->ocspuri)
{
whack_log(RC_COMMENT, " ocspuri: '%s'", ca->ocspuri);
}
list_distribution_points(ca->crluris);
if (ca->authKeyID.ptr)
{
whack_log(RC_COMMENT, " authkey: %#B", &ca->authKeyID);
}
ca = ca->next;
}
}

58
src/pluto/ca.h
View File

@ -1,58 +0,0 @@
/* Certification Authority (CA) support for IKE authentication
* Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef _CA_H
#define _CA_H
#include <utils/linked_list.h>
#include <utils/identification.h>
#include "certs.h"
#include "whack.h"
/* CA info structures */
typedef struct ca_info ca_info_t;
struct ca_info {
ca_info_t *next;
char *name;
identification_t *authName;
chunk_t authKeyID;
char *ldaphost;
char *ldapbase;
char *ocspuri;
linked_list_t *crluris;
bool strictcrlpolicy;
};
extern bool trusted_ca(identification_t *a, identification_t *b, int *pathlen);
extern bool match_requested_ca(linked_list_t *requested_ca,
identification_t *our_ca, int *our_pathlen);
extern cert_t* get_authcert(identification_t *subject, chunk_t keyid,
x509_flag_t auth_flags);
extern void load_authcerts(char *type, char *path, x509_flag_t auth_flags);
extern cert_t* add_authcert(cert_t *cert, x509_flag_t auth_flags);
extern void free_authcerts(void);
extern void list_authcerts(const char *caption, x509_flag_t auth_flags, bool utc);
extern bool trust_authcert_candidate(const cert_t *cert, const cert_t *alt_chain);
extern ca_info_t* get_ca_info(identification_t *name, chunk_t keyid);
extern bool find_ca_info_by_name(const char *name, bool delete);
extern void add_ca_info(const whack_message_t *msg);
extern void delete_ca_info(const char *name);
extern void free_ca_infos(void);
extern void list_ca_infos(bool utc);
#endif /* _CA_H */

268
src/pluto/certs.c
View File

@ -1,268 +0,0 @@
/* Certificate support for IKE authentication
* Copyright (C) 2002-2009 Andreas Steffen
*
* HSR - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <time.h>
#include <freeswan.h>
#include <library.h>
#include <asn1/asn1.h>
#include <credentials/certificates/certificate.h>
#include <credentials/certificates/pgp_certificate.h>
#include "constants.h"
#include "defs.h"
#include "log.h"
#include "certs.h"
#include "whack.h"
#include "fetch.h"
#include "keys.h"
#include "builder.h"
/**
* Initialization
*/
const cert_t cert_empty = {
NULL , /* cert */
NULL , /* *next */
0 , /* count */
FALSE /* smartcard */
};
/**
* Chained lists of X.509 and PGP end entity certificates
*/
static cert_t *certs = NULL;
/**
* Free a pluto certificate
*/
void cert_free(cert_t *cert)
{
if (cert)
{
certificate_t *certificate = cert->cert;
if (certificate)
{
certificate->destroy(certificate);
}
free(cert);
}
}
/**
* Add a pluto end entity certificate to the chained list
*/
cert_t* cert_add(cert_t *cert)
{
certificate_t *certificate = cert->cert;
cert_t *c;
lock_certs_and_keys("cert_add");
for (c = certs; c != NULL; c = c->next)
{
if (certificate->equals(certificate, c->cert))
{ /* already in chain, free cert */
unlock_certs_and_keys("cert_add");
cert_free(cert);
return c;
}
}
/* insert new cert at the root of the chain */
cert->next = certs;
certs = cert;
DBG(DBG_CONTROL | DBG_PARSING,
DBG_log(" cert inserted")
)
unlock_certs_and_keys("cert_add");
return cert;
}
/**
* Loads a X.509 or OpenPGP certificate
*/
cert_t* load_cert(char *filename, const char *label, x509_flag_t flags)
{
cert_t *cert;
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT,
BUILD_FROM_FILE, filename,
BUILD_X509_FLAG, flags,
BUILD_END);
if (cert)
{
plog(" loaded %s certificate from '%s'", label, filename);
}
return cert;
}
/**
* Loads a host certificate
*/
cert_t* load_host_cert(char *filename)
{
char *path = concatenate_paths(HOST_CERT_PATH, filename);
return load_cert(path, "host", X509_NONE);
}
/**
* Loads a CA certificate
*/
cert_t* load_ca_cert(char *filename)
{
char *path = concatenate_paths(CA_CERT_PATH, filename);
return load_cert(path, "CA", X509_NONE);
}
/**
* for each link pointing to the certificate increase the count by one
*/
void cert_share(cert_t *cert)
{
if (cert != NULL)
{
cert->count++;
}
}
/* release of a certificate decreases the count by one
* the certificate is freed when the counter reaches zero
*/
void cert_release(cert_t *cert)
{
if (cert && --cert->count == 0)
{
cert_t **pp = &certs;
while (*pp != cert)
{
pp = &(*pp)->next;
}
*pp = cert->next;
cert_free(cert);
}
}
/**
* Get a X.509 certificate with a given issuer found at a certain position
*/
cert_t* get_x509cert(identification_t *issuer, chunk_t keyid, cert_t *chain)
{
cert_t *cert = chain ? chain->next : certs;
while (cert)
{
certificate_t *certificate = cert->cert;
x509_t *x509 = (x509_t*)certificate;
chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
if (keyid.ptr ? same_keyid(keyid, authKeyID) :
certificate->has_issuer(certificate, issuer))
{
return cert;
}
cert = cert->next;
}
return NULL;
}
/**
* List all PGP end certificates in a chained list
*/
void list_pgp_end_certs(bool utc)
{
cert_t *cert = certs;
time_t now = time(NULL);
bool first = TRUE;
while (cert != NULL)
{
certificate_t *certificate = cert->cert;
if (certificate->get_type(certificate) == CERT_GPG)
{
time_t created, until;
public_key_t *key;
identification_t *userid = certificate->get_subject(certificate);
pgp_certificate_t *pgp_cert = (pgp_certificate_t*)certificate;
chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
if (first)
{
whack_log(RC_COMMENT, " ");
whack_log(RC_COMMENT, "List of PGP End Entity Certificates:");
first = false;
}
whack_log(RC_COMMENT, " ");
whack_log(RC_COMMENT, " userid: '%Y'", userid);
whack_log(RC_COMMENT, " digest: %#B", &fingerprint);
/* list validity */
certificate->get_validity(certificate, &now, &created, &until);
whack_log(RC_COMMENT, " created: %T", &created, utc);
whack_log(RC_COMMENT, " until: %T %s%s", &until, utc,
check_expiry(until, CA_CERT_WARNING_INTERVAL, TRUE),
(until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
key = certificate->get_public_key(certificate);
if (key)
{
chunk_t keyid;
whack_log(RC_COMMENT, " pubkey: %N %4d bits%s",
key_type_names, key->get_type(key),
key->get_keysize(key),
has_private_key(cert)? ", has private key" : "");
if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid))
{
whack_log(RC_COMMENT, " keyid: %#B", &keyid);
}
if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &keyid))
{
whack_log(RC_COMMENT, " subjkey: %#B", &keyid);
}
}
}
cert = cert->next;
}
}
/**
* List all X.509 end certificates in a chained list
*/
void list_x509_end_certs(bool utc)
{
list_x509cert_chain("End Entity", certs, X509_NONE, utc);
}
/**
* list all X.509 and OpenPGP end certificates
*/
void cert_list(bool utc)
{
list_x509_end_certs(utc);
list_pgp_end_certs(utc);
}

80
src/pluto/certs.h
View File

@ -1,80 +0,0 @@
/* Certificate support for IKE authentication
* Copyright (C) 2002-2009 Andreas Steffen
*
* HSR - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef _CERTS_H
#define _CERTS_H
#include <credentials/keys/private_key.h>
#include <credentials/certificates/certificate.h>
#include <credentials/certificates/x509.h>
#include <freeswan.h>
#include "defs.h"
/* path definitions for private keys, end certs,
* cacerts, attribute certs and crls
*/
#define PRIVATE_KEY_PATH IPSEC_CONFDIR "/ipsec.d/private"
#define HOST_CERT_PATH IPSEC_CONFDIR "/ipsec.d/certs"
#define CA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/cacerts"
#define A_CERT_PATH IPSEC_CONFDIR "/ipsec.d/acerts"
#define AA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/aacerts"
#define OCSP_CERT_PATH IPSEC_CONFDIR "/ipsec.d/ocspcerts"
#define CRL_PATH IPSEC_CONFDIR "/ipsec.d/crls"
#define REQ_PATH IPSEC_CONFDIR "/ipsec.d/reqs"
/* advance warning of imminent expiry of
* cacerts, public keys, and crls
*/
#define CA_CERT_WARNING_INTERVAL 30 /* days */
#define OCSP_CERT_WARNING_INTERVAL 30 /* days */
#define PUBKEY_WARNING_INTERVAL 7 /* days */
#define CRL_WARNING_INTERVAL 7 /* days */
#define ACERT_WARNING_INTERVAL 1 /* day */
/* access structure for a pluto certificate */
typedef struct cert_t cert_t;
struct cert_t {
certificate_t *cert;
cert_t *next;
int count;
bool smartcard;
};
/* used for initialization */
extern const cert_t cert_empty;
/* do not send certificate requests
* flag set in plutomain.c and used in ipsec_doi.c
*/
extern bool no_cr_send;
extern cert_t* load_cert(char *filename, const char *label, x509_flag_t flags);
extern cert_t* load_host_cert(char *filename);
extern cert_t* load_ca_cert(char *filename);
extern cert_t* cert_add(cert_t *cert);
extern void cert_free(cert_t *cert);
extern void cert_share(cert_t *cert);
extern void cert_release(cert_t *cert);
extern void cert_list(bool utc);
extern cert_t* get_x509cert(identification_t *issuer, chunk_t keyid, cert_t* chain);
#endif /* _CERTS_H */

4507
src/pluto/connections.c
View File

File diff suppressed because it is too large Load Diff

366
src/pluto/connections.h
View File

@ -1,366 +0,0 @@
/* information about connections between hosts and clients
* Copyright (C) 1998-2001 D. Hugh Redelmeier
* Copyright (C) 2009-2010 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef _CONNECTIONS_H
#define _CONNECTIONS_H
#include <sys/queue.h>
#include <utils/host.h>
#include <utils/linked_list.h>
#include <utils/identification.h>
#include <credentials/ietf_attributes/ietf_attributes.h>
#include "certs.h"
#include "smartcard.h"
#include "whack.h"
/* There are two kinds of connections:
* - ISAKMP connections, between hosts (for IKE communication)
* - IPsec connections, between clients (for secure IP communication)
*
* An ISAKMP connection looks like:
* host<--->host
*
* An IPsec connection looks like:
* client-subnet<-->host<->nexthop<--->nexthop<->host<-->client-subnet
*
* For the connection to be relevant to this instance of Pluto,
* exactly one of the hosts must be a public interface of our machine
* known to this instance.
*
* The client subnet might simply be the host -- this is a
* representation of "host mode".
*
* Each nexthop defaults to the neighbouring host's IP address.
* The nexthop is a property of the pair of hosts, not each
* individually. It is only needed for IPsec because of the
* way IPsec is mixed into the kernel routing logic. Furthermore,
* only this end's nexthop is actually used. Eventually, nexthop
* will be unnecessary.
*
* Other information represented:
* - each connection has a name: a chunk of uninterpreted text
* that is unique for each connection.
* - security requirements (currently just the "policy" flags from
* the whack command to initiate the connection, but eventually
* much more. Different for ISAKMP and IPsec connections.
* - rekeying parameters:
* + time an SA may live
* + time before SA death that a rekeying should be attempted
* (only by the initiator)
* + number of times to attempt rekeying
* - With the current KLIPS, we must route packets for a client
* subnet through the ipsec interface (ipsec0). Only one
* gateway can get traffic for a specific (client) subnet.
* Furthermore, if the routing isn't in place, packets will
* be sent in the clear.
* "routing" indicates whether the routing has been done for
* this connection. Note that several connections may claim
* the same routing, as long as they agree about where the
* packets are to be sent.
* - With the current KLIPS, only one outbound IPsec SA bundle can be
* used for a particular client. This is due to a limitation
* of using only routing for selection. So only one IPsec state (SA)
* may "own" the eroute. "eroute_owner" is the serial number of
* this state, SOS_NOBODY if there is none. "routing" indicates
* what kind of erouting has been done for this connection, if any.
*
* Details on routing is in constants.h
*
* Operations on Connections:
*
* - add a new connection (with all details) [whack command]
* - delete a connection (by name) [whack command]
* - initiate a connection (by name) [whack command]
* - find a connection (by IP addresses of hosts)
* [response to peer request; finding ISAKMP connection for IPsec connection]
*
* Some connections are templates, missing the address of the peer
* (represented by INADDR_ANY). These are always arranged so that the
* missing end is "that" (there can only be one missing end). These can
* be instantiated (turned into real connections) by Pluto in one of two
* different ways: Road Warrior Instantiation or Opportunistic
* Instantiation. A template connection is marked for Opportunistic
* Instantiation by specifying the peer client as 0.0.0.0/32 (or the IPV6
* equivalent). Otherwise, it is suitable for Road Warrior Instantiation.
*
* Instantiation creates a new temporary connection, with the missing
* details filled in. The resulting template lasts only as long as there
* is a state that uses it.
*/
/* connection policy priority: how important this policy is
* - used to implement eroute-like precedence (augmented by a small
* bonus for a routed connection).
* - a whole number
* - larger is more important
* - three subcomponents. In order of decreasing significance:
* + length of source subnet mask (8 bits)
* + length of destination subnet mask (8 bits)
* + bias (8 bit)
* - a bias of 1 is added to allow prio BOTTOM_PRIO to be less than all
* normal priorities
* - other bias values are created on the fly to give mild preference
* to certaion conditions (eg. routedness)
* - priority is inherited -- an instance of a policy has the same priority
* as the original policy, even though its subnets might be smaller.
* - display format: n,m
*/
typedef unsigned long policy_prio_t;
#define BOTTOM_PRIO ((policy_prio_t)0) /* smaller than any real prio */
#define set_policy_prio(c) { (c)->prio = \
((policy_prio_t)(c)->spd.this.client.maskbits << 16) \
| ((policy_prio_t)(c)->spd.that.client.maskbits << 8) \
| (policy_prio_t)1; }
#define POLICY_PRIO_BUF (3+1+3+1)
extern void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]);
struct virtual_t;
struct end {
identification_t *id;
ip_address host_addr, host_nexthop;
host_t *host_srcip;
ip_subnet client;
bool is_left;
bool key_from_DNS_on_demand;
bool has_client;
bool has_client_wildcard;
bool has_port_wildcard;
bool has_id_wildcards;
bool has_natip;
char *updown;
u_int16_t host_port; /* host order */
u_int16_t port; /* host order */
u_int8_t protocol;
cert_t *cert; /* end certificate */
identification_t *ca; /* CA distinguished name */
ietf_attributes_t *groups; /* access control groups */
smartcard_t *sc; /* smartcard reader and key info */
struct virtual_t *virt;
bool modecfg; /* this end: request local address from server */
/* that end: give local addresses to clients */
char *pool; /* name of an associated virtual IP address pool */
bool hostaccess; /* allow access to host via iptables INPUT/OUTPUT */
/* rules if client behind host is a subnet */
bool allow_any; /* IP address is subject to change */
certpolicy_t sendcert; /* whether or not to send the certificate */
};
struct spd_route {
struct spd_route *next;
struct end this;
struct end that;
so_serial_t eroute_owner;
enum routing_t routing; /* level of routing in place */
uint32_t reqid;
mark_t mark_in;
mark_t mark_out;
};
typedef struct connection connection_t;
struct connection {
char *name;
bool ikev1;
lset_t policy;
time_t sa_ike_life_seconds;
time_t sa_ipsec_life_seconds;
time_t sa_rekey_margin;
unsigned long sa_rekey_fuzz;
unsigned long sa_keying_tries;
identification_t *xauth_identity; /* XAUTH identity */
/* RFC 3706 DPD */
time_t dpd_delay;
time_t dpd_timeout;
dpd_action_t dpd_action;
char *log_file_name; /* name of log file */
FILE *log_file; /* possibly open FILE */
TAILQ_ENTRY(connection) log_link; /* linked list of open conns */
bool log_file_err; /* only bitch once */
struct spd_route spd;
/* internal fields: */
unsigned long instance_serial;
policy_prio_t prio;
bool instance_initiation_ok; /* this is an instance of a policy that mandates initiate */
enum connection_kind kind;
const struct iface *interface; /* filled in iff oriented */
so_serial_t /* state object serial number */
newest_isakmp_sa,
newest_ipsec_sa;
#ifdef DEBUG
lset_t extra_debugging;
#endif
/* note: if the client is the gateway, the following must be equal */
sa_family_t addr_family; /* between gateways */
sa_family_t tunnel_addr_family; /* between clients */
connection_t *policy_next; /* if multiple policies,
next one to apply */
struct gw_info *gw_info;
struct alg_info_esp *alg_info_esp;
struct alg_info_ike *alg_info_ike;
struct host_pair *host_pair;
connection_t *hp_next; /* host pair list link */
connection_t *ac_next; /* all connections list link */
linked_list_t *requested_ca; /* collected certificate requests */
linked_list_t *requested; /* requested attributes with handlers */
linked_list_t *attributes; /* configuration attributes with handlers */
bool got_certrequest;
};
#define oriented(c) ((c).interface != NULL)
extern bool orient(connection_t *c);
extern bool same_peer_ids(const connection_t *c, const connection_t *d,
identification_t *his_id);
/* Format the topology of a connection end, leaving out defaults.
* Largest left end looks like: client === host : port [ host_id ] --- hop
* Note: if that==NULL, skip nexthop
*/
#define END_BUF (SUBNETTOT_BUF + ADDRTOT_BUF + IDTOA_BUF + ADDRTOT_BUF + 10)
extern size_t format_end(char *buf, size_t buf_len, const struct end *this,
const struct end *that, bool is_left, lset_t policy);
extern void add_connection(const whack_message_t *wm);
extern void initiate_connection(const char *name, int whackfd);
extern void initiate_opportunistic(const ip_address *our_client,
const ip_address *peer_client,
int transport_proto, bool held, int whackfd);
extern void terminate_connection(const char *nm);
extern void release_connection(connection_t *c, bool relations);
extern void delete_connection(connection_t *c, bool relations);
extern void delete_connections_by_name(const char *name, bool strict);
extern void delete_every_connection(void);
extern char *add_group_instance(connection_t *group, const ip_subnet *target);
extern void remove_group_instance(const connection_t *group, const char *name);
extern void release_dead_interfaces(void);
extern void check_orientations(void);
extern connection_t *route_owner(connection_t *c, struct spd_route **srp,
connection_t **erop, struct spd_route **esrp);
extern connection_t *shunt_owner(const ip_subnet *ours, const ip_subnet *his);
extern bool uniqueIDs; /* --uniqueids? */
extern void ISAKMP_SA_established(connection_t *c, so_serial_t serial);
#define id_is_ipaddr(id) ((id)->get_type(id) == ID_IPV4_ADDR || \
(id)->get_type(id) == ID_IPV6_ADDR)
extern bool his_id_was_instantiated(const connection_t *c);
struct state; /* forward declaration of tag (defined in state.h) */
extern connection_t* con_by_name(const char *nm, bool strict);
extern connection_t* find_host_connection(const ip_address *me,
u_int16_t my_port,
const ip_address *him,
u_int16_t his_port, lset_t policy);
extern connection_t* refine_host_connection(const struct state *st,
identification_t *id,
identification_t *peer_ca);
extern connection_t* find_client_connection(connection_t *c,
const ip_subnet *our_net,
const ip_subnet *peer_net,
const u_int8_t our_protocol,
const u_int16_t out_port,
const u_int8_t peer_protocol,
const u_int16_t peer_port);
extern connection_t* find_connection_by_reqid(uint32_t reqid);
extern connection_t* find_connection_for_clients(struct spd_route **srp,
const ip_address *our_client,
const ip_address *peer_client,
int transport_proto);
extern void get_peer_ca_and_groups(connection_t *c,
identification_t **peer_ca,
ietf_attributes_t **peer_attributes);
/* instantiating routines
* Note: connection_discard() is in state.h because all its work
* is looking through state objects.
*/
struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
struct alg_info; /* forward declaration of tag (defined in alg_info.h) */
extern connection_t *rw_instantiate(connection_t *c,
const ip_address *him,
u_int16_t his_port,
const ip_subnet *his_net,
identification_t *his_id);
extern connection_t *oppo_instantiate(connection_t *c,
const ip_address *him,
identification_t *his_id,
struct gw_info *gw,
const ip_address *our_client,
const ip_address *peer_client);
extern connection_t
*build_outgoing_opportunistic_connection(struct gw_info *gw,
const ip_address *our_client,
const ip_address *peer_client);
#define CONN_INST_BUF BUF_LEN
extern void fmt_conn_instance(const connection_t *c, char buf[CONN_INST_BUF]);
/* operations on "pending", the structure representing Quick Mode
* negotiations delayed until a Keying Channel has been negotiated.
*/
struct pending; /* forward declaration (opaque outside connections.c) */
extern void add_pending(int whack_sock, struct state *isakmp_sa,
connection_t *c, lset_t policy, unsigned long try,
so_serial_t replacing);
extern void release_pending_whacks(struct state *st, err_t story);
extern void unpend(struct state *st);
extern void update_pending(struct state *os, struct state *ns);
extern void flush_pending_by_state(struct state *st);
extern void show_pending_phase2(const struct host_pair *hp, const struct state *st);
extern void connection_discard(connection_t *c);
/* A template connection's eroute can be eclipsed by
* either a %hold or an eroute for an instance iff
* the template is a /32 -> /32. This requires some special casing.
*/
#define eclipsable(sr) (subnetishost(&(sr)->this.client) && subnetishost(&(sr)->that.client))
extern long eclipse_count;
extern connection_t *eclipsed(connection_t *c, struct spd_route **);
/* print connection status */
extern void show_connections_status(bool all, const char *name);
extern int connection_compare(const connection_t *ca
, const connection_t *cb);
extern void update_host_pair(const char *why, connection_t *c
, const ip_address *myaddr, u_int16_t myport
, const ip_address *hisaddr, u_int16_t hisport);
#endif /* _CONNECTIONS_H */

1401
src/pluto/constants.c
View File

File diff suppressed because it is too large Load Diff

1099
src/pluto/constants.h
View File

File diff suppressed because it is too large Load Diff

73
src/pluto/cookie.c
View File

@ -1,73 +0,0 @@
/* cookie generation/verification routines.
* Copyright (C) 1997 Angelos D. Keromytis.
* Copyright (C) 1998-2002 D. Hugh Redelmeier.
* Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <freeswan.h>
#include <library.h>
#include <crypto/rngs/rng.h>
#include "constants.h"
#include "defs.h"
#include "cookie.h"
const u_char zero_cookie[COOKIE_SIZE]; /* guaranteed 0 */
/* Generate a cookie.
* First argument is true if we're to create an Initiator cookie.
* Length SHOULD be a multiple of sizeof(u_int32_t).
*/
void get_cookie(bool initiator, u_int8_t *cookie, int length, ip_address *addr)
{
hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
u_char buffer[HASH_SIZE_SHA1];
do {
if (initiator)
{
rng_t *rng;
rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
rng->get_bytes(rng, length, cookie);
rng->destroy(rng);
}
else /* Responder cookie */
{
chunk_t addr_chunk, secret_chunk, counter_chunk;
size_t addr_len;
static u_int32_t counter = 0;
unsigned char addr_buf[
sizeof(union {struct in_addr A; struct in6_addr B;})];
addr_len = addrbytesof(addr, addr_buf, sizeof(addr_buf));
addr_chunk = chunk_create(addr_buf, addr_len);
secret_chunk = chunk_create(secret_of_the_day, HASH_SIZE_SHA1);
counter++;
counter_chunk = chunk_create((void *) &counter, sizeof(counter));
hasher->get_hash(hasher, addr_chunk, NULL);
hasher->get_hash(hasher, secret_chunk, NULL);
hasher->get_hash(hasher, counter_chunk, buffer);
memcpy(cookie, buffer, length);
}
} while (is_zero_cookie(cookie)); /* probably never loops */
hasher->destroy(hasher);
}

22
src/pluto/cookie.h
View File

@ -1,22 +0,0 @@
/* cookie generation/verification routines.
* Copyright (C) 1998-2002 D. Hugh Redelmeier.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <freeswan.h>
extern const u_char zero_cookie[COOKIE_SIZE]; /* guaranteed 0 */
extern void get_cookie(bool initiator, u_int8_t *cookie, int length,
ip_address *addr);
#define is_zero_cookie(cookie) all_zero((cookie), COOKIE_SIZE)

541
src/pluto/crl.c
View File

@ -1,541 +0,0 @@
/* Support of X.509 certificate revocation lists (CRLs)
* Copyright (C) 2000-2009 Andreas Steffen
*
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <dirent.h>
#include <time.h>
#include <sys/types.h>
#include <freeswan.h>
#include "constants.h"
#include "defs.h"
#include "log.h"
#include "x509.h"
#include "crl.h"
#include "ca.h"
#include "certs.h"
#include "keys.h"
#include "whack.h"
#include "fetch.h"
#include "builder.h"
/* chained lists of X.509 crls */
static x509crl_t *x509crls = NULL;
/**
* Get the X.509 CRL with a given issuer
*/
static x509crl_t* get_x509crl(identification_t *issuer, chunk_t keyid)
{
x509crl_t *x509crl = x509crls;
x509crl_t *prev_crl = NULL;
while (x509crl != NULL)
{
certificate_t *cert_crl = x509crl->crl;
crl_t *crl = (crl_t*)cert_crl;
identification_t *crl_issuer = cert_crl->get_issuer(cert_crl);
chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
if ((keyid.ptr && authKeyID.ptr)? same_keyid(keyid, authKeyID) :
issuer->equals(issuer, crl_issuer))
{
if (x509crl != x509crls)
{
/* bring the CRL up front */
prev_crl->next = x509crl->next;
x509crl->next = x509crls;
x509crls = x509crl;
}
return x509crl;
}
prev_crl = x509crl;
x509crl = x509crl->next;
}
return NULL;
}
/**
* Free the dynamic memory used to store CRLs
*/
void free_crl(x509crl_t *crl)
{
DESTROY_IF(crl->crl);
crl->distributionPoints->destroy_function(crl->distributionPoints, free);
free(crl);
}
static void free_first_crl(void)
{
x509crl_t *crl = x509crls;
x509crls = crl->next;
free_crl(crl);
}
void free_crls(void)
{
lock_crl_list("free_crls");
while (x509crls != NULL)
{
free_first_crl();
}
unlock_crl_list("free_crls");
}
/**
* Insert X.509 CRL into chained list
*/
bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
{
certificate_t *cert_crl = x509crl->crl;
crl_t *crl = (crl_t*)cert_crl;
identification_t *issuer = cert_crl->get_issuer(cert_crl);
chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
cert_t *issuer_cert;
x509crl_t *oldcrl;
time_t now, nextUpdate;
bool valid_sig;
/* add distribution point */
add_distribution_point(x509crl->distributionPoints, crl_uri);
lock_authcert_list("insert_crl");
/* get the issuer cacert */
issuer_cert = get_authcert(issuer, authKeyID, X509_CA);
if (issuer_cert == NULL)
{
plog("crl issuer cacert not found");
free_crl(x509crl);
unlock_authcert_list("insert_crl");
return FALSE;
}
DBG(DBG_CONTROL,
DBG_log("crl issuer cacert found")
)
/* check the issuer's signature of the crl */
valid_sig = cert_crl->issued_by(cert_crl, issuer_cert->cert);
unlock_authcert_list("insert_crl");
if (!valid_sig)
{
free_crl(x509crl);
return FALSE;
}
DBG(DBG_CONTROL,
DBG_log("crl signature is valid")
)
/* note the current time */
time(&now);
lock_crl_list("insert_crl");
oldcrl = get_x509crl(issuer, authKeyID);
if (oldcrl != NULL)
{
certificate_t *old_cert_crl = oldcrl->crl;
if (crl_is_newer((crl_t*)cert_crl, (crl_t*)old_cert_crl))
{
/* keep any known CRL distribution points */
add_distribution_points(x509crl->distributionPoints,
oldcrl->distributionPoints);
/* now delete the old CRL */
free_first_crl();
DBG(DBG_CONTROL,
DBG_log("thisUpdate is newer - existing crl deleted")
)
}
else
{
unlock_crl_list("insert_crls");
DBG(DBG_CONTROL,
DBG_log("thisUpdate is not newer - existing crl not replaced");
)
free_crl(x509crl);
old_cert_crl->get_validity(old_cert_crl, &now, NULL, &nextUpdate);
return nextUpdate - now > 2*crl_check_interval;
}
}
/* insert new CRL */
x509crl->next = x509crls;
x509crls = x509crl;
unlock_crl_list("insert_crl");
/* If crl caching is enabled then the crl is saved locally.
* Only http or ldap URIs are cached but not local file URIs.
* The CRL's authorityKeyIdentifier is used as a unique filename
*/
if (cache_crl && strncasecmp(crl_uri, "file", 4) != 0)
{
char buf[BUF_LEN];
chunk_t hex, encoding;
hex = chunk_to_hex(crl->get_authKeyIdentifier(crl), NULL, FALSE);
snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex.ptr);
free(hex.ptr);
if (cert_crl->get_encoding(cert_crl, CERT_ASN1_DER, &encoding))
{
chunk_write(encoding, buf, "crl", 022, TRUE);
free(encoding.ptr);
}
}
/* is the fetched crl valid? */
cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate);
return nextUpdate - now > 2*crl_check_interval;
}
/**
* Loads CRLs
*/
void load_crls(void)
{
struct dirent **filelist;
u_char buf[BUF_LEN];
u_char *save_dir;
int n;
/* change directory to specified path */
save_dir = getcwd(buf, BUF_LEN);
if (chdir(CRL_PATH))
{
plog("Could not change to directory '%s'", CRL_PATH);
}
else
{
plog("Changing to directory '%s'", CRL_PATH);
n = scandir(CRL_PATH, &filelist, file_select, alphasort);
if (n < 0)
plog(" scandir() error");
else
{
while (n--)
{
char *filename = filelist[n]->d_name;
x509crl_t *x509crl;
x509crl = lib->creds->create(lib->creds, CRED_CERTIFICATE,
CERT_PLUTO_CRL,
BUILD_FROM_FILE, filename, BUILD_END);
if (x509crl)
{
char crl_uri[BUF_LEN];
plog(" loaded crl from '%s'", filename);
snprintf(crl_uri, BUF_LEN, "file://%s/%s", CRL_PATH, filename);
insert_crl(x509crl, crl_uri, FALSE);
}
free(filelist[n]);
}
free(filelist);
}
}
/* restore directory path */
ignore_result(chdir(save_dir));
}
/* Checks if the current certificate is revoked. It goes through the
* list of revoked certificates of the corresponding crl. Either the
* status CERT_GOOD or CERT_REVOKED is returned
*/
static cert_status_t check_revocation(crl_t *crl, chunk_t cert_serial,
time_t *revocationDate,
crl_reason_t *revocationReason)
{
enumerator_t *enumerator;
cert_status_t status;
chunk_t serial;
DBG(DBG_CONTROL,
DBG_log("serial number: %#B", &cert_serial)
)
*revocationDate = UNDEFINED_TIME;
*revocationReason = CRL_REASON_UNSPECIFIED;
status = CERT_GOOD;
enumerator = crl->create_enumerator(crl);
while (enumerator->enumerate(enumerator, &serial,
revocationDate, revocationReason))
{
if (chunk_equals(serial, cert_serial))
{
status = CERT_REVOKED;
break;
}
}
enumerator->destroy(enumerator);
return status;
}
/*
* check if any crls are about to expire
*/
void check_crls(void)
{
x509crl_t *x509crl;
time_t now, nextUpdate, time_left;
lock_crl_list("check_crls");
time(&now);
x509crl = x509crls;
while (x509crl != NULL)
{
certificate_t *cert_crl = x509crl->crl;
crl_t *crl = (crl_t*)cert_crl;
identification_t *issuer = cert_crl->get_issuer(cert_crl);
chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate);
time_left = nextUpdate - now;
DBG(DBG_CONTROL,
DBG_log("issuer: '%Y'", issuer);
if (authKeyID.ptr)
{
DBG_log("authkey: %#B", &authKeyID);
}
DBG_log("%ld seconds left", time_left)
)
if (time_left < 2*crl_check_interval)
{
fetch_req_t *req = build_crl_fetch_request(issuer, authKeyID,
x509crl->distributionPoints);
add_crl_fetch_request(req);
}
x509crl = x509crl->next;
}
unlock_crl_list("check_crls");
}
/*
* verify if a cert hasn't been revoked by a crl
*/
cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
crl_reason_t *revocationReason)
{
certificate_t *certificate = cert->cert;
x509_t *x509 = (x509_t*)certificate;
identification_t *issuer = certificate->get_issuer(certificate);
chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
x509crl_t *x509crl;
ca_info_t *ca;
enumerator_t *enumerator;
x509_cdp_t *cdp;
ca = get_ca_info(issuer, authKeyID);
*revocationDate = UNDEFINED_TIME;
*revocationReason = CRL_REASON_UNSPECIFIED;
lock_crl_list("verify_by_crl");
x509crl = get_x509crl(issuer, authKeyID);
if (x509crl == NULL)
{
linked_list_t *crluris;
unlock_crl_list("verify_by_crl");
plog("crl not found");
crluris = linked_list_create();
if (ca)
{
add_distribution_points(crluris, ca->crluris);
}
enumerator = x509->create_crl_uri_enumerator(x509);
while (enumerator->enumerate(enumerator, &cdp))
{
add_distribution_point(crluris, cdp->uri);
}
enumerator->destroy(enumerator);
if (crluris->get_count(crluris) > 0)
{
fetch_req_t *req;
req = build_crl_fetch_request(issuer, authKeyID, crluris);
crluris->destroy_function(crluris, free);
add_crl_fetch_request(req);
wake_fetch_thread("verify_by_crl");
return CERT_UNKNOWN;
}
else
{
crluris->destroy(crluris);
return CERT_UNDEFINED;
}
}
else
{
certificate_t *cert_crl = x509crl->crl;
crl_t *crl = (crl_t*)cert_crl;
chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
cert_t *issuer_cert;
bool trusted, valid;
DBG(DBG_CONTROL,
DBG_log("crl found")
)
if (ca)
{
add_distribution_points(x509crl->distributionPoints, ca->crluris);
}
enumerator = x509->create_crl_uri_enumerator(x509);
while (enumerator->enumerate(enumerator, &cdp))
{
add_distribution_point(x509crl->distributionPoints, cdp->uri);
}
enumerator->destroy(enumerator);
lock_authcert_list("verify_by_crl");
issuer_cert = get_authcert(issuer, authKeyID, X509_CA);
trusted = issuer_cert ? cert_crl->issued_by(cert_crl, issuer_cert->cert)
: FALSE;
unlock_authcert_list("verify_by_crl");
if (trusted)
{
cert_status_t status;
DBG(DBG_CONTROL,
DBG_log("crl signature is valid")
)
/* return the expiration date */
valid = cert_crl->get_validity(cert_crl, NULL, NULL, until);
/* has the certificate been revoked? */
status = check_revocation(crl, x509->get_serial(x509), revocationDate
, revocationReason);
if (valid)
{
unlock_crl_list("verify_by_crl");
DBG(DBG_CONTROL,
DBG_log("crl is valid: until %T", until, FALSE)
)
}
else
{
fetch_req_t *req;
DBG(DBG_CONTROL,
DBG_log("crl is stale: since %T", until, FALSE)
)
/* try to fetch a crl update */
req = build_crl_fetch_request(issuer, authKeyID,
x509crl->distributionPoints);
unlock_crl_list("verify_by_crl");
add_crl_fetch_request(req);
wake_fetch_thread("verify_by_crl");
}
return status;
}
else
{
unlock_crl_list("verify_by_crl");
plog("crl signature is invalid");
return CERT_UNKNOWN;
}
}
}
/*
* list all X.509 crls in the chained list
*/
void list_crls(bool utc, bool strict)
{
x509crl_t *x509crl;
lock_crl_list("list_crls");
x509crl = x509crls;
if (x509crl)
{
whack_log(RC_COMMENT, " ");
whack_log(RC_COMMENT, "List of X.509 CRLs:");
}
while (x509crl)
{
certificate_t *cert_crl = x509crl->crl;
crl_t *crl = (crl_t*)cert_crl;
chunk_t serial, authKeyID;
time_t thisUpdate, nextUpdate;
u_int revoked = 0;
enumerator_t *enumerator;
whack_log(RC_COMMENT, " ");
whack_log(RC_COMMENT, " issuer: \"%Y\"",
cert_crl->get_issuer(cert_crl));
serial = chunk_skip_zero(crl->get_serial(crl));
if (serial.ptr)
{
whack_log(RC_COMMENT, " serial: %#B", &serial);
}
/* count number of revoked certificates in CRL */
enumerator = crl->create_enumerator(crl);
while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
{
revoked++;
}
enumerator->destroy(enumerator);
whack_log(RC_COMMENT, " revoked: %d certificates", revoked);
list_distribution_points(x509crl->distributionPoints);
cert_crl->get_validity(cert_crl, NULL, &thisUpdate, &nextUpdate);
whack_log(RC_COMMENT, " updates: this %T", &thisUpdate, utc);
whack_log(RC_COMMENT, " next %T %s", &nextUpdate, utc,
check_expiry(nextUpdate, CRL_WARNING_INTERVAL, strict));
authKeyID = crl->get_authKeyIdentifier(crl);
if (authKeyID.ptr)
{
whack_log(RC_COMMENT, " authkey: %#B", &authKeyID);
}
x509crl = x509crl->next;
}
unlock_crl_list("list_crls");
}

53
src/pluto/crl.h
View File

@ -1,53 +0,0 @@
/* Support of X.509 certificate revocation lists (CRLs)
* Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "constants.h"
#include <utils/linked_list.h>
#include <credentials/certificates/certificate.h>
#include <credentials/certificates/crl.h>
/* storage structure for an X.509 CRL */
typedef struct x509crl x509crl_t;
struct x509crl {
certificate_t *crl;
x509crl_t *next;
linked_list_t *distributionPoints;
};
/* apply a strict CRL policy
* flag set in plutomain.c and used in ipsec_doi.c and rcv_whack.c
*/
extern bool strict_crl_policy;
/*
* cache the retrieved CRLs by storing them locally as a file
*/
extern bool cache_crls;
/*
* check periodically for expired crls
*/
extern long crl_check_interval;
extern void load_crls(void);
extern void check_crls(void);
extern bool insert_crl(x509crl_t *crl, char *crl_uri, bool cache_crl);
extern cert_status_t verify_by_crl(cert_t *cert, time_t *until,
time_t *revocationDate,
crl_reason_t *revocationReason);
extern void list_crls(bool utc, bool strict);
extern void free_crls(void);
extern void free_crl(x509crl_t *crl);

698
src/pluto/crypto.c
View File

@ -1,698 +0,0 @@
/* crypto interfaces
*
* Copyright (C) 2010 Tobias Brunner
* Copyright (C) 2007-2009 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
* Copyright (C) 1998-2001 D. Hugh Redelmeier
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <freeswan.h>
#include "constants.h"
#include "defs.h"
#include "crypto.h"
#include "log.h"
static struct encrypt_desc encrypt_desc_3des =
{
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_3DES_CBC,
plugin_name: NULL,
algo_next: NULL,
enc_blocksize: DES_BLOCK_SIZE,
keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
keymaxlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
};
#define AES_KEY_MIN_LEN 128
#define AES_KEY_DEF_LEN 128
#define AES_KEY_MAX_LEN 256
static struct encrypt_desc encrypt_desc_aes =
{
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_AES_CBC,
plugin_name: NULL,
algo_next: NULL,
enc_blocksize: AES_BLOCK_SIZE,
keyminlen: AES_KEY_MIN_LEN,
keydeflen: AES_KEY_DEF_LEN,
keymaxlen: AES_KEY_MAX_LEN,
};
#define CAMELLIA_KEY_MIN_LEN 128
#define CAMELLIA_KEY_DEF_LEN 128
#define CAMELLIA_KEY_MAX_LEN 256
static struct encrypt_desc encrypt_desc_camellia =
{
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_CAMELLIA_CBC,
plugin_name: NULL,
algo_next: NULL,
enc_blocksize: CAMELLIA_BLOCK_SIZE,
keyminlen: CAMELLIA_KEY_MIN_LEN,
keydeflen: CAMELLIA_KEY_DEF_LEN,
keymaxlen: CAMELLIA_KEY_MAX_LEN,
};
#define BLOWFISH_KEY_MIN_LEN 128
#define BLOWFISH_KEY_MAX_LEN 448
static struct encrypt_desc encrypt_desc_blowfish =
{
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_BLOWFISH_CBC,
plugin_name: NULL,
algo_next: NULL,
enc_blocksize: BLOWFISH_BLOCK_SIZE,
keyminlen: BLOWFISH_KEY_MIN_LEN,
keydeflen: BLOWFISH_KEY_MIN_LEN,
keymaxlen: BLOWFISH_KEY_MAX_LEN,
};
#define SERPENT_KEY_MIN_LEN 128
#define SERPENT_KEY_DEF_LEN 128
#define SERPENT_KEY_MAX_LEN 256
static struct encrypt_desc encrypt_desc_serpent =
{
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_SERPENT_CBC,
plugin_name: NULL,
algo_next: NULL,
enc_blocksize: SERPENT_BLOCK_SIZE,
keyminlen: SERPENT_KEY_MIN_LEN,
keydeflen: SERPENT_KEY_DEF_LEN,
keymaxlen: SERPENT_KEY_MAX_LEN,
};
#define TWOFISH_KEY_MIN_LEN 128
#define TWOFISH_KEY_DEF_LEN 128
#define TWOFISH_KEY_MAX_LEN 256
static struct encrypt_desc encrypt_desc_twofish =
{
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_TWOFISH_CBC,
plugin_name: NULL,
algo_next: NULL,
enc_blocksize: TWOFISH_BLOCK_SIZE,
keydeflen: TWOFISH_KEY_MIN_LEN,
keyminlen: TWOFISH_KEY_DEF_LEN,
keymaxlen: TWOFISH_KEY_MAX_LEN,
};
static struct encrypt_desc encrypt_desc_twofish_ssh =
{
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_TWOFISH_CBC_SSH,
plugin_name: NULL,
algo_next: NULL,
enc_blocksize: TWOFISH_BLOCK_SIZE,
keydeflen: TWOFISH_KEY_MIN_LEN,
keyminlen: TWOFISH_KEY_DEF_LEN,
keymaxlen: TWOFISH_KEY_MAX_LEN,
};
static struct hash_desc hash_desc_md5 =
{
algo_type: IKE_ALG_HASH,
algo_id: OAKLEY_MD5,
plugin_name: NULL,
algo_next: NULL,
hash_digest_size: HASH_SIZE_MD5,
};
static struct hash_desc hash_desc_sha1 =
{
algo_type: IKE_ALG_HASH,
algo_id: OAKLEY_SHA,
plugin_name: NULL,
algo_next: NULL,
hash_digest_size: HASH_SIZE_SHA1,
};
static struct hash_desc hash_desc_sha2_256 = {
algo_type: IKE_ALG_HASH,
algo_id: OAKLEY_SHA2_256,
plugin_name: NULL,
algo_next: NULL,
hash_digest_size: HASH_SIZE_SHA256,
};
static struct hash_desc hash_desc_sha2_384 = {
algo_type: IKE_ALG_HASH,
algo_id: OAKLEY_SHA2_384,
plugin_name: NULL,
algo_next: NULL,
hash_digest_size: HASH_SIZE_SHA384,
};
static struct hash_desc hash_desc_sha2_512 = {
algo_type: IKE_ALG_HASH,
algo_id: OAKLEY_SHA2_512,
plugin_name: NULL,
algo_next: NULL,
hash_digest_size: HASH_SIZE_SHA512,
};
const struct dh_desc unset_group = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: MODP_NONE,
plugin_name: NULL,
algo_next: NULL,
ke_size: 0
};
static struct dh_desc dh_desc_modp_1024 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: MODP_1024_BIT,
plugin_name: NULL,
algo_next: NULL,
ke_size: 1024 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_modp_1536 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: MODP_1536_BIT,
plugin_name: NULL,
algo_next: NULL,
ke_size: 1536 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_modp_2048 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: MODP_2048_BIT,
algo_next: NULL,
ke_size: 2048 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_modp_3072 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: MODP_3072_BIT,
plugin_name: NULL,
algo_next: NULL,
ke_size: 3072 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_modp_4096 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: MODP_4096_BIT,
plugin_name: NULL,
algo_next: NULL,
ke_size: 4096 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_modp_6144 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: MODP_6144_BIT,
plugin_name: NULL,
algo_next: NULL,
ke_size: 6144 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_modp_8192 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: MODP_8192_BIT,
plugin_name: NULL,
algo_next: NULL,
ke_size: 8192 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_ecp_256 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: ECP_256_BIT,
plugin_name: NULL,
algo_next: NULL,
ke_size: 2*256 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_ecp_384 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: ECP_384_BIT,
plugin_name: NULL,
algo_next: NULL,
ke_size: 2*384 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_ecp_521 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: ECP_521_BIT,
plugin_name: NULL,
algo_next: NULL,
ke_size: 2*528 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_modp_1024_160 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: MODP_1024_160,
plugin_name: NULL,
algo_next: NULL,
ke_size: 1024 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_modp_2048_224 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: MODP_2048_224,
plugin_name: NULL,
algo_next: NULL,
ke_size: 2048 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_modp_2048_256 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: MODP_2048_256,
plugin_name: NULL,
algo_next: NULL,
ke_size: 2048 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_ecp_192 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: ECP_192_BIT,
plugin_name: NULL,
algo_next: NULL,
ke_size: 2*192 / BITS_PER_BYTE
};
static struct dh_desc dh_desc_ecp_224 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: ECP_224_BIT,
plugin_name: NULL,
algo_next: NULL,
ke_size: 2*224 / BITS_PER_BYTE
};
bool init_crypto(void)
{
enumerator_t *enumerator;
encryption_algorithm_t encryption_alg;
hash_algorithm_t hash_alg;
diffie_hellman_group_t dh_group;
const char *plugin_name;
bool no_md5 = TRUE;
bool no_sha1 = TRUE;
enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &hash_alg, &plugin_name))
{
const struct hash_desc *desc;
switch (hash_alg)
{
case HASH_SHA1:
desc = &hash_desc_sha1;
no_sha1 = FALSE;
break;
case HASH_SHA256:
desc = &hash_desc_sha2_256;
break;
case HASH_SHA384:
desc = &hash_desc_sha2_384;
break;
case HASH_SHA512:
desc = &hash_desc_sha2_512;
break;
case HASH_MD5:
desc = &hash_desc_md5;
no_md5 = FALSE;
break;
default:
continue;
}
ike_alg_add((struct ike_alg *)desc, plugin_name);
}
enumerator->destroy(enumerator);
if (no_sha1 || no_md5)
{
plog("pluto cannot run without a %s%s%s hasher",
(no_sha1) ? "SHA-1" : "",
(no_sha1 && no_md5) ? " and " : "",
(no_md5) ? "MD5" : "");
return FALSE;
}
enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &encryption_alg, &plugin_name))
{
const struct encrypt_desc *desc;
switch (encryption_alg)
{
case ENCR_3DES:
desc = &encrypt_desc_3des;
break;
case ENCR_BLOWFISH:
desc = &encrypt_desc_blowfish;
break;
case ENCR_AES_CBC:
desc = &encrypt_desc_aes;
break;
case ENCR_CAMELLIA_CBC:
desc = &encrypt_desc_camellia;
break;
case ENCR_TWOFISH_CBC:
desc = &encrypt_desc_twofish;
ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh,
plugin_name);
break;
case ENCR_SERPENT_CBC:
desc = &encrypt_desc_serpent;
break;
default:
continue;
}
ike_alg_add((struct ike_alg *)desc, plugin_name);
}
enumerator->destroy(enumerator);
enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &dh_group, &plugin_name))
{
const struct dh_desc *desc;
switch (dh_group)
{
case MODP_1024_BIT:
desc = &dh_desc_modp_1024;
break;
case MODP_1536_BIT:
desc = &dh_desc_modp_1536;
break;
case MODP_2048_BIT:
desc = &dh_desc_modp_2048;
break;
case MODP_3072_BIT:
desc = &dh_desc_modp_3072;
break;
case MODP_4096_BIT:
desc = &dh_desc_modp_4096;
break;
case MODP_6144_BIT:
desc = &dh_desc_modp_6144;
break;
case MODP_8192_BIT:
desc = &dh_desc_modp_8192;
break;
case ECP_256_BIT:
desc = &dh_desc_ecp_256;
break;
case ECP_384_BIT:
desc = &dh_desc_ecp_384;
break;
case ECP_521_BIT:
desc = &dh_desc_ecp_521;
break;
case MODP_1024_160:
desc = &dh_desc_modp_1024_160;
break;
case MODP_2048_224:
desc = &dh_desc_modp_2048_224;
break;
case MODP_2048_256:
desc = &dh_desc_modp_2048_256;
break;
case ECP_192_BIT:
desc = &dh_desc_ecp_192;
break;
case ECP_224_BIT:
desc = &dh_desc_ecp_224;
break;
default:
continue;
}
ike_alg_add((struct ike_alg *)desc, plugin_name);
}
enumerator->destroy(enumerator);
return TRUE;
}
void free_crypto(void)
{
/* currently nothing to do */
}
/**
* Converts IKEv1 encryption algorithm name to crypter name
*/
encryption_algorithm_t oakley_to_encryption_algorithm(int alg)
{
switch (alg)
{
case OAKLEY_DES_CBC:
return ENCR_DES;
case OAKLEY_IDEA_CBC:
return ENCR_IDEA;
case OAKLEY_BLOWFISH_CBC:
return ENCR_BLOWFISH;
case OAKLEY_RC5_R16_B64_CBC:
return ENCR_RC5;
case OAKLEY_3DES_CBC:
return ENCR_3DES;
case OAKLEY_CAST_CBC:
return ENCR_CAST;
case OAKLEY_AES_CBC:
return ENCR_AES_CBC;
case OAKLEY_CAMELLIA_CBC:
return ENCR_CAMELLIA_CBC;
case OAKLEY_SERPENT_CBC:
return ENCR_SERPENT_CBC;
case OAKLEY_TWOFISH_CBC:
case OAKLEY_TWOFISH_CBC_SSH:
return ENCR_TWOFISH_CBC;
default:
return ENCR_UNDEFINED;
}
}
/**
* Converts IKEv1 hash algorithm name to hasher name
*/
hash_algorithm_t oakley_to_hash_algorithm(int alg)
{
switch (alg)
{
case OAKLEY_MD5:
return HASH_MD5;
case OAKLEY_SHA:
return HASH_SHA1;
case OAKLEY_SHA2_256:
return HASH_SHA256;
case OAKLEY_SHA2_384:
return HASH_SHA384;
case OAKLEY_SHA2_512:
return HASH_SHA512;
default:
return HASH_UNKNOWN;
}
}
/**
* Converts IKEv1 hash algorithm name to IKEv2 prf name
*/
pseudo_random_function_t oakley_to_prf(int alg)
{
switch (alg)
{
case OAKLEY_MD5:
return PRF_HMAC_MD5;
case OAKLEY_SHA:
return PRF_HMAC_SHA1;
case OAKLEY_SHA2_256:
return PRF_HMAC_SHA2_256;
case OAKLEY_SHA2_384:
return PRF_HMAC_SHA2_384;
case OAKLEY_SHA2_512:
return PRF_HMAC_SHA2_512;
default:
return PRF_UNDEFINED;
}
}
/**
* Maps IKEv1 authentication method to IKEv2 signature scheme
*/
signature_scheme_t oakley_to_signature_scheme(int method)
{
switch (method)
{
case OAKLEY_RSA_SIG:
case XAUTHInitRSA:
case XAUTHRespRSA:
return SIGN_RSA_EMSA_PKCS1_NULL;
case OAKLEY_ECDSA_256:
case OAKLEY_ECDSA_384:
case OAKLEY_ECDSA_521:
return SIGN_ECDSA_WITH_NULL;
default:
return SIGN_UNKNOWN;
}
}
/**
* Table to map IKEv2 encryption algorithms to IKEv1 (or IKEv1 ESP) and back
*/
struct {
encryption_algorithm_t alg;
int oakley;
int esp;
} encr_map[] = {
{ENCR_DES, OAKLEY_DES_CBC, ESP_DES },
{ENCR_3DES, OAKLEY_3DES_CBC, ESP_3DES },
{ENCR_RC5, OAKLEY_RC5_R16_B64_CBC, ESP_RC5 },
{ENCR_IDEA, OAKLEY_IDEA_CBC, ESP_IDEA },
{ENCR_CAST, OAKLEY_CAST_CBC, ESP_CAST },
{ENCR_BLOWFISH, OAKLEY_BLOWFISH_CBC, ESP_BLOWFISH },
{ENCR_AES_CBC, OAKLEY_AES_CBC, ESP_AES },
{ENCR_CAMELLIA_CBC, OAKLEY_CAMELLIA_CBC, ESP_CAMELLIA },
{ENCR_SERPENT_CBC, OAKLEY_SERPENT_CBC, ESP_SERPENT },
{ENCR_TWOFISH_CBC, OAKLEY_TWOFISH_CBC, ESP_TWOFISH },
{ENCR_NULL, 0, ESP_NULL },
{ENCR_AES_CTR, 0, ESP_AES_CTR },
{ENCR_AES_CCM_ICV8, 0, ESP_AES_CCM_8 },
{ENCR_AES_CCM_ICV12, 0, ESP_AES_CCM_12},
{ENCR_AES_CCM_ICV16, 0, ESP_AES_CCM_16},
{ENCR_AES_GCM_ICV8, 0, ESP_AES_GCM_8 },
{ENCR_AES_GCM_ICV12, 0, ESP_AES_GCM_12},
{ENCR_AES_GCM_ICV16, 0, ESP_AES_GCM_16},
{ENCR_NULL_AUTH_AES_GMAC, 0, ESP_AES_GMAC },
};
/**
* Converts IKEv2 encryption to IKEv1 encryption algorithm
*/
int oakley_from_encryption_algorithm(encryption_algorithm_t alg)
{
int i;
for (i = 0; i < countof(encr_map); i++)
{
if (encr_map[i].alg == alg)
{
return encr_map[i].oakley;
}
}
return 0;
}
/**
* Converts IKEv2 encryption to IKEv1 ESP encryption algorithm
*/
int esp_from_encryption_algorithm(encryption_algorithm_t alg)
{
int i;
for (i = 0; i < countof(encr_map); i++)
{
if (encr_map[i].alg == alg)
{
return encr_map[i].esp;
}
}
return 0;
}
/**
* Converts IKEv1 ESP encryption to IKEv2 algorithm
*/
encryption_algorithm_t encryption_algorithm_from_esp(int esp)
{
int i;
for (i = 0; i < countof(encr_map); i++)
{
if (encr_map[i].esp == esp)
{
return encr_map[i].alg;
}
}
return 0;
}
/**
* Table to map IKEv2 integrity algorithms to IKEv1 (or IKEv1 ESP) and back
*/
struct {
integrity_algorithm_t alg;
int oakley;
int esp;
} auth_map[] = {
{AUTH_HMAC_MD5_96, OAKLEY_MD5, AUTH_ALGORITHM_HMAC_MD5 },
{AUTH_HMAC_SHA1_96, OAKLEY_SHA, AUTH_ALGORITHM_HMAC_SHA1 },
{AUTH_HMAC_SHA2_256_96, 0, AUTH_ALGORITHM_HMAC_SHA2_256_96},
{AUTH_HMAC_SHA2_256_128, OAKLEY_SHA2_256, AUTH_ALGORITHM_HMAC_SHA2_256 },
{AUTH_HMAC_SHA2_384_192, OAKLEY_SHA2_384, AUTH_ALGORITHM_HMAC_SHA2_384 },
{AUTH_HMAC_SHA2_512_256, OAKLEY_SHA2_512, AUTH_ALGORITHM_HMAC_SHA2_512 },
{AUTH_AES_XCBC_96, 0, AUTH_ALGORITHM_AES_XCBC_MAC },
{AUTH_AES_128_GMAC, 0, AUTH_ALGORITHM_AES_128_GMAC },
{AUTH_AES_192_GMAC, 0, AUTH_ALGORITHM_AES_192_GMAC },
{AUTH_AES_256_GMAC, 0, AUTH_ALGORITHM_AES_256_GMAC },
};
/**
* Converts IKEv2 integrity to IKEv1 hash algorithm
*/
int oakley_from_integrity_algorithm(integrity_algorithm_t alg)
{
int i;
for (i = 0; i < countof(auth_map); i++)
{
if (auth_map[i].alg == alg)
{
return auth_map[i].oakley;
}
}
return 0;
}
/**
* Converts IKEv2 integrity to IKEv1 ESP authentication algorithm
*/
int esp_from_integrity_algorithm(integrity_algorithm_t alg)
{
int i;
for (i = 0; i < countof(auth_map); i++)
{
if (auth_map[i].alg == alg)
{
return auth_map[i].esp;
}
}
return 0;
}
/**
* Converts IKEv1 ESP authentication to IKEv2 integrity algorithm
*/
integrity_algorithm_t integrity_algorithm_from_esp(int esp)
{
int i;
for (i = 0; i < countof(auth_map); i++)
{
if (auth_map[i].esp == esp)
{
return auth_map[i].alg;
}
}
return 0;
}

64
src/pluto/crypto.h
View File

@ -1,64 +0,0 @@
/* crypto interfaces
*
* Copyright (C) 2010 Tobias Brunner
* Copyright (C) 2009 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
* Copyright (C) 1998, 1999 D. Hugh Redelmeier.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <crypto/crypters/crypter.h>
#include <crypto/signers/signer.h>
#include <crypto/hashers/hasher.h>
#include <crypto/prfs/prf.h>
#include <credentials/keys/public_key.h>
#include "ike_alg.h"
extern bool init_crypto(void);
extern void free_crypto(void);
extern const struct dh_desc unset_group; /* magic signifier */
/* unification of cryptographic encoding/decoding algorithms
* The IV is taken from and returned to st->st_new_iv.
* This allows the old IV to be retained.
* Use update_iv to commit to the new IV (for example, once a packet has
* been validated).
*/
#define MAX_OAKLEY_KEY_LEN0 (3 * DES_CBC_BLOCK_SIZE)
#define MAX_OAKLEY_KEY_LEN (256/BITS_PER_BYTE)
struct state; /* forward declaration, dammit */
#define update_iv(st) memcpy((st)->st_iv, (st)->st_new_iv \
, (st)->st_iv_len = (st)->st_new_iv_len)
#define set_ph1_iv(st, iv) \
passert((st)->st_ph1_iv_len <= sizeof((st)->st_ph1_iv)); \
memcpy((st)->st_ph1_iv, (iv), (st)->st_ph1_iv_len);
/* unification of cryptographic hashing mechanisms */
extern encryption_algorithm_t oakley_to_encryption_algorithm(int alg);
extern hash_algorithm_t oakley_to_hash_algorithm(int alg);
extern pseudo_random_function_t oakley_to_prf(int alg);
extern signature_scheme_t oakley_to_signature_scheme(int method);
extern int oakley_from_encryption_algorithm(encryption_algorithm_t alg);
extern int oakley_from_integrity_algorithm(integrity_algorithm_t alg);
extern int esp_from_encryption_algorithm(encryption_algorithm_t alg);
extern int esp_from_integrity_algorithm(integrity_algorithm_t alg);
extern encryption_algorithm_t encryption_algorithm_from_esp(int esp);
extern integrity_algorithm_t integrity_algorithm_from_esp(int esp);

412
src/pluto/db_ops.c
View File

@ -1,412 +0,0 @@
/* Dynamic db (proposal, transforms, attributes) handling.
* Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/*
* The stratedy is to have (full contained) struct db_prop in db_context
* pointing to ONE dynamically sizable transform vector (trans0).
* Each transform stores attrib. in ONE dyn. sizable attribute vector (attrs0)
* in a "serialized" way (attributes storage is used in linear sequence for
* subsecuent transforms).
*
* Resizing for both trans0 and attrs0 is supported:
* - For trans0: quite simple, just allocate and copy trans. vector content
* also update trans_cur (by offset)
* - For attrs0: after allocating and copying attrs, I must rewrite each
* trans->attrs present in trans0; to achieve this, calculate
* attrs pointer offset (new minus old) and iterate over
* each transform "adding" this difference.
* also update attrs_cur (by offset)
*
* db_context structure:
* +---------------------+
* | prop |
* | .protoid |
* | .trans | --+
* | .trans_cnt | |
* +---------------------+ <-+
* | trans0 | ----> { trans#1 | ... | trans#i | ... }
* +---------------------+ ^
* | trans_cur | ----------------------' current transf.
* +---------------------+
* | attrs0 | ----> { attr#1 | ... | attr#j | ... }
* +---------------------+ ^
* | attrs_cur | ---------------------' current attr.
* +---------------------+
* | max_trans,max_attrs | max_trans/attrs: number of elem. of each vector
* +---------------------+
*
* See testing examples at end for interface usage.
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <malloc.h>
#include <sys/types.h>
#include <freeswan.h>
#include "constants.h"
#include "defs.h"
#include "state.h"
#include "packet.h"
#include "spdb.h"
#include "db_ops.h"
#include "log.h"
#include "whack.h"
#include <assert.h>
#ifdef NOT_YET
/*
* Allocator cache:
* Because of the single-threaded nature of pluto/spdb.c,
* alloc()/free() is exercised many times with very small
* lifetime objects.
* Just caching last object (currently it will select the
* largest) will avoid this allocation mas^Wperturbations
*
*/
struct db_ops_alloc_cache {
void *ptr;
int size;
};
#endif
#ifndef NO_DB_OPS_STATS
/*
* stats: do account for allocations
* displayed in db_ops_show_status()
*/
struct db_ops_stats {
int st_curr_cnt; /* current number of allocations */
int st_total_cnt; /* total allocations so far */
size_t st_maxsz; /* max. size requested */
};
#define DB_OPS_ZERO { 0, 0, 0};
#define DB_OPS_STATS_DESC "{curr_cnt, total_cnt, maxsz}"
#define DB_OPS_STATS_STR(name) name "={%d,%d,%d} "
#define DB_OPS_STATS_F(st) (st).st_curr_cnt, (st).st_total_cnt, (int)(st).st_maxsz
static struct db_ops_stats db_context_st = DB_OPS_ZERO;
static struct db_ops_stats db_trans_st = DB_OPS_ZERO;
static struct db_ops_stats db_attrs_st = DB_OPS_ZERO;
static __inline__ void *malloc_bytes_st(size_t size, struct db_ops_stats *st)
{
void *ptr = malloc(size);
if (ptr)
{
st->st_curr_cnt++;
st->st_total_cnt++;
if (size > st->st_maxsz) st->st_maxsz=size;
}
return ptr;
}
#define ALLOC_BYTES_ST(z,st) malloc_bytes_st(z, &st);
#define PFREE_ST(p,st) do { st.st_curr_cnt--; free(p); } while (0);
#else
#define ALLOC_BYTES_ST(z,n) malloc(z);
#define PFREE_ST(p,n) free(p);
#endif /* NO_DB_OPS_STATS */
/* Initialize db object
* max_trans and max_attrs can be 0, will be dynamically expanded
* as a result of "add" operations
*/
int
db_prop_init(struct db_context *ctx, u_int8_t protoid, int max_trans, int max_attrs)
{
ctx->trans0 = NULL;
ctx->attrs0 = NULL;
if (max_trans > 0) { /* quite silly if not */
ctx->trans0 = ALLOC_BYTES_ST ( sizeof(struct db_trans) * max_trans,
db_trans_st);
memset(ctx->trans0, '\0', sizeof(struct db_trans) * max_trans);
}
if (max_attrs > 0) { /* quite silly if not */
ctx->attrs0 = ALLOC_BYTES_ST (sizeof(struct db_attr) * max_attrs,
db_attrs_st);
memset(ctx->attrs0, '\0', sizeof(struct db_attr) * max_attrs);
}
ctx->max_trans = max_trans;
ctx->max_attrs = max_attrs;
ctx->trans_cur = ctx->trans0;
ctx->attrs_cur = ctx->attrs0;
ctx->prop.protoid = protoid;
ctx->prop.trans = ctx->trans0;
ctx->prop.trans_cnt = 0;
return 0;
}
/* Expand storage for transforms by number delta_trans */
static int
db_trans_expand(struct db_context *ctx, int delta_trans)
{
int ret = -1;
struct db_trans *new_trans, *old_trans;
int max_trans = ctx->max_trans + delta_trans;
int offset;
old_trans = ctx->trans0;
new_trans = ALLOC_BYTES_ST ( sizeof (struct db_trans) * max_trans,
db_trans_st);
if (!new_trans)
goto out;
memcpy(new_trans, old_trans, ctx->max_trans * sizeof(struct db_trans));
/* update trans0 (obviously) */
ctx->trans0 = ctx->prop.trans = new_trans;
/* update trans_cur (by offset) */
offset = (char *)(new_trans) - (char *)(old_trans);
{
char *cctx = (char *)(ctx->trans_cur);
cctx += offset;
ctx->trans_cur = (struct db_trans *)cctx;
}
/* update elem count */
ctx->max_trans = max_trans;
PFREE_ST(old_trans, db_trans_st);
ret = 0;
out:
return ret;
}
/*
* Expand storage for attributes by delta_attrs number AND
* rewrite trans->attr pointers
*/
static int
db_attrs_expand(struct db_context *ctx, int delta_attrs)
{
int ret = -1;
struct db_attr *new_attrs, *old_attrs;
struct db_trans *t;
int ti;
int max_attrs = ctx->max_attrs + delta_attrs;
int offset;
old_attrs = ctx->attrs0;
new_attrs = ALLOC_BYTES_ST ( sizeof (struct db_attr) * max_attrs,
db_attrs_st);
if (!new_attrs)
goto out;
memcpy(new_attrs, old_attrs, ctx->max_attrs * sizeof(struct db_attr));
/* update attrs0 and attrs_cur (obviously) */
offset = (char *)(new_attrs) - (char *)(old_attrs);
{
char *actx = (char *)(ctx->attrs0);
actx += offset;
ctx->attrs0 = (struct db_attr *)actx;
actx = (char *)ctx->attrs_cur;
actx += offset;
ctx->attrs_cur = (struct db_attr *)actx;
}
/* for each transform, rewrite attrs pointer by offsetting it */
for (t=ctx->prop.trans, ti=0; ti < ctx->prop.trans_cnt; t++, ti++) {
char *actx = (char *)(t->attrs);
actx += offset;
t->attrs = (struct db_attr *)actx;
}
/* update elem count */
ctx->max_attrs = max_attrs;
PFREE_ST(old_attrs, db_attrs_st);
ret = 0;
out:
return ret;
}
/* Allocate a new db object */
struct db_context *
db_prop_new(u_int8_t protoid, int max_trans, int max_attrs)
{
struct db_context *ctx;
ctx = ALLOC_BYTES_ST ( sizeof (struct db_context), db_context_st);
if (!ctx) goto out;
if (db_prop_init(ctx, protoid, max_trans, max_attrs) < 0) {
PFREE_ST(ctx, db_context_st);
ctx=NULL;
}
out:
return ctx;
}
/* Free a db object */
void
db_destroy(struct db_context *ctx)
{
if (ctx->trans0) PFREE_ST(ctx->trans0, db_trans_st);
if (ctx->attrs0) PFREE_ST(ctx->attrs0, db_attrs_st);
PFREE_ST(ctx, db_context_st);
}
/* Start a new transform, expand trans0 is needed */
int
db_trans_add(struct db_context *ctx, u_int8_t transid)
{
/* skip incrementing current trans pointer the 1st time*/
if (ctx->trans_cur && ctx->trans_cur->attr_cnt)
ctx->trans_cur++;
/*
* Strategy: if more space is needed, expand by
* <current_size>/2 + 1
*
* This happens to produce a "reasonable" sequence
* after few allocations, eg.:
* 0,1,2,4,8,13,20,31,47
*/
if ((ctx->trans_cur - ctx->trans0) >= ctx->max_trans) {
/* XXX:jjo if fails should shout and flag it */
if (db_trans_expand(ctx, ctx->max_trans/2 + 1)<0)
return -1;
}
ctx->trans_cur->transid = transid;
ctx->trans_cur->attrs=ctx->attrs_cur;
ctx->trans_cur->attr_cnt = 0;
ctx->prop.trans_cnt++;
return 0;
}
/* Add attr copy to current transform, expanding attrs0 if needed */
int
db_attr_add(struct db_context *ctx, const struct db_attr *a)
{
/*
* Strategy: if more space is needed, expand by
* <current_size>/2 + 1
*/
if ((ctx->attrs_cur - ctx->attrs0) >= ctx->max_attrs) {
/* XXX:jjo if fails should shout and flag it */
if (db_attrs_expand(ctx, ctx->max_attrs/2 + 1) < 0)
return -1;
}
*ctx->attrs_cur++=*a;
ctx->trans_cur->attr_cnt++;
return 0;
}
/* Add attr copy (by value) to current transform,
* expanding attrs0 if needed, just calls db_attr_add().
*/
int
db_attr_add_values(struct db_context *ctx, u_int16_t type, u_int16_t val)
{
struct db_attr attr;
attr.type = type;
attr.val = val;
return db_attr_add (ctx, &attr);
}
#ifndef NO_DB_OPS_STATS
int
db_ops_show_status(void)
{
whack_log(RC_COMMENT, "stats " __FILE__ ": "
DB_OPS_STATS_DESC " :"
DB_OPS_STATS_STR("context")
DB_OPS_STATS_STR("trans")
DB_OPS_STATS_STR("attrs"),
DB_OPS_STATS_F(db_context_st),
DB_OPS_STATS_F(db_trans_st),
DB_OPS_STATS_F(db_attrs_st)
);
return 0;
}
#endif /* NO_DB_OPS_STATS */
/*
* From below to end just testing stuff ....
*/
#ifdef TEST
static void db_prop_print(struct db_prop *p)
{
struct db_trans *t;
struct db_attr *a;
int ti, ai;
enum_names *n, *n_at, *n_av;
printf("protoid=\"%s\"\n", enum_name(&protocol_names, p->protoid));
for (ti=0, t=p->trans; ti< p->trans_cnt; ti++, t++) {
switch( t->transid) {
case PROTO_ISAKMP:
n=&isakmp_transformid_names;break;
case PROTO_IPSEC_ESP:
n=&esp_transformid_names;break;
default:
continue;
}
printf(" transid=\"%s\"\n",
enum_name(n, t->transid));
for (ai=0, a=t->attrs; ai < t->attr_cnt; ai++, a++) {
int i;
switch( t->transid) {
case PROTO_ISAKMP:
n_at=&oakley_attr_names;
i=a->type|ISAKMP_ATTR_AF_TV;
n_av=oakley_attr_val_descs[(i)&ISAKMP_ATTR_RTYPE_MASK];
break;
case PROTO_IPSEC_ESP:
n_at=&ipsec_attr_names;
i=a->type|ISAKMP_ATTR_AF_TV;
n_av=ipsec_attr_val_descs[(i)&ISAKMP_ATTR_RTYPE_MASK];
break;
default:
continue;
}
printf(" type=\"%s\" value=\"%s\"\n",
enum_name(n_at, i),
enum_name(n_av, a->val));
}
}
}
static void db_print(struct db_context *ctx)
{
printf("trans_cur diff=%d, attrs_cur diff=%d\n",
ctx->trans_cur - ctx->trans0,
ctx->attrs_cur - ctx->attrs0);
db_prop_print(&ctx->prop);
}
void
passert_fail(const char *pred_str, const char *file_str, unsigned long line_no);
void abort(void);
void
passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
{
fprintf(stderr, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
abort(); /* exiting correctly doesn't always work */
}
int main(void) {
struct db_context *ctx=db_prop_new(PROTO_ISAKMP, 0, 0);
db_trans_add(ctx, KEY_IKE);
db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC);
db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5);
db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG);
db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024);
db_trans_add(ctx, KEY_IKE);
db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_AES_CBC);
db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5);
db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY);
db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536);
db_trans_add(ctx, ESP_3DES);
db_attr_add_values(ctx, AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1);
db_print(ctx);
db_destroy(ctx);
return 0;
}
#endif

54
src/pluto/db_ops.h
View File

@ -1,54 +0,0 @@
/* Dynamic db (proposal, transforms, attributes) handling.
* Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef _DB_OPS_H
#define _DB_OPS_H
/*
* Main db object, (quite proposal "oriented")
*/
#ifndef NO_DB_CONTEXT
struct db_context {
struct db_prop prop; /* proposal buffer (not pointer) */
struct db_trans *trans0; /* transf. list, dynamically sized */
struct db_trans *trans_cur; /* current transform ptr */
struct db_attr *attrs0; /* attr. list, dynamically sized */
struct db_attr *attrs_cur; /* current attribute ptr */
int max_trans; /* size of trans list */
int max_attrs; /* size of attrs list */
};
/*
* Allocate a new db object
*/
struct db_context * db_prop_new(u_int8_t protoid, int max_trans, int max_attrs);
/* Initialize object for proposal building */
int db_prop_init(struct db_context *ctx, u_int8_t protoid, int max_trans, int max_attrs);
/* Free all resourses for this db */
void db_destroy(struct db_context *ctx);
/* Start a new transform */
int db_trans_add(struct db_context *ctx, u_int8_t transid);
/* Add a new attribute by copying db_attr content */
int db_attr_add(struct db_context *db_ctx, const struct db_attr *attr);
/* Add a new attribute by value */
int db_attr_add_values(struct db_context *ctx, u_int16_t type, u_int16_t val);
/* Get proposal from db object */
static __inline__ struct db_prop *db_prop_get(struct db_context *ctx) {
return &ctx->prop;
}
/* Show stats (allocation, etc) */
#endif /* NO_DB_CONTEXT */
int db_ops_show_status(void);
#endif /* _DB_OPS_H */

145
src/pluto/defs.c
View File

@ -1,145 +0,0 @@
/* misc. universal things
* Copyright (C) 1998-2001 D. Hugh Redelmeier.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <dirent.h>
#include <inttypes.h>
#include <time.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <freeswan.h>
#include "constants.h"
#include "defs.h"
#include "log.h"
#include "whack.h" /* for RC_LOG_SERIOUS */
bool
all_zero(const unsigned char *m, size_t len)
{
size_t i;
for (i = 0; i != len; i++)
if (m[i] != '\0')
return FALSE;
return TRUE;
}
/* Note that there may be as many as six IDs that are temporary at
* one time before unsharing the two ends of a connection. So we need
* at least six temporary buffers for DER_ASN1_DN IDs.
* We rotate them. Be careful!
*/
#define MAX_BUF 10
char*
temporary_cyclic_buffer(void)
{
static char buf[MAX_BUF][BUF_LEN]; /* MAX_BUF internal buffers */
static int counter = 0; /* cyclic counter */
if (++counter == MAX_BUF) counter = 0; /* next internal buffer */
return buf[counter]; /* assign temporary buffer */
}
/* concatenates two sub paths into a string with a maximum size of BUF_LEN
* use for temporary storage only
*/
char* concatenate_paths(char *a, char *b)
{
char *c;
if (*b == '/' || *b == '.')
return b;
c = temporary_cyclic_buffer();
snprintf(c, BUF_LEN, "%s/%s", a, b);
return c;
}
/* moves a chunk to a memory position, chunk is freed afterwards
* position pointer is advanced after the insertion point
*/
void
mv_chunk(u_char **pos, chunk_t content)
{
if (content.len > 0)
{
chunkcpy(*pos, content);
free(content.ptr);
}
}
/* checks if the expiration date has been reached and
* warns during the warning_interval of the imminent
* expiry. strict=TRUE declares a fatal error,
* strict=FALSE issues a warning upon expiry.
*/
const char*
check_expiry(time_t expiration_date, int warning_interval, bool strict)
{
time_t now, time_left;
if (expiration_date == UNDEFINED_TIME)
return "ok (expires never)";
/* determine the current time */
time(&now);
time_left = (expiration_date - now);
if (time_left < 0)
return strict? "fatal (expired)" : "warning (expired)";
if (time_left > 86400*warning_interval)
return "ok";
{
static char buf[35]; /* temporary storage */
const char* unit = "second";
if (time_left > 172800)
{
time_left /= 86400;
unit = "day";
}
else if (time_left > 7200)
{
time_left /= 3600;
unit = "hour";
}
else if (time_left > 120)
{
time_left /= 60;
unit = "minute";
}
snprintf(buf, 35, "warning (expires in %" PRIu64 " %s%s)",
(u_int64_t)time_left, unit, (time_left == 1) ? "" : "s");
return buf;
}
}
/*
* Filter eliminating the directory entries '.' and '..'
*/
int
file_select(const struct dirent *entry)
{
return strcmp(entry->d_name, "." ) &&
strcmp(entry->d_name, "..");
}

79
src/pluto/defs.h
View File

@ -1,79 +0,0 @@
/* misc. universal things
* Copyright (C) 1997 Angelos D. Keromytis.
* Copyright (C) 1998-2001 D. Hugh Redelmeier.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef _DEFS_H
#define _DEFS_H
#include <string.h>
#include <sys/types.h>
#include <chunk.h>
#ifdef DEBUG
# define USED_BY_DEBUG /* ignore */
#else
# define USED_BY_DEBUG UNUSED
#endif
/* type of serial number of a state object
* Needed in connections.h and state.h; here to simplify dependencies.
*/
typedef unsigned long so_serial_t;
#define SOS_NOBODY 0 /* null serial number */
#define SOS_FIRST 1 /* first normal serial number */
/* memory allocation */
#define clone_thing(orig) clalloc((void *)&(orig), sizeof(orig))
#define clone_str(str) \
((str) == NULL? NULL : strdup(str))
#define replace(p, q) \
{ free(p); (p) = (q); }
#define chunkcpy(dst, chunk) \
{ memcpy(dst, chunk.ptr, chunk.len); dst += chunk.len;}
extern char* temporary_cyclic_buffer(void);
extern char* concatenate_paths(char *a, char *b);
/* move a chunk to a memory position and free it after insertion */
extern void mv_chunk(u_char **pos, chunk_t content);
/* warns a predefined interval before expiry */
extern const char* check_expiry(time_t expiration_date,
int warning_interval, bool strict);
#define MAX_PROMPT_PASS_TRIALS 5
#define PROMPT_PASS_LEN 64
/* filter eliminating the directory entries '.' and '..' */
typedef struct dirent dirent_t;
extern int file_select(const dirent_t *entry);
/* cleanly exit Pluto */
extern void exit_pluto(int /*status*/) NEVER_RETURNS;
/* zero all bytes */
#define zero(x) memset((x), '\0', sizeof(*(x)))
/* are all bytes 0? */
extern bool all_zero(const unsigned char *m, size_t len);
/* pad_up(n, m) is the amount to add to n to make it a multiple of m */
#define pad_up(n, m) (((m) - 1) - (((n) + (m) - 1) % (m)))
#endif /* _DEFS_H */

2527
src/pluto/demux.c
View File

File diff suppressed because it is too large Load Diff

97
src/pluto/demux.h
View File

@ -1,97 +0,0 @@
/* demultiplex incoming IKE messages
* Copyright (C) 1998-2002 D. Hugh Redelmeier.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef _DEMUX_H
#define _DEMUX_H
#include "packet.h"
#include "state.h"
extern void init_demux(void);
extern bool send_packet(struct state *st, const char *where);
extern void comm_handle(const struct iface *ifp);
extern u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE];
/* State transition function infrastructure
*
* com_handle parses a message, decides what state object it applies to,
* and calls the appropriate state transition function (STF).
* These declarations define the interface to these functions.
*
* Each STF must be able to be restarted up to any failure point:
* a later message will cause the state to be re-entered. This
* explains the use of the replace macro and the care in handling
* MP_INT members of struct state.
*/
struct payload_digest {
pb_stream pbs;
union payload payload;
struct payload_digest *next; /* of same kind */
};
/* message digest
* Note: raw_packet and packet_pbs are "owners" of space on heap.
*/
struct msg_digest {
struct msg_digest *next; /* for free list */
chunk_t raw_packet; /* if encrypted, received packet before decryption */
const struct iface *iface; /* interface on which message arrived */
ip_address sender; /* where message came from */
u_int16_t sender_port; /* host order */
pb_stream packet_pbs; /* whole packet */
pb_stream message_pbs; /* message to be processed */
struct isakmp_hdr hdr; /* message's header */
bool encrypted; /* was it encrypted? */
enum state_kind from_state; /* state we started in */
const struct state_microcode *smc; /* microcode for initial state */
struct state *st; /* current state object */
pb_stream reply; /* room for reply */
pb_stream rbody; /* room for reply body (after header) */
notification_t note; /* reason for failure */
bool dpd; /* peer supports RFC 3706 DPD */
bool openpgp; /* peer supports OpenPGP certificates */
bool ms_nt5; /* peer is a windows 2000+ host */
# define PAYLIMIT 40
struct payload_digest
digest[PAYLIMIT],
*digest_roof,
*chain[ISAKMP_NEXT_ROOF];
unsigned short nat_traversal_vid;
};
extern void release_md(struct msg_digest *md);
/* status for state-transition-function
* Note: STF_FAIL + notification_t means fail with that notification
*/
typedef enum {
STF_IGNORE, /* don't respond */
STF_SUSPEND, /* unfinished -- don't release resources */
STF_OK, /* success */
STF_INTERNAL_ERROR, /* discard everything, we failed */
STF_FAIL /* discard everything, something failed. notification_t added. */
} stf_status;
typedef stf_status state_transition_fn(struct msg_digest *md);
extern void complete_state_transition(struct msg_digest **mdp, stf_status result);
extern void free_md_pool(void);
#endif /* _DEMUX_H */

1590
src/pluto/dnskey.c
View File

File diff suppressed because it is too large Load Diff

75
src/pluto/dnskey.h
View File

@ -1,75 +0,0 @@
/* Find public key in DNS
* Copyright (C) 2000-2002 D. Hugh Redelmeier.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <utils/identification.h>
extern int adns_qfd; /* file descriptor for sending queries to adns */
extern int adns_afd; /* file descriptor for receiving answers from adns */
extern const char *pluto_adns_option; /* path from --pluto_adns */
extern void init_adns(void);
extern void stop_adns(void);
extern void handle_adns_answer(void);
extern bool unsent_ADNS_queries;
extern void send_unsent_ADNS_queries(void);
/* (common prefix of) stuff remembered between async query and answer.
* Filled in by start_adns_query.
* Freed by call to release_adns_continuation.
*/
struct adns_continuation; /* forward declaration (not far!) */
typedef void (*cont_fn_t)(struct adns_continuation *cr, err_t ugh);
struct adns_continuation {
unsigned long qtid; /* query transaction id number */
int type; /* T_TXT or T_KEY, selecting rr type of interest */
cont_fn_t cont_fn; /* function to carry on suspended work */
identification_t *id; /* subject of query */
bool sgw_specified;
identification_t *sgw_id; /* peer, if constrained */
lset_t debugging; /* only used #ifdef DEBUG, but don't want layout to change */
struct gw_info *gateways_from_dns; /* answer, if looking for our TXT rrs */
#ifdef USE_KEYRR
struct pubkey_list *keys_from_dns; /* answer, if looking for KEY rrs */
#endif
struct adns_continuation *previous, *next;
struct pubkey *last_info; /* the last structure we accumulated */
struct adns_query query;
};
extern err_t start_adns_query(identification_t *id /* domain to query */
, identification_t *sgw_id /* if non-null, any accepted gw_info must match */
, int type /* T_TXT or T_KEY, selecting rr type of interest */
, cont_fn_t cont_fn /* continuation function */
, struct adns_continuation *cr);
/* Gateway info gleaned from reverse DNS of client */
struct gw_info {
unsigned refcnt; /* reference counted! */
unsigned pref; /* preference: lower is better */
#define NO_TIME ((time_t) -2) /* time_t value meaning "not_yet" */
identification_t* client_id; /* id of client of peer */
identification_t* gw_id; /* id of peer (if id_is_ipaddr, .ip_addr is address) */
bool gw_key_present;
struct pubkey *key;
struct gw_info *next;
};
extern void gw_addref(struct gw_info *gw);
extern void gw_delref(struct gw_info **gwp);
extern void reset_adns_restart_count(void);

195
src/pluto/event_queue.c
View File

@ -1,195 +0,0 @@
/*
* Copyright (C) 2010 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <unistd.h>
#include <fcntl.h>
#include "event_queue.h"
#include <debug.h>
#include <threading/mutex.h>
#include <utils/linked_list.h>
typedef struct private_event_queue_t private_event_queue_t;
/**
* Private data of event_queue_t class.
*/
struct private_event_queue_t {
/**
* Public event_queue_t interface.
*/
event_queue_t public;
/**
* List of queued events (event_t*).
*/
linked_list_t *events;
/**
* Mutex for event list.
*/
mutex_t *mutex;
/**
* Read end of the notification pipe.
*/
int read_fd;
/**
* Write end of the notification pipe.
*/
int write_fd;
};
typedef struct event_t event_t;
struct event_t {
/**
* Callback function.
*/
void (*callback)(void *data);
/**
* Data to supply to the callback.
*/
void *data;
/**
* Cleanup function.
*/
void (*cleanup)(void *data);
};
static event_t *event_create(void (*callback)(void *data), void *data,
void (*cleanup)(void *data))
{
event_t *this;
INIT(this,
.callback = callback,
.data = data,
.cleanup = cleanup,
);
return this;
}
static void event_destroy(event_t *this)
{
if (this->cleanup)
{
this->cleanup(this->data);
}
free(this);
}
METHOD(event_queue_t, get_event_fd, int,
private_event_queue_t *this)
{
return this->read_fd;
}
METHOD(event_queue_t, handle, void,
private_event_queue_t *this)
{
char buf[10];
linked_list_t *events;
event_t *event;
this->mutex->lock(this->mutex);
/* flush pipe */
while (read(this->read_fd, &buf, sizeof(buf)) == sizeof(buf));
/* replace the list, so we can unlock the mutex while executing the jobs */
events = this->events;
this->events = linked_list_create();
this->mutex->unlock(this->mutex);
while (events->remove_first(events, (void**)&event) == SUCCESS)
{
event->callback(event->data);
event_destroy(event);
}
events->destroy(events);
}
METHOD(event_queue_t, queue, void,
private_event_queue_t *this, void (*callback)(void *data), void *data,
void (*cleanup)(void *data))
{
event_t *event = event_create(callback, data, cleanup);
char c = 0;
this->mutex->lock(this->mutex);
this->events->insert_last(this->events, event);
ignore_result(write(this->write_fd, &c, 1));
this->mutex->unlock(this->mutex);
}
METHOD(event_queue_t, destroy, void,
private_event_queue_t *this)
{
this->mutex->lock(this->mutex);
this->events->destroy_function(this->events, (void*)event_destroy);
this->mutex->unlock(this->mutex);
this->mutex->destroy(this->mutex);
close(this->read_fd);
close(this->write_fd);
free(this);
}
static bool set_nonblock(int socket)
{
int flags = fcntl(socket, F_GETFL);
return flags != -1 && fcntl(socket, F_SETFL, flags | O_NONBLOCK) != -1;
}
static bool set_cloexec(int socket)
{
int flags = fcntl(socket, F_GETFD);
return flags != -1 && fcntl(socket, F_SETFD, flags | FD_CLOEXEC) != -1;
}
/*
* Described in header.
*/
event_queue_t *event_queue_create()
{
private_event_queue_t *this;
int fd[2];
INIT(this,
.public = {
.get_event_fd = _get_event_fd,
.handle = _handle,
.queue = _queue,
.destroy = _destroy,
},
.events = linked_list_create(),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
);
if (pipe(fd) == -1 ||
!set_nonblock(fd[0]) || !set_cloexec(fd[0]) ||
!set_nonblock(fd[1]) || !set_cloexec(fd[1]))
{
DBG1(DBG_JOB, "failed to create pipe for job queue");
_destroy(this);
return NULL;
}
this->read_fd = fd[0];
this->write_fd = fd[1];
return &this->public;
}

69
src/pluto/event_queue.h
View File

@ -1,69 +0,0 @@
/*
* Copyright (C) 2010 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup event_queue event_queue
* @{ @ingroup pluto
*/
#ifndef EVENT_QUEUE_H_
#define EVENT_QUEUE_H_
typedef struct event_queue_t event_queue_t;
/**
* The event queue facility can be used to synchronize thread-pool threads
* with the pluto main thread. That is, all queued callbacks are executed
* asynchronously by the pluto main thread.
*/
struct event_queue_t {
/**
* Returns the file descriptor used to notify the main thread.
*
* @return fd to use in the main thread
*/
int (*get_event_fd) (event_queue_t *this);
/**
* Handle all queued events.
*/
void (*handle) (event_queue_t *this);
/**
* Add an event to the queue.
*
* @param callback callback function to add to the queue
* @param data data supplied to the callback function
* @param cleanup optional cleanup function
*/
void (*queue) (event_queue_t *this, void (*callback)(void *data),
void *data, void (*cleanup)(void *data));
/**
* Destroy this instance.
*/
void (*destroy) (event_queue_t *this);
};
/**
* Create the event queue.
*
* @return created object
*/
event_queue_t *event_queue_create();
#endif /** EVENT_QUEUE_H_ @}*/

766
src/pluto/fetch.c
View File

@ -1,766 +0,0 @@
/* Dynamic fetching of X.509 CRLs
* Copyright (C) 2002 Stephane Laroche <stephane.laroche@colubris.com>
* Copyright (C) 2002-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <stdlib.h>
#include <errno.h>
#include <sys/time.h>
#include <time.h>
#include <string.h>
#ifdef THREADS
#include <pthread.h>
#endif
#include <freeswan.h>
#include <library.h>
#include <debug.h>
#include <asn1/asn1.h>
#include <credentials/certificates/certificate.h>
#ifdef THREADS
#include <threading/thread.h>
#endif
#include "constants.h"
#include "defs.h"
#include "log.h"
#include "x509.h"
#include "ca.h"
#include "whack.h"
#include "ocsp.h"
#include "crl.h"
#include "fetch.h"
#include "builder.h"
fetch_req_t empty_fetch_req = {
NULL , /* next */
0 , /* trials */
NULL , /* issuer */
{ NULL, 0}, /* authKeyID */
NULL /* distributionPoints */
};
/* chained list of crl fetch requests */
static fetch_req_t *crl_fetch_reqs = NULL;
/* chained list of ocsp fetch requests */
static ocsp_location_t *ocsp_fetch_reqs = NULL;
#ifdef THREADS
static thread_t *thread;
static pthread_mutex_t certs_and_keys_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t authcert_list_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t crl_list_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t ocsp_cache_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t ca_info_list_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t crl_fetch_list_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t ocsp_fetch_list_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t fetch_wake_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t fetch_wake_cond = PTHREAD_COND_INITIALIZER;
/**
* lock access to my certs and keys
*/
void lock_certs_and_keys(const char *who)
{
pthread_mutex_lock(&certs_and_keys_mutex);
DBG(DBG_CONTROLMORE,
DBG_log("certs and keys locked by '%s'", who)
)
}
/**
* Unlock access to my certs and keys
*/
void unlock_certs_and_keys(const char *who)
{
DBG(DBG_CONTROLMORE,
DBG_log("certs and keys unlocked by '%s'", who)
)
pthread_mutex_unlock(&certs_and_keys_mutex);
}
/**
* Lock access to the chained authcert list
*/
void lock_authcert_list(const char *who)
{
pthread_mutex_lock(&authcert_list_mutex);
DBG(DBG_CONTROLMORE,
DBG_log("authcert list locked by '%s'", who)
)
}
/**
* Unlock access to the chained authcert list
*/
void unlock_authcert_list(const char *who)
{
DBG(DBG_CONTROLMORE,
DBG_log("authcert list unlocked by '%s'", who)
)
pthread_mutex_unlock(&authcert_list_mutex);
}
/**
* Lock access to the chained crl list
*/
void lock_crl_list(const char *who)
{
pthread_mutex_lock(&crl_list_mutex);
DBG(DBG_CONTROLMORE,
DBG_log("crl list locked by '%s'", who)
)
}
/**
* Unlock access to the chained crl list
*/
void unlock_crl_list(const char *who)
{
DBG(DBG_CONTROLMORE,
DBG_log("crl list unlocked by '%s'", who)
)
pthread_mutex_unlock(&crl_list_mutex);
}
/**
* Lock access to the ocsp cache
*/
extern void lock_ocsp_cache(const char *who)
{
pthread_mutex_lock(&ocsp_cache_mutex);
DBG(DBG_CONTROLMORE,
DBG_log("ocsp cache locked by '%s'", who)
)
}
/**
* Unlock access to the ocsp cache
*/
extern void unlock_ocsp_cache(const char *who)
{
DBG(DBG_CONTROLMORE,
DBG_log("ocsp cache unlocked by '%s'", who)
)
pthread_mutex_unlock(&ocsp_cache_mutex);
}
/**
* Lock access to the ca info list
*/
extern void lock_ca_info_list(const char *who)
{
pthread_mutex_lock(&ca_info_list_mutex);
DBG(DBG_CONTROLMORE,
DBG_log("ca info list locked by '%s'", who)
)
}
/**
* Unlock access to the ca info list
*/
extern void unlock_ca_info_list(const char *who)
{
DBG(DBG_CONTROLMORE,
DBG_log("ca info list unlocked by '%s'", who)
)
pthread_mutex_unlock(&ca_info_list_mutex);
}
/**
* Lock access to the chained crl fetch request list
*/
static void lock_crl_fetch_list(const char *who)
{
pthread_mutex_lock(&crl_fetch_list_mutex);
DBG(DBG_CONTROLMORE,
DBG_log("crl fetch request list locked by '%s'", who)
)
}
/**
* Unlock access to the chained crl fetch request list
*/
static void unlock_crl_fetch_list(const char *who)
{
DBG(DBG_CONTROLMORE,
DBG_log("crl fetch request list unlocked by '%s'", who)
)
pthread_mutex_unlock(&crl_fetch_list_mutex);
}
/**
* Lock access to the chained ocsp fetch request list
*/
static void lock_ocsp_fetch_list(const char *who)
{
pthread_mutex_lock(&ocsp_fetch_list_mutex);
DBG(DBG_CONTROLMORE,
DBG_log("ocsp fetch request list locked by '%s'", who)
)
}
/**
* Unlock access to the chained ocsp fetch request list
*/
static void unlock_ocsp_fetch_list(const char *who)
{
DBG(DBG_CONTROLMORE,
DBG_log("ocsp fetch request list unlocked by '%s'", who)
)
pthread_mutex_unlock(&ocsp_fetch_list_mutex);
}
/**
* Wakes up the sleeping fetch thread
*/
void wake_fetch_thread(const char *who)
{
if (crl_check_interval > 0)
{
DBG(DBG_CONTROLMORE,
DBG_log("fetch thread wake call by '%s'", who)
)
pthread_mutex_lock(&fetch_wake_mutex);
pthread_cond_signal(&fetch_wake_cond);
pthread_mutex_unlock(&fetch_wake_mutex);
}
}
#else /* !THREADS */
#define lock_crl_fetch_list(who) /* do nothing */
#define unlock_crl_fetch_list(who) /* do nothing */
#define lock_ocsp_fetch_list(who) /* do nothing */
#define unlock_ocsp_fetch_list(who) /* do nothing */
#endif /* !THREADS */
/**
* Free the dynamic memory used to store fetch requests
*/
static void free_fetch_request(fetch_req_t *req)
{
req->distributionPoints->destroy_function(req->distributionPoints, free);
DESTROY_IF(req->issuer);
free(req->authKeyID.ptr);
free(req);
}
#ifdef THREADS
/**
* Fetch an ASN.1 blob coded in PEM or DER format from a URL
*/
x509crl_t* fetch_crl(char *url)
{
x509crl_t *crl;
chunk_t blob;
DBG1(DBG_LIB, " fetching crl from '%s' ...", url);
if (lib->fetcher->fetch(lib->fetcher, url, &blob, FETCH_END) != SUCCESS)
{
DBG1(DBG_LIB, "crl fetching failed");
return FALSE;
}
crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
BUILD_BLOB_PEM, blob, BUILD_END);
free(blob.ptr);
if (!crl)
{
DBG1(DBG_LIB, "crl fetched successfully but data coded in unknown "
"format");
}
return crl;
}
/**
* Complete a distributionPoint URI with ca information
*/
static char* complete_uri(char *distPoint, const char *ldaphost)
{
char *symbol = strchr(distPoint, ':');
if (symbol)
{
int type_len = symbol - distPoint;
if (type_len >= 4 && strncasecmp(distPoint, "ldap", 4) == 0)
{
char *ptr = symbol + 1;
int len = strlen(distPoint) - (type_len + 1);
if (len > 2 && *ptr++ == '/' && *ptr++ == '/')
{
len -= 2;
symbol = strchr(ptr, '/');
if (symbol && symbol - ptr == 0 && ldaphost)
{
char uri[BUF_LEN];
/* insert the ldaphost into the uri */
snprintf(uri, BUF_LEN, "%.*s%s%.*s",
(int)strlen(distPoint) - len, distPoint, ldaphost,
len, symbol);
return strdup(uri);
}
}
}
}
/* default action: copy distributionPoint without change */
return strdup(distPoint);
}
/**
* Try to fetch the crls defined by the fetch requests
*/
static void fetch_crls(bool cache_crls)
{
fetch_req_t *req;
fetch_req_t **reqp;
lock_crl_fetch_list("fetch_crls");
req = crl_fetch_reqs;
reqp = &crl_fetch_reqs;
while (req != NULL)
{
enumerator_t *enumerator;
char *point;
bool valid_crl = FALSE;
const char *ldaphost;
ca_info_t *ca;
lock_ca_info_list("fetch_crls");
ca = get_ca_info(req->issuer, req->authKeyID);
ldaphost = (ca == NULL)? NULL : ca->ldaphost;
enumerator = req->distributionPoints->create_enumerator(req->distributionPoints);
while (enumerator->enumerate(enumerator, &point))
{
x509crl_t *crl;
char *uri;
uri = complete_uri(point, ldaphost);
crl = fetch_crl(uri);
free(uri);
if (crl)
{
if (insert_crl(crl, point, cache_crls))
{
DBG(DBG_CONTROL,
DBG_log("we have a valid crl")
)
valid_crl = TRUE;
break;
}
}
}
enumerator->destroy(enumerator);
unlock_ca_info_list("fetch_crls");
if (valid_crl)
{
/* delete fetch request */
fetch_req_t *req_free = req;
req = req->next;
*reqp = req;
free_fetch_request(req_free);
}
else
{
/* try again next time */
req->trials++;
reqp = &req->next;
req = req->next;
}
}
unlock_crl_fetch_list("fetch_crls");
}
static void fetch_ocsp_status(ocsp_location_t* location)
{
chunk_t request = build_ocsp_request(location);
chunk_t response = chunk_empty;
DBG1(DBG_LIB, " requesting ocsp status from '%s' ...", location->uri);
if (lib->fetcher->fetch(lib->fetcher, location->uri, &response,
FETCH_REQUEST_DATA, request,
FETCH_REQUEST_TYPE, "application/ocsp-request",
FETCH_END) == SUCCESS)
{
parse_ocsp(location, response);
}
else
{
DBG1(DBG_LIB, "ocsp request to %s failed", location->uri);
}
free(request.ptr);
chunk_free(&location->nonce);
/* increment the trial counter of the unresolved fetch requests */
{
ocsp_certinfo_t *certinfo = location->certinfo;
while (certinfo != NULL)
{
certinfo->trials++;
certinfo = certinfo->next;
}
}
}
/**
* Try to fetch the necessary ocsp information
*/
static void fetch_ocsp(void)
{
ocsp_location_t *location;
lock_ocsp_fetch_list("fetch_ocsp");
location = ocsp_fetch_reqs;
/* fetch the ocps status for all locations */
while (location != NULL)
{
if (location->certinfo != NULL)
{
fetch_ocsp_status(location);
}
location = location->next;
}
unlock_ocsp_fetch_list("fetch_ocsp");
}
static void* fetch_thread(void *arg)
{
struct timespec wait_interval;
/* the fetching thread is only cancellable while waiting for new events */
thread_cancelability(FALSE);
DBG(DBG_CONTROL,
DBG_log("fetch thread started")
)
pthread_mutex_lock(&fetch_wake_mutex);
while(1)
{
int status;
wait_interval.tv_nsec = 0;
wait_interval.tv_sec = time(NULL) + crl_check_interval;
DBG(DBG_CONTROL,
DBG_log("next regular crl check in %ld seconds", crl_check_interval)
)
thread_cancelability(TRUE);
status = pthread_cond_timedwait(&fetch_wake_cond, &fetch_wake_mutex
, &wait_interval);
thread_cancelability(FALSE);
if (status == ETIMEDOUT)
{
DBG(DBG_CONTROL,
DBG_log(" ");
DBG_log("*time to check crls and the ocsp cache")
)
check_ocsp();
check_crls();
}
else
{
DBG(DBG_CONTROL,
DBG_log("fetch thread was woken up")
)
}
fetch_ocsp();
fetch_crls(cache_crls);
}
return NULL;
}
#endif /* THREADS*/
/**
* Initializes curl and starts the fetching thread
*/
void fetch_initialize(void)
{
if (crl_check_interval > 0)
{
#ifdef THREADS
thread = thread_create((thread_main_t)fetch_thread, NULL);
if (thread == NULL)
{
plog("fetching thread could not be started");
}
#else /* !THREADS */
plog("warning: not compiled with pthread support");
#endif /* !THREADS */
}
}
/**
* Terminates the fetching thread
*/
void fetch_finalize(void)
{
if (crl_check_interval > 0)
{
#ifdef THREADS
if (thread)
{
thread->cancel(thread);
thread->join(thread);
}
#endif
}
}
void free_crl_fetch(void)
{
lock_crl_fetch_list("free_crl_fetch");
while (crl_fetch_reqs != NULL)
{
fetch_req_t *req = crl_fetch_reqs;
crl_fetch_reqs = req->next;
free_fetch_request(req);
}
unlock_crl_fetch_list("free_crl_fetch");
}
/**
* Free the chained list of ocsp requests
*/
void free_ocsp_fetch(void)
{
lock_ocsp_fetch_list("free_ocsp_fetch");
free_ocsp_locations(&ocsp_fetch_reqs);
unlock_ocsp_fetch_list("free_ocsp_fetch");
}
/**
* Add an additional distribution point
*/
void add_distribution_point(linked_list_t *points, char *new_point)
{
char *point;
bool add = TRUE;
enumerator_t *enumerator;
if (new_point == NULL || *new_point == '\0')
{
return;
}
enumerator = points->create_enumerator(points);
while (enumerator->enumerate(enumerator, &point))
{
if (streq(point, new_point))
{
add = FALSE;
break;
}
}
enumerator->destroy(enumerator);
if (add)
{
points->insert_last(points, strdup(new_point));
}
}
/**
* Add additional distribution points
*/
void add_distribution_points(linked_list_t *points, linked_list_t *new_points)
{
char *new_point;
enumerator_t *enumerator;
enumerator = new_points->create_enumerator(new_points);
while (enumerator->enumerate(enumerator, &new_point))
{
bool add = TRUE;
char *point;
enumerator_t *enumerator;
enumerator = points->create_enumerator(points);
while (enumerator->enumerate(enumerator, &point))
{
if (streq(point, new_point))
{
add = FALSE;
break;
}
}
enumerator->destroy(enumerator);
if (add)
{
points->insert_last(points, strdup(new_point));
}
}
enumerator->destroy(enumerator);
}
fetch_req_t* build_crl_fetch_request(identification_t *issuer,
chunk_t authKeyID,
linked_list_t *distributionPoints)
{
char *point;
enumerator_t *enumerator;
fetch_req_t *req = malloc_thing(fetch_req_t);
memset(req, 0, sizeof(fetch_req_t));
req->distributionPoints = linked_list_create();
/* clone fields */
req->issuer = issuer->clone(issuer);
req->authKeyID = chunk_clone(authKeyID);
/* copy distribution points */
enumerator = distributionPoints->create_enumerator(distributionPoints);
while (enumerator->enumerate(enumerator, &point))
{
req->distributionPoints->insert_last(req->distributionPoints,
strdup(point));
}
enumerator->destroy(enumerator);
return req;
}
/**
* Add a crl fetch request to the chained list
*/
void add_crl_fetch_request(fetch_req_t *req)
{
fetch_req_t *r;
lock_crl_fetch_list("add_crl_fetch_request");
r = crl_fetch_reqs;
while (r != NULL)
{
if (req->authKeyID.ptr ? same_keyid(req->authKeyID, r->authKeyID) :
req->issuer->equals(req->issuer, r->issuer))
{
/* there is already a fetch request */
DBG(DBG_CONTROL,
DBG_log("crl fetch request already exists")
)
/* there might be new distribution points */
add_distribution_points(r->distributionPoints,
req->distributionPoints);
unlock_crl_fetch_list("add_crl_fetch_request");
free_fetch_request(req);
return;
}
r = r->next;
}
/* insert new fetch request at the head of the queue */
req->next = crl_fetch_reqs;
crl_fetch_reqs = req;
DBG(DBG_CONTROL,
DBG_log("crl fetch request added")
)
unlock_crl_fetch_list("add_crl_fetch_request");
}
/**
* Add an ocsp fetch request to the chained list
*/
void add_ocsp_fetch_request(ocsp_location_t *location, chunk_t serialNumber)
{
ocsp_certinfo_t certinfo;
certinfo.serialNumber = serialNumber;
lock_ocsp_fetch_list("add_ocsp_fetch_request");
add_certinfo(location, &certinfo, &ocsp_fetch_reqs, TRUE);
unlock_ocsp_fetch_list("add_ocsp_fetch_request");
}
/**
* List all distribution points
*/
void list_distribution_points(linked_list_t *distributionPoints)
{
char *point;
bool first_point = TRUE;
enumerator_t *enumerator;
enumerator = distributionPoints->create_enumerator(distributionPoints);
while (enumerator->enumerate(enumerator, &point))
{
whack_log(RC_COMMENT, " %s '%s'",
(first_point)? "distPts: " : " ", point);
first_point = FALSE;
}
enumerator->destroy(enumerator);
}
/**
* List all fetch requests in the chained list
*/
void list_crl_fetch_requests(bool utc)
{
fetch_req_t *req;
lock_crl_fetch_list("list_crl_fetch_requests");
req = crl_fetch_reqs;
if (req != NULL)
{
whack_log(RC_COMMENT, " ");
whack_log(RC_COMMENT, "List of CRL Fetch Requests:");
}
while (req != NULL)
{
whack_log(RC_COMMENT, " ");
whack_log(RC_COMMENT, " trials: %d", req->trials);
whack_log(RC_COMMENT, " issuer: \"%Y\"", req->issuer);
if (req->authKeyID.ptr)
{
whack_log(RC_COMMENT, " authkey: %#B", &req->authKeyID);
}
list_distribution_points(req->distributionPoints);
req = req->next;
}
unlock_crl_fetch_list("list_crl_fetch_requests");
}
void list_ocsp_fetch_requests(bool utc)
{
lock_ocsp_fetch_list("list_ocsp_fetch_requests");
list_ocsp_locations(ocsp_fetch_reqs, TRUE, utc, FALSE);
unlock_ocsp_fetch_list("list_ocsp_fetch_requests");
}

82
src/pluto/fetch.h
View File

@ -1,82 +0,0 @@
/* Dynamic fetching of X.509 CRLs
* Copyright (C) 2002 Stephane Laroche <stephane.laroche@colubris.com>
* Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <utils/linked_list.h>
#include <utils/identification.h>
#include "x509.h"
#define FETCH_CMD_TIMEOUT 10 /* seconds */
struct ocsp_location; /* forward declaration of ocsp_location defined in ocsp.h */
typedef enum {
FETCH_GET = 1,
FETCH_POST = 2
} fetch_request_t;
typedef struct fetch_req fetch_req_t;
struct fetch_req {
fetch_req_t *next;
int trials;
identification_t *issuer;
chunk_t authKeyID;
linked_list_t *distributionPoints;
};
#ifdef THREADS
extern void lock_crl_list(const char *who);
extern void unlock_crl_list(const char *who);
extern void lock_ocsp_cache(const char *who);
extern void unlock_ocsp_cache(const char *who);
extern void lock_ca_info_list(const char *who);
extern void unlock_ca_info_list(const char *who);
extern void lock_authcert_list(const char *who);
extern void unlock_authcert_list(const char *who);
extern void lock_certs_and_keys(const char *who);
extern void unlock_certs_and_keys(const char *who);
extern void wake_fetch_thread(const char *who);
#else
#define lock_crl_list(who) /* do nothing */
#define unlock_crl_list(who) /* do nothing */
#define lock_ocsp_cache(who) /* do nothing */
#define unlock_ocsp_cache(who) /* do nothing */
#define lock_ca_info_list(who) /* do nothing */
#define unlock_ca_info_list(who) /* do nothing */
#define lock_authcert_list(who) /* do nothing */
#define unlock_authcert_list(who) /* do nothing */
#define lock_certs_and_keys(who) /* do nothing */
#define unlock_certs_and_keys(who) /* do nothing */
#define wake_fetch_thread(who) /* do nothing */
#endif
extern void fetch_initialize(void);
extern void fetch_finalize(void);
extern void free_crl_fetch(void);
extern void free_ocsp_fetch(void);
extern void add_distribution_point(linked_list_t *points, char* new_point);
extern void add_distribution_points(linked_list_t *points,
linked_list_t *new_points);
extern fetch_req_t* build_crl_fetch_request(identification_t *issuer,
chunk_t authKeyID,
linked_list_t *distributionPoints);
extern void add_crl_fetch_request(fetch_req_t *req);
extern void add_ocsp_fetch_request(struct ocsp_location *location,
chunk_t serialNumber);
extern void list_distribution_points(linked_list_t *distributionPoints);
extern void list_crl_fetch_requests(bool utc);
extern void list_ocsp_fetch_requests(bool utc);
extern size_t write_buffer(void *ptr, size_t size, size_t nmemb, void *data);

450
src/pluto/foodgroups.c
View File

@ -1,450 +0,0 @@
/* Implement policy groups-style control files (aka "foodgroups")
* Copyright (C) 2002 D. Hugh Redelmeier.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <string.h>
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/queue.h>
#include <freeswan.h>
#include "constants.h"
#include "defs.h"
#include "connections.h"
#include "foodgroups.h"
#include "kernel.h"
#include "lex.h"
#include "log.h"
#include "whack.h"
/* Food group config files are found in directory fg_path */
#ifndef POLICYGROUPSDIR
#define POLICYGROUPSDIR IPSEC_CONFDIR "/ipsec.d/policies"
#endif
const char *policygroups_dir = POLICYGROUPSDIR;
static char *fg_path = NULL;
static size_t fg_path_space = 0;
/* Groups is a list of connections that are policy groups.
* The list is updated as group connections are added and deleted.
*/
struct fg_groups {
struct fg_groups *next;
connection_t *connection;
};
static struct fg_groups *groups = NULL;
/* Targets is a list of pairs: subnet and its policy group.
* This list is bulk-updated on whack --listen and
* incrementally updated when group connections are deleted.
*
* It is ordered by source subnet, and if those are equal, then target subnet.
* A subnet is compared by comparing the network, and if those are equal,
* comparing the mask.
*/
struct fg_targets {
struct fg_targets *next;
struct fg_groups *group;
ip_subnet subnet;
char *name; /* name of instance of group conn */
};
static struct fg_targets *targets = NULL;
struct fg_targets *new_targets;
/* ipcmp compares the two ip_address values a and b.
* It returns -1, 0, or +1 if a is, respectively,
* less than, equal to, or greater than b.
*/
static int ipcmp(ip_address *a, ip_address *b)
{
if (addrtypeof(a) != addrtypeof(b))
{
return addrtypeof(a) < addrtypeof(b)? -1 : 1;
}
else if (sameaddr(a, b))
{
return 0;
}
else
{
const struct sockaddr *sa = sockaddrof(a)
, *sb = sockaddrof(b);
passert(addrtypeof(a) == AF_INET); /* not yet implemented IPv6 version :-( */
return (ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr)
< ntohl(((const struct sockaddr_in *)sb)->sin_addr.s_addr))
? -1 : 1;
}
}
/* subnetcmp compares the two ip_subnet values a and b.
* It returns -1, 0, or +1 if a is, respectively,
* less than, equal to, or greater than b.
*/
static int subnetcmp(const ip_subnet *a, const ip_subnet *b)
{
ip_address neta, maska, netb, maskb;
int r;
networkof(a, &neta);
maskof(a, &maska);
networkof(b, &netb);
maskof(b, &maskb);
r = ipcmp(&neta, &netb);
if (r == 0)
r = ipcmp(&maska, &maskb);
return r;
}
static void read_foodgroup(struct fg_groups *g)
{
const char *fgn = g->connection->name;
const ip_subnet *lsn = &g->connection->spd.this.client;
size_t plen = strlen(policygroups_dir) + 1 + strlen(fgn) + 1;
struct file_lex_position flp_space;
if (plen > fg_path_space)
{
free(fg_path);
fg_path_space = plen + 10;
fg_path = malloc(fg_path_space);
}
snprintf(fg_path, fg_path_space, "%s/%s", policygroups_dir, fgn);
if (!lexopen(&flp_space, fg_path, TRUE))
{
DBG(DBG_CONTROL, DBG_log("no group file \"%s\"", fg_path));
}
else
{
plog("loading group \"%s\"", fg_path);
for (;;)
{
switch (flp->bdry)
{
case B_none:
{
/* !!! this test is not sufficient for distinguishing address families.
* We need a notation to specify that a FQDN is to be resolved to IPv6.
*/
const struct af_info *afi = strchr(tok, ':') == NULL
? &af_inet4_info: &af_inet6_info;
ip_subnet sn;
err_t ugh;
if (strchr(tok, '/') == NULL)
{
/* no /, so treat as /32 or V6 equivalent */
ip_address t;
ugh = ttoaddr(tok, 0, afi->af, &t);
if (ugh == NULL)
ugh = addrtosubnet(&t, &sn);
}
else
{
ugh = ttosubnet(tok, 0, afi->af, &sn);
}
if (ugh != NULL)
{
loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s \"%s\""
, flp->filename, flp->lino, ugh, tok);
}
else if (afi->af != AF_INET)
{
loglog(RC_LOG_SERIOUS
, "\"%s\" line %d: unsupported Address Family \"%s\""
, flp->filename, flp->lino, tok);
}
else
{
/* Find where new entry ought to go in new_targets. */
struct fg_targets **pp;
int r;
for (pp = &new_targets; ; pp = &(*pp)->next)
{
if (*pp == NULL)
{
r = -1; /* end of list is infinite */
break;
}
r = subnetcmp(lsn, &(*pp)->group->connection->spd.this.client);
if (r == 0)
r = subnetcmp(&sn, &(*pp)->subnet);
if (r <= 0)
break;
}
if (r == 0)
{
char source[SUBNETTOT_BUF];
subnettot(lsn, 0, source, sizeof(source));
loglog(RC_LOG_SERIOUS
, "\"%s\" line %d: subnet \"%s\", source %s, already \"%s\""
, flp->filename
, flp->lino
, tok
, source
, (*pp)->group->connection->name);
}
else
{
struct fg_targets *f = malloc_thing(struct fg_targets);
f->next = *pp;
f->group = g;
f->subnet = sn;
f->name = NULL;
*pp = f;
}
}
}
(void)shift(); /* next */
continue;
case B_record:
flp->bdry = B_none; /* eat the Record Boundary */
(void)shift(); /* get real first token */
continue;
case B_file:
break; /* done */
}
break; /* if we reach here, out of loop */
}
lexclose();
}
}
static void free_targets(void)
{
while (targets != NULL)
{
struct fg_targets *t = targets;
targets = t->next;
free(t->name);
free(t);
}
}
void load_groups(void)
{
passert(new_targets == NULL);
/* for each group, add config file targets into new_targets */
{
struct fg_groups *g;
for (g = groups; g != NULL; g = g->next)
if (oriented(*g->connection))
read_foodgroup(g);
}
/* dump new_targets */
DBG(DBG_CONTROL,
{
struct fg_targets *t;
for (t = new_targets; t != NULL; t = t->next)
{
char asource[SUBNETTOT_BUF];
char atarget[SUBNETTOT_BUF];
subnettot(&t->group->connection->spd.this.client
, 0, asource, sizeof(asource));
subnettot(&t->subnet, 0, atarget, sizeof(atarget));
DBG_log("%s->%s %s"
, asource, atarget
, t->group->connection->name);
}
});
/* determine and deal with differences between targets and new_targets.
* structured like a merge.
*/
{
struct fg_targets *op = targets
, *np = new_targets;
while (op != NULL && np != NULL)
{
int r = subnetcmp(&op->group->connection->spd.this.client
, &np->group->connection->spd.this.client);
if (r == 0)
r = subnetcmp(&op->subnet, &np->subnet);
if (r == 0 && op->group == np->group)
{
/* unchanged -- steal name & skip over */
np->name = op->name;
op->name = NULL;
op = op->next;
np = np->next;
}
else
{
/* note: following cases overlap! */
if (r <= 0)
{
remove_group_instance(op->group->connection, op->name);
op = op->next;
}
if (r >= 0)
{
np->name = add_group_instance(np->group->connection, &np->subnet);
np = np->next;
}
}
}
for (; op != NULL; op = op->next)
remove_group_instance(op->group->connection, op->name);
for (; np != NULL; np = np->next)
np->name = add_group_instance(np->group->connection, &np->subnet);
/* update: new_targets replaces targets */
free_targets();
targets = new_targets;
new_targets = NULL;
}
}
void add_group(connection_t *c)
{
struct fg_groups *g = malloc_thing(struct fg_groups);
g->next = groups;
groups = g;
g->connection = c;
}
static struct fg_groups *find_group(const connection_t *c)
{
struct fg_groups *g;
for (g = groups; g != NULL && g->connection != c; g = g->next)
;
return g;
}
void route_group(connection_t *c)
{
/* it makes no sense to route a connection that is ISAKMP-only */
if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy))
{
loglog(RC_ROUTE, "cannot route an ISAKMP-only group connection");
}
else
{
struct fg_groups *g = find_group(c);
struct fg_targets *t;
passert(g != NULL);
g->connection->policy |= POLICY_GROUTED;
for (t = targets; t != NULL; t = t->next)
{
if (t->group == g)
{
connection_t *ci = con_by_name(t->name, FALSE);
if (ci != NULL)
{
set_cur_connection(ci);
if (!trap_connection(ci))
whack_log(RC_ROUTE, "could not route");
set_cur_connection(c);
}
}
}
}
}
void unroute_group(connection_t *c)
{
struct fg_groups *g = find_group(c);
struct fg_targets *t;
passert(g != NULL);
g->connection->policy &= ~POLICY_GROUTED;
for (t = targets; t != NULL; t = t->next)
{
if (t->group == g)
{
connection_t *ci = con_by_name(t->name, FALSE);
if (ci != NULL)
{
set_cur_connection(ci);
unroute_connection(ci);
set_cur_connection(c);
}
}
}
}
void delete_group(const connection_t *c)
{
struct fg_groups *g;
/* find and remove from groups */
{
struct fg_groups **pp;
for (pp = &groups; (g = *pp)->connection != c; pp = &(*pp)->next)
;
*pp = g->next;
}
/* find and remove from targets */
{
struct fg_targets **pp;
for (pp = &targets; *pp != NULL; )
{
struct fg_targets *t = *pp;
if (t->group == g)
{
*pp = t->next;
remove_group_instance(t->group->connection, t->name);
free(t);
/* pp is ready for next iteration */
}
else
{
pp = &t->next;
}
}
}
free(g);
}

22
src/pluto/foodgroups.h
View File

@ -1,22 +0,0 @@
/* Implement policygroups-style control files (aka "foodgroups")
* Copyright (C) 2002 D. Hugh Redelmeier.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
struct connection; /* forward declaration */
extern void add_group(struct connection *c);
extern void route_group(struct connection *c);
extern void unroute_group(struct connection *c);
extern void delete_group(const struct connection *c);
extern const char *policygroups_dir;
extern void load_groups(void);

Some files were not shown because too many files have changed in this diff Show More