1 | /* $FreeBSD: src/lib/libipsec/ipsec_dump_policy.c,v 1.1.2.1 2000/07/15 07:24:04 kris Exp $ */ |
2 | /* $KAME: ipsec_dump_policy.c,v 1.11 2000/05/07 05:29:47 itojun Exp $ */ | |
3 | ||
4 | /* | |
5 | * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. | |
6 | * All rights reserved. | |
7 | * | |
8 | * Redistribution and use in source and binary forms, with or without | |
9 | * modification, are permitted provided that the following conditions | |
10 | * are met: | |
11 | * 1. Redistributions of source code must retain the above copyright | |
12 | * notice, this list of conditions and the following disclaimer. | |
13 | * 2. Redistributions in binary form must reproduce the above copyright | |
14 | * notice, this list of conditions and the following disclaimer in the | |
15 | * documentation and/or other materials provided with the distribution. | |
16 | * 3. Neither the name of the project nor the names of its contributors | |
17 | * may be used to endorse or promote products derived from this software | |
18 | * without specific prior written permission. | |
19 | * | |
20 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND | |
21 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | |
24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
30 | * SUCH DAMAGE. | |
31 | */ | |
32 | ||
33 | #include <sys/types.h> | |
34 | #include <sys/param.h> | |
35 | #include <sys/socket.h> | |
36 | ||
37 | #include <netinet/in.h> |
38 | #include <netinet6/ipsec.h> | |
39 | ||
40 | #include <arpa/inet.h> | |
41 | ||
42 | #include <stdio.h> | |
43 | #include <stdlib.h> | |
44 | #include <string.h> | |
45 | #include <netdb.h> | |
46 | ||
47 | #include "ipsec_strerror.h" | |
48 | ||
/*
 * Textual names indexed directly by sadb_x_policy_dir (table order follows
 * the numeric IPSEC_DIR_* values).  ipsec_dump_policy() only indexes this
 * table after its switch on the direction has rejected any other value, so
 * an untrusted direction byte can never run off the end of the array.
 */
static const char *ipsp_dir_strs[] = {
	"any", "in", "out",
};

/*
 * Textual names indexed directly by sadb_x_policy_type (table order follows
 * the numeric IPSEC_POLICY_* values); same guarding switch applies before
 * any index into it.
 */
static const char *ipsp_policy_strs[] = {
	"discard", "none", "ipsec", "entrust", "bypass",
};
56 | ||
/*
 * File-local helpers (defined below).  __P() is the file's pre-ANSI
 * prototype wrapper; the "bound" argument of ipsec_dump_ipsecrequest is the
 * number of bytes that remain in the policy extension from the request on.
 */
static char *ipsec_dump_ipsecrequest __P((char *, size_t,
	struct sadb_x_ipsecrequest *, size_t));
static int set_addresses __P((char *, size_t, struct sockaddr *,
	struct sockaddr *));
static char *set_address __P((char *, size_t, struct sockaddr *));
62 | ||
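/*
 * Render an sadb_x_policy extension as a textual policy string:
 * "<dir> <policy>" followed, for IPSEC_POLICY_IPSEC, by one
 * "<proto>/<mode>/<addrs>/<level>" item per embedded sadb_x_ipsecrequest.
 *
 * policy    - sadb_x_policy buffer, possibly followed by sadb_x_ipsecrequest
 *             records up to PFKEY_EXTLEN(xpl) bytes.
 * delimiter - separator written before each request item; NULL means ' '.
 *
 * Returns a malloc()ed string the caller must free(), or NULL with
 * __ipsec_errcode set.  The request chain is walked once to validate its
 * framing before anything is printed from it: every record header must lie
 * inside the extension and advance the cursor by at least its own size,
 * so a zero or undersized sadb_x_ipsecrequest_len is rejected instead of
 * looping forever or reading past the extension.
 */
char *
ipsec_dump_policy(policy, delimiter)
	caddr_t policy;
	char *delimiter;
{
	struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
	struct sadb_x_ipsecrequest *xisr;
	size_t off, buflen, extlen, used;
	char *buf;
	char isrbuf[1024];
	char *newbuf;

	/* sanity check */
	if (policy == NULL)
		return NULL;
	if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
		__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
		return NULL;
	}

	/* set delimiter */
	if (delimiter == NULL)
		delimiter = " ";

	/* dir/type must be validated before they index the string tables */
	switch (xpl->sadb_x_policy_dir) {
	case IPSEC_DIR_ANY:
	case IPSEC_DIR_INBOUND:
	case IPSEC_DIR_OUTBOUND:
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_DIR;
		return NULL;
	}

	switch (xpl->sadb_x_policy_type) {
	case IPSEC_POLICY_DISCARD:
	case IPSEC_POLICY_NONE:
	case IPSEC_POLICY_IPSEC:
	case IPSEC_POLICY_BYPASS:
	case IPSEC_POLICY_ENTRUST:
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_POLICY;
		return NULL;
	}

	buflen = strlen(ipsp_dir_strs[xpl->sadb_x_policy_dir])
		+ 1	/* space */
		+ strlen(ipsp_policy_strs[xpl->sadb_x_policy_type])
		+ 1;	/* NUL */

	if ((buf = malloc(buflen)) == NULL) {
		__ipsec_errcode = EIPSEC_NO_BUFS;
		return NULL;
	}
	snprintf(buf, buflen, "%s %s", ipsp_dir_strs[xpl->sadb_x_policy_dir],
		ipsp_policy_strs[xpl->sadb_x_policy_type]);

	if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
		__ipsec_errcode = EIPSEC_NO_ERROR;
		return buf;
	}

	/*
	 * Validate the framing of the request chain.  Stop (leaving
	 * off != extlen) as soon as a record header would not fit in the
	 * remaining bytes or a record claims a length smaller than its own
	 * header; the check below then reports the message as malformed.
	 */
	extlen = PFKEY_EXTLEN(xpl);
	off = sizeof(*xpl);
	while (off < extlen) {
		if (extlen - off < sizeof(*xisr))
			break;
		xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
		if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr))
			break;
		off += xisr->sadb_x_ipsecrequest_len;
	}

	/* validity check: the chain must end exactly at the extension end */
	if (off != extlen) {
		__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
		free(buf);
		return NULL;
	}

	off = sizeof(*xpl);
	while (off < extlen) {
		xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);

		/* "bound" lets the dumper re-check its record against the end */
		if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr,
		    extlen - off) == NULL) {
			free(buf);
			return NULL;
		}

		used = strlen(buf);
		buflen = used + strlen(delimiter) + strlen(isrbuf) + 1;
		newbuf = realloc(buf, buflen);
		if (newbuf == NULL) {
			__ipsec_errcode = EIPSEC_NO_BUFS;
			free(buf);
			return NULL;
		}
		buf = newbuf;
		/*
		 * Append after the existing text.  Passing buf as both the
		 * destination and a %s source of snprintf() is undefined
		 * (overlapping objects), so write at the current end instead.
		 */
		snprintf(buf + used, buflen - used, "%s%s", delimiter, isrbuf);

		off += xisr->sadb_x_ipsecrequest_len;
	}

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return buf;
}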
171 | ||
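/*
 * Format one sadb_x_ipsecrequest record as "proto/mode/addrs/level" plus
 * an optional ":reqid" (manual reqid) or "#reqid" (reqid above
 * IPSEC_MANUAL_REQID_MAX) suffix.
 *
 * buf, len - output buffer; the result is bounded by len.
 * xisr     - the record to print.
 * bound    - bytes remaining in the enclosing extension from xisr on;
 *            the record may not claim more than this.
 *
 * Returns buf on success, NULL with __ipsec_errcode set otherwise.  The two
 * trailing sockaddrs (present only when the record is longer than its
 * header) are checked against the record length before either is read
 * beyond its sa_len byte, so a bogus sa1->sa_len cannot steer the sa2
 * read outside the record.
 */
static char *
ipsec_dump_ipsecrequest(buf, len, xisr, bound)
	char *buf;
	size_t len;
	struct sadb_x_ipsecrequest *xisr;
	size_t bound;	/* boundary */
{
	const char *proto, *mode, *level;
	char abuf[NI_MAXHOST * 2 + 2];

	if (xisr->sadb_x_ipsecrequest_len > bound) {
		__ipsec_errcode = EIPSEC_INVAL_PROTO;
		return NULL;
	}

	switch (xisr->sadb_x_ipsecrequest_proto) {
	case IPPROTO_ESP:
		proto = "esp";
		break;
	case IPPROTO_AH:
		proto = "ah";
		break;
	case IPPROTO_IPCOMP:
		proto = "ipcomp";
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_PROTO;
		return NULL;
	}

	switch (xisr->sadb_x_ipsecrequest_mode) {
	case IPSEC_MODE_ANY:
		mode = "any";
		break;
	case IPSEC_MODE_TRANSPORT:
		mode = "transport";
		break;
	case IPSEC_MODE_TUNNEL:
		mode = "tunnel";
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_MODE;
		return NULL;
	}

	abuf[0] = '\0';
	if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
		struct sockaddr *sa1, *sa2;
		caddr_t p;
		size_t alen;

		/* bytes available for the two trailing sockaddrs */
		alen = xisr->sadb_x_ipsecrequest_len - sizeof(*xisr);
		p = (caddr_t)(xisr + 1);
		sa1 = (struct sockaddr *)p;
		/*
		 * sa_len is the leading byte of a BSD sockaddr, so sa1->sa_len
		 * is readable once alen >= 1.  sa2 starts sa1->sa_len bytes in;
		 * require that offset to be strictly inside the record before
		 * its own sa_len byte is read.
		 */
		if ((size_t)sa1->sa_len >= alen) {
			__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
			return NULL;
		}
		sa2 = (struct sockaddr *)(p + sa1->sa_len);
		if ((size_t)sa1->sa_len + sa2->sa_len != alen) {
			__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
			return NULL;
		}
		if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) {
			__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
			return NULL;
		}
	}

	switch (xisr->sadb_x_ipsecrequest_level) {
	case IPSEC_LEVEL_DEFAULT:
		level = "default";
		break;
	case IPSEC_LEVEL_USE:
		level = "use";
		break;
	case IPSEC_LEVEL_REQUIRE:
		level = "require";
		break;
	case IPSEC_LEVEL_UNIQUE:
		level = "unique";
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_LEVEL;
		return NULL;
	}

	/* NOTE(review): output longer than len is silently truncated here */
	if (xisr->sadb_x_ipsecrequest_reqid == 0)
		snprintf(buf, len, "%s/%s/%s/%s", proto, mode, abuf, level);
	else {
		int ch;

		if (xisr->sadb_x_ipsecrequest_reqid > IPSEC_MANUAL_REQID_MAX)
			ch = '#';
		else
			ch = ':';
		snprintf(buf, len, "%s/%s/%s/%s%c%d", proto, mode, abuf, level,
			ch, xisr->sadb_x_ipsecrequest_reqid);
	}

	return buf;
}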
269 | ||
/*
 * Format "<sa1>-<sa2>" into buf using numeric host strings.
 * Returns 0 on success, -1 when either address cannot be rendered or the
 * joined result (including the '-' and the terminating NUL) would not fit
 * in len bytes.  buf is left untouched on failure.
 */
static int
set_addresses(buf, len, sa1, sa2)
	char *buf;
	size_t len;
	struct sockaddr *sa1;
	struct sockaddr *sa2;
{
	char src[NI_MAXHOST], dst[NI_MAXHOST];
	size_t need;

	if (set_address(src, sizeof(src), sa1) == NULL)
		return -1;
	if (set_address(dst, sizeof(dst), sa2) == NULL)
		return -1;

	/* refuse rather than truncate: "src" '-' "dst" NUL must all fit */
	need = strlen(src) + 1 + strlen(dst) + 1;
	if (need > len)
		return -1;

	snprintf(buf, len, "%s-%s", src, dst);
	return 0;
}
287 | ||
/*
 * Write the numeric host form of sa into buf (no DNS lookup).
 * Returns buf on success; NULL when len is zero or getnameinfo() fails.
 * buf is cleared before the lookup whenever len >= 1.
 */
static char *
set_address(buf, len, sa)
	char *buf;
	size_t len;
	struct sockaddr *sa;
{
	int flags = NI_NUMERICHOST;
#ifdef NI_WITHSCOPEID
	flags |= NI_WITHSCOPEID;
#endif

	if (len == 0)
		return NULL;

	buf[0] = '\0';
	if (getnameinfo(sa, sa->sa_len, buf, len, NULL, 0, flags) == 0)
		return buf;
	return NULL;
}