ipsec_dump_policy.c (55505) | ipsec_dump_policy.c (62583) |
---|---|
1/* $FreeBSD: head/lib/libipsec/ipsec_dump_policy.c 62583 2000-07-04 16:22:05Z itojun $ */ 2/* $KAME: ipsec_dump_policy.c,v 1.11 2000/05/07 05:29:47 itojun Exp $ */ 3 |
|
1/* 2 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright --- 11 unchanged lines hidden (view full) --- 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. | 4/* 5 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright --- 11 unchanged lines hidden (view full) --- 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. |
28 * 29 * $FreeBSD: head/lib/libipsec/ipsec_dump_policy.c 55505 2000-01-06 12:40:54Z shin $ | |
30 */ 31 32#include <sys/types.h> 33#include <sys/param.h> 34#include <sys/socket.h> 35 36#include <netkey/key_var.h> 37#include <netinet/in.h> 38#include <netinet6/ipsec.h> 39 40#include <arpa/inet.h> 41 | 31 */ 32 33#include <sys/types.h> 34#include <sys/param.h> 35#include <sys/socket.h> 36 37#include <netkey/key_var.h> 38#include <netinet/in.h> 39#include <netinet6/ipsec.h> 40 41#include <arpa/inet.h> 42 |
43#include <stdio.h> |
|
42#include <stdlib.h> 43#include <string.h> 44#include <netdb.h> 45 46#include "ipsec_strerror.h" 47 48static const char *ipsp_dir_strs[] = { 49 "any", "in", "out", 50}; 51 52static const char *ipsp_policy_strs[] = { 53 "discard", "none", "ipsec", "entrust", "bypass", 54}; 55 | 44#include <stdlib.h> 45#include <string.h> 46#include <netdb.h> 47 48#include "ipsec_strerror.h" 49 50static const char *ipsp_dir_strs[] = { 51 "any", "in", "out", 52}; 53 54static const char *ipsp_policy_strs[] = { 55 "discard", "none", "ipsec", "entrust", "bypass", 56}; 57 |
56static int set_addresses __P((char *buf, caddr_t ptr)); | 58static char *ipsec_dump_ipsecrequest __P((char *, size_t, 59 struct sadb_x_ipsecrequest *, size_t)); 60static int set_addresses __P((char *, size_t, struct sockaddr *, 61 struct sockaddr *)); 62static char *set_address __P((char *, size_t, struct sockaddr *)); |
57 58/* 59 * policy is sadb_x_policy buffer. 60 * Must call free() later. 61 * When delimiter == NULL, alternatively ' '(space) is applied. 62 */ 63char * 64ipsec_dump_policy(policy, delimiter) 65 caddr_t policy; 66 char *delimiter; 67{ 68 struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy; 69 struct sadb_x_ipsecrequest *xisr; | 63 64/* 65 * policy is sadb_x_policy buffer. 66 * Must call free() later. 67 * When delimiter == NULL, alternatively ' '(space) is applied. 68 */ 69char * 70ipsec_dump_policy(policy, delimiter) 71 caddr_t policy; 72 char *delimiter; 73{ 74 struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy; 75 struct sadb_x_ipsecrequest *xisr; |
70 int xtlen, buflen; | 76 size_t off, buflen; |
71 char *buf; | 77 char *buf; |
72 int error; | 78 char isrbuf[1024]; 79 char *newbuf; |
73 74 /* sanity check */ 75 if (policy == NULL) 76 return NULL; 77 if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) { | 80 81 /* sanity check */ 82 if (policy == NULL) 83 return NULL; 84 if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) { |
78 ipsec_errcode = EIPSEC_INVAL_EXTTYPE; | 85 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; |
79 return NULL; 80 } 81 82 /* set delimiter */ 83 if (delimiter == NULL) 84 delimiter = " "; 85 86 switch (xpl->sadb_x_policy_dir) { 87 case IPSEC_DIR_ANY: 88 case IPSEC_DIR_INBOUND: 89 case IPSEC_DIR_OUTBOUND: 90 break; 91 default: | 86 return NULL; 87 } 88 89 /* set delimiter */ 90 if (delimiter == NULL) 91 delimiter = " "; 92 93 switch (xpl->sadb_x_policy_dir) { 94 case IPSEC_DIR_ANY: 95 case IPSEC_DIR_INBOUND: 96 case IPSEC_DIR_OUTBOUND: 97 break; 98 default: |
92 ipsec_errcode = EIPSEC_INVAL_DIR; | 99 __ipsec_errcode = EIPSEC_INVAL_DIR; |
93 return NULL; 94 } 95 96 switch (xpl->sadb_x_policy_type) { 97 case IPSEC_POLICY_DISCARD: 98 case IPSEC_POLICY_NONE: 99 case IPSEC_POLICY_IPSEC: 100 case IPSEC_POLICY_BYPASS: 101 case IPSEC_POLICY_ENTRUST: 102 break; 103 default: | 100 return NULL; 101 } 102 103 switch (xpl->sadb_x_policy_type) { 104 case IPSEC_POLICY_DISCARD: 105 case IPSEC_POLICY_NONE: 106 case IPSEC_POLICY_IPSEC: 107 case IPSEC_POLICY_BYPASS: 108 case IPSEC_POLICY_ENTRUST: 109 break; 110 default: |
104 ipsec_errcode = EIPSEC_INVAL_POLICY; | 111 __ipsec_errcode = EIPSEC_INVAL_POLICY; |
105 return NULL; 106 } 107 108 buflen = strlen(ipsp_dir_strs[xpl->sadb_x_policy_dir]) 109 + 1 /* space */ 110 + strlen(ipsp_policy_strs[xpl->sadb_x_policy_type]) 111 + 1; /* NUL */ 112 113 if ((buf = malloc(buflen)) == NULL) { | 112 return NULL; 113 } 114 115 buflen = strlen(ipsp_dir_strs[xpl->sadb_x_policy_dir]) 116 + 1 /* space */ 117 + strlen(ipsp_policy_strs[xpl->sadb_x_policy_type]) 118 + 1; /* NUL */ 119 120 if ((buf = malloc(buflen)) == NULL) { |
114 ipsec_errcode = EIPSEC_NO_BUFS; | 121 __ipsec_errcode = EIPSEC_NO_BUFS; |
115 return NULL; 116 } | 122 return NULL; 123 } |
117 strcpy(buf, ipsp_dir_strs[xpl->sadb_x_policy_dir]); 118 strcat(buf, " "); 119 strcat(buf, ipsp_policy_strs[xpl->sadb_x_policy_type]); | 124 snprintf(buf, buflen, "%s %s", ipsp_dir_strs[xpl->sadb_x_policy_dir], 125 ipsp_policy_strs[xpl->sadb_x_policy_type]); |
120 121 if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { | 126 127 if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { |
122 ipsec_errcode = EIPSEC_NO_ERROR; | 128 __ipsec_errcode = EIPSEC_NO_ERROR; |
123 return buf; 124 } 125 | 129 return buf; 130 } 131 |
126 xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl); 127 xisr = (struct sadb_x_ipsecrequest *)(xpl + 1); 128 | |
129 /* count length of buffer for use */ | 132 /* count length of buffer for use */ |
130 /* XXX non-seriously */ 131 while (xtlen > 0) { 132 buflen += 20; 133 if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL) 134 buflen += 50; 135 xtlen -= xisr->sadb_x_ipsecrequest_len; 136 xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr 137 + xisr->sadb_x_ipsecrequest_len); | 133 off = sizeof(*xpl); 134 while (off < PFKEY_EXTLEN(xpl)) { 135 xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off); 136 off += xisr->sadb_x_ipsecrequest_len; |
138 } 139 140 /* validity check */ | 137 } 138 139 /* validity check */ |
141 if (xtlen < 0) { 142 ipsec_errcode = EIPSEC_INVAL_SADBMSG; | 140 if (off != PFKEY_EXTLEN(xpl)) { 141 __ipsec_errcode = EIPSEC_INVAL_SADBMSG; |
143 free(buf); 144 return NULL; 145 } 146 | 142 free(buf); 143 return NULL; 144 } 145 |
147 if ((buf = realloc(buf, buflen)) == NULL) { 148 ipsec_errcode = EIPSEC_NO_BUFS; 149 return NULL; 150 } | 146 off = sizeof(*xpl); 147 while (off < PFKEY_EXTLEN(xpl)) { 148 xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off); |
151 | 149 |
152 xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl); 153 xisr = (struct sadb_x_ipsecrequest *)(xpl + 1); 154 155 while (xtlen > 0) { 156 strcat(buf, delimiter); 157 158 switch (xisr->sadb_x_ipsecrequest_proto) { 159 case IPPROTO_ESP: 160 strcat(buf, "esp"); 161 break; 162 case IPPROTO_AH: 163 strcat(buf, "ah"); 164 break; 165 case IPPROTO_IPCOMP: 166 strcat(buf, "ipcomp"); 167 break; 168 default: 169 ipsec_errcode = EIPSEC_INVAL_PROTO; | 150 if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr, 151 PFKEY_EXTLEN(xpl) - off) == NULL) { |
170 free(buf); 171 return NULL; 172 } 173 | 152 free(buf); 153 return NULL; 154 } 155 |
174 strcat(buf, "/"); 175 176 switch (xisr->sadb_x_ipsecrequest_mode) { 177 case IPSEC_MODE_ANY: 178 strcat(buf, "any"); 179 break; 180 case IPSEC_MODE_TRANSPORT: 181 strcat(buf, "transport"); 182 break; 183 case IPSEC_MODE_TUNNEL: 184 strcat(buf, "tunnel"); 185 break; 186 default: 187 ipsec_errcode = EIPSEC_INVAL_MODE; | 156 buflen = strlen(buf) + strlen(delimiter) + strlen(isrbuf) + 1; 157 newbuf = (char *)realloc(buf, buflen); 158 if (newbuf == NULL) { 159 __ipsec_errcode = EIPSEC_NO_BUFS; |
188 free(buf); 189 return NULL; 190 } | 160 free(buf); 161 return NULL; 162 } |
163 buf = newbuf; 164 snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf); |
|
191 | 165 |
192 strcat(buf, "/"); | 166 off += xisr->sadb_x_ipsecrequest_len; 167 } |
193 | 168 |
194 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { 195 error = set_addresses(buf, (caddr_t)(xisr + 1)); 196 if (error) { 197 ipsec_errcode = EIPSEC_INVAL_MODE; 198 free(buf); 199 return NULL; 200 } 201 } | 169 __ipsec_errcode = EIPSEC_NO_ERROR; 170 return buf; 171} |
202 | 172 |
203 switch (xisr->sadb_x_ipsecrequest_level) { 204 case IPSEC_LEVEL_DEFAULT: 205 strcat(buf, "/default"); 206 break; 207 case IPSEC_LEVEL_USE: 208 strcat(buf, "/use"); 209 break; 210 case IPSEC_LEVEL_REQUIRE: 211 strcat(buf, "/require"); 212 break; 213 case IPSEC_LEVEL_UNIQUE: 214 strcat(buf, "/unique"); 215 break; 216 default: 217 ipsec_errcode = EIPSEC_INVAL_LEVEL; 218 free(buf); | 173static char * 174ipsec_dump_ipsecrequest(buf, len, xisr, bound) 175 char *buf; 176 size_t len; 177 struct sadb_x_ipsecrequest *xisr; 178 size_t bound; /* boundary */ 179{ 180 const char *proto, *mode, *level; 181 char abuf[NI_MAXHOST * 2 + 2]; 182 183 if (xisr->sadb_x_ipsecrequest_len > bound) { 184 __ipsec_errcode = EIPSEC_INVAL_PROTO; 185 return NULL; 186 } 187 188 switch (xisr->sadb_x_ipsecrequest_proto) { 189 case IPPROTO_ESP: 190 proto = "esp"; 191 break; 192 case IPPROTO_AH: 193 proto = "ah"; 194 break; 195 case IPPROTO_IPCOMP: 196 proto = "ipcomp"; 197 break; 198 default: 199 __ipsec_errcode = EIPSEC_INVAL_PROTO; 200 return NULL; 201 } 202 203 switch (xisr->sadb_x_ipsecrequest_mode) { 204 case IPSEC_MODE_ANY: 205 mode = "any"; 206 break; 207 case IPSEC_MODE_TRANSPORT: 208 mode = "transport"; 209 break; 210 case IPSEC_MODE_TUNNEL: 211 mode = "tunnel"; 212 break; 213 default: 214 __ipsec_errcode = EIPSEC_INVAL_MODE; 215 return NULL; 216 } 217 218 abuf[0] = '\0'; 219 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { 220 struct sockaddr *sa1, *sa2; 221 caddr_t p; 222 223 p = (caddr_t)(xisr + 1); 224 sa1 = (struct sockaddr *)p; 225 sa2 = (struct sockaddr *)(p + sa1->sa_len); 226 if (sizeof(*xisr) + sa1->sa_len + sa2->sa_len != 227 xisr->sadb_x_ipsecrequest_len) { 228 __ipsec_errcode = EIPSEC_INVAL_ADDRESS; |
219 return NULL; 220 } | 229 return NULL; 230 } |
231 if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) { 232 __ipsec_errcode = EIPSEC_INVAL_ADDRESS; 233 return NULL; 234 } 235 } |
|
221 | 236 |
222 xtlen -= xisr->sadb_x_ipsecrequest_len; 223 xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr 224 + xisr->sadb_x_ipsecrequest_len); | 237 switch (xisr->sadb_x_ipsecrequest_level) { 238 case IPSEC_LEVEL_DEFAULT: 239 level = "default"; 240 break; 241 case IPSEC_LEVEL_USE: 242 level = "use"; 243 break; 244 case IPSEC_LEVEL_REQUIRE: 245 level = "require"; 246 break; 247 case IPSEC_LEVEL_UNIQUE: 248 level = "unique"; 249 break; 250 default: 251 __ipsec_errcode = EIPSEC_INVAL_LEVEL; 252 return NULL; |
225 } 226 | 253 } 254 |
227 ipsec_errcode = EIPSEC_NO_ERROR; | 255 if (xisr->sadb_x_ipsecrequest_reqid == 0) 256 snprintf(buf, len, "%s/%s/%s/%s", proto, mode, abuf, level); 257 else { 258 int ch; 259 260 if (xisr->sadb_x_ipsecrequest_reqid > IPSEC_MANUAL_REQID_MAX) 261 ch = '#'; 262 else 263 ch = ':'; 264 snprintf(buf, len, "%s/%s/%s/%s%c%d", proto, mode, abuf, level, 265 ch, xisr->sadb_x_ipsecrequest_reqid); 266 } 267 |
228 return buf; 229} 230 231static int | 268 return buf; 269} 270 271static int |
232set_addresses(buf, ptr) | 272set_addresses(buf, len, sa1, sa2) |
233 char *buf; | 273 char *buf; |
234 caddr_t ptr; | 274 size_t len; 275 struct sockaddr *sa1; 276 struct sockaddr *sa2; |
235{ | 277{ |
236 char tmp[100]; /* XXX */ 237 struct sockaddr *saddr = (struct sockaddr *)ptr; | 278 char tmp1[NI_MAXHOST], tmp2[NI_MAXHOST]; |
238 | 279 |
239 getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp), 240 NULL, 0, NI_NUMERICHOST); | 280 if (set_address(tmp1, sizeof(tmp1), sa1) == NULL || 281 set_address(tmp2, sizeof(tmp2), sa2) == NULL) 282 return -1; 283 if (strlen(tmp1) + 1 + strlen(tmp2) + 1 > len) 284 return -1; 285 snprintf(buf, len, "%s-%s", tmp1, tmp2); 286 return 0; 287} |
241 | 288 |
242 strcat(buf, tmp); | 289static char * 290set_address(buf, len, sa) 291 char *buf; 292 size_t len; 293 struct sockaddr *sa; 294{ 295#ifdef NI_WITHSCOPEID 296 const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID; 297#else 298 const int niflags = NI_NUMERICHOST; 299#endif |
243 | 300 |
244 strcat(buf, "-"); 245 246 saddr = (struct sockaddr *)((caddr_t)saddr + saddr->sa_len); 247 getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp), 248 NULL, 0, NI_NUMERICHOST); 249 250 strcat(buf, tmp); 251 252 return 0; | 301 if (len < 1) 302 return NULL; 303 buf[0] = '\0'; 304 if (getnameinfo(sa, sa->sa_len, buf, len, NULL, 0, niflags) != 0) 305 return NULL; 306 return buf; |
253} | 307} |