1: /* $NetBSD: racoonctl.c,v 1.18 2010/11/12 09:08:26 tteras Exp $ */
2:
3: /* Id: racoonctl.c,v 1.11 2006/04/06 17:06:25 manubsd Exp */
4:
5: /*
6: * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7: * Copyright (C) 2008 Timo Teras.
8: * All rights reserved.
9: *
10: * Redistribution and use in source and binary forms, with or without
11: * modification, are permitted provided that the following conditions
12: * are met:
13: * 1. Redistributions of source code must retain the above copyright
14: * notice, this list of conditions and the following disclaimer.
15: * 2. Redistributions in binary form must reproduce the above copyright
16: * notice, this list of conditions and the following disclaimer in the
17: * documentation and/or other materials provided with the distribution.
18: * 3. Neither the name of the project nor the names of its contributors
19: * may be used to endorse or promote products derived from this software
20: * without specific prior written permission.
21: *
22: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
23: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
26: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32: * SUCH DAMAGE.
33: */
34:
35: #include "config.h"
36:
37: #include <sys/types.h>
38: #include <sys/param.h>
39: #include <sys/socket.h>
40: #include <sys/un.h>
41:
42: #include <netinet/in.h>
43: #include <arpa/inet.h>
44: #include <net/pfkeyv2.h>
45:
46: #include <stdlib.h>
47: #include <stdio.h>
48: #include <string.h>
49: #include <errno.h>
50: #if TIME_WITH_SYS_TIME
51: # include <sys/time.h>
52: # include <time.h>
53: #else
54: # if HAVE_SYS_TIME_H
55: # include <sys/time.h>
56: # else
57: # include <time.h>
58: # endif
59: #endif
60: #include <netdb.h>
61: #ifdef HAVE_UNISTD_H
62: #include <unistd.h>
63: #endif
64: #include <err.h>
65: #include <sys/ioctl.h>
66: #include <resolv.h>
67:
68: #include "var.h"
69: #include "vmbuf.h"
70: #include "misc.h"
71: #include "gcmalloc.h"
72:
73: #include "racoonctl.h"
74: #include "admin.h"
75: #include "schedule.h"
76: #include "handler.h"
77: #include "sockmisc.h"
78: #include "vmbuf.h"
79: #include "plog.h"
80: #include "isakmp_var.h"
81: #include "isakmp.h"
82: #include "isakmp_xauth.h"
83: #include "isakmp_cfg.h"
84: #include "isakmp_unity.h"
85: #include "ipsec_doi.h"
86: #include "evt.h"
87:
88: char *adminsock_path = ADMINSOCK_PATH;
89:
90: static void usage __P((void));
91: static vchar_t *get_combuf __P((int, char **));
92: static int handle_recv __P((vchar_t *));
93: static vchar_t *f_reload __P((int, char **));
94: static vchar_t *f_getsched __P((int, char **));
95: static vchar_t *f_getsa __P((int, char **));
96: static vchar_t *f_getsacert __P((int, char **));
97: static vchar_t *f_flushsa __P((int, char **));
98: static vchar_t *f_deletesa __P((int, char **));
99: static vchar_t *f_exchangesa __P((int, char **));
100: static vchar_t *f_vpnc __P((int, char **));
101: static vchar_t *f_vpnd __P((int, char **));
102: static vchar_t *f_getevt __P((int, char **));
103: #ifdef ENABLE_HYBRID
104: static vchar_t *f_logoutusr __P((int, char **));
105: #endif
106:
107: struct cmd_tag {
108: vchar_t *(*func) __P((int, char **));
109: char *str;
110: } cmdtab[] = {
111: { f_reload, "reload-config" },
112: { f_reload, "rc" },
113: { f_getsched, "show-schedule" },
114: { f_getsched, "sc" },
115: { f_getsa, "show-sa" },
116: { f_getsa, "ss" },
117: { f_getsacert, "get-cert" },
118: { f_getsacert, "gc" },
119: { f_flushsa, "flush-sa" },
120: { f_flushsa, "fs" },
121: { f_deletesa, "delete-sa" },
122: { f_deletesa, "ds" },
123: { f_exchangesa, "establish-sa" },
124: { f_exchangesa, "es" },
125: { f_vpnc, "vpn-connect" },
126: { f_vpnc, "vc" },
127: { f_vpnd, "vpn-disconnect" },
128: { f_vpnd, "vd" },
129: { f_getevt, "show-event" },
130: { f_getevt, "se" },
131: #ifdef ENABLE_HYBRID
132: { f_logoutusr, "logout-user" },
133: { f_logoutusr, "lu" },
134: #endif
135: { NULL, NULL },
136: };
137:
138: struct evtmsg {
139: int type;
140: char *msg;
141: } evtmsg[] = {
142: { EVT_RACOON_QUIT, "Racoon terminated" },
143:
144: { EVT_PHASE1_UP, "Phase 1 established" },
145: { EVT_PHASE1_DOWN, "Phase 1 deleted" },
146: { EVT_PHASE1_NO_RESPONSE, "Phase 1 error: peer not responding" },
147: { EVT_PHASE1_NO_PROPOSAL, "Phase 1 error: no proposal chosen" },
148: { EVT_PHASE1_AUTH_FAILED,
149: "Phase 1 error: authentication failed (bad certificate?)" },
150: { EVT_PHASE1_DPD_TIMEOUT, "Phase 1 error: dead peer detected" },
151: { EVT_PHASE1_MODE_CFG, "Phase 1 mode configuration done" },
152: { EVT_PHASE1_XAUTH_SUCCESS, "Phase 1 Xauth succeeded" },
153: { EVT_PHASE1_XAUTH_FAILED, "Phase 1 Xauth failed" },
154:
155: { EVT_PHASE2_NO_PHASE1, "Phase 2 error: no suitable phase 1" },
156: { EVT_PHASE2_UP, "Phase 2 established" },
157: { EVT_PHASE2_DOWN, "Phase 2 deleted" },
158: { EVT_PHASE2_NO_RESPONSE, "Phase 2 error: no response" },
159: };
160:
161: static vchar_t *get_proto_and_index __P((int, char **, u_int16_t *));
162: static int get_proto __P((char *));
163: static vchar_t *get_index __P((int, char **));
164: static int get_family __P((char *));
165: static vchar_t *get_comindexes __P((int, int, char **));
166: static int get_comindex __P((char *, char **, char **, char **));
167: static int get_ulproto __P((char *));
168:
169: struct proto_tag {
170: int proto;
171: char *str;
172: } prototab[] = {
173: { ADMIN_PROTO_ISAKMP, "isakmp" },
174: { ADMIN_PROTO_IPSEC, "ipsec" },
175: { ADMIN_PROTO_AH, "ah" },
176: { ADMIN_PROTO_ESP, "esp" },
177: { ADMIN_PROTO_INTERNAL, "internal" },
178: { 0, NULL },
179: };
180:
181: struct ulproto_tag {
182: int ul_proto;
183: char *str;
184: } ulprototab[] = {
185: { 0, "any" },
186: { IPPROTO_ICMP, "icmp" },
187: { IPPROTO_TCP, "tcp" },
188: { IPPROTO_UDP, "udp" },
189: { IPPROTO_GRE, "gre" },
190: { 0, NULL },
191: };
192:
193: int so;
194:
195: static char _addr1_[NI_MAXHOST], _addr2_[NI_MAXHOST];
196:
197: char *pname;
198: int long_format = 0;
199: int evt_quit_event = 0;
200:
201: void dump_isakmp_sa __P((char *, int));
202: void dump_internal __P((char *, int));
203: char *pindex_isakmp __P((isakmp_index *));
204: void print_schedule __P((caddr_t, int));
205: void print_evt __P((struct evt_async *));
206: char * fixed_addr __P((char *, char *, int));
207:
208: static void
209: usage()
210: {
211: printf(
212: "Usage:\n"
213: " %s [opts] reload-config\n"
214: " %s [opts] show-schedule\n"
215: " %s [opts] show-sa [protocol]\n"
216: " %s [opts] flush-sa [protocol]\n"
217: " %s [opts] delete-sa <saopts>\n"
218: " %s [opts] establish-sa [-u identity] [-n remoteconf] [-w] <saopts>\n"
219: " %s [opts] vpn-connect [-u identity] vpn_gateway\n"
220: " %s [opts] vpn-disconnect vpn_gateway\n"
221: " %s [opts] show-event\n"
222: " %s [opts] logout-user login\n"
223: "\n"
224: "General options:\n"
225: " -d Debug: hexdump admin messages before sending\n"
226: " -l Increase output verbosity (mainly for show-sa)\n"
227: " -s <socket> Specify adminport socket to use (default: %s)\n"
228: "\n"
229: "Parameter specifications:\n"
230: " <protocol>: \"isakmp\", \"esp\" or \"ah\".\n"
231: " In the case of \"show-sa\" or \"flush-sa\", you can use \"ipsec\".\n"
232: "\n"
233: " <saopts>: \"isakmp\" <family> <src> <dst>\n"
234: " : {\"esp\",\"ah\"} <family> <src/prefixlen/port> <dst/prefixlen/port>\n"
235: " <ul_proto>\n"
236: " <family>: \"inet\" or \"inet6\"\n"
237: " <ul_proto>: \"icmp\", \"tcp\", \"udp\", \"gre\" or \"any\"\n"
238: "\n",
239: pname, pname, pname, pname, pname, pname, pname, pname, pname, pname,
240: ADMINSOCK_PATH);
241: }
242:
243: /*
244: * Check for proper racoonctl interface
245: */
246: #if ((RACOONCTL_INTERFACE_MAJOR != 1) || (RACOONCTL_INTERFACE < 20041230))
247: #error "Incompatible racoonctl interface"
248: #endif
249:
250: int
251: main(ac, av)
252: int ac;
253: char **av;
254: {
255: vchar_t *combuf;
256: int c;
257:
258: pname = *av;
259:
260: /*
261: * Check for proper racoonctl interface
262: */
263: if ((racoonctl_interface_major != RACOONCTL_INTERFACE_MAJOR) ||
264: (racoonctl_interface < RACOONCTL_INTERFACE))
265: errx(1, "Incompatible racoonctl interface");
266:
267: #ifdef __linux__
268: /*
269: * Disable GNU extensions that will prevent racoonct vc -u login
270: * from working (GNU getopt(3) does not like options after vc)
271: */
272: setenv("POSIXLY_CORRECT", "1", 0);
273: #endif
274: while ((c = getopt(ac, av, "lds:")) != -1) {
275: switch(c) {
276: case 'l':
277: long_format++;
278: break;
279:
280: case 'd':
281: loglevel++;
282: break;
283:
284: case 's':
285: adminsock_path = optarg;
286: break;
287:
288: default:
289: usage();
290: exit(0);
291: }
292: }
293:
294: ac -= optind;
295: av += optind;
296:
297: combuf = get_combuf(ac, av);
298: if (!combuf)
299: err(1, "kmpstat");
300:
301: if (loglevel)
302: racoon_hexdump(combuf, ((struct admin_com *)combuf)->ac_len);
303:
304: com_init();
305:
306: if (com_send(combuf) != 0)
307: goto bad;
308:
309: vfree(combuf);
310:
311: do {
312: if (com_recv(&combuf) != 0)
313: goto bad;
314: if (handle_recv(combuf) != 0)
315: goto bad;
316: vfree(combuf);
317: } while (evt_quit_event != 0);
318:
319: close(so);
320: exit(0);
321:
322: bad:
323: close(so);
324: if (errno == EEXIST)
325: exit(0);
326: exit(1);
327: }
328:
329: /* %%% */
330: /*
331: * return command buffer.
332: */
333: static vchar_t *
334: get_combuf(ac, av)
335: int ac;
336: char **av;
337: {
338: struct cmd_tag *cp;
339:
340: if (ac == 0) {
341: usage();
342: exit(0);
343: }
344:
345: /* checking the string of command. */
346: for (cp = &cmdtab[0]; cp->str; cp++) {
347: if (strcmp(*av, cp->str) == 0) {
348: break;
349: }
350: }
351: if (!cp->str) {
352: printf("Invalid command [%s]\n", *av);
353: errno = EINVAL;
354: return NULL;
355: }
356:
357: ac--;
358: av++;
359: return (cp->func)(ac, av);
360: }
361:
362: static vchar_t *
363: make_request(u_int16_t cmd, u_int16_t proto, size_t len)
364: {
365: vchar_t *buf;
366: struct admin_com *head;
367:
368: buf = vmalloc(sizeof(struct admin_com) + len);
369: if (buf == NULL)
370: errx(1, "not enough core");
371:
372: head = (struct admin_com *) buf->v;
373: head->ac_len = buf->l;
374: head->ac_cmd = ADMIN_FLAG_VERSION | cmd;
375: head->ac_version = 1;
376: head->ac_proto = proto;
377:
378: return buf;
379: }
380:
381: static vchar_t *
382: f_reload(ac, av)
383: int ac;
384: char **av;
385: {
386: return make_request(ADMIN_RELOAD_CONF, 0, 0);
387: }
388:
389: static vchar_t *
390: f_getevt(ac, av)
391: int ac;
392: char **av;
393: {
394: evt_quit_event = -1;
395: if (ac >= 1)
396: errx(1, "too many arguments");
397:
398: return make_request(ADMIN_SHOW_EVT, 0, 0);
399: }
400:
401: static vchar_t *
402: f_getsched(ac, av)
403: int ac;
404: char **av;
405: {
406: return make_request(ADMIN_SHOW_SCHED, 0, 0);
407: }
408:
409: static vchar_t *
410: f_getsa(ac, av)
411: int ac;
412: char **av;
413: {
414: int proto;
415:
416: /* need protocol */
417: if (ac != 1)
418: errx(1, "insufficient arguments");
419: proto = get_proto(*av);
420: if (proto == -1)
421: errx(1, "unknown protocol %s", *av);
422:
423: return make_request(ADMIN_SHOW_SA, proto, 0);
424: }
425:
426: static vchar_t *
427: f_getsacert(ac, av)
428: int ac;
429: char **av;
430: {
431: vchar_t *buf, *index;
432: struct admin_com_indexes *com;
433:
434: index = get_index(ac, av);
435: if (index == NULL)
436: return NULL;
437:
438: com = (struct admin_com_indexes *) index->v;
439: buf = make_request(ADMIN_GET_SA_CERT, ADMIN_PROTO_ISAKMP, index->l);
440: if (buf == NULL)
441: errx(1, "Cannot allocate buffer");
442:
443: memcpy(buf->v+sizeof(struct admin_com), index->v, index->l);
444:
445: vfree(index);
446:
447: return buf;
448: }
449:
450: static vchar_t *
451: f_flushsa(ac, av)
452: int ac;
453: char **av;
454: {
455: vchar_t *buf;
456: struct admin_com *head;
457: int proto;
458:
459: /* need protocol */
460: if (ac != 1)
461: errx(1, "insufficient arguments");
462: proto = get_proto(*av);
463: if (proto == -1)
464: errx(1, "unknown protocol %s", *av);
465:
466: return make_request(ADMIN_FLUSH_SA, proto, 0);
467: }
468:
469: static vchar_t *
470: f_deletesa(ac, av)
471: int ac;
472: char **av;
473: {
474: vchar_t *buf, *index;
475: int proto;
476:
477: /* need protocol */
478: if (ac < 1)
479: errx(1, "insufficient arguments");
480: proto = get_proto(*av);
481: if (proto == -1)
482: errx(1, "unknown protocol %s", *av);
483:
484: /* get index(es) */
485: av++;
486: ac--;
487: switch (proto) {
488: case ADMIN_PROTO_ISAKMP:
489: index = get_index(ac, av);
490: if (index == NULL)
491: return NULL;
492: break;
493: case ADMIN_PROTO_AH:
494: case ADMIN_PROTO_ESP:
495: index = get_index(ac, av);
496: if (index == NULL)
497: return NULL;
498: break;
499: default:
500: errno = EPROTONOSUPPORT;
501: return NULL;
502: }
503:
504: buf = make_request(ADMIN_DELETE_SA, proto, index->l);
505: if (buf == NULL)
506: goto out;
507:
508: memcpy(buf->v + sizeof(struct admin_com), index->v, index->l);
509:
510: out:
511: if (index != NULL)
512: vfree(index);
513:
514: return buf;
515: }
516:
517: static vchar_t *
518: f_deleteallsadst(ac, av)
519: int ac;
520: char **av;
521: {
522: vchar_t *buf, *index;
523: u_int16_t proto;
524:
525: index = get_proto_and_index(ac, av, &proto);
526: if (index == NULL)
527: return NULL;
528:
529: buf = make_request(ADMIN_DELETE_ALL_SA_DST, proto, index->l);
530: if (buf == NULL)
531: goto out;
532:
533: memcpy(buf->v+sizeof(struct admin_com), index->v, index->l);
534:
535: out:
536: if (index != NULL)
537: vfree(index);
538:
539: return buf;
540: }
541:
542: static vchar_t *
543: f_exchangesa(ac, av)
544: int ac;
545: char **av;
546: {
547: vchar_t *buf, *index;
548: u_int16_t proto;
549: int cmd = ADMIN_ESTABLISH_SA;
550: size_t com_len = 0;
551: char *id = NULL;
552: char *key = NULL;
553: char *remoteconf = NULL;
554: struct admin_com_psk *acp;
555: int wait = 0;
556:
557: if (ac < 1)
558: errx(1, "insufficient arguments");
559:
560: /* Optional -u identity */
561: if (strcmp(av[0], "-u") == 0) {
562: if (ac < 2)
563: errx(1, "-u require an argument");
564:
565: id = av[1];
566: if ((key = getpass("Password: ")) == NULL)
567: errx(1, "getpass() failed: %s", strerror(errno));
568:
569: com_len += sizeof(*acp) + strlen(id) + 1 + strlen(key) + 1;
570: cmd = ADMIN_ESTABLISH_SA_PSK;
571:
572: av += 2;
573: ac -= 2;
574: }
575:
576: if (ac >= 2 && strcmp(av[0], "-n") == 0) {
577: /* Remoteconf name */
578: remoteconf = av[1];
579: av += 2;
580: ac -= 2;
581: }
582:
583: if (ac >= 1 && strcmp(av[0], "-w") == 0) {
584: wait = 1;
585: av++;
586: ac--;
587: }
588:
589: index = get_proto_and_index(ac, av, &proto);
590: if (index == NULL)
591: return NULL;
592:
593: if (proto == ADMIN_PROTO_ISAKMP && cmd == ADMIN_ESTABLISH_SA &&
594: remoteconf != NULL)
595: com_len += strlen(remoteconf) + 1;
596:
597: if (wait) {
598: switch (proto) {
599: case ADMIN_PROTO_ISAKMP:
600: evt_quit_event = EVT_PHASE1_MODE_CFG;
601: break;
602: case ADMIN_PROTO_AH:
603: case ADMIN_PROTO_ESP:
604: evt_quit_event = EVT_PHASE2_UP;
605: break;
606: default:
607: errno = EPROTONOSUPPORT;
608: return NULL;
609: }
610: }
611:
612: com_len += index->l;
613: buf = make_request(cmd, proto, com_len);
614: if (buf == NULL)
615: errx(1, "Cannot allocate buffer");
616:
617: memcpy(buf->v+sizeof(struct admin_com), index->v, index->l);
618:
619: if (proto == ADMIN_PROTO_ISAKMP && cmd == ADMIN_ESTABLISH_SA &&
620: remoteconf != NULL) {
621: strcpy(buf->v + sizeof(struct admin_com) + index->l,
622: remoteconf);
623: } else if (id && key) {
624: char *data;
625: acp = (struct admin_com_psk *)
626: (buf->v + sizeof(struct admin_com) + index->l);
627:
628: acp->id_type = IDTYPE_USERFQDN;
629: acp->id_len = strlen(id) + 1;
630: acp->key_len = strlen(key) + 1;
631:
632: data = (char *)(acp + 1);
633: strcpy(data, id);
634:
635: data = (char *)(data + acp->id_len);
636: strcpy(data, key);
637: }
638:
639: vfree(index);
640:
641: return buf;
642: }
643:
644: static vchar_t *
645: f_vpnc(ac, av)
646: int ac;
647: char **av;
648: {
649: char *nav[] = {NULL, NULL, NULL, NULL, NULL, NULL};
650: int nac = 0;
651: char *isakmp = "isakmp";
652: char *inet = "inet";
653: char *srcaddr;
654: struct addrinfo hints, *res;
655: struct sockaddr *src;
656: char *idx;
657:
658: if (ac < 1)
659: errx(1, "insufficient arguments");
660:
661: evt_quit_event = EVT_PHASE1_MODE_CFG;
662:
663: /* Optional -u identity */
664: if (strcmp(av[0], "-u") == 0) {
665: if (ac < 2)
666: errx(1, "-u require an argument");
667:
668: nav[nac++] = av[0];
669: nav[nac++] = av[1];
670:
671: ac -= 2;
672: av += 2;
673: }
674:
675: if (ac < 1)
676: errx(1, "VPN gateway required");
677: if (ac > 1)
678: warnx("Extra arguments");
679:
680: /*
681: * Find the source address
682: */
683: memset(&hints, 0, sizeof(hints));
684: hints.ai_family = PF_UNSPEC;
685: hints.ai_socktype = SOCK_DGRAM;
686: if (getaddrinfo(av[0], "4500", &hints, &res) != 0)
687: errx(1, "Cannot resolve destination address");
688:
689: if ((src = getlocaladdr(res->ai_addr)) == NULL)
690: errx(1, "cannot find source address");
691:
692: if ((srcaddr = saddr2str(src)) == NULL)
693: errx(1, "cannot read source address");
694:
695: /* We get "ip[port]" strip the port */
696: if ((idx = index(srcaddr, '[')) == NULL)
697: errx(1, "unexpected source address format");
698: *idx = '\0';
699:
700: nav[nac++] = isakmp;
701: nav[nac++] = inet;
702: nav[nac++] = srcaddr;
703: nav[nac++] = av[0];
704:
705: return f_exchangesa(nac, nav);
706: }
707:
708: static vchar_t *
709: f_vpnd(ac, av)
710: int ac;
711: char **av;
712: {
713: char *nav[] = {NULL, NULL, NULL, NULL};
714: int nac = 0;
715: char *isakmp = "isakmp";
716: char *inet = "inet";
717: char *anyaddr = "0.0.0.0";
718: char *idx;
719:
720: if (ac < 1)
721: errx(1, "VPN gateway required");
722: if (ac > 1)
723: warnx("Extra arguments");
724:
725: evt_quit_event = EVT_PHASE1_DOWN;
726:
727: nav[nac++] = isakmp;
728: nav[nac++] = inet;
729: nav[nac++] = anyaddr;
730: nav[nac++] = av[0];
731:
732: return f_deleteallsadst(nac, nav);
733: }
734:
735: #ifdef ENABLE_HYBRID
736: static vchar_t *
737: f_logoutusr(ac, av)
738: int ac;
739: char **av;
740: {
741: vchar_t *buf;
742: char *user;
743: size_t userlen;
744:
745: /* need username */
746: if (ac < 1)
747: errx(1, "insufficient arguments");
748: user = av[0];
749: userlen = strlen(user);
750: if ((user == NULL) || (userlen > LOGINLEN))
751: errx(1, "bad login (too long?)");
752:
753: buf = make_request(ADMIN_LOGOUT_USER, 0, userlen);
754: if (buf == NULL)
755: return NULL;
756:
757: strncpy(buf->v + sizeof(struct admin_com), user, userlen);
758:
759: return buf;
760: }
761: #endif /* ENABLE_HYBRID */
762:
763: static vchar_t *
764: get_proto_and_index(ac, av, proto)
765: int ac;
766: char **av;
767: u_int16_t *proto;
768: {
769: vchar_t *index = NULL;
770:
771: /* need protocol */
772: if (ac < 1)
773: errx(1, "insufficient arguments");
774: *proto = get_proto(*av);
775: if (*proto == (u_int16_t) -1)
776: errx(1, "unknown protocol %s", *av);
777:
778: /* get index(es) */
779: av++;
780: ac--;
781: switch (*proto) {
782: case ADMIN_PROTO_ISAKMP:
783: case ADMIN_PROTO_AH:
784: case ADMIN_PROTO_ESP:
785: index = get_index(ac, av);
786: break;
787: default:
788: errno = EPROTONOSUPPORT;
789: break;
790: }
791: return index;
792: }
793:
794: static int
795: get_proto(str)
796: char *str;
797: {
798: struct proto_tag *cp;
799:
800: if (str == NULL) {
801: errno = EINVAL;
802: return -1;
803: }
804:
805: /* checking the string of command. */
806: for (cp = &prototab[0]; cp->str; cp++) {
807: if (strcmp(str, cp->str) == 0)
808: return cp->proto;
809: }
810:
811: errno = EINVAL;
812: return -1;
813: }
814:
815: static vchar_t *
816: get_index(ac, av)
817: int ac;
818: char **av;
819: {
820: int family;
821:
822: if (ac != 3 && ac != 4) {
823: errno = EINVAL;
824: return NULL;
825: }
826:
827: /* checking the string of family */
828: family = get_family(*av);
829: if (family == -1)
830: return NULL;
831: av++;
832: ac--;
833:
834: return get_comindexes(family, ac, av);
835: }
836:
837: static int
838: get_family(str)
839: char *str;
840: {
841: if (strcmp("inet", str) == 0)
842: return AF_INET;
843: #ifdef INET6
844: else if (strcmp("inet6", str) == 0)
845: return AF_INET6;
846: #endif
847: errno = EAFNOSUPPORT;
848: return -1;
849: }
850:
851: static vchar_t *
852: get_comindexes(family, ac, av)
853: int family;
854: int ac;
855: char **av;
856: {
857: vchar_t *buf;
858: struct admin_com_indexes *ci;
859: char *p_name = NULL, *p_port = NULL;
860: char *p_prefs = NULL, *p_prefd = NULL;
861: struct sockaddr *src = NULL, *dst = NULL;
862: int ulproto;
863:
864: if (ac != 2 && ac != 3) {
865: errno = EINVAL;
866: return NULL;
867: }
868:
869: if (get_comindex(*av, &p_name, &p_port, &p_prefs) == -1)
870: goto bad;
871: src = get_sockaddr(family, p_name, p_port);
872: if (p_name) {
873: racoon_free(p_name);
874: p_name = NULL;
875: }
876: if (p_port) {
877: racoon_free(p_port);
878: p_port = NULL;
879: }
880: if (src == NULL)
881: goto bad;
882: av++;
883: ac--;
884: if (get_comindex(*av, &p_name, &p_port, &p_prefd) == -1)
885: goto bad;
886: dst = get_sockaddr(family, p_name, p_port);
887: if (p_name) {
888: racoon_free(p_name);
889: p_name = NULL;
890: }
891: if (p_port) {
892: racoon_free(p_port);
893: p_port = NULL;
894: }
895: if (dst == NULL)
896: goto bad;
897:
898: buf = vmalloc(sizeof(*ci));
899: if (buf == NULL)
900: goto bad;
901:
902: av++;
903: ac--;
904: if(ac){
905: ulproto = get_ulproto(*av);
906: if (ulproto == -1)
907: goto bad;
908: }else
909: ulproto=0;
910:
911: ci = (struct admin_com_indexes *)buf->v;
912: if(p_prefs)
913: ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */
914: else
915: ci->prefs = 32;
916: if(p_prefd)
917: ci->prefd = (u_int8_t)atoi(p_prefd); /* XXX should be handled error. */
918: else
919: ci->prefd = 32;
920: ci->ul_proto = ulproto;
921: memcpy(&ci->src, src, sysdep_sa_len(src));
922: memcpy(&ci->dst, dst, sysdep_sa_len(dst));
923:
924: if (p_name)
925: racoon_free(p_name);
926:
927: return buf;
928:
929: bad:
930: if (p_name)
931: racoon_free(p_name);
932: if (p_port)
933: racoon_free(p_port);
934: if (p_prefs)
935: racoon_free(p_prefs);
936: if (p_prefd)
937: racoon_free(p_prefd);
938: return NULL;
939: }
940:
941: static int
942: get_comindex(str, name, port, pref)
943: char *str, **name, **port, **pref;
944: {
945: char *p;
946:
947: *name = *port = *pref = NULL;
948:
949: *name = racoon_strdup(str);
950: STRDUP_FATAL(*name);
951: p = strpbrk(*name, "/[");
952: if (p != NULL) {
953: if (*(p + 1) == '\0')
954: goto bad;
955: if (*p == '/') {
956: *p = '\0';
957: *pref = racoon_strdup(p + 1);
958: STRDUP_FATAL(*pref);
959: p = strchr(*pref, '[');
960: if (p != NULL) {
961: if (*(p + 1) == '\0')
962: goto bad;
963: *p = '\0';
964: *port = racoon_strdup(p + 1);
965: STRDUP_FATAL(*port);
966: p = strchr(*pref, ']');
967: if (p == NULL)
968: goto bad;
969: *p = '\0';
970: }
971: } else if (*p == '[') {
972: if (*pref == NULL)
973: goto bad;
974: *p = '\0';
975: *port = racoon_strdup(p + 1);
976: STRDUP_FATAL(*port);
977: p = strchr(*pref, ']');
978: if (p == NULL)
979: goto bad;
980: *p = '\0';
981: } else {
982: /* XXX */
983: }
984: }
985:
986: return 0;
987:
988: bad:
989:
990: if (*name)
991: racoon_free(*name);
992: if (*port)
993: racoon_free(*port);
994: if (*pref)
995: racoon_free(*pref);
996: *name = *port = *pref = NULL;
997: return -1;
998: }
999:
1000: static int
1001: get_ulproto(str)
1002: char *str;
1003: {
1004: struct ulproto_tag *cp;
1005:
1006: if(str == NULL){
1007: errno = EINVAL;
1008: return -1;
1009: }
1010:
1011: /* checking the string of upper layer protocol. */
1012: for (cp = &ulprototab[0]; cp->str; cp++) {
1013: if (strcmp(str, cp->str) == 0)
1014: return cp->ul_proto;
1015: }
1016:
1017: errno = EINVAL;
1018: return -1;
1019: }
1020:
1021: /* %%% */
1022: void
1023: dump_isakmp_sa(buf, len)
1024: char *buf;
1025: int len;
1026: {
1027: struct ph1dump *pd;
1028: struct tm *tm;
1029: char tbuf[56];
1030: caddr_t p = NULL;
1031:
1032: /* isakmp status header */
1033: /* short header;
1034: 1234567890123456789012 0000000000000000:0000000000000000 000000000000
1035: */
1036: char *header1 =
1037: "Destination Cookies Created";
1038:
1039: /* semi long header;
1040: 1234567890123456789012 0000000000000000:0000000000000000 00 X 00 X 0000-00-00 00:00:00 000000
1041: */
1042: char *header2 =
1043: "Destination Cookies ST S V E Created Phase2";
1044:
1045: /* long header;
1046: 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000000000000000:0000000000000000 00 X 00 X 0000-00-00 00:00:00 000000
1047: */
1048: char *header3 =
1049: "Source Destination Cookies ST S V E Created Phase2";
1050:
1051: /* phase status header */
1052: /* short format;
1053: side stats source address destination address
1054: xxx xxxxx 1234567890123456789012 1234567890123456789012
1055: */
1056:
1057: static char *estr[] = { "", "B", "M", "U", "A", "I", };
1058:
1059: switch (long_format) {
1060: case 0:
1061: printf("%s\n", header1);
1062: break;
1063: case 1:
1064: printf("%s\n", header2);
1065: break;
1066: case 2:
1067: default:
1068: printf("%s\n", header3);
1069: break;
1070: }
1071:
1072: if (len % sizeof(*pd))
1073: printf("invalid length %d\n", len);
1074: len /= sizeof(*pd);
1075:
1076: pd = (struct ph1dump *)buf;
1077:
1078: while (len-- > 0) {
1079: /* source address */
1080: if (long_format >= 2) {
1081: GETNAMEINFO((struct sockaddr *)&pd->local, _addr1_, _addr2_);
1082: switch (long_format) {
1083: case 0:
1084: break;
1085: case 1:
1086: p = fixed_addr(_addr1_, _addr2_, 22);
1087: break;
1088: case 2:
1089: default:
1090: p = fixed_addr(_addr1_, _addr2_, 45);
1091: break;
1092: }
1093: printf("%s ", p);
1094: }
1095:
1096: /* destination address */
1097: GETNAMEINFO((struct sockaddr *)&pd->remote, _addr1_, _addr2_);
1098: switch (long_format) {
1099: case 0:
1100: case 1:
1101: p = fixed_addr(_addr1_, _addr2_, 22);
1102: break;
1103: case 2:
1104: default:
1105: p = fixed_addr(_addr1_, _addr2_, 45);
1106: break;
1107: }
1108: printf("%s ", p);
1109:
1110: printf("%s ", pindex_isakmp(&pd->index));
1111:
1112: /* statuc, side and version */
1113: if (long_format >= 1) {
1114: printf("%2d %c %2x ",
1115: pd->status,
1116: pd->side == INITIATOR ? 'I' : 'R',
1117: pd->version);
1118: if (ARRAYLEN(estr) > pd->etype)
1119: printf("%s ", estr[pd->etype]);
1120: }
1121:
1122: /* created date */
1123: if (pd->created) {
1124: tm = localtime(&pd->created);
1125: strftime(tbuf, sizeof(tbuf), "%Y-%m-%d %T", tm);
1126: } else
1127: snprintf(tbuf, sizeof(tbuf), " ");
1128: printf("%s ", tbuf);
1129:
1130: /* counter of phase 2 */
1131: if (long_format >= 1)
1132: printf("%6d ", pd->ph2cnt);
1133:
1134: printf("\n");
1135:
1136: pd++;
1137: }
1138:
1139: return;
1140: }
1141:
1142: /* %%% */
1143: void
1144: dump_internal(buf, tlen)
1145: char *buf;
1146: int tlen;
1147: {
1148: struct ph2handle *iph2;
1149: struct sockaddr *addr;
1150:
1151: /*
1152: short header;
1153: source address destination address
1154: 1234567890123456789012 1234567890123456789012
1155: */
1156: char *short_h1 =
1157: "Source Destination ";
1158:
1159: /*
1160: long header;
1161: source address destination address
1162: 123456789012345678901234567890123456789012345 123456789012345678901234567890123456789012345
1163: 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000:0000:0000:0000:0000:0000:0000:0000.00000
1164: */
1165: char *long_h1 =
1166: "Source Destination ";
1167:
1168: printf("%s\n", long_format ? long_h1 : short_h1);
1169:
1170: while (tlen > 0) {
1171: iph2 = (struct ph2handle *)buf;
1172: addr = (struct sockaddr *)(++iph2);
1173:
1174: GETNAMEINFO(addr, _addr1_, _addr2_);
1175: printf("%s ", long_format ?
1176: fixed_addr(_addr1_, _addr2_, 45)
1177: : fixed_addr(_addr1_, _addr2_, 22));
1178: addr++;
1179: tlen -= sysdep_sa_len(addr);
1180:
1181: GETNAMEINFO(addr, _addr1_, _addr2_);
1182: printf("%s ", long_format ?
1183: fixed_addr(_addr1_, _addr2_, 45)
1184: : fixed_addr(_addr1_, _addr2_, 22));
1185: addr++;
1186: tlen -= sysdep_sa_len(addr);
1187:
1188: printf("\n");
1189: }
1190:
1191: return;
1192: }
1193:
1194: /* %%% */
1195: char *
1196: pindex_isakmp(index)
1197: isakmp_index *index;
1198: {
1199: static char buf[64];
1200: u_char *p;
1201: int i, j;
1202:
1203: memset(buf, 0, sizeof(buf));
1204:
1205: /* copy index */
1206: p = (u_char *)index;
1207: for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1208: snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1209: j += 2;
1210: switch (i) {
1211: case 7:
1212: #if 0
1213: case 15:
1214: #endif
1215: buf[j++] = ':';
1216: }
1217: }
1218:
1219: return buf;
1220: }
1221:
1222: /* print schedule */
1223: char *str_sched_stat[] = {
1224: "off",
1225: "on",
1226: "dead",
1227: };
1228:
1229: char *str_sched_id[] = {
1230: "PH1resend",
1231: "PH1lifetime",
1232: "PH2resend",
1233: "PSTacquire",
1234: "PSTlifetime",
1235: };
1236:
1237: void
1238: print_schedule(buf, len)
1239: caddr_t buf;
1240: int len;
1241: {
1242: struct scheddump *sc = (struct scheddump *)buf;
1243: struct tm *tm;
1244: char tbuf[56];
1245:
1246: if (len % sizeof(*sc))
1247: printf("invalid length %d\n", len);
1248: len /= sizeof(*sc);
1249:
1250: /* 00000000 00000000 00000000 xxx........*/
1251: printf("index tick xtime created\n");
1252:
1253: while (len-- > 0) {
1254: tm = localtime(&sc->created);
1255: strftime(tbuf, sizeof(tbuf), "%Y-%m-%d %T", tm);
1256:
1257: printf("%-8ld %-8ld %-8ld %s\n",
1258: sc->id,
1259: (long)sc->tick,
1260: (long)sc->xtime,
1261: tbuf);
1262: sc++;
1263: }
1264:
1265: return;
1266: }
1267:
1268:
1269: void
1270: print_evt(evtdump)
1271: struct evt_async *evtdump;
1272: {
1273: int i;
1274: char *srcstr;
1275: char *dststr;
1276:
1277: for (i = 0; i < sizeof(evtmsg) / sizeof(evtmsg[0]); i++)
1278: if (evtmsg[i].type == evtdump->ec_type)
1279: break;
1280:
1281: if (evtmsg[i].msg == NULL)
1282: printf("Event %d: ", evtdump->ec_type);
1283: else
1284: printf("%s : ", evtmsg[i].msg);
1285:
1286: if ((srcstr = saddr2str((struct sockaddr *)&evtdump->ec_ph1src)) == NULL)
1287: printf("unknown");
1288: else
1289: printf("%s", srcstr);
1290: printf(" -> ");
1291: if ((dststr = saddr2str((struct sockaddr *)&evtdump->ec_ph1dst)) == NULL)
1292: printf("unknown");
1293: else
1294: printf("%s", dststr);
1295: printf("\n");
1296: }
1297:
1298: /*
1299: * Print ISAKMP mode config info (IP and banner)
1300: */
1301: void
1302: print_cfg(buf, len)
1303: caddr_t buf;
1304: int len;
1305: {
1306: struct evt_async *evtdump = (struct evt_async *)buf;
1307: struct isakmp_data *attr;
1308: char *banner = NULL;
1309: struct in_addr addr4;
1310:
1311: memset(&addr4, 0, sizeof(addr4));
1312:
1313: if (evtdump->ec_type != EVT_PHASE1_MODE_CFG)
1314: return;
1315:
1316: len -= sizeof(*evtdump);
1317: attr = (struct isakmp_data *)(evtdump + 1);
1318:
1319: while (len > 0) {
1320: if (len < sizeof(*attr)) {
1321: printf("short attribute too short\n");
1322: break;
1323: }
1324:
1325: if ((ntohs(attr->type) & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
1326: /* Short attribute, skip */
1327: len -= sizeof(*attr);
1328: attr++;
1329: } else { /* Long attribute */
1330: char *n;
1331:
1332: if (len < (sizeof(*attr) + ntohs(attr->lorv))) {
1333: printf("long attribute too long\n");
1334: break;
1335: }
1336:
1337: switch (ntohs(attr->type) & ~ISAKMP_GEN_MASK) {
1338: case INTERNAL_IP4_ADDRESS:
1339: if (ntohs(attr->lorv) < sizeof(addr4)) {
1340: printf("addr4 attribute too short\n");
1341: break;
1342: }
1343: memcpy(&addr4, attr + 1, sizeof(addr4));
1344: break;
1345:
1346: case UNITY_BANNER:
1347: banner = racoon_malloc(ntohs(attr->lorv) + 1);
1348: if (banner == NULL) {
1349: printf("malloc failed\n");
1350: break;
1351: }
1352: memcpy(banner, attr + 1, ntohs(attr->lorv));
1353: banner[ntohs(attr->lorv)] = '\0';
1354: break;
1355:
1356: default:
1357: break;
1358: }
1359:
1360: len -= (sizeof(*attr) + ntohs(attr->lorv));
1361: n = (char *)attr;
1362: attr = (struct isakmp_data *)
1363: (n + sizeof(*attr) + ntohs(attr->lorv));
1364: }
1365: }
1366:
1367: if (len > 0)
1368: printf("Bound to address %s\n", inet_ntoa(addr4));
1369: else
1370: printf("VPN connexion established\n");
1371:
1372: if (banner) {
1373: struct winsize win;
1374: int col = 0;
1375: int i;
1376:
1377: if (ioctl(1, TIOCGWINSZ, &win) != 1)
1378: col = win.ws_col;
1379:
1380: for (i = 0; i < col; i++)
1381: printf("%c", '=');
1382: printf("\n%s\n", banner);
1383: for (i = 0; i < col; i++)
1384: printf("%c", '=');
1385: printf("\n");
1386: racoon_free(banner);
1387: }
1388: }
1389:
1390:
1391: char *
1392: fixed_addr(addr, port, len)
1393: char *addr, *port;
1394: int len;
1395: {
1396: static char _addr_buf_[BUFSIZ];
1397: char *p;
1398: int plen, i;
1399:
1400: /* initialize */
1401: memset(_addr_buf_, ' ', sizeof(_addr_buf_));
1402:
1403: plen = strlen(port);
1404: if (len < plen + 1)
1405: return NULL;
1406:
1407: p = _addr_buf_;
1408: for (i = 0; i < len - plen - 1 && addr[i] != '\0'; /*noting*/)
1409: *p++ = addr[i++];
1410: *p++ = '.';
1411:
1412: for (i = 0; i < plen && port[i] != '\0'; /*noting*/)
1413: *p++ = port[i++];
1414:
1415: _addr_buf_[len] = '\0';
1416:
1417: return _addr_buf_;
1418: }
1419:
1420: static int
1421: handle_recv(combuf)
1422: vchar_t *combuf;
1423: {
1424: struct admin_com *com;
1425: caddr_t buf;
1426: int len;
1427:
1428: com = (struct admin_com *)combuf->v;
1429: if (com->ac_cmd & ADMIN_FLAG_LONG_REPLY)
1430: len = ((u_int32_t)com->ac_len) + (((u_int32_t)com->ac_len_high) << 16);
1431: else
1432: len = com->ac_len;
1433: len -= sizeof(*com);
1434: buf = combuf->v + sizeof(*com);
1435:
1436: switch (com->ac_cmd & ~ADMIN_FLAG_LONG_REPLY) {
1437: case ADMIN_SHOW_SCHED:
1438: print_schedule(buf, len);
1439: break;
1440:
1441: case ADMIN_SHOW_EVT: {
1442: struct evt_async *ec;
1443:
1444: /* We got no event? */
1445: if (len == 0)
1446: break;
1447:
1448: if (len < sizeof(struct evt_async))
1449: errx(1, "Short buffer\n");
1450:
1451: ec = (struct evt_async *) buf;
1452: if (evt_quit_event <= 0)
1453: print_evt(ec);
1454: else if (evt_quit_event == ec->ec_type) {
1455: switch (ec->ec_type) {
1456: case EVT_PHASE1_MODE_CFG:
1457: print_cfg(ec, len);
1458: break;
1459: default:
1460: print_evt(ec);
1461: break;
1462: }
1463: evt_quit_event = 0;
1464: }
1465: break;
1466: }
1467:
1468: case ADMIN_GET_SA_CERT:
1469: fwrite(buf, len, 1, stdout);
1470: break;
1471:
1472: case ADMIN_SHOW_SA:
1473: {
1474: switch (com->ac_proto) {
1475: case ADMIN_PROTO_ISAKMP:
1476: dump_isakmp_sa(buf, len);
1477: break;
1478: case ADMIN_PROTO_IPSEC:
1479: case ADMIN_PROTO_AH:
1480: case ADMIN_PROTO_ESP:
1481: {
1482: struct sadb_msg *msg = (struct sadb_msg *)buf;
1483:
1484: switch (msg->sadb_msg_errno) {
1485: case ENOENT:
1486: switch (msg->sadb_msg_type) {
1487: case SADB_DELETE:
1488: case SADB_GET:
1489: printf("No entry.\n");
1490: break;
1491: case SADB_DUMP:
1492: printf("No SAD entries.\n");
1493: break;
1494: }
1495: break;
1496: case 0:
1497: while (1) {
1498: pfkey_sadump(msg);
1499: if (msg->sadb_msg_seq == 0)
1500: break;
1501: msg = (struct sadb_msg *)((caddr_t)msg +
1502: PFKEY_UNUNIT64(msg->sadb_msg_len));
1503: }
1504: break;
1505: default:
1506: printf("%s.\n", strerror(msg->sadb_msg_errno));
1507: }
1508: }
1509: break;
1510: case ADMIN_PROTO_INTERNAL:
1511: dump_internal(buf, len);
1512: break;
1513: default:
1514: printf("Invalid proto [%d]\n", com->ac_proto);
1515: }
1516:
1517: }
1518: break;
1519:
1520: default:
1521: /* IGNORE */
1522: break;
1523: }
1524:
1525: return 0;
1526:
1527: bad:
1528: return -1;
1529: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to racoonctl.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon