authorRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
commitaa0f5b38aec14428b4b80e06f90ff781f8bca5f1 (patch)
tree95f3d0c8cb0d59d88900dbbd72110d7ab6e15b2a /programs/mailkey
parent7c383bc22113b23718be89fe18eeb251942d7356 (diff)
downloadvyos-strongswan-aa0f5b38aec14428b4b80e06f90ff781f8bca5f1.tar.gz
vyos-strongswan-aa0f5b38aec14428b4b80e06f90ff781f8bca5f1.zip
Import initial strongswan 2.7.0 version into SVN.
Diffstat (limited to 'programs/mailkey')
-rw-r--r--programs/mailkey/.cvsignore1
-rw-r--r--programs/mailkey/Makefile41
-rw-r--r--programs/mailkey/mailkey.847
-rwxr-xr-xprograms/mailkey/mailkey.in241
4 files changed, 330 insertions, 0 deletions
diff --git a/programs/mailkey/.cvsignore b/programs/mailkey/.cvsignore
new file mode 100644
index 000000000..5af485234
--- /dev/null
+++ b/programs/mailkey/.cvsignore
@@ -0,0 +1 @@
+mailkey
diff --git a/programs/mailkey/Makefile b/programs/mailkey/Makefile
new file mode 100644
index 000000000..4b0385823
--- /dev/null
+++ b/programs/mailkey/Makefile
@@ -0,0 +1,41 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=mailkey
+
+include ../Makefile.program
+
+#
+# $Log: Makefile,v $
+# Revision 1.1 2004/03/15 20:35:28 as
+# added files from freeswan-2.04-x509-1.5.3
+#
+# Revision 1.1 2003/02/22 03:26:55 sam
+# remaining pieces of mailkey
+#
+# Revision 1.2 2002/06/02 21:51:41 mcr
+# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
+# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
+# kernel sense.)
+#
+# Revision 1.1 2002/04/24 07:55:32 mcr
+# #include patches and Makefiles for post-reorg compilation.
+#
+#
+#
+
diff --git a/programs/mailkey/mailkey.8 b/programs/mailkey/mailkey.8
new file mode 100644
index 000000000..be6b4ff93
--- /dev/null
+++ b/programs/mailkey/mailkey.8
@@ -0,0 +1,47 @@
+.TH IPSEC_MAILKEY 8 "21 Feb 2002"
+.\" RCSID $Id: mailkey.8,v 1.1 2004/03/15 20:35:28 as Exp $
+.SH NAME
+ipsec mailkey \- mail DNS records for Opportunistic Encryption
+.SH SYNOPSIS
+.B ipsec
+.B mailkey
+\-\-me
+my@address.tld
+[
+.B \-\-reverse
+1.2.3.4
+] [
+.B \-\-forward
+hostname.domain.tld
+]
+.SH DESCRIPTION
+.I mailkey
+is a meta-program. It generates a script which will attempt to mail the TXT
+records required to enable Opportunistic Encryption (OE).
+.PP
+An e-mail address for the domain's DNS administrator is derived from SOA records.
+The mail body and destination address are freely editable in the script.
+.PP
+If no administrator can be located, the output file will not be executable.
+.PP
+.TP
+\fB\-\-me\fP\ \fImy@address.tld\fP
+set the Reply-To: address of the mail to be sent.
+.TP
+\fB\-\-forward\fP\ \fIhostname.domain.tld\fP
+the domain name to be used for initator-only OE.
+.TP
+\fB\-\-reverse\fP\ \fI1.2.3.4\fP
+the IP address to be used for full Opportunistic Encryption.
+.PP
+Only one of --forward or --reverse may be specified.
+.SH FILES
+.nf
+/etc/ipsec.secrets
+.fi
+.SH SEE ALSO
+ipsec_showhostkey(8), host(8)
+.SH HISTORY
+Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Sam Sgro.
+.SH BUGS
+May produce indeterminate results when processing non-routable IPs.
diff --git a/programs/mailkey/mailkey.in b/programs/mailkey/mailkey.in
new file mode 100755
index 000000000..fecdcf62c
--- /dev/null
+++ b/programs/mailkey/mailkey.in
@@ -0,0 +1,241 @@
+#! /bin/sh
+# mail OE DNS RR info to relevent administrator
+#
+# Copyright (C) 2003 Sam Sgro <sam@freeswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: mailkey.in,v 1.1 2004/03/15 20:35:28 as Exp $
+
+me="ipsec mailkey"
+
+PATH=/sbin:/usr/bin:/usr/local/sbin:@IPSEC_SBINDIR@:$PATH export PATH
+
+reverse=0
+forward=0
+mymail=""
+usage="Usage:
+ $me --me my@address.tld --forward hostname.domain.tld
+ $me --me my@address.tld --reverse 1.2.3.4"
+
+for dummy
+do
+ case "$1" in
+ --help) echo "$usage" ; exit 0 ;;
+ --forward) forward=1 ; reverse=0 ; hostname="$2" ; shift ;;
+ --reverse) reverse=1 ; forward=0 ; reverseip="$2" ; shift ;;
+ --me) mymail="$2" ; shift ;;
+ --) shift ; break ;;
+ -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
+ *) break ;;
+ esac
+ shift
+done
+
+# only do one of iOE || (pOE/rOE/fOE/insert acronym here) at a time
+# but you have to choose one. Plus, if ya ain't specified your mail address...
+if [ "$forward" -eq "$reverse" ] || [ ! "$mymail" ]
+then
+{
+echo "$usage"; exit 0;
+}
+fi
+
+# Test to see if there is a key to process in the first place.
+test1st=`ipsec showhostkey --txt 1.2.3.4 2>&1`
+test2nd=`echo $test1st | grep TXT`
+if [ ! "$test2nd" ]
+then
+{
+echo "Our attempt to retrieve your RSA key using 'ipsec showhostkey' failed
+with the following error:
+
+"$test1st"
+
+Common concerns: This account must be able to read /etc/ipsec.secrets.
+If you haven't generated your key yet, please run 'ipsec newhostkey'."
+exit 0
+}
+fi
+
+
+# This is where we will save the script.
+save_mail_file=~/"OE_mail_""$reverseip$hostname"
+
+# RSA/SOA processing functions.
+# takes two arguments - the IP address/hostname to be used, and an attempt to guess the
+# beginning of the DNS record for the administrator
+txtprocess(){
+ipsec showhostkey --txt $1 | sed "s/^.* IN TXT/$2. IN TXT/" | grep TXT
+}
+
+# Find the hostmaster part of the SOA.
+# This only works with the "net" portion of in-addr.arpa. commands - 20.168.192.in-addr.arpa. -
+# or the domain portion of FQDNs. The data is prepped using host_data in the individual sections
+# for $forward and $reverse.
+# Note: I've experienced it returning SOAs for non-routeable IP addresses! This needs to be
+# addressed.
+hostprocess(){
+host -t soa $1 | grep SOA | while read a b c d e
+do
+echo $d | sed -e "s/\(^[a-zA-Z0-9-]*\)\.\([a-zA-Z0-9-\.]*\).$/\1@\2/"
+done
+}
+
+# generate the pieces that go into the template, which are dependent on the type of OE.
+if [ "$reverse" -eq 1 ]; then
+{
+# convert the reverse ip to something appropriate for a DNS record.
+arpaip=`echo $reverseip | sed -e "s/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\4.\3.\2.\1.in-addr.arpa/"`
+# prepare data for hostprocess()
+host_data=`echo $arpaip | sed -e "s/^[0-9]*\.\(.*\)/\1/"`
+
+firstsub=" I'm contacting you in your role as the administrator of the domain
+\"$arpaip\" as listed in its SOA record.
+
+ My network security software, which employs IPSec, requires the
+below keying information to be published as a RR in the DNS domain
+which you are responsible for.
+
+"
+
+txt=`txtprocess $reverseip $arpaip`
+secondsub=" To this end, I need you to publish the following TXT record:
+
+--DNS_RESOURCE_RECORDS--
+
+"$txt"
+
+--DNS_RESOURCE_RECORDS--"
+
+thirdsub="to enable full Opportunistic Encryption using the IP address:
+
+"$reverseip
+
+fourthsub="and TXT records are"
+
+proposed_email=`hostprocess $host_data`
+}
+elif [ "$forward" -eq 1 ]; then
+{
+# prepare data for hostprocess()
+# leave only the domain name
+domain_data=`echo $hostname | sed -e "s/.*\.\([a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$\)/\1/"`
+# leave only the host name
+host_data=`echo $hostname | sed -e "s/\(.*\)\.[a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$/\1/"`
+
+firstsub=" I'm contacting you in your role as the administrator of the domain
+\"$hostname\" as listed in its SOA record.
+
+ My network security software, which employs IPSec, requires the
+below keying information to be published as a RR in the DNS domain
+which you are responsible for.
+
+"
+
+txt=`txtprocess @$hostname $host_data`
+secondsub=" To this end, please publish the following TXT record for the hostname
+$hostname:
+
+
+--DNS_RESOURCE_RECORDS--
+
+$txt
+
+--DNS_RESOURCE_RECORDS--"
+thirdsub="to allow me to use the hostname:
+
+"$hostname"
+
+for initiator-only Opportunistic Encryption."
+fourthsub="record is"
+
+proposed_email=`hostprocess $domain_data`
+}
+fi
+
+# Create the template used for the body of the e-mail.
+
+mailbody=$firstsub$secondsub"
+
+
+ Please be careful to preserve the spaces and/or quotation marks as written.
+These are important for the RSA key to survive DNS processing.
+
+ Thanks for your help in securing the 'net!
+
+ $mymail
+ (Generated by '$me' for $mymail)
+
+
+
+Opportunistic Encryption (OE) is the result of ongoing effort by the FreeS/WAN
+project (www.freeswan.org). It allows for the creation of dynamic IPSec
+connections between hosts without pre-arrangement, authenticated via RSA keys
+stored in DNS records.
+
+Technical information on OE can be found in this RFC draft:
+
+http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/draft-richardson-ipsec-opportunistic.txt
+
+If you have any questions about these TXT records, or about OE in general,
+please direct them to the FreeS/WAN support lists:
+
+users@lists.freeswan.org
+"
+
+# If we managed to find a hostmaster, make the appropriate modifications to the mail's body and
+# our instructions to the user.
+if [ "$proposed_email" ]; then
+{
+
+# This is now converting the mail test into an executable script.
+# Most users will have reached this stage; they can edit the contact_email
+# if they know better than us.
+# -s - Subject line. By extending it, we can "hack" the mail program to
+# include a customized Reply-To header.
+
+mailbody="#!/bin/sh
+#
+# Edit this variable to send this message to an alternate destination
+contact_email=$proposed_email
+
+mail \$contact_email -s 'DNS records for Opportunistic Encryption ($hostname$reverseip)
+Reply-To: $mymail' <<EOF
+
+"$mailbody"
+
+EOF
+"
+
+screenoutput="Executable mail file saved to: "$save_mail_file
+}
+else
+{
+# Slightly different instructions if we have nothing to tell the user.
+
+screenoutput="$me: error: Unable to locate SOA record for this domain. Not generating executable file.
+Sample mail file saved to: "$save_mail_file
+}
+fi
+
+# Create the output that has been prepared.
+echo "$mailbody" > $save_mail_file
+
+# Only make it executable if we've guessed a destination e-mail address.
+if [ "$proposed_email" ]; then
+{
+chmod u+x $save_mail_file
+}
+fi
+
+# Tell the user what'sgoing on.
+echo "$screenoutput"
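Review bot: The generated script embeds the SOA-derived `proposed_email` as an unquoted shell assignment (`contact_email=$proposed_email`) and feeds the already-expanded body through an unquoted here-doc (`<<EOF`), so any `$`, backtick or backslash that the remote zone's SOA RNAME or the TXT text happens to carry is evaluated again when the user later runs the saved OE_mail_* file. Since hostprocess() prints `$d` unchanged whenever its sed pattern does not match, this is data from a third-party DNS answer landing in executable code on the user's machine. I would write the assignment as `contact_email='$proposed_email'` (after rejecting a value that contains a single quote) and quote the delimiter, `Reply-To: $mymail' <<'EOF'`, which costs nothing because the body was expanded at generation time. Separately, `echo "$mailbody" > $save_mail_file` and `chmod u+x $save_mail_file` leave the path unquoted although it is built from the --forward/--reverse argument; quoting both is a one-character fix each.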