summaryrefslogtreecommitdiff
path: root/programs/showpolicy
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
commitaa0f5b38aec14428b4b80e06f90ff781f8bca5f1 (patch)
tree95f3d0c8cb0d59d88900dbbd72110d7ab6e15b2a /programs/showpolicy
parent7c383bc22113b23718be89fe18eeb251942d7356 (diff)
downloadvyos-strongswan-aa0f5b38aec14428b4b80e06f90ff781f8bca5f1.tar.gz
vyos-strongswan-aa0f5b38aec14428b4b80e06f90ff781f8bca5f1.zip
Import initial strongswan 2.7.0 version into SVN.
Diffstat (limited to 'programs/showpolicy')
-rw-r--r--programs/showpolicy/.cvsignore1
-rw-r--r--programs/showpolicy/Makefile38
-rw-r--r--programs/showpolicy/showpolicy.841
-rw-r--r--programs/showpolicy/showpolicy.c251
4 files changed, 331 insertions, 0 deletions
diff --git a/programs/showpolicy/.cvsignore b/programs/showpolicy/.cvsignore
new file mode 100644
index 000000000..e4fad4e23
--- /dev/null
+++ b/programs/showpolicy/.cvsignore
@@ -0,0 +1 @@
+showpolicy
diff --git a/programs/showpolicy/Makefile b/programs/showpolicy/Makefile
new file mode 100644
index 000000000..b3ea5a0a8
--- /dev/null
+++ b/programs/showpolicy/Makefile
@@ -0,0 +1,38 @@
+# Makefile for the KLIPS interface utilities
+# Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=showpolicy
+EXTRA5PROC=${PROGRAM}.8
+
+LIBS=${POLICYLIB} ${FREESWANLIB}
+
+include ../Makefile.program
+
+#
+# $Log: Makefile,v $
+# Revision 1.1 2004/03/15 20:35:31 as
+# added files from freeswan-2.04-x509-1.5.3
+#
+# Revision 1.2 2003/05/14 02:12:27 mcr
+# addition of CGI-focused interface to policy lookup interface
+#
+# Revision 1.1 2003/05/11 00:45:08 mcr
+# program to interogate ipsec policy of stdin.
+# run this from inetd.
+#
+#
diff --git a/programs/showpolicy/showpolicy.8 b/programs/showpolicy/showpolicy.8
new file mode 100644
index 000000000..4fbc2e40e
--- /dev/null
+++ b/programs/showpolicy/showpolicy.8
@@ -0,0 +1,41 @@
+.TH IPSEC_SHOWPOLICY 8 "7 May 2003"
+.\"
+.\" RCSID $Id: showpolicy.8,v 1.1 2004/03/15 20:35:31 as Exp $
+.\"
+.SH NAME
+ipsec showpolicy \- dump policy of socket found as stdin
+.SH SYNOPSIS
+.PP
+.B ipsec
+.B showpolicy
+.PP
+.SH DESCRIPTION
+.I showpolicy
+calls the
+.IR ipsec_policy_lookup (3)
+function on the file description which is its stdin.
+.PP
+It then dumps the resulting query in a human readable form.
+.PP
+This is a test program. One might run it from inetd, via:
+.TP
+discard stream tcp nowait nobody /usr/local/libexec/ipsec/showpolicy showpolicy
+.SH FILES
+/var/run/ipsecpolicy.ctl
+.SH "SEE ALSO"
+ipsec(8), ipsec_policy_query(3), ipsec_pluto(8)
+.SH HISTORY
+Written for the Linux FreeS/WAN project
+<http://www.freeswan.org/>
+by Michael Richardson
+.SH BUGS
+.\"
+.\" $Log: showpolicy.8,v $
+.\" Revision 1.1 2004/03/15 20:35:31 as
+.\" added files from freeswan-2.04-x509-1.5.3
+.\"
+.\" Revision 1.1 2003/05/11 00:45:08 mcr
+.\" program to interogate ipsec policy of stdin.
+.\" run this from inetd.
+.\"
+.\"
diff --git a/programs/showpolicy/showpolicy.c b/programs/showpolicy/showpolicy.c
new file mode 100644
index 000000000..114cc3936
--- /dev/null
+++ b/programs/showpolicy/showpolicy.c
@@ -0,0 +1,251 @@
+/*
+ * A program to dump the IPsec status of the socket found on stdin.
+ * Run me from inetd, for instance.
+ * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+char showpolicy_version[] = "RCSID $Id: showpolicy.c,v 1.1 2004/03/15 20:35:31 as Exp $";
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <getopt.h>
+#include "freeswan.h"
+#include "freeswan/ipsec_policy.h"
+
+char *program_name;
+
+static void
+help(void)
+{
+ fprintf(stderr,
+ "Usage:\n\n"
+ "showpolicy"
+ " [--cgi] lookup the particulars from CGI variables.\n"
+ " [--socket] lookup the particulars from the socket on stdin.\n"
+ " [--textual] dump output in human friendly form\n"
+ " [--plaintext X] string to dump if no security\n"
+ " [--vpntext X] string to dump if VPN configured tunnel\n"
+ " [--privacytext X] string to dump if just plain DNS OE\n"
+ " [--dnssectext X] string to dump if just DNSSEC OE\n"
+ "\n\n"
+ "FreeS/WAN %s\n",
+ ipsec_version_code());
+}
+
+static const struct option long_opts[] = {
+ /* name, has_arg, flag, val */
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, 'V' },
+ { "socket", no_argument, NULL, 'i' },
+ { "cgi", no_argument, NULL, 'g' },
+ { "textual", no_argument, NULL, 't' },
+ { "plaintext", required_argument, NULL, 'c' },
+ { "vpntext", required_argument, NULL, 'v' },
+ { "privacytext", required_argument, NULL, 'p' },
+ { "dnssectext", required_argument, NULL, 's' },
+ { 0,0,0,0 }
+};
+
+void dump_policyreply(struct ipsec_policy_cmd_query *q)
+{
+ char src[ADDRTOT_BUF], dst[ADDRTOT_BUF];
+
+ /* now print it! */
+ addrtot(&q->query_local, 0, src, sizeof(src));
+ addrtot(&q->query_remote, 0, dst, sizeof(dst));
+
+ printf("Results of query on %s -> %s with seq %d\n",
+ src, dst, q->head.ipm_msg_seq);
+
+ printf("Received reply of %d bytes.\n", q->head.ipm_msg_len);
+
+ printf("Strength: %d\n", q->strength);
+ printf("Bandwidth: %d\n", q->bandwidth);
+ printf("authdetail: %d\n", q->auth_detail);
+ printf("esp_detail: %d\n", q->esp_detail);
+ printf("comp_detail: %d\n",q->comp_detail);
+
+ printf("credentials: %d\n", q->credential_count);
+ if(q->credential_count > 0) {
+ int c;
+
+ for(c=0; c<q->credential_count; c++) {
+ switch(q->credentials[c].ii_format) {
+ case CERT_DNS_SIGNED_KEY:
+ printf("\tDNSSEC identity: %s (SIG %s)\n",
+ q->credentials[c].ii_credential.ipsec_dns_signed.fqdn,
+ q->credentials[c].ii_credential.ipsec_dns_signed.dns_sig);
+ break;
+
+ case CERT_RAW_RSA:
+ printf("\tlocal identity: %s\n",
+ q->credentials[c].ii_credential.ipsec_raw_key.id_name);
+
+ case CERT_NONE:
+ printf("\tDNS identity: %s\n",
+ q->credentials[c].ii_credential.ipsec_dns_signed.fqdn);
+ break;
+
+ default:
+ printf("\tUnknown identity type %d", q->credentials[c].ii_format);
+ break;
+ }
+ }
+ }
+}
+
+
+int main(int argc, char *argv[])
+{
+ struct ipsec_policy_cmd_query q;
+ err_t ret;
+ int c;
+
+ /* set the defaults */
+ char lookup_style = 'i';
+ char output_style = 's';
+
+ char *plaintext = "clear";
+ char *vpntext = "vpn";
+ char *privacytext = "private";
+ char *dnssectext = "secure";
+
+ while((c = getopt_long(argc, argv, "hVighc:v:p:s:", long_opts, 0))!=EOF) {
+ switch (c) {
+ default:
+ case 'h': /* --help */
+ help();
+ return 0; /* GNU coding standards say to stop here */
+
+ case 'V': /* --version */
+ fprintf(stderr, "FreeS/WAN %s\n", ipsec_version_code());
+ return 0; /* GNU coding standards say to stop here */
+
+ case 'i':
+ if(isatty(0)) {
+ printf("please run this connected to a socket\n");
+ exit(1);
+ }
+
+ lookup_style = 'i';
+ break;
+
+ case 'g':
+ lookup_style = 'g';
+ break;
+
+ case 't':
+ output_style = 't';
+ break;
+
+ case 'c':
+ plaintext = optarg;
+ break;
+
+ case 'v':
+ vpntext = optarg;
+ break;
+
+ case 'p':
+ privacytext = optarg;
+ break;
+
+ case 's':
+ dnssectext = optarg;
+ break;
+ }
+ }
+
+ if((ret = ipsec_policy_init()) != NULL) {
+ perror(ret);
+ exit(2);
+ }
+
+ switch(lookup_style) {
+ case 'i':
+ if((ret = ipsec_policy_lookup(0, &q)) != NULL) {
+ perror(ret);
+ exit(3);
+ }
+ break;
+
+ case 'g':
+ if((ret = ipsec_policy_cgilookup(&q)) != NULL) {
+ perror(ret);
+ exit(3);
+ }
+ break;
+
+ default:
+ abort();
+ break;
+ }
+
+
+ if(output_style == 't') {
+ dump_policyreply(&q);
+ } else {
+ /* start by seeing if there was any crypto */
+ if(q.strength < IPSEC_PRIVACY_PRIVATE) {
+ /* no, so say clear */
+ puts(plaintext);
+ exit(0);
+ }
+
+ /* we now it is crypto, but authentic is it? */
+ if(q.credential_count == 0) {
+ puts(vpntext);
+ exit(0);
+ }
+
+ switch(q.credentials[0].ii_format) {
+ case CERT_DNS_SIGNED_KEY:
+ puts(dnssectext);
+ exit(0);
+
+ case CERT_RAW_RSA:
+ puts(vpntext);
+ exit(0);
+
+ default:
+ puts(privacytext);
+ exit(0);
+ }
+ }
+
+ exit(0);
+}
+
+/*
+ * $Log: showpolicy.c,v $
+ * Revision 1.1 2004/03/15 20:35:31 as
+ * added files from freeswan-2.04-x509-1.5.3
+ *
+ * Revision 1.4 2003/05/14 15:46:44 mcr
+ * switch statement was missing break statements and was running on.
+ *
+ * Revision 1.3 2003/05/14 02:12:27 mcr
+ * addition of CGI-focused interface to policy lookup interface
+ *
+ * Revision 1.2 2003/05/13 03:25:34 mcr
+ * print credentials, if any were provided.
+ *
+ * Revision 1.1 2003/05/11 00:45:08 mcr
+ * program to interogate ipsec policy of stdin.
+ * run this from inetd.
+ *
+ *
+ *
+ */