diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2006-05-22 05:12:18 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2006-05-22 05:12:18 +0000 |
commit | aa0f5b38aec14428b4b80e06f90ff781f8bca5f1 (patch) | |
tree | 95f3d0c8cb0d59d88900dbbd72110d7ab6e15b2a /programs/showpolicy | |
parent | 7c383bc22113b23718be89fe18eeb251942d7356 (diff) | |
download | vyos-strongswan-aa0f5b38aec14428b4b80e06f90ff781f8bca5f1.tar.gz vyos-strongswan-aa0f5b38aec14428b4b80e06f90ff781f8bca5f1.zip |
Import initial strongswan 2.7.0 version into SVN.
Diffstat (limited to 'programs/showpolicy')
-rw-r--r-- | programs/showpolicy/.cvsignore | 1 | ||||
-rw-r--r-- | programs/showpolicy/Makefile | 38 | ||||
-rw-r--r-- | programs/showpolicy/showpolicy.8 | 41 | ||||
-rw-r--r-- | programs/showpolicy/showpolicy.c | 251 |
4 files changed, 331 insertions, 0 deletions
diff --git a/programs/showpolicy/.cvsignore b/programs/showpolicy/.cvsignore new file mode 100644 index 000000000..e4fad4e23 --- /dev/null +++ b/programs/showpolicy/.cvsignore @@ -0,0 +1 @@ +showpolicy diff --git a/programs/showpolicy/Makefile b/programs/showpolicy/Makefile new file mode 100644 index 000000000..b3ea5a0a8 --- /dev/null +++ b/programs/showpolicy/Makefile @@ -0,0 +1,38 @@ +# Makefile for the KLIPS interface utilities +# Copyright (C) 2003 Michael Richardson <mcr@freeswan.org> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $ + +FREESWANSRCDIR=../.. +include ${FREESWANSRCDIR}/Makefile.inc + +PROGRAM=showpolicy +EXTRA5PROC=${PROGRAM}.8 + +LIBS=${POLICYLIB} ${FREESWANLIB} + +include ../Makefile.program + +# +# $Log: Makefile,v $ +# Revision 1.1 2004/03/15 20:35:31 as +# added files from freeswan-2.04-x509-1.5.3 +# +# Revision 1.2 2003/05/14 02:12:27 mcr +# addition of CGI-focused interface to policy lookup interface +# +# Revision 1.1 2003/05/11 00:45:08 mcr +# program to interogate ipsec policy of stdin. +# run this from inetd. +# +# diff --git a/programs/showpolicy/showpolicy.8 b/programs/showpolicy/showpolicy.8 new file mode 100644 index 000000000..4fbc2e40e --- /dev/null +++ b/programs/showpolicy/showpolicy.8 @@ -0,0 +1,41 @@ +.TH IPSEC_SHOWPOLICY 8 "7 May 2003" +.\" +.\" RCSID $Id: showpolicy.8,v 1.1 2004/03/15 20:35:31 as Exp $ +.\" +.SH NAME +ipsec showpolicy \- dump policy of socket found as stdin +.SH SYNOPSIS +.PP +.B ipsec +.B showpolicy +.PP +.SH DESCRIPTION +.I showpolicy +calls the +.IR ipsec_policy_lookup (3) +function on the file description which is its stdin. +.PP +It then dumps the resulting query in a human readable form. +.PP +This is a test program. One might run it from inetd, via: +.TP +discard stream tcp nowait nobody /usr/local/libexec/ipsec/showpolicy showpolicy +.SH FILES +/var/run/ipsecpolicy.ctl +.SH "SEE ALSO" +ipsec(8), ipsec_policy_query(3), ipsec_pluto(8) +.SH HISTORY +Written for the Linux FreeS/WAN project +<http://www.freeswan.org/> +by Michael Richardson +.SH BUGS +.\" +.\" $Log: showpolicy.8,v $ +.\" Revision 1.1 2004/03/15 20:35:31 as +.\" added files from freeswan-2.04-x509-1.5.3 +.\" +.\" Revision 1.1 2003/05/11 00:45:08 mcr +.\" program to interogate ipsec policy of stdin. +.\" run this from inetd. +.\" +.\" diff --git a/programs/showpolicy/showpolicy.c b/programs/showpolicy/showpolicy.c new file mode 100644 index 000000000..114cc3936 --- /dev/null +++ b/programs/showpolicy/showpolicy.c @@ -0,0 +1,251 @@ +/* + * A program to dump the IPsec status of the socket found on stdin. + * Run me from inetd, for instance. + * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +char showpolicy_version[] = "RCSID $Id: showpolicy.c,v 1.1 2004/03/15 20:35:31 as Exp $"; + +#include <stdio.h> +#include <unistd.h> +#include <stdlib.h> +#include <sys/socket.h> +#include <getopt.h> +#include "freeswan.h" +#include "freeswan/ipsec_policy.h" + +char *program_name; + +static void +help(void) +{ + fprintf(stderr, + "Usage:\n\n" + "showpolicy" + " [--cgi] lookup the particulars from CGI variables.\n" + " [--socket] lookup the particulars from the socket on stdin.\n" + " [--textual] dump output in human friendly form\n" + " [--plaintext X] string to dump if no security\n" + " [--vpntext X] string to dump if VPN configured tunnel\n" + " [--privacytext X] string to dump if just plain DNS OE\n" + " [--dnssectext X] string to dump if just DNSSEC OE\n" + "\n\n" + "FreeS/WAN %s\n", + ipsec_version_code()); +} + +static const struct option long_opts[] = { + /* name, has_arg, flag, val */ + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'V' }, + { "socket", no_argument, NULL, 'i' }, + { "cgi", no_argument, NULL, 'g' }, + { "textual", no_argument, NULL, 't' }, + { "plaintext", required_argument, NULL, 'c' }, + { "vpntext", required_argument, NULL, 'v' }, + { "privacytext", required_argument, NULL, 'p' }, + { "dnssectext", required_argument, NULL, 's' }, + { 0,0,0,0 } +}; + +void dump_policyreply(struct ipsec_policy_cmd_query *q) +{ + char src[ADDRTOT_BUF], dst[ADDRTOT_BUF]; + + /* now print it! */ + addrtot(&q->query_local, 0, src, sizeof(src)); + addrtot(&q->query_remote, 0, dst, sizeof(dst)); + + printf("Results of query on %s -> %s with seq %d\n", + src, dst, q->head.ipm_msg_seq); + + printf("Received reply of %d bytes.\n", q->head.ipm_msg_len); + + printf("Strength: %d\n", q->strength); + printf("Bandwidth: %d\n", q->bandwidth); + printf("authdetail: %d\n", q->auth_detail); + printf("esp_detail: %d\n", q->esp_detail); + printf("comp_detail: %d\n",q->comp_detail); + + printf("credentials: %d\n", q->credential_count); + if(q->credential_count > 0) { + int c; + + for(c=0; c<q->credential_count; c++) { + switch(q->credentials[c].ii_format) { + case CERT_DNS_SIGNED_KEY: + printf("\tDNSSEC identity: %s (SIG %s)\n", + q->credentials[c].ii_credential.ipsec_dns_signed.fqdn, + q->credentials[c].ii_credential.ipsec_dns_signed.dns_sig); + break; + + case CERT_RAW_RSA: + printf("\tlocal identity: %s\n", + q->credentials[c].ii_credential.ipsec_raw_key.id_name); + + case CERT_NONE: + printf("\tDNS identity: %s\n", + q->credentials[c].ii_credential.ipsec_dns_signed.fqdn); + break; + + default: + printf("\tUnknown identity type %d", q->credentials[c].ii_format); + break; + } + } + } +} + + +int main(int argc, char *argv[]) +{ + struct ipsec_policy_cmd_query q; + err_t ret; + int c; + + /* set the defaults */ + char lookup_style = 'i'; + char output_style = 's'; + + char *plaintext = "clear"; + char *vpntext = "vpn"; + char *privacytext = "private"; + char *dnssectext = "secure"; + + while((c = getopt_long(argc, argv, "hVighc:v:p:s:", long_opts, 0))!=EOF) { + switch (c) { + default: + case 'h': /* --help */ + help(); + return 0; /* GNU coding standards say to stop here */ + + case 'V': /* --version */ + fprintf(stderr, "FreeS/WAN %s\n", ipsec_version_code()); + return 0; /* GNU coding standards say to stop here */ + + case 'i': + if(isatty(0)) { + printf("please run this connected to a socket\n"); + exit(1); + } + + lookup_style = 'i'; + break; + + case 'g': + lookup_style = 'g'; + break; + + case 't': + output_style = 't'; + break; + + case 'c': + plaintext = optarg; + break; + + case 'v': + vpntext = optarg; + break; + + case 'p': + privacytext = optarg; + break; + + case 's': + dnssectext = optarg; + break; + } + } + + if((ret = ipsec_policy_init()) != NULL) { + perror(ret); + exit(2); + } + + switch(lookup_style) { + case 'i': + if((ret = ipsec_policy_lookup(0, &q)) != NULL) { + perror(ret); + exit(3); + } + break; + + case 'g': + if((ret = ipsec_policy_cgilookup(&q)) != NULL) { + perror(ret); + exit(3); + } + break; + + default: + abort(); + break; + } + + + if(output_style == 't') { + dump_policyreply(&q); + } else { + /* start by seeing if there was any crypto */ + if(q.strength < IPSEC_PRIVACY_PRIVATE) { + /* no, so say clear */ + puts(plaintext); + exit(0); + } + + /* we now it is crypto, but authentic is it? */ + if(q.credential_count == 0) { + puts(vpntext); + exit(0); + } + + switch(q.credentials[0].ii_format) { + case CERT_DNS_SIGNED_KEY: + puts(dnssectext); + exit(0); + + case CERT_RAW_RSA: + puts(vpntext); + exit(0); + + default: + puts(privacytext); + exit(0); + } + } + + exit(0); +} + +/* + * $Log: showpolicy.c,v $ + * Revision 1.1 2004/03/15 20:35:31 as + * added files from freeswan-2.04-x509-1.5.3 + * + * Revision 1.4 2003/05/14 15:46:44 mcr + * switch statement was missing break statements and was running on. + * + * Revision 1.3 2003/05/14 02:12:27 mcr + * addition of CGI-focused interface to policy lookup interface + * + * Revision 1.2 2003/05/13 03:25:34 mcr + * print credentials, if any were provided. + * + * Revision 1.1 2003/05/11 00:45:08 mcr + * program to interogate ipsec policy of stdin. + * run this from inetd. + * + * + * + */ |