Diffstat (limited to 'programs/showpolicy')
-rw-r--r--programs/showpolicy/.cvsignore1
-rw-r--r--programs/showpolicy/Makefile38
-rw-r--r--programs/showpolicy/showpolicy.841
-rw-r--r--programs/showpolicy/showpolicy.c251
4 files changed, 331 insertions, 0 deletions
diff --git a/programs/showpolicy/.cvsignore b/programs/showpolicy/.cvsignore
new file mode 100644
index 000000000..e4fad4e23
--- /dev/null
+++ b/programs/showpolicy/.cvsignore
@@ -0,0 +1 @@
+showpolicy
diff --git a/programs/showpolicy/Makefile b/programs/showpolicy/Makefile
new file mode 100644
index 000000000..b3ea5a0a8
--- /dev/null
+++ b/programs/showpolicy/Makefile
@@ -0,0 +1,38 @@
+# Makefile for the KLIPS interface utilities
+# Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=showpolicy
+EXTRA5PROC=${PROGRAM}.8
+
+LIBS=${POLICYLIB} ${FREESWANLIB}
+
+include ../Makefile.program
+
+#
+# $Log: Makefile,v $
+# Revision 1.1 2004/03/15 20:35:31 as
+# added files from freeswan-2.04-x509-1.5.3
+#
+# Revision 1.2 2003/05/14 02:12:27 mcr
+# addition of CGI-focused interface to policy lookup interface
+#
+# Revision 1.1 2003/05/11 00:45:08 mcr
+# program to interogate ipsec policy of stdin.
+# run this from inetd.
+#
+#
diff --git a/programs/showpolicy/showpolicy.8 b/programs/showpolicy/showpolicy.8
new file mode 100644
index 000000000..4fbc2e40e
--- /dev/null
+++ b/programs/showpolicy/showpolicy.8
@@ -0,0 +1,41 @@
+.TH IPSEC_SHOWPOLICY 8 "7 May 2003"
+.\"
+.\" RCSID $Id: showpolicy.8,v 1.1 2004/03/15 20:35:31 as Exp $
+.\"
+.SH NAME
+ipsec showpolicy \- dump policy of socket found as stdin
+.SH SYNOPSIS
+.PP
+.B ipsec
+.B showpolicy
+.PP
+.SH DESCRIPTION
+.I showpolicy
+calls the
+.IR ipsec_policy_lookup (3)
+function on the file description which is its stdin.
+.PP
+It then dumps the resulting query in a human readable form.
+.PP
+This is a test program. One might run it from inetd, via:
+.TP
+discard stream tcp nowait nobody /usr/local/libexec/ipsec/showpolicy showpolicy
+.SH FILES
+/var/run/ipsecpolicy.ctl
+.SH "SEE ALSO"
+ipsec(8), ipsec_policy_query(3), ipsec_pluto(8)
+.SH HISTORY
+Written for the Linux FreeS/WAN project
+<http://www.freeswan.org/>
+by Michael Richardson
+.SH BUGS
+.\"
+.\" $Log: showpolicy.8,v $
+.\" Revision 1.1 2004/03/15 20:35:31 as
+.\" added files from freeswan-2.04-x509-1.5.3
+.\"
+.\" Revision 1.1 2003/05/11 00:45:08 mcr
+.\" program to interogate ipsec policy of stdin.
+.\" run this from inetd.
+.\"
+.\"
diff --git a/programs/showpolicy/showpolicy.c b/programs/showpolicy/showpolicy.c
new file mode 100644
index 000000000..114cc3936
--- /dev/null
+++ b/programs/showpolicy/showpolicy.c
@@ -0,0 +1,251 @@
+/*
+ * A program to dump the IPsec status of the socket found on stdin.
+ * Run me from inetd, for instance.
+ * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+char showpolicy_version[] = "RCSID $Id: showpolicy.c,v 1.1 2004/03/15 20:35:31 as Exp $";
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <getopt.h>
+#include "freeswan.h"
+#include "freeswan/ipsec_policy.h"
+
+char *program_name;
+
+static void
+help(void)
+{
+ fprintf(stderr,
+ "Usage:\n\n"
+ "showpolicy"
+ " [--cgi] lookup the particulars from CGI variables.\n"
+ " [--socket] lookup the particulars from the socket on stdin.\n"
+ " [--textual] dump output in human friendly form\n"
+ " [--plaintext X] string to dump if no security\n"
+ " [--vpntext X] string to dump if VPN configured tunnel\n"
+ " [--privacytext X] string to dump if just plain DNS OE\n"
+ " [--dnssectext X] string to dump if just DNSSEC OE\n"
+ "\n\n"
+ "FreeS/WAN %s\n",
+ ipsec_version_code());
+}
+
+static const struct option long_opts[] = {
+ /* name, has_arg, flag, val */
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, 'V' },
+ { "socket", no_argument, NULL, 'i' },
+ { "cgi", no_argument, NULL, 'g' },
+ { "textual", no_argument, NULL, 't' },
+ { "plaintext", required_argument, NULL, 'c' },
+ { "vpntext", required_argument, NULL, 'v' },
+ { "privacytext", required_argument, NULL, 'p' },
+ { "dnssectext", required_argument, NULL, 's' },
+ { 0,0,0,0 }
+};
+
+void dump_policyreply(struct ipsec_policy_cmd_query *q)
+{
+ char src[ADDRTOT_BUF], dst[ADDRTOT_BUF];
+
+ /* now print it! */
+ addrtot(&q->query_local, 0, src, sizeof(src));
+ addrtot(&q->query_remote, 0, dst, sizeof(dst));
+
+ printf("Results of query on %s -> %s with seq %d\n",
+ src, dst, q->head.ipm_msg_seq);
+
+ printf("Received reply of %d bytes.\n", q->head.ipm_msg_len);
+
+ printf("Strength: %d\n", q->strength);
+ printf("Bandwidth: %d\n", q->bandwidth);
+ printf("authdetail: %d\n", q->auth_detail);
+ printf("esp_detail: %d\n", q->esp_detail);
+ printf("comp_detail: %d\n",q->comp_detail);
+
+ printf("credentials: %d\n", q->credential_count);
+ if(q->credential_count > 0) {
+ int c;
+
+ for(c=0; c<q->credential_count; c++) {
+ switch(q->credentials[c].ii_format) {
+ case CERT_DNS_SIGNED_KEY:
+ printf("\tDNSSEC identity: %s (SIG %s)\n",
+ q->credentials[c].ii_credential.ipsec_dns_signed.fqdn,
+ q->credentials[c].ii_credential.ipsec_dns_signed.dns_sig);
+ break;
+
+ case CERT_RAW_RSA:
+ printf("\tlocal identity: %s\n",
+ q->credentials[c].ii_credential.ipsec_raw_key.id_name);
+
+ case CERT_NONE:
+ printf("\tDNS identity: %s\n",
+ q->credentials[c].ii_credential.ipsec_dns_signed.fqdn);
+ break;
+
+ default:
+ printf("\tUnknown identity type %d", q->credentials[c].ii_format);
+ break;
+ }
+ }
+ }
+}
+
+
+int main(int argc, char *argv[])
+{
+ struct ipsec_policy_cmd_query q;
+ err_t ret;
+ int c;
+
+ /* set the defaults */
+ char lookup_style = 'i';
+ char output_style = 's';
+
+ char *plaintext = "clear";
+ char *vpntext = "vpn";
+ char *privacytext = "private";
+ char *dnssectext = "secure";
+
+ while((c = getopt_long(argc, argv, "hVighc:v:p:s:", long_opts, 0))!=EOF) {
+ switch (c) {
+ default:
+ case 'h': /* --help */
+ help();
+ return 0; /* GNU coding standards say to stop here */
+
+ case 'V': /* --version */
+ fprintf(stderr, "FreeS/WAN %s\n", ipsec_version_code());
+ return 0; /* GNU coding standards say to stop here */
+
+ case 'i':
+ if(isatty(0)) {
+ printf("please run this connected to a socket\n");
+ exit(1);
+ }
+
+ lookup_style = 'i';
+ break;
+
+ case 'g':
+ lookup_style = 'g';
+ break;
+
+ case 't':
+ output_style = 't';
+ break;
+
+ case 'c':
+ plaintext = optarg;
+ break;
+
+ case 'v':
+ vpntext = optarg;
+ break;
+
+ case 'p':
+ privacytext = optarg;
+ break;
+
+ case 's':
+ dnssectext = optarg;
+ break;
+ }
+ }
+
+ if((ret = ipsec_policy_init()) != NULL) {
+ perror(ret);
+ exit(2);
+ }
+
+ switch(lookup_style) {
+ case 'i':
+ if((ret = ipsec_policy_lookup(0, &q)) != NULL) {
+ perror(ret);
+ exit(3);
+ }
+ break;
+
+ case 'g':
+ if((ret = ipsec_policy_cgilookup(&q)) != NULL) {
+ perror(ret);
+ exit(3);
+ }
+ break;
+
+ default:
+ abort();
+ break;
+ }
+
+
+ if(output_style == 't') {
+ dump_policyreply(&q);
+ } else {
+ /* start by seeing if there was any crypto */
+ if(q.strength < IPSEC_PRIVACY_PRIVATE) {
+ /* no, so say clear */
+ puts(plaintext);
+ exit(0);
+ }
+
+ /* we now it is crypto, but authentic is it? */
+ if(q.credential_count == 0) {
+ puts(vpntext);
+ exit(0);
+ }
+
+ switch(q.credentials[0].ii_format) {
+ case CERT_DNS_SIGNED_KEY:
+ puts(dnssectext);
+ exit(0);
+
+ case CERT_RAW_RSA:
+ puts(vpntext);
+ exit(0);
+
+ default:
+ puts(privacytext);
+ exit(0);
+ }
+ }
+
+ exit(0);
+}
+
+/*
+ * $Log: showpolicy.c,v $
+ * Revision 1.1 2004/03/15 20:35:31 as
+ * added files from freeswan-2.04-x509-1.5.3
+ *
+ * Revision 1.4 2003/05/14 15:46:44 mcr
+ * switch statement was missing break statements and was running on.
+ *
+ * Revision 1.3 2003/05/14 02:12:27 mcr
+ * addition of CGI-focused interface to policy lookup interface
+ *
+ * Revision 1.2 2003/05/13 03:25:34 mcr
+ * print credentials, if any were provided.
+ *
+ * Revision 1.1 2003/05/11 00:45:08 mcr
+ * program to interogate ipsec policy of stdin.
+ * run this from inetd.
+ *
+ *
+ *
+ */
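Review bot: In dump_policyreply the `case CERT_RAW_RSA:` arm has no `break;` after its printf, so a raw-RSA credential falls into `case CERT_NONE:` and prints `ii_credential.ipsec_dns_signed.fqdn` — a different union member from the `ipsec_raw_key` one that was just read — which for a raw key is an unrelated byte pattern interpreted as a string; the 1.4 log entry says the run-on switch was fixed, so this looks like a leftover, and the fix is `break;` after the `id_name` printf (or a `/* fallthrough */` marker if it really is intended). The loop `for(c=0; c<q->credential_count; c++)` also trusts a count that arrives in the reply from the policy socket; if `credentials` is a fixed-size array in struct ipsec_policy_cmd_query (its definition is not in this diff), the loop and the `%s` prints should be bounded by that capacity and the strings NUL-terminated before printing, since a malformed or oversized reply otherwise walks past the struct. Two smaller points: the short option string `"hVighc:v:p:s:"` lists `h` twice and omits `t`, so `-t` falls into the `default:` arm and prints help while `--textual` works, and the `Unknown identity type %d` printf lacks a trailing `\n`.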