diff options
Diffstat (limited to 'src/pool/pool_attributes.c')
-rw-r--r-- | src/pool/pool_attributes.c | 716 |
1 files changed, 716 insertions, 0 deletions
diff --git a/src/pool/pool_attributes.c b/src/pool/pool_attributes.c new file mode 100644 index 000000000..72af4f494 --- /dev/null +++ b/src/pool/pool_attributes.c @@ -0,0 +1,716 @@ +/* + * Copyright (C) 2009-2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE +#include <string.h> + +#include <library.h> +#include <networking/host.h> + +#include "pool_attributes.h" +#include "pool_usage.h" + +/** + * global database handle + */ +extern database_t *db; + +#define UNITY_NETWORK_LEN 14 + +ENUM(value_type_names, VALUE_HEX, VALUE_SUBNET, + "hex", + "string", + "addr", + "subnet" +); + +typedef struct attr_info_t attr_info_t; + +struct attr_info_t { + char* keyword; + value_type_t value_type; + configuration_attribute_type_t type; + configuration_attribute_type_t type_ip6; +}; + +static const attr_info_t attr_info[] = { + { "internal_ip4_netmask", VALUE_ADDR, INTERNAL_IP4_NETMASK, 0 }, + { "internal_ip6_netmask", VALUE_ADDR, INTERNAL_IP6_NETMASK, 0 }, + { "netmask", VALUE_ADDR, INTERNAL_IP4_NETMASK, + INTERNAL_IP6_NETMASK }, + { "internal_ip4_dns", VALUE_ADDR, INTERNAL_IP4_DNS, 0 }, + { "internal_ip6_dns", VALUE_ADDR, INTERNAL_IP6_DNS, 0 }, + { "dns", VALUE_ADDR, INTERNAL_IP4_DNS, + INTERNAL_IP6_DNS }, + { "internal_ip4_nbns", VALUE_ADDR, INTERNAL_IP4_NBNS, 0 }, + { "internal_ip6_nbns", VALUE_ADDR, INTERNAL_IP6_NBNS, 0 }, + { "nbns", VALUE_ADDR, INTERNAL_IP4_NBNS, + INTERNAL_IP6_NBNS }, + { "wins", VALUE_ADDR, INTERNAL_IP4_NBNS, + INTERNAL_IP6_NBNS }, + { "internal_ip4_dhcp", VALUE_ADDR, INTERNAL_IP4_DHCP, 0 }, + { "internal_ip6_dhcp", VALUE_ADDR, INTERNAL_IP6_DHCP, 0 }, + { "dhcp", VALUE_ADDR, INTERNAL_IP4_DHCP, + INTERNAL_IP6_DHCP }, + { "internal_ip4_server", VALUE_ADDR, INTERNAL_IP4_SERVER, 0 }, + { "internal_ip6_server", VALUE_ADDR, INTERNAL_IP6_SERVER, 0 }, + { "server", VALUE_ADDR, INTERNAL_IP4_SERVER, + INTERNAL_IP6_SERVER }, + { "application_version", VALUE_STRING, APPLICATION_VERSION, 0 }, + { "version", VALUE_STRING, APPLICATION_VERSION, 0 }, + { "unity_banner", VALUE_STRING, UNITY_BANNER, 0 }, + { "banner", VALUE_STRING, UNITY_BANNER, 0 }, + { "unity_def_domain", VALUE_STRING, UNITY_DEF_DOMAIN, 0 }, + { "unity_splitdns_name", VALUE_STRING, UNITY_SPLITDNS_NAME, 0 }, + { "unity_split_include", VALUE_SUBNET, UNITY_SPLIT_INCLUDE, 0 }, + { "unity_split_exclude", VALUE_SUBNET, UNITY_LOCAL_LAN, 0 }, + { "unity_local_lan", VALUE_SUBNET, UNITY_LOCAL_LAN, 0 }, +}; + +/** + * Determine the type of the attribute and its value + */ +static bool parse_attributes(char *name, char *value, value_type_t *value_type, + configuration_attribute_type_t *type, + configuration_attribute_type_t *type_ip6, + chunk_t *blob) +{ + host_t *addr = NULL, *mask = NULL; + chunk_t addr_chunk, mask_chunk, blob_next; + char *text = "", *pos_addr, *pos_mask, *pos_next, *endptr; + int i; + + switch (*value_type) + { + case VALUE_STRING: + *blob = chunk_create(value, strlen(value)); + *blob = chunk_clone(*blob); + break; + case VALUE_HEX: + *blob = chunk_from_hex(chunk_create(value, strlen(value)), NULL); + break; + case VALUE_ADDR: + addr = host_create_from_string(value, 0); + if (addr == NULL) + { + fprintf(stderr, "invalid IP address: '%s'.\n", value); + return FALSE; + } + addr_chunk = addr->get_address(addr); + *blob = chunk_clone(addr_chunk); + break; + case VALUE_SUBNET: + *blob = chunk_empty; + pos_next = value; + + do + { + pos_addr = pos_next; + pos_next = strchr(pos_next, ','); + if (pos_next) + { + *pos_next = '\0'; + pos_next += 1; + } + pos_mask = strchr(pos_addr, '/'); + if (pos_mask == NULL) + { + fprintf(stderr, "invalid IPv4 subnet: '%s'.\n", pos_addr); + free(blob->ptr); + return FALSE; + } + *pos_mask = '\0'; + pos_mask += 1; + addr = host_create_from_string(pos_addr, 0); + mask = host_create_from_string(pos_mask, 0); + if (addr == NULL || addr->get_family(addr) != AF_INET || + mask == NULL || mask->get_family(addr) != AF_INET) + { + fprintf(stderr, "invalid IPv4 subnet: '%s/%s'.\n", + pos_addr, pos_mask); + DESTROY_IF(addr); + DESTROY_IF(mask); + free(blob->ptr); + return FALSE; + } + addr_chunk = addr->get_address(addr); + mask_chunk = mask->get_address(mask); + blob_next = chunk_alloc(blob->len + UNITY_NETWORK_LEN); + memcpy(blob_next.ptr, blob->ptr, blob->len); + pos_addr = blob_next.ptr + blob->len; + memset(pos_addr, 0x00, UNITY_NETWORK_LEN); + memcpy(pos_addr, addr_chunk.ptr, 4); + memcpy(pos_addr + 4, mask_chunk.ptr, 4); + addr->destroy(addr); + addr = NULL; + mask->destroy(mask); + chunk_free(blob); + *blob = blob_next; + } + while (pos_next); + break; + case VALUE_NONE: + *blob = chunk_empty; + break; + } + + /* init the attribute type */ + *type = 0; + *type_ip6 = 0; + + for (i = 0; i < countof(attr_info); i++) + { + if (strcaseeq(name, attr_info[i].keyword)) + { + *type = attr_info[i].type; + *type_ip6 = attr_info[i].type_ip6; + + if (*value_type == VALUE_NONE) + { + *value_type = attr_info[i].value_type; + return TRUE; + } + + if (*value_type != attr_info[i].value_type && + *value_type != VALUE_HEX) + { + switch (attr_info[i].value_type) + { + case VALUE_STRING: + text = "a string"; + break; + case VALUE_HEX: + text = "a hex"; + break; + case VALUE_ADDR: + text = "an IP address"; + break; + case VALUE_SUBNET: + text = "a subnet"; + break; + case VALUE_NONE: + text = "no"; + break; + } + fprintf(stderr, "the %s attribute requires %s value.\n", + name, text); + DESTROY_IF(addr); + free(blob->ptr); + return FALSE; + } + + if (*value_type == VALUE_ADDR) + { + *type = (addr->get_family(addr) == AF_INET) ? + attr_info[i].type : attr_info[i].type_ip6; + addr->destroy(addr); + } + else if (*value_type == VALUE_HEX) + { + *value_type = attr_info[i].value_type; + + if (*value_type == VALUE_ADDR) + { + if (blob->len == 16) + { + *type = attr_info[i].type_ip6; + } + else if (blob->len != 4) + { + fprintf(stderr, "the %s attribute requires " + "a valid IP address.\n", name); + free(blob->ptr); + return FALSE; + } + } + } + return TRUE; + } + } + + /* clean up */ + DESTROY_IF(addr); + + /* is the attribute type numeric? */ + *type = strtol(name, &endptr, 10); + + if (*endptr != '\0') + { + fprintf(stderr, "the %s attribute is not recognized.\n", name); + free(blob->ptr); + return FALSE; + } + if (*type < 1 || *type > 32767) + { + fprintf(stderr, "the attribute type must lie in the range 1..32767.\n"); + free(blob->ptr); + return FALSE; + } + if (*value_type == VALUE_NONE) + { + *value_type = VALUE_HEX; + } + return TRUE; +} + +/** + * Lookup/insert an attribute pool by name + */ +static u_int get_attr_pool(char *name) +{ + enumerator_t *e; + u_int row = 0; + + /* look for an existing attribute pool in the table */ + e = db->query(db, "SELECT id FROM attribute_pools WHERE name = ?", + DB_TEXT, name, DB_UINT); + if (e && e->enumerate(e, &row)) + { + e->destroy(e); + return row; + } + DESTROY_IF(e); + /* not found, insert new one */ + if (db->execute(db, &row, "INSERT INTO attribute_pools (name) VALUES (?)", + DB_TEXT, name) != 1) + { + fprintf(stderr, "creating attribute pool '%s' failed.\n", name); + return 0; + } + return row; +} + +/** + * Lookup/insert an identity + */ +u_int get_identity(identification_t *id) +{ + enumerator_t *e; + u_int row; + + /* look for peer identity in the identities table */ + e = db->query(db, "SELECT id FROM identities WHERE type = ? AND data = ?", + DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id), DB_UINT); + if (e && e->enumerate(e, &row)) + { + e->destroy(e); + return row; + } + DESTROY_IF(e); + /* not found, insert new one */ + if (db->execute(db, &row, "INSERT INTO identities (type,data) VALUES (?,?)", + DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id)) != 1) + { + fprintf(stderr, "creating id '%Y' failed.\n", id); + return 0; + } + return row; +} + +/** + * ipsec pool --addattr <type> - add attribute entry + */ +void add_attr(char *name, char *pool, char *identity, + char *value, value_type_t value_type) +{ + configuration_attribute_type_t type, type_ip6; + u_int pool_id = 0, identity_id = 0; + char id_pool_str[128] = ""; + chunk_t blob; + bool success; + + if (pool) + { + pool_id = get_attr_pool(pool); + if (pool_id == 0) + { + exit(EXIT_FAILURE); + } + + if (identity) + { + identification_t *id; + + id = identification_create_from_string(identity); + identity_id = get_identity(id); + id->destroy(id); + if (identity_id == 0) + { + exit(EXIT_FAILURE); + } + snprintf(id_pool_str, sizeof(id_pool_str), + " for '%s' in pool '%s'", identity, pool); + } + else + { + snprintf(id_pool_str, sizeof(id_pool_str), " in pool '%s'", pool); + } + } + + if (value_type == VALUE_NONE) + { + fprintf(stderr, "the value of the %s attribute is missing.\n", name); + usage(); + } + if (!parse_attributes(name, value, &value_type, &type, &type_ip6, &blob)) + { + exit(EXIT_FAILURE); + } + + success = db->execute(db, NULL, + "INSERT INTO attributes (identity, pool, type, value) " + "VALUES (?, ?, ?, ?)", DB_UINT, identity_id, DB_UINT, pool_id, + DB_INT, type, DB_BLOB, blob) == 1; + free(blob.ptr); + + if (success) + { + printf("added %s attribute (%N)%s.\n", name, + configuration_attribute_type_names, type, id_pool_str); + } + else + { + fprintf(stderr, "adding %s attribute (%N)%s failed.\n", name, + configuration_attribute_type_names, type, id_pool_str); + } +} + +/** + * ipsec pool --delattr <type> - delete attribute entry + */ +void del_attr(char *name, char *pool, char *identity, + char *value, value_type_t value_type) +{ + configuration_attribute_type_t type, type_ip6, type_db; + u_int pool_id = 0, identity_id = 0; + char id_pool_str[128] = ""; + chunk_t blob, blob_db; + u_int id; + enumerator_t *query; + bool found = FALSE; + + if (pool) + { + pool_id = get_attr_pool(pool); + if (pool_id == 0) + { + exit(EXIT_FAILURE); + } + + if (identity) + { + identification_t *id; + + id = identification_create_from_string(identity); + identity_id = get_identity(id); + id->destroy(id); + if (identity_id == 0) + { + exit(EXIT_FAILURE); + } + snprintf(id_pool_str, sizeof(id_pool_str), + " for '%s' in pool '%s'", identity, pool); + } + else + { + snprintf(id_pool_str, sizeof(id_pool_str), " in pool '%s'", pool); + } + } + + if (!parse_attributes(name, value, &value_type, &type, &type_ip6, &blob)) + { + exit(EXIT_FAILURE); + } + + if (blob.len > 0) + { + query = db->query(db, + "SELECT id, type, value FROM attributes " + "WHERE identity = ? AND pool = ? AND type = ? AND value = ?", + DB_UINT, identity_id, DB_UINT, pool_id, DB_INT, type, + DB_BLOB, blob, DB_UINT, DB_INT, DB_BLOB); + } + else if (type_ip6 == 0) + { + query = db->query(db, + "SELECT id, type, value FROM attributes " + "WHERE identity = ? AND pool = ? AND type = ?", + DB_UINT, identity_id, DB_UINT, pool_id, DB_INT, type, + DB_UINT, DB_INT, DB_BLOB); + } + else + { + query = db->query(db, + "SELECT id, type, value FROM attributes " + "WHERE identity = ? AND pool = ? AND (type = ? OR type = ?)", + DB_UINT, identity_id, DB_UINT, pool_id, DB_INT, type, + DB_INT, type_ip6, DB_UINT, DB_INT, DB_BLOB); + } + + if (!query) + { + fprintf(stderr, "deleting '%s' attribute (%N)%s failed.\n", + name, configuration_attribute_type_names, type, id_pool_str); + free(blob.ptr); + exit(EXIT_FAILURE); + } + + while (query->enumerate(query, &id, &type_db, &blob_db)) + { + host_t *server = NULL; + + found = TRUE; + + if (value_type == VALUE_ADDR) + { + int family = (type_db == type_ip6) ? AF_INET6 : AF_INET; + + server = host_create_from_chunk(family, blob_db, 0); + } + + if (db->execute(db, NULL, + "DELETE FROM attributes WHERE id = ?", + DB_UINT, id) != 1) + { + if (server) + { + fprintf(stderr, "deleting %s server %H%s failed\n", + name, server, id_pool_str); + server->destroy(server); + } + else if (value_type == VALUE_STRING) + { + fprintf(stderr, "deleting %s attribute (%N) with value '%.*s'%s failed.\n", + name, configuration_attribute_type_names, type, + (int)blob_db.len, blob_db.ptr, id_pool_str); + } + + else + { + fprintf(stderr, "deleting %s attribute (%N) with value %#B%s failed.\n", + name, configuration_attribute_type_names, type, + &blob_db, id_pool_str); + } + query->destroy(query); + free(blob.ptr); + exit(EXIT_FAILURE); + } + if (server) + { + printf("deleted %s server %H%s\n", name, server, id_pool_str); + server->destroy(server); + } + else if (value_type == VALUE_STRING) + { + printf("deleted %s attribute (%N) with value '%.*s'%s.\n", + name, configuration_attribute_type_names, type, + (int)blob_db.len, blob_db.ptr, id_pool_str); + } + else + { + printf("deleted %s attribute (%N) with value %#B%s.\n", + name, configuration_attribute_type_names, type, + &blob_db, id_pool_str); + } + } + query->destroy(query); + + if (!found) + { + if (blob.len == 0) + { + if (type_ip6 == 0) + { + fprintf(stderr, "no %s attribute (%N) was found%s.\n", name, + configuration_attribute_type_names, type, id_pool_str); + } + else + { + fprintf(stderr, "no %s attribute%s was found.\n", + name, id_pool_str); + } + } + else + { + if (value_type == VALUE_ADDR) + { + host_t *server = host_create_from_chunk(AF_UNSPEC, blob, 0); + + fprintf(stderr, "the %s server %H%s was not found.\n", name, + server, id_pool_str); + server->destroy(server); + } + else + { + fprintf(stderr, "the %s attribute (%N) with value '%.*s'%s " + "was not found.\n", name, + configuration_attribute_type_names, type, + (int)blob.len, blob.ptr, id_pool_str); + } + } + } + free(blob.ptr); +} + +/** + * ipsec pool --statusattr - show all attribute entries + */ +void status_attr(bool hexout) +{ + configuration_attribute_type_t type; + value_type_t value_type; + chunk_t value, addr_chunk, mask_chunk, identity_chunk; + identification_t *identity; + enumerator_t *enumerator; + host_t *addr, *mask; + char type_name[30]; + bool first = TRUE; + int i, identity_type; + char *pool_name; + + /* enumerate over all attributes */ + enumerator = db->query(db, + "SELECT attributes.type, attribute_pools.name, " + "identities.type, identities.data, attributes.value " + "FROM attributes " + "LEFT OUTER JOIN identities " + "ON attributes.identity = identities.id " + "LEFT OUTER JOIN attribute_pools " + "ON attributes.pool = attribute_pools.id " + "ORDER BY attributes.type, attribute_pools.name, " + "identities.type, identities.data, attributes.value", + DB_INT, DB_TEXT, DB_INT, DB_BLOB, DB_BLOB); + if (enumerator) + { + while (enumerator->enumerate(enumerator, &type,&pool_name, + &identity_type, &identity_chunk, &value)) + { + if (first) + { + printf(" type description pool " + " identity value\n"); + first = FALSE; + } + snprintf(type_name, sizeof(type_name), "%N", + configuration_attribute_type_names, type); + if (type_name[0] == '(') + { + type_name[0] = '\0'; + } + printf("%5d %-20s ",type, type_name); + + printf(" %-10s ", (pool_name ? pool_name : "")); + + if (identity_type) + { + identity = identification_create_from_encoding(identity_type, identity_chunk); + printf(" %-20.20Y ", identity); + identity->destroy(identity); + } + else + { + printf(" "); + } + + value_type = VALUE_HEX; + if (!hexout) + { + for (i = 0; i < countof(attr_info); i++) + { + if (type == attr_info[i].type) + { + value_type = attr_info[i].value_type; + break; + } + } + } + switch (value_type) + { + case VALUE_ADDR: + addr = host_create_from_chunk(AF_UNSPEC, value, 0); + if (addr) + { + printf(" %H\n", addr); + addr->destroy(addr); + } + else + { + /* value cannot be represented as an IP address */ + printf(" %#B\n", &value); + } + break; + case VALUE_SUBNET: + if (value.len % UNITY_NETWORK_LEN == 0) + { + for (i = 0; i < value.len / UNITY_NETWORK_LEN; i++) + { + addr_chunk = chunk_create(value.ptr + i*UNITY_NETWORK_LEN, 4); + addr = host_create_from_chunk(AF_INET, addr_chunk, 0); + mask_chunk = chunk_create(addr_chunk.ptr + 4, 4); + mask = host_create_from_chunk(AF_INET, mask_chunk, 0); + printf("%s%H/%H", (i > 0) ? "," : " ", addr, mask); + addr->destroy(addr); + mask->destroy(mask); + } + printf("\n"); + } + else + { + /* value cannot be represented as a list of subnets */ + printf(" %#B\n", &value); + } + break; + case VALUE_STRING: + printf("\"%.*s\"\n", (int)value.len, value.ptr); + break; + case VALUE_HEX: + default: + printf(" %#B\n", &value); + } + } + enumerator->destroy(enumerator); + } +} + +/** + * ipsec pool --showattr - show all supported attribute keywords + */ +void show_attr(void) +{ + int i; + + for (i = 0; i < countof(attr_info); i++) + { + char value_name[10]; + + + snprintf(value_name, sizeof(value_name), "%N", + value_type_names, attr_info[i].value_type); + + printf("%-20s --%-6s (%N", + attr_info[i].keyword, value_name, + configuration_attribute_type_names, attr_info[i].type); + + if (attr_info[i].type_ip6) + { + printf(", %N)\n", + configuration_attribute_type_names, attr_info[i].type_ip6); + } + else + { + printf(")\n"); + } + } +} |