2 * A program to dump the IPsec status of the socket found on stdin.
3 * Run me from inetd, for instance.
4 * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
/* RCS id string embedded in the binary; the version shown to users is the
 * one returned by ipsec_version_code() (see --version below). */
17 char showpolicy_version
[] = "RCSID $Id: showpolicy.c,v 1.1 2004/03/15 20:35:31 as Exp $";
22 #include <sys/socket.h>
25 #include "freeswan/ipsec_policy.h"
35 " [--cgi] lookup the particulars from CGI variables.\n"
36 " [--socket] lookup the particulars from the socket on stdin.\n"
37 " [--textual] dump output in human friendly form\n"
38 " [--plaintext X] string to dump if no security\n"
39 " [--vpntext X] string to dump if VPN configured tunnel\n"
40 " [--privacytext X] string to dump if just plain DNS OE\n"
41 " [--dnssectext X] string to dump if just DNSSEC OE\n"
44 ipsec_version_code());
/*
 * Long option table for getopt_long().  Each entry maps a --long-name onto
 * the single character that main()'s option switch handles; the entries
 * taking an argument (the four output strings) are marked required_argument.
 * The table is closed by the all-zero sentinel getopt_long() requires.
 */
static const struct option long_opts[] = {
	{ .name = "help",        .has_arg = no_argument,       .flag = NULL, .val = 'h' },
	{ .name = "version",     .has_arg = no_argument,       .flag = NULL, .val = 'V' },
	{ .name = "socket",      .has_arg = no_argument,       .flag = NULL, .val = 'i' },
	{ .name = "cgi",         .has_arg = no_argument,       .flag = NULL, .val = 'g' },
	{ .name = "textual",     .has_arg = no_argument,       .flag = NULL, .val = 't' },
	{ .name = "plaintext",   .has_arg = required_argument, .flag = NULL, .val = 'c' },
	{ .name = "vpntext",     .has_arg = required_argument, .flag = NULL, .val = 'v' },
	{ .name = "privacytext", .has_arg = required_argument, .flag = NULL, .val = 'p' },
	{ .name = "dnssectext",  .has_arg = required_argument, .flag = NULL, .val = 's' },
	/* terminator: getopt_long() stops scanning at a NULL name */
	{ .name = NULL,          .has_arg = 0,                 .flag = NULL, .val = 0 }
};
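/*
 * Print a human-readable dump of the policy reply *q to stdout.
 *
 * This is the --textual output style.  The two endpoints are rendered with
 * addrtot(); the remaining header and detail fields are printed as plain
 * integers, and each of the credential_count entries in q->credentials
 * gets one line keyed on its ii_format.
 *
 * @param q  reply filled in by ipsec_policy_lookup()/ipsec_policy_cgilookup().
 *           NULL is tolerated and prints nothing.
 *
 * The "%s" conversions assume the fqdn/dns_sig/id_name strings inside the
 * reply are NUL-terminated within their fields — NOTE(review): confirm
 * against the struct definitions in ipsec_policy.h, since the reply is
 * data received over the policy socket.
 */
void dump_policyreply(struct ipsec_policy_cmd_query *q)
{
	char src[ADDRTOT_BUF], dst[ADDRTOT_BUF];

	if (q == NULL) {
		return;
	}

	/* render the endpoints of the query as text */
	addrtot(&q->query_local, 0, src, sizeof(src));
	addrtot(&q->query_remote, 0, dst, sizeof(dst));

	printf("Results of query on %s -> %s with seq %d\n",
	       src, dst, q->head.ipm_msg_seq);

	printf("Received reply of %d bytes.\n", q->head.ipm_msg_len);

	printf("Strength: %d\n", q->strength);
	printf("Bandwidth: %d\n", q->bandwidth);
	printf("authdetail: %d\n", q->auth_detail);
	printf("esp_detail: %d\n", q->esp_detail);
	printf("comp_detail: %d\n",q->comp_detail);

	printf("credentials: %d\n", q->credential_count);
	if (q->credential_count > 0) {
		int c;

		for (c = 0; c < q->credential_count; c++) {
			switch (q->credentials[c].ii_format) {
			case CERT_DNS_SIGNED_KEY:
				printf("\tDNSSEC identity: %s (SIG %s)\n",
				       q->credentials[c].ii_credential.ipsec_dns_signed.fqdn,
				       q->credentials[c].ii_credential.ipsec_dns_signed.dns_sig);
				break;

			/* NOTE(review): the next two case labels were restored from the
			 * ipsec_cert_type enum in ipsec_policy.h because the copy this
			 * was recovered from had dropped them — confirm against the
			 * original source. */
			case CERT_RAW_RSA:
				printf("\tlocal identity: %s\n",
				       q->credentials[c].ii_credential.ipsec_raw_key.id_name);
				break;

			case CERT_NONE:
				printf("\tDNS identity: %s\n",
				       q->credentials[c].ii_credential.ipsec_dns_signed.fqdn);
				break;

			default:
				/* trailing newline added: every other line of the dump ends
				 * one, and without it the next output ran onto this line */
				printf("\tUnknown identity type %d\n", q->credentials[c].ii_format);
				break;
			}
		}
	}
}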
/*
 * Entry point.  Parses the command line (see the usage text above), calls
 * ipsec_policy_init(), then looks the policy up either for the socket on
 * stdin (ipsec_policy_lookup(0, &q)) or from CGI variables
 * (ipsec_policy_cgilookup(&q)), selected by lookup_style.  With --textual
 * the reply is dumped via dump_policyreply(); otherwise one of the four
 * configurable strings is presumably emitted according to q.strength and
 * the format of the first credential.  Parts of the option switch and of
 * the output branches are not visible in this copy of the file.
 */
110 int main(int argc
, char *argv
[])
112 struct ipsec_policy_cmd_query q
;
116 /* set the defaults */
117 char lookup_style
= 'i';
118 char output_style
= 's';
/* These four strings are taken verbatim from optarg and written to stdout.
 * NOTE(review): the printf calls that emit them are not visible here — make
 * sure they are passed as a "%s" argument, never as the format string. */
120 char *plaintext
= "clear";
121 char *vpntext
= "vpn";
122 char *privacytext
= "private";
123 char *dnssectext
= "secure";
/* NOTE(review): the short option string "hVighc:v:p:s:" lists 'h' twice and
 * has no 't', so --textual works only in its long form; a bare -t would be
 * rejected by getopt.  getopt_long() ends with -1, which equals EOF on the
 * usual libcs, but -1 is the documented sentinel. */
125 while((c
= getopt_long(argc
, argv
, "hVighc:v:p:s:", long_opts
, 0))!=EOF
) {
128 case 'h': /* --help */
130 return 0; /* GNU coding standards say to stop here */
132 case 'V': /* --version */
133 fprintf(stderr
, "FreeS/WAN %s\n", ipsec_version_code());
134 return 0; /* GNU coding standards say to stop here */
138 printf("please run this connected to a socket\n");
162 privacytext
= optarg
;
/* ret is presumably an error-string type, NULL meaning success — its
 * declaration is not visible in this copy. */
171 if((ret
= ipsec_policy_init()) != NULL
) {
176 switch(lookup_style
) {
/* fd 0 is the connection handed to us by inetd (see the file header) */
178 if((ret
= ipsec_policy_lookup(0, &q
)) != NULL
) {
185 if((ret
= ipsec_policy_cgilookup(&q
)) != NULL
) {
/* 't' selects the human-friendly dump; any other value the one-word summary */
197 if(output_style
== 't') {
198 dump_policyreply(&q
);
200 /* start by seeing if there was any crypto */
201 if(q
.strength
< IPSEC_PRIVACY_PRIVATE
) {
202 /* no, so say clear */
207 /* we know it is crypto, but is it authenticated? */
208 if(q
.credential_count
== 0) {
/* Only the first credential is consulted to pick the summary string.
 * NOTE(review): any further credentials are ignored here — confirm that is
 * intended. */
213 switch(q
.credentials
[0].ii_format
) {
214 case CERT_DNS_SIGNED_KEY
:
232 * $Log: showpolicy.c,v $
233 * Revision 1.1 2004/03/15 20:35:31 as
234 * added files from freeswan-2.04-x509-1.5.3
236 * Revision 1.4 2003/05/14 15:46:44 mcr
237 * switch statement was missing break statements and was running on.
239 * Revision 1.3 2003/05/14 02:12:27 mcr
240 * addition of CGI-focused interface to policy lookup interface
242 * Revision 1.2 2003/05/13 03:25:34 mcr
243 * print credentials, if any were provided.
245 * Revision 1.1 2003/05/11 00:45:08 mcr
246 * program to interrogate ipsec policy of stdin.
247 * run this from inetd.