1 /*
2 * A program to dump the IPsec status of the socket found on stdin.
3 * Run me from inetd, for instance.
4 * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
/* RCS identification string embedded in the binary (visible via strings/ident). */
char showpolicy_version[] = "RCSID $Id: showpolicy.c,v 1.1 2004/03/15 20:35:31 as Exp $";
18
19 #include <stdio.h>
20 #include <unistd.h>
21 #include <stdlib.h>
22 #include <sys/socket.h>
23 #include <getopt.h>
24 #include "freeswan.h"
25 #include "freeswan/ipsec_policy.h"
26
/*
 * Not assigned anywhere in this file (main() never stores argv[0] here);
 * NOTE(review): presumably referenced by library code for diagnostics — verify.
 */
char *program_name;
28
/*
 * Write the usage summary to stderr.
 *
 * Lists every long option with the meaning of its argument, then the
 * FreeS/WAN version string returned by ipsec_version_code().  stderr is
 * used deliberately so that the text never mixes with the policy verdict
 * that the program writes to stdout.
 */
static void
help(void)
{
	/* fixed part first; only the version line needs formatting */
	fputs("Usage:\n\n"
	      "showpolicy"
	      " [--cgi] lookup the particulars from CGI variables.\n"
	      " [--socket] lookup the particulars from the socket on stdin.\n"
	      " [--textual] dump output in human friendly form\n"
	      " [--plaintext X] string to dump if no security\n"
	      " [--vpntext X] string to dump if VPN configured tunnel\n"
	      " [--privacytext X] string to dump if just plain DNS OE\n"
	      " [--dnssectext X] string to dump if just DNSSEC OE\n"
	      "\n\n", stderr);
	fprintf(stderr, "FreeS/WAN %s\n", ipsec_version_code());
}
46
/*
 * Long-option table handed to getopt_long().
 *
 * The last column is the character getopt_long() returns for the option,
 * and it is intended to double as the short-option letter; for that to
 * work the same letter must also appear in the short-option string that
 * main() passes.  The four *text options take a string and are therefore
 * required_argument; every other entry is a flag.  A NULL name ends the
 * table.
 */
static const struct option long_opts[] = {
	/* name           has_arg            flag  val */
	{ "help",         no_argument,       NULL, 'h' },
	{ "version",      no_argument,       NULL, 'V' },
	{ "socket",       no_argument,       NULL, 'i' },
	{ "cgi",          no_argument,       NULL, 'g' },
	{ "textual",      no_argument,       NULL, 't' },
	{ "plaintext",    required_argument, NULL, 'c' },
	{ "vpntext",      required_argument, NULL, 'v' },
	{ "privacytext",  required_argument, NULL, 'p' },
	{ "dnssectext",   required_argument, NULL, 's' },
	{ NULL,           0,                 NULL, 0   }
};
60
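/*
 * Print a policy reply in human-readable form (the --textual output).
 *
 * q is the query structure as filled in by ipsec_policy_lookup() or
 * ipsec_policy_cgilookup().  Everything goes to stdout, which is the peer's
 * socket when the program runs from inetd, so nothing but fields of the
 * reply is printed.
 *
 * The credential loop trusts q->credential_count as the bound of
 * q->credentials; the capacity of that array is declared in
 * freeswan/ipsec_policy.h and is not re-checked here.
 * NOTE(review): confirm the lookup routines can never hand back a count
 * larger than that capacity.
 */
void dump_policyreply(struct ipsec_policy_cmd_query *q)
{
	char src[ADDRTOT_BUF], dst[ADDRTOT_BUF];
	int c;

	/* endpoints of the flow the policy was looked up for */
	addrtot(&q->query_local, 0, src, sizeof(src));
	addrtot(&q->query_remote, 0, dst, sizeof(dst));

	printf("Results of query on %s -> %s with seq %d\n",
	       src, dst, q->head.ipm_msg_seq);
	printf("Received reply of %d bytes.\n", q->head.ipm_msg_len);

	printf("Strength: %d\n", q->strength);
	printf("Bandwidth: %d\n", q->bandwidth);
	printf("authdetail: %d\n", q->auth_detail);
	printf("esp_detail: %d\n", q->esp_detail);
	printf("comp_detail: %d\n", q->comp_detail);

	printf("credentials: %d\n", q->credential_count);

	/* a zero or negative count simply skips the loop */
	for (c = 0; c < q->credential_count; c++) {
		/* ii_format selects which ii_credential member is meaningful */
		switch (q->credentials[c].ii_format) {
		case CERT_DNS_SIGNED_KEY:
			printf("\tDNSSEC identity: %s (SIG %s)\n",
			       q->credentials[c].ii_credential.ipsec_dns_signed.fqdn,
			       q->credentials[c].ii_credential.ipsec_dns_signed.dns_sig);
			break;

		case CERT_RAW_RSA:
			printf("\tlocal identity: %s\n",
			       q->credentials[c].ii_credential.ipsec_raw_key.id_name);
			/*
			 * This case used to fall through into CERT_NONE and also print
			 * ipsec_dns_signed.fqdn for a raw-RSA credential — a member
			 * other than the one ii_format selects (an inactive union
			 * member, if ii_credential is the union its per-format member
			 * names suggest).  Stop here instead.
			 */
			break;

		case CERT_NONE:
			printf("\tDNS identity: %s\n",
			       q->credentials[c].ii_credential.ipsec_dns_signed.fqdn);
			break;

		default:
			/* terminated with a newline; the original left this line open */
			printf("\tUnknown identity type %d\n", q->credentials[c].ii_format);
			break;
		}
	}
}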
108
109
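/*
 * Entry point.  Parse the command line, look up the IPsec policy that
 * applies either to the socket on stdin (--socket, the default) or to the
 * connection described by CGI environment variables (--cgi), and report
 * it on stdout.
 *
 * Output takes one of two forms:
 *   --textual   the full reply, via dump_policyreply();
 *   otherwise   a single word classifying the connection, taken from the
 *               --plaintext/--vpntext/--privacytext/--dnssectext strings
 *               (defaults "clear", "vpn", "private", "secure").
 *
 * Exit status: 0 on success and after --help/--version (also for an
 * unknown option, which prints the usage); 1 if --socket is given while
 * fd 0 is a terminal; 2 if ipsec_policy_init() fails; 3 if the lookup
 * fails.
 *
 * When run from inetd, stdout is the remote peer, so every byte printed
 * here is visible to the other side of the connection.
 */
int main(int argc, char *argv[])
{
	/*
	 * Zeroed up front: --textual prints every field of the reply and the
	 * fill-in contract of the lookup routines is not visible from here,
	 * so a field they leave untouched must print as 0 rather than as
	 * whatever happened to be on the stack.
	 */
	struct ipsec_policy_cmd_query q = { 0 };
	err_t ret;
	int c;

	/* defaults: query the socket on stdin, print the one-word verdict */
	char lookup_style = 'i';
	char output_style = 's';

	/* verdict strings, overridable from the command line */
	char *plaintext = "clear";
	char *vpntext = "vpn";
	char *privacytext = "private";
	char *dnssectext = "secure";

	/*
	 * The short-option string must list every val of long_opts.  It used
	 * to read "hVighc:v:p:s:", naming 'h' twice and omitting 't', so -t
	 * was treated as an unknown option (and printed the usage) although
	 * --textual worked; 't' is now included.
	 */
	while ((c = getopt_long(argc, argv, "hVigtc:v:p:s:", long_opts, 0)) != EOF) {
		switch (c) {
		default:	/* unknown option: show usage, exit 0 like --help */
		case 'h':	/* --help */
			help();
			return 0;	/* GNU coding standards say to stop here */

		case 'V':	/* --version */
			fprintf(stderr, "FreeS/WAN %s\n", ipsec_version_code());
			return 0;	/* GNU coding standards say to stop here */

		case 'i':	/* --socket */
			/*
			 * Only a terminal is rejected here; whether fd 0 is really a
			 * socket is left to ipsec_policy_lookup() to find out.
			 */
			if (isatty(0)) {
				printf("please run this connected to a socket\n");
				exit(1);
			}
			lookup_style = 'i';
			break;

		case 'g':	/* --cgi */
			lookup_style = 'g';
			break;

		case 't':	/* --textual */
			output_style = 't';
			break;

		case 'c':	/* --plaintext */
			plaintext = optarg;
			break;

		case 'v':	/* --vpntext */
			vpntext = optarg;
			break;

		case 'p':	/* --privacytext */
			privacytext = optarg;
			break;

		case 's':	/* --dnssectext */
			dnssectext = optarg;
			break;
		}
	}

	/* err_t is a message string, NULL meaning success */
	if ((ret = ipsec_policy_init()) != NULL) {
		perror(ret);	/* NB: appends strerror(errno), which may be unrelated */
		exit(2);
	}

	switch (lookup_style) {
	case 'i':	/* policy of the socket on fd 0 */
		if ((ret = ipsec_policy_lookup(0, &q)) != NULL) {
			perror(ret);
			exit(3);
		}
		break;

	case 'g':	/* policy of the connection named by CGI variables */
		if ((ret = ipsec_policy_cgilookup(&q)) != NULL) {
			perror(ret);
			exit(3);
		}
		break;

	default:
		abort();	/* lookup_style only ever holds 'i' or 'g' */
		break;
	}

	if (output_style == 't') {
		dump_policyreply(&q);
	} else {
		/* one-word verdict: first, was there any crypto at all? */
		if (q.strength < IPSEC_PRIVACY_PRIVATE) {
			puts(plaintext);
			exit(0);
		}

		/* crypto, but no credential presented -> vpntext */
		if (q.credential_count == 0) {
			puts(vpntext);
			exit(0);
		}

		/* otherwise classify by the first credential only */
		switch (q.credentials[0].ii_format) {
		case CERT_DNS_SIGNED_KEY:
			puts(dnssectext);
			exit(0);

		case CERT_RAW_RSA:
			puts(vpntext);
			exit(0);

		default:
			puts(privacytext);
			exit(0);
		}
	}

	exit(0);
}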
230
231 /*
232 * $Log: showpolicy.c,v $
233 * Revision 1.1 2004/03/15 20:35:31 as
234 * added files from freeswan-2.04-x509-1.5.3
235 *
236 * Revision 1.4 2003/05/14 15:46:44 mcr
237 * switch statement was missing break statements and was running on.
238 *
239 * Revision 1.3 2003/05/14 02:12:27 mcr
240 * addition of CGI-focused interface to policy lookup interface
241 *
242 * Revision 1.2 2003/05/13 03:25:34 mcr
243 * print credentials, if any were provided.
244 *
245 * Revision 1.1 2003/05/11 00:45:08 mcr
246 * program to interogate ipsec policy of stdin.
247 * run this from inetd.
248 *
249 *
250 *
251 */