projects / strongswan.git / blob
? search:


5b2dc471beba49059908cb83458f799ac5c0c7de
[strongswan.git] / src / whack / whack.c
1 /* command interface to Pluto
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <stddef.h>
19 #include <string.h>
20 #include <ctype.h>
21 #include <unistd.h>
22 #include <errno.h>
23 #include <sys/types.h>
24 #include <sys/socket.h>
25 #include <sys/un.h>
26 #include <netinet/in.h>
27 #include <arpa/inet.h>
28 #include <getopt.h>
29 #include <assert.h>
30
31 #include <freeswan.h>
32
33 #include <utils/optionsfrom.h>
34
35 #include "constants.h"
36 #include "defs.h"
37 #include "whack.h"
38
39 static void help(void)
40 {
41 fprintf(stderr
42 , "Usage:\n\n"
43 "all forms:"
44 " [--optionsfrom <filename>]"
45 " [--ctlbase <path>]"
46 " [--label <string>]"
47 "\n\n"
48 "help: whack"
49 " [--help]"
50 " [--version]"
51 "\n\n"
52 "connection: whack"
53 " --name <connection_name>"
54 " \\\n "
55 " [--ipv4 | --ipv6]"
56 " [--tunnelipv4 | --tunnelipv6]"
57 " \\\n "
58 " (--host <ip-address> | --id <identity>)"
59 " \\\n "
60 " [--cert <path>]"
61 " [--ca <distinguished name>]"
62 " [--sendcert <policy>]"
63 " \\\n "
64 " [--groups <access control groups>]"
65 " \\\n "
66 " [--ikeport <port-number>]"
67 " [--nexthop <ip-address>]"
68 " [--srcip <ip-address>]"
69 " \\\n "
70 " [--client <subnet> | --clientwithin <address range>]"
71 " [--clientprotoport <protocol>/<port>]"
72 " \\\n "
73 " [--dnskeyondemand]"
74 " [--updown <updown>]"
75 " \\\n "
76 " --to"
77 " (--host <ip-address> | --id <identity>)"
78 " \\\n "
79 " [--cert <path>]"
80 " [--ca <distinguished name>]"
81 " [--sendcert <policy>]"
82 " \\\n "
83 " [--ikeport <port-number>]"
84 " [--nexthop <ip-address>]"
85 " [--srcip <ip-address>]"
86 " \\\n "
87 " [--client <subnet> | --clientwithin <address range>]"
88 " [--clientprotoport <protocol>/<port>]"
89 " \\\n "
90 " [--dnskeyondemand]"
91 " [--updown <updown>]"
92 " [--psk]"
93 " [--rsasig]"
94 " \\\n "
95 " [--encrypt]"
96 " [--authenticate]"
97 " [--compress]"
98 " [--tunnel]"
99 " [--pfs]"
100 " \\\n "
101 " [--ikelifetime <seconds>]"
102 " [--ipseclifetime <seconds>]"
103 " \\\n "
104 " [--reykeymargin <seconds>]"
105 " [--reykeyfuzz <percentage>]"
106 " \\\n "
107 " [--keyingtries <count>]"
108 " \\\n "
109 " [--esp <esp-algos>]"
110 " \\\n "
111 " [--dontrekey]"
112
113 " [--dpdaction (none|clear|hold|restart)]"
114 " \\\n "
115 " [--dpddelay <seconds> --dpdtimeout <seconds>]"
116 " \\\n "
117 " [--initiateontraffic|--pass|--drop|--reject]"
118 " \\\n "
119 " [--failnone|--failpass|--faildrop|--failreject]"
120 "\n\n"
121 "routing: whack"
122 " (--route | --unroute)"
123 " --name <connection_name>"
124 "\n\n"
125 "initiation:"
126 "\n "
127 " whack"
128 " (--initiate | --terminate)"
129 " --name <connection_name>"
130 " [--asynchronous]"
131 "\n\n"
132 "opportunistic initiation: whack"
133 " [--tunnelipv4 | --tunnelipv6]"
134 " \\\n "
135 " --oppohere <ip-address>"
136 " --oppothere <ip-address>"
137 "\n\n"
138 "delete: whack"
139 " --delete"
140 " (--name <connection_name> | --caname <ca name>)"
141 "\n\n"
142 "deletestate: whack"
143 " --deletestate <state_object_number>"
144 " --crash <ip-address>"
145 "\n\n"
146 "pubkey: whack"
147 " --keyid <id>"
148 " [--addkey]"
149 " [--pubkeyrsa <key>]"
150 "\n\n"
151 "myid: whack"
152 " --myid <id>"
153 "\n\n"
154 "ca: whack"
155 " --caname <name>"
156 " --cacert <path>"
157 " \\\n "
158 " [--ldaphost <hostname>]"
159 " [--ldapbase <base>]"
160 " \\\n "
161 " [--crluri <uri>]"
162 " [--crluri2 <uri>]"
163 " [--ocspuri <uri>]"
164 " [--strictcrlpolicy]"
165 "\n\n"
166 #ifdef DEBUG
167 "debug: whack [--name <connection_name>]"
168 " \\\n "
169 " [--debug-none]"
170 " [--debug-all]"
171 " \\\n "
172 " [--debug-raw]"
173 " [--debug-crypt]"
174 " [--debug-parsing]"
175 " [--debug-emitting]"
176 " \\\n "
177 " [--debug-control]"
178 " [--debug-lifecycle]"
179 " [--debug-kernel]"
180 " [--debug-dns]"
181 " \\\n "
182 " [--debug-natt]"
183 " [--debug-oppo]"
184 " [--debug-controlmore]"
185 " [--debug-private]"
186 "\n\n"
187 #endif
188 "leases: whack --leases"
189 " [--name <connection_name>]"
190 " [--lease-addr <ip-address> | --lease-id <identity>]"
191 "\n\n"
192 "listen: whack"
193 " (--listen | --unlisten)"
194 "\n\n"
195 "list: whack [--utc]"
196 " [--listalgs]"
197 " [--listpubkeys]"
198 " [--listcerts]"
199 " [--listcacerts]"
200 " \\\n "
201 " [--listacerts]"
202 " [--listaacerts]"
203 " [--listocspcerts]"
204 " [--listgroups]"
205 " \\\n "
206 " [--listcainfos]"
207 " [--listcrls]"
208 " [--listocsp]"
209 " [--listcards]"
210 " [--listall]"
211 "\n\n"
212 "purge: whack"
213 " [--purgeocsp]"
214 "\n\n"
215 "reread: whack"
216 " [--rereadsecrets]"
217 " [--rereadcacerts]"
218 " [--rereadaacerts]"
219 " \\\n "
220 " [--rereadocspcerts]"
221 " [--rereadacerts]"
222 " [--rereadcrls]"
223 " [--rereadall]"
224 "\n\n"
225 "status: whack"
226 " [--name <connection_name>] --status|--statusall"
227 "\n\n"
228 "scdecrypt: whack"
229 " --scencrypt|scdecrypt <value>"
230 " [--inbase <base>]"
231 " [--outbase <base>]"
232 " [--keyid <id>]"
233 "\n\n"
234 "shutdown: whack"
235 " --shutdown"
236 "\n\n"
237 "strongSwan "VERSION"\n");
238 }
239
240 static const char *label = NULL; /* --label operand, saved for diagnostics */
241
242 static const char *name = NULL; /* --name operand, saved for diagnostics */
243
244 /* options read by optionsfrom */
245 options_t *options;
246
247 /**
248 * exit whack after cleaning up
249 */
250 static void whack_exit(int status)
251 {
252 options->destroy(options);
253 exit(status);
254 }
255
256 /**
257 * print a string as a diagnostic, then exit whack unhappily
258 */
259 static void diag(const char *mess)
260 {
261 if (mess != NULL)
262 {
263 fprintf(stderr, "whack error: ");
264 if (label != NULL)
265 {
266 fprintf(stderr, "%s ", label);
267 }
268 if (name != NULL)
269 {
270 fprintf(stderr, "\"%s\" ", name);
271 }
272 fprintf(stderr, "%s\n", mess);
273 }
274 whack_exit(RC_WHACK_PROBLEM);
275 }
276
277 /* conditially calls diag; prints second arg, if non-NULL, as quoted string */
278 static void diagq(err_t ugh, const char *this)
279 {
280 if (ugh != NULL)
281 {
282 if (this == NULL)
283 {
284 diag(ugh);
285 }
286 else
287 {
288 char buf[120]; /* arbitrary limit */
289
290 snprintf(buf, sizeof(buf), "%s \"%s\"", ugh, this);
291 diag(buf);
292 }
293 }
294 }
295
296 /* complex combined operands return one of these enumerated values
297 * Note: these become flags in an lset_t. Since there are more than
298 * 32, we partition them into:
299 * - OPT_* options (most random options)
300 * - LST_* options (list various internal data)
301 * - DBGOPT_* option (DEBUG options)
302 * - END_* options (End description options)
303 * - CD_* options (Connection Description options)
304 * - CA_* options (CA description options)
305 */
306 enum {
307 # define OPT_FIRST OPT_CTLBASE
308 OPT_CTLBASE,
309 OPT_NAME,
310
311 OPT_CD,
312
313 OPT_KEYID,
314 OPT_ADDKEY,
315 OPT_PUBKEYRSA,
316
317 OPT_MYID,
318
319 OPT_ROUTE,
320 OPT_UNROUTE,
321
322 OPT_INITIATE,
323 OPT_TERMINATE,
324 OPT_DELETE,
325 OPT_DELETESTATE,
326 OPT_LISTEN,
327 OPT_UNLISTEN,
328
329 OPT_LEASES,
330 OPT_LEASEADDR,
331 OPT_LEASEID,
332
333 OPT_PURGEOCSP,
334
335 OPT_REREADSECRETS,
336 OPT_REREADCACERTS,
337 OPT_REREADAACERTS,
338 OPT_REREADOCSPCERTS,
339 OPT_REREADACERTS,
340 OPT_REREADCRLS,
341 OPT_REREADALL,
342
343 OPT_STATUS,
344 OPT_STATUSALL,
345 OPT_SHUTDOWN,
346
347 OPT_OPPO_HERE,
348 OPT_OPPO_THERE,
349
350 OPT_ASYNC,
351 OPT_DELETECRASH,
352
353 # define OPT_LAST OPT_ASYNC /* last "normal" option */
354
355 /* Smartcard options */
356
357 # define SC_FIRST SC_ENCRYPT /* first smartcard option */
358
359 SC_ENCRYPT,
360 SC_DECRYPT,
361 SC_INBASE,
362 SC_OUTBASE,
363
364 # define SC_LAST SC_OUTBASE /* last "smartcard" option */
365
366 /* List options */
367
368 # define LST_FIRST LST_UTC /* first list option */
369 LST_UTC,
370 LST_ALGS,
371 LST_PUBKEYS,
372 LST_CERTS,
373 LST_CACERTS,
374 LST_ACERTS,
375 LST_AACERTS,
376 LST_OCSPCERTS,
377 LST_GROUPS,
378 LST_CAINFOS,
379 LST_CRLS,
380 LST_OCSP,
381 LST_CARDS,
382 LST_ALL,
383
384 # define LST_LAST LST_ALL /* last list option */
385
386 /* Connection End Description options */
387
388 # define END_FIRST END_HOST /* first end description */
389 END_HOST,
390 END_ID,
391 END_CERT,
392 END_CA,
393 END_SENDCERT,
394 END_GROUPS,
395 END_IKEPORT,
396 END_NEXTHOP,
397 END_CLIENT,
398 END_CLIENTWITHIN,
399 END_CLIENTPROTOPORT,
400 END_DNSKEYONDEMAND,
401 END_SRCIP,
402 END_HOSTACCESS,
403 END_UPDOWN,
404
405 #define END_LAST END_UPDOWN /* last end description*/
406
407 /* Connection Description options -- segregated */
408
409 # define CD_FIRST CD_TO /* first connection description */
410 CD_TO,
411
412 # define CD_POLICY_FIRST CD_PSK
413 CD_PSK, /* same order as POLICY_* */
414 CD_RSASIG, /* same order as POLICY_* */
415 CD_ENCRYPT, /* same order as POLICY_* */
416 CD_AUTHENTICATE, /* same order as POLICY_* */
417 CD_COMPRESS, /* same order as POLICY_* */
418 CD_TUNNEL, /* same order as POLICY_* */
419 CD_PFS, /* same order as POLICY_* */
420 CD_DISABLEARRIVALCHECK, /* same order as POLICY_* */
421 CD_SHUNT0, /* same order as POLICY_* */
422 CD_SHUNT1, /* same order as POLICY_* */
423 CD_FAIL0, /* same order as POLICY_* */
424 CD_FAIL1, /* same order as POLICY_* */
425 CD_DONT_REKEY, /* same order as POLICY_* */
426
427 CD_TUNNELIPV4,
428 CD_TUNNELIPV6,
429 CD_CONNIPV4,
430 CD_CONNIPV6,
431
432 CD_IKELIFETIME,
433 CD_IPSECLIFETIME,
434 CD_RKMARGIN,
435 CD_RKFUZZ,
436 CD_KTRIES,
437 CD_DPDACTION,
438 CD_DPDDELAY,
439 CD_DPDTIMEOUT,
440 CD_IKE,
441 CD_PFSGROUP,
442 CD_ESP,
443
444 # define CD_LAST CD_ESP /* last connection description */
445
446 /* Certificate Authority (CA) description options */
447
448 # define CA_FIRST CA_NAME /* first ca description */
449
450 CA_NAME,
451 CA_CERT,
452 CA_LDAPHOST,
453 CA_LDAPBASE,
454 CA_CRLURI,
455 CA_CRLURI2,
456 CA_OCSPURI,
457 CA_STRICT
458
459 # define CA_LAST CA_STRICT /* last ca description */
460
461 #ifdef DEBUG /* must be last so others are less than 32 to fit in lset_t */
462 # define DBGOPT_FIRST DBGOPT_NONE
463 ,
464 /* NOTE: these definitions must match DBG_* and IMPAIR_* in constants.h */
465 DBGOPT_NONE,
466 DBGOPT_ALL,
467
468 DBGOPT_RAW, /* same order as DBG_* */
469 DBGOPT_CRYPT, /* same order as DBG_* */
470 DBGOPT_PARSING, /* same order as DBG_* */
471 DBGOPT_EMITTING, /* same order as DBG_* */
472 DBGOPT_CONTROL, /* same order as DBG_* */
473 DBGOPT_LIFECYCLE, /* same order as DBG_* */
474 DBGOPT_KERNEL, /* same order as DBG_* */
475 DBGOPT_DNS, /* same order as DBG_* */
476 DBGOPT_NATT, /* same order as DBG_* */
477 DBGOPT_OPPO, /* same order as DBG_* */
478 DBGOPT_CONTROLMORE, /* same order as DBG_* */
479
480 DBGOPT_PRIVATE, /* same order as DBG_* */
481
482 DBGOPT_IMPAIR_DELAY_ADNS_KEY_ANSWER, /* same order as IMPAIR_* */
483 DBGOPT_IMPAIR_DELAY_ADNS_TXT_ANSWER, /* same order as IMPAIR_* */
484 DBGOPT_IMPAIR_BUST_MI2, /* same order as IMPAIR_* */
485 DBGOPT_IMPAIR_BUST_MR2 /* same order as IMPAIR_* */
486
487 # define DBGOPT_LAST DBGOPT_IMPAIR_BUST_MR2
488 #endif
489
490 };
491
492 /* Carve up space for result from getop_long.
493 * Stupidly, the only result is an int.
494 * Numeric arg is bit immediately left of basic value.
495 *
496 */
497 #define OPTION_OFFSET 256 /* to get out of the way of letter options */
498 #define NUMERIC_ARG (1 << 9) /* expect a numeric argument */
499 #define AUX_SHIFT 10 /* amount to shift for aux information */
500
501 static const struct option long_opts[] = {
502 # define OO OPTION_OFFSET
503 /* name, has_arg, flag, val */
504
505 { "help", no_argument, NULL, 'h' },
506 { "version", no_argument, NULL, 'v' },
507 { "optionsfrom", required_argument, NULL, '+' },
508 { "label", required_argument, NULL, 'l' },
509
510 { "ctlbase", required_argument, NULL, OPT_CTLBASE + OO },
511 { "name", required_argument, NULL, OPT_NAME + OO },
512
513 { "keyid", required_argument, NULL, OPT_KEYID + OO },
514 { "addkey", no_argument, NULL, OPT_ADDKEY + OO },
515 { "pubkeyrsa", required_argument, NULL, OPT_PUBKEYRSA + OO },
516
517 { "myid", required_argument, NULL, OPT_MYID + OO },
518
519 { "route", no_argument, NULL, OPT_ROUTE + OO },
520 { "unroute", no_argument, NULL, OPT_UNROUTE + OO },
521
522 { "initiate", no_argument, NULL, OPT_INITIATE + OO },
523 { "terminate", no_argument, NULL, OPT_TERMINATE + OO },
524 { "delete", no_argument, NULL, OPT_DELETE + OO },
525 { "deletestate", required_argument, NULL, OPT_DELETESTATE + OO + NUMERIC_ARG },
526 { "crash", required_argument, NULL, OPT_DELETECRASH + OO },
527 { "listen", no_argument, NULL, OPT_LISTEN + OO },
528 { "unlisten", no_argument, NULL, OPT_UNLISTEN + OO },
529
530 { "leases", no_argument, NULL, OPT_LEASES + OO },
531 { "lease-addr", required_argument, NULL, OPT_LEASEADDR + OO },
532 { "lease-id", required_argument, NULL, OPT_LEASEID + OO },
533
534 { "purgeocsp", no_argument, NULL, OPT_PURGEOCSP + OO },
535
536 { "rereadsecrets", no_argument, NULL, OPT_REREADSECRETS + OO },
537 { "rereadcacerts", no_argument, NULL, OPT_REREADCACERTS + OO },
538 { "rereadaacerts", no_argument, NULL, OPT_REREADAACERTS + OO },
539 { "rereadocspcerts", no_argument, NULL, OPT_REREADOCSPCERTS + OO },
540 { "rereadacerts", no_argument, NULL, OPT_REREADACERTS + OO },
541 { "rereadcrls", no_argument, NULL, OPT_REREADCRLS + OO },
542 { "rereadall", no_argument, NULL, OPT_REREADALL + OO },
543 { "status", no_argument, NULL, OPT_STATUS + OO },
544 { "statusall", no_argument, NULL, OPT_STATUSALL + OO },
545 { "shutdown", no_argument, NULL, OPT_SHUTDOWN + OO },
546
547 { "oppohere", required_argument, NULL, OPT_OPPO_HERE + OO },
548 { "oppothere", required_argument, NULL, OPT_OPPO_THERE + OO },
549
550 { "asynchronous", no_argument, NULL, OPT_ASYNC + OO },
551
552 /* smartcard options */
553
554 { "scencrypt", required_argument, NULL, SC_ENCRYPT + OO },
555 { "scdecrypt", required_argument, NULL, SC_DECRYPT + OO },
556 { "inbase", required_argument, NULL, SC_INBASE + OO },
557 { "outbase", required_argument, NULL, SC_OUTBASE + OO },
558
559 /* list options */
560
561 { "utc", no_argument, NULL, LST_UTC + OO },
562 { "listalgs", no_argument, NULL, LST_ALGS + OO },
563 { "listpubkeys", no_argument, NULL, LST_PUBKEYS + OO },
564 { "listcerts", no_argument, NULL, LST_CERTS + OO },
565 { "listcacerts", no_argument, NULL, LST_CACERTS + OO },
566 { "listacerts", no_argument, NULL, LST_ACERTS + OO },
567 { "listaacerts", no_argument, NULL, LST_AACERTS + OO },
568 { "listocspcerts", no_argument, NULL, LST_OCSPCERTS + OO },
569 { "listgroups", no_argument, NULL, LST_GROUPS + OO },
570 { "listcainfos", no_argument, NULL, LST_CAINFOS + OO },
571 { "listcrls", no_argument, NULL, LST_CRLS + OO },
572 { "listocsp", no_argument, NULL, LST_OCSP + OO },
573 { "listcards", no_argument, NULL, LST_CARDS + OO },
574 { "listall", no_argument, NULL, LST_ALL + OO },
575
576 /* options for an end description */
577
578 { "host", required_argument, NULL, END_HOST + OO },
579 { "id", required_argument, NULL, END_ID + OO },
580 { "cert", required_argument, NULL, END_CERT + OO },
581 { "ca", required_argument, NULL, END_CA + OO },
582 { "sendcert", required_argument, NULL, END_SENDCERT + OO },
583 { "groups", required_argument, NULL, END_GROUPS + OO },
584 { "ikeport", required_argument, NULL, END_IKEPORT + OO + NUMERIC_ARG },
585 { "nexthop", required_argument, NULL, END_NEXTHOP + OO },
586 { "client", required_argument, NULL, END_CLIENT + OO },
587 { "clientwithin", required_argument, NULL, END_CLIENTWITHIN + OO },
588 { "clientprotoport", required_argument, NULL, END_CLIENTPROTOPORT + OO },
589 { "dnskeyondemand", no_argument, NULL, END_DNSKEYONDEMAND + OO },
590 { "srcip", required_argument, NULL, END_SRCIP + OO },
591 { "hostaccess", no_argument, NULL, END_HOSTACCESS + OO },
592 { "updown", required_argument, NULL, END_UPDOWN + OO },
593
594 /* options for a connection description */
595
596 { "to", no_argument, NULL, CD_TO + OO },
597
598 { "psk", no_argument, NULL, CD_PSK + OO },
599 { "rsasig", no_argument, NULL, CD_RSASIG + OO },
600
601 { "encrypt", no_argument, NULL, CD_ENCRYPT + OO },
602 { "authenticate", no_argument, NULL, CD_AUTHENTICATE + OO },
603 { "compress", no_argument, NULL, CD_COMPRESS + OO },
604 { "tunnel", no_argument, NULL, CD_TUNNEL + OO },
605 { "tunnelipv4", no_argument, NULL, CD_TUNNELIPV4 + OO },
606 { "tunnelipv6", no_argument, NULL, CD_TUNNELIPV6 + OO },
607 { "pfs", no_argument, NULL, CD_PFS + OO },
608 { "disablearrivalcheck", no_argument, NULL, CD_DISABLEARRIVALCHECK + OO },
609 { "initiateontraffic", no_argument, NULL
610 , CD_SHUNT0 + (POLICY_SHUNT_TRAP >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
611 { "pass", no_argument, NULL
612 , CD_SHUNT0 + (POLICY_SHUNT_PASS >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
613 { "drop", no_argument, NULL
614 , CD_SHUNT0 + (POLICY_SHUNT_DROP >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
615 { "reject", no_argument, NULL
616 , CD_SHUNT0 + (POLICY_SHUNT_REJECT >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
617 { "failnone", no_argument, NULL
618 , CD_FAIL0 + (POLICY_FAIL_NONE >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
619 { "failpass", no_argument, NULL
620 , CD_FAIL0 + (POLICY_FAIL_PASS >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
621 { "faildrop", no_argument, NULL
622 , CD_FAIL0 + (POLICY_FAIL_DROP >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
623 { "failreject", no_argument, NULL
624 , CD_FAIL0 + (POLICY_FAIL_REJECT >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
625 { "dontrekey", no_argument, NULL, CD_DONT_REKEY + OO },
626 { "ipv4", no_argument, NULL, CD_CONNIPV4 + OO },
627 { "ipv6", no_argument, NULL, CD_CONNIPV6 + OO },
628
629 { "ikelifetime", required_argument, NULL, CD_IKELIFETIME + OO + NUMERIC_ARG },
630 { "ipseclifetime", required_argument, NULL, CD_IPSECLIFETIME + OO + NUMERIC_ARG },
631 { "rekeymargin", required_argument, NULL, CD_RKMARGIN + OO + NUMERIC_ARG },
632 { "rekeywindow", required_argument, NULL, CD_RKMARGIN + OO + NUMERIC_ARG }, /* OBSOLETE */
633 { "rekeyfuzz", required_argument, NULL, CD_RKFUZZ + OO + NUMERIC_ARG },
634 { "keyingtries", required_argument, NULL, CD_KTRIES + OO + NUMERIC_ARG },
635 { "dpdaction", required_argument, NULL, CD_DPDACTION + OO },
636 { "dpddelay", required_argument, NULL, CD_DPDDELAY + OO + NUMERIC_ARG },
637 { "dpdtimeout", required_argument, NULL, CD_DPDTIMEOUT + OO + NUMERIC_ARG },
638 { "ike", required_argument, NULL, CD_IKE + OO },
639 { "pfsgroup", required_argument, NULL, CD_PFSGROUP + OO },
640 { "esp", required_argument, NULL, CD_ESP + OO },
641
642 /* options for a ca description */
643
644 { "caname", required_argument, NULL, CA_NAME + OO },
645 { "cacert", required_argument, NULL, CA_CERT + OO },
646 { "ldaphost", required_argument, NULL, CA_LDAPHOST + OO },
647 { "ldapbase", required_argument, NULL, CA_LDAPBASE + OO },
648 { "crluri", required_argument, NULL, CA_CRLURI + OO },
649 { "crluri2", required_argument, NULL, CA_CRLURI2 + OO },
650 { "ocspuri", required_argument, NULL, CA_OCSPURI + OO },
651 { "strictcrlpolicy", no_argument, NULL, CA_STRICT + OO },
652
653 #ifdef DEBUG
654 { "debug-none", no_argument, NULL, DBGOPT_NONE + OO },
655 { "debug-all]", no_argument, NULL, DBGOPT_ALL + OO },
656 { "debug-raw", no_argument, NULL, DBGOPT_RAW + OO },
657 { "debug-crypt", no_argument, NULL, DBGOPT_CRYPT + OO },
658 { "debug-parsing", no_argument, NULL, DBGOPT_PARSING + OO },
659 { "debug-emitting", no_argument, NULL, DBGOPT_EMITTING + OO },
660 { "debug-control", no_argument, NULL, DBGOPT_CONTROL + OO },
661 { "debug-lifecycle", no_argument, NULL, DBGOPT_LIFECYCLE + OO },
662 { "debug-klips", no_argument, NULL, DBGOPT_KERNEL + OO },
663 { "debug-kernel", no_argument, NULL, DBGOPT_KERNEL + OO },
664 { "debug-dns", no_argument, NULL, DBGOPT_DNS + OO },
665 { "debug-natt", no_argument, NULL, DBGOPT_NATT + OO },
666 { "debug-oppo", no_argument, NULL, DBGOPT_OPPO + OO },
667 { "debug-controlmore", no_argument, NULL, DBGOPT_CONTROLMORE + OO },
668 { "debug-private", no_argument, NULL, DBGOPT_PRIVATE + OO },
669
670 { "impair-delay-adns-key-answer", no_argument, NULL, DBGOPT_IMPAIR_DELAY_ADNS_KEY_ANSWER + OO },
671 { "impair-delay-adns-txt-answer", no_argument, NULL, DBGOPT_IMPAIR_DELAY_ADNS_TXT_ANSWER + OO },
672 { "impair-bust-mi2", no_argument, NULL, DBGOPT_IMPAIR_BUST_MI2 + OO },
673 { "impair-bust-mr2", no_argument, NULL, DBGOPT_IMPAIR_BUST_MR2 + OO },
674 #endif
675 # undef OO
676 { 0,0,0,0 }
677 };
678
679 struct sockaddr_un ctl_addr = { AF_UNIX, DEFAULT_CTLBASE CTL_SUFFIX };
680
681 /* helper variables and function to encode strings from whack message */
682
683 static char *next_str,*str_roof;
684
685 static bool pack_str(char **p)
686 {
687 const char *s = *p == NULL? "" : *p; /* note: NULL becomes ""! */
688 size_t len = strlen(s) + 1;
689
690 if (str_roof - next_str < (ptrdiff_t)len)
691 {
692 return FALSE; /* fishy: no end found */
693 }
694 else
695 {
696 strcpy(next_str, s);
697 next_str += len;
698 *p = NULL; /* don't send pointers on the wire! */
699 return TRUE;
700 }
701 }
702
703 static void check_life_time(time_t life, time_t limit, const char *which,
704 const whack_message_t *msg)
705 {
706 time_t mint = msg->sa_rekey_margin * (100 + msg->sa_rekey_fuzz) / 100;
707
708 if (life > limit)
709 {
710 char buf[200]; /* arbitrary limit */
711
712 snprintf(buf, sizeof(buf)
713 , "%s [%lu seconds] must be less than %lu seconds"
714 , which, (unsigned long)life, (unsigned long)limit);
715 diag(buf);
716 }
717 if ((msg->policy & POLICY_DONT_REKEY) == LEMPTY && life <= mint)
718 {
719 char buf[200]; /* arbitrary limit */
720
721 snprintf(buf, sizeof(buf)
722 , "%s [%lu] must be greater than"
723 " rekeymargin*(100+rekeyfuzz)/100 [%lu*(100+%lu)/100 = %lu]"
724 , which
725 , (unsigned long)life
726 , (unsigned long)msg->sa_rekey_margin
727 , (unsigned long)msg->sa_rekey_fuzz
728 , (unsigned long)mint);
729 diag(buf);
730 }
731 }
732
733 static void clear_end(whack_end_t *e)
734 {
735 zero(e);
736 e->id = NULL;
737 e->cert = NULL;
738 e->ca = NULL;
739 e->updown = NULL;
740 e->host_port = IKE_UDP_PORT;
741 }
742
743 static void update_ports(whack_message_t *m)
744 {
745 int port;
746
747 if (m->left.port != 0) {
748 port = htons(m->left.port);
749 setportof(port, &m->left.host_addr);
750 setportof(port, &m->left.client.addr);
751 }
752 if (m->right.port != 0) {
753 port = htons(m->right.port);
754 setportof(port, &m->right.host_addr);
755 setportof(port, &m->right.client.addr);
756 }
757 }
758
759 static void check_end(whack_end_t *this, whack_end_t *that,
760 bool default_nexthop, sa_family_t caf, sa_family_t taf)
761 {
762 if (caf != addrtypeof(&this->host_addr))
763 diag("address family of host inconsistent");
764
765 if (default_nexthop)
766 {
767 if (isanyaddr(&that->host_addr))
768 diag("our nexthop must be specified when other host is a %any or %opportunistic");
769 this->host_nexthop = that->host_addr;
770 }
771
772 if (caf != addrtypeof(&this->host_nexthop))
773 diag("address family of nexthop inconsistent");
774
775 if (this->has_client)
776 {
777 if (taf != subnettypeof(&this->client))
778 diag("address family of client subnet inconsistent");
779 }
780 else
781 {
782 /* fill in anyaddr-anyaddr as (missing) client subnet */
783 ip_address cn;
784
785 diagq(anyaddr(caf, &cn), NULL);
786 diagq(rangetosubnet(&cn, &cn, &this->client), NULL);
787 }
788
789 /* fill in anyaddr if source IP is not defined */
790 if (!this->has_srcip)
791 diagq(anyaddr(caf, &this->host_srcip), optarg);
792
793 /* check protocol */
794 if (this->protocol != that->protocol)
795 diag("the protocol for leftprotoport and rightprotoport must be the same");
796 }
797
798 static void get_secret(int sock)
799 {
800 const char *buf, *secret;
801 int len;
802
803 fflush(stdout);
804 usleep(20000); /* give fflush time for flushing */
805 buf = getpass("Enter: ");
806 secret = (buf == NULL)? "" : buf;
807
808 /* send the secret to pluto */
809 len = strlen(secret) + 1;
810 if (write(sock, secret, len) != len)
811 {
812 int e = errno;
813
814 fprintf(stderr, "whack: write() failed (%d %s)\n", e, strerror(e));
815 exit(RC_WHACK_PROBLEM);
816 }
817 }
818
819 /* This is a hack for initiating ISAKMP exchanges. */
820
821 int main(int argc, char **argv)
822 {
823 whack_message_t msg;
824 char esp_buf[256]; /* uses snprintf */
825 lset_t
826 opts_seen = LEMPTY,
827 sc_seen = LEMPTY,
828 lst_seen = LEMPTY,
829 cd_seen = LEMPTY,
830 ca_seen = LEMPTY,
831 end_seen = LEMPTY,
832 end_seen_before_to = LEMPTY;
833 const char
834 *af_used_by = NULL,
835 *tunnel_af_used_by = NULL;
836
837 /* check division of numbering space */
838 #ifdef DEBUG
839 assert(OPTION_OFFSET + DBGOPT_LAST < NUMERIC_ARG);
840 #else
841 assert(OPTION_OFFSET + CA_LAST < NUMERIC_ARG);
842 #endif
843 assert(OPT_LAST - OPT_FIRST < (sizeof opts_seen * BITS_PER_BYTE));
844 assert(SC_LAST - SC_FIRST < (sizeof sc_seen * BITS_PER_BYTE));
845 assert(LST_LAST - LST_FIRST < (sizeof lst_seen * BITS_PER_BYTE));
846 assert(END_LAST - END_FIRST < (sizeof end_seen * BITS_PER_BYTE));
847 assert(CD_LAST - CD_FIRST < (sizeof cd_seen * BITS_PER_BYTE));
848 assert(CA_LAST - CA_FIRST < (sizeof ca_seen * BITS_PER_BYTE));
849 #ifdef DEBUG /* must be last so others are less than (sizeof cd_seen * BITS_PER_BYTE) to fit in lset_t */
850 assert(DBGOPT_LAST - DBGOPT_FIRST < (sizeof cd_seen * BITS_PER_BYTE));
851 #endif
852 /* check that POLICY bit assignment matches with CD_ */
853 assert(LELEM(CD_DONT_REKEY - CD_POLICY_FIRST) == POLICY_DONT_REKEY);
854
855 zero(&msg);
856
857 clear_end(&msg.right); /* left set from this after --to */
858
859 msg.name = NULL;
860 msg.keyid = NULL;
861 msg.keyval.ptr = NULL;
862 msg.esp = NULL;
863 msg.ike = NULL;
864 msg.pfsgroup = NULL;
865
866 /* if a connection is added via whack then we assume IKEv1 */
867 msg.ikev1 = TRUE;
868
869 msg.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
870 msg.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
871 msg.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT;
872 msg.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
873 msg.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;
874
875 msg.addr_family = AF_INET;
876 msg.tunnel_addr_family = AF_INET;
877
878 msg.cacert = NULL;
879 msg.ldaphost = NULL;
880 msg.ldapbase = NULL;
881 msg.crluri = NULL;
882 msg.crluri2 = NULL;
883 msg.ocspuri = NULL;
884
885 options = options_create();
886
887 for (;;)
888 {
889 int long_index;
890 unsigned long opt_whole = 0; /* numeric argument for some flags */
891
892 /* Note: we don't like the way short options get parsed
893 * by getopt_long, so we simply pass an empty string as
894 * the list. It could be "hp:d:c:o:eatfs" "NARXPECK".
895 */
896 int c = getopt_long(argc, argv, "", long_opts, &long_index) - OPTION_OFFSET;
897 int aux = 0;
898
899 /* decode a numeric argument, if expected */
900 if (0 <= c)
901 {
902 if (c & NUMERIC_ARG)
903 {
904 char *endptr;
905
906 c -= NUMERIC_ARG;
907 opt_whole = strtoul(optarg, &endptr, 0);
908
909 if (*endptr != '\0' || endptr == optarg)
910 diagq("badly formed numeric argument", optarg);
911 }
912 if (c >= (1 << AUX_SHIFT))
913 {
914 aux = c >> AUX_SHIFT;
915 c -= aux << AUX_SHIFT;
916 }
917 }
918
919 /* per-class option processing */
920 if (0 <= c && c <= OPT_LAST)
921 {
922 /* OPT_* options get added to opts_seen.
923 * Reject repeated options (unless later code intervenes).
924 */
925 lset_t f = LELEM(c);
926
927 if (opts_seen & f)
928 diagq("duplicated flag", long_opts[long_index].name);
929 opts_seen |= f;
930 }
931 else if (SC_FIRST <= c && c <= SC_LAST)
932 {
933 /* SC_* options get added to sc_seen.
934 * Reject repeated options (unless later code intervenes).
935 */
936 lset_t f = LELEM(c - SC_FIRST);
937
938 if (sc_seen & f)
939 diagq("duplicated flag", long_opts[long_index].name);
940 sc_seen |= f;
941 }
942 else if (LST_FIRST <= c && c <= LST_LAST)
943 {
944 /* LST_* options get added to lst_seen.
945 * Reject repeated options (unless later code intervenes).
946 */
947 lset_t f = LELEM(c - LST_FIRST);
948
949 if (lst_seen & f)
950 diagq("duplicated flag", long_opts[long_index].name);
951 lst_seen |= f;
952 }
953 #ifdef DEBUG
954 else if (DBGOPT_FIRST <= c && c <= DBGOPT_LAST)
955 {
956 msg.whack_options = TRUE;
957 }
958 #endif
959 else if (END_FIRST <= c && c <= END_LAST)
960 {
961 /* END_* options are added to end_seen.
962 * Reject repeated options (unless later code intervenes).
963 */
964 lset_t f = LELEM(c - END_FIRST);
965
966 if (end_seen & f)
967 diagq("duplicated flag", long_opts[long_index].name);
968 end_seen |= f;
969 opts_seen |= LELEM(OPT_CD);
970 }
971 else if (CD_FIRST <= c && c <= CD_LAST)
972 {
973 /* CD_* options are added to cd_seen.
974 * Reject repeated options (unless later code intervenes).
975 */
976 lset_t f = LELEM(c - CD_FIRST);
977
978 if (cd_seen & f)
979 diagq("duplicated flag", long_opts[long_index].name);
980 cd_seen |= f;
981 opts_seen |= LELEM(OPT_CD);
982 }
983 else if (CA_FIRST <= c && c <= CA_LAST)
984 {
985 /* CA_* options are added to ca_seen.
986 * Reject repeated options (unless later code intervenes).
987 */
988 lset_t f = LELEM(c - CA_FIRST);
989
990 if (ca_seen & f)
991 diagq("duplicated flag", long_opts[long_index].name);
992 ca_seen |= f;
993 }
994
995 /* Note: "break"ing from switch terminates loop.
996 * most cases should end with "continue".
997 */
998 switch (c)
999 {
1000 case EOF - OPTION_OFFSET: /* end of flags */
1001 break;
1002
1003 case 0 - OPTION_OFFSET: /* long option already handled */
1004 continue;
1005
1006 case ':' - OPTION_OFFSET: /* diagnostic already printed by getopt_long */
1007 case '?' - OPTION_OFFSET: /* diagnostic already printed by getopt_long */
1008 diag(NULL); /* print no additional diagnostic, but exit sadly */
1009 break; /* not actually reached */
1010
1011 case 'h' - OPTION_OFFSET: /* --help */
1012 help();
1013 whack_exit(0); /* GNU coding standards say to stop here */
1014
1015 case 'v' - OPTION_OFFSET: /* --version */
1016 {
1017 const char **sp = ipsec_copyright_notice();
1018
1019 printf("strongSwan "VERSION"\n");
1020 for (; *sp != NULL; sp++)
1021 puts(*sp);
1022 }
1023 whack_exit(0); /* GNU coding standards say to stop here */
1024
1025 case 'l' - OPTION_OFFSET: /* --label <string> */
1026 label = optarg; /* remember for diagnostics */
1027 continue;
1028
1029 case '+' - OPTION_OFFSET: /* --optionsfrom <filename> */
1030 if (!options->from(options, optarg, &argc, &argv, optind))
1031 {
1032 fprintf(stderr, "optionsfrom failed");
1033 whack_exit(RC_WHACK_PROBLEM);
1034 }
1035 continue;
1036
1037 /* the rest of the options combine in complex ways */
1038
1039 case OPT_CTLBASE: /* --port <ctlbase> */
1040 if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
1041 , "%s%s", optarg, CTL_SUFFIX) == -1)
1042 diag("<ctlbase>" CTL_SUFFIX " must be fit in a sun_addr");
1043 continue;
1044
1045 case OPT_NAME: /* --name <connection-name> */
1046 name = optarg;
1047 msg.name = optarg;
1048 continue;
1049
1050 case OPT_KEYID: /* --keyid <identity> */
1051 msg.whack_key = !msg.whack_sc_op;
1052 msg.keyid = optarg; /* decoded by Pluto */
1053 continue;
1054
1055 case OPT_MYID: /* --myid <identity> */
1056 msg.whack_myid = TRUE;
1057 msg.myid = optarg; /* decoded by Pluto */
1058 continue;
1059
1060 case OPT_ADDKEY: /* --addkey */
1061 msg.whack_addkey = TRUE;
1062 continue;
1063
1064 case OPT_PUBKEYRSA: /* --pubkeyrsa <key> */
1065 {
1066 static char keyspace[RSA_MAX_ENCODING_BYTES]; /* room for 8K bit key */
1067 char diag_space[TTODATAV_BUF];
1068 const char *ugh = ttodatav(optarg, 0, 0
1069 , keyspace, sizeof(keyspace)
1070 , &msg.keyval.len, diag_space, sizeof(diag_space)
1071 , TTODATAV_SPACECOUNTS);
1072
1073 if (ugh != NULL)
1074 {
1075 char ugh_space[80]; /* perhaps enough space */
1076
1077 snprintf(ugh_space, sizeof(ugh_space)
1078 , "RSA public-key data malformed (%s)", ugh);
1079 diagq(ugh_space, optarg);
1080 }
1081 msg.pubkey_alg = PUBKEY_ALG_RSA;
1082 msg.keyval.ptr = keyspace;
1083 }
1084 continue;
1085
1086 case OPT_ROUTE: /* --route */
1087 msg.whack_route = TRUE;
1088 continue;
1089
1090 case OPT_UNROUTE: /* --unroute */
1091 msg.whack_unroute = TRUE;
1092 continue;
1093
1094 case OPT_INITIATE: /* --initiate */
1095 msg.whack_initiate = TRUE;
1096 continue;
1097
1098 case OPT_TERMINATE: /* --terminate */
1099 msg.whack_terminate = TRUE;
1100 continue;
1101
1102 case OPT_DELETE: /* --delete */
1103 msg.whack_delete = TRUE;
1104 continue;
1105
1106 case OPT_DELETESTATE: /* --deletestate <state_object_number> */
1107 msg.whack_deletestate = TRUE;
1108 msg.whack_deletestateno = opt_whole;
1109 continue;
1110
1111 case OPT_DELETECRASH: /* --crash <ip-address> */
1112 msg.whack_crash = TRUE;
1113 tunnel_af_used_by = long_opts[long_index].name;
1114 diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.whack_crash_peer), optarg);
1115 if (isanyaddr(&msg.whack_crash_peer))
1116 diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
1117 continue;
1118
1119 case OPT_LEASES: /* --leases */
1120 msg.whack_leases = TRUE;
1121 continue;
1122
1123 case OPT_LEASEADDR: /* --lease-addr <ip-address> */
1124 msg.whack_lease_ip = optarg; /* decoded by Pluto */
1125 continue;
1126
1127 case OPT_LEASEID: /* --lease-id <identity> */
1128 msg.whack_lease_id = optarg; /* decoded by Pluto */
1129 continue;
1130
1131 case OPT_LISTEN: /* --listen */
1132 msg.whack_listen = TRUE;
1133 continue;
1134
1135 case OPT_UNLISTEN: /* --unlisten */
1136 msg.whack_unlisten = TRUE;
1137 continue;
1138
1139 case OPT_PURGEOCSP: /* --purgeocsp */
1140 msg.whack_purgeocsp = TRUE;
1141 continue;
1142
1143 case OPT_REREADSECRETS: /* --rereadsecrets */
1144 case OPT_REREADCACERTS: /* --rereadcacerts */
1145 case OPT_REREADAACERTS: /* --rereadaacerts */
1146 case OPT_REREADOCSPCERTS: /* --rereadocspcerts */
1147 case OPT_REREADACERTS: /* --rereadacerts */
1148 case OPT_REREADCRLS: /* --rereadcrls */
1149 msg.whack_reread |= LELEM(c-OPT_REREADSECRETS);
1150 continue;
1151
1152 case OPT_REREADALL: /* --rereadall */
1153 msg.whack_reread = REREAD_ALL;
1154 continue;
1155
1156 case OPT_STATUSALL: /* --statusall */
1157 msg.whack_statusall = TRUE;
1158 /* fall through */
1159
1160 case OPT_STATUS: /* --status */
1161 msg.whack_status = TRUE;
1162 continue;
1163
1164 case OPT_SHUTDOWN: /* --shutdown */
1165 msg.whack_shutdown = TRUE;
1166 continue;
1167
1168 case OPT_OPPO_HERE: /* --oppohere <ip-address> */
1169 tunnel_af_used_by = long_opts[long_index].name;
1170 diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.oppo_my_client), optarg);
1171 if (isanyaddr(&msg.oppo_my_client))
1172 diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
1173 continue;
1174
1175 case OPT_OPPO_THERE: /* --oppohere <ip-address> */
1176 tunnel_af_used_by = long_opts[long_index].name;
1177 diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.oppo_peer_client), optarg);
1178 if (isanyaddr(&msg.oppo_peer_client))
1179 diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
1180 continue;
1181
1182 case OPT_ASYNC:
1183 msg.whack_async = TRUE;
1184 continue;
1185
1186 /* Smartcard options */
1187
1188 case SC_ENCRYPT: /* --scencrypt <plaintext data> */
1189 case SC_DECRYPT: /* --scdecrypt <encrypted data> */
1190 msg.whack_sc_op = 1 + c - SC_ENCRYPT;
1191 msg.whack_key = FALSE;
1192 msg.sc_data = optarg;
1193 continue;
1194
1195 case SC_INBASE: /* --inform <format> */
1196 case SC_OUTBASE: /* --outform <format> */
1197 {
1198 int base = 0;
1199
1200 if (streq(optarg, "16") || strcaseeq(optarg, "hex"))
1201 base = 16;
1202 else if (streq(optarg, "64") || strcaseeq(optarg, "base64"))
1203 base = 64;
1204 else if (streq(optarg, "256") || strcaseeq(optarg, "text")
1205 || strcaseeq(optarg, "ascii"))
1206 base = 256;
1207 else
1208 diagq("not a valid base", optarg);
1209
1210 if (c == SC_INBASE)
1211 msg.inbase = base;
1212 else
1213 msg.outbase = base;
1214 }
1215 continue;
1216
1217 /* List options */
1218
1219 case LST_UTC: /* --utc */
1220 msg.whack_utc = TRUE;
1221 continue;
1222
1223 case LST_ALGS: /* --listalgs */
1224 case LST_PUBKEYS: /* --listpubkeys */
1225 case LST_CERTS: /* --listcerts */
1226 case LST_CACERTS: /* --listcacerts */
1227 case LST_ACERTS: /* --listacerts */
1228 case LST_AACERTS: /* --listaacerts */
1229 case LST_OCSPCERTS: /* --listocspcerts */
1230 case LST_GROUPS: /* --listgroups */
1231 case LST_CAINFOS: /* --listcainfos */
1232 case LST_CRLS: /* --listcrls */
1233 case LST_OCSP: /* --listocsp */
1234 case LST_CARDS: /* --listcards */
1235 msg.whack_list |= LELEM(c - LST_ALGS);
1236 continue;
1237
1238 case LST_ALL: /* --listall */
1239 msg.whack_list = LIST_ALL;
1240 continue;
1241
1242 /* Connection Description options */
1243
1244 case END_HOST: /* --host <ip-address> */
1245 {
1246 lset_t new_policy = LEMPTY;
1247
1248 af_used_by = long_opts[long_index].name;
1249 diagq(anyaddr(msg.addr_family, &msg.right.host_addr), optarg);
1250 if (streq(optarg, "%any"))
1251 {
1252 }
1253 else if (streq(optarg, "%opportunistic"))
1254 {
1255 /* always use tunnel mode; mark as opportunistic */
1256 new_policy |= POLICY_TUNNEL | POLICY_OPPO;
1257 }
1258 else if (streq(optarg, "%group"))
1259 {
1260 /* always use tunnel mode; mark as group */
1261 new_policy |= POLICY_TUNNEL | POLICY_GROUP;
1262 }
1263 else if (streq(optarg, "%opportunisticgroup"))
1264 {
1265 /* always use tunnel mode; mark as opportunistic */
1266 new_policy |= POLICY_TUNNEL | POLICY_OPPO | POLICY_GROUP;
1267 }
1268 else
1269 {
1270 diagq(ttoaddr(optarg, 0, msg.addr_family
1271 , &msg.right.host_addr), optarg);
1272 }
1273
1274 msg.policy |= new_policy;
1275
1276 if (new_policy & (POLICY_OPPO | POLICY_GROUP))
1277 {
1278 if (!LHAS(end_seen, END_CLIENT - END_FIRST))
1279 {
1280 /* set host to 0.0.0 and --client to 0.0.0.0/0
1281 * or IPV6 equivalent
1282 */
1283 ip_address any;
1284
1285 tunnel_af_used_by = optarg;
1286 diagq(anyaddr(msg.tunnel_addr_family, &any), optarg);
1287 diagq(initsubnet(&any, 0, '0', &msg.right.client), optarg);
1288 }
1289 msg.right.has_client = TRUE;
1290 }
1291 if (new_policy & POLICY_GROUP)
1292 {
1293 /* client subnet must not be specified by user:
1294 * it will come from the group's file.
1295 */
1296 if (LHAS(end_seen, END_CLIENT - END_FIRST))
1297 diag("--host %group clashes with --client");
1298
1299 end_seen |= LELEM(END_CLIENT - END_FIRST);
1300 }
1301 if (new_policy & POLICY_OPPO)
1302 msg.right.key_from_DNS_on_demand = TRUE;
1303 continue;
1304 }
1305 case END_ID: /* --id <identity> */
1306 msg.right.id = optarg; /* decoded by Pluto */
1307 continue;
1308
1309 case END_CERT: /* --cert <path> */
1310 msg.right.cert = optarg; /* decoded by Pluto */
1311 continue;
1312
1313 case END_CA: /* --ca <distinguished name> */
1314 msg.right.ca = optarg; /* decoded by Pluto */
1315 continue;
1316
1317 case END_SENDCERT:
1318 if (streq(optarg, "yes") || streq(optarg, "always"))
1319 {
1320 msg.right.sendcert = CERT_ALWAYS_SEND;
1321 }
1322 else if (streq(optarg, "no") || streq(optarg, "never"))
1323 {
1324 msg.right.sendcert = CERT_NEVER_SEND;
1325 }
1326 else if (streq(optarg, "ifasked"))
1327 {
1328 msg.right.sendcert = CERT_SEND_IF_ASKED;
1329 }
1330 else
1331 {
1332 diagq("whack sendcert value is not legal", optarg);
1333 }
1334 continue;
1335
1336 case END_GROUPS:/* --groups <access control groups> */
1337 msg.right.groups = optarg; /* decoded by Pluto */
1338 continue;
1339
1340 case END_IKEPORT: /* --ikeport <port-number> */
1341 if (opt_whole<=0 || opt_whole >= 0x10000)
1342 diagq("<port-number> must be a number between 1 and 65535", optarg);
1343 msg.right.host_port = opt_whole;
1344 continue;
1345
1346 case END_NEXTHOP: /* --nexthop <ip-address> */
1347 af_used_by = long_opts[long_index].name;
1348 if (streq(optarg, "%direct"))
1349 diagq(anyaddr(msg.addr_family
1350 , &msg.right.host_nexthop), optarg);
1351 else
1352 diagq(ttoaddr(optarg, 0, msg.addr_family
1353 , &msg.right.host_nexthop), optarg);
1354 continue;
1355
1356 case END_SRCIP: /* --srcip <ip-address> */
1357 af_used_by = long_opts[long_index].name;
1358 if (streq(optarg, "%modeconfig") || streq(optarg, "%modecfg"))
1359 {
1360 msg.right.modecfg = TRUE;
1361 }
1362 else
1363 {
1364 diagq(ttoaddr(optarg, 0, msg.addr_family
1365 , &msg.right.host_srcip), optarg);
1366 msg.right.has_srcip = TRUE;
1367 }
1368 msg.policy |= POLICY_TUNNEL; /* srcip => tunnel */
1369 continue;
1370
1371 case END_CLIENT: /* --client <subnet> */
1372 if (end_seen & LELEM(END_CLIENTWITHIN - END_FIRST))
1373 diag("--client conflicts with --clientwithin");
1374 tunnel_af_used_by = long_opts[long_index].name;
1375 if ((strlen(optarg) >= 6 && strncmp(optarg,"vhost:",6) == 0)
1376 || (strlen(optarg) >= 5 && strncmp(optarg,"vnet:",5) == 0))
1377 {
1378 msg.right.virt = optarg;
1379 }
1380 else
1381 {
1382 diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg);
1383 msg.right.has_client = TRUE;
1384 }
1385 msg.policy |= POLICY_TUNNEL; /* client => tunnel */
1386 continue;
1387
1388 case END_CLIENTWITHIN: /* --clienwithin <address range> */
1389 if (end_seen & LELEM(END_CLIENT - END_FIRST))
1390 diag("--clientwithin conflicts with --client");
1391 tunnel_af_used_by = long_opts[long_index].name;
1392 diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg);
1393 msg.right.has_client = TRUE;
1394 msg.policy |= POLICY_TUNNEL; /* client => tunnel */
1395 msg.right.has_client_wildcard = TRUE;
1396 continue;
1397
1398 case END_CLIENTPROTOPORT: /* --clientprotoport <protocol>/<port> */
1399 diagq(ttoprotoport(optarg, 0, &msg.right.protocol, &msg.right.port
1400 , &msg.right.has_port_wildcard), optarg);
1401 continue;
1402
1403 case END_DNSKEYONDEMAND: /* --dnskeyondemand */
1404 msg.right.key_from_DNS_on_demand = TRUE;
1405 continue;
1406
1407 case END_HOSTACCESS: /* --hostaccess */
1408 msg.right.hostaccess = TRUE;
1409 continue;
1410
1411 case END_UPDOWN: /* --updown <updown> */
1412 msg.right.updown = optarg;
1413 continue;
1414
1415 case CD_TO: /* --to */
1416 /* process right end, move it to left, reset it */
1417 if (!LHAS(end_seen, END_HOST - END_FIRST))
1418 diag("connection missing --host before --to");
1419 msg.left = msg.right;
1420 clear_end(&msg.right);
1421 end_seen_before_to = end_seen;
1422 end_seen = LEMPTY;
1423 continue;
1424
1425 case CD_PSK: /* --psk */
1426 case CD_RSASIG: /* --rsasig */
1427 case CD_ENCRYPT: /* --encrypt */
1428 case CD_AUTHENTICATE: /* --authenticate */
1429 case CD_COMPRESS: /* --compress */
1430 case CD_TUNNEL: /* --tunnel */
1431 case CD_PFS: /* --pfs */
1432 case CD_DISABLEARRIVALCHECK: /* --disablearrivalcheck */
1433 case CD_DONT_REKEY: /* --donotrekey */
1434 msg.policy |= LELEM(c - CD_POLICY_FIRST);
1435 continue;
1436
1437 /* --initiateontraffic
1438 * --pass
1439 * --drop
1440 * --reject
1441 */
1442 case CD_SHUNT0:
1443 msg.policy = (msg.policy & ~POLICY_SHUNT_MASK)
1444 | ((lset_t)aux << POLICY_SHUNT_SHIFT);
1445 continue;
1446
1447 /* --failnone
1448 * --failpass
1449 * --faildrop
1450 * --failreject
1451 */
1452 case CD_FAIL0:
1453 msg.policy = (msg.policy & ~POLICY_FAIL_MASK)
1454 | ((lset_t)aux << POLICY_FAIL_SHIFT);
1455 continue;
1456
1457 case CD_IKELIFETIME: /* --ikelifetime <seconds> */
1458 msg.sa_ike_life_seconds = opt_whole;
1459 continue;
1460
1461 case CD_IPSECLIFETIME: /* --ipseclifetime <seconds> */
1462 msg.sa_ipsec_life_seconds = opt_whole;
1463 continue;
1464
1465 case CD_RKMARGIN: /* --rekeymargin <seconds> */
1466 msg.sa_rekey_margin = opt_whole;
1467 continue;
1468
1469 case CD_RKFUZZ: /* --rekeyfuzz <percentage> */
1470 msg.sa_rekey_fuzz = opt_whole;
1471 continue;
1472
1473 case CD_KTRIES: /* --keyingtries <count> */
1474 msg.sa_keying_tries = opt_whole;
1475 continue;
1476
1477 case CD_DPDACTION:
1478 if (streq(optarg, "none"))
1479 msg.dpd_action = DPD_ACTION_NONE;
1480 else if (streq(optarg, "clear"))
1481 msg.dpd_action = DPD_ACTION_CLEAR;
1482 else if (streq(optarg, "hold"))
1483 msg.dpd_action = DPD_ACTION_HOLD;
1484 else if (streq(optarg, "restart"))
1485 msg.dpd_action = DPD_ACTION_RESTART;
1486 else
1487 msg.dpd_action = DPD_ACTION_UNKNOWN;
1488 continue;
1489
1490 case CD_DPDDELAY:
1491 msg.dpd_delay = opt_whole;
1492 continue;
1493
1494 case CD_DPDTIMEOUT:
1495 msg.dpd_timeout = opt_whole;
1496 continue;
1497
1498 case CD_IKE: /* --ike <ike_alg1,ike_alg2,...> */
1499 msg.ike = optarg;
1500 continue;
1501
1502 case CD_PFSGROUP: /* --pfsgroup modpXXXX */
1503 msg.pfsgroup = optarg;
1504 continue;
1505
1506 case CD_ESP: /* --esp <esp_alg1,esp_alg2,...> */
1507 msg.esp = optarg;
1508 continue;
1509
1510 case CD_CONNIPV4:
1511 if (LHAS(cd_seen, CD_CONNIPV6 - CD_FIRST))
1512 diag("--ipv4 conflicts with --ipv6");
1513
1514 /* Since this is the default, the flag is redundant.
1515 * So we don't need to set msg.addr_family
1516 * and we don't need to check af_used_by
1517 * and we don't have to consider defaulting tunnel_addr_family.
1518 */
1519 continue;
1520
1521 case CD_CONNIPV6:
1522 if (LHAS(cd_seen, CD_CONNIPV4 - CD_FIRST))
1523 diag("--ipv6 conflicts with --ipv4");
1524
1525 if (af_used_by != NULL)
1526 diagq("--ipv6 must precede", af_used_by);
1527
1528 af_used_by = long_opts[long_index].name;
1529 msg.addr_family = AF_INET6;
1530
1531 /* Consider defaulting tunnel_addr_family to AF_INET6.
1532 * Do so only if it hasn't yet been specified or used.
1533 */
1534 if (LDISJOINT(cd_seen, LELEM(CD_TUNNELIPV4 - CD_FIRST) | LELEM(CD_TUNNELIPV6 - CD_FIRST))
1535 && tunnel_af_used_by == NULL)
1536 msg.tunnel_addr_family = AF_INET6;
1537 continue;
1538
1539 case CD_TUNNELIPV4:
1540 if (LHAS(cd_seen, CD_TUNNELIPV6 - CD_FIRST))
1541 diag("--tunnelipv4 conflicts with --tunnelipv6");
1542
1543 if (tunnel_af_used_by != NULL)
1544 diagq("--tunnelipv4 must precede", af_used_by);
1545
1546 msg.tunnel_addr_family = AF_INET;
1547 continue;
1548
1549 case CD_TUNNELIPV6:
1550 if (LHAS(cd_seen, CD_TUNNELIPV4 - CD_FIRST))
1551 diag("--tunnelipv6 conflicts with --tunnelipv4");
1552
1553 if (tunnel_af_used_by != NULL)
1554 diagq("--tunnelipv6 must precede", af_used_by);
1555
1556 msg.tunnel_addr_family = AF_INET6;
1557 continue;
1558
1559 case CA_NAME: /* --caname <name> */
1560 msg.name = optarg;
1561 msg.whack_ca = TRUE;
1562 continue;
1563 case CA_CERT: /* --cacert <path> */
1564 msg.cacert = optarg;
1565 continue;
1566 case CA_LDAPHOST: /* --ldaphost <hostname> */
1567 msg.ldaphost = optarg;
1568 continue;
1569 case CA_LDAPBASE: /* --ldapbase <base> */
1570 msg.ldapbase = optarg;
1571 continue;
1572 case CA_CRLURI: /* --crluri <uri> */
1573 msg.crluri = optarg;
1574 continue;
1575 case CA_CRLURI2: /* --crluri2 <uri> */
1576 msg.crluri2 = optarg;
1577 continue;
1578 case CA_OCSPURI: /* --ocspuri <uri> */
1579 msg.ocspuri = optarg;
1580 continue;
1581 case CA_STRICT: /* --strictcrlpolicy */
1582 msg.whack_strict = TRUE;
1583 continue;
1584
1585 #ifdef DEBUG
1586 case DBGOPT_NONE: /* --debug-none */
1587 msg.debugging = DBG_NONE;
1588 continue;
1589
1590 case DBGOPT_ALL: /* --debug-all */
1591 msg.debugging |= DBG_ALL; /* note: does not include PRIVATE */
1592 continue;
1593
1594 case DBGOPT_RAW: /* --debug-raw */
1595 case DBGOPT_CRYPT: /* --debug-crypt */
1596 case DBGOPT_PARSING: /* --debug-parsing */
1597 case DBGOPT_EMITTING: /* --debug-emitting */
1598 case DBGOPT_CONTROL: /* --debug-control */
1599 case DBGOPT_LIFECYCLE: /* --debug-lifecycle */
1600 case DBGOPT_KERNEL: /* --debug-kernel, --debug-klips */
1601 case DBGOPT_DNS: /* --debug-dns */
1602 case DBGOPT_NATT: /* --debug-natt */
1603 case DBGOPT_OPPO: /* --debug-oppo */
1604 case DBGOPT_CONTROLMORE: /* --debug-controlmore */
1605 case DBGOPT_PRIVATE: /* --debug-private */
1606 case DBGOPT_IMPAIR_DELAY_ADNS_KEY_ANSWER: /* --impair-delay-adns-key-answer */
1607 case DBGOPT_IMPAIR_DELAY_ADNS_TXT_ANSWER: /* --impair-delay-adns-txt-answer */
1608 case DBGOPT_IMPAIR_BUST_MI2: /* --impair_bust_mi2 */
1609 case DBGOPT_IMPAIR_BUST_MR2: /* --impair_bust_mr2 */
1610 msg.debugging |= LELEM(c-DBGOPT_RAW);
1611 continue;
1612 #endif
1613 default:
1614 assert(FALSE); /* unknown return value */
1615 }
1616 break;
1617 }
1618
1619 if (optind != argc)
1620 {
1621 /* If you see this message unexpectedly, perhaps the
1622 * case for the previous option ended with "break"
1623 * instead of "continue"
1624 */
1625 diagq("unexpected argument", argv[optind]);
1626 }
1627
1628 /* For each possible form of the command, figure out if an argument
1629 * suggests whether that form was intended, and if so, whether all
1630 * required information was supplied.
1631 */
1632
1633 /* check opportunistic initiation simulation request */
1634 switch (opts_seen & (LELEM(OPT_OPPO_HERE) | LELEM(OPT_OPPO_THERE)))
1635 {
1636 case LELEM(OPT_OPPO_HERE):
1637 case LELEM(OPT_OPPO_THERE):
1638 diag("--oppohere and --oppothere must be used together");
1639 /*NOTREACHED*/
1640 case LELEM(OPT_OPPO_HERE) | LELEM(OPT_OPPO_THERE):
1641 msg.whack_oppo_initiate = TRUE;
1642 if (LIN(cd_seen, LELEM(CD_TUNNELIPV4 - CD_FIRST) | LELEM(CD_TUNNELIPV6 - CD_FIRST)))
1643 opts_seen &= ~LELEM(OPT_CD);
1644 break;
1645 }
1646
1647 /* check leases */
1648 if (LHAS(opts_seen, OPT_LEASEADDR) && LHAS(opts_seen, OPT_LEASEID))
1649 {
1650 diag("--lease-addr and --lease-id cannot be used together");
1651 }
1652
1653 /* check connection description */
1654 if (LHAS(opts_seen, OPT_CD))
1655 {
1656 if (!LHAS(cd_seen, CD_TO-CD_FIRST))
1657 diag("connection description option, but no --to");
1658
1659 if (!LHAS(end_seen, END_HOST-END_FIRST))
1660 diag("connection missing --host after --to");
1661
1662 if (isanyaddr(&msg.left.host_addr)
1663 && isanyaddr(&msg.right.host_addr))
1664 diag("hosts cannot both be 0.0.0.0 or 0::0");
1665
1666 if (msg.policy & POLICY_OPPO)
1667 {
1668 if ((msg.policy & (POLICY_PSK | POLICY_PUBKEY)) != POLICY_PUBKEY)
1669 diag("only PUBKEY is supported for opportunism");
1670 if ((msg.policy & POLICY_PFS) == 0)
1671 diag("PFS required for opportunism");
1672 if ((msg.policy & POLICY_ENCRYPT) == 0)
1673 diag("encryption required for opportunism");
1674 }
1675
1676 check_end(&msg.left, &msg.right, !LHAS(end_seen_before_to, END_NEXTHOP-END_FIRST)
1677 , msg.addr_family, msg.tunnel_addr_family);
1678
1679 check_end(&msg.right, &msg.left, !LHAS(end_seen, END_NEXTHOP-END_FIRST)
1680 , msg.addr_family, msg.tunnel_addr_family);
1681
1682 if (subnettypeof(&msg.left.client) != subnettypeof(&msg.right.client))
1683 diag("endpoints clash: one is IPv4 and the other is IPv6");
1684
1685 if (NEVER_NEGOTIATE(msg.policy))
1686 {
1687 /* we think this is just a shunt (because he didn't specify
1688 * a host authentication method). If he didn't specify a
1689 * shunt type, he's probably gotten it wrong.
1690 */
1691 if ((msg.policy & POLICY_SHUNT_MASK) == POLICY_SHUNT_TRAP)
1692 diag("non-shunt connection must have --psk or --rsasig or both");
1693 }
1694 else
1695 {
1696 /* not just a shunt: a real ipsec connection */
1697 if ((msg.policy & POLICY_ID_AUTH_MASK) == LEMPTY)
1698 diag("must specify --rsasig or --psk for a connection");
1699
1700 if (!HAS_IPSEC_POLICY(msg.policy)
1701 && (msg.left.has_client || msg.right.has_client))
1702 diag("must not specify clients for ISAKMP-only connection");
1703 }
1704
1705 msg.whack_connection = TRUE;
1706 }
1707
1708 /* decide whether --name is mandatory or forbidden */
1709 if (!LDISJOINT(opts_seen
1710 , LELEM(OPT_ROUTE) | LELEM(OPT_UNROUTE)
1711 | LELEM(OPT_INITIATE) | LELEM(OPT_TERMINATE)
1712 | LELEM(OPT_DELETE) | LELEM(OPT_CD)))
1713 {
1714 if (!LHAS(opts_seen, OPT_NAME) && !msg.whack_ca)
1715 diag("missing --name <connection_name>");
1716 }
1717 else if (!msg.whack_options && !msg.whack_status && !msg.whack_leases)
1718 {
1719 if (LHAS(opts_seen, OPT_NAME))
1720 diag("no reason for --name");
1721 }
1722
1723 if (!LDISJOINT(opts_seen, LELEM(OPT_PUBKEYRSA) | LELEM(OPT_ADDKEY)))
1724 {
1725 if (!LHAS(opts_seen, OPT_KEYID))
1726 diag("--addkey and --pubkeyrsa require --keyid");
1727 }
1728
1729 if (!(msg.whack_connection || msg.whack_key || msg.whack_myid
1730 || msg.whack_delete || msg.whack_deletestate
1731 || msg.whack_initiate || msg.whack_oppo_initiate || msg.whack_terminate
1732 || msg.whack_route || msg.whack_unroute || msg.whack_listen
1733 || msg.whack_unlisten || msg.whack_list || msg.whack_purgeocsp
1734 || msg.whack_reread || msg.whack_ca || msg.whack_status
1735 || msg.whack_options || msg.whack_shutdown || msg.whack_sc_op
1736 || msg.whack_leases))
1737 {
1738 diag("no action specified; try --help for hints");
1739 }
1740
1741 update_ports(&msg);
1742
1743 /* tricky quick and dirty check for wild values */
1744 if (msg.sa_rekey_margin != 0
1745 && msg.sa_rekey_fuzz * msg.sa_rekey_margin * 4 / msg.sa_rekey_margin / 4
1746 != msg.sa_rekey_fuzz)
1747 diag("rekeymargin or rekeyfuzz values are so large that they cause oveflow");
1748
1749 check_life_time (msg.sa_ike_life_seconds, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
1750 , "ikelifetime", &msg);
1751
1752 check_life_time(msg.sa_ipsec_life_seconds, SA_LIFE_DURATION_MAXIMUM
1753 , "ipseclifetime", &msg);
1754
1755 if (msg.dpd_action == DPD_ACTION_UNKNOWN)
1756 diag("dpdaction must be \"none\", \"clear\", \"hold\" or \"restart\"");
1757
1758 if (msg.dpd_action != DPD_ACTION_NONE)
1759 {
1760 if (msg.dpd_delay <= 0)
1761 diag("dpddelay must be larger than zero");
1762
1763 if (msg.dpd_timeout <= 0)
1764 diag("dpdtimeout must be larger than zero");
1765
1766 if (msg.dpd_timeout <= msg.dpd_delay)
1767 diag("dpdtimeout must be larger than dpddelay");
1768 }
1769
1770 /* pack strings for inclusion in message */
1771 next_str = msg.string;
1772 str_roof = &msg.string[sizeof(msg.string)];
1773
1774 /* build esp message as esp="<esp>;<pfsgroup>" */
1775 if (msg.pfsgroup) {
1776 snprintf(esp_buf, sizeof (esp_buf), "%s;%s",
1777 msg.esp ? msg.esp : "",
1778 msg.pfsgroup ? msg.pfsgroup : "");
1779 msg.esp=esp_buf;
1780 }
1781 if (!pack_str(&msg.name) /* string 1 */
1782 || !pack_str(&msg.left.id) /* string 2 */
1783 || !pack_str(&msg.left.cert) /* string 3 */
1784 || !pack_str(&msg.left.ca) /* string 4 */
1785 || !pack_str(&msg.left.groups) /* string 5 */
1786 || !pack_str(&msg.left.updown) /* string 6 */
1787 || !pack_str(&msg.left.sourceip) /* string 7 */
1788 || !pack_str(&msg.left.virt) /* string 8 */
1789 || !pack_str(&msg.right.id) /* string 9 */
1790 || !pack_str(&msg.right.cert) /* string 10 */
1791 || !pack_str(&msg.right.ca) /* string 11 */
1792 || !pack_str(&msg.right.groups) /* string 12 */
1793 || !pack_str(&msg.right.updown) /* string 13 */
1794 || !pack_str(&msg.right.sourceip) /* string 14 */
1795 || !pack_str(&msg.right.virt) /* string 15 */
1796 || !pack_str(&msg.keyid) /* string 16 */
1797 || !pack_str(&msg.myid) /* string 17 */
1798 || !pack_str(&msg.cacert) /* string 18 */
1799 || !pack_str(&msg.ldaphost) /* string 19 */
1800 || !pack_str(&msg.ldapbase) /* string 20 */
1801 || !pack_str(&msg.crluri) /* string 21 */
1802 || !pack_str(&msg.crluri2) /* string 22 */
1803 || !pack_str(&msg.ocspuri) /* string 23 */
1804 || !pack_str(&msg.ike) /* string 24 */
1805 || !pack_str(&msg.esp) /* string 25 */
1806 || !pack_str(&msg.sc_data) /* string 26 */
1807 || !pack_str(&msg.whack_lease_ip) /* string 27 */
1808 || !pack_str(&msg.whack_lease_id) /* string 28 */
1809 || !pack_str(&msg.xauth_identity) /* string 29 */
1810 || str_roof - next_str < (ptrdiff_t)msg.keyval.len)
1811 diag("too many bytes of strings to fit in message to pluto");
1812
1813 memcpy(next_str, msg.keyval.ptr, msg.keyval.len);
1814 msg.keyval.ptr = NULL;
1815 next_str += msg.keyval.len;
1816
1817 msg.magic = ((opts_seen & ~LELEM(OPT_SHUTDOWN))
1818 | sc_seen | lst_seen | cd_seen | ca_seen) != LEMPTY
1819 || msg.whack_options
1820 ? WHACK_MAGIC : WHACK_BASIC_MAGIC;
1821
1822 /* send message to Pluto */
1823 if (access(ctl_addr.sun_path, R_OK | W_OK) < 0)
1824 {
1825 int e = errno;
1826
1827 switch (e)
1828 {
1829 case EACCES:
1830 fprintf(stderr, "whack: no right to communicate with pluto (access(\"%s\"))\n"
1831 , ctl_addr.sun_path);
1832 break;
1833 case ENOENT:
1834 fprintf(stderr, "whack: Pluto is not running (no \"%s\")\n"
1835 , ctl_addr.sun_path);
1836 break;
1837 default:
1838 fprintf(stderr, "whack: access(\"%s\") failed with %d %s\n"
1839 , ctl_addr.sun_path, errno, strerror(e));
1840 break;
1841 }
1842 whack_exit(RC_WHACK_PROBLEM);
1843 }
1844 else
1845 {
1846 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
1847 int exit_status = 0;
1848 ssize_t len = next_str - (char *)&msg;
1849
1850 if (sock == -1)
1851 {
1852 int e = errno;
1853
1854 fprintf(stderr, "whack: socket() failed (%d %s)\n", e, strerror(e));
1855 whack_exit(RC_WHACK_PROBLEM);
1856 }
1857
1858 if (connect(sock, (struct sockaddr *)&ctl_addr
1859 , offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
1860 {
1861 int e = errno;
1862
1863 fprintf(stderr, "whack:%s connect() for \"%s\" failed (%d %s)\n"
1864 , e == ECONNREFUSED? " is Pluto running? " : ""
1865 , ctl_addr.sun_path, e, strerror(e));
1866 whack_exit(RC_WHACK_PROBLEM);
1867 }
1868
1869 if (write(sock, &msg, len) != len)
1870 {
1871 int e = errno;
1872
1873 fprintf(stderr, "whack: write() failed (%d %s)\n", e, strerror(e));
1874 whack_exit(RC_WHACK_PROBLEM);
1875 }
1876
1877 /* for now, just copy reply back to stdout */
1878
1879 {
1880 char buf[4097]; /* arbitrary limit on log line length */
1881 char *be = buf;
1882
1883 for (;;)
1884 {
1885 char *ls = buf;
1886 ssize_t rl = read(sock, be, (buf + sizeof(buf)-1) - be);
1887
1888 if (rl < 0)
1889 {
1890 int e = errno;
1891
1892 fprintf(stderr, "whack: read() failed (%d %s)\n", e, strerror(e));
1893 whack_exit(RC_WHACK_PROBLEM);
1894 }
1895 if (rl == 0)
1896 {
1897 if (be != buf)
1898 fprintf(stderr, "whack: last line from pluto too long or unterminated\n");
1899 break;
1900 }
1901
1902 be += rl;
1903 *be = '\0';
1904
1905 for (;;)
1906 {
1907 char *le = strchr(ls, '\n');
1908
1909 if (le == NULL)
1910 {
1911 /* move last, partial line to start of buffer */
1912 memmove(buf, ls, be-ls);
1913 be -= ls - buf;
1914 break;
1915 }
1916
1917 le++; /* include NL in line */
1918 ignore_result(write(1, ls, le - ls));
1919
1920 /* figure out prefix number
1921 * and how it should affect our exit status
1922 */
1923 {
1924 unsigned long s = strtoul(ls, NULL, 10);
1925
1926 switch (s)
1927 {
1928 case RC_COMMENT:
1929 case RC_LOG:
1930 /* ignore */
1931 break;
1932 case RC_SUCCESS:
1933 /* be happy */
1934 exit_status = 0;
1935 break;
1936 case RC_ENTERSECRET:
1937 get_secret(sock);
1938 break;
1939 /* case RC_LOG_SERIOUS: */
1940 default:
1941 /* pass through */
1942 exit_status = s;
1943 break;
1944 }
1945 }
1946 ls = le;
1947 }
1948 }
1949 }
1950 whack_exit(exit_status);
1951 }
1952 return -1; /* should never be reached */
1953 }
strongSwan - IPsec VPN