int main(int argc, char *argv[]){
struct ub_ctx *test;
ip_address *addr;
unbound_resolve(&test,"libreswan.org", 0,0, &addr);
}
static bool validate_end(struct ub_ctx *dnsctx ,
#endif
struct starter_conn *conn_st,
struct starter_end *end,
const char *leftright,
bool resolvip UNUSED,
err_t *perr)
{
err_t er = NULL;
char *err_str = NULL;
int family = conn_st->options[KBF_CONNADDRFAMILY];
bool err = FALSE;
# define ERR_FOUND(...) { err |= error_append(&err_str, __VA_ARGS__); }
if (!end->options_set[KNCF_IP])
conn_st->state = STATE_INCOMPLETE;
end->addrtype = end->options[KNCF_IP];
end->addr_family = family;
/* validate the KSCF_IP/KNCF_IP */
switch (end->addrtype) {
case KH_ANY:
anyaddr(family, &(end->addr));
break;
case KH_IFACE:
/* generally, this doesn't show up at this stage */
starter_log(LOG_LEVEL_DEBUG, "starter: %s is KH_IFACE", leftright);
break;
case KH_IPADDR:
assert(end->strings[KSCF_IP] != NULL);
if (end->strings[KSCF_IP][0] == '%') {
pfree(end->iface);
end->iface = clone_str(end->strings[KSCF_IP] + 1, "KH_IPADDR end->iface");
if (!starter_iface_find(end->iface, family,
&end->addr,
&end->nexthop))
conn_st->state = STATE_INVALID;
/* not numeric, so set the type to the iface type */
end->addrtype = KH_IFACE;
break;
}
er = ttoaddr_num(end->strings[KNCF_IP], 0, family,
&(end->addr));
if (er != NULL) {
/* not numeric, so set the type to the string type */
end->addrtype = KH_IPHOSTNAME;
}
if (end->id == NULL) {
ipstr_buf b;
end->id = clone_str(ipstr(&end->addr, &b), "end if");
}
break;
case KH_OPPO:
conn_st->policy |= POLICY_OPPORTUNISTIC;
break;
case KH_OPPOGROUP:
conn_st->policy |= POLICY_OPPORTUNISTIC | POLICY_GROUP;
break;
case KH_GROUP:
conn_st->policy |= POLICY_GROUP;
break;
case KH_IPHOSTNAME:
/* generally, this doesn't show up at this stage */
starter_log(LOG_LEVEL_DEBUG,
"starter: %s is KH_IPHOSTNAME", leftright);
break;
case KH_DEFAULTROUTE:
starter_log(LOG_LEVEL_DEBUG,
"starter: %s is KH_DEFAULTROUTE", leftright);
break;
case KH_NOTSET:
starter_log(LOG_LEVEL_DEBUG, "starter: %s is KH_NOTSET", leftright);
break;
}
/* validate the KSCF_SUBNET */
if (end->strings_set[KSCF_SUBNET]) {
char *value = end->strings[KSCF_SUBNET];
if (end->strings_set[KSCF_ADDRESSPOOL]) {
ERR_FOUND("cannot specify both %ssubnet= and %saddresspool=", leftright,
leftright);
}
if (startswith(value, "vhost:") || startswith(value, "vnet:")) {
er = NULL;
end->virt = clone_str(value, "validate_end item");
} else {
end->has_client = TRUE;
er = ttosubnet(value, 0, family, &(end->subnet));
}
if (er != NULL)
ERR_FOUND("bad subnet %ssubnet=%s [%s]", leftright,
value, er);
}
/* set nexthop address to something consistent, by default */
anyaddr(family, &end->nexthop);
anyaddr(addrtypeof(&end->addr), &end->nexthop);
/* validate the KSCF_NEXTHOP */
if (end->strings_set[KSCF_NEXTHOP]) {
char *value = end->strings[KSCF_NEXTHOP];
if (strcaseeq(value, "%defaultroute")) {
end->nexttype = KH_DEFAULTROUTE;
} else {
if (tnatoaddr(value, strlen(value), AF_INET,
&(end->nexthop)) != NULL &&
tnatoaddr(value, strlen(value), AF_INET6,
&(end->nexthop)) != NULL) {
#ifdef DNSSEC
starter_log(LOG_LEVEL_DEBUG,
"Calling unbound_resolve() for %snexthop value",
leftright);
if (!unbound_resolve(dnsctx, value,
strlen(value), AF_INET,
&(end->nexthop)) &&
!unbound_resolve(dnsctx, value,
strlen(value), AF_INET6,
&(end->nexthop)))
ERR_FOUND("bad value for %snexthop=%s\n",
leftright, value);
#else
er = ttoaddr(value, 0, family,
&(end->nexthop));
if (er != NULL)
ERR_FOUND("bad value for %snexthop=%s [%s]",
leftright, value,
er);
#endif
}
end->nexttype = KH_IPADDR;
}
} else {
#if 0
if (conn_st->policy & POLICY_OPPORTUNISTIC)
end->nexttype = KH_DEFAULTROUTE;
#endif
anyaddr(family, &end->nexthop);
if (end->addrtype == KH_DEFAULTROUTE) {
end->nexttype = KH_DEFAULTROUTE;
}
}
/* validate the KSCF_ID */
if (end->strings_set[KSCF_ID]) {
char *value = end->strings[KSCF_ID];
pfreeany(end->id);
end->id = clone_str(value, "end->id");
}
if (end->options_set[KSCF_RSAKEY1]) {
end->rsakey1_type = end->options[KSCF_RSAKEY1];
end->rsakey2_type = end->options[KSCF_RSAKEY2];
switch (end->options[KSCF_RSAKEY1]) {
case PUBKEY_DNS:
case PUBKEY_DNSONDEMAND:
end->key_from_DNS_on_demand = TRUE;
break;
default:
end->key_from_DNS_on_demand = FALSE;
/* validate the KSCF_RSAKEY1/RSAKEY2 */
if (end->strings[KSCF_RSAKEY1] != NULL) {
char *value = end->strings[KSCF_RSAKEY1];
pfreeany(end->rsakey1);
end->rsakey1 = (unsigned char *)clone_str(value,"end->rsakey1");
}
if (end->strings[KSCF_RSAKEY2] != NULL) {
char *value = end->strings[KSCF_RSAKEY2];
pfreeany(end->rsakey2);
end->rsakey2 = (unsigned char *)clone_str(value,"end->rsakey2");
}
}
}
/* validate the KSCF_SOURCEIP, if any, and if set,
* set the subnet to same value, if not set.
*/
if (end->strings_set[KSCF_SOURCEIP]) {
char *value = end->strings[KSCF_SOURCEIP];
if (tnatoaddr(value, strlen(value), AF_INET,
&(end->sourceip)) != NULL &&
tnatoaddr(value, strlen(value), AF_INET6,
&(end->sourceip)) != NULL) {
#ifdef DNSSEC
starter_log(LOG_LEVEL_DEBUG,
"Calling unbound_resolve() for %ssourceip value",
leftright);
if (!unbound_resolve(dnsctx, value,
strlen(value), AF_INET,
&(end->sourceip)) &&
!unbound_resolve(dnsctx, value,
strlen(value), AF_INET6,
&(end->sourceip)))
ERR_FOUND("bad value for %ssourceip=%s\n",
leftright, value);
#else
er = ttoaddr(value, 0, family, &(end->sourceip));
if (er != NULL)
ERR_FOUND("bad addr %ssourceip=%s [%s]",
leftright, value, er);
#endif
} else {
er = tnatoaddr(value, 0, family, &(end->sourceip));
if (er != NULL)
ERR_FOUND("bad numerical addr %ssourceip=%s [%s]",
leftright, value, er);
}
if (!end->has_client) {
starter_log(LOG_LEVEL_INFO,
"%ssourceip= used but not %ssubnet= defined, defaulting %ssubnet to %s",
leftright, leftright, leftright, value);
er = addrtosubnet(&end->sourceip, &end->subnet);
if (er != NULL) {
ERR_FOUND("attempt to default %ssubnet from %s failed: %s",
leftright, value, er);
}
end->has_client = TRUE;
end->has_client_wildcard = FALSE;
}
}
/* copy certificate path name */
if (end->strings_set[KSCF_CERT])
end->cert = clone_str(end->strings[KSCF_CERT], "KSCF_CERT");
if (end->strings_set[KSCF_CA])
end->ca = clone_str(end->strings[KSCF_CA], "KSCF_CA");
if (end->strings_set[KSCF_UPDOWN])
end->updown = clone_str(end->strings[KSCF_UPDOWN], "KSCF_UPDOWN");
if (end->strings_set[KSCF_PROTOPORT]) {
err_t ugh;
char *value = end->strings[KSCF_PROTOPORT];
ugh = ttoprotoport(value, 0, &end->protocol, &end->port,
&end->has_port_wildcard);
if (ugh != NULL)
ERR_FOUND("bad %sprotoport=%s [%s]", leftright, value,
ugh);
}
if (end->strings_set[KSCF_ADDRESSPOOL]) {
char *addresspool = end->strings[KSCF_ADDRESSPOOL];
if (end->strings_set[KSCF_SUBNET])
ERR_FOUND("cannot specify both %ssubnet= and %saddresspool=",
leftright, leftright);
starter_log(LOG_LEVEL_DEBUG,
"connection's %saddresspool set to: %s",
leftright, end->strings[KSCF_ADDRESSPOOL] );
er = ttorange(addresspool, 0, AF_INET, &end->pool_range, TRUE);
if (er != NULL)
ERR_FOUND("bad %saddresspool=%s [%s]", leftright,
addresspool, er);
}
if (end->options_set[KNCF_XAUTHSERVER] ||
end->options_set[KNCF_XAUTHCLIENT])
conn_st->policy |= POLICY_XAUTH;
/*
KSCF_SUBNETWITHIN --- not sure what to do with it.
KSCF_ESPENCKEY --- todo (manual keying)
KSCF_ESPAUTHKEY --- todo (manual keying)
KSCF_SOURCEIP = 16,
KSCF_MAX = 19
*/
if (err)
*perr = err_str;
return err;
# undef ERR_FOUND
}
