/*
 * Log the fixed IKE header of a message and pass the payload chain that
 * follows it to ikev2_pld_payloads().
 *
 * Returns -1 when the buffered message holds fewer bytes than the header's
 * length field declares; otherwise returns whatever ikev2_pld_payloads()
 * returns.
 *
 * NOTE(review): ike_length comes from the peer.  Only its upper bound is
 * checked here; a declared length smaller than sizeof(*hdr) is passed on
 * unchanged -- confirm that ikev2_pld_payloads() copes with that.
 */
int
ikev2_pld_parse(struct iked *env, struct ike_header *hdr,
    struct iked_message *msg, off_t offset)
{
	log_debug("%s: header ispi %s rspi %s"
	    " nextpayload %s version 0x%02x exchange %s flags 0x%02x"
	    " msgid %d length %d response %d", __func__,
	    print_spi(betoh64(hdr->ike_ispi), 8),
	    print_spi(betoh64(hdr->ike_rspi), 8),
	    print_map(hdr->ike_nextpayload, ikev2_payload_map),
	    hdr->ike_version,
	    print_map(hdr->ike_exchange, ikev2_exchange_map),
	    hdr->ike_flags,
	    betoh32(hdr->ike_msgid),
	    betoh32(hdr->ike_length),
	    msg->msg_response);

	/* The declared length must not exceed what was actually received. */
	if (betoh32(hdr->ike_length) > ibuf_size(msg->msg_data)) {
		log_debug("%s: short message", __func__);
		return (-1);
	}

	/* Payloads start right behind the fixed header. */
	offset += sizeof(*hdr);

	return (ikev2_pld_payloads(env, msg, offset,
	    betoh32(hdr->ike_length), hdr->ike_nextpayload, 0));
}
/*
 * Receive handler for IKEv1 messages.  The header is logged for debugging
 * and the message is then dropped: IKEv1 is not supported.
 *
 * The size check runs before the buffer is interpreted as a header, so a
 * message no longer than the fixed header is never dereferenced.
 */
void
ikev1_recv(struct iked *env, struct iked_message *msg)
{
	struct ike_header	*hdr;

	if (!(ibuf_size(msg->msg_data) > sizeof(*hdr))) {
		log_debug("%s: short message", __func__);
		return;
	}

	hdr = (struct ike_header *)ibuf_data(msg->msg_data);

	log_debug("%s: header ispi %s rspi %s"
	    " nextpayload %u version 0x%02x exchange %u flags 0x%02x"
	    " msgid %u length %u", __func__,
	    print_spi(betoh64(hdr->ike_ispi), 8),
	    print_spi(betoh64(hdr->ike_rspi), 8),
	    hdr->ike_nextpayload,
	    hdr->ike_version,
	    hdr->ike_exchange,
	    hdr->ike_flags,
	    betoh32(hdr->ike_msgid),
	    betoh32(hdr->ike_length));

	log_debug("%s: IKEv1 not supported", __func__);
}
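/*
 * Ordering function for update prefixes.
 *
 * Prefixes are ordered by address family (aid) first, then by the
 * family-specific address in host byte order, then by prefix length.
 * VPN-IPv4 prefixes additionally compare the route distinguisher, the
 * label stack length and the label stack bytes.
 *
 * Returns a negative value, zero or a positive value when a sorts before,
 * equal to or after b.  An unknown address family is fatal.
 */
int
up_prefix_cmp(struct update_prefix *a, struct update_prefix *b)
{
	int	i;

	if (a->prefix.aid < b->prefix.aid)
		return (-1);
	if (a->prefix.aid > b->prefix.aid)
		return (1);

	switch (a->prefix.aid) {
	case AID_INET:
		if (ntohl(a->prefix.v4.s_addr) < ntohl(b->prefix.v4.s_addr))
			return (-1);
		if (ntohl(a->prefix.v4.s_addr) > ntohl(b->prefix.v4.s_addr))
			return (1);
		break;
	case AID_INET6:
		i = memcmp(&a->prefix.v6, &b->prefix.v6,
		    sizeof(struct in6_addr));
		if (i > 0)
			return (1);
		if (i < 0)
			return (-1);
		break;
	case AID_VPN_IPv4:
		if (betoh64(a->prefix.vpn4.rd) < betoh64(b->prefix.vpn4.rd))
			return (-1);
		if (betoh64(a->prefix.vpn4.rd) > betoh64(b->prefix.vpn4.rd))
			return (1);
		/*
		 * NOTE(review): this compares prefix.v4 although every other
		 * field in this case is read through prefix.vpn4 -- confirm
		 * against the address structure that these are the bytes
		 * meant to be compared.
		 */
		if (ntohl(a->prefix.v4.s_addr) < ntohl(b->prefix.v4.s_addr))
			return (-1);
		if (ntohl(a->prefix.v4.s_addr) > ntohl(b->prefix.v4.s_addr))
			return (1);
		if (a->prefixlen < b->prefixlen)
			return (-1);
		if (a->prefixlen > b->prefixlen)
			return (1);
		if (a->prefix.vpn4.labellen < b->prefix.vpn4.labellen)
			return (-1);
		if (a->prefix.vpn4.labellen > b->prefix.vpn4.labellen)
			return (1);
		/* Label lengths are equal here, so one length bounds both. */
		return (memcmp(a->prefix.vpn4.labelstack,
		    b->prefix.vpn4.labelstack, a->prefix.vpn4.labellen));
	default:
		/* The message now names this function, not pt_prefix_cmp. */
		fatalx("up_prefix_cmp: unknown af");
	}

	if (a->prefixlen < b->prefixlen)
		return (-1);
	if (a->prefixlen > b->prefixlen)
		return (1);
	return (0);
}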
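/*
 * show_sym64()
 *	show archive ranlib index (irix6)
 *
 * Reads `len' bytes of index from offset `off' of `fp' and prints one
 * "symbol in member" line per entry.  The index is laid out as a 64-bit
 * big-endian entry count, that many 64-bit big-endian member offsets,
 * and then a table of NUL-terminated symbol names.
 *
 * Everything in the index comes from the archive file, so the entry count
 * and every symbol name are checked against the bytes actually read before
 * they are used.
 *
 * Returns 0 on success and 1 on any read, allocation or format error.
 */
int
show_sym64(off_t off, u_long len, const char *name, FILE *fp)
{
	struct ar_hdr ar_head;
	uint64_t *symtab, *ps;
	uint64_t num, i;
	char *strtab, *strend, *p;
	int rval = 0;
	int namelen;

	/* The index must at least hold its own entry count. */
	if (len < sizeof(*symtab)) {
		warnx("%s: archive index too short", name);
		return 1;
	}

	if ((symtab = malloc(len)) == NULL) {
		warn("%s: malloc", name);
		return 1;
	}

	if (pread(fileno(fp), symtab, len, off) != len) {
		free(symtab);
		warn("%s: pread", name);
		return 1;
	}

	/*
	 * The count word plus `num' offset words must fit inside the
	 * buffer; otherwise the offset table and the string table pointer
	 * would lie outside the allocation.
	 */
	num = betoh64(*symtab);
	if (num > len / sizeof(*symtab) - 1) {
		warnx("%s: corrupt archive index", name);
		free(symtab);
		return 1;
	}

	namelen = sizeof(ar_head.ar_name);
	if ((p = malloc(sizeof(ar_head.ar_name))) == NULL) {
		warn("%s: malloc", name);
		free(symtab);
		return 1;
	}

	printf("\nArchive index:\n");
	strtab = (char *)(symtab + num + 1);
	strend = (char *)symtab + len;
	for (ps = symtab + 1, i = 0; i < num; i++, ps++) {
		/* Each name must be NUL-terminated inside the buffer. */
		if (strtab >= strend ||
		    memchr(strtab, '\0', (size_t)(strend - strtab)) == NULL) {
			warnx("%s: corrupt archive index", name);
			rval = 1;
			break;
		}

		/* A bad member offset fails the read or the magic check. */
		if (pread(fileno(fp), &ar_head, sizeof ar_head,
		    betoh64(*ps)) != sizeof ar_head ||
		    memcmp(ar_head.ar_fmag, ARFMAG,
		    sizeof(ar_head.ar_fmag))) {
			warnx("%s: member pread", name);
			rval = 1;
			break;
		}

		*p = '\0';
		if (mmbr_name(&ar_head, &p, 0, &namelen, fp)) {
			rval = 1;
			break;
		}

		printf("%s in %s\n", strtab, p);
		strtab += strlen(strtab) + 1;
	}

	free(p);
	free(symtab);
	return (rval);
}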
// Convert a 64-bit value from network (big-endian) to host byte order.
// The conversion routine is named betoh64() in ANDROID builds and
// be64toh() in all other builds.
UInt64 ByteOrder::ntoh64(UInt64 data)
{
#ifdef ANDROID
    return betoh64(data);
#else
    return be64toh(data);
#endif // ANDROID
}
/*
 * Minimal program that calls betoh64() once and discards the result.
 * It looks like a build-time probe for the presence of betoh64() --
 * confirm against the build scripts.
 */
int
main(int argc, char **argv)
{
	u_int64_t bigendian = 1;
	u_int64_t hostorder;

	hostorder = betoh64(bigendian);

	return 0;
}
/*
 * Run the SHA-512 compression function over the 16-word block held in
 * context->w and fold the result into the chaining value context->h.
 *
 * The block buffer is byte-swapped in place and then reused as the rolling
 * message schedule, so context->w no longer holds the raw input block
 * when this function returns.
 *
 * W(), SIGMA1..SIGMA4, CH, MAJ and the round constants k[] are defined
 * outside this block.
 */
void sha512ProcessBlock(Sha512Context *context)
{
   uint_t t;
   uint64_t temp1;
   uint64_t temp2;

   //Load the 8 working registers from the current chaining value
   uint64_t a = context->h[0];
   uint64_t b = context->h[1];
   uint64_t c = context->h[2];
   uint64_t d = context->h[3];
   uint64_t e = context->h[4];
   uint64_t f = context->h[5];
   uint64_t g = context->h[6];
   uint64_t h = context->h[7];

   //The message block is processed as 16 64-bit words
   uint64_t *w = context->w;

   //Convert the 16 input words from big-endian to host byte order, in place
   for(t = 0; t < 16; t++)
      w[t] = betoh64(w[t]);

   //SHA-512 hash computation, 80 rounds (alternate method)
   for(t = 0; t < 80; t++)
   {
      //From round 16 on, extend the message schedule before using W(t)
      if(t >= 16)
         W(t) += SIGMA4(W(t + 14)) + W(t + 9) + SIGMA3(W(t + 1));

      //Calculate T1 and T2
      temp1 = h + SIGMA2(e) + CH(e, f, g) + k[t] + W(t);
      temp2 = SIGMA1(a) + MAJ(a, b, c);

      //Rotate the working registers; the order of these assignments matters
      h = g;
      g = f;
      f = e;
      e = d + temp1;
      d = c;
      c = b;
      b = a;
      a = temp1 + temp2;
   }

   //Add the working registers back into the chaining value
   context->h[0] += a;
   context->h[1] += b;
   context->h[2] += c;
   context->h[3] += d;
   context->h[4] += e;
   context->h[5] += f;
   context->h[6] += g;
   context->h[7] += h;
}
/* * Decoding routines for GTP version 0. */ void gtp_v0_print(const u_char *cp, u_int length, u_short sport, u_short dport) { struct gtp_v0_hdr *gh = (struct gtp_v0_hdr *)cp; int len, version; u_int64_t tid; gtp_proto = GTP_V0_PROTO; /* Check if this is GTP prime. */ TCHECK(gh->flags); if ((gh->flags & GTPV0_HDR_PROTO_TYPE) == 0) { gtp_proto = GTP_V0_PRIME_PROTO; gtp_v0_print_prime(cp); return; } /* Print GTP header. */ TCHECK(*gh); cp += sizeof(struct gtp_v0_hdr); len = ntohs(gh->length); bcopy(&gh->tid, &tid, sizeof(tid)); printf(" GTPv0 (len %u, seqno %u, flow %u, N-PDU %u, tid 0x%llx) ", ntohs(gh->length), ntohs(gh->seqno), ntohs(gh->flow), ntohs(gh->npduno), betoh64(tid)); /* Decode GTP message. */ printf("%s", tok2str(gtp_v0_msgtype, "Message Type %u", gh->msgtype)); if (!vflag) return; if (gh->msgtype == GTPV0_T_PDU) { TCHECK(cp[0]); version = cp[0] >> 4; printf(" { "); if (version == 4) ip_print(cp, len); #ifdef INET6 else if (version == 6) ip6_print(cp, len); #endif else printf("Unknown IP version %u", version); printf(" }"); } else
/*
 * Print one line describing a received message: the address bytes from
 * rinfo->dri_destaddr as colon-separated hex, and, for valid messages,
 * the sequence counter (converted from big-endian) and the host string.
 *
 * For an invalid message only the address is printed and no newline is
 * written.
 *
 * NOTE(review): msg->dm_host is printed with %s; if it is filled straight
 * from the received frame, confirm the caller guarantees NUL termination
 * before this function is reached.
 */
static void
dlrecv_print(dlsend_msg_t *msg, dlpi_recvinfo_t *rinfo, boolean_t invalid)
{
	uint_t i;
	const char *what = invalid ? "invalid message" : "Elbereth";

	(void) printf("Received %s from ", what);

	for (i = 0; i < rinfo->dri_destaddrlen; i++) {
		/* Separator goes between bytes, never after the last one. */
		if (i != 0)
			(void) putchar(':');
		(void) printf("%02x", rinfo->dri_destaddr[i]);
	}

	if (!invalid) {
		(void) printf(" seq=%" PRIu64 " host=%s\n",
		    betoh64(msg->dm_count), msg->dm_host);
	}
}
/* Convert a 64-bit big-endian value to host byte order. */
uint64_t
fmbe64(uint64_t x)
{
	const uint64_t host = betoh64(x);

	return host;
}
/*
 * Run the Whirlpool compression function over the 8-word block held in
 * context->x and fold the result into the chaining value context->h.
 *
 * The block buffer is byte-swapped in place, so context->x holds
 * host-order words when this function returns.  context->k, context->l
 * and context->state are used as scratch space for the round keys, the
 * RHO output and the cipher state.
 *
 * RHO() and the round constants rc[] are defined outside this block.
 */
void whirlpoolProcessBlock(WhirlpoolContext *context)
{
   uint_t i;

   uint64_t *x = context->x;
   uint64_t *k = context->k;
   uint64_t *l = context->l;
   uint64_t *state = context->state;

   //Convert the 8 input words from big-endian to host byte order, in place
   for(i = 0; i < 8; i++)
      x[i] = betoh64(x[i]);

   //The initial round key is the current chaining value
   k[0] = context->h[0];
   k[1] = context->h[1];
   k[2] = context->h[2];
   k[3] = context->h[3];
   k[4] = context->h[4];
   k[5] = context->h[5];
   k[6] = context->h[6];
   k[7] = context->h[7];

   //The initial state is the message block XORed with the round key
   state[0] = x[0] ^ k[0];
   state[1] = x[1] ^ k[1];
   state[2] = x[2] ^ k[2];
   state[3] = x[3] ^ k[3];
   state[4] = x[4] ^ k[4];
   state[5] = x[5] ^ k[5];
   state[6] = x[6] ^ k[6];
   state[7] = x[7] ^ k[7];

   //Iterate over all 10 rounds
   for(i = 0; i < 10; i++)
   {
      //Key schedule: only the first word takes the round constant
      RHO(l[0], k, 0, rc[i]);
      RHO(l[1], k, 1, 0);
      RHO(l[2], k, 2, 0);
      RHO(l[3], k, 3, 0);
      RHO(l[4], k, 4, 0);
      RHO(l[5], k, 5, 0);
      RHO(l[6], k, 6, 0);
      RHO(l[7], k, 7, 0);

      //All 8 outputs are computed into l[] before k[] is overwritten
      k[0] = l[0];
      k[1] = l[1];
      k[2] = l[2];
      k[3] = l[3];
      k[4] = l[4];
      k[5] = l[5];
      k[6] = l[6];
      k[7] = l[7];

      //Apply the round function to the state using the new round key
      RHO(l[0], state, 0, k[0]);
      RHO(l[1], state, 1, k[1]);
      RHO(l[2], state, 2, k[2]);
      RHO(l[3], state, 3, k[3]);
      RHO(l[4], state, 4, k[4]);
      RHO(l[5], state, 5, k[5]);
      RHO(l[6], state, 6, k[6]);
      RHO(l[7], state, 7, k[7]);

      //Again, copy back only after all 8 outputs have been computed
      state[0] = l[0];
      state[1] = l[1];
      state[2] = l[2];
      state[3] = l[3];
      state[4] = l[4];
      state[5] = l[5];
      state[6] = l[6];
      state[7] = l[7];
   }

   //Update the hash value: XOR in the final state and the message block
   context->h[0] ^= state[0] ^ x[0];
   context->h[1] ^= state[1] ^ x[1];
   context->h[2] ^= state[2] ^ x[2];
   context->h[3] ^= state[3] ^ x[3];
   context->h[4] ^= state[4] ^ x[4];
   context->h[5] ^= state[5] ^ x[5];
   context->h[6] ^= state[6] ^ x[6];
   context->h[7] ^= state[7] ^ x[7];
}
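/*
 * Parse a Notify payload located at `offset' in msg->msg_data.
 *
 * The notification header and its data are logged.  For messages that
 * came from the peer, the notification types handled below also update
 * SA, policy or rekey state.
 *
 * All lengths and sizes in the payload are peer-controlled.  The payload
 * length is checked against the fixed header sizes before the data length
 * is derived from it, and the data range is obtained through ibuf_seek(),
 * whose NULL return is treated as a malformed message.
 *
 * Returns 0 on success and -1 on a malformed or unacceptable payload.
 *
 * NOTE(review): msg->msg_policy (INVALID_KE_PAYLOAD) and msg->msg_parent
 * (REKEY_SA) are dereferenced without a check -- confirm the caller
 * guarantees both for messages from the peer.
 */
int
ikev2_pld_notify(struct iked *env, struct ikev2_payload *pld,
    struct iked_message *msg, off_t offset)
{
	struct ikev2_notify	*n;
	u_int8_t		*buf, md[SHA_DIGEST_LENGTH];
	size_t			 len;
	u_int32_t		 spi32;
	u_int64_t		 spi64;
	struct iked_spi		*rekey;
	u_int16_t		 type;
	u_int16_t		 group;

	if ((n = ibuf_seek(msg->msg_data, offset, sizeof(*n))) == NULL)
		return (-1);
	type = betoh16(n->n_type);

	log_debug("%s: protoid %s spisize %d type %s",
	    __func__,
	    print_map(n->n_protoid, ikev2_saproto_map), n->n_spisize,
	    print_map(type, ikev2_n_map));

	/*
	 * A payload length smaller than the two fixed headers would make
	 * the unsigned subtraction below wrap to a huge value.
	 */
	if (betoh16(pld->pld_length) < sizeof(*pld) + sizeof(*n)) {
		log_debug("%s: malformed notification", __func__);
		return (-1);
	}
	len = betoh16(pld->pld_length) - sizeof(*pld) - sizeof(*n);
	if ((buf = ibuf_seek(msg->msg_data, offset + sizeof(*n), len)) == NULL)
		return (-1);

	print_hex(buf, 0, len);

	/* Only notifications received from the peer change local state. */
	if (!ikev2_msg_frompeer(msg))
		return (0);

	switch (type) {
	case IKEV2_N_NAT_DETECTION_SOURCE_IP:
	case IKEV2_N_NAT_DETECTION_DESTINATION_IP:
		if (ikev2_nat_detection(env, msg, md, sizeof(md), type) == -1)
			return (-1);
		if (len != sizeof(md) || memcmp(buf, md, len) != 0) {
			log_debug("%s: %s detected NAT, enabling "
			    "UDP encapsulation", __func__,
			    print_map(type, ikev2_n_map));

			/*
			 * Enable UDP encapsulation of ESP packages if
			 * the check detected NAT.
			 */
			if (msg->msg_sa != NULL)
				msg->msg_sa->sa_udpencap = 1;
		}
		print_hex(md, 0, sizeof(md));
		break;
	case IKEV2_N_INVALID_KE_PAYLOAD:
		if (len != sizeof(group)) {
			log_debug("%s: malformed notification", __func__);
			return (-1);
		}
		/*
		 * The NAT detection case above allows for a message
		 * without an SA, so do not dereference it blindly here.
		 */
		if (msg->msg_sa == NULL) {
			log_debug("%s: not an initiator", __func__);
			return (-1);
		}
		if (!msg->msg_sa->sa_hdr.sh_initiator) {
			log_debug("%s: not an initiator", __func__);
			sa_free(env, msg->msg_sa);
			msg->msg_sa = NULL;
			return (-1);
		}
		memcpy(&group, buf, len);
		group = betoh16(group);
		if ((msg->msg_policy->pol_peerdh = group_get(group))
		    == NULL) {
			log_debug("%s: unable to select DH group %d", __func__,
			    group);
			return (-1);
		}
		log_debug("%s: responder selected DH group %d", __func__,
		    group);
		/* Drop the half-open SA and restart with the new group. */
		sa_free(env, msg->msg_sa);
		msg->msg_sa = NULL;
		timer_initialize(env, &env->sc_inittmr, ikev2_init_ike_sa,
		    NULL);
		timer_register(env, &env->sc_inittmr, IKED_INITIATOR_INITIAL);
		break;
	case IKEV2_N_NO_ADDITIONAL_SAS:
		/* This makes sense for Child SAs only atm */
		if (msg->msg_sa != NULL &&
		    (msg->msg_sa->sa_stateflags & IKED_REQ_CHILDSA)) {
			ikev2_disable_rekeying(env, msg->msg_sa);
			msg->msg_sa->sa_stateflags &= ~IKED_REQ_CHILDSA;
		}
		break;
	case IKEV2_N_REKEY_SA:
		/* The data must be exactly one SPI of the announced size. */
		if (len != n->n_spisize) {
			log_debug("%s: malformed notification", __func__);
			return (-1);
		}
		rekey = &msg->msg_parent->msg_rekey;
		if (rekey->spi != 0) {
			log_debug("%s: rekeying of multiple SAs not supported",
			    __func__);
			return (-1);
		}
		/* memcpy: the SPI may be unaligned inside the message. */
		switch (n->n_spisize) {
		case 4:
			memcpy(&spi32, buf, len);
			rekey->spi = betoh32(spi32);
			break;
		case 8:
			memcpy(&spi64, buf, len);
			rekey->spi = betoh64(spi64);
			break;
		default:
			log_debug("%s: invalid spi size %d", __func__,
			    n->n_spisize);
			return (-1);
		}
		rekey->spi_size = n->n_spisize;
		rekey->spi_protoid = n->n_protoid;

		log_debug("%s: rekey %s spi %s", __func__,
		    print_map(n->n_protoid, ikev2_saproto_map),
		    print_spi(rekey->spi, n->n_spisize));
		break;
	}

	return (0);
}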
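/*
 * Parse a Delete payload located at `offset' in msg->msg_data.
 *
 * For a payload received from the peer, each listed Child SA is looked up
 * and deleted, and an INFORMATIONAL response carrying the local SPIs of
 * the SAs that were actually deleted is sent.  A Delete for the IKE SA
 * itself (no 4- or 8-byte SPIs) is answered with an empty INFORMATIONAL
 * response and the SA is moved to the closed state.
 *
 * The SPI count, SPI size and payload length are peer-controlled: the
 * payload length is checked against the fixed header sizes, the SPI array
 * is confirmed to lie inside the message before it is read, and the count
 * must match the array length.
 *
 * Returns 0 on success and -1 on error.
 */
int
ikev2_pld_delete(struct iked *env, struct ikev2_payload *pld,
    struct iked_message *msg, off_t offset)
{
	struct iked_childsa	**peersas = NULL;
	struct iked_sa		*sa = msg->msg_sa;
	struct ikev2_delete	*del, *localdel;
	struct ibuf		*resp = NULL;
	u_int64_t		*localspi = NULL;
	u_int64_t		 spi64, spi = 0, lspi;
	u_int32_t		 spi32;
	u_int8_t		*buf, *msgbuf = ibuf_data(msg->msg_data);
	size_t			 found = 0, failed = 0, j;
	int			 cnt, i, len, sz, ret = -1;

	/* Skip if it's a reply and we don't have to deal with it */
	if (ikev2_msg_frompeer(msg) && sa &&
	    (sa->sa_stateflags & IKED_REQ_INF)) {
		sa->sa_stateflags &= ~IKED_REQ_INF;
		if ((sa->sa_stateflags & IKED_REQ_DELETE) == 0)
			return (0);
	}

	if ((del = ibuf_seek(msg->msg_data, offset, sizeof(*del))) == NULL)
		return (-1);
	cnt = betoh16(del->del_nspi);
	sz = del->del_spisize;

	log_debug("%s: proto %s spisize %d nspi %d",
	    __func__, print_map(del->del_protoid, ikev2_saproto_map),
	    sz, cnt);

	/*
	 * A payload length smaller than the two fixed headers would make
	 * the subtraction below wrap; reject it first.
	 */
	if (betoh16(pld->pld_length) < sizeof(*pld) + sizeof(*del)) {
		log_debug("%s: invalid payload length %d/%d != %d", __func__,
		    0, sz, cnt);
		return (-1);
	}
	len = betoh16(pld->pld_length) - sizeof(*pld) - sizeof(*del);

	/*
	 * Make sure the whole SPI array lies inside the received message
	 * before anything reads from it.  ibuf_seek() is relied on, as for
	 * the header above, to return NULL for a range outside the buffer.
	 */
	buf = msgbuf + offset + sizeof(*del);
	if (len > 0 &&
	    ibuf_seek(msg->msg_data, offset + sizeof(*del), len) == NULL) {
		log_debug("%s: invalid payload length %d/%d != %d", __func__,
		    len, sz, cnt);
		return (-1);
	}

	print_hex(buf, 0, len);

	switch (sz) {
	case 4:
	case 8:
		break;
	default:
		/* Without an SA there is nothing to answer or close. */
		if (ikev2_msg_frompeer(msg) && sa != NULL &&
		    del->del_protoid == IKEV2_SAPROTO_IKE) {
			/* Send an empty informational response */
			if ((resp = ibuf_static()) == NULL)
				goto done;
			ret = ikev2_send_ike_e(env, sa, resp,
			    IKEV2_PAYLOAD_NONE,
			    IKEV2_EXCHANGE_INFORMATIONAL, 1);
			ibuf_release(resp);
			sa_state(env, sa, IKEV2_STATE_CLOSED);
			return (ret);
		}
		log_debug("%s: invalid SPI size", __func__);
		return (-1);
	}

	/* cnt * sz <= len from here on, so the loop stays inside buf. */
	if ((len / sz) != cnt) {
		log_debug("%s: invalid payload length %d/%d != %d",
		    __func__, len, sz, cnt);
		return (-1);
	}

	if (ikev2_msg_frompeer(msg) &&
	    ((peersas = calloc(cnt, sizeof(struct iked_childsa *))) == NULL ||
	    (localspi = calloc(cnt, sizeof(u_int64_t))) == NULL)) {
		log_warn("%s", __func__);
		goto done;
	}

	for (i = 0; i < cnt; i++) {
		/* memcpy: SPIs may be unaligned inside the message. */
		switch (sz) {
		case 4:
			memcpy(&spi32, buf + (i * sz), sizeof(spi32));
			spi = betoh32(spi32);
			break;
		case 8:
			memcpy(&spi64, buf + (i * sz), sizeof(spi64));
			spi = betoh64(spi64);
			break;
		}

		log_debug("%s: spi %s", __func__, print_spi(spi, sz));

		if (peersas == NULL || sa == NULL)
			continue;

		if ((peersas[i] = childsa_lookup(sa, spi,
		    del->del_protoid)) == NULL) {
			log_warnx("%s: CHILD SA doesn't exist for spi %s",
			    __func__, print_spi(spi, del->del_spisize));
			goto done;
		}

		/*
		 * Store local SPIs densely, successes only, so that the
		 * response below lists exactly `found' SPIs.
		 */
		lspi = 0;
		if (ikev2_childsa_delete(env, sa, del->del_protoid, spi,
		    &lspi, 0) == -1)
			failed++;
		else
			localspi[found++] = lspi;

		/*
		 * Flows are left in the require mode so that it would be
		 * possible to quickly negotiate a new Child SA
		 */
	}

	/* Parsed outgoing message? */
	if (!ikev2_msg_frompeer(msg))
		goto done;

	if (sa && (sa->sa_stateflags & IKED_REQ_DELETE)) {
		/* Finish rekeying */
		sa->sa_stateflags &= ~IKED_REQ_DELETE;
		ret = 0;
		goto done;
	}

	/* Response to the INFORMATIONAL with Delete payload */

	if ((resp = ibuf_static()) == NULL)
		goto done;

	if (found) {
		if ((localdel = ibuf_advance(resp, sizeof(*localdel))) == NULL)
			goto done;

		localdel->del_protoid = del->del_protoid;
		localdel->del_spisize = del->del_spisize;
		localdel->del_nspi = htobe16(found);

		/* Emit as many SPIs as del_nspi announces. */
		for (j = 0; j < found; j++) {
			switch (sz) {
			case 4:
				spi32 = htobe32(localspi[j]);
				if (ibuf_add(resp, &spi32, sizeof(spi32)) != 0)
					goto done;
				break;
			case 8:
				spi64 = htobe64(localspi[j]);
				if (ibuf_add(resp, &spi64, sizeof(spi64)) != 0)
					goto done;
				break;
			}
		}

		/* found is a size_t, so print it with %zu. */
		log_warnx("%s: deleted %zu spis", __func__, found);
	}

	if (found) {
		ret = ikev2_send_ike_e(env, sa, resp, IKEV2_PAYLOAD_DELETE,
		    IKEV2_EXCHANGE_INFORMATIONAL, 1);
	} else {
		/* XXX should we send an INVALID_SPI notification? */
		ret = 0;
	}

 done:
	free(localspi);
	free(peersas);
	ibuf_release(resp);
	return (ret);
}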
/**
 * Returns the property's data as a 64-bit integer.
 *
 * The first eight bytes of self->data are read as a big-endian value and
 * converted to host byte order.
 *
 * NOTE(review): the data pointer is dereferenced as an int64_t directly;
 * confirm that self->data is always at least 8 bytes long and suitably
 * aligned for a 64-bit load.
 */
int64_t Fabric_Property_get_integer_value(Property *self) {
    int64_t *stored = (int64_t*)self->data;

    return betoh64(*stored);
}
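/*
 * Parse the SA payload at `offset' in msg->msg_data: read the proposal
 * header and its optional SPI, record the proposal for messages that came
 * from the peer, and pass the attached transforms to ikev2_pld_xform().
 *
 * The proposal header and the SPI are fetched through ibuf_seek() so that
 * an offset or SPI size pointing past the end of the received message is
 * rejected instead of being read.  ibuf_seek() is relied on to return
 * NULL for a range outside the buffer.
 *
 * Returns 0 on success and -1 on a malformed or unsupported proposal.
 */
int
ikev2_pld_sa(struct iked *env, struct ikev2_payload *pld,
    struct iked_message *msg, off_t offset)
{
	struct ikev2_sa_proposal	 sap;
	struct iked_proposal		*prop = NULL;
	u_int32_t			 spi32;
	u_int64_t			 spi = 0, spi64;
	u_int8_t			*ptr;
	struct iked_proposals		*props;

	props = &msg->msg_parent->msg_proposals;

	/* The fixed proposal header must lie inside the message. */
	if ((ptr = ibuf_seek(msg->msg_data, offset, sizeof(sap))) == NULL) {
		log_debug("%s: invalid proposal", __func__);
		return (-1);
	}
	memcpy(&sap, ptr, sizeof(sap));
	offset += sizeof(sap);

	if (sap.sap_spisize) {
		/* The SPI size is peer-controlled: accept 4 or 8 only. */
		switch (sap.sap_spisize) {
		case 4:
		case 8:
			break;
		default:
			log_debug("%s: unsupported SPI size %d",
			    __func__, sap.sap_spisize);
			return (-1);
		}

		/* The SPI itself must lie inside the message as well. */
		if ((ptr = ibuf_seek(msg->msg_data, offset,
		    sap.sap_spisize)) == NULL) {
			log_debug("%s: invalid proposal", __func__);
			return (-1);
		}

		/* memcpy: the SPI may be unaligned inside the message. */
		if (sap.sap_spisize == 4) {
			memcpy(&spi32, ptr, 4);
			spi = betoh32(spi32);
		} else {
			memcpy(&spi64, ptr, 8);
			spi = betoh64(spi64);
		}

		offset += sap.sap_spisize;
	}

	log_debug("%s: more %d reserved %d length %d"
	    " proposal #%d protoid %s spisize %d xforms %d spi %s",
	    __func__, sap.sap_more, sap.sap_reserved,
	    betoh16(sap.sap_length), sap.sap_proposalnr,
	    print_map(sap.sap_protoid, ikev2_saproto_map), sap.sap_spisize,
	    sap.sap_transforms, print_spi(spi, sap.sap_spisize));

	/* Only proposals received from the peer are recorded. */
	if (ikev2_msg_frompeer(msg)) {
		if ((msg->msg_parent->msg_prop = config_add_proposal(props,
		    sap.sap_proposalnr, sap.sap_protoid)) == NULL) {
			log_debug("%s: invalid proposal", __func__);
			return (-1);
		}
		prop = msg->msg_parent->msg_prop;
		prop->prop_peerspi.spi = spi;
		prop->prop_peerspi.spi_protoid = sap.sap_protoid;
		prop->prop_peerspi.spi_size = sap.sap_spisize;

		prop->prop_localspi.spi_protoid = sap.sap_protoid;
		prop->prop_localspi.spi_size = sap.sap_spisize;
	}

	/*
	 * Parse the attached transforms
	 */
	if (sap.sap_transforms &&
	    ikev2_pld_xform(env, &sap, msg, offset) != 0) {
		log_debug("%s: invalid proposal transforms", __func__);
		return (-1);
	}

	return (0);
}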
/*
 * Print one pfsync state entry to stdout: interface, protocol, the two
 * endpoints with any translated address in parentheses, the direction
 * arrow and the per-protocol state names.  PF_OPT_VERBOSE adds sequence
 * data, age, expiry, counters and rule information; PF_OPT_VERBOSE2 adds
 * the state id and creator id.
 *
 * Multi-byte fields of the state are in network byte order and are
 * converted before printing.  Every index into a state-name table is
 * range-checked first; out-of-range values are printed numerically.
 *
 * For ICMP and ICMPv6 states one port of the selected key inside *s is
 * overwritten, so the caller's state is modified.
 */
void
print_state(struct pfsync_state *s, int opts)
{
	struct pfsync_state_peer *src, *dst;
	struct pfsync_state_key *sk, *nk;
	struct protoent *p;
	int min, sec;
	int afto = (s->key[PF_SK_STACK].af != s->key[PF_SK_WIRE].af);
	int idx;
	const int outbound = (s->direction == PF_OUT);
	const int icmp = (s->proto == IPPROTO_ICMP ||
	    s->proto == IPPROTO_ICMPV6);

	/* Pick peers and keys according to the direction of the state. */
	src = outbound ? &s->src : &s->dst;
	dst = outbound ? &s->dst : &s->src;
	sk = &s->key[outbound ? PF_SK_STACK : PF_SK_WIRE];
	nk = &s->key[outbound ? PF_SK_WIRE : PF_SK_STACK];
	if (icmp) {
		idx = outbound ? 0 : 1;
		sk->port[idx] = nk->port[idx];
	}

	printf("%s ", s->ifname);
	p = getprotobynumber(s->proto);
	if (p == NULL)
		printf("%u ", s->proto);
	else
		printf("%s ", p->p_name);

	print_host(&nk->addr[1], nk->port[1], nk->af, nk->rdomain, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[1], &sk->addr[1], nk->af) ||
	    nk->port[1] != sk->port[1] ||
	    nk->rdomain != sk->rdomain) {
		idx = afto ? 0 : 1;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    sk->rdomain, opts);
		printf(")");
	}

	if (outbound || (afto && s->direction == PF_IN))
		printf(" -> ");
	else
		printf(" <- ");

	print_host(&nk->addr[0], nk->port[0], nk->af, nk->rdomain, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[0], &sk->addr[0], nk->af) ||
	    nk->port[0] != sk->port[0] ||
	    nk->rdomain != sk->rdomain) {
		idx = afto ? 1 : 0;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    sk->rdomain, opts);
		printf(")");
	}

	printf(" ");
	if (s->proto == IPPROTO_TCP) {
		/* tcpstates[] is only indexed after the range check. */
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf(" %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf(" PROXY:SRC\n");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf(" PROXY:DST\n");
		else
			printf(" <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			printf(" ");
			print_seq(src);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf(" ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else if (!icmp && src->state < PFOTHERS_NSTATES &&
	    dst->state < PFOTHERS_NSTATES) {
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else {
		printf(" %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		u_int64_t packets[2];
		u_int64_t bytes[2];
		u_int32_t creation = ntohl(s->creation);
		u_int32_t expire = ntohl(s->expire);

		/* Split the second counts into hours:minutes:seconds. */
		sec = creation % 60;
		creation /= 60;
		min = creation % 60;
		creation /= 60;
		printf(" age %.2u:%.2u:%.2u", creation, min, sec);
		sec = expire % 60;
		expire /= 60;
		min = expire % 60;
		expire /= 60;
		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);

		/* Copy the counters out before converting them. */
		bcopy(s->packets[0], &packets[0], sizeof(u_int64_t));
		bcopy(s->packets[1], &packets[1], sizeof(u_int64_t));
		bcopy(s->bytes[0], &bytes[0], sizeof(u_int64_t));
		bcopy(s->bytes[1], &bytes[1], sizeof(u_int64_t));
		printf(", %llu:%llu pkts, %llu:%llu bytes",
		    betoh64(packets[0]),
		    betoh64(packets[1]),
		    betoh64(bytes[0]),
		    betoh64(bytes[1]));
		if (ntohl(s->anchor) != -1)
			printf(", anchor %u", ntohl(s->anchor));
		if (ntohl(s->rule) != -1)
			printf(", rule %u", ntohl(s->rule));
		if (s->state_flags & PFSTATE_SLOPPY)
			printf(", sloppy");
		if (s->state_flags & PFSTATE_PFLOW)
			printf(", pflow");
		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
			printf(", source-track");
		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
			printf(", sticky-address");
		printf("\n");
	}
	if (opts & PF_OPT_VERBOSE2) {
		u_int64_t id;

		bcopy(&s->id, &id, sizeof(u_int64_t));
		printf(" id: %016llx creatorid: %08x",
		    betoh64(id), ntohl(s->creatorid));
		printf("\n");
	}
}
/*
 * Print one pfsync state entry to stdout: interface, protocol, the two
 * endpoints with any translated address in parentheses, the direction
 * arrow and the per-protocol state names.  PF_OPT_VERBOSE adds sequence
 * data, age, expiry, counters and rule information; PF_OPT_VERBOSE2 adds
 * the state id and creator id.  No trailing newline is written.
 *
 * Multi-byte fields of the state are in network byte order and are
 * converted before printing.  Every index into a state-name table is
 * range-checked first; out-of-range values are printed numerically.
 *
 * For ICMP and ICMPv6 states one port of the selected key inside *s is
 * overwritten, so the caller's state is modified.
 */
void
print_state(struct pfsync_state *s, int opts)
{
	struct pfsync_state_peer *src, *dst;
	struct pfsync_state_key *sk, *nk;
	int min, sec, sidx, didx;
	const int outbound = (s->direction == PF_OUT);

	/* Pick peers and keys according to the direction of the state. */
	src = outbound ? &s->src : &s->dst;
	dst = outbound ? &s->dst : &s->src;
	sk = &s->key[outbound ? PF_SK_STACK : PF_SK_WIRE];
	nk = &s->key[outbound ? PF_SK_WIRE : PF_SK_STACK];
	if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6) {
		const int pidx = outbound ? 0 : 1;

		sk->port[pidx] = nk->port[pidx];
	}

	printf("%s ", s->ifname);
	printf("%s ", ipproto_string(s->proto));

	/* The endpoint order is swapped when the key families differ. */
	sidx = (nk->af != sk->af) ? 1 : 0;
	didx = 1 - sidx;

	print_host(&nk->addr[didx], nk->port[didx], nk->af, nk->rdomain,
	    NULL, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[1], &sk->addr[1], nk->af) ||
	    nk->port[1] != sk->port[1]) {
		printf(" (");
		print_host(&sk->addr[1], sk->port[1], sk->af, sk->rdomain,
		    NULL, opts);
		printf(")");
	}

	if (outbound)
		printf(" -> ");
	else
		printf(" <- ");

	print_host(&nk->addr[sidx], nk->port[sidx], nk->af, nk->rdomain,
	    NULL, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[0], &sk->addr[0], nk->af) ||
	    nk->port[0] != sk->port[0]) {
		printf(" (");
		print_host(&sk->addr[0], sk->port[0], sk->af, sk->rdomain,
		    NULL, opts);
		printf(")");
	}

	printf(" ");
	if (s->proto == IPPROTO_TCP) {
		/* tcpstates[] is only indexed after the range check. */
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf("\n %s:%s", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf("\n PROXY:SRC");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf("\n PROXY:DST");
		else
			printf("\n <BAD STATE LEVELS %u:%u>",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			printf("\n ");
			print_seq(src);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf(" ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
		}
	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf(" %s:%s", states[src->state], states[dst->state]);
	} else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
	    dst->state < PFOTHERS_NSTATES) {
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf(" %s:%s", states[src->state], states[dst->state]);
	} else {
		printf(" %u:%u", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		u_int64_t packets[2];
		u_int64_t bytes[2];
		u_int32_t creation = ntohl(s->creation);
		u_int32_t expire = ntohl(s->expire);

		/* Split the second counts into hours:minutes:seconds. */
		sec = creation % 60;
		creation /= 60;
		min = creation % 60;
		creation /= 60;
		printf("\n age %.2u:%.2u:%.2u", creation, min, sec);
		sec = expire % 60;
		expire /= 60;
		min = expire % 60;
		expire /= 60;
		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);

		/* Copy the counters out before converting them. */
		bcopy(s->packets[0], &packets[0], sizeof(u_int64_t));
		bcopy(s->packets[1], &packets[1], sizeof(u_int64_t));
		bcopy(s->bytes[0], &bytes[0], sizeof(u_int64_t));
		bcopy(s->bytes[1], &bytes[1], sizeof(u_int64_t));
		printf(", %llu:%llu pkts, %llu:%llu bytes",
		    betoh64(packets[0]),
		    betoh64(packets[1]),
		    betoh64(bytes[0]),
		    betoh64(bytes[1]));
		if (s->anchor != -1)
			printf(", anchor %u", ntohl(s->anchor));
		if (s->rule != -1)
			printf(", rule %u", ntohl(s->rule));
	}
	if (opts & PF_OPT_VERBOSE2) {
		u_int64_t id;

		bcopy(&s->id, &id, sizeof(u_int64_t));
		printf("\n id: %016llx creatorid: %08x",
		    betoh64(id), ntohl(s->creatorid));
	}
}
/*
 * Scan through all entries in the index file `idx' and prune those
 * entries in `ofile'.
 * Pruning consists of removing from `db', then invalidating the entry
 * in `idx' (zeroing its value size).
 *
 * Record numbers of entries that are deleted (already zero-sized or
 * pruned here) are pushed onto recs->stack; recs->last ends up one past
 * the last record number seen.
 *
 * Both databases are read from disk and are treated as untrusted: any
 * I/O error, or a record that fails the shape checks below, terminates
 * the program with MANDOCLEVEL_SYSERR.
 */
static void
index_prune(const struct of *ofile, struct mdb *mdb, struct recs *recs, const char *basedir)
{
	const struct of	*of;
	const char	*fn;
	uint64_t	 vbuf[2];
	unsigned	 seq, sseq;
	DBT		 key, val;
	int		 ch;

	recs->cur = 0;
	seq = R_FIRST;
	while (0 == (ch = (*mdb->idx->seq)(mdb->idx, &key, &val, seq))) {
		seq = R_NEXT;
		/*
		 * NOTE(review): this assert is the only check that key.size
		 * matches the destination before the memcpy below; if
		 * asserts are compiled out, an odd-sized key in a corrupt
		 * index would be copied unchecked -- confirm.
		 */
		assert(sizeof(recno_t) == key.size);
		memcpy(&recs->last, key.data, key.size);

		/* Deleted records are zero-sized.  Skip them. */

		if (0 == val.size)
			goto cont;

		/*
		 * Make sure we're sane.
		 * Read past our mdoc/man/cat type to the next string,
		 * then make sure it's bounded by a NUL.
		 * Failing any of these, we go into our error handler.
		 * (Leaving the loop with ch == 0 is reported below as a
		 * corrupt index.)
		 */

		fn = (char *)val.data + 1;
		if (NULL == memchr(fn, '\0', val.size - 1))
			break;

		/*
		 * Search for the file in those we care about.
		 * XXX: build this into a tree.  Too slow.
		 */

		for (of = ofile->first; of; of = of->next)
			if (0 == strcmp(fn, of->fname))
				break;

		/* Not one of ours: keep the entry, record nothing. */
		if (NULL == of)
			continue;

		/*
		 * Search through the keyword database, throwing out all
		 * references to our file.
		 * Note that this inner scan reuses `key' and `val', so both
		 * hold keyword-database data once it finishes.
		 */

		sseq = R_FIRST;
		while (0 == (ch = (*mdb->db->seq)(mdb->db, &key, &val, sseq))) {
			sseq = R_NEXT;
			/* A value of the wrong size means corruption. */
			if (sizeof(vbuf) != val.size)
				break;

			/* Copy out: val.data may not be aligned for uint64_t. */
			memcpy(vbuf, val.data, val.size);
			/* The second word is the big-endian record number. */
			if (recs->last != betoh64(vbuf[1]))
				continue;

			if ((ch = (*mdb->db->del)(mdb->db, &key, R_CURSOR)) < 0)
				break;
		}

		/* ch == 1 is the only clean end of the scan. */
		if (ch < 0) {
			perror(mdb->dbn);
			exit((int)MANDOCLEVEL_SYSERR);
		} else if (1 != ch) {
			fprintf(stderr, "%s: corrupt database\n", mdb->dbn);
			exit((int)MANDOCLEVEL_SYSERR);
		}

		/*
		 * NOTE(review): fn still points into the value returned by
		 * the index scan, and the keyword database has been read
		 * and modified since -- confirm the storage is still valid
		 * here.
		 */
		if (verb)
			printf("%s: Deleting from index: %s\n", basedir, fn);

		/* Invalidate the index entry by zeroing its value size. */
		val.size = 0;
		ch = (*mdb->idx->put)(mdb->idx, &key, &val, R_CURSOR);

		if (ch < 0)
			break;
cont:
		/* Grow the stack of record numbers in MANDOC_SLOP steps. */
		if (recs->cur >= recs->size) {
			recs->size += MANDOC_SLOP;
			recs->stack = mandoc_realloc(recs->stack, recs->size * sizeof(recno_t));
		}

		recs->stack[(int)recs->cur] = recs->last;
		recs->cur++;
	}

	/* As above: ch == 1 is the only clean end of the scan. */
	if (ch < 0) {
		perror(mdb->idxn);
		exit((int)MANDOCLEVEL_SYSERR);
	} else if (1 != ch) {
		fprintf(stderr, "%s: corrupt index\n", mdb->idxn);
		exit((int)MANDOCLEVEL_SYSERR);
	}

	recs->last++;
}
/**
 * Gets the id of a property's text object.
 *
 * This should only be called on a property with a type
 * of FABRIC_PROPTYPE_LONGTEXT. Short text is handled
 * differently. Long text is any text with size
 * greater than 8 bytes (not including the null terminator).
 *
 * The first eight bytes of self->data are read as a big-endian value and
 * converted to host byte order. The property type is not checked here.
 *
 * NOTE(review): the data pointer is dereferenced as a uint64_t directly;
 * confirm that self->data is always at least 8 bytes long and suitably
 * aligned for a 64-bit load.
 */
textid_t Fabric_Property_get_text_value_id(Property *self) {
    uint64_t *stored = (uint64_t*)self->data;

    return (textid_t) betoh64(*stored);
}
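/**
 * Returns the property's data as a 64-bit floating point number.
 *
 * The first eight bytes of self->data are read as a big-endian value,
 * converted to host byte order and reinterpreted as a float64_t.
 *
 * The reinterpretation goes through a union rather than a pointer cast:
 * reading a uint64_t object through a float64_t pointer violates the
 * aliasing rules and may be miscompiled.
 *
 * NOTE(review): the data pointer is still dereferenced as a uint64_t
 * directly; confirm that self->data is always at least 8 bytes long and
 * suitably aligned for a 64-bit load.
 */
float64_t Fabric_Property_get_real_value(Property *self) {
    union {
        uint64_t bits;
        float64_t real;
    } pun;

    pun.bits = betoh64(*((uint64_t*)self->data));
    return pun.real;
}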
/*
 * Decide whether a received message may be processed for its IKE SA.
 *
 * Returns 0 when the message has both an SA and a policy, with one
 * restriction: on an SA in the closing state only an INFORMATIONAL
 * request from the initiator is accepted.  Returns -1 in every other
 * case.
 *
 * The code that would answer an unknown SA with an INVALID_IKE_SPI
 * notification is compiled out; unknown SAs are dropped silently.
 */
int
ikev2_msg_valid_ike_sa(struct iked *env, struct ike_header *oldhdr,
    struct iked_message *msg)
{
#if 0
	/* XXX Disabled, see comment below */
	struct iked_message		 resp;
	struct ike_header		*hdr;
	struct ikev2_payload		*pld;
	struct ikev2_notify		*n;
	struct ibuf			*buf;
	struct iked_sa			 sa;
#endif

	if (msg->msg_sa != NULL && msg->msg_policy != NULL) {
		if (msg->msg_sa->sa_state != IKEV2_STATE_CLOSING)
			return (0);

		/*
		 * Only permit informational requests from initiator
		 * on closing SAs (for DELETE).
		 */
		if (((oldhdr->ike_flags &
		    (IKEV2_FLAG_INITIATOR|IKEV2_FLAG_RESPONSE)) ==
		    IKEV2_FLAG_INITIATOR) &&
		    (oldhdr->ike_exchange == IKEV2_EXCHANGE_INFORMATIONAL))
			return (0);
		return (-1);
	}

#if 0
	/*
	 * XXX Sending INVALID_IKE_SPIs notifications is disabled
	 * XXX because it is not mandatory and ignored by most
	 * XXX implementations.  We might want to enable it in
	 * XXX combination with a rate-limitation to avoid DoS situations.
	 */

	/* Fail without error message */
	if (msg->msg_response || msg->msg_policy == NULL)
		return (-1);

	/* Invalid IKE SA, return notification */
	if ((buf = ikev2_msg_init(env, &resp,
	    &msg->msg_peer, msg->msg_peerlen,
	    &msg->msg_local, msg->msg_locallen, 1)) == NULL)
		goto done;

	resp.msg_fd = msg->msg_fd;

	bzero(&sa, sizeof(sa));
	if ((oldhdr->ike_flags & IKEV2_FLAG_INITIATOR) == 0)
		sa.sa_hdr.sh_initiator = 1;
	sa.sa_hdr.sh_ispi = betoh64(oldhdr->ike_ispi);
	sa.sa_hdr.sh_rspi = betoh64(oldhdr->ike_rspi);

	resp.msg_msgid = betoh32(oldhdr->ike_msgid);

	/* IKE header */
	if ((hdr = ikev2_add_header(buf, &sa, resp.msg_msgid,
	    IKEV2_PAYLOAD_NOTIFY, IKEV2_EXCHANGE_INFORMATIONAL,
	    IKEV2_FLAG_RESPONSE)) == NULL)
		goto done;

	/* SA payload */
	if ((pld = ikev2_add_payload(buf)) == NULL)
		goto done;
	if ((n = ibuf_advance(buf, sizeof(*n))) == NULL)
		goto done;
	n->n_protoid = IKEV2_SAPROTO_IKE;
	n->n_spisize = 0;
	n->n_type = htobe16(IKEV2_N_INVALID_IKE_SPI);

	if (ikev2_next_payload(pld, sizeof(*n), IKEV2_PAYLOAD_NONE) == -1)
		goto done;

	if (ikev2_set_header(hdr, ibuf_size(buf) - sizeof(*hdr)) == -1)
		goto done;

	(void)ikev2_pld_parse(env, hdr, &resp, 0);
	(void)ikev2_msg_send(env, &resp);

 done:
	ikev2_msg_cleanup(env, &resp);
#endif

	/* Always fail */
	return (-1);
}
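/*
 * NB: This function parses both the SA header and the first proposal.
 * Additional proposals are ignored.
 *
 * `offset' is the position of the SA payload data in msg->msg_data and
 * `left' the number of bytes that remain for it.  The proposal header is
 * validated and copied into `sap' by ikev2_validate_sa(); the optional
 * SPI is then checked against both the remaining payload and the
 * proposal length before it is read.
 *
 * Returns 0 on success and -1 on a malformed or unsupported proposal.
 *
 * NOTE(review): `total' is derived by unsigned subtraction from the
 * peer-supplied sap_length; this relies on ikev2_validate_sa() having
 * rejected a length smaller than sizeof(sap) -- confirm.
 */
int
ikev2_pld_sa(struct iked *env, struct ikev2_payload *pld,
    struct iked_message *msg, size_t offset, size_t left)
{
	struct ikev2_sa_proposal	 sap;
	struct iked_proposal		*prop = NULL;
	u_int32_t			 spi32;
	u_int64_t			 spi = 0, spi64;
	u_int8_t			*msgbuf = ibuf_data(msg->msg_data);
	struct iked_proposals		*props;
	size_t				 total;

	if (ikev2_validate_sa(msg, offset, left, pld, &sap))
		return (-1);

	if (sap.sap_more)
		log_debug("%s: more than one proposal specified", __func__);

	/* Assumed size of the first proposals, including SPI if present. */
	total = (betoh16(sap.sap_length) - sizeof(sap));

	props = &msg->msg_parent->msg_proposals;

	offset += sizeof(sap);
	left -= sizeof(sap);

	if (sap.sap_spisize) {
		/* The SPI must fit into what is left of the payload ... */
		if (left < sap.sap_spisize) {
			log_debug("%s: malformed payload: SPI larger than "
			    "actual payload (%zu < %d)", __func__, left,
			    sap.sap_spisize);
			return (-1);
		}
		/*
		 * ... and into the proposal itself.  (A second, identical
		 * test that used to follow this one could never fire and
		 * has been dropped.)
		 */
		if (total < sap.sap_spisize) {
			log_debug("%s: malformed payload: SPI larger than "
			    "proposal (%zu < %d)", __func__, total,
			    sap.sap_spisize);
			return (-1);
		}
		/* memcpy: the SPI may be unaligned inside the message. */
		switch (sap.sap_spisize) {
		case 4:
			memcpy(&spi32, msgbuf + offset, 4);
			spi = betoh32(spi32);
			break;
		case 8:
			memcpy(&spi64, msgbuf + offset, 8);
			spi = betoh64(spi64);
			break;
		default:
			log_debug("%s: unsupported SPI size %d",
			    __func__, sap.sap_spisize);
			return (-1);
		}

		offset += sap.sap_spisize;
		left -= sap.sap_spisize;

		/* Assumed size of the proposal, now without SPI. */
		total -= sap.sap_spisize;
	}

	/*
	 * As we verified sanity of packet headers, this check will
	 * be always false, but just to be sure we keep it.
	 */
	if (left < total) {
		log_debug("%s: payload malformed: too long for payload "
		    "(%zu < %zu)", __func__, left, total);
		return (-1);
	}

	log_debug("%s: more %d reserved %d length %d"
	    " proposal #%d protoid %s spisize %d xforms %d spi %s",
	    __func__, sap.sap_more, sap.sap_reserved,
	    betoh16(sap.sap_length), sap.sap_proposalnr,
	    print_map(sap.sap_protoid, ikev2_saproto_map), sap.sap_spisize,
	    sap.sap_transforms, print_spi(spi, sap.sap_spisize));

	/* Only proposals received from the peer are recorded. */
	if (ikev2_msg_frompeer(msg)) {
		if ((msg->msg_parent->msg_prop = config_add_proposal(props,
		    sap.sap_proposalnr, sap.sap_protoid)) == NULL) {
			log_debug("%s: invalid proposal", __func__);
			return (-1);
		}
		prop = msg->msg_parent->msg_prop;
		prop->prop_peerspi.spi = spi;
		prop->prop_peerspi.spi_protoid = sap.sap_protoid;
		prop->prop_peerspi.spi_size = sap.sap_spisize;

		prop->prop_localspi.spi_protoid = sap.sap_protoid;
		prop->prop_localspi.spi_size = sap.sap_spisize;
	}

	/*
	 * Parse the attached transforms
	 */
	if (sap.sap_transforms &&
	    ikev2_pld_xform(env, &sap, msg, offset, total) != 0) {
		log_debug("%s: invalid proposal transforms", __func__);
		return (-1);
	}

	return (0);
}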