int
ikev2_pld_parse(struct iked *env, struct ike_header *hdr,
struct iked_message *msg, off_t offset)
{
log_debug("%s: header ispi %s rspi %s"
" nextpayload %s version 0x%02x exchange %s flags 0x%02x"
" msgid %d length %d response %d", __func__,
print_spi(betoh64(hdr->ike_ispi), 8),
print_spi(betoh64(hdr->ike_rspi), 8),
print_map(hdr->ike_nextpayload, ikev2_payload_map),
hdr->ike_version,
print_map(hdr->ike_exchange, ikev2_exchange_map),
hdr->ike_flags,
betoh32(hdr->ike_msgid),
betoh32(hdr->ike_length),
msg->msg_response);
if (ibuf_size(msg->msg_data) < betoh32(hdr->ike_length)) {
log_debug("%s: short message", __func__);
return (-1);
}
offset += sizeof(*hdr);
return (ikev2_pld_payloads(env, msg, offset,
betoh32(hdr->ike_length), hdr->ike_nextpayload, 0));
}
void
ikev1_recv(struct iked *env, struct iked_message *msg)
{
struct ike_header *hdr;
if (ibuf_size(msg->msg_data) <= sizeof(*hdr)) {
log_debug("%s: short message", __func__);
return;
}
hdr = (struct ike_header *)ibuf_data(msg->msg_data);
log_debug("%s: header ispi %s rspi %s"
" nextpayload %u version 0x%02x exchange %u flags 0x%02x"
" msgid %u length %u", __func__,
print_spi(betoh64(hdr->ike_ispi), 8),
print_spi(betoh64(hdr->ike_rspi), 8),
hdr->ike_nextpayload,
hdr->ike_version,
hdr->ike_exchange,
hdr->ike_flags,
betoh32(hdr->ike_msgid),
betoh32(hdr->ike_length));
log_debug("%s: IKEv1 not supported", __func__);
}
int
up_prefix_cmp(struct update_prefix *a, struct update_prefix *b)
{
int i;
if (a->prefix.aid < b->prefix.aid)
return (-1);
if (a->prefix.aid > b->prefix.aid)
return (1);
switch (a->prefix.aid) {
case AID_INET:
if (ntohl(a->prefix.v4.s_addr) < ntohl(b->prefix.v4.s_addr))
return (-1);
if (ntohl(a->prefix.v4.s_addr) > ntohl(b->prefix.v4.s_addr))
return (1);
break;
case AID_INET6:
i = memcmp(&a->prefix.v6, &b->prefix.v6,
sizeof(struct in6_addr));
if (i > 0)
return (1);
if (i < 0)
return (-1);
break;
case AID_VPN_IPv4:
if (betoh64(a->prefix.vpn4.rd) < betoh64(b->prefix.vpn4.rd))
return (-1);
if (betoh64(a->prefix.vpn4.rd) > betoh64(b->prefix.vpn4.rd))
return (1);
if (ntohl(a->prefix.v4.s_addr) < ntohl(b->prefix.v4.s_addr))
return (-1);
if (ntohl(a->prefix.v4.s_addr) > ntohl(b->prefix.v4.s_addr))
return (1);
if (a->prefixlen < b->prefixlen)
return (-1);
if (a->prefixlen > b->prefixlen)
return (1);
if (a->prefix.vpn4.labellen < b->prefix.vpn4.labellen)
return (-1);
if (a->prefix.vpn4.labellen > b->prefix.vpn4.labellen)
return (1);
return (memcmp(a->prefix.vpn4.labelstack,
b->prefix.vpn4.labelstack, a->prefix.vpn4.labellen));
default:
fatalx("pt_prefix_cmp: unknown af");
}
if (a->prefixlen < b->prefixlen)
return (-1);
if (a->prefixlen > b->prefixlen)
return (1);
return (0);
}
/*
* show_sym64()
* show archive ranlib index (irix6)
*/
int
show_sym64(off_t off, u_long len, const char *name, FILE *fp)
{
struct ar_hdr ar_head;
uint64_t *symtab, *ps;
char *strtab, *p;
int num, rval = 0;
int namelen;
if ((symtab = malloc(len)) == NULL) {
warn("%s: malloc", name);
return 1;
}
if (pread(fileno(fp), symtab, len, off) != len) {
free(symtab);
warn("%s: pread", name);
return 1;
}
namelen = sizeof(ar_head.ar_name);
if ((p = malloc(sizeof(ar_head.ar_name))) == NULL) {
warn("%s: malloc", name);
free(symtab);
return 1;
}
printf("\nArchive index:\n");
num = betoh64(*symtab);
strtab = (char *)(symtab + num + 1);
for (ps = symtab + 1; num--; ps++, strtab += strlen(strtab) + 1) {
if (pread(fileno(fp), &ar_head, sizeof ar_head,
betoh64(*ps)) != sizeof ar_head ||
memcmp(ar_head.ar_fmag, ARFMAG, sizeof(ar_head.ar_fmag))) {
warnx("%s: member pread", name);
rval = 1;
break;
}
*p = '\0';
if (mmbr_name(&ar_head, &p, 0, &namelen, fp)) {
rval = 1;
break;
}
printf("%s in %s\n", strtab, p);
}
free(p);
free(symtab);
return (rval);
}
UInt64 ByteOrder::ntoh64(UInt64 data)
{
#ifndef ANDROID
return be64toh(data);
#else
return betoh64(data);
#endif //ANDROID
}
int
main(int argc, char **argv)
{
u_int64_t hostorder;
u_int64_t bigendian = 1;
hostorder = betoh64(bigendian);
return 0;
}
void sha512ProcessBlock(Sha512Context *context)
{
uint_t t;
uint64_t temp1;
uint64_t temp2;
//Initialize the 8 working registers
uint64_t a = context->h[0];
uint64_t b = context->h[1];
uint64_t c = context->h[2];
uint64_t d = context->h[3];
uint64_t e = context->h[4];
uint64_t f = context->h[5];
uint64_t g = context->h[6];
uint64_t h = context->h[7];
//Process message in 16-word blocks
uint64_t *w = context->w;
//Convert from big-endian byte order to host byte order
for(t = 0; t < 16; t++)
w[t] = betoh64(w[t]);
//SHA-512 hash computation (alternate method)
for(t = 0; t < 80; t++)
{
//Prepare the message schedule
if(t >= 16)
W(t) += SIGMA4(W(t + 14)) + W(t + 9) + SIGMA3(W(t + 1));
//Calculate T1 and T2
temp1 = h + SIGMA2(e) + CH(e, f, g) + k[t] + W(t);
temp2 = SIGMA1(a) + MAJ(a, b, c);
//Update the working registers
h = g;
g = f;
f = e;
e = d + temp1;
d = c;
c = b;
b = a;
a = temp1 + temp2;
}
//Update the hash value
context->h[0] += a;
context->h[1] += b;
context->h[2] += c;
context->h[3] += d;
context->h[4] += e;
context->h[5] += f;
context->h[6] += g;
context->h[7] += h;
}
/*
* Decoding routines for GTP version 0.
*/
void
gtp_v0_print(const u_char *cp, u_int length, u_short sport, u_short dport)
{
struct gtp_v0_hdr *gh = (struct gtp_v0_hdr *)cp;
int len, version;
u_int64_t tid;
gtp_proto = GTP_V0_PROTO;
/* Check if this is GTP prime. */
TCHECK(gh->flags);
if ((gh->flags & GTPV0_HDR_PROTO_TYPE) == 0) {
gtp_proto = GTP_V0_PRIME_PROTO;
gtp_v0_print_prime(cp);
return;
}
/* Print GTP header. */
TCHECK(*gh);
cp += sizeof(struct gtp_v0_hdr);
len = ntohs(gh->length);
bcopy(&gh->tid, &tid, sizeof(tid));
printf(" GTPv0 (len %u, seqno %u, flow %u, N-PDU %u, tid 0x%llx) ",
ntohs(gh->length), ntohs(gh->seqno), ntohs(gh->flow),
ntohs(gh->npduno), betoh64(tid));
/* Decode GTP message. */
printf("%s", tok2str(gtp_v0_msgtype, "Message Type %u", gh->msgtype));
if (!vflag)
return;
if (gh->msgtype == GTPV0_T_PDU) {
TCHECK(cp[0]);
version = cp[0] >> 4;
printf(" { ");
if (version == 4)
ip_print(cp, len);
#ifdef INET6
else if (version == 6)
ip6_print(cp, len);
#endif
else
printf("Unknown IP version %u", version);
printf(" }");
} else
static void
dlrecv_print(dlsend_msg_t *msg, dlpi_recvinfo_t *rinfo, boolean_t invalid)
{
uint_t i;
(void) printf("Received %s from ", invalid ?
"invalid message" : "Elbereth");
for (i = 0; i < rinfo->dri_destaddrlen; i++) {
(void) printf("%02x", rinfo->dri_destaddr[i]);
if (i + 1 != rinfo->dri_destaddrlen)
(void) putchar(':');
}
if (invalid) {
return;
}
(void) printf(" seq=%" PRIu64 " host=%s\n", betoh64(msg->dm_count),
msg->dm_host);
}
uint64_t fmbe64(uint64_t x) { return betoh64(x); }
void whirlpoolProcessBlock(WhirlpoolContext *context)
{
uint_t i;
uint64_t *x = context->x;
uint64_t *k = context->k;
uint64_t *l = context->l;
uint64_t *state = context->state;
//Convert from big-endian byte order to host byte order
for(i = 0; i < 8; i++)
x[i] = betoh64(x[i]);
k[0] = context->h[0];
k[1] = context->h[1];
k[2] = context->h[2];
k[3] = context->h[3];
k[4] = context->h[4];
k[5] = context->h[5];
k[6] = context->h[6];
k[7] = context->h[7];
state[0] = x[0] ^ k[0];
state[1] = x[1] ^ k[1];
state[2] = x[2] ^ k[2];
state[3] = x[3] ^ k[3];
state[4] = x[4] ^ k[4];
state[5] = x[5] ^ k[5];
state[6] = x[6] ^ k[6];
state[7] = x[7] ^ k[7];
//Iterate over all rounds
for(i = 0; i < 10; i++)
{
//Key schedule
RHO(l[0], k, 0, rc[i]);
RHO(l[1], k, 1, 0);
RHO(l[2], k, 2, 0);
RHO(l[3], k, 3, 0);
RHO(l[4], k, 4, 0);
RHO(l[5], k, 5, 0);
RHO(l[6], k, 6, 0);
RHO(l[7], k, 7, 0);
k[0] = l[0];
k[1] = l[1];
k[2] = l[2];
k[3] = l[3];
k[4] = l[4];
k[5] = l[5];
k[6] = l[6];
k[7] = l[7];
//Apply the round function
RHO(l[0], state, 0, k[0]);
RHO(l[1], state, 1, k[1]);
RHO(l[2], state, 2, k[2]);
RHO(l[3], state, 3, k[3]);
RHO(l[4], state, 4, k[4]);
RHO(l[5], state, 5, k[5]);
RHO(l[6], state, 6, k[6]);
RHO(l[7], state, 7, k[7]);
state[0] = l[0];
state[1] = l[1];
state[2] = l[2];
state[3] = l[3];
state[4] = l[4];
state[5] = l[5];
state[6] = l[6];
state[7] = l[7];
}
//Update the hash value
context->h[0] ^= state[0] ^ x[0];
context->h[1] ^= state[1] ^ x[1];
context->h[2] ^= state[2] ^ x[2];
context->h[3] ^= state[3] ^ x[3];
context->h[4] ^= state[4] ^ x[4];
context->h[5] ^= state[5] ^ x[5];
context->h[6] ^= state[6] ^ x[6];
context->h[7] ^= state[7] ^ x[7];
}
int
ikev2_pld_notify(struct iked *env, struct ikev2_payload *pld,
struct iked_message *msg, off_t offset)
{
struct ikev2_notify *n;
u_int8_t *buf, md[SHA_DIGEST_LENGTH];
size_t len;
u_int32_t spi32;
u_int64_t spi64;
struct iked_spi *rekey;
u_int16_t type;
u_int16_t group;
if ((n = ibuf_seek(msg->msg_data, offset, sizeof(*n))) == NULL)
return (-1);
type = betoh16(n->n_type);
log_debug("%s: protoid %s spisize %d type %s",
__func__,
print_map(n->n_protoid, ikev2_saproto_map), n->n_spisize,
print_map(type, ikev2_n_map));
len = betoh16(pld->pld_length) - sizeof(*pld) - sizeof(*n);
if ((buf = ibuf_seek(msg->msg_data, offset + sizeof(*n), len)) == NULL)
return (-1);
print_hex(buf, 0, len);
if (!ikev2_msg_frompeer(msg))
return (0);
switch (type) {
case IKEV2_N_NAT_DETECTION_SOURCE_IP:
case IKEV2_N_NAT_DETECTION_DESTINATION_IP:
if (ikev2_nat_detection(env, msg, md, sizeof(md), type) == -1)
return (-1);
if (len != sizeof(md) || memcmp(buf, md, len) != 0) {
log_debug("%s: %s detected NAT, enabling "
"UDP encapsulation", __func__,
print_map(type, ikev2_n_map));
/*
* Enable UDP encapsulation of ESP packages if
* the check detected NAT.
*/
if (msg->msg_sa != NULL)
msg->msg_sa->sa_udpencap = 1;
}
print_hex(md, 0, sizeof(md));
break;
case IKEV2_N_INVALID_KE_PAYLOAD:
if (len != sizeof(group)) {
log_debug("%s: malformed notification", __func__);
return (-1);
}
if (!msg->msg_sa->sa_hdr.sh_initiator) {
log_debug("%s: not an initiator", __func__);
sa_free(env, msg->msg_sa);
msg->msg_sa = NULL;
return (-1);
}
memcpy(&group, buf, len);
group = betoh16(group);
if ((msg->msg_policy->pol_peerdh = group_get(group))
== NULL) {
log_debug("%s: unable to select DH group %d", __func__,
group);
return (-1);
}
log_debug("%s: responder selected DH group %d", __func__,
group);
sa_free(env, msg->msg_sa);
msg->msg_sa = NULL;
timer_initialize(env, &env->sc_inittmr, ikev2_init_ike_sa,
NULL);
timer_register(env, &env->sc_inittmr, IKED_INITIATOR_INITIAL);
break;
case IKEV2_N_NO_ADDITIONAL_SAS:
/* This makes sense for Child SAs only atm */
if (msg->msg_sa->sa_stateflags & IKED_REQ_CHILDSA) {
ikev2_disable_rekeying(env, msg->msg_sa);
msg->msg_sa->sa_stateflags &= ~IKED_REQ_CHILDSA;
}
break;
case IKEV2_N_REKEY_SA:
if (len != n->n_spisize) {
log_debug("%s: malformed notification", __func__);
return (-1);
}
rekey = &msg->msg_parent->msg_rekey;
if (rekey->spi != 0) {
log_debug("%s: rekeying of multiple SAs not supported",
__func__);
return (-1);
}
switch (n->n_spisize) {
case 4:
memcpy(&spi32, buf, len);
rekey->spi = betoh32(spi32);
break;
case 8:
memcpy(&spi64, buf, len);
rekey->spi = betoh64(spi64);
break;
default:
log_debug("%s: invalid spi size %d", __func__,
n->n_spisize);
return (-1);
}
rekey->spi_size = n->n_spisize;
rekey->spi_protoid = n->n_protoid;
log_debug("%s: rekey %s spi %s", __func__,
print_map(n->n_protoid, ikev2_saproto_map),
print_spi(rekey->spi, n->n_spisize));
break;
}
return (0);
}
int
ikev2_pld_delete(struct iked *env, struct ikev2_payload *pld,
struct iked_message *msg, off_t offset)
{
struct iked_childsa **peersas = NULL;
struct iked_sa *sa = msg->msg_sa;
struct ikev2_delete *del, *localdel;
struct ibuf *resp = NULL;
u_int64_t *localspi = NULL;
u_int64_t spi64, spi = 0;
u_int32_t spi32;
u_int8_t *buf, *msgbuf = ibuf_data(msg->msg_data);
size_t found = 0, failed = 0;
int cnt, i, len, sz, ret = -1;
/* Skip if it's a reply and we don't have to deal with it */
if (ikev2_msg_frompeer(msg) && sa &&
(sa->sa_stateflags & IKED_REQ_INF)) {
sa->sa_stateflags &= ~IKED_REQ_INF;
if ((sa->sa_stateflags & IKED_REQ_DELETE) == 0)
return (0);
}
if ((del = ibuf_seek(msg->msg_data, offset, sizeof(*del))) == NULL)
return (-1);
cnt = betoh16(del->del_nspi);
sz = del->del_spisize;
log_debug("%s: proto %s spisize %d nspi %d",
__func__, print_map(del->del_protoid, ikev2_saproto_map),
sz, cnt);
buf = msgbuf + offset + sizeof(*del);
len = betoh16(pld->pld_length) - sizeof(*pld) - sizeof(*del);
print_hex(buf, 0, len);
switch (sz) {
case 4:
case 8:
break;
default:
if (ikev2_msg_frompeer(msg) &&
del->del_protoid == IKEV2_SAPROTO_IKE) {
/* Send an empty informational response */
if ((resp = ibuf_static()) == NULL)
goto done;
ret = ikev2_send_ike_e(env, sa, resp,
IKEV2_PAYLOAD_NONE,
IKEV2_EXCHANGE_INFORMATIONAL, 1);
ibuf_release(resp);
sa_state(env, sa, IKEV2_STATE_CLOSED);
return (ret);
}
log_debug("%s: invalid SPI size", __func__);
return (-1);
}
if ((len / sz) != cnt) {
log_debug("%s: invalid payload length %d/%d != %d",
__func__, len, sz, cnt);
return (-1);
}
if (ikev2_msg_frompeer(msg) &&
((peersas = calloc(cnt, sizeof(struct iked_childsa *))) == NULL ||
(localspi = calloc(cnt, sizeof(u_int64_t))) == NULL)) {
log_warn("%s", __func__);
goto done;
}
for (i = 0; i < cnt; i++) {
switch (sz) {
case 4:
memcpy(&spi32, buf + (i * sz), sizeof(spi32));
spi = betoh32(spi32);
break;
case 8:
memcpy(&spi64, buf + (i * sz), sizeof(spi64));
spi = betoh64(spi64);
break;
}
log_debug("%s: spi %s", __func__, print_spi(spi, sz));
if (peersas == NULL || sa == NULL)
continue;
if ((peersas[i] = childsa_lookup(sa, spi,
del->del_protoid)) == NULL) {
log_warnx("%s: CHILD SA doesn't exist for spi %s",
__func__, print_spi(spi, del->del_spisize));
goto done;
}
if (ikev2_childsa_delete(env, sa, del->del_protoid, spi,
&localspi[i], 0) == -1)
failed++;
else
found++;
/*
* Flows are left in the require mode so that it would be
* possible to quickly negotiate a new Child SA
*/
}
/* Parsed outgoing message? */
if (!ikev2_msg_frompeer(msg))
goto done;
if (sa && (sa->sa_stateflags & IKED_REQ_DELETE)) {
/* Finish rekeying */
sa->sa_stateflags &= ~IKED_REQ_DELETE;
ret = 0;
goto done;
}
/* Response to the INFORMATIONAL with Delete payload */
if ((resp = ibuf_static()) == NULL)
goto done;
if (found) {
if ((localdel = ibuf_advance(resp, sizeof(*localdel))) == NULL)
goto done;
localdel->del_protoid = del->del_protoid;
localdel->del_spisize = del->del_spisize;
localdel->del_nspi = htobe16(found);
for (i = 0; i < cnt; i++) {
switch (sz) {
case 4:
spi32 = htobe32(localspi[i]);
if (ibuf_add(resp, &spi32, sizeof(spi32)) != 0)
goto done;
break;
case 8:
spi64 = htobe64(localspi[i]);
if (ibuf_add(resp, &spi64, sizeof(spi64)) != 0)
goto done;
break;
}
}
log_warnx("%s: deleted %d spis", __func__, found);
}
if (found) {
ret = ikev2_send_ike_e(env, sa, resp, IKEV2_PAYLOAD_DELETE,
IKEV2_EXCHANGE_INFORMATIONAL, 1);
} else {
/* XXX should we send an INVALID_SPI notification? */
ret = 0;
}
done:
if (localspi)
free(localspi);
if (peersas)
free(peersas);
ibuf_release(resp);
return (ret);
}
/**
* Returns the property's data as a 64 bit integer
*/
int64_t Fabric_Property_get_integer_value(Property *self) {
return betoh64(*((int64_t*)self->data));
}
int
ikev2_pld_sa(struct iked *env, struct ikev2_payload *pld,
struct iked_message *msg, off_t offset)
{
struct ikev2_sa_proposal sap;
struct iked_proposal *prop = NULL;
u_int32_t spi32;
u_int64_t spi = 0, spi64;
u_int8_t *msgbuf = ibuf_data(msg->msg_data);
struct iked_proposals *props;
props = &msg->msg_parent->msg_proposals;
memcpy(&sap, msgbuf + offset, sizeof(sap));
offset += sizeof(sap);
if (sap.sap_spisize) {
switch (sap.sap_spisize) {
case 4:
memcpy(&spi32, msgbuf + offset, 4);
spi = betoh32(spi32);
break;
case 8:
memcpy(&spi64, msgbuf + offset, 8);
spi = betoh64(spi64);
break;
default:
log_debug("%s: unsupported SPI size %d",
__func__, sap.sap_spisize);
return (-1);
}
offset += sap.sap_spisize;
}
log_debug("%s: more %d reserved %d length %d"
" proposal #%d protoid %s spisize %d xforms %d spi %s",
__func__, sap.sap_more, sap.sap_reserved,
betoh16(sap.sap_length), sap.sap_proposalnr,
print_map(sap.sap_protoid, ikev2_saproto_map), sap.sap_spisize,
sap.sap_transforms, print_spi(spi, sap.sap_spisize));
if (ikev2_msg_frompeer(msg)) {
if ((msg->msg_parent->msg_prop = config_add_proposal(props,
sap.sap_proposalnr, sap.sap_protoid)) == NULL) {
log_debug("%s: invalid proposal", __func__);
return (-1);
}
prop = msg->msg_parent->msg_prop;
prop->prop_peerspi.spi = spi;
prop->prop_peerspi.spi_protoid = sap.sap_protoid;
prop->prop_peerspi.spi_size = sap.sap_spisize;
prop->prop_localspi.spi_protoid = sap.sap_protoid;
prop->prop_localspi.spi_size = sap.sap_spisize;
}
/*
* Parse the attached transforms
*/
if (sap.sap_transforms &&
ikev2_pld_xform(env, &sap, msg, offset) != 0) {
log_debug("%s: invalid proposal transforms", __func__);
return (-1);
}
return (0);
}
void
print_state(struct pfsync_state *s, int opts)
{
struct pfsync_state_peer *src, *dst;
struct pfsync_state_key *sk, *nk;
struct protoent *p;
int min, sec;
int afto = (s->key[PF_SK_STACK].af != s->key[PF_SK_WIRE].af);
int idx;
if (s->direction == PF_OUT) {
src = &s->src;
dst = &s->dst;
sk = &s->key[PF_SK_STACK];
nk = &s->key[PF_SK_WIRE];
if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
sk->port[0] = nk->port[0];
} else {
src = &s->dst;
dst = &s->src;
sk = &s->key[PF_SK_WIRE];
nk = &s->key[PF_SK_STACK];
if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
sk->port[1] = nk->port[1];
}
printf("%s ", s->ifname);
if ((p = getprotobynumber(s->proto)) != NULL)
printf("%s ", p->p_name);
else
printf("%u ", s->proto);
print_host(&nk->addr[1], nk->port[1], nk->af, nk->rdomain, opts);
if (nk->af != sk->af || PF_ANEQ(&nk->addr[1], &sk->addr[1], nk->af) ||
nk->port[1] != sk->port[1] ||
nk->rdomain != sk->rdomain) {
idx = afto ? 0 : 1;
printf(" (");
print_host(&sk->addr[idx], sk->port[idx], sk->af,
sk->rdomain, opts);
printf(")");
}
if (s->direction == PF_OUT || (afto && s->direction == PF_IN))
printf(" -> ");
else
printf(" <- ");
print_host(&nk->addr[0], nk->port[0], nk->af, nk->rdomain, opts);
if (nk->af != sk->af || PF_ANEQ(&nk->addr[0], &sk->addr[0], nk->af) ||
nk->port[0] != sk->port[0] ||
nk->rdomain != sk->rdomain) {
idx = afto ? 1 : 0;
printf(" (");
print_host(&sk->addr[idx], sk->port[idx], sk->af,
sk->rdomain, opts);
printf(")");
}
printf(" ");
if (s->proto == IPPROTO_TCP) {
if (src->state <= TCPS_TIME_WAIT &&
dst->state <= TCPS_TIME_WAIT)
printf(" %s:%s\n", tcpstates[src->state],
tcpstates[dst->state]);
else if (src->state == PF_TCPS_PROXY_SRC ||
dst->state == PF_TCPS_PROXY_SRC)
printf(" PROXY:SRC\n");
else if (src->state == PF_TCPS_PROXY_DST ||
dst->state == PF_TCPS_PROXY_DST)
printf(" PROXY:DST\n");
else
printf(" <BAD STATE LEVELS %u:%u>\n",
src->state, dst->state);
if (opts & PF_OPT_VERBOSE) {
printf(" ");
print_seq(src);
if (src->wscale && dst->wscale)
printf(" wscale %u",
src->wscale & PF_WSCALE_MASK);
printf(" ");
print_seq(dst);
if (src->wscale && dst->wscale)
printf(" wscale %u",
dst->wscale & PF_WSCALE_MASK);
printf("\n");
}
} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
dst->state < PFUDPS_NSTATES) {
const char *states[] = PFUDPS_NAMES;
printf(" %s:%s\n", states[src->state], states[dst->state]);
} else if (s->proto != IPPROTO_ICMP && s->proto != IPPROTO_ICMPV6 &&
src->state < PFOTHERS_NSTATES && dst->state < PFOTHERS_NSTATES) {
/* XXX ICMP doesn't really have state levels */
const char *states[] = PFOTHERS_NAMES;
printf(" %s:%s\n", states[src->state], states[dst->state]);
} else {
printf(" %u:%u\n", src->state, dst->state);
}
if (opts & PF_OPT_VERBOSE) {
u_int64_t packets[2];
u_int64_t bytes[2];
u_int32_t creation = ntohl(s->creation);
u_int32_t expire = ntohl(s->expire);
sec = creation % 60;
creation /= 60;
min = creation % 60;
creation /= 60;
printf(" age %.2u:%.2u:%.2u", creation, min, sec);
sec = expire % 60;
expire /= 60;
min = expire % 60;
expire /= 60;
printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);
bcopy(s->packets[0], &packets[0], sizeof(u_int64_t));
bcopy(s->packets[1], &packets[1], sizeof(u_int64_t));
bcopy(s->bytes[0], &bytes[0], sizeof(u_int64_t));
bcopy(s->bytes[1], &bytes[1], sizeof(u_int64_t));
printf(", %llu:%llu pkts, %llu:%llu bytes",
betoh64(packets[0]),
betoh64(packets[1]),
betoh64(bytes[0]),
betoh64(bytes[1]));
if (ntohl(s->anchor) != -1)
printf(", anchor %u", ntohl(s->anchor));
if (ntohl(s->rule) != -1)
printf(", rule %u", ntohl(s->rule));
if (s->state_flags & PFSTATE_SLOPPY)
printf(", sloppy");
if (s->state_flags & PFSTATE_PFLOW)
printf(", pflow");
if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
printf(", source-track");
if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
printf(", sticky-address");
printf("\n");
}
if (opts & PF_OPT_VERBOSE2) {
u_int64_t id;
bcopy(&s->id, &id, sizeof(u_int64_t));
printf(" id: %016llx creatorid: %08x",
betoh64(id), ntohl(s->creatorid));
printf("\n");
}
}
void
print_state(struct pfsync_state *s, int opts)
{
struct pfsync_state_peer *src, *dst;
struct pfsync_state_key *sk, *nk;
int min, sec, sidx, didx;
if (s->direction == PF_OUT) {
src = &s->src;
dst = &s->dst;
sk = &s->key[PF_SK_STACK];
nk = &s->key[PF_SK_WIRE];
if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
sk->port[0] = nk->port[0];
} else {
src = &s->dst;
dst = &s->src;
sk = &s->key[PF_SK_WIRE];
nk = &s->key[PF_SK_STACK];
if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
sk->port[1] = nk->port[1];
}
printf("%s ", s->ifname);
printf("%s ", ipproto_string(s->proto));
if (nk->af != sk->af)
sidx = 1, didx = 0;
else
sidx = 0, didx = 1;
print_host(&nk->addr[didx], nk->port[didx], nk->af, nk->rdomain, NULL, opts);
if (nk->af != sk->af || PF_ANEQ(&nk->addr[1], &sk->addr[1], nk->af) ||
nk->port[1] != sk->port[1]) {
printf(" (");
print_host(&sk->addr[1], sk->port[1], sk->af, sk->rdomain,
NULL, opts);
printf(")");
}
if (s->direction == PF_OUT)
printf(" -> ");
else
printf(" <- ");
print_host(&nk->addr[sidx], nk->port[sidx], nk->af, nk->rdomain, NULL,
opts);
if (nk->af != sk->af || PF_ANEQ(&nk->addr[0], &sk->addr[0], nk->af) ||
nk->port[0] != sk->port[0]) {
printf(" (");
print_host(&sk->addr[0], sk->port[0], sk->af, sk->rdomain, NULL,
opts);
printf(")");
}
printf(" ");
if (s->proto == IPPROTO_TCP) {
if (src->state <= TCPS_TIME_WAIT &&
dst->state <= TCPS_TIME_WAIT)
printf("\n %s:%s", tcpstates[src->state],
tcpstates[dst->state]);
else if (src->state == PF_TCPS_PROXY_SRC ||
dst->state == PF_TCPS_PROXY_SRC)
printf("\n PROXY:SRC");
else if (src->state == PF_TCPS_PROXY_DST ||
dst->state == PF_TCPS_PROXY_DST)
printf("\n PROXY:DST");
else
printf("\n <BAD STATE LEVELS %u:%u>",
src->state, dst->state);
if (opts & PF_OPT_VERBOSE) {
printf("\n ");
print_seq(src);
if (src->wscale && dst->wscale)
printf(" wscale %u",
src->wscale & PF_WSCALE_MASK);
printf(" ");
print_seq(dst);
if (src->wscale && dst->wscale)
printf(" wscale %u",
dst->wscale & PF_WSCALE_MASK);
}
} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
dst->state < PFUDPS_NSTATES) {
const char *states[] = PFUDPS_NAMES;
printf(" %s:%s", states[src->state], states[dst->state]);
} else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
dst->state < PFOTHERS_NSTATES) {
/* XXX ICMP doesn't really have state levels */
const char *states[] = PFOTHERS_NAMES;
printf(" %s:%s", states[src->state], states[dst->state]);
} else {
printf(" %u:%u", src->state, dst->state);
}
if (opts & PF_OPT_VERBOSE) {
u_int64_t packets[2];
u_int64_t bytes[2];
u_int32_t creation = ntohl(s->creation);
u_int32_t expire = ntohl(s->expire);
sec = creation % 60;
creation /= 60;
min = creation % 60;
creation /= 60;
printf("\n age %.2u:%.2u:%.2u", creation, min, sec);
sec = expire % 60;
expire /= 60;
min = expire % 60;
expire /= 60;
printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);
bcopy(s->packets[0], &packets[0], sizeof(u_int64_t));
bcopy(s->packets[1], &packets[1], sizeof(u_int64_t));
bcopy(s->bytes[0], &bytes[0], sizeof(u_int64_t));
bcopy(s->bytes[1], &bytes[1], sizeof(u_int64_t));
printf(", %llu:%llu pkts, %llu:%llu bytes",
betoh64(packets[0]),
betoh64(packets[1]),
betoh64(bytes[0]),
betoh64(bytes[1]));
if (s->anchor != -1)
printf(", anchor %u", ntohl(s->anchor));
if (s->rule != -1)
printf(", rule %u", ntohl(s->rule));
}
if (opts & PF_OPT_VERBOSE2) {
u_int64_t id;
bcopy(&s->id, &id, sizeof(u_int64_t));
printf("\n id: %016llx creatorid: %08x",
betoh64(id), ntohl(s->creatorid));
}
}
/*
* Scan through all entries in the index file `idx' and prune those
* entries in `ofile'.
* Pruning consists of removing from `db', then invalidating the entry
* in `idx' (zeroing its value size).
*/
static void
index_prune(const struct of *ofile, struct mdb *mdb,
struct recs *recs, const char *basedir)
{
const struct of *of;
const char *fn;
uint64_t vbuf[2];
unsigned seq, sseq;
DBT key, val;
int ch;
recs->cur = 0;
seq = R_FIRST;
while (0 == (ch = (*mdb->idx->seq)(mdb->idx, &key, &val, seq))) {
seq = R_NEXT;
assert(sizeof(recno_t) == key.size);
memcpy(&recs->last, key.data, key.size);
/* Deleted records are zero-sized. Skip them. */
if (0 == val.size)
goto cont;
/*
* Make sure we're sane.
* Read past our mdoc/man/cat type to the next string,
* then make sure it's bounded by a NUL.
* Failing any of these, we go into our error handler.
*/
fn = (char *)val.data + 1;
if (NULL == memchr(fn, '\0', val.size - 1))
break;
/*
* Search for the file in those we care about.
* XXX: build this into a tree. Too slow.
*/
for (of = ofile->first; of; of = of->next)
if (0 == strcmp(fn, of->fname))
break;
if (NULL == of)
continue;
/*
* Search through the keyword database, throwing out all
* references to our file.
*/
sseq = R_FIRST;
while (0 == (ch = (*mdb->db->seq)(mdb->db,
&key, &val, sseq))) {
sseq = R_NEXT;
if (sizeof(vbuf) != val.size)
break;
memcpy(vbuf, val.data, val.size);
if (recs->last != betoh64(vbuf[1]))
continue;
if ((ch = (*mdb->db->del)(mdb->db,
&key, R_CURSOR)) < 0)
break;
}
if (ch < 0) {
perror(mdb->dbn);
exit((int)MANDOCLEVEL_SYSERR);
} else if (1 != ch) {
fprintf(stderr, "%s: corrupt database\n",
mdb->dbn);
exit((int)MANDOCLEVEL_SYSERR);
}
if (verb)
printf("%s: Deleting from index: %s\n",
basedir, fn);
val.size = 0;
ch = (*mdb->idx->put)(mdb->idx, &key, &val, R_CURSOR);
if (ch < 0)
break;
cont:
if (recs->cur >= recs->size) {
recs->size += MANDOC_SLOP;
recs->stack = mandoc_realloc(recs->stack,
recs->size * sizeof(recno_t));
}
recs->stack[(int)recs->cur] = recs->last;
recs->cur++;
}
if (ch < 0) {
perror(mdb->idxn);
exit((int)MANDOCLEVEL_SYSERR);
} else if (1 != ch) {
fprintf(stderr, "%s: corrupt index\n", mdb->idxn);
exit((int)MANDOCLEVEL_SYSERR);
}
recs->last++;
}
/**
* Gets the id of a property's text object
*
* This should only be called on a property with a type
* of FABRIC_PROPTYPE_LONGTEXT. Short text is handled
* differently. Long text is any text with size
* greater than 8 bytes (not including the null terminator).
*/
textid_t Fabric_Property_get_text_value_id(Property *self) {
return (textid_t) betoh64(*((uint64_t*)self->data));
}
/**
* Return's the property's data as a 64-bit floating point number
*/
float64_t Fabric_Property_get_real_value(Property *self) {
uint64_t tmp = betoh64(*((uint64_t*)self->data));
return *((float64_t*)&tmp);
}
int
ikev2_msg_valid_ike_sa(struct iked *env, struct ike_header *oldhdr,
struct iked_message *msg)
{
#if 0
/* XXX Disabled, see comment below */
struct iked_message resp;
struct ike_header *hdr;
struct ikev2_payload *pld;
struct ikev2_notify *n;
struct ibuf *buf;
struct iked_sa sa;
#endif
if (msg->msg_sa != NULL && msg->msg_policy != NULL) {
/*
* Only permit informational requests from initiator
* on closing SAs (for DELETE).
*/
if (msg->msg_sa->sa_state == IKEV2_STATE_CLOSING) {
if (((oldhdr->ike_flags &
(IKEV2_FLAG_INITIATOR|IKEV2_FLAG_RESPONSE)) ==
IKEV2_FLAG_INITIATOR) &&
(oldhdr->ike_exchange ==
IKEV2_EXCHANGE_INFORMATIONAL))
return (0);
return (-1);
}
return (0);
}
#if 0
/*
* XXX Sending INVALID_IKE_SPIs notifications is disabled
* XXX because it is not mandatory and ignored by most
* XXX implementations. We might want to enable it in
* XXX combination with a rate-limitation to avoid DoS situations.
*/
/* Fail without error message */
if (msg->msg_response || msg->msg_policy == NULL)
return (-1);
/* Invalid IKE SA, return notification */
if ((buf = ikev2_msg_init(env, &resp,
&msg->msg_peer, msg->msg_peerlen,
&msg->msg_local, msg->msg_locallen, 1)) == NULL)
goto done;
resp.msg_fd = msg->msg_fd;
bzero(&sa, sizeof(sa));
if ((oldhdr->ike_flags & IKEV2_FLAG_INITIATOR) == 0)
sa.sa_hdr.sh_initiator = 1;
sa.sa_hdr.sh_ispi = betoh64(oldhdr->ike_ispi);
sa.sa_hdr.sh_rspi = betoh64(oldhdr->ike_rspi);
resp.msg_msgid = betoh32(oldhdr->ike_msgid);
/* IKE header */
if ((hdr = ikev2_add_header(buf, &sa, resp.msg_msgid,
IKEV2_PAYLOAD_NOTIFY, IKEV2_EXCHANGE_INFORMATIONAL,
IKEV2_FLAG_RESPONSE)) == NULL)
goto done;
/* SA payload */
if ((pld = ikev2_add_payload(buf)) == NULL)
goto done;
if ((n = ibuf_advance(buf, sizeof(*n))) == NULL)
goto done;
n->n_protoid = IKEV2_SAPROTO_IKE;
n->n_spisize = 0;
n->n_type = htobe16(IKEV2_N_INVALID_IKE_SPI);
if (ikev2_next_payload(pld, sizeof(*n), IKEV2_PAYLOAD_NONE) == -1)
goto done;
if (ikev2_set_header(hdr, ibuf_size(buf) - sizeof(*hdr)) == -1)
goto done;
(void)ikev2_pld_parse(env, hdr, &resp, 0);
(void)ikev2_msg_send(env, &resp);
done:
ikev2_msg_cleanup(env, &resp);
#endif
/* Always fail */
return (-1);
}
/*
* NB: This function parses both the SA header and the first proposal.
* Additional proposals are ignored.
*/
int
ikev2_pld_sa(struct iked *env, struct ikev2_payload *pld,
struct iked_message *msg, size_t offset, size_t left)
{
struct ikev2_sa_proposal sap;
struct iked_proposal *prop = NULL;
u_int32_t spi32;
u_int64_t spi = 0, spi64;
u_int8_t *msgbuf = ibuf_data(msg->msg_data);
struct iked_proposals *props;
size_t total;
if (ikev2_validate_sa(msg, offset, left, pld, &sap))
return (-1);
if (sap.sap_more)
log_debug("%s: more than one proposal specified", __func__);
/* Assumed size of the first proposals, including SPI if present. */
total = (betoh16(sap.sap_length) - sizeof(sap));
props = &msg->msg_parent->msg_proposals;
offset += sizeof(sap);
left -= sizeof(sap);
if (sap.sap_spisize) {
if (left < sap.sap_spisize) {
log_debug("%s: malformed payload: SPI larger than "
"actual payload (%zu < %d)", __func__, left,
sap.sap_spisize);
return (-1);
}
if (total < sap.sap_spisize) {
log_debug("%s: malformed payload: SPI larger than "
"proposal (%zu < %d)", __func__, total,
sap.sap_spisize);
return (-1);
}
if (total < sap.sap_spisize) {
log_debug("%s: malformed payload: SPI too large "
"(%zu < %d)", __func__, total, sap.sap_spisize);
return (-1);
}
switch (sap.sap_spisize) {
case 4:
memcpy(&spi32, msgbuf + offset, 4);
spi = betoh32(spi32);
break;
case 8:
memcpy(&spi64, msgbuf + offset, 8);
spi = betoh64(spi64);
break;
default:
log_debug("%s: unsupported SPI size %d",
__func__, sap.sap_spisize);
return (-1);
}
offset += sap.sap_spisize;
left -= sap.sap_spisize;
/* Assumed size of the proposal, now without SPI. */
total -= sap.sap_spisize;
}
/*
* As we verified sanity of packet headers, this check will
* be always false, but just to be sure we keep it.
*/
if (left < total) {
log_debug("%s: payload malformed: too long for payload "
"(%zu < %zu)", __func__, left, total);
return (-1);
}
log_debug("%s: more %d reserved %d length %d"
" proposal #%d protoid %s spisize %d xforms %d spi %s",
__func__, sap.sap_more, sap.sap_reserved,
betoh16(sap.sap_length), sap.sap_proposalnr,
print_map(sap.sap_protoid, ikev2_saproto_map), sap.sap_spisize,
sap.sap_transforms, print_spi(spi, sap.sap_spisize));
if (ikev2_msg_frompeer(msg)) {
if ((msg->msg_parent->msg_prop = config_add_proposal(props,
sap.sap_proposalnr, sap.sap_protoid)) == NULL) {
log_debug("%s: invalid proposal", __func__);
return (-1);
}
prop = msg->msg_parent->msg_prop;
prop->prop_peerspi.spi = spi;
prop->prop_peerspi.spi_protoid = sap.sap_protoid;
prop->prop_peerspi.spi_size = sap.sap_spisize;
prop->prop_localspi.spi_protoid = sap.sap_protoid;
prop->prop_localspi.spi_size = sap.sap_spisize;
}
/*
* Parse the attached transforms
*/
if (sap.sap_transforms &&
ikev2_pld_xform(env, &sap, msg, offset, total) != 0) {
log_debug("%s: invalid proposal transforms", __func__);
return (-1);
}
return (0);
}
