#include <sys/types.h>
#include <sys/stat.h>
#include <ipsec_util.h>
#include <stdlib.h>
#include <strings.h>
#include <netdb.h>
#include <fcntl.h>
#include <unistd.h>
#include <libintl.h>
#include <errno.h>
static char *preamble =
"# /etc/inet/ipsecalgs output from ipsecalgs(8)\n"
"#\n"
"# DO NOT EDIT OR PARSE THIS FILE!\n"
"#\n"
"# Use the ipsecalgs(8) command to change the contents of this file.\n"
"# The algorithm descriptions contained in this file are synchronised to the\n"
"# kernel with ipsecalgs -s, the kernel validates the entries at this point."
"\n\n"
"# PROTO|protocol-id|protocol-name|exec-mode\n"
"## NOTE: Some protocol numbers are well-known and defined in <netdb.h>\n\n"
"# ALG|protocol-id|alg-id|name,name,...|ef-id| \n"
"# {default/}{key,key..}or{key-key,inc}|block_size or MAC-size|\n"
"# [parameter,parameter..]|[flags]\n\n"
"#\n"
"## Note: Parameters and flags only apply to certain algorithms.\n\n";
#define CFG_PERMS S_IRUSR | S_IRGRP | S_IROTH
#define CFG_OWNER 0
#define CFG_GROUP 1
#define FPRINTF_ERR(fcall) if ((fcall) < 0) { \
rc = LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE; \
goto bail; \
}
#define FPUT_ERR(fcall) if ((fcall) == EOF) { \
rc = LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE; \
goto bail; \
}
#define PKG_SEC_START(pkgname, doing_pkg, cur_pkg) { \
(void) strcpy((cur_pkg), (pkgname)); \
FPRINTF_ERR(fprintf(f, "%s%s\n", \
LIBIPSEC_ALGS_LINE_PKGSTART, (cur_pkg))); \
(doing_pkg) = B_TRUE; \
}
#define PKG_SEC_END(doing_pkg, cur_pkg) { \
if (doing_pkg) { \
FPRINTF_ERR(fprintf(f, "%s%s\n", \
LIBIPSEC_ALGS_LINE_PKGEND, (cur_pkg))); \
(doing_pkg) = B_FALSE; \
} \
}
int
list_ints(FILE *f, int *floater)
{
boolean_t executed = B_FALSE;
while (*floater != 0) {
executed = B_TRUE;
if (fprintf(f, "%d", *floater) < 0)
return (-1);
if (*(++floater) != 0)
if (fputc(',', f) == EOF)
return (-1);
}
if (!executed)
if (fputc('0', f) == EOF)
return (-1);
return (0);
}
static char *
alg_has_pkg(ipsec_proto_t *proto, struct ipsecalgent *alg)
{
int i;
if (proto->proto_algs_pkgs == NULL)
return (NULL);
for (i = 0; i < proto->proto_algs_npkgs; i++)
if (proto->proto_algs_pkgs[i].alg_num == alg->a_alg_num)
return (proto->proto_algs_pkgs[i].pkg_name);
return (NULL);
}
static int
pkg_section(FILE *f, char *pkg_name, boolean_t *doing_pkg, char *cur_pkg)
{
int rc = 0;
if (pkg_name != NULL) {
if (!*doing_pkg) {
PKG_SEC_START(pkg_name, *doing_pkg, cur_pkg);
} else {
if (strcmp(pkg_name, cur_pkg) != 0) {
PKG_SEC_END(*doing_pkg, cur_pkg);
PKG_SEC_START(pkg_name, *doing_pkg, cur_pkg);
}
}
} else if (*doing_pkg) {
PKG_SEC_END(*doing_pkg, cur_pkg);
}
bail:
return (rc);
}
static int
write_new_algfile(ipsec_proto_t *protos, int num_protos)
{
FILE *f;
int fd, i, j, k;
int rc = 0;
struct ipsecalgent *alg;
char cur_pkg[1024];
boolean_t doing_pkg = B_FALSE;
char *alg_pkg;
char tmp_name_template[] = INET_IPSECALGSPATH "ipsecalgsXXXXXX";
char *tmp_name;
tmp_name = mktemp(tmp_name_template);
fd = open(tmp_name, O_WRONLY|O_CREAT|O_EXCL, CFG_PERMS);
if (fd == -1) {
rc = LIBIPSEC_ALGS_DIAG_ALGSFILEOPEN;
goto bail;
}
f = fdopen(fd, "w");
if (f == NULL) {
(void) close(fd);
rc = LIBIPSEC_ALGS_DIAG_ALGSFILEFDOPEN;
goto bail;
}
FPUT_ERR(fputs(preamble, f));
for (i = 0; i < num_protos; i++) {
rc = pkg_section(f, protos[i].proto_pkg, &doing_pkg, cur_pkg);
if (rc != 0)
goto bail;
FPRINTF_ERR(fprintf(f, "%s%d|%s|",
LIBIPSEC_ALGS_LINE_PROTO,
protos[i].proto_num, protos[i].proto_name));
switch (protos[i].proto_exec_mode) {
case LIBIPSEC_ALGS_EXEC_SYNC:
FPRINTF_ERR(fprintf(f, "sync\n"));
break;
case LIBIPSEC_ALGS_EXEC_ASYNC:
FPRINTF_ERR(fprintf(f, "async\n"));
break;
}
}
PKG_SEC_END(doing_pkg, cur_pkg);
FPUT_ERR(fputs("\n", f));
for (i = 0; i < num_protos; i++) {
for (j = 0; j < protos[i].proto_numalgs; j++) {
alg = protos[i].proto_algs[j];
alg_pkg = alg_has_pkg(&protos[i], alg);
rc = pkg_section(f, alg_pkg, &doing_pkg, cur_pkg);
if (rc != 0)
goto bail;
FPRINTF_ERR(fprintf(f, "%s%d|%d|",
LIBIPSEC_ALGS_LINE_ALG,
alg->a_proto_num, alg->a_alg_num));
for (k = 0; alg->a_names[k] != NULL; k++) {
FPRINTF_ERR(fprintf(f, "%s", alg->a_names[k]));
if (alg->a_names[k+1] != NULL)
FPRINTF_ERR(fprintf(f, ","));
}
FPRINTF_ERR(fprintf(f, "|%s|", alg->a_mech_name));
if (alg->a_key_increment == 0) {
if (list_ints(f, alg->a_key_sizes) == -1) {
rc = LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE;
goto bail;
}
} else {
FPRINTF_ERR(fprintf(f, "%d/%d-%d,%d",
alg->a_key_sizes[0], alg->a_key_sizes[1],
alg->a_key_sizes[2], alg->a_key_increment));
}
FPUT_ERR(fputc('|', f));
if (list_ints(f, alg->a_block_sizes) == -1) {
rc = LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE;
goto bail;
}
FPUT_ERR(fputc('|', f));
if (list_ints(f, alg->a_mech_params) == -1) {
rc = LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE;
goto bail;
}
FPRINTF_ERR(fprintf(f, "|%d\n", alg->a_alg_flags));
}
}
PKG_SEC_END(doing_pkg, cur_pkg);
if (fchmod(fd, CFG_PERMS) == -1) {
rc = LIBIPSEC_ALGS_DIAG_ALGSFILECHMOD;
goto bail;
}
if (fchown(fd, CFG_OWNER, CFG_GROUP) == -1) {
rc = LIBIPSEC_ALGS_DIAG_ALGSFILECHOWN;
goto bail;
}
if (fclose(f) == EOF) {
rc = LIBIPSEC_ALGS_DIAG_ALGSFILECLOSE;
goto bail;
}
if (rename(tmp_name, INET_IPSECALGSFILE) == -1)
rc = LIBIPSEC_ALGS_DIAG_ALGSFILERENAME;
bail:
_clean_trash(protos, num_protos);
return (rc);
}
static ipsec_proto_t *
proto_setup(ipsec_proto_t **protos, int *num_protos, int proto_num,
boolean_t cleanup)
{
int i;
ipsec_proto_t *current_proto, *ret_proto = NULL;
_build_internal_algs(protos, num_protos);
if (*protos == NULL)
return (NULL);
for (i = 0; i < *num_protos; i++) {
current_proto = (*protos) + i;
if (current_proto->proto_num == proto_num) {
ret_proto = current_proto;
break;
}
}
if (ret_proto == NULL) {
if (cleanup)
_clean_trash(*protos, *num_protos);
}
return (ret_proto);
}
static boolean_t
delipsecalgbyname_common(const char *name, ipsec_proto_t *proto,
boolean_t delete_it)
{
int i;
char **name_check;
boolean_t found_match = B_FALSE;
for (i = 0; i < proto->proto_numalgs; i++) {
if (!found_match) {
for (name_check =
proto->proto_algs[i]->a_names;
*name_check != NULL; name_check++) {
if (strcmp(*name_check, name) == 0) {
found_match = B_TRUE;
if (!delete_it)
return (found_match);
freeipsecalgent(proto->proto_algs[i]);
break;
}
}
} else {
proto->proto_algs[i - 1] = proto->proto_algs[i];
}
}
if (found_match)
proto->proto_numalgs--;
return (found_match);
}
static boolean_t
sizes_match(int *a1, int *a2)
{
int i;
for (i = 0; (a1[i] != 0) && (a2[i] != 0); i++) {
if (a1[i] != a2[i])
return (B_FALSE);
}
if ((a1[i] != 0) || (a2[i] != 0))
return (B_FALSE);
return (B_TRUE);
}
static boolean_t
ipsecalg_exists(struct ipsecalgent *newbie, ipsec_proto_t *proto)
{
struct ipsecalgent *curalg;
char **curname, **newbiename;
int i;
boolean_t match;
for (i = 0; i < proto->proto_numalgs; i++) {
curalg = proto->proto_algs[i];
if (curalg->a_alg_num != newbie->a_alg_num)
continue;
if (curalg->a_key_increment != newbie->a_key_increment)
continue;
if (strcmp(curalg->a_mech_name, newbie->a_mech_name) != 0)
continue;
curname = curalg->a_names;
newbiename = newbie->a_names;
match = B_TRUE;
while ((*curname != NULL) && (*newbiename != NULL) && match) {
match = (strcmp(*curname, *newbiename) == 0);
curname++;
newbiename++;
}
if (!match || (*curname != NULL) || (*newbiename != NULL))
continue;
if (!sizes_match(curalg->a_block_sizes, newbie->a_block_sizes))
continue;
if (!sizes_match(curalg->a_key_sizes, newbie->a_key_sizes))
continue;
return (B_TRUE);
}
return (B_FALSE);
}
int
addipsecalg(struct ipsecalgent *newbie, uint_t flags)
{
ipsec_proto_t *protos, *current_proto;
struct ipsecalgent *clone, **holder;
int num_protos, i;
char **name_check;
boolean_t forced_add = (flags & LIBIPSEC_ALGS_ADD_FORCE) != 0;
boolean_t found_match;
if ((current_proto = proto_setup(&protos, &num_protos,
newbie->a_proto_num, B_TRUE)) == NULL)
return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
if (ipsecalg_exists(newbie, current_proto))
return (0);
for (name_check = newbie->a_names; *name_check != NULL; name_check++) {
found_match = delipsecalgbyname_common(*name_check,
current_proto, forced_add);
if (found_match && !forced_add) {
_clean_trash(protos, num_protos);
return (LIBIPSEC_ALGS_DIAG_ALG_EXISTS);
}
}
for (i = 0; i < current_proto->proto_numalgs; i++) {
if (current_proto->proto_algs[i]->a_alg_num ==
newbie->a_alg_num) {
if (flags & LIBIPSEC_ALGS_ADD_FORCE) {
clone = _duplicate_alg(newbie);
if (clone != NULL) {
freeipsecalgent(
current_proto->proto_algs[i]);
current_proto->proto_algs[i] = clone;
return (write_new_algfile(protos,
num_protos));
} else {
_clean_trash(protos, num_protos);
return (LIBIPSEC_ALGS_DIAG_NOMEM);
}
} else {
_clean_trash(protos, num_protos);
return (LIBIPSEC_ALGS_DIAG_ALG_EXISTS);
}
}
}
holder = realloc(current_proto->proto_algs,
sizeof (struct ipsecalgent *) * (i + 1));
if (holder == NULL) {
_clean_trash(protos, num_protos);
return (LIBIPSEC_ALGS_DIAG_NOMEM);
}
clone = _duplicate_alg(newbie);
if (clone == NULL) {
free(holder);
_clean_trash(protos, num_protos);
return (LIBIPSEC_ALGS_DIAG_NOMEM);
}
current_proto->proto_numalgs++;
current_proto->proto_algs = holder;
current_proto->proto_algs[i] = clone;
return (write_new_algfile(protos, num_protos));
}
int
delipsecalgbyname(const char *name, int proto_num)
{
ipsec_proto_t *protos, *current_proto;
int num_protos;
if ((current_proto = proto_setup(&protos, &num_protos, proto_num,
B_TRUE)) == NULL)
return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
if (delipsecalgbyname_common(name, current_proto, B_TRUE))
return (write_new_algfile(protos, num_protos));
_clean_trash(protos, num_protos);
return (LIBIPSEC_ALGS_DIAG_UNKN_ALG);
}
int
delipsecalgbynum(int alg_num, int proto_num)
{
ipsec_proto_t *protos, *current_proto;
int i, num_protos;
boolean_t found_match = B_FALSE;
if ((current_proto = proto_setup(&protos, &num_protos, proto_num,
B_TRUE)) == NULL)
return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
for (i = 0; i < current_proto->proto_numalgs; i++) {
if (!found_match) {
if (current_proto->proto_algs[i]->a_alg_num ==
alg_num) {
found_match = B_TRUE;
freeipsecalgent(current_proto->proto_algs[i]);
}
} else {
current_proto->proto_algs[i - 1] =
current_proto->proto_algs[i];
}
}
if (found_match) {
current_proto->proto_numalgs--;
return (write_new_algfile(protos, num_protos));
}
_clean_trash(protos, num_protos);
return (LIBIPSEC_ALGS_DIAG_UNKN_ALG);
}
static void
delipsecproto_common(ipsec_proto_t *protos, int num_protos,
ipsec_proto_t *proto)
{
int i;
free(proto->proto_name);
for (i = 0; i < proto->proto_numalgs; i++)
freeipsecalgent(proto->proto_algs[i]);
for (i = (proto - protos + 1); i < num_protos; i++)
protos[i - 1] = protos[i];
}
int
addipsecproto(const char *proto_name, int proto_num,
ipsecalgs_exec_mode_t proto_exec_mode, uint_t flags)
{
ipsec_proto_t *protos, *current_proto, *new_proto;
int i, num_protos;
current_proto = proto_setup(&protos, &num_protos, proto_num, B_FALSE);
if (current_proto != NULL) {
if ((strcmp(proto_name, current_proto->proto_name) == 0) &&
(proto_exec_mode == current_proto->proto_exec_mode)) {
return (0);
}
if (!(flags & LIBIPSEC_ALGS_ADD_FORCE))
return (LIBIPSEC_ALGS_DIAG_PROTO_EXISTS);
delipsecproto_common(protos, num_protos--, current_proto);
}
for (i = 0; i < num_protos; i++) {
if (strcmp(protos[i].proto_name, proto_name) == 0) {
if (!(flags & LIBIPSEC_ALGS_ADD_FORCE))
return (LIBIPSEC_ALGS_DIAG_PROTO_EXISTS);
delipsecproto_common(protos, num_protos--, &protos[i]);
break;
}
}
num_protos++;
new_proto = realloc(protos, num_protos *
sizeof (ipsec_proto_t));
if (new_proto == NULL) {
_clean_trash(protos, num_protos - 1);
return (LIBIPSEC_ALGS_DIAG_NOMEM);
}
protos = new_proto;
new_proto += (num_protos - 1);
new_proto->proto_num = proto_num;
new_proto->proto_numalgs = 0;
new_proto->proto_algs = NULL;
new_proto->proto_name = strdup(proto_name);
if (new_proto->proto_name == NULL) {
_clean_trash(protos, num_protos);
return (LIBIPSEC_ALGS_DIAG_NOMEM);
}
new_proto->proto_pkg = NULL;
new_proto->proto_algs_pkgs = NULL;
new_proto->proto_algs_npkgs = 0;
new_proto->proto_exec_mode = proto_exec_mode;
return (write_new_algfile(protos, num_protos));
}
int
delipsecprotobynum(int proto_num)
{
ipsec_proto_t *protos, *current_proto;
int num_protos;
if ((current_proto = proto_setup(&protos, &num_protos, proto_num,
B_TRUE)) == NULL)
return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
delipsecproto_common(protos, num_protos--, current_proto);
return (write_new_algfile(protos, num_protos));
}
int
delipsecprotobyname(const char *proto_name)
{
int proto_num;
proto_num = getipsecprotobyname(proto_name);
if (proto_num == -1)
return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
return (delipsecprotobynum(proto_num));
}
int *
getipsecprotos(int *nentries)
{
return (_real_getipsecprotos(nentries));
}
int *
getipsecalgs(int *nentries, int proto_num)
{
return (_real_getipsecalgs(nentries, proto_num));
}
const char *
ipsecalgs_diag(int diag)
{
switch (diag) {
case LIBIPSEC_ALGS_DIAG_ALG_EXISTS:
return (dgettext(TEXT_DOMAIN, "Algorithm already exists"));
case LIBIPSEC_ALGS_DIAG_PROTO_EXISTS:
return (dgettext(TEXT_DOMAIN, "Protocol already exists"));
case LIBIPSEC_ALGS_DIAG_UNKN_PROTO:
return (dgettext(TEXT_DOMAIN, "Unknown protocol"));
case LIBIPSEC_ALGS_DIAG_UNKN_ALG:
return (dgettext(TEXT_DOMAIN, "Unknown algorithm"));
case LIBIPSEC_ALGS_DIAG_NOMEM:
return (dgettext(TEXT_DOMAIN, "Out of memory"));
case LIBIPSEC_ALGS_DIAG_ALGSFILEOPEN:
return (dgettext(TEXT_DOMAIN, "open() failed"));
case LIBIPSEC_ALGS_DIAG_ALGSFILEFDOPEN:
return (dgettext(TEXT_DOMAIN, "fdopen() failed"));
case LIBIPSEC_ALGS_DIAG_ALGSFILELOCK:
return (dgettext(TEXT_DOMAIN, "lockf() failed"));
case LIBIPSEC_ALGS_DIAG_ALGSFILERENAME:
return (dgettext(TEXT_DOMAIN, "rename() failed"));
case LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE:
return (dgettext(TEXT_DOMAIN, "write to file failed"));
case LIBIPSEC_ALGS_DIAG_ALGSFILECHMOD:
return (dgettext(TEXT_DOMAIN, "chmod() failed"));
case LIBIPSEC_ALGS_DIAG_ALGSFILECHOWN:
return (dgettext(TEXT_DOMAIN, "chown() failed"));
case LIBIPSEC_ALGS_DIAG_ALGSFILECLOSE:
return (dgettext(TEXT_DOMAIN, "close() failed"));
default:
return (dgettext(TEXT_DOMAIN, "failed"));
}
}
int
ipsecproto_get_exec_mode(int proto_num, ipsecalgs_exec_mode_t *exec_mode)
{
ipsec_proto_t *protos, *current_proto;
int num_protos;
if ((current_proto = proto_setup(&protos, &num_protos, proto_num,
B_TRUE)) == NULL)
return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
*exec_mode = current_proto->proto_exec_mode;
_clean_trash(protos, num_protos);
return (0);
}
int
ipsecproto_set_exec_mode(int proto_num, ipsecalgs_exec_mode_t exec_mode)
{
ipsec_proto_t *protos, *current_proto;
int num_protos;
if ((current_proto = proto_setup(&protos, &num_protos, proto_num,
B_TRUE)) == NULL)
return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
current_proto->proto_exec_mode = exec_mode;
return (write_new_algfile(protos, num_protos));
}
