1 /* identity representation, as in IKE ID Payloads (RFC 2407 DOI 4.6.2.1)
2 * Copyright (C) 1999-2001 D. Hugh Redelmeier
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * RCSID $Id: id.c,v 1.18 2002/03/09 20:45:38 dhr Exp $
20 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <arpa/inet.h>
26 #include "constants.h"
32 #include "connections.h" /* needs id.h */
35 const struct id empty_id; /* all zeros and NULLs */
37 /* Note that there may be as many as four IDs that are temporary at
38 * one time before unsharing the two ends of a connection. So we need
39 * at least four temporary buffers for DER_ASN1_DN IDs.
40 * We rotate them. Be careful!
43 temporary_cyclic_buffer(void)
45 static char buf[4][IDTOA_BUF]; /* four internal buffers */
46 static int counter = 0; /* cyclic counter */
48 if (++counter == 4) counter = 0; /* next internal buffer */
49 return buf[counter]; /* assign temporary buffer */
52 /* Convert textual form of id into a (temporary) struct id.
53 * Note that if the id is to be kept, unshare_id_content will be necessary.
56 atoid(char *src, struct id *id)
62 if (strchr(src, '=') != NULL)
64 /* we interpret this as an ASCII X.501 ID_DER_ASN1_DN */
65 id->kind = ID_DER_ASN1_DN;
66 id->name.ptr = temporary_cyclic_buffer(); /* assign temporary buffer */
68 /* convert from LDAP style or openssl x509 -subject style to ASN.1 DN
69 * discard optional @ character in front of DN
71 ugh = atodn((*src == '@')?src+1:src, &id->name);
73 else if (strchr(src, '@') == NULL)
75 if (streq(src, "%any") || streq(src, "0.0.0.0"))
77 /* any ID will be accepted */
82 /* !!! this test is not sufficient for distinguishing address families.
83 * We need a notation to specify that a FQDN is to be resolved to IPv6.
85 const struct af_info *afi = strchr(src, ':') == NULL
86 ? &af_inet4_info: &af_inet6_info;
88 id->kind = afi->id_addr;
89 ugh = ttoaddr(src, 0, afi->af, &id->ip_addr);
98 /* if there is a second specifier (#) on the line
99 * we interprete this as ID_KEY_ID
101 id->kind = ID_KEY_ID;
103 /* discard @~, convert from hex to bin */
104 ugh = ttodata(src+2, 0, 16, id->name.ptr, strlen(src), &id->name.len);
106 else if (*(src+1) == '~')
108 /* if there is a second specifier (~) on the line
109 * we interprete this as a binary ID_DER_ASN1_DN
111 id->kind = ID_DER_ASN1_DN;
113 /* discard @~, convert from hex to bin */
114 ugh = ttodata(src+2, 0, 16, id->name.ptr, strlen(src), &id->name.len);
119 id->name.ptr = src+1; /* discard @ */
120 id->name.len = strlen(src)-1;
125 /* We leave in @, as per DOI 4.6.2.4
126 * (but DNS wants . instead).
128 id->kind = ID_USER_FQDN;
130 id->name.len = strlen(src);
132 #ifdef INTEROP_CHECKPOINT_FW_4_1
133 /* why couldn't they have used ID_KEY_ID? (violates RFC2407 4.6.2.4) */
134 if (id->kind == ID_USER_FQDN && id->name.len > 0)
136 if (src[id->name.len-1] == '@')
146 * Converts a binary key ID into hexadecimal format
149 keyidtoa(char *dst, size_t dstlen, chunk_t keyid)
154 hex_str(keyid, &str);
155 return (int)(dstlen - str.len);
159 iptoid(const ip_address *ip, struct id *id)
163 switch (addrtypeof(ip))
166 id->kind = ID_IPV4_ADDR;
169 id->kind = ID_IPV6_ADDR;
178 idtoa(const struct id *id, char *dst, size_t dstlen)
185 n = snprintf(dst, dstlen, "(none)");
189 n = (int)addrtot(&id->ip_addr, 0, dst, dstlen) - 1;
192 n = snprintf(dst, dstlen, "@%.*s", (int)id->name.len, id->name.ptr);
195 #ifdef INTEROP_CHECKPOINT_FW_4_1
196 n = snprintf(dst, dstlen, "%.*s%s", (int)id->name.len, id->name.ptr,
197 strchr(id->name.ptr, '@') ? "" : "@");
200 n = snprintf(dst, dstlen, "%.*s", (int)id->name.len, id->name.ptr);
204 n = dntoa(dst, dstlen, id->name);
207 n = keyidtoa(dst, dstlen, id->name);
210 n = snprintf(dst, dstlen, "unknown id kind %d", id->kind);
214 /* "Sanitize" string so that log isn't endangered:
215 * replace unprintable characters with '?'.
219 for ( ; *dst != '\0'; dst++)
227 /* Make private copy of string in struct id.
228 * This is needed if the result of atoid is to be kept.
231 unshare_id_content(struct id *id)
239 id->name.ptr = clone_bytes(id->name.ptr, id->name.len, "keep id name");
251 free_id_content(struct id *id)
270 /* compare two struct id values */
272 same_id(const struct id *a, const struct id *b)
274 if (a->kind != b->kind)
279 return TRUE; /* kind of vacuous */
283 return sameaddr(&a->ip_addr, &b->ip_addr);
287 /* assumption: case should be ignored */
288 return a->name.len == b->name.len
289 && strncasecmp(a->name.ptr, b->name.ptr, a->name.len) == 0;
291 return same_dn(a->name, b->name);
293 /* pretend that it's binary */
294 return a->name.len == b->name.len
295 && memcmp(a->name.ptr, b->name.ptr, a->name.len) == 0;
301 /* build an ID payload
302 * Note: no memory is allocated for the body of the payload (tl->ptr).
303 * We assume it will end up being a pointer into a sufficiently
304 * stable datastructure. It only needs to last a short time.
307 build_id_payload(struct isakmp_ipsec_id *hd, chunk_t *tl, struct end *end)
310 hd->isaiid_idtype = end->id.kind;
311 switch (end->id.kind)
314 hd->isaiid_idtype = aftoinfo(addrtypeof(&end->host_addr))->id_addr;
315 tl->len = addrbytesptr(&end->host_addr
316 , (const unsigned char **)&tl->ptr); /* sets tl->ptr too */
326 tl->len = addrbytesptr(&end->id.ip_addr
327 , (const unsigned char **)&tl->ptr); /* sets tl->ptr too */