Add IPv6 support to fwknop

android/project/jni/config.h

@@ -32,6 +32,9 @@
 /* Path to firewall command executable (it should match the firewall type). */
 #define FIREWALL_EXE "/sbin/iptables"
 
+/* Path to firewall command executable for IPv6 (it should match the firewall type). */
+#define FIREWALL_EXE_IPV6 "/sbin/ip6tables"
+
 /* The firewall type: ipf. */
 /* #undef FIREWALL_IPF */
 

client/config_init.c

@@ -867,9 +867,9 @@ create_fwknoprc(const char *rcfile)
         "#FW_TIMEOUT          30\n"
         "#SPA_SERVER_PORT     62201\n"
         "#SPA_SERVER_PROTO    udp\n"
-        "#ALLOW_IP            <ip addr>\n"
+        "#ALLOW_IP            <IP address>\n"
         "#SPOOF_USER          <username>\n"
-        "#SPOOF_SOURCE_IP     <IPaddr>\n"
+        "#SPOOF_SOURCE_IP     <IP address>\n"
         "#TIME_OFFSET         0\n"
         "#USE_GPG             N\n"
         "#GPG_HOMEDIR         /path/to/.gnupg\n"
@@ -982,7 +982,7 @@ parse_rc_param(fko_cli_options_t *options, const char *var_name, char * val)
         else /* Assume IP address and validate */
         {
             strlcpy(options->allow_ip_str, val, sizeof(options->allow_ip_str));
-            if(! is_valid_ipv4_addr(options->allow_ip_str, strlen(options->allow_ip_str)))
+            if(! is_valid_ip_addr(options->allow_ip_str, strlen(options->allow_ip_str), AF_INET))
                 parse_error = -1;
         }
     }
@@ -1846,7 +1846,8 @@ validate_options(fko_cli_options_t *options)
                 exit(EXIT_FAILURE);
             }
             else if(options->verbose
-                    && strncmp(options->allow_ip_str, "0.0.0.0", strlen("0.0.0.0")) == 0)
+                    && (strncmp(options->allow_ip_str, "0.0.0.0", strlen("0.0.0.0")) == 0
+			    || strncmp(options->allow_ip_str, "::", strlen("::")) == 0))
             {
                 log_msg(LOG_VERBOSITY_WARNING,
                     "[-] WARNING: Should use -a or -R to harden SPA against potential MITM attacks");
@@ -1861,7 +1862,7 @@ validate_options(fko_cli_options_t *options)
     {
         options->resolve_ip_http_https = 0;
 
-        if(! is_valid_ipv4_addr(options->allow_ip_str, strlen(options->allow_ip_str)))
+        if(! is_valid_ip_addr(options->allow_ip_str, strlen(options->allow_ip_str), AF_UNSPEC))
         {
             log_msg(LOG_VERBOSITY_ERROR,
                 "Invalid allow IP specified for SPA access");
@@ -1871,7 +1872,7 @@ validate_options(fko_cli_options_t *options)
 
     if (options->spoof_ip_src_str[0] != 0x00)
     {
-        if(! is_valid_ipv4_addr(options->spoof_ip_src_str, strlen(options->spoof_ip_src_str)))
+        if(! is_valid_ip_addr(options->spoof_ip_src_str, strlen(options->spoof_ip_src_str), AF_UNSPEC))
         {
             log_msg(LOG_VERBOSITY_ERROR, "Invalid spoof IP");
             exit(EXIT_FAILURE);

client/fwknop.c

@@ -774,12 +774,6 @@ set_nat_access(fko_ctx_t ctx, fko_cli_options_t *options, const char * const acc
 
     if (nat_access_buf[0] == 0x0 && options->nat_access_str[0] != 0x0)
     {
-        /* Force the ':' (if any) to a ','
-        */
-        ndx = strchr(options->nat_access_str, ':');
-        if (ndx != NULL)
-            *ndx = ',';
-
         ndx = strchr(options->nat_access_str, ',');
         if (ndx != NULL)
         {
@@ -820,7 +814,7 @@ set_nat_access(fko_ctx_t ctx, fko_cli_options_t *options, const char * const acc
         }
 
 
-        if (is_valid_ipv4_addr(options->nat_access_str, hostlen) || is_valid_hostname(options->nat_access_str, hostlen))
+        if (is_valid_ip_addr(options->nat_access_str, hostlen, AF_UNSPEC) || is_valid_hostname(options->nat_access_str, hostlen))
         {
             snprintf(nat_access_buf, MAX_LINE_LEN, NAT_ACCESS_STR_TEMPLATE,
                 options->nat_access_str, access_port);

client/fwknop_common.h

@@ -87,8 +87,8 @@ typedef struct fko_cli_options
     int  no_save_args;
     int  use_hmac;
     char spa_server_str[MAX_SERVER_STR_LEN];  /* may be a hostname */
-    char allow_ip_str[MAX_IPV4_STR_LEN];
-    char spoof_ip_src_str[MAX_IPV4_STR_LEN];
+    char allow_ip_str[MAX_IPV46_STR_LEN];
+    char spoof_ip_src_str[MAX_IPV46_STR_LEN];
     char spoof_user[MAX_USERNAME_LEN];
     int  rand_port;
     char gpg_recipient_key[MAX_GPG_KEY_ID];

client/http_resolve_host.c

@@ -58,13 +58,12 @@ struct url
 static int
 try_url(struct url *url, fko_cli_options_t *options)
 {
-    int     sock=-1, sock_success=0, res, error, http_buf_len, i;
+    int     sock=-1, sock_success=0, i, res, error, http_buf_len;
     int     bytes_read = 0, position = 0;
-    int     o1, o2, o3, o4;
     struct  addrinfo *result=NULL, *rp, hints;
     char    http_buf[HTTP_MAX_REQUEST_LEN]       = {0};
     char    http_response[HTTP_MAX_RESPONSE_LEN] = {0};
-    char   *ndx;
+    char   *ndx, c;
 
 #ifdef WIN32
     WSADATA wsa_data;
@@ -197,45 +196,47 @@ try_url(struct url *url, fko_cli_options_t *options)
     }
     ndx += 4;
 
-    /* Walk along the content to try to find the end of the IP address.
-     * Note: We are expecting the content to be just an IP address
-     *       (possibly followed by whitespace or other not-digit value).
+     /* Walk along the content to try to find the end of the IP address.
+      * Note: We are expecting the content to be just an IP address
+      *       (possibly followed by whitespace or other not-digit value).
+      */
+     for(i=0; i<MAX_IPV46_STR_LEN; i++) {
+         c = *(ndx+i);
+         if(! isdigit((int)(unsigned char)c) && ! ((c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')) && c != '.' && c != ':')
+             break;
+     }
+
+     /* Terminate at the first non-digit and non-dot.
      */
-    for(i=0; i<MAX_IPV4_STR_LEN; i++) {
-        if(! isdigit((int)(unsigned char)*(ndx+i)) && *(ndx+i) != '.')
-            break;
-    }
-
-    /* Terminate at the first non-digit and non-dot.
-    */
-    *(ndx+i) = '\0';
-
-    /* Now that we have what we think is an IP address string.  We make
-     * sure the format and values are sane.
-     */
-    if((sscanf(ndx, "%u.%u.%u.%u", &o1, &o2, &o3, &o4)) == 4
-            && o1 >= 0 && o1 <= 255
-            && o2 >= 0 && o2 <= 255
-            && o3 >= 0 && o3 <= 255
-            && o4 >= 0 && o4 <= 255)
-    {
-        strlcpy(options->allow_ip_str, ndx, sizeof(options->allow_ip_str));
-
-        log_msg(LOG_VERBOSITY_INFO,
-                    "\n[+] Resolved external IP (via http://%s%s) as: %s",
-                    url->host,
-                    url->path,
-                    options->allow_ip_str);
+     *(ndx+i) = '\0';
 
-        return(1);
-    }
-    else
+    /* Try to parse the content as an IP address. */
+    memset(&hints, 0, sizeof(struct addrinfo));
+    hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */
+    hints.ai_flags  = AI_NUMERICHOST | AI_CANONNAME;
+    error = getaddrinfo(ndx, NULL, &hints, &result);
+    if (error != 0)
     {
         log_msg(LOG_VERBOSITY_ERROR,
             "[-] From http://%s%s\n    Invalid IP (%s) in HTTP response:\n\n%s",
             url->host, url->path, ndx, http_response);
         return(-1);
     }
+    for (rp = result; rp != NULL; rp = rp->ai_next) {
+	/* the canonical value is in the first structure returned */
+	strlcpy(options->allow_ip_str,
+	        rp->ai_canonname, sizeof(options->allow_ip_str));
+	break;
+    }
+    freeaddrinfo(result);
+
+    log_msg(LOG_VERBOSITY_INFO,
+                "\n[+] Resolved external IP (via http://%s%s) as: %s",
+                url->host,
+                url->path,
+                options->allow_ip_str);
+
+    return(1);
 }
 
 static int
@@ -323,8 +324,9 @@ parse_url(char *res_url, struct url* url)
 int
 resolve_ip_https(fko_cli_options_t *options)
 {
-    int     o1, o2, o3, o4, got_resp=0, i=0;
-    char   *ndx, resp[MAX_IPV4_STR_LEN+1] = {0};
+    int     got_resp=0, error;
+    char    resp[MAX_IPV4_STR_LEN+1] = {0};
+    struct  addrinfo *result=NULL, *rp, hints;
     struct  url url; /* for validation only */
     char    wget_ssl_cmd[MAX_URL_PATH_LEN] = {0};  /* for verbose logging only */
 
@@ -493,32 +495,35 @@ resolve_ip_https(fko_cli_options_t *options)
     pclose(wget);
 #endif
 
-    if(got_resp)
+    if(! got_resp)
     {
-        ndx = resp;
-        for(i=0; i<MAX_IPV4_STR_LEN; i++) {
-            if(! isdigit((int)(unsigned char)*(ndx+i)) && *(ndx+i) != '.')
-                break;
-        }
-        *(ndx+i) = '\0';
-
-        if((sscanf(ndx, "%u.%u.%u.%u", &o1, &o2, &o3, &o4)) == 4
-                && o1 >= 0 && o1 <= 255
-                && o2 >= 0 && o2 <= 255
-                && o3 >= 0 && o3 <= 255
-                && o4 >= 0 && o4 <= 255)
-        {
-            strlcpy(options->allow_ip_str, ndx, sizeof(options->allow_ip_str));
+        log_msg(LOG_VERBOSITY_ERROR,
+            "[-] Could not resolve IP via: '%s'", wget_ssl_cmd);
+        return -1;
+    }
 
-            log_msg(LOG_VERBOSITY_INFO,
-                        "\n[+] Resolved external IP (via '%s') as: %s",
-                        wget_ssl_cmd, options->allow_ip_str);
-            return 1;
-        }
+    memset(&hints, 0, sizeof(struct addrinfo));
+    hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */
+    hints.ai_flags  = AI_NUMERICHOST | AI_CANONNAME;
+    error = getaddrinfo(resp, NULL, &hints, &result);
+    if (error != 0)
+    {
+        log_msg(LOG_VERBOSITY_ERROR,
+            "[-] Could not resolve IP via: '%s'", wget_ssl_cmd);
+        return(-1);
     }
-    log_msg(LOG_VERBOSITY_ERROR,
-        "[-] Could not resolve IP via: '%s'", wget_ssl_cmd);
-    return -1;
+    for (rp = result; rp != NULL; rp = rp->ai_next) {
+	/* the canonical value is in the first structure returned */
+	strlcpy(options->allow_ip_str,
+	        rp->ai_canonname, sizeof(options->allow_ip_str));
+	break;
+    }
+    freeaddrinfo(result);
+
+    log_msg(LOG_VERBOSITY_INFO,
+		"\n[+] Resolved external IP (via '%s') as: %s",
+		wget_ssl_cmd, options->allow_ip_str);
+    return 1;
 }
 
 int