Provided by: openswan_2.6.38-1_amd64 
NAME
ipsec_ttosa, ipsec_satot, ipsec_initsaid - convert IPsec Security Association IDs to and
from text, initialize an SA ID
SYNOPSIS
#include <freeswan.h>
typedef struct {
ip_address dst;
ipsec_spi_t spi;
int proto;
} ip_said;
const char *ttosa(const char *src, size_t srclen,
ip_said *sa);
size_t satot(const ip_said *sa, int format,
char *dst, size_t dstlen);
void initsaid(const ip_address *addr, ipsec_spi_t spi,
int proto, ip_said *dst);
DESCRIPTION
Ttosa converts an ASCII Security Association (SA) specifier into an ip_said structure
(containing a destination-host address in network byte order, an SPI number in network
byte order, and a protocol code). Satot does the reverse conversion, back to a text SA
specifier. Initsaid initializes an ip_said from separate items of information.
An SA is specified in text with a mail-like syntax, e.g. esp.5a7@1.2.3.4. An SA
specifier contains a protocol prefix (currently ah, esp, tun, comp, or int), a single
character indicating the address family (. for IPv4, : for IPv6), an unsigned integer SPI
number in hexadecimal (with no 0x prefix), and an IP address. The IP address can be any
form accepted by ipsec_ttoaddr(3), e.g. dotted-decimal IPv4 address, colon-hex IPv6
address, or DNS name.
As a special case, the SA specifier %passthrough4 or %passthrough6 signifies the special
SA used to indicate that packets should be passed through unaltered. (At present, these
are synonyms for tun.0@0.0.0.0 and tun:0@:: respectively, but that is subject to change
without notice.) %passthrough is a historical synonym for %passthrough4. These forms are
known to both ttosa and satot, so the internal representation is never visible.
Similarly, the SA specifiers %pass, %drop, %reject, %hold, %trap, and %trapsubnet signify
special ``magic'' SAs used to indicate that packets should be passed, dropped, rejected
(dropped with ICMP notification), held, and trapped (sent up to ipsec_pluto(8), with
either of two forms of %hold automatically installed) respectively. These forms too are
known to both routines, so the internal representation of the magic SAs should never be
visible.
The <freeswan.h> header file supplies the ip_said structure, as well as a data type
ipsec_spi_t which is an unsigned 32-bit integer. (There is no consistency between kernel
and user on what such a type is called, hence the header hides the differences.)
The protocol code uses the same numbers that IP does. For user convenience, given the
difficulty in acquiring the exact set of protocol names used by the kernel, <freeswan.h>
defines the names SA_ESP, SA_AH, SA_IPIP, and SA_COMP to have the same values as the
kernel names IPPROTO_ESP, IPPROTO_AH, IPPROTO_IPIP, and IPPROTO_COMP.
<freeswan.h> also defines SA_INT to have the value 61 (reserved by IANA for ``any host
internal protocol'') and SPI_PASS, SPI_DROP, SPI_REJECT, SPI_HOLD, and SPI_TRAP to have
the values 256-260 (in host byte order) respectively. These are used in constructing the
magic SAs (which always have address 0.0.0.0).
If satot encounters an unknown protocol code, e.g. 77, it yields output using a prefix
showing the code numerically, e.g. ``unk77''. This form is not recognized by ttosa.
The srclen parameter of ttosa specifies the length of the string pointed to by src; it is
an error for there to be anything else (e.g., a terminating NUL) within that length. As a
convenience for cases where an entire NUL-terminated string is to be converted, a srclen
value of 0 is taken to mean strlen(src).
The dstlen parameter of satot specifies the size of the dst parameter; under no
circumstances are more than dstlen bytes written to dst. A result which will not fit is
truncated. Dstlen can be zero, in which case dst need not be valid and no result is
written, but the return value is unaffected; in all other cases, the (possibly truncated)
result is NUL-terminated. The <freeswan.h> header file defines a constant, SATOT_BUF,
which is the size of a buffer just large enough for worst-case results.
The format parameter of satot specifies what format is to be used for the conversion. The
value 0 (not the ASCII character '0', but a zero value) specifies a reasonable default
(currently lowercase protocol prefix, lowercase hexadecimal SPI, dotted-decimal or colon-
hex address). The value 'f' is similar except that the SPI is padded with 0s to a fixed
32-bit width, to ease aligning displayed tables.
Ttosa returns NULL for success and a pointer to a string-literal error message for
failure; see DIAGNOSTICS. Satot returns 0 for a failure, and otherwise always returns the
size of buffer which would be needed to accommodate the full conversion result, including
terminating NUL; it is the caller's responsibility to check this against the size of the
provided buffer to determine whether truncation has occurred.
There is also, temporarily, support for some obsolete forms of SA specifier which lack the
address-family indicator.
SEE ALSO
ipsec_ttoul(3), ipsec_ttoaddr(3), ipsec_samesaid(3), inet(3)
DIAGNOSTICS
Fatal errors in ttosa are: empty input; input too small to be a legal SA specifier; no @
in input; unknown protocol prefix; conversion error in ttoul or ttoaddr.
Fatal errors in satot are: unknown format.
HISTORY
Written for the FreeS/WAN project by Henry Spencer.
BUGS
The restriction of text-to-binary error reports to literal strings (so that callers don't
need to worry about freeing them or copying them) does limit the precision of error
reporting.
The text-to-binary error-reporting convention lends itself to slightly obscure code,
because many readers will not think of NULL as signifying success. A good way to make it
clearer is to write something like:
const char *error;
error = ttosa( /* ... */ );
if (error != NULL) {
/* something went wrong */
26 Nov 2001 IPSEC_TTOSA(3)