summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/config.h.in138
-rw-r--r--src/cryptopANT.c847
-rw-r--r--src/cryptopANT.h92
-rw-r--r--src/scramble_ips.c487
4 files changed, 1564 insertions, 0 deletions
diff --git a/src/config.h.in b/src/config.h.in
new file mode 100644
index 0000000..dfbc598
--- /dev/null
+++ b/src/config.h.in
@@ -0,0 +1,138 @@
+/* src/config.h.in. Generated from configure.ac by autoheader. */
+
+/* Define if building universal (internal helper macro) */
+#undef AC_APPLE_UNIVERSAL_BUILD
+
+/* Define to 1 if you have the <dlfcn.h> header file. */
+#undef HAVE_DLFCN_H
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#undef HAVE_INTTYPES_H
+
+/* Define to 1 if you have the `crypto' library (-lcrypto). */
+#undef HAVE_LIBCRYPTO
+
+/* Define to 1 if you have the <openssl/aes.h> header file. */
+#undef HAVE_OPENSSL_AES_H
+
+/* Define to 1 if you have the <openssl/blowfish.h> header file. */
+#undef HAVE_OPENSSL_BLOWFISH_H
+
+/* Define to 1 if you have the <openssl/core_names.h> header file. */
+#undef HAVE_OPENSSL_CORE_NAMES_H
+
+/* Define to 1 if you have the <openssl/err.h> header file. */
+#undef HAVE_OPENSSL_ERR_H
+
+/* Define to 1 if you have the <openssl/evp.h> header file. */
+#undef HAVE_OPENSSL_EVP_H
+
+/* Define to 1 if you have the <openssl/md5.h> header file. */
+#undef HAVE_OPENSSL_MD5_H
+
+/* Define to 1 if you have the <openssl/provider.h> header file. */
+#undef HAVE_OPENSSL_PROVIDER_H
+
+/* Define to 1 if you have the <openssl/sha.h> header file. */
+#undef HAVE_OPENSSL_SHA_H
+
+/* Define to 1 if you have the `regcomp' function. */
+#undef HAVE_REGCOMP
+
+/* Define to 1 if you have the `regexec' function. */
+#undef HAVE_REGEXEC
+
+/* Define to 1 if you have the <regex.h> header file. */
+#undef HAVE_REGEX_H
+
+/* S6_ADDR32 is present in in6_addr when defined */
+#undef HAVE_S6_ADDR32
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#undef HAVE_STDINT_H
+
+/* Define to 1 if you have the <stdio.h> header file. */
+#undef HAVE_STDIO_H
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#undef HAVE_STDLIB_H
+
+/* Define to 1 if you have the <strings.h> header file. */
+#undef HAVE_STRINGS_H
+
+/* Define to 1 if you have the <string.h> header file. */
+#undef HAVE_STRING_H
+
+/* Define to 1 if you have the `strlcpy' function. */
+#undef HAVE_STRLCPY
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#undef HAVE_SYS_STAT_H
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#undef HAVE_SYS_TYPES_H
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#undef HAVE_UNISTD_H
+
+/* U6_ADDR32 is present in in6_addr when defined */
+#undef HAVE__U6_ADDR32
+
+/* Define to the sub-directory where libtool stores uninstalled libraries. */
+#undef LT_OBJDIR
+
+/* Name of package */
+#undef PACKAGE
+
+/* Define to the address where bug reports for this package should be sent. */
+#undef PACKAGE_BUGREPORT
+
+/* Define to the full name of this package. */
+#undef PACKAGE_NAME
+
+/* Define to the full name and version of this package. */
+#undef PACKAGE_STRING
+
+/* Define to the one symbol short name of this package. */
+#undef PACKAGE_TARNAME
+
+/* Define to the home page for this package. */
+#undef PACKAGE_URL
+
+/* Define to the version of this package. */
+#undef PACKAGE_VERSION
+
+/* Define to 1 if all of the C90 standard headers exist (not just the ones
+ required in a freestanding environment). This macro is provided for
+ backward compatibility; new code need not use it. */
+#undef STDC_HEADERS
+
+/* Version number of package */
+#undef VERSION
+
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+ significant byte first (like Motorola and SPARC, unlike Intel). */
+#if defined AC_APPLE_UNIVERSAL_BUILD
+# if defined __BIG_ENDIAN__
+# define WORDS_BIGENDIAN 1
+# endif
+#else
+# ifndef WORDS_BIGENDIAN
+# undef WORDS_BIGENDIAN
+# endif
+#endif
+
+/* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>,
+ <pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
+ #define below would cause a syntax error. */
+#undef _UINT32_T
+
+/* Define to empty if `const' does not conform to ANSI C. */
+#undef const
+
+/* Define to `unsigned int' if <sys/types.h> does not define. */
+#undef size_t
+
+/* Define to the type of an unsigned integer type of width exactly 32 bits if
+ such a type exists and the standard includes do not define it. */
+#undef uint32_t
diff --git a/src/cryptopANT.c b/src/cryptopANT.c
new file mode 100644
index 0000000..e140f24
--- /dev/null
+++ b/src/cryptopANT.c
@@ -0,0 +1,847 @@
+/* -*- Mode:C; c-basic-offset:8; tab-width:8; indent-tabs-mode:t -*- */
+/*
+ * Copyright (C) 2004-2024 by the University of Southern California
+ * $Id: cdc84b9fca5b7bc01d665de67bbe6358d0a8131f $
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+#include <stdio.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <netinet/in.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <ctype.h>
+#include <stdlib.h>
+
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <assert.h>
+
+#include <openssl/evp.h>
+#include <openssl/md5.h>
+#include <openssl/blowfish.h>
+#include <openssl/sha.h>
+#include <openssl/aes.h>
+#include <openssl/err.h>
+#include <openssl/core_names.h>
+#include <openssl/provider.h>
+
+#include "cryptopANT.h"
+#include "config.h"
+
+#define MAX_BLK_LENGTH 32
+#define CACHE_BITS 24 /* How many bits of IPv4 we cache, cannot be zero */
+#define BF_KEYLEN 16 /* bytes */
+
+#define TEST_CACHE 0
+
+#define RESET_ETHER_MCAST(p) (*(char*)(p) &= 0xfe)
+
+#ifndef MAX
+#define MAX(a,b) ((a) > (b) ? (a) : (b))
+#endif
+
+#if HAVE__U6_ADDR32
+#define s6_addr32 __u6_addr.__u6_addr32
+#endif
+
+//determined by autoconf
+#ifdef WORDS_BIGENDIAN
+//sigh, older version of the code was not byte-order safe; this is needed
+//to ensure backward compatibility AND compatibility with BE-systems.
+#include <byteswap.h>
+#define cryptopant_swap32(x) bswap_32(x)
+#else
+#define cryptopant_swap32(x) (x)
+#endif
+
+typedef struct ipv4_hash_blk_ {
+ uint32_t ip4;
+ uint8_t pad[MAX_BLK_LENGTH - sizeof(uint32_t)];
+} ipv4_hash_blk_t;
+
+typedef struct ipv6_hash_blk_ {
+ struct in6_addr ip6;
+ uint8_t pad[MAX_BLK_LENGTH - sizeof(struct in6_addr)];
+} ipv6_hash_blk_t;
+
+
+uint8_t scramble_ether_addr[ETHER_ADDR_LEN];
+uint16_t scramble_ether_vlan;
+int scramble_mac;
+
+static int readhexstring (FILE *, u_char *, int *);
+
+static uint32_t ip4cache[1<<CACHE_BITS];
+static uint32_t ip4pad; /* first 4 bytes of pad */
+static uint32_t ip6pad[4];
+static u_char scramble_mac_buf[MAX_BLK_LENGTH];
+static u_char scramble_key[MAX_BLK_LENGTH];
+
+static uint8_t ivec[64];
+
+/* statistics */
+static long ipv4_cache_hits = 0;
+static long ipv4_anon_calls = 0;
+static long ipv6_anon_calls = 0;
+
+
+static ipv4_hash_blk_t b4_in, b4_out;
+static ipv6_hash_blk_t b6_in, b6_out;
+
+static scramble_crypt_t scramble_crypto4 = SCRAMBLE_AES;
+static scramble_crypt_t scramble_crypto6 = SCRAMBLE_AES;
+
+/* openssl EVP pointers */
+static EVP_CIPHER_CTX *ctx4, *ctx6;
+static EVP_CIPHER *cipher4, *cipher6;
+static EVP_MD_CTX *mdctx4, *mdctx6;
+static EVP_MD *md4, *md6;
+
+static struct {
+ char *name;
+ scramble_crypt_t type;
+} scramble_names[] = {
+ { "md5", SCRAMBLE_MD5 },
+ { "blowfish", SCRAMBLE_BLOWFISH },
+ { "aes", SCRAMBLE_AES },
+ { "sha", SCRAMBLE_SHA1 },
+};
+
+const char *
+scramble_type2name(scramble_crypt_t t)
+{
+ int i;
+ for (i = 0; i < sizeof(scramble_names)/sizeof(scramble_names[0]); ++i)
+ if (scramble_names[i].type == t)
+ return scramble_names[i].name;
+ return NULL;
+}
+
+scramble_crypt_t
+scramble_name2type(const char *name)
+{
+ int i;
+ for (i = 0; i < sizeof(scramble_names)/sizeof(scramble_names[0]); ++i)
+ if (strcasecmp(name, scramble_names[i].name) == 0)
+ return scramble_names[i].type;
+ return SCRAMBLE_NONE;
+}
+
+scramble_crypt_t
+scramble_crypto_ip4(void)
+{
+ return scramble_crypto4;
+}
+
+scramble_crypt_t
+scramble_crypto_ip6(void)
+{
+ return scramble_crypto6;
+}
+
+int
+scramble_newkey(u_char *key, int klen)
+{
+ FILE *rnd = fopen(SCRAMBLE_RANDOM_DEV, "r");
+ if (rnd == NULL) {
+ perror("scramble_newkey(): fopen");
+ return -1;
+ }
+ if (fread(key, 1, klen, rnd) != klen) {
+ perror("scramble_newkey(): fread");
+ fclose(rnd);
+ return -1;
+ }
+ fclose(rnd);
+ return 0;
+}
+
+int
+scramble_newpad(u_char *pad, int plen)
+{
+ FILE *rnd = fopen(SCRAMBLE_RANDOM_DEV, "r");
+ if (rnd == NULL) {
+ perror("scramble_newpad(): fopen");
+ return -1;
+ }
+ if (fread(pad, 1, plen, rnd) != plen) {
+ perror("scramble_newpad(): fread");
+ fclose(rnd);
+ return -1;
+ }
+ fclose(rnd);
+ return 0;
+}
+
+int
+scramble_newmac(u_char *mac, int mlen)
+{
+ FILE *rnd = fopen(SCRAMBLE_RANDOM_DEV, "r");
+ if (rnd == NULL) {
+ perror("scramble_newkey(): fopen");
+ return -1;
+ }
+ if (fread(mac, 1, mlen, rnd) != mlen) {
+ perror("scramble_newkey(): fread");
+ fclose(rnd);
+ return -1;
+ }
+ fclose(rnd);
+ return 0;
+}
+
+int
+scramble_newiv(u_char *iv, int ivlen)
+{
+ FILE *rnd = fopen(SCRAMBLE_RANDOM_DEV, "r");
+ if (rnd == NULL) {
+ perror("scramble_newiv(): fopen");
+ return -1;
+ }
+ if (fread(iv, 1, ivlen, rnd) != ivlen) {
+ perror("scramble_newiv(): fread");
+ fclose(rnd);
+ return -1;
+ }
+ fclose(rnd);
+ return 0;
+}
+
+/* read a hex string from fd at current position and store it in s */
+static int
+readhexstring(FILE *f, u_char *s, int *len)
+{
+ char c = 0;
+ int i;
+ for (i = 0; i < *len + 1; ++i) {
+ switch (fread(&c, 1, 1, f)) {
+ case 0:
+ *len = i;
+ return 0;
+ case 1:
+ break;
+ default:
+ return -1;
+ }
+ if (!isxdigit(c)) {
+ *len = i;
+ return 0;
+ }
+ s[i] = ((isdigit(c)) ? c - '0' : tolower(c) - 'a' + 10) << 4;
+ if (fread(&c, 1, 1, f) != 1) {
+ *len = i;
+ return -1; /* error: a byte has 2 digits */
+ }
+ if (!isxdigit(c)) {
+ *len = i;
+ return -1;
+ }
+ s[i] |= (isdigit(c)) ? c - '0' : tolower(c) - 'a' + 10;
+ }
+ if (i == *len + 1)
+ return -1; /* means buffer is too short */
+ return 0;
+}
+
+int
+scramble_readstate(const char *fn, scramble_state_t *s)
+{
+ u_char c4, c6;
+ int l4 = 1, l6 = 1;
+ FILE *f = fopen(fn, "r");
+ if (f == NULL) {
+ perror("scramble_readstate(): fopen");
+ return -1;
+ }
+ if (readhexstring(f, (u_char*)&c4, &l4) != 0) {
+ fprintf(stderr, "scramble_readstate(): error reading c4");
+ fclose(f);
+ return -1;
+ }
+ assert(l4 == 1);
+ s->c4 = (scramble_crypt_t)c4;
+ if (readhexstring(f, (u_char*)&c6, &l6) != 0) {
+ fprintf(stderr, "scramble_readstate(): error reading c6");
+ fclose(f);
+ return -1;
+ }
+ assert(l6 == 1);
+ s->c6 = (scramble_crypt_t)c6;
+ if (readhexstring(f, s->key, &s->klen) != 0) {
+ fprintf(stderr, "scramble_readstate(): error reading key");
+ fclose(f);
+ return -1;
+ }
+ if (readhexstring(f, s->pad, &s->plen) != 0) {
+ fprintf(stderr, "scramble_readstate(): error reading pad");
+ fclose(f);
+ return -1;
+ }
+ if (readhexstring(f, s->mac, &s->mlen) != 0) {
+ fprintf(stderr, "scramble_readstate(): error reading mac");
+ fclose(f);
+ return -1;
+ }
+ if (readhexstring(f, s->iv, &s->ivlen) != 0) {
+ fprintf(stderr, "scramble_readstate(): error reading iv");
+ fclose(f);
+ return -1;
+ }
+ fclose(f);
+ return 0;
+}
+
+int
+scramble_savestate(const char *fn, const scramble_state_t *s)
+{
+ int i;
+ /* set restrictive mode */
+ int fd = creat(fn, S_IRUSR|S_IWUSR);
+ if (fd < 0) {
+ perror("scramble_savestate(): open");
+ return -1;
+ }
+ FILE *f = fdopen(fd, "w");
+ if (f == NULL) {
+ perror("scramble_savestate(): fopen");
+ return -1;
+ }
+ if (fprintf(f, "%02x:%02x:", (unsigned)s->c4, (unsigned)s->c6) < 0) {
+ perror("scramble_savestate(): error saving cryptos");
+ fclose(f);
+ return -1;
+ }
+ for (i = 0; i < s->klen; ++i) {
+ if (fprintf(f, "%02x", s->key[i]) < 0) {
+ perror("scramble_savestate(): error saving key");
+ fclose(f);
+ return -1;
+ }
+ }
+ fprintf(f, ":");
+ for (i = 0; i < s->plen; ++i) {
+ if (fprintf(f, "%02x", s->pad[i]) < 0) {
+ perror("scramble_savestate(): error saving pad");
+ fclose(f);
+ return -1;
+ }
+ }
+ fprintf(f, ":");
+ for (i = 0; i < s->mlen; ++i) {
+ if (fprintf(f, "%02x", s->mac[i]) < 0) {
+ perror("scramble_savestate(): error saving mac");
+ fclose(f);
+ return -1;
+ }
+ }
+
+ fprintf(f, ":");
+ for (i = 0; i < s->ivlen; ++i) {
+ if (fprintf(f, "%02x", s->iv[i]) < 0) {
+ perror("scramble_savestate(): error saving lv");
+ fclose(f);
+ return -1;
+ }
+ }
+ fprintf(f, "\n");
+ fclose(f);
+ return 0;
+}
+
+void
+scramble_cleanup()
+{
+ // openssl evp cleanup
+ if (ctx4 != NULL) {
+ EVP_CIPHER_CTX_free(ctx4);
+ ctx4 = NULL;
+ }
+ if (ctx6 != NULL) {
+ EVP_CIPHER_CTX_free(ctx6);
+ ctx6 = NULL;
+ }
+ if (mdctx4 != NULL) {
+ EVP_MD_CTX_free(mdctx4);
+ mdctx4 = NULL;
+ }
+ if (mdctx6 != NULL) {
+ EVP_MD_CTX_free(mdctx6);
+ mdctx6 = NULL;
+ }
+ if (cipher4 != NULL) {
+ EVP_CIPHER_free(cipher4);
+ cipher4 = NULL;
+ }
+ if (cipher6 != NULL) {
+ EVP_CIPHER_free(cipher6);
+ cipher6 = NULL;
+ }
+ if (md4 != NULL) {
+ EVP_MD_free(md4);
+ md4 = NULL;
+ }
+ if (md6 != NULL) {
+ EVP_MD_free(md6);
+ md6 = NULL;
+ }
+}
+
+
+int
+scramble_init(const scramble_state_t *s)
+{
+ int plen;
+ if (s->plen > MAX_BLK_LENGTH)
+ plen = MAX_BLK_LENGTH;
+ else
+ plen = s->plen;
+
+ scramble_crypto4 = s->c4;
+ scramble_crypto6 = s->c6;
+
+ memcpy(&b4_in, s->pad, plen);
+ ip4pad = cryptopant_swap32(b4_in.ip4);
+
+ memcpy(&b6_in, s->pad, s->plen);
+ ip6pad[0] = b6_in.ip6.s6_addr32[0];
+ ip6pad[1] = b6_in.ip6.s6_addr32[1];
+ ip6pad[2] = b6_in.ip6.s6_addr32[2];
+ ip6pad[3] = b6_in.ip6.s6_addr32[3];
+
+ memcpy(scramble_key, s->key, s->klen);
+
+ // create contexts (will not need them all)
+ ctx4 = EVP_CIPHER_CTX_new();
+ ctx6 = EVP_CIPHER_CTX_new();
+ mdctx4 = EVP_MD_CTX_new();
+ mdctx6 = EVP_MD_CTX_new();
+
+ // fetch ciphers and digests
+ void *res_ctx = NULL, *res_crypt = NULL;
+ switch(s->c4) {
+ case SCRAMBLE_AES:
+ OSSL_PROVIDER_load(NULL, "default");
+ cipher4 = EVP_CIPHER_fetch(NULL, "AES-128-ECB", "provider=default");
+ res_ctx = ctx4;
+ res_crypt = cipher4;
+ break;
+ case SCRAMBLE_BLOWFISH:
+ OSSL_PROVIDER_load(NULL, "legacy");
+ cipher4 = EVP_CIPHER_fetch(NULL, "BF-ECB", "provider=legacy");
+ if (cipher4 == NULL) {
+ cipher4 = EVP_CIPHER_fetch(NULL, "BF-ECB", NULL);
+ }
+ res_ctx = ctx4;
+ res_crypt = cipher4;
+ break;
+ case SCRAMBLE_SHA1:
+ md4 = EVP_MD_fetch(NULL, "SHA1", NULL);
+ res_ctx = mdctx4;
+ res_crypt = md4;
+ break;
+ case SCRAMBLE_MD5:
+ md4 = EVP_MD_fetch(NULL, "MD5", NULL);
+ res_ctx = mdctx4;
+ res_crypt = md4;
+ break;
+ case SCRAMBLE_NONE:
+ break;
+ default:
+ fprintf(stderr,
+ "scramble_init(): unsupported ipv4 scrambling crypto: %d\n", s->c4);
+ return -1;
+ }
+ if (s->c4 != SCRAMBLE_NONE && (res_ctx == NULL || res_crypt == NULL)) {
+ fprintf(stderr,
+ "scramble_init(): EVP ip4 init failures %p %p\n", res_ctx, res_crypt);
+ return -1;
+ }
+
+ res_ctx = res_crypt = NULL;
+
+ switch(s->c6) {
+ case SCRAMBLE_AES:
+ OSSL_PROVIDER_load(NULL, "default");
+ cipher6 = EVP_CIPHER_fetch(NULL, "AES-128-ECB", "provider=default");
+ res_ctx = ctx6;
+ res_crypt = cipher6;
+ break;
+ case SCRAMBLE_BLOWFISH:
+ OSSL_PROVIDER_load(NULL, "legacy");
+ cipher6 = EVP_CIPHER_fetch(NULL, "BF-CBC", "provider=legacy");
+ if (cipher6 == NULL) {
+ cipher6 = EVP_CIPHER_fetch(NULL, "BF-ECB", NULL);
+ }
+ res_ctx = ctx6;
+ res_crypt = cipher6;
+ break;
+ case SCRAMBLE_SHA1:
+ md6 = EVP_MD_fetch(NULL, "SHA1", NULL);
+ res_ctx = mdctx6;
+ res_crypt = md6;
+ break;
+ case SCRAMBLE_MD5:
+ md6 = EVP_MD_fetch(NULL, "MD5", NULL);
+ res_ctx = mdctx6;
+ res_crypt = md6;
+ break;
+ case SCRAMBLE_NONE:
+ break;
+ default:
+ fprintf(stderr,
+ "scramble_init(): unsupported ipv6 scrambling crypto: %d\n", s->c6);
+ return -1;
+
+ }
+ if (s->c6 != SCRAMBLE_NONE && (res_ctx == NULL || res_crypt == NULL)) {
+ fprintf(stderr,
+ "scramble_init(): EVP ip6 init failures %p %p\n", res_ctx, res_crypt);
+ return -1;
+ }
+ if (cipher4 != NULL) {
+ if (!EVP_EncryptInit_ex2(ctx4, cipher4, scramble_key, ivec, NULL)) {
+ fprintf(stderr,
+ "scramble_init(): EVP_EncryptInit_ex2 failed:");
+ ERR_print_errors_fp(stderr);
+ return -1;
+ }
+ }
+ if (cipher6 != NULL) {
+ if (!EVP_EncryptInit_ex2(ctx6, cipher6, scramble_key, ivec, NULL)) {
+ fprintf(stderr,
+ "scramble_init(): EVP_EncryptInit_ex2 failed:");
+ ERR_print_errors_fp(stderr);
+ return -1;
+ }
+ }
+ // don't need to init anything for digests
+
+ scramble_mac = 0;
+
+ memcpy(scramble_mac_buf, s->mac, s->mlen);
+
+ if (s->mlen > 0) {
+ scramble_mac = 1;
+ if (s->mlen < ETHER_ADDR_LEN + ETHER_VLAN_LEN) {
+ fprintf(stderr,
+ "scramble_init(): mac string is too short (%d)\n",
+ s->mlen);
+ return -1;
+ }
+ }
+ memcpy(scramble_ether_addr, scramble_mac_buf, ETHER_ADDR_LEN);
+
+ /* we don't want to map ether unicast to multicast and visa versa */
+ RESET_ETHER_MCAST(scramble_ether_addr);
+
+ memcpy(&scramble_ether_vlan, scramble_mac_buf + ETHER_ADDR_LEN, ETHER_VLAN_LEN);
+ return 0;
+}
+
+/* init everything from file, if it doesn't exist, create it */
+int
+scramble_init_from_file(const char *fn, scramble_crypt_t c4, scramble_crypt_t c6, int *do_mac)
+{
+ // OSSL_PROVIDER *legacy_, *default_;
+ u_char pad[MAX_BLK_LENGTH];
+ u_char key[MAX_BLK_LENGTH];
+ u_char mac[MAX_BLK_LENGTH];
+ u_char iv[MAX_BLK_LENGTH];
+
+ scramble_state_t s;
+ FILE *f;
+
+ s.pad = pad;
+ s.key = key;
+ s.mac = mac;
+ s.iv = iv;
+ if ((f = fopen(fn, "r")) == NULL) {
+ if (errno != ENOENT) {
+ perror("scamble_init_file(): fopen");
+ return -1;
+ }
+ if (c4 == SCRAMBLE_NONE || c6 == SCRAMBLE_NONE)
+ return -1;
+
+ /* file doesn't exist, create it */
+ s.c4 = c4;
+ s.c6 = c6;
+ s.plen = MAX_BLK_LENGTH;
+ s.klen = 16; /* XXX */
+ s.ivlen = 16;
+
+ if (scramble_newpad(pad, s.plen) < 0)
+ return -1;
+ if (scramble_newkey(key, s.klen) < 0)
+ return -1;
+ if (scramble_newiv(iv, s.ivlen) < 0)
+ return -1;
+ if (do_mac && *do_mac) {
+ s.mlen = ETHER_ADDR_LEN + ETHER_VLAN_LEN;
+ if (scramble_newmac(mac, s.mlen) < 0)
+ return -1;
+ } else
+ s.mlen = 0;
+ if (scramble_savestate(fn, &s) < 0)
+ return -1;
+ } else {
+ fclose(f);
+ s.plen = MAX_BLK_LENGTH;
+ s.klen = MAX_BLK_LENGTH;
+ s.mlen = MAX_BLK_LENGTH;
+ s.ivlen = MAX_BLK_LENGTH;
+ if (scramble_readstate(fn, &s) < 0)
+ return -1;
+ if (do_mac)
+ *do_mac = (s.mlen > 0);
+ }
+
+
+ if (scramble_init(&s) < 0)
+ return -1;
+ return 0;
+}
+
+/* scramble IPv4 addresses, input and output are in network byte order */
+uint32_t
+scramble_ip4(uint32_t input, int pass_bits) {
+ uint32_t output = 0;
+ uint32_t m = 0xffffffff << 1;
+ int i = 31;
+ int class_bits = 0;
+ int pbits = 0;
+ int outlen;
+#define MAX_CLASS_BITS 4
+ static int _class_bits[1<<MAX_CLASS_BITS] = {
+ 1,1,1,1,1,1,1,1, /* class A: preserve 1 bit */
+ 2,2,2,2, /* class B: preserve 2 bits */
+ 3,3, /* class C: preserve 3 bits */
+ 4, /* class D: preserve 4 bits */
+ 32 /* class bad, preserve all */
+ };
+ uint32_t *cp;
+
+ input = ntohl(input);
+ cp = ip4cache + (input >> (32 - CACHE_BITS));
+
+ assert(pass_bits >= 0 && pass_bits < 33);
+
+ ++ipv4_anon_calls;
+
+ b4_in.ip4 = input;
+
+ class_bits = _class_bits[input >> (32-MAX_CLASS_BITS)];
+
+ // check cache first
+ output = *cp;
+ if (output != 0) {
+ output <<= (32 - CACHE_BITS);
+ if (class_bits < CACHE_BITS)
+ class_bits = CACHE_BITS;
+ ++ipv4_cache_hits;
+ }
+
+ pbits = MAX(pass_bits, class_bits);
+
+ for (i = 31; i > pbits - 1; --i) {
+ /* pass through 'i' highest bits of ip4 */
+ b4_in.ip4 &= m;
+ /* the following could be:
+ * b4_in.ip4 |= (ip4pad & ~m); */
+ b4_in.ip4 |= (ip4pad >> i);
+ b4_in.ip4 = cryptopant_swap32(b4_in.ip4);
+ uint mdlen = MD5_DIGEST_LENGTH;
+ switch (scramble_crypto4) {
+ case SCRAMBLE_BLOWFISH:
+ if (!EVP_CipherUpdate(ctx4, (u_char*)&b4_out, &outlen, (u_char*)&b4_in, BF_BLOCK)) {
+ /* Error */
+ fprintf(stderr, "scramble_ip4(): EVP_CipherUpdate failed");
+ abort();
+ }
+ case SCRAMBLE_AES:
+ if (!EVP_CipherUpdate(ctx4, (u_char*)&b4_out, &outlen, (u_char*)&b4_in, AES_BLOCK_SIZE)) {
+ /* Error */
+ fprintf(stderr, "scramble_ip4(): EVP_CipherUpdate failed");
+ abort();
+ }
+ break;
+ case SCRAMBLE_SHA1:
+ mdlen = SHA_DIGEST_LENGTH;
+ // fallthrough
+ case SCRAMBLE_MD5:
+ if (!EVP_DigestInit_ex2(mdctx4, md4, NULL) ||
+ !EVP_DigestUpdate(mdctx4, (u_char*)&b4_in, mdlen) ||
+ !EVP_DigestFinal_ex(mdctx4, (u_char*)&b4_out, &mdlen)) {
+ /* Error */
+ fprintf(stderr, "scramble_ip4(): EVP_Digest* failed");
+ abort();
+ }
+ break;
+ default:
+ abort();
+ }
+ output |= (( *((u_char*)&b4_out.ip4) & 1) << (31 - i));
+ b4_in.ip4 = cryptopant_swap32(b4_in.ip4);
+ m <<= 1;
+ }
+
+ /* output == 0 is OK, means pass address unchanged */
+
+ *cp = (output >> (32 - CACHE_BITS));
+
+ return htonl(output ^ input);
+}
+
+/* scramble ipv6 address in place, in network byte order */
+void
+scramble_ip6(struct in6_addr *input, int pass_bits)
+{
+ struct in6_addr output;
+ int i, w;
+ int pbits = pass_bits;
+
+ ++ipv6_anon_calls;
+ b6_in.ip6.s6_addr32[0] = ip6pad[0]; /* XXX this one not needed */
+ b6_in.ip6.s6_addr32[1] = ip6pad[1];
+ b6_in.ip6.s6_addr32[2] = ip6pad[2];
+ b6_in.ip6.s6_addr32[3] = ip6pad[3];
+ int outlen = AES_BLOCK_SIZE;
+ uint mdlen;
+
+ for (w = 0; w < 4; ++w) {
+ uint32_t m = 0xffffffff << 1;
+ uint32_t x = ntohl(input->s6_addr32[w]);
+ uint32_t hpad = ntohl(ip6pad[w]);
+ output.s6_addr32[w] = 0;
+ /* anonymize x, using hpad */
+ for (i = 31; i > pbits - 1; --i) {
+ /* pass through 'i' highest bits of the word */
+ x &= m;
+ /* the following could be:
+ * x |= (hpad & ~m); */
+ x |= (hpad >> i);
+ b6_in.ip6.s6_addr32[w] = htonl(x);
+ /* hashing proper */
+ switch (scramble_crypto6) {
+ case SCRAMBLE_BLOWFISH:
+ /* use BF in chain mode */
+ EVP_CIPHER_CTX_reset(ctx6);
+ if (!EVP_EncryptInit_ex2(ctx6, cipher6, scramble_key, ivec, NULL)) {
+ fprintf(stderr,
+ "scramble_init(): EVP_EncryptInit_ex2 failed:");
+ ERR_print_errors_fp(stderr);
+ }
+ if (!EVP_CipherUpdate(ctx6, (u_char*)&b6_out, &outlen, (u_char*)&b6_in, sizeof(b6_in))) {
+ /* Error */
+ fprintf(stderr, "scramble_ip6(): EVP_CipherUpdate failed\n");
+ ERR_print_errors_fp(stderr);
+ }
+ break;
+ case SCRAMBLE_AES:
+ if (!EVP_CipherUpdate(ctx6, (u_char*)&b6_out, &outlen, (u_char*)&b6_in, AES_BLOCK_SIZE)) {
+ /* Error */
+ fprintf(stderr, "scramble_ip6(): EVP_CipherUpdate failed");
+ }
+ break;
+ case SCRAMBLE_SHA1:
+ case SCRAMBLE_MD5:
+ if (scramble_crypto6 == SCRAMBLE_SHA1) {
+ mdlen = SHA_DIGEST_LENGTH;
+ } else {
+ mdlen = MD5_DIGEST_LENGTH;
+ }
+ // fallthrough
+ if (!EVP_DigestInit_ex2(mdctx6, md6, NULL) ||
+ !EVP_DigestUpdate(mdctx6, (u_char*)&b6_in, mdlen) ||
+ !EVP_DigestFinal_ex(mdctx6, (u_char*)&b6_out, &mdlen)) {
+ /* Error */
+ fprintf(stderr, "scramble_ip6(): EVP_Digest* failed");
+ }
+ break;
+ default:
+ abort();
+ }
+ output.s6_addr32[w] |= ((ntohl(b6_out.ip6.s6_addr32[3]) & 1)
+ << (31 - i));
+ m <<= 1;
+ }
+ pbits = (pbits >= 32) ? pbits - 32 : 0;
+ /* pbits >= 32 this means the above for-loop wasn't executed */
+
+ output.s6_addr32[w] = htonl(output.s6_addr32[w]) ^ input->s6_addr32[w];
+
+ /* restore the word */
+ b6_in.ip6.s6_addr32[w] = input->s6_addr32[w];
+ }
+ *input = output;
+}
+
+/* reverse map scrambled IP addresses, all network byte order */
+uint32_t
+unscramble_ip4(uint32_t input, int pass_bits)
+{
+ int i;
+ uint32_t guess, res;
+
+ guess = input; /* Starting with the input seems
+ * a good idea because some bits
+ * may be passed through
+ * unchanged */
+ for (i=32; i>0; --i) {
+ res = scramble_ip4(guess, pass_bits);
+ /* we're only interested in flipping the
+ * higher bit, don't care about the rest */
+ res ^= input;
+ if (res == 0)
+ return guess;
+ guess ^= res;
+ }
+ //unreachable, since there should be always a match
+ //(since we're zeroing out at least one bit per iteration)
+ assert(0);
+ return (0xffffffff); /* cannot find the match */
+}
+
+/* unscramble ipv6 address in place, in network byte order */
+void
+unscramble_ip6(struct in6_addr *input, int pass_bits)
+{
+ struct in6_addr guess;
+ struct in6_addr res;
+ uint32_t r = 0;
+
+ int i;
+
+ guess = *input;
+ for (i = 0; i < 4; ++i) {
+ for (;;) {
+ res = guess;
+ scramble_ip6(&res, pass_bits);
+ r = res.s6_addr32[i] ^ input->s6_addr32[i];
+
+ if (r == 0) break;
+
+ guess.s6_addr32[i] ^= r;
+ }
+
+ }
+ *input = guess;
+ return;
+}
diff --git a/src/cryptopANT.h b/src/cryptopANT.h
new file mode 100644
index 0000000..8f596ff
--- /dev/null
+++ b/src/cryptopANT.h
@@ -0,0 +1,92 @@
+/* -*- Mode:C; c-basic-offset:8; tab-width:8; indent-tabs-mode:t -*- */
+/*
+ * Copyright (C) 2004-2024 by the University of Southern California
+ * $Id: c23494984e1ae44af55668feda8232282c9473d0 $
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+
+#ifndef _SCRAMBLE_CRYPT_H
+#define _SCRAMBLE_CRYPT_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define ETHER_ADDR_LEN 6
+#define ETHER_VLAN_LEN 2
+
+#define _XOR16(a, b, i) (((uint16_t *)(a))[i] ^= ((uint16_t *)(b))[i])
+#define _XOR32(a, b, i) (((uint32_t *)(a))[i] ^= ((uint32_t *)(b))[i])
+
+#define SCRAMBLE_ETHER_ADDR(a) if (1) { \
+ _XOR32(a, scramble_ether_addr, 0); \
+ _XOR16(a, scramble_ether_addr, 2); \
+ }
+
+#define SCRAMBLE_ETHER_VLAN(v) ((v) ^= scramble_ether_vlan);
+
+#define SCRAMBLE_RANDOM_DEV "/dev/urandom"
+
+typedef enum {
+ SCRAMBLE_NONE = 0x00,
+ SCRAMBLE_MD5 = 0x01,
+ SCRAMBLE_BLOWFISH = 0x02,
+ SCRAMBLE_AES = 0x03,
+ SCRAMBLE_SHA1 = 0x04
+} scramble_crypt_t;
+
+typedef struct {
+ scramble_crypt_t c4;
+ scramble_crypt_t c6;
+ u_char *key;
+ int klen;
+ u_char *pad;
+ int plen;
+ u_char *mac;
+ int mlen;
+ u_char *iv;
+ int ivlen;
+} scramble_state_t;
+
+/* external vars exported by mac scrambling macros */
+extern uint8_t scramble_ether_addr[ETHER_ADDR_LEN];
+extern uint16_t scramble_ether_vlan;
+extern int scramble_mac; /* 0/1 */
+
+/* public functions */
+extern scramble_crypt_t scramble_crypto_ip4 (void);
+extern scramble_crypt_t scramble_crypto_ip6 (void);
+extern scramble_crypt_t scramble_name2type (const char *);
+extern const char* scramble_type2name (scramble_crypt_t);
+extern int scramble_newkey (u_char *, int);
+extern int scramble_newpad (u_char *, int);
+extern int scramble_newmac (u_char *, int);
+extern int scramble_readstate (const char *, scramble_state_t *);
+extern int scramble_savestate (const char *, const scramble_state_t *);
+extern int scramble_init (const scramble_state_t *s);
+extern int scramble_init_from_file (const char *, scramble_crypt_t, scramble_crypt_t, int *);
+extern void scramble_cleanup ();
+extern uint32_t scramble_ip4 (uint32_t, int);
+extern uint32_t unscramble_ip4 (uint32_t, int);
+extern void scramble_ip6 (struct in6_addr *, int);
+extern void unscramble_ip6 (struct in6_addr *, int);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _SCRAMBLE_CRYPT_H */
diff --git a/src/scramble_ips.c b/src/scramble_ips.c
new file mode 100644
index 0000000..5222301
--- /dev/null
+++ b/src/scramble_ips.c
@@ -0,0 +1,487 @@
+/* -*- Mode:C; c-basic-offset:4; tab-width:8; indent-tabs-mode:t -*- */
+/*
+ * Copyright (C) 2004-2024 by the University of Southern California
+ * $Id: a91d5228a362749a1ccff71f0fbdc092ac7ebdcc $
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+/* setup environment */
+#define _GNU_SOURCE 1
+#define _FILE_OFFSET_BITS 64
+
+#include <stdio.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <getopt.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <ctype.h>
+#include <regex.h> //xxx need to check in autoconf
+#include <assert.h>
+#include "cryptopANT.h"
+
+//autoconfigured
+#include "config.h"
+
+//long options
+#define PASS4 256
+#define PASS6 257
+#define KTYPE 258
+#define IPPREFIX 259
+#define IPSUFFIX 260
+
+#define IP4MAXLEN 15 //strlen("xxx.xxx.xxx.xxx")
+#define IP6MAXLEN 39 //strlen("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx")
+#define CBUF_SZ (IP6MAXLEN*2)
+
+#define INITBUFSIZE 4096 //xxx need more space in case text expands due to IP scrambling
+
+#if HAVE__U6_ADDR32
+#define s6_addr32 __u6_addr.__u6_addr32
+#endif
+
+#if HAVE_REGEX_H
+static const char REGEX4[]="((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))";
+static const char REGEX6[]="(((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}))|:)))(%.+)?)";
+#endif //HAVE_REGEX_H
+
+static int pass_bits4 = 0;
+static int pass_bits6 = 0;
+static int reverse_mode = 0;
+
+//buffers for in/out processing
+static char *linebuf1 = NULL,*linebuf2 = NULL;
+static size_t linebuf1_sz = 0, linebuf2_sz = 0;
+
+static char cbuf[CBUF_SZ];
+
+void
+usage(const char *pname) {
+ fprintf(stderr,
+ "Read IP addresses from stdin and print scrambled addresses on stdout\n"
+ "USAGE:\n"
+ "\t%s [OPTIONS] [-r] key_file\n"
+ "\tWhere OPTIONS are:\n"
+ "\t\t--newkey|-G generate a new key key_file\n"
+ "\t\t--type=TYPE crypto to use for key generation (valid only with --newkey option)\n"
+ "\t\t supported choices are: blowfish (default), aes, sha1, md5\n"
+ "\t\t--pass4=<num> pass <num> higher bits of ipv4 addresses through unchanged\n"
+ "\t\t--pass6=<num> pass <num> higher bits of ipv6 addresses through unchanged\n"
+#if HAVE_REGEX_H
+ "\t\t--ip-prefix=<regex> all ips must be prefixed by this regex prefix (both ipv4 and ipv6)\n"
+ "\t\t--ip-suffix=<regex> all ips must be followed by this regex suffix (both ipv4 and ipv6)\n"
+ "\t\t-t text mode: read text from stdin and scramble all addresses\n"
+ "\t\t that can be found using regex (use with caution)\n"
+#endif //HAVE_REGEX_H
+ "\t\t-r reverse-mode i.e. for unscrambling ip addresses\n"
+ , pname);
+ exit(1);
+}
+
+int
+anon_ip4_txt(const char *oldip, char *newip) {
+ struct in_addr ip4, ip4s;
+ if (inet_pton(AF_INET, oldip, &ip4) <= 0) {
+ fprintf(stderr, "don't understand address (%s)\n", oldip);
+#ifdef HAVE_STRLCPY
+ strlcpy(newip, oldip, INITBUFSIZE);
+#else
+ strcpy(newip, oldip); //copy without changing
+#endif
+ } else {
+ ip4s.s_addr = (reverse_mode)
+ ? unscramble_ip4(ip4.s_addr, pass_bits4)
+ : scramble_ip4(ip4.s_addr, pass_bits4);
+ if (newip != inet_ntop(AF_INET, &ip4s, newip, 256)) {
+ perror("Error: can't print new address");
+ exit(1);
+ }
+ }
+ return strlen(newip);
+}
+int
+anon_ip6_txt(const char *oldip, char *newip) {
+ struct in6_addr ip6;
+ if (inet_pton(AF_INET6, oldip, &ip6) <= 0) {
+ fprintf(stderr, "don't understand address (%s)\n", oldip);
+#ifdef HAVE_STRLCPY
+ strlcpy(newip, oldip, INITBUFSIZE);
+#else
+ strcpy(newip, oldip); //copy without changing
+#endif
+ } else {
+ if (reverse_mode) {
+ unscramble_ip6(&ip6, pass_bits6);
+ } else {
+ scramble_ip6(&ip6, pass_bits6);
+ }
+ if (newip != inet_ntop(AF_INET6, &ip6, newip, 256)) {
+ perror("Error: can't print new address");
+ exit(1);
+ }
+ }
+ return strlen(newip);
+}
+
+//return the pointer in 'in' buffer where processing stopped
+const char*
+search_replace_ip(const char *in, char *out, const regex_t *r,
+ int (*anonf)(const char*, char*), size_t *outsz) {
+ const char *c = in;
+ char *c2 = out;
+ regmatch_t re_match[2];
+ //0th element is the whole thing (including prefix and suffix)
+ //1st element is the IP address
+ while (0 == regexec(r, c, 2, re_match, 0)) {
+ const char *cc=c;
+ if (re_match[1].rm_so != -1) {
+ const char *ipbeg = cc + re_match[1].rm_so;
+ const char *ipend = cc + re_match[1].rm_eo;
+ size_t copylen = ipbeg - c; //from prev match to this one, pass-thru, including prefix
+ //copy from c..(beg-1), advance both pointers
+ while (c2 - out + copylen >= *outsz) {
+ *outsz *= 2;
+ out = realloc(out, *outsz);
+ if (out == NULL) {
+ fprintf(stderr, "Error: run out of buffer space\n");
+ exit(1);
+ }
+ }
+ memcpy(c2, c, copylen);
+ c += copylen;
+ c2+= copylen;
+ char hold = *ipend; //store last character, we'll need temporarly replace it with '\0'
+ *(char*)ipend = '\0';
+ size_t anoniplen = anonf(c, c2);
+ *(char*)ipend = hold; //restore
+ c = ipend;
+ c2 += anoniplen;
+ }
+ }
+ //copy the rest
+ size_t copylen = strlen(c) + 1;
+ while (c2 - out + copylen >= *outsz) {
+ *outsz *= 2;
+ out = realloc(out, *outsz);
+ if (out == NULL) {
+ fprintf(stderr, "Error: run out of buffer space\n");
+ exit(1);
+ }
+ }
+ memcpy(c2, c, copylen);
+
+ return out;
+}
+
+int
+main(int argc, char *argv[])
+{
+ FILE *keyfile = NULL;
+ const char *keyfn = NULL;
+ const char *pname = argv[0];
+
+ int opt;
+ int text_mode = 0;
+ int opt_newkey = 0;
+ char *opt_keytype = NULL;
+#if HAVE_REGEX_H
+ char *opt_ipprefix = NULL;
+ char *opt_ipsuffix = NULL;
+ char regex4[4096];
+ char regex6[4096];
+#endif //HAVE_REGEX_H
+
+ scramble_crypt_t key_crypto = SCRAMBLE_BLOWFISH;
+
+ struct option long_options[] = {
+ {"newkey",0, NULL, 'G'},
+ {"help", 0, NULL, 'h'},
+ {"pass4", 1, NULL, PASS4},
+ {"pass6", 1, NULL, PASS6},
+ {"type", 1, NULL, KTYPE},
+#if HAVE_REGEX_H
+ {"text", 0, NULL, 't'},
+ {"ip-prefix", 1, NULL, IPPREFIX},
+ {"ip-suffix", 1, NULL, IPSUFFIX},
+#endif //HAVE_REGEX_H
+ };
+
+ while((opt = getopt_long(argc, argv,
+ "Ghr"
+#if HAVE_REGEX_H
+ "t"
+#endif //HAVE_REGEX_H
+ , long_options, NULL)) != EOF) {
+ switch(opt) {
+ /* long options first: */
+ case PASS4:
+ pass_bits4 = atoi(optarg);
+ if (pass_bits4 < 0 || pass_bits4 > 32) {
+ fprintf(stderr, "Error: --pass4 option argument must be within [0..32]\n");
+ exit(1);
+ }
+ break;
+ case PASS6:
+ pass_bits6 = atoi(optarg);
+ if (pass_bits6 < 0 || pass_bits6 > 128) {
+ fprintf(stderr, "Error: --pass6 option argument must be within [0..128]\n");
+ exit(1);
+ }
+ break;
+ case KTYPE:
+ opt_keytype = optarg;
+ if (strcmp(opt_keytype, "blowfish") == 0) {
+ key_crypto = SCRAMBLE_BLOWFISH;
+ } else if (strcmp(opt_keytype, "aes") == 0) {
+ key_crypto = SCRAMBLE_AES;
+ } else if (strcmp(opt_keytype, "sha1") == 0) {
+ key_crypto = SCRAMBLE_SHA1;
+ } else if (strcmp(opt_keytype, "md5") == 0) {
+ key_crypto = SCRAMBLE_MD5;
+ } else {
+ fprintf(stderr, "Error: unsupported crypto key type: '%s' (can be one of: blowfish, aes, sha1, md5)\n", opt_keytype);
+ exit(1);
+ }
+ break;
+#if HAVE_REGEX_H
+ case IPPREFIX:
+ opt_ipprefix = optarg;
+ break;
+ case IPSUFFIX:
+ opt_ipsuffix = optarg;
+ break;
+ case 't':
+ text_mode = 1;
+ break;
+#endif //HAVE_REGEX_H
+
+ /* short options: */
+ case 'G':
+ opt_newkey = 1;
+ break;
+ case 'h':
+ usage(pname);
+ /* never returns */
+ break;
+ case 'r':
+ reverse_mode = 1;
+ break;
+
+ default:
+ usage(pname);
+ }
+ }
+ argc -= optind;
+ argv += optind;
+ if (argc != 1) {
+ usage(pname);
+ }
+
+ keyfn = argv[0];
+
+ if (opt_newkey && (text_mode || reverse_mode || pass_bits4 || pass_bits6)) {
+ fprintf(stderr, "Error: --newkey or -G is mutually exclusive with other options.\n");
+ exit(1);
+ }
+ if (opt_keytype && !opt_newkey) {
+ fprintf(stderr, "Error: --type requires --newkey (-G) option.\n");
+ exit(1);
+ }
+#if HAVE_REGEX_H
+ if (!text_mode && (opt_ipprefix != NULL || opt_ipsuffix != NULL)) {
+ fprintf(stderr, "--ip-prefix and --ipsuffix require text mode (-t).\n");
+ exit(1);
+ }
+#endif //HAVE_REGEX_H
+ if ((keyfile = fopen(keyfn, "r")) == NULL) {
+ if (!opt_newkey) {
+ /* no keyfile, but supposed to exist */
+ fprintf(stderr, "Error: cannot open the key_file: '%s': %s\n", keyfn, strerror(errno));
+ exit(1);
+ }
+ } else {
+ if (opt_newkey) {
+ /* keyfile exists, but asked to make new one */
+ fprintf(stderr, "Error: keyfile '%s' already exists, remove it before trying to generate a new one.\n",
+ keyfn);
+ exit(1);
+ }
+ }
+ if (keyfile) fclose(keyfile);
+
+ if (scramble_init_from_file(keyfn, key_crypto, key_crypto, NULL) < 0) {
+ fprintf(stderr, "Error: can't initialize from keyfile '%s'\n", keyfn);
+ exit(1);
+ }
+ if (opt_newkey) {
+ //only generating mode
+ exit(0);
+ }
+
+ if (!text_mode && setvbuf(stdout, NULL, _IOLBF, 0) < 0) {
+ fprintf(stderr, "Error: setting line buffering: %s\n", strerror(errno));
+ exit(1);
+ }
+
+#if 1 //HAVE_REGEX_H
+ if (text_mode) {
+ linebuf1_sz = INITBUFSIZE;
+ linebuf2_sz = INITBUFSIZE;
+ linebuf1 = malloc(linebuf1_sz);
+ linebuf2 = malloc(linebuf2_sz);
+
+ memset(regex4, 0, sizeof(regex4));
+ memset(regex6, 0, sizeof(regex6));
+ if (opt_ipprefix != NULL) {
+ strncat(regex4, opt_ipprefix, sizeof(regex4)-1);
+ strncat(regex6, opt_ipprefix, sizeof(regex6)-1);
+ }
+ strncat(regex4, REGEX4, sizeof(regex4)-1);
+ strncat(regex6, REGEX6, sizeof(regex6)-1);
+ if (opt_ipsuffix != NULL) {
+ strncat(regex4, opt_ipsuffix, sizeof(regex4)-1);
+ strncat(regex6, opt_ipsuffix, sizeof(regex6)-1);
+ }
+ if (regex4[sizeof(regex4)-1] != '\0' ||
+ regex6[sizeof(regex6)-1] != '\0') {
+ fprintf(stderr, "Error: regex for ip addresses is too long.");
+ exit(1);
+ }
+
+ regex_t r4, r6;
+ if (0 != regcomp(&r4, regex4, REG_EXTENDED|REG_NEWLINE))
+ exit(1);
+ if (0 != regcomp(&r6, regex6, REG_EXTENDED|REG_NEWLINE))
+ exit(1);
+ linebuf1[linebuf1_sz-1]='x'; //anything but zero
+ //xxx todo: use buffered reading/writing
+ while (fgets(linebuf1, linebuf1_sz, stdin) != NULL) {
+ //fgets adds a terminating '\0', reading stops after an EOF or a newline
+ if (linebuf1[linebuf1_sz-1] == '\0' && linebuf1[linebuf1_sz-2] != '\n') {
+ //filled the buffer, but no newline; xxx remove newline dependency
+ fprintf(stderr, "Error: input lines are too long; maximum supported is %zd.\n",
+ linebuf1_sz-1);
+ exit(1);
+ }
+ //read a full line, can be anonymized in full
+ linebuf2 = (char*)search_replace_ip(linebuf1, linebuf2, &r4, &anon_ip4_txt, &linebuf2_sz);
+ linebuf1 = (char*)search_replace_ip(linebuf2, linebuf1, &r6, &anon_ip6_txt, &linebuf1_sz);
+ //output
+ fputs(linebuf1, stdout);
+ }
+ regfree(&r4);
+ regfree(&r6);
+ free(linebuf1);
+ free(linebuf2);
+ return 0;
+ }
+#endif
+
+ for (;;) {
+ int af;
+ int i;
+ int prefix = 0;
+ char *plen = NULL;
+ char *c;
+
+ struct in_addr ip4, ip4s;
+ struct in6_addr ip6, ip6s;
+ void *new = NULL;
+ // char *c2;
+ if (fgets(cbuf, CBUF_SZ, stdin) == NULL)
+ break;
+ for (i = strnlen(cbuf, CBUF_SZ-1)-1; i >= 0; --i) {
+ if (!isgraph(cbuf[i]))
+ cbuf[i] = '\0';
+ }
+ plen = NULL;
+ /* first see if this is a network */
+ if (NULL != (c = strchr(cbuf, '/'))) {
+ /* this is a network */
+ plen = c + 1;
+ if (!isdigit(*plen)) {
+ fprintf(stderr, "can't parse network prefix (%s)\n", cbuf);
+ continue;
+ }
+ *c = '\0';
+ prefix = atoi(plen);
+ }
+ /* first try ipv4 */
+ af= AF_INET;
+ if (inet_pton(af, cbuf, &ip4) <= 0) {
+ /* next try ipv6 */
+ af= AF_INET6;
+ if (inet_pton(af, cbuf, &ip6) <= 0) {
+ fprintf(stderr, "don't understand address (%s)\n", cbuf);
+ continue;
+ }
+ ip6s = ip6;
+ if (reverse_mode) {
+ unscramble_ip6(&ip6s, pass_bits6);
+ } else {
+ scramble_ip6(&ip6s, pass_bits6);
+ }
+ new = &ip6s;
+ /* if it was a network, zero out host bits */
+ if (plen && prefix < 128) {
+ int hostbits = 128 - prefix;
+ i = 3;
+ while (hostbits >= 32) {
+ ip6s.s6_addr32[i] = 0;
+ --i;
+ hostbits -= 32;
+ }
+ if (hostbits > 0) {
+ ip6s.s6_addr32[i] = htonl(ntohl(ip6s.s6_addr32[i])
+ & (0xffffffffUL << hostbits));
+ }
+ }
+ } else {
+ ip4s.s_addr = (reverse_mode)
+ ? unscramble_ip4(ip4.s_addr, pass_bits4)
+ : scramble_ip4(ip4.s_addr, pass_bits4);
+ new = &ip4s;
+ /* if it was a network, zero out host bits */
+ if (plen && prefix < 32) {
+ int hostbits = 32 - prefix;
+ ip4s.s_addr = ntohl(ip4s.s_addr);
+ if (hostbits == 32)
+ ip4s.s_addr = 0;
+ else
+ ip4s.s_addr &= 0xffffffffUL << hostbits;
+ ip4s.s_addr = htonl(ip4s.s_addr);
+ }
+ }
+
+ if (cbuf != inet_ntop(af, new, cbuf, CBUF_SZ)) {
+ perror("Error: can't print new address");
+ exit(1);
+ }
+
+ printf("%s", cbuf);
+ if (plen)
+ printf("/%d", prefix);
+ printf("\n");
+ }
+ scramble_cleanup();
+ return 0;
+}