policy.c revision 1.15
1/* $OpenBSD: policy.c,v 1.15 2000/10/07 06:59:56 niklas Exp $ */ 2/* $EOM: policy.c,v 1.45 2000/10/02 03:23:25 angelos Exp $ */ 3 4/* 5 * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. 6 * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. All advertising materials mentioning features or use of this software 17 * must display the following acknowledgement: 18 * This product includes software developed by Ericsson Radio Systems. 19 * 4. The name of the author may not be used to endorse or promote products 20 * derived from this software without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34/* 35 * This code was written under funding by Ericsson Radio Systems. 36 */ 37 38#include <sys/types.h> 39#include <sys/param.h> 40#include <sys/mman.h> 41#include <sys/queue.h> 42#include <sys/stat.h> 43#include <regex.h> 44#include <ctype.h> 45#include <fcntl.h> 46#include <stdio.h> 47#include <stdlib.h> 48#include <string.h> 49#include <unistd.h> 50#include <keynote.h> 51#include <sys/socket.h> 52#include <netinet/in.h> 53#include <arpa/inet.h> 54#include <errno.h> 55#include <openssl/ssl.h> 56 57#include "sysdep.h" 58 59#include "app.h" 60#include "conf.h" 61#include "connection.h" 62#include "cookie.h" 63#include "doi.h" 64#include "dyn.h" 65#include "exchange.h" 66#include "init.h" 67#include "ipsec.h" 68#include "isakmp_doi.h" 69#include "math_group.h" 70#include "sa.h" 71#include "timer.h" 72#include "transport.h" 73#include "udp.h" 74#include "log.h" 75#include "message.h" 76#include "ui.h" 77#include "util.h" 78#include "policy.h" 79#include "x509.h" 80 81#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) && 0 82 83void *libkeynote = 0; 84 85/* 86 * These prototypes matches OpenBSD keynote.h 1.6. If you use 87 * a different version than that, you are on your own. 88 */ 89int *lk_keynote_errno; 90int (*lk_kn_add_action) (int, char *, char *, int); 91int (*lk_kn_add_assertion) (int, char *, int, int); 92int (*lk_kn_add_authorizer) (int, char *); 93int (*lk_kn_close) (int); 94int (*lk_kn_do_query) (int, char **, int); 95char *(*lk_kn_encode_key) (struct keynote_deckey *, int, int, int); 96int (*lk_kn_init) (void); 97char **(*lk_kn_read_asserts) (char *, int, int *); 98int (*lk_kn_remove_authorizer) (int, char *); 99int (*lk_kn_get_authorizer) (int, int, int *); 100void (*lk_kn_free_key) (struct keynote_deckey *); 101struct keynote_keylist *(*lk_kn_get_licensees) (int, int); 102#define SYMENTRY(x) { SYM, SYM (x), (void **)&lk_ ## x } 103 104static struct dynload_script libkeynote_script[] = { 105 { LOAD, "libc.so", &libkeynote }, 106 { LOAD, "libcrypto.so", &libkeynote }, 107 { LOAD, "libm.so", &libkeynote }, 108 { LOAD, "libkeynote.so", &libkeynote }, 109 SYMENTRY (keynote_errno), 110 SYMENTRY (kn_add_action), 111 SYMENTRY (kn_add_assertion), 112 SYMENTRY (kn_add_authorizer), 113 SYMENTRY (kn_close), 114 SYMENTRY (kn_do_query), 115 SYMENTRY (kn_encode_key), 116 SYMENTRY (kn_init), 117 SYMENTRY (kn_read_asserts), 118 SYMENTRY (kn_remove_authorizer), 119 SYMENTRY (kn_get_licensees), 120 SYMENTRY (kn_get_authorizer), 121 { EOS } 122}; 123#endif 124 125int keynote_sessid = -1; 126char **keynote_policy_asserts = NULL; 127int keynote_policy_asserts_num = 0; 128char **x509_policy_asserts = NULL; 129int x509_policy_asserts_num = 0; 130int x509_policy_asserts_num_alloc = 0; 131struct exchange *policy_exchange = 0; 132struct sa *policy_sa = 0; 133struct sa *policy_isakmp_sa = 0; 134 135/* 136 * Adaptation of Vixie's inet_ntop4 () 137 */ 138static const char * 139my_inet_ntop4 (const in_addr_t *src, char *dst, size_t size, int normalize) 140{ 141 static const char fmt[] = "%03u.%03u.%03u.%03u"; 142 char tmp[sizeof "255.255.255.255"]; 143 in_addr_t src2; 144 145 if (normalize) 146 src2 = ntohl (*src); 147 else 148 src2 = *src; 149 150 if (sprintf (tmp, fmt, ((u_int8_t *) &src2)[0], ((u_int8_t *) &src2)[1], 151 ((u_int8_t *) &src2)[2], ((u_int8_t *) &src2)[3]) > size) 152 { 153 errno = ENOSPC; 154 return 0; 155 } 156 strcpy (dst, tmp); 157 return dst; 158} 159 160char * 161policy_callback (char *name) 162{ 163 struct proto *proto; 164 165 u_int8_t *attr, *value, *id, *idlocal, *idremote; 166 size_t id_sz, idlocalsz, idremotesz; 167 struct sockaddr_in *sin; 168 struct ipsec_exch *ie; 169 struct ipsec_sa *is; 170 int fmt, lifetype = 0; 171 in_addr_t net, subnet; 172 u_int16_t len, type; 173 time_t tt; 174 static char mytimeofday[15]; 175 176 /* We use all these as a cache. */ 177 static char *esp_present, *ah_present, *comp_present; 178 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; 179 static char *comp_alg, ah_life_kbytes[32], ah_life_seconds[32]; 180 static char esp_life_kbytes[32], esp_life_seconds[32], comp_life_kbytes[32]; 181 static char comp_life_seconds[32], *ah_encapsulation, *esp_encapsulation; 182 static char *comp_encapsulation, ah_key_length[32], esp_key_length[32]; 183 static char ah_key_rounds[32], esp_key_rounds[32], comp_dict_size[32]; 184 static char comp_private_alg[32], *remote_filter_type, *local_filter_type; 185 static char remote_filter_addr_upper[64], remote_filter_addr_lower[64]; 186 static char local_filter_addr_upper[64], local_filter_addr_lower[64]; 187 static char ah_group_desc[32], esp_group_desc[32], comp_group_desc[32]; 188 static char remote_ike_address[64], local_ike_address[64]; 189 static char *remote_id_type, remote_id_addr_upper[64], *phase_1; 190 static char remote_id_addr_lower[64], *remote_id_proto, remote_id_port[32]; 191 static char remote_filter_port[32], local_filter_port[32]; 192 static char *remote_filter_proto, *local_filter_proto, *pfs, *initiator; 193 static char remote_filter_proto_num[3], local_filter_proto_num[3]; 194 static char remote_id_proto_num[3]; 195 static char phase1_group[32]; 196 197 /* Allocated. */ 198 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; 199 200 static int dirty = 1; 201 202 /* We only need to set dirty at initialization time really. */ 203 if (strcmp (name, KEYNOTE_CALLBACK_CLEANUP) == 0 204 || strcmp (name, KEYNOTE_CALLBACK_INITIALIZE) == 0) 205 { 206 esp_present = ah_present = comp_present = pfs = "no"; 207 ah_hash_alg = ah_auth_alg = phase_1 = ""; 208 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; 209 esp_encapsulation = comp_encapsulation = remote_filter_type = ""; 210 local_filter_type = remote_id_type = initiator = ""; 211 remote_filter_proto = local_filter_proto = remote_id_proto = ""; 212 213 if (remote_filter != 0) 214 { 215 free (remote_filter); 216 remote_filter = 0; 217 } 218 219 if (local_filter != 0) 220 { 221 free (local_filter); 222 local_filter = 0; 223 } 224 225 if (remote_id != 0) 226 { 227 free (remote_id); 228 remote_id = 0; 229 } 230 231 memset (remote_ike_address, 0, sizeof remote_ike_address); 232 memset (local_ike_address, 0, sizeof local_ike_address); 233 memset (ah_life_kbytes, 0, sizeof ah_life_kbytes); 234 memset (ah_life_seconds, 0, sizeof ah_life_seconds); 235 memset (esp_life_kbytes, 0, sizeof esp_life_kbytes); 236 memset (esp_life_seconds, 0, sizeof esp_life_seconds); 237 memset (comp_life_kbytes, 0, sizeof comp_life_kbytes); 238 memset (comp_life_seconds, 0, sizeof comp_life_seconds); 239 memset (ah_key_length, 0, sizeof ah_key_length); 240 memset (ah_key_rounds, 0, sizeof ah_key_rounds); 241 memset (esp_key_length, 0, sizeof esp_key_length); 242 memset (esp_key_rounds, 0, sizeof esp_key_rounds); 243 memset (comp_dict_size, 0, sizeof comp_dict_size); 244 memset (comp_private_alg, 0, sizeof comp_private_alg); 245 memset (remote_filter_addr_upper, 0, sizeof remote_filter_addr_upper); 246 memset (remote_filter_addr_lower, 0, sizeof remote_filter_addr_lower); 247 memset (local_filter_addr_upper, 0, sizeof local_filter_addr_upper); 248 memset (local_filter_addr_lower, 0, sizeof local_filter_addr_lower); 249 memset (remote_id_addr_upper, 0, sizeof remote_id_addr_upper); 250 memset (remote_id_addr_lower, 0, sizeof remote_id_addr_lower); 251 memset (ah_group_desc, 0, sizeof ah_group_desc); 252 memset (esp_group_desc, 0, sizeof esp_group_desc); 253 memset (remote_id_port, 0, sizeof remote_id_port); 254 memset (remote_filter_port, 0, sizeof remote_filter_port); 255 memset (local_filter_port, 0, sizeof local_filter_port); 256 memset (phase1_group, 0, sizeof phase1_group); 257 258 dirty = 1; 259 return ""; 260 } 261 262 /* 263 * If dirty is set, this is the first request for an attribute, so 264 * populate our value cache. 265 */ 266 if (dirty) 267 { 268 ie = policy_exchange->data; 269 270 if (ie->pfs) 271 pfs = "yes"; 272 273 is = policy_isakmp_sa->data; 274 sprintf (phase1_group, "%u", is->group_desc); 275 276 for (proto = TAILQ_FIRST (&policy_sa->protos); proto; 277 proto = TAILQ_NEXT (proto, link)) 278 { 279 switch (proto->proto) 280 { 281 case IPSEC_PROTO_IPSEC_AH: 282 ah_present = "yes"; 283 switch (proto->id) 284 { 285 case IPSEC_AH_MD5: 286 ah_hash_alg = "md5"; 287 break; 288 289 case IPSEC_AH_SHA: 290 ah_hash_alg = "sha"; 291 break; 292 293 case IPSEC_AH_DES: 294 ah_hash_alg = "des"; 295 break; 296 } 297 298 break; 299 300 case IPSEC_PROTO_IPSEC_ESP: 301 esp_present = "yes"; 302 switch (proto->id) 303 { 304 case IPSEC_ESP_DES_IV64: 305 esp_enc_alg = "des-iv64"; 306 break; 307 308 case IPSEC_ESP_DES: 309 esp_enc_alg = "des"; 310 break; 311 312 case IPSEC_ESP_3DES: 313 esp_enc_alg = "3des"; 314 break; 315 316 case IPSEC_ESP_RC5: 317 esp_enc_alg = "rc5"; 318 break; 319 320 case IPSEC_ESP_IDEA: 321 esp_enc_alg = "idea"; 322 break; 323 324 case IPSEC_ESP_CAST: 325 esp_enc_alg = "cast"; 326 break; 327 328 case IPSEC_ESP_BLOWFISH: 329 esp_enc_alg = "blowfish"; 330 break; 331 332 case IPSEC_ESP_3IDEA: 333 esp_enc_alg = "3idea"; 334 break; 335 336 case IPSEC_ESP_DES_IV32: 337 esp_enc_alg = "des-iv32"; 338 break; 339 340 case IPSEC_ESP_RC4: 341 esp_enc_alg = "rc4"; 342 break; 343 344 case IPSEC_ESP_NULL: 345 esp_enc_alg = "null"; 346 break; 347 } 348 349 break; 350 351 case IPSEC_PROTO_IPCOMP: 352 comp_present = "yes"; 353 switch (proto->id) 354 { 355 case IPSEC_IPCOMP_OUI: 356 comp_alg = "oui"; 357 break; 358 359 case IPSEC_IPCOMP_DEFLATE: 360 comp_alg = "deflate"; 361 break; 362 363 case IPSEC_IPCOMP_LZS: 364 comp_alg = "lzs"; 365 break; 366 367 case IPSEC_IPCOMP_V42BIS: 368 comp_alg = "v42bis"; 369 break; 370 } 371 372 break; 373 } 374 375 for (attr = proto->chosen->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF; 376 attr 377 < proto->chosen->p + GET_ISAKMP_GEN_LENGTH (proto->chosen->p); 378 attr = value + len) 379 { 380 if (attr + ISAKMP_ATTR_VALUE_OFF 381 > (proto->chosen->p 382 + GET_ISAKMP_GEN_LENGTH (proto->chosen->p))) 383 return ""; 384 385 type = GET_ISAKMP_ATTR_TYPE (attr); 386 fmt = ISAKMP_ATTR_FORMAT (type); 387 type = ISAKMP_ATTR_TYPE (type); 388 value = attr + (fmt ? ISAKMP_ATTR_LENGTH_VALUE_OFF : 389 ISAKMP_ATTR_VALUE_OFF); 390 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : 391 GET_ISAKMP_ATTR_LENGTH_VALUE (attr)); 392 393 if (value + len > proto->chosen->p + 394 GET_ISAKMP_GEN_LENGTH (proto->chosen->p)) 395 return ""; 396 397 switch (type) 398 { 399 case IPSEC_ATTR_SA_LIFE_TYPE: 400 lifetype = decode_16 (value); 401 break; 402 403 case IPSEC_ATTR_SA_LIFE_DURATION: 404 switch (proto->proto) 405 { 406 case IPSEC_PROTO_IPSEC_AH: 407 if (lifetype == IPSEC_DURATION_SECONDS) 408 { 409 if (len == 2) 410 sprintf (ah_life_seconds, "%u", 411 decode_16 (value)); 412 else 413 sprintf (ah_life_seconds, "%u", 414 decode_32 (value)); 415 } 416 else 417 { 418 if (len == 2) 419 sprintf (ah_life_kbytes, "%u", 420 decode_16 (value)); 421 else 422 sprintf (ah_life_kbytes, "%u", 423 decode_32 (value)); 424 } 425 426 break; 427 428 case IPSEC_PROTO_IPSEC_ESP: 429 if (lifetype == IPSEC_DURATION_SECONDS) 430 { 431 if (len == 2) 432 sprintf (esp_life_seconds, "%u", 433 decode_16 (value)); 434 else 435 sprintf (esp_life_seconds, "%u", 436 decode_32 (value)); 437 } 438 else 439 { 440 if (len == 2) 441 sprintf (esp_life_kbytes, "%u", 442 decode_16 (value)); 443 else 444 sprintf (esp_life_kbytes, "%u", 445 decode_32 (value)); 446 } 447 448 break; 449 450 case IPSEC_PROTO_IPCOMP: 451 if (lifetype == IPSEC_DURATION_SECONDS) 452 { 453 if (len == 2) 454 sprintf (comp_life_seconds, "%u", 455 decode_16 (value)); 456 else 457 sprintf (comp_life_seconds, "%u", 458 decode_32 (value)); 459 } 460 else 461 { 462 if (len == 2) 463 sprintf (comp_life_kbytes, "%u", 464 decode_16 (value)); 465 else 466 sprintf (comp_life_kbytes, "%u", 467 decode_32 (value)); 468 } 469 470 break; 471 } 472 break; 473 474 case IPSEC_ATTR_GROUP_DESCRIPTION: 475 switch (proto->proto) 476 { 477 case IPSEC_PROTO_IPSEC_AH: 478 sprintf (ah_group_desc, "%u", decode_16 (value)); 479 break; 480 481 case IPSEC_PROTO_IPSEC_ESP: 482 sprintf (esp_group_desc, "%u", 483 decode_16 (value)); 484 break; 485 486 case IPSEC_PROTO_IPCOMP: 487 sprintf (comp_group_desc, "%u", 488 decode_16 (value)); 489 break; 490 } 491 break; 492 493 case IPSEC_ATTR_ENCAPSULATION_MODE: 494 if (decode_16 (value) == IPSEC_ENCAP_TUNNEL) 495 switch (proto->proto) 496 { 497 case IPSEC_PROTO_IPSEC_AH: 498 ah_encapsulation = "tunnel"; 499 break; 500 501 case IPSEC_PROTO_IPSEC_ESP: 502 esp_encapsulation = "tunnel"; 503 break; 504 505 case IPSEC_PROTO_IPCOMP: 506 comp_encapsulation = "tunnel"; 507 break; 508 } 509 else 510 switch (proto->proto) 511 { 512 case IPSEC_PROTO_IPSEC_AH: 513 ah_encapsulation = "transport"; 514 break; 515 516 case IPSEC_PROTO_IPSEC_ESP: 517 esp_encapsulation = "transport"; 518 break; 519 520 case IPSEC_PROTO_IPCOMP: 521 comp_encapsulation = "transport"; 522 break; 523 } 524 break; 525 526 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: 527 switch (proto->proto) 528 { 529 case IPSEC_PROTO_IPSEC_AH: 530 switch (decode_16 (value)) 531 { 532 case IPSEC_AUTH_HMAC_MD5: 533 ah_auth_alg = "hmac-md5"; 534 break; 535 536 case IPSEC_AUTH_HMAC_SHA: 537 ah_auth_alg = "hmac-sha"; 538 break; 539 540 case IPSEC_AUTH_DES_MAC: 541 ah_auth_alg = "des-mac"; 542 break; 543 544 case IPSEC_AUTH_KPDK: 545 ah_auth_alg = "kpdk"; 546 break; 547 } 548 break; 549 550 case IPSEC_PROTO_IPSEC_ESP: 551 switch (decode_16 (value)) 552 { 553 case IPSEC_AUTH_HMAC_MD5: 554 esp_auth_alg = "hmac-md5"; 555 break; 556 557 case IPSEC_AUTH_HMAC_SHA: 558 esp_auth_alg = "hmac-sha"; 559 break; 560 561 case IPSEC_AUTH_DES_MAC: 562 esp_auth_alg = "des-mac"; 563 break; 564 565 case IPSEC_AUTH_KPDK: 566 esp_auth_alg = "kpdk"; 567 break; 568 } 569 break; 570 } 571 break; 572 573 case IPSEC_ATTR_KEY_LENGTH: 574 switch (proto->proto) 575 { 576 case IPSEC_PROTO_IPSEC_AH: 577 sprintf (ah_key_length, "%u", decode_16 (value)); 578 break; 579 580 case IPSEC_PROTO_IPSEC_ESP: 581 sprintf (esp_key_length, "%u", 582 decode_16 (value)); 583 break; 584 } 585 break; 586 587 case IPSEC_ATTR_KEY_ROUNDS: 588 switch (proto->proto) 589 { 590 case IPSEC_PROTO_IPSEC_AH: 591 sprintf (ah_key_rounds, "%u", decode_16 (value)); 592 break; 593 594 case IPSEC_PROTO_IPSEC_ESP: 595 sprintf (esp_key_rounds, "%u", 596 decode_16 (value)); 597 break; 598 } 599 break; 600 601 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: 602 sprintf (comp_dict_size, "%u", decode_16 (value)); 603 break; 604 605 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: 606 sprintf (comp_private_alg, "%u", decode_16 (value)); 607 break; 608 } 609 } 610 } 611 612 /* XXX IPv4-specific. */ 613 policy_sa->transport->vtbl->get_src (policy_sa->transport, 614 (struct sockaddr **) &sin, &fmt); 615 my_inet_ntop4 (&(sin->sin_addr.s_addr), local_ike_address, 616 sizeof local_ike_address - 1, 0); 617 618 policy_sa->transport->vtbl->get_dst (policy_sa->transport, 619 (struct sockaddr **) &sin, &fmt); 620 my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_ike_address, 621 sizeof remote_ike_address - 1, 0); 622 623 switch (policy_isakmp_sa->exch_type) 624 { 625 case ISAKMP_EXCH_AGGRESSIVE: 626 phase_1 = "aggressive"; 627 break; 628 629 case ISAKMP_EXCH_ID_PROT: 630 phase_1 = "main"; 631 break; 632 } 633 634 if (policy_isakmp_sa->initiator) 635 { 636 id = policy_isakmp_sa->id_r; 637 id_sz = policy_isakmp_sa->id_r_len; 638 } 639 else 640 { 641 id = policy_isakmp_sa->id_i; 642 id_sz = policy_isakmp_sa->id_i_len; 643 } 644 645 switch (id[0]) 646 { 647 case IPSEC_ID_IPV4_ADDR: 648 remote_id_type = "IPv4 address"; 649 650 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 651 my_inet_ntop4 (&net, remote_id_addr_upper, 652 sizeof remote_id_addr_upper - 1, 1); 653 my_inet_ntop4 (&net, remote_id_addr_lower, 654 sizeof remote_id_addr_lower - 1, 1); 655 remote_id = strdup (remote_id_addr_upper); 656 if (!remote_id) 657 { 658 log_print ("policy_callback: strdup (\"%s\") failed", 659 remote_id_addr_upper); 660 goto bad; 661 } 662 break; 663 664 case IPSEC_ID_IPV4_RANGE: 665 remote_id_type = "IPv4 range"; 666 667 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 668 my_inet_ntop4 (&net, remote_id_addr_lower, 669 sizeof remote_id_addr_lower - 1, 1); 670 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 671 my_inet_ntop4 (&net, remote_id_addr_upper, 672 sizeof remote_id_addr_upper - 1, 1); 673 remote_id = calloc (strlen (remote_id_addr_upper) 674 + strlen (remote_id_addr_lower) + 2, 675 sizeof (char)); 676 if (!remote_id) 677 { 678 log_print ("policy_callback: calloc (%d, %d) failed", 679 strlen (remote_id_addr_upper) 680 + strlen (remote_id_addr_lower) + 2, 681 sizeof (char)); 682 goto bad; 683 } 684 685 strcpy (remote_id, remote_id_addr_lower); 686 remote_id[strlen (remote_id_addr_lower)] = '-'; 687 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 688 remote_id_addr_upper); 689 break; 690 691 case IPSEC_ID_IPV4_ADDR_SUBNET: 692 remote_id_type = "IPv4 subnet"; 693 694 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 695 subnet = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 696 net &= subnet; 697 my_inet_ntop4 (&net, remote_id_addr_lower, 698 sizeof remote_id_addr_lower - 1, 1); 699 net |= ~subnet; 700 my_inet_ntop4 (&net, remote_id_addr_upper, 701 sizeof remote_id_addr_upper - 1, 1); 702 remote_id = calloc (strlen (remote_id_addr_upper) 703 + strlen (remote_id_addr_lower) + 2, 704 sizeof (char)); 705 if (!remote_id) 706 { 707 log_print ("policy_callback: calloc (%d, %d) failed", 708 strlen (remote_id_addr_upper) 709 + strlen (remote_id_addr_lower) + 2, 710 sizeof (char)); 711 goto bad; 712 } 713 714 strcpy (remote_id, remote_id_addr_lower); 715 remote_id[strlen (remote_id_addr_lower)] = '-'; 716 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 717 remote_id_addr_upper); 718 break; 719 720 case IPSEC_ID_IPV6_ADDR: /* XXX we need decode_128 (). */ 721 remote_id_type = "IPv6 address"; 722 break; 723 724 case IPSEC_ID_IPV6_RANGE: /* XXX we need decode_128 (). */ 725 remote_id_type = "IPv6 range"; 726 break; 727 728 case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX we need decode_128 (). */ 729 remote_id_type = "IPv6 address"; 730 break; 731 732 case IPSEC_ID_FQDN: 733 remote_id_type = "FQDN"; 734 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 735 sizeof (char)); 736 if (!remote_id) 737 { 738 log_print ("policy_callback: calloc (%d, %d) failed", 739 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 740 sizeof (char)); 741 goto bad; 742 } 743 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 744 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 745 break; 746 747 case IPSEC_ID_USER_FQDN: 748 remote_id_type = "User FQDN"; 749 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 750 sizeof (char)); 751 if (!remote_id) 752 { 753 log_print ("policy_callback: calloc (%d, %d) failed", 754 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 755 sizeof (char)); 756 goto bad; 757 } 758 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 759 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 760 break; 761 762 case IPSEC_ID_DER_ASN1_DN: /* XXX -- not sure what's in this. */ 763 remote_id_type = "ASN1 DN"; 764 break; 765 766 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 767 remote_id_type = "ASN1 GN"; 768 break; 769 770 case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */ 771 remote_id_type = "Key ID"; 772 break; 773 774 default: 775 log_print ("policy_callback: unknown remote ID type %u", id[0]); 776 goto bad; 777 } 778 779 switch (id[1]) 780 { 781 case IPPROTO_TCP: 782 remote_id_proto = "tcp"; 783 break; 784 785 case IPPROTO_UDP: 786 remote_id_proto = "udp"; 787 break; 788 789#ifdef IPPROTO_ETHERIP 790 case IPPROTO_ETHERIP: 791 remote_id_proto = "etherip"; 792 break; 793#endif 794 795 default: 796 sprintf (remote_id_proto_num, "%2d", id[1]); 797 remote_id_proto = remote_id_proto_num; 798 break; 799 } 800 801 snprintf (remote_id_port, sizeof remote_id_port - 1, "%u", 802 decode_16 (id + 2)); 803 804 if (policy_exchange->initiator) 805 { 806 initiator = "yes"; 807 idlocal = ie->id_ci; 808 idremote = ie->id_cr; 809 idlocalsz = ie->id_ci_sz; 810 idremotesz = ie->id_cr_sz; 811 } 812 else 813 { 814 initiator = "no"; 815 idlocal = ie->id_cr; 816 idremote = ie->id_ci; 817 idlocalsz = ie->id_cr_sz; 818 idremotesz = ie->id_ci_sz; 819 } 820 821 /* Initialize the ID variables. */ 822 if (idremote) 823 { 824 switch (GET_ISAKMP_ID_TYPE (idremote)) 825 { 826 case IPSEC_ID_IPV4_ADDR: 827 remote_filter_type = "IPv4 address"; 828 829 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 830 my_inet_ntop4 (&net, remote_filter_addr_upper, 831 sizeof remote_filter_addr_upper - 1, 1); 832 my_inet_ntop4 (&net, remote_filter_addr_lower, 833 sizeof (remote_filter_addr_lower) - 1, 1); 834 remote_filter = strdup (remote_filter_addr_upper); 835 if (!remote_filter) 836 { 837 log_print ("policy_callback: strdup (\"%s\") failed", 838 remote_filter_addr_upper); 839 goto bad; 840 } 841 break; 842 843 case IPSEC_ID_IPV4_RANGE: 844 remote_filter_type = "IPv4 range"; 845 846 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 847 my_inet_ntop4 (&net, remote_filter_addr_lower, 848 sizeof remote_filter_addr_lower - 1, 1); 849 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 850 my_inet_ntop4 (&net, remote_filter_addr_upper, 851 sizeof remote_filter_addr_upper - 1, 1); 852 remote_filter = calloc (strlen (remote_filter_addr_upper) 853 + strlen (remote_filter_addr_lower) + 2, 854 sizeof (char)); 855 if (!remote_filter) 856 { 857 log_print ("policy_callback: calloc (%d, %d) failed", 858 strlen (remote_filter_addr_upper) 859 + strlen (remote_filter_addr_lower) + 2, 860 sizeof (char)); 861 goto bad; 862 } 863 strcpy (remote_filter, remote_filter_addr_lower); 864 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 865 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 866 remote_filter_addr_upper); 867 break; 868 869 case IPSEC_ID_IPV4_ADDR_SUBNET: 870 remote_filter_type = "IPv4 subnet"; 871 872 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 873 subnet = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 874 net &= subnet; 875 my_inet_ntop4 (&net, remote_filter_addr_lower, 876 sizeof remote_filter_addr_lower - 1, 1); 877 net |= ~subnet; 878 my_inet_ntop4 (&net, remote_filter_addr_upper, 879 sizeof remote_filter_addr_upper - 1, 1); 880 remote_filter = calloc (strlen (remote_filter_addr_upper) 881 + strlen (remote_filter_addr_lower) + 2, 882 sizeof (char)); 883 if (!remote_filter) 884 { 885 log_print ("policy_callback: calloc (%d, %d) failed", 886 strlen (remote_filter_addr_upper) 887 + strlen (remote_filter_addr_lower) + 2, 888 sizeof (char)); 889 goto bad; 890 } 891 strcpy (remote_filter, remote_filter_addr_lower); 892 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 893 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 894 remote_filter_addr_upper); 895 break; 896 897 case IPSEC_ID_IPV6_ADDR: /* XXX we need decode_128 (). */ 898 remote_filter_type = "IPv6 address"; 899 break; 900 901 case IPSEC_ID_IPV6_RANGE: /* XXX we need decode_128 (). */ 902 remote_filter_type = "IPv6 range"; 903 break; 904 905 case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX we need decode_128 (). */ 906 remote_filter_type = "IPv6 address"; 907 break; 908 909 case IPSEC_ID_FQDN: 910 remote_filter_type = "FQDN"; 911 remote_filter = calloc (idremotesz - ISAKMP_ID_DATA_OFF + 1, 912 sizeof (char)); 913 if (!remote_filter) 914 { 915 log_print ("policy_callback: calloc (%d, %d) failed", 916 idremotesz - ISAKMP_ID_DATA_OFF + 1, 917 sizeof (char)); 918 goto bad; 919 } 920 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 921 idremotesz); 922 break; 923 924 case IPSEC_ID_USER_FQDN: 925 remote_filter_type = "User FQDN"; 926 remote_filter = calloc (idremotesz - ISAKMP_ID_DATA_OFF + 1, 927 sizeof (char)); 928 if (!remote_filter) 929 { 930 log_print ("policy_callback: calloc (%d, %d) failed", 931 idremotesz - ISAKMP_ID_DATA_OFF + 1, 932 sizeof (char)); 933 goto bad; 934 } 935 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 936 idremotesz); 937 break; 938 939 case IPSEC_ID_DER_ASN1_DN: /* XXX -- not sure what's in this. */ 940 remote_filter_type = "ASN1 DN"; 941 break; 942 943 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 944 remote_filter_type = "ASN1 GN"; 945 break; 946 947 case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */ 948 remote_filter_type = "Key ID"; 949 break; 950 951 default: 952 log_print ("policy_callback: unknown Remote ID type %u", 953 GET_ISAKMP_ID_TYPE (idremote)); 954 goto bad; 955 } 956 957 switch (idremote[ISAKMP_GEN_SZ + 1]) 958 { 959 case IPPROTO_TCP: 960 remote_filter_proto = "tcp"; 961 break; 962 963 case IPPROTO_UDP: 964 remote_filter_proto = "udp"; 965 break; 966 967#ifdef IPPROTO_ETHERIP 968 case IPPROTO_ETHERIP: 969 remote_filter_proto = "etherip"; 970 break; 971#endif 972 973 default: 974 sprintf (remote_filter_proto_num, "%2d", idremote[ISAKMP_GEN_SZ + 1]); 975 remote_filter_proto = remote_filter_proto_num; 976 break; 977 } 978 979 snprintf (remote_filter_port, sizeof remote_filter_port - 1, 980 "%u", decode_16 (idremote + ISAKMP_GEN_SZ + 2)); 981 } 982 else 983 { 984 policy_sa->transport->vtbl->get_dst (policy_sa->transport, 985 (struct sockaddr **) &sin, 986 &fmt); 987 remote_filter_type = "IPv4 address"; 988 989 my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_filter_addr_upper, 990 sizeof remote_filter_addr_upper - 1, 0); 991 my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_filter_addr_lower, 992 sizeof remote_filter_addr_lower - 1, 0); 993 remote_filter = strdup (remote_filter_addr_upper); 994 if (!remote_filter) 995 { 996 log_print ("policy_callback: strdup (\"%s\") failed", 997 remote_filter_addr_upper); 998 goto bad; 999 } 1000 } 1001 1002 if (idlocal) 1003 { 1004 switch (GET_ISAKMP_ID_TYPE (idlocal)) 1005 { 1006 case IPSEC_ID_IPV4_ADDR: 1007 local_filter_type = "IPv4 address"; 1008 1009 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1010 my_inet_ntop4 (&net, local_filter_addr_upper, 1011 sizeof local_filter_addr_upper - 1, 1); 1012 my_inet_ntop4 (&net, local_filter_addr_lower, 1013 sizeof local_filter_addr_upper - 1, 1); 1014 local_filter = strdup (local_filter_addr_upper); 1015 if (!local_filter) 1016 { 1017 log_print ("policy_callback: strdup (\"%s\") failed", 1018 local_filter_addr_upper); 1019 goto bad; 1020 } 1021 break; 1022 1023 case IPSEC_ID_IPV4_RANGE: 1024 local_filter_type = "IPv4 range"; 1025 1026 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1027 my_inet_ntop4 (&net, local_filter_addr_lower, 1028 sizeof local_filter_addr_lower - 1, 1); 1029 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1030 my_inet_ntop4 (&net, local_filter_addr_upper, 1031 sizeof local_filter_addr_upper - 1, 1); 1032 local_filter = calloc (strlen (local_filter_addr_upper) 1033 + strlen (local_filter_addr_lower) + 2, 1034 sizeof (char)); 1035 if (!local_filter) 1036 { 1037 log_print ("policy_callback: calloc (%d, %d) failed", 1038 strlen (local_filter_addr_upper) 1039 + strlen (local_filter_addr_lower) + 2, 1040 sizeof (char)); 1041 goto bad; 1042 } 1043 strcpy (local_filter, local_filter_addr_lower); 1044 local_filter[strlen (local_filter_addr_lower)] = '-'; 1045 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1046 local_filter_addr_upper); 1047 break; 1048 1049 case IPSEC_ID_IPV4_ADDR_SUBNET: 1050 local_filter_type = "IPv4 subnet"; 1051 1052 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1053 subnet = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1054 net &= subnet; 1055 my_inet_ntop4 (&net, local_filter_addr_lower, 1056 sizeof local_filter_addr_lower - 1, 1); 1057 net |= ~subnet; 1058 my_inet_ntop4 (&net, local_filter_addr_upper, 1059 sizeof local_filter_addr_upper - 1, 1); 1060 local_filter = calloc (strlen (local_filter_addr_upper) 1061 + strlen (local_filter_addr_lower) + 2, 1062 sizeof (char)); 1063 if (!local_filter) 1064 { 1065 log_print ("policy_callback: calloc (%d, %d) failed", 1066 strlen (local_filter_addr_upper) 1067 + strlen (local_filter_addr_lower) + 2, 1068 sizeof (char)); 1069 goto bad; 1070 } 1071 strcpy (local_filter, local_filter_addr_lower); 1072 local_filter[strlen (local_filter_addr_lower)] = '-'; 1073 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1074 local_filter_addr_upper); 1075 break; 1076 1077 case IPSEC_ID_IPV6_ADDR: /* XXX we need decode_128 (). */ 1078 local_filter_type = "IPv6 address"; 1079 break; 1080 1081 case IPSEC_ID_IPV6_RANGE: /* XXX we need decode_128 (). */ 1082 local_filter_type = "IPv6 range"; 1083 break; 1084 1085 case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX we need decode_128 (). */ 1086 local_filter_type = "IPv6 address"; 1087 break; 1088 1089 case IPSEC_ID_FQDN: 1090 local_filter_type = "FQDN"; 1091 local_filter = calloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1092 sizeof (char)); 1093 if (!local_filter) 1094 { 1095 log_print ("policy_callback: calloc (%d, %d) failed", 1096 idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1097 sizeof (char)); 1098 goto bad; 1099 } 1100 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1101 idlocalsz); 1102 break; 1103 1104 case IPSEC_ID_USER_FQDN: 1105 local_filter_type = "User FQDN"; 1106 local_filter = calloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1107 sizeof (char)); 1108 if (!local_filter) 1109 { 1110 log_print ("policy_callback: calloc (%d, %d) failed", 1111 idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1112 sizeof (char)); 1113 goto bad; 1114 } 1115 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1116 idlocalsz); 1117 break; 1118 1119 case IPSEC_ID_DER_ASN1_DN: /* XXX -- not sure what's in this. */ 1120 local_filter_type = "ASN1 DN"; 1121 break; 1122 1123 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 1124 local_filter_type = "ASN1 GN"; 1125 break; 1126 1127 case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */ 1128 local_filter_type = "Key ID"; 1129 break; 1130 1131 default: 1132 log_print ("policy_callback: unknown Local ID type %u", 1133 GET_ISAKMP_ID_TYPE (idlocal)); 1134 goto bad; 1135 } 1136 1137 switch (idlocal[ISAKMP_GEN_SZ + 1]) 1138 { 1139 case IPPROTO_TCP: 1140 local_filter_proto = "tcp"; 1141 break; 1142 1143 case IPPROTO_UDP: 1144 local_filter_proto = "udp"; 1145 break; 1146 1147#ifdef IPPROTO_ETHERIP 1148 case IPPROTO_ETHERIP: 1149 local_filter_proto = "etherip"; 1150 break; 1151#endif 1152 1153 default: 1154 sprintf (local_filter_proto_num, "%2d", idlocal[ISAKMP_GEN_SZ + 1]); 1155 local_filter_proto = local_filter_proto_num; 1156 break; 1157 } 1158 1159 snprintf (local_filter_port, sizeof local_filter_port - 1, 1160 "%u", decode_16 (idlocal + ISAKMP_GEN_SZ + 2)); 1161 } 1162 else 1163 { 1164 policy_sa->transport->vtbl->get_src (policy_sa->transport, 1165 (struct sockaddr **) &sin, 1166 &fmt); 1167 1168 local_filter_type = "IPv4 address"; 1169 1170 my_inet_ntop4 (&(sin->sin_addr.s_addr), local_filter_addr_upper, 1171 sizeof local_filter_addr_upper - 1, 0); 1172 my_inet_ntop4 (&(sin->sin_addr.s_addr), local_filter_addr_lower, 1173 sizeof local_filter_addr_lower - 1, 0); 1174 local_filter = strdup (local_filter_addr_upper); 1175 if (!local_filter) 1176 { 1177 log_print ("policy_callback: strdup (\"%s\") failed", 1178 local_filter_addr_upper); 1179 goto bad; 1180 } 1181 } 1182 1183 LOG_DBG ((LOG_SA, 80, "Policy context (action attributes):")); 1184 LOG_DBG ((LOG_SA, 80, "esp_present == %s", esp_present)); 1185 LOG_DBG ((LOG_SA, 80, "ah_present == %s", ah_present)); 1186 LOG_DBG ((LOG_SA, 80, "comp_present == %s", comp_present)); 1187 LOG_DBG ((LOG_SA, 80, "ah_hash_alg == %s", ah_hash_alg)); 1188 LOG_DBG ((LOG_SA, 80, "esp_enc_alg == %s", esp_enc_alg)); 1189 LOG_DBG ((LOG_SA, 80, "comp_alg == %s", comp_alg)); 1190 LOG_DBG ((LOG_SA, 80, "ah_auth_alg == %s", ah_auth_alg)); 1191 LOG_DBG ((LOG_SA, 80, "esp_auth_alg == %s", esp_auth_alg)); 1192 LOG_DBG ((LOG_SA, 80, "ah_life_seconds == %s", ah_life_seconds)); 1193 LOG_DBG ((LOG_SA, 80, "ah_life_kbytes == %s", ah_life_kbytes)); 1194 LOG_DBG ((LOG_SA, 80, "esp_life_seconds == %s", esp_life_seconds)); 1195 LOG_DBG ((LOG_SA, 80, "esp_life_kbytes == %s", esp_life_kbytes)); 1196 LOG_DBG ((LOG_SA, 80, "comp_life_seconds == %s", comp_life_seconds)); 1197 LOG_DBG ((LOG_SA, 80, "comp_life_kbytes == %s", comp_life_kbytes)); 1198 LOG_DBG ((LOG_SA, 80, "ah_encapsulation == %s", ah_encapsulation)); 1199 LOG_DBG ((LOG_SA, 80, "esp_encapsulation == %s", esp_encapsulation)); 1200 LOG_DBG ((LOG_SA, 80, "comp_encapsulation == %s", comp_encapsulation)); 1201 LOG_DBG ((LOG_SA, 80, "comp_dict_size == %s", comp_dict_size)); 1202 LOG_DBG ((LOG_SA, 80, "comp_private_alg == %s", comp_private_alg)); 1203 LOG_DBG ((LOG_SA, 80, "ah_key_length == %s", ah_key_length)); 1204 LOG_DBG ((LOG_SA, 80, "ah_key_rounds == %s", ah_key_rounds)); 1205 LOG_DBG ((LOG_SA, 80, "esp_key_length == %s", esp_key_length)); 1206 LOG_DBG ((LOG_SA, 80, "esp_key_rounds == %s", esp_key_rounds)); 1207 LOG_DBG ((LOG_SA, 80, "ah_group_desc == %s", ah_group_desc)); 1208 LOG_DBG ((LOG_SA, 80, "esp_group_desc == %s", esp_group_desc)); 1209 LOG_DBG ((LOG_SA, 80, "comp_group_desc == %s", comp_group_desc)); 1210 LOG_DBG ((LOG_SA, 80, "remote_filter_type == %s", remote_filter_type)); 1211 LOG_DBG ((LOG_SA, 80, "remote_filter_addr_upper == %s", remote_filter_addr_upper)); 1212 LOG_DBG ((LOG_SA, 80, "remote_filter_addr_lower == %s", remote_filter_addr_lower)); 1213 LOG_DBG ((LOG_SA, 80, "remote_filter == %s", remote_filter)); 1214 LOG_DBG ((LOG_SA, 80, "remote_filter_port == %s", remote_filter_port)); 1215 LOG_DBG ((LOG_SA, 80, "remote_filter_proto == %s", remote_filter_proto)); 1216 LOG_DBG ((LOG_SA, 80, "local_filter_type == %s", local_filter_type)); 1217 LOG_DBG ((LOG_SA, 80, "local_filter_addr_upper == %s", local_filter_addr_upper)); 1218 LOG_DBG ((LOG_SA, 80, "local_filter_addr_lower == %s", local_filter_addr_lower)); 1219 LOG_DBG ((LOG_SA, 80, "local_filter == %s", local_filter)); 1220 LOG_DBG ((LOG_SA, 80, "local_filter_port == %s", local_filter_port)); 1221 LOG_DBG ((LOG_SA, 80, "local_filter_proto == %s", local_filter_proto)); 1222 LOG_DBG ((LOG_SA, 80, "remote_id_type == %s", remote_id_type)); 1223 LOG_DBG ((LOG_SA, 80, "remote_id_addr_upper == %s", remote_id_addr_upper)); 1224 LOG_DBG ((LOG_SA, 80, "remote_id_addr_lower == %s", remote_id_addr_lower)); 1225 LOG_DBG ((LOG_SA, 80, "remote_id == %s", remote_id)); 1226 LOG_DBG ((LOG_SA, 80, "remote_id_port == %s", remote_id_port)); 1227 LOG_DBG ((LOG_SA, 80, "remote_id_proto == %s", remote_id_proto)); 1228 LOG_DBG ((LOG_SA, 80, "remote_negotiation_address == %s", remote_ike_address)); 1229 LOG_DBG ((LOG_SA, 80, "local_negotiation_address == %s", local_ike_address)); 1230 LOG_DBG ((LOG_SA, 80, "pfs == %s", pfs)); 1231 LOG_DBG ((LOG_SA, 80, "initiator == %s", initiator)); 1232 LOG_DBG ((LOG_SA, 80, "phase1_group_desc == %s", phase1_group)); 1233 1234 /* Unset dirty now. */ 1235 dirty = 0; 1236 } 1237 1238 if (strcmp (name, "phase_1") == 0) 1239 return phase_1; 1240 1241 if (strcmp (name, "GMTTimeOfDay") == 0) 1242 { 1243 tt = time ((time_t) NULL); 1244 strftime (mytimeofday, 14, "%G%m%d%H%M%S", gmtime (&tt)); 1245 return mytimeofday; 1246 } 1247 1248 if (strcmp (name, "LocalTimeOfDay") == 0) 1249 { 1250 tt = time ((time_t) NULL); 1251 strftime (mytimeofday, 14, "%G%m%d%H%M%S", localtime (&tt)); 1252 return mytimeofday; 1253 } 1254 1255 if (strcmp (name, "initiator") == 0) 1256 return initiator; 1257 1258 if (strcmp (name, "pfs") == 0) 1259 return pfs; 1260 1261 if (strcmp (name, "app_domain") == 0) 1262 return "IPsec policy"; 1263 1264 if (strcmp (name, "doi") == 0) 1265 return "ipsec"; 1266 1267 if (strcmp (name, "esp_present") == 0) 1268 return esp_present; 1269 1270 if (strcmp (name, "ah_present") == 0) 1271 return ah_present; 1272 1273 if (strcmp (name, "comp_present") == 0) 1274 return comp_present; 1275 1276 if (strcmp (name, "ah_hash_alg") == 0) 1277 return ah_hash_alg; 1278 1279 if (strcmp (name, "ah_auth_alg") == 0) 1280 return ah_auth_alg; 1281 1282 if (strcmp (name, "esp_auth_alg") == 0) 1283 return esp_auth_alg; 1284 1285 if (strcmp (name, "esp_enc_alg") == 0) 1286 return esp_enc_alg; 1287 1288 if (strcmp (name, "comp_alg") == 0) 1289 return comp_alg; 1290 1291 if (strcmp (name, "ah_life_kbytes") == 0) 1292 return ah_life_kbytes; 1293 1294 if (strcmp (name, "ah_life_seconds") == 0) 1295 return ah_life_seconds; 1296 1297 if (strcmp (name, "esp_life_kbytes") == 0) 1298 return esp_life_kbytes; 1299 1300 if (strcmp (name, "esp_life_seconds") == 0) 1301 return esp_life_seconds; 1302 1303 if (strcmp (name, "comp_life_kbytes") == 0) 1304 return comp_life_kbytes; 1305 1306 if (strcmp (name, "comp_life_seconds") == 0) 1307 return comp_life_seconds; 1308 1309 if (strcmp (name, "ah_encapsulation") == 0) 1310 return ah_encapsulation; 1311 1312 if (strcmp (name, "esp_encapsulation") == 0) 1313 return esp_encapsulation; 1314 1315 if (strcmp (name, "comp_encapsulation") == 0) 1316 return comp_encapsulation; 1317 1318 if (strcmp (name, "ah_key_length") == 0) 1319 return ah_key_length; 1320 1321 if (strcmp (name, "ah_key_rounds") == 0) 1322 return ah_key_rounds; 1323 1324 if (strcmp (name, "esp_key_length") == 0) 1325 return esp_key_length; 1326 1327 if (strcmp (name, "esp_key_rounds") == 0) 1328 return esp_key_rounds; 1329 1330 if (strcmp (name, "comp_dict_size") == 0) 1331 return comp_dict_size; 1332 1333 if (strcmp (name, "comp_private_alg") == 0) 1334 return comp_private_alg; 1335 1336 if (strcmp (name, "remote_filter_type") == 0) 1337 return remote_filter_type; 1338 1339 if (strcmp (name, "remote_filter") == 0) 1340 return remote_filter; 1341 1342 if (strcmp (name, "remote_filter_addr_upper") == 0) 1343 return remote_filter_addr_upper; 1344 1345 if (strcmp (name, "remote_filter_addr_lower") == 0) 1346 return remote_filter_addr_lower; 1347 1348 if (strcmp (name, "remote_filter_port") == 0) 1349 return remote_filter_port; 1350 1351 if (strcmp (name, "remote_filter_proto") == 0) 1352 return remote_filter_proto; 1353 1354 if (strcmp (name, "local_filter_type") == 0) 1355 return local_filter_type; 1356 1357 if (strcmp (name, "local_filter") == 0) 1358 return local_filter; 1359 1360 if (strcmp (name, "local_filter_addr_upper") == 0) 1361 return local_filter_addr_upper; 1362 1363 if (strcmp (name, "local_filter_addr_lower") == 0) 1364 return local_filter_addr_lower; 1365 1366 if (strcmp (name, "local_filter_port") == 0) 1367 return local_filter_port; 1368 1369 if (strcmp (name, "local_filter_proto") == 0) 1370 return local_filter_proto; 1371 1372 if (strcmp (name, "remote_ike_address") == 0) 1373 return remote_ike_address; 1374 1375 if (strcmp (name, "remote_negotiation_address") == 0) 1376 return remote_ike_address; 1377 1378 if (strcmp (name, "local_ike_address") == 0) 1379 return local_ike_address; 1380 1381 if (strcmp (name, "local_negotiation_address") == 0) 1382 return local_ike_address; 1383 1384 if (strcmp (name, "remote_id_type") == 0) 1385 return remote_id_type; 1386 1387 if (strcmp (name, "remote_id") == 0) 1388 return remote_id; 1389 1390 if (strcmp (name, "remote_id_addr_upper") == 0) 1391 return remote_id_addr_upper; 1392 1393 if (strcmp (name, "remote_id_addr_lower") == 0) 1394 return remote_id_addr_lower; 1395 1396 if (strcmp (name, "remote_id_port") == 0) 1397 return remote_id_port; 1398 1399 if (strcmp (name, "remote_id_proto") == 0) 1400 return remote_id_proto; 1401 1402 if (strcmp (name, "phase1_group_desc") == 0) 1403 return phase1_group; 1404 1405 return ""; 1406 1407 bad: 1408 policy_callback (KEYNOTE_CALLBACK_INITIALIZE); 1409 return ""; 1410} 1411 1412void 1413policy_init (void) 1414{ 1415 char *ptr, *policy_file; 1416 char **asserts; 1417 struct stat st; 1418 int fd, len, i; 1419 1420 LOG_DBG ((LOG_MISC, 50, "policy_init: initializing")); 1421 1422#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) 1423 if (!dyn_load (libkeynote_script)) 1424 return; 1425#endif 1426 1427 /* If there exists a session already, release all its resources. */ 1428 if (keynote_sessid != -1) 1429 LK (kn_close, (keynote_sessid)); 1430 1431 /* Initialize a session. */ 1432 keynote_sessid = LK (kn_init, ()); 1433 if (keynote_sessid == -1) 1434 log_fatal ("policy_init: kn_init () failed"); 1435 1436 /* Get policy file from configuration. */ 1437 policy_file = conf_get_str ("General", "policy-file"); 1438 if (!policy_file) 1439 policy_file = POLICY_FILE_DEFAULT; 1440 1441 /* Open policy file. */ 1442 fd = open (policy_file, O_RDONLY); 1443 if (fd == -1) 1444 log_fatal ("policy_init: open (\"%s\", O_RDONLY) failed", policy_file); 1445 1446 /* Get size. */ 1447 if (fstat (fd, &st) == -1) 1448 log_fatal ("policy_init: fstat (%d, &st) failed", fd); 1449 1450 /* Allocate memory to keep policies. */ 1451 ptr = calloc (st.st_size + 1, sizeof (char)); 1452 if (!ptr) 1453 log_fatal ("policy_init: calloc (%d, %d) failed", st.st_size, 1454 sizeof (char)); 1455 1456 /* Just in case there are short reads... */ 1457 for (len = 0; len < st.st_size; len += i) 1458 { 1459 i = read (fd, ptr + len, st.st_size - len); 1460 if (i == -1) 1461 log_fatal ("policy_init: read (%d, %p, %d) failed", fd, ptr + len, 1462 st.st_size - len); 1463 } 1464 1465 /* We're done with this. */ 1466 close (fd); 1467 1468 /* Parse buffer, break up into individual policies. */ 1469 asserts = LK (kn_read_asserts, (ptr, st.st_size, &i)); 1470 1471 /* Begone! */ 1472 free (ptr); 1473 1474 /* Add each individual policy in the session. */ 1475 for (fd = 0; fd < i; fd++) 1476 { 1477 if (LK (kn_add_assertion, (keynote_sessid, asserts[fd], 1478 strlen (asserts[fd]), ASSERT_FLAG_LOCAL)) 1479 == -1) 1480 log_print ("policy_init: " 1481 "kn_add_assertion (%d, %p, %d, ASSERT_FLAG_LOCAL) failed", 1482 keynote_sessid, asserts[fd], strlen (asserts[fd])); 1483 } 1484 1485 /* Cleanup */ 1486 if (keynote_policy_asserts) 1487 { 1488 for (fd = 0; fd < keynote_policy_asserts_num; fd++) 1489 if (keynote_policy_asserts && keynote_policy_asserts[fd]) 1490 free (keynote_policy_asserts[fd]); 1491 1492 free (keynote_policy_asserts); 1493 } 1494 1495 keynote_policy_asserts = asserts; 1496 keynote_policy_asserts_num = i; 1497} 1498 1499/* Nothing needed for initialization */ 1500int 1501keynote_cert_init (void) 1502{ 1503 return 1; 1504} 1505 1506/* Just copy and return */ 1507void * 1508keynote_cert_get (u_int8_t *data, u_int32_t len) 1509{ 1510 char *foo = calloc (len + 1, sizeof(char)); 1511 1512 if (foo == NULL) 1513 return NULL; 1514 1515 memcpy (foo, data, len); 1516 return foo; 1517} 1518 1519/* 1520 * We just verify the signature on the certificates. 1521 * XXX Is this the right thing to do -- verify the signature on all 1522 * XXX credentials ? 1523 */ 1524int 1525keynote_cert_validate (void *scert) 1526{ 1527 char **foo; 1528 int num, i; 1529 1530 if (scert == NULL) 1531 return 0; 1532 1533 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), 1534 &num)); 1535 if (foo == NULL) 1536 return 0; 1537 1538 for (i = 0; i < num; i++) 1539 { 1540 if (LK (kn_verify_assertion, (scert, strlen ((char *) scert))) != 1541 SIGRESULT_TRUE) 1542 { 1543 for (; i < num; i++) 1544 free (foo[i]); 1545 free (foo); 1546 return 0; 1547 } 1548 1549 free (foo[i]); 1550 } 1551 1552 free (foo); 1553 return 1; 1554} 1555 1556/* Add received credentials */ 1557int 1558keynote_cert_insert (int sid, void *scert) 1559{ 1560 char **foo; 1561 int num; 1562 1563 if (scert == NULL) 1564 return 0; 1565 1566 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), 1567 &num)); 1568 if (foo == NULL) 1569 return 0; 1570 1571 while (num--) 1572 LK (kn_add_assertion, (sid, foo[num], strlen (foo[num]), 0)); 1573 1574 return 1; 1575} 1576 1577/* Just regular memory free */ 1578void 1579keynote_cert_free (void *cert) 1580{ 1581 free (cert); 1582} 1583 1584/* Verify that the key given to us is valid */ 1585int 1586keynote_certreq_validate (u_int8_t *data, u_int32_t len) 1587{ 1588 struct keynote_deckey dc; 1589 int err = 1; 1590 char *dat; 1591 1592 dat = calloc (len + 1, sizeof(char)); 1593 if (dat == NULL) 1594 return 0; 1595 1596 memcpy (dat, data, len); 1597 1598 if (LK (kn_decode_key, (&dc, dat, KEYNOTE_PUBLIC_KEY)) != 0) 1599 err = 0; 1600 else 1601 LK (kn_free_key, (&dc)); 1602 1603 free (dat); 1604 1605 return err; 1606} 1607 1608/* Beats me what we should be doing with this */ 1609void * 1610keynote_certreq_decode (u_int8_t *data, u_int32_t len) 1611{ 1612 /* XXX */ 1613 return NULL; 1614} 1615 1616void 1617keynote_free_aca (void *blob) 1618{ 1619 /* XXX */ 1620} 1621 1622int 1623keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, 1624 u_int32_t *certlen) 1625{ 1626 char *dirname, *file; 1627 struct stat sb; 1628 int idtype, fd, len; 1629 1630 if (!id) 1631 { 1632 log_print ("keynote_cert_obtain: ID is missing"); 1633 return 0; 1634 } 1635 1636 /* Get type of ID */ 1637 idtype = id[0]; 1638 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 1639 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 1640 1641 dirname = conf_get_str ("KeyNote", "Credential-directory"); 1642 if (!dirname) 1643 { 1644 log_print ("keynote_cert_obtain: no Credential-directory"); 1645 return 0; 1646 } 1647 1648 len = strlen (dirname) + strlen (CREDENTIAL_FILE) + 3; 1649 1650 switch (idtype) 1651 { 1652 case IPSEC_ID_IPV4_ADDR: 1653 { 1654 struct in_addr in; 1655 1656 file = calloc (len + 15, sizeof(char)); 1657 if (file == NULL) 1658 { 1659 log_print ("keynote_cert_obtain: failed to allocate %d bytes", 1660 len + 15); 1661 return 0; 1662 } 1663 1664 memcpy (&in, id, sizeof(in)); 1665 sprintf (file, "%s/%s/%s", dirname, inet_ntoa (in), CREDENTIAL_FILE); 1666 break; 1667 } 1668 1669 case IPSEC_ID_FQDN: 1670 case IPSEC_ID_USER_FQDN: 1671 { 1672 file = calloc (len + id_len, sizeof(char)); 1673 if (file == NULL) 1674 { 1675 log_print ("keynote_cert_obtain: failed to allocate %d bytes", 1676 len + id_len); 1677 return 0; 1678 } 1679 1680 sprintf (file, "%s/", dirname); 1681 memcpy (file + strlen (file), id, id_len); 1682 sprintf (file + strlen (dirname) + 1 + id_len, "/%s", CREDENTIAL_FILE); 1683 break; 1684 } 1685 1686 default: 1687 return 0; 1688 } 1689 1690 if (stat (file, &sb) < 0) 1691 { 1692 log_print ("keynote_cert_obtain: failed to stat \"%s\"", file); 1693 free (file); 1694 return 0; 1695 } 1696 1697 *cert = calloc (sb.st_size, sizeof(char)); 1698 if (*cert == NULL) 1699 { 1700 log_print ("keynote_cert_obtain: failed to allocate %d bytes", 1701 sb.st_size); 1702 free (file); 1703 return 0; 1704 } 1705 1706 fd = open (file, O_RDONLY, 0); 1707 if (fd < 0) 1708 { 1709 log_print ("keynote_cert_obtain: failed to open \"%s\"", file); 1710 free (file); 1711 return 0; 1712 } 1713 1714 if (read (fd, *cert, sb.st_size) != sb.st_size) 1715 { 1716 log_print ("keynote_cert_obtain: failed to read %d bytes from \"%s\"", 1717 sb.st_size, file); 1718 free (file); 1719 close (fd); 1720 return 0; 1721 } 1722 1723 close (fd); 1724 free (file); 1725 *certlen = sb.st_size; 1726 return 1; 1727} 1728 1729/* This should never be called */ 1730int 1731keynote_cert_get_subjects (void *scert, int *n, u_int8_t ***id, 1732 u_int32_t **id_len) 1733{ 1734 return 0; 1735} 1736 1737/* Get the Authorizer key */ 1738int 1739keynote_cert_get_key (void *scert, void *keyp) 1740{ 1741 struct keynote_keylist *kl; 1742 int sid, num; 1743 char **foo; 1744 1745 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), &num)); 1746 if ((foo == NULL) || (num == 0)) 1747 return 0; 1748 1749 sid = LK (kn_add_assertion, (keynote_sessid, foo[num - 1], 1750 strlen (scert), 0)); 1751 while (num--) 1752 free (foo[num]); 1753 free (foo); 1754 1755 if (sid == -1) 1756 return 0; 1757 1758 *(RSA **)keyp = NULL; 1759 1760 kl = LK (kn_get_licensees, (keynote_sessid, sid)); 1761 while (kl) 1762 { 1763 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA) 1764 { 1765 *(RSA **)keyp = LC (RSAPublicKey_dup, (kl->key_key)); 1766 break; 1767 } 1768 1769 kl = kl->key_next; 1770 } 1771 1772 LK (kn_remove_assertion, (keynote_sessid, sid)); 1773 return *(RSA **)keyp == NULL ? 0 : 1; 1774} 1775