policy.c revision 1.17
1/* $OpenBSD: policy.c,v 1.17 2000/10/16 23:28:43 niklas Exp $ */ 2/* $EOM: policy.c,v 1.48 2000/10/14 20:19:51 angelos Exp $ */ 3 4/* 5 * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. 6 * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. All advertising materials mentioning features or use of this software 17 * must display the following acknowledgement: 18 * This product includes software developed by Ericsson Radio Systems. 19 * 4. The name of the author may not be used to endorse or promote products 20 * derived from this software without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34/* 35 * This code was written under funding by Ericsson Radio Systems. 36 */ 37 38#include <sys/types.h> 39#include <sys/param.h> 40#include <sys/mman.h> 41#include <sys/queue.h> 42#include <sys/stat.h> 43#include <regex.h> 44#include <ctype.h> 45#include <fcntl.h> 46#include <stdio.h> 47#include <stdlib.h> 48#include <string.h> 49#include <unistd.h> 50#include <keynote.h> 51#include <sys/socket.h> 52#include <netinet/in.h> 53#include <arpa/inet.h> 54#include <errno.h> 55#include <openssl/ssl.h> 56 57#include "sysdep.h" 58 59#include "app.h" 60#include "conf.h" 61#include "connection.h" 62#include "cookie.h" 63#include "doi.h" 64#include "dyn.h" 65#include "exchange.h" 66#include "init.h" 67#include "ipsec.h" 68#include "isakmp_doi.h" 69#include "math_group.h" 70#include "sa.h" 71#include "timer.h" 72#include "transport.h" 73#include "udp.h" 74#include "log.h" 75#include "message.h" 76#include "ui.h" 77#include "util.h" 78#include "policy.h" 79#include "x509.h" 80 81#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) && 0 82 83void *libkeynote = 0; 84 85/* 86 * These prototypes matches OpenBSD keynote.h 1.6. If you use 87 * a different version than that, you are on your own. 88 */ 89int *lk_keynote_errno; 90int (*lk_kn_add_action) (int, char *, char *, int); 91int (*lk_kn_add_assertion) (int, char *, int, int); 92int (*lk_kn_add_authorizer) (int, char *); 93int (*lk_kn_close) (int); 94int (*lk_kn_do_query) (int, char **, int); 95char *(*lk_kn_encode_key) (struct keynote_deckey *, int, int, int); 96int (*lk_kn_init) (void); 97char **(*lk_kn_read_asserts) (char *, int, int *); 98int (*lk_kn_remove_authorizer) (int, char *); 99int (*lk_kn_get_authorizer) (int, int, int *); 100void (*lk_kn_free_key) (struct keynote_deckey *); 101struct keynote_keylist *(*lk_kn_get_licensees) (int, int); 102#define SYMENTRY(x) { SYM, SYM (x), (void **)&lk_ ## x } 103 104static struct dynload_script libkeynote_script[] = { 105 { LOAD, "libc.so", &libkeynote }, 106 { LOAD, "libcrypto.so", &libkeynote }, 107 { LOAD, "libm.so", &libkeynote }, 108 { LOAD, "libkeynote.so", &libkeynote }, 109 SYMENTRY (keynote_errno), 110 SYMENTRY (kn_add_action), 111 SYMENTRY (kn_add_assertion), 112 SYMENTRY (kn_add_authorizer), 113 SYMENTRY (kn_close), 114 SYMENTRY (kn_do_query), 115 SYMENTRY (kn_encode_key), 116 SYMENTRY (kn_init), 117 SYMENTRY (kn_read_asserts), 118 SYMENTRY (kn_remove_authorizer), 119 SYMENTRY (kn_get_licensees), 120 SYMENTRY (kn_get_authorizer), 121 { EOS } 122}; 123#endif 124 125int keynote_sessid = -1; 126char **keynote_policy_asserts = NULL; 127int keynote_policy_asserts_num = 0; 128char **x509_policy_asserts = NULL; 129int x509_policy_asserts_num = 0; 130int x509_policy_asserts_num_alloc = 0; 131struct exchange *policy_exchange = 0; 132struct sa *policy_sa = 0; 133struct sa *policy_isakmp_sa = 0; 134 135/* 136 * Adaptation of Vixie's inet_ntop4 () 137 */ 138static const char * 139my_inet_ntop4 (const in_addr_t *src, char *dst, size_t size, int normalize) 140{ 141 static const char fmt[] = "%03u.%03u.%03u.%03u"; 142 char tmp[sizeof "255.255.255.255"]; 143 in_addr_t src2; 144 145 if (normalize) 146 src2 = ntohl (*src); 147 else 148 src2 = *src; 149 150 if (sprintf (tmp, fmt, ((u_int8_t *) &src2)[0], ((u_int8_t *) &src2)[1], 151 ((u_int8_t *) &src2)[2], ((u_int8_t *) &src2)[3]) > size) 152 { 153 errno = ENOSPC; 154 return 0; 155 } 156 strcpy (dst, tmp); 157 return dst; 158} 159 160char * 161policy_callback (char *name) 162{ 163 struct proto *proto; 164 165 u_int8_t *attr, *value, *id, *idlocal, *idremote; 166 size_t id_sz, idlocalsz, idremotesz; 167 struct sockaddr_in *sin; 168 struct ipsec_exch *ie; 169 struct ipsec_sa *is; 170 int fmt, lifetype = 0; 171 in_addr_t net, subnet; 172 u_int16_t len, type; 173 time_t tt; 174 static char mytimeofday[15]; 175 176 /* We use all these as a cache. */ 177 static char *esp_present, *ah_present, *comp_present; 178 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; 179 static char *comp_alg, ah_life_kbytes[32], ah_life_seconds[32]; 180 static char esp_life_kbytes[32], esp_life_seconds[32], comp_life_kbytes[32]; 181 static char comp_life_seconds[32], *ah_encapsulation, *esp_encapsulation; 182 static char *comp_encapsulation, ah_key_length[32], esp_key_length[32]; 183 static char ah_key_rounds[32], esp_key_rounds[32], comp_dict_size[32]; 184 static char comp_private_alg[32], *remote_filter_type, *local_filter_type; 185 static char remote_filter_addr_upper[64], remote_filter_addr_lower[64]; 186 static char local_filter_addr_upper[64], local_filter_addr_lower[64]; 187 static char ah_group_desc[32], esp_group_desc[32], comp_group_desc[32]; 188 static char remote_ike_address[64], local_ike_address[64]; 189 static char *remote_id_type, remote_id_addr_upper[64], *phase_1; 190 static char remote_id_addr_lower[64], *remote_id_proto, remote_id_port[32]; 191 static char remote_filter_port[32], local_filter_port[32]; 192 static char *remote_filter_proto, *local_filter_proto, *pfs, *initiator; 193 static char remote_filter_proto_num[3], local_filter_proto_num[3]; 194 static char remote_id_proto_num[3]; 195 static char phase1_group[32]; 196 197 /* Allocated. */ 198 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; 199 200 static int dirty = 1; 201 202 /* We only need to set dirty at initialization time really. */ 203 if (strcmp (name, KEYNOTE_CALLBACK_CLEANUP) == 0 204 || strcmp (name, KEYNOTE_CALLBACK_INITIALIZE) == 0) 205 { 206 esp_present = ah_present = comp_present = pfs = "no"; 207 ah_hash_alg = ah_auth_alg = phase_1 = ""; 208 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; 209 esp_encapsulation = comp_encapsulation = remote_filter_type = ""; 210 local_filter_type = remote_id_type = initiator = ""; 211 remote_filter_proto = local_filter_proto = remote_id_proto = ""; 212 213 if (remote_filter != 0) 214 { 215 free (remote_filter); 216 remote_filter = 0; 217 } 218 219 if (local_filter != 0) 220 { 221 free (local_filter); 222 local_filter = 0; 223 } 224 225 if (remote_id != 0) 226 { 227 free (remote_id); 228 remote_id = 0; 229 } 230 231 memset (remote_ike_address, 0, sizeof remote_ike_address); 232 memset (local_ike_address, 0, sizeof local_ike_address); 233 memset (ah_life_kbytes, 0, sizeof ah_life_kbytes); 234 memset (ah_life_seconds, 0, sizeof ah_life_seconds); 235 memset (esp_life_kbytes, 0, sizeof esp_life_kbytes); 236 memset (esp_life_seconds, 0, sizeof esp_life_seconds); 237 memset (comp_life_kbytes, 0, sizeof comp_life_kbytes); 238 memset (comp_life_seconds, 0, sizeof comp_life_seconds); 239 memset (ah_key_length, 0, sizeof ah_key_length); 240 memset (ah_key_rounds, 0, sizeof ah_key_rounds); 241 memset (esp_key_length, 0, sizeof esp_key_length); 242 memset (esp_key_rounds, 0, sizeof esp_key_rounds); 243 memset (comp_dict_size, 0, sizeof comp_dict_size); 244 memset (comp_private_alg, 0, sizeof comp_private_alg); 245 memset (remote_filter_addr_upper, 0, sizeof remote_filter_addr_upper); 246 memset (remote_filter_addr_lower, 0, sizeof remote_filter_addr_lower); 247 memset (local_filter_addr_upper, 0, sizeof local_filter_addr_upper); 248 memset (local_filter_addr_lower, 0, sizeof local_filter_addr_lower); 249 memset (remote_id_addr_upper, 0, sizeof remote_id_addr_upper); 250 memset (remote_id_addr_lower, 0, sizeof remote_id_addr_lower); 251 memset (ah_group_desc, 0, sizeof ah_group_desc); 252 memset (esp_group_desc, 0, sizeof esp_group_desc); 253 memset (remote_id_port, 0, sizeof remote_id_port); 254 memset (remote_filter_port, 0, sizeof remote_filter_port); 255 memset (local_filter_port, 0, sizeof local_filter_port); 256 memset (phase1_group, 0, sizeof phase1_group); 257 258 dirty = 1; 259 return ""; 260 } 261 262 /* 263 * If dirty is set, this is the first request for an attribute, so 264 * populate our value cache. 265 */ 266 if (dirty) 267 { 268 ie = policy_exchange->data; 269 270 if (ie->pfs) 271 pfs = "yes"; 272 273 is = policy_isakmp_sa->data; 274 sprintf (phase1_group, "%u", is->group_desc); 275 276 for (proto = TAILQ_FIRST (&policy_sa->protos); proto; 277 proto = TAILQ_NEXT (proto, link)) 278 { 279 switch (proto->proto) 280 { 281 case IPSEC_PROTO_IPSEC_AH: 282 ah_present = "yes"; 283 switch (proto->id) 284 { 285 case IPSEC_AH_MD5: 286 ah_hash_alg = "md5"; 287 break; 288 289 case IPSEC_AH_SHA: 290 ah_hash_alg = "sha"; 291 break; 292 293 case IPSEC_AH_RIPEMD: 294 ah_hash_alg = "ripemd"; 295 break; 296 297 case IPSEC_AH_DES: 298 ah_hash_alg = "des"; 299 break; 300 } 301 302 break; 303 304 case IPSEC_PROTO_IPSEC_ESP: 305 esp_present = "yes"; 306 switch (proto->id) 307 { 308 case IPSEC_ESP_DES_IV64: 309 esp_enc_alg = "des-iv64"; 310 break; 311 312 case IPSEC_ESP_DES: 313 esp_enc_alg = "des"; 314 break; 315 316 case IPSEC_ESP_3DES: 317 esp_enc_alg = "3des"; 318 break; 319 320 case IPSEC_ESP_AES: 321 esp_enc_alg = "aes"; 322 break; 323 324 case IPSEC_ESP_RC5: 325 esp_enc_alg = "rc5"; 326 break; 327 328 case IPSEC_ESP_IDEA: 329 esp_enc_alg = "idea"; 330 break; 331 332 case IPSEC_ESP_CAST: 333 esp_enc_alg = "cast"; 334 break; 335 336 case IPSEC_ESP_BLOWFISH: 337 esp_enc_alg = "blowfish"; 338 break; 339 340 case IPSEC_ESP_3IDEA: 341 esp_enc_alg = "3idea"; 342 break; 343 344 case IPSEC_ESP_DES_IV32: 345 esp_enc_alg = "des-iv32"; 346 break; 347 348 case IPSEC_ESP_RC4: 349 esp_enc_alg = "rc4"; 350 break; 351 352 case IPSEC_ESP_NULL: 353 esp_enc_alg = "null"; 354 break; 355 } 356 357 break; 358 359 case IPSEC_PROTO_IPCOMP: 360 comp_present = "yes"; 361 switch (proto->id) 362 { 363 case IPSEC_IPCOMP_OUI: 364 comp_alg = "oui"; 365 break; 366 367 case IPSEC_IPCOMP_DEFLATE: 368 comp_alg = "deflate"; 369 break; 370 371 case IPSEC_IPCOMP_LZS: 372 comp_alg = "lzs"; 373 break; 374 375 case IPSEC_IPCOMP_V42BIS: 376 comp_alg = "v42bis"; 377 break; 378 } 379 380 break; 381 } 382 383 for (attr = proto->chosen->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF; 384 attr 385 < proto->chosen->p + GET_ISAKMP_GEN_LENGTH (proto->chosen->p); 386 attr = value + len) 387 { 388 if (attr + ISAKMP_ATTR_VALUE_OFF 389 > (proto->chosen->p 390 + GET_ISAKMP_GEN_LENGTH (proto->chosen->p))) 391 return ""; 392 393 type = GET_ISAKMP_ATTR_TYPE (attr); 394 fmt = ISAKMP_ATTR_FORMAT (type); 395 type = ISAKMP_ATTR_TYPE (type); 396 value = attr + (fmt ? ISAKMP_ATTR_LENGTH_VALUE_OFF : 397 ISAKMP_ATTR_VALUE_OFF); 398 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : 399 GET_ISAKMP_ATTR_LENGTH_VALUE (attr)); 400 401 if (value + len > proto->chosen->p + 402 GET_ISAKMP_GEN_LENGTH (proto->chosen->p)) 403 return ""; 404 405 switch (type) 406 { 407 case IPSEC_ATTR_SA_LIFE_TYPE: 408 lifetype = decode_16 (value); 409 break; 410 411 case IPSEC_ATTR_SA_LIFE_DURATION: 412 switch (proto->proto) 413 { 414 case IPSEC_PROTO_IPSEC_AH: 415 if (lifetype == IPSEC_DURATION_SECONDS) 416 { 417 if (len == 2) 418 sprintf (ah_life_seconds, "%u", 419 decode_16 (value)); 420 else 421 sprintf (ah_life_seconds, "%u", 422 decode_32 (value)); 423 } 424 else 425 { 426 if (len == 2) 427 sprintf (ah_life_kbytes, "%u", 428 decode_16 (value)); 429 else 430 sprintf (ah_life_kbytes, "%u", 431 decode_32 (value)); 432 } 433 434 break; 435 436 case IPSEC_PROTO_IPSEC_ESP: 437 if (lifetype == IPSEC_DURATION_SECONDS) 438 { 439 if (len == 2) 440 sprintf (esp_life_seconds, "%u", 441 decode_16 (value)); 442 else 443 sprintf (esp_life_seconds, "%u", 444 decode_32 (value)); 445 } 446 else 447 { 448 if (len == 2) 449 sprintf (esp_life_kbytes, "%u", 450 decode_16 (value)); 451 else 452 sprintf (esp_life_kbytes, "%u", 453 decode_32 (value)); 454 } 455 456 break; 457 458 case IPSEC_PROTO_IPCOMP: 459 if (lifetype == IPSEC_DURATION_SECONDS) 460 { 461 if (len == 2) 462 sprintf (comp_life_seconds, "%u", 463 decode_16 (value)); 464 else 465 sprintf (comp_life_seconds, "%u", 466 decode_32 (value)); 467 } 468 else 469 { 470 if (len == 2) 471 sprintf (comp_life_kbytes, "%u", 472 decode_16 (value)); 473 else 474 sprintf (comp_life_kbytes, "%u", 475 decode_32 (value)); 476 } 477 478 break; 479 } 480 break; 481 482 case IPSEC_ATTR_GROUP_DESCRIPTION: 483 switch (proto->proto) 484 { 485 case IPSEC_PROTO_IPSEC_AH: 486 sprintf (ah_group_desc, "%u", decode_16 (value)); 487 break; 488 489 case IPSEC_PROTO_IPSEC_ESP: 490 sprintf (esp_group_desc, "%u", 491 decode_16 (value)); 492 break; 493 494 case IPSEC_PROTO_IPCOMP: 495 sprintf (comp_group_desc, "%u", 496 decode_16 (value)); 497 break; 498 } 499 break; 500 501 case IPSEC_ATTR_ENCAPSULATION_MODE: 502 if (decode_16 (value) == IPSEC_ENCAP_TUNNEL) 503 switch (proto->proto) 504 { 505 case IPSEC_PROTO_IPSEC_AH: 506 ah_encapsulation = "tunnel"; 507 break; 508 509 case IPSEC_PROTO_IPSEC_ESP: 510 esp_encapsulation = "tunnel"; 511 break; 512 513 case IPSEC_PROTO_IPCOMP: 514 comp_encapsulation = "tunnel"; 515 break; 516 } 517 else 518 switch (proto->proto) 519 { 520 case IPSEC_PROTO_IPSEC_AH: 521 ah_encapsulation = "transport"; 522 break; 523 524 case IPSEC_PROTO_IPSEC_ESP: 525 esp_encapsulation = "transport"; 526 break; 527 528 case IPSEC_PROTO_IPCOMP: 529 comp_encapsulation = "transport"; 530 break; 531 } 532 break; 533 534 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: 535 switch (proto->proto) 536 { 537 case IPSEC_PROTO_IPSEC_AH: 538 switch (decode_16 (value)) 539 { 540 case IPSEC_AUTH_HMAC_MD5: 541 ah_auth_alg = "hmac-md5"; 542 break; 543 544 case IPSEC_AUTH_HMAC_SHA: 545 ah_auth_alg = "hmac-sha"; 546 break; 547 548 case IPSEC_AUTH_HMAC_RIPEMD: 549 ah_auth_alg = "hmac-ripemd"; 550 break; 551 552 case IPSEC_AUTH_DES_MAC: 553 ah_auth_alg = "des-mac"; 554 break; 555 556 case IPSEC_AUTH_KPDK: 557 ah_auth_alg = "kpdk"; 558 break; 559 } 560 break; 561 562 case IPSEC_PROTO_IPSEC_ESP: 563 switch (decode_16 (value)) 564 { 565 case IPSEC_AUTH_HMAC_MD5: 566 esp_auth_alg = "hmac-md5"; 567 break; 568 569 case IPSEC_AUTH_HMAC_SHA: 570 esp_auth_alg = "hmac-sha"; 571 break; 572 573 case IPSEC_AUTH_HMAC_RIPEMD: 574 esp_auth_alg = "hmac-ripemd"; 575 break; 576 577 case IPSEC_AUTH_DES_MAC: 578 esp_auth_alg = "des-mac"; 579 break; 580 581 case IPSEC_AUTH_KPDK: 582 esp_auth_alg = "kpdk"; 583 break; 584 } 585 break; 586 } 587 break; 588 589 case IPSEC_ATTR_KEY_LENGTH: 590 switch (proto->proto) 591 { 592 case IPSEC_PROTO_IPSEC_AH: 593 sprintf (ah_key_length, "%u", decode_16 (value)); 594 break; 595 596 case IPSEC_PROTO_IPSEC_ESP: 597 sprintf (esp_key_length, "%u", 598 decode_16 (value)); 599 break; 600 } 601 break; 602 603 case IPSEC_ATTR_KEY_ROUNDS: 604 switch (proto->proto) 605 { 606 case IPSEC_PROTO_IPSEC_AH: 607 sprintf (ah_key_rounds, "%u", decode_16 (value)); 608 break; 609 610 case IPSEC_PROTO_IPSEC_ESP: 611 sprintf (esp_key_rounds, "%u", 612 decode_16 (value)); 613 break; 614 } 615 break; 616 617 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: 618 sprintf (comp_dict_size, "%u", decode_16 (value)); 619 break; 620 621 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: 622 sprintf (comp_private_alg, "%u", decode_16 (value)); 623 break; 624 } 625 } 626 } 627 628 /* XXX IPv4-specific. */ 629 policy_sa->transport->vtbl->get_src (policy_sa->transport, 630 (struct sockaddr **) &sin, &fmt); 631 my_inet_ntop4 (&(sin->sin_addr.s_addr), local_ike_address, 632 sizeof local_ike_address - 1, 0); 633 634 policy_sa->transport->vtbl->get_dst (policy_sa->transport, 635 (struct sockaddr **) &sin, &fmt); 636 my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_ike_address, 637 sizeof remote_ike_address - 1, 0); 638 639 switch (policy_isakmp_sa->exch_type) 640 { 641 case ISAKMP_EXCH_AGGRESSIVE: 642 phase_1 = "aggressive"; 643 break; 644 645 case ISAKMP_EXCH_ID_PROT: 646 phase_1 = "main"; 647 break; 648 } 649 650 if (policy_isakmp_sa->initiator) 651 { 652 id = policy_isakmp_sa->id_r; 653 id_sz = policy_isakmp_sa->id_r_len; 654 } 655 else 656 { 657 id = policy_isakmp_sa->id_i; 658 id_sz = policy_isakmp_sa->id_i_len; 659 } 660 661 switch (id[0]) 662 { 663 case IPSEC_ID_IPV4_ADDR: 664 remote_id_type = "IPv4 address"; 665 666 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 667 my_inet_ntop4 (&net, remote_id_addr_upper, 668 sizeof remote_id_addr_upper - 1, 1); 669 my_inet_ntop4 (&net, remote_id_addr_lower, 670 sizeof remote_id_addr_lower - 1, 1); 671 remote_id = strdup (remote_id_addr_upper); 672 if (!remote_id) 673 { 674 log_print ("policy_callback: strdup (\"%s\") failed", 675 remote_id_addr_upper); 676 goto bad; 677 } 678 break; 679 680 case IPSEC_ID_IPV4_RANGE: 681 remote_id_type = "IPv4 range"; 682 683 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 684 my_inet_ntop4 (&net, remote_id_addr_lower, 685 sizeof remote_id_addr_lower - 1, 1); 686 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 687 my_inet_ntop4 (&net, remote_id_addr_upper, 688 sizeof remote_id_addr_upper - 1, 1); 689 remote_id = calloc (strlen (remote_id_addr_upper) 690 + strlen (remote_id_addr_lower) + 2, 691 sizeof (char)); 692 if (!remote_id) 693 { 694 log_print ("policy_callback: calloc (%d, %d) failed", 695 strlen (remote_id_addr_upper) 696 + strlen (remote_id_addr_lower) + 2, 697 sizeof (char)); 698 goto bad; 699 } 700 701 strcpy (remote_id, remote_id_addr_lower); 702 remote_id[strlen (remote_id_addr_lower)] = '-'; 703 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 704 remote_id_addr_upper); 705 break; 706 707 case IPSEC_ID_IPV4_ADDR_SUBNET: 708 remote_id_type = "IPv4 subnet"; 709 710 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 711 subnet = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 712 net &= subnet; 713 my_inet_ntop4 (&net, remote_id_addr_lower, 714 sizeof remote_id_addr_lower - 1, 1); 715 net |= ~subnet; 716 my_inet_ntop4 (&net, remote_id_addr_upper, 717 sizeof remote_id_addr_upper - 1, 1); 718 remote_id = calloc (strlen (remote_id_addr_upper) 719 + strlen (remote_id_addr_lower) + 2, 720 sizeof (char)); 721 if (!remote_id) 722 { 723 log_print ("policy_callback: calloc (%d, %d) failed", 724 strlen (remote_id_addr_upper) 725 + strlen (remote_id_addr_lower) + 2, 726 sizeof (char)); 727 goto bad; 728 } 729 730 strcpy (remote_id, remote_id_addr_lower); 731 remote_id[strlen (remote_id_addr_lower)] = '-'; 732 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 733 remote_id_addr_upper); 734 break; 735 736 case IPSEC_ID_IPV6_ADDR: /* XXX we need decode_128 (). */ 737 remote_id_type = "IPv6 address"; 738 break; 739 740 case IPSEC_ID_IPV6_RANGE: /* XXX we need decode_128 (). */ 741 remote_id_type = "IPv6 range"; 742 break; 743 744 case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX we need decode_128 (). */ 745 remote_id_type = "IPv6 address"; 746 break; 747 748 case IPSEC_ID_FQDN: 749 remote_id_type = "FQDN"; 750 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 751 sizeof (char)); 752 if (!remote_id) 753 { 754 log_print ("policy_callback: calloc (%d, %d) failed", 755 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 756 sizeof (char)); 757 goto bad; 758 } 759 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 760 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 761 break; 762 763 case IPSEC_ID_USER_FQDN: 764 remote_id_type = "User FQDN"; 765 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 766 sizeof (char)); 767 if (!remote_id) 768 { 769 log_print ("policy_callback: calloc (%d, %d) failed", 770 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 771 sizeof (char)); 772 goto bad; 773 } 774 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 775 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 776 break; 777 778 case IPSEC_ID_DER_ASN1_DN: /* XXX -- not sure what's in this. */ 779 remote_id_type = "ASN1 DN"; 780 break; 781 782 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 783 remote_id_type = "ASN1 GN"; 784 break; 785 786 case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */ 787 remote_id_type = "Key ID"; 788 break; 789 790 default: 791 log_print ("policy_callback: unknown remote ID type %u", id[0]); 792 goto bad; 793 } 794 795 switch (id[1]) 796 { 797 case IPPROTO_TCP: 798 remote_id_proto = "tcp"; 799 break; 800 801 case IPPROTO_UDP: 802 remote_id_proto = "udp"; 803 break; 804 805#ifdef IPPROTO_ETHERIP 806 case IPPROTO_ETHERIP: 807 remote_id_proto = "etherip"; 808 break; 809#endif 810 811 default: 812 sprintf (remote_id_proto_num, "%2d", id[1]); 813 remote_id_proto = remote_id_proto_num; 814 break; 815 } 816 817 snprintf (remote_id_port, sizeof remote_id_port - 1, "%u", 818 decode_16 (id + 2)); 819 820 if (policy_exchange->initiator) 821 { 822 initiator = "yes"; 823 idlocal = ie->id_ci; 824 idremote = ie->id_cr; 825 idlocalsz = ie->id_ci_sz; 826 idremotesz = ie->id_cr_sz; 827 } 828 else 829 { 830 initiator = "no"; 831 idlocal = ie->id_cr; 832 idremote = ie->id_ci; 833 idlocalsz = ie->id_cr_sz; 834 idremotesz = ie->id_ci_sz; 835 } 836 837 /* Initialize the ID variables. */ 838 if (idremote) 839 { 840 switch (GET_ISAKMP_ID_TYPE (idremote)) 841 { 842 case IPSEC_ID_IPV4_ADDR: 843 remote_filter_type = "IPv4 address"; 844 845 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 846 my_inet_ntop4 (&net, remote_filter_addr_upper, 847 sizeof remote_filter_addr_upper - 1, 1); 848 my_inet_ntop4 (&net, remote_filter_addr_lower, 849 sizeof (remote_filter_addr_lower) - 1, 1); 850 remote_filter = strdup (remote_filter_addr_upper); 851 if (!remote_filter) 852 { 853 log_print ("policy_callback: strdup (\"%s\") failed", 854 remote_filter_addr_upper); 855 goto bad; 856 } 857 break; 858 859 case IPSEC_ID_IPV4_RANGE: 860 remote_filter_type = "IPv4 range"; 861 862 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 863 my_inet_ntop4 (&net, remote_filter_addr_lower, 864 sizeof remote_filter_addr_lower - 1, 1); 865 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 866 my_inet_ntop4 (&net, remote_filter_addr_upper, 867 sizeof remote_filter_addr_upper - 1, 1); 868 remote_filter = calloc (strlen (remote_filter_addr_upper) 869 + strlen (remote_filter_addr_lower) + 2, 870 sizeof (char)); 871 if (!remote_filter) 872 { 873 log_print ("policy_callback: calloc (%d, %d) failed", 874 strlen (remote_filter_addr_upper) 875 + strlen (remote_filter_addr_lower) + 2, 876 sizeof (char)); 877 goto bad; 878 } 879 strcpy (remote_filter, remote_filter_addr_lower); 880 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 881 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 882 remote_filter_addr_upper); 883 break; 884 885 case IPSEC_ID_IPV4_ADDR_SUBNET: 886 remote_filter_type = "IPv4 subnet"; 887 888 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 889 subnet = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 890 net &= subnet; 891 my_inet_ntop4 (&net, remote_filter_addr_lower, 892 sizeof remote_filter_addr_lower - 1, 1); 893 net |= ~subnet; 894 my_inet_ntop4 (&net, remote_filter_addr_upper, 895 sizeof remote_filter_addr_upper - 1, 1); 896 remote_filter = calloc (strlen (remote_filter_addr_upper) 897 + strlen (remote_filter_addr_lower) + 2, 898 sizeof (char)); 899 if (!remote_filter) 900 { 901 log_print ("policy_callback: calloc (%d, %d) failed", 902 strlen (remote_filter_addr_upper) 903 + strlen (remote_filter_addr_lower) + 2, 904 sizeof (char)); 905 goto bad; 906 } 907 strcpy (remote_filter, remote_filter_addr_lower); 908 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 909 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 910 remote_filter_addr_upper); 911 break; 912 913 case IPSEC_ID_IPV6_ADDR: /* XXX we need decode_128 (). */ 914 remote_filter_type = "IPv6 address"; 915 break; 916 917 case IPSEC_ID_IPV6_RANGE: /* XXX we need decode_128 (). */ 918 remote_filter_type = "IPv6 range"; 919 break; 920 921 case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX we need decode_128 (). */ 922 remote_filter_type = "IPv6 address"; 923 break; 924 925 case IPSEC_ID_FQDN: 926 remote_filter_type = "FQDN"; 927 remote_filter = calloc (idremotesz - ISAKMP_ID_DATA_OFF + 1, 928 sizeof (char)); 929 if (!remote_filter) 930 { 931 log_print ("policy_callback: calloc (%d, %d) failed", 932 idremotesz - ISAKMP_ID_DATA_OFF + 1, 933 sizeof (char)); 934 goto bad; 935 } 936 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 937 idremotesz); 938 break; 939 940 case IPSEC_ID_USER_FQDN: 941 remote_filter_type = "User FQDN"; 942 remote_filter = calloc (idremotesz - ISAKMP_ID_DATA_OFF + 1, 943 sizeof (char)); 944 if (!remote_filter) 945 { 946 log_print ("policy_callback: calloc (%d, %d) failed", 947 idremotesz - ISAKMP_ID_DATA_OFF + 1, 948 sizeof (char)); 949 goto bad; 950 } 951 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 952 idremotesz); 953 break; 954 955 case IPSEC_ID_DER_ASN1_DN: /* XXX -- not sure what's in this. */ 956 remote_filter_type = "ASN1 DN"; 957 break; 958 959 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 960 remote_filter_type = "ASN1 GN"; 961 break; 962 963 case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */ 964 remote_filter_type = "Key ID"; 965 break; 966 967 default: 968 log_print ("policy_callback: unknown Remote ID type %u", 969 GET_ISAKMP_ID_TYPE (idremote)); 970 goto bad; 971 } 972 973 switch (idremote[ISAKMP_GEN_SZ + 1]) 974 { 975 case IPPROTO_TCP: 976 remote_filter_proto = "tcp"; 977 break; 978 979 case IPPROTO_UDP: 980 remote_filter_proto = "udp"; 981 break; 982 983#ifdef IPPROTO_ETHERIP 984 case IPPROTO_ETHERIP: 985 remote_filter_proto = "etherip"; 986 break; 987#endif 988 989 default: 990 sprintf (remote_filter_proto_num, "%2d", idremote[ISAKMP_GEN_SZ + 1]); 991 remote_filter_proto = remote_filter_proto_num; 992 break; 993 } 994 995 snprintf (remote_filter_port, sizeof remote_filter_port - 1, 996 "%u", decode_16 (idremote + ISAKMP_GEN_SZ + 2)); 997 } 998 else 999 { 1000 policy_sa->transport->vtbl->get_dst (policy_sa->transport, 1001 (struct sockaddr **) &sin, 1002 &fmt); 1003 remote_filter_type = "IPv4 address"; 1004 1005 my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_filter_addr_upper, 1006 sizeof remote_filter_addr_upper - 1, 0); 1007 my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_filter_addr_lower, 1008 sizeof remote_filter_addr_lower - 1, 0); 1009 remote_filter = strdup (remote_filter_addr_upper); 1010 if (!remote_filter) 1011 { 1012 log_print ("policy_callback: strdup (\"%s\") failed", 1013 remote_filter_addr_upper); 1014 goto bad; 1015 } 1016 } 1017 1018 if (idlocal) 1019 { 1020 switch (GET_ISAKMP_ID_TYPE (idlocal)) 1021 { 1022 case IPSEC_ID_IPV4_ADDR: 1023 local_filter_type = "IPv4 address"; 1024 1025 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1026 my_inet_ntop4 (&net, local_filter_addr_upper, 1027 sizeof local_filter_addr_upper - 1, 1); 1028 my_inet_ntop4 (&net, local_filter_addr_lower, 1029 sizeof local_filter_addr_upper - 1, 1); 1030 local_filter = strdup (local_filter_addr_upper); 1031 if (!local_filter) 1032 { 1033 log_print ("policy_callback: strdup (\"%s\") failed", 1034 local_filter_addr_upper); 1035 goto bad; 1036 } 1037 break; 1038 1039 case IPSEC_ID_IPV4_RANGE: 1040 local_filter_type = "IPv4 range"; 1041 1042 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1043 my_inet_ntop4 (&net, local_filter_addr_lower, 1044 sizeof local_filter_addr_lower - 1, 1); 1045 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1046 my_inet_ntop4 (&net, local_filter_addr_upper, 1047 sizeof local_filter_addr_upper - 1, 1); 1048 local_filter = calloc (strlen (local_filter_addr_upper) 1049 + strlen (local_filter_addr_lower) + 2, 1050 sizeof (char)); 1051 if (!local_filter) 1052 { 1053 log_print ("policy_callback: calloc (%d, %d) failed", 1054 strlen (local_filter_addr_upper) 1055 + strlen (local_filter_addr_lower) + 2, 1056 sizeof (char)); 1057 goto bad; 1058 } 1059 strcpy (local_filter, local_filter_addr_lower); 1060 local_filter[strlen (local_filter_addr_lower)] = '-'; 1061 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1062 local_filter_addr_upper); 1063 break; 1064 1065 case IPSEC_ID_IPV4_ADDR_SUBNET: 1066 local_filter_type = "IPv4 subnet"; 1067 1068 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1069 subnet = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1070 net &= subnet; 1071 my_inet_ntop4 (&net, local_filter_addr_lower, 1072 sizeof local_filter_addr_lower - 1, 1); 1073 net |= ~subnet; 1074 my_inet_ntop4 (&net, local_filter_addr_upper, 1075 sizeof local_filter_addr_upper - 1, 1); 1076 local_filter = calloc (strlen (local_filter_addr_upper) 1077 + strlen (local_filter_addr_lower) + 2, 1078 sizeof (char)); 1079 if (!local_filter) 1080 { 1081 log_print ("policy_callback: calloc (%d, %d) failed", 1082 strlen (local_filter_addr_upper) 1083 + strlen (local_filter_addr_lower) + 2, 1084 sizeof (char)); 1085 goto bad; 1086 } 1087 strcpy (local_filter, local_filter_addr_lower); 1088 local_filter[strlen (local_filter_addr_lower)] = '-'; 1089 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1090 local_filter_addr_upper); 1091 break; 1092 1093 case IPSEC_ID_IPV6_ADDR: /* XXX we need decode_128 (). */ 1094 local_filter_type = "IPv6 address"; 1095 break; 1096 1097 case IPSEC_ID_IPV6_RANGE: /* XXX we need decode_128 (). */ 1098 local_filter_type = "IPv6 range"; 1099 break; 1100 1101 case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX we need decode_128 (). */ 1102 local_filter_type = "IPv6 address"; 1103 break; 1104 1105 case IPSEC_ID_FQDN: 1106 local_filter_type = "FQDN"; 1107 local_filter = calloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1108 sizeof (char)); 1109 if (!local_filter) 1110 { 1111 log_print ("policy_callback: calloc (%d, %d) failed", 1112 idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1113 sizeof (char)); 1114 goto bad; 1115 } 1116 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1117 idlocalsz); 1118 break; 1119 1120 case IPSEC_ID_USER_FQDN: 1121 local_filter_type = "User FQDN"; 1122 local_filter = calloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1123 sizeof (char)); 1124 if (!local_filter) 1125 { 1126 log_print ("policy_callback: calloc (%d, %d) failed", 1127 idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1128 sizeof (char)); 1129 goto bad; 1130 } 1131 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1132 idlocalsz); 1133 break; 1134 1135 case IPSEC_ID_DER_ASN1_DN: /* XXX -- not sure what's in this. */ 1136 local_filter_type = "ASN1 DN"; 1137 break; 1138 1139 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 1140 local_filter_type = "ASN1 GN"; 1141 break; 1142 1143 case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */ 1144 local_filter_type = "Key ID"; 1145 break; 1146 1147 default: 1148 log_print ("policy_callback: unknown Local ID type %u", 1149 GET_ISAKMP_ID_TYPE (idlocal)); 1150 goto bad; 1151 } 1152 1153 switch (idlocal[ISAKMP_GEN_SZ + 1]) 1154 { 1155 case IPPROTO_TCP: 1156 local_filter_proto = "tcp"; 1157 break; 1158 1159 case IPPROTO_UDP: 1160 local_filter_proto = "udp"; 1161 break; 1162 1163#ifdef IPPROTO_ETHERIP 1164 case IPPROTO_ETHERIP: 1165 local_filter_proto = "etherip"; 1166 break; 1167#endif 1168 1169 default: 1170 sprintf (local_filter_proto_num, "%2d", idlocal[ISAKMP_GEN_SZ + 1]); 1171 local_filter_proto = local_filter_proto_num; 1172 break; 1173 } 1174 1175 snprintf (local_filter_port, sizeof local_filter_port - 1, 1176 "%u", decode_16 (idlocal + ISAKMP_GEN_SZ + 2)); 1177 } 1178 else 1179 { 1180 policy_sa->transport->vtbl->get_src (policy_sa->transport, 1181 (struct sockaddr **) &sin, 1182 &fmt); 1183 1184 local_filter_type = "IPv4 address"; 1185 1186 my_inet_ntop4 (&(sin->sin_addr.s_addr), local_filter_addr_upper, 1187 sizeof local_filter_addr_upper - 1, 0); 1188 my_inet_ntop4 (&(sin->sin_addr.s_addr), local_filter_addr_lower, 1189 sizeof local_filter_addr_lower - 1, 0); 1190 local_filter = strdup (local_filter_addr_upper); 1191 if (!local_filter) 1192 { 1193 log_print ("policy_callback: strdup (\"%s\") failed", 1194 local_filter_addr_upper); 1195 goto bad; 1196 } 1197 } 1198 1199 LOG_DBG ((LOG_SA, 80, "Policy context (action attributes):")); 1200 LOG_DBG ((LOG_SA, 80, "esp_present == %s", esp_present)); 1201 LOG_DBG ((LOG_SA, 80, "ah_present == %s", ah_present)); 1202 LOG_DBG ((LOG_SA, 80, "comp_present == %s", comp_present)); 1203 LOG_DBG ((LOG_SA, 80, "ah_hash_alg == %s", ah_hash_alg)); 1204 LOG_DBG ((LOG_SA, 80, "esp_enc_alg == %s", esp_enc_alg)); 1205 LOG_DBG ((LOG_SA, 80, "comp_alg == %s", comp_alg)); 1206 LOG_DBG ((LOG_SA, 80, "ah_auth_alg == %s", ah_auth_alg)); 1207 LOG_DBG ((LOG_SA, 80, "esp_auth_alg == %s", esp_auth_alg)); 1208 LOG_DBG ((LOG_SA, 80, "ah_life_seconds == %s", ah_life_seconds)); 1209 LOG_DBG ((LOG_SA, 80, "ah_life_kbytes == %s", ah_life_kbytes)); 1210 LOG_DBG ((LOG_SA, 80, "esp_life_seconds == %s", esp_life_seconds)); 1211 LOG_DBG ((LOG_SA, 80, "esp_life_kbytes == %s", esp_life_kbytes)); 1212 LOG_DBG ((LOG_SA, 80, "comp_life_seconds == %s", comp_life_seconds)); 1213 LOG_DBG ((LOG_SA, 80, "comp_life_kbytes == %s", comp_life_kbytes)); 1214 LOG_DBG ((LOG_SA, 80, "ah_encapsulation == %s", ah_encapsulation)); 1215 LOG_DBG ((LOG_SA, 80, "esp_encapsulation == %s", esp_encapsulation)); 1216 LOG_DBG ((LOG_SA, 80, "comp_encapsulation == %s", comp_encapsulation)); 1217 LOG_DBG ((LOG_SA, 80, "comp_dict_size == %s", comp_dict_size)); 1218 LOG_DBG ((LOG_SA, 80, "comp_private_alg == %s", comp_private_alg)); 1219 LOG_DBG ((LOG_SA, 80, "ah_key_length == %s", ah_key_length)); 1220 LOG_DBG ((LOG_SA, 80, "ah_key_rounds == %s", ah_key_rounds)); 1221 LOG_DBG ((LOG_SA, 80, "esp_key_length == %s", esp_key_length)); 1222 LOG_DBG ((LOG_SA, 80, "esp_key_rounds == %s", esp_key_rounds)); 1223 LOG_DBG ((LOG_SA, 80, "ah_group_desc == %s", ah_group_desc)); 1224 LOG_DBG ((LOG_SA, 80, "esp_group_desc == %s", esp_group_desc)); 1225 LOG_DBG ((LOG_SA, 80, "comp_group_desc == %s", comp_group_desc)); 1226 LOG_DBG ((LOG_SA, 80, "remote_filter_type == %s", remote_filter_type)); 1227 LOG_DBG ((LOG_SA, 80, "remote_filter_addr_upper == %s", remote_filter_addr_upper)); 1228 LOG_DBG ((LOG_SA, 80, "remote_filter_addr_lower == %s", remote_filter_addr_lower)); 1229 LOG_DBG ((LOG_SA, 80, "remote_filter == %s", remote_filter)); 1230 LOG_DBG ((LOG_SA, 80, "remote_filter_port == %s", remote_filter_port)); 1231 LOG_DBG ((LOG_SA, 80, "remote_filter_proto == %s", remote_filter_proto)); 1232 LOG_DBG ((LOG_SA, 80, "local_filter_type == %s", local_filter_type)); 1233 LOG_DBG ((LOG_SA, 80, "local_filter_addr_upper == %s", local_filter_addr_upper)); 1234 LOG_DBG ((LOG_SA, 80, "local_filter_addr_lower == %s", local_filter_addr_lower)); 1235 LOG_DBG ((LOG_SA, 80, "local_filter == %s", local_filter)); 1236 LOG_DBG ((LOG_SA, 80, "local_filter_port == %s", local_filter_port)); 1237 LOG_DBG ((LOG_SA, 80, "local_filter_proto == %s", local_filter_proto)); 1238 LOG_DBG ((LOG_SA, 80, "remote_id_type == %s", remote_id_type)); 1239 LOG_DBG ((LOG_SA, 80, "remote_id_addr_upper == %s", remote_id_addr_upper)); 1240 LOG_DBG ((LOG_SA, 80, "remote_id_addr_lower == %s", remote_id_addr_lower)); 1241 LOG_DBG ((LOG_SA, 80, "remote_id == %s", remote_id)); 1242 LOG_DBG ((LOG_SA, 80, "remote_id_port == %s", remote_id_port)); 1243 LOG_DBG ((LOG_SA, 80, "remote_id_proto == %s", remote_id_proto)); 1244 LOG_DBG ((LOG_SA, 80, "remote_negotiation_address == %s", remote_ike_address)); 1245 LOG_DBG ((LOG_SA, 80, "local_negotiation_address == %s", local_ike_address)); 1246 LOG_DBG ((LOG_SA, 80, "pfs == %s", pfs)); 1247 LOG_DBG ((LOG_SA, 80, "initiator == %s", initiator)); 1248 LOG_DBG ((LOG_SA, 80, "phase1_group_desc == %s", phase1_group)); 1249 1250 /* Unset dirty now. */ 1251 dirty = 0; 1252 } 1253 1254 if (strcmp (name, "phase_1") == 0) 1255 return phase_1; 1256 1257 if (strcmp (name, "GMTTimeOfDay") == 0) 1258 { 1259 tt = time ((time_t) NULL); 1260 strftime (mytimeofday, 14, "%G%m%d%H%M%S", gmtime (&tt)); 1261 return mytimeofday; 1262 } 1263 1264 if (strcmp (name, "LocalTimeOfDay") == 0) 1265 { 1266 tt = time ((time_t) NULL); 1267 strftime (mytimeofday, 14, "%G%m%d%H%M%S", localtime (&tt)); 1268 return mytimeofday; 1269 } 1270 1271 if (strcmp (name, "initiator") == 0) 1272 return initiator; 1273 1274 if (strcmp (name, "pfs") == 0) 1275 return pfs; 1276 1277 if (strcmp (name, "app_domain") == 0) 1278 return "IPsec policy"; 1279 1280 if (strcmp (name, "doi") == 0) 1281 return "ipsec"; 1282 1283 if (strcmp (name, "esp_present") == 0) 1284 return esp_present; 1285 1286 if (strcmp (name, "ah_present") == 0) 1287 return ah_present; 1288 1289 if (strcmp (name, "comp_present") == 0) 1290 return comp_present; 1291 1292 if (strcmp (name, "ah_hash_alg") == 0) 1293 return ah_hash_alg; 1294 1295 if (strcmp (name, "ah_auth_alg") == 0) 1296 return ah_auth_alg; 1297 1298 if (strcmp (name, "esp_auth_alg") == 0) 1299 return esp_auth_alg; 1300 1301 if (strcmp (name, "esp_enc_alg") == 0) 1302 return esp_enc_alg; 1303 1304 if (strcmp (name, "comp_alg") == 0) 1305 return comp_alg; 1306 1307 if (strcmp (name, "ah_life_kbytes") == 0) 1308 return ah_life_kbytes; 1309 1310 if (strcmp (name, "ah_life_seconds") == 0) 1311 return ah_life_seconds; 1312 1313 if (strcmp (name, "esp_life_kbytes") == 0) 1314 return esp_life_kbytes; 1315 1316 if (strcmp (name, "esp_life_seconds") == 0) 1317 return esp_life_seconds; 1318 1319 if (strcmp (name, "comp_life_kbytes") == 0) 1320 return comp_life_kbytes; 1321 1322 if (strcmp (name, "comp_life_seconds") == 0) 1323 return comp_life_seconds; 1324 1325 if (strcmp (name, "ah_encapsulation") == 0) 1326 return ah_encapsulation; 1327 1328 if (strcmp (name, "esp_encapsulation") == 0) 1329 return esp_encapsulation; 1330 1331 if (strcmp (name, "comp_encapsulation") == 0) 1332 return comp_encapsulation; 1333 1334 if (strcmp (name, "ah_key_length") == 0) 1335 return ah_key_length; 1336 1337 if (strcmp (name, "ah_key_rounds") == 0) 1338 return ah_key_rounds; 1339 1340 if (strcmp (name, "esp_key_length") == 0) 1341 return esp_key_length; 1342 1343 if (strcmp (name, "esp_key_rounds") == 0) 1344 return esp_key_rounds; 1345 1346 if (strcmp (name, "comp_dict_size") == 0) 1347 return comp_dict_size; 1348 1349 if (strcmp (name, "comp_private_alg") == 0) 1350 return comp_private_alg; 1351 1352 if (strcmp (name, "remote_filter_type") == 0) 1353 return remote_filter_type; 1354 1355 if (strcmp (name, "remote_filter") == 0) 1356 return remote_filter; 1357 1358 if (strcmp (name, "remote_filter_addr_upper") == 0) 1359 return remote_filter_addr_upper; 1360 1361 if (strcmp (name, "remote_filter_addr_lower") == 0) 1362 return remote_filter_addr_lower; 1363 1364 if (strcmp (name, "remote_filter_port") == 0) 1365 return remote_filter_port; 1366 1367 if (strcmp (name, "remote_filter_proto") == 0) 1368 return remote_filter_proto; 1369 1370 if (strcmp (name, "local_filter_type") == 0) 1371 return local_filter_type; 1372 1373 if (strcmp (name, "local_filter") == 0) 1374 return local_filter; 1375 1376 if (strcmp (name, "local_filter_addr_upper") == 0) 1377 return local_filter_addr_upper; 1378 1379 if (strcmp (name, "local_filter_addr_lower") == 0) 1380 return local_filter_addr_lower; 1381 1382 if (strcmp (name, "local_filter_port") == 0) 1383 return local_filter_port; 1384 1385 if (strcmp (name, "local_filter_proto") == 0) 1386 return local_filter_proto; 1387 1388 if (strcmp (name, "remote_ike_address") == 0) 1389 return remote_ike_address; 1390 1391 if (strcmp (name, "remote_negotiation_address") == 0) 1392 return remote_ike_address; 1393 1394 if (strcmp (name, "local_ike_address") == 0) 1395 return local_ike_address; 1396 1397 if (strcmp (name, "local_negotiation_address") == 0) 1398 return local_ike_address; 1399 1400 if (strcmp (name, "remote_id_type") == 0) 1401 return remote_id_type; 1402 1403 if (strcmp (name, "remote_id") == 0) 1404 return remote_id; 1405 1406 if (strcmp (name, "remote_id_addr_upper") == 0) 1407 return remote_id_addr_upper; 1408 1409 if (strcmp (name, "remote_id_addr_lower") == 0) 1410 return remote_id_addr_lower; 1411 1412 if (strcmp (name, "remote_id_port") == 0) 1413 return remote_id_port; 1414 1415 if (strcmp (name, "remote_id_proto") == 0) 1416 return remote_id_proto; 1417 1418 if (strcmp (name, "phase1_group_desc") == 0) 1419 return phase1_group; 1420 1421 return ""; 1422 1423 bad: 1424 policy_callback (KEYNOTE_CALLBACK_INITIALIZE); 1425 return ""; 1426} 1427 1428void 1429policy_init (void) 1430{ 1431 char *ptr, *policy_file; 1432 char **asserts; 1433 struct stat st; 1434 int fd, len, i; 1435 1436 LOG_DBG ((LOG_MISC, 50, "policy_init: initializing")); 1437 1438#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) 1439 if (!dyn_load (libkeynote_script)) 1440 return; 1441#endif 1442 1443 /* If there exists a session already, release all its resources. */ 1444 if (keynote_sessid != -1) 1445 LK (kn_close, (keynote_sessid)); 1446 1447 /* Initialize a session. */ 1448 keynote_sessid = LK (kn_init, ()); 1449 if (keynote_sessid == -1) 1450 log_fatal ("policy_init: kn_init () failed"); 1451 1452 /* Get policy file from configuration. */ 1453 policy_file = conf_get_str ("General", "policy-file"); 1454 if (!policy_file) 1455 policy_file = POLICY_FILE_DEFAULT; 1456 1457 /* Open policy file. */ 1458 fd = open (policy_file, O_RDONLY); 1459 if (fd == -1) 1460 log_fatal ("policy_init: open (\"%s\", O_RDONLY) failed", policy_file); 1461 1462 /* Get size. */ 1463 if (fstat (fd, &st) == -1) 1464 log_fatal ("policy_init: fstat (%d, &st) failed", fd); 1465 1466 /* Allocate memory to keep policies. */ 1467 ptr = calloc (st.st_size + 1, sizeof (char)); 1468 if (!ptr) 1469 log_fatal ("policy_init: calloc (%d, %d) failed", st.st_size, 1470 sizeof (char)); 1471 1472 /* Just in case there are short reads... */ 1473 for (len = 0; len < st.st_size; len += i) 1474 { 1475 i = read (fd, ptr + len, st.st_size - len); 1476 if (i == -1) 1477 log_fatal ("policy_init: read (%d, %p, %d) failed", fd, ptr + len, 1478 st.st_size - len); 1479 } 1480 1481 /* We're done with this. */ 1482 close (fd); 1483 1484 /* Parse buffer, break up into individual policies. */ 1485 asserts = LK (kn_read_asserts, (ptr, st.st_size, &i)); 1486 1487 /* Begone! */ 1488 free (ptr); 1489 1490 /* Add each individual policy in the session. */ 1491 for (fd = 0; fd < i; fd++) 1492 { 1493 if (LK (kn_add_assertion, (keynote_sessid, asserts[fd], 1494 strlen (asserts[fd]), ASSERT_FLAG_LOCAL)) 1495 == -1) 1496 log_print ("policy_init: " 1497 "kn_add_assertion (%d, %p, %d, ASSERT_FLAG_LOCAL) failed", 1498 keynote_sessid, asserts[fd], strlen (asserts[fd])); 1499 } 1500 1501 /* Cleanup */ 1502 if (keynote_policy_asserts) 1503 { 1504 for (fd = 0; fd < keynote_policy_asserts_num; fd++) 1505 if (keynote_policy_asserts && keynote_policy_asserts[fd]) 1506 free (keynote_policy_asserts[fd]); 1507 1508 free (keynote_policy_asserts); 1509 } 1510 1511 keynote_policy_asserts = asserts; 1512 keynote_policy_asserts_num = i; 1513} 1514 1515/* Nothing needed for initialization */ 1516int 1517keynote_cert_init (void) 1518{ 1519 return 1; 1520} 1521 1522/* Just copy and return */ 1523void * 1524keynote_cert_get (u_int8_t *data, u_int32_t len) 1525{ 1526 char *foo = calloc (len + 1, sizeof(char)); 1527 1528 if (foo == NULL) 1529 return NULL; 1530 1531 memcpy (foo, data, len); 1532 return foo; 1533} 1534 1535/* 1536 * We just verify the signature on the credentials. 1537 * On signature failure, just drop the whole payload. 1538 */ 1539int 1540keynote_cert_validate (void *scert) 1541{ 1542 char **foo; 1543 int num, i; 1544 1545 if (scert == NULL) 1546 return 0; 1547 1548 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), 1549 &num)); 1550 if (foo == NULL) 1551 return 0; 1552 1553 for (i = 0; i < num; i++) 1554 { 1555 if (LK (kn_verify_assertion, (scert, strlen ((char *) scert))) != 1556 SIGRESULT_TRUE) 1557 { 1558 for (; i < num; i++) 1559 free (foo[i]); 1560 free (foo); 1561 return 0; 1562 } 1563 1564 free (foo[i]); 1565 } 1566 1567 free (foo); 1568 return 1; 1569} 1570 1571/* Add received credentials */ 1572int 1573keynote_cert_insert (int sid, void *scert) 1574{ 1575 char **foo; 1576 int num; 1577 1578 if (scert == NULL) 1579 return 0; 1580 1581 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), 1582 &num)); 1583 if (foo == NULL) 1584 return 0; 1585 1586 while (num--) 1587 LK (kn_add_assertion, (sid, foo[num], strlen (foo[num]), 0)); 1588 1589 return 1; 1590} 1591 1592/* Just regular memory free */ 1593void 1594keynote_cert_free (void *cert) 1595{ 1596 free (cert); 1597} 1598 1599/* Verify that the key given to us is valid */ 1600int 1601keynote_certreq_validate (u_int8_t *data, u_int32_t len) 1602{ 1603 struct keynote_deckey dc; 1604 int err = 1; 1605 char *dat; 1606 1607 dat = calloc (len + 1, sizeof(char)); 1608 if (dat == NULL) 1609 return 0; 1610 1611 memcpy (dat, data, len); 1612 1613 if (LK (kn_decode_key, (&dc, dat, KEYNOTE_PUBLIC_KEY)) != 0) 1614 err = 0; 1615 else 1616 LK (kn_free_key, (&dc)); 1617 1618 free (dat); 1619 1620 return err; 1621} 1622 1623/* Beats me what we should be doing with this */ 1624void * 1625keynote_certreq_decode (u_int8_t *data, u_int32_t len) 1626{ 1627 /* XXX */ 1628 return NULL; 1629} 1630 1631void 1632keynote_free_aca (void *blob) 1633{ 1634 /* XXX */ 1635} 1636 1637int 1638keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, 1639 u_int32_t *certlen) 1640{ 1641 char *dirname, *file; 1642 struct stat sb; 1643 int idtype, fd, len; 1644 1645 if (!id) 1646 { 1647 log_print ("keynote_cert_obtain: ID is missing"); 1648 return 0; 1649 } 1650 1651 /* Get type of ID */ 1652 idtype = id[0]; 1653 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 1654 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 1655 1656 dirname = conf_get_str ("KeyNote", "Credential-directory"); 1657 if (!dirname) 1658 { 1659 log_print ("keynote_cert_obtain: no Credential-directory"); 1660 return 0; 1661 } 1662 1663 len = strlen (dirname) + strlen (CREDENTIAL_FILE) + 3; 1664 1665 switch (idtype) 1666 { 1667 case IPSEC_ID_IPV4_ADDR: 1668 { 1669 struct in_addr in; 1670 1671 file = calloc (len + 15, sizeof(char)); 1672 if (file == NULL) 1673 { 1674 log_print ("keynote_cert_obtain: failed to allocate %d bytes", 1675 len + 15); 1676 return 0; 1677 } 1678 1679 memcpy (&in, id, sizeof(in)); 1680 sprintf (file, "%s/%s/%s", dirname, inet_ntoa (in), CREDENTIAL_FILE); 1681 break; 1682 } 1683 1684 case IPSEC_ID_FQDN: 1685 case IPSEC_ID_USER_FQDN: 1686 { 1687 file = calloc (len + id_len, sizeof(char)); 1688 if (file == NULL) 1689 { 1690 log_print ("keynote_cert_obtain: failed to allocate %d bytes", 1691 len + id_len); 1692 return 0; 1693 } 1694 1695 sprintf (file, "%s/", dirname); 1696 memcpy (file + strlen (file), id, id_len); 1697 sprintf (file + strlen (dirname) + 1 + id_len, "/%s", CREDENTIAL_FILE); 1698 break; 1699 } 1700 1701 default: 1702 return 0; 1703 } 1704 1705 if (stat (file, &sb) < 0) 1706 { 1707 log_print ("keynote_cert_obtain: failed to stat \"%s\"", file); 1708 free (file); 1709 return 0; 1710 } 1711 1712 *cert = calloc (sb.st_size, sizeof(char)); 1713 if (*cert == NULL) 1714 { 1715 log_print ("keynote_cert_obtain: failed to allocate %d bytes", 1716 sb.st_size); 1717 free (file); 1718 return 0; 1719 } 1720 1721 fd = open (file, O_RDONLY, 0); 1722 if (fd < 0) 1723 { 1724 log_print ("keynote_cert_obtain: failed to open \"%s\"", file); 1725 free (file); 1726 return 0; 1727 } 1728 1729 if (read (fd, *cert, sb.st_size) != sb.st_size) 1730 { 1731 log_print ("keynote_cert_obtain: failed to read %d bytes from \"%s\"", 1732 sb.st_size, file); 1733 free (file); 1734 close (fd); 1735 return 0; 1736 } 1737 1738 close (fd); 1739 free (file); 1740 *certlen = sb.st_size; 1741 return 1; 1742} 1743 1744/* This should never be called */ 1745int 1746keynote_cert_get_subjects (void *scert, int *n, u_int8_t ***id, 1747 u_int32_t **id_len) 1748{ 1749 return 0; 1750} 1751 1752/* Get the Authorizer key */ 1753int 1754keynote_cert_get_key (void *scert, void *keyp) 1755{ 1756 struct keynote_keylist *kl; 1757 int sid, num; 1758 char **foo; 1759 1760 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), &num)); 1761 if ((foo == NULL) || (num == 0)) 1762 return 0; 1763 1764 sid = LK (kn_add_assertion, (keynote_sessid, foo[num - 1], 1765 strlen (scert), 0)); 1766 while (num--) 1767 free (foo[num]); 1768 free (foo); 1769 1770 if (sid == -1) 1771 return 0; 1772 1773 *(RSA **)keyp = NULL; 1774 1775 kl = LK (kn_get_licensees, (keynote_sessid, sid)); 1776 while (kl) 1777 { 1778 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA) 1779 { 1780 *(RSA **)keyp = LC (RSAPublicKey_dup, (kl->key_key)); 1781 break; 1782 } 1783 1784 kl = kl->key_next; 1785 } 1786 1787 LK (kn_remove_assertion, (keynote_sessid, sid)); 1788 return *(RSA **)keyp == NULL ? 0 : 1; 1789} 1790