policy.c revision 1.46
1/* $OpenBSD: policy.c,v 1.46 2001/08/26 01:48:12 niklas Exp $ */ 2/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ 3 4/* 5 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. 6 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 7 * Copyright (c) 2001 H�kan Olsson. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. All advertising materials mentioning features or use of this software 18 * must display the following acknowledgement: 19 * This product includes software developed by Ericsson Radio Systems. 20 * 4. The name of the author may not be used to endorse or promote products 21 * derived from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35/* 36 * This code was written under funding by Ericsson Radio Systems. 37 */ 38 39#include <sys/types.h> 40#include <sys/param.h> 41#include <sys/mman.h> 42#include <sys/queue.h> 43#include <sys/stat.h> 44#include <regex.h> 45#include <ctype.h> 46#include <fcntl.h> 47#include <stdio.h> 48#include <stdlib.h> 49#include <string.h> 50#include <unistd.h> 51#include <keynote.h> 52#include <sys/socket.h> 53#include <netinet/in.h> 54#include <arpa/inet.h> 55#include <errno.h> 56#include <openssl/ssl.h> 57#include <netdb.h> 58 59#include "sysdep.h" 60 61#include "conf.h" 62#include "dyn.h" 63#include "exchange.h" 64#include "ipsec.h" 65#include "isakmp_doi.h" 66#include "sa.h" 67#include "transport.h" 68#include "log.h" 69#include "message.h" 70#include "util.h" 71#include "policy.h" 72#include "x509.h" 73 74#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) && 0 75 76void *libkeynote = 0; 77 78/* 79 * These prototypes matches OpenBSD keynote.h 1.6. If you use 80 * a different version than that, you are on your own. 81 */ 82int *lk_keynote_errno; 83int (*lk_kn_add_action) (int, char *, char *, int); 84int (*lk_kn_add_assertion) (int, char *, int, int); 85int (*lk_kn_add_authorizer) (int, char *); 86int (*lk_kn_close) (int); 87int (*lk_kn_do_query) (int, char **, int); 88char *(*lk_kn_encode_key) (struct keynote_deckey *, int, int, int); 89int (*lk_kn_init) (void); 90char **(*lk_kn_read_asserts) (char *, int, int *); 91int (*lk_kn_remove_authorizer) (int, char *); 92int (*lk_kn_get_authorizer) (int, int, int *); 93void (*lk_kn_free_key) (struct keynote_deckey *); 94struct keynote_keylist *(*lk_kn_get_licensees) (int, int); 95#define SYMENTRY(x) { SYM, SYM (x), (void **)&lk_ ## x } 96 97static struct dynload_script libkeynote_script[] = { 98 { LOAD, "libc.so", &libkeynote }, 99 { LOAD, "libcrypto.so", &libkeynote }, 100 { LOAD, "libm.so", &libkeynote }, 101 { LOAD, "libkeynote.so", &libkeynote }, 102 SYMENTRY (keynote_errno), 103 SYMENTRY (kn_add_action), 104 SYMENTRY (kn_add_assertion), 105 SYMENTRY (kn_add_authorizer), 106 SYMENTRY (kn_close), 107 SYMENTRY (kn_do_query), 108 SYMENTRY (kn_encode_key), 109 SYMENTRY (kn_init), 110 SYMENTRY (kn_read_asserts), 111 SYMENTRY (kn_remove_authorizer), 112 SYMENTRY (kn_get_licensees), 113 SYMENTRY (kn_get_authorizer), 114 { EOS } 115}; 116#endif 117 118char **keynote_policy_asserts = NULL; 119int keynote_policy_asserts_num = 0; 120struct exchange *policy_exchange = 0; 121struct sa *policy_sa = 0; 122struct sa *policy_isakmp_sa = 0; 123 124static const char hextab[] = { 125 '0', '1', '2', '3', '4', '5', '6', '7', 126 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 127}; 128 129/* 130 * Adaptation of Vixie's inet_ntop4 () 131 */ 132static const char * 133my_inet_ntop4 (const in_addr_t *src, char *dst, size_t size, int normalize) 134{ 135 static const char fmt[] = "%03u.%03u.%03u.%03u"; 136 char tmp[sizeof "255.255.255.255"]; 137 in_addr_t src2; 138 139 if (normalize) 140 src2 = ntohl (*src); 141 else 142 src2 = *src; 143 144 if (sprintf (tmp, fmt, ((u_int8_t *) &src2)[0], ((u_int8_t *) &src2)[1], 145 ((u_int8_t *) &src2)[2], ((u_int8_t *) &src2)[3]) > size) 146 { 147 errno = ENOSPC; 148 return 0; 149 } 150 strcpy (dst, tmp); 151 return dst; 152} 153 154static const char * 155my_inet_ntop6 (const unsigned char *src, char *dst, size_t size) 156{ 157 static const char fmt[] = "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x"; 158 char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"]; 159 160 if (sprintf (tmp, fmt, src[0], src[1], src[2], src[3], src[4], src[5], 161 src[6], src[7], src[8], src[9], src[10], src[11], src[12], 162 src[13], src[14], src[15]) > size) 163 { 164 errno = ENOSPC; 165 return 0; 166 } 167 strcpy (dst, tmp); 168 return dst; 169} 170 171char * 172policy_callback (char *name) 173{ 174 struct proto *proto; 175 176 u_int8_t *attr, *value, *id, *idlocal, *idremote; 177 size_t id_sz, idlocalsz, idremotesz; 178 struct sockaddr *sin; 179 struct ipsec_exch *ie; 180 struct ipsec_sa *is; 181 int fmt, i, lifetype = 0; 182 in_addr_t net, subnet; 183 u_int16_t len, type; 184 time_t tt; 185 char *addr; 186 static char mytimeofday[15]; 187 188 /* We use all these as a cache. */ 189 static char *esp_present, *ah_present, *comp_present; 190 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; 191 static char *comp_alg, ah_life_kbytes[32], ah_life_seconds[32]; 192 static char esp_life_kbytes[32], esp_life_seconds[32], comp_life_kbytes[32]; 193 static char comp_life_seconds[32], *ah_encapsulation, *esp_encapsulation; 194 static char *comp_encapsulation, ah_key_length[32], esp_key_length[32]; 195 static char ah_key_rounds[32], esp_key_rounds[32], comp_dict_size[32]; 196 static char comp_private_alg[32], *remote_filter_type, *local_filter_type; 197 static char remote_filter_addr_upper[NI_MAXHOST]; 198 static char remote_filter_addr_lower[NI_MAXHOST]; 199 static char local_filter_addr_upper[NI_MAXHOST]; 200 static char local_filter_addr_lower[NI_MAXHOST]; 201 static char ah_group_desc[32], esp_group_desc[32], comp_group_desc[32]; 202 static char remote_ike_address[NI_MAXHOST]; 203 static char local_ike_address[NI_MAXHOST]; 204 static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST], *phase_1; 205 static char remote_id_addr_lower[NI_MAXHOST]; 206 static char *remote_id_proto, remote_id_port[32]; 207 static char remote_filter_port[32], local_filter_port[32]; 208 static char *remote_filter_proto, *local_filter_proto, *pfs, *initiator; 209 static char remote_filter_proto_num[3], local_filter_proto_num[3]; 210 static char remote_id_proto_num[3]; 211 static char phase1_group[32]; 212 213 /* Allocated. */ 214 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; 215 216 static int dirty = 1; 217 218 /* We only need to set dirty at initialization time really. */ 219 if (strcmp (name, KEYNOTE_CALLBACK_CLEANUP) == 0 220 || strcmp (name, KEYNOTE_CALLBACK_INITIALIZE) == 0) 221 { 222 esp_present = ah_present = comp_present = pfs = "no"; 223 ah_hash_alg = ah_auth_alg = phase_1 = ""; 224 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; 225 esp_encapsulation = comp_encapsulation = remote_filter_type = ""; 226 local_filter_type = remote_id_type = initiator = ""; 227 remote_filter_proto = local_filter_proto = remote_id_proto = ""; 228 229 if (remote_filter != 0) 230 { 231 free (remote_filter); 232 remote_filter = 0; 233 } 234 235 if (local_filter != 0) 236 { 237 free (local_filter); 238 local_filter = 0; 239 } 240 241 if (remote_id != 0) 242 { 243 free (remote_id); 244 remote_id = 0; 245 } 246 247 memset (remote_ike_address, 0, sizeof remote_ike_address); 248 memset (local_ike_address, 0, sizeof local_ike_address); 249 memset (ah_life_kbytes, 0, sizeof ah_life_kbytes); 250 memset (ah_life_seconds, 0, sizeof ah_life_seconds); 251 memset (esp_life_kbytes, 0, sizeof esp_life_kbytes); 252 memset (esp_life_seconds, 0, sizeof esp_life_seconds); 253 memset (comp_life_kbytes, 0, sizeof comp_life_kbytes); 254 memset (comp_life_seconds, 0, sizeof comp_life_seconds); 255 memset (ah_key_length, 0, sizeof ah_key_length); 256 memset (ah_key_rounds, 0, sizeof ah_key_rounds); 257 memset (esp_key_length, 0, sizeof esp_key_length); 258 memset (esp_key_rounds, 0, sizeof esp_key_rounds); 259 memset (comp_dict_size, 0, sizeof comp_dict_size); 260 memset (comp_private_alg, 0, sizeof comp_private_alg); 261 memset (remote_filter_addr_upper, 0, sizeof remote_filter_addr_upper); 262 memset (remote_filter_addr_lower, 0, sizeof remote_filter_addr_lower); 263 memset (local_filter_addr_upper, 0, sizeof local_filter_addr_upper); 264 memset (local_filter_addr_lower, 0, sizeof local_filter_addr_lower); 265 memset (remote_id_addr_upper, 0, sizeof remote_id_addr_upper); 266 memset (remote_id_addr_lower, 0, sizeof remote_id_addr_lower); 267 memset (ah_group_desc, 0, sizeof ah_group_desc); 268 memset (esp_group_desc, 0, sizeof esp_group_desc); 269 memset (remote_id_port, 0, sizeof remote_id_port); 270 memset (remote_filter_port, 0, sizeof remote_filter_port); 271 memset (local_filter_port, 0, sizeof local_filter_port); 272 memset (phase1_group, 0, sizeof phase1_group); 273 274 dirty = 1; 275 return ""; 276 } 277 278 /* 279 * If dirty is set, this is the first request for an attribute, so 280 * populate our value cache. 281 */ 282 if (dirty) 283 { 284 ie = policy_exchange->data; 285 286 if (ie->pfs) 287 pfs = "yes"; 288 289 is = policy_isakmp_sa->data; 290 sprintf (phase1_group, "%u", is->group_desc); 291 292 for (proto = TAILQ_FIRST (&policy_sa->protos); proto; 293 proto = TAILQ_NEXT (proto, link)) 294 { 295 switch (proto->proto) 296 { 297 case IPSEC_PROTO_IPSEC_AH: 298 ah_present = "yes"; 299 switch (proto->id) 300 { 301 case IPSEC_AH_MD5: 302 ah_hash_alg = "md5"; 303 break; 304 305 case IPSEC_AH_SHA: 306 ah_hash_alg = "sha"; 307 break; 308 309 case IPSEC_AH_RIPEMD: 310 ah_hash_alg = "ripemd"; 311 break; 312 313 case IPSEC_AH_DES: 314 ah_hash_alg = "des"; 315 break; 316 } 317 318 break; 319 320 case IPSEC_PROTO_IPSEC_ESP: 321 esp_present = "yes"; 322 switch (proto->id) 323 { 324 case IPSEC_ESP_DES_IV64: 325 esp_enc_alg = "des-iv64"; 326 break; 327 328 case IPSEC_ESP_DES: 329 esp_enc_alg = "des"; 330 break; 331 332 case IPSEC_ESP_3DES: 333 esp_enc_alg = "3des"; 334 break; 335 336 case IPSEC_ESP_AES: 337 esp_enc_alg = "aes"; 338 break; 339 340 case IPSEC_ESP_RC5: 341 esp_enc_alg = "rc5"; 342 break; 343 344 case IPSEC_ESP_IDEA: 345 esp_enc_alg = "idea"; 346 break; 347 348 case IPSEC_ESP_CAST: 349 esp_enc_alg = "cast"; 350 break; 351 352 case IPSEC_ESP_BLOWFISH: 353 esp_enc_alg = "blowfish"; 354 break; 355 356 case IPSEC_ESP_3IDEA: 357 esp_enc_alg = "3idea"; 358 break; 359 360 case IPSEC_ESP_DES_IV32: 361 esp_enc_alg = "des-iv32"; 362 break; 363 364 case IPSEC_ESP_RC4: 365 esp_enc_alg = "rc4"; 366 break; 367 368 case IPSEC_ESP_NULL: 369 esp_enc_alg = "null"; 370 break; 371 } 372 373 break; 374 375 case IPSEC_PROTO_IPCOMP: 376 comp_present = "yes"; 377 switch (proto->id) 378 { 379 case IPSEC_IPCOMP_OUI: 380 comp_alg = "oui"; 381 break; 382 383 case IPSEC_IPCOMP_DEFLATE: 384 comp_alg = "deflate"; 385 break; 386 387 case IPSEC_IPCOMP_LZS: 388 comp_alg = "lzs"; 389 break; 390 391 case IPSEC_IPCOMP_V42BIS: 392 comp_alg = "v42bis"; 393 break; 394 } 395 396 break; 397 } 398 399 for (attr = proto->chosen->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF; 400 attr 401 < proto->chosen->p + GET_ISAKMP_GEN_LENGTH (proto->chosen->p); 402 attr = value + len) 403 { 404 if (attr + ISAKMP_ATTR_VALUE_OFF 405 > (proto->chosen->p 406 + GET_ISAKMP_GEN_LENGTH (proto->chosen->p))) 407 return ""; 408 409 type = GET_ISAKMP_ATTR_TYPE (attr); 410 fmt = ISAKMP_ATTR_FORMAT (type); 411 type = ISAKMP_ATTR_TYPE (type); 412 value = attr + (fmt ? ISAKMP_ATTR_LENGTH_VALUE_OFF : 413 ISAKMP_ATTR_VALUE_OFF); 414 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : 415 GET_ISAKMP_ATTR_LENGTH_VALUE (attr)); 416 417 if (value + len > proto->chosen->p + 418 GET_ISAKMP_GEN_LENGTH (proto->chosen->p)) 419 return ""; 420 421 switch (type) 422 { 423 case IPSEC_ATTR_SA_LIFE_TYPE: 424 lifetype = decode_16 (value); 425 break; 426 427 case IPSEC_ATTR_SA_LIFE_DURATION: 428 switch (proto->proto) 429 { 430 case IPSEC_PROTO_IPSEC_AH: 431 if (lifetype == IPSEC_DURATION_SECONDS) 432 { 433 if (len == 2) 434 sprintf (ah_life_seconds, "%u", 435 decode_16 (value)); 436 else 437 sprintf (ah_life_seconds, "%u", 438 decode_32 (value)); 439 } 440 else 441 { 442 if (len == 2) 443 sprintf (ah_life_kbytes, "%u", 444 decode_16 (value)); 445 else 446 sprintf (ah_life_kbytes, "%u", 447 decode_32 (value)); 448 } 449 450 break; 451 452 case IPSEC_PROTO_IPSEC_ESP: 453 if (lifetype == IPSEC_DURATION_SECONDS) 454 { 455 if (len == 2) 456 sprintf (esp_life_seconds, "%u", 457 decode_16 (value)); 458 else 459 sprintf (esp_life_seconds, "%u", 460 decode_32 (value)); 461 } 462 else 463 { 464 if (len == 2) 465 sprintf (esp_life_kbytes, "%u", 466 decode_16 (value)); 467 else 468 sprintf (esp_life_kbytes, "%u", 469 decode_32 (value)); 470 } 471 472 break; 473 474 case IPSEC_PROTO_IPCOMP: 475 if (lifetype == IPSEC_DURATION_SECONDS) 476 { 477 if (len == 2) 478 sprintf (comp_life_seconds, "%u", 479 decode_16 (value)); 480 else 481 sprintf (comp_life_seconds, "%u", 482 decode_32 (value)); 483 } 484 else 485 { 486 if (len == 2) 487 sprintf (comp_life_kbytes, "%u", 488 decode_16 (value)); 489 else 490 sprintf (comp_life_kbytes, "%u", 491 decode_32 (value)); 492 } 493 494 break; 495 } 496 break; 497 498 case IPSEC_ATTR_GROUP_DESCRIPTION: 499 switch (proto->proto) 500 { 501 case IPSEC_PROTO_IPSEC_AH: 502 sprintf (ah_group_desc, "%u", decode_16 (value)); 503 break; 504 505 case IPSEC_PROTO_IPSEC_ESP: 506 sprintf (esp_group_desc, "%u", 507 decode_16 (value)); 508 break; 509 510 case IPSEC_PROTO_IPCOMP: 511 sprintf (comp_group_desc, "%u", 512 decode_16 (value)); 513 break; 514 } 515 break; 516 517 case IPSEC_ATTR_ENCAPSULATION_MODE: 518 if (decode_16 (value) == IPSEC_ENCAP_TUNNEL) 519 switch (proto->proto) 520 { 521 case IPSEC_PROTO_IPSEC_AH: 522 ah_encapsulation = "tunnel"; 523 break; 524 525 case IPSEC_PROTO_IPSEC_ESP: 526 esp_encapsulation = "tunnel"; 527 break; 528 529 case IPSEC_PROTO_IPCOMP: 530 comp_encapsulation = "tunnel"; 531 break; 532 } 533 else 534 switch (proto->proto) 535 { 536 case IPSEC_PROTO_IPSEC_AH: 537 ah_encapsulation = "transport"; 538 break; 539 540 case IPSEC_PROTO_IPSEC_ESP: 541 esp_encapsulation = "transport"; 542 break; 543 544 case IPSEC_PROTO_IPCOMP: 545 comp_encapsulation = "transport"; 546 break; 547 } 548 break; 549 550 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: 551 switch (proto->proto) 552 { 553 case IPSEC_PROTO_IPSEC_AH: 554 switch (decode_16 (value)) 555 { 556 case IPSEC_AUTH_HMAC_MD5: 557 ah_auth_alg = "hmac-md5"; 558 break; 559 560 case IPSEC_AUTH_HMAC_SHA: 561 ah_auth_alg = "hmac-sha"; 562 break; 563 564 case IPSEC_AUTH_HMAC_RIPEMD: 565 ah_auth_alg = "hmac-ripemd"; 566 break; 567 568 case IPSEC_AUTH_DES_MAC: 569 ah_auth_alg = "des-mac"; 570 break; 571 572 case IPSEC_AUTH_KPDK: 573 ah_auth_alg = "kpdk"; 574 break; 575 } 576 break; 577 578 case IPSEC_PROTO_IPSEC_ESP: 579 switch (decode_16 (value)) 580 { 581 case IPSEC_AUTH_HMAC_MD5: 582 esp_auth_alg = "hmac-md5"; 583 break; 584 585 case IPSEC_AUTH_HMAC_SHA: 586 esp_auth_alg = "hmac-sha"; 587 break; 588 589 case IPSEC_AUTH_HMAC_RIPEMD: 590 esp_auth_alg = "hmac-ripemd"; 591 break; 592 593 case IPSEC_AUTH_DES_MAC: 594 esp_auth_alg = "des-mac"; 595 break; 596 597 case IPSEC_AUTH_KPDK: 598 esp_auth_alg = "kpdk"; 599 break; 600 } 601 break; 602 } 603 break; 604 605 case IPSEC_ATTR_KEY_LENGTH: 606 switch (proto->proto) 607 { 608 case IPSEC_PROTO_IPSEC_AH: 609 sprintf (ah_key_length, "%u", decode_16 (value)); 610 break; 611 612 case IPSEC_PROTO_IPSEC_ESP: 613 sprintf (esp_key_length, "%u", 614 decode_16 (value)); 615 break; 616 } 617 break; 618 619 case IPSEC_ATTR_KEY_ROUNDS: 620 switch (proto->proto) 621 { 622 case IPSEC_PROTO_IPSEC_AH: 623 sprintf (ah_key_rounds, "%u", decode_16 (value)); 624 break; 625 626 case IPSEC_PROTO_IPSEC_ESP: 627 sprintf (esp_key_rounds, "%u", 628 decode_16 (value)); 629 break; 630 } 631 break; 632 633 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: 634 sprintf (comp_dict_size, "%u", decode_16 (value)); 635 break; 636 637 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: 638 sprintf (comp_private_alg, "%u", decode_16 (value)); 639 break; 640 } 641 } 642 } 643 644 policy_sa->transport->vtbl->get_src (policy_sa->transport, &sin); 645 if (sockaddr2text (sin, &addr, 1)) 646 { 647 log_error ("policy_callback: sockaddr2text failed"); 648 goto bad; 649 } 650 strncpy (local_ike_address, addr, sizeof local_ike_address); 651 local_ike_address[sizeof local_ike_address - 1] = '\0'; 652 free (addr); 653 654 policy_sa->transport->vtbl->get_dst (policy_sa->transport, &sin); 655 if (sockaddr2text (sin, &addr, 1)) 656 { 657 log_error ("policy_callback: sockaddr2text failed"); 658 goto bad; 659 } 660 strncpy (remote_ike_address, addr, sizeof remote_ike_address); 661 remote_ike_address[sizeof remote_ike_address - 1] = '\0'; 662 free (addr); 663 664 switch (policy_isakmp_sa->exch_type) 665 { 666 case ISAKMP_EXCH_AGGRESSIVE: 667 phase_1 = "aggressive"; 668 break; 669 670 case ISAKMP_EXCH_ID_PROT: 671 phase_1 = "main"; 672 break; 673 } 674 675 if (policy_isakmp_sa->initiator) 676 { 677 id = policy_isakmp_sa->id_r; 678 id_sz = policy_isakmp_sa->id_r_len; 679 } 680 else 681 { 682 id = policy_isakmp_sa->id_i; 683 id_sz = policy_isakmp_sa->id_i_len; 684 } 685 686 switch (id[0]) 687 { 688 case IPSEC_ID_IPV4_ADDR: 689 remote_id_type = "IPv4 address"; 690 691 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 692 my_inet_ntop4 (&net, remote_id_addr_upper, 693 sizeof remote_id_addr_upper - 1, 1); 694 my_inet_ntop4 (&net, remote_id_addr_lower, 695 sizeof remote_id_addr_lower - 1, 1); 696 remote_id = strdup (remote_id_addr_upper); 697 if (!remote_id) 698 { 699 log_error ("policy_callback: strdup (\"%s\") failed", 700 remote_id_addr_upper); 701 goto bad; 702 } 703 break; 704 705 case IPSEC_ID_IPV4_RANGE: 706 remote_id_type = "IPv4 range"; 707 708 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 709 my_inet_ntop4 (&net, remote_id_addr_lower, 710 sizeof remote_id_addr_lower - 1, 1); 711 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 712 my_inet_ntop4 (&net, remote_id_addr_upper, 713 sizeof remote_id_addr_upper - 1, 1); 714 remote_id = calloc (strlen (remote_id_addr_upper) 715 + strlen (remote_id_addr_lower) + 2, 716 sizeof (char)); 717 if (!remote_id) 718 { 719 log_error ("policy_callback: calloc (%d, %d) failed", 720 strlen (remote_id_addr_upper) 721 + strlen (remote_id_addr_lower) + 2, 722 sizeof (char)); 723 goto bad; 724 } 725 726 strcpy (remote_id, remote_id_addr_lower); 727 remote_id[strlen (remote_id_addr_lower)] = '-'; 728 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 729 remote_id_addr_upper); 730 break; 731 732 case IPSEC_ID_IPV4_ADDR_SUBNET: 733 remote_id_type = "IPv4 subnet"; 734 735 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 736 subnet = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 737 net &= subnet; 738 my_inet_ntop4 (&net, remote_id_addr_lower, 739 sizeof remote_id_addr_lower - 1, 1); 740 net |= ~subnet; 741 my_inet_ntop4 (&net, remote_id_addr_upper, 742 sizeof remote_id_addr_upper - 1, 1); 743 remote_id = calloc (strlen (remote_id_addr_upper) 744 + strlen (remote_id_addr_lower) + 2, 745 sizeof (char)); 746 if (!remote_id) 747 { 748 log_error ("policy_callback: calloc (%d, %d) failed", 749 strlen (remote_id_addr_upper) 750 + strlen (remote_id_addr_lower) + 2, 751 sizeof (char)); 752 goto bad; 753 } 754 755 strcpy (remote_id, remote_id_addr_lower); 756 remote_id[strlen (remote_id_addr_lower)] = '-'; 757 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 758 remote_id_addr_upper); 759 break; 760 761 case IPSEC_ID_IPV6_ADDR: 762 remote_id_type = "IPv6 address"; 763 my_inet_ntop6 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 764 remote_id_addr_upper, sizeof remote_id_addr_upper); 765 strcpy (remote_id_addr_lower, remote_id_addr_upper); 766 remote_id = strdup (remote_id_addr_upper); 767 if (!remote_id) 768 { 769 log_error ("policy_callback: strdup (\"%s\") failed", 770 remote_id_addr_upper); 771 goto bad; 772 } 773 break; 774 775 case IPSEC_ID_IPV6_RANGE: 776 remote_id_type = "IPv6 range"; 777 778 my_inet_ntop6 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 779 remote_id_addr_lower, 780 sizeof remote_id_addr_lower - 1); 781 782 my_inet_ntop6 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, 783 remote_id_addr_upper, 784 sizeof remote_id_addr_upper - 1); 785 786 remote_id = calloc (strlen (remote_id_addr_upper) + 787 strlen (remote_id_addr_lower) + 2, 788 sizeof (char)); 789 if (!remote_id) 790 { 791 log_error ("policy_callback: calloc (%d, %d) failed", 792 strlen (remote_id_addr_upper) 793 + strlen (remote_id_addr_lower) + 2, 794 sizeof (char)); 795 goto bad; 796 } 797 798 strcpy (remote_id, remote_id_addr_lower); 799 remote_id[strlen (remote_id_addr_lower)] = '-'; 800 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 801 remote_id_addr_upper); 802 break; 803 804 case IPSEC_ID_IPV6_ADDR_SUBNET: 805 { 806 struct in6_addr net, mask; 807 808 remote_id_type = "IPv6 subnet"; 809 810 bcopy (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, &net, sizeof (net)); 811 bcopy (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, &mask, 812 sizeof (mask)); 813 814 for (i = 0; i < 16; i++) 815 net.s6_addr[i] &= mask.s6_addr[i]; 816 817 my_inet_ntop6 ((char *) &net, remote_id_addr_lower, 818 sizeof remote_id_addr_lower - 1); 819 820 for (i = 0; i < 16; i++) 821 net.s6_addr[i] |= ~mask.s6_addr[i]; 822 823 my_inet_ntop6 ((char *) &net, remote_id_addr_upper, 824 sizeof remote_id_addr_upper - 1); 825 826 remote_id = calloc (strlen (remote_id_addr_upper) + 827 strlen (remote_id_addr_lower) + 2, 828 sizeof (char)); 829 if (!remote_id) 830 { 831 log_error ("policy_callback: calloc (%d, %d) failed", 832 strlen (remote_id_addr_upper) 833 + strlen (remote_id_addr_lower) + 2, 834 sizeof (char)); 835 goto bad; 836 } 837 838 strcpy (remote_id, remote_id_addr_lower); 839 remote_id[strlen (remote_id_addr_lower)] = '-'; 840 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 841 remote_id_addr_upper); 842 break; 843 } 844 845 case IPSEC_ID_FQDN: 846 remote_id_type = "FQDN"; 847 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 848 sizeof (char)); 849 if (!remote_id) 850 { 851 log_error ("policy_callback: calloc (%d, %d) failed", 852 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 853 sizeof (char)); 854 goto bad; 855 } 856 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 857 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 858 break; 859 860 case IPSEC_ID_USER_FQDN: 861 remote_id_type = "User FQDN"; 862 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 863 sizeof (char)); 864 if (!remote_id) 865 { 866 log_error ("policy_callback: calloc (%d, %d) failed", 867 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 868 sizeof (char)); 869 goto bad; 870 } 871 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 872 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 873 break; 874 875 case IPSEC_ID_DER_ASN1_DN: 876 remote_id_type = "ASN1 DN"; 877 878 remote_id = x509_DN_string (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 879 id_sz - ISAKMP_ID_DATA_OFF 880 + ISAKMP_GEN_SZ); 881 if (!remote_id) 882 { 883 LOG_DBG ((LOG_POLICY, 50, 884 "policy_callback: failed to decode name")); 885 goto bad; 886 } 887 break; 888 889 case IPSEC_ID_DER_ASN1_GN: /* XXX */ 890 remote_id_type = "ASN1 GN"; 891 break; 892 893 case IPSEC_ID_KEY_ID: 894 remote_id_type = "Key ID"; 895 remote_id 896 = calloc (2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 897 sizeof (char)); 898 if (!remote_id) 899 { 900 log_error ("policy_callback: calloc (%d, %d) failed", 901 2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 902 sizeof (char)); 903 goto bad; 904 } 905 /* Does it contain any non-printable characters ? */ 906 for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++) 907 if (!isprint (*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + i))) 908 break; 909 if (i >= id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) 910 { 911 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 912 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 913 break; 914 } 915 /* Non-printable characters, convert to hex */ 916 for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++) 917 { 918 remote_id[2 * i] 919 = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]; 920 remote_id[2 * i + 1] 921 = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF]; 922 } 923 break; 924 925 default: 926 log_print ("policy_callback: unknown remote ID type %u", id[0]); 927 goto bad; 928 } 929 930 switch (id[1]) 931 { 932 case IPPROTO_TCP: 933 remote_id_proto = "tcp"; 934 break; 935 936 case IPPROTO_UDP: 937 remote_id_proto = "udp"; 938 break; 939 940#ifdef IPPROTO_ETHERIP 941 case IPPROTO_ETHERIP: 942 remote_id_proto = "etherip"; 943 break; 944#endif 945 946 default: 947 sprintf (remote_id_proto_num, "%2d", id[1]); 948 remote_id_proto = remote_id_proto_num; 949 break; 950 } 951 952 snprintf (remote_id_port, sizeof remote_id_port - 1, "%u", 953 decode_16 (id + 2)); 954 955 if (policy_exchange->initiator) 956 { 957 initiator = "yes"; 958 idlocal = ie->id_ci; 959 idremote = ie->id_cr; 960 idlocalsz = ie->id_ci_sz; 961 idremotesz = ie->id_cr_sz; 962 } 963 else 964 { 965 initiator = "no"; 966 idlocal = ie->id_cr; 967 idremote = ie->id_ci; 968 idlocalsz = ie->id_cr_sz; 969 idremotesz = ie->id_ci_sz; 970 } 971 972 /* Initialize the ID variables. */ 973 if (idremote) 974 { 975 switch (GET_ISAKMP_ID_TYPE (idremote)) 976 { 977 case IPSEC_ID_IPV4_ADDR: 978 remote_filter_type = "IPv4 address"; 979 980 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 981 my_inet_ntop4 (&net, remote_filter_addr_upper, 982 sizeof remote_filter_addr_upper - 1, 1); 983 my_inet_ntop4 (&net, remote_filter_addr_lower, 984 sizeof remote_filter_addr_lower - 1, 1); 985 remote_filter = strdup (remote_filter_addr_upper); 986 if (!remote_filter) 987 { 988 log_error ("policy_callback: strdup (\"%s\") failed", 989 remote_filter_addr_upper); 990 goto bad; 991 } 992 break; 993 994 case IPSEC_ID_IPV4_RANGE: 995 remote_filter_type = "IPv4 range"; 996 997 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 998 my_inet_ntop4 (&net, remote_filter_addr_lower, 999 sizeof remote_filter_addr_lower - 1, 1); 1000 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 1001 my_inet_ntop4 (&net, remote_filter_addr_upper, 1002 sizeof remote_filter_addr_upper - 1, 1); 1003 remote_filter = calloc (strlen (remote_filter_addr_upper) 1004 + strlen (remote_filter_addr_lower) + 2, 1005 sizeof (char)); 1006 if (!remote_filter) 1007 { 1008 log_error ("policy_callback: calloc (%d, %d) failed", 1009 strlen (remote_filter_addr_upper) 1010 + strlen (remote_filter_addr_lower) + 2, 1011 sizeof (char)); 1012 goto bad; 1013 } 1014 strcpy (remote_filter, remote_filter_addr_lower); 1015 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 1016 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 1017 remote_filter_addr_upper); 1018 break; 1019 1020 case IPSEC_ID_IPV4_ADDR_SUBNET: 1021 remote_filter_type = "IPv4 subnet"; 1022 1023 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 1024 subnet = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 1025 net &= subnet; 1026 my_inet_ntop4 (&net, remote_filter_addr_lower, 1027 sizeof remote_filter_addr_lower - 1, 1); 1028 net |= ~subnet; 1029 my_inet_ntop4 (&net, remote_filter_addr_upper, 1030 sizeof remote_filter_addr_upper - 1, 1); 1031 remote_filter = calloc (strlen (remote_filter_addr_upper) 1032 + strlen (remote_filter_addr_lower) + 2, 1033 sizeof (char)); 1034 if (!remote_filter) 1035 { 1036 log_error ("policy_callback: calloc (%d, %d) failed", 1037 strlen (remote_filter_addr_upper) 1038 + strlen (remote_filter_addr_lower) + 2, 1039 sizeof (char)); 1040 goto bad; 1041 } 1042 strcpy (remote_filter, remote_filter_addr_lower); 1043 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 1044 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 1045 remote_filter_addr_upper); 1046 break; 1047 1048 case IPSEC_ID_IPV6_ADDR: 1049 remote_filter_type = "IPv6 address"; 1050 my_inet_ntop6 (idremote + ISAKMP_ID_DATA_OFF, 1051 remote_filter_addr_upper, 1052 sizeof remote_filter_addr_upper - 1); 1053 strcpy (remote_filter_addr_lower, remote_filter_addr_upper); 1054 remote_filter = strdup (remote_filter_addr_upper); 1055 if (!remote_filter) 1056 { 1057 log_error ("policy_callback: strdup (\"%s\") failed", 1058 remote_filter_addr_upper); 1059 goto bad; 1060 } 1061 break; 1062 1063 case IPSEC_ID_IPV6_RANGE: 1064 remote_filter_type = "IPv6 range"; 1065 1066 my_inet_ntop6 (idremote + ISAKMP_ID_DATA_OFF, 1067 remote_filter_addr_lower, 1068 sizeof remote_filter_addr_lower - 1); 1069 1070 my_inet_ntop6 (idremote + ISAKMP_ID_DATA_OFF + 16, 1071 remote_filter_addr_upper, 1072 sizeof remote_filter_addr_upper - 1); 1073 1074 remote_filter = calloc (strlen (remote_filter_addr_upper) + 1075 strlen (remote_filter_addr_lower) + 2, 1076 sizeof (char)); 1077 if (!remote_filter) 1078 { 1079 log_error ("policy_callback: calloc (%d, %d) failed", 1080 strlen (remote_filter_addr_upper) + 1081 strlen (remote_filter_addr_lower) + 2, 1082 sizeof (char)); 1083 goto bad; 1084 } 1085 1086 strcpy (remote_filter, remote_filter_addr_lower); 1087 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 1088 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 1089 remote_filter_addr_upper); 1090 break; 1091 1092 case IPSEC_ID_IPV6_ADDR_SUBNET: 1093 { 1094 struct in6_addr net, mask; 1095 1096 remote_filter_type = "IPv6 subnet"; 1097 1098 bcopy (idremote + ISAKMP_ID_DATA_OFF, &net, sizeof (net)); 1099 bcopy (idremote + ISAKMP_ID_DATA_OFF + 16, &mask, sizeof (mask)); 1100 1101 for (i = 0; i < 16; i++) 1102 net.s6_addr[i] &= mask.s6_addr[i]; 1103 1104 my_inet_ntop6 ((char *) &net, remote_filter_addr_lower, 1105 sizeof remote_filter_addr_lower - 1); 1106 1107 for (i = 0; i < 16; i++) 1108 net.s6_addr[i] |= ~mask.s6_addr[i]; 1109 1110 my_inet_ntop6 ((char *) &net, remote_filter_addr_upper, 1111 sizeof remote_filter_addr_upper - 1); 1112 1113 remote_filter = calloc (strlen (remote_filter_addr_upper) + 1114 strlen (remote_filter_addr_lower) + 2, 1115 sizeof (char)); 1116 if (!remote_filter) 1117 { 1118 log_error ("policy_callback: calloc (%d, %d) failed", 1119 strlen (remote_filter_addr_upper) + 1120 strlen (remote_filter_addr_lower) + 2, 1121 sizeof (char)); 1122 goto bad; 1123 } 1124 1125 strcpy (remote_filter, remote_filter_addr_lower); 1126 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 1127 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 1128 remote_filter_addr_upper); 1129 break; 1130 } 1131 1132 case IPSEC_ID_FQDN: 1133 remote_filter_type = "FQDN"; 1134 remote_filter = malloc (idremotesz - ISAKMP_ID_DATA_OFF + 1); 1135 if (!remote_filter) 1136 { 1137 log_error ("policy_callback: malloc (%d) failed", 1138 idremotesz - ISAKMP_ID_DATA_OFF + 1); 1139 goto bad; 1140 } 1141 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 1142 idremotesz - ISAKMP_ID_DATA_OFF); 1143 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] = '\0'; 1144 break; 1145 1146 case IPSEC_ID_USER_FQDN: 1147 remote_filter_type = "User FQDN"; 1148 remote_filter = malloc (idremotesz - ISAKMP_ID_DATA_OFF + 1); 1149 if (!remote_filter) 1150 { 1151 log_error ("policy_callback: malloc (%d) failed", 1152 idremotesz - ISAKMP_ID_DATA_OFF + 1); 1153 goto bad; 1154 } 1155 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 1156 idremotesz - ISAKMP_ID_DATA_OFF); 1157 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] = '\0'; 1158 break; 1159 1160 case IPSEC_ID_DER_ASN1_DN: 1161 remote_filter_type = "ASN1 DN"; 1162 1163 remote_filter = x509_DN_string (idremote + ISAKMP_ID_DATA_OFF, 1164 idremotesz - ISAKMP_ID_DATA_OFF); 1165 if (!remote_filter) 1166 { 1167 LOG_DBG ((LOG_POLICY, 50, 1168 "policy_callback: failed to decode name")); 1169 goto bad; 1170 } 1171 break; 1172 1173 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 1174 remote_filter_type = "ASN1 GN"; 1175 break; 1176 1177 case IPSEC_ID_KEY_ID: 1178 remote_filter_type = "Key ID"; 1179 remote_filter 1180 = calloc (2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, 1181 sizeof (char)); 1182 if (!remote_filter) 1183 { 1184 log_error ("policy_callback: calloc (%d, %d) failed", 1185 2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, 1186 sizeof (char)); 1187 goto bad; 1188 } 1189 /* Does it contain any non-printable characters ? */ 1190 for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1191 if (!isprint (*(idremote + ISAKMP_ID_DATA_OFF + i))) 1192 break; 1193 if (i >= idremotesz - ISAKMP_ID_DATA_OFF) 1194 { 1195 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 1196 idremotesz - ISAKMP_ID_DATA_OFF); 1197 break; 1198 } 1199 /* Non-printable characters, convert to hex */ 1200 for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1201 { 1202 remote_filter[2 * i] 1203 = hextab[*(idremote + ISAKMP_ID_DATA_OFF) >> 4]; 1204 remote_filter[2 * i + 1] 1205 = hextab[*(idremote + ISAKMP_ID_DATA_OFF) & 0xF]; 1206 } 1207 break; 1208 1209 default: 1210 log_print ("policy_callback: unknown Remote ID type %u", 1211 GET_ISAKMP_ID_TYPE (idremote)); 1212 goto bad; 1213 } 1214 1215 switch (idremote[ISAKMP_GEN_SZ + 1]) 1216 { 1217 case IPPROTO_TCP: 1218 remote_filter_proto = "tcp"; 1219 break; 1220 1221 case IPPROTO_UDP: 1222 remote_filter_proto = "udp"; 1223 break; 1224 1225#ifdef IPPROTO_ETHERIP 1226 case IPPROTO_ETHERIP: 1227 remote_filter_proto = "etherip"; 1228 break; 1229#endif 1230 1231 default: 1232 sprintf (remote_filter_proto_num, "%2d", 1233 idremote[ISAKMP_GEN_SZ + 1]); 1234 remote_filter_proto = remote_filter_proto_num; 1235 break; 1236 } 1237 1238 snprintf (remote_filter_port, sizeof remote_filter_port - 1, 1239 "%u", decode_16 (idremote + ISAKMP_GEN_SZ + 2)); 1240 } 1241 else 1242 { 1243 policy_sa->transport->vtbl->get_dst (policy_sa->transport, &sin); 1244 switch (sin->sa_family) 1245 { 1246 case AF_INET: 1247 remote_filter_type = "IPv4 address"; 1248 break; 1249 case AF_INET6: 1250 remote_filter_type = "IPv6 address"; 1251 break; 1252 default: 1253 log_print ("policy_callback: unsupported protocol family %d", 1254 sin->sa_family); 1255 goto bad; 1256 } 1257 if (sockaddr2text (sin, &addr, 1)) 1258 { 1259 log_error ("policy_callback: sockaddr2text failed"); 1260 goto bad; 1261 } 1262 memcpy (remote_filter_addr_upper, addr, 1263 sizeof remote_filter_addr_upper); 1264 memcpy (remote_filter_addr_lower, addr, 1265 sizeof remote_filter_addr_lower); 1266 free (addr); 1267 remote_filter = strdup (remote_filter_addr_upper); 1268 if (!remote_filter) 1269 { 1270 log_error ("policy_callback: strdup (\"%s\") failed", 1271 remote_filter_addr_upper); 1272 goto bad; 1273 } 1274 } 1275 1276 if (idlocal) 1277 { 1278 switch (GET_ISAKMP_ID_TYPE (idlocal)) 1279 { 1280 case IPSEC_ID_IPV4_ADDR: 1281 local_filter_type = "IPv4 address"; 1282 1283 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1284 my_inet_ntop4 (&net, local_filter_addr_upper, 1285 sizeof local_filter_addr_upper - 1, 1); 1286 my_inet_ntop4 (&net, local_filter_addr_lower, 1287 sizeof local_filter_addr_upper - 1, 1); 1288 local_filter = strdup (local_filter_addr_upper); 1289 if (!local_filter) 1290 { 1291 log_error ("policy_callback: strdup (\"%s\") failed", 1292 local_filter_addr_upper); 1293 goto bad; 1294 } 1295 break; 1296 1297 case IPSEC_ID_IPV4_RANGE: 1298 local_filter_type = "IPv4 range"; 1299 1300 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1301 my_inet_ntop4 (&net, local_filter_addr_lower, 1302 sizeof local_filter_addr_lower - 1, 1); 1303 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1304 my_inet_ntop4 (&net, local_filter_addr_upper, 1305 sizeof local_filter_addr_upper - 1, 1); 1306 local_filter = calloc (strlen (local_filter_addr_upper) 1307 + strlen (local_filter_addr_lower) + 2, 1308 sizeof (char)); 1309 if (!local_filter) 1310 { 1311 log_error ("policy_callback: calloc (%d, %d) failed", 1312 strlen (local_filter_addr_upper) 1313 + strlen (local_filter_addr_lower) + 2, 1314 sizeof (char)); 1315 goto bad; 1316 } 1317 strcpy (local_filter, local_filter_addr_lower); 1318 local_filter[strlen (local_filter_addr_lower)] = '-'; 1319 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1320 local_filter_addr_upper); 1321 break; 1322 1323 case IPSEC_ID_IPV4_ADDR_SUBNET: 1324 local_filter_type = "IPv4 subnet"; 1325 1326 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1327 subnet = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1328 net &= subnet; 1329 my_inet_ntop4 (&net, local_filter_addr_lower, 1330 sizeof local_filter_addr_lower - 1, 1); 1331 net |= ~subnet; 1332 my_inet_ntop4 (&net, local_filter_addr_upper, 1333 sizeof local_filter_addr_upper - 1, 1); 1334 local_filter = calloc (strlen (local_filter_addr_upper) 1335 + strlen (local_filter_addr_lower) + 2, 1336 sizeof (char)); 1337 if (!local_filter) 1338 { 1339 log_error ("policy_callback: calloc (%d, %d) failed", 1340 strlen (local_filter_addr_upper) 1341 + strlen (local_filter_addr_lower) + 2, 1342 sizeof (char)); 1343 goto bad; 1344 } 1345 strcpy (local_filter, local_filter_addr_lower); 1346 local_filter[strlen (local_filter_addr_lower)] = '-'; 1347 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1348 local_filter_addr_upper); 1349 break; 1350 1351 case IPSEC_ID_IPV6_ADDR: 1352 local_filter_type = "IPv6 address"; 1353 my_inet_ntop6 (idlocal + ISAKMP_ID_DATA_OFF, 1354 local_filter_addr_upper, 1355 sizeof local_filter_addr_upper - 1); 1356 strcpy (local_filter_addr_lower, local_filter_addr_upper); 1357 local_filter = strdup (local_filter_addr_upper); 1358 if (!local_filter) 1359 { 1360 log_error ("policy_callback: strdup (\"%s\") failed", 1361 local_filter_addr_upper); 1362 goto bad; 1363 } 1364 break; 1365 1366 case IPSEC_ID_IPV6_RANGE: 1367 local_filter_type = "IPv6 range"; 1368 1369 my_inet_ntop6 (idlocal + ISAKMP_ID_DATA_OFF, 1370 local_filter_addr_lower, 1371 sizeof local_filter_addr_lower - 1); 1372 1373 my_inet_ntop6 (idlocal + ISAKMP_ID_DATA_OFF + 16, 1374 local_filter_addr_upper, 1375 sizeof local_filter_addr_upper - 1); 1376 1377 local_filter = calloc (strlen (local_filter_addr_upper) + 1378 strlen (local_filter_addr_lower) + 2, 1379 sizeof (char)); 1380 if (!local_filter) 1381 { 1382 log_error ("policy_callback: calloc (%d, %d) failed", 1383 strlen (local_filter_addr_upper) + 1384 strlen (local_filter_addr_lower) + 2, 1385 sizeof (char)); 1386 goto bad; 1387 } 1388 1389 strcpy (local_filter, local_filter_addr_lower); 1390 local_filter[strlen (local_filter_addr_lower)] = '-'; 1391 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1392 local_filter_addr_upper); 1393 break; 1394 1395 case IPSEC_ID_IPV6_ADDR_SUBNET: 1396 { 1397 struct in6_addr net, mask; 1398 1399 local_filter_type = "IPv6 subnet"; 1400 1401 bcopy (idlocal + ISAKMP_ID_DATA_OFF, &net, sizeof (net)); 1402 bcopy (idlocal + ISAKMP_ID_DATA_OFF + 16, &mask, sizeof (mask)); 1403 1404 for (i = 0; i < 16; i++) 1405 net.s6_addr[i] &= mask.s6_addr[i]; 1406 1407 my_inet_ntop6 ((char *) &net, local_filter_addr_lower, 1408 sizeof local_filter_addr_lower - 1); 1409 1410 for (i = 0; i < 16; i++) 1411 net.s6_addr[i] |= ~mask.s6_addr[i]; 1412 1413 my_inet_ntop6 ((char *) &net, local_filter_addr_upper, 1414 sizeof local_filter_addr_upper - 1); 1415 1416 local_filter = calloc (strlen (local_filter_addr_upper) + 1417 strlen (local_filter_addr_lower) + 2, 1418 sizeof (char)); 1419 if (!local_filter) 1420 { 1421 log_error ("policy_callback: calloc (%d, %d) failed", 1422 strlen (local_filter_addr_upper) + 1423 strlen (local_filter_addr_lower) + 2, 1424 sizeof (char)); 1425 goto bad; 1426 } 1427 1428 strcpy (local_filter, local_filter_addr_lower); 1429 local_filter[strlen (local_filter_addr_lower)] = '-'; 1430 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1431 local_filter_addr_upper); 1432 break; 1433 } 1434 1435 case IPSEC_ID_FQDN: 1436 local_filter_type = "FQDN"; 1437 local_filter = malloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1); 1438 if (!local_filter) 1439 { 1440 log_error ("policy_callback: malloc (%d) failed", 1441 idlocalsz - ISAKMP_ID_DATA_OFF + 1); 1442 goto bad; 1443 } 1444 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1445 idlocalsz - ISAKMP_ID_DATA_OFF); 1446 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1447 break; 1448 1449 case IPSEC_ID_USER_FQDN: 1450 local_filter_type = "User FQDN"; 1451 local_filter = malloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1); 1452 if (!local_filter) 1453 { 1454 log_error ("policy_callback: malloc (%d) failed", 1455 idlocalsz - ISAKMP_ID_DATA_OFF + 1); 1456 goto bad; 1457 } 1458 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1459 idlocalsz - ISAKMP_ID_DATA_OFF); 1460 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1461 break; 1462 1463 case IPSEC_ID_DER_ASN1_DN: 1464 local_filter_type = "ASN1 DN"; 1465 1466 local_filter = x509_DN_string (idlocal + ISAKMP_ID_DATA_OFF, 1467 idlocalsz - ISAKMP_ID_DATA_OFF); 1468 if (!local_filter) 1469 { 1470 LOG_DBG ((LOG_POLICY, 50, 1471 "policy_callback: failed to decode name")); 1472 goto bad; 1473 } 1474 break; 1475 1476 case IPSEC_ID_DER_ASN1_GN: 1477 /* XXX -- not sure what's in this. */ 1478 local_filter_type = "ASN1 GN"; 1479 break; 1480 1481 case IPSEC_ID_KEY_ID: 1482 local_filter_type = "Key ID"; 1483 local_filter = calloc (2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, 1484 sizeof (char)); 1485 if (!local_filter) 1486 { 1487 log_error ("policy_callback: calloc (%d, %d) failed", 1488 2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, 1489 sizeof (char)); 1490 goto bad; 1491 } 1492 /* Does it contain any non-printable characters ? */ 1493 for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1494 if (!isprint (*(idlocal + ISAKMP_ID_DATA_OFF + i))) 1495 break; 1496 if (i >= idlocalsz - ISAKMP_ID_DATA_OFF) 1497 { 1498 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1499 idlocalsz - ISAKMP_ID_DATA_OFF); 1500 break; 1501 } 1502 /* Non-printable characters, convert to hex */ 1503 for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1504 { 1505 local_filter[2 * i] 1506 = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) >> 4]; 1507 local_filter[2 * i + 1] 1508 = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) & 0xF]; 1509 } 1510 break; 1511 1512 default: 1513 log_print ("policy_callback: unknown Local ID type %u", 1514 GET_ISAKMP_ID_TYPE (idlocal)); 1515 goto bad; 1516 } 1517 1518 switch (idlocal[ISAKMP_GEN_SZ + 1]) 1519 { 1520 case IPPROTO_TCP: 1521 local_filter_proto = "tcp"; 1522 break; 1523 1524 case IPPROTO_UDP: 1525 local_filter_proto = "udp"; 1526 break; 1527 1528#ifdef IPPROTO_ETHERIP 1529 case IPPROTO_ETHERIP: 1530 local_filter_proto = "etherip"; 1531 break; 1532#endif 1533 1534 default: 1535 sprintf (local_filter_proto_num, "%2d", 1536 idlocal[ISAKMP_GEN_SZ + 1]); 1537 local_filter_proto = local_filter_proto_num; 1538 break; 1539 } 1540 1541 snprintf (local_filter_port, sizeof local_filter_port - 1, 1542 "%u", decode_16 (idlocal + ISAKMP_GEN_SZ + 2)); 1543 } 1544 else 1545 { 1546 policy_sa->transport->vtbl->get_src (policy_sa->transport, 1547 (struct sockaddr **)&sin); 1548 switch (sin->sa_family) 1549 { 1550 case AF_INET: 1551 local_filter_type = "IPv4 address"; 1552 break; 1553 case AF_INET6: 1554 local_filter_type = "IPv6 address"; 1555 break; 1556 default: 1557 log_print ("policy_callback: unsupported protocol family %d", 1558 sin->sa_family); 1559 goto bad; 1560 } 1561 1562 if (sockaddr2text (sin, &addr, 1)) 1563 { 1564 log_error ("policy_callback: sockaddr2text failed"); 1565 goto bad; 1566 } 1567 memcpy (local_filter_addr_upper, addr, 1568 sizeof local_filter_addr_upper); 1569 memcpy (local_filter_addr_lower, addr, 1570 sizeof local_filter_addr_lower); 1571 free (addr); 1572 local_filter = strdup (local_filter_addr_upper); 1573 if (!local_filter) 1574 { 1575 log_error ("policy_callback: strdup (\"%s\") failed", 1576 local_filter_addr_upper); 1577 goto bad; 1578 } 1579 } 1580 1581 LOG_DBG ((LOG_POLICY, 80, "Policy context (action attributes):")); 1582 LOG_DBG ((LOG_POLICY, 80, "esp_present == %s", esp_present)); 1583 LOG_DBG ((LOG_POLICY, 80, "ah_present == %s", ah_present)); 1584 LOG_DBG ((LOG_POLICY, 80, "comp_present == %s", comp_present)); 1585 LOG_DBG ((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg)); 1586 LOG_DBG ((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg)); 1587 LOG_DBG ((LOG_POLICY, 80, "comp_alg == %s", comp_alg)); 1588 LOG_DBG ((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg)); 1589 LOG_DBG ((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg)); 1590 LOG_DBG ((LOG_POLICY, 80, "ah_life_seconds == %s", ah_life_seconds)); 1591 LOG_DBG ((LOG_POLICY, 80, "ah_life_kbytes == %s", ah_life_kbytes)); 1592 LOG_DBG ((LOG_POLICY, 80, "esp_life_seconds == %s", esp_life_seconds)); 1593 LOG_DBG ((LOG_POLICY, 80, "esp_life_kbytes == %s", esp_life_kbytes)); 1594 LOG_DBG ((LOG_POLICY, 80, "comp_life_seconds == %s", comp_life_seconds)); 1595 LOG_DBG ((LOG_POLICY, 80, "comp_life_kbytes == %s", comp_life_kbytes)); 1596 LOG_DBG ((LOG_POLICY, 80, "ah_encapsulation == %s", ah_encapsulation)); 1597 LOG_DBG ((LOG_POLICY, 80, "esp_encapsulation == %s", esp_encapsulation)); 1598 LOG_DBG ((LOG_POLICY, 80, "comp_encapsulation == %s", 1599 comp_encapsulation)); 1600 LOG_DBG ((LOG_POLICY, 80, "comp_dict_size == %s", comp_dict_size)); 1601 LOG_DBG ((LOG_POLICY, 80, "comp_private_alg == %s", comp_private_alg)); 1602 LOG_DBG ((LOG_POLICY, 80, "ah_key_length == %s", ah_key_length)); 1603 LOG_DBG ((LOG_POLICY, 80, "ah_key_rounds == %s", ah_key_rounds)); 1604 LOG_DBG ((LOG_POLICY, 80, "esp_key_length == %s", esp_key_length)); 1605 LOG_DBG ((LOG_POLICY, 80, "esp_key_rounds == %s", esp_key_rounds)); 1606 LOG_DBG ((LOG_POLICY, 80, "ah_group_desc == %s", ah_group_desc)); 1607 LOG_DBG ((LOG_POLICY, 80, "esp_group_desc == %s", esp_group_desc)); 1608 LOG_DBG ((LOG_POLICY, 80, "comp_group_desc == %s", comp_group_desc)); 1609 LOG_DBG ((LOG_POLICY, 80, "remote_filter_type == %s", 1610 remote_filter_type)); 1611 LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_upper == %s", 1612 remote_filter_addr_upper)); 1613 LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_lower == %s", 1614 remote_filter_addr_lower)); 1615 LOG_DBG ((LOG_POLICY, 80, "remote_filter == %s", 1616 (remote_filter ? remote_filter : ""))); 1617 LOG_DBG ((LOG_POLICY, 80, "remote_filter_port == %s", 1618 remote_filter_port)); 1619 LOG_DBG ((LOG_POLICY, 80, "remote_filter_proto == %s", 1620 remote_filter_proto)); 1621 LOG_DBG ((LOG_POLICY, 80, "local_filter_type == %s", local_filter_type)); 1622 LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_upper == %s", 1623 local_filter_addr_upper)); 1624 LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_lower == %s", 1625 local_filter_addr_lower)); 1626 LOG_DBG ((LOG_POLICY, 80, "local_filter == %s", 1627 (local_filter ? local_filter : ""))); 1628 LOG_DBG ((LOG_POLICY, 80, "local_filter_port == %s", local_filter_port)); 1629 LOG_DBG ((LOG_POLICY, 80, "local_filter_proto == %s", 1630 local_filter_proto)); 1631 LOG_DBG ((LOG_POLICY, 80, "remote_id_type == %s", remote_id_type)); 1632 LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_upper == %s", 1633 remote_id_addr_upper)); 1634 LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_lower == %s", 1635 remote_id_addr_lower)); 1636 LOG_DBG ((LOG_POLICY, 80, "remote_id == %s", 1637 (remote_id ? remote_id : ""))); 1638 LOG_DBG ((LOG_POLICY, 80, "remote_id_port == %s", remote_id_port)); 1639 LOG_DBG ((LOG_POLICY, 80, "remote_id_proto == %s", remote_id_proto)); 1640 LOG_DBG ((LOG_POLICY, 80, "remote_negotiation_address == %s", 1641 remote_ike_address)); 1642 LOG_DBG ((LOG_POLICY, 80, "local_negotiation_address == %s", 1643 local_ike_address)); 1644 LOG_DBG ((LOG_POLICY, 80, "pfs == %s", pfs)); 1645 LOG_DBG ((LOG_POLICY, 80, "initiator == %s", initiator)); 1646 LOG_DBG ((LOG_POLICY, 80, "phase1_group_desc == %s", phase1_group)); 1647 1648 /* Unset dirty now. */ 1649 dirty = 0; 1650 } 1651 1652 if (strcmp (name, "phase_1") == 0) 1653 return phase_1; 1654 1655 if (strcmp (name, "GMTTimeOfDay") == 0) 1656 { 1657 tt = time ((time_t) NULL); 1658 strftime (mytimeofday, 14, "%G%m%d%H%M%S", gmtime (&tt)); 1659 return mytimeofday; 1660 } 1661 1662 if (strcmp (name, "LocalTimeOfDay") == 0) 1663 { 1664 tt = time ((time_t) NULL); 1665 strftime (mytimeofday, 14, "%G%m%d%H%M%S", localtime (&tt)); 1666 return mytimeofday; 1667 } 1668 1669 if (strcmp (name, "initiator") == 0) 1670 return initiator; 1671 1672 if (strcmp (name, "pfs") == 0) 1673 return pfs; 1674 1675 if (strcmp (name, "app_domain") == 0) 1676 return "IPsec policy"; 1677 1678 if (strcmp (name, "doi") == 0) 1679 return "ipsec"; 1680 1681 if (strcmp (name, "esp_present") == 0) 1682 return esp_present; 1683 1684 if (strcmp (name, "ah_present") == 0) 1685 return ah_present; 1686 1687 if (strcmp (name, "comp_present") == 0) 1688 return comp_present; 1689 1690 if (strcmp (name, "ah_hash_alg") == 0) 1691 return ah_hash_alg; 1692 1693 if (strcmp (name, "ah_auth_alg") == 0) 1694 return ah_auth_alg; 1695 1696 if (strcmp (name, "esp_auth_alg") == 0) 1697 return esp_auth_alg; 1698 1699 if (strcmp (name, "esp_enc_alg") == 0) 1700 return esp_enc_alg; 1701 1702 if (strcmp (name, "comp_alg") == 0) 1703 return comp_alg; 1704 1705 if (strcmp (name, "ah_life_kbytes") == 0) 1706 return ah_life_kbytes; 1707 1708 if (strcmp (name, "ah_life_seconds") == 0) 1709 return ah_life_seconds; 1710 1711 if (strcmp (name, "esp_life_kbytes") == 0) 1712 return esp_life_kbytes; 1713 1714 if (strcmp (name, "esp_life_seconds") == 0) 1715 return esp_life_seconds; 1716 1717 if (strcmp (name, "comp_life_kbytes") == 0) 1718 return comp_life_kbytes; 1719 1720 if (strcmp (name, "comp_life_seconds") == 0) 1721 return comp_life_seconds; 1722 1723 if (strcmp (name, "ah_encapsulation") == 0) 1724 return ah_encapsulation; 1725 1726 if (strcmp (name, "esp_encapsulation") == 0) 1727 return esp_encapsulation; 1728 1729 if (strcmp (name, "comp_encapsulation") == 0) 1730 return comp_encapsulation; 1731 1732 if (strcmp (name, "ah_key_length") == 0) 1733 return ah_key_length; 1734 1735 if (strcmp (name, "ah_key_rounds") == 0) 1736 return ah_key_rounds; 1737 1738 if (strcmp (name, "esp_key_length") == 0) 1739 return esp_key_length; 1740 1741 if (strcmp (name, "esp_key_rounds") == 0) 1742 return esp_key_rounds; 1743 1744 if (strcmp (name, "comp_dict_size") == 0) 1745 return comp_dict_size; 1746 1747 if (strcmp (name, "comp_private_alg") == 0) 1748 return comp_private_alg; 1749 1750 if (strcmp (name, "remote_filter_type") == 0) 1751 return remote_filter_type; 1752 1753 if (strcmp (name, "remote_filter") == 0) 1754 return (remote_filter ? remote_filter : ""); 1755 1756 if (strcmp (name, "remote_filter_addr_upper") == 0) 1757 return remote_filter_addr_upper; 1758 1759 if (strcmp (name, "remote_filter_addr_lower") == 0) 1760 return remote_filter_addr_lower; 1761 1762 if (strcmp (name, "remote_filter_port") == 0) 1763 return remote_filter_port; 1764 1765 if (strcmp (name, "remote_filter_proto") == 0) 1766 return remote_filter_proto; 1767 1768 if (strcmp (name, "local_filter_type") == 0) 1769 return local_filter_type; 1770 1771 if (strcmp (name, "local_filter") == 0) 1772 return (local_filter ? local_filter : ""); 1773 1774 if (strcmp (name, "local_filter_addr_upper") == 0) 1775 return local_filter_addr_upper; 1776 1777 if (strcmp (name, "local_filter_addr_lower") == 0) 1778 return local_filter_addr_lower; 1779 1780 if (strcmp (name, "local_filter_port") == 0) 1781 return local_filter_port; 1782 1783 if (strcmp (name, "local_filter_proto") == 0) 1784 return local_filter_proto; 1785 1786 if (strcmp (name, "remote_ike_address") == 0) 1787 return remote_ike_address; 1788 1789 if (strcmp (name, "remote_negotiation_address") == 0) 1790 return remote_ike_address; 1791 1792 if (strcmp (name, "local_ike_address") == 0) 1793 return local_ike_address; 1794 1795 if (strcmp (name, "local_negotiation_address") == 0) 1796 return local_ike_address; 1797 1798 if (strcmp (name, "remote_id_type") == 0) 1799 return remote_id_type; 1800 1801 if (strcmp (name, "remote_id") == 0) 1802 return (remote_id ? remote_id : ""); 1803 1804 if (strcmp (name, "remote_id_addr_upper") == 0) 1805 return remote_id_addr_upper; 1806 1807 if (strcmp (name, "remote_id_addr_lower") == 0) 1808 return remote_id_addr_lower; 1809 1810 if (strcmp (name, "remote_id_port") == 0) 1811 return remote_id_port; 1812 1813 if (strcmp (name, "remote_id_proto") == 0) 1814 return remote_id_proto; 1815 1816 if (strcmp (name, "phase1_group_desc") == 0) 1817 return phase1_group; 1818 1819 return ""; 1820 1821 bad: 1822 policy_callback (KEYNOTE_CALLBACK_INITIALIZE); 1823 return ""; 1824} 1825 1826void 1827policy_init (void) 1828{ 1829 char *ptr, *policy_file; 1830 char **asserts; 1831 off_t sz; 1832 int fd, len, i; 1833 1834 LOG_DBG ((LOG_POLICY, 30, "policy_init: initializing")); 1835 1836#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) 1837 if (!dyn_load (libkeynote_script)) 1838 return; 1839#endif 1840 1841 /* Get policy file from configuration. */ 1842 policy_file = conf_get_str ("General", "Policy-file"); 1843 if (!policy_file) 1844 policy_file = POLICY_FILE_DEFAULT; 1845 1846 /* Check file modes and collect file size */ 1847 if (check_file_secrecy (policy_file, &sz)) 1848 log_fatal ("policy_init: cannot read %s", policy_file); 1849 1850 /* Open policy file. */ 1851 fd = open (policy_file, O_RDONLY); 1852 if (fd == -1) 1853 log_fatal ("policy_init: open (\"%s\", O_RDONLY) failed", policy_file); 1854 1855 /* Allocate memory to keep policies. */ 1856 ptr = calloc (sz + 1, sizeof (char)); 1857 if (!ptr) 1858 log_fatal ("policy_init: calloc (%d, %d) failed", sz + 1, 1859 sizeof (char)); 1860 1861 /* Just in case there are short reads... */ 1862 for (len = 0; len < sz; len += i) 1863 { 1864 i = read (fd, ptr + len, sz - len); 1865 if (i == -1) 1866 log_fatal ("policy_init: read (%d, %p, %d) failed", fd, ptr + len, 1867 sz - len); 1868 } 1869 1870 /* We're done with this. */ 1871 close (fd); 1872 1873 /* Parse buffer, break up into individual policies. */ 1874 asserts = LK (kn_read_asserts, (ptr, sz, &i)); 1875 1876 /* Begone! */ 1877 free (ptr); 1878 1879 if (asserts == (char **) NULL) 1880 log_print ("policy_init: all policies flushed"); 1881 1882 /* Cleanup */ 1883 if (keynote_policy_asserts) 1884 { 1885 for (fd = 0; fd < keynote_policy_asserts_num; fd++) 1886 if (keynote_policy_asserts && keynote_policy_asserts[fd]) 1887 free (keynote_policy_asserts[fd]); 1888 1889 free (keynote_policy_asserts); 1890 } 1891 1892 keynote_policy_asserts = asserts; 1893 keynote_policy_asserts_num = i; 1894} 1895 1896/* Nothing needed for initialization */ 1897int 1898keynote_cert_init (void) 1899{ 1900 return 1; 1901} 1902 1903/* Just copy and return. */ 1904void * 1905keynote_cert_get (u_int8_t *data, u_int32_t len) 1906{ 1907 char *foo = malloc (len + 1); 1908 1909 if (foo == NULL) 1910 return NULL; 1911 1912 memcpy (foo, data, len); 1913 foo[len] = '\0'; 1914 return foo; 1915} 1916 1917/* 1918 * We just verify the signature on the credentials. 1919 * On signature failure, just drop the whole payload. 1920 */ 1921int 1922keynote_cert_validate (void *scert) 1923{ 1924 char **foo; 1925 int num, i; 1926 1927 if (scert == NULL) 1928 return 0; 1929 1930 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), 1931 &num)); 1932 if (foo == NULL) 1933 return 0; 1934 1935 for (i = 0; i < num; i++) 1936 { 1937 if (LK (kn_verify_assertion, (scert, strlen ((char *) scert))) 1938 != SIGRESULT_TRUE) 1939 { 1940 for (; i < num; i++) 1941 free (foo[i]); 1942 free (foo); 1943 return 0; 1944 } 1945 1946 free (foo[i]); 1947 } 1948 1949 free (foo); 1950 return 1; 1951} 1952 1953/* Add received credentials. */ 1954int 1955keynote_cert_insert (int sid, void *scert) 1956{ 1957 char **foo; 1958 int num; 1959 1960 if (scert == NULL) 1961 return 0; 1962 1963 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), 1964 &num)); 1965 if (foo == NULL) 1966 return 0; 1967 1968 while (num--) 1969 LK (kn_add_assertion, (sid, foo[num], strlen (foo[num]), 0)); 1970 1971 return 1; 1972} 1973 1974/* Just regular memory free. */ 1975void 1976keynote_cert_free (void *cert) 1977{ 1978 free (cert); 1979} 1980 1981/* Verify that the key given to us is valid. */ 1982int 1983keynote_certreq_validate (u_int8_t *data, u_int32_t len) 1984{ 1985 struct keynote_deckey dc; 1986 int err = 1; 1987 char *dat; 1988 1989 dat = calloc (len + 1, sizeof (char)); 1990 if (!dat) 1991 { 1992 log_error ("keynote_certreq_validate: calloc (%d, %d) failed", len + 1, 1993 sizeof (char)); 1994 return 0; 1995 } 1996 1997 memcpy (dat, data, len); 1998 1999 if (LK (kn_decode_key, (&dc, dat, KEYNOTE_PUBLIC_KEY)) != 0) 2000 err = 0; 2001 else 2002 LK (kn_free_key, (&dc)); 2003 2004 free (dat); 2005 2006 return err; 2007} 2008 2009/* Beats me what we should be doing with this. */ 2010void * 2011keynote_certreq_decode (u_int8_t *data, u_int32_t len) 2012{ 2013 /* XXX */ 2014 return NULL; 2015} 2016 2017void 2018keynote_free_aca (void *blob) 2019{ 2020 /* XXX */ 2021} 2022 2023int 2024keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, 2025 u_int32_t *certlen) 2026{ 2027 char *dirname, *file, *addr_str; 2028 struct stat sb; 2029 int idtype, fd, len; 2030 2031 if (!id) 2032 { 2033 log_print ("keynote_cert_obtain: ID is missing"); 2034 return 0; 2035 } 2036 2037 /* Get type of ID. */ 2038 idtype = id[0]; 2039 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2040 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2041 2042 dirname = conf_get_str ("KeyNote", "Credential-directory"); 2043 if (!dirname) 2044 { 2045 LOG_DBG ((LOG_POLICY, 30, 2046 "keynote_cert_obtain: no Credential-directory")); 2047 return 0; 2048 } 2049 2050 len = strlen (dirname) + strlen (CREDENTIAL_FILE) + 3; 2051 2052 switch (idtype) 2053 { 2054 case IPSEC_ID_IPV4_ADDR: 2055 case IPSEC_ID_IPV6_ADDR: 2056 util_ntoa (&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6, 2057 id); 2058 if (addr_str == 0) 2059 return 0; 2060 2061 file = calloc (len + strlen (addr_str), sizeof (char)); 2062 if (file == NULL) 2063 { 2064 log_error ("keynote_cert_obtain: failed to allocate %d bytes", 2065 len + strlen (addr_str)); 2066 free (addr_str); 2067 return 0; 2068 } 2069 2070 sprintf (file, "%s/%s/%s", dirname, addr_str, CREDENTIAL_FILE); 2071 free (addr_str); 2072 break; 2073 2074 case IPSEC_ID_FQDN: 2075 case IPSEC_ID_USER_FQDN: 2076 { 2077 file = calloc (len + id_len, sizeof (char)); 2078 if (file == NULL) 2079 { 2080 log_error ("keynote_cert_obtain: failed to allocate %d bytes", 2081 len + id_len); 2082 return 0; 2083 } 2084 2085 sprintf (file, "%s/", dirname); 2086 memcpy (file + strlen (file), id, id_len); 2087 sprintf (file + strlen (dirname) + 1 + id_len, "/%s", CREDENTIAL_FILE); 2088 break; 2089 } 2090 2091 default: 2092 return 0; 2093 } 2094 2095 if (stat (file, &sb) < 0) 2096 { 2097 LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to stat \"%s\"", 2098 file)); 2099 free (file); 2100 return 0; 2101 } 2102 2103 *cert = calloc (sb.st_size + 1, sizeof (char)); 2104 if (*cert == NULL) 2105 { 2106 log_error ("keynote_cert_obtain: failed to allocate %d bytes", 2107 sb.st_size); 2108 free (file); 2109 return 0; 2110 } 2111 2112 fd = open (file, O_RDONLY, 0); 2113 if (fd < 0) 2114 { 2115 LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to open \"%s\"", 2116 file)); 2117 free (file); 2118 return 0; 2119 } 2120 2121 if (read (fd, *cert, sb.st_size) != sb.st_size) 2122 { 2123 LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to read %d " 2124 "bytes from \"%s\"", sb.st_size, file)); 2125 free (file); 2126 close (fd); 2127 return 0; 2128 } 2129 2130 close (fd); 2131 free (file); 2132 *certlen = sb.st_size; 2133 return 1; 2134} 2135 2136/* This should never be called. */ 2137int 2138keynote_cert_get_subjects (void *scert, int *n, u_int8_t ***id, 2139 u_int32_t **id_len) 2140{ 2141 return 0; 2142} 2143 2144/* Get the authorizer key. */ 2145int 2146keynote_cert_get_key (void *scert, void *keyp) 2147{ 2148 struct keynote_keylist *kl; 2149 int sid, kid, num; 2150 char **foo; 2151 2152 foo = LK (kn_read_asserts, ((char *)scert, strlen ((char *)scert), &num)); 2153 if (foo == NULL || num == 0) 2154 { 2155 log_print ("keynote_cert_get_key: failed to decompose credentials"); 2156 return 0; 2157 } 2158 2159 kid = LK (kn_init, ()); 2160 if (kid == -1) 2161 { 2162 log_print ("keynote_cert_get_key: failed to initialize new policy " 2163 "session"); 2164 while (num--) 2165 free (foo[num]); 2166 free (foo); 2167 return 0; 2168 } 2169 2170 sid = LK (kn_add_assertion, (kid, foo[num - 1], 2171 strlen (foo[num - 1]), 0)); 2172 while (num--) 2173 free (foo[num]); 2174 free (foo); 2175 2176 if (sid == -1) 2177 { 2178 log_print ("keynote_cert_get_key: failed to add assertion"); 2179 LK (kn_close, (kid)); 2180 return 0; 2181 } 2182 2183 *(RSA **)keyp = NULL; 2184 2185 kl = LK (kn_get_licensees, (kid, sid)); 2186 while (kl) 2187 { 2188 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA) 2189 { 2190 *(RSA **)keyp = LC (RSAPublicKey_dup, (kl->key_key)); 2191 break; 2192 } 2193 2194 kl = kl->key_next; 2195 } 2196 2197 LK (kn_remove_assertion, (kid, sid)); 2198 LK (kn_close, (kid)); 2199 return *(RSA **)keyp == NULL ? 0 : 1; 2200} 2201 2202void * 2203keynote_cert_dup (void *cert) 2204{ 2205 return strdup((char *)cert); 2206} 2207 2208void 2209keynote_serialize (void *cert, u_int8_t **data, u_int32_t *datalen) 2210{ 2211 *datalen = strlen ((char *)cert) + 1; 2212 *data = strdup (cert); /* So we allocate an extra character at the end... */ 2213 if (*data == NULL) 2214 log_error ("keynote_serialize: malloc (%d) failed", *datalen); 2215} 2216 2217/* From cert to printable */ 2218char * 2219keynote_printable (void *cert) 2220{ 2221 return strdup ((char *)cert); 2222} 2223 2224/* From printable to cert */ 2225void * 2226keynote_from_printable (char *cert) 2227{ 2228 return strdup (cert); 2229} 2230