policy.c revision 1.53
1/* $OpenBSD: policy.c,v 1.53 2002/06/09 08:13:06 todd Exp $ */ 2/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ 3 4/* 5 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. 6 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 7 * Copyright (c) 2001 H�kan Olsson. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. All advertising materials mentioning features or use of this software 18 * must display the following acknowledgement: 19 * This product includes software developed by Ericsson Radio Systems. 20 * 4. The name of the author may not be used to endorse or promote products 21 * derived from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35/* 36 * This code was written under funding by Ericsson Radio Systems. 37 */ 38 39#include <sys/types.h> 40#include <sys/param.h> 41#include <sys/mman.h> 42#include <sys/queue.h> 43#include <sys/stat.h> 44#include <regex.h> 45#include <ctype.h> 46#include <fcntl.h> 47#include <stdio.h> 48#include <stdlib.h> 49#include <string.h> 50#include <unistd.h> 51#include <keynote.h> 52#include <sys/socket.h> 53#include <netinet/in.h> 54#include <arpa/inet.h> 55#include <errno.h> 56#include <openssl/ssl.h> 57#include <netdb.h> 58 59#include "sysdep.h" 60 61#include "conf.h" 62#include "dyn.h" 63#include "exchange.h" 64#include "ipsec.h" 65#include "isakmp_doi.h" 66#include "sa.h" 67#include "transport.h" 68#include "log.h" 69#include "message.h" 70#include "util.h" 71#include "policy.h" 72#include "x509.h" 73 74#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) && 0 75 76void *libkeynote = 0; 77 78/* 79 * These prototypes matches OpenBSD keynote.h 1.6. If you use 80 * a different version than that, you are on your own. 81 */ 82int *lk_keynote_errno; 83int (*lk_kn_add_action) (int, char *, char *, int); 84int (*lk_kn_add_assertion) (int, char *, int, int); 85int (*lk_kn_add_authorizer) (int, char *); 86int (*lk_kn_close) (int); 87int (*lk_kn_do_query) (int, char **, int); 88char *(*lk_kn_encode_key) (struct keynote_deckey *, int, int, int); 89int (*lk_kn_init) (void); 90char **(*lk_kn_read_asserts) (char *, int, int *); 91int (*lk_kn_remove_authorizer) (int, char *); 92int (*lk_kn_get_authorizer) (int, int, int *); 93void (*lk_kn_free_key) (struct keynote_deckey *); 94struct keynote_keylist *(*lk_kn_get_licensees) (int, int); 95#define SYMENTRY(x) { SYM, SYM (x), (void **)&lk_ ## x } 96 97static struct dynload_script libkeynote_script[] = { 98 { LOAD, "libc.so", &libkeynote }, 99 { LOAD, "libcrypto.so", &libkeynote }, 100 { LOAD, "libm.so", &libkeynote }, 101 { LOAD, "libkeynote.so", &libkeynote }, 102 SYMENTRY (keynote_errno), 103 SYMENTRY (kn_add_action), 104 SYMENTRY (kn_add_assertion), 105 SYMENTRY (kn_add_authorizer), 106 SYMENTRY (kn_close), 107 SYMENTRY (kn_do_query), 108 SYMENTRY (kn_encode_key), 109 SYMENTRY (kn_init), 110 SYMENTRY (kn_read_asserts), 111 SYMENTRY (kn_remove_authorizer), 112 SYMENTRY (kn_get_licensees), 113 SYMENTRY (kn_get_authorizer), 114 { EOS } 115}; 116#endif 117 118char **keynote_policy_asserts = NULL; 119int keynote_policy_asserts_num = 0; 120struct exchange *policy_exchange = 0; 121struct sa *policy_sa = 0; 122struct sa *policy_isakmp_sa = 0; 123 124static const char hextab[] = { 125 '0', '1', '2', '3', '4', '5', '6', '7', 126 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 127}; 128 129/* 130 * Adaptation of Vixie's inet_ntop4 () 131 */ 132static const char * 133my_inet_ntop4 (const in_addr_t *src, char *dst, size_t size, int normalize) 134{ 135 static const char fmt[] = "%03u.%03u.%03u.%03u"; 136 char tmp[sizeof "255.255.255.255"]; 137 in_addr_t src2; 138 139 if (normalize) 140 src2 = ntohl (*src); 141 else 142 src2 = *src; 143 144 if (snprintf (tmp, sizeof tmp, fmt, ((u_int8_t *) &src2)[0], 145 ((u_int8_t *) &src2)[1], ((u_int8_t *) &src2)[2], 146 ((u_int8_t *) &src2)[3]) > size) 147 { 148 errno = ENOSPC; 149 return 0; 150 } 151 strlcpy (dst, tmp, size); 152 return dst; 153} 154 155static const char * 156my_inet_ntop6 (const unsigned char *src, char *dst, size_t size) 157{ 158 static const char fmt[] = "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x"; 159 char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"]; 160 161 if (snprintf (tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3], src[4], 162 src[5], src[6], src[7], src[8], src[9], src[10], src[11], 163 src[12], src[13], src[14], src[15]) > size) 164 { 165 errno = ENOSPC; 166 return 0; 167 } 168 strlcpy (dst, tmp, size); 169 return dst; 170} 171 172char * 173policy_callback (char *name) 174{ 175 struct proto *proto; 176 177 u_int8_t *attr, *value, *id, *idlocal, *idremote; 178 size_t id_sz, idlocalsz, idremotesz; 179 struct sockaddr *sin; 180 struct ipsec_exch *ie; 181 struct ipsec_sa *is; 182 int fmt, i, lifetype = 0; 183 in_addr_t net, subnet; 184 u_int16_t len, type; 185 time_t tt; 186 char *addr; 187 static char mytimeofday[15]; 188 189 /* We use all these as a cache. */ 190#define PMAX 32 191 static char *esp_present, *ah_present, *comp_present; 192 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; 193 static char *comp_alg, ah_life_kbytes[PMAX], ah_life_seconds[PMAX]; 194 static char esp_life_kbytes[PMAX], esp_life_seconds[PMAX]; 195 static char comp_life_kbytes[PMAX]; 196 static char comp_life_seconds[PMAX], *ah_encapsulation, *esp_encapsulation; 197 static char *comp_encapsulation, ah_key_length[PMAX], esp_key_length[PMAX]; 198 static char ah_key_rounds[PMAX], esp_key_rounds[PMAX], comp_dict_size[PMAX]; 199 static char comp_private_alg[PMAX], *remote_filter_type, *local_filter_type; 200 static char remote_filter_addr_upper[NI_MAXHOST]; 201 static char remote_filter_addr_lower[NI_MAXHOST]; 202 static char local_filter_addr_upper[NI_MAXHOST]; 203 static char local_filter_addr_lower[NI_MAXHOST]; 204 static char ah_group_desc[PMAX], esp_group_desc[PMAX], comp_group_desc[PMAX]; 205 static char remote_ike_address[NI_MAXHOST]; 206 static char local_ike_address[NI_MAXHOST]; 207 static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST], *phase_1; 208 static char remote_id_addr_lower[NI_MAXHOST]; 209 static char *remote_id_proto, remote_id_port[PMAX]; 210 static char remote_filter_port[PMAX], local_filter_port[PMAX]; 211 static char *remote_filter_proto, *local_filter_proto, *pfs, *initiator; 212 static char remote_filter_proto_num[3], local_filter_proto_num[3]; 213 static char remote_id_proto_num[3]; 214 static char phase1_group[PMAX]; 215 216 /* Allocated. */ 217 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; 218 219 static int dirty = 1; 220 221 /* We only need to set dirty at initialization time really. */ 222 if (strcmp (name, KEYNOTE_CALLBACK_CLEANUP) == 0 223 || strcmp (name, KEYNOTE_CALLBACK_INITIALIZE) == 0) 224 { 225 esp_present = ah_present = comp_present = pfs = "no"; 226 ah_hash_alg = ah_auth_alg = phase_1 = ""; 227 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; 228 esp_encapsulation = comp_encapsulation = remote_filter_type = ""; 229 local_filter_type = remote_id_type = initiator = ""; 230 remote_filter_proto = local_filter_proto = remote_id_proto = ""; 231 232 if (remote_filter != 0) 233 { 234 free (remote_filter); 235 remote_filter = 0; 236 } 237 238 if (local_filter != 0) 239 { 240 free (local_filter); 241 local_filter = 0; 242 } 243 244 if (remote_id != 0) 245 { 246 free (remote_id); 247 remote_id = 0; 248 } 249 250 memset (remote_ike_address, 0, sizeof remote_ike_address); 251 memset (local_ike_address, 0, sizeof local_ike_address); 252 memset (ah_life_kbytes, 0, sizeof ah_life_kbytes); 253 memset (ah_life_seconds, 0, sizeof ah_life_seconds); 254 memset (esp_life_kbytes, 0, sizeof esp_life_kbytes); 255 memset (esp_life_seconds, 0, sizeof esp_life_seconds); 256 memset (comp_life_kbytes, 0, sizeof comp_life_kbytes); 257 memset (comp_life_seconds, 0, sizeof comp_life_seconds); 258 memset (ah_key_length, 0, sizeof ah_key_length); 259 memset (ah_key_rounds, 0, sizeof ah_key_rounds); 260 memset (esp_key_length, 0, sizeof esp_key_length); 261 memset (esp_key_rounds, 0, sizeof esp_key_rounds); 262 memset (comp_dict_size, 0, sizeof comp_dict_size); 263 memset (comp_private_alg, 0, sizeof comp_private_alg); 264 memset (remote_filter_addr_upper, 0, sizeof remote_filter_addr_upper); 265 memset (remote_filter_addr_lower, 0, sizeof remote_filter_addr_lower); 266 memset (local_filter_addr_upper, 0, sizeof local_filter_addr_upper); 267 memset (local_filter_addr_lower, 0, sizeof local_filter_addr_lower); 268 memset (remote_id_addr_upper, 0, sizeof remote_id_addr_upper); 269 memset (remote_id_addr_lower, 0, sizeof remote_id_addr_lower); 270 memset (ah_group_desc, 0, sizeof ah_group_desc); 271 memset (esp_group_desc, 0, sizeof esp_group_desc); 272 memset (remote_id_port, 0, sizeof remote_id_port); 273 memset (remote_filter_port, 0, sizeof remote_filter_port); 274 memset (local_filter_port, 0, sizeof local_filter_port); 275 memset (phase1_group, 0, sizeof phase1_group); 276 277 dirty = 1; 278 return ""; 279 } 280 281 /* 282 * If dirty is set, this is the first request for an attribute, so 283 * populate our value cache. 284 */ 285 if (dirty) 286 { 287 ie = policy_exchange->data; 288 289 if (ie->pfs) 290 pfs = "yes"; 291 292 is = policy_isakmp_sa->data; 293 snprintf (phase1_group, PMAX, "%u", is->group_desc); 294 295 for (proto = TAILQ_FIRST (&policy_sa->protos); proto; 296 proto = TAILQ_NEXT (proto, link)) 297 { 298 switch (proto->proto) 299 { 300 case IPSEC_PROTO_IPSEC_AH: 301 ah_present = "yes"; 302 switch (proto->id) 303 { 304 case IPSEC_AH_MD5: 305 ah_hash_alg = "md5"; 306 break; 307 308 case IPSEC_AH_SHA: 309 ah_hash_alg = "sha"; 310 break; 311 312 case IPSEC_AH_RIPEMD: 313 ah_hash_alg = "ripemd"; 314 break; 315 316 case IPSEC_AH_DES: 317 ah_hash_alg = "des"; 318 break; 319 } 320 321 break; 322 323 case IPSEC_PROTO_IPSEC_ESP: 324 esp_present = "yes"; 325 switch (proto->id) 326 { 327 case IPSEC_ESP_DES_IV64: 328 esp_enc_alg = "des-iv64"; 329 break; 330 331 case IPSEC_ESP_DES: 332 esp_enc_alg = "des"; 333 break; 334 335 case IPSEC_ESP_3DES: 336 esp_enc_alg = "3des"; 337 break; 338 339 case IPSEC_ESP_AES: 340 esp_enc_alg = "aes"; 341 break; 342 343 case IPSEC_ESP_RC5: 344 esp_enc_alg = "rc5"; 345 break; 346 347 case IPSEC_ESP_IDEA: 348 esp_enc_alg = "idea"; 349 break; 350 351 case IPSEC_ESP_CAST: 352 esp_enc_alg = "cast"; 353 break; 354 355 case IPSEC_ESP_BLOWFISH: 356 esp_enc_alg = "blowfish"; 357 break; 358 359 case IPSEC_ESP_3IDEA: 360 esp_enc_alg = "3idea"; 361 break; 362 363 case IPSEC_ESP_DES_IV32: 364 esp_enc_alg = "des-iv32"; 365 break; 366 367 case IPSEC_ESP_RC4: 368 esp_enc_alg = "rc4"; 369 break; 370 371 case IPSEC_ESP_NULL: 372 esp_enc_alg = "null"; 373 break; 374 } 375 376 break; 377 378 case IPSEC_PROTO_IPCOMP: 379 comp_present = "yes"; 380 switch (proto->id) 381 { 382 case IPSEC_IPCOMP_OUI: 383 comp_alg = "oui"; 384 break; 385 386 case IPSEC_IPCOMP_DEFLATE: 387 comp_alg = "deflate"; 388 break; 389 390 case IPSEC_IPCOMP_LZS: 391 comp_alg = "lzs"; 392 break; 393 394 case IPSEC_IPCOMP_V42BIS: 395 comp_alg = "v42bis"; 396 break; 397 } 398 399 break; 400 } 401 402 for (attr = proto->chosen->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF; 403 attr 404 < proto->chosen->p + GET_ISAKMP_GEN_LENGTH (proto->chosen->p); 405 attr = value + len) 406 { 407 if (attr + ISAKMP_ATTR_VALUE_OFF 408 > (proto->chosen->p 409 + GET_ISAKMP_GEN_LENGTH (proto->chosen->p))) 410 return ""; 411 412 type = GET_ISAKMP_ATTR_TYPE (attr); 413 fmt = ISAKMP_ATTR_FORMAT (type); 414 type = ISAKMP_ATTR_TYPE (type); 415 value = attr + (fmt ? ISAKMP_ATTR_LENGTH_VALUE_OFF : 416 ISAKMP_ATTR_VALUE_OFF); 417 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : 418 GET_ISAKMP_ATTR_LENGTH_VALUE (attr)); 419 420 if (value + len > proto->chosen->p + 421 GET_ISAKMP_GEN_LENGTH (proto->chosen->p)) 422 return ""; 423 424 switch (type) 425 { 426 case IPSEC_ATTR_SA_LIFE_TYPE: 427 lifetype = decode_16 (value); 428 break; 429 430 case IPSEC_ATTR_SA_LIFE_DURATION: 431 switch (proto->proto) 432 { 433 case IPSEC_PROTO_IPSEC_AH: 434 if (lifetype == IPSEC_DURATION_SECONDS) 435 { 436 if (len == 2) 437 snprintf (ah_life_seconds, PMAX, "%u", 438 decode_16 (value)); 439 else 440 snprintf (ah_life_seconds, PMAX, "%u", 441 decode_32 (value)); 442 } 443 else 444 { 445 if (len == 2) 446 snprintf (ah_life_kbytes, PMAX, "%u", 447 decode_16 (value)); 448 else 449 snprintf (ah_life_kbytes, PMAX, "%u", 450 decode_32 (value)); 451 } 452 453 break; 454 455 case IPSEC_PROTO_IPSEC_ESP: 456 if (lifetype == IPSEC_DURATION_SECONDS) 457 { 458 if (len == 2) 459 snprintf (esp_life_seconds, PMAX, "%u", 460 decode_16 (value)); 461 else 462 snprintf (esp_life_seconds, PMAX, "%u", 463 decode_32 (value)); 464 } 465 else 466 { 467 if (len == 2) 468 snprintf (esp_life_kbytes, PMAX, "%u", 469 decode_16 (value)); 470 else 471 snprintf (esp_life_kbytes, PMAX, "%u", 472 decode_32 (value)); 473 } 474 475 break; 476 477 case IPSEC_PROTO_IPCOMP: 478 if (lifetype == IPSEC_DURATION_SECONDS) 479 { 480 if (len == 2) 481 snprintf (comp_life_seconds, PMAX, "%u", 482 decode_16 (value)); 483 else 484 snprintf (comp_life_seconds, PMAX, "%u", 485 decode_32 (value)); 486 } 487 else 488 { 489 if (len == 2) 490 snprintf (comp_life_kbytes, PMAX, "%u", 491 decode_16 (value)); 492 else 493 snprintf (comp_life_kbytes, PMAX, "%u", 494 decode_32 (value)); 495 } 496 497 break; 498 } 499 break; 500 501 case IPSEC_ATTR_GROUP_DESCRIPTION: 502 switch (proto->proto) 503 { 504 case IPSEC_PROTO_IPSEC_AH: 505 snprintf (ah_group_desc, PMAX, "%u", decode_16 (value)); 506 break; 507 508 case IPSEC_PROTO_IPSEC_ESP: 509 snprintf (esp_group_desc, PMAX, "%u", 510 decode_16 (value)); 511 break; 512 513 case IPSEC_PROTO_IPCOMP: 514 snprintf (comp_group_desc, PMAX, "%u", 515 decode_16 (value)); 516 break; 517 } 518 break; 519 520 case IPSEC_ATTR_ENCAPSULATION_MODE: 521 if (decode_16 (value) == IPSEC_ENCAP_TUNNEL) 522 switch (proto->proto) 523 { 524 case IPSEC_PROTO_IPSEC_AH: 525 ah_encapsulation = "tunnel"; 526 break; 527 528 case IPSEC_PROTO_IPSEC_ESP: 529 esp_encapsulation = "tunnel"; 530 break; 531 532 case IPSEC_PROTO_IPCOMP: 533 comp_encapsulation = "tunnel"; 534 break; 535 } 536 else 537 switch (proto->proto) 538 { 539 case IPSEC_PROTO_IPSEC_AH: 540 ah_encapsulation = "transport"; 541 break; 542 543 case IPSEC_PROTO_IPSEC_ESP: 544 esp_encapsulation = "transport"; 545 break; 546 547 case IPSEC_PROTO_IPCOMP: 548 comp_encapsulation = "transport"; 549 break; 550 } 551 break; 552 553 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: 554 switch (proto->proto) 555 { 556 case IPSEC_PROTO_IPSEC_AH: 557 switch (decode_16 (value)) 558 { 559 case IPSEC_AUTH_HMAC_MD5: 560 ah_auth_alg = "hmac-md5"; 561 break; 562 563 case IPSEC_AUTH_HMAC_SHA: 564 ah_auth_alg = "hmac-sha"; 565 break; 566 567 case IPSEC_AUTH_HMAC_RIPEMD: 568 ah_auth_alg = "hmac-ripemd"; 569 break; 570 571 case IPSEC_AUTH_DES_MAC: 572 ah_auth_alg = "des-mac"; 573 break; 574 575 case IPSEC_AUTH_KPDK: 576 ah_auth_alg = "kpdk"; 577 break; 578 } 579 break; 580 581 case IPSEC_PROTO_IPSEC_ESP: 582 switch (decode_16 (value)) 583 { 584 case IPSEC_AUTH_HMAC_MD5: 585 esp_auth_alg = "hmac-md5"; 586 break; 587 588 case IPSEC_AUTH_HMAC_SHA: 589 esp_auth_alg = "hmac-sha"; 590 break; 591 592 case IPSEC_AUTH_HMAC_RIPEMD: 593 esp_auth_alg = "hmac-ripemd"; 594 break; 595 596 case IPSEC_AUTH_DES_MAC: 597 esp_auth_alg = "des-mac"; 598 break; 599 600 case IPSEC_AUTH_KPDK: 601 esp_auth_alg = "kpdk"; 602 break; 603 } 604 break; 605 } 606 break; 607 608 case IPSEC_ATTR_KEY_LENGTH: 609 switch (proto->proto) 610 { 611 case IPSEC_PROTO_IPSEC_AH: 612 snprintf (ah_key_length, PMAX, "%u", decode_16 (value)); 613 break; 614 615 case IPSEC_PROTO_IPSEC_ESP: 616 snprintf (esp_key_length, PMAX, "%u", 617 decode_16 (value)); 618 break; 619 } 620 break; 621 622 case IPSEC_ATTR_KEY_ROUNDS: 623 switch (proto->proto) 624 { 625 case IPSEC_PROTO_IPSEC_AH: 626 snprintf (ah_key_rounds, PMAX, "%u", decode_16 (value)); 627 break; 628 629 case IPSEC_PROTO_IPSEC_ESP: 630 snprintf (esp_key_rounds, PMAX, "%u", 631 decode_16 (value)); 632 break; 633 } 634 break; 635 636 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: 637 snprintf (comp_dict_size, PMAX, "%u", decode_16 (value)); 638 break; 639 640 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: 641 snprintf (comp_private_alg, PMAX, "%u", decode_16 (value)); 642 break; 643 } 644 } 645 } 646 647 policy_sa->transport->vtbl->get_src (policy_sa->transport, &sin); 648 if (sockaddr2text (sin, &addr, 1)) 649 { 650 log_error ("policy_callback: sockaddr2text failed"); 651 goto bad; 652 } 653 strlcpy (local_ike_address, addr, sizeof local_ike_address); 654 free (addr); 655 656 policy_sa->transport->vtbl->get_dst (policy_sa->transport, &sin); 657 if (sockaddr2text (sin, &addr, 1)) 658 { 659 log_error ("policy_callback: sockaddr2text failed"); 660 goto bad; 661 } 662 strlcpy (remote_ike_address, addr, sizeof remote_ike_address); 663 free (addr); 664 665 switch (policy_isakmp_sa->exch_type) 666 { 667 case ISAKMP_EXCH_AGGRESSIVE: 668 phase_1 = "aggressive"; 669 break; 670 671 case ISAKMP_EXCH_ID_PROT: 672 phase_1 = "main"; 673 break; 674 } 675 676 if (policy_isakmp_sa->initiator) 677 { 678 id = policy_isakmp_sa->id_r; 679 id_sz = policy_isakmp_sa->id_r_len; 680 } 681 else 682 { 683 id = policy_isakmp_sa->id_i; 684 id_sz = policy_isakmp_sa->id_i_len; 685 } 686 687 switch (id[0]) 688 { 689 case IPSEC_ID_IPV4_ADDR: 690 remote_id_type = "IPv4 address"; 691 692 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 693 my_inet_ntop4 (&net, remote_id_addr_upper, 694 sizeof remote_id_addr_upper - 1, 1); 695 my_inet_ntop4 (&net, remote_id_addr_lower, 696 sizeof remote_id_addr_lower - 1, 1); 697 remote_id = strdup (remote_id_addr_upper); 698 if (!remote_id) 699 { 700 log_error ("policy_callback: strdup (\"%s\") failed", 701 remote_id_addr_upper); 702 goto bad; 703 } 704 break; 705 706 case IPSEC_ID_IPV4_RANGE: 707 remote_id_type = "IPv4 range"; 708 709 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 710 my_inet_ntop4 (&net, remote_id_addr_lower, 711 sizeof remote_id_addr_lower - 1, 1); 712 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 713 my_inet_ntop4 (&net, remote_id_addr_upper, 714 sizeof remote_id_addr_upper - 1, 1); 715 len = strlen (remote_id_addr_upper) + strlen (remote_id_addr_lower) 716 + 2; 717 remote_id = calloc (len, sizeof (char)); 718 if (!remote_id) 719 { 720 log_error ("policy_callback: calloc (%d, %lu) failed", len, 721 (unsigned long)sizeof (char)); 722 goto bad; 723 } 724 725 strlcpy (remote_id, remote_id_addr_lower, len); 726 strlcat (remote_id, "-", len); 727 strlcat (remote_id, remote_id_addr_upper, len); 728 break; 729 730 case IPSEC_ID_IPV4_ADDR_SUBNET: 731 remote_id_type = "IPv4 subnet"; 732 733 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 734 subnet = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 735 net &= subnet; 736 my_inet_ntop4 (&net, remote_id_addr_lower, 737 sizeof remote_id_addr_lower - 1, 1); 738 net |= ~subnet; 739 my_inet_ntop4 (&net, remote_id_addr_upper, 740 sizeof remote_id_addr_upper - 1, 1); 741 len = strlen (remote_id_addr_upper) + strlen (remote_id_addr_lower) 742 + 2; 743 remote_id = calloc (len, sizeof (char)); 744 if (!remote_id) 745 { 746 log_error ("policy_callback: calloc (%d, %lu) failed", len, 747 (unsigned long)sizeof (char)); 748 goto bad; 749 } 750 751 strlcpy (remote_id, remote_id_addr_lower, len); 752 strlcat (remote_id, "-", len); 753 strlcat (remote_id, remote_id_addr_upper, len); 754 break; 755 756 case IPSEC_ID_IPV6_ADDR: 757 remote_id_type = "IPv6 address"; 758 my_inet_ntop6 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 759 remote_id_addr_upper, sizeof remote_id_addr_upper); 760 strlcpy (remote_id_addr_lower, remote_id_addr_upper, 761 sizeof remote_id_addr_lower); 762 remote_id = strdup (remote_id_addr_upper); 763 if (!remote_id) 764 { 765 log_error ("policy_callback: strdup (\"%s\") failed", 766 remote_id_addr_upper); 767 goto bad; 768 } 769 break; 770 771 case IPSEC_ID_IPV6_RANGE: 772 remote_id_type = "IPv6 range"; 773 774 my_inet_ntop6 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 775 remote_id_addr_lower, 776 sizeof remote_id_addr_lower - 1); 777 778 my_inet_ntop6 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, 779 remote_id_addr_upper, 780 sizeof remote_id_addr_upper - 1); 781 782 len = strlen (remote_id_addr_upper) + strlen (remote_id_addr_lower) 783 + 2; 784 remote_id = calloc (len, sizeof (char)); 785 if (!remote_id) 786 { 787 log_error ("policy_callback: calloc (%d, %lu) failed", len, 788 (unsigned long)sizeof (char)); 789 goto bad; 790 } 791 792 strlcpy (remote_id, remote_id_addr_lower, len); 793 strlcat (remote_id, "-", len); 794 strlcat (remote_id, remote_id_addr_upper, len); 795 break; 796 797 case IPSEC_ID_IPV6_ADDR_SUBNET: 798 { 799 struct in6_addr net, mask; 800 801 remote_id_type = "IPv6 subnet"; 802 803 bcopy (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, &net, sizeof (net)); 804 bcopy (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, &mask, 805 sizeof (mask)); 806 807 for (i = 0; i < 16; i++) 808 net.s6_addr[i] &= mask.s6_addr[i]; 809 810 my_inet_ntop6 ((char *) &net, remote_id_addr_lower, 811 sizeof remote_id_addr_lower - 1); 812 813 for (i = 0; i < 16; i++) 814 net.s6_addr[i] |= ~mask.s6_addr[i]; 815 816 my_inet_ntop6 ((char *) &net, remote_id_addr_upper, 817 sizeof remote_id_addr_upper - 1); 818 819 len = strlen (remote_id_addr_upper) + strlen (remote_id_addr_lower) 820 + 2; 821 remote_id = calloc (len, sizeof (char)); 822 if (!remote_id) 823 { 824 log_error ("policy_callback: calloc (%d, %lu) failed", len, 825 (unsigned long)sizeof (char)); 826 goto bad; 827 } 828 829 strlcpy (remote_id, remote_id_addr_lower, len); 830 strlcat (remote_id, "-", len); 831 strlcat (remote_id, remote_id_addr_upper, len); 832 break; 833 } 834 835 case IPSEC_ID_FQDN: 836 remote_id_type = "FQDN"; 837 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 838 sizeof (char)); 839 if (!remote_id) 840 { 841 log_error ("policy_callback: calloc (%lu, %lu) failed", 842 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 843 (unsigned long)sizeof (char)); 844 goto bad; 845 } 846 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 847 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 848 break; 849 850 case IPSEC_ID_USER_FQDN: 851 remote_id_type = "User FQDN"; 852 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 853 sizeof (char)); 854 if (!remote_id) 855 { 856 log_error ("policy_callback: calloc (%lu, %lu) failed", 857 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 858 (unsigned long)sizeof (char)); 859 goto bad; 860 } 861 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 862 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 863 break; 864 865 case IPSEC_ID_DER_ASN1_DN: 866 remote_id_type = "ASN1 DN"; 867 868 remote_id = x509_DN_string (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 869 id_sz - ISAKMP_ID_DATA_OFF 870 + ISAKMP_GEN_SZ); 871 if (!remote_id) 872 { 873 LOG_DBG ((LOG_POLICY, 50, 874 "policy_callback: failed to decode name")); 875 goto bad; 876 } 877 break; 878 879 case IPSEC_ID_DER_ASN1_GN: /* XXX */ 880 remote_id_type = "ASN1 GN"; 881 break; 882 883 case IPSEC_ID_KEY_ID: 884 remote_id_type = "Key ID"; 885 remote_id 886 = calloc (2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 887 sizeof (char)); 888 if (!remote_id) 889 { 890 log_error ("policy_callback: calloc (%lu, %lu) failed", 891 2 * ((unsigned long)id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 892 (unsigned long)sizeof (char)); 893 goto bad; 894 } 895 /* Does it contain any non-printable characters ? */ 896 for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++) 897 if (!isprint (*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + i))) 898 break; 899 if (i >= id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) 900 { 901 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 902 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 903 break; 904 } 905 /* Non-printable characters, convert to hex */ 906 for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++) 907 { 908 remote_id[2 * i] 909 = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]; 910 remote_id[2 * i + 1] 911 = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF]; 912 } 913 break; 914 915 default: 916 log_print ("policy_callback: unknown remote ID type %u", id[0]); 917 goto bad; 918 } 919 920 switch (id[1]) 921 { 922 case IPPROTO_TCP: 923 remote_id_proto = "tcp"; 924 break; 925 926 case IPPROTO_UDP: 927 remote_id_proto = "udp"; 928 break; 929 930#ifdef IPPROTO_ETHERIP 931 case IPPROTO_ETHERIP: 932 remote_id_proto = "etherip"; 933 break; 934#endif 935 936 default: 937 snprintf (remote_id_proto_num, 3, "%2d", id[1]); 938 remote_id_proto = remote_id_proto_num; 939 break; 940 } 941 942 snprintf (remote_id_port, sizeof remote_id_port - 1, "%u", 943 decode_16 (id + 2)); 944 945 if (policy_exchange->initiator) 946 { 947 initiator = "yes"; 948 idlocal = ie->id_ci; 949 idremote = ie->id_cr; 950 idlocalsz = ie->id_ci_sz; 951 idremotesz = ie->id_cr_sz; 952 } 953 else 954 { 955 initiator = "no"; 956 idlocal = ie->id_cr; 957 idremote = ie->id_ci; 958 idlocalsz = ie->id_cr_sz; 959 idremotesz = ie->id_ci_sz; 960 } 961 962 /* Initialize the ID variables. */ 963 if (idremote) 964 { 965 switch (GET_ISAKMP_ID_TYPE (idremote)) 966 { 967 case IPSEC_ID_IPV4_ADDR: 968 remote_filter_type = "IPv4 address"; 969 970 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 971 my_inet_ntop4 (&net, remote_filter_addr_upper, 972 sizeof remote_filter_addr_upper - 1, 1); 973 my_inet_ntop4 (&net, remote_filter_addr_lower, 974 sizeof remote_filter_addr_lower - 1, 1); 975 remote_filter = strdup (remote_filter_addr_upper); 976 if (!remote_filter) 977 { 978 log_error ("policy_callback: strdup (\"%s\") failed", 979 remote_filter_addr_upper); 980 goto bad; 981 } 982 break; 983 984 case IPSEC_ID_IPV4_RANGE: 985 remote_filter_type = "IPv4 range"; 986 987 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 988 my_inet_ntop4 (&net, remote_filter_addr_lower, 989 sizeof remote_filter_addr_lower - 1, 1); 990 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 991 my_inet_ntop4 (&net, remote_filter_addr_upper, 992 sizeof remote_filter_addr_upper - 1, 1); 993 len = strlen (remote_filter_addr_upper) 994 + strlen (remote_filter_addr_lower) + 2; 995 remote_filter = calloc (len, sizeof (char)); 996 if (!remote_filter) 997 { 998 log_error ("policy_callback: calloc (%d, %lu) failed", len, 999 (unsigned long)sizeof (char)); 1000 goto bad; 1001 } 1002 1003 strlcpy (remote_filter, remote_filter_addr_lower, len); 1004 strlcat (remote_filter, "-", len); 1005 strlcat (remote_filter, remote_filter_addr_upper, len); 1006 break; 1007 1008 case IPSEC_ID_IPV4_ADDR_SUBNET: 1009 remote_filter_type = "IPv4 subnet"; 1010 1011 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 1012 subnet = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 1013 net &= subnet; 1014 my_inet_ntop4 (&net, remote_filter_addr_lower, 1015 sizeof remote_filter_addr_lower - 1, 1); 1016 net |= ~subnet; 1017 my_inet_ntop4 (&net, remote_filter_addr_upper, 1018 sizeof remote_filter_addr_upper - 1, 1); 1019 len = strlen (remote_filter_addr_upper) 1020 + strlen (remote_filter_addr_lower) + 2; 1021 remote_filter = calloc (len, sizeof (char)); 1022 if (!remote_filter) 1023 { 1024 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1025 (unsigned long)sizeof (char)); 1026 goto bad; 1027 } 1028 strlcpy (remote_filter, remote_filter_addr_lower, len); 1029 strlcat (remote_filter, "-", len); 1030 strlcat (remote_filter, remote_filter_addr_upper, len); 1031 break; 1032 1033 case IPSEC_ID_IPV6_ADDR: 1034 remote_filter_type = "IPv6 address"; 1035 my_inet_ntop6 (idremote + ISAKMP_ID_DATA_OFF, 1036 remote_filter_addr_upper, 1037 sizeof remote_filter_addr_upper - 1); 1038 strlcpy (remote_filter_addr_lower, remote_filter_addr_upper, 1039 sizeof remote_filter_addr_lower); 1040 remote_filter = strdup (remote_filter_addr_upper); 1041 if (!remote_filter) 1042 { 1043 log_error ("policy_callback: strdup (\"%s\") failed", 1044 remote_filter_addr_upper); 1045 goto bad; 1046 } 1047 break; 1048 1049 case IPSEC_ID_IPV6_RANGE: 1050 remote_filter_type = "IPv6 range"; 1051 1052 my_inet_ntop6 (idremote + ISAKMP_ID_DATA_OFF, 1053 remote_filter_addr_lower, 1054 sizeof remote_filter_addr_lower - 1); 1055 1056 my_inet_ntop6 (idremote + ISAKMP_ID_DATA_OFF + 16, 1057 remote_filter_addr_upper, 1058 sizeof remote_filter_addr_upper - 1); 1059 1060 len = strlen (remote_filter_addr_upper) 1061 + strlen (remote_filter_addr_lower) + 2; 1062 remote_filter = calloc (len, sizeof (char)); 1063 if (!remote_filter) 1064 { 1065 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1066 (unsigned long)sizeof (char)); 1067 goto bad; 1068 } 1069 1070 strlcpy (remote_filter, remote_filter_addr_lower, len); 1071 strlcat (remote_filter, "-", len); 1072 strlcat (remote_filter, remote_filter_addr_upper, len); 1073 break; 1074 1075 case IPSEC_ID_IPV6_ADDR_SUBNET: 1076 { 1077 struct in6_addr net, mask; 1078 1079 remote_filter_type = "IPv6 subnet"; 1080 1081 bcopy (idremote + ISAKMP_ID_DATA_OFF, &net, sizeof (net)); 1082 bcopy (idremote + ISAKMP_ID_DATA_OFF + 16, &mask, sizeof (mask)); 1083 1084 for (i = 0; i < 16; i++) 1085 net.s6_addr[i] &= mask.s6_addr[i]; 1086 1087 my_inet_ntop6 ((char *) &net, remote_filter_addr_lower, 1088 sizeof remote_filter_addr_lower - 1); 1089 1090 for (i = 0; i < 16; i++) 1091 net.s6_addr[i] |= ~mask.s6_addr[i]; 1092 1093 my_inet_ntop6 ((char *) &net, remote_filter_addr_upper, 1094 sizeof remote_filter_addr_upper - 1); 1095 1096 len = strlen (remote_filter_addr_upper) 1097 + strlen (remote_filter_addr_lower) + 2; 1098 remote_filter = calloc (len, sizeof (char)); 1099 if (!remote_filter) 1100 { 1101 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1102 (unsigned long)sizeof (char)); 1103 goto bad; 1104 } 1105 1106 strlcpy (remote_filter, remote_filter_addr_lower, len); 1107 strlcat (remote_filter, "-", len); 1108 strlcat (remote_filter, remote_filter_addr_upper, len); 1109 break; 1110 } 1111 1112 case IPSEC_ID_FQDN: 1113 remote_filter_type = "FQDN"; 1114 remote_filter = malloc (idremotesz - ISAKMP_ID_DATA_OFF + 1); 1115 if (!remote_filter) 1116 { 1117 log_error ("policy_callback: malloc (%lu) failed", 1118 (unsigned long)idremotesz - ISAKMP_ID_DATA_OFF + 1); 1119 goto bad; 1120 } 1121 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 1122 idremotesz - ISAKMP_ID_DATA_OFF); 1123 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] = '\0'; 1124 break; 1125 1126 case IPSEC_ID_USER_FQDN: 1127 remote_filter_type = "User FQDN"; 1128 remote_filter = malloc (idremotesz - ISAKMP_ID_DATA_OFF + 1); 1129 if (!remote_filter) 1130 { 1131 log_error ("policy_callback: malloc (%lu) failed", 1132 (unsigned long)idremotesz - ISAKMP_ID_DATA_OFF + 1); 1133 goto bad; 1134 } 1135 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 1136 idremotesz - ISAKMP_ID_DATA_OFF); 1137 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] = '\0'; 1138 break; 1139 1140 case IPSEC_ID_DER_ASN1_DN: 1141 remote_filter_type = "ASN1 DN"; 1142 1143 remote_filter = x509_DN_string (idremote + ISAKMP_ID_DATA_OFF, 1144 idremotesz - ISAKMP_ID_DATA_OFF); 1145 if (!remote_filter) 1146 { 1147 LOG_DBG ((LOG_POLICY, 50, 1148 "policy_callback: failed to decode name")); 1149 goto bad; 1150 } 1151 break; 1152 1153 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 1154 remote_filter_type = "ASN1 GN"; 1155 break; 1156 1157 case IPSEC_ID_KEY_ID: 1158 remote_filter_type = "Key ID"; 1159 remote_filter 1160 = calloc (2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, 1161 sizeof (char)); 1162 if (!remote_filter) 1163 { 1164 log_error ("policy_callback: calloc (%lu, %lu) failed", 1165 2 * ((unsigned long)idremotesz - ISAKMP_ID_DATA_OFF) + 1, 1166 (unsigned long)sizeof (char)); 1167 goto bad; 1168 } 1169 /* Does it contain any non-printable characters ? */ 1170 for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1171 if (!isprint (*(idremote + ISAKMP_ID_DATA_OFF + i))) 1172 break; 1173 if (i >= idremotesz - ISAKMP_ID_DATA_OFF) 1174 { 1175 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 1176 idremotesz - ISAKMP_ID_DATA_OFF); 1177 break; 1178 } 1179 /* Non-printable characters, convert to hex */ 1180 for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1181 { 1182 remote_filter[2 * i] 1183 = hextab[*(idremote + ISAKMP_ID_DATA_OFF) >> 4]; 1184 remote_filter[2 * i + 1] 1185 = hextab[*(idremote + ISAKMP_ID_DATA_OFF) & 0xF]; 1186 } 1187 break; 1188 1189 default: 1190 log_print ("policy_callback: unknown Remote ID type %u", 1191 GET_ISAKMP_ID_TYPE (idremote)); 1192 goto bad; 1193 } 1194 1195 switch (idremote[ISAKMP_GEN_SZ + 1]) 1196 { 1197 case IPPROTO_TCP: 1198 remote_filter_proto = "tcp"; 1199 break; 1200 1201 case IPPROTO_UDP: 1202 remote_filter_proto = "udp"; 1203 break; 1204 1205#ifdef IPPROTO_ETHERIP 1206 case IPPROTO_ETHERIP: 1207 remote_filter_proto = "etherip"; 1208 break; 1209#endif 1210 1211 default: 1212 snprintf (remote_filter_proto_num, 3, "%2d", 1213 idremote[ISAKMP_GEN_SZ + 1]); 1214 remote_filter_proto = remote_filter_proto_num; 1215 break; 1216 } 1217 1218 snprintf (remote_filter_port, sizeof remote_filter_port - 1, 1219 "%u", decode_16 (idremote + ISAKMP_GEN_SZ + 2)); 1220 } 1221 else 1222 { 1223 policy_sa->transport->vtbl->get_dst (policy_sa->transport, &sin); 1224 switch (sin->sa_family) 1225 { 1226 case AF_INET: 1227 remote_filter_type = "IPv4 address"; 1228 break; 1229 case AF_INET6: 1230 remote_filter_type = "IPv6 address"; 1231 break; 1232 default: 1233 log_print ("policy_callback: unsupported protocol family %d", 1234 sin->sa_family); 1235 goto bad; 1236 } 1237 if (sockaddr2text (sin, &addr, 1)) 1238 { 1239 log_error ("policy_callback: sockaddr2text failed"); 1240 goto bad; 1241 } 1242 memcpy (remote_filter_addr_upper, addr, 1243 sizeof remote_filter_addr_upper); 1244 memcpy (remote_filter_addr_lower, addr, 1245 sizeof remote_filter_addr_lower); 1246 free (addr); 1247 remote_filter = strdup (remote_filter_addr_upper); 1248 if (!remote_filter) 1249 { 1250 log_error ("policy_callback: strdup (\"%s\") failed", 1251 remote_filter_addr_upper); 1252 goto bad; 1253 } 1254 } 1255 1256 if (idlocal) 1257 { 1258 switch (GET_ISAKMP_ID_TYPE (idlocal)) 1259 { 1260 case IPSEC_ID_IPV4_ADDR: 1261 local_filter_type = "IPv4 address"; 1262 1263 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1264 my_inet_ntop4 (&net, local_filter_addr_upper, 1265 sizeof local_filter_addr_upper - 1, 1); 1266 my_inet_ntop4 (&net, local_filter_addr_lower, 1267 sizeof local_filter_addr_upper - 1, 1); 1268 local_filter = strdup (local_filter_addr_upper); 1269 if (!local_filter) 1270 { 1271 log_error ("policy_callback: strdup (\"%s\") failed", 1272 local_filter_addr_upper); 1273 goto bad; 1274 } 1275 break; 1276 1277 case IPSEC_ID_IPV4_RANGE: 1278 local_filter_type = "IPv4 range"; 1279 1280 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1281 my_inet_ntop4 (&net, local_filter_addr_lower, 1282 sizeof local_filter_addr_lower - 1, 1); 1283 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1284 my_inet_ntop4 (&net, local_filter_addr_upper, 1285 sizeof local_filter_addr_upper - 1, 1); 1286 len = strlen (local_filter_addr_upper) 1287 + strlen (local_filter_addr_lower) + 2; 1288 local_filter = calloc (len, sizeof (char)); 1289 if (!local_filter) 1290 { 1291 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1292 (unsigned long)sizeof (char)); 1293 goto bad; 1294 } 1295 strlcpy (local_filter, local_filter_addr_lower, len); 1296 strlcat (local_filter, "-", len); 1297 strlcat (local_filter, local_filter_addr_upper, len); 1298 break; 1299 1300 case IPSEC_ID_IPV4_ADDR_SUBNET: 1301 local_filter_type = "IPv4 subnet"; 1302 1303 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1304 subnet = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1305 net &= subnet; 1306 my_inet_ntop4 (&net, local_filter_addr_lower, 1307 sizeof local_filter_addr_lower - 1, 1); 1308 net |= ~subnet; 1309 my_inet_ntop4 (&net, local_filter_addr_upper, 1310 sizeof local_filter_addr_upper - 1, 1); 1311 len = strlen (local_filter_addr_upper) 1312 + strlen (local_filter_addr_lower) + 2; 1313 local_filter = calloc (len, sizeof (char)); 1314 if (!local_filter) 1315 { 1316 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1317 (unsigned long)sizeof (char)); 1318 goto bad; 1319 } 1320 strlcpy (local_filter, local_filter_addr_lower, len); 1321 strlcat (local_filter, "-", len); 1322 strlcat (local_filter, local_filter_addr_upper, len); 1323 break; 1324 1325 case IPSEC_ID_IPV6_ADDR: 1326 local_filter_type = "IPv6 address"; 1327 my_inet_ntop6 (idlocal + ISAKMP_ID_DATA_OFF, 1328 local_filter_addr_upper, 1329 sizeof local_filter_addr_upper - 1); 1330 strlcpy (local_filter_addr_lower, local_filter_addr_upper, 1331 sizeof local_filter_addr_lower); 1332 local_filter = strdup (local_filter_addr_upper); 1333 if (!local_filter) 1334 { 1335 log_error ("policy_callback: strdup (\"%s\") failed", 1336 local_filter_addr_upper); 1337 goto bad; 1338 } 1339 break; 1340 1341 case IPSEC_ID_IPV6_RANGE: 1342 local_filter_type = "IPv6 range"; 1343 1344 my_inet_ntop6 (idlocal + ISAKMP_ID_DATA_OFF, 1345 local_filter_addr_lower, 1346 sizeof local_filter_addr_lower - 1); 1347 1348 my_inet_ntop6 (idlocal + ISAKMP_ID_DATA_OFF + 16, 1349 local_filter_addr_upper, 1350 sizeof local_filter_addr_upper - 1); 1351 1352 len = strlen (local_filter_addr_upper) 1353 + strlen (local_filter_addr_lower) + 2; 1354 local_filter = calloc (len, sizeof (char)); 1355 if (!local_filter) 1356 { 1357 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1358 (unsigned long)sizeof (char)); 1359 goto bad; 1360 } 1361 1362 strlcpy (local_filter, local_filter_addr_lower, len); 1363 strlcat (local_filter, "-", len); 1364 strlcat (local_filter, local_filter_addr_upper, len); 1365 break; 1366 1367 case IPSEC_ID_IPV6_ADDR_SUBNET: 1368 { 1369 struct in6_addr net, mask; 1370 1371 local_filter_type = "IPv6 subnet"; 1372 1373 bcopy (idlocal + ISAKMP_ID_DATA_OFF, &net, sizeof (net)); 1374 bcopy (idlocal + ISAKMP_ID_DATA_OFF + 16, &mask, sizeof (mask)); 1375 1376 for (i = 0; i < 16; i++) 1377 net.s6_addr[i] &= mask.s6_addr[i]; 1378 1379 my_inet_ntop6 ((char *) &net, local_filter_addr_lower, 1380 sizeof local_filter_addr_lower - 1); 1381 1382 for (i = 0; i < 16; i++) 1383 net.s6_addr[i] |= ~mask.s6_addr[i]; 1384 1385 my_inet_ntop6 ((char *) &net, local_filter_addr_upper, 1386 sizeof local_filter_addr_upper - 1); 1387 1388 len = strlen (local_filter_addr_upper) 1389 + strlen (local_filter_addr_lower) + 2; 1390 local_filter = calloc (len, sizeof (char)); 1391 if (!local_filter) 1392 { 1393 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1394 (unsigned long)sizeof (char)); 1395 goto bad; 1396 } 1397 1398 strlcpy (local_filter, local_filter_addr_lower, len); 1399 strlcat (local_filter, "-", len); 1400 strlcat (local_filter, local_filter_addr_upper, len); 1401 break; 1402 } 1403 1404 case IPSEC_ID_FQDN: 1405 local_filter_type = "FQDN"; 1406 local_filter = malloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1); 1407 if (!local_filter) 1408 { 1409 log_error ("policy_callback: malloc (%lu) failed", 1410 (unsigned long)idlocalsz - ISAKMP_ID_DATA_OFF + 1); 1411 goto bad; 1412 } 1413 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1414 idlocalsz - ISAKMP_ID_DATA_OFF); 1415 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1416 break; 1417 1418 case IPSEC_ID_USER_FQDN: 1419 local_filter_type = "User FQDN"; 1420 local_filter = malloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1); 1421 if (!local_filter) 1422 { 1423 log_error ("policy_callback: malloc (%lu) failed", 1424 (unsigned long)idlocalsz - ISAKMP_ID_DATA_OFF + 1); 1425 goto bad; 1426 } 1427 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1428 idlocalsz - ISAKMP_ID_DATA_OFF); 1429 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1430 break; 1431 1432 case IPSEC_ID_DER_ASN1_DN: 1433 local_filter_type = "ASN1 DN"; 1434 1435 local_filter = x509_DN_string (idlocal + ISAKMP_ID_DATA_OFF, 1436 idlocalsz - ISAKMP_ID_DATA_OFF); 1437 if (!local_filter) 1438 { 1439 LOG_DBG ((LOG_POLICY, 50, 1440 "policy_callback: failed to decode name")); 1441 goto bad; 1442 } 1443 break; 1444 1445 case IPSEC_ID_DER_ASN1_GN: 1446 /* XXX -- not sure what's in this. */ 1447 local_filter_type = "ASN1 GN"; 1448 break; 1449 1450 case IPSEC_ID_KEY_ID: 1451 local_filter_type = "Key ID"; 1452 local_filter = calloc (2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, 1453 sizeof (char)); 1454 if (!local_filter) 1455 { 1456 log_error ("policy_callback: calloc (%lu, %lu) failed", 1457 2 * ((unsigned long)idlocalsz - ISAKMP_ID_DATA_OFF) + 1, 1458 (unsigned long)sizeof (char)); 1459 goto bad; 1460 } 1461 /* Does it contain any non-printable characters ? */ 1462 for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1463 if (!isprint (*(idlocal + ISAKMP_ID_DATA_OFF + i))) 1464 break; 1465 if (i >= idlocalsz - ISAKMP_ID_DATA_OFF) 1466 { 1467 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1468 idlocalsz - ISAKMP_ID_DATA_OFF); 1469 break; 1470 } 1471 /* Non-printable characters, convert to hex */ 1472 for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1473 { 1474 local_filter[2 * i] 1475 = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) >> 4]; 1476 local_filter[2 * i + 1] 1477 = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) & 0xF]; 1478 } 1479 break; 1480 1481 default: 1482 log_print ("policy_callback: unknown Local ID type %u", 1483 GET_ISAKMP_ID_TYPE (idlocal)); 1484 goto bad; 1485 } 1486 1487 switch (idlocal[ISAKMP_GEN_SZ + 1]) 1488 { 1489 case IPPROTO_TCP: 1490 local_filter_proto = "tcp"; 1491 break; 1492 1493 case IPPROTO_UDP: 1494 local_filter_proto = "udp"; 1495 break; 1496 1497#ifdef IPPROTO_ETHERIP 1498 case IPPROTO_ETHERIP: 1499 local_filter_proto = "etherip"; 1500 break; 1501#endif 1502 1503 default: 1504 snprintf (local_filter_proto_num, 3, "%2d", 1505 idlocal[ISAKMP_GEN_SZ + 1]); 1506 local_filter_proto = local_filter_proto_num; 1507 break; 1508 } 1509 1510 snprintf (local_filter_port, sizeof local_filter_port - 1, 1511 "%u", decode_16 (idlocal + ISAKMP_GEN_SZ + 2)); 1512 } 1513 else 1514 { 1515 policy_sa->transport->vtbl->get_src (policy_sa->transport, 1516 (struct sockaddr **)&sin); 1517 switch (sin->sa_family) 1518 { 1519 case AF_INET: 1520 local_filter_type = "IPv4 address"; 1521 break; 1522 case AF_INET6: 1523 local_filter_type = "IPv6 address"; 1524 break; 1525 default: 1526 log_print ("policy_callback: unsupported protocol family %d", 1527 sin->sa_family); 1528 goto bad; 1529 } 1530 1531 if (sockaddr2text (sin, &addr, 1)) 1532 { 1533 log_error ("policy_callback: sockaddr2text failed"); 1534 goto bad; 1535 } 1536 memcpy (local_filter_addr_upper, addr, 1537 sizeof local_filter_addr_upper); 1538 memcpy (local_filter_addr_lower, addr, 1539 sizeof local_filter_addr_lower); 1540 free (addr); 1541 local_filter = strdup (local_filter_addr_upper); 1542 if (!local_filter) 1543 { 1544 log_error ("policy_callback: strdup (\"%s\") failed", 1545 local_filter_addr_upper); 1546 goto bad; 1547 } 1548 } 1549 1550 LOG_DBG ((LOG_POLICY, 80, "Policy context (action attributes):")); 1551 LOG_DBG ((LOG_POLICY, 80, "esp_present == %s", esp_present)); 1552 LOG_DBG ((LOG_POLICY, 80, "ah_present == %s", ah_present)); 1553 LOG_DBG ((LOG_POLICY, 80, "comp_present == %s", comp_present)); 1554 LOG_DBG ((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg)); 1555 LOG_DBG ((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg)); 1556 LOG_DBG ((LOG_POLICY, 80, "comp_alg == %s", comp_alg)); 1557 LOG_DBG ((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg)); 1558 LOG_DBG ((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg)); 1559 LOG_DBG ((LOG_POLICY, 80, "ah_life_seconds == %s", ah_life_seconds)); 1560 LOG_DBG ((LOG_POLICY, 80, "ah_life_kbytes == %s", ah_life_kbytes)); 1561 LOG_DBG ((LOG_POLICY, 80, "esp_life_seconds == %s", esp_life_seconds)); 1562 LOG_DBG ((LOG_POLICY, 80, "esp_life_kbytes == %s", esp_life_kbytes)); 1563 LOG_DBG ((LOG_POLICY, 80, "comp_life_seconds == %s", comp_life_seconds)); 1564 LOG_DBG ((LOG_POLICY, 80, "comp_life_kbytes == %s", comp_life_kbytes)); 1565 LOG_DBG ((LOG_POLICY, 80, "ah_encapsulation == %s", ah_encapsulation)); 1566 LOG_DBG ((LOG_POLICY, 80, "esp_encapsulation == %s", esp_encapsulation)); 1567 LOG_DBG ((LOG_POLICY, 80, "comp_encapsulation == %s", 1568 comp_encapsulation)); 1569 LOG_DBG ((LOG_POLICY, 80, "comp_dict_size == %s", comp_dict_size)); 1570 LOG_DBG ((LOG_POLICY, 80, "comp_private_alg == %s", comp_private_alg)); 1571 LOG_DBG ((LOG_POLICY, 80, "ah_key_length == %s", ah_key_length)); 1572 LOG_DBG ((LOG_POLICY, 80, "ah_key_rounds == %s", ah_key_rounds)); 1573 LOG_DBG ((LOG_POLICY, 80, "esp_key_length == %s", esp_key_length)); 1574 LOG_DBG ((LOG_POLICY, 80, "esp_key_rounds == %s", esp_key_rounds)); 1575 LOG_DBG ((LOG_POLICY, 80, "ah_group_desc == %s", ah_group_desc)); 1576 LOG_DBG ((LOG_POLICY, 80, "esp_group_desc == %s", esp_group_desc)); 1577 LOG_DBG ((LOG_POLICY, 80, "comp_group_desc == %s", comp_group_desc)); 1578 LOG_DBG ((LOG_POLICY, 80, "remote_filter_type == %s", 1579 remote_filter_type)); 1580 LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_upper == %s", 1581 remote_filter_addr_upper)); 1582 LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_lower == %s", 1583 remote_filter_addr_lower)); 1584 LOG_DBG ((LOG_POLICY, 80, "remote_filter == %s", 1585 (remote_filter ? remote_filter : ""))); 1586 LOG_DBG ((LOG_POLICY, 80, "remote_filter_port == %s", 1587 remote_filter_port)); 1588 LOG_DBG ((LOG_POLICY, 80, "remote_filter_proto == %s", 1589 remote_filter_proto)); 1590 LOG_DBG ((LOG_POLICY, 80, "local_filter_type == %s", local_filter_type)); 1591 LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_upper == %s", 1592 local_filter_addr_upper)); 1593 LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_lower == %s", 1594 local_filter_addr_lower)); 1595 LOG_DBG ((LOG_POLICY, 80, "local_filter == %s", 1596 (local_filter ? local_filter : ""))); 1597 LOG_DBG ((LOG_POLICY, 80, "local_filter_port == %s", local_filter_port)); 1598 LOG_DBG ((LOG_POLICY, 80, "local_filter_proto == %s", 1599 local_filter_proto)); 1600 LOG_DBG ((LOG_POLICY, 80, "remote_id_type == %s", remote_id_type)); 1601 LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_upper == %s", 1602 remote_id_addr_upper)); 1603 LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_lower == %s", 1604 remote_id_addr_lower)); 1605 LOG_DBG ((LOG_POLICY, 80, "remote_id == %s", 1606 (remote_id ? remote_id : ""))); 1607 LOG_DBG ((LOG_POLICY, 80, "remote_id_port == %s", remote_id_port)); 1608 LOG_DBG ((LOG_POLICY, 80, "remote_id_proto == %s", remote_id_proto)); 1609 LOG_DBG ((LOG_POLICY, 80, "remote_negotiation_address == %s", 1610 remote_ike_address)); 1611 LOG_DBG ((LOG_POLICY, 80, "local_negotiation_address == %s", 1612 local_ike_address)); 1613 LOG_DBG ((LOG_POLICY, 80, "pfs == %s", pfs)); 1614 LOG_DBG ((LOG_POLICY, 80, "initiator == %s", initiator)); 1615 LOG_DBG ((LOG_POLICY, 80, "phase1_group_desc == %s", phase1_group)); 1616 1617 /* Unset dirty now. */ 1618 dirty = 0; 1619 } 1620 1621 if (strcmp (name, "phase_1") == 0) 1622 return phase_1; 1623 1624 if (strcmp (name, "GMTTimeOfDay") == 0) 1625 { 1626 tt = time ((time_t) NULL); 1627 strftime (mytimeofday, 14, "%Y%m%d%H%M%S", gmtime (&tt)); 1628 return mytimeofday; 1629 } 1630 1631 if (strcmp (name, "LocalTimeOfDay") == 0) 1632 { 1633 tt = time ((time_t) NULL); 1634 strftime (mytimeofday, 14, "%Y%m%d%H%M%S", localtime (&tt)); 1635 return mytimeofday; 1636 } 1637 1638 if (strcmp (name, "initiator") == 0) 1639 return initiator; 1640 1641 if (strcmp (name, "pfs") == 0) 1642 return pfs; 1643 1644 if (strcmp (name, "app_domain") == 0) 1645 return "IPsec policy"; 1646 1647 if (strcmp (name, "doi") == 0) 1648 return "ipsec"; 1649 1650 if (strcmp (name, "esp_present") == 0) 1651 return esp_present; 1652 1653 if (strcmp (name, "ah_present") == 0) 1654 return ah_present; 1655 1656 if (strcmp (name, "comp_present") == 0) 1657 return comp_present; 1658 1659 if (strcmp (name, "ah_hash_alg") == 0) 1660 return ah_hash_alg; 1661 1662 if (strcmp (name, "ah_auth_alg") == 0) 1663 return ah_auth_alg; 1664 1665 if (strcmp (name, "esp_auth_alg") == 0) 1666 return esp_auth_alg; 1667 1668 if (strcmp (name, "esp_enc_alg") == 0) 1669 return esp_enc_alg; 1670 1671 if (strcmp (name, "comp_alg") == 0) 1672 return comp_alg; 1673 1674 if (strcmp (name, "ah_life_kbytes") == 0) 1675 return ah_life_kbytes; 1676 1677 if (strcmp (name, "ah_life_seconds") == 0) 1678 return ah_life_seconds; 1679 1680 if (strcmp (name, "esp_life_kbytes") == 0) 1681 return esp_life_kbytes; 1682 1683 if (strcmp (name, "esp_life_seconds") == 0) 1684 return esp_life_seconds; 1685 1686 if (strcmp (name, "comp_life_kbytes") == 0) 1687 return comp_life_kbytes; 1688 1689 if (strcmp (name, "comp_life_seconds") == 0) 1690 return comp_life_seconds; 1691 1692 if (strcmp (name, "ah_encapsulation") == 0) 1693 return ah_encapsulation; 1694 1695 if (strcmp (name, "esp_encapsulation") == 0) 1696 return esp_encapsulation; 1697 1698 if (strcmp (name, "comp_encapsulation") == 0) 1699 return comp_encapsulation; 1700 1701 if (strcmp (name, "ah_key_length") == 0) 1702 return ah_key_length; 1703 1704 if (strcmp (name, "ah_key_rounds") == 0) 1705 return ah_key_rounds; 1706 1707 if (strcmp (name, "esp_key_length") == 0) 1708 return esp_key_length; 1709 1710 if (strcmp (name, "esp_key_rounds") == 0) 1711 return esp_key_rounds; 1712 1713 if (strcmp (name, "comp_dict_size") == 0) 1714 return comp_dict_size; 1715 1716 if (strcmp (name, "comp_private_alg") == 0) 1717 return comp_private_alg; 1718 1719 if (strcmp (name, "remote_filter_type") == 0) 1720 return remote_filter_type; 1721 1722 if (strcmp (name, "remote_filter") == 0) 1723 return (remote_filter ? remote_filter : ""); 1724 1725 if (strcmp (name, "remote_filter_addr_upper") == 0) 1726 return remote_filter_addr_upper; 1727 1728 if (strcmp (name, "remote_filter_addr_lower") == 0) 1729 return remote_filter_addr_lower; 1730 1731 if (strcmp (name, "remote_filter_port") == 0) 1732 return remote_filter_port; 1733 1734 if (strcmp (name, "remote_filter_proto") == 0) 1735 return remote_filter_proto; 1736 1737 if (strcmp (name, "local_filter_type") == 0) 1738 return local_filter_type; 1739 1740 if (strcmp (name, "local_filter") == 0) 1741 return (local_filter ? local_filter : ""); 1742 1743 if (strcmp (name, "local_filter_addr_upper") == 0) 1744 return local_filter_addr_upper; 1745 1746 if (strcmp (name, "local_filter_addr_lower") == 0) 1747 return local_filter_addr_lower; 1748 1749 if (strcmp (name, "local_filter_port") == 0) 1750 return local_filter_port; 1751 1752 if (strcmp (name, "local_filter_proto") == 0) 1753 return local_filter_proto; 1754 1755 if (strcmp (name, "remote_ike_address") == 0) 1756 return remote_ike_address; 1757 1758 if (strcmp (name, "remote_negotiation_address") == 0) 1759 return remote_ike_address; 1760 1761 if (strcmp (name, "local_ike_address") == 0) 1762 return local_ike_address; 1763 1764 if (strcmp (name, "local_negotiation_address") == 0) 1765 return local_ike_address; 1766 1767 if (strcmp (name, "remote_id_type") == 0) 1768 return remote_id_type; 1769 1770 if (strcmp (name, "remote_id") == 0) 1771 return (remote_id ? remote_id : ""); 1772 1773 if (strcmp (name, "remote_id_addr_upper") == 0) 1774 return remote_id_addr_upper; 1775 1776 if (strcmp (name, "remote_id_addr_lower") == 0) 1777 return remote_id_addr_lower; 1778 1779 if (strcmp (name, "remote_id_port") == 0) 1780 return remote_id_port; 1781 1782 if (strcmp (name, "remote_id_proto") == 0) 1783 return remote_id_proto; 1784 1785 if (strcmp (name, "phase1_group_desc") == 0) 1786 return phase1_group; 1787 1788 if (strcmp (name, "esp_group_desc") == 0) 1789 return esp_group_desc; 1790 1791 if (strcmp (name, "ah_group_desc") == 0) 1792 return ah_group_desc; 1793 1794 if (strcmp (name, "comp_group_desc") == 0) 1795 return comp_group_desc; 1796 1797 return ""; 1798 1799 bad: 1800 policy_callback (KEYNOTE_CALLBACK_INITIALIZE); 1801 return ""; 1802} 1803 1804void 1805policy_init (void) 1806{ 1807 char *ptr, *policy_file; 1808 char **asserts; 1809 size_t sz; 1810 int fd, len, i; 1811 1812 LOG_DBG ((LOG_POLICY, 30, "policy_init: initializing")); 1813 1814#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) 1815 if (!dyn_load (libkeynote_script)) 1816 return; 1817#endif 1818 1819 /* Get policy file from configuration. */ 1820 policy_file = conf_get_str ("General", "Policy-file"); 1821 if (!policy_file) 1822 policy_file = POLICY_FILE_DEFAULT; 1823 1824 /* Check file modes and collect file size */ 1825 if (check_file_secrecy (policy_file, &sz)) 1826 log_fatal ("policy_init: cannot read %s", policy_file); 1827 1828 /* Open policy file. */ 1829 fd = open (policy_file, O_RDONLY); 1830 if (fd == -1) 1831 log_fatal ("policy_init: open (\"%s\", O_RDONLY) failed", policy_file); 1832 1833 /* Allocate memory to keep policies. */ 1834 ptr = calloc (sz + 1, sizeof (char)); 1835 if (!ptr) 1836 log_fatal ("policy_init: calloc (%lu, %lu) failed", (unsigned long)sz + 1, 1837 (unsigned long)sizeof (char)); 1838 1839 /* Just in case there are short reads... */ 1840 for (len = 0; len < sz; len += i) 1841 { 1842 i = read (fd, ptr + len, sz - len); 1843 if (i == -1) 1844 log_fatal ("policy_init: read (%d, %p, %lu) failed", fd, ptr + len, 1845 (unsigned long)(sz - len)); 1846 } 1847 1848 /* We're done with this. */ 1849 close (fd); 1850 1851 /* Parse buffer, break up into individual policies. */ 1852 asserts = LK (kn_read_asserts, (ptr, sz, &i)); 1853 1854 /* Begone! */ 1855 free (ptr); 1856 1857 if (asserts == (char **) NULL) 1858 log_print ("policy_init: all policies flushed"); 1859 1860 /* Cleanup */ 1861 if (keynote_policy_asserts) 1862 { 1863 for (fd = 0; fd < keynote_policy_asserts_num; fd++) 1864 if (keynote_policy_asserts && keynote_policy_asserts[fd]) 1865 free (keynote_policy_asserts[fd]); 1866 1867 free (keynote_policy_asserts); 1868 } 1869 1870 keynote_policy_asserts = asserts; 1871 keynote_policy_asserts_num = i; 1872} 1873 1874/* Nothing needed for initialization */ 1875int 1876keynote_cert_init (void) 1877{ 1878 return 1; 1879} 1880 1881/* Just copy and return. */ 1882void * 1883keynote_cert_get (u_int8_t *data, u_int32_t len) 1884{ 1885 char *foo = malloc (len + 1); 1886 1887 if (foo == NULL) 1888 return NULL; 1889 1890 memcpy (foo, data, len); 1891 foo[len] = '\0'; 1892 return foo; 1893} 1894 1895/* 1896 * We just verify the signature on the credentials. 1897 * On signature failure, just drop the whole payload. 1898 */ 1899int 1900keynote_cert_validate (void *scert) 1901{ 1902 char **foo; 1903 int num, i; 1904 1905 if (scert == NULL) 1906 return 0; 1907 1908 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), 1909 &num)); 1910 if (foo == NULL) 1911 return 0; 1912 1913 for (i = 0; i < num; i++) 1914 { 1915 if (LK (kn_verify_assertion, (scert, strlen ((char *) scert))) 1916 != SIGRESULT_TRUE) 1917 { 1918 for (; i < num; i++) 1919 free (foo[i]); 1920 free (foo); 1921 return 0; 1922 } 1923 1924 free (foo[i]); 1925 } 1926 1927 free (foo); 1928 return 1; 1929} 1930 1931/* Add received credentials. */ 1932int 1933keynote_cert_insert (int sid, void *scert) 1934{ 1935 char **foo; 1936 int num; 1937 1938 if (scert == NULL) 1939 return 0; 1940 1941 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), 1942 &num)); 1943 if (foo == NULL) 1944 return 0; 1945 1946 while (num--) 1947 LK (kn_add_assertion, (sid, foo[num], strlen (foo[num]), 0)); 1948 1949 return 1; 1950} 1951 1952/* Just regular memory free. */ 1953void 1954keynote_cert_free (void *cert) 1955{ 1956 free (cert); 1957} 1958 1959/* Verify that the key given to us is valid. */ 1960int 1961keynote_certreq_validate (u_int8_t *data, u_int32_t len) 1962{ 1963 struct keynote_deckey dc; 1964 int err = 1; 1965 char *dat; 1966 1967 dat = calloc (len + 1, sizeof (char)); 1968 if (!dat) 1969 { 1970 log_error ("keynote_certreq_validate: calloc (%d, %lu) failed", len + 1, 1971 (unsigned long)sizeof (char)); 1972 return 0; 1973 } 1974 1975 memcpy (dat, data, len); 1976 1977 if (LK (kn_decode_key, (&dc, dat, KEYNOTE_PUBLIC_KEY)) != 0) 1978 err = 0; 1979 else 1980 LK (kn_free_key, (&dc)); 1981 1982 free (dat); 1983 1984 return err; 1985} 1986 1987/* Beats me what we should be doing with this. */ 1988void * 1989keynote_certreq_decode (u_int8_t *data, u_int32_t len) 1990{ 1991 /* XXX */ 1992 return NULL; 1993} 1994 1995void 1996keynote_free_aca (void *blob) 1997{ 1998 /* XXX */ 1999} 2000 2001int 2002keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, 2003 u_int32_t *certlen) 2004{ 2005 char *dirname, *file, *addr_str; 2006 struct stat sb; 2007 size_t size; 2008 int idtype, fd, len; 2009 2010 if (!id) 2011 { 2012 log_print ("keynote_cert_obtain: ID is missing"); 2013 return 0; 2014 } 2015 2016 /* Get type of ID. */ 2017 idtype = id[0]; 2018 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2019 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2020 2021 dirname = conf_get_str ("KeyNote", "Credential-directory"); 2022 if (!dirname) 2023 { 2024 LOG_DBG ((LOG_POLICY, 30, 2025 "keynote_cert_obtain: no Credential-directory")); 2026 return 0; 2027 } 2028 2029 len = strlen (dirname) + strlen (CREDENTIAL_FILE) + 3; 2030 2031 switch (idtype) 2032 { 2033 case IPSEC_ID_IPV4_ADDR: 2034 case IPSEC_ID_IPV6_ADDR: 2035 util_ntoa (&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6, 2036 id); 2037 if (addr_str == 0) 2038 return 0; 2039 2040 file = calloc (len + strlen (addr_str), sizeof (char)); 2041 if (file == NULL) 2042 { 2043 log_error ("keynote_cert_obtain: failed to allocate %lu bytes", 2044 (unsigned long)len + strlen (addr_str)); 2045 free (addr_str); 2046 return 0; 2047 } 2048 2049 snprintf (file, len + strlen (addr_str), "%s/%s/%s", dirname, addr_str, 2050 CREDENTIAL_FILE); 2051 free (addr_str); 2052 break; 2053 2054 case IPSEC_ID_FQDN: 2055 case IPSEC_ID_USER_FQDN: 2056 { 2057 file = calloc (len + id_len, sizeof (char)); 2058 if (file == NULL) 2059 { 2060 log_error ("keynote_cert_obtain: failed to allocate %lu bytes", 2061 (unsigned long)len + id_len); 2062 return 0; 2063 } 2064 2065 snprintf (file, len + id_len, "%s/", dirname); 2066 memcpy (file + strlen (dirname) + 1, id, id_len); 2067 snprintf (file + strlen (dirname) + 1 + id_len, 2068 len - strlen (dirname) - 1, "/%s", CREDENTIAL_FILE); 2069 break; 2070 } 2071 2072 default: 2073 return 0; 2074 } 2075 2076 if (stat (file, &sb) < 0) 2077 { 2078 LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to stat \"%s\"", 2079 file)); 2080 free (file); 2081 return 0; 2082 } 2083 size = (size_t)sb.st_size; 2084 2085 *cert = calloc (size + 1, sizeof (char)); 2086 if (*cert == NULL) 2087 { 2088 log_error ("keynote_cert_obtain: failed to allocate %lu bytes", 2089 (unsigned long)size); 2090 free (file); 2091 return 0; 2092 } 2093 2094 fd = open (file, O_RDONLY, 0); 2095 if (fd < 0) 2096 { 2097 LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to open \"%s\"", 2098 file)); 2099 free (file); 2100 return 0; 2101 } 2102 2103 if (read (fd, *cert, size) != size) 2104 { 2105 LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to read %lu " 2106 "bytes from \"%s\"", (unsigned long)size, file)); 2107 free (file); 2108 close (fd); 2109 return 0; 2110 } 2111 2112 close (fd); 2113 free (file); 2114 *certlen = size; 2115 return 1; 2116} 2117 2118/* This should never be called. */ 2119int 2120keynote_cert_get_subjects (void *scert, int *n, u_int8_t ***id, 2121 u_int32_t **id_len) 2122{ 2123 return 0; 2124} 2125 2126/* Get the authorizer key. */ 2127int 2128keynote_cert_get_key (void *scert, void *keyp) 2129{ 2130 struct keynote_keylist *kl; 2131 int sid, kid, num; 2132 char **foo; 2133 2134 foo = LK (kn_read_asserts, ((char *)scert, strlen ((char *)scert), &num)); 2135 if (foo == NULL || num == 0) 2136 { 2137 log_print ("keynote_cert_get_key: failed to decompose credentials"); 2138 return 0; 2139 } 2140 2141 kid = LK (kn_init, ()); 2142 if (kid == -1) 2143 { 2144 log_print ("keynote_cert_get_key: failed to initialize new policy " 2145 "session"); 2146 while (num--) 2147 free (foo[num]); 2148 free (foo); 2149 return 0; 2150 } 2151 2152 sid = LK (kn_add_assertion, (kid, foo[num - 1], 2153 strlen (foo[num - 1]), 0)); 2154 while (num--) 2155 free (foo[num]); 2156 free (foo); 2157 2158 if (sid == -1) 2159 { 2160 log_print ("keynote_cert_get_key: failed to add assertion"); 2161 LK (kn_close, (kid)); 2162 return 0; 2163 } 2164 2165 *(RSA **)keyp = NULL; 2166 2167 kl = LK (kn_get_licensees, (kid, sid)); 2168 while (kl) 2169 { 2170 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA) 2171 { 2172 *(RSA **)keyp = LC (RSAPublicKey_dup, (kl->key_key)); 2173 break; 2174 } 2175 2176 kl = kl->key_next; 2177 } 2178 2179 LK (kn_remove_assertion, (kid, sid)); 2180 LK (kn_close, (kid)); 2181 return *(RSA **)keyp == NULL ? 0 : 1; 2182} 2183 2184void * 2185keynote_cert_dup (void *cert) 2186{ 2187 return strdup((char *)cert); 2188} 2189 2190void 2191keynote_serialize (void *cert, u_int8_t **data, u_int32_t *datalen) 2192{ 2193 *datalen = strlen ((char *)cert) + 1; 2194 *data = strdup (cert); /* So we allocate an extra character at the end... */ 2195 if (*data == NULL) 2196 log_error ("keynote_serialize: malloc (%d) failed", *datalen); 2197} 2198 2199/* From cert to printable */ 2200char * 2201keynote_printable (void *cert) 2202{ 2203 return strdup ((char *)cert); 2204} 2205 2206/* From printable to cert */ 2207void * 2208keynote_from_printable (char *cert) 2209{ 2210 return strdup (cert); 2211} 2212