policy.c revision 1.60
1/* $OpenBSD: policy.c,v 1.60 2003/05/14 18:10:30 ho Exp $ */ 2/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ 3 4/* 5 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. 6 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 7 * Copyright (c) 2001 H�kan Olsson. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. All advertising materials mentioning features or use of this software 18 * must display the following acknowledgement: 19 * This product includes software developed by Ericsson Radio Systems. 20 * 4. The name of the author may not be used to endorse or promote products 21 * derived from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35/* 36 * This code was written under funding by Ericsson Radio Systems. 37 */ 38 39#include <sys/types.h> 40#include <sys/param.h> 41#include <sys/mman.h> 42#include <sys/queue.h> 43#include <sys/stat.h> 44#include <regex.h> 45#include <ctype.h> 46#include <fcntl.h> 47#include <stdio.h> 48#include <stdlib.h> 49#include <string.h> 50#include <unistd.h> 51#include <keynote.h> 52#include <sys/socket.h> 53#include <netinet/in.h> 54#include <arpa/inet.h> 55#include <errno.h> 56#include <openssl/ssl.h> 57#include <netdb.h> 58 59#include "sysdep.h" 60 61#include "conf.h" 62#include "exchange.h" 63#include "ipsec.h" 64#include "isakmp_doi.h" 65#include "sa.h" 66#include "transport.h" 67#include "log.h" 68#include "message.h" 69#include "util.h" 70#include "policy.h" 71#include "x509.h" 72 73char **keynote_policy_asserts = NULL; 74int keynote_policy_asserts_num = 0; 75struct exchange *policy_exchange = 0; 76struct sa *policy_sa = 0; 77struct sa *policy_isakmp_sa = 0; 78 79static const char hextab[] = { 80 '0', '1', '2', '3', '4', '5', '6', '7', 81 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 82}; 83 84/* 85 * Adaptation of Vixie's inet_ntop4 () 86 */ 87static const char * 88my_inet_ntop4 (const in_addr_t *src, char *dst, size_t size, int normalize) 89{ 90 static const char fmt[] = "%03u.%03u.%03u.%03u"; 91 char tmp[sizeof "255.255.255.255"]; 92 in_addr_t src2; 93 94 if (normalize) 95 src2 = ntohl (*src); 96 else 97 src2 = *src; 98 99 if (snprintf (tmp, sizeof tmp, fmt, ((u_int8_t *) &src2)[0], 100 ((u_int8_t *) &src2)[1], ((u_int8_t *) &src2)[2], 101 ((u_int8_t *) &src2)[3]) > size) 102 { 103 errno = ENOSPC; 104 return 0; 105 } 106 strlcpy (dst, tmp, size); 107 return dst; 108} 109 110static const char * 111my_inet_ntop6 (const unsigned char *src, char *dst, size_t size) 112{ 113 static const char fmt[] = "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x"; 114 char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"]; 115 116 if (snprintf (tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3], src[4], 117 src[5], src[6], src[7], src[8], src[9], src[10], src[11], 118 src[12], src[13], src[14], src[15]) > size) 119 { 120 errno = ENOSPC; 121 return 0; 122 } 123 strlcpy (dst, tmp, size); 124 return dst; 125} 126 127char * 128policy_callback (char *name) 129{ 130 struct proto *proto; 131 132 u_int8_t *attr, *value, *id, *idlocal, *idremote; 133 size_t id_sz, idlocalsz, idremotesz; 134 struct sockaddr *sin; 135 struct ipsec_exch *ie; 136 struct ipsec_sa *is; 137 int fmt, i, lifetype = 0; 138 in_addr_t net, subnet; 139 u_int16_t len, type; 140 time_t tt; 141 char *addr; 142 static char mytimeofday[15]; 143 144 /* We use all these as a cache. */ 145#define PMAX 32 146 static char *esp_present, *ah_present, *comp_present; 147 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; 148 static char *comp_alg, ah_life_kbytes[PMAX], ah_life_seconds[PMAX]; 149 static char esp_life_kbytes[PMAX], esp_life_seconds[PMAX]; 150 static char comp_life_kbytes[PMAX]; 151 static char *ah_ecn, *esp_ecn, *comp_ecn; 152 static char comp_life_seconds[PMAX], *ah_encapsulation, *esp_encapsulation; 153 static char *comp_encapsulation, ah_key_length[PMAX], esp_key_length[PMAX]; 154 static char ah_key_rounds[PMAX], esp_key_rounds[PMAX], comp_dict_size[PMAX]; 155 static char comp_private_alg[PMAX], *remote_filter_type, *local_filter_type; 156 static char remote_filter_addr_upper[NI_MAXHOST]; 157 static char remote_filter_addr_lower[NI_MAXHOST]; 158 static char local_filter_addr_upper[NI_MAXHOST]; 159 static char local_filter_addr_lower[NI_MAXHOST]; 160 static char ah_group_desc[PMAX], esp_group_desc[PMAX], comp_group_desc[PMAX]; 161 static char remote_ike_address[NI_MAXHOST]; 162 static char local_ike_address[NI_MAXHOST]; 163 static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST], *phase_1; 164 static char remote_id_addr_lower[NI_MAXHOST]; 165 static char *remote_id_proto, remote_id_port[PMAX]; 166 static char remote_filter_port[PMAX], local_filter_port[PMAX]; 167 static char *remote_filter_proto, *local_filter_proto, *pfs, *initiator; 168 static char remote_filter_proto_num[3], local_filter_proto_num[3]; 169 static char remote_id_proto_num[3]; 170 static char phase1_group[PMAX]; 171 172 /* Allocated. */ 173 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; 174 175 static int dirty = 1; 176 177 /* We only need to set dirty at initialization time really. */ 178 if (strcmp (name, KEYNOTE_CALLBACK_CLEANUP) == 0 179 || strcmp (name, KEYNOTE_CALLBACK_INITIALIZE) == 0) 180 { 181 esp_present = ah_present = comp_present = pfs = "no"; 182 ah_hash_alg = ah_auth_alg = phase_1 = ""; 183 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; 184 ah_ecn = esp_ecn = comp_ecn = "no"; 185 esp_encapsulation = comp_encapsulation = remote_filter_type = ""; 186 local_filter_type = remote_id_type = initiator = ""; 187 remote_filter_proto = local_filter_proto = remote_id_proto = ""; 188 189 if (remote_filter != 0) 190 { 191 free (remote_filter); 192 remote_filter = 0; 193 } 194 195 if (local_filter != 0) 196 { 197 free (local_filter); 198 local_filter = 0; 199 } 200 201 if (remote_id != 0) 202 { 203 free (remote_id); 204 remote_id = 0; 205 } 206 207 memset (remote_ike_address, 0, sizeof remote_ike_address); 208 memset (local_ike_address, 0, sizeof local_ike_address); 209 memset (ah_life_kbytes, 0, sizeof ah_life_kbytes); 210 memset (ah_life_seconds, 0, sizeof ah_life_seconds); 211 memset (esp_life_kbytes, 0, sizeof esp_life_kbytes); 212 memset (esp_life_seconds, 0, sizeof esp_life_seconds); 213 memset (comp_life_kbytes, 0, sizeof comp_life_kbytes); 214 memset (comp_life_seconds, 0, sizeof comp_life_seconds); 215 memset (ah_key_length, 0, sizeof ah_key_length); 216 memset (ah_key_rounds, 0, sizeof ah_key_rounds); 217 memset (esp_key_length, 0, sizeof esp_key_length); 218 memset (esp_key_rounds, 0, sizeof esp_key_rounds); 219 memset (comp_dict_size, 0, sizeof comp_dict_size); 220 memset (comp_private_alg, 0, sizeof comp_private_alg); 221 memset (remote_filter_addr_upper, 0, sizeof remote_filter_addr_upper); 222 memset (remote_filter_addr_lower, 0, sizeof remote_filter_addr_lower); 223 memset (local_filter_addr_upper, 0, sizeof local_filter_addr_upper); 224 memset (local_filter_addr_lower, 0, sizeof local_filter_addr_lower); 225 memset (remote_id_addr_upper, 0, sizeof remote_id_addr_upper); 226 memset (remote_id_addr_lower, 0, sizeof remote_id_addr_lower); 227 memset (ah_group_desc, 0, sizeof ah_group_desc); 228 memset (esp_group_desc, 0, sizeof esp_group_desc); 229 memset (remote_id_port, 0, sizeof remote_id_port); 230 memset (remote_filter_port, 0, sizeof remote_filter_port); 231 memset (local_filter_port, 0, sizeof local_filter_port); 232 memset (phase1_group, 0, sizeof phase1_group); 233 234 dirty = 1; 235 return ""; 236 } 237 238 /* 239 * If dirty is set, this is the first request for an attribute, so 240 * populate our value cache. 241 */ 242 if (dirty) 243 { 244 ie = policy_exchange->data; 245 246 if (ie->pfs) 247 pfs = "yes"; 248 249 is = policy_isakmp_sa->data; 250 snprintf (phase1_group, PMAX, "%u", is->group_desc); 251 252 for (proto = TAILQ_FIRST (&policy_sa->protos); proto; 253 proto = TAILQ_NEXT (proto, link)) 254 { 255 switch (proto->proto) 256 { 257 case IPSEC_PROTO_IPSEC_AH: 258 ah_present = "yes"; 259 switch (proto->id) 260 { 261 case IPSEC_AH_MD5: 262 ah_hash_alg = "md5"; 263 break; 264 265 case IPSEC_AH_SHA: 266 ah_hash_alg = "sha"; 267 break; 268 269 case IPSEC_AH_RIPEMD: 270 ah_hash_alg = "ripemd"; 271 break; 272 273 case IPSEC_AH_DES: 274 ah_hash_alg = "des"; 275 break; 276 } 277 278 break; 279 280 case IPSEC_PROTO_IPSEC_ESP: 281 esp_present = "yes"; 282 switch (proto->id) 283 { 284 case IPSEC_ESP_DES_IV64: 285 esp_enc_alg = "des-iv64"; 286 break; 287 288 case IPSEC_ESP_DES: 289 esp_enc_alg = "des"; 290 break; 291 292 case IPSEC_ESP_3DES: 293 esp_enc_alg = "3des"; 294 break; 295 296 case IPSEC_ESP_AES: 297 case IPSEC_ESP_AES_128_CTR: 298 esp_enc_alg = "aes"; 299 break; 300 301 case IPSEC_ESP_RC5: 302 esp_enc_alg = "rc5"; 303 break; 304 305 case IPSEC_ESP_IDEA: 306 esp_enc_alg = "idea"; 307 break; 308 309 case IPSEC_ESP_CAST: 310 esp_enc_alg = "cast"; 311 break; 312 313 case IPSEC_ESP_BLOWFISH: 314 esp_enc_alg = "blowfish"; 315 break; 316 317 case IPSEC_ESP_3IDEA: 318 esp_enc_alg = "3idea"; 319 break; 320 321 case IPSEC_ESP_DES_IV32: 322 esp_enc_alg = "des-iv32"; 323 break; 324 325 case IPSEC_ESP_RC4: 326 esp_enc_alg = "rc4"; 327 break; 328 329 case IPSEC_ESP_NULL: 330 esp_enc_alg = "null"; 331 break; 332 } 333 334 break; 335 336 case IPSEC_PROTO_IPCOMP: 337 comp_present = "yes"; 338 switch (proto->id) 339 { 340 case IPSEC_IPCOMP_OUI: 341 comp_alg = "oui"; 342 break; 343 344 case IPSEC_IPCOMP_DEFLATE: 345 comp_alg = "deflate"; 346 break; 347 348 case IPSEC_IPCOMP_LZS: 349 comp_alg = "lzs"; 350 break; 351 352 case IPSEC_IPCOMP_V42BIS: 353 comp_alg = "v42bis"; 354 break; 355 } 356 357 break; 358 } 359 360 for (attr = proto->chosen->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF; 361 attr 362 < proto->chosen->p + GET_ISAKMP_GEN_LENGTH (proto->chosen->p); 363 attr = value + len) 364 { 365 if (attr + ISAKMP_ATTR_VALUE_OFF 366 > (proto->chosen->p 367 + GET_ISAKMP_GEN_LENGTH (proto->chosen->p))) 368 return ""; 369 370 type = GET_ISAKMP_ATTR_TYPE (attr); 371 fmt = ISAKMP_ATTR_FORMAT (type); 372 type = ISAKMP_ATTR_TYPE (type); 373 value = attr + (fmt ? ISAKMP_ATTR_LENGTH_VALUE_OFF : 374 ISAKMP_ATTR_VALUE_OFF); 375 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : 376 GET_ISAKMP_ATTR_LENGTH_VALUE (attr)); 377 378 if (value + len > proto->chosen->p + 379 GET_ISAKMP_GEN_LENGTH (proto->chosen->p)) 380 return ""; 381 382 switch (type) 383 { 384 case IPSEC_ATTR_SA_LIFE_TYPE: 385 lifetype = decode_16 (value); 386 break; 387 388 case IPSEC_ATTR_SA_LIFE_DURATION: 389 switch (proto->proto) 390 { 391 case IPSEC_PROTO_IPSEC_AH: 392 if (lifetype == IPSEC_DURATION_SECONDS) 393 { 394 if (len == 2) 395 snprintf (ah_life_seconds, PMAX, "%u", 396 decode_16 (value)); 397 else 398 snprintf (ah_life_seconds, PMAX, "%u", 399 decode_32 (value)); 400 } 401 else 402 { 403 if (len == 2) 404 snprintf (ah_life_kbytes, PMAX, "%u", 405 decode_16 (value)); 406 else 407 snprintf (ah_life_kbytes, PMAX, "%u", 408 decode_32 (value)); 409 } 410 411 break; 412 413 case IPSEC_PROTO_IPSEC_ESP: 414 if (lifetype == IPSEC_DURATION_SECONDS) 415 { 416 if (len == 2) 417 snprintf (esp_life_seconds, PMAX, "%u", 418 decode_16 (value)); 419 else 420 snprintf (esp_life_seconds, PMAX, "%u", 421 decode_32 (value)); 422 } 423 else 424 { 425 if (len == 2) 426 snprintf (esp_life_kbytes, PMAX, "%u", 427 decode_16 (value)); 428 else 429 snprintf (esp_life_kbytes, PMAX, "%u", 430 decode_32 (value)); 431 } 432 433 break; 434 435 case IPSEC_PROTO_IPCOMP: 436 if (lifetype == IPSEC_DURATION_SECONDS) 437 { 438 if (len == 2) 439 snprintf (comp_life_seconds, PMAX, "%u", 440 decode_16 (value)); 441 else 442 snprintf (comp_life_seconds, PMAX, "%u", 443 decode_32 (value)); 444 } 445 else 446 { 447 if (len == 2) 448 snprintf (comp_life_kbytes, PMAX, "%u", 449 decode_16 (value)); 450 else 451 snprintf (comp_life_kbytes, PMAX, "%u", 452 decode_32 (value)); 453 } 454 455 break; 456 } 457 break; 458 459 case IPSEC_ATTR_GROUP_DESCRIPTION: 460 switch (proto->proto) 461 { 462 case IPSEC_PROTO_IPSEC_AH: 463 snprintf (ah_group_desc, PMAX, "%u", decode_16 (value)); 464 break; 465 466 case IPSEC_PROTO_IPSEC_ESP: 467 snprintf (esp_group_desc, PMAX, "%u", 468 decode_16 (value)); 469 break; 470 471 case IPSEC_PROTO_IPCOMP: 472 snprintf (comp_group_desc, PMAX, "%u", 473 decode_16 (value)); 474 break; 475 } 476 break; 477 478 case IPSEC_ATTR_ECN_TUNNEL: 479 if (decode_16 (value)) 480 switch (proto->proto) 481 { 482 case IPSEC_PROTO_IPSEC_AH: 483 ah_ecn = "yes"; 484 break; 485 486 case IPSEC_PROTO_IPSEC_ESP: 487 esp_ecn = "yes"; 488 break; 489 490 case IPSEC_PROTO_IPCOMP: 491 comp_ecn = "yes"; 492 break; 493 } 494 495 case IPSEC_ATTR_ENCAPSULATION_MODE: 496 if (decode_16 (value) == IPSEC_ENCAP_TUNNEL) 497 switch (proto->proto) 498 { 499 case IPSEC_PROTO_IPSEC_AH: 500 ah_encapsulation = "tunnel"; 501 break; 502 503 case IPSEC_PROTO_IPSEC_ESP: 504 esp_encapsulation = "tunnel"; 505 break; 506 507 case IPSEC_PROTO_IPCOMP: 508 comp_encapsulation = "tunnel"; 509 break; 510 } 511 else 512 switch (proto->proto) 513 { 514 case IPSEC_PROTO_IPSEC_AH: 515 ah_encapsulation = "transport"; 516 break; 517 518 case IPSEC_PROTO_IPSEC_ESP: 519 esp_encapsulation = "transport"; 520 break; 521 522 case IPSEC_PROTO_IPCOMP: 523 comp_encapsulation = "transport"; 524 break; 525 } 526 break; 527 528 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: 529 switch (proto->proto) 530 { 531 case IPSEC_PROTO_IPSEC_AH: 532 switch (decode_16 (value)) 533 { 534 case IPSEC_AUTH_HMAC_MD5: 535 ah_auth_alg = "hmac-md5"; 536 break; 537 538 case IPSEC_AUTH_HMAC_SHA: 539 ah_auth_alg = "hmac-sha"; 540 break; 541 542 case IPSEC_AUTH_HMAC_RIPEMD: 543 ah_auth_alg = "hmac-ripemd"; 544 break; 545 546 case IPSEC_AUTH_DES_MAC: 547 ah_auth_alg = "des-mac"; 548 break; 549 550 case IPSEC_AUTH_KPDK: 551 ah_auth_alg = "kpdk"; 552 break; 553 } 554 break; 555 556 case IPSEC_PROTO_IPSEC_ESP: 557 switch (decode_16 (value)) 558 { 559 case IPSEC_AUTH_HMAC_MD5: 560 esp_auth_alg = "hmac-md5"; 561 break; 562 563 case IPSEC_AUTH_HMAC_SHA: 564 esp_auth_alg = "hmac-sha"; 565 break; 566 567 case IPSEC_AUTH_HMAC_RIPEMD: 568 esp_auth_alg = "hmac-ripemd"; 569 break; 570 571 case IPSEC_AUTH_DES_MAC: 572 esp_auth_alg = "des-mac"; 573 break; 574 575 case IPSEC_AUTH_KPDK: 576 esp_auth_alg = "kpdk"; 577 break; 578 } 579 break; 580 } 581 break; 582 583 case IPSEC_ATTR_KEY_LENGTH: 584 switch (proto->proto) 585 { 586 case IPSEC_PROTO_IPSEC_AH: 587 snprintf (ah_key_length, PMAX, "%u", decode_16 (value)); 588 break; 589 590 case IPSEC_PROTO_IPSEC_ESP: 591 snprintf (esp_key_length, PMAX, "%u", 592 decode_16 (value)); 593 break; 594 } 595 break; 596 597 case IPSEC_ATTR_KEY_ROUNDS: 598 switch (proto->proto) 599 { 600 case IPSEC_PROTO_IPSEC_AH: 601 snprintf (ah_key_rounds, PMAX, "%u", decode_16 (value)); 602 break; 603 604 case IPSEC_PROTO_IPSEC_ESP: 605 snprintf (esp_key_rounds, PMAX, "%u", 606 decode_16 (value)); 607 break; 608 } 609 break; 610 611 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: 612 snprintf (comp_dict_size, PMAX, "%u", decode_16 (value)); 613 break; 614 615 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: 616 snprintf (comp_private_alg, PMAX, "%u", decode_16 (value)); 617 break; 618 } 619 } 620 } 621 622 policy_sa->transport->vtbl->get_src (policy_sa->transport, &sin); 623 if (sockaddr2text (sin, &addr, 1)) 624 { 625 log_error ("policy_callback: sockaddr2text failed"); 626 goto bad; 627 } 628 strlcpy (local_ike_address, addr, sizeof local_ike_address); 629 free (addr); 630 631 policy_sa->transport->vtbl->get_dst (policy_sa->transport, &sin); 632 if (sockaddr2text (sin, &addr, 1)) 633 { 634 log_error ("policy_callback: sockaddr2text failed"); 635 goto bad; 636 } 637 strlcpy (remote_ike_address, addr, sizeof remote_ike_address); 638 free (addr); 639 640 switch (policy_isakmp_sa->exch_type) 641 { 642 case ISAKMP_EXCH_AGGRESSIVE: 643 phase_1 = "aggressive"; 644 break; 645 646 case ISAKMP_EXCH_ID_PROT: 647 phase_1 = "main"; 648 break; 649 } 650 651 if (policy_isakmp_sa->initiator) 652 { 653 id = policy_isakmp_sa->id_r; 654 id_sz = policy_isakmp_sa->id_r_len; 655 } 656 else 657 { 658 id = policy_isakmp_sa->id_i; 659 id_sz = policy_isakmp_sa->id_i_len; 660 } 661 662 switch (id[0]) 663 { 664 case IPSEC_ID_IPV4_ADDR: 665 remote_id_type = "IPv4 address"; 666 667 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 668 my_inet_ntop4 (&net, remote_id_addr_upper, 669 sizeof remote_id_addr_upper - 1, 1); 670 my_inet_ntop4 (&net, remote_id_addr_lower, 671 sizeof remote_id_addr_lower - 1, 1); 672 remote_id = strdup (remote_id_addr_upper); 673 if (!remote_id) 674 { 675 log_error ("policy_callback: strdup (\"%s\") failed", 676 remote_id_addr_upper); 677 goto bad; 678 } 679 break; 680 681 case IPSEC_ID_IPV4_RANGE: 682 remote_id_type = "IPv4 range"; 683 684 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 685 my_inet_ntop4 (&net, remote_id_addr_lower, 686 sizeof remote_id_addr_lower - 1, 1); 687 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 688 my_inet_ntop4 (&net, remote_id_addr_upper, 689 sizeof remote_id_addr_upper - 1, 1); 690 len = strlen (remote_id_addr_upper) + strlen (remote_id_addr_lower) 691 + 2; 692 remote_id = calloc (len, sizeof (char)); 693 if (!remote_id) 694 { 695 log_error ("policy_callback: calloc (%d, %lu) failed", len, 696 (unsigned long)sizeof (char)); 697 goto bad; 698 } 699 700 strlcpy (remote_id, remote_id_addr_lower, len); 701 strlcat (remote_id, "-", len); 702 strlcat (remote_id, remote_id_addr_upper, len); 703 break; 704 705 case IPSEC_ID_IPV4_ADDR_SUBNET: 706 remote_id_type = "IPv4 subnet"; 707 708 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 709 subnet = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 710 net &= subnet; 711 my_inet_ntop4 (&net, remote_id_addr_lower, 712 sizeof remote_id_addr_lower - 1, 1); 713 net |= ~subnet; 714 my_inet_ntop4 (&net, remote_id_addr_upper, 715 sizeof remote_id_addr_upper - 1, 1); 716 len = strlen (remote_id_addr_upper) + strlen (remote_id_addr_lower) 717 + 2; 718 remote_id = calloc (len, sizeof (char)); 719 if (!remote_id) 720 { 721 log_error ("policy_callback: calloc (%d, %lu) failed", len, 722 (unsigned long)sizeof (char)); 723 goto bad; 724 } 725 726 strlcpy (remote_id, remote_id_addr_lower, len); 727 strlcat (remote_id, "-", len); 728 strlcat (remote_id, remote_id_addr_upper, len); 729 break; 730 731 case IPSEC_ID_IPV6_ADDR: 732 remote_id_type = "IPv6 address"; 733 my_inet_ntop6 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 734 remote_id_addr_upper, sizeof remote_id_addr_upper); 735 strlcpy (remote_id_addr_lower, remote_id_addr_upper, 736 sizeof remote_id_addr_lower); 737 remote_id = strdup (remote_id_addr_upper); 738 if (!remote_id) 739 { 740 log_error ("policy_callback: strdup (\"%s\") failed", 741 remote_id_addr_upper); 742 goto bad; 743 } 744 break; 745 746 case IPSEC_ID_IPV6_RANGE: 747 remote_id_type = "IPv6 range"; 748 749 my_inet_ntop6 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 750 remote_id_addr_lower, 751 sizeof remote_id_addr_lower - 1); 752 753 my_inet_ntop6 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, 754 remote_id_addr_upper, 755 sizeof remote_id_addr_upper - 1); 756 757 len = strlen (remote_id_addr_upper) + strlen (remote_id_addr_lower) 758 + 2; 759 remote_id = calloc (len, sizeof (char)); 760 if (!remote_id) 761 { 762 log_error ("policy_callback: calloc (%d, %lu) failed", len, 763 (unsigned long)sizeof (char)); 764 goto bad; 765 } 766 767 strlcpy (remote_id, remote_id_addr_lower, len); 768 strlcat (remote_id, "-", len); 769 strlcat (remote_id, remote_id_addr_upper, len); 770 break; 771 772 case IPSEC_ID_IPV6_ADDR_SUBNET: 773 { 774 struct in6_addr net, mask; 775 776 remote_id_type = "IPv6 subnet"; 777 778 bcopy (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, &net, sizeof (net)); 779 bcopy (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, &mask, 780 sizeof (mask)); 781 782 for (i = 0; i < 16; i++) 783 net.s6_addr[i] &= mask.s6_addr[i]; 784 785 my_inet_ntop6 ((unsigned char *) &net, remote_id_addr_lower, 786 sizeof remote_id_addr_lower - 1); 787 788 for (i = 0; i < 16; i++) 789 net.s6_addr[i] |= ~mask.s6_addr[i]; 790 791 my_inet_ntop6 ((unsigned char *) &net, remote_id_addr_upper, 792 sizeof remote_id_addr_upper - 1); 793 794 len = strlen (remote_id_addr_upper) + strlen (remote_id_addr_lower) 795 + 2; 796 remote_id = calloc (len, sizeof (char)); 797 if (!remote_id) 798 { 799 log_error ("policy_callback: calloc (%d, %lu) failed", len, 800 (unsigned long)sizeof (char)); 801 goto bad; 802 } 803 804 strlcpy (remote_id, remote_id_addr_lower, len); 805 strlcat (remote_id, "-", len); 806 strlcat (remote_id, remote_id_addr_upper, len); 807 break; 808 } 809 810 case IPSEC_ID_FQDN: 811 remote_id_type = "FQDN"; 812 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 813 sizeof (char)); 814 if (!remote_id) 815 { 816 log_error ("policy_callback: calloc (%lu, %lu) failed", 817 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 818 (unsigned long)sizeof (char)); 819 goto bad; 820 } 821 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 822 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 823 break; 824 825 case IPSEC_ID_USER_FQDN: 826 remote_id_type = "User FQDN"; 827 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 828 sizeof (char)); 829 if (!remote_id) 830 { 831 log_error ("policy_callback: calloc (%lu, %lu) failed", 832 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 833 (unsigned long)sizeof (char)); 834 goto bad; 835 } 836 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 837 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 838 break; 839 840 case IPSEC_ID_DER_ASN1_DN: 841 remote_id_type = "ASN1 DN"; 842 843 remote_id = x509_DN_string (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 844 id_sz - ISAKMP_ID_DATA_OFF 845 + ISAKMP_GEN_SZ); 846 if (!remote_id) 847 { 848 LOG_DBG ((LOG_POLICY, 50, 849 "policy_callback: failed to decode name")); 850 goto bad; 851 } 852 break; 853 854 case IPSEC_ID_DER_ASN1_GN: /* XXX */ 855 remote_id_type = "ASN1 GN"; 856 break; 857 858 case IPSEC_ID_KEY_ID: 859 remote_id_type = "Key ID"; 860 remote_id 861 = calloc (2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 862 sizeof (char)); 863 if (!remote_id) 864 { 865 log_error ("policy_callback: calloc (%lu, %lu) failed", 866 2 * ((unsigned long)id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 867 (unsigned long)sizeof (char)); 868 goto bad; 869 } 870 /* Does it contain any non-printable characters ? */ 871 for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++) 872 if (!isprint (*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + i))) 873 break; 874 if (i >= id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) 875 { 876 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 877 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 878 break; 879 } 880 /* Non-printable characters, convert to hex */ 881 for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++) 882 { 883 remote_id[2 * i] 884 = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]; 885 remote_id[2 * i + 1] 886 = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF]; 887 } 888 break; 889 890 default: 891 log_print ("policy_callback: unknown remote ID type %u", id[0]); 892 goto bad; 893 } 894 895 switch (id[1]) 896 { 897 case IPPROTO_TCP: 898 remote_id_proto = "tcp"; 899 break; 900 901 case IPPROTO_UDP: 902 remote_id_proto = "udp"; 903 break; 904 905#ifdef IPPROTO_ETHERIP 906 case IPPROTO_ETHERIP: 907 remote_id_proto = "etherip"; 908 break; 909#endif 910 911 default: 912 snprintf (remote_id_proto_num, 3, "%d", id[1]); 913 remote_id_proto = remote_id_proto_num; 914 break; 915 } 916 917 snprintf (remote_id_port, sizeof remote_id_port - 1, "%u", 918 decode_16 (id + 2)); 919 920 if (policy_exchange->initiator) 921 { 922 initiator = "yes"; 923 idlocal = ie->id_ci; 924 idremote = ie->id_cr; 925 idlocalsz = ie->id_ci_sz; 926 idremotesz = ie->id_cr_sz; 927 } 928 else 929 { 930 initiator = "no"; 931 idlocal = ie->id_cr; 932 idremote = ie->id_ci; 933 idlocalsz = ie->id_cr_sz; 934 idremotesz = ie->id_ci_sz; 935 } 936 937 /* Initialize the ID variables. */ 938 if (idremote) 939 { 940 switch (GET_ISAKMP_ID_TYPE (idremote)) 941 { 942 case IPSEC_ID_IPV4_ADDR: 943 remote_filter_type = "IPv4 address"; 944 945 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 946 my_inet_ntop4 (&net, remote_filter_addr_upper, 947 sizeof remote_filter_addr_upper - 1, 1); 948 my_inet_ntop4 (&net, remote_filter_addr_lower, 949 sizeof remote_filter_addr_lower - 1, 1); 950 remote_filter = strdup (remote_filter_addr_upper); 951 if (!remote_filter) 952 { 953 log_error ("policy_callback: strdup (\"%s\") failed", 954 remote_filter_addr_upper); 955 goto bad; 956 } 957 break; 958 959 case IPSEC_ID_IPV4_RANGE: 960 remote_filter_type = "IPv4 range"; 961 962 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 963 my_inet_ntop4 (&net, remote_filter_addr_lower, 964 sizeof remote_filter_addr_lower - 1, 1); 965 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 966 my_inet_ntop4 (&net, remote_filter_addr_upper, 967 sizeof remote_filter_addr_upper - 1, 1); 968 len = strlen (remote_filter_addr_upper) 969 + strlen (remote_filter_addr_lower) + 2; 970 remote_filter = calloc (len, sizeof (char)); 971 if (!remote_filter) 972 { 973 log_error ("policy_callback: calloc (%d, %lu) failed", len, 974 (unsigned long)sizeof (char)); 975 goto bad; 976 } 977 978 strlcpy (remote_filter, remote_filter_addr_lower, len); 979 strlcat (remote_filter, "-", len); 980 strlcat (remote_filter, remote_filter_addr_upper, len); 981 break; 982 983 case IPSEC_ID_IPV4_ADDR_SUBNET: 984 remote_filter_type = "IPv4 subnet"; 985 986 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 987 subnet = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 988 net &= subnet; 989 my_inet_ntop4 (&net, remote_filter_addr_lower, 990 sizeof remote_filter_addr_lower - 1, 1); 991 net |= ~subnet; 992 my_inet_ntop4 (&net, remote_filter_addr_upper, 993 sizeof remote_filter_addr_upper - 1, 1); 994 len = strlen (remote_filter_addr_upper) 995 + strlen (remote_filter_addr_lower) + 2; 996 remote_filter = calloc (len, sizeof (char)); 997 if (!remote_filter) 998 { 999 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1000 (unsigned long)sizeof (char)); 1001 goto bad; 1002 } 1003 strlcpy (remote_filter, remote_filter_addr_lower, len); 1004 strlcat (remote_filter, "-", len); 1005 strlcat (remote_filter, remote_filter_addr_upper, len); 1006 break; 1007 1008 case IPSEC_ID_IPV6_ADDR: 1009 remote_filter_type = "IPv6 address"; 1010 my_inet_ntop6 (idremote + ISAKMP_ID_DATA_OFF, 1011 remote_filter_addr_upper, 1012 sizeof remote_filter_addr_upper - 1); 1013 strlcpy (remote_filter_addr_lower, remote_filter_addr_upper, 1014 sizeof remote_filter_addr_lower); 1015 remote_filter = strdup (remote_filter_addr_upper); 1016 if (!remote_filter) 1017 { 1018 log_error ("policy_callback: strdup (\"%s\") failed", 1019 remote_filter_addr_upper); 1020 goto bad; 1021 } 1022 break; 1023 1024 case IPSEC_ID_IPV6_RANGE: 1025 remote_filter_type = "IPv6 range"; 1026 1027 my_inet_ntop6 (idremote + ISAKMP_ID_DATA_OFF, 1028 remote_filter_addr_lower, 1029 sizeof remote_filter_addr_lower - 1); 1030 1031 my_inet_ntop6 (idremote + ISAKMP_ID_DATA_OFF + 16, 1032 remote_filter_addr_upper, 1033 sizeof remote_filter_addr_upper - 1); 1034 1035 len = strlen (remote_filter_addr_upper) 1036 + strlen (remote_filter_addr_lower) + 2; 1037 remote_filter = calloc (len, sizeof (char)); 1038 if (!remote_filter) 1039 { 1040 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1041 (unsigned long)sizeof (char)); 1042 goto bad; 1043 } 1044 1045 strlcpy (remote_filter, remote_filter_addr_lower, len); 1046 strlcat (remote_filter, "-", len); 1047 strlcat (remote_filter, remote_filter_addr_upper, len); 1048 break; 1049 1050 case IPSEC_ID_IPV6_ADDR_SUBNET: 1051 { 1052 struct in6_addr net, mask; 1053 1054 remote_filter_type = "IPv6 subnet"; 1055 1056 bcopy (idremote + ISAKMP_ID_DATA_OFF, &net, sizeof (net)); 1057 bcopy (idremote + ISAKMP_ID_DATA_OFF + 16, &mask, sizeof (mask)); 1058 1059 for (i = 0; i < 16; i++) 1060 net.s6_addr[i] &= mask.s6_addr[i]; 1061 1062 my_inet_ntop6 ((unsigned char *) &net, remote_filter_addr_lower, 1063 sizeof remote_filter_addr_lower - 1); 1064 1065 for (i = 0; i < 16; i++) 1066 net.s6_addr[i] |= ~mask.s6_addr[i]; 1067 1068 my_inet_ntop6 ((unsigned char *) &net, remote_filter_addr_upper, 1069 sizeof remote_filter_addr_upper - 1); 1070 1071 len = strlen (remote_filter_addr_upper) 1072 + strlen (remote_filter_addr_lower) + 2; 1073 remote_filter = calloc (len, sizeof (char)); 1074 if (!remote_filter) 1075 { 1076 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1077 (unsigned long)sizeof (char)); 1078 goto bad; 1079 } 1080 1081 strlcpy (remote_filter, remote_filter_addr_lower, len); 1082 strlcat (remote_filter, "-", len); 1083 strlcat (remote_filter, remote_filter_addr_upper, len); 1084 break; 1085 } 1086 1087 case IPSEC_ID_FQDN: 1088 remote_filter_type = "FQDN"; 1089 remote_filter = malloc (idremotesz - ISAKMP_ID_DATA_OFF + 1); 1090 if (!remote_filter) 1091 { 1092 log_error ("policy_callback: malloc (%lu) failed", 1093 (unsigned long)idremotesz - ISAKMP_ID_DATA_OFF + 1); 1094 goto bad; 1095 } 1096 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 1097 idremotesz - ISAKMP_ID_DATA_OFF); 1098 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] = '\0'; 1099 break; 1100 1101 case IPSEC_ID_USER_FQDN: 1102 remote_filter_type = "User FQDN"; 1103 remote_filter = malloc (idremotesz - ISAKMP_ID_DATA_OFF + 1); 1104 if (!remote_filter) 1105 { 1106 log_error ("policy_callback: malloc (%lu) failed", 1107 (unsigned long)idremotesz - ISAKMP_ID_DATA_OFF + 1); 1108 goto bad; 1109 } 1110 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 1111 idremotesz - ISAKMP_ID_DATA_OFF); 1112 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] = '\0'; 1113 break; 1114 1115 case IPSEC_ID_DER_ASN1_DN: 1116 remote_filter_type = "ASN1 DN"; 1117 1118 remote_filter = x509_DN_string (idremote + ISAKMP_ID_DATA_OFF, 1119 idremotesz - ISAKMP_ID_DATA_OFF); 1120 if (!remote_filter) 1121 { 1122 LOG_DBG ((LOG_POLICY, 50, 1123 "policy_callback: failed to decode name")); 1124 goto bad; 1125 } 1126 break; 1127 1128 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 1129 remote_filter_type = "ASN1 GN"; 1130 break; 1131 1132 case IPSEC_ID_KEY_ID: 1133 remote_filter_type = "Key ID"; 1134 remote_filter 1135 = calloc (2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, 1136 sizeof (char)); 1137 if (!remote_filter) 1138 { 1139 log_error ("policy_callback: calloc (%lu, %lu) failed", 1140 2 * ((unsigned long)idremotesz - ISAKMP_ID_DATA_OFF) + 1, 1141 (unsigned long)sizeof (char)); 1142 goto bad; 1143 } 1144 /* Does it contain any non-printable characters ? */ 1145 for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1146 if (!isprint (*(idremote + ISAKMP_ID_DATA_OFF + i))) 1147 break; 1148 if (i >= idremotesz - ISAKMP_ID_DATA_OFF) 1149 { 1150 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 1151 idremotesz - ISAKMP_ID_DATA_OFF); 1152 break; 1153 } 1154 /* Non-printable characters, convert to hex */ 1155 for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1156 { 1157 remote_filter[2 * i] 1158 = hextab[*(idremote + ISAKMP_ID_DATA_OFF) >> 4]; 1159 remote_filter[2 * i + 1] 1160 = hextab[*(idremote + ISAKMP_ID_DATA_OFF) & 0xF]; 1161 } 1162 break; 1163 1164 default: 1165 log_print ("policy_callback: unknown Remote ID type %u", 1166 GET_ISAKMP_ID_TYPE (idremote)); 1167 goto bad; 1168 } 1169 1170 switch (idremote[ISAKMP_GEN_SZ + 1]) 1171 { 1172 case IPPROTO_TCP: 1173 remote_filter_proto = "tcp"; 1174 break; 1175 1176 case IPPROTO_UDP: 1177 remote_filter_proto = "udp"; 1178 break; 1179 1180#ifdef IPPROTO_ETHERIP 1181 case IPPROTO_ETHERIP: 1182 remote_filter_proto = "etherip"; 1183 break; 1184#endif 1185 1186 default: 1187 snprintf (remote_filter_proto_num, 3, "%d", 1188 idremote[ISAKMP_GEN_SZ + 1]); 1189 remote_filter_proto = remote_filter_proto_num; 1190 break; 1191 } 1192 1193 snprintf (remote_filter_port, sizeof remote_filter_port - 1, 1194 "%u", decode_16 (idremote + ISAKMP_GEN_SZ + 2)); 1195 } 1196 else 1197 { 1198 policy_sa->transport->vtbl->get_dst (policy_sa->transport, &sin); 1199 switch (sin->sa_family) 1200 { 1201 case AF_INET: 1202 remote_filter_type = "IPv4 address"; 1203 break; 1204 case AF_INET6: 1205 remote_filter_type = "IPv6 address"; 1206 break; 1207 default: 1208 log_print ("policy_callback: unsupported protocol family %d", 1209 sin->sa_family); 1210 goto bad; 1211 } 1212 if (sockaddr2text (sin, &addr, 1)) 1213 { 1214 log_error ("policy_callback: sockaddr2text failed"); 1215 goto bad; 1216 } 1217 memcpy (remote_filter_addr_upper, addr, 1218 sizeof remote_filter_addr_upper); 1219 memcpy (remote_filter_addr_lower, addr, 1220 sizeof remote_filter_addr_lower); 1221 free (addr); 1222 remote_filter = strdup (remote_filter_addr_upper); 1223 if (!remote_filter) 1224 { 1225 log_error ("policy_callback: strdup (\"%s\") failed", 1226 remote_filter_addr_upper); 1227 goto bad; 1228 } 1229 } 1230 1231 if (idlocal) 1232 { 1233 switch (GET_ISAKMP_ID_TYPE (idlocal)) 1234 { 1235 case IPSEC_ID_IPV4_ADDR: 1236 local_filter_type = "IPv4 address"; 1237 1238 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1239 my_inet_ntop4 (&net, local_filter_addr_upper, 1240 sizeof local_filter_addr_upper - 1, 1); 1241 my_inet_ntop4 (&net, local_filter_addr_lower, 1242 sizeof local_filter_addr_upper - 1, 1); 1243 local_filter = strdup (local_filter_addr_upper); 1244 if (!local_filter) 1245 { 1246 log_error ("policy_callback: strdup (\"%s\") failed", 1247 local_filter_addr_upper); 1248 goto bad; 1249 } 1250 break; 1251 1252 case IPSEC_ID_IPV4_RANGE: 1253 local_filter_type = "IPv4 range"; 1254 1255 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1256 my_inet_ntop4 (&net, local_filter_addr_lower, 1257 sizeof local_filter_addr_lower - 1, 1); 1258 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1259 my_inet_ntop4 (&net, local_filter_addr_upper, 1260 sizeof local_filter_addr_upper - 1, 1); 1261 len = strlen (local_filter_addr_upper) 1262 + strlen (local_filter_addr_lower) + 2; 1263 local_filter = calloc (len, sizeof (char)); 1264 if (!local_filter) 1265 { 1266 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1267 (unsigned long)sizeof (char)); 1268 goto bad; 1269 } 1270 strlcpy (local_filter, local_filter_addr_lower, len); 1271 strlcat (local_filter, "-", len); 1272 strlcat (local_filter, local_filter_addr_upper, len); 1273 break; 1274 1275 case IPSEC_ID_IPV4_ADDR_SUBNET: 1276 local_filter_type = "IPv4 subnet"; 1277 1278 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1279 subnet = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1280 net &= subnet; 1281 my_inet_ntop4 (&net, local_filter_addr_lower, 1282 sizeof local_filter_addr_lower - 1, 1); 1283 net |= ~subnet; 1284 my_inet_ntop4 (&net, local_filter_addr_upper, 1285 sizeof local_filter_addr_upper - 1, 1); 1286 len = strlen (local_filter_addr_upper) 1287 + strlen (local_filter_addr_lower) + 2; 1288 local_filter = calloc (len, sizeof (char)); 1289 if (!local_filter) 1290 { 1291 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1292 (unsigned long)sizeof (char)); 1293 goto bad; 1294 } 1295 strlcpy (local_filter, local_filter_addr_lower, len); 1296 strlcat (local_filter, "-", len); 1297 strlcat (local_filter, local_filter_addr_upper, len); 1298 break; 1299 1300 case IPSEC_ID_IPV6_ADDR: 1301 local_filter_type = "IPv6 address"; 1302 my_inet_ntop6 (idlocal + ISAKMP_ID_DATA_OFF, 1303 local_filter_addr_upper, 1304 sizeof local_filter_addr_upper - 1); 1305 strlcpy (local_filter_addr_lower, local_filter_addr_upper, 1306 sizeof local_filter_addr_lower); 1307 local_filter = strdup (local_filter_addr_upper); 1308 if (!local_filter) 1309 { 1310 log_error ("policy_callback: strdup (\"%s\") failed", 1311 local_filter_addr_upper); 1312 goto bad; 1313 } 1314 break; 1315 1316 case IPSEC_ID_IPV6_RANGE: 1317 local_filter_type = "IPv6 range"; 1318 1319 my_inet_ntop6 (idlocal + ISAKMP_ID_DATA_OFF, 1320 local_filter_addr_lower, 1321 sizeof local_filter_addr_lower - 1); 1322 1323 my_inet_ntop6 (idlocal + ISAKMP_ID_DATA_OFF + 16, 1324 local_filter_addr_upper, 1325 sizeof local_filter_addr_upper - 1); 1326 1327 len = strlen (local_filter_addr_upper) 1328 + strlen (local_filter_addr_lower) + 2; 1329 local_filter = calloc (len, sizeof (char)); 1330 if (!local_filter) 1331 { 1332 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1333 (unsigned long)sizeof (char)); 1334 goto bad; 1335 } 1336 1337 strlcpy (local_filter, local_filter_addr_lower, len); 1338 strlcat (local_filter, "-", len); 1339 strlcat (local_filter, local_filter_addr_upper, len); 1340 break; 1341 1342 case IPSEC_ID_IPV6_ADDR_SUBNET: 1343 { 1344 struct in6_addr net, mask; 1345 1346 local_filter_type = "IPv6 subnet"; 1347 1348 bcopy (idlocal + ISAKMP_ID_DATA_OFF, &net, sizeof (net)); 1349 bcopy (idlocal + ISAKMP_ID_DATA_OFF + 16, &mask, sizeof (mask)); 1350 1351 for (i = 0; i < 16; i++) 1352 net.s6_addr[i] &= mask.s6_addr[i]; 1353 1354 my_inet_ntop6 ((unsigned char *) &net, local_filter_addr_lower, 1355 sizeof local_filter_addr_lower - 1); 1356 1357 for (i = 0; i < 16; i++) 1358 net.s6_addr[i] |= ~mask.s6_addr[i]; 1359 1360 my_inet_ntop6 ((unsigned char *) &net, local_filter_addr_upper, 1361 sizeof local_filter_addr_upper - 1); 1362 1363 len = strlen (local_filter_addr_upper) 1364 + strlen (local_filter_addr_lower) + 2; 1365 local_filter = calloc (len, sizeof (char)); 1366 if (!local_filter) 1367 { 1368 log_error ("policy_callback: calloc (%d, %lu) failed", len, 1369 (unsigned long)sizeof (char)); 1370 goto bad; 1371 } 1372 1373 strlcpy (local_filter, local_filter_addr_lower, len); 1374 strlcat (local_filter, "-", len); 1375 strlcat (local_filter, local_filter_addr_upper, len); 1376 break; 1377 } 1378 1379 case IPSEC_ID_FQDN: 1380 local_filter_type = "FQDN"; 1381 local_filter = malloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1); 1382 if (!local_filter) 1383 { 1384 log_error ("policy_callback: malloc (%lu) failed", 1385 (unsigned long)idlocalsz - ISAKMP_ID_DATA_OFF + 1); 1386 goto bad; 1387 } 1388 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1389 idlocalsz - ISAKMP_ID_DATA_OFF); 1390 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1391 break; 1392 1393 case IPSEC_ID_USER_FQDN: 1394 local_filter_type = "User FQDN"; 1395 local_filter = malloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1); 1396 if (!local_filter) 1397 { 1398 log_error ("policy_callback: malloc (%lu) failed", 1399 (unsigned long)idlocalsz - ISAKMP_ID_DATA_OFF + 1); 1400 goto bad; 1401 } 1402 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1403 idlocalsz - ISAKMP_ID_DATA_OFF); 1404 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1405 break; 1406 1407 case IPSEC_ID_DER_ASN1_DN: 1408 local_filter_type = "ASN1 DN"; 1409 1410 local_filter = x509_DN_string (idlocal + ISAKMP_ID_DATA_OFF, 1411 idlocalsz - ISAKMP_ID_DATA_OFF); 1412 if (!local_filter) 1413 { 1414 LOG_DBG ((LOG_POLICY, 50, 1415 "policy_callback: failed to decode name")); 1416 goto bad; 1417 } 1418 break; 1419 1420 case IPSEC_ID_DER_ASN1_GN: 1421 /* XXX -- not sure what's in this. */ 1422 local_filter_type = "ASN1 GN"; 1423 break; 1424 1425 case IPSEC_ID_KEY_ID: 1426 local_filter_type = "Key ID"; 1427 local_filter = calloc (2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, 1428 sizeof (char)); 1429 if (!local_filter) 1430 { 1431 log_error ("policy_callback: calloc (%lu, %lu) failed", 1432 2 * ((unsigned long)idlocalsz - ISAKMP_ID_DATA_OFF) + 1, 1433 (unsigned long)sizeof (char)); 1434 goto bad; 1435 } 1436 /* Does it contain any non-printable characters ? */ 1437 for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1438 if (!isprint (*(idlocal + ISAKMP_ID_DATA_OFF + i))) 1439 break; 1440 if (i >= idlocalsz - ISAKMP_ID_DATA_OFF) 1441 { 1442 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1443 idlocalsz - ISAKMP_ID_DATA_OFF); 1444 break; 1445 } 1446 /* Non-printable characters, convert to hex */ 1447 for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1448 { 1449 local_filter[2 * i] 1450 = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) >> 4]; 1451 local_filter[2 * i + 1] 1452 = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) & 0xF]; 1453 } 1454 break; 1455 1456 default: 1457 log_print ("policy_callback: unknown Local ID type %u", 1458 GET_ISAKMP_ID_TYPE (idlocal)); 1459 goto bad; 1460 } 1461 1462 switch (idlocal[ISAKMP_GEN_SZ + 1]) 1463 { 1464 case IPPROTO_TCP: 1465 local_filter_proto = "tcp"; 1466 break; 1467 1468 case IPPROTO_UDP: 1469 local_filter_proto = "udp"; 1470 break; 1471 1472#ifdef IPPROTO_ETHERIP 1473 case IPPROTO_ETHERIP: 1474 local_filter_proto = "etherip"; 1475 break; 1476#endif 1477 1478 default: 1479 snprintf (local_filter_proto_num, 3, "%d", 1480 idlocal[ISAKMP_GEN_SZ + 1]); 1481 local_filter_proto = local_filter_proto_num; 1482 break; 1483 } 1484 1485 snprintf (local_filter_port, sizeof local_filter_port - 1, 1486 "%u", decode_16 (idlocal + ISAKMP_GEN_SZ + 2)); 1487 } 1488 else 1489 { 1490 policy_sa->transport->vtbl->get_src (policy_sa->transport, 1491 (struct sockaddr **)&sin); 1492 switch (sin->sa_family) 1493 { 1494 case AF_INET: 1495 local_filter_type = "IPv4 address"; 1496 break; 1497 case AF_INET6: 1498 local_filter_type = "IPv6 address"; 1499 break; 1500 default: 1501 log_print ("policy_callback: unsupported protocol family %d", 1502 sin->sa_family); 1503 goto bad; 1504 } 1505 1506 if (sockaddr2text (sin, &addr, 1)) 1507 { 1508 log_error ("policy_callback: sockaddr2text failed"); 1509 goto bad; 1510 } 1511 memcpy (local_filter_addr_upper, addr, 1512 sizeof local_filter_addr_upper); 1513 memcpy (local_filter_addr_lower, addr, 1514 sizeof local_filter_addr_lower); 1515 free (addr); 1516 local_filter = strdup (local_filter_addr_upper); 1517 if (!local_filter) 1518 { 1519 log_error ("policy_callback: strdup (\"%s\") failed", 1520 local_filter_addr_upper); 1521 goto bad; 1522 } 1523 } 1524 1525 LOG_DBG ((LOG_POLICY, 80, "Policy context (action attributes):")); 1526 LOG_DBG ((LOG_POLICY, 80, "esp_present == %s", esp_present)); 1527 LOG_DBG ((LOG_POLICY, 80, "ah_present == %s", ah_present)); 1528 LOG_DBG ((LOG_POLICY, 80, "comp_present == %s", comp_present)); 1529 LOG_DBG ((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg)); 1530 LOG_DBG ((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg)); 1531 LOG_DBG ((LOG_POLICY, 80, "comp_alg == %s", comp_alg)); 1532 LOG_DBG ((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg)); 1533 LOG_DBG ((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg)); 1534 LOG_DBG ((LOG_POLICY, 80, "ah_life_seconds == %s", ah_life_seconds)); 1535 LOG_DBG ((LOG_POLICY, 80, "ah_life_kbytes == %s", ah_life_kbytes)); 1536 LOG_DBG ((LOG_POLICY, 80, "esp_life_seconds == %s", esp_life_seconds)); 1537 LOG_DBG ((LOG_POLICY, 80, "esp_life_kbytes == %s", esp_life_kbytes)); 1538 LOG_DBG ((LOG_POLICY, 80, "comp_life_seconds == %s", comp_life_seconds)); 1539 LOG_DBG ((LOG_POLICY, 80, "comp_life_kbytes == %s", comp_life_kbytes)); 1540 LOG_DBG ((LOG_POLICY, 80, "ah_encapsulation == %s", ah_encapsulation)); 1541 LOG_DBG ((LOG_POLICY, 80, "esp_encapsulation == %s", esp_encapsulation)); 1542 LOG_DBG ((LOG_POLICY, 80, "comp_encapsulation == %s", 1543 comp_encapsulation)); 1544 LOG_DBG ((LOG_POLICY, 80, "comp_dict_size == %s", comp_dict_size)); 1545 LOG_DBG ((LOG_POLICY, 80, "comp_private_alg == %s", comp_private_alg)); 1546 LOG_DBG ((LOG_POLICY, 80, "ah_key_length == %s", ah_key_length)); 1547 LOG_DBG ((LOG_POLICY, 80, "ah_key_rounds == %s", ah_key_rounds)); 1548 LOG_DBG ((LOG_POLICY, 80, "esp_key_length == %s", esp_key_length)); 1549 LOG_DBG ((LOG_POLICY, 80, "esp_key_rounds == %s", esp_key_rounds)); 1550 LOG_DBG ((LOG_POLICY, 80, "ah_group_desc == %s", ah_group_desc)); 1551 LOG_DBG ((LOG_POLICY, 80, "esp_group_desc == %s", esp_group_desc)); 1552 LOG_DBG ((LOG_POLICY, 80, "comp_group_desc == %s", comp_group_desc)); 1553 LOG_DBG ((LOG_POLICY, 80, "ah_ecn == %s", ah_ecn)); 1554 LOG_DBG ((LOG_POLICY, 80, "esp_ecn == %s", esp_ecn)); 1555 LOG_DBG ((LOG_POLICY, 80, "comp_ecn == %s", comp_ecn)); 1556 LOG_DBG ((LOG_POLICY, 80, "remote_filter_type == %s", 1557 remote_filter_type)); 1558 LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_upper == %s", 1559 remote_filter_addr_upper)); 1560 LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_lower == %s", 1561 remote_filter_addr_lower)); 1562 LOG_DBG ((LOG_POLICY, 80, "remote_filter == %s", 1563 (remote_filter ? remote_filter : ""))); 1564 LOG_DBG ((LOG_POLICY, 80, "remote_filter_port == %s", 1565 remote_filter_port)); 1566 LOG_DBG ((LOG_POLICY, 80, "remote_filter_proto == %s", 1567 remote_filter_proto)); 1568 LOG_DBG ((LOG_POLICY, 80, "local_filter_type == %s", local_filter_type)); 1569 LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_upper == %s", 1570 local_filter_addr_upper)); 1571 LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_lower == %s", 1572 local_filter_addr_lower)); 1573 LOG_DBG ((LOG_POLICY, 80, "local_filter == %s", 1574 (local_filter ? local_filter : ""))); 1575 LOG_DBG ((LOG_POLICY, 80, "local_filter_port == %s", local_filter_port)); 1576 LOG_DBG ((LOG_POLICY, 80, "local_filter_proto == %s", 1577 local_filter_proto)); 1578 LOG_DBG ((LOG_POLICY, 80, "remote_id_type == %s", remote_id_type)); 1579 LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_upper == %s", 1580 remote_id_addr_upper)); 1581 LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_lower == %s", 1582 remote_id_addr_lower)); 1583 LOG_DBG ((LOG_POLICY, 80, "remote_id == %s", 1584 (remote_id ? remote_id : ""))); 1585 LOG_DBG ((LOG_POLICY, 80, "remote_id_port == %s", remote_id_port)); 1586 LOG_DBG ((LOG_POLICY, 80, "remote_id_proto == %s", remote_id_proto)); 1587 LOG_DBG ((LOG_POLICY, 80, "remote_negotiation_address == %s", 1588 remote_ike_address)); 1589 LOG_DBG ((LOG_POLICY, 80, "local_negotiation_address == %s", 1590 local_ike_address)); 1591 LOG_DBG ((LOG_POLICY, 80, "pfs == %s", pfs)); 1592 LOG_DBG ((LOG_POLICY, 80, "initiator == %s", initiator)); 1593 LOG_DBG ((LOG_POLICY, 80, "phase1_group_desc == %s", phase1_group)); 1594 1595 /* Unset dirty now. */ 1596 dirty = 0; 1597 } 1598 1599 if (strcmp (name, "phase_1") == 0) 1600 return phase_1; 1601 1602 if (strcmp (name, "GMTTimeOfDay") == 0) 1603 { 1604 tt = time ((time_t) NULL); 1605 strftime (mytimeofday, 14, "%Y%m%d%H%M%S", gmtime (&tt)); 1606 return mytimeofday; 1607 } 1608 1609 if (strcmp (name, "LocalTimeOfDay") == 0) 1610 { 1611 tt = time ((time_t) NULL); 1612 strftime (mytimeofday, 14, "%Y%m%d%H%M%S", localtime (&tt)); 1613 return mytimeofday; 1614 } 1615 1616 if (strcmp (name, "initiator") == 0) 1617 return initiator; 1618 1619 if (strcmp (name, "pfs") == 0) 1620 return pfs; 1621 1622 if (strcmp (name, "app_domain") == 0) 1623 return "IPsec policy"; 1624 1625 if (strcmp (name, "doi") == 0) 1626 return "ipsec"; 1627 1628 if (strcmp (name, "esp_present") == 0) 1629 return esp_present; 1630 1631 if (strcmp (name, "ah_present") == 0) 1632 return ah_present; 1633 1634 if (strcmp (name, "comp_present") == 0) 1635 return comp_present; 1636 1637 if (strcmp (name, "ah_hash_alg") == 0) 1638 return ah_hash_alg; 1639 1640 if (strcmp (name, "ah_auth_alg") == 0) 1641 return ah_auth_alg; 1642 1643 if (strcmp (name, "esp_auth_alg") == 0) 1644 return esp_auth_alg; 1645 1646 if (strcmp (name, "esp_enc_alg") == 0) 1647 return esp_enc_alg; 1648 1649 if (strcmp (name, "comp_alg") == 0) 1650 return comp_alg; 1651 1652 if (strcmp (name, "ah_life_kbytes") == 0) 1653 return ah_life_kbytes; 1654 1655 if (strcmp (name, "ah_life_seconds") == 0) 1656 return ah_life_seconds; 1657 1658 if (strcmp (name, "esp_life_kbytes") == 0) 1659 return esp_life_kbytes; 1660 1661 if (strcmp (name, "esp_life_seconds") == 0) 1662 return esp_life_seconds; 1663 1664 if (strcmp (name, "comp_life_kbytes") == 0) 1665 return comp_life_kbytes; 1666 1667 if (strcmp (name, "comp_life_seconds") == 0) 1668 return comp_life_seconds; 1669 1670 if (strcmp (name, "ah_encapsulation") == 0) 1671 return ah_encapsulation; 1672 1673 if (strcmp (name, "esp_encapsulation") == 0) 1674 return esp_encapsulation; 1675 1676 if (strcmp (name, "comp_encapsulation") == 0) 1677 return comp_encapsulation; 1678 1679 if (strcmp (name, "ah_key_length") == 0) 1680 return ah_key_length; 1681 1682 if (strcmp (name, "ah_key_rounds") == 0) 1683 return ah_key_rounds; 1684 1685 if (strcmp (name, "esp_key_length") == 0) 1686 return esp_key_length; 1687 1688 if (strcmp (name, "esp_key_rounds") == 0) 1689 return esp_key_rounds; 1690 1691 if (strcmp (name, "comp_dict_size") == 0) 1692 return comp_dict_size; 1693 1694 if (strcmp (name, "comp_private_alg") == 0) 1695 return comp_private_alg; 1696 1697 if (strcmp (name, "remote_filter_type") == 0) 1698 return remote_filter_type; 1699 1700 if (strcmp (name, "remote_filter") == 0) 1701 return (remote_filter ? remote_filter : ""); 1702 1703 if (strcmp (name, "remote_filter_addr_upper") == 0) 1704 return remote_filter_addr_upper; 1705 1706 if (strcmp (name, "remote_filter_addr_lower") == 0) 1707 return remote_filter_addr_lower; 1708 1709 if (strcmp (name, "remote_filter_port") == 0) 1710 return remote_filter_port; 1711 1712 if (strcmp (name, "remote_filter_proto") == 0) 1713 return remote_filter_proto; 1714 1715 if (strcmp (name, "local_filter_type") == 0) 1716 return local_filter_type; 1717 1718 if (strcmp (name, "local_filter") == 0) 1719 return (local_filter ? local_filter : ""); 1720 1721 if (strcmp (name, "local_filter_addr_upper") == 0) 1722 return local_filter_addr_upper; 1723 1724 if (strcmp (name, "local_filter_addr_lower") == 0) 1725 return local_filter_addr_lower; 1726 1727 if (strcmp (name, "local_filter_port") == 0) 1728 return local_filter_port; 1729 1730 if (strcmp (name, "local_filter_proto") == 0) 1731 return local_filter_proto; 1732 1733 if (strcmp (name, "remote_ike_address") == 0) 1734 return remote_ike_address; 1735 1736 if (strcmp (name, "remote_negotiation_address") == 0) 1737 return remote_ike_address; 1738 1739 if (strcmp (name, "local_ike_address") == 0) 1740 return local_ike_address; 1741 1742 if (strcmp (name, "local_negotiation_address") == 0) 1743 return local_ike_address; 1744 1745 if (strcmp (name, "remote_id_type") == 0) 1746 return remote_id_type; 1747 1748 if (strcmp (name, "remote_id") == 0) 1749 return (remote_id ? remote_id : ""); 1750 1751 if (strcmp (name, "remote_id_addr_upper") == 0) 1752 return remote_id_addr_upper; 1753 1754 if (strcmp (name, "remote_id_addr_lower") == 0) 1755 return remote_id_addr_lower; 1756 1757 if (strcmp (name, "remote_id_port") == 0) 1758 return remote_id_port; 1759 1760 if (strcmp (name, "remote_id_proto") == 0) 1761 return remote_id_proto; 1762 1763 if (strcmp (name, "phase1_group_desc") == 0) 1764 return phase1_group; 1765 1766 if (strcmp (name, "esp_group_desc") == 0) 1767 return esp_group_desc; 1768 1769 if (strcmp (name, "ah_group_desc") == 0) 1770 return ah_group_desc; 1771 1772 if (strcmp (name, "comp_group_desc") == 0) 1773 return comp_group_desc; 1774 1775 if (strcmp (name, "comp_ecn") == 0) 1776 return comp_ecn; 1777 1778 if (strcmp (name, "ah_ecn") == 0) 1779 return ah_ecn; 1780 1781 if (strcmp (name, "esp_ecn") == 0) 1782 return esp_ecn; 1783 1784 return ""; 1785 1786 bad: 1787 policy_callback (KEYNOTE_CALLBACK_INITIALIZE); 1788 return ""; 1789} 1790 1791void 1792policy_init (void) 1793{ 1794 char *ptr, *policy_file; 1795 char **asserts; 1796 size_t sz; 1797 int fd, len, i; 1798 1799 LOG_DBG ((LOG_POLICY, 30, "policy_init: initializing")); 1800 1801 /* Get policy file from configuration. */ 1802 policy_file = conf_get_str ("General", "Policy-file"); 1803 if (!policy_file) 1804 policy_file = CONF_DFLT_POLICY_FILE; 1805 1806 /* Check file modes and collect file size */ 1807 if (check_file_secrecy (policy_file, &sz)) 1808 log_fatal ("policy_init: cannot read %s", policy_file); 1809 1810 /* Open policy file. */ 1811 fd = open (policy_file, O_RDONLY); 1812 if (fd == -1) 1813 log_fatal ("policy_init: open (\"%s\", O_RDONLY) failed", policy_file); 1814 1815 /* Allocate memory to keep policies. */ 1816 ptr = calloc (sz + 1, sizeof (char)); 1817 if (!ptr) 1818 log_fatal ("policy_init: calloc (%lu, %lu) failed", (unsigned long)sz + 1, 1819 (unsigned long)sizeof (char)); 1820 1821 /* Just in case there are short reads... */ 1822 for (len = 0; len < sz; len += i) 1823 { 1824 i = read (fd, ptr + len, sz - len); 1825 if (i == -1) 1826 log_fatal ("policy_init: read (%d, %p, %lu) failed", fd, ptr + len, 1827 (unsigned long)(sz - len)); 1828 } 1829 1830 /* We're done with this. */ 1831 close (fd); 1832 1833 /* Parse buffer, break up into individual policies. */ 1834 asserts = kn_read_asserts (ptr, sz, &i); 1835 1836 /* Begone! */ 1837 free (ptr); 1838 1839 if (asserts == (char **) NULL) 1840 log_print ("policy_init: all policies flushed"); 1841 1842 /* Cleanup */ 1843 if (keynote_policy_asserts) 1844 { 1845 for (fd = 0; fd < keynote_policy_asserts_num; fd++) 1846 if (keynote_policy_asserts && keynote_policy_asserts[fd]) 1847 free (keynote_policy_asserts[fd]); 1848 1849 free (keynote_policy_asserts); 1850 } 1851 1852 keynote_policy_asserts = asserts; 1853 keynote_policy_asserts_num = i; 1854} 1855 1856/* Nothing needed for initialization */ 1857int 1858keynote_cert_init (void) 1859{ 1860 return 1; 1861} 1862 1863/* Just copy and return. */ 1864void * 1865keynote_cert_get (u_int8_t *data, u_int32_t len) 1866{ 1867 char *foo = malloc (len + 1); 1868 1869 if (foo == NULL) 1870 return NULL; 1871 1872 memcpy (foo, data, len); 1873 foo[len] = '\0'; 1874 return foo; 1875} 1876 1877/* 1878 * We just verify the signature on the credentials. 1879 * On signature failure, just drop the whole payload. 1880 */ 1881int 1882keynote_cert_validate (void *scert) 1883{ 1884 char **foo; 1885 int num, i; 1886 1887 if (scert == NULL) 1888 return 0; 1889 1890 foo = kn_read_asserts ((char *) scert, strlen ((char *) scert), &num); 1891 if (foo == NULL) 1892 return 0; 1893 1894 for (i = 0; i < num; i++) 1895 { 1896 if (kn_verify_assertion (scert, strlen ((char *) scert)) 1897 != SIGRESULT_TRUE) 1898 { 1899 for (; i < num; i++) 1900 free (foo[i]); 1901 free (foo); 1902 return 0; 1903 } 1904 1905 free (foo[i]); 1906 } 1907 1908 free (foo); 1909 return 1; 1910} 1911 1912/* Add received credentials. */ 1913int 1914keynote_cert_insert (int sid, void *scert) 1915{ 1916 char **foo; 1917 int num; 1918 1919 if (scert == NULL) 1920 return 0; 1921 1922 foo = kn_read_asserts ((char *) scert, strlen ((char *) scert), &num); 1923 if (foo == NULL) 1924 return 0; 1925 1926 while (num--) 1927 kn_add_assertion (sid, foo[num], strlen (foo[num]), 0); 1928 1929 return 1; 1930} 1931 1932/* Just regular memory free. */ 1933void 1934keynote_cert_free (void *cert) 1935{ 1936 free (cert); 1937} 1938 1939/* Verify that the key given to us is valid. */ 1940int 1941keynote_certreq_validate (u_int8_t *data, u_int32_t len) 1942{ 1943 struct keynote_deckey dc; 1944 int err = 1; 1945 char *dat; 1946 1947 dat = calloc (len + 1, sizeof (char)); 1948 if (!dat) 1949 { 1950 log_error ("keynote_certreq_validate: calloc (%d, %lu) failed", len + 1, 1951 (unsigned long)sizeof (char)); 1952 return 0; 1953 } 1954 1955 memcpy (dat, data, len); 1956 1957 if (kn_decode_key (&dc, dat, KEYNOTE_PUBLIC_KEY) != 0) 1958 err = 0; 1959 else 1960 kn_free_key (&dc); 1961 1962 free (dat); 1963 1964 return err; 1965} 1966 1967/* Beats me what we should be doing with this. */ 1968void * 1969keynote_certreq_decode (u_int8_t *data, u_int32_t len) 1970{ 1971 /* XXX */ 1972 return NULL; 1973} 1974 1975void 1976keynote_free_aca (void *blob) 1977{ 1978 /* XXX */ 1979} 1980 1981int 1982keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, 1983 u_int32_t *certlen) 1984{ 1985 char *dirname, *file, *addr_str; 1986 struct stat sb; 1987 size_t size; 1988 int idtype, fd, len; 1989 1990 if (!id) 1991 { 1992 log_print ("keynote_cert_obtain: ID is missing"); 1993 return 0; 1994 } 1995 1996 /* Get type of ID. */ 1997 idtype = id[0]; 1998 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 1999 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2000 2001 dirname = conf_get_str ("KeyNote", "Credential-directory"); 2002 if (!dirname) 2003 { 2004 LOG_DBG ((LOG_POLICY, 30, 2005 "keynote_cert_obtain: no Credential-directory")); 2006 return 0; 2007 } 2008 2009 len = strlen (dirname) + strlen (CREDENTIAL_FILE) + 3; 2010 2011 switch (idtype) 2012 { 2013 case IPSEC_ID_IPV4_ADDR: 2014 case IPSEC_ID_IPV6_ADDR: 2015 util_ntoa (&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6, 2016 id); 2017 if (addr_str == 0) 2018 return 0; 2019 2020 file = calloc (len + strlen (addr_str), sizeof (char)); 2021 if (file == NULL) 2022 { 2023 log_error ("keynote_cert_obtain: failed to allocate %lu bytes", 2024 (unsigned long)len + strlen (addr_str)); 2025 free (addr_str); 2026 return 0; 2027 } 2028 2029 snprintf (file, len + strlen (addr_str), "%s/%s/%s", dirname, addr_str, 2030 CREDENTIAL_FILE); 2031 free (addr_str); 2032 break; 2033 2034 case IPSEC_ID_FQDN: 2035 case IPSEC_ID_USER_FQDN: 2036 { 2037 file = calloc (len + id_len, sizeof (char)); 2038 if (file == NULL) 2039 { 2040 log_error ("keynote_cert_obtain: failed to allocate %lu bytes", 2041 (unsigned long)len + id_len); 2042 return 0; 2043 } 2044 2045 snprintf (file, len + id_len, "%s/", dirname); 2046 memcpy (file + strlen (dirname) + 1, id, id_len); 2047 snprintf (file + strlen (dirname) + 1 + id_len, 2048 len - strlen (dirname) - 1, "/%s", CREDENTIAL_FILE); 2049 break; 2050 } 2051 2052 default: 2053 return 0; 2054 } 2055 2056 if (stat (file, &sb) < 0) 2057 { 2058 LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to stat \"%s\"", 2059 file)); 2060 free (file); 2061 return 0; 2062 } 2063 size = (size_t)sb.st_size; 2064 2065 *cert = calloc (size + 1, sizeof (char)); 2066 if (*cert == NULL) 2067 { 2068 log_error ("keynote_cert_obtain: failed to allocate %lu bytes", 2069 (unsigned long)size); 2070 free (file); 2071 return 0; 2072 } 2073 2074 fd = open (file, O_RDONLY, 0); 2075 if (fd < 0) 2076 { 2077 LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to open \"%s\"", 2078 file)); 2079 free (file); 2080 return 0; 2081 } 2082 2083 if (read (fd, *cert, size) != size) 2084 { 2085 LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to read %lu " 2086 "bytes from \"%s\"", (unsigned long)size, file)); 2087 free (file); 2088 close (fd); 2089 return 0; 2090 } 2091 2092 close (fd); 2093 free (file); 2094 *certlen = size; 2095 return 1; 2096} 2097 2098/* This should never be called. */ 2099int 2100keynote_cert_get_subjects (void *scert, int *n, u_int8_t ***id, 2101 u_int32_t **id_len) 2102{ 2103 return 0; 2104} 2105 2106/* Get the authorizer key. */ 2107int 2108keynote_cert_get_key (void *scert, void *keyp) 2109{ 2110 struct keynote_keylist *kl; 2111 int sid, kid, num; 2112 char **foo; 2113 2114 foo = kn_read_asserts ((char *)scert, strlen ((char *)scert), &num); 2115 if (foo == NULL || num == 0) 2116 { 2117 log_print ("keynote_cert_get_key: failed to decompose credentials"); 2118 return 0; 2119 } 2120 2121 kid = kn_init (); 2122 if (kid == -1) 2123 { 2124 log_print ("keynote_cert_get_key: failed to initialize new policy " 2125 "session"); 2126 while (num--) 2127 free (foo[num]); 2128 free (foo); 2129 return 0; 2130 } 2131 2132 sid = kn_add_assertion (kid, foo[num - 1], strlen (foo[num - 1]), 0); 2133 while (num--) 2134 free (foo[num]); 2135 free (foo); 2136 2137 if (sid == -1) 2138 { 2139 log_print ("keynote_cert_get_key: failed to add assertion"); 2140 kn_close (kid); 2141 return 0; 2142 } 2143 2144 *(RSA **)keyp = NULL; 2145 2146 kl = kn_get_licensees (kid, sid); 2147 while (kl) 2148 { 2149 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA) 2150 { 2151 *(RSA **)keyp = RSAPublicKey_dup (kl->key_key); 2152 break; 2153 } 2154 2155 kl = kl->key_next; 2156 } 2157 2158 kn_remove_assertion (kid, sid); 2159 kn_close (kid); 2160 return *(RSA **)keyp == NULL ? 0 : 1; 2161} 2162 2163void * 2164keynote_cert_dup (void *cert) 2165{ 2166 return strdup((char *)cert); 2167} 2168 2169void 2170keynote_serialize (void *cert, u_int8_t **data, u_int32_t *datalen) 2171{ 2172 *datalen = strlen ((char *)cert) + 1; 2173 *data = (u_int8_t *)strdup (cert); /* i.e an extra character at the end... */ 2174 if (*data == NULL) 2175 log_error ("keynote_serialize: malloc (%d) failed", *datalen); 2176} 2177 2178/* From cert to printable */ 2179char * 2180keynote_printable (void *cert) 2181{ 2182 return strdup ((char *)cert); 2183} 2184 2185/* From printable to cert */ 2186void * 2187keynote_from_printable (char *cert) 2188{ 2189 return strdup (cert); 2190} 2191