policy.c revision 1.77
1/* $OpenBSD: policy.c,v 1.77 2004/06/25 20:25:34 hshoexer Exp $ */ 2/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ 3 4/* 5 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. 6 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 7 * Copyright (c) 2001 H�kan Olsson. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30/* 31 * This code was written under funding by Ericsson Radio Systems. 32 */ 33 34#include <sys/types.h> 35#include <sys/param.h> 36#include <sys/mman.h> 37#include <sys/queue.h> 38#include <sys/stat.h> 39#include <regex.h> 40#include <ctype.h> 41#include <fcntl.h> 42#include <stdio.h> 43#include <stdlib.h> 44#include <string.h> 45#include <unistd.h> 46#include <keynote.h> 47#include <sys/socket.h> 48#include <netinet/in.h> 49#include <arpa/inet.h> 50#include <errno.h> 51#include <openssl/ssl.h> 52#include <netdb.h> 53 54#include "sysdep.h" 55 56#include "conf.h" 57#include "exchange.h" 58#include "ipsec.h" 59#include "isakmp_doi.h" 60#include "sa.h" 61#include "transport.h" 62#include "log.h" 63#include "message.h" 64#include "monitor.h" 65#include "util.h" 66#include "policy.h" 67#include "x509.h" 68 69char **policy_asserts = NULL; 70int ignore_policy = 0; 71int policy_asserts_num = 0; 72struct exchange *policy_exchange = 0; 73struct sa *policy_sa = 0; 74struct sa *policy_isakmp_sa = 0; 75 76static const char hextab[] = { 77 '0', '1', '2', '3', '4', '5', '6', '7', 78 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 79}; 80 81/* 82 * Adaptation of Vixie's inet_ntop4 () 83 */ 84static const char * 85my_inet_ntop4(const in_addr_t *src, char *dst, size_t size, int normalize) 86{ 87 static const char fmt[] = "%03u.%03u.%03u.%03u"; 88 char tmp[sizeof "255.255.255.255"]; 89 in_addr_t src2; 90 91 if (normalize) 92 src2 = ntohl(*src); 93 else 94 src2 = *src; 95 96 if (snprintf(tmp, sizeof tmp, fmt, ((u_int8_t *)&src2)[0], 97 ((u_int8_t *)&src2)[1], ((u_int8_t *)&src2)[2], 98 ((u_int8_t *)&src2)[3]) > (int)size) { 99 errno = ENOSPC; 100 return 0; 101 } 102 strlcpy(dst, tmp, size); 103 return dst; 104} 105 106static const char * 107my_inet_ntop6(const unsigned char *src, char *dst, size_t size) 108{ 109 static const char fmt[] = 110 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x"; 111 char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"]; 112 113 if (snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3], 114 src[4], src[5], src[6], src[7], src[8], src[9], src[10], src[11], 115 src[12], src[13], src[14], src[15]) > (int)size) { 116 errno = ENOSPC; 117 return 0; 118 } 119 strlcpy(dst, tmp, size); 120 return dst; 121} 122 123char * 124policy_callback(char *name) 125{ 126 struct proto *proto; 127 128 u_int8_t *attr, *value, *id, *idlocal, *idremote; 129 size_t id_sz, idlocalsz, idremotesz; 130 struct sockaddr *sin; 131 struct ipsec_exch *ie; 132 struct ipsec_sa *is; 133 size_t i; 134 int fmt, lifetype = 0; 135 in_addr_t net, subnet; 136 u_int16_t len, type; 137 time_t tt; 138 char *addr; 139 static char mytimeofday[15]; 140 141 /* We use all these as a cache. */ 142#define PMAX 32 143 static char *esp_present, *ah_present, *comp_present; 144 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; 145 static char *comp_alg, ah_life_kbytes[PMAX], ah_life_seconds[PMAX]; 146 static char esp_life_kbytes[PMAX], esp_life_seconds[PMAX]; 147 static char comp_life_kbytes[PMAX]; 148 static char *ah_ecn, *esp_ecn, *comp_ecn; 149 static char comp_life_seconds[PMAX], *ah_encapsulation; 150 static char *esp_encapsulation, *comp_encapsulation; 151 static char ah_key_length[PMAX], esp_key_length[PMAX]; 152 static char ah_key_rounds[PMAX], esp_key_rounds[PMAX]; 153 static char comp_dict_size[PMAX], comp_private_alg[PMAX]; 154 static char *remote_filter_type, *local_filter_type; 155 static char remote_filter_addr_upper[NI_MAXHOST]; 156 static char remote_filter_addr_lower[NI_MAXHOST]; 157 static char local_filter_addr_upper[NI_MAXHOST]; 158 static char local_filter_addr_lower[NI_MAXHOST]; 159 static char ah_group_desc[PMAX], esp_group_desc[PMAX]; 160 static char comp_group_desc[PMAX], remote_ike_address[NI_MAXHOST]; 161 static char local_ike_address[NI_MAXHOST]; 162 static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST]; 163 static char *phase_1, remote_id_addr_lower[NI_MAXHOST]; 164 static char *remote_id_proto, remote_id_port[PMAX]; 165 static char remote_filter_port[PMAX], local_filter_port[PMAX]; 166 static char *remote_filter_proto, *local_filter_proto, *pfs; 167 static char *initiator, remote_filter_proto_num[3]; 168 static char local_filter_proto_num[3], remote_id_proto_num[3]; 169 static char phase1_group[PMAX]; 170 171 /* Allocated. */ 172 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; 173 174 static int dirty = 1; 175 176 /* We only need to set dirty at initialization time really. */ 177 if (strcmp(name, KEYNOTE_CALLBACK_CLEANUP) == 0 178 || strcmp(name, KEYNOTE_CALLBACK_INITIALIZE) == 0) { 179 esp_present = ah_present = comp_present = pfs = "no"; 180 ah_hash_alg = ah_auth_alg = phase_1 = ""; 181 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; 182 ah_ecn = esp_ecn = comp_ecn = "no"; 183 esp_encapsulation = comp_encapsulation = ""; 184 remote_filter_type = ""; 185 local_filter_type = remote_id_type = initiator = ""; 186 remote_filter_proto = local_filter_proto = ""; 187 remote_id_proto = ""; 188 189 if (remote_filter != 0) { 190 free(remote_filter); 191 remote_filter = 0; 192 } 193 if (local_filter != 0) { 194 free(local_filter); 195 local_filter = 0; 196 } 197 if (remote_id != 0) { 198 free(remote_id); 199 remote_id = 0; 200 } 201 memset(remote_ike_address, 0, sizeof remote_ike_address); 202 memset(local_ike_address, 0, sizeof local_ike_address); 203 memset(ah_life_kbytes, 0, sizeof ah_life_kbytes); 204 memset(ah_life_seconds, 0, sizeof ah_life_seconds); 205 memset(esp_life_kbytes, 0, sizeof esp_life_kbytes); 206 memset(esp_life_seconds, 0, sizeof esp_life_seconds); 207 memset(comp_life_kbytes, 0, sizeof comp_life_kbytes); 208 memset(comp_life_seconds, 0, sizeof comp_life_seconds); 209 memset(ah_key_length, 0, sizeof ah_key_length); 210 memset(ah_key_rounds, 0, sizeof ah_key_rounds); 211 memset(esp_key_length, 0, sizeof esp_key_length); 212 memset(esp_key_rounds, 0, sizeof esp_key_rounds); 213 memset(comp_dict_size, 0, sizeof comp_dict_size); 214 memset(comp_private_alg, 0, sizeof comp_private_alg); 215 memset(remote_filter_addr_upper, 0, 216 sizeof remote_filter_addr_upper); 217 memset(remote_filter_addr_lower, 0, 218 sizeof remote_filter_addr_lower); 219 memset(local_filter_addr_upper, 0, 220 sizeof local_filter_addr_upper); 221 memset(local_filter_addr_lower, 0, 222 sizeof local_filter_addr_lower); 223 memset(remote_id_addr_upper, 0, sizeof remote_id_addr_upper); 224 memset(remote_id_addr_lower, 0, sizeof remote_id_addr_lower); 225 memset(ah_group_desc, 0, sizeof ah_group_desc); 226 memset(esp_group_desc, 0, sizeof esp_group_desc); 227 memset(remote_id_port, 0, sizeof remote_id_port); 228 memset(remote_filter_port, 0, sizeof remote_filter_port); 229 memset(local_filter_port, 0, sizeof local_filter_port); 230 memset(phase1_group, 0, sizeof phase1_group); 231 232 dirty = 1; 233 return ""; 234 } 235 /* 236 * If dirty is set, this is the first request for an attribute, so 237 * populate our value cache. 238 */ 239 if (dirty) { 240 ie = policy_exchange->data; 241 242 if (ie->pfs) 243 pfs = "yes"; 244 245 is = policy_isakmp_sa->data; 246 snprintf(phase1_group, sizeof phase1_group, "%u", 247 is->group_desc); 248 249 for (proto = TAILQ_FIRST(&policy_sa->protos); proto; 250 proto = TAILQ_NEXT(proto, link)) { 251 switch (proto->proto) { 252 case IPSEC_PROTO_IPSEC_AH: 253 ah_present = "yes"; 254 switch (proto->id) { 255 case IPSEC_AH_MD5: 256 ah_hash_alg = "md5"; 257 break; 258 259 case IPSEC_AH_SHA: 260 ah_hash_alg = "sha"; 261 break; 262 263 case IPSEC_AH_RIPEMD: 264 ah_hash_alg = "ripemd"; 265 break; 266 267 case IPSEC_AH_SHA2_256: 268 ah_auth_alg = "sha2-256"; 269 break; 270 271 case IPSEC_AH_SHA2_384: 272 ah_auth_alg = "sha2-384"; 273 break; 274 275 case IPSEC_AH_SHA2_512: 276 ah_auth_alg = "sha2-512"; 277 break; 278 279 case IPSEC_AH_DES: 280 ah_hash_alg = "des"; 281 break; 282 } 283 284 break; 285 286 case IPSEC_PROTO_IPSEC_ESP: 287 esp_present = "yes"; 288 switch (proto->id) { 289 case IPSEC_ESP_DES_IV64: 290 esp_enc_alg = "des-iv64"; 291 break; 292 293 case IPSEC_ESP_DES: 294 esp_enc_alg = "des"; 295 break; 296 297 case IPSEC_ESP_3DES: 298 esp_enc_alg = "3des"; 299 break; 300 301 case IPSEC_ESP_AES: 302 case IPSEC_ESP_AES_128_CTR: 303 esp_enc_alg = "aes"; 304 break; 305 306 case IPSEC_ESP_RC5: 307 esp_enc_alg = "rc5"; 308 break; 309 310 case IPSEC_ESP_IDEA: 311 esp_enc_alg = "idea"; 312 break; 313 314 case IPSEC_ESP_CAST: 315 esp_enc_alg = "cast"; 316 break; 317 318 case IPSEC_ESP_BLOWFISH: 319 esp_enc_alg = "blowfish"; 320 break; 321 322 case IPSEC_ESP_3IDEA: 323 esp_enc_alg = "3idea"; 324 break; 325 326 case IPSEC_ESP_DES_IV32: 327 esp_enc_alg = "des-iv32"; 328 break; 329 330 case IPSEC_ESP_RC4: 331 esp_enc_alg = "rc4"; 332 break; 333 334 case IPSEC_ESP_NULL: 335 esp_enc_alg = "null"; 336 break; 337 } 338 339 break; 340 341 case IPSEC_PROTO_IPCOMP: 342 comp_present = "yes"; 343 switch (proto->id) { 344 case IPSEC_IPCOMP_OUI: 345 comp_alg = "oui"; 346 break; 347 348 case IPSEC_IPCOMP_DEFLATE: 349 comp_alg = "deflate"; 350 break; 351 352 case IPSEC_IPCOMP_LZS: 353 comp_alg = "lzs"; 354 break; 355 356 case IPSEC_IPCOMP_V42BIS: 357 comp_alg = "v42bis"; 358 break; 359 } 360 361 break; 362 } 363 364 for (attr = proto->chosen->p + 365 ISAKMP_TRANSFORM_SA_ATTRS_OFF; 366 attr < proto->chosen->p + 367 GET_ISAKMP_GEN_LENGTH(proto->chosen->p); 368 attr = value + len) { 369 if (attr + ISAKMP_ATTR_VALUE_OFF > 370 (proto->chosen->p + 371 GET_ISAKMP_GEN_LENGTH(proto->chosen->p))) 372 return ""; 373 374 type = GET_ISAKMP_ATTR_TYPE(attr); 375 fmt = ISAKMP_ATTR_FORMAT(type); 376 type = ISAKMP_ATTR_TYPE(type); 377 value = attr + (fmt ? 378 ISAKMP_ATTR_LENGTH_VALUE_OFF : 379 ISAKMP_ATTR_VALUE_OFF); 380 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : 381 GET_ISAKMP_ATTR_LENGTH_VALUE(attr)); 382 383 if (value + len > proto->chosen->p + 384 GET_ISAKMP_GEN_LENGTH(proto->chosen->p)) 385 return ""; 386 387 switch (type) { 388 case IPSEC_ATTR_SA_LIFE_TYPE: 389 lifetype = decode_16(value); 390 break; 391 392 case IPSEC_ATTR_SA_LIFE_DURATION: 393 switch (proto->proto) { 394 case IPSEC_PROTO_IPSEC_AH: 395 if (lifetype == IPSEC_DURATION_SECONDS) { 396 if (len == 2) 397 snprintf(ah_life_seconds, sizeof ah_life_seconds, 398 "%u", decode_16(value)); 399 else 400 snprintf(ah_life_seconds, sizeof ah_life_seconds, 401 "%u", decode_32(value)); 402 } else { 403 if (len == 2) 404 snprintf(ah_life_kbytes, sizeof ah_life_kbytes, 405 "%u", decode_16(value)); 406 else 407 snprintf(ah_life_kbytes, sizeof ah_life_kbytes, 408 "%u", decode_32(value)); 409 } 410 411 break; 412 413 case IPSEC_PROTO_IPSEC_ESP: 414 if (lifetype == IPSEC_DURATION_SECONDS) { 415 if (len == 2) 416 snprintf(esp_life_seconds, 417 sizeof esp_life_seconds, "%u", 418 decode_16(value)); 419 else 420 snprintf(esp_life_seconds, 421 sizeof esp_life_seconds, "%u", 422 decode_32(value)); 423 } else { 424 if (len == 2) 425 snprintf(esp_life_kbytes, 426 sizeof esp_life_kbytes, "%u", 427 decode_16(value)); 428 else 429 snprintf(esp_life_kbytes, 430 sizeof esp_life_kbytes, "%u", 431 decode_32(value)); 432 } 433 434 break; 435 436 case IPSEC_PROTO_IPCOMP: 437 if (lifetype == IPSEC_DURATION_SECONDS) { 438 if (len == 2) 439 snprintf(comp_life_seconds, 440 sizeof comp_life_seconds, "%u", 441 decode_16(value)); 442 else 443 snprintf(comp_life_seconds, 444 sizeof comp_life_seconds, "%u", 445 decode_32(value)); 446 } else { 447 if (len == 2) 448 snprintf(comp_life_kbytes, 449 sizeof comp_life_kbytes, "%u", 450 decode_16(value)); 451 else 452 snprintf(comp_life_kbytes, 453 sizeof comp_life_kbytes, "%u", 454 decode_32(value)); 455 } 456 break; 457 } 458 break; 459 460 case IPSEC_ATTR_GROUP_DESCRIPTION: 461 switch (proto->proto) { 462 case IPSEC_PROTO_IPSEC_AH: 463 snprintf(ah_group_desc, 464 sizeof ah_group_desc, "%u", 465 decode_16(value)); 466 break; 467 468 case IPSEC_PROTO_IPSEC_ESP: 469 snprintf(esp_group_desc, 470 sizeof esp_group_desc, "%u", 471 decode_16(value)); 472 break; 473 474 case IPSEC_PROTO_IPCOMP: 475 snprintf(comp_group_desc, 476 sizeof comp_group_desc, "%u", 477 decode_16(value)); 478 break; 479 } 480 break; 481 482 case IPSEC_ATTR_ECN_TUNNEL: 483 if (decode_16(value)) 484 switch (proto->proto) { 485 case IPSEC_PROTO_IPSEC_AH: 486 ah_ecn = "yes"; 487 break; 488 489 case IPSEC_PROTO_IPSEC_ESP: 490 esp_ecn = "yes"; 491 break; 492 493 case IPSEC_PROTO_IPCOMP: 494 comp_ecn = "yes"; 495 break; 496 } 497 498 case IPSEC_ATTR_ENCAPSULATION_MODE: 499 if (decode_16(value) == IPSEC_ENCAP_TUNNEL) 500 switch (proto->proto) { 501 case IPSEC_PROTO_IPSEC_AH: 502 ah_encapsulation = "tunnel"; 503 break; 504 505 case IPSEC_PROTO_IPSEC_ESP: 506 esp_encapsulation = "tunnel"; 507 break; 508 509 case IPSEC_PROTO_IPCOMP: 510 comp_encapsulation = "tunnel"; 511 break; 512 } 513#if defined (USE_NAT_TRAVERSAL) 514 else if (decode_16(value) == IPSEC_ENCAP_UDP_ENCAP_TUNNEL) 515 switch (proto->proto) { 516 case IPSEC_PROTO_IPSEC_AH: 517 ah_encapsulation = "udp-encap-tunnel"; 518 break; 519 520 case IPSEC_PROTO_IPSEC_ESP: 521 esp_encapsulation = "udp-encap-tunnel"; 522 break; 523 524 case IPSEC_PROTO_IPCOMP: 525 comp_encapsulation = "udp-encap-tunnel"; 526 break; 527 } 528 /* XXX IPSEC_ENCAP_UDP_ENCAP_TRANSPORT */ 529#endif 530 else 531 switch (proto->proto) { 532 case IPSEC_PROTO_IPSEC_AH: 533 ah_encapsulation = "transport"; 534 break; 535 536 case IPSEC_PROTO_IPSEC_ESP: 537 esp_encapsulation = "transport"; 538 break; 539 540 case IPSEC_PROTO_IPCOMP: 541 comp_encapsulation = "transport"; 542 break; 543 } 544 break; 545 546 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: 547 switch (proto->proto) { 548 case IPSEC_PROTO_IPSEC_AH: 549 switch (decode_16(value)) { 550 case IPSEC_AUTH_HMAC_MD5: 551 ah_auth_alg = "hmac-md5"; 552 break; 553 554 case IPSEC_AUTH_HMAC_SHA: 555 ah_auth_alg = "hmac-sha"; 556 break; 557 558 case IPSEC_AUTH_HMAC_RIPEMD: 559 ah_auth_alg = "hmac-ripemd"; 560 break; 561 562 case IPSEC_AUTH_HMAC_SHA2_256: 563 ah_auth_alg = "hmac-sha2-256"; 564 break; 565 566 case IPSEC_AUTH_HMAC_SHA2_384: 567 ah_auth_alg = "hmac-sha2-384"; 568 break; 569 570 case IPSEC_AUTH_HMAC_SHA2_512: 571 ah_auth_alg = "hmac-sha2-512"; 572 break; 573 574 case IPSEC_AUTH_DES_MAC: 575 ah_auth_alg = "des-mac"; 576 break; 577 578 case IPSEC_AUTH_KPDK: 579 ah_auth_alg = "kpdk"; 580 break; 581 } 582 break; 583 584 case IPSEC_PROTO_IPSEC_ESP: 585 switch (decode_16(value)) { 586 case IPSEC_AUTH_HMAC_MD5: 587 esp_auth_alg = "hmac-md5"; 588 break; 589 590 case IPSEC_AUTH_HMAC_SHA: 591 esp_auth_alg = "hmac-sha"; 592 break; 593 594 case IPSEC_AUTH_HMAC_RIPEMD: 595 esp_auth_alg = "hmac-ripemd"; 596 break; 597 598 case IPSEC_AUTH_HMAC_SHA2_256: 599 esp_auth_alg = "hmac-sha2-256"; 600 break; 601 602 case IPSEC_AUTH_HMAC_SHA2_384: 603 esp_auth_alg = "hmac-sha2-384"; 604 break; 605 606 case IPSEC_AUTH_HMAC_SHA2_512: 607 esp_auth_alg = "hmac-sha2-512"; 608 break; 609 610 case IPSEC_AUTH_DES_MAC: 611 esp_auth_alg = "des-mac"; 612 break; 613 614 case IPSEC_AUTH_KPDK: 615 esp_auth_alg = "kpdk"; 616 break; 617 } 618 break; 619 } 620 break; 621 622 case IPSEC_ATTR_KEY_LENGTH: 623 switch (proto->proto) { 624 case IPSEC_PROTO_IPSEC_AH: 625 snprintf(ah_key_length, 626 sizeof ah_key_length, "%u", 627 decode_16(value)); 628 break; 629 630 case IPSEC_PROTO_IPSEC_ESP: 631 snprintf(esp_key_length, 632 sizeof esp_key_length, "%u", 633 decode_16(value)); 634 break; 635 } 636 break; 637 638 case IPSEC_ATTR_KEY_ROUNDS: 639 switch (proto->proto) { 640 case IPSEC_PROTO_IPSEC_AH: 641 snprintf(ah_key_rounds, 642 sizeof ah_key_rounds, "%u", 643 decode_16(value)); 644 break; 645 646 case IPSEC_PROTO_IPSEC_ESP: 647 snprintf(esp_key_rounds, 648 sizeof esp_key_rounds, "%u", 649 decode_16(value)); 650 break; 651 } 652 break; 653 654 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: 655 snprintf(comp_dict_size, 656 sizeof comp_dict_size, "%u", 657 decode_16(value)); 658 break; 659 660 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: 661 snprintf(comp_private_alg, 662 sizeof comp_private_alg, "%u", 663 decode_16(value)); 664 break; 665 } 666 } 667 } 668 669 policy_sa->transport->vtbl->get_src(policy_sa->transport, 670 &sin); 671 if (sockaddr2text(sin, &addr, 1)) { 672 log_error("policy_callback: sockaddr2text failed"); 673 goto bad; 674 } 675 strlcpy(local_ike_address, addr, sizeof local_ike_address); 676 free(addr); 677 678 policy_sa->transport->vtbl->get_dst(policy_sa->transport, 679 &sin); 680 if (sockaddr2text(sin, &addr, 1)) { 681 log_error("policy_callback: sockaddr2text failed"); 682 goto bad; 683 } 684 strlcpy(remote_ike_address, addr, sizeof remote_ike_address); 685 free(addr); 686 687 switch (policy_isakmp_sa->exch_type) { 688 case ISAKMP_EXCH_AGGRESSIVE: 689 phase_1 = "aggressive"; 690 break; 691 692 case ISAKMP_EXCH_ID_PROT: 693 phase_1 = "main"; 694 break; 695 } 696 697 if (policy_isakmp_sa->initiator) { 698 id = policy_isakmp_sa->id_r; 699 id_sz = policy_isakmp_sa->id_r_len; 700 } else { 701 id = policy_isakmp_sa->id_i; 702 id_sz = policy_isakmp_sa->id_i_len; 703 } 704 705 switch (id[0]) { 706 case IPSEC_ID_IPV4_ADDR: 707 remote_id_type = "IPv4 address"; 708 709 net = decode_32(id + ISAKMP_ID_DATA_OFF - 710 ISAKMP_GEN_SZ); 711 my_inet_ntop4(&net, remote_id_addr_upper, 712 sizeof remote_id_addr_upper - 1, 1); 713 my_inet_ntop4(&net, remote_id_addr_lower, 714 sizeof remote_id_addr_lower - 1, 1); 715 remote_id = strdup(remote_id_addr_upper); 716 if (!remote_id) { 717 log_error("policy_callback: " 718 "strdup (\"%s\") failed", 719 remote_id_addr_upper); 720 goto bad; 721 } 722 break; 723 724 case IPSEC_ID_IPV4_RANGE: 725 remote_id_type = "IPv4 range"; 726 727 net = decode_32(id + ISAKMP_ID_DATA_OFF - 728 ISAKMP_GEN_SZ); 729 my_inet_ntop4(&net, remote_id_addr_lower, 730 sizeof remote_id_addr_lower - 1, 1); 731 net = decode_32(id + ISAKMP_ID_DATA_OFF - 732 ISAKMP_GEN_SZ + 4); 733 my_inet_ntop4(&net, remote_id_addr_upper, 734 sizeof remote_id_addr_upper - 1, 1); 735 len = strlen(remote_id_addr_upper) + 736 strlen(remote_id_addr_lower) + 2; 737 remote_id = calloc(len, sizeof(char)); 738 if (!remote_id) { 739 log_error("policy_callback: " 740 "calloc (%d, %lu) failed", len, 741 (unsigned long)sizeof(char)); 742 goto bad; 743 } 744 strlcpy(remote_id, remote_id_addr_lower, len); 745 strlcat(remote_id, "-", len); 746 strlcat(remote_id, remote_id_addr_upper, len); 747 break; 748 749 case IPSEC_ID_IPV4_ADDR_SUBNET: 750 remote_id_type = "IPv4 subnet"; 751 752 net = decode_32(id + ISAKMP_ID_DATA_OFF - 753 ISAKMP_GEN_SZ); 754 subnet = decode_32(id + ISAKMP_ID_DATA_OFF - 755 ISAKMP_GEN_SZ + 4); 756 net &= subnet; 757 my_inet_ntop4(&net, remote_id_addr_lower, 758 sizeof remote_id_addr_lower - 1, 1); 759 net |= ~subnet; 760 my_inet_ntop4(&net, remote_id_addr_upper, 761 sizeof remote_id_addr_upper - 1, 1); 762 len = strlen(remote_id_addr_upper) + 763 strlen(remote_id_addr_lower) + 2; 764 remote_id = calloc(len, sizeof(char)); 765 if (!remote_id) { 766 log_error("policy_callback: " 767 "calloc (%d, %lu) failed", len, 768 (unsigned long)sizeof(char)); 769 goto bad; 770 } 771 strlcpy(remote_id, remote_id_addr_lower, len); 772 strlcat(remote_id, "-", len); 773 strlcat(remote_id, remote_id_addr_upper, len); 774 break; 775 776 case IPSEC_ID_IPV6_ADDR: 777 remote_id_type = "IPv6 address"; 778 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 779 remote_id_addr_upper, sizeof remote_id_addr_upper); 780 strlcpy(remote_id_addr_lower, remote_id_addr_upper, 781 sizeof remote_id_addr_lower); 782 remote_id = strdup(remote_id_addr_upper); 783 if (!remote_id) { 784 log_error("policy_callback: " 785 "strdup (\"%s\") failed", 786 remote_id_addr_upper); 787 goto bad; 788 } 789 break; 790 791 case IPSEC_ID_IPV6_RANGE: 792 remote_id_type = "IPv6 range"; 793 794 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 795 remote_id_addr_lower, 796 sizeof remote_id_addr_lower - 1); 797 798 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - 799 ISAKMP_GEN_SZ + 16, remote_id_addr_upper, 800 sizeof remote_id_addr_upper - 1); 801 802 len = strlen(remote_id_addr_upper) + 803 strlen(remote_id_addr_lower) + 2; 804 remote_id = calloc(len, sizeof(char)); 805 if (!remote_id) { 806 log_error("policy_callback: " 807 "calloc (%d, %lu) failed", len, 808 (unsigned long)sizeof(char)); 809 goto bad; 810 } 811 strlcpy(remote_id, remote_id_addr_lower, len); 812 strlcat(remote_id, "-", len); 813 strlcat(remote_id, remote_id_addr_upper, len); 814 break; 815 816 case IPSEC_ID_IPV6_ADDR_SUBNET: 817 { 818 struct in6_addr net, mask; 819 820 remote_id_type = "IPv6 subnet"; 821 822 bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, &net, 823 sizeof(net)); 824 bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, 825 &mask, sizeof(mask)); 826 827 for (i = 0; i < 16; i++) 828 net.s6_addr[i] &= mask.s6_addr[i]; 829 830 my_inet_ntop6((unsigned char *)&net, 831 remote_id_addr_lower, 832 sizeof remote_id_addr_lower - 1); 833 834 for (i = 0; i < 16; i++) 835 net.s6_addr[i] |= ~mask.s6_addr[i]; 836 837 my_inet_ntop6((unsigned char *)&net, 838 remote_id_addr_upper, 839 sizeof remote_id_addr_upper - 1); 840 841 len = strlen(remote_id_addr_upper) + 842 strlen(remote_id_addr_lower) + 2; 843 remote_id = calloc(len, sizeof(char)); 844 if (!remote_id) { 845 log_error("policy_callback: " 846 "calloc (%d, %lu) failed", len, 847 (unsigned long)sizeof(char)); 848 goto bad; 849 } 850 strlcpy(remote_id, remote_id_addr_lower, len); 851 strlcat(remote_id, "-", len); 852 strlcat(remote_id, remote_id_addr_upper, len); 853 break; 854 } 855 856 case IPSEC_ID_FQDN: 857 remote_id_type = "FQDN"; 858 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF + 859 ISAKMP_GEN_SZ + 1, sizeof(char)); 860 if (!remote_id) { 861 log_error("policy_callback: " 862 "calloc (%lu, %lu) failed", 863 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + 864 ISAKMP_GEN_SZ + 1, 865 (unsigned long)sizeof(char)); 866 goto bad; 867 } 868 memcpy(remote_id, 869 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 870 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 871 break; 872 873 case IPSEC_ID_USER_FQDN: 874 remote_id_type = "User FQDN"; 875 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF + 876 ISAKMP_GEN_SZ + 1, sizeof(char)); 877 if (!remote_id) { 878 log_error("policy_callback: " 879 "calloc (%lu, %lu) failed", 880 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + 881 ISAKMP_GEN_SZ + 1, 882 (unsigned long)sizeof(char)); 883 goto bad; 884 } 885 memcpy(remote_id, 886 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 887 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 888 break; 889 890 case IPSEC_ID_DER_ASN1_DN: 891 remote_id_type = "ASN1 DN"; 892 893 remote_id = x509_DN_string(id + ISAKMP_ID_DATA_OFF - 894 ISAKMP_GEN_SZ, 895 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 896 if (!remote_id) { 897 LOG_DBG((LOG_POLICY, 50, 898 "policy_callback: failed to decode name")); 899 goto bad; 900 } 901 break; 902 903 case IPSEC_ID_DER_ASN1_GN: /* XXX */ 904 remote_id_type = "ASN1 GN"; 905 break; 906 907 case IPSEC_ID_KEY_ID: 908 remote_id_type = "Key ID"; 909 remote_id = calloc(2 * (id_sz - ISAKMP_ID_DATA_OFF + 910 ISAKMP_GEN_SZ) + 1, sizeof(char)); 911 if (!remote_id) { 912 log_error("policy_callback: " 913 "calloc (%lu, %lu) failed", 914 2 * ((unsigned long)id_sz - 915 ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 916 (unsigned long)sizeof(char)); 917 goto bad; 918 } 919 /* Does it contain any non-printable characters ? */ 920 for (i = 0; 921 i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; 922 i++) 923 if (!isprint(*(id + ISAKMP_ID_DATA_OFF - 924 ISAKMP_GEN_SZ + i))) 925 break; 926 if (i >= id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) { 927 memcpy(remote_id, id + ISAKMP_ID_DATA_OFF - 928 ISAKMP_GEN_SZ, 929 id_sz - ISAKMP_ID_DATA_OFF + 930 ISAKMP_GEN_SZ); 931 break; 932 } 933 /* Non-printable characters, convert to hex */ 934 for (i = 0; 935 i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; 936 i++) { 937 remote_id[2 * i] = hextab[*(id + 938 ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]; 939 remote_id[2 * i + 1] = hextab[*(id + 940 ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF]; 941 } 942 break; 943 944 default: 945 log_print("policy_callback: " 946 "unknown remote ID type %u", id[0]); 947 goto bad; 948 } 949 950 switch (id[1]) { 951 case IPPROTO_TCP: 952 remote_id_proto = "tcp"; 953 break; 954 955 case IPPROTO_UDP: 956 remote_id_proto = "udp"; 957 break; 958 959#ifdef IPPROTO_ETHERIP 960 case IPPROTO_ETHERIP: 961 remote_id_proto = "etherip"; 962 break; 963#endif 964 965 default: 966 snprintf(remote_id_proto_num, 967 sizeof remote_id_proto_num, "%d", 968 id[1]); 969 remote_id_proto = remote_id_proto_num; 970 break; 971 } 972 973 snprintf(remote_id_port, sizeof remote_id_port, "%u", 974 decode_16(id + 2)); 975 976 if (policy_exchange->initiator) { 977 initiator = "yes"; 978 idlocal = ie->id_ci; 979 idremote = ie->id_cr; 980 idlocalsz = ie->id_ci_sz; 981 idremotesz = ie->id_cr_sz; 982 } else { 983 initiator = "no"; 984 idlocal = ie->id_cr; 985 idremote = ie->id_ci; 986 idlocalsz = ie->id_cr_sz; 987 idremotesz = ie->id_ci_sz; 988 } 989 990 /* Initialize the ID variables. */ 991 if (idremote) { 992 switch (GET_ISAKMP_ID_TYPE(idremote)) { 993 case IPSEC_ID_IPV4_ADDR: 994 remote_filter_type = "IPv4 address"; 995 996 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 997 my_inet_ntop4(&net, remote_filter_addr_upper, 998 sizeof remote_filter_addr_upper - 1, 1); 999 my_inet_ntop4(&net, remote_filter_addr_lower, 1000 sizeof remote_filter_addr_lower - 1, 1); 1001 remote_filter = 1002 strdup(remote_filter_addr_upper); 1003 if (!remote_filter) { 1004 log_error("policy_callback: strdup " 1005 "(\"%s\") failed", 1006 remote_filter_addr_upper); 1007 goto bad; 1008 } 1009 break; 1010 1011 case IPSEC_ID_IPV4_RANGE: 1012 remote_filter_type = "IPv4 range"; 1013 1014 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 1015 my_inet_ntop4(&net, remote_filter_addr_lower, 1016 sizeof remote_filter_addr_lower - 1, 1); 1017 net = decode_32(idremote + ISAKMP_ID_DATA_OFF + 1018 4); 1019 my_inet_ntop4(&net, remote_filter_addr_upper, 1020 sizeof remote_filter_addr_upper - 1, 1); 1021 len = strlen(remote_filter_addr_upper) + 1022 strlen(remote_filter_addr_lower) + 2; 1023 remote_filter = calloc(len, sizeof(char)); 1024 if (!remote_filter) { 1025 log_error("policy_callback: calloc " 1026 "(%d, %lu) failed", len, 1027 (unsigned long)sizeof(char)); 1028 goto bad; 1029 } 1030 strlcpy(remote_filter, 1031 remote_filter_addr_lower, len); 1032 strlcat(remote_filter, "-", len); 1033 strlcat(remote_filter, 1034 remote_filter_addr_upper, len); 1035 break; 1036 1037 case IPSEC_ID_IPV4_ADDR_SUBNET: 1038 remote_filter_type = "IPv4 subnet"; 1039 1040 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 1041 subnet = decode_32(idremote + 1042 ISAKMP_ID_DATA_OFF + 4); 1043 net &= subnet; 1044 my_inet_ntop4(&net, remote_filter_addr_lower, 1045 sizeof remote_filter_addr_lower - 1, 1); 1046 net |= ~subnet; 1047 my_inet_ntop4(&net, remote_filter_addr_upper, 1048 sizeof remote_filter_addr_upper - 1, 1); 1049 len = strlen(remote_filter_addr_upper) + 1050 strlen(remote_filter_addr_lower) + 2; 1051 remote_filter = calloc(len, sizeof(char)); 1052 if (!remote_filter) { 1053 log_error("policy_callback: calloc " 1054 "(%d, %lu) failed", len, 1055 (unsigned long)sizeof(char)); 1056 goto bad; 1057 } 1058 strlcpy(remote_filter, 1059 remote_filter_addr_lower, len); 1060 strlcat(remote_filter, "-", len); 1061 strlcat(remote_filter, 1062 remote_filter_addr_upper, len); 1063 break; 1064 1065 case IPSEC_ID_IPV6_ADDR: 1066 remote_filter_type = "IPv6 address"; 1067 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF, 1068 remote_filter_addr_upper, 1069 sizeof remote_filter_addr_upper - 1); 1070 strlcpy(remote_filter_addr_lower, 1071 remote_filter_addr_upper, 1072 sizeof remote_filter_addr_lower); 1073 remote_filter = 1074 strdup(remote_filter_addr_upper); 1075 if (!remote_filter) { 1076 log_error("policy_callback: strdup " 1077 "(\"%s\") failed", 1078 remote_filter_addr_upper); 1079 goto bad; 1080 } 1081 break; 1082 1083 case IPSEC_ID_IPV6_RANGE: 1084 remote_filter_type = "IPv6 range"; 1085 1086 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF, 1087 remote_filter_addr_lower, 1088 sizeof remote_filter_addr_lower - 1); 1089 1090 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF + 1091 16, remote_filter_addr_upper, 1092 sizeof remote_filter_addr_upper - 1); 1093 1094 len = strlen(remote_filter_addr_upper) + 1095 strlen(remote_filter_addr_lower) + 2; 1096 remote_filter = calloc(len, sizeof(char)); 1097 if (!remote_filter) { 1098 log_error("policy_callback: calloc " 1099 "(%d, %lu) failed", len, 1100 (unsigned long)sizeof(char)); 1101 goto bad; 1102 } 1103 strlcpy(remote_filter, 1104 remote_filter_addr_lower, len); 1105 strlcat(remote_filter, "-", len); 1106 strlcat(remote_filter, 1107 remote_filter_addr_upper, len); 1108 break; 1109 1110 case IPSEC_ID_IPV6_ADDR_SUBNET: 1111 { 1112 struct in6_addr net, mask; 1113 1114 remote_filter_type = "IPv6 subnet"; 1115 1116 bcopy(idremote + ISAKMP_ID_DATA_OFF, 1117 &net, sizeof(net)); 1118 bcopy(idremote + ISAKMP_ID_DATA_OFF + 1119 16, &mask, sizeof(mask)); 1120 1121 for (i = 0; i < 16; i++) 1122 net.s6_addr[i] &= 1123 mask.s6_addr[i]; 1124 1125 my_inet_ntop6((unsigned char *)&net, 1126 remote_filter_addr_lower, 1127 sizeof remote_filter_addr_lower - 1); 1128 1129 for (i = 0; i < 16; i++) 1130 net.s6_addr[i] |= 1131 ~mask.s6_addr[i]; 1132 1133 my_inet_ntop6((unsigned char *)&net, 1134 remote_filter_addr_upper, 1135 sizeof remote_filter_addr_upper - 1); 1136 1137 len = strlen(remote_filter_addr_upper) 1138 + strlen(remote_filter_addr_lower) + 2; 1139 remote_filter = calloc(len, 1140 sizeof(char)); 1141 if (!remote_filter) { 1142 log_error("policy_callback: " 1143 "calloc (%d, %lu) failed", 1144 len, 1145 (unsigned long)sizeof(char)); 1146 goto bad; 1147 } 1148 strlcpy(remote_filter, 1149 remote_filter_addr_lower, len); 1150 strlcat(remote_filter, "-", len); 1151 strlcat(remote_filter, 1152 remote_filter_addr_upper, len); 1153 break; 1154 } 1155 1156 case IPSEC_ID_FQDN: 1157 remote_filter_type = "FQDN"; 1158 remote_filter = malloc(idremotesz - 1159 ISAKMP_ID_DATA_OFF + 1); 1160 if (!remote_filter) { 1161 log_error("policy_callback: " 1162 "malloc (%lu) failed", 1163 (unsigned long)idremotesz - 1164 ISAKMP_ID_DATA_OFF + 1); 1165 goto bad; 1166 } 1167 memcpy(remote_filter, 1168 idremote + ISAKMP_ID_DATA_OFF, 1169 idremotesz - ISAKMP_ID_DATA_OFF); 1170 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] 1171 = '\0'; 1172 break; 1173 1174 case IPSEC_ID_USER_FQDN: 1175 remote_filter_type = "User FQDN"; 1176 remote_filter = malloc(idremotesz - 1177 ISAKMP_ID_DATA_OFF + 1); 1178 if (!remote_filter) { 1179 log_error("policy_callback: " 1180 "malloc (%lu) failed", 1181 (unsigned long)idremotesz - 1182 ISAKMP_ID_DATA_OFF + 1); 1183 goto bad; 1184 } 1185 memcpy(remote_filter, 1186 idremote + ISAKMP_ID_DATA_OFF, 1187 idremotesz - ISAKMP_ID_DATA_OFF); 1188 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] 1189 = '\0'; 1190 break; 1191 1192 case IPSEC_ID_DER_ASN1_DN: 1193 remote_filter_type = "ASN1 DN"; 1194 1195 remote_filter = x509_DN_string(idremote + 1196 ISAKMP_ID_DATA_OFF, 1197 idremotesz - ISAKMP_ID_DATA_OFF); 1198 if (!remote_filter) { 1199 LOG_DBG((LOG_POLICY, 50, 1200 "policy_callback: " 1201 "failed to decode name")); 1202 goto bad; 1203 } 1204 break; 1205 1206 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure 1207 * what's in this. */ 1208 remote_filter_type = "ASN1 GN"; 1209 break; 1210 1211 case IPSEC_ID_KEY_ID: 1212 remote_filter_type = "Key ID"; 1213 remote_filter 1214 = calloc(2 * (idremotesz - 1215 ISAKMP_ID_DATA_OFF) + 1, 1216 sizeof(char)); 1217 if (!remote_filter) { 1218 log_error("policy_callback: " 1219 "calloc (%lu, %lu) failed", 1220 2 * ((unsigned long)idremotesz - 1221 ISAKMP_ID_DATA_OFF) + 1, 1222 (unsigned long)sizeof(char)); 1223 goto bad; 1224 } 1225 /* 1226 * Does it contain any non-printable 1227 * characters ? 1228 */ 1229 for (i = 0; 1230 i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1231 if (!isprint(*(idremote + 1232 ISAKMP_ID_DATA_OFF + i))) 1233 break; 1234 if (i >= idremotesz - ISAKMP_ID_DATA_OFF) { 1235 memcpy(remote_filter, 1236 idremote + ISAKMP_ID_DATA_OFF, 1237 idremotesz - ISAKMP_ID_DATA_OFF); 1238 break; 1239 } 1240 /* Non-printable characters, convert to hex */ 1241 for (i = 0; 1242 i < idremotesz - ISAKMP_ID_DATA_OFF; 1243 i++) { 1244 remote_filter[2 * i] 1245 = hextab[*(idremote + 1246 ISAKMP_ID_DATA_OFF) >> 4]; 1247 remote_filter[2 * i + 1] 1248 = hextab[*(idremote + 1249 ISAKMP_ID_DATA_OFF) & 0xF]; 1250 } 1251 break; 1252 1253 default: 1254 log_print("policy_callback: " 1255 "unknown Remote ID type %u", 1256 GET_ISAKMP_ID_TYPE(idremote)); 1257 goto bad; 1258 } 1259 1260 switch (idremote[ISAKMP_GEN_SZ + 1]) { 1261 case IPPROTO_TCP: 1262 remote_filter_proto = "tcp"; 1263 break; 1264 1265 case IPPROTO_UDP: 1266 remote_filter_proto = "udp"; 1267 break; 1268 1269#ifdef IPPROTO_ETHERIP 1270 case IPPROTO_ETHERIP: 1271 remote_filter_proto = "etherip"; 1272 break; 1273#endif 1274 1275 default: 1276 snprintf(remote_filter_proto_num, 1277 sizeof remote_filter_proto_num, "%d", 1278 idremote[ISAKMP_GEN_SZ + 1]); 1279 remote_filter_proto = remote_filter_proto_num; 1280 break; 1281 } 1282 1283 snprintf(remote_filter_port, sizeof remote_filter_port, 1284 "%u", decode_16(idremote + ISAKMP_GEN_SZ + 2)); 1285 } else { 1286 policy_sa->transport->vtbl->get_dst(policy_sa->transport, &sin); 1287 switch (sin->sa_family) { 1288 case AF_INET: 1289 remote_filter_type = "IPv4 address"; 1290 break; 1291 case AF_INET6: 1292 remote_filter_type = "IPv6 address"; 1293 break; 1294 default: 1295 log_print("policy_callback: " 1296 "unsupported protocol family %d", 1297 sin->sa_family); 1298 goto bad; 1299 } 1300 if (sockaddr2text(sin, &addr, 1)) { 1301 log_error("policy_callback: " 1302 "sockaddr2text failed"); 1303 goto bad; 1304 } 1305 memcpy(remote_filter_addr_upper, addr, 1306 sizeof remote_filter_addr_upper); 1307 memcpy(remote_filter_addr_lower, addr, 1308 sizeof remote_filter_addr_lower); 1309 free(addr); 1310 remote_filter = strdup(remote_filter_addr_upper); 1311 if (!remote_filter) { 1312 log_error("policy_callback: " 1313 "strdup (\"%s\") failed", 1314 remote_filter_addr_upper); 1315 goto bad; 1316 } 1317 } 1318 1319 if (idlocal) { 1320 switch (GET_ISAKMP_ID_TYPE(idlocal)) { 1321 case IPSEC_ID_IPV4_ADDR: 1322 local_filter_type = "IPv4 address"; 1323 1324 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1325 my_inet_ntop4(&net, local_filter_addr_upper, 1326 sizeof local_filter_addr_upper - 1, 1); 1327 my_inet_ntop4(&net, local_filter_addr_lower, 1328 sizeof local_filter_addr_upper - 1, 1); 1329 local_filter = strdup(local_filter_addr_upper); 1330 if (!local_filter) { 1331 log_error("policy_callback: " 1332 "strdup (\"%s\") failed", 1333 local_filter_addr_upper); 1334 goto bad; 1335 } 1336 break; 1337 1338 case IPSEC_ID_IPV4_RANGE: 1339 local_filter_type = "IPv4 range"; 1340 1341 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1342 my_inet_ntop4(&net, local_filter_addr_lower, 1343 sizeof local_filter_addr_lower - 1, 1); 1344 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF + 1345 4); 1346 my_inet_ntop4(&net, local_filter_addr_upper, 1347 sizeof local_filter_addr_upper - 1, 1); 1348 len = strlen(local_filter_addr_upper) 1349 + strlen(local_filter_addr_lower) + 2; 1350 local_filter = calloc(len, sizeof(char)); 1351 if (!local_filter) { 1352 log_error("policy_callback: " 1353 "calloc (%d, %lu) failed", len, 1354 (unsigned long)sizeof(char)); 1355 goto bad; 1356 } 1357 strlcpy(local_filter, local_filter_addr_lower, 1358 len); 1359 strlcat(local_filter, "-", len); 1360 strlcat(local_filter, local_filter_addr_upper, 1361 len); 1362 break; 1363 1364 case IPSEC_ID_IPV4_ADDR_SUBNET: 1365 local_filter_type = "IPv4 subnet"; 1366 1367 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1368 subnet = decode_32(idlocal + 1369 ISAKMP_ID_DATA_OFF + 4); 1370 net &= subnet; 1371 my_inet_ntop4(&net, local_filter_addr_lower, 1372 sizeof local_filter_addr_lower - 1, 1); 1373 net |= ~subnet; 1374 my_inet_ntop4(&net, local_filter_addr_upper, 1375 sizeof local_filter_addr_upper - 1, 1); 1376 len = strlen(local_filter_addr_upper) 1377 + strlen(local_filter_addr_lower) + 2; 1378 local_filter = calloc(len, sizeof(char)); 1379 if (!local_filter) { 1380 log_error("policy_callback: " 1381 "calloc (%d, %lu) failed", len, 1382 (unsigned long)sizeof(char)); 1383 goto bad; 1384 } 1385 strlcpy(local_filter, local_filter_addr_lower, 1386 len); 1387 strlcat(local_filter, "-", len); 1388 strlcat(local_filter, local_filter_addr_upper, 1389 len); 1390 break; 1391 1392 case IPSEC_ID_IPV6_ADDR: 1393 local_filter_type = "IPv6 address"; 1394 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF, 1395 local_filter_addr_upper, 1396 sizeof local_filter_addr_upper - 1); 1397 strlcpy(local_filter_addr_lower, 1398 local_filter_addr_upper, 1399 sizeof local_filter_addr_lower); 1400 local_filter = strdup(local_filter_addr_upper); 1401 if (!local_filter) { 1402 log_error("policy_callback: " 1403 "strdup (\"%s\") failed", 1404 local_filter_addr_upper); 1405 goto bad; 1406 } 1407 break; 1408 1409 case IPSEC_ID_IPV6_RANGE: 1410 local_filter_type = "IPv6 range"; 1411 1412 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF, 1413 local_filter_addr_lower, 1414 sizeof local_filter_addr_lower - 1); 1415 1416 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF + 1417 16, local_filter_addr_upper, 1418 sizeof local_filter_addr_upper - 1); 1419 1420 len = strlen(local_filter_addr_upper) 1421 + strlen(local_filter_addr_lower) + 2; 1422 local_filter = calloc(len, sizeof(char)); 1423 if (!local_filter) { 1424 log_error("policy_callback: " 1425 "calloc (%d, %lu) failed", len, 1426 (unsigned long)sizeof(char)); 1427 goto bad; 1428 } 1429 strlcpy(local_filter, local_filter_addr_lower, 1430 len); 1431 strlcat(local_filter, "-", len); 1432 strlcat(local_filter, local_filter_addr_upper, 1433 len); 1434 break; 1435 1436 case IPSEC_ID_IPV6_ADDR_SUBNET: 1437 { 1438 struct in6_addr net, mask; 1439 1440 local_filter_type = "IPv6 subnet"; 1441 1442 bcopy(idlocal + ISAKMP_ID_DATA_OFF, 1443 &net, sizeof(net)); 1444 bcopy(idlocal + ISAKMP_ID_DATA_OFF + 1445 16, &mask, sizeof(mask)); 1446 1447 for (i = 0; i < 16; i++) 1448 net.s6_addr[i] &= 1449 mask.s6_addr[i]; 1450 1451 my_inet_ntop6((unsigned char *)&net, 1452 local_filter_addr_lower, 1453 sizeof local_filter_addr_lower - 1); 1454 1455 for (i = 0; i < 16; i++) 1456 net.s6_addr[i] |= 1457 ~mask.s6_addr[i]; 1458 1459 my_inet_ntop6((unsigned char *)&net, 1460 local_filter_addr_upper, 1461 sizeof local_filter_addr_upper - 1462 1); 1463 1464 len = strlen(local_filter_addr_upper) 1465 + strlen(local_filter_addr_lower) 1466 + 2; 1467 local_filter = calloc(len, 1468 sizeof(char)); 1469 if (!local_filter) { 1470 log_error("policy_callback: " 1471 "calloc (%d, %lu) failed", 1472 len, 1473 (unsigned long)sizeof(char)); 1474 goto bad; 1475 } 1476 strlcpy(local_filter, 1477 local_filter_addr_lower, len); 1478 strlcat(local_filter, "-", len); 1479 strlcat(local_filter, 1480 local_filter_addr_upper, len); 1481 break; 1482 } 1483 1484 case IPSEC_ID_FQDN: 1485 local_filter_type = "FQDN"; 1486 local_filter = malloc(idlocalsz - 1487 ISAKMP_ID_DATA_OFF + 1); 1488 if (!local_filter) { 1489 log_error("policy_callback: " 1490 "malloc (%lu) failed", 1491 (unsigned long)idlocalsz - 1492 ISAKMP_ID_DATA_OFF + 1); 1493 goto bad; 1494 } 1495 memcpy(local_filter, 1496 idlocal + ISAKMP_ID_DATA_OFF, 1497 idlocalsz - ISAKMP_ID_DATA_OFF); 1498 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] 1499 = '\0'; 1500 break; 1501 1502 case IPSEC_ID_USER_FQDN: 1503 local_filter_type = "User FQDN"; 1504 local_filter = malloc(idlocalsz - 1505 ISAKMP_ID_DATA_OFF + 1); 1506 if (!local_filter) { 1507 log_error("policy_callback: " 1508 "malloc (%lu) failed", 1509 (unsigned long)idlocalsz - 1510 ISAKMP_ID_DATA_OFF + 1); 1511 goto bad; 1512 } 1513 memcpy(local_filter, 1514 idlocal + ISAKMP_ID_DATA_OFF, 1515 idlocalsz - ISAKMP_ID_DATA_OFF); 1516 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] 1517 = '\0'; 1518 break; 1519 1520 case IPSEC_ID_DER_ASN1_DN: 1521 local_filter_type = "ASN1 DN"; 1522 1523 local_filter = x509_DN_string(idlocal + 1524 ISAKMP_ID_DATA_OFF, 1525 idlocalsz - ISAKMP_ID_DATA_OFF); 1526 if (!local_filter) { 1527 LOG_DBG((LOG_POLICY, 50, 1528 "policy_callback: failed to decode" 1529 " name")); 1530 goto bad; 1531 } 1532 break; 1533 1534 case IPSEC_ID_DER_ASN1_GN: 1535 /* XXX -- not sure what's in this. */ 1536 local_filter_type = "ASN1 GN"; 1537 break; 1538 1539 case IPSEC_ID_KEY_ID: 1540 local_filter_type = "Key ID"; 1541 local_filter = calloc(2 * (idlocalsz - 1542 ISAKMP_ID_DATA_OFF) + 1, 1543 sizeof(char)); 1544 if (!local_filter) { 1545 log_error("policy_callback: " 1546 "calloc (%lu, %lu) failed", 1547 2 * ((unsigned long)idlocalsz - 1548 ISAKMP_ID_DATA_OFF) + 1, 1549 (unsigned long)sizeof(char)); 1550 goto bad; 1551 } 1552 /* 1553 * Does it contain any non-printable 1554 * characters ? 1555 */ 1556 for (i = 0; 1557 i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1558 if (!isprint(*(idlocal + 1559 ISAKMP_ID_DATA_OFF + i))) 1560 break; 1561 if (i >= idlocalsz - ISAKMP_ID_DATA_OFF) { 1562 memcpy(local_filter, idlocal + 1563 ISAKMP_ID_DATA_OFF, 1564 idlocalsz - ISAKMP_ID_DATA_OFF); 1565 break; 1566 } 1567 /* Non-printable characters, convert to hex */ 1568 for (i = 0; 1569 i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) { 1570 local_filter[2 * i] 1571 = hextab[*(idlocal + 1572 ISAKMP_ID_DATA_OFF) >> 4]; 1573 local_filter[2 * i + 1] 1574 = hextab[*(idlocal + 1575 ISAKMP_ID_DATA_OFF) & 0xF]; 1576 } 1577 break; 1578 1579 default: 1580 log_print("policy_callback: " 1581 "unknown Local ID type %u", 1582 GET_ISAKMP_ID_TYPE(idlocal)); 1583 goto bad; 1584 } 1585 1586 switch (idlocal[ISAKMP_GEN_SZ + 1]) { 1587 case IPPROTO_TCP: 1588 local_filter_proto = "tcp"; 1589 break; 1590 1591 case IPPROTO_UDP: 1592 local_filter_proto = "udp"; 1593 break; 1594 1595#ifdef IPPROTO_ETHERIP 1596 case IPPROTO_ETHERIP: 1597 local_filter_proto = "etherip"; 1598 break; 1599#endif 1600 1601 default: 1602 snprintf(local_filter_proto_num, 1603 sizeof local_filter_proto_num, 1604 "%d", idlocal[ISAKMP_GEN_SZ + 1]); 1605 local_filter_proto = local_filter_proto_num; 1606 break; 1607 } 1608 1609 snprintf(local_filter_port, sizeof local_filter_port, 1610 "%u", decode_16(idlocal + ISAKMP_GEN_SZ + 2)); 1611 } else { 1612 policy_sa->transport->vtbl->get_src(policy_sa->transport, 1613 (struct sockaddr **)&sin); 1614 switch (sin->sa_family) { 1615 case AF_INET: 1616 local_filter_type = "IPv4 address"; 1617 break; 1618 case AF_INET6: 1619 local_filter_type = "IPv6 address"; 1620 break; 1621 default: 1622 log_print("policy_callback: " 1623 "unsupported protocol family %d", 1624 sin->sa_family); 1625 goto bad; 1626 } 1627 1628 if (sockaddr2text(sin, &addr, 1)) { 1629 log_error("policy_callback: " 1630 "sockaddr2text failed"); 1631 goto bad; 1632 } 1633 memcpy(local_filter_addr_upper, addr, 1634 sizeof local_filter_addr_upper); 1635 memcpy(local_filter_addr_lower, addr, 1636 sizeof local_filter_addr_lower); 1637 free(addr); 1638 local_filter = strdup(local_filter_addr_upper); 1639 if (!local_filter) { 1640 log_error("policy_callback: " 1641 "strdup (\"%s\") failed", 1642 local_filter_addr_upper); 1643 goto bad; 1644 } 1645 } 1646 1647 LOG_DBG((LOG_POLICY, 80, 1648 "Policy context (action attributes):")); 1649 LOG_DBG((LOG_POLICY, 80, "esp_present == %s", esp_present)); 1650 LOG_DBG((LOG_POLICY, 80, "ah_present == %s", ah_present)); 1651 LOG_DBG((LOG_POLICY, 80, "comp_present == %s", comp_present)); 1652 LOG_DBG((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg)); 1653 LOG_DBG((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg)); 1654 LOG_DBG((LOG_POLICY, 80, "comp_alg == %s", comp_alg)); 1655 LOG_DBG((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg)); 1656 LOG_DBG((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg)); 1657 LOG_DBG((LOG_POLICY, 80, "ah_life_seconds == %s", 1658 ah_life_seconds)); 1659 LOG_DBG((LOG_POLICY, 80, "ah_life_kbytes == %s", 1660 ah_life_kbytes)); 1661 LOG_DBG((LOG_POLICY, 80, "esp_life_seconds == %s", 1662 esp_life_seconds)); 1663 LOG_DBG((LOG_POLICY, 80, "esp_life_kbytes == %s", 1664 esp_life_kbytes)); 1665 LOG_DBG((LOG_POLICY, 80, "comp_life_seconds == %s", 1666 comp_life_seconds)); 1667 LOG_DBG((LOG_POLICY, 80, "comp_life_kbytes == %s", 1668 comp_life_kbytes)); 1669 LOG_DBG((LOG_POLICY, 80, "ah_encapsulation == %s", 1670 ah_encapsulation)); 1671 LOG_DBG((LOG_POLICY, 80, "esp_encapsulation == %s", 1672 esp_encapsulation)); 1673 LOG_DBG((LOG_POLICY, 80, "comp_encapsulation == %s", 1674 comp_encapsulation)); 1675 LOG_DBG((LOG_POLICY, 80, "comp_dict_size == %s", 1676 comp_dict_size)); 1677 LOG_DBG((LOG_POLICY, 80, "comp_private_alg == %s", 1678 comp_private_alg)); 1679 LOG_DBG((LOG_POLICY, 80, "ah_key_length == %s", 1680 ah_key_length)); 1681 LOG_DBG((LOG_POLICY, 80, "ah_key_rounds == %s", 1682 ah_key_rounds)); 1683 LOG_DBG((LOG_POLICY, 80, "esp_key_length == %s", 1684 esp_key_length)); 1685 LOG_DBG((LOG_POLICY, 80, "esp_key_rounds == %s", 1686 esp_key_rounds)); 1687 LOG_DBG((LOG_POLICY, 80, "ah_group_desc == %s", 1688 ah_group_desc)); 1689 LOG_DBG((LOG_POLICY, 80, "esp_group_desc == %s", 1690 esp_group_desc)); 1691 LOG_DBG((LOG_POLICY, 80, "comp_group_desc == %s", 1692 comp_group_desc)); 1693 LOG_DBG((LOG_POLICY, 80, "ah_ecn == %s", ah_ecn)); 1694 LOG_DBG((LOG_POLICY, 80, "esp_ecn == %s", esp_ecn)); 1695 LOG_DBG((LOG_POLICY, 80, "comp_ecn == %s", comp_ecn)); 1696 LOG_DBG((LOG_POLICY, 80, "remote_filter_type == %s", 1697 remote_filter_type)); 1698 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_upper == %s", 1699 remote_filter_addr_upper)); 1700 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_lower == %s", 1701 remote_filter_addr_lower)); 1702 LOG_DBG((LOG_POLICY, 80, "remote_filter == %s", 1703 (remote_filter ? remote_filter : ""))); 1704 LOG_DBG((LOG_POLICY, 80, "remote_filter_port == %s", 1705 remote_filter_port)); 1706 LOG_DBG((LOG_POLICY, 80, "remote_filter_proto == %s", 1707 remote_filter_proto)); 1708 LOG_DBG((LOG_POLICY, 80, "local_filter_type == %s", 1709 local_filter_type)); 1710 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_upper == %s", 1711 local_filter_addr_upper)); 1712 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_lower == %s", 1713 local_filter_addr_lower)); 1714 LOG_DBG((LOG_POLICY, 80, "local_filter == %s", 1715 (local_filter ? local_filter : ""))); 1716 LOG_DBG((LOG_POLICY, 80, "local_filter_port == %s", 1717 local_filter_port)); 1718 LOG_DBG((LOG_POLICY, 80, "local_filter_proto == %s", 1719 local_filter_proto)); 1720 LOG_DBG((LOG_POLICY, 80, "remote_id_type == %s", 1721 remote_id_type)); 1722 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_upper == %s", 1723 remote_id_addr_upper)); 1724 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_lower == %s", 1725 remote_id_addr_lower)); 1726 LOG_DBG((LOG_POLICY, 80, "remote_id == %s", 1727 (remote_id ? remote_id : ""))); 1728 LOG_DBG((LOG_POLICY, 80, "remote_id_port == %s", 1729 remote_id_port)); 1730 LOG_DBG((LOG_POLICY, 80, "remote_id_proto == %s", 1731 remote_id_proto)); 1732 LOG_DBG((LOG_POLICY, 80, "remote_negotiation_address == %s", 1733 remote_ike_address)); 1734 LOG_DBG((LOG_POLICY, 80, "local_negotiation_address == %s", 1735 local_ike_address)); 1736 LOG_DBG((LOG_POLICY, 80, "pfs == %s", pfs)); 1737 LOG_DBG((LOG_POLICY, 80, "initiator == %s", initiator)); 1738 LOG_DBG((LOG_POLICY, 80, "phase1_group_desc == %s", 1739 phase1_group)); 1740 1741 /* Unset dirty now. */ 1742 dirty = 0; 1743 } 1744 if (strcmp(name, "phase_1") == 0) 1745 return phase_1; 1746 1747 if (strcmp(name, "GMTTimeOfDay") == 0) { 1748 tt = time((time_t)NULL); 1749 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", gmtime(&tt)); 1750 return mytimeofday; 1751 } 1752 if (strcmp(name, "LocalTimeOfDay") == 0) { 1753 tt = time((time_t)NULL); 1754 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", localtime(&tt)); 1755 return mytimeofday; 1756 } 1757 if (strcmp(name, "initiator") == 0) 1758 return initiator; 1759 1760 if (strcmp(name, "pfs") == 0) 1761 return pfs; 1762 1763 if (strcmp(name, "app_domain") == 0) 1764 return "IPsec policy"; 1765 1766 if (strcmp(name, "doi") == 0) 1767 return "ipsec"; 1768 1769 if (strcmp(name, "esp_present") == 0) 1770 return esp_present; 1771 1772 if (strcmp(name, "ah_present") == 0) 1773 return ah_present; 1774 1775 if (strcmp(name, "comp_present") == 0) 1776 return comp_present; 1777 1778 if (strcmp(name, "ah_hash_alg") == 0) 1779 return ah_hash_alg; 1780 1781 if (strcmp(name, "ah_auth_alg") == 0) 1782 return ah_auth_alg; 1783 1784 if (strcmp(name, "esp_auth_alg") == 0) 1785 return esp_auth_alg; 1786 1787 if (strcmp(name, "esp_enc_alg") == 0) 1788 return esp_enc_alg; 1789 1790 if (strcmp(name, "comp_alg") == 0) 1791 return comp_alg; 1792 1793 if (strcmp(name, "ah_life_kbytes") == 0) 1794 return ah_life_kbytes; 1795 1796 if (strcmp(name, "ah_life_seconds") == 0) 1797 return ah_life_seconds; 1798 1799 if (strcmp(name, "esp_life_kbytes") == 0) 1800 return esp_life_kbytes; 1801 1802 if (strcmp(name, "esp_life_seconds") == 0) 1803 return esp_life_seconds; 1804 1805 if (strcmp(name, "comp_life_kbytes") == 0) 1806 return comp_life_kbytes; 1807 1808 if (strcmp(name, "comp_life_seconds") == 0) 1809 return comp_life_seconds; 1810 1811 if (strcmp(name, "ah_encapsulation") == 0) 1812 return ah_encapsulation; 1813 1814 if (strcmp(name, "esp_encapsulation") == 0) 1815 return esp_encapsulation; 1816 1817 if (strcmp(name, "comp_encapsulation") == 0) 1818 return comp_encapsulation; 1819 1820 if (strcmp(name, "ah_key_length") == 0) 1821 return ah_key_length; 1822 1823 if (strcmp(name, "ah_key_rounds") == 0) 1824 return ah_key_rounds; 1825 1826 if (strcmp(name, "esp_key_length") == 0) 1827 return esp_key_length; 1828 1829 if (strcmp(name, "esp_key_rounds") == 0) 1830 return esp_key_rounds; 1831 1832 if (strcmp(name, "comp_dict_size") == 0) 1833 return comp_dict_size; 1834 1835 if (strcmp(name, "comp_private_alg") == 0) 1836 return comp_private_alg; 1837 1838 if (strcmp(name, "remote_filter_type") == 0) 1839 return remote_filter_type; 1840 1841 if (strcmp(name, "remote_filter") == 0) 1842 return (remote_filter ? remote_filter : ""); 1843 1844 if (strcmp(name, "remote_filter_addr_upper") == 0) 1845 return remote_filter_addr_upper; 1846 1847 if (strcmp(name, "remote_filter_addr_lower") == 0) 1848 return remote_filter_addr_lower; 1849 1850 if (strcmp(name, "remote_filter_port") == 0) 1851 return remote_filter_port; 1852 1853 if (strcmp(name, "remote_filter_proto") == 0) 1854 return remote_filter_proto; 1855 1856 if (strcmp(name, "local_filter_type") == 0) 1857 return local_filter_type; 1858 1859 if (strcmp(name, "local_filter") == 0) 1860 return (local_filter ? local_filter : ""); 1861 1862 if (strcmp(name, "local_filter_addr_upper") == 0) 1863 return local_filter_addr_upper; 1864 1865 if (strcmp(name, "local_filter_addr_lower") == 0) 1866 return local_filter_addr_lower; 1867 1868 if (strcmp(name, "local_filter_port") == 0) 1869 return local_filter_port; 1870 1871 if (strcmp(name, "local_filter_proto") == 0) 1872 return local_filter_proto; 1873 1874 if (strcmp(name, "remote_ike_address") == 0) 1875 return remote_ike_address; 1876 1877 if (strcmp(name, "remote_negotiation_address") == 0) 1878 return remote_ike_address; 1879 1880 if (strcmp(name, "local_ike_address") == 0) 1881 return local_ike_address; 1882 1883 if (strcmp(name, "local_negotiation_address") == 0) 1884 return local_ike_address; 1885 1886 if (strcmp(name, "remote_id_type") == 0) 1887 return remote_id_type; 1888 1889 if (strcmp(name, "remote_id") == 0) 1890 return (remote_id ? remote_id : ""); 1891 1892 if (strcmp(name, "remote_id_addr_upper") == 0) 1893 return remote_id_addr_upper; 1894 1895 if (strcmp(name, "remote_id_addr_lower") == 0) 1896 return remote_id_addr_lower; 1897 1898 if (strcmp(name, "remote_id_port") == 0) 1899 return remote_id_port; 1900 1901 if (strcmp(name, "remote_id_proto") == 0) 1902 return remote_id_proto; 1903 1904 if (strcmp(name, "phase1_group_desc") == 0) 1905 return phase1_group; 1906 1907 if (strcmp(name, "esp_group_desc") == 0) 1908 return esp_group_desc; 1909 1910 if (strcmp(name, "ah_group_desc") == 0) 1911 return ah_group_desc; 1912 1913 if (strcmp(name, "comp_group_desc") == 0) 1914 return comp_group_desc; 1915 1916 if (strcmp(name, "comp_ecn") == 0) 1917 return comp_ecn; 1918 1919 if (strcmp(name, "ah_ecn") == 0) 1920 return ah_ecn; 1921 1922 if (strcmp(name, "esp_ecn") == 0) 1923 return esp_ecn; 1924 1925 return ""; 1926 1927bad: 1928 policy_callback(KEYNOTE_CALLBACK_INITIALIZE); 1929 return ""; 1930} 1931 1932void 1933policy_init(void) 1934{ 1935 char *ptr, *policy_file; 1936 char **asserts; 1937 size_t sz, len; 1938 int fd, i; 1939 1940 LOG_DBG((LOG_POLICY, 30, "policy_init: initializing")); 1941 1942 /* Do we want to use the policy modules? */ 1943 if (ignore_policy || 1944 strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) 1945 return; 1946 1947 /* Get policy file from configuration. */ 1948 policy_file = conf_get_str("General", "Policy-file"); 1949 if (!policy_file) 1950 policy_file = CONF_DFLT_POLICY_FILE; 1951 1952 /* Open policy file. */ 1953 fd = monitor_open(policy_file, O_RDONLY, 0); 1954 if (fd == -1) 1955 log_fatal("policy_init: open (\"%s\", O_RDONLY) failed", 1956 policy_file); 1957 1958 /* Check file modes and collect file size */ 1959 if (check_file_secrecy_fd(fd, policy_file, &sz)) { 1960 close(fd); 1961 log_fatal("policy_init: cannot read %s", policy_file); 1962 } 1963 1964 /* Allocate memory to keep policies. */ 1965 ptr = calloc(sz + 1, sizeof(char)); 1966 if (!ptr) 1967 log_fatal("policy_init: calloc (%lu, %lu) failed", 1968 (unsigned long)sz + 1, (unsigned long)sizeof(char)); 1969 1970 /* Just in case there are short reads... */ 1971 for (len = 0; len < sz; len += i) { 1972 i = read(fd, ptr + len, sz - len); 1973 if (i == -1) 1974 log_fatal("policy_init: read (%d, %p, %lu) failed", fd, 1975 ptr + len, (unsigned long)(sz - len)); 1976 } 1977 1978 /* We're done with this. */ 1979 close(fd); 1980 1981 /* Parse buffer, break up into individual policies. */ 1982 asserts = kn_read_asserts(ptr, sz, &i); 1983 1984 /* Begone! */ 1985 free(ptr); 1986 1987 if (asserts == (char **)NULL) 1988 log_print("policy_init: all policies flushed"); 1989 1990 /* Cleanup */ 1991 if (policy_asserts) { 1992 for (fd = 0; fd < policy_asserts_num; fd++) 1993 if (policy_asserts && policy_asserts[fd]) 1994 free(policy_asserts[fd]); 1995 1996 free(policy_asserts); 1997 } 1998 policy_asserts = asserts; 1999 policy_asserts_num = i; 2000} 2001 2002/* Nothing needed for initialization */ 2003int 2004keynote_cert_init(void) 2005{ 2006 return 1; 2007} 2008 2009/* Just copy and return. */ 2010void * 2011keynote_cert_get(u_int8_t *data, u_int32_t len) 2012{ 2013 char *foo = malloc(len + 1); 2014 2015 if (foo == NULL) 2016 return NULL; 2017 2018 memcpy(foo, data, len); 2019 foo[len] = '\0'; 2020 return foo; 2021} 2022 2023/* 2024 * We just verify the signature on the credentials. 2025 * On signature failure, just drop the whole payload. 2026 */ 2027int 2028keynote_cert_validate(void *scert) 2029{ 2030 char **foo; 2031 int num, i; 2032 2033 if (scert == NULL) 2034 return 0; 2035 2036 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2037 if (foo == NULL) 2038 return 0; 2039 2040 for (i = 0; i < num; i++) { 2041 if (kn_verify_assertion(scert, strlen((char *)scert)) 2042 != SIGRESULT_TRUE) { 2043 for (; i < num; i++) 2044 free(foo[i]); 2045 free(foo); 2046 return 0; 2047 } 2048 free(foo[i]); 2049 } 2050 2051 free(foo); 2052 return 1; 2053} 2054 2055/* Add received credentials. */ 2056int 2057keynote_cert_insert(int sid, void *scert) 2058{ 2059 char **foo; 2060 int num; 2061 2062 if (scert == NULL) 2063 return 0; 2064 2065 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2066 if (foo == NULL) 2067 return 0; 2068 2069 while (num--) 2070 kn_add_assertion(sid, foo[num], strlen(foo[num]), 0); 2071 2072 return 1; 2073} 2074 2075/* Just regular memory free. */ 2076void 2077keynote_cert_free(void *cert) 2078{ 2079 free(cert); 2080} 2081 2082/* Verify that the key given to us is valid. */ 2083int 2084keynote_certreq_validate(u_int8_t *data, u_int32_t len) 2085{ 2086 struct keynote_deckey dc; 2087 int err = 1; 2088 char *dat; 2089 2090 dat = calloc(len + 1, sizeof(char)); 2091 if (!dat) { 2092 log_error("keynote_certreq_validate: calloc (%d, %lu) failed", 2093 len + 1, (unsigned long)sizeof(char)); 2094 return 0; 2095 } 2096 memcpy(dat, data, len); 2097 2098 if (kn_decode_key(&dc, dat, KEYNOTE_PUBLIC_KEY) != 0) 2099 err = 0; 2100 else 2101 kn_free_key(&dc); 2102 2103 free(dat); 2104 2105 return err; 2106} 2107 2108/* Beats me what we should be doing with this. */ 2109void * 2110keynote_certreq_decode(u_int8_t *data, u_int32_t len) 2111{ 2112 /* XXX */ 2113 return NULL; 2114} 2115 2116void 2117keynote_free_aca(void *blob) 2118{ 2119 /* XXX */ 2120} 2121 2122int 2123keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, 2124 u_int32_t *certlen) 2125{ 2126 char *dirname, *file, *addr_str; 2127 struct stat sb; 2128 size_t size; 2129 int idtype, fd, len; 2130 2131 if (!id) { 2132 log_print("keynote_cert_obtain: ID is missing"); 2133 return 0; 2134 } 2135 /* Get type of ID. */ 2136 idtype = id[0]; 2137 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2138 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2139 2140 dirname = conf_get_str("KeyNote", "Credential-directory"); 2141 if (!dirname) { 2142 LOG_DBG((LOG_POLICY, 30, 2143 "keynote_cert_obtain: no Credential-directory")); 2144 return 0; 2145 } 2146 len = strlen(dirname) + strlen(CREDENTIAL_FILE) + 3; 2147 2148 switch (idtype) { 2149 case IPSEC_ID_IPV4_ADDR: 2150 case IPSEC_ID_IPV6_ADDR: 2151 util_ntoa(&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? 2152 AF_INET : AF_INET6, id); 2153 if (addr_str == 0) 2154 return 0; 2155 2156 file = calloc(len + strlen(addr_str), sizeof(char)); 2157 if (file == NULL) { 2158 log_error("keynote_cert_obtain: failed to allocate " 2159 "%lu bytes", (unsigned long)len + 2160 strlen(addr_str)); 2161 free(addr_str); 2162 return 0; 2163 } 2164 snprintf(file, len + strlen(addr_str), "%s/%s/%s", dirname, 2165 addr_str, CREDENTIAL_FILE); 2166 free(addr_str); 2167 break; 2168 2169 case IPSEC_ID_FQDN: 2170 case IPSEC_ID_USER_FQDN: { 2171 file = calloc(len + id_len, sizeof(char)); 2172 if (file == NULL) { 2173 log_error("keynote_cert_obtain: " 2174 "failed to allocate %lu bytes", 2175 (unsigned long)len + id_len); 2176 return 0; 2177 } 2178 snprintf(file, len + id_len, "%s/", dirname); 2179 memcpy(file + strlen(dirname) + 1, id, id_len); 2180 snprintf(file + strlen(dirname) + 1 + id_len, 2181 len - strlen(dirname) - 1, "/%s", CREDENTIAL_FILE); 2182 break; 2183 } 2184 2185 default: 2186 return 0; 2187 } 2188 2189 fd = monitor_open(file, O_RDONLY, 0); 2190 if (fd < 0) { 2191 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2192 "failed to open \"%s\"", file)); 2193 free(file); 2194 return 0; 2195 } 2196 2197 if (fstat(fd, &sb) < 0) { 2198 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2199 "failed to stat \"%s\"", file)); 2200 free(file); 2201 close(fd); 2202 return 0; 2203 } 2204 size = (size_t)sb.st_size; 2205 2206 *cert = calloc(size + 1, sizeof(char)); 2207 if (*cert == NULL) { 2208 log_error("keynote_cert_obtain: failed to allocate %lu bytes", 2209 (unsigned long)size); 2210 free(file); 2211 return 0; 2212 } 2213 2214 if (read(fd, *cert, size) != (int)size) { 2215 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2216 "failed to read %lu bytes from \"%s\"", 2217 (unsigned long)size, file)); 2218 free(file); 2219 close(fd); 2220 return 0; 2221 } 2222 close(fd); 2223 free(file); 2224 *certlen = size; 2225 return 1; 2226} 2227 2228/* This should never be called. */ 2229int 2230keynote_cert_get_subjects(void *scert, int *n, u_int8_t ***id, 2231 u_int32_t **id_len) 2232{ 2233 return 0; 2234} 2235 2236/* Get the authorizer key. */ 2237int 2238keynote_cert_get_key(void *scert, void *keyp) 2239{ 2240 struct keynote_keylist *kl; 2241 int sid, kid, num; 2242 char **foo; 2243 2244 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2245 if (foo == NULL || num == 0) { 2246 log_print("keynote_cert_get_key: " 2247 "failed to decompose credentials"); 2248 return 0; 2249 } 2250 kid = kn_init(); 2251 if (kid == -1) { 2252 log_print("keynote_cert_get_key: " 2253 "failed to initialize new policy session"); 2254 while (num--) 2255 free(foo[num]); 2256 free(foo); 2257 return 0; 2258 } 2259 sid = kn_add_assertion(kid, foo[num - 1], strlen(foo[num - 1]), 0); 2260 while (num--) 2261 free(foo[num]); 2262 free(foo); 2263 2264 if (sid == -1) { 2265 log_print("keynote_cert_get_key: failed to add assertion"); 2266 kn_close(kid); 2267 return 0; 2268 } 2269 *(RSA **)keyp = NULL; 2270 2271 kl = kn_get_licensees(kid, sid); 2272 while (kl) { 2273 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA || 2274 kl->key_alg == KEYNOTE_ALGORITHM_X509) { 2275 *(RSA **)keyp = RSAPublicKey_dup(kl->key_key); 2276 break; 2277 } 2278 kl = kl->key_next; 2279 } 2280 2281 kn_remove_assertion(kid, sid); 2282 kn_close(kid); 2283 return *(RSA **)keyp == NULL ? 0 : 1; 2284} 2285 2286void * 2287keynote_cert_dup(void *cert) 2288{ 2289 return strdup((char *)cert); 2290} 2291 2292void 2293keynote_serialize(void *cert, u_int8_t **data, u_int32_t *datalen) 2294{ 2295 *datalen = strlen((char *)cert) + 1; 2296 *data = (u_int8_t *)strdup(cert); /* i.e an extra character at 2297 * the end... */ 2298 if (*data == NULL) 2299 log_error("keynote_serialize: malloc (%d) failed", *datalen); 2300} 2301 2302/* From cert to printable */ 2303char * 2304keynote_printable(void *cert) 2305{ 2306 return strdup((char *)cert); 2307} 2308 2309/* From printable to cert */ 2310void * 2311keynote_from_printable(char *cert) 2312{ 2313 return strdup(cert); 2314} 2315