policy.c revision 1.85
1/* $OpenBSD: policy.c,v 1.85 2005/04/08 22:32:10 cloder Exp $ */ 2/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ 3 4/* 5 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. 6 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 7 * Copyright (c) 2001 H�kan Olsson. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30/* 31 * This code was written under funding by Ericsson Radio Systems. 32 */ 33 34#include <sys/types.h> 35#include <sys/param.h> 36#include <sys/mman.h> 37#include <sys/queue.h> 38#include <sys/stat.h> 39#include <regex.h> 40#include <ctype.h> 41#include <fcntl.h> 42#include <stdio.h> 43#include <stdlib.h> 44#include <string.h> 45#include <unistd.h> 46#include <keynote.h> 47#include <sys/socket.h> 48#include <netinet/in.h> 49#include <arpa/inet.h> 50#include <errno.h> 51#include <openssl/ssl.h> 52#include <netdb.h> 53 54#include "conf.h" 55#include "exchange.h" 56#include "ipsec.h" 57#include "isakmp_doi.h" 58#include "sa.h" 59#include "transport.h" 60#include "log.h" 61#include "message.h" 62#include "monitor.h" 63#include "util.h" 64#include "policy.h" 65#include "x509.h" 66 67char **policy_asserts = NULL; 68int ignore_policy = 0; 69int policy_asserts_num = 0; 70struct exchange *policy_exchange = 0; 71struct sa *policy_sa = 0; 72struct sa *policy_isakmp_sa = 0; 73 74static const char hextab[] = { 75 '0', '1', '2', '3', '4', '5', '6', '7', 76 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 77}; 78 79/* 80 * Adaptation of Vixie's inet_ntop4 () 81 */ 82static const char * 83my_inet_ntop4(const in_addr_t *src, char *dst, size_t size, int normalize) 84{ 85 static const char fmt[] = "%03u.%03u.%03u.%03u"; 86 char tmp[sizeof "255.255.255.255"]; 87 in_addr_t src2; 88 int len; 89 90 if (normalize) 91 src2 = ntohl(*src); 92 else 93 src2 = *src; 94 95 len = snprintf(tmp, sizeof tmp, fmt, ((u_int8_t *)&src2)[0], 96 ((u_int8_t *)&src2)[1], ((u_int8_t *)&src2)[2], 97 ((u_int8_t *)&src2)[3]); 98 if (len == -1 || len > (int)size) { 99 errno = ENOSPC; 100 return 0; 101 } 102 strlcpy(dst, tmp, size); 103 return dst; 104} 105 106static const char * 107my_inet_ntop6(const unsigned char *src, char *dst, size_t size) 108{ 109 static const char fmt[] = 110 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x"; 111 char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"]; 112 int len; 113 114 len = snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3], 115 src[4], src[5], src[6], src[7], src[8], src[9], src[10], src[11], 116 src[12], src[13], src[14], src[15]); 117 if (len == -1 || len > (int)size) { 118 errno = ENOSPC; 119 return 0; 120 } 121 strlcpy(dst, tmp, size); 122 return dst; 123} 124 125char * 126policy_callback(char *name) 127{ 128 struct proto *proto; 129 130 u_int8_t *attr, *value, *id, *idlocal, *idremote; 131 size_t id_sz, idlocalsz, idremotesz; 132 struct sockaddr *sin; 133 struct ipsec_exch *ie; 134 struct ipsec_sa *is; 135 size_t i; 136 int fmt, lifetype = 0; 137 in_addr_t net, subnet; 138 u_int16_t len, type; 139 time_t tt; 140 char *addr; 141 static char mytimeofday[15]; 142 143 /* We use all these as a cache. */ 144#define PMAX 32 145 static char *esp_present, *ah_present, *comp_present; 146 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; 147 static char *comp_alg, ah_life_kbytes[PMAX], ah_life_seconds[PMAX]; 148 static char esp_life_kbytes[PMAX], esp_life_seconds[PMAX]; 149 static char comp_life_kbytes[PMAX]; 150 static char *ah_ecn, *esp_ecn, *comp_ecn; 151 static char comp_life_seconds[PMAX], *ah_encapsulation; 152 static char *esp_encapsulation, *comp_encapsulation; 153 static char ah_key_length[PMAX], esp_key_length[PMAX]; 154 static char ah_key_rounds[PMAX], esp_key_rounds[PMAX]; 155 static char comp_dict_size[PMAX], comp_private_alg[PMAX]; 156 static char *remote_filter_type, *local_filter_type; 157 static char remote_filter_addr_upper[NI_MAXHOST]; 158 static char remote_filter_addr_lower[NI_MAXHOST]; 159 static char local_filter_addr_upper[NI_MAXHOST]; 160 static char local_filter_addr_lower[NI_MAXHOST]; 161 static char ah_group_desc[PMAX], esp_group_desc[PMAX]; 162 static char comp_group_desc[PMAX], remote_ike_address[NI_MAXHOST]; 163 static char local_ike_address[NI_MAXHOST]; 164 static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST]; 165 static char *phase_1, remote_id_addr_lower[NI_MAXHOST]; 166 static char *remote_id_proto, remote_id_port[PMAX]; 167 static char remote_filter_port[PMAX], local_filter_port[PMAX]; 168 static char *remote_filter_proto, *local_filter_proto, *pfs; 169 static char *initiator, remote_filter_proto_num[3]; 170 static char local_filter_proto_num[3], remote_id_proto_num[3]; 171 static char phase1_group[PMAX]; 172 173 /* Allocated. */ 174 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; 175 176 static int dirty = 1; 177 178 /* We only need to set dirty at initialization time really. */ 179 if (strcmp(name, KEYNOTE_CALLBACK_CLEANUP) == 0 || 180 strcmp(name, KEYNOTE_CALLBACK_INITIALIZE) == 0) { 181 esp_present = ah_present = comp_present = pfs = "no"; 182 ah_hash_alg = ah_auth_alg = phase_1 = ""; 183 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; 184 ah_ecn = esp_ecn = comp_ecn = "no"; 185 esp_encapsulation = comp_encapsulation = ""; 186 remote_filter_type = ""; 187 local_filter_type = remote_id_type = initiator = ""; 188 remote_filter_proto = local_filter_proto = ""; 189 remote_id_proto = ""; 190 191 if (remote_filter != 0) { 192 free(remote_filter); 193 remote_filter = 0; 194 } 195 if (local_filter != 0) { 196 free(local_filter); 197 local_filter = 0; 198 } 199 if (remote_id != 0) { 200 free(remote_id); 201 remote_id = 0; 202 } 203 bzero(remote_ike_address, sizeof remote_ike_address); 204 bzero(local_ike_address, sizeof local_ike_address); 205 bzero(ah_life_kbytes, sizeof ah_life_kbytes); 206 bzero(ah_life_seconds, sizeof ah_life_seconds); 207 bzero(esp_life_kbytes, sizeof esp_life_kbytes); 208 bzero(esp_life_seconds, sizeof esp_life_seconds); 209 bzero(comp_life_kbytes, sizeof comp_life_kbytes); 210 bzero(comp_life_seconds, sizeof comp_life_seconds); 211 bzero(ah_key_length, sizeof ah_key_length); 212 bzero(ah_key_rounds, sizeof ah_key_rounds); 213 bzero(esp_key_length, sizeof esp_key_length); 214 bzero(esp_key_rounds, sizeof esp_key_rounds); 215 bzero(comp_dict_size, sizeof comp_dict_size); 216 bzero(comp_private_alg, sizeof comp_private_alg); 217 bzero(remote_filter_addr_upper, 218 sizeof remote_filter_addr_upper); 219 bzero(remote_filter_addr_lower, 220 sizeof remote_filter_addr_lower); 221 bzero(local_filter_addr_upper, 222 sizeof local_filter_addr_upper); 223 bzero(local_filter_addr_lower, 224 sizeof local_filter_addr_lower); 225 bzero(remote_id_addr_upper, sizeof remote_id_addr_upper); 226 bzero(remote_id_addr_lower, sizeof remote_id_addr_lower); 227 bzero(ah_group_desc, sizeof ah_group_desc); 228 bzero(esp_group_desc, sizeof esp_group_desc); 229 bzero(remote_id_port, sizeof remote_id_port); 230 bzero(remote_filter_port, sizeof remote_filter_port); 231 bzero(local_filter_port, sizeof local_filter_port); 232 bzero(phase1_group, sizeof phase1_group); 233 234 dirty = 1; 235 return ""; 236 } 237 /* 238 * If dirty is set, this is the first request for an attribute, so 239 * populate our value cache. 240 */ 241 if (dirty) { 242 ie = policy_exchange->data; 243 244 if (ie->pfs) 245 pfs = "yes"; 246 247 is = policy_isakmp_sa->data; 248 snprintf(phase1_group, sizeof phase1_group, "%u", 249 is->group_desc); 250 251 for (proto = TAILQ_FIRST(&policy_sa->protos); proto; 252 proto = TAILQ_NEXT(proto, link)) { 253 switch (proto->proto) { 254 case IPSEC_PROTO_IPSEC_AH: 255 ah_present = "yes"; 256 switch (proto->id) { 257 case IPSEC_AH_MD5: 258 ah_hash_alg = "md5"; 259 break; 260 261 case IPSEC_AH_SHA: 262 ah_hash_alg = "sha"; 263 break; 264 265 case IPSEC_AH_RIPEMD: 266 ah_hash_alg = "ripemd"; 267 break; 268 269 case IPSEC_AH_SHA2_256: 270 ah_auth_alg = "sha2-256"; 271 break; 272 273 case IPSEC_AH_SHA2_384: 274 ah_auth_alg = "sha2-384"; 275 break; 276 277 case IPSEC_AH_SHA2_512: 278 ah_auth_alg = "sha2-512"; 279 break; 280 281 case IPSEC_AH_DES: 282 ah_hash_alg = "des"; 283 break; 284 } 285 286 break; 287 288 case IPSEC_PROTO_IPSEC_ESP: 289 esp_present = "yes"; 290 switch (proto->id) { 291 case IPSEC_ESP_DES_IV64: 292 esp_enc_alg = "des-iv64"; 293 break; 294 295 case IPSEC_ESP_DES: 296 esp_enc_alg = "des"; 297 break; 298 299 case IPSEC_ESP_3DES: 300 esp_enc_alg = "3des"; 301 break; 302 303 case IPSEC_ESP_AES: 304 case IPSEC_ESP_AES_128_CTR: 305 esp_enc_alg = "aes"; 306 break; 307 308 case IPSEC_ESP_RC5: 309 esp_enc_alg = "rc5"; 310 break; 311 312 case IPSEC_ESP_IDEA: 313 esp_enc_alg = "idea"; 314 break; 315 316 case IPSEC_ESP_CAST: 317 esp_enc_alg = "cast"; 318 break; 319 320 case IPSEC_ESP_BLOWFISH: 321 esp_enc_alg = "blowfish"; 322 break; 323 324 case IPSEC_ESP_3IDEA: 325 esp_enc_alg = "3idea"; 326 break; 327 328 case IPSEC_ESP_DES_IV32: 329 esp_enc_alg = "des-iv32"; 330 break; 331 332 case IPSEC_ESP_RC4: 333 esp_enc_alg = "rc4"; 334 break; 335 336 case IPSEC_ESP_NULL: 337 esp_enc_alg = "null"; 338 break; 339 } 340 341 break; 342 343 case IPSEC_PROTO_IPCOMP: 344 comp_present = "yes"; 345 switch (proto->id) { 346 case IPSEC_IPCOMP_OUI: 347 comp_alg = "oui"; 348 break; 349 350 case IPSEC_IPCOMP_DEFLATE: 351 comp_alg = "deflate"; 352 break; 353 354 case IPSEC_IPCOMP_LZS: 355 comp_alg = "lzs"; 356 break; 357 358 case IPSEC_IPCOMP_V42BIS: 359 comp_alg = "v42bis"; 360 break; 361 } 362 363 break; 364 } 365 366 for (attr = proto->chosen->p + 367 ISAKMP_TRANSFORM_SA_ATTRS_OFF; 368 attr < proto->chosen->p + 369 GET_ISAKMP_GEN_LENGTH(proto->chosen->p); 370 attr = value + len) { 371 if (attr + ISAKMP_ATTR_VALUE_OFF > 372 (proto->chosen->p + 373 GET_ISAKMP_GEN_LENGTH(proto->chosen->p))) 374 return ""; 375 376 type = GET_ISAKMP_ATTR_TYPE(attr); 377 fmt = ISAKMP_ATTR_FORMAT(type); 378 type = ISAKMP_ATTR_TYPE(type); 379 value = attr + (fmt ? 380 ISAKMP_ATTR_LENGTH_VALUE_OFF : 381 ISAKMP_ATTR_VALUE_OFF); 382 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : 383 GET_ISAKMP_ATTR_LENGTH_VALUE(attr)); 384 385 if (value + len > proto->chosen->p + 386 GET_ISAKMP_GEN_LENGTH(proto->chosen->p)) 387 return ""; 388 389 switch (type) { 390 case IPSEC_ATTR_SA_LIFE_TYPE: 391 lifetype = decode_16(value); 392 break; 393 394 case IPSEC_ATTR_SA_LIFE_DURATION: 395 switch (proto->proto) { 396 case IPSEC_PROTO_IPSEC_AH: 397 if (lifetype == IPSEC_DURATION_SECONDS) { 398 if (len == 2) 399 snprintf(ah_life_seconds, sizeof ah_life_seconds, 400 "%u", decode_16(value)); 401 else 402 snprintf(ah_life_seconds, sizeof ah_life_seconds, 403 "%u", decode_32(value)); 404 } else { 405 if (len == 2) 406 snprintf(ah_life_kbytes, sizeof ah_life_kbytes, 407 "%u", decode_16(value)); 408 else 409 snprintf(ah_life_kbytes, sizeof ah_life_kbytes, 410 "%u", decode_32(value)); 411 } 412 413 break; 414 415 case IPSEC_PROTO_IPSEC_ESP: 416 if (lifetype == IPSEC_DURATION_SECONDS) { 417 if (len == 2) 418 snprintf(esp_life_seconds, 419 sizeof esp_life_seconds, "%u", 420 decode_16(value)); 421 else 422 snprintf(esp_life_seconds, 423 sizeof esp_life_seconds, "%u", 424 decode_32(value)); 425 } else { 426 if (len == 2) 427 snprintf(esp_life_kbytes, 428 sizeof esp_life_kbytes, "%u", 429 decode_16(value)); 430 else 431 snprintf(esp_life_kbytes, 432 sizeof esp_life_kbytes, "%u", 433 decode_32(value)); 434 } 435 436 break; 437 438 case IPSEC_PROTO_IPCOMP: 439 if (lifetype == IPSEC_DURATION_SECONDS) { 440 if (len == 2) 441 snprintf(comp_life_seconds, 442 sizeof comp_life_seconds, "%u", 443 decode_16(value)); 444 else 445 snprintf(comp_life_seconds, 446 sizeof comp_life_seconds, "%u", 447 decode_32(value)); 448 } else { 449 if (len == 2) 450 snprintf(comp_life_kbytes, 451 sizeof comp_life_kbytes, "%u", 452 decode_16(value)); 453 else 454 snprintf(comp_life_kbytes, 455 sizeof comp_life_kbytes, "%u", 456 decode_32(value)); 457 } 458 break; 459 } 460 break; 461 462 case IPSEC_ATTR_GROUP_DESCRIPTION: 463 switch (proto->proto) { 464 case IPSEC_PROTO_IPSEC_AH: 465 snprintf(ah_group_desc, 466 sizeof ah_group_desc, "%u", 467 decode_16(value)); 468 break; 469 470 case IPSEC_PROTO_IPSEC_ESP: 471 snprintf(esp_group_desc, 472 sizeof esp_group_desc, "%u", 473 decode_16(value)); 474 break; 475 476 case IPSEC_PROTO_IPCOMP: 477 snprintf(comp_group_desc, 478 sizeof comp_group_desc, "%u", 479 decode_16(value)); 480 break; 481 } 482 break; 483 484 case IPSEC_ATTR_ECN_TUNNEL: 485 if (decode_16(value)) 486 switch (proto->proto) { 487 case IPSEC_PROTO_IPSEC_AH: 488 ah_ecn = "yes"; 489 break; 490 491 case IPSEC_PROTO_IPSEC_ESP: 492 esp_ecn = "yes"; 493 break; 494 495 case IPSEC_PROTO_IPCOMP: 496 comp_ecn = "yes"; 497 break; 498 } 499 500 case IPSEC_ATTR_ENCAPSULATION_MODE: 501 if (decode_16(value) == IPSEC_ENCAP_TUNNEL) 502 switch (proto->proto) { 503 case IPSEC_PROTO_IPSEC_AH: 504 ah_encapsulation = "tunnel"; 505 break; 506 507 case IPSEC_PROTO_IPSEC_ESP: 508 esp_encapsulation = "tunnel"; 509 break; 510 511 case IPSEC_PROTO_IPCOMP: 512 comp_encapsulation = "tunnel"; 513 break; 514 } 515 else if (decode_16(value) == 516 IPSEC_ENCAP_UDP_ENCAP_TUNNEL) 517 switch (proto->proto) { 518 case IPSEC_PROTO_IPSEC_AH: 519 ah_encapsulation = "udp-encap-tunnel"; 520 break; 521 522 case IPSEC_PROTO_IPSEC_ESP: 523 esp_encapsulation = "udp-encap-tunnel"; 524 break; 525 526 case IPSEC_PROTO_IPCOMP: 527 comp_encapsulation = "udp-encap-tunnel"; 528 break; 529 } 530 /* XXX IPSEC_ENCAP_UDP_ENCAP_TRANSPORT */ 531 else 532 switch (proto->proto) { 533 case IPSEC_PROTO_IPSEC_AH: 534 ah_encapsulation = "transport"; 535 break; 536 537 case IPSEC_PROTO_IPSEC_ESP: 538 esp_encapsulation = "transport"; 539 break; 540 541 case IPSEC_PROTO_IPCOMP: 542 comp_encapsulation = "transport"; 543 break; 544 } 545 break; 546 547 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: 548 switch (proto->proto) { 549 case IPSEC_PROTO_IPSEC_AH: 550 switch (decode_16(value)) { 551 case IPSEC_AUTH_HMAC_MD5: 552 ah_auth_alg = "hmac-md5"; 553 break; 554 555 case IPSEC_AUTH_HMAC_SHA: 556 ah_auth_alg = "hmac-sha"; 557 break; 558 559 case IPSEC_AUTH_HMAC_RIPEMD: 560 ah_auth_alg = "hmac-ripemd"; 561 break; 562 563 case IPSEC_AUTH_HMAC_SHA2_256: 564 ah_auth_alg = "hmac-sha2-256"; 565 break; 566 567 case IPSEC_AUTH_HMAC_SHA2_384: 568 ah_auth_alg = "hmac-sha2-384"; 569 break; 570 571 case IPSEC_AUTH_HMAC_SHA2_512: 572 ah_auth_alg = "hmac-sha2-512"; 573 break; 574 575 case IPSEC_AUTH_DES_MAC: 576 ah_auth_alg = "des-mac"; 577 break; 578 579 case IPSEC_AUTH_KPDK: 580 ah_auth_alg = "kpdk"; 581 break; 582 } 583 break; 584 585 case IPSEC_PROTO_IPSEC_ESP: 586 switch (decode_16(value)) { 587 case IPSEC_AUTH_HMAC_MD5: 588 esp_auth_alg = "hmac-md5"; 589 break; 590 591 case IPSEC_AUTH_HMAC_SHA: 592 esp_auth_alg = "hmac-sha"; 593 break; 594 595 case IPSEC_AUTH_HMAC_RIPEMD: 596 esp_auth_alg = "hmac-ripemd"; 597 break; 598 599 case IPSEC_AUTH_HMAC_SHA2_256: 600 esp_auth_alg = "hmac-sha2-256"; 601 break; 602 603 case IPSEC_AUTH_HMAC_SHA2_384: 604 esp_auth_alg = "hmac-sha2-384"; 605 break; 606 607 case IPSEC_AUTH_HMAC_SHA2_512: 608 esp_auth_alg = "hmac-sha2-512"; 609 break; 610 611 case IPSEC_AUTH_DES_MAC: 612 esp_auth_alg = "des-mac"; 613 break; 614 615 case IPSEC_AUTH_KPDK: 616 esp_auth_alg = "kpdk"; 617 break; 618 } 619 break; 620 } 621 break; 622 623 case IPSEC_ATTR_KEY_LENGTH: 624 switch (proto->proto) { 625 case IPSEC_PROTO_IPSEC_AH: 626 snprintf(ah_key_length, 627 sizeof ah_key_length, "%u", 628 decode_16(value)); 629 break; 630 631 case IPSEC_PROTO_IPSEC_ESP: 632 snprintf(esp_key_length, 633 sizeof esp_key_length, "%u", 634 decode_16(value)); 635 break; 636 } 637 break; 638 639 case IPSEC_ATTR_KEY_ROUNDS: 640 switch (proto->proto) { 641 case IPSEC_PROTO_IPSEC_AH: 642 snprintf(ah_key_rounds, 643 sizeof ah_key_rounds, "%u", 644 decode_16(value)); 645 break; 646 647 case IPSEC_PROTO_IPSEC_ESP: 648 snprintf(esp_key_rounds, 649 sizeof esp_key_rounds, "%u", 650 decode_16(value)); 651 break; 652 } 653 break; 654 655 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: 656 snprintf(comp_dict_size, 657 sizeof comp_dict_size, "%u", 658 decode_16(value)); 659 break; 660 661 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: 662 snprintf(comp_private_alg, 663 sizeof comp_private_alg, "%u", 664 decode_16(value)); 665 break; 666 } 667 } 668 } 669 670 policy_sa->transport->vtbl->get_src(policy_sa->transport, 671 &sin); 672 if (sockaddr2text(sin, &addr, 1)) { 673 log_error("policy_callback: sockaddr2text failed"); 674 goto bad; 675 } 676 strlcpy(local_ike_address, addr, sizeof local_ike_address); 677 free(addr); 678 679 policy_sa->transport->vtbl->get_dst(policy_sa->transport, 680 &sin); 681 if (sockaddr2text(sin, &addr, 1)) { 682 log_error("policy_callback: sockaddr2text failed"); 683 goto bad; 684 } 685 strlcpy(remote_ike_address, addr, sizeof remote_ike_address); 686 free(addr); 687 688 switch (policy_isakmp_sa->exch_type) { 689 case ISAKMP_EXCH_AGGRESSIVE: 690 phase_1 = "aggressive"; 691 break; 692 693 case ISAKMP_EXCH_ID_PROT: 694 phase_1 = "main"; 695 break; 696 } 697 698 if (policy_isakmp_sa->initiator) { 699 id = policy_isakmp_sa->id_r; 700 id_sz = policy_isakmp_sa->id_r_len; 701 } else { 702 id = policy_isakmp_sa->id_i; 703 id_sz = policy_isakmp_sa->id_i_len; 704 } 705 706 switch (id[0]) { 707 case IPSEC_ID_IPV4_ADDR: 708 remote_id_type = "IPv4 address"; 709 710 net = decode_32(id + ISAKMP_ID_DATA_OFF - 711 ISAKMP_GEN_SZ); 712 my_inet_ntop4(&net, remote_id_addr_upper, 713 sizeof remote_id_addr_upper - 1, 1); 714 my_inet_ntop4(&net, remote_id_addr_lower, 715 sizeof remote_id_addr_lower - 1, 1); 716 remote_id = strdup(remote_id_addr_upper); 717 if (!remote_id) { 718 log_error("policy_callback: " 719 "strdup (\"%s\") failed", 720 remote_id_addr_upper); 721 goto bad; 722 } 723 break; 724 725 case IPSEC_ID_IPV4_RANGE: 726 remote_id_type = "IPv4 range"; 727 728 net = decode_32(id + ISAKMP_ID_DATA_OFF - 729 ISAKMP_GEN_SZ); 730 my_inet_ntop4(&net, remote_id_addr_lower, 731 sizeof remote_id_addr_lower - 1, 1); 732 net = decode_32(id + ISAKMP_ID_DATA_OFF - 733 ISAKMP_GEN_SZ + 4); 734 my_inet_ntop4(&net, remote_id_addr_upper, 735 sizeof remote_id_addr_upper - 1, 1); 736 len = strlen(remote_id_addr_upper) + 737 strlen(remote_id_addr_lower) + 2; 738 remote_id = calloc(len, sizeof(char)); 739 if (!remote_id) { 740 log_error("policy_callback: " 741 "calloc (%d, %lu) failed", len, 742 (unsigned long)sizeof(char)); 743 goto bad; 744 } 745 strlcpy(remote_id, remote_id_addr_lower, len); 746 strlcat(remote_id, "-", len); 747 strlcat(remote_id, remote_id_addr_upper, len); 748 break; 749 750 case IPSEC_ID_IPV4_ADDR_SUBNET: 751 remote_id_type = "IPv4 subnet"; 752 753 net = decode_32(id + ISAKMP_ID_DATA_OFF - 754 ISAKMP_GEN_SZ); 755 subnet = decode_32(id + ISAKMP_ID_DATA_OFF - 756 ISAKMP_GEN_SZ + 4); 757 net &= subnet; 758 my_inet_ntop4(&net, remote_id_addr_lower, 759 sizeof remote_id_addr_lower - 1, 1); 760 net |= ~subnet; 761 my_inet_ntop4(&net, remote_id_addr_upper, 762 sizeof remote_id_addr_upper - 1, 1); 763 len = strlen(remote_id_addr_upper) + 764 strlen(remote_id_addr_lower) + 2; 765 remote_id = calloc(len, sizeof(char)); 766 if (!remote_id) { 767 log_error("policy_callback: " 768 "calloc (%d, %lu) failed", len, 769 (unsigned long)sizeof(char)); 770 goto bad; 771 } 772 strlcpy(remote_id, remote_id_addr_lower, len); 773 strlcat(remote_id, "-", len); 774 strlcat(remote_id, remote_id_addr_upper, len); 775 break; 776 777 case IPSEC_ID_IPV6_ADDR: 778 remote_id_type = "IPv6 address"; 779 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 780 remote_id_addr_upper, sizeof remote_id_addr_upper); 781 strlcpy(remote_id_addr_lower, remote_id_addr_upper, 782 sizeof remote_id_addr_lower); 783 remote_id = strdup(remote_id_addr_upper); 784 if (!remote_id) { 785 log_error("policy_callback: " 786 "strdup (\"%s\") failed", 787 remote_id_addr_upper); 788 goto bad; 789 } 790 break; 791 792 case IPSEC_ID_IPV6_RANGE: 793 remote_id_type = "IPv6 range"; 794 795 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 796 remote_id_addr_lower, 797 sizeof remote_id_addr_lower - 1); 798 799 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - 800 ISAKMP_GEN_SZ + 16, remote_id_addr_upper, 801 sizeof remote_id_addr_upper - 1); 802 803 len = strlen(remote_id_addr_upper) + 804 strlen(remote_id_addr_lower) + 2; 805 remote_id = calloc(len, sizeof(char)); 806 if (!remote_id) { 807 log_error("policy_callback: " 808 "calloc (%d, %lu) failed", len, 809 (unsigned long)sizeof(char)); 810 goto bad; 811 } 812 strlcpy(remote_id, remote_id_addr_lower, len); 813 strlcat(remote_id, "-", len); 814 strlcat(remote_id, remote_id_addr_upper, len); 815 break; 816 817 case IPSEC_ID_IPV6_ADDR_SUBNET: 818 { 819 struct in6_addr net, mask; 820 821 remote_id_type = "IPv6 subnet"; 822 823 bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, &net, 824 sizeof(net)); 825 bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, 826 &mask, sizeof(mask)); 827 828 for (i = 0; i < 16; i++) 829 net.s6_addr[i] &= mask.s6_addr[i]; 830 831 my_inet_ntop6((unsigned char *)&net, 832 remote_id_addr_lower, 833 sizeof remote_id_addr_lower - 1); 834 835 for (i = 0; i < 16; i++) 836 net.s6_addr[i] |= ~mask.s6_addr[i]; 837 838 my_inet_ntop6((unsigned char *)&net, 839 remote_id_addr_upper, 840 sizeof remote_id_addr_upper - 1); 841 842 len = strlen(remote_id_addr_upper) + 843 strlen(remote_id_addr_lower) + 2; 844 remote_id = calloc(len, sizeof(char)); 845 if (!remote_id) { 846 log_error("policy_callback: " 847 "calloc (%d, %lu) failed", len, 848 (unsigned long)sizeof(char)); 849 goto bad; 850 } 851 strlcpy(remote_id, remote_id_addr_lower, len); 852 strlcat(remote_id, "-", len); 853 strlcat(remote_id, remote_id_addr_upper, len); 854 break; 855 } 856 857 case IPSEC_ID_FQDN: 858 remote_id_type = "FQDN"; 859 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF + 860 ISAKMP_GEN_SZ + 1, sizeof(char)); 861 if (!remote_id) { 862 log_error("policy_callback: " 863 "calloc (%lu, %lu) failed", 864 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + 865 ISAKMP_GEN_SZ + 1, 866 (unsigned long)sizeof(char)); 867 goto bad; 868 } 869 memcpy(remote_id, 870 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 871 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 872 break; 873 874 case IPSEC_ID_USER_FQDN: 875 remote_id_type = "User FQDN"; 876 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF + 877 ISAKMP_GEN_SZ + 1, sizeof(char)); 878 if (!remote_id) { 879 log_error("policy_callback: " 880 "calloc (%lu, %lu) failed", 881 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + 882 ISAKMP_GEN_SZ + 1, 883 (unsigned long)sizeof(char)); 884 goto bad; 885 } 886 memcpy(remote_id, 887 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 888 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 889 break; 890 891 case IPSEC_ID_DER_ASN1_DN: 892 remote_id_type = "ASN1 DN"; 893 894 remote_id = x509_DN_string(id + ISAKMP_ID_DATA_OFF - 895 ISAKMP_GEN_SZ, 896 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 897 if (!remote_id) { 898 LOG_DBG((LOG_POLICY, 50, 899 "policy_callback: failed to decode name")); 900 goto bad; 901 } 902 break; 903 904 case IPSEC_ID_DER_ASN1_GN: /* XXX */ 905 remote_id_type = "ASN1 GN"; 906 break; 907 908 case IPSEC_ID_KEY_ID: 909 remote_id_type = "Key ID"; 910 remote_id = calloc(2 * (id_sz - ISAKMP_ID_DATA_OFF + 911 ISAKMP_GEN_SZ) + 1, sizeof(char)); 912 if (!remote_id) { 913 log_error("policy_callback: " 914 "calloc (%lu, %lu) failed", 915 2 * ((unsigned long)id_sz - 916 ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 917 (unsigned long)sizeof(char)); 918 goto bad; 919 } 920 /* Does it contain any non-printable characters ? */ 921 for (i = 0; 922 i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; 923 i++) 924 if (!isprint(*(id + ISAKMP_ID_DATA_OFF - 925 ISAKMP_GEN_SZ + i))) 926 break; 927 if (i >= id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) { 928 memcpy(remote_id, id + ISAKMP_ID_DATA_OFF - 929 ISAKMP_GEN_SZ, 930 id_sz - ISAKMP_ID_DATA_OFF + 931 ISAKMP_GEN_SZ); 932 break; 933 } 934 /* Non-printable characters, convert to hex */ 935 for (i = 0; 936 i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; 937 i++) { 938 remote_id[2 * i] = hextab[*(id + 939 ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]; 940 remote_id[2 * i + 1] = hextab[*(id + 941 ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF]; 942 } 943 break; 944 945 default: 946 log_print("policy_callback: " 947 "unknown remote ID type %u", id[0]); 948 goto bad; 949 } 950 951 switch (id[1]) { 952 case IPPROTO_TCP: 953 remote_id_proto = "tcp"; 954 break; 955 956 case IPPROTO_UDP: 957 remote_id_proto = "udp"; 958 break; 959 960 case IPPROTO_ETHERIP: 961 remote_id_proto = "etherip"; 962 break; 963 964 default: 965 snprintf(remote_id_proto_num, 966 sizeof remote_id_proto_num, "%d", 967 id[1]); 968 remote_id_proto = remote_id_proto_num; 969 break; 970 } 971 972 snprintf(remote_id_port, sizeof remote_id_port, "%u", 973 decode_16(id + 2)); 974 975 if (policy_exchange->initiator) { 976 initiator = "yes"; 977 idlocal = ie->id_ci; 978 idremote = ie->id_cr; 979 idlocalsz = ie->id_ci_sz; 980 idremotesz = ie->id_cr_sz; 981 } else { 982 initiator = "no"; 983 idlocal = ie->id_cr; 984 idremote = ie->id_ci; 985 idlocalsz = ie->id_cr_sz; 986 idremotesz = ie->id_ci_sz; 987 } 988 989 /* Initialize the ID variables. */ 990 if (idremote) { 991 switch (GET_ISAKMP_ID_TYPE(idremote)) { 992 case IPSEC_ID_IPV4_ADDR: 993 remote_filter_type = "IPv4 address"; 994 995 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 996 my_inet_ntop4(&net, remote_filter_addr_upper, 997 sizeof remote_filter_addr_upper - 1, 1); 998 my_inet_ntop4(&net, remote_filter_addr_lower, 999 sizeof remote_filter_addr_lower - 1, 1); 1000 remote_filter = 1001 strdup(remote_filter_addr_upper); 1002 if (!remote_filter) { 1003 log_error("policy_callback: strdup " 1004 "(\"%s\") failed", 1005 remote_filter_addr_upper); 1006 goto bad; 1007 } 1008 break; 1009 1010 case IPSEC_ID_IPV4_RANGE: 1011 remote_filter_type = "IPv4 range"; 1012 1013 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 1014 my_inet_ntop4(&net, remote_filter_addr_lower, 1015 sizeof remote_filter_addr_lower - 1, 1); 1016 net = decode_32(idremote + ISAKMP_ID_DATA_OFF + 1017 4); 1018 my_inet_ntop4(&net, remote_filter_addr_upper, 1019 sizeof remote_filter_addr_upper - 1, 1); 1020 len = strlen(remote_filter_addr_upper) + 1021 strlen(remote_filter_addr_lower) + 2; 1022 remote_filter = calloc(len, sizeof(char)); 1023 if (!remote_filter) { 1024 log_error("policy_callback: calloc " 1025 "(%d, %lu) failed", len, 1026 (unsigned long)sizeof(char)); 1027 goto bad; 1028 } 1029 strlcpy(remote_filter, 1030 remote_filter_addr_lower, len); 1031 strlcat(remote_filter, "-", len); 1032 strlcat(remote_filter, 1033 remote_filter_addr_upper, len); 1034 break; 1035 1036 case IPSEC_ID_IPV4_ADDR_SUBNET: 1037 remote_filter_type = "IPv4 subnet"; 1038 1039 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 1040 subnet = decode_32(idremote + 1041 ISAKMP_ID_DATA_OFF + 4); 1042 net &= subnet; 1043 my_inet_ntop4(&net, remote_filter_addr_lower, 1044 sizeof remote_filter_addr_lower - 1, 1); 1045 net |= ~subnet; 1046 my_inet_ntop4(&net, remote_filter_addr_upper, 1047 sizeof remote_filter_addr_upper - 1, 1); 1048 len = strlen(remote_filter_addr_upper) + 1049 strlen(remote_filter_addr_lower) + 2; 1050 remote_filter = calloc(len, sizeof(char)); 1051 if (!remote_filter) { 1052 log_error("policy_callback: calloc " 1053 "(%d, %lu) failed", len, 1054 (unsigned long)sizeof(char)); 1055 goto bad; 1056 } 1057 strlcpy(remote_filter, 1058 remote_filter_addr_lower, len); 1059 strlcat(remote_filter, "-", len); 1060 strlcat(remote_filter, 1061 remote_filter_addr_upper, len); 1062 break; 1063 1064 case IPSEC_ID_IPV6_ADDR: 1065 remote_filter_type = "IPv6 address"; 1066 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF, 1067 remote_filter_addr_upper, 1068 sizeof remote_filter_addr_upper - 1); 1069 strlcpy(remote_filter_addr_lower, 1070 remote_filter_addr_upper, 1071 sizeof remote_filter_addr_lower); 1072 remote_filter = 1073 strdup(remote_filter_addr_upper); 1074 if (!remote_filter) { 1075 log_error("policy_callback: strdup " 1076 "(\"%s\") failed", 1077 remote_filter_addr_upper); 1078 goto bad; 1079 } 1080 break; 1081 1082 case IPSEC_ID_IPV6_RANGE: 1083 remote_filter_type = "IPv6 range"; 1084 1085 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF, 1086 remote_filter_addr_lower, 1087 sizeof remote_filter_addr_lower - 1); 1088 1089 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF + 1090 16, remote_filter_addr_upper, 1091 sizeof remote_filter_addr_upper - 1); 1092 1093 len = strlen(remote_filter_addr_upper) + 1094 strlen(remote_filter_addr_lower) + 2; 1095 remote_filter = calloc(len, sizeof(char)); 1096 if (!remote_filter) { 1097 log_error("policy_callback: calloc " 1098 "(%d, %lu) failed", len, 1099 (unsigned long)sizeof(char)); 1100 goto bad; 1101 } 1102 strlcpy(remote_filter, 1103 remote_filter_addr_lower, len); 1104 strlcat(remote_filter, "-", len); 1105 strlcat(remote_filter, 1106 remote_filter_addr_upper, len); 1107 break; 1108 1109 case IPSEC_ID_IPV6_ADDR_SUBNET: 1110 { 1111 struct in6_addr net, mask; 1112 1113 remote_filter_type = "IPv6 subnet"; 1114 1115 bcopy(idremote + ISAKMP_ID_DATA_OFF, 1116 &net, sizeof(net)); 1117 bcopy(idremote + ISAKMP_ID_DATA_OFF + 1118 16, &mask, sizeof(mask)); 1119 1120 for (i = 0; i < 16; i++) 1121 net.s6_addr[i] &= 1122 mask.s6_addr[i]; 1123 1124 my_inet_ntop6((unsigned char *)&net, 1125 remote_filter_addr_lower, 1126 sizeof remote_filter_addr_lower - 1); 1127 1128 for (i = 0; i < 16; i++) 1129 net.s6_addr[i] |= 1130 ~mask.s6_addr[i]; 1131 1132 my_inet_ntop6((unsigned char *)&net, 1133 remote_filter_addr_upper, 1134 sizeof remote_filter_addr_upper - 1); 1135 1136 len = strlen(remote_filter_addr_upper) 1137 + strlen(remote_filter_addr_lower) + 2; 1138 remote_filter = calloc(len, 1139 sizeof(char)); 1140 if (!remote_filter) { 1141 log_error("policy_callback: " 1142 "calloc (%d, %lu) failed", 1143 len, 1144 (unsigned long)sizeof(char)); 1145 goto bad; 1146 } 1147 strlcpy(remote_filter, 1148 remote_filter_addr_lower, len); 1149 strlcat(remote_filter, "-", len); 1150 strlcat(remote_filter, 1151 remote_filter_addr_upper, len); 1152 break; 1153 } 1154 1155 case IPSEC_ID_FQDN: 1156 remote_filter_type = "FQDN"; 1157 remote_filter = malloc(idremotesz - 1158 ISAKMP_ID_DATA_OFF + 1); 1159 if (!remote_filter) { 1160 log_error("policy_callback: " 1161 "malloc (%lu) failed", 1162 (unsigned long)idremotesz - 1163 ISAKMP_ID_DATA_OFF + 1); 1164 goto bad; 1165 } 1166 memcpy(remote_filter, 1167 idremote + ISAKMP_ID_DATA_OFF, 1168 idremotesz - ISAKMP_ID_DATA_OFF); 1169 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] 1170 = '\0'; 1171 break; 1172 1173 case IPSEC_ID_USER_FQDN: 1174 remote_filter_type = "User FQDN"; 1175 remote_filter = malloc(idremotesz - 1176 ISAKMP_ID_DATA_OFF + 1); 1177 if (!remote_filter) { 1178 log_error("policy_callback: " 1179 "malloc (%lu) failed", 1180 (unsigned long)idremotesz - 1181 ISAKMP_ID_DATA_OFF + 1); 1182 goto bad; 1183 } 1184 memcpy(remote_filter, 1185 idremote + ISAKMP_ID_DATA_OFF, 1186 idremotesz - ISAKMP_ID_DATA_OFF); 1187 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] 1188 = '\0'; 1189 break; 1190 1191 case IPSEC_ID_DER_ASN1_DN: 1192 remote_filter_type = "ASN1 DN"; 1193 1194 remote_filter = x509_DN_string(idremote + 1195 ISAKMP_ID_DATA_OFF, 1196 idremotesz - ISAKMP_ID_DATA_OFF); 1197 if (!remote_filter) { 1198 LOG_DBG((LOG_POLICY, 50, 1199 "policy_callback: " 1200 "failed to decode name")); 1201 goto bad; 1202 } 1203 break; 1204 1205 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure 1206 * what's in this. */ 1207 remote_filter_type = "ASN1 GN"; 1208 break; 1209 1210 case IPSEC_ID_KEY_ID: 1211 remote_filter_type = "Key ID"; 1212 remote_filter 1213 = calloc(2 * (idremotesz - 1214 ISAKMP_ID_DATA_OFF) + 1, 1215 sizeof(char)); 1216 if (!remote_filter) { 1217 log_error("policy_callback: " 1218 "calloc (%lu, %lu) failed", 1219 2 * ((unsigned long)idremotesz - 1220 ISAKMP_ID_DATA_OFF) + 1, 1221 (unsigned long)sizeof(char)); 1222 goto bad; 1223 } 1224 /* 1225 * Does it contain any non-printable 1226 * characters ? 1227 */ 1228 for (i = 0; 1229 i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1230 if (!isprint(*(idremote + 1231 ISAKMP_ID_DATA_OFF + i))) 1232 break; 1233 if (i >= idremotesz - ISAKMP_ID_DATA_OFF) { 1234 memcpy(remote_filter, 1235 idremote + ISAKMP_ID_DATA_OFF, 1236 idremotesz - ISAKMP_ID_DATA_OFF); 1237 break; 1238 } 1239 /* Non-printable characters, convert to hex */ 1240 for (i = 0; 1241 i < idremotesz - ISAKMP_ID_DATA_OFF; 1242 i++) { 1243 remote_filter[2 * i] 1244 = hextab[*(idremote + 1245 ISAKMP_ID_DATA_OFF) >> 4]; 1246 remote_filter[2 * i + 1] 1247 = hextab[*(idremote + 1248 ISAKMP_ID_DATA_OFF) & 0xF]; 1249 } 1250 break; 1251 1252 default: 1253 log_print("policy_callback: " 1254 "unknown Remote ID type %u", 1255 GET_ISAKMP_ID_TYPE(idremote)); 1256 goto bad; 1257 } 1258 1259 switch (idremote[ISAKMP_GEN_SZ + 1]) { 1260 case IPPROTO_TCP: 1261 remote_filter_proto = "tcp"; 1262 break; 1263 1264 case IPPROTO_UDP: 1265 remote_filter_proto = "udp"; 1266 break; 1267 1268 case IPPROTO_ETHERIP: 1269 remote_filter_proto = "etherip"; 1270 break; 1271 1272 default: 1273 snprintf(remote_filter_proto_num, 1274 sizeof remote_filter_proto_num, "%d", 1275 idremote[ISAKMP_GEN_SZ + 1]); 1276 remote_filter_proto = remote_filter_proto_num; 1277 break; 1278 } 1279 1280 snprintf(remote_filter_port, sizeof remote_filter_port, 1281 "%u", decode_16(idremote + ISAKMP_GEN_SZ + 2)); 1282 } else { 1283 policy_sa->transport->vtbl->get_dst(policy_sa->transport, &sin); 1284 switch (sin->sa_family) { 1285 case AF_INET: 1286 remote_filter_type = "IPv4 address"; 1287 break; 1288 case AF_INET6: 1289 remote_filter_type = "IPv6 address"; 1290 break; 1291 default: 1292 log_print("policy_callback: " 1293 "unsupported protocol family %d", 1294 sin->sa_family); 1295 goto bad; 1296 } 1297 if (sockaddr2text(sin, &addr, 1)) { 1298 log_error("policy_callback: " 1299 "sockaddr2text failed"); 1300 goto bad; 1301 } 1302 memcpy(remote_filter_addr_upper, addr, 1303 sizeof remote_filter_addr_upper); 1304 memcpy(remote_filter_addr_lower, addr, 1305 sizeof remote_filter_addr_lower); 1306 free(addr); 1307 remote_filter = strdup(remote_filter_addr_upper); 1308 if (!remote_filter) { 1309 log_error("policy_callback: " 1310 "strdup (\"%s\") failed", 1311 remote_filter_addr_upper); 1312 goto bad; 1313 } 1314 } 1315 1316 if (idlocal) { 1317 switch (GET_ISAKMP_ID_TYPE(idlocal)) { 1318 case IPSEC_ID_IPV4_ADDR: 1319 local_filter_type = "IPv4 address"; 1320 1321 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1322 my_inet_ntop4(&net, local_filter_addr_upper, 1323 sizeof local_filter_addr_upper - 1, 1); 1324 my_inet_ntop4(&net, local_filter_addr_lower, 1325 sizeof local_filter_addr_upper - 1, 1); 1326 local_filter = strdup(local_filter_addr_upper); 1327 if (!local_filter) { 1328 log_error("policy_callback: " 1329 "strdup (\"%s\") failed", 1330 local_filter_addr_upper); 1331 goto bad; 1332 } 1333 break; 1334 1335 case IPSEC_ID_IPV4_RANGE: 1336 local_filter_type = "IPv4 range"; 1337 1338 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1339 my_inet_ntop4(&net, local_filter_addr_lower, 1340 sizeof local_filter_addr_lower - 1, 1); 1341 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF + 1342 4); 1343 my_inet_ntop4(&net, local_filter_addr_upper, 1344 sizeof local_filter_addr_upper - 1, 1); 1345 len = strlen(local_filter_addr_upper) 1346 + strlen(local_filter_addr_lower) + 2; 1347 local_filter = calloc(len, sizeof(char)); 1348 if (!local_filter) { 1349 log_error("policy_callback: " 1350 "calloc (%d, %lu) failed", len, 1351 (unsigned long)sizeof(char)); 1352 goto bad; 1353 } 1354 strlcpy(local_filter, local_filter_addr_lower, 1355 len); 1356 strlcat(local_filter, "-", len); 1357 strlcat(local_filter, local_filter_addr_upper, 1358 len); 1359 break; 1360 1361 case IPSEC_ID_IPV4_ADDR_SUBNET: 1362 local_filter_type = "IPv4 subnet"; 1363 1364 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1365 subnet = decode_32(idlocal + 1366 ISAKMP_ID_DATA_OFF + 4); 1367 net &= subnet; 1368 my_inet_ntop4(&net, local_filter_addr_lower, 1369 sizeof local_filter_addr_lower - 1, 1); 1370 net |= ~subnet; 1371 my_inet_ntop4(&net, local_filter_addr_upper, 1372 sizeof local_filter_addr_upper - 1, 1); 1373 len = strlen(local_filter_addr_upper) + 1374 strlen(local_filter_addr_lower) + 2; 1375 local_filter = calloc(len, sizeof(char)); 1376 if (!local_filter) { 1377 log_error("policy_callback: " 1378 "calloc (%d, %lu) failed", len, 1379 (unsigned long)sizeof(char)); 1380 goto bad; 1381 } 1382 strlcpy(local_filter, local_filter_addr_lower, 1383 len); 1384 strlcat(local_filter, "-", len); 1385 strlcat(local_filter, local_filter_addr_upper, 1386 len); 1387 break; 1388 1389 case IPSEC_ID_IPV6_ADDR: 1390 local_filter_type = "IPv6 address"; 1391 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF, 1392 local_filter_addr_upper, 1393 sizeof local_filter_addr_upper - 1); 1394 strlcpy(local_filter_addr_lower, 1395 local_filter_addr_upper, 1396 sizeof local_filter_addr_lower); 1397 local_filter = strdup(local_filter_addr_upper); 1398 if (!local_filter) { 1399 log_error("policy_callback: " 1400 "strdup (\"%s\") failed", 1401 local_filter_addr_upper); 1402 goto bad; 1403 } 1404 break; 1405 1406 case IPSEC_ID_IPV6_RANGE: 1407 local_filter_type = "IPv6 range"; 1408 1409 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF, 1410 local_filter_addr_lower, 1411 sizeof local_filter_addr_lower - 1); 1412 1413 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF + 1414 16, local_filter_addr_upper, 1415 sizeof local_filter_addr_upper - 1); 1416 1417 len = strlen(local_filter_addr_upper) 1418 + strlen(local_filter_addr_lower) + 2; 1419 local_filter = calloc(len, sizeof(char)); 1420 if (!local_filter) { 1421 log_error("policy_callback: " 1422 "calloc (%d, %lu) failed", len, 1423 (unsigned long)sizeof(char)); 1424 goto bad; 1425 } 1426 strlcpy(local_filter, local_filter_addr_lower, 1427 len); 1428 strlcat(local_filter, "-", len); 1429 strlcat(local_filter, local_filter_addr_upper, 1430 len); 1431 break; 1432 1433 case IPSEC_ID_IPV6_ADDR_SUBNET: 1434 { 1435 struct in6_addr net, mask; 1436 1437 local_filter_type = "IPv6 subnet"; 1438 1439 bcopy(idlocal + ISAKMP_ID_DATA_OFF, 1440 &net, sizeof(net)); 1441 bcopy(idlocal + ISAKMP_ID_DATA_OFF + 1442 16, &mask, sizeof(mask)); 1443 1444 for (i = 0; i < 16; i++) 1445 net.s6_addr[i] &= 1446 mask.s6_addr[i]; 1447 1448 my_inet_ntop6((unsigned char *)&net, 1449 local_filter_addr_lower, 1450 sizeof local_filter_addr_lower - 1); 1451 1452 for (i = 0; i < 16; i++) 1453 net.s6_addr[i] |= 1454 ~mask.s6_addr[i]; 1455 1456 my_inet_ntop6((unsigned char *)&net, 1457 local_filter_addr_upper, 1458 sizeof local_filter_addr_upper - 1459 1); 1460 1461 len = strlen(local_filter_addr_upper) 1462 + strlen(local_filter_addr_lower) 1463 + 2; 1464 local_filter = calloc(len, 1465 sizeof(char)); 1466 if (!local_filter) { 1467 log_error("policy_callback: " 1468 "calloc (%d, %lu) failed", 1469 len, 1470 (unsigned long)sizeof(char)); 1471 goto bad; 1472 } 1473 strlcpy(local_filter, 1474 local_filter_addr_lower, len); 1475 strlcat(local_filter, "-", len); 1476 strlcat(local_filter, 1477 local_filter_addr_upper, len); 1478 break; 1479 } 1480 1481 case IPSEC_ID_FQDN: 1482 local_filter_type = "FQDN"; 1483 local_filter = malloc(idlocalsz - 1484 ISAKMP_ID_DATA_OFF + 1); 1485 if (!local_filter) { 1486 log_error("policy_callback: " 1487 "malloc (%lu) failed", 1488 (unsigned long)idlocalsz - 1489 ISAKMP_ID_DATA_OFF + 1); 1490 goto bad; 1491 } 1492 memcpy(local_filter, 1493 idlocal + ISAKMP_ID_DATA_OFF, 1494 idlocalsz - ISAKMP_ID_DATA_OFF); 1495 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1496 break; 1497 1498 case IPSEC_ID_USER_FQDN: 1499 local_filter_type = "User FQDN"; 1500 local_filter = malloc(idlocalsz - 1501 ISAKMP_ID_DATA_OFF + 1); 1502 if (!local_filter) { 1503 log_error("policy_callback: " 1504 "malloc (%lu) failed", 1505 (unsigned long)idlocalsz - 1506 ISAKMP_ID_DATA_OFF + 1); 1507 goto bad; 1508 } 1509 memcpy(local_filter, 1510 idlocal + ISAKMP_ID_DATA_OFF, 1511 idlocalsz - ISAKMP_ID_DATA_OFF); 1512 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1513 break; 1514 1515 case IPSEC_ID_DER_ASN1_DN: 1516 local_filter_type = "ASN1 DN"; 1517 1518 local_filter = x509_DN_string(idlocal + 1519 ISAKMP_ID_DATA_OFF, 1520 idlocalsz - ISAKMP_ID_DATA_OFF); 1521 if (!local_filter) { 1522 LOG_DBG((LOG_POLICY, 50, 1523 "policy_callback: failed to decode" 1524 " name")); 1525 goto bad; 1526 } 1527 break; 1528 1529 case IPSEC_ID_DER_ASN1_GN: 1530 /* XXX -- not sure what's in this. */ 1531 local_filter_type = "ASN1 GN"; 1532 break; 1533 1534 case IPSEC_ID_KEY_ID: 1535 local_filter_type = "Key ID"; 1536 local_filter = calloc(2 * (idlocalsz - 1537 ISAKMP_ID_DATA_OFF) + 1, 1538 sizeof(char)); 1539 if (!local_filter) { 1540 log_error("policy_callback: " 1541 "calloc (%lu, %lu) failed", 1542 2 * ((unsigned long)idlocalsz - 1543 ISAKMP_ID_DATA_OFF) + 1, 1544 (unsigned long)sizeof(char)); 1545 goto bad; 1546 } 1547 /* 1548 * Does it contain any non-printable 1549 * characters ? 1550 */ 1551 for (i = 0; 1552 i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1553 if (!isprint(*(idlocal + 1554 ISAKMP_ID_DATA_OFF + i))) 1555 break; 1556 if (i >= idlocalsz - ISAKMP_ID_DATA_OFF) { 1557 memcpy(local_filter, idlocal + 1558 ISAKMP_ID_DATA_OFF, 1559 idlocalsz - ISAKMP_ID_DATA_OFF); 1560 break; 1561 } 1562 /* Non-printable characters, convert to hex */ 1563 for (i = 0; 1564 i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) { 1565 local_filter[2 * i] = 1566 hextab[*(idlocal + 1567 ISAKMP_ID_DATA_OFF) >> 4]; 1568 local_filter[2 * i + 1] = 1569 hextab[*(idlocal + 1570 ISAKMP_ID_DATA_OFF) & 0xF]; 1571 } 1572 break; 1573 1574 default: 1575 log_print("policy_callback: " 1576 "unknown Local ID type %u", 1577 GET_ISAKMP_ID_TYPE(idlocal)); 1578 goto bad; 1579 } 1580 1581 switch (idlocal[ISAKMP_GEN_SZ + 1]) { 1582 case IPPROTO_TCP: 1583 local_filter_proto = "tcp"; 1584 break; 1585 1586 case IPPROTO_UDP: 1587 local_filter_proto = "udp"; 1588 break; 1589 1590 case IPPROTO_ETHERIP: 1591 local_filter_proto = "etherip"; 1592 break; 1593 1594 default: 1595 snprintf(local_filter_proto_num, 1596 sizeof local_filter_proto_num, 1597 "%d", idlocal[ISAKMP_GEN_SZ + 1]); 1598 local_filter_proto = local_filter_proto_num; 1599 break; 1600 } 1601 1602 snprintf(local_filter_port, sizeof local_filter_port, 1603 "%u", decode_16(idlocal + ISAKMP_GEN_SZ + 2)); 1604 } else { 1605 policy_sa->transport->vtbl->get_src(policy_sa->transport, 1606 (struct sockaddr **)&sin); 1607 switch (sin->sa_family) { 1608 case AF_INET: 1609 local_filter_type = "IPv4 address"; 1610 break; 1611 case AF_INET6: 1612 local_filter_type = "IPv6 address"; 1613 break; 1614 default: 1615 log_print("policy_callback: " 1616 "unsupported protocol family %d", 1617 sin->sa_family); 1618 goto bad; 1619 } 1620 1621 if (sockaddr2text(sin, &addr, 1)) { 1622 log_error("policy_callback: " 1623 "sockaddr2text failed"); 1624 goto bad; 1625 } 1626 memcpy(local_filter_addr_upper, addr, 1627 sizeof local_filter_addr_upper); 1628 memcpy(local_filter_addr_lower, addr, 1629 sizeof local_filter_addr_lower); 1630 free(addr); 1631 local_filter = strdup(local_filter_addr_upper); 1632 if (!local_filter) { 1633 log_error("policy_callback: " 1634 "strdup (\"%s\") failed", 1635 local_filter_addr_upper); 1636 goto bad; 1637 } 1638 } 1639 1640 LOG_DBG((LOG_POLICY, 80, 1641 "Policy context (action attributes):")); 1642 LOG_DBG((LOG_POLICY, 80, "esp_present == %s", esp_present)); 1643 LOG_DBG((LOG_POLICY, 80, "ah_present == %s", ah_present)); 1644 LOG_DBG((LOG_POLICY, 80, "comp_present == %s", comp_present)); 1645 LOG_DBG((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg)); 1646 LOG_DBG((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg)); 1647 LOG_DBG((LOG_POLICY, 80, "comp_alg == %s", comp_alg)); 1648 LOG_DBG((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg)); 1649 LOG_DBG((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg)); 1650 LOG_DBG((LOG_POLICY, 80, "ah_life_seconds == %s", 1651 ah_life_seconds)); 1652 LOG_DBG((LOG_POLICY, 80, "ah_life_kbytes == %s", 1653 ah_life_kbytes)); 1654 LOG_DBG((LOG_POLICY, 80, "esp_life_seconds == %s", 1655 esp_life_seconds)); 1656 LOG_DBG((LOG_POLICY, 80, "esp_life_kbytes == %s", 1657 esp_life_kbytes)); 1658 LOG_DBG((LOG_POLICY, 80, "comp_life_seconds == %s", 1659 comp_life_seconds)); 1660 LOG_DBG((LOG_POLICY, 80, "comp_life_kbytes == %s", 1661 comp_life_kbytes)); 1662 LOG_DBG((LOG_POLICY, 80, "ah_encapsulation == %s", 1663 ah_encapsulation)); 1664 LOG_DBG((LOG_POLICY, 80, "esp_encapsulation == %s", 1665 esp_encapsulation)); 1666 LOG_DBG((LOG_POLICY, 80, "comp_encapsulation == %s", 1667 comp_encapsulation)); 1668 LOG_DBG((LOG_POLICY, 80, "comp_dict_size == %s", 1669 comp_dict_size)); 1670 LOG_DBG((LOG_POLICY, 80, "comp_private_alg == %s", 1671 comp_private_alg)); 1672 LOG_DBG((LOG_POLICY, 80, "ah_key_length == %s", 1673 ah_key_length)); 1674 LOG_DBG((LOG_POLICY, 80, "ah_key_rounds == %s", 1675 ah_key_rounds)); 1676 LOG_DBG((LOG_POLICY, 80, "esp_key_length == %s", 1677 esp_key_length)); 1678 LOG_DBG((LOG_POLICY, 80, "esp_key_rounds == %s", 1679 esp_key_rounds)); 1680 LOG_DBG((LOG_POLICY, 80, "ah_group_desc == %s", 1681 ah_group_desc)); 1682 LOG_DBG((LOG_POLICY, 80, "esp_group_desc == %s", 1683 esp_group_desc)); 1684 LOG_DBG((LOG_POLICY, 80, "comp_group_desc == %s", 1685 comp_group_desc)); 1686 LOG_DBG((LOG_POLICY, 80, "ah_ecn == %s", ah_ecn)); 1687 LOG_DBG((LOG_POLICY, 80, "esp_ecn == %s", esp_ecn)); 1688 LOG_DBG((LOG_POLICY, 80, "comp_ecn == %s", comp_ecn)); 1689 LOG_DBG((LOG_POLICY, 80, "remote_filter_type == %s", 1690 remote_filter_type)); 1691 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_upper == %s", 1692 remote_filter_addr_upper)); 1693 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_lower == %s", 1694 remote_filter_addr_lower)); 1695 LOG_DBG((LOG_POLICY, 80, "remote_filter == %s", 1696 (remote_filter ? remote_filter : ""))); 1697 LOG_DBG((LOG_POLICY, 80, "remote_filter_port == %s", 1698 remote_filter_port)); 1699 LOG_DBG((LOG_POLICY, 80, "remote_filter_proto == %s", 1700 remote_filter_proto)); 1701 LOG_DBG((LOG_POLICY, 80, "local_filter_type == %s", 1702 local_filter_type)); 1703 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_upper == %s", 1704 local_filter_addr_upper)); 1705 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_lower == %s", 1706 local_filter_addr_lower)); 1707 LOG_DBG((LOG_POLICY, 80, "local_filter == %s", 1708 (local_filter ? local_filter : ""))); 1709 LOG_DBG((LOG_POLICY, 80, "local_filter_port == %s", 1710 local_filter_port)); 1711 LOG_DBG((LOG_POLICY, 80, "local_filter_proto == %s", 1712 local_filter_proto)); 1713 LOG_DBG((LOG_POLICY, 80, "remote_id_type == %s", 1714 remote_id_type)); 1715 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_upper == %s", 1716 remote_id_addr_upper)); 1717 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_lower == %s", 1718 remote_id_addr_lower)); 1719 LOG_DBG((LOG_POLICY, 80, "remote_id == %s", 1720 (remote_id ? remote_id : ""))); 1721 LOG_DBG((LOG_POLICY, 80, "remote_id_port == %s", 1722 remote_id_port)); 1723 LOG_DBG((LOG_POLICY, 80, "remote_id_proto == %s", 1724 remote_id_proto)); 1725 LOG_DBG((LOG_POLICY, 80, "remote_negotiation_address == %s", 1726 remote_ike_address)); 1727 LOG_DBG((LOG_POLICY, 80, "local_negotiation_address == %s", 1728 local_ike_address)); 1729 LOG_DBG((LOG_POLICY, 80, "pfs == %s", pfs)); 1730 LOG_DBG((LOG_POLICY, 80, "initiator == %s", initiator)); 1731 LOG_DBG((LOG_POLICY, 80, "phase1_group_desc == %s", 1732 phase1_group)); 1733 1734 /* Unset dirty now. */ 1735 dirty = 0; 1736 } 1737 if (strcmp(name, "phase_1") == 0) 1738 return phase_1; 1739 1740 if (strcmp(name, "GMTTimeOfDay") == 0) { 1741 tt = time((time_t)NULL); 1742 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", gmtime(&tt)); 1743 return mytimeofday; 1744 } 1745 if (strcmp(name, "LocalTimeOfDay") == 0) { 1746 tt = time((time_t)NULL); 1747 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", localtime(&tt)); 1748 return mytimeofday; 1749 } 1750 if (strcmp(name, "initiator") == 0) 1751 return initiator; 1752 1753 if (strcmp(name, "pfs") == 0) 1754 return pfs; 1755 1756 if (strcmp(name, "app_domain") == 0) 1757 return "IPsec policy"; 1758 1759 if (strcmp(name, "doi") == 0) 1760 return "ipsec"; 1761 1762 if (strcmp(name, "esp_present") == 0) 1763 return esp_present; 1764 1765 if (strcmp(name, "ah_present") == 0) 1766 return ah_present; 1767 1768 if (strcmp(name, "comp_present") == 0) 1769 return comp_present; 1770 1771 if (strcmp(name, "ah_hash_alg") == 0) 1772 return ah_hash_alg; 1773 1774 if (strcmp(name, "ah_auth_alg") == 0) 1775 return ah_auth_alg; 1776 1777 if (strcmp(name, "esp_auth_alg") == 0) 1778 return esp_auth_alg; 1779 1780 if (strcmp(name, "esp_enc_alg") == 0) 1781 return esp_enc_alg; 1782 1783 if (strcmp(name, "comp_alg") == 0) 1784 return comp_alg; 1785 1786 if (strcmp(name, "ah_life_kbytes") == 0) 1787 return ah_life_kbytes; 1788 1789 if (strcmp(name, "ah_life_seconds") == 0) 1790 return ah_life_seconds; 1791 1792 if (strcmp(name, "esp_life_kbytes") == 0) 1793 return esp_life_kbytes; 1794 1795 if (strcmp(name, "esp_life_seconds") == 0) 1796 return esp_life_seconds; 1797 1798 if (strcmp(name, "comp_life_kbytes") == 0) 1799 return comp_life_kbytes; 1800 1801 if (strcmp(name, "comp_life_seconds") == 0) 1802 return comp_life_seconds; 1803 1804 if (strcmp(name, "ah_encapsulation") == 0) 1805 return ah_encapsulation; 1806 1807 if (strcmp(name, "esp_encapsulation") == 0) 1808 return esp_encapsulation; 1809 1810 if (strcmp(name, "comp_encapsulation") == 0) 1811 return comp_encapsulation; 1812 1813 if (strcmp(name, "ah_key_length") == 0) 1814 return ah_key_length; 1815 1816 if (strcmp(name, "ah_key_rounds") == 0) 1817 return ah_key_rounds; 1818 1819 if (strcmp(name, "esp_key_length") == 0) 1820 return esp_key_length; 1821 1822 if (strcmp(name, "esp_key_rounds") == 0) 1823 return esp_key_rounds; 1824 1825 if (strcmp(name, "comp_dict_size") == 0) 1826 return comp_dict_size; 1827 1828 if (strcmp(name, "comp_private_alg") == 0) 1829 return comp_private_alg; 1830 1831 if (strcmp(name, "remote_filter_type") == 0) 1832 return remote_filter_type; 1833 1834 if (strcmp(name, "remote_filter") == 0) 1835 return (remote_filter ? remote_filter : ""); 1836 1837 if (strcmp(name, "remote_filter_addr_upper") == 0) 1838 return remote_filter_addr_upper; 1839 1840 if (strcmp(name, "remote_filter_addr_lower") == 0) 1841 return remote_filter_addr_lower; 1842 1843 if (strcmp(name, "remote_filter_port") == 0) 1844 return remote_filter_port; 1845 1846 if (strcmp(name, "remote_filter_proto") == 0) 1847 return remote_filter_proto; 1848 1849 if (strcmp(name, "local_filter_type") == 0) 1850 return local_filter_type; 1851 1852 if (strcmp(name, "local_filter") == 0) 1853 return (local_filter ? local_filter : ""); 1854 1855 if (strcmp(name, "local_filter_addr_upper") == 0) 1856 return local_filter_addr_upper; 1857 1858 if (strcmp(name, "local_filter_addr_lower") == 0) 1859 return local_filter_addr_lower; 1860 1861 if (strcmp(name, "local_filter_port") == 0) 1862 return local_filter_port; 1863 1864 if (strcmp(name, "local_filter_proto") == 0) 1865 return local_filter_proto; 1866 1867 if (strcmp(name, "remote_ike_address") == 0) 1868 return remote_ike_address; 1869 1870 if (strcmp(name, "remote_negotiation_address") == 0) 1871 return remote_ike_address; 1872 1873 if (strcmp(name, "local_ike_address") == 0) 1874 return local_ike_address; 1875 1876 if (strcmp(name, "local_negotiation_address") == 0) 1877 return local_ike_address; 1878 1879 if (strcmp(name, "remote_id_type") == 0) 1880 return remote_id_type; 1881 1882 if (strcmp(name, "remote_id") == 0) 1883 return (remote_id ? remote_id : ""); 1884 1885 if (strcmp(name, "remote_id_addr_upper") == 0) 1886 return remote_id_addr_upper; 1887 1888 if (strcmp(name, "remote_id_addr_lower") == 0) 1889 return remote_id_addr_lower; 1890 1891 if (strcmp(name, "remote_id_port") == 0) 1892 return remote_id_port; 1893 1894 if (strcmp(name, "remote_id_proto") == 0) 1895 return remote_id_proto; 1896 1897 if (strcmp(name, "phase1_group_desc") == 0) 1898 return phase1_group; 1899 1900 if (strcmp(name, "esp_group_desc") == 0) 1901 return esp_group_desc; 1902 1903 if (strcmp(name, "ah_group_desc") == 0) 1904 return ah_group_desc; 1905 1906 if (strcmp(name, "comp_group_desc") == 0) 1907 return comp_group_desc; 1908 1909 if (strcmp(name, "comp_ecn") == 0) 1910 return comp_ecn; 1911 1912 if (strcmp(name, "ah_ecn") == 0) 1913 return ah_ecn; 1914 1915 if (strcmp(name, "esp_ecn") == 0) 1916 return esp_ecn; 1917 1918 return ""; 1919 1920bad: 1921 policy_callback(KEYNOTE_CALLBACK_INITIALIZE); 1922 return ""; 1923} 1924 1925void 1926policy_init(void) 1927{ 1928 char *ptr, *policy_file; 1929 char **asserts; 1930 size_t sz, len; 1931 int fd, i; 1932 1933 LOG_DBG((LOG_POLICY, 30, "policy_init: initializing")); 1934 1935 /* Do we want to use the policy modules? */ 1936 if (ignore_policy || 1937 strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) 1938 return; 1939 1940 /* Get policy file from configuration. */ 1941 policy_file = conf_get_str("General", "Policy-file"); 1942 if (!policy_file) 1943 policy_file = CONF_DFLT_POLICY_FILE; 1944 1945 /* Open policy file. */ 1946 fd = monitor_open(policy_file, O_RDONLY, 0); 1947 if (fd == -1) 1948 log_fatal("policy_init: open (\"%s\", O_RDONLY) failed", 1949 policy_file); 1950 1951 /* Check file modes and collect file size */ 1952 if (check_file_secrecy_fd(fd, policy_file, &sz)) { 1953 close(fd); 1954 log_fatal("policy_init: cannot read %s", policy_file); 1955 } 1956 1957 /* Allocate memory to keep policies. */ 1958 ptr = calloc(sz + 1, sizeof(char)); 1959 if (!ptr) 1960 log_fatal("policy_init: calloc (%lu, %lu) failed", 1961 (unsigned long)sz + 1, (unsigned long)sizeof(char)); 1962 1963 /* Just in case there are short reads... */ 1964 for (len = 0; len < sz; len += i) { 1965 i = read(fd, ptr + len, sz - len); 1966 if (i == -1) 1967 log_fatal("policy_init: read (%d, %p, %lu) failed", fd, 1968 ptr + len, (unsigned long)(sz - len)); 1969 } 1970 1971 /* We're done with this. */ 1972 close(fd); 1973 1974 /* Parse buffer, break up into individual policies. */ 1975 asserts = kn_read_asserts(ptr, sz, &i); 1976 1977 /* Begone! */ 1978 free(ptr); 1979 1980 if (asserts == (char **)NULL) 1981 log_print("policy_init: all policies flushed"); 1982 1983 /* Cleanup */ 1984 if (policy_asserts) { 1985 for (fd = 0; fd < policy_asserts_num; fd++) 1986 if (policy_asserts && policy_asserts[fd]) 1987 free(policy_asserts[fd]); 1988 1989 free(policy_asserts); 1990 } 1991 policy_asserts = asserts; 1992 policy_asserts_num = i; 1993} 1994 1995/* Nothing needed for initialization */ 1996int 1997keynote_cert_init(void) 1998{ 1999 return 1; 2000} 2001 2002/* Just copy and return. */ 2003void * 2004keynote_cert_get(u_int8_t *data, u_int32_t len) 2005{ 2006 char *foo = malloc(len + 1); 2007 2008 if (foo == NULL) 2009 return NULL; 2010 2011 memcpy(foo, data, len); 2012 foo[len] = '\0'; 2013 return foo; 2014} 2015 2016/* 2017 * We just verify the signature on the credentials. 2018 * On signature failure, just drop the whole payload. 2019 */ 2020int 2021keynote_cert_validate(void *scert) 2022{ 2023 char **foo; 2024 int num, i; 2025 2026 if (scert == NULL) 2027 return 0; 2028 2029 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2030 if (foo == NULL) 2031 return 0; 2032 2033 for (i = 0; i < num; i++) { 2034 if (kn_verify_assertion(scert, strlen((char *)scert)) 2035 != SIGRESULT_TRUE) { 2036 for (; i < num; i++) 2037 free(foo[i]); 2038 free(foo); 2039 return 0; 2040 } 2041 free(foo[i]); 2042 } 2043 2044 free(foo); 2045 return 1; 2046} 2047 2048/* Add received credentials. */ 2049int 2050keynote_cert_insert(int sid, void *scert) 2051{ 2052 char **foo; 2053 int num; 2054 2055 if (scert == NULL) 2056 return 0; 2057 2058 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2059 if (foo == NULL) 2060 return 0; 2061 2062 while (num--) 2063 kn_add_assertion(sid, foo[num], strlen(foo[num]), 0); 2064 2065 return 1; 2066} 2067 2068/* Just regular memory free. */ 2069void 2070keynote_cert_free(void *cert) 2071{ 2072 free(cert); 2073} 2074 2075/* Verify that the key given to us is valid. */ 2076int 2077keynote_certreq_validate(u_int8_t *data, u_int32_t len) 2078{ 2079 struct keynote_deckey dc; 2080 int err = 1; 2081 char *dat; 2082 2083 dat = calloc(len + 1, sizeof(char)); 2084 if (!dat) { 2085 log_error("keynote_certreq_validate: calloc (%d, %lu) failed", 2086 len + 1, (unsigned long)sizeof(char)); 2087 return 0; 2088 } 2089 memcpy(dat, data, len); 2090 2091 if (kn_decode_key(&dc, dat, KEYNOTE_PUBLIC_KEY) != 0) 2092 err = 0; 2093 else 2094 kn_free_key(&dc); 2095 2096 free(dat); 2097 2098 return err; 2099} 2100 2101/* Beats me what we should be doing with this. */ 2102void * 2103keynote_certreq_decode(u_int8_t *data, u_int32_t len) 2104{ 2105 /* XXX */ 2106 return NULL; 2107} 2108 2109void 2110keynote_free_aca(void *blob) 2111{ 2112 /* XXX */ 2113} 2114 2115int 2116keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, 2117 u_int32_t *certlen) 2118{ 2119 char *dirname, *file, *addr_str; 2120 struct stat sb; 2121 size_t size; 2122 int idtype, fd, len; 2123 2124 if (!id) { 2125 log_print("keynote_cert_obtain: ID is missing"); 2126 return 0; 2127 } 2128 /* Get type of ID. */ 2129 idtype = id[0]; 2130 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2131 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2132 2133 dirname = conf_get_str("KeyNote", "Credential-directory"); 2134 if (!dirname) { 2135 LOG_DBG((LOG_POLICY, 30, 2136 "keynote_cert_obtain: no Credential-directory")); 2137 return 0; 2138 } 2139 len = strlen(dirname) + strlen(CREDENTIAL_FILE) + 3; 2140 2141 switch (idtype) { 2142 case IPSEC_ID_IPV4_ADDR: 2143 case IPSEC_ID_IPV6_ADDR: 2144 util_ntoa(&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? 2145 AF_INET : AF_INET6, id); 2146 if (addr_str == 0) 2147 return 0; 2148 2149 file = calloc(len + strlen(addr_str), sizeof(char)); 2150 if (file == NULL) { 2151 log_error("keynote_cert_obtain: failed to allocate " 2152 "%lu bytes", (unsigned long)len + 2153 strlen(addr_str)); 2154 free(addr_str); 2155 return 0; 2156 } 2157 snprintf(file, len + strlen(addr_str), "%s/%s/%s", dirname, 2158 addr_str, CREDENTIAL_FILE); 2159 free(addr_str); 2160 break; 2161 2162 case IPSEC_ID_FQDN: 2163 case IPSEC_ID_USER_FQDN: { 2164 file = calloc(len + id_len, sizeof(char)); 2165 if (file == NULL) { 2166 log_error("keynote_cert_obtain: " 2167 "failed to allocate %lu bytes", 2168 (unsigned long)len + id_len); 2169 return 0; 2170 } 2171 snprintf(file, len + id_len, "%s/", dirname); 2172 memcpy(file + strlen(dirname) + 1, id, id_len); 2173 snprintf(file + strlen(dirname) + 1 + id_len, 2174 len - strlen(dirname) - 1, "/%s", CREDENTIAL_FILE); 2175 break; 2176 } 2177 2178 default: 2179 return 0; 2180 } 2181 2182 fd = monitor_open(file, O_RDONLY, 0); 2183 if (fd < 0) { 2184 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2185 "failed to open \"%s\"", file)); 2186 free(file); 2187 return 0; 2188 } 2189 2190 if (fstat(fd, &sb) < 0) { 2191 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2192 "failed to stat \"%s\"", file)); 2193 free(file); 2194 close(fd); 2195 return 0; 2196 } 2197 size = (size_t)sb.st_size; 2198 2199 *cert = calloc(size + 1, sizeof(char)); 2200 if (*cert == NULL) { 2201 log_error("keynote_cert_obtain: failed to allocate %lu bytes", 2202 (unsigned long)size); 2203 free(file); 2204 return 0; 2205 } 2206 2207 if (read(fd, *cert, size) != (int)size) { 2208 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2209 "failed to read %lu bytes from \"%s\"", 2210 (unsigned long)size, file)); 2211 free(file); 2212 close(fd); 2213 return 0; 2214 } 2215 close(fd); 2216 free(file); 2217 *certlen = size; 2218 return 1; 2219} 2220 2221/* This should never be called. */ 2222int 2223keynote_cert_get_subjects(void *scert, int *n, u_int8_t ***id, 2224 u_int32_t **id_len) 2225{ 2226 return 0; 2227} 2228 2229/* Get the authorizer key. */ 2230int 2231keynote_cert_get_key(void *scert, void *keyp) 2232{ 2233 struct keynote_keylist *kl; 2234 int sid, kid, num; 2235 char **foo; 2236 2237 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2238 if (foo == NULL || num == 0) { 2239 log_print("keynote_cert_get_key: " 2240 "failed to decompose credentials"); 2241 return 0; 2242 } 2243 kid = kn_init(); 2244 if (kid == -1) { 2245 log_print("keynote_cert_get_key: " 2246 "failed to initialize new policy session"); 2247 while (num--) 2248 free(foo[num]); 2249 free(foo); 2250 return 0; 2251 } 2252 sid = kn_add_assertion(kid, foo[num - 1], strlen(foo[num - 1]), 0); 2253 while (num--) 2254 free(foo[num]); 2255 free(foo); 2256 2257 if (sid == -1) { 2258 log_print("keynote_cert_get_key: failed to add assertion"); 2259 kn_close(kid); 2260 return 0; 2261 } 2262 *(RSA **)keyp = NULL; 2263 2264 kl = kn_get_licensees(kid, sid); 2265 while (kl) { 2266 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA || 2267 kl->key_alg == KEYNOTE_ALGORITHM_X509) { 2268 *(RSA **)keyp = RSAPublicKey_dup(kl->key_key); 2269 break; 2270 } 2271 kl = kl->key_next; 2272 } 2273 2274 kn_remove_assertion(kid, sid); 2275 kn_close(kid); 2276 return *(RSA **)keyp == NULL ? 0 : 1; 2277} 2278 2279void * 2280keynote_cert_dup(void *cert) 2281{ 2282 return strdup((char *)cert); 2283} 2284 2285void 2286keynote_serialize(void *cert, u_int8_t **data, u_int32_t *datalen) 2287{ 2288 *datalen = strlen((char *)cert) + 1; 2289 *data = (u_int8_t *)strdup(cert); /* i.e an extra character at 2290 * the end... */ 2291 if (*data == NULL) 2292 log_error("keynote_serialize: malloc (%d) failed", *datalen); 2293} 2294 2295/* From cert to printable */ 2296char * 2297keynote_printable(void *cert) 2298{ 2299 return strdup((char *)cert); 2300} 2301 2302/* From printable to cert */ 2303void * 2304keynote_from_printable(char *cert) 2305{ 2306 return strdup(cert); 2307} 2308