1 /* $OpenBSD: policy.c,v 1.91 2007/08/05 09:43:09 tom Exp $ */ 2 /* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ 3 4 /* 5 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. 6 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 7 * Copyright (c) 2001 H�kan Olsson. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 /* 31 * This code was written under funding by Ericsson Radio Systems. 32 */ 33 34 #include <sys/types.h> 35 #include <sys/param.h> 36 #include <sys/mman.h> 37 #include <sys/queue.h> 38 #include <sys/stat.h> 39 #include <regex.h> 40 #include <ctype.h> 41 #include <fcntl.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 #include <unistd.h> 46 #include <keynote.h> 47 #include <sys/socket.h> 48 #include <netinet/in.h> 49 #include <arpa/inet.h> 50 #include <errno.h> 51 #include <openssl/ssl.h> 52 #include <netdb.h> 53 54 #include "conf.h" 55 #include "exchange.h" 56 #include "ipsec.h" 57 #include "isakmp_doi.h" 58 #include "sa.h" 59 #include "transport.h" 60 #include "log.h" 61 #include "message.h" 62 #include "monitor.h" 63 #include "util.h" 64 #include "policy.h" 65 #include "x509.h" 66 67 char **policy_asserts = NULL; 68 int ignore_policy = 0; 69 int policy_asserts_num = 0; 70 struct exchange *policy_exchange = 0; 71 struct sa *policy_sa = 0; 72 struct sa *policy_isakmp_sa = 0; 73 74 static const char hextab[] = { 75 '0', '1', '2', '3', '4', '5', '6', '7', 76 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 77 }; 78 79 /* 80 * Adaptation of Vixie's inet_ntop4 () 81 */ 82 static const char * 83 my_inet_ntop4(const in_addr_t *src, char *dst, size_t size, int normalize) 84 { 85 static const char fmt[] = "%03u.%03u.%03u.%03u"; 86 char tmp[sizeof "255.255.255.255"]; 87 in_addr_t src2; 88 int len; 89 90 if (normalize) 91 src2 = ntohl(*src); 92 else 93 src2 = *src; 94 95 len = snprintf(tmp, sizeof tmp, fmt, ((u_int8_t *)&src2)[0], 96 ((u_int8_t *)&src2)[1], ((u_int8_t *)&src2)[2], 97 ((u_int8_t *)&src2)[3]); 98 if (len == -1 || len > (int)size) { 99 errno = ENOSPC; 100 return 0; 101 } 102 strlcpy(dst, tmp, size); 103 return dst; 104 } 105 106 static const char * 107 my_inet_ntop6(const unsigned char *src, char *dst, size_t size) 108 { 109 static const char fmt[] = 110 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x"; 111 char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"]; 112 int len; 113 114 len = snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3], 115 src[4], src[5], src[6], src[7], src[8], src[9], src[10], src[11], 116 src[12], src[13], src[14], src[15]); 117 if (len == -1 || len > (int)size) { 118 errno = ENOSPC; 119 return 0; 120 } 121 strlcpy(dst, tmp, size); 122 return dst; 123 } 124 125 char * 126 policy_callback(char *name) 127 { 128 struct proto *proto; 129 130 u_int8_t *attr, *value, *id, *idlocal, *idremote; 131 size_t id_sz, idlocalsz, idremotesz; 132 struct sockaddr *sin; 133 struct ipsec_exch *ie; 134 struct ipsec_sa *is; 135 size_t i; 136 int fmt, lifetype = 0; 137 in_addr_t net, subnet; 138 u_int16_t len, type; 139 time_t tt; 140 char *addr; 141 static char mytimeofday[15]; 142 143 /* We use all these as a cache. */ 144 #define PMAX 32 145 static char *esp_present, *ah_present, *comp_present; 146 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; 147 static char *comp_alg, ah_life_kbytes[PMAX], ah_life_seconds[PMAX]; 148 static char esp_life_kbytes[PMAX], esp_life_seconds[PMAX]; 149 static char comp_life_kbytes[PMAX]; 150 static char *ah_ecn, *esp_ecn, *comp_ecn; 151 static char comp_life_seconds[PMAX], *ah_encapsulation; 152 static char *esp_encapsulation, *comp_encapsulation; 153 static char ah_key_length[PMAX], esp_key_length[PMAX]; 154 static char ah_key_rounds[PMAX], esp_key_rounds[PMAX]; 155 static char comp_dict_size[PMAX], comp_private_alg[PMAX]; 156 static char *remote_filter_type, *local_filter_type; 157 static char remote_filter_addr_upper[NI_MAXHOST]; 158 static char remote_filter_addr_lower[NI_MAXHOST]; 159 static char local_filter_addr_upper[NI_MAXHOST]; 160 static char local_filter_addr_lower[NI_MAXHOST]; 161 static char ah_group_desc[PMAX], esp_group_desc[PMAX]; 162 static char comp_group_desc[PMAX], remote_ike_address[NI_MAXHOST]; 163 static char local_ike_address[NI_MAXHOST]; 164 static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST]; 165 static char *phase_1, remote_id_addr_lower[NI_MAXHOST]; 166 static char *remote_id_proto, remote_id_port[PMAX]; 167 static char remote_filter_port[PMAX], local_filter_port[PMAX]; 168 static char *remote_filter_proto, *local_filter_proto, *pfs; 169 static char *initiator, remote_filter_proto_num[3]; 170 static char local_filter_proto_num[3], remote_id_proto_num[3]; 171 static char phase1_group[PMAX]; 172 173 /* Allocated. */ 174 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; 175 176 static int dirty = 1; 177 178 /* We only need to set dirty at initialization time really. */ 179 if (strcmp(name, KEYNOTE_CALLBACK_CLEANUP) == 0 || 180 strcmp(name, KEYNOTE_CALLBACK_INITIALIZE) == 0) { 181 esp_present = ah_present = comp_present = pfs = "no"; 182 ah_hash_alg = ah_auth_alg = phase_1 = ""; 183 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; 184 ah_ecn = esp_ecn = comp_ecn = "no"; 185 esp_encapsulation = comp_encapsulation = ""; 186 remote_filter_type = ""; 187 local_filter_type = remote_id_type = initiator = ""; 188 remote_filter_proto = local_filter_proto = ""; 189 remote_id_proto = ""; 190 191 free(remote_filter); 192 remote_filter = 0; 193 free(local_filter); 194 local_filter = 0; 195 free(remote_id); 196 remote_id = 0; 197 198 bzero(remote_ike_address, sizeof remote_ike_address); 199 bzero(local_ike_address, sizeof local_ike_address); 200 bzero(ah_life_kbytes, sizeof ah_life_kbytes); 201 bzero(ah_life_seconds, sizeof ah_life_seconds); 202 bzero(esp_life_kbytes, sizeof esp_life_kbytes); 203 bzero(esp_life_seconds, sizeof esp_life_seconds); 204 bzero(comp_life_kbytes, sizeof comp_life_kbytes); 205 bzero(comp_life_seconds, sizeof comp_life_seconds); 206 bzero(ah_key_length, sizeof ah_key_length); 207 bzero(ah_key_rounds, sizeof ah_key_rounds); 208 bzero(esp_key_length, sizeof esp_key_length); 209 bzero(esp_key_rounds, sizeof esp_key_rounds); 210 bzero(comp_dict_size, sizeof comp_dict_size); 211 bzero(comp_private_alg, sizeof comp_private_alg); 212 bzero(remote_filter_addr_upper, 213 sizeof remote_filter_addr_upper); 214 bzero(remote_filter_addr_lower, 215 sizeof remote_filter_addr_lower); 216 bzero(local_filter_addr_upper, 217 sizeof local_filter_addr_upper); 218 bzero(local_filter_addr_lower, 219 sizeof local_filter_addr_lower); 220 bzero(remote_id_addr_upper, sizeof remote_id_addr_upper); 221 bzero(remote_id_addr_lower, sizeof remote_id_addr_lower); 222 bzero(ah_group_desc, sizeof ah_group_desc); 223 bzero(esp_group_desc, sizeof esp_group_desc); 224 bzero(remote_id_port, sizeof remote_id_port); 225 bzero(remote_filter_port, sizeof remote_filter_port); 226 bzero(local_filter_port, sizeof local_filter_port); 227 bzero(phase1_group, sizeof phase1_group); 228 229 dirty = 1; 230 return ""; 231 } 232 /* 233 * If dirty is set, this is the first request for an attribute, so 234 * populate our value cache. 235 */ 236 if (dirty) { 237 ie = policy_exchange->data; 238 239 if (ie->pfs) 240 pfs = "yes"; 241 242 is = policy_isakmp_sa->data; 243 snprintf(phase1_group, sizeof phase1_group, "%u", 244 is->group_desc); 245 246 for (proto = TAILQ_FIRST(&policy_sa->protos); proto; 247 proto = TAILQ_NEXT(proto, link)) { 248 switch (proto->proto) { 249 case IPSEC_PROTO_IPSEC_AH: 250 ah_present = "yes"; 251 switch (proto->id) { 252 case IPSEC_AH_MD5: 253 ah_hash_alg = "md5"; 254 break; 255 256 case IPSEC_AH_SHA: 257 ah_hash_alg = "sha"; 258 break; 259 260 case IPSEC_AH_RIPEMD: 261 ah_hash_alg = "ripemd"; 262 break; 263 264 case IPSEC_AH_SHA2_256: 265 ah_auth_alg = "sha2-256"; 266 break; 267 268 case IPSEC_AH_SHA2_384: 269 ah_auth_alg = "sha2-384"; 270 break; 271 272 case IPSEC_AH_SHA2_512: 273 ah_auth_alg = "sha2-512"; 274 break; 275 276 case IPSEC_AH_DES: 277 ah_hash_alg = "des"; 278 break; 279 } 280 281 break; 282 283 case IPSEC_PROTO_IPSEC_ESP: 284 esp_present = "yes"; 285 switch (proto->id) { 286 case IPSEC_ESP_DES_IV64: 287 esp_enc_alg = "des-iv64"; 288 break; 289 290 case IPSEC_ESP_DES: 291 esp_enc_alg = "des"; 292 break; 293 294 case IPSEC_ESP_3DES: 295 esp_enc_alg = "3des"; 296 break; 297 298 case IPSEC_ESP_AES: 299 case IPSEC_ESP_AES_128_CTR: 300 esp_enc_alg = "aes"; 301 break; 302 303 case IPSEC_ESP_RC5: 304 esp_enc_alg = "rc5"; 305 break; 306 307 case IPSEC_ESP_IDEA: 308 esp_enc_alg = "idea"; 309 break; 310 311 case IPSEC_ESP_CAST: 312 esp_enc_alg = "cast"; 313 break; 314 315 case IPSEC_ESP_BLOWFISH: 316 esp_enc_alg = "blowfish"; 317 break; 318 319 case IPSEC_ESP_3IDEA: 320 esp_enc_alg = "3idea"; 321 break; 322 323 case IPSEC_ESP_DES_IV32: 324 esp_enc_alg = "des-iv32"; 325 break; 326 327 case IPSEC_ESP_RC4: 328 esp_enc_alg = "rc4"; 329 break; 330 331 case IPSEC_ESP_NULL: 332 esp_enc_alg = "null"; 333 break; 334 } 335 336 break; 337 338 case IPSEC_PROTO_IPCOMP: 339 comp_present = "yes"; 340 switch (proto->id) { 341 case IPSEC_IPCOMP_OUI: 342 comp_alg = "oui"; 343 break; 344 345 case IPSEC_IPCOMP_DEFLATE: 346 comp_alg = "deflate"; 347 break; 348 349 case IPSEC_IPCOMP_LZS: 350 comp_alg = "lzs"; 351 break; 352 353 case IPSEC_IPCOMP_V42BIS: 354 comp_alg = "v42bis"; 355 break; 356 } 357 358 break; 359 } 360 361 for (attr = proto->chosen->p + 362 ISAKMP_TRANSFORM_SA_ATTRS_OFF; 363 attr < proto->chosen->p + 364 GET_ISAKMP_GEN_LENGTH(proto->chosen->p); 365 attr = value + len) { 366 if (attr + ISAKMP_ATTR_VALUE_OFF > 367 (proto->chosen->p + 368 GET_ISAKMP_GEN_LENGTH(proto->chosen->p))) 369 return ""; 370 371 type = GET_ISAKMP_ATTR_TYPE(attr); 372 fmt = ISAKMP_ATTR_FORMAT(type); 373 type = ISAKMP_ATTR_TYPE(type); 374 value = attr + (fmt ? 375 ISAKMP_ATTR_LENGTH_VALUE_OFF : 376 ISAKMP_ATTR_VALUE_OFF); 377 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : 378 GET_ISAKMP_ATTR_LENGTH_VALUE(attr)); 379 380 if (value + len > proto->chosen->p + 381 GET_ISAKMP_GEN_LENGTH(proto->chosen->p)) 382 return ""; 383 384 switch (type) { 385 case IPSEC_ATTR_SA_LIFE_TYPE: 386 lifetype = decode_16(value); 387 break; 388 389 case IPSEC_ATTR_SA_LIFE_DURATION: 390 switch (proto->proto) { 391 case IPSEC_PROTO_IPSEC_AH: 392 if (lifetype == IPSEC_DURATION_SECONDS) { 393 if (len == 2) 394 snprintf(ah_life_seconds, sizeof ah_life_seconds, 395 "%u", decode_16(value)); 396 else 397 snprintf(ah_life_seconds, sizeof ah_life_seconds, 398 "%u", decode_32(value)); 399 } else { 400 if (len == 2) 401 snprintf(ah_life_kbytes, sizeof ah_life_kbytes, 402 "%u", decode_16(value)); 403 else 404 snprintf(ah_life_kbytes, sizeof ah_life_kbytes, 405 "%u", decode_32(value)); 406 } 407 408 break; 409 410 case IPSEC_PROTO_IPSEC_ESP: 411 if (lifetype == IPSEC_DURATION_SECONDS) { 412 if (len == 2) 413 snprintf(esp_life_seconds, 414 sizeof esp_life_seconds, "%u", 415 decode_16(value)); 416 else 417 snprintf(esp_life_seconds, 418 sizeof esp_life_seconds, "%u", 419 decode_32(value)); 420 } else { 421 if (len == 2) 422 snprintf(esp_life_kbytes, 423 sizeof esp_life_kbytes, "%u", 424 decode_16(value)); 425 else 426 snprintf(esp_life_kbytes, 427 sizeof esp_life_kbytes, "%u", 428 decode_32(value)); 429 } 430 431 break; 432 433 case IPSEC_PROTO_IPCOMP: 434 if (lifetype == IPSEC_DURATION_SECONDS) { 435 if (len == 2) 436 snprintf(comp_life_seconds, 437 sizeof comp_life_seconds, "%u", 438 decode_16(value)); 439 else 440 snprintf(comp_life_seconds, 441 sizeof comp_life_seconds, "%u", 442 decode_32(value)); 443 } else { 444 if (len == 2) 445 snprintf(comp_life_kbytes, 446 sizeof comp_life_kbytes, "%u", 447 decode_16(value)); 448 else 449 snprintf(comp_life_kbytes, 450 sizeof comp_life_kbytes, "%u", 451 decode_32(value)); 452 } 453 break; 454 } 455 break; 456 457 case IPSEC_ATTR_GROUP_DESCRIPTION: 458 switch (proto->proto) { 459 case IPSEC_PROTO_IPSEC_AH: 460 snprintf(ah_group_desc, 461 sizeof ah_group_desc, "%u", 462 decode_16(value)); 463 break; 464 465 case IPSEC_PROTO_IPSEC_ESP: 466 snprintf(esp_group_desc, 467 sizeof esp_group_desc, "%u", 468 decode_16(value)); 469 break; 470 471 case IPSEC_PROTO_IPCOMP: 472 snprintf(comp_group_desc, 473 sizeof comp_group_desc, "%u", 474 decode_16(value)); 475 break; 476 } 477 break; 478 479 case IPSEC_ATTR_ECN_TUNNEL: 480 if (decode_16(value)) 481 switch (proto->proto) { 482 case IPSEC_PROTO_IPSEC_AH: 483 ah_ecn = "yes"; 484 break; 485 486 case IPSEC_PROTO_IPSEC_ESP: 487 esp_ecn = "yes"; 488 break; 489 490 case IPSEC_PROTO_IPCOMP: 491 comp_ecn = "yes"; 492 break; 493 } 494 495 case IPSEC_ATTR_ENCAPSULATION_MODE: 496 if (decode_16(value) == IPSEC_ENCAP_TUNNEL) 497 switch (proto->proto) { 498 case IPSEC_PROTO_IPSEC_AH: 499 ah_encapsulation = "tunnel"; 500 break; 501 502 case IPSEC_PROTO_IPSEC_ESP: 503 esp_encapsulation = "tunnel"; 504 break; 505 506 case IPSEC_PROTO_IPCOMP: 507 comp_encapsulation = "tunnel"; 508 break; 509 } 510 else if (decode_16(value) == 511 IPSEC_ENCAP_UDP_ENCAP_TUNNEL || 512 decode_16(value) == 513 IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT) 514 switch (proto->proto) { 515 case IPSEC_PROTO_IPSEC_AH: 516 ah_encapsulation = "udp-encap-tunnel"; 517 break; 518 519 case IPSEC_PROTO_IPSEC_ESP: 520 esp_encapsulation = "udp-encap-tunnel"; 521 break; 522 523 case IPSEC_PROTO_IPCOMP: 524 comp_encapsulation = "udp-encap-tunnel"; 525 break; 526 } 527 /* XXX IPSEC_ENCAP_UDP_ENCAP_TRANSPORT */ 528 else 529 switch (proto->proto) { 530 case IPSEC_PROTO_IPSEC_AH: 531 ah_encapsulation = "transport"; 532 break; 533 534 case IPSEC_PROTO_IPSEC_ESP: 535 esp_encapsulation = "transport"; 536 break; 537 538 case IPSEC_PROTO_IPCOMP: 539 comp_encapsulation = "transport"; 540 break; 541 } 542 break; 543 544 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: 545 switch (proto->proto) { 546 case IPSEC_PROTO_IPSEC_AH: 547 switch (decode_16(value)) { 548 case IPSEC_AUTH_HMAC_MD5: 549 ah_auth_alg = "hmac-md5"; 550 break; 551 552 case IPSEC_AUTH_HMAC_SHA: 553 ah_auth_alg = "hmac-sha"; 554 break; 555 556 case IPSEC_AUTH_HMAC_RIPEMD: 557 ah_auth_alg = "hmac-ripemd"; 558 break; 559 560 case IPSEC_AUTH_HMAC_SHA2_256: 561 ah_auth_alg = "hmac-sha2-256"; 562 break; 563 564 case IPSEC_AUTH_HMAC_SHA2_384: 565 ah_auth_alg = "hmac-sha2-384"; 566 break; 567 568 case IPSEC_AUTH_HMAC_SHA2_512: 569 ah_auth_alg = "hmac-sha2-512"; 570 break; 571 572 case IPSEC_AUTH_DES_MAC: 573 ah_auth_alg = "des-mac"; 574 break; 575 576 case IPSEC_AUTH_KPDK: 577 ah_auth_alg = "kpdk"; 578 break; 579 } 580 break; 581 582 case IPSEC_PROTO_IPSEC_ESP: 583 switch (decode_16(value)) { 584 case IPSEC_AUTH_HMAC_MD5: 585 esp_auth_alg = "hmac-md5"; 586 break; 587 588 case IPSEC_AUTH_HMAC_SHA: 589 esp_auth_alg = "hmac-sha"; 590 break; 591 592 case IPSEC_AUTH_HMAC_RIPEMD: 593 esp_auth_alg = "hmac-ripemd"; 594 break; 595 596 case IPSEC_AUTH_HMAC_SHA2_256: 597 esp_auth_alg = "hmac-sha2-256"; 598 break; 599 600 case IPSEC_AUTH_HMAC_SHA2_384: 601 esp_auth_alg = "hmac-sha2-384"; 602 break; 603 604 case IPSEC_AUTH_HMAC_SHA2_512: 605 esp_auth_alg = "hmac-sha2-512"; 606 break; 607 608 case IPSEC_AUTH_DES_MAC: 609 esp_auth_alg = "des-mac"; 610 break; 611 612 case IPSEC_AUTH_KPDK: 613 esp_auth_alg = "kpdk"; 614 break; 615 } 616 break; 617 } 618 break; 619 620 case IPSEC_ATTR_KEY_LENGTH: 621 switch (proto->proto) { 622 case IPSEC_PROTO_IPSEC_AH: 623 snprintf(ah_key_length, 624 sizeof ah_key_length, "%u", 625 decode_16(value)); 626 break; 627 628 case IPSEC_PROTO_IPSEC_ESP: 629 snprintf(esp_key_length, 630 sizeof esp_key_length, "%u", 631 decode_16(value)); 632 break; 633 } 634 break; 635 636 case IPSEC_ATTR_KEY_ROUNDS: 637 switch (proto->proto) { 638 case IPSEC_PROTO_IPSEC_AH: 639 snprintf(ah_key_rounds, 640 sizeof ah_key_rounds, "%u", 641 decode_16(value)); 642 break; 643 644 case IPSEC_PROTO_IPSEC_ESP: 645 snprintf(esp_key_rounds, 646 sizeof esp_key_rounds, "%u", 647 decode_16(value)); 648 break; 649 } 650 break; 651 652 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: 653 snprintf(comp_dict_size, 654 sizeof comp_dict_size, "%u", 655 decode_16(value)); 656 break; 657 658 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: 659 snprintf(comp_private_alg, 660 sizeof comp_private_alg, "%u", 661 decode_16(value)); 662 break; 663 } 664 } 665 } 666 667 policy_sa->transport->vtbl->get_src(policy_sa->transport, 668 &sin); 669 if (sockaddr2text(sin, &addr, 1)) { 670 log_error("policy_callback: sockaddr2text failed"); 671 goto bad; 672 } 673 strlcpy(local_ike_address, addr, sizeof local_ike_address); 674 free(addr); 675 676 policy_sa->transport->vtbl->get_dst(policy_sa->transport, 677 &sin); 678 if (sockaddr2text(sin, &addr, 1)) { 679 log_error("policy_callback: sockaddr2text failed"); 680 goto bad; 681 } 682 strlcpy(remote_ike_address, addr, sizeof remote_ike_address); 683 free(addr); 684 685 switch (policy_isakmp_sa->exch_type) { 686 case ISAKMP_EXCH_AGGRESSIVE: 687 phase_1 = "aggressive"; 688 break; 689 690 case ISAKMP_EXCH_ID_PROT: 691 phase_1 = "main"; 692 break; 693 } 694 695 if (policy_isakmp_sa->initiator) { 696 id = policy_isakmp_sa->id_r; 697 id_sz = policy_isakmp_sa->id_r_len; 698 } else { 699 id = policy_isakmp_sa->id_i; 700 id_sz = policy_isakmp_sa->id_i_len; 701 } 702 703 switch (id[0]) { 704 case IPSEC_ID_IPV4_ADDR: 705 remote_id_type = "IPv4 address"; 706 707 net = decode_32(id + ISAKMP_ID_DATA_OFF - 708 ISAKMP_GEN_SZ); 709 my_inet_ntop4(&net, remote_id_addr_upper, 710 sizeof remote_id_addr_upper - 1, 1); 711 my_inet_ntop4(&net, remote_id_addr_lower, 712 sizeof remote_id_addr_lower - 1, 1); 713 remote_id = strdup(remote_id_addr_upper); 714 if (!remote_id) { 715 log_error("policy_callback: " 716 "strdup (\"%s\") failed", 717 remote_id_addr_upper); 718 goto bad; 719 } 720 break; 721 722 case IPSEC_ID_IPV4_RANGE: 723 remote_id_type = "IPv4 range"; 724 725 net = decode_32(id + ISAKMP_ID_DATA_OFF - 726 ISAKMP_GEN_SZ); 727 my_inet_ntop4(&net, remote_id_addr_lower, 728 sizeof remote_id_addr_lower - 1, 1); 729 net = decode_32(id + ISAKMP_ID_DATA_OFF - 730 ISAKMP_GEN_SZ + 4); 731 my_inet_ntop4(&net, remote_id_addr_upper, 732 sizeof remote_id_addr_upper - 1, 1); 733 len = strlen(remote_id_addr_upper) + 734 strlen(remote_id_addr_lower) + 2; 735 remote_id = calloc(len, sizeof(char)); 736 if (!remote_id) { 737 log_error("policy_callback: " 738 "calloc (%d, %lu) failed", len, 739 (unsigned long)sizeof(char)); 740 goto bad; 741 } 742 strlcpy(remote_id, remote_id_addr_lower, len); 743 strlcat(remote_id, "-", len); 744 strlcat(remote_id, remote_id_addr_upper, len); 745 break; 746 747 case IPSEC_ID_IPV4_ADDR_SUBNET: 748 remote_id_type = "IPv4 subnet"; 749 750 net = decode_32(id + ISAKMP_ID_DATA_OFF - 751 ISAKMP_GEN_SZ); 752 subnet = decode_32(id + ISAKMP_ID_DATA_OFF - 753 ISAKMP_GEN_SZ + 4); 754 net &= subnet; 755 my_inet_ntop4(&net, remote_id_addr_lower, 756 sizeof remote_id_addr_lower - 1, 1); 757 net |= ~subnet; 758 my_inet_ntop4(&net, remote_id_addr_upper, 759 sizeof remote_id_addr_upper - 1, 1); 760 len = strlen(remote_id_addr_upper) + 761 strlen(remote_id_addr_lower) + 2; 762 remote_id = calloc(len, sizeof(char)); 763 if (!remote_id) { 764 log_error("policy_callback: " 765 "calloc (%d, %lu) failed", len, 766 (unsigned long)sizeof(char)); 767 goto bad; 768 } 769 strlcpy(remote_id, remote_id_addr_lower, len); 770 strlcat(remote_id, "-", len); 771 strlcat(remote_id, remote_id_addr_upper, len); 772 break; 773 774 case IPSEC_ID_IPV6_ADDR: 775 remote_id_type = "IPv6 address"; 776 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 777 remote_id_addr_upper, sizeof remote_id_addr_upper); 778 strlcpy(remote_id_addr_lower, remote_id_addr_upper, 779 sizeof remote_id_addr_lower); 780 remote_id = strdup(remote_id_addr_upper); 781 if (!remote_id) { 782 log_error("policy_callback: " 783 "strdup (\"%s\") failed", 784 remote_id_addr_upper); 785 goto bad; 786 } 787 break; 788 789 case IPSEC_ID_IPV6_RANGE: 790 remote_id_type = "IPv6 range"; 791 792 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 793 remote_id_addr_lower, 794 sizeof remote_id_addr_lower - 1); 795 796 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - 797 ISAKMP_GEN_SZ + 16, remote_id_addr_upper, 798 sizeof remote_id_addr_upper - 1); 799 800 len = strlen(remote_id_addr_upper) + 801 strlen(remote_id_addr_lower) + 2; 802 remote_id = calloc(len, sizeof(char)); 803 if (!remote_id) { 804 log_error("policy_callback: " 805 "calloc (%d, %lu) failed", len, 806 (unsigned long)sizeof(char)); 807 goto bad; 808 } 809 strlcpy(remote_id, remote_id_addr_lower, len); 810 strlcat(remote_id, "-", len); 811 strlcat(remote_id, remote_id_addr_upper, len); 812 break; 813 814 case IPSEC_ID_IPV6_ADDR_SUBNET: 815 { 816 struct in6_addr net, mask; 817 818 remote_id_type = "IPv6 subnet"; 819 820 bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, &net, 821 sizeof(net)); 822 bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, 823 &mask, sizeof(mask)); 824 825 for (i = 0; i < 16; i++) 826 net.s6_addr[i] &= mask.s6_addr[i]; 827 828 my_inet_ntop6((unsigned char *)&net, 829 remote_id_addr_lower, 830 sizeof remote_id_addr_lower - 1); 831 832 for (i = 0; i < 16; i++) 833 net.s6_addr[i] |= ~mask.s6_addr[i]; 834 835 my_inet_ntop6((unsigned char *)&net, 836 remote_id_addr_upper, 837 sizeof remote_id_addr_upper - 1); 838 839 len = strlen(remote_id_addr_upper) + 840 strlen(remote_id_addr_lower) + 2; 841 remote_id = calloc(len, sizeof(char)); 842 if (!remote_id) { 843 log_error("policy_callback: " 844 "calloc (%d, %lu) failed", len, 845 (unsigned long)sizeof(char)); 846 goto bad; 847 } 848 strlcpy(remote_id, remote_id_addr_lower, len); 849 strlcat(remote_id, "-", len); 850 strlcat(remote_id, remote_id_addr_upper, len); 851 break; 852 } 853 854 case IPSEC_ID_FQDN: 855 remote_id_type = "FQDN"; 856 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF + 857 ISAKMP_GEN_SZ + 1, sizeof(char)); 858 if (!remote_id) { 859 log_error("policy_callback: " 860 "calloc (%lu, %lu) failed", 861 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + 862 ISAKMP_GEN_SZ + 1, 863 (unsigned long)sizeof(char)); 864 goto bad; 865 } 866 memcpy(remote_id, 867 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 868 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 869 break; 870 871 case IPSEC_ID_USER_FQDN: 872 remote_id_type = "User FQDN"; 873 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF + 874 ISAKMP_GEN_SZ + 1, sizeof(char)); 875 if (!remote_id) { 876 log_error("policy_callback: " 877 "calloc (%lu, %lu) failed", 878 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + 879 ISAKMP_GEN_SZ + 1, 880 (unsigned long)sizeof(char)); 881 goto bad; 882 } 883 memcpy(remote_id, 884 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 885 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 886 break; 887 888 case IPSEC_ID_DER_ASN1_DN: 889 remote_id_type = "ASN1 DN"; 890 891 remote_id = x509_DN_string(id + ISAKMP_ID_DATA_OFF - 892 ISAKMP_GEN_SZ, 893 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 894 if (!remote_id) { 895 LOG_DBG((LOG_POLICY, 50, 896 "policy_callback: failed to decode name")); 897 goto bad; 898 } 899 break; 900 901 case IPSEC_ID_DER_ASN1_GN: /* XXX */ 902 remote_id_type = "ASN1 GN"; 903 break; 904 905 case IPSEC_ID_KEY_ID: 906 remote_id_type = "Key ID"; 907 remote_id = calloc(2 * (id_sz - ISAKMP_ID_DATA_OFF + 908 ISAKMP_GEN_SZ) + 1, sizeof(char)); 909 if (!remote_id) { 910 log_error("policy_callback: " 911 "calloc (%lu, %lu) failed", 912 2 * ((unsigned long)id_sz - 913 ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 914 (unsigned long)sizeof(char)); 915 goto bad; 916 } 917 /* Does it contain any non-printable characters ? */ 918 for (i = 0; 919 i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; 920 i++) 921 if (!isprint(*(id + ISAKMP_ID_DATA_OFF - 922 ISAKMP_GEN_SZ + i))) 923 break; 924 if (i >= id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) { 925 memcpy(remote_id, id + ISAKMP_ID_DATA_OFF - 926 ISAKMP_GEN_SZ, 927 id_sz - ISAKMP_ID_DATA_OFF + 928 ISAKMP_GEN_SZ); 929 break; 930 } 931 /* Non-printable characters, convert to hex */ 932 for (i = 0; 933 i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; 934 i++) { 935 remote_id[2 * i] = hextab[*(id + 936 ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]; 937 remote_id[2 * i + 1] = hextab[*(id + 938 ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF]; 939 } 940 break; 941 942 default: 943 log_print("policy_callback: " 944 "unknown remote ID type %u", id[0]); 945 goto bad; 946 } 947 948 switch (id[1]) { 949 case IPPROTO_TCP: 950 remote_id_proto = "tcp"; 951 break; 952 953 case IPPROTO_UDP: 954 remote_id_proto = "udp"; 955 break; 956 957 case IPPROTO_ETHERIP: 958 remote_id_proto = "etherip"; 959 break; 960 961 default: 962 snprintf(remote_id_proto_num, 963 sizeof remote_id_proto_num, "%d", 964 id[1]); 965 remote_id_proto = remote_id_proto_num; 966 break; 967 } 968 969 snprintf(remote_id_port, sizeof remote_id_port, "%u", 970 decode_16(id + 2)); 971 972 if (policy_exchange->initiator) { 973 initiator = "yes"; 974 idlocal = ie->id_ci; 975 idremote = ie->id_cr; 976 idlocalsz = ie->id_ci_sz; 977 idremotesz = ie->id_cr_sz; 978 } else { 979 initiator = "no"; 980 idlocal = ie->id_cr; 981 idremote = ie->id_ci; 982 idlocalsz = ie->id_cr_sz; 983 idremotesz = ie->id_ci_sz; 984 } 985 986 /* Initialize the ID variables. */ 987 if (idremote) { 988 switch (GET_ISAKMP_ID_TYPE(idremote)) { 989 case IPSEC_ID_IPV4_ADDR: 990 remote_filter_type = "IPv4 address"; 991 992 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 993 my_inet_ntop4(&net, remote_filter_addr_upper, 994 sizeof remote_filter_addr_upper - 1, 1); 995 my_inet_ntop4(&net, remote_filter_addr_lower, 996 sizeof remote_filter_addr_lower - 1, 1); 997 remote_filter = 998 strdup(remote_filter_addr_upper); 999 if (!remote_filter) { 1000 log_error("policy_callback: strdup " 1001 "(\"%s\") failed", 1002 remote_filter_addr_upper); 1003 goto bad; 1004 } 1005 break; 1006 1007 case IPSEC_ID_IPV4_RANGE: 1008 remote_filter_type = "IPv4 range"; 1009 1010 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 1011 my_inet_ntop4(&net, remote_filter_addr_lower, 1012 sizeof remote_filter_addr_lower - 1, 1); 1013 net = decode_32(idremote + ISAKMP_ID_DATA_OFF + 1014 4); 1015 my_inet_ntop4(&net, remote_filter_addr_upper, 1016 sizeof remote_filter_addr_upper - 1, 1); 1017 len = strlen(remote_filter_addr_upper) + 1018 strlen(remote_filter_addr_lower) + 2; 1019 remote_filter = calloc(len, sizeof(char)); 1020 if (!remote_filter) { 1021 log_error("policy_callback: calloc " 1022 "(%d, %lu) failed", len, 1023 (unsigned long)sizeof(char)); 1024 goto bad; 1025 } 1026 strlcpy(remote_filter, 1027 remote_filter_addr_lower, len); 1028 strlcat(remote_filter, "-", len); 1029 strlcat(remote_filter, 1030 remote_filter_addr_upper, len); 1031 break; 1032 1033 case IPSEC_ID_IPV4_ADDR_SUBNET: 1034 remote_filter_type = "IPv4 subnet"; 1035 1036 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 1037 subnet = decode_32(idremote + 1038 ISAKMP_ID_DATA_OFF + 4); 1039 net &= subnet; 1040 my_inet_ntop4(&net, remote_filter_addr_lower, 1041 sizeof remote_filter_addr_lower - 1, 1); 1042 net |= ~subnet; 1043 my_inet_ntop4(&net, remote_filter_addr_upper, 1044 sizeof remote_filter_addr_upper - 1, 1); 1045 len = strlen(remote_filter_addr_upper) + 1046 strlen(remote_filter_addr_lower) + 2; 1047 remote_filter = calloc(len, sizeof(char)); 1048 if (!remote_filter) { 1049 log_error("policy_callback: calloc " 1050 "(%d, %lu) failed", len, 1051 (unsigned long)sizeof(char)); 1052 goto bad; 1053 } 1054 strlcpy(remote_filter, 1055 remote_filter_addr_lower, len); 1056 strlcat(remote_filter, "-", len); 1057 strlcat(remote_filter, 1058 remote_filter_addr_upper, len); 1059 break; 1060 1061 case IPSEC_ID_IPV6_ADDR: 1062 remote_filter_type = "IPv6 address"; 1063 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF, 1064 remote_filter_addr_upper, 1065 sizeof remote_filter_addr_upper - 1); 1066 strlcpy(remote_filter_addr_lower, 1067 remote_filter_addr_upper, 1068 sizeof remote_filter_addr_lower); 1069 remote_filter = 1070 strdup(remote_filter_addr_upper); 1071 if (!remote_filter) { 1072 log_error("policy_callback: strdup " 1073 "(\"%s\") failed", 1074 remote_filter_addr_upper); 1075 goto bad; 1076 } 1077 break; 1078 1079 case IPSEC_ID_IPV6_RANGE: 1080 remote_filter_type = "IPv6 range"; 1081 1082 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF, 1083 remote_filter_addr_lower, 1084 sizeof remote_filter_addr_lower - 1); 1085 1086 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF + 1087 16, remote_filter_addr_upper, 1088 sizeof remote_filter_addr_upper - 1); 1089 1090 len = strlen(remote_filter_addr_upper) + 1091 strlen(remote_filter_addr_lower) + 2; 1092 remote_filter = calloc(len, sizeof(char)); 1093 if (!remote_filter) { 1094 log_error("policy_callback: calloc " 1095 "(%d, %lu) failed", len, 1096 (unsigned long)sizeof(char)); 1097 goto bad; 1098 } 1099 strlcpy(remote_filter, 1100 remote_filter_addr_lower, len); 1101 strlcat(remote_filter, "-", len); 1102 strlcat(remote_filter, 1103 remote_filter_addr_upper, len); 1104 break; 1105 1106 case IPSEC_ID_IPV6_ADDR_SUBNET: 1107 { 1108 struct in6_addr net, mask; 1109 1110 remote_filter_type = "IPv6 subnet"; 1111 1112 bcopy(idremote + ISAKMP_ID_DATA_OFF, 1113 &net, sizeof(net)); 1114 bcopy(idremote + ISAKMP_ID_DATA_OFF + 1115 16, &mask, sizeof(mask)); 1116 1117 for (i = 0; i < 16; i++) 1118 net.s6_addr[i] &= 1119 mask.s6_addr[i]; 1120 1121 my_inet_ntop6((unsigned char *)&net, 1122 remote_filter_addr_lower, 1123 sizeof remote_filter_addr_lower - 1); 1124 1125 for (i = 0; i < 16; i++) 1126 net.s6_addr[i] |= 1127 ~mask.s6_addr[i]; 1128 1129 my_inet_ntop6((unsigned char *)&net, 1130 remote_filter_addr_upper, 1131 sizeof remote_filter_addr_upper - 1); 1132 1133 len = strlen(remote_filter_addr_upper) 1134 + strlen(remote_filter_addr_lower) + 2; 1135 remote_filter = calloc(len, 1136 sizeof(char)); 1137 if (!remote_filter) { 1138 log_error("policy_callback: " 1139 "calloc (%d, %lu) failed", 1140 len, 1141 (unsigned long)sizeof(char)); 1142 goto bad; 1143 } 1144 strlcpy(remote_filter, 1145 remote_filter_addr_lower, len); 1146 strlcat(remote_filter, "-", len); 1147 strlcat(remote_filter, 1148 remote_filter_addr_upper, len); 1149 break; 1150 } 1151 1152 case IPSEC_ID_FQDN: 1153 remote_filter_type = "FQDN"; 1154 remote_filter = malloc(idremotesz - 1155 ISAKMP_ID_DATA_OFF + 1); 1156 if (!remote_filter) { 1157 log_error("policy_callback: " 1158 "malloc (%lu) failed", 1159 (unsigned long)idremotesz - 1160 ISAKMP_ID_DATA_OFF + 1); 1161 goto bad; 1162 } 1163 memcpy(remote_filter, 1164 idremote + ISAKMP_ID_DATA_OFF, 1165 idremotesz - ISAKMP_ID_DATA_OFF); 1166 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] 1167 = '\0'; 1168 break; 1169 1170 case IPSEC_ID_USER_FQDN: 1171 remote_filter_type = "User FQDN"; 1172 remote_filter = malloc(idremotesz - 1173 ISAKMP_ID_DATA_OFF + 1); 1174 if (!remote_filter) { 1175 log_error("policy_callback: " 1176 "malloc (%lu) failed", 1177 (unsigned long)idremotesz - 1178 ISAKMP_ID_DATA_OFF + 1); 1179 goto bad; 1180 } 1181 memcpy(remote_filter, 1182 idremote + ISAKMP_ID_DATA_OFF, 1183 idremotesz - ISAKMP_ID_DATA_OFF); 1184 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] 1185 = '\0'; 1186 break; 1187 1188 case IPSEC_ID_DER_ASN1_DN: 1189 remote_filter_type = "ASN1 DN"; 1190 1191 remote_filter = x509_DN_string(idremote + 1192 ISAKMP_ID_DATA_OFF, 1193 idremotesz - ISAKMP_ID_DATA_OFF); 1194 if (!remote_filter) { 1195 LOG_DBG((LOG_POLICY, 50, 1196 "policy_callback: " 1197 "failed to decode name")); 1198 goto bad; 1199 } 1200 break; 1201 1202 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure 1203 * what's in this. */ 1204 remote_filter_type = "ASN1 GN"; 1205 break; 1206 1207 case IPSEC_ID_KEY_ID: 1208 remote_filter_type = "Key ID"; 1209 remote_filter 1210 = calloc(2 * (idremotesz - 1211 ISAKMP_ID_DATA_OFF) + 1, 1212 sizeof(char)); 1213 if (!remote_filter) { 1214 log_error("policy_callback: " 1215 "calloc (%lu, %lu) failed", 1216 2 * ((unsigned long)idremotesz - 1217 ISAKMP_ID_DATA_OFF) + 1, 1218 (unsigned long)sizeof(char)); 1219 goto bad; 1220 } 1221 /* 1222 * Does it contain any non-printable 1223 * characters ? 1224 */ 1225 for (i = 0; 1226 i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1227 if (!isprint(*(idremote + 1228 ISAKMP_ID_DATA_OFF + i))) 1229 break; 1230 if (i >= idremotesz - ISAKMP_ID_DATA_OFF) { 1231 memcpy(remote_filter, 1232 idremote + ISAKMP_ID_DATA_OFF, 1233 idremotesz - ISAKMP_ID_DATA_OFF); 1234 break; 1235 } 1236 /* Non-printable characters, convert to hex */ 1237 for (i = 0; 1238 i < idremotesz - ISAKMP_ID_DATA_OFF; 1239 i++) { 1240 remote_filter[2 * i] 1241 = hextab[*(idremote + 1242 ISAKMP_ID_DATA_OFF) >> 4]; 1243 remote_filter[2 * i + 1] 1244 = hextab[*(idremote + 1245 ISAKMP_ID_DATA_OFF) & 0xF]; 1246 } 1247 break; 1248 1249 default: 1250 log_print("policy_callback: " 1251 "unknown Remote ID type %u", 1252 GET_ISAKMP_ID_TYPE(idremote)); 1253 goto bad; 1254 } 1255 1256 switch (idremote[ISAKMP_GEN_SZ + 1]) { 1257 case IPPROTO_TCP: 1258 remote_filter_proto = "tcp"; 1259 break; 1260 1261 case IPPROTO_UDP: 1262 remote_filter_proto = "udp"; 1263 break; 1264 1265 case IPPROTO_ETHERIP: 1266 remote_filter_proto = "etherip"; 1267 break; 1268 1269 default: 1270 snprintf(remote_filter_proto_num, 1271 sizeof remote_filter_proto_num, "%d", 1272 idremote[ISAKMP_GEN_SZ + 1]); 1273 remote_filter_proto = remote_filter_proto_num; 1274 break; 1275 } 1276 1277 snprintf(remote_filter_port, sizeof remote_filter_port, 1278 "%u", decode_16(idremote + ISAKMP_GEN_SZ + 2)); 1279 } else { 1280 policy_sa->transport->vtbl->get_dst(policy_sa->transport, &sin); 1281 switch (sin->sa_family) { 1282 case AF_INET: 1283 remote_filter_type = "IPv4 address"; 1284 break; 1285 case AF_INET6: 1286 remote_filter_type = "IPv6 address"; 1287 break; 1288 default: 1289 log_print("policy_callback: " 1290 "unsupported protocol family %d", 1291 sin->sa_family); 1292 goto bad; 1293 } 1294 if (sockaddr2text(sin, &addr, 1)) { 1295 log_error("policy_callback: " 1296 "sockaddr2text failed"); 1297 goto bad; 1298 } 1299 memcpy(remote_filter_addr_upper, addr, 1300 sizeof remote_filter_addr_upper); 1301 memcpy(remote_filter_addr_lower, addr, 1302 sizeof remote_filter_addr_lower); 1303 free(addr); 1304 remote_filter = strdup(remote_filter_addr_upper); 1305 if (!remote_filter) { 1306 log_error("policy_callback: " 1307 "strdup (\"%s\") failed", 1308 remote_filter_addr_upper); 1309 goto bad; 1310 } 1311 } 1312 1313 if (idlocal) { 1314 switch (GET_ISAKMP_ID_TYPE(idlocal)) { 1315 case IPSEC_ID_IPV4_ADDR: 1316 local_filter_type = "IPv4 address"; 1317 1318 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1319 my_inet_ntop4(&net, local_filter_addr_upper, 1320 sizeof local_filter_addr_upper - 1, 1); 1321 my_inet_ntop4(&net, local_filter_addr_lower, 1322 sizeof local_filter_addr_upper - 1, 1); 1323 local_filter = strdup(local_filter_addr_upper); 1324 if (!local_filter) { 1325 log_error("policy_callback: " 1326 "strdup (\"%s\") failed", 1327 local_filter_addr_upper); 1328 goto bad; 1329 } 1330 break; 1331 1332 case IPSEC_ID_IPV4_RANGE: 1333 local_filter_type = "IPv4 range"; 1334 1335 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1336 my_inet_ntop4(&net, local_filter_addr_lower, 1337 sizeof local_filter_addr_lower - 1, 1); 1338 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF + 1339 4); 1340 my_inet_ntop4(&net, local_filter_addr_upper, 1341 sizeof local_filter_addr_upper - 1, 1); 1342 len = strlen(local_filter_addr_upper) 1343 + strlen(local_filter_addr_lower) + 2; 1344 local_filter = calloc(len, sizeof(char)); 1345 if (!local_filter) { 1346 log_error("policy_callback: " 1347 "calloc (%d, %lu) failed", len, 1348 (unsigned long)sizeof(char)); 1349 goto bad; 1350 } 1351 strlcpy(local_filter, local_filter_addr_lower, 1352 len); 1353 strlcat(local_filter, "-", len); 1354 strlcat(local_filter, local_filter_addr_upper, 1355 len); 1356 break; 1357 1358 case IPSEC_ID_IPV4_ADDR_SUBNET: 1359 local_filter_type = "IPv4 subnet"; 1360 1361 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1362 subnet = decode_32(idlocal + 1363 ISAKMP_ID_DATA_OFF + 4); 1364 net &= subnet; 1365 my_inet_ntop4(&net, local_filter_addr_lower, 1366 sizeof local_filter_addr_lower - 1, 1); 1367 net |= ~subnet; 1368 my_inet_ntop4(&net, local_filter_addr_upper, 1369 sizeof local_filter_addr_upper - 1, 1); 1370 len = strlen(local_filter_addr_upper) + 1371 strlen(local_filter_addr_lower) + 2; 1372 local_filter = calloc(len, sizeof(char)); 1373 if (!local_filter) { 1374 log_error("policy_callback: " 1375 "calloc (%d, %lu) failed", len, 1376 (unsigned long)sizeof(char)); 1377 goto bad; 1378 } 1379 strlcpy(local_filter, local_filter_addr_lower, 1380 len); 1381 strlcat(local_filter, "-", len); 1382 strlcat(local_filter, local_filter_addr_upper, 1383 len); 1384 break; 1385 1386 case IPSEC_ID_IPV6_ADDR: 1387 local_filter_type = "IPv6 address"; 1388 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF, 1389 local_filter_addr_upper, 1390 sizeof local_filter_addr_upper - 1); 1391 strlcpy(local_filter_addr_lower, 1392 local_filter_addr_upper, 1393 sizeof local_filter_addr_lower); 1394 local_filter = strdup(local_filter_addr_upper); 1395 if (!local_filter) { 1396 log_error("policy_callback: " 1397 "strdup (\"%s\") failed", 1398 local_filter_addr_upper); 1399 goto bad; 1400 } 1401 break; 1402 1403 case IPSEC_ID_IPV6_RANGE: 1404 local_filter_type = "IPv6 range"; 1405 1406 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF, 1407 local_filter_addr_lower, 1408 sizeof local_filter_addr_lower - 1); 1409 1410 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF + 1411 16, local_filter_addr_upper, 1412 sizeof local_filter_addr_upper - 1); 1413 1414 len = strlen(local_filter_addr_upper) 1415 + strlen(local_filter_addr_lower) + 2; 1416 local_filter = calloc(len, sizeof(char)); 1417 if (!local_filter) { 1418 log_error("policy_callback: " 1419 "calloc (%d, %lu) failed", len, 1420 (unsigned long)sizeof(char)); 1421 goto bad; 1422 } 1423 strlcpy(local_filter, local_filter_addr_lower, 1424 len); 1425 strlcat(local_filter, "-", len); 1426 strlcat(local_filter, local_filter_addr_upper, 1427 len); 1428 break; 1429 1430 case IPSEC_ID_IPV6_ADDR_SUBNET: 1431 { 1432 struct in6_addr net, mask; 1433 1434 local_filter_type = "IPv6 subnet"; 1435 1436 bcopy(idlocal + ISAKMP_ID_DATA_OFF, 1437 &net, sizeof(net)); 1438 bcopy(idlocal + ISAKMP_ID_DATA_OFF + 1439 16, &mask, sizeof(mask)); 1440 1441 for (i = 0; i < 16; i++) 1442 net.s6_addr[i] &= 1443 mask.s6_addr[i]; 1444 1445 my_inet_ntop6((unsigned char *)&net, 1446 local_filter_addr_lower, 1447 sizeof local_filter_addr_lower - 1); 1448 1449 for (i = 0; i < 16; i++) 1450 net.s6_addr[i] |= 1451 ~mask.s6_addr[i]; 1452 1453 my_inet_ntop6((unsigned char *)&net, 1454 local_filter_addr_upper, 1455 sizeof local_filter_addr_upper - 1456 1); 1457 1458 len = strlen(local_filter_addr_upper) 1459 + strlen(local_filter_addr_lower) 1460 + 2; 1461 local_filter = calloc(len, 1462 sizeof(char)); 1463 if (!local_filter) { 1464 log_error("policy_callback: " 1465 "calloc (%d, %lu) failed", 1466 len, 1467 (unsigned long)sizeof(char)); 1468 goto bad; 1469 } 1470 strlcpy(local_filter, 1471 local_filter_addr_lower, len); 1472 strlcat(local_filter, "-", len); 1473 strlcat(local_filter, 1474 local_filter_addr_upper, len); 1475 break; 1476 } 1477 1478 case IPSEC_ID_FQDN: 1479 local_filter_type = "FQDN"; 1480 local_filter = malloc(idlocalsz - 1481 ISAKMP_ID_DATA_OFF + 1); 1482 if (!local_filter) { 1483 log_error("policy_callback: " 1484 "malloc (%lu) failed", 1485 (unsigned long)idlocalsz - 1486 ISAKMP_ID_DATA_OFF + 1); 1487 goto bad; 1488 } 1489 memcpy(local_filter, 1490 idlocal + ISAKMP_ID_DATA_OFF, 1491 idlocalsz - ISAKMP_ID_DATA_OFF); 1492 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1493 break; 1494 1495 case IPSEC_ID_USER_FQDN: 1496 local_filter_type = "User FQDN"; 1497 local_filter = malloc(idlocalsz - 1498 ISAKMP_ID_DATA_OFF + 1); 1499 if (!local_filter) { 1500 log_error("policy_callback: " 1501 "malloc (%lu) failed", 1502 (unsigned long)idlocalsz - 1503 ISAKMP_ID_DATA_OFF + 1); 1504 goto bad; 1505 } 1506 memcpy(local_filter, 1507 idlocal + ISAKMP_ID_DATA_OFF, 1508 idlocalsz - ISAKMP_ID_DATA_OFF); 1509 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1510 break; 1511 1512 case IPSEC_ID_DER_ASN1_DN: 1513 local_filter_type = "ASN1 DN"; 1514 1515 local_filter = x509_DN_string(idlocal + 1516 ISAKMP_ID_DATA_OFF, 1517 idlocalsz - ISAKMP_ID_DATA_OFF); 1518 if (!local_filter) { 1519 LOG_DBG((LOG_POLICY, 50, 1520 "policy_callback: failed to decode" 1521 " name")); 1522 goto bad; 1523 } 1524 break; 1525 1526 case IPSEC_ID_DER_ASN1_GN: 1527 /* XXX -- not sure what's in this. */ 1528 local_filter_type = "ASN1 GN"; 1529 break; 1530 1531 case IPSEC_ID_KEY_ID: 1532 local_filter_type = "Key ID"; 1533 local_filter = calloc(2 * (idlocalsz - 1534 ISAKMP_ID_DATA_OFF) + 1, 1535 sizeof(char)); 1536 if (!local_filter) { 1537 log_error("policy_callback: " 1538 "calloc (%lu, %lu) failed", 1539 2 * ((unsigned long)idlocalsz - 1540 ISAKMP_ID_DATA_OFF) + 1, 1541 (unsigned long)sizeof(char)); 1542 goto bad; 1543 } 1544 /* 1545 * Does it contain any non-printable 1546 * characters ? 1547 */ 1548 for (i = 0; 1549 i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1550 if (!isprint(*(idlocal + 1551 ISAKMP_ID_DATA_OFF + i))) 1552 break; 1553 if (i >= idlocalsz - ISAKMP_ID_DATA_OFF) { 1554 memcpy(local_filter, idlocal + 1555 ISAKMP_ID_DATA_OFF, 1556 idlocalsz - ISAKMP_ID_DATA_OFF); 1557 break; 1558 } 1559 /* Non-printable characters, convert to hex */ 1560 for (i = 0; 1561 i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) { 1562 local_filter[2 * i] = 1563 hextab[*(idlocal + 1564 ISAKMP_ID_DATA_OFF) >> 4]; 1565 local_filter[2 * i + 1] = 1566 hextab[*(idlocal + 1567 ISAKMP_ID_DATA_OFF) & 0xF]; 1568 } 1569 break; 1570 1571 default: 1572 log_print("policy_callback: " 1573 "unknown Local ID type %u", 1574 GET_ISAKMP_ID_TYPE(idlocal)); 1575 goto bad; 1576 } 1577 1578 switch (idlocal[ISAKMP_GEN_SZ + 1]) { 1579 case IPPROTO_TCP: 1580 local_filter_proto = "tcp"; 1581 break; 1582 1583 case IPPROTO_UDP: 1584 local_filter_proto = "udp"; 1585 break; 1586 1587 case IPPROTO_ETHERIP: 1588 local_filter_proto = "etherip"; 1589 break; 1590 1591 default: 1592 snprintf(local_filter_proto_num, 1593 sizeof local_filter_proto_num, 1594 "%d", idlocal[ISAKMP_GEN_SZ + 1]); 1595 local_filter_proto = local_filter_proto_num; 1596 break; 1597 } 1598 1599 snprintf(local_filter_port, sizeof local_filter_port, 1600 "%u", decode_16(idlocal + ISAKMP_GEN_SZ + 2)); 1601 } else { 1602 policy_sa->transport->vtbl->get_src(policy_sa->transport, 1603 (struct sockaddr **)&sin); 1604 switch (sin->sa_family) { 1605 case AF_INET: 1606 local_filter_type = "IPv4 address"; 1607 break; 1608 case AF_INET6: 1609 local_filter_type = "IPv6 address"; 1610 break; 1611 default: 1612 log_print("policy_callback: " 1613 "unsupported protocol family %d", 1614 sin->sa_family); 1615 goto bad; 1616 } 1617 1618 if (sockaddr2text(sin, &addr, 1)) { 1619 log_error("policy_callback: " 1620 "sockaddr2text failed"); 1621 goto bad; 1622 } 1623 memcpy(local_filter_addr_upper, addr, 1624 sizeof local_filter_addr_upper); 1625 memcpy(local_filter_addr_lower, addr, 1626 sizeof local_filter_addr_lower); 1627 free(addr); 1628 local_filter = strdup(local_filter_addr_upper); 1629 if (!local_filter) { 1630 log_error("policy_callback: " 1631 "strdup (\"%s\") failed", 1632 local_filter_addr_upper); 1633 goto bad; 1634 } 1635 } 1636 1637 LOG_DBG((LOG_POLICY, 80, 1638 "Policy context (action attributes):")); 1639 LOG_DBG((LOG_POLICY, 80, "esp_present == %s", esp_present)); 1640 LOG_DBG((LOG_POLICY, 80, "ah_present == %s", ah_present)); 1641 LOG_DBG((LOG_POLICY, 80, "comp_present == %s", comp_present)); 1642 LOG_DBG((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg)); 1643 LOG_DBG((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg)); 1644 LOG_DBG((LOG_POLICY, 80, "comp_alg == %s", comp_alg)); 1645 LOG_DBG((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg)); 1646 LOG_DBG((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg)); 1647 LOG_DBG((LOG_POLICY, 80, "ah_life_seconds == %s", 1648 ah_life_seconds)); 1649 LOG_DBG((LOG_POLICY, 80, "ah_life_kbytes == %s", 1650 ah_life_kbytes)); 1651 LOG_DBG((LOG_POLICY, 80, "esp_life_seconds == %s", 1652 esp_life_seconds)); 1653 LOG_DBG((LOG_POLICY, 80, "esp_life_kbytes == %s", 1654 esp_life_kbytes)); 1655 LOG_DBG((LOG_POLICY, 80, "comp_life_seconds == %s", 1656 comp_life_seconds)); 1657 LOG_DBG((LOG_POLICY, 80, "comp_life_kbytes == %s", 1658 comp_life_kbytes)); 1659 LOG_DBG((LOG_POLICY, 80, "ah_encapsulation == %s", 1660 ah_encapsulation)); 1661 LOG_DBG((LOG_POLICY, 80, "esp_encapsulation == %s", 1662 esp_encapsulation)); 1663 LOG_DBG((LOG_POLICY, 80, "comp_encapsulation == %s", 1664 comp_encapsulation)); 1665 LOG_DBG((LOG_POLICY, 80, "comp_dict_size == %s", 1666 comp_dict_size)); 1667 LOG_DBG((LOG_POLICY, 80, "comp_private_alg == %s", 1668 comp_private_alg)); 1669 LOG_DBG((LOG_POLICY, 80, "ah_key_length == %s", 1670 ah_key_length)); 1671 LOG_DBG((LOG_POLICY, 80, "ah_key_rounds == %s", 1672 ah_key_rounds)); 1673 LOG_DBG((LOG_POLICY, 80, "esp_key_length == %s", 1674 esp_key_length)); 1675 LOG_DBG((LOG_POLICY, 80, "esp_key_rounds == %s", 1676 esp_key_rounds)); 1677 LOG_DBG((LOG_POLICY, 80, "ah_group_desc == %s", 1678 ah_group_desc)); 1679 LOG_DBG((LOG_POLICY, 80, "esp_group_desc == %s", 1680 esp_group_desc)); 1681 LOG_DBG((LOG_POLICY, 80, "comp_group_desc == %s", 1682 comp_group_desc)); 1683 LOG_DBG((LOG_POLICY, 80, "ah_ecn == %s", ah_ecn)); 1684 LOG_DBG((LOG_POLICY, 80, "esp_ecn == %s", esp_ecn)); 1685 LOG_DBG((LOG_POLICY, 80, "comp_ecn == %s", comp_ecn)); 1686 LOG_DBG((LOG_POLICY, 80, "remote_filter_type == %s", 1687 remote_filter_type)); 1688 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_upper == %s", 1689 remote_filter_addr_upper)); 1690 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_lower == %s", 1691 remote_filter_addr_lower)); 1692 LOG_DBG((LOG_POLICY, 80, "remote_filter == %s", 1693 (remote_filter ? remote_filter : ""))); 1694 LOG_DBG((LOG_POLICY, 80, "remote_filter_port == %s", 1695 remote_filter_port)); 1696 LOG_DBG((LOG_POLICY, 80, "remote_filter_proto == %s", 1697 remote_filter_proto)); 1698 LOG_DBG((LOG_POLICY, 80, "local_filter_type == %s", 1699 local_filter_type)); 1700 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_upper == %s", 1701 local_filter_addr_upper)); 1702 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_lower == %s", 1703 local_filter_addr_lower)); 1704 LOG_DBG((LOG_POLICY, 80, "local_filter == %s", 1705 (local_filter ? local_filter : ""))); 1706 LOG_DBG((LOG_POLICY, 80, "local_filter_port == %s", 1707 local_filter_port)); 1708 LOG_DBG((LOG_POLICY, 80, "local_filter_proto == %s", 1709 local_filter_proto)); 1710 LOG_DBG((LOG_POLICY, 80, "remote_id_type == %s", 1711 remote_id_type)); 1712 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_upper == %s", 1713 remote_id_addr_upper)); 1714 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_lower == %s", 1715 remote_id_addr_lower)); 1716 LOG_DBG((LOG_POLICY, 80, "remote_id == %s", 1717 (remote_id ? remote_id : ""))); 1718 LOG_DBG((LOG_POLICY, 80, "remote_id_port == %s", 1719 remote_id_port)); 1720 LOG_DBG((LOG_POLICY, 80, "remote_id_proto == %s", 1721 remote_id_proto)); 1722 LOG_DBG((LOG_POLICY, 80, "remote_negotiation_address == %s", 1723 remote_ike_address)); 1724 LOG_DBG((LOG_POLICY, 80, "local_negotiation_address == %s", 1725 local_ike_address)); 1726 LOG_DBG((LOG_POLICY, 80, "pfs == %s", pfs)); 1727 LOG_DBG((LOG_POLICY, 80, "initiator == %s", initiator)); 1728 LOG_DBG((LOG_POLICY, 80, "phase1_group_desc == %s", 1729 phase1_group)); 1730 1731 /* Unset dirty now. */ 1732 dirty = 0; 1733 } 1734 if (strcmp(name, "phase_1") == 0) 1735 return phase_1; 1736 1737 if (strcmp(name, "GMTTimeOfDay") == 0) { 1738 tt = time((time_t)NULL); 1739 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", gmtime(&tt)); 1740 return mytimeofday; 1741 } 1742 if (strcmp(name, "LocalTimeOfDay") == 0) { 1743 tt = time((time_t)NULL); 1744 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", localtime(&tt)); 1745 return mytimeofday; 1746 } 1747 if (strcmp(name, "initiator") == 0) 1748 return initiator; 1749 1750 if (strcmp(name, "pfs") == 0) 1751 return pfs; 1752 1753 if (strcmp(name, "app_domain") == 0) 1754 return "IPsec policy"; 1755 1756 if (strcmp(name, "doi") == 0) 1757 return "ipsec"; 1758 1759 if (strcmp(name, "esp_present") == 0) 1760 return esp_present; 1761 1762 if (strcmp(name, "ah_present") == 0) 1763 return ah_present; 1764 1765 if (strcmp(name, "comp_present") == 0) 1766 return comp_present; 1767 1768 if (strcmp(name, "ah_hash_alg") == 0) 1769 return ah_hash_alg; 1770 1771 if (strcmp(name, "ah_auth_alg") == 0) 1772 return ah_auth_alg; 1773 1774 if (strcmp(name, "esp_auth_alg") == 0) 1775 return esp_auth_alg; 1776 1777 if (strcmp(name, "esp_enc_alg") == 0) 1778 return esp_enc_alg; 1779 1780 if (strcmp(name, "comp_alg") == 0) 1781 return comp_alg; 1782 1783 if (strcmp(name, "ah_life_kbytes") == 0) 1784 return ah_life_kbytes; 1785 1786 if (strcmp(name, "ah_life_seconds") == 0) 1787 return ah_life_seconds; 1788 1789 if (strcmp(name, "esp_life_kbytes") == 0) 1790 return esp_life_kbytes; 1791 1792 if (strcmp(name, "esp_life_seconds") == 0) 1793 return esp_life_seconds; 1794 1795 if (strcmp(name, "comp_life_kbytes") == 0) 1796 return comp_life_kbytes; 1797 1798 if (strcmp(name, "comp_life_seconds") == 0) 1799 return comp_life_seconds; 1800 1801 if (strcmp(name, "ah_encapsulation") == 0) 1802 return ah_encapsulation; 1803 1804 if (strcmp(name, "esp_encapsulation") == 0) 1805 return esp_encapsulation; 1806 1807 if (strcmp(name, "comp_encapsulation") == 0) 1808 return comp_encapsulation; 1809 1810 if (strcmp(name, "ah_key_length") == 0) 1811 return ah_key_length; 1812 1813 if (strcmp(name, "ah_key_rounds") == 0) 1814 return ah_key_rounds; 1815 1816 if (strcmp(name, "esp_key_length") == 0) 1817 return esp_key_length; 1818 1819 if (strcmp(name, "esp_key_rounds") == 0) 1820 return esp_key_rounds; 1821 1822 if (strcmp(name, "comp_dict_size") == 0) 1823 return comp_dict_size; 1824 1825 if (strcmp(name, "comp_private_alg") == 0) 1826 return comp_private_alg; 1827 1828 if (strcmp(name, "remote_filter_type") == 0) 1829 return remote_filter_type; 1830 1831 if (strcmp(name, "remote_filter") == 0) 1832 return (remote_filter ? remote_filter : ""); 1833 1834 if (strcmp(name, "remote_filter_addr_upper") == 0) 1835 return remote_filter_addr_upper; 1836 1837 if (strcmp(name, "remote_filter_addr_lower") == 0) 1838 return remote_filter_addr_lower; 1839 1840 if (strcmp(name, "remote_filter_port") == 0) 1841 return remote_filter_port; 1842 1843 if (strcmp(name, "remote_filter_proto") == 0) 1844 return remote_filter_proto; 1845 1846 if (strcmp(name, "local_filter_type") == 0) 1847 return local_filter_type; 1848 1849 if (strcmp(name, "local_filter") == 0) 1850 return (local_filter ? local_filter : ""); 1851 1852 if (strcmp(name, "local_filter_addr_upper") == 0) 1853 return local_filter_addr_upper; 1854 1855 if (strcmp(name, "local_filter_addr_lower") == 0) 1856 return local_filter_addr_lower; 1857 1858 if (strcmp(name, "local_filter_port") == 0) 1859 return local_filter_port; 1860 1861 if (strcmp(name, "local_filter_proto") == 0) 1862 return local_filter_proto; 1863 1864 if (strcmp(name, "remote_ike_address") == 0) 1865 return remote_ike_address; 1866 1867 if (strcmp(name, "remote_negotiation_address") == 0) 1868 return remote_ike_address; 1869 1870 if (strcmp(name, "local_ike_address") == 0) 1871 return local_ike_address; 1872 1873 if (strcmp(name, "local_negotiation_address") == 0) 1874 return local_ike_address; 1875 1876 if (strcmp(name, "remote_id_type") == 0) 1877 return remote_id_type; 1878 1879 if (strcmp(name, "remote_id") == 0) 1880 return (remote_id ? remote_id : ""); 1881 1882 if (strcmp(name, "remote_id_addr_upper") == 0) 1883 return remote_id_addr_upper; 1884 1885 if (strcmp(name, "remote_id_addr_lower") == 0) 1886 return remote_id_addr_lower; 1887 1888 if (strcmp(name, "remote_id_port") == 0) 1889 return remote_id_port; 1890 1891 if (strcmp(name, "remote_id_proto") == 0) 1892 return remote_id_proto; 1893 1894 if (strcmp(name, "phase1_group_desc") == 0) 1895 return phase1_group; 1896 1897 if (strcmp(name, "esp_group_desc") == 0) 1898 return esp_group_desc; 1899 1900 if (strcmp(name, "ah_group_desc") == 0) 1901 return ah_group_desc; 1902 1903 if (strcmp(name, "comp_group_desc") == 0) 1904 return comp_group_desc; 1905 1906 if (strcmp(name, "comp_ecn") == 0) 1907 return comp_ecn; 1908 1909 if (strcmp(name, "ah_ecn") == 0) 1910 return ah_ecn; 1911 1912 if (strcmp(name, "esp_ecn") == 0) 1913 return esp_ecn; 1914 1915 return ""; 1916 1917 bad: 1918 policy_callback(KEYNOTE_CALLBACK_INITIALIZE); 1919 return ""; 1920 } 1921 1922 void 1923 policy_init(void) 1924 { 1925 char *ptr, *policy_file; 1926 char **asserts; 1927 size_t sz, len; 1928 int fd, i; 1929 1930 LOG_DBG((LOG_POLICY, 30, "policy_init: initializing")); 1931 1932 /* Do we want to use the policy modules? */ 1933 if (ignore_policy || 1934 strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) 1935 return; 1936 1937 /* Get policy file from configuration. */ 1938 policy_file = conf_get_str("General", "Policy-file"); 1939 if (!policy_file) 1940 policy_file = CONF_DFLT_POLICY_FILE; 1941 1942 /* Open policy file. */ 1943 fd = monitor_open(policy_file, O_RDONLY, 0); 1944 if (fd == -1) 1945 log_fatal("policy_init: open (\"%s\", O_RDONLY) failed", 1946 policy_file); 1947 1948 /* Check file modes and collect file size */ 1949 if (check_file_secrecy_fd(fd, policy_file, &sz)) { 1950 close(fd); 1951 log_fatal("policy_init: cannot read %s", policy_file); 1952 } 1953 1954 /* Allocate memory to keep policies. */ 1955 ptr = calloc(sz + 1, sizeof(char)); 1956 if (!ptr) 1957 log_fatal("policy_init: calloc (%lu, %lu) failed", 1958 (unsigned long)sz + 1, (unsigned long)sizeof(char)); 1959 1960 /* Just in case there are short reads... */ 1961 for (len = 0; len < sz; len += i) { 1962 i = read(fd, ptr + len, sz - len); 1963 if (i == -1) 1964 log_fatal("policy_init: read (%d, %p, %lu) failed", fd, 1965 ptr + len, (unsigned long)(sz - len)); 1966 } 1967 1968 /* We're done with this. */ 1969 close(fd); 1970 1971 /* Parse buffer, break up into individual policies. */ 1972 asserts = kn_read_asserts(ptr, sz, &i); 1973 1974 /* Begone! */ 1975 free(ptr); 1976 1977 if (asserts == (char **)NULL) 1978 log_print("policy_init: all policies flushed"); 1979 1980 /* Cleanup */ 1981 if (policy_asserts) { 1982 for (fd = 0; fd < policy_asserts_num; fd++) 1983 if (policy_asserts) 1984 free(policy_asserts[fd]); 1985 1986 free(policy_asserts); 1987 } 1988 policy_asserts = asserts; 1989 policy_asserts_num = i; 1990 } 1991 1992 /* Nothing needed for initialization */ 1993 int 1994 keynote_cert_init(void) 1995 { 1996 return 1; 1997 } 1998 1999 /* Just copy and return. */ 2000 void * 2001 keynote_cert_get(u_int8_t *data, u_int32_t len) 2002 { 2003 char *foo = malloc(len + 1); 2004 2005 if (foo == NULL) 2006 return NULL; 2007 2008 memcpy(foo, data, len); 2009 foo[len] = '\0'; 2010 return foo; 2011 } 2012 2013 /* 2014 * We just verify the signature on the credentials. 2015 * On signature failure, just drop the whole payload. 2016 */ 2017 int 2018 keynote_cert_validate(void *scert) 2019 { 2020 char **foo; 2021 int num, i; 2022 2023 if (scert == NULL) 2024 return 0; 2025 2026 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2027 if (foo == NULL) 2028 return 0; 2029 2030 for (i = 0; i < num; i++) { 2031 if (kn_verify_assertion(scert, strlen((char *)scert)) 2032 != SIGRESULT_TRUE) { 2033 for (; i < num; i++) 2034 free(foo[i]); 2035 free(foo); 2036 return 0; 2037 } 2038 free(foo[i]); 2039 } 2040 2041 free(foo); 2042 return 1; 2043 } 2044 2045 /* Add received credentials. */ 2046 int 2047 keynote_cert_insert(int sid, void *scert) 2048 { 2049 char **foo; 2050 int num; 2051 2052 if (scert == NULL) 2053 return 0; 2054 2055 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2056 if (foo == NULL) 2057 return 0; 2058 2059 while (num--) 2060 kn_add_assertion(sid, foo[num], strlen(foo[num]), 0); 2061 2062 return 1; 2063 } 2064 2065 /* Just regular memory free. */ 2066 void 2067 keynote_cert_free(void *cert) 2068 { 2069 free(cert); 2070 } 2071 2072 /* Verify that the key given to us is valid. */ 2073 int 2074 keynote_certreq_validate(u_int8_t *data, u_int32_t len) 2075 { 2076 struct keynote_deckey dc; 2077 int err = 1; 2078 char *dat; 2079 2080 dat = calloc(len + 1, sizeof(char)); 2081 if (!dat) { 2082 log_error("keynote_certreq_validate: calloc (%d, %lu) failed", 2083 len + 1, (unsigned long)sizeof(char)); 2084 return 0; 2085 } 2086 memcpy(dat, data, len); 2087 2088 if (kn_decode_key(&dc, dat, KEYNOTE_PUBLIC_KEY) != 0) 2089 err = 0; 2090 else 2091 kn_free_key(&dc); 2092 2093 free(dat); 2094 2095 return err; 2096 } 2097 2098 /* Beats me what we should be doing with this. */ 2099 int 2100 keynote_certreq_decode(void **pdata, u_int8_t *data, u_int32_t len) 2101 { 2102 /* XXX */ 2103 return 0; 2104 } 2105 2106 void 2107 keynote_free_aca(void *blob) 2108 { 2109 /* XXX */ 2110 } 2111 2112 int 2113 keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, 2114 u_int32_t *certlen) 2115 { 2116 char *dirname, *file, *addr_str; 2117 struct stat sb; 2118 size_t size; 2119 int idtype, fd, len; 2120 2121 if (!id) { 2122 log_print("keynote_cert_obtain: ID is missing"); 2123 return 0; 2124 } 2125 /* Get type of ID. */ 2126 idtype = id[0]; 2127 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2128 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2129 2130 dirname = conf_get_str("KeyNote", "Credential-directory"); 2131 if (!dirname) { 2132 LOG_DBG((LOG_POLICY, 30, 2133 "keynote_cert_obtain: no Credential-directory")); 2134 return 0; 2135 } 2136 len = strlen(dirname) + strlen(CREDENTIAL_FILE) + 3; 2137 2138 switch (idtype) { 2139 case IPSEC_ID_IPV4_ADDR: 2140 case IPSEC_ID_IPV6_ADDR: 2141 util_ntoa(&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? 2142 AF_INET : AF_INET6, id); 2143 if (addr_str == 0) 2144 return 0; 2145 2146 if (asprintf(&file, "%s/%s/%s", dirname, 2147 addr_str, CREDENTIAL_FILE) == -1) { 2148 log_error("keynote_cert_obtain: failed to allocate " 2149 "%lu bytes", (unsigned long)len + 2150 strlen(addr_str)); 2151 free(addr_str); 2152 return 0; 2153 } 2154 free(addr_str); 2155 break; 2156 2157 case IPSEC_ID_FQDN: 2158 case IPSEC_ID_USER_FQDN: 2159 file = calloc(len + id_len, sizeof(char)); 2160 if (file == NULL) { 2161 log_error("keynote_cert_obtain: " 2162 "failed to allocate %lu bytes", 2163 (unsigned long)len + id_len); 2164 return 0; 2165 } 2166 snprintf(file, len + id_len, "%s/", dirname); 2167 memcpy(file + strlen(dirname) + 1, id, id_len); 2168 snprintf(file + strlen(dirname) + 1 + id_len, 2169 len - strlen(dirname) - 1, "/%s", CREDENTIAL_FILE); 2170 break; 2171 2172 default: 2173 return 0; 2174 } 2175 2176 fd = monitor_open(file, O_RDONLY, 0); 2177 if (fd < 0) { 2178 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2179 "failed to open \"%s\"", file)); 2180 free(file); 2181 return 0; 2182 } 2183 2184 if (fstat(fd, &sb) < 0) { 2185 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2186 "failed to stat \"%s\"", file)); 2187 free(file); 2188 close(fd); 2189 return 0; 2190 } 2191 size = (size_t)sb.st_size; 2192 2193 *cert = calloc(size + 1, sizeof(char)); 2194 if (*cert == NULL) { 2195 log_error("keynote_cert_obtain: failed to allocate %lu bytes", 2196 (unsigned long)size); 2197 free(file); 2198 close(fd); 2199 return 0; 2200 } 2201 2202 if (read(fd, *cert, size) != (int)size) { 2203 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2204 "failed to read %lu bytes from \"%s\"", 2205 (unsigned long)size, file)); 2206 free(cert); 2207 cert = NULL; 2208 free(file); 2209 close(fd); 2210 return 0; 2211 } 2212 close(fd); 2213 free(file); 2214 *certlen = size; 2215 return 1; 2216 } 2217 2218 /* This should never be called. */ 2219 int 2220 keynote_cert_get_subjects(void *scert, int *n, u_int8_t ***id, 2221 u_int32_t **id_len) 2222 { 2223 return 0; 2224 } 2225 2226 /* Get the authorizer key. */ 2227 int 2228 keynote_cert_get_key(void *scert, void *keyp) 2229 { 2230 struct keynote_keylist *kl; 2231 int sid, kid, num; 2232 char **foo; 2233 2234 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2235 if (foo == NULL || num == 0) { 2236 log_print("keynote_cert_get_key: " 2237 "failed to decompose credentials"); 2238 return 0; 2239 } 2240 kid = kn_init(); 2241 if (kid == -1) { 2242 log_print("keynote_cert_get_key: " 2243 "failed to initialize new policy session"); 2244 while (num--) 2245 free(foo[num]); 2246 free(foo); 2247 return 0; 2248 } 2249 sid = kn_add_assertion(kid, foo[num - 1], strlen(foo[num - 1]), 0); 2250 while (num--) 2251 free(foo[num]); 2252 free(foo); 2253 2254 if (sid == -1) { 2255 log_print("keynote_cert_get_key: failed to add assertion"); 2256 kn_close(kid); 2257 return 0; 2258 } 2259 *(RSA **)keyp = NULL; 2260 2261 kl = kn_get_licensees(kid, sid); 2262 while (kl) { 2263 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA || 2264 kl->key_alg == KEYNOTE_ALGORITHM_X509) { 2265 *(RSA **)keyp = RSAPublicKey_dup(kl->key_key); 2266 break; 2267 } 2268 kl = kl->key_next; 2269 } 2270 2271 kn_remove_assertion(kid, sid); 2272 kn_close(kid); 2273 return *(RSA **)keyp == NULL ? 0 : 1; 2274 } 2275 2276 void * 2277 keynote_cert_dup(void *cert) 2278 { 2279 return strdup((char *)cert); 2280 } 2281 2282 void 2283 keynote_serialize(void *cert, u_int8_t **data, u_int32_t *datalen) 2284 { 2285 *datalen = strlen((char *)cert) + 1; 2286 *data = (u_int8_t *)strdup(cert); /* i.e an extra character at 2287 * the end... */ 2288 if (*data == NULL) 2289 log_error("keynote_serialize: malloc (%d) failed", *datalen); 2290 } 2291 2292 /* From cert to printable */ 2293 char * 2294 keynote_printable(void *cert) 2295 { 2296 return strdup((char *)cert); 2297 } 2298 2299 /* From printable to cert */ 2300 void * 2301 keynote_from_printable(char *cert) 2302 { 2303 return strdup(cert); 2304 } 2305 2306 /* Number of CAs we trust (currently this is x509 only) */ 2307 int 2308 keynote_ca_count(void) 2309 { 2310 return 0; 2311 } 2312