1 /* $OpenBSD: policy.c,v 1.43 2001/08/11 05:26:59 angelos Exp $ */ 2 /* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ 3 4 /* 5 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. 6 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 7 * Copyright (c) 2001 H�kan Olsson. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. All advertising materials mentioning features or use of this software 18 * must display the following acknowledgement: 19 * This product includes software developed by Ericsson Radio Systems. 20 * 4. The name of the author may not be used to endorse or promote products 21 * derived from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 /* 36 * This code was written under funding by Ericsson Radio Systems. 37 */ 38 39 #include <sys/types.h> 40 #include <sys/param.h> 41 #include <sys/mman.h> 42 #include <sys/queue.h> 43 #include <sys/stat.h> 44 #include <regex.h> 45 #include <ctype.h> 46 #include <fcntl.h> 47 #include <stdio.h> 48 #include <stdlib.h> 49 #include <string.h> 50 #include <unistd.h> 51 #include <keynote.h> 52 #include <sys/socket.h> 53 #include <netinet/in.h> 54 #include <arpa/inet.h> 55 #include <errno.h> 56 #include <openssl/ssl.h> 57 #include <netdb.h> 58 59 #include "sysdep.h" 60 61 #include "app.h" 62 #include "conf.h" 63 #include "connection.h" 64 #include "cookie.h" 65 #include "doi.h" 66 #include "dyn.h" 67 #include "exchange.h" 68 #include "init.h" 69 #include "ipsec.h" 70 #include "isakmp_doi.h" 71 #include "math_group.h" 72 #include "sa.h" 73 #include "timer.h" 74 #include "transport.h" 75 #include "udp.h" 76 #include "log.h" 77 #include "message.h" 78 #include "ui.h" 79 #include "util.h" 80 #include "policy.h" 81 #include "x509.h" 82 83 #if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) && 0 84 85 void *libkeynote = 0; 86 87 /* 88 * These prototypes matches OpenBSD keynote.h 1.6. If you use 89 * a different version than that, you are on your own. 90 */ 91 int *lk_keynote_errno; 92 int (*lk_kn_add_action) (int, char *, char *, int); 93 int (*lk_kn_add_assertion) (int, char *, int, int); 94 int (*lk_kn_add_authorizer) (int, char *); 95 int (*lk_kn_close) (int); 96 int (*lk_kn_do_query) (int, char **, int); 97 char *(*lk_kn_encode_key) (struct keynote_deckey *, int, int, int); 98 int (*lk_kn_init) (void); 99 char **(*lk_kn_read_asserts) (char *, int, int *); 100 int (*lk_kn_remove_authorizer) (int, char *); 101 int (*lk_kn_get_authorizer) (int, int, int *); 102 void (*lk_kn_free_key) (struct keynote_deckey *); 103 struct keynote_keylist *(*lk_kn_get_licensees) (int, int); 104 #define SYMENTRY(x) { SYM, SYM (x), (void **)&lk_ ## x } 105 106 static struct dynload_script libkeynote_script[] = { 107 { LOAD, "libc.so", &libkeynote }, 108 { LOAD, "libcrypto.so", &libkeynote }, 109 { LOAD, "libm.so", &libkeynote }, 110 { LOAD, "libkeynote.so", &libkeynote }, 111 SYMENTRY (keynote_errno), 112 SYMENTRY (kn_add_action), 113 SYMENTRY (kn_add_assertion), 114 SYMENTRY (kn_add_authorizer), 115 SYMENTRY (kn_close), 116 SYMENTRY (kn_do_query), 117 SYMENTRY (kn_encode_key), 118 SYMENTRY (kn_init), 119 SYMENTRY (kn_read_asserts), 120 SYMENTRY (kn_remove_authorizer), 121 SYMENTRY (kn_get_licensees), 122 SYMENTRY (kn_get_authorizer), 123 { EOS } 124 }; 125 #endif 126 127 char **keynote_policy_asserts = NULL; 128 int keynote_policy_asserts_num = 0; 129 struct exchange *policy_exchange = 0; 130 struct sa *policy_sa = 0; 131 struct sa *policy_isakmp_sa = 0; 132 133 static const char hextab[] = { 134 '0', '1', '2', '3', '4', '5', '6', '7', 135 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 136 }; 137 138 /* 139 * Adaptation of Vixie's inet_ntop4 () 140 */ 141 static const char * 142 my_inet_ntop4 (const in_addr_t *src, char *dst, size_t size, int normalize) 143 { 144 static const char fmt[] = "%03u.%03u.%03u.%03u"; 145 char tmp[sizeof "255.255.255.255"]; 146 in_addr_t src2; 147 148 if (normalize) 149 src2 = ntohl (*src); 150 else 151 src2 = *src; 152 153 if (sprintf (tmp, fmt, ((u_int8_t *) &src2)[0], ((u_int8_t *) &src2)[1], 154 ((u_int8_t *) &src2)[2], ((u_int8_t *) &src2)[3]) > size) 155 { 156 errno = ENOSPC; 157 return 0; 158 } 159 strcpy (dst, tmp); 160 return dst; 161 } 162 163 static const char * 164 my_inet_ntop6 (const unsigned char *src, char *dst, size_t size) 165 { 166 static const char fmt[] = "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x"; 167 char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"]; 168 169 if (sprintf (tmp, fmt, src[0], src[1], src[2], src[3], src[4], src[5], 170 src[6], src[7], src[8], src[9], src[10], src[11], src[12], 171 src[13], src[14], src[15]) > size) 172 { 173 errno = ENOSPC; 174 return 0; 175 } 176 strcpy (dst, tmp); 177 return dst; 178 } 179 180 char * 181 policy_callback (char *name) 182 { 183 struct proto *proto; 184 185 u_int8_t *attr, *value, *id, *idlocal, *idremote; 186 size_t id_sz, idlocalsz, idremotesz; 187 struct sockaddr *sin; 188 struct ipsec_exch *ie; 189 struct ipsec_sa *is; 190 int fmt, i, lifetype = 0; 191 in_addr_t net, subnet; 192 u_int16_t len, type; 193 time_t tt; 194 char *addr; 195 static char mytimeofday[15]; 196 X509_NAME *x509name; 197 198 /* We use all these as a cache. */ 199 static char *esp_present, *ah_present, *comp_present; 200 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; 201 static char *comp_alg, ah_life_kbytes[32], ah_life_seconds[32]; 202 static char esp_life_kbytes[32], esp_life_seconds[32], comp_life_kbytes[32]; 203 static char comp_life_seconds[32], *ah_encapsulation, *esp_encapsulation; 204 static char *comp_encapsulation, ah_key_length[32], esp_key_length[32]; 205 static char ah_key_rounds[32], esp_key_rounds[32], comp_dict_size[32]; 206 static char comp_private_alg[32], *remote_filter_type, *local_filter_type; 207 static char remote_filter_addr_upper[NI_MAXHOST]; 208 static char remote_filter_addr_lower[NI_MAXHOST]; 209 static char local_filter_addr_upper[NI_MAXHOST]; 210 static char local_filter_addr_lower[NI_MAXHOST]; 211 static char ah_group_desc[32], esp_group_desc[32], comp_group_desc[32]; 212 static char remote_ike_address[NI_MAXHOST]; 213 static char local_ike_address[NI_MAXHOST]; 214 static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST], *phase_1; 215 static char remote_id_addr_lower[NI_MAXHOST]; 216 static char *remote_id_proto, remote_id_port[32]; 217 static char remote_filter_port[32], local_filter_port[32]; 218 static char *remote_filter_proto, *local_filter_proto, *pfs, *initiator; 219 static char remote_filter_proto_num[3], local_filter_proto_num[3]; 220 static char remote_id_proto_num[3]; 221 static char phase1_group[32]; 222 223 /* Allocated. */ 224 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; 225 226 static int dirty = 1; 227 228 /* We only need to set dirty at initialization time really. */ 229 if (strcmp (name, KEYNOTE_CALLBACK_CLEANUP) == 0 230 || strcmp (name, KEYNOTE_CALLBACK_INITIALIZE) == 0) 231 { 232 esp_present = ah_present = comp_present = pfs = "no"; 233 ah_hash_alg = ah_auth_alg = phase_1 = ""; 234 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; 235 esp_encapsulation = comp_encapsulation = remote_filter_type = ""; 236 local_filter_type = remote_id_type = initiator = ""; 237 remote_filter_proto = local_filter_proto = remote_id_proto = ""; 238 239 if (remote_filter != 0) 240 { 241 free (remote_filter); 242 remote_filter = 0; 243 } 244 245 if (local_filter != 0) 246 { 247 free (local_filter); 248 local_filter = 0; 249 } 250 251 if (remote_id != 0) 252 { 253 free (remote_id); 254 remote_id = 0; 255 } 256 257 memset (remote_ike_address, 0, sizeof remote_ike_address); 258 memset (local_ike_address, 0, sizeof local_ike_address); 259 memset (ah_life_kbytes, 0, sizeof ah_life_kbytes); 260 memset (ah_life_seconds, 0, sizeof ah_life_seconds); 261 memset (esp_life_kbytes, 0, sizeof esp_life_kbytes); 262 memset (esp_life_seconds, 0, sizeof esp_life_seconds); 263 memset (comp_life_kbytes, 0, sizeof comp_life_kbytes); 264 memset (comp_life_seconds, 0, sizeof comp_life_seconds); 265 memset (ah_key_length, 0, sizeof ah_key_length); 266 memset (ah_key_rounds, 0, sizeof ah_key_rounds); 267 memset (esp_key_length, 0, sizeof esp_key_length); 268 memset (esp_key_rounds, 0, sizeof esp_key_rounds); 269 memset (comp_dict_size, 0, sizeof comp_dict_size); 270 memset (comp_private_alg, 0, sizeof comp_private_alg); 271 memset (remote_filter_addr_upper, 0, sizeof remote_filter_addr_upper); 272 memset (remote_filter_addr_lower, 0, sizeof remote_filter_addr_lower); 273 memset (local_filter_addr_upper, 0, sizeof local_filter_addr_upper); 274 memset (local_filter_addr_lower, 0, sizeof local_filter_addr_lower); 275 memset (remote_id_addr_upper, 0, sizeof remote_id_addr_upper); 276 memset (remote_id_addr_lower, 0, sizeof remote_id_addr_lower); 277 memset (ah_group_desc, 0, sizeof ah_group_desc); 278 memset (esp_group_desc, 0, sizeof esp_group_desc); 279 memset (remote_id_port, 0, sizeof remote_id_port); 280 memset (remote_filter_port, 0, sizeof remote_filter_port); 281 memset (local_filter_port, 0, sizeof local_filter_port); 282 memset (phase1_group, 0, sizeof phase1_group); 283 284 dirty = 1; 285 return ""; 286 } 287 288 /* 289 * If dirty is set, this is the first request for an attribute, so 290 * populate our value cache. 291 */ 292 if (dirty) 293 { 294 ie = policy_exchange->data; 295 296 if (ie->pfs) 297 pfs = "yes"; 298 299 is = policy_isakmp_sa->data; 300 sprintf (phase1_group, "%u", is->group_desc); 301 302 for (proto = TAILQ_FIRST (&policy_sa->protos); proto; 303 proto = TAILQ_NEXT (proto, link)) 304 { 305 switch (proto->proto) 306 { 307 case IPSEC_PROTO_IPSEC_AH: 308 ah_present = "yes"; 309 switch (proto->id) 310 { 311 case IPSEC_AH_MD5: 312 ah_hash_alg = "md5"; 313 break; 314 315 case IPSEC_AH_SHA: 316 ah_hash_alg = "sha"; 317 break; 318 319 case IPSEC_AH_RIPEMD: 320 ah_hash_alg = "ripemd"; 321 break; 322 323 case IPSEC_AH_DES: 324 ah_hash_alg = "des"; 325 break; 326 } 327 328 break; 329 330 case IPSEC_PROTO_IPSEC_ESP: 331 esp_present = "yes"; 332 switch (proto->id) 333 { 334 case IPSEC_ESP_DES_IV64: 335 esp_enc_alg = "des-iv64"; 336 break; 337 338 case IPSEC_ESP_DES: 339 esp_enc_alg = "des"; 340 break; 341 342 case IPSEC_ESP_3DES: 343 esp_enc_alg = "3des"; 344 break; 345 346 case IPSEC_ESP_AES: 347 esp_enc_alg = "aes"; 348 break; 349 350 case IPSEC_ESP_RC5: 351 esp_enc_alg = "rc5"; 352 break; 353 354 case IPSEC_ESP_IDEA: 355 esp_enc_alg = "idea"; 356 break; 357 358 case IPSEC_ESP_CAST: 359 esp_enc_alg = "cast"; 360 break; 361 362 case IPSEC_ESP_BLOWFISH: 363 esp_enc_alg = "blowfish"; 364 break; 365 366 case IPSEC_ESP_3IDEA: 367 esp_enc_alg = "3idea"; 368 break; 369 370 case IPSEC_ESP_DES_IV32: 371 esp_enc_alg = "des-iv32"; 372 break; 373 374 case IPSEC_ESP_RC4: 375 esp_enc_alg = "rc4"; 376 break; 377 378 case IPSEC_ESP_NULL: 379 esp_enc_alg = "null"; 380 break; 381 } 382 383 break; 384 385 case IPSEC_PROTO_IPCOMP: 386 comp_present = "yes"; 387 switch (proto->id) 388 { 389 case IPSEC_IPCOMP_OUI: 390 comp_alg = "oui"; 391 break; 392 393 case IPSEC_IPCOMP_DEFLATE: 394 comp_alg = "deflate"; 395 break; 396 397 case IPSEC_IPCOMP_LZS: 398 comp_alg = "lzs"; 399 break; 400 401 case IPSEC_IPCOMP_V42BIS: 402 comp_alg = "v42bis"; 403 break; 404 } 405 406 break; 407 } 408 409 for (attr = proto->chosen->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF; 410 attr 411 < proto->chosen->p + GET_ISAKMP_GEN_LENGTH (proto->chosen->p); 412 attr = value + len) 413 { 414 if (attr + ISAKMP_ATTR_VALUE_OFF 415 > (proto->chosen->p 416 + GET_ISAKMP_GEN_LENGTH (proto->chosen->p))) 417 return ""; 418 419 type = GET_ISAKMP_ATTR_TYPE (attr); 420 fmt = ISAKMP_ATTR_FORMAT (type); 421 type = ISAKMP_ATTR_TYPE (type); 422 value = attr + (fmt ? ISAKMP_ATTR_LENGTH_VALUE_OFF : 423 ISAKMP_ATTR_VALUE_OFF); 424 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : 425 GET_ISAKMP_ATTR_LENGTH_VALUE (attr)); 426 427 if (value + len > proto->chosen->p + 428 GET_ISAKMP_GEN_LENGTH (proto->chosen->p)) 429 return ""; 430 431 switch (type) 432 { 433 case IPSEC_ATTR_SA_LIFE_TYPE: 434 lifetype = decode_16 (value); 435 break; 436 437 case IPSEC_ATTR_SA_LIFE_DURATION: 438 switch (proto->proto) 439 { 440 case IPSEC_PROTO_IPSEC_AH: 441 if (lifetype == IPSEC_DURATION_SECONDS) 442 { 443 if (len == 2) 444 sprintf (ah_life_seconds, "%u", 445 decode_16 (value)); 446 else 447 sprintf (ah_life_seconds, "%u", 448 decode_32 (value)); 449 } 450 else 451 { 452 if (len == 2) 453 sprintf (ah_life_kbytes, "%u", 454 decode_16 (value)); 455 else 456 sprintf (ah_life_kbytes, "%u", 457 decode_32 (value)); 458 } 459 460 break; 461 462 case IPSEC_PROTO_IPSEC_ESP: 463 if (lifetype == IPSEC_DURATION_SECONDS) 464 { 465 if (len == 2) 466 sprintf (esp_life_seconds, "%u", 467 decode_16 (value)); 468 else 469 sprintf (esp_life_seconds, "%u", 470 decode_32 (value)); 471 } 472 else 473 { 474 if (len == 2) 475 sprintf (esp_life_kbytes, "%u", 476 decode_16 (value)); 477 else 478 sprintf (esp_life_kbytes, "%u", 479 decode_32 (value)); 480 } 481 482 break; 483 484 case IPSEC_PROTO_IPCOMP: 485 if (lifetype == IPSEC_DURATION_SECONDS) 486 { 487 if (len == 2) 488 sprintf (comp_life_seconds, "%u", 489 decode_16 (value)); 490 else 491 sprintf (comp_life_seconds, "%u", 492 decode_32 (value)); 493 } 494 else 495 { 496 if (len == 2) 497 sprintf (comp_life_kbytes, "%u", 498 decode_16 (value)); 499 else 500 sprintf (comp_life_kbytes, "%u", 501 decode_32 (value)); 502 } 503 504 break; 505 } 506 break; 507 508 case IPSEC_ATTR_GROUP_DESCRIPTION: 509 switch (proto->proto) 510 { 511 case IPSEC_PROTO_IPSEC_AH: 512 sprintf (ah_group_desc, "%u", decode_16 (value)); 513 break; 514 515 case IPSEC_PROTO_IPSEC_ESP: 516 sprintf (esp_group_desc, "%u", 517 decode_16 (value)); 518 break; 519 520 case IPSEC_PROTO_IPCOMP: 521 sprintf (comp_group_desc, "%u", 522 decode_16 (value)); 523 break; 524 } 525 break; 526 527 case IPSEC_ATTR_ENCAPSULATION_MODE: 528 if (decode_16 (value) == IPSEC_ENCAP_TUNNEL) 529 switch (proto->proto) 530 { 531 case IPSEC_PROTO_IPSEC_AH: 532 ah_encapsulation = "tunnel"; 533 break; 534 535 case IPSEC_PROTO_IPSEC_ESP: 536 esp_encapsulation = "tunnel"; 537 break; 538 539 case IPSEC_PROTO_IPCOMP: 540 comp_encapsulation = "tunnel"; 541 break; 542 } 543 else 544 switch (proto->proto) 545 { 546 case IPSEC_PROTO_IPSEC_AH: 547 ah_encapsulation = "transport"; 548 break; 549 550 case IPSEC_PROTO_IPSEC_ESP: 551 esp_encapsulation = "transport"; 552 break; 553 554 case IPSEC_PROTO_IPCOMP: 555 comp_encapsulation = "transport"; 556 break; 557 } 558 break; 559 560 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: 561 switch (proto->proto) 562 { 563 case IPSEC_PROTO_IPSEC_AH: 564 switch (decode_16 (value)) 565 { 566 case IPSEC_AUTH_HMAC_MD5: 567 ah_auth_alg = "hmac-md5"; 568 break; 569 570 case IPSEC_AUTH_HMAC_SHA: 571 ah_auth_alg = "hmac-sha"; 572 break; 573 574 case IPSEC_AUTH_HMAC_RIPEMD: 575 ah_auth_alg = "hmac-ripemd"; 576 break; 577 578 case IPSEC_AUTH_DES_MAC: 579 ah_auth_alg = "des-mac"; 580 break; 581 582 case IPSEC_AUTH_KPDK: 583 ah_auth_alg = "kpdk"; 584 break; 585 } 586 break; 587 588 case IPSEC_PROTO_IPSEC_ESP: 589 switch (decode_16 (value)) 590 { 591 case IPSEC_AUTH_HMAC_MD5: 592 esp_auth_alg = "hmac-md5"; 593 break; 594 595 case IPSEC_AUTH_HMAC_SHA: 596 esp_auth_alg = "hmac-sha"; 597 break; 598 599 case IPSEC_AUTH_HMAC_RIPEMD: 600 esp_auth_alg = "hmac-ripemd"; 601 break; 602 603 case IPSEC_AUTH_DES_MAC: 604 esp_auth_alg = "des-mac"; 605 break; 606 607 case IPSEC_AUTH_KPDK: 608 esp_auth_alg = "kpdk"; 609 break; 610 } 611 break; 612 } 613 break; 614 615 case IPSEC_ATTR_KEY_LENGTH: 616 switch (proto->proto) 617 { 618 case IPSEC_PROTO_IPSEC_AH: 619 sprintf (ah_key_length, "%u", decode_16 (value)); 620 break; 621 622 case IPSEC_PROTO_IPSEC_ESP: 623 sprintf (esp_key_length, "%u", 624 decode_16 (value)); 625 break; 626 } 627 break; 628 629 case IPSEC_ATTR_KEY_ROUNDS: 630 switch (proto->proto) 631 { 632 case IPSEC_PROTO_IPSEC_AH: 633 sprintf (ah_key_rounds, "%u", decode_16 (value)); 634 break; 635 636 case IPSEC_PROTO_IPSEC_ESP: 637 sprintf (esp_key_rounds, "%u", 638 decode_16 (value)); 639 break; 640 } 641 break; 642 643 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: 644 sprintf (comp_dict_size, "%u", decode_16 (value)); 645 break; 646 647 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: 648 sprintf (comp_private_alg, "%u", decode_16 (value)); 649 break; 650 } 651 } 652 } 653 654 policy_sa->transport->vtbl->get_src (policy_sa->transport, &sin); 655 if (sockaddr2text (sin, &addr, 1)) 656 { 657 log_error ("policy_callback: sockaddr2text failed"); 658 goto bad; 659 } 660 strncpy (local_ike_address, addr, sizeof local_ike_address); 661 local_ike_address[sizeof local_ike_address - 1] = '\0'; 662 free (addr); 663 664 policy_sa->transport->vtbl->get_dst (policy_sa->transport, &sin); 665 if (sockaddr2text (sin, &addr, 1)) 666 { 667 log_error ("policy_callback: sockaddr2text failed"); 668 goto bad; 669 } 670 strncpy (remote_ike_address, addr, sizeof remote_ike_address); 671 remote_ike_address[sizeof remote_ike_address - 1] = '\0'; 672 free (addr); 673 674 switch (policy_isakmp_sa->exch_type) 675 { 676 case ISAKMP_EXCH_AGGRESSIVE: 677 phase_1 = "aggressive"; 678 break; 679 680 case ISAKMP_EXCH_ID_PROT: 681 phase_1 = "main"; 682 break; 683 } 684 685 if (policy_isakmp_sa->initiator) 686 { 687 id = policy_isakmp_sa->id_r; 688 id_sz = policy_isakmp_sa->id_r_len; 689 } 690 else 691 { 692 id = policy_isakmp_sa->id_i; 693 id_sz = policy_isakmp_sa->id_i_len; 694 } 695 696 switch (id[0]) 697 { 698 case IPSEC_ID_IPV4_ADDR: 699 remote_id_type = "IPv4 address"; 700 701 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 702 my_inet_ntop4 (&net, remote_id_addr_upper, 703 sizeof remote_id_addr_upper - 1, 1); 704 my_inet_ntop4 (&net, remote_id_addr_lower, 705 sizeof remote_id_addr_lower - 1, 1); 706 remote_id = strdup (remote_id_addr_upper); 707 if (!remote_id) 708 { 709 log_error ("policy_callback: strdup (\"%s\") failed", 710 remote_id_addr_upper); 711 goto bad; 712 } 713 break; 714 715 case IPSEC_ID_IPV4_RANGE: 716 remote_id_type = "IPv4 range"; 717 718 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 719 my_inet_ntop4 (&net, remote_id_addr_lower, 720 sizeof remote_id_addr_lower - 1, 1); 721 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 722 my_inet_ntop4 (&net, remote_id_addr_upper, 723 sizeof remote_id_addr_upper - 1, 1); 724 remote_id = calloc (strlen (remote_id_addr_upper) 725 + strlen (remote_id_addr_lower) + 2, 726 sizeof (char)); 727 if (!remote_id) 728 { 729 log_error ("policy_callback: calloc (%d, %d) failed", 730 strlen (remote_id_addr_upper) 731 + strlen (remote_id_addr_lower) + 2, 732 sizeof (char)); 733 goto bad; 734 } 735 736 strcpy (remote_id, remote_id_addr_lower); 737 remote_id[strlen (remote_id_addr_lower)] = '-'; 738 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 739 remote_id_addr_upper); 740 break; 741 742 case IPSEC_ID_IPV4_ADDR_SUBNET: 743 remote_id_type = "IPv4 subnet"; 744 745 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 746 subnet = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 747 net &= subnet; 748 my_inet_ntop4 (&net, remote_id_addr_lower, 749 sizeof remote_id_addr_lower - 1, 1); 750 net |= ~subnet; 751 my_inet_ntop4 (&net, remote_id_addr_upper, 752 sizeof remote_id_addr_upper - 1, 1); 753 remote_id = calloc (strlen (remote_id_addr_upper) 754 + strlen (remote_id_addr_lower) + 2, 755 sizeof (char)); 756 if (!remote_id) 757 { 758 log_error ("policy_callback: calloc (%d, %d) failed", 759 strlen (remote_id_addr_upper) 760 + strlen (remote_id_addr_lower) + 2, 761 sizeof (char)); 762 goto bad; 763 } 764 765 strcpy (remote_id, remote_id_addr_lower); 766 remote_id[strlen (remote_id_addr_lower)] = '-'; 767 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 768 remote_id_addr_upper); 769 break; 770 771 case IPSEC_ID_IPV6_ADDR: 772 remote_id_type = "IPv6 address"; 773 my_inet_ntop6 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 774 remote_id_addr_upper, sizeof remote_id_addr_upper); 775 strcpy (remote_id_addr_lower, remote_id_addr_upper); 776 remote_id = strdup (remote_id_addr_upper); 777 if (!remote_id) 778 { 779 log_error ("policy_callback: strdup (\"%s\") failed", 780 remote_id_addr_upper); 781 goto bad; 782 } 783 break; 784 785 case IPSEC_ID_IPV6_RANGE: 786 remote_id_type = "IPv6 range"; 787 788 my_inet_ntop6 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 789 remote_id_addr_lower, 790 sizeof remote_id_addr_lower - 1); 791 792 my_inet_ntop6 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, 793 remote_id_addr_upper, 794 sizeof remote_id_addr_upper - 1); 795 796 remote_id = calloc (strlen (remote_id_addr_upper) + 797 strlen (remote_id_addr_lower) + 2, 798 sizeof (char)); 799 if (!remote_id) 800 { 801 log_error ("policy_callback: calloc (%d, %d) failed", 802 strlen (remote_id_addr_upper) 803 + strlen (remote_id_addr_lower) + 2, 804 sizeof (char)); 805 goto bad; 806 } 807 808 strcpy (remote_id, remote_id_addr_lower); 809 remote_id[strlen (remote_id_addr_lower)] = '-'; 810 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 811 remote_id_addr_upper); 812 break; 813 814 case IPSEC_ID_IPV6_ADDR_SUBNET: 815 { 816 struct in6_addr net, mask; 817 818 remote_id_type = "IPv6 subnet"; 819 820 bcopy (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, &net, sizeof (net)); 821 bcopy (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, &mask, 822 sizeof (mask)); 823 824 for (i = 0; i < 16; i++) 825 net.s6_addr[i] &= mask.s6_addr[i]; 826 827 my_inet_ntop6 ((char *) &net, remote_id_addr_lower, 828 sizeof remote_id_addr_lower - 1); 829 830 for (i = 0; i < 16; i++) 831 net.s6_addr[i] |= ~mask.s6_addr[i]; 832 833 my_inet_ntop6 ((char *) &net, remote_id_addr_upper, 834 sizeof remote_id_addr_upper - 1); 835 836 remote_id = calloc (strlen (remote_id_addr_upper) + 837 strlen (remote_id_addr_lower) + 2, 838 sizeof (char)); 839 if (!remote_id) 840 { 841 log_error ("policy_callback: calloc (%d, %d) failed", 842 strlen (remote_id_addr_upper) 843 + strlen (remote_id_addr_lower) + 2, 844 sizeof (char)); 845 goto bad; 846 } 847 848 strcpy (remote_id, remote_id_addr_lower); 849 remote_id[strlen (remote_id_addr_lower)] = '-'; 850 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 851 remote_id_addr_upper); 852 break; 853 } 854 855 case IPSEC_ID_FQDN: 856 remote_id_type = "FQDN"; 857 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 858 sizeof (char)); 859 if (!remote_id) 860 { 861 log_error ("policy_callback: calloc (%d, %d) failed", 862 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 863 sizeof (char)); 864 goto bad; 865 } 866 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 867 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 868 break; 869 870 case IPSEC_ID_USER_FQDN: 871 remote_id_type = "User FQDN"; 872 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 873 sizeof (char)); 874 if (!remote_id) 875 { 876 log_error ("policy_callback: calloc (%d, %d) failed", 877 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 878 sizeof (char)); 879 goto bad; 880 } 881 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 882 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 883 break; 884 885 case IPSEC_ID_DER_ASN1_DN: 886 remote_id_type = "ASN1 DN"; 887 888 remote_id = calloc (257, sizeof (char)); 889 if (!remote_id) 890 { 891 log_error ("policy_callback: calloc (%d, %d) failed", 257, 892 sizeof (char)); 893 goto bad; 894 } 895 896 addr = id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 897 x509name = LC (d2i_X509_NAME, (NULL, (unsigned char **) &addr, 898 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ)); 899 if (!x509name) 900 { 901 log_error ("policy_callback: failed to initialize DN"); 902 goto bad; 903 } 904 if (!LC (X509_NAME_oneline, (x509name, remote_id, 256))) 905 { 906 LOG_DBG ((LOG_POLICY, 50, 907 "policy_callback: failed to decode name")); 908 LC (X509_NAME_free, (x509name)); 909 goto bad; 910 911 } 912 LC (X509_NAME_free, (x509name)); 913 break; 914 915 case IPSEC_ID_DER_ASN1_GN: /* XXX */ 916 remote_id_type = "ASN1 GN"; 917 break; 918 919 case IPSEC_ID_KEY_ID: 920 remote_id_type = "Key ID"; 921 remote_id 922 = calloc (2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 923 sizeof (char)); 924 if (!remote_id) 925 { 926 log_error ("policy_callback: calloc (%d, %d) failed", 927 2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 928 sizeof (char)); 929 goto bad; 930 } 931 /* Does it contain any non-printable characters ? */ 932 for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++) 933 if (!isprint (*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + i))) 934 break; 935 if (i >= id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) 936 { 937 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 938 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 939 break; 940 } 941 /* Non-printable characters, convert to hex */ 942 for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++) 943 { 944 remote_id[2 * i] 945 = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]; 946 remote_id[2 * i + 1] 947 = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF]; 948 } 949 break; 950 951 default: 952 log_print ("policy_callback: unknown remote ID type %u", id[0]); 953 goto bad; 954 } 955 956 switch (id[1]) 957 { 958 case IPPROTO_TCP: 959 remote_id_proto = "tcp"; 960 break; 961 962 case IPPROTO_UDP: 963 remote_id_proto = "udp"; 964 break; 965 966 #ifdef IPPROTO_ETHERIP 967 case IPPROTO_ETHERIP: 968 remote_id_proto = "etherip"; 969 break; 970 #endif 971 972 default: 973 sprintf (remote_id_proto_num, "%2d", id[1]); 974 remote_id_proto = remote_id_proto_num; 975 break; 976 } 977 978 snprintf (remote_id_port, sizeof remote_id_port - 1, "%u", 979 decode_16 (id + 2)); 980 981 if (policy_exchange->initiator) 982 { 983 initiator = "yes"; 984 idlocal = ie->id_ci; 985 idremote = ie->id_cr; 986 idlocalsz = ie->id_ci_sz; 987 idremotesz = ie->id_cr_sz; 988 } 989 else 990 { 991 initiator = "no"; 992 idlocal = ie->id_cr; 993 idremote = ie->id_ci; 994 idlocalsz = ie->id_cr_sz; 995 idremotesz = ie->id_ci_sz; 996 } 997 998 /* Initialize the ID variables. */ 999 if (idremote) 1000 { 1001 switch (GET_ISAKMP_ID_TYPE (idremote)) 1002 { 1003 case IPSEC_ID_IPV4_ADDR: 1004 remote_filter_type = "IPv4 address"; 1005 1006 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 1007 my_inet_ntop4 (&net, remote_filter_addr_upper, 1008 sizeof remote_filter_addr_upper - 1, 1); 1009 my_inet_ntop4 (&net, remote_filter_addr_lower, 1010 sizeof remote_filter_addr_lower - 1, 1); 1011 remote_filter = strdup (remote_filter_addr_upper); 1012 if (!remote_filter) 1013 { 1014 log_error ("policy_callback: strdup (\"%s\") failed", 1015 remote_filter_addr_upper); 1016 goto bad; 1017 } 1018 break; 1019 1020 case IPSEC_ID_IPV4_RANGE: 1021 remote_filter_type = "IPv4 range"; 1022 1023 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 1024 my_inet_ntop4 (&net, remote_filter_addr_lower, 1025 sizeof remote_filter_addr_lower - 1, 1); 1026 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 1027 my_inet_ntop4 (&net, remote_filter_addr_upper, 1028 sizeof remote_filter_addr_upper - 1, 1); 1029 remote_filter = calloc (strlen (remote_filter_addr_upper) 1030 + strlen (remote_filter_addr_lower) + 2, 1031 sizeof (char)); 1032 if (!remote_filter) 1033 { 1034 log_error ("policy_callback: calloc (%d, %d) failed", 1035 strlen (remote_filter_addr_upper) 1036 + strlen (remote_filter_addr_lower) + 2, 1037 sizeof (char)); 1038 goto bad; 1039 } 1040 strcpy (remote_filter, remote_filter_addr_lower); 1041 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 1042 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 1043 remote_filter_addr_upper); 1044 break; 1045 1046 case IPSEC_ID_IPV4_ADDR_SUBNET: 1047 remote_filter_type = "IPv4 subnet"; 1048 1049 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 1050 subnet = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 1051 net &= subnet; 1052 my_inet_ntop4 (&net, remote_filter_addr_lower, 1053 sizeof remote_filter_addr_lower - 1, 1); 1054 net |= ~subnet; 1055 my_inet_ntop4 (&net, remote_filter_addr_upper, 1056 sizeof remote_filter_addr_upper - 1, 1); 1057 remote_filter = calloc (strlen (remote_filter_addr_upper) 1058 + strlen (remote_filter_addr_lower) + 2, 1059 sizeof (char)); 1060 if (!remote_filter) 1061 { 1062 log_error ("policy_callback: calloc (%d, %d) failed", 1063 strlen (remote_filter_addr_upper) 1064 + strlen (remote_filter_addr_lower) + 2, 1065 sizeof (char)); 1066 goto bad; 1067 } 1068 strcpy (remote_filter, remote_filter_addr_lower); 1069 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 1070 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 1071 remote_filter_addr_upper); 1072 break; 1073 1074 case IPSEC_ID_IPV6_ADDR: 1075 remote_filter_type = "IPv6 address"; 1076 my_inet_ntop6 (idremote + ISAKMP_ID_DATA_OFF, 1077 remote_filter_addr_upper, 1078 sizeof remote_filter_addr_upper - 1); 1079 strcpy (remote_filter_addr_lower, remote_filter_addr_upper); 1080 remote_filter = strdup (remote_filter_addr_upper); 1081 if (!remote_filter) 1082 { 1083 log_error ("policy_callback: strdup (\"%s\") failed", 1084 remote_filter_addr_upper); 1085 goto bad; 1086 } 1087 break; 1088 1089 case IPSEC_ID_IPV6_RANGE: 1090 remote_filter_type = "IPv6 range"; 1091 1092 my_inet_ntop6 (idremote + ISAKMP_ID_DATA_OFF, 1093 remote_filter_addr_lower, 1094 sizeof remote_filter_addr_lower - 1); 1095 1096 my_inet_ntop6 (idremote + ISAKMP_ID_DATA_OFF + 16, 1097 remote_filter_addr_upper, 1098 sizeof remote_filter_addr_upper - 1); 1099 1100 remote_filter = calloc (strlen (remote_filter_addr_upper) + 1101 strlen (remote_filter_addr_lower) + 2, 1102 sizeof (char)); 1103 if (!remote_filter) 1104 { 1105 log_error ("policy_callback: calloc (%d, %d) failed", 1106 strlen (remote_filter_addr_upper) + 1107 strlen (remote_filter_addr_lower) + 2, 1108 sizeof (char)); 1109 goto bad; 1110 } 1111 1112 strcpy (remote_filter, remote_filter_addr_lower); 1113 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 1114 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 1115 remote_filter_addr_upper); 1116 break; 1117 1118 case IPSEC_ID_IPV6_ADDR_SUBNET: 1119 { 1120 struct in6_addr net, mask; 1121 1122 remote_filter_type = "IPv6 subnet"; 1123 1124 bcopy (idremote + ISAKMP_ID_DATA_OFF, &net, sizeof (net)); 1125 bcopy (idremote + ISAKMP_ID_DATA_OFF + 16, &mask, sizeof (mask)); 1126 1127 for (i = 0; i < 16; i++) 1128 net.s6_addr[i] &= mask.s6_addr[i]; 1129 1130 my_inet_ntop6 ((char *) &net, remote_filter_addr_lower, 1131 sizeof remote_filter_addr_lower - 1); 1132 1133 for (i = 0; i < 16; i++) 1134 net.s6_addr[i] |= ~mask.s6_addr[i]; 1135 1136 my_inet_ntop6 ((char *) &net, remote_filter_addr_upper, 1137 sizeof remote_filter_addr_upper - 1); 1138 1139 remote_filter = calloc (strlen (remote_filter_addr_upper) + 1140 strlen (remote_filter_addr_lower) + 2, 1141 sizeof (char)); 1142 if (!remote_filter) 1143 { 1144 log_error ("policy_callback: calloc (%d, %d) failed", 1145 strlen (remote_filter_addr_upper) + 1146 strlen (remote_filter_addr_lower) + 2, 1147 sizeof (char)); 1148 goto bad; 1149 } 1150 1151 strcpy (remote_filter, remote_filter_addr_lower); 1152 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 1153 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 1154 remote_filter_addr_upper); 1155 break; 1156 } 1157 1158 case IPSEC_ID_FQDN: 1159 remote_filter_type = "FQDN"; 1160 remote_filter = calloc (idremotesz - ISAKMP_ID_DATA_OFF + 1, 1161 sizeof (char)); 1162 if (!remote_filter) 1163 { 1164 log_error ("policy_callback: calloc (%d, %d) failed", 1165 idremotesz - ISAKMP_ID_DATA_OFF + 1, 1166 sizeof (char)); 1167 goto bad; 1168 } 1169 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 1170 idremotesz); 1171 break; 1172 1173 case IPSEC_ID_USER_FQDN: 1174 remote_filter_type = "User FQDN"; 1175 remote_filter = calloc (idremotesz - ISAKMP_ID_DATA_OFF + 1, 1176 sizeof (char)); 1177 if (!remote_filter) 1178 { 1179 log_error ("policy_callback: calloc (%d, %d) failed", 1180 idremotesz - ISAKMP_ID_DATA_OFF + 1, 1181 sizeof (char)); 1182 goto bad; 1183 } 1184 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 1185 idremotesz); 1186 break; 1187 1188 case IPSEC_ID_DER_ASN1_DN: 1189 remote_filter_type = "ASN1 DN"; 1190 1191 remote_filter = calloc (257, sizeof (char)); 1192 if (!remote_filter) 1193 { 1194 log_error ("policy_callback: calloc (%d, %d) failed", 257, 1195 sizeof (char)); 1196 goto bad; 1197 } 1198 1199 addr = idremote + ISAKMP_ID_DATA_OFF; 1200 x509name = LC (d2i_X509_NAME, (NULL, (unsigned char **) &addr, 1201 idremotesz - ISAKMP_ID_DATA_OFF)); 1202 if (!x509name) 1203 { 1204 log_error ("policy_callback: failed to initialize DN"); 1205 goto bad; 1206 } 1207 if (!LC (X509_NAME_oneline, (x509name, remote_filter, 256))) 1208 { 1209 LOG_DBG ((LOG_POLICY, 50, 1210 "policy_callback: failed to decode name")); 1211 LC (X509_NAME_free, (x509name)); 1212 goto bad; 1213 } 1214 LC (X509_NAME_free, (x509name)); 1215 break; 1216 1217 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 1218 remote_filter_type = "ASN1 GN"; 1219 break; 1220 1221 case IPSEC_ID_KEY_ID: 1222 remote_filter_type = "Key ID"; 1223 remote_filter 1224 = calloc (2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, 1225 sizeof (char)); 1226 if (!remote_filter) 1227 { 1228 log_error ("policy_callback: calloc (%d, %d) failed", 1229 2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, 1230 sizeof (char)); 1231 goto bad; 1232 } 1233 /* Does it contain any non-printable characters ? */ 1234 for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1235 if (!isprint (*(idremote + ISAKMP_ID_DATA_OFF + i))) 1236 break; 1237 if (i >= idremotesz - ISAKMP_ID_DATA_OFF) 1238 { 1239 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 1240 idremotesz - ISAKMP_ID_DATA_OFF); 1241 break; 1242 } 1243 /* Non-printable characters, convert to hex */ 1244 for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1245 { 1246 remote_filter[2 * i] 1247 = hextab[*(idremote + ISAKMP_ID_DATA_OFF) >> 4]; 1248 remote_filter[2 * i + 1] 1249 = hextab[*(idremote + ISAKMP_ID_DATA_OFF) & 0xF]; 1250 } 1251 break; 1252 1253 default: 1254 log_print ("policy_callback: unknown Remote ID type %u", 1255 GET_ISAKMP_ID_TYPE (idremote)); 1256 goto bad; 1257 } 1258 1259 switch (idremote[ISAKMP_GEN_SZ + 1]) 1260 { 1261 case IPPROTO_TCP: 1262 remote_filter_proto = "tcp"; 1263 break; 1264 1265 case IPPROTO_UDP: 1266 remote_filter_proto = "udp"; 1267 break; 1268 1269 #ifdef IPPROTO_ETHERIP 1270 case IPPROTO_ETHERIP: 1271 remote_filter_proto = "etherip"; 1272 break; 1273 #endif 1274 1275 default: 1276 sprintf (remote_filter_proto_num, "%2d", 1277 idremote[ISAKMP_GEN_SZ + 1]); 1278 remote_filter_proto = remote_filter_proto_num; 1279 break; 1280 } 1281 1282 snprintf (remote_filter_port, sizeof remote_filter_port - 1, 1283 "%u", decode_16 (idremote + ISAKMP_GEN_SZ + 2)); 1284 } 1285 else 1286 { 1287 policy_sa->transport->vtbl->get_dst (policy_sa->transport, &sin); 1288 switch (sin->sa_family) 1289 { 1290 case AF_INET: 1291 remote_filter_type = "IPv4 address"; 1292 break; 1293 case AF_INET6: 1294 remote_filter_type = "IPv6 address"; 1295 break; 1296 default: 1297 log_print ("policy_callback: unsupported protocol family %d", 1298 sin->sa_family); 1299 goto bad; 1300 } 1301 if (sockaddr2text (sin, &addr, 1)) 1302 { 1303 log_error ("policy_callback: sockaddr2text failed"); 1304 goto bad; 1305 } 1306 memcpy (remote_filter_addr_upper, addr, 1307 sizeof remote_filter_addr_upper); 1308 memcpy (remote_filter_addr_lower, addr, 1309 sizeof remote_filter_addr_lower); 1310 free (addr); 1311 remote_filter = strdup (remote_filter_addr_upper); 1312 if (!remote_filter) 1313 { 1314 log_error ("policy_callback: strdup (\"%s\") failed", 1315 remote_filter_addr_upper); 1316 goto bad; 1317 } 1318 } 1319 1320 if (idlocal) 1321 { 1322 switch (GET_ISAKMP_ID_TYPE (idlocal)) 1323 { 1324 case IPSEC_ID_IPV4_ADDR: 1325 local_filter_type = "IPv4 address"; 1326 1327 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1328 my_inet_ntop4 (&net, local_filter_addr_upper, 1329 sizeof local_filter_addr_upper - 1, 1); 1330 my_inet_ntop4 (&net, local_filter_addr_lower, 1331 sizeof local_filter_addr_upper - 1, 1); 1332 local_filter = strdup (local_filter_addr_upper); 1333 if (!local_filter) 1334 { 1335 log_error ("policy_callback: strdup (\"%s\") failed", 1336 local_filter_addr_upper); 1337 goto bad; 1338 } 1339 break; 1340 1341 case IPSEC_ID_IPV4_RANGE: 1342 local_filter_type = "IPv4 range"; 1343 1344 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1345 my_inet_ntop4 (&net, local_filter_addr_lower, 1346 sizeof local_filter_addr_lower - 1, 1); 1347 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1348 my_inet_ntop4 (&net, local_filter_addr_upper, 1349 sizeof local_filter_addr_upper - 1, 1); 1350 local_filter = calloc (strlen (local_filter_addr_upper) 1351 + strlen (local_filter_addr_lower) + 2, 1352 sizeof (char)); 1353 if (!local_filter) 1354 { 1355 log_error ("policy_callback: calloc (%d, %d) failed", 1356 strlen (local_filter_addr_upper) 1357 + strlen (local_filter_addr_lower) + 2, 1358 sizeof (char)); 1359 goto bad; 1360 } 1361 strcpy (local_filter, local_filter_addr_lower); 1362 local_filter[strlen (local_filter_addr_lower)] = '-'; 1363 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1364 local_filter_addr_upper); 1365 break; 1366 1367 case IPSEC_ID_IPV4_ADDR_SUBNET: 1368 local_filter_type = "IPv4 subnet"; 1369 1370 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1371 subnet = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1372 net &= subnet; 1373 my_inet_ntop4 (&net, local_filter_addr_lower, 1374 sizeof local_filter_addr_lower - 1, 1); 1375 net |= ~subnet; 1376 my_inet_ntop4 (&net, local_filter_addr_upper, 1377 sizeof local_filter_addr_upper - 1, 1); 1378 local_filter = calloc (strlen (local_filter_addr_upper) 1379 + strlen (local_filter_addr_lower) + 2, 1380 sizeof (char)); 1381 if (!local_filter) 1382 { 1383 log_error ("policy_callback: calloc (%d, %d) failed", 1384 strlen (local_filter_addr_upper) 1385 + strlen (local_filter_addr_lower) + 2, 1386 sizeof (char)); 1387 goto bad; 1388 } 1389 strcpy (local_filter, local_filter_addr_lower); 1390 local_filter[strlen (local_filter_addr_lower)] = '-'; 1391 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1392 local_filter_addr_upper); 1393 break; 1394 1395 case IPSEC_ID_IPV6_ADDR: 1396 local_filter_type = "IPv6 address"; 1397 my_inet_ntop6 (idlocal + ISAKMP_ID_DATA_OFF, 1398 local_filter_addr_upper, 1399 sizeof local_filter_addr_upper - 1); 1400 strcpy (local_filter_addr_lower, local_filter_addr_upper); 1401 local_filter = strdup (local_filter_addr_upper); 1402 if (!local_filter) 1403 { 1404 log_error ("policy_callback: strdup (\"%s\") failed", 1405 local_filter_addr_upper); 1406 goto bad; 1407 } 1408 break; 1409 1410 case IPSEC_ID_IPV6_RANGE: 1411 local_filter_type = "IPv6 range"; 1412 1413 my_inet_ntop6 (idlocal + ISAKMP_ID_DATA_OFF, 1414 local_filter_addr_lower, 1415 sizeof local_filter_addr_lower - 1); 1416 1417 my_inet_ntop6 (idlocal + ISAKMP_ID_DATA_OFF + 16, 1418 local_filter_addr_upper, 1419 sizeof local_filter_addr_upper - 1); 1420 1421 local_filter = calloc (strlen (local_filter_addr_upper) + 1422 strlen (local_filter_addr_lower) + 2, 1423 sizeof (char)); 1424 if (!local_filter) 1425 { 1426 log_error ("policy_callback: calloc (%d, %d) failed", 1427 strlen (local_filter_addr_upper) + 1428 strlen (local_filter_addr_lower) + 2, 1429 sizeof (char)); 1430 goto bad; 1431 } 1432 1433 strcpy (local_filter, local_filter_addr_lower); 1434 local_filter[strlen (local_filter_addr_lower)] = '-'; 1435 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1436 local_filter_addr_upper); 1437 break; 1438 1439 case IPSEC_ID_IPV6_ADDR_SUBNET: 1440 { 1441 struct in6_addr net, mask; 1442 1443 local_filter_type = "IPv6 subnet"; 1444 1445 bcopy (idlocal + ISAKMP_ID_DATA_OFF, &net, sizeof (net)); 1446 bcopy (idlocal + ISAKMP_ID_DATA_OFF + 16, &mask, sizeof (mask)); 1447 1448 for (i = 0; i < 16; i++) 1449 net.s6_addr[i] &= mask.s6_addr[i]; 1450 1451 my_inet_ntop6 ((char *) &net, local_filter_addr_lower, 1452 sizeof local_filter_addr_lower - 1); 1453 1454 for (i = 0; i < 16; i++) 1455 net.s6_addr[i] |= ~mask.s6_addr[i]; 1456 1457 my_inet_ntop6 ((char *) &net, local_filter_addr_upper, 1458 sizeof local_filter_addr_upper - 1); 1459 1460 local_filter = calloc (strlen (local_filter_addr_upper) + 1461 strlen (local_filter_addr_lower) + 2, 1462 sizeof (char)); 1463 if (!local_filter) 1464 { 1465 log_error ("policy_callback: calloc (%d, %d) failed", 1466 strlen (local_filter_addr_upper) + 1467 strlen (local_filter_addr_lower) + 2, 1468 sizeof (char)); 1469 goto bad; 1470 } 1471 1472 strcpy (local_filter, local_filter_addr_lower); 1473 local_filter[strlen (local_filter_addr_lower)] = '-'; 1474 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1475 local_filter_addr_upper); 1476 break; 1477 } 1478 1479 case IPSEC_ID_FQDN: 1480 local_filter_type = "FQDN"; 1481 local_filter = calloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1482 sizeof (char)); 1483 if (!local_filter) 1484 { 1485 log_error ("policy_callback: calloc (%d, %d) failed", 1486 idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1487 sizeof (char)); 1488 goto bad; 1489 } 1490 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1491 idlocalsz); 1492 break; 1493 1494 case IPSEC_ID_USER_FQDN: 1495 local_filter_type = "User FQDN"; 1496 local_filter = calloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1497 sizeof (char)); 1498 if (!local_filter) 1499 { 1500 log_error ("policy_callback: calloc (%d, %d) failed", 1501 idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1502 sizeof (char)); 1503 goto bad; 1504 } 1505 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1506 idlocalsz); 1507 break; 1508 1509 case IPSEC_ID_DER_ASN1_DN: 1510 local_filter_type = "ASN1 DN"; 1511 1512 local_filter = calloc (257, sizeof (char)); 1513 if (!local_filter) 1514 { 1515 log_error ("policy_callback: calloc (%d, %d) failed", 257, 1516 sizeof (char)); 1517 goto bad; 1518 } 1519 1520 addr = idlocal + ISAKMP_ID_DATA_OFF; 1521 x509name = LC (d2i_X509_NAME, (NULL, (unsigned char **) &addr, 1522 idlocalsz - ISAKMP_ID_DATA_OFF)); 1523 if (!x509name) 1524 { 1525 log_error ("policy_callback: failed to initialize DN"); 1526 goto bad; 1527 } 1528 if (!LC (X509_NAME_oneline, (x509name, local_filter, 256))) 1529 { 1530 LOG_DBG ((LOG_POLICY, 50, 1531 "policy_callback: failed to decode name")); 1532 LC (X509_NAME_free, (x509name)); 1533 goto bad; 1534 } 1535 LC (X509_NAME_free, (x509name)); 1536 break; 1537 1538 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 1539 local_filter_type = "ASN1 GN"; 1540 break; 1541 1542 case IPSEC_ID_KEY_ID: 1543 local_filter_type = "Key ID"; 1544 local_filter = calloc (2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, 1545 sizeof (char)); 1546 if (!local_filter) 1547 { 1548 log_error ("policy_callback: calloc (%d, %d) failed", 1549 2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, 1550 sizeof (char)); 1551 goto bad; 1552 } 1553 /* Does it contain any non-printable characters ? */ 1554 for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1555 if (!isprint (*(idlocal + ISAKMP_ID_DATA_OFF + i))) 1556 break; 1557 if (i >= idlocalsz - ISAKMP_ID_DATA_OFF) 1558 { 1559 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1560 idlocalsz - ISAKMP_ID_DATA_OFF); 1561 break; 1562 } 1563 /* Non-printable characters, convert to hex */ 1564 for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1565 { 1566 local_filter[2 * i] 1567 = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) >> 4]; 1568 local_filter[2 * i + 1] 1569 = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) & 0xF]; 1570 } 1571 break; 1572 1573 default: 1574 log_print ("policy_callback: unknown Local ID type %u", 1575 GET_ISAKMP_ID_TYPE (idlocal)); 1576 goto bad; 1577 } 1578 1579 switch (idlocal[ISAKMP_GEN_SZ + 1]) 1580 { 1581 case IPPROTO_TCP: 1582 local_filter_proto = "tcp"; 1583 break; 1584 1585 case IPPROTO_UDP: 1586 local_filter_proto = "udp"; 1587 break; 1588 1589 #ifdef IPPROTO_ETHERIP 1590 case IPPROTO_ETHERIP: 1591 local_filter_proto = "etherip"; 1592 break; 1593 #endif 1594 1595 default: 1596 sprintf (local_filter_proto_num, "%2d", 1597 idlocal[ISAKMP_GEN_SZ + 1]); 1598 local_filter_proto = local_filter_proto_num; 1599 break; 1600 } 1601 1602 snprintf (local_filter_port, sizeof local_filter_port - 1, 1603 "%u", decode_16 (idlocal + ISAKMP_GEN_SZ + 2)); 1604 } 1605 else 1606 { 1607 policy_sa->transport->vtbl->get_src (policy_sa->transport, 1608 (struct sockaddr **)&sin); 1609 switch (sin->sa_family) 1610 { 1611 case AF_INET: 1612 local_filter_type = "IPv4 address"; 1613 break; 1614 case AF_INET6: 1615 local_filter_type = "IPv6 address"; 1616 break; 1617 default: 1618 log_print ("policy_callback: unsupported protocol family %d", 1619 sin->sa_family); 1620 goto bad; 1621 } 1622 1623 if (sockaddr2text (sin, &addr, 1)) 1624 { 1625 log_error ("policy_callback: sockaddr2text failed"); 1626 goto bad; 1627 } 1628 memcpy (local_filter_addr_upper, addr, 1629 sizeof local_filter_addr_upper); 1630 memcpy (local_filter_addr_lower, addr, 1631 sizeof local_filter_addr_lower); 1632 free (addr); 1633 local_filter = strdup (local_filter_addr_upper); 1634 if (!local_filter) 1635 { 1636 log_error ("policy_callback: strdup (\"%s\") failed", 1637 local_filter_addr_upper); 1638 goto bad; 1639 } 1640 } 1641 1642 LOG_DBG ((LOG_POLICY, 80, "Policy context (action attributes):")); 1643 LOG_DBG ((LOG_POLICY, 80, "esp_present == %s", esp_present)); 1644 LOG_DBG ((LOG_POLICY, 80, "ah_present == %s", ah_present)); 1645 LOG_DBG ((LOG_POLICY, 80, "comp_present == %s", comp_present)); 1646 LOG_DBG ((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg)); 1647 LOG_DBG ((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg)); 1648 LOG_DBG ((LOG_POLICY, 80, "comp_alg == %s", comp_alg)); 1649 LOG_DBG ((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg)); 1650 LOG_DBG ((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg)); 1651 LOG_DBG ((LOG_POLICY, 80, "ah_life_seconds == %s", ah_life_seconds)); 1652 LOG_DBG ((LOG_POLICY, 80, "ah_life_kbytes == %s", ah_life_kbytes)); 1653 LOG_DBG ((LOG_POLICY, 80, "esp_life_seconds == %s", esp_life_seconds)); 1654 LOG_DBG ((LOG_POLICY, 80, "esp_life_kbytes == %s", esp_life_kbytes)); 1655 LOG_DBG ((LOG_POLICY, 80, "comp_life_seconds == %s", comp_life_seconds)); 1656 LOG_DBG ((LOG_POLICY, 80, "comp_life_kbytes == %s", comp_life_kbytes)); 1657 LOG_DBG ((LOG_POLICY, 80, "ah_encapsulation == %s", ah_encapsulation)); 1658 LOG_DBG ((LOG_POLICY, 80, "esp_encapsulation == %s", esp_encapsulation)); 1659 LOG_DBG ((LOG_POLICY, 80, "comp_encapsulation == %s", 1660 comp_encapsulation)); 1661 LOG_DBG ((LOG_POLICY, 80, "comp_dict_size == %s", comp_dict_size)); 1662 LOG_DBG ((LOG_POLICY, 80, "comp_private_alg == %s", comp_private_alg)); 1663 LOG_DBG ((LOG_POLICY, 80, "ah_key_length == %s", ah_key_length)); 1664 LOG_DBG ((LOG_POLICY, 80, "ah_key_rounds == %s", ah_key_rounds)); 1665 LOG_DBG ((LOG_POLICY, 80, "esp_key_length == %s", esp_key_length)); 1666 LOG_DBG ((LOG_POLICY, 80, "esp_key_rounds == %s", esp_key_rounds)); 1667 LOG_DBG ((LOG_POLICY, 80, "ah_group_desc == %s", ah_group_desc)); 1668 LOG_DBG ((LOG_POLICY, 80, "esp_group_desc == %s", esp_group_desc)); 1669 LOG_DBG ((LOG_POLICY, 80, "comp_group_desc == %s", comp_group_desc)); 1670 LOG_DBG ((LOG_POLICY, 80, "remote_filter_type == %s", 1671 remote_filter_type)); 1672 LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_upper == %s", 1673 remote_filter_addr_upper)); 1674 LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_lower == %s", 1675 remote_filter_addr_lower)); 1676 LOG_DBG ((LOG_POLICY, 80, "remote_filter == %s", 1677 (remote_filter ? remote_filter : ""))); 1678 LOG_DBG ((LOG_POLICY, 80, "remote_filter_port == %s", 1679 remote_filter_port)); 1680 LOG_DBG ((LOG_POLICY, 80, "remote_filter_proto == %s", 1681 remote_filter_proto)); 1682 LOG_DBG ((LOG_POLICY, 80, "local_filter_type == %s", local_filter_type)); 1683 LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_upper == %s", 1684 local_filter_addr_upper)); 1685 LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_lower == %s", 1686 local_filter_addr_lower)); 1687 LOG_DBG ((LOG_POLICY, 80, "local_filter == %s", 1688 (local_filter ? local_filter : ""))); 1689 LOG_DBG ((LOG_POLICY, 80, "local_filter_port == %s", local_filter_port)); 1690 LOG_DBG ((LOG_POLICY, 80, "local_filter_proto == %s", 1691 local_filter_proto)); 1692 LOG_DBG ((LOG_POLICY, 80, "remote_id_type == %s", remote_id_type)); 1693 LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_upper == %s", 1694 remote_id_addr_upper)); 1695 LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_lower == %s", 1696 remote_id_addr_lower)); 1697 LOG_DBG ((LOG_POLICY, 80, "remote_id == %s", 1698 (remote_id ? remote_id : ""))); 1699 LOG_DBG ((LOG_POLICY, 80, "remote_id_port == %s", remote_id_port)); 1700 LOG_DBG ((LOG_POLICY, 80, "remote_id_proto == %s", remote_id_proto)); 1701 LOG_DBG ((LOG_POLICY, 80, "remote_negotiation_address == %s", 1702 remote_ike_address)); 1703 LOG_DBG ((LOG_POLICY, 80, "local_negotiation_address == %s", 1704 local_ike_address)); 1705 LOG_DBG ((LOG_POLICY, 80, "pfs == %s", pfs)); 1706 LOG_DBG ((LOG_POLICY, 80, "initiator == %s", initiator)); 1707 LOG_DBG ((LOG_POLICY, 80, "phase1_group_desc == %s", phase1_group)); 1708 1709 /* Unset dirty now. */ 1710 dirty = 0; 1711 } 1712 1713 if (strcmp (name, "phase_1") == 0) 1714 return phase_1; 1715 1716 if (strcmp (name, "GMTTimeOfDay") == 0) 1717 { 1718 tt = time ((time_t) NULL); 1719 strftime (mytimeofday, 14, "%G%m%d%H%M%S", gmtime (&tt)); 1720 return mytimeofday; 1721 } 1722 1723 if (strcmp (name, "LocalTimeOfDay") == 0) 1724 { 1725 tt = time ((time_t) NULL); 1726 strftime (mytimeofday, 14, "%G%m%d%H%M%S", localtime (&tt)); 1727 return mytimeofday; 1728 } 1729 1730 if (strcmp (name, "initiator") == 0) 1731 return initiator; 1732 1733 if (strcmp (name, "pfs") == 0) 1734 return pfs; 1735 1736 if (strcmp (name, "app_domain") == 0) 1737 return "IPsec policy"; 1738 1739 if (strcmp (name, "doi") == 0) 1740 return "ipsec"; 1741 1742 if (strcmp (name, "esp_present") == 0) 1743 return esp_present; 1744 1745 if (strcmp (name, "ah_present") == 0) 1746 return ah_present; 1747 1748 if (strcmp (name, "comp_present") == 0) 1749 return comp_present; 1750 1751 if (strcmp (name, "ah_hash_alg") == 0) 1752 return ah_hash_alg; 1753 1754 if (strcmp (name, "ah_auth_alg") == 0) 1755 return ah_auth_alg; 1756 1757 if (strcmp (name, "esp_auth_alg") == 0) 1758 return esp_auth_alg; 1759 1760 if (strcmp (name, "esp_enc_alg") == 0) 1761 return esp_enc_alg; 1762 1763 if (strcmp (name, "comp_alg") == 0) 1764 return comp_alg; 1765 1766 if (strcmp (name, "ah_life_kbytes") == 0) 1767 return ah_life_kbytes; 1768 1769 if (strcmp (name, "ah_life_seconds") == 0) 1770 return ah_life_seconds; 1771 1772 if (strcmp (name, "esp_life_kbytes") == 0) 1773 return esp_life_kbytes; 1774 1775 if (strcmp (name, "esp_life_seconds") == 0) 1776 return esp_life_seconds; 1777 1778 if (strcmp (name, "comp_life_kbytes") == 0) 1779 return comp_life_kbytes; 1780 1781 if (strcmp (name, "comp_life_seconds") == 0) 1782 return comp_life_seconds; 1783 1784 if (strcmp (name, "ah_encapsulation") == 0) 1785 return ah_encapsulation; 1786 1787 if (strcmp (name, "esp_encapsulation") == 0) 1788 return esp_encapsulation; 1789 1790 if (strcmp (name, "comp_encapsulation") == 0) 1791 return comp_encapsulation; 1792 1793 if (strcmp (name, "ah_key_length") == 0) 1794 return ah_key_length; 1795 1796 if (strcmp (name, "ah_key_rounds") == 0) 1797 return ah_key_rounds; 1798 1799 if (strcmp (name, "esp_key_length") == 0) 1800 return esp_key_length; 1801 1802 if (strcmp (name, "esp_key_rounds") == 0) 1803 return esp_key_rounds; 1804 1805 if (strcmp (name, "comp_dict_size") == 0) 1806 return comp_dict_size; 1807 1808 if (strcmp (name, "comp_private_alg") == 0) 1809 return comp_private_alg; 1810 1811 if (strcmp (name, "remote_filter_type") == 0) 1812 return remote_filter_type; 1813 1814 if (strcmp (name, "remote_filter") == 0) 1815 return (remote_filter ? remote_filter : ""); 1816 1817 if (strcmp (name, "remote_filter_addr_upper") == 0) 1818 return remote_filter_addr_upper; 1819 1820 if (strcmp (name, "remote_filter_addr_lower") == 0) 1821 return remote_filter_addr_lower; 1822 1823 if (strcmp (name, "remote_filter_port") == 0) 1824 return remote_filter_port; 1825 1826 if (strcmp (name, "remote_filter_proto") == 0) 1827 return remote_filter_proto; 1828 1829 if (strcmp (name, "local_filter_type") == 0) 1830 return local_filter_type; 1831 1832 if (strcmp (name, "local_filter") == 0) 1833 return (local_filter ? local_filter : ""); 1834 1835 if (strcmp (name, "local_filter_addr_upper") == 0) 1836 return local_filter_addr_upper; 1837 1838 if (strcmp (name, "local_filter_addr_lower") == 0) 1839 return local_filter_addr_lower; 1840 1841 if (strcmp (name, "local_filter_port") == 0) 1842 return local_filter_port; 1843 1844 if (strcmp (name, "local_filter_proto") == 0) 1845 return local_filter_proto; 1846 1847 if (strcmp (name, "remote_ike_address") == 0) 1848 return remote_ike_address; 1849 1850 if (strcmp (name, "remote_negotiation_address") == 0) 1851 return remote_ike_address; 1852 1853 if (strcmp (name, "local_ike_address") == 0) 1854 return local_ike_address; 1855 1856 if (strcmp (name, "local_negotiation_address") == 0) 1857 return local_ike_address; 1858 1859 if (strcmp (name, "remote_id_type") == 0) 1860 return remote_id_type; 1861 1862 if (strcmp (name, "remote_id") == 0) 1863 return (remote_id ? remote_id : ""); 1864 1865 if (strcmp (name, "remote_id_addr_upper") == 0) 1866 return remote_id_addr_upper; 1867 1868 if (strcmp (name, "remote_id_addr_lower") == 0) 1869 return remote_id_addr_lower; 1870 1871 if (strcmp (name, "remote_id_port") == 0) 1872 return remote_id_port; 1873 1874 if (strcmp (name, "remote_id_proto") == 0) 1875 return remote_id_proto; 1876 1877 if (strcmp (name, "phase1_group_desc") == 0) 1878 return phase1_group; 1879 1880 return ""; 1881 1882 bad: 1883 policy_callback (KEYNOTE_CALLBACK_INITIALIZE); 1884 return ""; 1885 } 1886 1887 void 1888 policy_init (void) 1889 { 1890 char *ptr, *policy_file; 1891 char **asserts; 1892 off_t sz; 1893 int fd, len, i; 1894 1895 LOG_DBG ((LOG_POLICY, 30, "policy_init: initializing")); 1896 1897 #if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) 1898 if (!dyn_load (libkeynote_script)) 1899 return; 1900 #endif 1901 1902 /* Get policy file from configuration. */ 1903 policy_file = conf_get_str ("General", "Policy-file"); 1904 if (!policy_file) 1905 policy_file = POLICY_FILE_DEFAULT; 1906 1907 /* Check file modes and collect file size */ 1908 if (check_file_secrecy (policy_file, &sz)) 1909 log_fatal ("policy_init: cannot read %s", policy_file); 1910 1911 /* Open policy file. */ 1912 fd = open (policy_file, O_RDONLY); 1913 if (fd == -1) 1914 log_fatal ("policy_init: open (\"%s\", O_RDONLY) failed", policy_file); 1915 1916 /* Allocate memory to keep policies. */ 1917 ptr = calloc (sz + 1, sizeof (char)); 1918 if (!ptr) 1919 log_fatal ("policy_init: calloc (%d, %d) failed", sz + 1, 1920 sizeof (char)); 1921 1922 /* Just in case there are short reads... */ 1923 for (len = 0; len < sz; len += i) 1924 { 1925 i = read (fd, ptr + len, sz - len); 1926 if (i == -1) 1927 log_fatal ("policy_init: read (%d, %p, %d) failed", fd, ptr + len, 1928 sz - len); 1929 } 1930 1931 /* We're done with this. */ 1932 close (fd); 1933 1934 /* Parse buffer, break up into individual policies. */ 1935 asserts = LK (kn_read_asserts, (ptr, sz, &i)); 1936 1937 /* Begone! */ 1938 free (ptr); 1939 1940 if (asserts == (char **) NULL) 1941 log_print ("policy_init: all policies flushed"); 1942 1943 /* Cleanup */ 1944 if (keynote_policy_asserts) 1945 { 1946 for (fd = 0; fd < keynote_policy_asserts_num; fd++) 1947 if (keynote_policy_asserts && keynote_policy_asserts[fd]) 1948 free (keynote_policy_asserts[fd]); 1949 1950 free (keynote_policy_asserts); 1951 } 1952 1953 keynote_policy_asserts = asserts; 1954 keynote_policy_asserts_num = i; 1955 } 1956 1957 /* Nothing needed for initialization */ 1958 int 1959 keynote_cert_init (void) 1960 { 1961 return 1; 1962 } 1963 1964 /* Just copy and return. */ 1965 void * 1966 keynote_cert_get (u_int8_t *data, u_int32_t len) 1967 { 1968 char *foo = malloc (len + 1); 1969 1970 if (foo == NULL) 1971 return NULL; 1972 1973 memcpy (foo, data, len); 1974 foo[len] = '\0'; 1975 return foo; 1976 } 1977 1978 /* 1979 * We just verify the signature on the credentials. 1980 * On signature failure, just drop the whole payload. 1981 */ 1982 int 1983 keynote_cert_validate (void *scert) 1984 { 1985 char **foo; 1986 int num, i; 1987 1988 if (scert == NULL) 1989 return 0; 1990 1991 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), 1992 &num)); 1993 if (foo == NULL) 1994 return 0; 1995 1996 for (i = 0; i < num; i++) 1997 { 1998 if (LK (kn_verify_assertion, (scert, strlen ((char *) scert))) 1999 != SIGRESULT_TRUE) 2000 { 2001 for (; i < num; i++) 2002 free (foo[i]); 2003 free (foo); 2004 return 0; 2005 } 2006 2007 free (foo[i]); 2008 } 2009 2010 free (foo); 2011 return 1; 2012 } 2013 2014 /* Add received credentials. */ 2015 int 2016 keynote_cert_insert (int sid, void *scert) 2017 { 2018 char **foo; 2019 int num; 2020 2021 if (scert == NULL) 2022 return 0; 2023 2024 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), 2025 &num)); 2026 if (foo == NULL) 2027 return 0; 2028 2029 while (num--) 2030 LK (kn_add_assertion, (sid, foo[num], strlen (foo[num]), 0)); 2031 2032 return 1; 2033 } 2034 2035 /* Just regular memory free. */ 2036 void 2037 keynote_cert_free (void *cert) 2038 { 2039 free (cert); 2040 } 2041 2042 /* Verify that the key given to us is valid. */ 2043 int 2044 keynote_certreq_validate (u_int8_t *data, u_int32_t len) 2045 { 2046 struct keynote_deckey dc; 2047 int err = 1; 2048 char *dat; 2049 2050 dat = calloc (len + 1, sizeof (char)); 2051 if (!dat) 2052 { 2053 log_error ("keynote_certreq_validate: calloc (%d, %d) failed", len + 1, 2054 sizeof (char)); 2055 return 0; 2056 } 2057 2058 memcpy (dat, data, len); 2059 2060 if (LK (kn_decode_key, (&dc, dat, KEYNOTE_PUBLIC_KEY)) != 0) 2061 err = 0; 2062 else 2063 LK (kn_free_key, (&dc)); 2064 2065 free (dat); 2066 2067 return err; 2068 } 2069 2070 /* Beats me what we should be doing with this. */ 2071 void * 2072 keynote_certreq_decode (u_int8_t *data, u_int32_t len) 2073 { 2074 /* XXX */ 2075 return NULL; 2076 } 2077 2078 void 2079 keynote_free_aca (void *blob) 2080 { 2081 /* XXX */ 2082 } 2083 2084 int 2085 keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, 2086 u_int32_t *certlen) 2087 { 2088 char *dirname, *file, *addr_str; 2089 struct stat sb; 2090 int idtype, fd, len; 2091 2092 if (!id) 2093 { 2094 log_print ("keynote_cert_obtain: ID is missing"); 2095 return 0; 2096 } 2097 2098 /* Get type of ID. */ 2099 idtype = id[0]; 2100 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2101 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2102 2103 dirname = conf_get_str ("KeyNote", "Credential-directory"); 2104 if (!dirname) 2105 { 2106 LOG_DBG ((LOG_POLICY, 30, 2107 "keynote_cert_obtain: no Credential-directory")); 2108 return 0; 2109 } 2110 2111 len = strlen (dirname) + strlen (CREDENTIAL_FILE) + 3; 2112 2113 switch (idtype) 2114 { 2115 case IPSEC_ID_IPV4_ADDR: 2116 case IPSEC_ID_IPV6_ADDR: 2117 util_ntoa (&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6, 2118 id); 2119 if (addr_str == 0) 2120 return 0; 2121 2122 file = calloc (len + strlen (addr_str), sizeof (char)); 2123 if (file == NULL) 2124 { 2125 log_error ("keynote_cert_obtain: failed to allocate %d bytes", 2126 len + strlen (addr_str)); 2127 free (addr_str); 2128 return 0; 2129 } 2130 2131 sprintf (file, "%s/%s/%s", dirname, addr_str, CREDENTIAL_FILE); 2132 free (addr_str); 2133 break; 2134 2135 case IPSEC_ID_FQDN: 2136 case IPSEC_ID_USER_FQDN: 2137 { 2138 file = calloc (len + id_len, sizeof (char)); 2139 if (file == NULL) 2140 { 2141 log_error ("keynote_cert_obtain: failed to allocate %d bytes", 2142 len + id_len); 2143 return 0; 2144 } 2145 2146 sprintf (file, "%s/", dirname); 2147 memcpy (file + strlen (file), id, id_len); 2148 sprintf (file + strlen (dirname) + 1 + id_len, "/%s", CREDENTIAL_FILE); 2149 break; 2150 } 2151 2152 default: 2153 return 0; 2154 } 2155 2156 if (stat (file, &sb) < 0) 2157 { 2158 LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to stat \"%s\"", 2159 file)); 2160 free (file); 2161 return 0; 2162 } 2163 2164 *cert = calloc (sb.st_size + 1, sizeof (char)); 2165 if (*cert == NULL) 2166 { 2167 log_error ("keynote_cert_obtain: failed to allocate %d bytes", 2168 sb.st_size); 2169 free (file); 2170 return 0; 2171 } 2172 2173 fd = open (file, O_RDONLY, 0); 2174 if (fd < 0) 2175 { 2176 LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to open \"%s\"", 2177 file)); 2178 free (file); 2179 return 0; 2180 } 2181 2182 if (read (fd, *cert, sb.st_size) != sb.st_size) 2183 { 2184 LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to read %d " 2185 "bytes from \"%s\"", sb.st_size, file)); 2186 free (file); 2187 close (fd); 2188 return 0; 2189 } 2190 2191 close (fd); 2192 free (file); 2193 *certlen = sb.st_size; 2194 return 1; 2195 } 2196 2197 /* This should never be called. */ 2198 int 2199 keynote_cert_get_subjects (void *scert, int *n, u_int8_t ***id, 2200 u_int32_t **id_len) 2201 { 2202 return 0; 2203 } 2204 2205 /* Get the authorizer key. */ 2206 int 2207 keynote_cert_get_key (void *scert, void *keyp) 2208 { 2209 struct keynote_keylist *kl; 2210 int sid, kid, num; 2211 char **foo; 2212 2213 foo = LK (kn_read_asserts, ((char *)scert, strlen ((char *)scert), &num)); 2214 if (foo == NULL || num == 0) 2215 { 2216 log_print ("keynote_cert_get_key: failed to decompose credentials"); 2217 return 0; 2218 } 2219 2220 kid = LK (kn_init, ()); 2221 if (kid == -1) 2222 { 2223 log_print ("keynote_cert_get_key: failed to initialize new policy " 2224 "session"); 2225 while (num--) 2226 free (foo[num]); 2227 free (foo); 2228 return 0; 2229 } 2230 2231 sid = LK (kn_add_assertion, (kid, foo[num - 1], 2232 strlen (foo[num - 1]), 0)); 2233 while (num--) 2234 free (foo[num]); 2235 free (foo); 2236 2237 if (sid == -1) 2238 { 2239 log_print ("keynote_cert_get_key: failed to add assertion"); 2240 LK (kn_close, (kid)); 2241 return 0; 2242 } 2243 2244 *(RSA **)keyp = NULL; 2245 2246 kl = LK (kn_get_licensees, (kid, sid)); 2247 while (kl) 2248 { 2249 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA) 2250 { 2251 *(RSA **)keyp = LC (RSAPublicKey_dup, (kl->key_key)); 2252 break; 2253 } 2254 2255 kl = kl->key_next; 2256 } 2257 2258 LK (kn_remove_assertion, (kid, sid)); 2259 LK (kn_close, (kid)); 2260 return *(RSA **)keyp == NULL ? 0 : 1; 2261 } 2262 2263 void * 2264 keynote_cert_dup (void *cert) 2265 { 2266 return strdup((char *)cert); 2267 } 2268 2269 void 2270 keynote_serialize (void *cert, u_int8_t **data, u_int32_t *datalen) 2271 { 2272 *datalen = strlen ((char *)cert) + 1; 2273 *data = strdup (cert); /* So we allocate an extra character at the end... */ 2274 if (*data == NULL) 2275 log_error ("keynote_serialize: malloc (%d) failed", *datalen); 2276 } 2277 2278 /* From cert to printable */ 2279 char * 2280 keynote_printable (void *cert) 2281 { 2282 return strdup ((char *)cert); 2283 } 2284 2285 /* From printable to cert */ 2286 void * 2287 keynote_from_printable (char *cert) 2288 { 2289 return strdup (cert); 2290 } 2291