1 /* $OpenBSD: policy.c,v 1.93 2011/04/06 11:36:25 miod Exp $ */ 2 /* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ 3 4 /* 5 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. 6 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 7 * Copyright (c) 2001 H�kan Olsson. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 /* 31 * This code was written under funding by Ericsson Radio Systems. 32 */ 33 34 #include <sys/types.h> 35 #include <sys/param.h> 36 #include <sys/mman.h> 37 #include <sys/queue.h> 38 #include <sys/stat.h> 39 #include <regex.h> 40 #include <ctype.h> 41 #include <fcntl.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 #include <unistd.h> 46 #include <keynote.h> 47 #include <sys/socket.h> 48 #include <netinet/in.h> 49 #include <arpa/inet.h> 50 #include <errno.h> 51 #include <openssl/ssl.h> 52 #include <netdb.h> 53 54 #include "conf.h" 55 #include "exchange.h" 56 #include "ipsec.h" 57 #include "isakmp_doi.h" 58 #include "sa.h" 59 #include "transport.h" 60 #include "log.h" 61 #include "message.h" 62 #include "monitor.h" 63 #include "util.h" 64 #include "policy.h" 65 #include "x509.h" 66 67 char **policy_asserts = NULL; 68 int ignore_policy = 0; 69 int policy_asserts_num = 0; 70 struct exchange *policy_exchange = 0; 71 struct sa *policy_sa = 0; 72 struct sa *policy_isakmp_sa = 0; 73 74 static const char hextab[] = { 75 '0', '1', '2', '3', '4', '5', '6', '7', 76 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 77 }; 78 79 /* 80 * Adaptation of Vixie's inet_ntop4 () 81 */ 82 static const char * 83 my_inet_ntop4(const in_addr_t *src, char *dst, size_t size, int normalize) 84 { 85 static const char fmt[] = "%03u.%03u.%03u.%03u"; 86 char tmp[sizeof "255.255.255.255"]; 87 in_addr_t src2; 88 int len; 89 90 if (normalize) 91 src2 = ntohl(*src); 92 else 93 src2 = *src; 94 95 len = snprintf(tmp, sizeof tmp, fmt, ((u_int8_t *)&src2)[0], 96 ((u_int8_t *)&src2)[1], ((u_int8_t *)&src2)[2], 97 ((u_int8_t *)&src2)[3]); 98 if (len == -1 || len > (int)size) { 99 errno = ENOSPC; 100 return 0; 101 } 102 strlcpy(dst, tmp, size); 103 return dst; 104 } 105 106 static const char * 107 my_inet_ntop6(const unsigned char *src, char *dst, size_t size) 108 { 109 static const char fmt[] = 110 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x"; 111 char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"]; 112 int len; 113 114 len = snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3], 115 src[4], src[5], src[6], src[7], src[8], src[9], src[10], src[11], 116 src[12], src[13], src[14], src[15]); 117 if (len == -1 || len > (int)size) { 118 errno = ENOSPC; 119 return 0; 120 } 121 strlcpy(dst, tmp, size); 122 return dst; 123 } 124 125 char * 126 policy_callback(char *name) 127 { 128 struct proto *proto; 129 130 u_int8_t *attr, *value, *id, *idlocal, *idremote; 131 size_t id_sz, idlocalsz, idremotesz; 132 struct sockaddr *sin; 133 struct ipsec_exch *ie; 134 struct ipsec_sa *is; 135 size_t i; 136 int fmt, lifetype = 0; 137 in_addr_t net, subnet; 138 u_int16_t len, type; 139 time_t tt; 140 char *addr; 141 static char mytimeofday[15]; 142 143 /* We use all these as a cache. */ 144 #define PMAX 32 145 static char *esp_present, *ah_present, *comp_present; 146 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; 147 static char *comp_alg, ah_life_kbytes[PMAX], ah_life_seconds[PMAX]; 148 static char esp_life_kbytes[PMAX], esp_life_seconds[PMAX]; 149 static char comp_life_kbytes[PMAX]; 150 static char *ah_ecn, *esp_ecn, *comp_ecn; 151 static char comp_life_seconds[PMAX], *ah_encapsulation; 152 static char *esp_encapsulation, *comp_encapsulation; 153 static char ah_key_length[PMAX], esp_key_length[PMAX]; 154 static char ah_key_rounds[PMAX], esp_key_rounds[PMAX]; 155 static char comp_dict_size[PMAX], comp_private_alg[PMAX]; 156 static char *remote_filter_type, *local_filter_type; 157 static char remote_filter_addr_upper[NI_MAXHOST]; 158 static char remote_filter_addr_lower[NI_MAXHOST]; 159 static char local_filter_addr_upper[NI_MAXHOST]; 160 static char local_filter_addr_lower[NI_MAXHOST]; 161 static char ah_group_desc[PMAX], esp_group_desc[PMAX]; 162 static char comp_group_desc[PMAX], remote_ike_address[NI_MAXHOST]; 163 static char local_ike_address[NI_MAXHOST]; 164 static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST]; 165 static char *phase_1, remote_id_addr_lower[NI_MAXHOST]; 166 static char *remote_id_proto, remote_id_port[PMAX]; 167 static char remote_filter_port[PMAX], local_filter_port[PMAX]; 168 static char *remote_filter_proto, *local_filter_proto, *pfs; 169 static char *initiator, remote_filter_proto_num[3]; 170 static char local_filter_proto_num[3], remote_id_proto_num[3]; 171 static char phase1_group[PMAX]; 172 173 /* Allocated. */ 174 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; 175 176 static int dirty = 1; 177 178 /* We only need to set dirty at initialization time really. */ 179 if (strcmp(name, KEYNOTE_CALLBACK_CLEANUP) == 0 || 180 strcmp(name, KEYNOTE_CALLBACK_INITIALIZE) == 0) { 181 esp_present = ah_present = comp_present = pfs = "no"; 182 ah_hash_alg = ah_auth_alg = phase_1 = ""; 183 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; 184 ah_ecn = esp_ecn = comp_ecn = "no"; 185 esp_encapsulation = comp_encapsulation = ""; 186 remote_filter_type = ""; 187 local_filter_type = remote_id_type = initiator = ""; 188 remote_filter_proto = local_filter_proto = ""; 189 remote_id_proto = ""; 190 191 free(remote_filter); 192 remote_filter = 0; 193 free(local_filter); 194 local_filter = 0; 195 free(remote_id); 196 remote_id = 0; 197 198 bzero(remote_ike_address, sizeof remote_ike_address); 199 bzero(local_ike_address, sizeof local_ike_address); 200 bzero(ah_life_kbytes, sizeof ah_life_kbytes); 201 bzero(ah_life_seconds, sizeof ah_life_seconds); 202 bzero(esp_life_kbytes, sizeof esp_life_kbytes); 203 bzero(esp_life_seconds, sizeof esp_life_seconds); 204 bzero(comp_life_kbytes, sizeof comp_life_kbytes); 205 bzero(comp_life_seconds, sizeof comp_life_seconds); 206 bzero(ah_key_length, sizeof ah_key_length); 207 bzero(ah_key_rounds, sizeof ah_key_rounds); 208 bzero(esp_key_length, sizeof esp_key_length); 209 bzero(esp_key_rounds, sizeof esp_key_rounds); 210 bzero(comp_dict_size, sizeof comp_dict_size); 211 bzero(comp_private_alg, sizeof comp_private_alg); 212 bzero(remote_filter_addr_upper, 213 sizeof remote_filter_addr_upper); 214 bzero(remote_filter_addr_lower, 215 sizeof remote_filter_addr_lower); 216 bzero(local_filter_addr_upper, 217 sizeof local_filter_addr_upper); 218 bzero(local_filter_addr_lower, 219 sizeof local_filter_addr_lower); 220 bzero(remote_id_addr_upper, sizeof remote_id_addr_upper); 221 bzero(remote_id_addr_lower, sizeof remote_id_addr_lower); 222 bzero(ah_group_desc, sizeof ah_group_desc); 223 bzero(esp_group_desc, sizeof esp_group_desc); 224 bzero(remote_id_port, sizeof remote_id_port); 225 bzero(remote_filter_port, sizeof remote_filter_port); 226 bzero(local_filter_port, sizeof local_filter_port); 227 bzero(phase1_group, sizeof phase1_group); 228 229 dirty = 1; 230 return ""; 231 } 232 /* 233 * If dirty is set, this is the first request for an attribute, so 234 * populate our value cache. 235 */ 236 if (dirty) { 237 ie = policy_exchange->data; 238 239 if (ie->pfs) 240 pfs = "yes"; 241 242 is = policy_isakmp_sa->data; 243 snprintf(phase1_group, sizeof phase1_group, "%u", 244 is->group_desc); 245 246 for (proto = TAILQ_FIRST(&policy_sa->protos); proto; 247 proto = TAILQ_NEXT(proto, link)) { 248 switch (proto->proto) { 249 case IPSEC_PROTO_IPSEC_AH: 250 ah_present = "yes"; 251 switch (proto->id) { 252 case IPSEC_AH_MD5: 253 ah_hash_alg = "md5"; 254 break; 255 256 case IPSEC_AH_SHA: 257 ah_hash_alg = "sha"; 258 break; 259 260 case IPSEC_AH_RIPEMD: 261 ah_hash_alg = "ripemd"; 262 break; 263 264 case IPSEC_AH_SHA2_256: 265 ah_auth_alg = "sha2-256"; 266 break; 267 268 case IPSEC_AH_SHA2_384: 269 ah_auth_alg = "sha2-384"; 270 break; 271 272 case IPSEC_AH_SHA2_512: 273 ah_auth_alg = "sha2-512"; 274 break; 275 276 case IPSEC_AH_DES: 277 ah_hash_alg = "des"; 278 break; 279 } 280 281 break; 282 283 case IPSEC_PROTO_IPSEC_ESP: 284 esp_present = "yes"; 285 switch (proto->id) { 286 case IPSEC_ESP_DES_IV64: 287 esp_enc_alg = "des-iv64"; 288 break; 289 290 case IPSEC_ESP_DES: 291 esp_enc_alg = "des"; 292 break; 293 294 case IPSEC_ESP_3DES: 295 esp_enc_alg = "3des"; 296 break; 297 298 case IPSEC_ESP_AES: 299 case IPSEC_ESP_AES_128_CTR: 300 case IPSEC_ESP_AES_GCM_16: 301 case IPSEC_ESP_AES_GMAC: 302 esp_enc_alg = "aes"; 303 break; 304 305 case IPSEC_ESP_RC5: 306 esp_enc_alg = "rc5"; 307 break; 308 309 case IPSEC_ESP_IDEA: 310 esp_enc_alg = "idea"; 311 break; 312 313 case IPSEC_ESP_CAST: 314 esp_enc_alg = "cast"; 315 break; 316 317 case IPSEC_ESP_BLOWFISH: 318 esp_enc_alg = "blowfish"; 319 break; 320 321 case IPSEC_ESP_3IDEA: 322 esp_enc_alg = "3idea"; 323 break; 324 325 case IPSEC_ESP_DES_IV32: 326 esp_enc_alg = "des-iv32"; 327 break; 328 329 case IPSEC_ESP_RC4: 330 esp_enc_alg = "rc4"; 331 break; 332 333 case IPSEC_ESP_NULL: 334 esp_enc_alg = "null"; 335 break; 336 } 337 338 break; 339 340 case IPSEC_PROTO_IPCOMP: 341 comp_present = "yes"; 342 switch (proto->id) { 343 case IPSEC_IPCOMP_OUI: 344 comp_alg = "oui"; 345 break; 346 347 case IPSEC_IPCOMP_DEFLATE: 348 comp_alg = "deflate"; 349 break; 350 351 case IPSEC_IPCOMP_LZS: 352 comp_alg = "lzs"; 353 break; 354 355 case IPSEC_IPCOMP_V42BIS: 356 comp_alg = "v42bis"; 357 break; 358 } 359 360 break; 361 } 362 363 for (attr = proto->chosen->p + 364 ISAKMP_TRANSFORM_SA_ATTRS_OFF; 365 attr < proto->chosen->p + 366 GET_ISAKMP_GEN_LENGTH(proto->chosen->p); 367 attr = value + len) { 368 if (attr + ISAKMP_ATTR_VALUE_OFF > 369 (proto->chosen->p + 370 GET_ISAKMP_GEN_LENGTH(proto->chosen->p))) 371 return ""; 372 373 type = GET_ISAKMP_ATTR_TYPE(attr); 374 fmt = ISAKMP_ATTR_FORMAT(type); 375 type = ISAKMP_ATTR_TYPE(type); 376 value = attr + (fmt ? 377 ISAKMP_ATTR_LENGTH_VALUE_OFF : 378 ISAKMP_ATTR_VALUE_OFF); 379 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : 380 GET_ISAKMP_ATTR_LENGTH_VALUE(attr)); 381 382 if (value + len > proto->chosen->p + 383 GET_ISAKMP_GEN_LENGTH(proto->chosen->p)) 384 return ""; 385 386 switch (type) { 387 case IPSEC_ATTR_SA_LIFE_TYPE: 388 lifetype = decode_16(value); 389 break; 390 391 case IPSEC_ATTR_SA_LIFE_DURATION: 392 switch (proto->proto) { 393 case IPSEC_PROTO_IPSEC_AH: 394 if (lifetype == IPSEC_DURATION_SECONDS) { 395 if (len == 2) 396 snprintf(ah_life_seconds, sizeof ah_life_seconds, 397 "%u", decode_16(value)); 398 else 399 snprintf(ah_life_seconds, sizeof ah_life_seconds, 400 "%u", decode_32(value)); 401 } else { 402 if (len == 2) 403 snprintf(ah_life_kbytes, sizeof ah_life_kbytes, 404 "%u", decode_16(value)); 405 else 406 snprintf(ah_life_kbytes, sizeof ah_life_kbytes, 407 "%u", decode_32(value)); 408 } 409 410 break; 411 412 case IPSEC_PROTO_IPSEC_ESP: 413 if (lifetype == IPSEC_DURATION_SECONDS) { 414 if (len == 2) 415 snprintf(esp_life_seconds, 416 sizeof esp_life_seconds, "%u", 417 decode_16(value)); 418 else 419 snprintf(esp_life_seconds, 420 sizeof esp_life_seconds, "%u", 421 decode_32(value)); 422 } else { 423 if (len == 2) 424 snprintf(esp_life_kbytes, 425 sizeof esp_life_kbytes, "%u", 426 decode_16(value)); 427 else 428 snprintf(esp_life_kbytes, 429 sizeof esp_life_kbytes, "%u", 430 decode_32(value)); 431 } 432 433 break; 434 435 case IPSEC_PROTO_IPCOMP: 436 if (lifetype == IPSEC_DURATION_SECONDS) { 437 if (len == 2) 438 snprintf(comp_life_seconds, 439 sizeof comp_life_seconds, "%u", 440 decode_16(value)); 441 else 442 snprintf(comp_life_seconds, 443 sizeof comp_life_seconds, "%u", 444 decode_32(value)); 445 } else { 446 if (len == 2) 447 snprintf(comp_life_kbytes, 448 sizeof comp_life_kbytes, "%u", 449 decode_16(value)); 450 else 451 snprintf(comp_life_kbytes, 452 sizeof comp_life_kbytes, "%u", 453 decode_32(value)); 454 } 455 break; 456 } 457 break; 458 459 case IPSEC_ATTR_GROUP_DESCRIPTION: 460 switch (proto->proto) { 461 case IPSEC_PROTO_IPSEC_AH: 462 snprintf(ah_group_desc, 463 sizeof ah_group_desc, "%u", 464 decode_16(value)); 465 break; 466 467 case IPSEC_PROTO_IPSEC_ESP: 468 snprintf(esp_group_desc, 469 sizeof esp_group_desc, "%u", 470 decode_16(value)); 471 break; 472 473 case IPSEC_PROTO_IPCOMP: 474 snprintf(comp_group_desc, 475 sizeof comp_group_desc, "%u", 476 decode_16(value)); 477 break; 478 } 479 break; 480 481 case IPSEC_ATTR_ECN_TUNNEL: 482 if (decode_16(value)) 483 switch (proto->proto) { 484 case IPSEC_PROTO_IPSEC_AH: 485 ah_ecn = "yes"; 486 break; 487 488 case IPSEC_PROTO_IPSEC_ESP: 489 esp_ecn = "yes"; 490 break; 491 492 case IPSEC_PROTO_IPCOMP: 493 comp_ecn = "yes"; 494 break; 495 } 496 497 case IPSEC_ATTR_ENCAPSULATION_MODE: 498 if (decode_16(value) == IPSEC_ENCAP_TUNNEL) 499 switch (proto->proto) { 500 case IPSEC_PROTO_IPSEC_AH: 501 ah_encapsulation = "tunnel"; 502 break; 503 504 case IPSEC_PROTO_IPSEC_ESP: 505 esp_encapsulation = "tunnel"; 506 break; 507 508 case IPSEC_PROTO_IPCOMP: 509 comp_encapsulation = "tunnel"; 510 break; 511 } 512 else if (decode_16(value) == 513 IPSEC_ENCAP_UDP_ENCAP_TUNNEL || 514 decode_16(value) == 515 IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT) 516 switch (proto->proto) { 517 case IPSEC_PROTO_IPSEC_AH: 518 ah_encapsulation = "udp-encap-tunnel"; 519 break; 520 521 case IPSEC_PROTO_IPSEC_ESP: 522 esp_encapsulation = "udp-encap-tunnel"; 523 break; 524 525 case IPSEC_PROTO_IPCOMP: 526 comp_encapsulation = "udp-encap-tunnel"; 527 break; 528 } 529 /* XXX IPSEC_ENCAP_UDP_ENCAP_TRANSPORT */ 530 else 531 switch (proto->proto) { 532 case IPSEC_PROTO_IPSEC_AH: 533 ah_encapsulation = "transport"; 534 break; 535 536 case IPSEC_PROTO_IPSEC_ESP: 537 esp_encapsulation = "transport"; 538 break; 539 540 case IPSEC_PROTO_IPCOMP: 541 comp_encapsulation = "transport"; 542 break; 543 } 544 break; 545 546 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: 547 switch (proto->proto) { 548 case IPSEC_PROTO_IPSEC_AH: 549 switch (decode_16(value)) { 550 case IPSEC_AUTH_HMAC_MD5: 551 ah_auth_alg = "hmac-md5"; 552 break; 553 554 case IPSEC_AUTH_HMAC_SHA: 555 ah_auth_alg = "hmac-sha"; 556 break; 557 558 case IPSEC_AUTH_HMAC_RIPEMD: 559 ah_auth_alg = "hmac-ripemd"; 560 break; 561 562 case IPSEC_AUTH_HMAC_SHA2_256: 563 ah_auth_alg = "hmac-sha2-256"; 564 break; 565 566 case IPSEC_AUTH_HMAC_SHA2_384: 567 ah_auth_alg = "hmac-sha2-384"; 568 break; 569 570 case IPSEC_AUTH_HMAC_SHA2_512: 571 ah_auth_alg = "hmac-sha2-512"; 572 break; 573 574 case IPSEC_AUTH_DES_MAC: 575 ah_auth_alg = "des-mac"; 576 break; 577 578 case IPSEC_AUTH_KPDK: 579 ah_auth_alg = "kpdk"; 580 break; 581 } 582 break; 583 584 case IPSEC_PROTO_IPSEC_ESP: 585 switch (decode_16(value)) { 586 case IPSEC_AUTH_HMAC_MD5: 587 esp_auth_alg = "hmac-md5"; 588 break; 589 590 case IPSEC_AUTH_HMAC_SHA: 591 esp_auth_alg = "hmac-sha"; 592 break; 593 594 case IPSEC_AUTH_HMAC_RIPEMD: 595 esp_auth_alg = "hmac-ripemd"; 596 break; 597 598 case IPSEC_AUTH_HMAC_SHA2_256: 599 esp_auth_alg = "hmac-sha2-256"; 600 break; 601 602 case IPSEC_AUTH_HMAC_SHA2_384: 603 esp_auth_alg = "hmac-sha2-384"; 604 break; 605 606 case IPSEC_AUTH_HMAC_SHA2_512: 607 esp_auth_alg = "hmac-sha2-512"; 608 break; 609 610 case IPSEC_AUTH_DES_MAC: 611 esp_auth_alg = "des-mac"; 612 break; 613 614 case IPSEC_AUTH_KPDK: 615 esp_auth_alg = "kpdk"; 616 break; 617 } 618 break; 619 } 620 break; 621 622 case IPSEC_ATTR_KEY_LENGTH: 623 switch (proto->proto) { 624 case IPSEC_PROTO_IPSEC_AH: 625 snprintf(ah_key_length, 626 sizeof ah_key_length, "%u", 627 decode_16(value)); 628 break; 629 630 case IPSEC_PROTO_IPSEC_ESP: 631 snprintf(esp_key_length, 632 sizeof esp_key_length, "%u", 633 decode_16(value)); 634 break; 635 } 636 break; 637 638 case IPSEC_ATTR_KEY_ROUNDS: 639 switch (proto->proto) { 640 case IPSEC_PROTO_IPSEC_AH: 641 snprintf(ah_key_rounds, 642 sizeof ah_key_rounds, "%u", 643 decode_16(value)); 644 break; 645 646 case IPSEC_PROTO_IPSEC_ESP: 647 snprintf(esp_key_rounds, 648 sizeof esp_key_rounds, "%u", 649 decode_16(value)); 650 break; 651 } 652 break; 653 654 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: 655 snprintf(comp_dict_size, 656 sizeof comp_dict_size, "%u", 657 decode_16(value)); 658 break; 659 660 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: 661 snprintf(comp_private_alg, 662 sizeof comp_private_alg, "%u", 663 decode_16(value)); 664 break; 665 } 666 } 667 } 668 669 policy_sa->transport->vtbl->get_src(policy_sa->transport, 670 &sin); 671 if (sockaddr2text(sin, &addr, 1)) { 672 log_error("policy_callback: sockaddr2text failed"); 673 goto bad; 674 } 675 strlcpy(local_ike_address, addr, sizeof local_ike_address); 676 free(addr); 677 678 policy_sa->transport->vtbl->get_dst(policy_sa->transport, 679 &sin); 680 if (sockaddr2text(sin, &addr, 1)) { 681 log_error("policy_callback: sockaddr2text failed"); 682 goto bad; 683 } 684 strlcpy(remote_ike_address, addr, sizeof remote_ike_address); 685 free(addr); 686 687 switch (policy_isakmp_sa->exch_type) { 688 case ISAKMP_EXCH_AGGRESSIVE: 689 phase_1 = "aggressive"; 690 break; 691 692 case ISAKMP_EXCH_ID_PROT: 693 phase_1 = "main"; 694 break; 695 } 696 697 if (policy_isakmp_sa->initiator) { 698 id = policy_isakmp_sa->id_r; 699 id_sz = policy_isakmp_sa->id_r_len; 700 } else { 701 id = policy_isakmp_sa->id_i; 702 id_sz = policy_isakmp_sa->id_i_len; 703 } 704 705 switch (id[0]) { 706 case IPSEC_ID_IPV4_ADDR: 707 remote_id_type = "IPv4 address"; 708 709 net = decode_32(id + ISAKMP_ID_DATA_OFF - 710 ISAKMP_GEN_SZ); 711 my_inet_ntop4(&net, remote_id_addr_upper, 712 sizeof remote_id_addr_upper - 1, 1); 713 my_inet_ntop4(&net, remote_id_addr_lower, 714 sizeof remote_id_addr_lower - 1, 1); 715 remote_id = strdup(remote_id_addr_upper); 716 if (!remote_id) { 717 log_error("policy_callback: " 718 "strdup (\"%s\") failed", 719 remote_id_addr_upper); 720 goto bad; 721 } 722 break; 723 724 case IPSEC_ID_IPV4_RANGE: 725 remote_id_type = "IPv4 range"; 726 727 net = decode_32(id + ISAKMP_ID_DATA_OFF - 728 ISAKMP_GEN_SZ); 729 my_inet_ntop4(&net, remote_id_addr_lower, 730 sizeof remote_id_addr_lower - 1, 1); 731 net = decode_32(id + ISAKMP_ID_DATA_OFF - 732 ISAKMP_GEN_SZ + 4); 733 my_inet_ntop4(&net, remote_id_addr_upper, 734 sizeof remote_id_addr_upper - 1, 1); 735 len = strlen(remote_id_addr_upper) + 736 strlen(remote_id_addr_lower) + 2; 737 remote_id = calloc(len, sizeof(char)); 738 if (!remote_id) { 739 log_error("policy_callback: " 740 "calloc (%d, %lu) failed", len, 741 (unsigned long)sizeof(char)); 742 goto bad; 743 } 744 strlcpy(remote_id, remote_id_addr_lower, len); 745 strlcat(remote_id, "-", len); 746 strlcat(remote_id, remote_id_addr_upper, len); 747 break; 748 749 case IPSEC_ID_IPV4_ADDR_SUBNET: 750 remote_id_type = "IPv4 subnet"; 751 752 net = decode_32(id + ISAKMP_ID_DATA_OFF - 753 ISAKMP_GEN_SZ); 754 subnet = decode_32(id + ISAKMP_ID_DATA_OFF - 755 ISAKMP_GEN_SZ + 4); 756 net &= subnet; 757 my_inet_ntop4(&net, remote_id_addr_lower, 758 sizeof remote_id_addr_lower - 1, 1); 759 net |= ~subnet; 760 my_inet_ntop4(&net, remote_id_addr_upper, 761 sizeof remote_id_addr_upper - 1, 1); 762 len = strlen(remote_id_addr_upper) + 763 strlen(remote_id_addr_lower) + 2; 764 remote_id = calloc(len, sizeof(char)); 765 if (!remote_id) { 766 log_error("policy_callback: " 767 "calloc (%d, %lu) failed", len, 768 (unsigned long)sizeof(char)); 769 goto bad; 770 } 771 strlcpy(remote_id, remote_id_addr_lower, len); 772 strlcat(remote_id, "-", len); 773 strlcat(remote_id, remote_id_addr_upper, len); 774 break; 775 776 case IPSEC_ID_IPV6_ADDR: 777 remote_id_type = "IPv6 address"; 778 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 779 remote_id_addr_upper, sizeof remote_id_addr_upper); 780 strlcpy(remote_id_addr_lower, remote_id_addr_upper, 781 sizeof remote_id_addr_lower); 782 remote_id = strdup(remote_id_addr_upper); 783 if (!remote_id) { 784 log_error("policy_callback: " 785 "strdup (\"%s\") failed", 786 remote_id_addr_upper); 787 goto bad; 788 } 789 break; 790 791 case IPSEC_ID_IPV6_RANGE: 792 remote_id_type = "IPv6 range"; 793 794 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 795 remote_id_addr_lower, 796 sizeof remote_id_addr_lower - 1); 797 798 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - 799 ISAKMP_GEN_SZ + 16, remote_id_addr_upper, 800 sizeof remote_id_addr_upper - 1); 801 802 len = strlen(remote_id_addr_upper) + 803 strlen(remote_id_addr_lower) + 2; 804 remote_id = calloc(len, sizeof(char)); 805 if (!remote_id) { 806 log_error("policy_callback: " 807 "calloc (%d, %lu) failed", len, 808 (unsigned long)sizeof(char)); 809 goto bad; 810 } 811 strlcpy(remote_id, remote_id_addr_lower, len); 812 strlcat(remote_id, "-", len); 813 strlcat(remote_id, remote_id_addr_upper, len); 814 break; 815 816 case IPSEC_ID_IPV6_ADDR_SUBNET: 817 { 818 struct in6_addr net, mask; 819 820 remote_id_type = "IPv6 subnet"; 821 822 bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, &net, 823 sizeof(net)); 824 bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, 825 &mask, sizeof(mask)); 826 827 for (i = 0; i < 16; i++) 828 net.s6_addr[i] &= mask.s6_addr[i]; 829 830 my_inet_ntop6((unsigned char *)&net, 831 remote_id_addr_lower, 832 sizeof remote_id_addr_lower - 1); 833 834 for (i = 0; i < 16; i++) 835 net.s6_addr[i] |= ~mask.s6_addr[i]; 836 837 my_inet_ntop6((unsigned char *)&net, 838 remote_id_addr_upper, 839 sizeof remote_id_addr_upper - 1); 840 841 len = strlen(remote_id_addr_upper) + 842 strlen(remote_id_addr_lower) + 2; 843 remote_id = calloc(len, sizeof(char)); 844 if (!remote_id) { 845 log_error("policy_callback: " 846 "calloc (%d, %lu) failed", len, 847 (unsigned long)sizeof(char)); 848 goto bad; 849 } 850 strlcpy(remote_id, remote_id_addr_lower, len); 851 strlcat(remote_id, "-", len); 852 strlcat(remote_id, remote_id_addr_upper, len); 853 break; 854 } 855 856 case IPSEC_ID_FQDN: 857 remote_id_type = "FQDN"; 858 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF + 859 ISAKMP_GEN_SZ + 1, sizeof(char)); 860 if (!remote_id) { 861 log_error("policy_callback: " 862 "calloc (%lu, %lu) failed", 863 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + 864 ISAKMP_GEN_SZ + 1, 865 (unsigned long)sizeof(char)); 866 goto bad; 867 } 868 memcpy(remote_id, 869 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 870 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 871 break; 872 873 case IPSEC_ID_USER_FQDN: 874 remote_id_type = "User FQDN"; 875 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF + 876 ISAKMP_GEN_SZ + 1, sizeof(char)); 877 if (!remote_id) { 878 log_error("policy_callback: " 879 "calloc (%lu, %lu) failed", 880 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + 881 ISAKMP_GEN_SZ + 1, 882 (unsigned long)sizeof(char)); 883 goto bad; 884 } 885 memcpy(remote_id, 886 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 887 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 888 break; 889 890 case IPSEC_ID_DER_ASN1_DN: 891 remote_id_type = "ASN1 DN"; 892 893 remote_id = x509_DN_string(id + ISAKMP_ID_DATA_OFF - 894 ISAKMP_GEN_SZ, 895 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 896 if (!remote_id) { 897 LOG_DBG((LOG_POLICY, 50, 898 "policy_callback: failed to decode name")); 899 goto bad; 900 } 901 break; 902 903 case IPSEC_ID_DER_ASN1_GN: /* XXX */ 904 remote_id_type = "ASN1 GN"; 905 break; 906 907 case IPSEC_ID_KEY_ID: 908 remote_id_type = "Key ID"; 909 remote_id = calloc(2 * (id_sz - ISAKMP_ID_DATA_OFF + 910 ISAKMP_GEN_SZ) + 1, sizeof(char)); 911 if (!remote_id) { 912 log_error("policy_callback: " 913 "calloc (%lu, %lu) failed", 914 2 * ((unsigned long)id_sz - 915 ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 916 (unsigned long)sizeof(char)); 917 goto bad; 918 } 919 /* Does it contain any non-printable characters ? */ 920 for (i = 0; 921 i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; 922 i++) 923 if (!isprint(*(id + ISAKMP_ID_DATA_OFF - 924 ISAKMP_GEN_SZ + i))) 925 break; 926 if (i >= id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) { 927 memcpy(remote_id, id + ISAKMP_ID_DATA_OFF - 928 ISAKMP_GEN_SZ, 929 id_sz - ISAKMP_ID_DATA_OFF + 930 ISAKMP_GEN_SZ); 931 break; 932 } 933 /* Non-printable characters, convert to hex */ 934 for (i = 0; 935 i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; 936 i++) { 937 remote_id[2 * i] = hextab[*(id + 938 ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]; 939 remote_id[2 * i + 1] = hextab[*(id + 940 ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF]; 941 } 942 break; 943 944 default: 945 log_print("policy_callback: " 946 "unknown remote ID type %u", id[0]); 947 goto bad; 948 } 949 950 switch (id[1]) { 951 case IPPROTO_TCP: 952 remote_id_proto = "tcp"; 953 break; 954 955 case IPPROTO_UDP: 956 remote_id_proto = "udp"; 957 break; 958 959 case IPPROTO_ETHERIP: 960 remote_id_proto = "etherip"; 961 break; 962 963 default: 964 snprintf(remote_id_proto_num, 965 sizeof remote_id_proto_num, "%d", 966 id[1]); 967 remote_id_proto = remote_id_proto_num; 968 break; 969 } 970 971 snprintf(remote_id_port, sizeof remote_id_port, "%u", 972 decode_16(id + 2)); 973 974 if (policy_exchange->initiator) { 975 initiator = "yes"; 976 idlocal = ie->id_ci; 977 idremote = ie->id_cr; 978 idlocalsz = ie->id_ci_sz; 979 idremotesz = ie->id_cr_sz; 980 } else { 981 initiator = "no"; 982 idlocal = ie->id_cr; 983 idremote = ie->id_ci; 984 idlocalsz = ie->id_cr_sz; 985 idremotesz = ie->id_ci_sz; 986 } 987 988 /* Initialize the ID variables. */ 989 if (idremote) { 990 switch (GET_ISAKMP_ID_TYPE(idremote)) { 991 case IPSEC_ID_IPV4_ADDR: 992 remote_filter_type = "IPv4 address"; 993 994 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 995 my_inet_ntop4(&net, remote_filter_addr_upper, 996 sizeof remote_filter_addr_upper - 1, 1); 997 my_inet_ntop4(&net, remote_filter_addr_lower, 998 sizeof remote_filter_addr_lower - 1, 1); 999 remote_filter = 1000 strdup(remote_filter_addr_upper); 1001 if (!remote_filter) { 1002 log_error("policy_callback: strdup " 1003 "(\"%s\") failed", 1004 remote_filter_addr_upper); 1005 goto bad; 1006 } 1007 break; 1008 1009 case IPSEC_ID_IPV4_RANGE: 1010 remote_filter_type = "IPv4 range"; 1011 1012 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 1013 my_inet_ntop4(&net, remote_filter_addr_lower, 1014 sizeof remote_filter_addr_lower - 1, 1); 1015 net = decode_32(idremote + ISAKMP_ID_DATA_OFF + 1016 4); 1017 my_inet_ntop4(&net, remote_filter_addr_upper, 1018 sizeof remote_filter_addr_upper - 1, 1); 1019 len = strlen(remote_filter_addr_upper) + 1020 strlen(remote_filter_addr_lower) + 2; 1021 remote_filter = calloc(len, sizeof(char)); 1022 if (!remote_filter) { 1023 log_error("policy_callback: calloc " 1024 "(%d, %lu) failed", len, 1025 (unsigned long)sizeof(char)); 1026 goto bad; 1027 } 1028 strlcpy(remote_filter, 1029 remote_filter_addr_lower, len); 1030 strlcat(remote_filter, "-", len); 1031 strlcat(remote_filter, 1032 remote_filter_addr_upper, len); 1033 break; 1034 1035 case IPSEC_ID_IPV4_ADDR_SUBNET: 1036 remote_filter_type = "IPv4 subnet"; 1037 1038 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 1039 subnet = decode_32(idremote + 1040 ISAKMP_ID_DATA_OFF + 4); 1041 net &= subnet; 1042 my_inet_ntop4(&net, remote_filter_addr_lower, 1043 sizeof remote_filter_addr_lower - 1, 1); 1044 net |= ~subnet; 1045 my_inet_ntop4(&net, remote_filter_addr_upper, 1046 sizeof remote_filter_addr_upper - 1, 1); 1047 len = strlen(remote_filter_addr_upper) + 1048 strlen(remote_filter_addr_lower) + 2; 1049 remote_filter = calloc(len, sizeof(char)); 1050 if (!remote_filter) { 1051 log_error("policy_callback: calloc " 1052 "(%d, %lu) failed", len, 1053 (unsigned long)sizeof(char)); 1054 goto bad; 1055 } 1056 strlcpy(remote_filter, 1057 remote_filter_addr_lower, len); 1058 strlcat(remote_filter, "-", len); 1059 strlcat(remote_filter, 1060 remote_filter_addr_upper, len); 1061 break; 1062 1063 case IPSEC_ID_IPV6_ADDR: 1064 remote_filter_type = "IPv6 address"; 1065 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF, 1066 remote_filter_addr_upper, 1067 sizeof remote_filter_addr_upper - 1); 1068 strlcpy(remote_filter_addr_lower, 1069 remote_filter_addr_upper, 1070 sizeof remote_filter_addr_lower); 1071 remote_filter = 1072 strdup(remote_filter_addr_upper); 1073 if (!remote_filter) { 1074 log_error("policy_callback: strdup " 1075 "(\"%s\") failed", 1076 remote_filter_addr_upper); 1077 goto bad; 1078 } 1079 break; 1080 1081 case IPSEC_ID_IPV6_RANGE: 1082 remote_filter_type = "IPv6 range"; 1083 1084 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF, 1085 remote_filter_addr_lower, 1086 sizeof remote_filter_addr_lower - 1); 1087 1088 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF + 1089 16, remote_filter_addr_upper, 1090 sizeof remote_filter_addr_upper - 1); 1091 1092 len = strlen(remote_filter_addr_upper) + 1093 strlen(remote_filter_addr_lower) + 2; 1094 remote_filter = calloc(len, sizeof(char)); 1095 if (!remote_filter) { 1096 log_error("policy_callback: calloc " 1097 "(%d, %lu) failed", len, 1098 (unsigned long)sizeof(char)); 1099 goto bad; 1100 } 1101 strlcpy(remote_filter, 1102 remote_filter_addr_lower, len); 1103 strlcat(remote_filter, "-", len); 1104 strlcat(remote_filter, 1105 remote_filter_addr_upper, len); 1106 break; 1107 1108 case IPSEC_ID_IPV6_ADDR_SUBNET: 1109 { 1110 struct in6_addr net, mask; 1111 1112 remote_filter_type = "IPv6 subnet"; 1113 1114 bcopy(idremote + ISAKMP_ID_DATA_OFF, 1115 &net, sizeof(net)); 1116 bcopy(idremote + ISAKMP_ID_DATA_OFF + 1117 16, &mask, sizeof(mask)); 1118 1119 for (i = 0; i < 16; i++) 1120 net.s6_addr[i] &= 1121 mask.s6_addr[i]; 1122 1123 my_inet_ntop6((unsigned char *)&net, 1124 remote_filter_addr_lower, 1125 sizeof remote_filter_addr_lower - 1); 1126 1127 for (i = 0; i < 16; i++) 1128 net.s6_addr[i] |= 1129 ~mask.s6_addr[i]; 1130 1131 my_inet_ntop6((unsigned char *)&net, 1132 remote_filter_addr_upper, 1133 sizeof remote_filter_addr_upper - 1); 1134 1135 len = strlen(remote_filter_addr_upper) 1136 + strlen(remote_filter_addr_lower) + 2; 1137 remote_filter = calloc(len, 1138 sizeof(char)); 1139 if (!remote_filter) { 1140 log_error("policy_callback: " 1141 "calloc (%d, %lu) failed", 1142 len, 1143 (unsigned long)sizeof(char)); 1144 goto bad; 1145 } 1146 strlcpy(remote_filter, 1147 remote_filter_addr_lower, len); 1148 strlcat(remote_filter, "-", len); 1149 strlcat(remote_filter, 1150 remote_filter_addr_upper, len); 1151 break; 1152 } 1153 1154 case IPSEC_ID_FQDN: 1155 remote_filter_type = "FQDN"; 1156 remote_filter = malloc(idremotesz - 1157 ISAKMP_ID_DATA_OFF + 1); 1158 if (!remote_filter) { 1159 log_error("policy_callback: " 1160 "malloc (%lu) failed", 1161 (unsigned long)idremotesz - 1162 ISAKMP_ID_DATA_OFF + 1); 1163 goto bad; 1164 } 1165 memcpy(remote_filter, 1166 idremote + ISAKMP_ID_DATA_OFF, 1167 idremotesz - ISAKMP_ID_DATA_OFF); 1168 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] 1169 = '\0'; 1170 break; 1171 1172 case IPSEC_ID_USER_FQDN: 1173 remote_filter_type = "User FQDN"; 1174 remote_filter = malloc(idremotesz - 1175 ISAKMP_ID_DATA_OFF + 1); 1176 if (!remote_filter) { 1177 log_error("policy_callback: " 1178 "malloc (%lu) failed", 1179 (unsigned long)idremotesz - 1180 ISAKMP_ID_DATA_OFF + 1); 1181 goto bad; 1182 } 1183 memcpy(remote_filter, 1184 idremote + ISAKMP_ID_DATA_OFF, 1185 idremotesz - ISAKMP_ID_DATA_OFF); 1186 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] 1187 = '\0'; 1188 break; 1189 1190 case IPSEC_ID_DER_ASN1_DN: 1191 remote_filter_type = "ASN1 DN"; 1192 1193 remote_filter = x509_DN_string(idremote + 1194 ISAKMP_ID_DATA_OFF, 1195 idremotesz - ISAKMP_ID_DATA_OFF); 1196 if (!remote_filter) { 1197 LOG_DBG((LOG_POLICY, 50, 1198 "policy_callback: " 1199 "failed to decode name")); 1200 goto bad; 1201 } 1202 break; 1203 1204 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure 1205 * what's in this. */ 1206 remote_filter_type = "ASN1 GN"; 1207 break; 1208 1209 case IPSEC_ID_KEY_ID: 1210 remote_filter_type = "Key ID"; 1211 remote_filter 1212 = calloc(2 * (idremotesz - 1213 ISAKMP_ID_DATA_OFF) + 1, 1214 sizeof(char)); 1215 if (!remote_filter) { 1216 log_error("policy_callback: " 1217 "calloc (%lu, %lu) failed", 1218 2 * ((unsigned long)idremotesz - 1219 ISAKMP_ID_DATA_OFF) + 1, 1220 (unsigned long)sizeof(char)); 1221 goto bad; 1222 } 1223 /* 1224 * Does it contain any non-printable 1225 * characters ? 1226 */ 1227 for (i = 0; 1228 i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1229 if (!isprint(*(idremote + 1230 ISAKMP_ID_DATA_OFF + i))) 1231 break; 1232 if (i >= idremotesz - ISAKMP_ID_DATA_OFF) { 1233 memcpy(remote_filter, 1234 idremote + ISAKMP_ID_DATA_OFF, 1235 idremotesz - ISAKMP_ID_DATA_OFF); 1236 break; 1237 } 1238 /* Non-printable characters, convert to hex */ 1239 for (i = 0; 1240 i < idremotesz - ISAKMP_ID_DATA_OFF; 1241 i++) { 1242 remote_filter[2 * i] 1243 = hextab[*(idremote + 1244 ISAKMP_ID_DATA_OFF) >> 4]; 1245 remote_filter[2 * i + 1] 1246 = hextab[*(idremote + 1247 ISAKMP_ID_DATA_OFF) & 0xF]; 1248 } 1249 break; 1250 1251 default: 1252 log_print("policy_callback: " 1253 "unknown Remote ID type %u", 1254 GET_ISAKMP_ID_TYPE(idremote)); 1255 goto bad; 1256 } 1257 1258 switch (idremote[ISAKMP_GEN_SZ + 1]) { 1259 case IPPROTO_TCP: 1260 remote_filter_proto = "tcp"; 1261 break; 1262 1263 case IPPROTO_UDP: 1264 remote_filter_proto = "udp"; 1265 break; 1266 1267 case IPPROTO_ETHERIP: 1268 remote_filter_proto = "etherip"; 1269 break; 1270 1271 default: 1272 snprintf(remote_filter_proto_num, 1273 sizeof remote_filter_proto_num, "%d", 1274 idremote[ISAKMP_GEN_SZ + 1]); 1275 remote_filter_proto = remote_filter_proto_num; 1276 break; 1277 } 1278 1279 snprintf(remote_filter_port, sizeof remote_filter_port, 1280 "%u", decode_16(idremote + ISAKMP_GEN_SZ + 2)); 1281 } else { 1282 policy_sa->transport->vtbl->get_dst(policy_sa->transport, &sin); 1283 switch (sin->sa_family) { 1284 case AF_INET: 1285 remote_filter_type = "IPv4 address"; 1286 break; 1287 case AF_INET6: 1288 remote_filter_type = "IPv6 address"; 1289 break; 1290 default: 1291 log_print("policy_callback: " 1292 "unsupported protocol family %d", 1293 sin->sa_family); 1294 goto bad; 1295 } 1296 if (sockaddr2text(sin, &addr, 1)) { 1297 log_error("policy_callback: " 1298 "sockaddr2text failed"); 1299 goto bad; 1300 } 1301 memcpy(remote_filter_addr_upper, addr, 1302 sizeof remote_filter_addr_upper); 1303 memcpy(remote_filter_addr_lower, addr, 1304 sizeof remote_filter_addr_lower); 1305 free(addr); 1306 remote_filter = strdup(remote_filter_addr_upper); 1307 if (!remote_filter) { 1308 log_error("policy_callback: " 1309 "strdup (\"%s\") failed", 1310 remote_filter_addr_upper); 1311 goto bad; 1312 } 1313 } 1314 1315 if (idlocal) { 1316 switch (GET_ISAKMP_ID_TYPE(idlocal)) { 1317 case IPSEC_ID_IPV4_ADDR: 1318 local_filter_type = "IPv4 address"; 1319 1320 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1321 my_inet_ntop4(&net, local_filter_addr_upper, 1322 sizeof local_filter_addr_upper - 1, 1); 1323 my_inet_ntop4(&net, local_filter_addr_lower, 1324 sizeof local_filter_addr_upper - 1, 1); 1325 local_filter = strdup(local_filter_addr_upper); 1326 if (!local_filter) { 1327 log_error("policy_callback: " 1328 "strdup (\"%s\") failed", 1329 local_filter_addr_upper); 1330 goto bad; 1331 } 1332 break; 1333 1334 case IPSEC_ID_IPV4_RANGE: 1335 local_filter_type = "IPv4 range"; 1336 1337 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1338 my_inet_ntop4(&net, local_filter_addr_lower, 1339 sizeof local_filter_addr_lower - 1, 1); 1340 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF + 1341 4); 1342 my_inet_ntop4(&net, local_filter_addr_upper, 1343 sizeof local_filter_addr_upper - 1, 1); 1344 len = strlen(local_filter_addr_upper) 1345 + strlen(local_filter_addr_lower) + 2; 1346 local_filter = calloc(len, sizeof(char)); 1347 if (!local_filter) { 1348 log_error("policy_callback: " 1349 "calloc (%d, %lu) failed", len, 1350 (unsigned long)sizeof(char)); 1351 goto bad; 1352 } 1353 strlcpy(local_filter, local_filter_addr_lower, 1354 len); 1355 strlcat(local_filter, "-", len); 1356 strlcat(local_filter, local_filter_addr_upper, 1357 len); 1358 break; 1359 1360 case IPSEC_ID_IPV4_ADDR_SUBNET: 1361 local_filter_type = "IPv4 subnet"; 1362 1363 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1364 subnet = decode_32(idlocal + 1365 ISAKMP_ID_DATA_OFF + 4); 1366 net &= subnet; 1367 my_inet_ntop4(&net, local_filter_addr_lower, 1368 sizeof local_filter_addr_lower - 1, 1); 1369 net |= ~subnet; 1370 my_inet_ntop4(&net, local_filter_addr_upper, 1371 sizeof local_filter_addr_upper - 1, 1); 1372 len = strlen(local_filter_addr_upper) + 1373 strlen(local_filter_addr_lower) + 2; 1374 local_filter = calloc(len, sizeof(char)); 1375 if (!local_filter) { 1376 log_error("policy_callback: " 1377 "calloc (%d, %lu) failed", len, 1378 (unsigned long)sizeof(char)); 1379 goto bad; 1380 } 1381 strlcpy(local_filter, local_filter_addr_lower, 1382 len); 1383 strlcat(local_filter, "-", len); 1384 strlcat(local_filter, local_filter_addr_upper, 1385 len); 1386 break; 1387 1388 case IPSEC_ID_IPV6_ADDR: 1389 local_filter_type = "IPv6 address"; 1390 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF, 1391 local_filter_addr_upper, 1392 sizeof local_filter_addr_upper - 1); 1393 strlcpy(local_filter_addr_lower, 1394 local_filter_addr_upper, 1395 sizeof local_filter_addr_lower); 1396 local_filter = strdup(local_filter_addr_upper); 1397 if (!local_filter) { 1398 log_error("policy_callback: " 1399 "strdup (\"%s\") failed", 1400 local_filter_addr_upper); 1401 goto bad; 1402 } 1403 break; 1404 1405 case IPSEC_ID_IPV6_RANGE: 1406 local_filter_type = "IPv6 range"; 1407 1408 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF, 1409 local_filter_addr_lower, 1410 sizeof local_filter_addr_lower - 1); 1411 1412 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF + 1413 16, local_filter_addr_upper, 1414 sizeof local_filter_addr_upper - 1); 1415 1416 len = strlen(local_filter_addr_upper) 1417 + strlen(local_filter_addr_lower) + 2; 1418 local_filter = calloc(len, sizeof(char)); 1419 if (!local_filter) { 1420 log_error("policy_callback: " 1421 "calloc (%d, %lu) failed", len, 1422 (unsigned long)sizeof(char)); 1423 goto bad; 1424 } 1425 strlcpy(local_filter, local_filter_addr_lower, 1426 len); 1427 strlcat(local_filter, "-", len); 1428 strlcat(local_filter, local_filter_addr_upper, 1429 len); 1430 break; 1431 1432 case IPSEC_ID_IPV6_ADDR_SUBNET: 1433 { 1434 struct in6_addr net, mask; 1435 1436 local_filter_type = "IPv6 subnet"; 1437 1438 bcopy(idlocal + ISAKMP_ID_DATA_OFF, 1439 &net, sizeof(net)); 1440 bcopy(idlocal + ISAKMP_ID_DATA_OFF + 1441 16, &mask, sizeof(mask)); 1442 1443 for (i = 0; i < 16; i++) 1444 net.s6_addr[i] &= 1445 mask.s6_addr[i]; 1446 1447 my_inet_ntop6((unsigned char *)&net, 1448 local_filter_addr_lower, 1449 sizeof local_filter_addr_lower - 1); 1450 1451 for (i = 0; i < 16; i++) 1452 net.s6_addr[i] |= 1453 ~mask.s6_addr[i]; 1454 1455 my_inet_ntop6((unsigned char *)&net, 1456 local_filter_addr_upper, 1457 sizeof local_filter_addr_upper - 1458 1); 1459 1460 len = strlen(local_filter_addr_upper) 1461 + strlen(local_filter_addr_lower) 1462 + 2; 1463 local_filter = calloc(len, 1464 sizeof(char)); 1465 if (!local_filter) { 1466 log_error("policy_callback: " 1467 "calloc (%d, %lu) failed", 1468 len, 1469 (unsigned long)sizeof(char)); 1470 goto bad; 1471 } 1472 strlcpy(local_filter, 1473 local_filter_addr_lower, len); 1474 strlcat(local_filter, "-", len); 1475 strlcat(local_filter, 1476 local_filter_addr_upper, len); 1477 break; 1478 } 1479 1480 case IPSEC_ID_FQDN: 1481 local_filter_type = "FQDN"; 1482 local_filter = malloc(idlocalsz - 1483 ISAKMP_ID_DATA_OFF + 1); 1484 if (!local_filter) { 1485 log_error("policy_callback: " 1486 "malloc (%lu) failed", 1487 (unsigned long)idlocalsz - 1488 ISAKMP_ID_DATA_OFF + 1); 1489 goto bad; 1490 } 1491 memcpy(local_filter, 1492 idlocal + ISAKMP_ID_DATA_OFF, 1493 idlocalsz - ISAKMP_ID_DATA_OFF); 1494 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1495 break; 1496 1497 case IPSEC_ID_USER_FQDN: 1498 local_filter_type = "User FQDN"; 1499 local_filter = malloc(idlocalsz - 1500 ISAKMP_ID_DATA_OFF + 1); 1501 if (!local_filter) { 1502 log_error("policy_callback: " 1503 "malloc (%lu) failed", 1504 (unsigned long)idlocalsz - 1505 ISAKMP_ID_DATA_OFF + 1); 1506 goto bad; 1507 } 1508 memcpy(local_filter, 1509 idlocal + ISAKMP_ID_DATA_OFF, 1510 idlocalsz - ISAKMP_ID_DATA_OFF); 1511 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1512 break; 1513 1514 case IPSEC_ID_DER_ASN1_DN: 1515 local_filter_type = "ASN1 DN"; 1516 1517 local_filter = x509_DN_string(idlocal + 1518 ISAKMP_ID_DATA_OFF, 1519 idlocalsz - ISAKMP_ID_DATA_OFF); 1520 if (!local_filter) { 1521 LOG_DBG((LOG_POLICY, 50, 1522 "policy_callback: failed to decode" 1523 " name")); 1524 goto bad; 1525 } 1526 break; 1527 1528 case IPSEC_ID_DER_ASN1_GN: 1529 /* XXX -- not sure what's in this. */ 1530 local_filter_type = "ASN1 GN"; 1531 break; 1532 1533 case IPSEC_ID_KEY_ID: 1534 local_filter_type = "Key ID"; 1535 local_filter = calloc(2 * (idlocalsz - 1536 ISAKMP_ID_DATA_OFF) + 1, 1537 sizeof(char)); 1538 if (!local_filter) { 1539 log_error("policy_callback: " 1540 "calloc (%lu, %lu) failed", 1541 2 * ((unsigned long)idlocalsz - 1542 ISAKMP_ID_DATA_OFF) + 1, 1543 (unsigned long)sizeof(char)); 1544 goto bad; 1545 } 1546 /* 1547 * Does it contain any non-printable 1548 * characters ? 1549 */ 1550 for (i = 0; 1551 i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1552 if (!isprint(*(idlocal + 1553 ISAKMP_ID_DATA_OFF + i))) 1554 break; 1555 if (i >= idlocalsz - ISAKMP_ID_DATA_OFF) { 1556 memcpy(local_filter, idlocal + 1557 ISAKMP_ID_DATA_OFF, 1558 idlocalsz - ISAKMP_ID_DATA_OFF); 1559 break; 1560 } 1561 /* Non-printable characters, convert to hex */ 1562 for (i = 0; 1563 i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) { 1564 local_filter[2 * i] = 1565 hextab[*(idlocal + 1566 ISAKMP_ID_DATA_OFF) >> 4]; 1567 local_filter[2 * i + 1] = 1568 hextab[*(idlocal + 1569 ISAKMP_ID_DATA_OFF) & 0xF]; 1570 } 1571 break; 1572 1573 default: 1574 log_print("policy_callback: " 1575 "unknown Local ID type %u", 1576 GET_ISAKMP_ID_TYPE(idlocal)); 1577 goto bad; 1578 } 1579 1580 switch (idlocal[ISAKMP_GEN_SZ + 1]) { 1581 case IPPROTO_TCP: 1582 local_filter_proto = "tcp"; 1583 break; 1584 1585 case IPPROTO_UDP: 1586 local_filter_proto = "udp"; 1587 break; 1588 1589 case IPPROTO_ETHERIP: 1590 local_filter_proto = "etherip"; 1591 break; 1592 1593 default: 1594 snprintf(local_filter_proto_num, 1595 sizeof local_filter_proto_num, 1596 "%d", idlocal[ISAKMP_GEN_SZ + 1]); 1597 local_filter_proto = local_filter_proto_num; 1598 break; 1599 } 1600 1601 snprintf(local_filter_port, sizeof local_filter_port, 1602 "%u", decode_16(idlocal + ISAKMP_GEN_SZ + 2)); 1603 } else { 1604 policy_sa->transport->vtbl->get_src(policy_sa->transport, 1605 (struct sockaddr **)&sin); 1606 switch (sin->sa_family) { 1607 case AF_INET: 1608 local_filter_type = "IPv4 address"; 1609 break; 1610 case AF_INET6: 1611 local_filter_type = "IPv6 address"; 1612 break; 1613 default: 1614 log_print("policy_callback: " 1615 "unsupported protocol family %d", 1616 sin->sa_family); 1617 goto bad; 1618 } 1619 1620 if (sockaddr2text(sin, &addr, 1)) { 1621 log_error("policy_callback: " 1622 "sockaddr2text failed"); 1623 goto bad; 1624 } 1625 memcpy(local_filter_addr_upper, addr, 1626 sizeof local_filter_addr_upper); 1627 memcpy(local_filter_addr_lower, addr, 1628 sizeof local_filter_addr_lower); 1629 free(addr); 1630 local_filter = strdup(local_filter_addr_upper); 1631 if (!local_filter) { 1632 log_error("policy_callback: " 1633 "strdup (\"%s\") failed", 1634 local_filter_addr_upper); 1635 goto bad; 1636 } 1637 } 1638 1639 LOG_DBG((LOG_POLICY, 80, 1640 "Policy context (action attributes):")); 1641 LOG_DBG((LOG_POLICY, 80, "esp_present == %s", esp_present)); 1642 LOG_DBG((LOG_POLICY, 80, "ah_present == %s", ah_present)); 1643 LOG_DBG((LOG_POLICY, 80, "comp_present == %s", comp_present)); 1644 LOG_DBG((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg)); 1645 LOG_DBG((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg)); 1646 LOG_DBG((LOG_POLICY, 80, "comp_alg == %s", comp_alg)); 1647 LOG_DBG((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg)); 1648 LOG_DBG((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg)); 1649 LOG_DBG((LOG_POLICY, 80, "ah_life_seconds == %s", 1650 ah_life_seconds)); 1651 LOG_DBG((LOG_POLICY, 80, "ah_life_kbytes == %s", 1652 ah_life_kbytes)); 1653 LOG_DBG((LOG_POLICY, 80, "esp_life_seconds == %s", 1654 esp_life_seconds)); 1655 LOG_DBG((LOG_POLICY, 80, "esp_life_kbytes == %s", 1656 esp_life_kbytes)); 1657 LOG_DBG((LOG_POLICY, 80, "comp_life_seconds == %s", 1658 comp_life_seconds)); 1659 LOG_DBG((LOG_POLICY, 80, "comp_life_kbytes == %s", 1660 comp_life_kbytes)); 1661 LOG_DBG((LOG_POLICY, 80, "ah_encapsulation == %s", 1662 ah_encapsulation)); 1663 LOG_DBG((LOG_POLICY, 80, "esp_encapsulation == %s", 1664 esp_encapsulation)); 1665 LOG_DBG((LOG_POLICY, 80, "comp_encapsulation == %s", 1666 comp_encapsulation)); 1667 LOG_DBG((LOG_POLICY, 80, "comp_dict_size == %s", 1668 comp_dict_size)); 1669 LOG_DBG((LOG_POLICY, 80, "comp_private_alg == %s", 1670 comp_private_alg)); 1671 LOG_DBG((LOG_POLICY, 80, "ah_key_length == %s", 1672 ah_key_length)); 1673 LOG_DBG((LOG_POLICY, 80, "ah_key_rounds == %s", 1674 ah_key_rounds)); 1675 LOG_DBG((LOG_POLICY, 80, "esp_key_length == %s", 1676 esp_key_length)); 1677 LOG_DBG((LOG_POLICY, 80, "esp_key_rounds == %s", 1678 esp_key_rounds)); 1679 LOG_DBG((LOG_POLICY, 80, "ah_group_desc == %s", 1680 ah_group_desc)); 1681 LOG_DBG((LOG_POLICY, 80, "esp_group_desc == %s", 1682 esp_group_desc)); 1683 LOG_DBG((LOG_POLICY, 80, "comp_group_desc == %s", 1684 comp_group_desc)); 1685 LOG_DBG((LOG_POLICY, 80, "ah_ecn == %s", ah_ecn)); 1686 LOG_DBG((LOG_POLICY, 80, "esp_ecn == %s", esp_ecn)); 1687 LOG_DBG((LOG_POLICY, 80, "comp_ecn == %s", comp_ecn)); 1688 LOG_DBG((LOG_POLICY, 80, "remote_filter_type == %s", 1689 remote_filter_type)); 1690 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_upper == %s", 1691 remote_filter_addr_upper)); 1692 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_lower == %s", 1693 remote_filter_addr_lower)); 1694 LOG_DBG((LOG_POLICY, 80, "remote_filter == %s", 1695 (remote_filter ? remote_filter : ""))); 1696 LOG_DBG((LOG_POLICY, 80, "remote_filter_port == %s", 1697 remote_filter_port)); 1698 LOG_DBG((LOG_POLICY, 80, "remote_filter_proto == %s", 1699 remote_filter_proto)); 1700 LOG_DBG((LOG_POLICY, 80, "local_filter_type == %s", 1701 local_filter_type)); 1702 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_upper == %s", 1703 local_filter_addr_upper)); 1704 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_lower == %s", 1705 local_filter_addr_lower)); 1706 LOG_DBG((LOG_POLICY, 80, "local_filter == %s", 1707 (local_filter ? local_filter : ""))); 1708 LOG_DBG((LOG_POLICY, 80, "local_filter_port == %s", 1709 local_filter_port)); 1710 LOG_DBG((LOG_POLICY, 80, "local_filter_proto == %s", 1711 local_filter_proto)); 1712 LOG_DBG((LOG_POLICY, 80, "remote_id_type == %s", 1713 remote_id_type)); 1714 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_upper == %s", 1715 remote_id_addr_upper)); 1716 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_lower == %s", 1717 remote_id_addr_lower)); 1718 LOG_DBG((LOG_POLICY, 80, "remote_id == %s", 1719 (remote_id ? remote_id : ""))); 1720 LOG_DBG((LOG_POLICY, 80, "remote_id_port == %s", 1721 remote_id_port)); 1722 LOG_DBG((LOG_POLICY, 80, "remote_id_proto == %s", 1723 remote_id_proto)); 1724 LOG_DBG((LOG_POLICY, 80, "remote_negotiation_address == %s", 1725 remote_ike_address)); 1726 LOG_DBG((LOG_POLICY, 80, "local_negotiation_address == %s", 1727 local_ike_address)); 1728 LOG_DBG((LOG_POLICY, 80, "pfs == %s", pfs)); 1729 LOG_DBG((LOG_POLICY, 80, "initiator == %s", initiator)); 1730 LOG_DBG((LOG_POLICY, 80, "phase1_group_desc == %s", 1731 phase1_group)); 1732 1733 /* Unset dirty now. */ 1734 dirty = 0; 1735 } 1736 if (strcmp(name, "phase_1") == 0) 1737 return phase_1; 1738 1739 if (strcmp(name, "GMTTimeOfDay") == 0) { 1740 tt = time((time_t *)NULL); 1741 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", gmtime(&tt)); 1742 return mytimeofday; 1743 } 1744 if (strcmp(name, "LocalTimeOfDay") == 0) { 1745 tt = time((time_t *)NULL); 1746 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", localtime(&tt)); 1747 return mytimeofday; 1748 } 1749 if (strcmp(name, "initiator") == 0) 1750 return initiator; 1751 1752 if (strcmp(name, "pfs") == 0) 1753 return pfs; 1754 1755 if (strcmp(name, "app_domain") == 0) 1756 return "IPsec policy"; 1757 1758 if (strcmp(name, "doi") == 0) 1759 return "ipsec"; 1760 1761 if (strcmp(name, "esp_present") == 0) 1762 return esp_present; 1763 1764 if (strcmp(name, "ah_present") == 0) 1765 return ah_present; 1766 1767 if (strcmp(name, "comp_present") == 0) 1768 return comp_present; 1769 1770 if (strcmp(name, "ah_hash_alg") == 0) 1771 return ah_hash_alg; 1772 1773 if (strcmp(name, "ah_auth_alg") == 0) 1774 return ah_auth_alg; 1775 1776 if (strcmp(name, "esp_auth_alg") == 0) 1777 return esp_auth_alg; 1778 1779 if (strcmp(name, "esp_enc_alg") == 0) 1780 return esp_enc_alg; 1781 1782 if (strcmp(name, "comp_alg") == 0) 1783 return comp_alg; 1784 1785 if (strcmp(name, "ah_life_kbytes") == 0) 1786 return ah_life_kbytes; 1787 1788 if (strcmp(name, "ah_life_seconds") == 0) 1789 return ah_life_seconds; 1790 1791 if (strcmp(name, "esp_life_kbytes") == 0) 1792 return esp_life_kbytes; 1793 1794 if (strcmp(name, "esp_life_seconds") == 0) 1795 return esp_life_seconds; 1796 1797 if (strcmp(name, "comp_life_kbytes") == 0) 1798 return comp_life_kbytes; 1799 1800 if (strcmp(name, "comp_life_seconds") == 0) 1801 return comp_life_seconds; 1802 1803 if (strcmp(name, "ah_encapsulation") == 0) 1804 return ah_encapsulation; 1805 1806 if (strcmp(name, "esp_encapsulation") == 0) 1807 return esp_encapsulation; 1808 1809 if (strcmp(name, "comp_encapsulation") == 0) 1810 return comp_encapsulation; 1811 1812 if (strcmp(name, "ah_key_length") == 0) 1813 return ah_key_length; 1814 1815 if (strcmp(name, "ah_key_rounds") == 0) 1816 return ah_key_rounds; 1817 1818 if (strcmp(name, "esp_key_length") == 0) 1819 return esp_key_length; 1820 1821 if (strcmp(name, "esp_key_rounds") == 0) 1822 return esp_key_rounds; 1823 1824 if (strcmp(name, "comp_dict_size") == 0) 1825 return comp_dict_size; 1826 1827 if (strcmp(name, "comp_private_alg") == 0) 1828 return comp_private_alg; 1829 1830 if (strcmp(name, "remote_filter_type") == 0) 1831 return remote_filter_type; 1832 1833 if (strcmp(name, "remote_filter") == 0) 1834 return (remote_filter ? remote_filter : ""); 1835 1836 if (strcmp(name, "remote_filter_addr_upper") == 0) 1837 return remote_filter_addr_upper; 1838 1839 if (strcmp(name, "remote_filter_addr_lower") == 0) 1840 return remote_filter_addr_lower; 1841 1842 if (strcmp(name, "remote_filter_port") == 0) 1843 return remote_filter_port; 1844 1845 if (strcmp(name, "remote_filter_proto") == 0) 1846 return remote_filter_proto; 1847 1848 if (strcmp(name, "local_filter_type") == 0) 1849 return local_filter_type; 1850 1851 if (strcmp(name, "local_filter") == 0) 1852 return (local_filter ? local_filter : ""); 1853 1854 if (strcmp(name, "local_filter_addr_upper") == 0) 1855 return local_filter_addr_upper; 1856 1857 if (strcmp(name, "local_filter_addr_lower") == 0) 1858 return local_filter_addr_lower; 1859 1860 if (strcmp(name, "local_filter_port") == 0) 1861 return local_filter_port; 1862 1863 if (strcmp(name, "local_filter_proto") == 0) 1864 return local_filter_proto; 1865 1866 if (strcmp(name, "remote_ike_address") == 0) 1867 return remote_ike_address; 1868 1869 if (strcmp(name, "remote_negotiation_address") == 0) 1870 return remote_ike_address; 1871 1872 if (strcmp(name, "local_ike_address") == 0) 1873 return local_ike_address; 1874 1875 if (strcmp(name, "local_negotiation_address") == 0) 1876 return local_ike_address; 1877 1878 if (strcmp(name, "remote_id_type") == 0) 1879 return remote_id_type; 1880 1881 if (strcmp(name, "remote_id") == 0) 1882 return (remote_id ? remote_id : ""); 1883 1884 if (strcmp(name, "remote_id_addr_upper") == 0) 1885 return remote_id_addr_upper; 1886 1887 if (strcmp(name, "remote_id_addr_lower") == 0) 1888 return remote_id_addr_lower; 1889 1890 if (strcmp(name, "remote_id_port") == 0) 1891 return remote_id_port; 1892 1893 if (strcmp(name, "remote_id_proto") == 0) 1894 return remote_id_proto; 1895 1896 if (strcmp(name, "phase1_group_desc") == 0) 1897 return phase1_group; 1898 1899 if (strcmp(name, "esp_group_desc") == 0) 1900 return esp_group_desc; 1901 1902 if (strcmp(name, "ah_group_desc") == 0) 1903 return ah_group_desc; 1904 1905 if (strcmp(name, "comp_group_desc") == 0) 1906 return comp_group_desc; 1907 1908 if (strcmp(name, "comp_ecn") == 0) 1909 return comp_ecn; 1910 1911 if (strcmp(name, "ah_ecn") == 0) 1912 return ah_ecn; 1913 1914 if (strcmp(name, "esp_ecn") == 0) 1915 return esp_ecn; 1916 1917 return ""; 1918 1919 bad: 1920 policy_callback(KEYNOTE_CALLBACK_INITIALIZE); 1921 return ""; 1922 } 1923 1924 void 1925 policy_init(void) 1926 { 1927 char *ptr, *policy_file; 1928 char **asserts; 1929 size_t sz, len; 1930 int fd, i; 1931 1932 LOG_DBG((LOG_POLICY, 30, "policy_init: initializing")); 1933 1934 /* Do we want to use the policy modules? */ 1935 if (ignore_policy || 1936 strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) 1937 return; 1938 1939 /* Get policy file from configuration. */ 1940 policy_file = conf_get_str("General", "Policy-file"); 1941 if (!policy_file) 1942 policy_file = CONF_DFLT_POLICY_FILE; 1943 1944 /* Open policy file. */ 1945 fd = monitor_open(policy_file, O_RDONLY, 0); 1946 if (fd == -1) 1947 log_fatal("policy_init: open (\"%s\", O_RDONLY) failed", 1948 policy_file); 1949 1950 /* Check file modes and collect file size */ 1951 if (check_file_secrecy_fd(fd, policy_file, &sz)) { 1952 close(fd); 1953 log_fatal("policy_init: cannot read %s", policy_file); 1954 } 1955 1956 /* Allocate memory to keep policies. */ 1957 ptr = calloc(sz + 1, sizeof(char)); 1958 if (!ptr) 1959 log_fatal("policy_init: calloc (%lu, %lu) failed", 1960 (unsigned long)sz + 1, (unsigned long)sizeof(char)); 1961 1962 /* Just in case there are short reads... */ 1963 for (len = 0; len < sz; len += i) { 1964 i = read(fd, ptr + len, sz - len); 1965 if (i == -1) 1966 log_fatal("policy_init: read (%d, %p, %lu) failed", fd, 1967 ptr + len, (unsigned long)(sz - len)); 1968 } 1969 1970 /* We're done with this. */ 1971 close(fd); 1972 1973 /* Parse buffer, break up into individual policies. */ 1974 asserts = kn_read_asserts(ptr, sz, &i); 1975 1976 /* Begone! */ 1977 free(ptr); 1978 1979 if (asserts == (char **)NULL) 1980 log_print("policy_init: all policies flushed"); 1981 1982 /* Cleanup */ 1983 if (policy_asserts) { 1984 for (fd = 0; fd < policy_asserts_num; fd++) 1985 if (policy_asserts) 1986 free(policy_asserts[fd]); 1987 1988 free(policy_asserts); 1989 } 1990 policy_asserts = asserts; 1991 policy_asserts_num = i; 1992 } 1993 1994 /* Nothing needed for initialization */ 1995 int 1996 keynote_cert_init(void) 1997 { 1998 return 1; 1999 } 2000 2001 /* Just copy and return. */ 2002 void * 2003 keynote_cert_get(u_int8_t *data, u_int32_t len) 2004 { 2005 char *foo = malloc(len + 1); 2006 2007 if (foo == NULL) 2008 return NULL; 2009 2010 memcpy(foo, data, len); 2011 foo[len] = '\0'; 2012 return foo; 2013 } 2014 2015 /* 2016 * We just verify the signature on the credentials. 2017 * On signature failure, just drop the whole payload. 2018 */ 2019 int 2020 keynote_cert_validate(void *scert) 2021 { 2022 char **foo; 2023 int num, i; 2024 2025 if (scert == NULL) 2026 return 0; 2027 2028 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2029 if (foo == NULL) 2030 return 0; 2031 2032 for (i = 0; i < num; i++) { 2033 if (kn_verify_assertion(scert, strlen((char *)scert)) 2034 != SIGRESULT_TRUE) { 2035 for (; i < num; i++) 2036 free(foo[i]); 2037 free(foo); 2038 return 0; 2039 } 2040 free(foo[i]); 2041 } 2042 2043 free(foo); 2044 return 1; 2045 } 2046 2047 /* Add received credentials. */ 2048 int 2049 keynote_cert_insert(int sid, void *scert) 2050 { 2051 char **foo; 2052 int num; 2053 2054 if (scert == NULL) 2055 return 0; 2056 2057 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2058 if (foo == NULL) 2059 return 0; 2060 2061 while (num--) 2062 kn_add_assertion(sid, foo[num], strlen(foo[num]), 0); 2063 2064 return 1; 2065 } 2066 2067 /* Just regular memory free. */ 2068 void 2069 keynote_cert_free(void *cert) 2070 { 2071 free(cert); 2072 } 2073 2074 /* Verify that the key given to us is valid. */ 2075 int 2076 keynote_certreq_validate(u_int8_t *data, u_int32_t len) 2077 { 2078 struct keynote_deckey dc; 2079 int err = 1; 2080 char *dat; 2081 2082 dat = calloc(len + 1, sizeof(char)); 2083 if (!dat) { 2084 log_error("keynote_certreq_validate: calloc (%d, %lu) failed", 2085 len + 1, (unsigned long)sizeof(char)); 2086 return 0; 2087 } 2088 memcpy(dat, data, len); 2089 2090 if (kn_decode_key(&dc, dat, KEYNOTE_PUBLIC_KEY) != 0) 2091 err = 0; 2092 else 2093 kn_free_key(&dc); 2094 2095 free(dat); 2096 2097 return err; 2098 } 2099 2100 /* Beats me what we should be doing with this. */ 2101 int 2102 keynote_certreq_decode(void **pdata, u_int8_t *data, u_int32_t len) 2103 { 2104 /* XXX */ 2105 return 0; 2106 } 2107 2108 void 2109 keynote_free_aca(void *blob) 2110 { 2111 /* XXX */ 2112 } 2113 2114 int 2115 keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, 2116 u_int32_t *certlen) 2117 { 2118 char *dirname, *file, *addr_str; 2119 struct stat sb; 2120 size_t size; 2121 int idtype, fd, len; 2122 2123 if (!id) { 2124 log_print("keynote_cert_obtain: ID is missing"); 2125 return 0; 2126 } 2127 /* Get type of ID. */ 2128 idtype = id[0]; 2129 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2130 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2131 2132 dirname = conf_get_str("KeyNote", "Credential-directory"); 2133 if (!dirname) { 2134 LOG_DBG((LOG_POLICY, 30, 2135 "keynote_cert_obtain: no Credential-directory")); 2136 return 0; 2137 } 2138 len = strlen(dirname) + strlen(CREDENTIAL_FILE) + 3; 2139 2140 switch (idtype) { 2141 case IPSEC_ID_IPV4_ADDR: 2142 case IPSEC_ID_IPV6_ADDR: 2143 util_ntoa(&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? 2144 AF_INET : AF_INET6, id); 2145 if (addr_str == 0) 2146 return 0; 2147 2148 if (asprintf(&file, "%s/%s/%s", dirname, 2149 addr_str, CREDENTIAL_FILE) == -1) { 2150 log_error("keynote_cert_obtain: failed to allocate " 2151 "%lu bytes", (unsigned long)len + 2152 strlen(addr_str)); 2153 free(addr_str); 2154 return 0; 2155 } 2156 free(addr_str); 2157 break; 2158 2159 case IPSEC_ID_FQDN: 2160 case IPSEC_ID_USER_FQDN: 2161 file = calloc(len + id_len, sizeof(char)); 2162 if (file == NULL) { 2163 log_error("keynote_cert_obtain: " 2164 "failed to allocate %lu bytes", 2165 (unsigned long)len + id_len); 2166 return 0; 2167 } 2168 snprintf(file, len + id_len, "%s/", dirname); 2169 memcpy(file + strlen(dirname) + 1, id, id_len); 2170 snprintf(file + strlen(dirname) + 1 + id_len, 2171 len - strlen(dirname) - 1, "/%s", CREDENTIAL_FILE); 2172 break; 2173 2174 default: 2175 return 0; 2176 } 2177 2178 fd = monitor_open(file, O_RDONLY, 0); 2179 if (fd < 0) { 2180 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2181 "failed to open \"%s\"", file)); 2182 free(file); 2183 return 0; 2184 } 2185 2186 if (fstat(fd, &sb) < 0) { 2187 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2188 "failed to stat \"%s\"", file)); 2189 free(file); 2190 close(fd); 2191 return 0; 2192 } 2193 size = (size_t)sb.st_size; 2194 2195 *cert = calloc(size + 1, sizeof(char)); 2196 if (*cert == NULL) { 2197 log_error("keynote_cert_obtain: failed to allocate %lu bytes", 2198 (unsigned long)size); 2199 free(file); 2200 close(fd); 2201 return 0; 2202 } 2203 2204 if (read(fd, *cert, size) != (int)size) { 2205 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2206 "failed to read %lu bytes from \"%s\"", 2207 (unsigned long)size, file)); 2208 free(cert); 2209 cert = NULL; 2210 free(file); 2211 close(fd); 2212 return 0; 2213 } 2214 close(fd); 2215 free(file); 2216 *certlen = size; 2217 return 1; 2218 } 2219 2220 /* This should never be called. */ 2221 int 2222 keynote_cert_get_subjects(void *scert, int *n, u_int8_t ***id, 2223 u_int32_t **id_len) 2224 { 2225 return 0; 2226 } 2227 2228 /* Get the authorizer key. */ 2229 int 2230 keynote_cert_get_key(void *scert, void *keyp) 2231 { 2232 struct keynote_keylist *kl; 2233 int sid, kid, num; 2234 char **foo; 2235 2236 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2237 if (foo == NULL || num == 0) { 2238 log_print("keynote_cert_get_key: " 2239 "failed to decompose credentials"); 2240 return 0; 2241 } 2242 kid = kn_init(); 2243 if (kid == -1) { 2244 log_print("keynote_cert_get_key: " 2245 "failed to initialize new policy session"); 2246 while (num--) 2247 free(foo[num]); 2248 free(foo); 2249 return 0; 2250 } 2251 sid = kn_add_assertion(kid, foo[num - 1], strlen(foo[num - 1]), 0); 2252 while (num--) 2253 free(foo[num]); 2254 free(foo); 2255 2256 if (sid == -1) { 2257 log_print("keynote_cert_get_key: failed to add assertion"); 2258 kn_close(kid); 2259 return 0; 2260 } 2261 *(RSA **)keyp = NULL; 2262 2263 kl = kn_get_licensees(kid, sid); 2264 while (kl) { 2265 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA || 2266 kl->key_alg == KEYNOTE_ALGORITHM_X509) { 2267 *(RSA **)keyp = RSAPublicKey_dup(kl->key_key); 2268 break; 2269 } 2270 kl = kl->key_next; 2271 } 2272 2273 kn_remove_assertion(kid, sid); 2274 kn_close(kid); 2275 return *(RSA **)keyp == NULL ? 0 : 1; 2276 } 2277 2278 void * 2279 keynote_cert_dup(void *cert) 2280 { 2281 return strdup((char *)cert); 2282 } 2283 2284 void 2285 keynote_serialize(void *cert, u_int8_t **data, u_int32_t *datalen) 2286 { 2287 *datalen = strlen((char *)cert) + 1; 2288 *data = (u_int8_t *)strdup(cert); /* i.e an extra character at 2289 * the end... */ 2290 if (*data == NULL) 2291 log_error("keynote_serialize: malloc (%d) failed", *datalen); 2292 } 2293 2294 /* From cert to printable */ 2295 char * 2296 keynote_printable(void *cert) 2297 { 2298 return strdup((char *)cert); 2299 } 2300 2301 /* From printable to cert */ 2302 void * 2303 keynote_from_printable(char *cert) 2304 { 2305 return strdup(cert); 2306 } 2307 2308 /* Number of CAs we trust (currently this is x509 only) */ 2309 int 2310 keynote_ca_count(void) 2311 { 2312 return 0; 2313 } 2314