1 /* $OpenBSD: policy.c,v 1.103 2024/04/28 16:43:42 florian Exp $ */
2 /* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */
3
4 /*
5 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved.
6 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved.
7 * Copyright (c) 2001 H�kan Olsson. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 /*
31 * This code was written under funding by Ericsson Radio Systems.
32 */
33
34 #include <sys/types.h>
35 #include <sys/mman.h>
36 #include <sys/queue.h>
37 #include <sys/stat.h>
38 #include <regex.h>
39 #include <ctype.h>
40 #include <fcntl.h>
41 #include <stdio.h>
42 #include <stdlib.h>
43 #include <string.h>
44 #include <unistd.h>
45 #include <keynote.h>
46 #include <sys/socket.h>
47 #include <netinet/in.h>
48 #include <arpa/inet.h>
49 #include <errno.h>
50 #include <openssl/ssl.h>
51 #include <netdb.h>
52
53 #include "conf.h"
54 #include "exchange.h"
55 #include "ipsec.h"
56 #include "isakmp_doi.h"
57 #include "sa.h"
58 #include "transport.h"
59 #include "log.h"
60 #include "message.h"
61 #include "monitor.h"
62 #include "util.h"
63 #include "policy.h"
64 #include "x509.h"
65
66 char **policy_asserts = NULL;
67 int ignore_policy = 0;
68 int policy_asserts_num = 0;
69 struct exchange *policy_exchange = 0;
70 struct sa *policy_sa = 0;
71 struct sa *policy_isakmp_sa = 0;
72
73 static const char hextab[] = {
74 '0', '1', '2', '3', '4', '5', '6', '7',
75 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
76 };
77
78 /*
79 * Adaptation of Vixie's inet_ntop4 ()
80 */
81 static const char *
my_inet_ntop4(const in_addr_t * src,char * dst,size_t size,int normalize)82 my_inet_ntop4(const in_addr_t *src, char *dst, size_t size, int normalize)
83 {
84 static const char fmt[] = "%03u.%03u.%03u.%03u";
85 char tmp[sizeof "255.255.255.255"];
86 in_addr_t src2;
87 int len;
88
89 if (normalize)
90 src2 = ntohl(*src);
91 else
92 src2 = *src;
93
94 len = snprintf(tmp, sizeof tmp, fmt, ((u_int8_t *)&src2)[0],
95 ((u_int8_t *)&src2)[1], ((u_int8_t *)&src2)[2],
96 ((u_int8_t *)&src2)[3]);
97 if (len < 0 || len > (int)size) {
98 errno = ENOSPC;
99 return 0;
100 }
101 strlcpy(dst, tmp, size);
102 return dst;
103 }
104
105 static const char *
my_inet_ntop6(const unsigned char * src,char * dst,size_t size)106 my_inet_ntop6(const unsigned char *src, char *dst, size_t size)
107 {
108 static const char fmt[] =
109 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x";
110 char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"];
111 int len;
112
113 len = snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3],
114 src[4], src[5], src[6], src[7], src[8], src[9], src[10], src[11],
115 src[12], src[13], src[14], src[15]);
116 if (len < 0 || len > (int)size) {
117 errno = ENOSPC;
118 return 0;
119 }
120 strlcpy(dst, tmp, size);
121 return dst;
122 }
123
124 char *
policy_callback(char * name)125 policy_callback(char *name)
126 {
127 struct proto *proto;
128
129 u_int8_t *attr, *value, *id, *idlocal, *idremote;
130 size_t id_sz, idlocalsz, idremotesz;
131 struct sockaddr *sin;
132 struct ipsec_exch *ie;
133 struct ipsec_sa *is;
134 size_t i;
135 int fmt, lifetype = 0;
136 in_addr_t net, subnet;
137 u_int16_t len, type;
138 time_t tt;
139 char *addr;
140 static char mytimeofday[15];
141
142 /* We use all these as a cache. */
143 #define PMAX 32
144 static char *esp_present, *ah_present, *comp_present;
145 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg;
146 static char *comp_alg, ah_life_kbytes[PMAX], ah_life_seconds[PMAX];
147 static char esp_life_kbytes[PMAX], esp_life_seconds[PMAX];
148 static char comp_life_kbytes[PMAX];
149 static char *ah_ecn, *esp_ecn, *comp_ecn;
150 static char comp_life_seconds[PMAX], *ah_encapsulation;
151 static char *esp_encapsulation, *comp_encapsulation;
152 static char ah_key_length[PMAX], esp_key_length[PMAX];
153 static char ah_key_rounds[PMAX], esp_key_rounds[PMAX];
154 static char comp_dict_size[PMAX], comp_private_alg[PMAX];
155 static char *remote_filter_type, *local_filter_type;
156 static char remote_filter_addr_upper[NI_MAXHOST];
157 static char remote_filter_addr_lower[NI_MAXHOST];
158 static char local_filter_addr_upper[NI_MAXHOST];
159 static char local_filter_addr_lower[NI_MAXHOST];
160 static char ah_group_desc[PMAX], esp_group_desc[PMAX];
161 static char comp_group_desc[PMAX], remote_ike_address[NI_MAXHOST];
162 static char local_ike_address[NI_MAXHOST];
163 static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST];
164 static char *phase_1, remote_id_addr_lower[NI_MAXHOST];
165 static char *remote_id_proto, remote_id_port[PMAX];
166 static char remote_filter_port[PMAX], local_filter_port[PMAX];
167 static char *remote_filter_proto, *local_filter_proto, *pfs;
168 static char *initiator, remote_filter_proto_num[3];
169 static char local_filter_proto_num[3], remote_id_proto_num[3];
170 static char phase1_group[PMAX];
171
172 /* Allocated. */
173 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0;
174
175 static int dirty = 1;
176
177 /* We only need to set dirty at initialization time really. */
178 if (strcmp(name, KEYNOTE_CALLBACK_CLEANUP) == 0 ||
179 strcmp(name, KEYNOTE_CALLBACK_INITIALIZE) == 0) {
180 esp_present = ah_present = comp_present = pfs = "no";
181 ah_hash_alg = ah_auth_alg = phase_1 = "";
182 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = "";
183 ah_ecn = esp_ecn = comp_ecn = "no";
184 esp_encapsulation = comp_encapsulation = "";
185 remote_filter_type = "";
186 local_filter_type = remote_id_type = initiator = "";
187 remote_filter_proto = local_filter_proto = "";
188 remote_id_proto = "";
189
190 free(remote_filter);
191 remote_filter = 0;
192 free(local_filter);
193 local_filter = 0;
194 free(remote_id);
195 remote_id = 0;
196
197 bzero(remote_ike_address, sizeof remote_ike_address);
198 bzero(local_ike_address, sizeof local_ike_address);
199 bzero(ah_life_kbytes, sizeof ah_life_kbytes);
200 bzero(ah_life_seconds, sizeof ah_life_seconds);
201 bzero(esp_life_kbytes, sizeof esp_life_kbytes);
202 bzero(esp_life_seconds, sizeof esp_life_seconds);
203 bzero(comp_life_kbytes, sizeof comp_life_kbytes);
204 bzero(comp_life_seconds, sizeof comp_life_seconds);
205 bzero(ah_key_length, sizeof ah_key_length);
206 bzero(ah_key_rounds, sizeof ah_key_rounds);
207 bzero(esp_key_length, sizeof esp_key_length);
208 bzero(esp_key_rounds, sizeof esp_key_rounds);
209 bzero(comp_dict_size, sizeof comp_dict_size);
210 bzero(comp_private_alg, sizeof comp_private_alg);
211 bzero(remote_filter_addr_upper,
212 sizeof remote_filter_addr_upper);
213 bzero(remote_filter_addr_lower,
214 sizeof remote_filter_addr_lower);
215 bzero(local_filter_addr_upper,
216 sizeof local_filter_addr_upper);
217 bzero(local_filter_addr_lower,
218 sizeof local_filter_addr_lower);
219 bzero(remote_id_addr_upper, sizeof remote_id_addr_upper);
220 bzero(remote_id_addr_lower, sizeof remote_id_addr_lower);
221 bzero(ah_group_desc, sizeof ah_group_desc);
222 bzero(esp_group_desc, sizeof esp_group_desc);
223 bzero(remote_id_port, sizeof remote_id_port);
224 bzero(remote_filter_port, sizeof remote_filter_port);
225 bzero(local_filter_port, sizeof local_filter_port);
226 bzero(phase1_group, sizeof phase1_group);
227
228 dirty = 1;
229 return "";
230 }
231 /*
232 * If dirty is set, this is the first request for an attribute, so
233 * populate our value cache.
234 */
235 if (dirty) {
236 ie = policy_exchange->data;
237
238 if (ie->pfs)
239 pfs = "yes";
240
241 is = policy_isakmp_sa->data;
242 snprintf(phase1_group, sizeof phase1_group, "%u",
243 is->group_desc);
244
245 for (proto = TAILQ_FIRST(&policy_sa->protos); proto;
246 proto = TAILQ_NEXT(proto, link)) {
247 switch (proto->proto) {
248 case IPSEC_PROTO_IPSEC_AH:
249 ah_present = "yes";
250 switch (proto->id) {
251 case IPSEC_AH_MD5:
252 ah_hash_alg = "md5";
253 break;
254
255 case IPSEC_AH_SHA:
256 ah_hash_alg = "sha";
257 break;
258
259 case IPSEC_AH_RIPEMD:
260 ah_hash_alg = "ripemd";
261 break;
262
263 case IPSEC_AH_SHA2_256:
264 ah_auth_alg = "sha2-256";
265 break;
266
267 case IPSEC_AH_SHA2_384:
268 ah_auth_alg = "sha2-384";
269 break;
270
271 case IPSEC_AH_SHA2_512:
272 ah_auth_alg = "sha2-512";
273 break;
274
275 case IPSEC_AH_DES:
276 ah_hash_alg = "des";
277 break;
278 }
279
280 break;
281
282 case IPSEC_PROTO_IPSEC_ESP:
283 esp_present = "yes";
284 switch (proto->id) {
285 case IPSEC_ESP_DES_IV64:
286 esp_enc_alg = "des-iv64";
287 break;
288
289 case IPSEC_ESP_DES:
290 esp_enc_alg = "des";
291 break;
292
293 case IPSEC_ESP_3DES:
294 esp_enc_alg = "3des";
295 break;
296
297 case IPSEC_ESP_AES:
298 case IPSEC_ESP_AES_CTR:
299 case IPSEC_ESP_AES_GCM_16:
300 case IPSEC_ESP_AES_GMAC:
301 esp_enc_alg = "aes";
302 break;
303
304 case IPSEC_ESP_RC5:
305 esp_enc_alg = "rc5";
306 break;
307
308 case IPSEC_ESP_IDEA:
309 esp_enc_alg = "idea";
310 break;
311
312 case IPSEC_ESP_CAST:
313 esp_enc_alg = "cast";
314 break;
315
316 case IPSEC_ESP_BLOWFISH:
317 esp_enc_alg = "blowfish";
318 break;
319
320 case IPSEC_ESP_3IDEA:
321 esp_enc_alg = "3idea";
322 break;
323
324 case IPSEC_ESP_DES_IV32:
325 esp_enc_alg = "des-iv32";
326 break;
327
328 case IPSEC_ESP_RC4:
329 esp_enc_alg = "rc4";
330 break;
331
332 case IPSEC_ESP_NULL:
333 esp_enc_alg = "null";
334 break;
335 }
336
337 break;
338
339 case IPSEC_PROTO_IPCOMP:
340 comp_present = "yes";
341 switch (proto->id) {
342 case IPSEC_IPCOMP_OUI:
343 comp_alg = "oui";
344 break;
345
346 case IPSEC_IPCOMP_DEFLATE:
347 comp_alg = "deflate";
348 break;
349 }
350
351 break;
352 }
353
354 for (attr = proto->chosen->p +
355 ISAKMP_TRANSFORM_SA_ATTRS_OFF;
356 attr < proto->chosen->p +
357 GET_ISAKMP_GEN_LENGTH(proto->chosen->p);
358 attr = value + len) {
359 if (attr + ISAKMP_ATTR_VALUE_OFF >
360 (proto->chosen->p +
361 GET_ISAKMP_GEN_LENGTH(proto->chosen->p)))
362 return "";
363
364 type = GET_ISAKMP_ATTR_TYPE(attr);
365 fmt = ISAKMP_ATTR_FORMAT(type);
366 type = ISAKMP_ATTR_TYPE(type);
367 value = attr + (fmt ?
368 ISAKMP_ATTR_LENGTH_VALUE_OFF :
369 ISAKMP_ATTR_VALUE_OFF);
370 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN :
371 GET_ISAKMP_ATTR_LENGTH_VALUE(attr));
372
373 if (value + len > proto->chosen->p +
374 GET_ISAKMP_GEN_LENGTH(proto->chosen->p))
375 return "";
376
377 switch (type) {
378 case IPSEC_ATTR_SA_LIFE_TYPE:
379 lifetype = decode_16(value);
380 break;
381
382 case IPSEC_ATTR_SA_LIFE_DURATION:
383 switch (proto->proto) {
384 case IPSEC_PROTO_IPSEC_AH:
385 if (lifetype == IPSEC_DURATION_SECONDS) {
386 if (len == 2)
387 snprintf(ah_life_seconds, sizeof ah_life_seconds,
388 "%u", decode_16(value));
389 else
390 snprintf(ah_life_seconds, sizeof ah_life_seconds,
391 "%u", decode_32(value));
392 } else {
393 if (len == 2)
394 snprintf(ah_life_kbytes, sizeof ah_life_kbytes,
395 "%u", decode_16(value));
396 else
397 snprintf(ah_life_kbytes, sizeof ah_life_kbytes,
398 "%u", decode_32(value));
399 }
400
401 break;
402
403 case IPSEC_PROTO_IPSEC_ESP:
404 if (lifetype == IPSEC_DURATION_SECONDS) {
405 if (len == 2)
406 snprintf(esp_life_seconds,
407 sizeof esp_life_seconds, "%u",
408 decode_16(value));
409 else
410 snprintf(esp_life_seconds,
411 sizeof esp_life_seconds, "%u",
412 decode_32(value));
413 } else {
414 if (len == 2)
415 snprintf(esp_life_kbytes,
416 sizeof esp_life_kbytes, "%u",
417 decode_16(value));
418 else
419 snprintf(esp_life_kbytes,
420 sizeof esp_life_kbytes, "%u",
421 decode_32(value));
422 }
423
424 break;
425
426 case IPSEC_PROTO_IPCOMP:
427 if (lifetype == IPSEC_DURATION_SECONDS) {
428 if (len == 2)
429 snprintf(comp_life_seconds,
430 sizeof comp_life_seconds, "%u",
431 decode_16(value));
432 else
433 snprintf(comp_life_seconds,
434 sizeof comp_life_seconds, "%u",
435 decode_32(value));
436 } else {
437 if (len == 2)
438 snprintf(comp_life_kbytes,
439 sizeof comp_life_kbytes, "%u",
440 decode_16(value));
441 else
442 snprintf(comp_life_kbytes,
443 sizeof comp_life_kbytes, "%u",
444 decode_32(value));
445 }
446 break;
447 }
448 break;
449
450 case IPSEC_ATTR_GROUP_DESCRIPTION:
451 switch (proto->proto) {
452 case IPSEC_PROTO_IPSEC_AH:
453 snprintf(ah_group_desc,
454 sizeof ah_group_desc, "%u",
455 decode_16(value));
456 break;
457
458 case IPSEC_PROTO_IPSEC_ESP:
459 snprintf(esp_group_desc,
460 sizeof esp_group_desc, "%u",
461 decode_16(value));
462 break;
463
464 case IPSEC_PROTO_IPCOMP:
465 snprintf(comp_group_desc,
466 sizeof comp_group_desc, "%u",
467 decode_16(value));
468 break;
469 }
470 break;
471
472 case IPSEC_ATTR_ECN_TUNNEL:
473 if (decode_16(value))
474 switch (proto->proto) {
475 case IPSEC_PROTO_IPSEC_AH:
476 ah_ecn = "yes";
477 break;
478
479 case IPSEC_PROTO_IPSEC_ESP:
480 esp_ecn = "yes";
481 break;
482
483 case IPSEC_PROTO_IPCOMP:
484 comp_ecn = "yes";
485 break;
486 }
487
488 case IPSEC_ATTR_ENCAPSULATION_MODE:
489 if (decode_16(value) == IPSEC_ENCAP_TUNNEL)
490 switch (proto->proto) {
491 case IPSEC_PROTO_IPSEC_AH:
492 ah_encapsulation = "tunnel";
493 break;
494
495 case IPSEC_PROTO_IPSEC_ESP:
496 esp_encapsulation = "tunnel";
497 break;
498
499 case IPSEC_PROTO_IPCOMP:
500 comp_encapsulation = "tunnel";
501 break;
502 }
503 else if (decode_16(value) ==
504 IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
505 decode_16(value) ==
506 IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
507 switch (proto->proto) {
508 case IPSEC_PROTO_IPSEC_AH:
509 ah_encapsulation = "udp-encap-tunnel";
510 break;
511
512 case IPSEC_PROTO_IPSEC_ESP:
513 esp_encapsulation = "udp-encap-tunnel";
514 break;
515
516 case IPSEC_PROTO_IPCOMP:
517 comp_encapsulation = "udp-encap-tunnel";
518 break;
519 }
520 /* XXX IPSEC_ENCAP_UDP_ENCAP_TRANSPORT */
521 else
522 switch (proto->proto) {
523 case IPSEC_PROTO_IPSEC_AH:
524 ah_encapsulation = "transport";
525 break;
526
527 case IPSEC_PROTO_IPSEC_ESP:
528 esp_encapsulation = "transport";
529 break;
530
531 case IPSEC_PROTO_IPCOMP:
532 comp_encapsulation = "transport";
533 break;
534 }
535 break;
536
537 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM:
538 switch (proto->proto) {
539 case IPSEC_PROTO_IPSEC_AH:
540 switch (decode_16(value)) {
541 case IPSEC_AUTH_HMAC_MD5:
542 ah_auth_alg = "hmac-md5";
543 break;
544
545 case IPSEC_AUTH_HMAC_SHA:
546 ah_auth_alg = "hmac-sha";
547 break;
548
549 case IPSEC_AUTH_HMAC_RIPEMD:
550 ah_auth_alg = "hmac-ripemd";
551 break;
552
553 case IPSEC_AUTH_HMAC_SHA2_256:
554 ah_auth_alg = "hmac-sha2-256";
555 break;
556
557 case IPSEC_AUTH_HMAC_SHA2_384:
558 ah_auth_alg = "hmac-sha2-384";
559 break;
560
561 case IPSEC_AUTH_HMAC_SHA2_512:
562 ah_auth_alg = "hmac-sha2-512";
563 break;
564
565 case IPSEC_AUTH_DES_MAC:
566 ah_auth_alg = "des-mac";
567 break;
568
569 case IPSEC_AUTH_KPDK:
570 ah_auth_alg = "kpdk";
571 break;
572 }
573 break;
574
575 case IPSEC_PROTO_IPSEC_ESP:
576 switch (decode_16(value)) {
577 case IPSEC_AUTH_HMAC_MD5:
578 esp_auth_alg = "hmac-md5";
579 break;
580
581 case IPSEC_AUTH_HMAC_SHA:
582 esp_auth_alg = "hmac-sha";
583 break;
584
585 case IPSEC_AUTH_HMAC_RIPEMD:
586 esp_auth_alg = "hmac-ripemd";
587 break;
588
589 case IPSEC_AUTH_HMAC_SHA2_256:
590 esp_auth_alg = "hmac-sha2-256";
591 break;
592
593 case IPSEC_AUTH_HMAC_SHA2_384:
594 esp_auth_alg = "hmac-sha2-384";
595 break;
596
597 case IPSEC_AUTH_HMAC_SHA2_512:
598 esp_auth_alg = "hmac-sha2-512";
599 break;
600
601 case IPSEC_AUTH_DES_MAC:
602 esp_auth_alg = "des-mac";
603 break;
604
605 case IPSEC_AUTH_KPDK:
606 esp_auth_alg = "kpdk";
607 break;
608 }
609 break;
610 }
611 break;
612
613 case IPSEC_ATTR_KEY_LENGTH:
614 switch (proto->proto) {
615 case IPSEC_PROTO_IPSEC_AH:
616 snprintf(ah_key_length,
617 sizeof ah_key_length, "%u",
618 decode_16(value));
619 break;
620
621 case IPSEC_PROTO_IPSEC_ESP:
622 snprintf(esp_key_length,
623 sizeof esp_key_length, "%u",
624 decode_16(value));
625 break;
626 }
627 break;
628
629 case IPSEC_ATTR_KEY_ROUNDS:
630 switch (proto->proto) {
631 case IPSEC_PROTO_IPSEC_AH:
632 snprintf(ah_key_rounds,
633 sizeof ah_key_rounds, "%u",
634 decode_16(value));
635 break;
636
637 case IPSEC_PROTO_IPSEC_ESP:
638 snprintf(esp_key_rounds,
639 sizeof esp_key_rounds, "%u",
640 decode_16(value));
641 break;
642 }
643 break;
644
645 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE:
646 snprintf(comp_dict_size,
647 sizeof comp_dict_size, "%u",
648 decode_16(value));
649 break;
650
651 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM:
652 snprintf(comp_private_alg,
653 sizeof comp_private_alg, "%u",
654 decode_16(value));
655 break;
656 }
657 }
658 }
659
660 policy_sa->transport->vtbl->get_src(policy_sa->transport,
661 &sin);
662 if (sockaddr2text(sin, &addr, 1)) {
663 log_error("policy_callback: sockaddr2text failed");
664 goto bad;
665 }
666 strlcpy(local_ike_address, addr, sizeof local_ike_address);
667 free(addr);
668
669 policy_sa->transport->vtbl->get_dst(policy_sa->transport,
670 &sin);
671 if (sockaddr2text(sin, &addr, 1)) {
672 log_error("policy_callback: sockaddr2text failed");
673 goto bad;
674 }
675 strlcpy(remote_ike_address, addr, sizeof remote_ike_address);
676 free(addr);
677
678 switch (policy_isakmp_sa->exch_type) {
679 case ISAKMP_EXCH_AGGRESSIVE:
680 phase_1 = "aggressive";
681 break;
682
683 case ISAKMP_EXCH_ID_PROT:
684 phase_1 = "main";
685 break;
686 }
687
688 if (policy_isakmp_sa->initiator) {
689 id = policy_isakmp_sa->id_r;
690 id_sz = policy_isakmp_sa->id_r_len;
691 } else {
692 id = policy_isakmp_sa->id_i;
693 id_sz = policy_isakmp_sa->id_i_len;
694 }
695
696 switch (id[0]) {
697 case IPSEC_ID_IPV4_ADDR:
698 remote_id_type = "IPv4 address";
699
700 net = decode_32(id + ISAKMP_ID_DATA_OFF -
701 ISAKMP_GEN_SZ);
702 my_inet_ntop4(&net, remote_id_addr_upper,
703 sizeof remote_id_addr_upper - 1, 1);
704 my_inet_ntop4(&net, remote_id_addr_lower,
705 sizeof remote_id_addr_lower - 1, 1);
706 remote_id = strdup(remote_id_addr_upper);
707 if (!remote_id) {
708 log_error("policy_callback: "
709 "strdup (\"%s\") failed",
710 remote_id_addr_upper);
711 goto bad;
712 }
713 break;
714
715 case IPSEC_ID_IPV4_RANGE:
716 remote_id_type = "IPv4 range";
717
718 net = decode_32(id + ISAKMP_ID_DATA_OFF -
719 ISAKMP_GEN_SZ);
720 my_inet_ntop4(&net, remote_id_addr_lower,
721 sizeof remote_id_addr_lower - 1, 1);
722 net = decode_32(id + ISAKMP_ID_DATA_OFF -
723 ISAKMP_GEN_SZ + 4);
724 my_inet_ntop4(&net, remote_id_addr_upper,
725 sizeof remote_id_addr_upper - 1, 1);
726 len = strlen(remote_id_addr_upper) +
727 strlen(remote_id_addr_lower) + 2;
728 remote_id = calloc(len, sizeof(char));
729 if (!remote_id) {
730 log_error("policy_callback: "
731 "calloc (%d, %lu) failed", len,
732 (unsigned long)sizeof(char));
733 goto bad;
734 }
735 strlcpy(remote_id, remote_id_addr_lower, len);
736 strlcat(remote_id, "-", len);
737 strlcat(remote_id, remote_id_addr_upper, len);
738 break;
739
740 case IPSEC_ID_IPV4_ADDR_SUBNET:
741 remote_id_type = "IPv4 subnet";
742
743 net = decode_32(id + ISAKMP_ID_DATA_OFF -
744 ISAKMP_GEN_SZ);
745 subnet = decode_32(id + ISAKMP_ID_DATA_OFF -
746 ISAKMP_GEN_SZ + 4);
747 net &= subnet;
748 my_inet_ntop4(&net, remote_id_addr_lower,
749 sizeof remote_id_addr_lower - 1, 1);
750 net |= ~subnet;
751 my_inet_ntop4(&net, remote_id_addr_upper,
752 sizeof remote_id_addr_upper - 1, 1);
753 len = strlen(remote_id_addr_upper) +
754 strlen(remote_id_addr_lower) + 2;
755 remote_id = calloc(len, sizeof(char));
756 if (!remote_id) {
757 log_error("policy_callback: "
758 "calloc (%d, %lu) failed", len,
759 (unsigned long)sizeof(char));
760 goto bad;
761 }
762 strlcpy(remote_id, remote_id_addr_lower, len);
763 strlcat(remote_id, "-", len);
764 strlcat(remote_id, remote_id_addr_upper, len);
765 break;
766
767 case IPSEC_ID_IPV6_ADDR:
768 remote_id_type = "IPv6 address";
769 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
770 remote_id_addr_upper, sizeof remote_id_addr_upper);
771 strlcpy(remote_id_addr_lower, remote_id_addr_upper,
772 sizeof remote_id_addr_lower);
773 remote_id = strdup(remote_id_addr_upper);
774 if (!remote_id) {
775 log_error("policy_callback: "
776 "strdup (\"%s\") failed",
777 remote_id_addr_upper);
778 goto bad;
779 }
780 break;
781
782 case IPSEC_ID_IPV6_RANGE:
783 remote_id_type = "IPv6 range";
784
785 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
786 remote_id_addr_lower,
787 sizeof remote_id_addr_lower - 1);
788
789 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF -
790 ISAKMP_GEN_SZ + 16, remote_id_addr_upper,
791 sizeof remote_id_addr_upper - 1);
792
793 len = strlen(remote_id_addr_upper) +
794 strlen(remote_id_addr_lower) + 2;
795 remote_id = calloc(len, sizeof(char));
796 if (!remote_id) {
797 log_error("policy_callback: "
798 "calloc (%d, %lu) failed", len,
799 (unsigned long)sizeof(char));
800 goto bad;
801 }
802 strlcpy(remote_id, remote_id_addr_lower, len);
803 strlcat(remote_id, "-", len);
804 strlcat(remote_id, remote_id_addr_upper, len);
805 break;
806
807 case IPSEC_ID_IPV6_ADDR_SUBNET:
808 {
809 struct in6_addr net, mask;
810
811 remote_id_type = "IPv6 subnet";
812
813 bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, &net,
814 sizeof(net));
815 bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16,
816 &mask, sizeof(mask));
817
818 for (i = 0; i < 16; i++)
819 net.s6_addr[i] &= mask.s6_addr[i];
820
821 my_inet_ntop6((unsigned char *)&net,
822 remote_id_addr_lower,
823 sizeof remote_id_addr_lower - 1);
824
825 for (i = 0; i < 16; i++)
826 net.s6_addr[i] |= ~mask.s6_addr[i];
827
828 my_inet_ntop6((unsigned char *)&net,
829 remote_id_addr_upper,
830 sizeof remote_id_addr_upper - 1);
831
832 len = strlen(remote_id_addr_upper) +
833 strlen(remote_id_addr_lower) + 2;
834 remote_id = calloc(len, sizeof(char));
835 if (!remote_id) {
836 log_error("policy_callback: "
837 "calloc (%d, %lu) failed", len,
838 (unsigned long)sizeof(char));
839 goto bad;
840 }
841 strlcpy(remote_id, remote_id_addr_lower, len);
842 strlcat(remote_id, "-", len);
843 strlcat(remote_id, remote_id_addr_upper, len);
844 break;
845 }
846
847 case IPSEC_ID_FQDN:
848 remote_id_type = "FQDN";
849 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF +
850 ISAKMP_GEN_SZ + 1, sizeof(char));
851 if (!remote_id) {
852 log_error("policy_callback: "
853 "calloc (%lu, %lu) failed",
854 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF +
855 ISAKMP_GEN_SZ + 1,
856 (unsigned long)sizeof(char));
857 goto bad;
858 }
859 memcpy(remote_id,
860 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
861 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ);
862 break;
863
864 case IPSEC_ID_USER_FQDN:
865 remote_id_type = "User FQDN";
866 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF +
867 ISAKMP_GEN_SZ + 1, sizeof(char));
868 if (!remote_id) {
869 log_error("policy_callback: "
870 "calloc (%lu, %lu) failed",
871 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF +
872 ISAKMP_GEN_SZ + 1,
873 (unsigned long)sizeof(char));
874 goto bad;
875 }
876 memcpy(remote_id,
877 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
878 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ);
879 break;
880
881 case IPSEC_ID_DER_ASN1_DN:
882 remote_id_type = "ASN1 DN";
883
884 remote_id = x509_DN_string(id + ISAKMP_ID_DATA_OFF -
885 ISAKMP_GEN_SZ,
886 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ);
887 if (!remote_id) {
888 LOG_DBG((LOG_POLICY, 50,
889 "policy_callback: failed to decode name"));
890 goto bad;
891 }
892 break;
893
894 case IPSEC_ID_DER_ASN1_GN: /* XXX */
895 remote_id_type = "ASN1 GN";
896 break;
897
898 case IPSEC_ID_KEY_ID:
899 remote_id_type = "Key ID";
900 remote_id = calloc(2 * (id_sz - ISAKMP_ID_DATA_OFF +
901 ISAKMP_GEN_SZ) + 1, sizeof(char));
902 if (!remote_id) {
903 log_error("policy_callback: "
904 "calloc (%lu, %lu) failed",
905 2 * ((unsigned long)id_sz -
906 ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1,
907 (unsigned long)sizeof(char));
908 goto bad;
909 }
910 /* Does it contain any non-printable characters ? */
911 for (i = 0;
912 i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ;
913 i++)
914 if (!isprint((unsigned char)*(id + ISAKMP_ID_DATA_OFF -
915 ISAKMP_GEN_SZ + i)))
916 break;
917 if (i >= id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) {
918 memcpy(remote_id, id + ISAKMP_ID_DATA_OFF -
919 ISAKMP_GEN_SZ,
920 id_sz - ISAKMP_ID_DATA_OFF +
921 ISAKMP_GEN_SZ);
922 break;
923 }
924 /* Non-printable characters, convert to hex */
925 for (i = 0;
926 i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ;
927 i++) {
928 remote_id[2 * i] = hextab[*(id +
929 ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4];
930 remote_id[2 * i + 1] = hextab[*(id +
931 ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF];
932 }
933 break;
934
935 default:
936 log_print("policy_callback: "
937 "unknown remote ID type %u", id[0]);
938 goto bad;
939 }
940
941 switch (id[1]) {
942 case IPPROTO_TCP:
943 remote_id_proto = "tcp";
944 break;
945
946 case IPPROTO_UDP:
947 remote_id_proto = "udp";
948 break;
949
950 case IPPROTO_ETHERIP:
951 remote_id_proto = "etherip";
952 break;
953
954 default:
955 snprintf(remote_id_proto_num,
956 sizeof remote_id_proto_num, "%d",
957 id[1]);
958 remote_id_proto = remote_id_proto_num;
959 break;
960 }
961
962 snprintf(remote_id_port, sizeof remote_id_port, "%u",
963 decode_16(id + 2));
964
965 if (policy_exchange->initiator) {
966 initiator = "yes";
967 idlocal = ie->id_ci;
968 idremote = ie->id_cr;
969 idlocalsz = ie->id_ci_sz;
970 idremotesz = ie->id_cr_sz;
971 } else {
972 initiator = "no";
973 idlocal = ie->id_cr;
974 idremote = ie->id_ci;
975 idlocalsz = ie->id_cr_sz;
976 idremotesz = ie->id_ci_sz;
977 }
978
979 /* Initialize the ID variables. */
980 if (idremote) {
981 switch (GET_ISAKMP_ID_TYPE(idremote)) {
982 case IPSEC_ID_IPV4_ADDR:
983 remote_filter_type = "IPv4 address";
984
985 net = decode_32(idremote + ISAKMP_ID_DATA_OFF);
986 my_inet_ntop4(&net, remote_filter_addr_upper,
987 sizeof remote_filter_addr_upper - 1, 1);
988 my_inet_ntop4(&net, remote_filter_addr_lower,
989 sizeof remote_filter_addr_lower - 1, 1);
990 remote_filter =
991 strdup(remote_filter_addr_upper);
992 if (!remote_filter) {
993 log_error("policy_callback: strdup "
994 "(\"%s\") failed",
995 remote_filter_addr_upper);
996 goto bad;
997 }
998 break;
999
1000 case IPSEC_ID_IPV4_RANGE:
1001 remote_filter_type = "IPv4 range";
1002
1003 net = decode_32(idremote + ISAKMP_ID_DATA_OFF);
1004 my_inet_ntop4(&net, remote_filter_addr_lower,
1005 sizeof remote_filter_addr_lower - 1, 1);
1006 net = decode_32(idremote + ISAKMP_ID_DATA_OFF +
1007 4);
1008 my_inet_ntop4(&net, remote_filter_addr_upper,
1009 sizeof remote_filter_addr_upper - 1, 1);
1010 len = strlen(remote_filter_addr_upper) +
1011 strlen(remote_filter_addr_lower) + 2;
1012 remote_filter = calloc(len, sizeof(char));
1013 if (!remote_filter) {
1014 log_error("policy_callback: calloc "
1015 "(%d, %lu) failed", len,
1016 (unsigned long)sizeof(char));
1017 goto bad;
1018 }
1019 strlcpy(remote_filter,
1020 remote_filter_addr_lower, len);
1021 strlcat(remote_filter, "-", len);
1022 strlcat(remote_filter,
1023 remote_filter_addr_upper, len);
1024 break;
1025
1026 case IPSEC_ID_IPV4_ADDR_SUBNET:
1027 remote_filter_type = "IPv4 subnet";
1028
1029 net = decode_32(idremote + ISAKMP_ID_DATA_OFF);
1030 subnet = decode_32(idremote +
1031 ISAKMP_ID_DATA_OFF + 4);
1032 net &= subnet;
1033 my_inet_ntop4(&net, remote_filter_addr_lower,
1034 sizeof remote_filter_addr_lower - 1, 1);
1035 net |= ~subnet;
1036 my_inet_ntop4(&net, remote_filter_addr_upper,
1037 sizeof remote_filter_addr_upper - 1, 1);
1038 len = strlen(remote_filter_addr_upper) +
1039 strlen(remote_filter_addr_lower) + 2;
1040 remote_filter = calloc(len, sizeof(char));
1041 if (!remote_filter) {
1042 log_error("policy_callback: calloc "
1043 "(%d, %lu) failed", len,
1044 (unsigned long)sizeof(char));
1045 goto bad;
1046 }
1047 strlcpy(remote_filter,
1048 remote_filter_addr_lower, len);
1049 strlcat(remote_filter, "-", len);
1050 strlcat(remote_filter,
1051 remote_filter_addr_upper, len);
1052 break;
1053
1054 case IPSEC_ID_IPV6_ADDR:
1055 remote_filter_type = "IPv6 address";
1056 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF,
1057 remote_filter_addr_upper,
1058 sizeof remote_filter_addr_upper - 1);
1059 strlcpy(remote_filter_addr_lower,
1060 remote_filter_addr_upper,
1061 sizeof remote_filter_addr_lower);
1062 remote_filter =
1063 strdup(remote_filter_addr_upper);
1064 if (!remote_filter) {
1065 log_error("policy_callback: strdup "
1066 "(\"%s\") failed",
1067 remote_filter_addr_upper);
1068 goto bad;
1069 }
1070 break;
1071
1072 case IPSEC_ID_IPV6_RANGE:
1073 remote_filter_type = "IPv6 range";
1074
1075 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF,
1076 remote_filter_addr_lower,
1077 sizeof remote_filter_addr_lower - 1);
1078
1079 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF +
1080 16, remote_filter_addr_upper,
1081 sizeof remote_filter_addr_upper - 1);
1082
1083 len = strlen(remote_filter_addr_upper) +
1084 strlen(remote_filter_addr_lower) + 2;
1085 remote_filter = calloc(len, sizeof(char));
1086 if (!remote_filter) {
1087 log_error("policy_callback: calloc "
1088 "(%d, %lu) failed", len,
1089 (unsigned long)sizeof(char));
1090 goto bad;
1091 }
1092 strlcpy(remote_filter,
1093 remote_filter_addr_lower, len);
1094 strlcat(remote_filter, "-", len);
1095 strlcat(remote_filter,
1096 remote_filter_addr_upper, len);
1097 break;
1098
1099 case IPSEC_ID_IPV6_ADDR_SUBNET:
1100 {
1101 struct in6_addr net, mask;
1102
1103 remote_filter_type = "IPv6 subnet";
1104
1105 bcopy(idremote + ISAKMP_ID_DATA_OFF,
1106 &net, sizeof(net));
1107 bcopy(idremote + ISAKMP_ID_DATA_OFF +
1108 16, &mask, sizeof(mask));
1109
1110 for (i = 0; i < 16; i++)
1111 net.s6_addr[i] &=
1112 mask.s6_addr[i];
1113
1114 my_inet_ntop6((unsigned char *)&net,
1115 remote_filter_addr_lower,
1116 sizeof remote_filter_addr_lower - 1);
1117
1118 for (i = 0; i < 16; i++)
1119 net.s6_addr[i] |=
1120 ~mask.s6_addr[i];
1121
1122 my_inet_ntop6((unsigned char *)&net,
1123 remote_filter_addr_upper,
1124 sizeof remote_filter_addr_upper - 1);
1125
1126 len = strlen(remote_filter_addr_upper)
1127 + strlen(remote_filter_addr_lower) + 2;
1128 remote_filter = calloc(len,
1129 sizeof(char));
1130 if (!remote_filter) {
1131 log_error("policy_callback: "
1132 "calloc (%d, %lu) failed",
1133 len,
1134 (unsigned long)sizeof(char));
1135 goto bad;
1136 }
1137 strlcpy(remote_filter,
1138 remote_filter_addr_lower, len);
1139 strlcat(remote_filter, "-", len);
1140 strlcat(remote_filter,
1141 remote_filter_addr_upper, len);
1142 break;
1143 }
1144
1145 case IPSEC_ID_FQDN:
1146 remote_filter_type = "FQDN";
1147 remote_filter = malloc(idremotesz -
1148 ISAKMP_ID_DATA_OFF + 1);
1149 if (!remote_filter) {
1150 log_error("policy_callback: "
1151 "malloc (%lu) failed",
1152 (unsigned long)idremotesz -
1153 ISAKMP_ID_DATA_OFF + 1);
1154 goto bad;
1155 }
1156 memcpy(remote_filter,
1157 idremote + ISAKMP_ID_DATA_OFF,
1158 idremotesz - ISAKMP_ID_DATA_OFF);
1159 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF]
1160 = '\0';
1161 break;
1162
1163 case IPSEC_ID_USER_FQDN:
1164 remote_filter_type = "User FQDN";
1165 remote_filter = malloc(idremotesz -
1166 ISAKMP_ID_DATA_OFF + 1);
1167 if (!remote_filter) {
1168 log_error("policy_callback: "
1169 "malloc (%lu) failed",
1170 (unsigned long)idremotesz -
1171 ISAKMP_ID_DATA_OFF + 1);
1172 goto bad;
1173 }
1174 memcpy(remote_filter,
1175 idremote + ISAKMP_ID_DATA_OFF,
1176 idremotesz - ISAKMP_ID_DATA_OFF);
1177 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF]
1178 = '\0';
1179 break;
1180
1181 case IPSEC_ID_DER_ASN1_DN:
1182 remote_filter_type = "ASN1 DN";
1183
1184 remote_filter = x509_DN_string(idremote +
1185 ISAKMP_ID_DATA_OFF,
1186 idremotesz - ISAKMP_ID_DATA_OFF);
1187 if (!remote_filter) {
1188 LOG_DBG((LOG_POLICY, 50,
1189 "policy_callback: "
1190 "failed to decode name"));
1191 goto bad;
1192 }
1193 break;
1194
1195 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure
1196 * what's in this. */
1197 remote_filter_type = "ASN1 GN";
1198 break;
1199
1200 case IPSEC_ID_KEY_ID:
1201 remote_filter_type = "Key ID";
1202 remote_filter
1203 = calloc(2 * (idremotesz -
1204 ISAKMP_ID_DATA_OFF) + 1,
1205 sizeof(char));
1206 if (!remote_filter) {
1207 log_error("policy_callback: "
1208 "calloc (%lu, %lu) failed",
1209 2 * ((unsigned long)idremotesz -
1210 ISAKMP_ID_DATA_OFF) + 1,
1211 (unsigned long)sizeof(char));
1212 goto bad;
1213 }
1214 /*
1215 * Does it contain any non-printable
1216 * characters ?
1217 */
1218 for (i = 0;
1219 i < idremotesz - ISAKMP_ID_DATA_OFF; i++)
1220 if (!isprint((unsigned char)*(idremote +
1221 ISAKMP_ID_DATA_OFF + i)))
1222 break;
1223 if (i >= idremotesz - ISAKMP_ID_DATA_OFF) {
1224 memcpy(remote_filter,
1225 idremote + ISAKMP_ID_DATA_OFF,
1226 idremotesz - ISAKMP_ID_DATA_OFF);
1227 break;
1228 }
1229 /* Non-printable characters, convert to hex */
1230 for (i = 0;
1231 i < idremotesz - ISAKMP_ID_DATA_OFF;
1232 i++) {
1233 remote_filter[2 * i]
1234 = hextab[*(idremote +
1235 ISAKMP_ID_DATA_OFF) >> 4];
1236 remote_filter[2 * i + 1]
1237 = hextab[*(idremote +
1238 ISAKMP_ID_DATA_OFF) & 0xF];
1239 }
1240 break;
1241
1242 default:
1243 log_print("policy_callback: "
1244 "unknown Remote ID type %u",
1245 GET_ISAKMP_ID_TYPE(idremote));
1246 goto bad;
1247 }
1248
1249 switch (idremote[ISAKMP_GEN_SZ + 1]) {
1250 case IPPROTO_TCP:
1251 remote_filter_proto = "tcp";
1252 break;
1253
1254 case IPPROTO_UDP:
1255 remote_filter_proto = "udp";
1256 break;
1257
1258 case IPPROTO_ETHERIP:
1259 remote_filter_proto = "etherip";
1260 break;
1261
1262 default:
1263 snprintf(remote_filter_proto_num,
1264 sizeof remote_filter_proto_num, "%d",
1265 idremote[ISAKMP_GEN_SZ + 1]);
1266 remote_filter_proto = remote_filter_proto_num;
1267 break;
1268 }
1269
1270 snprintf(remote_filter_port, sizeof remote_filter_port,
1271 "%u", decode_16(idremote + ISAKMP_GEN_SZ + 2));
1272 } else {
1273 policy_sa->transport->vtbl->get_dst(policy_sa->transport, &sin);
1274 switch (sin->sa_family) {
1275 case AF_INET:
1276 remote_filter_type = "IPv4 address";
1277 break;
1278 case AF_INET6:
1279 remote_filter_type = "IPv6 address";
1280 break;
1281 default:
1282 log_print("policy_callback: "
1283 "unsupported protocol family %d",
1284 sin->sa_family);
1285 goto bad;
1286 }
1287 if (sockaddr2text(sin, &addr, 1)) {
1288 log_error("policy_callback: "
1289 "sockaddr2text failed");
1290 goto bad;
1291 }
1292 memcpy(remote_filter_addr_upper, addr,
1293 sizeof remote_filter_addr_upper);
1294 memcpy(remote_filter_addr_lower, addr,
1295 sizeof remote_filter_addr_lower);
1296 free(addr);
1297 remote_filter = strdup(remote_filter_addr_upper);
1298 if (!remote_filter) {
1299 log_error("policy_callback: "
1300 "strdup (\"%s\") failed",
1301 remote_filter_addr_upper);
1302 goto bad;
1303 }
1304 }
1305
1306 if (idlocal) {
1307 switch (GET_ISAKMP_ID_TYPE(idlocal)) {
1308 case IPSEC_ID_IPV4_ADDR:
1309 local_filter_type = "IPv4 address";
1310
1311 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF);
1312 my_inet_ntop4(&net, local_filter_addr_upper,
1313 sizeof local_filter_addr_upper - 1, 1);
1314 my_inet_ntop4(&net, local_filter_addr_lower,
1315 sizeof local_filter_addr_upper - 1, 1);
1316 local_filter = strdup(local_filter_addr_upper);
1317 if (!local_filter) {
1318 log_error("policy_callback: "
1319 "strdup (\"%s\") failed",
1320 local_filter_addr_upper);
1321 goto bad;
1322 }
1323 break;
1324
1325 case IPSEC_ID_IPV4_RANGE:
1326 local_filter_type = "IPv4 range";
1327
1328 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF);
1329 my_inet_ntop4(&net, local_filter_addr_lower,
1330 sizeof local_filter_addr_lower - 1, 1);
1331 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF +
1332 4);
1333 my_inet_ntop4(&net, local_filter_addr_upper,
1334 sizeof local_filter_addr_upper - 1, 1);
1335 len = strlen(local_filter_addr_upper)
1336 + strlen(local_filter_addr_lower) + 2;
1337 local_filter = calloc(len, sizeof(char));
1338 if (!local_filter) {
1339 log_error("policy_callback: "
1340 "calloc (%d, %lu) failed", len,
1341 (unsigned long)sizeof(char));
1342 goto bad;
1343 }
1344 strlcpy(local_filter, local_filter_addr_lower,
1345 len);
1346 strlcat(local_filter, "-", len);
1347 strlcat(local_filter, local_filter_addr_upper,
1348 len);
1349 break;
1350
1351 case IPSEC_ID_IPV4_ADDR_SUBNET:
1352 local_filter_type = "IPv4 subnet";
1353
1354 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF);
1355 subnet = decode_32(idlocal +
1356 ISAKMP_ID_DATA_OFF + 4);
1357 net &= subnet;
1358 my_inet_ntop4(&net, local_filter_addr_lower,
1359 sizeof local_filter_addr_lower - 1, 1);
1360 net |= ~subnet;
1361 my_inet_ntop4(&net, local_filter_addr_upper,
1362 sizeof local_filter_addr_upper - 1, 1);
1363 len = strlen(local_filter_addr_upper) +
1364 strlen(local_filter_addr_lower) + 2;
1365 local_filter = calloc(len, sizeof(char));
1366 if (!local_filter) {
1367 log_error("policy_callback: "
1368 "calloc (%d, %lu) failed", len,
1369 (unsigned long)sizeof(char));
1370 goto bad;
1371 }
1372 strlcpy(local_filter, local_filter_addr_lower,
1373 len);
1374 strlcat(local_filter, "-", len);
1375 strlcat(local_filter, local_filter_addr_upper,
1376 len);
1377 break;
1378
1379 case IPSEC_ID_IPV6_ADDR:
1380 local_filter_type = "IPv6 address";
1381 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF,
1382 local_filter_addr_upper,
1383 sizeof local_filter_addr_upper - 1);
1384 strlcpy(local_filter_addr_lower,
1385 local_filter_addr_upper,
1386 sizeof local_filter_addr_lower);
1387 local_filter = strdup(local_filter_addr_upper);
1388 if (!local_filter) {
1389 log_error("policy_callback: "
1390 "strdup (\"%s\") failed",
1391 local_filter_addr_upper);
1392 goto bad;
1393 }
1394 break;
1395
1396 case IPSEC_ID_IPV6_RANGE:
1397 local_filter_type = "IPv6 range";
1398
1399 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF,
1400 local_filter_addr_lower,
1401 sizeof local_filter_addr_lower - 1);
1402
1403 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF +
1404 16, local_filter_addr_upper,
1405 sizeof local_filter_addr_upper - 1);
1406
1407 len = strlen(local_filter_addr_upper)
1408 + strlen(local_filter_addr_lower) + 2;
1409 local_filter = calloc(len, sizeof(char));
1410 if (!local_filter) {
1411 log_error("policy_callback: "
1412 "calloc (%d, %lu) failed", len,
1413 (unsigned long)sizeof(char));
1414 goto bad;
1415 }
1416 strlcpy(local_filter, local_filter_addr_lower,
1417 len);
1418 strlcat(local_filter, "-", len);
1419 strlcat(local_filter, local_filter_addr_upper,
1420 len);
1421 break;
1422
1423 case IPSEC_ID_IPV6_ADDR_SUBNET:
1424 {
1425 struct in6_addr net, mask;
1426
1427 local_filter_type = "IPv6 subnet";
1428
1429 bcopy(idlocal + ISAKMP_ID_DATA_OFF,
1430 &net, sizeof(net));
1431 bcopy(idlocal + ISAKMP_ID_DATA_OFF +
1432 16, &mask, sizeof(mask));
1433
1434 for (i = 0; i < 16; i++)
1435 net.s6_addr[i] &=
1436 mask.s6_addr[i];
1437
1438 my_inet_ntop6((unsigned char *)&net,
1439 local_filter_addr_lower,
1440 sizeof local_filter_addr_lower - 1);
1441
1442 for (i = 0; i < 16; i++)
1443 net.s6_addr[i] |=
1444 ~mask.s6_addr[i];
1445
1446 my_inet_ntop6((unsigned char *)&net,
1447 local_filter_addr_upper,
1448 sizeof local_filter_addr_upper -
1449 1);
1450
1451 len = strlen(local_filter_addr_upper)
1452 + strlen(local_filter_addr_lower)
1453 + 2;
1454 local_filter = calloc(len,
1455 sizeof(char));
1456 if (!local_filter) {
1457 log_error("policy_callback: "
1458 "calloc (%d, %lu) failed",
1459 len,
1460 (unsigned long)sizeof(char));
1461 goto bad;
1462 }
1463 strlcpy(local_filter,
1464 local_filter_addr_lower, len);
1465 strlcat(local_filter, "-", len);
1466 strlcat(local_filter,
1467 local_filter_addr_upper, len);
1468 break;
1469 }
1470
1471 case IPSEC_ID_FQDN:
1472 local_filter_type = "FQDN";
1473 local_filter = malloc(idlocalsz -
1474 ISAKMP_ID_DATA_OFF + 1);
1475 if (!local_filter) {
1476 log_error("policy_callback: "
1477 "malloc (%lu) failed",
1478 (unsigned long)idlocalsz -
1479 ISAKMP_ID_DATA_OFF + 1);
1480 goto bad;
1481 }
1482 memcpy(local_filter,
1483 idlocal + ISAKMP_ID_DATA_OFF,
1484 idlocalsz - ISAKMP_ID_DATA_OFF);
1485 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0';
1486 break;
1487
1488 case IPSEC_ID_USER_FQDN:
1489 local_filter_type = "User FQDN";
1490 local_filter = malloc(idlocalsz -
1491 ISAKMP_ID_DATA_OFF + 1);
1492 if (!local_filter) {
1493 log_error("policy_callback: "
1494 "malloc (%lu) failed",
1495 (unsigned long)idlocalsz -
1496 ISAKMP_ID_DATA_OFF + 1);
1497 goto bad;
1498 }
1499 memcpy(local_filter,
1500 idlocal + ISAKMP_ID_DATA_OFF,
1501 idlocalsz - ISAKMP_ID_DATA_OFF);
1502 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0';
1503 break;
1504
1505 case IPSEC_ID_DER_ASN1_DN:
1506 local_filter_type = "ASN1 DN";
1507
1508 local_filter = x509_DN_string(idlocal +
1509 ISAKMP_ID_DATA_OFF,
1510 idlocalsz - ISAKMP_ID_DATA_OFF);
1511 if (!local_filter) {
1512 LOG_DBG((LOG_POLICY, 50,
1513 "policy_callback: failed to decode"
1514 " name"));
1515 goto bad;
1516 }
1517 break;
1518
1519 case IPSEC_ID_DER_ASN1_GN:
1520 /* XXX -- not sure what's in this. */
1521 local_filter_type = "ASN1 GN";
1522 break;
1523
1524 case IPSEC_ID_KEY_ID:
1525 local_filter_type = "Key ID";
1526 local_filter = calloc(2 * (idlocalsz -
1527 ISAKMP_ID_DATA_OFF) + 1,
1528 sizeof(char));
1529 if (!local_filter) {
1530 log_error("policy_callback: "
1531 "calloc (%lu, %lu) failed",
1532 2 * ((unsigned long)idlocalsz -
1533 ISAKMP_ID_DATA_OFF) + 1,
1534 (unsigned long)sizeof(char));
1535 goto bad;
1536 }
1537 /*
1538 * Does it contain any non-printable
1539 * characters ?
1540 */
1541 for (i = 0;
1542 i < idlocalsz - ISAKMP_ID_DATA_OFF; i++)
1543 if (!isprint((unsigned char)*(idlocal +
1544 ISAKMP_ID_DATA_OFF + i)))
1545 break;
1546 if (i >= idlocalsz - ISAKMP_ID_DATA_OFF) {
1547 memcpy(local_filter, idlocal +
1548 ISAKMP_ID_DATA_OFF,
1549 idlocalsz - ISAKMP_ID_DATA_OFF);
1550 break;
1551 }
1552 /* Non-printable characters, convert to hex */
1553 for (i = 0;
1554 i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) {
1555 local_filter[2 * i] =
1556 hextab[*(idlocal +
1557 ISAKMP_ID_DATA_OFF) >> 4];
1558 local_filter[2 * i + 1] =
1559 hextab[*(idlocal +
1560 ISAKMP_ID_DATA_OFF) & 0xF];
1561 }
1562 break;
1563
1564 default:
1565 log_print("policy_callback: "
1566 "unknown Local ID type %u",
1567 GET_ISAKMP_ID_TYPE(idlocal));
1568 goto bad;
1569 }
1570
1571 switch (idlocal[ISAKMP_GEN_SZ + 1]) {
1572 case IPPROTO_TCP:
1573 local_filter_proto = "tcp";
1574 break;
1575
1576 case IPPROTO_UDP:
1577 local_filter_proto = "udp";
1578 break;
1579
1580 case IPPROTO_ETHERIP:
1581 local_filter_proto = "etherip";
1582 break;
1583
1584 default:
1585 snprintf(local_filter_proto_num,
1586 sizeof local_filter_proto_num,
1587 "%d", idlocal[ISAKMP_GEN_SZ + 1]);
1588 local_filter_proto = local_filter_proto_num;
1589 break;
1590 }
1591
1592 snprintf(local_filter_port, sizeof local_filter_port,
1593 "%u", decode_16(idlocal + ISAKMP_GEN_SZ + 2));
1594 } else {
1595 policy_sa->transport->vtbl->get_src(policy_sa->transport,
1596 (struct sockaddr **)&sin);
1597 switch (sin->sa_family) {
1598 case AF_INET:
1599 local_filter_type = "IPv4 address";
1600 break;
1601 case AF_INET6:
1602 local_filter_type = "IPv6 address";
1603 break;
1604 default:
1605 log_print("policy_callback: "
1606 "unsupported protocol family %d",
1607 sin->sa_family);
1608 goto bad;
1609 }
1610
1611 if (sockaddr2text(sin, &addr, 1)) {
1612 log_error("policy_callback: "
1613 "sockaddr2text failed");
1614 goto bad;
1615 }
1616 memcpy(local_filter_addr_upper, addr,
1617 sizeof local_filter_addr_upper);
1618 memcpy(local_filter_addr_lower, addr,
1619 sizeof local_filter_addr_lower);
1620 free(addr);
1621 local_filter = strdup(local_filter_addr_upper);
1622 if (!local_filter) {
1623 log_error("policy_callback: "
1624 "strdup (\"%s\") failed",
1625 local_filter_addr_upper);
1626 goto bad;
1627 }
1628 }
1629
1630 LOG_DBG((LOG_POLICY, 80,
1631 "Policy context (action attributes):"));
1632 LOG_DBG((LOG_POLICY, 80, "esp_present == %s", esp_present));
1633 LOG_DBG((LOG_POLICY, 80, "ah_present == %s", ah_present));
1634 LOG_DBG((LOG_POLICY, 80, "comp_present == %s", comp_present));
1635 LOG_DBG((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg));
1636 LOG_DBG((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg));
1637 LOG_DBG((LOG_POLICY, 80, "comp_alg == %s", comp_alg));
1638 LOG_DBG((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg));
1639 LOG_DBG((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg));
1640 LOG_DBG((LOG_POLICY, 80, "ah_life_seconds == %s",
1641 ah_life_seconds));
1642 LOG_DBG((LOG_POLICY, 80, "ah_life_kbytes == %s",
1643 ah_life_kbytes));
1644 LOG_DBG((LOG_POLICY, 80, "esp_life_seconds == %s",
1645 esp_life_seconds));
1646 LOG_DBG((LOG_POLICY, 80, "esp_life_kbytes == %s",
1647 esp_life_kbytes));
1648 LOG_DBG((LOG_POLICY, 80, "comp_life_seconds == %s",
1649 comp_life_seconds));
1650 LOG_DBG((LOG_POLICY, 80, "comp_life_kbytes == %s",
1651 comp_life_kbytes));
1652 LOG_DBG((LOG_POLICY, 80, "ah_encapsulation == %s",
1653 ah_encapsulation));
1654 LOG_DBG((LOG_POLICY, 80, "esp_encapsulation == %s",
1655 esp_encapsulation));
1656 LOG_DBG((LOG_POLICY, 80, "comp_encapsulation == %s",
1657 comp_encapsulation));
1658 LOG_DBG((LOG_POLICY, 80, "comp_dict_size == %s",
1659 comp_dict_size));
1660 LOG_DBG((LOG_POLICY, 80, "comp_private_alg == %s",
1661 comp_private_alg));
1662 LOG_DBG((LOG_POLICY, 80, "ah_key_length == %s",
1663 ah_key_length));
1664 LOG_DBG((LOG_POLICY, 80, "ah_key_rounds == %s",
1665 ah_key_rounds));
1666 LOG_DBG((LOG_POLICY, 80, "esp_key_length == %s",
1667 esp_key_length));
1668 LOG_DBG((LOG_POLICY, 80, "esp_key_rounds == %s",
1669 esp_key_rounds));
1670 LOG_DBG((LOG_POLICY, 80, "ah_group_desc == %s",
1671 ah_group_desc));
1672 LOG_DBG((LOG_POLICY, 80, "esp_group_desc == %s",
1673 esp_group_desc));
1674 LOG_DBG((LOG_POLICY, 80, "comp_group_desc == %s",
1675 comp_group_desc));
1676 LOG_DBG((LOG_POLICY, 80, "ah_ecn == %s", ah_ecn));
1677 LOG_DBG((LOG_POLICY, 80, "esp_ecn == %s", esp_ecn));
1678 LOG_DBG((LOG_POLICY, 80, "comp_ecn == %s", comp_ecn));
1679 LOG_DBG((LOG_POLICY, 80, "remote_filter_type == %s",
1680 remote_filter_type));
1681 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_upper == %s",
1682 remote_filter_addr_upper));
1683 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_lower == %s",
1684 remote_filter_addr_lower));
1685 LOG_DBG((LOG_POLICY, 80, "remote_filter == %s",
1686 (remote_filter ? remote_filter : "")));
1687 LOG_DBG((LOG_POLICY, 80, "remote_filter_port == %s",
1688 remote_filter_port));
1689 LOG_DBG((LOG_POLICY, 80, "remote_filter_proto == %s",
1690 remote_filter_proto));
1691 LOG_DBG((LOG_POLICY, 80, "local_filter_type == %s",
1692 local_filter_type));
1693 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_upper == %s",
1694 local_filter_addr_upper));
1695 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_lower == %s",
1696 local_filter_addr_lower));
1697 LOG_DBG((LOG_POLICY, 80, "local_filter == %s",
1698 (local_filter ? local_filter : "")));
1699 LOG_DBG((LOG_POLICY, 80, "local_filter_port == %s",
1700 local_filter_port));
1701 LOG_DBG((LOG_POLICY, 80, "local_filter_proto == %s",
1702 local_filter_proto));
1703 LOG_DBG((LOG_POLICY, 80, "remote_id_type == %s",
1704 remote_id_type));
1705 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_upper == %s",
1706 remote_id_addr_upper));
1707 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_lower == %s",
1708 remote_id_addr_lower));
1709 LOG_DBG((LOG_POLICY, 80, "remote_id == %s",
1710 (remote_id ? remote_id : "")));
1711 LOG_DBG((LOG_POLICY, 80, "remote_id_port == %s",
1712 remote_id_port));
1713 LOG_DBG((LOG_POLICY, 80, "remote_id_proto == %s",
1714 remote_id_proto));
1715 LOG_DBG((LOG_POLICY, 80, "remote_negotiation_address == %s",
1716 remote_ike_address));
1717 LOG_DBG((LOG_POLICY, 80, "local_negotiation_address == %s",
1718 local_ike_address));
1719 LOG_DBG((LOG_POLICY, 80, "pfs == %s", pfs));
1720 LOG_DBG((LOG_POLICY, 80, "initiator == %s", initiator));
1721 LOG_DBG((LOG_POLICY, 80, "phase1_group_desc == %s",
1722 phase1_group));
1723
1724 /* Unset dirty now. */
1725 dirty = 0;
1726 }
1727 if (strcmp(name, "phase_1") == 0)
1728 return phase_1;
1729
1730 if (strcmp(name, "GMTTimeOfDay") == 0) {
1731 struct tm *tm;
1732 tt = time(NULL);
1733 if ((tm = gmtime(&tt)) == NULL) {
1734 log_error("policy_callback: invalid time %lld", tt);
1735 goto bad;
1736 }
1737 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", tm);
1738 return mytimeofday;
1739 }
1740 if (strcmp(name, "LocalTimeOfDay") == 0) {
1741 struct tm *tm;
1742 tt = time(NULL);
1743 if ((tm = localtime(&tt)) == NULL) {
1744 log_error("policy_callback: invalid time %lld", tt);
1745 goto bad;
1746 }
1747 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", tm);
1748 return mytimeofday;
1749 }
1750 if (strcmp(name, "initiator") == 0)
1751 return initiator;
1752
1753 if (strcmp(name, "pfs") == 0)
1754 return pfs;
1755
1756 if (strcmp(name, "app_domain") == 0)
1757 return "IPsec policy";
1758
1759 if (strcmp(name, "doi") == 0)
1760 return "ipsec";
1761
1762 if (strcmp(name, "esp_present") == 0)
1763 return esp_present;
1764
1765 if (strcmp(name, "ah_present") == 0)
1766 return ah_present;
1767
1768 if (strcmp(name, "comp_present") == 0)
1769 return comp_present;
1770
1771 if (strcmp(name, "ah_hash_alg") == 0)
1772 return ah_hash_alg;
1773
1774 if (strcmp(name, "ah_auth_alg") == 0)
1775 return ah_auth_alg;
1776
1777 if (strcmp(name, "esp_auth_alg") == 0)
1778 return esp_auth_alg;
1779
1780 if (strcmp(name, "esp_enc_alg") == 0)
1781 return esp_enc_alg;
1782
1783 if (strcmp(name, "comp_alg") == 0)
1784 return comp_alg;
1785
1786 if (strcmp(name, "ah_life_kbytes") == 0)
1787 return ah_life_kbytes;
1788
1789 if (strcmp(name, "ah_life_seconds") == 0)
1790 return ah_life_seconds;
1791
1792 if (strcmp(name, "esp_life_kbytes") == 0)
1793 return esp_life_kbytes;
1794
1795 if (strcmp(name, "esp_life_seconds") == 0)
1796 return esp_life_seconds;
1797
1798 if (strcmp(name, "comp_life_kbytes") == 0)
1799 return comp_life_kbytes;
1800
1801 if (strcmp(name, "comp_life_seconds") == 0)
1802 return comp_life_seconds;
1803
1804 if (strcmp(name, "ah_encapsulation") == 0)
1805 return ah_encapsulation;
1806
1807 if (strcmp(name, "esp_encapsulation") == 0)
1808 return esp_encapsulation;
1809
1810 if (strcmp(name, "comp_encapsulation") == 0)
1811 return comp_encapsulation;
1812
1813 if (strcmp(name, "ah_key_length") == 0)
1814 return ah_key_length;
1815
1816 if (strcmp(name, "ah_key_rounds") == 0)
1817 return ah_key_rounds;
1818
1819 if (strcmp(name, "esp_key_length") == 0)
1820 return esp_key_length;
1821
1822 if (strcmp(name, "esp_key_rounds") == 0)
1823 return esp_key_rounds;
1824
1825 if (strcmp(name, "comp_dict_size") == 0)
1826 return comp_dict_size;
1827
1828 if (strcmp(name, "comp_private_alg") == 0)
1829 return comp_private_alg;
1830
1831 if (strcmp(name, "remote_filter_type") == 0)
1832 return remote_filter_type;
1833
1834 if (strcmp(name, "remote_filter") == 0)
1835 return (remote_filter ? remote_filter : "");
1836
1837 if (strcmp(name, "remote_filter_addr_upper") == 0)
1838 return remote_filter_addr_upper;
1839
1840 if (strcmp(name, "remote_filter_addr_lower") == 0)
1841 return remote_filter_addr_lower;
1842
1843 if (strcmp(name, "remote_filter_port") == 0)
1844 return remote_filter_port;
1845
1846 if (strcmp(name, "remote_filter_proto") == 0)
1847 return remote_filter_proto;
1848
1849 if (strcmp(name, "local_filter_type") == 0)
1850 return local_filter_type;
1851
1852 if (strcmp(name, "local_filter") == 0)
1853 return (local_filter ? local_filter : "");
1854
1855 if (strcmp(name, "local_filter_addr_upper") == 0)
1856 return local_filter_addr_upper;
1857
1858 if (strcmp(name, "local_filter_addr_lower") == 0)
1859 return local_filter_addr_lower;
1860
1861 if (strcmp(name, "local_filter_port") == 0)
1862 return local_filter_port;
1863
1864 if (strcmp(name, "local_filter_proto") == 0)
1865 return local_filter_proto;
1866
1867 if (strcmp(name, "remote_ike_address") == 0)
1868 return remote_ike_address;
1869
1870 if (strcmp(name, "remote_negotiation_address") == 0)
1871 return remote_ike_address;
1872
1873 if (strcmp(name, "local_ike_address") == 0)
1874 return local_ike_address;
1875
1876 if (strcmp(name, "local_negotiation_address") == 0)
1877 return local_ike_address;
1878
1879 if (strcmp(name, "remote_id_type") == 0)
1880 return remote_id_type;
1881
1882 if (strcmp(name, "remote_id") == 0)
1883 return (remote_id ? remote_id : "");
1884
1885 if (strcmp(name, "remote_id_addr_upper") == 0)
1886 return remote_id_addr_upper;
1887
1888 if (strcmp(name, "remote_id_addr_lower") == 0)
1889 return remote_id_addr_lower;
1890
1891 if (strcmp(name, "remote_id_port") == 0)
1892 return remote_id_port;
1893
1894 if (strcmp(name, "remote_id_proto") == 0)
1895 return remote_id_proto;
1896
1897 if (strcmp(name, "phase1_group_desc") == 0)
1898 return phase1_group;
1899
1900 if (strcmp(name, "esp_group_desc") == 0)
1901 return esp_group_desc;
1902
1903 if (strcmp(name, "ah_group_desc") == 0)
1904 return ah_group_desc;
1905
1906 if (strcmp(name, "comp_group_desc") == 0)
1907 return comp_group_desc;
1908
1909 if (strcmp(name, "comp_ecn") == 0)
1910 return comp_ecn;
1911
1912 if (strcmp(name, "ah_ecn") == 0)
1913 return ah_ecn;
1914
1915 if (strcmp(name, "esp_ecn") == 0)
1916 return esp_ecn;
1917
1918 return "";
1919
1920 bad:
1921 policy_callback(KEYNOTE_CALLBACK_INITIALIZE);
1922 return "";
1923 }
1924
1925 void
policy_init(void)1926 policy_init(void)
1927 {
1928 char *ptr, *policy_file;
1929 char **asserts;
1930 size_t sz, len;
1931 int fd, i;
1932
1933 LOG_DBG((LOG_POLICY, 30, "policy_init: initializing"));
1934
1935 /* Do we want to use the policy modules? */
1936 if (ignore_policy ||
1937 strncmp("yes", conf_get_str("General", "Use-Keynote"), 3))
1938 return;
1939
1940 /* Get policy file from configuration. */
1941 policy_file = conf_get_str("General", "Policy-file");
1942 if (!policy_file)
1943 policy_file = CONF_DFLT_POLICY_FILE;
1944
1945 /* Open policy file. */
1946 fd = monitor_open(policy_file, O_RDONLY, 0);
1947 if (fd == -1)
1948 log_fatal("policy_init: open (\"%s\", O_RDONLY) failed",
1949 policy_file);
1950
1951 /* Check file modes and collect file size */
1952 if (check_file_secrecy_fd(fd, policy_file, &sz)) {
1953 close(fd);
1954 log_fatal("policy_init: cannot read %s", policy_file);
1955 }
1956
1957 /* Allocate memory to keep policies. */
1958 ptr = calloc(sz + 1, sizeof(char));
1959 if (!ptr)
1960 log_fatal("policy_init: calloc (%lu, %lu) failed",
1961 (unsigned long)sz + 1, (unsigned long)sizeof(char));
1962
1963 /* Just in case there are short reads... */
1964 for (len = 0; len < sz; len += i) {
1965 i = read(fd, ptr + len, sz - len);
1966 if (i == -1)
1967 log_fatal("policy_init: read (%d, %p, %lu) failed", fd,
1968 ptr + len, (unsigned long)(sz - len));
1969 }
1970
1971 /* We're done with this. */
1972 close(fd);
1973
1974 /* Parse buffer, break up into individual policies. */
1975 asserts = kn_read_asserts(ptr, sz, &i);
1976
1977 /* Begone! */
1978 free(ptr);
1979
1980 if (asserts == (char **)NULL)
1981 log_print("policy_init: all policies flushed");
1982
1983 /* Cleanup */
1984 if (policy_asserts) {
1985 for (fd = 0; fd < policy_asserts_num; fd++)
1986 if (policy_asserts)
1987 free(policy_asserts[fd]);
1988
1989 free(policy_asserts);
1990 }
1991 policy_asserts = asserts;
1992 policy_asserts_num = i;
1993 }
1994
1995 /* Nothing needed for initialization */
1996 int
keynote_cert_init(void)1997 keynote_cert_init(void)
1998 {
1999 return 1;
2000 }
2001
2002 /* Just copy and return. */
2003 void *
keynote_cert_get(u_int8_t * data,u_int32_t len)2004 keynote_cert_get(u_int8_t *data, u_int32_t len)
2005 {
2006 char *foo = malloc(len + 1);
2007
2008 if (foo == NULL)
2009 return NULL;
2010
2011 memcpy(foo, data, len);
2012 foo[len] = '\0';
2013 return foo;
2014 }
2015
2016 /*
2017 * We just verify the signature on the credentials.
2018 * On signature failure, just drop the whole payload.
2019 */
2020 int
keynote_cert_validate(void * scert)2021 keynote_cert_validate(void *scert)
2022 {
2023 char **foo;
2024 int num, i;
2025
2026 if (scert == NULL)
2027 return 0;
2028
2029 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num);
2030 if (foo == NULL)
2031 return 0;
2032
2033 for (i = 0; i < num; i++) {
2034 if (kn_verify_assertion(scert, strlen((char *)scert))
2035 != SIGRESULT_TRUE) {
2036 for (; i < num; i++)
2037 free(foo[i]);
2038 free(foo);
2039 return 0;
2040 }
2041 free(foo[i]);
2042 }
2043
2044 free(foo);
2045 return 1;
2046 }
2047
2048 /* Add received credentials. */
2049 int
keynote_cert_insert(int sid,void * scert)2050 keynote_cert_insert(int sid, void *scert)
2051 {
2052 char **foo;
2053 int num;
2054
2055 if (scert == NULL)
2056 return 0;
2057
2058 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num);
2059 if (foo == NULL)
2060 return 0;
2061
2062 while (num--)
2063 kn_add_assertion(sid, foo[num], strlen(foo[num]), 0);
2064
2065 return 1;
2066 }
2067
2068 /* Just regular memory free. */
2069 void
keynote_cert_free(void * cert)2070 keynote_cert_free(void *cert)
2071 {
2072 free(cert);
2073 }
2074
2075 /* Verify that the key given to us is valid. */
2076 int
keynote_certreq_validate(u_int8_t * data,u_int32_t len)2077 keynote_certreq_validate(u_int8_t *data, u_int32_t len)
2078 {
2079 struct keynote_deckey dc;
2080 int err = 1;
2081 char *dat;
2082
2083 dat = calloc(len + 1, sizeof(char));
2084 if (!dat) {
2085 log_error("keynote_certreq_validate: calloc (%d, %lu) failed",
2086 len + 1, (unsigned long)sizeof(char));
2087 return 0;
2088 }
2089 memcpy(dat, data, len);
2090
2091 if (kn_decode_key(&dc, dat, KEYNOTE_PUBLIC_KEY) != 0)
2092 err = 0;
2093 else
2094 kn_free_key(&dc);
2095
2096 free(dat);
2097
2098 return err;
2099 }
2100
2101 /* Beats me what we should be doing with this. */
2102 int
keynote_certreq_decode(void ** pdata,u_int8_t * data,u_int32_t len)2103 keynote_certreq_decode(void **pdata, u_int8_t *data, u_int32_t len)
2104 {
2105 /* XXX */
2106 return 0;
2107 }
2108
2109 void
keynote_free_aca(void * blob)2110 keynote_free_aca(void *blob)
2111 {
2112 /* XXX */
2113 }
2114
2115 int
keynote_cert_obtain(u_int8_t * id,size_t id_len,void * data,u_int8_t ** cert,u_int32_t * certlen)2116 keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
2117 u_int32_t *certlen)
2118 {
2119 char *dirname, *file, *addr_str;
2120 struct stat sb;
2121 size_t size;
2122 int idtype, fd, len;
2123
2124 if (!id) {
2125 log_print("keynote_cert_obtain: ID is missing");
2126 return 0;
2127 }
2128 /* Get type of ID. */
2129 idtype = id[0];
2130 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
2131 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
2132
2133 dirname = conf_get_str("KeyNote", "Credential-directory");
2134 if (!dirname) {
2135 LOG_DBG((LOG_POLICY, 30,
2136 "keynote_cert_obtain: no Credential-directory"));
2137 return 0;
2138 }
2139 len = strlen(dirname) + strlen(CREDENTIAL_FILE) + 3;
2140
2141 switch (idtype) {
2142 case IPSEC_ID_IPV4_ADDR:
2143 case IPSEC_ID_IPV6_ADDR:
2144 util_ntoa(&addr_str, idtype == IPSEC_ID_IPV4_ADDR ?
2145 AF_INET : AF_INET6, id);
2146 if (addr_str == 0)
2147 return 0;
2148
2149 if (asprintf(&file, "%s/%s/%s", dirname,
2150 addr_str, CREDENTIAL_FILE) == -1) {
2151 log_error("keynote_cert_obtain: failed to allocate "
2152 "%lu bytes", (unsigned long)len +
2153 strlen(addr_str));
2154 free(addr_str);
2155 return 0;
2156 }
2157 free(addr_str);
2158 break;
2159
2160 case IPSEC_ID_FQDN:
2161 case IPSEC_ID_USER_FQDN:
2162 file = calloc(len + id_len, sizeof(char));
2163 if (file == NULL) {
2164 log_error("keynote_cert_obtain: "
2165 "failed to allocate %lu bytes",
2166 (unsigned long)len + id_len);
2167 return 0;
2168 }
2169 snprintf(file, len + id_len, "%s/", dirname);
2170 memcpy(file + strlen(dirname) + 1, id, id_len);
2171 snprintf(file + strlen(dirname) + 1 + id_len,
2172 len - strlen(dirname) - 1, "/%s", CREDENTIAL_FILE);
2173 break;
2174
2175 default:
2176 return 0;
2177 }
2178
2179 fd = monitor_open(file, O_RDONLY, 0);
2180 if (fd < 0) {
2181 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: "
2182 "failed to open \"%s\"", file));
2183 free(file);
2184 return 0;
2185 }
2186
2187 if (fstat(fd, &sb) == -1) {
2188 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: "
2189 "failed to stat \"%s\"", file));
2190 free(file);
2191 close(fd);
2192 return 0;
2193 }
2194 size = (size_t)sb.st_size;
2195
2196 *cert = calloc(size + 1, sizeof(char));
2197 if (*cert == NULL) {
2198 log_error("keynote_cert_obtain: failed to allocate %lu bytes",
2199 (unsigned long)size);
2200 free(file);
2201 close(fd);
2202 return 0;
2203 }
2204
2205 if (read(fd, *cert, size) != (int)size) {
2206 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: "
2207 "failed to read %lu bytes from \"%s\"",
2208 (unsigned long)size, file));
2209 free(cert);
2210 cert = NULL;
2211 free(file);
2212 close(fd);
2213 return 0;
2214 }
2215 close(fd);
2216 free(file);
2217 *certlen = size;
2218 return 1;
2219 }
2220
2221 /* This should never be called. */
2222 int
keynote_cert_get_subjects(void * scert,int * n,u_int8_t *** id,u_int32_t ** id_len)2223 keynote_cert_get_subjects(void *scert, int *n, u_int8_t ***id,
2224 u_int32_t **id_len)
2225 {
2226 return 0;
2227 }
2228
2229 /* Get the authorizer key. */
2230 int
keynote_cert_get_key(void * scert,void * keyp)2231 keynote_cert_get_key(void *scert, void *keyp)
2232 {
2233 struct keynote_keylist *kl;
2234 int sid, kid, num;
2235 char **foo;
2236
2237 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num);
2238 if (foo == NULL || num == 0) {
2239 log_print("keynote_cert_get_key: "
2240 "failed to decompose credentials");
2241 return 0;
2242 }
2243 kid = kn_init();
2244 if (kid == -1) {
2245 log_print("keynote_cert_get_key: "
2246 "failed to initialize new policy session");
2247 while (num--)
2248 free(foo[num]);
2249 free(foo);
2250 return 0;
2251 }
2252 sid = kn_add_assertion(kid, foo[num - 1], strlen(foo[num - 1]), 0);
2253 while (num--)
2254 free(foo[num]);
2255 free(foo);
2256
2257 if (sid == -1) {
2258 log_print("keynote_cert_get_key: failed to add assertion");
2259 kn_close(kid);
2260 return 0;
2261 }
2262 *(RSA **)keyp = NULL;
2263
2264 kl = kn_get_licensees(kid, sid);
2265 while (kl) {
2266 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA ||
2267 kl->key_alg == KEYNOTE_ALGORITHM_X509) {
2268 *(RSA **)keyp = RSAPublicKey_dup(kl->key_key);
2269 break;
2270 }
2271 kl = kl->key_next;
2272 }
2273
2274 kn_remove_assertion(kid, sid);
2275 kn_close(kid);
2276 return *(RSA **)keyp == NULL ? 0 : 1;
2277 }
2278
2279 void *
keynote_cert_dup(void * cert)2280 keynote_cert_dup(void *cert)
2281 {
2282 return strdup((char *)cert);
2283 }
2284
2285 void
keynote_serialize(void * cert,u_int8_t ** data,u_int32_t * datalen)2286 keynote_serialize(void *cert, u_int8_t **data, u_int32_t *datalen)
2287 {
2288 *datalen = strlen((char *)cert) + 1;
2289 *data = (u_int8_t *)strdup(cert); /* i.e an extra character at
2290 * the end... */
2291 if (*data == NULL)
2292 log_error("keynote_serialize: malloc (%d) failed", *datalen);
2293 }
2294
2295 /* From cert to printable */
2296 char *
keynote_printable(void * cert)2297 keynote_printable(void *cert)
2298 {
2299 return strdup((char *)cert);
2300 }
2301
2302 /* From printable to cert */
2303 void *
keynote_from_printable(char * cert)2304 keynote_from_printable(char *cert)
2305 {
2306 return strdup(cert);
2307 }
2308
2309 /* Number of CAs we trust (currently this is x509 only) */
2310 int
keynote_ca_count(void)2311 keynote_ca_count(void)
2312 {
2313 return 0;
2314 }
2315