1 /* $OpenBSD: policy.c,v 1.102 2021/10/22 12:30:54 bluhm Exp $ */ 2 /* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ 3 4 /* 5 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. 6 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 7 * Copyright (c) 2001 H�kan Olsson. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 /* 31 * This code was written under funding by Ericsson Radio Systems. 32 */ 33 34 #include <sys/types.h> 35 #include <sys/mman.h> 36 #include <sys/queue.h> 37 #include <sys/stat.h> 38 #include <regex.h> 39 #include <ctype.h> 40 #include <fcntl.h> 41 #include <stdio.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <unistd.h> 45 #include <keynote.h> 46 #include <sys/socket.h> 47 #include <netinet/in.h> 48 #include <arpa/inet.h> 49 #include <errno.h> 50 #include <openssl/ssl.h> 51 #include <netdb.h> 52 53 #include "conf.h" 54 #include "exchange.h" 55 #include "ipsec.h" 56 #include "isakmp_doi.h" 57 #include "sa.h" 58 #include "transport.h" 59 #include "log.h" 60 #include "message.h" 61 #include "monitor.h" 62 #include "util.h" 63 #include "policy.h" 64 #include "x509.h" 65 66 char **policy_asserts = NULL; 67 int ignore_policy = 0; 68 int policy_asserts_num = 0; 69 struct exchange *policy_exchange = 0; 70 struct sa *policy_sa = 0; 71 struct sa *policy_isakmp_sa = 0; 72 73 static const char hextab[] = { 74 '0', '1', '2', '3', '4', '5', '6', '7', 75 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 76 }; 77 78 /* 79 * Adaptation of Vixie's inet_ntop4 () 80 */ 81 static const char * 82 my_inet_ntop4(const in_addr_t *src, char *dst, size_t size, int normalize) 83 { 84 static const char fmt[] = "%03u.%03u.%03u.%03u"; 85 char tmp[sizeof "255.255.255.255"]; 86 in_addr_t src2; 87 int len; 88 89 if (normalize) 90 src2 = ntohl(*src); 91 else 92 src2 = *src; 93 94 len = snprintf(tmp, sizeof tmp, fmt, ((u_int8_t *)&src2)[0], 95 ((u_int8_t *)&src2)[1], ((u_int8_t *)&src2)[2], 96 ((u_int8_t *)&src2)[3]); 97 if (len < 0 || len > (int)size) { 98 errno = ENOSPC; 99 return 0; 100 } 101 strlcpy(dst, tmp, size); 102 return dst; 103 } 104 105 static const char * 106 my_inet_ntop6(const unsigned char *src, char *dst, size_t size) 107 { 108 static const char fmt[] = 109 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x"; 110 char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"]; 111 int len; 112 113 len = snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3], 114 src[4], src[5], src[6], src[7], src[8], src[9], src[10], src[11], 115 src[12], src[13], src[14], src[15]); 116 if (len < 0 || len > (int)size) { 117 errno = ENOSPC; 118 return 0; 119 } 120 strlcpy(dst, tmp, size); 121 return dst; 122 } 123 124 char * 125 policy_callback(char *name) 126 { 127 struct proto *proto; 128 129 u_int8_t *attr, *value, *id, *idlocal, *idremote; 130 size_t id_sz, idlocalsz, idremotesz; 131 struct sockaddr *sin; 132 struct ipsec_exch *ie; 133 struct ipsec_sa *is; 134 size_t i; 135 int fmt, lifetype = 0; 136 in_addr_t net, subnet; 137 u_int16_t len, type; 138 time_t tt; 139 char *addr; 140 static char mytimeofday[15]; 141 142 /* We use all these as a cache. */ 143 #define PMAX 32 144 static char *esp_present, *ah_present, *comp_present; 145 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; 146 static char *comp_alg, ah_life_kbytes[PMAX], ah_life_seconds[PMAX]; 147 static char esp_life_kbytes[PMAX], esp_life_seconds[PMAX]; 148 static char comp_life_kbytes[PMAX]; 149 static char *ah_ecn, *esp_ecn, *comp_ecn; 150 static char comp_life_seconds[PMAX], *ah_encapsulation; 151 static char *esp_encapsulation, *comp_encapsulation; 152 static char ah_key_length[PMAX], esp_key_length[PMAX]; 153 static char ah_key_rounds[PMAX], esp_key_rounds[PMAX]; 154 static char comp_dict_size[PMAX], comp_private_alg[PMAX]; 155 static char *remote_filter_type, *local_filter_type; 156 static char remote_filter_addr_upper[NI_MAXHOST]; 157 static char remote_filter_addr_lower[NI_MAXHOST]; 158 static char local_filter_addr_upper[NI_MAXHOST]; 159 static char local_filter_addr_lower[NI_MAXHOST]; 160 static char ah_group_desc[PMAX], esp_group_desc[PMAX]; 161 static char comp_group_desc[PMAX], remote_ike_address[NI_MAXHOST]; 162 static char local_ike_address[NI_MAXHOST]; 163 static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST]; 164 static char *phase_1, remote_id_addr_lower[NI_MAXHOST]; 165 static char *remote_id_proto, remote_id_port[PMAX]; 166 static char remote_filter_port[PMAX], local_filter_port[PMAX]; 167 static char *remote_filter_proto, *local_filter_proto, *pfs; 168 static char *initiator, remote_filter_proto_num[3]; 169 static char local_filter_proto_num[3], remote_id_proto_num[3]; 170 static char phase1_group[PMAX]; 171 172 /* Allocated. */ 173 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; 174 175 static int dirty = 1; 176 177 /* We only need to set dirty at initialization time really. */ 178 if (strcmp(name, KEYNOTE_CALLBACK_CLEANUP) == 0 || 179 strcmp(name, KEYNOTE_CALLBACK_INITIALIZE) == 0) { 180 esp_present = ah_present = comp_present = pfs = "no"; 181 ah_hash_alg = ah_auth_alg = phase_1 = ""; 182 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; 183 ah_ecn = esp_ecn = comp_ecn = "no"; 184 esp_encapsulation = comp_encapsulation = ""; 185 remote_filter_type = ""; 186 local_filter_type = remote_id_type = initiator = ""; 187 remote_filter_proto = local_filter_proto = ""; 188 remote_id_proto = ""; 189 190 free(remote_filter); 191 remote_filter = 0; 192 free(local_filter); 193 local_filter = 0; 194 free(remote_id); 195 remote_id = 0; 196 197 bzero(remote_ike_address, sizeof remote_ike_address); 198 bzero(local_ike_address, sizeof local_ike_address); 199 bzero(ah_life_kbytes, sizeof ah_life_kbytes); 200 bzero(ah_life_seconds, sizeof ah_life_seconds); 201 bzero(esp_life_kbytes, sizeof esp_life_kbytes); 202 bzero(esp_life_seconds, sizeof esp_life_seconds); 203 bzero(comp_life_kbytes, sizeof comp_life_kbytes); 204 bzero(comp_life_seconds, sizeof comp_life_seconds); 205 bzero(ah_key_length, sizeof ah_key_length); 206 bzero(ah_key_rounds, sizeof ah_key_rounds); 207 bzero(esp_key_length, sizeof esp_key_length); 208 bzero(esp_key_rounds, sizeof esp_key_rounds); 209 bzero(comp_dict_size, sizeof comp_dict_size); 210 bzero(comp_private_alg, sizeof comp_private_alg); 211 bzero(remote_filter_addr_upper, 212 sizeof remote_filter_addr_upper); 213 bzero(remote_filter_addr_lower, 214 sizeof remote_filter_addr_lower); 215 bzero(local_filter_addr_upper, 216 sizeof local_filter_addr_upper); 217 bzero(local_filter_addr_lower, 218 sizeof local_filter_addr_lower); 219 bzero(remote_id_addr_upper, sizeof remote_id_addr_upper); 220 bzero(remote_id_addr_lower, sizeof remote_id_addr_lower); 221 bzero(ah_group_desc, sizeof ah_group_desc); 222 bzero(esp_group_desc, sizeof esp_group_desc); 223 bzero(remote_id_port, sizeof remote_id_port); 224 bzero(remote_filter_port, sizeof remote_filter_port); 225 bzero(local_filter_port, sizeof local_filter_port); 226 bzero(phase1_group, sizeof phase1_group); 227 228 dirty = 1; 229 return ""; 230 } 231 /* 232 * If dirty is set, this is the first request for an attribute, so 233 * populate our value cache. 234 */ 235 if (dirty) { 236 ie = policy_exchange->data; 237 238 if (ie->pfs) 239 pfs = "yes"; 240 241 is = policy_isakmp_sa->data; 242 snprintf(phase1_group, sizeof phase1_group, "%u", 243 is->group_desc); 244 245 for (proto = TAILQ_FIRST(&policy_sa->protos); proto; 246 proto = TAILQ_NEXT(proto, link)) { 247 switch (proto->proto) { 248 case IPSEC_PROTO_IPSEC_AH: 249 ah_present = "yes"; 250 switch (proto->id) { 251 case IPSEC_AH_MD5: 252 ah_hash_alg = "md5"; 253 break; 254 255 case IPSEC_AH_SHA: 256 ah_hash_alg = "sha"; 257 break; 258 259 case IPSEC_AH_RIPEMD: 260 ah_hash_alg = "ripemd"; 261 break; 262 263 case IPSEC_AH_SHA2_256: 264 ah_auth_alg = "sha2-256"; 265 break; 266 267 case IPSEC_AH_SHA2_384: 268 ah_auth_alg = "sha2-384"; 269 break; 270 271 case IPSEC_AH_SHA2_512: 272 ah_auth_alg = "sha2-512"; 273 break; 274 275 case IPSEC_AH_DES: 276 ah_hash_alg = "des"; 277 break; 278 } 279 280 break; 281 282 case IPSEC_PROTO_IPSEC_ESP: 283 esp_present = "yes"; 284 switch (proto->id) { 285 case IPSEC_ESP_DES_IV64: 286 esp_enc_alg = "des-iv64"; 287 break; 288 289 case IPSEC_ESP_DES: 290 esp_enc_alg = "des"; 291 break; 292 293 case IPSEC_ESP_3DES: 294 esp_enc_alg = "3des"; 295 break; 296 297 case IPSEC_ESP_AES: 298 case IPSEC_ESP_AES_CTR: 299 case IPSEC_ESP_AES_GCM_16: 300 case IPSEC_ESP_AES_GMAC: 301 esp_enc_alg = "aes"; 302 break; 303 304 case IPSEC_ESP_RC5: 305 esp_enc_alg = "rc5"; 306 break; 307 308 case IPSEC_ESP_IDEA: 309 esp_enc_alg = "idea"; 310 break; 311 312 case IPSEC_ESP_CAST: 313 esp_enc_alg = "cast"; 314 break; 315 316 case IPSEC_ESP_BLOWFISH: 317 esp_enc_alg = "blowfish"; 318 break; 319 320 case IPSEC_ESP_3IDEA: 321 esp_enc_alg = "3idea"; 322 break; 323 324 case IPSEC_ESP_DES_IV32: 325 esp_enc_alg = "des-iv32"; 326 break; 327 328 case IPSEC_ESP_RC4: 329 esp_enc_alg = "rc4"; 330 break; 331 332 case IPSEC_ESP_NULL: 333 esp_enc_alg = "null"; 334 break; 335 } 336 337 break; 338 339 case IPSEC_PROTO_IPCOMP: 340 comp_present = "yes"; 341 switch (proto->id) { 342 case IPSEC_IPCOMP_OUI: 343 comp_alg = "oui"; 344 break; 345 346 case IPSEC_IPCOMP_DEFLATE: 347 comp_alg = "deflate"; 348 break; 349 } 350 351 break; 352 } 353 354 for (attr = proto->chosen->p + 355 ISAKMP_TRANSFORM_SA_ATTRS_OFF; 356 attr < proto->chosen->p + 357 GET_ISAKMP_GEN_LENGTH(proto->chosen->p); 358 attr = value + len) { 359 if (attr + ISAKMP_ATTR_VALUE_OFF > 360 (proto->chosen->p + 361 GET_ISAKMP_GEN_LENGTH(proto->chosen->p))) 362 return ""; 363 364 type = GET_ISAKMP_ATTR_TYPE(attr); 365 fmt = ISAKMP_ATTR_FORMAT(type); 366 type = ISAKMP_ATTR_TYPE(type); 367 value = attr + (fmt ? 368 ISAKMP_ATTR_LENGTH_VALUE_OFF : 369 ISAKMP_ATTR_VALUE_OFF); 370 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : 371 GET_ISAKMP_ATTR_LENGTH_VALUE(attr)); 372 373 if (value + len > proto->chosen->p + 374 GET_ISAKMP_GEN_LENGTH(proto->chosen->p)) 375 return ""; 376 377 switch (type) { 378 case IPSEC_ATTR_SA_LIFE_TYPE: 379 lifetype = decode_16(value); 380 break; 381 382 case IPSEC_ATTR_SA_LIFE_DURATION: 383 switch (proto->proto) { 384 case IPSEC_PROTO_IPSEC_AH: 385 if (lifetype == IPSEC_DURATION_SECONDS) { 386 if (len == 2) 387 snprintf(ah_life_seconds, sizeof ah_life_seconds, 388 "%u", decode_16(value)); 389 else 390 snprintf(ah_life_seconds, sizeof ah_life_seconds, 391 "%u", decode_32(value)); 392 } else { 393 if (len == 2) 394 snprintf(ah_life_kbytes, sizeof ah_life_kbytes, 395 "%u", decode_16(value)); 396 else 397 snprintf(ah_life_kbytes, sizeof ah_life_kbytes, 398 "%u", decode_32(value)); 399 } 400 401 break; 402 403 case IPSEC_PROTO_IPSEC_ESP: 404 if (lifetype == IPSEC_DURATION_SECONDS) { 405 if (len == 2) 406 snprintf(esp_life_seconds, 407 sizeof esp_life_seconds, "%u", 408 decode_16(value)); 409 else 410 snprintf(esp_life_seconds, 411 sizeof esp_life_seconds, "%u", 412 decode_32(value)); 413 } else { 414 if (len == 2) 415 snprintf(esp_life_kbytes, 416 sizeof esp_life_kbytes, "%u", 417 decode_16(value)); 418 else 419 snprintf(esp_life_kbytes, 420 sizeof esp_life_kbytes, "%u", 421 decode_32(value)); 422 } 423 424 break; 425 426 case IPSEC_PROTO_IPCOMP: 427 if (lifetype == IPSEC_DURATION_SECONDS) { 428 if (len == 2) 429 snprintf(comp_life_seconds, 430 sizeof comp_life_seconds, "%u", 431 decode_16(value)); 432 else 433 snprintf(comp_life_seconds, 434 sizeof comp_life_seconds, "%u", 435 decode_32(value)); 436 } else { 437 if (len == 2) 438 snprintf(comp_life_kbytes, 439 sizeof comp_life_kbytes, "%u", 440 decode_16(value)); 441 else 442 snprintf(comp_life_kbytes, 443 sizeof comp_life_kbytes, "%u", 444 decode_32(value)); 445 } 446 break; 447 } 448 break; 449 450 case IPSEC_ATTR_GROUP_DESCRIPTION: 451 switch (proto->proto) { 452 case IPSEC_PROTO_IPSEC_AH: 453 snprintf(ah_group_desc, 454 sizeof ah_group_desc, "%u", 455 decode_16(value)); 456 break; 457 458 case IPSEC_PROTO_IPSEC_ESP: 459 snprintf(esp_group_desc, 460 sizeof esp_group_desc, "%u", 461 decode_16(value)); 462 break; 463 464 case IPSEC_PROTO_IPCOMP: 465 snprintf(comp_group_desc, 466 sizeof comp_group_desc, "%u", 467 decode_16(value)); 468 break; 469 } 470 break; 471 472 case IPSEC_ATTR_ECN_TUNNEL: 473 if (decode_16(value)) 474 switch (proto->proto) { 475 case IPSEC_PROTO_IPSEC_AH: 476 ah_ecn = "yes"; 477 break; 478 479 case IPSEC_PROTO_IPSEC_ESP: 480 esp_ecn = "yes"; 481 break; 482 483 case IPSEC_PROTO_IPCOMP: 484 comp_ecn = "yes"; 485 break; 486 } 487 488 case IPSEC_ATTR_ENCAPSULATION_MODE: 489 if (decode_16(value) == IPSEC_ENCAP_TUNNEL) 490 switch (proto->proto) { 491 case IPSEC_PROTO_IPSEC_AH: 492 ah_encapsulation = "tunnel"; 493 break; 494 495 case IPSEC_PROTO_IPSEC_ESP: 496 esp_encapsulation = "tunnel"; 497 break; 498 499 case IPSEC_PROTO_IPCOMP: 500 comp_encapsulation = "tunnel"; 501 break; 502 } 503 else if (decode_16(value) == 504 IPSEC_ENCAP_UDP_ENCAP_TUNNEL || 505 decode_16(value) == 506 IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT) 507 switch (proto->proto) { 508 case IPSEC_PROTO_IPSEC_AH: 509 ah_encapsulation = "udp-encap-tunnel"; 510 break; 511 512 case IPSEC_PROTO_IPSEC_ESP: 513 esp_encapsulation = "udp-encap-tunnel"; 514 break; 515 516 case IPSEC_PROTO_IPCOMP: 517 comp_encapsulation = "udp-encap-tunnel"; 518 break; 519 } 520 /* XXX IPSEC_ENCAP_UDP_ENCAP_TRANSPORT */ 521 else 522 switch (proto->proto) { 523 case IPSEC_PROTO_IPSEC_AH: 524 ah_encapsulation = "transport"; 525 break; 526 527 case IPSEC_PROTO_IPSEC_ESP: 528 esp_encapsulation = "transport"; 529 break; 530 531 case IPSEC_PROTO_IPCOMP: 532 comp_encapsulation = "transport"; 533 break; 534 } 535 break; 536 537 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: 538 switch (proto->proto) { 539 case IPSEC_PROTO_IPSEC_AH: 540 switch (decode_16(value)) { 541 case IPSEC_AUTH_HMAC_MD5: 542 ah_auth_alg = "hmac-md5"; 543 break; 544 545 case IPSEC_AUTH_HMAC_SHA: 546 ah_auth_alg = "hmac-sha"; 547 break; 548 549 case IPSEC_AUTH_HMAC_RIPEMD: 550 ah_auth_alg = "hmac-ripemd"; 551 break; 552 553 case IPSEC_AUTH_HMAC_SHA2_256: 554 ah_auth_alg = "hmac-sha2-256"; 555 break; 556 557 case IPSEC_AUTH_HMAC_SHA2_384: 558 ah_auth_alg = "hmac-sha2-384"; 559 break; 560 561 case IPSEC_AUTH_HMAC_SHA2_512: 562 ah_auth_alg = "hmac-sha2-512"; 563 break; 564 565 case IPSEC_AUTH_DES_MAC: 566 ah_auth_alg = "des-mac"; 567 break; 568 569 case IPSEC_AUTH_KPDK: 570 ah_auth_alg = "kpdk"; 571 break; 572 } 573 break; 574 575 case IPSEC_PROTO_IPSEC_ESP: 576 switch (decode_16(value)) { 577 case IPSEC_AUTH_HMAC_MD5: 578 esp_auth_alg = "hmac-md5"; 579 break; 580 581 case IPSEC_AUTH_HMAC_SHA: 582 esp_auth_alg = "hmac-sha"; 583 break; 584 585 case IPSEC_AUTH_HMAC_RIPEMD: 586 esp_auth_alg = "hmac-ripemd"; 587 break; 588 589 case IPSEC_AUTH_HMAC_SHA2_256: 590 esp_auth_alg = "hmac-sha2-256"; 591 break; 592 593 case IPSEC_AUTH_HMAC_SHA2_384: 594 esp_auth_alg = "hmac-sha2-384"; 595 break; 596 597 case IPSEC_AUTH_HMAC_SHA2_512: 598 esp_auth_alg = "hmac-sha2-512"; 599 break; 600 601 case IPSEC_AUTH_DES_MAC: 602 esp_auth_alg = "des-mac"; 603 break; 604 605 case IPSEC_AUTH_KPDK: 606 esp_auth_alg = "kpdk"; 607 break; 608 } 609 break; 610 } 611 break; 612 613 case IPSEC_ATTR_KEY_LENGTH: 614 switch (proto->proto) { 615 case IPSEC_PROTO_IPSEC_AH: 616 snprintf(ah_key_length, 617 sizeof ah_key_length, "%u", 618 decode_16(value)); 619 break; 620 621 case IPSEC_PROTO_IPSEC_ESP: 622 snprintf(esp_key_length, 623 sizeof esp_key_length, "%u", 624 decode_16(value)); 625 break; 626 } 627 break; 628 629 case IPSEC_ATTR_KEY_ROUNDS: 630 switch (proto->proto) { 631 case IPSEC_PROTO_IPSEC_AH: 632 snprintf(ah_key_rounds, 633 sizeof ah_key_rounds, "%u", 634 decode_16(value)); 635 break; 636 637 case IPSEC_PROTO_IPSEC_ESP: 638 snprintf(esp_key_rounds, 639 sizeof esp_key_rounds, "%u", 640 decode_16(value)); 641 break; 642 } 643 break; 644 645 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: 646 snprintf(comp_dict_size, 647 sizeof comp_dict_size, "%u", 648 decode_16(value)); 649 break; 650 651 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: 652 snprintf(comp_private_alg, 653 sizeof comp_private_alg, "%u", 654 decode_16(value)); 655 break; 656 } 657 } 658 } 659 660 policy_sa->transport->vtbl->get_src(policy_sa->transport, 661 &sin); 662 if (sockaddr2text(sin, &addr, 1)) { 663 log_error("policy_callback: sockaddr2text failed"); 664 goto bad; 665 } 666 strlcpy(local_ike_address, addr, sizeof local_ike_address); 667 free(addr); 668 669 policy_sa->transport->vtbl->get_dst(policy_sa->transport, 670 &sin); 671 if (sockaddr2text(sin, &addr, 1)) { 672 log_error("policy_callback: sockaddr2text failed"); 673 goto bad; 674 } 675 strlcpy(remote_ike_address, addr, sizeof remote_ike_address); 676 free(addr); 677 678 switch (policy_isakmp_sa->exch_type) { 679 case ISAKMP_EXCH_AGGRESSIVE: 680 phase_1 = "aggressive"; 681 break; 682 683 case ISAKMP_EXCH_ID_PROT: 684 phase_1 = "main"; 685 break; 686 } 687 688 if (policy_isakmp_sa->initiator) { 689 id = policy_isakmp_sa->id_r; 690 id_sz = policy_isakmp_sa->id_r_len; 691 } else { 692 id = policy_isakmp_sa->id_i; 693 id_sz = policy_isakmp_sa->id_i_len; 694 } 695 696 switch (id[0]) { 697 case IPSEC_ID_IPV4_ADDR: 698 remote_id_type = "IPv4 address"; 699 700 net = decode_32(id + ISAKMP_ID_DATA_OFF - 701 ISAKMP_GEN_SZ); 702 my_inet_ntop4(&net, remote_id_addr_upper, 703 sizeof remote_id_addr_upper - 1, 1); 704 my_inet_ntop4(&net, remote_id_addr_lower, 705 sizeof remote_id_addr_lower - 1, 1); 706 remote_id = strdup(remote_id_addr_upper); 707 if (!remote_id) { 708 log_error("policy_callback: " 709 "strdup (\"%s\") failed", 710 remote_id_addr_upper); 711 goto bad; 712 } 713 break; 714 715 case IPSEC_ID_IPV4_RANGE: 716 remote_id_type = "IPv4 range"; 717 718 net = decode_32(id + ISAKMP_ID_DATA_OFF - 719 ISAKMP_GEN_SZ); 720 my_inet_ntop4(&net, remote_id_addr_lower, 721 sizeof remote_id_addr_lower - 1, 1); 722 net = decode_32(id + ISAKMP_ID_DATA_OFF - 723 ISAKMP_GEN_SZ + 4); 724 my_inet_ntop4(&net, remote_id_addr_upper, 725 sizeof remote_id_addr_upper - 1, 1); 726 len = strlen(remote_id_addr_upper) + 727 strlen(remote_id_addr_lower) + 2; 728 remote_id = calloc(len, sizeof(char)); 729 if (!remote_id) { 730 log_error("policy_callback: " 731 "calloc (%d, %lu) failed", len, 732 (unsigned long)sizeof(char)); 733 goto bad; 734 } 735 strlcpy(remote_id, remote_id_addr_lower, len); 736 strlcat(remote_id, "-", len); 737 strlcat(remote_id, remote_id_addr_upper, len); 738 break; 739 740 case IPSEC_ID_IPV4_ADDR_SUBNET: 741 remote_id_type = "IPv4 subnet"; 742 743 net = decode_32(id + ISAKMP_ID_DATA_OFF - 744 ISAKMP_GEN_SZ); 745 subnet = decode_32(id + ISAKMP_ID_DATA_OFF - 746 ISAKMP_GEN_SZ + 4); 747 net &= subnet; 748 my_inet_ntop4(&net, remote_id_addr_lower, 749 sizeof remote_id_addr_lower - 1, 1); 750 net |= ~subnet; 751 my_inet_ntop4(&net, remote_id_addr_upper, 752 sizeof remote_id_addr_upper - 1, 1); 753 len = strlen(remote_id_addr_upper) + 754 strlen(remote_id_addr_lower) + 2; 755 remote_id = calloc(len, sizeof(char)); 756 if (!remote_id) { 757 log_error("policy_callback: " 758 "calloc (%d, %lu) failed", len, 759 (unsigned long)sizeof(char)); 760 goto bad; 761 } 762 strlcpy(remote_id, remote_id_addr_lower, len); 763 strlcat(remote_id, "-", len); 764 strlcat(remote_id, remote_id_addr_upper, len); 765 break; 766 767 case IPSEC_ID_IPV6_ADDR: 768 remote_id_type = "IPv6 address"; 769 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 770 remote_id_addr_upper, sizeof remote_id_addr_upper); 771 strlcpy(remote_id_addr_lower, remote_id_addr_upper, 772 sizeof remote_id_addr_lower); 773 remote_id = strdup(remote_id_addr_upper); 774 if (!remote_id) { 775 log_error("policy_callback: " 776 "strdup (\"%s\") failed", 777 remote_id_addr_upper); 778 goto bad; 779 } 780 break; 781 782 case IPSEC_ID_IPV6_RANGE: 783 remote_id_type = "IPv6 range"; 784 785 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 786 remote_id_addr_lower, 787 sizeof remote_id_addr_lower - 1); 788 789 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - 790 ISAKMP_GEN_SZ + 16, remote_id_addr_upper, 791 sizeof remote_id_addr_upper - 1); 792 793 len = strlen(remote_id_addr_upper) + 794 strlen(remote_id_addr_lower) + 2; 795 remote_id = calloc(len, sizeof(char)); 796 if (!remote_id) { 797 log_error("policy_callback: " 798 "calloc (%d, %lu) failed", len, 799 (unsigned long)sizeof(char)); 800 goto bad; 801 } 802 strlcpy(remote_id, remote_id_addr_lower, len); 803 strlcat(remote_id, "-", len); 804 strlcat(remote_id, remote_id_addr_upper, len); 805 break; 806 807 case IPSEC_ID_IPV6_ADDR_SUBNET: 808 { 809 struct in6_addr net, mask; 810 811 remote_id_type = "IPv6 subnet"; 812 813 bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, &net, 814 sizeof(net)); 815 bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, 816 &mask, sizeof(mask)); 817 818 for (i = 0; i < 16; i++) 819 net.s6_addr[i] &= mask.s6_addr[i]; 820 821 my_inet_ntop6((unsigned char *)&net, 822 remote_id_addr_lower, 823 sizeof remote_id_addr_lower - 1); 824 825 for (i = 0; i < 16; i++) 826 net.s6_addr[i] |= ~mask.s6_addr[i]; 827 828 my_inet_ntop6((unsigned char *)&net, 829 remote_id_addr_upper, 830 sizeof remote_id_addr_upper - 1); 831 832 len = strlen(remote_id_addr_upper) + 833 strlen(remote_id_addr_lower) + 2; 834 remote_id = calloc(len, sizeof(char)); 835 if (!remote_id) { 836 log_error("policy_callback: " 837 "calloc (%d, %lu) failed", len, 838 (unsigned long)sizeof(char)); 839 goto bad; 840 } 841 strlcpy(remote_id, remote_id_addr_lower, len); 842 strlcat(remote_id, "-", len); 843 strlcat(remote_id, remote_id_addr_upper, len); 844 break; 845 } 846 847 case IPSEC_ID_FQDN: 848 remote_id_type = "FQDN"; 849 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF + 850 ISAKMP_GEN_SZ + 1, sizeof(char)); 851 if (!remote_id) { 852 log_error("policy_callback: " 853 "calloc (%lu, %lu) failed", 854 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + 855 ISAKMP_GEN_SZ + 1, 856 (unsigned long)sizeof(char)); 857 goto bad; 858 } 859 memcpy(remote_id, 860 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 861 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 862 break; 863 864 case IPSEC_ID_USER_FQDN: 865 remote_id_type = "User FQDN"; 866 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF + 867 ISAKMP_GEN_SZ + 1, sizeof(char)); 868 if (!remote_id) { 869 log_error("policy_callback: " 870 "calloc (%lu, %lu) failed", 871 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + 872 ISAKMP_GEN_SZ + 1, 873 (unsigned long)sizeof(char)); 874 goto bad; 875 } 876 memcpy(remote_id, 877 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 878 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 879 break; 880 881 case IPSEC_ID_DER_ASN1_DN: 882 remote_id_type = "ASN1 DN"; 883 884 remote_id = x509_DN_string(id + ISAKMP_ID_DATA_OFF - 885 ISAKMP_GEN_SZ, 886 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 887 if (!remote_id) { 888 LOG_DBG((LOG_POLICY, 50, 889 "policy_callback: failed to decode name")); 890 goto bad; 891 } 892 break; 893 894 case IPSEC_ID_DER_ASN1_GN: /* XXX */ 895 remote_id_type = "ASN1 GN"; 896 break; 897 898 case IPSEC_ID_KEY_ID: 899 remote_id_type = "Key ID"; 900 remote_id = calloc(2 * (id_sz - ISAKMP_ID_DATA_OFF + 901 ISAKMP_GEN_SZ) + 1, sizeof(char)); 902 if (!remote_id) { 903 log_error("policy_callback: " 904 "calloc (%lu, %lu) failed", 905 2 * ((unsigned long)id_sz - 906 ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, 907 (unsigned long)sizeof(char)); 908 goto bad; 909 } 910 /* Does it contain any non-printable characters ? */ 911 for (i = 0; 912 i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; 913 i++) 914 if (!isprint((unsigned char)*(id + ISAKMP_ID_DATA_OFF - 915 ISAKMP_GEN_SZ + i))) 916 break; 917 if (i >= id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) { 918 memcpy(remote_id, id + ISAKMP_ID_DATA_OFF - 919 ISAKMP_GEN_SZ, 920 id_sz - ISAKMP_ID_DATA_OFF + 921 ISAKMP_GEN_SZ); 922 break; 923 } 924 /* Non-printable characters, convert to hex */ 925 for (i = 0; 926 i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; 927 i++) { 928 remote_id[2 * i] = hextab[*(id + 929 ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]; 930 remote_id[2 * i + 1] = hextab[*(id + 931 ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF]; 932 } 933 break; 934 935 default: 936 log_print("policy_callback: " 937 "unknown remote ID type %u", id[0]); 938 goto bad; 939 } 940 941 switch (id[1]) { 942 case IPPROTO_TCP: 943 remote_id_proto = "tcp"; 944 break; 945 946 case IPPROTO_UDP: 947 remote_id_proto = "udp"; 948 break; 949 950 case IPPROTO_ETHERIP: 951 remote_id_proto = "etherip"; 952 break; 953 954 default: 955 snprintf(remote_id_proto_num, 956 sizeof remote_id_proto_num, "%d", 957 id[1]); 958 remote_id_proto = remote_id_proto_num; 959 break; 960 } 961 962 snprintf(remote_id_port, sizeof remote_id_port, "%u", 963 decode_16(id + 2)); 964 965 if (policy_exchange->initiator) { 966 initiator = "yes"; 967 idlocal = ie->id_ci; 968 idremote = ie->id_cr; 969 idlocalsz = ie->id_ci_sz; 970 idremotesz = ie->id_cr_sz; 971 } else { 972 initiator = "no"; 973 idlocal = ie->id_cr; 974 idremote = ie->id_ci; 975 idlocalsz = ie->id_cr_sz; 976 idremotesz = ie->id_ci_sz; 977 } 978 979 /* Initialize the ID variables. */ 980 if (idremote) { 981 switch (GET_ISAKMP_ID_TYPE(idremote)) { 982 case IPSEC_ID_IPV4_ADDR: 983 remote_filter_type = "IPv4 address"; 984 985 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 986 my_inet_ntop4(&net, remote_filter_addr_upper, 987 sizeof remote_filter_addr_upper - 1, 1); 988 my_inet_ntop4(&net, remote_filter_addr_lower, 989 sizeof remote_filter_addr_lower - 1, 1); 990 remote_filter = 991 strdup(remote_filter_addr_upper); 992 if (!remote_filter) { 993 log_error("policy_callback: strdup " 994 "(\"%s\") failed", 995 remote_filter_addr_upper); 996 goto bad; 997 } 998 break; 999 1000 case IPSEC_ID_IPV4_RANGE: 1001 remote_filter_type = "IPv4 range"; 1002 1003 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 1004 my_inet_ntop4(&net, remote_filter_addr_lower, 1005 sizeof remote_filter_addr_lower - 1, 1); 1006 net = decode_32(idremote + ISAKMP_ID_DATA_OFF + 1007 4); 1008 my_inet_ntop4(&net, remote_filter_addr_upper, 1009 sizeof remote_filter_addr_upper - 1, 1); 1010 len = strlen(remote_filter_addr_upper) + 1011 strlen(remote_filter_addr_lower) + 2; 1012 remote_filter = calloc(len, sizeof(char)); 1013 if (!remote_filter) { 1014 log_error("policy_callback: calloc " 1015 "(%d, %lu) failed", len, 1016 (unsigned long)sizeof(char)); 1017 goto bad; 1018 } 1019 strlcpy(remote_filter, 1020 remote_filter_addr_lower, len); 1021 strlcat(remote_filter, "-", len); 1022 strlcat(remote_filter, 1023 remote_filter_addr_upper, len); 1024 break; 1025 1026 case IPSEC_ID_IPV4_ADDR_SUBNET: 1027 remote_filter_type = "IPv4 subnet"; 1028 1029 net = decode_32(idremote + ISAKMP_ID_DATA_OFF); 1030 subnet = decode_32(idremote + 1031 ISAKMP_ID_DATA_OFF + 4); 1032 net &= subnet; 1033 my_inet_ntop4(&net, remote_filter_addr_lower, 1034 sizeof remote_filter_addr_lower - 1, 1); 1035 net |= ~subnet; 1036 my_inet_ntop4(&net, remote_filter_addr_upper, 1037 sizeof remote_filter_addr_upper - 1, 1); 1038 len = strlen(remote_filter_addr_upper) + 1039 strlen(remote_filter_addr_lower) + 2; 1040 remote_filter = calloc(len, sizeof(char)); 1041 if (!remote_filter) { 1042 log_error("policy_callback: calloc " 1043 "(%d, %lu) failed", len, 1044 (unsigned long)sizeof(char)); 1045 goto bad; 1046 } 1047 strlcpy(remote_filter, 1048 remote_filter_addr_lower, len); 1049 strlcat(remote_filter, "-", len); 1050 strlcat(remote_filter, 1051 remote_filter_addr_upper, len); 1052 break; 1053 1054 case IPSEC_ID_IPV6_ADDR: 1055 remote_filter_type = "IPv6 address"; 1056 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF, 1057 remote_filter_addr_upper, 1058 sizeof remote_filter_addr_upper - 1); 1059 strlcpy(remote_filter_addr_lower, 1060 remote_filter_addr_upper, 1061 sizeof remote_filter_addr_lower); 1062 remote_filter = 1063 strdup(remote_filter_addr_upper); 1064 if (!remote_filter) { 1065 log_error("policy_callback: strdup " 1066 "(\"%s\") failed", 1067 remote_filter_addr_upper); 1068 goto bad; 1069 } 1070 break; 1071 1072 case IPSEC_ID_IPV6_RANGE: 1073 remote_filter_type = "IPv6 range"; 1074 1075 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF, 1076 remote_filter_addr_lower, 1077 sizeof remote_filter_addr_lower - 1); 1078 1079 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF + 1080 16, remote_filter_addr_upper, 1081 sizeof remote_filter_addr_upper - 1); 1082 1083 len = strlen(remote_filter_addr_upper) + 1084 strlen(remote_filter_addr_lower) + 2; 1085 remote_filter = calloc(len, sizeof(char)); 1086 if (!remote_filter) { 1087 log_error("policy_callback: calloc " 1088 "(%d, %lu) failed", len, 1089 (unsigned long)sizeof(char)); 1090 goto bad; 1091 } 1092 strlcpy(remote_filter, 1093 remote_filter_addr_lower, len); 1094 strlcat(remote_filter, "-", len); 1095 strlcat(remote_filter, 1096 remote_filter_addr_upper, len); 1097 break; 1098 1099 case IPSEC_ID_IPV6_ADDR_SUBNET: 1100 { 1101 struct in6_addr net, mask; 1102 1103 remote_filter_type = "IPv6 subnet"; 1104 1105 bcopy(idremote + ISAKMP_ID_DATA_OFF, 1106 &net, sizeof(net)); 1107 bcopy(idremote + ISAKMP_ID_DATA_OFF + 1108 16, &mask, sizeof(mask)); 1109 1110 for (i = 0; i < 16; i++) 1111 net.s6_addr[i] &= 1112 mask.s6_addr[i]; 1113 1114 my_inet_ntop6((unsigned char *)&net, 1115 remote_filter_addr_lower, 1116 sizeof remote_filter_addr_lower - 1); 1117 1118 for (i = 0; i < 16; i++) 1119 net.s6_addr[i] |= 1120 ~mask.s6_addr[i]; 1121 1122 my_inet_ntop6((unsigned char *)&net, 1123 remote_filter_addr_upper, 1124 sizeof remote_filter_addr_upper - 1); 1125 1126 len = strlen(remote_filter_addr_upper) 1127 + strlen(remote_filter_addr_lower) + 2; 1128 remote_filter = calloc(len, 1129 sizeof(char)); 1130 if (!remote_filter) { 1131 log_error("policy_callback: " 1132 "calloc (%d, %lu) failed", 1133 len, 1134 (unsigned long)sizeof(char)); 1135 goto bad; 1136 } 1137 strlcpy(remote_filter, 1138 remote_filter_addr_lower, len); 1139 strlcat(remote_filter, "-", len); 1140 strlcat(remote_filter, 1141 remote_filter_addr_upper, len); 1142 break; 1143 } 1144 1145 case IPSEC_ID_FQDN: 1146 remote_filter_type = "FQDN"; 1147 remote_filter = malloc(idremotesz - 1148 ISAKMP_ID_DATA_OFF + 1); 1149 if (!remote_filter) { 1150 log_error("policy_callback: " 1151 "malloc (%lu) failed", 1152 (unsigned long)idremotesz - 1153 ISAKMP_ID_DATA_OFF + 1); 1154 goto bad; 1155 } 1156 memcpy(remote_filter, 1157 idremote + ISAKMP_ID_DATA_OFF, 1158 idremotesz - ISAKMP_ID_DATA_OFF); 1159 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] 1160 = '\0'; 1161 break; 1162 1163 case IPSEC_ID_USER_FQDN: 1164 remote_filter_type = "User FQDN"; 1165 remote_filter = malloc(idremotesz - 1166 ISAKMP_ID_DATA_OFF + 1); 1167 if (!remote_filter) { 1168 log_error("policy_callback: " 1169 "malloc (%lu) failed", 1170 (unsigned long)idremotesz - 1171 ISAKMP_ID_DATA_OFF + 1); 1172 goto bad; 1173 } 1174 memcpy(remote_filter, 1175 idremote + ISAKMP_ID_DATA_OFF, 1176 idremotesz - ISAKMP_ID_DATA_OFF); 1177 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] 1178 = '\0'; 1179 break; 1180 1181 case IPSEC_ID_DER_ASN1_DN: 1182 remote_filter_type = "ASN1 DN"; 1183 1184 remote_filter = x509_DN_string(idremote + 1185 ISAKMP_ID_DATA_OFF, 1186 idremotesz - ISAKMP_ID_DATA_OFF); 1187 if (!remote_filter) { 1188 LOG_DBG((LOG_POLICY, 50, 1189 "policy_callback: " 1190 "failed to decode name")); 1191 goto bad; 1192 } 1193 break; 1194 1195 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure 1196 * what's in this. */ 1197 remote_filter_type = "ASN1 GN"; 1198 break; 1199 1200 case IPSEC_ID_KEY_ID: 1201 remote_filter_type = "Key ID"; 1202 remote_filter 1203 = calloc(2 * (idremotesz - 1204 ISAKMP_ID_DATA_OFF) + 1, 1205 sizeof(char)); 1206 if (!remote_filter) { 1207 log_error("policy_callback: " 1208 "calloc (%lu, %lu) failed", 1209 2 * ((unsigned long)idremotesz - 1210 ISAKMP_ID_DATA_OFF) + 1, 1211 (unsigned long)sizeof(char)); 1212 goto bad; 1213 } 1214 /* 1215 * Does it contain any non-printable 1216 * characters ? 1217 */ 1218 for (i = 0; 1219 i < idremotesz - ISAKMP_ID_DATA_OFF; i++) 1220 if (!isprint((unsigned char)*(idremote + 1221 ISAKMP_ID_DATA_OFF + i))) 1222 break; 1223 if (i >= idremotesz - ISAKMP_ID_DATA_OFF) { 1224 memcpy(remote_filter, 1225 idremote + ISAKMP_ID_DATA_OFF, 1226 idremotesz - ISAKMP_ID_DATA_OFF); 1227 break; 1228 } 1229 /* Non-printable characters, convert to hex */ 1230 for (i = 0; 1231 i < idremotesz - ISAKMP_ID_DATA_OFF; 1232 i++) { 1233 remote_filter[2 * i] 1234 = hextab[*(idremote + 1235 ISAKMP_ID_DATA_OFF) >> 4]; 1236 remote_filter[2 * i + 1] 1237 = hextab[*(idremote + 1238 ISAKMP_ID_DATA_OFF) & 0xF]; 1239 } 1240 break; 1241 1242 default: 1243 log_print("policy_callback: " 1244 "unknown Remote ID type %u", 1245 GET_ISAKMP_ID_TYPE(idremote)); 1246 goto bad; 1247 } 1248 1249 switch (idremote[ISAKMP_GEN_SZ + 1]) { 1250 case IPPROTO_TCP: 1251 remote_filter_proto = "tcp"; 1252 break; 1253 1254 case IPPROTO_UDP: 1255 remote_filter_proto = "udp"; 1256 break; 1257 1258 case IPPROTO_ETHERIP: 1259 remote_filter_proto = "etherip"; 1260 break; 1261 1262 default: 1263 snprintf(remote_filter_proto_num, 1264 sizeof remote_filter_proto_num, "%d", 1265 idremote[ISAKMP_GEN_SZ + 1]); 1266 remote_filter_proto = remote_filter_proto_num; 1267 break; 1268 } 1269 1270 snprintf(remote_filter_port, sizeof remote_filter_port, 1271 "%u", decode_16(idremote + ISAKMP_GEN_SZ + 2)); 1272 } else { 1273 policy_sa->transport->vtbl->get_dst(policy_sa->transport, &sin); 1274 switch (sin->sa_family) { 1275 case AF_INET: 1276 remote_filter_type = "IPv4 address"; 1277 break; 1278 case AF_INET6: 1279 remote_filter_type = "IPv6 address"; 1280 break; 1281 default: 1282 log_print("policy_callback: " 1283 "unsupported protocol family %d", 1284 sin->sa_family); 1285 goto bad; 1286 } 1287 if (sockaddr2text(sin, &addr, 1)) { 1288 log_error("policy_callback: " 1289 "sockaddr2text failed"); 1290 goto bad; 1291 } 1292 memcpy(remote_filter_addr_upper, addr, 1293 sizeof remote_filter_addr_upper); 1294 memcpy(remote_filter_addr_lower, addr, 1295 sizeof remote_filter_addr_lower); 1296 free(addr); 1297 remote_filter = strdup(remote_filter_addr_upper); 1298 if (!remote_filter) { 1299 log_error("policy_callback: " 1300 "strdup (\"%s\") failed", 1301 remote_filter_addr_upper); 1302 goto bad; 1303 } 1304 } 1305 1306 if (idlocal) { 1307 switch (GET_ISAKMP_ID_TYPE(idlocal)) { 1308 case IPSEC_ID_IPV4_ADDR: 1309 local_filter_type = "IPv4 address"; 1310 1311 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1312 my_inet_ntop4(&net, local_filter_addr_upper, 1313 sizeof local_filter_addr_upper - 1, 1); 1314 my_inet_ntop4(&net, local_filter_addr_lower, 1315 sizeof local_filter_addr_upper - 1, 1); 1316 local_filter = strdup(local_filter_addr_upper); 1317 if (!local_filter) { 1318 log_error("policy_callback: " 1319 "strdup (\"%s\") failed", 1320 local_filter_addr_upper); 1321 goto bad; 1322 } 1323 break; 1324 1325 case IPSEC_ID_IPV4_RANGE: 1326 local_filter_type = "IPv4 range"; 1327 1328 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1329 my_inet_ntop4(&net, local_filter_addr_lower, 1330 sizeof local_filter_addr_lower - 1, 1); 1331 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF + 1332 4); 1333 my_inet_ntop4(&net, local_filter_addr_upper, 1334 sizeof local_filter_addr_upper - 1, 1); 1335 len = strlen(local_filter_addr_upper) 1336 + strlen(local_filter_addr_lower) + 2; 1337 local_filter = calloc(len, sizeof(char)); 1338 if (!local_filter) { 1339 log_error("policy_callback: " 1340 "calloc (%d, %lu) failed", len, 1341 (unsigned long)sizeof(char)); 1342 goto bad; 1343 } 1344 strlcpy(local_filter, local_filter_addr_lower, 1345 len); 1346 strlcat(local_filter, "-", len); 1347 strlcat(local_filter, local_filter_addr_upper, 1348 len); 1349 break; 1350 1351 case IPSEC_ID_IPV4_ADDR_SUBNET: 1352 local_filter_type = "IPv4 subnet"; 1353 1354 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); 1355 subnet = decode_32(idlocal + 1356 ISAKMP_ID_DATA_OFF + 4); 1357 net &= subnet; 1358 my_inet_ntop4(&net, local_filter_addr_lower, 1359 sizeof local_filter_addr_lower - 1, 1); 1360 net |= ~subnet; 1361 my_inet_ntop4(&net, local_filter_addr_upper, 1362 sizeof local_filter_addr_upper - 1, 1); 1363 len = strlen(local_filter_addr_upper) + 1364 strlen(local_filter_addr_lower) + 2; 1365 local_filter = calloc(len, sizeof(char)); 1366 if (!local_filter) { 1367 log_error("policy_callback: " 1368 "calloc (%d, %lu) failed", len, 1369 (unsigned long)sizeof(char)); 1370 goto bad; 1371 } 1372 strlcpy(local_filter, local_filter_addr_lower, 1373 len); 1374 strlcat(local_filter, "-", len); 1375 strlcat(local_filter, local_filter_addr_upper, 1376 len); 1377 break; 1378 1379 case IPSEC_ID_IPV6_ADDR: 1380 local_filter_type = "IPv6 address"; 1381 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF, 1382 local_filter_addr_upper, 1383 sizeof local_filter_addr_upper - 1); 1384 strlcpy(local_filter_addr_lower, 1385 local_filter_addr_upper, 1386 sizeof local_filter_addr_lower); 1387 local_filter = strdup(local_filter_addr_upper); 1388 if (!local_filter) { 1389 log_error("policy_callback: " 1390 "strdup (\"%s\") failed", 1391 local_filter_addr_upper); 1392 goto bad; 1393 } 1394 break; 1395 1396 case IPSEC_ID_IPV6_RANGE: 1397 local_filter_type = "IPv6 range"; 1398 1399 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF, 1400 local_filter_addr_lower, 1401 sizeof local_filter_addr_lower - 1); 1402 1403 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF + 1404 16, local_filter_addr_upper, 1405 sizeof local_filter_addr_upper - 1); 1406 1407 len = strlen(local_filter_addr_upper) 1408 + strlen(local_filter_addr_lower) + 2; 1409 local_filter = calloc(len, sizeof(char)); 1410 if (!local_filter) { 1411 log_error("policy_callback: " 1412 "calloc (%d, %lu) failed", len, 1413 (unsigned long)sizeof(char)); 1414 goto bad; 1415 } 1416 strlcpy(local_filter, local_filter_addr_lower, 1417 len); 1418 strlcat(local_filter, "-", len); 1419 strlcat(local_filter, local_filter_addr_upper, 1420 len); 1421 break; 1422 1423 case IPSEC_ID_IPV6_ADDR_SUBNET: 1424 { 1425 struct in6_addr net, mask; 1426 1427 local_filter_type = "IPv6 subnet"; 1428 1429 bcopy(idlocal + ISAKMP_ID_DATA_OFF, 1430 &net, sizeof(net)); 1431 bcopy(idlocal + ISAKMP_ID_DATA_OFF + 1432 16, &mask, sizeof(mask)); 1433 1434 for (i = 0; i < 16; i++) 1435 net.s6_addr[i] &= 1436 mask.s6_addr[i]; 1437 1438 my_inet_ntop6((unsigned char *)&net, 1439 local_filter_addr_lower, 1440 sizeof local_filter_addr_lower - 1); 1441 1442 for (i = 0; i < 16; i++) 1443 net.s6_addr[i] |= 1444 ~mask.s6_addr[i]; 1445 1446 my_inet_ntop6((unsigned char *)&net, 1447 local_filter_addr_upper, 1448 sizeof local_filter_addr_upper - 1449 1); 1450 1451 len = strlen(local_filter_addr_upper) 1452 + strlen(local_filter_addr_lower) 1453 + 2; 1454 local_filter = calloc(len, 1455 sizeof(char)); 1456 if (!local_filter) { 1457 log_error("policy_callback: " 1458 "calloc (%d, %lu) failed", 1459 len, 1460 (unsigned long)sizeof(char)); 1461 goto bad; 1462 } 1463 strlcpy(local_filter, 1464 local_filter_addr_lower, len); 1465 strlcat(local_filter, "-", len); 1466 strlcat(local_filter, 1467 local_filter_addr_upper, len); 1468 break; 1469 } 1470 1471 case IPSEC_ID_FQDN: 1472 local_filter_type = "FQDN"; 1473 local_filter = malloc(idlocalsz - 1474 ISAKMP_ID_DATA_OFF + 1); 1475 if (!local_filter) { 1476 log_error("policy_callback: " 1477 "malloc (%lu) failed", 1478 (unsigned long)idlocalsz - 1479 ISAKMP_ID_DATA_OFF + 1); 1480 goto bad; 1481 } 1482 memcpy(local_filter, 1483 idlocal + ISAKMP_ID_DATA_OFF, 1484 idlocalsz - ISAKMP_ID_DATA_OFF); 1485 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1486 break; 1487 1488 case IPSEC_ID_USER_FQDN: 1489 local_filter_type = "User FQDN"; 1490 local_filter = malloc(idlocalsz - 1491 ISAKMP_ID_DATA_OFF + 1); 1492 if (!local_filter) { 1493 log_error("policy_callback: " 1494 "malloc (%lu) failed", 1495 (unsigned long)idlocalsz - 1496 ISAKMP_ID_DATA_OFF + 1); 1497 goto bad; 1498 } 1499 memcpy(local_filter, 1500 idlocal + ISAKMP_ID_DATA_OFF, 1501 idlocalsz - ISAKMP_ID_DATA_OFF); 1502 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0'; 1503 break; 1504 1505 case IPSEC_ID_DER_ASN1_DN: 1506 local_filter_type = "ASN1 DN"; 1507 1508 local_filter = x509_DN_string(idlocal + 1509 ISAKMP_ID_DATA_OFF, 1510 idlocalsz - ISAKMP_ID_DATA_OFF); 1511 if (!local_filter) { 1512 LOG_DBG((LOG_POLICY, 50, 1513 "policy_callback: failed to decode" 1514 " name")); 1515 goto bad; 1516 } 1517 break; 1518 1519 case IPSEC_ID_DER_ASN1_GN: 1520 /* XXX -- not sure what's in this. */ 1521 local_filter_type = "ASN1 GN"; 1522 break; 1523 1524 case IPSEC_ID_KEY_ID: 1525 local_filter_type = "Key ID"; 1526 local_filter = calloc(2 * (idlocalsz - 1527 ISAKMP_ID_DATA_OFF) + 1, 1528 sizeof(char)); 1529 if (!local_filter) { 1530 log_error("policy_callback: " 1531 "calloc (%lu, %lu) failed", 1532 2 * ((unsigned long)idlocalsz - 1533 ISAKMP_ID_DATA_OFF) + 1, 1534 (unsigned long)sizeof(char)); 1535 goto bad; 1536 } 1537 /* 1538 * Does it contain any non-printable 1539 * characters ? 1540 */ 1541 for (i = 0; 1542 i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) 1543 if (!isprint((unsigned char)*(idlocal + 1544 ISAKMP_ID_DATA_OFF + i))) 1545 break; 1546 if (i >= idlocalsz - ISAKMP_ID_DATA_OFF) { 1547 memcpy(local_filter, idlocal + 1548 ISAKMP_ID_DATA_OFF, 1549 idlocalsz - ISAKMP_ID_DATA_OFF); 1550 break; 1551 } 1552 /* Non-printable characters, convert to hex */ 1553 for (i = 0; 1554 i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) { 1555 local_filter[2 * i] = 1556 hextab[*(idlocal + 1557 ISAKMP_ID_DATA_OFF) >> 4]; 1558 local_filter[2 * i + 1] = 1559 hextab[*(idlocal + 1560 ISAKMP_ID_DATA_OFF) & 0xF]; 1561 } 1562 break; 1563 1564 default: 1565 log_print("policy_callback: " 1566 "unknown Local ID type %u", 1567 GET_ISAKMP_ID_TYPE(idlocal)); 1568 goto bad; 1569 } 1570 1571 switch (idlocal[ISAKMP_GEN_SZ + 1]) { 1572 case IPPROTO_TCP: 1573 local_filter_proto = "tcp"; 1574 break; 1575 1576 case IPPROTO_UDP: 1577 local_filter_proto = "udp"; 1578 break; 1579 1580 case IPPROTO_ETHERIP: 1581 local_filter_proto = "etherip"; 1582 break; 1583 1584 default: 1585 snprintf(local_filter_proto_num, 1586 sizeof local_filter_proto_num, 1587 "%d", idlocal[ISAKMP_GEN_SZ + 1]); 1588 local_filter_proto = local_filter_proto_num; 1589 break; 1590 } 1591 1592 snprintf(local_filter_port, sizeof local_filter_port, 1593 "%u", decode_16(idlocal + ISAKMP_GEN_SZ + 2)); 1594 } else { 1595 policy_sa->transport->vtbl->get_src(policy_sa->transport, 1596 (struct sockaddr **)&sin); 1597 switch (sin->sa_family) { 1598 case AF_INET: 1599 local_filter_type = "IPv4 address"; 1600 break; 1601 case AF_INET6: 1602 local_filter_type = "IPv6 address"; 1603 break; 1604 default: 1605 log_print("policy_callback: " 1606 "unsupported protocol family %d", 1607 sin->sa_family); 1608 goto bad; 1609 } 1610 1611 if (sockaddr2text(sin, &addr, 1)) { 1612 log_error("policy_callback: " 1613 "sockaddr2text failed"); 1614 goto bad; 1615 } 1616 memcpy(local_filter_addr_upper, addr, 1617 sizeof local_filter_addr_upper); 1618 memcpy(local_filter_addr_lower, addr, 1619 sizeof local_filter_addr_lower); 1620 free(addr); 1621 local_filter = strdup(local_filter_addr_upper); 1622 if (!local_filter) { 1623 log_error("policy_callback: " 1624 "strdup (\"%s\") failed", 1625 local_filter_addr_upper); 1626 goto bad; 1627 } 1628 } 1629 1630 LOG_DBG((LOG_POLICY, 80, 1631 "Policy context (action attributes):")); 1632 LOG_DBG((LOG_POLICY, 80, "esp_present == %s", esp_present)); 1633 LOG_DBG((LOG_POLICY, 80, "ah_present == %s", ah_present)); 1634 LOG_DBG((LOG_POLICY, 80, "comp_present == %s", comp_present)); 1635 LOG_DBG((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg)); 1636 LOG_DBG((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg)); 1637 LOG_DBG((LOG_POLICY, 80, "comp_alg == %s", comp_alg)); 1638 LOG_DBG((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg)); 1639 LOG_DBG((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg)); 1640 LOG_DBG((LOG_POLICY, 80, "ah_life_seconds == %s", 1641 ah_life_seconds)); 1642 LOG_DBG((LOG_POLICY, 80, "ah_life_kbytes == %s", 1643 ah_life_kbytes)); 1644 LOG_DBG((LOG_POLICY, 80, "esp_life_seconds == %s", 1645 esp_life_seconds)); 1646 LOG_DBG((LOG_POLICY, 80, "esp_life_kbytes == %s", 1647 esp_life_kbytes)); 1648 LOG_DBG((LOG_POLICY, 80, "comp_life_seconds == %s", 1649 comp_life_seconds)); 1650 LOG_DBG((LOG_POLICY, 80, "comp_life_kbytes == %s", 1651 comp_life_kbytes)); 1652 LOG_DBG((LOG_POLICY, 80, "ah_encapsulation == %s", 1653 ah_encapsulation)); 1654 LOG_DBG((LOG_POLICY, 80, "esp_encapsulation == %s", 1655 esp_encapsulation)); 1656 LOG_DBG((LOG_POLICY, 80, "comp_encapsulation == %s", 1657 comp_encapsulation)); 1658 LOG_DBG((LOG_POLICY, 80, "comp_dict_size == %s", 1659 comp_dict_size)); 1660 LOG_DBG((LOG_POLICY, 80, "comp_private_alg == %s", 1661 comp_private_alg)); 1662 LOG_DBG((LOG_POLICY, 80, "ah_key_length == %s", 1663 ah_key_length)); 1664 LOG_DBG((LOG_POLICY, 80, "ah_key_rounds == %s", 1665 ah_key_rounds)); 1666 LOG_DBG((LOG_POLICY, 80, "esp_key_length == %s", 1667 esp_key_length)); 1668 LOG_DBG((LOG_POLICY, 80, "esp_key_rounds == %s", 1669 esp_key_rounds)); 1670 LOG_DBG((LOG_POLICY, 80, "ah_group_desc == %s", 1671 ah_group_desc)); 1672 LOG_DBG((LOG_POLICY, 80, "esp_group_desc == %s", 1673 esp_group_desc)); 1674 LOG_DBG((LOG_POLICY, 80, "comp_group_desc == %s", 1675 comp_group_desc)); 1676 LOG_DBG((LOG_POLICY, 80, "ah_ecn == %s", ah_ecn)); 1677 LOG_DBG((LOG_POLICY, 80, "esp_ecn == %s", esp_ecn)); 1678 LOG_DBG((LOG_POLICY, 80, "comp_ecn == %s", comp_ecn)); 1679 LOG_DBG((LOG_POLICY, 80, "remote_filter_type == %s", 1680 remote_filter_type)); 1681 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_upper == %s", 1682 remote_filter_addr_upper)); 1683 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_lower == %s", 1684 remote_filter_addr_lower)); 1685 LOG_DBG((LOG_POLICY, 80, "remote_filter == %s", 1686 (remote_filter ? remote_filter : ""))); 1687 LOG_DBG((LOG_POLICY, 80, "remote_filter_port == %s", 1688 remote_filter_port)); 1689 LOG_DBG((LOG_POLICY, 80, "remote_filter_proto == %s", 1690 remote_filter_proto)); 1691 LOG_DBG((LOG_POLICY, 80, "local_filter_type == %s", 1692 local_filter_type)); 1693 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_upper == %s", 1694 local_filter_addr_upper)); 1695 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_lower == %s", 1696 local_filter_addr_lower)); 1697 LOG_DBG((LOG_POLICY, 80, "local_filter == %s", 1698 (local_filter ? local_filter : ""))); 1699 LOG_DBG((LOG_POLICY, 80, "local_filter_port == %s", 1700 local_filter_port)); 1701 LOG_DBG((LOG_POLICY, 80, "local_filter_proto == %s", 1702 local_filter_proto)); 1703 LOG_DBG((LOG_POLICY, 80, "remote_id_type == %s", 1704 remote_id_type)); 1705 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_upper == %s", 1706 remote_id_addr_upper)); 1707 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_lower == %s", 1708 remote_id_addr_lower)); 1709 LOG_DBG((LOG_POLICY, 80, "remote_id == %s", 1710 (remote_id ? remote_id : ""))); 1711 LOG_DBG((LOG_POLICY, 80, "remote_id_port == %s", 1712 remote_id_port)); 1713 LOG_DBG((LOG_POLICY, 80, "remote_id_proto == %s", 1714 remote_id_proto)); 1715 LOG_DBG((LOG_POLICY, 80, "remote_negotiation_address == %s", 1716 remote_ike_address)); 1717 LOG_DBG((LOG_POLICY, 80, "local_negotiation_address == %s", 1718 local_ike_address)); 1719 LOG_DBG((LOG_POLICY, 80, "pfs == %s", pfs)); 1720 LOG_DBG((LOG_POLICY, 80, "initiator == %s", initiator)); 1721 LOG_DBG((LOG_POLICY, 80, "phase1_group_desc == %s", 1722 phase1_group)); 1723 1724 /* Unset dirty now. */ 1725 dirty = 0; 1726 } 1727 if (strcmp(name, "phase_1") == 0) 1728 return phase_1; 1729 1730 if (strcmp(name, "GMTTimeOfDay") == 0) { 1731 tt = time(NULL); 1732 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", gmtime(&tt)); 1733 return mytimeofday; 1734 } 1735 if (strcmp(name, "LocalTimeOfDay") == 0) { 1736 tt = time(NULL); 1737 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", localtime(&tt)); 1738 return mytimeofday; 1739 } 1740 if (strcmp(name, "initiator") == 0) 1741 return initiator; 1742 1743 if (strcmp(name, "pfs") == 0) 1744 return pfs; 1745 1746 if (strcmp(name, "app_domain") == 0) 1747 return "IPsec policy"; 1748 1749 if (strcmp(name, "doi") == 0) 1750 return "ipsec"; 1751 1752 if (strcmp(name, "esp_present") == 0) 1753 return esp_present; 1754 1755 if (strcmp(name, "ah_present") == 0) 1756 return ah_present; 1757 1758 if (strcmp(name, "comp_present") == 0) 1759 return comp_present; 1760 1761 if (strcmp(name, "ah_hash_alg") == 0) 1762 return ah_hash_alg; 1763 1764 if (strcmp(name, "ah_auth_alg") == 0) 1765 return ah_auth_alg; 1766 1767 if (strcmp(name, "esp_auth_alg") == 0) 1768 return esp_auth_alg; 1769 1770 if (strcmp(name, "esp_enc_alg") == 0) 1771 return esp_enc_alg; 1772 1773 if (strcmp(name, "comp_alg") == 0) 1774 return comp_alg; 1775 1776 if (strcmp(name, "ah_life_kbytes") == 0) 1777 return ah_life_kbytes; 1778 1779 if (strcmp(name, "ah_life_seconds") == 0) 1780 return ah_life_seconds; 1781 1782 if (strcmp(name, "esp_life_kbytes") == 0) 1783 return esp_life_kbytes; 1784 1785 if (strcmp(name, "esp_life_seconds") == 0) 1786 return esp_life_seconds; 1787 1788 if (strcmp(name, "comp_life_kbytes") == 0) 1789 return comp_life_kbytes; 1790 1791 if (strcmp(name, "comp_life_seconds") == 0) 1792 return comp_life_seconds; 1793 1794 if (strcmp(name, "ah_encapsulation") == 0) 1795 return ah_encapsulation; 1796 1797 if (strcmp(name, "esp_encapsulation") == 0) 1798 return esp_encapsulation; 1799 1800 if (strcmp(name, "comp_encapsulation") == 0) 1801 return comp_encapsulation; 1802 1803 if (strcmp(name, "ah_key_length") == 0) 1804 return ah_key_length; 1805 1806 if (strcmp(name, "ah_key_rounds") == 0) 1807 return ah_key_rounds; 1808 1809 if (strcmp(name, "esp_key_length") == 0) 1810 return esp_key_length; 1811 1812 if (strcmp(name, "esp_key_rounds") == 0) 1813 return esp_key_rounds; 1814 1815 if (strcmp(name, "comp_dict_size") == 0) 1816 return comp_dict_size; 1817 1818 if (strcmp(name, "comp_private_alg") == 0) 1819 return comp_private_alg; 1820 1821 if (strcmp(name, "remote_filter_type") == 0) 1822 return remote_filter_type; 1823 1824 if (strcmp(name, "remote_filter") == 0) 1825 return (remote_filter ? remote_filter : ""); 1826 1827 if (strcmp(name, "remote_filter_addr_upper") == 0) 1828 return remote_filter_addr_upper; 1829 1830 if (strcmp(name, "remote_filter_addr_lower") == 0) 1831 return remote_filter_addr_lower; 1832 1833 if (strcmp(name, "remote_filter_port") == 0) 1834 return remote_filter_port; 1835 1836 if (strcmp(name, "remote_filter_proto") == 0) 1837 return remote_filter_proto; 1838 1839 if (strcmp(name, "local_filter_type") == 0) 1840 return local_filter_type; 1841 1842 if (strcmp(name, "local_filter") == 0) 1843 return (local_filter ? local_filter : ""); 1844 1845 if (strcmp(name, "local_filter_addr_upper") == 0) 1846 return local_filter_addr_upper; 1847 1848 if (strcmp(name, "local_filter_addr_lower") == 0) 1849 return local_filter_addr_lower; 1850 1851 if (strcmp(name, "local_filter_port") == 0) 1852 return local_filter_port; 1853 1854 if (strcmp(name, "local_filter_proto") == 0) 1855 return local_filter_proto; 1856 1857 if (strcmp(name, "remote_ike_address") == 0) 1858 return remote_ike_address; 1859 1860 if (strcmp(name, "remote_negotiation_address") == 0) 1861 return remote_ike_address; 1862 1863 if (strcmp(name, "local_ike_address") == 0) 1864 return local_ike_address; 1865 1866 if (strcmp(name, "local_negotiation_address") == 0) 1867 return local_ike_address; 1868 1869 if (strcmp(name, "remote_id_type") == 0) 1870 return remote_id_type; 1871 1872 if (strcmp(name, "remote_id") == 0) 1873 return (remote_id ? remote_id : ""); 1874 1875 if (strcmp(name, "remote_id_addr_upper") == 0) 1876 return remote_id_addr_upper; 1877 1878 if (strcmp(name, "remote_id_addr_lower") == 0) 1879 return remote_id_addr_lower; 1880 1881 if (strcmp(name, "remote_id_port") == 0) 1882 return remote_id_port; 1883 1884 if (strcmp(name, "remote_id_proto") == 0) 1885 return remote_id_proto; 1886 1887 if (strcmp(name, "phase1_group_desc") == 0) 1888 return phase1_group; 1889 1890 if (strcmp(name, "esp_group_desc") == 0) 1891 return esp_group_desc; 1892 1893 if (strcmp(name, "ah_group_desc") == 0) 1894 return ah_group_desc; 1895 1896 if (strcmp(name, "comp_group_desc") == 0) 1897 return comp_group_desc; 1898 1899 if (strcmp(name, "comp_ecn") == 0) 1900 return comp_ecn; 1901 1902 if (strcmp(name, "ah_ecn") == 0) 1903 return ah_ecn; 1904 1905 if (strcmp(name, "esp_ecn") == 0) 1906 return esp_ecn; 1907 1908 return ""; 1909 1910 bad: 1911 policy_callback(KEYNOTE_CALLBACK_INITIALIZE); 1912 return ""; 1913 } 1914 1915 void 1916 policy_init(void) 1917 { 1918 char *ptr, *policy_file; 1919 char **asserts; 1920 size_t sz, len; 1921 int fd, i; 1922 1923 LOG_DBG((LOG_POLICY, 30, "policy_init: initializing")); 1924 1925 /* Do we want to use the policy modules? */ 1926 if (ignore_policy || 1927 strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) 1928 return; 1929 1930 /* Get policy file from configuration. */ 1931 policy_file = conf_get_str("General", "Policy-file"); 1932 if (!policy_file) 1933 policy_file = CONF_DFLT_POLICY_FILE; 1934 1935 /* Open policy file. */ 1936 fd = monitor_open(policy_file, O_RDONLY, 0); 1937 if (fd == -1) 1938 log_fatal("policy_init: open (\"%s\", O_RDONLY) failed", 1939 policy_file); 1940 1941 /* Check file modes and collect file size */ 1942 if (check_file_secrecy_fd(fd, policy_file, &sz)) { 1943 close(fd); 1944 log_fatal("policy_init: cannot read %s", policy_file); 1945 } 1946 1947 /* Allocate memory to keep policies. */ 1948 ptr = calloc(sz + 1, sizeof(char)); 1949 if (!ptr) 1950 log_fatal("policy_init: calloc (%lu, %lu) failed", 1951 (unsigned long)sz + 1, (unsigned long)sizeof(char)); 1952 1953 /* Just in case there are short reads... */ 1954 for (len = 0; len < sz; len += i) { 1955 i = read(fd, ptr + len, sz - len); 1956 if (i == -1) 1957 log_fatal("policy_init: read (%d, %p, %lu) failed", fd, 1958 ptr + len, (unsigned long)(sz - len)); 1959 } 1960 1961 /* We're done with this. */ 1962 close(fd); 1963 1964 /* Parse buffer, break up into individual policies. */ 1965 asserts = kn_read_asserts(ptr, sz, &i); 1966 1967 /* Begone! */ 1968 free(ptr); 1969 1970 if (asserts == (char **)NULL) 1971 log_print("policy_init: all policies flushed"); 1972 1973 /* Cleanup */ 1974 if (policy_asserts) { 1975 for (fd = 0; fd < policy_asserts_num; fd++) 1976 if (policy_asserts) 1977 free(policy_asserts[fd]); 1978 1979 free(policy_asserts); 1980 } 1981 policy_asserts = asserts; 1982 policy_asserts_num = i; 1983 } 1984 1985 /* Nothing needed for initialization */ 1986 int 1987 keynote_cert_init(void) 1988 { 1989 return 1; 1990 } 1991 1992 /* Just copy and return. */ 1993 void * 1994 keynote_cert_get(u_int8_t *data, u_int32_t len) 1995 { 1996 char *foo = malloc(len + 1); 1997 1998 if (foo == NULL) 1999 return NULL; 2000 2001 memcpy(foo, data, len); 2002 foo[len] = '\0'; 2003 return foo; 2004 } 2005 2006 /* 2007 * We just verify the signature on the credentials. 2008 * On signature failure, just drop the whole payload. 2009 */ 2010 int 2011 keynote_cert_validate(void *scert) 2012 { 2013 char **foo; 2014 int num, i; 2015 2016 if (scert == NULL) 2017 return 0; 2018 2019 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2020 if (foo == NULL) 2021 return 0; 2022 2023 for (i = 0; i < num; i++) { 2024 if (kn_verify_assertion(scert, strlen((char *)scert)) 2025 != SIGRESULT_TRUE) { 2026 for (; i < num; i++) 2027 free(foo[i]); 2028 free(foo); 2029 return 0; 2030 } 2031 free(foo[i]); 2032 } 2033 2034 free(foo); 2035 return 1; 2036 } 2037 2038 /* Add received credentials. */ 2039 int 2040 keynote_cert_insert(int sid, void *scert) 2041 { 2042 char **foo; 2043 int num; 2044 2045 if (scert == NULL) 2046 return 0; 2047 2048 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2049 if (foo == NULL) 2050 return 0; 2051 2052 while (num--) 2053 kn_add_assertion(sid, foo[num], strlen(foo[num]), 0); 2054 2055 return 1; 2056 } 2057 2058 /* Just regular memory free. */ 2059 void 2060 keynote_cert_free(void *cert) 2061 { 2062 free(cert); 2063 } 2064 2065 /* Verify that the key given to us is valid. */ 2066 int 2067 keynote_certreq_validate(u_int8_t *data, u_int32_t len) 2068 { 2069 struct keynote_deckey dc; 2070 int err = 1; 2071 char *dat; 2072 2073 dat = calloc(len + 1, sizeof(char)); 2074 if (!dat) { 2075 log_error("keynote_certreq_validate: calloc (%d, %lu) failed", 2076 len + 1, (unsigned long)sizeof(char)); 2077 return 0; 2078 } 2079 memcpy(dat, data, len); 2080 2081 if (kn_decode_key(&dc, dat, KEYNOTE_PUBLIC_KEY) != 0) 2082 err = 0; 2083 else 2084 kn_free_key(&dc); 2085 2086 free(dat); 2087 2088 return err; 2089 } 2090 2091 /* Beats me what we should be doing with this. */ 2092 int 2093 keynote_certreq_decode(void **pdata, u_int8_t *data, u_int32_t len) 2094 { 2095 /* XXX */ 2096 return 0; 2097 } 2098 2099 void 2100 keynote_free_aca(void *blob) 2101 { 2102 /* XXX */ 2103 } 2104 2105 int 2106 keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, 2107 u_int32_t *certlen) 2108 { 2109 char *dirname, *file, *addr_str; 2110 struct stat sb; 2111 size_t size; 2112 int idtype, fd, len; 2113 2114 if (!id) { 2115 log_print("keynote_cert_obtain: ID is missing"); 2116 return 0; 2117 } 2118 /* Get type of ID. */ 2119 idtype = id[0]; 2120 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2121 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 2122 2123 dirname = conf_get_str("KeyNote", "Credential-directory"); 2124 if (!dirname) { 2125 LOG_DBG((LOG_POLICY, 30, 2126 "keynote_cert_obtain: no Credential-directory")); 2127 return 0; 2128 } 2129 len = strlen(dirname) + strlen(CREDENTIAL_FILE) + 3; 2130 2131 switch (idtype) { 2132 case IPSEC_ID_IPV4_ADDR: 2133 case IPSEC_ID_IPV6_ADDR: 2134 util_ntoa(&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? 2135 AF_INET : AF_INET6, id); 2136 if (addr_str == 0) 2137 return 0; 2138 2139 if (asprintf(&file, "%s/%s/%s", dirname, 2140 addr_str, CREDENTIAL_FILE) == -1) { 2141 log_error("keynote_cert_obtain: failed to allocate " 2142 "%lu bytes", (unsigned long)len + 2143 strlen(addr_str)); 2144 free(addr_str); 2145 return 0; 2146 } 2147 free(addr_str); 2148 break; 2149 2150 case IPSEC_ID_FQDN: 2151 case IPSEC_ID_USER_FQDN: 2152 file = calloc(len + id_len, sizeof(char)); 2153 if (file == NULL) { 2154 log_error("keynote_cert_obtain: " 2155 "failed to allocate %lu bytes", 2156 (unsigned long)len + id_len); 2157 return 0; 2158 } 2159 snprintf(file, len + id_len, "%s/", dirname); 2160 memcpy(file + strlen(dirname) + 1, id, id_len); 2161 snprintf(file + strlen(dirname) + 1 + id_len, 2162 len - strlen(dirname) - 1, "/%s", CREDENTIAL_FILE); 2163 break; 2164 2165 default: 2166 return 0; 2167 } 2168 2169 fd = monitor_open(file, O_RDONLY, 0); 2170 if (fd < 0) { 2171 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2172 "failed to open \"%s\"", file)); 2173 free(file); 2174 return 0; 2175 } 2176 2177 if (fstat(fd, &sb) == -1) { 2178 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2179 "failed to stat \"%s\"", file)); 2180 free(file); 2181 close(fd); 2182 return 0; 2183 } 2184 size = (size_t)sb.st_size; 2185 2186 *cert = calloc(size + 1, sizeof(char)); 2187 if (*cert == NULL) { 2188 log_error("keynote_cert_obtain: failed to allocate %lu bytes", 2189 (unsigned long)size); 2190 free(file); 2191 close(fd); 2192 return 0; 2193 } 2194 2195 if (read(fd, *cert, size) != (int)size) { 2196 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " 2197 "failed to read %lu bytes from \"%s\"", 2198 (unsigned long)size, file)); 2199 free(cert); 2200 cert = NULL; 2201 free(file); 2202 close(fd); 2203 return 0; 2204 } 2205 close(fd); 2206 free(file); 2207 *certlen = size; 2208 return 1; 2209 } 2210 2211 /* This should never be called. */ 2212 int 2213 keynote_cert_get_subjects(void *scert, int *n, u_int8_t ***id, 2214 u_int32_t **id_len) 2215 { 2216 return 0; 2217 } 2218 2219 /* Get the authorizer key. */ 2220 int 2221 keynote_cert_get_key(void *scert, void *keyp) 2222 { 2223 struct keynote_keylist *kl; 2224 int sid, kid, num; 2225 char **foo; 2226 2227 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); 2228 if (foo == NULL || num == 0) { 2229 log_print("keynote_cert_get_key: " 2230 "failed to decompose credentials"); 2231 return 0; 2232 } 2233 kid = kn_init(); 2234 if (kid == -1) { 2235 log_print("keynote_cert_get_key: " 2236 "failed to initialize new policy session"); 2237 while (num--) 2238 free(foo[num]); 2239 free(foo); 2240 return 0; 2241 } 2242 sid = kn_add_assertion(kid, foo[num - 1], strlen(foo[num - 1]), 0); 2243 while (num--) 2244 free(foo[num]); 2245 free(foo); 2246 2247 if (sid == -1) { 2248 log_print("keynote_cert_get_key: failed to add assertion"); 2249 kn_close(kid); 2250 return 0; 2251 } 2252 *(RSA **)keyp = NULL; 2253 2254 kl = kn_get_licensees(kid, sid); 2255 while (kl) { 2256 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA || 2257 kl->key_alg == KEYNOTE_ALGORITHM_X509) { 2258 *(RSA **)keyp = RSAPublicKey_dup(kl->key_key); 2259 break; 2260 } 2261 kl = kl->key_next; 2262 } 2263 2264 kn_remove_assertion(kid, sid); 2265 kn_close(kid); 2266 return *(RSA **)keyp == NULL ? 0 : 1; 2267 } 2268 2269 void * 2270 keynote_cert_dup(void *cert) 2271 { 2272 return strdup((char *)cert); 2273 } 2274 2275 void 2276 keynote_serialize(void *cert, u_int8_t **data, u_int32_t *datalen) 2277 { 2278 *datalen = strlen((char *)cert) + 1; 2279 *data = (u_int8_t *)strdup(cert); /* i.e an extra character at 2280 * the end... */ 2281 if (*data == NULL) 2282 log_error("keynote_serialize: malloc (%d) failed", *datalen); 2283 } 2284 2285 /* From cert to printable */ 2286 char * 2287 keynote_printable(void *cert) 2288 { 2289 return strdup((char *)cert); 2290 } 2291 2292 /* From printable to cert */ 2293 void * 2294 keynote_from_printable(char *cert) 2295 { 2296 return strdup(cert); 2297 } 2298 2299 /* Number of CAs we trust (currently this is x509 only) */ 2300 int 2301 keynote_ca_count(void) 2302 { 2303 return 0; 2304 } 2305