Bug Summary

File:src/sbin/isakmpd/policy.c
Warning:line 2186, column 10
Result of 'calloc' is converted to a pointer of type 'u_int8_t', which is incompatible with sizeof operand type 'char'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name policy.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sbin/isakmpd/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/sbin/isakmpd -I . -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/sbin/isakmpd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/sbin/isakmpd/policy.c
1/* $OpenBSD: policy.c,v 1.102 2021/10/22 12:30:54 bluhm Exp $ */
2/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */
3
4/*
5 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved.
6 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved.
7 * Copyright (c) 2001 Håkan Olsson. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30/*
31 * This code was written under funding by Ericsson Radio Systems.
32 */
33
34#include <sys/types.h>
35#include <sys/mman.h>
36#include <sys/queue.h>
37#include <sys/stat.h>
38#include <regex.h>
39#include <ctype.h>
40#include <fcntl.h>
41#include <stdio.h>
42#include <stdlib.h>
43#include <string.h>
44#include <unistd.h>
45#include <keynote.h>
46#include <sys/socket.h>
47#include <netinet/in.h>
48#include <arpa/inet.h>
49#include <errno(*__errno()).h>
50#include <openssl/ssl.h>
51#include <netdb.h>
52
53#include "conf.h"
54#include "exchange.h"
55#include "ipsec.h"
56#include "isakmp_doi.h"
57#include "sa.h"
58#include "transport.h"
59#include "log.h"
60#include "message.h"
61#include "monitor.h"
62#include "util.h"
63#include "policy.h"
64#include "x509.h"
65
66char **policy_asserts = NULL((void*)0);
67int ignore_policy = 0;
68int policy_asserts_num = 0;
69struct exchange *policy_exchange = 0;
70struct sa *policy_sa = 0;
71struct sa *policy_isakmp_sa = 0;
72
73static const char hextab[] = {
74 '0', '1', '2', '3', '4', '5', '6', '7',
75 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
76};
77
78/*
79 * Adaptation of Vixie's inet_ntop4 ()
80 */
81static const char *
82my_inet_ntop4(const in_addr_t *src, char *dst, size_t size, int normalize)
83{
84 static const char fmt[] = "%03u.%03u.%03u.%03u";
85 char tmp[sizeof "255.255.255.255"];
86 in_addr_t src2;
87 int len;
88
89 if (normalize)
90 src2 = ntohl(*src)(__uint32_t)(__builtin_constant_p(*src) ? (__uint32_t)(((__uint32_t
)(*src) & 0xff) << 24 | ((__uint32_t)(*src) & 0xff00
) << 8 | ((__uint32_t)(*src) & 0xff0000) >> 8
| ((__uint32_t)(*src) & 0xff000000) >> 24) : __swap32md
(*src));
91 else
92 src2 = *src;
93
94 len = snprintf(tmp, sizeof tmp, fmt, ((u_int8_t *)&src2)[0],
95 ((u_int8_t *)&src2)[1], ((u_int8_t *)&src2)[2],
96 ((u_int8_t *)&src2)[3]);
97 if (len < 0 || len > (int)size) {
98 errno(*__errno()) = ENOSPC28;
99 return 0;
100 }
101 strlcpy(dst, tmp, size);
102 return dst;
103}
104
105static const char *
106my_inet_ntop6(const unsigned char *src, char *dst, size_t size)
107{
108 static const char fmt[] =
109 "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x";
110 char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"];
111 int len;
112
113 len = snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3],
114 src[4], src[5], src[6], src[7], src[8], src[9], src[10], src[11],
115 src[12], src[13], src[14], src[15]);
116 if (len < 0 || len > (int)size) {
117 errno(*__errno()) = ENOSPC28;
118 return 0;
119 }
120 strlcpy(dst, tmp, size);
121 return dst;
122}
123
124char *
125policy_callback(char *name)
126{
127 struct proto *proto;
128
129 u_int8_t *attr, *value, *id, *idlocal, *idremote;
130 size_t id_sz, idlocalsz, idremotesz;
131 struct sockaddr *sin;
132 struct ipsec_exch *ie;
133 struct ipsec_sa *is;
134 size_t i;
135 int fmt, lifetype = 0;
136 in_addr_t net, subnet;
137 u_int16_t len, type;
138 time_t tt;
139 char *addr;
140 static char mytimeofday[15];
141
142 /* We use all these as a cache. */
143#define PMAX32 32
144 static char *esp_present, *ah_present, *comp_present;
145 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg;
146 static char *comp_alg, ah_life_kbytes[PMAX32], ah_life_seconds[PMAX32];
147 static char esp_life_kbytes[PMAX32], esp_life_seconds[PMAX32];
148 static char comp_life_kbytes[PMAX32];
149 static char *ah_ecn, *esp_ecn, *comp_ecn;
150 static char comp_life_seconds[PMAX32], *ah_encapsulation;
151 static char *esp_encapsulation, *comp_encapsulation;
152 static char ah_key_length[PMAX32], esp_key_length[PMAX32];
153 static char ah_key_rounds[PMAX32], esp_key_rounds[PMAX32];
154 static char comp_dict_size[PMAX32], comp_private_alg[PMAX32];
155 static char *remote_filter_type, *local_filter_type;
156 static char remote_filter_addr_upper[NI_MAXHOST256];
157 static char remote_filter_addr_lower[NI_MAXHOST256];
158 static char local_filter_addr_upper[NI_MAXHOST256];
159 static char local_filter_addr_lower[NI_MAXHOST256];
160 static char ah_group_desc[PMAX32], esp_group_desc[PMAX32];
161 static char comp_group_desc[PMAX32], remote_ike_address[NI_MAXHOST256];
162 static char local_ike_address[NI_MAXHOST256];
163 static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST256];
164 static char *phase_1, remote_id_addr_lower[NI_MAXHOST256];
165 static char *remote_id_proto, remote_id_port[PMAX32];
166 static char remote_filter_port[PMAX32], local_filter_port[PMAX32];
167 static char *remote_filter_proto, *local_filter_proto, *pfs;
168 static char *initiator, remote_filter_proto_num[3];
169 static char local_filter_proto_num[3], remote_id_proto_num[3];
170 static char phase1_group[PMAX32];
171
172 /* Allocated. */
173 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0;
174
175 static int dirty = 1;
176
177 /* We only need to set dirty at initialization time really. */
178 if (strcmp(name, KEYNOTE_CALLBACK_CLEANUP"_KEYNOTE_CALLBACK_CLEANUP") == 0 ||
179 strcmp(name, KEYNOTE_CALLBACK_INITIALIZE"_KEYNOTE_CALLBACK_INITIALIZE") == 0) {
180 esp_present = ah_present = comp_present = pfs = "no";
181 ah_hash_alg = ah_auth_alg = phase_1 = "";
182 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = "";
183 ah_ecn = esp_ecn = comp_ecn = "no";
184 esp_encapsulation = comp_encapsulation = "";
185 remote_filter_type = "";
186 local_filter_type = remote_id_type = initiator = "";
187 remote_filter_proto = local_filter_proto = "";
188 remote_id_proto = "";
189
190 free(remote_filter);
191 remote_filter = 0;
192 free(local_filter);
193 local_filter = 0;
194 free(remote_id);
195 remote_id = 0;
196
197 bzero(remote_ike_address, sizeof remote_ike_address);
198 bzero(local_ike_address, sizeof local_ike_address);
199 bzero(ah_life_kbytes, sizeof ah_life_kbytes);
200 bzero(ah_life_seconds, sizeof ah_life_seconds);
201 bzero(esp_life_kbytes, sizeof esp_life_kbytes);
202 bzero(esp_life_seconds, sizeof esp_life_seconds);
203 bzero(comp_life_kbytes, sizeof comp_life_kbytes);
204 bzero(comp_life_seconds, sizeof comp_life_seconds);
205 bzero(ah_key_length, sizeof ah_key_length);
206 bzero(ah_key_rounds, sizeof ah_key_rounds);
207 bzero(esp_key_length, sizeof esp_key_length);
208 bzero(esp_key_rounds, sizeof esp_key_rounds);
209 bzero(comp_dict_size, sizeof comp_dict_size);
210 bzero(comp_private_alg, sizeof comp_private_alg);
211 bzero(remote_filter_addr_upper,
212 sizeof remote_filter_addr_upper);
213 bzero(remote_filter_addr_lower,
214 sizeof remote_filter_addr_lower);
215 bzero(local_filter_addr_upper,
216 sizeof local_filter_addr_upper);
217 bzero(local_filter_addr_lower,
218 sizeof local_filter_addr_lower);
219 bzero(remote_id_addr_upper, sizeof remote_id_addr_upper);
220 bzero(remote_id_addr_lower, sizeof remote_id_addr_lower);
221 bzero(ah_group_desc, sizeof ah_group_desc);
222 bzero(esp_group_desc, sizeof esp_group_desc);
223 bzero(remote_id_port, sizeof remote_id_port);
224 bzero(remote_filter_port, sizeof remote_filter_port);
225 bzero(local_filter_port, sizeof local_filter_port);
226 bzero(phase1_group, sizeof phase1_group);
227
228 dirty = 1;
229 return "";
230 }
231 /*
232 * If dirty is set, this is the first request for an attribute, so
233 * populate our value cache.
234 */
235 if (dirty) {
236 ie = policy_exchange->data;
237
238 if (ie->pfs)
239 pfs = "yes";
240
241 is = policy_isakmp_sa->data;
242 snprintf(phase1_group, sizeof phase1_group, "%u",
243 is->group_desc);
244
245 for (proto = TAILQ_FIRST(&policy_sa->protos)((&policy_sa->protos)->tqh_first); proto;
246 proto = TAILQ_NEXT(proto, link)((proto)->link.tqe_next)) {
247 switch (proto->proto) {
248 case IPSEC_PROTO_IPSEC_AH2:
249 ah_present = "yes";
250 switch (proto->id) {
251 case IPSEC_AH_MD52:
252 ah_hash_alg = "md5";
253 break;
254
255 case IPSEC_AH_SHA3:
256 ah_hash_alg = "sha";
257 break;
258
259 case IPSEC_AH_RIPEMD8:
260 ah_hash_alg = "ripemd";
261 break;
262
263 case IPSEC_AH_SHA2_2565:
264 ah_auth_alg = "sha2-256";
265 break;
266
267 case IPSEC_AH_SHA2_3846:
268 ah_auth_alg = "sha2-384";
269 break;
270
271 case IPSEC_AH_SHA2_5127:
272 ah_auth_alg = "sha2-512";
273 break;
274
275 case IPSEC_AH_DES4:
276 ah_hash_alg = "des";
277 break;
278 }
279
280 break;
281
282 case IPSEC_PROTO_IPSEC_ESP3:
283 esp_present = "yes";
284 switch (proto->id) {
285 case IPSEC_ESP_DES_IV641:
286 esp_enc_alg = "des-iv64";
287 break;
288
289 case IPSEC_ESP_DES2:
290 esp_enc_alg = "des";
291 break;
292
293 case IPSEC_ESP_3DES3:
294 esp_enc_alg = "3des";
295 break;
296
297 case IPSEC_ESP_AES12:
298 case IPSEC_ESP_AES_CTR13:
299 case IPSEC_ESP_AES_GCM_1620:
300 case IPSEC_ESP_AES_GMAC23:
301 esp_enc_alg = "aes";
302 break;
303
304 case IPSEC_ESP_RC54:
305 esp_enc_alg = "rc5";
306 break;
307
308 case IPSEC_ESP_IDEA5:
309 esp_enc_alg = "idea";
310 break;
311
312 case IPSEC_ESP_CAST6:
313 esp_enc_alg = "cast";
314 break;
315
316 case IPSEC_ESP_BLOWFISH7:
317 esp_enc_alg = "blowfish";
318 break;
319
320 case IPSEC_ESP_3IDEA8:
321 esp_enc_alg = "3idea";
322 break;
323
324 case IPSEC_ESP_DES_IV329:
325 esp_enc_alg = "des-iv32";
326 break;
327
328 case IPSEC_ESP_RC410:
329 esp_enc_alg = "rc4";
330 break;
331
332 case IPSEC_ESP_NULL11:
333 esp_enc_alg = "null";
334 break;
335 }
336
337 break;
338
339 case IPSEC_PROTO_IPCOMP4:
340 comp_present = "yes";
341 switch (proto->id) {
342 case IPSEC_IPCOMP_OUI1:
343 comp_alg = "oui";
344 break;
345
346 case IPSEC_IPCOMP_DEFLATE2:
347 comp_alg = "deflate";
348 break;
349 }
350
351 break;
352 }
353
354 for (attr = proto->chosen->p +
355 ISAKMP_TRANSFORM_SA_ATTRS_OFF8;
356 attr < proto->chosen->p +
357 GET_ISAKMP_GEN_LENGTH(proto->chosen->p)field_get_num (isakmp_gen_fld + 2, proto->chosen->p);
358 attr = value + len) {
359 if (attr + ISAKMP_ATTR_VALUE_OFF4 >
360 (proto->chosen->p +
361 GET_ISAKMP_GEN_LENGTH(proto->chosen->p)field_get_num (isakmp_gen_fld + 2, proto->chosen->p)))
362 return "";
363
364 type = GET_ISAKMP_ATTR_TYPE(attr)field_get_num (isakmp_attr_fld + 0, attr);
365 fmt = ISAKMP_ATTR_FORMAT(type)((type) >> 15);
366 type = ISAKMP_ATTR_TYPE(type)((type) & 0x7fff);
367 value = attr + (fmt ?
368 ISAKMP_ATTR_LENGTH_VALUE_OFF2 :
369 ISAKMP_ATTR_VALUE_OFF4);
370 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN2 :
371 GET_ISAKMP_ATTR_LENGTH_VALUE(attr)field_get_num (isakmp_attr_fld + 1, attr));
372
373 if (value + len > proto->chosen->p +
374 GET_ISAKMP_GEN_LENGTH(proto->chosen->p)field_get_num (isakmp_gen_fld + 2, proto->chosen->p))
375 return "";
376
377 switch (type) {
378 case IPSEC_ATTR_SA_LIFE_TYPE1:
379 lifetype = decode_16(value);
380 break;
381
382 case IPSEC_ATTR_SA_LIFE_DURATION2:
383 switch (proto->proto) {
384 case IPSEC_PROTO_IPSEC_AH2:
385 if (lifetype == IPSEC_DURATION_SECONDS1) {
386 if (len == 2)
387 snprintf(ah_life_seconds, sizeof ah_life_seconds,
388 "%u", decode_16(value));
389 else
390 snprintf(ah_life_seconds, sizeof ah_life_seconds,
391 "%u", decode_32(value));
392 } else {
393 if (len == 2)
394 snprintf(ah_life_kbytes, sizeof ah_life_kbytes,
395 "%u", decode_16(value));
396 else
397 snprintf(ah_life_kbytes, sizeof ah_life_kbytes,
398 "%u", decode_32(value));
399 }
400
401 break;
402
403 case IPSEC_PROTO_IPSEC_ESP3:
404 if (lifetype == IPSEC_DURATION_SECONDS1) {
405 if (len == 2)
406 snprintf(esp_life_seconds,
407 sizeof esp_life_seconds, "%u",
408 decode_16(value));
409 else
410 snprintf(esp_life_seconds,
411 sizeof esp_life_seconds, "%u",
412 decode_32(value));
413 } else {
414 if (len == 2)
415 snprintf(esp_life_kbytes,
416 sizeof esp_life_kbytes, "%u",
417 decode_16(value));
418 else
419 snprintf(esp_life_kbytes,
420 sizeof esp_life_kbytes, "%u",
421 decode_32(value));
422 }
423
424 break;
425
426 case IPSEC_PROTO_IPCOMP4:
427 if (lifetype == IPSEC_DURATION_SECONDS1) {
428 if (len == 2)
429 snprintf(comp_life_seconds,
430 sizeof comp_life_seconds, "%u",
431 decode_16(value));
432 else
433 snprintf(comp_life_seconds,
434 sizeof comp_life_seconds, "%u",
435 decode_32(value));
436 } else {
437 if (len == 2)
438 snprintf(comp_life_kbytes,
439 sizeof comp_life_kbytes, "%u",
440 decode_16(value));
441 else
442 snprintf(comp_life_kbytes,
443 sizeof comp_life_kbytes, "%u",
444 decode_32(value));
445 }
446 break;
447 }
448 break;
449
450 case IPSEC_ATTR_GROUP_DESCRIPTION3:
451 switch (proto->proto) {
452 case IPSEC_PROTO_IPSEC_AH2:
453 snprintf(ah_group_desc,
454 sizeof ah_group_desc, "%u",
455 decode_16(value));
456 break;
457
458 case IPSEC_PROTO_IPSEC_ESP3:
459 snprintf(esp_group_desc,
460 sizeof esp_group_desc, "%u",
461 decode_16(value));
462 break;
463
464 case IPSEC_PROTO_IPCOMP4:
465 snprintf(comp_group_desc,
466 sizeof comp_group_desc, "%u",
467 decode_16(value));
468 break;
469 }
470 break;
471
472 case IPSEC_ATTR_ECN_TUNNEL10:
473 if (decode_16(value))
474 switch (proto->proto) {
475 case IPSEC_PROTO_IPSEC_AH2:
476 ah_ecn = "yes";
477 break;
478
479 case IPSEC_PROTO_IPSEC_ESP3:
480 esp_ecn = "yes";
481 break;
482
483 case IPSEC_PROTO_IPCOMP4:
484 comp_ecn = "yes";
485 break;
486 }
487
488 case IPSEC_ATTR_ENCAPSULATION_MODE4:
489 if (decode_16(value) == IPSEC_ENCAP_TUNNEL1)
490 switch (proto->proto) {
491 case IPSEC_PROTO_IPSEC_AH2:
492 ah_encapsulation = "tunnel";
493 break;
494
495 case IPSEC_PROTO_IPSEC_ESP3:
496 esp_encapsulation = "tunnel";
497 break;
498
499 case IPSEC_PROTO_IPCOMP4:
500 comp_encapsulation = "tunnel";
501 break;
502 }
503 else if (decode_16(value) ==
504 IPSEC_ENCAP_UDP_ENCAP_TUNNEL3 ||
505 decode_16(value) ==
506 IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT61443)
507 switch (proto->proto) {
508 case IPSEC_PROTO_IPSEC_AH2:
509 ah_encapsulation = "udp-encap-tunnel";
510 break;
511
512 case IPSEC_PROTO_IPSEC_ESP3:
513 esp_encapsulation = "udp-encap-tunnel";
514 break;
515
516 case IPSEC_PROTO_IPCOMP4:
517 comp_encapsulation = "udp-encap-tunnel";
518 break;
519 }
520 /* XXX IPSEC_ENCAP_UDP_ENCAP_TRANSPORT */
521 else
522 switch (proto->proto) {
523 case IPSEC_PROTO_IPSEC_AH2:
524 ah_encapsulation = "transport";
525 break;
526
527 case IPSEC_PROTO_IPSEC_ESP3:
528 esp_encapsulation = "transport";
529 break;
530
531 case IPSEC_PROTO_IPCOMP4:
532 comp_encapsulation = "transport";
533 break;
534 }
535 break;
536
537 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM5:
538 switch (proto->proto) {
539 case IPSEC_PROTO_IPSEC_AH2:
540 switch (decode_16(value)) {
541 case IPSEC_AUTH_HMAC_MD51:
542 ah_auth_alg = "hmac-md5";
543 break;
544
545 case IPSEC_AUTH_HMAC_SHA2:
546 ah_auth_alg = "hmac-sha";
547 break;
548
549 case IPSEC_AUTH_HMAC_RIPEMD8:
550 ah_auth_alg = "hmac-ripemd";
551 break;
552
553 case IPSEC_AUTH_HMAC_SHA2_2565:
554 ah_auth_alg = "hmac-sha2-256";
555 break;
556
557 case IPSEC_AUTH_HMAC_SHA2_3846:
558 ah_auth_alg = "hmac-sha2-384";
559 break;
560
561 case IPSEC_AUTH_HMAC_SHA2_5127:
562 ah_auth_alg = "hmac-sha2-512";
563 break;
564
565 case IPSEC_AUTH_DES_MAC3:
566 ah_auth_alg = "des-mac";
567 break;
568
569 case IPSEC_AUTH_KPDK4:
570 ah_auth_alg = "kpdk";
571 break;
572 }
573 break;
574
575 case IPSEC_PROTO_IPSEC_ESP3:
576 switch (decode_16(value)) {
577 case IPSEC_AUTH_HMAC_MD51:
578 esp_auth_alg = "hmac-md5";
579 break;
580
581 case IPSEC_AUTH_HMAC_SHA2:
582 esp_auth_alg = "hmac-sha";
583 break;
584
585 case IPSEC_AUTH_HMAC_RIPEMD8:
586 esp_auth_alg = "hmac-ripemd";
587 break;
588
589 case IPSEC_AUTH_HMAC_SHA2_2565:
590 esp_auth_alg = "hmac-sha2-256";
591 break;
592
593 case IPSEC_AUTH_HMAC_SHA2_3846:
594 esp_auth_alg = "hmac-sha2-384";
595 break;
596
597 case IPSEC_AUTH_HMAC_SHA2_5127:
598 esp_auth_alg = "hmac-sha2-512";
599 break;
600
601 case IPSEC_AUTH_DES_MAC3:
602 esp_auth_alg = "des-mac";
603 break;
604
605 case IPSEC_AUTH_KPDK4:
606 esp_auth_alg = "kpdk";
607 break;
608 }
609 break;
610 }
611 break;
612
613 case IPSEC_ATTR_KEY_LENGTH6:
614 switch (proto->proto) {
615 case IPSEC_PROTO_IPSEC_AH2:
616 snprintf(ah_key_length,
617 sizeof ah_key_length, "%u",
618 decode_16(value));
619 break;
620
621 case IPSEC_PROTO_IPSEC_ESP3:
622 snprintf(esp_key_length,
623 sizeof esp_key_length, "%u",
624 decode_16(value));
625 break;
626 }
627 break;
628
629 case IPSEC_ATTR_KEY_ROUNDS7:
630 switch (proto->proto) {
631 case IPSEC_PROTO_IPSEC_AH2:
632 snprintf(ah_key_rounds,
633 sizeof ah_key_rounds, "%u",
634 decode_16(value));
635 break;
636
637 case IPSEC_PROTO_IPSEC_ESP3:
638 snprintf(esp_key_rounds,
639 sizeof esp_key_rounds, "%u",
640 decode_16(value));
641 break;
642 }
643 break;
644
645 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE8:
646 snprintf(comp_dict_size,
647 sizeof comp_dict_size, "%u",
648 decode_16(value));
649 break;
650
651 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM9:
652 snprintf(comp_private_alg,
653 sizeof comp_private_alg, "%u",
654 decode_16(value));
655 break;
656 }
657 }
658 }
659
660 policy_sa->transport->vtbl->get_src(policy_sa->transport,
661 &sin);
662 if (sockaddr2text(sin, &addr, 1)) {
663 log_error("policy_callback: sockaddr2text failed");
664 goto bad;
665 }
666 strlcpy(local_ike_address, addr, sizeof local_ike_address);
667 free(addr);
668
669 policy_sa->transport->vtbl->get_dst(policy_sa->transport,
670 &sin);
671 if (sockaddr2text(sin, &addr, 1)) {
672 log_error("policy_callback: sockaddr2text failed");
673 goto bad;
674 }
675 strlcpy(remote_ike_address, addr, sizeof remote_ike_address);
676 free(addr);
677
678 switch (policy_isakmp_sa->exch_type) {
679 case ISAKMP_EXCH_AGGRESSIVE4:
680 phase_1 = "aggressive";
681 break;
682
683 case ISAKMP_EXCH_ID_PROT2:
684 phase_1 = "main";
685 break;
686 }
687
688 if (policy_isakmp_sa->initiator) {
689 id = policy_isakmp_sa->id_r;
690 id_sz = policy_isakmp_sa->id_r_len;
691 } else {
692 id = policy_isakmp_sa->id_i;
693 id_sz = policy_isakmp_sa->id_i_len;
694 }
695
696 switch (id[0]) {
697 case IPSEC_ID_IPV4_ADDR1:
698 remote_id_type = "IPv4 address";
699
700 net = decode_32(id + ISAKMP_ID_DATA_OFF8 -
701 ISAKMP_GEN_SZ4);
702 my_inet_ntop4(&net, remote_id_addr_upper,
703 sizeof remote_id_addr_upper - 1, 1);
704 my_inet_ntop4(&net, remote_id_addr_lower,
705 sizeof remote_id_addr_lower - 1, 1);
706 remote_id = strdup(remote_id_addr_upper);
707 if (!remote_id) {
708 log_error("policy_callback: "
709 "strdup (\"%s\") failed",
710 remote_id_addr_upper);
711 goto bad;
712 }
713 break;
714
715 case IPSEC_ID_IPV4_RANGE7:
716 remote_id_type = "IPv4 range";
717
718 net = decode_32(id + ISAKMP_ID_DATA_OFF8 -
719 ISAKMP_GEN_SZ4);
720 my_inet_ntop4(&net, remote_id_addr_lower,
721 sizeof remote_id_addr_lower - 1, 1);
722 net = decode_32(id + ISAKMP_ID_DATA_OFF8 -
723 ISAKMP_GEN_SZ4 + 4);
724 my_inet_ntop4(&net, remote_id_addr_upper,
725 sizeof remote_id_addr_upper - 1, 1);
726 len = strlen(remote_id_addr_upper) +
727 strlen(remote_id_addr_lower) + 2;
728 remote_id = calloc(len, sizeof(char));
729 if (!remote_id) {
730 log_error("policy_callback: "
731 "calloc (%d, %lu) failed", len,
732 (unsigned long)sizeof(char));
733 goto bad;
734 }
735 strlcpy(remote_id, remote_id_addr_lower, len);
736 strlcat(remote_id, "-", len);
737 strlcat(remote_id, remote_id_addr_upper, len);
738 break;
739
740 case IPSEC_ID_IPV4_ADDR_SUBNET4:
741 remote_id_type = "IPv4 subnet";
742
743 net = decode_32(id + ISAKMP_ID_DATA_OFF8 -
744 ISAKMP_GEN_SZ4);
745 subnet = decode_32(id + ISAKMP_ID_DATA_OFF8 -
746 ISAKMP_GEN_SZ4 + 4);
747 net &= subnet;
748 my_inet_ntop4(&net, remote_id_addr_lower,
749 sizeof remote_id_addr_lower - 1, 1);
750 net |= ~subnet;
751 my_inet_ntop4(&net, remote_id_addr_upper,
752 sizeof remote_id_addr_upper - 1, 1);
753 len = strlen(remote_id_addr_upper) +
754 strlen(remote_id_addr_lower) + 2;
755 remote_id = calloc(len, sizeof(char));
756 if (!remote_id) {
757 log_error("policy_callback: "
758 "calloc (%d, %lu) failed", len,
759 (unsigned long)sizeof(char));
760 goto bad;
761 }
762 strlcpy(remote_id, remote_id_addr_lower, len);
763 strlcat(remote_id, "-", len);
764 strlcat(remote_id, remote_id_addr_upper, len);
765 break;
766
767 case IPSEC_ID_IPV6_ADDR5:
768 remote_id_type = "IPv6 address";
769 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF8 - ISAKMP_GEN_SZ4,
770 remote_id_addr_upper, sizeof remote_id_addr_upper);
771 strlcpy(remote_id_addr_lower, remote_id_addr_upper,
772 sizeof remote_id_addr_lower);
773 remote_id = strdup(remote_id_addr_upper);
774 if (!remote_id) {
775 log_error("policy_callback: "
776 "strdup (\"%s\") failed",
777 remote_id_addr_upper);
778 goto bad;
779 }
780 break;
781
782 case IPSEC_ID_IPV6_RANGE8:
783 remote_id_type = "IPv6 range";
784
785 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF8 - ISAKMP_GEN_SZ4,
786 remote_id_addr_lower,
787 sizeof remote_id_addr_lower - 1);
788
789 my_inet_ntop6(id + ISAKMP_ID_DATA_OFF8 -
790 ISAKMP_GEN_SZ4 + 16, remote_id_addr_upper,
791 sizeof remote_id_addr_upper - 1);
792
793 len = strlen(remote_id_addr_upper) +
794 strlen(remote_id_addr_lower) + 2;
795 remote_id = calloc(len, sizeof(char));
796 if (!remote_id) {
797 log_error("policy_callback: "
798 "calloc (%d, %lu) failed", len,
799 (unsigned long)sizeof(char));
800 goto bad;
801 }
802 strlcpy(remote_id, remote_id_addr_lower, len);
803 strlcat(remote_id, "-", len);
804 strlcat(remote_id, remote_id_addr_upper, len);
805 break;
806
807 case IPSEC_ID_IPV6_ADDR_SUBNET6:
808 {
809 struct in6_addr net, mask;
810
811 remote_id_type = "IPv6 subnet";
812
813 bcopy(id + ISAKMP_ID_DATA_OFF8 - ISAKMP_GEN_SZ4, &net,
814 sizeof(net));
815 bcopy(id + ISAKMP_ID_DATA_OFF8 - ISAKMP_GEN_SZ4 + 16,
816 &mask, sizeof(mask));
817
818 for (i = 0; i < 16; i++)
819 net.s6_addr__u6_addr.__u6_addr8[i] &= mask.s6_addr__u6_addr.__u6_addr8[i];
820
821 my_inet_ntop6((unsigned char *)&net,
822 remote_id_addr_lower,
823 sizeof remote_id_addr_lower - 1);
824
825 for (i = 0; i < 16; i++)
826 net.s6_addr__u6_addr.__u6_addr8[i] |= ~mask.s6_addr__u6_addr.__u6_addr8[i];
827
828 my_inet_ntop6((unsigned char *)&net,
829 remote_id_addr_upper,
830 sizeof remote_id_addr_upper - 1);
831
832 len = strlen(remote_id_addr_upper) +
833 strlen(remote_id_addr_lower) + 2;
834 remote_id = calloc(len, sizeof(char));
835 if (!remote_id) {
836 log_error("policy_callback: "
837 "calloc (%d, %lu) failed", len,
838 (unsigned long)sizeof(char));
839 goto bad;
840 }
841 strlcpy(remote_id, remote_id_addr_lower, len);
842 strlcat(remote_id, "-", len);
843 strlcat(remote_id, remote_id_addr_upper, len);
844 break;
845 }
846
847 case IPSEC_ID_FQDN2:
848 remote_id_type = "FQDN";
849 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF8 +
850 ISAKMP_GEN_SZ4 + 1, sizeof(char));
851 if (!remote_id) {
852 log_error("policy_callback: "
853 "calloc (%lu, %lu) failed",
854 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF8 +
855 ISAKMP_GEN_SZ4 + 1,
856 (unsigned long)sizeof(char));
857 goto bad;
858 }
859 memcpy(remote_id,
860 id + ISAKMP_ID_DATA_OFF8 - ISAKMP_GEN_SZ4,
861 id_sz - ISAKMP_ID_DATA_OFF8 + ISAKMP_GEN_SZ4);
862 break;
863
864 case IPSEC_ID_USER_FQDN3:
865 remote_id_type = "User FQDN";
866 remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF8 +
867 ISAKMP_GEN_SZ4 + 1, sizeof(char));
868 if (!remote_id) {
869 log_error("policy_callback: "
870 "calloc (%lu, %lu) failed",
871 (unsigned long)id_sz - ISAKMP_ID_DATA_OFF8 +
872 ISAKMP_GEN_SZ4 + 1,
873 (unsigned long)sizeof(char));
874 goto bad;
875 }
876 memcpy(remote_id,
877 id + ISAKMP_ID_DATA_OFF8 - ISAKMP_GEN_SZ4,
878 id_sz - ISAKMP_ID_DATA_OFF8 + ISAKMP_GEN_SZ4);
879 break;
880
881 case IPSEC_ID_DER_ASN1_DN9:
882 remote_id_type = "ASN1 DN";
883
884 remote_id = x509_DN_string(id + ISAKMP_ID_DATA_OFF8 -
885 ISAKMP_GEN_SZ4,
886 id_sz - ISAKMP_ID_DATA_OFF8 + ISAKMP_GEN_SZ4);
887 if (!remote_id) {
888 LOG_DBG((LOG_POLICY, 50,log_debug (LOG_POLICY, 50, "policy_callback: failed to decode name"
)
889 "policy_callback: failed to decode name"))log_debug (LOG_POLICY, 50, "policy_callback: failed to decode name"
);
890 goto bad;
891 }
892 break;
893
894 case IPSEC_ID_DER_ASN1_GN10: /* XXX */
895 remote_id_type = "ASN1 GN";
896 break;
897
898 case IPSEC_ID_KEY_ID11:
899 remote_id_type = "Key ID";
900 remote_id = calloc(2 * (id_sz - ISAKMP_ID_DATA_OFF8 +
901 ISAKMP_GEN_SZ4) + 1, sizeof(char));
902 if (!remote_id) {
903 log_error("policy_callback: "
904 "calloc (%lu, %lu) failed",
905 2 * ((unsigned long)id_sz -
906 ISAKMP_ID_DATA_OFF8 + ISAKMP_GEN_SZ4) + 1,
907 (unsigned long)sizeof(char));
908 goto bad;
909 }
910 /* Does it contain any non-printable characters ? */
911 for (i = 0;
912 i < id_sz - ISAKMP_ID_DATA_OFF8 + ISAKMP_GEN_SZ4;
913 i++)
914 if (!isprint((unsigned char)*(id + ISAKMP_ID_DATA_OFF8 -
915 ISAKMP_GEN_SZ4 + i)))
916 break;
917 if (i >= id_sz - ISAKMP_ID_DATA_OFF8 + ISAKMP_GEN_SZ4) {
918 memcpy(remote_id, id + ISAKMP_ID_DATA_OFF8 -
919 ISAKMP_GEN_SZ4,
920 id_sz - ISAKMP_ID_DATA_OFF8 +
921 ISAKMP_GEN_SZ4);
922 break;
923 }
924 /* Non-printable characters, convert to hex */
925 for (i = 0;
926 i < id_sz - ISAKMP_ID_DATA_OFF8 + ISAKMP_GEN_SZ4;
927 i++) {
928 remote_id[2 * i] = hextab[*(id +
929 ISAKMP_ID_DATA_OFF8 - ISAKMP_GEN_SZ4) >> 4];
930 remote_id[2 * i + 1] = hextab[*(id +
931 ISAKMP_ID_DATA_OFF8 - ISAKMP_GEN_SZ4) & 0xF];
932 }
933 break;
934
935 default:
936 log_print("policy_callback: "
937 "unknown remote ID type %u", id[0]);
938 goto bad;
939 }
940
941 switch (id[1]) {
942 case IPPROTO_TCP6:
943 remote_id_proto = "tcp";
944 break;
945
946 case IPPROTO_UDP17:
947 remote_id_proto = "udp";
948 break;
949
950 case IPPROTO_ETHERIP97:
951 remote_id_proto = "etherip";
952 break;
953
954 default:
955 snprintf(remote_id_proto_num,
956 sizeof remote_id_proto_num, "%d",
957 id[1]);
958 remote_id_proto = remote_id_proto_num;
959 break;
960 }
961
962 snprintf(remote_id_port, sizeof remote_id_port, "%u",
963 decode_16(id + 2));
964
965 if (policy_exchange->initiator) {
966 initiator = "yes";
967 idlocal = ie->id_ci;
968 idremote = ie->id_cr;
969 idlocalsz = ie->id_ci_sz;
970 idremotesz = ie->id_cr_sz;
971 } else {
972 initiator = "no";
973 idlocal = ie->id_cr;
974 idremote = ie->id_ci;
975 idlocalsz = ie->id_cr_sz;
976 idremotesz = ie->id_ci_sz;
977 }
978
979 /* Initialize the ID variables. */
980 if (idremote) {
981 switch (GET_ISAKMP_ID_TYPE(idremote)field_get_num (isakmp_id_fld + 0, idremote)) {
982 case IPSEC_ID_IPV4_ADDR1:
983 remote_filter_type = "IPv4 address";
984
985 net = decode_32(idremote + ISAKMP_ID_DATA_OFF8);
986 my_inet_ntop4(&net, remote_filter_addr_upper,
987 sizeof remote_filter_addr_upper - 1, 1);
988 my_inet_ntop4(&net, remote_filter_addr_lower,
989 sizeof remote_filter_addr_lower - 1, 1);
990 remote_filter =
991 strdup(remote_filter_addr_upper);
992 if (!remote_filter) {
993 log_error("policy_callback: strdup "
994 "(\"%s\") failed",
995 remote_filter_addr_upper);
996 goto bad;
997 }
998 break;
999
1000 case IPSEC_ID_IPV4_RANGE7:
1001 remote_filter_type = "IPv4 range";
1002
1003 net = decode_32(idremote + ISAKMP_ID_DATA_OFF8);
1004 my_inet_ntop4(&net, remote_filter_addr_lower,
1005 sizeof remote_filter_addr_lower - 1, 1);
1006 net = decode_32(idremote + ISAKMP_ID_DATA_OFF8 +
1007 4);
1008 my_inet_ntop4(&net, remote_filter_addr_upper,
1009 sizeof remote_filter_addr_upper - 1, 1);
1010 len = strlen(remote_filter_addr_upper) +
1011 strlen(remote_filter_addr_lower) + 2;
1012 remote_filter = calloc(len, sizeof(char));
1013 if (!remote_filter) {
1014 log_error("policy_callback: calloc "
1015 "(%d, %lu) failed", len,
1016 (unsigned long)sizeof(char));
1017 goto bad;
1018 }
1019 strlcpy(remote_filter,
1020 remote_filter_addr_lower, len);
1021 strlcat(remote_filter, "-", len);
1022 strlcat(remote_filter,
1023 remote_filter_addr_upper, len);
1024 break;
1025
1026 case IPSEC_ID_IPV4_ADDR_SUBNET4:
1027 remote_filter_type = "IPv4 subnet";
1028
1029 net = decode_32(idremote + ISAKMP_ID_DATA_OFF8);
1030 subnet = decode_32(idremote +
1031 ISAKMP_ID_DATA_OFF8 + 4);
1032 net &= subnet;
1033 my_inet_ntop4(&net, remote_filter_addr_lower,
1034 sizeof remote_filter_addr_lower - 1, 1);
1035 net |= ~subnet;
1036 my_inet_ntop4(&net, remote_filter_addr_upper,
1037 sizeof remote_filter_addr_upper - 1, 1);
1038 len = strlen(remote_filter_addr_upper) +
1039 strlen(remote_filter_addr_lower) + 2;
1040 remote_filter = calloc(len, sizeof(char));
1041 if (!remote_filter) {
1042 log_error("policy_callback: calloc "
1043 "(%d, %lu) failed", len,
1044 (unsigned long)sizeof(char));
1045 goto bad;
1046 }
1047 strlcpy(remote_filter,
1048 remote_filter_addr_lower, len);
1049 strlcat(remote_filter, "-", len);
1050 strlcat(remote_filter,
1051 remote_filter_addr_upper, len);
1052 break;
1053
1054 case IPSEC_ID_IPV6_ADDR5:
1055 remote_filter_type = "IPv6 address";
1056 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF8,
1057 remote_filter_addr_upper,
1058 sizeof remote_filter_addr_upper - 1);
1059 strlcpy(remote_filter_addr_lower,
1060 remote_filter_addr_upper,
1061 sizeof remote_filter_addr_lower);
1062 remote_filter =
1063 strdup(remote_filter_addr_upper);
1064 if (!remote_filter) {
1065 log_error("policy_callback: strdup "
1066 "(\"%s\") failed",
1067 remote_filter_addr_upper);
1068 goto bad;
1069 }
1070 break;
1071
1072 case IPSEC_ID_IPV6_RANGE8:
1073 remote_filter_type = "IPv6 range";
1074
1075 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF8,
1076 remote_filter_addr_lower,
1077 sizeof remote_filter_addr_lower - 1);
1078
1079 my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF8 +
1080 16, remote_filter_addr_upper,
1081 sizeof remote_filter_addr_upper - 1);
1082
1083 len = strlen(remote_filter_addr_upper) +
1084 strlen(remote_filter_addr_lower) + 2;
1085 remote_filter = calloc(len, sizeof(char));
1086 if (!remote_filter) {
1087 log_error("policy_callback: calloc "
1088 "(%d, %lu) failed", len,
1089 (unsigned long)sizeof(char));
1090 goto bad;
1091 }
1092 strlcpy(remote_filter,
1093 remote_filter_addr_lower, len);
1094 strlcat(remote_filter, "-", len);
1095 strlcat(remote_filter,
1096 remote_filter_addr_upper, len);
1097 break;
1098
1099 case IPSEC_ID_IPV6_ADDR_SUBNET6:
1100 {
1101 struct in6_addr net, mask;
1102
1103 remote_filter_type = "IPv6 subnet";
1104
1105 bcopy(idremote + ISAKMP_ID_DATA_OFF8,
1106 &net, sizeof(net));
1107 bcopy(idremote + ISAKMP_ID_DATA_OFF8 +
1108 16, &mask, sizeof(mask));
1109
1110 for (i = 0; i < 16; i++)
1111 net.s6_addr__u6_addr.__u6_addr8[i] &=
1112 mask.s6_addr__u6_addr.__u6_addr8[i];
1113
1114 my_inet_ntop6((unsigned char *)&net,
1115 remote_filter_addr_lower,
1116 sizeof remote_filter_addr_lower - 1);
1117
1118 for (i = 0; i < 16; i++)
1119 net.s6_addr__u6_addr.__u6_addr8[i] |=
1120 ~mask.s6_addr__u6_addr.__u6_addr8[i];
1121
1122 my_inet_ntop6((unsigned char *)&net,
1123 remote_filter_addr_upper,
1124 sizeof remote_filter_addr_upper - 1);
1125
1126 len = strlen(remote_filter_addr_upper)
1127 + strlen(remote_filter_addr_lower) + 2;
1128 remote_filter = calloc(len,
1129 sizeof(char));
1130 if (!remote_filter) {
1131 log_error("policy_callback: "
1132 "calloc (%d, %lu) failed",
1133 len,
1134 (unsigned long)sizeof(char));
1135 goto bad;
1136 }
1137 strlcpy(remote_filter,
1138 remote_filter_addr_lower, len);
1139 strlcat(remote_filter, "-", len);
1140 strlcat(remote_filter,
1141 remote_filter_addr_upper, len);
1142 break;
1143 }
1144
1145 case IPSEC_ID_FQDN2:
1146 remote_filter_type = "FQDN";
1147 remote_filter = malloc(idremotesz -
1148 ISAKMP_ID_DATA_OFF8 + 1);
1149 if (!remote_filter) {
1150 log_error("policy_callback: "
1151 "malloc (%lu) failed",
1152 (unsigned long)idremotesz -
1153 ISAKMP_ID_DATA_OFF8 + 1);
1154 goto bad;
1155 }
1156 memcpy(remote_filter,
1157 idremote + ISAKMP_ID_DATA_OFF8,
1158 idremotesz - ISAKMP_ID_DATA_OFF8);
1159 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF8]
1160 = '\0';
1161 break;
1162
1163 case IPSEC_ID_USER_FQDN3:
1164 remote_filter_type = "User FQDN";
1165 remote_filter = malloc(idremotesz -
1166 ISAKMP_ID_DATA_OFF8 + 1);
1167 if (!remote_filter) {
1168 log_error("policy_callback: "
1169 "malloc (%lu) failed",
1170 (unsigned long)idremotesz -
1171 ISAKMP_ID_DATA_OFF8 + 1);
1172 goto bad;
1173 }
1174 memcpy(remote_filter,
1175 idremote + ISAKMP_ID_DATA_OFF8,
1176 idremotesz - ISAKMP_ID_DATA_OFF8);
1177 remote_filter[idremotesz - ISAKMP_ID_DATA_OFF8]
1178 = '\0';
1179 break;
1180
1181 case IPSEC_ID_DER_ASN1_DN9:
1182 remote_filter_type = "ASN1 DN";
1183
1184 remote_filter = x509_DN_string(idremote +
1185 ISAKMP_ID_DATA_OFF8,
1186 idremotesz - ISAKMP_ID_DATA_OFF8);
1187 if (!remote_filter) {
1188 LOG_DBG((LOG_POLICY, 50,log_debug (LOG_POLICY, 50, "policy_callback: " "failed to decode name"
)
1189 "policy_callback: "log_debug (LOG_POLICY, 50, "policy_callback: " "failed to decode name"
)
1190 "failed to decode name"))log_debug (LOG_POLICY, 50, "policy_callback: " "failed to decode name"
);
1191 goto bad;
1192 }
1193 break;
1194
1195 case IPSEC_ID_DER_ASN1_GN10: /* XXX -- not sure
1196 * what's in this. */
1197 remote_filter_type = "ASN1 GN";
1198 break;
1199
1200 case IPSEC_ID_KEY_ID11:
1201 remote_filter_type = "Key ID";
1202 remote_filter
1203 = calloc(2 * (idremotesz -
1204 ISAKMP_ID_DATA_OFF8) + 1,
1205 sizeof(char));
1206 if (!remote_filter) {
1207 log_error("policy_callback: "
1208 "calloc (%lu, %lu) failed",
1209 2 * ((unsigned long)idremotesz -
1210 ISAKMP_ID_DATA_OFF8) + 1,
1211 (unsigned long)sizeof(char));
1212 goto bad;
1213 }
1214 /*
1215 * Does it contain any non-printable
1216 * characters ?
1217 */
1218 for (i = 0;
1219 i < idremotesz - ISAKMP_ID_DATA_OFF8; i++)
1220 if (!isprint((unsigned char)*(idremote +
1221 ISAKMP_ID_DATA_OFF8 + i)))
1222 break;
1223 if (i >= idremotesz - ISAKMP_ID_DATA_OFF8) {
1224 memcpy(remote_filter,
1225 idremote + ISAKMP_ID_DATA_OFF8,
1226 idremotesz - ISAKMP_ID_DATA_OFF8);
1227 break;
1228 }
1229 /* Non-printable characters, convert to hex */
1230 for (i = 0;
1231 i < idremotesz - ISAKMP_ID_DATA_OFF8;
1232 i++) {
1233 remote_filter[2 * i]
1234 = hextab[*(idremote +
1235 ISAKMP_ID_DATA_OFF8) >> 4];
1236 remote_filter[2 * i + 1]
1237 = hextab[*(idremote +
1238 ISAKMP_ID_DATA_OFF8) & 0xF];
1239 }
1240 break;
1241
1242 default:
1243 log_print("policy_callback: "
1244 "unknown Remote ID type %u",
1245 GET_ISAKMP_ID_TYPE(idremote)field_get_num (isakmp_id_fld + 0, idremote));
1246 goto bad;
1247 }
1248
1249 switch (idremote[ISAKMP_GEN_SZ4 + 1]) {
1250 case IPPROTO_TCP6:
1251 remote_filter_proto = "tcp";
1252 break;
1253
1254 case IPPROTO_UDP17:
1255 remote_filter_proto = "udp";
1256 break;
1257
1258 case IPPROTO_ETHERIP97:
1259 remote_filter_proto = "etherip";
1260 break;
1261
1262 default:
1263 snprintf(remote_filter_proto_num,
1264 sizeof remote_filter_proto_num, "%d",
1265 idremote[ISAKMP_GEN_SZ4 + 1]);
1266 remote_filter_proto = remote_filter_proto_num;
1267 break;
1268 }
1269
1270 snprintf(remote_filter_port, sizeof remote_filter_port,
1271 "%u", decode_16(idremote + ISAKMP_GEN_SZ4 + 2));
1272 } else {
1273 policy_sa->transport->vtbl->get_dst(policy_sa->transport, &sin);
1274 switch (sin->sa_family) {
1275 case AF_INET2:
1276 remote_filter_type = "IPv4 address";
1277 break;
1278 case AF_INET624:
1279 remote_filter_type = "IPv6 address";
1280 break;
1281 default:
1282 log_print("policy_callback: "
1283 "unsupported protocol family %d",
1284 sin->sa_family);
1285 goto bad;
1286 }
1287 if (sockaddr2text(sin, &addr, 1)) {
1288 log_error("policy_callback: "
1289 "sockaddr2text failed");
1290 goto bad;
1291 }
1292 memcpy(remote_filter_addr_upper, addr,
1293 sizeof remote_filter_addr_upper);
1294 memcpy(remote_filter_addr_lower, addr,
1295 sizeof remote_filter_addr_lower);
1296 free(addr);
1297 remote_filter = strdup(remote_filter_addr_upper);
1298 if (!remote_filter) {
1299 log_error("policy_callback: "
1300 "strdup (\"%s\") failed",
1301 remote_filter_addr_upper);
1302 goto bad;
1303 }
1304 }
1305
1306 if (idlocal) {
1307 switch (GET_ISAKMP_ID_TYPE(idlocal)field_get_num (isakmp_id_fld + 0, idlocal)) {
1308 case IPSEC_ID_IPV4_ADDR1:
1309 local_filter_type = "IPv4 address";
1310
1311 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF8);
1312 my_inet_ntop4(&net, local_filter_addr_upper,
1313 sizeof local_filter_addr_upper - 1, 1);
1314 my_inet_ntop4(&net, local_filter_addr_lower,
1315 sizeof local_filter_addr_upper - 1, 1);
1316 local_filter = strdup(local_filter_addr_upper);
1317 if (!local_filter) {
1318 log_error("policy_callback: "
1319 "strdup (\"%s\") failed",
1320 local_filter_addr_upper);
1321 goto bad;
1322 }
1323 break;
1324
1325 case IPSEC_ID_IPV4_RANGE7:
1326 local_filter_type = "IPv4 range";
1327
1328 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF8);
1329 my_inet_ntop4(&net, local_filter_addr_lower,
1330 sizeof local_filter_addr_lower - 1, 1);
1331 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF8 +
1332 4);
1333 my_inet_ntop4(&net, local_filter_addr_upper,
1334 sizeof local_filter_addr_upper - 1, 1);
1335 len = strlen(local_filter_addr_upper)
1336 + strlen(local_filter_addr_lower) + 2;
1337 local_filter = calloc(len, sizeof(char));
1338 if (!local_filter) {
1339 log_error("policy_callback: "
1340 "calloc (%d, %lu) failed", len,
1341 (unsigned long)sizeof(char));
1342 goto bad;
1343 }
1344 strlcpy(local_filter, local_filter_addr_lower,
1345 len);
1346 strlcat(local_filter, "-", len);
1347 strlcat(local_filter, local_filter_addr_upper,
1348 len);
1349 break;
1350
1351 case IPSEC_ID_IPV4_ADDR_SUBNET4:
1352 local_filter_type = "IPv4 subnet";
1353
1354 net = decode_32(idlocal + ISAKMP_ID_DATA_OFF8);
1355 subnet = decode_32(idlocal +
1356 ISAKMP_ID_DATA_OFF8 + 4);
1357 net &= subnet;
1358 my_inet_ntop4(&net, local_filter_addr_lower,
1359 sizeof local_filter_addr_lower - 1, 1);
1360 net |= ~subnet;
1361 my_inet_ntop4(&net, local_filter_addr_upper,
1362 sizeof local_filter_addr_upper - 1, 1);
1363 len = strlen(local_filter_addr_upper) +
1364 strlen(local_filter_addr_lower) + 2;
1365 local_filter = calloc(len, sizeof(char));
1366 if (!local_filter) {
1367 log_error("policy_callback: "
1368 "calloc (%d, %lu) failed", len,
1369 (unsigned long)sizeof(char));
1370 goto bad;
1371 }
1372 strlcpy(local_filter, local_filter_addr_lower,
1373 len);
1374 strlcat(local_filter, "-", len);
1375 strlcat(local_filter, local_filter_addr_upper,
1376 len);
1377 break;
1378
1379 case IPSEC_ID_IPV6_ADDR5:
1380 local_filter_type = "IPv6 address";
1381 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF8,
1382 local_filter_addr_upper,
1383 sizeof local_filter_addr_upper - 1);
1384 strlcpy(local_filter_addr_lower,
1385 local_filter_addr_upper,
1386 sizeof local_filter_addr_lower);
1387 local_filter = strdup(local_filter_addr_upper);
1388 if (!local_filter) {
1389 log_error("policy_callback: "
1390 "strdup (\"%s\") failed",
1391 local_filter_addr_upper);
1392 goto bad;
1393 }
1394 break;
1395
1396 case IPSEC_ID_IPV6_RANGE8:
1397 local_filter_type = "IPv6 range";
1398
1399 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF8,
1400 local_filter_addr_lower,
1401 sizeof local_filter_addr_lower - 1);
1402
1403 my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF8 +
1404 16, local_filter_addr_upper,
1405 sizeof local_filter_addr_upper - 1);
1406
1407 len = strlen(local_filter_addr_upper)
1408 + strlen(local_filter_addr_lower) + 2;
1409 local_filter = calloc(len, sizeof(char));
1410 if (!local_filter) {
1411 log_error("policy_callback: "
1412 "calloc (%d, %lu) failed", len,
1413 (unsigned long)sizeof(char));
1414 goto bad;
1415 }
1416 strlcpy(local_filter, local_filter_addr_lower,
1417 len);
1418 strlcat(local_filter, "-", len);
1419 strlcat(local_filter, local_filter_addr_upper,
1420 len);
1421 break;
1422
1423 case IPSEC_ID_IPV6_ADDR_SUBNET6:
1424 {
1425 struct in6_addr net, mask;
1426
1427 local_filter_type = "IPv6 subnet";
1428
1429 bcopy(idlocal + ISAKMP_ID_DATA_OFF8,
1430 &net, sizeof(net));
1431 bcopy(idlocal + ISAKMP_ID_DATA_OFF8 +
1432 16, &mask, sizeof(mask));
1433
1434 for (i = 0; i < 16; i++)
1435 net.s6_addr__u6_addr.__u6_addr8[i] &=
1436 mask.s6_addr__u6_addr.__u6_addr8[i];
1437
1438 my_inet_ntop6((unsigned char *)&net,
1439 local_filter_addr_lower,
1440 sizeof local_filter_addr_lower - 1);
1441
1442 for (i = 0; i < 16; i++)
1443 net.s6_addr__u6_addr.__u6_addr8[i] |=
1444 ~mask.s6_addr__u6_addr.__u6_addr8[i];
1445
1446 my_inet_ntop6((unsigned char *)&net,
1447 local_filter_addr_upper,
1448 sizeof local_filter_addr_upper -
1449 1);
1450
1451 len = strlen(local_filter_addr_upper)
1452 + strlen(local_filter_addr_lower)
1453 + 2;
1454 local_filter = calloc(len,
1455 sizeof(char));
1456 if (!local_filter) {
1457 log_error("policy_callback: "
1458 "calloc (%d, %lu) failed",
1459 len,
1460 (unsigned long)sizeof(char));
1461 goto bad;
1462 }
1463 strlcpy(local_filter,
1464 local_filter_addr_lower, len);
1465 strlcat(local_filter, "-", len);
1466 strlcat(local_filter,
1467 local_filter_addr_upper, len);
1468 break;
1469 }
1470
1471 case IPSEC_ID_FQDN2:
1472 local_filter_type = "FQDN";
1473 local_filter = malloc(idlocalsz -
1474 ISAKMP_ID_DATA_OFF8 + 1);
1475 if (!local_filter) {
1476 log_error("policy_callback: "
1477 "malloc (%lu) failed",
1478 (unsigned long)idlocalsz -
1479 ISAKMP_ID_DATA_OFF8 + 1);
1480 goto bad;
1481 }
1482 memcpy(local_filter,
1483 idlocal + ISAKMP_ID_DATA_OFF8,
1484 idlocalsz - ISAKMP_ID_DATA_OFF8);
1485 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF8] = '\0';
1486 break;
1487
1488 case IPSEC_ID_USER_FQDN3:
1489 local_filter_type = "User FQDN";
1490 local_filter = malloc(idlocalsz -
1491 ISAKMP_ID_DATA_OFF8 + 1);
1492 if (!local_filter) {
1493 log_error("policy_callback: "
1494 "malloc (%lu) failed",
1495 (unsigned long)idlocalsz -
1496 ISAKMP_ID_DATA_OFF8 + 1);
1497 goto bad;
1498 }
1499 memcpy(local_filter,
1500 idlocal + ISAKMP_ID_DATA_OFF8,
1501 idlocalsz - ISAKMP_ID_DATA_OFF8);
1502 local_filter[idlocalsz - ISAKMP_ID_DATA_OFF8] = '\0';
1503 break;
1504
1505 case IPSEC_ID_DER_ASN1_DN9:
1506 local_filter_type = "ASN1 DN";
1507
1508 local_filter = x509_DN_string(idlocal +
1509 ISAKMP_ID_DATA_OFF8,
1510 idlocalsz - ISAKMP_ID_DATA_OFF8);
1511 if (!local_filter) {
1512 LOG_DBG((LOG_POLICY, 50,log_debug (LOG_POLICY, 50, "policy_callback: failed to decode"
" name")
1513 "policy_callback: failed to decode"log_debug (LOG_POLICY, 50, "policy_callback: failed to decode"
" name")
1514 " name"))log_debug (LOG_POLICY, 50, "policy_callback: failed to decode"
" name");
1515 goto bad;
1516 }
1517 break;
1518
1519 case IPSEC_ID_DER_ASN1_GN10:
1520 /* XXX -- not sure what's in this. */
1521 local_filter_type = "ASN1 GN";
1522 break;
1523
1524 case IPSEC_ID_KEY_ID11:
1525 local_filter_type = "Key ID";
1526 local_filter = calloc(2 * (idlocalsz -
1527 ISAKMP_ID_DATA_OFF8) + 1,
1528 sizeof(char));
1529 if (!local_filter) {
1530 log_error("policy_callback: "
1531 "calloc (%lu, %lu) failed",
1532 2 * ((unsigned long)idlocalsz -
1533 ISAKMP_ID_DATA_OFF8) + 1,
1534 (unsigned long)sizeof(char));
1535 goto bad;
1536 }
1537 /*
1538 * Does it contain any non-printable
1539 * characters ?
1540 */
1541 for (i = 0;
1542 i < idlocalsz - ISAKMP_ID_DATA_OFF8; i++)
1543 if (!isprint((unsigned char)*(idlocal +
1544 ISAKMP_ID_DATA_OFF8 + i)))
1545 break;
1546 if (i >= idlocalsz - ISAKMP_ID_DATA_OFF8) {
1547 memcpy(local_filter, idlocal +
1548 ISAKMP_ID_DATA_OFF8,
1549 idlocalsz - ISAKMP_ID_DATA_OFF8);
1550 break;
1551 }
1552 /* Non-printable characters, convert to hex */
1553 for (i = 0;
1554 i < idlocalsz - ISAKMP_ID_DATA_OFF8; i++) {
1555 local_filter[2 * i] =
1556 hextab[*(idlocal +
1557 ISAKMP_ID_DATA_OFF8) >> 4];
1558 local_filter[2 * i + 1] =
1559 hextab[*(idlocal +
1560 ISAKMP_ID_DATA_OFF8) & 0xF];
1561 }
1562 break;
1563
1564 default:
1565 log_print("policy_callback: "
1566 "unknown Local ID type %u",
1567 GET_ISAKMP_ID_TYPE(idlocal)field_get_num (isakmp_id_fld + 0, idlocal));
1568 goto bad;
1569 }
1570
1571 switch (idlocal[ISAKMP_GEN_SZ4 + 1]) {
1572 case IPPROTO_TCP6:
1573 local_filter_proto = "tcp";
1574 break;
1575
1576 case IPPROTO_UDP17:
1577 local_filter_proto = "udp";
1578 break;
1579
1580 case IPPROTO_ETHERIP97:
1581 local_filter_proto = "etherip";
1582 break;
1583
1584 default:
1585 snprintf(local_filter_proto_num,
1586 sizeof local_filter_proto_num,
1587 "%d", idlocal[ISAKMP_GEN_SZ4 + 1]);
1588 local_filter_proto = local_filter_proto_num;
1589 break;
1590 }
1591
1592 snprintf(local_filter_port, sizeof local_filter_port,
1593 "%u", decode_16(idlocal + ISAKMP_GEN_SZ4 + 2));
1594 } else {
1595 policy_sa->transport->vtbl->get_src(policy_sa->transport,
1596 (struct sockaddr **)&sin);
1597 switch (sin->sa_family) {
1598 case AF_INET2:
1599 local_filter_type = "IPv4 address";
1600 break;
1601 case AF_INET624:
1602 local_filter_type = "IPv6 address";
1603 break;
1604 default:
1605 log_print("policy_callback: "
1606 "unsupported protocol family %d",
1607 sin->sa_family);
1608 goto bad;
1609 }
1610
1611 if (sockaddr2text(sin, &addr, 1)) {
1612 log_error("policy_callback: "
1613 "sockaddr2text failed");
1614 goto bad;
1615 }
1616 memcpy(local_filter_addr_upper, addr,
1617 sizeof local_filter_addr_upper);
1618 memcpy(local_filter_addr_lower, addr,
1619 sizeof local_filter_addr_lower);
1620 free(addr);
1621 local_filter = strdup(local_filter_addr_upper);
1622 if (!local_filter) {
1623 log_error("policy_callback: "
1624 "strdup (\"%s\") failed",
1625 local_filter_addr_upper);
1626 goto bad;
1627 }
1628 }
1629
1630 LOG_DBG((LOG_POLICY, 80,log_debug (LOG_POLICY, 80, "Policy context (action attributes):"
)
1631 "Policy context (action attributes):"))log_debug (LOG_POLICY, 80, "Policy context (action attributes):"
);
1632 LOG_DBG((LOG_POLICY, 80, "esp_present == %s", esp_present))log_debug (LOG_POLICY, 80, "esp_present == %s", esp_present);
1633 LOG_DBG((LOG_POLICY, 80, "ah_present == %s", ah_present))log_debug (LOG_POLICY, 80, "ah_present == %s", ah_present);
1634 LOG_DBG((LOG_POLICY, 80, "comp_present == %s", comp_present))log_debug (LOG_POLICY, 80, "comp_present == %s", comp_present
);
1635 LOG_DBG((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg))log_debug (LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg);
1636 LOG_DBG((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg))log_debug (LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg);
1637 LOG_DBG((LOG_POLICY, 80, "comp_alg == %s", comp_alg))log_debug (LOG_POLICY, 80, "comp_alg == %s", comp_alg);
1638 LOG_DBG((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg))log_debug (LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg);
1639 LOG_DBG((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg))log_debug (LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg
);
1640 LOG_DBG((LOG_POLICY, 80, "ah_life_seconds == %s",log_debug (LOG_POLICY, 80, "ah_life_seconds == %s", ah_life_seconds
)
1641 ah_life_seconds))log_debug (LOG_POLICY, 80, "ah_life_seconds == %s", ah_life_seconds
);
1642 LOG_DBG((LOG_POLICY, 80, "ah_life_kbytes == %s",log_debug (LOG_POLICY, 80, "ah_life_kbytes == %s", ah_life_kbytes
)
1643 ah_life_kbytes))log_debug (LOG_POLICY, 80, "ah_life_kbytes == %s", ah_life_kbytes
);
1644 LOG_DBG((LOG_POLICY, 80, "esp_life_seconds == %s",log_debug (LOG_POLICY, 80, "esp_life_seconds == %s", esp_life_seconds
)
1645 esp_life_seconds))log_debug (LOG_POLICY, 80, "esp_life_seconds == %s", esp_life_seconds
);
1646 LOG_DBG((LOG_POLICY, 80, "esp_life_kbytes == %s",log_debug (LOG_POLICY, 80, "esp_life_kbytes == %s", esp_life_kbytes
)
1647 esp_life_kbytes))log_debug (LOG_POLICY, 80, "esp_life_kbytes == %s", esp_life_kbytes
);
1648 LOG_DBG((LOG_POLICY, 80, "comp_life_seconds == %s",log_debug (LOG_POLICY, 80, "comp_life_seconds == %s", comp_life_seconds
)
1649 comp_life_seconds))log_debug (LOG_POLICY, 80, "comp_life_seconds == %s", comp_life_seconds
);
1650 LOG_DBG((LOG_POLICY, 80, "comp_life_kbytes == %s",log_debug (LOG_POLICY, 80, "comp_life_kbytes == %s", comp_life_kbytes
)
1651 comp_life_kbytes))log_debug (LOG_POLICY, 80, "comp_life_kbytes == %s", comp_life_kbytes
);
1652 LOG_DBG((LOG_POLICY, 80, "ah_encapsulation == %s",log_debug (LOG_POLICY, 80, "ah_encapsulation == %s", ah_encapsulation
)
1653 ah_encapsulation))log_debug (LOG_POLICY, 80, "ah_encapsulation == %s", ah_encapsulation
);
1654 LOG_DBG((LOG_POLICY, 80, "esp_encapsulation == %s",log_debug (LOG_POLICY, 80, "esp_encapsulation == %s", esp_encapsulation
)
1655 esp_encapsulation))log_debug (LOG_POLICY, 80, "esp_encapsulation == %s", esp_encapsulation
);
1656 LOG_DBG((LOG_POLICY, 80, "comp_encapsulation == %s",log_debug (LOG_POLICY, 80, "comp_encapsulation == %s", comp_encapsulation
)
1657 comp_encapsulation))log_debug (LOG_POLICY, 80, "comp_encapsulation == %s", comp_encapsulation
);
1658 LOG_DBG((LOG_POLICY, 80, "comp_dict_size == %s",log_debug (LOG_POLICY, 80, "comp_dict_size == %s", comp_dict_size
)
1659 comp_dict_size))log_debug (LOG_POLICY, 80, "comp_dict_size == %s", comp_dict_size
);
1660 LOG_DBG((LOG_POLICY, 80, "comp_private_alg == %s",log_debug (LOG_POLICY, 80, "comp_private_alg == %s", comp_private_alg
)
1661 comp_private_alg))log_debug (LOG_POLICY, 80, "comp_private_alg == %s", comp_private_alg
);
1662 LOG_DBG((LOG_POLICY, 80, "ah_key_length == %s",log_debug (LOG_POLICY, 80, "ah_key_length == %s", ah_key_length
)
1663 ah_key_length))log_debug (LOG_POLICY, 80, "ah_key_length == %s", ah_key_length
);
1664 LOG_DBG((LOG_POLICY, 80, "ah_key_rounds == %s",log_debug (LOG_POLICY, 80, "ah_key_rounds == %s", ah_key_rounds
)
1665 ah_key_rounds))log_debug (LOG_POLICY, 80, "ah_key_rounds == %s", ah_key_rounds
);
1666 LOG_DBG((LOG_POLICY, 80, "esp_key_length == %s",log_debug (LOG_POLICY, 80, "esp_key_length == %s", esp_key_length
)
1667 esp_key_length))log_debug (LOG_POLICY, 80, "esp_key_length == %s", esp_key_length
);
1668 LOG_DBG((LOG_POLICY, 80, "esp_key_rounds == %s",log_debug (LOG_POLICY, 80, "esp_key_rounds == %s", esp_key_rounds
)
1669 esp_key_rounds))log_debug (LOG_POLICY, 80, "esp_key_rounds == %s", esp_key_rounds
);
1670 LOG_DBG((LOG_POLICY, 80, "ah_group_desc == %s",log_debug (LOG_POLICY, 80, "ah_group_desc == %s", ah_group_desc
)
1671 ah_group_desc))log_debug (LOG_POLICY, 80, "ah_group_desc == %s", ah_group_desc
);
1672 LOG_DBG((LOG_POLICY, 80, "esp_group_desc == %s",log_debug (LOG_POLICY, 80, "esp_group_desc == %s", esp_group_desc
)
1673 esp_group_desc))log_debug (LOG_POLICY, 80, "esp_group_desc == %s", esp_group_desc
);
1674 LOG_DBG((LOG_POLICY, 80, "comp_group_desc == %s",log_debug (LOG_POLICY, 80, "comp_group_desc == %s", comp_group_desc
)
1675 comp_group_desc))log_debug (LOG_POLICY, 80, "comp_group_desc == %s", comp_group_desc
);
1676 LOG_DBG((LOG_POLICY, 80, "ah_ecn == %s", ah_ecn))log_debug (LOG_POLICY, 80, "ah_ecn == %s", ah_ecn);
1677 LOG_DBG((LOG_POLICY, 80, "esp_ecn == %s", esp_ecn))log_debug (LOG_POLICY, 80, "esp_ecn == %s", esp_ecn);
1678 LOG_DBG((LOG_POLICY, 80, "comp_ecn == %s", comp_ecn))log_debug (LOG_POLICY, 80, "comp_ecn == %s", comp_ecn);
1679 LOG_DBG((LOG_POLICY, 80, "remote_filter_type == %s",log_debug (LOG_POLICY, 80, "remote_filter_type == %s", remote_filter_type
)
1680 remote_filter_type))log_debug (LOG_POLICY, 80, "remote_filter_type == %s", remote_filter_type
);
1681 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_upper == %s",log_debug (LOG_POLICY, 80, "remote_filter_addr_upper == %s", remote_filter_addr_upper
)
1682 remote_filter_addr_upper))log_debug (LOG_POLICY, 80, "remote_filter_addr_upper == %s", remote_filter_addr_upper
);
1683 LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_lower == %s",log_debug (LOG_POLICY, 80, "remote_filter_addr_lower == %s", remote_filter_addr_lower
)
1684 remote_filter_addr_lower))log_debug (LOG_POLICY, 80, "remote_filter_addr_lower == %s", remote_filter_addr_lower
);
1685 LOG_DBG((LOG_POLICY, 80, "remote_filter == %s",log_debug (LOG_POLICY, 80, "remote_filter == %s", (remote_filter
? remote_filter : ""))
1686 (remote_filter ? remote_filter : "")))log_debug (LOG_POLICY, 80, "remote_filter == %s", (remote_filter
? remote_filter : ""));
1687 LOG_DBG((LOG_POLICY, 80, "remote_filter_port == %s",log_debug (LOG_POLICY, 80, "remote_filter_port == %s", remote_filter_port
)
1688 remote_filter_port))log_debug (LOG_POLICY, 80, "remote_filter_port == %s", remote_filter_port
);
1689 LOG_DBG((LOG_POLICY, 80, "remote_filter_proto == %s",log_debug (LOG_POLICY, 80, "remote_filter_proto == %s", remote_filter_proto
)
1690 remote_filter_proto))log_debug (LOG_POLICY, 80, "remote_filter_proto == %s", remote_filter_proto
);
1691 LOG_DBG((LOG_POLICY, 80, "local_filter_type == %s",log_debug (LOG_POLICY, 80, "local_filter_type == %s", local_filter_type
)
1692 local_filter_type))log_debug (LOG_POLICY, 80, "local_filter_type == %s", local_filter_type
);
1693 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_upper == %s",log_debug (LOG_POLICY, 80, "local_filter_addr_upper == %s", local_filter_addr_upper
)
1694 local_filter_addr_upper))log_debug (LOG_POLICY, 80, "local_filter_addr_upper == %s", local_filter_addr_upper
);
1695 LOG_DBG((LOG_POLICY, 80, "local_filter_addr_lower == %s",log_debug (LOG_POLICY, 80, "local_filter_addr_lower == %s", local_filter_addr_lower
)
1696 local_filter_addr_lower))log_debug (LOG_POLICY, 80, "local_filter_addr_lower == %s", local_filter_addr_lower
);
1697 LOG_DBG((LOG_POLICY, 80, "local_filter == %s",log_debug (LOG_POLICY, 80, "local_filter == %s", (local_filter
? local_filter : ""))
1698 (local_filter ? local_filter : "")))log_debug (LOG_POLICY, 80, "local_filter == %s", (local_filter
? local_filter : ""));
1699 LOG_DBG((LOG_POLICY, 80, "local_filter_port == %s",log_debug (LOG_POLICY, 80, "local_filter_port == %s", local_filter_port
)
1700 local_filter_port))log_debug (LOG_POLICY, 80, "local_filter_port == %s", local_filter_port
);
1701 LOG_DBG((LOG_POLICY, 80, "local_filter_proto == %s",log_debug (LOG_POLICY, 80, "local_filter_proto == %s", local_filter_proto
)
1702 local_filter_proto))log_debug (LOG_POLICY, 80, "local_filter_proto == %s", local_filter_proto
);
1703 LOG_DBG((LOG_POLICY, 80, "remote_id_type == %s",log_debug (LOG_POLICY, 80, "remote_id_type == %s", remote_id_type
)
1704 remote_id_type))log_debug (LOG_POLICY, 80, "remote_id_type == %s", remote_id_type
);
1705 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_upper == %s",log_debug (LOG_POLICY, 80, "remote_id_addr_upper == %s", remote_id_addr_upper
)
1706 remote_id_addr_upper))log_debug (LOG_POLICY, 80, "remote_id_addr_upper == %s", remote_id_addr_upper
);
1707 LOG_DBG((LOG_POLICY, 80, "remote_id_addr_lower == %s",log_debug (LOG_POLICY, 80, "remote_id_addr_lower == %s", remote_id_addr_lower
)
1708 remote_id_addr_lower))log_debug (LOG_POLICY, 80, "remote_id_addr_lower == %s", remote_id_addr_lower
);
1709 LOG_DBG((LOG_POLICY, 80, "remote_id == %s",log_debug (LOG_POLICY, 80, "remote_id == %s", (remote_id ? remote_id
: ""))
1710 (remote_id ? remote_id : "")))log_debug (LOG_POLICY, 80, "remote_id == %s", (remote_id ? remote_id
: ""));
1711 LOG_DBG((LOG_POLICY, 80, "remote_id_port == %s",log_debug (LOG_POLICY, 80, "remote_id_port == %s", remote_id_port
)
1712 remote_id_port))log_debug (LOG_POLICY, 80, "remote_id_port == %s", remote_id_port
);
1713 LOG_DBG((LOG_POLICY, 80, "remote_id_proto == %s",log_debug (LOG_POLICY, 80, "remote_id_proto == %s", remote_id_proto
)
1714 remote_id_proto))log_debug (LOG_POLICY, 80, "remote_id_proto == %s", remote_id_proto
);
1715 LOG_DBG((LOG_POLICY, 80, "remote_negotiation_address == %s",log_debug (LOG_POLICY, 80, "remote_negotiation_address == %s"
, remote_ike_address)
1716 remote_ike_address))log_debug (LOG_POLICY, 80, "remote_negotiation_address == %s"
, remote_ike_address);
1717 LOG_DBG((LOG_POLICY, 80, "local_negotiation_address == %s",log_debug (LOG_POLICY, 80, "local_negotiation_address == %s",
local_ike_address)
1718 local_ike_address))log_debug (LOG_POLICY, 80, "local_negotiation_address == %s",
local_ike_address);
1719 LOG_DBG((LOG_POLICY, 80, "pfs == %s", pfs))log_debug (LOG_POLICY, 80, "pfs == %s", pfs);
1720 LOG_DBG((LOG_POLICY, 80, "initiator == %s", initiator))log_debug (LOG_POLICY, 80, "initiator == %s", initiator);
1721 LOG_DBG((LOG_POLICY, 80, "phase1_group_desc == %s",log_debug (LOG_POLICY, 80, "phase1_group_desc == %s", phase1_group
)
1722 phase1_group))log_debug (LOG_POLICY, 80, "phase1_group_desc == %s", phase1_group
);
1723
1724 /* Unset dirty now. */
1725 dirty = 0;
1726 }
1727 if (strcmp(name, "phase_1") == 0)
1728 return phase_1;
1729
1730 if (strcmp(name, "GMTTimeOfDay") == 0) {
1731 tt = time(NULL((void*)0));
1732 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", gmtime(&tt));
1733 return mytimeofday;
1734 }
1735 if (strcmp(name, "LocalTimeOfDay") == 0) {
1736 tt = time(NULL((void*)0));
1737 strftime(mytimeofday, 14, "%Y%m%d%H%M%S", localtime(&tt));
1738 return mytimeofday;
1739 }
1740 if (strcmp(name, "initiator") == 0)
1741 return initiator;
1742
1743 if (strcmp(name, "pfs") == 0)
1744 return pfs;
1745
1746 if (strcmp(name, "app_domain") == 0)
1747 return "IPsec policy";
1748
1749 if (strcmp(name, "doi") == 0)
1750 return "ipsec";
1751
1752 if (strcmp(name, "esp_present") == 0)
1753 return esp_present;
1754
1755 if (strcmp(name, "ah_present") == 0)
1756 return ah_present;
1757
1758 if (strcmp(name, "comp_present") == 0)
1759 return comp_present;
1760
1761 if (strcmp(name, "ah_hash_alg") == 0)
1762 return ah_hash_alg;
1763
1764 if (strcmp(name, "ah_auth_alg") == 0)
1765 return ah_auth_alg;
1766
1767 if (strcmp(name, "esp_auth_alg") == 0)
1768 return esp_auth_alg;
1769
1770 if (strcmp(name, "esp_enc_alg") == 0)
1771 return esp_enc_alg;
1772
1773 if (strcmp(name, "comp_alg") == 0)
1774 return comp_alg;
1775
1776 if (strcmp(name, "ah_life_kbytes") == 0)
1777 return ah_life_kbytes;
1778
1779 if (strcmp(name, "ah_life_seconds") == 0)
1780 return ah_life_seconds;
1781
1782 if (strcmp(name, "esp_life_kbytes") == 0)
1783 return esp_life_kbytes;
1784
1785 if (strcmp(name, "esp_life_seconds") == 0)
1786 return esp_life_seconds;
1787
1788 if (strcmp(name, "comp_life_kbytes") == 0)
1789 return comp_life_kbytes;
1790
1791 if (strcmp(name, "comp_life_seconds") == 0)
1792 return comp_life_seconds;
1793
1794 if (strcmp(name, "ah_encapsulation") == 0)
1795 return ah_encapsulation;
1796
1797 if (strcmp(name, "esp_encapsulation") == 0)
1798 return esp_encapsulation;
1799
1800 if (strcmp(name, "comp_encapsulation") == 0)
1801 return comp_encapsulation;
1802
1803 if (strcmp(name, "ah_key_length") == 0)
1804 return ah_key_length;
1805
1806 if (strcmp(name, "ah_key_rounds") == 0)
1807 return ah_key_rounds;
1808
1809 if (strcmp(name, "esp_key_length") == 0)
1810 return esp_key_length;
1811
1812 if (strcmp(name, "esp_key_rounds") == 0)
1813 return esp_key_rounds;
1814
1815 if (strcmp(name, "comp_dict_size") == 0)
1816 return comp_dict_size;
1817
1818 if (strcmp(name, "comp_private_alg") == 0)
1819 return comp_private_alg;
1820
1821 if (strcmp(name, "remote_filter_type") == 0)
1822 return remote_filter_type;
1823
1824 if (strcmp(name, "remote_filter") == 0)
1825 return (remote_filter ? remote_filter : "");
1826
1827 if (strcmp(name, "remote_filter_addr_upper") == 0)
1828 return remote_filter_addr_upper;
1829
1830 if (strcmp(name, "remote_filter_addr_lower") == 0)
1831 return remote_filter_addr_lower;
1832
1833 if (strcmp(name, "remote_filter_port") == 0)
1834 return remote_filter_port;
1835
1836 if (strcmp(name, "remote_filter_proto") == 0)
1837 return remote_filter_proto;
1838
1839 if (strcmp(name, "local_filter_type") == 0)
1840 return local_filter_type;
1841
1842 if (strcmp(name, "local_filter") == 0)
1843 return (local_filter ? local_filter : "");
1844
1845 if (strcmp(name, "local_filter_addr_upper") == 0)
1846 return local_filter_addr_upper;
1847
1848 if (strcmp(name, "local_filter_addr_lower") == 0)
1849 return local_filter_addr_lower;
1850
1851 if (strcmp(name, "local_filter_port") == 0)
1852 return local_filter_port;
1853
1854 if (strcmp(name, "local_filter_proto") == 0)
1855 return local_filter_proto;
1856
1857 if (strcmp(name, "remote_ike_address") == 0)
1858 return remote_ike_address;
1859
1860 if (strcmp(name, "remote_negotiation_address") == 0)
1861 return remote_ike_address;
1862
1863 if (strcmp(name, "local_ike_address") == 0)
1864 return local_ike_address;
1865
1866 if (strcmp(name, "local_negotiation_address") == 0)
1867 return local_ike_address;
1868
1869 if (strcmp(name, "remote_id_type") == 0)
1870 return remote_id_type;
1871
1872 if (strcmp(name, "remote_id") == 0)
1873 return (remote_id ? remote_id : "");
1874
1875 if (strcmp(name, "remote_id_addr_upper") == 0)
1876 return remote_id_addr_upper;
1877
1878 if (strcmp(name, "remote_id_addr_lower") == 0)
1879 return remote_id_addr_lower;
1880
1881 if (strcmp(name, "remote_id_port") == 0)
1882 return remote_id_port;
1883
1884 if (strcmp(name, "remote_id_proto") == 0)
1885 return remote_id_proto;
1886
1887 if (strcmp(name, "phase1_group_desc") == 0)
1888 return phase1_group;
1889
1890 if (strcmp(name, "esp_group_desc") == 0)
1891 return esp_group_desc;
1892
1893 if (strcmp(name, "ah_group_desc") == 0)
1894 return ah_group_desc;
1895
1896 if (strcmp(name, "comp_group_desc") == 0)
1897 return comp_group_desc;
1898
1899 if (strcmp(name, "comp_ecn") == 0)
1900 return comp_ecn;
1901
1902 if (strcmp(name, "ah_ecn") == 0)
1903 return ah_ecn;
1904
1905 if (strcmp(name, "esp_ecn") == 0)
1906 return esp_ecn;
1907
1908 return "";
1909
1910bad:
1911 policy_callback(KEYNOTE_CALLBACK_INITIALIZE"_KEYNOTE_CALLBACK_INITIALIZE");
1912 return "";
1913}
1914
1915void
1916policy_init(void)
1917{
1918 char *ptr, *policy_file;
1919 char **asserts;
1920 size_t sz, len;
1921 int fd, i;
1922
1923 LOG_DBG((LOG_POLICY, 30, "policy_init: initializing"))log_debug (LOG_POLICY, 30, "policy_init: initializing");
1924
1925 /* Do we want to use the policy modules? */
1926 if (ignore_policy ||
1927 strncmp("yes", conf_get_str("General", "Use-Keynote"), 3))
1928 return;
1929
1930 /* Get policy file from configuration. */
1931 policy_file = conf_get_str("General", "Policy-file");
1932 if (!policy_file)
1933 policy_file = CONF_DFLT_POLICY_FILE"/etc/isakmpd/" "isakmpd.policy";
1934
1935 /* Open policy file. */
1936 fd = monitor_open(policy_file, O_RDONLY0x0000, 0);
1937 if (fd == -1)
1938 log_fatal("policy_init: open (\"%s\", O_RDONLY) failed",
1939 policy_file);
1940
1941 /* Check file modes and collect file size */
1942 if (check_file_secrecy_fd(fd, policy_file, &sz)) {
1943 close(fd);
1944 log_fatal("policy_init: cannot read %s", policy_file);
1945 }
1946
1947 /* Allocate memory to keep policies. */
1948 ptr = calloc(sz + 1, sizeof(char));
1949 if (!ptr)
1950 log_fatal("policy_init: calloc (%lu, %lu) failed",
1951 (unsigned long)sz + 1, (unsigned long)sizeof(char));
1952
1953 /* Just in case there are short reads... */
1954 for (len = 0; len < sz; len += i) {
1955 i = read(fd, ptr + len, sz - len);
1956 if (i == -1)
1957 log_fatal("policy_init: read (%d, %p, %lu) failed", fd,
1958 ptr + len, (unsigned long)(sz - len));
1959 }
1960
1961 /* We're done with this. */
1962 close(fd);
1963
1964 /* Parse buffer, break up into individual policies. */
1965 asserts = kn_read_asserts(ptr, sz, &i);
1966
1967 /* Begone! */
1968 free(ptr);
1969
1970 if (asserts == (char **)NULL((void*)0))
1971 log_print("policy_init: all policies flushed");
1972
1973 /* Cleanup */
1974 if (policy_asserts) {
1975 for (fd = 0; fd < policy_asserts_num; fd++)
1976 if (policy_asserts)
1977 free(policy_asserts[fd]);
1978
1979 free(policy_asserts);
1980 }
1981 policy_asserts = asserts;
1982 policy_asserts_num = i;
1983}
1984
1985/* Nothing needed for initialization */
1986int
1987keynote_cert_init(void)
1988{
1989 return 1;
1990}
1991
1992/* Just copy and return. */
1993void *
1994keynote_cert_get(u_int8_t *data, u_int32_t len)
1995{
1996 char *foo = malloc(len + 1);
1997
1998 if (foo == NULL((void*)0))
1999 return NULL((void*)0);
2000
2001 memcpy(foo, data, len);
2002 foo[len] = '\0';
2003 return foo;
2004}
2005
2006/*
2007 * We just verify the signature on the credentials.
2008 * On signature failure, just drop the whole payload.
2009 */
2010int
2011keynote_cert_validate(void *scert)
2012{
2013 char **foo;
2014 int num, i;
2015
2016 if (scert == NULL((void*)0))
2017 return 0;
2018
2019 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num);
2020 if (foo == NULL((void*)0))
2021 return 0;
2022
2023 for (i = 0; i < num; i++) {
2024 if (kn_verify_assertion(scert, strlen((char *)scert))
2025 != SIGRESULT_TRUE2) {
2026 for (; i < num; i++)
2027 free(foo[i]);
2028 free(foo);
2029 return 0;
2030 }
2031 free(foo[i]);
2032 }
2033
2034 free(foo);
2035 return 1;
2036}
2037
2038/* Add received credentials. */
2039int
2040keynote_cert_insert(int sid, void *scert)
2041{
2042 char **foo;
2043 int num;
2044
2045 if (scert == NULL((void*)0))
2046 return 0;
2047
2048 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num);
2049 if (foo == NULL((void*)0))
2050 return 0;
2051
2052 while (num--)
2053 kn_add_assertion(sid, foo[num], strlen(foo[num]), 0);
2054
2055 return 1;
2056}
2057
2058/* Just regular memory free. */
2059void
2060keynote_cert_free(void *cert)
2061{
2062 free(cert);
2063}
2064
2065/* Verify that the key given to us is valid. */
2066int
2067keynote_certreq_validate(u_int8_t *data, u_int32_t len)
2068{
2069 struct keynote_deckey dc;
2070 int err = 1;
2071 char *dat;
2072
2073 dat = calloc(len + 1, sizeof(char));
2074 if (!dat) {
2075 log_error("keynote_certreq_validate: calloc (%d, %lu) failed",
2076 len + 1, (unsigned long)sizeof(char));
2077 return 0;
2078 }
2079 memcpy(dat, data, len);
2080
2081 if (kn_decode_key(&dc, dat, KEYNOTE_PUBLIC_KEY0) != 0)
2082 err = 0;
2083 else
2084 kn_free_key(&dc);
2085
2086 free(dat);
2087
2088 return err;
2089}
2090
2091/* Beats me what we should be doing with this. */
2092int
2093keynote_certreq_decode(void **pdata, u_int8_t *data, u_int32_t len)
2094{
2095 /* XXX */
2096 return 0;
2097}
2098
2099void
2100keynote_free_aca(void *blob)
2101{
2102 /* XXX */
2103}
2104
2105int
2106keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
2107 u_int32_t *certlen)
2108{
2109 char *dirname, *file, *addr_str;
2110 struct stat sb;
2111 size_t size;
2112 int idtype, fd, len;
2113
2114 if (!id) {
2115 log_print("keynote_cert_obtain: ID is missing");
2116 return 0;
2117 }
2118 /* Get type of ID. */
2119 idtype = id[0];
2120 id += ISAKMP_ID_DATA_OFF8 - ISAKMP_GEN_SZ4;
2121 id_len -= ISAKMP_ID_DATA_OFF8 - ISAKMP_GEN_SZ4;
2122
2123 dirname = conf_get_str("KeyNote", "Credential-directory");
2124 if (!dirname) {
2125 LOG_DBG((LOG_POLICY, 30,log_debug (LOG_POLICY, 30, "keynote_cert_obtain: no Credential-directory"
)
2126 "keynote_cert_obtain: no Credential-directory"))log_debug (LOG_POLICY, 30, "keynote_cert_obtain: no Credential-directory"
);
2127 return 0;
2128 }
2129 len = strlen(dirname) + strlen(CREDENTIAL_FILE"credentials") + 3;
2130
2131 switch (idtype) {
2132 case IPSEC_ID_IPV4_ADDR1:
2133 case IPSEC_ID_IPV6_ADDR5:
2134 util_ntoa(&addr_str, idtype == IPSEC_ID_IPV4_ADDR1 ?
2135 AF_INET2 : AF_INET624, id);
2136 if (addr_str == 0)
2137 return 0;
2138
2139 if (asprintf(&file, "%s/%s/%s", dirname,
2140 addr_str, CREDENTIAL_FILE"credentials") == -1) {
2141 log_error("keynote_cert_obtain: failed to allocate "
2142 "%lu bytes", (unsigned long)len +
2143 strlen(addr_str));
2144 free(addr_str);
2145 return 0;
2146 }
2147 free(addr_str);
2148 break;
2149
2150 case IPSEC_ID_FQDN2:
2151 case IPSEC_ID_USER_FQDN3:
2152 file = calloc(len + id_len, sizeof(char));
2153 if (file == NULL((void*)0)) {
2154 log_error("keynote_cert_obtain: "
2155 "failed to allocate %lu bytes",
2156 (unsigned long)len + id_len);
2157 return 0;
2158 }
2159 snprintf(file, len + id_len, "%s/", dirname);
2160 memcpy(file + strlen(dirname) + 1, id, id_len);
2161 snprintf(file + strlen(dirname) + 1 + id_len,
2162 len - strlen(dirname) - 1, "/%s", CREDENTIAL_FILE"credentials");
2163 break;
2164
2165 default:
2166 return 0;
2167 }
2168
2169 fd = monitor_open(file, O_RDONLY0x0000, 0);
2170 if (fd < 0) {
2171 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: "log_debug (LOG_POLICY, 30, "keynote_cert_obtain: " "failed to open \"%s\""
, file)
2172 "failed to open \"%s\"", file))log_debug (LOG_POLICY, 30, "keynote_cert_obtain: " "failed to open \"%s\""
, file);
2173 free(file);
2174 return 0;
2175 }
2176
2177 if (fstat(fd, &sb) == -1) {
2178 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: "log_debug (LOG_POLICY, 30, "keynote_cert_obtain: " "failed to stat \"%s\""
, file)
2179 "failed to stat \"%s\"", file))log_debug (LOG_POLICY, 30, "keynote_cert_obtain: " "failed to stat \"%s\""
, file);
2180 free(file);
2181 close(fd);
2182 return 0;
2183 }
2184 size = (size_t)sb.st_size;
2185
2186 *cert = calloc(size + 1, sizeof(char));
Result of 'calloc' is converted to a pointer of type 'u_int8_t', which is incompatible with sizeof operand type 'char'
2187 if (*cert == NULL((void*)0)) {
2188 log_error("keynote_cert_obtain: failed to allocate %lu bytes",
2189 (unsigned long)size);
2190 free(file);
2191 close(fd);
2192 return 0;
2193 }
2194
2195 if (read(fd, *cert, size) != (int)size) {
2196 LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: "log_debug (LOG_POLICY, 30, "keynote_cert_obtain: " "failed to read %lu bytes from \"%s\""
, (unsigned long)size, file)
2197 "failed to read %lu bytes from \"%s\"",log_debug (LOG_POLICY, 30, "keynote_cert_obtain: " "failed to read %lu bytes from \"%s\""
, (unsigned long)size, file)
2198 (unsigned long)size, file))log_debug (LOG_POLICY, 30, "keynote_cert_obtain: " "failed to read %lu bytes from \"%s\""
, (unsigned long)size, file);
2199 free(cert);
2200 cert = NULL((void*)0);
2201 free(file);
2202 close(fd);
2203 return 0;
2204 }
2205 close(fd);
2206 free(file);
2207 *certlen = size;
2208 return 1;
2209}
2210
2211/* This should never be called. */
2212int
2213keynote_cert_get_subjects(void *scert, int *n, u_int8_t ***id,
2214 u_int32_t **id_len)
2215{
2216 return 0;
2217}
2218
2219/* Get the authorizer key. */
2220int
2221keynote_cert_get_key(void *scert, void *keyp)
2222{
2223 struct keynote_keylist *kl;
2224 int sid, kid, num;
2225 char **foo;
2226
2227 foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num);
2228 if (foo == NULL((void*)0) || num == 0) {
2229 log_print("keynote_cert_get_key: "
2230 "failed to decompose credentials");
2231 return 0;
2232 }
2233 kid = kn_init();
2234 if (kid == -1) {
2235 log_print("keynote_cert_get_key: "
2236 "failed to initialize new policy session");
2237 while (num--)
2238 free(foo[num]);
2239 free(foo);
2240 return 0;
2241 }
2242 sid = kn_add_assertion(kid, foo[num - 1], strlen(foo[num - 1]), 0);
2243 while (num--)
2244 free(foo[num]);
2245 free(foo);
2246
2247 if (sid == -1) {
2248 log_print("keynote_cert_get_key: failed to add assertion");
2249 kn_close(kid);
2250 return 0;
2251 }
2252 *(RSA **)keyp = NULL((void*)0);
2253
2254 kl = kn_get_licensees(kid, sid);
2255 while (kl) {
2256 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA6 ||
2257 kl->key_alg == KEYNOTE_ALGORITHM_X5095) {
2258 *(RSA **)keyp = RSAPublicKey_dup(kl->key_key);
2259 break;
2260 }
2261 kl = kl->key_next;
2262 }
2263
2264 kn_remove_assertion(kid, sid);
2265 kn_close(kid);
2266 return *(RSA **)keyp == NULL((void*)0) ? 0 : 1;
2267}
2268
2269void *
2270keynote_cert_dup(void *cert)
2271{
2272 return strdup((char *)cert);
2273}
2274
2275void
2276keynote_serialize(void *cert, u_int8_t **data, u_int32_t *datalen)
2277{
2278 *datalen = strlen((char *)cert) + 1;
2279 *data = (u_int8_t *)strdup(cert); /* i.e an extra character at
2280 * the end... */
2281 if (*data == NULL((void*)0))
2282 log_error("keynote_serialize: malloc (%d) failed", *datalen);
2283}
2284
2285/* From cert to printable */
2286char *
2287keynote_printable(void *cert)
2288{
2289 return strdup((char *)cert);
2290}
2291
2292/* From printable to cert */
2293void *
2294keynote_from_printable(char *cert)
2295{
2296 return strdup(cert);
2297}
2298
2299/* Number of CAs we trust (currently this is x509 only) */
2300int
2301keynote_ca_count(void)
2302{
2303 return 0;
2304}