summaryrefslogtreecommitdiff
path: root/sbin/isakmpd/policy.c
diff options
context:
space:
mode:
Diffstat (limited to 'sbin/isakmpd/policy.c')
-rw-r--r--sbin/isakmpd/policy.c1486
1 files changed, 1074 insertions, 412 deletions
diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c
index c2c3e96138d..296f30aa16c 100644
--- a/sbin/isakmpd/policy.c
+++ b/sbin/isakmpd/policy.c
@@ -1,8 +1,9 @@
-/* $OpenBSD: policy.c,v 1.1 1999/07/07 22:10:28 niklas Exp $ */
-/* $EOM: policy.c,v 1.2 1999/06/07 08:46:34 niklas Exp $ */
+/* $OpenBSD: policy.c,v 1.2 1999/08/26 22:31:09 niklas Exp $ */
+/* $EOM: policy.c,v 1.7 1999/08/26 11:21:47 niklas Exp $ */
/*
* Copyright (c) 1999 Angelos D. Keromytis. All rights reserved.
+ * Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -45,6 +46,10 @@
#include <string.h>
#include <unistd.h>
#include <keynote.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <errno.h>
#include "sysdep.h"
@@ -53,6 +58,7 @@
#include "connection.h"
#include "cookie.h"
#include "doi.h"
+#include "dyn.h"
#include "exchange.h"
#include "init.h"
#include "ipsec.h"
@@ -72,21 +78,90 @@
#define POLICY_FILE_DEFAULT "/etc/isakmpd.policy"
#endif /* POLICY_FILE_DEFAULT */
+#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE)
+
+void *libkeynote = 0;
+
+/*
+ * These prototypes matches OpenBSD keynote.h 1.6. If you use
+ * a different version than that, you are on your own.
+ */
+int *lk_keynote_errno;
+int (*lk_kn_add_action) (int, char *, char *, int);
+int (*lk_kn_add_assertion) (int, char *, int, int);
+int (*lk_kn_add_authorizer) (int, char *);
+int (*lk_kn_close) (int);
+int (*lk_kn_do_query) (int, char **, int);
+char *(*lk_kn_encode_key) (struct keynote_deckey *, int, int, int);
+int (*lk_kn_init) (void);
+char **(*lk_kn_read_asserts) (char *, int, int *);
+int (*lk_kn_remove_authorizer) (int, char *);
+#define SYMENTRY(x) { SYM, SYM (x), (void **)&lk_ ## x }
+
+static struct dynload_script libkeynote_script[] = {
+ { LOAD, "libc.so", &libkeynote },
+ { LOAD, "libcrypto.so", &libkeynote },
+ { LOAD, "libm.so", &libkeynote },
+ { LOAD, "libkeynote.so", &libkeynote },
+ SYMENTRY (keynote_errno),
+ SYMENTRY (kn_add_action),
+ SYMENTRY (kn_add_assertion),
+ SYMENTRY (kn_add_authorizer),
+ SYMENTRY (kn_close),
+ SYMENTRY (kn_do_query),
+ SYMENTRY (kn_encode_key),
+ SYMENTRY (kn_init),
+ SYMENTRY (kn_read_asserts),
+ SYMENTRY (kn_remove_authorizer),
+ { EOS }
+};
+#endif
+
int keynote_sessid = -1;
-struct exchange *policy_exchange = NULL;
-struct sa *policy_sa = NULL;
+struct exchange *policy_exchange = 0;
+struct sa *policy_sa = 0;
+struct sa *policy_isakmp_sa = 0;
+
+/*
+ * Adaptation of Vixie's inet_ntop4 ()
+ */
+static const char *
+my_inet_ntop4 (const in_addr_t *src, char *dst, size_t size, int normalize)
+{
+ static const char fmt[] = "%03u.%03u.%03u.%03u";
+ char tmp[sizeof "255.255.255.255"];
+ in_addr_t src2;
+
+ if (normalize)
+ src2 = ntohl (*src);
+ else
+ src2 = *src;
+
+ if (sprintf (tmp, fmt, ((u_int8_t *) &src2)[0], ((u_int8_t *) &src2)[1],
+ ((u_int8_t *) &src2)[2], ((u_int8_t *) &src2)[3]) > size)
+ {
+ errno = ENOSPC;
+ return 0;
+ }
+ strcpy (dst, tmp);
+ return dst;
+}
static char *
policy_callback (char *name)
{
struct proto *proto;
- u_int8_t *attr, *value;
- u_int16_t len, type;
+ u_int8_t *attr, *value, *id;
+ struct sockaddr_in *sin;
+ struct ipsec_exch *ie;
int fmt, lifetype = 0;
+ in_addr_t net, subnet;
+ u_int16_t len, type;
+ size_t id_sz;
- /* We use all these as a cache */
+ /* We use all these as a cache. */
static char *esp_present, *ah_present, *comp_present;
static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg;
static char *comp_alg, ah_life_kbytes[32], ah_life_seconds[32];
@@ -94,163 +169,197 @@ policy_callback (char *name)
static char comp_life_seconds[32], *ah_encapsulation, *esp_encapsulation;
static char *comp_encapsulation, ah_key_length[32], esp_key_length[32];
static char ah_key_rounds[32], esp_key_rounds[32], comp_dict_size[32];
- static char comp_private_alg[32], *id_initiator_type, *id_responder_type;
- static char id_initiator_addr_upper[32], id_initiator_addr_lower[32];
- static char id_responder_addr_upper[32], id_responder_addr_lower[32];
- static char id_initiator[100], id_responder[100];
+ static char comp_private_alg[32], *remote_filter_type, *local_filter_type;
+ static char remote_filter_addr_upper[64], remote_filter_addr_lower[64];
+ static char local_filter_addr_upper[64], local_filter_addr_lower[64];
static char ah_group_desc[32], esp_group_desc[32], comp_group_desc[32];
-
+ static char remote_ike_address[64], local_ike_address[64];
+ static char *remote_id_type, remote_id_addr_upper[64];
+ static char remote_id_addr_lower[64], *remote_id_proto, remote_id_port[32];
+ static char remote_filter_port[32], local_filter_port[32];
+ static char *remote_filter_proto, *local_filter_proto;
+
+ /* Allocated. */
+ static char *remote_filter = 0, *local_filter = 0, *remote_id = 0;
+
static int dirty = 1;
- /* We only need to set dirty at initialization time really */
- if (strcmp (name, KEYNOTE_CALLBACK_CLEANUP) == 0 ||
- strcmp (name, KEYNOTE_CALLBACK_INITIALIZE) == 0)
+ /* We only need to set dirty at initialization time really. */
+ if (strcmp (name, KEYNOTE_CALLBACK_CLEANUP) == 0
+ || strcmp (name, KEYNOTE_CALLBACK_INITIALIZE) == 0)
{
esp_present = ah_present = comp_present = "no";
- ah_hash_alg = ah_auth_alg = NULL;
- esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = NULL;
- esp_encapsulation = comp_encapsulation = id_initiator_type = NULL;
- id_responder_type = NULL;
- memset (ah_life_kbytes, 0, 32);
- memset (ah_life_seconds, 0, 32);
- memset (esp_life_kbytes, 0, 32);
- memset (esp_life_seconds, 0, 32);
- memset (comp_life_kbytes, 0, 32);
- memset (comp_life_seconds, 0, 32);
- memset (ah_key_length, 0, 32);
- memset (ah_key_rounds, 0, 32);
- memset (esp_key_length, 0, 32);
- memset (esp_key_rounds, 0, 32);
- memset (comp_dict_size, 0, 32);
- memset (comp_private_alg, 0, 32);
- memset (id_initiator_addr_upper, 0, 32);
- memset (id_initiator_addr_lower, 0, 32);
- memset (id_responder_addr_upper, 0, 32);
- memset (id_responder_addr_lower, 0, 32);
- memset (ah_group_desc, 0, 32);
- memset (esp_group_desc, 0, 32);
- memset (comp_group_desc, 0, 32);
- memset (id_initiator, 0, 100); /* XX */
- memset (id_responder, 0, 100); /* XX */
-
+ ah_hash_alg = ah_auth_alg = "";
+ esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = "";
+ esp_encapsulation = comp_encapsulation = remote_filter_type = "";
+ local_filter_type = remote_id_type = "";
+ remote_filter_proto = local_filter_proto = remote_id_proto = "";
+
+ if (remote_filter != 0)
+ {
+ free (remote_filter);
+ remote_filter = 0;
+ }
+
+ if (local_filter != 0)
+ {
+ free (local_filter);
+ local_filter = 0;
+ }
+
+ if (remote_id != 0)
+ {
+ free (remote_id);
+ remote_id = 0;
+ }
+
+ memset (remote_ike_address, 0, sizeof remote_ike_address);
+ memset (local_ike_address, 0, sizeof local_ike_address);
+ memset (ah_life_kbytes, 0, sizeof ah_life_kbytes);
+ memset (ah_life_seconds, 0, sizeof ah_life_seconds);
+ memset (esp_life_kbytes, 0, sizeof esp_life_kbytes);
+ memset (esp_life_seconds, 0, sizeof esp_life_seconds);
+ memset (comp_life_kbytes, 0, sizeof comp_life_kbytes);
+ memset (comp_life_seconds, 0, sizeof comp_life_seconds);
+ memset (ah_key_length, 0, sizeof ah_key_length);
+ memset (ah_key_rounds, 0, sizeof ah_key_rounds);
+ memset (esp_key_length, 0, sizeof esp_key_length);
+ memset (esp_key_rounds, 0, sizeof esp_key_rounds);
+ memset (comp_dict_size, 0, sizeof comp_dict_size);
+ memset (comp_private_alg, 0, sizeof comp_private_alg);
+ memset (remote_filter_addr_upper, 0, sizeof remote_filter_addr_upper);
+ memset (remote_filter_addr_lower, 0, sizeof remote_filter_addr_lower);
+ memset (local_filter_addr_upper, 0, sizeof local_filter_addr_upper);
+ memset (local_filter_addr_lower, 0, sizeof local_filter_addr_lower);
+ memset (remote_id_addr_upper, 0, sizeof remote_id_addr_upper);
+ memset (remote_id_addr_lower, 0, sizeof remote_id_addr_lower);
+ memset (ah_group_desc, 0, sizeof ah_group_desc);
+ memset (esp_group_desc, 0, sizeof esp_group_desc);
+ memset (remote_id_port, 0, sizeof remote_id_port);
+ memset (remote_filter_port, 0, sizeof remote_filter_port);
+ memset (local_filter_port, 0, sizeof local_filter_port);
+
dirty = 1;
return "";
}
- /*
+ /*
* If dirty is set, this is the first request for an attribute, so
* populate our value cache.
*/
if (dirty)
- {
+ {
+ ie = policy_exchange->data;
+
for (proto = TAILQ_FIRST (&policy_sa->protos); proto;
proto = TAILQ_NEXT (proto, link))
- {
+ {
switch (proto->proto)
- {
- case IPSEC_PROTO_IPSEC_AH:
- ah_present = "yes";
- switch (proto->id)
- {
- case IPSEC_AH_MD5:
- ah_hash_alg = "md5";
- break;
-
- case IPSEC_AH_SHA:
- ah_hash_alg = "sha";
- break;
-
- case IPSEC_AH_DES:
- ah_hash_alg = "des";
- break;
- }
-
- break;
-
- case IPSEC_PROTO_IPSEC_ESP:
- esp_present = "yes";
- switch (proto->id)
- {
- case IPSEC_ESP_DES_IV64:
- esp_enc_alg = "des-iv64";
- break;
-
- case IPSEC_ESP_DES:
- esp_enc_alg = "des";
- break;
-
- case IPSEC_ESP_3DES:
- esp_enc_alg = "3des";
- break;
-
- case IPSEC_ESP_RC5:
- esp_enc_alg = "rc5";
- break;
-
- case IPSEC_ESP_IDEA:
- esp_enc_alg = "idea";
- break;
-
- case IPSEC_ESP_CAST:
- esp_enc_alg = "cast";
- break;
-
- case IPSEC_ESP_BLOWFISH:
- esp_enc_alg = "blowfish";
- break;
-
- case IPSEC_ESP_3IDEA:
- esp_enc_alg = "3idea";
- break;
-
- case IPSEC_ESP_DES_IV32:
- esp_enc_alg = "des-iv32";
- break;
-
- case IPSEC_ESP_RC4:
- esp_enc_alg = "rc4";
- break;
-
- case IPSEC_ESP_NULL:
- esp_enc_alg = "null";
- break;
- }
-
- break;
-
- case IPSEC_PROTO_IPCOMP:
- comp_present = "yes";
- switch (proto->id)
- {
- case IPSEC_IPCOMP_OUI:
- comp_alg = "oui";
- break;
-
- case IPSEC_IPCOMP_DEFLATE:
- comp_alg = "deflate";
- break;
-
- case IPSEC_IPCOMP_LZS:
- comp_alg = "lzs";
- break;
-
- case IPSEC_IPCOMP_V42BIS:
- comp_alg = "v42bis";
- break;
- }
-
- break;
- }
-
+ {
+ case IPSEC_PROTO_IPSEC_AH:
+ ah_present = "yes";
+ switch (proto->id)
+ {
+ case IPSEC_AH_MD5:
+ ah_hash_alg = "md5";
+ break;
+
+ case IPSEC_AH_SHA:
+ ah_hash_alg = "sha";
+ break;
+
+ case IPSEC_AH_DES:
+ ah_hash_alg = "des";
+ break;
+ }
+
+ break;
+
+ case IPSEC_PROTO_IPSEC_ESP:
+ esp_present = "yes";
+ switch (proto->id)
+ {
+ case IPSEC_ESP_DES_IV64:
+ esp_enc_alg = "des-iv64";
+ break;
+
+ case IPSEC_ESP_DES:
+ esp_enc_alg = "des";
+ break;
+
+ case IPSEC_ESP_3DES:
+ esp_enc_alg = "3des";
+ break;
+
+ case IPSEC_ESP_RC5:
+ esp_enc_alg = "rc5";
+ break;
+
+ case IPSEC_ESP_IDEA:
+ esp_enc_alg = "idea";
+ break;
+
+ case IPSEC_ESP_CAST:
+ esp_enc_alg = "cast";
+ break;
+
+ case IPSEC_ESP_BLOWFISH:
+ esp_enc_alg = "blowfish";
+ break;
+
+ case IPSEC_ESP_3IDEA:
+ esp_enc_alg = "3idea";
+ break;
+
+ case IPSEC_ESP_DES_IV32:
+ esp_enc_alg = "des-iv32";
+ break;
+
+ case IPSEC_ESP_RC4:
+ esp_enc_alg = "rc4";
+ break;
+
+ case IPSEC_ESP_NULL:
+ esp_enc_alg = "null";
+ break;
+ }
+
+ break;
+
+ case IPSEC_PROTO_IPCOMP:
+ comp_present = "yes";
+ switch (proto->id)
+ {
+ case IPSEC_IPCOMP_OUI:
+ comp_alg = "oui";
+ break;
+
+ case IPSEC_IPCOMP_DEFLATE:
+ comp_alg = "deflate";
+ break;
+
+ case IPSEC_IPCOMP_LZS:
+ comp_alg = "lzs";
+ break;
+
+ case IPSEC_IPCOMP_V42BIS:
+ comp_alg = "v42bis";
+ break;
+ }
+
+ break;
+ }
+
for (attr = proto->chosen->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF;
- attr < proto->chosen->p +
- GET_ISAKMP_GEN_LENGTH (proto->chosen->p);
+ attr
+ < proto->chosen->p + GET_ISAKMP_GEN_LENGTH (proto->chosen->p);
attr = value + len)
- {
- if (attr + ISAKMP_ATTR_VALUE_OFF > proto->chosen->p +
- GET_ISAKMP_GEN_LENGTH (proto->chosen->p))
+ {
+ if (attr + ISAKMP_ATTR_VALUE_OFF
+ > (proto->chosen->p
+ + GET_ISAKMP_GEN_LENGTH (proto->chosen->p)))
return "";
-
+
type = GET_ISAKMP_ATTR_TYPE (attr);
fmt = ISAKMP_ATTR_FORMAT (type);
type = ISAKMP_ATTR_TYPE (type);
@@ -264,225 +373,728 @@ policy_callback (char *name)
return "";
switch (type)
- {
- case IPSEC_ATTR_SA_LIFE_TYPE:
- lifetype = decode_16 (value);
+ {
+ case IPSEC_ATTR_SA_LIFE_TYPE:
+ lifetype = decode_16 (value);
+ break;
+
+ case IPSEC_ATTR_SA_LIFE_DURATION:
+ switch (proto->proto)
+ {
+ case IPSEC_PROTO_IPSEC_AH:
+ if (lifetype == IPSEC_DURATION_SECONDS)
+ {
+ if (len == 2)
+ sprintf (ah_life_seconds, "%d",
+ decode_16 (value));
+ else
+ sprintf (ah_life_seconds, "%d",
+ decode_32 (value));
+ }
+ else
+ {
+ if (len == 2)
+ sprintf (ah_life_kbytes, "%d",
+ decode_16 (value));
+ else
+ sprintf (ah_life_kbytes, "%d",
+ decode_32 (value));
+ }
+
break;
- case IPSEC_ATTR_SA_LIFE_DURATION:
- switch (proto->proto)
- {
- case IPSEC_PROTO_IPSEC_AH:
- if (lifetype == IPSEC_DURATION_SECONDS)
- {
- if (len == 2)
- sprintf (ah_life_seconds, "%d",
- decode_16 (value));
- else
- sprintf (ah_life_seconds, "%d",
- decode_32 (value));
- }
- else
- {
- if (len == 2)
- sprintf (ah_life_kbytes, "%d",
- decode_16 (value));
- else
- sprintf (ah_life_kbytes, "%d",
- decode_32 (value));
- }
-
- break;
-
- case IPSEC_PROTO_IPSEC_ESP:
- if (lifetype == IPSEC_DURATION_SECONDS)
- {
- if (len == 2)
- sprintf (esp_life_seconds, "%d",
- decode_16 (value));
- else
- sprintf (esp_life_seconds, "%d",
- decode_32 (value));
- }
- else
- {
- if (len == 2)
- sprintf (esp_life_kbytes, "%d",
- decode_16 (value));
- else
- sprintf (esp_life_kbytes, "%d",
- decode_32 (value));
- }
-
- break;
-
- case IPSEC_PROTO_IPCOMP:
- if (lifetype == IPSEC_DURATION_SECONDS)
- {
- if (len == 2)
- sprintf (comp_life_seconds, "%d",
- decode_16 (value));
- else
- sprintf (comp_life_seconds, "%d",
- decode_32 (value));
- }
- else
- {
- if (len == 2)
- sprintf (comp_life_kbytes, "%d",
- decode_16 (value));
- else
- sprintf (comp_life_kbytes, "%d",
- decode_32 (value));
- }
-
- break;
- }
- break;
+ case IPSEC_PROTO_IPSEC_ESP:
+ if (lifetype == IPSEC_DURATION_SECONDS)
+ {
+ if (len == 2)
+ sprintf (esp_life_seconds, "%d",
+ decode_16 (value));
+ else
+ sprintf (esp_life_seconds, "%d",
+ decode_32 (value));
+ }
+ else
+ {
+ if (len == 2)
+ sprintf (esp_life_kbytes, "%d",
+ decode_16 (value));
+ else
+ sprintf (esp_life_kbytes, "%d",
+ decode_32 (value));
+ }
- case IPSEC_ATTR_GROUP_DESCRIPTION:
- switch (proto->proto)
- {
- case IPSEC_PROTO_IPSEC_AH:
- sprintf (ah_group_desc, "%d", decode_16 (value));
- break;
-
- case IPSEC_PROTO_IPSEC_ESP:
- sprintf (esp_group_desc, "%d",
- decode_16 (value));
- break;
-
- case IPSEC_PROTO_IPCOMP:
- sprintf (comp_group_desc, "%d",
- decode_16 (value));
- break;
- }
break;
-
- case IPSEC_ATTR_ENCAPSULATION_MODE:
- if (decode_16(value) == IPSEC_ENCAP_TUNNEL)
- switch (proto->proto)
+
+ case IPSEC_PROTO_IPCOMP:
+ if (lifetype == IPSEC_DURATION_SECONDS)
+ {
+ if (len == 2)
+ sprintf (comp_life_seconds, "%d",
+ decode_16 (value));
+ else
+ sprintf (comp_life_seconds, "%d",
+ decode_32 (value));
+ }
+ else
+ {
+ if (len == 2)
+ sprintf (comp_life_kbytes, "%d",
+ decode_16 (value));
+ else
+ sprintf (comp_life_kbytes, "%d",
+ decode_32 (value));
+ }
+
+ break;
+ }
+ break;
+
+ case IPSEC_ATTR_GROUP_DESCRIPTION:
+ switch (proto->proto)
+ {
+ case IPSEC_PROTO_IPSEC_AH:
+ sprintf (ah_group_desc, "%d", decode_16 (value));
+ break;
+
+ case IPSEC_PROTO_IPSEC_ESP:
+ sprintf (esp_group_desc, "%d",
+ decode_16 (value));
+ break;
+
+ case IPSEC_PROTO_IPCOMP:
+ sprintf (comp_group_desc, "%d",
+ decode_16 (value));
+ break;
+ }
+ break;
+
+ case IPSEC_ATTR_ENCAPSULATION_MODE:
+ if (decode_16 (value) == IPSEC_ENCAP_TUNNEL)
+ switch (proto->proto)
{
- case IPSEC_PROTO_IPSEC_AH:
- ah_encapsulation = "tunnel";
- break;
-
- case IPSEC_PROTO_IPSEC_ESP:
- esp_encapsulation = "tunnel";
- break;
-
- case IPSEC_PROTO_IPCOMP:
- comp_encapsulation = "tunnel";
- break;
+ case IPSEC_PROTO_IPSEC_AH:
+ ah_encapsulation = "tunnel";
+ break;
+
+ case IPSEC_PROTO_IPSEC_ESP:
+ esp_encapsulation = "tunnel";
+ break;
+
+ case IPSEC_PROTO_IPCOMP:
+ comp_encapsulation = "tunnel";
+ break;
}
- else
- switch (proto->proto)
+ else
+ switch (proto->proto)
{
- case IPSEC_PROTO_IPSEC_AH:
- ah_encapsulation = "transport";
- break;
-
- case IPSEC_PROTO_IPSEC_ESP:
- esp_encapsulation = "transport";
- break;
-
- case IPSEC_PROTO_IPCOMP:
- comp_encapsulation = "transport";
- break;
- }
- break;
+ case IPSEC_PROTO_IPSEC_AH:
+ ah_encapsulation = "transport";
+ break;
- case IPSEC_ATTR_AUTHENTICATION_ALGORITHM:
- switch (proto->proto)
- {
- case IPSEC_PROTO_IPSEC_AH:
- switch (decode_16 (value))
- {
- case IPSEC_AUTH_HMAC_MD5:
- ah_auth_alg = "hmac-md5";
- break;
-
- case IPSEC_AUTH_HMAC_SHA:
- ah_auth_alg = "hmac-sha";
- break;
-
- case IPSEC_AUTH_DES_MAC:
- ah_auth_alg = "des-mac";
- break;
-
- case IPSEC_AUTH_KPDK:
- ah_auth_alg = "kpdk";
- break;
- }
- break;
-
- case IPSEC_PROTO_IPSEC_ESP:
- switch (decode_16 (value))
- {
- case IPSEC_AUTH_HMAC_MD5:
- esp_auth_alg = "hmac-md5";
- break;
-
- case IPSEC_AUTH_HMAC_SHA:
- esp_auth_alg = "hmac-sha";
- break;
-
- case IPSEC_AUTH_DES_MAC:
- esp_auth_alg = "des-mac";
- break;
-
- case IPSEC_AUTH_KPDK:
- esp_auth_alg = "kpdk";
- break;
- }
- break;
+ case IPSEC_PROTO_IPSEC_ESP:
+ esp_encapsulation = "transport";
+ break;
+
+ case IPSEC_PROTO_IPCOMP:
+ comp_encapsulation = "transport";
+ break;
}
+ break;
+
+ case IPSEC_ATTR_AUTHENTICATION_ALGORITHM:
+ switch (proto->proto)
+ {
+ case IPSEC_PROTO_IPSEC_AH:
+ switch (decode_16 (value))
+ {
+ case IPSEC_AUTH_HMAC_MD5:
+ ah_auth_alg = "hmac-md5";
+ break;
+
+ case IPSEC_AUTH_HMAC_SHA:
+ ah_auth_alg = "hmac-sha";
+ break;
+
+ case IPSEC_AUTH_DES_MAC:
+ ah_auth_alg = "des-mac";
+ break;
+
+ case IPSEC_AUTH_KPDK:
+ ah_auth_alg = "kpdk";
+ break;
+ }
break;
- case IPSEC_ATTR_KEY_LENGTH:
- switch (proto->proto)
- {
- case IPSEC_PROTO_IPSEC_AH:
- sprintf (ah_key_length, "%d", decode_16 (value));
- break;
-
- case IPSEC_PROTO_IPSEC_ESP:
- sprintf (esp_key_length, "%d",
- decode_16 (value));
- break;
- }
+ case IPSEC_PROTO_IPSEC_ESP:
+ switch (decode_16 (value))
+ {
+ case IPSEC_AUTH_HMAC_MD5:
+ esp_auth_alg = "hmac-md5";
+ break;
+
+ case IPSEC_AUTH_HMAC_SHA:
+ esp_auth_alg = "hmac-sha";
+ break;
+
+ case IPSEC_AUTH_DES_MAC:
+ esp_auth_alg = "des-mac";
+ break;
+
+ case IPSEC_AUTH_KPDK:
+ esp_auth_alg = "kpdk";
+ break;
+ }
break;
+ }
+ break;
- case IPSEC_ATTR_KEY_ROUNDS:
- switch (proto->proto)
- {
- case IPSEC_PROTO_IPSEC_AH:
- sprintf (ah_key_rounds, "%d", decode_16 (value));
- break;
-
- case IPSEC_PROTO_IPSEC_ESP:
- sprintf (esp_key_rounds, "%d",
- decode_16 (value));
- break;
- }
+ case IPSEC_ATTR_KEY_LENGTH:
+ switch (proto->proto)
+ {
+ case IPSEC_PROTO_IPSEC_AH:
+ sprintf (ah_key_length, "%d", decode_16 (value));
break;
-
- case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE:
- sprintf (comp_dict_size, "%d", decode_16(value));
- break;
-
- case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM:
- sprintf (comp_private_alg, "%d", decode_16 (value));
- break;
- }
- }
- }
-
- /* Unset dirty now */
- dirty = 0;
- }
- /* XXX Need to initialize the ID variables */
+ case IPSEC_PROTO_IPSEC_ESP:
+ sprintf (esp_key_length, "%d",
+ decode_16 (value));
+ break;
+ }
+ break;
+
+ case IPSEC_ATTR_KEY_ROUNDS:
+ switch (proto->proto)
+ {
+ case IPSEC_PROTO_IPSEC_AH:
+ sprintf (ah_key_rounds, "%d", decode_16 (value));
+ break;
+
+ case IPSEC_PROTO_IPSEC_ESP:
+ sprintf (esp_key_rounds, "%d",
+ decode_16 (value));
+ break;
+ }
+ break;
+
+ case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE:
+ sprintf (comp_dict_size, "%d", decode_16 (value));
+ break;
+
+ case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM:
+ sprintf (comp_private_alg, "%d", decode_16 (value));
+ break;
+ }
+ }
+ }
+
+ /* XXX IPv4-specific. */
+ policy_sa->transport->vtbl->get_src (policy_sa->transport,
+ (struct sockaddr **) &sin, &fmt);
+ my_inet_ntop4 (&(sin->sin_addr.s_addr), local_ike_address,
+ sizeof local_ike_address - 1, 0);
+
+ policy_sa->transport->vtbl->get_dst (policy_sa->transport,
+ (struct sockaddr **) &sin, &fmt);
+ my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_ike_address,
+ sizeof remote_ike_address - 1, 0);
+
+ if (policy_isakmp_sa->initiator)
+ {
+ id = policy_isakmp_sa->id_r;
+ id_sz = policy_isakmp_sa->id_r_len;
+ }
+ else
+ {
+ id = policy_isakmp_sa->id_i;
+ id_sz = policy_isakmp_sa->id_i_len;
+ }
+
+ switch (id[0])
+ {
+ case IPSEC_ID_IPV4_ADDR:
+ remote_id_type = "IPv4 address";
+
+ net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ);
+ my_inet_ntop4 (&net, remote_id_addr_upper,
+ sizeof remote_id_addr_upper - 1, 1);
+ my_inet_ntop4 (&net, remote_id_addr_lower,
+ sizeof remote_id_addr_lower - 1, 1);
+ remote_id = strdup (remote_id_addr_upper);
+ if (!remote_id)
+ log_fatal ("policy_callback: strdup (\"%s\") failed",
+ remote_id_addr_upper);
+ break;
+
+ case IPSEC_ID_IPV4_RANGE:
+ remote_id_type = "IPv4 range";
+
+ net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ);
+ my_inet_ntop4 (&net, remote_id_addr_lower,
+ sizeof remote_id_addr_lower - 1, 1);
+ net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4);
+ my_inet_ntop4 (&net, remote_id_addr_upper,
+ sizeof remote_id_addr_upper - 1, 1);
+ remote_id = calloc (strlen (remote_id_addr_upper)
+ + strlen (remote_id_addr_lower) + 2,
+ sizeof (char));
+ if (!remote_id)
+ log_fatal ("policy_callback: calloc (%d, %d) failed",
+ strlen (remote_id_addr_upper)
+ + strlen (remote_id_addr_lower) + 2,
+ sizeof (char));
+
+ strcpy (remote_id, remote_id_addr_lower);
+ remote_id[strlen (remote_id_addr_lower)] = '-';
+ strcpy (remote_id + strlen (remote_id_addr_lower) + 1,
+ remote_id_addr_upper);
+ break;
+
+ case IPSEC_ID_IPV4_ADDR_SUBNET:
+ remote_id_type = "IPv4 subnet";
+
+ net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ);
+ subnet = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4);
+ net &= subnet;
+ my_inet_ntop4 (&net, remote_id_addr_lower,
+ sizeof remote_id_addr_lower - 1, 1);
+ net |= ~subnet;
+ my_inet_ntop4 (&net, remote_id_addr_upper,
+ sizeof remote_id_addr_upper - 1, 1);
+ remote_id = calloc (strlen (remote_id_addr_upper)
+ + strlen (remote_id_addr_lower) + 2,
+ sizeof (char));
+ if (!remote_id)
+ log_fatal ("policy_callback: calloc (%d, %d) failed",
+ strlen (remote_id_addr_upper)
+ + strlen (remote_id_addr_lower) + 2,
+ sizeof (char));
+
+ strcpy (remote_id, remote_id_addr_lower);
+ remote_id[strlen (remote_id_addr_lower)] = '-';
+ strcpy (remote_id + strlen (remote_id_addr_lower) + 1,
+ remote_id_addr_upper);
+ break;
+
+ case IPSEC_ID_IPV6_ADDR: /* XXX we need decode_128 (). */
+ remote_id_type = "IPv6 address";
+ break;
+
+ case IPSEC_ID_IPV6_RANGE: /* XXX we need decode_128 (). */
+ remote_id_type = "IPv6 range";
+ break;
+
+ case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX we need decode_128 (). */
+ remote_id_type = "IPv6 address";
+ break;
+
+ case IPSEC_ID_FQDN:
+ remote_id_type = "FQDN";
+ remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 1,
+ sizeof (char));
+ if (!remote_id)
+ log_fatal ("policy_callback: calloc (%d, %d) failed",
+ id_sz - ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 1,
+ sizeof (char));
+ memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, id_sz);
+ break;
+
+ case IPSEC_ID_USER_FQDN:
+ remote_id_type = "User FQDN";
+ remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 1,
+ sizeof (char));
+ if (!remote_id)
+ log_fatal ("policy_callback: calloc (%d, %d) failed",
+ id_sz - ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 1,
+ sizeof (char));
+ memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, id_sz);
+ break;
+
+ case IPSEC_ID_DER_ASN1_DN: /* XXX -- not sure what's in this. */
+ remote_id_type = "ASN1 DN";
+ break;
+
+ case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */
+ remote_id_type = "ASN1 GN";
+ break;
+
+ case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */
+ remote_id_type = "Key ID";
+ break;
+
+ default:
+ log_print ("policy_callback: unknown remote ID type %d", id[0]);
+ return "";
+ }
+
+ switch (id[1])
+ {
+ case IPPROTO_TCP:
+ remote_id_proto = "tcp";
+ break;
+
+ case IPPROTO_UDP:
+ remote_id_proto = "udp";
+ break;
+ }
+
+ snprintf (remote_id_port, sizeof remote_id_port - 1, "%d",
+ decode_16 (id + 2));
+
+ /* Initialize the ID variables. */
+ if (ie->id_ci)
+ {
+ switch (GET_ISAKMP_ID_TYPE (ie->id_ci))
+ {
+ case IPSEC_ID_IPV4_ADDR:
+ remote_filter_type = "IPv4 address";
+
+ net = decode_32 (ie->id_ci + ISAKMP_ID_DATA_OFF);
+ my_inet_ntop4 (&net, remote_filter_addr_upper,
+ sizeof remote_filter_addr_upper - 1, 1);
+ my_inet_ntop4 (&net, remote_filter_addr_lower,
+ sizeof (remote_filter_addr_lower) - 1, 1);
+ remote_filter = strdup (remote_filter_addr_upper);
+ if (!remote_filter)
+ log_fatal ("policy_callback: strdup (\"%s\") failed",
+ remote_filter_addr_upper);
+ break;
+
+ case IPSEC_ID_IPV4_RANGE:
+ remote_filter_type = "IPv4 range";
+
+ net = decode_32 (ie->id_ci + ISAKMP_ID_DATA_OFF);
+ my_inet_ntop4 (&net, remote_filter_addr_lower,
+ sizeof remote_filter_addr_lower - 1, 1);
+ net = decode_32 (ie->id_ci + ISAKMP_ID_DATA_OFF + 4);
+ my_inet_ntop4 (&net, remote_filter_addr_upper,
+ sizeof remote_filter_addr_upper - 1, 1);
+ remote_filter = calloc (strlen (remote_filter_addr_upper)
+ + strlen (remote_filter_addr_lower) + 2,
+ sizeof (char));
+ if (!remote_filter)
+ log_fatal ("policy_callback: calloc (%d, %d) failed",
+ strlen (remote_filter_addr_upper)
+ + strlen (remote_filter_addr_lower) + 2,
+ sizeof (char));
+ strcpy (remote_filter, remote_filter_addr_lower);
+ remote_filter[strlen (remote_filter_addr_lower)] = '-';
+ strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1,
+ remote_filter_addr_upper);
+ break;
+
+ case IPSEC_ID_IPV4_ADDR_SUBNET:
+ remote_filter_type = "IPv4 subnet";
+
+ net = decode_32 (ie->id_ci + ISAKMP_ID_DATA_OFF);
+ subnet = decode_32 (ie->id_ci + ISAKMP_ID_DATA_OFF + 4);
+ net &= subnet;
+ my_inet_ntop4 (&net, remote_filter_addr_lower,
+ sizeof remote_filter_addr_lower - 1, 1);
+ net |= ~subnet;
+ my_inet_ntop4 (&net, remote_filter_addr_upper,
+ sizeof remote_filter_addr_upper - 1, 1);
+ remote_filter = calloc (strlen (remote_filter_addr_upper)
+ + strlen (remote_filter_addr_lower) + 2,
+ sizeof (char));
+ if (!remote_filter)
+ log_fatal ("policy_callback: calloc (%d, %d) failed",
+ strlen (remote_filter_addr_upper)
+ + strlen (remote_filter_addr_lower) + 2,
+ sizeof (char));
+ strcpy (remote_filter, remote_filter_addr_lower);
+ remote_filter[strlen (remote_filter_addr_lower)] = '-';
+ strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1,
+ remote_filter_addr_upper);
+ break;
+
+ case IPSEC_ID_IPV6_ADDR: /* XXX we need decode_128 (). */
+ remote_filter_type = "IPv6 address";
+ break;
+
+ case IPSEC_ID_IPV6_RANGE: /* XXX we need decode_128 (). */
+ remote_filter_type = "IPv6 range";
+ break;
+
+ case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX we need decode_128 (). */
+ remote_filter_type = "IPv6 address";
+ break;
+
+ case IPSEC_ID_FQDN:
+ remote_filter_type = "FQDN";
+ remote_filter = calloc (ie->id_ci_sz - ISAKMP_ID_DATA_OFF + 1,
+ sizeof (char));
+ if (!remote_filter)
+ log_fatal ("policy_callback: calloc (%d, %d) failed",
+ ie->id_ci_sz - ISAKMP_ID_DATA_OFF + 1,
+ sizeof (char));
+ memcpy (remote_filter, ie->id_ci + ISAKMP_ID_DATA_OFF,
+ ie->id_ci_sz);
+ break;
+
+ case IPSEC_ID_USER_FQDN:
+ remote_filter_type = "User FQDN";
+ remote_filter = calloc (ie->id_ci_sz - ISAKMP_ID_DATA_OFF + 1,
+ sizeof (char));
+ if (!remote_filter)
+ log_fatal ("policy_callback: calloc (%d, %d) failed",
+ ie->id_ci_sz - ISAKMP_ID_DATA_OFF + 1,
+ sizeof (char));
+ memcpy (remote_filter, ie->id_ci + ISAKMP_ID_DATA_OFF,
+ ie->id_ci_sz);
+ break;
+
+ case IPSEC_ID_DER_ASN1_DN: /* XXX -- not sure what's in this. */
+ remote_filter_type = "ASN1 DN";
+ break;
+
+ case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */
+ remote_filter_type = "ASN1 GN";
+ break;
+
+ case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */
+ remote_filter_type = "Key ID";
+ break;
+
+ default:
+ log_print ("policy_callback: unknown initiator ID type %d",
+ GET_ISAKMP_ID_TYPE (ie->id_ci));
+ return "";
+ }
+
+ switch (ie->id_ci[ISAKMP_GEN_SZ + 1])
+ {
+ case IPPROTO_TCP:
+ remote_filter_proto = "tcp";
+ break;
+
+ case IPPROTO_UDP:
+ remote_filter_proto = "udp";
+ break;
+ }
+
+ snprintf (remote_filter_port, sizeof remote_filter_port - 1,
+ "%d", decode_16 (ie->id_ci + ISAKMP_GEN_SZ + 2));
+ }
+ else
+ {
+ policy_sa->transport->vtbl->get_src (policy_sa->transport,
+ (struct sockaddr **) &sin,
+ &fmt);
+ remote_filter_type = "IPv4 address";
+
+ my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_filter_addr_upper,
+ sizeof remote_filter_addr_upper - 1, 0);
+ my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_filter_addr_lower,
+ sizeof remote_filter_addr_lower - 1, 1);
+ remote_filter = strdup (remote_filter_addr_upper);
+ if (!remote_filter)
+ log_fatal ("policy_callback: strdup (\"%s\") failed",
+ remote_filter_addr_upper);
+ }
+
+ if (ie->id_cr)
+ {
+ switch (GET_ISAKMP_ID_TYPE (ie->id_cr))
+ {
+ case IPSEC_ID_IPV4_ADDR:
+ local_filter_type = "IPv4 address";
+
+ net = decode_32 (ie->id_cr + ISAKMP_ID_DATA_OFF);
+ my_inet_ntop4 (&net, local_filter_addr_upper,
+ sizeof local_filter_addr_upper - 1, 1);
+ my_inet_ntop4 (&net, local_filter_addr_lower,
+ sizeof local_filter_addr_upper - 1, 1);
+ local_filter = strdup (local_filter_addr_upper);
+ if (!local_filter)
+ log_fatal ("policy_callback: strdup (\"%s\") failed",
+ local_filter_addr_upper);
+ break;
+
+ case IPSEC_ID_IPV4_RANGE:
+ local_filter_type = "IPv4 range";
+
+ net = decode_32 (ie->id_cr + ISAKMP_ID_DATA_OFF);
+ my_inet_ntop4 (&net, local_filter_addr_lower,
+ sizeof local_filter_addr_lower - 1, 1);
+ net = decode_32 (ie->id_cr + ISAKMP_ID_DATA_OFF + 4);
+ my_inet_ntop4 (&net, local_filter_addr_upper,
+ sizeof local_filter_addr_upper - 1, 1);
+ local_filter = calloc (strlen (local_filter_addr_upper)
+ + strlen (local_filter_addr_lower) + 2,
+ sizeof (char));
+ if (!local_filter)
+ log_fatal ("policy_callback: calloc (%d, %d) failed",
+ strlen (local_filter_addr_upper)
+ + strlen (local_filter_addr_lower) + 2,
+ sizeof (char));
+ strcpy (local_filter, local_filter_addr_lower);
+ local_filter[strlen (local_filter_addr_lower)] = '-';
+ strcpy (local_filter + strlen (local_filter_addr_lower) + 1,
+ local_filter_addr_upper);
+ break;
+
+ case IPSEC_ID_IPV4_ADDR_SUBNET:
+ local_filter_type = "IPv4 subnet";
+
+ net = decode_32 (ie->id_cr + ISAKMP_ID_DATA_OFF);
+ subnet = decode_32 (ie->id_cr + ISAKMP_ID_DATA_OFF + 4);
+ net &= subnet;
+ my_inet_ntop4 (&net, local_filter_addr_lower,
+ sizeof local_filter_addr_lower - 1, 1);
+ net |= ~subnet;
+ my_inet_ntop4 (&net, local_filter_addr_upper,
+ sizeof local_filter_addr_upper - 1, 1);
+ local_filter = calloc (strlen (local_filter_addr_upper)
+ + strlen (local_filter_addr_lower) + 2,
+ sizeof (char));
+ if (!local_filter)
+ log_fatal ("policy_callback: calloc (%d, %d) failed",
+ strlen (local_filter_addr_upper)
+ + strlen (local_filter_addr_lower) + 2,
+ sizeof (char));
+ strcpy (local_filter, local_filter_addr_lower);
+ local_filter[strlen (local_filter_addr_lower)] = '-';
+ strcpy (local_filter + strlen (local_filter_addr_lower) + 1,
+ local_filter_addr_upper);
+ break;
+
+ case IPSEC_ID_IPV6_ADDR: /* XXX we need decode_128 (). */
+ local_filter_type = "IPv6 address";
+ break;
+
+ case IPSEC_ID_IPV6_RANGE: /* XXX we need decode_128 (). */
+ local_filter_type = "IPv6 range";
+ break;
+
+ case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX we need decode_128 (). */
+ local_filter_type = "IPv6 address";
+ break;
+
+ case IPSEC_ID_FQDN:
+ local_filter_type = "FQDN";
+ local_filter = calloc (ie->id_cr_sz - ISAKMP_ID_DATA_OFF + 1,
+ sizeof (char));
+ if (!local_filter)
+ log_fatal ("policy_callback: calloc (%d, %d) failed",
+ ie->id_cr_sz - ISAKMP_ID_DATA_OFF + 1,
+ sizeof (char));
+ memcpy (local_filter, ie->id_cr + ISAKMP_ID_DATA_OFF,
+ ie->id_cr_sz);
+ break;
+
+ case IPSEC_ID_USER_FQDN:
+ local_filter_type = "User FQDN";
+ local_filter = calloc (ie->id_cr_sz - ISAKMP_ID_DATA_OFF + 1,
+ sizeof (char));
+ if (!local_filter)
+ log_fatal ("policy_callback: calloc (%d, %d) failed",
+ ie->id_cr_sz - ISAKMP_ID_DATA_OFF + 1,
+ sizeof (char));
+ memcpy (local_filter, ie->id_cr + ISAKMP_ID_DATA_OFF,
+ ie->id_cr_sz);
+ break;
+
+ case IPSEC_ID_DER_ASN1_DN: /* XXX -- not sure what's in this. */
+ local_filter_type = "ASN1 DN";
+ break;
+
+ case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */
+ local_filter_type = "ASN1 GN";
+ break;
+
+ case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */
+ local_filter_type = "Key ID";
+ break;
+
+ default:
+ log_print ("policy_callback: unknown responder ID type %d",
+ GET_ISAKMP_ID_TYPE (ie->id_cr));
+ return "";
+ }
+
+ switch (ie->id_cr[ISAKMP_GEN_SZ + 1])
+ {
+ case IPPROTO_TCP:
+ local_filter_proto = "tcp";
+ break;
+
+ case IPPROTO_UDP:
+ local_filter_proto = "udp";
+ break;
+ }
+
+ snprintf (local_filter_port, sizeof local_filter_port - 1,
+ "%d", decode_16 (ie->id_cr + ISAKMP_GEN_SZ + 2));
+ }
+ else
+ {
+ policy_sa->transport->vtbl->get_dst (policy_sa->transport,
+ (struct sockaddr **) &sin,
+ &fmt);
+ local_filter_type = "IPv4 address";
+
+ my_inet_ntop4 (&(sin->sin_addr.s_addr), local_filter_addr_upper,
+ sizeof local_filter_addr_upper - 1, 0);
+ my_inet_ntop4 (&(sin->sin_addr.s_addr), local_filter_addr_lower,
+ sizeof local_filter_addr_lower - 1, 1);
+ local_filter = strdup (local_filter_addr_upper);
+ if (!local_filter)
+ log_fatal ("policy_callback: strdup (\"%s\") failed",
+ local_filter_addr_upper);
+ }
+
+#if 0
+ printf ("esp_present == %s\n", esp_present);
+ printf ("ah_present == %s\n", ah_present);
+ printf ("comp_present == %s\n", comp_present);
+ printf ("ah_hash_alg == %s\n", ah_hash_alg);
+ printf ("esp_enc_alg == %s\n", esp_enc_alg);
+ printf ("comp_alg == %s\n", comp_alg);
+ printf ("ah_auth_alg == %s\n", ah_auth_alg);
+ printf ("esp_auth_alg == %s\n", esp_auth_alg);
+ printf ("ah_life_seconds == %s\n", ah_life_seconds);
+ printf ("ah_life_kbytes == %s\n", ah_life_kbytes);
+ printf ("esp_life_seconds == %s\n", esp_life_seconds);
+ printf ("esp_life_kbytes == %s\n", esp_life_kbytes);
+ printf ("comp_life_seconds == %s\n", comp_life_seconds);
+ printf ("comp_life_kbytes == %s\n", comp_life_kbytes);
+ printf ("ah_encapsulation == %s\n", ah_encapsulation);
+ printf ("esp_encapsulation == %s\n", esp_encapsulation);
+ printf ("comp_encapsulation == %s\n", comp_encapsulation);
+ printf ("comp_dict_size == %s\n", comp_dict_size);
+ printf ("comp_private_alg == %s\n", comp_private_alg);
+ printf ("ah_key_length == %s\n", ah_key_length);
+ printf ("ah_key_rounds == %s\n", ah_key_rounds);
+ printf ("esp_key_length == %s\n", esp_key_length);
+ printf ("esp_key_rounds == %s\n", esp_key_rounds);
+ printf ("ah_group_desc == %s\n", ah_group_desc);
+ printf ("esp_group_desc == %s\n", esp_group_desc);
+ printf ("comp_group_desc == %s\n", comp_group_desc);
+ printf ("remote_filter_type == %s\n", remote_filter_type);
+ printf ("remote_filter_addr_upper == %s\n", remote_filter_addr_upper);
+ printf ("remote_filter_addr_lower == %s\n", remote_filter_addr_lower);
+ printf ("remote_filter == %s\n", remote_filter);
+ printf ("remote_filter_port == %s\n", remote_filter_port);
+ printf ("remote_filter_proto == %s\n", remote_filter_proto);
+ printf ("local_filter_type == %s\n", local_filter_type);
+ printf ("local_filter_addr_upper == %s\n", local_filter_addr_upper);
+ printf ("local_filter_addr_lower == %s\n", local_filter_addr_lower);
+ printf ("local_filter == %s\n", local_filter);
+ printf ("local_filter_port == %s\n", local_filter_port);
+ printf ("local_filter_proto == %s\n", local_filter_proto);
+ printf ("remote_id_type == %s\n", remote_id_type);
+ printf ("remote_id_addr_upper == %s\n", remote_id_addr_upper);
+ printf ("remote_id_addr_lower == %s\n", remote_id_addr_lower);
+ printf ("remote_id == %s\n", remote_id);
+ printf ("remote_id_port == %s\n", remote_id_port);
+ printf ("remote_id_proto == %s\n", remote_id_proto);
+ printf ("remote_ike_address == %s\n", remote_ike_address);
+ printf ("local_ike_address == %s\n", local_ike_address);
+#endif /* 0 */
+
+ /* Unset dirty now. */
+ dirty = 0;
+ }
if (strcmp (name, "app_domain") == 0)
return "IPsec policy";
@@ -492,13 +1104,13 @@ policy_callback (char *name)
if (strcmp (name, "esp_present") == 0)
return esp_present;
-
+
if (strcmp (name, "ah_present") == 0)
return ah_present;
-
+
if (strcmp (name, "comp_present") == 0)
return comp_present;
-
+
if (strcmp (name, "ah_hash_alg") == 0)
return ah_hash_alg;
@@ -509,79 +1121,115 @@ policy_callback (char *name)
return esp_auth_alg;
if (strcmp (name, "esp_enc_alg") == 0)
- return esp_enc_alg;
+ return esp_enc_alg;
if (strcmp (name, "comp_alg") == 0)
return comp_alg;
-
+
if (strcmp (name, "ah_life_kbytes") == 0)
return ah_life_kbytes;
-
+
if (strcmp (name, "ah_life_seconds") == 0)
return ah_life_seconds;
-
+
if (strcmp (name, "esp_life_kbytes") == 0)
return ah_life_kbytes;
-
+
if (strcmp (name, "esp_life_seconds") == 0)
return ah_life_seconds;
-
+
if (strcmp (name, "comp_life_kbytes") == 0)
return comp_life_kbytes;
-
+
if (strcmp (name, "comp_life_seconds") == 0)
return comp_life_seconds;
-
+
if (strcmp (name, "ah_encapsulation") == 0)
return ah_encapsulation;
-
+
if (strcmp (name, "esp_encapsulation") == 0)
return esp_encapsulation;
-
+
if (strcmp (name, "comp_encapsulation") == 0)
return comp_encapsulation;
-
+
if (strcmp (name, "ah_key_length") == 0)
return ah_key_length;
-
+
if (strcmp (name, "ah_key_rounds") == 0)
return ah_key_rounds;
if (strcmp (name, "esp_key_length") == 0)
return esp_key_length;
-
+
if (strcmp (name, "esp_key_rounds") == 0)
return esp_key_rounds;
-
+
if (strcmp (name, "comp_dict_size") == 0)
return comp_dict_size;
-
+
if (strcmp (name, "comp_private_alg") == 0)
return comp_private_alg;
- if (strcmp (name, "id_initiator_type") == 0)
- return id_initiator_type;
+ if (strcmp (name, "remote_filter_type") == 0)
+ return remote_filter_type;
+
+ if (strcmp (name, "remote_filter") == 0)
+ return remote_filter;
+
+ if (strcmp (name, "remote_filter_addr_upper") == 0)
+ return remote_filter_addr_upper;
+
+ if (strcmp (name, "remote_filter_addr_lower") == 0)
+ return remote_filter_addr_lower;
+
+ if (strcmp (name, "remote_filter_port") == 0)
+ return remote_filter_port;
+
+ if (strcmp (name, "remote_filter_proto") == 0)
+ return remote_filter_proto;
- if (strcmp (name, "id_initiator") == 0)
- return id_initiator;
+ if (strcmp (name, "local_filter_type") == 0)
+ return local_filter_type;
- if (strcmp (name, "id_initiator_addr_upper") == 0)
- return id_initiator_addr_upper;
+ if (strcmp (name, "local_filter") == 0)
+ return local_filter;
- if (strcmp (name, "id_initiator_addr_lower") == 0)
- return id_initiator_addr_lower;
+ if (strcmp (name, "local_filter_addr_upper") == 0)
+ return local_filter_addr_upper;
- if (strcmp (name, "id_responder_type") == 0)
- return id_responder_type;
+ if (strcmp (name, "local_filter_addr_lower") == 0)
+ return local_filter_addr_lower;
- if (strcmp (name, "id_responder") == 0)
- return id_responder;
+ if (strcmp (name, "local_filter_port") == 0)
+ return local_filter_port;
- if (strcmp (name, "id_responder_addr_upper") == 0)
- return id_responder_addr_upper;
+ if (strcmp (name, "local_filter_proto") == 0)
+ return local_filter_proto;
- if (strcmp (name, "id_responder_addr_lower") == 0)
- return id_responder_addr_lower;
+ if (strcmp (name, "remote_ike_address") == 0)
+ return remote_ike_address;
+
+ if (strcmp (name, "local_ike_address") == 0)
+ return local_ike_address;
+
+ if (strcmp (name, "remote_id_type") == 0)
+ return remote_id_type;
+
+ if (strcmp (name, "remote_id") == 0)
+ return remote_id;
+
+ if (strcmp (name, "remote_id_addr_upper") == 0)
+ return remote_id_addr_upper;
+
+ if (strcmp (name, "remote_id_addr_lower") == 0)
+ return remote_id_addr_lower;
+
+ if (strcmp (name, "remote_id_port") == 0)
+ return remote_id_port;
+
+ if (strcmp (name, "remote_id_proto") == 0)
+ return remote_id_proto;
return "";
}
@@ -596,65 +1244,79 @@ policy_init (void)
log_debug (LOG_MISC, 50, "policy_init: initializing");
- /* If there exists a session already, release all its resources */
+#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE)
+ if (!dyn_load (libkeynote_script))
+ return;
+#endif
+
+ /* If there exists a session already, release all its resources. */
if (keynote_sessid != -1)
- kn_close (keynote_sessid);
+ LK (kn_close, (keynote_sessid));
- /* Initialize a session */
- keynote_sessid = kn_init ();
+ /* Initialize a session. */
+ keynote_sessid = LK (kn_init, ());
if (keynote_sessid == -1)
- log_fatal ("kn_init()");
+ log_fatal ("policy_init: kn_init () failed");
- /* Get policy file from configuration */
+ /* Get policy file from configuration. */
policy_file = conf_get_str ("General", "policy-file");
if (!policy_file)
policy_file = POLICY_FILE_DEFAULT;
- /* Open policy file */
+ /* Open policy file. */
fd = open (policy_file, O_RDONLY);
if (fd == -1)
- log_fatal ("open (\"%s\", O_RDONLY)", policy_file);
+ log_fatal ("policy_init: open (\"%s\", O_RDONLY) failed", policy_file);
- /* Get size */
+ /* Get size. */
if (fstat (fd, &st) == -1)
- log_fatal ("fstat (%d, &st)", fd);
+ log_fatal ("policy_init: fstat (%d, &st) failed", fd);
- /* Allocate memory to keep policies */
+ /* Allocate memory to keep policies. */
ptr = calloc (st.st_size + 1, sizeof (char));
if (!ptr)
- log_fatal ("calloc (%d, %d)", st.st_size, sizeof (char));
+ log_fatal ("policy_init: calloc (%d, %d) failed", st.st_size,
+ sizeof (char));
- /* Just in case there's short reads... */
+ /* Just in case there are short reads... */
for (len = 0; len < st.st_size; len += i)
- if ((i = read (fd, ptr + len, st.st_size - len)) == -1)
- log_fatal ("read (%d, %p, %d)", fd, ptr + len, st.st_size - len);
+ {
+ i = read (fd, ptr + len, st.st_size - len);
+ if (i == -1)
+ log_fatal ("policy_init: read (%d, %p, %d) failed", fd, ptr + len,
+ st.st_size - len);
+ }
- /* We're done with this */
+ /* We're done with this. */
close (fd);
- /* Parse buffer, break up into individual policies */
- asserts = kn_read_asserts (ptr, st.st_size, &i);
+ /* Parse buffer, break up into individual policies. */
+ asserts = LK (kn_read_asserts, (ptr, st.st_size, &i));
- /* Begone */
+ /* Begone! */
free (ptr);
- /* Add each individual policy in the session */
+ /* Add each individual policy in the session. */
for (fd = 0; fd < i; fd++)
- {
- if (kn_add_assertion (keynote_sessid, asserts[fd], strlen (asserts[fd]),
- ASSERT_FLAG_LOCAL) == -1)
- log_fatal ("kn_add_assertion (%d, %p, %d, ASSERT_FLAG_LOCAL)",
+ {
+ if (LK (kn_add_assertion, (keynote_sessid, asserts[fd],
+ strlen (asserts[fd]), ASSERT_FLAG_LOCAL))
+ == -1)
+ log_print ("policy_init: "
+ "kn_add_assertion (%d, %p, %d, ASSERT_FLAG_LOCAL) failed",
keynote_sessid, asserts[fd], strlen (asserts[fd]));
free (asserts[fd]);
- }
+ }
if (asserts)
free (asserts);
- /* Add the callback that will handle attributes */
- if (kn_add_action (keynote_sessid, ".*", (char *) policy_callback,
- ENVIRONMENT_FLAG_FUNC | ENVIRONMENT_FLAG_REGEX) == -1)
- log_fatal ("kn_add_action (%d, \".*\", %p, FUNC | REGEX)",
+ /* Add the callback that will handle attributes. */
+ if (LK (kn_add_action, (keynote_sessid, ".*", (char *) policy_callback,
+ ENVIRONMENT_FLAG_FUNC | ENVIRONMENT_FLAG_REGEX))
+ == -1)
+ log_fatal ("policy_init: "
+ "kn_add_action (%d, \".*\", %p, FUNC | REGEX) failed",
keynote_sessid, policy_callback);
}