1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
|
/* error logging functions
* Copyright (C) 1997 Angelos D. Keromytis.
* Copyright (C) 1998-2001,2013 D. Hugh Redelmeier <hugh@mimosa.com>
* Copyright (C) 2005-2007 Michael Richardson
* Copyright (C) 2006-2010 Bart Trojanowski
* Copyright (C) 2008-2012 Paul Wouters
* Copyright (C) 2008-2010 David McCullough.
* Copyright (C) 2012 Paul Wouters <paul@libreswan.org>
* Copyright (C) 2013,2015 Paul Wouters <pwouters@redhat.com>
* Copyright (C) 2013 Tuomo Soini <tis@foobar.fi>
* Copyright (C) 2017-2019 Andrew Cagney <cagney@gnu.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <https://www.gnu.org/licenses/gpl2.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <syslog.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <signal.h> /* used only if MSG_NOSIGNAL not defined */
#include <libgen.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include "sysdep.h"
#include "constants.h"
#include "lswconf.h"
#include "fips_mode.h"
#include "defs.h"
#include "log.h"
#include "server.h"
#include "state.h"
#include "id.h"
#include "x509.h"
#include "certs.h"
#include "connections.h" /* needs id.h */
#include "kernel.h" /* needs connections.h */
#include "whack.h" /* needs connections.h */
#include "timer.h"
#include "kernel_alg.h"
#include "ike_alg.h"
#include "ike_alg_integ.h"
#include "plutoalg.h"
/* for show_virtual_private: */
#include "crypto.h"
#include "ip_address.h" /* for jam_address */
#include "pluto_stats.h"
#ifndef USE_LINUX_AUDIT
void linux_audit_conn(const struct state *st UNUSED, enum linux_audit_kind op UNUSED)
{
return;
}
#else
#include <libaudit.h>
void linux_audit_init(int do_audit, struct logger *logger)
{
llog(RC_LOG, logger, "Linux audit support [enabled]");
/* test and log if audit is enabled on the system */
int audit_fd;
audit_fd = audit_open();
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT) {
llog(RC_LOG, logger,
"Warning: kernel has no audit support");
close(audit_fd);
log_to_audit = false;
return;
} else {
fatal_errno(PLUTO_EXIT_AUDIT_FAIL, logger, errno,
"audit_open() failed");
}
} else {
if (do_audit)
log_to_audit = true;
}
close(audit_fd);
if (do_audit)
llog(RC_LOG, logger, "Linux audit activated");
}
static void linux_audit(const int type, const char *message, const char *laddr, const int result,
struct logger *logger)
{
int audit_fd, rc;
audit_fd = audit_open();
if (audit_fd < 0) {
fatal_errno(PLUTO_EXIT_AUDIT_FAIL, logger, errno,
"audit_open() failed");
}
/*
* audit_log_user_message() - log a general user message
*
* audit_fd - The fd returned by audit_open
* type - type of message, ex: AUDIT_USYS_CONFIG, AUDIT_USER_LOGIN
* message - the message text being sent
* hostname - the hostname if known, NULL if unknown
* addr - The network address of the user, NULL if unknown
* tty - The tty of the user, if NULL will attempt to figure out
* result - 1 is "success" and 0 is "failed"
*
* We log the remoteid instead of hostname
*/
rc = audit_log_user_message(audit_fd, type, message, NULL, laddr, NULL, result);
close(audit_fd);
if (rc < 0) {
fatal_errno(PLUTO_EXIT_AUDIT_FAIL, logger, errno,
"audit log failed");
}
}
/*
* any admin/network strings but go through audit_encode_nv_string()
*/
void linux_audit_conn(const struct state *st, enum linux_audit_kind op)
{
if (!log_to_audit) {
return;
}
char audit_str[AUDIT_LOG_SIZE];
struct jambuf buf = ARRAY_AS_JAMBUF(audit_str);
struct connection *const c = st->st_connection;
/* we need to free() this */
char *conn_encode = audit_encode_nv_string("conn-name", c->name, 0);
switch (op) {
case LAK_PARENT_START:
case LAK_PARENT_DESTROY:
case LAK_PARENT_FAIL:
{
/* head */
jam(&buf, "op=%s direction=%s %s connstate=%lu ike-version=%s",
op == LAK_PARENT_DESTROY ? "destroy" : "start", /* fail to start logged under op=start */
(st->st_sa_role == SA_INITIATOR ? "initiator" :
st->st_sa_role == SA_RESPONDER ? "responder" :
"????"),
conn_encode,
st->st_serialno,
(st->st_ike_version == IKEv2) ? "2.0" : "1");
jam(&buf, " auth=");
if (st->st_ike_version == IKEv2 ||
op == LAK_PARENT_FAIL) {
/*
* XXX: is this reliable; it's the intent not
* result. Is local correct?
*/
struct authby authby = c->local->host.config->authby;
jam_string(&buf, ((authby.psk) ? "PRESHARED_KEY" :
(authby.rsasig) ? "RSA_SIG" :
(authby.rsasig_v1_5) ? "RSA_SIG" :
(authby.ecdsa) ? "ECDSA" : "unknown"));
} else {
jam_enum_short(&buf, &oakley_auth_names, st->st_oakley.auth);
}
jam(&buf, " cipher=%s ksize=%d",
(st->st_oakley.ta_encrypt == NULL ? "none"
: st->st_oakley.ta_encrypt->encrypt_ike_audit_name),
st->st_oakley.enckeylen);
const char *prfname = (st->st_oakley.ta_prf == NULL ? "none"
: st->st_oakley.ta_prf->prf_ike_audit_name);
jam(&buf, " integ=");
if (st->st_oakley.ta_integ == &ike_alg_integ_none) {
/*
* XXX: dead code path? IKEv1 can't do
* INTEG==NONE; "none"'s name is "none".
*/
if (st->st_ike_version == IKEv1) {
/* IKE takes integ from prf, except of course gcm */
/* but IANA doesn't define gcm for IKE, only for ESP */
jam_string(&buf, prfname);
} else {
jam(&buf, "none");
}
} else if (st->st_oakley.ta_integ != NULL) {
/*
* XXX: merge bit-size into audit_name?
*/
jam(&buf, "%s_%zu",
st->st_oakley.ta_integ->integ_ike_audit_name,
st->st_oakley.ta_integ->integ_output_size * BITS_IN_BYTE);
} else {
/*
* XXX: dead code path? Integ is never NULL?
*/
if (st->st_ike_version == IKEv1) {
/* IKE takes integ from prf, except of course gcm */
/* but IANA doesn't define gcm for IKE, only for ESP */
jam_string(&buf, prfname);
} else {
jam(&buf, "none");
}
}
jam(&buf, " prf=%s", prfname); /* could be "none" */
jam(&buf, " pfs=%s", (st->st_oakley.ta_dh == NULL ? "none"
: st->st_oakley.ta_dh->common.fqn));
/* XXX: empty SPI to keep tests happy */
jam(&buf, " ");
break;
}
case LAK_CHILD_START:
case LAK_CHILD_DESTROY:
case LAK_CHILD_FAIL:
{
/* head */
jam(&buf, "op=%s %s connstate=%lu, satype=%s",
op == LAK_CHILD_DESTROY ? "destroy" : "start", /* fail uses op=start */
conn_encode,
st->st_serialno,
st->st_esp.protocol == &ip_protocol_esp ? "ipsec-esp" : st->st_ah.protocol == &ip_protocol_ah ? "ipsec-ah" : "ipsec-policy");
jam_string(&buf, " samode=");
jam_enum_short(&buf, &encap_mode_story, c->config->child_sa.encap_mode);
/*
* XXX: Instead of IKEv1_ESP_ID, this should use
* ->common.fqn or ->common.officname; however that
* means changing the output. So leave it roughly as
* is for now.
*/
const struct ipsec_proto_info *pi;
const struct encrypt_desc *encrypt;
const struct integ_desc *integ;
unsigned enckeylen;
if (st->st_esp.protocol == &ip_protocol_esp) {
pi = &st->st_esp;
encrypt = st->st_esp.trans_attrs.ta_encrypt;
integ = st->st_esp.trans_attrs.ta_integ;
enckeylen = st->st_esp.trans_attrs.enckeylen;
} else if (st->st_ah.protocol == &ip_protocol_ah) {
pi = &st->st_ah;
encrypt = NULL;
integ = st->st_ah.trans_attrs.ta_integ;
enckeylen = 0;
} else {
pi = &st->st_esp; /* hack: will yield zero SPIs, I think */
encrypt = NULL;
integ = NULL;
enckeylen = 0;
}
jam(&buf, " cipher=%s ksize=%u integ=%s",
(encrypt == NULL ? "none" : encrypt->encrypt_kernel_audit_name),
enckeylen,
(integ == NULL ? "none" : integ->integ_kernel_audit_name));
/* note: each arg appears twice because it is printed two ways */
jam(&buf, " in-spi=%" PRIu32 "(0x%08" PRIu32 ") out-spi=%" PRIu32 "(0x%08" PRIu32 ") in-ipcomp=%" PRIu32 "(0x%08" PRIu32 ") out-ipcomp=%" PRIu32 "(0x%08" PRIu32 ")",
ntohl(pi->outbound.spi),
ntohl(pi->outbound.spi),
ntohl(pi->inbound.spi),
ntohl(pi->inbound.spi),
ntohl(st->st_ipcomp.outbound.spi), /* zero if missing */
ntohl(st->st_ipcomp.outbound.spi), /* zero if missing */
ntohl(st->st_ipcomp.inbound.spi), /* zero if missing */
ntohl(st->st_ipcomp.inbound.spi)); /* zero if missing */
break;
}
default:
bad_case(op);
}
free(conn_encode); /* allocated by audit_encode_nv_string() */
/* note laddr_buf and laddr at same scope */
address_buf laddr_buf;
const char *laddr = str_address(&c->local->host.addr, &laddr_buf);
jam(&buf, " raddr=");
jam_address(&buf, &c->remote->host.addr);
linux_audit((op == LAK_CHILD_START || op == LAK_CHILD_DESTROY || op == LAK_CHILD_FAIL) ?
AUDIT_CRYPTO_IPSEC_SA : AUDIT_CRYPTO_IKE_SA,
audit_str, laddr,
(op == LAK_PARENT_FAIL || op == LAK_CHILD_FAIL) ? AUDIT_RESULT_FAIL : AUDIT_RESULT_OK,
st->logger);
}
#if __GNUC__ >= 7
#pragma GCC diagnostic pop
#endif
#endif
|
