1 /* $OpenBSD: policy.c,v 1.31 2014/02/21 20:52:38 markus Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * Copyright (c) 2001 Daniel Hartmeier 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/param.h> 21 #include <sys/queue.h> 22 #include <sys/socket.h> 23 #include <sys/uio.h> 24 #include <sys/tree.h> 25 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <unistd.h> 29 #include <string.h> 30 #include <errno.h> 31 #include <fcntl.h> 32 #include <event.h> 33 34 #include "iked.h" 35 #include "ikev2.h" 36 37 static __inline int 38 sa_cmp(struct iked_sa *, struct iked_sa *); 39 static __inline int 40 user_cmp(struct iked_user *, struct iked_user *); 41 static __inline int 42 childsa_cmp(struct iked_childsa *, struct iked_childsa *); 43 static __inline int 44 flow_cmp(struct iked_flow *, struct iked_flow *); 45 46 47 void 48 policy_init(struct iked *env) 49 { 50 TAILQ_INIT(&env->sc_policies); 51 RB_INIT(&env->sc_users); 52 RB_INIT(&env->sc_sas); 53 RB_INIT(&env->sc_activesas); 54 RB_INIT(&env->sc_activeflows); 55 } 56 57 int 58 policy_lookup(struct iked *env, struct iked_message *msg) 59 { 60 struct iked_policy pol; 61 char *s, idstr[IKED_ID_SIZE]; 62 63 64 if (msg->msg_sa != NULL && msg->msg_sa->sa_policy != NULL) { 65 /* Existing SA with policy */ 66 msg->msg_policy = msg->msg_sa->sa_policy; 67 goto found; 68 } 69 70 bzero(&pol, sizeof(pol)); 71 pol.pol_af = msg->msg_peer.ss_family; 72 memcpy(&pol.pol_peer.addr, &msg->msg_peer, sizeof(msg->msg_peer)); 73 memcpy(&pol.pol_local.addr, &msg->msg_local, sizeof(msg->msg_local)); 74 if (msg->msg_id.id_type && 75 ikev2_print_id(&msg->msg_id, idstr, IKED_ID_SIZE) == 0 && 76 (s = strchr(idstr, '/')) != NULL) { 77 pol.pol_peerid.id_type = msg->msg_id.id_type; 78 pol.pol_peerid.id_length = strlen(s+1); 79 strlcpy(pol.pol_peerid.id_data, s+1, 80 sizeof(pol.pol_peerid.id_data)); 81 log_debug("%s: peerid '%s'", __func__, s+1); 82 } 83 84 /* Try to find a matching policy for this message */ 85 if ((msg->msg_policy = policy_test(env, &pol)) != NULL) 86 goto found; 87 88 /* No matching policy found, try the default */ 89 if ((msg->msg_policy = env->sc_defaultcon) != NULL) 90 goto found; 91 92 /* No policy found */ 93 return (-1); 94 95 found: 96 return (0); 97 } 98 99 struct iked_policy * 100 policy_test(struct iked *env, struct iked_policy *key) 101 { 102 struct iked_policy *p = NULL, *pol = NULL; 103 struct iked_flow *flow = NULL, *flowkey; 104 u_int cnt = 0; 105 106 p = TAILQ_FIRST(&env->sc_policies); 107 while (p != NULL) { 108 cnt++; 109 if (p->pol_flags & IKED_POLICY_SKIP) 110 p = p->pol_skip[IKED_SKIP_FLAGS]; 111 else if (key->pol_af && p->pol_af && 112 key->pol_af != p->pol_af) 113 p = p->pol_skip[IKED_SKIP_AF]; 114 else if (key->pol_ipproto && p->pol_ipproto && 115 key->pol_ipproto != p->pol_ipproto) 116 p = p->pol_skip[IKED_SKIP_PROTO]; 117 else if (sockaddr_cmp((struct sockaddr *)&key->pol_peer.addr, 118 (struct sockaddr *)&p->pol_peer.addr, 119 p->pol_peer.addr_mask) != 0) 120 p = p->pol_skip[IKED_SKIP_DST_ADDR]; 121 else if (sockaddr_cmp((struct sockaddr *)&key->pol_local.addr, 122 (struct sockaddr *)&p->pol_local.addr, 123 p->pol_local.addr_mask) != 0) 124 p = p->pol_skip[IKED_SKIP_SRC_ADDR]; 125 else { 126 /* 127 * Check if a specific flow is requested 128 * (eg. for acquire messages from the kernel) 129 * and find a matching flow. 130 */ 131 if (key->pol_nflows && 132 (flowkey = RB_MIN(iked_flows, 133 &key->pol_flows)) != NULL && 134 (flow = RB_FIND(iked_flows, &p->pol_flows, 135 flowkey)) == NULL) { 136 p = TAILQ_NEXT(p, pol_entry); 137 continue; 138 } 139 /* make sure the peer ID matches */ 140 if (key->pol_peerid.id_type && 141 (key->pol_peerid.id_type != p->pol_peerid.id_type || 142 memcmp(key->pol_peerid.id_data, 143 p->pol_peerid.id_data, 144 sizeof(key->pol_peerid.id_data)) != 0)) { 145 p = TAILQ_NEXT(p, pol_entry); 146 continue; 147 } 148 149 /* Policy matched */ 150 pol = p; 151 152 if (pol->pol_flags & IKED_POLICY_QUICK) 153 break; 154 155 /* Continue to find last matching policy */ 156 p = TAILQ_NEXT(p, pol_entry); 157 } 158 } 159 160 return (pol); 161 } 162 163 #define IKED_SET_SKIP_STEPS(i) \ 164 do { \ 165 while (head[i] != cur) { \ 166 head[i]->pol_skip[i] = cur; \ 167 head[i] = TAILQ_NEXT(head[i], pol_entry); \ 168 } \ 169 } while (0) 170 171 /* This code is derived from pf_calc_skip_steps() from pf.c */ 172 void 173 policy_calc_skip_steps(struct iked_policies *policies) 174 { 175 struct iked_policy *head[IKED_SKIP_COUNT], *cur, *prev; 176 int i; 177 178 cur = TAILQ_FIRST(policies); 179 prev = cur; 180 for (i = 0; i < IKED_SKIP_COUNT; ++i) 181 head[i] = cur; 182 while (cur != NULL) { 183 if (cur->pol_flags & IKED_POLICY_SKIP) 184 IKED_SET_SKIP_STEPS(IKED_SKIP_FLAGS); 185 else if (cur->pol_af != AF_UNSPEC && 186 prev->pol_af != AF_UNSPEC && 187 cur->pol_af != prev->pol_af) 188 IKED_SET_SKIP_STEPS(IKED_SKIP_AF); 189 else if (cur->pol_ipproto && prev->pol_ipproto && 190 cur->pol_ipproto != prev->pol_ipproto) 191 IKED_SET_SKIP_STEPS(IKED_SKIP_PROTO); 192 else if (IKED_ADDR_NEQ(&cur->pol_peer, &prev->pol_peer)) 193 IKED_SET_SKIP_STEPS(IKED_SKIP_DST_ADDR); 194 else if (IKED_ADDR_NEQ(&cur->pol_local, &prev->pol_local)) 195 IKED_SET_SKIP_STEPS(IKED_SKIP_SRC_ADDR); 196 197 prev = cur; 198 cur = TAILQ_NEXT(cur, pol_entry); 199 } 200 for (i = 0; i < IKED_SKIP_COUNT; ++i) 201 IKED_SET_SKIP_STEPS(i); 202 } 203 204 void 205 policy_ref(struct iked *env, struct iked_policy *pol) 206 { 207 pol->pol_refcnt++; 208 pol->pol_flags |= IKED_POLICY_REFCNT; 209 } 210 211 void 212 policy_unref(struct iked *env, struct iked_policy *pol) 213 { 214 if (pol == NULL || (pol->pol_flags & IKED_POLICY_REFCNT) == 0) 215 return; 216 if (--(pol->pol_refcnt) <= 0) 217 config_free_policy(env, pol); 218 } 219 220 void 221 sa_state(struct iked *env, struct iked_sa *sa, int state) 222 { 223 const char *a; 224 const char *b; 225 226 a = print_map(sa->sa_state, ikev2_state_map); 227 b = print_map(state, ikev2_state_map); 228 229 if (state > sa->sa_state) { 230 switch (state) { 231 case IKEV2_STATE_ESTABLISHED: 232 case IKEV2_STATE_CLOSED: 233 log_info("%s: %s -> %s from %s to %s policy '%s'", 234 __func__, a, b, 235 print_host((struct sockaddr *)&sa->sa_peer.addr, 236 NULL, 0), 237 print_host((struct sockaddr *)&sa->sa_local.addr, 238 NULL, 0), 239 sa->sa_policy->pol_name); 240 break; 241 default: 242 log_debug("%s: %s -> %s", __func__, a, b); 243 break; 244 } 245 } 246 247 sa->sa_state = state; 248 } 249 250 void 251 sa_stateflags(struct iked_sa *sa, u_int flags) 252 { 253 u_int require; 254 255 if (sa->sa_state > IKEV2_STATE_SA_INIT) 256 require = sa->sa_statevalid; 257 else 258 require = sa->sa_stateinit; 259 260 log_debug("%s: 0x%02x -> 0x%02x %s (required 0x%02x %s)", __func__, 261 sa->sa_stateflags, sa->sa_stateflags | flags, 262 print_bits(sa->sa_stateflags | flags, IKED_REQ_BITS), require, 263 print_bits(require, IKED_REQ_BITS)); 264 265 sa->sa_stateflags |= flags; 266 } 267 268 int 269 sa_stateok(struct iked_sa *sa, int state) 270 { 271 u_int require; 272 273 if (sa->sa_state < state) 274 return (0); 275 276 if (state == IKEV2_STATE_SA_INIT) 277 require = sa->sa_stateinit; 278 else 279 require = sa->sa_statevalid; 280 281 if (state == IKEV2_STATE_SA_INIT || 282 state == IKEV2_STATE_VALID || 283 state == IKEV2_STATE_EAP) { 284 log_debug("%s: %s flags 0x%02x, require 0x%02x %s", __func__, 285 print_map(state, ikev2_state_map), 286 (sa->sa_stateflags & require), require, 287 print_bits(require, IKED_REQ_BITS)); 288 289 if ((sa->sa_stateflags & require) != require) 290 return (0); /* not ready, ignore */ 291 } 292 return (1); 293 } 294 295 struct iked_sa * 296 sa_new(struct iked *env, u_int64_t ispi, u_int64_t rspi, 297 u_int initiator, struct iked_policy *pol) 298 { 299 struct iked_sa *sa; 300 struct iked_sa *old; 301 struct iked_id *localid; 302 u_int diff; 303 304 if ((ispi == 0 && rspi == 0) || 305 (sa = sa_lookup(env, ispi, rspi, initiator)) == NULL) { 306 /* Create new SA */ 307 sa = config_new_sa(env, initiator); 308 } 309 if (sa == NULL) { 310 log_debug("%s: failed to get sa", __func__); 311 return (NULL); 312 } 313 if (sa->sa_policy == NULL) 314 sa->sa_policy = pol; 315 else 316 pol = sa->sa_policy; 317 318 sa->sa_statevalid = IKED_REQ_AUTH|IKED_REQ_SA; 319 if (pol != NULL && pol->pol_auth.auth_eap) { 320 sa->sa_statevalid |= IKED_REQ_CERT; 321 } else if (pol != NULL && pol->pol_auth.auth_method != 322 IKEV2_AUTH_SHARED_KEY_MIC) { 323 sa->sa_statevalid |= IKED_REQ_VALID|IKED_REQ_CERT; 324 } 325 326 if (initiator) { 327 localid = &sa->sa_iid; 328 diff = IKED_REQ_VALID|IKED_REQ_SA; 329 sa->sa_stateinit = sa->sa_statevalid & ~diff; 330 sa->sa_statevalid = sa->sa_statevalid & diff; 331 } else 332 localid = &sa->sa_rid; 333 334 if (!ibuf_length(localid->id_buf) && pol != NULL && 335 ikev2_policy2id(&pol->pol_localid, localid, 1) != 0) { 336 log_debug("%s: failed to get local id", __func__); 337 sa_free(env, sa); 338 return (NULL); 339 } 340 341 if (sa->sa_hdr.sh_ispi == 0) 342 sa->sa_hdr.sh_ispi = ispi; 343 if (sa->sa_hdr.sh_rspi == 0) 344 sa->sa_hdr.sh_rspi = rspi; 345 346 /* Re-insert node into the tree */ 347 old = RB_INSERT(iked_sas, &env->sc_sas, sa); 348 if (old && old != sa) { 349 log_debug("%s: duplicate ikesa", __func__); 350 sa_free(env, sa); 351 return (NULL); 352 } 353 354 return (sa); 355 } 356 357 void 358 sa_free(struct iked *env, struct iked_sa *sa) 359 { 360 log_debug("%s: ispi %s rspi %s", __func__, 361 print_spi(sa->sa_hdr.sh_ispi, 8), 362 print_spi(sa->sa_hdr.sh_rspi, 8)); 363 364 config_free_sa(env, sa); 365 } 366 367 void 368 sa_free_flows(struct iked *env, struct iked_saflows *head) 369 { 370 struct iked_flow *flow, *next; 371 372 for (flow = TAILQ_FIRST(head); flow != NULL; flow = next) { 373 next = TAILQ_NEXT(flow, flow_entry); 374 375 log_debug("%s: free %p", __func__, flow); 376 377 if (flow->flow_loaded) 378 RB_REMOVE(iked_flows, &env->sc_activeflows, flow); 379 TAILQ_REMOVE(head, flow, flow_entry); 380 (void)pfkey_flow_delete(env->sc_pfkey, flow); 381 flow_free(flow); 382 } 383 } 384 385 386 int 387 sa_address(struct iked_sa *sa, struct iked_addr *addr, 388 struct sockaddr_storage *peer, int initiator) 389 { 390 struct iked_policy *pol = sa->sa_policy; 391 392 if (pol == NULL) { 393 log_debug("%s: invalid policy", __func__); 394 return (-1); 395 } 396 397 bzero(addr, sizeof(*addr)); 398 addr->addr_af = peer->ss_family; 399 addr->addr_port = htons(socket_getport((struct sockaddr *)peer)); 400 memcpy(&addr->addr, peer, sizeof(*peer)); 401 if (socket_af((struct sockaddr *)&addr->addr, addr->addr_port) == -1) { 402 log_debug("%s: invalid address", __func__); 403 return (-1); 404 } 405 406 if (addr == &sa->sa_peer) { 407 /* XXX Re-insert node into the tree */ 408 RB_REMOVE(iked_sapeers, &pol->pol_sapeers, sa); 409 memcpy(&sa->sa_polpeer, initiator ? &pol->pol_peer : 410 &sa->sa_peer, sizeof(sa->sa_polpeer)); 411 RB_INSERT(iked_sapeers, &pol->pol_sapeers, sa); 412 } 413 414 return (0); 415 } 416 417 void 418 childsa_free(struct iked_childsa *csa) 419 { 420 if (csa->csa_children) { 421 /* XXX should not happen */ 422 log_warnx("%s: trying to remove CSA %p children %u", 423 __func__, csa, csa->csa_children); 424 return; 425 } 426 if (csa->csa_parent) 427 csa->csa_parent->csa_children--; 428 ibuf_release(csa->csa_encrkey); 429 ibuf_release(csa->csa_integrkey); 430 free(csa); 431 } 432 433 struct iked_childsa * 434 childsa_lookup(struct iked_sa *sa, u_int64_t spi, u_int8_t protoid) 435 { 436 struct iked_childsa *csa; 437 438 if (sa == NULL || spi == 0 || protoid == 0) 439 return (NULL); 440 441 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { 442 if (csa->csa_spi.spi_protoid == protoid && 443 (csa->csa_spi.spi == spi)) 444 break; 445 } 446 return (csa); 447 } 448 449 void 450 flow_free(struct iked_flow *flow) 451 { 452 free(flow); 453 } 454 455 struct iked_sa * 456 sa_lookup(struct iked *env, u_int64_t ispi, u_int64_t rspi, 457 u_int initiator) 458 { 459 struct iked_sa *sa, key; 460 461 key.sa_hdr.sh_ispi = ispi; 462 key.sa_hdr.sh_rspi = rspi; 463 key.sa_hdr.sh_initiator = initiator; 464 465 if ((sa = RB_FIND(iked_sas, &env->sc_sas, &key)) != NULL) { 466 gettimeofday(&sa->sa_timeused, NULL); 467 468 /* Validate if SPIr matches */ 469 if ((sa->sa_hdr.sh_rspi != 0) && 470 (rspi != 0) && 471 (sa->sa_hdr.sh_rspi != rspi)) 472 return (NULL); 473 } 474 475 return (sa); 476 } 477 478 static __inline int 479 sa_cmp(struct iked_sa *a, struct iked_sa *b) 480 { 481 if (a->sa_hdr.sh_initiator > b->sa_hdr.sh_initiator) 482 return (-1); 483 if (a->sa_hdr.sh_initiator < b->sa_hdr.sh_initiator) 484 return (1); 485 486 if (a->sa_hdr.sh_ispi > b->sa_hdr.sh_ispi) 487 return (-1); 488 if (a->sa_hdr.sh_ispi < b->sa_hdr.sh_ispi) 489 return (1); 490 491 #if 0 492 /* Responder SPI is not yet set in the local IKE SADB */ 493 if ((b->sa_type == IKED_SATYPE_LOCAL && b->sa_hdr.sh_rspi == 0) || 494 (a->sa_type == IKED_SATYPE_LOCAL && a->sa_hdr.sh_rspi == 0)) 495 return (0); 496 497 if (a->sa_hdr.sh_rspi > b->sa_hdr.sh_rspi) 498 return (-1); 499 if (a->sa_hdr.sh_rspi < b->sa_hdr.sh_rspi) 500 return (1); 501 #endif 502 503 return (0); 504 } 505 506 struct iked_sa * 507 sa_peer_lookup(struct iked_policy *pol, struct sockaddr_storage *peer) 508 { 509 struct iked_sa key; 510 511 memcpy(&key.sa_polpeer.addr, peer, sizeof(*peer)); 512 return (RB_FIND(iked_sapeers, &pol->pol_sapeers, &key)); 513 } 514 515 static __inline int 516 sa_peer_cmp(struct iked_sa *a, struct iked_sa *b) 517 { 518 return (sockaddr_cmp((struct sockaddr *)&a->sa_polpeer.addr, 519 (struct sockaddr *)&b->sa_polpeer.addr, -1)); 520 } 521 522 static __inline int 523 sa_addrpool_cmp(struct iked_sa *a, struct iked_sa *b) 524 { 525 return (sockaddr_cmp((struct sockaddr *)&a->sa_addrpool->addr, 526 (struct sockaddr *)&b->sa_addrpool->addr, -1)); 527 } 528 529 struct iked_user * 530 user_lookup(struct iked *env, const char *user) 531 { 532 struct iked_user key; 533 534 if (strlcpy(key.usr_name, user, 535 sizeof(key.usr_name)) >= sizeof(key.usr_name)) 536 return (NULL); 537 538 return (RB_FIND(iked_users, &env->sc_users, &key)); 539 } 540 541 static __inline int 542 user_cmp(struct iked_user *a, struct iked_user *b) 543 { 544 return (strcmp(a->usr_name, b->usr_name)); 545 } 546 547 static __inline int 548 childsa_cmp(struct iked_childsa *a, struct iked_childsa *b) 549 { 550 if (a->csa_spi.spi > b->csa_spi.spi) 551 return (1); 552 if (a->csa_spi.spi < b->csa_spi.spi) 553 return (-1); 554 return (0); 555 } 556 557 static __inline int 558 addr_cmp(struct iked_addr *a, struct iked_addr *b, int useports) 559 { 560 int diff = 0; 561 562 diff = sockaddr_cmp((struct sockaddr *)&a->addr, 563 (struct sockaddr *)&b->addr, 128); 564 if (!diff) 565 diff = (int)a->addr_mask - (int)b->addr_mask; 566 if (!diff && useports) 567 diff = a->addr_port - b->addr_port; 568 569 return (diff); 570 } 571 572 static __inline int 573 flow_cmp(struct iked_flow *a, struct iked_flow *b) 574 { 575 int diff = 0; 576 577 if (a->flow_peer && b->flow_peer) 578 diff = addr_cmp(a->flow_peer, b->flow_peer, 0); 579 if (!diff) 580 diff = addr_cmp(&a->flow_dst, &b->flow_dst, 1); 581 if (!diff) 582 diff = addr_cmp(&a->flow_src, &b->flow_src, 1); 583 if (!diff && a->flow_dir && b->flow_dir) 584 diff = (int)a->flow_dir - (int)b->flow_dir; 585 586 return (diff); 587 } 588 589 RB_GENERATE(iked_sas, iked_sa, sa_entry, sa_cmp); 590 RB_GENERATE(iked_sapeers, iked_sa, sa_peer_entry, sa_peer_cmp); 591 RB_GENERATE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp); 592 RB_GENERATE(iked_users, iked_user, usr_entry, user_cmp); 593 RB_GENERATE(iked_activesas, iked_childsa, csa_node, childsa_cmp); 594 RB_GENERATE(iked_flows, iked_flow, flow_node, flow_cmp); 595