1 /* $OpenBSD: policy.c,v 1.34 2014/05/06 10:24:22 markus Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * Copyright (c) 2001 Daniel Hartmeier 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/param.h> 21 #include <sys/queue.h> 22 #include <sys/socket.h> 23 #include <sys/uio.h> 24 #include <sys/tree.h> 25 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <unistd.h> 29 #include <string.h> 30 #include <errno.h> 31 #include <fcntl.h> 32 #include <event.h> 33 34 #include "iked.h" 35 #include "ikev2.h" 36 37 static __inline int 38 sa_cmp(struct iked_sa *, struct iked_sa *); 39 static __inline int 40 user_cmp(struct iked_user *, struct iked_user *); 41 static __inline int 42 childsa_cmp(struct iked_childsa *, struct iked_childsa *); 43 static __inline int 44 flow_cmp(struct iked_flow *, struct iked_flow *); 45 46 47 void 48 policy_init(struct iked *env) 49 { 50 TAILQ_INIT(&env->sc_policies); 51 RB_INIT(&env->sc_users); 52 RB_INIT(&env->sc_sas); 53 RB_INIT(&env->sc_activesas); 54 RB_INIT(&env->sc_activeflows); 55 } 56 57 int 58 policy_lookup(struct iked *env, struct iked_message *msg) 59 { 60 struct iked_policy pol; 61 char *s, idstr[IKED_ID_SIZE]; 62 63 64 if (msg->msg_sa != NULL && msg->msg_sa->sa_policy != NULL) { 65 /* Existing SA with policy */ 66 msg->msg_policy = msg->msg_sa->sa_policy; 67 goto found; 68 } 69 70 bzero(&pol, sizeof(pol)); 71 pol.pol_af = msg->msg_peer.ss_family; 72 memcpy(&pol.pol_peer.addr, &msg->msg_peer, sizeof(msg->msg_peer)); 73 memcpy(&pol.pol_local.addr, &msg->msg_local, sizeof(msg->msg_local)); 74 if (msg->msg_id.id_type && 75 ikev2_print_id(&msg->msg_id, idstr, IKED_ID_SIZE) == 0 && 76 (s = strchr(idstr, '/')) != NULL) { 77 pol.pol_peerid.id_type = msg->msg_id.id_type; 78 pol.pol_peerid.id_length = strlen(s+1); 79 strlcpy(pol.pol_peerid.id_data, s+1, 80 sizeof(pol.pol_peerid.id_data)); 81 log_debug("%s: peerid '%s'", __func__, s+1); 82 } 83 84 /* Try to find a matching policy for this message */ 85 if ((msg->msg_policy = policy_test(env, &pol)) != NULL) 86 goto found; 87 88 /* No matching policy found, try the default */ 89 if ((msg->msg_policy = env->sc_defaultcon) != NULL) 90 goto found; 91 92 /* No policy found */ 93 return (-1); 94 95 found: 96 return (0); 97 } 98 99 struct iked_policy * 100 policy_test(struct iked *env, struct iked_policy *key) 101 { 102 struct iked_policy *p = NULL, *pol = NULL; 103 struct iked_flow *flow = NULL, *flowkey; 104 u_int cnt = 0; 105 106 p = TAILQ_FIRST(&env->sc_policies); 107 while (p != NULL) { 108 cnt++; 109 if (p->pol_flags & IKED_POLICY_SKIP) 110 p = p->pol_skip[IKED_SKIP_FLAGS]; 111 else if (key->pol_af && p->pol_af && 112 key->pol_af != p->pol_af) 113 p = p->pol_skip[IKED_SKIP_AF]; 114 else if (key->pol_ipproto && p->pol_ipproto && 115 key->pol_ipproto != p->pol_ipproto) 116 p = p->pol_skip[IKED_SKIP_PROTO]; 117 else if (sockaddr_cmp((struct sockaddr *)&key->pol_peer.addr, 118 (struct sockaddr *)&p->pol_peer.addr, 119 p->pol_peer.addr_mask) != 0) 120 p = p->pol_skip[IKED_SKIP_DST_ADDR]; 121 else if (sockaddr_cmp((struct sockaddr *)&key->pol_local.addr, 122 (struct sockaddr *)&p->pol_local.addr, 123 p->pol_local.addr_mask) != 0) 124 p = p->pol_skip[IKED_SKIP_SRC_ADDR]; 125 else { 126 /* 127 * Check if a specific flow is requested 128 * (eg. for acquire messages from the kernel) 129 * and find a matching flow. 130 */ 131 if (key->pol_nflows && 132 (flowkey = RB_MIN(iked_flows, 133 &key->pol_flows)) != NULL && 134 (flow = RB_FIND(iked_flows, &p->pol_flows, 135 flowkey)) == NULL) { 136 p = TAILQ_NEXT(p, pol_entry); 137 continue; 138 } 139 /* make sure the peer ID matches */ 140 if (key->pol_peerid.id_type && 141 (key->pol_peerid.id_type != p->pol_peerid.id_type || 142 memcmp(key->pol_peerid.id_data, 143 p->pol_peerid.id_data, 144 sizeof(key->pol_peerid.id_data)) != 0)) { 145 p = TAILQ_NEXT(p, pol_entry); 146 continue; 147 } 148 149 /* Policy matched */ 150 pol = p; 151 152 if (pol->pol_flags & IKED_POLICY_QUICK) 153 break; 154 155 /* Continue to find last matching policy */ 156 p = TAILQ_NEXT(p, pol_entry); 157 } 158 } 159 160 return (pol); 161 } 162 163 #define IKED_SET_SKIP_STEPS(i) \ 164 do { \ 165 while (head[i] != cur) { \ 166 head[i]->pol_skip[i] = cur; \ 167 head[i] = TAILQ_NEXT(head[i], pol_entry); \ 168 } \ 169 } while (0) 170 171 /* This code is derived from pf_calc_skip_steps() from pf.c */ 172 void 173 policy_calc_skip_steps(struct iked_policies *policies) 174 { 175 struct iked_policy *head[IKED_SKIP_COUNT], *cur, *prev; 176 int i; 177 178 cur = TAILQ_FIRST(policies); 179 prev = cur; 180 for (i = 0; i < IKED_SKIP_COUNT; ++i) 181 head[i] = cur; 182 while (cur != NULL) { 183 if (cur->pol_flags & IKED_POLICY_SKIP) 184 IKED_SET_SKIP_STEPS(IKED_SKIP_FLAGS); 185 else if (cur->pol_af != AF_UNSPEC && 186 prev->pol_af != AF_UNSPEC && 187 cur->pol_af != prev->pol_af) 188 IKED_SET_SKIP_STEPS(IKED_SKIP_AF); 189 else if (cur->pol_ipproto && prev->pol_ipproto && 190 cur->pol_ipproto != prev->pol_ipproto) 191 IKED_SET_SKIP_STEPS(IKED_SKIP_PROTO); 192 else if (IKED_ADDR_NEQ(&cur->pol_peer, &prev->pol_peer)) 193 IKED_SET_SKIP_STEPS(IKED_SKIP_DST_ADDR); 194 else if (IKED_ADDR_NEQ(&cur->pol_local, &prev->pol_local)) 195 IKED_SET_SKIP_STEPS(IKED_SKIP_SRC_ADDR); 196 197 prev = cur; 198 cur = TAILQ_NEXT(cur, pol_entry); 199 } 200 for (i = 0; i < IKED_SKIP_COUNT; ++i) 201 IKED_SET_SKIP_STEPS(i); 202 } 203 204 void 205 policy_ref(struct iked *env, struct iked_policy *pol) 206 { 207 pol->pol_refcnt++; 208 pol->pol_flags |= IKED_POLICY_REFCNT; 209 } 210 211 void 212 policy_unref(struct iked *env, struct iked_policy *pol) 213 { 214 if (pol == NULL || (pol->pol_flags & IKED_POLICY_REFCNT) == 0) 215 return; 216 if (--(pol->pol_refcnt) <= 0) 217 config_free_policy(env, pol); 218 } 219 220 void 221 sa_state(struct iked *env, struct iked_sa *sa, int state) 222 { 223 const char *a; 224 const char *b; 225 int ostate = sa->sa_state; 226 227 a = print_map(ostate, ikev2_state_map); 228 b = print_map(state, ikev2_state_map); 229 230 sa->sa_state = state; 231 if (ostate != IKEV2_STATE_INIT && 232 !sa_stateok(sa, state)) { 233 log_debug("%s: cannot switch: %s -> %s", __func__, a, b); 234 sa->sa_state = ostate; 235 } else if (ostate != sa->sa_state) { 236 switch (state) { 237 case IKEV2_STATE_ESTABLISHED: 238 case IKEV2_STATE_CLOSED: 239 log_info("%s: %s -> %s from %s to %s policy '%s'", 240 __func__, a, b, 241 print_host((struct sockaddr *)&sa->sa_peer.addr, 242 NULL, 0), 243 print_host((struct sockaddr *)&sa->sa_local.addr, 244 NULL, 0), 245 sa->sa_policy ? sa->sa_policy->pol_name : 246 "<unknown>"); 247 break; 248 default: 249 log_debug("%s: %s -> %s", __func__, a, b); 250 break; 251 } 252 } 253 254 } 255 256 void 257 sa_stateflags(struct iked_sa *sa, u_int flags) 258 { 259 u_int require; 260 261 if (sa->sa_state > IKEV2_STATE_SA_INIT) 262 require = sa->sa_statevalid; 263 else 264 require = sa->sa_stateinit; 265 266 log_debug("%s: 0x%02x -> 0x%02x %s (required 0x%02x %s)", __func__, 267 sa->sa_stateflags, sa->sa_stateflags | flags, 268 print_bits(sa->sa_stateflags | flags, IKED_REQ_BITS), require, 269 print_bits(require, IKED_REQ_BITS)); 270 271 sa->sa_stateflags |= flags; 272 } 273 274 int 275 sa_stateok(struct iked_sa *sa, int state) 276 { 277 u_int require; 278 279 if (sa->sa_state < state) 280 return (0); 281 282 if (state == IKEV2_STATE_SA_INIT) 283 require = sa->sa_stateinit; 284 else 285 require = sa->sa_statevalid; 286 287 if (state == IKEV2_STATE_SA_INIT || 288 state == IKEV2_STATE_VALID || 289 state == IKEV2_STATE_EAP_VALID || 290 state == IKEV2_STATE_EAP) { 291 log_debug("%s: %s flags 0x%02x, require 0x%02x %s", __func__, 292 print_map(state, ikev2_state_map), 293 (sa->sa_stateflags & require), require, 294 print_bits(require, IKED_REQ_BITS)); 295 296 if ((sa->sa_stateflags & require) != require) 297 return (0); /* not ready, ignore */ 298 } 299 return (1); 300 } 301 302 struct iked_sa * 303 sa_new(struct iked *env, u_int64_t ispi, u_int64_t rspi, 304 u_int initiator, struct iked_policy *pol) 305 { 306 struct iked_sa *sa; 307 struct iked_sa *old; 308 struct iked_id *localid; 309 u_int diff; 310 311 if ((ispi == 0 && rspi == 0) || 312 (sa = sa_lookup(env, ispi, rspi, initiator)) == NULL) { 313 /* Create new SA */ 314 if (!initiator && ispi == 0) { 315 log_debug("%s: cannot create responder IKE SA w/o ispi", 316 __func__); 317 return (NULL); 318 } 319 sa = config_new_sa(env, initiator); 320 if (sa == NULL) { 321 log_debug("%s: failed to allocate IKE SA", __func__); 322 return (NULL); 323 } 324 if (!initiator) 325 sa->sa_hdr.sh_ispi = ispi; 326 old = RB_INSERT(iked_sas, &env->sc_sas, sa); 327 if (old && old != sa) { 328 log_warnx("%s: duplicate IKE SA", __func__); 329 config_free_sa(env, sa); 330 return (NULL); 331 } 332 } 333 /* Update rspi in the initator case */ 334 if (initiator && sa->sa_hdr.sh_rspi == 0 && rspi) 335 sa->sa_hdr.sh_rspi = rspi; 336 337 if (sa->sa_policy == NULL) 338 sa->sa_policy = pol; 339 else 340 pol = sa->sa_policy; 341 342 sa->sa_statevalid = IKED_REQ_AUTH|IKED_REQ_AUTHVALID|IKED_REQ_SA; 343 if (pol != NULL && pol->pol_auth.auth_eap) { 344 sa->sa_statevalid |= IKED_REQ_CERT|IKED_REQ_EAPVALID; 345 } else if (pol != NULL && pol->pol_auth.auth_method != 346 IKEV2_AUTH_SHARED_KEY_MIC) { 347 sa->sa_statevalid |= IKED_REQ_CERTVALID|IKED_REQ_CERT; 348 } 349 350 if (initiator) { 351 localid = &sa->sa_iid; 352 diff = IKED_REQ_CERTVALID|IKED_REQ_AUTHVALID|IKED_REQ_SA| 353 IKED_REQ_EAPVALID; 354 sa->sa_stateinit = sa->sa_statevalid & ~diff; 355 sa->sa_statevalid = sa->sa_statevalid & diff; 356 } else 357 localid = &sa->sa_rid; 358 359 if (!ibuf_length(localid->id_buf) && pol != NULL && 360 ikev2_policy2id(&pol->pol_localid, localid, 1) != 0) { 361 log_debug("%s: failed to get local id", __func__); 362 sa_free(env, sa); 363 return (NULL); 364 } 365 366 return (sa); 367 } 368 369 void 370 sa_free(struct iked *env, struct iked_sa *sa) 371 { 372 log_debug("%s: ispi %s rspi %s", __func__, 373 print_spi(sa->sa_hdr.sh_ispi, 8), 374 print_spi(sa->sa_hdr.sh_rspi, 8)); 375 376 /* IKE rekeying running? */ 377 if (sa->sa_next) { 378 RB_REMOVE(iked_sas, &env->sc_sas, sa->sa_next); 379 config_free_sa(env, sa->sa_next); 380 } 381 RB_REMOVE(iked_sas, &env->sc_sas, sa); 382 config_free_sa(env, sa); 383 } 384 385 void 386 sa_free_flows(struct iked *env, struct iked_saflows *head) 387 { 388 struct iked_flow *flow, *next; 389 390 for (flow = TAILQ_FIRST(head); flow != NULL; flow = next) { 391 next = TAILQ_NEXT(flow, flow_entry); 392 393 log_debug("%s: free %p", __func__, flow); 394 395 if (flow->flow_loaded) 396 RB_REMOVE(iked_flows, &env->sc_activeflows, flow); 397 TAILQ_REMOVE(head, flow, flow_entry); 398 (void)pfkey_flow_delete(env->sc_pfkey, flow); 399 flow_free(flow); 400 } 401 } 402 403 404 int 405 sa_address(struct iked_sa *sa, struct iked_addr *addr, 406 struct sockaddr_storage *peer, int initiator) 407 { 408 struct iked_policy *pol = sa->sa_policy; 409 410 if (sa->sa_state != IKEV2_STATE_CLOSING && pol == NULL) { 411 log_debug("%s: missing policy", __func__); 412 return (-1); 413 } 414 415 bzero(addr, sizeof(*addr)); 416 addr->addr_af = peer->ss_family; 417 addr->addr_port = htons(socket_getport((struct sockaddr *)peer)); 418 memcpy(&addr->addr, peer, sizeof(*peer)); 419 if (socket_af((struct sockaddr *)&addr->addr, addr->addr_port) == -1) { 420 log_debug("%s: invalid address", __func__); 421 return (-1); 422 } 423 424 if (addr == &sa->sa_peer && pol) { 425 /* XXX Re-insert node into the tree */ 426 RB_REMOVE(iked_sapeers, &pol->pol_sapeers, sa); 427 memcpy(&sa->sa_polpeer, initiator ? &pol->pol_peer : 428 &sa->sa_peer, sizeof(sa->sa_polpeer)); 429 RB_INSERT(iked_sapeers, &pol->pol_sapeers, sa); 430 } 431 432 return (0); 433 } 434 435 void 436 childsa_free(struct iked_childsa *csa) 437 { 438 if (csa->csa_children) { 439 /* XXX should not happen */ 440 log_warnx("%s: trying to remove CSA %p children %u", 441 __func__, csa, csa->csa_children); 442 return; 443 } 444 if (csa->csa_parent) 445 csa->csa_parent->csa_children--; 446 ibuf_release(csa->csa_encrkey); 447 ibuf_release(csa->csa_integrkey); 448 free(csa); 449 } 450 451 struct iked_childsa * 452 childsa_lookup(struct iked_sa *sa, u_int64_t spi, u_int8_t protoid) 453 { 454 struct iked_childsa *csa; 455 456 if (sa == NULL || spi == 0 || protoid == 0) 457 return (NULL); 458 459 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { 460 if (csa->csa_spi.spi_protoid == protoid && 461 (csa->csa_spi.spi == spi)) 462 break; 463 } 464 return (csa); 465 } 466 467 void 468 flow_free(struct iked_flow *flow) 469 { 470 free(flow); 471 } 472 473 struct iked_sa * 474 sa_lookup(struct iked *env, u_int64_t ispi, u_int64_t rspi, 475 u_int initiator) 476 { 477 struct iked_sa *sa, key; 478 479 key.sa_hdr.sh_ispi = ispi; 480 /* key.sa_hdr.sh_rspi = rspi; */ 481 key.sa_hdr.sh_initiator = initiator; 482 483 if ((sa = RB_FIND(iked_sas, &env->sc_sas, &key)) != NULL) { 484 gettimeofday(&sa->sa_timeused, NULL); 485 486 /* Validate if SPIr matches */ 487 if ((sa->sa_hdr.sh_rspi != 0) && 488 (rspi != 0) && 489 (sa->sa_hdr.sh_rspi != rspi)) 490 return (NULL); 491 } 492 493 return (sa); 494 } 495 496 static __inline int 497 sa_cmp(struct iked_sa *a, struct iked_sa *b) 498 { 499 if (a->sa_hdr.sh_initiator > b->sa_hdr.sh_initiator) 500 return (-1); 501 if (a->sa_hdr.sh_initiator < b->sa_hdr.sh_initiator) 502 return (1); 503 504 if (a->sa_hdr.sh_ispi > b->sa_hdr.sh_ispi) 505 return (-1); 506 if (a->sa_hdr.sh_ispi < b->sa_hdr.sh_ispi) 507 return (1); 508 509 #if 0 510 /* Responder SPI is not yet set in the local IKE SADB */ 511 if ((b->sa_type == IKED_SATYPE_LOCAL && b->sa_hdr.sh_rspi == 0) || 512 (a->sa_type == IKED_SATYPE_LOCAL && a->sa_hdr.sh_rspi == 0)) 513 return (0); 514 515 if (a->sa_hdr.sh_rspi > b->sa_hdr.sh_rspi) 516 return (-1); 517 if (a->sa_hdr.sh_rspi < b->sa_hdr.sh_rspi) 518 return (1); 519 #endif 520 521 return (0); 522 } 523 524 struct iked_sa * 525 sa_peer_lookup(struct iked_policy *pol, struct sockaddr_storage *peer) 526 { 527 struct iked_sa key; 528 529 memcpy(&key.sa_polpeer.addr, peer, sizeof(*peer)); 530 return (RB_FIND(iked_sapeers, &pol->pol_sapeers, &key)); 531 } 532 533 static __inline int 534 sa_peer_cmp(struct iked_sa *a, struct iked_sa *b) 535 { 536 return (sockaddr_cmp((struct sockaddr *)&a->sa_polpeer.addr, 537 (struct sockaddr *)&b->sa_polpeer.addr, -1)); 538 } 539 540 static __inline int 541 sa_addrpool_cmp(struct iked_sa *a, struct iked_sa *b) 542 { 543 return (sockaddr_cmp((struct sockaddr *)&a->sa_addrpool->addr, 544 (struct sockaddr *)&b->sa_addrpool->addr, -1)); 545 } 546 547 struct iked_user * 548 user_lookup(struct iked *env, const char *user) 549 { 550 struct iked_user key; 551 552 if (strlcpy(key.usr_name, user, 553 sizeof(key.usr_name)) >= sizeof(key.usr_name)) 554 return (NULL); 555 556 return (RB_FIND(iked_users, &env->sc_users, &key)); 557 } 558 559 static __inline int 560 user_cmp(struct iked_user *a, struct iked_user *b) 561 { 562 return (strcmp(a->usr_name, b->usr_name)); 563 } 564 565 static __inline int 566 childsa_cmp(struct iked_childsa *a, struct iked_childsa *b) 567 { 568 if (a->csa_spi.spi > b->csa_spi.spi) 569 return (1); 570 if (a->csa_spi.spi < b->csa_spi.spi) 571 return (-1); 572 return (0); 573 } 574 575 static __inline int 576 addr_cmp(struct iked_addr *a, struct iked_addr *b, int useports) 577 { 578 int diff = 0; 579 580 diff = sockaddr_cmp((struct sockaddr *)&a->addr, 581 (struct sockaddr *)&b->addr, 128); 582 if (!diff) 583 diff = (int)a->addr_mask - (int)b->addr_mask; 584 if (!diff && useports) 585 diff = a->addr_port - b->addr_port; 586 587 return (diff); 588 } 589 590 static __inline int 591 flow_cmp(struct iked_flow *a, struct iked_flow *b) 592 { 593 int diff = 0; 594 595 if (a->flow_peer && b->flow_peer) 596 diff = addr_cmp(a->flow_peer, b->flow_peer, 0); 597 if (!diff) 598 diff = addr_cmp(&a->flow_dst, &b->flow_dst, 1); 599 if (!diff) 600 diff = addr_cmp(&a->flow_src, &b->flow_src, 1); 601 if (!diff && a->flow_dir && b->flow_dir) 602 diff = (int)a->flow_dir - (int)b->flow_dir; 603 604 return (diff); 605 } 606 607 RB_GENERATE(iked_sas, iked_sa, sa_entry, sa_cmp); 608 RB_GENERATE(iked_sapeers, iked_sa, sa_peer_entry, sa_peer_cmp); 609 RB_GENERATE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp); 610 RB_GENERATE(iked_users, iked_user, usr_entry, user_cmp); 611 RB_GENERATE(iked_activesas, iked_childsa, csa_node, childsa_cmp); 612 RB_GENERATE(iked_flows, iked_flow, flow_node, flow_cmp); 613