1/* $NetBSD: policy.c,v 1.11 2009/07/03 06:41:46 tteras Exp $ */ 2 3/* $KAME: policy.c,v 1.46 2001/11/16 04:08:10 sakane Exp $ */ 4 5/* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "config.h" 35 36#include <sys/param.h> 37#include <sys/types.h> 38#include <sys/socket.h> 39#include <sys/queue.h> 40 41#include <netinet/in.h> 42#include PATH_IPSEC_H 43 44#include <stdlib.h> 45#include <stdio.h> 46#include <string.h> 47#include <errno.h> 48 49#include "var.h" 50#include "misc.h" 51#include "vmbuf.h" 52#include "plog.h" 53#include "sockmisc.h" 54#include "debug.h" 55 56#include "policy.h" 57#include "localconf.h" 58#include "isakmp_var.h" 59#include "isakmp.h" 60#include "oakley.h" 61#include "handler.h" 62#include "strnames.h" 63#include "gcmalloc.h" 64 65static TAILQ_HEAD(_sptree, secpolicy) sptree; 66 67/* perform exact match against security policy table. */ 68struct secpolicy * 69getsp(spidx) 70 struct policyindex *spidx; 71{ 72 struct secpolicy *p; 73 74 for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) { 75 if (!cmpspidxstrict(spidx, &p->spidx)) 76 return p; 77 } 78 79 return NULL; 80} 81 82/* 83 * perform non-exact match against security policy table, only if this is 84 * transport mode SA negotiation. for example, 0.0.0.0/0 -> 0.0.0.0/0 85 * entry in policy.txt can be returned when we're negotiating transport 86 * mode SA. this is how the kernel works. 87 */ 88#if 1 89struct secpolicy * 90getsp_r(spidx) 91 struct policyindex *spidx; 92{ 93 struct secpolicy *p; 94 struct secpolicy *found = NULL; 95 96 for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) { 97 if (!cmpspidxstrict(spidx, &p->spidx)) 98 return p; 99 100 if (!found && !cmpspidxwild(spidx, &p->spidx)) 101 found = p; 102 } 103 104 return found; 105} 106#else 107struct secpolicy * 108getsp_r(spidx, iph2) 109 struct policyindex *spidx; 110 struct ph2handle *iph2; 111{ 112 struct secpolicy *p; 113 u_int8_t prefixlen; 114 115 plog(LLV_DEBUG, LOCATION, NULL, "checking for transport mode\n"); 116 117 if (spidx->src.ss_family != spidx->dst.ss_family) { 118 plog(LLV_ERROR, LOCATION, NULL, 119 "address family mismatch, src:%d dst:%d\n", 120 spidx->src.ss_family, 121 spidx->dst.ss_family); 122 return NULL; 123 } 124 switch (spidx->src.ss_family) { 125 case AF_INET: 126 prefixlen = sizeof(struct in_addr) << 3; 127 break; 128#ifdef INET6 129 case AF_INET6: 130 prefixlen = sizeof(struct in6_addr) << 3; 131 break; 132#endif 133 default: 134 plog(LLV_ERROR, LOCATION, NULL, 135 "invalid family: %d\n", spidx->src.ss_family); 136 return NULL; 137 } 138 139 /* is it transport mode SA negotiation? */ 140 plog(LLV_DEBUG, LOCATION, NULL, "src1: %s\n", 141 saddr2str(iph2->src)); 142 plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n", 143 saddr2str((struct sockaddr *)&spidx->src)); 144 145 if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) != CMPSADDR_MATCH || 146 spidx->prefs != prefixlen) 147 return NULL; 148 149 plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n", 150 saddr2str(iph2->dst)); 151 plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n", 152 saddr2str((struct sockaddr *)&spidx->dst)); 153 154 if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) != CMPSADDR_MATCH || 155 spidx->prefd != prefixlen) 156 return NULL; 157 158 plog(LLV_DEBUG, LOCATION, NULL, "looks to be transport mode\n"); 159 160 for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) { 161 if (!cmpspidx_wild(spidx, &p->spidx)) 162 return p; 163 } 164 165 return NULL; 166} 167#endif 168 169struct secpolicy * 170getspbyspid(spid) 171 u_int32_t spid; 172{ 173 struct secpolicy *p; 174 175 for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) { 176 if (p->id == spid) 177 return p; 178 } 179 180 return NULL; 181} 182 183/* 184 * compare policyindex. 185 * a: subject b: db 186 * OUT: 0: equal 187 * 1: not equal 188 */ 189int 190cmpspidxstrict(a, b) 191 struct policyindex *a, *b; 192{ 193 plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a)); 194 plog(LLV_DEBUG, LOCATION, NULL, "db :%p: %s\n", b, spidx2str(b)); 195 196 /* XXX don't check direction now, but it's to be checked carefully. */ 197 if (a->dir != b->dir 198 || a->prefs != b->prefs 199 || a->prefd != b->prefd 200 || a->ul_proto != b->ul_proto) 201 return 1; 202 203 if (cmpsaddr((struct sockaddr *) &a->src, 204 (struct sockaddr *) &b->src) != CMPSADDR_MATCH) 205 return 1; 206 if (cmpsaddr((struct sockaddr *) &a->dst, 207 (struct sockaddr *) &b->dst) != CMPSADDR_MATCH) 208 return 1; 209 210#ifdef HAVE_SECCTX 211 if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg 212 || a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi 213 || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str)) 214 return 1; 215#endif 216 return 0; 217} 218 219/* 220 * compare policyindex, with wildcard address/protocol match. 221 * a: subject b: db, can contain wildcard things. 222 * OUT: 0: equal 223 * 1: not equal 224 */ 225int 226cmpspidxwild(a, b) 227 struct policyindex *a, *b; 228{ 229 struct sockaddr_storage sa1, sa2; 230 231 plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a)); 232 plog(LLV_DEBUG, LOCATION, NULL, "db: %p: %s\n", b, spidx2str(b)); 233 234 if (!(b->dir == IPSEC_DIR_ANY || a->dir == b->dir)) 235 return 1; 236 237 if (!(b->ul_proto == IPSEC_ULPROTO_ANY || 238 a->ul_proto == b->ul_proto)) 239 return 1; 240 241 if (a->src.ss_family != b->src.ss_family) 242 return 1; 243 if (a->dst.ss_family != b->dst.ss_family) 244 return 1; 245 246#ifndef __linux__ 247 /* compare src address */ 248 if (sizeof(sa1) < a->src.ss_len || sizeof(sa2) < b->src.ss_len) { 249 plog(LLV_ERROR, LOCATION, NULL, 250 "unexpected error: " 251 "src.ss_len:%d dst.ss_len:%d\n", 252 a->src.ss_len, b->src.ss_len); 253 return 1; 254 } 255#endif 256 mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->src, 257 b->prefs); 258 mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->src, 259 b->prefs); 260 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", 261 a, b->prefs, saddr2str((struct sockaddr *)&sa1)); 262 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", 263 b, b->prefs, saddr2str((struct sockaddr *)&sa2)); 264 if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH) 265 return 1; 266 267#ifndef __linux__ 268 /* compare dst address */ 269 if (sizeof(sa1) < a->dst.ss_len || sizeof(sa2) < b->dst.ss_len) { 270 plog(LLV_ERROR, LOCATION, NULL, "unexpected error\n"); 271 exit(1); 272 } 273#endif 274 mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->dst, 275 b->prefd); 276 mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->dst, 277 b->prefd); 278 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", 279 a, b->prefd, saddr2str((struct sockaddr *)&sa1)); 280 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", 281 b, b->prefd, saddr2str((struct sockaddr *)&sa2)); 282 if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH) 283 return 1; 284 285#ifdef HAVE_SECCTX 286 if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg 287 || a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi 288 || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str)) 289 return 1; 290#endif 291 return 0; 292} 293 294struct secpolicy * 295newsp() 296{ 297 struct secpolicy *new; 298 299 new = racoon_calloc(1, sizeof(*new)); 300 if (new == NULL) 301 return NULL; 302 303 return new; 304} 305 306void 307delsp(sp) 308 struct secpolicy *sp; 309{ 310 struct ipsecrequest *req = NULL, *next; 311 312 for (req = sp->req; req; req = next) { 313 next = req->next; 314 racoon_free(req); 315 } 316 317 if (sp->local) 318 racoon_free(sp->local); 319 if (sp->remote) 320 racoon_free(sp->remote); 321 322 racoon_free(sp); 323} 324 325void 326delsp_bothdir(spidx0) 327 struct policyindex *spidx0; 328{ 329 struct policyindex spidx; 330 struct secpolicy *sp; 331 struct sockaddr_storage src, dst; 332 u_int8_t prefs, prefd; 333 334 memcpy(&spidx, spidx0, sizeof(spidx)); 335 switch (spidx.dir) { 336 case IPSEC_DIR_INBOUND: 337#ifdef HAVE_POLICY_FWD 338 case IPSEC_DIR_FWD: 339#endif 340 src = spidx.src; 341 dst = spidx.dst; 342 prefs = spidx.prefs; 343 prefd = spidx.prefd; 344 break; 345 case IPSEC_DIR_OUTBOUND: 346 src = spidx.dst; 347 dst = spidx.src; 348 prefs = spidx.prefd; 349 prefd = spidx.prefs; 350 break; 351 default: 352 return; 353 } 354 355 spidx.src = src; 356 spidx.dst = dst; 357 spidx.prefs = prefs; 358 spidx.prefd = prefd; 359 spidx.dir = IPSEC_DIR_INBOUND; 360 361 sp = getsp(&spidx); 362 if (sp) { 363 remsp(sp); 364 delsp(sp); 365 } 366 367#ifdef HAVE_POLICY_FWD 368 spidx.dir = IPSEC_DIR_FWD; 369 370 sp = getsp(&spidx); 371 if (sp) { 372 remsp(sp); 373 delsp(sp); 374 } 375#endif 376 377 spidx.src = dst; 378 spidx.dst = src; 379 spidx.prefs = prefd; 380 spidx.prefd = prefs; 381 spidx.dir = IPSEC_DIR_OUTBOUND; 382 383 sp = getsp(&spidx); 384 if (sp) { 385 remsp(sp); 386 delsp(sp); 387 } 388} 389 390void 391inssp(new) 392 struct secpolicy *new; 393{ 394#ifdef HAVE_PFKEY_POLICY_PRIORITY 395 struct secpolicy *p; 396 397 TAILQ_FOREACH(p, &sptree, chain) { 398 if (new->spidx.priority < p->spidx.priority) { 399 TAILQ_INSERT_BEFORE(p, new, chain); 400 return; 401 } 402 } 403 if (p == NULL) 404#endif 405 TAILQ_INSERT_TAIL(&sptree, new, chain); 406 407 return; 408} 409 410void 411remsp(sp) 412 struct secpolicy *sp; 413{ 414 TAILQ_REMOVE(&sptree, sp, chain); 415} 416 417void 418flushsp() 419{ 420 struct secpolicy *p, *next; 421 422 for (p = TAILQ_FIRST(&sptree); p; p = next) { 423 next = TAILQ_NEXT(p, chain); 424 remsp(p); 425 delsp(p); 426 } 427} 428 429void 430initsp() 431{ 432 TAILQ_INIT(&sptree); 433} 434 435struct ipsecrequest * 436newipsecreq() 437{ 438 struct ipsecrequest *new; 439 440 new = racoon_calloc(1, sizeof(*new)); 441 if (new == NULL) 442 return NULL; 443 444 return new; 445} 446 447const char * 448spidx2str(spidx) 449 const struct policyindex *spidx; 450{ 451 /* addr/pref[port] addr/pref[port] ul dir act */ 452 static char buf[256]; 453 char *p, *a, *b; 454 int blen, i; 455 456 blen = sizeof(buf) - 1; 457 p = buf; 458 459 a = saddr2str((const struct sockaddr *)&spidx->src); 460 for (b = a; *b != '\0'; b++) 461 if (*b == '[') { 462 *b = '\0'; 463 b++; 464 break; 465 } 466 i = snprintf(p, blen, "%s/%d[%s ", a, spidx->prefs, b); 467 if (i < 0 || i >= blen) 468 return NULL; 469 p += i; 470 blen -= i; 471 472 a = saddr2str((const struct sockaddr *)&spidx->dst); 473 for (b = a; *b != '\0'; b++) 474 if (*b == '[') { 475 *b = '\0'; 476 b++; 477 break; 478 } 479 i = snprintf(p, blen, "%s/%d[%s ", a, spidx->prefd, b); 480 if (i < 0 || i >= blen) 481 return NULL; 482 p += i; 483 blen -= i; 484 485 i = snprintf(p, blen, "proto=%s dir=%s", 486 s_proto(spidx->ul_proto), s_direction(spidx->dir)); 487 488#ifdef HAVE_SECCTX 489 if (spidx->sec_ctx.ctx_strlen) { 490 p += i; 491 blen -= i; 492 snprintf(p, blen, " sec_ctx:doi=%d,alg=%d,len=%d,str=%s", 493 spidx->sec_ctx.ctx_doi, spidx->sec_ctx.ctx_alg, 494 spidx->sec_ctx.ctx_strlen, spidx->sec_ctx.ctx_str); 495 } 496#endif 497 return buf; 498} 499