]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/policy.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-164.10.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / policy.c
1 /* $KAME: policy.c,v 1.46 2001/11/16 04:08:10 sakane Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include "config.h"
33
34 #include <sys/param.h>
35 #include <sys/types.h>
36 #include <sys/socket.h>
37 #include <sys/queue.h>
38
39 #include <netinet/in.h>
40 #ifdef HAVE_NETINET6_IPSEC
41 # include <netinet6/ipsec.h>
42 #else
43 # include <netinet/ipsec.h>
44 #endif
45
46 #include <stdlib.h>
47 #include <stdio.h>
48 #include <string.h>
49 #include <errno.h>
50
51 #include "var.h"
52 #include "misc.h"
53 #include "vmbuf.h"
54 #include "plog.h"
55 #include "sockmisc.h"
56 #include "debug.h"
57
58 #include "policy.h"
59 #include "localconf.h"
60 #include "isakmp_var.h"
61 #include "isakmp.h"
62 #include "oakley.h"
63 #include "handler.h"
64 #include "strnames.h"
65 #include "gcmalloc.h"
66 #include "session.h"
67
68 static TAILQ_HEAD(_sptree, secpolicy) sptree;
69
70 /* perform exact match against security policy table. */
71 struct secpolicy *
72 getsp(spidx)
73 struct policyindex *spidx;
74 {
75 struct secpolicy *p;
76
77 for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) {
78 if (!cmpspidxstrict(spidx, &p->spidx))
79 return p;
80 }
81
82 return NULL;
83 }
84
85 /*
86 * perform non-exact match against security policy table, only if this is
87 * transport mode SA negotiation. for example, 0.0.0.0/0 -> 0.0.0.0/0
88 * entry in policy.txt can be returned when we're negotiating transport
89 * mode SA. this is how the kernel works.
90 */
91 #if 1
92 struct secpolicy *
93 getsp_r(spidx, iph2)
94 struct policyindex *spidx;
95 struct ph2handle *iph2;
96 {
97 struct secpolicy *p;
98 int mismatched_outer_addr = 0;
99
100 for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) {
101 if (!cmpspidxwild(spidx, &p->spidx)) {
102 if (spidx->dir != IPSEC_DIR_ANY) {
103 struct ipsecrequest *isr;
104 for (isr = p->req; isr != NULL; isr = isr->next) {
105 if (isr->saidx.mode != IPSEC_MODE_TUNNEL) {
106 plog(LLV_DEBUG2, LOCATION, NULL, "%s, skipping policy. dir %d, mode %d\n",
107 __FUNCTION__, spidx->dir, isr->saidx.mode);
108 continue;
109 }
110
111 // for tunnel mode: verify the outer ip addresses match the phase2's addresses
112 if (spidx->dir == IPSEC_DIR_INBOUND) {
113 // TODO: look out for wildcards
114 if (!cmpsaddrwop(iph2->dst, &isr->saidx.src) &&
115 !cmpsaddrwop(iph2->src, &isr->saidx.dst)) {
116 plog(LLV_DEBUG2, LOCATION, NULL, "%s, inbound policy outer addresses matched phase2's addresses\n",
117 __FUNCTION__);
118 return p;
119 } else {
120 mismatched_outer_addr = 1;
121 }
122 } else if (spidx->dir == IPSEC_DIR_OUTBOUND) {
123 // TODO: look out for wildcards
124 if (!cmpsaddrwop(iph2->src, &isr->saidx.src) &&
125 !cmpsaddrwop(iph2->dst, &isr->saidx.dst)) {
126 plog(LLV_DEBUG2, LOCATION, NULL, "%s, outbound policy outer addresses matched phase2's addresses\n",
127 __FUNCTION__);
128 return p;
129 } else {
130 mismatched_outer_addr = 1;
131 }
132 } else {
133 mismatched_outer_addr = 1;
134 }
135 if (mismatched_outer_addr) {
136 plog(LLV_DEBUG2, LOCATION, NULL, "%s, policy outer addresses matched phase2's addresses: dir %d\n",
137 __FUNCTION__, spidx->dir);
138 plog(LLV_DEBUG, LOCATION, NULL, "src1: %s\n",
139 saddr2str((struct sockaddr *)iph2->src));
140 plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
141 saddr2str((struct sockaddr *)&isr->saidx.src));
142 plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
143 saddr2str((struct sockaddr *)iph2->dst));
144 plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
145 saddr2str((struct sockaddr *)&isr->saidx.dst));
146 }
147 }
148 }
149 if (!mismatched_outer_addr) {
150 return p;
151 }
152 }
153 }
154
155 return NULL;
156 }
157 #else
158 struct secpolicy *
159 getsp_r(spidx, iph2)
160 struct policyindex *spidx;
161 struct ph2handle *iph2;
162 {
163 struct secpolicy *p;
164 u_int8_t prefixlen;
165
166 plog(LLV_DEBUG, LOCATION, NULL, "checking for transport mode\n");
167
168 if (spidx->src.ss_family != spidx->dst.ss_family) {
169 plog(LLV_ERROR, LOCATION, NULL,
170 "address family mismatch, src:%d dst:%d\n",
171 spidx->src.ss_family,
172 spidx->dst.ss_family);
173 return NULL;
174 }
175 switch (spidx->src.ss_family) {
176 case AF_INET:
177 prefixlen = sizeof(struct in_addr) << 3;
178 break;
179 #ifdef INET6
180 case AF_INET6:
181 prefixlen = sizeof(struct in6_addr) << 3;
182 break;
183 #endif
184 default:
185 plog(LLV_ERROR, LOCATION, NULL,
186 "invalid family: %d\n", spidx->src.ss_family);
187 return NULL;
188 }
189
190 /* is it transport mode SA negotiation? */
191 plog(LLV_DEBUG, LOCATION, NULL, "src1: %s\n",
192 saddr2str(iph2->src));
193 plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
194 saddr2str(&spidx->src));
195 if (cmpsaddrwop(iph2->src, &spidx->src)
196 || spidx->prefs != prefixlen)
197 return NULL;
198
199 plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
200 saddr2str(iph2->dst));
201 plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
202 saddr2str(&spidx->dst));
203 if (cmpsaddrwop(iph2->dst, &spidx->dst)
204 || spidx->prefd != prefixlen)
205 return NULL;
206
207 plog(LLV_DEBUG, LOCATION, NULL, "looks to be transport mode\n");
208
209 for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) {
210 if (!cmpspidx_wild(spidx, &p->spidx))
211 return p;
212 }
213
214 return NULL;
215 }
216 #endif
217
218 struct secpolicy *
219 getspbyspid(spid)
220 u_int32_t spid;
221 {
222 struct secpolicy *p;
223
224 for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) {
225 if (p->id == spid)
226 return p;
227 }
228
229 return NULL;
230 }
231
232 /*
233 * compare policyindex.
234 * a: subject b: db
235 * OUT: 0: equal
236 * 1: not equal
237 */
238 int
239 cmpspidxstrict(a, b)
240 struct policyindex *a, *b;
241 {
242 //plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
243 //plog(LLV_DEBUG, LOCATION, NULL, "db :%p: %s\n", b, spidx2str(b));
244
245 /* XXX don't check direction now, but it's to be checked carefully. */
246 if (a->dir != b->dir
247 || a->prefs != b->prefs
248 || a->prefd != b->prefd
249 || a->ul_proto != b->ul_proto)
250 return 1;
251
252 if (cmpsaddrstrict(&a->src, &b->src))
253 return 1;
254 if (cmpsaddrstrict(&a->dst, &b->dst))
255 return 1;
256
257 return 0;
258 }
259
260 /*
261 * compare policyindex, with wildcard address/protocol match.
262 * a: subject b: db, can contain wildcard things.
263 * OUT: 0: equal
264 * 1: not equal
265 */
266 int
267 cmpspidxwild(a, b)
268 struct policyindex *a, *b;
269 {
270 struct sockaddr_storage sa1, sa2;
271
272 //plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
273 //plog(LLV_DEBUG, LOCATION, NULL, "db: %p: %s\n", b, spidx2str(b));
274
275 if (!(b->dir == IPSEC_DIR_ANY || a->dir == b->dir))
276 return 1;
277
278 if (!(a->ul_proto == IPSEC_ULPROTO_ANY ||
279 b->ul_proto == IPSEC_ULPROTO_ANY ||
280 a->ul_proto == b->ul_proto))
281 return 1;
282
283 if (a->src.ss_family != b->src.ss_family)
284 return 1;
285 if (a->dst.ss_family != b->dst.ss_family)
286 return 1;
287
288 /* compare src address */
289 if (sizeof(sa1) < a->src.ss_len || sizeof(sa2) < b->src.ss_len) {
290 plog(LLV_ERROR, LOCATION, NULL,
291 "unexpected error: "
292 "src.ss_len:%d dst.ss_len:%d\n",
293 a->src.ss_len, b->src.ss_len);
294 return 1;
295 }
296 mask_sockaddr(&sa1, &a->src, b->prefs);
297 mask_sockaddr(&sa2, &b->src, b->prefs);
298 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
299 a, b->prefs, saddr2str((struct sockaddr *)&sa1));
300 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
301 b, b->prefs, saddr2str((struct sockaddr *)&sa2));
302 if (cmpsaddrwild(&sa1, &sa2))
303 return 1;
304
305 /* compare dst address */
306 if (sizeof(sa1) < a->dst.ss_len || sizeof(sa2) < b->dst.ss_len) {
307 plog(LLV_ERROR, LOCATION, NULL, "unexpected error\n");
308 exit(1);
309 }
310 mask_sockaddr(&sa1, &a->dst, b->prefd);
311 mask_sockaddr(&sa2, &b->dst, b->prefd);
312 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
313 a, b->prefd, saddr2str((struct sockaddr *)&sa1));
314 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
315 b, b->prefd, saddr2str((struct sockaddr *)&sa2));
316 if (cmpsaddrwild(&sa1, &sa2))
317 return 1;
318
319 return 0;
320 }
321
322 struct secpolicy *
323 newsp()
324 {
325 struct secpolicy *new;
326
327 new = racoon_calloc(1, sizeof(*new));
328 if (new == NULL)
329 return NULL;
330
331 return new;
332 }
333
334 void
335 delsp(sp)
336 struct secpolicy *sp;
337 {
338 struct ipsecrequest *req = NULL, *next;
339
340 for (req = sp->req; req; req = next) {
341 next = req->next;
342 racoon_free(req);
343 }
344
345 racoon_free(sp);
346 }
347
348 void
349 delsp_bothdir(spidx0)
350 struct policyindex *spidx0;
351 {
352 struct policyindex spidx;
353 struct secpolicy *sp;
354 struct sockaddr_storage src, dst;
355 u_int8_t prefs, prefd;
356
357 memcpy(&spidx, spidx0, sizeof(spidx));
358 switch (spidx.dir) {
359 case IPSEC_DIR_INBOUND:
360 #ifdef HAVE_POLICY_FWD
361 case IPSEC_DIR_FWD:
362 #endif
363 src = spidx.src;
364 dst = spidx.dst;
365 prefs = spidx.prefs;
366 prefd = spidx.prefd;
367 break;
368 case IPSEC_DIR_OUTBOUND:
369 src = spidx.dst;
370 dst = spidx.src;
371 prefs = spidx.prefd;
372 prefd = spidx.prefs;
373 break;
374 default:
375 return;
376 }
377
378 spidx.src = src;
379 spidx.dst = dst;
380 spidx.prefs = prefs;
381 spidx.prefd = prefd;
382 spidx.dir = IPSEC_DIR_INBOUND;
383
384 sp = getsp(&spidx);
385 if (sp) {
386 remsp(sp);
387 delsp(sp);
388 }
389
390 #ifdef HAVE_POLICY_FWD
391 spidx.dir = IPSEC_DIR_FWD;
392
393 sp = getsp(&spidx);
394 if (sp) {
395 remsp(sp);
396 delsp(sp);
397 }
398 #endif
399
400 spidx.src = dst;
401 spidx.dst = src;
402 spidx.prefs = prefd;
403 spidx.prefd = prefs;
404 spidx.dir = IPSEC_DIR_OUTBOUND;
405
406 sp = getsp(&spidx);
407 if (sp) {
408 remsp(sp);
409 delsp(sp);
410 }
411 }
412
413 void
414 inssp(new)
415 struct secpolicy *new;
416 {
417 #ifdef HAVE_PFKEY_POLICY_PRIORITY
418 struct secpolicy *p;
419
420 TAILQ_FOREACH(p, &sptree, chain) {
421 if (new->spidx.priority < p->spidx.priority) {
422 TAILQ_INSERT_BEFORE(p, new, chain);
423 return;
424 }
425 }
426 if (p == NULL)
427 #endif
428 TAILQ_INSERT_HEAD(&sptree, new, chain);
429
430 check_auto_exit();
431 return;
432 }
433
434 void
435 remsp(sp)
436 struct secpolicy *sp;
437 {
438 TAILQ_REMOVE(&sptree, sp, chain);
439 check_auto_exit();
440 }
441
442 void
443 flushsp()
444 {
445 struct secpolicy *p, *next;
446
447 for (p = TAILQ_FIRST(&sptree); p; p = next) {
448 next = TAILQ_NEXT(p, chain);
449 remsp(p);
450 delsp(p);
451 }
452 }
453
454 int
455 policies_installed(void)
456 {
457 if (TAILQ_EMPTY(&sptree))
458 return 0;
459 else
460 return 1;
461 }
462
463 void
464 initsp()
465 {
466 TAILQ_INIT(&sptree);
467 }
468
469 struct ipsecrequest *
470 newipsecreq()
471 {
472 struct ipsecrequest *new;
473
474 new = racoon_calloc(1, sizeof(*new));
475 if (new == NULL)
476 return NULL;
477
478 return new;
479 }
480
481 const char *
482 spidx2str(spidx)
483 const struct policyindex *spidx;
484 {
485 /* addr/pref[port] addr/pref[port] ul dir act */
486 static char buf[256];
487 char *p, *a, *b;
488 int blen, i;
489
490 blen = sizeof(buf) - 1;
491 p = buf;
492
493 a = saddr2str((const struct sockaddr *)&spidx->src);
494 for (b = a; *b != '\0'; b++)
495 if (*b == '[') {
496 *b = '\0';
497 b++;
498 break;
499 }
500 i = snprintf(p, blen, "%s/%d[%s ", a, spidx->prefs, b);
501 if (i < 0 || i >= blen)
502 return NULL;
503 p += i;
504 blen -= i;
505
506 a = saddr2str((const struct sockaddr *)&spidx->dst);
507 for (b = a; *b != '\0'; b++)
508 if (*b == '[') {
509 *b = '\0';
510 b++;
511 break;
512 }
513 i = snprintf(p, blen, "%s/%d[%s ", a, spidx->prefd, b);
514 if (i < 0 || i >= blen)
515 return NULL;
516 p += i;
517 blen -= i;
518
519 snprintf(p, blen, "proto=%s dir=%s",
520 s_proto(spidx->ul_proto), s_direction(spidx->dir));
521
522 return buf;
523 }
mirror of ipsec