1 |
|
|
/* $OpenBSD: policy.c,v 1.46 2017/03/13 18:48:16 mikeb Exp $ */ |
2 |
|
|
|
3 |
|
|
/* |
4 |
|
|
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> |
5 |
|
|
* Copyright (c) 2001 Daniel Hartmeier |
6 |
|
|
* |
7 |
|
|
* Permission to use, copy, modify, and distribute this software for any |
8 |
|
|
* purpose with or without fee is hereby granted, provided that the above |
9 |
|
|
* copyright notice and this permission notice appear in all copies. |
10 |
|
|
* |
11 |
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
12 |
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
13 |
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
14 |
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
15 |
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
16 |
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
17 |
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
18 |
|
|
*/ |
19 |
|
|
|
20 |
|
|
#include <sys/queue.h> |
21 |
|
|
#include <sys/socket.h> |
22 |
|
|
#include <sys/uio.h> |
23 |
|
|
#include <sys/tree.h> |
24 |
|
|
|
25 |
|
|
#include <stdio.h> |
26 |
|
|
#include <stdlib.h> |
27 |
|
|
#include <unistd.h> |
28 |
|
|
#include <string.h> |
29 |
|
|
#include <errno.h> |
30 |
|
|
#include <fcntl.h> |
31 |
|
|
#include <event.h> |
32 |
|
|
|
33 |
|
|
#include "iked.h" |
34 |
|
|
#include "ikev2.h" |
35 |
|
|
|
36 |
|
|
static __inline int |
37 |
|
|
sa_cmp(struct iked_sa *, struct iked_sa *); |
38 |
|
|
static __inline int |
39 |
|
|
user_cmp(struct iked_user *, struct iked_user *); |
40 |
|
|
static __inline int |
41 |
|
|
childsa_cmp(struct iked_childsa *, struct iked_childsa *); |
42 |
|
|
static __inline int |
43 |
|
|
flow_cmp(struct iked_flow *, struct iked_flow *); |
44 |
|
|
|
45 |
|
|
|
46 |
|
|
void |
47 |
|
|
policy_init(struct iked *env) |
48 |
|
|
{ |
49 |
|
|
TAILQ_INIT(&env->sc_policies); |
50 |
|
|
TAILQ_INIT(&env->sc_ocsp); |
51 |
|
|
RB_INIT(&env->sc_users); |
52 |
|
|
RB_INIT(&env->sc_sas); |
53 |
|
|
RB_INIT(&env->sc_activesas); |
54 |
|
|
RB_INIT(&env->sc_activeflows); |
55 |
|
|
} |
56 |
|
|
|
57 |
|
|
int |
58 |
|
|
policy_lookup(struct iked *env, struct iked_message *msg) |
59 |
|
|
{ |
60 |
|
|
struct iked_policy pol; |
61 |
|
|
char *s, idstr[IKED_ID_SIZE]; |
62 |
|
|
|
63 |
|
|
|
64 |
|
|
if (msg->msg_sa != NULL && msg->msg_sa->sa_policy != NULL) { |
65 |
|
|
/* Existing SA with policy */ |
66 |
|
|
msg->msg_policy = msg->msg_sa->sa_policy; |
67 |
|
|
goto found; |
68 |
|
|
} |
69 |
|
|
|
70 |
|
|
bzero(&pol, sizeof(pol)); |
71 |
|
|
pol.pol_af = msg->msg_peer.ss_family; |
72 |
|
|
memcpy(&pol.pol_peer.addr, &msg->msg_peer, sizeof(msg->msg_peer)); |
73 |
|
|
memcpy(&pol.pol_local.addr, &msg->msg_local, sizeof(msg->msg_local)); |
74 |
|
|
if (msg->msg_id.id_type && |
75 |
|
|
ikev2_print_id(&msg->msg_id, idstr, IKED_ID_SIZE) == 0 && |
76 |
|
|
(s = strchr(idstr, '/')) != NULL) { |
77 |
|
|
pol.pol_peerid.id_type = msg->msg_id.id_type; |
78 |
|
|
pol.pol_peerid.id_length = strlen(s+1); |
79 |
|
|
strlcpy(pol.pol_peerid.id_data, s+1, |
80 |
|
|
sizeof(pol.pol_peerid.id_data)); |
81 |
|
|
log_debug("%s: peerid '%s'", __func__, s+1); |
82 |
|
|
} |
83 |
|
|
|
84 |
|
|
/* Try to find a matching policy for this message */ |
85 |
|
|
if ((msg->msg_policy = policy_test(env, &pol)) != NULL) |
86 |
|
|
goto found; |
87 |
|
|
|
88 |
|
|
/* No matching policy found, try the default */ |
89 |
|
|
if ((msg->msg_policy = env->sc_defaultcon) != NULL) |
90 |
|
|
goto found; |
91 |
|
|
|
92 |
|
|
/* No policy found */ |
93 |
|
|
return (-1); |
94 |
|
|
|
95 |
|
|
found: |
96 |
|
|
return (0); |
97 |
|
|
} |
98 |
|
|
|
99 |
|
|
struct iked_policy * |
100 |
|
|
policy_test(struct iked *env, struct iked_policy *key) |
101 |
|
|
{ |
102 |
|
|
struct iked_policy *p = NULL, *pol = NULL; |
103 |
|
|
struct iked_flow *flow = NULL, *flowkey; |
104 |
|
|
unsigned int cnt = 0; |
105 |
|
|
|
106 |
|
|
p = TAILQ_FIRST(&env->sc_policies); |
107 |
|
|
while (p != NULL) { |
108 |
|
|
cnt++; |
109 |
|
|
if (p->pol_flags & IKED_POLICY_SKIP) |
110 |
|
|
p = p->pol_skip[IKED_SKIP_FLAGS]; |
111 |
|
|
else if (key->pol_af && p->pol_af && |
112 |
|
|
key->pol_af != p->pol_af) |
113 |
|
|
p = p->pol_skip[IKED_SKIP_AF]; |
114 |
|
|
else if (key->pol_ipproto && p->pol_ipproto && |
115 |
|
|
key->pol_ipproto != p->pol_ipproto) |
116 |
|
|
p = p->pol_skip[IKED_SKIP_PROTO]; |
117 |
|
|
else if (sockaddr_cmp((struct sockaddr *)&key->pol_peer.addr, |
118 |
|
|
(struct sockaddr *)&p->pol_peer.addr, |
119 |
|
|
p->pol_peer.addr_mask) != 0) |
120 |
|
|
p = p->pol_skip[IKED_SKIP_DST_ADDR]; |
121 |
|
|
else if (sockaddr_cmp((struct sockaddr *)&key->pol_local.addr, |
122 |
|
|
(struct sockaddr *)&p->pol_local.addr, |
123 |
|
|
p->pol_local.addr_mask) != 0) |
124 |
|
|
p = p->pol_skip[IKED_SKIP_SRC_ADDR]; |
125 |
|
|
else { |
126 |
|
|
/* |
127 |
|
|
* Check if a specific flow is requested |
128 |
|
|
* (eg. for acquire messages from the kernel) |
129 |
|
|
* and find a matching flow. |
130 |
|
|
*/ |
131 |
|
|
if (key->pol_nflows && |
132 |
|
|
(flowkey = RB_MIN(iked_flows, |
133 |
|
|
&key->pol_flows)) != NULL && |
134 |
|
|
(flow = RB_FIND(iked_flows, &p->pol_flows, |
135 |
|
|
flowkey)) == NULL) { |
136 |
|
|
p = TAILQ_NEXT(p, pol_entry); |
137 |
|
|
continue; |
138 |
|
|
} |
139 |
|
|
/* make sure the peer ID matches */ |
140 |
|
|
if (key->pol_peerid.id_type && |
141 |
|
|
(key->pol_peerid.id_type != p->pol_peerid.id_type || |
142 |
|
|
memcmp(key->pol_peerid.id_data, |
143 |
|
|
p->pol_peerid.id_data, |
144 |
|
|
sizeof(key->pol_peerid.id_data)) != 0)) { |
145 |
|
|
p = TAILQ_NEXT(p, pol_entry); |
146 |
|
|
continue; |
147 |
|
|
} |
148 |
|
|
|
149 |
|
|
/* Policy matched */ |
150 |
|
|
pol = p; |
151 |
|
|
|
152 |
|
|
if (pol->pol_flags & IKED_POLICY_QUICK) |
153 |
|
|
break; |
154 |
|
|
|
155 |
|
|
/* Continue to find last matching policy */ |
156 |
|
|
p = TAILQ_NEXT(p, pol_entry); |
157 |
|
|
} |
158 |
|
|
} |
159 |
|
|
|
160 |
|
|
return (pol); |
161 |
|
|
} |
162 |
|
|
|
163 |
|
|
#define IKED_SET_SKIP_STEPS(i) \ |
164 |
|
|
do { \ |
165 |
|
|
while (head[i] != cur) { \ |
166 |
|
|
head[i]->pol_skip[i] = cur; \ |
167 |
|
|
head[i] = TAILQ_NEXT(head[i], pol_entry); \ |
168 |
|
|
} \ |
169 |
|
|
} while (0) |
170 |
|
|
|
171 |
|
|
/* This code is derived from pf_calc_skip_steps() from pf.c */ |
172 |
|
|
void |
173 |
|
|
policy_calc_skip_steps(struct iked_policies *policies) |
174 |
|
|
{ |
175 |
|
|
struct iked_policy *head[IKED_SKIP_COUNT], *cur, *prev; |
176 |
|
|
int i; |
177 |
|
|
|
178 |
|
|
cur = TAILQ_FIRST(policies); |
179 |
|
|
prev = cur; |
180 |
|
|
for (i = 0; i < IKED_SKIP_COUNT; ++i) |
181 |
|
|
head[i] = cur; |
182 |
|
|
while (cur != NULL) { |
183 |
|
|
if (cur->pol_flags & IKED_POLICY_SKIP) |
184 |
|
|
IKED_SET_SKIP_STEPS(IKED_SKIP_FLAGS); |
185 |
|
|
else if (cur->pol_af != AF_UNSPEC && |
186 |
|
|
prev->pol_af != AF_UNSPEC && |
187 |
|
|
cur->pol_af != prev->pol_af) |
188 |
|
|
IKED_SET_SKIP_STEPS(IKED_SKIP_AF); |
189 |
|
|
else if (cur->pol_ipproto && prev->pol_ipproto && |
190 |
|
|
cur->pol_ipproto != prev->pol_ipproto) |
191 |
|
|
IKED_SET_SKIP_STEPS(IKED_SKIP_PROTO); |
192 |
|
|
else if (IKED_ADDR_NEQ(&cur->pol_peer, &prev->pol_peer)) |
193 |
|
|
IKED_SET_SKIP_STEPS(IKED_SKIP_DST_ADDR); |
194 |
|
|
else if (IKED_ADDR_NEQ(&cur->pol_local, &prev->pol_local)) |
195 |
|
|
IKED_SET_SKIP_STEPS(IKED_SKIP_SRC_ADDR); |
196 |
|
|
|
197 |
|
|
prev = cur; |
198 |
|
|
cur = TAILQ_NEXT(cur, pol_entry); |
199 |
|
|
} |
200 |
|
|
for (i = 0; i < IKED_SKIP_COUNT; ++i) |
201 |
|
|
IKED_SET_SKIP_STEPS(i); |
202 |
|
|
} |
203 |
|
|
|
204 |
|
|
void |
205 |
|
|
policy_ref(struct iked *env, struct iked_policy *pol) |
206 |
|
|
{ |
207 |
|
|
pol->pol_refcnt++; |
208 |
|
|
pol->pol_flags |= IKED_POLICY_REFCNT; |
209 |
|
|
} |
210 |
|
|
|
211 |
|
|
void |
212 |
|
|
policy_unref(struct iked *env, struct iked_policy *pol) |
213 |
|
|
{ |
214 |
|
|
if (pol == NULL || (pol->pol_flags & IKED_POLICY_REFCNT) == 0) |
215 |
|
|
return; |
216 |
|
|
if (--(pol->pol_refcnt) <= 0) |
217 |
|
|
config_free_policy(env, pol); |
218 |
|
|
else { |
219 |
|
|
struct iked_sa *tmp; |
220 |
|
|
int count = 0; |
221 |
|
|
|
222 |
|
|
TAILQ_FOREACH(tmp, &pol->pol_sapeers, sa_peer_entry) |
223 |
|
|
count++; |
224 |
|
|
if (count != pol->pol_refcnt) |
225 |
|
|
log_warnx("%s: ERROR pol %p pol_refcnt %d != count %d", |
226 |
|
|
__func__, pol, pol->pol_refcnt, count); |
227 |
|
|
} |
228 |
|
|
} |
229 |
|
|
|
230 |
|
|
void |
231 |
|
|
sa_state(struct iked *env, struct iked_sa *sa, int state) |
232 |
|
|
{ |
233 |
|
|
const char *a; |
234 |
|
|
const char *b; |
235 |
|
|
int ostate = sa->sa_state; |
236 |
|
|
|
237 |
|
|
a = print_map(ostate, ikev2_state_map); |
238 |
|
|
b = print_map(state, ikev2_state_map); |
239 |
|
|
|
240 |
|
|
sa->sa_state = state; |
241 |
|
|
if (ostate != IKEV2_STATE_INIT && |
242 |
|
|
!sa_stateok(sa, state)) { |
243 |
|
|
log_debug("%s: cannot switch: %s -> %s", __func__, a, b); |
244 |
|
|
sa->sa_state = ostate; |
245 |
|
|
} else if (ostate != sa->sa_state) { |
246 |
|
|
switch (state) { |
247 |
|
|
case IKEV2_STATE_ESTABLISHED: |
248 |
|
|
case IKEV2_STATE_CLOSED: |
249 |
|
|
log_info("%s: %s -> %s from %s to %s policy '%s'", |
250 |
|
|
__func__, a, b, |
251 |
|
|
print_host((struct sockaddr *)&sa->sa_peer.addr, |
252 |
|
|
NULL, 0), |
253 |
|
|
print_host((struct sockaddr *)&sa->sa_local.addr, |
254 |
|
|
NULL, 0), |
255 |
|
|
sa->sa_policy ? sa->sa_policy->pol_name : |
256 |
|
|
"<unknown>"); |
257 |
|
|
break; |
258 |
|
|
default: |
259 |
|
|
log_debug("%s: %s -> %s", __func__, a, b); |
260 |
|
|
break; |
261 |
|
|
} |
262 |
|
|
} |
263 |
|
|
|
264 |
|
|
} |
265 |
|
|
|
266 |
|
|
void |
267 |
|
|
sa_stateflags(struct iked_sa *sa, unsigned int flags) |
268 |
|
|
{ |
269 |
|
|
unsigned int require; |
270 |
|
|
|
271 |
|
|
if (sa->sa_state > IKEV2_STATE_SA_INIT) |
272 |
|
|
require = sa->sa_statevalid; |
273 |
|
|
else |
274 |
|
|
require = sa->sa_stateinit; |
275 |
|
|
|
276 |
|
|
log_debug("%s: 0x%04x -> 0x%04x %s (required 0x%04x %s)", __func__, |
277 |
|
|
sa->sa_stateflags, sa->sa_stateflags | flags, |
278 |
|
|
print_bits(sa->sa_stateflags | flags, IKED_REQ_BITS), require, |
279 |
|
|
print_bits(require, IKED_REQ_BITS)); |
280 |
|
|
|
281 |
|
|
sa->sa_stateflags |= flags; |
282 |
|
|
} |
283 |
|
|
|
284 |
|
|
int |
285 |
|
|
sa_stateok(struct iked_sa *sa, int state) |
286 |
|
|
{ |
287 |
|
|
unsigned int require; |
288 |
|
|
|
289 |
|
|
if (sa->sa_state < state) |
290 |
|
|
return (0); |
291 |
|
|
|
292 |
|
|
if (state == IKEV2_STATE_SA_INIT) |
293 |
|
|
require = sa->sa_stateinit; |
294 |
|
|
else |
295 |
|
|
require = sa->sa_statevalid; |
296 |
|
|
|
297 |
|
|
if (state == IKEV2_STATE_SA_INIT || |
298 |
|
|
state == IKEV2_STATE_VALID || |
299 |
|
|
state == IKEV2_STATE_EAP_VALID) { |
300 |
|
|
log_debug("%s: %s flags 0x%04x, require 0x%04x %s", __func__, |
301 |
|
|
print_map(state, ikev2_state_map), |
302 |
|
|
(sa->sa_stateflags & require), require, |
303 |
|
|
print_bits(require, IKED_REQ_BITS)); |
304 |
|
|
|
305 |
|
|
if ((sa->sa_stateflags & require) != require) |
306 |
|
|
return (0); /* not ready, ignore */ |
307 |
|
|
} |
308 |
|
|
return (1); |
309 |
|
|
} |
310 |
|
|
|
311 |
|
|
struct iked_sa * |
312 |
|
|
sa_new(struct iked *env, uint64_t ispi, uint64_t rspi, |
313 |
|
|
unsigned int initiator, struct iked_policy *pol) |
314 |
|
|
{ |
315 |
|
|
struct iked_sa *sa; |
316 |
|
|
struct iked_sa *old; |
317 |
|
|
struct iked_id *localid; |
318 |
|
|
unsigned int diff; |
319 |
|
|
|
320 |
|
|
if ((ispi == 0 && rspi == 0) || |
321 |
|
|
(sa = sa_lookup(env, ispi, rspi, initiator)) == NULL) { |
322 |
|
|
/* Create new SA */ |
323 |
|
|
if (!initiator && ispi == 0) { |
324 |
|
|
log_debug("%s: cannot create responder IKE SA w/o ispi", |
325 |
|
|
__func__); |
326 |
|
|
return (NULL); |
327 |
|
|
} |
328 |
|
|
sa = config_new_sa(env, initiator); |
329 |
|
|
if (sa == NULL) { |
330 |
|
|
log_debug("%s: failed to allocate IKE SA", __func__); |
331 |
|
|
return (NULL); |
332 |
|
|
} |
333 |
|
|
if (!initiator) |
334 |
|
|
sa->sa_hdr.sh_ispi = ispi; |
335 |
|
|
old = RB_INSERT(iked_sas, &env->sc_sas, sa); |
336 |
|
|
if (old && old != sa) { |
337 |
|
|
log_warnx("%s: duplicate IKE SA", __func__); |
338 |
|
|
config_free_sa(env, sa); |
339 |
|
|
return (NULL); |
340 |
|
|
} |
341 |
|
|
} |
342 |
|
|
/* Update rspi in the initator case */ |
343 |
|
|
if (initiator && sa->sa_hdr.sh_rspi == 0 && rspi) |
344 |
|
|
sa->sa_hdr.sh_rspi = rspi; |
345 |
|
|
|
346 |
|
|
if (pol == NULL && sa->sa_policy == NULL) |
347 |
|
|
fatalx("%s: sa %p no policy", __func__, sa); |
348 |
|
|
else if (sa->sa_policy == NULL) { |
349 |
|
|
/* Increment refcount if the policy has refcounting enabled. */ |
350 |
|
|
if (pol->pol_flags & IKED_POLICY_REFCNT) { |
351 |
|
|
log_info("%s: sa %p old pol %p pol_refcnt %d", |
352 |
|
|
__func__, sa, pol, pol->pol_refcnt); |
353 |
|
|
policy_ref(env, pol); |
354 |
|
|
} |
355 |
|
|
sa->sa_policy = pol; |
356 |
|
|
TAILQ_INSERT_TAIL(&pol->pol_sapeers, sa, sa_peer_entry); |
357 |
|
|
} else |
358 |
|
|
pol = sa->sa_policy; |
359 |
|
|
|
360 |
|
|
sa->sa_statevalid = IKED_REQ_AUTH|IKED_REQ_AUTHVALID|IKED_REQ_SA; |
361 |
|
|
if (pol != NULL && pol->pol_auth.auth_eap) { |
362 |
|
|
sa->sa_statevalid |= IKED_REQ_CERT|IKED_REQ_EAPVALID; |
363 |
|
|
} else if (pol != NULL && pol->pol_auth.auth_method != |
364 |
|
|
IKEV2_AUTH_SHARED_KEY_MIC) { |
365 |
|
|
sa->sa_statevalid |= IKED_REQ_CERTVALID|IKED_REQ_CERT; |
366 |
|
|
} |
367 |
|
|
|
368 |
|
|
if (initiator) { |
369 |
|
|
localid = &sa->sa_iid; |
370 |
|
|
diff = IKED_REQ_CERTVALID|IKED_REQ_AUTHVALID|IKED_REQ_SA| |
371 |
|
|
IKED_REQ_EAPVALID; |
372 |
|
|
sa->sa_stateinit = sa->sa_statevalid & ~diff; |
373 |
|
|
sa->sa_statevalid = sa->sa_statevalid & diff; |
374 |
|
|
} else |
375 |
|
|
localid = &sa->sa_rid; |
376 |
|
|
|
377 |
|
|
if (!ibuf_length(localid->id_buf) && pol != NULL && |
378 |
|
|
ikev2_policy2id(&pol->pol_localid, localid, 1) != 0) { |
379 |
|
|
log_debug("%s: failed to get local id", __func__); |
380 |
|
|
sa_free(env, sa); |
381 |
|
|
return (NULL); |
382 |
|
|
} |
383 |
|
|
|
384 |
|
|
return (sa); |
385 |
|
|
} |
386 |
|
|
|
387 |
|
|
void |
388 |
|
|
sa_free(struct iked *env, struct iked_sa *sa) |
389 |
|
|
{ |
390 |
|
|
log_debug("%s: ispi %s rspi %s", __func__, |
391 |
|
|
print_spi(sa->sa_hdr.sh_ispi, 8), |
392 |
|
|
print_spi(sa->sa_hdr.sh_rspi, 8)); |
393 |
|
|
|
394 |
|
|
/* IKE rekeying running? */ |
395 |
|
|
if (sa->sa_nexti) { |
396 |
|
|
RB_REMOVE(iked_sas, &env->sc_sas, sa->sa_nexti); |
397 |
|
|
config_free_sa(env, sa->sa_nexti); |
398 |
|
|
} |
399 |
|
|
if (sa->sa_nextr) { |
400 |
|
|
RB_REMOVE(iked_sas, &env->sc_sas, sa->sa_nextr); |
401 |
|
|
config_free_sa(env, sa->sa_nextr); |
402 |
|
|
} |
403 |
|
|
RB_REMOVE(iked_sas, &env->sc_sas, sa); |
404 |
|
|
config_free_sa(env, sa); |
405 |
|
|
} |
406 |
|
|
|
407 |
|
|
void |
408 |
|
|
sa_free_flows(struct iked *env, struct iked_saflows *head) |
409 |
|
|
{ |
410 |
|
|
struct iked_flow *flow, *next; |
411 |
|
|
|
412 |
|
|
for (flow = TAILQ_FIRST(head); flow != NULL; flow = next) { |
413 |
|
|
next = TAILQ_NEXT(flow, flow_entry); |
414 |
|
|
|
415 |
|
|
log_debug("%s: free %p", __func__, flow); |
416 |
|
|
|
417 |
|
|
if (flow->flow_loaded) |
418 |
|
|
RB_REMOVE(iked_flows, &env->sc_activeflows, flow); |
419 |
|
|
TAILQ_REMOVE(head, flow, flow_entry); |
420 |
|
|
(void)pfkey_flow_delete(env->sc_pfkey, flow); |
421 |
|
|
flow_free(flow); |
422 |
|
|
} |
423 |
|
|
} |
424 |
|
|
|
425 |
|
|
|
426 |
|
|
int |
427 |
|
|
sa_address(struct iked_sa *sa, struct iked_addr *addr, |
428 |
|
|
struct sockaddr_storage *peer) |
429 |
|
|
{ |
430 |
|
|
bzero(addr, sizeof(*addr)); |
431 |
|
|
addr->addr_af = peer->ss_family; |
432 |
|
|
addr->addr_port = htons(socket_getport((struct sockaddr *)peer)); |
433 |
|
|
memcpy(&addr->addr, peer, sizeof(*peer)); |
434 |
|
|
if (socket_af((struct sockaddr *)&addr->addr, addr->addr_port) == -1) { |
435 |
|
|
log_debug("%s: invalid address", __func__); |
436 |
|
|
return (-1); |
437 |
|
|
} |
438 |
|
|
return (0); |
439 |
|
|
} |
440 |
|
|
|
441 |
|
|
void |
442 |
|
|
childsa_free(struct iked_childsa *csa) |
443 |
|
|
{ |
444 |
|
|
struct iked_childsa *csb; |
445 |
|
|
|
446 |
|
|
if (csa->csa_children) { |
447 |
|
|
/* XXX should not happen */ |
448 |
|
|
log_warnx("%s: trying to remove CSA %p children %u", |
449 |
|
|
__func__, csa, csa->csa_children); |
450 |
|
|
return; |
451 |
|
|
} |
452 |
|
|
if (csa->csa_parent) |
453 |
|
|
csa->csa_parent->csa_children--; |
454 |
|
|
if ((csb = csa->csa_peersa) != NULL) |
455 |
|
|
csb->csa_peersa = NULL; |
456 |
|
|
ibuf_release(csa->csa_encrkey); |
457 |
|
|
ibuf_release(csa->csa_integrkey); |
458 |
|
|
free(csa); |
459 |
|
|
} |
460 |
|
|
|
461 |
|
|
struct iked_childsa * |
462 |
|
|
childsa_lookup(struct iked_sa *sa, uint64_t spi, uint8_t protoid) |
463 |
|
|
{ |
464 |
|
|
struct iked_childsa *csa; |
465 |
|
|
|
466 |
|
|
if (sa == NULL || spi == 0 || protoid == 0) |
467 |
|
|
return (NULL); |
468 |
|
|
|
469 |
|
|
TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { |
470 |
|
|
if (csa->csa_spi.spi_protoid == protoid && |
471 |
|
|
(csa->csa_spi.spi == spi)) |
472 |
|
|
break; |
473 |
|
|
} |
474 |
|
|
return (csa); |
475 |
|
|
} |
476 |
|
|
|
477 |
|
|
void |
478 |
|
|
flow_free(struct iked_flow *flow) |
479 |
|
|
{ |
480 |
|
|
free(flow); |
481 |
|
|
} |
482 |
|
|
|
483 |
|
|
struct iked_sa * |
484 |
|
|
sa_lookup(struct iked *env, uint64_t ispi, uint64_t rspi, |
485 |
|
|
unsigned int initiator) |
486 |
|
|
{ |
487 |
|
|
struct iked_sa *sa, key; |
488 |
|
|
|
489 |
|
|
key.sa_hdr.sh_ispi = ispi; |
490 |
|
|
/* key.sa_hdr.sh_rspi = rspi; */ |
491 |
|
|
key.sa_hdr.sh_initiator = initiator; |
492 |
|
|
|
493 |
|
|
if ((sa = RB_FIND(iked_sas, &env->sc_sas, &key)) != NULL) { |
494 |
|
|
gettimeofday(&sa->sa_timeused, NULL); |
495 |
|
|
|
496 |
|
|
/* Validate if SPIr matches */ |
497 |
|
|
if ((sa->sa_hdr.sh_rspi != 0) && |
498 |
|
|
(rspi != 0) && |
499 |
|
|
(sa->sa_hdr.sh_rspi != rspi)) |
500 |
|
|
return (NULL); |
501 |
|
|
} |
502 |
|
|
|
503 |
|
|
return (sa); |
504 |
|
|
} |
505 |
|
|
|
506 |
|
|
static __inline int |
507 |
|
|
sa_cmp(struct iked_sa *a, struct iked_sa *b) |
508 |
|
|
{ |
509 |
|
|
if (a->sa_hdr.sh_initiator > b->sa_hdr.sh_initiator) |
510 |
|
|
return (-1); |
511 |
|
|
if (a->sa_hdr.sh_initiator < b->sa_hdr.sh_initiator) |
512 |
|
|
return (1); |
513 |
|
|
|
514 |
|
|
if (a->sa_hdr.sh_ispi > b->sa_hdr.sh_ispi) |
515 |
|
|
return (-1); |
516 |
|
|
if (a->sa_hdr.sh_ispi < b->sa_hdr.sh_ispi) |
517 |
|
|
return (1); |
518 |
|
|
|
519 |
|
|
#if 0 |
520 |
|
|
/* Responder SPI is not yet set in the local IKE SADB */ |
521 |
|
|
if ((b->sa_type == IKED_SATYPE_LOCAL && b->sa_hdr.sh_rspi == 0) || |
522 |
|
|
(a->sa_type == IKED_SATYPE_LOCAL && a->sa_hdr.sh_rspi == 0)) |
523 |
|
|
return (0); |
524 |
|
|
|
525 |
|
|
if (a->sa_hdr.sh_rspi > b->sa_hdr.sh_rspi) |
526 |
|
|
return (-1); |
527 |
|
|
if (a->sa_hdr.sh_rspi < b->sa_hdr.sh_rspi) |
528 |
|
|
return (1); |
529 |
|
|
#endif |
530 |
|
|
|
531 |
|
|
return (0); |
532 |
|
|
} |
533 |
|
|
|
534 |
|
|
static __inline int |
535 |
|
|
sa_addrpool_cmp(struct iked_sa *a, struct iked_sa *b) |
536 |
|
|
{ |
537 |
|
|
return (sockaddr_cmp((struct sockaddr *)&a->sa_addrpool->addr, |
538 |
|
|
(struct sockaddr *)&b->sa_addrpool->addr, -1)); |
539 |
|
|
} |
540 |
|
|
|
541 |
|
|
static __inline int |
542 |
|
|
sa_addrpool6_cmp(struct iked_sa *a, struct iked_sa *b) |
543 |
|
|
{ |
544 |
|
|
return (sockaddr_cmp((struct sockaddr *)&a->sa_addrpool6->addr, |
545 |
|
|
(struct sockaddr *)&b->sa_addrpool6->addr, -1)); |
546 |
|
|
} |
547 |
|
|
|
548 |
|
|
struct iked_user * |
549 |
|
|
user_lookup(struct iked *env, const char *user) |
550 |
|
|
{ |
551 |
|
|
struct iked_user key; |
552 |
|
|
|
553 |
|
|
if (strlcpy(key.usr_name, user, |
554 |
|
|
sizeof(key.usr_name)) >= sizeof(key.usr_name)) |
555 |
|
|
return (NULL); |
556 |
|
|
|
557 |
|
|
return (RB_FIND(iked_users, &env->sc_users, &key)); |
558 |
|
|
} |
559 |
|
|
|
560 |
|
|
static __inline int |
561 |
|
|
user_cmp(struct iked_user *a, struct iked_user *b) |
562 |
|
|
{ |
563 |
|
|
return (strcmp(a->usr_name, b->usr_name)); |
564 |
|
|
} |
565 |
|
|
|
566 |
|
|
static __inline int |
567 |
|
|
childsa_cmp(struct iked_childsa *a, struct iked_childsa *b) |
568 |
|
|
{ |
569 |
|
|
if (a->csa_spi.spi > b->csa_spi.spi) |
570 |
|
|
return (1); |
571 |
|
|
if (a->csa_spi.spi < b->csa_spi.spi) |
572 |
|
|
return (-1); |
573 |
|
|
return (0); |
574 |
|
|
} |
575 |
|
|
|
576 |
|
|
static __inline int |
577 |
|
|
addr_cmp(struct iked_addr *a, struct iked_addr *b, int useports) |
578 |
|
|
{ |
579 |
|
|
int diff = 0; |
580 |
|
|
|
581 |
|
|
diff = sockaddr_cmp((struct sockaddr *)&a->addr, |
582 |
|
|
(struct sockaddr *)&b->addr, 128); |
583 |
|
|
if (!diff) |
584 |
|
|
diff = (int)a->addr_mask - (int)b->addr_mask; |
585 |
|
|
if (!diff && useports) |
586 |
|
|
diff = a->addr_port - b->addr_port; |
587 |
|
|
|
588 |
|
|
return (diff); |
589 |
|
|
} |
590 |
|
|
|
591 |
|
|
static __inline int |
592 |
|
|
flow_cmp(struct iked_flow *a, struct iked_flow *b) |
593 |
|
|
{ |
594 |
|
|
int diff = 0; |
595 |
|
|
|
596 |
|
|
if (!diff) |
597 |
|
|
diff = (int)a->flow_ipproto - (int)b->flow_ipproto; |
598 |
|
|
if (!diff) |
599 |
|
|
diff = (int)a->flow_saproto - (int)b->flow_saproto; |
600 |
|
|
if (!diff) |
601 |
|
|
diff = (int)a->flow_dir - (int)b->flow_dir; |
602 |
|
|
if (!diff) |
603 |
|
|
diff = addr_cmp(&a->flow_dst, &b->flow_dst, 1); |
604 |
|
|
if (!diff) |
605 |
|
|
diff = addr_cmp(&a->flow_src, &b->flow_src, 1); |
606 |
|
|
|
607 |
|
|
return (diff); |
608 |
|
|
} |
609 |
|
|
|
610 |
|
|
int |
611 |
|
|
flow_equal(struct iked_flow *a, struct iked_flow *b) |
612 |
|
|
{ |
613 |
|
|
return (flow_cmp(a, b) == 0); |
614 |
|
|
} |
615 |
|
|
|
616 |
|
|
RB_GENERATE(iked_sas, iked_sa, sa_entry, sa_cmp); |
617 |
|
|
RB_GENERATE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp); |
618 |
|
|
RB_GENERATE(iked_addrpool6, iked_sa, sa_addrpool6_entry, sa_addrpool6_cmp); |
619 |
|
|
RB_GENERATE(iked_users, iked_user, usr_entry, user_cmp); |
620 |
|
|
RB_GENERATE(iked_activesas, iked_childsa, csa_node, childsa_cmp); |
621 |
|
|
RB_GENERATE(iked_flows, iked_flow, flow_node, flow_cmp); |