1 /* $OpenBSD: ip_spd.c,v 1.58 2008/09/10 14:01:23 blambert Exp $ */ 2 /* 3 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) 4 * 5 * Copyright (c) 2000-2001 Angelos D. Keromytis. 6 * 7 * Permission to use, copy, and modify this software with or without fee 8 * is hereby granted, provided that this entire notice is included in 9 * all copies of any software which is or includes a copy or 10 * modification of this software. 11 * You may use this code under the GNU public license if you so wish. Please 12 * contribute changes back to the authors under this freer than GPL license 13 * so that we may further the use of strong encryption without limitations to 14 * all. 15 * 16 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 17 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 18 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 19 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 20 * PURPOSE. 21 */ 22 23 #include <sys/param.h> 24 #include <sys/systm.h> 25 #include <sys/mbuf.h> 26 #include <sys/socket.h> 27 #include <sys/kernel.h> 28 #include <sys/socketvar.h> 29 #include <sys/protosw.h> 30 #include <sys/pool.h> 31 32 #include <net/if.h> 33 #include <net/route.h> 34 #include <net/netisr.h> 35 36 #ifdef INET 37 #include <netinet/in.h> 38 #include <netinet/in_systm.h> 39 #include <netinet/ip.h> 40 #include <netinet/in_pcb.h> 41 #include <netinet/in_var.h> 42 #endif /* INET */ 43 44 #ifdef INET6 45 #ifndef INET 46 #include <netinet/in.h> 47 #endif 48 #include <netinet6/in6_var.h> 49 #endif /* INET6 */ 50 51 #include <netinet/ip_ipsp.h> 52 #include <net/pfkeyv2.h> 53 54 #ifdef ENCDEBUG 55 #define DPRINTF(x) if (encdebug) printf x 56 #else 57 #define DPRINTF(x) 58 #endif 59 60 struct pool ipsec_policy_pool; 61 struct pool ipsec_acquire_pool; 62 int ipsec_policy_pool_initialized = 0; 63 int ipsec_acquire_pool_initialized = 0; 64 65 /* 66 * Lookup at the SPD based on the headers contained on the mbuf. The second 67 * argument indicates what protocol family the header at the beginning of 68 * the mbuf is. hlen is the offset of the transport protocol header 69 * in the mbuf. 70 * 71 * Return combinations (of return value and in *error): 72 * - NULL/0 -> no IPsec required on packet 73 * - NULL/-EINVAL -> silently drop the packet 74 * - NULL/errno -> drop packet and return error 75 * or a pointer to a TDB (and 0 in *error). 76 * 77 * In the case of incoming flows, only the first three combinations are 78 * returned. 79 */ 80 struct tdb * 81 ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, 82 struct tdb *tdbp, struct inpcb *inp) 83 { 84 struct route_enc re0, *re = &re0; 85 union sockaddr_union sdst, ssrc; 86 struct sockaddr_encap *ddst; 87 struct ipsec_policy *ipo; 88 int signore = 0, dignore = 0; 89 90 /* 91 * If there are no flows in place, there's no point 92 * continuing with the SPD lookup. 93 */ 94 if (!ipsec_in_use && inp == NULL) { 95 *error = 0; 96 return NULL; 97 } 98 99 /* 100 * If an input packet is destined to a BYPASS socket, just accept it. 101 */ 102 if ((inp != NULL) && (direction == IPSP_DIRECTION_IN) && 103 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 104 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) && 105 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 106 *error = 0; 107 return NULL; 108 } 109 110 bzero((caddr_t) re, sizeof(struct route_enc)); 111 bzero((caddr_t) &sdst, sizeof(union sockaddr_union)); 112 bzero((caddr_t) &ssrc, sizeof(union sockaddr_union)); 113 ddst = (struct sockaddr_encap *) &re->re_dst; 114 ddst->sen_family = PF_KEY; 115 ddst->sen_len = SENT_LEN; 116 117 switch (af) { 118 #ifdef INET 119 case AF_INET: 120 if (hlen < sizeof (struct ip) || m->m_pkthdr.len < hlen) { 121 *error = EINVAL; 122 return NULL; 123 } 124 ddst->sen_direction = direction; 125 ddst->sen_type = SENT_IP4; 126 127 m_copydata(m, offsetof(struct ip, ip_src), 128 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_src)); 129 m_copydata(m, offsetof(struct ip, ip_dst), 130 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_dst)); 131 m_copydata(m, offsetof(struct ip, ip_p), sizeof(u_int8_t), 132 (caddr_t) &(ddst->sen_proto)); 133 134 sdst.sin.sin_family = ssrc.sin.sin_family = AF_INET; 135 sdst.sin.sin_len = ssrc.sin.sin_len = 136 sizeof(struct sockaddr_in); 137 ssrc.sin.sin_addr = ddst->sen_ip_src; 138 sdst.sin.sin_addr = ddst->sen_ip_dst; 139 140 /* 141 * If TCP/UDP, extract the port numbers to use in the lookup. 142 */ 143 switch (ddst->sen_proto) { 144 case IPPROTO_UDP: 145 case IPPROTO_TCP: 146 /* Make sure there's enough data in the packet. */ 147 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 148 *error = EINVAL; 149 return NULL; 150 } 151 152 /* 153 * Luckily, the offset of the src/dst ports in 154 * both the UDP and TCP headers is the same (first 155 * two 16-bit values in the respective headers), 156 * so we can just copy them. 157 */ 158 m_copydata(m, hlen, sizeof(u_int16_t), 159 (caddr_t) &(ddst->sen_sport)); 160 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 161 (caddr_t) &(ddst->sen_dport)); 162 break; 163 164 default: 165 ddst->sen_sport = 0; 166 ddst->sen_dport = 0; 167 } 168 169 break; 170 #endif /* INET */ 171 172 #ifdef INET6 173 case AF_INET6: 174 if (hlen < sizeof (struct ip6_hdr) || m->m_pkthdr.len < hlen) { 175 *error = EINVAL; 176 return NULL; 177 } 178 ddst->sen_type = SENT_IP6; 179 ddst->sen_ip6_direction = direction; 180 181 m_copydata(m, offsetof(struct ip6_hdr, ip6_src), 182 sizeof(struct in6_addr), 183 (caddr_t) &(ddst->sen_ip6_src)); 184 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 185 sizeof(struct in6_addr), 186 (caddr_t) &(ddst->sen_ip6_dst)); 187 m_copydata(m, offsetof(struct ip6_hdr, ip6_nxt), 188 sizeof(u_int8_t), 189 (caddr_t) &(ddst->sen_ip6_proto)); 190 191 sdst.sin6.sin6_family = ssrc.sin6.sin6_family = AF_INET6; 192 sdst.sin6.sin6_len = ssrc.sin6.sin6_len = 193 sizeof(struct sockaddr_in6); 194 in6_recoverscope(&ssrc.sin6, &ddst->sen_ip6_src, NULL); 195 in6_recoverscope(&sdst.sin6, &ddst->sen_ip6_dst, NULL); 196 197 /* 198 * If TCP/UDP, extract the port numbers to use in the lookup. 199 */ 200 switch (ddst->sen_ip6_proto) { 201 case IPPROTO_UDP: 202 case IPPROTO_TCP: 203 /* Make sure there's enough data in the packet. */ 204 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 205 *error = EINVAL; 206 return NULL; 207 } 208 209 /* 210 * Luckily, the offset of the src/dst ports in 211 * both the UDP and TCP headers is the same 212 * (first two 16-bit values in the respective 213 * headers), so we can just copy them. 214 */ 215 m_copydata(m, hlen, sizeof(u_int16_t), 216 (caddr_t) &(ddst->sen_ip6_sport)); 217 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 218 (caddr_t) &(ddst->sen_ip6_dport)); 219 break; 220 221 default: 222 ddst->sen_ip6_sport = 0; 223 ddst->sen_ip6_dport = 0; 224 } 225 226 break; 227 #endif /* INET6 */ 228 229 default: 230 *error = EAFNOSUPPORT; 231 return NULL; 232 } 233 234 /* Actual SPD lookup. */ 235 rtalloc((struct route *) re); 236 if (re->re_rt == NULL) { 237 /* 238 * Return whatever the socket requirements are, there are no 239 * system-wide policies. 240 */ 241 *error = 0; 242 return ipsp_spd_inp(m, af, hlen, error, direction, 243 tdbp, inp, NULL); 244 } 245 246 /* Sanity check. */ 247 if ((re->re_rt->rt_gateway == NULL) || 248 (((struct sockaddr_encap *) re->re_rt->rt_gateway)->sen_type != 249 SENT_IPSP)) { 250 RTFREE(re->re_rt); 251 *error = EHOSTUNREACH; 252 DPRINTF(("ip_spd_lookup: no gateway in SPD entry!")); 253 return NULL; 254 } 255 256 ipo = ((struct sockaddr_encap *) (re->re_rt->rt_gateway))->sen_ipsp; 257 RTFREE(re->re_rt); 258 if (ipo == NULL) { 259 *error = EHOSTUNREACH; 260 DPRINTF(("ip_spd_lookup: no policy attached to SPD entry!")); 261 return NULL; 262 } 263 264 switch (ipo->ipo_type) { 265 case IPSP_PERMIT: 266 *error = 0; 267 return ipsp_spd_inp(m, af, hlen, error, direction, tdbp, 268 inp, ipo); 269 270 case IPSP_DENY: 271 *error = EHOSTUNREACH; 272 return NULL; 273 274 case IPSP_IPSEC_USE: 275 case IPSP_IPSEC_ACQUIRE: 276 case IPSP_IPSEC_REQUIRE: 277 case IPSP_IPSEC_DONTACQ: 278 /* Nothing more needed here. */ 279 break; 280 281 default: 282 *error = EINVAL; 283 return NULL; 284 } 285 286 /* Check for non-specific destination in the policy. */ 287 switch (ipo->ipo_dst.sa.sa_family) { 288 #ifdef INET 289 case AF_INET: 290 if ((ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_ANY) || 291 (ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_BROADCAST)) 292 dignore = 1; 293 break; 294 #endif /* INET */ 295 296 #ifdef INET6 297 case AF_INET6: 298 if ((IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_dst.sin6.sin6_addr)) || 299 (bcmp(&ipo->ipo_dst.sin6.sin6_addr, &in6mask128, 300 sizeof(in6mask128)) == 0)) 301 dignore = 1; 302 break; 303 #endif /* INET6 */ 304 } 305 306 /* Likewise for source. */ 307 switch (ipo->ipo_src.sa.sa_family) { 308 #ifdef INET 309 case AF_INET: 310 if (ipo->ipo_src.sin.sin_addr.s_addr == INADDR_ANY) 311 signore = 1; 312 break; 313 #endif /* INET */ 314 315 #ifdef INET6 316 case AF_INET6: 317 if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_src.sin6.sin6_addr)) 318 signore = 1; 319 break; 320 #endif /* INET6 */ 321 } 322 323 /* Do we have a cached entry ? If so, check if it's still valid. */ 324 if ((ipo->ipo_tdb) && (ipo->ipo_tdb->tdb_flags & TDBF_INVALID)) { 325 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 326 ipo_tdb_next); 327 ipo->ipo_tdb = NULL; 328 } 329 330 /* Outgoing packet policy check. */ 331 if (direction == IPSP_DIRECTION_OUT) { 332 /* 333 * If the packet is destined for the policy-specified 334 * gateway/endhost, and the socket has the BYPASS 335 * option set, skip IPsec processing. 336 */ 337 if ((inp != NULL) && 338 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 339 (inp->inp_seclevel[SL_ESP_NETWORK] == 340 IPSEC_LEVEL_BYPASS) && 341 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 342 /* Direct match. */ 343 if (dignore || 344 !bcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) { 345 *error = 0; 346 return NULL; 347 } 348 } 349 350 /* Check that the cached TDB (if present), is appropriate. */ 351 if (ipo->ipo_tdb) { 352 if ((ipo->ipo_last_searched <= ipsec_last_added) || 353 (ipo->ipo_sproto != ipo->ipo_tdb->tdb_sproto) || 354 bcmp(dignore ? &sdst : &ipo->ipo_dst, 355 &ipo->ipo_tdb->tdb_dst, 356 ipo->ipo_tdb->tdb_dst.sa.sa_len)) 357 goto nomatchout; 358 359 if (!ipsp_aux_match(ipo->ipo_tdb, 360 ipo->ipo_srcid, ipo->ipo_dstid, 361 ipo->ipo_local_cred, NULL, 362 &ipo->ipo_addr, &ipo->ipo_mask)) 363 goto nomatchout; 364 365 /* Cached entry is good. */ 366 *error = 0; 367 return ipsp_spd_inp(m, af, hlen, error, direction, 368 tdbp, inp, ipo); 369 370 nomatchout: 371 /* Cached TDB was not good. */ 372 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 373 ipo_tdb_next); 374 ipo->ipo_tdb = NULL; 375 ipo->ipo_last_searched = 0; 376 } 377 378 /* 379 * If no SA has been added since the last time we did a 380 * lookup, there's no point searching for one. However, if the 381 * destination gateway is left unspecified (or is all-1's), 382 * always lookup since this is a generic-match rule 383 * (otherwise, we can have situations where SAs to some 384 * destinations exist but are not used, possibly leading to an 385 * explosion in the number of acquired SAs). 386 */ 387 if (ipo->ipo_last_searched <= ipsec_last_added) { 388 /* "Touch" the entry. */ 389 if (dignore == 0) 390 ipo->ipo_last_searched = time_second; 391 392 /* Find an appropriate SA from the existing ones. */ 393 ipo->ipo_tdb = 394 gettdbbyaddr(dignore ? &sdst : &ipo->ipo_dst, 395 ipo->ipo_sproto, ipo->ipo_srcid, 396 ipo->ipo_dstid, ipo->ipo_local_cred, m, af, 397 &ipo->ipo_addr, &ipo->ipo_mask); 398 if (ipo->ipo_tdb) { 399 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 400 ipo, ipo_tdb_next); 401 *error = 0; 402 return ipsp_spd_inp(m, af, hlen, error, 403 direction, tdbp, inp, ipo); 404 } 405 } 406 407 /* So, we don't have an SA -- just a policy. */ 408 switch (ipo->ipo_type) { 409 case IPSP_IPSEC_REQUIRE: 410 /* Acquire SA through key management. */ 411 if (ipsp_acquire_sa(ipo, 412 dignore ? &sdst : &ipo->ipo_dst, 413 signore ? NULL : &ipo->ipo_src, ddst, m) != 0) { 414 *error = EACCES; 415 return NULL; 416 } 417 418 /* FALLTHROUGH */ 419 case IPSP_IPSEC_DONTACQ: 420 *error = -EINVAL; /* Silently drop packet. */ 421 return NULL; 422 423 case IPSP_IPSEC_ACQUIRE: 424 /* Acquire SA through key management. */ 425 ipsp_acquire_sa(ipo, dignore ? &sdst : &ipo->ipo_dst, 426 signore ? NULL : &ipo->ipo_src, ddst, NULL); 427 428 /* FALLTHROUGH */ 429 case IPSP_IPSEC_USE: 430 *error = 0; 431 return ipsp_spd_inp(m, af, hlen, error, direction, 432 tdbp, inp, ipo); 433 } 434 } else { /* IPSP_DIRECTION_IN */ 435 if (tdbp != NULL) { 436 /* Direct match in the cache. */ 437 if (ipo->ipo_tdb == tdbp) { 438 *error = 0; 439 return ipsp_spd_inp(m, af, hlen, error, 440 direction, tdbp, inp, ipo); 441 } 442 443 if (bcmp(dignore ? &ssrc : &ipo->ipo_dst, 444 &tdbp->tdb_src, tdbp->tdb_src.sa.sa_len) || 445 (ipo->ipo_sproto != tdbp->tdb_sproto)) 446 goto nomatchin; 447 448 /* Match source ID. */ 449 if (ipo->ipo_srcid) { 450 if (tdbp->tdb_dstid == NULL || 451 !ipsp_ref_match(ipo->ipo_srcid, 452 tdbp->tdb_dstid)) 453 goto nomatchin; 454 } 455 456 /* Match destination ID. */ 457 if (ipo->ipo_dstid) { 458 if (tdbp->tdb_srcid == NULL || 459 !ipsp_ref_match(ipo->ipo_dstid, 460 tdbp->tdb_srcid)) 461 goto nomatchin; 462 } 463 464 /* Add it to the cache. */ 465 if (ipo->ipo_tdb) 466 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, 467 ipo, ipo_tdb_next); 468 ipo->ipo_tdb = tdbp; 469 TAILQ_INSERT_TAIL(&tdbp->tdb_policy_head, ipo, 470 ipo_tdb_next); 471 *error = 0; 472 return ipsp_spd_inp(m, af, hlen, error, direction, 473 tdbp, inp, ipo); 474 475 nomatchin: /* Nothing needed here, falling through */ 476 ; 477 } 478 479 /* Check whether cached entry applies. */ 480 if (ipo->ipo_tdb) { 481 /* 482 * We only need to check that the correct 483 * security protocol and security gateway are 484 * set; credentials/IDs will be the same, 485 * since the cached entry is linked on this 486 * policy. 487 */ 488 if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto && 489 !bcmp(&ipo->ipo_tdb->tdb_src, 490 dignore ? &ssrc : &ipo->ipo_dst, 491 ipo->ipo_tdb->tdb_src.sa.sa_len)) 492 goto skipinputsearch; 493 494 /* Not applicable, unlink. */ 495 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 496 ipo_tdb_next); 497 ipo->ipo_last_searched = 0; 498 ipo->ipo_tdb = NULL; 499 } 500 501 /* Find whether there exists an appropriate SA. */ 502 if (ipo->ipo_last_searched <= ipsec_last_added) { 503 if (dignore == 0) 504 ipo->ipo_last_searched = time_second; 505 506 ipo->ipo_tdb = 507 gettdbbysrc(dignore ? &ssrc : &ipo->ipo_dst, 508 ipo->ipo_sproto, ipo->ipo_srcid, 509 ipo->ipo_dstid, m, af, &ipo->ipo_addr, 510 &ipo->ipo_mask); 511 if (ipo->ipo_tdb) 512 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 513 ipo, ipo_tdb_next); 514 } 515 skipinputsearch: 516 517 switch (ipo->ipo_type) { 518 case IPSP_IPSEC_REQUIRE: 519 /* If appropriate SA exists, don't acquire another. */ 520 if (ipo->ipo_tdb) { 521 *error = -EINVAL; 522 return NULL; 523 } 524 525 /* Acquire SA through key management. */ 526 if ((*error = ipsp_acquire_sa(ipo, 527 dignore ? &ssrc : &ipo->ipo_dst, 528 signore ? NULL : &ipo->ipo_src, ddst, m)) != 0) 529 return NULL; 530 531 /* FALLTHROUGH */ 532 case IPSP_IPSEC_DONTACQ: 533 /* Drop packet. */ 534 *error = -EINVAL; 535 return NULL; 536 537 case IPSP_IPSEC_ACQUIRE: 538 /* If appropriate SA exists, don't acquire another. */ 539 if (ipo->ipo_tdb) { 540 *error = 0; 541 return ipsp_spd_inp(m, af, hlen, error, 542 direction, tdbp, inp, ipo); 543 } 544 545 /* Acquire SA through key management. */ 546 ipsp_acquire_sa(ipo, dignore ? &ssrc : &ipo->ipo_dst, 547 signore ? NULL : &ipo->ipo_src, ddst, NULL); 548 549 /* FALLTHROUGH */ 550 case IPSP_IPSEC_USE: 551 *error = 0; 552 return ipsp_spd_inp(m, af, hlen, error, direction, 553 tdbp, inp, ipo); 554 } 555 } 556 557 /* Shouldn't ever get this far. */ 558 *error = EINVAL; 559 return NULL; 560 } 561 562 /* 563 * Delete a policy from the SPD. 564 */ 565 int 566 ipsec_delete_policy(struct ipsec_policy *ipo) 567 { 568 struct rt_addrinfo info; 569 struct ipsec_acquire *ipa; 570 int err = 0; 571 572 if (--ipo->ipo_ref_count > 0) 573 return 0; 574 575 /* Delete from SPD. */ 576 if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) { 577 bzero(&info, sizeof(info)); 578 info.rti_info[RTAX_DST] = (struct sockaddr *)&ipo->ipo_addr; 579 info.rti_info[RTAX_NETMASK] = (struct sockaddr *)&ipo->ipo_mask; 580 581 /* XXX other tables? */ 582 err = rtrequest1(RTM_DELETE, &info, RTP_DEFAULT, NULL, 0); 583 } 584 if (ipo->ipo_tdb != NULL) 585 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 586 ipo_tdb_next); 587 588 while ((ipa = TAILQ_FIRST(&ipo->ipo_acquires)) != NULL) 589 ipsp_delete_acquire(ipa); 590 591 TAILQ_REMOVE(&ipsec_policy_head, ipo, ipo_list); 592 593 if (ipo->ipo_srcid) 594 ipsp_reffree(ipo->ipo_srcid); 595 if (ipo->ipo_dstid) 596 ipsp_reffree(ipo->ipo_dstid); 597 if (ipo->ipo_local_cred) 598 ipsp_reffree(ipo->ipo_local_cred); 599 if (ipo->ipo_local_auth) 600 ipsp_reffree(ipo->ipo_local_auth); 601 602 pool_put(&ipsec_policy_pool, ipo); 603 604 if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) 605 ipsec_in_use--; 606 607 return err; 608 } 609 610 /* 611 * Add a policy to the SPD. 612 */ 613 struct ipsec_policy * 614 ipsec_add_policy(struct inpcb *inp, int af, int direction) 615 { 616 struct ipsec_policy *ipon; 617 618 if (ipsec_policy_pool_initialized == 0) { 619 ipsec_policy_pool_initialized = 1; 620 pool_init(&ipsec_policy_pool, sizeof(struct ipsec_policy), 621 0, 0, 0, "ipsec policy", NULL); 622 } 623 624 ipon = pool_get(&ipsec_policy_pool, PR_NOWAIT); 625 if (ipon == NULL) 626 return NULL; 627 628 bzero(ipon, sizeof(struct ipsec_policy)); 629 630 ipon->ipo_ref_count = 1; 631 ipon->ipo_flags |= IPSP_POLICY_SOCKET; 632 633 ipon->ipo_type = IPSP_IPSEC_REQUIRE; /* XXX */ 634 635 /* XXX 636 * We should actually be creating a linked list of 637 * policies (for tunnel/transport and ESP/AH), as needed. 638 */ 639 ipon->ipo_sproto = IPPROTO_ESP; 640 641 TAILQ_INIT(&ipon->ipo_acquires); 642 TAILQ_INSERT_HEAD(&ipsec_policy_head, ipon, ipo_list); 643 644 ipsec_update_policy(inp, ipon, af, direction); 645 646 return ipon; 647 } 648 649 /* 650 * Update a PCB-attached policy. 651 */ 652 void 653 ipsec_update_policy(struct inpcb *inp, struct ipsec_policy *ipon, int af, 654 int direction) 655 { 656 ipon->ipo_addr.sen_len = ipon->ipo_mask.sen_len = SENT_LEN; 657 ipon->ipo_addr.sen_family = ipon->ipo_mask.sen_family = PF_KEY; 658 ipon->ipo_src.sa.sa_family = ipon->ipo_dst.sa.sa_family = af; 659 660 switch (af) { 661 case AF_INET: 662 #ifdef INET 663 ipon->ipo_addr.sen_type = ipon->ipo_mask.sen_type = SENT_IP4; 664 ipon->ipo_addr.sen_ip_src = inp->inp_laddr; 665 ipon->ipo_addr.sen_ip_dst = inp->inp_faddr; 666 ipon->ipo_addr.sen_sport = inp->inp_lport; 667 ipon->ipo_addr.sen_dport = inp->inp_fport; 668 ipon->ipo_addr.sen_proto = 669 inp->inp_socket->so_proto->pr_protocol; 670 ipon->ipo_addr.sen_direction = direction; 671 672 ipon->ipo_mask.sen_ip_src.s_addr = 0xffffffff; 673 ipon->ipo_mask.sen_ip_dst.s_addr = 0xffffffff; 674 ipon->ipo_mask.sen_sport = ipon->ipo_mask.sen_dport = 0xffff; 675 ipon->ipo_mask.sen_proto = 0xff; 676 ipon->ipo_mask.sen_direction = direction; 677 678 ipon->ipo_src.sa.sa_len = sizeof(struct sockaddr_in); 679 ipon->ipo_dst.sa.sa_len = sizeof(struct sockaddr_in); 680 ipon->ipo_src.sin.sin_addr = inp->inp_laddr; 681 ipon->ipo_dst.sin.sin_addr = inp->inp_faddr; 682 #endif /* INET */ 683 break; 684 685 case AF_INET6: 686 #ifdef INET6 687 ipon->ipo_addr.sen_type = ipon->ipo_mask.sen_type = SENT_IP6; 688 ipon->ipo_addr.sen_ip6_src = inp->inp_laddr6; 689 ipon->ipo_addr.sen_ip6_dst = inp->inp_faddr6; 690 ipon->ipo_addr.sen_ip6_sport = inp->inp_lport; 691 ipon->ipo_addr.sen_ip6_dport = inp->inp_fport; 692 ipon->ipo_addr.sen_ip6_proto = 693 inp->inp_socket->so_proto->pr_protocol; 694 ipon->ipo_addr.sen_ip6_direction = direction; 695 696 ipon->ipo_mask.sen_ip6_src = in6mask128; 697 ipon->ipo_mask.sen_ip6_dst = in6mask128; 698 ipon->ipo_mask.sen_ip6_sport = 0xffff; 699 ipon->ipo_mask.sen_ip6_dport = 0xffff; 700 ipon->ipo_mask.sen_ip6_proto = 0xff; 701 ipon->ipo_mask.sen_ip6_direction = direction; 702 703 ipon->ipo_src.sa.sa_len = sizeof(struct sockaddr_in6); 704 ipon->ipo_dst.sa.sa_len = sizeof(struct sockaddr_in6); 705 ipon->ipo_src.sin6.sin6_addr = inp->inp_laddr6; 706 ipon->ipo_dst.sin6.sin6_addr = inp->inp_faddr6; 707 #endif /* INET6 */ 708 break; 709 } 710 } 711 712 /* 713 * Delete a pending IPsec acquire record. 714 */ 715 void 716 ipsp_delete_acquire(void *v) 717 { 718 struct ipsec_acquire *ipa = v; 719 720 timeout_del(&ipa->ipa_timeout); 721 TAILQ_REMOVE(&ipsec_acquire_head, ipa, ipa_next); 722 if (ipa->ipa_policy != NULL) 723 TAILQ_REMOVE(&ipa->ipa_policy->ipo_acquires, ipa, 724 ipa_ipo_next); 725 pool_put(&ipsec_acquire_pool, ipa); 726 } 727 728 /* 729 * Find out if there's an ACQUIRE pending. 730 * XXX Need a better structure. 731 */ 732 struct ipsec_acquire * 733 ipsp_pending_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw) 734 { 735 struct ipsec_acquire *ipa; 736 737 TAILQ_FOREACH (ipa, &ipo->ipo_acquires, ipa_ipo_next) { 738 if (!bcmp(gw, &ipa->ipa_addr, gw->sa.sa_len)) 739 return ipa; 740 } 741 742 return NULL; 743 } 744 745 /* 746 * Signal key management that we need an SA. 747 * XXX For outgoing policies, we could try to hold on to the mbuf. 748 */ 749 int 750 ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, 751 union sockaddr_union *laddr, struct sockaddr_encap *ddst, struct mbuf *m) 752 { 753 struct ipsec_acquire *ipa; 754 755 /* 756 * If this is a socket policy, it has to have authentication 757 * information accompanying it --- can't tell key mgmt. to 758 * "find" it for us. This avoids abusing key mgmt. to authenticate 759 * on an application's behalf, even if the application doesn't 760 * have/know (and shouldn't) the appropriate authentication 761 * material (passphrase, private key, etc.) 762 */ 763 if (ipo->ipo_flags & IPSP_POLICY_SOCKET && 764 ipo->ipo_local_auth == NULL) 765 return EINVAL; 766 767 /* Check whether request has been made already. */ 768 if ((ipa = ipsp_pending_acquire(ipo, gw)) != NULL) 769 return 0; 770 771 /* Add request in cache and proceed. */ 772 if (ipsec_acquire_pool_initialized == 0) { 773 ipsec_acquire_pool_initialized = 1; 774 pool_init(&ipsec_acquire_pool, sizeof(struct ipsec_acquire), 775 0, 0, 0, "ipsec acquire", NULL); 776 } 777 778 ipa = pool_get(&ipsec_acquire_pool, 0); 779 if (ipa == NULL) 780 return ENOMEM; 781 782 bzero(ipa, sizeof(struct ipsec_acquire)); 783 bcopy(gw, &ipa->ipa_addr, sizeof(union sockaddr_union)); 784 785 timeout_set(&ipa->ipa_timeout, ipsp_delete_acquire, ipa); 786 787 ipa->ipa_info.sen_len = ipa->ipa_mask.sen_len = SENT_LEN; 788 ipa->ipa_info.sen_family = ipa->ipa_mask.sen_family = PF_KEY; 789 790 /* Just copy the right information. */ 791 switch (ipo->ipo_addr.sen_type) { 792 #ifdef INET 793 case SENT_IP4: 794 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP4; 795 ipa->ipa_info.sen_direction = ipo->ipo_addr.sen_direction; 796 ipa->ipa_mask.sen_direction = ipo->ipo_mask.sen_direction; 797 798 if (ipo->ipo_mask.sen_ip_src.s_addr == INADDR_ANY || 799 ipo->ipo_addr.sen_ip_src.s_addr == INADDR_ANY || 800 ipsp_is_unspecified(ipo->ipo_dst)) { 801 ipa->ipa_info.sen_ip_src = ddst->sen_ip_src; 802 ipa->ipa_mask.sen_ip_src.s_addr = INADDR_BROADCAST; 803 } else { 804 ipa->ipa_info.sen_ip_src = ipo->ipo_addr.sen_ip_src; 805 ipa->ipa_mask.sen_ip_src = ipo->ipo_mask.sen_ip_src; 806 } 807 808 if (ipo->ipo_mask.sen_ip_dst.s_addr == INADDR_ANY || 809 ipo->ipo_addr.sen_ip_dst.s_addr == INADDR_ANY || 810 ipsp_is_unspecified(ipo->ipo_dst)) { 811 ipa->ipa_info.sen_ip_dst = ddst->sen_ip_dst; 812 ipa->ipa_mask.sen_ip_dst.s_addr = INADDR_BROADCAST; 813 } else { 814 ipa->ipa_info.sen_ip_dst = ipo->ipo_addr.sen_ip_dst; 815 ipa->ipa_mask.sen_ip_dst = ipo->ipo_mask.sen_ip_dst; 816 } 817 818 ipa->ipa_info.sen_proto = ipo->ipo_addr.sen_proto; 819 ipa->ipa_mask.sen_proto = ipo->ipo_mask.sen_proto; 820 821 if (ipo->ipo_addr.sen_proto) { 822 ipa->ipa_info.sen_sport = ipo->ipo_addr.sen_sport; 823 ipa->ipa_mask.sen_sport = ipo->ipo_mask.sen_sport; 824 825 ipa->ipa_info.sen_dport = ipo->ipo_addr.sen_dport; 826 ipa->ipa_mask.sen_dport = ipo->ipo_mask.sen_dport; 827 } 828 break; 829 #endif /* INET */ 830 831 #ifdef INET6 832 case SENT_IP6: 833 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP6; 834 ipa->ipa_info.sen_ip6_direction = 835 ipo->ipo_addr.sen_ip6_direction; 836 ipa->ipa_mask.sen_ip6_direction = 837 ipo->ipo_mask.sen_ip6_direction; 838 839 if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_mask.sen_ip6_src) || 840 IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_addr.sen_ip6_src) || 841 ipsp_is_unspecified(ipo->ipo_dst)) { 842 ipa->ipa_info.sen_ip6_src = ddst->sen_ip6_src; 843 ipa->ipa_mask.sen_ip6_src = in6mask128; 844 } else { 845 ipa->ipa_info.sen_ip6_src = ipo->ipo_addr.sen_ip6_src; 846 ipa->ipa_mask.sen_ip6_src = ipo->ipo_mask.sen_ip6_src; 847 } 848 849 if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_mask.sen_ip6_dst) || 850 IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_addr.sen_ip6_dst) || 851 ipsp_is_unspecified(ipo->ipo_dst)) { 852 ipa->ipa_info.sen_ip6_dst = ddst->sen_ip6_dst; 853 ipa->ipa_mask.sen_ip6_dst = in6mask128; 854 } else { 855 ipa->ipa_info.sen_ip6_dst = ipo->ipo_addr.sen_ip6_dst; 856 ipa->ipa_mask.sen_ip6_dst = ipo->ipo_mask.sen_ip6_dst; 857 } 858 859 ipa->ipa_info.sen_ip6_proto = ipo->ipo_addr.sen_ip6_proto; 860 ipa->ipa_mask.sen_ip6_proto = ipo->ipo_mask.sen_ip6_proto; 861 862 if (ipo->ipo_mask.sen_ip6_proto) { 863 ipa->ipa_info.sen_ip6_sport = 864 ipo->ipo_addr.sen_ip6_sport; 865 ipa->ipa_mask.sen_ip6_sport = 866 ipo->ipo_mask.sen_ip6_sport; 867 ipa->ipa_info.sen_ip6_dport = 868 ipo->ipo_addr.sen_ip6_dport; 869 ipa->ipa_mask.sen_ip6_dport = 870 ipo->ipo_mask.sen_ip6_dport; 871 } 872 break; 873 #endif /* INET6 */ 874 875 default: 876 pool_put(&ipsec_acquire_pool, ipa); 877 return 0; 878 } 879 880 timeout_add_sec(&ipa->ipa_timeout, ipsec_expire_acquire); 881 882 TAILQ_INSERT_TAIL(&ipsec_acquire_head, ipa, ipa_next); 883 TAILQ_INSERT_TAIL(&ipo->ipo_acquires, ipa, ipa_ipo_next); 884 ipa->ipa_policy = ipo; 885 886 /* PF_KEYv2 notification message. */ 887 return pfkeyv2_acquire(ipo, gw, laddr, &ipa->ipa_seq, ddst); 888 } 889 890 /* 891 * Deal with PCB security requirements. 892 */ 893 struct tdb * 894 ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, 895 struct tdb *tdbp, struct inpcb *inp, struct ipsec_policy *ipo) 896 { 897 struct ipsec_policy sipon; 898 struct tdb_ident *tdbi; 899 struct m_tag *mtag; 900 struct tdb *tdb = NULL; 901 902 /* Sanity check. */ 903 if (inp == NULL) 904 goto justreturn; 905 906 /* Verify that we need to check for socket policy. */ 907 if ((inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS || 908 inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_NONE) && 909 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS || 910 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_NONE) && 911 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS || 912 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_NONE)) 913 goto justreturn; 914 915 switch (direction) { 916 case IPSP_DIRECTION_IN: 917 /* 918 * Some further checking: if the socket has specified 919 * that it will accept unencrypted traffic, don't 920 * bother checking any further -- just accept the packet. 921 */ 922 if ((inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL || 923 inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_USE) && 924 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL || 925 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_USE) && 926 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL || 927 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_USE)) 928 goto justreturn; 929 930 /* Initialize socket policy if unset. */ 931 if (inp->inp_ipo == NULL) { 932 inp->inp_ipo = ipsec_add_policy(inp, af, 933 IPSP_DIRECTION_OUT); 934 if (inp->inp_ipo == NULL) { 935 *error = ENOBUFS; 936 return NULL; 937 } 938 } 939 940 /* 941 * So we *must* have protected traffic. Let's see what 942 * we have received then. 943 */ 944 if (inp->inp_tdb_in != NULL) { 945 if (inp->inp_tdb_in == tdbp) 946 goto justreturn; /* We received packet under a 947 * previously-accepted TDB. */ 948 949 /* 950 * We should be receiving protected traffic, and 951 * have an SA in place, but packet was received 952 * unprotected. Simply discard. 953 */ 954 if (tdbp == NULL) { 955 *error = -EINVAL; 956 return NULL; 957 } 958 959 /* Update, since we may need all the relevant info. */ 960 ipsec_update_policy(inp, inp->inp_ipo, af, 961 IPSP_DIRECTION_OUT); 962 963 /* 964 * Check that the TDB the packet was received under 965 * is acceptable under the socket policy. If so, 966 * accept the packet; otherwise, discard. 967 */ 968 if (tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto && 969 !bcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst, 970 SA_LEN(&tdbp->tdb_src.sa)) && 971 ipsp_aux_match(tdbp, 972 inp->inp_ipo->ipo_srcid, 973 inp->inp_ipo->ipo_dstid, 974 NULL, NULL, 975 &inp->inp_ipo->ipo_addr, 976 &inp->inp_ipo->ipo_mask)) 977 goto justreturn; 978 else { 979 *error = -EINVAL; 980 return NULL; 981 } 982 } else { 983 /* Update, since we may need all the relevant info. */ 984 ipsec_update_policy(inp, inp->inp_ipo, af, 985 IPSP_DIRECTION_OUT); 986 987 /* 988 * If the packet was received under an SA, see if 989 * it's acceptable under socket policy. If it is, 990 * accept the packet. 991 */ 992 if (tdbp != NULL && 993 tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto && 994 !bcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst, 995 SA_LEN(&tdbp->tdb_src.sa)) && 996 ipsp_aux_match(tdbp, 997 inp->inp_ipo->ipo_srcid, 998 inp->inp_ipo->ipo_dstid, 999 NULL, NULL, 1000 &inp->inp_ipo->ipo_addr, 1001 &inp->inp_ipo->ipo_mask)) 1002 goto justreturn; 1003 1004 /* 1005 * If the packet was not received under an SA, or 1006 * if the SA it was received under is not acceptable, 1007 * see if we already have an acceptable SA 1008 * established. If we do, discard packet. 1009 */ 1010 if (inp->inp_ipo->ipo_last_searched <= 1011 ipsec_last_added) { 1012 inp->inp_ipo->ipo_last_searched = time_second; 1013 1014 /* Do we have an SA already established ? */ 1015 if (gettdbbysrc(&inp->inp_ipo->ipo_dst, 1016 inp->inp_ipo->ipo_sproto, 1017 inp->inp_ipo->ipo_srcid, 1018 inp->inp_ipo->ipo_dstid, m, af, 1019 &inp->inp_ipo->ipo_addr, 1020 &inp->inp_ipo->ipo_mask) != NULL) { 1021 *error = -EINVAL; 1022 return NULL; 1023 } 1024 /* Fall through */ 1025 } 1026 1027 /* 1028 * If we don't have an appropriate SA, acquire one 1029 * and discard the packet. 1030 */ 1031 ipsp_acquire_sa(inp->inp_ipo, &inp->inp_ipo->ipo_dst, 1032 &inp->inp_ipo->ipo_src, &inp->inp_ipo->ipo_addr, m); 1033 *error = -EINVAL; 1034 return NULL; 1035 } 1036 1037 break; 1038 1039 case IPSP_DIRECTION_OUT: 1040 /* Do we have a cached entry ? */ 1041 if (inp->inp_tdb_out != NULL) { 1042 /* 1043 * If we also have to apply a different TDB as 1044 * a result of a system-wide policy, add a tag 1045 * to the packet. 1046 */ 1047 if (ipo != NULL && m != NULL && 1048 ipo->ipo_tdb != NULL && 1049 ipo->ipo_tdb != inp->inp_tdb_out) { 1050 tdb = inp->inp_tdb_out; 1051 goto tagandreturn; 1052 } else 1053 return inp->inp_tdb_out; 1054 } 1055 1056 /* 1057 * We need to either find an SA with the appropriate 1058 * characteristics and link it to the PCB, or acquire 1059 * one. 1060 */ 1061 /* XXX Only support one policy/protocol for now. */ 1062 if (inp->inp_ipo != NULL) { 1063 if (inp->inp_ipo->ipo_last_searched <= 1064 ipsec_last_added) { 1065 inp->inp_ipo->ipo_last_searched = time_second; 1066 1067 /* Update, just in case. */ 1068 ipsec_update_policy(inp, inp->inp_ipo, af, 1069 IPSP_DIRECTION_OUT); 1070 1071 tdb = gettdbbyaddr(&inp->inp_ipo->ipo_dst, 1072 inp->inp_ipo->ipo_sproto, 1073 inp->inp_ipo->ipo_srcid, 1074 inp->inp_ipo->ipo_dstid, 1075 inp->inp_ipo->ipo_local_cred, m, af, 1076 &inp->inp_ipo->ipo_addr, 1077 &inp->inp_ipo->ipo_mask); 1078 } 1079 } else { 1080 /* 1081 * Construct a pseudo-policy, with just the necessary 1082 * fields. 1083 */ 1084 ipsec_update_policy(inp, &sipon, af, 1085 IPSP_DIRECTION_OUT); 1086 1087 tdb = gettdbbyaddr(&sipon.ipo_dst, IPPROTO_ESP, NULL, 1088 NULL, NULL, m, af, &sipon.ipo_addr, 1089 &sipon.ipo_mask); 1090 } 1091 1092 /* If we found an appropriate SA... */ 1093 if (tdb != NULL) { 1094 tdb_add_inp(tdb, inp, 0); /* Latch onto PCB. */ 1095 1096 if (ipo != NULL && ipo->ipo_tdb != NULL && 1097 ipo->ipo_tdb != inp->inp_tdb_out && m != NULL) 1098 goto tagandreturn; 1099 else 1100 return tdb; 1101 } else { 1102 /* Do we need to acquire one ? */ 1103 switch (inp->inp_seclevel[SL_ESP_TRANS]) { 1104 case IPSEC_LEVEL_BYPASS: 1105 case IPSEC_LEVEL_AVAIL: 1106 /* No need to do anything. */ 1107 goto justreturn; 1108 case IPSEC_LEVEL_USE: 1109 case IPSEC_LEVEL_REQUIRE: 1110 case IPSEC_LEVEL_UNIQUE: 1111 /* Initialize socket policy if unset. */ 1112 if (inp->inp_ipo == NULL) { 1113 inp->inp_ipo = ipsec_add_policy(inp, af, IPSP_DIRECTION_OUT); 1114 if (inp->inp_ipo == NULL) { 1115 *error = ENOBUFS; 1116 return NULL; 1117 } 1118 } 1119 1120 /* Acquire a new SA. */ 1121 if ((*error = ipsp_acquire_sa(inp->inp_ipo, 1122 &inp->inp_ipo->ipo_dst, 1123 &inp->inp_ipo->ipo_src, 1124 &inp->inp_ipo->ipo_addr, m)) == 0) 1125 *error = -EINVAL; 1126 1127 return NULL; 1128 default: 1129 DPRINTF(("ipsp_spd_inp: unknown sock security" 1130 " level %d", 1131 inp->inp_seclevel[SL_ESP_TRANS])); 1132 *error = -EINVAL; 1133 return NULL; 1134 } 1135 } 1136 break; 1137 1138 default: /* Should never happen. */ 1139 *error = -EINVAL; 1140 return NULL; 1141 } 1142 1143 tagandreturn: 1144 if (tdb == NULL) 1145 goto justreturn; 1146 1147 mtag = m_tag_get(PACKET_TAG_IPSEC_PENDING_TDB, 1148 sizeof (struct tdb_ident), M_NOWAIT); 1149 if (mtag == NULL) { 1150 *error = ENOMEM; 1151 return NULL; 1152 } 1153 1154 tdbi = (struct tdb_ident *)(mtag + 1); 1155 tdbi->spi = ipo->ipo_tdb->tdb_spi; 1156 tdbi->proto = ipo->ipo_tdb->tdb_sproto; 1157 bcopy(&ipo->ipo_tdb->tdb_dst, &tdbi->dst, 1158 ipo->ipo_tdb->tdb_dst.sa.sa_len); 1159 m_tag_prepend(m, mtag); 1160 return tdb; 1161 1162 justreturn: 1163 if (ipo != NULL) 1164 return ipo->ipo_tdb; 1165 else 1166 return NULL; 1167 } 1168 1169 /* 1170 * Find a pending ACQUIRE record based on its sequence number. 1171 * XXX Need to use a better data structure. 1172 */ 1173 struct ipsec_acquire * 1174 ipsec_get_acquire(u_int32_t seq) 1175 { 1176 struct ipsec_acquire *ipa; 1177 1178 TAILQ_FOREACH (ipa, &ipsec_acquire_head, ipa_next) 1179 if (ipa->ipa_seq == seq) 1180 return ipa; 1181 1182 return NULL; 1183 } 1184