1 /* $OpenBSD: ip_spd.c,v 1.59 2009/01/27 22:40:10 bluhm Exp $ */ 2 /* 3 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) 4 * 5 * Copyright (c) 2000-2001 Angelos D. Keromytis. 6 * 7 * Permission to use, copy, and modify this software with or without fee 8 * is hereby granted, provided that this entire notice is included in 9 * all copies of any software which is or includes a copy or 10 * modification of this software. 11 * You may use this code under the GNU public license if you so wish. Please 12 * contribute changes back to the authors under this freer than GPL license 13 * so that we may further the use of strong encryption without limitations to 14 * all. 15 * 16 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 17 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 18 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 19 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 20 * PURPOSE. 21 */ 22 23 #include <sys/param.h> 24 #include <sys/systm.h> 25 #include <sys/mbuf.h> 26 #include <sys/socket.h> 27 #include <sys/kernel.h> 28 #include <sys/socketvar.h> 29 #include <sys/protosw.h> 30 #include <sys/pool.h> 31 32 #include <net/if.h> 33 #include <net/route.h> 34 #include <net/netisr.h> 35 36 #ifdef INET 37 #include <netinet/in.h> 38 #include <netinet/in_systm.h> 39 #include <netinet/ip.h> 40 #include <netinet/in_pcb.h> 41 #include <netinet/in_var.h> 42 #endif /* INET */ 43 44 #ifdef INET6 45 #ifndef INET 46 #include <netinet/in.h> 47 #endif 48 #include <netinet6/in6_var.h> 49 #endif /* INET6 */ 50 51 #include <netinet/ip_ipsp.h> 52 #include <net/pfkeyv2.h> 53 54 #ifdef ENCDEBUG 55 #define DPRINTF(x) if (encdebug) printf x 56 #else 57 #define DPRINTF(x) 58 #endif 59 60 struct pool ipsec_policy_pool; 61 struct pool ipsec_acquire_pool; 62 int ipsec_policy_pool_initialized = 0; 63 int ipsec_acquire_pool_initialized = 0; 64 65 /* 66 * Lookup at the SPD based on the headers contained on the mbuf. The second 67 * argument indicates what protocol family the header at the beginning of 68 * the mbuf is. hlen is the offset of the transport protocol header 69 * in the mbuf. 70 * 71 * Return combinations (of return value and in *error): 72 * - NULL/0 -> no IPsec required on packet 73 * - NULL/-EINVAL -> silently drop the packet 74 * - NULL/errno -> drop packet and return error 75 * or a pointer to a TDB (and 0 in *error). 76 * 77 * In the case of incoming flows, only the first three combinations are 78 * returned. 79 */ 80 struct tdb * 81 ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, 82 struct tdb *tdbp, struct inpcb *inp) 83 { 84 struct route_enc re0, *re = &re0; 85 union sockaddr_union sdst, ssrc; 86 struct sockaddr_encap *ddst; 87 struct ipsec_policy *ipo; 88 int signore = 0, dignore = 0; 89 90 /* 91 * If there are no flows in place, there's no point 92 * continuing with the SPD lookup. 93 */ 94 if (!ipsec_in_use && inp == NULL) { 95 *error = 0; 96 return NULL; 97 } 98 99 /* 100 * If an input packet is destined to a BYPASS socket, just accept it. 101 */ 102 if ((inp != NULL) && (direction == IPSP_DIRECTION_IN) && 103 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 104 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) && 105 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 106 *error = 0; 107 return NULL; 108 } 109 110 bzero((caddr_t) re, sizeof(struct route_enc)); 111 bzero((caddr_t) &sdst, sizeof(union sockaddr_union)); 112 bzero((caddr_t) &ssrc, sizeof(union sockaddr_union)); 113 ddst = (struct sockaddr_encap *) &re->re_dst; 114 ddst->sen_family = PF_KEY; 115 ddst->sen_len = SENT_LEN; 116 117 switch (af) { 118 #ifdef INET 119 case AF_INET: 120 if (hlen < sizeof (struct ip) || m->m_pkthdr.len < hlen) { 121 *error = EINVAL; 122 return NULL; 123 } 124 ddst->sen_direction = direction; 125 ddst->sen_type = SENT_IP4; 126 127 m_copydata(m, offsetof(struct ip, ip_src), 128 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_src)); 129 m_copydata(m, offsetof(struct ip, ip_dst), 130 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_dst)); 131 m_copydata(m, offsetof(struct ip, ip_p), sizeof(u_int8_t), 132 (caddr_t) &(ddst->sen_proto)); 133 134 sdst.sin.sin_family = ssrc.sin.sin_family = AF_INET; 135 sdst.sin.sin_len = ssrc.sin.sin_len = 136 sizeof(struct sockaddr_in); 137 ssrc.sin.sin_addr = ddst->sen_ip_src; 138 sdst.sin.sin_addr = ddst->sen_ip_dst; 139 140 /* 141 * If TCP/UDP, extract the port numbers to use in the lookup. 142 */ 143 switch (ddst->sen_proto) { 144 case IPPROTO_UDP: 145 case IPPROTO_TCP: 146 /* Make sure there's enough data in the packet. */ 147 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 148 *error = EINVAL; 149 return NULL; 150 } 151 152 /* 153 * Luckily, the offset of the src/dst ports in 154 * both the UDP and TCP headers is the same (first 155 * two 16-bit values in the respective headers), 156 * so we can just copy them. 157 */ 158 m_copydata(m, hlen, sizeof(u_int16_t), 159 (caddr_t) &(ddst->sen_sport)); 160 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 161 (caddr_t) &(ddst->sen_dport)); 162 break; 163 164 default: 165 ddst->sen_sport = 0; 166 ddst->sen_dport = 0; 167 } 168 169 break; 170 #endif /* INET */ 171 172 #ifdef INET6 173 case AF_INET6: 174 if (hlen < sizeof (struct ip6_hdr) || m->m_pkthdr.len < hlen) { 175 *error = EINVAL; 176 return NULL; 177 } 178 ddst->sen_type = SENT_IP6; 179 ddst->sen_ip6_direction = direction; 180 181 m_copydata(m, offsetof(struct ip6_hdr, ip6_src), 182 sizeof(struct in6_addr), 183 (caddr_t) &(ddst->sen_ip6_src)); 184 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 185 sizeof(struct in6_addr), 186 (caddr_t) &(ddst->sen_ip6_dst)); 187 m_copydata(m, offsetof(struct ip6_hdr, ip6_nxt), 188 sizeof(u_int8_t), 189 (caddr_t) &(ddst->sen_ip6_proto)); 190 191 sdst.sin6.sin6_family = ssrc.sin6.sin6_family = AF_INET6; 192 sdst.sin6.sin6_len = ssrc.sin6.sin6_len = 193 sizeof(struct sockaddr_in6); 194 in6_recoverscope(&ssrc.sin6, &ddst->sen_ip6_src, NULL); 195 in6_recoverscope(&sdst.sin6, &ddst->sen_ip6_dst, NULL); 196 197 /* 198 * If TCP/UDP, extract the port numbers to use in the lookup. 199 */ 200 switch (ddst->sen_ip6_proto) { 201 case IPPROTO_UDP: 202 case IPPROTO_TCP: 203 /* Make sure there's enough data in the packet. */ 204 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 205 *error = EINVAL; 206 return NULL; 207 } 208 209 /* 210 * Luckily, the offset of the src/dst ports in 211 * both the UDP and TCP headers is the same 212 * (first two 16-bit values in the respective 213 * headers), so we can just copy them. 214 */ 215 m_copydata(m, hlen, sizeof(u_int16_t), 216 (caddr_t) &(ddst->sen_ip6_sport)); 217 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 218 (caddr_t) &(ddst->sen_ip6_dport)); 219 break; 220 221 default: 222 ddst->sen_ip6_sport = 0; 223 ddst->sen_ip6_dport = 0; 224 } 225 226 break; 227 #endif /* INET6 */ 228 229 default: 230 *error = EAFNOSUPPORT; 231 return NULL; 232 } 233 234 /* Actual SPD lookup. */ 235 rtalloc((struct route *) re); 236 if (re->re_rt == NULL) { 237 /* 238 * Return whatever the socket requirements are, there are no 239 * system-wide policies. 240 */ 241 *error = 0; 242 return ipsp_spd_inp(m, af, hlen, error, direction, 243 tdbp, inp, NULL); 244 } 245 246 /* Sanity check. */ 247 if ((re->re_rt->rt_gateway == NULL) || 248 (((struct sockaddr_encap *) re->re_rt->rt_gateway)->sen_type != 249 SENT_IPSP)) { 250 RTFREE(re->re_rt); 251 *error = EHOSTUNREACH; 252 DPRINTF(("ip_spd_lookup: no gateway in SPD entry!")); 253 return NULL; 254 } 255 256 ipo = ((struct sockaddr_encap *) (re->re_rt->rt_gateway))->sen_ipsp; 257 RTFREE(re->re_rt); 258 if (ipo == NULL) { 259 *error = EHOSTUNREACH; 260 DPRINTF(("ip_spd_lookup: no policy attached to SPD entry!")); 261 return NULL; 262 } 263 264 switch (ipo->ipo_type) { 265 case IPSP_PERMIT: 266 *error = 0; 267 return ipsp_spd_inp(m, af, hlen, error, direction, tdbp, 268 inp, ipo); 269 270 case IPSP_DENY: 271 *error = EHOSTUNREACH; 272 return NULL; 273 274 case IPSP_IPSEC_USE: 275 case IPSP_IPSEC_ACQUIRE: 276 case IPSP_IPSEC_REQUIRE: 277 case IPSP_IPSEC_DONTACQ: 278 /* Nothing more needed here. */ 279 break; 280 281 default: 282 *error = EINVAL; 283 return NULL; 284 } 285 286 /* Check for non-specific destination in the policy. */ 287 switch (ipo->ipo_dst.sa.sa_family) { 288 #ifdef INET 289 case AF_INET: 290 if ((ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_ANY) || 291 (ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_BROADCAST)) 292 dignore = 1; 293 break; 294 #endif /* INET */ 295 296 #ifdef INET6 297 case AF_INET6: 298 if ((IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_dst.sin6.sin6_addr)) || 299 (bcmp(&ipo->ipo_dst.sin6.sin6_addr, &in6mask128, 300 sizeof(in6mask128)) == 0)) 301 dignore = 1; 302 break; 303 #endif /* INET6 */ 304 } 305 306 /* Likewise for source. */ 307 switch (ipo->ipo_src.sa.sa_family) { 308 #ifdef INET 309 case AF_INET: 310 if (ipo->ipo_src.sin.sin_addr.s_addr == INADDR_ANY) 311 signore = 1; 312 break; 313 #endif /* INET */ 314 315 #ifdef INET6 316 case AF_INET6: 317 if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_src.sin6.sin6_addr)) 318 signore = 1; 319 break; 320 #endif /* INET6 */ 321 } 322 323 /* Do we have a cached entry ? If so, check if it's still valid. */ 324 if ((ipo->ipo_tdb) && (ipo->ipo_tdb->tdb_flags & TDBF_INVALID)) { 325 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 326 ipo_tdb_next); 327 ipo->ipo_tdb = NULL; 328 } 329 330 /* Outgoing packet policy check. */ 331 if (direction == IPSP_DIRECTION_OUT) { 332 /* 333 * If the packet is destined for the policy-specified 334 * gateway/endhost, and the socket has the BYPASS 335 * option set, skip IPsec processing. 336 */ 337 if ((inp != NULL) && 338 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 339 (inp->inp_seclevel[SL_ESP_NETWORK] == 340 IPSEC_LEVEL_BYPASS) && 341 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 342 /* Direct match. */ 343 if (dignore || 344 !bcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) { 345 *error = 0; 346 return NULL; 347 } 348 } 349 350 /* Check that the cached TDB (if present), is appropriate. */ 351 if (ipo->ipo_tdb) { 352 if ((ipo->ipo_last_searched <= ipsec_last_added) || 353 (ipo->ipo_sproto != ipo->ipo_tdb->tdb_sproto) || 354 bcmp(dignore ? &sdst : &ipo->ipo_dst, 355 &ipo->ipo_tdb->tdb_dst, 356 ipo->ipo_tdb->tdb_dst.sa.sa_len)) 357 goto nomatchout; 358 359 if (!ipsp_aux_match(ipo->ipo_tdb, 360 ipo->ipo_srcid, ipo->ipo_dstid, 361 ipo->ipo_local_cred, NULL, 362 &ipo->ipo_addr, &ipo->ipo_mask)) 363 goto nomatchout; 364 365 /* Cached entry is good. */ 366 *error = 0; 367 return ipsp_spd_inp(m, af, hlen, error, direction, 368 tdbp, inp, ipo); 369 370 nomatchout: 371 /* Cached TDB was not good. */ 372 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 373 ipo_tdb_next); 374 ipo->ipo_tdb = NULL; 375 ipo->ipo_last_searched = 0; 376 } 377 378 /* 379 * If no SA has been added since the last time we did a 380 * lookup, there's no point searching for one. However, if the 381 * destination gateway is left unspecified (or is all-1's), 382 * always lookup since this is a generic-match rule 383 * (otherwise, we can have situations where SAs to some 384 * destinations exist but are not used, possibly leading to an 385 * explosion in the number of acquired SAs). 386 */ 387 if (ipo->ipo_last_searched <= ipsec_last_added) { 388 /* "Touch" the entry. */ 389 if (dignore == 0) 390 ipo->ipo_last_searched = time_second; 391 392 /* Find an appropriate SA from the existing ones. */ 393 ipo->ipo_tdb = 394 gettdbbyaddr(dignore ? &sdst : &ipo->ipo_dst, 395 ipo->ipo_sproto, ipo->ipo_srcid, 396 ipo->ipo_dstid, ipo->ipo_local_cred, m, af, 397 &ipo->ipo_addr, &ipo->ipo_mask); 398 if (ipo->ipo_tdb) { 399 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 400 ipo, ipo_tdb_next); 401 *error = 0; 402 return ipsp_spd_inp(m, af, hlen, error, 403 direction, tdbp, inp, ipo); 404 } 405 } 406 407 /* So, we don't have an SA -- just a policy. */ 408 switch (ipo->ipo_type) { 409 case IPSP_IPSEC_REQUIRE: 410 /* Acquire SA through key management. */ 411 if (ipsp_acquire_sa(ipo, 412 dignore ? &sdst : &ipo->ipo_dst, 413 signore ? NULL : &ipo->ipo_src, ddst, m) != 0) { 414 *error = EACCES; 415 return NULL; 416 } 417 418 /* FALLTHROUGH */ 419 case IPSP_IPSEC_DONTACQ: 420 *error = -EINVAL; /* Silently drop packet. */ 421 return NULL; 422 423 case IPSP_IPSEC_ACQUIRE: 424 /* Acquire SA through key management. */ 425 ipsp_acquire_sa(ipo, dignore ? &sdst : &ipo->ipo_dst, 426 signore ? NULL : &ipo->ipo_src, ddst, NULL); 427 428 /* FALLTHROUGH */ 429 case IPSP_IPSEC_USE: 430 *error = 0; 431 return ipsp_spd_inp(m, af, hlen, error, direction, 432 tdbp, inp, ipo); 433 } 434 } else { /* IPSP_DIRECTION_IN */ 435 if (tdbp != NULL) { 436 /* Direct match in the cache. */ 437 if (ipo->ipo_tdb == tdbp) { 438 *error = 0; 439 return ipsp_spd_inp(m, af, hlen, error, 440 direction, tdbp, inp, ipo); 441 } 442 443 if (bcmp(dignore ? &ssrc : &ipo->ipo_dst, 444 &tdbp->tdb_src, tdbp->tdb_src.sa.sa_len) || 445 (ipo->ipo_sproto != tdbp->tdb_sproto)) 446 goto nomatchin; 447 448 /* Match source ID. */ 449 if (ipo->ipo_srcid) { 450 if (tdbp->tdb_dstid == NULL || 451 !ipsp_ref_match(ipo->ipo_srcid, 452 tdbp->tdb_dstid)) 453 goto nomatchin; 454 } 455 456 /* Match destination ID. */ 457 if (ipo->ipo_dstid) { 458 if (tdbp->tdb_srcid == NULL || 459 !ipsp_ref_match(ipo->ipo_dstid, 460 tdbp->tdb_srcid)) 461 goto nomatchin; 462 } 463 464 /* Add it to the cache. */ 465 if (ipo->ipo_tdb) 466 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, 467 ipo, ipo_tdb_next); 468 ipo->ipo_tdb = tdbp; 469 TAILQ_INSERT_TAIL(&tdbp->tdb_policy_head, ipo, 470 ipo_tdb_next); 471 *error = 0; 472 return ipsp_spd_inp(m, af, hlen, error, direction, 473 tdbp, inp, ipo); 474 475 nomatchin: /* Nothing needed here, falling through */ 476 ; 477 } 478 479 /* Check whether cached entry applies. */ 480 if (ipo->ipo_tdb) { 481 /* 482 * We only need to check that the correct 483 * security protocol and security gateway are 484 * set; credentials/IDs will be the same, 485 * since the cached entry is linked on this 486 * policy. 487 */ 488 if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto && 489 !bcmp(&ipo->ipo_tdb->tdb_src, 490 dignore ? &ssrc : &ipo->ipo_dst, 491 ipo->ipo_tdb->tdb_src.sa.sa_len)) 492 goto skipinputsearch; 493 494 /* Not applicable, unlink. */ 495 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 496 ipo_tdb_next); 497 ipo->ipo_last_searched = 0; 498 ipo->ipo_tdb = NULL; 499 } 500 501 /* Find whether there exists an appropriate SA. */ 502 if (ipo->ipo_last_searched <= ipsec_last_added) { 503 if (dignore == 0) 504 ipo->ipo_last_searched = time_second; 505 506 ipo->ipo_tdb = 507 gettdbbysrc(dignore ? &ssrc : &ipo->ipo_dst, 508 ipo->ipo_sproto, ipo->ipo_srcid, 509 ipo->ipo_dstid, m, af, &ipo->ipo_addr, 510 &ipo->ipo_mask); 511 if (ipo->ipo_tdb) 512 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 513 ipo, ipo_tdb_next); 514 } 515 skipinputsearch: 516 517 switch (ipo->ipo_type) { 518 case IPSP_IPSEC_REQUIRE: 519 /* If appropriate SA exists, don't acquire another. */ 520 if (ipo->ipo_tdb) { 521 *error = -EINVAL; 522 return NULL; 523 } 524 525 /* Acquire SA through key management. */ 526 if ((*error = ipsp_acquire_sa(ipo, 527 dignore ? &ssrc : &ipo->ipo_dst, 528 signore ? NULL : &ipo->ipo_src, ddst, m)) != 0) 529 return NULL; 530 531 /* FALLTHROUGH */ 532 case IPSP_IPSEC_DONTACQ: 533 /* Drop packet. */ 534 *error = -EINVAL; 535 return NULL; 536 537 case IPSP_IPSEC_ACQUIRE: 538 /* If appropriate SA exists, don't acquire another. */ 539 if (ipo->ipo_tdb) { 540 *error = 0; 541 return ipsp_spd_inp(m, af, hlen, error, 542 direction, tdbp, inp, ipo); 543 } 544 545 /* Acquire SA through key management. */ 546 ipsp_acquire_sa(ipo, dignore ? &ssrc : &ipo->ipo_dst, 547 signore ? NULL : &ipo->ipo_src, ddst, NULL); 548 549 /* FALLTHROUGH */ 550 case IPSP_IPSEC_USE: 551 *error = 0; 552 return ipsp_spd_inp(m, af, hlen, error, direction, 553 tdbp, inp, ipo); 554 } 555 } 556 557 /* Shouldn't ever get this far. */ 558 *error = EINVAL; 559 return NULL; 560 } 561 562 /* 563 * Delete a policy from the SPD. 564 */ 565 int 566 ipsec_delete_policy(struct ipsec_policy *ipo) 567 { 568 struct rt_addrinfo info; 569 struct ipsec_acquire *ipa; 570 int err = 0; 571 572 if (--ipo->ipo_ref_count > 0) 573 return 0; 574 575 /* Delete from SPD. */ 576 if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) { 577 bzero(&info, sizeof(info)); 578 info.rti_info[RTAX_DST] = (struct sockaddr *)&ipo->ipo_addr; 579 info.rti_info[RTAX_NETMASK] = (struct sockaddr *)&ipo->ipo_mask; 580 581 /* XXX other tables? */ 582 err = rtrequest1(RTM_DELETE, &info, RTP_DEFAULT, NULL, 0); 583 } 584 if (ipo->ipo_tdb != NULL) 585 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 586 ipo_tdb_next); 587 588 while ((ipa = TAILQ_FIRST(&ipo->ipo_acquires)) != NULL) 589 ipsp_delete_acquire(ipa); 590 591 TAILQ_REMOVE(&ipsec_policy_head, ipo, ipo_list); 592 593 if (ipo->ipo_srcid) 594 ipsp_reffree(ipo->ipo_srcid); 595 if (ipo->ipo_dstid) 596 ipsp_reffree(ipo->ipo_dstid); 597 if (ipo->ipo_local_cred) 598 ipsp_reffree(ipo->ipo_local_cred); 599 if (ipo->ipo_local_auth) 600 ipsp_reffree(ipo->ipo_local_auth); 601 602 pool_put(&ipsec_policy_pool, ipo); 603 604 if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) 605 ipsec_in_use--; 606 607 return err; 608 } 609 610 /* 611 * Add a policy to the SPD. 612 */ 613 struct ipsec_policy * 614 ipsec_add_policy(struct inpcb *inp, int af, int direction) 615 { 616 struct ipsec_policy *ipon; 617 618 if (ipsec_policy_pool_initialized == 0) { 619 ipsec_policy_pool_initialized = 1; 620 pool_init(&ipsec_policy_pool, sizeof(struct ipsec_policy), 621 0, 0, 0, "ipsec policy", NULL); 622 } 623 624 ipon = pool_get(&ipsec_policy_pool, PR_NOWAIT); 625 if (ipon == NULL) 626 return NULL; 627 628 bzero(ipon, sizeof(struct ipsec_policy)); 629 630 ipon->ipo_ref_count = 1; 631 ipon->ipo_flags |= IPSP_POLICY_SOCKET; 632 633 ipon->ipo_type = IPSP_IPSEC_REQUIRE; /* XXX */ 634 635 /* XXX 636 * We should actually be creating a linked list of 637 * policies (for tunnel/transport and ESP/AH), as needed. 638 */ 639 ipon->ipo_sproto = IPPROTO_ESP; 640 641 TAILQ_INIT(&ipon->ipo_acquires); 642 TAILQ_INSERT_HEAD(&ipsec_policy_head, ipon, ipo_list); 643 644 ipsec_update_policy(inp, ipon, af, direction); 645 646 return ipon; 647 } 648 649 /* 650 * Update a PCB-attached policy. 651 */ 652 void 653 ipsec_update_policy(struct inpcb *inp, struct ipsec_policy *ipon, int af, 654 int direction) 655 { 656 ipon->ipo_addr.sen_len = ipon->ipo_mask.sen_len = SENT_LEN; 657 ipon->ipo_addr.sen_family = ipon->ipo_mask.sen_family = PF_KEY; 658 ipon->ipo_src.sa.sa_family = ipon->ipo_dst.sa.sa_family = af; 659 660 switch (af) { 661 case AF_INET: 662 #ifdef INET 663 ipon->ipo_addr.sen_type = ipon->ipo_mask.sen_type = SENT_IP4; 664 ipon->ipo_addr.sen_ip_src = inp->inp_laddr; 665 ipon->ipo_addr.sen_ip_dst = inp->inp_faddr; 666 ipon->ipo_addr.sen_sport = inp->inp_lport; 667 ipon->ipo_addr.sen_dport = inp->inp_fport; 668 ipon->ipo_addr.sen_proto = 669 inp->inp_socket->so_proto->pr_protocol; 670 ipon->ipo_addr.sen_direction = direction; 671 672 ipon->ipo_mask.sen_ip_src.s_addr = 0xffffffff; 673 ipon->ipo_mask.sen_ip_dst.s_addr = 0xffffffff; 674 ipon->ipo_mask.sen_sport = ipon->ipo_mask.sen_dport = 0xffff; 675 ipon->ipo_mask.sen_proto = 0xff; 676 ipon->ipo_mask.sen_direction = direction; 677 678 ipon->ipo_src.sa.sa_len = sizeof(struct sockaddr_in); 679 ipon->ipo_dst.sa.sa_len = sizeof(struct sockaddr_in); 680 ipon->ipo_src.sin.sin_addr = inp->inp_laddr; 681 ipon->ipo_dst.sin.sin_addr = inp->inp_faddr; 682 #endif /* INET */ 683 break; 684 685 case AF_INET6: 686 #ifdef INET6 687 ipon->ipo_addr.sen_type = ipon->ipo_mask.sen_type = SENT_IP6; 688 ipon->ipo_addr.sen_ip6_src = inp->inp_laddr6; 689 ipon->ipo_addr.sen_ip6_dst = inp->inp_faddr6; 690 ipon->ipo_addr.sen_ip6_sport = inp->inp_lport; 691 ipon->ipo_addr.sen_ip6_dport = inp->inp_fport; 692 ipon->ipo_addr.sen_ip6_proto = 693 inp->inp_socket->so_proto->pr_protocol; 694 ipon->ipo_addr.sen_ip6_direction = direction; 695 696 ipon->ipo_mask.sen_ip6_src = in6mask128; 697 ipon->ipo_mask.sen_ip6_dst = in6mask128; 698 ipon->ipo_mask.sen_ip6_sport = 0xffff; 699 ipon->ipo_mask.sen_ip6_dport = 0xffff; 700 ipon->ipo_mask.sen_ip6_proto = 0xff; 701 ipon->ipo_mask.sen_ip6_direction = direction; 702 703 ipon->ipo_src.sa.sa_len = sizeof(struct sockaddr_in6); 704 ipon->ipo_dst.sa.sa_len = sizeof(struct sockaddr_in6); 705 ipon->ipo_src.sin6.sin6_addr = inp->inp_laddr6; 706 ipon->ipo_dst.sin6.sin6_addr = inp->inp_faddr6; 707 #endif /* INET6 */ 708 break; 709 } 710 } 711 712 /* 713 * Delete a pending IPsec acquire record. 714 */ 715 void 716 ipsp_delete_acquire(void *v) 717 { 718 struct ipsec_acquire *ipa = v; 719 720 timeout_del(&ipa->ipa_timeout); 721 TAILQ_REMOVE(&ipsec_acquire_head, ipa, ipa_next); 722 if (ipa->ipa_policy != NULL) 723 TAILQ_REMOVE(&ipa->ipa_policy->ipo_acquires, ipa, 724 ipa_ipo_next); 725 pool_put(&ipsec_acquire_pool, ipa); 726 } 727 728 /* 729 * Find out if there's an ACQUIRE pending. 730 * XXX Need a better structure. 731 */ 732 struct ipsec_acquire * 733 ipsp_pending_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw) 734 { 735 struct ipsec_acquire *ipa; 736 737 TAILQ_FOREACH (ipa, &ipo->ipo_acquires, ipa_ipo_next) { 738 if (!bcmp(gw, &ipa->ipa_addr, gw->sa.sa_len)) 739 return ipa; 740 } 741 742 return NULL; 743 } 744 745 /* 746 * Signal key management that we need an SA. 747 * XXX For outgoing policies, we could try to hold on to the mbuf. 748 */ 749 int 750 ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, 751 union sockaddr_union *laddr, struct sockaddr_encap *ddst, struct mbuf *m) 752 { 753 struct ipsec_acquire *ipa; 754 755 /* 756 * If this is a socket policy, it has to have authentication 757 * information accompanying it --- can't tell key mgmt. to 758 * "find" it for us. This avoids abusing key mgmt. to authenticate 759 * on an application's behalf, even if the application doesn't 760 * have/know (and shouldn't) the appropriate authentication 761 * material (passphrase, private key, etc.) 762 */ 763 if (ipo->ipo_flags & IPSP_POLICY_SOCKET && 764 ipo->ipo_local_auth == NULL) 765 return EINVAL; 766 767 /* Check whether request has been made already. */ 768 if ((ipa = ipsp_pending_acquire(ipo, gw)) != NULL) 769 return 0; 770 771 /* Add request in cache and proceed. */ 772 if (ipsec_acquire_pool_initialized == 0) { 773 ipsec_acquire_pool_initialized = 1; 774 pool_init(&ipsec_acquire_pool, sizeof(struct ipsec_acquire), 775 0, 0, 0, "ipsec acquire", NULL); 776 } 777 778 ipa = pool_get(&ipsec_acquire_pool, 0); 779 if (ipa == NULL) 780 return ENOMEM; 781 782 bzero(ipa, sizeof(struct ipsec_acquire)); 783 bcopy(gw, &ipa->ipa_addr, sizeof(union sockaddr_union)); 784 785 timeout_set(&ipa->ipa_timeout, ipsp_delete_acquire, ipa); 786 787 ipa->ipa_info.sen_len = ipa->ipa_mask.sen_len = SENT_LEN; 788 ipa->ipa_info.sen_family = ipa->ipa_mask.sen_family = PF_KEY; 789 790 /* Just copy the right information. */ 791 switch (ipo->ipo_addr.sen_type) { 792 #ifdef INET 793 case SENT_IP4: 794 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP4; 795 ipa->ipa_info.sen_direction = ipo->ipo_addr.sen_direction; 796 ipa->ipa_mask.sen_direction = ipo->ipo_mask.sen_direction; 797 798 if (ipsp_is_unspecified(ipo->ipo_dst)) { 799 ipa->ipa_info.sen_ip_src = ddst->sen_ip_src; 800 ipa->ipa_mask.sen_ip_src.s_addr = INADDR_BROADCAST; 801 } else { 802 ipa->ipa_info.sen_ip_src = ipo->ipo_addr.sen_ip_src; 803 ipa->ipa_mask.sen_ip_src = ipo->ipo_mask.sen_ip_src; 804 } 805 806 if (ipsp_is_unspecified(ipo->ipo_dst)) { 807 ipa->ipa_info.sen_ip_dst = ddst->sen_ip_dst; 808 ipa->ipa_mask.sen_ip_dst.s_addr = INADDR_BROADCAST; 809 } else { 810 ipa->ipa_info.sen_ip_dst = ipo->ipo_addr.sen_ip_dst; 811 ipa->ipa_mask.sen_ip_dst = ipo->ipo_mask.sen_ip_dst; 812 } 813 814 ipa->ipa_info.sen_proto = ipo->ipo_addr.sen_proto; 815 ipa->ipa_mask.sen_proto = ipo->ipo_mask.sen_proto; 816 817 if (ipo->ipo_addr.sen_proto) { 818 ipa->ipa_info.sen_sport = ipo->ipo_addr.sen_sport; 819 ipa->ipa_mask.sen_sport = ipo->ipo_mask.sen_sport; 820 821 ipa->ipa_info.sen_dport = ipo->ipo_addr.sen_dport; 822 ipa->ipa_mask.sen_dport = ipo->ipo_mask.sen_dport; 823 } 824 break; 825 #endif /* INET */ 826 827 #ifdef INET6 828 case SENT_IP6: 829 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP6; 830 ipa->ipa_info.sen_ip6_direction = 831 ipo->ipo_addr.sen_ip6_direction; 832 ipa->ipa_mask.sen_ip6_direction = 833 ipo->ipo_mask.sen_ip6_direction; 834 835 if (ipsp_is_unspecified(ipo->ipo_dst)) { 836 ipa->ipa_info.sen_ip6_src = ddst->sen_ip6_src; 837 ipa->ipa_mask.sen_ip6_src = in6mask128; 838 } else { 839 ipa->ipa_info.sen_ip6_src = ipo->ipo_addr.sen_ip6_src; 840 ipa->ipa_mask.sen_ip6_src = ipo->ipo_mask.sen_ip6_src; 841 } 842 843 if (ipsp_is_unspecified(ipo->ipo_dst)) { 844 ipa->ipa_info.sen_ip6_dst = ddst->sen_ip6_dst; 845 ipa->ipa_mask.sen_ip6_dst = in6mask128; 846 } else { 847 ipa->ipa_info.sen_ip6_dst = ipo->ipo_addr.sen_ip6_dst; 848 ipa->ipa_mask.sen_ip6_dst = ipo->ipo_mask.sen_ip6_dst; 849 } 850 851 ipa->ipa_info.sen_ip6_proto = ipo->ipo_addr.sen_ip6_proto; 852 ipa->ipa_mask.sen_ip6_proto = ipo->ipo_mask.sen_ip6_proto; 853 854 if (ipo->ipo_mask.sen_ip6_proto) { 855 ipa->ipa_info.sen_ip6_sport = 856 ipo->ipo_addr.sen_ip6_sport; 857 ipa->ipa_mask.sen_ip6_sport = 858 ipo->ipo_mask.sen_ip6_sport; 859 ipa->ipa_info.sen_ip6_dport = 860 ipo->ipo_addr.sen_ip6_dport; 861 ipa->ipa_mask.sen_ip6_dport = 862 ipo->ipo_mask.sen_ip6_dport; 863 } 864 break; 865 #endif /* INET6 */ 866 867 default: 868 pool_put(&ipsec_acquire_pool, ipa); 869 return 0; 870 } 871 872 timeout_add_sec(&ipa->ipa_timeout, ipsec_expire_acquire); 873 874 TAILQ_INSERT_TAIL(&ipsec_acquire_head, ipa, ipa_next); 875 TAILQ_INSERT_TAIL(&ipo->ipo_acquires, ipa, ipa_ipo_next); 876 ipa->ipa_policy = ipo; 877 878 /* PF_KEYv2 notification message. */ 879 return pfkeyv2_acquire(ipo, gw, laddr, &ipa->ipa_seq, ddst); 880 } 881 882 /* 883 * Deal with PCB security requirements. 884 */ 885 struct tdb * 886 ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, 887 struct tdb *tdbp, struct inpcb *inp, struct ipsec_policy *ipo) 888 { 889 struct ipsec_policy sipon; 890 struct tdb_ident *tdbi; 891 struct m_tag *mtag; 892 struct tdb *tdb = NULL; 893 894 /* Sanity check. */ 895 if (inp == NULL) 896 goto justreturn; 897 898 /* Verify that we need to check for socket policy. */ 899 if ((inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS || 900 inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_NONE) && 901 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS || 902 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_NONE) && 903 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS || 904 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_NONE)) 905 goto justreturn; 906 907 switch (direction) { 908 case IPSP_DIRECTION_IN: 909 /* 910 * Some further checking: if the socket has specified 911 * that it will accept unencrypted traffic, don't 912 * bother checking any further -- just accept the packet. 913 */ 914 if ((inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL || 915 inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_USE) && 916 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL || 917 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_USE) && 918 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL || 919 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_USE)) 920 goto justreturn; 921 922 /* Initialize socket policy if unset. */ 923 if (inp->inp_ipo == NULL) { 924 inp->inp_ipo = ipsec_add_policy(inp, af, 925 IPSP_DIRECTION_OUT); 926 if (inp->inp_ipo == NULL) { 927 *error = ENOBUFS; 928 return NULL; 929 } 930 } 931 932 /* 933 * So we *must* have protected traffic. Let's see what 934 * we have received then. 935 */ 936 if (inp->inp_tdb_in != NULL) { 937 if (inp->inp_tdb_in == tdbp) 938 goto justreturn; /* We received packet under a 939 * previously-accepted TDB. */ 940 941 /* 942 * We should be receiving protected traffic, and 943 * have an SA in place, but packet was received 944 * unprotected. Simply discard. 945 */ 946 if (tdbp == NULL) { 947 *error = -EINVAL; 948 return NULL; 949 } 950 951 /* Update, since we may need all the relevant info. */ 952 ipsec_update_policy(inp, inp->inp_ipo, af, 953 IPSP_DIRECTION_OUT); 954 955 /* 956 * Check that the TDB the packet was received under 957 * is acceptable under the socket policy. If so, 958 * accept the packet; otherwise, discard. 959 */ 960 if (tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto && 961 !bcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst, 962 SA_LEN(&tdbp->tdb_src.sa)) && 963 ipsp_aux_match(tdbp, 964 inp->inp_ipo->ipo_srcid, 965 inp->inp_ipo->ipo_dstid, 966 NULL, NULL, 967 &inp->inp_ipo->ipo_addr, 968 &inp->inp_ipo->ipo_mask)) 969 goto justreturn; 970 else { 971 *error = -EINVAL; 972 return NULL; 973 } 974 } else { 975 /* Update, since we may need all the relevant info. */ 976 ipsec_update_policy(inp, inp->inp_ipo, af, 977 IPSP_DIRECTION_OUT); 978 979 /* 980 * If the packet was received under an SA, see if 981 * it's acceptable under socket policy. If it is, 982 * accept the packet. 983 */ 984 if (tdbp != NULL && 985 tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto && 986 !bcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst, 987 SA_LEN(&tdbp->tdb_src.sa)) && 988 ipsp_aux_match(tdbp, 989 inp->inp_ipo->ipo_srcid, 990 inp->inp_ipo->ipo_dstid, 991 NULL, NULL, 992 &inp->inp_ipo->ipo_addr, 993 &inp->inp_ipo->ipo_mask)) 994 goto justreturn; 995 996 /* 997 * If the packet was not received under an SA, or 998 * if the SA it was received under is not acceptable, 999 * see if we already have an acceptable SA 1000 * established. If we do, discard packet. 1001 */ 1002 if (inp->inp_ipo->ipo_last_searched <= 1003 ipsec_last_added) { 1004 inp->inp_ipo->ipo_last_searched = time_second; 1005 1006 /* Do we have an SA already established ? */ 1007 if (gettdbbysrc(&inp->inp_ipo->ipo_dst, 1008 inp->inp_ipo->ipo_sproto, 1009 inp->inp_ipo->ipo_srcid, 1010 inp->inp_ipo->ipo_dstid, m, af, 1011 &inp->inp_ipo->ipo_addr, 1012 &inp->inp_ipo->ipo_mask) != NULL) { 1013 *error = -EINVAL; 1014 return NULL; 1015 } 1016 /* Fall through */ 1017 } 1018 1019 /* 1020 * If we don't have an appropriate SA, acquire one 1021 * and discard the packet. 1022 */ 1023 ipsp_acquire_sa(inp->inp_ipo, &inp->inp_ipo->ipo_dst, 1024 &inp->inp_ipo->ipo_src, &inp->inp_ipo->ipo_addr, m); 1025 *error = -EINVAL; 1026 return NULL; 1027 } 1028 1029 break; 1030 1031 case IPSP_DIRECTION_OUT: 1032 /* Do we have a cached entry ? */ 1033 if (inp->inp_tdb_out != NULL) { 1034 /* 1035 * If we also have to apply a different TDB as 1036 * a result of a system-wide policy, add a tag 1037 * to the packet. 1038 */ 1039 if (ipo != NULL && m != NULL && 1040 ipo->ipo_tdb != NULL && 1041 ipo->ipo_tdb != inp->inp_tdb_out) { 1042 tdb = inp->inp_tdb_out; 1043 goto tagandreturn; 1044 } else 1045 return inp->inp_tdb_out; 1046 } 1047 1048 /* 1049 * We need to either find an SA with the appropriate 1050 * characteristics and link it to the PCB, or acquire 1051 * one. 1052 */ 1053 /* XXX Only support one policy/protocol for now. */ 1054 if (inp->inp_ipo != NULL) { 1055 if (inp->inp_ipo->ipo_last_searched <= 1056 ipsec_last_added) { 1057 inp->inp_ipo->ipo_last_searched = time_second; 1058 1059 /* Update, just in case. */ 1060 ipsec_update_policy(inp, inp->inp_ipo, af, 1061 IPSP_DIRECTION_OUT); 1062 1063 tdb = gettdbbyaddr(&inp->inp_ipo->ipo_dst, 1064 inp->inp_ipo->ipo_sproto, 1065 inp->inp_ipo->ipo_srcid, 1066 inp->inp_ipo->ipo_dstid, 1067 inp->inp_ipo->ipo_local_cred, m, af, 1068 &inp->inp_ipo->ipo_addr, 1069 &inp->inp_ipo->ipo_mask); 1070 } 1071 } else { 1072 /* 1073 * Construct a pseudo-policy, with just the necessary 1074 * fields. 1075 */ 1076 ipsec_update_policy(inp, &sipon, af, 1077 IPSP_DIRECTION_OUT); 1078 1079 tdb = gettdbbyaddr(&sipon.ipo_dst, IPPROTO_ESP, NULL, 1080 NULL, NULL, m, af, &sipon.ipo_addr, 1081 &sipon.ipo_mask); 1082 } 1083 1084 /* If we found an appropriate SA... */ 1085 if (tdb != NULL) { 1086 tdb_add_inp(tdb, inp, 0); /* Latch onto PCB. */ 1087 1088 if (ipo != NULL && ipo->ipo_tdb != NULL && 1089 ipo->ipo_tdb != inp->inp_tdb_out && m != NULL) 1090 goto tagandreturn; 1091 else 1092 return tdb; 1093 } else { 1094 /* Do we need to acquire one ? */ 1095 switch (inp->inp_seclevel[SL_ESP_TRANS]) { 1096 case IPSEC_LEVEL_BYPASS: 1097 case IPSEC_LEVEL_AVAIL: 1098 /* No need to do anything. */ 1099 goto justreturn; 1100 case IPSEC_LEVEL_USE: 1101 case IPSEC_LEVEL_REQUIRE: 1102 case IPSEC_LEVEL_UNIQUE: 1103 /* Initialize socket policy if unset. */ 1104 if (inp->inp_ipo == NULL) { 1105 inp->inp_ipo = ipsec_add_policy(inp, af, IPSP_DIRECTION_OUT); 1106 if (inp->inp_ipo == NULL) { 1107 *error = ENOBUFS; 1108 return NULL; 1109 } 1110 } 1111 1112 /* Acquire a new SA. */ 1113 if ((*error = ipsp_acquire_sa(inp->inp_ipo, 1114 &inp->inp_ipo->ipo_dst, 1115 &inp->inp_ipo->ipo_src, 1116 &inp->inp_ipo->ipo_addr, m)) == 0) 1117 *error = -EINVAL; 1118 1119 return NULL; 1120 default: 1121 DPRINTF(("ipsp_spd_inp: unknown sock security" 1122 " level %d", 1123 inp->inp_seclevel[SL_ESP_TRANS])); 1124 *error = -EINVAL; 1125 return NULL; 1126 } 1127 } 1128 break; 1129 1130 default: /* Should never happen. */ 1131 *error = -EINVAL; 1132 return NULL; 1133 } 1134 1135 tagandreturn: 1136 if (tdb == NULL) 1137 goto justreturn; 1138 1139 mtag = m_tag_get(PACKET_TAG_IPSEC_PENDING_TDB, 1140 sizeof (struct tdb_ident), M_NOWAIT); 1141 if (mtag == NULL) { 1142 *error = ENOMEM; 1143 return NULL; 1144 } 1145 1146 tdbi = (struct tdb_ident *)(mtag + 1); 1147 tdbi->spi = ipo->ipo_tdb->tdb_spi; 1148 tdbi->proto = ipo->ipo_tdb->tdb_sproto; 1149 bcopy(&ipo->ipo_tdb->tdb_dst, &tdbi->dst, 1150 ipo->ipo_tdb->tdb_dst.sa.sa_len); 1151 m_tag_prepend(m, mtag); 1152 return tdb; 1153 1154 justreturn: 1155 if (ipo != NULL) 1156 return ipo->ipo_tdb; 1157 else 1158 return NULL; 1159 } 1160 1161 /* 1162 * Find a pending ACQUIRE record based on its sequence number. 1163 * XXX Need to use a better data structure. 1164 */ 1165 struct ipsec_acquire * 1166 ipsec_get_acquire(u_int32_t seq) 1167 { 1168 struct ipsec_acquire *ipa; 1169 1170 TAILQ_FOREACH (ipa, &ipsec_acquire_head, ipa_next) 1171 if (ipa->ipa_seq == seq) 1172 return ipa; 1173 1174 return NULL; 1175 } 1176