1 /*-
2 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27 #include <sys/cdefs.h>
28 #include "opt_inet.h"
29 #include "opt_inet6.h"
30 #include "opt_ipsec.h"
31
32 #include <sys/param.h>
33 #include <sys/systm.h>
34 #include <sys/kernel.h>
35 #include <sys/lock.h>
36 #include <sys/malloc.h>
37 #include <sys/mbuf.h>
38 #include <sys/priv.h>
39 #include <sys/socket.h>
40 #include <sys/sockopt.h>
41 #include <sys/syslog.h>
42 #include <sys/proc.h>
43
44 #include <netinet/in.h>
45 #include <netinet/in_pcb.h>
46
47 #include <netipsec/ipsec.h>
48 #include <netipsec/ipsec6.h>
49 #include <netipsec/ipsec_support.h>
50 #include <netipsec/key.h>
51 #include <netipsec/key_debug.h>
52
53 MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
54
55 static void
ipsec_setsockaddrs_inpcb(struct inpcb * inp,union sockaddr_union * src,union sockaddr_union * dst,u_int dir)56 ipsec_setsockaddrs_inpcb(struct inpcb *inp, union sockaddr_union *src,
57 union sockaddr_union *dst, u_int dir)
58 {
59
60 #ifdef INET6
61 if (inp->inp_vflag & INP_IPV6) {
62 struct sockaddr_in6 *sin6;
63
64 bzero(&src->sin6, sizeof(src->sin6));
65 bzero(&dst->sin6, sizeof(dst->sin6));
66 src->sin6.sin6_family = AF_INET6;
67 src->sin6.sin6_len = sizeof(struct sockaddr_in6);
68 dst->sin6.sin6_family = AF_INET6;
69 dst->sin6.sin6_len = sizeof(struct sockaddr_in6);
70
71 if (dir == IPSEC_DIR_OUTBOUND)
72 sin6 = &src->sin6;
73 else
74 sin6 = &dst->sin6;
75 sin6->sin6_addr = inp->in6p_laddr;
76 sin6->sin6_port = inp->inp_lport;
77 if (IN6_IS_SCOPE_LINKLOCAL(&inp->in6p_laddr)) {
78 /* XXXAE: use in6p_zoneid */
79 sin6->sin6_addr.s6_addr16[1] = 0;
80 sin6->sin6_scope_id = ntohs(
81 inp->in6p_laddr.s6_addr16[1]);
82 }
83
84 if (dir == IPSEC_DIR_OUTBOUND)
85 sin6 = &dst->sin6;
86 else
87 sin6 = &src->sin6;
88 sin6->sin6_addr = inp->in6p_faddr;
89 sin6->sin6_port = inp->inp_fport;
90 if (IN6_IS_SCOPE_LINKLOCAL(&inp->in6p_faddr)) {
91 /* XXXAE: use in6p_zoneid */
92 sin6->sin6_addr.s6_addr16[1] = 0;
93 sin6->sin6_scope_id = ntohs(
94 inp->in6p_faddr.s6_addr16[1]);
95 }
96 }
97 #endif
98 #ifdef INET
99 if (inp->inp_vflag & INP_IPV4) {
100 struct sockaddr_in *sin;
101
102 bzero(&src->sin, sizeof(src->sin));
103 bzero(&dst->sin, sizeof(dst->sin));
104 src->sin.sin_family = AF_INET;
105 src->sin.sin_len = sizeof(struct sockaddr_in);
106 dst->sin.sin_family = AF_INET;
107 dst->sin.sin_len = sizeof(struct sockaddr_in);
108
109 if (dir == IPSEC_DIR_OUTBOUND)
110 sin = &src->sin;
111 else
112 sin = &dst->sin;
113 sin->sin_addr = inp->inp_laddr;
114 sin->sin_port = inp->inp_lport;
115
116 if (dir == IPSEC_DIR_OUTBOUND)
117 sin = &dst->sin;
118 else
119 sin = &src->sin;
120 sin->sin_addr = inp->inp_faddr;
121 sin->sin_port = inp->inp_fport;
122 }
123 #endif
124 }
125
126 void
ipsec_setspidx_inpcb(struct inpcb * inp,struct secpolicyindex * spidx,u_int dir)127 ipsec_setspidx_inpcb(struct inpcb *inp, struct secpolicyindex *spidx,
128 u_int dir)
129 {
130
131 ipsec_setsockaddrs_inpcb(inp, &spidx->src, &spidx->dst, dir);
132 #ifdef INET6
133 if (inp->inp_vflag & INP_IPV6) {
134 spidx->prefs = sizeof(struct in6_addr) << 3;
135 spidx->prefd = sizeof(struct in6_addr) << 3;
136 }
137 #endif
138 #ifdef INET
139 if (inp->inp_vflag & INP_IPV4) {
140 spidx->prefs = sizeof(struct in_addr) << 3;
141 spidx->prefd = sizeof(struct in_addr) << 3;
142 }
143 #endif
144 spidx->ul_proto = IPPROTO_TCP; /* XXX: currently only TCP uses this */
145 spidx->dir = dir;
146 KEYDBG(IPSEC_DUMP,
147 printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL));
148 }
149
150 /* Initialize PCB policy. */
151 int
ipsec_init_pcbpolicy(struct inpcb * inp)152 ipsec_init_pcbpolicy(struct inpcb *inp)
153 {
154
155 IPSEC_ASSERT(inp != NULL, ("null inp"));
156 IPSEC_ASSERT(inp->inp_sp == NULL, ("inp_sp already initialized"));
157
158 inp->inp_sp = malloc(sizeof(struct inpcbpolicy), M_IPSEC_INPCB,
159 M_NOWAIT | M_ZERO);
160 if (inp->inp_sp == NULL)
161 return (ENOBUFS);
162 return (0);
163 }
164
165 /* Delete PCB policy. */
166 int
ipsec_delete_pcbpolicy(struct inpcb * inp)167 ipsec_delete_pcbpolicy(struct inpcb *inp)
168 {
169
170 if (inp->inp_sp == NULL)
171 return (0);
172
173 if (inp->inp_sp->sp_in != NULL)
174 key_freesp(&inp->inp_sp->sp_in);
175
176 if (inp->inp_sp->sp_out != NULL)
177 key_freesp(&inp->inp_sp->sp_out);
178
179 free(inp->inp_sp, M_IPSEC_INPCB);
180 inp->inp_sp = NULL;
181 return (0);
182 }
183
184 /* Deep-copy a policy in PCB. */
185 static struct secpolicy *
ipsec_deepcopy_pcbpolicy(struct secpolicy * src)186 ipsec_deepcopy_pcbpolicy(struct secpolicy *src)
187 {
188 struct secpolicy *dst;
189 int i;
190
191 if (src == NULL)
192 return (NULL);
193
194 IPSEC_ASSERT(src->state == IPSEC_SPSTATE_PCB, ("SP isn't PCB"));
195
196 dst = key_newsp();
197 if (dst == NULL)
198 return (NULL);
199
200 /* spidx is not copied here */
201 dst->policy = src->policy;
202 dst->state = src->state;
203 dst->priority = src->priority;
204 /* Do not touch the refcnt field. */
205
206 /* Copy IPsec request chain. */
207 for (i = 0; i < src->tcount; i++) {
208 dst->req[i] = ipsec_newisr();
209 if (dst->req[i] == NULL) {
210 key_freesp(&dst);
211 return (NULL);
212 }
213 bcopy(src->req[i], dst->req[i], sizeof(struct ipsecrequest));
214 dst->tcount++;
215 }
216 KEYDBG(IPSEC_DUMP,
217 printf("%s: copied SP(%p) -> SP(%p)\n", __func__, src, dst);
218 kdebug_secpolicy(dst));
219 return (dst);
220 }
221
222 /*
223 * Copy IPsec policy from old INPCB into new.
224 * It is expected that new INPCB has not configured policies.
225 */
226 int
ipsec_copy_pcbpolicy(struct inpcb * old,struct inpcb * new)227 ipsec_copy_pcbpolicy(struct inpcb *old, struct inpcb *new)
228 {
229 struct secpolicy *sp;
230
231 /*
232 * old->inp_sp can be NULL if PCB was created when an IPsec
233 * support was unavailable. This is not an error, we don't have
234 * policies in this PCB, so nothing to copy.
235 */
236 if (old->inp_sp == NULL)
237 return (0);
238
239 IPSEC_ASSERT(new->inp_sp != NULL, ("new inp_sp is NULL"));
240 IPSEC_ASSERT((new->inp_sp->flags & (
241 INP_INBOUND_POLICY | INP_OUTBOUND_POLICY)) == 0,
242 ("new PCB already has configured policies"));
243 INP_WLOCK_ASSERT(new);
244 INP_LOCK_ASSERT(old);
245
246 if (old->inp_sp->flags & INP_INBOUND_POLICY) {
247 sp = ipsec_deepcopy_pcbpolicy(old->inp_sp->sp_in);
248 if (sp == NULL)
249 return (ENOBUFS);
250 ipsec_setspidx_inpcb(new, &sp->spidx, IPSEC_DIR_INBOUND);
251 if (new->inp_sp->sp_in != NULL)
252 key_freesp(&new->inp_sp->sp_in);
253 new->inp_sp->sp_in = sp;
254 new->inp_sp->flags |= INP_INBOUND_POLICY;
255 }
256 if (old->inp_sp->flags & INP_OUTBOUND_POLICY) {
257 sp = ipsec_deepcopy_pcbpolicy(old->inp_sp->sp_out);
258 if (sp == NULL)
259 return (ENOBUFS);
260 ipsec_setspidx_inpcb(new, &sp->spidx, IPSEC_DIR_OUTBOUND);
261 if (new->inp_sp->sp_out != NULL)
262 key_freesp(&new->inp_sp->sp_out);
263 new->inp_sp->sp_out = sp;
264 new->inp_sp->flags |= INP_OUTBOUND_POLICY;
265 }
266 return (0);
267 }
268
269 static int
ipsec_set_pcbpolicy(struct inpcb * inp,struct ucred * cred,void * request,size_t len)270 ipsec_set_pcbpolicy(struct inpcb *inp, struct ucred *cred,
271 void *request, size_t len)
272 {
273 struct sadb_x_policy *xpl;
274 struct secpolicy **spp, *newsp;
275 int error, flags;
276
277 xpl = (struct sadb_x_policy *)request;
278 /* Select direction. */
279 switch (xpl->sadb_x_policy_dir) {
280 case IPSEC_DIR_INBOUND:
281 case IPSEC_DIR_OUTBOUND:
282 break;
283 default:
284 ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
285 xpl->sadb_x_policy_dir));
286 return (EINVAL);
287 }
288 /*
289 * Privileged sockets are allowed to set own security policy
290 * and configure IPsec bypass. Unprivileged sockets only can
291 * have ENTRUST policy.
292 */
293 switch (xpl->sadb_x_policy_type) {
294 case IPSEC_POLICY_IPSEC:
295 case IPSEC_POLICY_BYPASS:
296 if (cred != NULL &&
297 priv_check_cred(cred, PRIV_NETINET_IPSEC) != 0)
298 return (EACCES);
299 /* Allocate new SP entry. */
300 newsp = key_msg2sp(xpl, len, &error);
301 if (newsp == NULL)
302 return (error);
303 newsp->state = IPSEC_SPSTATE_PCB;
304 newsp->spidx.ul_proto = IPSEC_ULPROTO_ANY;
305 #ifdef INET
306 if (inp->inp_vflag & INP_IPV4) {
307 newsp->spidx.src.sin.sin_family =
308 newsp->spidx.dst.sin.sin_family = AF_INET;
309 newsp->spidx.src.sin.sin_len =
310 newsp->spidx.dst.sin.sin_len =
311 sizeof(struct sockaddr_in);
312 }
313 #endif
314 #ifdef INET6
315 if (inp->inp_vflag & INP_IPV6) {
316 newsp->spidx.src.sin6.sin6_family =
317 newsp->spidx.dst.sin6.sin6_family = AF_INET6;
318 newsp->spidx.src.sin6.sin6_len =
319 newsp->spidx.dst.sin6.sin6_len =
320 sizeof(struct sockaddr_in6);
321 }
322 #endif
323 break;
324 case IPSEC_POLICY_ENTRUST:
325 /* We just use NULL pointer for ENTRUST policy */
326 newsp = NULL;
327 break;
328 default:
329 /* Other security policy types aren't allowed for PCB */
330 return (EINVAL);
331 }
332
333 INP_WLOCK(inp);
334 if (xpl->sadb_x_policy_dir == IPSEC_DIR_INBOUND) {
335 spp = &inp->inp_sp->sp_in;
336 flags = INP_INBOUND_POLICY;
337 } else {
338 spp = &inp->inp_sp->sp_out;
339 flags = INP_OUTBOUND_POLICY;
340 }
341 /* Clear old SP and set new SP. */
342 if (*spp != NULL)
343 key_freesp(spp);
344 *spp = newsp;
345 KEYDBG(IPSEC_DUMP,
346 printf("%s: new SP(%p)\n", __func__, newsp));
347 if (newsp == NULL)
348 inp->inp_sp->flags &= ~flags;
349 else {
350 inp->inp_sp->flags |= flags;
351 KEYDBG(IPSEC_DUMP, kdebug_secpolicy(newsp));
352 }
353 INP_WUNLOCK(inp);
354 return (0);
355 }
356
357 static int
ipsec_get_pcbpolicy(struct inpcb * inp,void * request,size_t * len)358 ipsec_get_pcbpolicy(struct inpcb *inp, void *request, size_t *len)
359 {
360 struct sadb_x_policy *xpl;
361 struct secpolicy *sp;
362 int error, flags;
363
364 xpl = (struct sadb_x_policy *)request;
365
366 INP_RLOCK(inp);
367 flags = inp->inp_sp->flags;
368 /* Select direction. */
369 switch (xpl->sadb_x_policy_dir) {
370 case IPSEC_DIR_INBOUND:
371 sp = inp->inp_sp->sp_in;
372 flags &= INP_INBOUND_POLICY;
373 break;
374 case IPSEC_DIR_OUTBOUND:
375 sp = inp->inp_sp->sp_out;
376 flags &= INP_OUTBOUND_POLICY;
377 break;
378 default:
379 INP_RUNLOCK(inp);
380 ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
381 xpl->sadb_x_policy_dir));
382 return (EINVAL);
383 }
384
385 if (flags == 0) {
386 /* Return ENTRUST policy */
387 INP_RUNLOCK(inp);
388 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
389 xpl->sadb_x_policy_type = IPSEC_POLICY_ENTRUST;
390 xpl->sadb_x_policy_id = 0;
391 xpl->sadb_x_policy_priority = 0;
392 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl));
393 *len = sizeof(*xpl);
394 return (0);
395 }
396
397 IPSEC_ASSERT(sp != NULL,
398 ("sp is NULL, but flags is 0x%04x", inp->inp_sp->flags));
399
400 key_addref(sp);
401 INP_RUNLOCK(inp);
402 error = key_sp2msg(sp, request, len);
403 key_freesp(&sp);
404 if (error == EINVAL)
405 return (error);
406 /*
407 * We return "success", but user should check *len.
408 * *len will be set to size of valid data and
409 * sadb_x_policy_len will contain needed size.
410 */
411 return (0);
412 }
413
414 /* Handle socket option control request for PCB */
415 static int
ipsec_control_pcbpolicy(struct inpcb * inp,struct sockopt * sopt)416 ipsec_control_pcbpolicy(struct inpcb *inp, struct sockopt *sopt)
417 {
418 void *optdata;
419 size_t optlen;
420 int error;
421
422 if (inp->inp_sp == NULL)
423 return (ENOPROTOOPT);
424
425 /* Limit maximum request size to PAGE_SIZE */
426 optlen = sopt->sopt_valsize;
427 if (optlen < sizeof(struct sadb_x_policy) || optlen > PAGE_SIZE)
428 return (EINVAL);
429
430 optdata = malloc(optlen, M_TEMP, sopt->sopt_td ? M_WAITOK: M_NOWAIT);
431 if (optdata == NULL)
432 return (ENOBUFS);
433 /*
434 * We need a hint from the user, what policy is requested - input
435 * or output? User should specify it in the buffer, even for
436 * setsockopt().
437 */
438 error = sooptcopyin(sopt, optdata, optlen, optlen);
439 if (error == 0) {
440 if (sopt->sopt_dir == SOPT_SET)
441 error = ipsec_set_pcbpolicy(inp,
442 sopt->sopt_td ? sopt->sopt_td->td_ucred: NULL,
443 optdata, optlen);
444 else {
445 error = ipsec_get_pcbpolicy(inp, optdata, &optlen);
446 if (error == 0)
447 error = sooptcopyout(sopt, optdata, optlen);
448 }
449 }
450 free(optdata, M_TEMP);
451 return (error);
452 }
453
454 #ifdef INET
455 /*
456 * IPSEC_PCBCTL() method implementation for IPv4.
457 */
458 int
ipsec4_pcbctl(struct inpcb * inp,struct sockopt * sopt)459 ipsec4_pcbctl(struct inpcb *inp, struct sockopt *sopt)
460 {
461
462 if (sopt->sopt_name != IP_IPSEC_POLICY)
463 return (ENOPROTOOPT);
464 return (ipsec_control_pcbpolicy(inp, sopt));
465 }
466 #endif
467
468 #ifdef INET6
469 /*
470 * IPSEC_PCBCTL() method implementation for IPv6.
471 */
472 int
ipsec6_pcbctl(struct inpcb * inp,struct sockopt * sopt)473 ipsec6_pcbctl(struct inpcb *inp, struct sockopt *sopt)
474 {
475
476 if (sopt->sopt_name != IPV6_IPSEC_POLICY)
477 return (ENOPROTOOPT);
478 return (ipsec_control_pcbpolicy(inp, sopt));
479 }
480 #endif
481