1 /* $OpenBSD: ip_spd.c,v 1.63 2010/09/28 01:44:57 deraadt Exp $ */ 2 /* 3 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) 4 * 5 * Copyright (c) 2000-2001 Angelos D. Keromytis. 6 * 7 * Permission to use, copy, and modify this software with or without fee 8 * is hereby granted, provided that this entire notice is included in 9 * all copies of any software which is or includes a copy or 10 * modification of this software. 11 * You may use this code under the GNU public license if you so wish. Please 12 * contribute changes back to the authors under this freer than GPL license 13 * so that we may further the use of strong encryption without limitations to 14 * all. 15 * 16 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 17 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 18 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 19 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 20 * PURPOSE. 21 */ 22 23 #include <sys/param.h> 24 #include <sys/systm.h> 25 #include <sys/mbuf.h> 26 #include <sys/socket.h> 27 #include <sys/kernel.h> 28 #include <sys/socketvar.h> 29 #include <sys/protosw.h> 30 #include <sys/pool.h> 31 32 #include <net/if.h> 33 #include <net/route.h> 34 #include <net/netisr.h> 35 36 #ifdef INET 37 #include <netinet/in.h> 38 #include <netinet/in_systm.h> 39 #include <netinet/ip.h> 40 #include <netinet/in_pcb.h> 41 #include <netinet/in_var.h> 42 #endif /* INET */ 43 44 #ifdef INET6 45 #ifndef INET 46 #include <netinet/in.h> 47 #endif 48 #include <netinet6/in6_var.h> 49 #endif /* INET6 */ 50 51 #include <netinet/ip_ipsp.h> 52 #include <net/pfkeyv2.h> 53 54 #ifdef ENCDEBUG 55 #define DPRINTF(x) if (encdebug) printf x 56 #else 57 #define DPRINTF(x) 58 #endif 59 60 struct pool ipsec_policy_pool; 61 struct pool ipsec_acquire_pool; 62 int ipsec_policy_pool_initialized = 0; 63 int ipsec_acquire_pool_initialized = 0; 64 65 /* 66 * Lookup at the SPD based on the headers contained on the mbuf. The second 67 * argument indicates what protocol family the header at the beginning of 68 * the mbuf is. hlen is the offset of the transport protocol header 69 * in the mbuf. 70 * 71 * Return combinations (of return value and in *error): 72 * - NULL/0 -> no IPsec required on packet 73 * - NULL/-EINVAL -> silently drop the packet 74 * - NULL/errno -> drop packet and return error 75 * or a pointer to a TDB (and 0 in *error). 76 * 77 * In the case of incoming flows, only the first three combinations are 78 * returned. 79 */ 80 struct tdb * 81 ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, 82 struct tdb *tdbp, struct inpcb *inp) 83 { 84 struct route_enc re0, *re = &re0; 85 union sockaddr_union sdst, ssrc; 86 struct sockaddr_encap *ddst; 87 struct ipsec_policy *ipo; 88 int signore = 0, dignore = 0; 89 u_int rdomain = rtable_l2(m->m_pkthdr.rdomain); 90 91 /* 92 * If there are no flows in place, there's no point 93 * continuing with the SPD lookup. 94 */ 95 if (!ipsec_in_use && inp == NULL) { 96 *error = 0; 97 return NULL; 98 } 99 100 /* 101 * If an input packet is destined to a BYPASS socket, just accept it. 102 */ 103 if ((inp != NULL) && (direction == IPSP_DIRECTION_IN) && 104 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 105 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) && 106 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 107 *error = 0; 108 return NULL; 109 } 110 111 bzero((caddr_t) re, sizeof(struct route_enc)); 112 bzero((caddr_t) &sdst, sizeof(union sockaddr_union)); 113 bzero((caddr_t) &ssrc, sizeof(union sockaddr_union)); 114 ddst = (struct sockaddr_encap *) &re->re_dst; 115 ddst->sen_family = PF_KEY; 116 ddst->sen_len = SENT_LEN; 117 118 switch (af) { 119 #ifdef INET 120 case AF_INET: 121 if (hlen < sizeof (struct ip) || m->m_pkthdr.len < hlen) { 122 *error = EINVAL; 123 return NULL; 124 } 125 ddst->sen_direction = direction; 126 ddst->sen_type = SENT_IP4; 127 128 m_copydata(m, offsetof(struct ip, ip_src), 129 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_src)); 130 m_copydata(m, offsetof(struct ip, ip_dst), 131 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_dst)); 132 m_copydata(m, offsetof(struct ip, ip_p), sizeof(u_int8_t), 133 (caddr_t) &(ddst->sen_proto)); 134 135 sdst.sin.sin_family = ssrc.sin.sin_family = AF_INET; 136 sdst.sin.sin_len = ssrc.sin.sin_len = 137 sizeof(struct sockaddr_in); 138 ssrc.sin.sin_addr = ddst->sen_ip_src; 139 sdst.sin.sin_addr = ddst->sen_ip_dst; 140 141 /* 142 * If TCP/UDP, extract the port numbers to use in the lookup. 143 */ 144 switch (ddst->sen_proto) { 145 case IPPROTO_UDP: 146 case IPPROTO_TCP: 147 /* Make sure there's enough data in the packet. */ 148 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 149 *error = EINVAL; 150 return NULL; 151 } 152 153 /* 154 * Luckily, the offset of the src/dst ports in 155 * both the UDP and TCP headers is the same (first 156 * two 16-bit values in the respective headers), 157 * so we can just copy them. 158 */ 159 m_copydata(m, hlen, sizeof(u_int16_t), 160 (caddr_t) &(ddst->sen_sport)); 161 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 162 (caddr_t) &(ddst->sen_dport)); 163 break; 164 165 default: 166 ddst->sen_sport = 0; 167 ddst->sen_dport = 0; 168 } 169 170 break; 171 #endif /* INET */ 172 173 #ifdef INET6 174 case AF_INET6: 175 if (hlen < sizeof (struct ip6_hdr) || m->m_pkthdr.len < hlen) { 176 *error = EINVAL; 177 return NULL; 178 } 179 ddst->sen_type = SENT_IP6; 180 ddst->sen_ip6_direction = direction; 181 182 m_copydata(m, offsetof(struct ip6_hdr, ip6_src), 183 sizeof(struct in6_addr), 184 (caddr_t) &(ddst->sen_ip6_src)); 185 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 186 sizeof(struct in6_addr), 187 (caddr_t) &(ddst->sen_ip6_dst)); 188 m_copydata(m, offsetof(struct ip6_hdr, ip6_nxt), 189 sizeof(u_int8_t), 190 (caddr_t) &(ddst->sen_ip6_proto)); 191 192 sdst.sin6.sin6_family = ssrc.sin6.sin6_family = AF_INET6; 193 sdst.sin6.sin6_len = ssrc.sin6.sin6_len = 194 sizeof(struct sockaddr_in6); 195 in6_recoverscope(&ssrc.sin6, &ddst->sen_ip6_src, NULL); 196 in6_recoverscope(&sdst.sin6, &ddst->sen_ip6_dst, NULL); 197 198 /* 199 * If TCP/UDP, extract the port numbers to use in the lookup. 200 */ 201 switch (ddst->sen_ip6_proto) { 202 case IPPROTO_UDP: 203 case IPPROTO_TCP: 204 /* Make sure there's enough data in the packet. */ 205 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 206 *error = EINVAL; 207 return NULL; 208 } 209 210 /* 211 * Luckily, the offset of the src/dst ports in 212 * both the UDP and TCP headers is the same 213 * (first two 16-bit values in the respective 214 * headers), so we can just copy them. 215 */ 216 m_copydata(m, hlen, sizeof(u_int16_t), 217 (caddr_t) &(ddst->sen_ip6_sport)); 218 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 219 (caddr_t) &(ddst->sen_ip6_dport)); 220 break; 221 222 default: 223 ddst->sen_ip6_sport = 0; 224 ddst->sen_ip6_dport = 0; 225 } 226 227 break; 228 #endif /* INET6 */ 229 230 default: 231 *error = EAFNOSUPPORT; 232 return NULL; 233 } 234 235 /* Set the rdomain that was obtained from the mbuf */ 236 re->re_tableid = rdomain; 237 238 /* Actual SPD lookup. */ 239 rtalloc((struct route *) re); 240 if (re->re_rt == NULL) { 241 /* 242 * Return whatever the socket requirements are, there are no 243 * system-wide policies. 244 */ 245 *error = 0; 246 return ipsp_spd_inp(m, af, hlen, error, direction, 247 tdbp, inp, NULL); 248 } 249 250 /* Sanity check. */ 251 if ((re->re_rt->rt_gateway == NULL) || 252 (((struct sockaddr_encap *) re->re_rt->rt_gateway)->sen_type != 253 SENT_IPSP)) { 254 RTFREE(re->re_rt); 255 *error = EHOSTUNREACH; 256 DPRINTF(("ip_spd_lookup: no gateway in SPD entry!")); 257 return NULL; 258 } 259 260 ipo = ((struct sockaddr_encap *) (re->re_rt->rt_gateway))->sen_ipsp; 261 RTFREE(re->re_rt); 262 if (ipo == NULL) { 263 *error = EHOSTUNREACH; 264 DPRINTF(("ip_spd_lookup: no policy attached to SPD entry!")); 265 return NULL; 266 } 267 268 switch (ipo->ipo_type) { 269 case IPSP_PERMIT: 270 *error = 0; 271 return ipsp_spd_inp(m, af, hlen, error, direction, tdbp, 272 inp, ipo); 273 274 case IPSP_DENY: 275 *error = EHOSTUNREACH; 276 return NULL; 277 278 case IPSP_IPSEC_USE: 279 case IPSP_IPSEC_ACQUIRE: 280 case IPSP_IPSEC_REQUIRE: 281 case IPSP_IPSEC_DONTACQ: 282 /* Nothing more needed here. */ 283 break; 284 285 default: 286 *error = EINVAL; 287 return NULL; 288 } 289 290 /* Check for non-specific destination in the policy. */ 291 switch (ipo->ipo_dst.sa.sa_family) { 292 #ifdef INET 293 case AF_INET: 294 if ((ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_ANY) || 295 (ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_BROADCAST)) 296 dignore = 1; 297 break; 298 #endif /* INET */ 299 300 #ifdef INET6 301 case AF_INET6: 302 if ((IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_dst.sin6.sin6_addr)) || 303 (bcmp(&ipo->ipo_dst.sin6.sin6_addr, &in6mask128, 304 sizeof(in6mask128)) == 0)) 305 dignore = 1; 306 break; 307 #endif /* INET6 */ 308 } 309 310 /* Likewise for source. */ 311 switch (ipo->ipo_src.sa.sa_family) { 312 #ifdef INET 313 case AF_INET: 314 if (ipo->ipo_src.sin.sin_addr.s_addr == INADDR_ANY) 315 signore = 1; 316 break; 317 #endif /* INET */ 318 319 #ifdef INET6 320 case AF_INET6: 321 if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_src.sin6.sin6_addr)) 322 signore = 1; 323 break; 324 #endif /* INET6 */ 325 } 326 327 /* Do we have a cached entry ? If so, check if it's still valid. */ 328 if ((ipo->ipo_tdb) && (ipo->ipo_tdb->tdb_flags & TDBF_INVALID)) { 329 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 330 ipo_tdb_next); 331 ipo->ipo_tdb = NULL; 332 } 333 334 /* Outgoing packet policy check. */ 335 if (direction == IPSP_DIRECTION_OUT) { 336 /* 337 * If the packet is destined for the policy-specified 338 * gateway/endhost, and the socket has the BYPASS 339 * option set, skip IPsec processing. 340 */ 341 if ((inp != NULL) && 342 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 343 (inp->inp_seclevel[SL_ESP_NETWORK] == 344 IPSEC_LEVEL_BYPASS) && 345 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 346 /* Direct match. */ 347 if (dignore || 348 !bcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) { 349 *error = 0; 350 return NULL; 351 } 352 } 353 354 /* Check that the cached TDB (if present), is appropriate. */ 355 if (ipo->ipo_tdb) { 356 if ((ipo->ipo_last_searched <= ipsec_last_added) || 357 (ipo->ipo_sproto != ipo->ipo_tdb->tdb_sproto) || 358 bcmp(dignore ? &sdst : &ipo->ipo_dst, 359 &ipo->ipo_tdb->tdb_dst, 360 ipo->ipo_tdb->tdb_dst.sa.sa_len)) 361 goto nomatchout; 362 363 if (!ipsp_aux_match(ipo->ipo_tdb, 364 ipo->ipo_srcid, ipo->ipo_dstid, 365 ipo->ipo_local_cred, NULL, 366 &ipo->ipo_addr, &ipo->ipo_mask)) 367 goto nomatchout; 368 369 /* Cached entry is good. */ 370 *error = 0; 371 return ipsp_spd_inp(m, af, hlen, error, direction, 372 tdbp, inp, ipo); 373 374 nomatchout: 375 /* Cached TDB was not good. */ 376 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 377 ipo_tdb_next); 378 ipo->ipo_tdb = NULL; 379 ipo->ipo_last_searched = 0; 380 } 381 382 /* 383 * If no SA has been added since the last time we did a 384 * lookup, there's no point searching for one. However, if the 385 * destination gateway is left unspecified (or is all-1's), 386 * always lookup since this is a generic-match rule 387 * (otherwise, we can have situations where SAs to some 388 * destinations exist but are not used, possibly leading to an 389 * explosion in the number of acquired SAs). 390 */ 391 if (ipo->ipo_last_searched <= ipsec_last_added) { 392 /* "Touch" the entry. */ 393 if (dignore == 0) 394 ipo->ipo_last_searched = time_second; 395 396 /* Find an appropriate SA from the existing ones. */ 397 ipo->ipo_tdb = 398 gettdbbyaddr(rdomain, 399 dignore ? &sdst : &ipo->ipo_dst, 400 ipo->ipo_sproto, ipo->ipo_srcid, 401 ipo->ipo_dstid, ipo->ipo_local_cred, m, af, 402 &ipo->ipo_addr, &ipo->ipo_mask); 403 if (ipo->ipo_tdb) { 404 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 405 ipo, ipo_tdb_next); 406 *error = 0; 407 return ipsp_spd_inp(m, af, hlen, error, 408 direction, tdbp, inp, ipo); 409 } 410 } 411 412 /* So, we don't have an SA -- just a policy. */ 413 switch (ipo->ipo_type) { 414 case IPSP_IPSEC_REQUIRE: 415 /* Acquire SA through key management. */ 416 if (ipsp_acquire_sa(ipo, 417 dignore ? &sdst : &ipo->ipo_dst, 418 signore ? NULL : &ipo->ipo_src, ddst, m) != 0) { 419 *error = EACCES; 420 return NULL; 421 } 422 423 /* FALLTHROUGH */ 424 case IPSP_IPSEC_DONTACQ: 425 *error = -EINVAL; /* Silently drop packet. */ 426 return NULL; 427 428 case IPSP_IPSEC_ACQUIRE: 429 /* Acquire SA through key management. */ 430 ipsp_acquire_sa(ipo, dignore ? &sdst : &ipo->ipo_dst, 431 signore ? NULL : &ipo->ipo_src, ddst, NULL); 432 433 /* FALLTHROUGH */ 434 case IPSP_IPSEC_USE: 435 *error = 0; 436 return ipsp_spd_inp(m, af, hlen, error, direction, 437 tdbp, inp, ipo); 438 } 439 } else { /* IPSP_DIRECTION_IN */ 440 if (tdbp != NULL) { 441 /* Direct match in the cache. */ 442 if (ipo->ipo_tdb == tdbp) { 443 *error = 0; 444 return ipsp_spd_inp(m, af, hlen, error, 445 direction, tdbp, inp, ipo); 446 } 447 448 if (bcmp(dignore ? &ssrc : &ipo->ipo_dst, 449 &tdbp->tdb_src, tdbp->tdb_src.sa.sa_len) || 450 (ipo->ipo_sproto != tdbp->tdb_sproto)) 451 goto nomatchin; 452 453 /* Match source ID. */ 454 if (ipo->ipo_srcid) { 455 if (tdbp->tdb_dstid == NULL || 456 !ipsp_ref_match(ipo->ipo_srcid, 457 tdbp->tdb_dstid)) 458 goto nomatchin; 459 } 460 461 /* Match destination ID. */ 462 if (ipo->ipo_dstid) { 463 if (tdbp->tdb_srcid == NULL || 464 !ipsp_ref_match(ipo->ipo_dstid, 465 tdbp->tdb_srcid)) 466 goto nomatchin; 467 } 468 469 /* Add it to the cache. */ 470 if (ipo->ipo_tdb) 471 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, 472 ipo, ipo_tdb_next); 473 ipo->ipo_tdb = tdbp; 474 TAILQ_INSERT_TAIL(&tdbp->tdb_policy_head, ipo, 475 ipo_tdb_next); 476 *error = 0; 477 return ipsp_spd_inp(m, af, hlen, error, direction, 478 tdbp, inp, ipo); 479 480 nomatchin: /* Nothing needed here, falling through */ 481 ; 482 } 483 484 /* Check whether cached entry applies. */ 485 if (ipo->ipo_tdb) { 486 /* 487 * We only need to check that the correct 488 * security protocol and security gateway are 489 * set; credentials/IDs will be the same, 490 * since the cached entry is linked on this 491 * policy. 492 */ 493 if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto && 494 !bcmp(&ipo->ipo_tdb->tdb_src, 495 dignore ? &ssrc : &ipo->ipo_dst, 496 ipo->ipo_tdb->tdb_src.sa.sa_len)) 497 goto skipinputsearch; 498 499 /* Not applicable, unlink. */ 500 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 501 ipo_tdb_next); 502 ipo->ipo_last_searched = 0; 503 ipo->ipo_tdb = NULL; 504 } 505 506 /* Find whether there exists an appropriate SA. */ 507 if (ipo->ipo_last_searched <= ipsec_last_added) { 508 if (dignore == 0) 509 ipo->ipo_last_searched = time_second; 510 511 ipo->ipo_tdb = 512 gettdbbysrc(rdomain, 513 dignore ? &ssrc : &ipo->ipo_dst, 514 ipo->ipo_sproto, ipo->ipo_srcid, 515 ipo->ipo_dstid, m, af, &ipo->ipo_addr, 516 &ipo->ipo_mask); 517 if (ipo->ipo_tdb) 518 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 519 ipo, ipo_tdb_next); 520 } 521 skipinputsearch: 522 523 switch (ipo->ipo_type) { 524 case IPSP_IPSEC_REQUIRE: 525 /* If appropriate SA exists, don't acquire another. */ 526 if (ipo->ipo_tdb) { 527 *error = -EINVAL; 528 return NULL; 529 } 530 531 /* Acquire SA through key management. */ 532 if ((*error = ipsp_acquire_sa(ipo, 533 dignore ? &ssrc : &ipo->ipo_dst, 534 signore ? NULL : &ipo->ipo_src, ddst, m)) != 0) 535 return NULL; 536 537 /* FALLTHROUGH */ 538 case IPSP_IPSEC_DONTACQ: 539 /* Drop packet. */ 540 *error = -EINVAL; 541 return NULL; 542 543 case IPSP_IPSEC_ACQUIRE: 544 /* If appropriate SA exists, don't acquire another. */ 545 if (ipo->ipo_tdb) { 546 *error = 0; 547 return ipsp_spd_inp(m, af, hlen, error, 548 direction, tdbp, inp, ipo); 549 } 550 551 /* Acquire SA through key management. */ 552 ipsp_acquire_sa(ipo, dignore ? &ssrc : &ipo->ipo_dst, 553 signore ? NULL : &ipo->ipo_src, ddst, NULL); 554 555 /* FALLTHROUGH */ 556 case IPSP_IPSEC_USE: 557 *error = 0; 558 return ipsp_spd_inp(m, af, hlen, error, direction, 559 tdbp, inp, ipo); 560 } 561 } 562 563 /* Shouldn't ever get this far. */ 564 *error = EINVAL; 565 return NULL; 566 } 567 568 /* 569 * Delete a policy from the SPD. 570 */ 571 int 572 ipsec_delete_policy(struct ipsec_policy *ipo) 573 { 574 struct rt_addrinfo info; 575 struct ipsec_acquire *ipa; 576 int err = 0; 577 578 if (--ipo->ipo_ref_count > 0) 579 return 0; 580 581 /* Delete from SPD. */ 582 if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) { 583 bzero(&info, sizeof(info)); 584 info.rti_info[RTAX_DST] = (struct sockaddr *)&ipo->ipo_addr; 585 info.rti_info[RTAX_NETMASK] = (struct sockaddr *)&ipo->ipo_mask; 586 587 /* XXX other tables? */ 588 err = rtrequest1(RTM_DELETE, &info, RTP_DEFAULT, NULL, 589 ipo->ipo_rdomain); 590 } 591 if (ipo->ipo_tdb != NULL) 592 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 593 ipo_tdb_next); 594 595 while ((ipa = TAILQ_FIRST(&ipo->ipo_acquires)) != NULL) 596 ipsp_delete_acquire(ipa); 597 598 TAILQ_REMOVE(&ipsec_policy_head, ipo, ipo_list); 599 600 if (ipo->ipo_srcid) 601 ipsp_reffree(ipo->ipo_srcid); 602 if (ipo->ipo_dstid) 603 ipsp_reffree(ipo->ipo_dstid); 604 if (ipo->ipo_local_cred) 605 ipsp_reffree(ipo->ipo_local_cred); 606 if (ipo->ipo_local_auth) 607 ipsp_reffree(ipo->ipo_local_auth); 608 609 if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) 610 ipsec_in_use--; 611 612 pool_put(&ipsec_policy_pool, ipo); 613 614 return err; 615 } 616 617 /* 618 * Add a policy to the SPD. 619 */ 620 struct ipsec_policy * 621 ipsec_add_policy(struct inpcb *inp, int af, int direction) 622 { 623 struct ipsec_policy *ipon; 624 625 if (ipsec_policy_pool_initialized == 0) { 626 ipsec_policy_pool_initialized = 1; 627 pool_init(&ipsec_policy_pool, sizeof(struct ipsec_policy), 628 0, 0, 0, "ipsec policy", NULL); 629 } 630 631 ipon = pool_get(&ipsec_policy_pool, PR_NOWAIT|PR_ZERO); 632 if (ipon == NULL) 633 return NULL; 634 635 ipon->ipo_ref_count = 1; 636 ipon->ipo_flags |= IPSP_POLICY_SOCKET; 637 638 ipon->ipo_type = IPSP_IPSEC_REQUIRE; /* XXX */ 639 640 /* XXX 641 * We should actually be creating a linked list of 642 * policies (for tunnel/transport and ESP/AH), as needed. 643 */ 644 ipon->ipo_sproto = IPPROTO_ESP; 645 ipon->ipo_rdomain = rtable_l2(inp->inp_rtableid); 646 647 TAILQ_INIT(&ipon->ipo_acquires); 648 TAILQ_INSERT_HEAD(&ipsec_policy_head, ipon, ipo_list); 649 650 ipsec_update_policy(inp, ipon, af, direction); 651 652 return ipon; 653 } 654 655 /* 656 * Update a PCB-attached policy. 657 */ 658 void 659 ipsec_update_policy(struct inpcb *inp, struct ipsec_policy *ipon, int af, 660 int direction) 661 { 662 ipon->ipo_addr.sen_len = ipon->ipo_mask.sen_len = SENT_LEN; 663 ipon->ipo_addr.sen_family = ipon->ipo_mask.sen_family = PF_KEY; 664 ipon->ipo_src.sa.sa_family = ipon->ipo_dst.sa.sa_family = af; 665 666 switch (af) { 667 case AF_INET: 668 #ifdef INET 669 ipon->ipo_addr.sen_type = ipon->ipo_mask.sen_type = SENT_IP4; 670 ipon->ipo_addr.sen_ip_src = inp->inp_laddr; 671 ipon->ipo_addr.sen_ip_dst = inp->inp_faddr; 672 ipon->ipo_addr.sen_sport = inp->inp_lport; 673 ipon->ipo_addr.sen_dport = inp->inp_fport; 674 ipon->ipo_addr.sen_proto = 675 inp->inp_socket->so_proto->pr_protocol; 676 ipon->ipo_addr.sen_direction = direction; 677 678 ipon->ipo_mask.sen_ip_src.s_addr = 0xffffffff; 679 ipon->ipo_mask.sen_ip_dst.s_addr = 0xffffffff; 680 ipon->ipo_mask.sen_sport = ipon->ipo_mask.sen_dport = 0xffff; 681 ipon->ipo_mask.sen_proto = 0xff; 682 ipon->ipo_mask.sen_direction = direction; 683 684 ipon->ipo_src.sa.sa_len = sizeof(struct sockaddr_in); 685 ipon->ipo_dst.sa.sa_len = sizeof(struct sockaddr_in); 686 ipon->ipo_src.sin.sin_addr = inp->inp_laddr; 687 ipon->ipo_dst.sin.sin_addr = inp->inp_faddr; 688 #endif /* INET */ 689 break; 690 691 case AF_INET6: 692 #ifdef INET6 693 ipon->ipo_addr.sen_type = ipon->ipo_mask.sen_type = SENT_IP6; 694 ipon->ipo_addr.sen_ip6_src = inp->inp_laddr6; 695 ipon->ipo_addr.sen_ip6_dst = inp->inp_faddr6; 696 ipon->ipo_addr.sen_ip6_sport = inp->inp_lport; 697 ipon->ipo_addr.sen_ip6_dport = inp->inp_fport; 698 ipon->ipo_addr.sen_ip6_proto = 699 inp->inp_socket->so_proto->pr_protocol; 700 ipon->ipo_addr.sen_ip6_direction = direction; 701 702 ipon->ipo_mask.sen_ip6_src = in6mask128; 703 ipon->ipo_mask.sen_ip6_dst = in6mask128; 704 ipon->ipo_mask.sen_ip6_sport = 0xffff; 705 ipon->ipo_mask.sen_ip6_dport = 0xffff; 706 ipon->ipo_mask.sen_ip6_proto = 0xff; 707 ipon->ipo_mask.sen_ip6_direction = direction; 708 709 ipon->ipo_src.sa.sa_len = sizeof(struct sockaddr_in6); 710 ipon->ipo_dst.sa.sa_len = sizeof(struct sockaddr_in6); 711 ipon->ipo_src.sin6.sin6_addr = inp->inp_laddr6; 712 ipon->ipo_dst.sin6.sin6_addr = inp->inp_faddr6; 713 #endif /* INET6 */ 714 break; 715 } 716 } 717 718 /* 719 * Delete a pending IPsec acquire record. 720 */ 721 void 722 ipsp_delete_acquire(void *v) 723 { 724 struct ipsec_acquire *ipa = v; 725 726 timeout_del(&ipa->ipa_timeout); 727 TAILQ_REMOVE(&ipsec_acquire_head, ipa, ipa_next); 728 if (ipa->ipa_policy != NULL) 729 TAILQ_REMOVE(&ipa->ipa_policy->ipo_acquires, ipa, 730 ipa_ipo_next); 731 pool_put(&ipsec_acquire_pool, ipa); 732 } 733 734 /* 735 * Find out if there's an ACQUIRE pending. 736 * XXX Need a better structure. 737 */ 738 struct ipsec_acquire * 739 ipsp_pending_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw) 740 { 741 struct ipsec_acquire *ipa; 742 743 TAILQ_FOREACH (ipa, &ipo->ipo_acquires, ipa_ipo_next) { 744 if (!bcmp(gw, &ipa->ipa_addr, gw->sa.sa_len)) 745 return ipa; 746 } 747 748 return NULL; 749 } 750 751 /* 752 * Signal key management that we need an SA. 753 * XXX For outgoing policies, we could try to hold on to the mbuf. 754 */ 755 int 756 ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, 757 union sockaddr_union *laddr, struct sockaddr_encap *ddst, struct mbuf *m) 758 { 759 struct ipsec_acquire *ipa; 760 761 /* 762 * If this is a socket policy, it has to have authentication 763 * information accompanying it --- can't tell key mgmt. to 764 * "find" it for us. This avoids abusing key mgmt. to authenticate 765 * on an application's behalf, even if the application doesn't 766 * have/know (and shouldn't) the appropriate authentication 767 * material (passphrase, private key, etc.) 768 */ 769 if (ipo->ipo_flags & IPSP_POLICY_SOCKET && 770 ipo->ipo_local_auth == NULL) 771 return EINVAL; 772 773 /* Check whether request has been made already. */ 774 if ((ipa = ipsp_pending_acquire(ipo, gw)) != NULL) 775 return 0; 776 777 /* Add request in cache and proceed. */ 778 if (ipsec_acquire_pool_initialized == 0) { 779 ipsec_acquire_pool_initialized = 1; 780 pool_init(&ipsec_acquire_pool, sizeof(struct ipsec_acquire), 781 0, 0, 0, "ipsec acquire", NULL); 782 } 783 784 ipa = pool_get(&ipsec_acquire_pool, PR_NOWAIT|PR_ZERO); 785 if (ipa == NULL) 786 return ENOMEM; 787 788 bcopy(gw, &ipa->ipa_addr, sizeof(union sockaddr_union)); 789 790 timeout_set(&ipa->ipa_timeout, ipsp_delete_acquire, ipa); 791 792 ipa->ipa_info.sen_len = ipa->ipa_mask.sen_len = SENT_LEN; 793 ipa->ipa_info.sen_family = ipa->ipa_mask.sen_family = PF_KEY; 794 795 /* Just copy the right information. */ 796 switch (ipo->ipo_addr.sen_type) { 797 #ifdef INET 798 case SENT_IP4: 799 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP4; 800 ipa->ipa_info.sen_direction = ipo->ipo_addr.sen_direction; 801 ipa->ipa_mask.sen_direction = ipo->ipo_mask.sen_direction; 802 803 if (ipsp_is_unspecified(ipo->ipo_dst)) { 804 ipa->ipa_info.sen_ip_src = ddst->sen_ip_src; 805 ipa->ipa_mask.sen_ip_src.s_addr = INADDR_BROADCAST; 806 } else { 807 ipa->ipa_info.sen_ip_src = ipo->ipo_addr.sen_ip_src; 808 ipa->ipa_mask.sen_ip_src = ipo->ipo_mask.sen_ip_src; 809 } 810 811 if (ipsp_is_unspecified(ipo->ipo_dst)) { 812 ipa->ipa_info.sen_ip_dst = ddst->sen_ip_dst; 813 ipa->ipa_mask.sen_ip_dst.s_addr = INADDR_BROADCAST; 814 } else { 815 ipa->ipa_info.sen_ip_dst = ipo->ipo_addr.sen_ip_dst; 816 ipa->ipa_mask.sen_ip_dst = ipo->ipo_mask.sen_ip_dst; 817 } 818 819 ipa->ipa_info.sen_proto = ipo->ipo_addr.sen_proto; 820 ipa->ipa_mask.sen_proto = ipo->ipo_mask.sen_proto; 821 822 if (ipo->ipo_addr.sen_proto) { 823 ipa->ipa_info.sen_sport = ipo->ipo_addr.sen_sport; 824 ipa->ipa_mask.sen_sport = ipo->ipo_mask.sen_sport; 825 826 ipa->ipa_info.sen_dport = ipo->ipo_addr.sen_dport; 827 ipa->ipa_mask.sen_dport = ipo->ipo_mask.sen_dport; 828 } 829 break; 830 #endif /* INET */ 831 832 #ifdef INET6 833 case SENT_IP6: 834 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP6; 835 ipa->ipa_info.sen_ip6_direction = 836 ipo->ipo_addr.sen_ip6_direction; 837 ipa->ipa_mask.sen_ip6_direction = 838 ipo->ipo_mask.sen_ip6_direction; 839 840 if (ipsp_is_unspecified(ipo->ipo_dst)) { 841 ipa->ipa_info.sen_ip6_src = ddst->sen_ip6_src; 842 ipa->ipa_mask.sen_ip6_src = in6mask128; 843 } else { 844 ipa->ipa_info.sen_ip6_src = ipo->ipo_addr.sen_ip6_src; 845 ipa->ipa_mask.sen_ip6_src = ipo->ipo_mask.sen_ip6_src; 846 } 847 848 if (ipsp_is_unspecified(ipo->ipo_dst)) { 849 ipa->ipa_info.sen_ip6_dst = ddst->sen_ip6_dst; 850 ipa->ipa_mask.sen_ip6_dst = in6mask128; 851 } else { 852 ipa->ipa_info.sen_ip6_dst = ipo->ipo_addr.sen_ip6_dst; 853 ipa->ipa_mask.sen_ip6_dst = ipo->ipo_mask.sen_ip6_dst; 854 } 855 856 ipa->ipa_info.sen_ip6_proto = ipo->ipo_addr.sen_ip6_proto; 857 ipa->ipa_mask.sen_ip6_proto = ipo->ipo_mask.sen_ip6_proto; 858 859 if (ipo->ipo_mask.sen_ip6_proto) { 860 ipa->ipa_info.sen_ip6_sport = 861 ipo->ipo_addr.sen_ip6_sport; 862 ipa->ipa_mask.sen_ip6_sport = 863 ipo->ipo_mask.sen_ip6_sport; 864 ipa->ipa_info.sen_ip6_dport = 865 ipo->ipo_addr.sen_ip6_dport; 866 ipa->ipa_mask.sen_ip6_dport = 867 ipo->ipo_mask.sen_ip6_dport; 868 } 869 break; 870 #endif /* INET6 */ 871 872 default: 873 pool_put(&ipsec_acquire_pool, ipa); 874 return 0; 875 } 876 877 timeout_add_sec(&ipa->ipa_timeout, ipsec_expire_acquire); 878 879 TAILQ_INSERT_TAIL(&ipsec_acquire_head, ipa, ipa_next); 880 TAILQ_INSERT_TAIL(&ipo->ipo_acquires, ipa, ipa_ipo_next); 881 ipa->ipa_policy = ipo; 882 883 /* PF_KEYv2 notification message. */ 884 return pfkeyv2_acquire(ipo, gw, laddr, &ipa->ipa_seq, ddst); 885 } 886 887 /* 888 * Deal with PCB security requirements. 889 */ 890 struct tdb * 891 ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, 892 struct tdb *tdbp, struct inpcb *inp, struct ipsec_policy *ipo) 893 { 894 struct ipsec_policy sipon; 895 struct tdb_ident *tdbi; 896 struct m_tag *mtag; 897 struct tdb *tdb = NULL; 898 899 /* Sanity check. */ 900 if (inp == NULL) 901 goto justreturn; 902 903 /* Verify that we need to check for socket policy. */ 904 if ((inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS || 905 inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_NONE) && 906 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS || 907 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_NONE) && 908 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS || 909 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_NONE)) 910 goto justreturn; 911 912 switch (direction) { 913 case IPSP_DIRECTION_IN: 914 /* 915 * Some further checking: if the socket has specified 916 * that it will accept unencrypted traffic, don't 917 * bother checking any further -- just accept the packet. 918 */ 919 if ((inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL || 920 inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_USE) && 921 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL || 922 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_USE) && 923 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL || 924 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_USE)) 925 goto justreturn; 926 927 /* Initialize socket policy if unset. */ 928 if (inp->inp_ipo == NULL) { 929 inp->inp_ipo = ipsec_add_policy(inp, af, 930 IPSP_DIRECTION_OUT); 931 if (inp->inp_ipo == NULL) { 932 *error = ENOBUFS; 933 return NULL; 934 } 935 } 936 937 /* 938 * So we *must* have protected traffic. Let's see what 939 * we have received then. 940 */ 941 if (inp->inp_tdb_in != NULL) { 942 if (inp->inp_tdb_in == tdbp) 943 goto justreturn; /* We received packet under a 944 * previously-accepted TDB. */ 945 946 /* 947 * We should be receiving protected traffic, and 948 * have an SA in place, but packet was received 949 * unprotected. Simply discard. 950 */ 951 if (tdbp == NULL) { 952 *error = -EINVAL; 953 return NULL; 954 } 955 956 /* Update, since we may need all the relevant info. */ 957 ipsec_update_policy(inp, inp->inp_ipo, af, 958 IPSP_DIRECTION_OUT); 959 960 /* 961 * Check that the TDB the packet was received under 962 * is acceptable under the socket policy. If so, 963 * accept the packet; otherwise, discard. 964 */ 965 if (tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto && 966 !bcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst, 967 SA_LEN(&tdbp->tdb_src.sa)) && 968 ipsp_aux_match(tdbp, 969 inp->inp_ipo->ipo_srcid, 970 inp->inp_ipo->ipo_dstid, 971 NULL, NULL, 972 &inp->inp_ipo->ipo_addr, 973 &inp->inp_ipo->ipo_mask)) 974 goto justreturn; 975 else { 976 *error = -EINVAL; 977 return NULL; 978 } 979 } else { 980 /* Update, since we may need all the relevant info. */ 981 ipsec_update_policy(inp, inp->inp_ipo, af, 982 IPSP_DIRECTION_OUT); 983 984 /* 985 * If the packet was received under an SA, see if 986 * it's acceptable under socket policy. If it is, 987 * accept the packet. 988 */ 989 if (tdbp != NULL && 990 tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto && 991 !bcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst, 992 SA_LEN(&tdbp->tdb_src.sa)) && 993 ipsp_aux_match(tdbp, 994 inp->inp_ipo->ipo_srcid, 995 inp->inp_ipo->ipo_dstid, 996 NULL, NULL, 997 &inp->inp_ipo->ipo_addr, 998 &inp->inp_ipo->ipo_mask)) 999 goto justreturn; 1000 1001 /* 1002 * If the packet was not received under an SA, or 1003 * if the SA it was received under is not acceptable, 1004 * see if we already have an acceptable SA 1005 * established. If we do, discard packet. 1006 */ 1007 if (inp->inp_ipo->ipo_last_searched <= 1008 ipsec_last_added) { 1009 inp->inp_ipo->ipo_last_searched = time_second; 1010 1011 /* Do we have an SA already established ? */ 1012 if (gettdbbysrc(rtable_l2(inp->inp_rtableid), 1013 &inp->inp_ipo->ipo_dst, 1014 inp->inp_ipo->ipo_sproto, 1015 inp->inp_ipo->ipo_srcid, 1016 inp->inp_ipo->ipo_dstid, m, af, 1017 &inp->inp_ipo->ipo_addr, 1018 &inp->inp_ipo->ipo_mask) != NULL) { 1019 *error = -EINVAL; 1020 return NULL; 1021 } 1022 /* Fall through */ 1023 } 1024 1025 /* 1026 * If we don't have an appropriate SA, acquire one 1027 * and discard the packet. 1028 */ 1029 ipsp_acquire_sa(inp->inp_ipo, &inp->inp_ipo->ipo_dst, 1030 &inp->inp_ipo->ipo_src, &inp->inp_ipo->ipo_addr, m); 1031 *error = -EINVAL; 1032 return NULL; 1033 } 1034 1035 break; 1036 1037 case IPSP_DIRECTION_OUT: 1038 /* Do we have a cached entry ? */ 1039 if (inp->inp_tdb_out != NULL) { 1040 /* 1041 * If we also have to apply a different TDB as 1042 * a result of a system-wide policy, add a tag 1043 * to the packet. 1044 */ 1045 if (ipo != NULL && m != NULL && 1046 ipo->ipo_tdb != NULL && 1047 ipo->ipo_tdb != inp->inp_tdb_out) { 1048 tdb = inp->inp_tdb_out; 1049 goto tagandreturn; 1050 } else 1051 return inp->inp_tdb_out; 1052 } 1053 1054 /* 1055 * We need to either find an SA with the appropriate 1056 * characteristics and link it to the PCB, or acquire 1057 * one. 1058 */ 1059 /* XXX Only support one policy/protocol for now. */ 1060 if (inp->inp_ipo != NULL) { 1061 if (inp->inp_ipo->ipo_last_searched <= 1062 ipsec_last_added) { 1063 inp->inp_ipo->ipo_last_searched = time_second; 1064 1065 /* Update, just in case. */ 1066 ipsec_update_policy(inp, inp->inp_ipo, af, 1067 IPSP_DIRECTION_OUT); 1068 1069 tdb = gettdbbyaddr(rtable_l2(inp->inp_rtableid), 1070 &inp->inp_ipo->ipo_dst, 1071 inp->inp_ipo->ipo_sproto, 1072 inp->inp_ipo->ipo_srcid, 1073 inp->inp_ipo->ipo_dstid, 1074 inp->inp_ipo->ipo_local_cred, m, af, 1075 &inp->inp_ipo->ipo_addr, 1076 &inp->inp_ipo->ipo_mask); 1077 } 1078 } else { 1079 /* 1080 * Construct a pseudo-policy, with just the necessary 1081 * fields. 1082 */ 1083 ipsec_update_policy(inp, &sipon, af, 1084 IPSP_DIRECTION_OUT); 1085 1086 tdb = gettdbbyaddr(rtable_l2(inp->inp_rtableid), 1087 &sipon.ipo_dst, IPPROTO_ESP, NULL, 1088 NULL, NULL, m, af, &sipon.ipo_addr, 1089 &sipon.ipo_mask); 1090 } 1091 1092 /* If we found an appropriate SA... */ 1093 if (tdb != NULL) { 1094 tdb_add_inp(tdb, inp, 0); /* Latch onto PCB. */ 1095 1096 if (ipo != NULL && ipo->ipo_tdb != NULL && 1097 ipo->ipo_tdb != inp->inp_tdb_out && m != NULL) 1098 goto tagandreturn; 1099 else 1100 return tdb; 1101 } else { 1102 /* Do we need to acquire one ? */ 1103 switch (inp->inp_seclevel[SL_ESP_TRANS]) { 1104 case IPSEC_LEVEL_BYPASS: 1105 case IPSEC_LEVEL_AVAIL: 1106 /* No need to do anything. */ 1107 goto justreturn; 1108 case IPSEC_LEVEL_USE: 1109 case IPSEC_LEVEL_REQUIRE: 1110 case IPSEC_LEVEL_UNIQUE: 1111 /* Initialize socket policy if unset. */ 1112 if (inp->inp_ipo == NULL) { 1113 inp->inp_ipo = ipsec_add_policy(inp, af, IPSP_DIRECTION_OUT); 1114 if (inp->inp_ipo == NULL) { 1115 *error = ENOBUFS; 1116 return NULL; 1117 } 1118 } 1119 1120 /* Acquire a new SA. */ 1121 if ((*error = ipsp_acquire_sa(inp->inp_ipo, 1122 &inp->inp_ipo->ipo_dst, 1123 &inp->inp_ipo->ipo_src, 1124 &inp->inp_ipo->ipo_addr, m)) == 0) 1125 *error = -EINVAL; 1126 1127 return NULL; 1128 default: 1129 DPRINTF(("ipsp_spd_inp: unknown sock security" 1130 " level %d", 1131 inp->inp_seclevel[SL_ESP_TRANS])); 1132 *error = -EINVAL; 1133 return NULL; 1134 } 1135 } 1136 break; 1137 1138 default: /* Should never happen. */ 1139 *error = -EINVAL; 1140 return NULL; 1141 } 1142 1143 tagandreturn: 1144 if (tdb == NULL) 1145 goto justreturn; 1146 1147 mtag = m_tag_get(PACKET_TAG_IPSEC_PENDING_TDB, 1148 sizeof (struct tdb_ident), M_NOWAIT); 1149 if (mtag == NULL) { 1150 *error = ENOMEM; 1151 return NULL; 1152 } 1153 1154 tdbi = (struct tdb_ident *)(mtag + 1); 1155 tdbi->spi = ipo->ipo_tdb->tdb_spi; 1156 tdbi->proto = ipo->ipo_tdb->tdb_sproto; 1157 tdbi->rdomain = rtable_l2(inp->inp_rtableid); 1158 bcopy(&ipo->ipo_tdb->tdb_dst, &tdbi->dst, 1159 ipo->ipo_tdb->tdb_dst.sa.sa_len); 1160 m_tag_prepend(m, mtag); 1161 return tdb; 1162 1163 justreturn: 1164 if (ipo != NULL) 1165 return ipo->ipo_tdb; 1166 else 1167 return NULL; 1168 } 1169 1170 /* 1171 * Find a pending ACQUIRE record based on its sequence number. 1172 * XXX Need to use a better data structure. 1173 */ 1174 struct ipsec_acquire * 1175 ipsec_get_acquire(u_int32_t seq) 1176 { 1177 struct ipsec_acquire *ipa; 1178 1179 TAILQ_FOREACH (ipa, &ipsec_acquire_head, ipa_next) 1180 if (ipa->ipa_seq == seq) 1181 return ipa; 1182 1183 return NULL; 1184 } 1185