1 /* 2 * Copyright (C) 2001-2003 by Darren Reed 3 * 4 * See the IPFILTER.LICENCE file for details on licencing. 5 * 6 * Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT 7 * code. 8 * 9 * $Id: ip_ipsec_pxy.c,v 2.20.2.7 2005/07/15 21:56:50 darrenr Exp $ 10 * 11 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 12 * Use is subject to license terms. 13 */ 14 15 #pragma ident "%Z%%M% %I% %E% SMI" 16 17 #define IPF_IPSEC_PROXY 18 19 typedef struct ifs_ipsecpxy { 20 frentry_t ipsecfr; 21 ipftq_t *ipsecnattqe; 22 ipftq_t *ipsecstatetqe; 23 char ipsec_buffer[1500]; 24 int ipsec_proxy_init; 25 int ipsec_proxy_ttl; 26 } ifs_ipsecpxy_t; 27 28 int ippr_ipsec_init __P((void **, ipf_stack_t *)); 29 void ippr_ipsec_fini __P((void **, ipf_stack_t *)); 30 int ippr_ipsec_new __P((fr_info_t *, ap_session_t *, nat_t *, void *)); 31 void ippr_ipsec_del __P((ap_session_t *, void *, ipf_stack_t *)); 32 int ippr_ipsec_inout __P((fr_info_t *, ap_session_t *, nat_t *, void *)); 33 int ippr_ipsec_match __P((fr_info_t *, ap_session_t *, nat_t *, void *)); 34 35 /* 36 * IPSec application proxy initialization. 37 */ 38 int ippr_ipsec_init(private, ifs) 39 void **private; 40 ipf_stack_t *ifs; 41 { 42 ifs_ipsecpxy_t *ifsipsec; 43 44 KMALLOC(ifsipsec, ifs_ipsecpxy_t *); 45 if (ifsipsec == NULL) 46 return -1; 47 48 bzero((char *)&ifsipsec->ipsecfr, sizeof(ifsipsec->ipsecfr)); 49 ifsipsec->ipsecfr.fr_ref = 1; 50 ifsipsec->ipsecfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE; 51 MUTEX_INIT(&ifsipsec->ipsecfr.fr_lock, "IPsec proxy rule lock"); 52 ifsipsec->ipsec_proxy_init = 1; 53 ifsipsec->ipsec_proxy_ttl = 60; 54 55 ifsipsec->ipsecnattqe = fr_addtimeoutqueue(&ifs->ifs_nat_utqe, ifsipsec->ipsec_proxy_ttl, ifs); 56 if (ifsipsec->ipsecnattqe == NULL) { 57 MUTEX_DESTROY(&ifsipsec->ipsecfr.fr_lock); 58 KFREE(ifsipsec); 59 return -1; 60 } 61 ifsipsec->ipsecstatetqe = fr_addtimeoutqueue(&ifs->ifs_ips_utqe, ifsipsec->ipsec_proxy_ttl, ifs); 62 if (ifsipsec->ipsecstatetqe == NULL) { 63 if (fr_deletetimeoutqueue(ifsipsec->ipsecnattqe) == 0) 64 fr_freetimeoutqueue(ifsipsec->ipsecnattqe, ifs); 65 ifsipsec->ipsecnattqe = NULL; 66 MUTEX_DESTROY(&ifsipsec->ipsecfr.fr_lock); 67 KFREE(ifsipsec); 68 return -1; 69 } 70 71 ifsipsec->ipsecnattqe->ifq_flags |= IFQF_PROXY; 72 ifsipsec->ipsecstatetqe->ifq_flags |= IFQF_PROXY; 73 74 ifsipsec->ipsecfr.fr_age[0] = ifsipsec->ipsec_proxy_ttl; 75 ifsipsec->ipsecfr.fr_age[1] = ifsipsec->ipsec_proxy_ttl; 76 77 *private = (void *)ifsipsec; 78 79 return 0; 80 } 81 82 83 void ippr_ipsec_fini(private, ifs) 84 void **private; 85 ipf_stack_t *ifs; 86 { 87 ifs_ipsecpxy_t *ifsipsec = *((ifs_ipsecpxy_t **)private); 88 89 if (ifsipsec->ipsecnattqe != NULL) { 90 if (fr_deletetimeoutqueue(ifsipsec->ipsecnattqe) == 0) 91 fr_freetimeoutqueue(ifsipsec->ipsecnattqe, ifs); 92 } 93 ifsipsec->ipsecnattqe = NULL; 94 if (ifsipsec->ipsecstatetqe != NULL) { 95 if (fr_deletetimeoutqueue(ifsipsec->ipsecstatetqe) == 0) 96 fr_freetimeoutqueue(ifsipsec->ipsecstatetqe, ifs); 97 } 98 ifsipsec->ipsecstatetqe = NULL; 99 100 if (ifsipsec->ipsec_proxy_init == 1) { 101 MUTEX_DESTROY(&ifsipsec->ipsecfr.fr_lock); 102 ifsipsec->ipsec_proxy_init = 0; 103 } 104 105 KFREE(ifsipsec); 106 *private = NULL; 107 } 108 109 110 /* 111 * Setup for a new IPSEC proxy. 112 */ 113 int ippr_ipsec_new(fin, aps, nat, private) 114 fr_info_t *fin; 115 ap_session_t *aps; 116 nat_t *nat; 117 void *private; 118 { 119 ipsec_pxy_t *ipsec; 120 fr_info_t fi; 121 ipnat_t *ipn; 122 char *ptr; 123 int p, off, dlen, ttl; 124 mb_t *m; 125 ip_t *ip; 126 ipf_stack_t *ifs = fin->fin_ifs; 127 ifs_ipsecpxy_t *ifsipsec = (ifs_ipsecpxy_t *)private; 128 129 off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff; 130 bzero(ifsipsec->ipsec_buffer, sizeof(ifsipsec->ipsec_buffer)); 131 ip = fin->fin_ip; 132 m = fin->fin_m; 133 134 dlen = M_LEN(m) - off; 135 if (dlen < 16) 136 return -1; 137 COPYDATA(m, off, MIN(sizeof(ifsipsec->ipsec_buffer), dlen), 138 ifsipsec->ipsec_buffer); 139 140 if (nat_outlookup(fin, 0, IPPROTO_ESP, nat->nat_inip, 141 ip->ip_dst) != NULL) 142 return -1; 143 144 aps->aps_psiz = sizeof(*ipsec); 145 KMALLOCS(aps->aps_data, ipsec_pxy_t *, sizeof(*ipsec)); 146 if (aps->aps_data == NULL) 147 return -1; 148 149 ipsec = aps->aps_data; 150 bzero((char *)ipsec, sizeof(*ipsec)); 151 152 /* 153 * Create NAT rule against which the tunnel/transport mapping is 154 * created. This is required because the current NAT rule does not 155 * describe ESP but UDP instead. 156 */ 157 ipn = &ipsec->ipsc_rule; 158 ttl = IPF_TTLVAL(ifsipsec->ipsecnattqe->ifq_ttl); 159 ipn->in_tqehead[0] = fr_addtimeoutqueue(&ifs->ifs_nat_utqe, ttl, ifs); 160 ipn->in_tqehead[1] = fr_addtimeoutqueue(&ifs->ifs_nat_utqe, ttl, ifs); 161 ipn->in_ifps[0] = fin->fin_ifp; 162 ipn->in_apr = NULL; 163 ipn->in_use = 1; 164 ipn->in_hits = 1; 165 ipn->in_nip = ntohl(nat->nat_outip.s_addr); 166 ipn->in_ippip = 1; 167 ipn->in_inip = nat->nat_inip.s_addr; 168 ipn->in_inmsk = 0xffffffff; 169 ipn->in_outip = fin->fin_saddr; 170 ipn->in_outmsk = nat->nat_outip.s_addr; 171 ipn->in_srcip = fin->fin_saddr; 172 ipn->in_srcmsk = 0xffffffff; 173 ipn->in_redir = NAT_MAP; 174 bcopy(nat->nat_ptr->in_ifnames[0], ipn->in_ifnames[0], 175 sizeof(ipn->in_ifnames[0])); 176 ipn->in_p = IPPROTO_ESP; 177 178 bcopy((char *)fin, (char *)&fi, sizeof(fi)); 179 fi.fin_state = NULL; 180 fi.fin_nat = NULL; 181 fi.fin_fi.fi_p = IPPROTO_ESP; 182 fi.fin_fr = &ifsipsec->ipsecfr; 183 fi.fin_data[0] = 0; 184 fi.fin_data[1] = 0; 185 p = ip->ip_p; 186 ip->ip_p = IPPROTO_ESP; 187 fi.fin_flx &= ~(FI_TCPUDP|FI_STATE|FI_FRAG); 188 fi.fin_flx |= FI_IGNORE; 189 190 ptr = ifsipsec->ipsec_buffer; 191 bcopy(ptr, (char *)ipsec->ipsc_icookie, sizeof(ipsec_cookie_t)); 192 ptr += sizeof(ipsec_cookie_t); 193 bcopy(ptr, (char *)ipsec->ipsc_rcookie, sizeof(ipsec_cookie_t)); 194 /* 195 * The responder cookie should only be non-zero if the initiator 196 * cookie is non-zero. Therefore, it is safe to assume(!) that the 197 * cookies are both set after copying if the responder is non-zero. 198 */ 199 if ((ipsec->ipsc_rcookie[0]|ipsec->ipsc_rcookie[1]) != 0) 200 ipsec->ipsc_rckset = 1; 201 202 ipsec->ipsc_nat = nat_new(&fi, ipn, &ipsec->ipsc_nat, 203 NAT_SLAVE|SI_WILDP, NAT_OUTBOUND); 204 if (ipsec->ipsc_nat != NULL) { 205 (void) nat_proto(&fi, ipsec->ipsc_nat, 0); 206 nat_update(&fi, ipsec->ipsc_nat, ipn); 207 208 fi.fin_data[0] = 0; 209 fi.fin_data[1] = 0; 210 ipsec->ipsc_state = fr_addstate(&fi, &ipsec->ipsc_state, 211 SI_WILDP); 212 if (fi.fin_state != NULL) 213 fr_statederef(&fi, (ipstate_t **)&fi.fin_state, ifs); 214 } 215 ip->ip_p = p & 0xff; 216 return 0; 217 } 218 219 220 /* 221 * For outgoing IKE packets. refresh timeouts for NAT & state entries, if 222 * we can. If they have disappeared, recreate them. 223 */ 224 int ippr_ipsec_inout(fin, aps, nat, private) 225 fr_info_t *fin; 226 ap_session_t *aps; 227 nat_t *nat; 228 void *private; 229 { 230 ipsec_pxy_t *ipsec; 231 fr_info_t fi; 232 ip_t *ip; 233 int p; 234 ipf_stack_t *ifs = fin->fin_ifs; 235 ifs_ipsecpxy_t *ifsipsec = (ifs_ipsecpxy_t *)private; 236 237 if ((fin->fin_out == 1) && (nat->nat_dir == NAT_INBOUND)) 238 return 0; 239 240 if ((fin->fin_out == 0) && (nat->nat_dir == NAT_OUTBOUND)) 241 return 0; 242 243 ipsec = aps->aps_data; 244 245 if (ipsec != NULL) { 246 ip = fin->fin_ip; 247 p = ip->ip_p; 248 249 if ((ipsec->ipsc_nat == NULL) || (ipsec->ipsc_state == NULL)) { 250 bcopy((char *)fin, (char *)&fi, sizeof(fi)); 251 fi.fin_state = NULL; 252 fi.fin_nat = NULL; 253 fi.fin_fi.fi_p = IPPROTO_ESP; 254 fi.fin_fr = &ifsipsec->ipsecfr; 255 fi.fin_data[0] = 0; 256 fi.fin_data[1] = 0; 257 ip->ip_p = IPPROTO_ESP; 258 fi.fin_flx &= ~(FI_TCPUDP|FI_STATE|FI_FRAG); 259 fi.fin_flx |= FI_IGNORE; 260 } 261 262 /* 263 * Update NAT timeout/create NAT if missing. 264 */ 265 if (ipsec->ipsc_nat != NULL) 266 fr_queueback(&ipsec->ipsc_nat->nat_tqe, ifs); 267 else { 268 ipsec->ipsc_nat = nat_new(&fi, &ipsec->ipsc_rule, 269 &ipsec->ipsc_nat, 270 NAT_SLAVE|SI_WILDP, 271 nat->nat_dir); 272 if (ipsec->ipsc_nat != NULL) { 273 (void) nat_proto(&fi, ipsec->ipsc_nat, 0); 274 nat_update(&fi, ipsec->ipsc_nat, 275 &ipsec->ipsc_rule); 276 } 277 } 278 279 /* 280 * Update state timeout/create state if missing. 281 */ 282 READ_ENTER(&ifs->ifs_ipf_state); 283 if (ipsec->ipsc_state != NULL) { 284 fr_queueback(&ipsec->ipsc_state->is_sti, ifs); 285 ipsec->ipsc_state->is_die = nat->nat_age; 286 RWLOCK_EXIT(&ifs->ifs_ipf_state); 287 } else { 288 RWLOCK_EXIT(&ifs->ifs_ipf_state); 289 fi.fin_data[0] = 0; 290 fi.fin_data[1] = 0; 291 ipsec->ipsc_state = fr_addstate(&fi, 292 &ipsec->ipsc_state, 293 SI_WILDP); 294 if (fi.fin_state != NULL) 295 fr_statederef(&fi, (ipstate_t **)&fi.fin_state, ifs); 296 } 297 ip->ip_p = p; 298 } 299 return 0; 300 } 301 302 303 /* 304 * This extends the NAT matching to be based on the cookies associated with 305 * a session and found at the front of IKE packets. The cookies are always 306 * in the same order (not reversed depending on packet flow direction as with 307 * UDP/TCP port numbers). 308 */ 309 /*ARGSUSED*/ 310 int ippr_ipsec_match(fin, aps, nat, private) 311 fr_info_t *fin; 312 ap_session_t *aps; 313 nat_t *nat; 314 void *private; 315 { 316 ipsec_pxy_t *ipsec; 317 u_32_t cookies[4]; 318 mb_t *m; 319 int off; 320 321 nat = nat; /* LINT */ 322 323 if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_flx & FI_FRAG)) 324 return -1; 325 326 off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff; 327 ipsec = aps->aps_data; 328 m = fin->fin_m; 329 COPYDATA(m, off, sizeof(cookies), (char *)cookies); 330 331 if ((cookies[0] != ipsec->ipsc_icookie[0]) || 332 (cookies[1] != ipsec->ipsc_icookie[1])) 333 return -1; 334 335 if (ipsec->ipsc_rckset == 0) { 336 if ((cookies[2]|cookies[3]) == 0) { 337 return 0; 338 } 339 ipsec->ipsc_rckset = 1; 340 ipsec->ipsc_rcookie[0] = cookies[2]; 341 ipsec->ipsc_rcookie[1] = cookies[3]; 342 return 0; 343 } 344 345 if ((cookies[2] != ipsec->ipsc_rcookie[0]) || 346 (cookies[3] != ipsec->ipsc_rcookie[1])) 347 return -1; 348 return 0; 349 } 350 351 352 /* 353 * clean up after ourselves. 354 */ 355 /*ARGSUSED*/ 356 void ippr_ipsec_del(aps, private, ifs) 357 ap_session_t *aps; 358 void *private; 359 ipf_stack_t *ifs; 360 { 361 ipsec_pxy_t *ipsec; 362 363 ipsec = aps->aps_data; 364 365 if (ipsec != NULL) { 366 /* 367 * Don't bother changing any of the NAT structure details, 368 * *_del() is on a callback from aps_free(), from nat_delete() 369 */ 370 371 READ_ENTER(&ifs->ifs_ipf_state); 372 if (ipsec->ipsc_state != NULL) { 373 ipsec->ipsc_state->is_die = ifs->ifs_fr_ticks + 1; 374 ipsec->ipsc_state->is_me = NULL; 375 fr_queuefront(&ipsec->ipsc_state->is_sti); 376 } 377 RWLOCK_EXIT(&ifs->ifs_ipf_state); 378 379 ipsec->ipsc_state = NULL; 380 ipsec->ipsc_nat = NULL; 381 } 382 } 383