sys/netipsec/ipsec_pcb.c

   1 /*-
   2  * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  *
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in the
  13  *    documentation and/or other materials provided with the distribution.
  14  *
  15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  25  */
  26
  27 #include <sys/cdefs.h>
  28 __FBSDID("$FreeBSD$");
  29
  30 #include "opt_inet.h"
  31 #include "opt_inet6.h"
  32 #include "opt_ipsec.h"
  33
  34 #include <sys/param.h>
  35 #include <sys/systm.h>
  36 #include <sys/kernel.h>
  37 #include <sys/lock.h>
  38 #include <sys/malloc.h>
  39 #include <sys/mbuf.h>
  40 #include <sys/priv.h>
  41 #include <sys/socket.h>
  42 #include <sys/sockopt.h>
  43 #include <sys/syslog.h>
  44 #include <sys/proc.h>
  45
  46 #include <netinet/in.h>
  47 #include <netinet/in_pcb.h>
  48
  49 #include <netipsec/ipsec.h>
  50 #include <netipsec/ipsec6.h>
  51 #include <netipsec/ipsec_support.h>
  52 #include <netipsec/key.h>
  53 #include <netipsec/key_debug.h>
  54
  55 MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
  56
  57 static void
  58 ipsec_setsockaddrs_inpcb(struct inpcb *inp, union sockaddr_union *src,
  59     union sockaddr_union *dst, u_int dir)
  60 {
  61
  62 #ifdef INET6
  63         if (inp->inp_vflag & INP_IPV6) {
  64                 struct sockaddr_in6 *sin6;
  65
  66                 bzero(&src->sin6, sizeof(src->sin6));
  67                 bzero(&dst->sin6, sizeof(dst->sin6));
  68                 src->sin6.sin6_family = AF_INET6;
  69                 src->sin6.sin6_len = sizeof(struct sockaddr_in6);
  70                 dst->sin6.sin6_family = AF_INET6;
  71                 dst->sin6.sin6_len = sizeof(struct sockaddr_in6);
  72
  73                 if (dir == IPSEC_DIR_OUTBOUND)
  74                         sin6 = &src->sin6;
  75                 else
  76                         sin6 = &dst->sin6;
  77                 sin6->sin6_addr = inp->in6p_laddr;
  78                 sin6->sin6_port = inp->inp_lport;
  79                 if (IN6_IS_SCOPE_LINKLOCAL(&inp->in6p_laddr)) {
  80                         /* XXXAE: use in6p_zoneid */
  81                         sin6->sin6_addr.s6_addr16[1] = 0;
  82                         sin6->sin6_scope_id = ntohs(
  83                             inp->in6p_laddr.s6_addr16[1]);
  84                 }
  85
  86                 if (dir == IPSEC_DIR_OUTBOUND)
  87                         sin6 = &dst->sin6;
  88                 else
  89                         sin6 = &src->sin6;
  90                 sin6->sin6_addr = inp->in6p_faddr;
  91                 sin6->sin6_port = inp->inp_fport;
  92                 if (IN6_IS_SCOPE_LINKLOCAL(&inp->in6p_faddr)) {
  93                         /* XXXAE: use in6p_zoneid */
  94                         sin6->sin6_addr.s6_addr16[1] = 0;
  95                         sin6->sin6_scope_id = ntohs(
  96                             inp->in6p_faddr.s6_addr16[1]);
  97                 }
  98         }
  99 #endif
 100 #ifdef INET
 101         if (inp->inp_vflag & INP_IPV4) {
 102                 struct sockaddr_in *sin;
 103
 104                 bzero(&src->sin, sizeof(src->sin));
 105                 bzero(&dst->sin, sizeof(dst->sin));
 106                 src->sin.sin_family = AF_INET;
 107                 src->sin.sin_len = sizeof(struct sockaddr_in);
 108                 dst->sin.sin_family = AF_INET;
 109                 dst->sin.sin_len = sizeof(struct sockaddr_in);
 110
 111                 if (dir == IPSEC_DIR_OUTBOUND)
 112                         sin = &src->sin;
 113                 else
 114                         sin = &dst->sin;
 115                 sin->sin_addr = inp->inp_laddr;
 116                 sin->sin_port = inp->inp_lport;
 117
 118                 if (dir == IPSEC_DIR_OUTBOUND)
 119                         sin = &dst->sin;
 120                 else
 121                         sin = &src->sin;
 122                 sin->sin_addr = inp->inp_faddr;
 123                 sin->sin_port = inp->inp_fport;
 124         }
 125 #endif
 126 }
 127
 128 void
 129 ipsec_setspidx_inpcb(struct inpcb *inp, struct secpolicyindex *spidx,
 130     u_int dir)
 131 {
 132
 133         ipsec_setsockaddrs_inpcb(inp, &spidx->src, &spidx->dst, dir);
 134 #ifdef INET6
 135         if (inp->inp_vflag & INP_IPV6) {
 136                 spidx->prefs = sizeof(struct in6_addr) << 3;
 137                 spidx->prefd = sizeof(struct in6_addr) << 3;
 138         }
 139 #endif
 140 #ifdef INET
 141         if (inp->inp_vflag & INP_IPV4) {
 142                 spidx->prefs = sizeof(struct in_addr) << 3;
 143                 spidx->prefd = sizeof(struct in_addr) << 3;
 144         }
 145 #endif
 146         spidx->ul_proto = IPPROTO_TCP; /* XXX: currently only TCP uses this */
 147         spidx->dir = dir;
 148         KEYDBG(IPSEC_DUMP,
 149             printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL));
 150 }
 151
 152 /* Initialize PCB policy. */
 153 int
 154 ipsec_init_pcbpolicy(struct inpcb *inp)
 155 {
 156
 157         IPSEC_ASSERT(inp != NULL, ("null inp"));
 158         IPSEC_ASSERT(inp->inp_sp == NULL, ("inp_sp already initialized"));
 159
 160         inp->inp_sp = malloc(sizeof(struct inpcbpolicy), M_IPSEC_INPCB,
 161             M_NOWAIT | M_ZERO);
 162         if (inp->inp_sp == NULL)
 163                 return (ENOBUFS);
 164         return (0);
 165 }
 166
 167 /* Delete PCB policy. */
 168 int
 169 ipsec_delete_pcbpolicy(struct inpcb *inp)
 170 {
 171
 172         if (inp->inp_sp == NULL)
 173                 return (0);
 174
 175         if (inp->inp_sp->sp_in != NULL)
 176                 key_freesp(&inp->inp_sp->sp_in);
 177
 178         if (inp->inp_sp->sp_out != NULL)
 179                 key_freesp(&inp->inp_sp->sp_out);
 180
 181         free(inp->inp_sp, M_IPSEC_INPCB);
 182         inp->inp_sp = NULL;
 183         return (0);
 184 }
 185
 186 /* Deep-copy a policy in PCB. */
 187 static struct secpolicy *
 188 ipsec_deepcopy_pcbpolicy(struct secpolicy *src)
 189 {
 190         struct secpolicy *dst;
 191         int i;
 192
 193         if (src == NULL)
 194                 return (NULL);
 195
 196         IPSEC_ASSERT(src->state == IPSEC_SPSTATE_PCB, ("SP isn't PCB"));
 197
 198         dst = key_newsp();
 199         if (dst == NULL)
 200                 return (NULL);
 201
 202         /* spidx is not copied here */
 203         dst->policy = src->policy;
 204         dst->state = src->state;
 205         dst->priority = src->priority;
 206         /* Do not touch the refcnt field. */
 207
 208         /* Copy IPsec request chain. */
 209         for (i = 0; i < src->tcount; i++) {
 210                 dst->req[i] = ipsec_newisr();
 211                 if (dst->req[i] == NULL) {
 212                         key_freesp(&dst);
 213                         return (NULL);
 214                 }
 215                 bcopy(src->req[i], dst->req[i], sizeof(struct ipsecrequest));
 216                 dst->tcount++;
 217         }
 218         KEYDBG(IPSEC_DUMP,
 219             printf("%s: copied SP(%p) -> SP(%p)\n", __func__, src, dst);
 220             kdebug_secpolicy(dst));
 221         return (dst);
 222 }
 223
 224 /*
 225  * Copy IPsec policy from old INPCB into new.
 226  * It is expected that new INPCB has not configured policies.
 227  */
 228 int
 229 ipsec_copy_pcbpolicy(struct inpcb *old, struct inpcb *new)
 230 {
 231         struct secpolicy *sp;
 232
 233         /*
 234          * old->inp_sp can be NULL if PCB was created when an IPsec
 235          * support was unavailable. This is not an error, we don't have
 236          * policies in this PCB, so nothing to copy.
 237          */
 238         if (old->inp_sp == NULL)
 239                 return (0);
 240
 241         IPSEC_ASSERT(new->inp_sp != NULL, ("new inp_sp is NULL"));
 242         IPSEC_ASSERT((new->inp_sp->flags & (
 243             INP_INBOUND_POLICY | INP_OUTBOUND_POLICY)) == 0,
 244             ("new PCB already has configured policies"));
 245         INP_WLOCK_ASSERT(new);
 246         INP_LOCK_ASSERT(old);
 247
 248         if (old->inp_sp->flags & INP_INBOUND_POLICY) {
 249                 sp = ipsec_deepcopy_pcbpolicy(old->inp_sp->sp_in);
 250                 if (sp == NULL)
 251                         return (ENOBUFS);
 252                 ipsec_setspidx_inpcb(new, &sp->spidx, IPSEC_DIR_INBOUND);
 253                 if (new->inp_sp->sp_in != NULL)
 254                         key_freesp(&new->inp_sp->sp_in);
 255                 new->inp_sp->sp_in = sp;
 256                 new->inp_sp->flags |= INP_INBOUND_POLICY;
 257         }
 258         if (old->inp_sp->flags & INP_OUTBOUND_POLICY) {
 259                 sp = ipsec_deepcopy_pcbpolicy(old->inp_sp->sp_out);
 260                 if (sp == NULL)
 261                         return (ENOBUFS);
 262                 ipsec_setspidx_inpcb(new, &sp->spidx, IPSEC_DIR_OUTBOUND);
 263                 if (new->inp_sp->sp_out != NULL)
 264                         key_freesp(&new->inp_sp->sp_out);
 265                 new->inp_sp->sp_out = sp;
 266                 new->inp_sp->flags |= INP_OUTBOUND_POLICY;
 267         }
 268         return (0);
 269 }
 270
 271 static int
 272 ipsec_set_pcbpolicy(struct inpcb *inp, struct ucred *cred,
 273     void *request, size_t len)
 274 {
 275         struct sadb_x_policy *xpl;
 276         struct secpolicy **spp, *newsp;
 277         int error, flags;
 278
 279         xpl = (struct sadb_x_policy *)request;
 280         /* Select direction. */
 281         switch (xpl->sadb_x_policy_dir) {
 282         case IPSEC_DIR_INBOUND:
 283         case IPSEC_DIR_OUTBOUND:
 284                 break;
 285         default:
 286                 ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
 287                         xpl->sadb_x_policy_dir));
 288                 return (EINVAL);
 289         }
 290         /*
 291          * Privileged sockets are allowed to set own security policy
 292          * and configure IPsec bypass. Unprivileged sockets only can
 293          * have ENTRUST policy.
 294          */
 295         switch (xpl->sadb_x_policy_type) {
 296         case IPSEC_POLICY_IPSEC:
 297         case IPSEC_POLICY_BYPASS:
 298                 if (cred != NULL &&
 299                     priv_check_cred(cred, PRIV_NETINET_IPSEC) != 0)
 300                         return (EACCES);
 301                 /* Allocate new SP entry. */
 302                 newsp = key_msg2sp(xpl, len, &error);
 303                 if (newsp == NULL)
 304                         return (error);
 305                 newsp->state = IPSEC_SPSTATE_PCB;
 306                 newsp->spidx.ul_proto = IPSEC_ULPROTO_ANY;
 307 #ifdef INET
 308                 if (inp->inp_vflag & INP_IPV4) {
 309                         newsp->spidx.src.sin.sin_family =
 310                             newsp->spidx.dst.sin.sin_family = AF_INET;
 311                         newsp->spidx.src.sin.sin_len =
 312                             newsp->spidx.dst.sin.sin_len =
 313                             sizeof(struct sockaddr_in);
 314                 }
 315 #endif
 316 #ifdef INET6
 317                 if (inp->inp_vflag & INP_IPV6) {
 318                         newsp->spidx.src.sin6.sin6_family =
 319                             newsp->spidx.dst.sin6.sin6_family = AF_INET6;
 320                         newsp->spidx.src.sin6.sin6_len =
 321                             newsp->spidx.dst.sin6.sin6_len =
 322                             sizeof(struct sockaddr_in6);
 323                 }
 324 #endif
 325                 break;
 326         case IPSEC_POLICY_ENTRUST:
 327                 /* We just use NULL pointer for ENTRUST policy */
 328                 newsp = NULL;
 329                 break;
 330         default:
 331                 /* Other security policy types aren't allowed for PCB */
 332                 return (EINVAL);
 333         }
 334
 335         INP_WLOCK(inp);
 336         if (xpl->sadb_x_policy_dir == IPSEC_DIR_INBOUND) {
 337                 spp = &inp->inp_sp->sp_in;
 338                 flags = INP_INBOUND_POLICY;
 339         } else {
 340                 spp = &inp->inp_sp->sp_out;
 341                 flags = INP_OUTBOUND_POLICY;
 342         }
 343         /* Clear old SP and set new SP. */
 344         if (*spp != NULL)
 345                 key_freesp(spp);
 346         *spp = newsp;
 347         KEYDBG(IPSEC_DUMP,
 348             printf("%s: new SP(%p)\n", __func__, newsp));
 349         if (newsp == NULL)
 350                 inp->inp_sp->flags &= ~flags;
 351         else {
 352                 inp->inp_sp->flags |= flags;
 353                 KEYDBG(IPSEC_DUMP, kdebug_secpolicy(newsp));
 354         }
 355         INP_WUNLOCK(inp);
 356         return (0);
 357 }
 358
 359 static int
 360 ipsec_get_pcbpolicy(struct inpcb *inp, void *request, size_t *len)
 361 {
 362         struct sadb_x_policy *xpl;
 363         struct secpolicy *sp;
 364         int error, flags;
 365
 366         xpl = (struct sadb_x_policy *)request;
 367
 368         INP_RLOCK(inp);
 369         flags = inp->inp_sp->flags;
 370         /* Select direction. */
 371         switch (xpl->sadb_x_policy_dir) {
 372         case IPSEC_DIR_INBOUND:
 373                 sp = inp->inp_sp->sp_in;
 374                 flags &= INP_INBOUND_POLICY;
 375                 break;
 376         case IPSEC_DIR_OUTBOUND:
 377                 sp = inp->inp_sp->sp_out;
 378                 flags &= INP_OUTBOUND_POLICY;
 379                 break;
 380         default:
 381                 INP_RUNLOCK(inp);
 382                 ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
 383                         xpl->sadb_x_policy_dir));
 384                 return (EINVAL);
 385         }
 386
 387         if (flags == 0) {
 388                 /* Return ENTRUST policy */
 389                 INP_RUNLOCK(inp);
 390                 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 391                 xpl->sadb_x_policy_type = IPSEC_POLICY_ENTRUST;
 392                 xpl->sadb_x_policy_id = 0;
 393                 xpl->sadb_x_policy_priority = 0;
 394                 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl));
 395                 *len = sizeof(*xpl);
 396                 return (0);
 397         }
 398
 399         IPSEC_ASSERT(sp != NULL,
 400             ("sp is NULL, but flags is 0x%04x", inp->inp_sp->flags));
 401
 402         key_addref(sp);
 403         INP_RUNLOCK(inp);
 404         error = key_sp2msg(sp, request, len);
 405         key_freesp(&sp);
 406         if (error == EINVAL)
 407                 return (error);
 408         /*
 409          * We return "success", but user should check *len.
 410          * *len will be set to size of valid data and
 411          * sadb_x_policy_len will contain needed size.
 412          */
 413         return (0);
 414 }
 415
 416 /* Handle socket option control request for PCB */
 417 static int
 418 ipsec_control_pcbpolicy(struct inpcb *inp, struct sockopt *sopt)
 419 {
 420         void *optdata;
 421         size_t optlen;
 422         int error;
 423
 424         if (inp->inp_sp == NULL)
 425                 return (ENOPROTOOPT);
 426
 427         /* Limit maximum request size to PAGE_SIZE */
 428         optlen = sopt->sopt_valsize;
 429         if (optlen < sizeof(struct sadb_x_policy) || optlen > PAGE_SIZE)
 430                 return (EINVAL);
 431
 432         optdata = malloc(optlen, M_TEMP, sopt->sopt_td ? M_WAITOK: M_NOWAIT);
 433         if (optdata == NULL)
 434                 return (ENOBUFS);
 435         /*
 436          * We need a hint from the user, what policy is requested - input
 437          * or output? User should specify it in the buffer, even for
 438          * setsockopt().
 439          */
 440         error = sooptcopyin(sopt, optdata, optlen, optlen);
 441         if (error == 0) {
 442                 if (sopt->sopt_dir == SOPT_SET)
 443                         error = ipsec_set_pcbpolicy(inp,
 444                             sopt->sopt_td ? sopt->sopt_td->td_ucred: NULL,
 445                             optdata, optlen);
 446                 else {
 447                         error = ipsec_get_pcbpolicy(inp, optdata, &optlen);
 448                         if (error == 0)
 449                                 error = sooptcopyout(sopt, optdata, optlen);
 450                 }
 451         }
 452         free(optdata, M_TEMP);
 453         return (error);
 454 }
 455
 456 #ifdef INET
 457 /*
 458  * IPSEC_PCBCTL() method implementation for IPv4.
 459  */
 460 int
 461 ipsec4_pcbctl(struct inpcb *inp, struct sockopt *sopt)
 462 {
 463
 464         if (sopt->sopt_name != IP_IPSEC_POLICY)
 465                 return (ENOPROTOOPT);
 466         return (ipsec_control_pcbpolicy(inp, sopt));
 467 }
 468 #endif
 469
 470 #ifdef INET6
 471 /*
 472  * IPSEC_PCBCTL() method implementation for IPv6.
 473  */
 474 int
 475 ipsec6_pcbctl(struct inpcb *inp, struct sockopt *sopt)
 476 {
 477
 478         if (sopt->sopt_name != IPV6_IPSEC_POLICY)
 479                 return (ENOPROTOOPT);
 480         return (ipsec_control_pcbpolicy(inp, sopt));
 481 }
 482 #endif