xref: /freebsd/sys/netipsec/ipsec_pcb.c (revision ebacd8013fe5f7fdf9f6a5b286f6680dd2891036)
1 /*-
2  * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
29 
30 #include "opt_inet.h"
31 #include "opt_inet6.h"
32 #include "opt_ipsec.h"
33 
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/kernel.h>
37 #include <sys/lock.h>
38 #include <sys/malloc.h>
39 #include <sys/mbuf.h>
40 #include <sys/priv.h>
41 #include <sys/socket.h>
42 #include <sys/sockopt.h>
43 #include <sys/syslog.h>
44 #include <sys/proc.h>
45 
46 #include <netinet/in.h>
47 #include <netinet/in_pcb.h>
48 
49 #include <netipsec/ipsec.h>
50 #include <netipsec/ipsec6.h>
51 #include <netipsec/ipsec_support.h>
52 #include <netipsec/key.h>
53 #include <netipsec/key_debug.h>
54 
55 MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
56 
57 static void
58 ipsec_setsockaddrs_inpcb(struct inpcb *inp, union sockaddr_union *src,
59     union sockaddr_union *dst, u_int dir)
60 {
61 
62 #ifdef INET6
63 	if (inp->inp_vflag & INP_IPV6) {
64 		struct sockaddr_in6 *sin6;
65 
66 		bzero(&src->sin6, sizeof(src->sin6));
67 		bzero(&dst->sin6, sizeof(dst->sin6));
68 		src->sin6.sin6_family = AF_INET6;
69 		src->sin6.sin6_len = sizeof(struct sockaddr_in6);
70 		dst->sin6.sin6_family = AF_INET6;
71 		dst->sin6.sin6_len = sizeof(struct sockaddr_in6);
72 
73 		if (dir == IPSEC_DIR_OUTBOUND)
74 			sin6 = &src->sin6;
75 		else
76 			sin6 = &dst->sin6;
77 		sin6->sin6_addr = inp->in6p_laddr;
78 		sin6->sin6_port = inp->inp_lport;
79 		if (IN6_IS_SCOPE_LINKLOCAL(&inp->in6p_laddr)) {
80 			/* XXXAE: use in6p_zoneid */
81 			sin6->sin6_addr.s6_addr16[1] = 0;
82 			sin6->sin6_scope_id = ntohs(
83 			    inp->in6p_laddr.s6_addr16[1]);
84 		}
85 
86 		if (dir == IPSEC_DIR_OUTBOUND)
87 			sin6 = &dst->sin6;
88 		else
89 			sin6 = &src->sin6;
90 		sin6->sin6_addr = inp->in6p_faddr;
91 		sin6->sin6_port = inp->inp_fport;
92 		if (IN6_IS_SCOPE_LINKLOCAL(&inp->in6p_faddr)) {
93 			/* XXXAE: use in6p_zoneid */
94 			sin6->sin6_addr.s6_addr16[1] = 0;
95 			sin6->sin6_scope_id = ntohs(
96 			    inp->in6p_faddr.s6_addr16[1]);
97 		}
98 	}
99 #endif
100 #ifdef INET
101 	if (inp->inp_vflag & INP_IPV4) {
102 		struct sockaddr_in *sin;
103 
104 		bzero(&src->sin, sizeof(src->sin));
105 		bzero(&dst->sin, sizeof(dst->sin));
106 		src->sin.sin_family = AF_INET;
107 		src->sin.sin_len = sizeof(struct sockaddr_in);
108 		dst->sin.sin_family = AF_INET;
109 		dst->sin.sin_len = sizeof(struct sockaddr_in);
110 
111 		if (dir == IPSEC_DIR_OUTBOUND)
112 			sin = &src->sin;
113 		else
114 			sin = &dst->sin;
115 		sin->sin_addr = inp->inp_laddr;
116 		sin->sin_port = inp->inp_lport;
117 
118 		if (dir == IPSEC_DIR_OUTBOUND)
119 			sin = &dst->sin;
120 		else
121 			sin = &src->sin;
122 		sin->sin_addr = inp->inp_faddr;
123 		sin->sin_port = inp->inp_fport;
124 	}
125 #endif
126 }
127 
128 void
129 ipsec_setspidx_inpcb(struct inpcb *inp, struct secpolicyindex *spidx,
130     u_int dir)
131 {
132 
133 	ipsec_setsockaddrs_inpcb(inp, &spidx->src, &spidx->dst, dir);
134 #ifdef INET6
135 	if (inp->inp_vflag & INP_IPV6) {
136 		spidx->prefs = sizeof(struct in6_addr) << 3;
137 		spidx->prefd = sizeof(struct in6_addr) << 3;
138 	}
139 #endif
140 #ifdef INET
141 	if (inp->inp_vflag & INP_IPV4) {
142 		spidx->prefs = sizeof(struct in_addr) << 3;
143 		spidx->prefd = sizeof(struct in_addr) << 3;
144 	}
145 #endif
146 	spidx->ul_proto = IPPROTO_TCP; /* XXX: currently only TCP uses this */
147 	spidx->dir = dir;
148 	KEYDBG(IPSEC_DUMP,
149 	    printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL));
150 }
151 
152 /* Initialize PCB policy. */
153 int
154 ipsec_init_pcbpolicy(struct inpcb *inp)
155 {
156 
157 	IPSEC_ASSERT(inp != NULL, ("null inp"));
158 	IPSEC_ASSERT(inp->inp_sp == NULL, ("inp_sp already initialized"));
159 
160 	inp->inp_sp = malloc(sizeof(struct inpcbpolicy), M_IPSEC_INPCB,
161 	    M_NOWAIT | M_ZERO);
162 	if (inp->inp_sp == NULL)
163 		return (ENOBUFS);
164 	return (0);
165 }
166 
167 /* Delete PCB policy. */
168 int
169 ipsec_delete_pcbpolicy(struct inpcb *inp)
170 {
171 
172 	if (inp->inp_sp == NULL)
173 		return (0);
174 
175 	if (inp->inp_sp->sp_in != NULL)
176 		key_freesp(&inp->inp_sp->sp_in);
177 
178 	if (inp->inp_sp->sp_out != NULL)
179 		key_freesp(&inp->inp_sp->sp_out);
180 
181 	free(inp->inp_sp, M_IPSEC_INPCB);
182 	inp->inp_sp = NULL;
183 	return (0);
184 }
185 
186 /* Deep-copy a policy in PCB. */
187 static struct secpolicy *
188 ipsec_deepcopy_pcbpolicy(struct secpolicy *src)
189 {
190 	struct secpolicy *dst;
191 	int i;
192 
193 	if (src == NULL)
194 		return (NULL);
195 
196 	IPSEC_ASSERT(src->state == IPSEC_SPSTATE_PCB, ("SP isn't PCB"));
197 
198 	dst = key_newsp();
199 	if (dst == NULL)
200 		return (NULL);
201 
202 	/* spidx is not copied here */
203 	dst->policy = src->policy;
204 	dst->state = src->state;
205 	dst->priority = src->priority;
206 	/* Do not touch the refcnt field. */
207 
208 	/* Copy IPsec request chain. */
209 	for (i = 0; i < src->tcount; i++) {
210 		dst->req[i] = ipsec_newisr();
211 		if (dst->req[i] == NULL) {
212 			key_freesp(&dst);
213 			return (NULL);
214 		}
215 		bcopy(src->req[i], dst->req[i], sizeof(struct ipsecrequest));
216 		dst->tcount++;
217 	}
218 	KEYDBG(IPSEC_DUMP,
219 	    printf("%s: copied SP(%p) -> SP(%p)\n", __func__, src, dst);
220 	    kdebug_secpolicy(dst));
221 	return (dst);
222 }
223 
224 /*
225  * Copy IPsec policy from old INPCB into new.
226  * It is expected that new INPCB has not configured policies.
227  */
228 int
229 ipsec_copy_pcbpolicy(struct inpcb *old, struct inpcb *new)
230 {
231 	struct secpolicy *sp;
232 
233 	/*
234 	 * old->inp_sp can be NULL if PCB was created when an IPsec
235 	 * support was unavailable. This is not an error, we don't have
236 	 * policies in this PCB, so nothing to copy.
237 	 */
238 	if (old->inp_sp == NULL)
239 		return (0);
240 
241 	IPSEC_ASSERT(new->inp_sp != NULL, ("new inp_sp is NULL"));
242 	IPSEC_ASSERT((new->inp_sp->flags & (
243 	    INP_INBOUND_POLICY | INP_OUTBOUND_POLICY)) == 0,
244 	    ("new PCB already has configured policies"));
245 	INP_WLOCK_ASSERT(new);
246 	INP_LOCK_ASSERT(old);
247 
248 	if (old->inp_sp->flags & INP_INBOUND_POLICY) {
249 		sp = ipsec_deepcopy_pcbpolicy(old->inp_sp->sp_in);
250 		if (sp == NULL)
251 			return (ENOBUFS);
252 		ipsec_setspidx_inpcb(new, &sp->spidx, IPSEC_DIR_INBOUND);
253 		if (new->inp_sp->sp_in != NULL)
254 			key_freesp(&new->inp_sp->sp_in);
255 		new->inp_sp->sp_in = sp;
256 		new->inp_sp->flags |= INP_INBOUND_POLICY;
257 	}
258 	if (old->inp_sp->flags & INP_OUTBOUND_POLICY) {
259 		sp = ipsec_deepcopy_pcbpolicy(old->inp_sp->sp_out);
260 		if (sp == NULL)
261 			return (ENOBUFS);
262 		ipsec_setspidx_inpcb(new, &sp->spidx, IPSEC_DIR_OUTBOUND);
263 		if (new->inp_sp->sp_out != NULL)
264 			key_freesp(&new->inp_sp->sp_out);
265 		new->inp_sp->sp_out = sp;
266 		new->inp_sp->flags |= INP_OUTBOUND_POLICY;
267 	}
268 	return (0);
269 }
270 
271 static int
272 ipsec_set_pcbpolicy(struct inpcb *inp, struct ucred *cred,
273     void *request, size_t len)
274 {
275 	struct sadb_x_policy *xpl;
276 	struct secpolicy **spp, *newsp;
277 	int error, flags;
278 
279 	xpl = (struct sadb_x_policy *)request;
280 	/* Select direction. */
281 	switch (xpl->sadb_x_policy_dir) {
282 	case IPSEC_DIR_INBOUND:
283 	case IPSEC_DIR_OUTBOUND:
284 		break;
285 	default:
286 		ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
287 			xpl->sadb_x_policy_dir));
288 		return (EINVAL);
289 	}
290 	/*
291 	 * Privileged sockets are allowed to set own security policy
292 	 * and configure IPsec bypass. Unprivileged sockets only can
293 	 * have ENTRUST policy.
294 	 */
295 	switch (xpl->sadb_x_policy_type) {
296 	case IPSEC_POLICY_IPSEC:
297 	case IPSEC_POLICY_BYPASS:
298 		if (cred != NULL &&
299 		    priv_check_cred(cred, PRIV_NETINET_IPSEC) != 0)
300 			return (EACCES);
301 		/* Allocate new SP entry. */
302 		newsp = key_msg2sp(xpl, len, &error);
303 		if (newsp == NULL)
304 			return (error);
305 		newsp->state = IPSEC_SPSTATE_PCB;
306 		newsp->spidx.ul_proto = IPSEC_ULPROTO_ANY;
307 #ifdef INET
308 		if (inp->inp_vflag & INP_IPV4) {
309 			newsp->spidx.src.sin.sin_family =
310 			    newsp->spidx.dst.sin.sin_family = AF_INET;
311 			newsp->spidx.src.sin.sin_len =
312 			    newsp->spidx.dst.sin.sin_len =
313 			    sizeof(struct sockaddr_in);
314 		}
315 #endif
316 #ifdef INET6
317 		if (inp->inp_vflag & INP_IPV6) {
318 			newsp->spidx.src.sin6.sin6_family =
319 			    newsp->spidx.dst.sin6.sin6_family = AF_INET6;
320 			newsp->spidx.src.sin6.sin6_len =
321 			    newsp->spidx.dst.sin6.sin6_len =
322 			    sizeof(struct sockaddr_in6);
323 		}
324 #endif
325 		break;
326 	case IPSEC_POLICY_ENTRUST:
327 		/* We just use NULL pointer for ENTRUST policy */
328 		newsp = NULL;
329 		break;
330 	default:
331 		/* Other security policy types aren't allowed for PCB */
332 		return (EINVAL);
333 	}
334 
335 	INP_WLOCK(inp);
336 	if (xpl->sadb_x_policy_dir == IPSEC_DIR_INBOUND) {
337 		spp = &inp->inp_sp->sp_in;
338 		flags = INP_INBOUND_POLICY;
339 	} else {
340 		spp = &inp->inp_sp->sp_out;
341 		flags = INP_OUTBOUND_POLICY;
342 	}
343 	/* Clear old SP and set new SP. */
344 	if (*spp != NULL)
345 		key_freesp(spp);
346 	*spp = newsp;
347 	KEYDBG(IPSEC_DUMP,
348 	    printf("%s: new SP(%p)\n", __func__, newsp));
349 	if (newsp == NULL)
350 		inp->inp_sp->flags &= ~flags;
351 	else {
352 		inp->inp_sp->flags |= flags;
353 		KEYDBG(IPSEC_DUMP, kdebug_secpolicy(newsp));
354 	}
355 	INP_WUNLOCK(inp);
356 	return (0);
357 }
358 
359 static int
360 ipsec_get_pcbpolicy(struct inpcb *inp, void *request, size_t *len)
361 {
362 	struct sadb_x_policy *xpl;
363 	struct secpolicy *sp;
364 	int error, flags;
365 
366 	xpl = (struct sadb_x_policy *)request;
367 
368 	INP_RLOCK(inp);
369 	flags = inp->inp_sp->flags;
370 	/* Select direction. */
371 	switch (xpl->sadb_x_policy_dir) {
372 	case IPSEC_DIR_INBOUND:
373 		sp = inp->inp_sp->sp_in;
374 		flags &= INP_INBOUND_POLICY;
375 		break;
376 	case IPSEC_DIR_OUTBOUND:
377 		sp = inp->inp_sp->sp_out;
378 		flags &= INP_OUTBOUND_POLICY;
379 		break;
380 	default:
381 		INP_RUNLOCK(inp);
382 		ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
383 			xpl->sadb_x_policy_dir));
384 		return (EINVAL);
385 	}
386 
387 	if (flags == 0) {
388 		/* Return ENTRUST policy */
389 		INP_RUNLOCK(inp);
390 		xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
391 		xpl->sadb_x_policy_type = IPSEC_POLICY_ENTRUST;
392 		xpl->sadb_x_policy_id = 0;
393 		xpl->sadb_x_policy_priority = 0;
394 		xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl));
395 		*len = sizeof(*xpl);
396 		return (0);
397 	}
398 
399 	IPSEC_ASSERT(sp != NULL,
400 	    ("sp is NULL, but flags is 0x%04x", inp->inp_sp->flags));
401 
402 	key_addref(sp);
403 	INP_RUNLOCK(inp);
404 	error = key_sp2msg(sp, request, len);
405 	key_freesp(&sp);
406 	if (error == EINVAL)
407 		return (error);
408 	/*
409 	 * We return "success", but user should check *len.
410 	 * *len will be set to size of valid data and
411 	 * sadb_x_policy_len will contain needed size.
412 	 */
413 	return (0);
414 }
415 
416 /* Handle socket option control request for PCB */
417 static int
418 ipsec_control_pcbpolicy(struct inpcb *inp, struct sockopt *sopt)
419 {
420 	void *optdata;
421 	size_t optlen;
422 	int error;
423 
424 	if (inp->inp_sp == NULL)
425 		return (ENOPROTOOPT);
426 
427 	/* Limit maximum request size to PAGE_SIZE */
428 	optlen = sopt->sopt_valsize;
429 	if (optlen < sizeof(struct sadb_x_policy) || optlen > PAGE_SIZE)
430 		return (EINVAL);
431 
432 	optdata = malloc(optlen, M_TEMP, sopt->sopt_td ? M_WAITOK: M_NOWAIT);
433 	if (optdata == NULL)
434 		return (ENOBUFS);
435 	/*
436 	 * We need a hint from the user, what policy is requested - input
437 	 * or output? User should specify it in the buffer, even for
438 	 * setsockopt().
439 	 */
440 	error = sooptcopyin(sopt, optdata, optlen, optlen);
441 	if (error == 0) {
442 		if (sopt->sopt_dir == SOPT_SET)
443 			error = ipsec_set_pcbpolicy(inp,
444 			    sopt->sopt_td ? sopt->sopt_td->td_ucred: NULL,
445 			    optdata, optlen);
446 		else {
447 			error = ipsec_get_pcbpolicy(inp, optdata, &optlen);
448 			if (error == 0)
449 				error = sooptcopyout(sopt, optdata, optlen);
450 		}
451 	}
452 	free(optdata, M_TEMP);
453 	return (error);
454 }
455 
456 #ifdef INET
457 /*
458  * IPSEC_PCBCTL() method implementation for IPv4.
459  */
460 int
461 ipsec4_pcbctl(struct inpcb *inp, struct sockopt *sopt)
462 {
463 
464 	if (sopt->sopt_name != IP_IPSEC_POLICY)
465 		return (ENOPROTOOPT);
466 	return (ipsec_control_pcbpolicy(inp, sopt));
467 }
468 #endif
469 
470 #ifdef INET6
471 /*
472  * IPSEC_PCBCTL() method implementation for IPv6.
473  */
474 int
475 ipsec6_pcbctl(struct inpcb *inp, struct sockopt *sopt)
476 {
477 
478 	if (sopt->sopt_name != IPV6_IPSEC_POLICY)
479 		return (ENOPROTOOPT);
480 	return (ipsec_control_pcbpolicy(inp, sopt));
481 }
482 #endif
483