1 /*
2 * Copyright (C) 2001-2003 by Darren Reed
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT
7 * code.
8 *
9 * $Id: ip_ipsec_pxy.c,v 2.20.2.7 2005/07/15 21:56:50 darrenr Exp $
10 *
11 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
12 * Use is subject to license terms.
13 */
14
15 #define IPF_IPSEC_PROXY
16
17 typedef struct ifs_ipsecpxy {
18 frentry_t ipsecfr;
19 ipftq_t *ipsecnattqe;
20 ipftq_t *ipsecstatetqe;
21 char ipsec_buffer[1500];
22 int ipsec_proxy_init;
23 int ipsec_proxy_ttl;
24 } ifs_ipsecpxy_t;
25
26 int ippr_ipsec_init __P((void **, ipf_stack_t *));
27 void ippr_ipsec_fini __P((void **, ipf_stack_t *));
28 int ippr_ipsec_new __P((fr_info_t *, ap_session_t *, nat_t *, void *));
29 void ippr_ipsec_del __P((ap_session_t *, void *, ipf_stack_t *));
30 int ippr_ipsec_inout __P((fr_info_t *, ap_session_t *, nat_t *, void *));
31 int ippr_ipsec_match __P((fr_info_t *, ap_session_t *, nat_t *, void *));
32
33 /*
34 * IPSec application proxy initialization.
35 */
ippr_ipsec_init(private,ifs)36 int ippr_ipsec_init(private, ifs)
37 void **private;
38 ipf_stack_t *ifs;
39 {
40 ifs_ipsecpxy_t *ifsipsec;
41
42 KMALLOC(ifsipsec, ifs_ipsecpxy_t *);
43 if (ifsipsec == NULL)
44 return -1;
45
46 bzero((char *)&ifsipsec->ipsecfr, sizeof(ifsipsec->ipsecfr));
47 ifsipsec->ipsecfr.fr_ref = 1;
48 ifsipsec->ipsecfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
49 MUTEX_INIT(&ifsipsec->ipsecfr.fr_lock, "IPsec proxy rule lock");
50 ifsipsec->ipsec_proxy_init = 1;
51 ifsipsec->ipsec_proxy_ttl = 60;
52
53 ifsipsec->ipsecnattqe = fr_addtimeoutqueue(&ifs->ifs_nat_utqe, ifsipsec->ipsec_proxy_ttl, ifs);
54 if (ifsipsec->ipsecnattqe == NULL) {
55 MUTEX_DESTROY(&ifsipsec->ipsecfr.fr_lock);
56 KFREE(ifsipsec);
57 return -1;
58 }
59 ifsipsec->ipsecstatetqe = fr_addtimeoutqueue(&ifs->ifs_ips_utqe, ifsipsec->ipsec_proxy_ttl, ifs);
60 if (ifsipsec->ipsecstatetqe == NULL) {
61 if (fr_deletetimeoutqueue(ifsipsec->ipsecnattqe) == 0)
62 fr_freetimeoutqueue(ifsipsec->ipsecnattqe, ifs);
63 ifsipsec->ipsecnattqe = NULL;
64 MUTEX_DESTROY(&ifsipsec->ipsecfr.fr_lock);
65 KFREE(ifsipsec);
66 return -1;
67 }
68
69 ifsipsec->ipsecnattqe->ifq_flags |= IFQF_PROXY;
70 ifsipsec->ipsecstatetqe->ifq_flags |= IFQF_PROXY;
71
72 ifsipsec->ipsecfr.fr_age[0] = ifsipsec->ipsec_proxy_ttl;
73 ifsipsec->ipsecfr.fr_age[1] = ifsipsec->ipsec_proxy_ttl;
74
75 *private = (void *)ifsipsec;
76
77 return 0;
78 }
79
80
ippr_ipsec_fini(private,ifs)81 void ippr_ipsec_fini(private, ifs)
82 void **private;
83 ipf_stack_t *ifs;
84 {
85 ifs_ipsecpxy_t *ifsipsec = *((ifs_ipsecpxy_t **)private);
86
87 if (ifsipsec->ipsecnattqe != NULL) {
88 if (fr_deletetimeoutqueue(ifsipsec->ipsecnattqe) == 0)
89 fr_freetimeoutqueue(ifsipsec->ipsecnattqe, ifs);
90 }
91 ifsipsec->ipsecnattqe = NULL;
92 if (ifsipsec->ipsecstatetqe != NULL) {
93 if (fr_deletetimeoutqueue(ifsipsec->ipsecstatetqe) == 0)
94 fr_freetimeoutqueue(ifsipsec->ipsecstatetqe, ifs);
95 }
96 ifsipsec->ipsecstatetqe = NULL;
97
98 if (ifsipsec->ipsec_proxy_init == 1) {
99 MUTEX_DESTROY(&ifsipsec->ipsecfr.fr_lock);
100 ifsipsec->ipsec_proxy_init = 0;
101 }
102
103 KFREE(ifsipsec);
104 *private = NULL;
105 }
106
107
108 /*
109 * Setup for a new IPSEC proxy.
110 */
ippr_ipsec_new(fin,aps,nat,private)111 int ippr_ipsec_new(fin, aps, nat, private)
112 fr_info_t *fin;
113 ap_session_t *aps;
114 nat_t *nat;
115 void *private;
116 {
117 ipsec_pxy_t *ipsec;
118 fr_info_t fi;
119 ipnat_t *ipn;
120 char *ptr;
121 int p, off, dlen, ttl;
122 mb_t *m;
123 ip_t *ip;
124 ipf_stack_t *ifs = fin->fin_ifs;
125 ifs_ipsecpxy_t *ifsipsec = (ifs_ipsecpxy_t *)private;
126
127 off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff;
128 bzero(ifsipsec->ipsec_buffer, sizeof(ifsipsec->ipsec_buffer));
129 ip = fin->fin_ip;
130 m = fin->fin_m;
131
132 dlen = M_LEN(m) - off;
133 if (dlen < 16)
134 return -1;
135 COPYDATA(m, off, MIN(sizeof(ifsipsec->ipsec_buffer), dlen),
136 ifsipsec->ipsec_buffer);
137
138 if (nat_outlookup(fin, 0, IPPROTO_ESP, nat->nat_inip,
139 ip->ip_dst) != NULL)
140 return -1;
141
142 aps->aps_psiz = sizeof(*ipsec);
143 KMALLOCS(aps->aps_data, ipsec_pxy_t *, sizeof(*ipsec));
144 if (aps->aps_data == NULL)
145 return -1;
146
147 ipsec = aps->aps_data;
148 bzero((char *)ipsec, sizeof(*ipsec));
149
150 /*
151 * Create NAT rule against which the tunnel/transport mapping is
152 * created. This is required because the current NAT rule does not
153 * describe ESP but UDP instead.
154 */
155 ipn = &ipsec->ipsc_rule;
156 ttl = IPF_TTLVAL(ifsipsec->ipsecnattqe->ifq_ttl);
157 ipn->in_tqehead[0] = fr_addtimeoutqueue(&ifs->ifs_nat_utqe, ttl, ifs);
158 ipn->in_tqehead[1] = fr_addtimeoutqueue(&ifs->ifs_nat_utqe, ttl, ifs);
159 ipn->in_ifps[0] = fin->fin_ifp;
160 ipn->in_apr = NULL;
161 ipn->in_use = 1;
162 ipn->in_hits = 1;
163 ipn->in_nip = ntohl(nat->nat_outip.s_addr);
164 ipn->in_ippip = 1;
165 ipn->in_inip = nat->nat_inip.s_addr;
166 ipn->in_inmsk = 0xffffffff;
167 ipn->in_outip = fin->fin_saddr;
168 ipn->in_outmsk = nat->nat_outip.s_addr;
169 ipn->in_srcip = fin->fin_saddr;
170 ipn->in_srcmsk = 0xffffffff;
171 ipn->in_redir = NAT_MAP;
172 bcopy(nat->nat_ptr->in_ifnames[0], ipn->in_ifnames[0],
173 sizeof(ipn->in_ifnames[0]));
174 ipn->in_p = IPPROTO_ESP;
175
176 bcopy((char *)fin, (char *)&fi, sizeof(fi));
177 fi.fin_fi.fi_p = IPPROTO_ESP;
178 fi.fin_fr = &ifsipsec->ipsecfr;
179 fi.fin_data[0] = 0;
180 fi.fin_data[1] = 0;
181 p = ip->ip_p;
182 ip->ip_p = IPPROTO_ESP;
183 fi.fin_flx &= ~(FI_TCPUDP|FI_STATE|FI_FRAG);
184 fi.fin_flx |= FI_IGNORE;
185
186 ptr = ifsipsec->ipsec_buffer;
187 bcopy(ptr, (char *)ipsec->ipsc_icookie, sizeof(ipsec_cookie_t));
188 ptr += sizeof(ipsec_cookie_t);
189 bcopy(ptr, (char *)ipsec->ipsc_rcookie, sizeof(ipsec_cookie_t));
190 /*
191 * The responder cookie should only be non-zero if the initiator
192 * cookie is non-zero. Therefore, it is safe to assume(!) that the
193 * cookies are both set after copying if the responder is non-zero.
194 */
195 if ((ipsec->ipsc_rcookie[0]|ipsec->ipsc_rcookie[1]) != 0)
196 ipsec->ipsc_rckset = 1;
197
198 ipsec->ipsc_nat = nat_new(&fi, ipn, &ipsec->ipsc_nat,
199 NAT_SLAVE|SI_WILDP, NAT_OUTBOUND);
200 if (ipsec->ipsc_nat != NULL) {
201 (void) nat_proto(&fi, ipsec->ipsc_nat, 0);
202 nat_update(&fi, ipsec->ipsc_nat, ipn);
203
204 fi.fin_data[0] = 0;
205 fi.fin_data[1] = 0;
206 ipsec->ipsc_state = fr_addstate(&fi, &ipsec->ipsc_state,
207 SI_WILDP);
208 }
209 ip->ip_p = p & 0xff;
210 return 0;
211 }
212
213
214 /*
215 * For outgoing IKE packets. refresh timeouts for NAT & state entries, if
216 * we can. If they have disappeared, recreate them.
217 */
ippr_ipsec_inout(fin,aps,nat,private)218 int ippr_ipsec_inout(fin, aps, nat, private)
219 fr_info_t *fin;
220 ap_session_t *aps;
221 nat_t *nat;
222 void *private;
223 {
224 ipsec_pxy_t *ipsec;
225 fr_info_t fi;
226 ip_t *ip;
227 int p;
228 ipf_stack_t *ifs = fin->fin_ifs;
229 ifs_ipsecpxy_t *ifsipsec = (ifs_ipsecpxy_t *)private;
230
231 if ((fin->fin_out == 1) && (nat->nat_dir == NAT_INBOUND))
232 return 0;
233
234 if ((fin->fin_out == 0) && (nat->nat_dir == NAT_OUTBOUND))
235 return 0;
236
237 ipsec = aps->aps_data;
238
239 if (ipsec != NULL) {
240 ip = fin->fin_ip;
241 p = ip->ip_p;
242
243 if ((ipsec->ipsc_nat == NULL) || (ipsec->ipsc_state == NULL)) {
244 bcopy((char *)fin, (char *)&fi, sizeof(fi));
245 fi.fin_fi.fi_p = IPPROTO_ESP;
246 fi.fin_fr = &ifsipsec->ipsecfr;
247 fi.fin_data[0] = 0;
248 fi.fin_data[1] = 0;
249 ip->ip_p = IPPROTO_ESP;
250 fi.fin_flx &= ~(FI_TCPUDP|FI_STATE|FI_FRAG);
251 fi.fin_flx |= FI_IGNORE;
252 }
253
254 /*
255 * Update NAT timeout/create NAT if missing.
256 */
257 if (ipsec->ipsc_nat != NULL)
258 fr_queueback(&ipsec->ipsc_nat->nat_tqe, ifs);
259 else {
260 ipsec->ipsc_nat = nat_new(&fi, &ipsec->ipsc_rule,
261 &ipsec->ipsc_nat,
262 NAT_SLAVE|SI_WILDP,
263 nat->nat_dir);
264 if (ipsec->ipsc_nat != NULL) {
265 (void) nat_proto(&fi, ipsec->ipsc_nat, 0);
266 nat_update(&fi, ipsec->ipsc_nat,
267 &ipsec->ipsc_rule);
268 }
269 }
270
271 /*
272 * Update state timeout/create state if missing.
273 */
274 READ_ENTER(&ifs->ifs_ipf_state);
275 if (ipsec->ipsc_state != NULL) {
276 fr_queueback(&ipsec->ipsc_state->is_sti, ifs);
277 ipsec->ipsc_state->is_die = nat->nat_age;
278 RWLOCK_EXIT(&ifs->ifs_ipf_state);
279 } else {
280 RWLOCK_EXIT(&ifs->ifs_ipf_state);
281 fi.fin_data[0] = 0;
282 fi.fin_data[1] = 0;
283 ipsec->ipsc_state = fr_addstate(&fi,
284 &ipsec->ipsc_state,
285 SI_WILDP);
286 }
287 ip->ip_p = p;
288 }
289 return 0;
290 }
291
292
293 /*
294 * This extends the NAT matching to be based on the cookies associated with
295 * a session and found at the front of IKE packets. The cookies are always
296 * in the same order (not reversed depending on packet flow direction as with
297 * UDP/TCP port numbers).
298 */
299 /*ARGSUSED*/
ippr_ipsec_match(fin,aps,nat,private)300 int ippr_ipsec_match(fin, aps, nat, private)
301 fr_info_t *fin;
302 ap_session_t *aps;
303 nat_t *nat;
304 void *private;
305 {
306 ipsec_pxy_t *ipsec;
307 u_32_t cookies[4];
308 mb_t *m;
309 int off;
310
311 nat = nat; /* LINT */
312
313 if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_flx & FI_FRAG))
314 return -1;
315
316 off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff;
317 ipsec = aps->aps_data;
318 m = fin->fin_m;
319 COPYDATA(m, off, sizeof(cookies), (char *)cookies);
320
321 if ((cookies[0] != ipsec->ipsc_icookie[0]) ||
322 (cookies[1] != ipsec->ipsc_icookie[1]))
323 return -1;
324
325 if (ipsec->ipsc_rckset == 0) {
326 if ((cookies[2]|cookies[3]) == 0) {
327 return 0;
328 }
329 ipsec->ipsc_rckset = 1;
330 ipsec->ipsc_rcookie[0] = cookies[2];
331 ipsec->ipsc_rcookie[1] = cookies[3];
332 return 0;
333 }
334
335 if ((cookies[2] != ipsec->ipsc_rcookie[0]) ||
336 (cookies[3] != ipsec->ipsc_rcookie[1]))
337 return -1;
338 return 0;
339 }
340
341
342 /*
343 * clean up after ourselves.
344 */
345 /*ARGSUSED*/
ippr_ipsec_del(aps,private,ifs)346 void ippr_ipsec_del(aps, private, ifs)
347 ap_session_t *aps;
348 void *private;
349 ipf_stack_t *ifs;
350 {
351 ipsec_pxy_t *ipsec;
352
353 ipsec = aps->aps_data;
354
355 if (ipsec != NULL) {
356 /*
357 * Don't bother changing any of the NAT structure details,
358 * *_del() is on a callback from aps_free(), from nat_delete()
359 */
360
361 READ_ENTER(&ifs->ifs_ipf_state);
362 if (ipsec->ipsc_state != NULL) {
363 ipsec->ipsc_state->is_die = ifs->ifs_fr_ticks + 1;
364 ipsec->ipsc_state->is_me = NULL;
365 fr_queuefront(&ipsec->ipsc_state->is_sti);
366 }
367 RWLOCK_EXIT(&ifs->ifs_ipf_state);
368
369 ipsec->ipsc_state = NULL;
370 ipsec->ipsc_nat = NULL;
371 }
372 }
373