1 /* $NetBSD: xform_ipip.c,v 1.74 2018/05/07 09:33:51 maxv Exp $ */ 2 /* $FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ 3 /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ 4 5 /* 6 * The authors of this code are John Ioannidis (ji@tla.org), 7 * Angelos D. Keromytis (kermit@csd.uch.gr) and 8 * Niels Provos (provos@physnet.uni-hamburg.de). 9 * 10 * The original version of this code was written by John Ioannidis 11 * for BSD/OS in Athens, Greece, in November 1995. 12 * 13 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 14 * by Angelos D. Keromytis. 15 * 16 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 17 * and Niels Provos. 18 * 19 * Additional features in 1999 by Angelos D. Keromytis. 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * Copyright (c) 2001, Angelos D. Keromytis. 24 * 25 * Permission to use, copy, and modify this software with or without fee 26 * is hereby granted, provided that this entire notice is included in 27 * all copies of any software which is or includes a copy or 28 * modification of this software. 29 * You may use this code under the GNU public license if you so wish. Please 30 * contribute changes back to the authors under this freer than GPL license 31 * so that we may further the use of strong encryption without limitations to 32 * all. 33 * 34 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 35 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 36 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 37 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 38 * PURPOSE. 39 */ 40 41 #include <sys/cdefs.h> 42 __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.74 2018/05/07 09:33:51 maxv Exp $"); 43 44 #if defined(_KERNEL_OPT) 45 #include "opt_inet.h" 46 #endif 47 48 /* 49 * IP-inside-IP processing. 50 * 51 * The input point is encapsw{4,6}, called via the encap callback. The 52 * output point is ipip_output, called directly. XF_IP4 has no more 53 * meaning here, ipe4_xformsw is dummy. 54 */ 55 56 #include <sys/param.h> 57 #include <sys/systm.h> 58 #include <sys/mbuf.h> 59 #include <sys/kernel.h> 60 #include <sys/protosw.h> 61 62 #include <net/if.h> 63 64 #include <netinet/in.h> 65 #include <netinet/in_systm.h> 66 #include <netinet/in_var.h> 67 #include <netinet/ip.h> 68 #include <netinet/ip_ecn.h> 69 #include <netinet/ip_var.h> 70 #include <netinet/ip_encap.h> 71 72 #include <netipsec/ipsec.h> 73 #include <netipsec/ipsec_private.h> 74 #include <netipsec/xform.h> 75 76 #include <netipsec/ipip_var.h> 77 78 #ifdef INET6 79 #include <netinet/ip6.h> 80 #include <netipsec/ipsec6.h> 81 #include <netinet6/in6_var.h> 82 #include <netinet6/ip6protosw.h> 83 #endif 84 85 #include <netipsec/key.h> 86 #include <netipsec/key_debug.h> 87 88 /* XXX IPCOMP */ 89 #define M_IPSEC (M_AUTHIPHDR|M_DECRYPTED) 90 91 int ipip_spoofcheck = 1; 92 percpu_t *ipipstat_percpu; 93 94 static void _ipip_input(struct mbuf *, int); 95 96 #ifdef INET6 97 static int 98 ip4_input6(struct mbuf **m, int *offp, int proto, void *eparg __unused) 99 { 100 _ipip_input(*m, *offp); 101 return IPPROTO_DONE; 102 } 103 #endif 104 105 #ifdef INET 106 static void 107 ip4_input(struct mbuf *m, int off, int proto, void *eparg __unused) 108 { 109 _ipip_input(m, off); 110 } 111 #endif 112 113 /* 114 * _ipip_input gets called when we receive an IP{46} encapsulated packet, 115 * because AH or ESP were being used in tunnel mode. 116 */ 117 static void 118 _ipip_input(struct mbuf *m, int iphlen) 119 { 120 register struct sockaddr_in *sin; 121 register struct ifnet *ifp; 122 register struct ifaddr *ifa; 123 pktqueue_t *pktq = NULL; 124 struct ip *ip4 = NULL; 125 #ifdef INET6 126 register struct sockaddr_in6 *sin6; 127 struct ip6_hdr *ip6 = NULL; 128 uint8_t itos; 129 #endif 130 uint8_t otos; 131 uint8_t v; 132 int hlen; 133 134 IPIP_STATINC(IPIP_STAT_IPACKETS); 135 136 m_copydata(m, 0, 1, &v); 137 138 switch (v >> 4) { 139 #ifdef INET 140 case 4: 141 hlen = sizeof(struct ip); 142 break; 143 #endif 144 #ifdef INET6 145 case 6: 146 hlen = sizeof(struct ip6_hdr); 147 break; 148 #endif 149 default: 150 DPRINTF(("%s: bad protocol version 0x%x (%u) " 151 "for outer header\n", __func__, v, v>>4)); 152 IPIP_STATINC(IPIP_STAT_FAMILY); 153 m_freem(m); 154 return; 155 } 156 157 /* Bring the IP header in the first mbuf, if not there already */ 158 if (m->m_len < hlen) { 159 if ((m = m_pullup(m, hlen)) == NULL) { 160 DPRINTF(("%s: m_pullup (1) failed\n", __func__)); 161 IPIP_STATINC(IPIP_STAT_HDROPS); 162 return; 163 } 164 } 165 166 /* Keep outer ecn field. */ 167 switch (v >> 4) { 168 #ifdef INET 169 case 4: 170 otos = mtod(m, struct ip *)->ip_tos; 171 break; 172 #endif 173 #ifdef INET6 174 case 6: 175 otos = (ntohl(mtod(m, struct ip6_hdr *)->ip6_flow) >> 20) & 0xff; 176 break; 177 #endif 178 default: 179 panic("%s: impossible (1)", __func__); 180 } 181 182 /* Remove outer IP header */ 183 m_adj(m, iphlen); 184 185 /* Sanity check */ 186 if (m->m_pkthdr.len < sizeof(struct ip)) { 187 IPIP_STATINC(IPIP_STAT_HDROPS); 188 m_freem(m); 189 return; 190 } 191 192 m_copydata(m, 0, 1, &v); 193 194 switch (v >> 4) { 195 #ifdef INET 196 case 4: 197 hlen = sizeof(struct ip); 198 pktq = ip_pktq; 199 break; 200 #endif 201 #ifdef INET6 202 case 6: 203 hlen = sizeof(struct ip6_hdr); 204 pktq = ip6_pktq; 205 break; 206 #endif 207 default: 208 DPRINTF(("%s: bad protocol version %#x (%u) " 209 "for inner header\n", __func__, v, v >> 4)); 210 IPIP_STATINC(IPIP_STAT_FAMILY); 211 m_freem(m); 212 return; 213 } 214 215 /* 216 * Bring the inner IP header in the first mbuf, if not there already. 217 */ 218 if (m->m_len < hlen) { 219 if ((m = m_pullup(m, hlen)) == NULL) { 220 DPRINTF(("%s: m_pullup (2) failed\n", __func__)); 221 IPIP_STATINC(IPIP_STAT_HDROPS); 222 return; 223 } 224 } 225 226 /* 227 * RFC 1853 specifies that the inner TTL should not be touched on 228 * decapsulation. There's no reason this comment should be here, but 229 * this is as good as any a position. 230 */ 231 232 /* Some sanity checks in the inner IP header */ 233 switch (v >> 4) { 234 #ifdef INET 235 case 4: 236 ip4 = mtod(m, struct ip *); 237 ip_ecn_egress(ip4_ipsec_ecn, &otos, &ip4->ip_tos); 238 break; 239 #endif 240 #ifdef INET6 241 case 6: 242 ip6 = mtod(m, struct ip6_hdr *); 243 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 244 ip_ecn_egress(ip6_ipsec_ecn, &otos, &itos); 245 ip6->ip6_flow &= ~htonl(0xff << 20); 246 ip6->ip6_flow |= htonl((uint32_t)itos << 20); 247 break; 248 #endif 249 default: 250 panic("%s: impossible (2)", __func__); 251 } 252 253 /* Check for local address spoofing. */ 254 if ((m_get_rcvif_NOMPSAFE(m) == NULL || 255 !(m_get_rcvif_NOMPSAFE(m)->if_flags & IFF_LOOPBACK)) && 256 ipip_spoofcheck) { 257 int s = pserialize_read_enter(); 258 IFNET_READER_FOREACH(ifp) { 259 IFADDR_READER_FOREACH(ifa, ifp) { 260 #ifdef INET 261 if (ip4) { 262 if (ifa->ifa_addr->sa_family != 263 AF_INET) 264 continue; 265 266 sin = (struct sockaddr_in *)ifa->ifa_addr; 267 268 if (sin->sin_addr.s_addr == 269 ip4->ip_src.s_addr) { 270 pserialize_read_exit(s); 271 IPIP_STATINC(IPIP_STAT_SPOOF); 272 m_freem(m); 273 return; 274 } 275 } 276 #endif 277 278 #ifdef INET6 279 if (ip6) { 280 if (ifa->ifa_addr->sa_family != 281 AF_INET6) 282 continue; 283 284 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 285 286 if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { 287 pserialize_read_exit(s); 288 IPIP_STATINC(IPIP_STAT_SPOOF); 289 m_freem(m); 290 return; 291 } 292 293 } 294 #endif 295 } 296 } 297 pserialize_read_exit(s); 298 } 299 300 /* Statistics: m->m_pkthdr.len is the length of the inner packet */ 301 IPIP_STATADD(IPIP_STAT_IBYTES, m->m_pkthdr.len); 302 303 /* 304 * Interface pointer stays the same; if no IPsec processing has 305 * been done (or will be done), this will point to a normal 306 * interface. Otherwise, it'll point to an enc interface, which 307 * will allow a packet filter to distinguish between secure and 308 * untrusted packets. 309 */ 310 311 int s = splnet(); 312 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 313 IPIP_STATINC(IPIP_STAT_QFULL); 314 m_freem(m); 315 } 316 splx(s); 317 } 318 319 int 320 ipip_output(struct mbuf *m, struct secasvar *sav, struct mbuf **mp) 321 { 322 char buf[IPSEC_ADDRSTRLEN]; 323 uint8_t tp, otos; 324 struct secasindex *saidx; 325 int error, iphlen; 326 #ifdef INET 327 uint8_t itos; 328 struct ip *ipo; 329 #endif 330 #ifdef INET6 331 struct ip6_hdr *ip6, *ip6o; 332 #endif 333 334 KASSERT(sav != NULL); 335 336 /* XXX Deal with empty TDB source/destination addresses. */ 337 338 m_copydata(m, 0, 1, &tp); 339 tp = (tp >> 4) & 0xff; /* Get the IP version number. */ 340 341 saidx = &sav->sah->saidx; 342 switch (saidx->dst.sa.sa_family) { 343 #ifdef INET 344 case AF_INET: 345 if (saidx->src.sa.sa_family != AF_INET || 346 saidx->src.sin.sin_addr.s_addr == INADDR_ANY || 347 saidx->dst.sin.sin_addr.s_addr == INADDR_ANY) { 348 DPRINTF(("%s: unspecified tunnel endpoint " 349 "address in SA %s/%08lx\n", __func__, 350 ipsec_address(&saidx->dst, buf, sizeof(buf)), 351 (u_long)ntohl(sav->spi))); 352 IPIP_STATINC(IPIP_STAT_UNSPEC); 353 error = EINVAL; 354 goto bad; 355 } 356 357 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 358 if (m == NULL) { 359 DPRINTF(("%s: M_PREPEND failed\n", __func__)); 360 IPIP_STATINC(IPIP_STAT_HDROPS); 361 error = ENOBUFS; 362 goto bad; 363 } 364 365 iphlen = sizeof(struct ip); 366 367 ipo = mtod(m, struct ip *); 368 ipo->ip_v = IPVERSION; 369 ipo->ip_hl = 5; 370 ipo->ip_len = htons(m->m_pkthdr.len); 371 ipo->ip_ttl = ip_defttl; 372 ipo->ip_sum = 0; 373 ipo->ip_src = saidx->src.sin.sin_addr; 374 ipo->ip_dst = saidx->dst.sin.sin_addr; 375 ipo->ip_id = ip_newid(NULL); 376 377 /* If the inner protocol is IP... */ 378 if (tp == IPVERSION) { 379 /* Save ECN notification */ 380 m_copydata(m, sizeof(struct ip) + 381 offsetof(struct ip, ip_tos), 382 sizeof(uint8_t), &itos); 383 384 ipo->ip_p = IPPROTO_IPIP; 385 386 /* 387 * We should be keeping tunnel soft-state and 388 * send back ICMPs if needed. 389 */ 390 m_copydata(m, sizeof(struct ip) + 391 offsetof(struct ip, ip_off), 392 sizeof(uint16_t), &ipo->ip_off); 393 ipo->ip_off &= ~ htons(IP_DF | IP_MF | IP_OFFMASK); 394 } 395 #ifdef INET6 396 else if (tp == (IPV6_VERSION >> 4)) { 397 uint32_t itos32; 398 399 /* Save ECN notification. */ 400 m_copydata(m, sizeof(struct ip) + 401 offsetof(struct ip6_hdr, ip6_flow), 402 sizeof(uint32_t), &itos32); 403 itos = ntohl(itos32) >> 20; 404 ipo->ip_p = IPPROTO_IPV6; 405 ipo->ip_off = 0; 406 } 407 #endif 408 else { 409 goto nofamily; 410 } 411 412 otos = 0; 413 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 414 ipo->ip_tos = otos; 415 break; 416 #endif /* INET */ 417 418 #ifdef INET6 419 case AF_INET6: 420 if (IN6_IS_ADDR_UNSPECIFIED(&saidx->dst.sin6.sin6_addr) || 421 saidx->src.sa.sa_family != AF_INET6 || 422 IN6_IS_ADDR_UNSPECIFIED(&saidx->src.sin6.sin6_addr)) { 423 DPRINTF(("%s: unspecified tunnel endpoint " 424 "address in SA %s/%08lx\n", __func__, 425 ipsec_address(&saidx->dst, buf, sizeof(buf)), 426 (u_long)ntohl(sav->spi))); 427 IPIP_STATINC(IPIP_STAT_UNSPEC); 428 error = ENOBUFS; 429 goto bad; 430 } 431 432 if (tp == (IPV6_VERSION >> 4)) { 433 /* scoped address handling */ 434 ip6 = mtod(m, struct ip6_hdr *); 435 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 436 ip6->ip6_src.s6_addr16[1] = 0; 437 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 438 ip6->ip6_dst.s6_addr16[1] = 0; 439 } 440 441 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 442 if (m == NULL) { 443 DPRINTF(("%s: M_PREPEND failed\n", __func__)); 444 IPIP_STATINC(IPIP_STAT_HDROPS); 445 error = ENOBUFS; 446 goto bad; 447 } 448 449 iphlen = sizeof(struct ip6_hdr); 450 451 /* Initialize IPv6 header */ 452 ip6o = mtod(m, struct ip6_hdr *); 453 ip6o->ip6_flow = 0; 454 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; 455 ip6o->ip6_vfc |= IPV6_VERSION; 456 ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o)); 457 ip6o->ip6_hlim = ip_defttl; 458 ip6o->ip6_dst = saidx->dst.sin6.sin6_addr; 459 ip6o->ip6_src = saidx->src.sin6.sin6_addr; 460 if (IN6_IS_SCOPE_LINKLOCAL(&ip6o->ip6_dst)) 461 ip6o->ip6_dst.s6_addr16[1] = htons(saidx->dst.sin6.sin6_scope_id); 462 if (IN6_IS_SCOPE_LINKLOCAL(&ip6o->ip6_src)) 463 ip6o->ip6_src.s6_addr16[1] = htons(saidx->src.sin6.sin6_scope_id); 464 465 #ifdef INET 466 if (tp == IPVERSION) { 467 /* Save ECN notification */ 468 m_copydata(m, sizeof(struct ip6_hdr) + 469 offsetof(struct ip, ip_tos), sizeof(uint8_t), 470 &itos); 471 472 /* This is really IPVERSION. */ 473 ip6o->ip6_nxt = IPPROTO_IPIP; 474 } else 475 #endif 476 if (tp == (IPV6_VERSION >> 4)) { 477 uint32_t itos32; 478 479 /* Save ECN notification. */ 480 m_copydata(m, sizeof(struct ip6_hdr) + 481 offsetof(struct ip6_hdr, ip6_flow), 482 sizeof(uint32_t), &itos32); 483 itos = ntohl(itos32) >> 20; 484 485 ip6o->ip6_nxt = IPPROTO_IPV6; 486 } else { 487 goto nofamily; 488 } 489 490 otos = 0; 491 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 492 ip6o->ip6_flow |= htonl((uint32_t)otos << 20); 493 break; 494 #endif /* INET6 */ 495 496 default: 497 nofamily: 498 DPRINTF(("%s: unsupported protocol family %u\n", __func__, 499 saidx->dst.sa.sa_family)); 500 IPIP_STATINC(IPIP_STAT_FAMILY); 501 error = EAFNOSUPPORT; 502 goto bad; 503 } 504 505 IPIP_STATINC(IPIP_STAT_OPACKETS); 506 IPIP_STATADD(IPIP_STAT_OBYTES, m->m_pkthdr.len - iphlen); 507 508 *mp = m; 509 return 0; 510 511 bad: 512 if (m) 513 m_freem(m); 514 *mp = NULL; 515 return error; 516 } 517 518 #ifdef INET 519 static struct encapsw ipe4_encapsw = { 520 .encapsw4 = { 521 .pr_input = ip4_input, 522 .pr_ctlinput = NULL, 523 } 524 }; 525 #endif 526 #ifdef INET6 527 static struct encapsw ipe4_encapsw6 = { 528 .encapsw6 = { 529 .pr_input = ip4_input6, 530 .pr_ctlinput = NULL, 531 } 532 }; 533 #endif 534 535 /* 536 * Check the encapsulated packet to see if we want it 537 */ 538 static int 539 ipe4_encapcheck(struct mbuf *m, int off, int proto, void *arg) 540 { 541 /* 542 * Only take packets coming from IPSEC tunnels; the rest 543 * must be handled by the gif tunnel code. Note that we 544 * also return a minimum priority when we want the packet 545 * so any explicit gif tunnels take precedence. 546 */ 547 return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0); 548 } 549 550 /* -------------------------------------------------------------------------- */ 551 552 static int 553 ipe4_init(struct secasvar *sav, const struct xformsw *xsp) 554 { 555 sav->tdb_xform = xsp; 556 return 0; 557 } 558 559 static int 560 ipe4_zeroize(struct secasvar *sav) 561 { 562 sav->tdb_xform = NULL; 563 return 0; 564 } 565 566 static int 567 ipe4_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) 568 { 569 /* This is a rather serious mistake, so no conditional printing. */ 570 printf("%s: should never be called\n", __func__); 571 if (m) 572 m_freem(m); 573 return EOPNOTSUPP; 574 } 575 576 static int 577 ipe4_output(struct mbuf *m, const struct ipsecrequest *isr, 578 struct secasvar *sav, int skip, int protoff) 579 { 580 panic("%s: should not have been called", __func__); 581 } 582 583 static struct xformsw ipe4_xformsw = { 584 .xf_type = XF_IP4, 585 .xf_flags = 0, 586 .xf_name = "IPv4 Simple Encapsulation", 587 .xf_init = ipe4_init, 588 .xf_zeroize = ipe4_zeroize, 589 .xf_input = ipe4_input, 590 .xf_output = ipe4_output, 591 .xf_next = NULL, 592 }; 593 594 /* -------------------------------------------------------------------------- */ 595 596 void 597 ipe4_attach(void) 598 { 599 600 ipipstat_percpu = percpu_alloc(sizeof(uint64_t) * IPIP_NSTATS); 601 602 xform_register(&ipe4_xformsw); 603 /* attach to encapsulation framework */ 604 /* XXX save return cookie for detach on module remove */ 605 606 encapinit(); 607 /* This function is called before ifinit(). Who else gets lock? */ 608 (void)encap_lock_enter(); 609 /* ipe4_encapsw and ipe4_encapsw must be added atomically */ 610 #ifdef INET 611 (void)encap_attach_func(AF_INET, -1, ipe4_encapcheck, &ipe4_encapsw, 612 NULL); 613 #endif 614 #ifdef INET6 615 (void)encap_attach_func(AF_INET6, -1, ipe4_encapcheck, &ipe4_encapsw6, 616 NULL); 617 #endif 618 encap_lock_exit(); 619 } 620