1 /* $OpenBSD: ipsec_input.c,v 1.207 2024/12/27 10:15:09 mvs Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pf.h" 39 #include "sec.h" 40 41 #include <sys/param.h> 42 #include <sys/systm.h> 43 #include <sys/protosw.h> 44 #include <sys/mbuf.h> 45 #include <sys/socket.h> 46 #include <sys/sysctl.h> 47 #include <sys/kernel.h> 48 #include <sys/timeout.h> 49 50 #include <net/if.h> 51 #include <net/if_var.h> 52 #include <net/netisr.h> 53 #include <net/bpf.h> 54 #include <net/route.h> 55 56 #include <netinet/in.h> 57 #include <netinet/ip.h> 58 #include <netinet/ip_var.h> 59 #include <netinet/ip_icmp.h> 60 #include <netinet/tcp.h> 61 #include <netinet/udp.h> 62 63 #if NPF > 0 64 #include <net/pfvar.h> 65 #endif 66 67 #if NSEC > 0 68 #include <net/if_sec.h> 69 #endif 70 71 #ifdef INET6 72 #include <netinet6/in6_var.h> 73 #include <netinet/ip6.h> 74 #include <netinet6/ip6_var.h> 75 #endif /* INET6 */ 76 77 #include <netinet/ip_ipsp.h> 78 #include <netinet/ip_esp.h> 79 #include <netinet/ip_ah.h> 80 #include <netinet/ip_ipcomp.h> 81 82 #include <net/if_enc.h> 83 84 #include <crypto/cryptodev.h> 85 #include <crypto/xform.h> 86 87 #include "bpfilter.h" 88 89 /* 90 * Locks used to protect data: 91 * a atomic 92 */ 93 94 void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int); 95 96 #ifdef ENCDEBUG 97 #define DPRINTF(fmt, args...) \ 98 do { \ 99 if (encdebug) \ 100 printf("%s: " fmt "\n", __func__, ## args); \ 101 } while (0) 102 #else 103 #define DPRINTF(fmt, args...) \ 104 do { } while (0) 105 #endif 106 107 /* sysctl variables */ 108 int encdebug = 0; 109 int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT; 110 int ipsec_require_pfs = IPSEC_DEFAULT_PFS; 111 int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS; 112 int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS; 113 int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES; 114 int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES; 115 int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT; 116 int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT; 117 int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE; 118 int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE; 119 int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE; 120 121 int esp_enable = 1; 122 int ah_enable = 1; /* [a] */ 123 int ipcomp_enable = 0; /* [a] */ 124 125 const struct sysctl_bounded_args espctl_vars[] = { 126 {ESPCTL_ENABLE, &esp_enable, 0, 1}, 127 {ESPCTL_UDPENCAP_ENABLE, &udpencap_enable, 0, 1}, 128 {ESPCTL_UDPENCAP_PORT, &udpencap_port, 0, 65535}, 129 }; 130 const struct sysctl_bounded_args ahctl_vars[] = { 131 {AHCTL_ENABLE, &ah_enable, 0, 1}, 132 }; 133 const struct sysctl_bounded_args ipcompctl_vars[] = { 134 {IPCOMPCTL_ENABLE, &ipcomp_enable, 0, 1}, 135 }; 136 137 struct cpumem *espcounters; 138 struct cpumem *ahcounters; 139 struct cpumem *ipcompcounters; 140 struct cpumem *ipseccounters; 141 142 char ipsec_def_enc[20]; 143 char ipsec_def_auth[20]; 144 char ipsec_def_comp[20]; 145 146 const struct sysctl_bounded_args ipsecctl_vars[] = { 147 { IPSEC_ENCDEBUG, &encdebug, 0, 1 }, 148 { IPSEC_EXPIRE_ACQUIRE, &ipsec_expire_acquire, 0, INT_MAX }, 149 { IPSEC_EMBRYONIC_SA_TIMEOUT, &ipsec_keep_invalid, 0, INT_MAX }, 150 { IPSEC_REQUIRE_PFS, &ipsec_require_pfs, 0, 1 }, 151 { IPSEC_SOFT_ALLOCATIONS, &ipsec_soft_allocations, 0, INT_MAX }, 152 { IPSEC_ALLOCATIONS, &ipsec_exp_allocations, 0, INT_MAX }, 153 { IPSEC_SOFT_BYTES, &ipsec_soft_bytes, 0, INT_MAX }, 154 { IPSEC_BYTES, &ipsec_exp_bytes, 0, INT_MAX }, 155 { IPSEC_TIMEOUT, &ipsec_exp_timeout, 0, INT_MAX }, 156 { IPSEC_SOFT_TIMEOUT, &ipsec_soft_timeout,0, INT_MAX }, 157 { IPSEC_SOFT_FIRSTUSE, &ipsec_soft_first_use, 0, INT_MAX }, 158 { IPSEC_FIRSTUSE, &ipsec_exp_first_use, 0, INT_MAX }, 159 }; 160 161 int esp_sysctl_espstat(void *, size_t *, void *); 162 int ah_sysctl_ahstat(void *, size_t *, void *); 163 int ipcomp_sysctl_ipcompstat(void *, size_t *, void *); 164 int ipsec_sysctl_ipsecstat(void *, size_t *, void *); 165 166 void 167 ipsec_init(void) 168 { 169 espcounters = counters_alloc(esps_ncounters); 170 ahcounters = counters_alloc(ahs_ncounters); 171 ipcompcounters = counters_alloc(ipcomps_ncounters); 172 ipseccounters = counters_alloc(ipsec_ncounters); 173 174 strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc)); 175 strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth)); 176 strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp)); 177 178 ipsp_init(); 179 } 180 181 /* 182 * ipsec_common_input() gets called when we receive an IPsec-protected packet 183 * in IPv4 or IPv6. All it does is find the right TDB and call the appropriate 184 * transform. The callback takes care of further processing (like ingress 185 * filtering). 186 */ 187 int 188 ipsec_common_input(struct mbuf **mp, int skip, int protoff, int af, int sproto, 189 int udpencap) 190 { 191 #define IPSEC_ISTAT(x,y,z) do { \ 192 if (sproto == IPPROTO_ESP) \ 193 espstat_inc(x); \ 194 else if (sproto == IPPROTO_AH) \ 195 ahstat_inc(y); \ 196 else \ 197 ipcompstat_inc(z); \ 198 } while (0) 199 200 struct mbuf *m = *mp; 201 union sockaddr_union dst_address; 202 struct tdb *tdbp = NULL; 203 u_int32_t spi; 204 u_int16_t cpi; 205 int prot; 206 #ifdef ENCDEBUG 207 char buf[INET6_ADDRSTRLEN]; 208 #endif 209 210 NET_ASSERT_LOCKED(); 211 212 ipsecstat_pkt(ipsec_ipackets, ipsec_ibytes, m->m_pkthdr.len); 213 IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input); 214 215 if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) { 216 DPRINTF("repeated decompression"); 217 ipcompstat_inc(ipcomps_pdrops); 218 goto drop; 219 } 220 221 if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) { 222 DPRINTF("packet too small"); 223 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 224 goto drop; 225 } 226 227 /* Retrieve the SPI from the relevant IPsec header */ 228 switch (sproto) { 229 case IPPROTO_ESP: 230 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 231 break; 232 case IPPROTO_AH: 233 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 234 (caddr_t) &spi); 235 break; 236 case IPPROTO_IPCOMP: 237 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 238 (caddr_t) &cpi); 239 spi = ntohl(htons(cpi)); 240 break; 241 default: 242 panic("%s: unknown/unsupported security protocol %d", 243 __func__, sproto); 244 } 245 246 /* 247 * Find tunnel control block and (indirectly) call the appropriate 248 * kernel crypto routine. The resulting mbuf chain is a valid 249 * IP packet ready to go through input processing. 250 */ 251 252 memset(&dst_address, 0, sizeof(dst_address)); 253 dst_address.sa.sa_family = af; 254 255 switch (af) { 256 case AF_INET: 257 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 258 m_copydata(m, offsetof(struct ip, ip_dst), 259 sizeof(struct in_addr), 260 (caddr_t) &(dst_address.sin.sin_addr)); 261 break; 262 263 #ifdef INET6 264 case AF_INET6: 265 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 266 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 267 sizeof(struct in6_addr), 268 (caddr_t) &(dst_address.sin6.sin6_addr)); 269 in6_recoverscope(&dst_address.sin6, 270 &dst_address.sin6.sin6_addr); 271 break; 272 #endif /* INET6 */ 273 274 default: 275 DPRINTF("unsupported protocol family %d", af); 276 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf); 277 goto drop; 278 } 279 280 tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid), 281 spi, &dst_address, sproto); 282 if (tdbp == NULL) { 283 DPRINTF("could not find SA for packet to %s, spi %08x", 284 ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi)); 285 IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb); 286 goto drop; 287 } 288 289 if (tdbp->tdb_flags & TDBF_INVALID) { 290 DPRINTF("attempted to use invalid SA %s/%08x/%u", 291 ipsp_address(&dst_address, buf, sizeof(buf)), 292 ntohl(spi), tdbp->tdb_sproto); 293 IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid); 294 goto drop; 295 } 296 297 if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) { 298 DPRINTF("attempted to use non-udpencap SA %s/%08x/%u", 299 ipsp_address(&dst_address, buf, sizeof(buf)), 300 ntohl(spi), tdbp->tdb_sproto); 301 espstat_inc(esps_udpinval); 302 goto drop; 303 } 304 305 if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) { 306 DPRINTF("attempted to use udpencap SA %s/%08x/%u", 307 ipsp_address(&dst_address, buf, sizeof(buf)), 308 ntohl(spi), tdbp->tdb_sproto); 309 espstat_inc(esps_udpneeded); 310 goto drop; 311 } 312 313 if (tdbp->tdb_xform == NULL) { 314 DPRINTF("attempted to use uninitialized SA %s/%08x/%u", 315 ipsp_address(&dst_address, buf, sizeof(buf)), 316 ntohl(spi), tdbp->tdb_sproto); 317 IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform); 318 goto drop; 319 } 320 321 KERNEL_LOCK(); 322 /* Register first use, setup expiration timer. */ 323 if (tdbp->tdb_first_use == 0) { 324 tdbp->tdb_first_use = gettime(); 325 if (tdbp->tdb_flags & TDBF_FIRSTUSE) { 326 if (timeout_add_sec(&tdbp->tdb_first_tmo, 327 tdbp->tdb_exp_first_use)) 328 tdb_ref(tdbp); 329 } 330 if (tdbp->tdb_flags & TDBF_SOFT_FIRSTUSE) { 331 if (timeout_add_sec(&tdbp->tdb_sfirst_tmo, 332 tdbp->tdb_soft_first_use)) 333 tdb_ref(tdbp); 334 } 335 } 336 337 tdbstat_pkt(tdbp, tdb_ipackets, tdb_ibytes, m->m_pkthdr.len); 338 339 /* 340 * Call appropriate transform and return -- callback takes care of 341 * everything else. 342 */ 343 prot = (*(tdbp->tdb_xform->xf_input))(mp, tdbp, skip, protoff); 344 if (prot == IPPROTO_DONE) { 345 ipsecstat_inc(ipsec_idrops); 346 tdbstat_inc(tdbp, tdb_idrops); 347 } 348 tdb_unref(tdbp); 349 KERNEL_UNLOCK(); 350 return prot; 351 352 drop: 353 m_freemp(mp); 354 ipsecstat_inc(ipsec_idrops); 355 if (tdbp != NULL) 356 tdbstat_inc(tdbp, tdb_idrops); 357 tdb_unref(tdbp); 358 return IPPROTO_DONE; 359 } 360 361 /* 362 * IPsec input callback, called by the transform callback. Takes care of 363 * filtering and other sanity checks on the processed packet. 364 */ 365 int 366 ipsec_common_input_cb(struct mbuf **mp, struct tdb *tdbp, int skip, int protoff) 367 { 368 struct mbuf *m = *mp; 369 int af, sproto; 370 u_int8_t prot; 371 #if NBPFILTER > 0 372 struct ifnet *encif; 373 #endif 374 struct ip *ip; 375 #ifdef INET6 376 struct ip6_hdr *ip6; 377 #endif /* INET6 */ 378 struct m_tag *mtag; 379 struct tdb_ident *tdbi; 380 #ifdef ENCDEBUG 381 char buf[INET6_ADDRSTRLEN]; 382 #endif 383 384 af = tdbp->tdb_dst.sa.sa_family; 385 sproto = tdbp->tdb_sproto; 386 387 tdbp->tdb_last_used = gettime(); 388 389 /* Fix IPv4 header */ 390 if (af == AF_INET) { 391 if (m->m_len < skip && 392 (m = *mp = m_pullup(m, skip)) == NULL) { 393 DPRINTF("processing failed for SA %s/%08x", 394 ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)), 395 ntohl(tdbp->tdb_spi)); 396 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 397 goto baddone; 398 } 399 400 ip = mtod(m, struct ip *); 401 ip->ip_len = htons(m->m_pkthdr.len); 402 in_hdr_cksum_out(m, NULL); 403 prot = ip->ip_p; 404 } 405 406 #ifdef INET6 407 /* Fix IPv6 header */ 408 if (af == AF_INET6) { 409 if (m->m_len < sizeof(struct ip6_hdr) && 410 (m = *mp = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 411 412 DPRINTF("processing failed for SA %s/%08x", 413 ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)), 414 ntohl(tdbp->tdb_spi)); 415 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 416 goto baddone; 417 } 418 419 ip6 = mtod(m, struct ip6_hdr *); 420 ip6->ip6_plen = htons(m->m_pkthdr.len - skip); 421 422 /* Save protocol */ 423 m_copydata(m, protoff, 1, (caddr_t) &prot); 424 } 425 #endif /* INET6 */ 426 427 /* 428 * Fix TCP/UDP checksum of UDP encapsulated transport mode ESP packet. 429 * (RFC3948 3.1.2) 430 */ 431 if ((af == AF_INET || af == AF_INET6) && 432 (tdbp->tdb_flags & TDBF_UDPENCAP) && 433 (tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 434 u_int16_t cksum; 435 436 switch (prot) { 437 case IPPROTO_UDP: 438 if (m->m_pkthdr.len < skip + sizeof(struct udphdr)) { 439 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 440 ipcomps_hdrops); 441 goto baddone; 442 } 443 cksum = 0; 444 m_copyback(m, skip + offsetof(struct udphdr, uh_sum), 445 sizeof(cksum), &cksum, M_NOWAIT); 446 #ifdef INET6 447 if (af == AF_INET6) { 448 cksum = in6_cksum(m, IPPROTO_UDP, skip, 449 m->m_pkthdr.len - skip); 450 m_copyback(m, skip + offsetof(struct udphdr, 451 uh_sum), sizeof(cksum), &cksum, M_NOWAIT); 452 } 453 #endif 454 break; 455 case IPPROTO_TCP: 456 if (m->m_pkthdr.len < skip + sizeof(struct tcphdr)) { 457 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 458 ipcomps_hdrops); 459 goto baddone; 460 } 461 cksum = 0; 462 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 463 sizeof(cksum), &cksum, M_NOWAIT); 464 if (af == AF_INET) 465 cksum = in4_cksum(m, IPPROTO_TCP, skip, 466 m->m_pkthdr.len - skip); 467 #ifdef INET6 468 else if (af == AF_INET6) 469 cksum = in6_cksum(m, IPPROTO_TCP, skip, 470 m->m_pkthdr.len - skip); 471 #endif 472 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 473 sizeof(cksum), &cksum, M_NOWAIT); 474 break; 475 } 476 } 477 478 /* 479 * Record what we've done to the packet (under what SA it was 480 * processed). 481 */ 482 if (tdbp->tdb_sproto != IPPROTO_IPCOMP) { 483 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 484 sizeof(struct tdb_ident), M_NOWAIT); 485 if (mtag == NULL) { 486 DPRINTF("failed to get tag"); 487 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 488 goto baddone; 489 } 490 491 tdbi = (struct tdb_ident *)(mtag + 1); 492 tdbi->dst = tdbp->tdb_dst; 493 tdbi->proto = tdbp->tdb_sproto; 494 tdbi->spi = tdbp->tdb_spi; 495 tdbi->rdomain = tdbp->tdb_rdomain; 496 497 m_tag_prepend(m, mtag); 498 } 499 500 switch (sproto) { 501 case IPPROTO_ESP: 502 /* Packet is confidential ? */ 503 if (tdbp->tdb_encalgxform) 504 m->m_flags |= M_CONF; 505 506 /* Check if we had authenticated ESP. */ 507 if (tdbp->tdb_authalgxform) 508 m->m_flags |= M_AUTH; 509 break; 510 case IPPROTO_AH: 511 m->m_flags |= M_AUTH; 512 break; 513 case IPPROTO_IPCOMP: 514 m->m_flags |= M_COMP; 515 break; 516 default: 517 panic("%s: unknown/unsupported security protocol %d", 518 __func__, sproto); 519 } 520 521 #if NPF > 0 522 /* Add pf tag if requested. */ 523 pf_tag_packet(m, tdbp->tdb_tag, -1); 524 pf_pkt_addr_changed(m); 525 #endif 526 if (tdbp->tdb_rdomain != tdbp->tdb_rdomain_post) 527 m->m_pkthdr.ph_rtableid = tdbp->tdb_rdomain_post; 528 529 if (tdbp->tdb_flags & TDBF_TUNNELING) 530 m->m_flags |= M_TUNNEL; 531 532 ipsecstat_add(ipsec_idecompbytes, m->m_pkthdr.len); 533 tdbstat_add(tdbp, tdb_idecompbytes, m->m_pkthdr.len); 534 535 #if NBPFILTER > 0 536 encif = enc_getif(tdbp->tdb_rdomain_post, tdbp->tdb_tap); 537 if (encif != NULL) { 538 encif->if_ipackets++; 539 encif->if_ibytes += m->m_pkthdr.len; 540 541 if (sproto != IPPROTO_IPCOMP) { 542 /* XXX This conflicts with the scoped nature of IPv6 */ 543 m->m_pkthdr.ph_ifidx = encif->if_index; 544 } 545 if (encif->if_bpf) { 546 struct enchdr hdr; 547 548 hdr.af = af; 549 hdr.spi = tdbp->tdb_spi; 550 hdr.flags = m->m_flags & (M_AUTH|M_CONF); 551 552 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 553 ENC_HDRLEN, m, BPF_DIRECTION_IN); 554 } 555 } 556 #endif 557 558 if (ISSET(tdbp->tdb_flags, TDBF_IFACE)) { 559 #if NSEC > 0 560 if (ISSET(tdbp->tdb_flags, TDBF_TUNNELING) && 561 tdbp->tdb_iface_dir == IPSP_DIRECTION_IN) { 562 struct sec_softc *sc = sec_get(tdbp->tdb_iface); 563 if (sc == NULL) 564 goto baddone; 565 566 sec_input(sc, af, prot, m); 567 sec_put(sc); 568 return IPPROTO_DONE; 569 } 570 #endif /* NSEC > 0 */ 571 goto baddone; 572 } 573 574 #if NPF > 0 575 /* 576 * The ip_deliver() shortcut avoids running through ip_input() with the 577 * same IP header twice. Packets in transport mode have to be be 578 * passed to pf explicitly. In tunnel mode the inner IP header will 579 * run through ip_input() and pf anyway. 580 */ 581 if ((tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 582 struct ifnet *ifp; 583 584 /* This is the enc0 interface unless for ipcomp. */ 585 if ((ifp = if_get(m->m_pkthdr.ph_ifidx)) == NULL) { 586 goto baddone; 587 } 588 if (pf_test(af, PF_IN, ifp, mp) != PF_PASS) { 589 if_put(ifp); 590 goto baddone; 591 } 592 m = *mp; 593 if_put(ifp); 594 if (m == NULL) 595 return IPPROTO_DONE; 596 } 597 #endif 598 /* Return to the appropriate protocol handler in deliver loop. */ 599 return prot; 600 601 baddone: 602 m_freemp(mp); 603 return IPPROTO_DONE; 604 #undef IPSEC_ISTAT 605 } 606 607 int 608 ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 609 size_t newlen) 610 { 611 int error; 612 613 switch (name[0]) { 614 case IPCTL_IPSEC_ENC_ALGORITHM: 615 NET_LOCK(); 616 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 617 ipsec_def_enc, sizeof(ipsec_def_enc)); 618 NET_UNLOCK(); 619 return (error); 620 case IPCTL_IPSEC_AUTH_ALGORITHM: 621 NET_LOCK(); 622 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 623 ipsec_def_auth, sizeof(ipsec_def_auth)); 624 NET_UNLOCK(); 625 return (error); 626 case IPCTL_IPSEC_IPCOMP_ALGORITHM: 627 NET_LOCK(); 628 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 629 ipsec_def_comp, sizeof(ipsec_def_comp)); 630 NET_UNLOCK(); 631 return (error); 632 case IPCTL_IPSEC_STATS: 633 return (ipsec_sysctl_ipsecstat(oldp, oldlenp, newp)); 634 default: 635 NET_LOCK(); 636 error = sysctl_bounded_arr(ipsecctl_vars, nitems(ipsecctl_vars), 637 name, namelen, oldp, oldlenp, newp, newlen); 638 NET_UNLOCK(); 639 return (error); 640 } 641 } 642 643 int 644 esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 645 size_t newlen) 646 { 647 int error; 648 649 /* All sysctl names at this level are terminal. */ 650 if (namelen != 1) 651 return (ENOTDIR); 652 653 switch (name[0]) { 654 case ESPCTL_STATS: 655 return (esp_sysctl_espstat(oldp, oldlenp, newp)); 656 default: 657 NET_LOCK(); 658 error = sysctl_bounded_arr(espctl_vars, nitems(espctl_vars), 659 name, namelen, oldp, oldlenp, newp, newlen); 660 NET_UNLOCK(); 661 return (error); 662 } 663 } 664 665 int 666 esp_sysctl_espstat(void *oldp, size_t *oldlenp, void *newp) 667 { 668 struct espstat espstat; 669 670 CTASSERT(sizeof(espstat) == (esps_ncounters * sizeof(uint64_t))); 671 memset(&espstat, 0, sizeof espstat); 672 counters_read(espcounters, (uint64_t *)&espstat, esps_ncounters, NULL); 673 return (sysctl_rdstruct(oldp, oldlenp, newp, &espstat, 674 sizeof(espstat))); 675 } 676 677 int 678 ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 679 size_t newlen) 680 { 681 /* All sysctl names at this level are terminal. */ 682 if (namelen != 1) 683 return (ENOTDIR); 684 685 switch (name[0]) { 686 case AHCTL_STATS: 687 return ah_sysctl_ahstat(oldp, oldlenp, newp); 688 default: 689 return sysctl_bounded_arr(ahctl_vars, nitems(ahctl_vars), name, 690 namelen, oldp, oldlenp, newp, newlen); 691 } 692 } 693 694 int 695 ah_sysctl_ahstat(void *oldp, size_t *oldlenp, void *newp) 696 { 697 struct ahstat ahstat; 698 699 CTASSERT(sizeof(ahstat) == (ahs_ncounters * sizeof(uint64_t))); 700 memset(&ahstat, 0, sizeof ahstat); 701 counters_read(ahcounters, (uint64_t *)&ahstat, ahs_ncounters, NULL); 702 return (sysctl_rdstruct(oldp, oldlenp, newp, &ahstat, sizeof(ahstat))); 703 } 704 705 int 706 ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 707 size_t newlen) 708 { 709 /* All sysctl names at this level are terminal. */ 710 if (namelen != 1) 711 return (ENOTDIR); 712 713 switch (name[0]) { 714 case IPCOMPCTL_STATS: 715 return ipcomp_sysctl_ipcompstat(oldp, oldlenp, newp); 716 default: 717 return sysctl_bounded_arr(ipcompctl_vars, 718 nitems(ipcompctl_vars), name, namelen, oldp, oldlenp, 719 newp, newlen); 720 } 721 } 722 723 int 724 ipcomp_sysctl_ipcompstat(void *oldp, size_t *oldlenp, void *newp) 725 { 726 struct ipcompstat ipcompstat; 727 728 CTASSERT(sizeof(ipcompstat) == (ipcomps_ncounters * sizeof(uint64_t))); 729 memset(&ipcompstat, 0, sizeof ipcompstat); 730 counters_read(ipcompcounters, (uint64_t *)&ipcompstat, 731 ipcomps_ncounters, NULL); 732 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipcompstat, 733 sizeof(ipcompstat))); 734 } 735 736 int 737 ipsec_sysctl_ipsecstat(void *oldp, size_t *oldlenp, void *newp) 738 { 739 struct ipsecstat ipsecstat; 740 741 CTASSERT(sizeof(ipsecstat) == (ipsec_ncounters * sizeof(uint64_t))); 742 memset(&ipsecstat, 0, sizeof ipsecstat); 743 counters_read(ipseccounters, (uint64_t *)&ipsecstat, ipsec_ncounters, 744 NULL); 745 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipsecstat, 746 sizeof(ipsecstat))); 747 } 748 749 int 750 ipsec_input_disabled(struct mbuf **mp, int *offp, int proto, int af) 751 { 752 switch (af) { 753 case AF_INET: 754 return rip_input(mp, offp, proto, af); 755 #ifdef INET6 756 case AF_INET6: 757 return rip6_input(mp, offp, proto, af); 758 #endif 759 default: 760 unhandled_af(af); 761 } 762 } 763 764 int 765 ah46_input(struct mbuf **mp, int *offp, int proto, int af) 766 { 767 int protoff; 768 769 if ( 770 #if NPF > 0 771 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 772 #endif 773 !atomic_load_int(&ah_enable)) 774 return ipsec_input_disabled(mp, offp, proto, af); 775 776 protoff = ipsec_protoff(*mp, *offp, af); 777 if (protoff < 0) { 778 DPRINTF("bad packet header chain"); 779 ahstat_inc(ahs_hdrops); 780 m_freemp(mp); 781 return IPPROTO_DONE; 782 } 783 784 return ipsec_common_input(mp, *offp, protoff, af, proto, 0); 785 } 786 787 void 788 ah4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 789 { 790 if (sa->sa_family != AF_INET || 791 sa->sa_len != sizeof(struct sockaddr_in)) 792 return; 793 794 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_AH); 795 } 796 797 int 798 esp46_input(struct mbuf **mp, int *offp, int proto, int af) 799 { 800 int protoff; 801 802 if ( 803 #if NPF > 0 804 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 805 #endif 806 !esp_enable) 807 return ipsec_input_disabled(mp, offp, proto, af); 808 809 protoff = ipsec_protoff(*mp, *offp, af); 810 if (protoff < 0) { 811 DPRINTF("bad packet header chain"); 812 espstat_inc(esps_hdrops); 813 m_freemp(mp); 814 return IPPROTO_DONE; 815 } 816 817 return ipsec_common_input(mp, *offp, protoff, af, proto, 0); 818 } 819 820 /* IPv4 IPCOMP wrapper */ 821 int 822 ipcomp46_input(struct mbuf **mp, int *offp, int proto, int af) 823 { 824 int protoff; 825 826 if ( 827 #if NPF > 0 828 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 829 #endif 830 !atomic_load_int(&ipcomp_enable)) 831 return ipsec_input_disabled(mp, offp, proto, af); 832 833 protoff = ipsec_protoff(*mp, *offp, af); 834 if (protoff < 0) { 835 DPRINTF("bad packet header chain"); 836 ipcompstat_inc(ipcomps_hdrops); 837 m_freemp(mp); 838 return IPPROTO_DONE; 839 } 840 841 return ipsec_common_input(mp, *offp, protoff, af, proto, 0); 842 } 843 844 void 845 ipsec_set_mtu(struct tdb *tdbp, u_int32_t mtu) 846 { 847 ssize_t adjust; 848 849 NET_ASSERT_LOCKED(); 850 851 /* Walk the chain backwards to the first tdb */ 852 for (; tdbp != NULL; tdbp = tdbp->tdb_inext) { 853 if (tdbp->tdb_flags & TDBF_INVALID || 854 (adjust = ipsec_hdrsz(tdbp)) == -1) 855 return; 856 857 mtu -= adjust; 858 859 /* Store adjusted MTU in tdb */ 860 tdbp->tdb_mtu = mtu; 861 tdbp->tdb_mtutimeout = gettime() + ip_mtudisc_timeout; 862 DPRINTF("spi %08x mtu %d adjust %ld", 863 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust); 864 } 865 } 866 867 void 868 ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa, 869 void *v, int proto) 870 { 871 struct ip *ip = v; 872 873 if (cmd == PRC_MSGSIZE && ip && ip_mtudisc && ip->ip_v == 4) { 874 struct tdb *tdbp; 875 struct sockaddr_in dst; 876 struct icmp *icp; 877 int hlen = ip->ip_hl << 2; 878 u_int32_t spi, mtu; 879 880 /* Find the right MTU. */ 881 icp = (struct icmp *)((caddr_t) ip - 882 offsetof(struct icmp, icmp_ip)); 883 mtu = ntohs(icp->icmp_nextmtu); 884 885 /* 886 * Ignore the packet, if we do not receive a MTU 887 * or the MTU is too small to be acceptable. 888 */ 889 if (mtu < 296) 890 return; 891 892 memset(&dst, 0, sizeof(struct sockaddr_in)); 893 dst.sin_family = AF_INET; 894 dst.sin_len = sizeof(struct sockaddr_in); 895 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 896 897 memcpy(&spi, (caddr_t)ip + hlen, sizeof(u_int32_t)); 898 899 tdbp = gettdb_rev(rdomain, spi, (union sockaddr_union *)&dst, 900 proto); 901 ipsec_set_mtu(tdbp, mtu); 902 tdb_unref(tdbp); 903 } 904 } 905 906 void 907 udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 908 { 909 struct ip *ip = v; 910 struct tdb *tdbp, *first; 911 struct icmp *icp; 912 u_int32_t mtu; 913 struct sockaddr_in dst, src; 914 union sockaddr_union *su_dst, *su_src; 915 916 NET_ASSERT_LOCKED(); 917 918 icp = (struct icmp *)((caddr_t) ip - offsetof(struct icmp, icmp_ip)); 919 mtu = ntohs(icp->icmp_nextmtu); 920 921 /* 922 * Ignore the packet, if we do not receive a MTU 923 * or the MTU is too small to be acceptable. 924 */ 925 if (mtu < 296) 926 return; 927 928 memset(&dst, 0, sizeof(dst)); 929 dst.sin_family = AF_INET; 930 dst.sin_len = sizeof(struct sockaddr_in); 931 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 932 su_dst = (union sockaddr_union *)&dst; 933 memset(&src, 0, sizeof(src)); 934 src.sin_family = AF_INET; 935 src.sin_len = sizeof(struct sockaddr_in); 936 src.sin_addr.s_addr = ip->ip_src.s_addr; 937 su_src = (union sockaddr_union *)&src; 938 939 first = gettdbbysrcdst_rev(rdomain, 0, su_src, su_dst, IPPROTO_ESP); 940 941 mtx_enter(&tdb_sadb_mtx); 942 for (tdbp = first; tdbp != NULL; tdbp = tdbp->tdb_snext) { 943 if (tdbp->tdb_sproto == IPPROTO_ESP && 944 ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_UDPENCAP)) == 945 TDBF_UDPENCAP) && 946 !memcmp(&tdbp->tdb_dst, &dst, su_dst->sa.sa_len) && 947 !memcmp(&tdbp->tdb_src, &src, su_src->sa.sa_len)) 948 ipsec_set_mtu(tdbp, mtu); 949 } 950 mtx_leave(&tdb_sadb_mtx); 951 tdb_unref(first); 952 } 953 954 void 955 esp4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 956 { 957 if (sa->sa_family != AF_INET || 958 sa->sa_len != sizeof(struct sockaddr_in)) 959 return; 960 961 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_ESP); 962 } 963 964 /* Find the offset of the next protocol field in the previous header. */ 965 int 966 ipsec_protoff(struct mbuf *m, int off, int af) 967 { 968 #ifdef INET6 969 struct ip6_ext ip6e; 970 int protoff, nxt, l; 971 #endif /* INET6 */ 972 973 switch (af) { 974 case AF_INET: 975 return offsetof(struct ip, ip_p); 976 #ifdef INET6 977 case AF_INET6: 978 break; 979 #endif /* INET6 */ 980 default: 981 unhandled_af(af); 982 } 983 984 #ifdef INET6 985 if (off < sizeof(struct ip6_hdr)) 986 return -1; 987 988 if (off == sizeof(struct ip6_hdr)) 989 return offsetof(struct ip6_hdr, ip6_nxt); 990 991 /* Chase down the header chain... */ 992 protoff = sizeof(struct ip6_hdr); 993 nxt = (mtod(m, struct ip6_hdr *))->ip6_nxt; 994 l = 0; 995 996 do { 997 protoff += l; 998 m_copydata(m, protoff, sizeof(ip6e), 999 (caddr_t) &ip6e); 1000 1001 if (nxt == IPPROTO_AH) 1002 l = (ip6e.ip6e_len + 2) << 2; 1003 else 1004 l = (ip6e.ip6e_len + 1) << 3; 1005 #ifdef DIAGNOSTIC 1006 if (l <= 0) 1007 panic("%s: l went zero or negative", __func__); 1008 #endif 1009 1010 nxt = ip6e.ip6e_nxt; 1011 } while (protoff + l < off); 1012 1013 /* Malformed packet check */ 1014 if (protoff + l != off) 1015 return -1; 1016 1017 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1018 return protoff; 1019 #endif /* INET6 */ 1020 } 1021 1022 int 1023 ipsec_forward_check(struct mbuf *m, int hlen, int af) 1024 { 1025 struct tdb *tdb; 1026 struct tdb_ident *tdbi; 1027 struct m_tag *mtag; 1028 int error = 0; 1029 1030 /* 1031 * IPsec policy check for forwarded packets. Look at 1032 * inner-most IPsec SA used. 1033 */ 1034 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1035 if (mtag != NULL) { 1036 tdbi = (struct tdb_ident *)(mtag + 1); 1037 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1038 } else 1039 tdb = NULL; 1040 error = ipsp_spd_lookup(m, af, hlen, IPSP_DIRECTION_IN, 1041 tdb, NULL, NULL, NULL); 1042 tdb_unref(tdb); 1043 1044 return error; 1045 } 1046 1047 int 1048 ipsec_local_check(struct mbuf *m, int hlen, int proto, int af) 1049 { 1050 struct tdb *tdb; 1051 struct tdb_ident *tdbi; 1052 struct m_tag *mtag; 1053 int error = 0; 1054 1055 /* 1056 * If it's a protected packet for us, skip the policy check. 1057 * That's because we really only care about the properties of 1058 * the protected packet, and not the intermediate versions. 1059 * While this is not the most paranoid setting, it allows 1060 * some flexibility in handling nested tunnels (in setting up 1061 * the policies). 1062 */ 1063 if ((proto == IPPROTO_ESP) || (proto == IPPROTO_AH) || 1064 (proto == IPPROTO_IPCOMP)) 1065 return 0; 1066 1067 /* 1068 * If the protected packet was tunneled, then we need to 1069 * verify the protected packet's information, not the 1070 * external headers. Thus, skip the policy lookup for the 1071 * external packet, and keep the IPsec information linked on 1072 * the packet header (the encapsulation routines know how 1073 * to deal with that). 1074 */ 1075 if ((proto == IPPROTO_IPV4) || (proto == IPPROTO_IPV6)) 1076 return 0; 1077 1078 /* 1079 * When processing IPv6 header chains, do not look at the 1080 * outer header. The inner protocol is relevant and will 1081 * be checked by the local delivery loop later. 1082 */ 1083 if ((af == AF_INET6) && ((proto == IPPROTO_DSTOPTS) || 1084 (proto == IPPROTO_ROUTING) || (proto == IPPROTO_FRAGMENT))) 1085 return 0; 1086 1087 /* 1088 * If the protected packet is TCP or UDP, we'll do the 1089 * policy check in the respective input routine, so we can 1090 * check for bypass sockets. 1091 */ 1092 if ((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP)) 1093 return 0; 1094 1095 /* 1096 * IPsec policy check for local-delivery packets. Look at the 1097 * inner-most SA that protected the packet. This is in fact 1098 * a bit too restrictive (it could end up causing packets to 1099 * be dropped that semantically follow the policy, e.g., in 1100 * certain SA-bundle configurations); but the alternative is 1101 * very complicated (and requires keeping track of what 1102 * kinds of tunneling headers have been seen in-between the 1103 * IPsec headers), and I don't think we lose much functionality 1104 * that's needed in the real world (who uses bundles anyway ?). 1105 */ 1106 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1107 if (mtag) { 1108 tdbi = (struct tdb_ident *)(mtag + 1); 1109 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, 1110 tdbi->proto); 1111 } else 1112 tdb = NULL; 1113 error = ipsp_spd_lookup(m, af, hlen, IPSP_DIRECTION_IN, 1114 tdb, NULL, NULL, NULL); 1115 tdb_unref(tdb); 1116 1117 return error; 1118 } 1119