1 /* $NetBSD: ipsec_netbsd.c,v 1.3 2003/10/06 22:05:15 tls Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.3 2003/10/06 22:05:15 tls Exp $"); 36 37 #include "opt_inet.h" 38 #include "opt_ipsec.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/malloc.h> 43 #include <sys/mbuf.h> 44 #include <sys/domain.h> 45 #include <sys/protosw.h> 46 #include <sys/socket.h> 47 #include <sys/errno.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/route.h> 54 #include <net/netisr.h> 55 #include <machine/cpu.h> 56 57 #include <netinet/in.h> 58 #include <netinet/in_systm.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip.h> 61 #include <netinet/ip_var.h> 62 #include <netinet/ip_ecn.h> 63 #include <netinet/ip_icmp.h> 64 65 #ifdef IPSEC 66 #include <netkey/key.h> 67 #include <netkey/keydb.h> 68 #include <netkey/key_debug.h> 69 #endif 70 71 #ifdef FAST_IPSEC 72 #include <netipsec/ipsec.h> 73 #include <netipsec/key.h> 74 #include <netipsec/keydb.h> 75 #include <netipsec/key_debug.h> 76 #include <netipsec/ah_var.h> 77 #endif 78 79 80 #include <machine/stdarg.h> 81 82 83 84 #include <netipsec/key.h> 85 86 /* assumes that ip header and ah header are contiguous on mbuf */ 87 void * 88 ah4_ctlinput(cmd, sa, v) 89 int cmd; 90 struct sockaddr *sa; 91 void *v; 92 { 93 struct ip *ip = v; 94 struct ah *ah; 95 struct icmp *icp; 96 struct secasvar *sav; 97 98 if (sa->sa_family != AF_INET || 99 sa->sa_len != sizeof(struct sockaddr_in)) 100 return NULL; 101 if ((unsigned)cmd >= PRC_NCMDS) 102 return NULL; 103 #ifndef notyet 104 (void) ip; (void) ah; (void) icp; (void) sav; 105 #else 106 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 107 /* 108 * Check to see if we have a valid SA corresponding to 109 * the address in the ICMP message payload. 110 */ 111 ah = (struct ah *)((caddr_t)ip + (ip->ip_hl << 2)); 112 if ((sav = key_allocsa(AF_INET, 113 (caddr_t) &ip->ip_src, 114 (caddr_t) &ip->ip_dst, 115 IPPROTO_AH, ah->ah_spi)) == NULL) 116 return NULL; 117 if (sav->state != SADB_SASTATE_MATURE && 118 sav->state != SADB_SASTATE_DYING) { 119 key_freesav(sav); 120 return NULL; 121 } 122 123 /* XXX Further validation? */ 124 125 key_freesav(sav); 126 127 /* 128 * Now that we've validated that we are actually communicating 129 * with the host indicated in the ICMP message, locate the 130 * ICMP header, recalculate the new MTU, and create the 131 * corresponding routing entry. 132 */ 133 icp = (struct icmp *)((caddr_t)ip - 134 offsetof(struct icmp, icmp_ip)); 135 icmp_mtudisc(icp, ip->ip_dst); 136 137 return NULL; 138 } 139 #endif 140 141 return NULL; 142 } 143 144 /* assumes that ip header and esp header are contiguous on mbuf */ 145 void * 146 esp4_ctlinput(cmd, sa, v) 147 int cmd; 148 struct sockaddr *sa; 149 void *v; 150 { 151 struct ip *ip = v; 152 struct esp *esp; 153 struct icmp *icp; 154 struct secasvar *sav; 155 156 if (sa->sa_family != AF_INET || 157 sa->sa_len != sizeof(struct sockaddr_in)) 158 return NULL; 159 if ((unsigned)cmd >= PRC_NCMDS) 160 return NULL; 161 #ifndef notyet 162 (void) ip; (void) esp; (void) icp; (void) sav; 163 #else 164 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 165 /* 166 * Check to see if we have a valid SA corresponding to 167 * the address in the ICMP message payload. 168 */ 169 esp = (struct esp *)((caddr_t)ip + (ip->ip_hl << 2)); 170 if ((sav = key_allocsa(AF_INET, 171 (caddr_t) &ip->ip_src, 172 (caddr_t) &ip->ip_dst, 173 IPPROTO_ESP, esp->esp_spi)) == NULL) 174 return NULL; 175 if (sav->state != SADB_SASTATE_MATURE && 176 sav->state != SADB_SASTATE_DYING) { 177 key_freesav(sav); 178 return NULL; 179 } 180 181 /* XXX Further validation? */ 182 183 key_freesav(sav); 184 185 /* 186 * Now that we've validated that we are actually communicating 187 * with the host indicated in the ICMP message, locate the 188 * ICMP header, recalculate the new MTU, and create the 189 * corresponding routing entry. 190 */ 191 icp = (struct icmp *)((caddr_t)ip - 192 offsetof(struct icmp, icmp_ip)); 193 icmp_mtudisc(icp, ip->ip_dst); 194 195 return NULL; 196 } 197 #endif 198 199 return NULL; 200 } 201 202 #ifdef INET6 203 void 204 esp6_ctlinput(cmd, sa, d) 205 int cmd; 206 struct sockaddr *sa; 207 void *d; 208 { 209 const struct newesp *espp; 210 struct newesp esp; 211 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 212 struct secasvar *sav; 213 struct ip6_hdr *ip6; 214 struct mbuf *m; 215 int off; 216 struct sockaddr_in6 *sa6_src, *sa6_dst; 217 218 if (sa->sa_family != AF_INET6 || 219 sa->sa_len != sizeof(struct sockaddr_in6)) 220 return; 221 if ((unsigned)cmd >= PRC_NCMDS) 222 return; 223 224 /* if the parameter is from icmp6, decode it. */ 225 if (d != NULL) { 226 ip6cp = (struct ip6ctlparam *)d; 227 m = ip6cp->ip6c_m; 228 ip6 = ip6cp->ip6c_ip6; 229 off = ip6cp->ip6c_off; 230 } else { 231 m = NULL; 232 ip6 = NULL; 233 } 234 235 if (ip6) { 236 /* 237 * Notify the error to all possible sockets via pfctlinput2. 238 * Since the upper layer information (such as protocol type, 239 * source and destination ports) is embedded in the encrypted 240 * data and might have been cut, we can't directly call 241 * an upper layer ctlinput function. However, the pcbnotify 242 * function will consider source and destination addresses 243 * as well as the flow info value, and may be able to find 244 * some PCB that should be notified. 245 * Although pfctlinput2 will call esp6_ctlinput(), there is 246 * no possibility of an infinite loop of function calls, 247 * because we don't pass the inner IPv6 header. 248 */ 249 bzero(&ip6cp1, sizeof(ip6cp1)); 250 ip6cp1.ip6c_src = ip6cp->ip6c_src; 251 pfctlinput2(cmd, sa, (void *)&ip6cp1); 252 253 /* 254 * Then go to special cases that need ESP header information. 255 * XXX: We assume that when ip6 is non NULL, 256 * M and OFF are valid. 257 */ 258 259 /* check if we can safely examine src and dst ports */ 260 if (m->m_pkthdr.len < off + sizeof(esp)) 261 return; 262 263 if (m->m_len < off + sizeof(esp)) { 264 /* 265 * this should be rare case, 266 * so we compromise on this copy... 267 */ 268 m_copydata(m, off, sizeof(esp), (caddr_t)&esp); 269 espp = &esp; 270 } else 271 espp = (struct newesp*)(mtod(m, caddr_t) + off); 272 273 if (cmd == PRC_MSGSIZE) { 274 int valid = 0; 275 276 /* 277 * Check to see if we have a valid SA corresponding to 278 * the address in the ICMP message payload. 279 */ 280 sa6_src = ip6cp->ip6c_src; 281 sa6_dst = (struct sockaddr_in6 *)sa; 282 sav = key_allocsa(AF_INET6, 283 (caddr_t)&sa6_src->sin6_addr, 284 (caddr_t)&sa6_dst->sin6_addr, 285 IPPROTO_ESP, espp->esp_spi); 286 if (sav) { 287 if (sav->state == SADB_SASTATE_MATURE || 288 sav->state == SADB_SASTATE_DYING) 289 valid++; 290 key_freesav(sav); 291 } 292 293 /* XXX Further validation? */ 294 295 /* 296 * Depending on the value of "valid" and routing table 297 * size (mtudisc_{hi,lo}wat), we will: 298 * - recalcurate the new MTU and create the 299 * corresponding routing entry, or 300 * - ignore the MTU change notification. 301 */ 302 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 303 } 304 } else { 305 /* we normally notify any pcb here */ 306 } 307 } 308 #endif /* INET6 */ 309 310 311 /*FIXME: placebo for invalpcbcacheall. Fast-IPsec has no pcb cache? */ 312 313 void ipsec_invalpcbcacheall(void); 314 void 315 ipsec_invalpcbcacheall(void) 316 { 317 } 318 319 /* XXX will need a different oid at parent */ 320 int 321 ipsec_sysctl(name, namelen, oldp, oldlenp, newp, newlen) 322 int *name; 323 u_int namelen; 324 void *oldp; 325 size_t *oldlenp; 326 void *newp; 327 size_t newlen; 328 { 329 /* All sysctl names at this level are terminal. */ 330 if (namelen != 1) 331 return ENOTDIR; 332 333 /* common sanity checks */ 334 switch (name[0]) { 335 case IPSECCTL_DEF_ESP_TRANSLEV: 336 case IPSECCTL_DEF_ESP_NETLEV: 337 case IPSECCTL_DEF_AH_TRANSLEV: 338 case IPSECCTL_DEF_AH_NETLEV: 339 if (newp != NULL && newlen == sizeof(int)) { 340 switch (*(int *)newp) { 341 case IPSEC_LEVEL_USE: 342 case IPSEC_LEVEL_REQUIRE: 343 break; 344 default: 345 return EINVAL; 346 } 347 } 348 break; 349 case IPSECCTL_DEF_POLICY: 350 if (newp != NULL && newlen == sizeof(int)) { 351 switch (*(int *)newp) { 352 case IPSEC_POLICY_DISCARD: 353 case IPSEC_POLICY_NONE: 354 break; 355 default: 356 return EINVAL; 357 } 358 ipsec_invalpcbcacheall(); 359 } 360 break; 361 } 362 363 switch (name[0]) { 364 case IPSECCTL_STATS: 365 return sysctl_struct(oldp, oldlenp, newp, newlen, 366 &ipsecstat, sizeof(ipsecstat)); 367 case IPSECCTL_DEF_POLICY: 368 return sysctl_int(oldp, oldlenp, newp, newlen, 369 &ip4_def_policy.policy); 370 case IPSECCTL_DEF_ESP_TRANSLEV: 371 if (newp != NULL) 372 ipsec_invalpcbcacheall(); 373 return sysctl_int(oldp, oldlenp, newp, newlen, 374 &ip4_esp_trans_deflev); 375 case IPSECCTL_DEF_ESP_NETLEV: 376 if (newp != NULL) 377 ipsec_invalpcbcacheall(); 378 return sysctl_int(oldp, oldlenp, newp, newlen, 379 &ip4_esp_net_deflev); 380 case IPSECCTL_DEF_AH_TRANSLEV: 381 if (newp != NULL) 382 ipsec_invalpcbcacheall(); 383 return sysctl_int(oldp, oldlenp, newp, newlen, 384 &ip4_ah_trans_deflev); 385 case IPSECCTL_DEF_AH_NETLEV: 386 if (newp != NULL) 387 ipsec_invalpcbcacheall(); 388 return sysctl_int(oldp, oldlenp, newp, newlen, 389 &ip4_ah_net_deflev); 390 case IPSECCTL_AH_CLEARTOS: 391 return sysctl_int(oldp, oldlenp, newp, newlen, 392 &/*ip4_*/ah_cleartos); 393 case IPSECCTL_AH_OFFSETMASK: 394 return sysctl_int(oldp, oldlenp, newp, newlen, 395 &ip4_ah_offsetmask); 396 case IPSECCTL_DFBIT: 397 return sysctl_int(oldp, oldlenp, newp, newlen, 398 &ip4_ipsec_dfbit); 399 case IPSECCTL_ECN: 400 return sysctl_int(oldp, oldlenp, newp, newlen, &ip4_ipsec_ecn); 401 case IPSECCTL_DEBUG: 402 return sysctl_int(oldp, oldlenp, newp, newlen, &ipsec_debug); 403 default: 404 return EOPNOTSUPP; 405 } 406 /* NOTREACHED */ 407 } 408