1 /* $NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $ */ 2 /* $FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ 3 /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ 4 5 /* 6 * The authors of this code are John Ioannidis (ji@tla.org), 7 * Angelos D. Keromytis (kermit@csd.uch.gr) and 8 * Niels Provos (provos@physnet.uni-hamburg.de). 9 * 10 * The original version of this code was written by John Ioannidis 11 * for BSD/OS in Athens, Greece, in November 1995. 12 * 13 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 14 * by Angelos D. Keromytis. 15 * 16 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 17 * and Niels Provos. 18 * 19 * Additional features in 1999 by Angelos D. Keromytis. 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * Copyright (c) 2001, Angelos D. Keromytis. 24 * 25 * Permission to use, copy, and modify this software with or without fee 26 * is hereby granted, provided that this entire notice is included in 27 * all copies of any software which is or includes a copy or 28 * modification of this software. 29 * You may use this code under the GNU public license if you so wish. Please 30 * contribute changes back to the authors under this freer than GPL license 31 * so that we may further the use of strong encryption without limitations to 32 * all. 33 * 34 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 35 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 36 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 37 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 38 * PURPOSE. 39 */ 40 41 #include <sys/cdefs.h> 42 __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $"); 43 44 /* 45 * IP-inside-IP processing 46 */ 47 #if defined(_KERNEL_OPT) 48 #include "opt_inet.h" 49 #endif 50 51 #include <sys/param.h> 52 #include <sys/systm.h> 53 #include <sys/mbuf.h> 54 #include <sys/socket.h> 55 #include <sys/kernel.h> 56 #include <sys/protosw.h> 57 #include <sys/sysctl.h> 58 59 #include <net/if.h> 60 #include <net/route.h> 61 #include <net/netisr.h> 62 63 #include <netinet/in.h> 64 #include <netinet/in_systm.h> 65 #include <netinet/in_var.h> 66 #include <netinet/ip.h> 67 #include <netinet/ip_ecn.h> 68 #include <netinet/ip_var.h> 69 #include <netinet/ip_encap.h> 70 71 #include <netipsec/ipsec.h> 72 #include <netipsec/ipsec_private.h> 73 #include <netipsec/xform.h> 74 75 #include <netipsec/ipip_var.h> 76 77 #ifdef INET6 78 #include <netinet/ip6.h> 79 #include <netipsec/ipsec6.h> 80 #include <netinet6/in6_var.h> 81 #include <netinet6/ip6protosw.h> 82 #endif 83 84 #include <netipsec/key.h> 85 #include <netipsec/key_debug.h> 86 87 /* XXX IPCOMP */ 88 #define M_IPSEC (M_AUTHIPHDR|M_DECRYPTED) 89 90 int ipip_spoofcheck = 1; 91 percpu_t *ipipstat_percpu; 92 93 void ipe4_attach(void); 94 95 static void _ipip_input(struct mbuf *, int); 96 97 #ifdef INET6 98 int 99 ip4_input6(struct mbuf **m, int *offp, int proto, void *eparg __unused) 100 { 101 _ipip_input(*m, *offp); 102 return IPPROTO_DONE; 103 } 104 #endif 105 106 #ifdef INET 107 void 108 ip4_input(struct mbuf *m, int off, int proto, void *eparg __unused) 109 { 110 _ipip_input(m, off); 111 } 112 #endif 113 114 /* 115 * _ipip_input gets called when we receive an IP{46} encapsulated packet, 116 * because AH or ESP were being used in tunnel mode. 117 */ 118 static void 119 _ipip_input(struct mbuf *m, int iphlen) 120 { 121 register struct sockaddr_in *sin; 122 register struct ifnet *ifp; 123 register struct ifaddr *ifa; 124 pktqueue_t *pktq = NULL; 125 struct ip *ip4 = NULL; 126 #ifdef INET6 127 register struct sockaddr_in6 *sin6; 128 struct ip6_hdr *ip6 = NULL; 129 uint8_t itos; 130 #endif 131 uint8_t otos; 132 uint8_t v; 133 int hlen; 134 135 IPIP_STATINC(IPIP_STAT_IPACKETS); 136 137 m_copydata(m, 0, 1, &v); 138 139 switch (v >> 4) { 140 #ifdef INET 141 case 4: 142 hlen = sizeof(struct ip); 143 break; 144 #endif 145 #ifdef INET6 146 case 6: 147 hlen = sizeof(struct ip6_hdr); 148 break; 149 #endif 150 default: 151 DPRINTF(("%s: bad protocol version 0x%x (%u) " 152 "for outer header\n", __func__, v, v>>4)); 153 IPIP_STATINC(IPIP_STAT_FAMILY); 154 m_freem(m); 155 return; 156 } 157 158 /* Bring the IP header in the first mbuf, if not there already */ 159 if (m->m_len < hlen) { 160 if ((m = m_pullup(m, hlen)) == NULL) { 161 DPRINTF(("%s: m_pullup (1) failed\n", __func__)); 162 IPIP_STATINC(IPIP_STAT_HDROPS); 163 return; 164 } 165 } 166 167 /* Keep outer ecn field. */ 168 switch (v >> 4) { 169 #ifdef INET 170 case 4: 171 otos = mtod(m, struct ip *)->ip_tos; 172 break; 173 #endif 174 #ifdef INET6 175 case 6: 176 otos = (ntohl(mtod(m, struct ip6_hdr *)->ip6_flow) >> 20) & 0xff; 177 break; 178 #endif 179 default: 180 panic("%s: impossible (1)", __func__); 181 } 182 183 /* Remove outer IP header */ 184 m_adj(m, iphlen); 185 186 /* Sanity check */ 187 if (m->m_pkthdr.len < sizeof(struct ip)) { 188 IPIP_STATINC(IPIP_STAT_HDROPS); 189 m_freem(m); 190 return; 191 } 192 193 m_copydata(m, 0, 1, &v); 194 195 switch (v >> 4) { 196 #ifdef INET 197 case 4: 198 hlen = sizeof(struct ip); 199 pktq = ip_pktq; 200 break; 201 #endif 202 #ifdef INET6 203 case 6: 204 hlen = sizeof(struct ip6_hdr); 205 pktq = ip6_pktq; 206 break; 207 #endif 208 default: 209 DPRINTF(("%s: bad protocol version %#x (%u) " 210 "for inner header\n", __func__, v, v >> 4)); 211 IPIP_STATINC(IPIP_STAT_FAMILY); 212 m_freem(m); 213 return; 214 } 215 216 /* 217 * Bring the inner IP header in the first mbuf, if not there already. 218 */ 219 if (m->m_len < hlen) { 220 if ((m = m_pullup(m, hlen)) == NULL) { 221 DPRINTF(("%s: m_pullup (2) failed\n", __func__)); 222 IPIP_STATINC(IPIP_STAT_HDROPS); 223 return; 224 } 225 } 226 227 /* 228 * RFC 1853 specifies that the inner TTL should not be touched on 229 * decapsulation. There's no reason this comment should be here, but 230 * this is as good as any a position. 231 */ 232 233 /* Some sanity checks in the inner IP header */ 234 switch (v >> 4) { 235 #ifdef INET 236 case 4: 237 ip4 = mtod(m, struct ip *); 238 ip_ecn_egress(ip4_ipsec_ecn, &otos, &ip4->ip_tos); 239 break; 240 #endif 241 #ifdef INET6 242 case 6: 243 ip6 = mtod(m, struct ip6_hdr *); 244 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 245 ip_ecn_egress(ip6_ipsec_ecn, &otos, &itos); 246 ip6->ip6_flow &= ~htonl(0xff << 20); 247 ip6->ip6_flow |= htonl((uint32_t)itos << 20); 248 break; 249 #endif 250 default: 251 panic("%s: impossible (2)", __func__); 252 } 253 254 /* Check for local address spoofing. */ 255 if ((m_get_rcvif_NOMPSAFE(m) == NULL || 256 !(m_get_rcvif_NOMPSAFE(m)->if_flags & IFF_LOOPBACK)) && 257 ipip_spoofcheck) { 258 int s = pserialize_read_enter(); 259 IFNET_READER_FOREACH(ifp) { 260 IFADDR_READER_FOREACH(ifa, ifp) { 261 #ifdef INET 262 if (ip4) { 263 if (ifa->ifa_addr->sa_family != 264 AF_INET) 265 continue; 266 267 sin = (struct sockaddr_in *)ifa->ifa_addr; 268 269 if (sin->sin_addr.s_addr == 270 ip4->ip_src.s_addr) { 271 pserialize_read_exit(s); 272 IPIP_STATINC(IPIP_STAT_SPOOF); 273 m_freem(m); 274 return; 275 } 276 } 277 #endif 278 279 #ifdef INET6 280 if (ip6) { 281 if (ifa->ifa_addr->sa_family != 282 AF_INET6) 283 continue; 284 285 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 286 287 if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { 288 pserialize_read_exit(s); 289 IPIP_STATINC(IPIP_STAT_SPOOF); 290 m_freem(m); 291 return; 292 } 293 294 } 295 #endif 296 } 297 } 298 pserialize_read_exit(s); 299 } 300 301 /* Statistics: m->m_pkthdr.len is the length of the inner packet */ 302 IPIP_STATADD(IPIP_STAT_IBYTES, m->m_pkthdr.len); 303 304 /* 305 * Interface pointer stays the same; if no IPsec processing has 306 * been done (or will be done), this will point to a normal 307 * interface. Otherwise, it'll point to an enc interface, which 308 * will allow a packet filter to distinguish between secure and 309 * untrusted packets. 310 */ 311 312 int s = splnet(); 313 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 314 IPIP_STATINC(IPIP_STAT_QFULL); 315 m_freem(m); 316 } 317 splx(s); 318 } 319 320 int 321 ipip_output(struct mbuf *m, const struct ipsecrequest *isr, 322 struct secasvar *sav, struct mbuf **mp, int skip, int protoff) 323 { 324 char buf[IPSEC_ADDRSTRLEN]; 325 uint8_t tp, otos; 326 struct secasindex *saidx; 327 int error, iphlen; 328 #ifdef INET 329 uint8_t itos; 330 struct ip *ipo; 331 #endif 332 #ifdef INET6 333 struct ip6_hdr *ip6, *ip6o; 334 #endif 335 336 KASSERT(sav != NULL); 337 338 /* XXX Deal with empty TDB source/destination addresses. */ 339 340 m_copydata(m, 0, 1, &tp); 341 tp = (tp >> 4) & 0xff; /* Get the IP version number. */ 342 343 saidx = &sav->sah->saidx; 344 switch (saidx->dst.sa.sa_family) { 345 #ifdef INET 346 case AF_INET: 347 if (saidx->src.sa.sa_family != AF_INET || 348 saidx->src.sin.sin_addr.s_addr == INADDR_ANY || 349 saidx->dst.sin.sin_addr.s_addr == INADDR_ANY) { 350 DPRINTF(("%s: unspecified tunnel endpoint " 351 "address in SA %s/%08lx\n", __func__, 352 ipsec_address(&saidx->dst, buf, sizeof(buf)), 353 (u_long)ntohl(sav->spi))); 354 IPIP_STATINC(IPIP_STAT_UNSPEC); 355 error = EINVAL; 356 goto bad; 357 } 358 359 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 360 if (m == NULL) { 361 DPRINTF(("%s: M_PREPEND failed\n", __func__)); 362 IPIP_STATINC(IPIP_STAT_HDROPS); 363 error = ENOBUFS; 364 goto bad; 365 } 366 367 iphlen = sizeof(struct ip); 368 369 ipo = mtod(m, struct ip *); 370 ipo->ip_v = IPVERSION; 371 ipo->ip_hl = 5; 372 ipo->ip_len = htons(m->m_pkthdr.len); 373 ipo->ip_ttl = ip_defttl; 374 ipo->ip_sum = 0; 375 ipo->ip_src = saidx->src.sin.sin_addr; 376 ipo->ip_dst = saidx->dst.sin.sin_addr; 377 ipo->ip_id = ip_newid(NULL); 378 379 /* If the inner protocol is IP... */ 380 if (tp == IPVERSION) { 381 /* Save ECN notification */ 382 m_copydata(m, sizeof(struct ip) + 383 offsetof(struct ip, ip_tos), 384 sizeof(uint8_t), &itos); 385 386 ipo->ip_p = IPPROTO_IPIP; 387 388 /* 389 * We should be keeping tunnel soft-state and 390 * send back ICMPs if needed. 391 */ 392 m_copydata(m, sizeof(struct ip) + 393 offsetof(struct ip, ip_off), 394 sizeof(uint16_t), &ipo->ip_off); 395 ipo->ip_off &= ~ htons(IP_DF | IP_MF | IP_OFFMASK); 396 } 397 #ifdef INET6 398 else if (tp == (IPV6_VERSION >> 4)) { 399 uint32_t itos32; 400 401 /* Save ECN notification. */ 402 m_copydata(m, sizeof(struct ip) + 403 offsetof(struct ip6_hdr, ip6_flow), 404 sizeof(uint32_t), &itos32); 405 itos = ntohl(itos32) >> 20; 406 ipo->ip_p = IPPROTO_IPV6; 407 ipo->ip_off = 0; 408 } 409 #endif 410 else { 411 goto nofamily; 412 } 413 414 otos = 0; 415 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 416 ipo->ip_tos = otos; 417 break; 418 #endif /* INET */ 419 420 #ifdef INET6 421 case AF_INET6: 422 if (IN6_IS_ADDR_UNSPECIFIED(&saidx->dst.sin6.sin6_addr) || 423 saidx->src.sa.sa_family != AF_INET6 || 424 IN6_IS_ADDR_UNSPECIFIED(&saidx->src.sin6.sin6_addr)) { 425 DPRINTF(("%s: unspecified tunnel endpoint " 426 "address in SA %s/%08lx\n", __func__, 427 ipsec_address(&saidx->dst, buf, sizeof(buf)), 428 (u_long)ntohl(sav->spi))); 429 IPIP_STATINC(IPIP_STAT_UNSPEC); 430 error = ENOBUFS; 431 goto bad; 432 } 433 434 if (tp == (IPV6_VERSION >> 4)) { 435 /* scoped address handling */ 436 ip6 = mtod(m, struct ip6_hdr *); 437 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 438 ip6->ip6_src.s6_addr16[1] = 0; 439 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 440 ip6->ip6_dst.s6_addr16[1] = 0; 441 } 442 443 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 444 if (m == NULL) { 445 DPRINTF(("%s: M_PREPEND failed\n", __func__)); 446 IPIP_STATINC(IPIP_STAT_HDROPS); 447 error = ENOBUFS; 448 goto bad; 449 } 450 451 iphlen = sizeof(struct ip6_hdr); 452 453 /* Initialize IPv6 header */ 454 ip6o = mtod(m, struct ip6_hdr *); 455 ip6o->ip6_flow = 0; 456 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; 457 ip6o->ip6_vfc |= IPV6_VERSION; 458 ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o)); 459 ip6o->ip6_hlim = ip_defttl; 460 ip6o->ip6_dst = saidx->dst.sin6.sin6_addr; 461 ip6o->ip6_src = saidx->src.sin6.sin6_addr; 462 if (IN6_IS_SCOPE_LINKLOCAL(&ip6o->ip6_dst)) 463 ip6o->ip6_dst.s6_addr16[1] = htons(saidx->dst.sin6.sin6_scope_id); 464 if (IN6_IS_SCOPE_LINKLOCAL(&ip6o->ip6_src)) 465 ip6o->ip6_src.s6_addr16[1] = htons(saidx->src.sin6.sin6_scope_id); 466 467 #ifdef INET 468 if (tp == IPVERSION) { 469 /* Save ECN notification */ 470 m_copydata(m, sizeof(struct ip6_hdr) + 471 offsetof(struct ip, ip_tos), sizeof(uint8_t), 472 &itos); 473 474 /* This is really IPVERSION. */ 475 ip6o->ip6_nxt = IPPROTO_IPIP; 476 } else 477 #endif 478 if (tp == (IPV6_VERSION >> 4)) { 479 uint32_t itos32; 480 481 /* Save ECN notification. */ 482 m_copydata(m, sizeof(struct ip6_hdr) + 483 offsetof(struct ip6_hdr, ip6_flow), 484 sizeof(uint32_t), &itos32); 485 itos = ntohl(itos32) >> 20; 486 487 ip6o->ip6_nxt = IPPROTO_IPV6; 488 } else { 489 goto nofamily; 490 } 491 492 otos = 0; 493 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 494 ip6o->ip6_flow |= htonl((uint32_t)otos << 20); 495 break; 496 #endif /* INET6 */ 497 498 default: 499 nofamily: 500 DPRINTF(("%s: unsupported protocol family %u\n", __func__, 501 saidx->dst.sa.sa_family)); 502 IPIP_STATINC(IPIP_STAT_FAMILY); 503 error = EAFNOSUPPORT; 504 goto bad; 505 } 506 507 IPIP_STATINC(IPIP_STAT_OPACKETS); 508 IPIP_STATADD(IPIP_STAT_OBYTES, m->m_pkthdr.len - iphlen); 509 510 *mp = m; 511 return 0; 512 513 bad: 514 if (m) 515 m_freem(m); 516 *mp = NULL; 517 return error; 518 } 519 520 static int 521 ipe4_init(struct secasvar *sav, const struct xformsw *xsp) 522 { 523 sav->tdb_xform = xsp; 524 return 0; 525 } 526 527 static int 528 ipe4_zeroize(struct secasvar *sav) 529 { 530 sav->tdb_xform = NULL; 531 return 0; 532 } 533 534 static int 535 ipe4_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) 536 { 537 /* This is a rather serious mistake, so no conditional printing. */ 538 printf("%s: should never be called\n", __func__); 539 if (m) 540 m_freem(m); 541 return EOPNOTSUPP; 542 } 543 544 static struct xformsw ipe4_xformsw = { 545 .xf_type = XF_IP4, 546 .xf_flags = 0, 547 .xf_name = "IPv4 Simple Encapsulation", 548 .xf_init = ipe4_init, 549 .xf_zeroize = ipe4_zeroize, 550 .xf_input = ipe4_input, 551 .xf_output = ipip_output, 552 .xf_next = NULL, 553 }; 554 555 #ifdef INET 556 static struct encapsw ipe4_encapsw = { 557 .encapsw4 = { 558 .pr_input = ip4_input, 559 .pr_ctlinput = NULL, 560 } 561 }; 562 #endif 563 #ifdef INET6 564 static struct encapsw ipe4_encapsw6 = { 565 .encapsw6 = { 566 .pr_input = ip4_input6, 567 .pr_ctlinput = NULL, 568 } 569 }; 570 #endif 571 572 /* 573 * Check the encapsulated packet to see if we want it 574 */ 575 static int 576 ipe4_encapcheck(struct mbuf *m, int off, int proto, void *arg) 577 { 578 /* 579 * Only take packets coming from IPSEC tunnels; the rest 580 * must be handled by the gif tunnel code. Note that we 581 * also return a minimum priority when we want the packet 582 * so any explicit gif tunnels take precedence. 583 */ 584 return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0); 585 } 586 587 void 588 ipe4_attach(void) 589 { 590 591 ipipstat_percpu = percpu_alloc(sizeof(uint64_t) * IPIP_NSTATS); 592 593 xform_register(&ipe4_xformsw); 594 /* attach to encapsulation framework */ 595 /* XXX save return cookie for detach on module remove */ 596 597 encapinit(); 598 /* This function is called before ifinit(). Who else gets lock? */ 599 (void)encap_lock_enter(); 600 /* ipe4_encapsw and ipe4_encapsw must be added atomically */ 601 #ifdef INET 602 (void)encap_attach_func(AF_INET, -1, ipe4_encapcheck, &ipe4_encapsw, 603 NULL); 604 #endif 605 #ifdef INET6 606 (void)encap_attach_func(AF_INET6, -1, ipe4_encapcheck, &ipe4_encapsw6, 607 NULL); 608 #endif 609 encap_lock_exit(); 610 } 611