1 /* $OpenBSD: ipsec_input.c,v 1.161 2017/11/20 10:35:24 mpi Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pf.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/protosw.h> 43 #include <sys/mbuf.h> 44 #include <sys/socket.h> 45 #include <sys/sysctl.h> 46 #include <sys/kernel.h> 47 #include <sys/timeout.h> 48 49 #include <net/if.h> 50 #include <net/if_var.h> 51 #include <net/netisr.h> 52 #include <net/bpf.h> 53 #include <net/route.h> 54 55 #include <netinet/in.h> 56 #include <netinet/ip.h> 57 #include <netinet/ip_var.h> 58 #include <netinet/ip_icmp.h> 59 #include <netinet/tcp.h> 60 #include <netinet/udp.h> 61 62 #if NPF > 0 63 #include <net/pfvar.h> 64 #endif 65 66 #ifdef INET6 67 #include <netinet6/in6_var.h> 68 #include <netinet/ip6.h> 69 #include <netinet6/ip6_var.h> 70 #include <netinet6/ip6protosw.h> 71 #endif /* INET6 */ 72 73 #include <netinet/ip_ipsp.h> 74 #include <netinet/ip_esp.h> 75 #include <netinet/ip_ah.h> 76 #include <netinet/ip_ipcomp.h> 77 78 #include <net/if_enc.h> 79 80 #include "bpfilter.h" 81 82 void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int); 83 84 #ifdef ENCDEBUG 85 #define DPRINTF(x) if (encdebug) printf x 86 #else 87 #define DPRINTF(x) 88 #endif 89 90 /* sysctl variables */ 91 int encdebug = 0; 92 int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT; 93 int ipsec_require_pfs = IPSEC_DEFAULT_PFS; 94 int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS; 95 int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS; 96 int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES; 97 int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES; 98 int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT; 99 int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT; 100 int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE; 101 int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE; 102 int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE; 103 104 int esp_enable = 1; 105 int ah_enable = 1; 106 int ipcomp_enable = 0; 107 108 int *espctl_vars[ESPCTL_MAXID] = ESPCTL_VARS; 109 int *ahctl_vars[AHCTL_MAXID] = AHCTL_VARS; 110 int *ipcompctl_vars[IPCOMPCTL_MAXID] = IPCOMPCTL_VARS; 111 112 struct cpumem *espcounters; 113 struct cpumem *ahcounters; 114 struct cpumem *ipcompcounters; 115 116 char ipsec_def_enc[20]; 117 char ipsec_def_auth[20]; 118 char ipsec_def_comp[20]; 119 120 int *ipsecctl_vars[IPSEC_MAXID] = IPSECCTL_VARS; 121 122 int esp_sysctl_espstat(void *, size_t *, void *); 123 int ah_sysctl_ahstat(void *, size_t *, void *); 124 int ipcomp_sysctl_ipcompstat(void *, size_t *, void *); 125 126 void 127 ipsec_init(void) 128 { 129 espcounters = counters_alloc(esps_ncounters); 130 ahcounters = counters_alloc(ahs_ncounters); 131 ipcompcounters = counters_alloc(ipcomps_ncounters); 132 133 strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc)); 134 strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth)); 135 strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp)); 136 137 } 138 139 /* 140 * ipsec_common_input() gets called when we receive an IPsec-protected packet 141 * in IPv4 or IPv6. All it does is find the right TDB and call the appropriate 142 * transform. The callback takes care of further processing (like ingress 143 * filtering). 144 */ 145 int 146 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, 147 int udpencap) 148 { 149 #define IPSEC_ISTAT(x,y,z) do { \ 150 if (sproto == IPPROTO_ESP) \ 151 espstat_inc(x); \ 152 else if (sproto == IPPROTO_AH) \ 153 ahstat_inc(y); \ 154 else \ 155 ipcompstat_inc(z); \ 156 } while (0) 157 158 union sockaddr_union dst_address; 159 struct tdb *tdbp; 160 struct ifnet *encif; 161 u_int32_t spi; 162 u_int16_t cpi; 163 int error; 164 #ifdef ENCDEBUG 165 char buf[INET6_ADDRSTRLEN]; 166 #endif 167 168 NET_ASSERT_LOCKED(); 169 170 IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input); 171 172 if (m == NULL) { 173 DPRINTF(("%s: NULL packet received\n", __func__)); 174 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 175 return EINVAL; 176 } 177 178 if ((sproto == IPPROTO_ESP && !esp_enable) || 179 (sproto == IPPROTO_AH && !ah_enable) || 180 #if NPF > 0 181 (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 182 #endif 183 (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) { 184 switch (af) { 185 case AF_INET: 186 rip_input(&m, &skip, sproto, af); 187 break; 188 #ifdef INET6 189 case AF_INET6: 190 rip6_input(&m, &skip, sproto, af); 191 break; 192 #endif /* INET6 */ 193 default: 194 DPRINTF(("%s: unsupported protocol family %d\n", 195 __func__, af)); 196 m_freem(m); 197 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf); 198 return EPFNOSUPPORT; 199 } 200 return 0; 201 } 202 if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) { 203 m_freem(m); 204 ipcompstat_inc(ipcomps_pdrops); 205 DPRINTF(("%s: repeated decompression\n", __func__)); 206 return EINVAL; 207 } 208 209 if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) { 210 m_freem(m); 211 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 212 DPRINTF(("%s: packet too small\n", __func__)); 213 return EINVAL; 214 } 215 216 /* Retrieve the SPI from the relevant IPsec header */ 217 switch (sproto) { 218 case IPPROTO_ESP: 219 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 220 break; 221 case IPPROTO_AH: 222 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 223 (caddr_t) &spi); 224 break; 225 case IPPROTO_IPCOMP: 226 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 227 (caddr_t) &cpi); 228 spi = ntohl(htons(cpi)); 229 break; 230 default: 231 panic("%s: unknown/unsupported security protocol %d", 232 __func__, sproto); 233 } 234 235 /* 236 * Find tunnel control block and (indirectly) call the appropriate 237 * kernel crypto routine. The resulting mbuf chain is a valid 238 * IP packet ready to go through input processing. 239 */ 240 241 memset(&dst_address, 0, sizeof(dst_address)); 242 dst_address.sa.sa_family = af; 243 244 switch (af) { 245 case AF_INET: 246 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 247 m_copydata(m, offsetof(struct ip, ip_dst), 248 sizeof(struct in_addr), 249 (caddr_t) &(dst_address.sin.sin_addr)); 250 break; 251 252 #ifdef INET6 253 case AF_INET6: 254 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 255 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 256 sizeof(struct in6_addr), 257 (caddr_t) &(dst_address.sin6.sin6_addr)); 258 in6_recoverscope(&dst_address.sin6, 259 &dst_address.sin6.sin6_addr); 260 break; 261 #endif /* INET6 */ 262 263 default: 264 DPRINTF(("%s: unsupported protocol family %d\n", __func__, af)); 265 m_freem(m); 266 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf); 267 return EPFNOSUPPORT; 268 } 269 270 tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid), 271 spi, &dst_address, sproto); 272 if (tdbp == NULL) { 273 DPRINTF(("%s: could not find SA for packet to %s, spi %08x\n", 274 __func__, 275 ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi))); 276 m_freem(m); 277 IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb); 278 return ENOENT; 279 } 280 281 if (tdbp->tdb_flags & TDBF_INVALID) { 282 DPRINTF(("%s: attempted to use invalid SA %s/%08x/%u\n", 283 __func__, ipsp_address(&dst_address, buf, 284 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 285 m_freem(m); 286 IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid); 287 return EINVAL; 288 } 289 290 if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) { 291 DPRINTF(("%s: attempted to use non-udpencap SA %s/%08x/%u\n", 292 __func__, ipsp_address(&dst_address, buf, 293 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 294 m_freem(m); 295 espstat_inc(esps_udpinval); 296 return EINVAL; 297 } 298 299 if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) { 300 DPRINTF(("%s: attempted to use udpencap SA %s/%08x/%u\n", 301 __func__, ipsp_address(&dst_address, buf, 302 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 303 m_freem(m); 304 espstat_inc(esps_udpneeded); 305 return EINVAL; 306 } 307 308 if (tdbp->tdb_xform == NULL) { 309 DPRINTF(("%s: attempted to use uninitialized SA %s/%08x/%u\n", 310 __func__, ipsp_address(&dst_address, buf, 311 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 312 m_freem(m); 313 IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform); 314 return ENXIO; 315 } 316 317 if (sproto != IPPROTO_IPCOMP) { 318 if ((encif = enc_getif(tdbp->tdb_rdomain, 319 tdbp->tdb_tap)) == NULL) { 320 DPRINTF(("%s: no enc%u interface for SA %s/%08x/%u\n", 321 __func__, 322 tdbp->tdb_tap, ipsp_address(&dst_address, buf, 323 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 324 m_freem(m); 325 326 IPSEC_ISTAT(esps_pdrops, ahs_pdrops, ipcomps_pdrops); 327 return EACCES; 328 } 329 330 /* XXX This conflicts with the scoped nature of IPv6 */ 331 m->m_pkthdr.ph_ifidx = encif->if_index; 332 } 333 334 /* Register first use, setup expiration timer. */ 335 if (tdbp->tdb_first_use == 0) { 336 tdbp->tdb_first_use = time_second; 337 if (tdbp->tdb_flags & TDBF_FIRSTUSE) 338 timeout_add_sec(&tdbp->tdb_first_tmo, 339 tdbp->tdb_exp_first_use); 340 if (tdbp->tdb_flags & TDBF_SOFT_FIRSTUSE) 341 timeout_add_sec(&tdbp->tdb_sfirst_tmo, 342 tdbp->tdb_soft_first_use); 343 } 344 345 /* 346 * Call appropriate transform and return -- callback takes care of 347 * everything else. 348 */ 349 error = (*(tdbp->tdb_xform->xf_input))(m, tdbp, skip, protoff); 350 return error; 351 } 352 353 /* 354 * IPsec input callback, called by the transform callback. Takes care of 355 * filtering and other sanity checks on the processed packet. 356 */ 357 void 358 ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) 359 { 360 int af, sproto; 361 u_int8_t prot; 362 363 #if NBPFILTER > 0 364 struct ifnet *encif; 365 #endif 366 367 struct ip *ip, ipn; 368 369 #ifdef INET6 370 struct ip6_hdr *ip6, ip6n; 371 #endif /* INET6 */ 372 struct m_tag *mtag; 373 struct tdb_ident *tdbi; 374 375 #ifdef ENCDEBUG 376 char buf[INET6_ADDRSTRLEN]; 377 #endif 378 379 af = tdbp->tdb_dst.sa.sa_family; 380 sproto = tdbp->tdb_sproto; 381 382 tdbp->tdb_last_used = time_second; 383 384 /* Sanity check */ 385 if (m == NULL) { 386 /* The called routine will print a message if necessary */ 387 IPSEC_ISTAT(esps_badkcr, ahs_badkcr, ipcomps_badkcr); 388 return; 389 } 390 391 /* Fix IPv4 header */ 392 if (af == AF_INET) { 393 if ((m->m_len < skip) && ((m = m_pullup(m, skip)) == NULL)) { 394 DPRINTF(("%s: processing failed for SA %s/%08x\n", 395 __func__, ipsp_address(&tdbp->tdb_dst, 396 buf, sizeof(buf)), ntohl(tdbp->tdb_spi))); 397 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 398 return; 399 } 400 401 ip = mtod(m, struct ip *); 402 ip->ip_len = htons(m->m_pkthdr.len); 403 ip->ip_sum = 0; 404 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 405 prot = ip->ip_p; 406 407 /* IP-in-IP encapsulation */ 408 if (prot == IPPROTO_IPIP) { 409 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 410 m_freem(m); 411 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 412 ipcomps_hdrops); 413 return; 414 } 415 /* ipn will now contain the inner IPv4 header */ 416 m_copydata(m, skip, sizeof(struct ip), 417 (caddr_t) &ipn); 418 } 419 420 #ifdef INET6 421 /* IPv6-in-IP encapsulation. */ 422 if (prot == IPPROTO_IPV6) { 423 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 424 m_freem(m); 425 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 426 ipcomps_hdrops); 427 return; 428 } 429 /* ip6n will now contain the inner IPv6 header. */ 430 m_copydata(m, skip, sizeof(struct ip6_hdr), 431 (caddr_t) &ip6n); 432 } 433 #endif /* INET6 */ 434 } 435 436 #ifdef INET6 437 /* Fix IPv6 header */ 438 if (af == AF_INET6) 439 { 440 if (m->m_len < sizeof(struct ip6_hdr) && 441 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 442 443 DPRINTF(("%s: processing failed for SA %s/%08x\n", 444 __func__, ipsp_address(&tdbp->tdb_dst, 445 buf, sizeof(buf)), ntohl(tdbp->tdb_spi))); 446 447 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 448 return; 449 } 450 451 ip6 = mtod(m, struct ip6_hdr *); 452 ip6->ip6_plen = htons(m->m_pkthdr.len - skip); 453 454 /* Save protocol */ 455 m_copydata(m, protoff, 1, (caddr_t) &prot); 456 457 /* IP-in-IP encapsulation */ 458 if (prot == IPPROTO_IPIP) { 459 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 460 m_freem(m); 461 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 462 ipcomps_hdrops); 463 return; 464 } 465 /* ipn will now contain the inner IPv4 header */ 466 m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn); 467 } 468 469 /* IPv6-in-IP encapsulation */ 470 if (prot == IPPROTO_IPV6) { 471 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 472 m_freem(m); 473 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 474 ipcomps_hdrops); 475 return; 476 } 477 /* ip6n will now contain the inner IPv6 header. */ 478 m_copydata(m, skip, sizeof(struct ip6_hdr), 479 (caddr_t) &ip6n); 480 } 481 } 482 #endif /* INET6 */ 483 484 /* 485 * Fix TCP/UDP checksum of UDP encapsulated transport mode ESP packet. 486 * (RFC3948 3.1.2) 487 */ 488 if ((af == AF_INET || af == AF_INET6) && 489 (tdbp->tdb_flags & TDBF_UDPENCAP) && 490 (tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 491 u_int16_t cksum; 492 493 switch (prot) { 494 case IPPROTO_UDP: 495 if (m->m_pkthdr.len < skip + sizeof(struct udphdr)) { 496 m_freem(m); 497 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 498 ipcomps_hdrops); 499 return; 500 } 501 cksum = 0; 502 m_copyback(m, skip + offsetof(struct udphdr, uh_sum), 503 sizeof(cksum), &cksum, M_NOWAIT); 504 #ifdef INET6 505 if (af == AF_INET6) { 506 cksum = in6_cksum(m, IPPROTO_UDP, skip, 507 m->m_pkthdr.len - skip); 508 m_copyback(m, skip + offsetof(struct udphdr, 509 uh_sum), sizeof(cksum), &cksum, M_NOWAIT); 510 } 511 #endif 512 break; 513 case IPPROTO_TCP: 514 if (m->m_pkthdr.len < skip + sizeof(struct tcphdr)) { 515 m_freem(m); 516 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 517 ipcomps_hdrops); 518 return; 519 } 520 cksum = 0; 521 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 522 sizeof(cksum), &cksum, M_NOWAIT); 523 if (af == AF_INET) 524 cksum = in4_cksum(m, IPPROTO_TCP, skip, 525 m->m_pkthdr.len - skip); 526 #ifdef INET6 527 else if (af == AF_INET6) 528 cksum = in6_cksum(m, IPPROTO_TCP, skip, 529 m->m_pkthdr.len - skip); 530 #endif 531 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 532 sizeof(cksum), &cksum, M_NOWAIT); 533 break; 534 } 535 } 536 537 /* 538 * Record what we've done to the packet (under what SA it was 539 * processed). 540 */ 541 if (tdbp->tdb_sproto != IPPROTO_IPCOMP) { 542 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 543 sizeof(struct tdb_ident), M_NOWAIT); 544 if (mtag == NULL) { 545 m_freem(m); 546 DPRINTF(("%s: failed to get tag\n", __func__)); 547 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 548 return; 549 } 550 551 tdbi = (struct tdb_ident *)(mtag + 1); 552 tdbi->dst = tdbp->tdb_dst; 553 tdbi->proto = tdbp->tdb_sproto; 554 tdbi->spi = tdbp->tdb_spi; 555 tdbi->rdomain = tdbp->tdb_rdomain; 556 557 m_tag_prepend(m, mtag); 558 } 559 560 switch (sproto) { 561 case IPPROTO_ESP: 562 /* Packet is confidential ? */ 563 if (tdbp->tdb_encalgxform) 564 m->m_flags |= M_CONF; 565 566 /* Check if we had authenticated ESP. */ 567 if (tdbp->tdb_authalgxform) 568 m->m_flags |= M_AUTH; 569 break; 570 case IPPROTO_AH: 571 m->m_flags |= M_AUTH; 572 break; 573 case IPPROTO_IPCOMP: 574 m->m_flags |= M_COMP; 575 break; 576 default: 577 panic("%s: unknown/unsupported security protocol %d", 578 __func__, sproto); 579 } 580 581 #if NPF > 0 582 /* Add pf tag if requested. */ 583 pf_tag_packet(m, tdbp->tdb_tag, -1); 584 pf_pkt_addr_changed(m); 585 #endif 586 587 if (tdbp->tdb_flags & TDBF_TUNNELING) 588 m->m_flags |= M_TUNNEL; 589 590 #if NBPFILTER > 0 591 if ((encif = enc_getif(tdbp->tdb_rdomain, tdbp->tdb_tap)) != NULL) { 592 encif->if_ipackets++; 593 encif->if_ibytes += m->m_pkthdr.len; 594 595 if (encif->if_bpf) { 596 struct enchdr hdr; 597 598 hdr.af = af; 599 hdr.spi = tdbp->tdb_spi; 600 hdr.flags = m->m_flags & (M_AUTH|M_CONF); 601 602 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 603 ENC_HDRLEN, m, BPF_DIRECTION_IN, NULL); 604 } 605 } 606 #endif 607 608 #if NPF > 0 609 /* 610 * The ip_deliver() shortcut avoids running through ip_input() with the 611 * same IP header twice. Packets in transport mode have to be be 612 * passed to pf explicitly. In tunnel mode the inner IP header will 613 * run through ip_input() and pf anyway. 614 */ 615 if ((tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 616 struct ifnet *ifp; 617 618 /* This is the enc0 interface unless for ipcomp. */ 619 if ((ifp = if_get(m->m_pkthdr.ph_ifidx)) == NULL) { 620 m_freem(m); 621 return; 622 } 623 if (pf_test(af, PF_IN, ifp, &m) != PF_PASS) { 624 if_put(ifp); 625 m_freem(m); 626 return; 627 } 628 if_put(ifp); 629 if (m == NULL) 630 return; 631 } 632 #endif 633 /* Call the appropriate IPsec transform callback. */ 634 ip_deliver(&m, &skip, prot, af); 635 #undef IPSEC_ISTAT 636 } 637 638 int 639 ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 640 size_t newlen) 641 { 642 int error; 643 644 switch (name[0]) { 645 case IPCTL_IPSEC_ENC_ALGORITHM: 646 NET_LOCK(); 647 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 648 ipsec_def_enc, sizeof(ipsec_def_enc)); 649 NET_UNLOCK(); 650 return (error); 651 case IPCTL_IPSEC_AUTH_ALGORITHM: 652 NET_LOCK(); 653 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 654 ipsec_def_auth, sizeof(ipsec_def_auth)); 655 NET_UNLOCK(); 656 return (error); 657 case IPCTL_IPSEC_IPCOMP_ALGORITHM: 658 NET_LOCK(); 659 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 660 ipsec_def_comp, sizeof(ipsec_def_comp)); 661 NET_UNLOCK(); 662 return (error); 663 default: 664 if (name[0] < IPSEC_MAXID) { 665 NET_LOCK(); 666 error = sysctl_int_arr(ipsecctl_vars, name, namelen, 667 oldp, oldlenp, newp, newlen); 668 NET_UNLOCK(); 669 return (error); 670 } 671 return (EOPNOTSUPP); 672 } 673 } 674 675 int 676 esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 677 size_t newlen) 678 { 679 int error; 680 681 /* All sysctl names at this level are terminal. */ 682 if (namelen != 1) 683 return (ENOTDIR); 684 685 switch (name[0]) { 686 case ESPCTL_STATS: 687 return (esp_sysctl_espstat(oldp, oldlenp, newp)); 688 default: 689 if (name[0] < ESPCTL_MAXID) { 690 NET_LOCK(); 691 error = sysctl_int_arr(espctl_vars, name, namelen, 692 oldp, oldlenp, newp, newlen); 693 NET_UNLOCK(); 694 return (error); 695 } 696 return (ENOPROTOOPT); 697 } 698 } 699 700 int 701 esp_sysctl_espstat(void *oldp, size_t *oldlenp, void *newp) 702 { 703 struct espstat espstat; 704 705 CTASSERT(sizeof(espstat) == (esps_ncounters * sizeof(uint64_t))); 706 memset(&espstat, 0, sizeof espstat); 707 counters_read(espcounters, (uint64_t *)&espstat, esps_ncounters); 708 return (sysctl_rdstruct(oldp, oldlenp, newp, &espstat, 709 sizeof(espstat))); 710 } 711 712 int 713 ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 714 size_t newlen) 715 { 716 int error; 717 718 /* All sysctl names at this level are terminal. */ 719 if (namelen != 1) 720 return (ENOTDIR); 721 722 switch (name[0]) { 723 case AHCTL_STATS: 724 return ah_sysctl_ahstat(oldp, oldlenp, newp); 725 default: 726 if (name[0] < AHCTL_MAXID) { 727 NET_LOCK(); 728 error = sysctl_int_arr(ahctl_vars, name, namelen, 729 oldp, oldlenp, newp, newlen); 730 NET_UNLOCK(); 731 return (error); 732 } 733 return (ENOPROTOOPT); 734 } 735 } 736 737 int 738 ah_sysctl_ahstat(void *oldp, size_t *oldlenp, void *newp) 739 { 740 struct ahstat ahstat; 741 742 CTASSERT(sizeof(ahstat) == (ahs_ncounters * sizeof(uint64_t))); 743 memset(&ahstat, 0, sizeof ahstat); 744 counters_read(ahcounters, (uint64_t *)&ahstat, ahs_ncounters); 745 return (sysctl_rdstruct(oldp, oldlenp, newp, &ahstat, sizeof(ahstat))); 746 } 747 748 int 749 ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 750 size_t newlen) 751 { 752 int error; 753 754 /* All sysctl names at this level are terminal. */ 755 if (namelen != 1) 756 return (ENOTDIR); 757 758 switch (name[0]) { 759 case IPCOMPCTL_STATS: 760 return ipcomp_sysctl_ipcompstat(oldp, oldlenp, newp); 761 default: 762 if (name[0] < IPCOMPCTL_MAXID) { 763 NET_LOCK(); 764 error = sysctl_int_arr(ipcompctl_vars, name, namelen, 765 oldp, oldlenp, newp, newlen); 766 NET_UNLOCK(); 767 return (error); 768 } 769 return (ENOPROTOOPT); 770 } 771 } 772 773 int 774 ipcomp_sysctl_ipcompstat(void *oldp, size_t *oldlenp, void *newp) 775 { 776 struct ipcompstat ipcompstat; 777 778 CTASSERT(sizeof(ipcompstat) == (ipcomps_ncounters * sizeof(uint64_t))); 779 memset(&ipcompstat, 0, sizeof ipcompstat); 780 counters_read(ipcompcounters, (uint64_t *)&ipcompstat, 781 ipcomps_ncounters); 782 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipcompstat, 783 sizeof(ipcompstat))); 784 } 785 786 /* IPv4 AH wrapper. */ 787 int 788 ah4_input(struct mbuf **mp, int *offp, int proto, int af) 789 { 790 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 791 proto, 0); 792 return IPPROTO_DONE; 793 } 794 795 /* XXX rdomain */ 796 void 797 ah4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 798 { 799 if (sa->sa_family != AF_INET || 800 sa->sa_len != sizeof(struct sockaddr_in)) 801 return; 802 803 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_AH); 804 } 805 806 /* IPv4 ESP wrapper. */ 807 int 808 esp4_input(struct mbuf **mp, int *offp, int proto, int af) 809 { 810 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 811 proto, 0); 812 return IPPROTO_DONE; 813 } 814 815 /* IPv4 IPCOMP wrapper */ 816 int 817 ipcomp4_input(struct mbuf **mp, int *offp, int proto, int af) 818 { 819 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 820 proto, 0); 821 return IPPROTO_DONE; 822 } 823 824 void 825 ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa, 826 void *v, int proto) 827 { 828 struct ip *ip = v; 829 830 if (cmd == PRC_MSGSIZE && ip && ip_mtudisc && ip->ip_v == 4) { 831 struct tdb *tdbp; 832 struct sockaddr_in dst; 833 struct icmp *icp; 834 int hlen = ip->ip_hl << 2; 835 u_int32_t spi, mtu; 836 ssize_t adjust; 837 838 /* Find the right MTU. */ 839 icp = (struct icmp *)((caddr_t) ip - 840 offsetof(struct icmp, icmp_ip)); 841 mtu = ntohs(icp->icmp_nextmtu); 842 843 /* 844 * Ignore the packet, if we do not receive a MTU 845 * or the MTU is too small to be acceptable. 846 */ 847 if (mtu < 296) 848 return; 849 850 memset(&dst, 0, sizeof(struct sockaddr_in)); 851 dst.sin_family = AF_INET; 852 dst.sin_len = sizeof(struct sockaddr_in); 853 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 854 855 memcpy(&spi, (caddr_t)ip + hlen, sizeof(u_int32_t)); 856 857 tdbp = gettdb(rdomain, spi, (union sockaddr_union *)&dst, 858 proto); 859 if (tdbp == NULL || tdbp->tdb_flags & TDBF_INVALID) 860 return; 861 862 /* Walk the chain backwards to the first tdb */ 863 NET_ASSERT_LOCKED(); 864 for (; tdbp; tdbp = tdbp->tdb_inext) { 865 if (tdbp->tdb_flags & TDBF_INVALID || 866 (adjust = ipsec_hdrsz(tdbp)) == -1) 867 return; 868 869 mtu -= adjust; 870 871 /* Store adjusted MTU in tdb */ 872 tdbp->tdb_mtu = mtu; 873 tdbp->tdb_mtutimeout = time_second + 874 ip_mtudisc_timeout; 875 DPRINTF(("%s: spi %08x mtu %d adjust %ld\n", __func__, 876 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, 877 adjust)); 878 } 879 } 880 } 881 882 /* XXX rdomain */ 883 void 884 udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 885 { 886 struct ip *ip = v; 887 struct tdb *tdbp; 888 struct icmp *icp; 889 u_int32_t mtu; 890 ssize_t adjust; 891 struct sockaddr_in dst, src; 892 union sockaddr_union *su_dst, *su_src; 893 894 NET_ASSERT_LOCKED(); 895 896 icp = (struct icmp *)((caddr_t) ip - offsetof(struct icmp, icmp_ip)); 897 mtu = ntohs(icp->icmp_nextmtu); 898 899 /* 900 * Ignore the packet, if we do not receive a MTU 901 * or the MTU is too small to be acceptable. 902 */ 903 if (mtu < 296) 904 return; 905 906 memset(&dst, 0, sizeof(dst)); 907 dst.sin_family = AF_INET; 908 dst.sin_len = sizeof(struct sockaddr_in); 909 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 910 su_dst = (union sockaddr_union *)&dst; 911 memset(&src, 0, sizeof(src)); 912 src.sin_family = AF_INET; 913 src.sin_len = sizeof(struct sockaddr_in); 914 src.sin_addr.s_addr = ip->ip_src.s_addr; 915 su_src = (union sockaddr_union *)&src; 916 917 tdbp = gettdbbysrcdst(rdomain, 0, su_src, su_dst, IPPROTO_ESP); 918 919 for (; tdbp != NULL; tdbp = tdbp->tdb_snext) { 920 if (tdbp->tdb_sproto == IPPROTO_ESP && 921 ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_UDPENCAP)) == 922 TDBF_UDPENCAP) && 923 !memcmp(&tdbp->tdb_dst, &dst, su_dst->sa.sa_len) && 924 !memcmp(&tdbp->tdb_src, &src, su_src->sa.sa_len)) { 925 if ((adjust = ipsec_hdrsz(tdbp)) != -1) { 926 /* Store adjusted MTU in tdb */ 927 tdbp->tdb_mtu = mtu - adjust; 928 tdbp->tdb_mtutimeout = time_second + 929 ip_mtudisc_timeout; 930 DPRINTF(("%s: spi %08x mtu %d adjust %ld\n", 931 __func__, 932 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, 933 adjust)); 934 } 935 } 936 } 937 } 938 939 /* XXX rdomain */ 940 void 941 esp4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 942 { 943 if (sa->sa_family != AF_INET || 944 sa->sa_len != sizeof(struct sockaddr_in)) 945 return; 946 947 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_ESP); 948 } 949 950 #ifdef INET6 951 /* IPv6 AH wrapper. */ 952 int 953 ah6_input(struct mbuf **mp, int *offp, int proto, int af) 954 { 955 int l = 0; 956 int protoff, nxt; 957 struct ip6_ext ip6e; 958 959 if (*offp < sizeof(struct ip6_hdr)) { 960 DPRINTF(("%s: bad offset\n", __func__)); 961 ahstat_inc(ahs_hdrops); 962 m_freemp(mp); 963 return IPPROTO_DONE; 964 } else if (*offp == sizeof(struct ip6_hdr)) { 965 protoff = offsetof(struct ip6_hdr, ip6_nxt); 966 } else { 967 /* Chase down the header chain... */ 968 protoff = sizeof(struct ip6_hdr); 969 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 970 971 do { 972 protoff += l; 973 m_copydata(*mp, protoff, sizeof(ip6e), 974 (caddr_t) &ip6e); 975 976 if (nxt == IPPROTO_AH) 977 l = (ip6e.ip6e_len + 2) << 2; 978 else 979 l = (ip6e.ip6e_len + 1) << 3; 980 #ifdef DIAGNOSTIC 981 if (l <= 0) 982 panic("ah6_input: l went zero or negative"); 983 #endif 984 985 nxt = ip6e.ip6e_nxt; 986 } while (protoff + l < *offp); 987 988 /* Malformed packet check */ 989 if (protoff + l != *offp) { 990 DPRINTF(("%s: bad packet header chain\n", __func__)); 991 ahstat_inc(ahs_hdrops); 992 m_freemp(mp); 993 return IPPROTO_DONE; 994 } 995 protoff += offsetof(struct ip6_ext, ip6e_nxt); 996 } 997 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 998 return IPPROTO_DONE; 999 } 1000 1001 /* IPv6 ESP wrapper. */ 1002 int 1003 esp6_input(struct mbuf **mp, int *offp, int proto, int af) 1004 { 1005 int l = 0; 1006 int protoff, nxt; 1007 struct ip6_ext ip6e; 1008 1009 if (*offp < sizeof(struct ip6_hdr)) { 1010 DPRINTF(("%s: bad offset\n", __func__)); 1011 espstat_inc(esps_hdrops); 1012 m_freemp(mp); 1013 return IPPROTO_DONE; 1014 } else if (*offp == sizeof(struct ip6_hdr)) { 1015 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1016 } else { 1017 /* Chase down the header chain... */ 1018 protoff = sizeof(struct ip6_hdr); 1019 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1020 1021 do { 1022 protoff += l; 1023 m_copydata(*mp, protoff, sizeof(ip6e), 1024 (caddr_t) &ip6e); 1025 1026 if (nxt == IPPROTO_AH) 1027 l = (ip6e.ip6e_len + 2) << 2; 1028 else 1029 l = (ip6e.ip6e_len + 1) << 3; 1030 #ifdef DIAGNOSTIC 1031 if (l <= 0) 1032 panic("esp6_input: l went zero or negative"); 1033 #endif 1034 1035 nxt = ip6e.ip6e_nxt; 1036 } while (protoff + l < *offp); 1037 1038 /* Malformed packet check */ 1039 if (protoff + l != *offp) { 1040 DPRINTF(("%s: bad packet header chain\n", __func__)); 1041 espstat_inc(esps_hdrops); 1042 m_freemp(mp); 1043 return IPPROTO_DONE; 1044 } 1045 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1046 } 1047 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1048 return IPPROTO_DONE; 1049 1050 } 1051 1052 /* IPv6 IPcomp wrapper */ 1053 int 1054 ipcomp6_input(struct mbuf **mp, int *offp, int proto, int af) 1055 { 1056 int l = 0; 1057 int protoff, nxt; 1058 struct ip6_ext ip6e; 1059 1060 if (*offp < sizeof(struct ip6_hdr)) { 1061 DPRINTF(("%s: bad offset\n", __func__)); 1062 ipcompstat_inc(ipcomps_hdrops); 1063 m_freemp(mp); 1064 return IPPROTO_DONE; 1065 } else if (*offp == sizeof(struct ip6_hdr)) { 1066 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1067 } else { 1068 /* Chase down the header chain... */ 1069 protoff = sizeof(struct ip6_hdr); 1070 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1071 1072 do { 1073 protoff += l; 1074 m_copydata(*mp, protoff, sizeof(ip6e), 1075 (caddr_t) &ip6e); 1076 if (nxt == IPPROTO_AH) 1077 l = (ip6e.ip6e_len + 2) << 2; 1078 else 1079 l = (ip6e.ip6e_len + 1) << 3; 1080 #ifdef DIAGNOSTIC 1081 if (l <= 0) 1082 panic("l went zero or negative"); 1083 #endif 1084 1085 nxt = ip6e.ip6e_nxt; 1086 } while (protoff + l < *offp); 1087 1088 /* Malformed packet check */ 1089 if (protoff + l != *offp) { 1090 DPRINTF(("%s: bad packet header chain\n", __func__)); 1091 ipcompstat_inc(ipcomps_hdrops); 1092 m_freemp(mp); 1093 return IPPROTO_DONE; 1094 } 1095 1096 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1097 } 1098 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1099 return IPPROTO_DONE; 1100 } 1101 #endif /* INET6 */ 1102 1103 int 1104 ipsec_forward_check(struct mbuf *m, int hlen, int af) 1105 { 1106 struct tdb *tdb; 1107 struct tdb_ident *tdbi; 1108 struct m_tag *mtag; 1109 int error = 0; 1110 1111 /* 1112 * IPsec policy check for forwarded packets. Look at 1113 * inner-most IPsec SA used. 1114 */ 1115 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1116 if (mtag != NULL) { 1117 tdbi = (struct tdb_ident *)(mtag + 1); 1118 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1119 } else 1120 tdb = NULL; 1121 ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, tdb, NULL, 0); 1122 1123 return error; 1124 } 1125 1126 int 1127 ipsec_local_check(struct mbuf *m, int hlen, int proto, int af) 1128 { 1129 struct tdb *tdb; 1130 struct tdb_ident *tdbi; 1131 struct m_tag *mtag; 1132 int error = 0; 1133 1134 /* 1135 * If it's a protected packet for us, skip the policy check. 1136 * That's because we really only care about the properties of 1137 * the protected packet, and not the intermediate versions. 1138 * While this is not the most paranoid setting, it allows 1139 * some flexibility in handling nested tunnels (in setting up 1140 * the policies). 1141 */ 1142 if ((proto == IPPROTO_ESP) || (proto == IPPROTO_AH) || 1143 (proto == IPPROTO_IPCOMP)) 1144 return 0; 1145 1146 /* 1147 * If the protected packet was tunneled, then we need to 1148 * verify the protected packet's information, not the 1149 * external headers. Thus, skip the policy lookup for the 1150 * external packet, and keep the IPsec information linked on 1151 * the packet header (the encapsulation routines know how 1152 * to deal with that). 1153 */ 1154 if ((proto == IPPROTO_IPV4) || (proto == IPPROTO_IPV6)) 1155 return 0; 1156 1157 /* 1158 * When processing IPv6 header chains, do not look at the 1159 * outer header. The inner protocol is relevant and will 1160 * be checked by the local delivery loop later. 1161 */ 1162 if ((af == AF_INET6) && ((proto == IPPROTO_DSTOPTS) || 1163 (proto == IPPROTO_ROUTING) || (proto == IPPROTO_FRAGMENT))) 1164 return 0; 1165 1166 /* 1167 * If the protected packet is TCP or UDP, we'll do the 1168 * policy check in the respective input routine, so we can 1169 * check for bypass sockets. 1170 */ 1171 if ((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP)) 1172 return 0; 1173 1174 /* 1175 * IPsec policy check for local-delivery packets. Look at the 1176 * inner-most SA that protected the packet. This is in fact 1177 * a bit too restrictive (it could end up causing packets to 1178 * be dropped that semantically follow the policy, e.g., in 1179 * certain SA-bundle configurations); but the alternative is 1180 * very complicated (and requires keeping track of what 1181 * kinds of tunneling headers have been seen in-between the 1182 * IPsec headers), and I don't think we lose much functionality 1183 * that's needed in the real world (who uses bundles anyway ?). 1184 */ 1185 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1186 if (mtag) { 1187 tdbi = (struct tdb_ident *)(mtag + 1); 1188 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, 1189 tdbi->proto); 1190 } else 1191 tdb = NULL; 1192 ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, 1193 tdb, NULL, 0); 1194 1195 return error; 1196 } 1197