1 /* $OpenBSD: ipsec_input.c,v 1.203 2022/02/22 01:35:40 guenther Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pf.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/protosw.h> 43 #include <sys/mbuf.h> 44 #include <sys/socket.h> 45 #include <sys/sysctl.h> 46 #include <sys/kernel.h> 47 #include <sys/timeout.h> 48 49 #include <net/if.h> 50 #include <net/if_var.h> 51 #include <net/netisr.h> 52 #include <net/bpf.h> 53 #include <net/route.h> 54 55 #include <netinet/in.h> 56 #include <netinet/ip.h> 57 #include <netinet/ip_var.h> 58 #include <netinet/ip_icmp.h> 59 #include <netinet/tcp.h> 60 #include <netinet/udp.h> 61 62 #if NPF > 0 63 #include <net/pfvar.h> 64 #endif 65 66 #ifdef INET6 67 #include <netinet6/in6_var.h> 68 #include <netinet/ip6.h> 69 #include <netinet6/ip6_var.h> 70 #endif /* INET6 */ 71 72 #include <netinet/ip_ipsp.h> 73 #include <netinet/ip_esp.h> 74 #include <netinet/ip_ah.h> 75 #include <netinet/ip_ipcomp.h> 76 77 #include <net/if_enc.h> 78 79 #include <crypto/cryptodev.h> 80 #include <crypto/xform.h> 81 82 #include "bpfilter.h" 83 84 void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int); 85 86 #ifdef ENCDEBUG 87 #define DPRINTF(fmt, args...) \ 88 do { \ 89 if (encdebug) \ 90 printf("%s: " fmt "\n", __func__, ## args); \ 91 } while (0) 92 #else 93 #define DPRINTF(fmt, args...) \ 94 do { } while (0) 95 #endif 96 97 /* sysctl variables */ 98 int encdebug = 0; 99 int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT; 100 int ipsec_require_pfs = IPSEC_DEFAULT_PFS; 101 int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS; 102 int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS; 103 int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES; 104 int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES; 105 int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT; 106 int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT; 107 int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE; 108 int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE; 109 int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE; 110 111 int esp_enable = 1; 112 int ah_enable = 1; 113 int ipcomp_enable = 0; 114 115 const struct sysctl_bounded_args espctl_vars[] = { 116 {ESPCTL_ENABLE, &esp_enable, 0, 1}, 117 {ESPCTL_UDPENCAP_ENABLE, &udpencap_enable, 0, 1}, 118 {ESPCTL_UDPENCAP_PORT, &udpencap_port, 0, 65535}, 119 }; 120 const struct sysctl_bounded_args ahctl_vars[] = { 121 {AHCTL_ENABLE, &ah_enable, 0, 1}, 122 }; 123 const struct sysctl_bounded_args ipcompctl_vars[] = { 124 {IPCOMPCTL_ENABLE, &ipcomp_enable, 0, 1}, 125 }; 126 127 struct cpumem *espcounters; 128 struct cpumem *ahcounters; 129 struct cpumem *ipcompcounters; 130 struct cpumem *ipseccounters; 131 132 char ipsec_def_enc[20]; 133 char ipsec_def_auth[20]; 134 char ipsec_def_comp[20]; 135 136 const struct sysctl_bounded_args ipsecctl_vars[] = { 137 { IPSEC_ENCDEBUG, &encdebug, 0, 1 }, 138 { IPSEC_EXPIRE_ACQUIRE, &ipsec_expire_acquire, 0, INT_MAX }, 139 { IPSEC_EMBRYONIC_SA_TIMEOUT, &ipsec_keep_invalid, 0, INT_MAX }, 140 { IPSEC_REQUIRE_PFS, &ipsec_require_pfs, 0, 1 }, 141 { IPSEC_SOFT_ALLOCATIONS, &ipsec_soft_allocations, 0, INT_MAX }, 142 { IPSEC_ALLOCATIONS, &ipsec_exp_allocations, 0, INT_MAX }, 143 { IPSEC_SOFT_BYTES, &ipsec_soft_bytes, 0, INT_MAX }, 144 { IPSEC_BYTES, &ipsec_exp_bytes, 0, INT_MAX }, 145 { IPSEC_TIMEOUT, &ipsec_exp_timeout, 0, INT_MAX }, 146 { IPSEC_SOFT_TIMEOUT, &ipsec_soft_timeout,0, INT_MAX }, 147 { IPSEC_SOFT_FIRSTUSE, &ipsec_soft_first_use, 0, INT_MAX }, 148 { IPSEC_FIRSTUSE, &ipsec_exp_first_use, 0, INT_MAX }, 149 }; 150 151 int esp_sysctl_espstat(void *, size_t *, void *); 152 int ah_sysctl_ahstat(void *, size_t *, void *); 153 int ipcomp_sysctl_ipcompstat(void *, size_t *, void *); 154 int ipsec_sysctl_ipsecstat(void *, size_t *, void *); 155 156 void 157 ipsec_init(void) 158 { 159 espcounters = counters_alloc(esps_ncounters); 160 ahcounters = counters_alloc(ahs_ncounters); 161 ipcompcounters = counters_alloc(ipcomps_ncounters); 162 ipseccounters = counters_alloc(ipsec_ncounters); 163 164 strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc)); 165 strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth)); 166 strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp)); 167 168 ipsp_init(); 169 } 170 171 /* 172 * ipsec_common_input() gets called when we receive an IPsec-protected packet 173 * in IPv4 or IPv6. All it does is find the right TDB and call the appropriate 174 * transform. The callback takes care of further processing (like ingress 175 * filtering). 176 */ 177 int 178 ipsec_common_input(struct mbuf **mp, int skip, int protoff, int af, int sproto, 179 int udpencap) 180 { 181 #define IPSEC_ISTAT(x,y,z) do { \ 182 if (sproto == IPPROTO_ESP) \ 183 espstat_inc(x); \ 184 else if (sproto == IPPROTO_AH) \ 185 ahstat_inc(y); \ 186 else \ 187 ipcompstat_inc(z); \ 188 } while (0) 189 190 struct mbuf *m = *mp; 191 union sockaddr_union dst_address; 192 struct tdb *tdbp = NULL; 193 u_int32_t spi; 194 u_int16_t cpi; 195 int prot; 196 #ifdef ENCDEBUG 197 char buf[INET6_ADDRSTRLEN]; 198 #endif 199 200 NET_ASSERT_LOCKED(); 201 202 ipsecstat_pkt(ipsec_ipackets, ipsec_ibytes, m->m_pkthdr.len); 203 IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input); 204 205 if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) { 206 DPRINTF("repeated decompression"); 207 ipcompstat_inc(ipcomps_pdrops); 208 goto drop; 209 } 210 211 if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) { 212 DPRINTF("packet too small"); 213 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 214 goto drop; 215 } 216 217 /* Retrieve the SPI from the relevant IPsec header */ 218 switch (sproto) { 219 case IPPROTO_ESP: 220 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 221 break; 222 case IPPROTO_AH: 223 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 224 (caddr_t) &spi); 225 break; 226 case IPPROTO_IPCOMP: 227 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 228 (caddr_t) &cpi); 229 spi = ntohl(htons(cpi)); 230 break; 231 default: 232 panic("%s: unknown/unsupported security protocol %d", 233 __func__, sproto); 234 } 235 236 /* 237 * Find tunnel control block and (indirectly) call the appropriate 238 * kernel crypto routine. The resulting mbuf chain is a valid 239 * IP packet ready to go through input processing. 240 */ 241 242 memset(&dst_address, 0, sizeof(dst_address)); 243 dst_address.sa.sa_family = af; 244 245 switch (af) { 246 case AF_INET: 247 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 248 m_copydata(m, offsetof(struct ip, ip_dst), 249 sizeof(struct in_addr), 250 (caddr_t) &(dst_address.sin.sin_addr)); 251 break; 252 253 #ifdef INET6 254 case AF_INET6: 255 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 256 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 257 sizeof(struct in6_addr), 258 (caddr_t) &(dst_address.sin6.sin6_addr)); 259 in6_recoverscope(&dst_address.sin6, 260 &dst_address.sin6.sin6_addr); 261 break; 262 #endif /* INET6 */ 263 264 default: 265 DPRINTF("unsupported protocol family %d", af); 266 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf); 267 goto drop; 268 } 269 270 tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid), 271 spi, &dst_address, sproto); 272 if (tdbp == NULL) { 273 DPRINTF("could not find SA for packet to %s, spi %08x", 274 ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi)); 275 IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb); 276 goto drop; 277 } 278 279 if (tdbp->tdb_flags & TDBF_INVALID) { 280 DPRINTF("attempted to use invalid SA %s/%08x/%u", 281 ipsp_address(&dst_address, buf, sizeof(buf)), 282 ntohl(spi), tdbp->tdb_sproto); 283 IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid); 284 goto drop; 285 } 286 287 if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) { 288 DPRINTF("attempted to use non-udpencap SA %s/%08x/%u", 289 ipsp_address(&dst_address, buf, sizeof(buf)), 290 ntohl(spi), tdbp->tdb_sproto); 291 espstat_inc(esps_udpinval); 292 goto drop; 293 } 294 295 if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) { 296 DPRINTF("attempted to use udpencap SA %s/%08x/%u", 297 ipsp_address(&dst_address, buf, sizeof(buf)), 298 ntohl(spi), tdbp->tdb_sproto); 299 espstat_inc(esps_udpneeded); 300 goto drop; 301 } 302 303 if (tdbp->tdb_xform == NULL) { 304 DPRINTF("attempted to use uninitialized SA %s/%08x/%u", 305 ipsp_address(&dst_address, buf, sizeof(buf)), 306 ntohl(spi), tdbp->tdb_sproto); 307 IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform); 308 goto drop; 309 } 310 311 KERNEL_LOCK(); 312 /* Register first use, setup expiration timer. */ 313 if (tdbp->tdb_first_use == 0) { 314 tdbp->tdb_first_use = gettime(); 315 if (tdbp->tdb_flags & TDBF_FIRSTUSE) { 316 if (timeout_add_sec(&tdbp->tdb_first_tmo, 317 tdbp->tdb_exp_first_use)) 318 tdb_ref(tdbp); 319 } 320 if (tdbp->tdb_flags & TDBF_SOFT_FIRSTUSE) { 321 if (timeout_add_sec(&tdbp->tdb_sfirst_tmo, 322 tdbp->tdb_soft_first_use)) 323 tdb_ref(tdbp); 324 } 325 } 326 327 tdbstat_pkt(tdbp, tdb_ipackets, tdb_ibytes, m->m_pkthdr.len); 328 329 /* 330 * Call appropriate transform and return -- callback takes care of 331 * everything else. 332 */ 333 prot = (*(tdbp->tdb_xform->xf_input))(mp, tdbp, skip, protoff); 334 if (prot == IPPROTO_DONE) { 335 ipsecstat_inc(ipsec_idrops); 336 tdbstat_inc(tdbp, tdb_idrops); 337 } 338 tdb_unref(tdbp); 339 KERNEL_UNLOCK(); 340 return prot; 341 342 drop: 343 m_freemp(mp); 344 ipsecstat_inc(ipsec_idrops); 345 if (tdbp != NULL) 346 tdbstat_inc(tdbp, tdb_idrops); 347 tdb_unref(tdbp); 348 return IPPROTO_DONE; 349 } 350 351 /* 352 * IPsec input callback, called by the transform callback. Takes care of 353 * filtering and other sanity checks on the processed packet. 354 */ 355 int 356 ipsec_common_input_cb(struct mbuf **mp, struct tdb *tdbp, int skip, int protoff) 357 { 358 struct mbuf *m = *mp; 359 int af, sproto; 360 u_int8_t prot; 361 #if NBPFILTER > 0 362 struct ifnet *encif; 363 #endif 364 struct ip *ip; 365 #ifdef INET6 366 struct ip6_hdr *ip6; 367 #endif /* INET6 */ 368 struct m_tag *mtag; 369 struct tdb_ident *tdbi; 370 #ifdef ENCDEBUG 371 char buf[INET6_ADDRSTRLEN]; 372 #endif 373 374 af = tdbp->tdb_dst.sa.sa_family; 375 sproto = tdbp->tdb_sproto; 376 377 tdbp->tdb_last_used = gettime(); 378 379 /* Fix IPv4 header */ 380 if (af == AF_INET) { 381 if (m->m_len < skip && 382 (m = *mp = m_pullup(m, skip)) == NULL) { 383 DPRINTF("processing failed for SA %s/%08x", 384 ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)), 385 ntohl(tdbp->tdb_spi)); 386 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 387 goto baddone; 388 } 389 390 ip = mtod(m, struct ip *); 391 ip->ip_len = htons(m->m_pkthdr.len); 392 ip->ip_sum = 0; 393 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 394 prot = ip->ip_p; 395 } 396 397 #ifdef INET6 398 /* Fix IPv6 header */ 399 if (af == AF_INET6) { 400 if (m->m_len < sizeof(struct ip6_hdr) && 401 (m = *mp = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 402 403 DPRINTF("processing failed for SA %s/%08x", 404 ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)), 405 ntohl(tdbp->tdb_spi)); 406 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 407 goto baddone; 408 } 409 410 ip6 = mtod(m, struct ip6_hdr *); 411 ip6->ip6_plen = htons(m->m_pkthdr.len - skip); 412 413 /* Save protocol */ 414 m_copydata(m, protoff, 1, (caddr_t) &prot); 415 } 416 #endif /* INET6 */ 417 418 /* 419 * Fix TCP/UDP checksum of UDP encapsulated transport mode ESP packet. 420 * (RFC3948 3.1.2) 421 */ 422 if ((af == AF_INET || af == AF_INET6) && 423 (tdbp->tdb_flags & TDBF_UDPENCAP) && 424 (tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 425 u_int16_t cksum; 426 427 switch (prot) { 428 case IPPROTO_UDP: 429 if (m->m_pkthdr.len < skip + sizeof(struct udphdr)) { 430 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 431 ipcomps_hdrops); 432 goto baddone; 433 } 434 cksum = 0; 435 m_copyback(m, skip + offsetof(struct udphdr, uh_sum), 436 sizeof(cksum), &cksum, M_NOWAIT); 437 #ifdef INET6 438 if (af == AF_INET6) { 439 cksum = in6_cksum(m, IPPROTO_UDP, skip, 440 m->m_pkthdr.len - skip); 441 m_copyback(m, skip + offsetof(struct udphdr, 442 uh_sum), sizeof(cksum), &cksum, M_NOWAIT); 443 } 444 #endif 445 break; 446 case IPPROTO_TCP: 447 if (m->m_pkthdr.len < skip + sizeof(struct tcphdr)) { 448 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 449 ipcomps_hdrops); 450 goto baddone; 451 } 452 cksum = 0; 453 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 454 sizeof(cksum), &cksum, M_NOWAIT); 455 if (af == AF_INET) 456 cksum = in4_cksum(m, IPPROTO_TCP, skip, 457 m->m_pkthdr.len - skip); 458 #ifdef INET6 459 else if (af == AF_INET6) 460 cksum = in6_cksum(m, IPPROTO_TCP, skip, 461 m->m_pkthdr.len - skip); 462 #endif 463 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 464 sizeof(cksum), &cksum, M_NOWAIT); 465 break; 466 } 467 } 468 469 /* 470 * Record what we've done to the packet (under what SA it was 471 * processed). 472 */ 473 if (tdbp->tdb_sproto != IPPROTO_IPCOMP) { 474 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 475 sizeof(struct tdb_ident), M_NOWAIT); 476 if (mtag == NULL) { 477 DPRINTF("failed to get tag"); 478 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 479 goto baddone; 480 } 481 482 tdbi = (struct tdb_ident *)(mtag + 1); 483 tdbi->dst = tdbp->tdb_dst; 484 tdbi->proto = tdbp->tdb_sproto; 485 tdbi->spi = tdbp->tdb_spi; 486 tdbi->rdomain = tdbp->tdb_rdomain; 487 488 m_tag_prepend(m, mtag); 489 } 490 491 switch (sproto) { 492 case IPPROTO_ESP: 493 /* Packet is confidential ? */ 494 if (tdbp->tdb_encalgxform) 495 m->m_flags |= M_CONF; 496 497 /* Check if we had authenticated ESP. */ 498 if (tdbp->tdb_authalgxform) 499 m->m_flags |= M_AUTH; 500 break; 501 case IPPROTO_AH: 502 m->m_flags |= M_AUTH; 503 break; 504 case IPPROTO_IPCOMP: 505 m->m_flags |= M_COMP; 506 break; 507 default: 508 panic("%s: unknown/unsupported security protocol %d", 509 __func__, sproto); 510 } 511 512 #if NPF > 0 513 /* Add pf tag if requested. */ 514 pf_tag_packet(m, tdbp->tdb_tag, -1); 515 pf_pkt_addr_changed(m); 516 #endif 517 if (tdbp->tdb_rdomain != tdbp->tdb_rdomain_post) 518 m->m_pkthdr.ph_rtableid = tdbp->tdb_rdomain_post; 519 520 if (tdbp->tdb_flags & TDBF_TUNNELING) 521 m->m_flags |= M_TUNNEL; 522 523 ipsecstat_add(ipsec_idecompbytes, m->m_pkthdr.len); 524 tdbstat_add(tdbp, tdb_idecompbytes, m->m_pkthdr.len); 525 526 #if NBPFILTER > 0 527 encif = enc_getif(tdbp->tdb_rdomain_post, tdbp->tdb_tap); 528 if (encif != NULL) { 529 encif->if_ipackets++; 530 encif->if_ibytes += m->m_pkthdr.len; 531 532 if (sproto != IPPROTO_IPCOMP) { 533 /* XXX This conflicts with the scoped nature of IPv6 */ 534 m->m_pkthdr.ph_ifidx = encif->if_index; 535 } 536 if (encif->if_bpf) { 537 struct enchdr hdr; 538 539 hdr.af = af; 540 hdr.spi = tdbp->tdb_spi; 541 hdr.flags = m->m_flags & (M_AUTH|M_CONF); 542 543 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 544 ENC_HDRLEN, m, BPF_DIRECTION_IN); 545 } 546 } 547 #endif 548 549 #if NPF > 0 550 /* 551 * The ip_deliver() shortcut avoids running through ip_input() with the 552 * same IP header twice. Packets in transport mode have to be be 553 * passed to pf explicitly. In tunnel mode the inner IP header will 554 * run through ip_input() and pf anyway. 555 */ 556 if ((tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 557 struct ifnet *ifp; 558 559 /* This is the enc0 interface unless for ipcomp. */ 560 if ((ifp = if_get(m->m_pkthdr.ph_ifidx)) == NULL) { 561 goto baddone; 562 } 563 if (pf_test(af, PF_IN, ifp, mp) != PF_PASS) { 564 if_put(ifp); 565 goto baddone; 566 } 567 m = *mp; 568 if_put(ifp); 569 if (m == NULL) 570 return IPPROTO_DONE; 571 } 572 #endif 573 /* Return to the appropriate protocol handler in deliver loop. */ 574 return prot; 575 576 baddone: 577 m_freemp(mp); 578 return IPPROTO_DONE; 579 #undef IPSEC_ISTAT 580 } 581 582 int 583 ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 584 size_t newlen) 585 { 586 int error; 587 588 switch (name[0]) { 589 case IPCTL_IPSEC_ENC_ALGORITHM: 590 NET_LOCK(); 591 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 592 ipsec_def_enc, sizeof(ipsec_def_enc)); 593 NET_UNLOCK(); 594 return (error); 595 case IPCTL_IPSEC_AUTH_ALGORITHM: 596 NET_LOCK(); 597 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 598 ipsec_def_auth, sizeof(ipsec_def_auth)); 599 NET_UNLOCK(); 600 return (error); 601 case IPCTL_IPSEC_IPCOMP_ALGORITHM: 602 NET_LOCK(); 603 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 604 ipsec_def_comp, sizeof(ipsec_def_comp)); 605 NET_UNLOCK(); 606 return (error); 607 case IPCTL_IPSEC_STATS: 608 return (ipsec_sysctl_ipsecstat(oldp, oldlenp, newp)); 609 default: 610 NET_LOCK(); 611 error = sysctl_bounded_arr(ipsecctl_vars, nitems(ipsecctl_vars), 612 name, namelen, oldp, oldlenp, newp, newlen); 613 NET_UNLOCK(); 614 return (error); 615 } 616 } 617 618 int 619 esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 620 size_t newlen) 621 { 622 int error; 623 624 /* All sysctl names at this level are terminal. */ 625 if (namelen != 1) 626 return (ENOTDIR); 627 628 switch (name[0]) { 629 case ESPCTL_STATS: 630 return (esp_sysctl_espstat(oldp, oldlenp, newp)); 631 default: 632 NET_LOCK(); 633 error = sysctl_bounded_arr(espctl_vars, nitems(espctl_vars), 634 name, namelen, oldp, oldlenp, newp, newlen); 635 NET_UNLOCK(); 636 return (error); 637 } 638 } 639 640 int 641 esp_sysctl_espstat(void *oldp, size_t *oldlenp, void *newp) 642 { 643 struct espstat espstat; 644 645 CTASSERT(sizeof(espstat) == (esps_ncounters * sizeof(uint64_t))); 646 memset(&espstat, 0, sizeof espstat); 647 counters_read(espcounters, (uint64_t *)&espstat, esps_ncounters); 648 return (sysctl_rdstruct(oldp, oldlenp, newp, &espstat, 649 sizeof(espstat))); 650 } 651 652 int 653 ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 654 size_t newlen) 655 { 656 int error; 657 658 /* All sysctl names at this level are terminal. */ 659 if (namelen != 1) 660 return (ENOTDIR); 661 662 switch (name[0]) { 663 case AHCTL_STATS: 664 return ah_sysctl_ahstat(oldp, oldlenp, newp); 665 default: 666 NET_LOCK(); 667 error = sysctl_bounded_arr(ahctl_vars, nitems(ahctl_vars), name, 668 namelen, oldp, oldlenp, newp, newlen); 669 NET_UNLOCK(); 670 return (error); 671 } 672 } 673 674 int 675 ah_sysctl_ahstat(void *oldp, size_t *oldlenp, void *newp) 676 { 677 struct ahstat ahstat; 678 679 CTASSERT(sizeof(ahstat) == (ahs_ncounters * sizeof(uint64_t))); 680 memset(&ahstat, 0, sizeof ahstat); 681 counters_read(ahcounters, (uint64_t *)&ahstat, ahs_ncounters); 682 return (sysctl_rdstruct(oldp, oldlenp, newp, &ahstat, sizeof(ahstat))); 683 } 684 685 int 686 ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 687 size_t newlen) 688 { 689 int error; 690 691 /* All sysctl names at this level are terminal. */ 692 if (namelen != 1) 693 return (ENOTDIR); 694 695 switch (name[0]) { 696 case IPCOMPCTL_STATS: 697 return ipcomp_sysctl_ipcompstat(oldp, oldlenp, newp); 698 default: 699 NET_LOCK(); 700 error = sysctl_bounded_arr(ipcompctl_vars, 701 nitems(ipcompctl_vars), name, namelen, oldp, oldlenp, 702 newp, newlen); 703 NET_UNLOCK(); 704 return (error); 705 } 706 } 707 708 int 709 ipcomp_sysctl_ipcompstat(void *oldp, size_t *oldlenp, void *newp) 710 { 711 struct ipcompstat ipcompstat; 712 713 CTASSERT(sizeof(ipcompstat) == (ipcomps_ncounters * sizeof(uint64_t))); 714 memset(&ipcompstat, 0, sizeof ipcompstat); 715 counters_read(ipcompcounters, (uint64_t *)&ipcompstat, 716 ipcomps_ncounters); 717 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipcompstat, 718 sizeof(ipcompstat))); 719 } 720 721 int 722 ipsec_sysctl_ipsecstat(void *oldp, size_t *oldlenp, void *newp) 723 { 724 struct ipsecstat ipsecstat; 725 726 CTASSERT(sizeof(ipsecstat) == (ipsec_ncounters * sizeof(uint64_t))); 727 memset(&ipsecstat, 0, sizeof ipsecstat); 728 counters_read(ipseccounters, (uint64_t *)&ipsecstat, ipsec_ncounters); 729 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipsecstat, 730 sizeof(ipsecstat))); 731 } 732 733 int 734 ipsec_input_disabled(struct mbuf **mp, int *offp, int proto, int af) 735 { 736 switch (af) { 737 case AF_INET: 738 return rip_input(mp, offp, proto, af); 739 #ifdef INET6 740 case AF_INET6: 741 return rip6_input(mp, offp, proto, af); 742 #endif 743 default: 744 unhandled_af(af); 745 } 746 } 747 748 int 749 ah46_input(struct mbuf **mp, int *offp, int proto, int af) 750 { 751 int protoff; 752 753 if ( 754 #if NPF > 0 755 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 756 #endif 757 !ah_enable) 758 return ipsec_input_disabled(mp, offp, proto, af); 759 760 protoff = ipsec_protoff(*mp, *offp, af); 761 if (protoff < 0) { 762 DPRINTF("bad packet header chain"); 763 ahstat_inc(ahs_hdrops); 764 m_freemp(mp); 765 return IPPROTO_DONE; 766 } 767 768 return ipsec_common_input(mp, *offp, protoff, af, proto, 0); 769 } 770 771 void 772 ah4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 773 { 774 if (sa->sa_family != AF_INET || 775 sa->sa_len != sizeof(struct sockaddr_in)) 776 return; 777 778 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_AH); 779 } 780 781 int 782 esp46_input(struct mbuf **mp, int *offp, int proto, int af) 783 { 784 int protoff; 785 786 if ( 787 #if NPF > 0 788 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 789 #endif 790 !esp_enable) 791 return ipsec_input_disabled(mp, offp, proto, af); 792 793 protoff = ipsec_protoff(*mp, *offp, af); 794 if (protoff < 0) { 795 DPRINTF("bad packet header chain"); 796 espstat_inc(esps_hdrops); 797 m_freemp(mp); 798 return IPPROTO_DONE; 799 } 800 801 return ipsec_common_input(mp, *offp, protoff, af, proto, 0); 802 } 803 804 /* IPv4 IPCOMP wrapper */ 805 int 806 ipcomp46_input(struct mbuf **mp, int *offp, int proto, int af) 807 { 808 int protoff; 809 810 if ( 811 #if NPF > 0 812 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 813 #endif 814 !ipcomp_enable) 815 return ipsec_input_disabled(mp, offp, proto, af); 816 817 protoff = ipsec_protoff(*mp, *offp, af); 818 if (protoff < 0) { 819 DPRINTF("bad packet header chain"); 820 ipcompstat_inc(ipcomps_hdrops); 821 m_freemp(mp); 822 return IPPROTO_DONE; 823 } 824 825 return ipsec_common_input(mp, *offp, protoff, af, proto, 0); 826 } 827 828 void 829 ipsec_set_mtu(struct tdb *tdbp, u_int32_t mtu) 830 { 831 ssize_t adjust; 832 833 NET_ASSERT_LOCKED(); 834 835 /* Walk the chain backwards to the first tdb */ 836 for (; tdbp != NULL; tdbp = tdbp->tdb_inext) { 837 if (tdbp->tdb_flags & TDBF_INVALID || 838 (adjust = ipsec_hdrsz(tdbp)) == -1) 839 return; 840 841 mtu -= adjust; 842 843 /* Store adjusted MTU in tdb */ 844 tdbp->tdb_mtu = mtu; 845 tdbp->tdb_mtutimeout = gettime() + ip_mtudisc_timeout; 846 DPRINTF("spi %08x mtu %d adjust %ld", 847 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust); 848 } 849 } 850 851 void 852 ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa, 853 void *v, int proto) 854 { 855 struct ip *ip = v; 856 857 if (cmd == PRC_MSGSIZE && ip && ip_mtudisc && ip->ip_v == 4) { 858 struct tdb *tdbp; 859 struct sockaddr_in dst; 860 struct icmp *icp; 861 int hlen = ip->ip_hl << 2; 862 u_int32_t spi, mtu; 863 864 /* Find the right MTU. */ 865 icp = (struct icmp *)((caddr_t) ip - 866 offsetof(struct icmp, icmp_ip)); 867 mtu = ntohs(icp->icmp_nextmtu); 868 869 /* 870 * Ignore the packet, if we do not receive a MTU 871 * or the MTU is too small to be acceptable. 872 */ 873 if (mtu < 296) 874 return; 875 876 memset(&dst, 0, sizeof(struct sockaddr_in)); 877 dst.sin_family = AF_INET; 878 dst.sin_len = sizeof(struct sockaddr_in); 879 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 880 881 memcpy(&spi, (caddr_t)ip + hlen, sizeof(u_int32_t)); 882 883 tdbp = gettdb_rev(rdomain, spi, (union sockaddr_union *)&dst, 884 proto); 885 ipsec_set_mtu(tdbp, mtu); 886 tdb_unref(tdbp); 887 } 888 } 889 890 void 891 udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 892 { 893 struct ip *ip = v; 894 struct tdb *tdbp, *first; 895 struct icmp *icp; 896 u_int32_t mtu; 897 struct sockaddr_in dst, src; 898 union sockaddr_union *su_dst, *su_src; 899 900 NET_ASSERT_LOCKED(); 901 902 icp = (struct icmp *)((caddr_t) ip - offsetof(struct icmp, icmp_ip)); 903 mtu = ntohs(icp->icmp_nextmtu); 904 905 /* 906 * Ignore the packet, if we do not receive a MTU 907 * or the MTU is too small to be acceptable. 908 */ 909 if (mtu < 296) 910 return; 911 912 memset(&dst, 0, sizeof(dst)); 913 dst.sin_family = AF_INET; 914 dst.sin_len = sizeof(struct sockaddr_in); 915 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 916 su_dst = (union sockaddr_union *)&dst; 917 memset(&src, 0, sizeof(src)); 918 src.sin_family = AF_INET; 919 src.sin_len = sizeof(struct sockaddr_in); 920 src.sin_addr.s_addr = ip->ip_src.s_addr; 921 su_src = (union sockaddr_union *)&src; 922 923 first = gettdbbysrcdst_rev(rdomain, 0, su_src, su_dst, IPPROTO_ESP); 924 925 mtx_enter(&tdb_sadb_mtx); 926 for (tdbp = first; tdbp != NULL; tdbp = tdbp->tdb_snext) { 927 if (tdbp->tdb_sproto == IPPROTO_ESP && 928 ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_UDPENCAP)) == 929 TDBF_UDPENCAP) && 930 !memcmp(&tdbp->tdb_dst, &dst, su_dst->sa.sa_len) && 931 !memcmp(&tdbp->tdb_src, &src, su_src->sa.sa_len)) 932 ipsec_set_mtu(tdbp, mtu); 933 } 934 mtx_leave(&tdb_sadb_mtx); 935 tdb_unref(first); 936 } 937 938 void 939 esp4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 940 { 941 if (sa->sa_family != AF_INET || 942 sa->sa_len != sizeof(struct sockaddr_in)) 943 return; 944 945 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_ESP); 946 } 947 948 /* Find the offset of the next protocol field in the previous header. */ 949 int 950 ipsec_protoff(struct mbuf *m, int off, int af) 951 { 952 #ifdef INET6 953 struct ip6_ext ip6e; 954 int protoff, nxt, l; 955 #endif /* INET6 */ 956 957 switch (af) { 958 case AF_INET: 959 return offsetof(struct ip, ip_p); 960 #ifdef INET6 961 case AF_INET6: 962 break; 963 #endif /* INET6 */ 964 default: 965 unhandled_af(af); 966 } 967 968 #ifdef INET6 969 if (off < sizeof(struct ip6_hdr)) 970 return -1; 971 972 if (off == sizeof(struct ip6_hdr)) 973 return offsetof(struct ip6_hdr, ip6_nxt); 974 975 /* Chase down the header chain... */ 976 protoff = sizeof(struct ip6_hdr); 977 nxt = (mtod(m, struct ip6_hdr *))->ip6_nxt; 978 l = 0; 979 980 do { 981 protoff += l; 982 m_copydata(m, protoff, sizeof(ip6e), 983 (caddr_t) &ip6e); 984 985 if (nxt == IPPROTO_AH) 986 l = (ip6e.ip6e_len + 2) << 2; 987 else 988 l = (ip6e.ip6e_len + 1) << 3; 989 #ifdef DIAGNOSTIC 990 if (l <= 0) 991 panic("%s: l went zero or negative", __func__); 992 #endif 993 994 nxt = ip6e.ip6e_nxt; 995 } while (protoff + l < off); 996 997 /* Malformed packet check */ 998 if (protoff + l != off) 999 return -1; 1000 1001 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1002 return protoff; 1003 #endif /* INET6 */ 1004 } 1005 1006 int 1007 ipsec_forward_check(struct mbuf *m, int hlen, int af) 1008 { 1009 struct tdb *tdb; 1010 struct tdb_ident *tdbi; 1011 struct m_tag *mtag; 1012 int error = 0; 1013 1014 /* 1015 * IPsec policy check for forwarded packets. Look at 1016 * inner-most IPsec SA used. 1017 */ 1018 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1019 if (mtag != NULL) { 1020 tdbi = (struct tdb_ident *)(mtag + 1); 1021 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1022 } else 1023 tdb = NULL; 1024 error = ipsp_spd_lookup(m, af, hlen, IPSP_DIRECTION_IN, 1025 tdb, NULL, NULL, NULL); 1026 tdb_unref(tdb); 1027 1028 return error; 1029 } 1030 1031 int 1032 ipsec_local_check(struct mbuf *m, int hlen, int proto, int af) 1033 { 1034 struct tdb *tdb; 1035 struct tdb_ident *tdbi; 1036 struct m_tag *mtag; 1037 int error = 0; 1038 1039 /* 1040 * If it's a protected packet for us, skip the policy check. 1041 * That's because we really only care about the properties of 1042 * the protected packet, and not the intermediate versions. 1043 * While this is not the most paranoid setting, it allows 1044 * some flexibility in handling nested tunnels (in setting up 1045 * the policies). 1046 */ 1047 if ((proto == IPPROTO_ESP) || (proto == IPPROTO_AH) || 1048 (proto == IPPROTO_IPCOMP)) 1049 return 0; 1050 1051 /* 1052 * If the protected packet was tunneled, then we need to 1053 * verify the protected packet's information, not the 1054 * external headers. Thus, skip the policy lookup for the 1055 * external packet, and keep the IPsec information linked on 1056 * the packet header (the encapsulation routines know how 1057 * to deal with that). 1058 */ 1059 if ((proto == IPPROTO_IPV4) || (proto == IPPROTO_IPV6)) 1060 return 0; 1061 1062 /* 1063 * When processing IPv6 header chains, do not look at the 1064 * outer header. The inner protocol is relevant and will 1065 * be checked by the local delivery loop later. 1066 */ 1067 if ((af == AF_INET6) && ((proto == IPPROTO_DSTOPTS) || 1068 (proto == IPPROTO_ROUTING) || (proto == IPPROTO_FRAGMENT))) 1069 return 0; 1070 1071 /* 1072 * If the protected packet is TCP or UDP, we'll do the 1073 * policy check in the respective input routine, so we can 1074 * check for bypass sockets. 1075 */ 1076 if ((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP)) 1077 return 0; 1078 1079 /* 1080 * IPsec policy check for local-delivery packets. Look at the 1081 * inner-most SA that protected the packet. This is in fact 1082 * a bit too restrictive (it could end up causing packets to 1083 * be dropped that semantically follow the policy, e.g., in 1084 * certain SA-bundle configurations); but the alternative is 1085 * very complicated (and requires keeping track of what 1086 * kinds of tunneling headers have been seen in-between the 1087 * IPsec headers), and I don't think we lose much functionality 1088 * that's needed in the real world (who uses bundles anyway ?). 1089 */ 1090 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1091 if (mtag) { 1092 tdbi = (struct tdb_ident *)(mtag + 1); 1093 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, 1094 tdbi->proto); 1095 } else 1096 tdb = NULL; 1097 error = ipsp_spd_lookup(m, af, hlen, IPSP_DIRECTION_IN, 1098 tdb, NULL, NULL, NULL); 1099 tdb_unref(tdb); 1100 1101 return error; 1102 } 1103