1 /* $OpenBSD: ipsec_input.c,v 1.207 2024/12/27 10:15:09 mvs Exp $ */
2 /*
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr) and
5 * Niels Provos (provos@physnet.uni-hamburg.de).
6 *
7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
8 * in November 1995.
9 *
10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11 * by Angelos D. Keromytis.
12 *
13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14 * and Niels Provos.
15 *
16 * Additional features in 1999 by Angelos D. Keromytis.
17 *
18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19 * Angelos D. Keromytis and Niels Provos.
20 * Copyright (c) 2001, Angelos D. Keromytis.
21 *
22 * Permission to use, copy, and modify this software with or without fee
23 * is hereby granted, provided that this entire notice is included in
24 * all copies of any software which is or includes a copy or
25 * modification of this software.
26 * You may use this code under the GNU public license if you so wish. Please
27 * contribute changes back to the authors under this freer than GPL license
28 * so that we may further the use of strong encryption without limitations to
29 * all.
30 *
31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
35 * PURPOSE.
36 */
37
38 #include "pf.h"
39 #include "sec.h"
40
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/protosw.h>
44 #include <sys/mbuf.h>
45 #include <sys/socket.h>
46 #include <sys/sysctl.h>
47 #include <sys/kernel.h>
48 #include <sys/timeout.h>
49
50 #include <net/if.h>
51 #include <net/if_var.h>
52 #include <net/netisr.h>
53 #include <net/bpf.h>
54 #include <net/route.h>
55
56 #include <netinet/in.h>
57 #include <netinet/ip.h>
58 #include <netinet/ip_var.h>
59 #include <netinet/ip_icmp.h>
60 #include <netinet/tcp.h>
61 #include <netinet/udp.h>
62
63 #if NPF > 0
64 #include <net/pfvar.h>
65 #endif
66
67 #if NSEC > 0
68 #include <net/if_sec.h>
69 #endif
70
71 #ifdef INET6
72 #include <netinet6/in6_var.h>
73 #include <netinet/ip6.h>
74 #include <netinet6/ip6_var.h>
75 #endif /* INET6 */
76
77 #include <netinet/ip_ipsp.h>
78 #include <netinet/ip_esp.h>
79 #include <netinet/ip_ah.h>
80 #include <netinet/ip_ipcomp.h>
81
82 #include <net/if_enc.h>
83
84 #include <crypto/cryptodev.h>
85 #include <crypto/xform.h>
86
87 #include "bpfilter.h"
88
89 /*
90 * Locks used to protect data:
91 * a atomic
92 */
93
94 void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int);
95
96 #ifdef ENCDEBUG
97 #define DPRINTF(fmt, args...) \
98 do { \
99 if (encdebug) \
100 printf("%s: " fmt "\n", __func__, ## args); \
101 } while (0)
102 #else
103 #define DPRINTF(fmt, args...) \
104 do { } while (0)
105 #endif
106
107 /* sysctl variables */
108 int encdebug = 0;
109 int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
110 int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
111 int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
112 int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
113 int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
114 int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
115 int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
116 int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
117 int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
118 int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
119 int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
120
121 int esp_enable = 1;
122 int ah_enable = 1; /* [a] */
123 int ipcomp_enable = 0; /* [a] */
124
125 const struct sysctl_bounded_args espctl_vars[] = {
126 {ESPCTL_ENABLE, &esp_enable, 0, 1},
127 {ESPCTL_UDPENCAP_ENABLE, &udpencap_enable, 0, 1},
128 {ESPCTL_UDPENCAP_PORT, &udpencap_port, 0, 65535},
129 };
130 const struct sysctl_bounded_args ahctl_vars[] = {
131 {AHCTL_ENABLE, &ah_enable, 0, 1},
132 };
133 const struct sysctl_bounded_args ipcompctl_vars[] = {
134 {IPCOMPCTL_ENABLE, &ipcomp_enable, 0, 1},
135 };
136
137 struct cpumem *espcounters;
138 struct cpumem *ahcounters;
139 struct cpumem *ipcompcounters;
140 struct cpumem *ipseccounters;
141
142 char ipsec_def_enc[20];
143 char ipsec_def_auth[20];
144 char ipsec_def_comp[20];
145
146 const struct sysctl_bounded_args ipsecctl_vars[] = {
147 { IPSEC_ENCDEBUG, &encdebug, 0, 1 },
148 { IPSEC_EXPIRE_ACQUIRE, &ipsec_expire_acquire, 0, INT_MAX },
149 { IPSEC_EMBRYONIC_SA_TIMEOUT, &ipsec_keep_invalid, 0, INT_MAX },
150 { IPSEC_REQUIRE_PFS, &ipsec_require_pfs, 0, 1 },
151 { IPSEC_SOFT_ALLOCATIONS, &ipsec_soft_allocations, 0, INT_MAX },
152 { IPSEC_ALLOCATIONS, &ipsec_exp_allocations, 0, INT_MAX },
153 { IPSEC_SOFT_BYTES, &ipsec_soft_bytes, 0, INT_MAX },
154 { IPSEC_BYTES, &ipsec_exp_bytes, 0, INT_MAX },
155 { IPSEC_TIMEOUT, &ipsec_exp_timeout, 0, INT_MAX },
156 { IPSEC_SOFT_TIMEOUT, &ipsec_soft_timeout,0, INT_MAX },
157 { IPSEC_SOFT_FIRSTUSE, &ipsec_soft_first_use, 0, INT_MAX },
158 { IPSEC_FIRSTUSE, &ipsec_exp_first_use, 0, INT_MAX },
159 };
160
161 int esp_sysctl_espstat(void *, size_t *, void *);
162 int ah_sysctl_ahstat(void *, size_t *, void *);
163 int ipcomp_sysctl_ipcompstat(void *, size_t *, void *);
164 int ipsec_sysctl_ipsecstat(void *, size_t *, void *);
165
166 void
ipsec_init(void)167 ipsec_init(void)
168 {
169 espcounters = counters_alloc(esps_ncounters);
170 ahcounters = counters_alloc(ahs_ncounters);
171 ipcompcounters = counters_alloc(ipcomps_ncounters);
172 ipseccounters = counters_alloc(ipsec_ncounters);
173
174 strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
175 strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
176 strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
177
178 ipsp_init();
179 }
180
181 /*
182 * ipsec_common_input() gets called when we receive an IPsec-protected packet
183 * in IPv4 or IPv6. All it does is find the right TDB and call the appropriate
184 * transform. The callback takes care of further processing (like ingress
185 * filtering).
186 */
187 int
ipsec_common_input(struct mbuf ** mp,int skip,int protoff,int af,int sproto,int udpencap)188 ipsec_common_input(struct mbuf **mp, int skip, int protoff, int af, int sproto,
189 int udpencap)
190 {
191 #define IPSEC_ISTAT(x,y,z) do { \
192 if (sproto == IPPROTO_ESP) \
193 espstat_inc(x); \
194 else if (sproto == IPPROTO_AH) \
195 ahstat_inc(y); \
196 else \
197 ipcompstat_inc(z); \
198 } while (0)
199
200 struct mbuf *m = *mp;
201 union sockaddr_union dst_address;
202 struct tdb *tdbp = NULL;
203 u_int32_t spi;
204 u_int16_t cpi;
205 int prot;
206 #ifdef ENCDEBUG
207 char buf[INET6_ADDRSTRLEN];
208 #endif
209
210 NET_ASSERT_LOCKED();
211
212 ipsecstat_pkt(ipsec_ipackets, ipsec_ibytes, m->m_pkthdr.len);
213 IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input);
214
215 if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) {
216 DPRINTF("repeated decompression");
217 ipcompstat_inc(ipcomps_pdrops);
218 goto drop;
219 }
220
221 if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) {
222 DPRINTF("packet too small");
223 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
224 goto drop;
225 }
226
227 /* Retrieve the SPI from the relevant IPsec header */
228 switch (sproto) {
229 case IPPROTO_ESP:
230 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
231 break;
232 case IPPROTO_AH:
233 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
234 (caddr_t) &spi);
235 break;
236 case IPPROTO_IPCOMP:
237 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
238 (caddr_t) &cpi);
239 spi = ntohl(htons(cpi));
240 break;
241 default:
242 panic("%s: unknown/unsupported security protocol %d",
243 __func__, sproto);
244 }
245
246 /*
247 * Find tunnel control block and (indirectly) call the appropriate
248 * kernel crypto routine. The resulting mbuf chain is a valid
249 * IP packet ready to go through input processing.
250 */
251
252 memset(&dst_address, 0, sizeof(dst_address));
253 dst_address.sa.sa_family = af;
254
255 switch (af) {
256 case AF_INET:
257 dst_address.sin.sin_len = sizeof(struct sockaddr_in);
258 m_copydata(m, offsetof(struct ip, ip_dst),
259 sizeof(struct in_addr),
260 (caddr_t) &(dst_address.sin.sin_addr));
261 break;
262
263 #ifdef INET6
264 case AF_INET6:
265 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
266 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
267 sizeof(struct in6_addr),
268 (caddr_t) &(dst_address.sin6.sin6_addr));
269 in6_recoverscope(&dst_address.sin6,
270 &dst_address.sin6.sin6_addr);
271 break;
272 #endif /* INET6 */
273
274 default:
275 DPRINTF("unsupported protocol family %d", af);
276 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf);
277 goto drop;
278 }
279
280 tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid),
281 spi, &dst_address, sproto);
282 if (tdbp == NULL) {
283 DPRINTF("could not find SA for packet to %s, spi %08x",
284 ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi));
285 IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb);
286 goto drop;
287 }
288
289 if (tdbp->tdb_flags & TDBF_INVALID) {
290 DPRINTF("attempted to use invalid SA %s/%08x/%u",
291 ipsp_address(&dst_address, buf, sizeof(buf)),
292 ntohl(spi), tdbp->tdb_sproto);
293 IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid);
294 goto drop;
295 }
296
297 if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) {
298 DPRINTF("attempted to use non-udpencap SA %s/%08x/%u",
299 ipsp_address(&dst_address, buf, sizeof(buf)),
300 ntohl(spi), tdbp->tdb_sproto);
301 espstat_inc(esps_udpinval);
302 goto drop;
303 }
304
305 if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) {
306 DPRINTF("attempted to use udpencap SA %s/%08x/%u",
307 ipsp_address(&dst_address, buf, sizeof(buf)),
308 ntohl(spi), tdbp->tdb_sproto);
309 espstat_inc(esps_udpneeded);
310 goto drop;
311 }
312
313 if (tdbp->tdb_xform == NULL) {
314 DPRINTF("attempted to use uninitialized SA %s/%08x/%u",
315 ipsp_address(&dst_address, buf, sizeof(buf)),
316 ntohl(spi), tdbp->tdb_sproto);
317 IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform);
318 goto drop;
319 }
320
321 KERNEL_LOCK();
322 /* Register first use, setup expiration timer. */
323 if (tdbp->tdb_first_use == 0) {
324 tdbp->tdb_first_use = gettime();
325 if (tdbp->tdb_flags & TDBF_FIRSTUSE) {
326 if (timeout_add_sec(&tdbp->tdb_first_tmo,
327 tdbp->tdb_exp_first_use))
328 tdb_ref(tdbp);
329 }
330 if (tdbp->tdb_flags & TDBF_SOFT_FIRSTUSE) {
331 if (timeout_add_sec(&tdbp->tdb_sfirst_tmo,
332 tdbp->tdb_soft_first_use))
333 tdb_ref(tdbp);
334 }
335 }
336
337 tdbstat_pkt(tdbp, tdb_ipackets, tdb_ibytes, m->m_pkthdr.len);
338
339 /*
340 * Call appropriate transform and return -- callback takes care of
341 * everything else.
342 */
343 prot = (*(tdbp->tdb_xform->xf_input))(mp, tdbp, skip, protoff);
344 if (prot == IPPROTO_DONE) {
345 ipsecstat_inc(ipsec_idrops);
346 tdbstat_inc(tdbp, tdb_idrops);
347 }
348 tdb_unref(tdbp);
349 KERNEL_UNLOCK();
350 return prot;
351
352 drop:
353 m_freemp(mp);
354 ipsecstat_inc(ipsec_idrops);
355 if (tdbp != NULL)
356 tdbstat_inc(tdbp, tdb_idrops);
357 tdb_unref(tdbp);
358 return IPPROTO_DONE;
359 }
360
361 /*
362 * IPsec input callback, called by the transform callback. Takes care of
363 * filtering and other sanity checks on the processed packet.
364 */
365 int
ipsec_common_input_cb(struct mbuf ** mp,struct tdb * tdbp,int skip,int protoff)366 ipsec_common_input_cb(struct mbuf **mp, struct tdb *tdbp, int skip, int protoff)
367 {
368 struct mbuf *m = *mp;
369 int af, sproto;
370 u_int8_t prot;
371 #if NBPFILTER > 0
372 struct ifnet *encif;
373 #endif
374 struct ip *ip;
375 #ifdef INET6
376 struct ip6_hdr *ip6;
377 #endif /* INET6 */
378 struct m_tag *mtag;
379 struct tdb_ident *tdbi;
380 #ifdef ENCDEBUG
381 char buf[INET6_ADDRSTRLEN];
382 #endif
383
384 af = tdbp->tdb_dst.sa.sa_family;
385 sproto = tdbp->tdb_sproto;
386
387 tdbp->tdb_last_used = gettime();
388
389 /* Fix IPv4 header */
390 if (af == AF_INET) {
391 if (m->m_len < skip &&
392 (m = *mp = m_pullup(m, skip)) == NULL) {
393 DPRINTF("processing failed for SA %s/%08x",
394 ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)),
395 ntohl(tdbp->tdb_spi));
396 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
397 goto baddone;
398 }
399
400 ip = mtod(m, struct ip *);
401 ip->ip_len = htons(m->m_pkthdr.len);
402 in_hdr_cksum_out(m, NULL);
403 prot = ip->ip_p;
404 }
405
406 #ifdef INET6
407 /* Fix IPv6 header */
408 if (af == AF_INET6) {
409 if (m->m_len < sizeof(struct ip6_hdr) &&
410 (m = *mp = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
411
412 DPRINTF("processing failed for SA %s/%08x",
413 ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)),
414 ntohl(tdbp->tdb_spi));
415 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
416 goto baddone;
417 }
418
419 ip6 = mtod(m, struct ip6_hdr *);
420 ip6->ip6_plen = htons(m->m_pkthdr.len - skip);
421
422 /* Save protocol */
423 m_copydata(m, protoff, 1, (caddr_t) &prot);
424 }
425 #endif /* INET6 */
426
427 /*
428 * Fix TCP/UDP checksum of UDP encapsulated transport mode ESP packet.
429 * (RFC3948 3.1.2)
430 */
431 if ((af == AF_INET || af == AF_INET6) &&
432 (tdbp->tdb_flags & TDBF_UDPENCAP) &&
433 (tdbp->tdb_flags & TDBF_TUNNELING) == 0) {
434 u_int16_t cksum;
435
436 switch (prot) {
437 case IPPROTO_UDP:
438 if (m->m_pkthdr.len < skip + sizeof(struct udphdr)) {
439 IPSEC_ISTAT(esps_hdrops, ahs_hdrops,
440 ipcomps_hdrops);
441 goto baddone;
442 }
443 cksum = 0;
444 m_copyback(m, skip + offsetof(struct udphdr, uh_sum),
445 sizeof(cksum), &cksum, M_NOWAIT);
446 #ifdef INET6
447 if (af == AF_INET6) {
448 cksum = in6_cksum(m, IPPROTO_UDP, skip,
449 m->m_pkthdr.len - skip);
450 m_copyback(m, skip + offsetof(struct udphdr,
451 uh_sum), sizeof(cksum), &cksum, M_NOWAIT);
452 }
453 #endif
454 break;
455 case IPPROTO_TCP:
456 if (m->m_pkthdr.len < skip + sizeof(struct tcphdr)) {
457 IPSEC_ISTAT(esps_hdrops, ahs_hdrops,
458 ipcomps_hdrops);
459 goto baddone;
460 }
461 cksum = 0;
462 m_copyback(m, skip + offsetof(struct tcphdr, th_sum),
463 sizeof(cksum), &cksum, M_NOWAIT);
464 if (af == AF_INET)
465 cksum = in4_cksum(m, IPPROTO_TCP, skip,
466 m->m_pkthdr.len - skip);
467 #ifdef INET6
468 else if (af == AF_INET6)
469 cksum = in6_cksum(m, IPPROTO_TCP, skip,
470 m->m_pkthdr.len - skip);
471 #endif
472 m_copyback(m, skip + offsetof(struct tcphdr, th_sum),
473 sizeof(cksum), &cksum, M_NOWAIT);
474 break;
475 }
476 }
477
478 /*
479 * Record what we've done to the packet (under what SA it was
480 * processed).
481 */
482 if (tdbp->tdb_sproto != IPPROTO_IPCOMP) {
483 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
484 sizeof(struct tdb_ident), M_NOWAIT);
485 if (mtag == NULL) {
486 DPRINTF("failed to get tag");
487 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
488 goto baddone;
489 }
490
491 tdbi = (struct tdb_ident *)(mtag + 1);
492 tdbi->dst = tdbp->tdb_dst;
493 tdbi->proto = tdbp->tdb_sproto;
494 tdbi->spi = tdbp->tdb_spi;
495 tdbi->rdomain = tdbp->tdb_rdomain;
496
497 m_tag_prepend(m, mtag);
498 }
499
500 switch (sproto) {
501 case IPPROTO_ESP:
502 /* Packet is confidential ? */
503 if (tdbp->tdb_encalgxform)
504 m->m_flags |= M_CONF;
505
506 /* Check if we had authenticated ESP. */
507 if (tdbp->tdb_authalgxform)
508 m->m_flags |= M_AUTH;
509 break;
510 case IPPROTO_AH:
511 m->m_flags |= M_AUTH;
512 break;
513 case IPPROTO_IPCOMP:
514 m->m_flags |= M_COMP;
515 break;
516 default:
517 panic("%s: unknown/unsupported security protocol %d",
518 __func__, sproto);
519 }
520
521 #if NPF > 0
522 /* Add pf tag if requested. */
523 pf_tag_packet(m, tdbp->tdb_tag, -1);
524 pf_pkt_addr_changed(m);
525 #endif
526 if (tdbp->tdb_rdomain != tdbp->tdb_rdomain_post)
527 m->m_pkthdr.ph_rtableid = tdbp->tdb_rdomain_post;
528
529 if (tdbp->tdb_flags & TDBF_TUNNELING)
530 m->m_flags |= M_TUNNEL;
531
532 ipsecstat_add(ipsec_idecompbytes, m->m_pkthdr.len);
533 tdbstat_add(tdbp, tdb_idecompbytes, m->m_pkthdr.len);
534
535 #if NBPFILTER > 0
536 encif = enc_getif(tdbp->tdb_rdomain_post, tdbp->tdb_tap);
537 if (encif != NULL) {
538 encif->if_ipackets++;
539 encif->if_ibytes += m->m_pkthdr.len;
540
541 if (sproto != IPPROTO_IPCOMP) {
542 /* XXX This conflicts with the scoped nature of IPv6 */
543 m->m_pkthdr.ph_ifidx = encif->if_index;
544 }
545 if (encif->if_bpf) {
546 struct enchdr hdr;
547
548 hdr.af = af;
549 hdr.spi = tdbp->tdb_spi;
550 hdr.flags = m->m_flags & (M_AUTH|M_CONF);
551
552 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr,
553 ENC_HDRLEN, m, BPF_DIRECTION_IN);
554 }
555 }
556 #endif
557
558 if (ISSET(tdbp->tdb_flags, TDBF_IFACE)) {
559 #if NSEC > 0
560 if (ISSET(tdbp->tdb_flags, TDBF_TUNNELING) &&
561 tdbp->tdb_iface_dir == IPSP_DIRECTION_IN) {
562 struct sec_softc *sc = sec_get(tdbp->tdb_iface);
563 if (sc == NULL)
564 goto baddone;
565
566 sec_input(sc, af, prot, m);
567 sec_put(sc);
568 return IPPROTO_DONE;
569 }
570 #endif /* NSEC > 0 */
571 goto baddone;
572 }
573
574 #if NPF > 0
575 /*
576 * The ip_deliver() shortcut avoids running through ip_input() with the
577 * same IP header twice. Packets in transport mode have to be be
578 * passed to pf explicitly. In tunnel mode the inner IP header will
579 * run through ip_input() and pf anyway.
580 */
581 if ((tdbp->tdb_flags & TDBF_TUNNELING) == 0) {
582 struct ifnet *ifp;
583
584 /* This is the enc0 interface unless for ipcomp. */
585 if ((ifp = if_get(m->m_pkthdr.ph_ifidx)) == NULL) {
586 goto baddone;
587 }
588 if (pf_test(af, PF_IN, ifp, mp) != PF_PASS) {
589 if_put(ifp);
590 goto baddone;
591 }
592 m = *mp;
593 if_put(ifp);
594 if (m == NULL)
595 return IPPROTO_DONE;
596 }
597 #endif
598 /* Return to the appropriate protocol handler in deliver loop. */
599 return prot;
600
601 baddone:
602 m_freemp(mp);
603 return IPPROTO_DONE;
604 #undef IPSEC_ISTAT
605 }
606
607 int
ipsec_sysctl(int * name,u_int namelen,void * oldp,size_t * oldlenp,void * newp,size_t newlen)608 ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
609 size_t newlen)
610 {
611 int error;
612
613 switch (name[0]) {
614 case IPCTL_IPSEC_ENC_ALGORITHM:
615 NET_LOCK();
616 error = sysctl_tstring(oldp, oldlenp, newp, newlen,
617 ipsec_def_enc, sizeof(ipsec_def_enc));
618 NET_UNLOCK();
619 return (error);
620 case IPCTL_IPSEC_AUTH_ALGORITHM:
621 NET_LOCK();
622 error = sysctl_tstring(oldp, oldlenp, newp, newlen,
623 ipsec_def_auth, sizeof(ipsec_def_auth));
624 NET_UNLOCK();
625 return (error);
626 case IPCTL_IPSEC_IPCOMP_ALGORITHM:
627 NET_LOCK();
628 error = sysctl_tstring(oldp, oldlenp, newp, newlen,
629 ipsec_def_comp, sizeof(ipsec_def_comp));
630 NET_UNLOCK();
631 return (error);
632 case IPCTL_IPSEC_STATS:
633 return (ipsec_sysctl_ipsecstat(oldp, oldlenp, newp));
634 default:
635 NET_LOCK();
636 error = sysctl_bounded_arr(ipsecctl_vars, nitems(ipsecctl_vars),
637 name, namelen, oldp, oldlenp, newp, newlen);
638 NET_UNLOCK();
639 return (error);
640 }
641 }
642
643 int
esp_sysctl(int * name,u_int namelen,void * oldp,size_t * oldlenp,void * newp,size_t newlen)644 esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
645 size_t newlen)
646 {
647 int error;
648
649 /* All sysctl names at this level are terminal. */
650 if (namelen != 1)
651 return (ENOTDIR);
652
653 switch (name[0]) {
654 case ESPCTL_STATS:
655 return (esp_sysctl_espstat(oldp, oldlenp, newp));
656 default:
657 NET_LOCK();
658 error = sysctl_bounded_arr(espctl_vars, nitems(espctl_vars),
659 name, namelen, oldp, oldlenp, newp, newlen);
660 NET_UNLOCK();
661 return (error);
662 }
663 }
664
665 int
esp_sysctl_espstat(void * oldp,size_t * oldlenp,void * newp)666 esp_sysctl_espstat(void *oldp, size_t *oldlenp, void *newp)
667 {
668 struct espstat espstat;
669
670 CTASSERT(sizeof(espstat) == (esps_ncounters * sizeof(uint64_t)));
671 memset(&espstat, 0, sizeof espstat);
672 counters_read(espcounters, (uint64_t *)&espstat, esps_ncounters, NULL);
673 return (sysctl_rdstruct(oldp, oldlenp, newp, &espstat,
674 sizeof(espstat)));
675 }
676
677 int
ah_sysctl(int * name,u_int namelen,void * oldp,size_t * oldlenp,void * newp,size_t newlen)678 ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
679 size_t newlen)
680 {
681 /* All sysctl names at this level are terminal. */
682 if (namelen != 1)
683 return (ENOTDIR);
684
685 switch (name[0]) {
686 case AHCTL_STATS:
687 return ah_sysctl_ahstat(oldp, oldlenp, newp);
688 default:
689 return sysctl_bounded_arr(ahctl_vars, nitems(ahctl_vars), name,
690 namelen, oldp, oldlenp, newp, newlen);
691 }
692 }
693
694 int
ah_sysctl_ahstat(void * oldp,size_t * oldlenp,void * newp)695 ah_sysctl_ahstat(void *oldp, size_t *oldlenp, void *newp)
696 {
697 struct ahstat ahstat;
698
699 CTASSERT(sizeof(ahstat) == (ahs_ncounters * sizeof(uint64_t)));
700 memset(&ahstat, 0, sizeof ahstat);
701 counters_read(ahcounters, (uint64_t *)&ahstat, ahs_ncounters, NULL);
702 return (sysctl_rdstruct(oldp, oldlenp, newp, &ahstat, sizeof(ahstat)));
703 }
704
705 int
ipcomp_sysctl(int * name,u_int namelen,void * oldp,size_t * oldlenp,void * newp,size_t newlen)706 ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
707 size_t newlen)
708 {
709 /* All sysctl names at this level are terminal. */
710 if (namelen != 1)
711 return (ENOTDIR);
712
713 switch (name[0]) {
714 case IPCOMPCTL_STATS:
715 return ipcomp_sysctl_ipcompstat(oldp, oldlenp, newp);
716 default:
717 return sysctl_bounded_arr(ipcompctl_vars,
718 nitems(ipcompctl_vars), name, namelen, oldp, oldlenp,
719 newp, newlen);
720 }
721 }
722
723 int
ipcomp_sysctl_ipcompstat(void * oldp,size_t * oldlenp,void * newp)724 ipcomp_sysctl_ipcompstat(void *oldp, size_t *oldlenp, void *newp)
725 {
726 struct ipcompstat ipcompstat;
727
728 CTASSERT(sizeof(ipcompstat) == (ipcomps_ncounters * sizeof(uint64_t)));
729 memset(&ipcompstat, 0, sizeof ipcompstat);
730 counters_read(ipcompcounters, (uint64_t *)&ipcompstat,
731 ipcomps_ncounters, NULL);
732 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipcompstat,
733 sizeof(ipcompstat)));
734 }
735
736 int
ipsec_sysctl_ipsecstat(void * oldp,size_t * oldlenp,void * newp)737 ipsec_sysctl_ipsecstat(void *oldp, size_t *oldlenp, void *newp)
738 {
739 struct ipsecstat ipsecstat;
740
741 CTASSERT(sizeof(ipsecstat) == (ipsec_ncounters * sizeof(uint64_t)));
742 memset(&ipsecstat, 0, sizeof ipsecstat);
743 counters_read(ipseccounters, (uint64_t *)&ipsecstat, ipsec_ncounters,
744 NULL);
745 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipsecstat,
746 sizeof(ipsecstat)));
747 }
748
749 int
ipsec_input_disabled(struct mbuf ** mp,int * offp,int proto,int af)750 ipsec_input_disabled(struct mbuf **mp, int *offp, int proto, int af)
751 {
752 switch (af) {
753 case AF_INET:
754 return rip_input(mp, offp, proto, af);
755 #ifdef INET6
756 case AF_INET6:
757 return rip6_input(mp, offp, proto, af);
758 #endif
759 default:
760 unhandled_af(af);
761 }
762 }
763
764 int
ah46_input(struct mbuf ** mp,int * offp,int proto,int af)765 ah46_input(struct mbuf **mp, int *offp, int proto, int af)
766 {
767 int protoff;
768
769 if (
770 #if NPF > 0
771 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) ||
772 #endif
773 !atomic_load_int(&ah_enable))
774 return ipsec_input_disabled(mp, offp, proto, af);
775
776 protoff = ipsec_protoff(*mp, *offp, af);
777 if (protoff < 0) {
778 DPRINTF("bad packet header chain");
779 ahstat_inc(ahs_hdrops);
780 m_freemp(mp);
781 return IPPROTO_DONE;
782 }
783
784 return ipsec_common_input(mp, *offp, protoff, af, proto, 0);
785 }
786
787 void
ah4_ctlinput(int cmd,struct sockaddr * sa,u_int rdomain,void * v)788 ah4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v)
789 {
790 if (sa->sa_family != AF_INET ||
791 sa->sa_len != sizeof(struct sockaddr_in))
792 return;
793
794 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_AH);
795 }
796
797 int
esp46_input(struct mbuf ** mp,int * offp,int proto,int af)798 esp46_input(struct mbuf **mp, int *offp, int proto, int af)
799 {
800 int protoff;
801
802 if (
803 #if NPF > 0
804 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) ||
805 #endif
806 !esp_enable)
807 return ipsec_input_disabled(mp, offp, proto, af);
808
809 protoff = ipsec_protoff(*mp, *offp, af);
810 if (protoff < 0) {
811 DPRINTF("bad packet header chain");
812 espstat_inc(esps_hdrops);
813 m_freemp(mp);
814 return IPPROTO_DONE;
815 }
816
817 return ipsec_common_input(mp, *offp, protoff, af, proto, 0);
818 }
819
820 /* IPv4 IPCOMP wrapper */
821 int
ipcomp46_input(struct mbuf ** mp,int * offp,int proto,int af)822 ipcomp46_input(struct mbuf **mp, int *offp, int proto, int af)
823 {
824 int protoff;
825
826 if (
827 #if NPF > 0
828 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) ||
829 #endif
830 !atomic_load_int(&ipcomp_enable))
831 return ipsec_input_disabled(mp, offp, proto, af);
832
833 protoff = ipsec_protoff(*mp, *offp, af);
834 if (protoff < 0) {
835 DPRINTF("bad packet header chain");
836 ipcompstat_inc(ipcomps_hdrops);
837 m_freemp(mp);
838 return IPPROTO_DONE;
839 }
840
841 return ipsec_common_input(mp, *offp, protoff, af, proto, 0);
842 }
843
844 void
ipsec_set_mtu(struct tdb * tdbp,u_int32_t mtu)845 ipsec_set_mtu(struct tdb *tdbp, u_int32_t mtu)
846 {
847 ssize_t adjust;
848
849 NET_ASSERT_LOCKED();
850
851 /* Walk the chain backwards to the first tdb */
852 for (; tdbp != NULL; tdbp = tdbp->tdb_inext) {
853 if (tdbp->tdb_flags & TDBF_INVALID ||
854 (adjust = ipsec_hdrsz(tdbp)) == -1)
855 return;
856
857 mtu -= adjust;
858
859 /* Store adjusted MTU in tdb */
860 tdbp->tdb_mtu = mtu;
861 tdbp->tdb_mtutimeout = gettime() + ip_mtudisc_timeout;
862 DPRINTF("spi %08x mtu %d adjust %ld",
863 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust);
864 }
865 }
866
867 void
ipsec_common_ctlinput(u_int rdomain,int cmd,struct sockaddr * sa,void * v,int proto)868 ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa,
869 void *v, int proto)
870 {
871 struct ip *ip = v;
872
873 if (cmd == PRC_MSGSIZE && ip && ip_mtudisc && ip->ip_v == 4) {
874 struct tdb *tdbp;
875 struct sockaddr_in dst;
876 struct icmp *icp;
877 int hlen = ip->ip_hl << 2;
878 u_int32_t spi, mtu;
879
880 /* Find the right MTU. */
881 icp = (struct icmp *)((caddr_t) ip -
882 offsetof(struct icmp, icmp_ip));
883 mtu = ntohs(icp->icmp_nextmtu);
884
885 /*
886 * Ignore the packet, if we do not receive a MTU
887 * or the MTU is too small to be acceptable.
888 */
889 if (mtu < 296)
890 return;
891
892 memset(&dst, 0, sizeof(struct sockaddr_in));
893 dst.sin_family = AF_INET;
894 dst.sin_len = sizeof(struct sockaddr_in);
895 dst.sin_addr.s_addr = ip->ip_dst.s_addr;
896
897 memcpy(&spi, (caddr_t)ip + hlen, sizeof(u_int32_t));
898
899 tdbp = gettdb_rev(rdomain, spi, (union sockaddr_union *)&dst,
900 proto);
901 ipsec_set_mtu(tdbp, mtu);
902 tdb_unref(tdbp);
903 }
904 }
905
906 void
udpencap_ctlinput(int cmd,struct sockaddr * sa,u_int rdomain,void * v)907 udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v)
908 {
909 struct ip *ip = v;
910 struct tdb *tdbp, *first;
911 struct icmp *icp;
912 u_int32_t mtu;
913 struct sockaddr_in dst, src;
914 union sockaddr_union *su_dst, *su_src;
915
916 NET_ASSERT_LOCKED();
917
918 icp = (struct icmp *)((caddr_t) ip - offsetof(struct icmp, icmp_ip));
919 mtu = ntohs(icp->icmp_nextmtu);
920
921 /*
922 * Ignore the packet, if we do not receive a MTU
923 * or the MTU is too small to be acceptable.
924 */
925 if (mtu < 296)
926 return;
927
928 memset(&dst, 0, sizeof(dst));
929 dst.sin_family = AF_INET;
930 dst.sin_len = sizeof(struct sockaddr_in);
931 dst.sin_addr.s_addr = ip->ip_dst.s_addr;
932 su_dst = (union sockaddr_union *)&dst;
933 memset(&src, 0, sizeof(src));
934 src.sin_family = AF_INET;
935 src.sin_len = sizeof(struct sockaddr_in);
936 src.sin_addr.s_addr = ip->ip_src.s_addr;
937 su_src = (union sockaddr_union *)&src;
938
939 first = gettdbbysrcdst_rev(rdomain, 0, su_src, su_dst, IPPROTO_ESP);
940
941 mtx_enter(&tdb_sadb_mtx);
942 for (tdbp = first; tdbp != NULL; tdbp = tdbp->tdb_snext) {
943 if (tdbp->tdb_sproto == IPPROTO_ESP &&
944 ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_UDPENCAP)) ==
945 TDBF_UDPENCAP) &&
946 !memcmp(&tdbp->tdb_dst, &dst, su_dst->sa.sa_len) &&
947 !memcmp(&tdbp->tdb_src, &src, su_src->sa.sa_len))
948 ipsec_set_mtu(tdbp, mtu);
949 }
950 mtx_leave(&tdb_sadb_mtx);
951 tdb_unref(first);
952 }
953
954 void
esp4_ctlinput(int cmd,struct sockaddr * sa,u_int rdomain,void * v)955 esp4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v)
956 {
957 if (sa->sa_family != AF_INET ||
958 sa->sa_len != sizeof(struct sockaddr_in))
959 return;
960
961 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_ESP);
962 }
963
964 /* Find the offset of the next protocol field in the previous header. */
965 int
ipsec_protoff(struct mbuf * m,int off,int af)966 ipsec_protoff(struct mbuf *m, int off, int af)
967 {
968 #ifdef INET6
969 struct ip6_ext ip6e;
970 int protoff, nxt, l;
971 #endif /* INET6 */
972
973 switch (af) {
974 case AF_INET:
975 return offsetof(struct ip, ip_p);
976 #ifdef INET6
977 case AF_INET6:
978 break;
979 #endif /* INET6 */
980 default:
981 unhandled_af(af);
982 }
983
984 #ifdef INET6
985 if (off < sizeof(struct ip6_hdr))
986 return -1;
987
988 if (off == sizeof(struct ip6_hdr))
989 return offsetof(struct ip6_hdr, ip6_nxt);
990
991 /* Chase down the header chain... */
992 protoff = sizeof(struct ip6_hdr);
993 nxt = (mtod(m, struct ip6_hdr *))->ip6_nxt;
994 l = 0;
995
996 do {
997 protoff += l;
998 m_copydata(m, protoff, sizeof(ip6e),
999 (caddr_t) &ip6e);
1000
1001 if (nxt == IPPROTO_AH)
1002 l = (ip6e.ip6e_len + 2) << 2;
1003 else
1004 l = (ip6e.ip6e_len + 1) << 3;
1005 #ifdef DIAGNOSTIC
1006 if (l <= 0)
1007 panic("%s: l went zero or negative", __func__);
1008 #endif
1009
1010 nxt = ip6e.ip6e_nxt;
1011 } while (protoff + l < off);
1012
1013 /* Malformed packet check */
1014 if (protoff + l != off)
1015 return -1;
1016
1017 protoff += offsetof(struct ip6_ext, ip6e_nxt);
1018 return protoff;
1019 #endif /* INET6 */
1020 }
1021
1022 int
ipsec_forward_check(struct mbuf * m,int hlen,int af)1023 ipsec_forward_check(struct mbuf *m, int hlen, int af)
1024 {
1025 struct tdb *tdb;
1026 struct tdb_ident *tdbi;
1027 struct m_tag *mtag;
1028 int error = 0;
1029
1030 /*
1031 * IPsec policy check for forwarded packets. Look at
1032 * inner-most IPsec SA used.
1033 */
1034 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
1035 if (mtag != NULL) {
1036 tdbi = (struct tdb_ident *)(mtag + 1);
1037 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto);
1038 } else
1039 tdb = NULL;
1040 error = ipsp_spd_lookup(m, af, hlen, IPSP_DIRECTION_IN,
1041 tdb, NULL, NULL, NULL);
1042 tdb_unref(tdb);
1043
1044 return error;
1045 }
1046
1047 int
ipsec_local_check(struct mbuf * m,int hlen,int proto,int af)1048 ipsec_local_check(struct mbuf *m, int hlen, int proto, int af)
1049 {
1050 struct tdb *tdb;
1051 struct tdb_ident *tdbi;
1052 struct m_tag *mtag;
1053 int error = 0;
1054
1055 /*
1056 * If it's a protected packet for us, skip the policy check.
1057 * That's because we really only care about the properties of
1058 * the protected packet, and not the intermediate versions.
1059 * While this is not the most paranoid setting, it allows
1060 * some flexibility in handling nested tunnels (in setting up
1061 * the policies).
1062 */
1063 if ((proto == IPPROTO_ESP) || (proto == IPPROTO_AH) ||
1064 (proto == IPPROTO_IPCOMP))
1065 return 0;
1066
1067 /*
1068 * If the protected packet was tunneled, then we need to
1069 * verify the protected packet's information, not the
1070 * external headers. Thus, skip the policy lookup for the
1071 * external packet, and keep the IPsec information linked on
1072 * the packet header (the encapsulation routines know how
1073 * to deal with that).
1074 */
1075 if ((proto == IPPROTO_IPV4) || (proto == IPPROTO_IPV6))
1076 return 0;
1077
1078 /*
1079 * When processing IPv6 header chains, do not look at the
1080 * outer header. The inner protocol is relevant and will
1081 * be checked by the local delivery loop later.
1082 */
1083 if ((af == AF_INET6) && ((proto == IPPROTO_DSTOPTS) ||
1084 (proto == IPPROTO_ROUTING) || (proto == IPPROTO_FRAGMENT)))
1085 return 0;
1086
1087 /*
1088 * If the protected packet is TCP or UDP, we'll do the
1089 * policy check in the respective input routine, so we can
1090 * check for bypass sockets.
1091 */
1092 if ((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP))
1093 return 0;
1094
1095 /*
1096 * IPsec policy check for local-delivery packets. Look at the
1097 * inner-most SA that protected the packet. This is in fact
1098 * a bit too restrictive (it could end up causing packets to
1099 * be dropped that semantically follow the policy, e.g., in
1100 * certain SA-bundle configurations); but the alternative is
1101 * very complicated (and requires keeping track of what
1102 * kinds of tunneling headers have been seen in-between the
1103 * IPsec headers), and I don't think we lose much functionality
1104 * that's needed in the real world (who uses bundles anyway ?).
1105 */
1106 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
1107 if (mtag) {
1108 tdbi = (struct tdb_ident *)(mtag + 1);
1109 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst,
1110 tdbi->proto);
1111 } else
1112 tdb = NULL;
1113 error = ipsp_spd_lookup(m, af, hlen, IPSP_DIRECTION_IN,
1114 tdb, NULL, NULL, NULL);
1115 tdb_unref(tdb);
1116
1117 return error;
1118 }
1119