jcs.org / openbsd-src
jcs's openbsd hax
openbsd
fork atom
openbsd-src / sys / netinet / ipsec_input.c
at jcs 1183 lines 31 kB view raw
dlg populate the enchdr in network byte order instead of host byte order.
426fd8bc
1/* $OpenBSD: ipsec_input.c,v 1.222 2025/12/11 05:06:02 dlg Exp $ */ 2/* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38#include "pf.h" 39#include "sec.h" 40 41#include <sys/param.h> 42#include <sys/systm.h> 43#include <sys/protosw.h> 44#include <sys/mbuf.h> 45#include <sys/socket.h> 46#include <sys/sysctl.h> 47#include <sys/timeout.h> 48 49#include <net/if.h> 50#include <net/if_var.h> 51#include <net/bpf.h> 52 53#include <netinet/in.h> 54#include <netinet/ip.h> 55#include <netinet/ip_var.h> 56#include <netinet/ip_icmp.h> 57#include <netinet/tcp.h> 58#include <netinet/udp.h> 59 60#if NPF > 0 61#include <net/pfvar.h> 62#endif 63 64#if NSEC > 0 65#include <net/if_sec.h> 66#endif 67 68#ifdef INET6 69#include <netinet/ip6.h> 70#include <netinet6/ip6_var.h> 71#endif /* INET6 */ 72 73#include <netinet/ip_ipsp.h> 74#include <netinet/ip_esp.h> 75#include <netinet/ip_ah.h> 76#include <netinet/ip_ipcomp.h> 77 78#include <net/if_enc.h> 79 80#include "bpfilter.h" 81 82/* 83 * Locks used to protect data: 84 * a atomic 85 */ 86 87void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int); 88 89#ifdef ENCDEBUG 90#define DPRINTF(fmt, args...) \ 91 do { \ 92 if (atomic_load_int(&encdebug)) \ 93 printf("%s: " fmt "\n", __func__, ## args); \ 94 } while (0) 95#else 96#define DPRINTF(fmt, args...) \ 97 do { } while (0) 98#endif 99 100/* sysctl variables */ 101int encdebug = 0; /* [a] */ 102int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT; /* [a] */ 103int ipsec_require_pfs = IPSEC_DEFAULT_PFS; /* [a] */ 104int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS; /* [a] */ 105int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS; /* [a] */ 106int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES; /* [a] */ 107int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES; /* [a] */ 108int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT; /* [a] */ 109int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT; /* [a] */ 110int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE; /* [a] */ 111int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE; /* [a] */ 112int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE; /* [a] */ 113 114int esp_enable = 1; /* [a] */ 115int ah_enable = 1; /* [a] */ 116int ipcomp_enable = 0; /* [a] */ 117 118const struct sysctl_bounded_args espctl_vars[] = { 119 {ESPCTL_ENABLE, &esp_enable, 0, 1}, 120 {ESPCTL_UDPENCAP_ENABLE, &udpencap_enable, 0, 1}, 121 {ESPCTL_UDPENCAP_PORT, &udpencap_port, 0, 65535}, 122}; 123 124const struct sysctl_bounded_args ahctl_vars[] = { 125 {AHCTL_ENABLE, &ah_enable, 0, 1}, 126}; 127const struct sysctl_bounded_args ipcompctl_vars[] = { 128 {IPCOMPCTL_ENABLE, &ipcomp_enable, 0, 1}, 129}; 130 131struct cpumem *espcounters; 132struct cpumem *ahcounters; 133struct cpumem *ipcompcounters; 134struct cpumem *ipseccounters; 135 136struct ipsec_sysctl_algorithm { 137 const char *name; 138 int val; 139}; 140 141const struct ipsec_sysctl_algorithm ipsec_sysctl_enc_algs[] = { 142 {"aes", IPSEC_ENC_AES}, 143 {"aesctr", IPSEC_ENC_AESCTR}, 144 {"3des", IPSEC_ENC_3DES}, 145 {"blowfish", IPSEC_ENC_BLOWFISH}, 146 {"cast128", IPSEC_ENC_CAST128}, 147 {NULL, -1}, 148}; 149 150const struct ipsec_sysctl_algorithm ipsec_sysctl_auth_algs[] = { 151 {"hmac-sha1", IPSEC_AUTH_HMAC_SHA1}, 152 {"hmac-ripemd160", IPSEC_AUTH_HMAC_RIPEMD160}, 153 {"hmac-md5", IPSEC_AUTH_MD5}, 154 {"hmac-sha2-256", IPSEC_AUTH_SHA2_256}, 155 {"hmac-sha2-384", IPSEC_AUTH_SHA2_384}, 156 {"hmac-sha2-512", IPSEC_AUTH_SHA2_512}, 157 {NULL, -1}, 158}; 159 160const struct ipsec_sysctl_algorithm ipsec_sysctl_comp_algs[] = { 161 {"deflate", IPSEC_COMP_DEFLATE}, 162 {NULL, -1}, 163}; 164 165int ipsec_def_enc = IPSEC_ENC_AES; /* [a] */ 166int ipsec_def_auth = IPSEC_AUTH_HMAC_SHA1; /* [a] */ 167int ipsec_def_comp = IPSEC_COMP_DEFLATE; /* [a] */ 168 169const struct sysctl_bounded_args ipsecctl_vars[] = { 170 { IPSEC_ENCDEBUG, &encdebug, 0, 1 }, 171 { IPSEC_EXPIRE_ACQUIRE, &ipsec_expire_acquire, 0, INT_MAX }, 172 { IPSEC_EMBRYONIC_SA_TIMEOUT, &ipsec_keep_invalid, 0, INT_MAX }, 173 { IPSEC_REQUIRE_PFS, &ipsec_require_pfs, 0, 1 }, 174 { IPSEC_SOFT_ALLOCATIONS, &ipsec_soft_allocations, 0, INT_MAX }, 175 { IPSEC_ALLOCATIONS, &ipsec_exp_allocations, 0, INT_MAX }, 176 { IPSEC_SOFT_BYTES, &ipsec_soft_bytes, 0, INT_MAX }, 177 { IPSEC_BYTES, &ipsec_exp_bytes, 0, INT_MAX }, 178 { IPSEC_TIMEOUT, &ipsec_exp_timeout, 0, INT_MAX }, 179 { IPSEC_SOFT_TIMEOUT, &ipsec_soft_timeout, 0, INT_MAX }, 180 { IPSEC_SOFT_FIRSTUSE, &ipsec_soft_first_use, 0, INT_MAX }, 181 { IPSEC_FIRSTUSE, &ipsec_exp_first_use, 0, INT_MAX }, 182}; 183 184int ipsec_sysctl_algorithm(int, void *, size_t *, void *, size_t); 185int esp_sysctl_espstat(void *, size_t *, void *); 186int ah_sysctl_ahstat(void *, size_t *, void *); 187int ipcomp_sysctl_ipcompstat(void *, size_t *, void *); 188int ipsec_sysctl_ipsecstat(void *, size_t *, void *); 189 190void 191ipsec_init(void) 192{ 193 espcounters = counters_alloc(esps_ncounters); 194 ahcounters = counters_alloc(ahs_ncounters); 195 ipcompcounters = counters_alloc(ipcomps_ncounters); 196 ipseccounters = counters_alloc(ipsec_ncounters); 197 198 ipsp_init(); 199} 200 201/* 202 * ipsec_common_input() gets called when we receive an IPsec-protected packet 203 * in IPv4 or IPv6. All it does is find the right TDB and call the appropriate 204 * transform. The callback takes care of further processing (like ingress 205 * filtering). 206 */ 207int 208ipsec_common_input(struct mbuf **mp, int skip, int protoff, int af, int sproto, 209 int udpencap, struct netstack *ns) 210{ 211#define IPSEC_ISTAT(x,y,z) do { \ 212 if (sproto == IPPROTO_ESP) \ 213 espstat_inc(x); \ 214 else if (sproto == IPPROTO_AH) \ 215 ahstat_inc(y); \ 216 else \ 217 ipcompstat_inc(z); \ 218} while (0) 219 220 struct mbuf *m = *mp; 221 union sockaddr_union dst_address; 222 struct tdb *tdbp = NULL; 223 u_int32_t spi; 224 u_int16_t cpi; 225 int prot; 226#ifdef ENCDEBUG 227 char buf[INET6_ADDRSTRLEN]; 228#endif 229 230 NET_ASSERT_LOCKED(); 231 232 ipsecstat_pkt(ipsec_ipackets, ipsec_ibytes, m->m_pkthdr.len); 233 IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input); 234 235 if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) { 236 DPRINTF("repeated decompression"); 237 ipcompstat_inc(ipcomps_pdrops); 238 goto drop; 239 } 240 241 if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) { 242 DPRINTF("packet too small"); 243 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 244 goto drop; 245 } 246 247 /* Retrieve the SPI from the relevant IPsec header */ 248 switch (sproto) { 249 case IPPROTO_ESP: 250 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 251 break; 252 case IPPROTO_AH: 253 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 254 (caddr_t) &spi); 255 break; 256 case IPPROTO_IPCOMP: 257 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 258 (caddr_t) &cpi); 259 spi = ntohl(htons(cpi)); 260 break; 261 default: 262 panic("%s: unknown/unsupported security protocol %d", 263 __func__, sproto); 264 } 265 266 /* 267 * Find tunnel control block and (indirectly) call the appropriate 268 * kernel crypto routine. The resulting mbuf chain is a valid 269 * IP packet ready to go through input processing. 270 */ 271 272 memset(&dst_address, 0, sizeof(dst_address)); 273 dst_address.sa.sa_family = af; 274 275 switch (af) { 276 case AF_INET: 277 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 278 m_copydata(m, offsetof(struct ip, ip_dst), 279 sizeof(struct in_addr), 280 (caddr_t) &(dst_address.sin.sin_addr)); 281 break; 282 283#ifdef INET6 284 case AF_INET6: 285 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 286 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 287 sizeof(struct in6_addr), 288 (caddr_t) &(dst_address.sin6.sin6_addr)); 289 in6_recoverscope(&dst_address.sin6, 290 &dst_address.sin6.sin6_addr); 291 break; 292#endif /* INET6 */ 293 294 default: 295 DPRINTF("unsupported protocol family %d", af); 296 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf); 297 goto drop; 298 } 299 300 tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid), 301 spi, &dst_address, sproto); 302 if (tdbp == NULL) { 303 DPRINTF("could not find SA for packet to %s, spi %08x", 304 ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi)); 305 IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb); 306 goto drop; 307 } 308 309 if (tdbp->tdb_flags & TDBF_INVALID) { 310 DPRINTF("attempted to use invalid SA %s/%08x/%u", 311 ipsp_address(&dst_address, buf, sizeof(buf)), 312 ntohl(spi), tdbp->tdb_sproto); 313 IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid); 314 goto drop; 315 } 316 317 if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) { 318 DPRINTF("attempted to use non-udpencap SA %s/%08x/%u", 319 ipsp_address(&dst_address, buf, sizeof(buf)), 320 ntohl(spi), tdbp->tdb_sproto); 321 espstat_inc(esps_udpinval); 322 goto drop; 323 } 324 325 if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) { 326 DPRINTF("attempted to use udpencap SA %s/%08x/%u", 327 ipsp_address(&dst_address, buf, sizeof(buf)), 328 ntohl(spi), tdbp->tdb_sproto); 329 espstat_inc(esps_udpneeded); 330 goto drop; 331 } 332 333 if (tdbp->tdb_xform == NULL) { 334 DPRINTF("attempted to use uninitialized SA %s/%08x/%u", 335 ipsp_address(&dst_address, buf, sizeof(buf)), 336 ntohl(spi), tdbp->tdb_sproto); 337 IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform); 338 goto drop; 339 } 340 341 KERNEL_LOCK(); 342 /* Register first use, setup expiration timer. */ 343 if (tdbp->tdb_first_use == 0) { 344 tdbp->tdb_first_use = gettime(); 345 if (tdbp->tdb_flags & TDBF_FIRSTUSE) { 346 if (timeout_add_sec(&tdbp->tdb_first_tmo, 347 tdbp->tdb_exp_first_use)) 348 tdb_ref(tdbp); 349 } 350 if (tdbp->tdb_flags & TDBF_SOFT_FIRSTUSE) { 351 if (timeout_add_sec(&tdbp->tdb_sfirst_tmo, 352 tdbp->tdb_soft_first_use)) 353 tdb_ref(tdbp); 354 } 355 } 356 357 tdbstat_pkt(tdbp, tdb_ipackets, tdb_ibytes, m->m_pkthdr.len); 358 359 /* 360 * Call appropriate transform and return -- callback takes care of 361 * everything else. 362 */ 363 prot = (*(tdbp->tdb_xform->xf_input))(mp, tdbp, skip, protoff, ns); 364 if (prot == IPPROTO_DONE) { 365 ipsecstat_inc(ipsec_idrops); 366 tdbstat_inc(tdbp, tdb_idrops); 367 } 368 tdb_unref(tdbp); 369 KERNEL_UNLOCK(); 370 return prot; 371 372 drop: 373 m_freemp(mp); 374 ipsecstat_inc(ipsec_idrops); 375 if (tdbp != NULL) 376 tdbstat_inc(tdbp, tdb_idrops); 377 tdb_unref(tdbp); 378 return IPPROTO_DONE; 379} 380 381/* 382 * IPsec input callback, called by the transform callback. Takes care of 383 * filtering and other sanity checks on the processed packet. 384 */ 385int 386ipsec_common_input_cb(struct mbuf **mp, struct tdb *tdbp, int skip, 387 int protoff, struct netstack *ns) 388{ 389 struct mbuf *m = *mp; 390 int af, sproto; 391 u_int8_t prot; 392#if NBPFILTER > 0 393 struct ifnet *encif; 394#endif 395 struct ip *ip; 396#ifdef INET6 397 struct ip6_hdr *ip6; 398#endif /* INET6 */ 399 struct m_tag *mtag; 400 struct tdb_ident *tdbi; 401#ifdef ENCDEBUG 402 char buf[INET6_ADDRSTRLEN]; 403#endif 404 405 af = tdbp->tdb_dst.sa.sa_family; 406 sproto = tdbp->tdb_sproto; 407 408 tdbp->tdb_last_used = gettime(); 409 410 /* Fix IPv4 header */ 411 if (af == AF_INET) { 412 if (m->m_len < skip && 413 (m = *mp = m_pullup(m, skip)) == NULL) { 414 DPRINTF("processing failed for SA %s/%08x", 415 ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)), 416 ntohl(tdbp->tdb_spi)); 417 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 418 goto baddone; 419 } 420 421 ip = mtod(m, struct ip *); 422 ip->ip_len = htons(m->m_pkthdr.len); 423 in_hdr_cksum_out(m, NULL); 424 prot = ip->ip_p; 425 } 426 427#ifdef INET6 428 /* Fix IPv6 header */ 429 if (af == AF_INET6) { 430 if (m->m_len < sizeof(struct ip6_hdr) && 431 (m = *mp = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 432 433 DPRINTF("processing failed for SA %s/%08x", 434 ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)), 435 ntohl(tdbp->tdb_spi)); 436 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 437 goto baddone; 438 } 439 440 ip6 = mtod(m, struct ip6_hdr *); 441 ip6->ip6_plen = htons(m->m_pkthdr.len - skip); 442 443 /* Save protocol */ 444 m_copydata(m, protoff, 1, (caddr_t) &prot); 445 } 446#endif /* INET6 */ 447 448 /* 449 * Fix TCP/UDP checksum of UDP encapsulated transport mode ESP packet. 450 * (RFC3948 3.1.2) 451 */ 452 if ((af == AF_INET || af == AF_INET6) && 453 (tdbp->tdb_flags & TDBF_UDPENCAP) && 454 (tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 455 u_int16_t cksum; 456 457 switch (prot) { 458 case IPPROTO_UDP: 459 if (m->m_pkthdr.len < skip + sizeof(struct udphdr)) { 460 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 461 ipcomps_hdrops); 462 goto baddone; 463 } 464 cksum = 0; 465 m_copyback(m, skip + offsetof(struct udphdr, uh_sum), 466 sizeof(cksum), &cksum, M_NOWAIT); 467#ifdef INET6 468 if (af == AF_INET6) { 469 cksum = in6_cksum(m, IPPROTO_UDP, skip, 470 m->m_pkthdr.len - skip); 471 m_copyback(m, skip + offsetof(struct udphdr, 472 uh_sum), sizeof(cksum), &cksum, M_NOWAIT); 473 } 474#endif 475 break; 476 case IPPROTO_TCP: 477 if (m->m_pkthdr.len < skip + sizeof(struct tcphdr)) { 478 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 479 ipcomps_hdrops); 480 goto baddone; 481 } 482 cksum = 0; 483 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 484 sizeof(cksum), &cksum, M_NOWAIT); 485 if (af == AF_INET) 486 cksum = in4_cksum(m, IPPROTO_TCP, skip, 487 m->m_pkthdr.len - skip); 488#ifdef INET6 489 else if (af == AF_INET6) 490 cksum = in6_cksum(m, IPPROTO_TCP, skip, 491 m->m_pkthdr.len - skip); 492#endif 493 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 494 sizeof(cksum), &cksum, M_NOWAIT); 495 break; 496 } 497 } 498 499 /* 500 * Record what we've done to the packet (under what SA it was 501 * processed). 502 */ 503 if (tdbp->tdb_sproto != IPPROTO_IPCOMP) { 504 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 505 sizeof(struct tdb_ident), M_NOWAIT); 506 if (mtag == NULL) { 507 DPRINTF("failed to get tag"); 508 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 509 goto baddone; 510 } 511 512 tdbi = (struct tdb_ident *)(mtag + 1); 513 tdbi->dst = tdbp->tdb_dst; 514 tdbi->proto = tdbp->tdb_sproto; 515 tdbi->spi = tdbp->tdb_spi; 516 tdbi->rdomain = tdbp->tdb_rdomain; 517 518 m_tag_prepend(m, mtag); 519 } 520 521 switch (sproto) { 522 case IPPROTO_ESP: 523 /* Packet is confidential ? */ 524 if (tdbp->tdb_encalgxform) 525 m->m_flags |= M_CONF; 526 527 /* Check if we had authenticated ESP. */ 528 if (tdbp->tdb_authalgxform) 529 m->m_flags |= M_AUTH; 530 break; 531 case IPPROTO_AH: 532 m->m_flags |= M_AUTH; 533 break; 534 case IPPROTO_IPCOMP: 535 m->m_flags |= M_COMP; 536 break; 537 default: 538 panic("%s: unknown/unsupported security protocol %d", 539 __func__, sproto); 540 } 541 542#if NPF > 0 543 /* Add pf tag if requested. */ 544 pf_tag_packet(m, tdbp->tdb_tag, -1); 545 pf_pkt_addr_changed(m); 546#endif 547 if (tdbp->tdb_rdomain != tdbp->tdb_rdomain_post) 548 m->m_pkthdr.ph_rtableid = tdbp->tdb_rdomain_post; 549 550 if (tdbp->tdb_flags & TDBF_TUNNELING) 551 m->m_flags |= M_TUNNEL; 552 553 ipsecstat_add(ipsec_idecompbytes, m->m_pkthdr.len); 554 tdbstat_add(tdbp, tdb_idecompbytes, m->m_pkthdr.len); 555 556#if NBPFILTER > 0 557 encif = enc_getif(tdbp->tdb_rdomain_post, tdbp->tdb_tap); 558 if (encif != NULL) { 559 encif->if_ipackets++; 560 encif->if_ibytes += m->m_pkthdr.len; 561 562 if (sproto != IPPROTO_IPCOMP) { 563 /* XXX This conflicts with the scoped nature of IPv6 */ 564 m->m_pkthdr.ph_ifidx = encif->if_index; 565 } 566 if (encif->if_bpf) { 567 struct enchdr hdr = { 568 .af = htonl(af), 569 .spi = tdbp->tdb_spi, 570 .flags = htonl(m->m_flags & (M_AUTH|M_CONF)), 571 }; 572 573 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 574 ENC_HDRLEN, m, BPF_DIRECTION_IN); 575 } 576 } 577#endif 578 579 if (ISSET(tdbp->tdb_flags, TDBF_IFACE)) { 580#if NSEC > 0 581 if (ISSET(tdbp->tdb_flags, TDBF_TUNNELING) && 582 tdbp->tdb_iface_dir == IPSP_DIRECTION_IN) { 583 struct sec_softc *sc = sec_get(tdbp->tdb_iface); 584 if (sc == NULL) 585 goto baddone; 586 587 sec_input(sc, af, prot, m, ns); 588 sec_put(sc); 589 return IPPROTO_DONE; 590 } 591#endif /* NSEC > 0 */ 592 goto baddone; 593 } 594 595#if NPF > 0 596 /* 597 * The ip_deliver() shortcut avoids running through ip_input() with the 598 * same IP header twice. Packets in transport mode have to be be 599 * passed to pf explicitly. In tunnel mode the inner IP header will 600 * run through ip_input() and pf anyway. 601 */ 602 if ((tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 603 struct ifnet *ifp; 604 605 /* This is the enc0 interface unless for ipcomp. */ 606 if ((ifp = if_get(m->m_pkthdr.ph_ifidx)) == NULL) { 607 goto baddone; 608 } 609 if (pf_test(af, PF_IN, ifp, mp) != PF_PASS) { 610 if_put(ifp); 611 goto baddone; 612 } 613 m = *mp; 614 if_put(ifp); 615 if (m == NULL) 616 return IPPROTO_DONE; 617 } 618#endif 619 /* Return to the appropriate protocol handler in deliver loop. */ 620 return prot; 621 622 baddone: 623 m_freemp(mp); 624 return IPPROTO_DONE; 625#undef IPSEC_ISTAT 626} 627 628int 629ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 630 size_t newlen) 631{ 632 switch (name[0]) { 633 case IPCTL_IPSEC_ENC_ALGORITHM: 634 case IPCTL_IPSEC_AUTH_ALGORITHM: 635 case IPCTL_IPSEC_IPCOMP_ALGORITHM: 636 return (ipsec_sysctl_algorithm(name[0], oldp, oldlenp, 637 newp, newlen)); 638 case IPCTL_IPSEC_STATS: 639 return (ipsec_sysctl_ipsecstat(oldp, oldlenp, newp)); 640 default: 641 return (sysctl_bounded_arr(ipsecctl_vars, nitems(ipsecctl_vars), 642 name, namelen, oldp, oldlenp, newp, newlen)); 643 } 644} 645 646int 647ipsec_sysctl_algorithm(int name, void *oldp, size_t *oldlenp, 648 void *newp, size_t newlen) 649{ 650 const struct ipsec_sysctl_algorithm *algs, *p; 651 int *var, oldval, error; 652 char buf[20]; 653 654 switch (name) { 655 case IPCTL_IPSEC_ENC_ALGORITHM: 656 algs = ipsec_sysctl_enc_algs; 657 var = &ipsec_def_enc; 658 break; 659 case IPCTL_IPSEC_AUTH_ALGORITHM: 660 algs = ipsec_sysctl_auth_algs; 661 var = &ipsec_def_auth; 662 break; 663 case IPCTL_IPSEC_IPCOMP_ALGORITHM: 664 algs = ipsec_sysctl_comp_algs; 665 var = &ipsec_def_comp; 666 break; 667 default: 668 return (EOPNOTSUPP); 669 } 670 671 oldval = atomic_load_int(var); 672 673 for (p = algs; p->name != NULL; p++) { 674 if (p->val == oldval) { 675 strlcpy(buf, p->name, sizeof(buf)); 676 break; 677 } 678 } 679 680 KASSERT(p->name != NULL); 681 682 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 683 buf, sizeof(buf)); 684 if (error) 685 return (error); 686 687 if (newp) { 688 size_t buflen; 689 690 if ((buflen = strlen(buf)) == 0) 691 return (EINVAL); 692 693 for (p = algs; p->name != NULL; p++) { 694 if (strncasecmp(buf, p->name, buflen) == 0) 695 break; 696 } 697 698 if (p->name == NULL) 699 return (EINVAL); 700 701 if (p->val != oldval) 702 atomic_store_int(var, p->val); 703 } 704 705 return (0); 706} 707 708int 709esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 710 size_t newlen) 711{ 712 /* All sysctl names at this level are terminal. */ 713 if (namelen != 1) 714 return (ENOTDIR); 715 716 switch (name[0]) { 717 case ESPCTL_STATS: 718 return (esp_sysctl_espstat(oldp, oldlenp, newp)); 719 default: 720 return (sysctl_bounded_arr(espctl_vars, nitems(espctl_vars), 721 name, namelen, oldp, oldlenp, newp, newlen)); 722 } 723} 724 725int 726esp_sysctl_espstat(void *oldp, size_t *oldlenp, void *newp) 727{ 728 struct espstat espstat; 729 730 CTASSERT(sizeof(espstat) == (esps_ncounters * sizeof(uint64_t))); 731 memset(&espstat, 0, sizeof espstat); 732 counters_read(espcounters, (uint64_t *)&espstat, esps_ncounters, NULL); 733 return (sysctl_rdstruct(oldp, oldlenp, newp, &espstat, 734 sizeof(espstat))); 735} 736 737int 738ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 739 size_t newlen) 740{ 741 /* All sysctl names at this level are terminal. */ 742 if (namelen != 1) 743 return (ENOTDIR); 744 745 switch (name[0]) { 746 case AHCTL_STATS: 747 return ah_sysctl_ahstat(oldp, oldlenp, newp); 748 default: 749 return sysctl_bounded_arr(ahctl_vars, nitems(ahctl_vars), name, 750 namelen, oldp, oldlenp, newp, newlen); 751 } 752} 753 754int 755ah_sysctl_ahstat(void *oldp, size_t *oldlenp, void *newp) 756{ 757 struct ahstat ahstat; 758 759 CTASSERT(sizeof(ahstat) == (ahs_ncounters * sizeof(uint64_t))); 760 memset(&ahstat, 0, sizeof ahstat); 761 counters_read(ahcounters, (uint64_t *)&ahstat, ahs_ncounters, NULL); 762 return (sysctl_rdstruct(oldp, oldlenp, newp, &ahstat, sizeof(ahstat))); 763} 764 765int 766ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 767 size_t newlen) 768{ 769 /* All sysctl names at this level are terminal. */ 770 if (namelen != 1) 771 return (ENOTDIR); 772 773 switch (name[0]) { 774 case IPCOMPCTL_STATS: 775 return ipcomp_sysctl_ipcompstat(oldp, oldlenp, newp); 776 default: 777 return sysctl_bounded_arr(ipcompctl_vars, 778 nitems(ipcompctl_vars), name, namelen, oldp, oldlenp, 779 newp, newlen); 780 } 781} 782 783int 784ipcomp_sysctl_ipcompstat(void *oldp, size_t *oldlenp, void *newp) 785{ 786 struct ipcompstat ipcompstat; 787 788 CTASSERT(sizeof(ipcompstat) == (ipcomps_ncounters * sizeof(uint64_t))); 789 memset(&ipcompstat, 0, sizeof ipcompstat); 790 counters_read(ipcompcounters, (uint64_t *)&ipcompstat, 791 ipcomps_ncounters, NULL); 792 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipcompstat, 793 sizeof(ipcompstat))); 794} 795 796int 797ipsec_sysctl_ipsecstat(void *oldp, size_t *oldlenp, void *newp) 798{ 799 struct ipsecstat ipsecstat; 800 801 CTASSERT(sizeof(ipsecstat) == (ipsec_ncounters * sizeof(uint64_t))); 802 memset(&ipsecstat, 0, sizeof ipsecstat); 803 counters_read(ipseccounters, (uint64_t *)&ipsecstat, ipsec_ncounters, 804 NULL); 805 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipsecstat, 806 sizeof(ipsecstat))); 807} 808 809int 810ipsec_input_disabled(struct mbuf **mp, int *offp, int proto, int af, 811 struct netstack *ns) 812{ 813 switch (af) { 814 case AF_INET: 815 return rip_input(mp, offp, proto, af, ns); 816#ifdef INET6 817 case AF_INET6: 818 return rip6_input(mp, offp, proto, af, ns); 819#endif 820 default: 821 unhandled_af(af); 822 } 823} 824 825int 826ah46_input(struct mbuf **mp, int *offp, int proto, int af, struct netstack *ns) 827{ 828 int protoff; 829 830 if ( 831#if NPF > 0 832 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 833#endif 834 !atomic_load_int(&ah_enable)) 835 return ipsec_input_disabled(mp, offp, proto, af, ns); 836 837 protoff = ipsec_protoff(*mp, *offp, af); 838 if (protoff < 0) { 839 DPRINTF("bad packet header chain"); 840 ahstat_inc(ahs_hdrops); 841 m_freemp(mp); 842 return IPPROTO_DONE; 843 } 844 845 return ipsec_common_input(mp, *offp, protoff, af, proto, 0, ns); 846} 847 848void 849ah4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 850{ 851 if (sa->sa_family != AF_INET || 852 sa->sa_len != sizeof(struct sockaddr_in)) 853 return; 854 855 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_AH); 856} 857 858int 859esp46_input(struct mbuf **mp, int *offp, int proto, int af, 860 struct netstack *ns) 861{ 862 int protoff; 863 864 if ( 865#if NPF > 0 866 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 867#endif 868 !atomic_load_int(&esp_enable)) 869 return ipsec_input_disabled(mp, offp, proto, af, ns); 870 871 protoff = ipsec_protoff(*mp, *offp, af); 872 if (protoff < 0) { 873 DPRINTF("bad packet header chain"); 874 espstat_inc(esps_hdrops); 875 m_freemp(mp); 876 return IPPROTO_DONE; 877 } 878 879 return ipsec_common_input(mp, *offp, protoff, af, proto, 0, ns); 880} 881 882/* IPv4 IPCOMP wrapper */ 883int 884ipcomp46_input(struct mbuf **mp, int *offp, int proto, int af, 885 struct netstack *ns) 886{ 887 int protoff; 888 889 if ( 890#if NPF > 0 891 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 892#endif 893 !atomic_load_int(&ipcomp_enable)) 894 return ipsec_input_disabled(mp, offp, proto, af, ns); 895 896 protoff = ipsec_protoff(*mp, *offp, af); 897 if (protoff < 0) { 898 DPRINTF("bad packet header chain"); 899 ipcompstat_inc(ipcomps_hdrops); 900 m_freemp(mp); 901 return IPPROTO_DONE; 902 } 903 904 return ipsec_common_input(mp, *offp, protoff, af, proto, 0, ns); 905} 906 907void 908ipsec_set_mtu(struct tdb *tdbp, u_int32_t mtu) 909{ 910 ssize_t adjust; 911 912 NET_ASSERT_LOCKED(); 913 914 /* Walk the chain backwards to the first tdb */ 915 for (; tdbp != NULL; tdbp = tdbp->tdb_inext) { 916 if (tdbp->tdb_flags & TDBF_INVALID || 917 (adjust = ipsec_hdrsz(tdbp)) == -1) 918 return; 919 920 mtu -= adjust; 921 922 /* Store adjusted MTU in tdb */ 923 tdbp->tdb_mtu = mtu; 924 tdbp->tdb_mtutimeout = gettime() + 925 atomic_load_int(&ip_mtudisc_timeout); 926 DPRINTF("spi %08x mtu %d adjust %ld", 927 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust); 928 } 929} 930 931void 932ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa, 933 void *v, int proto) 934{ 935 struct ip *ip = v; 936 937 if (cmd == PRC_MSGSIZE && ip && atomic_load_int(&ip_mtudisc) && 938 ip->ip_v == 4) { 939 struct tdb *tdbp; 940 struct sockaddr_in dst; 941 struct icmp *icp; 942 int hlen = ip->ip_hl << 2; 943 u_int32_t spi, mtu; 944 945 /* Find the right MTU. */ 946 icp = (struct icmp *)((caddr_t) ip - 947 offsetof(struct icmp, icmp_ip)); 948 mtu = ntohs(icp->icmp_nextmtu); 949 950 /* 951 * Ignore the packet, if we do not receive a MTU 952 * or the MTU is too small to be acceptable. 953 */ 954 if (mtu < 296) 955 return; 956 957 memset(&dst, 0, sizeof(struct sockaddr_in)); 958 dst.sin_family = AF_INET; 959 dst.sin_len = sizeof(struct sockaddr_in); 960 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 961 962 memcpy(&spi, (caddr_t)ip + hlen, sizeof(u_int32_t)); 963 964 tdbp = gettdb_rev(rdomain, spi, (union sockaddr_union *)&dst, 965 proto); 966 ipsec_set_mtu(tdbp, mtu); 967 tdb_unref(tdbp); 968 } 969} 970 971void 972udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 973{ 974 struct ip *ip = v; 975 struct tdb *tdbp, *first; 976 struct icmp *icp; 977 u_int32_t mtu; 978 struct sockaddr_in dst, src; 979 union sockaddr_union *su_dst, *su_src; 980 981 NET_ASSERT_LOCKED(); 982 983 icp = (struct icmp *)((caddr_t) ip - offsetof(struct icmp, icmp_ip)); 984 mtu = ntohs(icp->icmp_nextmtu); 985 986 /* 987 * Ignore the packet, if we do not receive a MTU 988 * or the MTU is too small to be acceptable. 989 */ 990 if (mtu < 296) 991 return; 992 993 memset(&dst, 0, sizeof(dst)); 994 dst.sin_family = AF_INET; 995 dst.sin_len = sizeof(struct sockaddr_in); 996 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 997 su_dst = (union sockaddr_union *)&dst; 998 memset(&src, 0, sizeof(src)); 999 src.sin_family = AF_INET; 1000 src.sin_len = sizeof(struct sockaddr_in); 1001 src.sin_addr.s_addr = ip->ip_src.s_addr; 1002 su_src = (union sockaddr_union *)&src; 1003 1004 first = gettdbbysrcdst_rev(rdomain, 0, su_src, su_dst, IPPROTO_ESP); 1005 1006 mtx_enter(&tdb_sadb_mtx); 1007 for (tdbp = first; tdbp != NULL; tdbp = tdbp->tdb_snext) { 1008 if (tdbp->tdb_sproto == IPPROTO_ESP && 1009 ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_UDPENCAP)) == 1010 TDBF_UDPENCAP) && 1011 !memcmp(&tdbp->tdb_dst, &dst, su_dst->sa.sa_len) && 1012 !memcmp(&tdbp->tdb_src, &src, su_src->sa.sa_len)) 1013 ipsec_set_mtu(tdbp, mtu); 1014 } 1015 mtx_leave(&tdb_sadb_mtx); 1016 tdb_unref(first); 1017} 1018 1019void 1020esp4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 1021{ 1022 if (sa->sa_family != AF_INET || 1023 sa->sa_len != sizeof(struct sockaddr_in)) 1024 return; 1025 1026 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_ESP); 1027} 1028 1029/* Find the offset of the next protocol field in the previous header. */ 1030int 1031ipsec_protoff(struct mbuf *m, int off, int af) 1032{ 1033#ifdef INET6 1034 struct ip6_ext ip6e; 1035 int protoff, nxt, l; 1036#endif /* INET6 */ 1037 1038 switch (af) { 1039 case AF_INET: 1040 return offsetof(struct ip, ip_p); 1041#ifdef INET6 1042 case AF_INET6: 1043 break; 1044#endif /* INET6 */ 1045 default: 1046 unhandled_af(af); 1047 } 1048 1049#ifdef INET6 1050 if (off < sizeof(struct ip6_hdr)) 1051 return -1; 1052 1053 if (off == sizeof(struct ip6_hdr)) 1054 return offsetof(struct ip6_hdr, ip6_nxt); 1055 1056 /* Chase down the header chain... */ 1057 protoff = sizeof(struct ip6_hdr); 1058 nxt = (mtod(m, struct ip6_hdr *))->ip6_nxt; 1059 l = 0; 1060 1061 do { 1062 protoff += l; 1063 m_copydata(m, protoff, sizeof(ip6e), 1064 (caddr_t) &ip6e); 1065 1066 if (nxt == IPPROTO_AH) 1067 l = (ip6e.ip6e_len + 2) << 2; 1068 else 1069 l = (ip6e.ip6e_len + 1) << 3; 1070#ifdef DIAGNOSTIC 1071 if (l <= 0) 1072 panic("%s: l went zero or negative", __func__); 1073#endif 1074 1075 nxt = ip6e.ip6e_nxt; 1076 } while (protoff + l < off); 1077 1078 /* Malformed packet check */ 1079 if (protoff + l != off) 1080 return -1; 1081 1082 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1083 return protoff; 1084#endif /* INET6 */ 1085} 1086 1087int 1088ipsec_forward_check(struct mbuf *m, int hlen, int af) 1089{ 1090 struct tdb *tdb; 1091 struct tdb_ident *tdbi; 1092 struct m_tag *mtag; 1093 int error = 0; 1094 1095 /* 1096 * IPsec policy check for forwarded packets. Look at 1097 * inner-most IPsec SA used. 1098 */ 1099 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1100 if (mtag != NULL) { 1101 tdbi = (struct tdb_ident *)(mtag + 1); 1102 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1103 } else 1104 tdb = NULL; 1105 error = ipsp_spd_lookup(m, af, hlen, IPSP_DIRECTION_IN, 1106 tdb, NULL, NULL, NULL); 1107 tdb_unref(tdb); 1108 1109 return error; 1110} 1111 1112int 1113ipsec_local_check(struct mbuf *m, int hlen, int proto, int af) 1114{ 1115 struct tdb *tdb; 1116 struct tdb_ident *tdbi; 1117 struct m_tag *mtag; 1118 int error = 0; 1119 1120 /* 1121 * If it's a protected packet for us, skip the policy check. 1122 * That's because we really only care about the properties of 1123 * the protected packet, and not the intermediate versions. 1124 * While this is not the most paranoid setting, it allows 1125 * some flexibility in handling nested tunnels (in setting up 1126 * the policies). 1127 */ 1128 if ((proto == IPPROTO_ESP) || (proto == IPPROTO_AH) || 1129 (proto == IPPROTO_IPCOMP)) 1130 return 0; 1131 1132 /* 1133 * If the protected packet was tunneled, then we need to 1134 * verify the protected packet's information, not the 1135 * external headers. Thus, skip the policy lookup for the 1136 * external packet, and keep the IPsec information linked on 1137 * the packet header (the encapsulation routines know how 1138 * to deal with that). 1139 */ 1140 if ((proto == IPPROTO_IPV4) || (proto == IPPROTO_IPV6)) 1141 return 0; 1142 1143 /* 1144 * When processing IPv6 header chains, do not look at the 1145 * outer header. The inner protocol is relevant and will 1146 * be checked by the local delivery loop later. 1147 */ 1148 if ((af == AF_INET6) && ((proto == IPPROTO_DSTOPTS) || 1149 (proto == IPPROTO_ROUTING) || (proto == IPPROTO_FRAGMENT))) 1150 return 0; 1151 1152 /* 1153 * If the protected packet is TCP or UDP, we'll do the 1154 * policy check in the respective input routine, so we can 1155 * check for bypass sockets. 1156 */ 1157 if ((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP)) 1158 return 0; 1159 1160 /* 1161 * IPsec policy check for local-delivery packets. Look at the 1162 * inner-most SA that protected the packet. This is in fact 1163 * a bit too restrictive (it could end up causing packets to 1164 * be dropped that semantically follow the policy, e.g., in 1165 * certain SA-bundle configurations); but the alternative is 1166 * very complicated (and requires keeping track of what 1167 * kinds of tunneling headers have been seen in-between the 1168 * IPsec headers), and I don't think we lose much functionality 1169 * that's needed in the real world (who uses bundles anyway ?). 1170 */ 1171 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1172 if (mtag) { 1173 tdbi = (struct tdb_ident *)(mtag + 1); 1174 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, 1175 tdbi->proto); 1176 } else 1177 tdb = NULL; 1178 error = ipsp_spd_lookup(m, af, hlen, IPSP_DIRECTION_IN, 1179 tdb, NULL, NULL, NULL); 1180 tdb_unref(tdb); 1181 1182 return error; 1183}