ipsec.c revision 1.109
1 /* $NetBSD: ipsec.c,v 1.109 2017/07/21 04:39:08 ozaki-r Exp $ */ 2 /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ 3 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.109 2017/07/21 04:39:08 ozaki-r Exp $"); 36 37 /* 38 * IPsec controller part. 39 */ 40 41 #if defined(_KERNEL_OPT) 42 #include "opt_inet.h" 43 #include "opt_ipsec.h" 44 #endif 45 46 #include <sys/param.h> 47 #include <sys/systm.h> 48 #include <sys/mbuf.h> 49 #include <sys/domain.h> 50 #include <sys/protosw.h> 51 #include <sys/socket.h> 52 #include <sys/socketvar.h> 53 #include <sys/errno.h> 54 #include <sys/time.h> 55 #include <sys/kernel.h> 56 #include <sys/syslog.h> 57 #include <sys/sysctl.h> 58 #include <sys/proc.h> 59 #include <sys/kauth.h> 60 #include <sys/cpu.h> 61 #include <sys/kmem.h> 62 63 #include <net/if.h> 64 #include <net/route.h> 65 66 #include <netinet/in.h> 67 #include <netinet/in_systm.h> 68 #include <netinet/ip.h> 69 #include <netinet/ip_var.h> 70 #include <netinet/in_var.h> 71 #include <netinet/udp.h> 72 #include <netinet/udp_var.h> 73 #include <netinet/tcp.h> 74 #include <netinet/udp.h> 75 #include <netinet/ip_icmp.h> 76 #include <netinet/ip_private.h> 77 78 #include <netinet/ip6.h> 79 #ifdef INET6 80 #include <netinet6/ip6_var.h> 81 #endif 82 #include <netinet/in_pcb.h> 83 #ifdef INET6 84 #include <netinet6/in6_pcb.h> 85 #include <netinet/icmp6.h> 86 #endif 87 88 #include <netipsec/ipsec.h> 89 #include <netipsec/ipsec_var.h> 90 #include <netipsec/ipsec_private.h> 91 #ifdef INET6 92 #include <netipsec/ipsec6.h> 93 #endif 94 #include <netipsec/ah_var.h> 95 #include <netipsec/esp_var.h> 96 #include <netipsec/ipcomp.h> /*XXX*/ 97 #include <netipsec/ipcomp_var.h> 98 99 #include <netipsec/key.h> 100 #include <netipsec/keydb.h> 101 #include <netipsec/key_debug.h> 102 103 #include <netipsec/xform.h> 104 105 #include <net/net_osdep.h> 106 107 int ipsec_used = 0; 108 int ipsec_enabled = 1; 109 110 #ifdef IPSEC_DEBUG 111 int ipsec_debug = 1; 112 113 /* 114 * When set to 1, IPsec will send packets with the same sequence number. 115 * This allows to verify if the other side has proper replay attacks detection. 116 */ 117 int ipsec_replay = 0; 118 119 /* 120 * When set 1, IPsec will send packets with corrupted HMAC. 121 * This allows to verify if the other side properly detects modified packets. 122 */ 123 int ipsec_integrity = 0; 124 #else 125 int ipsec_debug = 0; 126 #endif 127 128 percpu_t *ipsecstat_percpu; 129 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ 130 int ip4_ipsec_dfbit = 2; /* DF bit on encap. 0: clear 1: set 2: copy */ 131 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; 132 int ip4_esp_net_deflev = IPSEC_LEVEL_USE; 133 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; 134 int ip4_ah_net_deflev = IPSEC_LEVEL_USE; 135 struct secpolicy ip4_def_policy; 136 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 137 int ip4_esp_randpad = -1; 138 139 u_int ipsec_spdgen = 1; /* SPD generation # */ 140 141 static struct secpolicy *ipsec_checkpcbcache (struct mbuf *, 142 struct inpcbpolicy *, int); 143 static int ipsec_fillpcbcache (struct inpcbpolicy *, struct mbuf *, 144 struct secpolicy *, int); 145 static int ipsec_invalpcbcache (struct inpcbpolicy *, int); 146 147 /* 148 * Crypto support requirements: 149 * 150 * 1 require hardware support 151 * -1 require software support 152 * 0 take anything 153 */ 154 int crypto_support = 0; 155 156 static struct secpolicy *ipsec_getpolicybysock(struct mbuf *, u_int, 157 struct inpcb_hdr *, int *); 158 159 #ifdef __FreeBSD__ 160 /* net.inet.ipsec */ 161 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD, 162 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, ""); 163 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, 164 crypto_support, CTLFLAG_RW, &crypto_support,0, ""); 165 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, &ipsec_replay, 0, 166 "Emulate replay attack"); 167 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW, 168 &ipsec_integrity, 0, "Emulate man-in-the-middle attack"); 169 #endif /* __FreeBSD__ */ 170 171 #ifdef INET6 172 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; 173 int ip6_esp_net_deflev = IPSEC_LEVEL_USE; 174 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 175 int ip6_ah_net_deflev = IPSEC_LEVEL_USE; 176 struct secpolicy ip6_def_policy; 177 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 178 int ip6_esp_randpad = -1; 179 180 181 #ifdef __FreeBSD__ 182 /* net.inet6.ipsec6 */ 183 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, 184 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, ""); 185 #endif /* __FreeBSD__ */ 186 #endif /* INET6 */ 187 188 static int ipsec4_setspidx_inpcb (struct mbuf *, struct inpcb *); 189 #ifdef INET6 190 static int ipsec6_setspidx_in6pcb (struct mbuf *, struct in6pcb *); 191 #endif 192 static int ipsec_setspidx (struct mbuf *, struct secpolicyindex *, int); 193 static void ipsec4_get_ulp (struct mbuf *m, struct secpolicyindex *, int); 194 static int ipsec4_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *); 195 #ifdef INET6 196 static void ipsec6_get_ulp (struct mbuf *m, struct secpolicyindex *, int); 197 static int ipsec6_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *); 198 #endif 199 static void ipsec_delpcbpolicy (struct inpcbpolicy *); 200 static struct secpolicy *ipsec_deepcopy_policy (const struct secpolicy *); 201 static int ipsec_set_policy (struct secpolicy **, int, const void *, size_t, 202 kauth_cred_t); 203 static int ipsec_get_policy (struct secpolicy *, struct mbuf **); 204 static void vshiftl (unsigned char *, int, int); 205 static size_t ipsec_hdrsiz (const struct secpolicy *); 206 207 /* 208 * Try to validate and use cached policy on a PCB. 209 */ 210 static struct secpolicy * 211 ipsec_checkpcbcache(struct mbuf *m, struct inpcbpolicy *pcbsp, int dir) 212 { 213 struct secpolicyindex spidx; 214 215 KASSERT(IPSEC_DIR_IS_VALID(dir)); 216 KASSERT(pcbsp != NULL); 217 KASSERT(dir < __arraycount(pcbsp->sp_cache)); 218 KASSERT(inph_locked(pcbsp->sp_inph)); 219 220 /* SPD table change invalidate all the caches. */ 221 if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) { 222 ipsec_invalpcbcache(pcbsp, dir); 223 return NULL; 224 } 225 if (!pcbsp->sp_cache[dir].cachesp) 226 return NULL; 227 if (pcbsp->sp_cache[dir].cachesp->state != IPSEC_SPSTATE_ALIVE) { 228 ipsec_invalpcbcache(pcbsp, dir); 229 return NULL; 230 } 231 if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) { 232 if (ipsec_setspidx(m, &spidx, 1) != 0) 233 return NULL; 234 235 /* 236 * We have to make an exact match here since the cached rule 237 * might have lower priority than a rule that would otherwise 238 * have matched the packet. 239 */ 240 if (memcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx, sizeof(spidx))) 241 return NULL; 242 } else { 243 /* 244 * The pcb is connected, and the L4 code is sure that: 245 * - outgoing side uses inp_[lf]addr 246 * - incoming side looks up policy after inpcb lookup 247 * and address pair is know to be stable. We do not need 248 * to generate spidx again, nor check the address match again. 249 * 250 * For IPv4/v6 SOCK_STREAM sockets, this assumptions holds 251 * and there are calls to ipsec_pcbconn() from in_pcbconnect(). 252 */ 253 } 254 255 pcbsp->sp_cache[dir].cachesp->lastused = time_second; 256 KEY_SP_REF(pcbsp->sp_cache[dir].cachesp); 257 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, 258 "DP cause refcnt++:%d SP:%p\n", 259 pcbsp->sp_cache[dir].cachesp->refcnt, 260 pcbsp->sp_cache[dir].cachesp); 261 return pcbsp->sp_cache[dir].cachesp; 262 } 263 264 static int 265 ipsec_fillpcbcache(struct inpcbpolicy *pcbsp, struct mbuf *m, 266 struct secpolicy *sp, int dir) 267 { 268 269 KASSERT(IPSEC_DIR_IS_INOROUT(dir)); 270 KASSERT(dir < __arraycount(pcbsp->sp_cache)); 271 KASSERT(inph_locked(pcbsp->sp_inph)); 272 273 if (pcbsp->sp_cache[dir].cachesp) 274 KEY_FREESP(&pcbsp->sp_cache[dir].cachesp); 275 pcbsp->sp_cache[dir].cachesp = NULL; 276 pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_UNKNOWN; 277 if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, 1) != 0) { 278 return EINVAL; 279 } 280 pcbsp->sp_cache[dir].cachesp = sp; 281 if (pcbsp->sp_cache[dir].cachesp) { 282 KEY_SP_REF(pcbsp->sp_cache[dir].cachesp); 283 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, 284 "DP cause refcnt++:%d SP:%p\n", 285 pcbsp->sp_cache[dir].cachesp->refcnt, 286 pcbsp->sp_cache[dir].cachesp); 287 288 /* 289 * If the PCB is connected, we can remember a hint to 290 * possibly short-circuit IPsec processing in other places. 291 */ 292 if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) { 293 switch (pcbsp->sp_cache[dir].cachesp->policy) { 294 case IPSEC_POLICY_NONE: 295 case IPSEC_POLICY_BYPASS: 296 pcbsp->sp_cache[dir].cachehint = 297 IPSEC_PCBHINT_NO; 298 break; 299 default: 300 pcbsp->sp_cache[dir].cachehint = 301 IPSEC_PCBHINT_YES; 302 } 303 } 304 } 305 pcbsp->sp_cache[dir].cachegen = ipsec_spdgen; 306 307 return 0; 308 } 309 310 static int 311 ipsec_invalpcbcache(struct inpcbpolicy *pcbsp, int dir) 312 { 313 int i; 314 315 KASSERT(inph_locked(pcbsp->sp_inph)); 316 317 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) { 318 if (dir != IPSEC_DIR_ANY && i != dir) 319 continue; 320 if (pcbsp->sp_cache[i].cachesp) 321 KEY_FREESP(&pcbsp->sp_cache[i].cachesp); 322 pcbsp->sp_cache[i].cachesp = NULL; 323 pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_UNKNOWN; 324 pcbsp->sp_cache[i].cachegen = 0; 325 memset(&pcbsp->sp_cache[i].cacheidx, 0, 326 sizeof(pcbsp->sp_cache[i].cacheidx)); 327 } 328 return 0; 329 } 330 331 void 332 ipsec_pcbconn(struct inpcbpolicy *pcbsp) 333 { 334 335 KASSERT(inph_locked(pcbsp->sp_inph)); 336 337 pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED; 338 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 339 } 340 341 void 342 ipsec_pcbdisconn(struct inpcbpolicy *pcbsp) 343 { 344 345 KASSERT(inph_locked(pcbsp->sp_inph)); 346 347 pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED; 348 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 349 } 350 351 void 352 ipsec_invalpcbcacheall(void) 353 { 354 355 if (ipsec_spdgen == UINT_MAX) 356 ipsec_spdgen = 1; 357 else 358 ipsec_spdgen++; 359 } 360 361 /* 362 * Return a held reference to the default SP. 363 */ 364 static struct secpolicy * 365 key_get_default_sp(int af, const char *where, int tag) 366 { 367 struct secpolicy *sp; 368 369 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag); 370 371 switch(af) { 372 case AF_INET: 373 sp = &ip4_def_policy; 374 break; 375 #ifdef INET6 376 case AF_INET6: 377 sp = &ip6_def_policy; 378 break; 379 #endif 380 default: 381 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, 382 "unexpected protocol family %u\n", af); 383 return NULL; 384 } 385 386 if (sp->policy != IPSEC_POLICY_DISCARD && 387 sp->policy != IPSEC_POLICY_NONE) { 388 IPSECLOG(LOG_INFO, "fixed system default policy: %d->%d\n", 389 sp->policy, IPSEC_POLICY_NONE); 390 sp->policy = IPSEC_POLICY_NONE; 391 } 392 KEY_SP_REF(sp); 393 394 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP returns SP:%p (%u)\n", 395 sp, sp->refcnt); 396 return sp; 397 } 398 #define KEY_GET_DEFAULT_SP(af) \ 399 key_get_default_sp((af), __func__, __LINE__) 400 401 /* 402 * For OUTBOUND packet having a socket. Searching SPD for packet, 403 * and return a pointer to SP. 404 * OUT: NULL: no apropreate SP found, the following value is set to error. 405 * 0 : bypass 406 * EACCES : discard packet. 407 * ENOENT : ipsec_acquire() in progress, maybe. 408 * others : error occurred. 409 * others: a pointer to SP 410 * 411 * NOTE: IPv6 mapped address concern is implemented here. 412 */ 413 static struct secpolicy * 414 ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb_hdr *inph, 415 int *error) 416 { 417 struct inpcbpolicy *pcbsp = NULL; 418 struct secpolicy *currsp = NULL; /* policy on socket */ 419 struct secpolicy *sp; 420 int af; 421 422 KASSERT(m != NULL); 423 KASSERT(inph != NULL); 424 KASSERT(error != NULL); 425 KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir); 426 427 KASSERT(inph->inph_socket != NULL); 428 KASSERT(inph_locked(inph)); 429 430 /* XXX FIXME inpcb/in6pcb vs socket*/ 431 af = inph->inph_af; 432 KASSERTMSG(af == AF_INET || af == AF_INET6, 433 "unexpected protocol family %u", af); 434 435 KASSERT(inph->inph_sp != NULL); 436 /* If we have a cached entry, and if it is still valid, use it. */ 437 IPSEC_STATINC(IPSEC_STAT_SPDCACHELOOKUP); 438 currsp = ipsec_checkpcbcache(m, inph->inph_sp, dir); 439 if (currsp) { 440 *error = 0; 441 return currsp; 442 } 443 IPSEC_STATINC(IPSEC_STAT_SPDCACHEMISS); 444 445 switch (af) { 446 case AF_INET: { 447 struct inpcb *in4p = (struct inpcb *)inph; 448 /* set spidx in pcb */ 449 *error = ipsec4_setspidx_inpcb(m, in4p); 450 pcbsp = in4p->inp_sp; 451 break; 452 } 453 454 #if defined(INET6) 455 case AF_INET6: { 456 struct in6pcb *in6p = (struct in6pcb *)inph; 457 /* set spidx in pcb */ 458 *error = ipsec6_setspidx_in6pcb(m, in6p); 459 pcbsp = in6p->in6p_sp; 460 break; 461 } 462 #endif 463 default: 464 *error = EPFNOSUPPORT; 465 break; 466 } 467 if (*error) 468 return NULL; 469 470 KASSERT(pcbsp != NULL); 471 switch (dir) { 472 case IPSEC_DIR_INBOUND: 473 currsp = pcbsp->sp_in; 474 break; 475 case IPSEC_DIR_OUTBOUND: 476 currsp = pcbsp->sp_out; 477 break; 478 } 479 KASSERT(currsp != NULL); 480 481 if (pcbsp->priv) { /* when privilieged socket */ 482 switch (currsp->policy) { 483 case IPSEC_POLICY_BYPASS: 484 case IPSEC_POLICY_IPSEC: 485 KEY_SP_REF(currsp); 486 sp = currsp; 487 break; 488 489 case IPSEC_POLICY_ENTRUST: 490 /* look for a policy in SPD */ 491 sp = KEY_LOOKUP_SP_BYSPIDX(&currsp->spidx, dir); 492 if (sp == NULL) /* no SP found */ 493 sp = KEY_GET_DEFAULT_SP(af); 494 break; 495 496 default: 497 IPSECLOG(LOG_ERR, "Invalid policy for PCB %d\n", 498 currsp->policy); 499 *error = EINVAL; 500 return NULL; 501 } 502 } else { /* unpriv, SPD has policy */ 503 sp = KEY_LOOKUP_SP_BYSPIDX(&currsp->spidx, dir); 504 if (sp == NULL) { /* no SP found */ 505 switch (currsp->policy) { 506 case IPSEC_POLICY_BYPASS: 507 IPSECLOG(LOG_ERR, "Illegal policy for " 508 "non-priviliged defined %d\n", 509 currsp->policy); 510 *error = EINVAL; 511 return NULL; 512 513 case IPSEC_POLICY_ENTRUST: 514 sp = KEY_GET_DEFAULT_SP(af); 515 break; 516 517 case IPSEC_POLICY_IPSEC: 518 KEY_SP_REF(currsp); 519 sp = currsp; 520 break; 521 522 default: 523 IPSECLOG(LOG_ERR, "Invalid policy for " 524 "PCB %d\n", currsp->policy); 525 *error = EINVAL; 526 return NULL; 527 } 528 } 529 } 530 KASSERTMSG(sp != NULL, "null SP (priv %u policy %u", pcbsp->priv, 531 currsp->policy); 532 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, 533 "DP (priv %u policy %u) allocates SP:%p (refcnt %u)\n", 534 pcbsp->priv, currsp->policy, sp, sp->refcnt); 535 ipsec_fillpcbcache(pcbsp, m, sp, dir); 536 return sp; 537 } 538 539 /* 540 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 541 * and return a pointer to SP. 542 * OUT: positive: a pointer to the entry for security policy leaf matched. 543 * NULL: no apropreate SP found, the following value is set to error. 544 * 0 : bypass 545 * EACCES : discard packet. 546 * ENOENT : ipsec_acquire() in progress, maybe. 547 * others : error occurred. 548 */ 549 struct secpolicy * 550 ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error) 551 { 552 struct secpolicyindex spidx; 553 struct secpolicy *sp; 554 555 KASSERT(m != NULL); 556 KASSERT(error != NULL); 557 KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir); 558 559 sp = NULL; 560 561 /* Make an index to look for a policy. */ 562 *error = ipsec_setspidx(m, &spidx, (flag & IP_FORWARDING) ? 0 : 1); 563 if (*error != 0) { 564 IPSECLOG(LOG_DEBUG, "setpidx failed, dir %u flag %u\n", dir, flag); 565 memset(&spidx, 0, sizeof (spidx)); 566 return NULL; 567 } 568 569 spidx.dir = dir; 570 571 if (key_havesp(dir)) { 572 sp = KEY_LOOKUP_SP_BYSPIDX(&spidx, dir); 573 } 574 575 if (sp == NULL) /* no SP found, use system default */ 576 sp = KEY_GET_DEFAULT_SP(spidx.dst.sa.sa_family); 577 KASSERT(sp != NULL); 578 return sp; 579 } 580 581 struct secpolicy * 582 ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, 583 struct inpcb *inp) 584 { 585 struct secpolicy *sp; 586 587 *error = 0; 588 589 if (inp == NULL) { 590 sp = ipsec_getpolicybyaddr(m, dir, flag, error); 591 } else { 592 KASSERT(inp->inp_socket != NULL); 593 sp = ipsec_getpolicybysock(m, dir, (struct inpcb_hdr *)inp, error); 594 } 595 if (sp == NULL) { 596 KASSERTMSG(*error != 0, "getpolicy failed w/o error"); 597 IPSEC_STATINC(IPSEC_STAT_OUT_INVAL); 598 return NULL; 599 } 600 KASSERTMSG(*error == 0, "sp w/ error set to %u", *error); 601 switch (sp->policy) { 602 case IPSEC_POLICY_ENTRUST: 603 default: 604 printf("%s: invalid policy %u\n", __func__, sp->policy); 605 /* fall thru... */ 606 case IPSEC_POLICY_DISCARD: 607 IPSEC_STATINC(IPSEC_STAT_OUT_POLVIO); 608 *error = -EINVAL; /* packet is discarded by caller */ 609 break; 610 case IPSEC_POLICY_BYPASS: 611 case IPSEC_POLICY_NONE: 612 KEY_FREESP(&sp); 613 sp = NULL; /* NB: force NULL result */ 614 break; 615 case IPSEC_POLICY_IPSEC: 616 KASSERT(sp->req != NULL); 617 break; 618 } 619 if (*error != 0) { 620 KEY_FREESP(&sp); 621 sp = NULL; 622 IPSECLOG(LOG_DEBUG, "done, error %d\n", *error); 623 } 624 return sp; 625 } 626 627 int 628 ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags, 629 u_long *mtu, bool *natt_frag, bool *done) 630 { 631 struct secpolicy *sp = NULL; 632 int error, s; 633 634 /* 635 * Check the security policy (SP) for the packet and, if required, 636 * do IPsec-related processing. There are two cases here; the first 637 * time a packet is sent through it will be untagged and handled by 638 * ipsec4_checkpolicy(). If the packet is resubmitted to ip_output 639 * (e.g. after AH, ESP, etc. processing), there will be a tag to 640 * bypass the lookup and related policy checking. 641 */ 642 if (ipsec_outdone(m)) { 643 return 0; 644 } 645 s = splsoftnet(); 646 if (inp && ipsec_pcb_skip_ipsec(inp->inp_sp, IPSEC_DIR_OUTBOUND)) { 647 splx(s); 648 return 0; 649 } 650 sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, inp); 651 652 /* 653 * There are four return cases: 654 * sp != NULL apply IPsec policy 655 * sp == NULL, error == 0 no IPsec handling needed 656 * sp == NULL, error == -EINVAL discard packet w/o error 657 * sp == NULL, error != 0 discard packet, report error 658 */ 659 if (sp == NULL) { 660 splx(s); 661 if (error) { 662 /* 663 * Hack: -EINVAL is used to signal that a packet 664 * should be silently discarded. This is typically 665 * because we asked key management for an SA and 666 * it was delayed (e.g. kicked up to IKE). 667 */ 668 if (error == -EINVAL) 669 error = 0; 670 m_freem(m); 671 *done = true; 672 return error; 673 } 674 /* No IPsec processing for this packet. */ 675 return 0; 676 } 677 678 /* 679 * Do delayed checksums now because we send before 680 * this is done in the normal processing path. 681 */ 682 if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) { 683 in_delayed_cksum(m); 684 m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4|M_CSUM_UDPv4); 685 } 686 687 { 688 u_long _mtu = 0; 689 690 /* Note: callee frees mbuf */ 691 error = ipsec4_process_packet(m, sp->req, &_mtu); 692 693 if (error == 0 && _mtu != 0) { 694 /* 695 * NAT-T ESP fragmentation: do not do IPSec processing 696 * now, we will do it on each fragmented packet. 697 */ 698 *mtu = _mtu; 699 *natt_frag = true; 700 KEY_FREESP(&sp); 701 splx(s); 702 return 0; 703 } 704 } 705 /* 706 * Preserve KAME behaviour: ENOENT can be returned 707 * when an SA acquire is in progress. Don't propagate 708 * this to user-level; it confuses applications. 709 * 710 * XXX this will go away when the SADB is redone. 711 */ 712 if (error == ENOENT) 713 error = 0; 714 KEY_FREESP(&sp); 715 splx(s); 716 *done = true; 717 return error; 718 } 719 720 int 721 ipsec4_input(struct mbuf *m, int flags) 722 { 723 struct secpolicy *sp; 724 int error, s; 725 726 s = splsoftnet(); 727 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 728 if (sp == NULL) { 729 splx(s); 730 return EINVAL; 731 } 732 733 /* 734 * Check security policy against packet attributes. 735 */ 736 error = ipsec_in_reject(sp, m); 737 KEY_FREESP(&sp); 738 splx(s); 739 if (error) { 740 return error; 741 } 742 743 if (flags == 0) { 744 /* We are done. */ 745 return 0; 746 } 747 748 /* 749 * Peek at the outbound SP for this packet to determine if 750 * it is a Fast Forward candidate. 751 */ 752 s = splsoftnet(); 753 sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, NULL); 754 if (sp != NULL) { 755 m->m_flags &= ~M_CANFASTFWD; 756 KEY_FREESP(&sp); 757 } 758 splx(s); 759 return 0; 760 } 761 762 int 763 ipsec4_forward(struct mbuf *m, int *destmtu) 764 { 765 /* 766 * If the packet is routed over IPsec tunnel, tell the 767 * originator the tunnel MTU. 768 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz 769 * XXX quickhack!!! 770 */ 771 struct secpolicy *sp; 772 size_t ipsechdr; 773 int error; 774 775 sp = ipsec4_getpolicybyaddr(m, 776 IPSEC_DIR_OUTBOUND, IP_FORWARDING, &error); 777 if (sp == NULL) { 778 return EINVAL; 779 } 780 781 /* Count IPsec header size. */ 782 ipsechdr = ipsec4_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL); 783 784 /* 785 * Find the correct route for outer IPv4 header, compute tunnel MTU. 786 */ 787 if (sp->req) { 788 struct route *ro; 789 struct rtentry *rt; 790 struct secasvar *sav = NULL; 791 792 error = key_checkrequest(sp->req, &sav); 793 if (error != 0) 794 return error; 795 ro = &sav->sah->sa_route; 796 rt = rtcache_validate(ro); 797 if (rt && rt->rt_ifp) { 798 *destmtu = rt->rt_rmx.rmx_mtu ? 799 rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu; 800 *destmtu -= ipsechdr; 801 } 802 rtcache_unref(rt, ro); 803 KEY_FREESAV(&sav); 804 } 805 KEY_FREESP(&sp); 806 return 0; 807 } 808 809 #ifdef INET6 810 struct secpolicy * 811 ipsec6_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, 812 struct in6pcb *in6p) 813 { 814 struct secpolicy *sp; 815 816 *error = 0; 817 818 if (in6p == NULL) { 819 sp = ipsec_getpolicybyaddr(m, dir, flag, error); 820 } else { 821 KASSERT(in6p->in6p_socket != NULL); 822 sp = ipsec_getpolicybysock(m, dir, (struct inpcb_hdr *)in6p, error); 823 } 824 if (sp == NULL) { 825 KASSERTMSG(*error != 0, "getpolicy failed w/o error"); 826 IPSEC_STATINC(IPSEC_STAT_OUT_INVAL); 827 return NULL; 828 } 829 KASSERTMSG(*error == 0, "sp w/ error set to %u", *error); 830 switch (sp->policy) { 831 case IPSEC_POLICY_ENTRUST: 832 default: 833 printf("%s: invalid policy %u\n", __func__, sp->policy); 834 /* fall thru... */ 835 case IPSEC_POLICY_DISCARD: 836 IPSEC_STATINC(IPSEC_STAT_OUT_POLVIO); 837 *error = -EINVAL; /* packet is discarded by caller */ 838 break; 839 case IPSEC_POLICY_BYPASS: 840 case IPSEC_POLICY_NONE: 841 KEY_FREESP(&sp); 842 sp = NULL; /* NB: force NULL result */ 843 break; 844 case IPSEC_POLICY_IPSEC: 845 KASSERT(sp->req != NULL); 846 break; 847 } 848 if (*error != 0) { 849 KEY_FREESP(&sp); 850 sp = NULL; 851 IPSECLOG(LOG_DEBUG, "done, error %d\n", *error); 852 } 853 return sp; 854 } 855 #endif /* INET6 */ 856 857 static int 858 ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb) 859 { 860 int error; 861 862 KASSERT(pcb != NULL); 863 KASSERT(pcb->inp_sp != NULL); 864 KASSERT(pcb->inp_sp->sp_out != NULL); 865 KASSERT(pcb->inp_sp->sp_in != NULL); 866 867 error = ipsec_setspidx(m, &pcb->inp_sp->sp_in->spidx, 1); 868 if (error == 0) { 869 pcb->inp_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND; 870 pcb->inp_sp->sp_out->spidx = pcb->inp_sp->sp_in->spidx; 871 pcb->inp_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND; 872 } else { 873 memset(&pcb->inp_sp->sp_in->spidx, 0, 874 sizeof(pcb->inp_sp->sp_in->spidx)); 875 memset(&pcb->inp_sp->sp_out->spidx, 0, 876 sizeof(pcb->inp_sp->sp_in->spidx)); 877 } 878 return error; 879 } 880 881 #ifdef INET6 882 static int 883 ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb) 884 { 885 struct secpolicyindex *spidx; 886 int error; 887 888 KASSERT(pcb != NULL); 889 KASSERT(pcb->in6p_sp != NULL); 890 KASSERT(pcb->in6p_sp->sp_out != NULL); 891 KASSERT(pcb->in6p_sp->sp_in != NULL); 892 893 memset(&pcb->in6p_sp->sp_in->spidx, 0, sizeof(*spidx)); 894 memset(&pcb->in6p_sp->sp_out->spidx, 0, sizeof(*spidx)); 895 896 spidx = &pcb->in6p_sp->sp_in->spidx; 897 error = ipsec_setspidx(m, spidx, 1); 898 if (error) 899 goto bad; 900 spidx->dir = IPSEC_DIR_INBOUND; 901 902 spidx = &pcb->in6p_sp->sp_out->spidx; 903 error = ipsec_setspidx(m, spidx, 1); 904 if (error) 905 goto bad; 906 spidx->dir = IPSEC_DIR_OUTBOUND; 907 908 return 0; 909 910 bad: 911 memset(&pcb->in6p_sp->sp_in->spidx, 0, sizeof(*spidx)); 912 memset(&pcb->in6p_sp->sp_out->spidx, 0, sizeof(*spidx)); 913 return error; 914 } 915 #endif 916 917 /* 918 * configure security policy index (src/dst/proto/sport/dport) 919 * by looking at the content of mbuf. 920 * the caller is responsible for error recovery (like clearing up spidx). 921 */ 922 static int 923 ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport) 924 { 925 struct ip *ip = NULL; 926 struct ip ipbuf; 927 u_int v; 928 struct mbuf *n; 929 int len; 930 int error; 931 932 KASSERT(m != NULL); 933 934 /* 935 * validate m->m_pkthdr.len. we see incorrect length if we 936 * mistakenly call this function with inconsistent mbuf chain 937 * (like 4.4BSD tcp/udp processing). XXX should we panic here? 938 */ 939 len = 0; 940 for (n = m; n; n = n->m_next) 941 len += n->m_len; 942 if (m->m_pkthdr.len != len) { 943 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, 944 "total of m_len(%d) != pkthdr.len(%d), ignored.\n", 945 len, m->m_pkthdr.len); 946 return EINVAL; 947 } 948 949 if (m->m_pkthdr.len < sizeof(struct ip)) { 950 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, 951 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n", 952 m->m_pkthdr.len); 953 return EINVAL; 954 } 955 956 if (m->m_len >= sizeof(*ip)) 957 ip = mtod(m, struct ip *); 958 else { 959 m_copydata(m, 0, sizeof(ipbuf), &ipbuf); 960 ip = &ipbuf; 961 } 962 v = ip->ip_v; 963 switch (v) { 964 case 4: 965 error = ipsec4_setspidx_ipaddr(m, spidx); 966 if (error) 967 return error; 968 ipsec4_get_ulp(m, spidx, needport); 969 return 0; 970 #ifdef INET6 971 case 6: 972 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 973 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, 974 "pkthdr.len(%d) < sizeof(struct ip6_hdr), " 975 "ignored.\n", m->m_pkthdr.len); 976 return EINVAL; 977 } 978 error = ipsec6_setspidx_ipaddr(m, spidx); 979 if (error) 980 return error; 981 ipsec6_get_ulp(m, spidx, needport); 982 return 0; 983 #endif 984 default: 985 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, 986 "unknown IP version %u, ignored.\n", v); 987 return EINVAL; 988 } 989 } 990 991 static void 992 ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport) 993 { 994 u_int8_t nxt; 995 int off; 996 997 /* sanity check */ 998 KASSERT(m != NULL); 999 KASSERTMSG(m->m_pkthdr.len >= sizeof(struct ip), "packet too short"); 1000 1001 /* NB: ip_input() flips it into host endian XXX need more checking */ 1002 if (m->m_len >= sizeof(struct ip)) { 1003 struct ip *ip = mtod(m, struct ip *); 1004 if (ip->ip_off & htons(IP_MF | IP_OFFMASK)) 1005 goto done; 1006 off = ip->ip_hl << 2; 1007 nxt = ip->ip_p; 1008 } else { 1009 struct ip ih; 1010 1011 m_copydata(m, 0, sizeof (struct ip), &ih); 1012 if (ih.ip_off & htons(IP_MF | IP_OFFMASK)) 1013 goto done; 1014 off = ih.ip_hl << 2; 1015 nxt = ih.ip_p; 1016 } 1017 1018 while (off < m->m_pkthdr.len) { 1019 struct ip6_ext ip6e; 1020 struct tcphdr th; 1021 struct udphdr uh; 1022 struct icmp icmph; 1023 1024 switch (nxt) { 1025 case IPPROTO_TCP: 1026 spidx->ul_proto = nxt; 1027 if (!needport) 1028 goto done_proto; 1029 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1030 goto done; 1031 m_copydata(m, off, sizeof (th), &th); 1032 spidx->src.sin.sin_port = th.th_sport; 1033 spidx->dst.sin.sin_port = th.th_dport; 1034 return; 1035 case IPPROTO_UDP: 1036 spidx->ul_proto = nxt; 1037 if (!needport) 1038 goto done_proto; 1039 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1040 goto done; 1041 m_copydata(m, off, sizeof (uh), &uh); 1042 spidx->src.sin.sin_port = uh.uh_sport; 1043 spidx->dst.sin.sin_port = uh.uh_dport; 1044 return; 1045 case IPPROTO_AH: 1046 if (m->m_pkthdr.len > off + sizeof(ip6e)) 1047 goto done; 1048 /* XXX sigh, this works but is totally bogus */ 1049 m_copydata(m, off, sizeof(ip6e), &ip6e); 1050 off += (ip6e.ip6e_len + 2) << 2; 1051 nxt = ip6e.ip6e_nxt; 1052 break; 1053 case IPPROTO_ICMP: 1054 spidx->ul_proto = nxt; 1055 if (off + sizeof(struct icmp) > m->m_pkthdr.len) 1056 return; 1057 m_copydata(m, off, sizeof(icmph), &icmph); 1058 ((struct sockaddr_in *)&spidx->src)->sin_port = 1059 htons((uint16_t)icmph.icmp_type); 1060 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1061 htons((uint16_t)icmph.icmp_code); 1062 return; 1063 default: 1064 /* XXX intermediate headers??? */ 1065 spidx->ul_proto = nxt; 1066 goto done_proto; 1067 } 1068 } 1069 done: 1070 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1071 done_proto: 1072 spidx->src.sin.sin_port = IPSEC_PORT_ANY; 1073 spidx->dst.sin.sin_port = IPSEC_PORT_ANY; 1074 } 1075 1076 /* assumes that m is sane */ 1077 static int 1078 ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx) 1079 { 1080 static const struct sockaddr_in template = { 1081 sizeof (struct sockaddr_in), 1082 AF_INET, 1083 0, { 0 }, { 0, 0, 0, 0, 0, 0, 0, 0 } 1084 }; 1085 1086 spidx->src.sin = template; 1087 spidx->dst.sin = template; 1088 1089 if (m->m_len < sizeof (struct ip)) { 1090 m_copydata(m, offsetof(struct ip, ip_src), 1091 sizeof(struct in_addr), &spidx->src.sin.sin_addr); 1092 m_copydata(m, offsetof(struct ip, ip_dst), 1093 sizeof(struct in_addr), &spidx->dst.sin.sin_addr); 1094 } else { 1095 struct ip *ip = mtod(m, struct ip *); 1096 spidx->src.sin.sin_addr = ip->ip_src; 1097 spidx->dst.sin.sin_addr = ip->ip_dst; 1098 } 1099 1100 spidx->prefs = sizeof(struct in_addr) << 3; 1101 spidx->prefd = sizeof(struct in_addr) << 3; 1102 1103 return 0; 1104 } 1105 1106 #ifdef INET6 1107 static void 1108 ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, 1109 int needport) 1110 { 1111 int off, nxt; 1112 struct tcphdr th; 1113 struct udphdr uh; 1114 struct icmp6_hdr icmph; 1115 1116 KASSERT(m != NULL); 1117 1118 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) { 1119 printf("%s:\n", __func__); 1120 kdebug_mbuf(m); 1121 } 1122 1123 /* set default */ 1124 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1125 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; 1126 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; 1127 1128 nxt = -1; 1129 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 1130 if (off < 0 || m->m_pkthdr.len < off) 1131 return; 1132 1133 switch (nxt) { 1134 case IPPROTO_TCP: 1135 spidx->ul_proto = nxt; 1136 if (!needport) 1137 break; 1138 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1139 break; 1140 m_copydata(m, off, sizeof(th), &th); 1141 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; 1142 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; 1143 break; 1144 case IPPROTO_UDP: 1145 spidx->ul_proto = nxt; 1146 if (!needport) 1147 break; 1148 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1149 break; 1150 m_copydata(m, off, sizeof(uh), &uh); 1151 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; 1152 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; 1153 break; 1154 case IPPROTO_ICMPV6: 1155 spidx->ul_proto = nxt; 1156 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len) 1157 break; 1158 m_copydata(m, off, sizeof(icmph), &icmph); 1159 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = 1160 htons((uint16_t)icmph.icmp6_type); 1161 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = 1162 htons((uint16_t)icmph.icmp6_code); 1163 break; 1164 default: 1165 /* XXX intermediate headers??? */ 1166 spidx->ul_proto = nxt; 1167 break; 1168 } 1169 } 1170 1171 /* assumes that m is sane */ 1172 static int 1173 ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx) 1174 { 1175 struct ip6_hdr *ip6 = NULL; 1176 struct ip6_hdr ip6buf; 1177 struct sockaddr_in6 *sin6; 1178 1179 if (m->m_len >= sizeof(*ip6)) 1180 ip6 = mtod(m, struct ip6_hdr *); 1181 else { 1182 m_copydata(m, 0, sizeof(ip6buf), &ip6buf); 1183 ip6 = &ip6buf; 1184 } 1185 1186 sin6 = (struct sockaddr_in6 *)&spidx->src; 1187 memset(sin6, 0, sizeof(*sin6)); 1188 sin6->sin6_family = AF_INET6; 1189 sin6->sin6_len = sizeof(struct sockaddr_in6); 1190 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src)); 1191 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 1192 sin6->sin6_addr.s6_addr16[1] = 0; 1193 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); 1194 } 1195 spidx->prefs = sizeof(struct in6_addr) << 3; 1196 1197 sin6 = (struct sockaddr_in6 *)&spidx->dst; 1198 memset(sin6, 0, sizeof(*sin6)); 1199 sin6->sin6_family = AF_INET6; 1200 sin6->sin6_len = sizeof(struct sockaddr_in6); 1201 memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst)); 1202 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 1203 sin6->sin6_addr.s6_addr16[1] = 0; 1204 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); 1205 } 1206 spidx->prefd = sizeof(struct in6_addr) << 3; 1207 1208 return 0; 1209 } 1210 #endif 1211 1212 static void 1213 ipsec_delpcbpolicy(struct inpcbpolicy *p) 1214 { 1215 1216 kmem_intr_free(p, sizeof(*p)); 1217 } 1218 1219 /* initialize policy in PCB */ 1220 int 1221 ipsec_init_policy(struct socket *so, struct inpcbpolicy **policy) 1222 { 1223 struct inpcbpolicy *new; 1224 1225 KASSERT(so != NULL); 1226 KASSERT(policy != NULL); 1227 1228 new = kmem_intr_zalloc(sizeof(*new), KM_NOSLEEP); 1229 if (new == NULL) { 1230 IPSECLOG(LOG_DEBUG, "No more memory.\n"); 1231 return ENOBUFS; 1232 } 1233 1234 if (IPSEC_PRIVILEGED_SO(so)) 1235 new->priv = 1; 1236 else 1237 new->priv = 0; 1238 1239 if ((new->sp_in = KEY_NEWSP()) == NULL) { 1240 ipsec_delpcbpolicy(new); 1241 return ENOBUFS; 1242 } 1243 new->sp_in->state = IPSEC_SPSTATE_ALIVE; 1244 new->sp_in->policy = IPSEC_POLICY_ENTRUST; 1245 1246 if ((new->sp_out = KEY_NEWSP()) == NULL) { 1247 KEY_FREESP(&new->sp_in); 1248 ipsec_delpcbpolicy(new); 1249 return ENOBUFS; 1250 } 1251 new->sp_out->state = IPSEC_SPSTATE_ALIVE; 1252 new->sp_out->policy = IPSEC_POLICY_ENTRUST; 1253 1254 *policy = new; 1255 1256 return 0; 1257 } 1258 1259 /* copy old ipsec policy into new */ 1260 int 1261 ipsec_copy_policy(const struct inpcbpolicy *old, struct inpcbpolicy *new) 1262 { 1263 struct secpolicy *sp; 1264 1265 sp = ipsec_deepcopy_policy(old->sp_in); 1266 if (sp) { 1267 KEY_FREESP(&new->sp_in); 1268 new->sp_in = sp; 1269 } else 1270 return ENOBUFS; 1271 1272 sp = ipsec_deepcopy_policy(old->sp_out); 1273 if (sp) { 1274 KEY_FREESP(&new->sp_out); 1275 new->sp_out = sp; 1276 } else 1277 return ENOBUFS; 1278 1279 new->priv = old->priv; 1280 1281 return 0; 1282 } 1283 1284 /* deep-copy a policy in PCB */ 1285 static struct secpolicy * 1286 ipsec_deepcopy_policy(const struct secpolicy *src) 1287 { 1288 struct ipsecrequest *newchain = NULL; 1289 const struct ipsecrequest *p; 1290 struct ipsecrequest **q; 1291 struct secpolicy *dst; 1292 1293 if (src == NULL) 1294 return NULL; 1295 dst = KEY_NEWSP(); 1296 if (dst == NULL) 1297 return NULL; 1298 1299 /* 1300 * deep-copy IPsec request chain. This is required since struct 1301 * ipsecrequest is not reference counted. 1302 */ 1303 q = &newchain; 1304 for (p = src->req; p; p = p->next) { 1305 *q = kmem_zalloc(sizeof(**q), KM_SLEEP); 1306 (*q)->next = NULL; 1307 1308 (*q)->saidx.proto = p->saidx.proto; 1309 (*q)->saidx.mode = p->saidx.mode; 1310 (*q)->level = p->level; 1311 (*q)->saidx.reqid = p->saidx.reqid; 1312 1313 memcpy(&(*q)->saidx.src, &p->saidx.src, sizeof((*q)->saidx.src)); 1314 memcpy(&(*q)->saidx.dst, &p->saidx.dst, sizeof((*q)->saidx.dst)); 1315 1316 (*q)->sav = NULL; 1317 (*q)->sp = dst; 1318 1319 q = &((*q)->next); 1320 } 1321 1322 dst->req = newchain; 1323 dst->state = src->state; 1324 dst->policy = src->policy; 1325 /* do not touch the refcnt fields */ 1326 1327 return dst; 1328 } 1329 1330 /* set policy and ipsec request if present. */ 1331 static int 1332 ipsec_set_policy( 1333 struct secpolicy **policy, 1334 int optname, 1335 const void *request, 1336 size_t len, 1337 kauth_cred_t cred 1338 ) 1339 { 1340 const struct sadb_x_policy *xpl; 1341 struct secpolicy *newsp = NULL; 1342 int error; 1343 1344 KASSERT(!cpu_softintr_p()); 1345 1346 /* sanity check. */ 1347 if (policy == NULL || *policy == NULL || request == NULL) 1348 return EINVAL; 1349 if (len < sizeof(*xpl)) 1350 return EINVAL; 1351 xpl = (const struct sadb_x_policy *)request; 1352 1353 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) { 1354 printf("%s: passed policy\n", __func__); 1355 kdebug_sadb_x_policy((const struct sadb_ext *)xpl); 1356 } 1357 1358 /* check policy type */ 1359 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ 1360 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD 1361 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) 1362 return EINVAL; 1363 1364 /* check privileged socket */ 1365 if (xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) { 1366 error = kauth_authorize_network(cred, KAUTH_NETWORK_IPSEC, 1367 KAUTH_REQ_NETWORK_IPSEC_BYPASS, NULL, NULL, NULL); 1368 if (error) 1369 return (error); 1370 } 1371 1372 /* allocation new SP entry */ 1373 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) 1374 return error; 1375 1376 newsp->state = IPSEC_SPSTATE_ALIVE; 1377 1378 /* clear old SP and set new SP */ 1379 KEY_FREESP(policy); 1380 *policy = newsp; 1381 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) { 1382 printf("%s: new policy\n", __func__); 1383 kdebug_secpolicy(newsp); 1384 } 1385 1386 return 0; 1387 } 1388 1389 static int 1390 ipsec_get_policy(struct secpolicy *policy, struct mbuf **mp) 1391 { 1392 1393 /* sanity check. */ 1394 if (policy == NULL || mp == NULL) 1395 return EINVAL; 1396 1397 *mp = key_sp2msg(policy); 1398 if (!*mp) { 1399 IPSECLOG(LOG_DEBUG, "No more memory.\n"); 1400 return ENOBUFS; 1401 } 1402 1403 (*mp)->m_type = MT_DATA; 1404 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) { 1405 printf("%s:\n", __func__); 1406 kdebug_mbuf(*mp); 1407 } 1408 1409 return 0; 1410 } 1411 1412 int 1413 ipsec4_set_policy(struct inpcb *inp, int optname, const void *request, 1414 size_t len, kauth_cred_t cred) 1415 { 1416 const struct sadb_x_policy *xpl; 1417 struct secpolicy **policy; 1418 1419 KASSERT(!cpu_softintr_p()); 1420 1421 /* sanity check. */ 1422 if (inp == NULL || request == NULL) 1423 return EINVAL; 1424 if (len < sizeof(*xpl)) 1425 return EINVAL; 1426 xpl = (const struct sadb_x_policy *)request; 1427 1428 KASSERT(inp->inp_sp != NULL); 1429 1430 /* select direction */ 1431 switch (xpl->sadb_x_policy_dir) { 1432 case IPSEC_DIR_INBOUND: 1433 policy = &inp->inp_sp->sp_in; 1434 break; 1435 case IPSEC_DIR_OUTBOUND: 1436 policy = &inp->inp_sp->sp_out; 1437 break; 1438 default: 1439 IPSECLOG(LOG_ERR, "invalid direction=%u\n", 1440 xpl->sadb_x_policy_dir); 1441 return EINVAL; 1442 } 1443 1444 return ipsec_set_policy(policy, optname, request, len, cred); 1445 } 1446 1447 int 1448 ipsec4_get_policy(struct inpcb *inp, const void *request, size_t len, 1449 struct mbuf **mp) 1450 { 1451 const struct sadb_x_policy *xpl; 1452 struct secpolicy *policy; 1453 1454 /* sanity check. */ 1455 if (inp == NULL || request == NULL || mp == NULL) 1456 return EINVAL; 1457 KASSERT(inp->inp_sp != NULL); 1458 if (len < sizeof(*xpl)) 1459 return EINVAL; 1460 xpl = (const struct sadb_x_policy *)request; 1461 1462 /* select direction */ 1463 switch (xpl->sadb_x_policy_dir) { 1464 case IPSEC_DIR_INBOUND: 1465 policy = inp->inp_sp->sp_in; 1466 break; 1467 case IPSEC_DIR_OUTBOUND: 1468 policy = inp->inp_sp->sp_out; 1469 break; 1470 default: 1471 IPSECLOG(LOG_ERR, "invalid direction=%u\n", 1472 xpl->sadb_x_policy_dir); 1473 return EINVAL; 1474 } 1475 1476 return ipsec_get_policy(policy, mp); 1477 } 1478 1479 /* delete policy in PCB */ 1480 int 1481 ipsec4_delete_pcbpolicy(struct inpcb *inp) 1482 { 1483 1484 KASSERT(inp != NULL); 1485 1486 if (inp->inp_sp == NULL) 1487 return 0; 1488 1489 if (inp->inp_sp->sp_in != NULL) 1490 KEY_FREESP(&inp->inp_sp->sp_in); 1491 1492 if (inp->inp_sp->sp_out != NULL) 1493 KEY_FREESP(&inp->inp_sp->sp_out); 1494 1495 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1496 1497 ipsec_delpcbpolicy(inp->inp_sp); 1498 inp->inp_sp = NULL; 1499 1500 return 0; 1501 } 1502 1503 #ifdef INET6 1504 int 1505 ipsec6_set_policy(struct in6pcb *in6p, int optname, const void *request, 1506 size_t len, kauth_cred_t cred) 1507 { 1508 const struct sadb_x_policy *xpl; 1509 struct secpolicy **policy; 1510 1511 KASSERT(!cpu_softintr_p()); 1512 1513 /* sanity check. */ 1514 if (in6p == NULL || request == NULL) 1515 return EINVAL; 1516 if (len < sizeof(*xpl)) 1517 return EINVAL; 1518 xpl = (const struct sadb_x_policy *)request; 1519 1520 /* select direction */ 1521 switch (xpl->sadb_x_policy_dir) { 1522 case IPSEC_DIR_INBOUND: 1523 policy = &in6p->in6p_sp->sp_in; 1524 break; 1525 case IPSEC_DIR_OUTBOUND: 1526 policy = &in6p->in6p_sp->sp_out; 1527 break; 1528 default: 1529 IPSECLOG(LOG_ERR, "invalid direction=%u\n", 1530 xpl->sadb_x_policy_dir); 1531 return EINVAL; 1532 } 1533 1534 return ipsec_set_policy(policy, optname, request, len, cred); 1535 } 1536 1537 int 1538 ipsec6_get_policy(struct in6pcb *in6p, const void *request, size_t len, 1539 struct mbuf **mp) 1540 { 1541 const struct sadb_x_policy *xpl; 1542 struct secpolicy *policy; 1543 1544 /* sanity check. */ 1545 if (in6p == NULL || request == NULL || mp == NULL) 1546 return EINVAL; 1547 KASSERT(in6p->in6p_sp != NULL); 1548 if (len < sizeof(*xpl)) 1549 return EINVAL; 1550 xpl = (const struct sadb_x_policy *)request; 1551 1552 /* select direction */ 1553 switch (xpl->sadb_x_policy_dir) { 1554 case IPSEC_DIR_INBOUND: 1555 policy = in6p->in6p_sp->sp_in; 1556 break; 1557 case IPSEC_DIR_OUTBOUND: 1558 policy = in6p->in6p_sp->sp_out; 1559 break; 1560 default: 1561 IPSECLOG(LOG_ERR, "invalid direction=%u\n", 1562 xpl->sadb_x_policy_dir); 1563 return EINVAL; 1564 } 1565 1566 return ipsec_get_policy(policy, mp); 1567 } 1568 1569 int 1570 ipsec6_delete_pcbpolicy(struct in6pcb *in6p) 1571 { 1572 1573 KASSERT(in6p != NULL); 1574 1575 if (in6p->in6p_sp == NULL) 1576 return 0; 1577 1578 if (in6p->in6p_sp->sp_in != NULL) 1579 KEY_FREESP(&in6p->in6p_sp->sp_in); 1580 1581 if (in6p->in6p_sp->sp_out != NULL) 1582 KEY_FREESP(&in6p->in6p_sp->sp_out); 1583 1584 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1585 1586 ipsec_delpcbpolicy(in6p->in6p_sp); 1587 in6p->in6p_sp = NULL; 1588 1589 return 0; 1590 } 1591 #endif 1592 1593 /* 1594 * return current level. 1595 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 1596 */ 1597 u_int 1598 ipsec_get_reqlevel(const struct ipsecrequest *isr) 1599 { 1600 u_int level = 0; 1601 u_int esp_trans_deflev, esp_net_deflev; 1602 u_int ah_trans_deflev, ah_net_deflev; 1603 1604 KASSERT(isr != NULL); 1605 KASSERT(isr->sp != NULL); 1606 KASSERTMSG( 1607 isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family, 1608 "af family mismatch, src %u, dst %u", 1609 isr->sp->spidx.src.sa.sa_family, isr->sp->spidx.dst.sa.sa_family); 1610 1611 /* XXX note that we have ipseclog() expanded here - code sync issue */ 1612 #define IPSEC_CHECK_DEFAULT(lev) \ 1613 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \ 1614 && (lev) != IPSEC_LEVEL_UNIQUE) ? \ 1615 (ipsec_debug ? log(LOG_INFO, "fixed system default level " #lev \ 1616 ":%d->%d\n", (lev), IPSEC_LEVEL_REQUIRE) : (void)0), \ 1617 (lev) = IPSEC_LEVEL_REQUIRE, (lev) \ 1618 : (lev)) 1619 1620 /* set default level */ 1621 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) { 1622 #ifdef INET 1623 case AF_INET: 1624 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev); 1625 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev); 1626 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev); 1627 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev); 1628 break; 1629 #endif 1630 #ifdef INET6 1631 case AF_INET6: 1632 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev); 1633 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev); 1634 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev); 1635 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev); 1636 break; 1637 #endif /* INET6 */ 1638 default: 1639 panic("%s: unknown af %u", __func__, 1640 isr->sp->spidx.src.sa.sa_family); 1641 } 1642 1643 #undef IPSEC_CHECK_DEFAULT 1644 1645 /* set level */ 1646 switch (isr->level) { 1647 case IPSEC_LEVEL_DEFAULT: 1648 switch (isr->saidx.proto) { 1649 case IPPROTO_ESP: 1650 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1651 level = esp_net_deflev; 1652 else 1653 level = esp_trans_deflev; 1654 break; 1655 case IPPROTO_AH: 1656 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1657 level = ah_net_deflev; 1658 else 1659 level = ah_trans_deflev; 1660 break; 1661 case IPPROTO_IPCOMP: 1662 /* 1663 * we don't really care, as IPcomp document says that 1664 * we shouldn't compress small packets 1665 */ 1666 level = IPSEC_LEVEL_USE; 1667 break; 1668 default: 1669 panic("%s: Illegal protocol defined %u", __func__, 1670 isr->saidx.proto); 1671 } 1672 break; 1673 1674 case IPSEC_LEVEL_USE: 1675 case IPSEC_LEVEL_REQUIRE: 1676 level = isr->level; 1677 break; 1678 case IPSEC_LEVEL_UNIQUE: 1679 level = IPSEC_LEVEL_REQUIRE; 1680 break; 1681 1682 default: 1683 panic("%s: Illegal IPsec level %u", __func__, isr->level); 1684 } 1685 1686 return level; 1687 } 1688 1689 /* 1690 * Check security policy requirements against the actual 1691 * packet contents. Return one if the packet should be 1692 * reject as "invalid"; otherwiser return zero to have the 1693 * packet treated as "valid". 1694 * 1695 * OUT: 1696 * 0: valid 1697 * 1: invalid 1698 */ 1699 int 1700 ipsec_in_reject(const struct secpolicy *sp, const struct mbuf *m) 1701 { 1702 struct ipsecrequest *isr; 1703 1704 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) { 1705 printf("%s: using SP\n", __func__); 1706 kdebug_secpolicy(sp); 1707 } 1708 1709 /* check policy */ 1710 switch (sp->policy) { 1711 case IPSEC_POLICY_DISCARD: 1712 return 1; 1713 case IPSEC_POLICY_BYPASS: 1714 case IPSEC_POLICY_NONE: 1715 return 0; 1716 } 1717 1718 KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC, 1719 "invalid policy %u", sp->policy); 1720 1721 /* XXX should compare policy against ipsec header history */ 1722 1723 for (isr = sp->req; isr != NULL; isr = isr->next) { 1724 if (ipsec_get_reqlevel(isr) != IPSEC_LEVEL_REQUIRE) 1725 continue; 1726 switch (isr->saidx.proto) { 1727 case IPPROTO_ESP: 1728 if ((m->m_flags & M_DECRYPTED) == 0) { 1729 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, 1730 "ESP m_flags:%x\n", m->m_flags); 1731 return 1; 1732 } 1733 break; 1734 case IPPROTO_AH: 1735 if ((m->m_flags & M_AUTHIPHDR) == 0) { 1736 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, 1737 "AH m_flags:%x\n", m->m_flags); 1738 return 1; 1739 } 1740 break; 1741 case IPPROTO_IPCOMP: 1742 /* 1743 * we don't really care, as IPcomp document 1744 * says that we shouldn't compress small 1745 * packets, IPComp policy should always be 1746 * treated as being in "use" level. 1747 */ 1748 break; 1749 } 1750 } 1751 return 0; /* valid */ 1752 } 1753 1754 /* 1755 * Check AH/ESP integrity. 1756 * This function is called from tcp_input(), udp_input(), 1757 * and {ah,esp}4_input for tunnel mode 1758 */ 1759 int 1760 ipsec4_in_reject(struct mbuf *m, struct inpcb *inp) 1761 { 1762 struct secpolicy *sp; 1763 int error; 1764 int result; 1765 1766 KASSERT(m != NULL); 1767 1768 /* get SP for this packet. 1769 * When we are called from ip_forward(), we call 1770 * ipsec_getpolicybyaddr() with IP_FORWARDING flag. 1771 */ 1772 if (inp == NULL) 1773 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 1774 else 1775 sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND, 1776 (struct inpcb_hdr *)inp, &error); 1777 1778 if (sp != NULL) { 1779 result = ipsec_in_reject(sp, m); 1780 if (result) 1781 IPSEC_STATINC(IPSEC_STAT_IN_POLVIO); 1782 KEY_FREESP(&sp); 1783 } else { 1784 result = 0; /* XXX should be panic ? 1785 * -> No, there may be error. */ 1786 } 1787 return result; 1788 } 1789 1790 1791 #ifdef INET6 1792 /* 1793 * Check AH/ESP integrity. 1794 * This function is called from tcp6_input(), udp6_input(), 1795 * and {ah,esp}6_input for tunnel mode 1796 */ 1797 int 1798 ipsec6_in_reject(struct mbuf *m, struct in6pcb *in6p) 1799 { 1800 struct secpolicy *sp = NULL; 1801 int error; 1802 int result; 1803 1804 KASSERT(m != NULL); 1805 1806 /* get SP for this packet. 1807 * When we are called from ip_forward(), we call 1808 * ipsec_getpolicybyaddr() with IP_FORWARDING flag. 1809 */ 1810 if (in6p == NULL) 1811 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 1812 else 1813 sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND, 1814 (struct inpcb_hdr *)in6p, 1815 &error); 1816 1817 if (sp != NULL) { 1818 result = ipsec_in_reject(sp, m); 1819 if (result) 1820 IPSEC_STATINC(IPSEC_STAT_IN_POLVIO); 1821 KEY_FREESP(&sp); 1822 } else { 1823 result = 0; 1824 } 1825 return result; 1826 } 1827 #endif 1828 1829 /* 1830 * compute the byte size to be occupied by IPsec header. 1831 * in case it is tunneled, it includes the size of outer IP header. 1832 * NOTE: SP passed is free in this function. 1833 */ 1834 static size_t 1835 ipsec_hdrsiz(const struct secpolicy *sp) 1836 { 1837 struct ipsecrequest *isr; 1838 size_t siz; 1839 1840 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) { 1841 printf("%s: using SP\n", __func__); 1842 kdebug_secpolicy(sp); 1843 } 1844 1845 switch (sp->policy) { 1846 case IPSEC_POLICY_DISCARD: 1847 case IPSEC_POLICY_BYPASS: 1848 case IPSEC_POLICY_NONE: 1849 return 0; 1850 } 1851 1852 KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC, 1853 "invalid policy %u", sp->policy); 1854 1855 siz = 0; 1856 for (isr = sp->req; isr != NULL; isr = isr->next) { 1857 size_t clen = 0; 1858 struct secasvar *sav = NULL; 1859 int error; 1860 1861 switch (isr->saidx.proto) { 1862 case IPPROTO_ESP: 1863 error = key_checkrequest(isr, &sav); 1864 if (error == 0) { 1865 clen = esp_hdrsiz(sav); 1866 KEY_FREESAV(&sav); 1867 } else 1868 clen = esp_hdrsiz(NULL); 1869 break; 1870 case IPPROTO_AH: 1871 error = key_checkrequest(isr, &sav); 1872 if (error == 0) { 1873 clen = ah_hdrsiz(sav); 1874 KEY_FREESAV(&sav); 1875 } else 1876 clen = ah_hdrsiz(NULL); 1877 break; 1878 case IPPROTO_IPCOMP: 1879 clen = sizeof(struct ipcomp); 1880 break; 1881 } 1882 1883 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 1884 switch (isr->saidx.dst.sa.sa_family) { 1885 case AF_INET: 1886 clen += sizeof(struct ip); 1887 break; 1888 #ifdef INET6 1889 case AF_INET6: 1890 clen += sizeof(struct ip6_hdr); 1891 break; 1892 #endif 1893 default: 1894 IPSECLOG(LOG_ERR, "unknown AF %d in " 1895 "IPsec tunnel SA\n", 1896 ((const struct sockaddr *)&isr->saidx.dst) 1897 ->sa_family); 1898 break; 1899 } 1900 } 1901 siz += clen; 1902 } 1903 1904 return siz; 1905 } 1906 1907 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ 1908 size_t 1909 ipsec4_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp) 1910 { 1911 struct secpolicy *sp; 1912 int error; 1913 size_t size; 1914 1915 KASSERT(m != NULL); 1916 KASSERTMSG(inp == NULL || inp->inp_socket != NULL, "socket w/o inpcb"); 1917 1918 /* get SP for this packet. 1919 * When we are called from ip_forward(), we call 1920 * ipsec_getpolicybyaddr() with IP_FORWARDING flag. 1921 */ 1922 if (inp == NULL) 1923 sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 1924 else 1925 sp = ipsec_getpolicybysock(m, dir, 1926 (struct inpcb_hdr *)inp, &error); 1927 1928 if (sp != NULL) { 1929 size = ipsec_hdrsiz(sp); 1930 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%lu.\n", 1931 (unsigned long)size); 1932 1933 KEY_FREESP(&sp); 1934 } else { 1935 size = 0; /* XXX should be panic ? */ 1936 } 1937 return size; 1938 } 1939 1940 #ifdef INET6 1941 /* This function is called from ipsec6_hdrsize_tcp(), 1942 * and maybe from ip6_forward.() 1943 */ 1944 size_t 1945 ipsec6_hdrsiz(struct mbuf *m, u_int dir, struct in6pcb *in6p) 1946 { 1947 struct secpolicy *sp; 1948 int error; 1949 size_t size; 1950 1951 KASSERT(m != NULL); 1952 KASSERTMSG(in6p == NULL || in6p->in6p_socket != NULL, 1953 "socket w/o inpcb"); 1954 1955 /* get SP for this packet */ 1956 /* XXX Is it right to call with IP_FORWARDING. */ 1957 if (in6p == NULL) 1958 sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 1959 else 1960 sp = ipsec_getpolicybysock(m, dir, 1961 (struct inpcb_hdr *)in6p, 1962 &error); 1963 1964 if (sp == NULL) 1965 return 0; 1966 size = ipsec_hdrsiz(sp); 1967 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%zu.\n", size); 1968 KEY_FREESP(&sp); 1969 1970 return size; 1971 } 1972 #endif /*INET6*/ 1973 1974 /* 1975 * Check the variable replay window. 1976 * ipsec_chkreplay() performs replay check before ICV verification. 1977 * ipsec_updatereplay() updates replay bitmap. This must be called after 1978 * ICV verification (it also performs replay check, which is usually done 1979 * beforehand). 1980 * 0 (zero) is returned if packet disallowed, 1 if packet permitted. 1981 * 1982 * based on RFC 2401. 1983 */ 1984 int 1985 ipsec_chkreplay(u_int32_t seq, const struct secasvar *sav) 1986 { 1987 const struct secreplay *replay; 1988 u_int32_t diff; 1989 int fr; 1990 u_int32_t wsizeb; /* constant: bits of window size */ 1991 int frlast; /* constant: last frame */ 1992 1993 IPSEC_SPLASSERT_SOFTNET(__func__); 1994 1995 KASSERT(sav != NULL); 1996 KASSERT(sav->replay != NULL); 1997 1998 replay = sav->replay; 1999 2000 if (replay->wsize == 0) 2001 return 1; /* no need to check replay. */ 2002 2003 /* constant */ 2004 frlast = replay->wsize - 1; 2005 wsizeb = replay->wsize << 3; 2006 2007 /* sequence number of 0 is invalid */ 2008 if (seq == 0) 2009 return 0; 2010 2011 /* first time is always okay */ 2012 if (replay->count == 0) 2013 return 1; 2014 2015 if (seq > replay->lastseq) { 2016 /* larger sequences are okay */ 2017 return 1; 2018 } else { 2019 /* seq is equal or less than lastseq. */ 2020 diff = replay->lastseq - seq; 2021 2022 /* over range to check, i.e. too old or wrapped */ 2023 if (diff >= wsizeb) 2024 return 0; 2025 2026 fr = frlast - diff / 8; 2027 2028 /* this packet already seen ? */ 2029 if ((replay->bitmap)[fr] & (1 << (diff % 8))) 2030 return 0; 2031 2032 /* out of order but good */ 2033 return 1; 2034 } 2035 } 2036 2037 /* 2038 * check replay counter whether to update or not. 2039 * OUT: 0: OK 2040 * 1: NG 2041 */ 2042 int 2043 ipsec_updatereplay(u_int32_t seq, const struct secasvar *sav) 2044 { 2045 struct secreplay *replay; 2046 u_int32_t diff; 2047 int fr; 2048 u_int32_t wsizeb; /* constant: bits of window size */ 2049 int frlast; /* constant: last frame */ 2050 char buf[INET6_ADDRSTRLEN]; 2051 2052 IPSEC_SPLASSERT_SOFTNET(__func__); 2053 2054 KASSERT(sav != NULL); 2055 KASSERT(sav->replay != NULL); 2056 2057 replay = sav->replay; 2058 2059 if (replay->wsize == 0) 2060 goto ok; /* no need to check replay. */ 2061 2062 /* constant */ 2063 frlast = replay->wsize - 1; 2064 wsizeb = replay->wsize << 3; 2065 2066 /* sequence number of 0 is invalid */ 2067 if (seq == 0) 2068 return 1; 2069 2070 /* first time */ 2071 if (replay->count == 0) { 2072 replay->lastseq = seq; 2073 memset(replay->bitmap, 0, replay->wsize); 2074 (replay->bitmap)[frlast] = 1; 2075 goto ok; 2076 } 2077 2078 if (seq > replay->lastseq) { 2079 /* seq is larger than lastseq. */ 2080 diff = seq - replay->lastseq; 2081 2082 /* new larger sequence number */ 2083 if (diff < wsizeb) { 2084 /* In window */ 2085 /* set bit for this packet */ 2086 vshiftl(replay->bitmap, diff, replay->wsize); 2087 (replay->bitmap)[frlast] |= 1; 2088 } else { 2089 /* this packet has a "way larger" */ 2090 memset(replay->bitmap, 0, replay->wsize); 2091 (replay->bitmap)[frlast] = 1; 2092 } 2093 replay->lastseq = seq; 2094 2095 /* larger is good */ 2096 } else { 2097 /* seq is equal or less than lastseq. */ 2098 diff = replay->lastseq - seq; 2099 2100 /* over range to check, i.e. too old or wrapped */ 2101 if (diff >= wsizeb) 2102 return 1; 2103 2104 fr = frlast - diff / 8; 2105 2106 /* this packet already seen ? */ 2107 if ((replay->bitmap)[fr] & (1 << (diff % 8))) 2108 return 1; 2109 2110 /* mark as seen */ 2111 (replay->bitmap)[fr] |= (1 << (diff % 8)); 2112 2113 /* out of order but good */ 2114 } 2115 2116 ok: 2117 if (replay->count == ~0) { 2118 2119 /* set overflow flag */ 2120 replay->overflow++; 2121 2122 /* don't increment, no more packets accepted */ 2123 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) 2124 return 1; 2125 2126 IPSECLOG(LOG_WARNING, "replay counter made %d cycle. %s\n", 2127 replay->overflow, ipsec_logsastr(sav, buf, sizeof(buf))); 2128 } 2129 2130 replay->count++; 2131 2132 return 0; 2133 } 2134 2135 /* 2136 * shift variable length bunffer to left. 2137 * IN: bitmap: pointer to the buffer 2138 * nbit: the number of to shift. 2139 * wsize: buffer size (bytes). 2140 */ 2141 static void 2142 vshiftl(unsigned char *bitmap, int nbit, int wsize) 2143 { 2144 int s, j, i; 2145 unsigned char over; 2146 2147 for (j = 0; j < nbit; j += 8) { 2148 s = (nbit - j < 8) ? (nbit - j): 8; 2149 bitmap[0] <<= s; 2150 for (i = 1; i < wsize; i++) { 2151 over = (bitmap[i] >> (8 - s)); 2152 bitmap[i] <<= s; 2153 bitmap[i-1] |= over; 2154 } 2155 } 2156 2157 return; 2158 } 2159 2160 /* Return a printable string for the address. */ 2161 const char * 2162 ipsec_address(const union sockaddr_union *sa, char *buf, size_t size) 2163 { 2164 switch (sa->sa.sa_family) { 2165 #if INET 2166 case AF_INET: 2167 in_print(buf, size, &sa->sin.sin_addr); 2168 return buf; 2169 #endif /* INET */ 2170 2171 #if INET6 2172 case AF_INET6: 2173 in6_print(buf, size, &sa->sin6.sin6_addr); 2174 return buf; 2175 #endif /* INET6 */ 2176 2177 default: 2178 return "(unknown address family)"; 2179 } 2180 } 2181 2182 const char * 2183 ipsec_logsastr(const struct secasvar *sav, char *buf, size_t size) 2184 { 2185 const struct secasindex *saidx = &sav->sah->saidx; 2186 char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; 2187 2188 KASSERTMSG(saidx->src.sa.sa_family == saidx->dst.sa.sa_family, 2189 "af family mismatch, src %u, dst %u", 2190 saidx->src.sa.sa_family, saidx->dst.sa.sa_family); 2191 2192 snprintf(buf, size, "SA(SPI=%u src=%s dst=%s)", 2193 (u_int32_t)ntohl(sav->spi), 2194 ipsec_address(&saidx->src, sbuf, sizeof(sbuf)), 2195 ipsec_address(&saidx->dst, dbuf, sizeof(dbuf))); 2196 2197 return buf; 2198 } 2199 2200 void 2201 ipsec_dumpmbuf(struct mbuf *m) 2202 { 2203 int totlen; 2204 int i; 2205 u_char *p; 2206 2207 totlen = 0; 2208 printf("---\n"); 2209 while (m) { 2210 p = mtod(m, u_char *); 2211 for (i = 0; i < m->m_len; i++) { 2212 printf("%02x ", p[i]); 2213 totlen++; 2214 if (totlen % 16 == 0) 2215 printf("\n"); 2216 } 2217 m = m->m_next; 2218 } 2219 if (totlen % 16 != 0) 2220 printf("\n"); 2221 printf("---\n"); 2222 } 2223 2224 #ifdef INET6 2225 struct secpolicy * 2226 ipsec6_check_policy(struct mbuf *m, struct in6pcb *in6p, 2227 int flags, int *needipsecp, int *errorp) 2228 { 2229 struct secpolicy *sp = NULL; 2230 int s; 2231 int error = 0; 2232 int needipsec = 0; 2233 2234 if (!ipsec_outdone(m)) { 2235 s = splsoftnet(); 2236 if (in6p != NULL && 2237 ipsec_pcb_skip_ipsec(in6p->in6p_sp, IPSEC_DIR_OUTBOUND)) { 2238 splx(s); 2239 goto skippolicycheck; 2240 } 2241 sp = ipsec6_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error,in6p); 2242 2243 /* 2244 * There are four return cases: 2245 * sp != NULL apply IPsec policy 2246 * sp == NULL, error == 0 no IPsec handling needed 2247 * sp == NULL, error == -EINVAL discard packet w/o error 2248 * sp == NULL, error != 0 discard packet, report error 2249 */ 2250 2251 splx(s); 2252 if (sp == NULL) { 2253 /* 2254 * Caller must check the error return to see if it needs to discard 2255 * the packet. 2256 */ 2257 needipsec = 0; 2258 } else { 2259 needipsec = 1; 2260 } 2261 } 2262 skippolicycheck:; 2263 2264 *errorp = error; 2265 *needipsecp = needipsec; 2266 return sp; 2267 } 2268 2269 int 2270 ipsec6_input(struct mbuf *m) 2271 { 2272 struct secpolicy *sp; 2273 int s, error; 2274 2275 s = splsoftnet(); 2276 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 2277 if (sp != NULL) { 2278 /* 2279 * Check security policy against packet 2280 * attributes. 2281 */ 2282 error = ipsec_in_reject(sp, m); 2283 KEY_FREESP(&sp); 2284 } else { 2285 /* XXX error stat??? */ 2286 error = EINVAL; 2287 IPSECLOG(LOG_DEBUG, "no SP, packet discarded\n");/*XXX*/ 2288 } 2289 splx(s); 2290 2291 return error; 2292 } 2293 #endif /* INET6 */ 2294 2295 2296 2297 /* XXX this stuff doesn't belong here... */ 2298 2299 static struct xformsw *xforms = NULL; 2300 2301 /* 2302 * Register a transform; typically at system startup. 2303 */ 2304 void 2305 xform_register(struct xformsw *xsp) 2306 { 2307 xsp->xf_next = xforms; 2308 xforms = xsp; 2309 } 2310 2311 /* 2312 * Initialize transform support in an sav. 2313 */ 2314 int 2315 xform_init(struct secasvar *sav, int xftype) 2316 { 2317 struct xformsw *xsp; 2318 2319 if (sav->tdb_xform != NULL) /* previously initialized */ 2320 return 0; 2321 for (xsp = xforms; xsp; xsp = xsp->xf_next) 2322 if (xsp->xf_type == xftype) 2323 return (*xsp->xf_init)(sav, xsp); 2324 2325 IPSECLOG(LOG_DEBUG, "no match for xform type %d\n", xftype); 2326 return EINVAL; 2327 } 2328 2329 void 2330 nat_t_ports_get(struct mbuf *m, u_int16_t *dport, u_int16_t *sport) { 2331 struct m_tag *tag; 2332 2333 if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) { 2334 *sport = ((u_int16_t *)(tag + 1))[0]; 2335 *dport = ((u_int16_t *)(tag + 1))[1]; 2336 } else 2337 *sport = *dport = 0; 2338 } 2339 2340 /* 2341 * XXXJRT This should be done as a protosw init call. 2342 */ 2343 void 2344 ipsec_attach(void) 2345 { 2346 2347 ipsecstat_percpu = percpu_alloc(sizeof(uint64_t) * IPSEC_NSTATS); 2348 2349 sysctl_net_inet_ipsec_setup(NULL); 2350 #ifdef INET6 2351 sysctl_net_inet6_ipsec6_setup(NULL); 2352 #endif 2353 2354 ah_attach(); 2355 esp_attach(); 2356 ipcomp_attach(); 2357 ipe4_attach(); 2358 #ifdef TCP_SIGNATURE 2359 tcpsignature_attach(); 2360 #endif 2361 } 2362
Indexes created Mon Sep 22 13:09:51 GMT 2025