ipsec.c revision 1.126
1 /* $NetBSD: ipsec.c,v 1.126 2018/02/16 08:51:28 maxv Exp $ */ 2 /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ 3 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.126 2018/02/16 08:51:28 maxv Exp $"); 36 37 /* 38 * IPsec controller part. 39 */ 40 41 #if defined(_KERNEL_OPT) 42 #include "opt_inet.h" 43 #include "opt_ipsec.h" 44 #endif 45 46 #include <sys/param.h> 47 #include <sys/systm.h> 48 #include <sys/mbuf.h> 49 #include <sys/domain.h> 50 #include <sys/protosw.h> 51 #include <sys/socket.h> 52 #include <sys/socketvar.h> 53 #include <sys/errno.h> 54 #include <sys/time.h> 55 #include <sys/kernel.h> 56 #include <sys/syslog.h> 57 #include <sys/sysctl.h> 58 #include <sys/proc.h> 59 #include <sys/kauth.h> 60 #include <sys/cpu.h> 61 #include <sys/kmem.h> 62 #include <sys/pserialize.h> 63 64 #include <net/if.h> 65 #include <net/route.h> 66 67 #include <netinet/in.h> 68 #include <netinet/in_systm.h> 69 #include <netinet/ip.h> 70 #include <netinet/ip_var.h> 71 #include <netinet/in_var.h> 72 #include <netinet/udp.h> 73 #include <netinet/udp_var.h> 74 #include <netinet/tcp.h> 75 #include <netinet/udp.h> 76 #include <netinet/ip_icmp.h> 77 #include <netinet/ip_private.h> 78 79 #include <netinet/ip6.h> 80 #ifdef INET6 81 #include <netinet6/ip6_var.h> 82 #endif 83 #include <netinet/in_pcb.h> 84 #ifdef INET6 85 #include <netinet6/in6_pcb.h> 86 #include <netinet/icmp6.h> 87 #endif 88 89 #include <netipsec/ipsec.h> 90 #include <netipsec/ipsec_var.h> 91 #include <netipsec/ipsec_private.h> 92 #ifdef INET6 93 #include <netipsec/ipsec6.h> 94 #endif 95 #include <netipsec/ah_var.h> 96 #include <netipsec/esp_var.h> 97 #include <netipsec/ipcomp.h> /*XXX*/ 98 #include <netipsec/ipcomp_var.h> 99 100 #include <netipsec/key.h> 101 #include <netipsec/keydb.h> 102 #include <netipsec/key_debug.h> 103 104 #include <netipsec/xform.h> 105 106 int ipsec_used = 0; 107 int ipsec_enabled = 1; 108 109 #ifdef IPSEC_DEBUG 110 int ipsec_debug = 1; 111 112 /* 113 * When set to 1, IPsec will send packets with the same sequence number. 114 * This allows to verify if the other side has proper replay attacks detection. 115 */ 116 int ipsec_replay = 0; 117 118 /* 119 * When set 1, IPsec will send packets with corrupted HMAC. 120 * This allows to verify if the other side properly detects modified packets. 121 */ 122 int ipsec_integrity = 0; 123 #else 124 int ipsec_debug = 0; 125 #endif 126 127 percpu_t *ipsecstat_percpu; 128 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ 129 int ip4_ipsec_dfbit = 2; /* DF bit on encap. 0: clear 1: set 2: copy */ 130 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; 131 int ip4_esp_net_deflev = IPSEC_LEVEL_USE; 132 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; 133 int ip4_ah_net_deflev = IPSEC_LEVEL_USE; 134 struct secpolicy ip4_def_policy; 135 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 136 137 u_int ipsec_spdgen = 1; /* SPD generation # */ 138 139 static struct secpolicy ipsec_dummy_sp __read_mostly = { 140 .state = IPSEC_SPSTATE_ALIVE, 141 /* If ENTRUST, the dummy SP never be used. See ipsec_getpolicybysock. */ 142 .policy = IPSEC_POLICY_ENTRUST, 143 }; 144 145 static struct secpolicy *ipsec_checkpcbcache (struct mbuf *, 146 struct inpcbpolicy *, int); 147 static int ipsec_fillpcbcache (struct inpcbpolicy *, struct mbuf *, 148 struct secpolicy *, int); 149 static int ipsec_invalpcbcache (struct inpcbpolicy *, int); 150 151 /* 152 * Crypto support requirements: 153 * 154 * 1 require hardware support 155 * -1 require software support 156 * 0 take anything 157 */ 158 int crypto_support = 0; 159 160 static struct secpolicy *ipsec_getpolicybysock(struct mbuf *, u_int, 161 struct inpcb_hdr *, int *); 162 163 #ifdef __FreeBSD__ 164 /* net.inet.ipsec */ 165 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, 166 crypto_support, CTLFLAG_RW, &crypto_support,0, ""); 167 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, &ipsec_replay, 0, 168 "Emulate replay attack"); 169 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW, 170 &ipsec_integrity, 0, "Emulate man-in-the-middle attack"); 171 #endif /* __FreeBSD__ */ 172 173 #ifdef INET6 174 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; 175 int ip6_esp_net_deflev = IPSEC_LEVEL_USE; 176 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 177 int ip6_ah_net_deflev = IPSEC_LEVEL_USE; 178 struct secpolicy ip6_def_policy; 179 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 180 #endif /* INET6 */ 181 182 static int ipsec4_setspidx_inpcb (struct mbuf *, struct inpcb *); 183 #ifdef INET6 184 static int ipsec6_setspidx_in6pcb (struct mbuf *, struct in6pcb *); 185 #endif 186 static int ipsec_setspidx (struct mbuf *, struct secpolicyindex *, int); 187 static void ipsec4_get_ulp (struct mbuf *m, struct secpolicyindex *, int); 188 static int ipsec4_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *); 189 #ifdef INET6 190 static void ipsec6_get_ulp (struct mbuf *m, struct secpolicyindex *, int); 191 static int ipsec6_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *); 192 #endif 193 static void ipsec_delpcbpolicy (struct inpcbpolicy *); 194 #if 0 /* unused */ 195 static struct secpolicy *ipsec_deepcopy_policy (const struct secpolicy *); 196 #endif 197 static int ipsec_set_policy (struct secpolicy **, int, const void *, size_t, 198 kauth_cred_t); 199 static int ipsec_get_policy (struct secpolicy *, struct mbuf **); 200 static void ipsec_destroy_policy(struct secpolicy *); 201 static void vshiftl (unsigned char *, int, int); 202 static size_t ipsec_hdrsiz(const struct secpolicy *, const struct mbuf *); 203 204 /* 205 * Try to validate and use cached policy on a PCB. 206 */ 207 static struct secpolicy * 208 ipsec_checkpcbcache(struct mbuf *m, struct inpcbpolicy *pcbsp, int dir) 209 { 210 struct secpolicyindex spidx; 211 struct secpolicy *sp = NULL; 212 int s; 213 214 KASSERT(IPSEC_DIR_IS_VALID(dir)); 215 KASSERT(pcbsp != NULL); 216 KASSERT(dir < __arraycount(pcbsp->sp_cache)); 217 KASSERT(inph_locked(pcbsp->sp_inph)); 218 219 /* 220 * Checking the generation and sp->state and taking a reference to an SP 221 * must be in a critical section of pserialize. See key_unlink_sp. 222 */ 223 s = pserialize_read_enter(); 224 /* SPD table change invalidate all the caches. */ 225 if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) { 226 ipsec_invalpcbcache(pcbsp, dir); 227 goto out; 228 } 229 sp = pcbsp->sp_cache[dir].cachesp; 230 if (sp == NULL) 231 goto out; 232 if (sp->state != IPSEC_SPSTATE_ALIVE) { 233 sp = NULL; 234 ipsec_invalpcbcache(pcbsp, dir); 235 goto out; 236 } 237 if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) { 238 /* NB: assume ipsec_setspidx never sleep */ 239 if (ipsec_setspidx(m, &spidx, 1) != 0) { 240 sp = NULL; 241 goto out; 242 } 243 244 /* 245 * We have to make an exact match here since the cached rule 246 * might have lower priority than a rule that would otherwise 247 * have matched the packet. 248 */ 249 if (memcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx, 250 sizeof(spidx))) { 251 sp = NULL; 252 goto out; 253 } 254 } else { 255 /* 256 * The pcb is connected, and the L4 code is sure that: 257 * - outgoing side uses inp_[lf]addr 258 * - incoming side looks up policy after inpcb lookup 259 * and address pair is know to be stable. We do not need 260 * to generate spidx again, nor check the address match again. 261 * 262 * For IPv4/v6 SOCK_STREAM sockets, this assumptions holds 263 * and there are calls to ipsec_pcbconn() from in_pcbconnect(). 264 */ 265 } 266 267 sp->lastused = time_second; 268 KEY_SP_REF(sp); 269 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, 270 "DP cause refcnt++:%d SP:%p\n", 271 key_sp_refcnt(sp), pcbsp->sp_cache[dir].cachesp); 272 out: 273 pserialize_read_exit(s); 274 return sp; 275 } 276 277 static int 278 ipsec_fillpcbcache(struct inpcbpolicy *pcbsp, struct mbuf *m, 279 struct secpolicy *sp, int dir) 280 { 281 282 KASSERT(IPSEC_DIR_IS_INOROUT(dir)); 283 KASSERT(dir < __arraycount(pcbsp->sp_cache)); 284 KASSERT(inph_locked(pcbsp->sp_inph)); 285 286 pcbsp->sp_cache[dir].cachesp = NULL; 287 pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_UNKNOWN; 288 if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, 1) != 0) { 289 return EINVAL; 290 } 291 pcbsp->sp_cache[dir].cachesp = sp; 292 if (pcbsp->sp_cache[dir].cachesp) { 293 /* 294 * If the PCB is connected, we can remember a hint to 295 * possibly short-circuit IPsec processing in other places. 296 */ 297 if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) { 298 switch (pcbsp->sp_cache[dir].cachesp->policy) { 299 case IPSEC_POLICY_NONE: 300 case IPSEC_POLICY_BYPASS: 301 pcbsp->sp_cache[dir].cachehint = 302 IPSEC_PCBHINT_NO; 303 break; 304 default: 305 pcbsp->sp_cache[dir].cachehint = 306 IPSEC_PCBHINT_YES; 307 } 308 } 309 } 310 pcbsp->sp_cache[dir].cachegen = ipsec_spdgen; 311 312 return 0; 313 } 314 315 static int 316 ipsec_invalpcbcache(struct inpcbpolicy *pcbsp, int dir) 317 { 318 int i; 319 320 KASSERT(inph_locked(pcbsp->sp_inph)); 321 322 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) { 323 if (dir != IPSEC_DIR_ANY && i != dir) 324 continue; 325 pcbsp->sp_cache[i].cachesp = NULL; 326 pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_UNKNOWN; 327 pcbsp->sp_cache[i].cachegen = 0; 328 memset(&pcbsp->sp_cache[i].cacheidx, 0, 329 sizeof(pcbsp->sp_cache[i].cacheidx)); 330 } 331 return 0; 332 } 333 334 void 335 ipsec_pcbconn(struct inpcbpolicy *pcbsp) 336 { 337 338 KASSERT(inph_locked(pcbsp->sp_inph)); 339 340 pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED; 341 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 342 } 343 344 void 345 ipsec_pcbdisconn(struct inpcbpolicy *pcbsp) 346 { 347 348 KASSERT(inph_locked(pcbsp->sp_inph)); 349 350 pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED; 351 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 352 } 353 354 void 355 ipsec_invalpcbcacheall(void) 356 { 357 358 if (ipsec_spdgen == UINT_MAX) 359 ipsec_spdgen = 1; 360 else 361 ipsec_spdgen++; 362 } 363 364 /* 365 * Return a held reference to the default SP. 366 */ 367 static struct secpolicy * 368 key_get_default_sp(int af, const char *where, int tag) 369 { 370 struct secpolicy *sp; 371 372 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag); 373 374 switch(af) { 375 case AF_INET: 376 sp = &ip4_def_policy; 377 break; 378 #ifdef INET6 379 case AF_INET6: 380 sp = &ip6_def_policy; 381 break; 382 #endif 383 default: 384 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, 385 "unexpected protocol family %u\n", af); 386 return NULL; 387 } 388 389 if (sp->policy != IPSEC_POLICY_DISCARD && 390 sp->policy != IPSEC_POLICY_NONE) { 391 IPSECLOG(LOG_INFO, "fixed system default policy: %d->%d\n", 392 sp->policy, IPSEC_POLICY_NONE); 393 sp->policy = IPSEC_POLICY_NONE; 394 } 395 KEY_SP_REF(sp); 396 397 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP returns SP:%p (%u)\n", 398 sp, key_sp_refcnt(sp)); 399 return sp; 400 } 401 #define KEY_GET_DEFAULT_SP(af) \ 402 key_get_default_sp((af), __func__, __LINE__) 403 404 /* 405 * For OUTBOUND packet having a socket. Searching SPD for packet, 406 * and return a pointer to SP. 407 * OUT: NULL: no apropreate SP found, the following value is set to error. 408 * 0 : bypass 409 * EACCES : discard packet. 410 * ENOENT : ipsec_acquire() in progress, maybe. 411 * others : error occurred. 412 * others: a pointer to SP 413 * 414 * NOTE: IPv6 mapped address concern is implemented here. 415 */ 416 static struct secpolicy * 417 ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb_hdr *inph, 418 int *error) 419 { 420 struct inpcbpolicy *pcbsp = NULL; 421 struct secpolicy *currsp = NULL; /* policy on socket */ 422 struct secpolicy *sp; 423 int af; 424 425 KASSERT(m != NULL); 426 KASSERT(inph != NULL); 427 KASSERT(error != NULL); 428 KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir); 429 430 KASSERT(inph->inph_socket != NULL); 431 KASSERT(inph_locked(inph)); 432 433 /* XXX FIXME inpcb/in6pcb vs socket*/ 434 af = inph->inph_af; 435 KASSERTMSG(af == AF_INET || af == AF_INET6, 436 "unexpected protocol family %u", af); 437 438 KASSERT(inph->inph_sp != NULL); 439 /* If we have a cached entry, and if it is still valid, use it. */ 440 IPSEC_STATINC(IPSEC_STAT_SPDCACHELOOKUP); 441 currsp = ipsec_checkpcbcache(m, inph->inph_sp, dir); 442 if (currsp) { 443 *error = 0; 444 return currsp; 445 } 446 IPSEC_STATINC(IPSEC_STAT_SPDCACHEMISS); 447 448 switch (af) { 449 case AF_INET: { 450 struct inpcb *in4p = (struct inpcb *)inph; 451 /* set spidx in pcb */ 452 *error = ipsec4_setspidx_inpcb(m, in4p); 453 pcbsp = in4p->inp_sp; 454 break; 455 } 456 457 #if defined(INET6) 458 case AF_INET6: { 459 struct in6pcb *in6p = (struct in6pcb *)inph; 460 /* set spidx in pcb */ 461 *error = ipsec6_setspidx_in6pcb(m, in6p); 462 pcbsp = in6p->in6p_sp; 463 break; 464 } 465 #endif 466 default: 467 *error = EPFNOSUPPORT; 468 break; 469 } 470 if (*error) 471 return NULL; 472 473 KASSERT(pcbsp != NULL); 474 switch (dir) { 475 case IPSEC_DIR_INBOUND: 476 currsp = pcbsp->sp_in; 477 break; 478 case IPSEC_DIR_OUTBOUND: 479 currsp = pcbsp->sp_out; 480 break; 481 } 482 KASSERT(currsp != NULL); 483 484 if (pcbsp->priv) { /* when privilieged socket */ 485 switch (currsp->policy) { 486 case IPSEC_POLICY_BYPASS: 487 case IPSEC_POLICY_IPSEC: 488 KEY_SP_REF(currsp); 489 sp = currsp; 490 break; 491 492 case IPSEC_POLICY_ENTRUST: 493 /* look for a policy in SPD */ 494 sp = KEY_LOOKUP_SP_BYSPIDX(&currsp->spidx, dir); 495 if (sp == NULL) /* no SP found */ 496 sp = KEY_GET_DEFAULT_SP(af); 497 break; 498 499 default: 500 IPSECLOG(LOG_ERR, "Invalid policy for PCB %d\n", 501 currsp->policy); 502 *error = EINVAL; 503 return NULL; 504 } 505 } else { /* unpriv, SPD has policy */ 506 sp = KEY_LOOKUP_SP_BYSPIDX(&currsp->spidx, dir); 507 if (sp == NULL) { /* no SP found */ 508 switch (currsp->policy) { 509 case IPSEC_POLICY_BYPASS: 510 IPSECLOG(LOG_ERR, "Illegal policy for " 511 "non-priviliged defined %d\n", 512 currsp->policy); 513 *error = EINVAL; 514 return NULL; 515 516 case IPSEC_POLICY_ENTRUST: 517 sp = KEY_GET_DEFAULT_SP(af); 518 break; 519 520 case IPSEC_POLICY_IPSEC: 521 KEY_SP_REF(currsp); 522 sp = currsp; 523 break; 524 525 default: 526 IPSECLOG(LOG_ERR, "Invalid policy for " 527 "PCB %d\n", currsp->policy); 528 *error = EINVAL; 529 return NULL; 530 } 531 } 532 } 533 KASSERTMSG(sp != NULL, "null SP (priv %u policy %u", pcbsp->priv, 534 currsp->policy); 535 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, 536 "DP (priv %u policy %u) allocates SP:%p (refcnt %u)\n", 537 pcbsp->priv, currsp->policy, sp, key_sp_refcnt(sp)); 538 ipsec_fillpcbcache(pcbsp, m, sp, dir); 539 return sp; 540 } 541 542 /* 543 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 544 * and return a pointer to SP. 545 * OUT: positive: a pointer to the entry for security policy leaf matched. 546 * NULL: no apropreate SP found, the following value is set to error. 547 * 0 : bypass 548 * EACCES : discard packet. 549 * ENOENT : ipsec_acquire() in progress, maybe. 550 * others : error occurred. 551 */ 552 struct secpolicy * 553 ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error) 554 { 555 struct secpolicyindex spidx; 556 struct secpolicy *sp; 557 558 KASSERT(m != NULL); 559 KASSERT(error != NULL); 560 KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir); 561 562 sp = NULL; 563 564 /* Make an index to look for a policy. */ 565 *error = ipsec_setspidx(m, &spidx, (flag & IP_FORWARDING) ? 0 : 1); 566 if (*error != 0) { 567 IPSECLOG(LOG_DEBUG, "setpidx failed, dir %u flag %u\n", dir, flag); 568 memset(&spidx, 0, sizeof (spidx)); 569 return NULL; 570 } 571 572 spidx.dir = dir; 573 574 if (key_havesp(dir)) { 575 sp = KEY_LOOKUP_SP_BYSPIDX(&spidx, dir); 576 } 577 578 if (sp == NULL) /* no SP found, use system default */ 579 sp = KEY_GET_DEFAULT_SP(spidx.dst.sa.sa_family); 580 KASSERT(sp != NULL); 581 return sp; 582 } 583 584 struct secpolicy * 585 ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, 586 struct inpcb *inp) 587 { 588 struct secpolicy *sp; 589 590 *error = 0; 591 592 if (inp == NULL) { 593 sp = ipsec_getpolicybyaddr(m, dir, flag, error); 594 } else { 595 KASSERT(inp->inp_socket != NULL); 596 sp = ipsec_getpolicybysock(m, dir, (struct inpcb_hdr *)inp, error); 597 } 598 if (sp == NULL) { 599 KASSERTMSG(*error != 0, "getpolicy failed w/o error"); 600 IPSEC_STATINC(IPSEC_STAT_OUT_INVAL); 601 return NULL; 602 } 603 KASSERTMSG(*error == 0, "sp w/ error set to %u", *error); 604 switch (sp->policy) { 605 case IPSEC_POLICY_ENTRUST: 606 default: 607 printf("%s: invalid policy %u\n", __func__, sp->policy); 608 /* fall thru... */ 609 case IPSEC_POLICY_DISCARD: 610 IPSEC_STATINC(IPSEC_STAT_OUT_POLVIO); 611 *error = -EINVAL; /* packet is discarded by caller */ 612 break; 613 case IPSEC_POLICY_BYPASS: 614 case IPSEC_POLICY_NONE: 615 KEY_SP_UNREF(&sp); 616 sp = NULL; /* NB: force NULL result */ 617 break; 618 case IPSEC_POLICY_IPSEC: 619 KASSERT(sp->req != NULL); 620 break; 621 } 622 if (*error != 0) { 623 KEY_SP_UNREF(&sp); 624 sp = NULL; 625 IPSECLOG(LOG_DEBUG, "done, error %d\n", *error); 626 } 627 return sp; 628 } 629 630 int 631 ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags, 632 u_long *mtu, bool *natt_frag, bool *done) 633 { 634 struct secpolicy *sp = NULL; 635 int error, s; 636 637 /* 638 * Check the security policy (SP) for the packet and, if required, 639 * do IPsec-related processing. There are two cases here; the first 640 * time a packet is sent through it will be untagged and handled by 641 * ipsec4_checkpolicy(). If the packet is resubmitted to ip_output 642 * (e.g. after AH, ESP, etc. processing), there will be a tag to 643 * bypass the lookup and related policy checking. 644 */ 645 if (ipsec_outdone(m)) { 646 return 0; 647 } 648 s = splsoftnet(); 649 if (inp && ipsec_pcb_skip_ipsec(inp->inp_sp, IPSEC_DIR_OUTBOUND)) { 650 splx(s); 651 return 0; 652 } 653 sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, inp); 654 655 /* 656 * There are four return cases: 657 * sp != NULL apply IPsec policy 658 * sp == NULL, error == 0 no IPsec handling needed 659 * sp == NULL, error == -EINVAL discard packet w/o error 660 * sp == NULL, error != 0 discard packet, report error 661 */ 662 if (sp == NULL) { 663 splx(s); 664 if (error) { 665 /* 666 * Hack: -EINVAL is used to signal that a packet 667 * should be silently discarded. This is typically 668 * because we asked key management for an SA and 669 * it was delayed (e.g. kicked up to IKE). 670 */ 671 if (error == -EINVAL) 672 error = 0; 673 m_freem(m); 674 *done = true; 675 return error; 676 } 677 /* No IPsec processing for this packet. */ 678 return 0; 679 } 680 681 /* 682 * Do delayed checksums now because we send before 683 * this is done in the normal processing path. 684 */ 685 if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) { 686 in_delayed_cksum(m); 687 m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4|M_CSUM_UDPv4); 688 } 689 690 { 691 u_long _mtu = 0; 692 693 /* Note: callee frees mbuf */ 694 error = ipsec4_process_packet(m, sp->req, &_mtu); 695 696 if (error == 0 && _mtu != 0) { 697 /* 698 * NAT-T ESP fragmentation: do not do IPSec processing 699 * now, we will do it on each fragmented packet. 700 */ 701 *mtu = _mtu; 702 *natt_frag = true; 703 KEY_SP_UNREF(&sp); 704 splx(s); 705 return 0; 706 } 707 } 708 /* 709 * Preserve KAME behaviour: ENOENT can be returned 710 * when an SA acquire is in progress. Don't propagate 711 * this to user-level; it confuses applications. 712 * 713 * XXX this will go away when the SADB is redone. 714 */ 715 if (error == ENOENT) 716 error = 0; 717 KEY_SP_UNREF(&sp); 718 splx(s); 719 *done = true; 720 return error; 721 } 722 723 int 724 ipsec4_input(struct mbuf *m, int flags) 725 { 726 struct secpolicy *sp; 727 int error, s; 728 729 s = splsoftnet(); 730 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 731 if (sp == NULL) { 732 splx(s); 733 return EINVAL; 734 } 735 736 /* 737 * Check security policy against packet attributes. 738 */ 739 error = ipsec_in_reject(sp, m); 740 KEY_SP_UNREF(&sp); 741 splx(s); 742 if (error) { 743 return error; 744 } 745 746 if (flags == 0) { 747 /* We are done. */ 748 return 0; 749 } 750 751 /* 752 * Peek at the outbound SP for this packet to determine if 753 * it is a Fast Forward candidate. 754 */ 755 s = splsoftnet(); 756 sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, NULL); 757 if (sp != NULL) { 758 m->m_flags &= ~M_CANFASTFWD; 759 KEY_SP_UNREF(&sp); 760 } 761 splx(s); 762 return 0; 763 } 764 765 int 766 ipsec4_forward(struct mbuf *m, int *destmtu) 767 { 768 /* 769 * If the packet is routed over IPsec tunnel, tell the 770 * originator the tunnel MTU. 771 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz 772 * XXX quickhack!!! 773 */ 774 struct secpolicy *sp; 775 size_t ipsechdr; 776 int error; 777 778 sp = ipsec4_getpolicybyaddr(m, 779 IPSEC_DIR_OUTBOUND, IP_FORWARDING, &error); 780 if (sp == NULL) { 781 return EINVAL; 782 } 783 784 /* Count IPsec header size. */ 785 ipsechdr = ipsec4_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL); 786 787 /* 788 * Find the correct route for outer IPv4 header, compute tunnel MTU. 789 */ 790 if (sp->req) { 791 struct secasvar *sav; 792 793 sav = ipsec_lookup_sa(sp->req, m); 794 if (sav != NULL) { 795 struct route *ro; 796 struct rtentry *rt; 797 798 ro = &sav->sah->sa_route; 799 rt = rtcache_validate(ro); 800 if (rt && rt->rt_ifp) { 801 *destmtu = rt->rt_rmx.rmx_mtu ? 802 rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu; 803 *destmtu -= ipsechdr; 804 } 805 rtcache_unref(rt, ro); 806 KEY_SA_UNREF(&sav); 807 } 808 } 809 KEY_SP_UNREF(&sp); 810 return 0; 811 } 812 813 #ifdef INET6 814 struct secpolicy * 815 ipsec6_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, 816 struct in6pcb *in6p) 817 { 818 struct secpolicy *sp; 819 820 *error = 0; 821 822 if (in6p == NULL) { 823 sp = ipsec_getpolicybyaddr(m, dir, flag, error); 824 } else { 825 KASSERT(in6p->in6p_socket != NULL); 826 sp = ipsec_getpolicybysock(m, dir, (struct inpcb_hdr *)in6p, error); 827 } 828 if (sp == NULL) { 829 KASSERTMSG(*error != 0, "getpolicy failed w/o error"); 830 IPSEC_STATINC(IPSEC_STAT_OUT_INVAL); 831 return NULL; 832 } 833 KASSERTMSG(*error == 0, "sp w/ error set to %u", *error); 834 switch (sp->policy) { 835 case IPSEC_POLICY_ENTRUST: 836 default: 837 printf("%s: invalid policy %u\n", __func__, sp->policy); 838 /* fall thru... */ 839 case IPSEC_POLICY_DISCARD: 840 IPSEC_STATINC(IPSEC_STAT_OUT_POLVIO); 841 *error = -EINVAL; /* packet is discarded by caller */ 842 break; 843 case IPSEC_POLICY_BYPASS: 844 case IPSEC_POLICY_NONE: 845 KEY_SP_UNREF(&sp); 846 sp = NULL; /* NB: force NULL result */ 847 break; 848 case IPSEC_POLICY_IPSEC: 849 KASSERT(sp->req != NULL); 850 break; 851 } 852 if (*error != 0) { 853 KEY_SP_UNREF(&sp); 854 sp = NULL; 855 IPSECLOG(LOG_DEBUG, "done, error %d\n", *error); 856 } 857 return sp; 858 } 859 #endif /* INET6 */ 860 861 static int 862 ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb) 863 { 864 int error; 865 866 KASSERT(pcb != NULL); 867 KASSERT(pcb->inp_sp != NULL); 868 KASSERT(pcb->inp_sp->sp_out != NULL); 869 KASSERT(pcb->inp_sp->sp_in != NULL); 870 871 error = ipsec_setspidx(m, &pcb->inp_sp->sp_in->spidx, 1); 872 if (error == 0) { 873 pcb->inp_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND; 874 pcb->inp_sp->sp_out->spidx = pcb->inp_sp->sp_in->spidx; 875 pcb->inp_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND; 876 } else { 877 memset(&pcb->inp_sp->sp_in->spidx, 0, 878 sizeof(pcb->inp_sp->sp_in->spidx)); 879 memset(&pcb->inp_sp->sp_out->spidx, 0, 880 sizeof(pcb->inp_sp->sp_in->spidx)); 881 } 882 return error; 883 } 884 885 #ifdef INET6 886 static int 887 ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb) 888 { 889 struct secpolicyindex *spidx; 890 int error; 891 892 KASSERT(pcb != NULL); 893 KASSERT(pcb->in6p_sp != NULL); 894 KASSERT(pcb->in6p_sp->sp_out != NULL); 895 KASSERT(pcb->in6p_sp->sp_in != NULL); 896 897 memset(&pcb->in6p_sp->sp_in->spidx, 0, sizeof(*spidx)); 898 memset(&pcb->in6p_sp->sp_out->spidx, 0, sizeof(*spidx)); 899 900 spidx = &pcb->in6p_sp->sp_in->spidx; 901 error = ipsec_setspidx(m, spidx, 1); 902 if (error) 903 goto bad; 904 spidx->dir = IPSEC_DIR_INBOUND; 905 906 spidx = &pcb->in6p_sp->sp_out->spidx; 907 error = ipsec_setspidx(m, spidx, 1); 908 if (error) 909 goto bad; 910 spidx->dir = IPSEC_DIR_OUTBOUND; 911 912 return 0; 913 914 bad: 915 memset(&pcb->in6p_sp->sp_in->spidx, 0, sizeof(*spidx)); 916 memset(&pcb->in6p_sp->sp_out->spidx, 0, sizeof(*spidx)); 917 return error; 918 } 919 #endif 920 921 /* 922 * configure security policy index (src/dst/proto/sport/dport) 923 * by looking at the content of mbuf. 924 * the caller is responsible for error recovery (like clearing up spidx). 925 */ 926 static int 927 ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport) 928 { 929 struct ip *ip = NULL; 930 struct ip ipbuf; 931 u_int v; 932 struct mbuf *n; 933 int len; 934 int error; 935 936 KASSERT(m != NULL); 937 938 /* 939 * validate m->m_pkthdr.len. we see incorrect length if we 940 * mistakenly call this function with inconsistent mbuf chain 941 * (like 4.4BSD tcp/udp processing). XXX should we panic here? 942 */ 943 len = 0; 944 for (n = m; n; n = n->m_next) 945 len += n->m_len; 946 if (m->m_pkthdr.len != len) { 947 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, 948 "total of m_len(%d) != pkthdr.len(%d), ignored.\n", 949 len, m->m_pkthdr.len); 950 return EINVAL; 951 } 952 953 if (m->m_pkthdr.len < sizeof(struct ip)) { 954 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, 955 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n", 956 m->m_pkthdr.len); 957 return EINVAL; 958 } 959 960 if (m->m_len >= sizeof(*ip)) 961 ip = mtod(m, struct ip *); 962 else { 963 m_copydata(m, 0, sizeof(ipbuf), &ipbuf); 964 ip = &ipbuf; 965 } 966 v = ip->ip_v; 967 switch (v) { 968 case 4: 969 error = ipsec4_setspidx_ipaddr(m, spidx); 970 if (error) 971 return error; 972 ipsec4_get_ulp(m, spidx, needport); 973 return 0; 974 #ifdef INET6 975 case 6: 976 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 977 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, 978 "pkthdr.len(%d) < sizeof(struct ip6_hdr), " 979 "ignored.\n", m->m_pkthdr.len); 980 return EINVAL; 981 } 982 error = ipsec6_setspidx_ipaddr(m, spidx); 983 if (error) 984 return error; 985 ipsec6_get_ulp(m, spidx, needport); 986 return 0; 987 #endif 988 default: 989 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, 990 "unknown IP version %u, ignored.\n", v); 991 return EINVAL; 992 } 993 } 994 995 static void 996 ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport) 997 { 998 u_int8_t nxt; 999 int off; 1000 1001 /* sanity check */ 1002 KASSERT(m != NULL); 1003 KASSERTMSG(m->m_pkthdr.len >= sizeof(struct ip), "packet too short"); 1004 1005 /* NB: ip_input() flips it into host endian XXX need more checking */ 1006 if (m->m_len >= sizeof(struct ip)) { 1007 struct ip *ip = mtod(m, struct ip *); 1008 if (ip->ip_off & htons(IP_MF | IP_OFFMASK)) 1009 goto done; 1010 off = ip->ip_hl << 2; 1011 nxt = ip->ip_p; 1012 } else { 1013 struct ip ih; 1014 1015 m_copydata(m, 0, sizeof (struct ip), &ih); 1016 if (ih.ip_off & htons(IP_MF | IP_OFFMASK)) 1017 goto done; 1018 off = ih.ip_hl << 2; 1019 nxt = ih.ip_p; 1020 } 1021 1022 while (off < m->m_pkthdr.len) { 1023 struct ip6_ext ip6e; 1024 struct tcphdr th; 1025 struct udphdr uh; 1026 struct icmp icmph; 1027 1028 switch (nxt) { 1029 case IPPROTO_TCP: 1030 spidx->ul_proto = nxt; 1031 if (!needport) 1032 goto done_proto; 1033 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1034 goto done; 1035 m_copydata(m, off, sizeof (th), &th); 1036 spidx->src.sin.sin_port = th.th_sport; 1037 spidx->dst.sin.sin_port = th.th_dport; 1038 return; 1039 case IPPROTO_UDP: 1040 spidx->ul_proto = nxt; 1041 if (!needport) 1042 goto done_proto; 1043 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1044 goto done; 1045 m_copydata(m, off, sizeof (uh), &uh); 1046 spidx->src.sin.sin_port = uh.uh_sport; 1047 spidx->dst.sin.sin_port = uh.uh_dport; 1048 return; 1049 case IPPROTO_AH: 1050 if (m->m_pkthdr.len > off + sizeof(ip6e)) 1051 goto done; 1052 /* XXX sigh, this works but is totally bogus */ 1053 m_copydata(m, off, sizeof(ip6e), &ip6e); 1054 off += (ip6e.ip6e_len + 2) << 2; 1055 nxt = ip6e.ip6e_nxt; 1056 break; 1057 case IPPROTO_ICMP: 1058 spidx->ul_proto = nxt; 1059 if (off + sizeof(struct icmp) > m->m_pkthdr.len) 1060 return; 1061 m_copydata(m, off, sizeof(icmph), &icmph); 1062 ((struct sockaddr_in *)&spidx->src)->sin_port = 1063 htons((uint16_t)icmph.icmp_type); 1064 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1065 htons((uint16_t)icmph.icmp_code); 1066 return; 1067 default: 1068 /* XXX intermediate headers??? */ 1069 spidx->ul_proto = nxt; 1070 goto done_proto; 1071 } 1072 } 1073 done: 1074 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1075 done_proto: 1076 spidx->src.sin.sin_port = IPSEC_PORT_ANY; 1077 spidx->dst.sin.sin_port = IPSEC_PORT_ANY; 1078 } 1079 1080 /* assumes that m is sane */ 1081 static int 1082 ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx) 1083 { 1084 static const struct sockaddr_in template = { 1085 sizeof (struct sockaddr_in), 1086 AF_INET, 1087 0, { 0 }, { 0, 0, 0, 0, 0, 0, 0, 0 } 1088 }; 1089 1090 spidx->src.sin = template; 1091 spidx->dst.sin = template; 1092 1093 if (m->m_len < sizeof (struct ip)) { 1094 m_copydata(m, offsetof(struct ip, ip_src), 1095 sizeof(struct in_addr), &spidx->src.sin.sin_addr); 1096 m_copydata(m, offsetof(struct ip, ip_dst), 1097 sizeof(struct in_addr), &spidx->dst.sin.sin_addr); 1098 } else { 1099 struct ip *ip = mtod(m, struct ip *); 1100 spidx->src.sin.sin_addr = ip->ip_src; 1101 spidx->dst.sin.sin_addr = ip->ip_dst; 1102 } 1103 1104 spidx->prefs = sizeof(struct in_addr) << 3; 1105 spidx->prefd = sizeof(struct in_addr) << 3; 1106 1107 return 0; 1108 } 1109 1110 #ifdef INET6 1111 static void 1112 ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, 1113 int needport) 1114 { 1115 int off, nxt; 1116 struct tcphdr th; 1117 struct udphdr uh; 1118 struct icmp6_hdr icmph; 1119 1120 KASSERT(m != NULL); 1121 1122 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) { 1123 kdebug_mbuf(__func__, m); 1124 } 1125 1126 /* set default */ 1127 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1128 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; 1129 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; 1130 1131 nxt = -1; 1132 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 1133 if (off < 0 || m->m_pkthdr.len < off) 1134 return; 1135 1136 switch (nxt) { 1137 case IPPROTO_TCP: 1138 spidx->ul_proto = nxt; 1139 if (!needport) 1140 break; 1141 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1142 break; 1143 m_copydata(m, off, sizeof(th), &th); 1144 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; 1145 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; 1146 break; 1147 case IPPROTO_UDP: 1148 spidx->ul_proto = nxt; 1149 if (!needport) 1150 break; 1151 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1152 break; 1153 m_copydata(m, off, sizeof(uh), &uh); 1154 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; 1155 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; 1156 break; 1157 case IPPROTO_ICMPV6: 1158 spidx->ul_proto = nxt; 1159 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len) 1160 break; 1161 m_copydata(m, off, sizeof(icmph), &icmph); 1162 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = 1163 htons((uint16_t)icmph.icmp6_type); 1164 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = 1165 htons((uint16_t)icmph.icmp6_code); 1166 break; 1167 default: 1168 /* XXX intermediate headers??? */ 1169 spidx->ul_proto = nxt; 1170 break; 1171 } 1172 } 1173 1174 /* assumes that m is sane */ 1175 static int 1176 ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx) 1177 { 1178 struct ip6_hdr *ip6 = NULL; 1179 struct ip6_hdr ip6buf; 1180 struct sockaddr_in6 *sin6; 1181 1182 if (m->m_len >= sizeof(*ip6)) 1183 ip6 = mtod(m, struct ip6_hdr *); 1184 else { 1185 m_copydata(m, 0, sizeof(ip6buf), &ip6buf); 1186 ip6 = &ip6buf; 1187 } 1188 1189 sin6 = (struct sockaddr_in6 *)&spidx->src; 1190 memset(sin6, 0, sizeof(*sin6)); 1191 sin6->sin6_family = AF_INET6; 1192 sin6->sin6_len = sizeof(struct sockaddr_in6); 1193 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src)); 1194 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 1195 sin6->sin6_addr.s6_addr16[1] = 0; 1196 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); 1197 } 1198 spidx->prefs = sizeof(struct in6_addr) << 3; 1199 1200 sin6 = (struct sockaddr_in6 *)&spidx->dst; 1201 memset(sin6, 0, sizeof(*sin6)); 1202 sin6->sin6_family = AF_INET6; 1203 sin6->sin6_len = sizeof(struct sockaddr_in6); 1204 memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst)); 1205 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 1206 sin6->sin6_addr.s6_addr16[1] = 0; 1207 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); 1208 } 1209 spidx->prefd = sizeof(struct in6_addr) << 3; 1210 1211 return 0; 1212 } 1213 #endif 1214 1215 static void 1216 ipsec_delpcbpolicy(struct inpcbpolicy *p) 1217 { 1218 1219 kmem_intr_free(p, sizeof(*p)); 1220 } 1221 1222 /* initialize policy in PCB */ 1223 int 1224 ipsec_init_policy(struct socket *so, struct inpcbpolicy **policy) 1225 { 1226 struct inpcbpolicy *new; 1227 1228 KASSERT(so != NULL); 1229 KASSERT(policy != NULL); 1230 1231 new = kmem_intr_zalloc(sizeof(*new), KM_NOSLEEP); 1232 if (new == NULL) { 1233 IPSECLOG(LOG_DEBUG, "No more memory.\n"); 1234 return ENOBUFS; 1235 } 1236 1237 if (IPSEC_PRIVILEGED_SO(so)) 1238 new->priv = 1; 1239 else 1240 new->priv = 0; 1241 1242 /* 1243 * Set dummy SPs. Actual SPs will be allocated later if needed. 1244 */ 1245 new->sp_in = &ipsec_dummy_sp; 1246 new->sp_out = &ipsec_dummy_sp; 1247 1248 *policy = new; 1249 1250 return 0; 1251 } 1252 1253 #if 0 /* unused */ 1254 /* copy old ipsec policy into new */ 1255 int 1256 ipsec_copy_policy(const struct inpcbpolicy *old, struct inpcbpolicy *new) 1257 { 1258 struct secpolicy *sp; 1259 1260 sp = ipsec_deepcopy_policy(old->sp_in); 1261 if (sp) { 1262 KEY_SP_UNREF(&new->sp_in); 1263 new->sp_in = sp; 1264 } else 1265 return ENOBUFS; 1266 1267 sp = ipsec_deepcopy_policy(old->sp_out); 1268 if (sp) { 1269 KEY_SP_UNREF(&new->sp_out); 1270 new->sp_out = sp; 1271 } else 1272 return ENOBUFS; 1273 1274 new->priv = old->priv; 1275 1276 return 0; 1277 } 1278 1279 /* deep-copy a policy in PCB */ 1280 static struct secpolicy * 1281 ipsec_deepcopy_policy(const struct secpolicy *src) 1282 { 1283 struct ipsecrequest *newchain = NULL; 1284 const struct ipsecrequest *p; 1285 struct ipsecrequest **q; 1286 struct secpolicy *dst; 1287 1288 if (src == NULL) 1289 return NULL; 1290 dst = KEY_NEWSP(); 1291 if (dst == NULL) 1292 return NULL; 1293 1294 /* 1295 * deep-copy IPsec request chain. This is required since struct 1296 * ipsecrequest is not reference counted. 1297 */ 1298 q = &newchain; 1299 for (p = src->req; p; p = p->next) { 1300 *q = kmem_zalloc(sizeof(**q), KM_SLEEP); 1301 (*q)->next = NULL; 1302 1303 (*q)->saidx.proto = p->saidx.proto; 1304 (*q)->saidx.mode = p->saidx.mode; 1305 (*q)->level = p->level; 1306 (*q)->saidx.reqid = p->saidx.reqid; 1307 1308 memcpy(&(*q)->saidx.src, &p->saidx.src, sizeof((*q)->saidx.src)); 1309 memcpy(&(*q)->saidx.dst, &p->saidx.dst, sizeof((*q)->saidx.dst)); 1310 1311 (*q)->sp = dst; 1312 1313 q = &((*q)->next); 1314 } 1315 1316 dst->req = newchain; 1317 dst->state = src->state; 1318 dst->policy = src->policy; 1319 /* do not touch the refcnt fields */ 1320 1321 return dst; 1322 } 1323 #endif 1324 1325 static void 1326 ipsec_destroy_policy(struct secpolicy *sp) 1327 { 1328 1329 if (sp == &ipsec_dummy_sp) 1330 ; /* It's dummy. No need to free it. */ 1331 else { 1332 /* 1333 * We cannot destroy here because it can be called in 1334 * softint. So mark the SP as DEAD and let the timer 1335 * destroy it. See key_timehandler_spd. 1336 */ 1337 sp->state = IPSEC_SPSTATE_DEAD; 1338 } 1339 } 1340 1341 /* set policy and ipsec request if present. */ 1342 static int 1343 ipsec_set_policy( 1344 struct secpolicy **policy, 1345 int optname, 1346 const void *request, 1347 size_t len, 1348 kauth_cred_t cred 1349 ) 1350 { 1351 const struct sadb_x_policy *xpl; 1352 struct secpolicy *newsp = NULL, *oldsp; 1353 int error; 1354 1355 KASSERT(!cpu_softintr_p()); 1356 1357 /* sanity check. */ 1358 if (policy == NULL || *policy == NULL || request == NULL) 1359 return EINVAL; 1360 if (len < sizeof(*xpl)) 1361 return EINVAL; 1362 xpl = (const struct sadb_x_policy *)request; 1363 1364 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) { 1365 kdebug_sadb_xpolicy("set passed policy", request); 1366 } 1367 1368 /* check policy type */ 1369 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ 1370 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD 1371 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) 1372 return EINVAL; 1373 1374 /* check privileged socket */ 1375 if (xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) { 1376 error = kauth_authorize_network(cred, KAUTH_NETWORK_IPSEC, 1377 KAUTH_REQ_NETWORK_IPSEC_BYPASS, NULL, NULL, NULL); 1378 if (error) 1379 return (error); 1380 } 1381 1382 /* allocation new SP entry */ 1383 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) 1384 return error; 1385 1386 key_init_sp(newsp); 1387 newsp->created = time_uptime; 1388 /* Insert the global list for SPs for sockets */ 1389 key_socksplist_add(newsp); 1390 1391 /* clear old SP and set new SP */ 1392 oldsp = *policy; 1393 *policy = newsp; 1394 ipsec_destroy_policy(oldsp); 1395 1396 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) { 1397 printf("%s: new policy\n", __func__); 1398 kdebug_secpolicy(newsp); 1399 } 1400 1401 return 0; 1402 } 1403 1404 static int 1405 ipsec_get_policy(struct secpolicy *policy, struct mbuf **mp) 1406 { 1407 1408 /* sanity check. */ 1409 if (policy == NULL || mp == NULL) 1410 return EINVAL; 1411 1412 *mp = key_sp2msg(policy, M_NOWAIT); 1413 if (!*mp) { 1414 IPSECLOG(LOG_DEBUG, "No more memory.\n"); 1415 return ENOBUFS; 1416 } 1417 1418 (*mp)->m_type = MT_DATA; 1419 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) { 1420 kdebug_mbuf(__func__, *mp); 1421 } 1422 1423 return 0; 1424 } 1425 1426 int 1427 ipsec4_set_policy(struct inpcb *inp, int optname, const void *request, 1428 size_t len, kauth_cred_t cred) 1429 { 1430 const struct sadb_x_policy *xpl; 1431 struct secpolicy **policy; 1432 1433 KASSERT(!cpu_softintr_p()); 1434 KASSERT(inp != NULL); 1435 KASSERT(inp_locked(inp)); 1436 KASSERT(request != NULL); 1437 1438 if (len < sizeof(*xpl)) 1439 return EINVAL; 1440 xpl = (const struct sadb_x_policy *)request; 1441 1442 KASSERT(inp->inp_sp != NULL); 1443 1444 /* select direction */ 1445 switch (xpl->sadb_x_policy_dir) { 1446 case IPSEC_DIR_INBOUND: 1447 policy = &inp->inp_sp->sp_in; 1448 break; 1449 case IPSEC_DIR_OUTBOUND: 1450 policy = &inp->inp_sp->sp_out; 1451 break; 1452 default: 1453 IPSECLOG(LOG_ERR, "invalid direction=%u\n", 1454 xpl->sadb_x_policy_dir); 1455 return EINVAL; 1456 } 1457 1458 return ipsec_set_policy(policy, optname, request, len, cred); 1459 } 1460 1461 int 1462 ipsec4_get_policy(struct inpcb *inp, const void *request, size_t len, 1463 struct mbuf **mp) 1464 { 1465 const struct sadb_x_policy *xpl; 1466 struct secpolicy *policy; 1467 1468 /* sanity check. */ 1469 if (inp == NULL || request == NULL || mp == NULL) 1470 return EINVAL; 1471 KASSERT(inp->inp_sp != NULL); 1472 if (len < sizeof(*xpl)) 1473 return EINVAL; 1474 xpl = (const struct sadb_x_policy *)request; 1475 1476 /* select direction */ 1477 switch (xpl->sadb_x_policy_dir) { 1478 case IPSEC_DIR_INBOUND: 1479 policy = inp->inp_sp->sp_in; 1480 break; 1481 case IPSEC_DIR_OUTBOUND: 1482 policy = inp->inp_sp->sp_out; 1483 break; 1484 default: 1485 IPSECLOG(LOG_ERR, "invalid direction=%u\n", 1486 xpl->sadb_x_policy_dir); 1487 return EINVAL; 1488 } 1489 1490 return ipsec_get_policy(policy, mp); 1491 } 1492 1493 /* delete policy in PCB */ 1494 int 1495 ipsec4_delete_pcbpolicy(struct inpcb *inp) 1496 { 1497 1498 KASSERT(inp != NULL); 1499 1500 if (inp->inp_sp == NULL) 1501 return 0; 1502 1503 if (inp->inp_sp->sp_in != NULL) 1504 ipsec_destroy_policy(inp->inp_sp->sp_in); 1505 1506 if (inp->inp_sp->sp_out != NULL) 1507 ipsec_destroy_policy(inp->inp_sp->sp_out); 1508 1509 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1510 1511 ipsec_delpcbpolicy(inp->inp_sp); 1512 inp->inp_sp = NULL; 1513 1514 return 0; 1515 } 1516 1517 #ifdef INET6 1518 int 1519 ipsec6_set_policy(struct in6pcb *in6p, int optname, const void *request, 1520 size_t len, kauth_cred_t cred) 1521 { 1522 const struct sadb_x_policy *xpl; 1523 struct secpolicy **policy; 1524 1525 KASSERT(!cpu_softintr_p()); 1526 KASSERT(in6p_locked(in6p)); 1527 1528 /* sanity check. */ 1529 if (in6p == NULL || request == NULL) 1530 return EINVAL; 1531 if (len < sizeof(*xpl)) 1532 return EINVAL; 1533 xpl = (const struct sadb_x_policy *)request; 1534 1535 /* select direction */ 1536 switch (xpl->sadb_x_policy_dir) { 1537 case IPSEC_DIR_INBOUND: 1538 policy = &in6p->in6p_sp->sp_in; 1539 break; 1540 case IPSEC_DIR_OUTBOUND: 1541 policy = &in6p->in6p_sp->sp_out; 1542 break; 1543 default: 1544 IPSECLOG(LOG_ERR, "invalid direction=%u\n", 1545 xpl->sadb_x_policy_dir); 1546 return EINVAL; 1547 } 1548 1549 return ipsec_set_policy(policy, optname, request, len, cred); 1550 } 1551 1552 int 1553 ipsec6_get_policy(struct in6pcb *in6p, const void *request, size_t len, 1554 struct mbuf **mp) 1555 { 1556 const struct sadb_x_policy *xpl; 1557 struct secpolicy *policy; 1558 1559 /* sanity check. */ 1560 if (in6p == NULL || request == NULL || mp == NULL) 1561 return EINVAL; 1562 KASSERT(in6p->in6p_sp != NULL); 1563 if (len < sizeof(*xpl)) 1564 return EINVAL; 1565 xpl = (const struct sadb_x_policy *)request; 1566 1567 /* select direction */ 1568 switch (xpl->sadb_x_policy_dir) { 1569 case IPSEC_DIR_INBOUND: 1570 policy = in6p->in6p_sp->sp_in; 1571 break; 1572 case IPSEC_DIR_OUTBOUND: 1573 policy = in6p->in6p_sp->sp_out; 1574 break; 1575 default: 1576 IPSECLOG(LOG_ERR, "invalid direction=%u\n", 1577 xpl->sadb_x_policy_dir); 1578 return EINVAL; 1579 } 1580 1581 return ipsec_get_policy(policy, mp); 1582 } 1583 1584 int 1585 ipsec6_delete_pcbpolicy(struct in6pcb *in6p) 1586 { 1587 1588 KASSERT(in6p != NULL); 1589 1590 if (in6p->in6p_sp == NULL) 1591 return 0; 1592 1593 if (in6p->in6p_sp->sp_in != NULL) 1594 ipsec_destroy_policy(in6p->in6p_sp->sp_in); 1595 1596 if (in6p->in6p_sp->sp_out != NULL) 1597 ipsec_destroy_policy(in6p->in6p_sp->sp_out); 1598 1599 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1600 1601 ipsec_delpcbpolicy(in6p->in6p_sp); 1602 in6p->in6p_sp = NULL; 1603 1604 return 0; 1605 } 1606 #endif 1607 1608 /* 1609 * return current level. 1610 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 1611 */ 1612 u_int 1613 ipsec_get_reqlevel(const struct ipsecrequest *isr) 1614 { 1615 u_int level = 0; 1616 u_int esp_trans_deflev, esp_net_deflev; 1617 u_int ah_trans_deflev, ah_net_deflev; 1618 1619 KASSERT(isr != NULL); 1620 KASSERT(isr->sp != NULL); 1621 KASSERTMSG( 1622 isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family, 1623 "af family mismatch, src %u, dst %u", 1624 isr->sp->spidx.src.sa.sa_family, isr->sp->spidx.dst.sa.sa_family); 1625 1626 /* XXX note that we have ipseclog() expanded here - code sync issue */ 1627 #define IPSEC_CHECK_DEFAULT(lev) \ 1628 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \ 1629 && (lev) != IPSEC_LEVEL_UNIQUE) ? \ 1630 (ipsec_debug ? log(LOG_INFO, "fixed system default level " #lev \ 1631 ":%d->%d\n", (lev), IPSEC_LEVEL_REQUIRE) : (void)0), \ 1632 (lev) = IPSEC_LEVEL_REQUIRE, (lev) \ 1633 : (lev)) 1634 1635 /* set default level */ 1636 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) { 1637 #ifdef INET 1638 case AF_INET: 1639 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev); 1640 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev); 1641 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev); 1642 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev); 1643 break; 1644 #endif 1645 #ifdef INET6 1646 case AF_INET6: 1647 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev); 1648 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev); 1649 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev); 1650 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev); 1651 break; 1652 #endif /* INET6 */ 1653 default: 1654 panic("%s: unknown af %u", __func__, 1655 isr->sp->spidx.src.sa.sa_family); 1656 } 1657 1658 #undef IPSEC_CHECK_DEFAULT 1659 1660 /* set level */ 1661 switch (isr->level) { 1662 case IPSEC_LEVEL_DEFAULT: 1663 switch (isr->saidx.proto) { 1664 case IPPROTO_ESP: 1665 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1666 level = esp_net_deflev; 1667 else 1668 level = esp_trans_deflev; 1669 break; 1670 case IPPROTO_AH: 1671 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1672 level = ah_net_deflev; 1673 else 1674 level = ah_trans_deflev; 1675 break; 1676 case IPPROTO_IPCOMP: 1677 /* 1678 * we don't really care, as IPcomp document says that 1679 * we shouldn't compress small packets 1680 */ 1681 level = IPSEC_LEVEL_USE; 1682 break; 1683 default: 1684 panic("%s: Illegal protocol defined %u", __func__, 1685 isr->saidx.proto); 1686 } 1687 break; 1688 1689 case IPSEC_LEVEL_USE: 1690 case IPSEC_LEVEL_REQUIRE: 1691 level = isr->level; 1692 break; 1693 case IPSEC_LEVEL_UNIQUE: 1694 level = IPSEC_LEVEL_REQUIRE; 1695 break; 1696 1697 default: 1698 panic("%s: Illegal IPsec level %u", __func__, isr->level); 1699 } 1700 1701 return level; 1702 } 1703 1704 /* 1705 * Check security policy requirements against the actual 1706 * packet contents. Return one if the packet should be 1707 * reject as "invalid"; otherwiser return zero to have the 1708 * packet treated as "valid". 1709 * 1710 * OUT: 1711 * 0: valid 1712 * 1: invalid 1713 */ 1714 int 1715 ipsec_in_reject(const struct secpolicy *sp, const struct mbuf *m) 1716 { 1717 struct ipsecrequest *isr; 1718 1719 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) { 1720 printf("%s: using SP\n", __func__); 1721 kdebug_secpolicy(sp); 1722 } 1723 1724 /* check policy */ 1725 switch (sp->policy) { 1726 case IPSEC_POLICY_DISCARD: 1727 return 1; 1728 case IPSEC_POLICY_BYPASS: 1729 case IPSEC_POLICY_NONE: 1730 return 0; 1731 } 1732 1733 KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC, 1734 "invalid policy %u", sp->policy); 1735 1736 /* XXX should compare policy against ipsec header history */ 1737 1738 for (isr = sp->req; isr != NULL; isr = isr->next) { 1739 if (ipsec_get_reqlevel(isr) != IPSEC_LEVEL_REQUIRE) 1740 continue; 1741 switch (isr->saidx.proto) { 1742 case IPPROTO_ESP: 1743 if ((m->m_flags & M_DECRYPTED) == 0) { 1744 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, 1745 "ESP m_flags:%x\n", m->m_flags); 1746 return 1; 1747 } 1748 break; 1749 case IPPROTO_AH: 1750 if ((m->m_flags & M_AUTHIPHDR) == 0) { 1751 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, 1752 "AH m_flags:%x\n", m->m_flags); 1753 return 1; 1754 } 1755 break; 1756 case IPPROTO_IPCOMP: 1757 /* 1758 * we don't really care, as IPcomp document 1759 * says that we shouldn't compress small 1760 * packets, IPComp policy should always be 1761 * treated as being in "use" level. 1762 */ 1763 break; 1764 } 1765 } 1766 return 0; /* valid */ 1767 } 1768 1769 /* 1770 * Check AH/ESP integrity. 1771 * This function is called from tcp_input(), udp_input(), 1772 * and {ah,esp}4_input for tunnel mode 1773 */ 1774 int 1775 ipsec4_in_reject(struct mbuf *m, struct inpcb *inp) 1776 { 1777 struct secpolicy *sp; 1778 int error; 1779 int result; 1780 1781 KASSERT(m != NULL); 1782 1783 /* get SP for this packet. 1784 * When we are called from ip_forward(), we call 1785 * ipsec_getpolicybyaddr() with IP_FORWARDING flag. 1786 */ 1787 if (inp == NULL) 1788 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 1789 else 1790 sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND, 1791 (struct inpcb_hdr *)inp, &error); 1792 1793 if (sp != NULL) { 1794 result = ipsec_in_reject(sp, m); 1795 if (result) 1796 IPSEC_STATINC(IPSEC_STAT_IN_POLVIO); 1797 KEY_SP_UNREF(&sp); 1798 } else { 1799 result = 0; /* XXX should be panic ? 1800 * -> No, there may be error. */ 1801 } 1802 return result; 1803 } 1804 1805 1806 #ifdef INET6 1807 /* 1808 * Check AH/ESP integrity. 1809 * This function is called from tcp6_input(), udp6_input(), 1810 * and {ah,esp}6_input for tunnel mode 1811 */ 1812 int 1813 ipsec6_in_reject(struct mbuf *m, struct in6pcb *in6p) 1814 { 1815 struct secpolicy *sp = NULL; 1816 int error; 1817 int result; 1818 1819 KASSERT(m != NULL); 1820 1821 /* get SP for this packet. 1822 * When we are called from ip_forward(), we call 1823 * ipsec_getpolicybyaddr() with IP_FORWARDING flag. 1824 */ 1825 if (in6p == NULL) 1826 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 1827 else 1828 sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND, 1829 (struct inpcb_hdr *)in6p, 1830 &error); 1831 1832 if (sp != NULL) { 1833 result = ipsec_in_reject(sp, m); 1834 if (result) 1835 IPSEC_STATINC(IPSEC_STAT_IN_POLVIO); 1836 KEY_SP_UNREF(&sp); 1837 } else { 1838 result = 0; 1839 } 1840 return result; 1841 } 1842 #endif 1843 1844 /* 1845 * compute the byte size to be occupied by IPsec header. 1846 * in case it is tunneled, it includes the size of outer IP header. 1847 * NOTE: SP passed is free in this function. 1848 */ 1849 static size_t 1850 ipsec_hdrsiz(const struct secpolicy *sp, const struct mbuf *m) 1851 { 1852 struct ipsecrequest *isr; 1853 size_t siz; 1854 1855 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) { 1856 printf("%s: using SP\n", __func__); 1857 kdebug_secpolicy(sp); 1858 } 1859 1860 switch (sp->policy) { 1861 case IPSEC_POLICY_DISCARD: 1862 case IPSEC_POLICY_BYPASS: 1863 case IPSEC_POLICY_NONE: 1864 return 0; 1865 } 1866 1867 KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC, 1868 "invalid policy %u", sp->policy); 1869 1870 siz = 0; 1871 for (isr = sp->req; isr != NULL; isr = isr->next) { 1872 size_t clen = 0; 1873 struct secasvar *sav; 1874 1875 switch (isr->saidx.proto) { 1876 case IPPROTO_ESP: 1877 sav = ipsec_lookup_sa(isr, m); 1878 if (sav != NULL) { 1879 clen = esp_hdrsiz(sav); 1880 KEY_SA_UNREF(&sav); 1881 } else 1882 clen = esp_hdrsiz(NULL); 1883 break; 1884 case IPPROTO_AH: 1885 sav = ipsec_lookup_sa(isr, m); 1886 if (sav != NULL) { 1887 clen = ah_hdrsiz(sav); 1888 KEY_SA_UNREF(&sav); 1889 } else 1890 clen = ah_hdrsiz(NULL); 1891 break; 1892 case IPPROTO_IPCOMP: 1893 clen = sizeof(struct ipcomp); 1894 break; 1895 } 1896 1897 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 1898 switch (isr->saidx.dst.sa.sa_family) { 1899 case AF_INET: 1900 clen += sizeof(struct ip); 1901 break; 1902 #ifdef INET6 1903 case AF_INET6: 1904 clen += sizeof(struct ip6_hdr); 1905 break; 1906 #endif 1907 default: 1908 IPSECLOG(LOG_ERR, "unknown AF %d in " 1909 "IPsec tunnel SA\n", 1910 ((const struct sockaddr *)&isr->saidx.dst) 1911 ->sa_family); 1912 break; 1913 } 1914 } 1915 siz += clen; 1916 } 1917 1918 return siz; 1919 } 1920 1921 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ 1922 size_t 1923 ipsec4_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp) 1924 { 1925 struct secpolicy *sp; 1926 int error; 1927 size_t size; 1928 1929 KASSERT(m != NULL); 1930 KASSERTMSG(inp == NULL || inp->inp_socket != NULL, "socket w/o inpcb"); 1931 1932 /* get SP for this packet. 1933 * When we are called from ip_forward(), we call 1934 * ipsec_getpolicybyaddr() with IP_FORWARDING flag. 1935 */ 1936 if (inp == NULL) 1937 sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 1938 else 1939 sp = ipsec_getpolicybysock(m, dir, 1940 (struct inpcb_hdr *)inp, &error); 1941 1942 if (sp != NULL) { 1943 size = ipsec_hdrsiz(sp, m); 1944 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%lu.\n", 1945 (unsigned long)size); 1946 1947 KEY_SP_UNREF(&sp); 1948 } else { 1949 size = 0; /* XXX should be panic ? */ 1950 } 1951 return size; 1952 } 1953 1954 #ifdef INET6 1955 /* This function is called from ipsec6_hdrsize_tcp(), 1956 * and maybe from ip6_forward.() 1957 */ 1958 size_t 1959 ipsec6_hdrsiz(struct mbuf *m, u_int dir, struct in6pcb *in6p) 1960 { 1961 struct secpolicy *sp; 1962 int error; 1963 size_t size; 1964 1965 KASSERT(m != NULL); 1966 KASSERTMSG(in6p == NULL || in6p->in6p_socket != NULL, 1967 "socket w/o inpcb"); 1968 1969 /* get SP for this packet */ 1970 /* XXX Is it right to call with IP_FORWARDING. */ 1971 if (in6p == NULL) 1972 sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 1973 else 1974 sp = ipsec_getpolicybysock(m, dir, 1975 (struct inpcb_hdr *)in6p, 1976 &error); 1977 1978 if (sp == NULL) 1979 return 0; 1980 size = ipsec_hdrsiz(sp, m); 1981 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%zu.\n", size); 1982 KEY_SP_UNREF(&sp); 1983 1984 return size; 1985 } 1986 #endif /*INET6*/ 1987 1988 /* 1989 * Check the variable replay window. 1990 * ipsec_chkreplay() performs replay check before ICV verification. 1991 * ipsec_updatereplay() updates replay bitmap. This must be called after 1992 * ICV verification (it also performs replay check, which is usually done 1993 * beforehand). 1994 * 0 (zero) is returned if packet disallowed, 1 if packet permitted. 1995 * 1996 * based on RFC 2401. 1997 */ 1998 int 1999 ipsec_chkreplay(u_int32_t seq, const struct secasvar *sav) 2000 { 2001 const struct secreplay *replay; 2002 u_int32_t diff; 2003 int fr; 2004 u_int32_t wsizeb; /* constant: bits of window size */ 2005 int frlast; /* constant: last frame */ 2006 2007 IPSEC_SPLASSERT_SOFTNET(__func__); 2008 2009 KASSERT(sav != NULL); 2010 KASSERT(sav->replay != NULL); 2011 2012 replay = sav->replay; 2013 2014 if (replay->wsize == 0) 2015 return 1; /* no need to check replay. */ 2016 2017 /* constant */ 2018 frlast = replay->wsize - 1; 2019 wsizeb = replay->wsize << 3; 2020 2021 /* sequence number of 0 is invalid */ 2022 if (seq == 0) 2023 return 0; 2024 2025 /* first time is always okay */ 2026 if (replay->count == 0) 2027 return 1; 2028 2029 if (seq > replay->lastseq) { 2030 /* larger sequences are okay */ 2031 return 1; 2032 } else { 2033 /* seq is equal or less than lastseq. */ 2034 diff = replay->lastseq - seq; 2035 2036 /* over range to check, i.e. too old or wrapped */ 2037 if (diff >= wsizeb) 2038 return 0; 2039 2040 fr = frlast - diff / 8; 2041 2042 /* this packet already seen ? */ 2043 if ((replay->bitmap)[fr] & (1 << (diff % 8))) 2044 return 0; 2045 2046 /* out of order but good */ 2047 return 1; 2048 } 2049 } 2050 2051 /* 2052 * check replay counter whether to update or not. 2053 * OUT: 0: OK 2054 * 1: NG 2055 */ 2056 int 2057 ipsec_updatereplay(u_int32_t seq, const struct secasvar *sav) 2058 { 2059 struct secreplay *replay; 2060 u_int32_t diff; 2061 int fr; 2062 u_int32_t wsizeb; /* constant: bits of window size */ 2063 int frlast; /* constant: last frame */ 2064 2065 IPSEC_SPLASSERT_SOFTNET(__func__); 2066 2067 KASSERT(sav != NULL); 2068 KASSERT(sav->replay != NULL); 2069 2070 replay = sav->replay; 2071 2072 if (replay->wsize == 0) 2073 goto ok; /* no need to check replay. */ 2074 2075 /* constant */ 2076 frlast = replay->wsize - 1; 2077 wsizeb = replay->wsize << 3; 2078 2079 /* sequence number of 0 is invalid */ 2080 if (seq == 0) 2081 return 1; 2082 2083 /* first time */ 2084 if (replay->count == 0) { 2085 replay->lastseq = seq; 2086 memset(replay->bitmap, 0, replay->wsize); 2087 (replay->bitmap)[frlast] = 1; 2088 goto ok; 2089 } 2090 2091 if (seq > replay->lastseq) { 2092 /* seq is larger than lastseq. */ 2093 diff = seq - replay->lastseq; 2094 2095 /* new larger sequence number */ 2096 if (diff < wsizeb) { 2097 /* In window */ 2098 /* set bit for this packet */ 2099 vshiftl(replay->bitmap, diff, replay->wsize); 2100 (replay->bitmap)[frlast] |= 1; 2101 } else { 2102 /* this packet has a "way larger" */ 2103 memset(replay->bitmap, 0, replay->wsize); 2104 (replay->bitmap)[frlast] = 1; 2105 } 2106 replay->lastseq = seq; 2107 2108 /* larger is good */ 2109 } else { 2110 /* seq is equal or less than lastseq. */ 2111 diff = replay->lastseq - seq; 2112 2113 /* over range to check, i.e. too old or wrapped */ 2114 if (diff >= wsizeb) 2115 return 1; 2116 2117 fr = frlast - diff / 8; 2118 2119 /* this packet already seen ? */ 2120 if ((replay->bitmap)[fr] & (1 << (diff % 8))) 2121 return 1; 2122 2123 /* mark as seen */ 2124 (replay->bitmap)[fr] |= (1 << (diff % 8)); 2125 2126 /* out of order but good */ 2127 } 2128 2129 ok: 2130 if (replay->count == ~0) { 2131 char buf[IPSEC_LOGSASTRLEN]; 2132 2133 /* set overflow flag */ 2134 replay->overflow++; 2135 2136 /* don't increment, no more packets accepted */ 2137 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) 2138 return 1; 2139 2140 IPSECLOG(LOG_WARNING, "replay counter made %d cycle. %s\n", 2141 replay->overflow, ipsec_logsastr(sav, buf, sizeof(buf))); 2142 } 2143 2144 replay->count++; 2145 2146 return 0; 2147 } 2148 2149 /* 2150 * shift variable length bunffer to left. 2151 * IN: bitmap: pointer to the buffer 2152 * nbit: the number of to shift. 2153 * wsize: buffer size (bytes). 2154 */ 2155 static void 2156 vshiftl(unsigned char *bitmap, int nbit, int wsize) 2157 { 2158 int s, j, i; 2159 unsigned char over; 2160 2161 for (j = 0; j < nbit; j += 8) { 2162 s = (nbit - j < 8) ? (nbit - j): 8; 2163 bitmap[0] <<= s; 2164 for (i = 1; i < wsize; i++) { 2165 over = (bitmap[i] >> (8 - s)); 2166 bitmap[i] <<= s; 2167 bitmap[i-1] |= over; 2168 } 2169 } 2170 2171 return; 2172 } 2173 2174 /* Return a printable string for the address. */ 2175 const char * 2176 ipsec_address(const union sockaddr_union *sa, char *buf, size_t size) 2177 { 2178 switch (sa->sa.sa_family) { 2179 #if INET 2180 case AF_INET: 2181 in_print(buf, size, &sa->sin.sin_addr); 2182 return buf; 2183 #endif /* INET */ 2184 2185 #if INET6 2186 case AF_INET6: 2187 in6_print(buf, size, &sa->sin6.sin6_addr); 2188 return buf; 2189 #endif /* INET6 */ 2190 2191 default: 2192 return "(unknown address family)"; 2193 } 2194 } 2195 2196 const char * 2197 ipsec_logsastr(const struct secasvar *sav, char *buf, size_t size) 2198 { 2199 const struct secasindex *saidx = &sav->sah->saidx; 2200 char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; 2201 2202 KASSERTMSG(saidx->src.sa.sa_family == saidx->dst.sa.sa_family, 2203 "af family mismatch, src %u, dst %u", 2204 saidx->src.sa.sa_family, saidx->dst.sa.sa_family); 2205 2206 snprintf(buf, size, "SA(SPI=%u src=%s dst=%s)", 2207 (u_int32_t)ntohl(sav->spi), 2208 ipsec_address(&saidx->src, sbuf, sizeof(sbuf)), 2209 ipsec_address(&saidx->dst, dbuf, sizeof(dbuf))); 2210 2211 return buf; 2212 } 2213 2214 void 2215 ipsec_dumpmbuf(struct mbuf *m) 2216 { 2217 int totlen; 2218 int i; 2219 u_char *p; 2220 2221 totlen = 0; 2222 printf("---\n"); 2223 while (m) { 2224 p = mtod(m, u_char *); 2225 for (i = 0; i < m->m_len; i++) { 2226 printf("%02x ", p[i]); 2227 totlen++; 2228 if (totlen % 16 == 0) 2229 printf("\n"); 2230 } 2231 m = m->m_next; 2232 } 2233 if (totlen % 16 != 0) 2234 printf("\n"); 2235 printf("---\n"); 2236 } 2237 2238 #ifdef INET6 2239 struct secpolicy * 2240 ipsec6_check_policy(struct mbuf *m, struct in6pcb *in6p, 2241 int flags, int *needipsecp, int *errorp) 2242 { 2243 struct secpolicy *sp = NULL; 2244 int s; 2245 int error = 0; 2246 int needipsec = 0; 2247 2248 if (!ipsec_outdone(m)) { 2249 s = splsoftnet(); 2250 if (in6p != NULL && 2251 ipsec_pcb_skip_ipsec(in6p->in6p_sp, IPSEC_DIR_OUTBOUND)) { 2252 splx(s); 2253 goto skippolicycheck; 2254 } 2255 sp = ipsec6_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error,in6p); 2256 2257 /* 2258 * There are four return cases: 2259 * sp != NULL apply IPsec policy 2260 * sp == NULL, error == 0 no IPsec handling needed 2261 * sp == NULL, error == -EINVAL discard packet w/o error 2262 * sp == NULL, error != 0 discard packet, report error 2263 */ 2264 2265 splx(s); 2266 if (sp == NULL) { 2267 /* 2268 * Caller must check the error return to see if it needs to discard 2269 * the packet. 2270 */ 2271 needipsec = 0; 2272 } else { 2273 needipsec = 1; 2274 } 2275 } 2276 skippolicycheck:; 2277 2278 *errorp = error; 2279 *needipsecp = needipsec; 2280 return sp; 2281 } 2282 2283 int 2284 ipsec6_input(struct mbuf *m) 2285 { 2286 struct secpolicy *sp; 2287 int s, error; 2288 2289 s = splsoftnet(); 2290 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 2291 if (sp != NULL) { 2292 /* 2293 * Check security policy against packet 2294 * attributes. 2295 */ 2296 error = ipsec_in_reject(sp, m); 2297 KEY_SP_UNREF(&sp); 2298 } else { 2299 /* XXX error stat??? */ 2300 error = EINVAL; 2301 IPSECLOG(LOG_DEBUG, "no SP, packet discarded\n");/*XXX*/ 2302 } 2303 splx(s); 2304 2305 return error; 2306 } 2307 #endif /* INET6 */ 2308 2309 2310 2311 /* XXX this stuff doesn't belong here... */ 2312 2313 static struct xformsw *xforms = NULL; 2314 2315 /* 2316 * Register a transform; typically at system startup. 2317 */ 2318 void 2319 xform_register(struct xformsw *xsp) 2320 { 2321 xsp->xf_next = xforms; 2322 xforms = xsp; 2323 } 2324 2325 /* 2326 * Initialize transform support in an sav. 2327 */ 2328 int 2329 xform_init(struct secasvar *sav, int xftype) 2330 { 2331 struct xformsw *xsp; 2332 2333 if (sav->tdb_xform != NULL) /* previously initialized */ 2334 return 0; 2335 for (xsp = xforms; xsp; xsp = xsp->xf_next) 2336 if (xsp->xf_type == xftype) 2337 return (*xsp->xf_init)(sav, xsp); 2338 2339 IPSECLOG(LOG_DEBUG, "no match for xform type %d\n", xftype); 2340 return EINVAL; 2341 } 2342 2343 void 2344 nat_t_ports_get(struct mbuf *m, u_int16_t *dport, u_int16_t *sport) { 2345 struct m_tag *tag; 2346 2347 if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) { 2348 *sport = ((u_int16_t *)(tag + 1))[0]; 2349 *dport = ((u_int16_t *)(tag + 1))[1]; 2350 } else 2351 *sport = *dport = 0; 2352 } 2353 2354 /* 2355 * XXXJRT This should be done as a protosw init call. 2356 */ 2357 void 2358 ipsec_attach(void) 2359 { 2360 2361 ipsec_output_init(); 2362 2363 ipsecstat_percpu = percpu_alloc(sizeof(uint64_t) * IPSEC_NSTATS); 2364 2365 sysctl_net_inet_ipsec_setup(NULL); 2366 #ifdef INET6 2367 sysctl_net_inet6_ipsec6_setup(NULL); 2368 #endif 2369 2370 ah_attach(); 2371 esp_attach(); 2372 ipcomp_attach(); 2373 ipe4_attach(); 2374 #ifdef TCP_SIGNATURE 2375 tcpsignature_attach(); 2376 #endif 2377 } 2378
Indexes created Tue Sep 30 10:09:55 GMT 2025