ipsec.c revision 1.159 1 /* $NetBSD: ipsec.c,v 1.159 2018/04/28 14:21:03 maxv Exp $ */
2 /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
3 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <sys/cdefs.h>
35 __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.159 2018/04/28 14:21:03 maxv Exp $");
36
37 /*
38 * IPsec controller part.
39 */
40
41 #if defined(_KERNEL_OPT)
42 #include "opt_inet.h"
43 #include "opt_ipsec.h"
44 #endif
45
46 #include <sys/param.h>
47 #include <sys/systm.h>
48 #include <sys/mbuf.h>
49 #include <sys/domain.h>
50 #include <sys/protosw.h>
51 #include <sys/socket.h>
52 #include <sys/socketvar.h>
53 #include <sys/errno.h>
54 #include <sys/time.h>
55 #include <sys/kernel.h>
56 #include <sys/syslog.h>
57 #include <sys/sysctl.h>
58 #include <sys/proc.h>
59 #include <sys/kauth.h>
60 #include <sys/cpu.h>
61 #include <sys/kmem.h>
62 #include <sys/pserialize.h>
63
64 #include <net/if.h>
65 #include <net/route.h>
66
67 #include <netinet/in.h>
68 #include <netinet/in_systm.h>
69 #include <netinet/ip.h>
70 #include <netinet/ip_var.h>
71 #include <netinet/in_var.h>
72 #include <netinet/udp.h>
73 #include <netinet/udp_var.h>
74 #include <netinet/tcp.h>
75 #include <netinet/udp.h>
76 #include <netinet/ip_icmp.h>
77 #include <netinet/ip_private.h>
78
79 #include <netinet/ip6.h>
80 #ifdef INET6
81 #include <netinet6/ip6_var.h>
82 #endif
83 #include <netinet/in_pcb.h>
84 #ifdef INET6
85 #include <netinet6/in6_pcb.h>
86 #include <netinet/icmp6.h>
87 #endif
88
89 #include <netipsec/ipsec.h>
90 #include <netipsec/ipsec_var.h>
91 #include <netipsec/ipsec_private.h>
92 #ifdef INET6
93 #include <netipsec/ipsec6.h>
94 #endif
95 #include <netipsec/ah_var.h>
96 #include <netipsec/esp_var.h>
97 #include <netipsec/ipcomp.h> /*XXX*/
98 #include <netipsec/ipcomp_var.h>
99
100 #include <netipsec/key.h>
101 #include <netipsec/keydb.h>
102 #include <netipsec/key_debug.h>
103
104 #include <netipsec/xform.h>
105
106 int ipsec_used = 0;
107 int ipsec_enabled = 1;
108
109 #ifdef IPSEC_DEBUG
110 int ipsec_debug = 1;
111
112 /*
113 * When set to 1, IPsec will send packets with the same sequence number.
114 * This allows to verify if the other side has proper replay attacks detection.
115 */
116 int ipsec_replay = 0;
117
118 /*
119 * When set 1, IPsec will send packets with corrupted HMAC.
120 * This allows to verify if the other side properly detects modified packets.
121 */
122 int ipsec_integrity = 0;
123 #else
124 int ipsec_debug = 0;
125 #endif
126
127 percpu_t *ipsecstat_percpu;
128
129 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
130 int ip4_ipsec_dfbit = 2; /* DF bit on encap. 0: clear 1: set 2: copy */
131 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
132 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
133 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
134 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
135 struct secpolicy ip4_def_policy;
136 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
137
138 u_int ipsec_spdgen = 1; /* SPD generation # */
139
140 static struct secpolicy ipsec_dummy_sp __read_mostly = {
141 .state = IPSEC_SPSTATE_ALIVE,
142 /* If ENTRUST, the dummy SP never be used. See ipsec_getpolicybysock. */
143 .policy = IPSEC_POLICY_ENTRUST,
144 };
145
146 static struct secpolicy *ipsec_checkpcbcache(struct mbuf *,
147 struct inpcbpolicy *, int);
148 static int ipsec_fillpcbcache(struct inpcbpolicy *, struct mbuf *,
149 struct secpolicy *, int);
150 static int ipsec_invalpcbcache(struct inpcbpolicy *, int);
151
152 /*
153 * Crypto support requirements:
154 *
155 * 1 require hardware support
156 * -1 require software support
157 * 0 take anything
158 */
159 int crypto_support = 0;
160
161 static struct secpolicy *ipsec_getpolicybysock(struct mbuf *, u_int,
162 struct inpcb_hdr *, int *);
163
164 #ifdef INET6
165 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
166 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
167 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
168 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
169 struct secpolicy ip6_def_policy;
170 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
171 #endif
172
173 static int ipsec_setspidx_inpcb(struct mbuf *, void *);
174 static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int);
175 static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
176 static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
177 #ifdef INET6
178 static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
179 static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
180 #endif
181 static void ipsec_delpcbpolicy(struct inpcbpolicy *);
182 static void ipsec_destroy_policy(struct secpolicy *);
183 static int ipsec_sp_reject(const struct secpolicy *, const struct mbuf *);
184 static void vshiftl(unsigned char *, int, int);
185 static size_t ipsec_sp_hdrsiz(const struct secpolicy *, const struct mbuf *);
186
187 /*
188 * Try to validate and use cached policy on a PCB.
189 */
190 static struct secpolicy *
191 ipsec_checkpcbcache(struct mbuf *m, struct inpcbpolicy *pcbsp, int dir)
192 {
193 struct secpolicyindex spidx;
194 struct secpolicy *sp = NULL;
195 int s;
196
197 KASSERT(IPSEC_DIR_IS_VALID(dir));
198 KASSERT(pcbsp != NULL);
199 KASSERT(dir < __arraycount(pcbsp->sp_cache));
200 KASSERT(inph_locked(pcbsp->sp_inph));
201
202 /*
203 * Checking the generation and sp->state and taking a reference to an SP
204 * must be in a critical section of pserialize. See key_unlink_sp.
205 */
206 s = pserialize_read_enter();
207 /* SPD table change invalidate all the caches. */
208 if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) {
209 ipsec_invalpcbcache(pcbsp, dir);
210 goto out;
211 }
212 sp = pcbsp->sp_cache[dir].cachesp;
213 if (sp == NULL)
214 goto out;
215 if (sp->state != IPSEC_SPSTATE_ALIVE) {
216 sp = NULL;
217 ipsec_invalpcbcache(pcbsp, dir);
218 goto out;
219 }
220 if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
221 /* NB: assume ipsec_setspidx never sleep */
222 if (ipsec_setspidx(m, &spidx, 1) != 0) {
223 sp = NULL;
224 goto out;
225 }
226
227 /*
228 * We have to make an exact match here since the cached rule
229 * might have lower priority than a rule that would otherwise
230 * have matched the packet.
231 */
232 if (memcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx,
233 sizeof(spidx))) {
234 sp = NULL;
235 goto out;
236 }
237 } else {
238 /*
239 * The pcb is connected, and the L4 code is sure that:
240 * - outgoing side uses inp_[lf]addr
241 * - incoming side looks up policy after inpcb lookup
242 * and address pair is know to be stable. We do not need
243 * to generate spidx again, nor check the address match again.
244 *
245 * For IPv4/v6 SOCK_STREAM sockets, this assumptions holds
246 * and there are calls to ipsec_pcbconn() from in_pcbconnect().
247 */
248 }
249
250 sp->lastused = time_second;
251 KEY_SP_REF(sp);
252 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
253 "DP cause refcnt++:%d SP:%p\n",
254 key_sp_refcnt(sp), pcbsp->sp_cache[dir].cachesp);
255 out:
256 pserialize_read_exit(s);
257 return sp;
258 }
259
260 static int
261 ipsec_fillpcbcache(struct inpcbpolicy *pcbsp, struct mbuf *m,
262 struct secpolicy *sp, int dir)
263 {
264
265 KASSERT(IPSEC_DIR_IS_INOROUT(dir));
266 KASSERT(dir < __arraycount(pcbsp->sp_cache));
267 KASSERT(inph_locked(pcbsp->sp_inph));
268
269 pcbsp->sp_cache[dir].cachesp = NULL;
270 pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_UNKNOWN;
271 if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, 1) != 0) {
272 return EINVAL;
273 }
274 pcbsp->sp_cache[dir].cachesp = sp;
275 if (pcbsp->sp_cache[dir].cachesp) {
276 /*
277 * If the PCB is connected, we can remember a hint to
278 * possibly short-circuit IPsec processing in other places.
279 */
280 if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) {
281 switch (pcbsp->sp_cache[dir].cachesp->policy) {
282 case IPSEC_POLICY_NONE:
283 case IPSEC_POLICY_BYPASS:
284 pcbsp->sp_cache[dir].cachehint =
285 IPSEC_PCBHINT_NO;
286 break;
287 default:
288 pcbsp->sp_cache[dir].cachehint =
289 IPSEC_PCBHINT_YES;
290 }
291 }
292 }
293 pcbsp->sp_cache[dir].cachegen = ipsec_spdgen;
294
295 return 0;
296 }
297
298 static int
299 ipsec_invalpcbcache(struct inpcbpolicy *pcbsp, int dir)
300 {
301 int i;
302
303 KASSERT(inph_locked(pcbsp->sp_inph));
304
305 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
306 if (dir != IPSEC_DIR_ANY && i != dir)
307 continue;
308 pcbsp->sp_cache[i].cachesp = NULL;
309 pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_UNKNOWN;
310 pcbsp->sp_cache[i].cachegen = 0;
311 memset(&pcbsp->sp_cache[i].cacheidx, 0,
312 sizeof(pcbsp->sp_cache[i].cacheidx));
313 }
314 return 0;
315 }
316
317 void
318 ipsec_pcbconn(struct inpcbpolicy *pcbsp)
319 {
320
321 KASSERT(inph_locked(pcbsp->sp_inph));
322
323 pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED;
324 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
325 }
326
327 void
328 ipsec_pcbdisconn(struct inpcbpolicy *pcbsp)
329 {
330
331 KASSERT(inph_locked(pcbsp->sp_inph));
332
333 pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED;
334 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
335 }
336
337 void
338 ipsec_invalpcbcacheall(void)
339 {
340
341 if (ipsec_spdgen == UINT_MAX)
342 ipsec_spdgen = 1;
343 else
344 ipsec_spdgen++;
345 }
346
347 /*
348 * Return a held reference to the default SP.
349 */
350 static struct secpolicy *
351 key_get_default_sp(int af, const char *where, int tag)
352 {
353 struct secpolicy *sp;
354
355 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag);
356
357 switch(af) {
358 case AF_INET:
359 sp = &ip4_def_policy;
360 break;
361 #ifdef INET6
362 case AF_INET6:
363 sp = &ip6_def_policy;
364 break;
365 #endif
366 default:
367 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
368 "unexpected protocol family %u\n", af);
369 return NULL;
370 }
371
372 if (sp->policy != IPSEC_POLICY_DISCARD &&
373 sp->policy != IPSEC_POLICY_NONE) {
374 IPSECLOG(LOG_INFO, "fixed system default policy: %d->%d\n",
375 sp->policy, IPSEC_POLICY_NONE);
376 sp->policy = IPSEC_POLICY_NONE;
377 }
378 KEY_SP_REF(sp);
379
380 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP returns SP:%p (%u)\n",
381 sp, key_sp_refcnt(sp));
382 return sp;
383 }
384
385 #define KEY_GET_DEFAULT_SP(af) \
386 key_get_default_sp((af), __func__, __LINE__)
387
388 /*
389 * For OUTBOUND packet having a socket. Searching SPD for packet,
390 * and return a pointer to SP.
391 * OUT: NULL: no appropriate SP found, the following value is set to error.
392 * 0 : bypass
393 * EACCES : discard packet.
394 * ENOENT : ipsec_acquire() in progress, maybe.
395 * others : error occurred.
396 * others: a pointer to SP
397 *
398 * NOTE: IPv6 mapped address concern is implemented here.
399 */
400 static struct secpolicy *
401 ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb_hdr *inph,
402 int *error)
403 {
404 struct inpcbpolicy *pcbsp = NULL;
405 struct secpolicy *currsp = NULL; /* policy on socket */
406 struct secpolicy *sp;
407 int af;
408
409 KASSERT(m != NULL);
410 KASSERT(inph != NULL);
411 KASSERT(error != NULL);
412 KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
413
414 KASSERT(inph->inph_socket != NULL);
415 KASSERT(inph_locked(inph));
416
417 /* XXX FIXME inpcb/in6pcb vs socket*/
418 af = inph->inph_af;
419 KASSERTMSG(af == AF_INET || af == AF_INET6,
420 "unexpected protocol family %u", af);
421
422 KASSERT(inph->inph_sp != NULL);
423 /* If we have a cached entry, and if it is still valid, use it. */
424 IPSEC_STATINC(IPSEC_STAT_SPDCACHELOOKUP);
425 currsp = ipsec_checkpcbcache(m, inph->inph_sp, dir);
426 if (currsp) {
427 *error = 0;
428 return currsp;
429 }
430 IPSEC_STATINC(IPSEC_STAT_SPDCACHEMISS);
431
432 switch (af) {
433 case AF_INET:
434 #if defined(INET6)
435 case AF_INET6:
436 #endif
437 *error = ipsec_setspidx_inpcb(m, inph);
438 pcbsp = inph->inph_sp;
439 break;
440 default:
441 *error = EPFNOSUPPORT;
442 break;
443 }
444 if (*error)
445 return NULL;
446
447 KASSERT(pcbsp != NULL);
448 switch (dir) {
449 case IPSEC_DIR_INBOUND:
450 currsp = pcbsp->sp_in;
451 break;
452 case IPSEC_DIR_OUTBOUND:
453 currsp = pcbsp->sp_out;
454 break;
455 }
456 KASSERT(currsp != NULL);
457
458 if (pcbsp->priv) { /* when privileged socket */
459 switch (currsp->policy) {
460 case IPSEC_POLICY_BYPASS:
461 case IPSEC_POLICY_IPSEC:
462 KEY_SP_REF(currsp);
463 sp = currsp;
464 break;
465
466 case IPSEC_POLICY_ENTRUST:
467 /* look for a policy in SPD */
468 sp = KEY_LOOKUP_SP_BYSPIDX(&currsp->spidx, dir);
469 if (sp == NULL) /* no SP found */
470 sp = KEY_GET_DEFAULT_SP(af);
471 break;
472
473 default:
474 IPSECLOG(LOG_ERR, "Invalid policy for PCB %d\n",
475 currsp->policy);
476 *error = EINVAL;
477 return NULL;
478 }
479 } else { /* unpriv, SPD has policy */
480 sp = KEY_LOOKUP_SP_BYSPIDX(&currsp->spidx, dir);
481 if (sp == NULL) { /* no SP found */
482 switch (currsp->policy) {
483 case IPSEC_POLICY_BYPASS:
484 IPSECLOG(LOG_ERR, "Illegal policy for "
485 "non-priviliged defined %d\n",
486 currsp->policy);
487 *error = EINVAL;
488 return NULL;
489
490 case IPSEC_POLICY_ENTRUST:
491 sp = KEY_GET_DEFAULT_SP(af);
492 break;
493
494 case IPSEC_POLICY_IPSEC:
495 KEY_SP_REF(currsp);
496 sp = currsp;
497 break;
498
499 default:
500 IPSECLOG(LOG_ERR, "Invalid policy for "
501 "PCB %d\n", currsp->policy);
502 *error = EINVAL;
503 return NULL;
504 }
505 }
506 }
507 KASSERTMSG(sp != NULL, "null SP (priv %u policy %u", pcbsp->priv,
508 currsp->policy);
509 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
510 "DP (priv %u policy %u) allocates SP:%p (refcnt %u)\n",
511 pcbsp->priv, currsp->policy, sp, key_sp_refcnt(sp));
512 ipsec_fillpcbcache(pcbsp, m, sp, dir);
513 return sp;
514 }
515
516 /*
517 * For FORWARDING packet or OUTBOUND without a socket. Searching SPD for packet,
518 * and return a pointer to SP.
519 * OUT: positive: a pointer to the entry for security policy leaf matched.
520 * NULL: no appropriate SP found, the following value is set to error.
521 * 0 : bypass
522 * EACCES : discard packet.
523 * ENOENT : ipsec_acquire() in progress, maybe.
524 * others : error occurred.
525 */
526 static struct secpolicy *
527 ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
528 {
529 struct secpolicyindex spidx;
530 struct secpolicy *sp;
531
532 KASSERT(m != NULL);
533 KASSERT(error != NULL);
534 KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
535
536 sp = NULL;
537
538 /* Make an index to look for a policy. */
539 *error = ipsec_setspidx(m, &spidx, (flag & IP_FORWARDING) ? 0 : 1);
540 if (*error != 0) {
541 IPSECLOG(LOG_DEBUG, "setpidx failed, dir %u flag %u\n", dir, flag);
542 memset(&spidx, 0, sizeof(spidx));
543 return NULL;
544 }
545
546 spidx.dir = dir;
547
548 if (key_havesp(dir)) {
549 sp = KEY_LOOKUP_SP_BYSPIDX(&spidx, dir);
550 }
551 if (sp == NULL) {
552 /* no SP found, use system default */
553 sp = KEY_GET_DEFAULT_SP(spidx.dst.sa.sa_family);
554 }
555
556 KASSERT(sp != NULL);
557 return sp;
558 }
559
560 static struct secpolicy *
561 ipsec_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error,
562 void *inp)
563 {
564 struct secpolicy *sp;
565
566 *error = 0;
567
568 if (inp == NULL) {
569 sp = ipsec_getpolicybyaddr(m, dir, flag, error);
570 } else {
571 struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
572 KASSERT(inph->inph_socket != NULL);
573 sp = ipsec_getpolicybysock(m, dir, inph, error);
574 }
575 if (sp == NULL) {
576 KASSERTMSG(*error != 0, "getpolicy failed w/o error");
577 IPSEC_STATINC(IPSEC_STAT_OUT_INVAL);
578 return NULL;
579 }
580 KASSERTMSG(*error == 0, "sp w/ error set to %u", *error);
581
582 switch (sp->policy) {
583 case IPSEC_POLICY_ENTRUST:
584 default:
585 printf("%s: invalid policy %u\n", __func__, sp->policy);
586 /* fall thru... */
587 case IPSEC_POLICY_DISCARD:
588 IPSEC_STATINC(IPSEC_STAT_OUT_POLVIO);
589 *error = -EINVAL; /* packet is discarded by caller */
590 break;
591 case IPSEC_POLICY_BYPASS:
592 case IPSEC_POLICY_NONE:
593 KEY_SP_UNREF(&sp);
594 sp = NULL; /* NB: force NULL result */
595 break;
596 case IPSEC_POLICY_IPSEC:
597 KASSERT(sp->req != NULL);
598 break;
599 }
600
601 if (*error != 0) {
602 KEY_SP_UNREF(&sp);
603 sp = NULL;
604 IPSECLOG(LOG_DEBUG, "done, error %d\n", *error);
605 }
606
607 return sp;
608 }
609
610 int
611 ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags,
612 u_long *mtu, bool *natt_frag, bool *done)
613 {
614 struct secpolicy *sp = NULL;
615 u_long _mtu = 0;
616 int error, s;
617
618 /*
619 * Check the security policy (SP) for the packet and, if required,
620 * do IPsec-related processing. There are two cases here; the first
621 * time a packet is sent through it will be untagged and handled by
622 * ipsec_checkpolicy(). If the packet is resubmitted to ip_output
623 * (e.g. after AH, ESP, etc. processing), there will be a tag to
624 * bypass the lookup and related policy checking.
625 */
626 if (ipsec_outdone(m)) {
627 return 0;
628 }
629 s = splsoftnet();
630 if (inp && ipsec_pcb_skip_ipsec(inp->inp_sp, IPSEC_DIR_OUTBOUND)) {
631 splx(s);
632 return 0;
633 }
634 sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, inp);
635
636 /*
637 * There are four return cases:
638 * sp != NULL apply IPsec policy
639 * sp == NULL, error == 0 no IPsec handling needed
640 * sp == NULL, error == -EINVAL discard packet w/o error
641 * sp == NULL, error != 0 discard packet, report error
642 */
643 if (sp == NULL) {
644 splx(s);
645 if (error) {
646 /*
647 * Hack: -EINVAL is used to signal that a packet
648 * should be silently discarded. This is typically
649 * because we asked key management for an SA and
650 * it was delayed (e.g. kicked up to IKE).
651 */
652 if (error == -EINVAL)
653 error = 0;
654 m_freem(m);
655 *done = true;
656 return error;
657 }
658 /* No IPsec processing for this packet. */
659 return 0;
660 }
661
662 /*
663 * Do delayed checksums now because we send before
664 * this is done in the normal processing path.
665 */
666 if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
667 in_delayed_cksum(m);
668 m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
669 }
670
671 error = ipsec4_process_packet(m, sp->req, &_mtu);
672 if (error == 0 && _mtu != 0) {
673 /*
674 * NAT-T ESP fragmentation: do not do IPSec processing
675 * now, we will do it on each fragmented packet.
676 */
677 *mtu = _mtu;
678 *natt_frag = true;
679 KEY_SP_UNREF(&sp);
680 splx(s);
681 return 0;
682 }
683
684 /*
685 * Preserve KAME behaviour: ENOENT can be returned
686 * when an SA acquire is in progress. Don't propagate
687 * this to user-level; it confuses applications.
688 *
689 * XXX this will go away when the SADB is redone.
690 */
691 if (error == ENOENT)
692 error = 0;
693 KEY_SP_UNREF(&sp);
694 splx(s);
695 *done = true;
696 return error;
697 }
698
699 int
700 ipsec4_input(struct mbuf *m, int flags)
701 {
702 struct secpolicy *sp;
703 int error, s;
704
705 s = splsoftnet();
706 error = ipsec_in_reject(m, NULL);
707 splx(s);
708 if (error) {
709 return EINVAL;
710 }
711
712 if (flags == 0) {
713 /* We are done. */
714 return 0;
715 }
716
717 /*
718 * Peek at the outbound SP for this packet to determine if
719 * it is a Fast Forward candidate.
720 */
721 s = splsoftnet();
722 sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, NULL);
723 if (sp != NULL) {
724 m->m_flags &= ~M_CANFASTFWD;
725 KEY_SP_UNREF(&sp);
726 }
727 splx(s);
728 return 0;
729 }
730
731 /*
732 * If the packet is routed over IPsec tunnel, tell the originator the
733 * tunnel MTU.
734 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
735 *
736 * XXX: Quick hack!!!
737 *
738 * XXX: And what if the MTU goes negative?
739 */
740 int
741 ipsec4_forward(struct mbuf *m, int *destmtu)
742 {
743 struct secpolicy *sp;
744 size_t ipsechdr;
745 int error;
746
747 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING,
748 &error);
749 if (sp == NULL) {
750 return EINVAL;
751 }
752
753 /* Count IPsec header size. */
754 ipsechdr = ipsec_sp_hdrsiz(sp, m);
755
756 /*
757 * Find the correct route for outer IPv4 header, compute tunnel MTU.
758 */
759 if (sp->req) {
760 struct secasvar *sav;
761
762 sav = ipsec_lookup_sa(sp->req, m);
763 if (sav != NULL) {
764 struct route *ro;
765 struct rtentry *rt;
766
767 ro = &sav->sah->sa_route;
768 rt = rtcache_validate(ro);
769 if (rt && rt->rt_ifp) {
770 *destmtu = rt->rt_rmx.rmx_mtu ?
771 rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu;
772 *destmtu -= ipsechdr;
773 }
774 rtcache_unref(rt, ro);
775 KEY_SA_UNREF(&sav);
776 }
777 }
778 KEY_SP_UNREF(&sp);
779 return 0;
780 }
781
782 static int
783 ipsec_setspidx_inpcb(struct mbuf *m, void *pcb)
784 {
785 struct inpcb_hdr *inph = (struct inpcb_hdr *)pcb;
786 int error;
787
788 KASSERT(inph != NULL);
789 KASSERT(inph->inph_sp != NULL);
790 KASSERT(inph->inph_sp->sp_out != NULL);
791 KASSERT(inph->inph_sp->sp_in != NULL);
792
793 error = ipsec_setspidx(m, &inph->inph_sp->sp_in->spidx, 1);
794 if (error == 0) {
795 inph->inph_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND;
796 inph->inph_sp->sp_out->spidx = inph->inph_sp->sp_in->spidx;
797 inph->inph_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND;
798 } else {
799 memset(&inph->inph_sp->sp_in->spidx, 0,
800 sizeof(inph->inph_sp->sp_in->spidx));
801 memset(&inph->inph_sp->sp_out->spidx, 0,
802 sizeof(inph->inph_sp->sp_out->spidx));
803 }
804 return error;
805 }
806
807 /*
808 * configure security policy index (src/dst/proto/sport/dport)
809 * by looking at the content of mbuf.
810 * the caller is responsible for error recovery (like clearing up spidx).
811 */
812 static int
813 ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
814 {
815 struct ip *ip = NULL;
816 struct ip ipbuf;
817 u_int v;
818 struct mbuf *n;
819 int len;
820 int error;
821
822 KASSERT(m != NULL);
823
824 /*
825 * validate m->m_pkthdr.len. we see incorrect length if we
826 * mistakenly call this function with inconsistent mbuf chain
827 * (like 4.4BSD tcp/udp processing).
828 *
829 * XXX XXX XXX: We should remove this.
830 */
831 len = 0;
832 for (n = m; n; n = n->m_next)
833 len += n->m_len;
834 if (m->m_pkthdr.len != len) {
835 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
836 "total of m_len(%d) != pkthdr.len(%d), ignored.\n",
837 len, m->m_pkthdr.len);
838 KASSERTMSG(0, "impossible");
839 return EINVAL;
840 }
841
842 if (m->m_pkthdr.len < sizeof(struct ip)) {
843 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
844 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
845 m->m_pkthdr.len);
846 return EINVAL;
847 }
848
849 if (m->m_len >= sizeof(*ip)) {
850 ip = mtod(m, struct ip *);
851 } else {
852 m_copydata(m, 0, sizeof(ipbuf), &ipbuf);
853 ip = &ipbuf;
854 }
855 v = ip->ip_v;
856 switch (v) {
857 case 4:
858 error = ipsec4_setspidx_ipaddr(m, spidx);
859 if (error)
860 return error;
861 ipsec4_get_ulp(m, spidx, needport);
862 return 0;
863 #ifdef INET6
864 case 6:
865 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
866 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
867 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
868 "ignored.\n", m->m_pkthdr.len);
869 return EINVAL;
870 }
871 error = ipsec6_setspidx_ipaddr(m, spidx);
872 if (error)
873 return error;
874 ipsec6_get_ulp(m, spidx, needport);
875 return 0;
876 #endif
877 default:
878 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
879 "unknown IP version %u, ignored.\n", v);
880 return EINVAL;
881 }
882 }
883
884 static void
885 ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
886 {
887 u_int8_t nxt;
888 int off;
889
890 KASSERT(m != NULL);
891 KASSERTMSG(m->m_pkthdr.len >= sizeof(struct ip), "packet too short");
892
893 /* NB: ip_input() flips it into host endian XXX need more checking */
894 if (m->m_len >= sizeof(struct ip)) {
895 struct ip *ip = mtod(m, struct ip *);
896 if (ip->ip_off & htons(IP_MF | IP_OFFMASK))
897 goto done;
898 off = ip->ip_hl << 2;
899 nxt = ip->ip_p;
900 } else {
901 struct ip ih;
902
903 m_copydata(m, 0, sizeof(struct ip), &ih);
904 if (ih.ip_off & htons(IP_MF | IP_OFFMASK))
905 goto done;
906 off = ih.ip_hl << 2;
907 nxt = ih.ip_p;
908 }
909
910 while (off < m->m_pkthdr.len) {
911 struct ip6_ext ip6e;
912 struct tcphdr th;
913 struct udphdr uh;
914 struct icmp icmph;
915
916 switch (nxt) {
917 case IPPROTO_TCP:
918 spidx->ul_proto = nxt;
919 if (!needport)
920 goto done_proto;
921 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
922 goto done;
923 m_copydata(m, off, sizeof(th), &th);
924 spidx->src.sin.sin_port = th.th_sport;
925 spidx->dst.sin.sin_port = th.th_dport;
926 return;
927 case IPPROTO_UDP:
928 spidx->ul_proto = nxt;
929 if (!needport)
930 goto done_proto;
931 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
932 goto done;
933 m_copydata(m, off, sizeof(uh), &uh);
934 spidx->src.sin.sin_port = uh.uh_sport;
935 spidx->dst.sin.sin_port = uh.uh_dport;
936 return;
937 case IPPROTO_AH:
938 if (off + sizeof(ip6e) > m->m_pkthdr.len)
939 goto done;
940 /* XXX sigh, this works but is totally bogus */
941 m_copydata(m, off, sizeof(ip6e), &ip6e);
942 off += (ip6e.ip6e_len + 2) << 2;
943 nxt = ip6e.ip6e_nxt;
944 break;
945 case IPPROTO_ICMP:
946 spidx->ul_proto = nxt;
947 if (off + sizeof(struct icmp) > m->m_pkthdr.len)
948 goto done;
949 m_copydata(m, off, sizeof(icmph), &icmph);
950 ((struct sockaddr_in *)&spidx->src)->sin_port =
951 htons((uint16_t)icmph.icmp_type);
952 ((struct sockaddr_in *)&spidx->dst)->sin_port =
953 htons((uint16_t)icmph.icmp_code);
954 return;
955 default:
956 /* XXX intermediate headers??? */
957 spidx->ul_proto = nxt;
958 goto done_proto;
959 }
960 }
961 done:
962 spidx->ul_proto = IPSEC_ULPROTO_ANY;
963 done_proto:
964 spidx->src.sin.sin_port = IPSEC_PORT_ANY;
965 spidx->dst.sin.sin_port = IPSEC_PORT_ANY;
966 }
967
968 static int
969 ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
970 {
971 static const struct sockaddr_in template = {
972 sizeof(struct sockaddr_in),
973 AF_INET,
974 0, { 0 }, { 0, 0, 0, 0, 0, 0, 0, 0 }
975 };
976
977 spidx->src.sin = template;
978 spidx->dst.sin = template;
979
980 if (m->m_len < sizeof(struct ip)) {
981 m_copydata(m, offsetof(struct ip, ip_src),
982 sizeof(struct in_addr), &spidx->src.sin.sin_addr);
983 m_copydata(m, offsetof(struct ip, ip_dst),
984 sizeof(struct in_addr), &spidx->dst.sin.sin_addr);
985 } else {
986 struct ip *ip = mtod(m, struct ip *);
987 spidx->src.sin.sin_addr = ip->ip_src;
988 spidx->dst.sin.sin_addr = ip->ip_dst;
989 }
990
991 spidx->prefs = sizeof(struct in_addr) << 3;
992 spidx->prefd = sizeof(struct in_addr) << 3;
993
994 return 0;
995 }
996
997 #ifdef INET6
998 static void
999 ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
1000 {
1001 int off, nxt;
1002 struct tcphdr th;
1003 struct udphdr uh;
1004 struct icmp6_hdr icmph;
1005
1006 KASSERT(m != NULL);
1007
1008 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
1009 kdebug_mbuf(__func__, m);
1010 }
1011
1012 /* set default */
1013 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1014 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1015 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1016
1017 nxt = -1;
1018 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1019 if (off < 0 || m->m_pkthdr.len < off)
1020 return;
1021
1022 switch (nxt) {
1023 case IPPROTO_TCP:
1024 spidx->ul_proto = nxt;
1025 if (!needport)
1026 break;
1027 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1028 break;
1029 m_copydata(m, off, sizeof(th), &th);
1030 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1031 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1032 break;
1033 case IPPROTO_UDP:
1034 spidx->ul_proto = nxt;
1035 if (!needport)
1036 break;
1037 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1038 break;
1039 m_copydata(m, off, sizeof(uh), &uh);
1040 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1041 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1042 break;
1043 case IPPROTO_ICMPV6:
1044 spidx->ul_proto = nxt;
1045 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
1046 break;
1047 m_copydata(m, off, sizeof(icmph), &icmph);
1048 ((struct sockaddr_in6 *)&spidx->src)->sin6_port =
1049 htons((uint16_t)icmph.icmp6_type);
1050 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
1051 htons((uint16_t)icmph.icmp6_code);
1052 break;
1053 default:
1054 /* XXX intermediate headers??? */
1055 spidx->ul_proto = nxt;
1056 break;
1057 }
1058 }
1059
1060 static int
1061 ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
1062 {
1063 struct ip6_hdr *ip6 = NULL;
1064 struct ip6_hdr ip6buf;
1065 struct sockaddr_in6 *sin6;
1066
1067 if (m->m_len >= sizeof(*ip6)) {
1068 ip6 = mtod(m, struct ip6_hdr *);
1069 } else {
1070 m_copydata(m, 0, sizeof(ip6buf), &ip6buf);
1071 ip6 = &ip6buf;
1072 }
1073
1074 sin6 = (struct sockaddr_in6 *)&spidx->src;
1075 memset(sin6, 0, sizeof(*sin6));
1076 sin6->sin6_family = AF_INET6;
1077 sin6->sin6_len = sizeof(struct sockaddr_in6);
1078 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
1079 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1080 sin6->sin6_addr.s6_addr16[1] = 0;
1081 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1082 }
1083 spidx->prefs = sizeof(struct in6_addr) << 3;
1084
1085 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1086 memset(sin6, 0, sizeof(*sin6));
1087 sin6->sin6_family = AF_INET6;
1088 sin6->sin6_len = sizeof(struct sockaddr_in6);
1089 memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
1090 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1091 sin6->sin6_addr.s6_addr16[1] = 0;
1092 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1093 }
1094 spidx->prefd = sizeof(struct in6_addr) << 3;
1095
1096 return 0;
1097 }
1098 #endif
1099
1100 static void
1101 ipsec_delpcbpolicy(struct inpcbpolicy *p)
1102 {
1103
1104 kmem_intr_free(p, sizeof(*p));
1105 }
1106
1107 int
1108 ipsec_init_pcbpolicy(struct socket *so, struct inpcbpolicy **policy)
1109 {
1110 struct inpcbpolicy *new;
1111
1112 KASSERT(so != NULL);
1113 KASSERT(policy != NULL);
1114
1115 new = kmem_intr_zalloc(sizeof(*new), KM_NOSLEEP);
1116 if (new == NULL) {
1117 IPSECLOG(LOG_DEBUG, "No more memory.\n");
1118 return ENOBUFS;
1119 }
1120
1121 if (IPSEC_PRIVILEGED_SO(so))
1122 new->priv = 1;
1123 else
1124 new->priv = 0;
1125
1126 /*
1127 * Set dummy SPs. Actual SPs will be allocated later if needed.
1128 */
1129 new->sp_in = &ipsec_dummy_sp;
1130 new->sp_out = &ipsec_dummy_sp;
1131
1132 *policy = new;
1133
1134 return 0;
1135 }
1136
1137 static void
1138 ipsec_destroy_policy(struct secpolicy *sp)
1139 {
1140
1141 if (sp == &ipsec_dummy_sp) {
1142 ; /* It's dummy. No need to free it. */
1143 } else {
1144 /*
1145 * We cannot destroy here because it can be called in
1146 * softint. So mark the SP as DEAD and let the timer
1147 * destroy it. See key_timehandler_spd.
1148 */
1149 sp->state = IPSEC_SPSTATE_DEAD;
1150 }
1151 }
1152
1153 int
1154 ipsec_set_policy(void *inp, int optname, const void *request, size_t len,
1155 kauth_cred_t cred)
1156 {
1157 struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
1158 const struct sadb_x_policy *xpl;
1159 struct secpolicy *newsp, *oldsp;
1160 struct secpolicy **policy;
1161 int error;
1162
1163 KASSERT(!cpu_softintr_p());
1164 KASSERT(inph != NULL);
1165 KASSERT(inph_locked(inph));
1166 KASSERT(request != NULL);
1167
1168 if (len < sizeof(*xpl))
1169 return EINVAL;
1170 xpl = (const struct sadb_x_policy *)request;
1171
1172 KASSERT(inph->inph_sp != NULL);
1173
1174 /* select direction */
1175 switch (xpl->sadb_x_policy_dir) {
1176 case IPSEC_DIR_INBOUND:
1177 policy = &inph->inph_sp->sp_in;
1178 break;
1179 case IPSEC_DIR_OUTBOUND:
1180 policy = &inph->inph_sp->sp_out;
1181 break;
1182 default:
1183 IPSECLOG(LOG_ERR, "invalid direction=%u\n",
1184 xpl->sadb_x_policy_dir);
1185 return EINVAL;
1186 }
1187
1188 /* sanity check. */
1189 if (policy == NULL || *policy == NULL)
1190 return EINVAL;
1191
1192 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
1193 kdebug_sadb_xpolicy("set passed policy", request);
1194 }
1195
1196 /* check policy type */
1197 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1198 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
1199 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1200 return EINVAL;
1201
1202 /* check privileged socket */
1203 if (xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) {
1204 error = kauth_authorize_network(cred, KAUTH_NETWORK_IPSEC,
1205 KAUTH_REQ_NETWORK_IPSEC_BYPASS, NULL, NULL, NULL);
1206 if (error)
1207 return error;
1208 }
1209
1210 /* allocation new SP entry */
1211 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1212 return error;
1213
1214 key_init_sp(newsp);
1215 newsp->created = time_uptime;
1216 /* Insert the global list for SPs for sockets */
1217 key_socksplist_add(newsp);
1218
1219 /* clear old SP and set new SP */
1220 oldsp = *policy;
1221 *policy = newsp;
1222 ipsec_destroy_policy(oldsp);
1223
1224 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
1225 printf("%s: new policy\n", __func__);
1226 kdebug_secpolicy(newsp);
1227 }
1228
1229 return 0;
1230 }
1231
1232 int
1233 ipsec_get_policy(void *inp, const void *request, size_t len,
1234 struct mbuf **mp)
1235 {
1236 struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
1237 const struct sadb_x_policy *xpl;
1238 struct secpolicy *policy;
1239
1240 /* sanity check. */
1241 if (inph == NULL || request == NULL || mp == NULL)
1242 return EINVAL;
1243 KASSERT(inph->inph_sp != NULL);
1244 if (len < sizeof(*xpl))
1245 return EINVAL;
1246 xpl = (const struct sadb_x_policy *)request;
1247
1248 /* select direction */
1249 switch (xpl->sadb_x_policy_dir) {
1250 case IPSEC_DIR_INBOUND:
1251 policy = inph->inph_sp->sp_in;
1252 break;
1253 case IPSEC_DIR_OUTBOUND:
1254 policy = inph->inph_sp->sp_out;
1255 break;
1256 default:
1257 IPSECLOG(LOG_ERR, "invalid direction=%u\n",
1258 xpl->sadb_x_policy_dir);
1259 return EINVAL;
1260 }
1261
1262 if (policy == NULL)
1263 return EINVAL;
1264
1265 *mp = key_sp2msg(policy, M_NOWAIT);
1266 if (!*mp) {
1267 IPSECLOG(LOG_DEBUG, "No more memory.\n");
1268 return ENOBUFS;
1269 }
1270
1271 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
1272 kdebug_mbuf(__func__, *mp);
1273 }
1274
1275 return 0;
1276 }
1277
1278 int
1279 ipsec_delete_pcbpolicy(void *inp)
1280 {
1281 struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
1282
1283 KASSERT(inph != NULL);
1284
1285 if (inph->inph_sp == NULL)
1286 return 0;
1287
1288 if (inph->inph_sp->sp_in != NULL)
1289 ipsec_destroy_policy(inph->inph_sp->sp_in);
1290
1291 if (inph->inph_sp->sp_out != NULL)
1292 ipsec_destroy_policy(inph->inph_sp->sp_out);
1293
1294 ipsec_invalpcbcache(inph->inph_sp, IPSEC_DIR_ANY);
1295
1296 ipsec_delpcbpolicy(inph->inph_sp);
1297 inph->inph_sp = NULL;
1298
1299 return 0;
1300 }
1301
1302 /*
1303 * Return the current level (either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE).
1304 */
1305 u_int
1306 ipsec_get_reqlevel(const struct ipsecrequest *isr)
1307 {
1308 u_int level = 0;
1309 u_int esp_trans_deflev, esp_net_deflev;
1310 u_int ah_trans_deflev, ah_net_deflev;
1311
1312 KASSERT(isr != NULL);
1313 KASSERT(isr->sp != NULL);
1314 KASSERTMSG(
1315 isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family,
1316 "af family mismatch, src %u, dst %u",
1317 isr->sp->spidx.src.sa.sa_family, isr->sp->spidx.dst.sa.sa_family);
1318
1319 /* XXX note that we have ipseclog() expanded here - code sync issue */
1320 #define IPSEC_CHECK_DEFAULT(lev) \
1321 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1322 && (lev) != IPSEC_LEVEL_UNIQUE) ? \
1323 (ipsec_debug ? log(LOG_INFO, "fixed system default level " #lev \
1324 ":%d->%d\n", (lev), IPSEC_LEVEL_REQUIRE) : (void)0), \
1325 (lev) = IPSEC_LEVEL_REQUIRE, (lev) \
1326 : (lev))
1327
1328 /* set default level */
1329 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1330 #ifdef INET
1331 case AF_INET:
1332 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1333 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1334 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1335 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1336 break;
1337 #endif
1338 #ifdef INET6
1339 case AF_INET6:
1340 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1341 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1342 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1343 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1344 break;
1345 #endif
1346 default:
1347 panic("%s: unknown af %u", __func__,
1348 isr->sp->spidx.src.sa.sa_family);
1349 }
1350
1351 #undef IPSEC_CHECK_DEFAULT
1352
1353 /* set level */
1354 switch (isr->level) {
1355 case IPSEC_LEVEL_DEFAULT:
1356 switch (isr->saidx.proto) {
1357 case IPPROTO_ESP:
1358 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1359 level = esp_net_deflev;
1360 else
1361 level = esp_trans_deflev;
1362 break;
1363 case IPPROTO_AH:
1364 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1365 level = ah_net_deflev;
1366 else
1367 level = ah_trans_deflev;
1368 break;
1369 case IPPROTO_IPCOMP:
1370 /*
1371 * we don't really care, as IPcomp document says that
1372 * we shouldn't compress small packets
1373 */
1374 level = IPSEC_LEVEL_USE;
1375 break;
1376 default:
1377 panic("%s: Illegal protocol defined %u", __func__,
1378 isr->saidx.proto);
1379 }
1380 break;
1381
1382 case IPSEC_LEVEL_USE:
1383 case IPSEC_LEVEL_REQUIRE:
1384 level = isr->level;
1385 break;
1386 case IPSEC_LEVEL_UNIQUE:
1387 level = IPSEC_LEVEL_REQUIRE;
1388 break;
1389
1390 default:
1391 panic("%s: Illegal IPsec level %u", __func__, isr->level);
1392 }
1393
1394 return level;
1395 }
1396
1397 /*
1398 * Check security policy requirements against the actual packet contents.
1399 *
1400 * If the SP requires an IPsec packet, and the packet was neither AH nor ESP,
1401 * then kick it.
1402 */
1403 static int
1404 ipsec_sp_reject(const struct secpolicy *sp, const struct mbuf *m)
1405 {
1406 struct ipsecrequest *isr;
1407
1408 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
1409 printf("%s: using SP\n", __func__);
1410 kdebug_secpolicy(sp);
1411 }
1412
1413 /* check policy */
1414 switch (sp->policy) {
1415 case IPSEC_POLICY_DISCARD:
1416 return 1;
1417 case IPSEC_POLICY_BYPASS:
1418 case IPSEC_POLICY_NONE:
1419 return 0;
1420 }
1421
1422 KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC,
1423 "invalid policy %u", sp->policy);
1424
1425 /* XXX should compare policy against ipsec header history */
1426
1427 for (isr = sp->req; isr != NULL; isr = isr->next) {
1428 if (ipsec_get_reqlevel(isr) != IPSEC_LEVEL_REQUIRE)
1429 continue;
1430 switch (isr->saidx.proto) {
1431 case IPPROTO_ESP:
1432 if ((m->m_flags & M_DECRYPTED) == 0) {
1433 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
1434 "ESP m_flags:%x\n", m->m_flags);
1435 return 1;
1436 }
1437 break;
1438 case IPPROTO_AH:
1439 if ((m->m_flags & M_AUTHIPHDR) == 0) {
1440 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
1441 "AH m_flags:%x\n", m->m_flags);
1442 return 1;
1443 }
1444 break;
1445 case IPPROTO_IPCOMP:
1446 /*
1447 * We don't really care, as IPcomp document
1448 * says that we shouldn't compress small
1449 * packets, IPComp policy should always be
1450 * treated as being in "use" level.
1451 */
1452 break;
1453 }
1454 }
1455
1456 return 0;
1457 }
1458
1459 /*
1460 * Check security policy requirements.
1461 */
1462 int
1463 ipsec_in_reject(struct mbuf *m, void *inp)
1464 {
1465 struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
1466 struct secpolicy *sp;
1467 int error;
1468 int result;
1469
1470 KASSERT(m != NULL);
1471
1472 if (inph == NULL)
1473 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1474 IP_FORWARDING, &error);
1475 else
1476 sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND,
1477 inph, &error);
1478
1479 if (sp != NULL) {
1480 result = ipsec_sp_reject(sp, m);
1481 if (result)
1482 IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
1483 KEY_SP_UNREF(&sp);
1484 } else {
1485 result = 0;
1486 }
1487 return result;
1488 }
1489
1490 /*
1491 * Compute the byte size to be occupied by the IPsec header. If it is
1492 * tunneled, it includes the size of outer IP header.
1493 */
1494 static size_t
1495 ipsec_sp_hdrsiz(const struct secpolicy *sp, const struct mbuf *m)
1496 {
1497 struct ipsecrequest *isr;
1498 size_t siz;
1499
1500 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
1501 printf("%s: using SP\n", __func__);
1502 kdebug_secpolicy(sp);
1503 }
1504
1505 switch (sp->policy) {
1506 case IPSEC_POLICY_DISCARD:
1507 case IPSEC_POLICY_BYPASS:
1508 case IPSEC_POLICY_NONE:
1509 return 0;
1510 }
1511
1512 KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC,
1513 "invalid policy %u", sp->policy);
1514
1515 siz = 0;
1516 for (isr = sp->req; isr != NULL; isr = isr->next) {
1517 size_t clen = 0;
1518 struct secasvar *sav;
1519
1520 switch (isr->saidx.proto) {
1521 case IPPROTO_ESP:
1522 sav = ipsec_lookup_sa(isr, m);
1523 if (sav != NULL) {
1524 clen = esp_hdrsiz(sav);
1525 KEY_SA_UNREF(&sav);
1526 } else
1527 clen = esp_hdrsiz(NULL);
1528 break;
1529 case IPPROTO_AH:
1530 sav = ipsec_lookup_sa(isr, m);
1531 if (sav != NULL) {
1532 clen = ah_hdrsiz(sav);
1533 KEY_SA_UNREF(&sav);
1534 } else
1535 clen = ah_hdrsiz(NULL);
1536 break;
1537 case IPPROTO_IPCOMP:
1538 clen = sizeof(struct ipcomp);
1539 break;
1540 }
1541
1542 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1543 switch (isr->saidx.dst.sa.sa_family) {
1544 case AF_INET:
1545 clen += sizeof(struct ip);
1546 break;
1547 #ifdef INET6
1548 case AF_INET6:
1549 clen += sizeof(struct ip6_hdr);
1550 break;
1551 #endif
1552 default:
1553 IPSECLOG(LOG_ERR, "unknown AF %d in "
1554 "IPsec tunnel SA\n",
1555 ((const struct sockaddr *)&isr->saidx.dst)
1556 ->sa_family);
1557 break;
1558 }
1559 }
1560 siz += clen;
1561 }
1562
1563 return siz;
1564 }
1565
1566 size_t
1567 ipsec_hdrsiz(struct mbuf *m, u_int dir, void *inp)
1568 {
1569 struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
1570 struct secpolicy *sp;
1571 int error;
1572 size_t size;
1573
1574 KASSERT(m != NULL);
1575 KASSERTMSG(inph == NULL || inph->inph_socket != NULL,
1576 "socket w/o inpcb");
1577
1578 if (inph == NULL)
1579 sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1580 else
1581 sp = ipsec_getpolicybysock(m, dir, inph, &error);
1582
1583 if (sp != NULL) {
1584 size = ipsec_sp_hdrsiz(sp, m);
1585 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%zu.\n", size);
1586 KEY_SP_UNREF(&sp);
1587 } else {
1588 size = 0;
1589 }
1590
1591 return size;
1592 }
1593
1594 /*
1595 * Check the variable replay window.
1596 * ipsec_chkreplay() performs replay check before ICV verification.
1597 * ipsec_updatereplay() updates replay bitmap. This must be called after
1598 * ICV verification (it also performs replay check, which is usually done
1599 * beforehand).
1600 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
1601 *
1602 * based on RFC 2401.
1603 */
1604 int
1605 ipsec_chkreplay(u_int32_t seq, const struct secasvar *sav)
1606 {
1607 const struct secreplay *replay;
1608 u_int32_t diff;
1609 int fr;
1610 u_int32_t wsizeb; /* constant: bits of window size */
1611 int frlast; /* constant: last frame */
1612
1613 IPSEC_SPLASSERT_SOFTNET(__func__);
1614
1615 KASSERT(sav != NULL);
1616 KASSERT(sav->replay != NULL);
1617
1618 replay = sav->replay;
1619
1620 if (replay->wsize == 0)
1621 return 1; /* no need to check replay. */
1622
1623 /* constant */
1624 frlast = replay->wsize - 1;
1625 wsizeb = replay->wsize << 3;
1626
1627 /* sequence number of 0 is invalid */
1628 if (seq == 0)
1629 return 0;
1630
1631 /* first time is always okay */
1632 if (replay->count == 0)
1633 return 1;
1634
1635 if (seq > replay->lastseq) {
1636 /* larger sequences are okay */
1637 return 1;
1638 } else {
1639 /* seq is equal or less than lastseq. */
1640 diff = replay->lastseq - seq;
1641
1642 /* over range to check, i.e. too old or wrapped */
1643 if (diff >= wsizeb)
1644 return 0;
1645
1646 fr = frlast - diff / 8;
1647
1648 /* this packet already seen ? */
1649 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
1650 return 0;
1651
1652 /* out of order but good */
1653 return 1;
1654 }
1655 }
1656
1657 /*
1658 * check replay counter whether to update or not.
1659 * OUT: 0: OK
1660 * 1: NG
1661 */
1662 int
1663 ipsec_updatereplay(u_int32_t seq, const struct secasvar *sav)
1664 {
1665 struct secreplay *replay;
1666 u_int32_t diff;
1667 int fr;
1668 u_int32_t wsizeb; /* constant: bits of window size */
1669 int frlast; /* constant: last frame */
1670
1671 IPSEC_SPLASSERT_SOFTNET(__func__);
1672
1673 KASSERT(sav != NULL);
1674 KASSERT(sav->replay != NULL);
1675
1676 replay = sav->replay;
1677
1678 if (replay->wsize == 0)
1679 goto ok; /* no need to check replay. */
1680
1681 /* constant */
1682 frlast = replay->wsize - 1;
1683 wsizeb = replay->wsize << 3;
1684
1685 /* sequence number of 0 is invalid */
1686 if (seq == 0)
1687 return 1;
1688
1689 /* first time */
1690 if (replay->count == 0) {
1691 replay->lastseq = seq;
1692 memset(replay->bitmap, 0, replay->wsize);
1693 (replay->bitmap)[frlast] = 1;
1694 goto ok;
1695 }
1696
1697 if (seq > replay->lastseq) {
1698 /* seq is larger than lastseq. */
1699 diff = seq - replay->lastseq;
1700
1701 /* new larger sequence number */
1702 if (diff < wsizeb) {
1703 /* In window */
1704 /* set bit for this packet */
1705 vshiftl(replay->bitmap, diff, replay->wsize);
1706 (replay->bitmap)[frlast] |= 1;
1707 } else {
1708 /* this packet has a "way larger" */
1709 memset(replay->bitmap, 0, replay->wsize);
1710 (replay->bitmap)[frlast] = 1;
1711 }
1712 replay->lastseq = seq;
1713
1714 /* larger is good */
1715 } else {
1716 /* seq is equal or less than lastseq. */
1717 diff = replay->lastseq - seq;
1718
1719 /* over range to check, i.e. too old or wrapped */
1720 if (diff >= wsizeb)
1721 return 1;
1722
1723 fr = frlast - diff / 8;
1724
1725 /* this packet already seen ? */
1726 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
1727 return 1;
1728
1729 /* mark as seen */
1730 (replay->bitmap)[fr] |= (1 << (diff % 8));
1731
1732 /* out of order but good */
1733 }
1734
1735 ok:
1736 if (replay->count == ~0) {
1737 char buf[IPSEC_LOGSASTRLEN];
1738
1739 /* set overflow flag */
1740 replay->overflow++;
1741
1742 /* don't increment, no more packets accepted */
1743 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
1744 return 1;
1745
1746 IPSECLOG(LOG_WARNING, "replay counter made %d cycle. %s\n",
1747 replay->overflow, ipsec_logsastr(sav, buf, sizeof(buf)));
1748 }
1749
1750 replay->count++;
1751
1752 return 0;
1753 }
1754
1755 /*
1756 * shift variable length buffer to left.
1757 * IN: bitmap: pointer to the buffer
1758 * nbit: the number of to shift.
1759 * wsize: buffer size (bytes).
1760 */
1761 static void
1762 vshiftl(unsigned char *bitmap, int nbit, int wsize)
1763 {
1764 int s, j, i;
1765 unsigned char over;
1766
1767 for (j = 0; j < nbit; j += 8) {
1768 s = (nbit - j < 8) ? (nbit - j): 8;
1769 bitmap[0] <<= s;
1770 for (i = 1; i < wsize; i++) {
1771 over = (bitmap[i] >> (8 - s));
1772 bitmap[i] <<= s;
1773 bitmap[i-1] |= over;
1774 }
1775 }
1776
1777 return;
1778 }
1779
1780 /* Return a printable string for the address. */
1781 const char *
1782 ipsec_address(const union sockaddr_union *sa, char *buf, size_t size)
1783 {
1784 switch (sa->sa.sa_family) {
1785 case AF_INET:
1786 in_print(buf, size, &sa->sin.sin_addr);
1787 return buf;
1788 #if INET6
1789 case AF_INET6:
1790 in6_print(buf, size, &sa->sin6.sin6_addr);
1791 return buf;
1792 #endif
1793 default:
1794 return "(unknown address family)";
1795 }
1796 }
1797
1798 const char *
1799 ipsec_logsastr(const struct secasvar *sav, char *buf, size_t size)
1800 {
1801 const struct secasindex *saidx = &sav->sah->saidx;
1802 char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
1803
1804 KASSERTMSG(saidx->src.sa.sa_family == saidx->dst.sa.sa_family,
1805 "af family mismatch, src %u, dst %u",
1806 saidx->src.sa.sa_family, saidx->dst.sa.sa_family);
1807
1808 snprintf(buf, size, "SA(SPI=%u src=%s dst=%s)",
1809 (u_int32_t)ntohl(sav->spi),
1810 ipsec_address(&saidx->src, sbuf, sizeof(sbuf)),
1811 ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)));
1812
1813 return buf;
1814 }
1815
1816 #ifdef INET6
1817 struct secpolicy *
1818 ipsec6_check_policy(struct mbuf *m, struct in6pcb *in6p, int flags,
1819 int *needipsecp, int *errorp)
1820 {
1821 struct secpolicy *sp = NULL;
1822 int s;
1823 int error = 0;
1824 int needipsec = 0;
1825
1826 if (ipsec_outdone(m)) {
1827 goto skippolicycheck;
1828 }
1829 s = splsoftnet();
1830 if (in6p && ipsec_pcb_skip_ipsec(in6p->in6p_sp, IPSEC_DIR_OUTBOUND)) {
1831 splx(s);
1832 goto skippolicycheck;
1833 }
1834 sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, in6p);
1835 splx(s);
1836
1837 /*
1838 * There are four return cases:
1839 * sp != NULL apply IPsec policy
1840 * sp == NULL, error == 0 no IPsec handling needed
1841 * sp == NULL, error == -EINVAL discard packet w/o error
1842 * sp == NULL, error != 0 discard packet, report error
1843 */
1844 if (sp == NULL) {
1845 needipsec = 0;
1846 } else {
1847 needipsec = 1;
1848 }
1849
1850 skippolicycheck:
1851 *errorp = error;
1852 *needipsecp = needipsec;
1853 return sp;
1854 }
1855
1856 int
1857 ipsec6_input(struct mbuf *m)
1858 {
1859 int s, error;
1860
1861 s = splsoftnet();
1862 error = ipsec_in_reject(m, NULL);
1863 splx(s);
1864 if (error) {
1865 return EINVAL;
1866 }
1867
1868 return 0;
1869 }
1870 #endif /* INET6 */
1871
1872 /*
1873 * -----------------------------------------------------------------------------
1874 */
1875
1876 /* XXX this stuff doesn't belong here... */
1877
1878 static struct xformsw *xforms = NULL;
1879
1880 /*
1881 * Register a transform; typically at system startup.
1882 */
1883 void
1884 xform_register(struct xformsw *xsp)
1885 {
1886 xsp->xf_next = xforms;
1887 xforms = xsp;
1888 }
1889
1890 /*
1891 * Initialize transform support in an sav.
1892 */
1893 int
1894 xform_init(struct secasvar *sav, int xftype)
1895 {
1896 struct xformsw *xsp;
1897
1898 if (sav->tdb_xform != NULL) /* previously initialized */
1899 return 0;
1900 for (xsp = xforms; xsp; xsp = xsp->xf_next)
1901 if (xsp->xf_type == xftype)
1902 return (*xsp->xf_init)(sav, xsp);
1903
1904 IPSECLOG(LOG_DEBUG, "no match for xform type %d\n", xftype);
1905 return EINVAL;
1906 }
1907
1908 void
1909 nat_t_ports_get(struct mbuf *m, u_int16_t *dport, u_int16_t *sport)
1910 {
1911 struct m_tag *tag;
1912
1913 if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
1914 *sport = ((u_int16_t *)(tag + 1))[0];
1915 *dport = ((u_int16_t *)(tag + 1))[1];
1916 } else
1917 *sport = *dport = 0;
1918 }
1919
1920 /*
1921 * XXXJRT This should be done as a protosw init call.
1922 */
1923 void
1924 ipsec_attach(void)
1925 {
1926
1927 ipsec_output_init();
1928
1929 ipsecstat_percpu = percpu_alloc(sizeof(uint64_t) * IPSEC_NSTATS);
1930
1931 sysctl_net_inet_ipsec_setup(NULL);
1932 #ifdef INET6
1933 sysctl_net_inet6_ipsec6_setup(NULL);
1934 #endif
1935
1936 ah_attach();
1937 esp_attach();
1938 ipcomp_attach();
1939 ipe4_attach();
1940 #ifdef TCP_SIGNATURE
1941 tcpsignature_attach();
1942 #endif
1943 }
1944