ipsec_netbsd.c revision 1.8
1 /* $NetBSD: ipsec_netbsd.c,v 1.8 2004/03/24 15:34:55 atatat Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.8 2004/03/24 15:34:55 atatat Exp $"); 36 37 #include "opt_inet.h" 38 #include "opt_ipsec.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/malloc.h> 43 #include <sys/mbuf.h> 44 #include <sys/domain.h> 45 #include <sys/protosw.h> 46 #include <sys/socket.h> 47 #include <sys/errno.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/route.h> 54 #include <net/netisr.h> 55 #include <machine/cpu.h> 56 57 #include <netinet/in.h> 58 #include <netinet/in_systm.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip.h> 61 #include <netinet/ip_var.h> 62 #include <netinet/ip_ecn.h> 63 #include <netinet/ip_icmp.h> 64 65 66 #include <netipsec/ipsec.h> 67 #include <netipsec/key.h> 68 #include <netipsec/keydb.h> 69 #include <netipsec/key_debug.h> 70 #include <netipsec/ah_var.h> 71 #include <netipsec/esp.h> 72 73 #ifdef INET6 74 #include <netipsec/ipsec6.h> 75 #include <netinet6/ip6protosw.h> 76 #include <netinet/icmp6.h> 77 #endif 78 79 #include <machine/stdarg.h> 80 81 82 83 #include <netipsec/key.h> 84 85 /* assumes that ip header and ah header are contiguous on mbuf */ 86 void * 87 ah4_ctlinput(cmd, sa, v) 88 int cmd; 89 struct sockaddr *sa; 90 void *v; 91 { 92 struct ip *ip = v; 93 struct ah *ah; 94 struct icmp *icp; 95 struct secasvar *sav; 96 97 if (sa->sa_family != AF_INET || 98 sa->sa_len != sizeof(struct sockaddr_in)) 99 return NULL; 100 if ((unsigned)cmd >= PRC_NCMDS) 101 return NULL; 102 #ifndef notyet 103 /* jonathan (at) netbsd.org: XXX FIXME */ 104 (void) ip; (void) ah; (void) icp; (void) sav; 105 #else 106 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 107 /* 108 * Check to see if we have a valid SA corresponding to 109 * the address in the ICMP message payload. 110 */ 111 ah = (struct ah *)((caddr_t)ip + (ip->ip_hl << 2)); 112 if ((sav = key_allocsa(AF_INET, 113 (caddr_t) &ip->ip_src, 114 (caddr_t) &ip->ip_dst, 115 IPPROTO_AH, ah->ah_spi)) == NULL) 116 return NULL; 117 if (sav->state != SADB_SASTATE_MATURE && 118 sav->state != SADB_SASTATE_DYING) { 119 key_freesav(sav); 120 return NULL; 121 } 122 123 /* XXX Further validation? */ 124 125 key_freesav(sav); 126 127 /* 128 * Now that we've validated that we are actually communicating 129 * with the host indicated in the ICMP message, locate the 130 * ICMP header, recalculate the new MTU, and create the 131 * corresponding routing entry. 132 */ 133 icp = (struct icmp *)((caddr_t)ip - 134 offsetof(struct icmp, icmp_ip)); 135 icmp_mtudisc(icp, ip->ip_dst); 136 137 return NULL; 138 } 139 #endif 140 141 return NULL; 142 } 143 144 /* assumes that ip header and esp header are contiguous on mbuf */ 145 void * 146 esp4_ctlinput(cmd, sa, v) 147 int cmd; 148 struct sockaddr *sa; 149 void *v; 150 { 151 struct ip *ip = v; 152 struct esp *esp; 153 struct icmp *icp; 154 struct secasvar *sav; 155 156 if (sa->sa_family != AF_INET || 157 sa->sa_len != sizeof(struct sockaddr_in)) 158 return NULL; 159 if ((unsigned)cmd >= PRC_NCMDS) 160 return NULL; 161 #ifndef notyet 162 /* jonathan (at) netbsd.org: XXX FIXME */ 163 (void) ip; (void) esp; (void) icp; (void) sav; 164 #else 165 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 166 /* 167 * Check to see if we have a valid SA corresponding to 168 * the address in the ICMP message payload. 169 */ 170 esp = (struct esp *)((caddr_t)ip + (ip->ip_hl << 2)); 171 if ((sav = key_allocsa(AF_INET, 172 (caddr_t) &ip->ip_src, 173 (caddr_t) &ip->ip_dst, 174 IPPROTO_ESP, esp->esp_spi)) == NULL) 175 return NULL; 176 if (sav->state != SADB_SASTATE_MATURE && 177 sav->state != SADB_SASTATE_DYING) { 178 key_freesav(sav); 179 return NULL; 180 } 181 182 /* XXX Further validation? */ 183 184 key_freesav(sav); 185 186 /* 187 * Now that we've validated that we are actually communicating 188 * with the host indicated in the ICMP message, locate the 189 * ICMP header, recalculate the new MTU, and create the 190 * corresponding routing entry. 191 */ 192 icp = (struct icmp *)((caddr_t)ip - 193 offsetof(struct icmp, icmp_ip)); 194 icmp_mtudisc(icp, ip->ip_dst); 195 196 return NULL; 197 } 198 #endif 199 200 return NULL; 201 } 202 203 #ifdef INET6 204 void 205 esp6_ctlinput(cmd, sa, d) 206 int cmd; 207 struct sockaddr *sa; 208 void *d; 209 { 210 const struct newesp *espp; 211 struct newesp esp; 212 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 213 struct secasvar *sav; 214 struct ip6_hdr *ip6; 215 struct mbuf *m; 216 int off; 217 struct sockaddr_in6 *sa6_src, *sa6_dst; 218 219 if (sa->sa_family != AF_INET6 || 220 sa->sa_len != sizeof(struct sockaddr_in6)) 221 return; 222 if ((unsigned)cmd >= PRC_NCMDS) 223 return; 224 225 /* if the parameter is from icmp6, decode it. */ 226 if (d != NULL) { 227 ip6cp = (struct ip6ctlparam *)d; 228 m = ip6cp->ip6c_m; 229 ip6 = ip6cp->ip6c_ip6; 230 off = ip6cp->ip6c_off; 231 } else { 232 m = NULL; 233 ip6 = NULL; 234 off = 0; 235 } 236 237 if (ip6) { 238 /* 239 * Notify the error to all possible sockets via pfctlinput2. 240 * Since the upper layer information (such as protocol type, 241 * source and destination ports) is embedded in the encrypted 242 * data and might have been cut, we can't directly call 243 * an upper layer ctlinput function. However, the pcbnotify 244 * function will consider source and destination addresses 245 * as well as the flow info value, and may be able to find 246 * some PCB that should be notified. 247 * Although pfctlinput2 will call esp6_ctlinput(), there is 248 * no possibility of an infinite loop of function calls, 249 * because we don't pass the inner IPv6 header. 250 */ 251 bzero(&ip6cp1, sizeof(ip6cp1)); 252 ip6cp1.ip6c_src = ip6cp->ip6c_src; 253 pfctlinput2(cmd, sa, (void *)&ip6cp1); 254 255 /* 256 * Then go to special cases that need ESP header information. 257 * XXX: We assume that when ip6 is non NULL, 258 * M and OFF are valid. 259 */ 260 261 /* check if we can safely examine src and dst ports */ 262 if (m->m_pkthdr.len < off + sizeof(esp)) 263 return; 264 265 if (m->m_len < off + sizeof(esp)) { 266 /* 267 * this should be rare case, 268 * so we compromise on this copy... 269 */ 270 m_copydata(m, off, sizeof(esp), (caddr_t)&esp); 271 espp = &esp; 272 } else 273 espp = (struct newesp*)(mtod(m, caddr_t) + off); 274 275 if (cmd == PRC_MSGSIZE) { 276 int valid = 0; 277 278 /* 279 * Check to see if we have a valid SA corresponding to 280 * the address in the ICMP message payload. 281 */ 282 sa6_src = ip6cp->ip6c_src; 283 sa6_dst = (struct sockaddr_in6 *)sa; 284 #ifdef KAME 285 sav = key_allocsa(AF_INET6, 286 (caddr_t)&sa6_src->sin6_addr, 287 (caddr_t)&sa6_dst->sin6_addr, 288 IPPROTO_ESP, espp->esp_spi); 289 #else 290 /* jonathan (at) netbsd.org: XXX FIXME */ 291 (void)sa6_src; (void)sa6_dst; 292 sav = KEY_ALLOCSA((union sockaddr_union*)sa, 293 IPPROTO_ESP, espp->esp_spi); 294 295 #endif 296 if (sav) { 297 if (sav->state == SADB_SASTATE_MATURE || 298 sav->state == SADB_SASTATE_DYING) 299 valid++; 300 KEY_FREESAV(&sav); 301 } 302 303 /* XXX Further validation? */ 304 305 /* 306 * Depending on the value of "valid" and routing table 307 * size (mtudisc_{hi,lo}wat), we will: 308 * - recalcurate the new MTU and create the 309 * corresponding routing entry, or 310 * - ignore the MTU change notification. 311 */ 312 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 313 } 314 } else { 315 /* we normally notify any pcb here */ 316 } 317 } 318 #endif /* INET6 */ 319 320 static int 321 sysctl_fast_ipsec(SYSCTLFN_ARGS) 322 { 323 int error, t; 324 struct sysctlnode node; 325 326 node = *rnode; 327 t = *(int*)rnode->sysctl_data; 328 node.sysctl_data = &t; 329 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 330 if (error || newp == NULL) 331 return (error); 332 333 switch (rnode->sysctl_num) { 334 case IPSECCTL_DEF_ESP_TRANSLEV: 335 case IPSECCTL_DEF_ESP_NETLEV: 336 case IPSECCTL_DEF_AH_TRANSLEV: 337 case IPSECCTL_DEF_AH_NETLEV: 338 if (t != IPSEC_LEVEL_USE && 339 t != IPSEC_LEVEL_REQUIRE) 340 return (EINVAL); 341 ipsec_invalpcbcacheall(); 342 break; 343 case IPSECCTL_DEF_POLICY: 344 if (t != IPSEC_POLICY_DISCARD && 345 t != IPSEC_POLICY_NONE) 346 return (EINVAL); 347 ipsec_invalpcbcacheall(); 348 break; 349 default: 350 return (EINVAL); 351 } 352 353 *(int*)rnode->sysctl_data = t; 354 355 return (0); 356 } 357 358 /* XXX will need a different oid at parent */ 359 /* @@@ i have called it "fast_ipsec" instead of "ipsec" */ 360 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.fast_ipsec subtree setup") 361 { 362 363 sysctl_createv(clog, 0, NULL, NULL, 364 CTLFLAG_PERMANENT, 365 CTLTYPE_NODE, "net", NULL, 366 NULL, 0, NULL, 0, 367 CTL_NET, CTL_EOL); 368 sysctl_createv(clog, 0, NULL, NULL, 369 CTLFLAG_PERMANENT, 370 CTLTYPE_NODE, "inet", NULL, 371 NULL, 0, NULL, 0, 372 CTL_NET, PF_INET, CTL_EOL); 373 sysctl_createv(clog, 0, NULL, NULL, 374 CTLFLAG_PERMANENT, 375 CTLTYPE_NODE, "fast_ipsec", NULL, 376 NULL, 0, NULL, 0, 377 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 378 379 sysctl_createv(clog, 0, NULL, NULL, 380 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 381 CTLTYPE_STRUCT, "stats", NULL, 382 NULL, 0, &ipsecstat, sizeof(ipsecstat), 383 CTL_NET, PF_INET, IPPROTO_AH, 384 IPSECCTL_STATS, CTL_EOL); 385 sysctl_createv(clog, 0, NULL, NULL, 386 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 387 CTLTYPE_INT, "def_policy", NULL, 388 sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0, 389 CTL_NET, PF_INET, IPPROTO_AH, 390 IPSECCTL_DEF_POLICY, CTL_EOL); 391 sysctl_createv(clog, 0, NULL, NULL, 392 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 393 CTLTYPE_INT, "esp_trans_deflev", NULL, 394 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 395 CTL_NET, PF_INET, IPPROTO_AH, 396 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 397 sysctl_createv(clog, 0, NULL, NULL, 398 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 399 CTLTYPE_INT, "esp_net_deflev", NULL, 400 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 401 CTL_NET, PF_INET, IPPROTO_AH, 402 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 403 sysctl_createv(clog, 0, NULL, NULL, 404 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 405 CTLTYPE_INT, "ah_trans_deflev", NULL, 406 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 407 CTL_NET, PF_INET, IPPROTO_AH, 408 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 409 sysctl_createv(clog, 0, NULL, NULL, 410 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 411 CTLTYPE_INT, "ah_net_deflev", NULL, 412 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 413 CTL_NET, PF_INET, IPPROTO_AH, 414 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 415 sysctl_createv(clog, 0, NULL, NULL, 416 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 417 CTLTYPE_INT, "ah_cleartos", NULL, 418 NULL, 0, &/*ip4_*/ah_cleartos, 0, 419 CTL_NET, PF_INET, IPPROTO_AH, 420 IPSECCTL_AH_CLEARTOS, CTL_EOL); 421 sysctl_createv(clog, 0, NULL, NULL, 422 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 423 CTLTYPE_INT, "ah_offsetmask", NULL, 424 NULL, 0, &ip4_ah_offsetmask, 0, 425 CTL_NET, PF_INET, IPPROTO_AH, 426 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 427 sysctl_createv(clog, 0, NULL, NULL, 428 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 429 CTLTYPE_INT, "dfbit", NULL, 430 NULL, 0, &ip4_ipsec_dfbit, 0, 431 CTL_NET, PF_INET, IPPROTO_AH, 432 IPSECCTL_DFBIT, CTL_EOL); 433 sysctl_createv(clog, 0, NULL, NULL, 434 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 435 CTLTYPE_INT, "ecn", NULL, 436 NULL, 0, &ip4_ipsec_ecn, 0, 437 CTL_NET, PF_INET, IPPROTO_AH, 438 IPSECCTL_ECN, CTL_EOL); 439 sysctl_createv(clog, 0, NULL, NULL, 440 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 441 CTLTYPE_INT, "debug", NULL, 442 NULL, 0, &ipsec_debug, 0, 443 CTL_NET, PF_INET, IPPROTO_AH, 444 IPSECCTL_DEBUG, CTL_EOL); 445 446 /* 447 * "aliases" for the fast ipsec subtree 448 */ 449 sysctl_createv(clog, 0, NULL, NULL, 450 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 451 CTLTYPE_NODE, "fast_esp", NULL, 452 NULL, IPPROTO_AH, NULL, 0, 453 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 454 sysctl_createv(clog, 0, NULL, NULL, 455 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 456 CTLTYPE_NODE, "fast_ipcomp", NULL, 457 NULL, IPPROTO_AH, NULL, 0, 458 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 459 sysctl_createv(clog, 0, NULL, NULL, 460 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 461 CTLTYPE_NODE, "fast_ah", NULL, 462 NULL, IPPROTO_AH, NULL, 0, 463 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 464 } 465
Indexes created Mon Sep 22 10:09:38 GMT 2025