1/*- 2 * Copyright (c) 1982, 1986, 1988, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 4. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h>
| 1/*- 2 * Copyright (c) 1982, 1986, 1988, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 4. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h>
|
31__FBSDID("$FreeBSD: head/sys/netinet/ip_ipsec.c 257176 2013-10-26 17:58:36Z glebius $");
| 31__FBSDID("$FreeBSD: head/sys/netinet/ip_ipsec.c 262763 2014-03-05 01:17:47Z glebius $");
|
32 33#include "opt_ipsec.h" 34#include "opt_sctp.h" 35 36#include <sys/param.h> 37#include <sys/systm.h> 38#include <sys/errno.h> 39#include <sys/kernel.h> 40#include <sys/malloc.h> 41#include <sys/mbuf.h> 42#include <sys/protosw.h> 43#include <sys/socket.h> 44#include <sys/socketvar.h> 45#include <sys/sysctl.h> 46 47#include <net/if.h> 48#include <net/if_var.h> 49#include <net/route.h> 50#include <net/vnet.h> 51 52#include <netinet/in.h> 53#include <netinet/in_systm.h> 54#include <netinet/in_var.h> 55#include <netinet/ip.h> 56#include <netinet/in_pcb.h> 57#include <netinet/ip_var.h> 58#include <netinet/ip_options.h> 59#include <netinet/ip_ipsec.h> 60#ifdef SCTP 61#include <netinet/sctp_crc32.h> 62#endif 63 64#include <machine/in_cksum.h> 65 66#ifdef IPSEC 67#include <netipsec/ipsec.h> 68#include <netipsec/xform.h> 69#include <netipsec/key.h> 70#endif /*IPSEC*/ 71 72extern struct protosw inetsw[]; 73 74#ifdef IPSEC 75#ifdef IPSEC_FILTERTUNNEL 76static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 1; 77#else 78static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0; 79#endif 80#define V_ip4_ipsec_filtertunnel VNET(ip4_ipsec_filtertunnel) 81 82SYSCTL_DECL(_net_inet_ipsec); 83SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, filtertunnel, 84 CTLFLAG_RW, &VNET_NAME(ip4_ipsec_filtertunnel), 0, 85 "If set filter packets from an IPsec tunnel."); 86#endif /* IPSEC */ 87 88/* 89 * Check if we have to jump over firewall processing for this packet. 90 * Called from ip_input(). 91 * 1 = jump over firewall, 0 = packet goes through firewall. 92 */ 93int 94ip_ipsec_filtertunnel(struct mbuf *m) 95{ 96#ifdef IPSEC 97 98 /* 99 * Bypass packet filtering for packets previously handled by IPsec. 100 */ 101 if (!V_ip4_ipsec_filtertunnel && 102 m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) 103 return 1; 104#endif 105 return 0; 106} 107 108/* 109 * Check if this packet has an active SA and needs to be dropped instead 110 * of forwarded. 111 * Called from ip_input(). 112 * 1 = drop packet, 0 = forward packet. 113 */ 114int 115ip_ipsec_fwd(struct mbuf *m) 116{ 117#ifdef IPSEC 118 struct m_tag *mtag; 119 struct tdb_ident *tdbi; 120 struct secpolicy *sp; 121 int error; 122 123 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 124 if (mtag != NULL) { 125 tdbi = (struct tdb_ident *)(mtag + 1); 126 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); 127 } else { 128 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 129 IP_FORWARDING, &error); 130 } 131 if (sp == NULL) { /* NB: can happen if error */ 132 /*XXX error stat???*/ 133 DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/ 134 return 1; 135 } 136 137 /* 138 * Check security policy against packet attributes. 139 */ 140 error = ipsec_in_reject(sp, m); 141 KEY_FREESP(&sp); 142 if (error) { 143 IPSTAT_INC(ips_cantforward); 144 return 1; 145 } 146#endif /* IPSEC */ 147 return 0; 148} 149 150/* 151 * Check if protocol type doesn't have a further header and do IPSEC 152 * decryption or reject right now. Protocols with further headers get 153 * their IPSEC treatment within the protocol specific processing. 154 * Called from ip_input(). 155 * 1 = drop packet, 0 = continue processing packet. 156 */ 157int 158ip_ipsec_input(struct mbuf *m) 159{ 160#ifdef IPSEC 161 struct ip *ip = mtod(m, struct ip *); 162 struct m_tag *mtag; 163 struct tdb_ident *tdbi; 164 struct secpolicy *sp; 165 int error; 166 /* 167 * enforce IPsec policy checking if we are seeing last header. 168 * note that we do not visit this with protocols with pcb layer 169 * code - like udp/tcp/raw ip. 170 */ 171 if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) { 172 /* 173 * Check if the packet has already had IPsec processing 174 * done. If so, then just pass it along. This tag gets 175 * set during AH, ESP, etc. input handling, before the 176 * packet is returned to the ip input queue for delivery. 177 */ 178 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 179 if (mtag != NULL) { 180 tdbi = (struct tdb_ident *)(mtag + 1); 181 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); 182 } else { 183 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 184 IP_FORWARDING, &error); 185 } 186 if (sp != NULL) { 187 /* 188 * Check security policy against packet attributes. 189 */ 190 error = ipsec_in_reject(sp, m); 191 KEY_FREESP(&sp); 192 } else { 193 /* XXX error stat??? */ 194 error = EINVAL; 195 DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ 196 return 1; 197 } 198 if (error) 199 return 1; 200 } 201#endif /* IPSEC */ 202 return 0; 203} 204 205/* 206 * Compute the MTU for a forwarded packet that gets IPSEC encapsulated. 207 * Called from ip_forward(). 208 * Returns MTU suggestion for ICMP needfrag reply. 209 */ 210int 211ip_ipsec_mtu(struct mbuf *m, int mtu) 212{ 213 /* 214 * If the packet is routed over IPsec tunnel, tell the 215 * originator the tunnel MTU. 216 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz 217 * XXX quickhack!!! 218 */ 219 struct secpolicy *sp = NULL; 220 int ipsecerror; 221 int ipsechdr; 222 struct route *ro; 223 sp = ipsec_getpolicybyaddr(m, 224 IPSEC_DIR_OUTBOUND, 225 IP_FORWARDING, 226 &ipsecerror); 227 if (sp != NULL) { 228 /* count IPsec header size */ 229 ipsechdr = ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL); 230 231 /* 232 * find the correct route for outer IPv4 233 * header, compute tunnel MTU. 234 */ 235 if (sp->req != NULL && 236 sp->req->sav != NULL && 237 sp->req->sav->sah != NULL) { 238 ro = &sp->req->sav->sah->route_cache.sa_route; 239 if (ro->ro_rt && ro->ro_rt->rt_ifp) {
| 32 33#include "opt_ipsec.h" 34#include "opt_sctp.h" 35 36#include <sys/param.h> 37#include <sys/systm.h> 38#include <sys/errno.h> 39#include <sys/kernel.h> 40#include <sys/malloc.h> 41#include <sys/mbuf.h> 42#include <sys/protosw.h> 43#include <sys/socket.h> 44#include <sys/socketvar.h> 45#include <sys/sysctl.h> 46 47#include <net/if.h> 48#include <net/if_var.h> 49#include <net/route.h> 50#include <net/vnet.h> 51 52#include <netinet/in.h> 53#include <netinet/in_systm.h> 54#include <netinet/in_var.h> 55#include <netinet/ip.h> 56#include <netinet/in_pcb.h> 57#include <netinet/ip_var.h> 58#include <netinet/ip_options.h> 59#include <netinet/ip_ipsec.h> 60#ifdef SCTP 61#include <netinet/sctp_crc32.h> 62#endif 63 64#include <machine/in_cksum.h> 65 66#ifdef IPSEC 67#include <netipsec/ipsec.h> 68#include <netipsec/xform.h> 69#include <netipsec/key.h> 70#endif /*IPSEC*/ 71 72extern struct protosw inetsw[]; 73 74#ifdef IPSEC 75#ifdef IPSEC_FILTERTUNNEL 76static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 1; 77#else 78static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0; 79#endif 80#define V_ip4_ipsec_filtertunnel VNET(ip4_ipsec_filtertunnel) 81 82SYSCTL_DECL(_net_inet_ipsec); 83SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, filtertunnel, 84 CTLFLAG_RW, &VNET_NAME(ip4_ipsec_filtertunnel), 0, 85 "If set filter packets from an IPsec tunnel."); 86#endif /* IPSEC */ 87 88/* 89 * Check if we have to jump over firewall processing for this packet. 90 * Called from ip_input(). 91 * 1 = jump over firewall, 0 = packet goes through firewall. 92 */ 93int 94ip_ipsec_filtertunnel(struct mbuf *m) 95{ 96#ifdef IPSEC 97 98 /* 99 * Bypass packet filtering for packets previously handled by IPsec. 100 */ 101 if (!V_ip4_ipsec_filtertunnel && 102 m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) 103 return 1; 104#endif 105 return 0; 106} 107 108/* 109 * Check if this packet has an active SA and needs to be dropped instead 110 * of forwarded. 111 * Called from ip_input(). 112 * 1 = drop packet, 0 = forward packet. 113 */ 114int 115ip_ipsec_fwd(struct mbuf *m) 116{ 117#ifdef IPSEC 118 struct m_tag *mtag; 119 struct tdb_ident *tdbi; 120 struct secpolicy *sp; 121 int error; 122 123 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 124 if (mtag != NULL) { 125 tdbi = (struct tdb_ident *)(mtag + 1); 126 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); 127 } else { 128 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 129 IP_FORWARDING, &error); 130 } 131 if (sp == NULL) { /* NB: can happen if error */ 132 /*XXX error stat???*/ 133 DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/ 134 return 1; 135 } 136 137 /* 138 * Check security policy against packet attributes. 139 */ 140 error = ipsec_in_reject(sp, m); 141 KEY_FREESP(&sp); 142 if (error) { 143 IPSTAT_INC(ips_cantforward); 144 return 1; 145 } 146#endif /* IPSEC */ 147 return 0; 148} 149 150/* 151 * Check if protocol type doesn't have a further header and do IPSEC 152 * decryption or reject right now. Protocols with further headers get 153 * their IPSEC treatment within the protocol specific processing. 154 * Called from ip_input(). 155 * 1 = drop packet, 0 = continue processing packet. 156 */ 157int 158ip_ipsec_input(struct mbuf *m) 159{ 160#ifdef IPSEC 161 struct ip *ip = mtod(m, struct ip *); 162 struct m_tag *mtag; 163 struct tdb_ident *tdbi; 164 struct secpolicy *sp; 165 int error; 166 /* 167 * enforce IPsec policy checking if we are seeing last header. 168 * note that we do not visit this with protocols with pcb layer 169 * code - like udp/tcp/raw ip. 170 */ 171 if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) { 172 /* 173 * Check if the packet has already had IPsec processing 174 * done. If so, then just pass it along. This tag gets 175 * set during AH, ESP, etc. input handling, before the 176 * packet is returned to the ip input queue for delivery. 177 */ 178 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 179 if (mtag != NULL) { 180 tdbi = (struct tdb_ident *)(mtag + 1); 181 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); 182 } else { 183 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 184 IP_FORWARDING, &error); 185 } 186 if (sp != NULL) { 187 /* 188 * Check security policy against packet attributes. 189 */ 190 error = ipsec_in_reject(sp, m); 191 KEY_FREESP(&sp); 192 } else { 193 /* XXX error stat??? */ 194 error = EINVAL; 195 DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ 196 return 1; 197 } 198 if (error) 199 return 1; 200 } 201#endif /* IPSEC */ 202 return 0; 203} 204 205/* 206 * Compute the MTU for a forwarded packet that gets IPSEC encapsulated. 207 * Called from ip_forward(). 208 * Returns MTU suggestion for ICMP needfrag reply. 209 */ 210int 211ip_ipsec_mtu(struct mbuf *m, int mtu) 212{ 213 /* 214 * If the packet is routed over IPsec tunnel, tell the 215 * originator the tunnel MTU. 216 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz 217 * XXX quickhack!!! 218 */ 219 struct secpolicy *sp = NULL; 220 int ipsecerror; 221 int ipsechdr; 222 struct route *ro; 223 sp = ipsec_getpolicybyaddr(m, 224 IPSEC_DIR_OUTBOUND, 225 IP_FORWARDING, 226 &ipsecerror); 227 if (sp != NULL) { 228 /* count IPsec header size */ 229 ipsechdr = ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL); 230 231 /* 232 * find the correct route for outer IPv4 233 * header, compute tunnel MTU. 234 */ 235 if (sp->req != NULL && 236 sp->req->sav != NULL && 237 sp->req->sav->sah != NULL) { 238 ro = &sp->req->sav->sah->route_cache.sa_route; 239 if (ro->ro_rt && ro->ro_rt->rt_ifp) {
|
240 mtu = 241 ro->ro_rt->rt_rmx.rmx_mtu ? 242 ro->ro_rt->rt_rmx.rmx_mtu :
| 240 mtu = ro->ro_rt->rt_mtu ? ro->ro_rt->rt_mtu :
|
243 ro->ro_rt->rt_ifp->if_mtu; 244 mtu -= ipsechdr; 245 } 246 } 247 KEY_FREESP(&sp); 248 } 249 return mtu; 250} 251 252/* 253 * 254 * Called from ip_output(). 255 * 1 = drop packet, 0 = continue processing packet, 256 * -1 = packet was reinjected and stop processing packet 257 */ 258int 259ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error) 260{ 261#ifdef IPSEC 262 struct secpolicy *sp = NULL; 263 struct tdb_ident *tdbi; 264 struct m_tag *mtag; 265 /* 266 * Check the security policy (SP) for the packet and, if 267 * required, do IPsec-related processing. There are two 268 * cases here; the first time a packet is sent through 269 * it will be untagged and handled by ipsec4_checkpolicy. 270 * If the packet is resubmitted to ip_output (e.g. after 271 * AH, ESP, etc. processing), there will be a tag to bypass 272 * the lookup and related policy checking. 273 */ 274 mtag = m_tag_find(*m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); 275 if (mtag != NULL) { 276 tdbi = (struct tdb_ident *)(mtag + 1); 277 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND); 278 if (sp == NULL) 279 *error = -EINVAL; /* force silent drop */ 280 m_tag_delete(*m, mtag); 281 } else { 282 sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags, 283 error, inp); 284 } 285 /* 286 * There are four return cases: 287 * sp != NULL apply IPsec policy 288 * sp == NULL, error == 0 no IPsec handling needed 289 * sp == NULL, error == -EINVAL discard packet w/o error 290 * sp == NULL, error != 0 discard packet, report error 291 */ 292 if (sp != NULL) { 293 /* Loop detection, check if ipsec processing already done */ 294 KASSERT(sp->req != NULL, ("ip_output: no ipsec request")); 295 for (mtag = m_tag_first(*m); mtag != NULL; 296 mtag = m_tag_next(*m, mtag)) { 297 if (mtag->m_tag_cookie != MTAG_ABI_COMPAT) 298 continue; 299 if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE && 300 mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED) 301 continue; 302 /* 303 * Check if policy has an SA associated with it. 304 * This can happen when an SP has yet to acquire 305 * an SA; e.g. on first reference. If it occurs, 306 * then we let ipsec4_process_packet do its thing. 307 */ 308 if (sp->req->sav == NULL) 309 break; 310 tdbi = (struct tdb_ident *)(mtag + 1); 311 if (tdbi->spi == sp->req->sav->spi && 312 tdbi->proto == sp->req->sav->sah->saidx.proto && 313 bcmp(&tdbi->dst, &sp->req->sav->sah->saidx.dst, 314 sizeof (union sockaddr_union)) == 0) { 315 /* 316 * No IPsec processing is needed, free 317 * reference to SP. 318 * 319 * NB: null pointer to avoid free at 320 * done: below. 321 */ 322 KEY_FREESP(&sp), sp = NULL; 323 goto done; 324 } 325 } 326 327 /* 328 * Do delayed checksums now because we send before 329 * this is done in the normal processing path. 330 */ 331 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 332 in_delayed_cksum(*m); 333 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 334 } 335#ifdef SCTP 336 if ((*m)->m_pkthdr.csum_flags & CSUM_SCTP) { 337 struct ip *ip = mtod(*m, struct ip *); 338 339 sctp_delayed_cksum(*m, (uint32_t)(ip->ip_hl << 2)); 340 (*m)->m_pkthdr.csum_flags &= ~CSUM_SCTP; 341 } 342#endif 343 344 /* NB: callee frees mbuf */ 345 *error = ipsec4_process_packet(*m, sp->req, *flags, 0); 346 if (*error == EJUSTRETURN) { 347 /* 348 * We had a SP with a level of 'use' and no SA. We 349 * will just continue to process the packet without 350 * IPsec processing and return without error. 351 */ 352 *error = 0; 353 goto done; 354 } 355 /* 356 * Preserve KAME behaviour: ENOENT can be returned 357 * when an SA acquire is in progress. Don't propagate 358 * this to user-level; it confuses applications. 359 * 360 * XXX this will go away when the SADB is redone. 361 */ 362 if (*error == ENOENT) 363 *error = 0; 364 goto reinjected; 365 } else { /* sp == NULL */ 366 367 if (*error != 0) { 368 /* 369 * Hack: -EINVAL is used to signal that a packet 370 * should be silently discarded. This is typically 371 * because we asked key management for an SA and 372 * it was delayed (e.g. kicked up to IKE). 373 */ 374 if (*error == -EINVAL) 375 *error = 0; 376 goto bad; 377 } else { 378 /* No IPsec processing for this packet. */ 379 } 380 } 381done: 382 if (sp != NULL) 383 KEY_FREESP(&sp); 384 return 0; 385reinjected: 386 if (sp != NULL) 387 KEY_FREESP(&sp); 388 return -1; 389bad: 390 if (sp != NULL) 391 KEY_FREESP(&sp); 392 return 1; 393#endif /* IPSEC */ 394 return 0; 395}
| 241 ro->ro_rt->rt_ifp->if_mtu; 242 mtu -= ipsechdr; 243 } 244 } 245 KEY_FREESP(&sp); 246 } 247 return mtu; 248} 249 250/* 251 * 252 * Called from ip_output(). 253 * 1 = drop packet, 0 = continue processing packet, 254 * -1 = packet was reinjected and stop processing packet 255 */ 256int 257ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error) 258{ 259#ifdef IPSEC 260 struct secpolicy *sp = NULL; 261 struct tdb_ident *tdbi; 262 struct m_tag *mtag; 263 /* 264 * Check the security policy (SP) for the packet and, if 265 * required, do IPsec-related processing. There are two 266 * cases here; the first time a packet is sent through 267 * it will be untagged and handled by ipsec4_checkpolicy. 268 * If the packet is resubmitted to ip_output (e.g. after 269 * AH, ESP, etc. processing), there will be a tag to bypass 270 * the lookup and related policy checking. 271 */ 272 mtag = m_tag_find(*m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); 273 if (mtag != NULL) { 274 tdbi = (struct tdb_ident *)(mtag + 1); 275 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND); 276 if (sp == NULL) 277 *error = -EINVAL; /* force silent drop */ 278 m_tag_delete(*m, mtag); 279 } else { 280 sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags, 281 error, inp); 282 } 283 /* 284 * There are four return cases: 285 * sp != NULL apply IPsec policy 286 * sp == NULL, error == 0 no IPsec handling needed 287 * sp == NULL, error == -EINVAL discard packet w/o error 288 * sp == NULL, error != 0 discard packet, report error 289 */ 290 if (sp != NULL) { 291 /* Loop detection, check if ipsec processing already done */ 292 KASSERT(sp->req != NULL, ("ip_output: no ipsec request")); 293 for (mtag = m_tag_first(*m); mtag != NULL; 294 mtag = m_tag_next(*m, mtag)) { 295 if (mtag->m_tag_cookie != MTAG_ABI_COMPAT) 296 continue; 297 if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE && 298 mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED) 299 continue; 300 /* 301 * Check if policy has an SA associated with it. 302 * This can happen when an SP has yet to acquire 303 * an SA; e.g. on first reference. If it occurs, 304 * then we let ipsec4_process_packet do its thing. 305 */ 306 if (sp->req->sav == NULL) 307 break; 308 tdbi = (struct tdb_ident *)(mtag + 1); 309 if (tdbi->spi == sp->req->sav->spi && 310 tdbi->proto == sp->req->sav->sah->saidx.proto && 311 bcmp(&tdbi->dst, &sp->req->sav->sah->saidx.dst, 312 sizeof (union sockaddr_union)) == 0) { 313 /* 314 * No IPsec processing is needed, free 315 * reference to SP. 316 * 317 * NB: null pointer to avoid free at 318 * done: below. 319 */ 320 KEY_FREESP(&sp), sp = NULL; 321 goto done; 322 } 323 } 324 325 /* 326 * Do delayed checksums now because we send before 327 * this is done in the normal processing path. 328 */ 329 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 330 in_delayed_cksum(*m); 331 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 332 } 333#ifdef SCTP 334 if ((*m)->m_pkthdr.csum_flags & CSUM_SCTP) { 335 struct ip *ip = mtod(*m, struct ip *); 336 337 sctp_delayed_cksum(*m, (uint32_t)(ip->ip_hl << 2)); 338 (*m)->m_pkthdr.csum_flags &= ~CSUM_SCTP; 339 } 340#endif 341 342 /* NB: callee frees mbuf */ 343 *error = ipsec4_process_packet(*m, sp->req, *flags, 0); 344 if (*error == EJUSTRETURN) { 345 /* 346 * We had a SP with a level of 'use' and no SA. We 347 * will just continue to process the packet without 348 * IPsec processing and return without error. 349 */ 350 *error = 0; 351 goto done; 352 } 353 /* 354 * Preserve KAME behaviour: ENOENT can be returned 355 * when an SA acquire is in progress. Don't propagate 356 * this to user-level; it confuses applications. 357 * 358 * XXX this will go away when the SADB is redone. 359 */ 360 if (*error == ENOENT) 361 *error = 0; 362 goto reinjected; 363 } else { /* sp == NULL */ 364 365 if (*error != 0) { 366 /* 367 * Hack: -EINVAL is used to signal that a packet 368 * should be silently discarded. This is typically 369 * because we asked key management for an SA and 370 * it was delayed (e.g. kicked up to IKE). 371 */ 372 if (*error == -EINVAL) 373 *error = 0; 374 goto bad; 375 } else { 376 /* No IPsec processing for this packet. */ 377 } 378 } 379done: 380 if (sp != NULL) 381 KEY_FREESP(&sp); 382 return 0; 383reinjected: 384 if (sp != NULL) 385 KEY_FREESP(&sp); 386 return -1; 387bad: 388 if (sp != NULL) 389 KEY_FREESP(&sp); 390 return 1; 391#endif /* IPSEC */ 392 return 0; 393}
|