1/*- 2 * Copyright (c) 1982, 1986, 1988, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 4. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD$"); 32 33#include "opt_ipsec.h" 34#include "opt_sctp.h" 35 36#include <sys/param.h> 37#include <sys/systm.h> 38#include <sys/errno.h> 39#include <sys/kernel.h> 40#include <sys/malloc.h> 41#include <sys/mbuf.h> 42#include <sys/protosw.h> 43#include <sys/socket.h> 44#include <sys/socketvar.h> 45#include <sys/sysctl.h> 46 47#include <net/if.h> 48#include <net/route.h> 49#include <net/vnet.h> 50 51#include <netinet/in.h> 52#include <netinet/in_systm.h> 53#include <netinet/in_var.h> 54#include <netinet/ip.h> 55#include <netinet/in_pcb.h> 56#include <netinet/ip_var.h> 57#include <netinet/ip_options.h> 58#include <netinet/ip_ipsec.h> 59#ifdef SCTP 60#include <netinet/sctp_crc32.h> 61#endif 62 63#include <machine/in_cksum.h> 64 65#ifdef IPSEC 66#include <netipsec/ipsec.h> 67#include <netipsec/xform.h> 68#include <netipsec/key.h> 69#endif /*IPSEC*/ 70 71extern struct protosw inetsw[]; 72 73#ifdef IPSEC 74#ifdef IPSEC_FILTERTUNNEL 75static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 1; 76#else 77static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0; 78#endif 79#define V_ip4_ipsec_filtertunnel VNET(ip4_ipsec_filtertunnel) 80 81SYSCTL_DECL(_net_inet_ipsec); 82SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, filtertunnel, 83 CTLFLAG_RW, &VNET_NAME(ip4_ipsec_filtertunnel), 0, 84 "If set filter packets from an IPsec tunnel."); 85#endif /* IPSEC */ 86 87/* 88 * Check if we have to jump over firewall processing for this packet. 89 * Called from ip_input(). 90 * 1 = jump over firewall, 0 = packet goes through firewall. 91 */ 92int 93ip_ipsec_filtertunnel(struct mbuf *m) 94{ 95#ifdef IPSEC 96 97 /* 98 * Bypass packet filtering for packets previously handled by IPsec. 99 */ 100 if (!V_ip4_ipsec_filtertunnel && 101 m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) 102 return 1; 103#endif 104 return 0; 105} 106 107/* 108 * Check if this packet has an active SA and needs to be dropped instead 109 * of forwarded. 110 * Called from ip_input(). 111 * 1 = drop packet, 0 = forward packet. 112 */ 113int 114ip_ipsec_fwd(struct mbuf *m) 115{ 116#ifdef IPSEC 117 struct m_tag *mtag; 118 struct tdb_ident *tdbi; 119 struct secpolicy *sp; 120 int error; 121 122 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 123 if (mtag != NULL) { 124 tdbi = (struct tdb_ident *)(mtag + 1); 125 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); 126 } else { 127 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 128 IP_FORWARDING, &error); 129 } 130 if (sp == NULL) { /* NB: can happen if error */ 131 /*XXX error stat???*/ 132 DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/ 133 return 1; 134 } 135 136 /* 137 * Check security policy against packet attributes. 138 */ 139 error = ipsec_in_reject(sp, m); 140 KEY_FREESP(&sp); 141 if (error) { 142 IPSTAT_INC(ips_cantforward); 143 return 1; 144 } 145#endif /* IPSEC */ 146 return 0; 147} 148 149/* 150 * Check if protocol type doesn't have a further header and do IPSEC 151 * decryption or reject right now. Protocols with further headers get 152 * their IPSEC treatment within the protocol specific processing. 153 * Called from ip_input(). 154 * 1 = drop packet, 0 = continue processing packet. 155 */ 156int 157ip_ipsec_input(struct mbuf *m) 158{ 159#ifdef IPSEC 160 struct ip *ip = mtod(m, struct ip *); 161 struct m_tag *mtag; 162 struct tdb_ident *tdbi; 163 struct secpolicy *sp; 164 int error; 165 /* 166 * enforce IPsec policy checking if we are seeing last header. 167 * note that we do not visit this with protocols with pcb layer 168 * code - like udp/tcp/raw ip. 169 */ 170 if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) { 171 /* 172 * Check if the packet has already had IPsec processing 173 * done. If so, then just pass it along. This tag gets 174 * set during AH, ESP, etc. input handling, before the 175 * packet is returned to the ip input queue for delivery. 176 */ 177 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 178 if (mtag != NULL) { 179 tdbi = (struct tdb_ident *)(mtag + 1); 180 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); 181 } else { 182 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 183 IP_FORWARDING, &error); 184 } 185 if (sp != NULL) { 186 /* 187 * Check security policy against packet attributes. 188 */ 189 error = ipsec_in_reject(sp, m); 190 KEY_FREESP(&sp); 191 } else { 192 /* XXX error stat??? */ 193 error = EINVAL; 194 DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ 195 return 1; 196 } 197 if (error) 198 return 1; 199 } 200#endif /* IPSEC */ 201 return 0; 202} 203 204/* 205 * Compute the MTU for a forwarded packet that gets IPSEC encapsulated. 206 * Called from ip_forward(). 207 * Returns MTU suggestion for ICMP needfrag reply. 208 */ 209int 210ip_ipsec_mtu(struct mbuf *m, int mtu) 211{ 212 /* 213 * If the packet is routed over IPsec tunnel, tell the 214 * originator the tunnel MTU. 215 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz 216 * XXX quickhack!!! 217 */ 218 struct secpolicy *sp = NULL; 219 int ipsecerror; 220 int ipsechdr; 221 struct route *ro; 222 sp = ipsec_getpolicybyaddr(m, 223 IPSEC_DIR_OUTBOUND, 224 IP_FORWARDING, 225 &ipsecerror); 226 if (sp != NULL) { 227 /* count IPsec header size */ 228 ipsechdr = ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL); 229 230 /* 231 * find the correct route for outer IPv4 232 * header, compute tunnel MTU. 233 */ 234 if (sp->req != NULL && 235 sp->req->sav != NULL && 236 sp->req->sav->sah != NULL) { 237 ro = &sp->req->sav->sah->route_cache.sa_route; 238 if (ro->ro_rt && ro->ro_rt->rt_ifp) { 239 mtu = 240 ro->ro_rt->rt_rmx.rmx_mtu ? 241 ro->ro_rt->rt_rmx.rmx_mtu : 242 ro->ro_rt->rt_ifp->if_mtu; 243 mtu -= ipsechdr; 244 } 245 } 246 KEY_FREESP(&sp); 247 } 248 return mtu; 249} 250 251/* 252 * 253 * Called from ip_output(). 254 * 1 = drop packet, 0 = continue processing packet, 255 * -1 = packet was reinjected and stop processing packet 256 */ 257int 258ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error) 259{ 260#ifdef IPSEC 261 struct secpolicy *sp = NULL; 262 struct tdb_ident *tdbi; 263 struct m_tag *mtag; 264 /* 265 * Check the security policy (SP) for the packet and, if 266 * required, do IPsec-related processing. There are two 267 * cases here; the first time a packet is sent through 268 * it will be untagged and handled by ipsec4_checkpolicy. 269 * If the packet is resubmitted to ip_output (e.g. after 270 * AH, ESP, etc. processing), there will be a tag to bypass 271 * the lookup and related policy checking. 272 */ 273 mtag = m_tag_find(*m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); 274 if (mtag != NULL) { 275 tdbi = (struct tdb_ident *)(mtag + 1); 276 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND); 277 if (sp == NULL) 278 *error = -EINVAL; /* force silent drop */ 279 m_tag_delete(*m, mtag); 280 } else { 281 sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags, 282 error, inp); 283 } 284 /* 285 * There are four return cases: 286 * sp != NULL apply IPsec policy 287 * sp == NULL, error == 0 no IPsec handling needed 288 * sp == NULL, error == -EINVAL discard packet w/o error 289 * sp == NULL, error != 0 discard packet, report error 290 */ 291 if (sp != NULL) { 292 /* Loop detection, check if ipsec processing already done */ 293 KASSERT(sp->req != NULL, ("ip_output: no ipsec request")); 294 for (mtag = m_tag_first(*m); mtag != NULL; 295 mtag = m_tag_next(*m, mtag)) { 296 if (mtag->m_tag_cookie != MTAG_ABI_COMPAT) 297 continue; 298 if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE && 299 mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED) 300 continue; 301 /* 302 * Check if policy has an SA associated with it. 303 * This can happen when an SP has yet to acquire 304 * an SA; e.g. on first reference. If it occurs, 305 * then we let ipsec4_process_packet do its thing. 306 */ 307 if (sp->req->sav == NULL) 308 break; 309 tdbi = (struct tdb_ident *)(mtag + 1); 310 if (tdbi->spi == sp->req->sav->spi && 311 tdbi->proto == sp->req->sav->sah->saidx.proto && 312 bcmp(&tdbi->dst, &sp->req->sav->sah->saidx.dst, 313 sizeof (union sockaddr_union)) == 0) { 314 /* 315 * No IPsec processing is needed, free 316 * reference to SP. 317 * 318 * NB: null pointer to avoid free at 319 * done: below. 320 */ 321 KEY_FREESP(&sp), sp = NULL; 322 goto done; 323 } 324 } 325 326 /* 327 * Do delayed checksums now because we send before 328 * this is done in the normal processing path. 329 */ 330 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 331 in_delayed_cksum(*m); 332 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 333 } 334#ifdef SCTP 335 if ((*m)->m_pkthdr.csum_flags & CSUM_SCTP) { 336 struct ip *ip = mtod(*m, struct ip *); 337 338 sctp_delayed_cksum(*m, (uint32_t)(ip->ip_hl << 2)); 339 (*m)->m_pkthdr.csum_flags &= ~CSUM_SCTP; 340 } 341#endif 342 343 /* NB: callee frees mbuf */ 344 *error = ipsec4_process_packet(*m, sp->req, *flags, 0); 345 if (*error == EJUSTRETURN) { 346 /* 347 * We had a SP with a level of 'use' and no SA. We 348 * will just continue to process the packet without 349 * IPsec processing and return without error. 350 */ 351 *error = 0; 352 goto done; 353 } 354 /* 355 * Preserve KAME behaviour: ENOENT can be returned 356 * when an SA acquire is in progress. Don't propagate 357 * this to user-level; it confuses applications. 358 * 359 * XXX this will go away when the SADB is redone. 360 */ 361 if (*error == ENOENT) 362 *error = 0; 363 goto reinjected; 364 } else { /* sp == NULL */ 365 366 if (*error != 0) { 367 /* 368 * Hack: -EINVAL is used to signal that a packet 369 * should be silently discarded. This is typically 370 * because we asked key management for an SA and 371 * it was delayed (e.g. kicked up to IKE). 372 */ 373 if (*error == -EINVAL) 374 *error = 0; 375 goto bad; 376 } else { 377 /* No IPsec processing for this packet. */ 378 } 379 } 380done: 381 if (sp != NULL) 382 KEY_FREESP(&sp); 383 return 0; 384reinjected: 385 if (sp != NULL) 386 KEY_FREESP(&sp); 387 return -1; 388bad: 389 if (sp != NULL) 390 KEY_FREESP(&sp); 391 return 1; 392#endif /* IPSEC */ 393 return 0; 394} 395