ip6_ipsec.c revision 192648
1/*- 2 * Copyright (c) 1982, 1986, 1988, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 4. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD: head/sys/netinet6/ip6_ipsec.c 192648 2009-05-23 16:42:38Z bz $"); 32 33#include "opt_ipsec.h" 34 35#include <sys/param.h> 36#include <sys/systm.h> 37#include <sys/kernel.h> 38#include <sys/mac.h> 39#include <sys/malloc.h> 40#include <sys/mbuf.h> 41#include <sys/protosw.h> 42#include <sys/socket.h> 43#include <sys/socketvar.h> 44#include <sys/sysctl.h> 45#include <sys/vimage.h> 46 47#include <net/if.h> 48#include <net/route.h> 49 50#include <netinet/in.h> 51#include <netinet/in_systm.h> 52#include <netinet/in_var.h> 53#include <netinet/ip.h> 54#include <netinet/ip6.h> 55#include <netinet/in_pcb.h> 56#include <netinet/ip_var.h> 57#include <netinet/ip_options.h> 58 59#include <machine/in_cksum.h> 60 61#ifdef IPSEC 62#include <netipsec/ipsec.h> 63#include <netipsec/ipsec6.h> 64#include <netipsec/xform.h> 65#include <netipsec/key.h> 66#ifdef IPSEC_DEBUG 67#include <netipsec/key_debug.h> 68#else 69#define KEYDEBUG(lev,arg) 70#endif 71#endif /*IPSEC*/ 72 73#include <netinet6/ip6_ipsec.h> 74#include <netinet6/ip6_var.h> 75#include <netinet6/vinet6.h> 76 77extern struct protosw inet6sw[]; 78 79#ifdef VIMAGE_GLOBALS 80int ip6_ipsec6_filtertunnel; 81#endif 82 83/* 84 * Check if we have to jump over firewall processing for this packet. 85 * Called from ip_input(). 86 * 1 = jump over firewall, 0 = packet goes through firewall. 87 */ 88int 89ip6_ipsec_filtertunnel(struct mbuf *m) 90{ 91#if defined(IPSEC) 92 INIT_VNET_IPSEC(curvnet); 93 94 /* 95 * Bypass packet filtering for packets from a tunnel. 96 */ 97 if (!V_ip6_ipsec6_filtertunnel && 98 m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) 99 return 1; 100#endif 101 return 0; 102} 103 104/* 105 * Check if this packet has an active SA and needs to be dropped instead 106 * of forwarded. 107 * Called from ip_input(). 108 * 1 = drop packet, 0 = forward packet. 109 */ 110int 111ip6_ipsec_fwd(struct mbuf *m) 112{ 113#ifdef IPSEC 114 INIT_VNET_INET6(curvnet); 115 INIT_VNET_IPSEC(curvnet); 116 struct m_tag *mtag; 117 struct tdb_ident *tdbi; 118 struct secpolicy *sp; 119 int s, error; 120 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 121 s = splnet(); 122 if (mtag != NULL) { 123 tdbi = (struct tdb_ident *)(mtag + 1); 124 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); 125 } else { 126 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 127 IP_FORWARDING, &error); 128 } 129 if (sp == NULL) { /* NB: can happen if error */ 130 splx(s); 131 /*XXX error stat???*/ 132 DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/ 133 return 1; 134 } 135 136 /* 137 * Check security policy against packet attributes. 138 */ 139 error = ipsec_in_reject(sp, m); 140 KEY_FREESP(&sp); 141 splx(s); 142 if (error) { 143 V_ip6stat.ip6s_cantforward++; 144 return 1; 145 } 146#endif /* IPSEC */ 147 return 0; 148} 149 150/* 151 * Check if protocol type doesn't have a further header and do IPSEC 152 * decryption or reject right now. Protocols with further headers get 153 * their IPSEC treatment within the protocol specific processing. 154 * Called from ip_input(). 155 * 1 = drop packet, 0 = continue processing packet. 156 */ 157int 158ip6_ipsec_input(struct mbuf *m, int nxt) 159{ 160#ifdef IPSEC 161 INIT_VNET_IPSEC(curvnet); 162 struct m_tag *mtag; 163 struct tdb_ident *tdbi; 164 struct secpolicy *sp; 165 int s, error; 166 /* 167 * enforce IPsec policy checking if we are seeing last header. 168 * note that we do not visit this with protocols with pcb layer 169 * code - like udp/tcp/raw ip. 170 */ 171 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && 172 ipsec6_in_reject(m, NULL)) { 173 174 /* 175 * Check if the packet has already had IPsec processing 176 * done. If so, then just pass it along. This tag gets 177 * set during AH, ESP, etc. input handling, before the 178 * packet is returned to the ip input queue for delivery. 179 */ 180 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 181 s = splnet(); 182 if (mtag != NULL) { 183 tdbi = (struct tdb_ident *)(mtag + 1); 184 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); 185 } else { 186 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 187 IP_FORWARDING, &error); 188 } 189 if (sp != NULL) { 190 /* 191 * Check security policy against packet attributes. 192 */ 193 error = ipsec_in_reject(sp, m); 194 KEY_FREESP(&sp); 195 } else { 196 /* XXX error stat??? */ 197 error = EINVAL; 198 DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ 199 return 1; 200 } 201 splx(s); 202 if (error) 203 return 1; 204 } 205#endif /* IPSEC */ 206 return 0; 207} 208 209/* 210 * Called from ip6_output(). 211 * 1 = drop packet, 0 = continue processing packet, 212 * -1 = packet was reinjected and stop processing packet 213 */ 214 215int 216ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error, 217 struct ifnet **ifp, struct secpolicy **sp) 218{ 219#ifdef IPSEC 220 struct tdb_ident *tdbi; 221 struct m_tag *mtag; 222 /* XXX int s; */ 223 if (sp == NULL) 224 return 1; 225 mtag = m_tag_find(*m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); 226 if (mtag != NULL) { 227 tdbi = (struct tdb_ident *)(mtag + 1); 228 *sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND); 229 if (*sp == NULL) 230 *error = -EINVAL; /* force silent drop */ 231 m_tag_delete(*m, mtag); 232 } else { 233 *sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags, 234 error, inp); 235 } 236 237 /* 238 * There are four return cases: 239 * sp != NULL apply IPsec policy 240 * sp == NULL, error == 0 no IPsec handling needed 241 * sp == NULL, error == -EINVAL discard packet w/o error 242 * sp == NULL, error != 0 discard packet, report error 243 */ 244 if (*sp != NULL) { 245 /* Loop detection, check if ipsec processing already done */ 246 KASSERT((*sp)->req != NULL, ("ip_output: no ipsec request")); 247 for (mtag = m_tag_first(*m); mtag != NULL; 248 mtag = m_tag_next(*m, mtag)) { 249 if (mtag->m_tag_cookie != MTAG_ABI_COMPAT) 250 continue; 251 if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE && 252 mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED) 253 continue; 254 /* 255 * Check if policy has an SA associated with it. 256 * This can happen when an SP has yet to acquire 257 * an SA; e.g. on first reference. If it occurs, 258 * then we let ipsec4_process_packet do its thing. 259 */ 260 if ((*sp)->req->sav == NULL) 261 break; 262 tdbi = (struct tdb_ident *)(mtag + 1); 263 if (tdbi->spi == (*sp)->req->sav->spi && 264 tdbi->proto == (*sp)->req->sav->sah->saidx.proto && 265 bcmp(&tdbi->dst, &(*sp)->req->sav->sah->saidx.dst, 266 sizeof (union sockaddr_union)) == 0) { 267 /* 268 * No IPsec processing is needed, free 269 * reference to SP. 270 * 271 * NB: null pointer to avoid free at 272 * done: below. 273 */ 274 KEY_FREESP(sp), *sp = NULL; 275 /* XXX splx(s); */ 276 goto done; 277 } 278 } 279 280 /* 281 * Do delayed checksums now because we send before 282 * this is done in the normal processing path. 283 */ 284 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 285 in_delayed_cksum(*m); 286 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 287 } 288 289 /* 290 * Preserve KAME behaviour: ENOENT can be returned 291 * when an SA acquire is in progress. Don't propagate 292 * this to user-level; it confuses applications. 293 * 294 * XXX this will go away when the SADB is redone. 295 */ 296 if (*error == ENOENT) 297 *error = 0; 298 goto do_ipsec; 299 } else { /* sp == NULL */ 300 if (*error != 0) { 301 /* 302 * Hack: -EINVAL is used to signal that a packet 303 * should be silently discarded. This is typically 304 * because we asked key management for an SA and 305 * it was delayed (e.g. kicked up to IKE). 306 */ 307 if (*error == -EINVAL) 308 *error = 0; 309 goto bad; 310 } else { 311 /* No IPsec processing for this packet. */ 312 } 313 } 314done: 315 return 0; 316do_ipsec: 317 return -1; 318bad: 319 return 1; 320#endif /* IPSEC */ 321 return 0; 322} 323 324#if 0 325/* 326 * Compute the MTU for a forwarded packet that gets IPSEC encapsulated. 327 * Called from ip_forward(). 328 * Returns MTU suggestion for ICMP needfrag reply. 329 */ 330int 331ip6_ipsec_mtu(struct mbuf *m) 332{ 333 int mtu = 0; 334 /* 335 * If the packet is routed over IPsec tunnel, tell the 336 * originator the tunnel MTU. 337 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz 338 * XXX quickhack!!! 339 */ 340#ifdef IPSEC 341 struct secpolicy *sp = NULL; 342 int ipsecerror; 343 int ipsechdr; 344 struct route *ro; 345 sp = ipsec_getpolicybyaddr(m, 346 IPSEC_DIR_OUTBOUND, 347 IP_FORWARDING, 348 &ipsecerror); 349 if (sp != NULL) { 350 /* count IPsec header size */ 351 ipsechdr = ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL); 352 353 /* 354 * find the correct route for outer IPv4 355 * header, compute tunnel MTU. 356 */ 357 if (sp->req != NULL && 358 sp->req->sav != NULL && 359 sp->req->sav->sah != NULL) { 360 ro = &sp->req->sav->sah->sa_route; 361 if (ro->ro_rt && ro->ro_rt->rt_ifp) { 362 mtu = 363 ro->ro_rt->rt_rmx.rmx_mtu ? 364 ro->ro_rt->rt_rmx.rmx_mtu : 365 ro->ro_rt->rt_ifp->if_mtu; 366 mtu -= ipsechdr; 367 } 368 } 369 KEY_FREESP(&sp); 370 } 371#endif /* IPSEC */ 372 /* XXX else case missing. */ 373 return mtu; 374} 375#endif 376