1155179Sandre/*-
2155179Sandre * Copyright (c) 1982, 1986, 1988, 1993
3155179Sandre *      The Regents of the University of California.  All rights reserved.
4155179Sandre *
5155179Sandre * Redistribution and use in source and binary forms, with or without
6155179Sandre * modification, are permitted provided that the following conditions
7155179Sandre * are met:
8155179Sandre * 1. Redistributions of source code must retain the above copyright
9155179Sandre *    notice, this list of conditions and the following disclaimer.
10155179Sandre * 2. Redistributions in binary form must reproduce the above copyright
11155179Sandre *    notice, this list of conditions and the following disclaimer in the
12155179Sandre *    documentation and/or other materials provided with the distribution.
13155179Sandre * 4. Neither the name of the University nor the names of its contributors
14155179Sandre *    may be used to endorse or promote products derived from this software
15155179Sandre *    without specific prior written permission.
16155179Sandre *
17155179Sandre * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18155179Sandre * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19155179Sandre * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20155179Sandre * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21155179Sandre * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22155179Sandre * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23155179Sandre * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24155179Sandre * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25155179Sandre * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26155179Sandre * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27155179Sandre * SUCH DAMAGE.
28155179Sandre */
29155179Sandre
30172467Ssilby#include <sys/cdefs.h>
31172467Ssilby__FBSDID("$FreeBSD$");
32172467Ssilby
33155179Sandre#include "opt_ipsec.h"
34188066Srrs#include "opt_sctp.h"
35155179Sandre
36155179Sandre#include <sys/param.h>
37155179Sandre#include <sys/systm.h>
38177175Sbz#include <sys/errno.h>
39155179Sandre#include <sys/kernel.h>
40155179Sandre#include <sys/malloc.h>
41155179Sandre#include <sys/mbuf.h>
42155179Sandre#include <sys/protosw.h>
43155179Sandre#include <sys/socket.h>
44155179Sandre#include <sys/socketvar.h>
45155179Sandre#include <sys/sysctl.h>
46155179Sandre
47155179Sandre#include <net/if.h>
48195699Srwatson#include <net/vnet.h>
49155179Sandre
50155179Sandre#include <netinet/in.h>
51155179Sandre#include <netinet/in_systm.h>
52155179Sandre#include <netinet/in_var.h>
53155179Sandre#include <netinet/ip.h>
54155179Sandre#include <netinet/in_pcb.h>
55155179Sandre#include <netinet/ip_var.h>
56155179Sandre#include <netinet/ip_options.h>
57155179Sandre#include <netinet/ip_ipsec.h>
58188066Srrs#ifdef SCTP
59188066Srrs#include <netinet/sctp_crc32.h>
60188066Srrs#endif
61155179Sandre
62155179Sandre#include <machine/in_cksum.h>
63155179Sandre
64171167Sgnn#ifdef IPSEC
65155179Sandre#include <netipsec/ipsec.h>
66155179Sandre#include <netipsec/xform.h>
67155179Sandre#include <netipsec/key.h>
68171167Sgnn#endif /*IPSEC*/
69155179Sandre
70155179Sandreextern	struct protosw inetsw[];
71155179Sandre
#ifdef IPSEC
/*
 * Per-VNET knob consulted by ip_ipsec_filtertunnel(): when it is 0, packets
 * that already went through inbound IPsec processing skip the packet filter;
 * when it is 1 they are filtered like any other packet.  The compile-time
 * default comes from the IPSEC_FILTERTUNNEL kernel option, and the value is
 * tunable at run time through the filtertunnel sysctl under _net_inet_ipsec.
 */
#ifdef IPSEC_FILTERTUNNEL
static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 1;
#else
static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0;
#endif
#define	V_ip4_ipsec_filtertunnel VNET(ip4_ipsec_filtertunnel)

SYSCTL_DECL(_net_inet_ipsec);
SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, filtertunnel,
	CTLFLAG_RW, &VNET_NAME(ip4_ipsec_filtertunnel), 0,
	"If set filter packets from an IPsec tunnel.");
#endif /* IPSEC */
85195699Srwatson
/*
 * Decide whether ip_input() may skip firewall processing for this packet.
 *
 * Returns 1 to jump over the firewall, 0 to run the packet through it.
 * Without IPSEC compiled in this always returns 0 and m is not examined.
 */
int
ip_ipsec_filtertunnel(struct mbuf *m)
{
	int skip_firewall = 0;

#ifdef IPSEC
	/*
	 * A packet tagged PACKET_TAG_IPSEC_IN_DONE has already been handled
	 * by IPsec input (AH, ESP, ...).  Unless the filtertunnel sysctl is
	 * set, such packets bypass the packet filter entirely, so firewall
	 * rules never see the decapsulated inner packet.
	 */
	if (V_ip4_ipsec_filtertunnel == 0 &&
	    m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
		skip_firewall = 1;
#endif
	return (skip_firewall);
}
105155179Sandre
/*
 * Inbound IPsec policy check for a packet that is about to be forwarded.
 * Called from ip_input().
 *
 * Returns 1 to drop the packet, 0 to forward it.  A packet for which no
 * security policy can be found is dropped rather than forwarded.  Without
 * IPSEC compiled in this always returns 0.
 */
int
ip_ipsec_fwd(struct mbuf *m)
{
#ifdef IPSEC
	struct secpolicy *sp;
	struct m_tag *mtag;
	int error;

	/*
	 * Prefer the policy recorded by inbound IPsec processing (the
	 * PACKET_TAG_IPSEC_IN_DONE tag); otherwise look it up by address.
	 */
	mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
	if (mtag == NULL)
		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
		    IP_FORWARDING, &error);
	else
		sp = ipsec_getpolicy((struct tdb_ident *)(mtag + 1),
		    IPSEC_DIR_INBOUND);

	if (sp == NULL) {	/* NB: can happen if error */
		/* XXX no error statistic is bumped for this case. */
		DPRINTF(("ip_input: no SP for forwarding\n"));	/*XXX*/
		return 1;
	}

	/* Check the security policy against the packet attributes. */
	error = ipsec_in_reject(sp, m);
	KEY_FREESP(&sp);
	if (error == 0)
		return 0;
	IPSTAT_INC(ips_cantforward);
	return 1;
#else
	return 0;
#endif
}
147155179Sandre
/*
 * Inbound IPsec policy check for protocols that carry no further header
 * (PR_LASTHDR): do the IPsec decryption or reject the packet right here.
 * Protocols with their own pcb layer (tcp/udp/raw ip) get their IPsec
 * treatment inside the protocol-specific processing instead.
 * Called from ip_input().
 *
 * Returns 1 to drop the packet, 0 to continue processing it.  A packet
 * for which no security policy can be found is dropped.  Without IPSEC
 * compiled in this always returns 0.
 */
int
ip_ipsec_input(struct mbuf *m)
{
#ifdef IPSEC
	struct ip *ip = mtod(m, struct ip *);
	struct secpolicy *sp;
	struct m_tag *mtag;
	int error;

	/* Nothing to do unless this is the last header of the packet. */
	if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) == 0)
		return 0;

	/*
	 * PACKET_TAG_IPSEC_IN_DONE is set by AH, ESP, etc. input handling
	 * before the packet is requeued for delivery; use the policy it
	 * names, otherwise look the policy up by address.
	 */
	mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
	if (mtag == NULL)
		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
		    IP_FORWARDING, &error);
	else
		sp = ipsec_getpolicy((struct tdb_ident *)(mtag + 1),
		    IPSEC_DIR_INBOUND);

	if (sp == NULL) {
		/* XXX no error statistic is bumped for this case. */
		DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
		return 1;
	}

	/* Check the security policy against the packet attributes. */
	error = ipsec_in_reject(sp, m);
	KEY_FREESP(&sp);
	return (error != 0);
#else
	return 0;
#endif
}
202155179Sandre
/*
 * Compute the MTU to advertise in an ICMP "need fragmentation" reply for a
 * forwarded packet that is going to be IPsec encapsulated.
 * Called from ip_forward().
 *
 * The tunnel MTU is the interface MTU (mtu) less the ESP/AH overhead that
 * ipsec_hdrsiz() reports for the outbound direction.  No lower bound is
 * applied here: an overhead at or above mtu yields a non-positive result
 * that the caller has to deal with.  XXX quickhack!!!
 */
int
ip_ipsec_mtu(struct mbuf *m, int mtu)
{
	int ipsec_overhead;

	ipsec_overhead = ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL);
	return (mtu - ipsec_overhead);
}
219155179Sandre
/*
 * Outbound IPsec policy hook.  Called from ip_output().
 *
 * m points at the packet (ipsec4_process_packet() frees it on the
 * reinjected path), inp is the sending pcb handed to the policy lookup,
 * flags are the ip_output() flags and *error receives the error value
 * for the caller.
 *
 * Returns 1 to drop the packet, 0 to continue processing it, and -1 when
 * the packet was reinjected and ip_output() must stop processing it.
 * Without IPSEC compiled in this always returns 0.
 */
int
ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error)
{
#ifdef IPSEC
	struct secpolicy *sp = NULL;
	struct tdb_ident *tdbi;
	struct m_tag *mtag;
	int rc = 0;	/* 0 = continue, 1 = drop, -1 = reinjected */

	/* No outbound policies at all: nothing to do. */
	if (!key_havesp(IPSEC_DIR_OUTBOUND))
		return 0;

	/*
	 * First pass through ip_output(): the packet is untagged and the
	 * policy comes from ipsec4_checkpolicy().  A packet resubmitted
	 * after AH, ESP, etc. processing carries PACKET_TAG_IPSEC_PENDING_TDB
	 * instead, which names the policy directly and is consumed here.
	 */
	mtag = m_tag_find(*m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
	if (mtag == NULL) {
		sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags,
		    error, inp);
	} else {
		tdbi = (struct tdb_ident *)(mtag + 1);
		sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND);
		if (sp == NULL)
			*error = -EINVAL;	/* force silent drop */
		m_tag_delete(*m, mtag);
	}

	/*
	 * Outcomes of the lookup:
	 *    sp != NULL                     apply IPsec policy
	 *    sp == NULL, *error == 0        no IPsec handling needed
	 *    sp == NULL, *error == -EINVAL  discard packet w/o error
	 *    sp == NULL, *error != 0        discard packet, report error
	 */
	if (sp == NULL) {
		if (*error != 0) {
			/*
			 * Hack: -EINVAL signals a silent discard, typically
			 * because the SA was requested from key management
			 * and is delayed (e.g. kicked up to IKE).
			 */
			if (*error == -EINVAL)
				*error = 0;
			rc = 1;
		}
		/* else: no IPsec processing for this packet. */
		goto out;
	}

	/* Loop detection: was IPsec already applied with this very SA? */
	KASSERT(sp->req != NULL, ("ip_output: no ipsec request"));
	for (mtag = m_tag_first(*m); mtag != NULL;
	     mtag = m_tag_next(*m, mtag)) {
		if (mtag->m_tag_cookie != MTAG_ABI_COMPAT)
			continue;
		if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
		    mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
			continue;
		/*
		 * An SP that has not acquired an SA yet (e.g. on first
		 * reference) is left to ipsec4_process_packet().
		 */
		if (sp->req->sav == NULL)
			break;
		tdbi = (struct tdb_ident *)(mtag + 1);
		if (tdbi->spi == sp->req->sav->spi &&
		    tdbi->proto == sp->req->sav->sah->saidx.proto &&
		    bcmp(&tdbi->dst, &sp->req->sav->sah->saidx.dst,
			 sizeof (union sockaddr_union)) == 0) {
			/*
			 * Already processed by this SA: no IPsec work is
			 * needed.  The SP reference is released at out:.
			 */
			goto out;
		}
	}

	/*
	 * Finish delayed checksums now, because the packet is sent from
	 * here before the normal processing path would compute them.
	 */
	if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
		in_delayed_cksum(*m);
		(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
	}
#ifdef SCTP
	if ((*m)->m_pkthdr.csum_flags & CSUM_SCTP) {
		struct ip *ip = mtod(*m, struct ip *);

		sctp_delayed_cksum(*m, (uint32_t)(ip->ip_hl << 2));
		(*m)->m_pkthdr.csum_flags &= ~CSUM_SCTP;
	}
#endif

	/* NB: callee frees mbuf */
	*error = ipsec4_process_packet(*m, sp->req, *flags, 0);
	if (*error == EJUSTRETURN) {
		/*
		 * SP with a level of 'use' and no SA: continue processing
		 * the packet without IPsec and without error.
		 */
		*error = 0;
		goto out;
	}
	/*
	 * Preserve KAME behaviour: ENOENT can be returned while an SA
	 * acquire is in progress.  Don't propagate it to user-level; it
	 * confuses applications.
	 *
	 * XXX this will go away when the SADB is redone.
	 */
	if (*error == ENOENT)
		*error = 0;
	rc = -1;

out:
	if (sp != NULL)
		KEY_FREESP(&sp);
	return (rc);
#else
	return 0;
#endif
}
368