1/*- 2 * Copyright (c) 1982, 1986, 1988, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 4. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD$"); 32 33#include "opt_ipsec.h" 34#include "opt_sctp.h" 35 36#include <sys/param.h> 37#include <sys/systm.h> 38#include <sys/errno.h> 39#include <sys/kernel.h> 40#include <sys/malloc.h> 41#include <sys/mbuf.h> 42#include <sys/protosw.h> 43#include <sys/socket.h> 44#include <sys/socketvar.h> 45#include <sys/sysctl.h> 46 47#include <net/if.h> 48#include <net/route.h> 49#include <net/vnet.h> 50 51#include <netinet/in.h> 52#include <netinet/in_systm.h> 53#include <netinet/in_var.h> 54#include <netinet/ip.h> 55#include <netinet/in_pcb.h> 56#include <netinet/ip_var.h> 57#include <netinet/ip_options.h> 58#include <netinet/ip_ipsec.h> 59#ifdef SCTP 60#include <netinet/sctp_crc32.h> 61#endif 62 63#include <machine/in_cksum.h> 64 65#ifdef IPSEC 66#include <netipsec/ipsec.h> 67#include <netipsec/xform.h> 68#include <netipsec/key.h> 69#endif /*IPSEC*/ 70 71extern struct protosw inetsw[]; 72 73#ifdef IPSEC 74#ifdef IPSEC_FILTERTUNNEL 75static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 1; 76#else 77static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0; 78#endif 79#define V_ip4_ipsec_filtertunnel VNET(ip4_ipsec_filtertunnel) 80 81SYSCTL_DECL(_net_inet_ipsec); 82SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, filtertunnel, 83 CTLFLAG_RW, &VNET_NAME(ip4_ipsec_filtertunnel), 0, 84 "If set filter packets from an IPsec tunnel."); 85#endif /* IPSEC */ 86 87/* 88 * Check if we have to jump over firewall processing for this packet. 89 * Called from ip_input(). 90 * 1 = jump over firewall, 0 = packet goes through firewall. 91 */ 92int 93ip_ipsec_filtertunnel(struct mbuf *m) 94{ 95#ifdef IPSEC 96 97 /* 98 * Bypass packet filtering for packets previously handled by IPsec. 99 */ 100 if (!V_ip4_ipsec_filtertunnel && 101 m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) 102 return 1; 103#endif 104 return 0; 105} 106 107/* 108 * Check if this packet has an active SA and needs to be dropped instead 109 * of forwarded. 110 * Called from ip_input(). 111 * 1 = drop packet, 0 = forward packet. 112 */ 113int 114ip_ipsec_fwd(struct mbuf *m) 115{ 116#ifdef IPSEC 117 struct m_tag *mtag; 118 struct tdb_ident *tdbi; 119 struct secpolicy *sp; 120 int error; 121 122 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 123 if (mtag != NULL) { 124 tdbi = (struct tdb_ident *)(mtag + 1); 125 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); 126 } else { 127 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 128 IP_FORWARDING, &error); 129 } 130 if (sp == NULL) { /* NB: can happen if error */ 131 /*XXX error stat???*/ 132 DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/ 133 return 1; 134 } 135 136 /* 137 * Check security policy against packet attributes. 138 */ 139 error = ipsec_in_reject(sp, m); 140 KEY_FREESP(&sp); 141 if (error) { 142 IPSTAT_INC(ips_cantforward); 143 return 1; 144 } 145#endif /* IPSEC */ 146 return 0; 147} 148 149/* 150 * Check if protocol type doesn't have a further header and do IPSEC 151 * decryption or reject right now. Protocols with further headers get 152 * their IPSEC treatment within the protocol specific processing. 153 * Called from ip_input(). 154 * 1 = drop packet, 0 = continue processing packet. 155 */ 156int 157ip_ipsec_input(struct mbuf *m) 158{ 159#ifdef IPSEC 160 struct ip *ip = mtod(m, struct ip *); 161 struct m_tag *mtag; 162 struct tdb_ident *tdbi; 163 struct secpolicy *sp; 164 int error; 165 /* 166 * enforce IPsec policy checking if we are seeing last header. 167 * note that we do not visit this with protocols with pcb layer 168 * code - like udp/tcp/raw ip. 169 */ 170 if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) { 171 /* 172 * Check if the packet has already had IPsec processing 173 * done. If so, then just pass it along. This tag gets 174 * set during AH, ESP, etc. input handling, before the 175 * packet is returned to the ip input queue for delivery. 176 */ 177 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 178 if (mtag != NULL) { 179 tdbi = (struct tdb_ident *)(mtag + 1); 180 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); 181 } else { 182 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 183 IP_FORWARDING, &error); 184 } 185 if (sp != NULL) { 186 /* 187 * Check security policy against packet attributes. 188 */ 189 error = ipsec_in_reject(sp, m); 190 KEY_FREESP(&sp); 191 } else { 192 /* XXX error stat??? */ 193 error = EINVAL; 194 DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ 195 return 1; 196 } 197 if (error) 198 return 1; 199 } 200#endif /* IPSEC */ 201 return 0; 202} 203 204/* 205 * Compute the MTU for a forwarded packet that gets IPSEC encapsulated. 206 * Called from ip_forward(). 207 * Returns MTU suggestion for ICMP needfrag reply. 208 */ 209int 210ip_ipsec_mtu(struct mbuf *m, int mtu) 211{ 212 /* 213 * If the packet is routed over IPsec tunnel, tell the 214 * originator the tunnel MTU. 215 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz 216 * XXX quickhack!!! 217 */ 218 struct secpolicy *sp = NULL; 219 int ipsecerror; 220 int ipsechdr; 221 struct route *ro; 222 sp = ipsec_getpolicybyaddr(m, 223 IPSEC_DIR_OUTBOUND, 224 IP_FORWARDING, 225 &ipsecerror); 226 if (sp != NULL) { 227 /* count IPsec header size */ 228 ipsechdr = ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL); 229 230 /* 231 * find the correct route for outer IPv4 232 * header, compute tunnel MTU. 233 */ 234 if (sp->req != NULL && 235 sp->req->sav != NULL && 236 sp->req->sav->sah != NULL) { 237 ro = &sp->req->sav->sah->route_cache.sa_route; 238 if (ro->ro_rt && ro->ro_rt->rt_ifp) { 239 mtu = ro->ro_rt->rt_mtu ? ro->ro_rt->rt_mtu : 240 ro->ro_rt->rt_ifp->if_mtu; 241 mtu -= ipsechdr; 242 } 243 } 244 KEY_FREESP(&sp); 245 } 246 return mtu; 247} 248 249/* 250 * 251 * Called from ip_output(). 252 * 1 = drop packet, 0 = continue processing packet, 253 * -1 = packet was reinjected and stop processing packet 254 */ 255int 256ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error) 257{ 258#ifdef IPSEC 259 struct secpolicy *sp = NULL; 260 struct tdb_ident *tdbi; 261 struct m_tag *mtag; 262 /* 263 * Check the security policy (SP) for the packet and, if 264 * required, do IPsec-related processing. There are two 265 * cases here; the first time a packet is sent through 266 * it will be untagged and handled by ipsec4_checkpolicy. 267 * If the packet is resubmitted to ip_output (e.g. after 268 * AH, ESP, etc. processing), there will be a tag to bypass 269 * the lookup and related policy checking. 270 */ 271 mtag = m_tag_find(*m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); 272 if (mtag != NULL) { 273 tdbi = (struct tdb_ident *)(mtag + 1); 274 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND); 275 if (sp == NULL) 276 *error = -EINVAL; /* force silent drop */ 277 m_tag_delete(*m, mtag); 278 } else { 279 sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags, 280 error, inp); 281 } 282 /* 283 * There are four return cases: 284 * sp != NULL apply IPsec policy 285 * sp == NULL, error == 0 no IPsec handling needed 286 * sp == NULL, error == -EINVAL discard packet w/o error 287 * sp == NULL, error != 0 discard packet, report error 288 */ 289 if (sp != NULL) { 290 /* Loop detection, check if ipsec processing already done */ 291 KASSERT(sp->req != NULL, ("ip_output: no ipsec request")); 292 for (mtag = m_tag_first(*m); mtag != NULL; 293 mtag = m_tag_next(*m, mtag)) { 294 if (mtag->m_tag_cookie != MTAG_ABI_COMPAT) 295 continue; 296 if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE && 297 mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED) 298 continue; 299 /* 300 * Check if policy has an SA associated with it. 301 * This can happen when an SP has yet to acquire 302 * an SA; e.g. on first reference. If it occurs, 303 * then we let ipsec4_process_packet do its thing. 304 */ 305 if (sp->req->sav == NULL) 306 break; 307 tdbi = (struct tdb_ident *)(mtag + 1); 308 if (tdbi->spi == sp->req->sav->spi && 309 tdbi->proto == sp->req->sav->sah->saidx.proto && 310 bcmp(&tdbi->dst, &sp->req->sav->sah->saidx.dst, 311 sizeof (union sockaddr_union)) == 0) { 312 /* 313 * No IPsec processing is needed, free 314 * reference to SP. 315 * 316 * NB: null pointer to avoid free at 317 * done: below. 318 */ 319 KEY_FREESP(&sp), sp = NULL; 320 goto done; 321 } 322 } 323 324 /* 325 * Do delayed checksums now because we send before 326 * this is done in the normal processing path. 327 */ 328 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 329 in_delayed_cksum(*m); 330 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 331 } 332#ifdef SCTP 333 if ((*m)->m_pkthdr.csum_flags & CSUM_SCTP) { 334 struct ip *ip = mtod(*m, struct ip *); 335 336 sctp_delayed_cksum(*m, (uint32_t)(ip->ip_hl << 2)); 337 (*m)->m_pkthdr.csum_flags &= ~CSUM_SCTP; 338 } 339#endif 340 341 /* NB: callee frees mbuf */ 342 *error = ipsec4_process_packet(*m, sp->req, *flags, 0); 343 if (*error == EJUSTRETURN) { 344 /* 345 * We had a SP with a level of 'use' and no SA. We 346 * will just continue to process the packet without 347 * IPsec processing and return without error. 348 */ 349 *error = 0; 350 goto done; 351 } 352 /* 353 * Preserve KAME behaviour: ENOENT can be returned 354 * when an SA acquire is in progress. Don't propagate 355 * this to user-level; it confuses applications. 356 * 357 * XXX this will go away when the SADB is redone. 358 */ 359 if (*error == ENOENT) 360 *error = 0; 361 goto reinjected; 362 } else { /* sp == NULL */ 363 364 if (*error != 0) { 365 /* 366 * Hack: -EINVAL is used to signal that a packet 367 * should be silently discarded. This is typically 368 * because we asked key management for an SA and 369 * it was delayed (e.g. kicked up to IKE). 370 */ 371 if (*error == -EINVAL) 372 *error = 0; 373 goto bad; 374 } else { 375 /* No IPsec processing for this packet. */ 376 } 377 } 378done: 379 if (sp != NULL) 380 KEY_FREESP(&sp); 381 return 0; 382reinjected: 383 if (sp != NULL) 384 KEY_FREESP(&sp); 385 return -1; 386bad: 387 if (sp != NULL) 388 KEY_FREESP(&sp); 389 return 1; 390#endif /* IPSEC */ 391 return 0; 392} 393