xref: /trueos/sys/netinet/ip_ipsec.c (revision 5868f7205430cd67aa3b655419d3f15f83b70119)
1 /*-
2  * Copyright (c) 1982, 1986, 1988, 1993
3  *      The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 4. Neither the name of the University nor the names of its contributors
14  *    may be used to endorse or promote products derived from this software
15  *    without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  */
29 
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32 
33 #include "opt_ipsec.h"
34 #include "opt_sctp.h"
35 
36 #include <sys/param.h>
37 #include <sys/systm.h>
38 #include <sys/errno.h>
39 #include <sys/kernel.h>
40 #include <sys/malloc.h>
41 #include <sys/mbuf.h>
42 #include <sys/protosw.h>
43 #include <sys/socket.h>
44 #include <sys/socketvar.h>
45 #include <sys/sysctl.h>
46 
47 #include <net/if.h>
48 #include <net/vnet.h>
49 
50 #include <netinet/in.h>
51 #include <netinet/in_systm.h>
52 #include <netinet/in_var.h>
53 #include <netinet/ip.h>
54 #include <netinet/in_pcb.h>
55 #include <netinet/ip_var.h>
56 #include <netinet/ip_options.h>
57 #include <netinet/ip_ipsec.h>
58 #ifdef SCTP
59 #include <netinet/sctp_crc32.h>
60 #endif
61 
62 #include <machine/in_cksum.h>
63 
64 #ifdef IPSEC
65 #include <netipsec/ipsec.h>
66 #include <netipsec/xform.h>
67 #include <netipsec/key.h>
68 #endif /*IPSEC*/
69 
70 extern	struct protosw inetsw[];
71 
72 #ifdef IPSEC
73 #ifdef IPSEC_FILTERTUNNEL
74 static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 1;
75 #else
76 static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0;
77 #endif
78 #define	V_ip4_ipsec_filtertunnel VNET(ip4_ipsec_filtertunnel)
79 
80 SYSCTL_DECL(_net_inet_ipsec);
81 SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, filtertunnel,
82 	CTLFLAG_RW, &VNET_NAME(ip4_ipsec_filtertunnel), 0,
83 	"If set filter packets from an IPsec tunnel.");
84 #endif /* IPSEC */
85 
86 /*
87  * Check if we have to jump over firewall processing for this packet.
88  * Called from ip_input().
89  * 1 = jump over firewall, 0 = packet goes through firewall.
90  */
91 int
ip_ipsec_filtertunnel(struct mbuf * m)92 ip_ipsec_filtertunnel(struct mbuf *m)
93 {
94 #ifdef IPSEC
95 
96 	/*
97 	 * Bypass packet filtering for packets previously handled by IPsec.
98 	 */
99 	if (!V_ip4_ipsec_filtertunnel &&
100 	    m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
101 		return 1;
102 #endif
103 	return 0;
104 }
105 
106 /*
107  * Check if this packet has an active SA and needs to be dropped instead
108  * of forwarded.
109  * Called from ip_input().
110  * 1 = drop packet, 0 = forward packet.
111  */
112 int
ip_ipsec_fwd(struct mbuf * m)113 ip_ipsec_fwd(struct mbuf *m)
114 {
115 #ifdef IPSEC
116 	struct m_tag *mtag;
117 	struct tdb_ident *tdbi;
118 	struct secpolicy *sp;
119 	int error;
120 
121 	mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
122 	if (mtag != NULL) {
123 		tdbi = (struct tdb_ident *)(mtag + 1);
124 		sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
125 	} else {
126 		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
127 					   IP_FORWARDING, &error);
128 	}
129 	if (sp == NULL) {	/* NB: can happen if error */
130 		/*XXX error stat???*/
131 		DPRINTF(("ip_input: no SP for forwarding\n"));	/*XXX*/
132 		return 1;
133 	}
134 
135 	/*
136 	 * Check security policy against packet attributes.
137 	 */
138 	error = ipsec_in_reject(sp, m);
139 	KEY_FREESP(&sp);
140 	if (error) {
141 		IPSTAT_INC(ips_cantforward);
142 		return 1;
143 	}
144 #endif /* IPSEC */
145 	return 0;
146 }
147 
148 /*
149  * Check if protocol type doesn't have a further header and do IPSEC
150  * decryption or reject right now.  Protocols with further headers get
151  * their IPSEC treatment within the protocol specific processing.
152  * Called from ip_input().
153  * 1 = drop packet, 0 = continue processing packet.
154  */
155 int
ip_ipsec_input(struct mbuf * m)156 ip_ipsec_input(struct mbuf *m)
157 {
158 #ifdef IPSEC
159 	struct ip *ip = mtod(m, struct ip *);
160 	struct m_tag *mtag;
161 	struct tdb_ident *tdbi;
162 	struct secpolicy *sp;
163 	int error;
164 	/*
165 	 * enforce IPsec policy checking if we are seeing last header.
166 	 * note that we do not visit this with protocols with pcb layer
167 	 * code - like udp/tcp/raw ip.
168 	 */
169 	if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
170 		/*
171 		 * Check if the packet has already had IPsec processing
172 		 * done.  If so, then just pass it along.  This tag gets
173 		 * set during AH, ESP, etc. input handling, before the
174 		 * packet is returned to the ip input queue for delivery.
175 		 */
176 		mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
177 		if (mtag != NULL) {
178 			tdbi = (struct tdb_ident *)(mtag + 1);
179 			sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
180 		} else {
181 			sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
182 						   IP_FORWARDING, &error);
183 		}
184 		if (sp != NULL) {
185 			/*
186 			 * Check security policy against packet attributes.
187 			 */
188 			error = ipsec_in_reject(sp, m);
189 			KEY_FREESP(&sp);
190 		} else {
191 			/* XXX error stat??? */
192 			error = EINVAL;
193 			DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
194 			return 1;
195 		}
196 		if (error)
197 			return 1;
198 	}
199 #endif /* IPSEC */
200 	return 0;
201 }
202 
203 /*
204  * Compute the MTU for a forwarded packet that gets IPSEC encapsulated.
205  * Called from ip_forward().
206  * Returns MTU suggestion for ICMP needfrag reply.
207  */
208 int
ip_ipsec_mtu(struct mbuf * m,int mtu)209 ip_ipsec_mtu(struct mbuf *m, int mtu)
210 {
211 	/*
212 	 * If the packet is routed over IPsec tunnel, tell the
213 	 * originator the tunnel MTU.
214 	 *	tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
215 	 * XXX quickhack!!!
216 	 */
217 	return (mtu - ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL));
218 }
219 
220 /*
221  *
222  * Called from ip_output().
223  * 1 = drop packet, 0 = continue processing packet,
224  * -1 = packet was reinjected and stop processing packet
225  */
226 int
ip_ipsec_output(struct mbuf ** m,struct inpcb * inp,int * flags,int * error)227 ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error)
228 {
229 #ifdef IPSEC
230 	struct secpolicy *sp = NULL;
231 	struct tdb_ident *tdbi;
232 	struct m_tag *mtag;
233 	/*
234 	 * Check the security policy (SP) for the packet and, if
235 	 * required, do IPsec-related processing.  There are two
236 	 * cases here; the first time a packet is sent through
237 	 * it will be untagged and handled by ipsec4_checkpolicy.
238 	 * If the packet is resubmitted to ip_output (e.g. after
239 	 * AH, ESP, etc. processing), there will be a tag to bypass
240 	 * the lookup and related policy checking.
241 	 */
242 	mtag = m_tag_find(*m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
243 	if (mtag != NULL) {
244 		tdbi = (struct tdb_ident *)(mtag + 1);
245 		sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND);
246 		if (sp == NULL)
247 			*error = -EINVAL;	/* force silent drop */
248 		m_tag_delete(*m, mtag);
249 	} else {
250 		sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags,
251 					error, inp);
252 	}
253 	/*
254 	 * There are four return cases:
255 	 *    sp != NULL	 	    apply IPsec policy
256 	 *    sp == NULL, error == 0	    no IPsec handling needed
257 	 *    sp == NULL, error == -EINVAL  discard packet w/o error
258 	 *    sp == NULL, error != 0	    discard packet, report error
259 	 */
260 	if (sp != NULL) {
261 		/* Loop detection, check if ipsec processing already done */
262 		KASSERT(sp->req != NULL, ("ip_output: no ipsec request"));
263 		for (mtag = m_tag_first(*m); mtag != NULL;
264 		     mtag = m_tag_next(*m, mtag)) {
265 			if (mtag->m_tag_cookie != MTAG_ABI_COMPAT)
266 				continue;
267 			if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
268 			    mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
269 				continue;
270 			/*
271 			 * Check if policy has an SA associated with it.
272 			 * This can happen when an SP has yet to acquire
273 			 * an SA; e.g. on first reference.  If it occurs,
274 			 * then we let ipsec4_process_packet do its thing.
275 			 */
276 			if (sp->req->sav == NULL)
277 				break;
278 			tdbi = (struct tdb_ident *)(mtag + 1);
279 			if (tdbi->spi == sp->req->sav->spi &&
280 			    tdbi->proto == sp->req->sav->sah->saidx.proto &&
281 			    bcmp(&tdbi->dst, &sp->req->sav->sah->saidx.dst,
282 				 sizeof (union sockaddr_union)) == 0) {
283 				/*
284 				 * No IPsec processing is needed, free
285 				 * reference to SP.
286 				 *
287 				 * NB: null pointer to avoid free at
288 				 *     done: below.
289 				 */
290 				KEY_FREESP(&sp), sp = NULL;
291 				goto done;
292 			}
293 		}
294 
295 		/*
296 		 * Do delayed checksums now because we send before
297 		 * this is done in the normal processing path.
298 		 */
299 		if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
300 			in_delayed_cksum(*m);
301 			(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
302 		}
303 #ifdef SCTP
304 		if ((*m)->m_pkthdr.csum_flags & CSUM_SCTP) {
305 			struct ip *ip = mtod(*m, struct ip *);
306 
307 			sctp_delayed_cksum(*m, (uint32_t)(ip->ip_hl << 2));
308 			(*m)->m_pkthdr.csum_flags &= ~CSUM_SCTP;
309 		}
310 #endif
311 
312 		/* NB: callee frees mbuf */
313 		*error = ipsec4_process_packet(*m, sp->req, *flags, 0);
314 		if (*error == EJUSTRETURN) {
315 			/*
316 			 * We had a SP with a level of 'use' and no SA. We
317 			 * will just continue to process the packet without
318 			 * IPsec processing and return without error.
319 			 */
320 			*error = 0;
321 			goto done;
322 		}
323 		/*
324 		 * Preserve KAME behaviour: ENOENT can be returned
325 		 * when an SA acquire is in progress.  Don't propagate
326 		 * this to user-level; it confuses applications.
327 		 *
328 		 * XXX this will go away when the SADB is redone.
329 		 */
330 		if (*error == ENOENT)
331 			*error = 0;
332 		goto reinjected;
333 	} else {	/* sp == NULL */
334 
335 		if (*error != 0) {
336 			/*
337 			 * Hack: -EINVAL is used to signal that a packet
338 			 * should be silently discarded.  This is typically
339 			 * because we asked key management for an SA and
340 			 * it was delayed (e.g. kicked up to IKE).
341 			 */
342 			if (*error == -EINVAL)
343 				*error = 0;
344 			goto bad;
345 		} else {
346 			/* No IPsec processing for this packet. */
347 		}
348 	}
349 done:
350 	if (sp != NULL)
351 		KEY_FREESP(&sp);
352 	return 0;
353 reinjected:
354 	if (sp != NULL)
355 		KEY_FREESP(&sp);
356 	return -1;
357 bad:
358 	if (sp != NULL)
359 		KEY_FREESP(&sp);
360 	return 1;
361 #endif /* IPSEC */
362 	return 0;
363 }
364