1 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr) and
5 * Niels Provos (provos@physnet.uni-hamburg.de).
7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11 * by Angelos D. Keromytis.
13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
16 * Additional features in 1999 by Angelos D. Keromytis.
18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19 * Angelos D. Keromytis and Niels Provos.
20 * Copyright (c) 2001, Angelos D. Keromytis.
21 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
23 * Permission to use, copy, and modify this software with or without fee
24 * is hereby granted, provided that this entire notice is included in
25 * all copies of any software which is or includes a copy or
26 * modification of this software.
27 * You may use this code under the GNU public license if you so wish. Please
28 * contribute changes back to the authors under this freer than GPL license
29 * so that we may further the use of strong encryption without limitations to
32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
40 * IPsec input processing.
43 #include <sys/cdefs.h>
44 __FBSDID("$FreeBSD$");
47 #include "opt_inet6.h"
48 #include "opt_ipsec.h"
50 #include <sys/param.h>
51 #include <sys/systm.h>
52 #include <sys/malloc.h>
54 #include <sys/domain.h>
55 #include <sys/protosw.h>
56 #include <sys/socket.h>
57 #include <sys/errno.h>
58 #include <sys/hhook.h>
59 #include <sys/syslog.h>
62 #include <net/if_var.h>
63 #include <net/if_enc.h>
64 #include <net/if_private.h>
65 #include <net/netisr.h>
68 #include <netinet/in.h>
69 #include <netinet/in_pcb.h>
70 #include <netinet/in_systm.h>
71 #include <netinet/ip.h>
72 #include <netinet/ip_var.h>
73 #include <netinet/ip_icmp.h>
74 #include <netinet/in_var.h>
75 #include <netinet/tcp_var.h>
77 #include <netinet/ip6.h>
79 #include <netinet6/ip6_var.h>
81 #include <netinet/in_pcb.h>
83 #include <netinet/icmp6.h>
86 #include <netipsec/ipsec.h>
88 #include <netipsec/ipsec6.h>
90 #include <netipsec/ipsec_support.h>
91 #include <netipsec/ah_var.h>
92 #include <netipsec/esp.h>
93 #include <netipsec/esp_var.h>
94 #include <netipsec/ipcomp_var.h>
96 #include <netipsec/key.h>
97 #include <netipsec/keydb.h>
98 #include <netipsec/key_debug.h>
100 #include <netipsec/xform.h>
102 #include <machine/in_cksum.h>
103 #include <machine/stdarg.h>
105 #define IPSEC_ISTAT(proto, name) do { \
106 if ((proto) == IPPROTO_ESP) \
107 ESPSTAT_INC(esps_##name); \
108 else if ((proto) == IPPROTO_AH) \
109 AHSTAT_INC(ahs_##name); \
111 IPCOMPSTAT_INC(ipcomps_##name); \
115 * ipsec_common_input gets called when an IPsec-protected packet
116 * is received by IPv4 or IPv6. Its job is to find the right SA
117 * and call the appropriate transform. The transform callback
118 * takes care of further processing (like ingress filtering).
121 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
123 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
124 union sockaddr_union dst_address;
125 struct secasvar *sav;
129 IPSEC_ISTAT(sproto, input);
131 IPSEC_ASSERT(m != NULL, ("null packet"));
133 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
134 sproto == IPPROTO_IPCOMP,
135 ("unexpected security protocol %u", sproto));
137 if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
138 (sproto == IPPROTO_AH && !V_ah_enable) ||
139 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
141 IPSEC_ISTAT(sproto, pdrops);
145 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
147 IPSEC_ISTAT(sproto, hdrops);
148 DPRINTF(("%s: packet too small\n", __func__));
152 /* Retrieve the SPI from the relevant IPsec header */
153 if (sproto == IPPROTO_ESP)
154 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
155 else if (sproto == IPPROTO_AH)
156 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
158 else if (sproto == IPPROTO_IPCOMP) {
160 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
162 spi = ntohl(htons(cpi));
166 * Find the SA and (indirectly) call the appropriate
167 * kernel crypto routine. The resulting mbuf chain is a valid
168 * IP packet ready to go through input processing.
170 bzero(&dst_address, sizeof (dst_address));
171 dst_address.sa.sa_family = af;
175 dst_address.sin.sin_len = sizeof(struct sockaddr_in);
176 m_copydata(m, offsetof(struct ip, ip_dst),
177 sizeof(struct in_addr),
178 (caddr_t) &dst_address.sin.sin_addr);
183 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
184 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
185 sizeof(struct in6_addr),
186 (caddr_t) &dst_address.sin6.sin6_addr);
187 /* We keep addresses in SADB without embedded scope id */
188 if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) {
189 /* XXX: sa6_recoverscope() */
190 dst_address.sin6.sin6_scope_id =
191 ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]);
192 dst_address.sin6.sin6_addr.s6_addr16[1] = 0;
197 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
199 IPSEC_ISTAT(sproto, nopf);
203 /* NB: only pass dst since key_allocsa follows RFC2401 */
204 sav = key_allocsa(&dst_address, sproto, spi);
206 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
207 __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
208 (u_long) ntohl(spi), sproto));
209 IPSEC_ISTAT(sproto, notdb);
214 if (sav->tdb_xform == NULL) {
215 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
216 __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
217 (u_long) ntohl(spi), sproto));
218 IPSEC_ISTAT(sproto, noxform);
225 * Call appropriate transform and return -- callback takes care of
228 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
234 * IPSEC_INPUT() method implementation for IPv4.
235 * 0 - Permitted by inbound security policy for further processing.
236 * EACCES - Forbidden by inbound security policy.
237 * EINPROGRESS - consumed by IPsec.
240 ipsec4_input(struct mbuf *m, int offset, int proto)
247 /* Do inbound IPsec processing for AH/ESP/IPCOMP */
248 ipsec_common_input(m, offset,
249 offsetof(struct ip, ip_p), AF_INET, proto);
250 return (EINPROGRESS); /* mbuf consumed by IPsec */
253 * Protocols with further headers get their IPsec treatment
254 * within the protocol specific processing.
264 case IPPROTO_ETHERIP:
273 * Enforce IPsec policy checking if we are seeing last header.
275 if (ipsec4_in_reject(m, NULL) != 0) {
276 /* Forbidden by inbound security policy */
284 ipsec4_ctlinput(ipsec_ctlinput_param_t param)
286 struct icmp *icp = param.icmp;
287 struct ip *ip = &icp->icmp_ip;
288 struct sockaddr_in icmpsrc = {
289 .sin_len = sizeof(struct sockaddr_in),
290 .sin_family = AF_INET,
291 .sin_addr = ip->ip_dst,
293 struct in_conninfo inc;
294 struct secasvar *sav;
299 pmtu = ntohs(icp->icmp_nextmtu);
301 if (pmtu < V_ip4_ipsec_min_pmtu)
305 if (proto != IPPROTO_ESP && proto != IPPROTO_AH &&
306 proto != IPPROTO_IPCOMP)
309 memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi));
310 sav = key_allocsa((union sockaddr_union *)&icmpsrc, proto, spi);
316 memset(&inc, 0, sizeof(inc));
317 inc.inc_faddr = ip->ip_dst;
319 /* Update pmtu only if its smaller than the current one. */
320 max_pmtu = tcp_hc_getmtu(&inc);
322 max_pmtu = tcp_maxmtu(&inc, NULL);
325 tcp_hc_updatemtu(&inc, pmtu);
331 * IPsec input callback for INET protocols.
332 * This routine is called as the transform callback.
333 * Takes care of filtering and other sanity checks on
334 * the processed packet.
337 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
340 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
341 struct epoch_tracker et;
342 struct ipsec_ctx_data ctx;
343 struct xform_history *xh;
344 struct secasindex *saidx;
347 int error, prot, af, sproto, isr_prot;
349 IPSEC_ASSERT(sav != NULL, ("null SA"));
350 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
351 saidx = &sav->sah->saidx;
352 af = saidx->dst.sa.sa_family;
353 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af));
354 sproto = saidx->proto;
355 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
356 sproto == IPPROTO_IPCOMP,
357 ("unexpected security protocol %u", sproto));
363 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
364 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
365 __func__, ipsec_address(&sav->sah->saidx.dst,
366 buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
367 IPSEC_ISTAT(sproto, hdrops);
372 ip = mtod(m, struct ip *);
373 ip->ip_len = htons(m->m_pkthdr.len);
375 ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
377 ip = mtod(m, struct ip *);
381 * Check that we have NAT-T enabled and apply transport mode
382 * decapsulation NAT procedure (RFC3948).
383 * Do this before invoking into the PFIL.
385 if (sav->natt != NULL &&
386 (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
387 udp_ipsec_adjust_cksum(m, sav, prot, skip);
390 * Needed for ipsec_run_hooks and netisr_queue_src
394 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE);
395 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
397 ip = mtod(m, struct ip *); /* update pointer */
399 /* IP-in-IP encapsulation */
400 if (prot == IPPROTO_IPIP &&
401 saidx->mode != IPSEC_MODE_TRANSPORT) {
402 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
403 IPSEC_ISTAT(sproto, hdrops);
407 /* enc0: strip outer IPv4 header */
408 m_striphdr(m, 0, ip->ip_hl << 2);
411 /* IPv6-in-IP encapsulation. */
412 else if (prot == IPPROTO_IPV6 &&
413 saidx->mode != IPSEC_MODE_TRANSPORT) {
414 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
415 IPSEC_ISTAT(sproto, hdrops);
419 /* enc0: strip IPv4 header, keep IPv6 header only */
420 m_striphdr(m, 0, ip->ip_hl << 2);
423 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) {
425 * When mode is wildcard, inner protocol is IPv6 and
426 * we have no INET6 support - drop this packet a bit later.
427 * In other cases we assume transport mode. Set prot to
428 * correctly choose netisr.
434 * Record what we've done to the packet (under what SA it was
437 if (sproto != IPPROTO_IPCOMP) {
438 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
439 sizeof(struct xform_history), M_NOWAIT);
441 DPRINTF(("%s: failed to get tag\n", __func__));
442 IPSEC_ISTAT(sproto, hdrops);
447 xh = (struct xform_history *)(mtag + 1);
448 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
451 xh->mode = saidx->mode;
452 m_tag_prepend(m, mtag);
455 key_sa_recordxfer(sav, m); /* record data transfer */
458 * In transport mode requeue decrypted mbuf back to IPv4 protocol
459 * handler. This is necessary to correctly expose rcvif.
461 if (saidx->mode == IPSEC_MODE_TRANSPORT)
464 * Re-dispatch via software interrupt.
468 isr_prot = NETISR_IP;
473 isr_prot = NETISR_IPV6;
478 DPRINTF(("%s: cannot handle inner ip proto %d\n",
480 IPSEC_ISTAT(sproto, nopf);
481 error = EPFNOSUPPORT;
485 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
486 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
489 /* Handle virtual tunneling interfaces */
490 if (saidx->mode == IPSEC_MODE_TUNNEL)
491 error = ipsec_if_input(m, sav, af);
493 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
495 IPSEC_ISTAT(sproto, qfull);
496 DPRINTF(("%s: queue full; proto %u packet dropped\n",
515 ipsec6_lasthdr(int proto)
523 case IPPROTO_ETHERIP:
533 * IPSEC_INPUT() method implementation for IPv6.
534 * 0 - Permitted by inbound security policy for further processing.
535 * EACCES - Forbidden by inbound security policy.
536 * EINPROGRESS - consumed by IPsec.
539 ipsec6_input(struct mbuf *m, int offset, int proto)
546 /* Do inbound IPsec processing for AH/ESP/IPCOMP */
547 ipsec_common_input(m, offset,
548 offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto);
549 return (EINPROGRESS); /* mbuf consumed by IPsec */
552 * Protocols with further headers get their IPsec treatment
553 * within the protocol specific processing.
555 if (!ipsec6_lasthdr(proto))
560 * Enforce IPsec policy checking if we are seeing last header.
562 if (ipsec6_in_reject(m, NULL) != 0) {
563 /* Forbidden by inbound security policy */
571 ipsec6_ctlinput(ipsec_ctlinput_param_t param)
576 extern ipproto_input_t *ip6_protox[];
579 * IPsec input callback, called by the transform callback. Takes care of
580 * filtering and other sanity checks on the processed packet.
583 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
586 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
587 struct epoch_tracker et;
588 struct ipsec_ctx_data ctx;
589 struct xform_history *xh;
590 struct secasindex *saidx;
593 int prot, af, sproto;
598 IPSEC_ASSERT(sav != NULL, ("null SA"));
599 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
600 saidx = &sav->sah->saidx;
601 af = saidx->dst.sa.sa_family;
602 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af));
603 sproto = saidx->proto;
604 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
605 sproto == IPPROTO_IPCOMP,
606 ("unexpected security protocol %u", sproto));
610 /* Fix IPv6 header */
611 if (m->m_len < sizeof(struct ip6_hdr) &&
612 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
613 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
614 __func__, ipsec_address(&sav->sah->saidx.dst, buf,
615 sizeof(buf)), (u_long) ntohl(sav->spi)));
617 IPSEC_ISTAT(sproto, hdrops);
622 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE);
623 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
626 ip6 = mtod(m, struct ip6_hdr *);
627 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
630 m_copydata(m, protoff, 1, &nxt8);
633 /* IPv6-in-IP encapsulation */
634 if (prot == IPPROTO_IPV6 &&
635 saidx->mode != IPSEC_MODE_TRANSPORT) {
636 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
637 IPSEC_ISTAT(sproto, hdrops);
641 /* ip6n will now contain the inner IPv6 header. */
642 m_striphdr(m, 0, skip);
646 /* IP-in-IP encapsulation */
647 else if (prot == IPPROTO_IPIP &&
648 saidx->mode != IPSEC_MODE_TRANSPORT) {
649 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
650 IPSEC_ISTAT(sproto, hdrops);
654 /* ipn will now contain the inner IPv4 header */
655 m_striphdr(m, 0, skip);
660 prot = IPPROTO_IPV6; /* for correct BPF processing */
664 * Record what we've done to the packet (under what SA it was
667 if (sproto != IPPROTO_IPCOMP) {
668 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
669 sizeof(struct xform_history), M_NOWAIT);
671 DPRINTF(("%s: failed to get tag\n", __func__));
672 IPSEC_ISTAT(sproto, hdrops);
677 xh = (struct xform_history *)(mtag + 1);
678 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
681 xh->mode = saidx->mode;
682 m_tag_prepend(m, mtag);
685 key_sa_recordxfer(sav, m);
688 if (prot == IPPROTO_IPIP)
693 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
694 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
698 * We stripped outer IPv6 header.
699 * Now we should requeue decrypted packet via netisr.
704 isr_prot = NETISR_IP;
708 isr_prot = NETISR_IPV6;
711 DPRINTF(("%s: cannot handle inner ip proto %d\n",
713 IPSEC_ISTAT(sproto, nopf);
714 error = EPFNOSUPPORT;
717 /* Handle virtual tunneling interfaces */
718 if (saidx->mode == IPSEC_MODE_TUNNEL)
719 error = ipsec_if_input(m, sav, af);
721 error = netisr_queue_src(isr_prot,
722 (uintptr_t)sav->spi, m);
724 IPSEC_ISTAT(sproto, qfull);
725 DPRINTF(("%s: queue full; proto %u packet"
726 " dropped\n", __func__, sproto));
734 * See the end of ip6_input for this logic.
735 * IPPROTO_IPV[46] case will be processed just like other ones
739 while (nxt != IPPROTO_DONE) {
740 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
741 IP6STAT_INC(ip6s_toomanyhdr);
747 * Protection against faulty packet - there should be
748 * more sanity checks in header chain processing.
750 if (m->m_pkthdr.len < skip) {
751 IP6STAT_INC(ip6s_tooshort);
752 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
757 * Enforce IPsec policy checking if we are seeing last header.
758 * note that we do not visit this with protocols with pcb layer
759 * code - like udp/tcp/raw ip.
761 if (ipsec6_lasthdr(nxt) && ipsec6_in_reject(m, NULL)) {
765 nxt = ip6_protox[nxt](&m, &skip, nxt);