Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netinet/ip_ipsec.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /*- 2 * Copyright (c) 1982, 1986, 1988, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 4. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 __FBSDID("$FreeBSD: releng/11.0/sys/netinet/ip_ipsec.c 290165 2015-10-29 21:26:32Z gnn $"); 32 33 #include "opt_ipsec.h" 34 #include "opt_sctp.h" 35 36 #include <sys/param.h> 37 #include <sys/systm.h> 38 #include <sys/errno.h> 39 #include <sys/kernel.h> 40 #include <sys/malloc.h> 41 #include <sys/mbuf.h> 42 #include <sys/protosw.h> 43 #include <sys/socket.h> 44 #include <sys/socketvar.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_var.h> 49 #include <net/vnet.h> 50 51 #include <netinet/in.h> 52 #include <netinet/in_systm.h> 53 #include <netinet/in_var.h> 54 #include <netinet/ip.h> 55 #include <netinet/in_pcb.h> 56 #include <netinet/ip_var.h> 57 #include <netinet/ip_options.h> 58 #include <netinet/ip_ipsec.h> 59 #ifdef SCTP 60 #include <netinet/sctp_crc32.h> 61 #endif 62 63 #include <machine/in_cksum.h> 64 65 #include <netipsec/ipsec.h> 66 #include <netipsec/xform.h> 67 #include <netipsec/key.h> 68 69 extern struct protosw inetsw[]; 70 71 #ifdef IPSEC_FILTERTUNNEL 72 static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 1; 73 #else 74 static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0; 75 #endif 76 #define V_ip4_ipsec_filtertunnel VNET(ip4_ipsec_filtertunnel) 77 78 SYSCTL_DECL(_net_inet_ipsec); 79 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel, 80 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_filtertunnel), 0, 81 "If set filter packets from an IPsec tunnel."); 82 83 /* 84 * Check if we have to jump over firewall processing for this packet. 85 * Called from ip_input(). 86 * 1 = jump over firewall, 0 = packet goes through firewall. 87 */ 88 int 89 ip_ipsec_filtertunnel(struct mbuf *m) 90 { 91 92 /* 93 * Bypass packet filtering for packets previously handled by IPsec. 94 */ 95 if (!V_ip4_ipsec_filtertunnel && 96 m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) 97 return 1; 98 return 0; 99 } 100 101 /* 102 * Check if this packet has an active SA and needs to be dropped instead 103 * of forwarded. 104 * Called from ip_forward(). 105 * 1 = drop packet, 0 = forward packet. 106 */ 107 int 108 ip_ipsec_fwd(struct mbuf *m) 109 { 110 111 return (ipsec4_in_reject(m, NULL)); 112 } 113 114 /* 115 * Check if protocol type doesn't have a further header and do IPSEC 116 * decryption or reject right now. Protocols with further headers get 117 * their IPSEC treatment within the protocol specific processing. 118 * Called from ip_input(). 119 * 1 = drop packet, 0 = continue processing packet. 120 */ 121 int 122 ip_ipsec_input(struct mbuf *m, int nxt) 123 { 124 /* 125 * enforce IPsec policy checking if we are seeing last header. 126 * note that we do not visit this with protocols with pcb layer 127 * code - like udp/tcp/raw ip. 128 */ 129 if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) 130 return (ipsec4_in_reject(m, NULL)); 131 return (0); 132 } 133 134 /* 135 * Compute the MTU for a forwarded packet that gets IPSEC encapsulated. 136 * Called from ip_forward(). 137 * Returns MTU suggestion for ICMP needfrag reply. 138 */ 139 int 140 ip_ipsec_mtu(struct mbuf *m, int mtu) 141 { 142 /* 143 * If the packet is routed over IPsec tunnel, tell the 144 * originator the tunnel MTU. 145 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz 146 * XXX quickhack!!! 147 */ 148 return (mtu - ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL)); 149 } 150 151 /* 152 * 153 * Called from ip_output(). 154 * 1 = drop packet, 0 = continue processing packet, 155 * -1 = packet was reinjected and stop processing packet 156 */ 157 int 158 ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *error) 159 { 160 struct secpolicy *sp; 161 162 if (!key_havesp(IPSEC_DIR_OUTBOUND)) 163 return 0; 164 165 /* 166 * Check the security policy (SP) for the packet and, if 167 * required, do IPsec-related processing. There are two 168 * cases here; the first time a packet is sent through 169 * it will be untagged and handled by ipsec4_checkpolicy. 170 * If the packet is resubmitted to ip_output (e.g. after 171 * AH, ESP, etc. processing), there will be a tag to bypass 172 * the lookup and related policy checking. 173 */ 174 if (m_tag_find(*m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) { 175 *error = 0; 176 return (0); 177 } 178 sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, error, inp); 179 /* 180 * There are four return cases: 181 * sp != NULL apply IPsec policy 182 * sp == NULL, error == 0 no IPsec handling needed 183 * sp == NULL, error == -EINVAL discard packet w/o error 184 * sp == NULL, error != 0 discard packet, report error 185 */ 186 if (sp != NULL) { 187 /* 188 * Do delayed checksums now because we send before 189 * this is done in the normal processing path. 190 */ 191 if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 192 in_delayed_cksum(*m); 193 (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 194 } 195 #ifdef SCTP 196 if ((*m)->m_pkthdr.csum_flags & CSUM_SCTP) { 197 struct ip *ip = mtod(*m, struct ip *); 198 199 sctp_delayed_cksum(*m, (uint32_t)(ip->ip_hl << 2)); 200 (*m)->m_pkthdr.csum_flags &= ~CSUM_SCTP; 201 } 202 #endif 203 204 /* NB: callee frees mbuf */ 205 *error = ipsec4_process_packet(*m, sp->req); 206 KEY_FREESP(&sp); 207 if (*error == EJUSTRETURN) { 208 /* 209 * We had a SP with a level of 'use' and no SA. We 210 * will just continue to process the packet without 211 * IPsec processing and return without error. 212 */ 213 *error = 0; 214 goto done; 215 } 216 /* 217 * Preserve KAME behaviour: ENOENT can be returned 218 * when an SA acquire is in progress. Don't propagate 219 * this to user-level; it confuses applications. 220 * 221 * XXX this will go away when the SADB is redone. 222 */ 223 if (*error == ENOENT) 224 *error = 0; 225 goto reinjected; 226 } else { /* sp == NULL */ 227 228 if (*error != 0) { 229 /* 230 * Hack: -EINVAL is used to signal that a packet 231 * should be silently discarded. This is typically 232 * because we asked key management for an SA and 233 * it was delayed (e.g. kicked up to IKE). 234 */ 235 if (*error == -EINVAL) 236 *error = 0; 237 goto bad; 238 } 239 /* No IPsec processing for this packet. */ 240 } 241 done: 242 return (0); 243 reinjected: 244 return (-1); 245 bad: 246 if (sp != NULL) 247 KEY_FREESP(&sp); 248 return 1; 249 }
Cache object: a65d25649ad498f360408c8d152acb2e
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]