Date: Wed, 26 Nov 2014 17:44:50 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r275133 - in head: . sys/netipsec Message-ID: <201411261744.sAQHiomi073114@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ae Date: Wed Nov 26 17:44:49 2014 New Revision: 275133 URL: https://svnweb.freebsd.org/changeset/base/275133 Log: Do not use xform_ipip as decapsulation fallback. xform_ipip was used as fallback with low priority for IPIP encapsulated packets that were decrypted. In some cases it can decapsulate packets, that it shouldn't. This leads to situations, when wrong configurations are magically working. Also it can propagate wrong ingress interface and this can break security. Now we redesigned the IPSEC code and IPIP encapsulation is called directly from ipsec_output, and decapsulation is done in the ipsec_input with m_striphdr. Differential Revision: https://reviews.freebsd.org/D1220 MFC after: 1 month Sponsored by: Yandex LLC Deleted: head/sys/netipsec/ipip_var.h Modified: head/ObsoleteFiles.inc head/sys/netipsec/xform.h head/sys/netipsec/xform_ipip.c Modified: head/ObsoleteFiles.inc ============================================================================== --- head/ObsoleteFiles.inc Wed Nov 26 17:40:03 2014 (r275132) +++ head/ObsoleteFiles.inc Wed Nov 26 17:44:49 2014 (r275133) @@ -38,6 +38,8 @@ # xargs -n1 | sort | uniq -d; # done +# 20141126: remove xform_ipip decapsulation fallback +OLD_FILES+=usr/include/netipsec/ipip_var.h # 20141109: faith/faithd removal OLD_FILES+=etc/rc.d/faith OLD_FILES+=usr/share/man/man4/faith.4.gz Modified: head/sys/netipsec/xform.h ============================================================================== --- head/sys/netipsec/xform.h Wed Nov 26 17:40:03 2014 (r275132) +++ head/sys/netipsec/xform.h Wed Nov 26 17:44:49 2014 (r275133) @@ -109,7 +109,6 @@ extern int xform_init(struct secasvar *s struct cryptoini; /* XF_IP4 */ -extern int ip4_input6(struct mbuf **m, int *offp, int proto); extern int ip4_input(struct mbuf **, int *, int); extern int ipip_output(struct mbuf *, struct ipsecrequest *, struct mbuf **, int, int); Modified: head/sys/netipsec/xform_ipip.c ============================================================================== --- head/sys/netipsec/xform_ipip.c Wed Nov 26 17:40:03 2014 (r275132) +++ head/sys/netipsec/xform_ipip.c Wed Nov 26 17:44:49 2014 (r275133) @@ -64,290 +64,24 @@ #include <netinet/ip.h> #include <netinet/ip_ecn.h> #include <netinet/ip_var.h> -#include <netinet/ip_encap.h> #include <netipsec/ipsec.h> #include <netipsec/xform.h> -#include <netipsec/ipip_var.h> - #ifdef INET6 #include <netinet/ip6.h> #include <netipsec/ipsec6.h> #include <netinet6/ip6_ecn.h> #include <netinet6/in6_var.h> -#include <netinet6/ip6protosw.h> +#include <netinet6/scope6_var.h> #endif #include <netipsec/key.h> #include <netipsec/key_debug.h> -#include <machine/stdarg.h> - -/* - * We can control the acceptance of IP4 packets by altering the sysctl - * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. - */ -VNET_DEFINE(int, ipip_allow) = 0; -VNET_PCPUSTAT_DEFINE(struct ipipstat, ipipstat); -VNET_PCPUSTAT_SYSINIT(ipipstat); - -#ifdef VIMAGE -VNET_PCPUSTAT_SYSUNINIT(ipipstat); -#endif /* VIMAGE */ - -SYSCTL_DECL(_net_inet_ipip); -SYSCTL_INT(_net_inet_ipip, OID_AUTO, ipip_allow, CTLFLAG_VNET | CTLFLAG_RW, - &VNET_NAME(ipip_allow), 0, ""); -SYSCTL_VNET_PCPUSTAT(_net_inet_ipip, IPSECCTL_STATS, stats, - struct ipipstat, ipipstat, - "IPIP statistics (struct ipipstat, netipsec/ipip_var.h)"); - -/* XXX IPCOMP */ -#define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED) - -static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp); - -#ifdef INET6 -/* - * Really only a wrapper for ipip_input(), for use with IPv6. - */ -int -ip4_input6(struct mbuf **m, int *offp, int proto) -{ -#if 0 - /* If we do not accept IP-in-IP explicitly, drop. */ - if (!V_ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) { - DPRINTF(("%s: dropped due to policy\n", __func__)); - IPIPSTAT_INC(ipips_pdrops); - m_freem(*m); - return IPPROTO_DONE; - } -#endif - _ipip_input(*m, *offp, NULL); - return IPPROTO_DONE; -} -#endif /* INET6 */ - -#ifdef INET -/* - * Really only a wrapper for ipip_input(), for use with IPv4. - */ -int -ip4_input(struct mbuf **mp, int *offp, int proto) -{ -#if 0 - /* If we do not accept IP-in-IP explicitly, drop. */ - if (!V_ipip_allow && (m->m_flags & M_IPSEC) == 0) { - DPRINTF(("%s: dropped due to policy\n", __func__)); - IPIPSTAT_INC(ipips_pdrops); - m_freem(m); - return; - } -#endif - _ipip_input(*mp, *offp, NULL); - return (IPPROTO_DONE); -} -#endif /* INET */ - -/* - * ipip_input gets called when we receive an IP{46} encapsulated packet, - * either because we got it at a real interface, or because AH or ESP - * were being used in tunnel mode (in which case the rcvif element will - * contain the address of the encX interface associated with the tunnel. - */ - -static void -_ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) -{ - struct ip *ipo; -#ifdef INET6 - struct ip6_hdr *ip6 = NULL; - u_int8_t itos; -#endif - int isr; - u_int8_t otos; - u_int8_t v; - int hlen; - - IPIPSTAT_INC(ipips_ipackets); - - m_copydata(m, 0, 1, &v); - - switch (v >> 4) { -#ifdef INET - case 4: - hlen = sizeof(struct ip); - break; -#endif /* INET */ -#ifdef INET6 - case 6: - hlen = sizeof(struct ip6_hdr); - break; -#endif - default: - IPIPSTAT_INC(ipips_family); - m_freem(m); - return /* EAFNOSUPPORT */; - } - - /* Bring the IP header in the first mbuf, if not there already */ - if (m->m_len < hlen) { - if ((m = m_pullup(m, hlen)) == NULL) { - DPRINTF(("%s: m_pullup (1) failed\n", __func__)); - IPIPSTAT_INC(ipips_hdrops); - return; - } - } - ipo = mtod(m, struct ip *); - - /* Keep outer ecn field. */ - switch (v >> 4) { -#ifdef INET - case 4: - otos = ipo->ip_tos; - break; -#endif /* INET */ -#ifdef INET6 - case 6: - otos = (ntohl(mtod(m, struct ip6_hdr *)->ip6_flow) >> 20) & 0xff; - break; -#endif - default: - panic("ipip_input: unknown ip version %u (outer)", v>>4); - } - - /* Remove outer IP header */ - m_adj(m, iphlen); - - /* Sanity check */ - if (m->m_pkthdr.len < sizeof(struct ip)) { - IPIPSTAT_INC(ipips_hdrops); - m_freem(m); - return; - } - - m_copydata(m, 0, 1, &v); - - switch (v >> 4) { -#ifdef INET - case 4: - hlen = sizeof(struct ip); - break; -#endif /* INET */ - -#ifdef INET6 - case 6: - hlen = sizeof(struct ip6_hdr); - break; -#endif - default: - IPIPSTAT_INC(ipips_family); - m_freem(m); - return; /* EAFNOSUPPORT */ - } - - /* - * Bring the inner IP header in the first mbuf, if not there already. - */ - if (m->m_len < hlen) { - if ((m = m_pullup(m, hlen)) == NULL) { - DPRINTF(("%s: m_pullup (2) failed\n", __func__)); - IPIPSTAT_INC(ipips_hdrops); - return; - } - } - - /* - * RFC 1853 specifies that the inner TTL should not be touched on - * decapsulation. There's no reason this comment should be here, but - * this is as good as any a position. - */ - - /* Some sanity checks in the inner IP header */ - switch (v >> 4) { -#ifdef INET - case 4: - ipo = mtod(m, struct ip *); - ip_ecn_egress(V_ip4_ipsec_ecn, &otos, &ipo->ip_tos); - break; -#endif /* INET */ -#ifdef INET6 - case 6: - ip6 = (struct ip6_hdr *) ipo; - itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; - ip_ecn_egress(V_ip6_ipsec_ecn, &otos, &itos); - ip6->ip6_flow &= ~htonl(0xff << 20); - ip6->ip6_flow |= htonl((u_int32_t) itos << 20); - break; -#endif - default: - panic("ipip_input: unknown ip version %u (inner)", v>>4); - } - - /* Check for local address spoofing. */ - if ((m->m_pkthdr.rcvif == NULL || - !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && - V_ipip_allow != 2) { -#ifdef INET - if ((v >> 4) == IPVERSION && - in_localip(ipo->ip_src) != 0) { - IPIPSTAT_INC(ipips_spoof); - m_freem(m); - return; - } -#endif -#ifdef INET6 - if ((v & IPV6_VERSION_MASK) == IPV6_VERSION && - in6_localip(&ip6->ip6_src) != 0) { - IPIPSTAT_INC(ipips_spoof); - m_freem(m); - return; - } -#endif - } - - /* Statistics */ - IPIPSTAT_ADD(ipips_ibytes, m->m_pkthdr.len - iphlen); - - /* - * Interface pointer stays the same; if no IPsec processing has - * been done (or will be done), this will point to a normal - * interface. Otherwise, it'll point to an enc interface, which - * will allow a packet filter to distinguish between secure and - * untrusted packets. - */ - - switch (v >> 4) { -#ifdef INET - case 4: - isr = NETISR_IP; - break; -#endif -#ifdef INET6 - case 6: - isr = NETISR_IPV6; - break; -#endif - default: - panic("%s: bogus ip version %u", __func__, v>>4); - } - - if (netisr_queue(isr, m)) { /* (0) on success. */ - IPIPSTAT_INC(ipips_qfull); - DPRINTF(("%s: packet dropped because of full queue\n", - __func__)); - } -} - int -ipip_output( - struct mbuf *m, - struct ipsecrequest *isr, - struct mbuf **mp, - int skip, - int protoff -) +ipip_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp, + int skip, int protoff) { struct secasvar *sav; u_int8_t tp, otos; @@ -383,7 +117,6 @@ ipip_output( "address in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPIPSTAT_INC(ipips_unspec); error = EINVAL; goto bad; } @@ -391,7 +124,6 @@ ipip_output( M_PREPEND(m, sizeof(struct ip), M_NOWAIT); if (m == 0) { DPRINTF(("%s: M_PREPEND failed\n", __func__)); - IPIPSTAT_INC(ipips_hdrops); error = ENOBUFS; goto bad; } @@ -463,22 +195,17 @@ ipip_output( "address in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPIPSTAT_INC(ipips_unspec); error = ENOBUFS; goto bad; } /* scoped address handling */ ip6 = mtod(m, struct ip6_hdr *); - if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) - ip6->ip6_src.s6_addr16[1] = 0; - if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) - ip6->ip6_dst.s6_addr16[1] = 0; - + in6_clearscope(&ip6->ip6_src); + in6_clearscope(&ip6->ip6_dst); M_PREPEND(m, sizeof(struct ip6_hdr), M_NOWAIT); if (m == 0) { DPRINTF(("%s: M_PREPEND failed\n", __func__)); - IPIPSTAT_INC(ipips_hdrops); error = ENOBUFS; goto bad; } @@ -532,39 +259,12 @@ ipip_output( nofamily: DPRINTF(("%s: unsupported protocol family %u\n", __func__, saidx->dst.sa.sa_family)); - IPIPSTAT_INC(ipips_family); error = EAFNOSUPPORT; /* XXX diffs from openbsd */ goto bad; } - IPIPSTAT_INC(ipips_opackets); *mp = m; - -#ifdef INET - if (saidx->dst.sa.sa_family == AF_INET) { -#if 0 - if (sav->tdb_xform->xf_type == XF_IP4) - tdb->tdb_cur_bytes += - m->m_pkthdr.len - sizeof(struct ip); -#endif - IPIPSTAT_ADD(ipips_obytes, - m->m_pkthdr.len - sizeof(struct ip)); - } -#endif /* INET */ - -#ifdef INET6 - if (saidx->dst.sa.sa_family == AF_INET6) { -#if 0 - if (sav->tdb_xform->xf_type == XF_IP4) - tdb->tdb_cur_bytes += - m->m_pkthdr.len - sizeof(struct ip6_hdr); -#endif - IPIPSTAT_ADD(ipips_obytes, - m->m_pkthdr.len - sizeof(struct ip6_hdr)); - } -#endif /* INET6 */ - - return 0; + return (0); bad: if (m) m_freem(m); @@ -572,8 +272,6 @@ bad: return (error); } -#ifdef IPSEC -#if defined(INET) || defined(INET6) static int ipe4_init(struct secasvar *sav, struct xformsw *xsp) { @@ -603,63 +301,10 @@ static struct xformsw ipe4_xformsw = { ipe4_init, ipe4_zeroize, ipe4_input, ipip_output, }; -extern struct domain inetdomain; -#endif /* INET || INET6 */ -#ifdef INET -static struct protosw ipe4_protosw = { - .pr_type = SOCK_RAW, - .pr_domain = &inetdomain, - .pr_protocol = IPPROTO_IPV4, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, - .pr_input = ip4_input, - .pr_ctloutput = rip_ctloutput, - .pr_usrreqs = &rip_usrreqs -}; -#endif /* INET */ -#if defined(INET6) && defined(INET) -static struct protosw ipe6_protosw = { - .pr_type = SOCK_RAW, - .pr_domain = &inetdomain, - .pr_protocol = IPPROTO_IPV6, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, - .pr_input = ip4_input6, - .pr_ctloutput = rip_ctloutput, - .pr_usrreqs = &rip_usrreqs -}; -#endif /* INET6 && INET */ - -#ifdef INET -/* - * Check the encapsulated packet to see if we want it - */ -static int -ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg) -{ - /* - * Only take packets coming from IPSEC tunnels; the rest - * must be handled by the gif tunnel code. Note that we - * also return a minimum priority when we want the packet - * so any explicit gif tunnels take precedence. - */ - return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0); -} -#endif /* INET */ - static void ipe4_attach(void) { xform_register(&ipe4_xformsw); - /* attach to encapsulation framework */ - /* XXX save return cookie for detach on module remove */ -#ifdef INET - (void) encap_attach_func(AF_INET, -1, - ipe4_encapcheck, &ipe4_protosw, NULL); -#endif -#if defined(INET6) && defined(INET) - (void) encap_attach_func(AF_INET6, -1, - ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL); -#endif } SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL); -#endif /* IPSEC */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201411261744.sAQHiomi073114>