1 /* $NetBSD: ipcomp_output.c,v 1.18 2004/02/13 11:36:23 wiz Exp $ */
2 /* $KAME: ipcomp_output.c,v 1.24 2001/07/26 06:53:18 jinmei Exp $ */
3
4 /*
5 * Copyright (C) 1999 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * RFC2393 IP payload compression protocol (IPComp).
35 */
36
37 #include <sys/cdefs.h>
38 __KERNEL_RCSID(0, "$NetBSD: ipcomp_output.c,v 1.18 2004/02/13 11:36:23 wiz Exp $");
39
40 #include "opt_inet.h"
41
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/malloc.h>
45 #include <sys/mbuf.h>
46 #include <sys/domain.h>
47 #include <sys/protosw.h>
48 #include <sys/socket.h>
49 #include <sys/errno.h>
50 #include <sys/time.h>
51 #include <sys/kernel.h>
52 #include <sys/syslog.h>
53
54 #include <net/if.h>
55 #include <net/route.h>
56 #include <net/netisr.h>
57 #include <net/zlib.h>
58 #include <machine/cpu.h>
59
60 #include <netinet/in.h>
61 #include <netinet/in_systm.h>
62 #include <netinet/in_var.h>
63 #include <netinet/ip.h>
64 #include <netinet/ip_var.h>
65 #include <netinet/ip_ecn.h>
66
67 #ifdef INET6
68 #include <netinet/ip6.h>
69 #include <netinet6/ip6_var.h>
70 #endif
71 #include <netinet6/ipcomp.h>
72
73 #include <netinet6/ipsec.h>
74 #include <netkey/key.h>
75 #include <netkey/keydb.h>
76
77 #include <machine/stdarg.h>
78
79 #include <net/net_osdep.h>
80
81 static int ipcomp_output __P((struct mbuf *, u_char *, struct mbuf *,
82 struct ipsecrequest *, int));
83
84 /*
85 * Modify the packet so that the payload is compressed.
86 * The mbuf (m) must start with IPv4 or IPv6 header.
87 * On failure, free the given mbuf and return non-zero.
88 *
89 * on invocation:
90 * m nexthdrp md
91 * v v v
92 * IP ......... payload
93 * during the encryption:
94 * m nexthdrp mprev md
95 * v v v v
96 * IP ............... ipcomp payload
97 * <-----><----->
98 * complen plen
99 * <-> hlen
100 * <-----------------> compoff
101 */
102 static int
103 ipcomp_output(m, nexthdrp, md, isr, af)
104 struct mbuf *m;
105 u_char *nexthdrp;
106 struct mbuf *md;
107 struct ipsecrequest *isr;
108 int af;
109 {
110 struct mbuf *n;
111 struct mbuf *md0;
112 struct mbuf *mcopy;
113 struct mbuf *mprev;
114 struct ipcomp *ipcomp;
115 struct secasvar *sav = isr->sav;
116 const struct ipcomp_algorithm *algo;
117 u_int16_t cpi; /* host order */
118 size_t plen0, plen; /* payload length to be compressed */
119 size_t compoff;
120 int afnumber;
121 int error = 0;
122 struct ipsecstat *stat;
123
124 switch (af) {
125 #ifdef INET
126 case AF_INET:
127 afnumber = 4;
128 stat = &ipsecstat;
129 break;
130 #endif
131 #ifdef INET6
132 case AF_INET6:
133 afnumber = 6;
134 stat = &ipsec6stat;
135 break;
136 #endif
137 default:
138 ipseclog((LOG_ERR, "ipcomp_output: unsupported af %d\n", af));
139 return 0; /* no change at all */
140 }
141
142 /* grab parameters */
143 algo = ipcomp_algorithm_lookup(sav->alg_enc);
144 if ((ntohl(sav->spi) & ~0xffff) != 0 || !algo) {
145 stat->out_inval++;
146 m_freem(m);
147 return EINVAL;
148 }
149 if ((sav->flags & SADB_X_EXT_RAWCPI) == 0)
150 cpi = sav->alg_enc;
151 else
152 cpi = ntohl(sav->spi) & 0xffff;
153
154 /* compute original payload length */
155 plen = 0;
156 for (n = md; n; n = n->m_next)
157 plen += n->m_len;
158
159 /* if the payload is short enough, we don't need to compress */
160 if (plen < algo->minplen)
161 return 0;
162
163 /*
164 * retain the original packet for two purposes:
165 * (1) we need to backout our changes when compression is not necessary.
166 * (2) byte lifetime computation should use the original packet.
167 * see RFC2401 page 23.
168 * compromise two m_copym(). we will be going through every byte of
169 * the payload during compression process anyways.
170 */
171 mcopy = m_copym(m, 0, M_COPYALL, M_NOWAIT);
172 if (mcopy == NULL) {
173 error = ENOBUFS;
174 return 0;
175 }
176 md0 = m_copym(md, 0, M_COPYALL, M_NOWAIT);
177 if (md0 == NULL) {
178 m_freem(mcopy);
179 error = ENOBUFS;
180 return 0;
181 }
182 plen0 = plen;
183
184 /* make the packet over-writable */
185 for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next)
186 ;
187 if (mprev == NULL || mprev->m_next != md) {
188 ipseclog((LOG_DEBUG, "ipcomp%d_output: md is not in chain\n",
189 afnumber));
190 stat->out_inval++;
191 m_freem(m);
192 m_freem(md0);
193 m_freem(mcopy);
194 return EINVAL;
195 }
196 mprev->m_next = NULL;
197 if ((md = ipsec_copypkt(md)) == NULL) {
198 m_freem(m);
199 m_freem(md0);
200 m_freem(mcopy);
201 error = ENOBUFS;
202 goto fail;
203 }
204 mprev->m_next = md;
205
206 /* compress data part */
207 if ((*algo->compress)(m, md, &plen) || mprev->m_next == NULL) {
208 ipseclog((LOG_ERR, "packet compression failure\n"));
209 m = NULL;
210 m_freem(md0);
211 m_freem(mcopy);
212 stat->out_inval++;
213 error = EINVAL;
214 goto fail;
215 }
216 stat->out_comphist[sav->alg_enc]++;
217 md = mprev->m_next;
218
219 /*
220 * if the packet became bigger, meaningless to use IPComp.
221 * we've only wasted our CPU time.
222 */
223 if (plen0 < plen) {
224 m_freem(md);
225 m_freem(mcopy);
226 mprev->m_next = md0;
227 return 0;
228 }
229
230 /*
231 * no need to backout change beyond here.
232 */
233 m_freem(md0);
234 md0 = NULL;
235
236 m->m_pkthdr.len -= plen0;
237 m->m_pkthdr.len += plen;
238
239 {
240 /*
241 * insert IPComp header.
242 */
243 #ifdef INET
244 struct ip *ip = NULL;
245 #endif
246 #ifdef INET6
247 struct ip6_hdr *ip6 = NULL;
248 #endif
249 size_t hlen = 0; /* ip header len */
250 size_t complen = sizeof(struct ipcomp);
251
252 switch (af) {
253 #ifdef INET
254 case AF_INET:
255 ip = mtod(m, struct ip *);
256 #ifdef _IP_VHL
257 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
258 #else
259 hlen = ip->ip_hl << 2;
260 #endif
261 break;
262 #endif
263 #ifdef INET6
264 case AF_INET6:
265 ip6 = mtod(m, struct ip6_hdr *);
266 hlen = sizeof(*ip6);
267 break;
268 #endif
269 }
270
271 compoff = m->m_pkthdr.len - plen;
272
273 /*
274 * grow the mbuf to accomodate ipcomp header.
275 * before: IP ... payload
276 * after: IP ... ipcomp payload
277 */
278 if (M_LEADINGSPACE(md) < complen) {
279 MGET(n, M_DONTWAIT, MT_DATA);
280 if (!n) {
281 m_freem(m);
282 error = ENOBUFS;
283 goto fail;
284 }
285 n->m_len = complen;
286 mprev->m_next = n;
287 n->m_next = md;
288 m->m_pkthdr.len += complen;
289 ipcomp = mtod(n, struct ipcomp *);
290 } else {
291 md->m_len += complen;
292 md->m_data -= complen;
293 m->m_pkthdr.len += complen;
294 ipcomp = mtod(md, struct ipcomp *);
295 }
296
297 bzero(ipcomp, sizeof(*ipcomp));
298 ipcomp->comp_nxt = *nexthdrp;
299 *nexthdrp = IPPROTO_IPCOMP;
300 ipcomp->comp_cpi = htons(cpi);
301 switch (af) {
302 #ifdef INET
303 case AF_INET:
304 if (compoff + complen + plen < IP_MAXPACKET)
305 ip->ip_len = htons(compoff + complen + plen);
306 else {
307 ipseclog((LOG_ERR,
308 "IPv4 ESP output: size exceeds limit\n"));
309 ipsecstat.out_inval++;
310 m_freem(m);
311 error = EMSGSIZE;
312 goto fail;
313 }
314 break;
315 #endif
316 #ifdef INET6
317 case AF_INET6:
318 /* total packet length will be computed in ip6_output() */
319 break;
320 #endif
321 }
322 }
323
324 if (!m) {
325 ipseclog((LOG_DEBUG,
326 "NULL mbuf after compression in ipcomp%d_output",
327 afnumber));
328 stat->out_inval++;
329 }
330 stat->out_success++;
331
332 /* compute byte lifetime against original packet */
333 key_sa_recordxfer(sav, mcopy);
334 m_freem(mcopy);
335
336 return 0;
337
338 fail:
339 #if 1
340 return error;
341 #else
342 panic("something bad in ipcomp_output");
343 #endif
344 }
345
346 #ifdef INET
347 int
348 ipcomp4_output(m, isr)
349 struct mbuf *m;
350 struct ipsecrequest *isr;
351 {
352 struct ip *ip;
353 if (m->m_len < sizeof(struct ip)) {
354 ipseclog((LOG_DEBUG, "ipcomp4_output: first mbuf too short\n"));
355 ipsecstat.out_inval++;
356 m_freem(m);
357 return 0;
358 }
359 ip = mtod(m, struct ip *);
360 /* XXX assumes that m->m_next points to payload */
361 return ipcomp_output(m, &ip->ip_p, m->m_next, isr, AF_INET);
362 }
363 #endif /* INET */
364
365 #ifdef INET6
366 int
367 ipcomp6_output(m, nexthdrp, md, isr)
368 struct mbuf *m;
369 u_char *nexthdrp;
370 struct mbuf *md;
371 struct ipsecrequest *isr;
372 {
373 if (m->m_len < sizeof(struct ip6_hdr)) {
374 ipseclog((LOG_DEBUG, "ipcomp6_output: first mbuf too short\n"));
375 ipsec6stat.out_inval++;
376 m_freem(m);
377 return 0;
378 }
379 return ipcomp_output(m, nexthdrp, md, isr, AF_INET6);
380 }
381 #endif /* INET6 */
Cache object: ad02dbc0772f74d463e5f4b29d633148
|