FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
1 /* $FreeBSD: releng/5.1/sys/netinet6/ipsec.c 114205 2003-04-29 08:43:56Z suz $ */
2 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #include "opt_inet.h"
38 #include "opt_inet6.h"
39 #include "opt_ipsec.h"
40
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/malloc.h>
44 #include <sys/mbuf.h>
45 #include <sys/domain.h>
46 #include <sys/protosw.h>
47 #include <sys/socket.h>
48 #include <sys/socketvar.h>
49 #include <sys/errno.h>
50 #include <sys/time.h>
51 #include <sys/kernel.h>
52 #include <sys/syslog.h>
53 #include <sys/sysctl.h>
54 #include <sys/proc.h>
55
56 #include <net/if.h>
57 #include <net/route.h>
58
59 #include <netinet/in.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/ip.h>
62 #include <netinet/ip_var.h>
63 #include <netinet/in_var.h>
64 #include <netinet/udp.h>
65 #include <netinet/udp_var.h>
66 #include <netinet/ip_ecn.h>
67 #ifdef INET6
68 #include <netinet6/ip6_ecn.h>
69 #endif
70 #include <netinet/tcp.h>
71 #include <netinet/udp.h>
72
73 #include <netinet/ip6.h>
74 #ifdef INET6
75 #include <netinet6/ip6_var.h>
76 #endif
77 #include <netinet/in_pcb.h>
78 #ifdef INET6
79 #include <netinet/icmp6.h>
80 #endif
81
82 #include <netinet6/ipsec.h>
83 #ifdef INET6
84 #include <netinet6/ipsec6.h>
85 #endif
86 #include <netinet6/ah.h>
87 #ifdef INET6
88 #include <netinet6/ah6.h>
89 #endif
90 #ifdef IPSEC_ESP
91 #include <netinet6/esp.h>
92 #ifdef INET6
93 #include <netinet6/esp6.h>
94 #endif
95 #endif
96 #include <netinet6/ipcomp.h>
97 #ifdef INET6
98 #include <netinet6/ipcomp6.h>
99 #endif
100 #include <netkey/key.h>
101 #include <netkey/keydb.h>
102 #include <netkey/key_debug.h>
103
104 #include <machine/in_cksum.h>
105
106 #include <net/net_osdep.h>
107
108 #ifdef IPSEC_DEBUG
109 int ipsec_debug = 1;
110 #else
111 int ipsec_debug = 0;
112 #endif
113
114 struct ipsecstat ipsecstat;
115 int ip4_ah_cleartos = 1;
116 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
117 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
118 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
119 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
120 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
121 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
122 struct secpolicy ip4_def_policy;
123 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
124 int ip4_esp_randpad = -1;
125
126 #ifdef SYSCTL_DECL
127 SYSCTL_DECL(_net_inet_ipsec);
128 #ifdef INET6
129 SYSCTL_DECL(_net_inet6_ipsec6);
130 #endif
131 #endif
132
133 /* net.inet.ipsec */
134 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
135 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
136 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
137 def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "");
138 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
139 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
140 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
141 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
142 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
143 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
144 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
145 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
146 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
147 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
148 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
149 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
150 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
151 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
152 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
153 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
154 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
155 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
156 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
157 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
158
159 #ifdef INET6
160 struct ipsecstat ipsec6stat;
161 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
162 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
163 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
164 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
165 struct secpolicy ip6_def_policy;
166 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
167 int ip6_esp_randpad = -1;
168
169 /* net.inet6.ipsec6 */
170 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
171 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
172 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
173 def_policy, CTLFLAG_RW, &ip6_def_policy.policy, 0, "");
174 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
175 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
176 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
177 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
178 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
179 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
180 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
181 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
182 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
183 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
184 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
185 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
186 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
187 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
188 #endif /* INET6 */
189
190 static int ipsec_setspidx_mbuf
191 __P((struct secpolicyindex *, u_int, u_int, struct mbuf *, int));
192 static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
193 #ifdef INET6
194 static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb));
195 #endif
196 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
197 static void ipsec4_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
198 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
199 #ifdef INET6
200 static void ipsec6_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
201 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
202 #endif
203 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
204 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
205 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *src));
206 static int ipsec_set_policy __P((struct secpolicy **pcb_sp,
207 int optname, caddr_t request, size_t len, int priv));
208 static int ipsec_get_policy __P((struct secpolicy *pcb_sp, struct mbuf **mp));
209 static void vshiftl __P((unsigned char *, int, int));
210 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
211 static size_t ipsec_hdrsiz __P((struct secpolicy *));
212 #ifdef INET
213 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
214 #endif
215 #ifdef INET6
216 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
217 #endif
218 #ifdef INET
219 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
220 #endif
221 #ifdef INET6
222 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
223 #endif
224
225 /*
226 * For OUTBOUND packet having a socket. Searching SPD for packet,
227 * and return a pointer to SP.
228 * OUT: NULL: no apropreate SP found, the following value is set to error.
229 * 0 : bypass
230 * EACCES : discard packet.
231 * ENOENT : ipsec_acquire() in progress, maybe.
232 * others : error occured.
233 * others: a pointer to SP
234 *
235 * NOTE: IPv6 mapped adddress concern is implemented here.
236 */
237 struct secpolicy *
238 ipsec4_getpolicybypcb(m, dir, inp, error)
239 struct mbuf *m;
240 u_int dir;
241 struct inpcb *inp;
242 int *error;
243 {
244 struct inpcbpolicy *pcbsp = NULL;
245 struct secpolicy *currsp = NULL; /* policy on socket */
246 struct secpolicy *kernsp = NULL; /* policy on kernel */
247
248 /* sanity check */
249 if (m == NULL || inp == NULL || error == NULL)
250 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
251
252 /* set spidx in pcb */
253 #ifdef INET6
254 if (inp->inp_vflag & INP_IPV6PROTO)
255 *error = ipsec6_setspidx_in6pcb(m, inp);
256 else
257 #endif
258 *error = ipsec4_setspidx_inpcb(m, inp);
259 if (*error)
260 return NULL;
261 pcbsp = inp->inp_sp;
262
263 /* sanity check */
264 if (pcbsp == NULL)
265 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
266
267 switch (dir) {
268 case IPSEC_DIR_INBOUND:
269 currsp = pcbsp->sp_in;
270 break;
271 case IPSEC_DIR_OUTBOUND:
272 currsp = pcbsp->sp_out;
273 break;
274 default:
275 panic("ipsec4_getpolicybysock: illegal direction.");
276 }
277
278 /* sanity check */
279 if (currsp == NULL)
280 panic("ipsec4_getpolicybysock: currsp is NULL.");
281
282 /* when privilieged socket */
283 if (pcbsp->priv) {
284 switch (currsp->policy) {
285 case IPSEC_POLICY_BYPASS:
286 currsp->refcnt++;
287 *error = 0;
288 return currsp;
289
290 case IPSEC_POLICY_ENTRUST:
291 /* look for a policy in SPD */
292 kernsp = key_allocsp(&currsp->spidx, dir);
293
294 /* SP found */
295 if (kernsp != NULL) {
296 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
297 printf("DP ipsec4_getpolicybysock called "
298 "to allocate SP:%p\n", kernsp));
299 *error = 0;
300 return kernsp;
301 }
302
303 /* no SP found */
304 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
305 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
306 ipseclog((LOG_INFO,
307 "fixed system default policy: %d->%d\n",
308 ip4_def_policy.policy, IPSEC_POLICY_NONE));
309 ip4_def_policy.policy = IPSEC_POLICY_NONE;
310 }
311 ip4_def_policy.refcnt++;
312 *error = 0;
313 return &ip4_def_policy;
314
315 case IPSEC_POLICY_IPSEC:
316 currsp->refcnt++;
317 *error = 0;
318 return currsp;
319
320 default:
321 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
322 "Invalid policy for PCB %d\n", currsp->policy));
323 *error = EINVAL;
324 return NULL;
325 }
326 /* NOTREACHED */
327 }
328
329 /* when non-privilieged socket */
330 /* look for a policy in SPD */
331 kernsp = key_allocsp(&currsp->spidx, dir);
332
333 /* SP found */
334 if (kernsp != NULL) {
335 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
336 printf("DP ipsec4_getpolicybysock called "
337 "to allocate SP:%p\n", kernsp));
338 *error = 0;
339 return kernsp;
340 }
341
342 /* no SP found */
343 switch (currsp->policy) {
344 case IPSEC_POLICY_BYPASS:
345 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
346 "Illegal policy for non-priviliged defined %d\n",
347 currsp->policy));
348 *error = EINVAL;
349 return NULL;
350
351 case IPSEC_POLICY_ENTRUST:
352 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
353 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
354 ipseclog((LOG_INFO,
355 "fixed system default policy: %d->%d\n",
356 ip4_def_policy.policy, IPSEC_POLICY_NONE));
357 ip4_def_policy.policy = IPSEC_POLICY_NONE;
358 }
359 ip4_def_policy.refcnt++;
360 *error = 0;
361 return &ip4_def_policy;
362
363 case IPSEC_POLICY_IPSEC:
364 currsp->refcnt++;
365 *error = 0;
366 return currsp;
367
368 default:
369 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
370 "Invalid policy for PCB %d\n", currsp->policy));
371 *error = EINVAL;
372 return NULL;
373 }
374 /* NOTREACHED */
375 }
376
377 struct secpolicy *
378 ipsec4_getpolicybysock(m, dir, so, error)
379 struct mbuf *m;
380 u_int dir;
381 struct socket *so;
382 int *error;
383 {
384
385 if (so == NULL)
386 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
387 return (ipsec4_getpolicybypcb(m, dir, sotoinpcb(so), error));
388 }
389
390 /*
391 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
392 * and return a pointer to SP.
393 * OUT: positive: a pointer to the entry for security policy leaf matched.
394 * NULL: no apropreate SP found, the following value is set to error.
395 * 0 : bypass
396 * EACCES : discard packet.
397 * ENOENT : ipsec_acquire() in progress, maybe.
398 * others : error occured.
399 */
400 struct secpolicy *
401 ipsec4_getpolicybyaddr(m, dir, flag, error)
402 struct mbuf *m;
403 u_int dir;
404 int flag;
405 int *error;
406 {
407 struct secpolicy *sp = NULL;
408
409 /* sanity check */
410 if (m == NULL || error == NULL)
411 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
412
413 {
414 struct secpolicyindex spidx;
415
416 bzero(&spidx, sizeof(spidx));
417
418 /* Make an index to look for a policy. */
419 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
420 (flag & IP_FORWARDING) ? 0 : 1);
421
422 if (*error != 0)
423 return NULL;
424
425 sp = key_allocsp(&spidx, dir);
426 }
427
428 /* SP found */
429 if (sp != NULL) {
430 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
431 printf("DP ipsec4_getpolicybyaddr called "
432 "to allocate SP:%p\n", sp));
433 *error = 0;
434 return sp;
435 }
436
437 /* no SP found */
438 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
439 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
440 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
441 ip4_def_policy.policy,
442 IPSEC_POLICY_NONE));
443 ip4_def_policy.policy = IPSEC_POLICY_NONE;
444 }
445 ip4_def_policy.refcnt++;
446 *error = 0;
447 return &ip4_def_policy;
448 }
449
450 #ifdef INET6
451 /*
452 * For OUTBOUND packet having a socket. Searching SPD for packet,
453 * and return a pointer to SP.
454 * OUT: NULL: no apropreate SP found, the following value is set to error.
455 * 0 : bypass
456 * EACCES : discard packet.
457 * ENOENT : ipsec_acquire() in progress, maybe.
458 * others : error occured.
459 * others: a pointer to SP
460 */
461 struct secpolicy *
462 ipsec6_getpolicybypcb(m, dir, inp, error)
463 struct mbuf *m;
464 u_int dir;
465 struct inpcb *inp;
466 int *error;
467 {
468 struct inpcbpolicy *pcbsp = NULL;
469 struct secpolicy *currsp = NULL; /* policy on socket */
470 struct secpolicy *kernsp = NULL; /* policy on kernel */
471
472 /* sanity check */
473 if (m == NULL || inp == NULL || error == NULL)
474 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
475
476 #ifdef DIAGNOSTIC
477 if ((inp->inp_vflag & INP_IPV6PROTO) == 0)
478 panic("ipsec6_getpolicybysock: socket domain != inet6");
479 #endif
480
481 /* set spidx in pcb */
482 ipsec6_setspidx_in6pcb(m, inp);
483 pcbsp = inp->in6p_sp;
484
485 /* sanity check */
486 if (pcbsp == NULL)
487 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
488
489 switch (dir) {
490 case IPSEC_DIR_INBOUND:
491 currsp = pcbsp->sp_in;
492 break;
493 case IPSEC_DIR_OUTBOUND:
494 currsp = pcbsp->sp_out;
495 break;
496 default:
497 panic("ipsec6_getpolicybysock: illegal direction.");
498 }
499
500 /* sanity check */
501 if (currsp == NULL)
502 panic("ipsec6_getpolicybysock: currsp is NULL.");
503
504 /* when privilieged socket */
505 if (pcbsp->priv) {
506 switch (currsp->policy) {
507 case IPSEC_POLICY_BYPASS:
508 currsp->refcnt++;
509 *error = 0;
510 return currsp;
511
512 case IPSEC_POLICY_ENTRUST:
513 /* look for a policy in SPD */
514 kernsp = key_allocsp(&currsp->spidx, dir);
515
516 /* SP found */
517 if (kernsp != NULL) {
518 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
519 printf("DP ipsec6_getpolicybysock called "
520 "to allocate SP:%p\n", kernsp));
521 *error = 0;
522 return kernsp;
523 }
524
525 /* no SP found */
526 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
527 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
528 ipseclog((LOG_INFO,
529 "fixed system default policy: %d->%d\n",
530 ip6_def_policy.policy, IPSEC_POLICY_NONE));
531 ip6_def_policy.policy = IPSEC_POLICY_NONE;
532 }
533 ip6_def_policy.refcnt++;
534 *error = 0;
535 return &ip6_def_policy;
536
537 case IPSEC_POLICY_IPSEC:
538 currsp->refcnt++;
539 *error = 0;
540 return currsp;
541
542 default:
543 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
544 "Invalid policy for PCB %d\n", currsp->policy));
545 *error = EINVAL;
546 return NULL;
547 }
548 /* NOTREACHED */
549 }
550
551 /* when non-privilieged socket */
552 /* look for a policy in SPD */
553 kernsp = key_allocsp(&currsp->spidx, dir);
554
555 /* SP found */
556 if (kernsp != NULL) {
557 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
558 printf("DP ipsec6_getpolicybysock called "
559 "to allocate SP:%p\n", kernsp));
560 *error = 0;
561 return kernsp;
562 }
563
564 /* no SP found */
565 switch (currsp->policy) {
566 case IPSEC_POLICY_BYPASS:
567 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
568 "Illegal policy for non-priviliged defined %d\n",
569 currsp->policy));
570 *error = EINVAL;
571 return NULL;
572
573 case IPSEC_POLICY_ENTRUST:
574 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
575 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
576 ipseclog((LOG_INFO,
577 "fixed system default policy: %d->%d\n",
578 ip6_def_policy.policy, IPSEC_POLICY_NONE));
579 ip6_def_policy.policy = IPSEC_POLICY_NONE;
580 }
581 ip6_def_policy.refcnt++;
582 *error = 0;
583 return &ip6_def_policy;
584
585 case IPSEC_POLICY_IPSEC:
586 currsp->refcnt++;
587 *error = 0;
588 return currsp;
589
590 default:
591 ipseclog((LOG_ERR,
592 "ipsec6_policybysock: Invalid policy for PCB %d\n",
593 currsp->policy));
594 *error = EINVAL;
595 return NULL;
596 }
597 /* NOTREACHED */
598 }
599
600 struct secpolicy *
601 ipsec6_getpolicybysock(m, dir, so, error)
602 struct mbuf *m;
603 u_int dir;
604 struct socket *so;
605 int *error;
606 {
607
608 if (so == NULL)
609 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
610 return (ipsec6_getpolicybypcb(m, dir, sotoin6pcb(so), error));
611 }
612
613 /*
614 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
615 * and return a pointer to SP.
616 * `flag' means that packet is to be forwarded whether or not.
617 * flag = 1: forwad
618 * OUT: positive: a pointer to the entry for security policy leaf matched.
619 * NULL: no apropreate SP found, the following value is set to error.
620 * 0 : bypass
621 * EACCES : discard packet.
622 * ENOENT : ipsec_acquire() in progress, maybe.
623 * others : error occured.
624 */
625 #ifndef IP_FORWARDING
626 #define IP_FORWARDING 1
627 #endif
628
629 struct secpolicy *
630 ipsec6_getpolicybyaddr(m, dir, flag, error)
631 struct mbuf *m;
632 u_int dir;
633 int flag;
634 int *error;
635 {
636 struct secpolicy *sp = NULL;
637
638 /* sanity check */
639 if (m == NULL || error == NULL)
640 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
641
642 {
643 struct secpolicyindex spidx;
644
645 bzero(&spidx, sizeof(spidx));
646
647 /* Make an index to look for a policy. */
648 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
649 (flag & IP_FORWARDING) ? 0 : 1);
650
651 if (*error != 0)
652 return NULL;
653
654 sp = key_allocsp(&spidx, dir);
655 }
656
657 /* SP found */
658 if (sp != NULL) {
659 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
660 printf("DP ipsec6_getpolicybyaddr called "
661 "to allocate SP:%p\n", sp));
662 *error = 0;
663 return sp;
664 }
665
666 /* no SP found */
667 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
668 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
669 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
670 ip6_def_policy.policy, IPSEC_POLICY_NONE));
671 ip6_def_policy.policy = IPSEC_POLICY_NONE;
672 }
673 ip6_def_policy.refcnt++;
674 *error = 0;
675 return &ip6_def_policy;
676 }
677 #endif /* INET6 */
678
679 /*
680 * set IP address into spidx from mbuf.
681 * When Forwarding packet and ICMP echo reply, this function is used.
682 *
683 * IN: get the followings from mbuf.
684 * protocol family, src, dst, next protocol
685 * OUT:
686 * 0: success.
687 * other: failure, and set errno.
688 */
689 int
690 ipsec_setspidx_mbuf(spidx, dir, family, m, needport)
691 struct secpolicyindex *spidx;
692 u_int dir, family;
693 struct mbuf *m;
694 int needport;
695 {
696 int error;
697
698 /* sanity check */
699 if (spidx == NULL || m == NULL)
700 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
701
702 bzero(spidx, sizeof(*spidx));
703
704 error = ipsec_setspidx(m, spidx, needport);
705 if (error)
706 goto bad;
707 spidx->dir = dir;
708
709 return 0;
710
711 bad:
712 /* XXX initialize */
713 bzero(spidx, sizeof(*spidx));
714 return EINVAL;
715 }
716
717 static int
718 ipsec4_setspidx_inpcb(m, pcb)
719 struct mbuf *m;
720 struct inpcb *pcb;
721 {
722 struct secpolicyindex *spidx;
723 int error;
724
725 /* sanity check */
726 if (pcb == NULL)
727 panic("ipsec4_setspidx_inpcb: no PCB found.");
728 if (pcb->inp_sp == NULL)
729 panic("ipsec4_setspidx_inpcb: no inp_sp found.");
730 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL)
731 panic("ipsec4_setspidx_inpcb: no sp_in/out found.");
732
733 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
734 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
735
736 spidx = &pcb->inp_sp->sp_in->spidx;
737 error = ipsec_setspidx(m, spidx, 1);
738 if (error)
739 goto bad;
740 spidx->dir = IPSEC_DIR_INBOUND;
741
742 spidx = &pcb->inp_sp->sp_out->spidx;
743 error = ipsec_setspidx(m, spidx, 1);
744 if (error)
745 goto bad;
746 spidx->dir = IPSEC_DIR_OUTBOUND;
747
748 return 0;
749
750 bad:
751 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
752 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
753 return error;
754 }
755
756 #ifdef INET6
757 static int
758 ipsec6_setspidx_in6pcb(m, pcb)
759 struct mbuf *m;
760 struct in6pcb *pcb;
761 {
762 struct secpolicyindex *spidx;
763 int error;
764
765 /* sanity check */
766 if (pcb == NULL)
767 panic("ipsec6_setspidx_in6pcb: no PCB found.");
768 if (pcb->in6p_sp == NULL)
769 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.");
770 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL)
771 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.");
772
773 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
774 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
775
776 spidx = &pcb->in6p_sp->sp_in->spidx;
777 error = ipsec_setspidx(m, spidx, 1);
778 if (error)
779 goto bad;
780 spidx->dir = IPSEC_DIR_INBOUND;
781
782 spidx = &pcb->in6p_sp->sp_out->spidx;
783 error = ipsec_setspidx(m, spidx, 1);
784 if (error)
785 goto bad;
786 spidx->dir = IPSEC_DIR_OUTBOUND;
787
788 return 0;
789
790 bad:
791 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
792 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
793 return error;
794 }
795 #endif
796
797 /*
798 * configure security policy index (src/dst/proto/sport/dport)
799 * by looking at the content of mbuf.
800 * the caller is responsible for error recovery (like clearing up spidx).
801 */
802 static int
803 ipsec_setspidx(m, spidx, needport)
804 struct mbuf *m;
805 struct secpolicyindex *spidx;
806 int needport;
807 {
808 struct ip *ip = NULL;
809 struct ip ipbuf;
810 u_int v;
811 struct mbuf *n;
812 int len;
813 int error;
814
815 if (m == NULL)
816 panic("ipsec_setspidx: m == 0 passed.");
817
818 /*
819 * validate m->m_pkthdr.len. we see incorrect length if we
820 * mistakenly call this function with inconsistent mbuf chain
821 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
822 */
823 len = 0;
824 for (n = m; n; n = n->m_next)
825 len += n->m_len;
826 if (m->m_pkthdr.len != len) {
827 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
828 printf("ipsec_setspidx: "
829 "total of m_len(%d) != pkthdr.len(%d), "
830 "ignored.\n",
831 len, m->m_pkthdr.len));
832 return EINVAL;
833 }
834
835 if (m->m_pkthdr.len < sizeof(struct ip)) {
836 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
837 printf("ipsec_setspidx: "
838 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
839 m->m_pkthdr.len));
840 return EINVAL;
841 }
842
843 if (m->m_len >= sizeof(*ip))
844 ip = mtod(m, struct ip *);
845 else {
846 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
847 ip = &ipbuf;
848 }
849 #ifdef _IP_VHL
850 v = _IP_VHL_V(ip->ip_vhl);
851 #else
852 v = ip->ip_v;
853 #endif
854 switch (v) {
855 case 4:
856 error = ipsec4_setspidx_ipaddr(m, spidx);
857 if (error)
858 return error;
859 ipsec4_get_ulp(m, spidx, needport);
860 return 0;
861 #ifdef INET6
862 case 6:
863 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
864 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
865 printf("ipsec_setspidx: "
866 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
867 "ignored.\n", m->m_pkthdr.len));
868 return EINVAL;
869 }
870 error = ipsec6_setspidx_ipaddr(m, spidx);
871 if (error)
872 return error;
873 ipsec6_get_ulp(m, spidx, needport);
874 return 0;
875 #endif
876 default:
877 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
878 printf("ipsec_setspidx: "
879 "unknown IP version %u, ignored.\n", v));
880 return EINVAL;
881 }
882 }
883
884 static void
885 ipsec4_get_ulp(m, spidx, needport)
886 struct mbuf *m;
887 struct secpolicyindex *spidx;
888 int needport;
889 {
890 struct ip ip;
891 struct ip6_ext ip6e;
892 u_int8_t nxt;
893 int off;
894 struct tcphdr th;
895 struct udphdr uh;
896
897 /* sanity check */
898 if (m == NULL)
899 panic("ipsec4_get_ulp: NULL pointer was passed.");
900 if (m->m_pkthdr.len < sizeof(ip))
901 panic("ipsec4_get_ulp: too short");
902
903 /* set default */
904 spidx->ul_proto = IPSEC_ULPROTO_ANY;
905 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
906 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
907
908 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
909 /* ip_input() flips it into host endian XXX need more checking */
910 if (ip.ip_off & (IP_MF | IP_OFFMASK))
911 return;
912
913 nxt = ip.ip_p;
914 #ifdef _IP_VHL
915 off = _IP_VHL_HL(ip->ip_vhl) << 2;
916 #else
917 off = ip.ip_hl << 2;
918 #endif
919 while (off < m->m_pkthdr.len) {
920 switch (nxt) {
921 case IPPROTO_TCP:
922 spidx->ul_proto = nxt;
923 if (!needport)
924 return;
925 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
926 return;
927 m_copydata(m, off, sizeof(th), (caddr_t)&th);
928 ((struct sockaddr_in *)&spidx->src)->sin_port =
929 th.th_sport;
930 ((struct sockaddr_in *)&spidx->dst)->sin_port =
931 th.th_dport;
932 return;
933 case IPPROTO_UDP:
934 spidx->ul_proto = nxt;
935 if (!needport)
936 return;
937 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
938 return;
939 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
940 ((struct sockaddr_in *)&spidx->src)->sin_port =
941 uh.uh_sport;
942 ((struct sockaddr_in *)&spidx->dst)->sin_port =
943 uh.uh_dport;
944 return;
945 case IPPROTO_AH:
946 if (m->m_pkthdr.len > off + sizeof(ip6e))
947 return;
948 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
949 off += (ip6e.ip6e_len + 2) << 2;
950 nxt = ip6e.ip6e_nxt;
951 break;
952 case IPPROTO_ICMP:
953 default:
954 /* XXX intermediate headers??? */
955 spidx->ul_proto = nxt;
956 return;
957 }
958 }
959 }
960
961 /* assumes that m is sane */
962 static int
963 ipsec4_setspidx_ipaddr(m, spidx)
964 struct mbuf *m;
965 struct secpolicyindex *spidx;
966 {
967 struct ip *ip = NULL;
968 struct ip ipbuf;
969 struct sockaddr_in *sin;
970
971 if (m->m_len >= sizeof(*ip))
972 ip = mtod(m, struct ip *);
973 else {
974 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
975 ip = &ipbuf;
976 }
977
978 sin = (struct sockaddr_in *)&spidx->src;
979 bzero(sin, sizeof(*sin));
980 sin->sin_family = AF_INET;
981 sin->sin_len = sizeof(struct sockaddr_in);
982 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
983 spidx->prefs = sizeof(struct in_addr) << 3;
984
985 sin = (struct sockaddr_in *)&spidx->dst;
986 bzero(sin, sizeof(*sin));
987 sin->sin_family = AF_INET;
988 sin->sin_len = sizeof(struct sockaddr_in);
989 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
990 spidx->prefd = sizeof(struct in_addr) << 3;
991 return 0;
992 }
993
994 #ifdef INET6
995 static void
996 ipsec6_get_ulp(m, spidx, needport)
997 struct mbuf *m;
998 struct secpolicyindex *spidx;
999 int needport;
1000 {
1001 int off, nxt;
1002 struct tcphdr th;
1003 struct udphdr uh;
1004
1005 /* sanity check */
1006 if (m == NULL)
1007 panic("ipsec6_get_ulp: NULL pointer was passed.");
1008
1009 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1010 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1011
1012 /* set default */
1013 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1014 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1015 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1016
1017 nxt = -1;
1018 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1019 if (off < 0 || m->m_pkthdr.len < off)
1020 return;
1021
1022 switch (nxt) {
1023 case IPPROTO_TCP:
1024 spidx->ul_proto = nxt;
1025 if (!needport)
1026 break;
1027 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1028 break;
1029 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1030 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1031 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1032 break;
1033 case IPPROTO_UDP:
1034 spidx->ul_proto = nxt;
1035 if (!needport)
1036 break;
1037 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1038 break;
1039 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1040 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1041 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1042 break;
1043 case IPPROTO_ICMPV6:
1044 default:
1045 /* XXX intermediate headers??? */
1046 spidx->ul_proto = nxt;
1047 break;
1048 }
1049 }
1050
1051 /* assumes that m is sane */
1052 static int
1053 ipsec6_setspidx_ipaddr(m, spidx)
1054 struct mbuf *m;
1055 struct secpolicyindex *spidx;
1056 {
1057 struct ip6_hdr *ip6 = NULL;
1058 struct ip6_hdr ip6buf;
1059 struct sockaddr_in6 *sin6;
1060
1061 if (m->m_len >= sizeof(*ip6))
1062 ip6 = mtod(m, struct ip6_hdr *);
1063 else {
1064 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1065 ip6 = &ip6buf;
1066 }
1067
1068 sin6 = (struct sockaddr_in6 *)&spidx->src;
1069 bzero(sin6, sizeof(*sin6));
1070 sin6->sin6_family = AF_INET6;
1071 sin6->sin6_len = sizeof(struct sockaddr_in6);
1072 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
1073 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1074 sin6->sin6_addr.s6_addr16[1] = 0;
1075 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1076 }
1077 spidx->prefs = sizeof(struct in6_addr) << 3;
1078
1079 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1080 bzero(sin6, sizeof(*sin6));
1081 sin6->sin6_family = AF_INET6;
1082 sin6->sin6_len = sizeof(struct sockaddr_in6);
1083 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
1084 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1085 sin6->sin6_addr.s6_addr16[1] = 0;
1086 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1087 }
1088 spidx->prefd = sizeof(struct in6_addr) << 3;
1089
1090 return 0;
1091 }
1092 #endif
1093
1094 static struct inpcbpolicy *
1095 ipsec_newpcbpolicy()
1096 {
1097 struct inpcbpolicy *p;
1098
1099 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
1100 return p;
1101 }
1102
1103 static void
1104 ipsec_delpcbpolicy(p)
1105 struct inpcbpolicy *p;
1106 {
1107 free(p, M_SECA);
1108 }
1109
1110 /* initialize policy in PCB */
1111 int
1112 ipsec_init_policy(so, pcb_sp)
1113 struct socket *so;
1114 struct inpcbpolicy **pcb_sp;
1115 {
1116 struct inpcbpolicy *new;
1117
1118 /* sanity check. */
1119 if (so == NULL || pcb_sp == NULL)
1120 panic("ipsec_init_policy: NULL pointer was passed.");
1121
1122 new = ipsec_newpcbpolicy();
1123 if (new == NULL) {
1124 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1125 return ENOBUFS;
1126 }
1127 bzero(new, sizeof(*new));
1128
1129 if (so->so_cred != 0 && so->so_cred->cr_uid == 0)
1130 new->priv = 1;
1131 else
1132 new->priv = 0;
1133
1134 if ((new->sp_in = key_newsp()) == NULL) {
1135 ipsec_delpcbpolicy(new);
1136 return ENOBUFS;
1137 }
1138 new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1139 new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1140
1141 if ((new->sp_out = key_newsp()) == NULL) {
1142 key_freesp(new->sp_in);
1143 ipsec_delpcbpolicy(new);
1144 return ENOBUFS;
1145 }
1146 new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1147 new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1148
1149 *pcb_sp = new;
1150
1151 return 0;
1152 }
1153
1154 /* copy old ipsec policy into new */
1155 int
1156 ipsec_copy_policy(old, new)
1157 struct inpcbpolicy *old, *new;
1158 {
1159 struct secpolicy *sp;
1160
1161 sp = ipsec_deepcopy_policy(old->sp_in);
1162 if (sp) {
1163 key_freesp(new->sp_in);
1164 new->sp_in = sp;
1165 } else
1166 return ENOBUFS;
1167
1168 sp = ipsec_deepcopy_policy(old->sp_out);
1169 if (sp) {
1170 key_freesp(new->sp_out);
1171 new->sp_out = sp;
1172 } else
1173 return ENOBUFS;
1174
1175 new->priv = old->priv;
1176
1177 return 0;
1178 }
1179
1180 /* deep-copy a policy in PCB */
1181 static struct secpolicy *
1182 ipsec_deepcopy_policy(src)
1183 struct secpolicy *src;
1184 {
1185 struct ipsecrequest *newchain = NULL;
1186 struct ipsecrequest *p;
1187 struct ipsecrequest **q;
1188 struct ipsecrequest *r;
1189 struct secpolicy *dst;
1190
1191 dst = key_newsp();
1192 if (src == NULL || dst == NULL)
1193 return NULL;
1194
1195 /*
1196 * deep-copy IPsec request chain. This is required since struct
1197 * ipsecrequest is not reference counted.
1198 */
1199 q = &newchain;
1200 for (p = src->req; p; p = p->next) {
1201 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
1202 M_SECA, M_NOWAIT);
1203 if (*q == NULL)
1204 goto fail;
1205 bzero(*q, sizeof(**q));
1206 (*q)->next = NULL;
1207
1208 (*q)->saidx.proto = p->saidx.proto;
1209 (*q)->saidx.mode = p->saidx.mode;
1210 (*q)->level = p->level;
1211 (*q)->saidx.reqid = p->saidx.reqid;
1212
1213 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1214 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1215
1216 (*q)->sav = NULL;
1217 (*q)->sp = dst;
1218
1219 q = &((*q)->next);
1220 }
1221
1222 dst->req = newchain;
1223 dst->state = src->state;
1224 dst->policy = src->policy;
1225 /* do not touch the refcnt fields */
1226
1227 return dst;
1228
1229 fail:
1230 for (p = newchain; p; p = r) {
1231 r = p->next;
1232 free(p, M_SECA);
1233 p = NULL;
1234 }
1235 return NULL;
1236 }
1237
1238 /* set policy and ipsec request if present. */
1239 static int
1240 ipsec_set_policy(pcb_sp, optname, request, len, priv)
1241 struct secpolicy **pcb_sp;
1242 int optname;
1243 caddr_t request;
1244 size_t len;
1245 int priv;
1246 {
1247 struct sadb_x_policy *xpl;
1248 struct secpolicy *newsp = NULL;
1249 int error;
1250
1251 /* sanity check. */
1252 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL)
1253 return EINVAL;
1254 if (len < sizeof(*xpl))
1255 return EINVAL;
1256 xpl = (struct sadb_x_policy *)request;
1257
1258 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1259 printf("ipsec_set_policy: passed policy\n");
1260 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1261
1262 /* check policy type */
1263 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1264 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1265 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1266 return EINVAL;
1267
1268 /* check privileged socket */
1269 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1270 return EACCES;
1271
1272 /* allocation new SP entry */
1273 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1274 return error;
1275
1276 newsp->state = IPSEC_SPSTATE_ALIVE;
1277
1278 /* clear old SP and set new SP */
1279 key_freesp(*pcb_sp);
1280 *pcb_sp = newsp;
1281 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1282 printf("ipsec_set_policy: new policy\n");
1283 kdebug_secpolicy(newsp));
1284
1285 return 0;
1286 }
1287
1288 static int
1289 ipsec_get_policy(pcb_sp, mp)
1290 struct secpolicy *pcb_sp;
1291 struct mbuf **mp;
1292 {
1293
1294 /* sanity check. */
1295 if (pcb_sp == NULL || mp == NULL)
1296 return EINVAL;
1297
1298 *mp = key_sp2msg(pcb_sp);
1299 if (!*mp) {
1300 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1301 return ENOBUFS;
1302 }
1303
1304 (*mp)->m_type = MT_DATA;
1305 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1306 printf("ipsec_get_policy:\n");
1307 kdebug_mbuf(*mp));
1308
1309 return 0;
1310 }
1311
1312 int
1313 ipsec4_set_policy(inp, optname, request, len, priv)
1314 struct inpcb *inp;
1315 int optname;
1316 caddr_t request;
1317 size_t len;
1318 int priv;
1319 {
1320 struct sadb_x_policy *xpl;
1321 struct secpolicy **pcb_sp;
1322
1323 /* sanity check. */
1324 if (inp == NULL || request == NULL)
1325 return EINVAL;
1326 if (len < sizeof(*xpl))
1327 return EINVAL;
1328 xpl = (struct sadb_x_policy *)request;
1329
1330 /* select direction */
1331 switch (xpl->sadb_x_policy_dir) {
1332 case IPSEC_DIR_INBOUND:
1333 pcb_sp = &inp->inp_sp->sp_in;
1334 break;
1335 case IPSEC_DIR_OUTBOUND:
1336 pcb_sp = &inp->inp_sp->sp_out;
1337 break;
1338 default:
1339 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1340 xpl->sadb_x_policy_dir));
1341 return EINVAL;
1342 }
1343
1344 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1345 }
1346
1347 int
1348 ipsec4_get_policy(inp, request, len, mp)
1349 struct inpcb *inp;
1350 caddr_t request;
1351 size_t len;
1352 struct mbuf **mp;
1353 {
1354 struct sadb_x_policy *xpl;
1355 struct secpolicy *pcb_sp;
1356
1357 /* sanity check. */
1358 if (inp == NULL || request == NULL || mp == NULL)
1359 return EINVAL;
1360 if (inp->inp_sp == NULL)
1361 panic("policy in PCB is NULL");
1362 if (len < sizeof(*xpl))
1363 return EINVAL;
1364 xpl = (struct sadb_x_policy *)request;
1365
1366 /* select direction */
1367 switch (xpl->sadb_x_policy_dir) {
1368 case IPSEC_DIR_INBOUND:
1369 pcb_sp = inp->inp_sp->sp_in;
1370 break;
1371 case IPSEC_DIR_OUTBOUND:
1372 pcb_sp = inp->inp_sp->sp_out;
1373 break;
1374 default:
1375 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1376 xpl->sadb_x_policy_dir));
1377 return EINVAL;
1378 }
1379
1380 return ipsec_get_policy(pcb_sp, mp);
1381 }
1382
1383 /* delete policy in PCB */
1384 int
1385 ipsec4_delete_pcbpolicy(inp)
1386 struct inpcb *inp;
1387 {
1388 /* sanity check. */
1389 if (inp == NULL)
1390 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1391
1392 if (inp->inp_sp == NULL)
1393 return 0;
1394
1395 if (inp->inp_sp->sp_in != NULL) {
1396 key_freesp(inp->inp_sp->sp_in);
1397 inp->inp_sp->sp_in = NULL;
1398 }
1399
1400 if (inp->inp_sp->sp_out != NULL) {
1401 key_freesp(inp->inp_sp->sp_out);
1402 inp->inp_sp->sp_out = NULL;
1403 }
1404
1405 ipsec_delpcbpolicy(inp->inp_sp);
1406 inp->inp_sp = NULL;
1407
1408 return 0;
1409 }
1410
1411 #ifdef INET6
1412 int
1413 ipsec6_set_policy(in6p, optname, request, len, priv)
1414 struct in6pcb *in6p;
1415 int optname;
1416 caddr_t request;
1417 size_t len;
1418 int priv;
1419 {
1420 struct sadb_x_policy *xpl;
1421 struct secpolicy **pcb_sp;
1422
1423 /* sanity check. */
1424 if (in6p == NULL || request == NULL)
1425 return EINVAL;
1426 if (len < sizeof(*xpl))
1427 return EINVAL;
1428 xpl = (struct sadb_x_policy *)request;
1429
1430 /* select direction */
1431 switch (xpl->sadb_x_policy_dir) {
1432 case IPSEC_DIR_INBOUND:
1433 pcb_sp = &in6p->in6p_sp->sp_in;
1434 break;
1435 case IPSEC_DIR_OUTBOUND:
1436 pcb_sp = &in6p->in6p_sp->sp_out;
1437 break;
1438 default:
1439 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1440 xpl->sadb_x_policy_dir));
1441 return EINVAL;
1442 }
1443
1444 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1445 }
1446
1447 int
1448 ipsec6_get_policy(in6p, request, len, mp)
1449 struct in6pcb *in6p;
1450 caddr_t request;
1451 size_t len;
1452 struct mbuf **mp;
1453 {
1454 struct sadb_x_policy *xpl;
1455 struct secpolicy *pcb_sp;
1456
1457 /* sanity check. */
1458 if (in6p == NULL || request == NULL || mp == NULL)
1459 return EINVAL;
1460 if (in6p->in6p_sp == NULL)
1461 panic("policy in PCB is NULL");
1462 if (len < sizeof(*xpl))
1463 return EINVAL;
1464 xpl = (struct sadb_x_policy *)request;
1465
1466 /* select direction */
1467 switch (xpl->sadb_x_policy_dir) {
1468 case IPSEC_DIR_INBOUND:
1469 pcb_sp = in6p->in6p_sp->sp_in;
1470 break;
1471 case IPSEC_DIR_OUTBOUND:
1472 pcb_sp = in6p->in6p_sp->sp_out;
1473 break;
1474 default:
1475 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1476 xpl->sadb_x_policy_dir));
1477 return EINVAL;
1478 }
1479
1480 return ipsec_get_policy(pcb_sp, mp);
1481 }
1482
1483 int
1484 ipsec6_delete_pcbpolicy(in6p)
1485 struct in6pcb *in6p;
1486 {
1487 /* sanity check. */
1488 if (in6p == NULL)
1489 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1490
1491 if (in6p->in6p_sp == NULL)
1492 return 0;
1493
1494 if (in6p->in6p_sp->sp_in != NULL) {
1495 key_freesp(in6p->in6p_sp->sp_in);
1496 in6p->in6p_sp->sp_in = NULL;
1497 }
1498
1499 if (in6p->in6p_sp->sp_out != NULL) {
1500 key_freesp(in6p->in6p_sp->sp_out);
1501 in6p->in6p_sp->sp_out = NULL;
1502 }
1503
1504 ipsec_delpcbpolicy(in6p->in6p_sp);
1505 in6p->in6p_sp = NULL;
1506
1507 return 0;
1508 }
1509 #endif
1510
1511 /*
1512 * return current level.
1513 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1514 */
1515 u_int
1516 ipsec_get_reqlevel(isr)
1517 struct ipsecrequest *isr;
1518 {
1519 u_int level = 0;
1520 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1521
1522 /* sanity check */
1523 if (isr == NULL || isr->sp == NULL)
1524 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1525 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1526 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family)
1527 panic("ipsec_get_reqlevel: family mismatched.");
1528
1529 /* XXX note that we have ipseclog() expanded here - code sync issue */
1530 #define IPSEC_CHECK_DEFAULT(lev) \
1531 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1532 && (lev) != IPSEC_LEVEL_UNIQUE) \
1533 ? (ipsec_debug \
1534 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1535 (lev), IPSEC_LEVEL_REQUIRE) \
1536 : 0), \
1537 (lev) = IPSEC_LEVEL_REQUIRE, \
1538 (lev) \
1539 : (lev))
1540
1541 /* set default level */
1542 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1543 #ifdef INET
1544 case AF_INET:
1545 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1546 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1547 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1548 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1549 break;
1550 #endif
1551 #ifdef INET6
1552 case AF_INET6:
1553 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1554 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1555 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1556 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1557 break;
1558 #endif /* INET6 */
1559 default:
1560 panic("key_get_reqlevel: Unknown family. %d",
1561 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1562 }
1563
1564 #undef IPSEC_CHECK_DEFAULT
1565
1566 /* set level */
1567 switch (isr->level) {
1568 case IPSEC_LEVEL_DEFAULT:
1569 switch (isr->saidx.proto) {
1570 case IPPROTO_ESP:
1571 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1572 level = esp_net_deflev;
1573 else
1574 level = esp_trans_deflev;
1575 break;
1576 case IPPROTO_AH:
1577 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1578 level = ah_net_deflev;
1579 else
1580 level = ah_trans_deflev;
1581 case IPPROTO_IPCOMP:
1582 /*
1583 * we don't really care, as IPcomp document says that
1584 * we shouldn't compress small packets
1585 */
1586 level = IPSEC_LEVEL_USE;
1587 break;
1588 default:
1589 panic("ipsec_get_reqlevel: "
1590 "Illegal protocol defined %u",
1591 isr->saidx.proto);
1592 }
1593 break;
1594
1595 case IPSEC_LEVEL_USE:
1596 case IPSEC_LEVEL_REQUIRE:
1597 level = isr->level;
1598 break;
1599 case IPSEC_LEVEL_UNIQUE:
1600 level = IPSEC_LEVEL_REQUIRE;
1601 break;
1602
1603 default:
1604 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1605 isr->level);
1606 }
1607
1608 return level;
1609 }
1610
1611 /*
1612 * Check AH/ESP integrity.
1613 * OUT:
1614 * 0: valid
1615 * 1: invalid
1616 */
1617 static int
1618 ipsec_in_reject(sp, m)
1619 struct secpolicy *sp;
1620 struct mbuf *m;
1621 {
1622 struct ipsecrequest *isr;
1623 u_int level;
1624 int need_auth, need_conf, need_icv;
1625
1626 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1627 printf("ipsec_in_reject: using SP\n");
1628 kdebug_secpolicy(sp));
1629
1630 /* check policy */
1631 switch (sp->policy) {
1632 case IPSEC_POLICY_DISCARD:
1633 return 1;
1634 case IPSEC_POLICY_BYPASS:
1635 case IPSEC_POLICY_NONE:
1636 return 0;
1637
1638 case IPSEC_POLICY_IPSEC:
1639 break;
1640
1641 case IPSEC_POLICY_ENTRUST:
1642 default:
1643 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1644 }
1645
1646 need_auth = 0;
1647 need_conf = 0;
1648 need_icv = 0;
1649
1650 /* XXX should compare policy against ipsec header history */
1651
1652 for (isr = sp->req; isr != NULL; isr = isr->next) {
1653
1654 /* get current level */
1655 level = ipsec_get_reqlevel(isr);
1656
1657 switch (isr->saidx.proto) {
1658 case IPPROTO_ESP:
1659 if (level == IPSEC_LEVEL_REQUIRE) {
1660 need_conf++;
1661
1662 if (isr->sav != NULL
1663 && isr->sav->flags == SADB_X_EXT_NONE
1664 && isr->sav->alg_auth != SADB_AALG_NONE)
1665 need_icv++;
1666 }
1667 break;
1668 case IPPROTO_AH:
1669 if (level == IPSEC_LEVEL_REQUIRE) {
1670 need_auth++;
1671 need_icv++;
1672 }
1673 break;
1674 case IPPROTO_IPCOMP:
1675 /*
1676 * we don't really care, as IPcomp document says that
1677 * we shouldn't compress small packets, IPComp policy
1678 * should always be treated as being in "use" level.
1679 */
1680 break;
1681 }
1682 }
1683
1684 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1685 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1686 need_auth, need_conf, need_icv, m->m_flags));
1687
1688 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1689 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1690 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1691 return 1;
1692
1693 return 0;
1694 }
1695
1696 /*
1697 * Check AH/ESP integrity.
1698 * This function is called from tcp_input(), udp_input(),
1699 * and {ah,esp}4_input for tunnel mode
1700 */
1701 int
1702 ipsec4_in_reject(m, inp)
1703 struct mbuf *m;
1704 struct inpcb *inp;
1705 {
1706 struct secpolicy *sp = NULL;
1707 int error;
1708 int result;
1709
1710 /* sanity check */
1711 if (m == NULL)
1712 return 0; /* XXX should be panic ? */
1713
1714 /* get SP for this packet.
1715 * When we are called from ip_forward(), we call
1716 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1717 */
1718 if (inp == NULL)
1719 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1720 else
1721 sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error);
1722
1723 if (sp == NULL)
1724 return 0; /* XXX should be panic ?
1725 * -> No, there may be error. */
1726
1727 result = ipsec_in_reject(sp, m);
1728 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1729 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1730 key_freesp(sp);
1731
1732 return result;
1733 }
1734
1735 int
1736 ipsec4_in_reject_so(m, so)
1737 struct mbuf *m;
1738 struct socket *so;
1739 {
1740 if (so == NULL)
1741 return ipsec4_in_reject(m, NULL);
1742 return ipsec4_in_reject(m, sotoinpcb(so));
1743 }
1744
1745
1746 #ifdef INET6
1747 /*
1748 * Check AH/ESP integrity.
1749 * This function is called from tcp6_input(), udp6_input(),
1750 * and {ah,esp}6_input for tunnel mode
1751 */
1752 int
1753 ipsec6_in_reject(m, in6p)
1754 struct mbuf *m;
1755 struct in6pcb *in6p;
1756 {
1757 struct secpolicy *sp = NULL;
1758 int error;
1759 int result;
1760
1761 /* sanity check */
1762 if (m == NULL)
1763 return 0; /* XXX should be panic ? */
1764
1765 /* get SP for this packet.
1766 * When we are called from ip_forward(), we call
1767 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1768 */
1769 if (in6p == NULL)
1770 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1771 else
1772 sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error);
1773
1774 if (sp == NULL)
1775 return 0; /* XXX should be panic ? */
1776
1777 result = ipsec_in_reject(sp, m);
1778 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1779 printf("DP ipsec6_in_reject call free SP:%p\n", sp));
1780 key_freesp(sp);
1781
1782 return result;
1783 }
1784
1785 int
1786 ipsec6_in_reject_so(m, so)
1787 struct mbuf *m;
1788 struct socket *so;
1789 {
1790 if (so == NULL)
1791 return ipsec6_in_reject(m, NULL);
1792 return ipsec6_in_reject(m, sotoin6pcb(so));
1793 }
1794 #endif
1795
1796 /*
1797 * compute the byte size to be occupied by IPsec header.
1798 * in case it is tunneled, it includes the size of outer IP header.
1799 * NOTE: SP passed is free in this function.
1800 */
1801 static size_t
1802 ipsec_hdrsiz(sp)
1803 struct secpolicy *sp;
1804 {
1805 struct ipsecrequest *isr;
1806 size_t siz, clen;
1807
1808 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1809 printf("ipsec_hdrsiz: using SP\n");
1810 kdebug_secpolicy(sp));
1811
1812 /* check policy */
1813 switch (sp->policy) {
1814 case IPSEC_POLICY_DISCARD:
1815 case IPSEC_POLICY_BYPASS:
1816 case IPSEC_POLICY_NONE:
1817 return 0;
1818
1819 case IPSEC_POLICY_IPSEC:
1820 break;
1821
1822 case IPSEC_POLICY_ENTRUST:
1823 default:
1824 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1825 }
1826
1827 siz = 0;
1828
1829 for (isr = sp->req; isr != NULL; isr = isr->next) {
1830
1831 clen = 0;
1832
1833 switch (isr->saidx.proto) {
1834 case IPPROTO_ESP:
1835 #ifdef IPSEC_ESP
1836 clen = esp_hdrsiz(isr);
1837 #else
1838 clen = 0; /* XXX */
1839 #endif
1840 break;
1841 case IPPROTO_AH:
1842 clen = ah_hdrsiz(isr);
1843 break;
1844 case IPPROTO_IPCOMP:
1845 clen = sizeof(struct ipcomp);
1846 break;
1847 }
1848
1849 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1850 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1851 case AF_INET:
1852 clen += sizeof(struct ip);
1853 break;
1854 #ifdef INET6
1855 case AF_INET6:
1856 clen += sizeof(struct ip6_hdr);
1857 break;
1858 #endif
1859 default:
1860 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1861 "unknown AF %d in IPsec tunnel SA\n",
1862 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1863 break;
1864 }
1865 }
1866 siz += clen;
1867 }
1868
1869 return siz;
1870 }
1871
1872 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1873 size_t
1874 ipsec4_hdrsiz(m, dir, inp)
1875 struct mbuf *m;
1876 u_int dir;
1877 struct inpcb *inp;
1878 {
1879 struct secpolicy *sp = NULL;
1880 int error;
1881 size_t size;
1882
1883 /* sanity check */
1884 if (m == NULL)
1885 return 0; /* XXX should be panic ? */
1886 #if 0
1887 /* this is possible in TIME_WAIT state */
1888 if (inp != NULL && inp->inp_socket == NULL)
1889 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1890 #endif
1891
1892 /* get SP for this packet.
1893 * When we are called from ip_forward(), we call
1894 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1895 */
1896 if (inp == NULL)
1897 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1898 else
1899 sp = ipsec4_getpolicybypcb(m, dir, inp, &error);
1900
1901 if (sp == NULL)
1902 return 0; /* XXX should be panic ? */
1903
1904 size = ipsec_hdrsiz(sp);
1905 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1906 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
1907 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1908 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
1909 key_freesp(sp);
1910
1911 return size;
1912 }
1913
1914 #ifdef INET6
1915 /* This function is called from ipsec6_hdrsize_tcp(),
1916 * and maybe from ip6_forward.()
1917 */
1918 size_t
1919 ipsec6_hdrsiz(m, dir, in6p)
1920 struct mbuf *m;
1921 u_int dir;
1922 struct in6pcb *in6p;
1923 {
1924 struct secpolicy *sp = NULL;
1925 int error;
1926 size_t size;
1927
1928 /* sanity check */
1929 if (m == NULL)
1930 return 0; /* XXX shoud be panic ? */
1931 #if 0
1932 /* this is possible in TIME_WAIT state */
1933 if (in6p != NULL && in6p->in6p_socket == NULL)
1934 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
1935 #endif
1936
1937 /* get SP for this packet */
1938 /* XXX Is it right to call with IP_FORWARDING. */
1939 if (in6p == NULL)
1940 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1941 else
1942 sp = ipsec6_getpolicybypcb(m, dir, in6p, &error);
1943
1944 if (sp == NULL)
1945 return 0;
1946 size = ipsec_hdrsiz(sp);
1947 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1948 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
1949 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1950 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
1951 key_freesp(sp);
1952
1953 return size;
1954 }
1955 #endif /* INET6 */
1956
1957 #ifdef INET
1958 /*
1959 * encapsulate for ipsec tunnel.
1960 * ip->ip_src must be fixed later on.
1961 */
1962 static int
1963 ipsec4_encapsulate(m, sav)
1964 struct mbuf *m;
1965 struct secasvar *sav;
1966 {
1967 struct ip *oip;
1968 struct ip *ip;
1969 size_t hlen;
1970 size_t plen;
1971
1972 /* can't tunnel between different AFs */
1973 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
1974 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
1975 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
1976 m_freem(m);
1977 return EINVAL;
1978 }
1979 #if 0
1980 /* XXX if the dst is myself, perform nothing. */
1981 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
1982 m_freem(m);
1983 return EINVAL;
1984 }
1985 #endif
1986
1987 if (m->m_len < sizeof(*ip))
1988 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1989
1990 ip = mtod(m, struct ip *);
1991 #ifdef _IP_VHL
1992 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
1993 #else
1994 hlen = ip->ip_hl << 2;
1995 #endif
1996
1997 if (m->m_len != hlen)
1998 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1999
2000 /* generate header checksum */
2001 ip->ip_sum = 0;
2002 #ifdef _IP_VHL
2003 if (ip->ip_vhl == IP_VHL_BORING)
2004 ip->ip_sum = in_cksum_hdr(ip);
2005 else
2006 ip->ip_sum = in_cksum(m, hlen);
2007 #else
2008 ip->ip_sum = in_cksum(m, hlen);
2009 #endif
2010
2011 plen = m->m_pkthdr.len;
2012
2013 /*
2014 * grow the mbuf to accomodate the new IPv4 header.
2015 * NOTE: IPv4 options will never be copied.
2016 */
2017 if (M_LEADINGSPACE(m->m_next) < hlen) {
2018 struct mbuf *n;
2019 MGET(n, M_DONTWAIT, MT_DATA);
2020 if (!n) {
2021 m_freem(m);
2022 return ENOBUFS;
2023 }
2024 n->m_len = hlen;
2025 n->m_next = m->m_next;
2026 m->m_next = n;
2027 m->m_pkthdr.len += hlen;
2028 oip = mtod(n, struct ip *);
2029 } else {
2030 m->m_next->m_len += hlen;
2031 m->m_next->m_data -= hlen;
2032 m->m_pkthdr.len += hlen;
2033 oip = mtod(m->m_next, struct ip *);
2034 }
2035 ip = mtod(m, struct ip *);
2036 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2037 m->m_len = sizeof(struct ip);
2038 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2039
2040 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2041 /* ECN consideration. */
2042 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2043 #ifdef _IP_VHL
2044 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2045 #else
2046 ip->ip_hl = sizeof(struct ip) >> 2;
2047 #endif
2048 ip->ip_off &= htons(~IP_OFFMASK);
2049 ip->ip_off &= htons(~IP_MF);
2050 switch (ip4_ipsec_dfbit) {
2051 case 0: /* clear DF bit */
2052 ip->ip_off &= htons(~IP_DF);
2053 break;
2054 case 1: /* set DF bit */
2055 ip->ip_off |= htons(IP_DF);
2056 break;
2057 default: /* copy DF bit */
2058 break;
2059 }
2060 ip->ip_p = IPPROTO_IPIP;
2061 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2062 ip->ip_len = htons(plen + sizeof(struct ip));
2063 else {
2064 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2065 "leave ip_len as is (invalid packet)\n"));
2066 }
2067 #ifdef RANDOM_IP_ID
2068 ip->ip_id = ip_randomid();
2069 #else
2070 ip->ip_id = htons(ip_id++);
2071 #endif
2072 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2073 &ip->ip_src, sizeof(ip->ip_src));
2074 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2075 &ip->ip_dst, sizeof(ip->ip_dst));
2076 ip->ip_ttl = IPDEFTTL;
2077
2078 /* XXX Should ip_src be updated later ? */
2079
2080 return 0;
2081 }
2082 #endif /* INET */
2083
2084 #ifdef INET6
2085 static int
2086 ipsec6_encapsulate(m, sav)
2087 struct mbuf *m;
2088 struct secasvar *sav;
2089 {
2090 struct ip6_hdr *oip6;
2091 struct ip6_hdr *ip6;
2092 size_t plen;
2093
2094 /* can't tunnel between different AFs */
2095 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2096 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2097 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2098 m_freem(m);
2099 return EINVAL;
2100 }
2101 #if 0
2102 /* XXX if the dst is myself, perform nothing. */
2103 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2104 m_freem(m);
2105 return EINVAL;
2106 }
2107 #endif
2108
2109 plen = m->m_pkthdr.len;
2110
2111 /*
2112 * grow the mbuf to accomodate the new IPv6 header.
2113 */
2114 if (m->m_len != sizeof(struct ip6_hdr))
2115 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2116 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2117 struct mbuf *n;
2118 MGET(n, M_DONTWAIT, MT_DATA);
2119 if (!n) {
2120 m_freem(m);
2121 return ENOBUFS;
2122 }
2123 n->m_len = sizeof(struct ip6_hdr);
2124 n->m_next = m->m_next;
2125 m->m_next = n;
2126 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2127 oip6 = mtod(n, struct ip6_hdr *);
2128 } else {
2129 m->m_next->m_len += sizeof(struct ip6_hdr);
2130 m->m_next->m_data -= sizeof(struct ip6_hdr);
2131 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2132 oip6 = mtod(m->m_next, struct ip6_hdr *);
2133 }
2134 ip6 = mtod(m, struct ip6_hdr *);
2135 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2136
2137 /* Fake link-local scope-class addresses */
2138 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
2139 oip6->ip6_src.s6_addr16[1] = 0;
2140 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
2141 oip6->ip6_dst.s6_addr16[1] = 0;
2142
2143 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2144 /* ECN consideration. */
2145 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2146 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2147 ip6->ip6_plen = htons(plen);
2148 else {
2149 /* ip6->ip6_plen will be updated in ip6_output() */
2150 }
2151 ip6->ip6_nxt = IPPROTO_IPV6;
2152 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2153 &ip6->ip6_src, sizeof(ip6->ip6_src));
2154 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2155 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2156 ip6->ip6_hlim = IPV6_DEFHLIM;
2157
2158 /* XXX Should ip6_src be updated later ? */
2159
2160 return 0;
2161 }
2162 #endif /* INET6 */
2163
2164 /*
2165 * Check the variable replay window.
2166 * ipsec_chkreplay() performs replay check before ICV verification.
2167 * ipsec_updatereplay() updates replay bitmap. This must be called after
2168 * ICV verification (it also performs replay check, which is usually done
2169 * beforehand).
2170 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2171 *
2172 * based on RFC 2401.
2173 */
2174 int
2175 ipsec_chkreplay(seq, sav)
2176 u_int32_t seq;
2177 struct secasvar *sav;
2178 {
2179 const struct secreplay *replay;
2180 u_int32_t diff;
2181 int fr;
2182 u_int32_t wsizeb; /* constant: bits of window size */
2183 int frlast; /* constant: last frame */
2184
2185 /* sanity check */
2186 if (sav == NULL)
2187 panic("ipsec_chkreplay: NULL pointer was passed.");
2188
2189 replay = sav->replay;
2190
2191 if (replay->wsize == 0)
2192 return 1; /* no need to check replay. */
2193
2194 /* constant */
2195 frlast = replay->wsize - 1;
2196 wsizeb = replay->wsize << 3;
2197
2198 /* sequence number of 0 is invalid */
2199 if (seq == 0)
2200 return 0;
2201
2202 /* first time is always okay */
2203 if (replay->count == 0)
2204 return 1;
2205
2206 if (seq > replay->lastseq) {
2207 /* larger sequences are okay */
2208 return 1;
2209 } else {
2210 /* seq is equal or less than lastseq. */
2211 diff = replay->lastseq - seq;
2212
2213 /* over range to check, i.e. too old or wrapped */
2214 if (diff >= wsizeb)
2215 return 0;
2216
2217 fr = frlast - diff / 8;
2218
2219 /* this packet already seen ? */
2220 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2221 return 0;
2222
2223 /* out of order but good */
2224 return 1;
2225 }
2226 }
2227
2228 /*
2229 * check replay counter whether to update or not.
2230 * OUT: 0: OK
2231 * 1: NG
2232 */
2233 int
2234 ipsec_updatereplay(seq, sav)
2235 u_int32_t seq;
2236 struct secasvar *sav;
2237 {
2238 struct secreplay *replay;
2239 u_int32_t diff;
2240 int fr;
2241 u_int32_t wsizeb; /* constant: bits of window size */
2242 int frlast; /* constant: last frame */
2243
2244 /* sanity check */
2245 if (sav == NULL)
2246 panic("ipsec_chkreplay: NULL pointer was passed.");
2247
2248 replay = sav->replay;
2249
2250 if (replay->wsize == 0)
2251 goto ok; /* no need to check replay. */
2252
2253 /* constant */
2254 frlast = replay->wsize - 1;
2255 wsizeb = replay->wsize << 3;
2256
2257 /* sequence number of 0 is invalid */
2258 if (seq == 0)
2259 return 1;
2260
2261 /* first time */
2262 if (replay->count == 0) {
2263 replay->lastseq = seq;
2264 bzero(replay->bitmap, replay->wsize);
2265 (replay->bitmap)[frlast] = 1;
2266 goto ok;
2267 }
2268
2269 if (seq > replay->lastseq) {
2270 /* seq is larger than lastseq. */
2271 diff = seq - replay->lastseq;
2272
2273 /* new larger sequence number */
2274 if (diff < wsizeb) {
2275 /* In window */
2276 /* set bit for this packet */
2277 vshiftl(replay->bitmap, diff, replay->wsize);
2278 (replay->bitmap)[frlast] |= 1;
2279 } else {
2280 /* this packet has a "way larger" */
2281 bzero(replay->bitmap, replay->wsize);
2282 (replay->bitmap)[frlast] = 1;
2283 }
2284 replay->lastseq = seq;
2285
2286 /* larger is good */
2287 } else {
2288 /* seq is equal or less than lastseq. */
2289 diff = replay->lastseq - seq;
2290
2291 /* over range to check, i.e. too old or wrapped */
2292 if (diff >= wsizeb)
2293 return 1;
2294
2295 fr = frlast - diff / 8;
2296
2297 /* this packet already seen ? */
2298 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2299 return 1;
2300
2301 /* mark as seen */
2302 (replay->bitmap)[fr] |= (1 << (diff % 8));
2303
2304 /* out of order but good */
2305 }
2306
2307 ok:
2308 if (replay->count == ~0) {
2309
2310 /* set overflow flag */
2311 replay->overflow++;
2312
2313 /* don't increment, no more packets accepted */
2314 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2315 return 1;
2316
2317 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2318 replay->overflow, ipsec_logsastr(sav)));
2319 }
2320
2321 replay->count++;
2322
2323 return 0;
2324 }
2325
2326 /*
2327 * shift variable length buffer to left.
2328 * IN: bitmap: pointer to the buffer
2329 * nbit: the number of to shift.
2330 * wsize: buffer size (bytes).
2331 */
2332 static void
2333 vshiftl(bitmap, nbit, wsize)
2334 unsigned char *bitmap;
2335 int nbit, wsize;
2336 {
2337 int s, j, i;
2338 unsigned char over;
2339
2340 for (j = 0; j < nbit; j += 8) {
2341 s = (nbit - j < 8) ? (nbit - j): 8;
2342 bitmap[0] <<= s;
2343 for (i = 1; i < wsize; i++) {
2344 over = (bitmap[i] >> (8 - s));
2345 bitmap[i] <<= s;
2346 bitmap[i-1] |= over;
2347 }
2348 }
2349
2350 return;
2351 }
2352
2353 const char *
2354 ipsec4_logpacketstr(ip, spi)
2355 struct ip *ip;
2356 u_int32_t spi;
2357 {
2358 static char buf[256];
2359 char *p;
2360 u_int8_t *s, *d;
2361
2362 s = (u_int8_t *)(&ip->ip_src);
2363 d = (u_int8_t *)(&ip->ip_dst);
2364
2365 p = buf;
2366 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2367 while (p && *p)
2368 p++;
2369 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2370 s[0], s[1], s[2], s[3]);
2371 while (p && *p)
2372 p++;
2373 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2374 d[0], d[1], d[2], d[3]);
2375 while (p && *p)
2376 p++;
2377 snprintf(p, sizeof(buf) - (p - buf), ")");
2378
2379 return buf;
2380 }
2381
2382 #ifdef INET6
2383 const char *
2384 ipsec6_logpacketstr(ip6, spi)
2385 struct ip6_hdr *ip6;
2386 u_int32_t spi;
2387 {
2388 static char buf[256];
2389 char *p;
2390
2391 p = buf;
2392 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2393 while (p && *p)
2394 p++;
2395 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2396 ip6_sprintf(&ip6->ip6_src));
2397 while (p && *p)
2398 p++;
2399 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2400 ip6_sprintf(&ip6->ip6_dst));
2401 while (p && *p)
2402 p++;
2403 snprintf(p, sizeof(buf) - (p - buf), ")");
2404
2405 return buf;
2406 }
2407 #endif /* INET6 */
2408
2409 const char *
2410 ipsec_logsastr(sav)
2411 struct secasvar *sav;
2412 {
2413 static char buf[256];
2414 char *p;
2415 struct secasindex *saidx = &sav->sah->saidx;
2416
2417 /* validity check */
2418 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2419 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2420 panic("ipsec_logsastr: family mismatched.");
2421
2422 p = buf;
2423 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2424 while (p && *p)
2425 p++;
2426 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2427 u_int8_t *s, *d;
2428 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2429 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2430 snprintf(p, sizeof(buf) - (p - buf),
2431 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2432 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2433 }
2434 #ifdef INET6
2435 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2436 snprintf(p, sizeof(buf) - (p - buf),
2437 "src=%s",
2438 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2439 while (p && *p)
2440 p++;
2441 snprintf(p, sizeof(buf) - (p - buf),
2442 " dst=%s",
2443 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2444 }
2445 #endif
2446 while (p && *p)
2447 p++;
2448 snprintf(p, sizeof(buf) - (p - buf), ")");
2449
2450 return buf;
2451 }
2452
2453 void
2454 ipsec_dumpmbuf(m)
2455 struct mbuf *m;
2456 {
2457 int totlen;
2458 int i;
2459 u_char *p;
2460
2461 totlen = 0;
2462 printf("---\n");
2463 while (m) {
2464 p = mtod(m, u_char *);
2465 for (i = 0; i < m->m_len; i++) {
2466 printf("%02x ", p[i]);
2467 totlen++;
2468 if (totlen % 16 == 0)
2469 printf("\n");
2470 }
2471 m = m->m_next;
2472 }
2473 if (totlen % 16 != 0)
2474 printf("\n");
2475 printf("---\n");
2476 }
2477
2478 #ifdef INET
2479 /*
2480 * IPsec output logic for IPv4.
2481 */
2482 int
2483 ipsec4_output(state, sp, flags)
2484 struct ipsec_output_state *state;
2485 struct secpolicy *sp;
2486 int flags;
2487 {
2488 struct ip *ip = NULL;
2489 struct ipsecrequest *isr = NULL;
2490 struct secasindex saidx;
2491 int s;
2492 int error;
2493 struct sockaddr_in *dst4;
2494 struct sockaddr_in *sin;
2495
2496 if (!state)
2497 panic("state == NULL in ipsec4_output");
2498 if (!state->m)
2499 panic("state->m == NULL in ipsec4_output");
2500 if (!state->ro)
2501 panic("state->ro == NULL in ipsec4_output");
2502 if (!state->dst)
2503 panic("state->dst == NULL in ipsec4_output");
2504
2505 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2506 printf("ipsec4_output: applyed SP\n");
2507 kdebug_secpolicy(sp));
2508
2509 for (isr = sp->req; isr != NULL; isr = isr->next) {
2510
2511 #if 0 /* give up to check restriction of transport mode */
2512 /* XXX but should be checked somewhere */
2513 /*
2514 * some of the IPsec operation must be performed only in
2515 * originating case.
2516 */
2517 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2518 && (flags & IP_FORWARDING))
2519 continue;
2520 #endif
2521
2522 /* make SA index for search proper SA */
2523 ip = mtod(state->m, struct ip *);
2524 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2525 saidx.mode = isr->saidx.mode;
2526 saidx.reqid = isr->saidx.reqid;
2527 sin = (struct sockaddr_in *)&saidx.src;
2528 if (sin->sin_len == 0) {
2529 sin->sin_len = sizeof(*sin);
2530 sin->sin_family = AF_INET;
2531 sin->sin_port = IPSEC_PORT_ANY;
2532 bcopy(&ip->ip_src, &sin->sin_addr,
2533 sizeof(sin->sin_addr));
2534 }
2535 sin = (struct sockaddr_in *)&saidx.dst;
2536 if (sin->sin_len == 0) {
2537 sin->sin_len = sizeof(*sin);
2538 sin->sin_family = AF_INET;
2539 sin->sin_port = IPSEC_PORT_ANY;
2540 bcopy(&ip->ip_dst, &sin->sin_addr,
2541 sizeof(sin->sin_addr));
2542 }
2543
2544 if ((error = key_checkrequest(isr, &saidx)) != 0) {
2545 /*
2546 * IPsec processing is required, but no SA found.
2547 * I assume that key_acquire() had been called
2548 * to get/establish the SA. Here I discard
2549 * this packet because it is responsibility for
2550 * upper layer to retransmit the packet.
2551 */
2552 ipsecstat.out_nosa++;
2553 goto bad;
2554 }
2555
2556 /* validity check */
2557 if (isr->sav == NULL) {
2558 switch (ipsec_get_reqlevel(isr)) {
2559 case IPSEC_LEVEL_USE:
2560 continue;
2561 case IPSEC_LEVEL_REQUIRE:
2562 /* must be not reached here. */
2563 panic("ipsec4_output: no SA found, but required.");
2564 }
2565 }
2566
2567 /*
2568 * If there is no valid SA, we give up to process any
2569 * more. In such a case, the SA's status is changed
2570 * from DYING to DEAD after allocating. If a packet
2571 * send to the receiver by dead SA, the receiver can
2572 * not decode a packet because SA has been dead.
2573 */
2574 if (isr->sav->state != SADB_SASTATE_MATURE
2575 && isr->sav->state != SADB_SASTATE_DYING) {
2576 ipsecstat.out_nosa++;
2577 error = EINVAL;
2578 goto bad;
2579 }
2580
2581 /*
2582 * There may be the case that SA status will be changed when
2583 * we are refering to one. So calling splsoftnet().
2584 */
2585 s = splnet();
2586
2587 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2588 /*
2589 * build IPsec tunnel.
2590 */
2591 /* XXX should be processed with other familiy */
2592 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2593 ipseclog((LOG_ERR, "ipsec4_output: "
2594 "family mismatched between inner and outer spi=%u\n",
2595 (u_int32_t)ntohl(isr->sav->spi)));
2596 splx(s);
2597 error = EAFNOSUPPORT;
2598 goto bad;
2599 }
2600
2601 state->m = ipsec4_splithdr(state->m);
2602 if (!state->m) {
2603 splx(s);
2604 error = ENOMEM;
2605 goto bad;
2606 }
2607 error = ipsec4_encapsulate(state->m, isr->sav);
2608 splx(s);
2609 if (error) {
2610 state->m = NULL;
2611 goto bad;
2612 }
2613 ip = mtod(state->m, struct ip *);
2614
2615 state->ro = &isr->sav->sah->sa_route;
2616 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2617 dst4 = (struct sockaddr_in *)state->dst;
2618 if (state->ro->ro_rt
2619 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2620 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2621 RTFREE(state->ro->ro_rt);
2622 state->ro->ro_rt = NULL;
2623 }
2624 if (state->ro->ro_rt == 0) {
2625 dst4->sin_family = AF_INET;
2626 dst4->sin_len = sizeof(*dst4);
2627 dst4->sin_addr = ip->ip_dst;
2628 rtalloc(state->ro);
2629 }
2630 if (state->ro->ro_rt == 0) {
2631 ipstat.ips_noroute++;
2632 error = EHOSTUNREACH;
2633 goto bad;
2634 }
2635
2636 /* adjust state->dst if tunnel endpoint is offlink */
2637 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2638 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2639 dst4 = (struct sockaddr_in *)state->dst;
2640 }
2641 } else
2642 splx(s);
2643
2644 state->m = ipsec4_splithdr(state->m);
2645 if (!state->m) {
2646 error = ENOMEM;
2647 goto bad;
2648 }
2649 switch (isr->saidx.proto) {
2650 case IPPROTO_ESP:
2651 #ifdef IPSEC_ESP
2652 if ((error = esp4_output(state->m, isr)) != 0) {
2653 state->m = NULL;
2654 goto bad;
2655 }
2656 break;
2657 #else
2658 m_freem(state->m);
2659 state->m = NULL;
2660 error = EINVAL;
2661 goto bad;
2662 #endif
2663 case IPPROTO_AH:
2664 if ((error = ah4_output(state->m, isr)) != 0) {
2665 state->m = NULL;
2666 goto bad;
2667 }
2668 break;
2669 case IPPROTO_IPCOMP:
2670 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2671 state->m = NULL;
2672 goto bad;
2673 }
2674 break;
2675 default:
2676 ipseclog((LOG_ERR,
2677 "ipsec4_output: unknown ipsec protocol %d\n",
2678 isr->saidx.proto));
2679 m_freem(state->m);
2680 state->m = NULL;
2681 error = EINVAL;
2682 goto bad;
2683 }
2684
2685 if (state->m == 0) {
2686 error = ENOMEM;
2687 goto bad;
2688 }
2689 ip = mtod(state->m, struct ip *);
2690 }
2691
2692 return 0;
2693
2694 bad:
2695 m_freem(state->m);
2696 state->m = NULL;
2697 return error;
2698 }
2699 #endif
2700
2701 #ifdef INET6
2702 /*
2703 * IPsec output logic for IPv6, transport mode.
2704 */
2705 int
2706 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
2707 struct ipsec_output_state *state;
2708 u_char *nexthdrp;
2709 struct mbuf *mprev;
2710 struct secpolicy *sp;
2711 int flags;
2712 int *tun;
2713 {
2714 struct ip6_hdr *ip6;
2715 struct ipsecrequest *isr = NULL;
2716 struct secasindex saidx;
2717 int error = 0;
2718 int plen;
2719 struct sockaddr_in6 *sin6;
2720
2721 if (!state)
2722 panic("state == NULL in ipsec6_output_trans");
2723 if (!state->m)
2724 panic("state->m == NULL in ipsec6_output_trans");
2725 if (!nexthdrp)
2726 panic("nexthdrp == NULL in ipsec6_output_trans");
2727 if (!mprev)
2728 panic("mprev == NULL in ipsec6_output_trans");
2729 if (!sp)
2730 panic("sp == NULL in ipsec6_output_trans");
2731 if (!tun)
2732 panic("tun == NULL in ipsec6_output_trans");
2733
2734 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2735 printf("ipsec6_output_trans: applyed SP\n");
2736 kdebug_secpolicy(sp));
2737
2738 *tun = 0;
2739 for (isr = sp->req; isr; isr = isr->next) {
2740 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2741 /* the rest will be handled by ipsec6_output_tunnel() */
2742 break;
2743 }
2744
2745 /* make SA index for search proper SA */
2746 ip6 = mtod(state->m, struct ip6_hdr *);
2747 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2748 saidx.mode = isr->saidx.mode;
2749 saidx.reqid = isr->saidx.reqid;
2750 sin6 = (struct sockaddr_in6 *)&saidx.src;
2751 if (sin6->sin6_len == 0) {
2752 sin6->sin6_len = sizeof(*sin6);
2753 sin6->sin6_family = AF_INET6;
2754 sin6->sin6_port = IPSEC_PORT_ANY;
2755 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2756 sizeof(ip6->ip6_src));
2757 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2758 /* fix scope id for comparing SPD */
2759 sin6->sin6_addr.s6_addr16[1] = 0;
2760 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2761 }
2762 }
2763 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2764 if (sin6->sin6_len == 0) {
2765 sin6->sin6_len = sizeof(*sin6);
2766 sin6->sin6_family = AF_INET6;
2767 sin6->sin6_port = IPSEC_PORT_ANY;
2768 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2769 sizeof(ip6->ip6_dst));
2770 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2771 /* fix scope id for comparing SPD */
2772 sin6->sin6_addr.s6_addr16[1] = 0;
2773 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2774 }
2775 }
2776
2777 if (key_checkrequest(isr, &saidx) == ENOENT) {
2778 /*
2779 * IPsec processing is required, but no SA found.
2780 * I assume that key_acquire() had been called
2781 * to get/establish the SA. Here I discard
2782 * this packet because it is responsibility for
2783 * upper layer to retransmit the packet.
2784 */
2785 ipsec6stat.out_nosa++;
2786 error = ENOENT;
2787
2788 /*
2789 * Notify the fact that the packet is discarded
2790 * to ourselves. I believe this is better than
2791 * just silently discarding. (jinmei@kame.net)
2792 * XXX: should we restrict the error to TCP packets?
2793 * XXX: should we directly notify sockets via
2794 * pfctlinputs?
2795 */
2796 icmp6_error(state->m, ICMP6_DST_UNREACH,
2797 ICMP6_DST_UNREACH_ADMIN, 0);
2798 state->m = NULL; /* icmp6_error freed the mbuf */
2799 goto bad;
2800 }
2801
2802 /* validity check */
2803 if (isr->sav == NULL) {
2804 switch (ipsec_get_reqlevel(isr)) {
2805 case IPSEC_LEVEL_USE:
2806 continue;
2807 case IPSEC_LEVEL_REQUIRE:
2808 /* must be not reached here. */
2809 panic("ipsec6_output_trans: no SA found, but required.");
2810 }
2811 }
2812
2813 /*
2814 * If there is no valid SA, we give up to process.
2815 * see same place at ipsec4_output().
2816 */
2817 if (isr->sav->state != SADB_SASTATE_MATURE
2818 && isr->sav->state != SADB_SASTATE_DYING) {
2819 ipsec6stat.out_nosa++;
2820 error = EINVAL;
2821 goto bad;
2822 }
2823
2824 switch (isr->saidx.proto) {
2825 case IPPROTO_ESP:
2826 #ifdef IPSEC_ESP
2827 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2828 #else
2829 m_freem(state->m);
2830 error = EINVAL;
2831 #endif
2832 break;
2833 case IPPROTO_AH:
2834 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2835 break;
2836 case IPPROTO_IPCOMP:
2837 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2838 break;
2839 default:
2840 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2841 "unknown ipsec protocol %d\n", isr->saidx.proto));
2842 m_freem(state->m);
2843 ipsec6stat.out_inval++;
2844 error = EINVAL;
2845 break;
2846 }
2847 if (error) {
2848 state->m = NULL;
2849 goto bad;
2850 }
2851 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2852 if (plen > IPV6_MAXPACKET) {
2853 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2854 "IPsec with IPv6 jumbogram is not supported\n"));
2855 ipsec6stat.out_inval++;
2856 error = EINVAL; /* XXX */
2857 goto bad;
2858 }
2859 ip6 = mtod(state->m, struct ip6_hdr *);
2860 ip6->ip6_plen = htons(plen);
2861 }
2862
2863 /* if we have more to go, we need a tunnel mode processing */
2864 if (isr != NULL)
2865 *tun = 1;
2866
2867 return 0;
2868
2869 bad:
2870 m_freem(state->m);
2871 state->m = NULL;
2872 return error;
2873 }
2874
2875 /*
2876 * IPsec output logic for IPv6, tunnel mode.
2877 */
2878 int
2879 ipsec6_output_tunnel(state, sp, flags)
2880 struct ipsec_output_state *state;
2881 struct secpolicy *sp;
2882 int flags;
2883 {
2884 struct ip6_hdr *ip6;
2885 struct ipsecrequest *isr = NULL;
2886 struct secasindex saidx;
2887 int error = 0;
2888 int plen;
2889 struct sockaddr_in6* dst6;
2890 int s;
2891
2892 if (!state)
2893 panic("state == NULL in ipsec6_output_tunnel");
2894 if (!state->m)
2895 panic("state->m == NULL in ipsec6_output_tunnel");
2896 if (!sp)
2897 panic("sp == NULL in ipsec6_output_tunnel");
2898
2899 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2900 printf("ipsec6_output_tunnel: applyed SP\n");
2901 kdebug_secpolicy(sp));
2902
2903 /*
2904 * transport mode ipsec (before the 1st tunnel mode) is already
2905 * processed by ipsec6_output_trans().
2906 */
2907 for (isr = sp->req; isr; isr = isr->next) {
2908 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
2909 break;
2910 }
2911
2912 for (/* already initialized */; isr; isr = isr->next) {
2913 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2914 /* When tunnel mode, SA peers must be specified. */
2915 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2916 } else {
2917 /* make SA index to look for a proper SA */
2918 struct sockaddr_in6 *sin6;
2919
2920 bzero(&saidx, sizeof(saidx));
2921 saidx.proto = isr->saidx.proto;
2922 saidx.mode = isr->saidx.mode;
2923 saidx.reqid = isr->saidx.reqid;
2924
2925 ip6 = mtod(state->m, struct ip6_hdr *);
2926 sin6 = (struct sockaddr_in6 *)&saidx.src;
2927 if (sin6->sin6_len == 0) {
2928 sin6->sin6_len = sizeof(*sin6);
2929 sin6->sin6_family = AF_INET6;
2930 sin6->sin6_port = IPSEC_PORT_ANY;
2931 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2932 sizeof(ip6->ip6_src));
2933 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2934 /* fix scope id for comparing SPD */
2935 sin6->sin6_addr.s6_addr16[1] = 0;
2936 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2937 }
2938 }
2939 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2940 if (sin6->sin6_len == 0) {
2941 sin6->sin6_len = sizeof(*sin6);
2942 sin6->sin6_family = AF_INET6;
2943 sin6->sin6_port = IPSEC_PORT_ANY;
2944 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2945 sizeof(ip6->ip6_dst));
2946 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2947 /* fix scope id for comparing SPD */
2948 sin6->sin6_addr.s6_addr16[1] = 0;
2949 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2950 }
2951 }
2952 }
2953
2954 if (key_checkrequest(isr, &saidx) == ENOENT) {
2955 /*
2956 * IPsec processing is required, but no SA found.
2957 * I assume that key_acquire() had been called
2958 * to get/establish the SA. Here I discard
2959 * this packet because it is responsibility for
2960 * upper layer to retransmit the packet.
2961 */
2962 ipsec6stat.out_nosa++;
2963 error = ENOENT;
2964 goto bad;
2965 }
2966
2967 /* validity check */
2968 if (isr->sav == NULL) {
2969 switch (ipsec_get_reqlevel(isr)) {
2970 case IPSEC_LEVEL_USE:
2971 continue;
2972 case IPSEC_LEVEL_REQUIRE:
2973 /* must be not reached here. */
2974 panic("ipsec6_output_tunnel: no SA found, but required.");
2975 }
2976 }
2977
2978 /*
2979 * If there is no valid SA, we give up to process.
2980 * see same place at ipsec4_output().
2981 */
2982 if (isr->sav->state != SADB_SASTATE_MATURE
2983 && isr->sav->state != SADB_SASTATE_DYING) {
2984 ipsec6stat.out_nosa++;
2985 error = EINVAL;
2986 goto bad;
2987 }
2988
2989 /*
2990 * There may be the case that SA status will be changed when
2991 * we are refering to one. So calling splsoftnet().
2992 */
2993 s = splnet();
2994
2995 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2996 /*
2997 * build IPsec tunnel.
2998 */
2999 /* XXX should be processed with other familiy */
3000 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
3001 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3002 "family mismatched between inner and outer, spi=%u\n",
3003 (u_int32_t)ntohl(isr->sav->spi)));
3004 splx(s);
3005 ipsec6stat.out_inval++;
3006 error = EAFNOSUPPORT;
3007 goto bad;
3008 }
3009
3010 state->m = ipsec6_splithdr(state->m);
3011 if (!state->m) {
3012 splx(s);
3013 ipsec6stat.out_nomem++;
3014 error = ENOMEM;
3015 goto bad;
3016 }
3017 error = ipsec6_encapsulate(state->m, isr->sav);
3018 splx(s);
3019 if (error) {
3020 state->m = 0;
3021 goto bad;
3022 }
3023 ip6 = mtod(state->m, struct ip6_hdr *);
3024
3025 state->ro = &isr->sav->sah->sa_route;
3026 state->dst = (struct sockaddr *)&state->ro->ro_dst;
3027 dst6 = (struct sockaddr_in6 *)state->dst;
3028 if (state->ro->ro_rt
3029 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
3030 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
3031 RTFREE(state->ro->ro_rt);
3032 state->ro->ro_rt = NULL;
3033 }
3034 if (state->ro->ro_rt == 0) {
3035 bzero(dst6, sizeof(*dst6));
3036 dst6->sin6_family = AF_INET6;
3037 dst6->sin6_len = sizeof(*dst6);
3038 dst6->sin6_addr = ip6->ip6_dst;
3039 rtalloc(state->ro);
3040 }
3041 if (state->ro->ro_rt == 0) {
3042 ip6stat.ip6s_noroute++;
3043 ipsec6stat.out_noroute++;
3044 error = EHOSTUNREACH;
3045 goto bad;
3046 }
3047
3048 /* adjust state->dst if tunnel endpoint is offlink */
3049 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3050 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3051 dst6 = (struct sockaddr_in6 *)state->dst;
3052 }
3053 } else
3054 splx(s);
3055
3056 state->m = ipsec6_splithdr(state->m);
3057 if (!state->m) {
3058 ipsec6stat.out_nomem++;
3059 error = ENOMEM;
3060 goto bad;
3061 }
3062 ip6 = mtod(state->m, struct ip6_hdr *);
3063 switch (isr->saidx.proto) {
3064 case IPPROTO_ESP:
3065 #ifdef IPSEC_ESP
3066 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
3067 #else
3068 m_freem(state->m);
3069 error = EINVAL;
3070 #endif
3071 break;
3072 case IPPROTO_AH:
3073 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
3074 break;
3075 case IPPROTO_IPCOMP:
3076 /* XXX code should be here */
3077 /* FALLTHROUGH */
3078 default:
3079 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3080 "unknown ipsec protocol %d\n", isr->saidx.proto));
3081 m_freem(state->m);
3082 ipsec6stat.out_inval++;
3083 error = EINVAL;
3084 break;
3085 }
3086 if (error) {
3087 state->m = NULL;
3088 goto bad;
3089 }
3090 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3091 if (plen > IPV6_MAXPACKET) {
3092 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3093 "IPsec with IPv6 jumbogram is not supported\n"));
3094 ipsec6stat.out_inval++;
3095 error = EINVAL; /* XXX */
3096 goto bad;
3097 }
3098 ip6 = mtod(state->m, struct ip6_hdr *);
3099 ip6->ip6_plen = htons(plen);
3100 }
3101
3102 return 0;
3103
3104 bad:
3105 m_freem(state->m);
3106 state->m = NULL;
3107 return error;
3108 }
3109 #endif /* INET6 */
3110
3111 #ifdef INET
3112 /*
3113 * Chop IP header and option off from the payload.
3114 */
3115 static struct mbuf *
3116 ipsec4_splithdr(m)
3117 struct mbuf *m;
3118 {
3119 struct mbuf *mh;
3120 struct ip *ip;
3121 int hlen;
3122
3123 if (m->m_len < sizeof(struct ip))
3124 panic("ipsec4_splithdr: first mbuf too short");
3125 ip = mtod(m, struct ip *);
3126 #ifdef _IP_VHL
3127 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3128 #else
3129 hlen = ip->ip_hl << 2;
3130 #endif
3131 if (m->m_len > hlen) {
3132 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3133 if (!mh) {
3134 m_freem(m);
3135 return NULL;
3136 }
3137 M_MOVE_PKTHDR(mh, m);
3138 MH_ALIGN(mh, hlen);
3139 m->m_len -= hlen;
3140 m->m_data += hlen;
3141 mh->m_next = m;
3142 m = mh;
3143 m->m_len = hlen;
3144 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3145 } else if (m->m_len < hlen) {
3146 m = m_pullup(m, hlen);
3147 if (!m)
3148 return NULL;
3149 }
3150 return m;
3151 }
3152 #endif
3153
3154 #ifdef INET6
3155 static struct mbuf *
3156 ipsec6_splithdr(m)
3157 struct mbuf *m;
3158 {
3159 struct mbuf *mh;
3160 struct ip6_hdr *ip6;
3161 int hlen;
3162
3163 if (m->m_len < sizeof(struct ip6_hdr))
3164 panic("ipsec6_splithdr: first mbuf too short");
3165 ip6 = mtod(m, struct ip6_hdr *);
3166 hlen = sizeof(struct ip6_hdr);
3167 if (m->m_len > hlen) {
3168 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3169 if (!mh) {
3170 m_freem(m);
3171 return NULL;
3172 }
3173 M_MOVE_PKTHDR(mh, m);
3174 MH_ALIGN(mh, hlen);
3175 m->m_len -= hlen;
3176 m->m_data += hlen;
3177 mh->m_next = m;
3178 m = mh;
3179 m->m_len = hlen;
3180 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3181 } else if (m->m_len < hlen) {
3182 m = m_pullup(m, hlen);
3183 if (!m)
3184 return NULL;
3185 }
3186 return m;
3187 }
3188 #endif
3189
3190 /* validate inbound IPsec tunnel packet. */
3191 int
3192 ipsec4_tunnel_validate(m, off, nxt0, sav)
3193 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3194 int off;
3195 u_int nxt0;
3196 struct secasvar *sav;
3197 {
3198 u_int8_t nxt = nxt0 & 0xff;
3199 struct sockaddr_in *sin;
3200 struct sockaddr_in osrc, odst, isrc, idst;
3201 int hlen;
3202 struct secpolicy *sp;
3203 struct ip *oip;
3204
3205 #ifdef DIAGNOSTIC
3206 if (m->m_len < sizeof(struct ip))
3207 panic("too short mbuf on ipsec4_tunnel_validate");
3208 #endif
3209 if (nxt != IPPROTO_IPV4)
3210 return 0;
3211 if (m->m_pkthdr.len < off + sizeof(struct ip))
3212 return 0;
3213 /* do not decapsulate if the SA is for transport mode only */
3214 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3215 return 0;
3216
3217 oip = mtod(m, struct ip *);
3218 #ifdef _IP_VHL
3219 hlen = _IP_VHL_HL(oip->ip_vhl) << 2;
3220 #else
3221 hlen = oip->ip_hl << 2;
3222 #endif
3223 if (hlen != sizeof(struct ip))
3224 return 0;
3225
3226 /* AF_INET6 should be supported, but at this moment we don't. */
3227 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3228 if (sin->sin_family != AF_INET)
3229 return 0;
3230 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3231 return 0;
3232
3233 /* XXX slow */
3234 bzero(&osrc, sizeof(osrc));
3235 bzero(&odst, sizeof(odst));
3236 bzero(&isrc, sizeof(isrc));
3237 bzero(&idst, sizeof(idst));
3238 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3239 AF_INET;
3240 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3241 sizeof(struct sockaddr_in);
3242 osrc.sin_addr = oip->ip_src;
3243 odst.sin_addr = oip->ip_dst;
3244 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3245 (caddr_t)&isrc.sin_addr);
3246 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3247 (caddr_t)&idst.sin_addr);
3248
3249 /*
3250 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3251 * - if the inner destination is multicast address, there can be
3252 * multiple permissible inner source address. implementation
3253 * may want to skip verification of inner source address against
3254 * SPD selector.
3255 * - if the inner protocol is ICMP, the packet may be an error report
3256 * from routers on the other side of the VPN cloud (R in the
3257 * following diagram). in this case, we cannot verify inner source
3258 * address against SPD selector.
3259 * me -- gw === gw -- R -- you
3260 *
3261 * we consider the first bullet to be users responsibility on SPD entry
3262 * configuration (if you need to encrypt multicast traffic, set
3263 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3264 * address ranges for possible senders).
3265 * the second bullet is not taken care of (yet).
3266 *
3267 * therefore, we do not do anything special about inner source.
3268 */
3269
3270 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3271 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3272 if (!sp)
3273 return 0;
3274 key_freesp(sp);
3275
3276 return 1;
3277 }
3278
3279 #ifdef INET6
3280 /* validate inbound IPsec tunnel packet. */
3281 int
3282 ipsec6_tunnel_validate(m, off, nxt0, sav)
3283 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3284 int off;
3285 u_int nxt0;
3286 struct secasvar *sav;
3287 {
3288 u_int8_t nxt = nxt0 & 0xff;
3289 struct sockaddr_in6 *sin6;
3290 struct sockaddr_in6 osrc, odst, isrc, idst;
3291 struct secpolicy *sp;
3292 struct ip6_hdr *oip6;
3293
3294 #ifdef DIAGNOSTIC
3295 if (m->m_len < sizeof(struct ip6_hdr))
3296 panic("too short mbuf on ipsec6_tunnel_validate");
3297 #endif
3298 if (nxt != IPPROTO_IPV6)
3299 return 0;
3300 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3301 return 0;
3302 /* do not decapsulate if the SA is for transport mode only */
3303 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3304 return 0;
3305
3306 oip6 = mtod(m, struct ip6_hdr *);
3307 /* AF_INET should be supported, but at this moment we don't. */
3308 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3309 if (sin6->sin6_family != AF_INET6)
3310 return 0;
3311 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3312 return 0;
3313
3314 /* XXX slow */
3315 bzero(&osrc, sizeof(osrc));
3316 bzero(&odst, sizeof(odst));
3317 bzero(&isrc, sizeof(isrc));
3318 bzero(&idst, sizeof(idst));
3319 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3320 idst.sin6_family = AF_INET6;
3321 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3322 sizeof(struct sockaddr_in6);
3323 osrc.sin6_addr = oip6->ip6_src;
3324 odst.sin6_addr = oip6->ip6_dst;
3325 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3326 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3327 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3328 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3329
3330 /*
3331 * regarding to inner source address validation, see a long comment
3332 * in ipsec4_tunnel_validate.
3333 */
3334
3335 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3336 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3337 /*
3338 * when there is no suitable inbound policy for the packet of the ipsec
3339 * tunnel mode, the kernel never decapsulate the tunneled packet
3340 * as the ipsec tunnel mode even when the system wide policy is "none".
3341 * then the kernel leaves the generic tunnel module to process this
3342 * packet. if there is no rule of the generic tunnel, the packet
3343 * is rejected and the statistics will be counted up.
3344 */
3345 if (!sp)
3346 return 0;
3347 key_freesp(sp);
3348
3349 return 1;
3350 }
3351 #endif
3352
3353 /*
3354 * Make a mbuf chain for encryption.
3355 * If the original mbuf chain contains a mbuf with a cluster,
3356 * allocate a new cluster and copy the data to the new cluster.
3357 * XXX: this hack is inefficient, but is necessary to handle cases
3358 * of TCP retransmission...
3359 */
3360 struct mbuf *
3361 ipsec_copypkt(m)
3362 struct mbuf *m;
3363 {
3364 struct mbuf *n, **mpp, *mnew;
3365
3366 for (n = m, mpp = &m; n; n = n->m_next) {
3367 if (n->m_flags & M_EXT) {
3368 /*
3369 * Make a copy only if there are more than one
3370 * references to the cluster.
3371 * XXX: is this approach effective?
3372 */
3373 if (n->m_ext.ext_type != EXT_CLUSTER || MEXT_IS_REF(n))
3374 {
3375 int remain, copied;
3376 struct mbuf *mm;
3377
3378 if (n->m_flags & M_PKTHDR) {
3379 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3380 if (mnew == NULL)
3381 goto fail;
3382 if (!m_dup_pkthdr(mnew, n, M_DONTWAIT)) {
3383 m_free(mnew);
3384 goto fail;
3385 }
3386 }
3387 else {
3388 MGET(mnew, M_DONTWAIT, MT_DATA);
3389 if (mnew == NULL)
3390 goto fail;
3391 }
3392 mnew->m_len = 0;
3393 mm = mnew;
3394
3395 /*
3396 * Copy data. If we don't have enough space to
3397 * store the whole data, allocate a cluster
3398 * or additional mbufs.
3399 * XXX: we don't use m_copyback(), since the
3400 * function does not use clusters and thus is
3401 * inefficient.
3402 */
3403 remain = n->m_len;
3404 copied = 0;
3405 while (1) {
3406 int len;
3407 struct mbuf *mn;
3408
3409 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3410 len = remain;
3411 else { /* allocate a cluster */
3412 MCLGET(mm, M_DONTWAIT);
3413 if (!(mm->m_flags & M_EXT)) {
3414 m_free(mm);
3415 goto fail;
3416 }
3417 len = remain < MCLBYTES ?
3418 remain : MCLBYTES;
3419 }
3420
3421 bcopy(n->m_data + copied, mm->m_data,
3422 len);
3423
3424 copied += len;
3425 remain -= len;
3426 mm->m_len = len;
3427
3428 if (remain <= 0) /* completed? */
3429 break;
3430
3431 /* need another mbuf */
3432 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3433 if (mn == NULL)
3434 goto fail;
3435 mn->m_pkthdr.rcvif = NULL;
3436 mm->m_next = mn;
3437 mm = mn;
3438 }
3439
3440 /* adjust chain */
3441 mm->m_next = m_free(n);
3442 n = mm;
3443 *mpp = mnew;
3444 mpp = &n->m_next;
3445
3446 continue;
3447 }
3448 }
3449 *mpp = n;
3450 mpp = &n->m_next;
3451 }
3452
3453 return(m);
3454 fail:
3455 m_freem(m);
3456 return(NULL);
3457 }
3458
3459 void
3460 ipsec_delaux(m)
3461 struct mbuf *m;
3462 {
3463 struct m_tag *tag;
3464
3465 while ((tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL)) != NULL)
3466 m_tag_delete(m, tag);
3467 }
3468
3469 int
3470 ipsec_addhist(m, proto, spi)
3471 struct mbuf *m;
3472 int proto;
3473 u_int32_t spi;
3474 {
3475 struct m_tag *tag;
3476 struct ipsec_history *p;
3477
3478 tag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
3479 sizeof (struct ipsec_history), M_NOWAIT);
3480 if (tag == NULL)
3481 return ENOBUFS;
3482 p = (struct ipsec_history *)(tag+1);
3483 bzero(p, sizeof(*p));
3484 p->ih_proto = proto;
3485 p->ih_spi = spi;
3486 m_tag_prepend(m, tag);
3487 return 0;
3488 }
3489
3490 struct ipsec_history *
3491 ipsec_gethist(m, lenp)
3492 struct mbuf *m;
3493 int *lenp;
3494 {
3495 struct m_tag *tag;
3496
3497 tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3498 if (tag == NULL)
3499 return NULL;
3500 /* XXX NB: noone uses this so fake it */
3501 if (lenp)
3502 *lenp = sizeof (struct ipsec_history);
3503 return ((struct ipsec_history *)(tag+1));
3504 }
Cache object: 242b1101919a36339948384edcc2bd5c
|