Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* $FreeBSD: releng/5.2/sys/netinet6/ipsec.c 125090 2004-01-27 15:59:26Z ume $ */ 2 /* $KAME: ipsec.c,v 1.204 2003/09/19 10:53:38 jinmei Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * IPsec controller part. 35 */ 36 37 #include "opt_inet.h" 38 #include "opt_inet6.h" 39 #include "opt_ipsec.h" 40 #include "opt_random_ip_id.h" 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/malloc.h> 45 #include <sys/mbuf.h> 46 #include <sys/domain.h> 47 #include <sys/protosw.h> 48 #include <sys/socket.h> 49 #include <sys/socketvar.h> 50 #include <sys/errno.h> 51 #include <sys/time.h> 52 #include <sys/kernel.h> 53 #include <sys/syslog.h> 54 #include <sys/sysctl.h> 55 #include <sys/proc.h> 56 57 #include <net/if.h> 58 #include <net/route.h> 59 60 #include <netinet/in.h> 61 #include <netinet/in_systm.h> 62 #include <netinet/ip.h> 63 #include <netinet/ip_var.h> 64 #include <netinet/in_var.h> 65 #include <netinet/udp.h> 66 #include <netinet/udp_var.h> 67 #include <netinet/ip_ecn.h> 68 #ifdef INET6 69 #include <netinet6/ip6_ecn.h> 70 #endif 71 #include <netinet/tcp.h> 72 #include <netinet/udp.h> 73 74 #include <netinet/ip6.h> 75 #ifdef INET6 76 #include <netinet6/ip6_var.h> 77 #endif 78 #include <netinet/in_pcb.h> 79 #ifdef INET6 80 #include <netinet/icmp6.h> 81 #endif 82 83 #include <netinet6/ipsec.h> 84 #ifdef INET6 85 #include <netinet6/ipsec6.h> 86 #endif 87 #include <netinet6/ah.h> 88 #ifdef INET6 89 #include <netinet6/ah6.h> 90 #endif 91 #ifdef IPSEC_ESP 92 #include <netinet6/esp.h> 93 #ifdef INET6 94 #include <netinet6/esp6.h> 95 #endif 96 #endif 97 #include <netinet6/ipcomp.h> 98 #ifdef INET6 99 #include <netinet6/ipcomp6.h> 100 #endif 101 #include <netkey/key.h> 102 #include <netkey/keydb.h> 103 #include <netkey/key_debug.h> 104 105 #include <machine/in_cksum.h> 106 #include <net/net_osdep.h> 107 108 #ifdef IPSEC_DEBUG 109 int ipsec_debug = 1; 110 #else 111 int ipsec_debug = 0; 112 #endif 113 114 struct ipsecstat ipsecstat; 115 int ip4_ah_cleartos = 1; 116 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ 117 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ 118 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; 119 int ip4_esp_net_deflev = IPSEC_LEVEL_USE; 120 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; 121 int ip4_ah_net_deflev = IPSEC_LEVEL_USE; 122 struct secpolicy *ip4_def_policy; 123 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 124 int ip4_esp_randpad = -1; 125 126 static int sp_cachegen = 1; /* cache generation # */ 127 128 SYSCTL_DECL(_net_inet_ipsec); 129 #ifdef INET6 130 SYSCTL_DECL(_net_inet6_ipsec6); 131 #endif 132 133 /* net.inet.ipsec */ 134 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS, 135 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, ""); 136 #if 0 137 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY, 138 def_policy, CTLFLAG_RW, &ip4_def_policy->policy, 0, ""); 139 #endif 140 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 141 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, ""); 142 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 143 CTLFLAG_RW, &ip4_esp_net_deflev, 0, ""); 144 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 145 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, ""); 146 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 147 CTLFLAG_RW, &ip4_ah_net_deflev, 0, ""); 148 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, 149 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, ""); 150 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, 151 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, ""); 152 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, 153 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, ""); 154 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, 155 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, ""); 156 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, 157 debug, CTLFLAG_RW, &ipsec_debug, 0, ""); 158 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD, 159 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, ""); 160 161 #ifdef INET6 162 struct ipsecstat ipsec6stat; 163 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; 164 int ip6_esp_net_deflev = IPSEC_LEVEL_USE; 165 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 166 int ip6_ah_net_deflev = IPSEC_LEVEL_USE; 167 struct secpolicy *ip6_def_policy; 168 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 169 int ip6_esp_randpad = -1; 170 171 /* net.inet6.ipsec6 */ 172 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, 173 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, ""); 174 #if 0 175 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, 176 def_policy, CTLFLAG_RW, &ip6_def_policy->policy, 0, ""); 177 #endif 178 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 179 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, ""); 180 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 181 CTLFLAG_RW, &ip6_esp_net_deflev, 0, ""); 182 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 183 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, ""); 184 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 185 CTLFLAG_RW, &ip6_ah_net_deflev, 0, ""); 186 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, 187 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, ""); 188 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, 189 debug, CTLFLAG_RW, &ipsec_debug, 0, ""); 190 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, 191 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, ""); 192 #endif /* INET6 */ 193 194 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *, 195 struct inpcbpolicy *, int)); 196 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *, 197 struct secpolicy *, int)); 198 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int)); 199 static int ipsec_setspidx_mbuf 200 __P((struct secpolicyindex *, int, struct mbuf *, int)); 201 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int)); 202 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); 203 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 204 #ifdef INET6 205 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); 206 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 207 #endif 208 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void)); 209 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *)); 210 #if 0 211 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *)); 212 #endif 213 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *)); 214 static int ipsec_set_policy 215 __P((struct secpolicy **, int, caddr_t, size_t, int)); 216 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **)); 217 static void vshiftl __P((unsigned char *, int, int)); 218 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *)); 219 static size_t ipsec_hdrsiz __P((struct secpolicy *)); 220 #ifdef INET 221 static struct mbuf *ipsec4_splithdr __P((struct mbuf *)); 222 #endif 223 #ifdef INET6 224 static struct mbuf *ipsec6_splithdr __P((struct mbuf *)); 225 #endif 226 #ifdef INET 227 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *)); 228 #endif 229 #ifdef INET6 230 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *)); 231 #endif 232 static struct ipsecaux *ipsec_addaux __P((struct mbuf *)); 233 static struct ipsecaux *ipsec_findaux __P((struct mbuf *)); 234 static void ipsec_optaux __P((struct mbuf *, struct ipsecaux *)); 235 #ifdef INET 236 static int ipsec4_checksa __P((struct ipsecrequest *, 237 struct ipsec_output_state *)); 238 #endif 239 #ifdef INET6 240 static int ipsec6_checksa __P((struct ipsecrequest *, 241 struct ipsec_output_state *, int)); 242 #endif 243 244 /* 245 * try to validate and use cached policy on a pcb. 246 */ 247 static struct secpolicy * 248 ipsec_checkpcbcache(m, pcbsp, dir) 249 struct mbuf *m; 250 struct inpcbpolicy *pcbsp; 251 int dir; 252 { 253 struct secpolicyindex spidx; 254 struct timeval mono_time; 255 256 microtime(&mono_time); 257 258 switch (dir) { 259 case IPSEC_DIR_INBOUND: 260 case IPSEC_DIR_OUTBOUND: 261 case IPSEC_DIR_ANY: 262 break; 263 default: 264 return NULL; 265 } 266 #ifdef DIAGNOSTIC 267 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0])) 268 panic("dir too big in ipsec_checkpcbcache"); 269 #endif 270 /* SPD table change invalidates all the caches */ 271 if (pcbsp->cachegen[dir] == 0 || sp_cachegen > pcbsp->cachegen[dir]) { 272 ipsec_invalpcbcache(pcbsp, dir); 273 return NULL; 274 } 275 if (!pcbsp->cache[dir]) 276 return NULL; 277 if (pcbsp->cache[dir]->state != IPSEC_SPSTATE_ALIVE) { 278 ipsec_invalpcbcache(pcbsp, dir); 279 return NULL; 280 } 281 if ((pcbsp->cacheflags & IPSEC_PCBSP_CONNECTED) == 0) { 282 if (!pcbsp->cache[dir]) 283 return NULL; 284 if (ipsec_setspidx(m, &spidx, 1) != 0) 285 return NULL; 286 if (bcmp(&pcbsp->cacheidx[dir], &spidx, sizeof(spidx))) { 287 if (!pcbsp->cache[dir]->spidx || 288 !key_cmpspidx_withmask(pcbsp->cache[dir]->spidx, 289 &spidx)) 290 return NULL; 291 pcbsp->cacheidx[dir] = spidx; 292 } 293 } else { 294 /* 295 * The pcb is connected, and the L4 code is sure that: 296 * - outgoing side uses inp_[lf]addr 297 * - incoming side looks up policy after inpcb lookup 298 * and address pair is known to be stable. We do not need 299 * to generate spidx again, nor check the address match again. 300 * 301 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds 302 * and there are calls to ipsec_pcbconn() from in_pcbconnect(). 303 */ 304 } 305 306 pcbsp->cache[dir]->lastused = mono_time.tv_sec; 307 pcbsp->cache[dir]->refcnt++; 308 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 309 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n", 310 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir])); 311 return pcbsp->cache[dir]; 312 } 313 314 static int 315 ipsec_fillpcbcache(pcbsp, m, sp, dir) 316 struct inpcbpolicy *pcbsp; 317 struct mbuf *m; 318 struct secpolicy *sp; 319 int dir; 320 { 321 322 switch (dir) { 323 case IPSEC_DIR_INBOUND: 324 case IPSEC_DIR_OUTBOUND: 325 break; 326 default: 327 return EINVAL; 328 } 329 #ifdef DIAGNOSTIC 330 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0])) 331 panic("dir too big in ipsec_checkpcbcache"); 332 #endif 333 334 if (pcbsp->cache[dir]) 335 key_freesp(pcbsp->cache[dir]); 336 pcbsp->cache[dir] = NULL; 337 if (ipsec_setspidx(m, &pcbsp->cacheidx[dir], 1) != 0) { 338 return EINVAL; 339 } 340 pcbsp->cache[dir] = sp; 341 if (pcbsp->cache[dir]) { 342 pcbsp->cache[dir]->refcnt++; 343 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 344 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n", 345 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir])); 346 } 347 pcbsp->cachegen[dir] = sp_cachegen; 348 349 return 0; 350 } 351 352 static int 353 ipsec_invalpcbcache(pcbsp, dir) 354 struct inpcbpolicy *pcbsp; 355 int dir; 356 { 357 int i; 358 359 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) { 360 if (dir != IPSEC_DIR_ANY && i != dir) 361 continue; 362 if (pcbsp->cache[i]) 363 key_freesp(pcbsp->cache[i]); 364 pcbsp->cache[i] = NULL; 365 pcbsp->cachegen[i] = 0; 366 bzero(&pcbsp->cacheidx[i], sizeof(pcbsp->cacheidx[i])); 367 } 368 return 0; 369 } 370 371 int 372 ipsec_pcbconn(pcbsp) 373 struct inpcbpolicy *pcbsp; 374 { 375 376 pcbsp->cacheflags |= IPSEC_PCBSP_CONNECTED; 377 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 378 return 0; 379 } 380 381 int 382 ipsec_pcbdisconn(pcbsp) 383 struct inpcbpolicy *pcbsp; 384 { 385 386 pcbsp->cacheflags &= ~IPSEC_PCBSP_CONNECTED; 387 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 388 return 0; 389 } 390 391 int 392 ipsec_invalpcbcacheall() 393 { 394 395 sp_cachegen++; 396 return 0; 397 } 398 399 /* 400 * For OUTBOUND packet having a socket. Searching SPD for packet, 401 * and return a pointer to SP. 402 * OUT: NULL: no apropreate SP found, the following value is set to error. 403 * 0 : bypass 404 * EACCES : discard packet. 405 * ENOENT : ipsec_acquire() in progress, maybe. 406 * others : error occured. 407 * others: a pointer to SP 408 * 409 * NOTE: IPv6 mapped adddress concern is implemented here. 410 */ 411 struct secpolicy * 412 ipsec4_getpolicybysock(m, dir, so, error) 413 struct mbuf *m; 414 u_int dir; 415 struct socket *so; 416 int *error; 417 { 418 struct inpcbpolicy *pcbsp = NULL; 419 struct secpolicy *currsp = NULL; /* policy on socket */ 420 struct secpolicy *kernsp = NULL; /* policy on kernel */ 421 struct secpolicyindex spidx; 422 u_int16_t tag; 423 424 /* sanity check */ 425 if (m == NULL || so == NULL || error == NULL) 426 panic("ipsec4_getpolicybysock: NULL pointer was passed."); 427 428 switch (so->so_proto->pr_domain->dom_family) { 429 case AF_INET: 430 pcbsp = sotoinpcb(so)->inp_sp; 431 break; 432 #ifdef INET6 433 case AF_INET6: 434 pcbsp = sotoin6pcb(so)->in6p_sp; 435 break; 436 #endif 437 default: 438 panic("ipsec4_getpolicybysock: unsupported address family"); 439 } 440 441 #ifdef DIAGNOSTIC 442 if (pcbsp == NULL) 443 panic("ipsec4_getpolicybysock: pcbsp is NULL."); 444 #endif 445 446 tag = 0; 447 448 /* if we have a cached entry, and if it is still valid, use it. */ 449 ipsecstat.spdcachelookup++; 450 currsp = ipsec_checkpcbcache(m, pcbsp, dir); 451 if (currsp) { 452 *error = 0; 453 return currsp; 454 } 455 ipsecstat.spdcachemiss++; 456 457 switch (dir) { 458 case IPSEC_DIR_INBOUND: 459 currsp = pcbsp->sp_in; 460 break; 461 case IPSEC_DIR_OUTBOUND: 462 currsp = pcbsp->sp_out; 463 break; 464 default: 465 panic("ipsec4_getpolicybysock: illegal direction."); 466 } 467 468 /* sanity check */ 469 if (currsp == NULL) 470 panic("ipsec4_getpolicybysock: currsp is NULL."); 471 472 /* when privilieged socket */ 473 if (pcbsp->priv) { 474 switch (currsp->policy) { 475 case IPSEC_POLICY_BYPASS: 476 currsp->refcnt++; 477 *error = 0; 478 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 479 return currsp; 480 481 case IPSEC_POLICY_ENTRUST: 482 /* look for a policy in SPD */ 483 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 && 484 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 485 /* SP found */ 486 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 487 printf("DP ipsec4_getpolicybysock called " 488 "to allocate SP:%p\n", kernsp)); 489 *error = 0; 490 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 491 return kernsp; 492 } 493 494 /* no SP found */ 495 ip4_def_policy->refcnt++; 496 *error = 0; 497 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir); 498 return ip4_def_policy; 499 500 case IPSEC_POLICY_IPSEC: 501 currsp->refcnt++; 502 *error = 0; 503 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 504 return currsp; 505 506 default: 507 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 508 "Invalid policy for PCB %d\n", currsp->policy)); 509 *error = EINVAL; 510 return NULL; 511 } 512 /* NOTREACHED */ 513 } 514 515 /* when non-privilieged socket */ 516 /* look for a policy in SPD */ 517 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 && 518 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 519 /* SP found */ 520 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 521 printf("DP ipsec4_getpolicybysock called " 522 "to allocate SP:%p\n", kernsp)); 523 *error = 0; 524 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 525 return kernsp; 526 } 527 528 /* no SP found */ 529 switch (currsp->policy) { 530 case IPSEC_POLICY_BYPASS: 531 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 532 "Illegal policy for non-priviliged defined %d\n", 533 currsp->policy)); 534 *error = EINVAL; 535 return NULL; 536 537 case IPSEC_POLICY_ENTRUST: 538 ip4_def_policy->refcnt++; 539 *error = 0; 540 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir); 541 return ip4_def_policy; 542 543 case IPSEC_POLICY_IPSEC: 544 currsp->refcnt++; 545 *error = 0; 546 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 547 return currsp; 548 549 default: 550 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 551 "Invalid policy for PCB %d\n", currsp->policy)); 552 *error = EINVAL; 553 return NULL; 554 } 555 /* NOTREACHED */ 556 } 557 558 /* 559 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 560 * and return a pointer to SP. 561 * OUT: positive: a pointer to the entry for security policy leaf matched. 562 * NULL: no apropreate SP found, the following value is set to error. 563 * 0 : bypass 564 * EACCES : discard packet. 565 * ENOENT : ipsec_acquire() in progress, maybe. 566 * others : error occured. 567 */ 568 struct secpolicy * 569 ipsec4_getpolicybyaddr(m, dir, flag, error) 570 struct mbuf *m; 571 u_int dir; 572 int flag; 573 int *error; 574 { 575 struct secpolicy *sp = NULL; 576 u_int16_t tag; 577 578 /* sanity check */ 579 if (m == NULL || error == NULL) 580 panic("ipsec4_getpolicybyaddr: NULL pointer was passed."); 581 582 /* get a policy entry matched with the packet */ 583 { 584 struct secpolicyindex spidx; 585 586 bzero(&spidx, sizeof(spidx)); 587 588 /* make an index to look for a policy */ 589 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m, 590 (flag & IP_FORWARDING) ? 0 : 1); 591 592 if (*error != 0) 593 return NULL; 594 595 tag = 0; 596 597 sp = key_allocsp(tag, &spidx, dir); 598 } 599 600 /* SP found */ 601 if (sp != NULL) { 602 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 603 printf("DP ipsec4_getpolicybyaddr called " 604 "to allocate SP:%p\n", sp)); 605 *error = 0; 606 return sp; 607 } 608 609 /* no SP found */ 610 ip4_def_policy->refcnt++; 611 *error = 0; 612 return ip4_def_policy; 613 } 614 615 #ifdef INET6 616 /* 617 * For OUTBOUND packet having a socket. Searching SPD for packet, 618 * and return a pointer to SP. 619 * OUT: NULL: no apropreate SP found, the following value is set to error. 620 * 0 : bypass 621 * EACCES : discard packet. 622 * ENOENT : ipsec_acquire() in progress, maybe. 623 * others : error occured. 624 * others: a pointer to SP 625 */ 626 struct secpolicy * 627 ipsec6_getpolicybysock(m, dir, so, error) 628 struct mbuf *m; 629 u_int dir; 630 struct socket *so; 631 int *error; 632 { 633 struct inpcbpolicy *pcbsp = NULL; 634 struct secpolicy *currsp = NULL; /* policy on socket */ 635 struct secpolicy *kernsp = NULL; /* policy on kernel */ 636 struct secpolicyindex spidx; 637 u_int16_t tag; 638 639 /* sanity check */ 640 if (m == NULL || so == NULL || error == NULL) 641 panic("ipsec6_getpolicybysock: NULL pointer was passed."); 642 643 #ifdef DIAGNOSTIC 644 if (so->so_proto->pr_domain->dom_family != AF_INET6) 645 panic("ipsec6_getpolicybysock: socket domain != inet6"); 646 #endif 647 648 pcbsp = sotoin6pcb(so)->in6p_sp; 649 650 #ifdef DIAGNOSTIC 651 if (pcbsp == NULL) 652 panic("ipsec6_getpolicybysock: pcbsp is NULL."); 653 #endif 654 655 tag = 0; 656 657 /* if we have a cached entry, and if it is still valid, use it. */ 658 ipsec6stat.spdcachelookup++; 659 currsp = ipsec_checkpcbcache(m, pcbsp, dir); 660 if (currsp) { 661 *error = 0; 662 return currsp; 663 } 664 ipsec6stat.spdcachemiss++; 665 666 switch (dir) { 667 case IPSEC_DIR_INBOUND: 668 currsp = pcbsp->sp_in; 669 break; 670 case IPSEC_DIR_OUTBOUND: 671 currsp = pcbsp->sp_out; 672 break; 673 default: 674 panic("ipsec6_getpolicybysock: illegal direction."); 675 } 676 677 /* sanity check */ 678 if (currsp == NULL) 679 panic("ipsec6_getpolicybysock: currsp is NULL."); 680 681 /* when privilieged socket */ 682 if (pcbsp->priv) { 683 switch (currsp->policy) { 684 case IPSEC_POLICY_BYPASS: 685 currsp->refcnt++; 686 *error = 0; 687 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 688 return currsp; 689 690 case IPSEC_POLICY_ENTRUST: 691 /* look for a policy in SPD */ 692 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 && 693 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 694 /* SP found */ 695 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 696 printf("DP ipsec6_getpolicybysock called " 697 "to allocate SP:%p\n", kernsp)); 698 *error = 0; 699 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 700 return kernsp; 701 } 702 703 /* no SP found */ 704 ip6_def_policy->refcnt++; 705 *error = 0; 706 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir); 707 return ip6_def_policy; 708 709 case IPSEC_POLICY_IPSEC: 710 currsp->refcnt++; 711 *error = 0; 712 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 713 return currsp; 714 715 default: 716 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " 717 "Invalid policy for PCB %d\n", currsp->policy)); 718 *error = EINVAL; 719 return NULL; 720 } 721 /* NOTREACHED */ 722 } 723 724 /* when non-privilieged socket */ 725 /* look for a policy in SPD */ 726 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 && 727 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 728 /* SP found */ 729 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 730 printf("DP ipsec6_getpolicybysock called " 731 "to allocate SP:%p\n", kernsp)); 732 *error = 0; 733 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 734 return kernsp; 735 } 736 737 /* no SP found */ 738 switch (currsp->policy) { 739 case IPSEC_POLICY_BYPASS: 740 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " 741 "Illegal policy for non-priviliged defined %d\n", 742 currsp->policy)); 743 *error = EINVAL; 744 return NULL; 745 746 case IPSEC_POLICY_ENTRUST: 747 ip6_def_policy->refcnt++; 748 *error = 0; 749 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir); 750 return ip6_def_policy; 751 752 case IPSEC_POLICY_IPSEC: 753 currsp->refcnt++; 754 *error = 0; 755 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 756 return currsp; 757 758 default: 759 ipseclog((LOG_ERR, 760 "ipsec6_policybysock: Invalid policy for PCB %d\n", 761 currsp->policy)); 762 *error = EINVAL; 763 return NULL; 764 } 765 /* NOTREACHED */ 766 } 767 768 /* 769 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 770 * and return a pointer to SP. 771 * `flag' means that packet is to be forwarded whether or not. 772 * flag = 1: forwad 773 * OUT: positive: a pointer to the entry for security policy leaf matched. 774 * NULL: no apropreate SP found, the following value is set to error. 775 * 0 : bypass 776 * EACCES : discard packet. 777 * ENOENT : ipsec_acquire() in progress, maybe. 778 * others : error occured. 779 */ 780 #ifndef IP_FORWARDING 781 #define IP_FORWARDING 1 782 #endif 783 784 struct secpolicy * 785 ipsec6_getpolicybyaddr(m, dir, flag, error) 786 struct mbuf *m; 787 u_int dir; 788 int flag; 789 int *error; 790 { 791 struct secpolicy *sp = NULL; 792 u_int16_t tag; 793 794 /* sanity check */ 795 if (m == NULL || error == NULL) 796 panic("ipsec6_getpolicybyaddr: NULL pointer was passed."); 797 798 /* get a policy entry matched with the packet */ 799 { 800 struct secpolicyindex spidx; 801 802 bzero(&spidx, sizeof(spidx)); 803 804 /* make an index to look for a policy */ 805 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 806 (flag & IP_FORWARDING) ? 0 : 1); 807 808 if (*error != 0) 809 return NULL; 810 811 tag = 0; 812 813 sp = key_allocsp(tag, &spidx, dir); 814 } 815 816 /* SP found */ 817 if (sp != NULL) { 818 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 819 printf("DP ipsec6_getpolicybyaddr called " 820 "to allocate SP:%p\n", sp)); 821 *error = 0; 822 return sp; 823 } 824 825 /* no SP found */ 826 ip6_def_policy->refcnt++; 827 *error = 0; 828 return ip6_def_policy; 829 } 830 #endif /* INET6 */ 831 832 /* 833 * set IP address into spidx from mbuf. 834 * When Forwarding packet and ICMP echo reply, this function is used. 835 * 836 * IN: get the followings from mbuf. 837 * protocol family, src, dst, next protocol 838 * OUT: 839 * 0: success. 840 * other: failure, and set errno. 841 */ 842 int 843 ipsec_setspidx_mbuf(spidx, family, m, needport) 844 struct secpolicyindex *spidx; 845 int family; 846 struct mbuf *m; 847 int needport; 848 { 849 int error; 850 851 /* sanity check */ 852 if (spidx == NULL || m == NULL) 853 panic("ipsec_setspidx_mbuf: NULL pointer was passed."); 854 855 bzero(spidx, sizeof(*spidx)); 856 857 error = ipsec_setspidx(m, spidx, needport); 858 if (error) 859 goto bad; 860 861 return 0; 862 863 bad: 864 /* XXX initialize */ 865 bzero(spidx, sizeof(*spidx)); 866 return EINVAL; 867 } 868 869 /* 870 * configure security policy index (src/dst/proto/sport/dport) 871 * by looking at the content of mbuf. 872 * the caller is responsible for error recovery (like clearing up spidx). 873 */ 874 static int 875 ipsec_setspidx(m, spidx, needport) 876 struct mbuf *m; 877 struct secpolicyindex *spidx; 878 int needport; 879 { 880 struct ip *ip = NULL; 881 struct ip ipbuf; 882 u_int v; 883 struct mbuf *n; 884 int len; 885 int error; 886 887 if (m == NULL) 888 panic("ipsec_setspidx: m == 0 passed."); 889 890 bzero(spidx, sizeof(*spidx)); 891 892 /* 893 * validate m->m_pkthdr.len. we see incorrect length if we 894 * mistakenly call this function with inconsistent mbuf chain 895 * (like 4.4BSD tcp/udp processing). XXX should we panic here? 896 */ 897 len = 0; 898 for (n = m; n; n = n->m_next) 899 len += n->m_len; 900 if (m->m_pkthdr.len != len) { 901 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 902 printf("ipsec_setspidx: " 903 "total of m_len(%d) != pkthdr.len(%d), " 904 "ignored.\n", 905 len, m->m_pkthdr.len)); 906 return EINVAL; 907 } 908 909 if (m->m_pkthdr.len < sizeof(struct ip)) { 910 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 911 printf("ipsec_setspidx: " 912 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n", 913 m->m_pkthdr.len)); 914 return EINVAL; 915 } 916 917 if (m->m_len >= sizeof(*ip)) 918 ip = mtod(m, struct ip *); 919 else { 920 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 921 ip = &ipbuf; 922 } 923 #ifdef _IP_VHL 924 v = _IP_VHL_V(ip->ip_vhl); 925 #else 926 v = ip->ip_v; 927 #endif 928 switch (v) { 929 case 4: 930 error = ipsec4_setspidx_ipaddr(m, spidx); 931 if (error) 932 return error; 933 ipsec4_get_ulp(m, spidx, needport); 934 return 0; 935 #ifdef INET6 936 case 6: 937 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 938 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 939 printf("ipsec_setspidx: " 940 "pkthdr.len(%d) < sizeof(struct ip6_hdr), " 941 "ignored.\n", m->m_pkthdr.len)); 942 return EINVAL; 943 } 944 error = ipsec6_setspidx_ipaddr(m, spidx); 945 if (error) 946 return error; 947 ipsec6_get_ulp(m, spidx, needport); 948 return 0; 949 #endif 950 default: 951 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 952 printf("ipsec_setspidx: " 953 "unknown IP version %u, ignored.\n", v)); 954 return EINVAL; 955 } 956 } 957 958 static void 959 ipsec4_get_ulp(m, spidx, needport) 960 struct mbuf *m; 961 struct secpolicyindex *spidx; 962 int needport; 963 { 964 struct ip ip; 965 struct ip6_ext ip6e; 966 u_int8_t nxt; 967 int off; 968 struct tcphdr th; 969 struct udphdr uh; 970 971 /* sanity check */ 972 if (m == NULL) 973 panic("ipsec4_get_ulp: NULL pointer was passed."); 974 if (m->m_pkthdr.len < sizeof(ip)) 975 panic("ipsec4_get_ulp: too short"); 976 977 /* set default */ 978 spidx->ul_proto = IPSEC_ULPROTO_ANY; 979 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY; 980 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY; 981 982 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip); 983 /* ip_input() flips it into host endian XXX need more checking */ 984 if (ip.ip_off & (IP_MF | IP_OFFMASK)) 985 return; 986 987 nxt = ip.ip_p; 988 #ifdef _IP_VHL 989 off = _IP_VHL_HL(ip->ip_vhl) << 2; 990 #else 991 off = ip.ip_hl << 2; 992 #endif 993 while (off < m->m_pkthdr.len) { 994 switch (nxt) { 995 case IPPROTO_TCP: 996 spidx->ul_proto = nxt; 997 if (!needport) 998 return; 999 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1000 return; 1001 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1002 ((struct sockaddr_in *)&spidx->src)->sin_port = 1003 th.th_sport; 1004 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1005 th.th_dport; 1006 return; 1007 case IPPROTO_UDP: 1008 spidx->ul_proto = nxt; 1009 if (!needport) 1010 return; 1011 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1012 return; 1013 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1014 ((struct sockaddr_in *)&spidx->src)->sin_port = 1015 uh.uh_sport; 1016 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1017 uh.uh_dport; 1018 return; 1019 case IPPROTO_AH: 1020 if (m->m_pkthdr.len > off + sizeof(ip6e)) 1021 return; 1022 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1023 off += (ip6e.ip6e_len + 2) << 2; 1024 nxt = ip6e.ip6e_nxt; 1025 break; 1026 case IPPROTO_ICMP: 1027 default: 1028 /* XXX intermediate headers??? */ 1029 spidx->ul_proto = nxt; 1030 return; 1031 } 1032 } 1033 } 1034 1035 /* assumes that m is sane */ 1036 static int 1037 ipsec4_setspidx_ipaddr(m, spidx) 1038 struct mbuf *m; 1039 struct secpolicyindex *spidx; 1040 { 1041 struct ip *ip = NULL; 1042 struct ip ipbuf; 1043 struct sockaddr_in *sin; 1044 1045 if (m->m_len >= sizeof(*ip)) 1046 ip = mtod(m, struct ip *); 1047 else { 1048 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 1049 ip = &ipbuf; 1050 } 1051 1052 sin = (struct sockaddr_in *)&spidx->src; 1053 bzero(sin, sizeof(*sin)); 1054 sin->sin_family = AF_INET; 1055 sin->sin_len = sizeof(struct sockaddr_in); 1056 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src)); 1057 spidx->prefs = sizeof(struct in_addr) << 3; 1058 1059 sin = (struct sockaddr_in *)&spidx->dst; 1060 bzero(sin, sizeof(*sin)); 1061 sin->sin_family = AF_INET; 1062 sin->sin_len = sizeof(struct sockaddr_in); 1063 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)); 1064 spidx->prefd = sizeof(struct in_addr) << 3; 1065 return 0; 1066 } 1067 1068 #ifdef INET6 1069 static void 1070 ipsec6_get_ulp(m, spidx, needport) 1071 struct mbuf *m; 1072 struct secpolicyindex *spidx; 1073 int needport; 1074 { 1075 int off, nxt; 1076 struct tcphdr th; 1077 struct udphdr uh; 1078 struct icmp6_hdr ih; 1079 1080 /* sanity check */ 1081 if (m == NULL) 1082 panic("ipsec6_get_ulp: NULL pointer was passed."); 1083 1084 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1085 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m)); 1086 1087 /* set default */ 1088 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1089 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; 1090 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; 1091 1092 nxt = -1; 1093 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 1094 if (off < 0 || m->m_pkthdr.len < off) 1095 return; 1096 1097 switch (nxt) { 1098 case IPPROTO_TCP: 1099 spidx->ul_proto = nxt; 1100 if (!needport) 1101 break; 1102 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1103 break; 1104 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1105 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; 1106 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; 1107 break; 1108 case IPPROTO_UDP: 1109 spidx->ul_proto = nxt; 1110 if (!needport) 1111 break; 1112 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1113 break; 1114 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1115 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; 1116 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; 1117 break; 1118 case IPPROTO_ICMPV6: 1119 spidx->ul_proto = nxt; 1120 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len) 1121 break; 1122 m_copydata(m, off, sizeof(ih), (caddr_t)&ih); 1123 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = 1124 htons((u_int16_t)ih.icmp6_type); 1125 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = 1126 htons((u_int16_t)ih.icmp6_code); 1127 break; 1128 default: 1129 /* XXX intermediate headers??? */ 1130 spidx->ul_proto = nxt; 1131 break; 1132 } 1133 } 1134 1135 /* assumes that m is sane */ 1136 static int 1137 ipsec6_setspidx_ipaddr(m, spidx) 1138 struct mbuf *m; 1139 struct secpolicyindex *spidx; 1140 { 1141 struct ip6_hdr *ip6 = NULL; 1142 struct ip6_hdr ip6buf; 1143 struct sockaddr_in6 *sin6; 1144 1145 if (m->m_len >= sizeof(*ip6)) 1146 ip6 = mtod(m, struct ip6_hdr *); 1147 else { 1148 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); 1149 ip6 = &ip6buf; 1150 } 1151 1152 sin6 = (struct sockaddr_in6 *)&spidx->src; 1153 bzero(sin6, sizeof(*sin6)); 1154 sin6->sin6_family = AF_INET6; 1155 sin6->sin6_len = sizeof(struct sockaddr_in6); 1156 in6_recoverscope(sin6, &ip6->ip6_src, NULL); 1157 spidx->prefs = sizeof(struct in6_addr) << 3; 1158 1159 sin6 = (struct sockaddr_in6 *)&spidx->dst; 1160 bzero(sin6, sizeof(*sin6)); 1161 sin6->sin6_family = AF_INET6; 1162 sin6->sin6_len = sizeof(struct sockaddr_in6); 1163 in6_recoverscope(sin6, &ip6->ip6_dst, NULL); 1164 spidx->prefd = sizeof(struct in6_addr) << 3; 1165 1166 return 0; 1167 } 1168 #endif 1169 1170 static struct inpcbpolicy * 1171 ipsec_newpcbpolicy() 1172 { 1173 struct inpcbpolicy *p; 1174 1175 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT); 1176 return p; 1177 } 1178 1179 static void 1180 ipsec_delpcbpolicy(p) 1181 struct inpcbpolicy *p; 1182 { 1183 1184 free(p, M_SECA); 1185 } 1186 1187 /* initialize policy in PCB */ 1188 int 1189 ipsec_init_pcbpolicy(so, pcb_sp) 1190 struct socket *so; 1191 struct inpcbpolicy **pcb_sp; 1192 { 1193 struct inpcbpolicy *new; 1194 static int initialized = 0; 1195 static struct secpolicy *in = NULL, *out = NULL; 1196 1197 /* sanity check. */ 1198 if (so == NULL || pcb_sp == NULL) 1199 panic("ipsec_init_pcbpolicy: NULL pointer was passed."); 1200 1201 if (!initialized) { 1202 if ((in = key_newsp(0)) == NULL) 1203 return ENOBUFS; 1204 if ((out = key_newsp(0)) == NULL) { 1205 key_freesp(in); 1206 in = NULL; 1207 return ENOBUFS; 1208 } 1209 1210 in->state = IPSEC_SPSTATE_ALIVE; 1211 in->policy = IPSEC_POLICY_ENTRUST; 1212 in->dir = IPSEC_DIR_INBOUND; 1213 in->readonly = 1; 1214 in->persist = 1; 1215 in->so = NULL; 1216 1217 out->state = IPSEC_SPSTATE_ALIVE; 1218 out->policy = IPSEC_POLICY_ENTRUST; 1219 out->dir = IPSEC_DIR_OUTBOUND; 1220 out->readonly = 1; 1221 out->persist = 1; 1222 out->so = NULL; 1223 1224 initialized++; 1225 } 1226 1227 new = ipsec_newpcbpolicy(); 1228 if (new == NULL) { 1229 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n")); 1230 return ENOBUFS; 1231 } 1232 bzero(new, sizeof(*new)); 1233 1234 if (so->so_cred != 0 && so->so_cred->cr_uid == 0) 1235 new->priv = 1; 1236 else 1237 new->priv = 0; 1238 1239 new->sp_in = in; 1240 new->sp_in->refcnt++; 1241 new->sp_out = out; 1242 new->sp_out->refcnt++; 1243 1244 *pcb_sp = new; 1245 1246 return 0; 1247 } 1248 1249 /* copy old ipsec policy into new */ 1250 int 1251 ipsec_copy_pcbpolicy(old, new) 1252 struct inpcbpolicy *old, *new; 1253 { 1254 1255 if (new->sp_in) 1256 key_freesp(new->sp_in); 1257 if (old->sp_in->policy == IPSEC_POLICY_IPSEC) 1258 new->sp_in = ipsec_deepcopy_policy(old->sp_in); 1259 else { 1260 new->sp_in = old->sp_in; 1261 new->sp_in->refcnt++; 1262 } 1263 1264 if (new->sp_out) 1265 key_freesp(new->sp_out); 1266 if (old->sp_out->policy == IPSEC_POLICY_IPSEC) 1267 new->sp_out = ipsec_deepcopy_policy(old->sp_out); 1268 else { 1269 new->sp_out = old->sp_out; 1270 new->sp_out->refcnt++; 1271 } 1272 1273 new->priv = old->priv; 1274 1275 return 0; 1276 } 1277 1278 #if 0 1279 static int 1280 ipsec_deepcopy_pcbpolicy(pcb_sp) 1281 struct inpcbpolicy *pcb_sp; 1282 { 1283 struct secpolicy *sp; 1284 1285 sp = ipsec_deepcopy_policy(pcb_sp->sp_in); 1286 if (sp) { 1287 key_freesp(pcb_sp->sp_in); 1288 pcb_sp->sp_in = sp; 1289 } else 1290 return ENOBUFS; 1291 1292 sp = ipsec_deepcopy_policy(pcb_sp->sp_out); 1293 if (sp) { 1294 key_freesp(pcb_sp->sp_out); 1295 pcb_sp->sp_out = sp; 1296 } else 1297 return ENOBUFS; 1298 1299 return 0; 1300 } 1301 #endif 1302 1303 /* deep-copy a policy in PCB */ 1304 static struct secpolicy * 1305 ipsec_deepcopy_policy(src) 1306 struct secpolicy *src; 1307 { 1308 struct ipsecrequest *newchain = NULL; 1309 struct ipsecrequest *p; 1310 struct ipsecrequest **q; 1311 struct ipsecrequest *r; 1312 struct secpolicy *dst; 1313 1314 if (src == NULL) 1315 return NULL; 1316 1317 dst = key_newsp(0); 1318 if (dst == NULL) 1319 return NULL; 1320 1321 /* 1322 * deep-copy IPsec request chain. This is required since struct 1323 * ipsecrequest is not reference counted. 1324 */ 1325 q = &newchain; 1326 for (p = src->req; p; p = p->next) { 1327 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest), 1328 M_SECA, M_NOWAIT); 1329 if (*q == NULL) 1330 goto fail; 1331 bzero(*q, sizeof(**q)); 1332 (*q)->next = NULL; 1333 1334 (*q)->saidx.proto = p->saidx.proto; 1335 (*q)->saidx.mode = p->saidx.mode; 1336 (*q)->level = p->level; 1337 (*q)->saidx.reqid = p->saidx.reqid; 1338 1339 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src)); 1340 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst)); 1341 1342 (*q)->sav = NULL; 1343 (*q)->sp = dst; 1344 1345 q = &((*q)->next); 1346 } 1347 1348 if (src->spidx) 1349 if (keydb_setsecpolicyindex(dst, src->spidx) != 0) 1350 goto fail; 1351 1352 dst->req = newchain; 1353 dst->state = src->state; 1354 dst->policy = src->policy; 1355 dst->dir = src->dir; 1356 dst->so = src->so; 1357 /* do not touch the refcnt fields */ 1358 1359 return dst; 1360 1361 fail: 1362 for (p = newchain; p; p = r) { 1363 r = p->next; 1364 free(p, M_SECA); 1365 p = NULL; 1366 } 1367 key_freesp(dst); 1368 return NULL; 1369 } 1370 1371 /* set policy and ipsec request if present. */ 1372 static int 1373 ipsec_set_policy(spp, optname, request, len, priv) 1374 struct secpolicy **spp; 1375 int optname; 1376 caddr_t request; 1377 size_t len; 1378 int priv; 1379 { 1380 struct sadb_x_policy *xpl; 1381 struct secpolicy *newsp = NULL; 1382 int error; 1383 1384 /* sanity check. */ 1385 if (spp == NULL || *spp == NULL || request == NULL) 1386 return EINVAL; 1387 if (len < sizeof(*xpl)) 1388 return EINVAL; 1389 xpl = (struct sadb_x_policy *)request; 1390 1391 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1392 printf("ipsec_set_policy: passed policy\n"); 1393 kdebug_sadb_x_policy((struct sadb_ext *)xpl)); 1394 1395 /* check policy type */ 1396 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ 1397 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD || 1398 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) 1399 return EINVAL; 1400 1401 /* check privileged socket */ 1402 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) 1403 return EACCES; 1404 1405 /* allocation new SP entry */ 1406 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) 1407 return error; 1408 1409 newsp->state = IPSEC_SPSTATE_ALIVE; 1410 1411 /* clear old SP and set new SP */ 1412 key_freesp(*spp); 1413 *spp = newsp; 1414 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1415 printf("ipsec_set_policy: new policy\n"); 1416 kdebug_secpolicy(newsp)); 1417 1418 return 0; 1419 } 1420 1421 static int 1422 ipsec_get_policy(sp, mp) 1423 struct secpolicy *sp; 1424 struct mbuf **mp; 1425 { 1426 1427 /* sanity check. */ 1428 if (sp == NULL || mp == NULL) 1429 return EINVAL; 1430 1431 *mp = key_sp2msg(sp); 1432 if (!*mp) { 1433 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n")); 1434 return ENOBUFS; 1435 } 1436 1437 (*mp)->m_type = MT_DATA; 1438 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1439 printf("ipsec_get_policy:\n"); 1440 kdebug_mbuf(*mp)); 1441 1442 return 0; 1443 } 1444 1445 int 1446 ipsec4_set_policy(inp, optname, request, len, priv) 1447 struct inpcb *inp; 1448 int optname; 1449 caddr_t request; 1450 size_t len; 1451 int priv; 1452 { 1453 struct sadb_x_policy *xpl; 1454 struct secpolicy **spp; 1455 1456 /* sanity check. */ 1457 if (inp == NULL || request == NULL) 1458 return EINVAL; 1459 if (len < sizeof(*xpl)) 1460 return EINVAL; 1461 xpl = (struct sadb_x_policy *)request; 1462 1463 /* select direction */ 1464 switch (xpl->sadb_x_policy_dir) { 1465 case IPSEC_DIR_INBOUND: 1466 spp = &inp->inp_sp->sp_in; 1467 break; 1468 case IPSEC_DIR_OUTBOUND: 1469 spp = &inp->inp_sp->sp_out; 1470 break; 1471 default: 1472 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", 1473 xpl->sadb_x_policy_dir)); 1474 return EINVAL; 1475 } 1476 1477 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1478 return ipsec_set_policy(spp, optname, request, len, priv); 1479 } 1480 1481 int 1482 ipsec4_get_policy(inp, request, len, mp) 1483 struct inpcb *inp; 1484 caddr_t request; 1485 size_t len; 1486 struct mbuf **mp; 1487 { 1488 struct sadb_x_policy *xpl; 1489 struct secpolicy *sp; 1490 1491 /* sanity check. */ 1492 if (inp == NULL || request == NULL || mp == NULL) 1493 return EINVAL; 1494 if (inp->inp_sp == NULL) 1495 panic("policy in PCB is NULL"); 1496 if (len < sizeof(*xpl)) 1497 return EINVAL; 1498 xpl = (struct sadb_x_policy *)request; 1499 1500 /* select direction */ 1501 switch (xpl->sadb_x_policy_dir) { 1502 case IPSEC_DIR_INBOUND: 1503 sp = inp->inp_sp->sp_in; 1504 break; 1505 case IPSEC_DIR_OUTBOUND: 1506 sp = inp->inp_sp->sp_out; 1507 break; 1508 default: 1509 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n", 1510 xpl->sadb_x_policy_dir)); 1511 return EINVAL; 1512 } 1513 1514 return ipsec_get_policy(sp, mp); 1515 } 1516 1517 /* delete policy in PCB */ 1518 int 1519 ipsec4_delete_pcbpolicy(inp) 1520 struct inpcb *inp; 1521 { 1522 /* sanity check. */ 1523 if (inp == NULL) 1524 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed."); 1525 1526 if (inp->inp_sp == NULL) 1527 return 0; 1528 1529 if (inp->inp_sp->sp_in != NULL) { 1530 key_freesp(inp->inp_sp->sp_in); 1531 inp->inp_sp->sp_in = NULL; 1532 } 1533 1534 if (inp->inp_sp->sp_out != NULL) { 1535 key_freesp(inp->inp_sp->sp_out); 1536 inp->inp_sp->sp_out = NULL; 1537 } 1538 1539 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1540 1541 ipsec_delpcbpolicy(inp->inp_sp); 1542 inp->inp_sp = NULL; 1543 1544 return 0; 1545 } 1546 1547 #ifdef INET6 1548 int 1549 ipsec6_set_policy(in6p, optname, request, len, priv) 1550 struct in6pcb *in6p; 1551 int optname; 1552 caddr_t request; 1553 size_t len; 1554 int priv; 1555 { 1556 struct sadb_x_policy *xpl; 1557 struct secpolicy **spp; 1558 1559 /* sanity check. */ 1560 if (in6p == NULL || request == NULL) 1561 return EINVAL; 1562 if (len < sizeof(*xpl)) 1563 return EINVAL; 1564 xpl = (struct sadb_x_policy *)request; 1565 1566 /* select direction */ 1567 switch (xpl->sadb_x_policy_dir) { 1568 case IPSEC_DIR_INBOUND: 1569 spp = &in6p->in6p_sp->sp_in; 1570 break; 1571 case IPSEC_DIR_OUTBOUND: 1572 spp = &in6p->in6p_sp->sp_out; 1573 break; 1574 default: 1575 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", 1576 xpl->sadb_x_policy_dir)); 1577 return EINVAL; 1578 } 1579 1580 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1581 return ipsec_set_policy(spp, optname, request, len, priv); 1582 } 1583 1584 int 1585 ipsec6_get_policy(in6p, request, len, mp) 1586 struct in6pcb *in6p; 1587 caddr_t request; 1588 size_t len; 1589 struct mbuf **mp; 1590 { 1591 struct sadb_x_policy *xpl; 1592 struct secpolicy *sp; 1593 1594 /* sanity check. */ 1595 if (in6p == NULL || request == NULL || mp == NULL) 1596 return EINVAL; 1597 if (in6p->in6p_sp == NULL) 1598 panic("policy in PCB is NULL"); 1599 if (len < sizeof(*xpl)) 1600 return EINVAL; 1601 xpl = (struct sadb_x_policy *)request; 1602 1603 /* select direction */ 1604 switch (xpl->sadb_x_policy_dir) { 1605 case IPSEC_DIR_INBOUND: 1606 sp = in6p->in6p_sp->sp_in; 1607 break; 1608 case IPSEC_DIR_OUTBOUND: 1609 sp = in6p->in6p_sp->sp_out; 1610 break; 1611 default: 1612 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n", 1613 xpl->sadb_x_policy_dir)); 1614 return EINVAL; 1615 } 1616 1617 return ipsec_get_policy(sp, mp); 1618 } 1619 1620 int 1621 ipsec6_delete_pcbpolicy(in6p) 1622 struct in6pcb *in6p; 1623 { 1624 /* sanity check. */ 1625 if (in6p == NULL) 1626 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed."); 1627 1628 if (in6p->in6p_sp == NULL) 1629 return 0; 1630 1631 if (in6p->in6p_sp->sp_in != NULL) { 1632 key_freesp(in6p->in6p_sp->sp_in); 1633 in6p->in6p_sp->sp_in = NULL; 1634 } 1635 1636 if (in6p->in6p_sp->sp_out != NULL) { 1637 key_freesp(in6p->in6p_sp->sp_out); 1638 in6p->in6p_sp->sp_out = NULL; 1639 } 1640 1641 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1642 1643 ipsec_delpcbpolicy(in6p->in6p_sp); 1644 in6p->in6p_sp = NULL; 1645 1646 return 0; 1647 } 1648 #endif 1649 1650 /* 1651 * return current level. 1652 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 1653 */ 1654 u_int 1655 ipsec_get_reqlevel(isr, af) 1656 struct ipsecrequest *isr; 1657 int af; 1658 { 1659 u_int level = 0; 1660 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev; 1661 1662 /* sanity check */ 1663 if (isr == NULL || isr->sp == NULL) 1664 panic("ipsec_get_reqlevel: NULL pointer is passed."); 1665 1666 /* set default level */ 1667 switch (af) { 1668 #ifdef INET 1669 case AF_INET: 1670 esp_trans_deflev = ip4_esp_trans_deflev; 1671 esp_net_deflev = ip4_esp_net_deflev; 1672 ah_trans_deflev = ip4_ah_trans_deflev; 1673 ah_net_deflev = ip4_ah_net_deflev; 1674 break; 1675 #endif 1676 #ifdef INET6 1677 case AF_INET6: 1678 esp_trans_deflev = ip6_esp_trans_deflev; 1679 esp_net_deflev = ip6_esp_net_deflev; 1680 ah_trans_deflev = ip6_ah_trans_deflev; 1681 ah_net_deflev = ip6_ah_net_deflev; 1682 break; 1683 #endif /* INET6 */ 1684 default: 1685 panic("key_get_reqlevel: Unknown family. %d", 1686 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family); 1687 } 1688 1689 /* set level */ 1690 switch (isr->level) { 1691 case IPSEC_LEVEL_DEFAULT: 1692 switch (isr->saidx.proto) { 1693 case IPPROTO_ESP: 1694 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1695 level = esp_net_deflev; 1696 else 1697 level = esp_trans_deflev; 1698 break; 1699 case IPPROTO_AH: 1700 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1701 level = ah_net_deflev; 1702 else 1703 level = ah_trans_deflev; 1704 case IPPROTO_IPCOMP: 1705 /* 1706 * we don't really care, as IPcomp document says that 1707 * we shouldn't compress small packets 1708 */ 1709 level = IPSEC_LEVEL_USE; 1710 break; 1711 default: 1712 panic("ipsec_get_reqlevel: " 1713 "Illegal protocol defined %u\n", 1714 isr->saidx.proto); 1715 } 1716 break; 1717 1718 case IPSEC_LEVEL_USE: 1719 case IPSEC_LEVEL_REQUIRE: 1720 level = isr->level; 1721 break; 1722 case IPSEC_LEVEL_UNIQUE: 1723 level = IPSEC_LEVEL_REQUIRE; 1724 break; 1725 1726 default: 1727 panic("ipsec_get_reqlevel: Illegal IPsec level %u", 1728 isr->level); 1729 } 1730 1731 return level; 1732 } 1733 1734 /* 1735 * Check AH/ESP integrity. 1736 * OUT: 1737 * 0: valid 1738 * 1: invalid 1739 */ 1740 static int 1741 ipsec_in_reject(sp, m) 1742 struct secpolicy *sp; 1743 struct mbuf *m; 1744 { 1745 struct ipsecrequest *isr; 1746 u_int level; 1747 int need_auth, need_conf, need_icv; 1748 1749 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1750 printf("ipsec_in_reject: using SP\n"); 1751 kdebug_secpolicy(sp)); 1752 1753 /* check policy */ 1754 switch (sp->policy) { 1755 case IPSEC_POLICY_DISCARD: 1756 return 1; 1757 case IPSEC_POLICY_BYPASS: 1758 case IPSEC_POLICY_NONE: 1759 return 0; 1760 1761 case IPSEC_POLICY_IPSEC: 1762 break; 1763 1764 case IPSEC_POLICY_ENTRUST: 1765 default: 1766 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy); 1767 } 1768 1769 need_auth = 0; 1770 need_conf = 0; 1771 need_icv = 0; 1772 1773 /* XXX should compare policy against ipsec header history */ 1774 1775 for (isr = sp->req; isr != NULL; isr = isr->next) { 1776 /* get current level */ 1777 level = ipsec_get_reqlevel(isr, AF_INET); 1778 1779 switch (isr->saidx.proto) { 1780 case IPPROTO_ESP: 1781 if (level == IPSEC_LEVEL_REQUIRE) { 1782 need_conf++; 1783 1784 if (isr->sav != NULL 1785 && isr->sav->flags == SADB_X_EXT_NONE 1786 && isr->sav->alg_auth != SADB_AALG_NONE) 1787 need_icv++; 1788 } 1789 break; 1790 case IPPROTO_AH: 1791 if (level == IPSEC_LEVEL_REQUIRE) { 1792 need_auth++; 1793 need_icv++; 1794 } 1795 break; 1796 case IPPROTO_IPCOMP: 1797 /* 1798 * we don't really care, as IPcomp document says that 1799 * we shouldn't compress small packets, IPComp policy 1800 * should always be treated as being in "use" level. 1801 */ 1802 break; 1803 } 1804 } 1805 1806 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1807 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n", 1808 need_auth, need_conf, need_icv, m->m_flags)); 1809 1810 if ((need_conf && !(m->m_flags & M_DECRYPTED)) 1811 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM)) 1812 || (need_auth && !(m->m_flags & M_AUTHIPHDR))) 1813 return 1; 1814 1815 return 0; 1816 } 1817 1818 /* 1819 * Check AH/ESP integrity. 1820 * This function is called from tcp_input(), udp_input(), 1821 * and {ah,esp}4_input for tunnel mode 1822 */ 1823 int 1824 ipsec4_in_reject_so(m, so) 1825 struct mbuf *m; 1826 struct socket *so; 1827 { 1828 struct secpolicy *sp = NULL; 1829 int error; 1830 int result; 1831 1832 /* sanity check */ 1833 if (m == NULL) 1834 return 0; /* XXX should be panic ? */ 1835 1836 /* get SP for this packet. 1837 * When we are called from ip_forward(), we call 1838 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 1839 */ 1840 if (so == NULL) 1841 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 1842 IP_FORWARDING, &error); 1843 else 1844 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error); 1845 1846 /* XXX should be panic ? -> No, there may be error. */ 1847 if (sp == NULL) 1848 return 0; 1849 1850 result = ipsec_in_reject(sp, m); 1851 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1852 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp)); 1853 key_freesp(sp); 1854 1855 return result; 1856 } 1857 1858 int 1859 ipsec4_in_reject(m, inp) 1860 struct mbuf *m; 1861 struct inpcb *inp; 1862 { 1863 if (inp == NULL) 1864 return ipsec4_in_reject_so(m, NULL); 1865 if (inp->inp_socket) 1866 return ipsec4_in_reject_so(m, inp->inp_socket); 1867 else 1868 panic("ipsec4_in_reject: invalid inpcb/socket"); 1869 } 1870 1871 #ifdef INET6 1872 /* 1873 * Check AH/ESP integrity. 1874 * This function is called from tcp6_input(), udp6_input(), 1875 * and {ah,esp}6_input for tunnel mode 1876 */ 1877 int 1878 ipsec6_in_reject_so(m, so) 1879 struct mbuf *m; 1880 struct socket *so; 1881 { 1882 struct secpolicy *sp = NULL; 1883 int error; 1884 int result; 1885 1886 /* sanity check */ 1887 if (m == NULL) 1888 return 0; /* XXX should be panic ? */ 1889 1890 /* get SP for this packet. 1891 * When we are called from ip_forward(), we call 1892 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. 1893 */ 1894 if (so == NULL) 1895 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 1896 IP_FORWARDING, &error); 1897 else 1898 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error); 1899 1900 if (sp == NULL) 1901 return 0; /* XXX should be panic ? */ 1902 1903 result = ipsec_in_reject(sp, m); 1904 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1905 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp)); 1906 key_freesp(sp); 1907 1908 return result; 1909 } 1910 1911 int 1912 ipsec6_in_reject(m, in6p) 1913 struct mbuf *m; 1914 struct in6pcb *in6p; 1915 { 1916 if (in6p == NULL) 1917 return ipsec6_in_reject_so(m, NULL); 1918 if (in6p->in6p_socket) 1919 return ipsec6_in_reject_so(m, in6p->in6p_socket); 1920 else 1921 panic("ipsec6_in_reject: invalid in6p/socket"); 1922 } 1923 #endif 1924 1925 /* 1926 * compute the byte size to be occupied by IPsec header. 1927 * in case it is tunneled, it includes the size of outer IP header. 1928 * NOTE: SP passed is free in this function. 1929 */ 1930 static size_t 1931 ipsec_hdrsiz(sp) 1932 struct secpolicy *sp; 1933 { 1934 struct ipsecrequest *isr; 1935 size_t siz, clen; 1936 1937 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1938 printf("ipsec_hdrsiz: using SP\n"); 1939 kdebug_secpolicy(sp)); 1940 1941 /* check policy */ 1942 switch (sp->policy) { 1943 case IPSEC_POLICY_DISCARD: 1944 case IPSEC_POLICY_BYPASS: 1945 case IPSEC_POLICY_NONE: 1946 return 0; 1947 1948 case IPSEC_POLICY_IPSEC: 1949 break; 1950 1951 case IPSEC_POLICY_ENTRUST: 1952 default: 1953 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy); 1954 } 1955 1956 siz = 0; 1957 1958 for (isr = sp->req; isr != NULL; isr = isr->next) { 1959 1960 clen = 0; 1961 1962 switch (isr->saidx.proto) { 1963 case IPPROTO_ESP: 1964 #ifdef IPSEC_ESP 1965 clen = esp_hdrsiz(isr); 1966 #else 1967 clen = 0; /* XXX */ 1968 #endif 1969 break; 1970 case IPPROTO_AH: 1971 clen = ah_hdrsiz(isr); 1972 break; 1973 case IPPROTO_IPCOMP: 1974 clen = sizeof(struct ipcomp); 1975 break; 1976 } 1977 1978 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 1979 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) { 1980 case AF_INET: 1981 clen += sizeof(struct ip); 1982 break; 1983 #ifdef INET6 1984 case AF_INET6: 1985 clen += sizeof(struct ip6_hdr); 1986 break; 1987 #endif 1988 default: 1989 ipseclog((LOG_ERR, "ipsec_hdrsiz: " 1990 "unknown AF %d in IPsec tunnel SA\n", 1991 ((struct sockaddr *)&isr->saidx.dst)->sa_family)); 1992 break; 1993 } 1994 } 1995 siz += clen; 1996 } 1997 1998 return siz; 1999 } 2000 2001 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ 2002 size_t 2003 ipsec4_hdrsiz(m, dir, inp) 2004 struct mbuf *m; 2005 u_int dir; 2006 struct inpcb *inp; 2007 { 2008 struct secpolicy *sp = NULL; 2009 int error; 2010 size_t size; 2011 2012 /* sanity check */ 2013 if (m == NULL) 2014 return 0; /* XXX should be panic ? */ 2015 if (inp != NULL && inp->inp_socket == NULL) 2016 panic("ipsec4_hdrsize: why is socket NULL but there is PCB."); 2017 2018 /* get SP for this packet. 2019 * When we are called from ip_forward(), we call 2020 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 2021 */ 2022 if (inp == NULL) 2023 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2024 else 2025 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error); 2026 2027 if (sp == NULL) 2028 return 0; /* XXX should be panic ? */ 2029 2030 size = ipsec_hdrsiz(sp); 2031 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2032 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp)); 2033 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2034 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size)); 2035 key_freesp(sp); 2036 2037 return size; 2038 } 2039 2040 #ifdef INET6 2041 /* This function is called from ipsec6_hdrsize_tcp(), 2042 * and maybe from ip6_forward.() 2043 */ 2044 size_t 2045 ipsec6_hdrsiz(m, dir, in6p) 2046 struct mbuf *m; 2047 u_int dir; 2048 struct in6pcb *in6p; 2049 { 2050 struct secpolicy *sp = NULL; 2051 int error; 2052 size_t size; 2053 2054 /* sanity check */ 2055 if (m == NULL) 2056 return 0; /* XXX should be panic ? */ 2057 if (in6p != NULL && in6p->in6p_socket == NULL) 2058 panic("ipsec6_hdrsize: why is socket NULL but there is PCB."); 2059 2060 /* get SP for this packet */ 2061 /* XXX Is it right to call with IP_FORWARDING. */ 2062 if (in6p == NULL) 2063 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2064 else 2065 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error); 2066 2067 if (sp == NULL) 2068 return 0; 2069 size = ipsec_hdrsiz(sp); 2070 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2071 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp)); 2072 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2073 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size)); 2074 key_freesp(sp); 2075 2076 return size; 2077 } 2078 #endif /* INET6 */ 2079 2080 #ifdef INET 2081 /* 2082 * encapsulate for ipsec tunnel. 2083 * ip->ip_src must be fixed later on. 2084 */ 2085 static int 2086 ipsec4_encapsulate(m, sav) 2087 struct mbuf *m; 2088 struct secasvar *sav; 2089 { 2090 struct ip *oip; 2091 struct ip *ip; 2092 size_t hlen; 2093 size_t plen; 2094 2095 /* can't tunnel between different AFs */ 2096 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2097 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2098 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2099 m_freem(m); 2100 return EINVAL; 2101 } 2102 #if 0 2103 /* XXX if the dst is myself, perform nothing. */ 2104 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2105 m_freem(m); 2106 return EINVAL; 2107 } 2108 #endif 2109 2110 if (m->m_len < sizeof(*ip)) 2111 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2112 2113 ip = mtod(m, struct ip *); 2114 #ifdef _IP_VHL 2115 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 2116 #else 2117 hlen = ip->ip_hl << 2; 2118 #endif 2119 2120 if (m->m_len != hlen) 2121 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2122 2123 /* generate header checksum */ 2124 ip->ip_sum = 0; 2125 #ifdef _IP_VHL 2126 if (ip->ip_vhl == IP_VHL_BORING) 2127 ip->ip_sum = in_cksum_hdr(ip); 2128 else 2129 ip->ip_sum = in_cksum(m, hlen); 2130 #else 2131 ip->ip_sum = in_cksum(m, hlen); 2132 #endif 2133 2134 plen = m->m_pkthdr.len; 2135 2136 /* 2137 * grow the mbuf to accomodate the new IPv4 header. 2138 * NOTE: IPv4 options will never be copied. 2139 */ 2140 if (M_LEADINGSPACE(m->m_next) < hlen) { 2141 struct mbuf *n; 2142 MGET(n, M_DONTWAIT, MT_DATA); 2143 if (!n) { 2144 m_freem(m); 2145 return ENOBUFS; 2146 } 2147 n->m_len = hlen; 2148 n->m_next = m->m_next; 2149 m->m_next = n; 2150 m->m_pkthdr.len += hlen; 2151 oip = mtod(n, struct ip *); 2152 } else { 2153 m->m_next->m_len += hlen; 2154 m->m_next->m_data -= hlen; 2155 m->m_pkthdr.len += hlen; 2156 oip = mtod(m->m_next, struct ip *); 2157 } 2158 ip = mtod(m, struct ip *); 2159 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen); 2160 m->m_len = sizeof(struct ip); 2161 m->m_pkthdr.len -= (hlen - sizeof(struct ip)); 2162 2163 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2164 /* ECN consideration. */ 2165 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2166 #ifdef _IP_VHL 2167 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2); 2168 #else 2169 ip->ip_hl = sizeof(struct ip) >> 2; 2170 #endif 2171 ip->ip_off &= htons(~IP_OFFMASK); 2172 ip->ip_off &= htons(~IP_MF); 2173 switch (ip4_ipsec_dfbit) { 2174 case 0: /* clear DF bit */ 2175 ip->ip_off &= htons(~IP_DF); 2176 break; 2177 case 1: /* set DF bit */ 2178 ip->ip_off |= htons(IP_DF); 2179 break; 2180 default: /* copy DF bit */ 2181 break; 2182 } 2183 ip->ip_p = IPPROTO_IPIP; 2184 if (plen + sizeof(struct ip) < IP_MAXPACKET) 2185 ip->ip_len = htons(plen + sizeof(struct ip)); 2186 else { 2187 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2188 "leave ip_len as is (invalid packet)\n")); 2189 } 2190 #ifdef RANDOM_IP_ID 2191 ip->ip_id = ip_randomid(); 2192 #else 2193 ip->ip_id = htons(ip_id++); 2194 #endif 2195 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2196 &ip->ip_src, sizeof(ip->ip_src)); 2197 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2198 &ip->ip_dst, sizeof(ip->ip_dst)); 2199 ip->ip_ttl = IPDEFTTL; 2200 2201 /* XXX Should ip_src be updated later ? */ 2202 2203 return 0; 2204 } 2205 #endif /* INET */ 2206 2207 #ifdef INET6 2208 static int 2209 ipsec6_encapsulate(m, sav) 2210 struct mbuf *m; 2211 struct secasvar *sav; 2212 { 2213 struct ip6_hdr *oip6; 2214 struct ip6_hdr *ip6; 2215 size_t plen; 2216 2217 /* can't tunnel between different AFs */ 2218 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2219 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2220 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { 2221 m_freem(m); 2222 return EINVAL; 2223 } 2224 #if 0 2225 /* XXX if the dst is myself, perform nothing. */ 2226 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2227 m_freem(m); 2228 return EINVAL; 2229 } 2230 #endif 2231 2232 plen = m->m_pkthdr.len; 2233 2234 /* 2235 * grow the mbuf to accomodate the new IPv6 header. 2236 */ 2237 if (m->m_len != sizeof(struct ip6_hdr)) 2238 panic("ipsec6_encapsulate: assumption failed (first mbuf length)"); 2239 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { 2240 struct mbuf *n; 2241 MGET(n, M_DONTWAIT, MT_DATA); 2242 if (!n) { 2243 m_freem(m); 2244 return ENOBUFS; 2245 } 2246 n->m_len = sizeof(struct ip6_hdr); 2247 n->m_next = m->m_next; 2248 m->m_next = n; 2249 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2250 oip6 = mtod(n, struct ip6_hdr *); 2251 } else { 2252 m->m_next->m_len += sizeof(struct ip6_hdr); 2253 m->m_next->m_data -= sizeof(struct ip6_hdr); 2254 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2255 oip6 = mtod(m->m_next, struct ip6_hdr *); 2256 } 2257 ip6 = mtod(m, struct ip6_hdr *); 2258 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr)); 2259 2260 /* XXX: Fake scoped addresses */ 2261 in6_clearscope(&oip6->ip6_src); 2262 in6_clearscope(&oip6->ip6_dst); 2263 2264 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ 2265 /* ECN consideration. */ 2266 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow); 2267 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) 2268 ip6->ip6_plen = htons(plen); 2269 else { 2270 /* ip6->ip6_plen will be updated in ip6_output() */ 2271 } 2272 ip6->ip6_nxt = IPPROTO_IPV6; 2273 in6_embedscope(&ip6->ip6_src, 2274 (struct sockaddr_in6 *)&sav->sah->saidx.src, NULL, NULL); 2275 in6_embedscope(&ip6->ip6_dst, 2276 (struct sockaddr_in6 *)&sav->sah->saidx.dst, NULL, NULL); 2277 ip6->ip6_hlim = IPV6_DEFHLIM; 2278 2279 /* XXX Should ip6_src be updated later ? */ 2280 2281 return 0; 2282 } 2283 #endif /* INET6 */ 2284 2285 /* 2286 * Check the variable replay window. 2287 * ipsec_chkreplay() performs replay check before ICV verification. 2288 * ipsec_updatereplay() updates replay bitmap. This must be called after 2289 * ICV verification (it also performs replay check, which is usually done 2290 * beforehand). 2291 * 0 (zero) is returned if packet disallowed, 1 if packet permitted. 2292 * 2293 * based on RFC 2401. 2294 * 2295 * XXX need to update for 64bit sequence number - 2401bis 2296 */ 2297 int 2298 ipsec_chkreplay(seq, sav) 2299 u_int32_t seq; 2300 struct secasvar *sav; 2301 { 2302 const struct secreplay *replay; 2303 u_int32_t diff; 2304 int fr; 2305 u_int32_t wsizeb; /* constant: bits of window size */ 2306 int frlast; /* constant: last frame */ 2307 2308 /* sanity check */ 2309 if (sav == NULL) 2310 panic("ipsec_chkreplay: NULL pointer was passed."); 2311 2312 replay = sav->replay; 2313 2314 if (replay->wsize == 0) 2315 return 1; /* no need to check replay. */ 2316 2317 /* constant */ 2318 frlast = replay->wsize - 1; 2319 wsizeb = replay->wsize << 3; 2320 2321 /* sequence number of 0 is invalid */ 2322 if (seq == 0) 2323 return 0; 2324 2325 /* first time is always okay */ 2326 if (replay->count == 0) 2327 return 1; 2328 2329 if (seq > replay->lastseq) { 2330 /* larger sequences are okay */ 2331 return 1; 2332 } else { 2333 /* seq is equal or less than lastseq. */ 2334 diff = replay->lastseq - seq; 2335 2336 /* over range to check, i.e. too old or wrapped */ 2337 if (diff >= wsizeb) 2338 return 0; 2339 2340 fr = frlast - diff / 8; 2341 2342 /* this packet already seen ? */ 2343 if (replay->bitmap[fr] & (1 << (diff % 8))) 2344 return 0; 2345 2346 /* out of order but good */ 2347 return 1; 2348 } 2349 } 2350 2351 /* 2352 * check replay counter whether to update or not. 2353 * OUT: 0: OK 2354 * 1: NG 2355 * XXX need to update for 64bit sequence number - 2401bis 2356 */ 2357 int 2358 ipsec_updatereplay(seq, sav) 2359 u_int32_t seq; 2360 struct secasvar *sav; 2361 { 2362 struct secreplay *replay; 2363 u_int64_t diff; 2364 int fr; 2365 u_int32_t wsizeb; /* constant: bits of window size */ 2366 int frlast; /* constant: last frame */ 2367 2368 /* sanity check */ 2369 if (sav == NULL) 2370 panic("ipsec_chkreplay: NULL pointer was passed."); 2371 2372 replay = sav->replay; 2373 2374 if (replay->wsize == 0) 2375 goto ok; /* no need to check replay. */ 2376 2377 /* constant */ 2378 frlast = replay->wsize - 1; 2379 wsizeb = replay->wsize << 3; 2380 2381 /* sequence number of 0 is invalid */ 2382 if (seq == 0) 2383 return 1; 2384 2385 /* first time */ 2386 if (replay->count == 0) { 2387 replay->lastseq = seq; 2388 bzero(replay->bitmap, replay->wsize); 2389 replay->bitmap[frlast] = 1; 2390 goto ok; 2391 } 2392 2393 if (seq > replay->lastseq) { 2394 /* seq is larger than lastseq. */ 2395 diff = seq - replay->lastseq; 2396 2397 /* new larger sequence number */ 2398 if (diff < wsizeb) { 2399 /* In window */ 2400 /* set bit for this packet */ 2401 vshiftl(replay->bitmap, diff, replay->wsize); 2402 replay->bitmap[frlast] |= 1; 2403 } else { 2404 /* this packet has a "way larger" */ 2405 bzero(replay->bitmap, replay->wsize); 2406 replay->bitmap[frlast] = 1; 2407 } 2408 replay->lastseq = seq; 2409 2410 /* larger is good */ 2411 } else { 2412 /* seq is equal or less than lastseq. */ 2413 diff = replay->lastseq - seq; 2414 2415 /* over range to check, i.e. too old or wrapped */ 2416 if (diff >= wsizeb) 2417 return 1; 2418 2419 fr = frlast - diff / 8; 2420 2421 /* this packet already seen ? */ 2422 if (replay->bitmap[fr] & (1 << (diff % 8))) 2423 return 1; 2424 2425 /* mark as seen */ 2426 replay->bitmap[fr] |= (1 << (diff % 8)); 2427 2428 /* out of order but good */ 2429 } 2430 2431 ok: 2432 if (replay->count == 0xffffffff) { 2433 2434 /* set overflow flag */ 2435 replay->overflow++; 2436 2437 /* don't increment, no more packets accepted */ 2438 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) 2439 return 1; 2440 2441 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n", 2442 replay->overflow, ipsec_logsastr(sav))); 2443 } 2444 2445 replay->count++; 2446 2447 return 0; 2448 } 2449 2450 /* 2451 * shift variable length buffer to left. 2452 * IN: bitmap: pointer to the buffer 2453 * nbit: the number of to shift. 2454 * wsize: buffer size (bytes). 2455 */ 2456 static void 2457 vshiftl(bitmap, nbit, wsize) 2458 unsigned char *bitmap; 2459 int nbit, wsize; 2460 { 2461 int s, j, i; 2462 unsigned char over; 2463 2464 for (j = 0; j < nbit; j += 8) { 2465 s = (nbit - j < 8) ? (nbit - j): 8; 2466 bitmap[0] <<= s; 2467 for (i = 1; i < wsize; i++) { 2468 over = (bitmap[i] >> (8 - s)); 2469 bitmap[i] <<= s; 2470 bitmap[i - 1] |= over; 2471 } 2472 } 2473 2474 return; 2475 } 2476 2477 const char * 2478 ipsec4_logpacketstr(ip, spi) 2479 struct ip *ip; 2480 u_int32_t spi; 2481 { 2482 static char buf[256]; 2483 char *p; 2484 u_int8_t *s, *d; 2485 2486 s = (u_int8_t *)(&ip->ip_src); 2487 d = (u_int8_t *)(&ip->ip_dst); 2488 2489 p = buf; 2490 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2491 while (p && *p) 2492 p++; 2493 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u", 2494 s[0], s[1], s[2], s[3]); 2495 while (p && *p) 2496 p++; 2497 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u", 2498 d[0], d[1], d[2], d[3]); 2499 while (p && *p) 2500 p++; 2501 snprintf(p, sizeof(buf) - (p - buf), ")"); 2502 2503 return buf; 2504 } 2505 2506 #ifdef INET6 2507 const char * 2508 ipsec6_logpacketstr(ip6, spi) 2509 struct ip6_hdr *ip6; 2510 u_int32_t spi; 2511 { 2512 static char buf[256]; 2513 char *p; 2514 2515 p = buf; 2516 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2517 while (p && *p) 2518 p++; 2519 snprintf(p, sizeof(buf) - (p - buf), "src=%s", 2520 ip6_sprintf(&ip6->ip6_src)); 2521 while (p && *p) 2522 p++; 2523 snprintf(p, sizeof(buf) - (p - buf), " dst=%s", 2524 ip6_sprintf(&ip6->ip6_dst)); 2525 while (p && *p) 2526 p++; 2527 snprintf(p, sizeof(buf) - (p - buf), ")"); 2528 2529 return buf; 2530 } 2531 #endif /* INET6 */ 2532 2533 const char * 2534 ipsec_logsastr(sav) 2535 struct secasvar *sav; 2536 { 2537 static char buf[256]; 2538 char *p; 2539 struct secasindex *saidx = &sav->sah->saidx; 2540 2541 /* validity check */ 2542 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2543 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) 2544 panic("ipsec_logsastr: family mismatched."); 2545 2546 p = buf; 2547 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi)); 2548 while (p && *p) 2549 p++; 2550 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) { 2551 u_int8_t *s, *d; 2552 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr; 2553 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr; 2554 snprintf(p, sizeof(buf) - (p - buf), 2555 "src=%d.%d.%d.%d dst=%d.%d.%d.%d", 2556 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]); 2557 } 2558 #ifdef INET6 2559 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) { 2560 snprintf(p, sizeof(buf) - (p - buf), 2561 "src=%s", 2562 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr)); 2563 while (p && *p) 2564 p++; 2565 snprintf(p, sizeof(buf) - (p - buf), 2566 " dst=%s", 2567 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr)); 2568 } 2569 #endif 2570 while (p && *p) 2571 p++; 2572 snprintf(p, sizeof(buf) - (p - buf), ")"); 2573 2574 return buf; 2575 } 2576 2577 void 2578 ipsec_dumpmbuf(m) 2579 struct mbuf *m; 2580 { 2581 int totlen; 2582 int i; 2583 u_char *p; 2584 2585 totlen = 0; 2586 printf("---\n"); 2587 while (m) { 2588 p = mtod(m, u_char *); 2589 for (i = 0; i < m->m_len; i++) { 2590 printf("%02x ", p[i]); 2591 totlen++; 2592 if (totlen % 16 == 0) 2593 printf("\n"); 2594 } 2595 m = m->m_next; 2596 } 2597 if (totlen % 16 != 0) 2598 printf("\n"); 2599 printf("---\n"); 2600 } 2601 2602 #ifdef INET 2603 static int 2604 ipsec4_checksa(isr, state) 2605 struct ipsecrequest *isr; 2606 struct ipsec_output_state *state; 2607 { 2608 struct ip *ip; 2609 struct secasindex saidx; 2610 struct sockaddr_in *sin; 2611 2612 /* make SA index for search proper SA */ 2613 ip = mtod(state->m, struct ip *); 2614 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2615 saidx.mode = isr->saidx.mode; 2616 saidx.reqid = isr->saidx.reqid; 2617 sin = (struct sockaddr_in *)&saidx.src; 2618 if (sin->sin_len == 0) { 2619 sin->sin_len = sizeof(*sin); 2620 sin->sin_family = AF_INET; 2621 sin->sin_port = IPSEC_PORT_ANY; 2622 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr)); 2623 } 2624 sin = (struct sockaddr_in *)&saidx.dst; 2625 if (sin->sin_len == 0) { 2626 sin->sin_len = sizeof(*sin); 2627 sin->sin_family = AF_INET; 2628 sin->sin_port = IPSEC_PORT_ANY; 2629 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr)); 2630 } 2631 2632 return key_checkrequest(isr, &saidx); 2633 } 2634 /* 2635 * IPsec output logic for IPv4. 2636 */ 2637 int 2638 ipsec4_output(state, sp, flags) 2639 struct ipsec_output_state *state; 2640 struct secpolicy *sp; 2641 int flags; 2642 { 2643 struct ip *ip = NULL; 2644 struct ipsecrequest *isr = NULL; 2645 int s; 2646 int error; 2647 struct sockaddr_in *dst4; 2648 2649 if (!state) 2650 panic("state == NULL in ipsec4_output"); 2651 if (!state->m) 2652 panic("state->m == NULL in ipsec4_output"); 2653 if (!state->ro) 2654 panic("state->ro == NULL in ipsec4_output"); 2655 if (!state->dst) 2656 panic("state->dst == NULL in ipsec4_output"); 2657 state->encap = 0; 2658 2659 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2660 printf("ipsec4_output: applyed SP\n"); 2661 kdebug_secpolicy(sp)); 2662 2663 for (isr = sp->req; isr != NULL; isr = isr->next) { 2664 2665 #if 0 /* give up to check restriction of transport mode */ 2666 /* XXX but should be checked somewhere */ 2667 /* 2668 * some of the IPsec operation must be performed only in 2669 * originating case. 2670 */ 2671 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT 2672 && (flags & IP_FORWARDING)) 2673 continue; 2674 #endif 2675 error = ipsec4_checksa(isr, state); 2676 if (error != 0) { 2677 /* 2678 * IPsec processing is required, but no SA found. 2679 * I assume that key_acquire() had been called 2680 * to get/establish the SA. Here I discard 2681 * this packet because it is responsibility for 2682 * upper layer to retransmit the packet. 2683 */ 2684 ipsecstat.out_nosa++; 2685 goto bad; 2686 } 2687 2688 /* validity check */ 2689 if (isr->sav == NULL) { 2690 switch (ipsec_get_reqlevel(isr, AF_INET)) { 2691 case IPSEC_LEVEL_USE: 2692 continue; 2693 case IPSEC_LEVEL_REQUIRE: 2694 /* must be not reached here. */ 2695 panic("ipsec4_output: no SA found, but required."); 2696 } 2697 } 2698 2699 /* 2700 * If there is no valid SA, we give up to process any 2701 * more. In such a case, the SA's status is changed 2702 * from DYING to DEAD after allocating. If a packet 2703 * send to the receiver by dead SA, the receiver can 2704 * not decode a packet because SA has been dead. 2705 */ 2706 if (isr->sav->state != SADB_SASTATE_MATURE 2707 && isr->sav->state != SADB_SASTATE_DYING) { 2708 ipsecstat.out_nosa++; 2709 error = EINVAL; 2710 goto bad; 2711 } 2712 2713 /* 2714 * There may be the case that SA status will be changed when 2715 * we are refering to one. So calling splsoftnet(). 2716 */ 2717 s = splnet(); 2718 2719 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2720 /* 2721 * build IPsec tunnel. 2722 */ 2723 /* XXX should be processed with other familiy */ 2724 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) { 2725 ipseclog((LOG_ERR, "ipsec4_output: " 2726 "family mismatched between inner and outer spi=%u\n", 2727 (u_int32_t)ntohl(isr->sav->spi))); 2728 splx(s); 2729 error = EAFNOSUPPORT; 2730 goto bad; 2731 } 2732 2733 state->m = ipsec4_splithdr(state->m); 2734 if (!state->m) { 2735 splx(s); 2736 error = ENOMEM; 2737 goto bad; 2738 } 2739 error = ipsec4_encapsulate(state->m, isr->sav); 2740 splx(s); 2741 if (error) { 2742 state->m = NULL; 2743 goto bad; 2744 } 2745 ip = mtod(state->m, struct ip *); 2746 2747 state->ro = &isr->sav->sah->sa_route; 2748 state->dst = (struct sockaddr *)&state->ro->ro_dst; 2749 dst4 = (struct sockaddr_in *)state->dst; 2750 if (state->ro->ro_rt 2751 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 2752 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) { 2753 RTFREE(state->ro->ro_rt); 2754 state->ro->ro_rt = NULL; 2755 } 2756 if (state->ro->ro_rt == 0) { 2757 dst4->sin_family = AF_INET; 2758 dst4->sin_len = sizeof(*dst4); 2759 dst4->sin_addr = ip->ip_dst; 2760 rtalloc(state->ro); 2761 } 2762 if (state->ro->ro_rt == 0) { 2763 ipstat.ips_noroute++; 2764 error = EHOSTUNREACH; 2765 goto bad; 2766 } 2767 2768 /* adjust state->dst if tunnel endpoint is offlink */ 2769 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 2770 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 2771 dst4 = (struct sockaddr_in *)state->dst; 2772 } 2773 2774 state->encap++; 2775 } else 2776 splx(s); 2777 2778 state->m = ipsec4_splithdr(state->m); 2779 if (!state->m) { 2780 error = ENOMEM; 2781 goto bad; 2782 } 2783 switch (isr->saidx.proto) { 2784 case IPPROTO_ESP: 2785 #ifdef IPSEC_ESP 2786 if ((error = esp4_output(state->m, isr)) != 0) { 2787 state->m = NULL; 2788 goto bad; 2789 } 2790 break; 2791 #else 2792 m_freem(state->m); 2793 state->m = NULL; 2794 error = EINVAL; 2795 goto bad; 2796 #endif 2797 case IPPROTO_AH: 2798 if ((error = ah4_output(state->m, isr)) != 0) { 2799 state->m = NULL; 2800 goto bad; 2801 } 2802 break; 2803 case IPPROTO_IPCOMP: 2804 if ((error = ipcomp4_output(state->m, isr)) != 0) { 2805 state->m = NULL; 2806 goto bad; 2807 } 2808 break; 2809 default: 2810 ipseclog((LOG_ERR, 2811 "ipsec4_output: unknown ipsec protocol %d\n", 2812 isr->saidx.proto)); 2813 m_freem(state->m); 2814 state->m = NULL; 2815 error = EINVAL; 2816 goto bad; 2817 } 2818 2819 if (state->m == 0) { 2820 error = ENOMEM; 2821 goto bad; 2822 } 2823 ip = mtod(state->m, struct ip *); 2824 } 2825 2826 return 0; 2827 2828 bad: 2829 m_freem(state->m); 2830 state->m = NULL; 2831 return error; 2832 } 2833 #endif 2834 2835 #ifdef INET6 2836 static int 2837 ipsec6_checksa(isr, state, tunnel) 2838 struct ipsecrequest *isr; 2839 struct ipsec_output_state *state; 2840 int tunnel; 2841 { 2842 struct ip6_hdr *ip6; 2843 struct secasindex saidx; 2844 struct sockaddr_in6 *sin6; 2845 2846 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2847 #ifdef DIAGNOSTIC 2848 if (!tunnel) 2849 panic("ipsec6_checksa/inconsistent tunnel attribute"); 2850 #endif 2851 /* When tunnel mode, SA peers must be specified. */ 2852 return key_checkrequest(isr, &isr->saidx); 2853 } 2854 2855 /* make SA index for search proper SA */ 2856 ip6 = mtod(state->m, struct ip6_hdr *); 2857 if (tunnel) { 2858 bzero(&saidx, sizeof(saidx)); 2859 saidx.proto = isr->saidx.proto; 2860 } else 2861 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2862 saidx.mode = isr->saidx.mode; 2863 saidx.reqid = isr->saidx.reqid; 2864 sin6 = (struct sockaddr_in6 *)&saidx.src; 2865 if (sin6->sin6_len == 0 || tunnel) { 2866 sin6->sin6_len = sizeof(*sin6); 2867 sin6->sin6_family = AF_INET6; 2868 sin6->sin6_port = IPSEC_PORT_ANY; 2869 in6_recoverscope(sin6, &ip6->ip6_src, NULL); 2870 } 2871 sin6 = (struct sockaddr_in6 *)&saidx.dst; 2872 if (sin6->sin6_len == 0 || tunnel) { 2873 sin6->sin6_len = sizeof(*sin6); 2874 sin6->sin6_family = AF_INET6; 2875 sin6->sin6_port = IPSEC_PORT_ANY; 2876 in6_recoverscope(sin6, &ip6->ip6_dst, NULL); 2877 } 2878 2879 return key_checkrequest(isr, &saidx); 2880 } 2881 2882 /* 2883 * IPsec output logic for IPv6, transport mode. 2884 */ 2885 int 2886 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun) 2887 struct ipsec_output_state *state; 2888 u_char *nexthdrp; 2889 struct mbuf *mprev; 2890 struct secpolicy *sp; 2891 int flags; 2892 int *tun; 2893 { 2894 struct ip6_hdr *ip6; 2895 struct ipsecrequest *isr = NULL; 2896 int error = 0; 2897 int plen; 2898 2899 if (!state) 2900 panic("state == NULL in ipsec6_output_trans"); 2901 if (!state->m) 2902 panic("state->m == NULL in ipsec6_output_trans"); 2903 if (!nexthdrp) 2904 panic("nexthdrp == NULL in ipsec6_output_trans"); 2905 if (!mprev) 2906 panic("mprev == NULL in ipsec6_output_trans"); 2907 if (!sp) 2908 panic("sp == NULL in ipsec6_output_trans"); 2909 if (!tun) 2910 panic("tun == NULL in ipsec6_output_trans"); 2911 2912 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2913 printf("ipsec6_output_trans: applyed SP\n"); 2914 kdebug_secpolicy(sp)); 2915 2916 *tun = 0; 2917 for (isr = sp->req; isr; isr = isr->next) { 2918 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2919 /* the rest will be handled by ipsec6_output_tunnel() */ 2920 break; 2921 } 2922 2923 error = ipsec6_checksa(isr, state, 0); 2924 if (error == EIO) 2925 goto bad; 2926 if (error == ENOENT) { 2927 /* 2928 * IPsec processing is required, but no SA found. 2929 * I assume that key_acquire() had been called 2930 * to get/establish the SA. Here I discard 2931 * this packet because it is responsibility for 2932 * upper layer to retransmit the packet. 2933 */ 2934 ipsec6stat.out_nosa++; 2935 2936 /* 2937 * Notify the fact that the packet is discarded 2938 * to ourselves. I believe this is better than 2939 * just silently discarding. (jinmei@kame.net) 2940 * XXX: should we restrict the error to TCP packets? 2941 * XXX: should we directly notify sockets via 2942 * pfctlinputs? 2943 * 2944 * Noone have initialized rcvif until this point, 2945 * so clear it. 2946 */ 2947 if ((state->m->m_flags & M_PKTHDR) != 0) 2948 state->m->m_pkthdr.rcvif = NULL; 2949 icmp6_error(state->m, ICMP6_DST_UNREACH, 2950 ICMP6_DST_UNREACH_ADMIN, 0); 2951 state->m = NULL; /* icmp6_error freed the mbuf */ 2952 goto bad; 2953 } 2954 2955 /* validity check */ 2956 if (isr->sav == NULL) { 2957 switch (ipsec_get_reqlevel(isr, AF_INET6)) { 2958 case IPSEC_LEVEL_USE: 2959 continue; 2960 case IPSEC_LEVEL_REQUIRE: 2961 /* must be not reached here. */ 2962 panic("ipsec6_output_trans: no SA found, but required."); 2963 } 2964 } 2965 2966 /* 2967 * If there is no valid SA, we give up to process. 2968 * see same place at ipsec4_output(). 2969 */ 2970 if (isr->sav->state != SADB_SASTATE_MATURE 2971 && isr->sav->state != SADB_SASTATE_DYING) { 2972 ipsec6stat.out_nosa++; 2973 error = EINVAL; 2974 goto bad; 2975 } 2976 2977 switch (isr->saidx.proto) { 2978 case IPPROTO_ESP: 2979 #ifdef IPSEC_ESP 2980 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr); 2981 #else 2982 m_freem(state->m); 2983 error = EINVAL; 2984 #endif 2985 break; 2986 case IPPROTO_AH: 2987 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr); 2988 break; 2989 case IPPROTO_IPCOMP: 2990 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr); 2991 break; 2992 default: 2993 ipseclog((LOG_ERR, "ipsec6_output_trans: " 2994 "unknown ipsec protocol %d\n", isr->saidx.proto)); 2995 m_freem(state->m); 2996 ipsec6stat.out_inval++; 2997 error = EINVAL; 2998 break; 2999 } 3000 if (error) { 3001 state->m = NULL; 3002 goto bad; 3003 } 3004 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3005 if (plen > IPV6_MAXPACKET) { 3006 ipseclog((LOG_ERR, "ipsec6_output_trans: " 3007 "IPsec with IPv6 jumbogram is not supported\n")); 3008 ipsec6stat.out_inval++; 3009 error = EINVAL; /* XXX */ 3010 goto bad; 3011 } 3012 ip6 = mtod(state->m, struct ip6_hdr *); 3013 ip6->ip6_plen = htons(plen); 3014 } 3015 3016 /* if we have more to go, we need a tunnel mode processing */ 3017 if (isr != NULL) 3018 *tun = 1; 3019 3020 return 0; 3021 3022 bad: 3023 m_freem(state->m); 3024 state->m = NULL; 3025 return error; 3026 } 3027 3028 /* 3029 * IPsec output logic for IPv6, tunnel mode. 3030 */ 3031 int 3032 ipsec6_output_tunnel(state, sp, flags) 3033 struct ipsec_output_state *state; 3034 struct secpolicy *sp; 3035 int flags; 3036 { 3037 struct ip6_hdr *ip6; 3038 struct ipsecrequest *isr = NULL; 3039 int error = 0; 3040 int plen; 3041 struct sockaddr_in6 *dst6; 3042 int s; 3043 3044 if (!state) 3045 panic("state == NULL in ipsec6_output_tunnel"); 3046 if (!state->m) 3047 panic("state->m == NULL in ipsec6_output_tunnel"); 3048 if (!sp) 3049 panic("sp == NULL in ipsec6_output_tunnel"); 3050 3051 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3052 printf("ipsec6_output_tunnel: applyed SP\n"); 3053 kdebug_secpolicy(sp)); 3054 3055 /* 3056 * transport mode ipsec (before the 1st tunnel mode) is already 3057 * processed by ipsec6_output_trans(). 3058 */ 3059 for (isr = sp->req; isr; isr = isr->next) { 3060 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 3061 break; 3062 } 3063 3064 for (/* already initialized */; isr; isr = isr->next) { 3065 error = ipsec6_checksa(isr, state, 1); 3066 if (error == EIO) 3067 goto bad; 3068 if (error == ENOENT) { 3069 /* 3070 * IPsec processing is required, but no SA found. 3071 * I assume that key_acquire() had been called 3072 * to get/establish the SA. Here I discard 3073 * this packet because it is responsibility for 3074 * upper layer to retransmit the packet. 3075 */ 3076 ipsec6stat.out_nosa++; 3077 error = ENOENT; 3078 goto bad; 3079 } 3080 3081 /* validity check */ 3082 if (isr->sav == NULL) { 3083 switch (ipsec_get_reqlevel(isr, AF_INET6)) { 3084 case IPSEC_LEVEL_USE: 3085 continue; 3086 case IPSEC_LEVEL_REQUIRE: 3087 /* must be not reached here. */ 3088 panic("ipsec6_output_tunnel: no SA found, but required."); 3089 } 3090 } 3091 3092 /* 3093 * If there is no valid SA, we give up to process. 3094 * see same place at ipsec4_output(). 3095 */ 3096 if (isr->sav->state != SADB_SASTATE_MATURE 3097 && isr->sav->state != SADB_SASTATE_DYING) { 3098 ipsec6stat.out_nosa++; 3099 error = EINVAL; 3100 goto bad; 3101 } 3102 3103 /* 3104 * There may be the case that SA status will be changed when 3105 * we are refering to one. So calling splsoftnet(). 3106 */ 3107 s = splnet(); 3108 3109 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3110 /* 3111 * build IPsec tunnel. 3112 */ 3113 /* XXX should be processed with other familiy */ 3114 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) { 3115 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3116 "family mismatched between inner and outer, spi=%u\n", 3117 (u_int32_t)ntohl(isr->sav->spi))); 3118 splx(s); 3119 ipsec6stat.out_inval++; 3120 error = EAFNOSUPPORT; 3121 goto bad; 3122 } 3123 3124 state->m = ipsec6_splithdr(state->m); 3125 if (!state->m) { 3126 splx(s); 3127 ipsec6stat.out_nomem++; 3128 error = ENOMEM; 3129 goto bad; 3130 } 3131 error = ipsec6_encapsulate(state->m, isr->sav); 3132 splx(s); 3133 if (error) { 3134 state->m = 0; 3135 goto bad; 3136 } 3137 ip6 = mtod(state->m, struct ip6_hdr *); 3138 3139 state->ro = &isr->sav->sah->sa_route; 3140 state->dst = (struct sockaddr *)&state->ro->ro_dst; 3141 dst6 = (struct sockaddr_in6 *)state->dst; 3142 if (state->ro->ro_rt && 3143 (!(state->ro->ro_rt->rt_flags & RTF_UP) || 3144 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, 3145 &ip6->ip6_dst))) { 3146 RTFREE(state->ro->ro_rt); 3147 state->ro->ro_rt = NULL; 3148 } 3149 if (state->ro->ro_rt == 0) { 3150 bzero(dst6, sizeof(*dst6)); 3151 dst6->sin6_family = AF_INET6; 3152 dst6->sin6_len = sizeof(*dst6); 3153 dst6->sin6_addr = ip6->ip6_dst; 3154 rtalloc(state->ro); 3155 } 3156 if (state->ro->ro_rt == 0) { 3157 ip6stat.ip6s_noroute++; 3158 ipsec6stat.out_noroute++; 3159 error = EHOSTUNREACH; 3160 goto bad; 3161 } 3162 3163 /* adjust state->dst if tunnel endpoint is offlink */ 3164 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 3165 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 3166 dst6 = (struct sockaddr_in6 *)state->dst; 3167 } 3168 } else 3169 splx(s); 3170 3171 state->m = ipsec6_splithdr(state->m); 3172 if (!state->m) { 3173 ipsec6stat.out_nomem++; 3174 error = ENOMEM; 3175 goto bad; 3176 } 3177 ip6 = mtod(state->m, struct ip6_hdr *); 3178 switch (isr->saidx.proto) { 3179 case IPPROTO_ESP: 3180 #ifdef IPSEC_ESP 3181 error = esp6_output(state->m, &ip6->ip6_nxt, 3182 state->m->m_next, isr); 3183 #else 3184 m_freem(state->m); 3185 error = EINVAL; 3186 #endif 3187 break; 3188 case IPPROTO_AH: 3189 error = ah6_output(state->m, &ip6->ip6_nxt, 3190 state->m->m_next, isr); 3191 break; 3192 case IPPROTO_IPCOMP: 3193 /* XXX code should be here */ 3194 /* FALLTHROUGH */ 3195 default: 3196 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3197 "unknown ipsec protocol %d\n", isr->saidx.proto)); 3198 m_freem(state->m); 3199 ipsec6stat.out_inval++; 3200 error = EINVAL; 3201 break; 3202 } 3203 if (error) { 3204 state->m = NULL; 3205 goto bad; 3206 } 3207 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3208 if (plen > IPV6_MAXPACKET) { 3209 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3210 "IPsec with IPv6 jumbogram is not supported\n")); 3211 ipsec6stat.out_inval++; 3212 error = EINVAL; /* XXX */ 3213 goto bad; 3214 } 3215 ip6 = mtod(state->m, struct ip6_hdr *); 3216 ip6->ip6_plen = htons(plen); 3217 } 3218 3219 return 0; 3220 3221 bad: 3222 m_freem(state->m); 3223 state->m = NULL; 3224 return error; 3225 } 3226 #endif /* INET6 */ 3227 3228 #ifdef INET 3229 /* 3230 * Chop IP header and option off from the payload. 3231 */ 3232 static struct mbuf * 3233 ipsec4_splithdr(m) 3234 struct mbuf *m; 3235 { 3236 struct mbuf *mh; 3237 struct ip *ip; 3238 int hlen; 3239 3240 if (m->m_len < sizeof(struct ip)) 3241 panic("ipsec4_splithdr: first mbuf too short"); 3242 ip = mtod(m, struct ip *); 3243 #ifdef _IP_VHL 3244 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 3245 #else 3246 hlen = ip->ip_hl << 2; 3247 #endif 3248 if (m->m_len > hlen) { 3249 MGETHDR(mh, M_DONTWAIT, MT_HEADER); 3250 if (!mh) { 3251 m_freem(m); 3252 return NULL; 3253 } 3254 M_MOVE_PKTHDR(mh, m); 3255 MH_ALIGN(mh, hlen); 3256 m->m_len -= hlen; 3257 m->m_data += hlen; 3258 mh->m_next = m; 3259 m = mh; 3260 m->m_len = hlen; 3261 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen); 3262 } else if (m->m_len < hlen) { 3263 m = m_pullup(m, hlen); 3264 if (!m) 3265 return NULL; 3266 } 3267 return m; 3268 } 3269 #endif 3270 3271 #ifdef INET6 3272 static struct mbuf * 3273 ipsec6_splithdr(m) 3274 struct mbuf *m; 3275 { 3276 struct mbuf *mh; 3277 struct ip6_hdr *ip6; 3278 int hlen; 3279 3280 if (m->m_len < sizeof(struct ip6_hdr)) 3281 panic("ipsec6_splithdr: first mbuf too short"); 3282 ip6 = mtod(m, struct ip6_hdr *); 3283 hlen = sizeof(struct ip6_hdr); 3284 if (m->m_len > hlen) { 3285 MGETHDR(mh, M_DONTWAIT, MT_HEADER); 3286 if (!mh) { 3287 m_freem(m); 3288 return NULL; 3289 } 3290 M_MOVE_PKTHDR(mh, m); 3291 MH_ALIGN(mh, hlen); 3292 m->m_len -= hlen; 3293 m->m_data += hlen; 3294 mh->m_next = m; 3295 m = mh; 3296 m->m_len = hlen; 3297 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen); 3298 } else if (m->m_len < hlen) { 3299 m = m_pullup(m, hlen); 3300 if (!m) 3301 return NULL; 3302 } 3303 return m; 3304 } 3305 #endif 3306 3307 /* validate inbound IPsec tunnel packet. */ 3308 int 3309 ipsec4_tunnel_validate(m, off, nxt0, sav) 3310 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 3311 int off; 3312 u_int nxt0; 3313 struct secasvar *sav; 3314 { 3315 u_int8_t nxt = nxt0 & 0xff; 3316 struct sockaddr_in *sin; 3317 struct sockaddr_in osrc, odst, isrc, idst; 3318 int hlen; 3319 struct secpolicy *sp; 3320 struct ip *oip; 3321 3322 #ifdef DIAGNOSTIC 3323 if (m->m_len < sizeof(struct ip)) 3324 panic("too short mbuf on ipsec4_tunnel_validate"); 3325 #endif 3326 if (nxt != IPPROTO_IPV4) 3327 return 0; 3328 if (m->m_pkthdr.len < off + sizeof(struct ip)) 3329 return 0; 3330 /* do not decapsulate if the SA is for transport mode only */ 3331 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3332 return 0; 3333 3334 oip = mtod(m, struct ip *); 3335 hlen = oip->ip_hl << 2; 3336 if (hlen != sizeof(struct ip)) 3337 return 0; 3338 3339 /* AF_INET6 should be supported, but at this moment we don't. */ 3340 sin = (struct sockaddr_in *)&sav->sah->saidx.dst; 3341 if (sin->sin_family != AF_INET) 3342 return 0; 3343 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0) 3344 return 0; 3345 3346 /* XXX slow */ 3347 bzero(&osrc, sizeof(osrc)); 3348 bzero(&odst, sizeof(odst)); 3349 bzero(&isrc, sizeof(isrc)); 3350 bzero(&idst, sizeof(idst)); 3351 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family = 3352 AF_INET; 3353 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len = 3354 sizeof(struct sockaddr_in); 3355 osrc.sin_addr = oip->ip_src; 3356 odst.sin_addr = oip->ip_dst; 3357 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr), 3358 (caddr_t)&isrc.sin_addr); 3359 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr), 3360 (caddr_t)&idst.sin_addr); 3361 3362 /* 3363 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode) 3364 * - if the inner destination is multicast address, there can be 3365 * multiple permissible inner source address. implementation 3366 * may want to skip verification of inner source address against 3367 * SPD selector. 3368 * - if the inner protocol is ICMP, the packet may be an error report 3369 * from routers on the other side of the VPN cloud (R in the 3370 * following diagram). in this case, we cannot verify inner source 3371 * address against SPD selector. 3372 * me -- gw === gw -- R -- you 3373 * 3374 * we consider the first bullet to be users responsibility on SPD entry 3375 * configuration (if you need to encrypt multicast traffic, set 3376 * the source range of SPD selector to 0.0.0.0/0, or have explicit 3377 * address ranges for possible senders). 3378 * the second bullet is not taken care of (yet). 3379 * 3380 * therefore, we do not do anything special about inner source. 3381 */ 3382 3383 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 3384 (struct sockaddr *)&isrc, (struct sockaddr *)&idst); 3385 /* 3386 * when there is no suitable inbound policy for the packet of the ipsec 3387 * tunnel mode, the kernel never decapsulate the tunneled packet 3388 * as the ipsec tunnel mode even when the system wide policy is "none". 3389 * then the kernel leaves the generic tunnel module to process this 3390 * packet. if there is no rule of the generic tunnel, the packet 3391 * is rejected and the statistics will be counted up. 3392 */ 3393 if (!sp) 3394 return 0; 3395 key_freesp(sp); 3396 3397 return 1; 3398 } 3399 3400 #ifdef INET6 3401 /* validate inbound IPsec tunnel packet. */ 3402 int 3403 ipsec6_tunnel_validate(m, off, nxt0, sav) 3404 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 3405 int off; 3406 u_int nxt0; 3407 struct secasvar *sav; 3408 { 3409 u_int8_t nxt = nxt0 & 0xff; 3410 struct sockaddr_in6 *sin6; 3411 struct sockaddr_in6 osrc, odst, isrc, idst; 3412 struct secpolicy *sp; 3413 struct ip6_hdr *oip6; 3414 3415 #ifdef DIAGNOSTIC 3416 if (m->m_len < sizeof(struct ip6_hdr)) 3417 panic("too short mbuf on ipsec6_tunnel_validate"); 3418 #endif 3419 if (nxt != IPPROTO_IPV6) 3420 return 0; 3421 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr)) 3422 return 0; 3423 /* do not decapsulate if the SA is for transport mode only */ 3424 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3425 return 0; 3426 3427 oip6 = mtod(m, struct ip6_hdr *); 3428 3429 /* AF_INET should be supported, but at this moment we don't. */ 3430 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst; 3431 if (sin6->sin6_family != AF_INET6) 3432 return 0; 3433 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr)) 3434 return 0; 3435 3436 /* XXX slow */ 3437 bzero(&osrc, sizeof(osrc)); 3438 bzero(&odst, sizeof(odst)); 3439 bzero(&isrc, sizeof(isrc)); 3440 bzero(&idst, sizeof(idst)); 3441 osrc.sin6_family = odst.sin6_family = isrc.sin6_family = 3442 idst.sin6_family = AF_INET6; 3443 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len = 3444 sizeof(struct sockaddr_in6); 3445 osrc.sin6_addr = oip6->ip6_src; 3446 odst.sin6_addr = oip6->ip6_dst; 3447 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), 3448 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr); 3449 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), 3450 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr); 3451 3452 /* 3453 * regarding to inner source address validation, see a long comment 3454 * in ipsec4_tunnel_validate. 3455 */ 3456 3457 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 3458 (struct sockaddr *)&isrc, (struct sockaddr *)&idst); 3459 if (!sp) 3460 return 0; 3461 key_freesp(sp); 3462 3463 return 1; 3464 } 3465 #endif 3466 3467 /* 3468 * Make a mbuf chain for encryption. 3469 * If the original mbuf chain contains a mbuf with a cluster, 3470 * allocate a new cluster and copy the data to the new cluster. 3471 * XXX: this hack is inefficient, but is necessary to handle cases 3472 * of TCP retransmission... 3473 */ 3474 struct mbuf * 3475 ipsec_copypkt(m) 3476 struct mbuf *m; 3477 { 3478 struct mbuf *n, **mpp, *mnew; 3479 3480 for (n = m, mpp = &m; n; n = n->m_next) { 3481 if (n->m_flags & M_EXT) { 3482 /* 3483 * Make a copy only if there is more than one 3484 * references to the cluster. 3485 * XXX: is this approach effective? 3486 */ 3487 if (!M_WRITABLE(n)) { 3488 int remain, copied; 3489 struct mbuf *mm; 3490 3491 if (n->m_flags & M_PKTHDR) { 3492 MGETHDR(mnew, M_DONTWAIT, MT_HEADER); 3493 if (mnew == NULL) 3494 goto fail; 3495 mnew->m_pkthdr = n->m_pkthdr; 3496 #if 0 3497 /* XXX: convert to m_tag or delete? */ 3498 if (n->m_pkthdr.aux) { 3499 mnew->m_pkthdr.aux = 3500 m_copym(n->m_pkthdr.aux, 3501 0, M_COPYALL, M_DONTWAIT); 3502 } 3503 #endif 3504 M_MOVE_PKTHDR(mnew, n); 3505 } 3506 else { 3507 MGET(mnew, M_DONTWAIT, MT_DATA); 3508 if (mnew == NULL) 3509 goto fail; 3510 } 3511 mnew->m_len = 0; 3512 mm = mnew; 3513 3514 /* 3515 * Copy data. If we don't have enough space to 3516 * store the whole data, allocate a cluster 3517 * or additional mbufs. 3518 * XXX: we don't use m_copyback(), since the 3519 * function does not use clusters and thus is 3520 * inefficient. 3521 */ 3522 remain = n->m_len; 3523 copied = 0; 3524 while (1) { 3525 int len; 3526 struct mbuf *mn; 3527 3528 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN)) 3529 len = remain; 3530 else { /* allocate a cluster */ 3531 MCLGET(mm, M_DONTWAIT); 3532 if (!(mm->m_flags & M_EXT)) { 3533 m_free(mm); 3534 goto fail; 3535 } 3536 len = remain < MCLBYTES ? 3537 remain : MCLBYTES; 3538 } 3539 3540 bcopy(n->m_data + copied, mm->m_data, 3541 len); 3542 3543 copied += len; 3544 remain -= len; 3545 mm->m_len = len; 3546 3547 if (remain <= 0) /* completed? */ 3548 break; 3549 3550 /* need another mbuf */ 3551 MGETHDR(mn, M_DONTWAIT, MT_HEADER); 3552 if (mn == NULL) 3553 goto fail; 3554 mn->m_pkthdr.rcvif = NULL; 3555 mm->m_next = mn; 3556 mm = mn; 3557 } 3558 3559 /* adjust chain */ 3560 mm->m_next = m_free(n); 3561 n = mm; 3562 *mpp = mnew; 3563 mpp = &n->m_next; 3564 3565 continue; 3566 } 3567 } 3568 *mpp = n; 3569 mpp = &n->m_next; 3570 } 3571 3572 return (m); 3573 fail: 3574 m_freem(m); 3575 return (NULL); 3576 } 3577 3578 static struct ipsecaux * 3579 ipsec_addaux(m) 3580 struct mbuf *m; 3581 { 3582 struct m_tag *mtag; 3583 3584 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); 3585 if (mtag == NULL) { 3586 mtag = m_tag_get(PACKET_TAG_IPSEC_HISTORY, 3587 sizeof(struct ipsecaux), M_NOWAIT); 3588 if (mtag != NULL) 3589 m_tag_prepend(m, mtag); 3590 } 3591 if (mtag == NULL) 3592 return NULL; /* ENOBUFS */ 3593 /* XXX is this necessary? */ 3594 bzero((void *)(mtag + 1), sizeof(struct ipsecaux)); 3595 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL; 3596 } 3597 3598 static struct ipsecaux * 3599 ipsec_findaux(m) 3600 struct mbuf *m; 3601 { 3602 struct m_tag *mtag; 3603 3604 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); 3605 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL; 3606 } 3607 3608 void 3609 ipsec_delaux(m) 3610 struct mbuf *m; 3611 { 3612 struct m_tag *mtag; 3613 3614 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); 3615 if (mtag != NULL) 3616 m_tag_delete(m, mtag); 3617 } 3618 3619 /* if the aux buffer is unnecessary, nuke it. */ 3620 static void 3621 ipsec_optaux(m, aux) 3622 struct mbuf *m; 3623 struct ipsecaux *aux; 3624 { 3625 3626 if (aux == NULL) 3627 return; 3628 if (!aux->so && !aux->sp) 3629 ipsec_delaux(m); 3630 } 3631 3632 int 3633 ipsec_setsocket(m, so) 3634 struct mbuf *m; 3635 struct socket *so; 3636 { 3637 struct ipsecaux *aux; 3638 3639 /* if so == NULL, don't insist on getting the aux mbuf */ 3640 if (so) { 3641 aux = ipsec_addaux(m); 3642 if (aux == NULL) 3643 return ENOBUFS; 3644 } else 3645 aux = ipsec_findaux(m); 3646 if (aux != NULL) { 3647 aux->so = so; 3648 } 3649 ipsec_optaux(m, aux); 3650 return 0; 3651 } 3652 3653 struct socket * 3654 ipsec_getsocket(m) 3655 struct mbuf *m; 3656 { 3657 struct ipsecaux *aux; 3658 3659 aux = ipsec_findaux(m); 3660 if (aux != NULL) 3661 return aux->so; 3662 else 3663 return NULL; 3664 } 3665 3666 int 3667 ipsec_addhist(m, proto, spi) 3668 struct mbuf *m; 3669 int proto; 3670 u_int32_t spi; 3671 { 3672 struct ipsecaux *aux; 3673 3674 aux = ipsec_addaux(m); 3675 if (aux == NULL) 3676 return ENOBUFS; 3677 aux->hdrs++; 3678 return 0; 3679 } 3680 3681 int 3682 ipsec_getnhist(m) 3683 struct mbuf *m; 3684 { 3685 struct ipsecaux *aux; 3686 3687 aux = ipsec_findaux(m); 3688 if (aux == NULL) 3689 return 0; 3690 return aux->hdrs; 3691 } 3692 3693 void 3694 ipsec_clearhist(m) 3695 struct mbuf *m; 3696 { 3697 struct ipsecaux *aux; 3698 3699 aux = ipsec_findaux(m); 3700 ipsec_optaux(m, aux); 3701 }
Cache object: 265e400cc69f1910157a63dce3903c2f
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]