FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
1 /* $FreeBSD: releng/5.2/sys/netinet6/ipsec.c 125090 2004-01-27 15:59:26Z ume $ */
2 /* $KAME: ipsec.c,v 1.204 2003/09/19 10:53:38 jinmei Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #include "opt_inet.h"
38 #include "opt_inet6.h"
39 #include "opt_ipsec.h"
40 #include "opt_random_ip_id.h"
41
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/malloc.h>
45 #include <sys/mbuf.h>
46 #include <sys/domain.h>
47 #include <sys/protosw.h>
48 #include <sys/socket.h>
49 #include <sys/socketvar.h>
50 #include <sys/errno.h>
51 #include <sys/time.h>
52 #include <sys/kernel.h>
53 #include <sys/syslog.h>
54 #include <sys/sysctl.h>
55 #include <sys/proc.h>
56
57 #include <net/if.h>
58 #include <net/route.h>
59
60 #include <netinet/in.h>
61 #include <netinet/in_systm.h>
62 #include <netinet/ip.h>
63 #include <netinet/ip_var.h>
64 #include <netinet/in_var.h>
65 #include <netinet/udp.h>
66 #include <netinet/udp_var.h>
67 #include <netinet/ip_ecn.h>
68 #ifdef INET6
69 #include <netinet6/ip6_ecn.h>
70 #endif
71 #include <netinet/tcp.h>
72 #include <netinet/udp.h>
73
74 #include <netinet/ip6.h>
75 #ifdef INET6
76 #include <netinet6/ip6_var.h>
77 #endif
78 #include <netinet/in_pcb.h>
79 #ifdef INET6
80 #include <netinet/icmp6.h>
81 #endif
82
83 #include <netinet6/ipsec.h>
84 #ifdef INET6
85 #include <netinet6/ipsec6.h>
86 #endif
87 #include <netinet6/ah.h>
88 #ifdef INET6
89 #include <netinet6/ah6.h>
90 #endif
91 #ifdef IPSEC_ESP
92 #include <netinet6/esp.h>
93 #ifdef INET6
94 #include <netinet6/esp6.h>
95 #endif
96 #endif
97 #include <netinet6/ipcomp.h>
98 #ifdef INET6
99 #include <netinet6/ipcomp6.h>
100 #endif
101 #include <netkey/key.h>
102 #include <netkey/keydb.h>
103 #include <netkey/key_debug.h>
104
105 #include <machine/in_cksum.h>
106 #include <net/net_osdep.h>
107
108 #ifdef IPSEC_DEBUG
109 int ipsec_debug = 1;
110 #else
111 int ipsec_debug = 0;
112 #endif
113
114 struct ipsecstat ipsecstat;
115 int ip4_ah_cleartos = 1;
116 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
117 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
118 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
119 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
120 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
121 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
122 struct secpolicy *ip4_def_policy;
123 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
124 int ip4_esp_randpad = -1;
125
126 static int sp_cachegen = 1; /* cache generation # */
127
128 SYSCTL_DECL(_net_inet_ipsec);
129 #ifdef INET6
130 SYSCTL_DECL(_net_inet6_ipsec6);
131 #endif
132
133 /* net.inet.ipsec */
134 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
135 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
136 #if 0
137 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
138 def_policy, CTLFLAG_RW, &ip4_def_policy->policy, 0, "");
139 #endif
140 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
141 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
142 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
143 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
144 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
145 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
146 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
147 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
148 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
149 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
150 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
151 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
152 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
153 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
154 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
155 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
156 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
157 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
158 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
159 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
160
161 #ifdef INET6
162 struct ipsecstat ipsec6stat;
163 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
164 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
165 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
166 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
167 struct secpolicy *ip6_def_policy;
168 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
169 int ip6_esp_randpad = -1;
170
171 /* net.inet6.ipsec6 */
172 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
173 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
174 #if 0
175 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
176 def_policy, CTLFLAG_RW, &ip6_def_policy->policy, 0, "");
177 #endif
178 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
179 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
180 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
181 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
182 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
183 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
184 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
185 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
186 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
187 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
188 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
189 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
190 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
191 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
192 #endif /* INET6 */
193
194 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
195 struct inpcbpolicy *, int));
196 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
197 struct secpolicy *, int));
198 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int));
199 static int ipsec_setspidx_mbuf
200 __P((struct secpolicyindex *, int, struct mbuf *, int));
201 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
202 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
203 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
204 #ifdef INET6
205 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
206 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
207 #endif
208 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
209 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
210 #if 0
211 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *));
212 #endif
213 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *));
214 static int ipsec_set_policy
215 __P((struct secpolicy **, int, caddr_t, size_t, int));
216 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
217 static void vshiftl __P((unsigned char *, int, int));
218 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
219 static size_t ipsec_hdrsiz __P((struct secpolicy *));
220 #ifdef INET
221 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
222 #endif
223 #ifdef INET6
224 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
225 #endif
226 #ifdef INET
227 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
228 #endif
229 #ifdef INET6
230 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
231 #endif
232 static struct ipsecaux *ipsec_addaux __P((struct mbuf *));
233 static struct ipsecaux *ipsec_findaux __P((struct mbuf *));
234 static void ipsec_optaux __P((struct mbuf *, struct ipsecaux *));
235 #ifdef INET
236 static int ipsec4_checksa __P((struct ipsecrequest *,
237 struct ipsec_output_state *));
238 #endif
239 #ifdef INET6
240 static int ipsec6_checksa __P((struct ipsecrequest *,
241 struct ipsec_output_state *, int));
242 #endif
243
244 /*
245 * try to validate and use cached policy on a pcb.
246 */
247 static struct secpolicy *
248 ipsec_checkpcbcache(m, pcbsp, dir)
249 struct mbuf *m;
250 struct inpcbpolicy *pcbsp;
251 int dir;
252 {
253 struct secpolicyindex spidx;
254 struct timeval mono_time;
255
256 microtime(&mono_time);
257
258 switch (dir) {
259 case IPSEC_DIR_INBOUND:
260 case IPSEC_DIR_OUTBOUND:
261 case IPSEC_DIR_ANY:
262 break;
263 default:
264 return NULL;
265 }
266 #ifdef DIAGNOSTIC
267 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0]))
268 panic("dir too big in ipsec_checkpcbcache");
269 #endif
270 /* SPD table change invalidates all the caches */
271 if (pcbsp->cachegen[dir] == 0 || sp_cachegen > pcbsp->cachegen[dir]) {
272 ipsec_invalpcbcache(pcbsp, dir);
273 return NULL;
274 }
275 if (!pcbsp->cache[dir])
276 return NULL;
277 if (pcbsp->cache[dir]->state != IPSEC_SPSTATE_ALIVE) {
278 ipsec_invalpcbcache(pcbsp, dir);
279 return NULL;
280 }
281 if ((pcbsp->cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
282 if (!pcbsp->cache[dir])
283 return NULL;
284 if (ipsec_setspidx(m, &spidx, 1) != 0)
285 return NULL;
286 if (bcmp(&pcbsp->cacheidx[dir], &spidx, sizeof(spidx))) {
287 if (!pcbsp->cache[dir]->spidx ||
288 !key_cmpspidx_withmask(pcbsp->cache[dir]->spidx,
289 &spidx))
290 return NULL;
291 pcbsp->cacheidx[dir] = spidx;
292 }
293 } else {
294 /*
295 * The pcb is connected, and the L4 code is sure that:
296 * - outgoing side uses inp_[lf]addr
297 * - incoming side looks up policy after inpcb lookup
298 * and address pair is known to be stable. We do not need
299 * to generate spidx again, nor check the address match again.
300 *
301 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds
302 * and there are calls to ipsec_pcbconn() from in_pcbconnect().
303 */
304 }
305
306 pcbsp->cache[dir]->lastused = mono_time.tv_sec;
307 pcbsp->cache[dir]->refcnt++;
308 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
309 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n",
310 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir]));
311 return pcbsp->cache[dir];
312 }
313
314 static int
315 ipsec_fillpcbcache(pcbsp, m, sp, dir)
316 struct inpcbpolicy *pcbsp;
317 struct mbuf *m;
318 struct secpolicy *sp;
319 int dir;
320 {
321
322 switch (dir) {
323 case IPSEC_DIR_INBOUND:
324 case IPSEC_DIR_OUTBOUND:
325 break;
326 default:
327 return EINVAL;
328 }
329 #ifdef DIAGNOSTIC
330 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0]))
331 panic("dir too big in ipsec_checkpcbcache");
332 #endif
333
334 if (pcbsp->cache[dir])
335 key_freesp(pcbsp->cache[dir]);
336 pcbsp->cache[dir] = NULL;
337 if (ipsec_setspidx(m, &pcbsp->cacheidx[dir], 1) != 0) {
338 return EINVAL;
339 }
340 pcbsp->cache[dir] = sp;
341 if (pcbsp->cache[dir]) {
342 pcbsp->cache[dir]->refcnt++;
343 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
344 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n",
345 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir]));
346 }
347 pcbsp->cachegen[dir] = sp_cachegen;
348
349 return 0;
350 }
351
352 static int
353 ipsec_invalpcbcache(pcbsp, dir)
354 struct inpcbpolicy *pcbsp;
355 int dir;
356 {
357 int i;
358
359 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
360 if (dir != IPSEC_DIR_ANY && i != dir)
361 continue;
362 if (pcbsp->cache[i])
363 key_freesp(pcbsp->cache[i]);
364 pcbsp->cache[i] = NULL;
365 pcbsp->cachegen[i] = 0;
366 bzero(&pcbsp->cacheidx[i], sizeof(pcbsp->cacheidx[i]));
367 }
368 return 0;
369 }
370
371 int
372 ipsec_pcbconn(pcbsp)
373 struct inpcbpolicy *pcbsp;
374 {
375
376 pcbsp->cacheflags |= IPSEC_PCBSP_CONNECTED;
377 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
378 return 0;
379 }
380
381 int
382 ipsec_pcbdisconn(pcbsp)
383 struct inpcbpolicy *pcbsp;
384 {
385
386 pcbsp->cacheflags &= ~IPSEC_PCBSP_CONNECTED;
387 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
388 return 0;
389 }
390
391 int
392 ipsec_invalpcbcacheall()
393 {
394
395 sp_cachegen++;
396 return 0;
397 }
398
399 /*
400 * For OUTBOUND packet having a socket. Searching SPD for packet,
401 * and return a pointer to SP.
402 * OUT: NULL: no apropreate SP found, the following value is set to error.
403 * 0 : bypass
404 * EACCES : discard packet.
405 * ENOENT : ipsec_acquire() in progress, maybe.
406 * others : error occured.
407 * others: a pointer to SP
408 *
409 * NOTE: IPv6 mapped adddress concern is implemented here.
410 */
411 struct secpolicy *
412 ipsec4_getpolicybysock(m, dir, so, error)
413 struct mbuf *m;
414 u_int dir;
415 struct socket *so;
416 int *error;
417 {
418 struct inpcbpolicy *pcbsp = NULL;
419 struct secpolicy *currsp = NULL; /* policy on socket */
420 struct secpolicy *kernsp = NULL; /* policy on kernel */
421 struct secpolicyindex spidx;
422 u_int16_t tag;
423
424 /* sanity check */
425 if (m == NULL || so == NULL || error == NULL)
426 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
427
428 switch (so->so_proto->pr_domain->dom_family) {
429 case AF_INET:
430 pcbsp = sotoinpcb(so)->inp_sp;
431 break;
432 #ifdef INET6
433 case AF_INET6:
434 pcbsp = sotoin6pcb(so)->in6p_sp;
435 break;
436 #endif
437 default:
438 panic("ipsec4_getpolicybysock: unsupported address family");
439 }
440
441 #ifdef DIAGNOSTIC
442 if (pcbsp == NULL)
443 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
444 #endif
445
446 tag = 0;
447
448 /* if we have a cached entry, and if it is still valid, use it. */
449 ipsecstat.spdcachelookup++;
450 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
451 if (currsp) {
452 *error = 0;
453 return currsp;
454 }
455 ipsecstat.spdcachemiss++;
456
457 switch (dir) {
458 case IPSEC_DIR_INBOUND:
459 currsp = pcbsp->sp_in;
460 break;
461 case IPSEC_DIR_OUTBOUND:
462 currsp = pcbsp->sp_out;
463 break;
464 default:
465 panic("ipsec4_getpolicybysock: illegal direction.");
466 }
467
468 /* sanity check */
469 if (currsp == NULL)
470 panic("ipsec4_getpolicybysock: currsp is NULL.");
471
472 /* when privilieged socket */
473 if (pcbsp->priv) {
474 switch (currsp->policy) {
475 case IPSEC_POLICY_BYPASS:
476 currsp->refcnt++;
477 *error = 0;
478 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
479 return currsp;
480
481 case IPSEC_POLICY_ENTRUST:
482 /* look for a policy in SPD */
483 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
484 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
485 /* SP found */
486 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
487 printf("DP ipsec4_getpolicybysock called "
488 "to allocate SP:%p\n", kernsp));
489 *error = 0;
490 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
491 return kernsp;
492 }
493
494 /* no SP found */
495 ip4_def_policy->refcnt++;
496 *error = 0;
497 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
498 return ip4_def_policy;
499
500 case IPSEC_POLICY_IPSEC:
501 currsp->refcnt++;
502 *error = 0;
503 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
504 return currsp;
505
506 default:
507 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
508 "Invalid policy for PCB %d\n", currsp->policy));
509 *error = EINVAL;
510 return NULL;
511 }
512 /* NOTREACHED */
513 }
514
515 /* when non-privilieged socket */
516 /* look for a policy in SPD */
517 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
518 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
519 /* SP found */
520 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
521 printf("DP ipsec4_getpolicybysock called "
522 "to allocate SP:%p\n", kernsp));
523 *error = 0;
524 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
525 return kernsp;
526 }
527
528 /* no SP found */
529 switch (currsp->policy) {
530 case IPSEC_POLICY_BYPASS:
531 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
532 "Illegal policy for non-priviliged defined %d\n",
533 currsp->policy));
534 *error = EINVAL;
535 return NULL;
536
537 case IPSEC_POLICY_ENTRUST:
538 ip4_def_policy->refcnt++;
539 *error = 0;
540 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
541 return ip4_def_policy;
542
543 case IPSEC_POLICY_IPSEC:
544 currsp->refcnt++;
545 *error = 0;
546 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
547 return currsp;
548
549 default:
550 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
551 "Invalid policy for PCB %d\n", currsp->policy));
552 *error = EINVAL;
553 return NULL;
554 }
555 /* NOTREACHED */
556 }
557
558 /*
559 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
560 * and return a pointer to SP.
561 * OUT: positive: a pointer to the entry for security policy leaf matched.
562 * NULL: no apropreate SP found, the following value is set to error.
563 * 0 : bypass
564 * EACCES : discard packet.
565 * ENOENT : ipsec_acquire() in progress, maybe.
566 * others : error occured.
567 */
568 struct secpolicy *
569 ipsec4_getpolicybyaddr(m, dir, flag, error)
570 struct mbuf *m;
571 u_int dir;
572 int flag;
573 int *error;
574 {
575 struct secpolicy *sp = NULL;
576 u_int16_t tag;
577
578 /* sanity check */
579 if (m == NULL || error == NULL)
580 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
581
582 /* get a policy entry matched with the packet */
583 {
584 struct secpolicyindex spidx;
585
586 bzero(&spidx, sizeof(spidx));
587
588 /* make an index to look for a policy */
589 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m,
590 (flag & IP_FORWARDING) ? 0 : 1);
591
592 if (*error != 0)
593 return NULL;
594
595 tag = 0;
596
597 sp = key_allocsp(tag, &spidx, dir);
598 }
599
600 /* SP found */
601 if (sp != NULL) {
602 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
603 printf("DP ipsec4_getpolicybyaddr called "
604 "to allocate SP:%p\n", sp));
605 *error = 0;
606 return sp;
607 }
608
609 /* no SP found */
610 ip4_def_policy->refcnt++;
611 *error = 0;
612 return ip4_def_policy;
613 }
614
615 #ifdef INET6
616 /*
617 * For OUTBOUND packet having a socket. Searching SPD for packet,
618 * and return a pointer to SP.
619 * OUT: NULL: no apropreate SP found, the following value is set to error.
620 * 0 : bypass
621 * EACCES : discard packet.
622 * ENOENT : ipsec_acquire() in progress, maybe.
623 * others : error occured.
624 * others: a pointer to SP
625 */
626 struct secpolicy *
627 ipsec6_getpolicybysock(m, dir, so, error)
628 struct mbuf *m;
629 u_int dir;
630 struct socket *so;
631 int *error;
632 {
633 struct inpcbpolicy *pcbsp = NULL;
634 struct secpolicy *currsp = NULL; /* policy on socket */
635 struct secpolicy *kernsp = NULL; /* policy on kernel */
636 struct secpolicyindex spidx;
637 u_int16_t tag;
638
639 /* sanity check */
640 if (m == NULL || so == NULL || error == NULL)
641 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
642
643 #ifdef DIAGNOSTIC
644 if (so->so_proto->pr_domain->dom_family != AF_INET6)
645 panic("ipsec6_getpolicybysock: socket domain != inet6");
646 #endif
647
648 pcbsp = sotoin6pcb(so)->in6p_sp;
649
650 #ifdef DIAGNOSTIC
651 if (pcbsp == NULL)
652 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
653 #endif
654
655 tag = 0;
656
657 /* if we have a cached entry, and if it is still valid, use it. */
658 ipsec6stat.spdcachelookup++;
659 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
660 if (currsp) {
661 *error = 0;
662 return currsp;
663 }
664 ipsec6stat.spdcachemiss++;
665
666 switch (dir) {
667 case IPSEC_DIR_INBOUND:
668 currsp = pcbsp->sp_in;
669 break;
670 case IPSEC_DIR_OUTBOUND:
671 currsp = pcbsp->sp_out;
672 break;
673 default:
674 panic("ipsec6_getpolicybysock: illegal direction.");
675 }
676
677 /* sanity check */
678 if (currsp == NULL)
679 panic("ipsec6_getpolicybysock: currsp is NULL.");
680
681 /* when privilieged socket */
682 if (pcbsp->priv) {
683 switch (currsp->policy) {
684 case IPSEC_POLICY_BYPASS:
685 currsp->refcnt++;
686 *error = 0;
687 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
688 return currsp;
689
690 case IPSEC_POLICY_ENTRUST:
691 /* look for a policy in SPD */
692 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
693 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
694 /* SP found */
695 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
696 printf("DP ipsec6_getpolicybysock called "
697 "to allocate SP:%p\n", kernsp));
698 *error = 0;
699 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
700 return kernsp;
701 }
702
703 /* no SP found */
704 ip6_def_policy->refcnt++;
705 *error = 0;
706 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
707 return ip6_def_policy;
708
709 case IPSEC_POLICY_IPSEC:
710 currsp->refcnt++;
711 *error = 0;
712 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
713 return currsp;
714
715 default:
716 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
717 "Invalid policy for PCB %d\n", currsp->policy));
718 *error = EINVAL;
719 return NULL;
720 }
721 /* NOTREACHED */
722 }
723
724 /* when non-privilieged socket */
725 /* look for a policy in SPD */
726 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
727 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
728 /* SP found */
729 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
730 printf("DP ipsec6_getpolicybysock called "
731 "to allocate SP:%p\n", kernsp));
732 *error = 0;
733 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
734 return kernsp;
735 }
736
737 /* no SP found */
738 switch (currsp->policy) {
739 case IPSEC_POLICY_BYPASS:
740 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
741 "Illegal policy for non-priviliged defined %d\n",
742 currsp->policy));
743 *error = EINVAL;
744 return NULL;
745
746 case IPSEC_POLICY_ENTRUST:
747 ip6_def_policy->refcnt++;
748 *error = 0;
749 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
750 return ip6_def_policy;
751
752 case IPSEC_POLICY_IPSEC:
753 currsp->refcnt++;
754 *error = 0;
755 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
756 return currsp;
757
758 default:
759 ipseclog((LOG_ERR,
760 "ipsec6_policybysock: Invalid policy for PCB %d\n",
761 currsp->policy));
762 *error = EINVAL;
763 return NULL;
764 }
765 /* NOTREACHED */
766 }
767
768 /*
769 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
770 * and return a pointer to SP.
771 * `flag' means that packet is to be forwarded whether or not.
772 * flag = 1: forwad
773 * OUT: positive: a pointer to the entry for security policy leaf matched.
774 * NULL: no apropreate SP found, the following value is set to error.
775 * 0 : bypass
776 * EACCES : discard packet.
777 * ENOENT : ipsec_acquire() in progress, maybe.
778 * others : error occured.
779 */
780 #ifndef IP_FORWARDING
781 #define IP_FORWARDING 1
782 #endif
783
784 struct secpolicy *
785 ipsec6_getpolicybyaddr(m, dir, flag, error)
786 struct mbuf *m;
787 u_int dir;
788 int flag;
789 int *error;
790 {
791 struct secpolicy *sp = NULL;
792 u_int16_t tag;
793
794 /* sanity check */
795 if (m == NULL || error == NULL)
796 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
797
798 /* get a policy entry matched with the packet */
799 {
800 struct secpolicyindex spidx;
801
802 bzero(&spidx, sizeof(spidx));
803
804 /* make an index to look for a policy */
805 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m,
806 (flag & IP_FORWARDING) ? 0 : 1);
807
808 if (*error != 0)
809 return NULL;
810
811 tag = 0;
812
813 sp = key_allocsp(tag, &spidx, dir);
814 }
815
816 /* SP found */
817 if (sp != NULL) {
818 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
819 printf("DP ipsec6_getpolicybyaddr called "
820 "to allocate SP:%p\n", sp));
821 *error = 0;
822 return sp;
823 }
824
825 /* no SP found */
826 ip6_def_policy->refcnt++;
827 *error = 0;
828 return ip6_def_policy;
829 }
830 #endif /* INET6 */
831
832 /*
833 * set IP address into spidx from mbuf.
834 * When Forwarding packet and ICMP echo reply, this function is used.
835 *
836 * IN: get the followings from mbuf.
837 * protocol family, src, dst, next protocol
838 * OUT:
839 * 0: success.
840 * other: failure, and set errno.
841 */
842 int
843 ipsec_setspidx_mbuf(spidx, family, m, needport)
844 struct secpolicyindex *spidx;
845 int family;
846 struct mbuf *m;
847 int needport;
848 {
849 int error;
850
851 /* sanity check */
852 if (spidx == NULL || m == NULL)
853 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
854
855 bzero(spidx, sizeof(*spidx));
856
857 error = ipsec_setspidx(m, spidx, needport);
858 if (error)
859 goto bad;
860
861 return 0;
862
863 bad:
864 /* XXX initialize */
865 bzero(spidx, sizeof(*spidx));
866 return EINVAL;
867 }
868
869 /*
870 * configure security policy index (src/dst/proto/sport/dport)
871 * by looking at the content of mbuf.
872 * the caller is responsible for error recovery (like clearing up spidx).
873 */
874 static int
875 ipsec_setspidx(m, spidx, needport)
876 struct mbuf *m;
877 struct secpolicyindex *spidx;
878 int needport;
879 {
880 struct ip *ip = NULL;
881 struct ip ipbuf;
882 u_int v;
883 struct mbuf *n;
884 int len;
885 int error;
886
887 if (m == NULL)
888 panic("ipsec_setspidx: m == 0 passed.");
889
890 bzero(spidx, sizeof(*spidx));
891
892 /*
893 * validate m->m_pkthdr.len. we see incorrect length if we
894 * mistakenly call this function with inconsistent mbuf chain
895 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
896 */
897 len = 0;
898 for (n = m; n; n = n->m_next)
899 len += n->m_len;
900 if (m->m_pkthdr.len != len) {
901 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
902 printf("ipsec_setspidx: "
903 "total of m_len(%d) != pkthdr.len(%d), "
904 "ignored.\n",
905 len, m->m_pkthdr.len));
906 return EINVAL;
907 }
908
909 if (m->m_pkthdr.len < sizeof(struct ip)) {
910 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
911 printf("ipsec_setspidx: "
912 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
913 m->m_pkthdr.len));
914 return EINVAL;
915 }
916
917 if (m->m_len >= sizeof(*ip))
918 ip = mtod(m, struct ip *);
919 else {
920 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
921 ip = &ipbuf;
922 }
923 #ifdef _IP_VHL
924 v = _IP_VHL_V(ip->ip_vhl);
925 #else
926 v = ip->ip_v;
927 #endif
928 switch (v) {
929 case 4:
930 error = ipsec4_setspidx_ipaddr(m, spidx);
931 if (error)
932 return error;
933 ipsec4_get_ulp(m, spidx, needport);
934 return 0;
935 #ifdef INET6
936 case 6:
937 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
938 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
939 printf("ipsec_setspidx: "
940 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
941 "ignored.\n", m->m_pkthdr.len));
942 return EINVAL;
943 }
944 error = ipsec6_setspidx_ipaddr(m, spidx);
945 if (error)
946 return error;
947 ipsec6_get_ulp(m, spidx, needport);
948 return 0;
949 #endif
950 default:
951 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
952 printf("ipsec_setspidx: "
953 "unknown IP version %u, ignored.\n", v));
954 return EINVAL;
955 }
956 }
957
958 static void
959 ipsec4_get_ulp(m, spidx, needport)
960 struct mbuf *m;
961 struct secpolicyindex *spidx;
962 int needport;
963 {
964 struct ip ip;
965 struct ip6_ext ip6e;
966 u_int8_t nxt;
967 int off;
968 struct tcphdr th;
969 struct udphdr uh;
970
971 /* sanity check */
972 if (m == NULL)
973 panic("ipsec4_get_ulp: NULL pointer was passed.");
974 if (m->m_pkthdr.len < sizeof(ip))
975 panic("ipsec4_get_ulp: too short");
976
977 /* set default */
978 spidx->ul_proto = IPSEC_ULPROTO_ANY;
979 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
980 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
981
982 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
983 /* ip_input() flips it into host endian XXX need more checking */
984 if (ip.ip_off & (IP_MF | IP_OFFMASK))
985 return;
986
987 nxt = ip.ip_p;
988 #ifdef _IP_VHL
989 off = _IP_VHL_HL(ip->ip_vhl) << 2;
990 #else
991 off = ip.ip_hl << 2;
992 #endif
993 while (off < m->m_pkthdr.len) {
994 switch (nxt) {
995 case IPPROTO_TCP:
996 spidx->ul_proto = nxt;
997 if (!needport)
998 return;
999 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1000 return;
1001 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1002 ((struct sockaddr_in *)&spidx->src)->sin_port =
1003 th.th_sport;
1004 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1005 th.th_dport;
1006 return;
1007 case IPPROTO_UDP:
1008 spidx->ul_proto = nxt;
1009 if (!needport)
1010 return;
1011 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1012 return;
1013 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1014 ((struct sockaddr_in *)&spidx->src)->sin_port =
1015 uh.uh_sport;
1016 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1017 uh.uh_dport;
1018 return;
1019 case IPPROTO_AH:
1020 if (m->m_pkthdr.len > off + sizeof(ip6e))
1021 return;
1022 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1023 off += (ip6e.ip6e_len + 2) << 2;
1024 nxt = ip6e.ip6e_nxt;
1025 break;
1026 case IPPROTO_ICMP:
1027 default:
1028 /* XXX intermediate headers??? */
1029 spidx->ul_proto = nxt;
1030 return;
1031 }
1032 }
1033 }
1034
1035 /* assumes that m is sane */
1036 static int
1037 ipsec4_setspidx_ipaddr(m, spidx)
1038 struct mbuf *m;
1039 struct secpolicyindex *spidx;
1040 {
1041 struct ip *ip = NULL;
1042 struct ip ipbuf;
1043 struct sockaddr_in *sin;
1044
1045 if (m->m_len >= sizeof(*ip))
1046 ip = mtod(m, struct ip *);
1047 else {
1048 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1049 ip = &ipbuf;
1050 }
1051
1052 sin = (struct sockaddr_in *)&spidx->src;
1053 bzero(sin, sizeof(*sin));
1054 sin->sin_family = AF_INET;
1055 sin->sin_len = sizeof(struct sockaddr_in);
1056 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1057 spidx->prefs = sizeof(struct in_addr) << 3;
1058
1059 sin = (struct sockaddr_in *)&spidx->dst;
1060 bzero(sin, sizeof(*sin));
1061 sin->sin_family = AF_INET;
1062 sin->sin_len = sizeof(struct sockaddr_in);
1063 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1064 spidx->prefd = sizeof(struct in_addr) << 3;
1065 return 0;
1066 }
1067
1068 #ifdef INET6
1069 static void
1070 ipsec6_get_ulp(m, spidx, needport)
1071 struct mbuf *m;
1072 struct secpolicyindex *spidx;
1073 int needport;
1074 {
1075 int off, nxt;
1076 struct tcphdr th;
1077 struct udphdr uh;
1078 struct icmp6_hdr ih;
1079
1080 /* sanity check */
1081 if (m == NULL)
1082 panic("ipsec6_get_ulp: NULL pointer was passed.");
1083
1084 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1085 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1086
1087 /* set default */
1088 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1089 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1090 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1091
1092 nxt = -1;
1093 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1094 if (off < 0 || m->m_pkthdr.len < off)
1095 return;
1096
1097 switch (nxt) {
1098 case IPPROTO_TCP:
1099 spidx->ul_proto = nxt;
1100 if (!needport)
1101 break;
1102 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1103 break;
1104 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1105 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1106 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1107 break;
1108 case IPPROTO_UDP:
1109 spidx->ul_proto = nxt;
1110 if (!needport)
1111 break;
1112 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1113 break;
1114 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1115 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1116 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1117 break;
1118 case IPPROTO_ICMPV6:
1119 spidx->ul_proto = nxt;
1120 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
1121 break;
1122 m_copydata(m, off, sizeof(ih), (caddr_t)&ih);
1123 ((struct sockaddr_in6 *)&spidx->src)->sin6_port =
1124 htons((u_int16_t)ih.icmp6_type);
1125 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
1126 htons((u_int16_t)ih.icmp6_code);
1127 break;
1128 default:
1129 /* XXX intermediate headers??? */
1130 spidx->ul_proto = nxt;
1131 break;
1132 }
1133 }
1134
1135 /* assumes that m is sane */
1136 static int
1137 ipsec6_setspidx_ipaddr(m, spidx)
1138 struct mbuf *m;
1139 struct secpolicyindex *spidx;
1140 {
1141 struct ip6_hdr *ip6 = NULL;
1142 struct ip6_hdr ip6buf;
1143 struct sockaddr_in6 *sin6;
1144
1145 if (m->m_len >= sizeof(*ip6))
1146 ip6 = mtod(m, struct ip6_hdr *);
1147 else {
1148 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1149 ip6 = &ip6buf;
1150 }
1151
1152 sin6 = (struct sockaddr_in6 *)&spidx->src;
1153 bzero(sin6, sizeof(*sin6));
1154 sin6->sin6_family = AF_INET6;
1155 sin6->sin6_len = sizeof(struct sockaddr_in6);
1156 in6_recoverscope(sin6, &ip6->ip6_src, NULL);
1157 spidx->prefs = sizeof(struct in6_addr) << 3;
1158
1159 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1160 bzero(sin6, sizeof(*sin6));
1161 sin6->sin6_family = AF_INET6;
1162 sin6->sin6_len = sizeof(struct sockaddr_in6);
1163 in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
1164 spidx->prefd = sizeof(struct in6_addr) << 3;
1165
1166 return 0;
1167 }
1168 #endif
1169
1170 static struct inpcbpolicy *
1171 ipsec_newpcbpolicy()
1172 {
1173 struct inpcbpolicy *p;
1174
1175 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
1176 return p;
1177 }
1178
1179 static void
1180 ipsec_delpcbpolicy(p)
1181 struct inpcbpolicy *p;
1182 {
1183
1184 free(p, M_SECA);
1185 }
1186
1187 /* initialize policy in PCB */
1188 int
1189 ipsec_init_pcbpolicy(so, pcb_sp)
1190 struct socket *so;
1191 struct inpcbpolicy **pcb_sp;
1192 {
1193 struct inpcbpolicy *new;
1194 static int initialized = 0;
1195 static struct secpolicy *in = NULL, *out = NULL;
1196
1197 /* sanity check. */
1198 if (so == NULL || pcb_sp == NULL)
1199 panic("ipsec_init_pcbpolicy: NULL pointer was passed.");
1200
1201 if (!initialized) {
1202 if ((in = key_newsp(0)) == NULL)
1203 return ENOBUFS;
1204 if ((out = key_newsp(0)) == NULL) {
1205 key_freesp(in);
1206 in = NULL;
1207 return ENOBUFS;
1208 }
1209
1210 in->state = IPSEC_SPSTATE_ALIVE;
1211 in->policy = IPSEC_POLICY_ENTRUST;
1212 in->dir = IPSEC_DIR_INBOUND;
1213 in->readonly = 1;
1214 in->persist = 1;
1215 in->so = NULL;
1216
1217 out->state = IPSEC_SPSTATE_ALIVE;
1218 out->policy = IPSEC_POLICY_ENTRUST;
1219 out->dir = IPSEC_DIR_OUTBOUND;
1220 out->readonly = 1;
1221 out->persist = 1;
1222 out->so = NULL;
1223
1224 initialized++;
1225 }
1226
1227 new = ipsec_newpcbpolicy();
1228 if (new == NULL) {
1229 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n"));
1230 return ENOBUFS;
1231 }
1232 bzero(new, sizeof(*new));
1233
1234 if (so->so_cred != 0 && so->so_cred->cr_uid == 0)
1235 new->priv = 1;
1236 else
1237 new->priv = 0;
1238
1239 new->sp_in = in;
1240 new->sp_in->refcnt++;
1241 new->sp_out = out;
1242 new->sp_out->refcnt++;
1243
1244 *pcb_sp = new;
1245
1246 return 0;
1247 }
1248
1249 /* copy old ipsec policy into new */
1250 int
1251 ipsec_copy_pcbpolicy(old, new)
1252 struct inpcbpolicy *old, *new;
1253 {
1254
1255 if (new->sp_in)
1256 key_freesp(new->sp_in);
1257 if (old->sp_in->policy == IPSEC_POLICY_IPSEC)
1258 new->sp_in = ipsec_deepcopy_policy(old->sp_in);
1259 else {
1260 new->sp_in = old->sp_in;
1261 new->sp_in->refcnt++;
1262 }
1263
1264 if (new->sp_out)
1265 key_freesp(new->sp_out);
1266 if (old->sp_out->policy == IPSEC_POLICY_IPSEC)
1267 new->sp_out = ipsec_deepcopy_policy(old->sp_out);
1268 else {
1269 new->sp_out = old->sp_out;
1270 new->sp_out->refcnt++;
1271 }
1272
1273 new->priv = old->priv;
1274
1275 return 0;
1276 }
1277
1278 #if 0
1279 static int
1280 ipsec_deepcopy_pcbpolicy(pcb_sp)
1281 struct inpcbpolicy *pcb_sp;
1282 {
1283 struct secpolicy *sp;
1284
1285 sp = ipsec_deepcopy_policy(pcb_sp->sp_in);
1286 if (sp) {
1287 key_freesp(pcb_sp->sp_in);
1288 pcb_sp->sp_in = sp;
1289 } else
1290 return ENOBUFS;
1291
1292 sp = ipsec_deepcopy_policy(pcb_sp->sp_out);
1293 if (sp) {
1294 key_freesp(pcb_sp->sp_out);
1295 pcb_sp->sp_out = sp;
1296 } else
1297 return ENOBUFS;
1298
1299 return 0;
1300 }
1301 #endif
1302
1303 /* deep-copy a policy in PCB */
1304 static struct secpolicy *
1305 ipsec_deepcopy_policy(src)
1306 struct secpolicy *src;
1307 {
1308 struct ipsecrequest *newchain = NULL;
1309 struct ipsecrequest *p;
1310 struct ipsecrequest **q;
1311 struct ipsecrequest *r;
1312 struct secpolicy *dst;
1313
1314 if (src == NULL)
1315 return NULL;
1316
1317 dst = key_newsp(0);
1318 if (dst == NULL)
1319 return NULL;
1320
1321 /*
1322 * deep-copy IPsec request chain. This is required since struct
1323 * ipsecrequest is not reference counted.
1324 */
1325 q = &newchain;
1326 for (p = src->req; p; p = p->next) {
1327 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
1328 M_SECA, M_NOWAIT);
1329 if (*q == NULL)
1330 goto fail;
1331 bzero(*q, sizeof(**q));
1332 (*q)->next = NULL;
1333
1334 (*q)->saidx.proto = p->saidx.proto;
1335 (*q)->saidx.mode = p->saidx.mode;
1336 (*q)->level = p->level;
1337 (*q)->saidx.reqid = p->saidx.reqid;
1338
1339 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1340 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1341
1342 (*q)->sav = NULL;
1343 (*q)->sp = dst;
1344
1345 q = &((*q)->next);
1346 }
1347
1348 if (src->spidx)
1349 if (keydb_setsecpolicyindex(dst, src->spidx) != 0)
1350 goto fail;
1351
1352 dst->req = newchain;
1353 dst->state = src->state;
1354 dst->policy = src->policy;
1355 dst->dir = src->dir;
1356 dst->so = src->so;
1357 /* do not touch the refcnt fields */
1358
1359 return dst;
1360
1361 fail:
1362 for (p = newchain; p; p = r) {
1363 r = p->next;
1364 free(p, M_SECA);
1365 p = NULL;
1366 }
1367 key_freesp(dst);
1368 return NULL;
1369 }
1370
1371 /* set policy and ipsec request if present. */
1372 static int
1373 ipsec_set_policy(spp, optname, request, len, priv)
1374 struct secpolicy **spp;
1375 int optname;
1376 caddr_t request;
1377 size_t len;
1378 int priv;
1379 {
1380 struct sadb_x_policy *xpl;
1381 struct secpolicy *newsp = NULL;
1382 int error;
1383
1384 /* sanity check. */
1385 if (spp == NULL || *spp == NULL || request == NULL)
1386 return EINVAL;
1387 if (len < sizeof(*xpl))
1388 return EINVAL;
1389 xpl = (struct sadb_x_policy *)request;
1390
1391 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1392 printf("ipsec_set_policy: passed policy\n");
1393 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1394
1395 /* check policy type */
1396 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1397 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
1398 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1399 return EINVAL;
1400
1401 /* check privileged socket */
1402 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1403 return EACCES;
1404
1405 /* allocation new SP entry */
1406 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1407 return error;
1408
1409 newsp->state = IPSEC_SPSTATE_ALIVE;
1410
1411 /* clear old SP and set new SP */
1412 key_freesp(*spp);
1413 *spp = newsp;
1414 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1415 printf("ipsec_set_policy: new policy\n");
1416 kdebug_secpolicy(newsp));
1417
1418 return 0;
1419 }
1420
1421 static int
1422 ipsec_get_policy(sp, mp)
1423 struct secpolicy *sp;
1424 struct mbuf **mp;
1425 {
1426
1427 /* sanity check. */
1428 if (sp == NULL || mp == NULL)
1429 return EINVAL;
1430
1431 *mp = key_sp2msg(sp);
1432 if (!*mp) {
1433 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1434 return ENOBUFS;
1435 }
1436
1437 (*mp)->m_type = MT_DATA;
1438 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1439 printf("ipsec_get_policy:\n");
1440 kdebug_mbuf(*mp));
1441
1442 return 0;
1443 }
1444
1445 int
1446 ipsec4_set_policy(inp, optname, request, len, priv)
1447 struct inpcb *inp;
1448 int optname;
1449 caddr_t request;
1450 size_t len;
1451 int priv;
1452 {
1453 struct sadb_x_policy *xpl;
1454 struct secpolicy **spp;
1455
1456 /* sanity check. */
1457 if (inp == NULL || request == NULL)
1458 return EINVAL;
1459 if (len < sizeof(*xpl))
1460 return EINVAL;
1461 xpl = (struct sadb_x_policy *)request;
1462
1463 /* select direction */
1464 switch (xpl->sadb_x_policy_dir) {
1465 case IPSEC_DIR_INBOUND:
1466 spp = &inp->inp_sp->sp_in;
1467 break;
1468 case IPSEC_DIR_OUTBOUND:
1469 spp = &inp->inp_sp->sp_out;
1470 break;
1471 default:
1472 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1473 xpl->sadb_x_policy_dir));
1474 return EINVAL;
1475 }
1476
1477 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1478 return ipsec_set_policy(spp, optname, request, len, priv);
1479 }
1480
1481 int
1482 ipsec4_get_policy(inp, request, len, mp)
1483 struct inpcb *inp;
1484 caddr_t request;
1485 size_t len;
1486 struct mbuf **mp;
1487 {
1488 struct sadb_x_policy *xpl;
1489 struct secpolicy *sp;
1490
1491 /* sanity check. */
1492 if (inp == NULL || request == NULL || mp == NULL)
1493 return EINVAL;
1494 if (inp->inp_sp == NULL)
1495 panic("policy in PCB is NULL");
1496 if (len < sizeof(*xpl))
1497 return EINVAL;
1498 xpl = (struct sadb_x_policy *)request;
1499
1500 /* select direction */
1501 switch (xpl->sadb_x_policy_dir) {
1502 case IPSEC_DIR_INBOUND:
1503 sp = inp->inp_sp->sp_in;
1504 break;
1505 case IPSEC_DIR_OUTBOUND:
1506 sp = inp->inp_sp->sp_out;
1507 break;
1508 default:
1509 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n",
1510 xpl->sadb_x_policy_dir));
1511 return EINVAL;
1512 }
1513
1514 return ipsec_get_policy(sp, mp);
1515 }
1516
1517 /* delete policy in PCB */
1518 int
1519 ipsec4_delete_pcbpolicy(inp)
1520 struct inpcb *inp;
1521 {
1522 /* sanity check. */
1523 if (inp == NULL)
1524 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1525
1526 if (inp->inp_sp == NULL)
1527 return 0;
1528
1529 if (inp->inp_sp->sp_in != NULL) {
1530 key_freesp(inp->inp_sp->sp_in);
1531 inp->inp_sp->sp_in = NULL;
1532 }
1533
1534 if (inp->inp_sp->sp_out != NULL) {
1535 key_freesp(inp->inp_sp->sp_out);
1536 inp->inp_sp->sp_out = NULL;
1537 }
1538
1539 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1540
1541 ipsec_delpcbpolicy(inp->inp_sp);
1542 inp->inp_sp = NULL;
1543
1544 return 0;
1545 }
1546
1547 #ifdef INET6
1548 int
1549 ipsec6_set_policy(in6p, optname, request, len, priv)
1550 struct in6pcb *in6p;
1551 int optname;
1552 caddr_t request;
1553 size_t len;
1554 int priv;
1555 {
1556 struct sadb_x_policy *xpl;
1557 struct secpolicy **spp;
1558
1559 /* sanity check. */
1560 if (in6p == NULL || request == NULL)
1561 return EINVAL;
1562 if (len < sizeof(*xpl))
1563 return EINVAL;
1564 xpl = (struct sadb_x_policy *)request;
1565
1566 /* select direction */
1567 switch (xpl->sadb_x_policy_dir) {
1568 case IPSEC_DIR_INBOUND:
1569 spp = &in6p->in6p_sp->sp_in;
1570 break;
1571 case IPSEC_DIR_OUTBOUND:
1572 spp = &in6p->in6p_sp->sp_out;
1573 break;
1574 default:
1575 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1576 xpl->sadb_x_policy_dir));
1577 return EINVAL;
1578 }
1579
1580 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1581 return ipsec_set_policy(spp, optname, request, len, priv);
1582 }
1583
1584 int
1585 ipsec6_get_policy(in6p, request, len, mp)
1586 struct in6pcb *in6p;
1587 caddr_t request;
1588 size_t len;
1589 struct mbuf **mp;
1590 {
1591 struct sadb_x_policy *xpl;
1592 struct secpolicy *sp;
1593
1594 /* sanity check. */
1595 if (in6p == NULL || request == NULL || mp == NULL)
1596 return EINVAL;
1597 if (in6p->in6p_sp == NULL)
1598 panic("policy in PCB is NULL");
1599 if (len < sizeof(*xpl))
1600 return EINVAL;
1601 xpl = (struct sadb_x_policy *)request;
1602
1603 /* select direction */
1604 switch (xpl->sadb_x_policy_dir) {
1605 case IPSEC_DIR_INBOUND:
1606 sp = in6p->in6p_sp->sp_in;
1607 break;
1608 case IPSEC_DIR_OUTBOUND:
1609 sp = in6p->in6p_sp->sp_out;
1610 break;
1611 default:
1612 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n",
1613 xpl->sadb_x_policy_dir));
1614 return EINVAL;
1615 }
1616
1617 return ipsec_get_policy(sp, mp);
1618 }
1619
1620 int
1621 ipsec6_delete_pcbpolicy(in6p)
1622 struct in6pcb *in6p;
1623 {
1624 /* sanity check. */
1625 if (in6p == NULL)
1626 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1627
1628 if (in6p->in6p_sp == NULL)
1629 return 0;
1630
1631 if (in6p->in6p_sp->sp_in != NULL) {
1632 key_freesp(in6p->in6p_sp->sp_in);
1633 in6p->in6p_sp->sp_in = NULL;
1634 }
1635
1636 if (in6p->in6p_sp->sp_out != NULL) {
1637 key_freesp(in6p->in6p_sp->sp_out);
1638 in6p->in6p_sp->sp_out = NULL;
1639 }
1640
1641 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1642
1643 ipsec_delpcbpolicy(in6p->in6p_sp);
1644 in6p->in6p_sp = NULL;
1645
1646 return 0;
1647 }
1648 #endif
1649
1650 /*
1651 * return current level.
1652 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1653 */
1654 u_int
1655 ipsec_get_reqlevel(isr, af)
1656 struct ipsecrequest *isr;
1657 int af;
1658 {
1659 u_int level = 0;
1660 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1661
1662 /* sanity check */
1663 if (isr == NULL || isr->sp == NULL)
1664 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1665
1666 /* set default level */
1667 switch (af) {
1668 #ifdef INET
1669 case AF_INET:
1670 esp_trans_deflev = ip4_esp_trans_deflev;
1671 esp_net_deflev = ip4_esp_net_deflev;
1672 ah_trans_deflev = ip4_ah_trans_deflev;
1673 ah_net_deflev = ip4_ah_net_deflev;
1674 break;
1675 #endif
1676 #ifdef INET6
1677 case AF_INET6:
1678 esp_trans_deflev = ip6_esp_trans_deflev;
1679 esp_net_deflev = ip6_esp_net_deflev;
1680 ah_trans_deflev = ip6_ah_trans_deflev;
1681 ah_net_deflev = ip6_ah_net_deflev;
1682 break;
1683 #endif /* INET6 */
1684 default:
1685 panic("key_get_reqlevel: Unknown family. %d",
1686 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family);
1687 }
1688
1689 /* set level */
1690 switch (isr->level) {
1691 case IPSEC_LEVEL_DEFAULT:
1692 switch (isr->saidx.proto) {
1693 case IPPROTO_ESP:
1694 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1695 level = esp_net_deflev;
1696 else
1697 level = esp_trans_deflev;
1698 break;
1699 case IPPROTO_AH:
1700 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1701 level = ah_net_deflev;
1702 else
1703 level = ah_trans_deflev;
1704 case IPPROTO_IPCOMP:
1705 /*
1706 * we don't really care, as IPcomp document says that
1707 * we shouldn't compress small packets
1708 */
1709 level = IPSEC_LEVEL_USE;
1710 break;
1711 default:
1712 panic("ipsec_get_reqlevel: "
1713 "Illegal protocol defined %u\n",
1714 isr->saidx.proto);
1715 }
1716 break;
1717
1718 case IPSEC_LEVEL_USE:
1719 case IPSEC_LEVEL_REQUIRE:
1720 level = isr->level;
1721 break;
1722 case IPSEC_LEVEL_UNIQUE:
1723 level = IPSEC_LEVEL_REQUIRE;
1724 break;
1725
1726 default:
1727 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1728 isr->level);
1729 }
1730
1731 return level;
1732 }
1733
1734 /*
1735 * Check AH/ESP integrity.
1736 * OUT:
1737 * 0: valid
1738 * 1: invalid
1739 */
1740 static int
1741 ipsec_in_reject(sp, m)
1742 struct secpolicy *sp;
1743 struct mbuf *m;
1744 {
1745 struct ipsecrequest *isr;
1746 u_int level;
1747 int need_auth, need_conf, need_icv;
1748
1749 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1750 printf("ipsec_in_reject: using SP\n");
1751 kdebug_secpolicy(sp));
1752
1753 /* check policy */
1754 switch (sp->policy) {
1755 case IPSEC_POLICY_DISCARD:
1756 return 1;
1757 case IPSEC_POLICY_BYPASS:
1758 case IPSEC_POLICY_NONE:
1759 return 0;
1760
1761 case IPSEC_POLICY_IPSEC:
1762 break;
1763
1764 case IPSEC_POLICY_ENTRUST:
1765 default:
1766 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy);
1767 }
1768
1769 need_auth = 0;
1770 need_conf = 0;
1771 need_icv = 0;
1772
1773 /* XXX should compare policy against ipsec header history */
1774
1775 for (isr = sp->req; isr != NULL; isr = isr->next) {
1776 /* get current level */
1777 level = ipsec_get_reqlevel(isr, AF_INET);
1778
1779 switch (isr->saidx.proto) {
1780 case IPPROTO_ESP:
1781 if (level == IPSEC_LEVEL_REQUIRE) {
1782 need_conf++;
1783
1784 if (isr->sav != NULL
1785 && isr->sav->flags == SADB_X_EXT_NONE
1786 && isr->sav->alg_auth != SADB_AALG_NONE)
1787 need_icv++;
1788 }
1789 break;
1790 case IPPROTO_AH:
1791 if (level == IPSEC_LEVEL_REQUIRE) {
1792 need_auth++;
1793 need_icv++;
1794 }
1795 break;
1796 case IPPROTO_IPCOMP:
1797 /*
1798 * we don't really care, as IPcomp document says that
1799 * we shouldn't compress small packets, IPComp policy
1800 * should always be treated as being in "use" level.
1801 */
1802 break;
1803 }
1804 }
1805
1806 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1807 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1808 need_auth, need_conf, need_icv, m->m_flags));
1809
1810 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1811 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1812 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1813 return 1;
1814
1815 return 0;
1816 }
1817
1818 /*
1819 * Check AH/ESP integrity.
1820 * This function is called from tcp_input(), udp_input(),
1821 * and {ah,esp}4_input for tunnel mode
1822 */
1823 int
1824 ipsec4_in_reject_so(m, so)
1825 struct mbuf *m;
1826 struct socket *so;
1827 {
1828 struct secpolicy *sp = NULL;
1829 int error;
1830 int result;
1831
1832 /* sanity check */
1833 if (m == NULL)
1834 return 0; /* XXX should be panic ? */
1835
1836 /* get SP for this packet.
1837 * When we are called from ip_forward(), we call
1838 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1839 */
1840 if (so == NULL)
1841 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1842 IP_FORWARDING, &error);
1843 else
1844 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1845
1846 /* XXX should be panic ? -> No, there may be error. */
1847 if (sp == NULL)
1848 return 0;
1849
1850 result = ipsec_in_reject(sp, m);
1851 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1852 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1853 key_freesp(sp);
1854
1855 return result;
1856 }
1857
1858 int
1859 ipsec4_in_reject(m, inp)
1860 struct mbuf *m;
1861 struct inpcb *inp;
1862 {
1863 if (inp == NULL)
1864 return ipsec4_in_reject_so(m, NULL);
1865 if (inp->inp_socket)
1866 return ipsec4_in_reject_so(m, inp->inp_socket);
1867 else
1868 panic("ipsec4_in_reject: invalid inpcb/socket");
1869 }
1870
1871 #ifdef INET6
1872 /*
1873 * Check AH/ESP integrity.
1874 * This function is called from tcp6_input(), udp6_input(),
1875 * and {ah,esp}6_input for tunnel mode
1876 */
1877 int
1878 ipsec6_in_reject_so(m, so)
1879 struct mbuf *m;
1880 struct socket *so;
1881 {
1882 struct secpolicy *sp = NULL;
1883 int error;
1884 int result;
1885
1886 /* sanity check */
1887 if (m == NULL)
1888 return 0; /* XXX should be panic ? */
1889
1890 /* get SP for this packet.
1891 * When we are called from ip_forward(), we call
1892 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1893 */
1894 if (so == NULL)
1895 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1896 IP_FORWARDING, &error);
1897 else
1898 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1899
1900 if (sp == NULL)
1901 return 0; /* XXX should be panic ? */
1902
1903 result = ipsec_in_reject(sp, m);
1904 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1905 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
1906 key_freesp(sp);
1907
1908 return result;
1909 }
1910
1911 int
1912 ipsec6_in_reject(m, in6p)
1913 struct mbuf *m;
1914 struct in6pcb *in6p;
1915 {
1916 if (in6p == NULL)
1917 return ipsec6_in_reject_so(m, NULL);
1918 if (in6p->in6p_socket)
1919 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1920 else
1921 panic("ipsec6_in_reject: invalid in6p/socket");
1922 }
1923 #endif
1924
1925 /*
1926 * compute the byte size to be occupied by IPsec header.
1927 * in case it is tunneled, it includes the size of outer IP header.
1928 * NOTE: SP passed is free in this function.
1929 */
1930 static size_t
1931 ipsec_hdrsiz(sp)
1932 struct secpolicy *sp;
1933 {
1934 struct ipsecrequest *isr;
1935 size_t siz, clen;
1936
1937 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1938 printf("ipsec_hdrsiz: using SP\n");
1939 kdebug_secpolicy(sp));
1940
1941 /* check policy */
1942 switch (sp->policy) {
1943 case IPSEC_POLICY_DISCARD:
1944 case IPSEC_POLICY_BYPASS:
1945 case IPSEC_POLICY_NONE:
1946 return 0;
1947
1948 case IPSEC_POLICY_IPSEC:
1949 break;
1950
1951 case IPSEC_POLICY_ENTRUST:
1952 default:
1953 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1954 }
1955
1956 siz = 0;
1957
1958 for (isr = sp->req; isr != NULL; isr = isr->next) {
1959
1960 clen = 0;
1961
1962 switch (isr->saidx.proto) {
1963 case IPPROTO_ESP:
1964 #ifdef IPSEC_ESP
1965 clen = esp_hdrsiz(isr);
1966 #else
1967 clen = 0; /* XXX */
1968 #endif
1969 break;
1970 case IPPROTO_AH:
1971 clen = ah_hdrsiz(isr);
1972 break;
1973 case IPPROTO_IPCOMP:
1974 clen = sizeof(struct ipcomp);
1975 break;
1976 }
1977
1978 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1979 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1980 case AF_INET:
1981 clen += sizeof(struct ip);
1982 break;
1983 #ifdef INET6
1984 case AF_INET6:
1985 clen += sizeof(struct ip6_hdr);
1986 break;
1987 #endif
1988 default:
1989 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1990 "unknown AF %d in IPsec tunnel SA\n",
1991 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1992 break;
1993 }
1994 }
1995 siz += clen;
1996 }
1997
1998 return siz;
1999 }
2000
2001 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
2002 size_t
2003 ipsec4_hdrsiz(m, dir, inp)
2004 struct mbuf *m;
2005 u_int dir;
2006 struct inpcb *inp;
2007 {
2008 struct secpolicy *sp = NULL;
2009 int error;
2010 size_t size;
2011
2012 /* sanity check */
2013 if (m == NULL)
2014 return 0; /* XXX should be panic ? */
2015 if (inp != NULL && inp->inp_socket == NULL)
2016 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
2017
2018 /* get SP for this packet.
2019 * When we are called from ip_forward(), we call
2020 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
2021 */
2022 if (inp == NULL)
2023 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2024 else
2025 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
2026
2027 if (sp == NULL)
2028 return 0; /* XXX should be panic ? */
2029
2030 size = ipsec_hdrsiz(sp);
2031 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2032 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
2033 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2034 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
2035 key_freesp(sp);
2036
2037 return size;
2038 }
2039
2040 #ifdef INET6
2041 /* This function is called from ipsec6_hdrsize_tcp(),
2042 * and maybe from ip6_forward.()
2043 */
2044 size_t
2045 ipsec6_hdrsiz(m, dir, in6p)
2046 struct mbuf *m;
2047 u_int dir;
2048 struct in6pcb *in6p;
2049 {
2050 struct secpolicy *sp = NULL;
2051 int error;
2052 size_t size;
2053
2054 /* sanity check */
2055 if (m == NULL)
2056 return 0; /* XXX should be panic ? */
2057 if (in6p != NULL && in6p->in6p_socket == NULL)
2058 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2059
2060 /* get SP for this packet */
2061 /* XXX Is it right to call with IP_FORWARDING. */
2062 if (in6p == NULL)
2063 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2064 else
2065 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
2066
2067 if (sp == NULL)
2068 return 0;
2069 size = ipsec_hdrsiz(sp);
2070 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2071 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
2072 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2073 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
2074 key_freesp(sp);
2075
2076 return size;
2077 }
2078 #endif /* INET6 */
2079
2080 #ifdef INET
2081 /*
2082 * encapsulate for ipsec tunnel.
2083 * ip->ip_src must be fixed later on.
2084 */
2085 static int
2086 ipsec4_encapsulate(m, sav)
2087 struct mbuf *m;
2088 struct secasvar *sav;
2089 {
2090 struct ip *oip;
2091 struct ip *ip;
2092 size_t hlen;
2093 size_t plen;
2094
2095 /* can't tunnel between different AFs */
2096 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2097 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2098 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2099 m_freem(m);
2100 return EINVAL;
2101 }
2102 #if 0
2103 /* XXX if the dst is myself, perform nothing. */
2104 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2105 m_freem(m);
2106 return EINVAL;
2107 }
2108 #endif
2109
2110 if (m->m_len < sizeof(*ip))
2111 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2112
2113 ip = mtod(m, struct ip *);
2114 #ifdef _IP_VHL
2115 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
2116 #else
2117 hlen = ip->ip_hl << 2;
2118 #endif
2119
2120 if (m->m_len != hlen)
2121 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2122
2123 /* generate header checksum */
2124 ip->ip_sum = 0;
2125 #ifdef _IP_VHL
2126 if (ip->ip_vhl == IP_VHL_BORING)
2127 ip->ip_sum = in_cksum_hdr(ip);
2128 else
2129 ip->ip_sum = in_cksum(m, hlen);
2130 #else
2131 ip->ip_sum = in_cksum(m, hlen);
2132 #endif
2133
2134 plen = m->m_pkthdr.len;
2135
2136 /*
2137 * grow the mbuf to accomodate the new IPv4 header.
2138 * NOTE: IPv4 options will never be copied.
2139 */
2140 if (M_LEADINGSPACE(m->m_next) < hlen) {
2141 struct mbuf *n;
2142 MGET(n, M_DONTWAIT, MT_DATA);
2143 if (!n) {
2144 m_freem(m);
2145 return ENOBUFS;
2146 }
2147 n->m_len = hlen;
2148 n->m_next = m->m_next;
2149 m->m_next = n;
2150 m->m_pkthdr.len += hlen;
2151 oip = mtod(n, struct ip *);
2152 } else {
2153 m->m_next->m_len += hlen;
2154 m->m_next->m_data -= hlen;
2155 m->m_pkthdr.len += hlen;
2156 oip = mtod(m->m_next, struct ip *);
2157 }
2158 ip = mtod(m, struct ip *);
2159 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2160 m->m_len = sizeof(struct ip);
2161 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2162
2163 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2164 /* ECN consideration. */
2165 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2166 #ifdef _IP_VHL
2167 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2168 #else
2169 ip->ip_hl = sizeof(struct ip) >> 2;
2170 #endif
2171 ip->ip_off &= htons(~IP_OFFMASK);
2172 ip->ip_off &= htons(~IP_MF);
2173 switch (ip4_ipsec_dfbit) {
2174 case 0: /* clear DF bit */
2175 ip->ip_off &= htons(~IP_DF);
2176 break;
2177 case 1: /* set DF bit */
2178 ip->ip_off |= htons(IP_DF);
2179 break;
2180 default: /* copy DF bit */
2181 break;
2182 }
2183 ip->ip_p = IPPROTO_IPIP;
2184 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2185 ip->ip_len = htons(plen + sizeof(struct ip));
2186 else {
2187 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2188 "leave ip_len as is (invalid packet)\n"));
2189 }
2190 #ifdef RANDOM_IP_ID
2191 ip->ip_id = ip_randomid();
2192 #else
2193 ip->ip_id = htons(ip_id++);
2194 #endif
2195 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2196 &ip->ip_src, sizeof(ip->ip_src));
2197 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2198 &ip->ip_dst, sizeof(ip->ip_dst));
2199 ip->ip_ttl = IPDEFTTL;
2200
2201 /* XXX Should ip_src be updated later ? */
2202
2203 return 0;
2204 }
2205 #endif /* INET */
2206
2207 #ifdef INET6
2208 static int
2209 ipsec6_encapsulate(m, sav)
2210 struct mbuf *m;
2211 struct secasvar *sav;
2212 {
2213 struct ip6_hdr *oip6;
2214 struct ip6_hdr *ip6;
2215 size_t plen;
2216
2217 /* can't tunnel between different AFs */
2218 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2219 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2220 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2221 m_freem(m);
2222 return EINVAL;
2223 }
2224 #if 0
2225 /* XXX if the dst is myself, perform nothing. */
2226 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2227 m_freem(m);
2228 return EINVAL;
2229 }
2230 #endif
2231
2232 plen = m->m_pkthdr.len;
2233
2234 /*
2235 * grow the mbuf to accomodate the new IPv6 header.
2236 */
2237 if (m->m_len != sizeof(struct ip6_hdr))
2238 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2239 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2240 struct mbuf *n;
2241 MGET(n, M_DONTWAIT, MT_DATA);
2242 if (!n) {
2243 m_freem(m);
2244 return ENOBUFS;
2245 }
2246 n->m_len = sizeof(struct ip6_hdr);
2247 n->m_next = m->m_next;
2248 m->m_next = n;
2249 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2250 oip6 = mtod(n, struct ip6_hdr *);
2251 } else {
2252 m->m_next->m_len += sizeof(struct ip6_hdr);
2253 m->m_next->m_data -= sizeof(struct ip6_hdr);
2254 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2255 oip6 = mtod(m->m_next, struct ip6_hdr *);
2256 }
2257 ip6 = mtod(m, struct ip6_hdr *);
2258 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2259
2260 /* XXX: Fake scoped addresses */
2261 in6_clearscope(&oip6->ip6_src);
2262 in6_clearscope(&oip6->ip6_dst);
2263
2264 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2265 /* ECN consideration. */
2266 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2267 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2268 ip6->ip6_plen = htons(plen);
2269 else {
2270 /* ip6->ip6_plen will be updated in ip6_output() */
2271 }
2272 ip6->ip6_nxt = IPPROTO_IPV6;
2273 in6_embedscope(&ip6->ip6_src,
2274 (struct sockaddr_in6 *)&sav->sah->saidx.src, NULL, NULL);
2275 in6_embedscope(&ip6->ip6_dst,
2276 (struct sockaddr_in6 *)&sav->sah->saidx.dst, NULL, NULL);
2277 ip6->ip6_hlim = IPV6_DEFHLIM;
2278
2279 /* XXX Should ip6_src be updated later ? */
2280
2281 return 0;
2282 }
2283 #endif /* INET6 */
2284
2285 /*
2286 * Check the variable replay window.
2287 * ipsec_chkreplay() performs replay check before ICV verification.
2288 * ipsec_updatereplay() updates replay bitmap. This must be called after
2289 * ICV verification (it also performs replay check, which is usually done
2290 * beforehand).
2291 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2292 *
2293 * based on RFC 2401.
2294 *
2295 * XXX need to update for 64bit sequence number - 2401bis
2296 */
2297 int
2298 ipsec_chkreplay(seq, sav)
2299 u_int32_t seq;
2300 struct secasvar *sav;
2301 {
2302 const struct secreplay *replay;
2303 u_int32_t diff;
2304 int fr;
2305 u_int32_t wsizeb; /* constant: bits of window size */
2306 int frlast; /* constant: last frame */
2307
2308 /* sanity check */
2309 if (sav == NULL)
2310 panic("ipsec_chkreplay: NULL pointer was passed.");
2311
2312 replay = sav->replay;
2313
2314 if (replay->wsize == 0)
2315 return 1; /* no need to check replay. */
2316
2317 /* constant */
2318 frlast = replay->wsize - 1;
2319 wsizeb = replay->wsize << 3;
2320
2321 /* sequence number of 0 is invalid */
2322 if (seq == 0)
2323 return 0;
2324
2325 /* first time is always okay */
2326 if (replay->count == 0)
2327 return 1;
2328
2329 if (seq > replay->lastseq) {
2330 /* larger sequences are okay */
2331 return 1;
2332 } else {
2333 /* seq is equal or less than lastseq. */
2334 diff = replay->lastseq - seq;
2335
2336 /* over range to check, i.e. too old or wrapped */
2337 if (diff >= wsizeb)
2338 return 0;
2339
2340 fr = frlast - diff / 8;
2341
2342 /* this packet already seen ? */
2343 if (replay->bitmap[fr] & (1 << (diff % 8)))
2344 return 0;
2345
2346 /* out of order but good */
2347 return 1;
2348 }
2349 }
2350
2351 /*
2352 * check replay counter whether to update or not.
2353 * OUT: 0: OK
2354 * 1: NG
2355 * XXX need to update for 64bit sequence number - 2401bis
2356 */
2357 int
2358 ipsec_updatereplay(seq, sav)
2359 u_int32_t seq;
2360 struct secasvar *sav;
2361 {
2362 struct secreplay *replay;
2363 u_int64_t diff;
2364 int fr;
2365 u_int32_t wsizeb; /* constant: bits of window size */
2366 int frlast; /* constant: last frame */
2367
2368 /* sanity check */
2369 if (sav == NULL)
2370 panic("ipsec_chkreplay: NULL pointer was passed.");
2371
2372 replay = sav->replay;
2373
2374 if (replay->wsize == 0)
2375 goto ok; /* no need to check replay. */
2376
2377 /* constant */
2378 frlast = replay->wsize - 1;
2379 wsizeb = replay->wsize << 3;
2380
2381 /* sequence number of 0 is invalid */
2382 if (seq == 0)
2383 return 1;
2384
2385 /* first time */
2386 if (replay->count == 0) {
2387 replay->lastseq = seq;
2388 bzero(replay->bitmap, replay->wsize);
2389 replay->bitmap[frlast] = 1;
2390 goto ok;
2391 }
2392
2393 if (seq > replay->lastseq) {
2394 /* seq is larger than lastseq. */
2395 diff = seq - replay->lastseq;
2396
2397 /* new larger sequence number */
2398 if (diff < wsizeb) {
2399 /* In window */
2400 /* set bit for this packet */
2401 vshiftl(replay->bitmap, diff, replay->wsize);
2402 replay->bitmap[frlast] |= 1;
2403 } else {
2404 /* this packet has a "way larger" */
2405 bzero(replay->bitmap, replay->wsize);
2406 replay->bitmap[frlast] = 1;
2407 }
2408 replay->lastseq = seq;
2409
2410 /* larger is good */
2411 } else {
2412 /* seq is equal or less than lastseq. */
2413 diff = replay->lastseq - seq;
2414
2415 /* over range to check, i.e. too old or wrapped */
2416 if (diff >= wsizeb)
2417 return 1;
2418
2419 fr = frlast - diff / 8;
2420
2421 /* this packet already seen ? */
2422 if (replay->bitmap[fr] & (1 << (diff % 8)))
2423 return 1;
2424
2425 /* mark as seen */
2426 replay->bitmap[fr] |= (1 << (diff % 8));
2427
2428 /* out of order but good */
2429 }
2430
2431 ok:
2432 if (replay->count == 0xffffffff) {
2433
2434 /* set overflow flag */
2435 replay->overflow++;
2436
2437 /* don't increment, no more packets accepted */
2438 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2439 return 1;
2440
2441 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2442 replay->overflow, ipsec_logsastr(sav)));
2443 }
2444
2445 replay->count++;
2446
2447 return 0;
2448 }
2449
2450 /*
2451 * shift variable length buffer to left.
2452 * IN: bitmap: pointer to the buffer
2453 * nbit: the number of to shift.
2454 * wsize: buffer size (bytes).
2455 */
2456 static void
2457 vshiftl(bitmap, nbit, wsize)
2458 unsigned char *bitmap;
2459 int nbit, wsize;
2460 {
2461 int s, j, i;
2462 unsigned char over;
2463
2464 for (j = 0; j < nbit; j += 8) {
2465 s = (nbit - j < 8) ? (nbit - j): 8;
2466 bitmap[0] <<= s;
2467 for (i = 1; i < wsize; i++) {
2468 over = (bitmap[i] >> (8 - s));
2469 bitmap[i] <<= s;
2470 bitmap[i - 1] |= over;
2471 }
2472 }
2473
2474 return;
2475 }
2476
2477 const char *
2478 ipsec4_logpacketstr(ip, spi)
2479 struct ip *ip;
2480 u_int32_t spi;
2481 {
2482 static char buf[256];
2483 char *p;
2484 u_int8_t *s, *d;
2485
2486 s = (u_int8_t *)(&ip->ip_src);
2487 d = (u_int8_t *)(&ip->ip_dst);
2488
2489 p = buf;
2490 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2491 while (p && *p)
2492 p++;
2493 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2494 s[0], s[1], s[2], s[3]);
2495 while (p && *p)
2496 p++;
2497 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2498 d[0], d[1], d[2], d[3]);
2499 while (p && *p)
2500 p++;
2501 snprintf(p, sizeof(buf) - (p - buf), ")");
2502
2503 return buf;
2504 }
2505
2506 #ifdef INET6
2507 const char *
2508 ipsec6_logpacketstr(ip6, spi)
2509 struct ip6_hdr *ip6;
2510 u_int32_t spi;
2511 {
2512 static char buf[256];
2513 char *p;
2514
2515 p = buf;
2516 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2517 while (p && *p)
2518 p++;
2519 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2520 ip6_sprintf(&ip6->ip6_src));
2521 while (p && *p)
2522 p++;
2523 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2524 ip6_sprintf(&ip6->ip6_dst));
2525 while (p && *p)
2526 p++;
2527 snprintf(p, sizeof(buf) - (p - buf), ")");
2528
2529 return buf;
2530 }
2531 #endif /* INET6 */
2532
2533 const char *
2534 ipsec_logsastr(sav)
2535 struct secasvar *sav;
2536 {
2537 static char buf[256];
2538 char *p;
2539 struct secasindex *saidx = &sav->sah->saidx;
2540
2541 /* validity check */
2542 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2543 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2544 panic("ipsec_logsastr: family mismatched.");
2545
2546 p = buf;
2547 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2548 while (p && *p)
2549 p++;
2550 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2551 u_int8_t *s, *d;
2552 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2553 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2554 snprintf(p, sizeof(buf) - (p - buf),
2555 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2556 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2557 }
2558 #ifdef INET6
2559 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2560 snprintf(p, sizeof(buf) - (p - buf),
2561 "src=%s",
2562 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2563 while (p && *p)
2564 p++;
2565 snprintf(p, sizeof(buf) - (p - buf),
2566 " dst=%s",
2567 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2568 }
2569 #endif
2570 while (p && *p)
2571 p++;
2572 snprintf(p, sizeof(buf) - (p - buf), ")");
2573
2574 return buf;
2575 }
2576
2577 void
2578 ipsec_dumpmbuf(m)
2579 struct mbuf *m;
2580 {
2581 int totlen;
2582 int i;
2583 u_char *p;
2584
2585 totlen = 0;
2586 printf("---\n");
2587 while (m) {
2588 p = mtod(m, u_char *);
2589 for (i = 0; i < m->m_len; i++) {
2590 printf("%02x ", p[i]);
2591 totlen++;
2592 if (totlen % 16 == 0)
2593 printf("\n");
2594 }
2595 m = m->m_next;
2596 }
2597 if (totlen % 16 != 0)
2598 printf("\n");
2599 printf("---\n");
2600 }
2601
2602 #ifdef INET
2603 static int
2604 ipsec4_checksa(isr, state)
2605 struct ipsecrequest *isr;
2606 struct ipsec_output_state *state;
2607 {
2608 struct ip *ip;
2609 struct secasindex saidx;
2610 struct sockaddr_in *sin;
2611
2612 /* make SA index for search proper SA */
2613 ip = mtod(state->m, struct ip *);
2614 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2615 saidx.mode = isr->saidx.mode;
2616 saidx.reqid = isr->saidx.reqid;
2617 sin = (struct sockaddr_in *)&saidx.src;
2618 if (sin->sin_len == 0) {
2619 sin->sin_len = sizeof(*sin);
2620 sin->sin_family = AF_INET;
2621 sin->sin_port = IPSEC_PORT_ANY;
2622 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
2623 }
2624 sin = (struct sockaddr_in *)&saidx.dst;
2625 if (sin->sin_len == 0) {
2626 sin->sin_len = sizeof(*sin);
2627 sin->sin_family = AF_INET;
2628 sin->sin_port = IPSEC_PORT_ANY;
2629 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
2630 }
2631
2632 return key_checkrequest(isr, &saidx);
2633 }
2634 /*
2635 * IPsec output logic for IPv4.
2636 */
2637 int
2638 ipsec4_output(state, sp, flags)
2639 struct ipsec_output_state *state;
2640 struct secpolicy *sp;
2641 int flags;
2642 {
2643 struct ip *ip = NULL;
2644 struct ipsecrequest *isr = NULL;
2645 int s;
2646 int error;
2647 struct sockaddr_in *dst4;
2648
2649 if (!state)
2650 panic("state == NULL in ipsec4_output");
2651 if (!state->m)
2652 panic("state->m == NULL in ipsec4_output");
2653 if (!state->ro)
2654 panic("state->ro == NULL in ipsec4_output");
2655 if (!state->dst)
2656 panic("state->dst == NULL in ipsec4_output");
2657 state->encap = 0;
2658
2659 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2660 printf("ipsec4_output: applyed SP\n");
2661 kdebug_secpolicy(sp));
2662
2663 for (isr = sp->req; isr != NULL; isr = isr->next) {
2664
2665 #if 0 /* give up to check restriction of transport mode */
2666 /* XXX but should be checked somewhere */
2667 /*
2668 * some of the IPsec operation must be performed only in
2669 * originating case.
2670 */
2671 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2672 && (flags & IP_FORWARDING))
2673 continue;
2674 #endif
2675 error = ipsec4_checksa(isr, state);
2676 if (error != 0) {
2677 /*
2678 * IPsec processing is required, but no SA found.
2679 * I assume that key_acquire() had been called
2680 * to get/establish the SA. Here I discard
2681 * this packet because it is responsibility for
2682 * upper layer to retransmit the packet.
2683 */
2684 ipsecstat.out_nosa++;
2685 goto bad;
2686 }
2687
2688 /* validity check */
2689 if (isr->sav == NULL) {
2690 switch (ipsec_get_reqlevel(isr, AF_INET)) {
2691 case IPSEC_LEVEL_USE:
2692 continue;
2693 case IPSEC_LEVEL_REQUIRE:
2694 /* must be not reached here. */
2695 panic("ipsec4_output: no SA found, but required.");
2696 }
2697 }
2698
2699 /*
2700 * If there is no valid SA, we give up to process any
2701 * more. In such a case, the SA's status is changed
2702 * from DYING to DEAD after allocating. If a packet
2703 * send to the receiver by dead SA, the receiver can
2704 * not decode a packet because SA has been dead.
2705 */
2706 if (isr->sav->state != SADB_SASTATE_MATURE
2707 && isr->sav->state != SADB_SASTATE_DYING) {
2708 ipsecstat.out_nosa++;
2709 error = EINVAL;
2710 goto bad;
2711 }
2712
2713 /*
2714 * There may be the case that SA status will be changed when
2715 * we are refering to one. So calling splsoftnet().
2716 */
2717 s = splnet();
2718
2719 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2720 /*
2721 * build IPsec tunnel.
2722 */
2723 /* XXX should be processed with other familiy */
2724 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2725 ipseclog((LOG_ERR, "ipsec4_output: "
2726 "family mismatched between inner and outer spi=%u\n",
2727 (u_int32_t)ntohl(isr->sav->spi)));
2728 splx(s);
2729 error = EAFNOSUPPORT;
2730 goto bad;
2731 }
2732
2733 state->m = ipsec4_splithdr(state->m);
2734 if (!state->m) {
2735 splx(s);
2736 error = ENOMEM;
2737 goto bad;
2738 }
2739 error = ipsec4_encapsulate(state->m, isr->sav);
2740 splx(s);
2741 if (error) {
2742 state->m = NULL;
2743 goto bad;
2744 }
2745 ip = mtod(state->m, struct ip *);
2746
2747 state->ro = &isr->sav->sah->sa_route;
2748 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2749 dst4 = (struct sockaddr_in *)state->dst;
2750 if (state->ro->ro_rt
2751 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2752 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2753 RTFREE(state->ro->ro_rt);
2754 state->ro->ro_rt = NULL;
2755 }
2756 if (state->ro->ro_rt == 0) {
2757 dst4->sin_family = AF_INET;
2758 dst4->sin_len = sizeof(*dst4);
2759 dst4->sin_addr = ip->ip_dst;
2760 rtalloc(state->ro);
2761 }
2762 if (state->ro->ro_rt == 0) {
2763 ipstat.ips_noroute++;
2764 error = EHOSTUNREACH;
2765 goto bad;
2766 }
2767
2768 /* adjust state->dst if tunnel endpoint is offlink */
2769 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2770 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2771 dst4 = (struct sockaddr_in *)state->dst;
2772 }
2773
2774 state->encap++;
2775 } else
2776 splx(s);
2777
2778 state->m = ipsec4_splithdr(state->m);
2779 if (!state->m) {
2780 error = ENOMEM;
2781 goto bad;
2782 }
2783 switch (isr->saidx.proto) {
2784 case IPPROTO_ESP:
2785 #ifdef IPSEC_ESP
2786 if ((error = esp4_output(state->m, isr)) != 0) {
2787 state->m = NULL;
2788 goto bad;
2789 }
2790 break;
2791 #else
2792 m_freem(state->m);
2793 state->m = NULL;
2794 error = EINVAL;
2795 goto bad;
2796 #endif
2797 case IPPROTO_AH:
2798 if ((error = ah4_output(state->m, isr)) != 0) {
2799 state->m = NULL;
2800 goto bad;
2801 }
2802 break;
2803 case IPPROTO_IPCOMP:
2804 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2805 state->m = NULL;
2806 goto bad;
2807 }
2808 break;
2809 default:
2810 ipseclog((LOG_ERR,
2811 "ipsec4_output: unknown ipsec protocol %d\n",
2812 isr->saidx.proto));
2813 m_freem(state->m);
2814 state->m = NULL;
2815 error = EINVAL;
2816 goto bad;
2817 }
2818
2819 if (state->m == 0) {
2820 error = ENOMEM;
2821 goto bad;
2822 }
2823 ip = mtod(state->m, struct ip *);
2824 }
2825
2826 return 0;
2827
2828 bad:
2829 m_freem(state->m);
2830 state->m = NULL;
2831 return error;
2832 }
2833 #endif
2834
2835 #ifdef INET6
2836 static int
2837 ipsec6_checksa(isr, state, tunnel)
2838 struct ipsecrequest *isr;
2839 struct ipsec_output_state *state;
2840 int tunnel;
2841 {
2842 struct ip6_hdr *ip6;
2843 struct secasindex saidx;
2844 struct sockaddr_in6 *sin6;
2845
2846 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2847 #ifdef DIAGNOSTIC
2848 if (!tunnel)
2849 panic("ipsec6_checksa/inconsistent tunnel attribute");
2850 #endif
2851 /* When tunnel mode, SA peers must be specified. */
2852 return key_checkrequest(isr, &isr->saidx);
2853 }
2854
2855 /* make SA index for search proper SA */
2856 ip6 = mtod(state->m, struct ip6_hdr *);
2857 if (tunnel) {
2858 bzero(&saidx, sizeof(saidx));
2859 saidx.proto = isr->saidx.proto;
2860 } else
2861 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2862 saidx.mode = isr->saidx.mode;
2863 saidx.reqid = isr->saidx.reqid;
2864 sin6 = (struct sockaddr_in6 *)&saidx.src;
2865 if (sin6->sin6_len == 0 || tunnel) {
2866 sin6->sin6_len = sizeof(*sin6);
2867 sin6->sin6_family = AF_INET6;
2868 sin6->sin6_port = IPSEC_PORT_ANY;
2869 in6_recoverscope(sin6, &ip6->ip6_src, NULL);
2870 }
2871 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2872 if (sin6->sin6_len == 0 || tunnel) {
2873 sin6->sin6_len = sizeof(*sin6);
2874 sin6->sin6_family = AF_INET6;
2875 sin6->sin6_port = IPSEC_PORT_ANY;
2876 in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
2877 }
2878
2879 return key_checkrequest(isr, &saidx);
2880 }
2881
2882 /*
2883 * IPsec output logic for IPv6, transport mode.
2884 */
2885 int
2886 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
2887 struct ipsec_output_state *state;
2888 u_char *nexthdrp;
2889 struct mbuf *mprev;
2890 struct secpolicy *sp;
2891 int flags;
2892 int *tun;
2893 {
2894 struct ip6_hdr *ip6;
2895 struct ipsecrequest *isr = NULL;
2896 int error = 0;
2897 int plen;
2898
2899 if (!state)
2900 panic("state == NULL in ipsec6_output_trans");
2901 if (!state->m)
2902 panic("state->m == NULL in ipsec6_output_trans");
2903 if (!nexthdrp)
2904 panic("nexthdrp == NULL in ipsec6_output_trans");
2905 if (!mprev)
2906 panic("mprev == NULL in ipsec6_output_trans");
2907 if (!sp)
2908 panic("sp == NULL in ipsec6_output_trans");
2909 if (!tun)
2910 panic("tun == NULL in ipsec6_output_trans");
2911
2912 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2913 printf("ipsec6_output_trans: applyed SP\n");
2914 kdebug_secpolicy(sp));
2915
2916 *tun = 0;
2917 for (isr = sp->req; isr; isr = isr->next) {
2918 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2919 /* the rest will be handled by ipsec6_output_tunnel() */
2920 break;
2921 }
2922
2923 error = ipsec6_checksa(isr, state, 0);
2924 if (error == EIO)
2925 goto bad;
2926 if (error == ENOENT) {
2927 /*
2928 * IPsec processing is required, but no SA found.
2929 * I assume that key_acquire() had been called
2930 * to get/establish the SA. Here I discard
2931 * this packet because it is responsibility for
2932 * upper layer to retransmit the packet.
2933 */
2934 ipsec6stat.out_nosa++;
2935
2936 /*
2937 * Notify the fact that the packet is discarded
2938 * to ourselves. I believe this is better than
2939 * just silently discarding. (jinmei@kame.net)
2940 * XXX: should we restrict the error to TCP packets?
2941 * XXX: should we directly notify sockets via
2942 * pfctlinputs?
2943 *
2944 * Noone have initialized rcvif until this point,
2945 * so clear it.
2946 */
2947 if ((state->m->m_flags & M_PKTHDR) != 0)
2948 state->m->m_pkthdr.rcvif = NULL;
2949 icmp6_error(state->m, ICMP6_DST_UNREACH,
2950 ICMP6_DST_UNREACH_ADMIN, 0);
2951 state->m = NULL; /* icmp6_error freed the mbuf */
2952 goto bad;
2953 }
2954
2955 /* validity check */
2956 if (isr->sav == NULL) {
2957 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
2958 case IPSEC_LEVEL_USE:
2959 continue;
2960 case IPSEC_LEVEL_REQUIRE:
2961 /* must be not reached here. */
2962 panic("ipsec6_output_trans: no SA found, but required.");
2963 }
2964 }
2965
2966 /*
2967 * If there is no valid SA, we give up to process.
2968 * see same place at ipsec4_output().
2969 */
2970 if (isr->sav->state != SADB_SASTATE_MATURE
2971 && isr->sav->state != SADB_SASTATE_DYING) {
2972 ipsec6stat.out_nosa++;
2973 error = EINVAL;
2974 goto bad;
2975 }
2976
2977 switch (isr->saidx.proto) {
2978 case IPPROTO_ESP:
2979 #ifdef IPSEC_ESP
2980 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2981 #else
2982 m_freem(state->m);
2983 error = EINVAL;
2984 #endif
2985 break;
2986 case IPPROTO_AH:
2987 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2988 break;
2989 case IPPROTO_IPCOMP:
2990 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2991 break;
2992 default:
2993 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2994 "unknown ipsec protocol %d\n", isr->saidx.proto));
2995 m_freem(state->m);
2996 ipsec6stat.out_inval++;
2997 error = EINVAL;
2998 break;
2999 }
3000 if (error) {
3001 state->m = NULL;
3002 goto bad;
3003 }
3004 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3005 if (plen > IPV6_MAXPACKET) {
3006 ipseclog((LOG_ERR, "ipsec6_output_trans: "
3007 "IPsec with IPv6 jumbogram is not supported\n"));
3008 ipsec6stat.out_inval++;
3009 error = EINVAL; /* XXX */
3010 goto bad;
3011 }
3012 ip6 = mtod(state->m, struct ip6_hdr *);
3013 ip6->ip6_plen = htons(plen);
3014 }
3015
3016 /* if we have more to go, we need a tunnel mode processing */
3017 if (isr != NULL)
3018 *tun = 1;
3019
3020 return 0;
3021
3022 bad:
3023 m_freem(state->m);
3024 state->m = NULL;
3025 return error;
3026 }
3027
3028 /*
3029 * IPsec output logic for IPv6, tunnel mode.
3030 */
3031 int
3032 ipsec6_output_tunnel(state, sp, flags)
3033 struct ipsec_output_state *state;
3034 struct secpolicy *sp;
3035 int flags;
3036 {
3037 struct ip6_hdr *ip6;
3038 struct ipsecrequest *isr = NULL;
3039 int error = 0;
3040 int plen;
3041 struct sockaddr_in6 *dst6;
3042 int s;
3043
3044 if (!state)
3045 panic("state == NULL in ipsec6_output_tunnel");
3046 if (!state->m)
3047 panic("state->m == NULL in ipsec6_output_tunnel");
3048 if (!sp)
3049 panic("sp == NULL in ipsec6_output_tunnel");
3050
3051 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3052 printf("ipsec6_output_tunnel: applyed SP\n");
3053 kdebug_secpolicy(sp));
3054
3055 /*
3056 * transport mode ipsec (before the 1st tunnel mode) is already
3057 * processed by ipsec6_output_trans().
3058 */
3059 for (isr = sp->req; isr; isr = isr->next) {
3060 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
3061 break;
3062 }
3063
3064 for (/* already initialized */; isr; isr = isr->next) {
3065 error = ipsec6_checksa(isr, state, 1);
3066 if (error == EIO)
3067 goto bad;
3068 if (error == ENOENT) {
3069 /*
3070 * IPsec processing is required, but no SA found.
3071 * I assume that key_acquire() had been called
3072 * to get/establish the SA. Here I discard
3073 * this packet because it is responsibility for
3074 * upper layer to retransmit the packet.
3075 */
3076 ipsec6stat.out_nosa++;
3077 error = ENOENT;
3078 goto bad;
3079 }
3080
3081 /* validity check */
3082 if (isr->sav == NULL) {
3083 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
3084 case IPSEC_LEVEL_USE:
3085 continue;
3086 case IPSEC_LEVEL_REQUIRE:
3087 /* must be not reached here. */
3088 panic("ipsec6_output_tunnel: no SA found, but required.");
3089 }
3090 }
3091
3092 /*
3093 * If there is no valid SA, we give up to process.
3094 * see same place at ipsec4_output().
3095 */
3096 if (isr->sav->state != SADB_SASTATE_MATURE
3097 && isr->sav->state != SADB_SASTATE_DYING) {
3098 ipsec6stat.out_nosa++;
3099 error = EINVAL;
3100 goto bad;
3101 }
3102
3103 /*
3104 * There may be the case that SA status will be changed when
3105 * we are refering to one. So calling splsoftnet().
3106 */
3107 s = splnet();
3108
3109 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3110 /*
3111 * build IPsec tunnel.
3112 */
3113 /* XXX should be processed with other familiy */
3114 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
3115 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3116 "family mismatched between inner and outer, spi=%u\n",
3117 (u_int32_t)ntohl(isr->sav->spi)));
3118 splx(s);
3119 ipsec6stat.out_inval++;
3120 error = EAFNOSUPPORT;
3121 goto bad;
3122 }
3123
3124 state->m = ipsec6_splithdr(state->m);
3125 if (!state->m) {
3126 splx(s);
3127 ipsec6stat.out_nomem++;
3128 error = ENOMEM;
3129 goto bad;
3130 }
3131 error = ipsec6_encapsulate(state->m, isr->sav);
3132 splx(s);
3133 if (error) {
3134 state->m = 0;
3135 goto bad;
3136 }
3137 ip6 = mtod(state->m, struct ip6_hdr *);
3138
3139 state->ro = &isr->sav->sah->sa_route;
3140 state->dst = (struct sockaddr *)&state->ro->ro_dst;
3141 dst6 = (struct sockaddr_in6 *)state->dst;
3142 if (state->ro->ro_rt &&
3143 (!(state->ro->ro_rt->rt_flags & RTF_UP) ||
3144 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr,
3145 &ip6->ip6_dst))) {
3146 RTFREE(state->ro->ro_rt);
3147 state->ro->ro_rt = NULL;
3148 }
3149 if (state->ro->ro_rt == 0) {
3150 bzero(dst6, sizeof(*dst6));
3151 dst6->sin6_family = AF_INET6;
3152 dst6->sin6_len = sizeof(*dst6);
3153 dst6->sin6_addr = ip6->ip6_dst;
3154 rtalloc(state->ro);
3155 }
3156 if (state->ro->ro_rt == 0) {
3157 ip6stat.ip6s_noroute++;
3158 ipsec6stat.out_noroute++;
3159 error = EHOSTUNREACH;
3160 goto bad;
3161 }
3162
3163 /* adjust state->dst if tunnel endpoint is offlink */
3164 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3165 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3166 dst6 = (struct sockaddr_in6 *)state->dst;
3167 }
3168 } else
3169 splx(s);
3170
3171 state->m = ipsec6_splithdr(state->m);
3172 if (!state->m) {
3173 ipsec6stat.out_nomem++;
3174 error = ENOMEM;
3175 goto bad;
3176 }
3177 ip6 = mtod(state->m, struct ip6_hdr *);
3178 switch (isr->saidx.proto) {
3179 case IPPROTO_ESP:
3180 #ifdef IPSEC_ESP
3181 error = esp6_output(state->m, &ip6->ip6_nxt,
3182 state->m->m_next, isr);
3183 #else
3184 m_freem(state->m);
3185 error = EINVAL;
3186 #endif
3187 break;
3188 case IPPROTO_AH:
3189 error = ah6_output(state->m, &ip6->ip6_nxt,
3190 state->m->m_next, isr);
3191 break;
3192 case IPPROTO_IPCOMP:
3193 /* XXX code should be here */
3194 /* FALLTHROUGH */
3195 default:
3196 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3197 "unknown ipsec protocol %d\n", isr->saidx.proto));
3198 m_freem(state->m);
3199 ipsec6stat.out_inval++;
3200 error = EINVAL;
3201 break;
3202 }
3203 if (error) {
3204 state->m = NULL;
3205 goto bad;
3206 }
3207 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3208 if (plen > IPV6_MAXPACKET) {
3209 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3210 "IPsec with IPv6 jumbogram is not supported\n"));
3211 ipsec6stat.out_inval++;
3212 error = EINVAL; /* XXX */
3213 goto bad;
3214 }
3215 ip6 = mtod(state->m, struct ip6_hdr *);
3216 ip6->ip6_plen = htons(plen);
3217 }
3218
3219 return 0;
3220
3221 bad:
3222 m_freem(state->m);
3223 state->m = NULL;
3224 return error;
3225 }
3226 #endif /* INET6 */
3227
3228 #ifdef INET
3229 /*
3230 * Chop IP header and option off from the payload.
3231 */
3232 static struct mbuf *
3233 ipsec4_splithdr(m)
3234 struct mbuf *m;
3235 {
3236 struct mbuf *mh;
3237 struct ip *ip;
3238 int hlen;
3239
3240 if (m->m_len < sizeof(struct ip))
3241 panic("ipsec4_splithdr: first mbuf too short");
3242 ip = mtod(m, struct ip *);
3243 #ifdef _IP_VHL
3244 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3245 #else
3246 hlen = ip->ip_hl << 2;
3247 #endif
3248 if (m->m_len > hlen) {
3249 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3250 if (!mh) {
3251 m_freem(m);
3252 return NULL;
3253 }
3254 M_MOVE_PKTHDR(mh, m);
3255 MH_ALIGN(mh, hlen);
3256 m->m_len -= hlen;
3257 m->m_data += hlen;
3258 mh->m_next = m;
3259 m = mh;
3260 m->m_len = hlen;
3261 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3262 } else if (m->m_len < hlen) {
3263 m = m_pullup(m, hlen);
3264 if (!m)
3265 return NULL;
3266 }
3267 return m;
3268 }
3269 #endif
3270
3271 #ifdef INET6
3272 static struct mbuf *
3273 ipsec6_splithdr(m)
3274 struct mbuf *m;
3275 {
3276 struct mbuf *mh;
3277 struct ip6_hdr *ip6;
3278 int hlen;
3279
3280 if (m->m_len < sizeof(struct ip6_hdr))
3281 panic("ipsec6_splithdr: first mbuf too short");
3282 ip6 = mtod(m, struct ip6_hdr *);
3283 hlen = sizeof(struct ip6_hdr);
3284 if (m->m_len > hlen) {
3285 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3286 if (!mh) {
3287 m_freem(m);
3288 return NULL;
3289 }
3290 M_MOVE_PKTHDR(mh, m);
3291 MH_ALIGN(mh, hlen);
3292 m->m_len -= hlen;
3293 m->m_data += hlen;
3294 mh->m_next = m;
3295 m = mh;
3296 m->m_len = hlen;
3297 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3298 } else if (m->m_len < hlen) {
3299 m = m_pullup(m, hlen);
3300 if (!m)
3301 return NULL;
3302 }
3303 return m;
3304 }
3305 #endif
3306
3307 /* validate inbound IPsec tunnel packet. */
3308 int
3309 ipsec4_tunnel_validate(m, off, nxt0, sav)
3310 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3311 int off;
3312 u_int nxt0;
3313 struct secasvar *sav;
3314 {
3315 u_int8_t nxt = nxt0 & 0xff;
3316 struct sockaddr_in *sin;
3317 struct sockaddr_in osrc, odst, isrc, idst;
3318 int hlen;
3319 struct secpolicy *sp;
3320 struct ip *oip;
3321
3322 #ifdef DIAGNOSTIC
3323 if (m->m_len < sizeof(struct ip))
3324 panic("too short mbuf on ipsec4_tunnel_validate");
3325 #endif
3326 if (nxt != IPPROTO_IPV4)
3327 return 0;
3328 if (m->m_pkthdr.len < off + sizeof(struct ip))
3329 return 0;
3330 /* do not decapsulate if the SA is for transport mode only */
3331 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3332 return 0;
3333
3334 oip = mtod(m, struct ip *);
3335 hlen = oip->ip_hl << 2;
3336 if (hlen != sizeof(struct ip))
3337 return 0;
3338
3339 /* AF_INET6 should be supported, but at this moment we don't. */
3340 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3341 if (sin->sin_family != AF_INET)
3342 return 0;
3343 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3344 return 0;
3345
3346 /* XXX slow */
3347 bzero(&osrc, sizeof(osrc));
3348 bzero(&odst, sizeof(odst));
3349 bzero(&isrc, sizeof(isrc));
3350 bzero(&idst, sizeof(idst));
3351 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3352 AF_INET;
3353 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3354 sizeof(struct sockaddr_in);
3355 osrc.sin_addr = oip->ip_src;
3356 odst.sin_addr = oip->ip_dst;
3357 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3358 (caddr_t)&isrc.sin_addr);
3359 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3360 (caddr_t)&idst.sin_addr);
3361
3362 /*
3363 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3364 * - if the inner destination is multicast address, there can be
3365 * multiple permissible inner source address. implementation
3366 * may want to skip verification of inner source address against
3367 * SPD selector.
3368 * - if the inner protocol is ICMP, the packet may be an error report
3369 * from routers on the other side of the VPN cloud (R in the
3370 * following diagram). in this case, we cannot verify inner source
3371 * address against SPD selector.
3372 * me -- gw === gw -- R -- you
3373 *
3374 * we consider the first bullet to be users responsibility on SPD entry
3375 * configuration (if you need to encrypt multicast traffic, set
3376 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3377 * address ranges for possible senders).
3378 * the second bullet is not taken care of (yet).
3379 *
3380 * therefore, we do not do anything special about inner source.
3381 */
3382
3383 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3384 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3385 /*
3386 * when there is no suitable inbound policy for the packet of the ipsec
3387 * tunnel mode, the kernel never decapsulate the tunneled packet
3388 * as the ipsec tunnel mode even when the system wide policy is "none".
3389 * then the kernel leaves the generic tunnel module to process this
3390 * packet. if there is no rule of the generic tunnel, the packet
3391 * is rejected and the statistics will be counted up.
3392 */
3393 if (!sp)
3394 return 0;
3395 key_freesp(sp);
3396
3397 return 1;
3398 }
3399
3400 #ifdef INET6
3401 /* validate inbound IPsec tunnel packet. */
3402 int
3403 ipsec6_tunnel_validate(m, off, nxt0, sav)
3404 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3405 int off;
3406 u_int nxt0;
3407 struct secasvar *sav;
3408 {
3409 u_int8_t nxt = nxt0 & 0xff;
3410 struct sockaddr_in6 *sin6;
3411 struct sockaddr_in6 osrc, odst, isrc, idst;
3412 struct secpolicy *sp;
3413 struct ip6_hdr *oip6;
3414
3415 #ifdef DIAGNOSTIC
3416 if (m->m_len < sizeof(struct ip6_hdr))
3417 panic("too short mbuf on ipsec6_tunnel_validate");
3418 #endif
3419 if (nxt != IPPROTO_IPV6)
3420 return 0;
3421 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3422 return 0;
3423 /* do not decapsulate if the SA is for transport mode only */
3424 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3425 return 0;
3426
3427 oip6 = mtod(m, struct ip6_hdr *);
3428
3429 /* AF_INET should be supported, but at this moment we don't. */
3430 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3431 if (sin6->sin6_family != AF_INET6)
3432 return 0;
3433 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3434 return 0;
3435
3436 /* XXX slow */
3437 bzero(&osrc, sizeof(osrc));
3438 bzero(&odst, sizeof(odst));
3439 bzero(&isrc, sizeof(isrc));
3440 bzero(&idst, sizeof(idst));
3441 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3442 idst.sin6_family = AF_INET6;
3443 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3444 sizeof(struct sockaddr_in6);
3445 osrc.sin6_addr = oip6->ip6_src;
3446 odst.sin6_addr = oip6->ip6_dst;
3447 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3448 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3449 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3450 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3451
3452 /*
3453 * regarding to inner source address validation, see a long comment
3454 * in ipsec4_tunnel_validate.
3455 */
3456
3457 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3458 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3459 if (!sp)
3460 return 0;
3461 key_freesp(sp);
3462
3463 return 1;
3464 }
3465 #endif
3466
3467 /*
3468 * Make a mbuf chain for encryption.
3469 * If the original mbuf chain contains a mbuf with a cluster,
3470 * allocate a new cluster and copy the data to the new cluster.
3471 * XXX: this hack is inefficient, but is necessary to handle cases
3472 * of TCP retransmission...
3473 */
3474 struct mbuf *
3475 ipsec_copypkt(m)
3476 struct mbuf *m;
3477 {
3478 struct mbuf *n, **mpp, *mnew;
3479
3480 for (n = m, mpp = &m; n; n = n->m_next) {
3481 if (n->m_flags & M_EXT) {
3482 /*
3483 * Make a copy only if there is more than one
3484 * references to the cluster.
3485 * XXX: is this approach effective?
3486 */
3487 if (!M_WRITABLE(n)) {
3488 int remain, copied;
3489 struct mbuf *mm;
3490
3491 if (n->m_flags & M_PKTHDR) {
3492 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3493 if (mnew == NULL)
3494 goto fail;
3495 mnew->m_pkthdr = n->m_pkthdr;
3496 #if 0
3497 /* XXX: convert to m_tag or delete? */
3498 if (n->m_pkthdr.aux) {
3499 mnew->m_pkthdr.aux =
3500 m_copym(n->m_pkthdr.aux,
3501 0, M_COPYALL, M_DONTWAIT);
3502 }
3503 #endif
3504 M_MOVE_PKTHDR(mnew, n);
3505 }
3506 else {
3507 MGET(mnew, M_DONTWAIT, MT_DATA);
3508 if (mnew == NULL)
3509 goto fail;
3510 }
3511 mnew->m_len = 0;
3512 mm = mnew;
3513
3514 /*
3515 * Copy data. If we don't have enough space to
3516 * store the whole data, allocate a cluster
3517 * or additional mbufs.
3518 * XXX: we don't use m_copyback(), since the
3519 * function does not use clusters and thus is
3520 * inefficient.
3521 */
3522 remain = n->m_len;
3523 copied = 0;
3524 while (1) {
3525 int len;
3526 struct mbuf *mn;
3527
3528 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3529 len = remain;
3530 else { /* allocate a cluster */
3531 MCLGET(mm, M_DONTWAIT);
3532 if (!(mm->m_flags & M_EXT)) {
3533 m_free(mm);
3534 goto fail;
3535 }
3536 len = remain < MCLBYTES ?
3537 remain : MCLBYTES;
3538 }
3539
3540 bcopy(n->m_data + copied, mm->m_data,
3541 len);
3542
3543 copied += len;
3544 remain -= len;
3545 mm->m_len = len;
3546
3547 if (remain <= 0) /* completed? */
3548 break;
3549
3550 /* need another mbuf */
3551 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3552 if (mn == NULL)
3553 goto fail;
3554 mn->m_pkthdr.rcvif = NULL;
3555 mm->m_next = mn;
3556 mm = mn;
3557 }
3558
3559 /* adjust chain */
3560 mm->m_next = m_free(n);
3561 n = mm;
3562 *mpp = mnew;
3563 mpp = &n->m_next;
3564
3565 continue;
3566 }
3567 }
3568 *mpp = n;
3569 mpp = &n->m_next;
3570 }
3571
3572 return (m);
3573 fail:
3574 m_freem(m);
3575 return (NULL);
3576 }
3577
3578 static struct ipsecaux *
3579 ipsec_addaux(m)
3580 struct mbuf *m;
3581 {
3582 struct m_tag *mtag;
3583
3584 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3585 if (mtag == NULL) {
3586 mtag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
3587 sizeof(struct ipsecaux), M_NOWAIT);
3588 if (mtag != NULL)
3589 m_tag_prepend(m, mtag);
3590 }
3591 if (mtag == NULL)
3592 return NULL; /* ENOBUFS */
3593 /* XXX is this necessary? */
3594 bzero((void *)(mtag + 1), sizeof(struct ipsecaux));
3595 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL;
3596 }
3597
3598 static struct ipsecaux *
3599 ipsec_findaux(m)
3600 struct mbuf *m;
3601 {
3602 struct m_tag *mtag;
3603
3604 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3605 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL;
3606 }
3607
3608 void
3609 ipsec_delaux(m)
3610 struct mbuf *m;
3611 {
3612 struct m_tag *mtag;
3613
3614 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3615 if (mtag != NULL)
3616 m_tag_delete(m, mtag);
3617 }
3618
3619 /* if the aux buffer is unnecessary, nuke it. */
3620 static void
3621 ipsec_optaux(m, aux)
3622 struct mbuf *m;
3623 struct ipsecaux *aux;
3624 {
3625
3626 if (aux == NULL)
3627 return;
3628 if (!aux->so && !aux->sp)
3629 ipsec_delaux(m);
3630 }
3631
3632 int
3633 ipsec_setsocket(m, so)
3634 struct mbuf *m;
3635 struct socket *so;
3636 {
3637 struct ipsecaux *aux;
3638
3639 /* if so == NULL, don't insist on getting the aux mbuf */
3640 if (so) {
3641 aux = ipsec_addaux(m);
3642 if (aux == NULL)
3643 return ENOBUFS;
3644 } else
3645 aux = ipsec_findaux(m);
3646 if (aux != NULL) {
3647 aux->so = so;
3648 }
3649 ipsec_optaux(m, aux);
3650 return 0;
3651 }
3652
3653 struct socket *
3654 ipsec_getsocket(m)
3655 struct mbuf *m;
3656 {
3657 struct ipsecaux *aux;
3658
3659 aux = ipsec_findaux(m);
3660 if (aux != NULL)
3661 return aux->so;
3662 else
3663 return NULL;
3664 }
3665
3666 int
3667 ipsec_addhist(m, proto, spi)
3668 struct mbuf *m;
3669 int proto;
3670 u_int32_t spi;
3671 {
3672 struct ipsecaux *aux;
3673
3674 aux = ipsec_addaux(m);
3675 if (aux == NULL)
3676 return ENOBUFS;
3677 aux->hdrs++;
3678 return 0;
3679 }
3680
3681 int
3682 ipsec_getnhist(m)
3683 struct mbuf *m;
3684 {
3685 struct ipsecaux *aux;
3686
3687 aux = ipsec_findaux(m);
3688 if (aux == NULL)
3689 return 0;
3690 return aux->hdrs;
3691 }
3692
3693 void
3694 ipsec_clearhist(m)
3695 struct mbuf *m;
3696 {
3697 struct ipsecaux *aux;
3698
3699 aux = ipsec_findaux(m);
3700 ipsec_optaux(m, aux);
3701 }
Cache object: 265e400cc69f1910157a63dce3903c2f
|