Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* $FreeBSD: releng/5.3/sys/netinet6/ipsec.c 136588 2004-10-16 08:43:07Z cvs2svn $ */ 2 /* $KAME: ipsec.c,v 1.207 2004/01/13 03:30:42 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * IPsec controller part. 35 */ 36 37 #include "opt_inet.h" 38 #include "opt_inet6.h" 39 #include "opt_ipsec.h" 40 41 #include <sys/param.h> 42 #include <sys/systm.h> 43 #include <sys/malloc.h> 44 #include <sys/mbuf.h> 45 #include <sys/domain.h> 46 #include <sys/protosw.h> 47 #include <sys/socket.h> 48 #include <sys/socketvar.h> 49 #include <sys/errno.h> 50 #include <sys/time.h> 51 #include <sys/kernel.h> 52 #include <sys/syslog.h> 53 #include <sys/sysctl.h> 54 #include <sys/proc.h> 55 56 #include <net/if.h> 57 #include <net/route.h> 58 59 #include <netinet/in.h> 60 #include <netinet/in_systm.h> 61 #include <netinet/ip.h> 62 #include <netinet/ip_var.h> 63 #include <netinet/in_var.h> 64 #include <netinet/udp.h> 65 #include <netinet/udp_var.h> 66 #include <netinet/ip_ecn.h> 67 #ifdef INET6 68 #include <netinet6/ip6_ecn.h> 69 #endif 70 #include <netinet/tcp.h> 71 #include <netinet/udp.h> 72 73 #include <netinet/ip6.h> 74 #ifdef INET6 75 #include <netinet6/ip6_var.h> 76 #endif 77 #include <netinet/in_pcb.h> 78 #ifdef INET6 79 #include <netinet/icmp6.h> 80 #endif 81 82 #include <netinet6/ipsec.h> 83 #ifdef INET6 84 #include <netinet6/ipsec6.h> 85 #endif 86 #include <netinet6/ah.h> 87 #ifdef INET6 88 #include <netinet6/ah6.h> 89 #endif 90 #ifdef IPSEC_ESP 91 #include <netinet6/esp.h> 92 #ifdef INET6 93 #include <netinet6/esp6.h> 94 #endif 95 #endif 96 #include <netinet6/ipcomp.h> 97 #ifdef INET6 98 #include <netinet6/ipcomp6.h> 99 #endif 100 #include <netkey/key.h> 101 #include <netkey/keydb.h> 102 #include <netkey/key_debug.h> 103 104 #include <machine/in_cksum.h> 105 #include <net/net_osdep.h> 106 107 #ifdef IPSEC_DEBUG 108 int ipsec_debug = 1; 109 #else 110 int ipsec_debug = 0; 111 #endif 112 113 NET_NEEDS_GIANT("ipsec"); 114 115 struct ipsecstat ipsecstat; 116 int ip4_ah_cleartos = 1; 117 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ 118 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ 119 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; 120 int ip4_esp_net_deflev = IPSEC_LEVEL_USE; 121 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; 122 int ip4_ah_net_deflev = IPSEC_LEVEL_USE; 123 struct secpolicy *ip4_def_policy; 124 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 125 int ip4_esp_randpad = -1; 126 127 static int sp_cachegen = 1; /* cache generation # */ 128 129 SYSCTL_DECL(_net_inet_ipsec); 130 #ifdef INET6 131 SYSCTL_DECL(_net_inet6_ipsec6); 132 #endif 133 134 /* net.inet.ipsec */ 135 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS, 136 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, ""); 137 #if 0 138 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY, 139 def_policy, CTLFLAG_RW, &ip4_def_policy->policy, 0, ""); 140 #endif 141 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 142 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, ""); 143 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 144 CTLFLAG_RW, &ip4_esp_net_deflev, 0, ""); 145 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 146 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, ""); 147 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 148 CTLFLAG_RW, &ip4_ah_net_deflev, 0, ""); 149 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, 150 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, ""); 151 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, 152 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, ""); 153 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, 154 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, ""); 155 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, 156 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, ""); 157 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, 158 debug, CTLFLAG_RW, &ipsec_debug, 0, ""); 159 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD, 160 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, ""); 161 162 #ifdef INET6 163 struct ipsecstat ipsec6stat; 164 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; 165 int ip6_esp_net_deflev = IPSEC_LEVEL_USE; 166 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 167 int ip6_ah_net_deflev = IPSEC_LEVEL_USE; 168 struct secpolicy *ip6_def_policy; 169 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 170 int ip6_esp_randpad = -1; 171 172 /* net.inet6.ipsec6 */ 173 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, 174 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, ""); 175 #if 0 176 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, 177 def_policy, CTLFLAG_RW, &ip6_def_policy->policy, 0, ""); 178 #endif 179 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 180 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, ""); 181 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 182 CTLFLAG_RW, &ip6_esp_net_deflev, 0, ""); 183 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 184 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, ""); 185 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 186 CTLFLAG_RW, &ip6_ah_net_deflev, 0, ""); 187 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, 188 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, ""); 189 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, 190 debug, CTLFLAG_RW, &ipsec_debug, 0, ""); 191 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, 192 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, ""); 193 #endif /* INET6 */ 194 195 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *, 196 struct inpcbpolicy *, int)); 197 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *, 198 struct secpolicy *, int)); 199 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int)); 200 static int ipsec_setspidx_mbuf 201 __P((struct secpolicyindex *, int, struct mbuf *, int)); 202 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int)); 203 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); 204 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 205 #ifdef INET6 206 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); 207 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 208 #endif 209 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void)); 210 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *)); 211 #if 0 212 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *)); 213 #endif 214 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *)); 215 static int ipsec_set_policy 216 __P((struct secpolicy **, int, caddr_t, size_t, int)); 217 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **)); 218 static void vshiftl __P((unsigned char *, int, int)); 219 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *)); 220 static size_t ipsec_hdrsiz __P((struct secpolicy *)); 221 #ifdef INET 222 static struct mbuf *ipsec4_splithdr __P((struct mbuf *)); 223 #endif 224 #ifdef INET6 225 static struct mbuf *ipsec6_splithdr __P((struct mbuf *)); 226 #endif 227 #ifdef INET 228 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *)); 229 #endif 230 #ifdef INET6 231 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *)); 232 #endif 233 static struct ipsecaux *ipsec_addaux __P((struct mbuf *)); 234 static struct ipsecaux *ipsec_findaux __P((struct mbuf *)); 235 static void ipsec_optaux __P((struct mbuf *, struct ipsecaux *)); 236 #ifdef INET 237 static int ipsec4_checksa __P((struct ipsecrequest *, 238 struct ipsec_output_state *)); 239 #endif 240 #ifdef INET6 241 static int ipsec6_checksa __P((struct ipsecrequest *, 242 struct ipsec_output_state *, int)); 243 #endif 244 245 /* 246 * try to validate and use cached policy on a pcb. 247 */ 248 static struct secpolicy * 249 ipsec_checkpcbcache(m, pcbsp, dir) 250 struct mbuf *m; 251 struct inpcbpolicy *pcbsp; 252 int dir; 253 { 254 struct secpolicyindex spidx; 255 struct timeval mono_time; 256 257 microtime(&mono_time); 258 259 switch (dir) { 260 case IPSEC_DIR_INBOUND: 261 case IPSEC_DIR_OUTBOUND: 262 case IPSEC_DIR_ANY: 263 break; 264 default: 265 return NULL; 266 } 267 #ifdef DIAGNOSTIC 268 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0])) 269 panic("dir too big in ipsec_checkpcbcache"); 270 #endif 271 /* SPD table change invalidates all the caches */ 272 if (pcbsp->cachegen[dir] == 0 || sp_cachegen > pcbsp->cachegen[dir]) { 273 ipsec_invalpcbcache(pcbsp, dir); 274 return NULL; 275 } 276 if (!pcbsp->cache[dir]) 277 return NULL; 278 if (pcbsp->cache[dir]->state != IPSEC_SPSTATE_ALIVE) { 279 ipsec_invalpcbcache(pcbsp, dir); 280 return NULL; 281 } 282 if ((pcbsp->cacheflags & IPSEC_PCBSP_CONNECTED) == 0) { 283 if (!pcbsp->cache[dir]) 284 return NULL; 285 if (ipsec_setspidx(m, &spidx, 1) != 0) 286 return NULL; 287 if (bcmp(&pcbsp->cacheidx[dir], &spidx, sizeof(spidx))) { 288 if (!pcbsp->cache[dir]->spidx || 289 !key_cmpspidx_withmask(pcbsp->cache[dir]->spidx, 290 &spidx)) 291 return NULL; 292 pcbsp->cacheidx[dir] = spidx; 293 } 294 } else { 295 /* 296 * The pcb is connected, and the L4 code is sure that: 297 * - outgoing side uses inp_[lf]addr 298 * - incoming side looks up policy after inpcb lookup 299 * and address pair is known to be stable. We do not need 300 * to generate spidx again, nor check the address match again. 301 * 302 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds 303 * and there are calls to ipsec_pcbconn() from in_pcbconnect(). 304 */ 305 } 306 307 pcbsp->cache[dir]->lastused = mono_time.tv_sec; 308 pcbsp->cache[dir]->refcnt++; 309 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 310 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n", 311 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir])); 312 return pcbsp->cache[dir]; 313 } 314 315 static int 316 ipsec_fillpcbcache(pcbsp, m, sp, dir) 317 struct inpcbpolicy *pcbsp; 318 struct mbuf *m; 319 struct secpolicy *sp; 320 int dir; 321 { 322 323 switch (dir) { 324 case IPSEC_DIR_INBOUND: 325 case IPSEC_DIR_OUTBOUND: 326 break; 327 default: 328 return EINVAL; 329 } 330 #ifdef DIAGNOSTIC 331 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0])) 332 panic("dir too big in ipsec_checkpcbcache"); 333 #endif 334 335 if (pcbsp->cache[dir]) 336 key_freesp(pcbsp->cache[dir]); 337 pcbsp->cache[dir] = NULL; 338 if (ipsec_setspidx(m, &pcbsp->cacheidx[dir], 1) != 0) { 339 return EINVAL; 340 } 341 pcbsp->cache[dir] = sp; 342 if (pcbsp->cache[dir]) { 343 pcbsp->cache[dir]->refcnt++; 344 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 345 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n", 346 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir])); 347 } 348 pcbsp->cachegen[dir] = sp_cachegen; 349 350 return 0; 351 } 352 353 static int 354 ipsec_invalpcbcache(pcbsp, dir) 355 struct inpcbpolicy *pcbsp; 356 int dir; 357 { 358 int i; 359 360 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) { 361 if (dir != IPSEC_DIR_ANY && i != dir) 362 continue; 363 if (pcbsp->cache[i]) 364 key_freesp(pcbsp->cache[i]); 365 pcbsp->cache[i] = NULL; 366 pcbsp->cachegen[i] = 0; 367 bzero(&pcbsp->cacheidx[i], sizeof(pcbsp->cacheidx[i])); 368 } 369 return 0; 370 } 371 372 int 373 ipsec_pcbconn(pcbsp) 374 struct inpcbpolicy *pcbsp; 375 { 376 377 pcbsp->cacheflags |= IPSEC_PCBSP_CONNECTED; 378 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 379 return 0; 380 } 381 382 int 383 ipsec_pcbdisconn(pcbsp) 384 struct inpcbpolicy *pcbsp; 385 { 386 387 pcbsp->cacheflags &= ~IPSEC_PCBSP_CONNECTED; 388 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 389 return 0; 390 } 391 392 int 393 ipsec_invalpcbcacheall() 394 { 395 396 sp_cachegen++; 397 return 0; 398 } 399 400 /* 401 * For OUTBOUND packet having a socket. Searching SPD for packet, 402 * and return a pointer to SP. 403 * OUT: NULL: no apropreate SP found, the following value is set to error. 404 * 0 : bypass 405 * EACCES : discard packet. 406 * ENOENT : ipsec_acquire() in progress, maybe. 407 * others : error occured. 408 * others: a pointer to SP 409 * 410 * NOTE: IPv6 mapped adddress concern is implemented here. 411 */ 412 struct secpolicy * 413 ipsec4_getpolicybypcb(m, dir, inp, error) 414 struct mbuf *m; 415 u_int dir; 416 struct inpcb *inp; 417 int *error; 418 { 419 struct inpcbpolicy *pcbsp = NULL; 420 struct secpolicy *currsp = NULL; /* policy on socket */ 421 struct secpolicy *kernsp = NULL; /* policy on kernel */ 422 struct secpolicyindex spidx; 423 u_int16_t tag; 424 425 /* sanity check */ 426 if (m == NULL || inp == NULL || error == NULL) 427 panic("ipsec4_getpolicybypcb: NULL pointer was passed."); 428 429 pcbsp = inp->inp_sp; 430 431 #ifdef DIAGNOSTIC 432 if (pcbsp == NULL) 433 panic("ipsec4_getpolicybypcb: pcbsp is NULL."); 434 #endif 435 436 tag = 0; 437 438 /* if we have a cached entry, and if it is still valid, use it. */ 439 ipsecstat.spdcachelookup++; 440 currsp = ipsec_checkpcbcache(m, pcbsp, dir); 441 if (currsp) { 442 *error = 0; 443 return currsp; 444 } 445 ipsecstat.spdcachemiss++; 446 447 switch (dir) { 448 case IPSEC_DIR_INBOUND: 449 currsp = pcbsp->sp_in; 450 break; 451 case IPSEC_DIR_OUTBOUND: 452 currsp = pcbsp->sp_out; 453 break; 454 default: 455 panic("ipsec4_getpolicybypcb: illegal direction."); 456 } 457 458 /* sanity check */ 459 if (currsp == NULL) 460 panic("ipsec4_getpolicybypcb: currsp is NULL."); 461 462 /* when privileged socket */ 463 if (pcbsp->priv) { 464 switch (currsp->policy) { 465 case IPSEC_POLICY_BYPASS: 466 currsp->refcnt++; 467 *error = 0; 468 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 469 return currsp; 470 471 case IPSEC_POLICY_ENTRUST: 472 /* look for a policy in SPD */ 473 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 && 474 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 475 /* SP found */ 476 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 477 printf("DP ipsec4_getpolicybypcb called " 478 "to allocate SP:%p\n", kernsp)); 479 *error = 0; 480 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 481 return kernsp; 482 } 483 484 /* no SP found */ 485 ip4_def_policy->refcnt++; 486 *error = 0; 487 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir); 488 return ip4_def_policy; 489 490 case IPSEC_POLICY_IPSEC: 491 currsp->refcnt++; 492 *error = 0; 493 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 494 return currsp; 495 496 default: 497 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: " 498 "Invalid policy for PCB %d\n", currsp->policy)); 499 *error = EINVAL; 500 return NULL; 501 } 502 /* NOTREACHED */ 503 } 504 505 /* when non-privileged socket */ 506 /* look for a policy in SPD */ 507 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 && 508 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 509 /* SP found */ 510 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 511 printf("DP ipsec4_getpolicybypcb called " 512 "to allocate SP:%p\n", kernsp)); 513 *error = 0; 514 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 515 return kernsp; 516 } 517 518 /* no SP found */ 519 switch (currsp->policy) { 520 case IPSEC_POLICY_BYPASS: 521 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: " 522 "Illegal policy for non-privileged defined %d\n", 523 currsp->policy)); 524 *error = EINVAL; 525 return NULL; 526 527 case IPSEC_POLICY_ENTRUST: 528 ip4_def_policy->refcnt++; 529 *error = 0; 530 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir); 531 return ip4_def_policy; 532 533 case IPSEC_POLICY_IPSEC: 534 currsp->refcnt++; 535 *error = 0; 536 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 537 return currsp; 538 539 default: 540 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: " 541 "Invalid policy for PCB %d\n", currsp->policy)); 542 *error = EINVAL; 543 return NULL; 544 } 545 /* NOTREACHED */ 546 } 547 548 /* 549 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 550 * and return a pointer to SP. 551 * OUT: positive: a pointer to the entry for security policy leaf matched. 552 * NULL: no apropreate SP found, the following value is set to error. 553 * 0 : bypass 554 * EACCES : discard packet. 555 * ENOENT : ipsec_acquire() in progress, maybe. 556 * others : error occured. 557 */ 558 struct secpolicy * 559 ipsec4_getpolicybyaddr(m, dir, flag, error) 560 struct mbuf *m; 561 u_int dir; 562 int flag; 563 int *error; 564 { 565 struct secpolicy *sp = NULL; 566 u_int16_t tag; 567 568 /* sanity check */ 569 if (m == NULL || error == NULL) 570 panic("ipsec4_getpolicybyaddr: NULL pointer was passed."); 571 572 /* get a policy entry matched with the packet */ 573 { 574 struct secpolicyindex spidx; 575 576 bzero(&spidx, sizeof(spidx)); 577 578 /* make an index to look for a policy */ 579 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m, 580 (flag & IP_FORWARDING) ? 0 : 1); 581 582 if (*error != 0) 583 return NULL; 584 585 tag = 0; 586 587 sp = key_allocsp(tag, &spidx, dir); 588 } 589 590 /* SP found */ 591 if (sp != NULL) { 592 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 593 printf("DP ipsec4_getpolicybyaddr called " 594 "to allocate SP:%p\n", sp)); 595 *error = 0; 596 return sp; 597 } 598 599 /* no SP found */ 600 ip4_def_policy->refcnt++; 601 *error = 0; 602 return ip4_def_policy; 603 } 604 605 #ifdef INET6 606 /* 607 * For OUTBOUND packet having a socket. Searching SPD for packet, 608 * and return a pointer to SP. 609 * OUT: NULL: no apropreate SP found, the following value is set to error. 610 * 0 : bypass 611 * EACCES : discard packet. 612 * ENOENT : ipsec_acquire() in progress, maybe. 613 * others : error occured. 614 * others: a pointer to SP 615 */ 616 struct secpolicy * 617 ipsec6_getpolicybypcb(m, dir, inp, error) 618 struct mbuf *m; 619 u_int dir; 620 struct inpcb *inp; 621 int *error; 622 { 623 struct inpcbpolicy *pcbsp = NULL; 624 struct secpolicy *currsp = NULL; /* policy on socket */ 625 struct secpolicy *kernsp = NULL; /* policy on kernel */ 626 struct secpolicyindex spidx; 627 u_int16_t tag; 628 629 /* sanity check */ 630 if (m == NULL || inp == NULL || error == NULL) 631 panic("ipsec6_getpolicybypcb: NULL pointer was passed."); 632 633 #ifdef DIAGNOSTIC 634 if ((inp->inp_vflag & INP_IPV6PROTO) == 0) 635 panic("ipsec6_getpolicybypcb: socket domain != inet6"); 636 #endif 637 638 pcbsp = inp->in6p_sp; 639 640 #ifdef DIAGNOSTIC 641 if (pcbsp == NULL) 642 panic("ipsec6_getpolicybypcb: pcbsp is NULL."); 643 #endif 644 645 tag = 0; 646 647 /* if we have a cached entry, and if it is still valid, use it. */ 648 ipsec6stat.spdcachelookup++; 649 currsp = ipsec_checkpcbcache(m, pcbsp, dir); 650 if (currsp) { 651 *error = 0; 652 return currsp; 653 } 654 ipsec6stat.spdcachemiss++; 655 656 switch (dir) { 657 case IPSEC_DIR_INBOUND: 658 currsp = pcbsp->sp_in; 659 break; 660 case IPSEC_DIR_OUTBOUND: 661 currsp = pcbsp->sp_out; 662 break; 663 default: 664 panic("ipsec6_getpolicybypcb: illegal direction."); 665 } 666 667 /* sanity check */ 668 if (currsp == NULL) 669 panic("ipsec6_getpolicybypcb: currsp is NULL."); 670 671 /* when privileged socket */ 672 if (pcbsp->priv) { 673 switch (currsp->policy) { 674 case IPSEC_POLICY_BYPASS: 675 currsp->refcnt++; 676 *error = 0; 677 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 678 return currsp; 679 680 case IPSEC_POLICY_ENTRUST: 681 /* look for a policy in SPD */ 682 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 && 683 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 684 /* SP found */ 685 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 686 printf("DP ipsec6_getpolicybypcb called " 687 "to allocate SP:%p\n", kernsp)); 688 *error = 0; 689 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 690 return kernsp; 691 } 692 693 /* no SP found */ 694 ip6_def_policy->refcnt++; 695 *error = 0; 696 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir); 697 return ip6_def_policy; 698 699 case IPSEC_POLICY_IPSEC: 700 currsp->refcnt++; 701 *error = 0; 702 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 703 return currsp; 704 705 default: 706 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: " 707 "Invalid policy for PCB %d\n", currsp->policy)); 708 *error = EINVAL; 709 return NULL; 710 } 711 /* NOTREACHED */ 712 } 713 714 /* when non-privileged socket */ 715 /* look for a policy in SPD */ 716 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 && 717 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 718 /* SP found */ 719 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 720 printf("DP ipsec6_getpolicybypcb called " 721 "to allocate SP:%p\n", kernsp)); 722 *error = 0; 723 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 724 return kernsp; 725 } 726 727 /* no SP found */ 728 switch (currsp->policy) { 729 case IPSEC_POLICY_BYPASS: 730 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: " 731 "Illegal policy for non-privileged defined %d\n", 732 currsp->policy)); 733 *error = EINVAL; 734 return NULL; 735 736 case IPSEC_POLICY_ENTRUST: 737 ip6_def_policy->refcnt++; 738 *error = 0; 739 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir); 740 return ip6_def_policy; 741 742 case IPSEC_POLICY_IPSEC: 743 currsp->refcnt++; 744 *error = 0; 745 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 746 return currsp; 747 748 default: 749 ipseclog((LOG_ERR, 750 "ipsec6_policybysock: Invalid policy for PCB %d\n", 751 currsp->policy)); 752 *error = EINVAL; 753 return NULL; 754 } 755 /* NOTREACHED */ 756 } 757 758 /* 759 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 760 * and return a pointer to SP. 761 * `flag' means that packet is to be forwarded whether or not. 762 * flag = 1: forwad 763 * OUT: positive: a pointer to the entry for security policy leaf matched. 764 * NULL: no apropreate SP found, the following value is set to error. 765 * 0 : bypass 766 * EACCES : discard packet. 767 * ENOENT : ipsec_acquire() in progress, maybe. 768 * others : error occured. 769 */ 770 #ifndef IP_FORWARDING 771 #define IP_FORWARDING 1 772 #endif 773 774 struct secpolicy * 775 ipsec6_getpolicybyaddr(m, dir, flag, error) 776 struct mbuf *m; 777 u_int dir; 778 int flag; 779 int *error; 780 { 781 struct secpolicy *sp = NULL; 782 u_int16_t tag; 783 784 /* sanity check */ 785 if (m == NULL || error == NULL) 786 panic("ipsec6_getpolicybyaddr: NULL pointer was passed."); 787 788 /* get a policy entry matched with the packet */ 789 { 790 struct secpolicyindex spidx; 791 792 bzero(&spidx, sizeof(spidx)); 793 794 /* make an index to look for a policy */ 795 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 796 (flag & IP_FORWARDING) ? 0 : 1); 797 798 if (*error != 0) 799 return NULL; 800 801 tag = 0; 802 803 sp = key_allocsp(tag, &spidx, dir); 804 } 805 806 /* SP found */ 807 if (sp != NULL) { 808 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 809 printf("DP ipsec6_getpolicybyaddr called " 810 "to allocate SP:%p\n", sp)); 811 *error = 0; 812 return sp; 813 } 814 815 /* no SP found */ 816 ip6_def_policy->refcnt++; 817 *error = 0; 818 return ip6_def_policy; 819 } 820 #endif /* INET6 */ 821 822 /* 823 * set IP address into spidx from mbuf. 824 * When Forwarding packet and ICMP echo reply, this function is used. 825 * 826 * IN: get the followings from mbuf. 827 * protocol family, src, dst, next protocol 828 * OUT: 829 * 0: success. 830 * other: failure, and set errno. 831 */ 832 int 833 ipsec_setspidx_mbuf(spidx, family, m, needport) 834 struct secpolicyindex *spidx; 835 int family; 836 struct mbuf *m; 837 int needport; 838 { 839 int error; 840 841 /* sanity check */ 842 if (spidx == NULL || m == NULL) 843 panic("ipsec_setspidx_mbuf: NULL pointer was passed."); 844 845 bzero(spidx, sizeof(*spidx)); 846 847 error = ipsec_setspidx(m, spidx, needport); 848 if (error) 849 goto bad; 850 851 return 0; 852 853 bad: 854 /* XXX initialize */ 855 bzero(spidx, sizeof(*spidx)); 856 return EINVAL; 857 } 858 859 /* 860 * configure security policy index (src/dst/proto/sport/dport) 861 * by looking at the content of mbuf. 862 * the caller is responsible for error recovery (like clearing up spidx). 863 */ 864 static int 865 ipsec_setspidx(m, spidx, needport) 866 struct mbuf *m; 867 struct secpolicyindex *spidx; 868 int needport; 869 { 870 struct ip *ip = NULL; 871 struct ip ipbuf; 872 u_int v; 873 struct mbuf *n; 874 int len; 875 int error; 876 877 if (m == NULL) 878 panic("ipsec_setspidx: m == 0 passed."); 879 880 bzero(spidx, sizeof(*spidx)); 881 882 /* 883 * validate m->m_pkthdr.len. we see incorrect length if we 884 * mistakenly call this function with inconsistent mbuf chain 885 * (like 4.4BSD tcp/udp processing). XXX should we panic here? 886 */ 887 len = 0; 888 for (n = m; n; n = n->m_next) 889 len += n->m_len; 890 if (m->m_pkthdr.len != len) { 891 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 892 printf("ipsec_setspidx: " 893 "total of m_len(%d) != pkthdr.len(%d), " 894 "ignored.\n", 895 len, m->m_pkthdr.len)); 896 return EINVAL; 897 } 898 899 if (m->m_pkthdr.len < sizeof(struct ip)) { 900 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 901 printf("ipsec_setspidx: " 902 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n", 903 m->m_pkthdr.len)); 904 return EINVAL; 905 } 906 907 if (m->m_len >= sizeof(*ip)) 908 ip = mtod(m, struct ip *); 909 else { 910 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 911 ip = &ipbuf; 912 } 913 #ifdef _IP_VHL 914 v = _IP_VHL_V(ip->ip_vhl); 915 #else 916 v = ip->ip_v; 917 #endif 918 switch (v) { 919 case 4: 920 error = ipsec4_setspidx_ipaddr(m, spidx); 921 if (error) 922 return error; 923 ipsec4_get_ulp(m, spidx, needport); 924 return 0; 925 #ifdef INET6 926 case 6: 927 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 928 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 929 printf("ipsec_setspidx: " 930 "pkthdr.len(%d) < sizeof(struct ip6_hdr), " 931 "ignored.\n", m->m_pkthdr.len)); 932 return EINVAL; 933 } 934 error = ipsec6_setspidx_ipaddr(m, spidx); 935 if (error) 936 return error; 937 ipsec6_get_ulp(m, spidx, needport); 938 return 0; 939 #endif 940 default: 941 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 942 printf("ipsec_setspidx: " 943 "unknown IP version %u, ignored.\n", v)); 944 return EINVAL; 945 } 946 } 947 948 static void 949 ipsec4_get_ulp(m, spidx, needport) 950 struct mbuf *m; 951 struct secpolicyindex *spidx; 952 int needport; 953 { 954 struct ip ip; 955 struct ip6_ext ip6e; 956 u_int8_t nxt; 957 int off; 958 struct tcphdr th; 959 struct udphdr uh; 960 961 /* sanity check */ 962 if (m == NULL) 963 panic("ipsec4_get_ulp: NULL pointer was passed."); 964 if (m->m_pkthdr.len < sizeof(ip)) 965 panic("ipsec4_get_ulp: too short"); 966 967 /* set default */ 968 spidx->ul_proto = IPSEC_ULPROTO_ANY; 969 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY; 970 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY; 971 972 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip); 973 /* ip_input() flips it into host endian XXX need more checking */ 974 if (ip.ip_off & (IP_MF | IP_OFFMASK)) 975 return; 976 977 nxt = ip.ip_p; 978 #ifdef _IP_VHL 979 off = _IP_VHL_HL(ip->ip_vhl) << 2; 980 #else 981 off = ip.ip_hl << 2; 982 #endif 983 while (off < m->m_pkthdr.len) { 984 switch (nxt) { 985 case IPPROTO_TCP: 986 spidx->ul_proto = nxt; 987 if (!needport) 988 return; 989 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 990 return; 991 m_copydata(m, off, sizeof(th), (caddr_t)&th); 992 ((struct sockaddr_in *)&spidx->src)->sin_port = 993 th.th_sport; 994 ((struct sockaddr_in *)&spidx->dst)->sin_port = 995 th.th_dport; 996 return; 997 case IPPROTO_UDP: 998 spidx->ul_proto = nxt; 999 if (!needport) 1000 return; 1001 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1002 return; 1003 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1004 ((struct sockaddr_in *)&spidx->src)->sin_port = 1005 uh.uh_sport; 1006 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1007 uh.uh_dport; 1008 return; 1009 case IPPROTO_AH: 1010 if (m->m_pkthdr.len > off + sizeof(ip6e)) 1011 return; 1012 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1013 off += (ip6e.ip6e_len + 2) << 2; 1014 nxt = ip6e.ip6e_nxt; 1015 break; 1016 case IPPROTO_ICMP: 1017 default: 1018 /* XXX intermediate headers??? */ 1019 spidx->ul_proto = nxt; 1020 return; 1021 } 1022 } 1023 } 1024 1025 /* assumes that m is sane */ 1026 static int 1027 ipsec4_setspidx_ipaddr(m, spidx) 1028 struct mbuf *m; 1029 struct secpolicyindex *spidx; 1030 { 1031 struct ip *ip = NULL; 1032 struct ip ipbuf; 1033 struct sockaddr_in *sin; 1034 1035 if (m->m_len >= sizeof(*ip)) 1036 ip = mtod(m, struct ip *); 1037 else { 1038 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 1039 ip = &ipbuf; 1040 } 1041 1042 sin = (struct sockaddr_in *)&spidx->src; 1043 bzero(sin, sizeof(*sin)); 1044 sin->sin_family = AF_INET; 1045 sin->sin_len = sizeof(struct sockaddr_in); 1046 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src)); 1047 spidx->prefs = sizeof(struct in_addr) << 3; 1048 1049 sin = (struct sockaddr_in *)&spidx->dst; 1050 bzero(sin, sizeof(*sin)); 1051 sin->sin_family = AF_INET; 1052 sin->sin_len = sizeof(struct sockaddr_in); 1053 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)); 1054 spidx->prefd = sizeof(struct in_addr) << 3; 1055 return 0; 1056 } 1057 1058 #ifdef INET6 1059 static void 1060 ipsec6_get_ulp(m, spidx, needport) 1061 struct mbuf *m; 1062 struct secpolicyindex *spidx; 1063 int needport; 1064 { 1065 int off, nxt; 1066 struct tcphdr th; 1067 struct udphdr uh; 1068 struct icmp6_hdr ih; 1069 1070 /* sanity check */ 1071 if (m == NULL) 1072 panic("ipsec6_get_ulp: NULL pointer was passed."); 1073 1074 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1075 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m)); 1076 1077 /* set default */ 1078 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1079 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; 1080 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; 1081 1082 nxt = -1; 1083 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 1084 if (off < 0 || m->m_pkthdr.len < off) 1085 return; 1086 1087 switch (nxt) { 1088 case IPPROTO_TCP: 1089 spidx->ul_proto = nxt; 1090 if (!needport) 1091 break; 1092 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1093 break; 1094 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1095 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; 1096 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; 1097 break; 1098 case IPPROTO_UDP: 1099 spidx->ul_proto = nxt; 1100 if (!needport) 1101 break; 1102 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1103 break; 1104 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1105 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; 1106 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; 1107 break; 1108 case IPPROTO_ICMPV6: 1109 spidx->ul_proto = nxt; 1110 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len) 1111 break; 1112 m_copydata(m, off, sizeof(ih), (caddr_t)&ih); 1113 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = 1114 htons((u_int16_t)ih.icmp6_type); 1115 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = 1116 htons((u_int16_t)ih.icmp6_code); 1117 break; 1118 default: 1119 /* XXX intermediate headers??? */ 1120 spidx->ul_proto = nxt; 1121 break; 1122 } 1123 } 1124 1125 /* assumes that m is sane */ 1126 static int 1127 ipsec6_setspidx_ipaddr(m, spidx) 1128 struct mbuf *m; 1129 struct secpolicyindex *spidx; 1130 { 1131 struct ip6_hdr *ip6 = NULL; 1132 struct ip6_hdr ip6buf; 1133 struct sockaddr_in6 *sin6; 1134 1135 if (m->m_len >= sizeof(*ip6)) 1136 ip6 = mtod(m, struct ip6_hdr *); 1137 else { 1138 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); 1139 ip6 = &ip6buf; 1140 } 1141 1142 sin6 = (struct sockaddr_in6 *)&spidx->src; 1143 bzero(sin6, sizeof(*sin6)); 1144 sin6->sin6_family = AF_INET6; 1145 sin6->sin6_len = sizeof(struct sockaddr_in6); 1146 in6_recoverscope(sin6, &ip6->ip6_src, NULL); 1147 spidx->prefs = sizeof(struct in6_addr) << 3; 1148 1149 sin6 = (struct sockaddr_in6 *)&spidx->dst; 1150 bzero(sin6, sizeof(*sin6)); 1151 sin6->sin6_family = AF_INET6; 1152 sin6->sin6_len = sizeof(struct sockaddr_in6); 1153 in6_recoverscope(sin6, &ip6->ip6_dst, NULL); 1154 spidx->prefd = sizeof(struct in6_addr) << 3; 1155 1156 return 0; 1157 } 1158 #endif 1159 1160 static struct inpcbpolicy * 1161 ipsec_newpcbpolicy() 1162 { 1163 struct inpcbpolicy *p; 1164 1165 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT); 1166 return p; 1167 } 1168 1169 static void 1170 ipsec_delpcbpolicy(p) 1171 struct inpcbpolicy *p; 1172 { 1173 1174 free(p, M_SECA); 1175 } 1176 1177 /* initialize policy in PCB */ 1178 int 1179 ipsec_init_pcbpolicy(so, pcb_sp) 1180 struct socket *so; 1181 struct inpcbpolicy **pcb_sp; 1182 { 1183 struct inpcbpolicy *new; 1184 static int initialized = 0; 1185 static struct secpolicy *in = NULL, *out = NULL; 1186 1187 /* sanity check. */ 1188 if (so == NULL || pcb_sp == NULL) 1189 panic("ipsec_init_pcbpolicy: NULL pointer was passed."); 1190 1191 if (!initialized) { 1192 if ((in = key_newsp(0)) == NULL) 1193 return ENOBUFS; 1194 if ((out = key_newsp(0)) == NULL) { 1195 key_freesp(in); 1196 in = NULL; 1197 return ENOBUFS; 1198 } 1199 1200 in->state = IPSEC_SPSTATE_ALIVE; 1201 in->policy = IPSEC_POLICY_ENTRUST; 1202 in->dir = IPSEC_DIR_INBOUND; 1203 in->readonly = 1; 1204 in->persist = 1; 1205 in->so = NULL; 1206 1207 out->state = IPSEC_SPSTATE_ALIVE; 1208 out->policy = IPSEC_POLICY_ENTRUST; 1209 out->dir = IPSEC_DIR_OUTBOUND; 1210 out->readonly = 1; 1211 out->persist = 1; 1212 out->so = NULL; 1213 1214 initialized++; 1215 } 1216 1217 new = ipsec_newpcbpolicy(); 1218 if (new == NULL) { 1219 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n")); 1220 return ENOBUFS; 1221 } 1222 bzero(new, sizeof(*new)); 1223 1224 if (so->so_cred != 0 && so->so_cred->cr_uid == 0) 1225 new->priv = 1; 1226 else 1227 new->priv = 0; 1228 1229 new->sp_in = in; 1230 new->sp_in->refcnt++; 1231 new->sp_out = out; 1232 new->sp_out->refcnt++; 1233 1234 *pcb_sp = new; 1235 1236 return 0; 1237 } 1238 1239 /* copy old ipsec policy into new */ 1240 int 1241 ipsec_copy_pcbpolicy(old, new) 1242 struct inpcbpolicy *old, *new; 1243 { 1244 1245 if (new->sp_in) 1246 key_freesp(new->sp_in); 1247 if (old->sp_in->policy == IPSEC_POLICY_IPSEC) 1248 new->sp_in = ipsec_deepcopy_policy(old->sp_in); 1249 else { 1250 new->sp_in = old->sp_in; 1251 new->sp_in->refcnt++; 1252 } 1253 1254 if (new->sp_out) 1255 key_freesp(new->sp_out); 1256 if (old->sp_out->policy == IPSEC_POLICY_IPSEC) 1257 new->sp_out = ipsec_deepcopy_policy(old->sp_out); 1258 else { 1259 new->sp_out = old->sp_out; 1260 new->sp_out->refcnt++; 1261 } 1262 1263 new->priv = old->priv; 1264 1265 return 0; 1266 } 1267 1268 #if 0 1269 static int 1270 ipsec_deepcopy_pcbpolicy(pcb_sp) 1271 struct inpcbpolicy *pcb_sp; 1272 { 1273 struct secpolicy *sp; 1274 1275 sp = ipsec_deepcopy_policy(pcb_sp->sp_in); 1276 if (sp) { 1277 key_freesp(pcb_sp->sp_in); 1278 pcb_sp->sp_in = sp; 1279 } else 1280 return ENOBUFS; 1281 1282 sp = ipsec_deepcopy_policy(pcb_sp->sp_out); 1283 if (sp) { 1284 key_freesp(pcb_sp->sp_out); 1285 pcb_sp->sp_out = sp; 1286 } else 1287 return ENOBUFS; 1288 1289 return 0; 1290 } 1291 #endif 1292 1293 /* deep-copy a policy in PCB */ 1294 static struct secpolicy * 1295 ipsec_deepcopy_policy(src) 1296 struct secpolicy *src; 1297 { 1298 struct ipsecrequest *newchain = NULL; 1299 struct ipsecrequest *p; 1300 struct ipsecrequest **q; 1301 struct ipsecrequest *r; 1302 struct secpolicy *dst; 1303 1304 if (src == NULL) 1305 return NULL; 1306 1307 dst = key_newsp(0); 1308 if (dst == NULL) 1309 return NULL; 1310 1311 /* 1312 * deep-copy IPsec request chain. This is required since struct 1313 * ipsecrequest is not reference counted. 1314 */ 1315 q = &newchain; 1316 for (p = src->req; p; p = p->next) { 1317 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest), 1318 M_SECA, M_NOWAIT); 1319 if (*q == NULL) 1320 goto fail; 1321 bzero(*q, sizeof(**q)); 1322 (*q)->next = NULL; 1323 1324 (*q)->saidx.proto = p->saidx.proto; 1325 (*q)->saidx.mode = p->saidx.mode; 1326 (*q)->level = p->level; 1327 (*q)->saidx.reqid = p->saidx.reqid; 1328 1329 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src)); 1330 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst)); 1331 1332 (*q)->sav = NULL; 1333 (*q)->sp = dst; 1334 1335 q = &((*q)->next); 1336 } 1337 1338 if (src->spidx) 1339 if (keydb_setsecpolicyindex(dst, src->spidx) != 0) 1340 goto fail; 1341 1342 dst->req = newchain; 1343 dst->state = src->state; 1344 dst->policy = src->policy; 1345 dst->dir = src->dir; 1346 dst->so = src->so; 1347 /* do not touch the refcnt fields */ 1348 1349 return dst; 1350 1351 fail: 1352 for (p = newchain; p; p = r) { 1353 r = p->next; 1354 free(p, M_SECA); 1355 p = NULL; 1356 } 1357 key_freesp(dst); 1358 return NULL; 1359 } 1360 1361 /* set policy and ipsec request if present. */ 1362 static int 1363 ipsec_set_policy(spp, optname, request, len, priv) 1364 struct secpolicy **spp; 1365 int optname; 1366 caddr_t request; 1367 size_t len; 1368 int priv; 1369 { 1370 struct sadb_x_policy *xpl; 1371 struct secpolicy *newsp = NULL; 1372 int error; 1373 1374 /* sanity check. */ 1375 if (spp == NULL || *spp == NULL || request == NULL) 1376 return EINVAL; 1377 if (len < sizeof(*xpl)) 1378 return EINVAL; 1379 xpl = (struct sadb_x_policy *)request; 1380 1381 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1382 printf("ipsec_set_policy: passed policy\n"); 1383 kdebug_sadb_x_policy((struct sadb_ext *)xpl)); 1384 1385 /* check policy type */ 1386 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ 1387 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD || 1388 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) 1389 return EINVAL; 1390 1391 /* check privileged socket */ 1392 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) 1393 return EACCES; 1394 1395 /* allocation new SP entry */ 1396 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) 1397 return error; 1398 1399 newsp->state = IPSEC_SPSTATE_ALIVE; 1400 1401 /* clear old SP and set new SP */ 1402 key_freesp(*spp); 1403 *spp = newsp; 1404 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1405 printf("ipsec_set_policy: new policy\n"); 1406 kdebug_secpolicy(newsp)); 1407 1408 return 0; 1409 } 1410 1411 static int 1412 ipsec_get_policy(sp, mp) 1413 struct secpolicy *sp; 1414 struct mbuf **mp; 1415 { 1416 1417 /* sanity check. */ 1418 if (sp == NULL || mp == NULL) 1419 return EINVAL; 1420 1421 *mp = key_sp2msg(sp); 1422 if (!*mp) { 1423 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n")); 1424 return ENOBUFS; 1425 } 1426 1427 (*mp)->m_type = MT_DATA; 1428 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1429 printf("ipsec_get_policy:\n"); 1430 kdebug_mbuf(*mp)); 1431 1432 return 0; 1433 } 1434 1435 int 1436 ipsec4_set_policy(inp, optname, request, len, priv) 1437 struct inpcb *inp; 1438 int optname; 1439 caddr_t request; 1440 size_t len; 1441 int priv; 1442 { 1443 struct sadb_x_policy *xpl; 1444 struct secpolicy **spp; 1445 1446 /* sanity check. */ 1447 if (inp == NULL || request == NULL) 1448 return EINVAL; 1449 if (len < sizeof(*xpl)) 1450 return EINVAL; 1451 xpl = (struct sadb_x_policy *)request; 1452 1453 /* select direction */ 1454 switch (xpl->sadb_x_policy_dir) { 1455 case IPSEC_DIR_INBOUND: 1456 spp = &inp->inp_sp->sp_in; 1457 break; 1458 case IPSEC_DIR_OUTBOUND: 1459 spp = &inp->inp_sp->sp_out; 1460 break; 1461 default: 1462 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", 1463 xpl->sadb_x_policy_dir)); 1464 return EINVAL; 1465 } 1466 1467 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1468 return ipsec_set_policy(spp, optname, request, len, priv); 1469 } 1470 1471 int 1472 ipsec4_get_policy(inp, request, len, mp) 1473 struct inpcb *inp; 1474 caddr_t request; 1475 size_t len; 1476 struct mbuf **mp; 1477 { 1478 struct sadb_x_policy *xpl; 1479 struct secpolicy *sp; 1480 1481 /* sanity check. */ 1482 if (inp == NULL || request == NULL || mp == NULL) 1483 return EINVAL; 1484 if (inp->inp_sp == NULL) 1485 panic("policy in PCB is NULL"); 1486 if (len < sizeof(*xpl)) 1487 return EINVAL; 1488 xpl = (struct sadb_x_policy *)request; 1489 1490 /* select direction */ 1491 switch (xpl->sadb_x_policy_dir) { 1492 case IPSEC_DIR_INBOUND: 1493 sp = inp->inp_sp->sp_in; 1494 break; 1495 case IPSEC_DIR_OUTBOUND: 1496 sp = inp->inp_sp->sp_out; 1497 break; 1498 default: 1499 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n", 1500 xpl->sadb_x_policy_dir)); 1501 return EINVAL; 1502 } 1503 1504 return ipsec_get_policy(sp, mp); 1505 } 1506 1507 /* delete policy in PCB */ 1508 int 1509 ipsec4_delete_pcbpolicy(inp) 1510 struct inpcb *inp; 1511 { 1512 /* sanity check. */ 1513 if (inp == NULL) 1514 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed."); 1515 1516 if (inp->inp_sp == NULL) 1517 return 0; 1518 1519 if (inp->inp_sp->sp_in != NULL) { 1520 key_freesp(inp->inp_sp->sp_in); 1521 inp->inp_sp->sp_in = NULL; 1522 } 1523 1524 if (inp->inp_sp->sp_out != NULL) { 1525 key_freesp(inp->inp_sp->sp_out); 1526 inp->inp_sp->sp_out = NULL; 1527 } 1528 1529 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1530 1531 ipsec_delpcbpolicy(inp->inp_sp); 1532 inp->inp_sp = NULL; 1533 1534 return 0; 1535 } 1536 1537 #ifdef INET6 1538 int 1539 ipsec6_set_policy(in6p, optname, request, len, priv) 1540 struct in6pcb *in6p; 1541 int optname; 1542 caddr_t request; 1543 size_t len; 1544 int priv; 1545 { 1546 struct sadb_x_policy *xpl; 1547 struct secpolicy **spp; 1548 1549 /* sanity check. */ 1550 if (in6p == NULL || request == NULL) 1551 return EINVAL; 1552 if (len < sizeof(*xpl)) 1553 return EINVAL; 1554 xpl = (struct sadb_x_policy *)request; 1555 1556 /* select direction */ 1557 switch (xpl->sadb_x_policy_dir) { 1558 case IPSEC_DIR_INBOUND: 1559 spp = &in6p->in6p_sp->sp_in; 1560 break; 1561 case IPSEC_DIR_OUTBOUND: 1562 spp = &in6p->in6p_sp->sp_out; 1563 break; 1564 default: 1565 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", 1566 xpl->sadb_x_policy_dir)); 1567 return EINVAL; 1568 } 1569 1570 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1571 return ipsec_set_policy(spp, optname, request, len, priv); 1572 } 1573 1574 int 1575 ipsec6_get_policy(in6p, request, len, mp) 1576 struct in6pcb *in6p; 1577 caddr_t request; 1578 size_t len; 1579 struct mbuf **mp; 1580 { 1581 struct sadb_x_policy *xpl; 1582 struct secpolicy *sp; 1583 1584 /* sanity check. */ 1585 if (in6p == NULL || request == NULL || mp == NULL) 1586 return EINVAL; 1587 if (in6p->in6p_sp == NULL) 1588 panic("policy in PCB is NULL"); 1589 if (len < sizeof(*xpl)) 1590 return EINVAL; 1591 xpl = (struct sadb_x_policy *)request; 1592 1593 /* select direction */ 1594 switch (xpl->sadb_x_policy_dir) { 1595 case IPSEC_DIR_INBOUND: 1596 sp = in6p->in6p_sp->sp_in; 1597 break; 1598 case IPSEC_DIR_OUTBOUND: 1599 sp = in6p->in6p_sp->sp_out; 1600 break; 1601 default: 1602 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n", 1603 xpl->sadb_x_policy_dir)); 1604 return EINVAL; 1605 } 1606 1607 return ipsec_get_policy(sp, mp); 1608 } 1609 1610 int 1611 ipsec6_delete_pcbpolicy(in6p) 1612 struct in6pcb *in6p; 1613 { 1614 /* sanity check. */ 1615 if (in6p == NULL) 1616 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed."); 1617 1618 if (in6p->in6p_sp == NULL) 1619 return 0; 1620 1621 if (in6p->in6p_sp->sp_in != NULL) { 1622 key_freesp(in6p->in6p_sp->sp_in); 1623 in6p->in6p_sp->sp_in = NULL; 1624 } 1625 1626 if (in6p->in6p_sp->sp_out != NULL) { 1627 key_freesp(in6p->in6p_sp->sp_out); 1628 in6p->in6p_sp->sp_out = NULL; 1629 } 1630 1631 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1632 1633 ipsec_delpcbpolicy(in6p->in6p_sp); 1634 in6p->in6p_sp = NULL; 1635 1636 return 0; 1637 } 1638 #endif 1639 1640 /* 1641 * return current level. 1642 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 1643 */ 1644 u_int 1645 ipsec_get_reqlevel(isr, af) 1646 struct ipsecrequest *isr; 1647 int af; 1648 { 1649 u_int level = 0; 1650 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev; 1651 1652 /* sanity check */ 1653 if (isr == NULL || isr->sp == NULL) 1654 panic("ipsec_get_reqlevel: NULL pointer is passed."); 1655 1656 /* set default level */ 1657 switch (af) { 1658 #ifdef INET 1659 case AF_INET: 1660 esp_trans_deflev = ip4_esp_trans_deflev; 1661 esp_net_deflev = ip4_esp_net_deflev; 1662 ah_trans_deflev = ip4_ah_trans_deflev; 1663 ah_net_deflev = ip4_ah_net_deflev; 1664 break; 1665 #endif 1666 #ifdef INET6 1667 case AF_INET6: 1668 esp_trans_deflev = ip6_esp_trans_deflev; 1669 esp_net_deflev = ip6_esp_net_deflev; 1670 ah_trans_deflev = ip6_ah_trans_deflev; 1671 ah_net_deflev = ip6_ah_net_deflev; 1672 break; 1673 #endif /* INET6 */ 1674 default: 1675 panic("key_get_reqlevel: Unknown family. %d", 1676 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family); 1677 } 1678 1679 /* set level */ 1680 switch (isr->level) { 1681 case IPSEC_LEVEL_DEFAULT: 1682 switch (isr->saidx.proto) { 1683 case IPPROTO_ESP: 1684 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1685 level = esp_net_deflev; 1686 else 1687 level = esp_trans_deflev; 1688 break; 1689 case IPPROTO_AH: 1690 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1691 level = ah_net_deflev; 1692 else 1693 level = ah_trans_deflev; 1694 case IPPROTO_IPCOMP: 1695 /* 1696 * we don't really care, as IPcomp document says that 1697 * we shouldn't compress small packets 1698 */ 1699 level = IPSEC_LEVEL_USE; 1700 break; 1701 default: 1702 panic("ipsec_get_reqlevel: " 1703 "Illegal protocol defined %u\n", 1704 isr->saidx.proto); 1705 } 1706 break; 1707 1708 case IPSEC_LEVEL_USE: 1709 case IPSEC_LEVEL_REQUIRE: 1710 level = isr->level; 1711 break; 1712 case IPSEC_LEVEL_UNIQUE: 1713 level = IPSEC_LEVEL_REQUIRE; 1714 break; 1715 1716 default: 1717 panic("ipsec_get_reqlevel: Illegal IPsec level %u", 1718 isr->level); 1719 } 1720 1721 return level; 1722 } 1723 1724 /* 1725 * Check AH/ESP integrity. 1726 * OUT: 1727 * 0: valid 1728 * 1: invalid 1729 */ 1730 static int 1731 ipsec_in_reject(sp, m) 1732 struct secpolicy *sp; 1733 struct mbuf *m; 1734 { 1735 struct ipsecrequest *isr; 1736 u_int level; 1737 int need_auth, need_conf, need_icv; 1738 1739 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1740 printf("ipsec_in_reject: using SP\n"); 1741 kdebug_secpolicy(sp)); 1742 1743 /* check policy */ 1744 switch (sp->policy) { 1745 case IPSEC_POLICY_DISCARD: 1746 return 1; 1747 case IPSEC_POLICY_BYPASS: 1748 case IPSEC_POLICY_NONE: 1749 return 0; 1750 1751 case IPSEC_POLICY_IPSEC: 1752 break; 1753 1754 case IPSEC_POLICY_ENTRUST: 1755 default: 1756 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy); 1757 } 1758 1759 need_auth = 0; 1760 need_conf = 0; 1761 need_icv = 0; 1762 1763 /* XXX should compare policy against ipsec header history */ 1764 1765 for (isr = sp->req; isr != NULL; isr = isr->next) { 1766 /* get current level */ 1767 level = ipsec_get_reqlevel(isr, AF_INET); 1768 1769 switch (isr->saidx.proto) { 1770 case IPPROTO_ESP: 1771 if (level == IPSEC_LEVEL_REQUIRE) { 1772 need_conf++; 1773 1774 if (isr->sav != NULL 1775 && isr->sav->flags == SADB_X_EXT_NONE 1776 && isr->sav->alg_auth != SADB_AALG_NONE) 1777 need_icv++; 1778 } 1779 break; 1780 case IPPROTO_AH: 1781 if (level == IPSEC_LEVEL_REQUIRE) { 1782 need_auth++; 1783 need_icv++; 1784 } 1785 break; 1786 case IPPROTO_IPCOMP: 1787 /* 1788 * we don't really care, as IPcomp document says that 1789 * we shouldn't compress small packets, IPComp policy 1790 * should always be treated as being in "use" level. 1791 */ 1792 break; 1793 } 1794 } 1795 1796 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1797 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n", 1798 need_auth, need_conf, need_icv, m->m_flags)); 1799 1800 if ((need_conf && !(m->m_flags & M_DECRYPTED)) 1801 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM)) 1802 || (need_auth && !(m->m_flags & M_AUTHIPHDR))) 1803 return 1; 1804 1805 return 0; 1806 } 1807 1808 /* 1809 * Check AH/ESP integrity. 1810 * This function is called from tcp_input(), udp_input(), 1811 * and {ah,esp}4_input for tunnel mode 1812 */ 1813 int 1814 ipsec4_in_reject(m, inp) 1815 struct mbuf *m; 1816 struct inpcb *inp; 1817 { 1818 struct secpolicy *sp = NULL; 1819 int error; 1820 int result; 1821 1822 /* sanity check */ 1823 if (m == NULL) 1824 return 0; /* XXX should be panic ? */ 1825 1826 /* get SP for this packet. 1827 * When we are called from ip_forward(), we call 1828 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 1829 */ 1830 if (inp == NULL) 1831 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 1832 IP_FORWARDING, &error); 1833 else 1834 sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error); 1835 1836 /* XXX should be panic ? -> No, there may be error. */ 1837 if (sp == NULL) 1838 return 0; 1839 1840 result = ipsec_in_reject(sp, m); 1841 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1842 printf("DP ipsec4_in_reject call free SP:%p\n", sp)); 1843 key_freesp(sp); 1844 1845 return result; 1846 } 1847 1848 #ifdef INET6 1849 /* 1850 * Check AH/ESP integrity. 1851 * This function is called from tcp6_input(), udp6_input(), 1852 * and {ah,esp}6_input for tunnel mode 1853 */ 1854 int 1855 ipsec6_in_reject(m, in6p) 1856 struct mbuf *m; 1857 struct in6pcb *in6p; 1858 { 1859 struct secpolicy *sp = NULL; 1860 int error; 1861 int result; 1862 1863 /* sanity check */ 1864 if (m == NULL) 1865 return 0; /* XXX should be panic ? */ 1866 1867 /* get SP for this packet. 1868 * When we are called from ip_forward(), we call 1869 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. 1870 */ 1871 if (in6p == NULL) 1872 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 1873 IP_FORWARDING, &error); 1874 else 1875 sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error); 1876 1877 if (sp == NULL) 1878 return 0; /* XXX should be panic ? */ 1879 1880 result = ipsec_in_reject(sp, m); 1881 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1882 printf("DP ipsec6_in_reject call free SP:%p\n", sp)); 1883 key_freesp(sp); 1884 1885 return result; 1886 } 1887 #endif 1888 1889 /* 1890 * compute the byte size to be occupied by IPsec header. 1891 * in case it is tunneled, it includes the size of outer IP header. 1892 * NOTE: SP passed is free in this function. 1893 */ 1894 static size_t 1895 ipsec_hdrsiz(sp) 1896 struct secpolicy *sp; 1897 { 1898 struct ipsecrequest *isr; 1899 size_t siz, clen; 1900 1901 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1902 printf("ipsec_hdrsiz: using SP\n"); 1903 kdebug_secpolicy(sp)); 1904 1905 /* check policy */ 1906 switch (sp->policy) { 1907 case IPSEC_POLICY_DISCARD: 1908 case IPSEC_POLICY_BYPASS: 1909 case IPSEC_POLICY_NONE: 1910 return 0; 1911 1912 case IPSEC_POLICY_IPSEC: 1913 break; 1914 1915 case IPSEC_POLICY_ENTRUST: 1916 default: 1917 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy); 1918 } 1919 1920 siz = 0; 1921 1922 for (isr = sp->req; isr != NULL; isr = isr->next) { 1923 1924 clen = 0; 1925 1926 switch (isr->saidx.proto) { 1927 case IPPROTO_ESP: 1928 #ifdef IPSEC_ESP 1929 clen = esp_hdrsiz(isr); 1930 #else 1931 clen = 0; /* XXX */ 1932 #endif 1933 break; 1934 case IPPROTO_AH: 1935 clen = ah_hdrsiz(isr); 1936 break; 1937 case IPPROTO_IPCOMP: 1938 clen = sizeof(struct ipcomp); 1939 break; 1940 } 1941 1942 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 1943 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) { 1944 case AF_INET: 1945 clen += sizeof(struct ip); 1946 break; 1947 #ifdef INET6 1948 case AF_INET6: 1949 clen += sizeof(struct ip6_hdr); 1950 break; 1951 #endif 1952 default: 1953 ipseclog((LOG_ERR, "ipsec_hdrsiz: " 1954 "unknown AF %d in IPsec tunnel SA\n", 1955 ((struct sockaddr *)&isr->saidx.dst)->sa_family)); 1956 break; 1957 } 1958 } 1959 siz += clen; 1960 } 1961 1962 return siz; 1963 } 1964 1965 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ 1966 size_t 1967 ipsec4_hdrsiz(m, dir, inp) 1968 struct mbuf *m; 1969 u_int dir; 1970 struct inpcb *inp; 1971 { 1972 struct secpolicy *sp = NULL; 1973 int error; 1974 size_t size; 1975 1976 /* sanity check */ 1977 if (m == NULL) 1978 return 0; /* XXX should be panic ? */ 1979 #if 0 1980 /* this is possible in TIME_WAIT state */ 1981 if (inp != NULL && inp->inp_socket == NULL) 1982 panic("ipsec4_hdrsize: why is socket NULL but there is PCB."); 1983 #endif 1984 1985 /* get SP for this packet. 1986 * When we are called from ip_forward(), we call 1987 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 1988 */ 1989 if (inp == NULL) 1990 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 1991 else 1992 sp = ipsec4_getpolicybypcb(m, dir, inp, &error); 1993 1994 if (sp == NULL) 1995 return 0; /* XXX should be panic ? */ 1996 1997 size = ipsec_hdrsiz(sp); 1998 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1999 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp)); 2000 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2001 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size)); 2002 key_freesp(sp); 2003 2004 return size; 2005 } 2006 2007 #ifdef INET6 2008 /* This function is called from ipsec6_hdrsize_tcp(), 2009 * and maybe from ip6_forward.() 2010 */ 2011 size_t 2012 ipsec6_hdrsiz(m, dir, in6p) 2013 struct mbuf *m; 2014 u_int dir; 2015 struct in6pcb *in6p; 2016 { 2017 struct secpolicy *sp = NULL; 2018 int error; 2019 size_t size; 2020 2021 /* sanity check */ 2022 if (m == NULL) 2023 return 0; /* XXX should be panic ? */ 2024 #if 0 2025 /* this is possible in TIME_WAIT state */ 2026 if (in6p != NULL && in6p->in6p_socket == NULL) 2027 panic("ipsec6_hdrsize: why is socket NULL but there is PCB."); 2028 #endif 2029 2030 /* get SP for this packet */ 2031 /* XXX Is it right to call with IP_FORWARDING. */ 2032 if (in6p == NULL) 2033 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2034 else 2035 sp = ipsec6_getpolicybypcb(m, dir, in6p, &error); 2036 2037 if (sp == NULL) 2038 return 0; 2039 size = ipsec_hdrsiz(sp); 2040 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2041 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp)); 2042 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2043 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size)); 2044 key_freesp(sp); 2045 2046 return size; 2047 } 2048 #endif /* INET6 */ 2049 2050 #ifdef INET 2051 /* 2052 * encapsulate for ipsec tunnel. 2053 * ip->ip_src must be fixed later on. 2054 */ 2055 static int 2056 ipsec4_encapsulate(m, sav) 2057 struct mbuf *m; 2058 struct secasvar *sav; 2059 { 2060 struct ip *oip; 2061 struct ip *ip; 2062 size_t hlen; 2063 size_t plen; 2064 2065 /* can't tunnel between different AFs */ 2066 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2067 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2068 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2069 m_freem(m); 2070 return EINVAL; 2071 } 2072 #if 0 2073 /* XXX if the dst is myself, perform nothing. */ 2074 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2075 m_freem(m); 2076 return EINVAL; 2077 } 2078 #endif 2079 2080 if (m->m_len < sizeof(*ip)) 2081 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2082 2083 ip = mtod(m, struct ip *); 2084 #ifdef _IP_VHL 2085 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 2086 #else 2087 hlen = ip->ip_hl << 2; 2088 #endif 2089 2090 if (m->m_len != hlen) 2091 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2092 2093 /* generate header checksum */ 2094 ip->ip_sum = 0; 2095 #ifdef _IP_VHL 2096 if (ip->ip_vhl == IP_VHL_BORING) 2097 ip->ip_sum = in_cksum_hdr(ip); 2098 else 2099 ip->ip_sum = in_cksum(m, hlen); 2100 #else 2101 ip->ip_sum = in_cksum(m, hlen); 2102 #endif 2103 2104 plen = m->m_pkthdr.len; 2105 2106 /* 2107 * grow the mbuf to accomodate the new IPv4 header. 2108 * NOTE: IPv4 options will never be copied. 2109 */ 2110 if (M_LEADINGSPACE(m->m_next) < hlen) { 2111 struct mbuf *n; 2112 MGET(n, M_DONTWAIT, MT_DATA); 2113 if (!n) { 2114 m_freem(m); 2115 return ENOBUFS; 2116 } 2117 n->m_len = hlen; 2118 n->m_next = m->m_next; 2119 m->m_next = n; 2120 m->m_pkthdr.len += hlen; 2121 oip = mtod(n, struct ip *); 2122 } else { 2123 m->m_next->m_len += hlen; 2124 m->m_next->m_data -= hlen; 2125 m->m_pkthdr.len += hlen; 2126 oip = mtod(m->m_next, struct ip *); 2127 } 2128 ip = mtod(m, struct ip *); 2129 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen); 2130 m->m_len = sizeof(struct ip); 2131 m->m_pkthdr.len -= (hlen - sizeof(struct ip)); 2132 2133 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2134 /* ECN consideration. */ 2135 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2136 #ifdef _IP_VHL 2137 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2); 2138 #else 2139 ip->ip_hl = sizeof(struct ip) >> 2; 2140 #endif 2141 ip->ip_off &= htons(~IP_OFFMASK); 2142 ip->ip_off &= htons(~IP_MF); 2143 switch (ip4_ipsec_dfbit) { 2144 case 0: /* clear DF bit */ 2145 ip->ip_off &= htons(~IP_DF); 2146 break; 2147 case 1: /* set DF bit */ 2148 ip->ip_off |= htons(IP_DF); 2149 break; 2150 default: /* copy DF bit */ 2151 break; 2152 } 2153 ip->ip_p = IPPROTO_IPIP; 2154 if (plen + sizeof(struct ip) < IP_MAXPACKET) 2155 ip->ip_len = htons(plen + sizeof(struct ip)); 2156 else { 2157 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2158 "leave ip_len as is (invalid packet)\n")); 2159 } 2160 ip->ip_id = ip_newid(); 2161 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2162 &ip->ip_src, sizeof(ip->ip_src)); 2163 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2164 &ip->ip_dst, sizeof(ip->ip_dst)); 2165 ip->ip_ttl = IPDEFTTL; 2166 2167 /* XXX Should ip_src be updated later ? */ 2168 2169 return 0; 2170 } 2171 #endif /* INET */ 2172 2173 #ifdef INET6 2174 static int 2175 ipsec6_encapsulate(m, sav) 2176 struct mbuf *m; 2177 struct secasvar *sav; 2178 { 2179 struct ip6_hdr *oip6; 2180 struct ip6_hdr *ip6; 2181 size_t plen; 2182 2183 /* can't tunnel between different AFs */ 2184 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2185 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2186 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { 2187 m_freem(m); 2188 return EINVAL; 2189 } 2190 #if 0 2191 /* XXX if the dst is myself, perform nothing. */ 2192 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2193 m_freem(m); 2194 return EINVAL; 2195 } 2196 #endif 2197 2198 plen = m->m_pkthdr.len; 2199 2200 /* 2201 * grow the mbuf to accomodate the new IPv6 header. 2202 */ 2203 if (m->m_len != sizeof(struct ip6_hdr)) 2204 panic("ipsec6_encapsulate: assumption failed (first mbuf length)"); 2205 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { 2206 struct mbuf *n; 2207 MGET(n, M_DONTWAIT, MT_DATA); 2208 if (!n) { 2209 m_freem(m); 2210 return ENOBUFS; 2211 } 2212 n->m_len = sizeof(struct ip6_hdr); 2213 n->m_next = m->m_next; 2214 m->m_next = n; 2215 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2216 oip6 = mtod(n, struct ip6_hdr *); 2217 } else { 2218 m->m_next->m_len += sizeof(struct ip6_hdr); 2219 m->m_next->m_data -= sizeof(struct ip6_hdr); 2220 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2221 oip6 = mtod(m->m_next, struct ip6_hdr *); 2222 } 2223 ip6 = mtod(m, struct ip6_hdr *); 2224 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr)); 2225 2226 /* XXX: Fake scoped addresses */ 2227 in6_clearscope(&oip6->ip6_src); 2228 in6_clearscope(&oip6->ip6_dst); 2229 2230 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ 2231 /* ECN consideration. */ 2232 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow); 2233 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) 2234 ip6->ip6_plen = htons(plen); 2235 else { 2236 /* ip6->ip6_plen will be updated in ip6_output() */ 2237 } 2238 ip6->ip6_nxt = IPPROTO_IPV6; 2239 in6_embedscope(&ip6->ip6_src, 2240 (struct sockaddr_in6 *)&sav->sah->saidx.src, NULL, NULL); 2241 in6_embedscope(&ip6->ip6_dst, 2242 (struct sockaddr_in6 *)&sav->sah->saidx.dst, NULL, NULL); 2243 ip6->ip6_hlim = IPV6_DEFHLIM; 2244 2245 /* XXX Should ip6_src be updated later ? */ 2246 2247 return 0; 2248 } 2249 #endif /* INET6 */ 2250 2251 /* 2252 * Check the variable replay window. 2253 * ipsec_chkreplay() performs replay check before ICV verification. 2254 * ipsec_updatereplay() updates replay bitmap. This must be called after 2255 * ICV verification (it also performs replay check, which is usually done 2256 * beforehand). 2257 * 0 (zero) is returned if packet disallowed, 1 if packet permitted. 2258 * 2259 * based on RFC 2401. 2260 * 2261 * XXX need to update for 64bit sequence number - 2401bis 2262 */ 2263 int 2264 ipsec_chkreplay(seq, sav) 2265 u_int32_t seq; 2266 struct secasvar *sav; 2267 { 2268 const struct secreplay *replay; 2269 u_int32_t diff; 2270 int fr; 2271 u_int32_t wsizeb; /* constant: bits of window size */ 2272 int frlast; /* constant: last frame */ 2273 2274 /* sanity check */ 2275 if (sav == NULL) 2276 panic("ipsec_chkreplay: NULL pointer was passed."); 2277 2278 replay = sav->replay; 2279 2280 if (replay->wsize == 0) 2281 return 1; /* no need to check replay. */ 2282 2283 /* constant */ 2284 frlast = replay->wsize - 1; 2285 wsizeb = replay->wsize << 3; 2286 2287 /* sequence number of 0 is invalid */ 2288 if (seq == 0) 2289 return 0; 2290 2291 /* first time is always okay */ 2292 if (replay->count == 0) 2293 return 1; 2294 2295 if (seq > replay->lastseq) { 2296 /* larger sequences are okay */ 2297 return 1; 2298 } else { 2299 /* seq is equal or less than lastseq. */ 2300 diff = replay->lastseq - seq; 2301 2302 /* over range to check, i.e. too old or wrapped */ 2303 if (diff >= wsizeb) 2304 return 0; 2305 2306 fr = frlast - diff / 8; 2307 2308 /* this packet already seen ? */ 2309 if (replay->bitmap[fr] & (1 << (diff % 8))) 2310 return 0; 2311 2312 /* out of order but good */ 2313 return 1; 2314 } 2315 } 2316 2317 /* 2318 * check replay counter whether to update or not. 2319 * OUT: 0: OK 2320 * 1: NG 2321 * XXX need to update for 64bit sequence number - 2401bis 2322 */ 2323 int 2324 ipsec_updatereplay(seq, sav) 2325 u_int32_t seq; 2326 struct secasvar *sav; 2327 { 2328 struct secreplay *replay; 2329 u_int64_t diff; 2330 int fr; 2331 u_int32_t wsizeb; /* constant: bits of window size */ 2332 int frlast; /* constant: last frame */ 2333 2334 /* sanity check */ 2335 if (sav == NULL) 2336 panic("ipsec_chkreplay: NULL pointer was passed."); 2337 2338 replay = sav->replay; 2339 2340 if (replay->wsize == 0) 2341 goto ok; /* no need to check replay. */ 2342 2343 /* constant */ 2344 frlast = replay->wsize - 1; 2345 wsizeb = replay->wsize << 3; 2346 2347 /* sequence number of 0 is invalid */ 2348 if (seq == 0) 2349 return 1; 2350 2351 /* first time */ 2352 if (replay->count == 0) { 2353 replay->lastseq = seq; 2354 bzero(replay->bitmap, replay->wsize); 2355 replay->bitmap[frlast] = 1; 2356 goto ok; 2357 } 2358 2359 if (seq > replay->lastseq) { 2360 /* seq is larger than lastseq. */ 2361 diff = seq - replay->lastseq; 2362 2363 /* new larger sequence number */ 2364 if (diff < wsizeb) { 2365 /* In window */ 2366 /* set bit for this packet */ 2367 vshiftl(replay->bitmap, diff, replay->wsize); 2368 replay->bitmap[frlast] |= 1; 2369 } else { 2370 /* this packet has a "way larger" */ 2371 bzero(replay->bitmap, replay->wsize); 2372 replay->bitmap[frlast] = 1; 2373 } 2374 replay->lastseq = seq; 2375 2376 /* larger is good */ 2377 } else { 2378 /* seq is equal or less than lastseq. */ 2379 diff = replay->lastseq - seq; 2380 2381 /* over range to check, i.e. too old or wrapped */ 2382 if (diff >= wsizeb) 2383 return 1; 2384 2385 fr = frlast - diff / 8; 2386 2387 /* this packet already seen ? */ 2388 if (replay->bitmap[fr] & (1 << (diff % 8))) 2389 return 1; 2390 2391 /* mark as seen */ 2392 replay->bitmap[fr] |= (1 << (diff % 8)); 2393 2394 /* out of order but good */ 2395 } 2396 2397 ok: 2398 if (replay->count == 0xffffffff) { 2399 2400 /* set overflow flag */ 2401 replay->overflow++; 2402 2403 /* don't increment, no more packets accepted */ 2404 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) 2405 return 1; 2406 2407 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n", 2408 replay->overflow, ipsec_logsastr(sav))); 2409 } 2410 2411 replay->count++; 2412 2413 return 0; 2414 } 2415 2416 /* 2417 * shift variable length buffer to left. 2418 * IN: bitmap: pointer to the buffer 2419 * nbit: the number of to shift. 2420 * wsize: buffer size (bytes). 2421 */ 2422 static void 2423 vshiftl(bitmap, nbit, wsize) 2424 unsigned char *bitmap; 2425 int nbit, wsize; 2426 { 2427 int s, j, i; 2428 unsigned char over; 2429 2430 for (j = 0; j < nbit; j += 8) { 2431 s = (nbit - j < 8) ? (nbit - j): 8; 2432 bitmap[0] <<= s; 2433 for (i = 1; i < wsize; i++) { 2434 over = (bitmap[i] >> (8 - s)); 2435 bitmap[i] <<= s; 2436 bitmap[i - 1] |= over; 2437 } 2438 } 2439 2440 return; 2441 } 2442 2443 const char * 2444 ipsec4_logpacketstr(ip, spi) 2445 struct ip *ip; 2446 u_int32_t spi; 2447 { 2448 static char buf[256]; 2449 char *p; 2450 u_int8_t *s, *d; 2451 2452 s = (u_int8_t *)(&ip->ip_src); 2453 d = (u_int8_t *)(&ip->ip_dst); 2454 2455 p = buf; 2456 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2457 while (p && *p) 2458 p++; 2459 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u", 2460 s[0], s[1], s[2], s[3]); 2461 while (p && *p) 2462 p++; 2463 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u", 2464 d[0], d[1], d[2], d[3]); 2465 while (p && *p) 2466 p++; 2467 snprintf(p, sizeof(buf) - (p - buf), ")"); 2468 2469 return buf; 2470 } 2471 2472 #ifdef INET6 2473 const char * 2474 ipsec6_logpacketstr(ip6, spi) 2475 struct ip6_hdr *ip6; 2476 u_int32_t spi; 2477 { 2478 static char buf[256]; 2479 char *p; 2480 2481 p = buf; 2482 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2483 while (p && *p) 2484 p++; 2485 snprintf(p, sizeof(buf) - (p - buf), "src=%s", 2486 ip6_sprintf(&ip6->ip6_src)); 2487 while (p && *p) 2488 p++; 2489 snprintf(p, sizeof(buf) - (p - buf), " dst=%s", 2490 ip6_sprintf(&ip6->ip6_dst)); 2491 while (p && *p) 2492 p++; 2493 snprintf(p, sizeof(buf) - (p - buf), ")"); 2494 2495 return buf; 2496 } 2497 #endif /* INET6 */ 2498 2499 const char * 2500 ipsec_logsastr(sav) 2501 struct secasvar *sav; 2502 { 2503 static char buf[256]; 2504 char *p; 2505 struct secasindex *saidx = &sav->sah->saidx; 2506 2507 /* validity check */ 2508 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2509 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) 2510 panic("ipsec_logsastr: family mismatched."); 2511 2512 p = buf; 2513 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi)); 2514 while (p && *p) 2515 p++; 2516 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) { 2517 u_int8_t *s, *d; 2518 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr; 2519 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr; 2520 snprintf(p, sizeof(buf) - (p - buf), 2521 "src=%d.%d.%d.%d dst=%d.%d.%d.%d", 2522 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]); 2523 } 2524 #ifdef INET6 2525 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) { 2526 snprintf(p, sizeof(buf) - (p - buf), 2527 "src=%s", 2528 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr)); 2529 while (p && *p) 2530 p++; 2531 snprintf(p, sizeof(buf) - (p - buf), 2532 " dst=%s", 2533 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr)); 2534 } 2535 #endif 2536 while (p && *p) 2537 p++; 2538 snprintf(p, sizeof(buf) - (p - buf), ")"); 2539 2540 return buf; 2541 } 2542 2543 void 2544 ipsec_dumpmbuf(m) 2545 struct mbuf *m; 2546 { 2547 int totlen; 2548 int i; 2549 u_char *p; 2550 2551 totlen = 0; 2552 printf("---\n"); 2553 while (m) { 2554 p = mtod(m, u_char *); 2555 for (i = 0; i < m->m_len; i++) { 2556 printf("%02x ", p[i]); 2557 totlen++; 2558 if (totlen % 16 == 0) 2559 printf("\n"); 2560 } 2561 m = m->m_next; 2562 } 2563 if (totlen % 16 != 0) 2564 printf("\n"); 2565 printf("---\n"); 2566 } 2567 2568 #ifdef INET 2569 static int 2570 ipsec4_checksa(isr, state) 2571 struct ipsecrequest *isr; 2572 struct ipsec_output_state *state; 2573 { 2574 struct ip *ip; 2575 struct secasindex saidx; 2576 struct sockaddr_in *sin; 2577 2578 /* make SA index for search proper SA */ 2579 ip = mtod(state->m, struct ip *); 2580 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2581 saidx.mode = isr->saidx.mode; 2582 saidx.reqid = isr->saidx.reqid; 2583 sin = (struct sockaddr_in *)&saidx.src; 2584 if (sin->sin_len == 0) { 2585 sin->sin_len = sizeof(*sin); 2586 sin->sin_family = AF_INET; 2587 sin->sin_port = IPSEC_PORT_ANY; 2588 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr)); 2589 } 2590 sin = (struct sockaddr_in *)&saidx.dst; 2591 if (sin->sin_len == 0) { 2592 sin->sin_len = sizeof(*sin); 2593 sin->sin_family = AF_INET; 2594 sin->sin_port = IPSEC_PORT_ANY; 2595 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr)); 2596 } 2597 2598 return key_checkrequest(isr, &saidx); 2599 } 2600 /* 2601 * IPsec output logic for IPv4. 2602 */ 2603 int 2604 ipsec4_output(state, sp, flags) 2605 struct ipsec_output_state *state; 2606 struct secpolicy *sp; 2607 int flags; 2608 { 2609 struct ip *ip = NULL; 2610 struct ipsecrequest *isr = NULL; 2611 int s; 2612 int error; 2613 struct sockaddr_in *dst4; 2614 2615 if (!state) 2616 panic("state == NULL in ipsec4_output"); 2617 if (!state->m) 2618 panic("state->m == NULL in ipsec4_output"); 2619 if (!state->ro) 2620 panic("state->ro == NULL in ipsec4_output"); 2621 if (!state->dst) 2622 panic("state->dst == NULL in ipsec4_output"); 2623 state->encap = 0; 2624 2625 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2626 printf("ipsec4_output: applyed SP\n"); 2627 kdebug_secpolicy(sp)); 2628 2629 for (isr = sp->req; isr != NULL; isr = isr->next) { 2630 2631 #if 0 /* give up to check restriction of transport mode */ 2632 /* XXX but should be checked somewhere */ 2633 /* 2634 * some of the IPsec operation must be performed only in 2635 * originating case. 2636 */ 2637 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT 2638 && (flags & IP_FORWARDING)) 2639 continue; 2640 #endif 2641 error = ipsec4_checksa(isr, state); 2642 if (error != 0) { 2643 /* 2644 * IPsec processing is required, but no SA found. 2645 * I assume that key_acquire() had been called 2646 * to get/establish the SA. Here I discard 2647 * this packet because it is responsibility for 2648 * upper layer to retransmit the packet. 2649 */ 2650 ipsecstat.out_nosa++; 2651 goto bad; 2652 } 2653 2654 /* validity check */ 2655 if (isr->sav == NULL) { 2656 switch (ipsec_get_reqlevel(isr, AF_INET)) { 2657 case IPSEC_LEVEL_USE: 2658 continue; 2659 case IPSEC_LEVEL_REQUIRE: 2660 /* must be not reached here. */ 2661 panic("ipsec4_output: no SA found, but required."); 2662 } 2663 } 2664 2665 /* 2666 * If there is no valid SA, we give up to process any 2667 * more. In such a case, the SA's status is changed 2668 * from DYING to DEAD after allocating. If a packet 2669 * send to the receiver by dead SA, the receiver can 2670 * not decode a packet because SA has been dead. 2671 */ 2672 if (isr->sav->state != SADB_SASTATE_MATURE 2673 && isr->sav->state != SADB_SASTATE_DYING) { 2674 ipsecstat.out_nosa++; 2675 error = EINVAL; 2676 goto bad; 2677 } 2678 2679 /* 2680 * There may be the case that SA status will be changed when 2681 * we are refering to one. So calling splsoftnet(). 2682 */ 2683 s = splnet(); 2684 2685 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2686 /* 2687 * build IPsec tunnel. 2688 */ 2689 /* XXX should be processed with other familiy */ 2690 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) { 2691 ipseclog((LOG_ERR, "ipsec4_output: " 2692 "family mismatched between inner and outer spi=%u\n", 2693 (u_int32_t)ntohl(isr->sav->spi))); 2694 splx(s); 2695 error = EAFNOSUPPORT; 2696 goto bad; 2697 } 2698 2699 state->m = ipsec4_splithdr(state->m); 2700 if (!state->m) { 2701 splx(s); 2702 error = ENOMEM; 2703 goto bad; 2704 } 2705 error = ipsec4_encapsulate(state->m, isr->sav); 2706 splx(s); 2707 if (error) { 2708 state->m = NULL; 2709 goto bad; 2710 } 2711 ip = mtod(state->m, struct ip *); 2712 2713 state->ro = &isr->sav->sah->sa_route; 2714 state->dst = (struct sockaddr *)&state->ro->ro_dst; 2715 dst4 = (struct sockaddr_in *)state->dst; 2716 if (state->ro->ro_rt 2717 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 2718 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) { 2719 RTFREE(state->ro->ro_rt); 2720 state->ro->ro_rt = NULL; 2721 } 2722 if (state->ro->ro_rt == 0) { 2723 dst4->sin_family = AF_INET; 2724 dst4->sin_len = sizeof(*dst4); 2725 dst4->sin_addr = ip->ip_dst; 2726 rtalloc(state->ro); 2727 } 2728 if (state->ro->ro_rt == 0) { 2729 ipstat.ips_noroute++; 2730 error = EHOSTUNREACH; 2731 goto bad; 2732 } 2733 2734 /* adjust state->dst if tunnel endpoint is offlink */ 2735 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 2736 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 2737 dst4 = (struct sockaddr_in *)state->dst; 2738 } 2739 2740 state->encap++; 2741 } else 2742 splx(s); 2743 2744 state->m = ipsec4_splithdr(state->m); 2745 if (!state->m) { 2746 error = ENOMEM; 2747 goto bad; 2748 } 2749 switch (isr->saidx.proto) { 2750 case IPPROTO_ESP: 2751 #ifdef IPSEC_ESP 2752 if ((error = esp4_output(state->m, isr)) != 0) { 2753 state->m = NULL; 2754 goto bad; 2755 } 2756 break; 2757 #else 2758 m_freem(state->m); 2759 state->m = NULL; 2760 error = EINVAL; 2761 goto bad; 2762 #endif 2763 case IPPROTO_AH: 2764 if ((error = ah4_output(state->m, isr)) != 0) { 2765 state->m = NULL; 2766 goto bad; 2767 } 2768 break; 2769 case IPPROTO_IPCOMP: 2770 if ((error = ipcomp4_output(state->m, isr)) != 0) { 2771 state->m = NULL; 2772 goto bad; 2773 } 2774 break; 2775 default: 2776 ipseclog((LOG_ERR, 2777 "ipsec4_output: unknown ipsec protocol %d\n", 2778 isr->saidx.proto)); 2779 m_freem(state->m); 2780 state->m = NULL; 2781 error = EINVAL; 2782 goto bad; 2783 } 2784 2785 if (state->m == 0) { 2786 error = ENOMEM; 2787 goto bad; 2788 } 2789 ip = mtod(state->m, struct ip *); 2790 } 2791 2792 return 0; 2793 2794 bad: 2795 m_freem(state->m); 2796 state->m = NULL; 2797 return error; 2798 } 2799 #endif 2800 2801 #ifdef INET6 2802 static int 2803 ipsec6_checksa(isr, state, tunnel) 2804 struct ipsecrequest *isr; 2805 struct ipsec_output_state *state; 2806 int tunnel; 2807 { 2808 struct ip6_hdr *ip6; 2809 struct secasindex saidx; 2810 struct sockaddr_in6 *sin6; 2811 2812 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2813 #ifdef DIAGNOSTIC 2814 if (!tunnel) 2815 panic("ipsec6_checksa/inconsistent tunnel attribute"); 2816 #endif 2817 /* When tunnel mode, SA peers must be specified. */ 2818 return key_checkrequest(isr, &isr->saidx); 2819 } 2820 2821 /* make SA index for search proper SA */ 2822 ip6 = mtod(state->m, struct ip6_hdr *); 2823 if (tunnel) { 2824 bzero(&saidx, sizeof(saidx)); 2825 saidx.proto = isr->saidx.proto; 2826 } else 2827 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2828 saidx.mode = isr->saidx.mode; 2829 saidx.reqid = isr->saidx.reqid; 2830 sin6 = (struct sockaddr_in6 *)&saidx.src; 2831 if (sin6->sin6_len == 0 || tunnel) { 2832 sin6->sin6_len = sizeof(*sin6); 2833 sin6->sin6_family = AF_INET6; 2834 sin6->sin6_port = IPSEC_PORT_ANY; 2835 in6_recoverscope(sin6, &ip6->ip6_src, NULL); 2836 } 2837 sin6 = (struct sockaddr_in6 *)&saidx.dst; 2838 if (sin6->sin6_len == 0 || tunnel) { 2839 sin6->sin6_len = sizeof(*sin6); 2840 sin6->sin6_family = AF_INET6; 2841 sin6->sin6_port = IPSEC_PORT_ANY; 2842 in6_recoverscope(sin6, &ip6->ip6_dst, NULL); 2843 } 2844 2845 return key_checkrequest(isr, &saidx); 2846 } 2847 2848 /* 2849 * IPsec output logic for IPv6, transport mode. 2850 */ 2851 int 2852 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun) 2853 struct ipsec_output_state *state; 2854 u_char *nexthdrp; 2855 struct mbuf *mprev; 2856 struct secpolicy *sp; 2857 int flags; 2858 int *tun; 2859 { 2860 struct ip6_hdr *ip6; 2861 struct ipsecrequest *isr = NULL; 2862 int error = 0; 2863 int plen; 2864 2865 if (!state) 2866 panic("state == NULL in ipsec6_output_trans"); 2867 if (!state->m) 2868 panic("state->m == NULL in ipsec6_output_trans"); 2869 if (!nexthdrp) 2870 panic("nexthdrp == NULL in ipsec6_output_trans"); 2871 if (!mprev) 2872 panic("mprev == NULL in ipsec6_output_trans"); 2873 if (!sp) 2874 panic("sp == NULL in ipsec6_output_trans"); 2875 if (!tun) 2876 panic("tun == NULL in ipsec6_output_trans"); 2877 2878 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2879 printf("ipsec6_output_trans: applyed SP\n"); 2880 kdebug_secpolicy(sp)); 2881 2882 *tun = 0; 2883 for (isr = sp->req; isr; isr = isr->next) { 2884 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2885 /* the rest will be handled by ipsec6_output_tunnel() */ 2886 break; 2887 } 2888 2889 error = ipsec6_checksa(isr, state, 0); 2890 if (error == EIO) 2891 goto bad; 2892 if (error == ENOENT) { 2893 /* 2894 * IPsec processing is required, but no SA found. 2895 * I assume that key_acquire() had been called 2896 * to get/establish the SA. Here I discard 2897 * this packet because it is responsibility for 2898 * upper layer to retransmit the packet. 2899 */ 2900 ipsec6stat.out_nosa++; 2901 2902 /* 2903 * Notify the fact that the packet is discarded 2904 * to ourselves. I believe this is better than 2905 * just silently discarding. (jinmei@kame.net) 2906 * XXX: should we restrict the error to TCP packets? 2907 * XXX: should we directly notify sockets via 2908 * pfctlinputs? 2909 * 2910 * Noone have initialized rcvif until this point, 2911 * so clear it. 2912 */ 2913 if ((state->m->m_flags & M_PKTHDR) != 0) 2914 state->m->m_pkthdr.rcvif = NULL; 2915 icmp6_error(state->m, ICMP6_DST_UNREACH, 2916 ICMP6_DST_UNREACH_ADMIN, 0); 2917 state->m = NULL; /* icmp6_error freed the mbuf */ 2918 goto bad; 2919 } 2920 2921 /* validity check */ 2922 if (isr->sav == NULL) { 2923 switch (ipsec_get_reqlevel(isr, AF_INET6)) { 2924 case IPSEC_LEVEL_USE: 2925 continue; 2926 case IPSEC_LEVEL_REQUIRE: 2927 /* must be not reached here. */ 2928 panic("ipsec6_output_trans: no SA found, but required."); 2929 } 2930 } 2931 2932 /* 2933 * If there is no valid SA, we give up to process. 2934 * see same place at ipsec4_output(). 2935 */ 2936 if (isr->sav->state != SADB_SASTATE_MATURE 2937 && isr->sav->state != SADB_SASTATE_DYING) { 2938 ipsec6stat.out_nosa++; 2939 error = EINVAL; 2940 goto bad; 2941 } 2942 2943 switch (isr->saidx.proto) { 2944 case IPPROTO_ESP: 2945 #ifdef IPSEC_ESP 2946 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr); 2947 #else 2948 m_freem(state->m); 2949 error = EINVAL; 2950 #endif 2951 break; 2952 case IPPROTO_AH: 2953 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr); 2954 break; 2955 case IPPROTO_IPCOMP: 2956 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr); 2957 break; 2958 default: 2959 ipseclog((LOG_ERR, "ipsec6_output_trans: " 2960 "unknown ipsec protocol %d\n", isr->saidx.proto)); 2961 m_freem(state->m); 2962 ipsec6stat.out_inval++; 2963 error = EINVAL; 2964 break; 2965 } 2966 if (error) { 2967 state->m = NULL; 2968 goto bad; 2969 } 2970 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 2971 if (plen > IPV6_MAXPACKET) { 2972 ipseclog((LOG_ERR, "ipsec6_output_trans: " 2973 "IPsec with IPv6 jumbogram is not supported\n")); 2974 ipsec6stat.out_inval++; 2975 error = EINVAL; /* XXX */ 2976 goto bad; 2977 } 2978 ip6 = mtod(state->m, struct ip6_hdr *); 2979 ip6->ip6_plen = htons(plen); 2980 } 2981 2982 /* if we have more to go, we need a tunnel mode processing */ 2983 if (isr != NULL) 2984 *tun = 1; 2985 2986 return 0; 2987 2988 bad: 2989 m_freem(state->m); 2990 state->m = NULL; 2991 return error; 2992 } 2993 2994 /* 2995 * IPsec output logic for IPv6, tunnel mode. 2996 */ 2997 int 2998 ipsec6_output_tunnel(state, sp, flags) 2999 struct ipsec_output_state *state; 3000 struct secpolicy *sp; 3001 int flags; 3002 { 3003 struct ip6_hdr *ip6; 3004 struct ipsecrequest *isr = NULL; 3005 int error = 0; 3006 int plen; 3007 struct sockaddr_in6 *dst6; 3008 int s; 3009 3010 if (!state) 3011 panic("state == NULL in ipsec6_output_tunnel"); 3012 if (!state->m) 3013 panic("state->m == NULL in ipsec6_output_tunnel"); 3014 if (!sp) 3015 panic("sp == NULL in ipsec6_output_tunnel"); 3016 3017 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3018 printf("ipsec6_output_tunnel: applyed SP\n"); 3019 kdebug_secpolicy(sp)); 3020 3021 /* 3022 * transport mode ipsec (before the 1st tunnel mode) is already 3023 * processed by ipsec6_output_trans(). 3024 */ 3025 for (isr = sp->req; isr; isr = isr->next) { 3026 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 3027 break; 3028 } 3029 3030 for (/* already initialized */; isr; isr = isr->next) { 3031 error = ipsec6_checksa(isr, state, 1); 3032 if (error == EIO) 3033 goto bad; 3034 if (error == ENOENT) { 3035 /* 3036 * IPsec processing is required, but no SA found. 3037 * I assume that key_acquire() had been called 3038 * to get/establish the SA. Here I discard 3039 * this packet because it is responsibility for 3040 * upper layer to retransmit the packet. 3041 */ 3042 ipsec6stat.out_nosa++; 3043 error = ENOENT; 3044 goto bad; 3045 } 3046 3047 /* validity check */ 3048 if (isr->sav == NULL) { 3049 switch (ipsec_get_reqlevel(isr, AF_INET6)) { 3050 case IPSEC_LEVEL_USE: 3051 continue; 3052 case IPSEC_LEVEL_REQUIRE: 3053 /* must be not reached here. */ 3054 panic("ipsec6_output_tunnel: no SA found, but required."); 3055 } 3056 } 3057 3058 /* 3059 * If there is no valid SA, we give up to process. 3060 * see same place at ipsec4_output(). 3061 */ 3062 if (isr->sav->state != SADB_SASTATE_MATURE 3063 && isr->sav->state != SADB_SASTATE_DYING) { 3064 ipsec6stat.out_nosa++; 3065 error = EINVAL; 3066 goto bad; 3067 } 3068 3069 /* 3070 * There may be the case that SA status will be changed when 3071 * we are refering to one. So calling splsoftnet(). 3072 */ 3073 s = splnet(); 3074 3075 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3076 /* 3077 * build IPsec tunnel. 3078 */ 3079 /* XXX should be processed with other familiy */ 3080 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) { 3081 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3082 "family mismatched between inner and outer, spi=%u\n", 3083 (u_int32_t)ntohl(isr->sav->spi))); 3084 splx(s); 3085 ipsec6stat.out_inval++; 3086 error = EAFNOSUPPORT; 3087 goto bad; 3088 } 3089 3090 state->m = ipsec6_splithdr(state->m); 3091 if (!state->m) { 3092 splx(s); 3093 ipsec6stat.out_nomem++; 3094 error = ENOMEM; 3095 goto bad; 3096 } 3097 error = ipsec6_encapsulate(state->m, isr->sav); 3098 splx(s); 3099 if (error) { 3100 state->m = 0; 3101 goto bad; 3102 } 3103 ip6 = mtod(state->m, struct ip6_hdr *); 3104 3105 state->ro = &isr->sav->sah->sa_route; 3106 state->dst = (struct sockaddr *)&state->ro->ro_dst; 3107 dst6 = (struct sockaddr_in6 *)state->dst; 3108 if (state->ro->ro_rt && 3109 (!(state->ro->ro_rt->rt_flags & RTF_UP) || 3110 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, 3111 &ip6->ip6_dst))) { 3112 RTFREE(state->ro->ro_rt); 3113 state->ro->ro_rt = NULL; 3114 } 3115 if (state->ro->ro_rt == 0) { 3116 bzero(dst6, sizeof(*dst6)); 3117 dst6->sin6_family = AF_INET6; 3118 dst6->sin6_len = sizeof(*dst6); 3119 dst6->sin6_addr = ip6->ip6_dst; 3120 rtalloc(state->ro); 3121 } 3122 if (state->ro->ro_rt == 0) { 3123 ip6stat.ip6s_noroute++; 3124 ipsec6stat.out_noroute++; 3125 error = EHOSTUNREACH; 3126 goto bad; 3127 } 3128 3129 /* adjust state->dst if tunnel endpoint is offlink */ 3130 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 3131 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 3132 dst6 = (struct sockaddr_in6 *)state->dst; 3133 } 3134 } else 3135 splx(s); 3136 3137 state->m = ipsec6_splithdr(state->m); 3138 if (!state->m) { 3139 ipsec6stat.out_nomem++; 3140 error = ENOMEM; 3141 goto bad; 3142 } 3143 ip6 = mtod(state->m, struct ip6_hdr *); 3144 switch (isr->saidx.proto) { 3145 case IPPROTO_ESP: 3146 #ifdef IPSEC_ESP 3147 error = esp6_output(state->m, &ip6->ip6_nxt, 3148 state->m->m_next, isr); 3149 #else 3150 m_freem(state->m); 3151 error = EINVAL; 3152 #endif 3153 break; 3154 case IPPROTO_AH: 3155 error = ah6_output(state->m, &ip6->ip6_nxt, 3156 state->m->m_next, isr); 3157 break; 3158 case IPPROTO_IPCOMP: 3159 /* XXX code should be here */ 3160 /* FALLTHROUGH */ 3161 default: 3162 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3163 "unknown ipsec protocol %d\n", isr->saidx.proto)); 3164 m_freem(state->m); 3165 ipsec6stat.out_inval++; 3166 error = EINVAL; 3167 break; 3168 } 3169 if (error) { 3170 state->m = NULL; 3171 goto bad; 3172 } 3173 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3174 if (plen > IPV6_MAXPACKET) { 3175 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3176 "IPsec with IPv6 jumbogram is not supported\n")); 3177 ipsec6stat.out_inval++; 3178 error = EINVAL; /* XXX */ 3179 goto bad; 3180 } 3181 ip6 = mtod(state->m, struct ip6_hdr *); 3182 ip6->ip6_plen = htons(plen); 3183 } 3184 3185 return 0; 3186 3187 bad: 3188 m_freem(state->m); 3189 state->m = NULL; 3190 return error; 3191 } 3192 #endif /* INET6 */ 3193 3194 #ifdef INET 3195 /* 3196 * Chop IP header and option off from the payload. 3197 */ 3198 static struct mbuf * 3199 ipsec4_splithdr(m) 3200 struct mbuf *m; 3201 { 3202 struct mbuf *mh; 3203 struct ip *ip; 3204 int hlen; 3205 3206 if (m->m_len < sizeof(struct ip)) 3207 panic("ipsec4_splithdr: first mbuf too short"); 3208 ip = mtod(m, struct ip *); 3209 #ifdef _IP_VHL 3210 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 3211 #else 3212 hlen = ip->ip_hl << 2; 3213 #endif 3214 if (m->m_len > hlen) { 3215 MGETHDR(mh, M_DONTWAIT, MT_HEADER); 3216 if (!mh) { 3217 m_freem(m); 3218 return NULL; 3219 } 3220 M_MOVE_PKTHDR(mh, m); 3221 MH_ALIGN(mh, hlen); 3222 m->m_len -= hlen; 3223 m->m_data += hlen; 3224 mh->m_next = m; 3225 m = mh; 3226 m->m_len = hlen; 3227 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen); 3228 } else if (m->m_len < hlen) { 3229 m = m_pullup(m, hlen); 3230 if (!m) 3231 return NULL; 3232 } 3233 return m; 3234 } 3235 #endif 3236 3237 #ifdef INET6 3238 static struct mbuf * 3239 ipsec6_splithdr(m) 3240 struct mbuf *m; 3241 { 3242 struct mbuf *mh; 3243 struct ip6_hdr *ip6; 3244 int hlen; 3245 3246 if (m->m_len < sizeof(struct ip6_hdr)) 3247 panic("ipsec6_splithdr: first mbuf too short"); 3248 ip6 = mtod(m, struct ip6_hdr *); 3249 hlen = sizeof(struct ip6_hdr); 3250 if (m->m_len > hlen) { 3251 MGETHDR(mh, M_DONTWAIT, MT_HEADER); 3252 if (!mh) { 3253 m_freem(m); 3254 return NULL; 3255 } 3256 M_MOVE_PKTHDR(mh, m); 3257 MH_ALIGN(mh, hlen); 3258 m->m_len -= hlen; 3259 m->m_data += hlen; 3260 mh->m_next = m; 3261 m = mh; 3262 m->m_len = hlen; 3263 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen); 3264 } else if (m->m_len < hlen) { 3265 m = m_pullup(m, hlen); 3266 if (!m) 3267 return NULL; 3268 } 3269 return m; 3270 } 3271 #endif 3272 3273 /* validate inbound IPsec tunnel packet. */ 3274 int 3275 ipsec4_tunnel_validate(m, off, nxt0, sav) 3276 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 3277 int off; 3278 u_int nxt0; 3279 struct secasvar *sav; 3280 { 3281 u_int8_t nxt = nxt0 & 0xff; 3282 struct sockaddr_in *sin; 3283 struct sockaddr_in osrc, odst, isrc, idst; 3284 int hlen; 3285 struct secpolicy *sp; 3286 struct ip *oip; 3287 3288 #ifdef DIAGNOSTIC 3289 if (m->m_len < sizeof(struct ip)) 3290 panic("too short mbuf on ipsec4_tunnel_validate"); 3291 #endif 3292 if (nxt != IPPROTO_IPV4) 3293 return 0; 3294 if (m->m_pkthdr.len < off + sizeof(struct ip)) 3295 return 0; 3296 /* do not decapsulate if the SA is for transport mode only */ 3297 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3298 return 0; 3299 3300 oip = mtod(m, struct ip *); 3301 hlen = oip->ip_hl << 2; 3302 if (hlen != sizeof(struct ip)) 3303 return 0; 3304 3305 /* AF_INET6 should be supported, but at this moment we don't. */ 3306 sin = (struct sockaddr_in *)&sav->sah->saidx.dst; 3307 if (sin->sin_family != AF_INET) 3308 return 0; 3309 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0) 3310 return 0; 3311 3312 /* XXX slow */ 3313 bzero(&osrc, sizeof(osrc)); 3314 bzero(&odst, sizeof(odst)); 3315 bzero(&isrc, sizeof(isrc)); 3316 bzero(&idst, sizeof(idst)); 3317 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family = 3318 AF_INET; 3319 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len = 3320 sizeof(struct sockaddr_in); 3321 osrc.sin_addr = oip->ip_src; 3322 odst.sin_addr = oip->ip_dst; 3323 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr), 3324 (caddr_t)&isrc.sin_addr); 3325 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr), 3326 (caddr_t)&idst.sin_addr); 3327 3328 /* 3329 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode) 3330 * - if the inner destination is multicast address, there can be 3331 * multiple permissible inner source address. implementation 3332 * may want to skip verification of inner source address against 3333 * SPD selector. 3334 * - if the inner protocol is ICMP, the packet may be an error report 3335 * from routers on the other side of the VPN cloud (R in the 3336 * following diagram). in this case, we cannot verify inner source 3337 * address against SPD selector. 3338 * me -- gw === gw -- R -- you 3339 * 3340 * we consider the first bullet to be users responsibility on SPD entry 3341 * configuration (if you need to encrypt multicast traffic, set 3342 * the source range of SPD selector to 0.0.0.0/0, or have explicit 3343 * address ranges for possible senders). 3344 * the second bullet is not taken care of (yet). 3345 * 3346 * therefore, we do not do anything special about inner source. 3347 */ 3348 3349 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 3350 (struct sockaddr *)&isrc, (struct sockaddr *)&idst); 3351 /* 3352 * when there is no suitable inbound policy for the packet of the ipsec 3353 * tunnel mode, the kernel never decapsulate the tunneled packet 3354 * as the ipsec tunnel mode even when the system wide policy is "none". 3355 * then the kernel leaves the generic tunnel module to process this 3356 * packet. if there is no rule of the generic tunnel, the packet 3357 * is rejected and the statistics will be counted up. 3358 */ 3359 if (!sp) 3360 return 0; 3361 key_freesp(sp); 3362 3363 return 1; 3364 } 3365 3366 #ifdef INET6 3367 /* validate inbound IPsec tunnel packet. */ 3368 int 3369 ipsec6_tunnel_validate(m, off, nxt0, sav) 3370 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 3371 int off; 3372 u_int nxt0; 3373 struct secasvar *sav; 3374 { 3375 u_int8_t nxt = nxt0 & 0xff; 3376 struct sockaddr_in6 *sin6; 3377 struct sockaddr_in6 osrc, odst, isrc, idst; 3378 struct secpolicy *sp; 3379 struct ip6_hdr *oip6; 3380 3381 #ifdef DIAGNOSTIC 3382 if (m->m_len < sizeof(struct ip6_hdr)) 3383 panic("too short mbuf on ipsec6_tunnel_validate"); 3384 #endif 3385 if (nxt != IPPROTO_IPV6) 3386 return 0; 3387 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr)) 3388 return 0; 3389 /* do not decapsulate if the SA is for transport mode only */ 3390 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3391 return 0; 3392 3393 oip6 = mtod(m, struct ip6_hdr *); 3394 3395 /* AF_INET should be supported, but at this moment we don't. */ 3396 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst; 3397 if (sin6->sin6_family != AF_INET6) 3398 return 0; 3399 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr)) 3400 return 0; 3401 3402 /* XXX slow */ 3403 bzero(&osrc, sizeof(osrc)); 3404 bzero(&odst, sizeof(odst)); 3405 bzero(&isrc, sizeof(isrc)); 3406 bzero(&idst, sizeof(idst)); 3407 osrc.sin6_family = odst.sin6_family = isrc.sin6_family = 3408 idst.sin6_family = AF_INET6; 3409 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len = 3410 sizeof(struct sockaddr_in6); 3411 osrc.sin6_addr = oip6->ip6_src; 3412 odst.sin6_addr = oip6->ip6_dst; 3413 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), 3414 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr); 3415 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), 3416 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr); 3417 3418 /* 3419 * regarding to inner source address validation, see a long comment 3420 * in ipsec4_tunnel_validate. 3421 */ 3422 3423 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 3424 (struct sockaddr *)&isrc, (struct sockaddr *)&idst); 3425 if (!sp) 3426 return 0; 3427 key_freesp(sp); 3428 3429 return 1; 3430 } 3431 #endif 3432 3433 /* 3434 * Make a mbuf chain for encryption. 3435 * If the original mbuf chain contains a mbuf with a cluster, 3436 * allocate a new cluster and copy the data to the new cluster. 3437 * XXX: this hack is inefficient, but is necessary to handle cases 3438 * of TCP retransmission... 3439 */ 3440 struct mbuf * 3441 ipsec_copypkt(m) 3442 struct mbuf *m; 3443 { 3444 struct mbuf *n, **mpp, *mnew; 3445 3446 for (n = m, mpp = &m; n; n = n->m_next) { 3447 if (n->m_flags & M_EXT) { 3448 /* 3449 * Make a copy only if there is more than one 3450 * references to the cluster. 3451 * XXX: is this approach effective? 3452 */ 3453 if (!M_WRITABLE(n)) { 3454 int remain, copied; 3455 struct mbuf *mm; 3456 3457 if (n->m_flags & M_PKTHDR) { 3458 MGETHDR(mnew, M_DONTWAIT, MT_HEADER); 3459 if (mnew == NULL) 3460 goto fail; 3461 mnew->m_pkthdr = n->m_pkthdr; 3462 #if 0 3463 /* XXX: convert to m_tag or delete? */ 3464 if (n->m_pkthdr.aux) { 3465 mnew->m_pkthdr.aux = 3466 m_copym(n->m_pkthdr.aux, 3467 0, M_COPYALL, M_DONTWAIT); 3468 } 3469 #endif 3470 M_MOVE_PKTHDR(mnew, n); 3471 } 3472 else { 3473 MGET(mnew, M_DONTWAIT, MT_DATA); 3474 if (mnew == NULL) 3475 goto fail; 3476 } 3477 mnew->m_len = 0; 3478 mm = mnew; 3479 3480 /* 3481 * Copy data. If we don't have enough space to 3482 * store the whole data, allocate a cluster 3483 * or additional mbufs. 3484 * XXX: we don't use m_copyback(), since the 3485 * function does not use clusters and thus is 3486 * inefficient. 3487 */ 3488 remain = n->m_len; 3489 copied = 0; 3490 while (1) { 3491 int len; 3492 struct mbuf *mn; 3493 3494 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN)) 3495 len = remain; 3496 else { /* allocate a cluster */ 3497 MCLGET(mm, M_DONTWAIT); 3498 if (!(mm->m_flags & M_EXT)) { 3499 m_free(mm); 3500 goto fail; 3501 } 3502 len = remain < MCLBYTES ? 3503 remain : MCLBYTES; 3504 } 3505 3506 bcopy(n->m_data + copied, mm->m_data, 3507 len); 3508 3509 copied += len; 3510 remain -= len; 3511 mm->m_len = len; 3512 3513 if (remain <= 0) /* completed? */ 3514 break; 3515 3516 /* need another mbuf */ 3517 MGETHDR(mn, M_DONTWAIT, MT_HEADER); 3518 if (mn == NULL) 3519 goto fail; 3520 mn->m_pkthdr.rcvif = NULL; 3521 mm->m_next = mn; 3522 mm = mn; 3523 } 3524 3525 /* adjust chain */ 3526 mm->m_next = m_free(n); 3527 n = mm; 3528 *mpp = mnew; 3529 mpp = &n->m_next; 3530 3531 continue; 3532 } 3533 } 3534 *mpp = n; 3535 mpp = &n->m_next; 3536 } 3537 3538 return (m); 3539 fail: 3540 m_freem(m); 3541 return (NULL); 3542 } 3543 3544 static struct ipsecaux * 3545 ipsec_addaux(m) 3546 struct mbuf *m; 3547 { 3548 struct m_tag *mtag; 3549 3550 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); 3551 if (mtag == NULL) { 3552 mtag = m_tag_get(PACKET_TAG_IPSEC_HISTORY, 3553 sizeof(struct ipsecaux), M_NOWAIT); 3554 if (mtag != NULL) 3555 m_tag_prepend(m, mtag); 3556 } 3557 if (mtag == NULL) 3558 return NULL; /* ENOBUFS */ 3559 /* XXX is this necessary? */ 3560 bzero((void *)(mtag + 1), sizeof(struct ipsecaux)); 3561 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL; 3562 } 3563 3564 static struct ipsecaux * 3565 ipsec_findaux(m) 3566 struct mbuf *m; 3567 { 3568 struct m_tag *mtag; 3569 3570 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); 3571 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL; 3572 } 3573 3574 void 3575 ipsec_delaux(m) 3576 struct mbuf *m; 3577 { 3578 struct m_tag *mtag; 3579 3580 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); 3581 if (mtag != NULL) 3582 m_tag_delete(m, mtag); 3583 } 3584 3585 /* if the aux buffer is unnecessary, nuke it. */ 3586 static void 3587 ipsec_optaux(m, aux) 3588 struct mbuf *m; 3589 struct ipsecaux *aux; 3590 { 3591 3592 if (aux == NULL) 3593 return; 3594 ipsec_delaux(m); 3595 } 3596 3597 int 3598 ipsec_addhist(m, proto, spi) 3599 struct mbuf *m; 3600 int proto; 3601 u_int32_t spi; 3602 { 3603 struct ipsecaux *aux; 3604 3605 aux = ipsec_addaux(m); 3606 if (aux == NULL) 3607 return ENOBUFS; 3608 aux->hdrs++; 3609 return 0; 3610 } 3611 3612 int 3613 ipsec_getnhist(m) 3614 struct mbuf *m; 3615 { 3616 struct ipsecaux *aux; 3617 3618 aux = ipsec_findaux(m); 3619 if (aux == NULL) 3620 return 0; 3621 return aux->hdrs; 3622 } 3623 3624 void 3625 ipsec_clearhist(m) 3626 struct mbuf *m; 3627 { 3628 struct ipsecaux *aux; 3629 3630 aux = ipsec_findaux(m); 3631 ipsec_optaux(m, aux); 3632 }
Cache object: 6eb96d2ca7d441b8d21198e7b11c71ee
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]