FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
1 /* $FreeBSD: releng/5.4/sys/netinet6/ipsec.c 143940 2005-03-21 19:31:39Z ume $ */
2 /* $KAME: ipsec.c,v 1.207 2004/01/13 03:30:42 itojun Exp $ */
3
4 /*-
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #include "opt_inet.h"
38 #include "opt_inet6.h"
39 #include "opt_ipsec.h"
40
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/malloc.h>
44 #include <sys/mbuf.h>
45 #include <sys/domain.h>
46 #include <sys/protosw.h>
47 #include <sys/socket.h>
48 #include <sys/socketvar.h>
49 #include <sys/errno.h>
50 #include <sys/time.h>
51 #include <sys/kernel.h>
52 #include <sys/syslog.h>
53 #include <sys/sysctl.h>
54 #include <sys/proc.h>
55
56 #include <net/if.h>
57 #include <net/route.h>
58
59 #include <netinet/in.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/ip.h>
62 #include <netinet/ip_var.h>
63 #include <netinet/in_var.h>
64 #include <netinet/udp.h>
65 #include <netinet/udp_var.h>
66 #include <netinet/ip_ecn.h>
67 #ifdef INET6
68 #include <netinet6/ip6_ecn.h>
69 #endif
70 #include <netinet/tcp.h>
71 #include <netinet/udp.h>
72
73 #include <netinet/ip6.h>
74 #ifdef INET6
75 #include <netinet6/ip6_var.h>
76 #endif
77 #include <netinet/in_pcb.h>
78 #ifdef INET6
79 #include <netinet/icmp6.h>
80 #endif
81
82 #include <netinet6/ipsec.h>
83 #ifdef INET6
84 #include <netinet6/ipsec6.h>
85 #endif
86 #include <netinet6/ah.h>
87 #ifdef INET6
88 #include <netinet6/ah6.h>
89 #endif
90 #ifdef IPSEC_ESP
91 #include <netinet6/esp.h>
92 #ifdef INET6
93 #include <netinet6/esp6.h>
94 #endif
95 #endif
96 #include <netinet6/ipcomp.h>
97 #ifdef INET6
98 #include <netinet6/ipcomp6.h>
99 #endif
100 #include <netkey/key.h>
101 #include <netkey/keydb.h>
102 #include <netkey/key_debug.h>
103
104 #include <machine/in_cksum.h>
105 #include <net/net_osdep.h>
106
107 #ifdef IPSEC_DEBUG
108 int ipsec_debug = 1;
109 #else
110 int ipsec_debug = 0;
111 #endif
112
113 NET_NEEDS_GIANT("ipsec");
114
115 struct ipsecstat ipsecstat;
116 int ip4_ah_cleartos = 1;
117 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
118 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
119 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
120 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
121 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
122 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
123 struct secpolicy *ip4_def_policy;
124 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
125 int ip4_esp_randpad = -1;
126
127 static int sp_cachegen = 1; /* cache generation # */
128
129 SYSCTL_DECL(_net_inet_ipsec);
130 #ifdef INET6
131 SYSCTL_DECL(_net_inet6_ipsec6);
132 #endif
133
134 /* net.inet.ipsec */
135 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
136 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
137 #if 0
138 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
139 def_policy, CTLFLAG_RW, &ip4_def_policy->policy, 0, "");
140 #endif
141 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
142 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
143 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
144 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
145 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
146 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
147 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
148 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
149 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
150 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
151 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
152 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
153 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
154 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
155 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
156 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
157 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
158 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
159 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
160 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
161
162 #ifdef INET6
163 struct ipsecstat ipsec6stat;
164 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
165 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
166 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
167 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
168 struct secpolicy *ip6_def_policy;
169 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
170 int ip6_esp_randpad = -1;
171
172 /* net.inet6.ipsec6 */
173 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
174 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
175 #if 0
176 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
177 def_policy, CTLFLAG_RW, &ip6_def_policy->policy, 0, "");
178 #endif
179 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
180 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
181 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
182 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
183 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
184 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
185 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
186 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
187 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
188 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
189 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
190 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
191 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
192 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
193 #endif /* INET6 */
194
195 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
196 struct inpcbpolicy *, int));
197 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
198 struct secpolicy *, int));
199 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int));
200 static int ipsec_setspidx_mbuf
201 __P((struct secpolicyindex *, int, struct mbuf *, int));
202 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
203 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
204 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
205 #ifdef INET6
206 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
207 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
208 #endif
209 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
210 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
211 #if 0
212 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *));
213 #endif
214 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *));
215 static int ipsec_set_policy
216 __P((struct secpolicy **, int, caddr_t, size_t, int));
217 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
218 static void vshiftl __P((unsigned char *, int, int));
219 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
220 static size_t ipsec_hdrsiz __P((struct secpolicy *));
221 #ifdef INET
222 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
223 #endif
224 #ifdef INET6
225 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
226 #endif
227 #ifdef INET
228 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
229 #endif
230 #ifdef INET6
231 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
232 #endif
233 static struct ipsecaux *ipsec_addaux __P((struct mbuf *));
234 static struct ipsecaux *ipsec_findaux __P((struct mbuf *));
235 static void ipsec_optaux __P((struct mbuf *, struct ipsecaux *));
236 #ifdef INET
237 static int ipsec4_checksa __P((struct ipsecrequest *,
238 struct ipsec_output_state *));
239 #endif
240 #ifdef INET6
241 static int ipsec6_checksa __P((struct ipsecrequest *,
242 struct ipsec_output_state *, int));
243 #endif
244
245 /*
246 * try to validate and use cached policy on a pcb.
247 */
248 static struct secpolicy *
249 ipsec_checkpcbcache(m, pcbsp, dir)
250 struct mbuf *m;
251 struct inpcbpolicy *pcbsp;
252 int dir;
253 {
254 struct secpolicyindex spidx;
255 struct timeval mono_time;
256
257 microtime(&mono_time);
258
259 switch (dir) {
260 case IPSEC_DIR_INBOUND:
261 case IPSEC_DIR_OUTBOUND:
262 case IPSEC_DIR_ANY:
263 break;
264 default:
265 return NULL;
266 }
267 #ifdef DIAGNOSTIC
268 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0]))
269 panic("dir too big in ipsec_checkpcbcache");
270 #endif
271 /* SPD table change invalidates all the caches */
272 if (pcbsp->cachegen[dir] == 0 || sp_cachegen > pcbsp->cachegen[dir]) {
273 ipsec_invalpcbcache(pcbsp, dir);
274 return NULL;
275 }
276 if (!pcbsp->cache[dir])
277 return NULL;
278 if (pcbsp->cache[dir]->state != IPSEC_SPSTATE_ALIVE) {
279 ipsec_invalpcbcache(pcbsp, dir);
280 return NULL;
281 }
282 if ((pcbsp->cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
283 if (!pcbsp->cache[dir])
284 return NULL;
285 if (ipsec_setspidx(m, &spidx, 1) != 0)
286 return NULL;
287 if (bcmp(&pcbsp->cacheidx[dir], &spidx, sizeof(spidx))) {
288 if (!pcbsp->cache[dir]->spidx ||
289 !key_cmpspidx_withmask(pcbsp->cache[dir]->spidx,
290 &spidx))
291 return NULL;
292 pcbsp->cacheidx[dir] = spidx;
293 }
294 } else {
295 /*
296 * The pcb is connected, and the L4 code is sure that:
297 * - outgoing side uses inp_[lf]addr
298 * - incoming side looks up policy after inpcb lookup
299 * and address pair is known to be stable. We do not need
300 * to generate spidx again, nor check the address match again.
301 *
302 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds
303 * and there are calls to ipsec_pcbconn() from in_pcbconnect().
304 */
305 }
306
307 pcbsp->cache[dir]->lastused = mono_time.tv_sec;
308 pcbsp->cache[dir]->refcnt++;
309 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
310 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n",
311 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir]));
312 return pcbsp->cache[dir];
313 }
314
315 static int
316 ipsec_fillpcbcache(pcbsp, m, sp, dir)
317 struct inpcbpolicy *pcbsp;
318 struct mbuf *m;
319 struct secpolicy *sp;
320 int dir;
321 {
322
323 switch (dir) {
324 case IPSEC_DIR_INBOUND:
325 case IPSEC_DIR_OUTBOUND:
326 break;
327 default:
328 return EINVAL;
329 }
330 #ifdef DIAGNOSTIC
331 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0]))
332 panic("dir too big in ipsec_checkpcbcache");
333 #endif
334
335 if (pcbsp->cache[dir])
336 key_freesp(pcbsp->cache[dir]);
337 pcbsp->cache[dir] = NULL;
338 if (ipsec_setspidx(m, &pcbsp->cacheidx[dir], 1) != 0) {
339 return EINVAL;
340 }
341 pcbsp->cache[dir] = sp;
342 if (pcbsp->cache[dir]) {
343 pcbsp->cache[dir]->refcnt++;
344 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
345 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n",
346 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir]));
347 }
348 pcbsp->cachegen[dir] = sp_cachegen;
349
350 return 0;
351 }
352
353 static int
354 ipsec_invalpcbcache(pcbsp, dir)
355 struct inpcbpolicy *pcbsp;
356 int dir;
357 {
358 int i;
359
360 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
361 if (dir != IPSEC_DIR_ANY && i != dir)
362 continue;
363 if (pcbsp->cache[i])
364 key_freesp(pcbsp->cache[i]);
365 pcbsp->cache[i] = NULL;
366 pcbsp->cachegen[i] = 0;
367 bzero(&pcbsp->cacheidx[i], sizeof(pcbsp->cacheidx[i]));
368 }
369 return 0;
370 }
371
372 int
373 ipsec_pcbconn(pcbsp)
374 struct inpcbpolicy *pcbsp;
375 {
376
377 pcbsp->cacheflags |= IPSEC_PCBSP_CONNECTED;
378 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
379 return 0;
380 }
381
382 int
383 ipsec_pcbdisconn(pcbsp)
384 struct inpcbpolicy *pcbsp;
385 {
386
387 pcbsp->cacheflags &= ~IPSEC_PCBSP_CONNECTED;
388 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
389 return 0;
390 }
391
392 int
393 ipsec_invalpcbcacheall()
394 {
395
396 sp_cachegen++;
397 return 0;
398 }
399
400 /*
401 * For OUTBOUND packet having a socket. Searching SPD for packet,
402 * and return a pointer to SP.
403 * OUT: NULL: no apropreate SP found, the following value is set to error.
404 * 0 : bypass
405 * EACCES : discard packet.
406 * ENOENT : ipsec_acquire() in progress, maybe.
407 * others : error occured.
408 * others: a pointer to SP
409 *
410 * NOTE: IPv6 mapped adddress concern is implemented here.
411 */
412 struct secpolicy *
413 ipsec4_getpolicybypcb(m, dir, inp, error)
414 struct mbuf *m;
415 u_int dir;
416 struct inpcb *inp;
417 int *error;
418 {
419 struct inpcbpolicy *pcbsp = NULL;
420 struct secpolicy *currsp = NULL; /* policy on socket */
421 struct secpolicy *kernsp = NULL; /* policy on kernel */
422 struct secpolicyindex spidx;
423 u_int16_t tag;
424
425 /* sanity check */
426 if (m == NULL || inp == NULL || error == NULL)
427 panic("ipsec4_getpolicybypcb: NULL pointer was passed.");
428
429 pcbsp = inp->inp_sp;
430
431 #ifdef DIAGNOSTIC
432 if (pcbsp == NULL)
433 panic("ipsec4_getpolicybypcb: pcbsp is NULL.");
434 #endif
435
436 tag = 0;
437
438 /* if we have a cached entry, and if it is still valid, use it. */
439 ipsecstat.spdcachelookup++;
440 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
441 if (currsp) {
442 *error = 0;
443 return currsp;
444 }
445 ipsecstat.spdcachemiss++;
446
447 switch (dir) {
448 case IPSEC_DIR_INBOUND:
449 currsp = pcbsp->sp_in;
450 break;
451 case IPSEC_DIR_OUTBOUND:
452 currsp = pcbsp->sp_out;
453 break;
454 default:
455 panic("ipsec4_getpolicybypcb: illegal direction.");
456 }
457
458 /* sanity check */
459 if (currsp == NULL)
460 panic("ipsec4_getpolicybypcb: currsp is NULL.");
461
462 /* when privileged socket */
463 if (pcbsp->priv) {
464 switch (currsp->policy) {
465 case IPSEC_POLICY_BYPASS:
466 currsp->refcnt++;
467 *error = 0;
468 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
469 return currsp;
470
471 case IPSEC_POLICY_ENTRUST:
472 /* look for a policy in SPD */
473 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
474 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
475 /* SP found */
476 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
477 printf("DP ipsec4_getpolicybypcb called "
478 "to allocate SP:%p\n", kernsp));
479 *error = 0;
480 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
481 return kernsp;
482 }
483
484 /* no SP found */
485 ip4_def_policy->refcnt++;
486 *error = 0;
487 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
488 return ip4_def_policy;
489
490 case IPSEC_POLICY_IPSEC:
491 currsp->refcnt++;
492 *error = 0;
493 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
494 return currsp;
495
496 default:
497 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
498 "Invalid policy for PCB %d\n", currsp->policy));
499 *error = EINVAL;
500 return NULL;
501 }
502 /* NOTREACHED */
503 }
504
505 /* when non-privileged socket */
506 /* look for a policy in SPD */
507 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
508 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
509 /* SP found */
510 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
511 printf("DP ipsec4_getpolicybypcb called "
512 "to allocate SP:%p\n", kernsp));
513 *error = 0;
514 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
515 return kernsp;
516 }
517
518 /* no SP found */
519 switch (currsp->policy) {
520 case IPSEC_POLICY_BYPASS:
521 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
522 "Illegal policy for non-privileged defined %d\n",
523 currsp->policy));
524 *error = EINVAL;
525 return NULL;
526
527 case IPSEC_POLICY_ENTRUST:
528 ip4_def_policy->refcnt++;
529 *error = 0;
530 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
531 return ip4_def_policy;
532
533 case IPSEC_POLICY_IPSEC:
534 currsp->refcnt++;
535 *error = 0;
536 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
537 return currsp;
538
539 default:
540 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
541 "Invalid policy for PCB %d\n", currsp->policy));
542 *error = EINVAL;
543 return NULL;
544 }
545 /* NOTREACHED */
546 }
547
548 /*
549 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
550 * and return a pointer to SP.
551 * OUT: positive: a pointer to the entry for security policy leaf matched.
552 * NULL: no apropreate SP found, the following value is set to error.
553 * 0 : bypass
554 * EACCES : discard packet.
555 * ENOENT : ipsec_acquire() in progress, maybe.
556 * others : error occured.
557 */
558 struct secpolicy *
559 ipsec4_getpolicybyaddr(m, dir, flag, error)
560 struct mbuf *m;
561 u_int dir;
562 int flag;
563 int *error;
564 {
565 struct secpolicy *sp = NULL;
566 u_int16_t tag;
567
568 /* sanity check */
569 if (m == NULL || error == NULL)
570 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
571
572 /* get a policy entry matched with the packet */
573 {
574 struct secpolicyindex spidx;
575
576 bzero(&spidx, sizeof(spidx));
577
578 /* make an index to look for a policy */
579 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m,
580 (flag & IP_FORWARDING) ? 0 : 1);
581
582 if (*error != 0)
583 return NULL;
584
585 tag = 0;
586
587 sp = key_allocsp(tag, &spidx, dir);
588 }
589
590 /* SP found */
591 if (sp != NULL) {
592 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
593 printf("DP ipsec4_getpolicybyaddr called "
594 "to allocate SP:%p\n", sp));
595 *error = 0;
596 return sp;
597 }
598
599 /* no SP found */
600 ip4_def_policy->refcnt++;
601 *error = 0;
602 return ip4_def_policy;
603 }
604
605 #ifdef INET6
606 /*
607 * For OUTBOUND packet having a socket. Searching SPD for packet,
608 * and return a pointer to SP.
609 * OUT: NULL: no apropreate SP found, the following value is set to error.
610 * 0 : bypass
611 * EACCES : discard packet.
612 * ENOENT : ipsec_acquire() in progress, maybe.
613 * others : error occured.
614 * others: a pointer to SP
615 */
616 struct secpolicy *
617 ipsec6_getpolicybypcb(m, dir, inp, error)
618 struct mbuf *m;
619 u_int dir;
620 struct inpcb *inp;
621 int *error;
622 {
623 struct inpcbpolicy *pcbsp = NULL;
624 struct secpolicy *currsp = NULL; /* policy on socket */
625 struct secpolicy *kernsp = NULL; /* policy on kernel */
626 struct secpolicyindex spidx;
627 u_int16_t tag;
628
629 /* sanity check */
630 if (m == NULL || inp == NULL || error == NULL)
631 panic("ipsec6_getpolicybypcb: NULL pointer was passed.");
632
633 #ifdef DIAGNOSTIC
634 if ((inp->inp_vflag & INP_IPV6PROTO) == 0)
635 panic("ipsec6_getpolicybypcb: socket domain != inet6");
636 #endif
637
638 pcbsp = inp->in6p_sp;
639
640 #ifdef DIAGNOSTIC
641 if (pcbsp == NULL)
642 panic("ipsec6_getpolicybypcb: pcbsp is NULL.");
643 #endif
644
645 tag = 0;
646
647 /* if we have a cached entry, and if it is still valid, use it. */
648 ipsec6stat.spdcachelookup++;
649 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
650 if (currsp) {
651 *error = 0;
652 return currsp;
653 }
654 ipsec6stat.spdcachemiss++;
655
656 switch (dir) {
657 case IPSEC_DIR_INBOUND:
658 currsp = pcbsp->sp_in;
659 break;
660 case IPSEC_DIR_OUTBOUND:
661 currsp = pcbsp->sp_out;
662 break;
663 default:
664 panic("ipsec6_getpolicybypcb: illegal direction.");
665 }
666
667 /* sanity check */
668 if (currsp == NULL)
669 panic("ipsec6_getpolicybypcb: currsp is NULL.");
670
671 /* when privileged socket */
672 if (pcbsp->priv) {
673 switch (currsp->policy) {
674 case IPSEC_POLICY_BYPASS:
675 currsp->refcnt++;
676 *error = 0;
677 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
678 return currsp;
679
680 case IPSEC_POLICY_ENTRUST:
681 /* look for a policy in SPD */
682 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
683 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
684 /* SP found */
685 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
686 printf("DP ipsec6_getpolicybypcb called "
687 "to allocate SP:%p\n", kernsp));
688 *error = 0;
689 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
690 return kernsp;
691 }
692
693 /* no SP found */
694 ip6_def_policy->refcnt++;
695 *error = 0;
696 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
697 return ip6_def_policy;
698
699 case IPSEC_POLICY_IPSEC:
700 currsp->refcnt++;
701 *error = 0;
702 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
703 return currsp;
704
705 default:
706 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: "
707 "Invalid policy for PCB %d\n", currsp->policy));
708 *error = EINVAL;
709 return NULL;
710 }
711 /* NOTREACHED */
712 }
713
714 /* when non-privileged socket */
715 /* look for a policy in SPD */
716 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
717 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
718 /* SP found */
719 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
720 printf("DP ipsec6_getpolicybypcb called "
721 "to allocate SP:%p\n", kernsp));
722 *error = 0;
723 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
724 return kernsp;
725 }
726
727 /* no SP found */
728 switch (currsp->policy) {
729 case IPSEC_POLICY_BYPASS:
730 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: "
731 "Illegal policy for non-privileged defined %d\n",
732 currsp->policy));
733 *error = EINVAL;
734 return NULL;
735
736 case IPSEC_POLICY_ENTRUST:
737 ip6_def_policy->refcnt++;
738 *error = 0;
739 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
740 return ip6_def_policy;
741
742 case IPSEC_POLICY_IPSEC:
743 currsp->refcnt++;
744 *error = 0;
745 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
746 return currsp;
747
748 default:
749 ipseclog((LOG_ERR,
750 "ipsec6_policybysock: Invalid policy for PCB %d\n",
751 currsp->policy));
752 *error = EINVAL;
753 return NULL;
754 }
755 /* NOTREACHED */
756 }
757
758 /*
759 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
760 * and return a pointer to SP.
761 * `flag' means that packet is to be forwarded whether or not.
762 * flag = 1: forwad
763 * OUT: positive: a pointer to the entry for security policy leaf matched.
764 * NULL: no apropreate SP found, the following value is set to error.
765 * 0 : bypass
766 * EACCES : discard packet.
767 * ENOENT : ipsec_acquire() in progress, maybe.
768 * others : error occured.
769 */
770 #ifndef IP_FORWARDING
771 #define IP_FORWARDING 1
772 #endif
773
774 struct secpolicy *
775 ipsec6_getpolicybyaddr(m, dir, flag, error)
776 struct mbuf *m;
777 u_int dir;
778 int flag;
779 int *error;
780 {
781 struct secpolicy *sp = NULL;
782 u_int16_t tag;
783
784 /* sanity check */
785 if (m == NULL || error == NULL)
786 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
787
788 /* get a policy entry matched with the packet */
789 {
790 struct secpolicyindex spidx;
791
792 bzero(&spidx, sizeof(spidx));
793
794 /* make an index to look for a policy */
795 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m,
796 (flag & IP_FORWARDING) ? 0 : 1);
797
798 if (*error != 0)
799 return NULL;
800
801 tag = 0;
802
803 sp = key_allocsp(tag, &spidx, dir);
804 }
805
806 /* SP found */
807 if (sp != NULL) {
808 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
809 printf("DP ipsec6_getpolicybyaddr called "
810 "to allocate SP:%p\n", sp));
811 *error = 0;
812 return sp;
813 }
814
815 /* no SP found */
816 ip6_def_policy->refcnt++;
817 *error = 0;
818 return ip6_def_policy;
819 }
820 #endif /* INET6 */
821
822 /*
823 * set IP address into spidx from mbuf.
824 * When Forwarding packet and ICMP echo reply, this function is used.
825 *
826 * IN: get the followings from mbuf.
827 * protocol family, src, dst, next protocol
828 * OUT:
829 * 0: success.
830 * other: failure, and set errno.
831 */
832 int
833 ipsec_setspidx_mbuf(spidx, family, m, needport)
834 struct secpolicyindex *spidx;
835 int family;
836 struct mbuf *m;
837 int needport;
838 {
839 int error;
840
841 /* sanity check */
842 if (spidx == NULL || m == NULL)
843 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
844
845 bzero(spidx, sizeof(*spidx));
846
847 error = ipsec_setspidx(m, spidx, needport);
848 if (error)
849 goto bad;
850
851 return 0;
852
853 bad:
854 /* XXX initialize */
855 bzero(spidx, sizeof(*spidx));
856 return EINVAL;
857 }
858
859 /*
860 * configure security policy index (src/dst/proto/sport/dport)
861 * by looking at the content of mbuf.
862 * the caller is responsible for error recovery (like clearing up spidx).
863 */
864 static int
865 ipsec_setspidx(m, spidx, needport)
866 struct mbuf *m;
867 struct secpolicyindex *spidx;
868 int needport;
869 {
870 struct ip *ip = NULL;
871 struct ip ipbuf;
872 u_int v;
873 struct mbuf *n;
874 int len;
875 int error;
876
877 if (m == NULL)
878 panic("ipsec_setspidx: m == 0 passed.");
879
880 bzero(spidx, sizeof(*spidx));
881
882 /*
883 * validate m->m_pkthdr.len. we see incorrect length if we
884 * mistakenly call this function with inconsistent mbuf chain
885 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
886 */
887 len = 0;
888 for (n = m; n; n = n->m_next)
889 len += n->m_len;
890 if (m->m_pkthdr.len != len) {
891 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
892 printf("ipsec_setspidx: "
893 "total of m_len(%d) != pkthdr.len(%d), "
894 "ignored.\n",
895 len, m->m_pkthdr.len));
896 return EINVAL;
897 }
898
899 if (m->m_pkthdr.len < sizeof(struct ip)) {
900 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
901 printf("ipsec_setspidx: "
902 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
903 m->m_pkthdr.len));
904 return EINVAL;
905 }
906
907 if (m->m_len >= sizeof(*ip))
908 ip = mtod(m, struct ip *);
909 else {
910 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
911 ip = &ipbuf;
912 }
913 #ifdef _IP_VHL
914 v = _IP_VHL_V(ip->ip_vhl);
915 #else
916 v = ip->ip_v;
917 #endif
918 switch (v) {
919 case 4:
920 error = ipsec4_setspidx_ipaddr(m, spidx);
921 if (error)
922 return error;
923 ipsec4_get_ulp(m, spidx, needport);
924 return 0;
925 #ifdef INET6
926 case 6:
927 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
928 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
929 printf("ipsec_setspidx: "
930 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
931 "ignored.\n", m->m_pkthdr.len));
932 return EINVAL;
933 }
934 error = ipsec6_setspidx_ipaddr(m, spidx);
935 if (error)
936 return error;
937 ipsec6_get_ulp(m, spidx, needport);
938 return 0;
939 #endif
940 default:
941 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
942 printf("ipsec_setspidx: "
943 "unknown IP version %u, ignored.\n", v));
944 return EINVAL;
945 }
946 }
947
948 static void
949 ipsec4_get_ulp(m, spidx, needport)
950 struct mbuf *m;
951 struct secpolicyindex *spidx;
952 int needport;
953 {
954 struct ip ip;
955 struct ip6_ext ip6e;
956 u_int8_t nxt;
957 int off;
958 struct tcphdr th;
959 struct udphdr uh;
960
961 /* sanity check */
962 if (m == NULL)
963 panic("ipsec4_get_ulp: NULL pointer was passed.");
964 if (m->m_pkthdr.len < sizeof(ip))
965 panic("ipsec4_get_ulp: too short");
966
967 /* set default */
968 spidx->ul_proto = IPSEC_ULPROTO_ANY;
969 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
970 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
971
972 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
973 /* ip_input() flips it into host endian XXX need more checking */
974 if (ip.ip_off & (IP_MF | IP_OFFMASK))
975 return;
976
977 nxt = ip.ip_p;
978 #ifdef _IP_VHL
979 off = _IP_VHL_HL(ip->ip_vhl) << 2;
980 #else
981 off = ip.ip_hl << 2;
982 #endif
983 while (off < m->m_pkthdr.len) {
984 switch (nxt) {
985 case IPPROTO_TCP:
986 spidx->ul_proto = nxt;
987 if (!needport)
988 return;
989 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
990 return;
991 m_copydata(m, off, sizeof(th), (caddr_t)&th);
992 ((struct sockaddr_in *)&spidx->src)->sin_port =
993 th.th_sport;
994 ((struct sockaddr_in *)&spidx->dst)->sin_port =
995 th.th_dport;
996 return;
997 case IPPROTO_UDP:
998 spidx->ul_proto = nxt;
999 if (!needport)
1000 return;
1001 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1002 return;
1003 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1004 ((struct sockaddr_in *)&spidx->src)->sin_port =
1005 uh.uh_sport;
1006 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1007 uh.uh_dport;
1008 return;
1009 case IPPROTO_AH:
1010 if (off + sizeof(ip6e) > m->m_pkthdr.len)
1011 return;
1012 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1013 off += (ip6e.ip6e_len + 2) << 2;
1014 nxt = ip6e.ip6e_nxt;
1015 break;
1016 case IPPROTO_ICMP:
1017 default:
1018 /* XXX intermediate headers??? */
1019 spidx->ul_proto = nxt;
1020 return;
1021 }
1022 }
1023 }
1024
1025 /* assumes that m is sane */
1026 static int
1027 ipsec4_setspidx_ipaddr(m, spidx)
1028 struct mbuf *m;
1029 struct secpolicyindex *spidx;
1030 {
1031 struct ip *ip = NULL;
1032 struct ip ipbuf;
1033 struct sockaddr_in *sin;
1034
1035 if (m->m_len >= sizeof(*ip))
1036 ip = mtod(m, struct ip *);
1037 else {
1038 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1039 ip = &ipbuf;
1040 }
1041
1042 sin = (struct sockaddr_in *)&spidx->src;
1043 bzero(sin, sizeof(*sin));
1044 sin->sin_family = AF_INET;
1045 sin->sin_len = sizeof(struct sockaddr_in);
1046 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1047 spidx->prefs = sizeof(struct in_addr) << 3;
1048
1049 sin = (struct sockaddr_in *)&spidx->dst;
1050 bzero(sin, sizeof(*sin));
1051 sin->sin_family = AF_INET;
1052 sin->sin_len = sizeof(struct sockaddr_in);
1053 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1054 spidx->prefd = sizeof(struct in_addr) << 3;
1055 return 0;
1056 }
1057
1058 #ifdef INET6
1059 static void
1060 ipsec6_get_ulp(m, spidx, needport)
1061 struct mbuf *m;
1062 struct secpolicyindex *spidx;
1063 int needport;
1064 {
1065 int off, nxt;
1066 struct tcphdr th;
1067 struct udphdr uh;
1068 struct icmp6_hdr ih;
1069
1070 /* sanity check */
1071 if (m == NULL)
1072 panic("ipsec6_get_ulp: NULL pointer was passed.");
1073
1074 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1075 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1076
1077 /* set default */
1078 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1079 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1080 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1081
1082 nxt = -1;
1083 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1084 if (off < 0 || m->m_pkthdr.len < off)
1085 return;
1086
1087 switch (nxt) {
1088 case IPPROTO_TCP:
1089 spidx->ul_proto = nxt;
1090 if (!needport)
1091 break;
1092 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1093 break;
1094 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1095 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1096 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1097 break;
1098 case IPPROTO_UDP:
1099 spidx->ul_proto = nxt;
1100 if (!needport)
1101 break;
1102 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1103 break;
1104 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1105 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1106 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1107 break;
1108 case IPPROTO_ICMPV6:
1109 spidx->ul_proto = nxt;
1110 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
1111 break;
1112 m_copydata(m, off, sizeof(ih), (caddr_t)&ih);
1113 ((struct sockaddr_in6 *)&spidx->src)->sin6_port =
1114 htons((u_int16_t)ih.icmp6_type);
1115 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
1116 htons((u_int16_t)ih.icmp6_code);
1117 break;
1118 default:
1119 /* XXX intermediate headers??? */
1120 spidx->ul_proto = nxt;
1121 break;
1122 }
1123 }
1124
1125 /* assumes that m is sane */
1126 static int
1127 ipsec6_setspidx_ipaddr(m, spidx)
1128 struct mbuf *m;
1129 struct secpolicyindex *spidx;
1130 {
1131 struct ip6_hdr *ip6 = NULL;
1132 struct ip6_hdr ip6buf;
1133 struct sockaddr_in6 *sin6;
1134
1135 if (m->m_len >= sizeof(*ip6))
1136 ip6 = mtod(m, struct ip6_hdr *);
1137 else {
1138 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1139 ip6 = &ip6buf;
1140 }
1141
1142 sin6 = (struct sockaddr_in6 *)&spidx->src;
1143 bzero(sin6, sizeof(*sin6));
1144 sin6->sin6_family = AF_INET6;
1145 sin6->sin6_len = sizeof(struct sockaddr_in6);
1146 in6_recoverscope(sin6, &ip6->ip6_src, NULL);
1147 spidx->prefs = sizeof(struct in6_addr) << 3;
1148
1149 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1150 bzero(sin6, sizeof(*sin6));
1151 sin6->sin6_family = AF_INET6;
1152 sin6->sin6_len = sizeof(struct sockaddr_in6);
1153 in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
1154 spidx->prefd = sizeof(struct in6_addr) << 3;
1155
1156 return 0;
1157 }
1158 #endif
1159
1160 static struct inpcbpolicy *
1161 ipsec_newpcbpolicy()
1162 {
1163 struct inpcbpolicy *p;
1164
1165 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
1166 return p;
1167 }
1168
1169 static void
1170 ipsec_delpcbpolicy(p)
1171 struct inpcbpolicy *p;
1172 {
1173
1174 free(p, M_SECA);
1175 }
1176
1177 /* initialize policy in PCB */
1178 int
1179 ipsec_init_pcbpolicy(so, pcb_sp)
1180 struct socket *so;
1181 struct inpcbpolicy **pcb_sp;
1182 {
1183 struct inpcbpolicy *new;
1184 static int initialized = 0;
1185 static struct secpolicy *in = NULL, *out = NULL;
1186
1187 /* sanity check. */
1188 if (so == NULL || pcb_sp == NULL)
1189 panic("ipsec_init_pcbpolicy: NULL pointer was passed.");
1190
1191 if (!initialized) {
1192 if ((in = key_newsp(0)) == NULL)
1193 return ENOBUFS;
1194 if ((out = key_newsp(0)) == NULL) {
1195 key_freesp(in);
1196 in = NULL;
1197 return ENOBUFS;
1198 }
1199
1200 in->state = IPSEC_SPSTATE_ALIVE;
1201 in->policy = IPSEC_POLICY_ENTRUST;
1202 in->dir = IPSEC_DIR_INBOUND;
1203 in->readonly = 1;
1204 in->persist = 1;
1205 in->so = NULL;
1206
1207 out->state = IPSEC_SPSTATE_ALIVE;
1208 out->policy = IPSEC_POLICY_ENTRUST;
1209 out->dir = IPSEC_DIR_OUTBOUND;
1210 out->readonly = 1;
1211 out->persist = 1;
1212 out->so = NULL;
1213
1214 initialized++;
1215 }
1216
1217 new = ipsec_newpcbpolicy();
1218 if (new == NULL) {
1219 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n"));
1220 return ENOBUFS;
1221 }
1222 bzero(new, sizeof(*new));
1223
1224 if (so->so_cred != 0 && so->so_cred->cr_uid == 0)
1225 new->priv = 1;
1226 else
1227 new->priv = 0;
1228
1229 new->sp_in = in;
1230 new->sp_in->refcnt++;
1231 new->sp_out = out;
1232 new->sp_out->refcnt++;
1233
1234 *pcb_sp = new;
1235
1236 return 0;
1237 }
1238
1239 /* copy old ipsec policy into new */
1240 int
1241 ipsec_copy_pcbpolicy(old, new)
1242 struct inpcbpolicy *old, *new;
1243 {
1244
1245 if (new->sp_in)
1246 key_freesp(new->sp_in);
1247 if (old->sp_in->policy == IPSEC_POLICY_IPSEC)
1248 new->sp_in = ipsec_deepcopy_policy(old->sp_in);
1249 else {
1250 new->sp_in = old->sp_in;
1251 new->sp_in->refcnt++;
1252 }
1253
1254 if (new->sp_out)
1255 key_freesp(new->sp_out);
1256 if (old->sp_out->policy == IPSEC_POLICY_IPSEC)
1257 new->sp_out = ipsec_deepcopy_policy(old->sp_out);
1258 else {
1259 new->sp_out = old->sp_out;
1260 new->sp_out->refcnt++;
1261 }
1262
1263 new->priv = old->priv;
1264
1265 return 0;
1266 }
1267
1268 #if 0
1269 static int
1270 ipsec_deepcopy_pcbpolicy(pcb_sp)
1271 struct inpcbpolicy *pcb_sp;
1272 {
1273 struct secpolicy *sp;
1274
1275 sp = ipsec_deepcopy_policy(pcb_sp->sp_in);
1276 if (sp) {
1277 key_freesp(pcb_sp->sp_in);
1278 pcb_sp->sp_in = sp;
1279 } else
1280 return ENOBUFS;
1281
1282 sp = ipsec_deepcopy_policy(pcb_sp->sp_out);
1283 if (sp) {
1284 key_freesp(pcb_sp->sp_out);
1285 pcb_sp->sp_out = sp;
1286 } else
1287 return ENOBUFS;
1288
1289 return 0;
1290 }
1291 #endif
1292
1293 /* deep-copy a policy in PCB */
1294 static struct secpolicy *
1295 ipsec_deepcopy_policy(src)
1296 struct secpolicy *src;
1297 {
1298 struct ipsecrequest *newchain = NULL;
1299 struct ipsecrequest *p;
1300 struct ipsecrequest **q;
1301 struct ipsecrequest *r;
1302 struct secpolicy *dst;
1303
1304 if (src == NULL)
1305 return NULL;
1306
1307 dst = key_newsp(0);
1308 if (dst == NULL)
1309 return NULL;
1310
1311 /*
1312 * deep-copy IPsec request chain. This is required since struct
1313 * ipsecrequest is not reference counted.
1314 */
1315 q = &newchain;
1316 for (p = src->req; p; p = p->next) {
1317 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
1318 M_SECA, M_NOWAIT);
1319 if (*q == NULL)
1320 goto fail;
1321 bzero(*q, sizeof(**q));
1322 (*q)->next = NULL;
1323
1324 (*q)->saidx.proto = p->saidx.proto;
1325 (*q)->saidx.mode = p->saidx.mode;
1326 (*q)->level = p->level;
1327 (*q)->saidx.reqid = p->saidx.reqid;
1328
1329 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1330 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1331
1332 (*q)->sav = NULL;
1333 (*q)->sp = dst;
1334
1335 q = &((*q)->next);
1336 }
1337
1338 if (src->spidx)
1339 if (keydb_setsecpolicyindex(dst, src->spidx) != 0)
1340 goto fail;
1341
1342 dst->req = newchain;
1343 dst->state = src->state;
1344 dst->policy = src->policy;
1345 dst->dir = src->dir;
1346 dst->so = src->so;
1347 /* do not touch the refcnt fields */
1348
1349 return dst;
1350
1351 fail:
1352 for (p = newchain; p; p = r) {
1353 r = p->next;
1354 free(p, M_SECA);
1355 p = NULL;
1356 }
1357 key_freesp(dst);
1358 return NULL;
1359 }
1360
1361 /* set policy and ipsec request if present. */
1362 static int
1363 ipsec_set_policy(spp, optname, request, len, priv)
1364 struct secpolicy **spp;
1365 int optname;
1366 caddr_t request;
1367 size_t len;
1368 int priv;
1369 {
1370 struct sadb_x_policy *xpl;
1371 struct secpolicy *newsp = NULL;
1372 int error;
1373
1374 /* sanity check. */
1375 if (spp == NULL || *spp == NULL || request == NULL)
1376 return EINVAL;
1377 if (len < sizeof(*xpl))
1378 return EINVAL;
1379 xpl = (struct sadb_x_policy *)request;
1380
1381 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1382 printf("ipsec_set_policy: passed policy\n");
1383 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1384
1385 /* check policy type */
1386 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1387 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
1388 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1389 return EINVAL;
1390
1391 /* check privileged socket */
1392 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1393 return EACCES;
1394
1395 /* allocation new SP entry */
1396 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1397 return error;
1398
1399 newsp->state = IPSEC_SPSTATE_ALIVE;
1400
1401 /* clear old SP and set new SP */
1402 key_freesp(*spp);
1403 *spp = newsp;
1404 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1405 printf("ipsec_set_policy: new policy\n");
1406 kdebug_secpolicy(newsp));
1407
1408 return 0;
1409 }
1410
1411 static int
1412 ipsec_get_policy(sp, mp)
1413 struct secpolicy *sp;
1414 struct mbuf **mp;
1415 {
1416
1417 /* sanity check. */
1418 if (sp == NULL || mp == NULL)
1419 return EINVAL;
1420
1421 *mp = key_sp2msg(sp);
1422 if (!*mp) {
1423 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1424 return ENOBUFS;
1425 }
1426
1427 (*mp)->m_type = MT_DATA;
1428 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1429 printf("ipsec_get_policy:\n");
1430 kdebug_mbuf(*mp));
1431
1432 return 0;
1433 }
1434
1435 int
1436 ipsec4_set_policy(inp, optname, request, len, priv)
1437 struct inpcb *inp;
1438 int optname;
1439 caddr_t request;
1440 size_t len;
1441 int priv;
1442 {
1443 struct sadb_x_policy *xpl;
1444 struct secpolicy **spp;
1445
1446 /* sanity check. */
1447 if (inp == NULL || request == NULL)
1448 return EINVAL;
1449 if (len < sizeof(*xpl))
1450 return EINVAL;
1451 xpl = (struct sadb_x_policy *)request;
1452
1453 /* select direction */
1454 switch (xpl->sadb_x_policy_dir) {
1455 case IPSEC_DIR_INBOUND:
1456 spp = &inp->inp_sp->sp_in;
1457 break;
1458 case IPSEC_DIR_OUTBOUND:
1459 spp = &inp->inp_sp->sp_out;
1460 break;
1461 default:
1462 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1463 xpl->sadb_x_policy_dir));
1464 return EINVAL;
1465 }
1466
1467 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1468 return ipsec_set_policy(spp, optname, request, len, priv);
1469 }
1470
1471 int
1472 ipsec4_get_policy(inp, request, len, mp)
1473 struct inpcb *inp;
1474 caddr_t request;
1475 size_t len;
1476 struct mbuf **mp;
1477 {
1478 struct sadb_x_policy *xpl;
1479 struct secpolicy *sp;
1480
1481 /* sanity check. */
1482 if (inp == NULL || request == NULL || mp == NULL)
1483 return EINVAL;
1484 if (inp->inp_sp == NULL)
1485 panic("policy in PCB is NULL");
1486 if (len < sizeof(*xpl))
1487 return EINVAL;
1488 xpl = (struct sadb_x_policy *)request;
1489
1490 /* select direction */
1491 switch (xpl->sadb_x_policy_dir) {
1492 case IPSEC_DIR_INBOUND:
1493 sp = inp->inp_sp->sp_in;
1494 break;
1495 case IPSEC_DIR_OUTBOUND:
1496 sp = inp->inp_sp->sp_out;
1497 break;
1498 default:
1499 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n",
1500 xpl->sadb_x_policy_dir));
1501 return EINVAL;
1502 }
1503
1504 return ipsec_get_policy(sp, mp);
1505 }
1506
1507 /* delete policy in PCB */
1508 int
1509 ipsec4_delete_pcbpolicy(inp)
1510 struct inpcb *inp;
1511 {
1512 /* sanity check. */
1513 if (inp == NULL)
1514 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1515
1516 if (inp->inp_sp == NULL)
1517 return 0;
1518
1519 if (inp->inp_sp->sp_in != NULL) {
1520 key_freesp(inp->inp_sp->sp_in);
1521 inp->inp_sp->sp_in = NULL;
1522 }
1523
1524 if (inp->inp_sp->sp_out != NULL) {
1525 key_freesp(inp->inp_sp->sp_out);
1526 inp->inp_sp->sp_out = NULL;
1527 }
1528
1529 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1530
1531 ipsec_delpcbpolicy(inp->inp_sp);
1532 inp->inp_sp = NULL;
1533
1534 return 0;
1535 }
1536
1537 #ifdef INET6
1538 int
1539 ipsec6_set_policy(in6p, optname, request, len, priv)
1540 struct in6pcb *in6p;
1541 int optname;
1542 caddr_t request;
1543 size_t len;
1544 int priv;
1545 {
1546 struct sadb_x_policy *xpl;
1547 struct secpolicy **spp;
1548
1549 /* sanity check. */
1550 if (in6p == NULL || request == NULL)
1551 return EINVAL;
1552 if (len < sizeof(*xpl))
1553 return EINVAL;
1554 xpl = (struct sadb_x_policy *)request;
1555
1556 /* select direction */
1557 switch (xpl->sadb_x_policy_dir) {
1558 case IPSEC_DIR_INBOUND:
1559 spp = &in6p->in6p_sp->sp_in;
1560 break;
1561 case IPSEC_DIR_OUTBOUND:
1562 spp = &in6p->in6p_sp->sp_out;
1563 break;
1564 default:
1565 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1566 xpl->sadb_x_policy_dir));
1567 return EINVAL;
1568 }
1569
1570 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1571 return ipsec_set_policy(spp, optname, request, len, priv);
1572 }
1573
1574 int
1575 ipsec6_get_policy(in6p, request, len, mp)
1576 struct in6pcb *in6p;
1577 caddr_t request;
1578 size_t len;
1579 struct mbuf **mp;
1580 {
1581 struct sadb_x_policy *xpl;
1582 struct secpolicy *sp;
1583
1584 /* sanity check. */
1585 if (in6p == NULL || request == NULL || mp == NULL)
1586 return EINVAL;
1587 if (in6p->in6p_sp == NULL)
1588 panic("policy in PCB is NULL");
1589 if (len < sizeof(*xpl))
1590 return EINVAL;
1591 xpl = (struct sadb_x_policy *)request;
1592
1593 /* select direction */
1594 switch (xpl->sadb_x_policy_dir) {
1595 case IPSEC_DIR_INBOUND:
1596 sp = in6p->in6p_sp->sp_in;
1597 break;
1598 case IPSEC_DIR_OUTBOUND:
1599 sp = in6p->in6p_sp->sp_out;
1600 break;
1601 default:
1602 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n",
1603 xpl->sadb_x_policy_dir));
1604 return EINVAL;
1605 }
1606
1607 return ipsec_get_policy(sp, mp);
1608 }
1609
1610 int
1611 ipsec6_delete_pcbpolicy(in6p)
1612 struct in6pcb *in6p;
1613 {
1614 /* sanity check. */
1615 if (in6p == NULL)
1616 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1617
1618 if (in6p->in6p_sp == NULL)
1619 return 0;
1620
1621 if (in6p->in6p_sp->sp_in != NULL) {
1622 key_freesp(in6p->in6p_sp->sp_in);
1623 in6p->in6p_sp->sp_in = NULL;
1624 }
1625
1626 if (in6p->in6p_sp->sp_out != NULL) {
1627 key_freesp(in6p->in6p_sp->sp_out);
1628 in6p->in6p_sp->sp_out = NULL;
1629 }
1630
1631 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1632
1633 ipsec_delpcbpolicy(in6p->in6p_sp);
1634 in6p->in6p_sp = NULL;
1635
1636 return 0;
1637 }
1638 #endif
1639
1640 /*
1641 * return current level.
1642 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1643 */
1644 u_int
1645 ipsec_get_reqlevel(isr, af)
1646 struct ipsecrequest *isr;
1647 int af;
1648 {
1649 u_int level = 0;
1650 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1651
1652 /* sanity check */
1653 if (isr == NULL || isr->sp == NULL)
1654 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1655
1656 /* set default level */
1657 switch (af) {
1658 #ifdef INET
1659 case AF_INET:
1660 esp_trans_deflev = ip4_esp_trans_deflev;
1661 esp_net_deflev = ip4_esp_net_deflev;
1662 ah_trans_deflev = ip4_ah_trans_deflev;
1663 ah_net_deflev = ip4_ah_net_deflev;
1664 break;
1665 #endif
1666 #ifdef INET6
1667 case AF_INET6:
1668 esp_trans_deflev = ip6_esp_trans_deflev;
1669 esp_net_deflev = ip6_esp_net_deflev;
1670 ah_trans_deflev = ip6_ah_trans_deflev;
1671 ah_net_deflev = ip6_ah_net_deflev;
1672 break;
1673 #endif /* INET6 */
1674 default:
1675 panic("key_get_reqlevel: Unknown family. %d",
1676 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family);
1677 }
1678
1679 /* set level */
1680 switch (isr->level) {
1681 case IPSEC_LEVEL_DEFAULT:
1682 switch (isr->saidx.proto) {
1683 case IPPROTO_ESP:
1684 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1685 level = esp_net_deflev;
1686 else
1687 level = esp_trans_deflev;
1688 break;
1689 case IPPROTO_AH:
1690 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1691 level = ah_net_deflev;
1692 else
1693 level = ah_trans_deflev;
1694 case IPPROTO_IPCOMP:
1695 /*
1696 * we don't really care, as IPcomp document says that
1697 * we shouldn't compress small packets
1698 */
1699 level = IPSEC_LEVEL_USE;
1700 break;
1701 default:
1702 panic("ipsec_get_reqlevel: "
1703 "Illegal protocol defined %u\n",
1704 isr->saidx.proto);
1705 }
1706 break;
1707
1708 case IPSEC_LEVEL_USE:
1709 case IPSEC_LEVEL_REQUIRE:
1710 level = isr->level;
1711 break;
1712 case IPSEC_LEVEL_UNIQUE:
1713 level = IPSEC_LEVEL_REQUIRE;
1714 break;
1715
1716 default:
1717 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1718 isr->level);
1719 }
1720
1721 return level;
1722 }
1723
1724 /*
1725 * Check AH/ESP integrity.
1726 * OUT:
1727 * 0: valid
1728 * 1: invalid
1729 */
1730 static int
1731 ipsec_in_reject(sp, m)
1732 struct secpolicy *sp;
1733 struct mbuf *m;
1734 {
1735 struct ipsecrequest *isr;
1736 u_int level;
1737 int need_auth, need_conf, need_icv;
1738
1739 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1740 printf("ipsec_in_reject: using SP\n");
1741 kdebug_secpolicy(sp));
1742
1743 /* check policy */
1744 switch (sp->policy) {
1745 case IPSEC_POLICY_DISCARD:
1746 return 1;
1747 case IPSEC_POLICY_BYPASS:
1748 case IPSEC_POLICY_NONE:
1749 return 0;
1750
1751 case IPSEC_POLICY_IPSEC:
1752 break;
1753
1754 case IPSEC_POLICY_ENTRUST:
1755 default:
1756 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy);
1757 }
1758
1759 need_auth = 0;
1760 need_conf = 0;
1761 need_icv = 0;
1762
1763 /* XXX should compare policy against ipsec header history */
1764
1765 for (isr = sp->req; isr != NULL; isr = isr->next) {
1766 /* get current level */
1767 level = ipsec_get_reqlevel(isr, AF_INET);
1768
1769 switch (isr->saidx.proto) {
1770 case IPPROTO_ESP:
1771 if (level == IPSEC_LEVEL_REQUIRE) {
1772 need_conf++;
1773
1774 if (isr->sav != NULL
1775 && isr->sav->flags == SADB_X_EXT_NONE
1776 && isr->sav->alg_auth != SADB_AALG_NONE)
1777 need_icv++;
1778 }
1779 break;
1780 case IPPROTO_AH:
1781 if (level == IPSEC_LEVEL_REQUIRE) {
1782 need_auth++;
1783 need_icv++;
1784 }
1785 break;
1786 case IPPROTO_IPCOMP:
1787 /*
1788 * we don't really care, as IPcomp document says that
1789 * we shouldn't compress small packets, IPComp policy
1790 * should always be treated as being in "use" level.
1791 */
1792 break;
1793 }
1794 }
1795
1796 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1797 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1798 need_auth, need_conf, need_icv, m->m_flags));
1799
1800 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1801 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1802 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1803 return 1;
1804
1805 return 0;
1806 }
1807
1808 /*
1809 * Check AH/ESP integrity.
1810 * This function is called from tcp_input(), udp_input(),
1811 * and {ah,esp}4_input for tunnel mode
1812 */
1813 int
1814 ipsec4_in_reject(m, inp)
1815 struct mbuf *m;
1816 struct inpcb *inp;
1817 {
1818 struct secpolicy *sp = NULL;
1819 int error;
1820 int result;
1821
1822 /* sanity check */
1823 if (m == NULL)
1824 return 0; /* XXX should be panic ? */
1825
1826 /* get SP for this packet.
1827 * When we are called from ip_forward(), we call
1828 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1829 */
1830 if (inp == NULL)
1831 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1832 IP_FORWARDING, &error);
1833 else
1834 sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error);
1835
1836 /* XXX should be panic ? -> No, there may be error. */
1837 if (sp == NULL)
1838 return 0;
1839
1840 result = ipsec_in_reject(sp, m);
1841 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1842 printf("DP ipsec4_in_reject call free SP:%p\n", sp));
1843 key_freesp(sp);
1844
1845 return result;
1846 }
1847
1848 #ifdef INET6
1849 /*
1850 * Check AH/ESP integrity.
1851 * This function is called from tcp6_input(), udp6_input(),
1852 * and {ah,esp}6_input for tunnel mode
1853 */
1854 int
1855 ipsec6_in_reject(m, in6p)
1856 struct mbuf *m;
1857 struct in6pcb *in6p;
1858 {
1859 struct secpolicy *sp = NULL;
1860 int error;
1861 int result;
1862
1863 /* sanity check */
1864 if (m == NULL)
1865 return 0; /* XXX should be panic ? */
1866
1867 /* get SP for this packet.
1868 * When we are called from ip_forward(), we call
1869 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1870 */
1871 if (in6p == NULL)
1872 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1873 IP_FORWARDING, &error);
1874 else
1875 sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error);
1876
1877 if (sp == NULL)
1878 return 0; /* XXX should be panic ? */
1879
1880 result = ipsec_in_reject(sp, m);
1881 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1882 printf("DP ipsec6_in_reject call free SP:%p\n", sp));
1883 key_freesp(sp);
1884
1885 return result;
1886 }
1887 #endif
1888
1889 /*
1890 * compute the byte size to be occupied by IPsec header.
1891 * in case it is tunneled, it includes the size of outer IP header.
1892 * NOTE: SP passed is free in this function.
1893 */
1894 static size_t
1895 ipsec_hdrsiz(sp)
1896 struct secpolicy *sp;
1897 {
1898 struct ipsecrequest *isr;
1899 size_t siz, clen;
1900
1901 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1902 printf("ipsec_hdrsiz: using SP\n");
1903 kdebug_secpolicy(sp));
1904
1905 /* check policy */
1906 switch (sp->policy) {
1907 case IPSEC_POLICY_DISCARD:
1908 case IPSEC_POLICY_BYPASS:
1909 case IPSEC_POLICY_NONE:
1910 return 0;
1911
1912 case IPSEC_POLICY_IPSEC:
1913 break;
1914
1915 case IPSEC_POLICY_ENTRUST:
1916 default:
1917 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1918 }
1919
1920 siz = 0;
1921
1922 for (isr = sp->req; isr != NULL; isr = isr->next) {
1923
1924 clen = 0;
1925
1926 switch (isr->saidx.proto) {
1927 case IPPROTO_ESP:
1928 #ifdef IPSEC_ESP
1929 clen = esp_hdrsiz(isr);
1930 #else
1931 clen = 0; /* XXX */
1932 #endif
1933 break;
1934 case IPPROTO_AH:
1935 clen = ah_hdrsiz(isr);
1936 break;
1937 case IPPROTO_IPCOMP:
1938 clen = sizeof(struct ipcomp);
1939 break;
1940 }
1941
1942 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1943 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1944 case AF_INET:
1945 clen += sizeof(struct ip);
1946 break;
1947 #ifdef INET6
1948 case AF_INET6:
1949 clen += sizeof(struct ip6_hdr);
1950 break;
1951 #endif
1952 default:
1953 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1954 "unknown AF %d in IPsec tunnel SA\n",
1955 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1956 break;
1957 }
1958 }
1959 siz += clen;
1960 }
1961
1962 return siz;
1963 }
1964
1965 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1966 size_t
1967 ipsec4_hdrsiz(m, dir, inp)
1968 struct mbuf *m;
1969 u_int dir;
1970 struct inpcb *inp;
1971 {
1972 struct secpolicy *sp = NULL;
1973 int error;
1974 size_t size;
1975
1976 /* sanity check */
1977 if (m == NULL)
1978 return 0; /* XXX should be panic ? */
1979 #if 0
1980 /* this is possible in TIME_WAIT state */
1981 if (inp != NULL && inp->inp_socket == NULL)
1982 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1983 #endif
1984
1985 /* get SP for this packet.
1986 * When we are called from ip_forward(), we call
1987 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1988 */
1989 if (inp == NULL)
1990 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1991 else
1992 sp = ipsec4_getpolicybypcb(m, dir, inp, &error);
1993
1994 if (sp == NULL)
1995 return 0; /* XXX should be panic ? */
1996
1997 size = ipsec_hdrsiz(sp);
1998 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1999 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
2000 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2001 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
2002 key_freesp(sp);
2003
2004 return size;
2005 }
2006
2007 #ifdef INET6
2008 /* This function is called from ipsec6_hdrsize_tcp(),
2009 * and maybe from ip6_forward.()
2010 */
2011 size_t
2012 ipsec6_hdrsiz(m, dir, in6p)
2013 struct mbuf *m;
2014 u_int dir;
2015 struct in6pcb *in6p;
2016 {
2017 struct secpolicy *sp = NULL;
2018 int error;
2019 size_t size;
2020
2021 /* sanity check */
2022 if (m == NULL)
2023 return 0; /* XXX should be panic ? */
2024 #if 0
2025 /* this is possible in TIME_WAIT state */
2026 if (in6p != NULL && in6p->in6p_socket == NULL)
2027 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2028 #endif
2029
2030 /* get SP for this packet */
2031 /* XXX Is it right to call with IP_FORWARDING. */
2032 if (in6p == NULL)
2033 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2034 else
2035 sp = ipsec6_getpolicybypcb(m, dir, in6p, &error);
2036
2037 if (sp == NULL)
2038 return 0;
2039 size = ipsec_hdrsiz(sp);
2040 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2041 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
2042 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2043 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
2044 key_freesp(sp);
2045
2046 return size;
2047 }
2048 #endif /* INET6 */
2049
2050 #ifdef INET
2051 /*
2052 * encapsulate for ipsec tunnel.
2053 * ip->ip_src must be fixed later on.
2054 */
2055 static int
2056 ipsec4_encapsulate(m, sav)
2057 struct mbuf *m;
2058 struct secasvar *sav;
2059 {
2060 struct ip *oip;
2061 struct ip *ip;
2062 size_t hlen;
2063 size_t plen;
2064
2065 /* can't tunnel between different AFs */
2066 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2067 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2068 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2069 m_freem(m);
2070 return EINVAL;
2071 }
2072 #if 0
2073 /* XXX if the dst is myself, perform nothing. */
2074 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2075 m_freem(m);
2076 return EINVAL;
2077 }
2078 #endif
2079
2080 if (m->m_len < sizeof(*ip))
2081 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2082
2083 ip = mtod(m, struct ip *);
2084 #ifdef _IP_VHL
2085 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
2086 #else
2087 hlen = ip->ip_hl << 2;
2088 #endif
2089
2090 if (m->m_len != hlen)
2091 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2092
2093 /* generate header checksum */
2094 ip->ip_sum = 0;
2095 #ifdef _IP_VHL
2096 if (ip->ip_vhl == IP_VHL_BORING)
2097 ip->ip_sum = in_cksum_hdr(ip);
2098 else
2099 ip->ip_sum = in_cksum(m, hlen);
2100 #else
2101 ip->ip_sum = in_cksum(m, hlen);
2102 #endif
2103
2104 plen = m->m_pkthdr.len;
2105
2106 /*
2107 * grow the mbuf to accomodate the new IPv4 header.
2108 * NOTE: IPv4 options will never be copied.
2109 */
2110 if (M_LEADINGSPACE(m->m_next) < hlen) {
2111 struct mbuf *n;
2112 MGET(n, M_DONTWAIT, MT_DATA);
2113 if (!n) {
2114 m_freem(m);
2115 return ENOBUFS;
2116 }
2117 n->m_len = hlen;
2118 n->m_next = m->m_next;
2119 m->m_next = n;
2120 m->m_pkthdr.len += hlen;
2121 oip = mtod(n, struct ip *);
2122 } else {
2123 m->m_next->m_len += hlen;
2124 m->m_next->m_data -= hlen;
2125 m->m_pkthdr.len += hlen;
2126 oip = mtod(m->m_next, struct ip *);
2127 }
2128 ip = mtod(m, struct ip *);
2129 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2130 m->m_len = sizeof(struct ip);
2131 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2132
2133 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2134 /* ECN consideration. */
2135 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2136 #ifdef _IP_VHL
2137 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2138 #else
2139 ip->ip_hl = sizeof(struct ip) >> 2;
2140 #endif
2141 ip->ip_off &= htons(~IP_OFFMASK);
2142 ip->ip_off &= htons(~IP_MF);
2143 switch (ip4_ipsec_dfbit) {
2144 case 0: /* clear DF bit */
2145 ip->ip_off &= htons(~IP_DF);
2146 break;
2147 case 1: /* set DF bit */
2148 ip->ip_off |= htons(IP_DF);
2149 break;
2150 default: /* copy DF bit */
2151 break;
2152 }
2153 ip->ip_p = IPPROTO_IPIP;
2154 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2155 ip->ip_len = htons(plen + sizeof(struct ip));
2156 else {
2157 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2158 "leave ip_len as is (invalid packet)\n"));
2159 }
2160 ip->ip_id = ip_newid();
2161 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2162 &ip->ip_src, sizeof(ip->ip_src));
2163 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2164 &ip->ip_dst, sizeof(ip->ip_dst));
2165 ip->ip_ttl = IPDEFTTL;
2166
2167 /* XXX Should ip_src be updated later ? */
2168
2169 return 0;
2170 }
2171 #endif /* INET */
2172
2173 #ifdef INET6
2174 static int
2175 ipsec6_encapsulate(m, sav)
2176 struct mbuf *m;
2177 struct secasvar *sav;
2178 {
2179 struct ip6_hdr *oip6;
2180 struct ip6_hdr *ip6;
2181 size_t plen;
2182
2183 /* can't tunnel between different AFs */
2184 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2185 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2186 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2187 m_freem(m);
2188 return EINVAL;
2189 }
2190 #if 0
2191 /* XXX if the dst is myself, perform nothing. */
2192 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2193 m_freem(m);
2194 return EINVAL;
2195 }
2196 #endif
2197
2198 plen = m->m_pkthdr.len;
2199
2200 /*
2201 * grow the mbuf to accomodate the new IPv6 header.
2202 */
2203 if (m->m_len != sizeof(struct ip6_hdr))
2204 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2205 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2206 struct mbuf *n;
2207 MGET(n, M_DONTWAIT, MT_DATA);
2208 if (!n) {
2209 m_freem(m);
2210 return ENOBUFS;
2211 }
2212 n->m_len = sizeof(struct ip6_hdr);
2213 n->m_next = m->m_next;
2214 m->m_next = n;
2215 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2216 oip6 = mtod(n, struct ip6_hdr *);
2217 } else {
2218 m->m_next->m_len += sizeof(struct ip6_hdr);
2219 m->m_next->m_data -= sizeof(struct ip6_hdr);
2220 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2221 oip6 = mtod(m->m_next, struct ip6_hdr *);
2222 }
2223 ip6 = mtod(m, struct ip6_hdr *);
2224 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2225
2226 /* XXX: Fake scoped addresses */
2227 in6_clearscope(&oip6->ip6_src);
2228 in6_clearscope(&oip6->ip6_dst);
2229
2230 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2231 /* ECN consideration. */
2232 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2233 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2234 ip6->ip6_plen = htons(plen);
2235 else {
2236 /* ip6->ip6_plen will be updated in ip6_output() */
2237 }
2238 ip6->ip6_nxt = IPPROTO_IPV6;
2239 in6_embedscope(&ip6->ip6_src,
2240 (struct sockaddr_in6 *)&sav->sah->saidx.src, NULL, NULL);
2241 in6_embedscope(&ip6->ip6_dst,
2242 (struct sockaddr_in6 *)&sav->sah->saidx.dst, NULL, NULL);
2243 ip6->ip6_hlim = IPV6_DEFHLIM;
2244
2245 /* XXX Should ip6_src be updated later ? */
2246
2247 return 0;
2248 }
2249 #endif /* INET6 */
2250
2251 /*
2252 * Check the variable replay window.
2253 * ipsec_chkreplay() performs replay check before ICV verification.
2254 * ipsec_updatereplay() updates replay bitmap. This must be called after
2255 * ICV verification (it also performs replay check, which is usually done
2256 * beforehand).
2257 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2258 *
2259 * based on RFC 2401.
2260 *
2261 * XXX need to update for 64bit sequence number - 2401bis
2262 */
2263 int
2264 ipsec_chkreplay(seq, sav)
2265 u_int32_t seq;
2266 struct secasvar *sav;
2267 {
2268 const struct secreplay *replay;
2269 u_int32_t diff;
2270 int fr;
2271 u_int32_t wsizeb; /* constant: bits of window size */
2272 int frlast; /* constant: last frame */
2273
2274 /* sanity check */
2275 if (sav == NULL)
2276 panic("ipsec_chkreplay: NULL pointer was passed.");
2277
2278 replay = sav->replay;
2279
2280 if (replay->wsize == 0)
2281 return 1; /* no need to check replay. */
2282
2283 /* constant */
2284 frlast = replay->wsize - 1;
2285 wsizeb = replay->wsize << 3;
2286
2287 /* sequence number of 0 is invalid */
2288 if (seq == 0)
2289 return 0;
2290
2291 /* first time is always okay */
2292 if (replay->count == 0)
2293 return 1;
2294
2295 if (seq > replay->lastseq) {
2296 /* larger sequences are okay */
2297 return 1;
2298 } else {
2299 /* seq is equal or less than lastseq. */
2300 diff = replay->lastseq - seq;
2301
2302 /* over range to check, i.e. too old or wrapped */
2303 if (diff >= wsizeb)
2304 return 0;
2305
2306 fr = frlast - diff / 8;
2307
2308 /* this packet already seen ? */
2309 if (replay->bitmap[fr] & (1 << (diff % 8)))
2310 return 0;
2311
2312 /* out of order but good */
2313 return 1;
2314 }
2315 }
2316
2317 /*
2318 * check replay counter whether to update or not.
2319 * OUT: 0: OK
2320 * 1: NG
2321 * XXX need to update for 64bit sequence number - 2401bis
2322 */
2323 int
2324 ipsec_updatereplay(seq, sav)
2325 u_int32_t seq;
2326 struct secasvar *sav;
2327 {
2328 struct secreplay *replay;
2329 u_int64_t diff;
2330 int fr;
2331 u_int32_t wsizeb; /* constant: bits of window size */
2332 int frlast; /* constant: last frame */
2333
2334 /* sanity check */
2335 if (sav == NULL)
2336 panic("ipsec_chkreplay: NULL pointer was passed.");
2337
2338 replay = sav->replay;
2339
2340 if (replay->wsize == 0)
2341 goto ok; /* no need to check replay. */
2342
2343 /* constant */
2344 frlast = replay->wsize - 1;
2345 wsizeb = replay->wsize << 3;
2346
2347 /* sequence number of 0 is invalid */
2348 if (seq == 0)
2349 return 1;
2350
2351 /* first time */
2352 if (replay->count == 0) {
2353 replay->lastseq = seq;
2354 bzero(replay->bitmap, replay->wsize);
2355 replay->bitmap[frlast] = 1;
2356 goto ok;
2357 }
2358
2359 if (seq > replay->lastseq) {
2360 /* seq is larger than lastseq. */
2361 diff = seq - replay->lastseq;
2362
2363 /* new larger sequence number */
2364 if (diff < wsizeb) {
2365 /* In window */
2366 /* set bit for this packet */
2367 vshiftl(replay->bitmap, diff, replay->wsize);
2368 replay->bitmap[frlast] |= 1;
2369 } else {
2370 /* this packet has a "way larger" */
2371 bzero(replay->bitmap, replay->wsize);
2372 replay->bitmap[frlast] = 1;
2373 }
2374 replay->lastseq = seq;
2375
2376 /* larger is good */
2377 } else {
2378 /* seq is equal or less than lastseq. */
2379 diff = replay->lastseq - seq;
2380
2381 /* over range to check, i.e. too old or wrapped */
2382 if (diff >= wsizeb)
2383 return 1;
2384
2385 fr = frlast - diff / 8;
2386
2387 /* this packet already seen ? */
2388 if (replay->bitmap[fr] & (1 << (diff % 8)))
2389 return 1;
2390
2391 /* mark as seen */
2392 replay->bitmap[fr] |= (1 << (diff % 8));
2393
2394 /* out of order but good */
2395 }
2396
2397 ok:
2398 if (replay->count == 0xffffffff) {
2399
2400 /* set overflow flag */
2401 replay->overflow++;
2402
2403 /* don't increment, no more packets accepted */
2404 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2405 return 1;
2406
2407 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2408 replay->overflow, ipsec_logsastr(sav)));
2409 }
2410
2411 replay->count++;
2412
2413 return 0;
2414 }
2415
2416 /*
2417 * shift variable length buffer to left.
2418 * IN: bitmap: pointer to the buffer
2419 * nbit: the number of to shift.
2420 * wsize: buffer size (bytes).
2421 */
2422 static void
2423 vshiftl(bitmap, nbit, wsize)
2424 unsigned char *bitmap;
2425 int nbit, wsize;
2426 {
2427 int s, j, i;
2428 unsigned char over;
2429
2430 for (j = 0; j < nbit; j += 8) {
2431 s = (nbit - j < 8) ? (nbit - j): 8;
2432 bitmap[0] <<= s;
2433 for (i = 1; i < wsize; i++) {
2434 over = (bitmap[i] >> (8 - s));
2435 bitmap[i] <<= s;
2436 bitmap[i - 1] |= over;
2437 }
2438 }
2439
2440 return;
2441 }
2442
2443 const char *
2444 ipsec4_logpacketstr(ip, spi)
2445 struct ip *ip;
2446 u_int32_t spi;
2447 {
2448 static char buf[256];
2449 char *p;
2450 u_int8_t *s, *d;
2451
2452 s = (u_int8_t *)(&ip->ip_src);
2453 d = (u_int8_t *)(&ip->ip_dst);
2454
2455 p = buf;
2456 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2457 while (p && *p)
2458 p++;
2459 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2460 s[0], s[1], s[2], s[3]);
2461 while (p && *p)
2462 p++;
2463 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2464 d[0], d[1], d[2], d[3]);
2465 while (p && *p)
2466 p++;
2467 snprintf(p, sizeof(buf) - (p - buf), ")");
2468
2469 return buf;
2470 }
2471
2472 #ifdef INET6
2473 const char *
2474 ipsec6_logpacketstr(ip6, spi)
2475 struct ip6_hdr *ip6;
2476 u_int32_t spi;
2477 {
2478 static char buf[256];
2479 char *p;
2480
2481 p = buf;
2482 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2483 while (p && *p)
2484 p++;
2485 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2486 ip6_sprintf(&ip6->ip6_src));
2487 while (p && *p)
2488 p++;
2489 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2490 ip6_sprintf(&ip6->ip6_dst));
2491 while (p && *p)
2492 p++;
2493 snprintf(p, sizeof(buf) - (p - buf), ")");
2494
2495 return buf;
2496 }
2497 #endif /* INET6 */
2498
2499 const char *
2500 ipsec_logsastr(sav)
2501 struct secasvar *sav;
2502 {
2503 static char buf[256];
2504 char *p;
2505 struct secasindex *saidx = &sav->sah->saidx;
2506
2507 /* validity check */
2508 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2509 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2510 panic("ipsec_logsastr: family mismatched.");
2511
2512 p = buf;
2513 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2514 while (p && *p)
2515 p++;
2516 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2517 u_int8_t *s, *d;
2518 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2519 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2520 snprintf(p, sizeof(buf) - (p - buf),
2521 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2522 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2523 }
2524 #ifdef INET6
2525 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2526 snprintf(p, sizeof(buf) - (p - buf),
2527 "src=%s",
2528 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2529 while (p && *p)
2530 p++;
2531 snprintf(p, sizeof(buf) - (p - buf),
2532 " dst=%s",
2533 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2534 }
2535 #endif
2536 while (p && *p)
2537 p++;
2538 snprintf(p, sizeof(buf) - (p - buf), ")");
2539
2540 return buf;
2541 }
2542
2543 void
2544 ipsec_dumpmbuf(m)
2545 struct mbuf *m;
2546 {
2547 int totlen;
2548 int i;
2549 u_char *p;
2550
2551 totlen = 0;
2552 printf("---\n");
2553 while (m) {
2554 p = mtod(m, u_char *);
2555 for (i = 0; i < m->m_len; i++) {
2556 printf("%02x ", p[i]);
2557 totlen++;
2558 if (totlen % 16 == 0)
2559 printf("\n");
2560 }
2561 m = m->m_next;
2562 }
2563 if (totlen % 16 != 0)
2564 printf("\n");
2565 printf("---\n");
2566 }
2567
2568 #ifdef INET
2569 static int
2570 ipsec4_checksa(isr, state)
2571 struct ipsecrequest *isr;
2572 struct ipsec_output_state *state;
2573 {
2574 struct ip *ip;
2575 struct secasindex saidx;
2576 struct sockaddr_in *sin;
2577
2578 /* make SA index for search proper SA */
2579 ip = mtod(state->m, struct ip *);
2580 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2581 saidx.mode = isr->saidx.mode;
2582 saidx.reqid = isr->saidx.reqid;
2583 sin = (struct sockaddr_in *)&saidx.src;
2584 if (sin->sin_len == 0) {
2585 sin->sin_len = sizeof(*sin);
2586 sin->sin_family = AF_INET;
2587 sin->sin_port = IPSEC_PORT_ANY;
2588 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
2589 }
2590 sin = (struct sockaddr_in *)&saidx.dst;
2591 if (sin->sin_len == 0) {
2592 sin->sin_len = sizeof(*sin);
2593 sin->sin_family = AF_INET;
2594 sin->sin_port = IPSEC_PORT_ANY;
2595 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
2596 }
2597
2598 return key_checkrequest(isr, &saidx);
2599 }
2600 /*
2601 * IPsec output logic for IPv4.
2602 */
2603 int
2604 ipsec4_output(state, sp, flags)
2605 struct ipsec_output_state *state;
2606 struct secpolicy *sp;
2607 int flags;
2608 {
2609 struct ip *ip = NULL;
2610 struct ipsecrequest *isr = NULL;
2611 int s;
2612 int error;
2613 struct sockaddr_in *dst4;
2614
2615 if (!state)
2616 panic("state == NULL in ipsec4_output");
2617 if (!state->m)
2618 panic("state->m == NULL in ipsec4_output");
2619 if (!state->ro)
2620 panic("state->ro == NULL in ipsec4_output");
2621 if (!state->dst)
2622 panic("state->dst == NULL in ipsec4_output");
2623 state->encap = 0;
2624
2625 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2626 printf("ipsec4_output: applyed SP\n");
2627 kdebug_secpolicy(sp));
2628
2629 for (isr = sp->req; isr != NULL; isr = isr->next) {
2630
2631 #if 0 /* give up to check restriction of transport mode */
2632 /* XXX but should be checked somewhere */
2633 /*
2634 * some of the IPsec operation must be performed only in
2635 * originating case.
2636 */
2637 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2638 && (flags & IP_FORWARDING))
2639 continue;
2640 #endif
2641 error = ipsec4_checksa(isr, state);
2642 if (error != 0) {
2643 /*
2644 * IPsec processing is required, but no SA found.
2645 * I assume that key_acquire() had been called
2646 * to get/establish the SA. Here I discard
2647 * this packet because it is responsibility for
2648 * upper layer to retransmit the packet.
2649 */
2650 ipsecstat.out_nosa++;
2651 goto bad;
2652 }
2653
2654 /* validity check */
2655 if (isr->sav == NULL) {
2656 switch (ipsec_get_reqlevel(isr, AF_INET)) {
2657 case IPSEC_LEVEL_USE:
2658 continue;
2659 case IPSEC_LEVEL_REQUIRE:
2660 /* must be not reached here. */
2661 panic("ipsec4_output: no SA found, but required.");
2662 }
2663 }
2664
2665 /*
2666 * If there is no valid SA, we give up to process any
2667 * more. In such a case, the SA's status is changed
2668 * from DYING to DEAD after allocating. If a packet
2669 * send to the receiver by dead SA, the receiver can
2670 * not decode a packet because SA has been dead.
2671 */
2672 if (isr->sav->state != SADB_SASTATE_MATURE
2673 && isr->sav->state != SADB_SASTATE_DYING) {
2674 ipsecstat.out_nosa++;
2675 error = EINVAL;
2676 goto bad;
2677 }
2678
2679 /*
2680 * There may be the case that SA status will be changed when
2681 * we are refering to one. So calling splsoftnet().
2682 */
2683 s = splnet();
2684
2685 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2686 /*
2687 * build IPsec tunnel.
2688 */
2689 /* XXX should be processed with other familiy */
2690 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2691 ipseclog((LOG_ERR, "ipsec4_output: "
2692 "family mismatched between inner and outer spi=%u\n",
2693 (u_int32_t)ntohl(isr->sav->spi)));
2694 splx(s);
2695 error = EAFNOSUPPORT;
2696 goto bad;
2697 }
2698
2699 state->m = ipsec4_splithdr(state->m);
2700 if (!state->m) {
2701 splx(s);
2702 error = ENOMEM;
2703 goto bad;
2704 }
2705 error = ipsec4_encapsulate(state->m, isr->sav);
2706 splx(s);
2707 if (error) {
2708 state->m = NULL;
2709 goto bad;
2710 }
2711 ip = mtod(state->m, struct ip *);
2712
2713 state->ro = &isr->sav->sah->sa_route;
2714 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2715 dst4 = (struct sockaddr_in *)state->dst;
2716 if (state->ro->ro_rt
2717 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2718 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2719 RTFREE(state->ro->ro_rt);
2720 state->ro->ro_rt = NULL;
2721 }
2722 if (state->ro->ro_rt == 0) {
2723 dst4->sin_family = AF_INET;
2724 dst4->sin_len = sizeof(*dst4);
2725 dst4->sin_addr = ip->ip_dst;
2726 rtalloc(state->ro);
2727 }
2728 if (state->ro->ro_rt == 0) {
2729 ipstat.ips_noroute++;
2730 error = EHOSTUNREACH;
2731 goto bad;
2732 }
2733
2734 /* adjust state->dst if tunnel endpoint is offlink */
2735 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2736 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2737 dst4 = (struct sockaddr_in *)state->dst;
2738 }
2739
2740 state->encap++;
2741 } else
2742 splx(s);
2743
2744 state->m = ipsec4_splithdr(state->m);
2745 if (!state->m) {
2746 error = ENOMEM;
2747 goto bad;
2748 }
2749 switch (isr->saidx.proto) {
2750 case IPPROTO_ESP:
2751 #ifdef IPSEC_ESP
2752 if ((error = esp4_output(state->m, isr)) != 0) {
2753 state->m = NULL;
2754 goto bad;
2755 }
2756 break;
2757 #else
2758 m_freem(state->m);
2759 state->m = NULL;
2760 error = EINVAL;
2761 goto bad;
2762 #endif
2763 case IPPROTO_AH:
2764 if ((error = ah4_output(state->m, isr)) != 0) {
2765 state->m = NULL;
2766 goto bad;
2767 }
2768 break;
2769 case IPPROTO_IPCOMP:
2770 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2771 state->m = NULL;
2772 goto bad;
2773 }
2774 break;
2775 default:
2776 ipseclog((LOG_ERR,
2777 "ipsec4_output: unknown ipsec protocol %d\n",
2778 isr->saidx.proto));
2779 m_freem(state->m);
2780 state->m = NULL;
2781 error = EINVAL;
2782 goto bad;
2783 }
2784
2785 if (state->m == 0) {
2786 error = ENOMEM;
2787 goto bad;
2788 }
2789 ip = mtod(state->m, struct ip *);
2790 }
2791
2792 return 0;
2793
2794 bad:
2795 m_freem(state->m);
2796 state->m = NULL;
2797 return error;
2798 }
2799 #endif
2800
2801 #ifdef INET6
2802 static int
2803 ipsec6_checksa(isr, state, tunnel)
2804 struct ipsecrequest *isr;
2805 struct ipsec_output_state *state;
2806 int tunnel;
2807 {
2808 struct ip6_hdr *ip6;
2809 struct secasindex saidx;
2810 struct sockaddr_in6 *sin6;
2811
2812 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2813 #ifdef DIAGNOSTIC
2814 if (!tunnel)
2815 panic("ipsec6_checksa/inconsistent tunnel attribute");
2816 #endif
2817 /* When tunnel mode, SA peers must be specified. */
2818 return key_checkrequest(isr, &isr->saidx);
2819 }
2820
2821 /* make SA index for search proper SA */
2822 ip6 = mtod(state->m, struct ip6_hdr *);
2823 if (tunnel) {
2824 bzero(&saidx, sizeof(saidx));
2825 saidx.proto = isr->saidx.proto;
2826 } else
2827 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2828 saidx.mode = isr->saidx.mode;
2829 saidx.reqid = isr->saidx.reqid;
2830 sin6 = (struct sockaddr_in6 *)&saidx.src;
2831 if (sin6->sin6_len == 0 || tunnel) {
2832 sin6->sin6_len = sizeof(*sin6);
2833 sin6->sin6_family = AF_INET6;
2834 sin6->sin6_port = IPSEC_PORT_ANY;
2835 in6_recoverscope(sin6, &ip6->ip6_src, NULL);
2836 }
2837 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2838 if (sin6->sin6_len == 0 || tunnel) {
2839 sin6->sin6_len = sizeof(*sin6);
2840 sin6->sin6_family = AF_INET6;
2841 sin6->sin6_port = IPSEC_PORT_ANY;
2842 in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
2843 }
2844
2845 return key_checkrequest(isr, &saidx);
2846 }
2847
2848 /*
2849 * IPsec output logic for IPv6, transport mode.
2850 */
2851 int
2852 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
2853 struct ipsec_output_state *state;
2854 u_char *nexthdrp;
2855 struct mbuf *mprev;
2856 struct secpolicy *sp;
2857 int flags;
2858 int *tun;
2859 {
2860 struct ip6_hdr *ip6;
2861 struct ipsecrequest *isr = NULL;
2862 int error = 0;
2863 int plen;
2864
2865 if (!state)
2866 panic("state == NULL in ipsec6_output_trans");
2867 if (!state->m)
2868 panic("state->m == NULL in ipsec6_output_trans");
2869 if (!nexthdrp)
2870 panic("nexthdrp == NULL in ipsec6_output_trans");
2871 if (!mprev)
2872 panic("mprev == NULL in ipsec6_output_trans");
2873 if (!sp)
2874 panic("sp == NULL in ipsec6_output_trans");
2875 if (!tun)
2876 panic("tun == NULL in ipsec6_output_trans");
2877
2878 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2879 printf("ipsec6_output_trans: applyed SP\n");
2880 kdebug_secpolicy(sp));
2881
2882 *tun = 0;
2883 for (isr = sp->req; isr; isr = isr->next) {
2884 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2885 /* the rest will be handled by ipsec6_output_tunnel() */
2886 break;
2887 }
2888
2889 error = ipsec6_checksa(isr, state, 0);
2890 if (error == EIO)
2891 goto bad;
2892 if (error == ENOENT) {
2893 /*
2894 * IPsec processing is required, but no SA found.
2895 * I assume that key_acquire() had been called
2896 * to get/establish the SA. Here I discard
2897 * this packet because it is responsibility for
2898 * upper layer to retransmit the packet.
2899 */
2900 ipsec6stat.out_nosa++;
2901
2902 /*
2903 * Notify the fact that the packet is discarded
2904 * to ourselves. I believe this is better than
2905 * just silently discarding. (jinmei@kame.net)
2906 * XXX: should we restrict the error to TCP packets?
2907 * XXX: should we directly notify sockets via
2908 * pfctlinputs?
2909 *
2910 * Noone have initialized rcvif until this point,
2911 * so clear it.
2912 */
2913 if ((state->m->m_flags & M_PKTHDR) != 0)
2914 state->m->m_pkthdr.rcvif = NULL;
2915 icmp6_error(state->m, ICMP6_DST_UNREACH,
2916 ICMP6_DST_UNREACH_ADMIN, 0);
2917 state->m = NULL; /* icmp6_error freed the mbuf */
2918 goto bad;
2919 }
2920
2921 /* validity check */
2922 if (isr->sav == NULL) {
2923 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
2924 case IPSEC_LEVEL_USE:
2925 continue;
2926 case IPSEC_LEVEL_REQUIRE:
2927 /* must be not reached here. */
2928 panic("ipsec6_output_trans: no SA found, but required.");
2929 }
2930 }
2931
2932 /*
2933 * If there is no valid SA, we give up to process.
2934 * see same place at ipsec4_output().
2935 */
2936 if (isr->sav->state != SADB_SASTATE_MATURE
2937 && isr->sav->state != SADB_SASTATE_DYING) {
2938 ipsec6stat.out_nosa++;
2939 error = EINVAL;
2940 goto bad;
2941 }
2942
2943 switch (isr->saidx.proto) {
2944 case IPPROTO_ESP:
2945 #ifdef IPSEC_ESP
2946 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2947 #else
2948 m_freem(state->m);
2949 error = EINVAL;
2950 #endif
2951 break;
2952 case IPPROTO_AH:
2953 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2954 break;
2955 case IPPROTO_IPCOMP:
2956 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2957 break;
2958 default:
2959 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2960 "unknown ipsec protocol %d\n", isr->saidx.proto));
2961 m_freem(state->m);
2962 ipsec6stat.out_inval++;
2963 error = EINVAL;
2964 break;
2965 }
2966 if (error) {
2967 state->m = NULL;
2968 goto bad;
2969 }
2970 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2971 if (plen > IPV6_MAXPACKET) {
2972 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2973 "IPsec with IPv6 jumbogram is not supported\n"));
2974 ipsec6stat.out_inval++;
2975 error = EINVAL; /* XXX */
2976 goto bad;
2977 }
2978 ip6 = mtod(state->m, struct ip6_hdr *);
2979 ip6->ip6_plen = htons(plen);
2980 }
2981
2982 /* if we have more to go, we need a tunnel mode processing */
2983 if (isr != NULL)
2984 *tun = 1;
2985
2986 return 0;
2987
2988 bad:
2989 m_freem(state->m);
2990 state->m = NULL;
2991 return error;
2992 }
2993
2994 /*
2995 * IPsec output logic for IPv6, tunnel mode.
2996 */
2997 int
2998 ipsec6_output_tunnel(state, sp, flags)
2999 struct ipsec_output_state *state;
3000 struct secpolicy *sp;
3001 int flags;
3002 {
3003 struct ip6_hdr *ip6;
3004 struct ipsecrequest *isr = NULL;
3005 int error = 0;
3006 int plen;
3007 struct sockaddr_in6 *dst6;
3008 int s;
3009
3010 if (!state)
3011 panic("state == NULL in ipsec6_output_tunnel");
3012 if (!state->m)
3013 panic("state->m == NULL in ipsec6_output_tunnel");
3014 if (!sp)
3015 panic("sp == NULL in ipsec6_output_tunnel");
3016
3017 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3018 printf("ipsec6_output_tunnel: applyed SP\n");
3019 kdebug_secpolicy(sp));
3020
3021 /*
3022 * transport mode ipsec (before the 1st tunnel mode) is already
3023 * processed by ipsec6_output_trans().
3024 */
3025 for (isr = sp->req; isr; isr = isr->next) {
3026 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
3027 break;
3028 }
3029
3030 for (/* already initialized */; isr; isr = isr->next) {
3031 error = ipsec6_checksa(isr, state, 1);
3032 if (error == EIO)
3033 goto bad;
3034 if (error == ENOENT) {
3035 /*
3036 * IPsec processing is required, but no SA found.
3037 * I assume that key_acquire() had been called
3038 * to get/establish the SA. Here I discard
3039 * this packet because it is responsibility for
3040 * upper layer to retransmit the packet.
3041 */
3042 ipsec6stat.out_nosa++;
3043 error = ENOENT;
3044 goto bad;
3045 }
3046
3047 /* validity check */
3048 if (isr->sav == NULL) {
3049 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
3050 case IPSEC_LEVEL_USE:
3051 continue;
3052 case IPSEC_LEVEL_REQUIRE:
3053 /* must be not reached here. */
3054 panic("ipsec6_output_tunnel: no SA found, but required.");
3055 }
3056 }
3057
3058 /*
3059 * If there is no valid SA, we give up to process.
3060 * see same place at ipsec4_output().
3061 */
3062 if (isr->sav->state != SADB_SASTATE_MATURE
3063 && isr->sav->state != SADB_SASTATE_DYING) {
3064 ipsec6stat.out_nosa++;
3065 error = EINVAL;
3066 goto bad;
3067 }
3068
3069 /*
3070 * There may be the case that SA status will be changed when
3071 * we are refering to one. So calling splsoftnet().
3072 */
3073 s = splnet();
3074
3075 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3076 /*
3077 * build IPsec tunnel.
3078 */
3079 /* XXX should be processed with other familiy */
3080 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
3081 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3082 "family mismatched between inner and outer, spi=%u\n",
3083 (u_int32_t)ntohl(isr->sav->spi)));
3084 splx(s);
3085 ipsec6stat.out_inval++;
3086 error = EAFNOSUPPORT;
3087 goto bad;
3088 }
3089
3090 state->m = ipsec6_splithdr(state->m);
3091 if (!state->m) {
3092 splx(s);
3093 ipsec6stat.out_nomem++;
3094 error = ENOMEM;
3095 goto bad;
3096 }
3097 error = ipsec6_encapsulate(state->m, isr->sav);
3098 splx(s);
3099 if (error) {
3100 state->m = 0;
3101 goto bad;
3102 }
3103 ip6 = mtod(state->m, struct ip6_hdr *);
3104
3105 state->ro = &isr->sav->sah->sa_route;
3106 state->dst = (struct sockaddr *)&state->ro->ro_dst;
3107 dst6 = (struct sockaddr_in6 *)state->dst;
3108 if (state->ro->ro_rt &&
3109 (!(state->ro->ro_rt->rt_flags & RTF_UP) ||
3110 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr,
3111 &ip6->ip6_dst))) {
3112 RTFREE(state->ro->ro_rt);
3113 state->ro->ro_rt = NULL;
3114 }
3115 if (state->ro->ro_rt == 0) {
3116 bzero(dst6, sizeof(*dst6));
3117 dst6->sin6_family = AF_INET6;
3118 dst6->sin6_len = sizeof(*dst6);
3119 dst6->sin6_addr = ip6->ip6_dst;
3120 rtalloc(state->ro);
3121 }
3122 if (state->ro->ro_rt == 0) {
3123 ip6stat.ip6s_noroute++;
3124 ipsec6stat.out_noroute++;
3125 error = EHOSTUNREACH;
3126 goto bad;
3127 }
3128
3129 /* adjust state->dst if tunnel endpoint is offlink */
3130 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3131 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3132 dst6 = (struct sockaddr_in6 *)state->dst;
3133 }
3134 } else
3135 splx(s);
3136
3137 state->m = ipsec6_splithdr(state->m);
3138 if (!state->m) {
3139 ipsec6stat.out_nomem++;
3140 error = ENOMEM;
3141 goto bad;
3142 }
3143 ip6 = mtod(state->m, struct ip6_hdr *);
3144 switch (isr->saidx.proto) {
3145 case IPPROTO_ESP:
3146 #ifdef IPSEC_ESP
3147 error = esp6_output(state->m, &ip6->ip6_nxt,
3148 state->m->m_next, isr);
3149 #else
3150 m_freem(state->m);
3151 error = EINVAL;
3152 #endif
3153 break;
3154 case IPPROTO_AH:
3155 error = ah6_output(state->m, &ip6->ip6_nxt,
3156 state->m->m_next, isr);
3157 break;
3158 case IPPROTO_IPCOMP:
3159 /* XXX code should be here */
3160 /* FALLTHROUGH */
3161 default:
3162 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3163 "unknown ipsec protocol %d\n", isr->saidx.proto));
3164 m_freem(state->m);
3165 ipsec6stat.out_inval++;
3166 error = EINVAL;
3167 break;
3168 }
3169 if (error) {
3170 state->m = NULL;
3171 goto bad;
3172 }
3173 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3174 if (plen > IPV6_MAXPACKET) {
3175 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3176 "IPsec with IPv6 jumbogram is not supported\n"));
3177 ipsec6stat.out_inval++;
3178 error = EINVAL; /* XXX */
3179 goto bad;
3180 }
3181 ip6 = mtod(state->m, struct ip6_hdr *);
3182 ip6->ip6_plen = htons(plen);
3183 }
3184
3185 return 0;
3186
3187 bad:
3188 m_freem(state->m);
3189 state->m = NULL;
3190 return error;
3191 }
3192 #endif /* INET6 */
3193
3194 #ifdef INET
3195 /*
3196 * Chop IP header and option off from the payload.
3197 */
3198 static struct mbuf *
3199 ipsec4_splithdr(m)
3200 struct mbuf *m;
3201 {
3202 struct mbuf *mh;
3203 struct ip *ip;
3204 int hlen;
3205
3206 if (m->m_len < sizeof(struct ip))
3207 panic("ipsec4_splithdr: first mbuf too short");
3208 ip = mtod(m, struct ip *);
3209 #ifdef _IP_VHL
3210 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3211 #else
3212 hlen = ip->ip_hl << 2;
3213 #endif
3214 if (m->m_len > hlen) {
3215 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3216 if (!mh) {
3217 m_freem(m);
3218 return NULL;
3219 }
3220 M_MOVE_PKTHDR(mh, m);
3221 MH_ALIGN(mh, hlen);
3222 m->m_len -= hlen;
3223 m->m_data += hlen;
3224 mh->m_next = m;
3225 m = mh;
3226 m->m_len = hlen;
3227 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3228 } else if (m->m_len < hlen) {
3229 m = m_pullup(m, hlen);
3230 if (!m)
3231 return NULL;
3232 }
3233 return m;
3234 }
3235 #endif
3236
3237 #ifdef INET6
3238 static struct mbuf *
3239 ipsec6_splithdr(m)
3240 struct mbuf *m;
3241 {
3242 struct mbuf *mh;
3243 struct ip6_hdr *ip6;
3244 int hlen;
3245
3246 if (m->m_len < sizeof(struct ip6_hdr))
3247 panic("ipsec6_splithdr: first mbuf too short");
3248 ip6 = mtod(m, struct ip6_hdr *);
3249 hlen = sizeof(struct ip6_hdr);
3250 if (m->m_len > hlen) {
3251 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3252 if (!mh) {
3253 m_freem(m);
3254 return NULL;
3255 }
3256 M_MOVE_PKTHDR(mh, m);
3257 MH_ALIGN(mh, hlen);
3258 m->m_len -= hlen;
3259 m->m_data += hlen;
3260 mh->m_next = m;
3261 m = mh;
3262 m->m_len = hlen;
3263 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3264 } else if (m->m_len < hlen) {
3265 m = m_pullup(m, hlen);
3266 if (!m)
3267 return NULL;
3268 }
3269 return m;
3270 }
3271 #endif
3272
3273 /* validate inbound IPsec tunnel packet. */
3274 int
3275 ipsec4_tunnel_validate(m, off, nxt0, sav)
3276 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3277 int off;
3278 u_int nxt0;
3279 struct secasvar *sav;
3280 {
3281 u_int8_t nxt = nxt0 & 0xff;
3282 struct sockaddr_in *sin;
3283 struct sockaddr_in osrc, odst, isrc, idst;
3284 int hlen;
3285 struct secpolicy *sp;
3286 struct ip *oip;
3287
3288 #ifdef DIAGNOSTIC
3289 if (m->m_len < sizeof(struct ip))
3290 panic("too short mbuf on ipsec4_tunnel_validate");
3291 #endif
3292 if (nxt != IPPROTO_IPV4)
3293 return 0;
3294 if (m->m_pkthdr.len < off + sizeof(struct ip))
3295 return 0;
3296 /* do not decapsulate if the SA is for transport mode only */
3297 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3298 return 0;
3299
3300 oip = mtod(m, struct ip *);
3301 hlen = oip->ip_hl << 2;
3302 if (hlen != sizeof(struct ip))
3303 return 0;
3304
3305 /* AF_INET6 should be supported, but at this moment we don't. */
3306 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3307 if (sin->sin_family != AF_INET)
3308 return 0;
3309 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3310 return 0;
3311
3312 /* XXX slow */
3313 bzero(&osrc, sizeof(osrc));
3314 bzero(&odst, sizeof(odst));
3315 bzero(&isrc, sizeof(isrc));
3316 bzero(&idst, sizeof(idst));
3317 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3318 AF_INET;
3319 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3320 sizeof(struct sockaddr_in);
3321 osrc.sin_addr = oip->ip_src;
3322 odst.sin_addr = oip->ip_dst;
3323 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3324 (caddr_t)&isrc.sin_addr);
3325 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3326 (caddr_t)&idst.sin_addr);
3327
3328 /*
3329 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3330 * - if the inner destination is multicast address, there can be
3331 * multiple permissible inner source address. implementation
3332 * may want to skip verification of inner source address against
3333 * SPD selector.
3334 * - if the inner protocol is ICMP, the packet may be an error report
3335 * from routers on the other side of the VPN cloud (R in the
3336 * following diagram). in this case, we cannot verify inner source
3337 * address against SPD selector.
3338 * me -- gw === gw -- R -- you
3339 *
3340 * we consider the first bullet to be users responsibility on SPD entry
3341 * configuration (if you need to encrypt multicast traffic, set
3342 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3343 * address ranges for possible senders).
3344 * the second bullet is not taken care of (yet).
3345 *
3346 * therefore, we do not do anything special about inner source.
3347 */
3348
3349 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3350 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3351 /*
3352 * when there is no suitable inbound policy for the packet of the ipsec
3353 * tunnel mode, the kernel never decapsulate the tunneled packet
3354 * as the ipsec tunnel mode even when the system wide policy is "none".
3355 * then the kernel leaves the generic tunnel module to process this
3356 * packet. if there is no rule of the generic tunnel, the packet
3357 * is rejected and the statistics will be counted up.
3358 */
3359 if (!sp)
3360 return 0;
3361 key_freesp(sp);
3362
3363 return 1;
3364 }
3365
3366 #ifdef INET6
3367 /* validate inbound IPsec tunnel packet. */
3368 int
3369 ipsec6_tunnel_validate(m, off, nxt0, sav)
3370 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3371 int off;
3372 u_int nxt0;
3373 struct secasvar *sav;
3374 {
3375 u_int8_t nxt = nxt0 & 0xff;
3376 struct sockaddr_in6 *sin6;
3377 struct sockaddr_in6 osrc, odst, isrc, idst;
3378 struct secpolicy *sp;
3379 struct ip6_hdr *oip6;
3380
3381 #ifdef DIAGNOSTIC
3382 if (m->m_len < sizeof(struct ip6_hdr))
3383 panic("too short mbuf on ipsec6_tunnel_validate");
3384 #endif
3385 if (nxt != IPPROTO_IPV6)
3386 return 0;
3387 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3388 return 0;
3389 /* do not decapsulate if the SA is for transport mode only */
3390 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3391 return 0;
3392
3393 oip6 = mtod(m, struct ip6_hdr *);
3394
3395 /* AF_INET should be supported, but at this moment we don't. */
3396 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3397 if (sin6->sin6_family != AF_INET6)
3398 return 0;
3399 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3400 return 0;
3401
3402 /* XXX slow */
3403 bzero(&osrc, sizeof(osrc));
3404 bzero(&odst, sizeof(odst));
3405 bzero(&isrc, sizeof(isrc));
3406 bzero(&idst, sizeof(idst));
3407 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3408 idst.sin6_family = AF_INET6;
3409 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3410 sizeof(struct sockaddr_in6);
3411 osrc.sin6_addr = oip6->ip6_src;
3412 odst.sin6_addr = oip6->ip6_dst;
3413 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3414 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3415 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3416 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3417
3418 /*
3419 * regarding to inner source address validation, see a long comment
3420 * in ipsec4_tunnel_validate.
3421 */
3422
3423 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3424 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3425 if (!sp)
3426 return 0;
3427 key_freesp(sp);
3428
3429 return 1;
3430 }
3431 #endif
3432
3433 /*
3434 * Make a mbuf chain for encryption.
3435 * If the original mbuf chain contains a mbuf with a cluster,
3436 * allocate a new cluster and copy the data to the new cluster.
3437 * XXX: this hack is inefficient, but is necessary to handle cases
3438 * of TCP retransmission...
3439 */
3440 struct mbuf *
3441 ipsec_copypkt(m)
3442 struct mbuf *m;
3443 {
3444 struct mbuf *n, **mpp, *mnew;
3445
3446 for (n = m, mpp = &m; n; n = n->m_next) {
3447 if (n->m_flags & M_EXT) {
3448 /*
3449 * Make a copy only if there is more than one
3450 * references to the cluster.
3451 * XXX: is this approach effective?
3452 */
3453 if (!M_WRITABLE(n)) {
3454 int remain, copied;
3455 struct mbuf *mm;
3456
3457 if (n->m_flags & M_PKTHDR) {
3458 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3459 if (mnew == NULL)
3460 goto fail;
3461 mnew->m_pkthdr = n->m_pkthdr;
3462 #if 0
3463 /* XXX: convert to m_tag or delete? */
3464 if (n->m_pkthdr.aux) {
3465 mnew->m_pkthdr.aux =
3466 m_copym(n->m_pkthdr.aux,
3467 0, M_COPYALL, M_DONTWAIT);
3468 }
3469 #endif
3470 M_MOVE_PKTHDR(mnew, n);
3471 }
3472 else {
3473 MGET(mnew, M_DONTWAIT, MT_DATA);
3474 if (mnew == NULL)
3475 goto fail;
3476 }
3477 mnew->m_len = 0;
3478 mm = mnew;
3479
3480 /*
3481 * Copy data. If we don't have enough space to
3482 * store the whole data, allocate a cluster
3483 * or additional mbufs.
3484 * XXX: we don't use m_copyback(), since the
3485 * function does not use clusters and thus is
3486 * inefficient.
3487 */
3488 remain = n->m_len;
3489 copied = 0;
3490 while (1) {
3491 int len;
3492 struct mbuf *mn;
3493
3494 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3495 len = remain;
3496 else { /* allocate a cluster */
3497 MCLGET(mm, M_DONTWAIT);
3498 if (!(mm->m_flags & M_EXT)) {
3499 m_free(mm);
3500 goto fail;
3501 }
3502 len = remain < MCLBYTES ?
3503 remain : MCLBYTES;
3504 }
3505
3506 bcopy(n->m_data + copied, mm->m_data,
3507 len);
3508
3509 copied += len;
3510 remain -= len;
3511 mm->m_len = len;
3512
3513 if (remain <= 0) /* completed? */
3514 break;
3515
3516 /* need another mbuf */
3517 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3518 if (mn == NULL)
3519 goto fail;
3520 mn->m_pkthdr.rcvif = NULL;
3521 mm->m_next = mn;
3522 mm = mn;
3523 }
3524
3525 /* adjust chain */
3526 mm->m_next = m_free(n);
3527 n = mm;
3528 *mpp = mnew;
3529 mpp = &n->m_next;
3530
3531 continue;
3532 }
3533 }
3534 *mpp = n;
3535 mpp = &n->m_next;
3536 }
3537
3538 return (m);
3539 fail:
3540 m_freem(m);
3541 return (NULL);
3542 }
3543
3544 static struct ipsecaux *
3545 ipsec_addaux(m)
3546 struct mbuf *m;
3547 {
3548 struct m_tag *mtag;
3549
3550 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3551 if (mtag == NULL) {
3552 mtag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
3553 sizeof(struct ipsecaux), M_NOWAIT);
3554 if (mtag != NULL)
3555 m_tag_prepend(m, mtag);
3556 }
3557 if (mtag == NULL)
3558 return NULL; /* ENOBUFS */
3559 /* XXX is this necessary? */
3560 bzero((void *)(mtag + 1), sizeof(struct ipsecaux));
3561 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL;
3562 }
3563
3564 static struct ipsecaux *
3565 ipsec_findaux(m)
3566 struct mbuf *m;
3567 {
3568 struct m_tag *mtag;
3569
3570 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3571 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL;
3572 }
3573
3574 void
3575 ipsec_delaux(m)
3576 struct mbuf *m;
3577 {
3578 struct m_tag *mtag;
3579
3580 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3581 if (mtag != NULL)
3582 m_tag_delete(m, mtag);
3583 }
3584
3585 /* if the aux buffer is unnecessary, nuke it. */
3586 static void
3587 ipsec_optaux(m, aux)
3588 struct mbuf *m;
3589 struct ipsecaux *aux;
3590 {
3591
3592 if (aux == NULL)
3593 return;
3594 ipsec_delaux(m);
3595 }
3596
3597 int
3598 ipsec_addhist(m, proto, spi)
3599 struct mbuf *m;
3600 int proto;
3601 u_int32_t spi;
3602 {
3603 struct ipsecaux *aux;
3604
3605 aux = ipsec_addaux(m);
3606 if (aux == NULL)
3607 return ENOBUFS;
3608 aux->hdrs++;
3609 return 0;
3610 }
3611
3612 int
3613 ipsec_getnhist(m)
3614 struct mbuf *m;
3615 {
3616 struct ipsecaux *aux;
3617
3618 aux = ipsec_findaux(m);
3619 if (aux == NULL)
3620 return 0;
3621 return aux->hdrs;
3622 }
3623
3624 void
3625 ipsec_clearhist(m)
3626 struct mbuf *m;
3627 {
3628 struct ipsecaux *aux;
3629
3630 aux = ipsec_findaux(m);
3631 ipsec_optaux(m, aux);
3632 }
Cache object: 346bf072508c071933ac3d2a38b519cf
|