FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
1 /* $FreeBSD$ */
2 /* $KAME: ipsec.c,v 1.207 2004/01/13 03:30:42 itojun Exp $ */
3
4 /*-
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #include "opt_inet.h"
38 #include "opt_inet6.h"
39 #include "opt_ipsec.h"
40
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/malloc.h>
44 #include <sys/mbuf.h>
45 #include <sys/domain.h>
46 #include <sys/protosw.h>
47 #include <sys/socket.h>
48 #include <sys/socketvar.h>
49 #include <sys/errno.h>
50 #include <sys/time.h>
51 #include <sys/kernel.h>
52 #include <sys/syslog.h>
53 #include <sys/sysctl.h>
54 #include <sys/proc.h>
55
56 #include <net/if.h>
57 #include <net/route.h>
58
59 #include <netinet/in.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/ip.h>
62 #include <netinet/ip_var.h>
63 #include <netinet/in_var.h>
64 #include <netinet/udp.h>
65 #include <netinet/udp_var.h>
66 #include <netinet/ip_ecn.h>
67 #ifdef INET6
68 #include <netinet6/ip6_ecn.h>
69 #endif
70 #include <netinet/tcp.h>
71 #include <netinet/udp.h>
72
73 #include <netinet/ip6.h>
74 #ifdef INET6
75 #include <netinet6/ip6_var.h>
76 #endif
77 #include <netinet/in_pcb.h>
78 #ifdef INET6
79 #include <netinet/icmp6.h>
80 #endif
81
82 #include <netinet6/ipsec.h>
83 #ifdef INET6
84 #include <netinet6/ipsec6.h>
85 #endif
86 #include <netinet6/ah.h>
87 #ifdef INET6
88 #include <netinet6/ah6.h>
89 #endif
90 #ifdef IPSEC_ESP
91 #include <netinet6/esp.h>
92 #ifdef INET6
93 #include <netinet6/esp6.h>
94 #endif
95 #endif
96 #include <netinet6/ipcomp.h>
97 #ifdef INET6
98 #include <netinet6/ipcomp6.h>
99 #endif
100 #include <netkey/key.h>
101 #include <netkey/keydb.h>
102 #include <netkey/key_debug.h>
103
104 #include <machine/in_cksum.h>
105 #include <net/net_osdep.h>
106
107 #ifdef IPSEC_DEBUG
108 int ipsec_debug = 1;
109 #else
110 int ipsec_debug = 0;
111 #endif
112
113 NET_NEEDS_GIANT("ipsec");
114
115 struct ipsecstat ipsecstat;
116 int ip4_ah_cleartos = 1;
117 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
118 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
119 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
120 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
121 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
122 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
123 struct secpolicy *ip4_def_policy;
124 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
125 int ip4_esp_randpad = -1;
126
127 static int sp_cachegen = 1; /* cache generation # */
128
129 SYSCTL_DECL(_net_inet_ipsec);
130 #ifdef INET6
131 SYSCTL_DECL(_net_inet6_ipsec6);
132 #endif
133
134 /* net.inet.ipsec */
135 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
136 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
137 #if 0
138 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
139 def_policy, CTLFLAG_RW, &ip4_def_policy->policy, 0, "");
140 #endif
141 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
142 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
143 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
144 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
145 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
146 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
147 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
148 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
149 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
150 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
151 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
152 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
153 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
154 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
155 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
156 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
157 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
158 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
159 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
160 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
161
162 #ifdef INET6
163 struct ipsecstat ipsec6stat;
164 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
165 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
166 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
167 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
168 struct secpolicy *ip6_def_policy;
169 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
170 int ip6_esp_randpad = -1;
171
172 /* net.inet6.ipsec6 */
173 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
174 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
175 #if 0
176 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
177 def_policy, CTLFLAG_RW, &ip6_def_policy->policy, 0, "");
178 #endif
179 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
180 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
181 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
182 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
183 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
184 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
185 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
186 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
187 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
188 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
189 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
190 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
191 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
192 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
193 #endif /* INET6 */
194
195 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
196 struct inpcbpolicy *, int));
197 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
198 struct secpolicy *, int));
199 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int));
200 static int ipsec_setspidx_mbuf
201 __P((struct secpolicyindex *, int, struct mbuf *, int));
202 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
203 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
204 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
205 #ifdef INET6
206 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
207 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
208 #endif
209 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
210 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
211 #if 0
212 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *));
213 #endif
214 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *));
215 static int ipsec_set_policy
216 __P((struct secpolicy **, int, caddr_t, size_t, int));
217 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
218 static void vshiftl __P((unsigned char *, int, int));
219 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
220 static size_t ipsec_hdrsiz __P((struct secpolicy *));
221 #ifdef INET
222 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
223 #endif
224 #ifdef INET6
225 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
226 #endif
227 #ifdef INET
228 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
229 #endif
230 #ifdef INET6
231 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
232 #endif
233 static struct ipsecaux *ipsec_addaux __P((struct mbuf *));
234 static struct ipsecaux *ipsec_findaux __P((struct mbuf *));
235 static void ipsec_optaux __P((struct mbuf *, struct ipsecaux *));
236 #ifdef INET
237 static int ipsec4_checksa __P((struct ipsecrequest *,
238 struct ipsec_output_state *));
239 #endif
240 #ifdef INET6
241 static int ipsec6_checksa __P((struct ipsecrequest *,
242 struct ipsec_output_state *, int));
243 #endif
244
245 /*
246 * try to validate and use cached policy on a pcb.
247 */
248 static struct secpolicy *
249 ipsec_checkpcbcache(m, pcbsp, dir)
250 struct mbuf *m;
251 struct inpcbpolicy *pcbsp;
252 int dir;
253 {
254 struct secpolicyindex spidx;
255 struct timeval mono_time;
256
257 microtime(&mono_time);
258
259 switch (dir) {
260 case IPSEC_DIR_INBOUND:
261 case IPSEC_DIR_OUTBOUND:
262 case IPSEC_DIR_ANY:
263 break;
264 default:
265 return NULL;
266 }
267 #ifdef DIAGNOSTIC
268 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0]))
269 panic("dir too big in ipsec_checkpcbcache");
270 #endif
271 /* SPD table change invalidates all the caches */
272 if (pcbsp->cachegen[dir] == 0 || sp_cachegen > pcbsp->cachegen[dir]) {
273 ipsec_invalpcbcache(pcbsp, dir);
274 return NULL;
275 }
276 if (!pcbsp->cache[dir])
277 return NULL;
278 if (pcbsp->cache[dir]->state != IPSEC_SPSTATE_ALIVE) {
279 ipsec_invalpcbcache(pcbsp, dir);
280 return NULL;
281 }
282 if ((pcbsp->cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
283 if (!pcbsp->cache[dir])
284 return NULL;
285 if (ipsec_setspidx(m, &spidx, 1) != 0)
286 return NULL;
287 if (bcmp(&pcbsp->cacheidx[dir], &spidx, sizeof(spidx))) {
288 if (!pcbsp->cache[dir]->spidx ||
289 !key_cmpspidx_withmask(pcbsp->cache[dir]->spidx,
290 &spidx))
291 return NULL;
292 pcbsp->cacheidx[dir] = spidx;
293 }
294 } else {
295 /*
296 * The pcb is connected, and the L4 code is sure that:
297 * - outgoing side uses inp_[lf]addr
298 * - incoming side looks up policy after inpcb lookup
299 * and address pair is known to be stable. We do not need
300 * to generate spidx again, nor check the address match again.
301 *
302 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds
303 * and there are calls to ipsec_pcbconn() from in_pcbconnect().
304 */
305 }
306
307 pcbsp->cache[dir]->lastused = mono_time.tv_sec;
308 pcbsp->cache[dir]->refcnt++;
309 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
310 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n",
311 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir]));
312 return pcbsp->cache[dir];
313 }
314
315 static int
316 ipsec_fillpcbcache(pcbsp, m, sp, dir)
317 struct inpcbpolicy *pcbsp;
318 struct mbuf *m;
319 struct secpolicy *sp;
320 int dir;
321 {
322
323 switch (dir) {
324 case IPSEC_DIR_INBOUND:
325 case IPSEC_DIR_OUTBOUND:
326 break;
327 default:
328 return EINVAL;
329 }
330 #ifdef DIAGNOSTIC
331 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0]))
332 panic("dir too big in ipsec_checkpcbcache");
333 #endif
334
335 if (pcbsp->cache[dir])
336 key_freesp(pcbsp->cache[dir]);
337 pcbsp->cache[dir] = NULL;
338 if (ipsec_setspidx(m, &pcbsp->cacheidx[dir], 1) != 0) {
339 return EINVAL;
340 }
341 pcbsp->cache[dir] = sp;
342 if (pcbsp->cache[dir]) {
343 pcbsp->cache[dir]->refcnt++;
344 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
345 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n",
346 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir]));
347 }
348 pcbsp->cachegen[dir] = sp_cachegen;
349
350 return 0;
351 }
352
353 static int
354 ipsec_invalpcbcache(pcbsp, dir)
355 struct inpcbpolicy *pcbsp;
356 int dir;
357 {
358 int i;
359
360 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
361 if (dir != IPSEC_DIR_ANY && i != dir)
362 continue;
363 if (pcbsp->cache[i])
364 key_freesp(pcbsp->cache[i]);
365 pcbsp->cache[i] = NULL;
366 pcbsp->cachegen[i] = 0;
367 bzero(&pcbsp->cacheidx[i], sizeof(pcbsp->cacheidx[i]));
368 }
369 return 0;
370 }
371
372 int
373 ipsec_pcbconn(pcbsp)
374 struct inpcbpolicy *pcbsp;
375 {
376
377 pcbsp->cacheflags |= IPSEC_PCBSP_CONNECTED;
378 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
379 return 0;
380 }
381
382 int
383 ipsec_pcbdisconn(pcbsp)
384 struct inpcbpolicy *pcbsp;
385 {
386
387 pcbsp->cacheflags &= ~IPSEC_PCBSP_CONNECTED;
388 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
389 return 0;
390 }
391
392 int
393 ipsec_invalpcbcacheall()
394 {
395
396 sp_cachegen++;
397 return 0;
398 }
399
400 /*
401 * For OUTBOUND packet having a socket. Searching SPD for packet,
402 * and return a pointer to SP.
403 * OUT: NULL: no apropreate SP found, the following value is set to error.
404 * 0 : bypass
405 * EACCES : discard packet.
406 * ENOENT : ipsec_acquire() in progress, maybe.
407 * others : error occured.
408 * others: a pointer to SP
409 *
410 * NOTE: IPv6 mapped adddress concern is implemented here.
411 */
412 struct secpolicy *
413 ipsec4_getpolicybypcb(m, dir, inp, error)
414 struct mbuf *m;
415 u_int dir;
416 struct inpcb *inp;
417 int *error;
418 {
419 struct inpcbpolicy *pcbsp = NULL;
420 struct secpolicy *currsp = NULL; /* policy on socket */
421 struct secpolicy *kernsp = NULL; /* policy on kernel */
422 struct secpolicyindex spidx;
423 u_int16_t tag;
424
425 /* sanity check */
426 if (m == NULL || inp == NULL || error == NULL)
427 panic("ipsec4_getpolicybypcb: NULL pointer was passed.");
428
429 pcbsp = inp->inp_sp;
430
431 #ifdef DIAGNOSTIC
432 if (pcbsp == NULL)
433 panic("ipsec4_getpolicybypcb: pcbsp is NULL.");
434 #endif
435
436 tag = 0;
437
438 /* if we have a cached entry, and if it is still valid, use it. */
439 ipsecstat.spdcachelookup++;
440 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
441 if (currsp) {
442 *error = 0;
443 return currsp;
444 }
445 ipsecstat.spdcachemiss++;
446
447 switch (dir) {
448 case IPSEC_DIR_INBOUND:
449 currsp = pcbsp->sp_in;
450 break;
451 case IPSEC_DIR_OUTBOUND:
452 currsp = pcbsp->sp_out;
453 break;
454 default:
455 panic("ipsec4_getpolicybypcb: illegal direction.");
456 }
457
458 /* sanity check */
459 if (currsp == NULL)
460 panic("ipsec4_getpolicybypcb: currsp is NULL.");
461
462 /* when privileged socket */
463 if (pcbsp->priv) {
464 switch (currsp->policy) {
465 case IPSEC_POLICY_BYPASS:
466 currsp->refcnt++;
467 *error = 0;
468 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
469 return currsp;
470
471 case IPSEC_POLICY_ENTRUST:
472 /* look for a policy in SPD */
473 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
474 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
475 /* SP found */
476 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
477 printf("DP ipsec4_getpolicybypcb called "
478 "to allocate SP:%p\n", kernsp));
479 *error = 0;
480 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
481 return kernsp;
482 }
483
484 /* no SP found */
485 ip4_def_policy->refcnt++;
486 *error = 0;
487 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
488 return ip4_def_policy;
489
490 case IPSEC_POLICY_IPSEC:
491 currsp->refcnt++;
492 *error = 0;
493 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
494 return currsp;
495
496 default:
497 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
498 "Invalid policy for PCB %d\n", currsp->policy));
499 *error = EINVAL;
500 return NULL;
501 }
502 /* NOTREACHED */
503 }
504
505 /* when non-privileged socket */
506 /* look for a policy in SPD */
507 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
508 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
509 /* SP found */
510 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
511 printf("DP ipsec4_getpolicybypcb called "
512 "to allocate SP:%p\n", kernsp));
513 *error = 0;
514 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
515 return kernsp;
516 }
517
518 /* no SP found */
519 switch (currsp->policy) {
520 case IPSEC_POLICY_BYPASS:
521 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
522 "Illegal policy for non-privileged defined %d\n",
523 currsp->policy));
524 *error = EINVAL;
525 return NULL;
526
527 case IPSEC_POLICY_ENTRUST:
528 ip4_def_policy->refcnt++;
529 *error = 0;
530 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
531 return ip4_def_policy;
532
533 case IPSEC_POLICY_IPSEC:
534 currsp->refcnt++;
535 *error = 0;
536 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
537 return currsp;
538
539 default:
540 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
541 "Invalid policy for PCB %d\n", currsp->policy));
542 *error = EINVAL;
543 return NULL;
544 }
545 /* NOTREACHED */
546 }
547
548 /*
549 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
550 * and return a pointer to SP.
551 * OUT: positive: a pointer to the entry for security policy leaf matched.
552 * NULL: no apropreate SP found, the following value is set to error.
553 * 0 : bypass
554 * EACCES : discard packet.
555 * ENOENT : ipsec_acquire() in progress, maybe.
556 * others : error occured.
557 */
558 struct secpolicy *
559 ipsec4_getpolicybyaddr(m, dir, flag, error)
560 struct mbuf *m;
561 u_int dir;
562 int flag;
563 int *error;
564 {
565 struct secpolicy *sp = NULL;
566 u_int16_t tag;
567
568 /* sanity check */
569 if (m == NULL || error == NULL)
570 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
571
572 /* get a policy entry matched with the packet */
573 {
574 struct secpolicyindex spidx;
575
576 bzero(&spidx, sizeof(spidx));
577
578 /* make an index to look for a policy */
579 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m,
580 (flag & IP_FORWARDING) ? 0 : 1);
581
582 if (*error != 0)
583 return NULL;
584
585 tag = 0;
586
587 sp = key_allocsp(tag, &spidx, dir);
588 }
589
590 /* SP found */
591 if (sp != NULL) {
592 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
593 printf("DP ipsec4_getpolicybyaddr called "
594 "to allocate SP:%p\n", sp));
595 *error = 0;
596 return sp;
597 }
598
599 /* no SP found */
600 ip4_def_policy->refcnt++;
601 *error = 0;
602 return ip4_def_policy;
603 }
604
605 #ifdef INET6
606 /*
607 * For OUTBOUND packet having a socket. Searching SPD for packet,
608 * and return a pointer to SP.
609 * OUT: NULL: no apropreate SP found, the following value is set to error.
610 * 0 : bypass
611 * EACCES : discard packet.
612 * ENOENT : ipsec_acquire() in progress, maybe.
613 * others : error occured.
614 * others: a pointer to SP
615 */
616 struct secpolicy *
617 ipsec6_getpolicybypcb(m, dir, inp, error)
618 struct mbuf *m;
619 u_int dir;
620 struct inpcb *inp;
621 int *error;
622 {
623 struct inpcbpolicy *pcbsp = NULL;
624 struct secpolicy *currsp = NULL; /* policy on socket */
625 struct secpolicy *kernsp = NULL; /* policy on kernel */
626 struct secpolicyindex spidx;
627 u_int16_t tag;
628
629 /* sanity check */
630 if (m == NULL || inp == NULL || error == NULL)
631 panic("ipsec6_getpolicybypcb: NULL pointer was passed.");
632
633 #ifdef DIAGNOSTIC
634 if ((inp->inp_vflag & INP_IPV6PROTO) == 0)
635 panic("ipsec6_getpolicybypcb: socket domain != inet6");
636 #endif
637
638 pcbsp = inp->in6p_sp;
639
640 #ifdef DIAGNOSTIC
641 if (pcbsp == NULL)
642 panic("ipsec6_getpolicybypcb: pcbsp is NULL.");
643 #endif
644
645 tag = 0;
646
647 /* if we have a cached entry, and if it is still valid, use it. */
648 ipsec6stat.spdcachelookup++;
649 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
650 if (currsp) {
651 *error = 0;
652 return currsp;
653 }
654 ipsec6stat.spdcachemiss++;
655
656 switch (dir) {
657 case IPSEC_DIR_INBOUND:
658 currsp = pcbsp->sp_in;
659 break;
660 case IPSEC_DIR_OUTBOUND:
661 currsp = pcbsp->sp_out;
662 break;
663 default:
664 panic("ipsec6_getpolicybypcb: illegal direction.");
665 }
666
667 /* sanity check */
668 if (currsp == NULL)
669 panic("ipsec6_getpolicybypcb: currsp is NULL.");
670
671 /* when privileged socket */
672 if (pcbsp->priv) {
673 switch (currsp->policy) {
674 case IPSEC_POLICY_BYPASS:
675 currsp->refcnt++;
676 *error = 0;
677 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
678 return currsp;
679
680 case IPSEC_POLICY_ENTRUST:
681 /* look for a policy in SPD */
682 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
683 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
684 /* SP found */
685 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
686 printf("DP ipsec6_getpolicybypcb called "
687 "to allocate SP:%p\n", kernsp));
688 *error = 0;
689 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
690 return kernsp;
691 }
692
693 /* no SP found */
694 ip6_def_policy->refcnt++;
695 *error = 0;
696 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
697 return ip6_def_policy;
698
699 case IPSEC_POLICY_IPSEC:
700 currsp->refcnt++;
701 *error = 0;
702 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
703 return currsp;
704
705 default:
706 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: "
707 "Invalid policy for PCB %d\n", currsp->policy));
708 *error = EINVAL;
709 return NULL;
710 }
711 /* NOTREACHED */
712 }
713
714 /* when non-privileged socket */
715 /* look for a policy in SPD */
716 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
717 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
718 /* SP found */
719 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
720 printf("DP ipsec6_getpolicybypcb called "
721 "to allocate SP:%p\n", kernsp));
722 *error = 0;
723 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
724 return kernsp;
725 }
726
727 /* no SP found */
728 switch (currsp->policy) {
729 case IPSEC_POLICY_BYPASS:
730 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: "
731 "Illegal policy for non-privileged defined %d\n",
732 currsp->policy));
733 *error = EINVAL;
734 return NULL;
735
736 case IPSEC_POLICY_ENTRUST:
737 ip6_def_policy->refcnt++;
738 *error = 0;
739 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
740 return ip6_def_policy;
741
742 case IPSEC_POLICY_IPSEC:
743 currsp->refcnt++;
744 *error = 0;
745 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
746 return currsp;
747
748 default:
749 ipseclog((LOG_ERR,
750 "ipsec6_policybysock: Invalid policy for PCB %d\n",
751 currsp->policy));
752 *error = EINVAL;
753 return NULL;
754 }
755 /* NOTREACHED */
756 }
757
758 /*
759 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
760 * and return a pointer to SP.
761 * `flag' means that packet is to be forwarded whether or not.
762 * flag = 1: forwad
763 * OUT: positive: a pointer to the entry for security policy leaf matched.
764 * NULL: no apropreate SP found, the following value is set to error.
765 * 0 : bypass
766 * EACCES : discard packet.
767 * ENOENT : ipsec_acquire() in progress, maybe.
768 * others : error occured.
769 */
770 #ifndef IP_FORWARDING
771 #define IP_FORWARDING 1
772 #endif
773
774 struct secpolicy *
775 ipsec6_getpolicybyaddr(m, dir, flag, error)
776 struct mbuf *m;
777 u_int dir;
778 int flag;
779 int *error;
780 {
781 struct secpolicy *sp = NULL;
782 u_int16_t tag;
783
784 /* sanity check */
785 if (m == NULL || error == NULL)
786 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
787
788 /* get a policy entry matched with the packet */
789 {
790 struct secpolicyindex spidx;
791
792 bzero(&spidx, sizeof(spidx));
793
794 /* make an index to look for a policy */
795 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m,
796 (flag & IP_FORWARDING) ? 0 : 1);
797
798 if (*error != 0)
799 return NULL;
800
801 tag = 0;
802
803 sp = key_allocsp(tag, &spidx, dir);
804 }
805
806 /* SP found */
807 if (sp != NULL) {
808 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
809 printf("DP ipsec6_getpolicybyaddr called "
810 "to allocate SP:%p\n", sp));
811 *error = 0;
812 return sp;
813 }
814
815 /* no SP found */
816 ip6_def_policy->refcnt++;
817 *error = 0;
818 return ip6_def_policy;
819 }
820 #endif /* INET6 */
821
822 /*
823 * set IP address into spidx from mbuf.
824 * When Forwarding packet and ICMP echo reply, this function is used.
825 *
826 * IN: get the followings from mbuf.
827 * protocol family, src, dst, next protocol
828 * OUT:
829 * 0: success.
830 * other: failure, and set errno.
831 */
832 int
833 ipsec_setspidx_mbuf(spidx, family, m, needport)
834 struct secpolicyindex *spidx;
835 int family;
836 struct mbuf *m;
837 int needport;
838 {
839 int error;
840
841 /* sanity check */
842 if (spidx == NULL || m == NULL)
843 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
844
845 bzero(spidx, sizeof(*spidx));
846
847 error = ipsec_setspidx(m, spidx, needport);
848 if (error)
849 goto bad;
850
851 return 0;
852
853 bad:
854 /* XXX initialize */
855 bzero(spidx, sizeof(*spidx));
856 return EINVAL;
857 }
858
859 /*
860 * configure security policy index (src/dst/proto/sport/dport)
861 * by looking at the content of mbuf.
862 * the caller is responsible for error recovery (like clearing up spidx).
863 */
864 static int
865 ipsec_setspidx(m, spidx, needport)
866 struct mbuf *m;
867 struct secpolicyindex *spidx;
868 int needport;
869 {
870 struct ip *ip = NULL;
871 struct ip ipbuf;
872 u_int v;
873 struct mbuf *n;
874 int len;
875 int error;
876
877 if (m == NULL)
878 panic("ipsec_setspidx: m == 0 passed.");
879
880 bzero(spidx, sizeof(*spidx));
881
882 /*
883 * validate m->m_pkthdr.len. we see incorrect length if we
884 * mistakenly call this function with inconsistent mbuf chain
885 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
886 */
887 len = 0;
888 for (n = m; n; n = n->m_next)
889 len += n->m_len;
890 if (m->m_pkthdr.len != len) {
891 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
892 printf("ipsec_setspidx: "
893 "total of m_len(%d) != pkthdr.len(%d), "
894 "ignored.\n",
895 len, m->m_pkthdr.len));
896 return EINVAL;
897 }
898
899 if (m->m_pkthdr.len < sizeof(struct ip)) {
900 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
901 printf("ipsec_setspidx: "
902 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
903 m->m_pkthdr.len));
904 return EINVAL;
905 }
906
907 if (m->m_len >= sizeof(*ip))
908 ip = mtod(m, struct ip *);
909 else {
910 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
911 ip = &ipbuf;
912 }
913 #ifdef _IP_VHL
914 v = _IP_VHL_V(ip->ip_vhl);
915 #else
916 v = ip->ip_v;
917 #endif
918 switch (v) {
919 case 4:
920 error = ipsec4_setspidx_ipaddr(m, spidx);
921 if (error)
922 return error;
923 ipsec4_get_ulp(m, spidx, needport);
924 return 0;
925 #ifdef INET6
926 case 6:
927 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
928 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
929 printf("ipsec_setspidx: "
930 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
931 "ignored.\n", m->m_pkthdr.len));
932 return EINVAL;
933 }
934 error = ipsec6_setspidx_ipaddr(m, spidx);
935 if (error)
936 return error;
937 ipsec6_get_ulp(m, spidx, needport);
938 return 0;
939 #endif
940 default:
941 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
942 printf("ipsec_setspidx: "
943 "unknown IP version %u, ignored.\n", v));
944 return EINVAL;
945 }
946 }
947
948 static void
949 ipsec4_get_ulp(m, spidx, needport)
950 struct mbuf *m;
951 struct secpolicyindex *spidx;
952 int needport;
953 {
954 struct ip ip;
955 struct ip6_ext ip6e;
956 u_int8_t nxt;
957 int off;
958 struct tcphdr th;
959 struct udphdr uh;
960
961 /* sanity check */
962 if (m == NULL)
963 panic("ipsec4_get_ulp: NULL pointer was passed.");
964 if (m->m_pkthdr.len < sizeof(ip))
965 panic("ipsec4_get_ulp: too short");
966
967 /* set default */
968 spidx->ul_proto = IPSEC_ULPROTO_ANY;
969 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
970 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
971
972 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
973 /* ip_input() flips it into host endian XXX need more checking */
974 if (ip.ip_off & (IP_MF | IP_OFFMASK))
975 return;
976
977 nxt = ip.ip_p;
978 #ifdef _IP_VHL
979 off = _IP_VHL_HL(ip->ip_vhl) << 2;
980 #else
981 off = ip.ip_hl << 2;
982 #endif
983 while (off < m->m_pkthdr.len) {
984 switch (nxt) {
985 case IPPROTO_TCP:
986 spidx->ul_proto = nxt;
987 if (!needport)
988 return;
989 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
990 return;
991 m_copydata(m, off, sizeof(th), (caddr_t)&th);
992 ((struct sockaddr_in *)&spidx->src)->sin_port =
993 th.th_sport;
994 ((struct sockaddr_in *)&spidx->dst)->sin_port =
995 th.th_dport;
996 return;
997 case IPPROTO_UDP:
998 spidx->ul_proto = nxt;
999 if (!needport)
1000 return;
1001 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1002 return;
1003 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1004 ((struct sockaddr_in *)&spidx->src)->sin_port =
1005 uh.uh_sport;
1006 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1007 uh.uh_dport;
1008 return;
1009 case IPPROTO_AH:
1010 if (off + sizeof(ip6e) > m->m_pkthdr.len)
1011 return;
1012 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1013 off += (ip6e.ip6e_len + 2) << 2;
1014 nxt = ip6e.ip6e_nxt;
1015 break;
1016 case IPPROTO_ICMP:
1017 default:
1018 /* XXX intermediate headers??? */
1019 spidx->ul_proto = nxt;
1020 return;
1021 }
1022 }
1023 }
1024
1025 /* assumes that m is sane */
1026 static int
1027 ipsec4_setspidx_ipaddr(m, spidx)
1028 struct mbuf *m;
1029 struct secpolicyindex *spidx;
1030 {
1031 struct ip *ip = NULL;
1032 struct ip ipbuf;
1033 struct sockaddr_in *sin;
1034
1035 if (m->m_len >= sizeof(*ip))
1036 ip = mtod(m, struct ip *);
1037 else {
1038 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1039 ip = &ipbuf;
1040 }
1041
1042 sin = (struct sockaddr_in *)&spidx->src;
1043 bzero(sin, sizeof(*sin));
1044 sin->sin_family = AF_INET;
1045 sin->sin_len = sizeof(struct sockaddr_in);
1046 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1047 spidx->prefs = sizeof(struct in_addr) << 3;
1048
1049 sin = (struct sockaddr_in *)&spidx->dst;
1050 bzero(sin, sizeof(*sin));
1051 sin->sin_family = AF_INET;
1052 sin->sin_len = sizeof(struct sockaddr_in);
1053 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1054 spidx->prefd = sizeof(struct in_addr) << 3;
1055 return 0;
1056 }
1057
1058 #ifdef INET6
1059 static void
1060 ipsec6_get_ulp(m, spidx, needport)
1061 struct mbuf *m;
1062 struct secpolicyindex *spidx;
1063 int needport;
1064 {
1065 int off, nxt;
1066 struct tcphdr th;
1067 struct udphdr uh;
1068 struct icmp6_hdr ih;
1069
1070 /* sanity check */
1071 if (m == NULL)
1072 panic("ipsec6_get_ulp: NULL pointer was passed.");
1073
1074 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1075 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1076
1077 /* set default */
1078 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1079 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1080 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1081
1082 nxt = -1;
1083 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1084 if (off < 0 || m->m_pkthdr.len < off)
1085 return;
1086
1087 switch (nxt) {
1088 case IPPROTO_TCP:
1089 spidx->ul_proto = nxt;
1090 if (!needport)
1091 break;
1092 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1093 break;
1094 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1095 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1096 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1097 break;
1098 case IPPROTO_UDP:
1099 spidx->ul_proto = nxt;
1100 if (!needport)
1101 break;
1102 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1103 break;
1104 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1105 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1106 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1107 break;
1108 case IPPROTO_ICMPV6:
1109 spidx->ul_proto = nxt;
1110 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
1111 break;
1112 m_copydata(m, off, sizeof(ih), (caddr_t)&ih);
1113 ((struct sockaddr_in6 *)&spidx->src)->sin6_port =
1114 htons((u_int16_t)ih.icmp6_type);
1115 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
1116 htons((u_int16_t)ih.icmp6_code);
1117 break;
1118 default:
1119 /* XXX intermediate headers??? */
1120 spidx->ul_proto = nxt;
1121 break;
1122 }
1123 }
1124
1125 /* assumes that m is sane */
1126 static int
1127 ipsec6_setspidx_ipaddr(m, spidx)
1128 struct mbuf *m;
1129 struct secpolicyindex *spidx;
1130 {
1131 struct ip6_hdr *ip6 = NULL;
1132 struct ip6_hdr ip6buf;
1133 struct sockaddr_in6 *sin6;
1134
1135 if (m->m_len >= sizeof(*ip6))
1136 ip6 = mtod(m, struct ip6_hdr *);
1137 else {
1138 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1139 ip6 = &ip6buf;
1140 }
1141
1142 sin6 = (struct sockaddr_in6 *)&spidx->src;
1143 bzero(sin6, sizeof(*sin6));
1144 sin6->sin6_family = AF_INET6;
1145 sin6->sin6_len = sizeof(struct sockaddr_in6);
1146 in6_recoverscope(sin6, &ip6->ip6_src, NULL);
1147 spidx->prefs = sizeof(struct in6_addr) << 3;
1148
1149 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1150 bzero(sin6, sizeof(*sin6));
1151 sin6->sin6_family = AF_INET6;
1152 sin6->sin6_len = sizeof(struct sockaddr_in6);
1153 in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
1154 spidx->prefd = sizeof(struct in6_addr) << 3;
1155
1156 return 0;
1157 }
1158 #endif
1159
1160 static struct inpcbpolicy *
1161 ipsec_newpcbpolicy()
1162 {
1163 struct inpcbpolicy *p;
1164
1165 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
1166 return p;
1167 }
1168
1169 static void
1170 ipsec_delpcbpolicy(p)
1171 struct inpcbpolicy *p;
1172 {
1173
1174 free(p, M_SECA);
1175 }
1176
1177 /* initialize policy in PCB */
1178 int
1179 ipsec_init_pcbpolicy(so, pcb_sp)
1180 struct socket *so;
1181 struct inpcbpolicy **pcb_sp;
1182 {
1183 struct inpcbpolicy *new;
1184 static int initialized = 0;
1185 static struct secpolicy *in = NULL, *out = NULL;
1186
1187 /* sanity check. */
1188 if (so == NULL || pcb_sp == NULL)
1189 panic("ipsec_init_pcbpolicy: NULL pointer was passed.");
1190
1191 if (!initialized) {
1192 if ((in = key_newsp(0)) == NULL)
1193 return ENOBUFS;
1194 if ((out = key_newsp(0)) == NULL) {
1195 key_freesp(in);
1196 in = NULL;
1197 return ENOBUFS;
1198 }
1199
1200 in->state = IPSEC_SPSTATE_ALIVE;
1201 in->policy = IPSEC_POLICY_ENTRUST;
1202 in->dir = IPSEC_DIR_INBOUND;
1203 in->readonly = 1;
1204 in->persist = 1;
1205 in->so = NULL;
1206
1207 out->state = IPSEC_SPSTATE_ALIVE;
1208 out->policy = IPSEC_POLICY_ENTRUST;
1209 out->dir = IPSEC_DIR_OUTBOUND;
1210 out->readonly = 1;
1211 out->persist = 1;
1212 out->so = NULL;
1213
1214 initialized++;
1215 }
1216
1217 new = ipsec_newpcbpolicy();
1218 if (new == NULL) {
1219 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n"));
1220 return ENOBUFS;
1221 }
1222 bzero(new, sizeof(*new));
1223
1224 if (so->so_cred != 0 && so->so_cred->cr_uid == 0)
1225 new->priv = 1;
1226 else
1227 new->priv = 0;
1228
1229 new->sp_in = in;
1230 new->sp_in->refcnt++;
1231 new->sp_out = out;
1232 new->sp_out->refcnt++;
1233
1234 *pcb_sp = new;
1235
1236 return 0;
1237 }
1238
1239 /* copy old ipsec policy into new */
1240 int
1241 ipsec_copy_pcbpolicy(old, new)
1242 struct inpcbpolicy *old, *new;
1243 {
1244
1245 if (new->sp_in)
1246 key_freesp(new->sp_in);
1247 if (old->sp_in->policy == IPSEC_POLICY_IPSEC)
1248 new->sp_in = ipsec_deepcopy_policy(old->sp_in);
1249 else {
1250 new->sp_in = old->sp_in;
1251 new->sp_in->refcnt++;
1252 }
1253
1254 if (new->sp_out)
1255 key_freesp(new->sp_out);
1256 if (old->sp_out->policy == IPSEC_POLICY_IPSEC)
1257 new->sp_out = ipsec_deepcopy_policy(old->sp_out);
1258 else {
1259 new->sp_out = old->sp_out;
1260 new->sp_out->refcnt++;
1261 }
1262
1263 new->priv = old->priv;
1264
1265 return 0;
1266 }
1267
1268 #if 0
1269 static int
1270 ipsec_deepcopy_pcbpolicy(pcb_sp)
1271 struct inpcbpolicy *pcb_sp;
1272 {
1273 struct secpolicy *sp;
1274
1275 sp = ipsec_deepcopy_policy(pcb_sp->sp_in);
1276 if (sp) {
1277 key_freesp(pcb_sp->sp_in);
1278 pcb_sp->sp_in = sp;
1279 } else
1280 return ENOBUFS;
1281
1282 sp = ipsec_deepcopy_policy(pcb_sp->sp_out);
1283 if (sp) {
1284 key_freesp(pcb_sp->sp_out);
1285 pcb_sp->sp_out = sp;
1286 } else
1287 return ENOBUFS;
1288
1289 return 0;
1290 }
1291 #endif
1292
1293 /* deep-copy a policy in PCB */
1294 static struct secpolicy *
1295 ipsec_deepcopy_policy(src)
1296 struct secpolicy *src;
1297 {
1298 struct ipsecrequest *newchain = NULL;
1299 struct ipsecrequest *p;
1300 struct ipsecrequest **q;
1301 struct ipsecrequest *r;
1302 struct secpolicy *dst;
1303
1304 if (src == NULL)
1305 return NULL;
1306
1307 dst = key_newsp(0);
1308 if (dst == NULL)
1309 return NULL;
1310
1311 /*
1312 * deep-copy IPsec request chain. This is required since struct
1313 * ipsecrequest is not reference counted.
1314 */
1315 q = &newchain;
1316 for (p = src->req; p; p = p->next) {
1317 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
1318 M_SECA, M_NOWAIT);
1319 if (*q == NULL)
1320 goto fail;
1321 bzero(*q, sizeof(**q));
1322 (*q)->next = NULL;
1323
1324 (*q)->saidx.proto = p->saidx.proto;
1325 (*q)->saidx.mode = p->saidx.mode;
1326 (*q)->level = p->level;
1327 (*q)->saidx.reqid = p->saidx.reqid;
1328
1329 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1330 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1331
1332 (*q)->sav = NULL;
1333 (*q)->sp = dst;
1334
1335 q = &((*q)->next);
1336 }
1337
1338 if (src->spidx)
1339 if (keydb_setsecpolicyindex(dst, src->spidx) != 0)
1340 goto fail;
1341
1342 dst->req = newchain;
1343 dst->state = src->state;
1344 dst->policy = src->policy;
1345 dst->dir = src->dir;
1346 dst->so = src->so;
1347 /* do not touch the refcnt fields */
1348
1349 return dst;
1350
1351 fail:
1352 for (p = newchain; p; p = r) {
1353 r = p->next;
1354 free(p, M_SECA);
1355 p = NULL;
1356 }
1357 key_freesp(dst);
1358 return NULL;
1359 }
1360
1361 /* set policy and ipsec request if present. */
1362 static int
1363 ipsec_set_policy(spp, optname, request, len, priv)
1364 struct secpolicy **spp;
1365 int optname;
1366 caddr_t request;
1367 size_t len;
1368 int priv;
1369 {
1370 struct sadb_x_policy *xpl;
1371 struct secpolicy *newsp = NULL;
1372 int error;
1373
1374 /* sanity check. */
1375 if (spp == NULL || *spp == NULL || request == NULL)
1376 return EINVAL;
1377 if (len < sizeof(*xpl))
1378 return EINVAL;
1379 xpl = (struct sadb_x_policy *)request;
1380
1381 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1382 printf("ipsec_set_policy: passed policy\n");
1383 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1384
1385 /* check policy type */
1386 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1387 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
1388 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1389 return EINVAL;
1390
1391 /* check privileged socket */
1392 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1393 return EACCES;
1394
1395 /* allocation new SP entry */
1396 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1397 return error;
1398
1399 newsp->state = IPSEC_SPSTATE_ALIVE;
1400
1401 /* clear old SP and set new SP */
1402 key_freesp(*spp);
1403 *spp = newsp;
1404 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1405 printf("ipsec_set_policy: new policy\n");
1406 kdebug_secpolicy(newsp));
1407
1408 return 0;
1409 }
1410
1411 static int
1412 ipsec_get_policy(sp, mp)
1413 struct secpolicy *sp;
1414 struct mbuf **mp;
1415 {
1416
1417 /* sanity check. */
1418 if (sp == NULL || mp == NULL)
1419 return EINVAL;
1420
1421 *mp = key_sp2msg(sp);
1422 if (!*mp) {
1423 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1424 return ENOBUFS;
1425 }
1426
1427 (*mp)->m_type = MT_DATA;
1428 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1429 printf("ipsec_get_policy:\n");
1430 kdebug_mbuf(*mp));
1431
1432 return 0;
1433 }
1434
1435 int
1436 ipsec4_set_policy(inp, optname, request, len, priv)
1437 struct inpcb *inp;
1438 int optname;
1439 caddr_t request;
1440 size_t len;
1441 int priv;
1442 {
1443 struct sadb_x_policy *xpl;
1444 struct secpolicy **spp;
1445
1446 /* sanity check. */
1447 if (inp == NULL || request == NULL)
1448 return EINVAL;
1449 if (len < sizeof(*xpl))
1450 return EINVAL;
1451 xpl = (struct sadb_x_policy *)request;
1452
1453 /* select direction */
1454 switch (xpl->sadb_x_policy_dir) {
1455 case IPSEC_DIR_INBOUND:
1456 spp = &inp->inp_sp->sp_in;
1457 break;
1458 case IPSEC_DIR_OUTBOUND:
1459 spp = &inp->inp_sp->sp_out;
1460 break;
1461 default:
1462 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1463 xpl->sadb_x_policy_dir));
1464 return EINVAL;
1465 }
1466
1467 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1468 return ipsec_set_policy(spp, optname, request, len, priv);
1469 }
1470
1471 int
1472 ipsec4_get_policy(inp, request, len, mp)
1473 struct inpcb *inp;
1474 caddr_t request;
1475 size_t len;
1476 struct mbuf **mp;
1477 {
1478 struct sadb_x_policy *xpl;
1479 struct secpolicy *sp;
1480
1481 /* sanity check. */
1482 if (inp == NULL || request == NULL || mp == NULL)
1483 return EINVAL;
1484 if (inp->inp_sp == NULL)
1485 panic("policy in PCB is NULL");
1486 if (len < sizeof(*xpl))
1487 return EINVAL;
1488 xpl = (struct sadb_x_policy *)request;
1489
1490 /* select direction */
1491 switch (xpl->sadb_x_policy_dir) {
1492 case IPSEC_DIR_INBOUND:
1493 sp = inp->inp_sp->sp_in;
1494 break;
1495 case IPSEC_DIR_OUTBOUND:
1496 sp = inp->inp_sp->sp_out;
1497 break;
1498 default:
1499 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n",
1500 xpl->sadb_x_policy_dir));
1501 return EINVAL;
1502 }
1503
1504 return ipsec_get_policy(sp, mp);
1505 }
1506
1507 /* delete policy in PCB */
1508 int
1509 ipsec4_delete_pcbpolicy(inp)
1510 struct inpcb *inp;
1511 {
1512 /* sanity check. */
1513 if (inp == NULL)
1514 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1515
1516 if (inp->inp_sp == NULL)
1517 return 0;
1518
1519 if (inp->inp_sp->sp_in != NULL) {
1520 key_freesp(inp->inp_sp->sp_in);
1521 inp->inp_sp->sp_in = NULL;
1522 }
1523
1524 if (inp->inp_sp->sp_out != NULL) {
1525 key_freesp(inp->inp_sp->sp_out);
1526 inp->inp_sp->sp_out = NULL;
1527 }
1528
1529 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1530
1531 ipsec_delpcbpolicy(inp->inp_sp);
1532 inp->inp_sp = NULL;
1533
1534 return 0;
1535 }
1536
1537 #ifdef INET6
1538 int
1539 ipsec6_set_policy(in6p, optname, request, len, priv)
1540 struct in6pcb *in6p;
1541 int optname;
1542 caddr_t request;
1543 size_t len;
1544 int priv;
1545 {
1546 struct sadb_x_policy *xpl;
1547 struct secpolicy **spp;
1548
1549 /* sanity check. */
1550 if (in6p == NULL || request == NULL)
1551 return EINVAL;
1552 if (len < sizeof(*xpl))
1553 return EINVAL;
1554 xpl = (struct sadb_x_policy *)request;
1555
1556 /* select direction */
1557 switch (xpl->sadb_x_policy_dir) {
1558 case IPSEC_DIR_INBOUND:
1559 spp = &in6p->in6p_sp->sp_in;
1560 break;
1561 case IPSEC_DIR_OUTBOUND:
1562 spp = &in6p->in6p_sp->sp_out;
1563 break;
1564 default:
1565 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1566 xpl->sadb_x_policy_dir));
1567 return EINVAL;
1568 }
1569
1570 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1571 return ipsec_set_policy(spp, optname, request, len, priv);
1572 }
1573
1574 int
1575 ipsec6_get_policy(in6p, request, len, mp)
1576 struct in6pcb *in6p;
1577 caddr_t request;
1578 size_t len;
1579 struct mbuf **mp;
1580 {
1581 struct sadb_x_policy *xpl;
1582 struct secpolicy *sp;
1583
1584 /* sanity check. */
1585 if (in6p == NULL || request == NULL || mp == NULL)
1586 return EINVAL;
1587 if (in6p->in6p_sp == NULL)
1588 panic("policy in PCB is NULL");
1589 if (len < sizeof(*xpl))
1590 return EINVAL;
1591 xpl = (struct sadb_x_policy *)request;
1592
1593 /* select direction */
1594 switch (xpl->sadb_x_policy_dir) {
1595 case IPSEC_DIR_INBOUND:
1596 sp = in6p->in6p_sp->sp_in;
1597 break;
1598 case IPSEC_DIR_OUTBOUND:
1599 sp = in6p->in6p_sp->sp_out;
1600 break;
1601 default:
1602 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n",
1603 xpl->sadb_x_policy_dir));
1604 return EINVAL;
1605 }
1606
1607 return ipsec_get_policy(sp, mp);
1608 }
1609
1610 int
1611 ipsec6_delete_pcbpolicy(in6p)
1612 struct in6pcb *in6p;
1613 {
1614 /* sanity check. */
1615 if (in6p == NULL)
1616 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1617
1618 if (in6p->in6p_sp == NULL)
1619 return 0;
1620
1621 if (in6p->in6p_sp->sp_in != NULL) {
1622 key_freesp(in6p->in6p_sp->sp_in);
1623 in6p->in6p_sp->sp_in = NULL;
1624 }
1625
1626 if (in6p->in6p_sp->sp_out != NULL) {
1627 key_freesp(in6p->in6p_sp->sp_out);
1628 in6p->in6p_sp->sp_out = NULL;
1629 }
1630
1631 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1632
1633 ipsec_delpcbpolicy(in6p->in6p_sp);
1634 in6p->in6p_sp = NULL;
1635
1636 return 0;
1637 }
1638 #endif
1639
1640 /*
1641 * return current level.
1642 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1643 */
1644 u_int
1645 ipsec_get_reqlevel(isr, af)
1646 struct ipsecrequest *isr;
1647 int af;
1648 {
1649 u_int level = 0;
1650 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1651
1652 /* sanity check */
1653 if (isr == NULL || isr->sp == NULL)
1654 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1655
1656 /* set default level */
1657 switch (af) {
1658 #ifdef INET
1659 case AF_INET:
1660 esp_trans_deflev = ip4_esp_trans_deflev;
1661 esp_net_deflev = ip4_esp_net_deflev;
1662 ah_trans_deflev = ip4_ah_trans_deflev;
1663 ah_net_deflev = ip4_ah_net_deflev;
1664 break;
1665 #endif
1666 #ifdef INET6
1667 case AF_INET6:
1668 esp_trans_deflev = ip6_esp_trans_deflev;
1669 esp_net_deflev = ip6_esp_net_deflev;
1670 ah_trans_deflev = ip6_ah_trans_deflev;
1671 ah_net_deflev = ip6_ah_net_deflev;
1672 break;
1673 #endif /* INET6 */
1674 default:
1675 panic("key_get_reqlevel: Unknown family. %d",
1676 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family);
1677 }
1678
1679 /* set level */
1680 switch (isr->level) {
1681 case IPSEC_LEVEL_DEFAULT:
1682 switch (isr->saidx.proto) {
1683 case IPPROTO_ESP:
1684 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1685 level = esp_net_deflev;
1686 else
1687 level = esp_trans_deflev;
1688 break;
1689 case IPPROTO_AH:
1690 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1691 level = ah_net_deflev;
1692 else
1693 level = ah_trans_deflev;
1694 break;
1695 case IPPROTO_IPCOMP:
1696 /*
1697 * we don't really care, as IPcomp document says that
1698 * we shouldn't compress small packets
1699 */
1700 level = IPSEC_LEVEL_USE;
1701 break;
1702 default:
1703 panic("ipsec_get_reqlevel: "
1704 "Illegal protocol defined %u\n",
1705 isr->saidx.proto);
1706 }
1707 break;
1708
1709 case IPSEC_LEVEL_USE:
1710 case IPSEC_LEVEL_REQUIRE:
1711 level = isr->level;
1712 break;
1713 case IPSEC_LEVEL_UNIQUE:
1714 level = IPSEC_LEVEL_REQUIRE;
1715 break;
1716
1717 default:
1718 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1719 isr->level);
1720 }
1721
1722 return level;
1723 }
1724
1725 /*
1726 * Check AH/ESP integrity.
1727 * OUT:
1728 * 0: valid
1729 * 1: invalid
1730 */
1731 static int
1732 ipsec_in_reject(sp, m)
1733 struct secpolicy *sp;
1734 struct mbuf *m;
1735 {
1736 struct ipsecrequest *isr;
1737 u_int level;
1738 int need_auth, need_conf, need_icv;
1739
1740 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1741 printf("ipsec_in_reject: using SP\n");
1742 kdebug_secpolicy(sp));
1743
1744 /* check policy */
1745 switch (sp->policy) {
1746 case IPSEC_POLICY_DISCARD:
1747 return 1;
1748 case IPSEC_POLICY_BYPASS:
1749 case IPSEC_POLICY_NONE:
1750 return 0;
1751
1752 case IPSEC_POLICY_IPSEC:
1753 break;
1754
1755 case IPSEC_POLICY_ENTRUST:
1756 default:
1757 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy);
1758 }
1759
1760 need_auth = 0;
1761 need_conf = 0;
1762 need_icv = 0;
1763
1764 /* XXX should compare policy against ipsec header history */
1765
1766 for (isr = sp->req; isr != NULL; isr = isr->next) {
1767 /* get current level */
1768 level = ipsec_get_reqlevel(isr, AF_INET);
1769
1770 switch (isr->saidx.proto) {
1771 case IPPROTO_ESP:
1772 if (level == IPSEC_LEVEL_REQUIRE) {
1773 need_conf++;
1774
1775 if (isr->sav != NULL
1776 && isr->sav->flags == SADB_X_EXT_NONE
1777 && isr->sav->alg_auth != SADB_AALG_NONE)
1778 need_icv++;
1779 }
1780 break;
1781 case IPPROTO_AH:
1782 if (level == IPSEC_LEVEL_REQUIRE) {
1783 need_auth++;
1784 need_icv++;
1785 }
1786 break;
1787 case IPPROTO_IPCOMP:
1788 /*
1789 * we don't really care, as IPcomp document says that
1790 * we shouldn't compress small packets, IPComp policy
1791 * should always be treated as being in "use" level.
1792 */
1793 break;
1794 }
1795 }
1796
1797 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1798 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1799 need_auth, need_conf, need_icv, m->m_flags));
1800
1801 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1802 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1803 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1804 return 1;
1805
1806 return 0;
1807 }
1808
1809 /*
1810 * Check AH/ESP integrity.
1811 * This function is called from tcp_input(), udp_input(),
1812 * and {ah,esp}4_input for tunnel mode
1813 */
1814 int
1815 ipsec4_in_reject(m, inp)
1816 struct mbuf *m;
1817 struct inpcb *inp;
1818 {
1819 struct secpolicy *sp = NULL;
1820 int error;
1821 int result;
1822
1823 /* sanity check */
1824 if (m == NULL)
1825 return 0; /* XXX should be panic ? */
1826
1827 /* get SP for this packet.
1828 * When we are called from ip_forward(), we call
1829 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1830 */
1831 if (inp == NULL)
1832 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1833 IP_FORWARDING, &error);
1834 else
1835 sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error);
1836
1837 /* XXX should be panic ? -> No, there may be error. */
1838 if (sp == NULL)
1839 return 0;
1840
1841 result = ipsec_in_reject(sp, m);
1842 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1843 printf("DP ipsec4_in_reject call free SP:%p\n", sp));
1844 key_freesp(sp);
1845
1846 return result;
1847 }
1848
1849 #ifdef INET6
1850 /*
1851 * Check AH/ESP integrity.
1852 * This function is called from tcp6_input(), udp6_input(),
1853 * and {ah,esp}6_input for tunnel mode
1854 */
1855 int
1856 ipsec6_in_reject(m, in6p)
1857 struct mbuf *m;
1858 struct in6pcb *in6p;
1859 {
1860 struct secpolicy *sp = NULL;
1861 int error;
1862 int result;
1863
1864 /* sanity check */
1865 if (m == NULL)
1866 return 0; /* XXX should be panic ? */
1867
1868 /* get SP for this packet.
1869 * When we are called from ip_forward(), we call
1870 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1871 */
1872 if (in6p == NULL)
1873 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1874 IP_FORWARDING, &error);
1875 else
1876 sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error);
1877
1878 if (sp == NULL)
1879 return 0; /* XXX should be panic ? */
1880
1881 result = ipsec_in_reject(sp, m);
1882 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1883 printf("DP ipsec6_in_reject call free SP:%p\n", sp));
1884 key_freesp(sp);
1885
1886 return result;
1887 }
1888 #endif
1889
1890 /*
1891 * compute the byte size to be occupied by IPsec header.
1892 * in case it is tunneled, it includes the size of outer IP header.
1893 * NOTE: SP passed is free in this function.
1894 */
1895 static size_t
1896 ipsec_hdrsiz(sp)
1897 struct secpolicy *sp;
1898 {
1899 struct ipsecrequest *isr;
1900 size_t siz, clen;
1901
1902 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1903 printf("ipsec_hdrsiz: using SP\n");
1904 kdebug_secpolicy(sp));
1905
1906 /* check policy */
1907 switch (sp->policy) {
1908 case IPSEC_POLICY_DISCARD:
1909 case IPSEC_POLICY_BYPASS:
1910 case IPSEC_POLICY_NONE:
1911 return 0;
1912
1913 case IPSEC_POLICY_IPSEC:
1914 break;
1915
1916 case IPSEC_POLICY_ENTRUST:
1917 default:
1918 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1919 }
1920
1921 siz = 0;
1922
1923 for (isr = sp->req; isr != NULL; isr = isr->next) {
1924
1925 clen = 0;
1926
1927 switch (isr->saidx.proto) {
1928 case IPPROTO_ESP:
1929 #ifdef IPSEC_ESP
1930 clen = esp_hdrsiz(isr);
1931 #else
1932 clen = 0; /* XXX */
1933 #endif
1934 break;
1935 case IPPROTO_AH:
1936 clen = ah_hdrsiz(isr);
1937 break;
1938 case IPPROTO_IPCOMP:
1939 clen = sizeof(struct ipcomp);
1940 break;
1941 }
1942
1943 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1944 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1945 case AF_INET:
1946 clen += sizeof(struct ip);
1947 break;
1948 #ifdef INET6
1949 case AF_INET6:
1950 clen += sizeof(struct ip6_hdr);
1951 break;
1952 #endif
1953 default:
1954 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1955 "unknown AF %d in IPsec tunnel SA\n",
1956 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1957 break;
1958 }
1959 }
1960 siz += clen;
1961 }
1962
1963 return siz;
1964 }
1965
1966 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1967 size_t
1968 ipsec4_hdrsiz(m, dir, inp)
1969 struct mbuf *m;
1970 u_int dir;
1971 struct inpcb *inp;
1972 {
1973 struct secpolicy *sp = NULL;
1974 int error;
1975 size_t size;
1976
1977 /* sanity check */
1978 if (m == NULL)
1979 return 0; /* XXX should be panic ? */
1980 #if 0
1981 /* this is possible in TIME_WAIT state */
1982 if (inp != NULL && inp->inp_socket == NULL)
1983 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1984 #endif
1985
1986 /* get SP for this packet.
1987 * When we are called from ip_forward(), we call
1988 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1989 */
1990 if (inp == NULL)
1991 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1992 else
1993 sp = ipsec4_getpolicybypcb(m, dir, inp, &error);
1994
1995 if (sp == NULL)
1996 return 0; /* XXX should be panic ? */
1997
1998 size = ipsec_hdrsiz(sp);
1999 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2000 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
2001 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2002 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
2003 key_freesp(sp);
2004
2005 return size;
2006 }
2007
2008 #ifdef INET6
2009 /* This function is called from ipsec6_hdrsize_tcp(),
2010 * and maybe from ip6_forward.()
2011 */
2012 size_t
2013 ipsec6_hdrsiz(m, dir, in6p)
2014 struct mbuf *m;
2015 u_int dir;
2016 struct in6pcb *in6p;
2017 {
2018 struct secpolicy *sp = NULL;
2019 int error;
2020 size_t size;
2021
2022 /* sanity check */
2023 if (m == NULL)
2024 return 0; /* XXX should be panic ? */
2025 #if 0
2026 /* this is possible in TIME_WAIT state */
2027 if (in6p != NULL && in6p->in6p_socket == NULL)
2028 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2029 #endif
2030
2031 /* get SP for this packet */
2032 /* XXX Is it right to call with IP_FORWARDING. */
2033 if (in6p == NULL)
2034 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2035 else
2036 sp = ipsec6_getpolicybypcb(m, dir, in6p, &error);
2037
2038 if (sp == NULL)
2039 return 0;
2040 size = ipsec_hdrsiz(sp);
2041 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2042 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
2043 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2044 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
2045 key_freesp(sp);
2046
2047 return size;
2048 }
2049 #endif /* INET6 */
2050
2051 #ifdef INET
2052 /*
2053 * encapsulate for ipsec tunnel.
2054 * ip->ip_src must be fixed later on.
2055 */
2056 static int
2057 ipsec4_encapsulate(m, sav)
2058 struct mbuf *m;
2059 struct secasvar *sav;
2060 {
2061 struct ip *oip;
2062 struct ip *ip;
2063 size_t hlen;
2064 size_t plen;
2065
2066 /* can't tunnel between different AFs */
2067 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2068 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2069 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2070 m_freem(m);
2071 return EINVAL;
2072 }
2073 #if 0
2074 /* XXX if the dst is myself, perform nothing. */
2075 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2076 m_freem(m);
2077 return EINVAL;
2078 }
2079 #endif
2080
2081 if (m->m_len < sizeof(*ip))
2082 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2083
2084 ip = mtod(m, struct ip *);
2085 #ifdef _IP_VHL
2086 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
2087 #else
2088 hlen = ip->ip_hl << 2;
2089 #endif
2090
2091 if (m->m_len != hlen)
2092 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2093
2094 /* generate header checksum */
2095 ip->ip_sum = 0;
2096 #ifdef _IP_VHL
2097 if (ip->ip_vhl == IP_VHL_BORING)
2098 ip->ip_sum = in_cksum_hdr(ip);
2099 else
2100 ip->ip_sum = in_cksum(m, hlen);
2101 #else
2102 ip->ip_sum = in_cksum(m, hlen);
2103 #endif
2104
2105 plen = m->m_pkthdr.len;
2106
2107 /*
2108 * grow the mbuf to accomodate the new IPv4 header.
2109 * NOTE: IPv4 options will never be copied.
2110 */
2111 if (M_LEADINGSPACE(m->m_next) < hlen) {
2112 struct mbuf *n;
2113 MGET(n, M_DONTWAIT, MT_DATA);
2114 if (!n) {
2115 m_freem(m);
2116 return ENOBUFS;
2117 }
2118 n->m_len = hlen;
2119 n->m_next = m->m_next;
2120 m->m_next = n;
2121 m->m_pkthdr.len += hlen;
2122 oip = mtod(n, struct ip *);
2123 } else {
2124 m->m_next->m_len += hlen;
2125 m->m_next->m_data -= hlen;
2126 m->m_pkthdr.len += hlen;
2127 oip = mtod(m->m_next, struct ip *);
2128 }
2129 ip = mtod(m, struct ip *);
2130 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2131 m->m_len = sizeof(struct ip);
2132 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2133
2134 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2135 /* ECN consideration. */
2136 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2137 #ifdef _IP_VHL
2138 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2139 #else
2140 ip->ip_hl = sizeof(struct ip) >> 2;
2141 #endif
2142 ip->ip_off &= htons(~IP_OFFMASK);
2143 ip->ip_off &= htons(~IP_MF);
2144 switch (ip4_ipsec_dfbit) {
2145 case 0: /* clear DF bit */
2146 ip->ip_off &= htons(~IP_DF);
2147 break;
2148 case 1: /* set DF bit */
2149 ip->ip_off |= htons(IP_DF);
2150 break;
2151 default: /* copy DF bit */
2152 break;
2153 }
2154 ip->ip_p = IPPROTO_IPIP;
2155 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2156 ip->ip_len = htons(plen + sizeof(struct ip));
2157 else {
2158 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2159 "leave ip_len as is (invalid packet)\n"));
2160 }
2161 ip->ip_id = ip_newid();
2162 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2163 &ip->ip_src, sizeof(ip->ip_src));
2164 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2165 &ip->ip_dst, sizeof(ip->ip_dst));
2166 ip->ip_ttl = IPDEFTTL;
2167
2168 /* XXX Should ip_src be updated later ? */
2169
2170 return 0;
2171 }
2172 #endif /* INET */
2173
2174 #ifdef INET6
2175 static int
2176 ipsec6_encapsulate(m, sav)
2177 struct mbuf *m;
2178 struct secasvar *sav;
2179 {
2180 struct ip6_hdr *oip6;
2181 struct ip6_hdr *ip6;
2182 size_t plen;
2183
2184 /* can't tunnel between different AFs */
2185 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2186 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2187 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2188 m_freem(m);
2189 return EINVAL;
2190 }
2191 #if 0
2192 /* XXX if the dst is myself, perform nothing. */
2193 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2194 m_freem(m);
2195 return EINVAL;
2196 }
2197 #endif
2198
2199 plen = m->m_pkthdr.len;
2200
2201 /*
2202 * grow the mbuf to accomodate the new IPv6 header.
2203 */
2204 if (m->m_len != sizeof(struct ip6_hdr))
2205 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2206 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2207 struct mbuf *n;
2208 MGET(n, M_DONTWAIT, MT_DATA);
2209 if (!n) {
2210 m_freem(m);
2211 return ENOBUFS;
2212 }
2213 n->m_len = sizeof(struct ip6_hdr);
2214 n->m_next = m->m_next;
2215 m->m_next = n;
2216 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2217 oip6 = mtod(n, struct ip6_hdr *);
2218 } else {
2219 m->m_next->m_len += sizeof(struct ip6_hdr);
2220 m->m_next->m_data -= sizeof(struct ip6_hdr);
2221 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2222 oip6 = mtod(m->m_next, struct ip6_hdr *);
2223 }
2224 ip6 = mtod(m, struct ip6_hdr *);
2225 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2226
2227 /* XXX: Fake scoped addresses */
2228 in6_clearscope(&oip6->ip6_src);
2229 in6_clearscope(&oip6->ip6_dst);
2230
2231 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2232 /* ECN consideration. */
2233 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2234 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2235 ip6->ip6_plen = htons(plen);
2236 else {
2237 /* ip6->ip6_plen will be updated in ip6_output() */
2238 }
2239 ip6->ip6_nxt = IPPROTO_IPV6;
2240 in6_embedscope(&ip6->ip6_src,
2241 (struct sockaddr_in6 *)&sav->sah->saidx.src, NULL, NULL);
2242 in6_embedscope(&ip6->ip6_dst,
2243 (struct sockaddr_in6 *)&sav->sah->saidx.dst, NULL, NULL);
2244 ip6->ip6_hlim = IPV6_DEFHLIM;
2245
2246 /* XXX Should ip6_src be updated later ? */
2247
2248 return 0;
2249 }
2250 #endif /* INET6 */
2251
2252 /*
2253 * Check the variable replay window.
2254 * ipsec_chkreplay() performs replay check before ICV verification.
2255 * ipsec_updatereplay() updates replay bitmap. This must be called after
2256 * ICV verification (it also performs replay check, which is usually done
2257 * beforehand).
2258 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2259 *
2260 * based on RFC 2401.
2261 *
2262 * XXX need to update for 64bit sequence number - 2401bis
2263 */
2264 int
2265 ipsec_chkreplay(seq, sav)
2266 u_int32_t seq;
2267 struct secasvar *sav;
2268 {
2269 const struct secreplay *replay;
2270 u_int32_t diff;
2271 int fr;
2272 u_int32_t wsizeb; /* constant: bits of window size */
2273 int frlast; /* constant: last frame */
2274
2275 /* sanity check */
2276 if (sav == NULL)
2277 panic("ipsec_chkreplay: NULL pointer was passed.");
2278
2279 replay = sav->replay;
2280
2281 if (replay->wsize == 0)
2282 return 1; /* no need to check replay. */
2283
2284 /* constant */
2285 frlast = replay->wsize - 1;
2286 wsizeb = replay->wsize << 3;
2287
2288 /* sequence number of 0 is invalid */
2289 if (seq == 0)
2290 return 0;
2291
2292 /* first time is always okay */
2293 if (replay->count == 0)
2294 return 1;
2295
2296 if (seq > replay->lastseq) {
2297 /* larger sequences are okay */
2298 return 1;
2299 } else {
2300 /* seq is equal or less than lastseq. */
2301 diff = replay->lastseq - seq;
2302
2303 /* over range to check, i.e. too old or wrapped */
2304 if (diff >= wsizeb)
2305 return 0;
2306
2307 fr = frlast - diff / 8;
2308
2309 /* this packet already seen ? */
2310 if (replay->bitmap[fr] & (1 << (diff % 8)))
2311 return 0;
2312
2313 /* out of order but good */
2314 return 1;
2315 }
2316 }
2317
2318 /*
2319 * check replay counter whether to update or not.
2320 * OUT: 0: OK
2321 * 1: NG
2322 * XXX need to update for 64bit sequence number - 2401bis
2323 */
2324 int
2325 ipsec_updatereplay(seq, sav)
2326 u_int32_t seq;
2327 struct secasvar *sav;
2328 {
2329 struct secreplay *replay;
2330 u_int64_t diff;
2331 int fr;
2332 u_int32_t wsizeb; /* constant: bits of window size */
2333 int frlast; /* constant: last frame */
2334
2335 /* sanity check */
2336 if (sav == NULL)
2337 panic("ipsec_chkreplay: NULL pointer was passed.");
2338
2339 replay = sav->replay;
2340
2341 if (replay->wsize == 0)
2342 goto ok; /* no need to check replay. */
2343
2344 /* constant */
2345 frlast = replay->wsize - 1;
2346 wsizeb = replay->wsize << 3;
2347
2348 /* sequence number of 0 is invalid */
2349 if (seq == 0)
2350 return 1;
2351
2352 /* first time */
2353 if (replay->count == 0) {
2354 replay->lastseq = seq;
2355 bzero(replay->bitmap, replay->wsize);
2356 replay->bitmap[frlast] = 1;
2357 goto ok;
2358 }
2359
2360 if (seq > replay->lastseq) {
2361 /* seq is larger than lastseq. */
2362 diff = seq - replay->lastseq;
2363
2364 /* new larger sequence number */
2365 if (diff < wsizeb) {
2366 /* In window */
2367 /* set bit for this packet */
2368 vshiftl(replay->bitmap, diff, replay->wsize);
2369 replay->bitmap[frlast] |= 1;
2370 } else {
2371 /* this packet has a "way larger" */
2372 bzero(replay->bitmap, replay->wsize);
2373 replay->bitmap[frlast] = 1;
2374 }
2375 replay->lastseq = seq;
2376
2377 /* larger is good */
2378 } else {
2379 /* seq is equal or less than lastseq. */
2380 diff = replay->lastseq - seq;
2381
2382 /* over range to check, i.e. too old or wrapped */
2383 if (diff >= wsizeb)
2384 return 1;
2385
2386 fr = frlast - diff / 8;
2387
2388 /* this packet already seen ? */
2389 if (replay->bitmap[fr] & (1 << (diff % 8)))
2390 return 1;
2391
2392 /* mark as seen */
2393 replay->bitmap[fr] |= (1 << (diff % 8));
2394
2395 /* out of order but good */
2396 }
2397
2398 ok:
2399 if (replay->count == 0xffffffff) {
2400
2401 /* set overflow flag */
2402 replay->overflow++;
2403
2404 /* don't increment, no more packets accepted */
2405 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2406 return 1;
2407
2408 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2409 replay->overflow, ipsec_logsastr(sav)));
2410 }
2411
2412 replay->count++;
2413
2414 return 0;
2415 }
2416
2417 /*
2418 * shift variable length buffer to left.
2419 * IN: bitmap: pointer to the buffer
2420 * nbit: the number of to shift.
2421 * wsize: buffer size (bytes).
2422 */
2423 static void
2424 vshiftl(bitmap, nbit, wsize)
2425 unsigned char *bitmap;
2426 int nbit, wsize;
2427 {
2428 int s, j, i;
2429 unsigned char over;
2430
2431 for (j = 0; j < nbit; j += 8) {
2432 s = (nbit - j < 8) ? (nbit - j): 8;
2433 bitmap[0] <<= s;
2434 for (i = 1; i < wsize; i++) {
2435 over = (bitmap[i] >> (8 - s));
2436 bitmap[i] <<= s;
2437 bitmap[i - 1] |= over;
2438 }
2439 }
2440
2441 return;
2442 }
2443
2444 const char *
2445 ipsec4_logpacketstr(ip, spi)
2446 struct ip *ip;
2447 u_int32_t spi;
2448 {
2449 static char buf[256];
2450 char *p;
2451 u_int8_t *s, *d;
2452
2453 s = (u_int8_t *)(&ip->ip_src);
2454 d = (u_int8_t *)(&ip->ip_dst);
2455
2456 p = buf;
2457 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2458 while (p && *p)
2459 p++;
2460 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2461 s[0], s[1], s[2], s[3]);
2462 while (p && *p)
2463 p++;
2464 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2465 d[0], d[1], d[2], d[3]);
2466 while (p && *p)
2467 p++;
2468 snprintf(p, sizeof(buf) - (p - buf), ")");
2469
2470 return buf;
2471 }
2472
2473 #ifdef INET6
2474 const char *
2475 ipsec6_logpacketstr(ip6, spi)
2476 struct ip6_hdr *ip6;
2477 u_int32_t spi;
2478 {
2479 static char buf[256];
2480 char *p;
2481
2482 p = buf;
2483 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2484 while (p && *p)
2485 p++;
2486 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2487 ip6_sprintf(&ip6->ip6_src));
2488 while (p && *p)
2489 p++;
2490 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2491 ip6_sprintf(&ip6->ip6_dst));
2492 while (p && *p)
2493 p++;
2494 snprintf(p, sizeof(buf) - (p - buf), ")");
2495
2496 return buf;
2497 }
2498 #endif /* INET6 */
2499
2500 const char *
2501 ipsec_logsastr(sav)
2502 struct secasvar *sav;
2503 {
2504 static char buf[256];
2505 char *p;
2506 struct secasindex *saidx = &sav->sah->saidx;
2507
2508 /* validity check */
2509 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2510 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2511 panic("ipsec_logsastr: family mismatched.");
2512
2513 p = buf;
2514 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2515 while (p && *p)
2516 p++;
2517 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2518 u_int8_t *s, *d;
2519 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2520 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2521 snprintf(p, sizeof(buf) - (p - buf),
2522 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2523 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2524 }
2525 #ifdef INET6
2526 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2527 snprintf(p, sizeof(buf) - (p - buf),
2528 "src=%s",
2529 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2530 while (p && *p)
2531 p++;
2532 snprintf(p, sizeof(buf) - (p - buf),
2533 " dst=%s",
2534 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2535 }
2536 #endif
2537 while (p && *p)
2538 p++;
2539 snprintf(p, sizeof(buf) - (p - buf), ")");
2540
2541 return buf;
2542 }
2543
2544 void
2545 ipsec_dumpmbuf(m)
2546 struct mbuf *m;
2547 {
2548 int totlen;
2549 int i;
2550 u_char *p;
2551
2552 totlen = 0;
2553 printf("---\n");
2554 while (m) {
2555 p = mtod(m, u_char *);
2556 for (i = 0; i < m->m_len; i++) {
2557 printf("%02x ", p[i]);
2558 totlen++;
2559 if (totlen % 16 == 0)
2560 printf("\n");
2561 }
2562 m = m->m_next;
2563 }
2564 if (totlen % 16 != 0)
2565 printf("\n");
2566 printf("---\n");
2567 }
2568
2569 #ifdef INET
2570 static int
2571 ipsec4_checksa(isr, state)
2572 struct ipsecrequest *isr;
2573 struct ipsec_output_state *state;
2574 {
2575 struct ip *ip;
2576 struct secasindex saidx;
2577 struct sockaddr_in *sin;
2578
2579 /* make SA index for search proper SA */
2580 ip = mtod(state->m, struct ip *);
2581 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2582 saidx.mode = isr->saidx.mode;
2583 saidx.reqid = isr->saidx.reqid;
2584 sin = (struct sockaddr_in *)&saidx.src;
2585 if (sin->sin_len == 0) {
2586 sin->sin_len = sizeof(*sin);
2587 sin->sin_family = AF_INET;
2588 sin->sin_port = IPSEC_PORT_ANY;
2589 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
2590 }
2591 sin = (struct sockaddr_in *)&saidx.dst;
2592 if (sin->sin_len == 0) {
2593 sin->sin_len = sizeof(*sin);
2594 sin->sin_family = AF_INET;
2595 sin->sin_port = IPSEC_PORT_ANY;
2596 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
2597 }
2598
2599 return key_checkrequest(isr, &saidx);
2600 }
2601 /*
2602 * IPsec output logic for IPv4.
2603 */
2604 int
2605 ipsec4_output(state, sp, flags)
2606 struct ipsec_output_state *state;
2607 struct secpolicy *sp;
2608 int flags;
2609 {
2610 struct ip *ip = NULL;
2611 struct ipsecrequest *isr = NULL;
2612 int s;
2613 int error;
2614 struct sockaddr_in *dst4;
2615
2616 if (!state)
2617 panic("state == NULL in ipsec4_output");
2618 if (!state->m)
2619 panic("state->m == NULL in ipsec4_output");
2620 if (!state->ro)
2621 panic("state->ro == NULL in ipsec4_output");
2622 if (!state->dst)
2623 panic("state->dst == NULL in ipsec4_output");
2624 state->encap = 0;
2625
2626 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2627 printf("ipsec4_output: applyed SP\n");
2628 kdebug_secpolicy(sp));
2629
2630 for (isr = sp->req; isr != NULL; isr = isr->next) {
2631
2632 #if 0 /* give up to check restriction of transport mode */
2633 /* XXX but should be checked somewhere */
2634 /*
2635 * some of the IPsec operation must be performed only in
2636 * originating case.
2637 */
2638 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2639 && (flags & IP_FORWARDING))
2640 continue;
2641 #endif
2642 error = ipsec4_checksa(isr, state);
2643 if (error != 0) {
2644 /*
2645 * IPsec processing is required, but no SA found.
2646 * I assume that key_acquire() had been called
2647 * to get/establish the SA. Here I discard
2648 * this packet because it is responsibility for
2649 * upper layer to retransmit the packet.
2650 */
2651 ipsecstat.out_nosa++;
2652 goto bad;
2653 }
2654
2655 /* validity check */
2656 if (isr->sav == NULL) {
2657 switch (ipsec_get_reqlevel(isr, AF_INET)) {
2658 case IPSEC_LEVEL_USE:
2659 continue;
2660 case IPSEC_LEVEL_REQUIRE:
2661 /* must be not reached here. */
2662 panic("ipsec4_output: no SA found, but required.");
2663 }
2664 }
2665
2666 /*
2667 * If there is no valid SA, we give up to process any
2668 * more. In such a case, the SA's status is changed
2669 * from DYING to DEAD after allocating. If a packet
2670 * send to the receiver by dead SA, the receiver can
2671 * not decode a packet because SA has been dead.
2672 */
2673 if (isr->sav->state != SADB_SASTATE_MATURE
2674 && isr->sav->state != SADB_SASTATE_DYING) {
2675 ipsecstat.out_nosa++;
2676 error = EINVAL;
2677 goto bad;
2678 }
2679
2680 /*
2681 * There may be the case that SA status will be changed when
2682 * we are refering to one. So calling splsoftnet().
2683 */
2684 s = splnet();
2685
2686 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2687 /*
2688 * build IPsec tunnel.
2689 */
2690 /* XXX should be processed with other familiy */
2691 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2692 ipseclog((LOG_ERR, "ipsec4_output: "
2693 "family mismatched between inner and outer spi=%u\n",
2694 (u_int32_t)ntohl(isr->sav->spi)));
2695 splx(s);
2696 error = EAFNOSUPPORT;
2697 goto bad;
2698 }
2699
2700 state->m = ipsec4_splithdr(state->m);
2701 if (!state->m) {
2702 splx(s);
2703 error = ENOMEM;
2704 goto bad;
2705 }
2706 error = ipsec4_encapsulate(state->m, isr->sav);
2707 splx(s);
2708 if (error) {
2709 state->m = NULL;
2710 goto bad;
2711 }
2712 ip = mtod(state->m, struct ip *);
2713
2714 state->ro = &isr->sav->sah->sa_route;
2715 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2716 dst4 = (struct sockaddr_in *)state->dst;
2717 if (state->ro->ro_rt
2718 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2719 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2720 RTFREE(state->ro->ro_rt);
2721 state->ro->ro_rt = NULL;
2722 }
2723 if (state->ro->ro_rt == 0) {
2724 dst4->sin_family = AF_INET;
2725 dst4->sin_len = sizeof(*dst4);
2726 dst4->sin_addr = ip->ip_dst;
2727 rtalloc(state->ro);
2728 }
2729 if (state->ro->ro_rt == 0) {
2730 ipstat.ips_noroute++;
2731 error = EHOSTUNREACH;
2732 goto bad;
2733 }
2734
2735 /* adjust state->dst if tunnel endpoint is offlink */
2736 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2737 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2738 dst4 = (struct sockaddr_in *)state->dst;
2739 }
2740
2741 state->encap++;
2742 } else
2743 splx(s);
2744
2745 state->m = ipsec4_splithdr(state->m);
2746 if (!state->m) {
2747 error = ENOMEM;
2748 goto bad;
2749 }
2750 switch (isr->saidx.proto) {
2751 case IPPROTO_ESP:
2752 #ifdef IPSEC_ESP
2753 if ((error = esp4_output(state->m, isr)) != 0) {
2754 state->m = NULL;
2755 goto bad;
2756 }
2757 break;
2758 #else
2759 m_freem(state->m);
2760 state->m = NULL;
2761 error = EINVAL;
2762 goto bad;
2763 #endif
2764 case IPPROTO_AH:
2765 if ((error = ah4_output(state->m, isr)) != 0) {
2766 state->m = NULL;
2767 goto bad;
2768 }
2769 break;
2770 case IPPROTO_IPCOMP:
2771 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2772 state->m = NULL;
2773 goto bad;
2774 }
2775 break;
2776 default:
2777 ipseclog((LOG_ERR,
2778 "ipsec4_output: unknown ipsec protocol %d\n",
2779 isr->saidx.proto));
2780 m_freem(state->m);
2781 state->m = NULL;
2782 error = EINVAL;
2783 goto bad;
2784 }
2785
2786 if (state->m == 0) {
2787 error = ENOMEM;
2788 goto bad;
2789 }
2790 ip = mtod(state->m, struct ip *);
2791 }
2792
2793 return 0;
2794
2795 bad:
2796 m_freem(state->m);
2797 state->m = NULL;
2798 return error;
2799 }
2800 #endif
2801
2802 #ifdef INET6
2803 static int
2804 ipsec6_checksa(isr, state, tunnel)
2805 struct ipsecrequest *isr;
2806 struct ipsec_output_state *state;
2807 int tunnel;
2808 {
2809 struct ip6_hdr *ip6;
2810 struct secasindex saidx;
2811 struct sockaddr_in6 *sin6;
2812
2813 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2814 #ifdef DIAGNOSTIC
2815 if (!tunnel)
2816 panic("ipsec6_checksa/inconsistent tunnel attribute");
2817 #endif
2818 /* When tunnel mode, SA peers must be specified. */
2819 return key_checkrequest(isr, &isr->saidx);
2820 }
2821
2822 /* make SA index for search proper SA */
2823 ip6 = mtod(state->m, struct ip6_hdr *);
2824 if (tunnel) {
2825 bzero(&saidx, sizeof(saidx));
2826 saidx.proto = isr->saidx.proto;
2827 } else
2828 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2829 saidx.mode = isr->saidx.mode;
2830 saidx.reqid = isr->saidx.reqid;
2831 sin6 = (struct sockaddr_in6 *)&saidx.src;
2832 if (sin6->sin6_len == 0 || tunnel) {
2833 sin6->sin6_len = sizeof(*sin6);
2834 sin6->sin6_family = AF_INET6;
2835 sin6->sin6_port = IPSEC_PORT_ANY;
2836 in6_recoverscope(sin6, &ip6->ip6_src, NULL);
2837 }
2838 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2839 if (sin6->sin6_len == 0 || tunnel) {
2840 sin6->sin6_len = sizeof(*sin6);
2841 sin6->sin6_family = AF_INET6;
2842 sin6->sin6_port = IPSEC_PORT_ANY;
2843 in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
2844 }
2845
2846 return key_checkrequest(isr, &saidx);
2847 }
2848
2849 /*
2850 * IPsec output logic for IPv6, transport mode.
2851 */
2852 int
2853 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
2854 struct ipsec_output_state *state;
2855 u_char *nexthdrp;
2856 struct mbuf *mprev;
2857 struct secpolicy *sp;
2858 int flags;
2859 int *tun;
2860 {
2861 struct ip6_hdr *ip6;
2862 struct ipsecrequest *isr = NULL;
2863 int error = 0;
2864 int plen;
2865
2866 if (!state)
2867 panic("state == NULL in ipsec6_output_trans");
2868 if (!state->m)
2869 panic("state->m == NULL in ipsec6_output_trans");
2870 if (!nexthdrp)
2871 panic("nexthdrp == NULL in ipsec6_output_trans");
2872 if (!mprev)
2873 panic("mprev == NULL in ipsec6_output_trans");
2874 if (!sp)
2875 panic("sp == NULL in ipsec6_output_trans");
2876 if (!tun)
2877 panic("tun == NULL in ipsec6_output_trans");
2878
2879 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2880 printf("ipsec6_output_trans: applyed SP\n");
2881 kdebug_secpolicy(sp));
2882
2883 *tun = 0;
2884 for (isr = sp->req; isr; isr = isr->next) {
2885 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2886 /* the rest will be handled by ipsec6_output_tunnel() */
2887 break;
2888 }
2889
2890 error = ipsec6_checksa(isr, state, 0);
2891 if (error == EIO)
2892 goto bad;
2893 if (error == ENOENT) {
2894 /*
2895 * IPsec processing is required, but no SA found.
2896 * I assume that key_acquire() had been called
2897 * to get/establish the SA. Here I discard
2898 * this packet because it is responsibility for
2899 * upper layer to retransmit the packet.
2900 */
2901 ipsec6stat.out_nosa++;
2902
2903 /*
2904 * Notify the fact that the packet is discarded
2905 * to ourselves. I believe this is better than
2906 * just silently discarding. (jinmei@kame.net)
2907 * XXX: should we restrict the error to TCP packets?
2908 * XXX: should we directly notify sockets via
2909 * pfctlinputs?
2910 *
2911 * Noone have initialized rcvif until this point,
2912 * so clear it.
2913 */
2914 if ((state->m->m_flags & M_PKTHDR) != 0)
2915 state->m->m_pkthdr.rcvif = NULL;
2916 icmp6_error(state->m, ICMP6_DST_UNREACH,
2917 ICMP6_DST_UNREACH_ADMIN, 0);
2918 state->m = NULL; /* icmp6_error freed the mbuf */
2919 goto bad;
2920 }
2921
2922 /* validity check */
2923 if (isr->sav == NULL) {
2924 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
2925 case IPSEC_LEVEL_USE:
2926 continue;
2927 case IPSEC_LEVEL_REQUIRE:
2928 /* must be not reached here. */
2929 panic("ipsec6_output_trans: no SA found, but required.");
2930 }
2931 }
2932
2933 /*
2934 * If there is no valid SA, we give up to process.
2935 * see same place at ipsec4_output().
2936 */
2937 if (isr->sav->state != SADB_SASTATE_MATURE
2938 && isr->sav->state != SADB_SASTATE_DYING) {
2939 ipsec6stat.out_nosa++;
2940 error = EINVAL;
2941 goto bad;
2942 }
2943
2944 switch (isr->saidx.proto) {
2945 case IPPROTO_ESP:
2946 #ifdef IPSEC_ESP
2947 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2948 #else
2949 m_freem(state->m);
2950 error = EINVAL;
2951 #endif
2952 break;
2953 case IPPROTO_AH:
2954 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2955 break;
2956 case IPPROTO_IPCOMP:
2957 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2958 break;
2959 default:
2960 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2961 "unknown ipsec protocol %d\n", isr->saidx.proto));
2962 m_freem(state->m);
2963 ipsec6stat.out_inval++;
2964 error = EINVAL;
2965 break;
2966 }
2967 if (error) {
2968 state->m = NULL;
2969 goto bad;
2970 }
2971 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2972 if (plen > IPV6_MAXPACKET) {
2973 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2974 "IPsec with IPv6 jumbogram is not supported\n"));
2975 ipsec6stat.out_inval++;
2976 error = EINVAL; /* XXX */
2977 goto bad;
2978 }
2979 ip6 = mtod(state->m, struct ip6_hdr *);
2980 ip6->ip6_plen = htons(plen);
2981 }
2982
2983 /* if we have more to go, we need a tunnel mode processing */
2984 if (isr != NULL)
2985 *tun = 1;
2986
2987 return 0;
2988
2989 bad:
2990 m_freem(state->m);
2991 state->m = NULL;
2992 return error;
2993 }
2994
2995 /*
2996 * IPsec output logic for IPv6, tunnel mode.
2997 */
2998 int
2999 ipsec6_output_tunnel(state, sp, flags)
3000 struct ipsec_output_state *state;
3001 struct secpolicy *sp;
3002 int flags;
3003 {
3004 struct ip6_hdr *ip6;
3005 struct ipsecrequest *isr = NULL;
3006 int error = 0;
3007 int plen;
3008 struct sockaddr_in6 *dst6;
3009 int s;
3010
3011 if (!state)
3012 panic("state == NULL in ipsec6_output_tunnel");
3013 if (!state->m)
3014 panic("state->m == NULL in ipsec6_output_tunnel");
3015 if (!sp)
3016 panic("sp == NULL in ipsec6_output_tunnel");
3017
3018 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3019 printf("ipsec6_output_tunnel: applyed SP\n");
3020 kdebug_secpolicy(sp));
3021
3022 /*
3023 * transport mode ipsec (before the 1st tunnel mode) is already
3024 * processed by ipsec6_output_trans().
3025 */
3026 for (isr = sp->req; isr; isr = isr->next) {
3027 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
3028 break;
3029 }
3030
3031 for (/* already initialized */; isr; isr = isr->next) {
3032 error = ipsec6_checksa(isr, state, 1);
3033 if (error == EIO)
3034 goto bad;
3035 if (error == ENOENT) {
3036 /*
3037 * IPsec processing is required, but no SA found.
3038 * I assume that key_acquire() had been called
3039 * to get/establish the SA. Here I discard
3040 * this packet because it is responsibility for
3041 * upper layer to retransmit the packet.
3042 */
3043 ipsec6stat.out_nosa++;
3044 error = ENOENT;
3045 goto bad;
3046 }
3047
3048 /* validity check */
3049 if (isr->sav == NULL) {
3050 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
3051 case IPSEC_LEVEL_USE:
3052 continue;
3053 case IPSEC_LEVEL_REQUIRE:
3054 /* must be not reached here. */
3055 panic("ipsec6_output_tunnel: no SA found, but required.");
3056 }
3057 }
3058
3059 /*
3060 * If there is no valid SA, we give up to process.
3061 * see same place at ipsec4_output().
3062 */
3063 if (isr->sav->state != SADB_SASTATE_MATURE
3064 && isr->sav->state != SADB_SASTATE_DYING) {
3065 ipsec6stat.out_nosa++;
3066 error = EINVAL;
3067 goto bad;
3068 }
3069
3070 /*
3071 * There may be the case that SA status will be changed when
3072 * we are refering to one. So calling splsoftnet().
3073 */
3074 s = splnet();
3075
3076 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3077 /*
3078 * build IPsec tunnel.
3079 */
3080 /* XXX should be processed with other familiy */
3081 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
3082 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3083 "family mismatched between inner and outer, spi=%u\n",
3084 (u_int32_t)ntohl(isr->sav->spi)));
3085 splx(s);
3086 ipsec6stat.out_inval++;
3087 error = EAFNOSUPPORT;
3088 goto bad;
3089 }
3090
3091 state->m = ipsec6_splithdr(state->m);
3092 if (!state->m) {
3093 splx(s);
3094 ipsec6stat.out_nomem++;
3095 error = ENOMEM;
3096 goto bad;
3097 }
3098 error = ipsec6_encapsulate(state->m, isr->sav);
3099 splx(s);
3100 if (error) {
3101 state->m = 0;
3102 goto bad;
3103 }
3104 ip6 = mtod(state->m, struct ip6_hdr *);
3105
3106 state->ro = &isr->sav->sah->sa_route;
3107 state->dst = (struct sockaddr *)&state->ro->ro_dst;
3108 dst6 = (struct sockaddr_in6 *)state->dst;
3109 if (state->ro->ro_rt &&
3110 (!(state->ro->ro_rt->rt_flags & RTF_UP) ||
3111 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr,
3112 &ip6->ip6_dst))) {
3113 RTFREE(state->ro->ro_rt);
3114 state->ro->ro_rt = NULL;
3115 }
3116 if (state->ro->ro_rt == 0) {
3117 bzero(dst6, sizeof(*dst6));
3118 dst6->sin6_family = AF_INET6;
3119 dst6->sin6_len = sizeof(*dst6);
3120 dst6->sin6_addr = ip6->ip6_dst;
3121 rtalloc(state->ro);
3122 }
3123 if (state->ro->ro_rt == 0) {
3124 ip6stat.ip6s_noroute++;
3125 ipsec6stat.out_noroute++;
3126 error = EHOSTUNREACH;
3127 goto bad;
3128 }
3129
3130 /* adjust state->dst if tunnel endpoint is offlink */
3131 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3132 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3133 dst6 = (struct sockaddr_in6 *)state->dst;
3134 }
3135 } else
3136 splx(s);
3137
3138 state->m = ipsec6_splithdr(state->m);
3139 if (!state->m) {
3140 ipsec6stat.out_nomem++;
3141 error = ENOMEM;
3142 goto bad;
3143 }
3144 ip6 = mtod(state->m, struct ip6_hdr *);
3145 switch (isr->saidx.proto) {
3146 case IPPROTO_ESP:
3147 #ifdef IPSEC_ESP
3148 error = esp6_output(state->m, &ip6->ip6_nxt,
3149 state->m->m_next, isr);
3150 #else
3151 m_freem(state->m);
3152 error = EINVAL;
3153 #endif
3154 break;
3155 case IPPROTO_AH:
3156 error = ah6_output(state->m, &ip6->ip6_nxt,
3157 state->m->m_next, isr);
3158 break;
3159 case IPPROTO_IPCOMP:
3160 /* XXX code should be here */
3161 /* FALLTHROUGH */
3162 default:
3163 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3164 "unknown ipsec protocol %d\n", isr->saidx.proto));
3165 m_freem(state->m);
3166 ipsec6stat.out_inval++;
3167 error = EINVAL;
3168 break;
3169 }
3170 if (error) {
3171 state->m = NULL;
3172 goto bad;
3173 }
3174 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3175 if (plen > IPV6_MAXPACKET) {
3176 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3177 "IPsec with IPv6 jumbogram is not supported\n"));
3178 ipsec6stat.out_inval++;
3179 error = EINVAL; /* XXX */
3180 goto bad;
3181 }
3182 ip6 = mtod(state->m, struct ip6_hdr *);
3183 ip6->ip6_plen = htons(plen);
3184 }
3185
3186 return 0;
3187
3188 bad:
3189 m_freem(state->m);
3190 state->m = NULL;
3191 return error;
3192 }
3193 #endif /* INET6 */
3194
3195 #ifdef INET
3196 /*
3197 * Chop IP header and option off from the payload.
3198 */
3199 static struct mbuf *
3200 ipsec4_splithdr(m)
3201 struct mbuf *m;
3202 {
3203 struct mbuf *mh;
3204 struct ip *ip;
3205 int hlen;
3206
3207 if (m->m_len < sizeof(struct ip))
3208 panic("ipsec4_splithdr: first mbuf too short");
3209 ip = mtod(m, struct ip *);
3210 #ifdef _IP_VHL
3211 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3212 #else
3213 hlen = ip->ip_hl << 2;
3214 #endif
3215 if (m->m_len > hlen) {
3216 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3217 if (!mh) {
3218 m_freem(m);
3219 return NULL;
3220 }
3221 M_MOVE_PKTHDR(mh, m);
3222 MH_ALIGN(mh, hlen);
3223 m->m_len -= hlen;
3224 m->m_data += hlen;
3225 mh->m_next = m;
3226 m = mh;
3227 m->m_len = hlen;
3228 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3229 } else if (m->m_len < hlen) {
3230 m = m_pullup(m, hlen);
3231 if (!m)
3232 return NULL;
3233 }
3234 return m;
3235 }
3236 #endif
3237
3238 #ifdef INET6
3239 static struct mbuf *
3240 ipsec6_splithdr(m)
3241 struct mbuf *m;
3242 {
3243 struct mbuf *mh;
3244 struct ip6_hdr *ip6;
3245 int hlen;
3246
3247 if (m->m_len < sizeof(struct ip6_hdr))
3248 panic("ipsec6_splithdr: first mbuf too short");
3249 ip6 = mtod(m, struct ip6_hdr *);
3250 hlen = sizeof(struct ip6_hdr);
3251 if (m->m_len > hlen) {
3252 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3253 if (!mh) {
3254 m_freem(m);
3255 return NULL;
3256 }
3257 M_MOVE_PKTHDR(mh, m);
3258 MH_ALIGN(mh, hlen);
3259 m->m_len -= hlen;
3260 m->m_data += hlen;
3261 mh->m_next = m;
3262 m = mh;
3263 m->m_len = hlen;
3264 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3265 } else if (m->m_len < hlen) {
3266 m = m_pullup(m, hlen);
3267 if (!m)
3268 return NULL;
3269 }
3270 return m;
3271 }
3272 #endif
3273
3274 /* validate inbound IPsec tunnel packet. */
3275 int
3276 ipsec4_tunnel_validate(m, off, nxt0, sav)
3277 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3278 int off;
3279 u_int nxt0;
3280 struct secasvar *sav;
3281 {
3282 u_int8_t nxt = nxt0 & 0xff;
3283 struct sockaddr_in *sin;
3284 struct sockaddr_in osrc, odst, isrc, idst;
3285 int hlen;
3286 struct secpolicy *sp;
3287 struct ip *oip;
3288
3289 #ifdef DIAGNOSTIC
3290 if (m->m_len < sizeof(struct ip))
3291 panic("too short mbuf on ipsec4_tunnel_validate");
3292 #endif
3293 if (nxt != IPPROTO_IPV4)
3294 return 0;
3295 if (m->m_pkthdr.len < off + sizeof(struct ip))
3296 return 0;
3297 /* do not decapsulate if the SA is for transport mode only */
3298 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3299 return 0;
3300
3301 oip = mtod(m, struct ip *);
3302 hlen = oip->ip_hl << 2;
3303 if (hlen != sizeof(struct ip))
3304 return 0;
3305
3306 /* AF_INET6 should be supported, but at this moment we don't. */
3307 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3308 if (sin->sin_family != AF_INET)
3309 return 0;
3310 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3311 return 0;
3312
3313 /* XXX slow */
3314 bzero(&osrc, sizeof(osrc));
3315 bzero(&odst, sizeof(odst));
3316 bzero(&isrc, sizeof(isrc));
3317 bzero(&idst, sizeof(idst));
3318 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3319 AF_INET;
3320 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3321 sizeof(struct sockaddr_in);
3322 osrc.sin_addr = oip->ip_src;
3323 odst.sin_addr = oip->ip_dst;
3324 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3325 (caddr_t)&isrc.sin_addr);
3326 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3327 (caddr_t)&idst.sin_addr);
3328
3329 /*
3330 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3331 * - if the inner destination is multicast address, there can be
3332 * multiple permissible inner source address. implementation
3333 * may want to skip verification of inner source address against
3334 * SPD selector.
3335 * - if the inner protocol is ICMP, the packet may be an error report
3336 * from routers on the other side of the VPN cloud (R in the
3337 * following diagram). in this case, we cannot verify inner source
3338 * address against SPD selector.
3339 * me -- gw === gw -- R -- you
3340 *
3341 * we consider the first bullet to be users responsibility on SPD entry
3342 * configuration (if you need to encrypt multicast traffic, set
3343 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3344 * address ranges for possible senders).
3345 * the second bullet is not taken care of (yet).
3346 *
3347 * therefore, we do not do anything special about inner source.
3348 */
3349
3350 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3351 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3352 /*
3353 * when there is no suitable inbound policy for the packet of the ipsec
3354 * tunnel mode, the kernel never decapsulate the tunneled packet
3355 * as the ipsec tunnel mode even when the system wide policy is "none".
3356 * then the kernel leaves the generic tunnel module to process this
3357 * packet. if there is no rule of the generic tunnel, the packet
3358 * is rejected and the statistics will be counted up.
3359 */
3360 if (!sp)
3361 return 0;
3362 key_freesp(sp);
3363
3364 return 1;
3365 }
3366
3367 #ifdef INET6
3368 /* validate inbound IPsec tunnel packet. */
3369 int
3370 ipsec6_tunnel_validate(m, off, nxt0, sav)
3371 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3372 int off;
3373 u_int nxt0;
3374 struct secasvar *sav;
3375 {
3376 u_int8_t nxt = nxt0 & 0xff;
3377 struct sockaddr_in6 *sin6;
3378 struct sockaddr_in6 osrc, odst, isrc, idst;
3379 struct secpolicy *sp;
3380 struct ip6_hdr *oip6;
3381
3382 #ifdef DIAGNOSTIC
3383 if (m->m_len < sizeof(struct ip6_hdr))
3384 panic("too short mbuf on ipsec6_tunnel_validate");
3385 #endif
3386 if (nxt != IPPROTO_IPV6)
3387 return 0;
3388 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3389 return 0;
3390 /* do not decapsulate if the SA is for transport mode only */
3391 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3392 return 0;
3393
3394 oip6 = mtod(m, struct ip6_hdr *);
3395
3396 /* AF_INET should be supported, but at this moment we don't. */
3397 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3398 if (sin6->sin6_family != AF_INET6)
3399 return 0;
3400 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3401 return 0;
3402
3403 /* XXX slow */
3404 bzero(&osrc, sizeof(osrc));
3405 bzero(&odst, sizeof(odst));
3406 bzero(&isrc, sizeof(isrc));
3407 bzero(&idst, sizeof(idst));
3408 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3409 idst.sin6_family = AF_INET6;
3410 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3411 sizeof(struct sockaddr_in6);
3412 osrc.sin6_addr = oip6->ip6_src;
3413 odst.sin6_addr = oip6->ip6_dst;
3414 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3415 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3416 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3417 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3418
3419 /*
3420 * regarding to inner source address validation, see a long comment
3421 * in ipsec4_tunnel_validate.
3422 */
3423
3424 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3425 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3426 if (!sp)
3427 return 0;
3428 key_freesp(sp);
3429
3430 return 1;
3431 }
3432 #endif
3433
3434 /*
3435 * Make a mbuf chain for encryption.
3436 * If the original mbuf chain contains a mbuf with a cluster,
3437 * allocate a new cluster and copy the data to the new cluster.
3438 * XXX: this hack is inefficient, but is necessary to handle cases
3439 * of TCP retransmission...
3440 */
3441 struct mbuf *
3442 ipsec_copypkt(m)
3443 struct mbuf *m;
3444 {
3445 struct mbuf *n, **mpp, *mnew;
3446
3447 for (n = m, mpp = &m; n; n = n->m_next) {
3448 if (n->m_flags & M_EXT) {
3449 /*
3450 * Make a copy only if there is more than one
3451 * references to the cluster.
3452 * XXX: is this approach effective?
3453 */
3454 if (!M_WRITABLE(n)) {
3455 int remain, copied;
3456 struct mbuf *mm;
3457
3458 if (n->m_flags & M_PKTHDR) {
3459 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3460 if (mnew == NULL)
3461 goto fail;
3462 M_MOVE_PKTHDR(mnew, n);
3463 }
3464 else {
3465 MGET(mnew, M_DONTWAIT, MT_DATA);
3466 if (mnew == NULL)
3467 goto fail;
3468 }
3469 mnew->m_len = 0;
3470 mm = mnew;
3471
3472 /*
3473 * Copy data. If we don't have enough space to
3474 * store the whole data, allocate a cluster
3475 * or additional mbufs.
3476 * XXX: we don't use m_copyback(), since the
3477 * function does not use clusters and thus is
3478 * inefficient.
3479 */
3480 remain = n->m_len;
3481 copied = 0;
3482 while (1) {
3483 int len;
3484 struct mbuf *mn;
3485
3486 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3487 len = remain;
3488 else { /* allocate a cluster */
3489 MCLGET(mm, M_DONTWAIT);
3490 if (!(mm->m_flags & M_EXT)) {
3491 m_free(mm);
3492 goto fail;
3493 }
3494 len = remain < MCLBYTES ?
3495 remain : MCLBYTES;
3496 }
3497
3498 bcopy(n->m_data + copied, mm->m_data,
3499 len);
3500
3501 copied += len;
3502 remain -= len;
3503 mm->m_len = len;
3504
3505 if (remain <= 0) /* completed? */
3506 break;
3507
3508 /* need another mbuf */
3509 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3510 if (mn == NULL)
3511 goto fail;
3512 mn->m_pkthdr.rcvif = NULL;
3513 mm->m_next = mn;
3514 mm = mn;
3515 }
3516
3517 /* adjust chain */
3518 mm->m_next = m_free(n);
3519 n = mm;
3520 *mpp = mnew;
3521 mpp = &n->m_next;
3522
3523 continue;
3524 }
3525 }
3526 *mpp = n;
3527 mpp = &n->m_next;
3528 }
3529
3530 return (m);
3531 fail:
3532 m_freem(m);
3533 return (NULL);
3534 }
3535
3536 static struct ipsecaux *
3537 ipsec_addaux(m)
3538 struct mbuf *m;
3539 {
3540 struct m_tag *mtag;
3541
3542 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3543 if (mtag == NULL) {
3544 mtag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
3545 sizeof(struct ipsecaux), M_NOWAIT);
3546 if (mtag != NULL)
3547 m_tag_prepend(m, mtag);
3548 }
3549 if (mtag == NULL)
3550 return NULL; /* ENOBUFS */
3551 /* XXX is this necessary? */
3552 bzero((void *)(mtag + 1), sizeof(struct ipsecaux));
3553 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL;
3554 }
3555
3556 static struct ipsecaux *
3557 ipsec_findaux(m)
3558 struct mbuf *m;
3559 {
3560 struct m_tag *mtag;
3561
3562 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3563 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL;
3564 }
3565
3566 void
3567 ipsec_delaux(m)
3568 struct mbuf *m;
3569 {
3570 struct m_tag *mtag;
3571
3572 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3573 if (mtag != NULL)
3574 m_tag_delete(m, mtag);
3575 }
3576
3577 /* if the aux buffer is unnecessary, nuke it. */
3578 static void
3579 ipsec_optaux(m, aux)
3580 struct mbuf *m;
3581 struct ipsecaux *aux;
3582 {
3583
3584 if (aux == NULL)
3585 return;
3586 ipsec_delaux(m);
3587 }
3588
3589 int
3590 ipsec_addhist(m, proto, spi)
3591 struct mbuf *m;
3592 int proto;
3593 u_int32_t spi;
3594 {
3595 struct ipsecaux *aux;
3596
3597 aux = ipsec_addaux(m);
3598 if (aux == NULL)
3599 return ENOBUFS;
3600 aux->hdrs++;
3601 return 0;
3602 }
3603
3604 int
3605 ipsec_getnhist(m)
3606 struct mbuf *m;
3607 {
3608 struct ipsecaux *aux;
3609
3610 aux = ipsec_findaux(m);
3611 if (aux == NULL)
3612 return 0;
3613 return aux->hdrs;
3614 }
3615
3616 void
3617 ipsec_clearhist(m)
3618 struct mbuf *m;
3619 {
3620 struct ipsecaux *aux;
3621
3622 aux = ipsec_findaux(m);
3623 ipsec_optaux(m, aux);
3624 }
Cache object: 10a068bcdb70c861d5b6dc126556473a
|