FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
1 /* $FreeBSD: releng/6.1/sys/netinet6/ipsec.c 158179 2006-04-30 16:44:43Z cvs2svn $ */
2 /* $KAME: ipsec.c,v 1.207 2004/01/13 03:30:42 itojun Exp $ */
3
4 /*-
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #include "opt_inet.h"
38 #include "opt_inet6.h"
39 #include "opt_ipsec.h"
40
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/malloc.h>
44 #include <sys/mbuf.h>
45 #include <sys/domain.h>
46 #include <sys/protosw.h>
47 #include <sys/socket.h>
48 #include <sys/socketvar.h>
49 #include <sys/errno.h>
50 #include <sys/time.h>
51 #include <sys/kernel.h>
52 #include <sys/syslog.h>
53 #include <sys/sysctl.h>
54 #include <sys/proc.h>
55
56 #include <net/if.h>
57 #include <net/route.h>
58
59 #include <netinet/in.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/ip.h>
62 #include <netinet/ip_var.h>
63 #include <netinet/in_var.h>
64 #include <netinet/udp.h>
65 #include <netinet/udp_var.h>
66 #include <netinet/ip_ecn.h>
67 #ifdef INET6
68 #include <netinet6/ip6_ecn.h>
69 #endif
70 #include <netinet/tcp.h>
71 #include <netinet/udp.h>
72
73 #include <netinet/ip6.h>
74 #ifdef INET6
75 #include <netinet6/ip6_var.h>
76 #include <netinet6/scope6_var.h>
77 #endif
78 #include <netinet/in_pcb.h>
79 #ifdef INET6
80 #include <netinet/icmp6.h>
81 #endif
82
83 #include <netinet6/ipsec.h>
84 #ifdef INET6
85 #include <netinet6/ipsec6.h>
86 #endif
87 #include <netinet6/ah.h>
88 #ifdef INET6
89 #include <netinet6/ah6.h>
90 #endif
91 #ifdef IPSEC_ESP
92 #include <netinet6/esp.h>
93 #ifdef INET6
94 #include <netinet6/esp6.h>
95 #endif
96 #endif
97 #include <netinet6/ipcomp.h>
98 #ifdef INET6
99 #include <netinet6/ipcomp6.h>
100 #endif
101 #include <netkey/key.h>
102 #include <netkey/keydb.h>
103 #include <netkey/key_debug.h>
104
105 #include <machine/in_cksum.h>
106 #include <net/net_osdep.h>
107
108 #ifdef IPSEC_DEBUG
109 int ipsec_debug = 1;
110 #else
111 int ipsec_debug = 0;
112 #endif
113
114 NET_NEEDS_GIANT("ipsec");
115
116 struct ipsecstat ipsecstat;
117 int ip4_ah_cleartos = 1;
118 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
119 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
120 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
121 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
122 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
123 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
124 struct secpolicy *ip4_def_policy;
125 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
126 int ip4_esp_randpad = -1;
127
128 static int sp_cachegen = 1; /* cache generation # */
129
130 SYSCTL_DECL(_net_inet_ipsec);
131 #ifdef INET6
132 SYSCTL_DECL(_net_inet6_ipsec6);
133 #endif
134
135 /* net.inet.ipsec */
136 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
137 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
138 #if 0
139 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
140 def_policy, CTLFLAG_RW, &ip4_def_policy->policy, 0, "");
141 #endif
142 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
143 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
144 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
145 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
146 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
147 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
148 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
149 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
150 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
151 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
152 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
153 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
154 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
155 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
156 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
157 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
158 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
159 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
160 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
161 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
162
163 #ifdef INET6
164 struct ipsecstat ipsec6stat;
165 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
166 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
167 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
168 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
169 struct secpolicy *ip6_def_policy;
170 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
171 int ip6_esp_randpad = -1;
172
173 /* net.inet6.ipsec6 */
174 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
175 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
176 #if 0
177 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
178 def_policy, CTLFLAG_RW, &ip6_def_policy->policy, 0, "");
179 #endif
180 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
181 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
182 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
183 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
184 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
185 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
186 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
187 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
188 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
189 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
190 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
191 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
192 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
193 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
194 #endif /* INET6 */
195
196 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
197 struct inpcbpolicy *, int));
198 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
199 struct secpolicy *, int));
200 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int));
201 static int ipsec_setspidx_mbuf
202 __P((struct secpolicyindex *, int, struct mbuf *, int));
203 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
204 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
205 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
206 #ifdef INET6
207 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
208 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
209 #endif
210 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
211 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
212 #if 0
213 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *));
214 #endif
215 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *));
216 static int ipsec_set_policy
217 __P((struct secpolicy **, int, caddr_t, size_t, int));
218 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
219 static void vshiftl __P((unsigned char *, int, int));
220 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
221 static size_t ipsec_hdrsiz __P((struct secpolicy *));
222 #ifdef INET
223 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
224 #endif
225 #ifdef INET6
226 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
227 #endif
228 #ifdef INET
229 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
230 #endif
231 #ifdef INET6
232 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
233 #endif
234 static struct ipsecaux *ipsec_addaux __P((struct mbuf *));
235 static struct ipsecaux *ipsec_findaux __P((struct mbuf *));
236 static void ipsec_optaux __P((struct mbuf *, struct ipsecaux *));
237 #ifdef INET
238 static int ipsec4_checksa __P((struct ipsecrequest *,
239 struct ipsec_output_state *));
240 #endif
241 #ifdef INET6
242 static int ipsec6_checksa __P((struct ipsecrequest *,
243 struct ipsec_output_state *, int));
244 #endif
245
246 /*
247 * try to validate and use cached policy on a pcb.
248 */
249 static struct secpolicy *
250 ipsec_checkpcbcache(m, pcbsp, dir)
251 struct mbuf *m;
252 struct inpcbpolicy *pcbsp;
253 int dir;
254 {
255 struct secpolicyindex spidx;
256 struct timeval mono_time;
257
258 microtime(&mono_time);
259
260 switch (dir) {
261 case IPSEC_DIR_INBOUND:
262 case IPSEC_DIR_OUTBOUND:
263 case IPSEC_DIR_ANY:
264 break;
265 default:
266 return NULL;
267 }
268 #ifdef DIAGNOSTIC
269 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0]))
270 panic("dir too big in ipsec_checkpcbcache");
271 #endif
272 /* SPD table change invalidates all the caches */
273 if (pcbsp->cachegen[dir] == 0 || sp_cachegen > pcbsp->cachegen[dir]) {
274 ipsec_invalpcbcache(pcbsp, dir);
275 return NULL;
276 }
277 if (!pcbsp->cache[dir])
278 return NULL;
279 if (pcbsp->cache[dir]->state != IPSEC_SPSTATE_ALIVE) {
280 ipsec_invalpcbcache(pcbsp, dir);
281 return NULL;
282 }
283 if ((pcbsp->cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
284 if (!pcbsp->cache[dir])
285 return NULL;
286 if (ipsec_setspidx(m, &spidx, 1) != 0)
287 return NULL;
288 if (bcmp(&pcbsp->cacheidx[dir], &spidx, sizeof(spidx))) {
289 if (!pcbsp->cache[dir]->spidx ||
290 !key_cmpspidx_withmask(pcbsp->cache[dir]->spidx,
291 &spidx))
292 return NULL;
293 pcbsp->cacheidx[dir] = spidx;
294 }
295 } else {
296 /*
297 * The pcb is connected, and the L4 code is sure that:
298 * - outgoing side uses inp_[lf]addr
299 * - incoming side looks up policy after inpcb lookup
300 * and address pair is known to be stable. We do not need
301 * to generate spidx again, nor check the address match again.
302 *
303 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds
304 * and there are calls to ipsec_pcbconn() from in_pcbconnect().
305 */
306 }
307
308 pcbsp->cache[dir]->lastused = mono_time.tv_sec;
309 pcbsp->cache[dir]->refcnt++;
310 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
311 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n",
312 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir]));
313 return pcbsp->cache[dir];
314 }
315
316 static int
317 ipsec_fillpcbcache(pcbsp, m, sp, dir)
318 struct inpcbpolicy *pcbsp;
319 struct mbuf *m;
320 struct secpolicy *sp;
321 int dir;
322 {
323
324 switch (dir) {
325 case IPSEC_DIR_INBOUND:
326 case IPSEC_DIR_OUTBOUND:
327 break;
328 default:
329 return EINVAL;
330 }
331 #ifdef DIAGNOSTIC
332 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0]))
333 panic("dir too big in ipsec_checkpcbcache");
334 #endif
335
336 if (pcbsp->cache[dir])
337 key_freesp(pcbsp->cache[dir]);
338 pcbsp->cache[dir] = NULL;
339 if (ipsec_setspidx(m, &pcbsp->cacheidx[dir], 1) != 0) {
340 return EINVAL;
341 }
342 pcbsp->cache[dir] = sp;
343 if (pcbsp->cache[dir]) {
344 pcbsp->cache[dir]->refcnt++;
345 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
346 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n",
347 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir]));
348 }
349 pcbsp->cachegen[dir] = sp_cachegen;
350
351 return 0;
352 }
353
354 static int
355 ipsec_invalpcbcache(pcbsp, dir)
356 struct inpcbpolicy *pcbsp;
357 int dir;
358 {
359 int i;
360
361 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
362 if (dir != IPSEC_DIR_ANY && i != dir)
363 continue;
364 if (pcbsp->cache[i])
365 key_freesp(pcbsp->cache[i]);
366 pcbsp->cache[i] = NULL;
367 pcbsp->cachegen[i] = 0;
368 bzero(&pcbsp->cacheidx[i], sizeof(pcbsp->cacheidx[i]));
369 }
370 return 0;
371 }
372
373 int
374 ipsec_pcbconn(pcbsp)
375 struct inpcbpolicy *pcbsp;
376 {
377
378 pcbsp->cacheflags |= IPSEC_PCBSP_CONNECTED;
379 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
380 return 0;
381 }
382
383 int
384 ipsec_pcbdisconn(pcbsp)
385 struct inpcbpolicy *pcbsp;
386 {
387
388 pcbsp->cacheflags &= ~IPSEC_PCBSP_CONNECTED;
389 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
390 return 0;
391 }
392
393 int
394 ipsec_invalpcbcacheall()
395 {
396
397 sp_cachegen++;
398 return 0;
399 }
400
401 /*
402 * For OUTBOUND packet having a socket. Searching SPD for packet,
403 * and return a pointer to SP.
404 * OUT: NULL: no apropreate SP found, the following value is set to error.
405 * 0 : bypass
406 * EACCES : discard packet.
407 * ENOENT : ipsec_acquire() in progress, maybe.
408 * others : error occured.
409 * others: a pointer to SP
410 *
411 * NOTE: IPv6 mapped adddress concern is implemented here.
412 */
413 struct secpolicy *
414 ipsec4_getpolicybypcb(m, dir, inp, error)
415 struct mbuf *m;
416 u_int dir;
417 struct inpcb *inp;
418 int *error;
419 {
420 struct inpcbpolicy *pcbsp = NULL;
421 struct secpolicy *currsp = NULL; /* policy on socket */
422 struct secpolicy *kernsp = NULL; /* policy on kernel */
423 struct secpolicyindex spidx;
424 u_int16_t tag;
425
426 /* sanity check */
427 if (m == NULL || inp == NULL || error == NULL)
428 panic("ipsec4_getpolicybypcb: NULL pointer was passed.");
429
430 pcbsp = inp->inp_sp;
431
432 #ifdef DIAGNOSTIC
433 if (pcbsp == NULL)
434 panic("ipsec4_getpolicybypcb: pcbsp is NULL.");
435 #endif
436
437 tag = 0;
438
439 /* if we have a cached entry, and if it is still valid, use it. */
440 ipsecstat.spdcachelookup++;
441 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
442 if (currsp) {
443 *error = 0;
444 return currsp;
445 }
446 ipsecstat.spdcachemiss++;
447
448 switch (dir) {
449 case IPSEC_DIR_INBOUND:
450 currsp = pcbsp->sp_in;
451 break;
452 case IPSEC_DIR_OUTBOUND:
453 currsp = pcbsp->sp_out;
454 break;
455 default:
456 panic("ipsec4_getpolicybypcb: illegal direction.");
457 }
458
459 /* sanity check */
460 if (currsp == NULL)
461 panic("ipsec4_getpolicybypcb: currsp is NULL.");
462
463 /* when privileged socket */
464 if (pcbsp->priv) {
465 switch (currsp->policy) {
466 case IPSEC_POLICY_BYPASS:
467 currsp->refcnt++;
468 *error = 0;
469 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
470 return currsp;
471
472 case IPSEC_POLICY_ENTRUST:
473 /* look for a policy in SPD */
474 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
475 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
476 /* SP found */
477 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
478 printf("DP ipsec4_getpolicybypcb called "
479 "to allocate SP:%p\n", kernsp));
480 *error = 0;
481 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
482 return kernsp;
483 }
484
485 /* no SP found */
486 ip4_def_policy->refcnt++;
487 *error = 0;
488 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
489 return ip4_def_policy;
490
491 case IPSEC_POLICY_IPSEC:
492 currsp->refcnt++;
493 *error = 0;
494 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
495 return currsp;
496
497 default:
498 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
499 "Invalid policy for PCB %d\n", currsp->policy));
500 *error = EINVAL;
501 return NULL;
502 }
503 /* NOTREACHED */
504 }
505
506 /* when non-privileged socket */
507 /* look for a policy in SPD */
508 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
509 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
510 /* SP found */
511 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
512 printf("DP ipsec4_getpolicybypcb called "
513 "to allocate SP:%p\n", kernsp));
514 *error = 0;
515 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
516 return kernsp;
517 }
518
519 /* no SP found */
520 switch (currsp->policy) {
521 case IPSEC_POLICY_BYPASS:
522 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
523 "Illegal policy for non-privileged defined %d\n",
524 currsp->policy));
525 *error = EINVAL;
526 return NULL;
527
528 case IPSEC_POLICY_ENTRUST:
529 ip4_def_policy->refcnt++;
530 *error = 0;
531 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
532 return ip4_def_policy;
533
534 case IPSEC_POLICY_IPSEC:
535 currsp->refcnt++;
536 *error = 0;
537 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
538 return currsp;
539
540 default:
541 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
542 "Invalid policy for PCB %d\n", currsp->policy));
543 *error = EINVAL;
544 return NULL;
545 }
546 /* NOTREACHED */
547 }
548
549 /*
550 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
551 * and return a pointer to SP.
552 * OUT: positive: a pointer to the entry for security policy leaf matched.
553 * NULL: no apropreate SP found, the following value is set to error.
554 * 0 : bypass
555 * EACCES : discard packet.
556 * ENOENT : ipsec_acquire() in progress, maybe.
557 * others : error occured.
558 */
559 struct secpolicy *
560 ipsec4_getpolicybyaddr(m, dir, flag, error)
561 struct mbuf *m;
562 u_int dir;
563 int flag;
564 int *error;
565 {
566 struct secpolicy *sp = NULL;
567 u_int16_t tag;
568
569 /* sanity check */
570 if (m == NULL || error == NULL)
571 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
572
573 /* get a policy entry matched with the packet */
574 {
575 struct secpolicyindex spidx;
576
577 bzero(&spidx, sizeof(spidx));
578
579 /* make an index to look for a policy */
580 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m,
581 (flag & IP_FORWARDING) ? 0 : 1);
582
583 if (*error != 0)
584 return NULL;
585
586 tag = 0;
587
588 sp = key_allocsp(tag, &spidx, dir);
589 }
590
591 /* SP found */
592 if (sp != NULL) {
593 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
594 printf("DP ipsec4_getpolicybyaddr called "
595 "to allocate SP:%p\n", sp));
596 *error = 0;
597 return sp;
598 }
599
600 /* no SP found */
601 ip4_def_policy->refcnt++;
602 *error = 0;
603 return ip4_def_policy;
604 }
605
606 #ifdef INET6
607 /*
608 * For OUTBOUND packet having a socket. Searching SPD for packet,
609 * and return a pointer to SP.
610 * OUT: NULL: no apropreate SP found, the following value is set to error.
611 * 0 : bypass
612 * EACCES : discard packet.
613 * ENOENT : ipsec_acquire() in progress, maybe.
614 * others : error occured.
615 * others: a pointer to SP
616 */
617 struct secpolicy *
618 ipsec6_getpolicybypcb(m, dir, inp, error)
619 struct mbuf *m;
620 u_int dir;
621 struct inpcb *inp;
622 int *error;
623 {
624 struct inpcbpolicy *pcbsp = NULL;
625 struct secpolicy *currsp = NULL; /* policy on socket */
626 struct secpolicy *kernsp = NULL; /* policy on kernel */
627 struct secpolicyindex spidx;
628 u_int16_t tag;
629
630 /* sanity check */
631 if (m == NULL || inp == NULL || error == NULL)
632 panic("ipsec6_getpolicybypcb: NULL pointer was passed.");
633
634 #ifdef DIAGNOSTIC
635 if ((inp->inp_vflag & INP_IPV6PROTO) == 0)
636 panic("ipsec6_getpolicybypcb: socket domain != inet6");
637 #endif
638
639 pcbsp = inp->in6p_sp;
640
641 #ifdef DIAGNOSTIC
642 if (pcbsp == NULL)
643 panic("ipsec6_getpolicybypcb: pcbsp is NULL.");
644 #endif
645
646 tag = 0;
647
648 /* if we have a cached entry, and if it is still valid, use it. */
649 ipsec6stat.spdcachelookup++;
650 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
651 if (currsp) {
652 *error = 0;
653 return currsp;
654 }
655 ipsec6stat.spdcachemiss++;
656
657 switch (dir) {
658 case IPSEC_DIR_INBOUND:
659 currsp = pcbsp->sp_in;
660 break;
661 case IPSEC_DIR_OUTBOUND:
662 currsp = pcbsp->sp_out;
663 break;
664 default:
665 panic("ipsec6_getpolicybypcb: illegal direction.");
666 }
667
668 /* sanity check */
669 if (currsp == NULL)
670 panic("ipsec6_getpolicybypcb: currsp is NULL.");
671
672 /* when privileged socket */
673 if (pcbsp->priv) {
674 switch (currsp->policy) {
675 case IPSEC_POLICY_BYPASS:
676 currsp->refcnt++;
677 *error = 0;
678 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
679 return currsp;
680
681 case IPSEC_POLICY_ENTRUST:
682 /* look for a policy in SPD */
683 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
684 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
685 /* SP found */
686 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
687 printf("DP ipsec6_getpolicybypcb called "
688 "to allocate SP:%p\n", kernsp));
689 *error = 0;
690 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
691 return kernsp;
692 }
693
694 /* no SP found */
695 ip6_def_policy->refcnt++;
696 *error = 0;
697 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
698 return ip6_def_policy;
699
700 case IPSEC_POLICY_IPSEC:
701 currsp->refcnt++;
702 *error = 0;
703 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
704 return currsp;
705
706 default:
707 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: "
708 "Invalid policy for PCB %d\n", currsp->policy));
709 *error = EINVAL;
710 return NULL;
711 }
712 /* NOTREACHED */
713 }
714
715 /* when non-privileged socket */
716 /* look for a policy in SPD */
717 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
718 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
719 /* SP found */
720 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
721 printf("DP ipsec6_getpolicybypcb called "
722 "to allocate SP:%p\n", kernsp));
723 *error = 0;
724 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
725 return kernsp;
726 }
727
728 /* no SP found */
729 switch (currsp->policy) {
730 case IPSEC_POLICY_BYPASS:
731 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: "
732 "Illegal policy for non-privileged defined %d\n",
733 currsp->policy));
734 *error = EINVAL;
735 return NULL;
736
737 case IPSEC_POLICY_ENTRUST:
738 ip6_def_policy->refcnt++;
739 *error = 0;
740 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
741 return ip6_def_policy;
742
743 case IPSEC_POLICY_IPSEC:
744 currsp->refcnt++;
745 *error = 0;
746 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
747 return currsp;
748
749 default:
750 ipseclog((LOG_ERR,
751 "ipsec6_policybysock: Invalid policy for PCB %d\n",
752 currsp->policy));
753 *error = EINVAL;
754 return NULL;
755 }
756 /* NOTREACHED */
757 }
758
759 /*
760 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
761 * and return a pointer to SP.
762 * `flag' means that packet is to be forwarded whether or not.
763 * flag = 1: forwad
764 * OUT: positive: a pointer to the entry for security policy leaf matched.
765 * NULL: no apropreate SP found, the following value is set to error.
766 * 0 : bypass
767 * EACCES : discard packet.
768 * ENOENT : ipsec_acquire() in progress, maybe.
769 * others : error occured.
770 */
771 #ifndef IP_FORWARDING
772 #define IP_FORWARDING 1
773 #endif
774
775 struct secpolicy *
776 ipsec6_getpolicybyaddr(m, dir, flag, error)
777 struct mbuf *m;
778 u_int dir;
779 int flag;
780 int *error;
781 {
782 struct secpolicy *sp = NULL;
783 u_int16_t tag;
784
785 /* sanity check */
786 if (m == NULL || error == NULL)
787 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
788
789 /* get a policy entry matched with the packet */
790 {
791 struct secpolicyindex spidx;
792
793 bzero(&spidx, sizeof(spidx));
794
795 /* make an index to look for a policy */
796 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m,
797 (flag & IP_FORWARDING) ? 0 : 1);
798
799 if (*error != 0)
800 return NULL;
801
802 tag = 0;
803
804 sp = key_allocsp(tag, &spidx, dir);
805 }
806
807 /* SP found */
808 if (sp != NULL) {
809 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
810 printf("DP ipsec6_getpolicybyaddr called "
811 "to allocate SP:%p\n", sp));
812 *error = 0;
813 return sp;
814 }
815
816 /* no SP found */
817 ip6_def_policy->refcnt++;
818 *error = 0;
819 return ip6_def_policy;
820 }
821 #endif /* INET6 */
822
823 /*
824 * set IP address into spidx from mbuf.
825 * When Forwarding packet and ICMP echo reply, this function is used.
826 *
827 * IN: get the followings from mbuf.
828 * protocol family, src, dst, next protocol
829 * OUT:
830 * 0: success.
831 * other: failure, and set errno.
832 */
833 int
834 ipsec_setspidx_mbuf(spidx, family, m, needport)
835 struct secpolicyindex *spidx;
836 int family;
837 struct mbuf *m;
838 int needport;
839 {
840 int error;
841
842 /* sanity check */
843 if (spidx == NULL || m == NULL)
844 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
845
846 bzero(spidx, sizeof(*spidx));
847
848 error = ipsec_setspidx(m, spidx, needport);
849 if (error)
850 goto bad;
851
852 return 0;
853
854 bad:
855 /* XXX initialize */
856 bzero(spidx, sizeof(*spidx));
857 return EINVAL;
858 }
859
860 /*
861 * configure security policy index (src/dst/proto/sport/dport)
862 * by looking at the content of mbuf.
863 * the caller is responsible for error recovery (like clearing up spidx).
864 */
865 static int
866 ipsec_setspidx(m, spidx, needport)
867 struct mbuf *m;
868 struct secpolicyindex *spidx;
869 int needport;
870 {
871 struct ip *ip = NULL;
872 struct ip ipbuf;
873 u_int v;
874 struct mbuf *n;
875 int len;
876 int error;
877
878 if (m == NULL)
879 panic("ipsec_setspidx: m == 0 passed.");
880
881 bzero(spidx, sizeof(*spidx));
882
883 /*
884 * validate m->m_pkthdr.len. we see incorrect length if we
885 * mistakenly call this function with inconsistent mbuf chain
886 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
887 */
888 len = 0;
889 for (n = m; n; n = n->m_next)
890 len += n->m_len;
891 if (m->m_pkthdr.len != len) {
892 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
893 printf("ipsec_setspidx: "
894 "total of m_len(%d) != pkthdr.len(%d), "
895 "ignored.\n",
896 len, m->m_pkthdr.len));
897 return EINVAL;
898 }
899
900 if (m->m_pkthdr.len < sizeof(struct ip)) {
901 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
902 printf("ipsec_setspidx: "
903 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
904 m->m_pkthdr.len));
905 return EINVAL;
906 }
907
908 if (m->m_len >= sizeof(*ip))
909 ip = mtod(m, struct ip *);
910 else {
911 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
912 ip = &ipbuf;
913 }
914 #ifdef _IP_VHL
915 v = _IP_VHL_V(ip->ip_vhl);
916 #else
917 v = ip->ip_v;
918 #endif
919 switch (v) {
920 case 4:
921 error = ipsec4_setspidx_ipaddr(m, spidx);
922 if (error)
923 return error;
924 ipsec4_get_ulp(m, spidx, needport);
925 return 0;
926 #ifdef INET6
927 case 6:
928 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
929 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
930 printf("ipsec_setspidx: "
931 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
932 "ignored.\n", m->m_pkthdr.len));
933 return EINVAL;
934 }
935 error = ipsec6_setspidx_ipaddr(m, spidx);
936 if (error)
937 return error;
938 ipsec6_get_ulp(m, spidx, needport);
939 return 0;
940 #endif
941 default:
942 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
943 printf("ipsec_setspidx: "
944 "unknown IP version %u, ignored.\n", v));
945 return EINVAL;
946 }
947 }
948
949 static void
950 ipsec4_get_ulp(m, spidx, needport)
951 struct mbuf *m;
952 struct secpolicyindex *spidx;
953 int needport;
954 {
955 struct ip ip;
956 struct ip6_ext ip6e;
957 u_int8_t nxt;
958 int off;
959 struct tcphdr th;
960 struct udphdr uh;
961
962 /* sanity check */
963 if (m == NULL)
964 panic("ipsec4_get_ulp: NULL pointer was passed.");
965 if (m->m_pkthdr.len < sizeof(ip))
966 panic("ipsec4_get_ulp: too short");
967
968 /* set default */
969 spidx->ul_proto = IPSEC_ULPROTO_ANY;
970 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
971 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
972
973 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
974 /* ip_input() flips it into host endian XXX need more checking */
975 if (ip.ip_off & (IP_MF | IP_OFFMASK))
976 return;
977
978 nxt = ip.ip_p;
979 #ifdef _IP_VHL
980 off = _IP_VHL_HL(ip->ip_vhl) << 2;
981 #else
982 off = ip.ip_hl << 2;
983 #endif
984 while (off < m->m_pkthdr.len) {
985 switch (nxt) {
986 case IPPROTO_TCP:
987 spidx->ul_proto = nxt;
988 if (!needport)
989 return;
990 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
991 return;
992 m_copydata(m, off, sizeof(th), (caddr_t)&th);
993 ((struct sockaddr_in *)&spidx->src)->sin_port =
994 th.th_sport;
995 ((struct sockaddr_in *)&spidx->dst)->sin_port =
996 th.th_dport;
997 return;
998 case IPPROTO_UDP:
999 spidx->ul_proto = nxt;
1000 if (!needport)
1001 return;
1002 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1003 return;
1004 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1005 ((struct sockaddr_in *)&spidx->src)->sin_port =
1006 uh.uh_sport;
1007 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1008 uh.uh_dport;
1009 return;
1010 case IPPROTO_AH:
1011 if (off + sizeof(ip6e) > m->m_pkthdr.len)
1012 return;
1013 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1014 off += (ip6e.ip6e_len + 2) << 2;
1015 nxt = ip6e.ip6e_nxt;
1016 break;
1017 case IPPROTO_ICMP:
1018 default:
1019 /* XXX intermediate headers??? */
1020 spidx->ul_proto = nxt;
1021 return;
1022 }
1023 }
1024 }
1025
1026 /* assumes that m is sane */
1027 static int
1028 ipsec4_setspidx_ipaddr(m, spidx)
1029 struct mbuf *m;
1030 struct secpolicyindex *spidx;
1031 {
1032 struct ip *ip = NULL;
1033 struct ip ipbuf;
1034 struct sockaddr_in *sin;
1035
1036 if (m->m_len >= sizeof(*ip))
1037 ip = mtod(m, struct ip *);
1038 else {
1039 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1040 ip = &ipbuf;
1041 }
1042
1043 sin = (struct sockaddr_in *)&spidx->src;
1044 bzero(sin, sizeof(*sin));
1045 sin->sin_family = AF_INET;
1046 sin->sin_len = sizeof(struct sockaddr_in);
1047 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1048 spidx->prefs = sizeof(struct in_addr) << 3;
1049
1050 sin = (struct sockaddr_in *)&spidx->dst;
1051 bzero(sin, sizeof(*sin));
1052 sin->sin_family = AF_INET;
1053 sin->sin_len = sizeof(struct sockaddr_in);
1054 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1055 spidx->prefd = sizeof(struct in_addr) << 3;
1056 return 0;
1057 }
1058
1059 #ifdef INET6
1060 static void
1061 ipsec6_get_ulp(m, spidx, needport)
1062 struct mbuf *m;
1063 struct secpolicyindex *spidx;
1064 int needport;
1065 {
1066 int off, nxt;
1067 struct tcphdr th;
1068 struct udphdr uh;
1069 struct icmp6_hdr ih;
1070
1071 /* sanity check */
1072 if (m == NULL)
1073 panic("ipsec6_get_ulp: NULL pointer was passed.");
1074
1075 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1076 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1077
1078 /* set default */
1079 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1080 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1081 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1082
1083 nxt = -1;
1084 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1085 if (off < 0 || m->m_pkthdr.len < off)
1086 return;
1087
1088 switch (nxt) {
1089 case IPPROTO_TCP:
1090 spidx->ul_proto = nxt;
1091 if (!needport)
1092 break;
1093 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1094 break;
1095 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1096 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1097 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1098 break;
1099 case IPPROTO_UDP:
1100 spidx->ul_proto = nxt;
1101 if (!needport)
1102 break;
1103 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1104 break;
1105 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1106 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1107 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1108 break;
1109 case IPPROTO_ICMPV6:
1110 spidx->ul_proto = nxt;
1111 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
1112 break;
1113 m_copydata(m, off, sizeof(ih), (caddr_t)&ih);
1114 ((struct sockaddr_in6 *)&spidx->src)->sin6_port =
1115 htons((u_int16_t)ih.icmp6_type);
1116 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
1117 htons((u_int16_t)ih.icmp6_code);
1118 break;
1119 default:
1120 /* XXX intermediate headers??? */
1121 spidx->ul_proto = nxt;
1122 break;
1123 }
1124 }
1125
1126 /* assumes that m is sane */
1127 static int
1128 ipsec6_setspidx_ipaddr(m, spidx)
1129 struct mbuf *m;
1130 struct secpolicyindex *spidx;
1131 {
1132 struct ip6_hdr *ip6 = NULL;
1133 struct ip6_hdr ip6buf;
1134 struct sockaddr_in6 *sin6;
1135
1136 if (m->m_len >= sizeof(*ip6))
1137 ip6 = mtod(m, struct ip6_hdr *);
1138 else {
1139 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1140 ip6 = &ip6buf;
1141 }
1142
1143 sin6 = (struct sockaddr_in6 *)&spidx->src;
1144 bzero(sin6, sizeof(*sin6));
1145 sin6->sin6_family = AF_INET6;
1146 sin6->sin6_len = sizeof(struct sockaddr_in6);
1147 sin6->sin6_addr = ip6->ip6_src;
1148 spidx->prefs = sizeof(struct in6_addr) << 3;
1149
1150 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1151 bzero(sin6, sizeof(*sin6));
1152 sin6->sin6_family = AF_INET6;
1153 sin6->sin6_len = sizeof(struct sockaddr_in6);
1154 sin6->sin6_addr = ip6->ip6_dst;
1155 spidx->prefd = sizeof(struct in6_addr) << 3;
1156
1157 return 0;
1158 }
1159 #endif
1160
1161 static struct inpcbpolicy *
1162 ipsec_newpcbpolicy()
1163 {
1164 struct inpcbpolicy *p;
1165
1166 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
1167 return p;
1168 }
1169
1170 static void
1171 ipsec_delpcbpolicy(p)
1172 struct inpcbpolicy *p;
1173 {
1174
1175 free(p, M_SECA);
1176 }
1177
1178 /* initialize policy in PCB */
1179 int
1180 ipsec_init_pcbpolicy(so, pcb_sp)
1181 struct socket *so;
1182 struct inpcbpolicy **pcb_sp;
1183 {
1184 struct inpcbpolicy *new;
1185 static int initialized = 0;
1186 static struct secpolicy *in = NULL, *out = NULL;
1187
1188 /* sanity check. */
1189 if (so == NULL || pcb_sp == NULL)
1190 panic("ipsec_init_pcbpolicy: NULL pointer was passed.");
1191
1192 if (!initialized) {
1193 if ((in = key_newsp(0)) == NULL)
1194 return ENOBUFS;
1195 if ((out = key_newsp(0)) == NULL) {
1196 key_freesp(in);
1197 in = NULL;
1198 return ENOBUFS;
1199 }
1200
1201 in->state = IPSEC_SPSTATE_ALIVE;
1202 in->policy = IPSEC_POLICY_ENTRUST;
1203 in->dir = IPSEC_DIR_INBOUND;
1204 in->readonly = 1;
1205 in->persist = 1;
1206 in->so = NULL;
1207
1208 out->state = IPSEC_SPSTATE_ALIVE;
1209 out->policy = IPSEC_POLICY_ENTRUST;
1210 out->dir = IPSEC_DIR_OUTBOUND;
1211 out->readonly = 1;
1212 out->persist = 1;
1213 out->so = NULL;
1214
1215 initialized++;
1216 }
1217
1218 new = ipsec_newpcbpolicy();
1219 if (new == NULL) {
1220 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n"));
1221 return ENOBUFS;
1222 }
1223 bzero(new, sizeof(*new));
1224
1225 if (so->so_cred != 0 && so->so_cred->cr_uid == 0)
1226 new->priv = 1;
1227 else
1228 new->priv = 0;
1229
1230 new->sp_in = in;
1231 new->sp_in->refcnt++;
1232 new->sp_out = out;
1233 new->sp_out->refcnt++;
1234
1235 *pcb_sp = new;
1236
1237 return 0;
1238 }
1239
1240 /* copy old ipsec policy into new */
1241 int
1242 ipsec_copy_pcbpolicy(old, new)
1243 struct inpcbpolicy *old, *new;
1244 {
1245
1246 if (new->sp_in)
1247 key_freesp(new->sp_in);
1248 if (old->sp_in->policy == IPSEC_POLICY_IPSEC)
1249 new->sp_in = ipsec_deepcopy_policy(old->sp_in);
1250 else {
1251 new->sp_in = old->sp_in;
1252 new->sp_in->refcnt++;
1253 }
1254
1255 if (new->sp_out)
1256 key_freesp(new->sp_out);
1257 if (old->sp_out->policy == IPSEC_POLICY_IPSEC)
1258 new->sp_out = ipsec_deepcopy_policy(old->sp_out);
1259 else {
1260 new->sp_out = old->sp_out;
1261 new->sp_out->refcnt++;
1262 }
1263
1264 new->priv = old->priv;
1265
1266 return 0;
1267 }
1268
1269 #if 0
1270 static int
1271 ipsec_deepcopy_pcbpolicy(pcb_sp)
1272 struct inpcbpolicy *pcb_sp;
1273 {
1274 struct secpolicy *sp;
1275
1276 sp = ipsec_deepcopy_policy(pcb_sp->sp_in);
1277 if (sp) {
1278 key_freesp(pcb_sp->sp_in);
1279 pcb_sp->sp_in = sp;
1280 } else
1281 return ENOBUFS;
1282
1283 sp = ipsec_deepcopy_policy(pcb_sp->sp_out);
1284 if (sp) {
1285 key_freesp(pcb_sp->sp_out);
1286 pcb_sp->sp_out = sp;
1287 } else
1288 return ENOBUFS;
1289
1290 return 0;
1291 }
1292 #endif
1293
1294 /* deep-copy a policy in PCB */
1295 static struct secpolicy *
1296 ipsec_deepcopy_policy(src)
1297 struct secpolicy *src;
1298 {
1299 struct ipsecrequest *newchain = NULL;
1300 struct ipsecrequest *p;
1301 struct ipsecrequest **q;
1302 struct ipsecrequest *r;
1303 struct secpolicy *dst;
1304
1305 if (src == NULL)
1306 return NULL;
1307
1308 dst = key_newsp(0);
1309 if (dst == NULL)
1310 return NULL;
1311
1312 /*
1313 * deep-copy IPsec request chain. This is required since struct
1314 * ipsecrequest is not reference counted.
1315 */
1316 q = &newchain;
1317 for (p = src->req; p; p = p->next) {
1318 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
1319 M_SECA, M_NOWAIT);
1320 if (*q == NULL)
1321 goto fail;
1322 bzero(*q, sizeof(**q));
1323 (*q)->next = NULL;
1324
1325 (*q)->saidx.proto = p->saidx.proto;
1326 (*q)->saidx.mode = p->saidx.mode;
1327 (*q)->level = p->level;
1328 (*q)->saidx.reqid = p->saidx.reqid;
1329
1330 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1331 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1332
1333 (*q)->sav = NULL;
1334 (*q)->sp = dst;
1335
1336 q = &((*q)->next);
1337 }
1338
1339 if (src->spidx)
1340 if (keydb_setsecpolicyindex(dst, src->spidx) != 0)
1341 goto fail;
1342
1343 dst->req = newchain;
1344 dst->state = src->state;
1345 dst->policy = src->policy;
1346 dst->dir = src->dir;
1347 dst->so = src->so;
1348 /* do not touch the refcnt fields */
1349
1350 return dst;
1351
1352 fail:
1353 for (p = newchain; p; p = r) {
1354 r = p->next;
1355 free(p, M_SECA);
1356 p = NULL;
1357 }
1358 key_freesp(dst);
1359 return NULL;
1360 }
1361
1362 /* set policy and ipsec request if present. */
1363 static int
1364 ipsec_set_policy(spp, optname, request, len, priv)
1365 struct secpolicy **spp;
1366 int optname;
1367 caddr_t request;
1368 size_t len;
1369 int priv;
1370 {
1371 struct sadb_x_policy *xpl;
1372 struct secpolicy *newsp = NULL;
1373 int error;
1374
1375 /* sanity check. */
1376 if (spp == NULL || *spp == NULL || request == NULL)
1377 return EINVAL;
1378 if (len < sizeof(*xpl))
1379 return EINVAL;
1380 xpl = (struct sadb_x_policy *)request;
1381
1382 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1383 printf("ipsec_set_policy: passed policy\n");
1384 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1385
1386 /* check policy type */
1387 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1388 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
1389 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1390 return EINVAL;
1391
1392 /* check privileged socket */
1393 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1394 return EACCES;
1395
1396 /* allocation new SP entry */
1397 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1398 return error;
1399
1400 newsp->state = IPSEC_SPSTATE_ALIVE;
1401
1402 /* clear old SP and set new SP */
1403 key_freesp(*spp);
1404 *spp = newsp;
1405 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1406 printf("ipsec_set_policy: new policy\n");
1407 kdebug_secpolicy(newsp));
1408
1409 return 0;
1410 }
1411
1412 static int
1413 ipsec_get_policy(sp, mp)
1414 struct secpolicy *sp;
1415 struct mbuf **mp;
1416 {
1417
1418 /* sanity check. */
1419 if (sp == NULL || mp == NULL)
1420 return EINVAL;
1421
1422 *mp = key_sp2msg(sp);
1423 if (!*mp) {
1424 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1425 return ENOBUFS;
1426 }
1427
1428 (*mp)->m_type = MT_DATA;
1429 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1430 printf("ipsec_get_policy:\n");
1431 kdebug_mbuf(*mp));
1432
1433 return 0;
1434 }
1435
1436 int
1437 ipsec4_set_policy(inp, optname, request, len, priv)
1438 struct inpcb *inp;
1439 int optname;
1440 caddr_t request;
1441 size_t len;
1442 int priv;
1443 {
1444 struct sadb_x_policy *xpl;
1445 struct secpolicy **spp;
1446
1447 /* sanity check. */
1448 if (inp == NULL || request == NULL)
1449 return EINVAL;
1450 if (len < sizeof(*xpl))
1451 return EINVAL;
1452 xpl = (struct sadb_x_policy *)request;
1453
1454 /* select direction */
1455 switch (xpl->sadb_x_policy_dir) {
1456 case IPSEC_DIR_INBOUND:
1457 spp = &inp->inp_sp->sp_in;
1458 break;
1459 case IPSEC_DIR_OUTBOUND:
1460 spp = &inp->inp_sp->sp_out;
1461 break;
1462 default:
1463 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1464 xpl->sadb_x_policy_dir));
1465 return EINVAL;
1466 }
1467
1468 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1469 return ipsec_set_policy(spp, optname, request, len, priv);
1470 }
1471
1472 int
1473 ipsec4_get_policy(inp, request, len, mp)
1474 struct inpcb *inp;
1475 caddr_t request;
1476 size_t len;
1477 struct mbuf **mp;
1478 {
1479 struct sadb_x_policy *xpl;
1480 struct secpolicy *sp;
1481
1482 /* sanity check. */
1483 if (inp == NULL || request == NULL || mp == NULL)
1484 return EINVAL;
1485 if (inp->inp_sp == NULL)
1486 panic("policy in PCB is NULL");
1487 if (len < sizeof(*xpl))
1488 return EINVAL;
1489 xpl = (struct sadb_x_policy *)request;
1490
1491 /* select direction */
1492 switch (xpl->sadb_x_policy_dir) {
1493 case IPSEC_DIR_INBOUND:
1494 sp = inp->inp_sp->sp_in;
1495 break;
1496 case IPSEC_DIR_OUTBOUND:
1497 sp = inp->inp_sp->sp_out;
1498 break;
1499 default:
1500 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n",
1501 xpl->sadb_x_policy_dir));
1502 return EINVAL;
1503 }
1504
1505 return ipsec_get_policy(sp, mp);
1506 }
1507
1508 /* delete policy in PCB */
1509 int
1510 ipsec4_delete_pcbpolicy(inp)
1511 struct inpcb *inp;
1512 {
1513 /* sanity check. */
1514 if (inp == NULL)
1515 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1516
1517 if (inp->inp_sp == NULL)
1518 return 0;
1519
1520 if (inp->inp_sp->sp_in != NULL) {
1521 key_freesp(inp->inp_sp->sp_in);
1522 inp->inp_sp->sp_in = NULL;
1523 }
1524
1525 if (inp->inp_sp->sp_out != NULL) {
1526 key_freesp(inp->inp_sp->sp_out);
1527 inp->inp_sp->sp_out = NULL;
1528 }
1529
1530 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1531
1532 ipsec_delpcbpolicy(inp->inp_sp);
1533 inp->inp_sp = NULL;
1534
1535 return 0;
1536 }
1537
1538 #ifdef INET6
1539 int
1540 ipsec6_set_policy(in6p, optname, request, len, priv)
1541 struct in6pcb *in6p;
1542 int optname;
1543 caddr_t request;
1544 size_t len;
1545 int priv;
1546 {
1547 struct sadb_x_policy *xpl;
1548 struct secpolicy **spp;
1549
1550 /* sanity check. */
1551 if (in6p == NULL || request == NULL)
1552 return EINVAL;
1553 if (len < sizeof(*xpl))
1554 return EINVAL;
1555 xpl = (struct sadb_x_policy *)request;
1556
1557 /* select direction */
1558 switch (xpl->sadb_x_policy_dir) {
1559 case IPSEC_DIR_INBOUND:
1560 spp = &in6p->in6p_sp->sp_in;
1561 break;
1562 case IPSEC_DIR_OUTBOUND:
1563 spp = &in6p->in6p_sp->sp_out;
1564 break;
1565 default:
1566 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1567 xpl->sadb_x_policy_dir));
1568 return EINVAL;
1569 }
1570
1571 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1572 return ipsec_set_policy(spp, optname, request, len, priv);
1573 }
1574
1575 int
1576 ipsec6_get_policy(in6p, request, len, mp)
1577 struct in6pcb *in6p;
1578 caddr_t request;
1579 size_t len;
1580 struct mbuf **mp;
1581 {
1582 struct sadb_x_policy *xpl;
1583 struct secpolicy *sp;
1584
1585 /* sanity check. */
1586 if (in6p == NULL || request == NULL || mp == NULL)
1587 return EINVAL;
1588 if (in6p->in6p_sp == NULL)
1589 panic("policy in PCB is NULL");
1590 if (len < sizeof(*xpl))
1591 return EINVAL;
1592 xpl = (struct sadb_x_policy *)request;
1593
1594 /* select direction */
1595 switch (xpl->sadb_x_policy_dir) {
1596 case IPSEC_DIR_INBOUND:
1597 sp = in6p->in6p_sp->sp_in;
1598 break;
1599 case IPSEC_DIR_OUTBOUND:
1600 sp = in6p->in6p_sp->sp_out;
1601 break;
1602 default:
1603 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n",
1604 xpl->sadb_x_policy_dir));
1605 return EINVAL;
1606 }
1607
1608 return ipsec_get_policy(sp, mp);
1609 }
1610
1611 int
1612 ipsec6_delete_pcbpolicy(in6p)
1613 struct in6pcb *in6p;
1614 {
1615 /* sanity check. */
1616 if (in6p == NULL)
1617 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1618
1619 if (in6p->in6p_sp == NULL)
1620 return 0;
1621
1622 if (in6p->in6p_sp->sp_in != NULL) {
1623 key_freesp(in6p->in6p_sp->sp_in);
1624 in6p->in6p_sp->sp_in = NULL;
1625 }
1626
1627 if (in6p->in6p_sp->sp_out != NULL) {
1628 key_freesp(in6p->in6p_sp->sp_out);
1629 in6p->in6p_sp->sp_out = NULL;
1630 }
1631
1632 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1633
1634 ipsec_delpcbpolicy(in6p->in6p_sp);
1635 in6p->in6p_sp = NULL;
1636
1637 return 0;
1638 }
1639 #endif
1640
1641 /*
1642 * return current level.
1643 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1644 */
1645 u_int
1646 ipsec_get_reqlevel(isr, af)
1647 struct ipsecrequest *isr;
1648 int af;
1649 {
1650 u_int level = 0;
1651 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1652
1653 /* sanity check */
1654 if (isr == NULL || isr->sp == NULL)
1655 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1656
1657 /* set default level */
1658 switch (af) {
1659 #ifdef INET
1660 case AF_INET:
1661 esp_trans_deflev = ip4_esp_trans_deflev;
1662 esp_net_deflev = ip4_esp_net_deflev;
1663 ah_trans_deflev = ip4_ah_trans_deflev;
1664 ah_net_deflev = ip4_ah_net_deflev;
1665 break;
1666 #endif
1667 #ifdef INET6
1668 case AF_INET6:
1669 esp_trans_deflev = ip6_esp_trans_deflev;
1670 esp_net_deflev = ip6_esp_net_deflev;
1671 ah_trans_deflev = ip6_ah_trans_deflev;
1672 ah_net_deflev = ip6_ah_net_deflev;
1673 break;
1674 #endif /* INET6 */
1675 default:
1676 panic("key_get_reqlevel: Unknown family. %d",
1677 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family);
1678 }
1679
1680 /* set level */
1681 switch (isr->level) {
1682 case IPSEC_LEVEL_DEFAULT:
1683 switch (isr->saidx.proto) {
1684 case IPPROTO_ESP:
1685 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1686 level = esp_net_deflev;
1687 else
1688 level = esp_trans_deflev;
1689 break;
1690 case IPPROTO_AH:
1691 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1692 level = ah_net_deflev;
1693 else
1694 level = ah_trans_deflev;
1695 break;
1696 case IPPROTO_IPCOMP:
1697 /*
1698 * we don't really care, as IPcomp document says that
1699 * we shouldn't compress small packets
1700 */
1701 level = IPSEC_LEVEL_USE;
1702 break;
1703 default:
1704 panic("ipsec_get_reqlevel: "
1705 "Illegal protocol defined %u\n",
1706 isr->saidx.proto);
1707 }
1708 break;
1709
1710 case IPSEC_LEVEL_USE:
1711 case IPSEC_LEVEL_REQUIRE:
1712 level = isr->level;
1713 break;
1714 case IPSEC_LEVEL_UNIQUE:
1715 level = IPSEC_LEVEL_REQUIRE;
1716 break;
1717
1718 default:
1719 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1720 isr->level);
1721 }
1722
1723 return level;
1724 }
1725
1726 /*
1727 * Check AH/ESP integrity.
1728 * OUT:
1729 * 0: valid
1730 * 1: invalid
1731 */
1732 static int
1733 ipsec_in_reject(sp, m)
1734 struct secpolicy *sp;
1735 struct mbuf *m;
1736 {
1737 struct ipsecrequest *isr;
1738 u_int level;
1739 int need_auth, need_conf, need_icv;
1740
1741 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1742 printf("ipsec_in_reject: using SP\n");
1743 kdebug_secpolicy(sp));
1744
1745 /* check policy */
1746 switch (sp->policy) {
1747 case IPSEC_POLICY_DISCARD:
1748 return 1;
1749 case IPSEC_POLICY_BYPASS:
1750 case IPSEC_POLICY_NONE:
1751 return 0;
1752
1753 case IPSEC_POLICY_IPSEC:
1754 break;
1755
1756 case IPSEC_POLICY_ENTRUST:
1757 default:
1758 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy);
1759 }
1760
1761 need_auth = 0;
1762 need_conf = 0;
1763 need_icv = 0;
1764
1765 /* XXX should compare policy against ipsec header history */
1766
1767 for (isr = sp->req; isr != NULL; isr = isr->next) {
1768 /* get current level */
1769 level = ipsec_get_reqlevel(isr, AF_INET);
1770
1771 switch (isr->saidx.proto) {
1772 case IPPROTO_ESP:
1773 if (level == IPSEC_LEVEL_REQUIRE) {
1774 need_conf++;
1775
1776 if (isr->sav != NULL
1777 && isr->sav->flags == SADB_X_EXT_NONE
1778 && isr->sav->alg_auth != SADB_AALG_NONE)
1779 need_icv++;
1780 }
1781 break;
1782 case IPPROTO_AH:
1783 if (level == IPSEC_LEVEL_REQUIRE) {
1784 need_auth++;
1785 need_icv++;
1786 }
1787 break;
1788 case IPPROTO_IPCOMP:
1789 /*
1790 * we don't really care, as IPcomp document says that
1791 * we shouldn't compress small packets, IPComp policy
1792 * should always be treated as being in "use" level.
1793 */
1794 break;
1795 }
1796 }
1797
1798 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1799 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1800 need_auth, need_conf, need_icv, m->m_flags));
1801
1802 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1803 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1804 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1805 return 1;
1806
1807 return 0;
1808 }
1809
1810 /*
1811 * Check AH/ESP integrity.
1812 * This function is called from tcp_input(), udp_input(),
1813 * and {ah,esp}4_input for tunnel mode
1814 */
1815 int
1816 ipsec4_in_reject(m, inp)
1817 struct mbuf *m;
1818 struct inpcb *inp;
1819 {
1820 struct secpolicy *sp = NULL;
1821 int error;
1822 int result;
1823
1824 /* sanity check */
1825 if (m == NULL)
1826 return 0; /* XXX should be panic ? */
1827
1828 /* get SP for this packet.
1829 * When we are called from ip_forward(), we call
1830 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1831 */
1832 if (inp == NULL)
1833 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1834 IP_FORWARDING, &error);
1835 else
1836 sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error);
1837
1838 /* XXX should be panic ? -> No, there may be error. */
1839 if (sp == NULL)
1840 return 0;
1841
1842 result = ipsec_in_reject(sp, m);
1843 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1844 printf("DP ipsec4_in_reject call free SP:%p\n", sp));
1845 key_freesp(sp);
1846
1847 return result;
1848 }
1849
1850 #ifdef INET6
1851 /*
1852 * Check AH/ESP integrity.
1853 * This function is called from tcp6_input(), udp6_input(),
1854 * and {ah,esp}6_input for tunnel mode
1855 */
1856 int
1857 ipsec6_in_reject(m, in6p)
1858 struct mbuf *m;
1859 struct in6pcb *in6p;
1860 {
1861 struct secpolicy *sp = NULL;
1862 int error;
1863 int result;
1864
1865 /* sanity check */
1866 if (m == NULL)
1867 return 0; /* XXX should be panic ? */
1868
1869 /* get SP for this packet.
1870 * When we are called from ip_forward(), we call
1871 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1872 */
1873 if (in6p == NULL)
1874 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1875 IP_FORWARDING, &error);
1876 else
1877 sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error);
1878
1879 if (sp == NULL)
1880 return 0; /* XXX should be panic ? */
1881
1882 result = ipsec_in_reject(sp, m);
1883 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1884 printf("DP ipsec6_in_reject call free SP:%p\n", sp));
1885 key_freesp(sp);
1886
1887 return result;
1888 }
1889 #endif
1890
1891 /*
1892 * compute the byte size to be occupied by IPsec header.
1893 * in case it is tunneled, it includes the size of outer IP header.
1894 * NOTE: SP passed is free in this function.
1895 */
1896 static size_t
1897 ipsec_hdrsiz(sp)
1898 struct secpolicy *sp;
1899 {
1900 struct ipsecrequest *isr;
1901 size_t siz, clen;
1902
1903 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1904 printf("ipsec_hdrsiz: using SP\n");
1905 kdebug_secpolicy(sp));
1906
1907 /* check policy */
1908 switch (sp->policy) {
1909 case IPSEC_POLICY_DISCARD:
1910 case IPSEC_POLICY_BYPASS:
1911 case IPSEC_POLICY_NONE:
1912 return 0;
1913
1914 case IPSEC_POLICY_IPSEC:
1915 break;
1916
1917 case IPSEC_POLICY_ENTRUST:
1918 default:
1919 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1920 }
1921
1922 siz = 0;
1923
1924 for (isr = sp->req; isr != NULL; isr = isr->next) {
1925
1926 clen = 0;
1927
1928 switch (isr->saidx.proto) {
1929 case IPPROTO_ESP:
1930 #ifdef IPSEC_ESP
1931 clen = esp_hdrsiz(isr);
1932 #else
1933 clen = 0; /* XXX */
1934 #endif
1935 break;
1936 case IPPROTO_AH:
1937 clen = ah_hdrsiz(isr);
1938 break;
1939 case IPPROTO_IPCOMP:
1940 clen = sizeof(struct ipcomp);
1941 break;
1942 }
1943
1944 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1945 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1946 case AF_INET:
1947 clen += sizeof(struct ip);
1948 break;
1949 #ifdef INET6
1950 case AF_INET6:
1951 clen += sizeof(struct ip6_hdr);
1952 break;
1953 #endif
1954 default:
1955 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1956 "unknown AF %d in IPsec tunnel SA\n",
1957 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1958 break;
1959 }
1960 }
1961 siz += clen;
1962 }
1963
1964 return siz;
1965 }
1966
1967 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1968 size_t
1969 ipsec4_hdrsiz(m, dir, inp)
1970 struct mbuf *m;
1971 u_int dir;
1972 struct inpcb *inp;
1973 {
1974 struct secpolicy *sp = NULL;
1975 int error;
1976 size_t size;
1977
1978 /* sanity check */
1979 if (m == NULL)
1980 return 0; /* XXX should be panic ? */
1981 #if 0
1982 /* this is possible in TIME_WAIT state */
1983 if (inp != NULL && inp->inp_socket == NULL)
1984 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1985 #endif
1986
1987 /* get SP for this packet.
1988 * When we are called from ip_forward(), we call
1989 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1990 */
1991 if (inp == NULL)
1992 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1993 else
1994 sp = ipsec4_getpolicybypcb(m, dir, inp, &error);
1995
1996 if (sp == NULL)
1997 return 0; /* XXX should be panic ? */
1998
1999 size = ipsec_hdrsiz(sp);
2000 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2001 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
2002 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2003 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
2004 key_freesp(sp);
2005
2006 return size;
2007 }
2008
2009 #ifdef INET6
2010 /* This function is called from ipsec6_hdrsize_tcp(),
2011 * and maybe from ip6_forward.()
2012 */
2013 size_t
2014 ipsec6_hdrsiz(m, dir, in6p)
2015 struct mbuf *m;
2016 u_int dir;
2017 struct in6pcb *in6p;
2018 {
2019 struct secpolicy *sp = NULL;
2020 int error;
2021 size_t size;
2022
2023 /* sanity check */
2024 if (m == NULL)
2025 return 0; /* XXX should be panic ? */
2026 #if 0
2027 /* this is possible in TIME_WAIT state */
2028 if (in6p != NULL && in6p->in6p_socket == NULL)
2029 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2030 #endif
2031
2032 /* get SP for this packet */
2033 /* XXX Is it right to call with IP_FORWARDING. */
2034 if (in6p == NULL)
2035 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2036 else
2037 sp = ipsec6_getpolicybypcb(m, dir, in6p, &error);
2038
2039 if (sp == NULL)
2040 return 0;
2041 size = ipsec_hdrsiz(sp);
2042 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2043 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
2044 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2045 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
2046 key_freesp(sp);
2047
2048 return size;
2049 }
2050 #endif /* INET6 */
2051
2052 #ifdef INET
2053 /*
2054 * encapsulate for ipsec tunnel.
2055 * ip->ip_src must be fixed later on.
2056 */
2057 static int
2058 ipsec4_encapsulate(m, sav)
2059 struct mbuf *m;
2060 struct secasvar *sav;
2061 {
2062 struct ip *oip;
2063 struct ip *ip;
2064 size_t hlen;
2065 size_t plen;
2066
2067 /* can't tunnel between different AFs */
2068 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2069 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2070 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2071 m_freem(m);
2072 return EINVAL;
2073 }
2074 #if 0
2075 /* XXX if the dst is myself, perform nothing. */
2076 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2077 m_freem(m);
2078 return EINVAL;
2079 }
2080 #endif
2081
2082 if (m->m_len < sizeof(*ip))
2083 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2084
2085 ip = mtod(m, struct ip *);
2086 #ifdef _IP_VHL
2087 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
2088 #else
2089 hlen = ip->ip_hl << 2;
2090 #endif
2091
2092 if (m->m_len != hlen)
2093 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2094
2095 /* generate header checksum */
2096 ip->ip_sum = 0;
2097 #ifdef _IP_VHL
2098 if (ip->ip_vhl == IP_VHL_BORING)
2099 ip->ip_sum = in_cksum_hdr(ip);
2100 else
2101 ip->ip_sum = in_cksum(m, hlen);
2102 #else
2103 ip->ip_sum = in_cksum(m, hlen);
2104 #endif
2105
2106 plen = m->m_pkthdr.len;
2107
2108 /*
2109 * grow the mbuf to accomodate the new IPv4 header.
2110 * NOTE: IPv4 options will never be copied.
2111 */
2112 if (M_LEADINGSPACE(m->m_next) < hlen) {
2113 struct mbuf *n;
2114 MGET(n, M_DONTWAIT, MT_DATA);
2115 if (!n) {
2116 m_freem(m);
2117 return ENOBUFS;
2118 }
2119 n->m_len = hlen;
2120 n->m_next = m->m_next;
2121 m->m_next = n;
2122 m->m_pkthdr.len += hlen;
2123 oip = mtod(n, struct ip *);
2124 } else {
2125 m->m_next->m_len += hlen;
2126 m->m_next->m_data -= hlen;
2127 m->m_pkthdr.len += hlen;
2128 oip = mtod(m->m_next, struct ip *);
2129 }
2130 ip = mtod(m, struct ip *);
2131 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2132 m->m_len = sizeof(struct ip);
2133 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2134
2135 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2136 /* ECN consideration. */
2137 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2138 #ifdef _IP_VHL
2139 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2140 #else
2141 ip->ip_hl = sizeof(struct ip) >> 2;
2142 #endif
2143 ip->ip_off &= htons(~IP_OFFMASK);
2144 ip->ip_off &= htons(~IP_MF);
2145 switch (ip4_ipsec_dfbit) {
2146 case 0: /* clear DF bit */
2147 ip->ip_off &= htons(~IP_DF);
2148 break;
2149 case 1: /* set DF bit */
2150 ip->ip_off |= htons(IP_DF);
2151 break;
2152 default: /* copy DF bit */
2153 break;
2154 }
2155 ip->ip_p = IPPROTO_IPIP;
2156 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2157 ip->ip_len = htons(plen + sizeof(struct ip));
2158 else {
2159 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2160 "leave ip_len as is (invalid packet)\n"));
2161 }
2162 ip->ip_id = ip_newid();
2163 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2164 &ip->ip_src, sizeof(ip->ip_src));
2165 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2166 &ip->ip_dst, sizeof(ip->ip_dst));
2167 ip->ip_ttl = IPDEFTTL;
2168
2169 /* XXX Should ip_src be updated later ? */
2170
2171 return 0;
2172 }
2173 #endif /* INET */
2174
2175 #ifdef INET6
2176 static int
2177 ipsec6_encapsulate(m, sav)
2178 struct mbuf *m;
2179 struct secasvar *sav;
2180 {
2181 struct sockaddr_in6 sa6;
2182 struct ip6_hdr *oip6;
2183 struct ip6_hdr *ip6;
2184 size_t plen;
2185 int error;
2186
2187 /* can't tunnel between different AFs */
2188 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2189 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2190 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2191 m_freem(m);
2192 return EINVAL;
2193 }
2194 #if 0
2195 /* XXX if the dst is myself, perform nothing. */
2196 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2197 m_freem(m);
2198 return EINVAL;
2199 }
2200 #endif
2201
2202 plen = m->m_pkthdr.len;
2203
2204 /*
2205 * grow the mbuf to accomodate the new IPv6 header.
2206 */
2207 if (m->m_len != sizeof(struct ip6_hdr))
2208 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2209 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2210 struct mbuf *n;
2211 MGET(n, M_DONTWAIT, MT_DATA);
2212 if (!n) {
2213 m_freem(m);
2214 return ENOBUFS;
2215 }
2216 n->m_len = sizeof(struct ip6_hdr);
2217 n->m_next = m->m_next;
2218 m->m_next = n;
2219 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2220 oip6 = mtod(n, struct ip6_hdr *);
2221 } else {
2222 m->m_next->m_len += sizeof(struct ip6_hdr);
2223 m->m_next->m_data -= sizeof(struct ip6_hdr);
2224 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2225 oip6 = mtod(m->m_next, struct ip6_hdr *);
2226 }
2227 ip6 = mtod(m, struct ip6_hdr *);
2228 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2229
2230 /* XXX: Fake scoped addresses */
2231 in6_clearscope(&oip6->ip6_src);
2232 in6_clearscope(&oip6->ip6_dst);
2233
2234 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2235 /* ECN consideration. */
2236 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2237 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2238 ip6->ip6_plen = htons(plen);
2239 else {
2240 /* ip6->ip6_plen will be updated in ip6_output() */
2241 }
2242 ip6->ip6_nxt = IPPROTO_IPV6;
2243
2244 sa6 = *(struct sockaddr_in6 *)&sav->sah->saidx.src;
2245 if ((error = sa6_embedscope(&sa6, 0)) != 0)
2246 return (error);
2247 ip6->ip6_src = sa6.sin6_addr;
2248
2249 sa6 = *(struct sockaddr_in6 *)&sav->sah->saidx.dst;
2250 if ((error = sa6_embedscope(&sa6, 0)) != 0)
2251 return (error);
2252 ip6->ip6_dst = sa6.sin6_addr;
2253
2254 ip6->ip6_hlim = IPV6_DEFHLIM;
2255
2256 /* XXX Should ip6_src be updated later ? */
2257
2258 return 0;
2259 }
2260 #endif /* INET6 */
2261
2262 /*
2263 * Check the variable replay window.
2264 * ipsec_chkreplay() performs replay check before ICV verification.
2265 * ipsec_updatereplay() updates replay bitmap. This must be called after
2266 * ICV verification (it also performs replay check, which is usually done
2267 * beforehand).
2268 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2269 *
2270 * based on RFC 2401.
2271 *
2272 * XXX need to update for 64bit sequence number - 2401bis
2273 */
2274 int
2275 ipsec_chkreplay(seq, sav)
2276 u_int32_t seq;
2277 struct secasvar *sav;
2278 {
2279 const struct secreplay *replay;
2280 u_int32_t diff;
2281 int fr;
2282 u_int32_t wsizeb; /* constant: bits of window size */
2283 int frlast; /* constant: last frame */
2284
2285 /* sanity check */
2286 if (sav == NULL)
2287 panic("ipsec_chkreplay: NULL pointer was passed.");
2288
2289 replay = sav->replay;
2290
2291 if (replay->wsize == 0)
2292 return 1; /* no need to check replay. */
2293
2294 /* constant */
2295 frlast = replay->wsize - 1;
2296 wsizeb = replay->wsize << 3;
2297
2298 /* sequence number of 0 is invalid */
2299 if (seq == 0)
2300 return 0;
2301
2302 /* first time is always okay */
2303 if (replay->count == 0)
2304 return 1;
2305
2306 if (seq > replay->lastseq) {
2307 /* larger sequences are okay */
2308 return 1;
2309 } else {
2310 /* seq is equal or less than lastseq. */
2311 diff = replay->lastseq - seq;
2312
2313 /* over range to check, i.e. too old or wrapped */
2314 if (diff >= wsizeb)
2315 return 0;
2316
2317 fr = frlast - diff / 8;
2318
2319 /* this packet already seen ? */
2320 if (replay->bitmap[fr] & (1 << (diff % 8)))
2321 return 0;
2322
2323 /* out of order but good */
2324 return 1;
2325 }
2326 }
2327
2328 /*
2329 * check replay counter whether to update or not.
2330 * OUT: 0: OK
2331 * 1: NG
2332 * XXX need to update for 64bit sequence number - 2401bis
2333 */
2334 int
2335 ipsec_updatereplay(seq, sav)
2336 u_int32_t seq;
2337 struct secasvar *sav;
2338 {
2339 struct secreplay *replay;
2340 u_int64_t diff;
2341 int fr;
2342 u_int32_t wsizeb; /* constant: bits of window size */
2343 int frlast; /* constant: last frame */
2344
2345 /* sanity check */
2346 if (sav == NULL)
2347 panic("ipsec_chkreplay: NULL pointer was passed.");
2348
2349 replay = sav->replay;
2350
2351 if (replay->wsize == 0)
2352 goto ok; /* no need to check replay. */
2353
2354 /* constant */
2355 frlast = replay->wsize - 1;
2356 wsizeb = replay->wsize << 3;
2357
2358 /* sequence number of 0 is invalid */
2359 if (seq == 0)
2360 return 1;
2361
2362 /* first time */
2363 if (replay->count == 0) {
2364 replay->lastseq = seq;
2365 bzero(replay->bitmap, replay->wsize);
2366 replay->bitmap[frlast] = 1;
2367 goto ok;
2368 }
2369
2370 if (seq > replay->lastseq) {
2371 /* seq is larger than lastseq. */
2372 diff = seq - replay->lastseq;
2373
2374 /* new larger sequence number */
2375 if (diff < wsizeb) {
2376 /* In window */
2377 /* set bit for this packet */
2378 vshiftl(replay->bitmap, diff, replay->wsize);
2379 replay->bitmap[frlast] |= 1;
2380 } else {
2381 /* this packet has a "way larger" */
2382 bzero(replay->bitmap, replay->wsize);
2383 replay->bitmap[frlast] = 1;
2384 }
2385 replay->lastseq = seq;
2386
2387 /* larger is good */
2388 } else {
2389 /* seq is equal or less than lastseq. */
2390 diff = replay->lastseq - seq;
2391
2392 /* over range to check, i.e. too old or wrapped */
2393 if (diff >= wsizeb)
2394 return 1;
2395
2396 fr = frlast - diff / 8;
2397
2398 /* this packet already seen ? */
2399 if (replay->bitmap[fr] & (1 << (diff % 8)))
2400 return 1;
2401
2402 /* mark as seen */
2403 replay->bitmap[fr] |= (1 << (diff % 8));
2404
2405 /* out of order but good */
2406 }
2407
2408 ok:
2409 if (replay->count == 0xffffffff) {
2410
2411 /* set overflow flag */
2412 replay->overflow++;
2413
2414 /* don't increment, no more packets accepted */
2415 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2416 return 1;
2417
2418 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2419 replay->overflow, ipsec_logsastr(sav)));
2420 }
2421
2422 replay->count++;
2423
2424 return 0;
2425 }
2426
2427 /*
2428 * shift variable length buffer to left.
2429 * IN: bitmap: pointer to the buffer
2430 * nbit: the number of to shift.
2431 * wsize: buffer size (bytes).
2432 */
2433 static void
2434 vshiftl(bitmap, nbit, wsize)
2435 unsigned char *bitmap;
2436 int nbit, wsize;
2437 {
2438 int s, j, i;
2439 unsigned char over;
2440
2441 for (j = 0; j < nbit; j += 8) {
2442 s = (nbit - j < 8) ? (nbit - j): 8;
2443 bitmap[0] <<= s;
2444 for (i = 1; i < wsize; i++) {
2445 over = (bitmap[i] >> (8 - s));
2446 bitmap[i] <<= s;
2447 bitmap[i - 1] |= over;
2448 }
2449 }
2450
2451 return;
2452 }
2453
2454 const char *
2455 ipsec4_logpacketstr(ip, spi)
2456 struct ip *ip;
2457 u_int32_t spi;
2458 {
2459 static char buf[256];
2460 char *p;
2461 u_int8_t *s, *d;
2462
2463 s = (u_int8_t *)(&ip->ip_src);
2464 d = (u_int8_t *)(&ip->ip_dst);
2465
2466 p = buf;
2467 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2468 while (*p)
2469 p++;
2470 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2471 s[0], s[1], s[2], s[3]);
2472 while (*p)
2473 p++;
2474 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2475 d[0], d[1], d[2], d[3]);
2476 while (*p)
2477 p++;
2478 snprintf(p, sizeof(buf) - (p - buf), ")");
2479
2480 return buf;
2481 }
2482
2483 #ifdef INET6
2484 const char *
2485 ipsec6_logpacketstr(ip6, spi)
2486 struct ip6_hdr *ip6;
2487 u_int32_t spi;
2488 {
2489 static char buf[256];
2490 char *p;
2491
2492 p = buf;
2493 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2494 while (*p)
2495 p++;
2496 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2497 ip6_sprintf(&ip6->ip6_src));
2498 while (*p)
2499 p++;
2500 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2501 ip6_sprintf(&ip6->ip6_dst));
2502 while (*p)
2503 p++;
2504 snprintf(p, sizeof(buf) - (p - buf), ")");
2505
2506 return buf;
2507 }
2508 #endif /* INET6 */
2509
2510 const char *
2511 ipsec_logsastr(sav)
2512 struct secasvar *sav;
2513 {
2514 static char buf[256];
2515 char *p;
2516 struct secasindex *saidx = &sav->sah->saidx;
2517
2518 /* validity check */
2519 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2520 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2521 panic("ipsec_logsastr: family mismatched.");
2522
2523 p = buf;
2524 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2525 while (*p)
2526 p++;
2527 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2528 u_int8_t *s, *d;
2529 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2530 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2531 snprintf(p, sizeof(buf) - (p - buf),
2532 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2533 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2534 }
2535 #ifdef INET6
2536 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2537 snprintf(p, sizeof(buf) - (p - buf),
2538 "src=%s",
2539 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2540 while (*p)
2541 p++;
2542 snprintf(p, sizeof(buf) - (p - buf),
2543 " dst=%s",
2544 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2545 }
2546 #endif
2547 while (*p)
2548 p++;
2549 snprintf(p, sizeof(buf) - (p - buf), ")");
2550
2551 return buf;
2552 }
2553
2554 void
2555 ipsec_dumpmbuf(m)
2556 struct mbuf *m;
2557 {
2558 int totlen;
2559 int i;
2560 u_char *p;
2561
2562 totlen = 0;
2563 printf("---\n");
2564 while (m) {
2565 p = mtod(m, u_char *);
2566 for (i = 0; i < m->m_len; i++) {
2567 printf("%02x ", p[i]);
2568 totlen++;
2569 if (totlen % 16 == 0)
2570 printf("\n");
2571 }
2572 m = m->m_next;
2573 }
2574 if (totlen % 16 != 0)
2575 printf("\n");
2576 printf("---\n");
2577 }
2578
2579 #ifdef INET
2580 static int
2581 ipsec4_checksa(isr, state)
2582 struct ipsecrequest *isr;
2583 struct ipsec_output_state *state;
2584 {
2585 struct ip *ip;
2586 struct secasindex saidx;
2587 struct sockaddr_in *sin;
2588
2589 /* make SA index for search proper SA */
2590 ip = mtod(state->m, struct ip *);
2591 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2592 saidx.mode = isr->saidx.mode;
2593 saidx.reqid = isr->saidx.reqid;
2594 sin = (struct sockaddr_in *)&saidx.src;
2595 if (sin->sin_len == 0) {
2596 sin->sin_len = sizeof(*sin);
2597 sin->sin_family = AF_INET;
2598 sin->sin_port = IPSEC_PORT_ANY;
2599 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
2600 }
2601 sin = (struct sockaddr_in *)&saidx.dst;
2602 if (sin->sin_len == 0) {
2603 sin->sin_len = sizeof(*sin);
2604 sin->sin_family = AF_INET;
2605 sin->sin_port = IPSEC_PORT_ANY;
2606 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
2607 }
2608
2609 return key_checkrequest(isr, &saidx);
2610 }
2611 /*
2612 * IPsec output logic for IPv4.
2613 */
2614 int
2615 ipsec4_output(state, sp, flags)
2616 struct ipsec_output_state *state;
2617 struct secpolicy *sp;
2618 int flags;
2619 {
2620 struct ip *ip = NULL;
2621 struct ipsecrequest *isr = NULL;
2622 int s;
2623 int error;
2624 struct sockaddr_in *dst4;
2625
2626 if (!state)
2627 panic("state == NULL in ipsec4_output");
2628 if (!state->m)
2629 panic("state->m == NULL in ipsec4_output");
2630 if (!state->ro)
2631 panic("state->ro == NULL in ipsec4_output");
2632 if (!state->dst)
2633 panic("state->dst == NULL in ipsec4_output");
2634 state->encap = 0;
2635
2636 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2637 printf("ipsec4_output: applyed SP\n");
2638 kdebug_secpolicy(sp));
2639
2640 for (isr = sp->req; isr != NULL; isr = isr->next) {
2641
2642 #if 0 /* give up to check restriction of transport mode */
2643 /* XXX but should be checked somewhere */
2644 /*
2645 * some of the IPsec operation must be performed only in
2646 * originating case.
2647 */
2648 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2649 && (flags & IP_FORWARDING))
2650 continue;
2651 #endif
2652 error = ipsec4_checksa(isr, state);
2653 if (error != 0) {
2654 /*
2655 * IPsec processing is required, but no SA found.
2656 * I assume that key_acquire() had been called
2657 * to get/establish the SA. Here I discard
2658 * this packet because it is responsibility for
2659 * upper layer to retransmit the packet.
2660 */
2661 ipsecstat.out_nosa++;
2662 goto bad;
2663 }
2664
2665 /* validity check */
2666 if (isr->sav == NULL) {
2667 switch (ipsec_get_reqlevel(isr, AF_INET)) {
2668 case IPSEC_LEVEL_USE:
2669 continue;
2670 case IPSEC_LEVEL_REQUIRE:
2671 /* must be not reached here. */
2672 panic("ipsec4_output: no SA found, but required.");
2673 }
2674 }
2675
2676 /*
2677 * If there is no valid SA, we give up to process any
2678 * more. In such a case, the SA's status is changed
2679 * from DYING to DEAD after allocating. If a packet
2680 * send to the receiver by dead SA, the receiver can
2681 * not decode a packet because SA has been dead.
2682 */
2683 if (isr->sav->state != SADB_SASTATE_MATURE
2684 && isr->sav->state != SADB_SASTATE_DYING) {
2685 ipsecstat.out_nosa++;
2686 error = EINVAL;
2687 goto bad;
2688 }
2689
2690 /*
2691 * There may be the case that SA status will be changed when
2692 * we are refering to one. So calling splsoftnet().
2693 */
2694 s = splnet();
2695
2696 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2697 /*
2698 * build IPsec tunnel.
2699 */
2700 /* XXX should be processed with other familiy */
2701 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2702 ipseclog((LOG_ERR, "ipsec4_output: "
2703 "family mismatched between inner and outer spi=%u\n",
2704 (u_int32_t)ntohl(isr->sav->spi)));
2705 splx(s);
2706 error = EAFNOSUPPORT;
2707 goto bad;
2708 }
2709
2710 state->m = ipsec4_splithdr(state->m);
2711 if (!state->m) {
2712 splx(s);
2713 error = ENOMEM;
2714 goto bad;
2715 }
2716 error = ipsec4_encapsulate(state->m, isr->sav);
2717 splx(s);
2718 if (error) {
2719 state->m = NULL;
2720 goto bad;
2721 }
2722 ip = mtod(state->m, struct ip *);
2723
2724 state->ro = &isr->sav->sah->sa_route;
2725 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2726 dst4 = (struct sockaddr_in *)state->dst;
2727 if (state->ro->ro_rt
2728 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2729 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2730 RTFREE(state->ro->ro_rt);
2731 state->ro->ro_rt = NULL;
2732 }
2733 if (state->ro->ro_rt == 0) {
2734 dst4->sin_family = AF_INET;
2735 dst4->sin_len = sizeof(*dst4);
2736 dst4->sin_addr = ip->ip_dst;
2737 rtalloc(state->ro);
2738 }
2739 if (state->ro->ro_rt == 0) {
2740 ipstat.ips_noroute++;
2741 error = EHOSTUNREACH;
2742 goto bad;
2743 }
2744
2745 /* adjust state->dst if tunnel endpoint is offlink */
2746 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2747 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2748 dst4 = (struct sockaddr_in *)state->dst;
2749 }
2750
2751 state->encap++;
2752 } else
2753 splx(s);
2754
2755 state->m = ipsec4_splithdr(state->m);
2756 if (!state->m) {
2757 error = ENOMEM;
2758 goto bad;
2759 }
2760 switch (isr->saidx.proto) {
2761 case IPPROTO_ESP:
2762 #ifdef IPSEC_ESP
2763 if ((error = esp4_output(state->m, isr)) != 0) {
2764 state->m = NULL;
2765 goto bad;
2766 }
2767 break;
2768 #else
2769 m_freem(state->m);
2770 state->m = NULL;
2771 error = EINVAL;
2772 goto bad;
2773 #endif
2774 case IPPROTO_AH:
2775 if ((error = ah4_output(state->m, isr)) != 0) {
2776 state->m = NULL;
2777 goto bad;
2778 }
2779 break;
2780 case IPPROTO_IPCOMP:
2781 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2782 state->m = NULL;
2783 goto bad;
2784 }
2785 break;
2786 default:
2787 ipseclog((LOG_ERR,
2788 "ipsec4_output: unknown ipsec protocol %d\n",
2789 isr->saidx.proto));
2790 m_freem(state->m);
2791 state->m = NULL;
2792 error = EINVAL;
2793 goto bad;
2794 }
2795
2796 if (state->m == 0) {
2797 error = ENOMEM;
2798 goto bad;
2799 }
2800 ip = mtod(state->m, struct ip *);
2801 }
2802
2803 return 0;
2804
2805 bad:
2806 m_freem(state->m);
2807 state->m = NULL;
2808 return error;
2809 }
2810 #endif
2811
2812 #ifdef INET6
2813 static int
2814 ipsec6_checksa(isr, state, tunnel)
2815 struct ipsecrequest *isr;
2816 struct ipsec_output_state *state;
2817 int tunnel;
2818 {
2819 struct ip6_hdr *ip6;
2820 struct secasindex saidx;
2821 struct sockaddr_in6 *sin6;
2822
2823 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2824 #ifdef DIAGNOSTIC
2825 if (!tunnel)
2826 panic("ipsec6_checksa/inconsistent tunnel attribute");
2827 #endif
2828 /* When tunnel mode, SA peers must be specified. */
2829 return key_checkrequest(isr, &isr->saidx);
2830 }
2831
2832 /* make SA index for search proper SA */
2833 ip6 = mtod(state->m, struct ip6_hdr *);
2834 if (tunnel) {
2835 bzero(&saidx, sizeof(saidx));
2836 saidx.proto = isr->saidx.proto;
2837 } else
2838 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2839 saidx.mode = isr->saidx.mode;
2840 saidx.reqid = isr->saidx.reqid;
2841 sin6 = (struct sockaddr_in6 *)&saidx.src;
2842 if (sin6->sin6_len == 0 || tunnel) {
2843 sin6->sin6_len = sizeof(*sin6);
2844 sin6->sin6_family = AF_INET6;
2845 sin6->sin6_port = IPSEC_PORT_ANY;
2846 sin6->sin6_addr = ip6->ip6_src;
2847 }
2848 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2849 if (sin6->sin6_len == 0 || tunnel) {
2850 sin6->sin6_len = sizeof(*sin6);
2851 sin6->sin6_family = AF_INET6;
2852 sin6->sin6_port = IPSEC_PORT_ANY;
2853 sin6->sin6_addr = ip6->ip6_dst;
2854 }
2855
2856 return key_checkrequest(isr, &saidx);
2857 }
2858
2859 /*
2860 * IPsec output logic for IPv6, transport mode.
2861 */
2862 int
2863 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
2864 struct ipsec_output_state *state;
2865 u_char *nexthdrp;
2866 struct mbuf *mprev;
2867 struct secpolicy *sp;
2868 int flags;
2869 int *tun;
2870 {
2871 struct ip6_hdr *ip6;
2872 struct ipsecrequest *isr = NULL;
2873 int error = 0;
2874 int plen;
2875
2876 if (!state)
2877 panic("state == NULL in ipsec6_output_trans");
2878 if (!state->m)
2879 panic("state->m == NULL in ipsec6_output_trans");
2880 if (!nexthdrp)
2881 panic("nexthdrp == NULL in ipsec6_output_trans");
2882 if (!mprev)
2883 panic("mprev == NULL in ipsec6_output_trans");
2884 if (!sp)
2885 panic("sp == NULL in ipsec6_output_trans");
2886 if (!tun)
2887 panic("tun == NULL in ipsec6_output_trans");
2888
2889 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2890 printf("ipsec6_output_trans: applyed SP\n");
2891 kdebug_secpolicy(sp));
2892
2893 *tun = 0;
2894 for (isr = sp->req; isr; isr = isr->next) {
2895 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2896 /* the rest will be handled by ipsec6_output_tunnel() */
2897 break;
2898 }
2899
2900 error = ipsec6_checksa(isr, state, 0);
2901 if (error == EIO)
2902 goto bad;
2903 if (error == ENOENT) {
2904 /*
2905 * IPsec processing is required, but no SA found.
2906 * I assume that key_acquire() had been called
2907 * to get/establish the SA. Here I discard
2908 * this packet because it is responsibility for
2909 * upper layer to retransmit the packet.
2910 */
2911 ipsec6stat.out_nosa++;
2912
2913 /*
2914 * Notify the fact that the packet is discarded
2915 * to ourselves. I believe this is better than
2916 * just silently discarding. (jinmei@kame.net)
2917 * XXX: should we restrict the error to TCP packets?
2918 * XXX: should we directly notify sockets via
2919 * pfctlinputs?
2920 *
2921 * Noone have initialized rcvif until this point,
2922 * so clear it.
2923 */
2924 if ((state->m->m_flags & M_PKTHDR) != 0)
2925 state->m->m_pkthdr.rcvif = NULL;
2926 icmp6_error(state->m, ICMP6_DST_UNREACH,
2927 ICMP6_DST_UNREACH_ADMIN, 0);
2928 state->m = NULL; /* icmp6_error freed the mbuf */
2929 goto bad;
2930 }
2931
2932 /* validity check */
2933 if (isr->sav == NULL) {
2934 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
2935 case IPSEC_LEVEL_USE:
2936 continue;
2937 case IPSEC_LEVEL_REQUIRE:
2938 /* must be not reached here. */
2939 panic("ipsec6_output_trans: no SA found, but required.");
2940 }
2941 }
2942
2943 /*
2944 * If there is no valid SA, we give up to process.
2945 * see same place at ipsec4_output().
2946 */
2947 if (isr->sav->state != SADB_SASTATE_MATURE
2948 && isr->sav->state != SADB_SASTATE_DYING) {
2949 ipsec6stat.out_nosa++;
2950 error = EINVAL;
2951 goto bad;
2952 }
2953
2954 switch (isr->saidx.proto) {
2955 case IPPROTO_ESP:
2956 #ifdef IPSEC_ESP
2957 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2958 #else
2959 m_freem(state->m);
2960 error = EINVAL;
2961 #endif
2962 break;
2963 case IPPROTO_AH:
2964 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2965 break;
2966 case IPPROTO_IPCOMP:
2967 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2968 break;
2969 default:
2970 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2971 "unknown ipsec protocol %d\n", isr->saidx.proto));
2972 m_freem(state->m);
2973 ipsec6stat.out_inval++;
2974 error = EINVAL;
2975 break;
2976 }
2977 if (error) {
2978 state->m = NULL;
2979 goto bad;
2980 }
2981 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2982 if (plen > IPV6_MAXPACKET) {
2983 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2984 "IPsec with IPv6 jumbogram is not supported\n"));
2985 ipsec6stat.out_inval++;
2986 error = EINVAL; /* XXX */
2987 goto bad;
2988 }
2989 ip6 = mtod(state->m, struct ip6_hdr *);
2990 ip6->ip6_plen = htons(plen);
2991 }
2992
2993 /* if we have more to go, we need a tunnel mode processing */
2994 if (isr != NULL)
2995 *tun = 1;
2996
2997 return 0;
2998
2999 bad:
3000 m_freem(state->m);
3001 state->m = NULL;
3002 return error;
3003 }
3004
3005 /*
3006 * IPsec output logic for IPv6, tunnel mode.
3007 */
3008 int
3009 ipsec6_output_tunnel(state, sp, flags)
3010 struct ipsec_output_state *state;
3011 struct secpolicy *sp;
3012 int flags;
3013 {
3014 struct ip6_hdr *ip6;
3015 struct ipsecrequest *isr = NULL;
3016 int error = 0;
3017 int plen;
3018 struct sockaddr_in6 *dst6;
3019 int s;
3020
3021 if (!state)
3022 panic("state == NULL in ipsec6_output_tunnel");
3023 if (!state->m)
3024 panic("state->m == NULL in ipsec6_output_tunnel");
3025 if (!sp)
3026 panic("sp == NULL in ipsec6_output_tunnel");
3027
3028 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3029 printf("ipsec6_output_tunnel: applyed SP\n");
3030 kdebug_secpolicy(sp));
3031
3032 /*
3033 * transport mode ipsec (before the 1st tunnel mode) is already
3034 * processed by ipsec6_output_trans().
3035 */
3036 for (isr = sp->req; isr; isr = isr->next) {
3037 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
3038 break;
3039 }
3040
3041 for (/* already initialized */; isr; isr = isr->next) {
3042 error = ipsec6_checksa(isr, state, 1);
3043 if (error == EIO)
3044 goto bad;
3045 if (error == ENOENT) {
3046 /*
3047 * IPsec processing is required, but no SA found.
3048 * I assume that key_acquire() had been called
3049 * to get/establish the SA. Here I discard
3050 * this packet because it is responsibility for
3051 * upper layer to retransmit the packet.
3052 */
3053 ipsec6stat.out_nosa++;
3054 error = ENOENT;
3055 goto bad;
3056 }
3057
3058 /* validity check */
3059 if (isr->sav == NULL) {
3060 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
3061 case IPSEC_LEVEL_USE:
3062 continue;
3063 case IPSEC_LEVEL_REQUIRE:
3064 /* must be not reached here. */
3065 panic("ipsec6_output_tunnel: no SA found, but required.");
3066 }
3067 }
3068
3069 /*
3070 * If there is no valid SA, we give up to process.
3071 * see same place at ipsec4_output().
3072 */
3073 if (isr->sav->state != SADB_SASTATE_MATURE
3074 && isr->sav->state != SADB_SASTATE_DYING) {
3075 ipsec6stat.out_nosa++;
3076 error = EINVAL;
3077 goto bad;
3078 }
3079
3080 /*
3081 * There may be the case that SA status will be changed when
3082 * we are refering to one. So calling splsoftnet().
3083 */
3084 s = splnet();
3085
3086 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3087 /*
3088 * build IPsec tunnel.
3089 */
3090 /* XXX should be processed with other familiy */
3091 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
3092 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3093 "family mismatched between inner and outer, spi=%u\n",
3094 (u_int32_t)ntohl(isr->sav->spi)));
3095 splx(s);
3096 ipsec6stat.out_inval++;
3097 error = EAFNOSUPPORT;
3098 goto bad;
3099 }
3100
3101 state->m = ipsec6_splithdr(state->m);
3102 if (!state->m) {
3103 splx(s);
3104 ipsec6stat.out_nomem++;
3105 error = ENOMEM;
3106 goto bad;
3107 }
3108 error = ipsec6_encapsulate(state->m, isr->sav);
3109 splx(s);
3110 if (error) {
3111 state->m = 0;
3112 goto bad;
3113 }
3114 ip6 = mtod(state->m, struct ip6_hdr *);
3115
3116 state->ro = &isr->sav->sah->sa_route;
3117 state->dst = (struct sockaddr *)&state->ro->ro_dst;
3118 dst6 = (struct sockaddr_in6 *)state->dst;
3119 if (state->ro->ro_rt &&
3120 (!(state->ro->ro_rt->rt_flags & RTF_UP) ||
3121 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr,
3122 &ip6->ip6_dst))) {
3123 RTFREE(state->ro->ro_rt);
3124 state->ro->ro_rt = NULL;
3125 }
3126 if (state->ro->ro_rt == 0) {
3127 bzero(dst6, sizeof(*dst6));
3128 dst6->sin6_family = AF_INET6;
3129 dst6->sin6_len = sizeof(*dst6);
3130 dst6->sin6_addr = ip6->ip6_dst;
3131 rtalloc(state->ro);
3132 }
3133 if (state->ro->ro_rt == 0) {
3134 ip6stat.ip6s_noroute++;
3135 ipsec6stat.out_noroute++;
3136 error = EHOSTUNREACH;
3137 goto bad;
3138 }
3139
3140 /* adjust state->dst if tunnel endpoint is offlink */
3141 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3142 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3143 dst6 = (struct sockaddr_in6 *)state->dst;
3144 }
3145 } else
3146 splx(s);
3147
3148 state->m = ipsec6_splithdr(state->m);
3149 if (!state->m) {
3150 ipsec6stat.out_nomem++;
3151 error = ENOMEM;
3152 goto bad;
3153 }
3154 ip6 = mtod(state->m, struct ip6_hdr *);
3155 switch (isr->saidx.proto) {
3156 case IPPROTO_ESP:
3157 #ifdef IPSEC_ESP
3158 error = esp6_output(state->m, &ip6->ip6_nxt,
3159 state->m->m_next, isr);
3160 #else
3161 m_freem(state->m);
3162 error = EINVAL;
3163 #endif
3164 break;
3165 case IPPROTO_AH:
3166 error = ah6_output(state->m, &ip6->ip6_nxt,
3167 state->m->m_next, isr);
3168 break;
3169 case IPPROTO_IPCOMP:
3170 /* XXX code should be here */
3171 /* FALLTHROUGH */
3172 default:
3173 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3174 "unknown ipsec protocol %d\n", isr->saidx.proto));
3175 m_freem(state->m);
3176 ipsec6stat.out_inval++;
3177 error = EINVAL;
3178 break;
3179 }
3180 if (error) {
3181 state->m = NULL;
3182 goto bad;
3183 }
3184 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3185 if (plen > IPV6_MAXPACKET) {
3186 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3187 "IPsec with IPv6 jumbogram is not supported\n"));
3188 ipsec6stat.out_inval++;
3189 error = EINVAL; /* XXX */
3190 goto bad;
3191 }
3192 ip6 = mtod(state->m, struct ip6_hdr *);
3193 ip6->ip6_plen = htons(plen);
3194 }
3195
3196 return 0;
3197
3198 bad:
3199 m_freem(state->m);
3200 state->m = NULL;
3201 return error;
3202 }
3203 #endif /* INET6 */
3204
3205 #ifdef INET
3206 /*
3207 * Chop IP header and option off from the payload.
3208 */
3209 static struct mbuf *
3210 ipsec4_splithdr(m)
3211 struct mbuf *m;
3212 {
3213 struct mbuf *mh;
3214 struct ip *ip;
3215 int hlen;
3216
3217 if (m->m_len < sizeof(struct ip))
3218 panic("ipsec4_splithdr: first mbuf too short");
3219 ip = mtod(m, struct ip *);
3220 #ifdef _IP_VHL
3221 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3222 #else
3223 hlen = ip->ip_hl << 2;
3224 #endif
3225 if (m->m_len > hlen) {
3226 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3227 if (!mh) {
3228 m_freem(m);
3229 return NULL;
3230 }
3231 M_MOVE_PKTHDR(mh, m);
3232 MH_ALIGN(mh, hlen);
3233 m->m_len -= hlen;
3234 m->m_data += hlen;
3235 mh->m_next = m;
3236 m = mh;
3237 m->m_len = hlen;
3238 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3239 } else if (m->m_len < hlen) {
3240 m = m_pullup(m, hlen);
3241 if (!m)
3242 return NULL;
3243 }
3244 return m;
3245 }
3246 #endif
3247
3248 #ifdef INET6
3249 static struct mbuf *
3250 ipsec6_splithdr(m)
3251 struct mbuf *m;
3252 {
3253 struct mbuf *mh;
3254 struct ip6_hdr *ip6;
3255 int hlen;
3256
3257 if (m->m_len < sizeof(struct ip6_hdr))
3258 panic("ipsec6_splithdr: first mbuf too short");
3259 ip6 = mtod(m, struct ip6_hdr *);
3260 hlen = sizeof(struct ip6_hdr);
3261 if (m->m_len > hlen) {
3262 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3263 if (!mh) {
3264 m_freem(m);
3265 return NULL;
3266 }
3267 M_MOVE_PKTHDR(mh, m);
3268 MH_ALIGN(mh, hlen);
3269 m->m_len -= hlen;
3270 m->m_data += hlen;
3271 mh->m_next = m;
3272 m = mh;
3273 m->m_len = hlen;
3274 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3275 } else if (m->m_len < hlen) {
3276 m = m_pullup(m, hlen);
3277 if (!m)
3278 return NULL;
3279 }
3280 return m;
3281 }
3282 #endif
3283
3284 /* validate inbound IPsec tunnel packet. */
3285 int
3286 ipsec4_tunnel_validate(m, off, nxt0, sav)
3287 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3288 int off;
3289 u_int nxt0;
3290 struct secasvar *sav;
3291 {
3292 u_int8_t nxt = nxt0 & 0xff;
3293 struct sockaddr_in *sin;
3294 struct sockaddr_in osrc, odst, isrc, idst;
3295 int hlen;
3296 struct secpolicy *sp;
3297 struct ip *oip;
3298
3299 #ifdef DIAGNOSTIC
3300 if (m->m_len < sizeof(struct ip))
3301 panic("too short mbuf on ipsec4_tunnel_validate");
3302 #endif
3303 if (nxt != IPPROTO_IPV4)
3304 return 0;
3305 if (m->m_pkthdr.len < off + sizeof(struct ip))
3306 return 0;
3307 /* do not decapsulate if the SA is for transport mode only */
3308 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3309 return 0;
3310
3311 oip = mtod(m, struct ip *);
3312 hlen = oip->ip_hl << 2;
3313 if (hlen != sizeof(struct ip))
3314 return 0;
3315
3316 /* AF_INET6 should be supported, but at this moment we don't. */
3317 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3318 if (sin->sin_family != AF_INET)
3319 return 0;
3320 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3321 return 0;
3322
3323 /* XXX slow */
3324 bzero(&osrc, sizeof(osrc));
3325 bzero(&odst, sizeof(odst));
3326 bzero(&isrc, sizeof(isrc));
3327 bzero(&idst, sizeof(idst));
3328 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3329 AF_INET;
3330 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3331 sizeof(struct sockaddr_in);
3332 osrc.sin_addr = oip->ip_src;
3333 odst.sin_addr = oip->ip_dst;
3334 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3335 (caddr_t)&isrc.sin_addr);
3336 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3337 (caddr_t)&idst.sin_addr);
3338
3339 /*
3340 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3341 * - if the inner destination is multicast address, there can be
3342 * multiple permissible inner source address. implementation
3343 * may want to skip verification of inner source address against
3344 * SPD selector.
3345 * - if the inner protocol is ICMP, the packet may be an error report
3346 * from routers on the other side of the VPN cloud (R in the
3347 * following diagram). in this case, we cannot verify inner source
3348 * address against SPD selector.
3349 * me -- gw === gw -- R -- you
3350 *
3351 * we consider the first bullet to be users responsibility on SPD entry
3352 * configuration (if you need to encrypt multicast traffic, set
3353 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3354 * address ranges for possible senders).
3355 * the second bullet is not taken care of (yet).
3356 *
3357 * therefore, we do not do anything special about inner source.
3358 */
3359
3360 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3361 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3362 /*
3363 * when there is no suitable inbound policy for the packet of the ipsec
3364 * tunnel mode, the kernel never decapsulate the tunneled packet
3365 * as the ipsec tunnel mode even when the system wide policy is "none".
3366 * then the kernel leaves the generic tunnel module to process this
3367 * packet. if there is no rule of the generic tunnel, the packet
3368 * is rejected and the statistics will be counted up.
3369 */
3370 if (!sp)
3371 return 0;
3372 key_freesp(sp);
3373
3374 return 1;
3375 }
3376
3377 #ifdef INET6
3378 /* validate inbound IPsec tunnel packet. */
3379 int
3380 ipsec6_tunnel_validate(m, off, nxt0, sav)
3381 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3382 int off;
3383 u_int nxt0;
3384 struct secasvar *sav;
3385 {
3386 u_int8_t nxt = nxt0 & 0xff;
3387 struct sockaddr_in6 *sin6;
3388 struct sockaddr_in6 osrc, odst, isrc, idst;
3389 struct secpolicy *sp;
3390 struct ip6_hdr *oip6;
3391
3392 #ifdef DIAGNOSTIC
3393 if (m->m_len < sizeof(struct ip6_hdr))
3394 panic("too short mbuf on ipsec6_tunnel_validate");
3395 #endif
3396 if (nxt != IPPROTO_IPV6)
3397 return 0;
3398 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3399 return 0;
3400 /* do not decapsulate if the SA is for transport mode only */
3401 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3402 return 0;
3403
3404 oip6 = mtod(m, struct ip6_hdr *);
3405
3406 /* AF_INET should be supported, but at this moment we don't. */
3407 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3408 if (sin6->sin6_family != AF_INET6)
3409 return 0;
3410 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3411 return 0;
3412
3413 /* XXX slow */
3414 bzero(&osrc, sizeof(osrc));
3415 bzero(&odst, sizeof(odst));
3416 bzero(&isrc, sizeof(isrc));
3417 bzero(&idst, sizeof(idst));
3418 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3419 idst.sin6_family = AF_INET6;
3420 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3421 sizeof(struct sockaddr_in6);
3422 osrc.sin6_addr = oip6->ip6_src;
3423 odst.sin6_addr = oip6->ip6_dst;
3424 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3425 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3426 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3427 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3428
3429 /*
3430 * regarding to inner source address validation, see a long comment
3431 * in ipsec4_tunnel_validate.
3432 */
3433
3434 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3435 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3436 if (!sp)
3437 return 0;
3438 key_freesp(sp);
3439
3440 return 1;
3441 }
3442 #endif
3443
3444 /*
3445 * Make a mbuf chain for encryption.
3446 * If the original mbuf chain contains a mbuf with a cluster,
3447 * allocate a new cluster and copy the data to the new cluster.
3448 * XXX: this hack is inefficient, but is necessary to handle cases
3449 * of TCP retransmission...
3450 */
3451 struct mbuf *
3452 ipsec_copypkt(m)
3453 struct mbuf *m;
3454 {
3455 struct mbuf *n, **mpp, *mnew;
3456
3457 for (n = m, mpp = &m; n; n = n->m_next) {
3458 if (n->m_flags & M_EXT) {
3459 /*
3460 * Make a copy only if there is more than one
3461 * references to the cluster.
3462 * XXX: is this approach effective?
3463 */
3464 if (!M_WRITABLE(n)) {
3465 int remain, copied;
3466 struct mbuf *mm;
3467
3468 if (n->m_flags & M_PKTHDR) {
3469 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3470 if (mnew == NULL)
3471 goto fail;
3472 M_MOVE_PKTHDR(mnew, n);
3473 }
3474 else {
3475 MGET(mnew, M_DONTWAIT, MT_DATA);
3476 if (mnew == NULL)
3477 goto fail;
3478 }
3479 mnew->m_len = 0;
3480 mm = mnew;
3481
3482 /*
3483 * Copy data. If we don't have enough space to
3484 * store the whole data, allocate a cluster
3485 * or additional mbufs.
3486 * XXX: we don't use m_copyback(), since the
3487 * function does not use clusters and thus is
3488 * inefficient.
3489 */
3490 remain = n->m_len;
3491 copied = 0;
3492 while (1) {
3493 int len;
3494 struct mbuf *mn;
3495
3496 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3497 len = remain;
3498 else { /* allocate a cluster */
3499 MCLGET(mm, M_DONTWAIT);
3500 if (!(mm->m_flags & M_EXT)) {
3501 m_free(mm);
3502 goto fail;
3503 }
3504 len = remain < MCLBYTES ?
3505 remain : MCLBYTES;
3506 }
3507
3508 bcopy(n->m_data + copied, mm->m_data,
3509 len);
3510
3511 copied += len;
3512 remain -= len;
3513 mm->m_len = len;
3514
3515 if (remain <= 0) /* completed? */
3516 break;
3517
3518 /* need another mbuf */
3519 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3520 if (mn == NULL)
3521 goto fail;
3522 mn->m_pkthdr.rcvif = NULL;
3523 mm->m_next = mn;
3524 mm = mn;
3525 }
3526
3527 /* adjust chain */
3528 mm->m_next = m_free(n);
3529 n = mm;
3530 *mpp = mnew;
3531 mpp = &n->m_next;
3532
3533 continue;
3534 }
3535 }
3536 *mpp = n;
3537 mpp = &n->m_next;
3538 }
3539
3540 return (m);
3541 fail:
3542 m_freem(m);
3543 return (NULL);
3544 }
3545
3546 static struct ipsecaux *
3547 ipsec_addaux(m)
3548 struct mbuf *m;
3549 {
3550 struct m_tag *mtag;
3551
3552 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3553 if (mtag == NULL) {
3554 mtag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
3555 sizeof(struct ipsecaux), M_NOWAIT);
3556 if (mtag != NULL)
3557 m_tag_prepend(m, mtag);
3558 }
3559 if (mtag == NULL)
3560 return NULL; /* ENOBUFS */
3561 /* XXX is this necessary? */
3562 bzero((void *)(mtag + 1), sizeof(struct ipsecaux));
3563 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL;
3564 }
3565
3566 static struct ipsecaux *
3567 ipsec_findaux(m)
3568 struct mbuf *m;
3569 {
3570 struct m_tag *mtag;
3571
3572 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3573 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL;
3574 }
3575
3576 void
3577 ipsec_delaux(m)
3578 struct mbuf *m;
3579 {
3580 struct m_tag *mtag;
3581
3582 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3583 if (mtag != NULL)
3584 m_tag_delete(m, mtag);
3585 }
3586
3587 /* if the aux buffer is unnecessary, nuke it. */
3588 static void
3589 ipsec_optaux(m, aux)
3590 struct mbuf *m;
3591 struct ipsecaux *aux;
3592 {
3593
3594 if (aux == NULL)
3595 return;
3596 ipsec_delaux(m);
3597 }
3598
3599 int
3600 ipsec_addhist(m, proto, spi)
3601 struct mbuf *m;
3602 int proto;
3603 u_int32_t spi;
3604 {
3605 struct ipsecaux *aux;
3606
3607 aux = ipsec_addaux(m);
3608 if (aux == NULL)
3609 return ENOBUFS;
3610 aux->hdrs++;
3611 return 0;
3612 }
3613
3614 int
3615 ipsec_getnhist(m)
3616 struct mbuf *m;
3617 {
3618 struct ipsecaux *aux;
3619
3620 aux = ipsec_findaux(m);
3621 if (aux == NULL)
3622 return 0;
3623 return aux->hdrs;
3624 }
3625
3626 void
3627 ipsec_clearhist(m)
3628 struct mbuf *m;
3629 {
3630 struct ipsecaux *aux;
3631
3632 aux = ipsec_findaux(m);
3633 ipsec_optaux(m, aux);
3634 }
Cache object: ddda948286215aab2a206b1027740165
|