Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* $FreeBSD: releng/6.1/sys/netinet6/ipsec.c 158179 2006-04-30 16:44:43Z cvs2svn $ */ 2 /* $KAME: ipsec.c,v 1.207 2004/01/13 03:30:42 itojun Exp $ */ 3 4 /*- 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * IPsec controller part. 35 */ 36 37 #include "opt_inet.h" 38 #include "opt_inet6.h" 39 #include "opt_ipsec.h" 40 41 #include <sys/param.h> 42 #include <sys/systm.h> 43 #include <sys/malloc.h> 44 #include <sys/mbuf.h> 45 #include <sys/domain.h> 46 #include <sys/protosw.h> 47 #include <sys/socket.h> 48 #include <sys/socketvar.h> 49 #include <sys/errno.h> 50 #include <sys/time.h> 51 #include <sys/kernel.h> 52 #include <sys/syslog.h> 53 #include <sys/sysctl.h> 54 #include <sys/proc.h> 55 56 #include <net/if.h> 57 #include <net/route.h> 58 59 #include <netinet/in.h> 60 #include <netinet/in_systm.h> 61 #include <netinet/ip.h> 62 #include <netinet/ip_var.h> 63 #include <netinet/in_var.h> 64 #include <netinet/udp.h> 65 #include <netinet/udp_var.h> 66 #include <netinet/ip_ecn.h> 67 #ifdef INET6 68 #include <netinet6/ip6_ecn.h> 69 #endif 70 #include <netinet/tcp.h> 71 #include <netinet/udp.h> 72 73 #include <netinet/ip6.h> 74 #ifdef INET6 75 #include <netinet6/ip6_var.h> 76 #include <netinet6/scope6_var.h> 77 #endif 78 #include <netinet/in_pcb.h> 79 #ifdef INET6 80 #include <netinet/icmp6.h> 81 #endif 82 83 #include <netinet6/ipsec.h> 84 #ifdef INET6 85 #include <netinet6/ipsec6.h> 86 #endif 87 #include <netinet6/ah.h> 88 #ifdef INET6 89 #include <netinet6/ah6.h> 90 #endif 91 #ifdef IPSEC_ESP 92 #include <netinet6/esp.h> 93 #ifdef INET6 94 #include <netinet6/esp6.h> 95 #endif 96 #endif 97 #include <netinet6/ipcomp.h> 98 #ifdef INET6 99 #include <netinet6/ipcomp6.h> 100 #endif 101 #include <netkey/key.h> 102 #include <netkey/keydb.h> 103 #include <netkey/key_debug.h> 104 105 #include <machine/in_cksum.h> 106 #include <net/net_osdep.h> 107 108 #ifdef IPSEC_DEBUG 109 int ipsec_debug = 1; 110 #else 111 int ipsec_debug = 0; 112 #endif 113 114 NET_NEEDS_GIANT("ipsec"); 115 116 struct ipsecstat ipsecstat; 117 int ip4_ah_cleartos = 1; 118 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ 119 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ 120 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; 121 int ip4_esp_net_deflev = IPSEC_LEVEL_USE; 122 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; 123 int ip4_ah_net_deflev = IPSEC_LEVEL_USE; 124 struct secpolicy *ip4_def_policy; 125 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 126 int ip4_esp_randpad = -1; 127 128 static int sp_cachegen = 1; /* cache generation # */ 129 130 SYSCTL_DECL(_net_inet_ipsec); 131 #ifdef INET6 132 SYSCTL_DECL(_net_inet6_ipsec6); 133 #endif 134 135 /* net.inet.ipsec */ 136 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS, 137 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, ""); 138 #if 0 139 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY, 140 def_policy, CTLFLAG_RW, &ip4_def_policy->policy, 0, ""); 141 #endif 142 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 143 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, ""); 144 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 145 CTLFLAG_RW, &ip4_esp_net_deflev, 0, ""); 146 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 147 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, ""); 148 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 149 CTLFLAG_RW, &ip4_ah_net_deflev, 0, ""); 150 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, 151 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, ""); 152 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, 153 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, ""); 154 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, 155 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, ""); 156 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, 157 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, ""); 158 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, 159 debug, CTLFLAG_RW, &ipsec_debug, 0, ""); 160 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD, 161 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, ""); 162 163 #ifdef INET6 164 struct ipsecstat ipsec6stat; 165 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; 166 int ip6_esp_net_deflev = IPSEC_LEVEL_USE; 167 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 168 int ip6_ah_net_deflev = IPSEC_LEVEL_USE; 169 struct secpolicy *ip6_def_policy; 170 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 171 int ip6_esp_randpad = -1; 172 173 /* net.inet6.ipsec6 */ 174 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, 175 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, ""); 176 #if 0 177 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, 178 def_policy, CTLFLAG_RW, &ip6_def_policy->policy, 0, ""); 179 #endif 180 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 181 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, ""); 182 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 183 CTLFLAG_RW, &ip6_esp_net_deflev, 0, ""); 184 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 185 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, ""); 186 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 187 CTLFLAG_RW, &ip6_ah_net_deflev, 0, ""); 188 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, 189 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, ""); 190 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, 191 debug, CTLFLAG_RW, &ipsec_debug, 0, ""); 192 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, 193 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, ""); 194 #endif /* INET6 */ 195 196 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *, 197 struct inpcbpolicy *, int)); 198 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *, 199 struct secpolicy *, int)); 200 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int)); 201 static int ipsec_setspidx_mbuf 202 __P((struct secpolicyindex *, int, struct mbuf *, int)); 203 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int)); 204 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); 205 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 206 #ifdef INET6 207 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); 208 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 209 #endif 210 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void)); 211 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *)); 212 #if 0 213 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *)); 214 #endif 215 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *)); 216 static int ipsec_set_policy 217 __P((struct secpolicy **, int, caddr_t, size_t, int)); 218 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **)); 219 static void vshiftl __P((unsigned char *, int, int)); 220 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *)); 221 static size_t ipsec_hdrsiz __P((struct secpolicy *)); 222 #ifdef INET 223 static struct mbuf *ipsec4_splithdr __P((struct mbuf *)); 224 #endif 225 #ifdef INET6 226 static struct mbuf *ipsec6_splithdr __P((struct mbuf *)); 227 #endif 228 #ifdef INET 229 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *)); 230 #endif 231 #ifdef INET6 232 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *)); 233 #endif 234 static struct ipsecaux *ipsec_addaux __P((struct mbuf *)); 235 static struct ipsecaux *ipsec_findaux __P((struct mbuf *)); 236 static void ipsec_optaux __P((struct mbuf *, struct ipsecaux *)); 237 #ifdef INET 238 static int ipsec4_checksa __P((struct ipsecrequest *, 239 struct ipsec_output_state *)); 240 #endif 241 #ifdef INET6 242 static int ipsec6_checksa __P((struct ipsecrequest *, 243 struct ipsec_output_state *, int)); 244 #endif 245 246 /* 247 * try to validate and use cached policy on a pcb. 248 */ 249 static struct secpolicy * 250 ipsec_checkpcbcache(m, pcbsp, dir) 251 struct mbuf *m; 252 struct inpcbpolicy *pcbsp; 253 int dir; 254 { 255 struct secpolicyindex spidx; 256 struct timeval mono_time; 257 258 microtime(&mono_time); 259 260 switch (dir) { 261 case IPSEC_DIR_INBOUND: 262 case IPSEC_DIR_OUTBOUND: 263 case IPSEC_DIR_ANY: 264 break; 265 default: 266 return NULL; 267 } 268 #ifdef DIAGNOSTIC 269 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0])) 270 panic("dir too big in ipsec_checkpcbcache"); 271 #endif 272 /* SPD table change invalidates all the caches */ 273 if (pcbsp->cachegen[dir] == 0 || sp_cachegen > pcbsp->cachegen[dir]) { 274 ipsec_invalpcbcache(pcbsp, dir); 275 return NULL; 276 } 277 if (!pcbsp->cache[dir]) 278 return NULL; 279 if (pcbsp->cache[dir]->state != IPSEC_SPSTATE_ALIVE) { 280 ipsec_invalpcbcache(pcbsp, dir); 281 return NULL; 282 } 283 if ((pcbsp->cacheflags & IPSEC_PCBSP_CONNECTED) == 0) { 284 if (!pcbsp->cache[dir]) 285 return NULL; 286 if (ipsec_setspidx(m, &spidx, 1) != 0) 287 return NULL; 288 if (bcmp(&pcbsp->cacheidx[dir], &spidx, sizeof(spidx))) { 289 if (!pcbsp->cache[dir]->spidx || 290 !key_cmpspidx_withmask(pcbsp->cache[dir]->spidx, 291 &spidx)) 292 return NULL; 293 pcbsp->cacheidx[dir] = spidx; 294 } 295 } else { 296 /* 297 * The pcb is connected, and the L4 code is sure that: 298 * - outgoing side uses inp_[lf]addr 299 * - incoming side looks up policy after inpcb lookup 300 * and address pair is known to be stable. We do not need 301 * to generate spidx again, nor check the address match again. 302 * 303 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds 304 * and there are calls to ipsec_pcbconn() from in_pcbconnect(). 305 */ 306 } 307 308 pcbsp->cache[dir]->lastused = mono_time.tv_sec; 309 pcbsp->cache[dir]->refcnt++; 310 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 311 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n", 312 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir])); 313 return pcbsp->cache[dir]; 314 } 315 316 static int 317 ipsec_fillpcbcache(pcbsp, m, sp, dir) 318 struct inpcbpolicy *pcbsp; 319 struct mbuf *m; 320 struct secpolicy *sp; 321 int dir; 322 { 323 324 switch (dir) { 325 case IPSEC_DIR_INBOUND: 326 case IPSEC_DIR_OUTBOUND: 327 break; 328 default: 329 return EINVAL; 330 } 331 #ifdef DIAGNOSTIC 332 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0])) 333 panic("dir too big in ipsec_checkpcbcache"); 334 #endif 335 336 if (pcbsp->cache[dir]) 337 key_freesp(pcbsp->cache[dir]); 338 pcbsp->cache[dir] = NULL; 339 if (ipsec_setspidx(m, &pcbsp->cacheidx[dir], 1) != 0) { 340 return EINVAL; 341 } 342 pcbsp->cache[dir] = sp; 343 if (pcbsp->cache[dir]) { 344 pcbsp->cache[dir]->refcnt++; 345 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 346 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n", 347 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir])); 348 } 349 pcbsp->cachegen[dir] = sp_cachegen; 350 351 return 0; 352 } 353 354 static int 355 ipsec_invalpcbcache(pcbsp, dir) 356 struct inpcbpolicy *pcbsp; 357 int dir; 358 { 359 int i; 360 361 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) { 362 if (dir != IPSEC_DIR_ANY && i != dir) 363 continue; 364 if (pcbsp->cache[i]) 365 key_freesp(pcbsp->cache[i]); 366 pcbsp->cache[i] = NULL; 367 pcbsp->cachegen[i] = 0; 368 bzero(&pcbsp->cacheidx[i], sizeof(pcbsp->cacheidx[i])); 369 } 370 return 0; 371 } 372 373 int 374 ipsec_pcbconn(pcbsp) 375 struct inpcbpolicy *pcbsp; 376 { 377 378 pcbsp->cacheflags |= IPSEC_PCBSP_CONNECTED; 379 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 380 return 0; 381 } 382 383 int 384 ipsec_pcbdisconn(pcbsp) 385 struct inpcbpolicy *pcbsp; 386 { 387 388 pcbsp->cacheflags &= ~IPSEC_PCBSP_CONNECTED; 389 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 390 return 0; 391 } 392 393 int 394 ipsec_invalpcbcacheall() 395 { 396 397 sp_cachegen++; 398 return 0; 399 } 400 401 /* 402 * For OUTBOUND packet having a socket. Searching SPD for packet, 403 * and return a pointer to SP. 404 * OUT: NULL: no apropreate SP found, the following value is set to error. 405 * 0 : bypass 406 * EACCES : discard packet. 407 * ENOENT : ipsec_acquire() in progress, maybe. 408 * others : error occured. 409 * others: a pointer to SP 410 * 411 * NOTE: IPv6 mapped adddress concern is implemented here. 412 */ 413 struct secpolicy * 414 ipsec4_getpolicybypcb(m, dir, inp, error) 415 struct mbuf *m; 416 u_int dir; 417 struct inpcb *inp; 418 int *error; 419 { 420 struct inpcbpolicy *pcbsp = NULL; 421 struct secpolicy *currsp = NULL; /* policy on socket */ 422 struct secpolicy *kernsp = NULL; /* policy on kernel */ 423 struct secpolicyindex spidx; 424 u_int16_t tag; 425 426 /* sanity check */ 427 if (m == NULL || inp == NULL || error == NULL) 428 panic("ipsec4_getpolicybypcb: NULL pointer was passed."); 429 430 pcbsp = inp->inp_sp; 431 432 #ifdef DIAGNOSTIC 433 if (pcbsp == NULL) 434 panic("ipsec4_getpolicybypcb: pcbsp is NULL."); 435 #endif 436 437 tag = 0; 438 439 /* if we have a cached entry, and if it is still valid, use it. */ 440 ipsecstat.spdcachelookup++; 441 currsp = ipsec_checkpcbcache(m, pcbsp, dir); 442 if (currsp) { 443 *error = 0; 444 return currsp; 445 } 446 ipsecstat.spdcachemiss++; 447 448 switch (dir) { 449 case IPSEC_DIR_INBOUND: 450 currsp = pcbsp->sp_in; 451 break; 452 case IPSEC_DIR_OUTBOUND: 453 currsp = pcbsp->sp_out; 454 break; 455 default: 456 panic("ipsec4_getpolicybypcb: illegal direction."); 457 } 458 459 /* sanity check */ 460 if (currsp == NULL) 461 panic("ipsec4_getpolicybypcb: currsp is NULL."); 462 463 /* when privileged socket */ 464 if (pcbsp->priv) { 465 switch (currsp->policy) { 466 case IPSEC_POLICY_BYPASS: 467 currsp->refcnt++; 468 *error = 0; 469 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 470 return currsp; 471 472 case IPSEC_POLICY_ENTRUST: 473 /* look for a policy in SPD */ 474 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 && 475 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 476 /* SP found */ 477 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 478 printf("DP ipsec4_getpolicybypcb called " 479 "to allocate SP:%p\n", kernsp)); 480 *error = 0; 481 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 482 return kernsp; 483 } 484 485 /* no SP found */ 486 ip4_def_policy->refcnt++; 487 *error = 0; 488 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir); 489 return ip4_def_policy; 490 491 case IPSEC_POLICY_IPSEC: 492 currsp->refcnt++; 493 *error = 0; 494 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 495 return currsp; 496 497 default: 498 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: " 499 "Invalid policy for PCB %d\n", currsp->policy)); 500 *error = EINVAL; 501 return NULL; 502 } 503 /* NOTREACHED */ 504 } 505 506 /* when non-privileged socket */ 507 /* look for a policy in SPD */ 508 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 && 509 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 510 /* SP found */ 511 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 512 printf("DP ipsec4_getpolicybypcb called " 513 "to allocate SP:%p\n", kernsp)); 514 *error = 0; 515 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 516 return kernsp; 517 } 518 519 /* no SP found */ 520 switch (currsp->policy) { 521 case IPSEC_POLICY_BYPASS: 522 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: " 523 "Illegal policy for non-privileged defined %d\n", 524 currsp->policy)); 525 *error = EINVAL; 526 return NULL; 527 528 case IPSEC_POLICY_ENTRUST: 529 ip4_def_policy->refcnt++; 530 *error = 0; 531 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir); 532 return ip4_def_policy; 533 534 case IPSEC_POLICY_IPSEC: 535 currsp->refcnt++; 536 *error = 0; 537 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 538 return currsp; 539 540 default: 541 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: " 542 "Invalid policy for PCB %d\n", currsp->policy)); 543 *error = EINVAL; 544 return NULL; 545 } 546 /* NOTREACHED */ 547 } 548 549 /* 550 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 551 * and return a pointer to SP. 552 * OUT: positive: a pointer to the entry for security policy leaf matched. 553 * NULL: no apropreate SP found, the following value is set to error. 554 * 0 : bypass 555 * EACCES : discard packet. 556 * ENOENT : ipsec_acquire() in progress, maybe. 557 * others : error occured. 558 */ 559 struct secpolicy * 560 ipsec4_getpolicybyaddr(m, dir, flag, error) 561 struct mbuf *m; 562 u_int dir; 563 int flag; 564 int *error; 565 { 566 struct secpolicy *sp = NULL; 567 u_int16_t tag; 568 569 /* sanity check */ 570 if (m == NULL || error == NULL) 571 panic("ipsec4_getpolicybyaddr: NULL pointer was passed."); 572 573 /* get a policy entry matched with the packet */ 574 { 575 struct secpolicyindex spidx; 576 577 bzero(&spidx, sizeof(spidx)); 578 579 /* make an index to look for a policy */ 580 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m, 581 (flag & IP_FORWARDING) ? 0 : 1); 582 583 if (*error != 0) 584 return NULL; 585 586 tag = 0; 587 588 sp = key_allocsp(tag, &spidx, dir); 589 } 590 591 /* SP found */ 592 if (sp != NULL) { 593 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 594 printf("DP ipsec4_getpolicybyaddr called " 595 "to allocate SP:%p\n", sp)); 596 *error = 0; 597 return sp; 598 } 599 600 /* no SP found */ 601 ip4_def_policy->refcnt++; 602 *error = 0; 603 return ip4_def_policy; 604 } 605 606 #ifdef INET6 607 /* 608 * For OUTBOUND packet having a socket. Searching SPD for packet, 609 * and return a pointer to SP. 610 * OUT: NULL: no apropreate SP found, the following value is set to error. 611 * 0 : bypass 612 * EACCES : discard packet. 613 * ENOENT : ipsec_acquire() in progress, maybe. 614 * others : error occured. 615 * others: a pointer to SP 616 */ 617 struct secpolicy * 618 ipsec6_getpolicybypcb(m, dir, inp, error) 619 struct mbuf *m; 620 u_int dir; 621 struct inpcb *inp; 622 int *error; 623 { 624 struct inpcbpolicy *pcbsp = NULL; 625 struct secpolicy *currsp = NULL; /* policy on socket */ 626 struct secpolicy *kernsp = NULL; /* policy on kernel */ 627 struct secpolicyindex spidx; 628 u_int16_t tag; 629 630 /* sanity check */ 631 if (m == NULL || inp == NULL || error == NULL) 632 panic("ipsec6_getpolicybypcb: NULL pointer was passed."); 633 634 #ifdef DIAGNOSTIC 635 if ((inp->inp_vflag & INP_IPV6PROTO) == 0) 636 panic("ipsec6_getpolicybypcb: socket domain != inet6"); 637 #endif 638 639 pcbsp = inp->in6p_sp; 640 641 #ifdef DIAGNOSTIC 642 if (pcbsp == NULL) 643 panic("ipsec6_getpolicybypcb: pcbsp is NULL."); 644 #endif 645 646 tag = 0; 647 648 /* if we have a cached entry, and if it is still valid, use it. */ 649 ipsec6stat.spdcachelookup++; 650 currsp = ipsec_checkpcbcache(m, pcbsp, dir); 651 if (currsp) { 652 *error = 0; 653 return currsp; 654 } 655 ipsec6stat.spdcachemiss++; 656 657 switch (dir) { 658 case IPSEC_DIR_INBOUND: 659 currsp = pcbsp->sp_in; 660 break; 661 case IPSEC_DIR_OUTBOUND: 662 currsp = pcbsp->sp_out; 663 break; 664 default: 665 panic("ipsec6_getpolicybypcb: illegal direction."); 666 } 667 668 /* sanity check */ 669 if (currsp == NULL) 670 panic("ipsec6_getpolicybypcb: currsp is NULL."); 671 672 /* when privileged socket */ 673 if (pcbsp->priv) { 674 switch (currsp->policy) { 675 case IPSEC_POLICY_BYPASS: 676 currsp->refcnt++; 677 *error = 0; 678 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 679 return currsp; 680 681 case IPSEC_POLICY_ENTRUST: 682 /* look for a policy in SPD */ 683 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 && 684 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 685 /* SP found */ 686 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 687 printf("DP ipsec6_getpolicybypcb called " 688 "to allocate SP:%p\n", kernsp)); 689 *error = 0; 690 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 691 return kernsp; 692 } 693 694 /* no SP found */ 695 ip6_def_policy->refcnt++; 696 *error = 0; 697 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir); 698 return ip6_def_policy; 699 700 case IPSEC_POLICY_IPSEC: 701 currsp->refcnt++; 702 *error = 0; 703 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 704 return currsp; 705 706 default: 707 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: " 708 "Invalid policy for PCB %d\n", currsp->policy)); 709 *error = EINVAL; 710 return NULL; 711 } 712 /* NOTREACHED */ 713 } 714 715 /* when non-privileged socket */ 716 /* look for a policy in SPD */ 717 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 && 718 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 719 /* SP found */ 720 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 721 printf("DP ipsec6_getpolicybypcb called " 722 "to allocate SP:%p\n", kernsp)); 723 *error = 0; 724 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 725 return kernsp; 726 } 727 728 /* no SP found */ 729 switch (currsp->policy) { 730 case IPSEC_POLICY_BYPASS: 731 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: " 732 "Illegal policy for non-privileged defined %d\n", 733 currsp->policy)); 734 *error = EINVAL; 735 return NULL; 736 737 case IPSEC_POLICY_ENTRUST: 738 ip6_def_policy->refcnt++; 739 *error = 0; 740 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir); 741 return ip6_def_policy; 742 743 case IPSEC_POLICY_IPSEC: 744 currsp->refcnt++; 745 *error = 0; 746 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 747 return currsp; 748 749 default: 750 ipseclog((LOG_ERR, 751 "ipsec6_policybysock: Invalid policy for PCB %d\n", 752 currsp->policy)); 753 *error = EINVAL; 754 return NULL; 755 } 756 /* NOTREACHED */ 757 } 758 759 /* 760 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 761 * and return a pointer to SP. 762 * `flag' means that packet is to be forwarded whether or not. 763 * flag = 1: forwad 764 * OUT: positive: a pointer to the entry for security policy leaf matched. 765 * NULL: no apropreate SP found, the following value is set to error. 766 * 0 : bypass 767 * EACCES : discard packet. 768 * ENOENT : ipsec_acquire() in progress, maybe. 769 * others : error occured. 770 */ 771 #ifndef IP_FORWARDING 772 #define IP_FORWARDING 1 773 #endif 774 775 struct secpolicy * 776 ipsec6_getpolicybyaddr(m, dir, flag, error) 777 struct mbuf *m; 778 u_int dir; 779 int flag; 780 int *error; 781 { 782 struct secpolicy *sp = NULL; 783 u_int16_t tag; 784 785 /* sanity check */ 786 if (m == NULL || error == NULL) 787 panic("ipsec6_getpolicybyaddr: NULL pointer was passed."); 788 789 /* get a policy entry matched with the packet */ 790 { 791 struct secpolicyindex spidx; 792 793 bzero(&spidx, sizeof(spidx)); 794 795 /* make an index to look for a policy */ 796 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 797 (flag & IP_FORWARDING) ? 0 : 1); 798 799 if (*error != 0) 800 return NULL; 801 802 tag = 0; 803 804 sp = key_allocsp(tag, &spidx, dir); 805 } 806 807 /* SP found */ 808 if (sp != NULL) { 809 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 810 printf("DP ipsec6_getpolicybyaddr called " 811 "to allocate SP:%p\n", sp)); 812 *error = 0; 813 return sp; 814 } 815 816 /* no SP found */ 817 ip6_def_policy->refcnt++; 818 *error = 0; 819 return ip6_def_policy; 820 } 821 #endif /* INET6 */ 822 823 /* 824 * set IP address into spidx from mbuf. 825 * When Forwarding packet and ICMP echo reply, this function is used. 826 * 827 * IN: get the followings from mbuf. 828 * protocol family, src, dst, next protocol 829 * OUT: 830 * 0: success. 831 * other: failure, and set errno. 832 */ 833 int 834 ipsec_setspidx_mbuf(spidx, family, m, needport) 835 struct secpolicyindex *spidx; 836 int family; 837 struct mbuf *m; 838 int needport; 839 { 840 int error; 841 842 /* sanity check */ 843 if (spidx == NULL || m == NULL) 844 panic("ipsec_setspidx_mbuf: NULL pointer was passed."); 845 846 bzero(spidx, sizeof(*spidx)); 847 848 error = ipsec_setspidx(m, spidx, needport); 849 if (error) 850 goto bad; 851 852 return 0; 853 854 bad: 855 /* XXX initialize */ 856 bzero(spidx, sizeof(*spidx)); 857 return EINVAL; 858 } 859 860 /* 861 * configure security policy index (src/dst/proto/sport/dport) 862 * by looking at the content of mbuf. 863 * the caller is responsible for error recovery (like clearing up spidx). 864 */ 865 static int 866 ipsec_setspidx(m, spidx, needport) 867 struct mbuf *m; 868 struct secpolicyindex *spidx; 869 int needport; 870 { 871 struct ip *ip = NULL; 872 struct ip ipbuf; 873 u_int v; 874 struct mbuf *n; 875 int len; 876 int error; 877 878 if (m == NULL) 879 panic("ipsec_setspidx: m == 0 passed."); 880 881 bzero(spidx, sizeof(*spidx)); 882 883 /* 884 * validate m->m_pkthdr.len. we see incorrect length if we 885 * mistakenly call this function with inconsistent mbuf chain 886 * (like 4.4BSD tcp/udp processing). XXX should we panic here? 887 */ 888 len = 0; 889 for (n = m; n; n = n->m_next) 890 len += n->m_len; 891 if (m->m_pkthdr.len != len) { 892 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 893 printf("ipsec_setspidx: " 894 "total of m_len(%d) != pkthdr.len(%d), " 895 "ignored.\n", 896 len, m->m_pkthdr.len)); 897 return EINVAL; 898 } 899 900 if (m->m_pkthdr.len < sizeof(struct ip)) { 901 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 902 printf("ipsec_setspidx: " 903 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n", 904 m->m_pkthdr.len)); 905 return EINVAL; 906 } 907 908 if (m->m_len >= sizeof(*ip)) 909 ip = mtod(m, struct ip *); 910 else { 911 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 912 ip = &ipbuf; 913 } 914 #ifdef _IP_VHL 915 v = _IP_VHL_V(ip->ip_vhl); 916 #else 917 v = ip->ip_v; 918 #endif 919 switch (v) { 920 case 4: 921 error = ipsec4_setspidx_ipaddr(m, spidx); 922 if (error) 923 return error; 924 ipsec4_get_ulp(m, spidx, needport); 925 return 0; 926 #ifdef INET6 927 case 6: 928 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 929 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 930 printf("ipsec_setspidx: " 931 "pkthdr.len(%d) < sizeof(struct ip6_hdr), " 932 "ignored.\n", m->m_pkthdr.len)); 933 return EINVAL; 934 } 935 error = ipsec6_setspidx_ipaddr(m, spidx); 936 if (error) 937 return error; 938 ipsec6_get_ulp(m, spidx, needport); 939 return 0; 940 #endif 941 default: 942 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 943 printf("ipsec_setspidx: " 944 "unknown IP version %u, ignored.\n", v)); 945 return EINVAL; 946 } 947 } 948 949 static void 950 ipsec4_get_ulp(m, spidx, needport) 951 struct mbuf *m; 952 struct secpolicyindex *spidx; 953 int needport; 954 { 955 struct ip ip; 956 struct ip6_ext ip6e; 957 u_int8_t nxt; 958 int off; 959 struct tcphdr th; 960 struct udphdr uh; 961 962 /* sanity check */ 963 if (m == NULL) 964 panic("ipsec4_get_ulp: NULL pointer was passed."); 965 if (m->m_pkthdr.len < sizeof(ip)) 966 panic("ipsec4_get_ulp: too short"); 967 968 /* set default */ 969 spidx->ul_proto = IPSEC_ULPROTO_ANY; 970 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY; 971 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY; 972 973 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip); 974 /* ip_input() flips it into host endian XXX need more checking */ 975 if (ip.ip_off & (IP_MF | IP_OFFMASK)) 976 return; 977 978 nxt = ip.ip_p; 979 #ifdef _IP_VHL 980 off = _IP_VHL_HL(ip->ip_vhl) << 2; 981 #else 982 off = ip.ip_hl << 2; 983 #endif 984 while (off < m->m_pkthdr.len) { 985 switch (nxt) { 986 case IPPROTO_TCP: 987 spidx->ul_proto = nxt; 988 if (!needport) 989 return; 990 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 991 return; 992 m_copydata(m, off, sizeof(th), (caddr_t)&th); 993 ((struct sockaddr_in *)&spidx->src)->sin_port = 994 th.th_sport; 995 ((struct sockaddr_in *)&spidx->dst)->sin_port = 996 th.th_dport; 997 return; 998 case IPPROTO_UDP: 999 spidx->ul_proto = nxt; 1000 if (!needport) 1001 return; 1002 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1003 return; 1004 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1005 ((struct sockaddr_in *)&spidx->src)->sin_port = 1006 uh.uh_sport; 1007 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1008 uh.uh_dport; 1009 return; 1010 case IPPROTO_AH: 1011 if (off + sizeof(ip6e) > m->m_pkthdr.len) 1012 return; 1013 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1014 off += (ip6e.ip6e_len + 2) << 2; 1015 nxt = ip6e.ip6e_nxt; 1016 break; 1017 case IPPROTO_ICMP: 1018 default: 1019 /* XXX intermediate headers??? */ 1020 spidx->ul_proto = nxt; 1021 return; 1022 } 1023 } 1024 } 1025 1026 /* assumes that m is sane */ 1027 static int 1028 ipsec4_setspidx_ipaddr(m, spidx) 1029 struct mbuf *m; 1030 struct secpolicyindex *spidx; 1031 { 1032 struct ip *ip = NULL; 1033 struct ip ipbuf; 1034 struct sockaddr_in *sin; 1035 1036 if (m->m_len >= sizeof(*ip)) 1037 ip = mtod(m, struct ip *); 1038 else { 1039 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 1040 ip = &ipbuf; 1041 } 1042 1043 sin = (struct sockaddr_in *)&spidx->src; 1044 bzero(sin, sizeof(*sin)); 1045 sin->sin_family = AF_INET; 1046 sin->sin_len = sizeof(struct sockaddr_in); 1047 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src)); 1048 spidx->prefs = sizeof(struct in_addr) << 3; 1049 1050 sin = (struct sockaddr_in *)&spidx->dst; 1051 bzero(sin, sizeof(*sin)); 1052 sin->sin_family = AF_INET; 1053 sin->sin_len = sizeof(struct sockaddr_in); 1054 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)); 1055 spidx->prefd = sizeof(struct in_addr) << 3; 1056 return 0; 1057 } 1058 1059 #ifdef INET6 1060 static void 1061 ipsec6_get_ulp(m, spidx, needport) 1062 struct mbuf *m; 1063 struct secpolicyindex *spidx; 1064 int needport; 1065 { 1066 int off, nxt; 1067 struct tcphdr th; 1068 struct udphdr uh; 1069 struct icmp6_hdr ih; 1070 1071 /* sanity check */ 1072 if (m == NULL) 1073 panic("ipsec6_get_ulp: NULL pointer was passed."); 1074 1075 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1076 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m)); 1077 1078 /* set default */ 1079 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1080 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; 1081 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; 1082 1083 nxt = -1; 1084 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 1085 if (off < 0 || m->m_pkthdr.len < off) 1086 return; 1087 1088 switch (nxt) { 1089 case IPPROTO_TCP: 1090 spidx->ul_proto = nxt; 1091 if (!needport) 1092 break; 1093 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1094 break; 1095 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1096 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; 1097 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; 1098 break; 1099 case IPPROTO_UDP: 1100 spidx->ul_proto = nxt; 1101 if (!needport) 1102 break; 1103 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1104 break; 1105 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1106 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; 1107 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; 1108 break; 1109 case IPPROTO_ICMPV6: 1110 spidx->ul_proto = nxt; 1111 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len) 1112 break; 1113 m_copydata(m, off, sizeof(ih), (caddr_t)&ih); 1114 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = 1115 htons((u_int16_t)ih.icmp6_type); 1116 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = 1117 htons((u_int16_t)ih.icmp6_code); 1118 break; 1119 default: 1120 /* XXX intermediate headers??? */ 1121 spidx->ul_proto = nxt; 1122 break; 1123 } 1124 } 1125 1126 /* assumes that m is sane */ 1127 static int 1128 ipsec6_setspidx_ipaddr(m, spidx) 1129 struct mbuf *m; 1130 struct secpolicyindex *spidx; 1131 { 1132 struct ip6_hdr *ip6 = NULL; 1133 struct ip6_hdr ip6buf; 1134 struct sockaddr_in6 *sin6; 1135 1136 if (m->m_len >= sizeof(*ip6)) 1137 ip6 = mtod(m, struct ip6_hdr *); 1138 else { 1139 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); 1140 ip6 = &ip6buf; 1141 } 1142 1143 sin6 = (struct sockaddr_in6 *)&spidx->src; 1144 bzero(sin6, sizeof(*sin6)); 1145 sin6->sin6_family = AF_INET6; 1146 sin6->sin6_len = sizeof(struct sockaddr_in6); 1147 sin6->sin6_addr = ip6->ip6_src; 1148 spidx->prefs = sizeof(struct in6_addr) << 3; 1149 1150 sin6 = (struct sockaddr_in6 *)&spidx->dst; 1151 bzero(sin6, sizeof(*sin6)); 1152 sin6->sin6_family = AF_INET6; 1153 sin6->sin6_len = sizeof(struct sockaddr_in6); 1154 sin6->sin6_addr = ip6->ip6_dst; 1155 spidx->prefd = sizeof(struct in6_addr) << 3; 1156 1157 return 0; 1158 } 1159 #endif 1160 1161 static struct inpcbpolicy * 1162 ipsec_newpcbpolicy() 1163 { 1164 struct inpcbpolicy *p; 1165 1166 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT); 1167 return p; 1168 } 1169 1170 static void 1171 ipsec_delpcbpolicy(p) 1172 struct inpcbpolicy *p; 1173 { 1174 1175 free(p, M_SECA); 1176 } 1177 1178 /* initialize policy in PCB */ 1179 int 1180 ipsec_init_pcbpolicy(so, pcb_sp) 1181 struct socket *so; 1182 struct inpcbpolicy **pcb_sp; 1183 { 1184 struct inpcbpolicy *new; 1185 static int initialized = 0; 1186 static struct secpolicy *in = NULL, *out = NULL; 1187 1188 /* sanity check. */ 1189 if (so == NULL || pcb_sp == NULL) 1190 panic("ipsec_init_pcbpolicy: NULL pointer was passed."); 1191 1192 if (!initialized) { 1193 if ((in = key_newsp(0)) == NULL) 1194 return ENOBUFS; 1195 if ((out = key_newsp(0)) == NULL) { 1196 key_freesp(in); 1197 in = NULL; 1198 return ENOBUFS; 1199 } 1200 1201 in->state = IPSEC_SPSTATE_ALIVE; 1202 in->policy = IPSEC_POLICY_ENTRUST; 1203 in->dir = IPSEC_DIR_INBOUND; 1204 in->readonly = 1; 1205 in->persist = 1; 1206 in->so = NULL; 1207 1208 out->state = IPSEC_SPSTATE_ALIVE; 1209 out->policy = IPSEC_POLICY_ENTRUST; 1210 out->dir = IPSEC_DIR_OUTBOUND; 1211 out->readonly = 1; 1212 out->persist = 1; 1213 out->so = NULL; 1214 1215 initialized++; 1216 } 1217 1218 new = ipsec_newpcbpolicy(); 1219 if (new == NULL) { 1220 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n")); 1221 return ENOBUFS; 1222 } 1223 bzero(new, sizeof(*new)); 1224 1225 if (so->so_cred != 0 && so->so_cred->cr_uid == 0) 1226 new->priv = 1; 1227 else 1228 new->priv = 0; 1229 1230 new->sp_in = in; 1231 new->sp_in->refcnt++; 1232 new->sp_out = out; 1233 new->sp_out->refcnt++; 1234 1235 *pcb_sp = new; 1236 1237 return 0; 1238 } 1239 1240 /* copy old ipsec policy into new */ 1241 int 1242 ipsec_copy_pcbpolicy(old, new) 1243 struct inpcbpolicy *old, *new; 1244 { 1245 1246 if (new->sp_in) 1247 key_freesp(new->sp_in); 1248 if (old->sp_in->policy == IPSEC_POLICY_IPSEC) 1249 new->sp_in = ipsec_deepcopy_policy(old->sp_in); 1250 else { 1251 new->sp_in = old->sp_in; 1252 new->sp_in->refcnt++; 1253 } 1254 1255 if (new->sp_out) 1256 key_freesp(new->sp_out); 1257 if (old->sp_out->policy == IPSEC_POLICY_IPSEC) 1258 new->sp_out = ipsec_deepcopy_policy(old->sp_out); 1259 else { 1260 new->sp_out = old->sp_out; 1261 new->sp_out->refcnt++; 1262 } 1263 1264 new->priv = old->priv; 1265 1266 return 0; 1267 } 1268 1269 #if 0 1270 static int 1271 ipsec_deepcopy_pcbpolicy(pcb_sp) 1272 struct inpcbpolicy *pcb_sp; 1273 { 1274 struct secpolicy *sp; 1275 1276 sp = ipsec_deepcopy_policy(pcb_sp->sp_in); 1277 if (sp) { 1278 key_freesp(pcb_sp->sp_in); 1279 pcb_sp->sp_in = sp; 1280 } else 1281 return ENOBUFS; 1282 1283 sp = ipsec_deepcopy_policy(pcb_sp->sp_out); 1284 if (sp) { 1285 key_freesp(pcb_sp->sp_out); 1286 pcb_sp->sp_out = sp; 1287 } else 1288 return ENOBUFS; 1289 1290 return 0; 1291 } 1292 #endif 1293 1294 /* deep-copy a policy in PCB */ 1295 static struct secpolicy * 1296 ipsec_deepcopy_policy(src) 1297 struct secpolicy *src; 1298 { 1299 struct ipsecrequest *newchain = NULL; 1300 struct ipsecrequest *p; 1301 struct ipsecrequest **q; 1302 struct ipsecrequest *r; 1303 struct secpolicy *dst; 1304 1305 if (src == NULL) 1306 return NULL; 1307 1308 dst = key_newsp(0); 1309 if (dst == NULL) 1310 return NULL; 1311 1312 /* 1313 * deep-copy IPsec request chain. This is required since struct 1314 * ipsecrequest is not reference counted. 1315 */ 1316 q = &newchain; 1317 for (p = src->req; p; p = p->next) { 1318 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest), 1319 M_SECA, M_NOWAIT); 1320 if (*q == NULL) 1321 goto fail; 1322 bzero(*q, sizeof(**q)); 1323 (*q)->next = NULL; 1324 1325 (*q)->saidx.proto = p->saidx.proto; 1326 (*q)->saidx.mode = p->saidx.mode; 1327 (*q)->level = p->level; 1328 (*q)->saidx.reqid = p->saidx.reqid; 1329 1330 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src)); 1331 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst)); 1332 1333 (*q)->sav = NULL; 1334 (*q)->sp = dst; 1335 1336 q = &((*q)->next); 1337 } 1338 1339 if (src->spidx) 1340 if (keydb_setsecpolicyindex(dst, src->spidx) != 0) 1341 goto fail; 1342 1343 dst->req = newchain; 1344 dst->state = src->state; 1345 dst->policy = src->policy; 1346 dst->dir = src->dir; 1347 dst->so = src->so; 1348 /* do not touch the refcnt fields */ 1349 1350 return dst; 1351 1352 fail: 1353 for (p = newchain; p; p = r) { 1354 r = p->next; 1355 free(p, M_SECA); 1356 p = NULL; 1357 } 1358 key_freesp(dst); 1359 return NULL; 1360 } 1361 1362 /* set policy and ipsec request if present. */ 1363 static int 1364 ipsec_set_policy(spp, optname, request, len, priv) 1365 struct secpolicy **spp; 1366 int optname; 1367 caddr_t request; 1368 size_t len; 1369 int priv; 1370 { 1371 struct sadb_x_policy *xpl; 1372 struct secpolicy *newsp = NULL; 1373 int error; 1374 1375 /* sanity check. */ 1376 if (spp == NULL || *spp == NULL || request == NULL) 1377 return EINVAL; 1378 if (len < sizeof(*xpl)) 1379 return EINVAL; 1380 xpl = (struct sadb_x_policy *)request; 1381 1382 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1383 printf("ipsec_set_policy: passed policy\n"); 1384 kdebug_sadb_x_policy((struct sadb_ext *)xpl)); 1385 1386 /* check policy type */ 1387 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ 1388 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD || 1389 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) 1390 return EINVAL; 1391 1392 /* check privileged socket */ 1393 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) 1394 return EACCES; 1395 1396 /* allocation new SP entry */ 1397 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) 1398 return error; 1399 1400 newsp->state = IPSEC_SPSTATE_ALIVE; 1401 1402 /* clear old SP and set new SP */ 1403 key_freesp(*spp); 1404 *spp = newsp; 1405 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1406 printf("ipsec_set_policy: new policy\n"); 1407 kdebug_secpolicy(newsp)); 1408 1409 return 0; 1410 } 1411 1412 static int 1413 ipsec_get_policy(sp, mp) 1414 struct secpolicy *sp; 1415 struct mbuf **mp; 1416 { 1417 1418 /* sanity check. */ 1419 if (sp == NULL || mp == NULL) 1420 return EINVAL; 1421 1422 *mp = key_sp2msg(sp); 1423 if (!*mp) { 1424 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n")); 1425 return ENOBUFS; 1426 } 1427 1428 (*mp)->m_type = MT_DATA; 1429 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1430 printf("ipsec_get_policy:\n"); 1431 kdebug_mbuf(*mp)); 1432 1433 return 0; 1434 } 1435 1436 int 1437 ipsec4_set_policy(inp, optname, request, len, priv) 1438 struct inpcb *inp; 1439 int optname; 1440 caddr_t request; 1441 size_t len; 1442 int priv; 1443 { 1444 struct sadb_x_policy *xpl; 1445 struct secpolicy **spp; 1446 1447 /* sanity check. */ 1448 if (inp == NULL || request == NULL) 1449 return EINVAL; 1450 if (len < sizeof(*xpl)) 1451 return EINVAL; 1452 xpl = (struct sadb_x_policy *)request; 1453 1454 /* select direction */ 1455 switch (xpl->sadb_x_policy_dir) { 1456 case IPSEC_DIR_INBOUND: 1457 spp = &inp->inp_sp->sp_in; 1458 break; 1459 case IPSEC_DIR_OUTBOUND: 1460 spp = &inp->inp_sp->sp_out; 1461 break; 1462 default: 1463 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", 1464 xpl->sadb_x_policy_dir)); 1465 return EINVAL; 1466 } 1467 1468 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1469 return ipsec_set_policy(spp, optname, request, len, priv); 1470 } 1471 1472 int 1473 ipsec4_get_policy(inp, request, len, mp) 1474 struct inpcb *inp; 1475 caddr_t request; 1476 size_t len; 1477 struct mbuf **mp; 1478 { 1479 struct sadb_x_policy *xpl; 1480 struct secpolicy *sp; 1481 1482 /* sanity check. */ 1483 if (inp == NULL || request == NULL || mp == NULL) 1484 return EINVAL; 1485 if (inp->inp_sp == NULL) 1486 panic("policy in PCB is NULL"); 1487 if (len < sizeof(*xpl)) 1488 return EINVAL; 1489 xpl = (struct sadb_x_policy *)request; 1490 1491 /* select direction */ 1492 switch (xpl->sadb_x_policy_dir) { 1493 case IPSEC_DIR_INBOUND: 1494 sp = inp->inp_sp->sp_in; 1495 break; 1496 case IPSEC_DIR_OUTBOUND: 1497 sp = inp->inp_sp->sp_out; 1498 break; 1499 default: 1500 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n", 1501 xpl->sadb_x_policy_dir)); 1502 return EINVAL; 1503 } 1504 1505 return ipsec_get_policy(sp, mp); 1506 } 1507 1508 /* delete policy in PCB */ 1509 int 1510 ipsec4_delete_pcbpolicy(inp) 1511 struct inpcb *inp; 1512 { 1513 /* sanity check. */ 1514 if (inp == NULL) 1515 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed."); 1516 1517 if (inp->inp_sp == NULL) 1518 return 0; 1519 1520 if (inp->inp_sp->sp_in != NULL) { 1521 key_freesp(inp->inp_sp->sp_in); 1522 inp->inp_sp->sp_in = NULL; 1523 } 1524 1525 if (inp->inp_sp->sp_out != NULL) { 1526 key_freesp(inp->inp_sp->sp_out); 1527 inp->inp_sp->sp_out = NULL; 1528 } 1529 1530 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1531 1532 ipsec_delpcbpolicy(inp->inp_sp); 1533 inp->inp_sp = NULL; 1534 1535 return 0; 1536 } 1537 1538 #ifdef INET6 1539 int 1540 ipsec6_set_policy(in6p, optname, request, len, priv) 1541 struct in6pcb *in6p; 1542 int optname; 1543 caddr_t request; 1544 size_t len; 1545 int priv; 1546 { 1547 struct sadb_x_policy *xpl; 1548 struct secpolicy **spp; 1549 1550 /* sanity check. */ 1551 if (in6p == NULL || request == NULL) 1552 return EINVAL; 1553 if (len < sizeof(*xpl)) 1554 return EINVAL; 1555 xpl = (struct sadb_x_policy *)request; 1556 1557 /* select direction */ 1558 switch (xpl->sadb_x_policy_dir) { 1559 case IPSEC_DIR_INBOUND: 1560 spp = &in6p->in6p_sp->sp_in; 1561 break; 1562 case IPSEC_DIR_OUTBOUND: 1563 spp = &in6p->in6p_sp->sp_out; 1564 break; 1565 default: 1566 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", 1567 xpl->sadb_x_policy_dir)); 1568 return EINVAL; 1569 } 1570 1571 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1572 return ipsec_set_policy(spp, optname, request, len, priv); 1573 } 1574 1575 int 1576 ipsec6_get_policy(in6p, request, len, mp) 1577 struct in6pcb *in6p; 1578 caddr_t request; 1579 size_t len; 1580 struct mbuf **mp; 1581 { 1582 struct sadb_x_policy *xpl; 1583 struct secpolicy *sp; 1584 1585 /* sanity check. */ 1586 if (in6p == NULL || request == NULL || mp == NULL) 1587 return EINVAL; 1588 if (in6p->in6p_sp == NULL) 1589 panic("policy in PCB is NULL"); 1590 if (len < sizeof(*xpl)) 1591 return EINVAL; 1592 xpl = (struct sadb_x_policy *)request; 1593 1594 /* select direction */ 1595 switch (xpl->sadb_x_policy_dir) { 1596 case IPSEC_DIR_INBOUND: 1597 sp = in6p->in6p_sp->sp_in; 1598 break; 1599 case IPSEC_DIR_OUTBOUND: 1600 sp = in6p->in6p_sp->sp_out; 1601 break; 1602 default: 1603 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n", 1604 xpl->sadb_x_policy_dir)); 1605 return EINVAL; 1606 } 1607 1608 return ipsec_get_policy(sp, mp); 1609 } 1610 1611 int 1612 ipsec6_delete_pcbpolicy(in6p) 1613 struct in6pcb *in6p; 1614 { 1615 /* sanity check. */ 1616 if (in6p == NULL) 1617 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed."); 1618 1619 if (in6p->in6p_sp == NULL) 1620 return 0; 1621 1622 if (in6p->in6p_sp->sp_in != NULL) { 1623 key_freesp(in6p->in6p_sp->sp_in); 1624 in6p->in6p_sp->sp_in = NULL; 1625 } 1626 1627 if (in6p->in6p_sp->sp_out != NULL) { 1628 key_freesp(in6p->in6p_sp->sp_out); 1629 in6p->in6p_sp->sp_out = NULL; 1630 } 1631 1632 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1633 1634 ipsec_delpcbpolicy(in6p->in6p_sp); 1635 in6p->in6p_sp = NULL; 1636 1637 return 0; 1638 } 1639 #endif 1640 1641 /* 1642 * return current level. 1643 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 1644 */ 1645 u_int 1646 ipsec_get_reqlevel(isr, af) 1647 struct ipsecrequest *isr; 1648 int af; 1649 { 1650 u_int level = 0; 1651 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev; 1652 1653 /* sanity check */ 1654 if (isr == NULL || isr->sp == NULL) 1655 panic("ipsec_get_reqlevel: NULL pointer is passed."); 1656 1657 /* set default level */ 1658 switch (af) { 1659 #ifdef INET 1660 case AF_INET: 1661 esp_trans_deflev = ip4_esp_trans_deflev; 1662 esp_net_deflev = ip4_esp_net_deflev; 1663 ah_trans_deflev = ip4_ah_trans_deflev; 1664 ah_net_deflev = ip4_ah_net_deflev; 1665 break; 1666 #endif 1667 #ifdef INET6 1668 case AF_INET6: 1669 esp_trans_deflev = ip6_esp_trans_deflev; 1670 esp_net_deflev = ip6_esp_net_deflev; 1671 ah_trans_deflev = ip6_ah_trans_deflev; 1672 ah_net_deflev = ip6_ah_net_deflev; 1673 break; 1674 #endif /* INET6 */ 1675 default: 1676 panic("key_get_reqlevel: Unknown family. %d", 1677 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family); 1678 } 1679 1680 /* set level */ 1681 switch (isr->level) { 1682 case IPSEC_LEVEL_DEFAULT: 1683 switch (isr->saidx.proto) { 1684 case IPPROTO_ESP: 1685 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1686 level = esp_net_deflev; 1687 else 1688 level = esp_trans_deflev; 1689 break; 1690 case IPPROTO_AH: 1691 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1692 level = ah_net_deflev; 1693 else 1694 level = ah_trans_deflev; 1695 break; 1696 case IPPROTO_IPCOMP: 1697 /* 1698 * we don't really care, as IPcomp document says that 1699 * we shouldn't compress small packets 1700 */ 1701 level = IPSEC_LEVEL_USE; 1702 break; 1703 default: 1704 panic("ipsec_get_reqlevel: " 1705 "Illegal protocol defined %u\n", 1706 isr->saidx.proto); 1707 } 1708 break; 1709 1710 case IPSEC_LEVEL_USE: 1711 case IPSEC_LEVEL_REQUIRE: 1712 level = isr->level; 1713 break; 1714 case IPSEC_LEVEL_UNIQUE: 1715 level = IPSEC_LEVEL_REQUIRE; 1716 break; 1717 1718 default: 1719 panic("ipsec_get_reqlevel: Illegal IPsec level %u", 1720 isr->level); 1721 } 1722 1723 return level; 1724 } 1725 1726 /* 1727 * Check AH/ESP integrity. 1728 * OUT: 1729 * 0: valid 1730 * 1: invalid 1731 */ 1732 static int 1733 ipsec_in_reject(sp, m) 1734 struct secpolicy *sp; 1735 struct mbuf *m; 1736 { 1737 struct ipsecrequest *isr; 1738 u_int level; 1739 int need_auth, need_conf, need_icv; 1740 1741 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1742 printf("ipsec_in_reject: using SP\n"); 1743 kdebug_secpolicy(sp)); 1744 1745 /* check policy */ 1746 switch (sp->policy) { 1747 case IPSEC_POLICY_DISCARD: 1748 return 1; 1749 case IPSEC_POLICY_BYPASS: 1750 case IPSEC_POLICY_NONE: 1751 return 0; 1752 1753 case IPSEC_POLICY_IPSEC: 1754 break; 1755 1756 case IPSEC_POLICY_ENTRUST: 1757 default: 1758 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy); 1759 } 1760 1761 need_auth = 0; 1762 need_conf = 0; 1763 need_icv = 0; 1764 1765 /* XXX should compare policy against ipsec header history */ 1766 1767 for (isr = sp->req; isr != NULL; isr = isr->next) { 1768 /* get current level */ 1769 level = ipsec_get_reqlevel(isr, AF_INET); 1770 1771 switch (isr->saidx.proto) { 1772 case IPPROTO_ESP: 1773 if (level == IPSEC_LEVEL_REQUIRE) { 1774 need_conf++; 1775 1776 if (isr->sav != NULL 1777 && isr->sav->flags == SADB_X_EXT_NONE 1778 && isr->sav->alg_auth != SADB_AALG_NONE) 1779 need_icv++; 1780 } 1781 break; 1782 case IPPROTO_AH: 1783 if (level == IPSEC_LEVEL_REQUIRE) { 1784 need_auth++; 1785 need_icv++; 1786 } 1787 break; 1788 case IPPROTO_IPCOMP: 1789 /* 1790 * we don't really care, as IPcomp document says that 1791 * we shouldn't compress small packets, IPComp policy 1792 * should always be treated as being in "use" level. 1793 */ 1794 break; 1795 } 1796 } 1797 1798 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1799 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n", 1800 need_auth, need_conf, need_icv, m->m_flags)); 1801 1802 if ((need_conf && !(m->m_flags & M_DECRYPTED)) 1803 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM)) 1804 || (need_auth && !(m->m_flags & M_AUTHIPHDR))) 1805 return 1; 1806 1807 return 0; 1808 } 1809 1810 /* 1811 * Check AH/ESP integrity. 1812 * This function is called from tcp_input(), udp_input(), 1813 * and {ah,esp}4_input for tunnel mode 1814 */ 1815 int 1816 ipsec4_in_reject(m, inp) 1817 struct mbuf *m; 1818 struct inpcb *inp; 1819 { 1820 struct secpolicy *sp = NULL; 1821 int error; 1822 int result; 1823 1824 /* sanity check */ 1825 if (m == NULL) 1826 return 0; /* XXX should be panic ? */ 1827 1828 /* get SP for this packet. 1829 * When we are called from ip_forward(), we call 1830 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 1831 */ 1832 if (inp == NULL) 1833 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 1834 IP_FORWARDING, &error); 1835 else 1836 sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error); 1837 1838 /* XXX should be panic ? -> No, there may be error. */ 1839 if (sp == NULL) 1840 return 0; 1841 1842 result = ipsec_in_reject(sp, m); 1843 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1844 printf("DP ipsec4_in_reject call free SP:%p\n", sp)); 1845 key_freesp(sp); 1846 1847 return result; 1848 } 1849 1850 #ifdef INET6 1851 /* 1852 * Check AH/ESP integrity. 1853 * This function is called from tcp6_input(), udp6_input(), 1854 * and {ah,esp}6_input for tunnel mode 1855 */ 1856 int 1857 ipsec6_in_reject(m, in6p) 1858 struct mbuf *m; 1859 struct in6pcb *in6p; 1860 { 1861 struct secpolicy *sp = NULL; 1862 int error; 1863 int result; 1864 1865 /* sanity check */ 1866 if (m == NULL) 1867 return 0; /* XXX should be panic ? */ 1868 1869 /* get SP for this packet. 1870 * When we are called from ip_forward(), we call 1871 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. 1872 */ 1873 if (in6p == NULL) 1874 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 1875 IP_FORWARDING, &error); 1876 else 1877 sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error); 1878 1879 if (sp == NULL) 1880 return 0; /* XXX should be panic ? */ 1881 1882 result = ipsec_in_reject(sp, m); 1883 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1884 printf("DP ipsec6_in_reject call free SP:%p\n", sp)); 1885 key_freesp(sp); 1886 1887 return result; 1888 } 1889 #endif 1890 1891 /* 1892 * compute the byte size to be occupied by IPsec header. 1893 * in case it is tunneled, it includes the size of outer IP header. 1894 * NOTE: SP passed is free in this function. 1895 */ 1896 static size_t 1897 ipsec_hdrsiz(sp) 1898 struct secpolicy *sp; 1899 { 1900 struct ipsecrequest *isr; 1901 size_t siz, clen; 1902 1903 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1904 printf("ipsec_hdrsiz: using SP\n"); 1905 kdebug_secpolicy(sp)); 1906 1907 /* check policy */ 1908 switch (sp->policy) { 1909 case IPSEC_POLICY_DISCARD: 1910 case IPSEC_POLICY_BYPASS: 1911 case IPSEC_POLICY_NONE: 1912 return 0; 1913 1914 case IPSEC_POLICY_IPSEC: 1915 break; 1916 1917 case IPSEC_POLICY_ENTRUST: 1918 default: 1919 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy); 1920 } 1921 1922 siz = 0; 1923 1924 for (isr = sp->req; isr != NULL; isr = isr->next) { 1925 1926 clen = 0; 1927 1928 switch (isr->saidx.proto) { 1929 case IPPROTO_ESP: 1930 #ifdef IPSEC_ESP 1931 clen = esp_hdrsiz(isr); 1932 #else 1933 clen = 0; /* XXX */ 1934 #endif 1935 break; 1936 case IPPROTO_AH: 1937 clen = ah_hdrsiz(isr); 1938 break; 1939 case IPPROTO_IPCOMP: 1940 clen = sizeof(struct ipcomp); 1941 break; 1942 } 1943 1944 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 1945 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) { 1946 case AF_INET: 1947 clen += sizeof(struct ip); 1948 break; 1949 #ifdef INET6 1950 case AF_INET6: 1951 clen += sizeof(struct ip6_hdr); 1952 break; 1953 #endif 1954 default: 1955 ipseclog((LOG_ERR, "ipsec_hdrsiz: " 1956 "unknown AF %d in IPsec tunnel SA\n", 1957 ((struct sockaddr *)&isr->saidx.dst)->sa_family)); 1958 break; 1959 } 1960 } 1961 siz += clen; 1962 } 1963 1964 return siz; 1965 } 1966 1967 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ 1968 size_t 1969 ipsec4_hdrsiz(m, dir, inp) 1970 struct mbuf *m; 1971 u_int dir; 1972 struct inpcb *inp; 1973 { 1974 struct secpolicy *sp = NULL; 1975 int error; 1976 size_t size; 1977 1978 /* sanity check */ 1979 if (m == NULL) 1980 return 0; /* XXX should be panic ? */ 1981 #if 0 1982 /* this is possible in TIME_WAIT state */ 1983 if (inp != NULL && inp->inp_socket == NULL) 1984 panic("ipsec4_hdrsize: why is socket NULL but there is PCB."); 1985 #endif 1986 1987 /* get SP for this packet. 1988 * When we are called from ip_forward(), we call 1989 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 1990 */ 1991 if (inp == NULL) 1992 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 1993 else 1994 sp = ipsec4_getpolicybypcb(m, dir, inp, &error); 1995 1996 if (sp == NULL) 1997 return 0; /* XXX should be panic ? */ 1998 1999 size = ipsec_hdrsiz(sp); 2000 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2001 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp)); 2002 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2003 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size)); 2004 key_freesp(sp); 2005 2006 return size; 2007 } 2008 2009 #ifdef INET6 2010 /* This function is called from ipsec6_hdrsize_tcp(), 2011 * and maybe from ip6_forward.() 2012 */ 2013 size_t 2014 ipsec6_hdrsiz(m, dir, in6p) 2015 struct mbuf *m; 2016 u_int dir; 2017 struct in6pcb *in6p; 2018 { 2019 struct secpolicy *sp = NULL; 2020 int error; 2021 size_t size; 2022 2023 /* sanity check */ 2024 if (m == NULL) 2025 return 0; /* XXX should be panic ? */ 2026 #if 0 2027 /* this is possible in TIME_WAIT state */ 2028 if (in6p != NULL && in6p->in6p_socket == NULL) 2029 panic("ipsec6_hdrsize: why is socket NULL but there is PCB."); 2030 #endif 2031 2032 /* get SP for this packet */ 2033 /* XXX Is it right to call with IP_FORWARDING. */ 2034 if (in6p == NULL) 2035 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2036 else 2037 sp = ipsec6_getpolicybypcb(m, dir, in6p, &error); 2038 2039 if (sp == NULL) 2040 return 0; 2041 size = ipsec_hdrsiz(sp); 2042 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2043 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp)); 2044 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2045 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size)); 2046 key_freesp(sp); 2047 2048 return size; 2049 } 2050 #endif /* INET6 */ 2051 2052 #ifdef INET 2053 /* 2054 * encapsulate for ipsec tunnel. 2055 * ip->ip_src must be fixed later on. 2056 */ 2057 static int 2058 ipsec4_encapsulate(m, sav) 2059 struct mbuf *m; 2060 struct secasvar *sav; 2061 { 2062 struct ip *oip; 2063 struct ip *ip; 2064 size_t hlen; 2065 size_t plen; 2066 2067 /* can't tunnel between different AFs */ 2068 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2069 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2070 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2071 m_freem(m); 2072 return EINVAL; 2073 } 2074 #if 0 2075 /* XXX if the dst is myself, perform nothing. */ 2076 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2077 m_freem(m); 2078 return EINVAL; 2079 } 2080 #endif 2081 2082 if (m->m_len < sizeof(*ip)) 2083 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2084 2085 ip = mtod(m, struct ip *); 2086 #ifdef _IP_VHL 2087 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 2088 #else 2089 hlen = ip->ip_hl << 2; 2090 #endif 2091 2092 if (m->m_len != hlen) 2093 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2094 2095 /* generate header checksum */ 2096 ip->ip_sum = 0; 2097 #ifdef _IP_VHL 2098 if (ip->ip_vhl == IP_VHL_BORING) 2099 ip->ip_sum = in_cksum_hdr(ip); 2100 else 2101 ip->ip_sum = in_cksum(m, hlen); 2102 #else 2103 ip->ip_sum = in_cksum(m, hlen); 2104 #endif 2105 2106 plen = m->m_pkthdr.len; 2107 2108 /* 2109 * grow the mbuf to accomodate the new IPv4 header. 2110 * NOTE: IPv4 options will never be copied. 2111 */ 2112 if (M_LEADINGSPACE(m->m_next) < hlen) { 2113 struct mbuf *n; 2114 MGET(n, M_DONTWAIT, MT_DATA); 2115 if (!n) { 2116 m_freem(m); 2117 return ENOBUFS; 2118 } 2119 n->m_len = hlen; 2120 n->m_next = m->m_next; 2121 m->m_next = n; 2122 m->m_pkthdr.len += hlen; 2123 oip = mtod(n, struct ip *); 2124 } else { 2125 m->m_next->m_len += hlen; 2126 m->m_next->m_data -= hlen; 2127 m->m_pkthdr.len += hlen; 2128 oip = mtod(m->m_next, struct ip *); 2129 } 2130 ip = mtod(m, struct ip *); 2131 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen); 2132 m->m_len = sizeof(struct ip); 2133 m->m_pkthdr.len -= (hlen - sizeof(struct ip)); 2134 2135 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2136 /* ECN consideration. */ 2137 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2138 #ifdef _IP_VHL 2139 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2); 2140 #else 2141 ip->ip_hl = sizeof(struct ip) >> 2; 2142 #endif 2143 ip->ip_off &= htons(~IP_OFFMASK); 2144 ip->ip_off &= htons(~IP_MF); 2145 switch (ip4_ipsec_dfbit) { 2146 case 0: /* clear DF bit */ 2147 ip->ip_off &= htons(~IP_DF); 2148 break; 2149 case 1: /* set DF bit */ 2150 ip->ip_off |= htons(IP_DF); 2151 break; 2152 default: /* copy DF bit */ 2153 break; 2154 } 2155 ip->ip_p = IPPROTO_IPIP; 2156 if (plen + sizeof(struct ip) < IP_MAXPACKET) 2157 ip->ip_len = htons(plen + sizeof(struct ip)); 2158 else { 2159 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2160 "leave ip_len as is (invalid packet)\n")); 2161 } 2162 ip->ip_id = ip_newid(); 2163 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2164 &ip->ip_src, sizeof(ip->ip_src)); 2165 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2166 &ip->ip_dst, sizeof(ip->ip_dst)); 2167 ip->ip_ttl = IPDEFTTL; 2168 2169 /* XXX Should ip_src be updated later ? */ 2170 2171 return 0; 2172 } 2173 #endif /* INET */ 2174 2175 #ifdef INET6 2176 static int 2177 ipsec6_encapsulate(m, sav) 2178 struct mbuf *m; 2179 struct secasvar *sav; 2180 { 2181 struct sockaddr_in6 sa6; 2182 struct ip6_hdr *oip6; 2183 struct ip6_hdr *ip6; 2184 size_t plen; 2185 int error; 2186 2187 /* can't tunnel between different AFs */ 2188 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2189 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2190 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { 2191 m_freem(m); 2192 return EINVAL; 2193 } 2194 #if 0 2195 /* XXX if the dst is myself, perform nothing. */ 2196 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2197 m_freem(m); 2198 return EINVAL; 2199 } 2200 #endif 2201 2202 plen = m->m_pkthdr.len; 2203 2204 /* 2205 * grow the mbuf to accomodate the new IPv6 header. 2206 */ 2207 if (m->m_len != sizeof(struct ip6_hdr)) 2208 panic("ipsec6_encapsulate: assumption failed (first mbuf length)"); 2209 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { 2210 struct mbuf *n; 2211 MGET(n, M_DONTWAIT, MT_DATA); 2212 if (!n) { 2213 m_freem(m); 2214 return ENOBUFS; 2215 } 2216 n->m_len = sizeof(struct ip6_hdr); 2217 n->m_next = m->m_next; 2218 m->m_next = n; 2219 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2220 oip6 = mtod(n, struct ip6_hdr *); 2221 } else { 2222 m->m_next->m_len += sizeof(struct ip6_hdr); 2223 m->m_next->m_data -= sizeof(struct ip6_hdr); 2224 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2225 oip6 = mtod(m->m_next, struct ip6_hdr *); 2226 } 2227 ip6 = mtod(m, struct ip6_hdr *); 2228 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr)); 2229 2230 /* XXX: Fake scoped addresses */ 2231 in6_clearscope(&oip6->ip6_src); 2232 in6_clearscope(&oip6->ip6_dst); 2233 2234 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ 2235 /* ECN consideration. */ 2236 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow); 2237 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) 2238 ip6->ip6_plen = htons(plen); 2239 else { 2240 /* ip6->ip6_plen will be updated in ip6_output() */ 2241 } 2242 ip6->ip6_nxt = IPPROTO_IPV6; 2243 2244 sa6 = *(struct sockaddr_in6 *)&sav->sah->saidx.src; 2245 if ((error = sa6_embedscope(&sa6, 0)) != 0) 2246 return (error); 2247 ip6->ip6_src = sa6.sin6_addr; 2248 2249 sa6 = *(struct sockaddr_in6 *)&sav->sah->saidx.dst; 2250 if ((error = sa6_embedscope(&sa6, 0)) != 0) 2251 return (error); 2252 ip6->ip6_dst = sa6.sin6_addr; 2253 2254 ip6->ip6_hlim = IPV6_DEFHLIM; 2255 2256 /* XXX Should ip6_src be updated later ? */ 2257 2258 return 0; 2259 } 2260 #endif /* INET6 */ 2261 2262 /* 2263 * Check the variable replay window. 2264 * ipsec_chkreplay() performs replay check before ICV verification. 2265 * ipsec_updatereplay() updates replay bitmap. This must be called after 2266 * ICV verification (it also performs replay check, which is usually done 2267 * beforehand). 2268 * 0 (zero) is returned if packet disallowed, 1 if packet permitted. 2269 * 2270 * based on RFC 2401. 2271 * 2272 * XXX need to update for 64bit sequence number - 2401bis 2273 */ 2274 int 2275 ipsec_chkreplay(seq, sav) 2276 u_int32_t seq; 2277 struct secasvar *sav; 2278 { 2279 const struct secreplay *replay; 2280 u_int32_t diff; 2281 int fr; 2282 u_int32_t wsizeb; /* constant: bits of window size */ 2283 int frlast; /* constant: last frame */ 2284 2285 /* sanity check */ 2286 if (sav == NULL) 2287 panic("ipsec_chkreplay: NULL pointer was passed."); 2288 2289 replay = sav->replay; 2290 2291 if (replay->wsize == 0) 2292 return 1; /* no need to check replay. */ 2293 2294 /* constant */ 2295 frlast = replay->wsize - 1; 2296 wsizeb = replay->wsize << 3; 2297 2298 /* sequence number of 0 is invalid */ 2299 if (seq == 0) 2300 return 0; 2301 2302 /* first time is always okay */ 2303 if (replay->count == 0) 2304 return 1; 2305 2306 if (seq > replay->lastseq) { 2307 /* larger sequences are okay */ 2308 return 1; 2309 } else { 2310 /* seq is equal or less than lastseq. */ 2311 diff = replay->lastseq - seq; 2312 2313 /* over range to check, i.e. too old or wrapped */ 2314 if (diff >= wsizeb) 2315 return 0; 2316 2317 fr = frlast - diff / 8; 2318 2319 /* this packet already seen ? */ 2320 if (replay->bitmap[fr] & (1 << (diff % 8))) 2321 return 0; 2322 2323 /* out of order but good */ 2324 return 1; 2325 } 2326 } 2327 2328 /* 2329 * check replay counter whether to update or not. 2330 * OUT: 0: OK 2331 * 1: NG 2332 * XXX need to update for 64bit sequence number - 2401bis 2333 */ 2334 int 2335 ipsec_updatereplay(seq, sav) 2336 u_int32_t seq; 2337 struct secasvar *sav; 2338 { 2339 struct secreplay *replay; 2340 u_int64_t diff; 2341 int fr; 2342 u_int32_t wsizeb; /* constant: bits of window size */ 2343 int frlast; /* constant: last frame */ 2344 2345 /* sanity check */ 2346 if (sav == NULL) 2347 panic("ipsec_chkreplay: NULL pointer was passed."); 2348 2349 replay = sav->replay; 2350 2351 if (replay->wsize == 0) 2352 goto ok; /* no need to check replay. */ 2353 2354 /* constant */ 2355 frlast = replay->wsize - 1; 2356 wsizeb = replay->wsize << 3; 2357 2358 /* sequence number of 0 is invalid */ 2359 if (seq == 0) 2360 return 1; 2361 2362 /* first time */ 2363 if (replay->count == 0) { 2364 replay->lastseq = seq; 2365 bzero(replay->bitmap, replay->wsize); 2366 replay->bitmap[frlast] = 1; 2367 goto ok; 2368 } 2369 2370 if (seq > replay->lastseq) { 2371 /* seq is larger than lastseq. */ 2372 diff = seq - replay->lastseq; 2373 2374 /* new larger sequence number */ 2375 if (diff < wsizeb) { 2376 /* In window */ 2377 /* set bit for this packet */ 2378 vshiftl(replay->bitmap, diff, replay->wsize); 2379 replay->bitmap[frlast] |= 1; 2380 } else { 2381 /* this packet has a "way larger" */ 2382 bzero(replay->bitmap, replay->wsize); 2383 replay->bitmap[frlast] = 1; 2384 } 2385 replay->lastseq = seq; 2386 2387 /* larger is good */ 2388 } else { 2389 /* seq is equal or less than lastseq. */ 2390 diff = replay->lastseq - seq; 2391 2392 /* over range to check, i.e. too old or wrapped */ 2393 if (diff >= wsizeb) 2394 return 1; 2395 2396 fr = frlast - diff / 8; 2397 2398 /* this packet already seen ? */ 2399 if (replay->bitmap[fr] & (1 << (diff % 8))) 2400 return 1; 2401 2402 /* mark as seen */ 2403 replay->bitmap[fr] |= (1 << (diff % 8)); 2404 2405 /* out of order but good */ 2406 } 2407 2408 ok: 2409 if (replay->count == 0xffffffff) { 2410 2411 /* set overflow flag */ 2412 replay->overflow++; 2413 2414 /* don't increment, no more packets accepted */ 2415 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) 2416 return 1; 2417 2418 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n", 2419 replay->overflow, ipsec_logsastr(sav))); 2420 } 2421 2422 replay->count++; 2423 2424 return 0; 2425 } 2426 2427 /* 2428 * shift variable length buffer to left. 2429 * IN: bitmap: pointer to the buffer 2430 * nbit: the number of to shift. 2431 * wsize: buffer size (bytes). 2432 */ 2433 static void 2434 vshiftl(bitmap, nbit, wsize) 2435 unsigned char *bitmap; 2436 int nbit, wsize; 2437 { 2438 int s, j, i; 2439 unsigned char over; 2440 2441 for (j = 0; j < nbit; j += 8) { 2442 s = (nbit - j < 8) ? (nbit - j): 8; 2443 bitmap[0] <<= s; 2444 for (i = 1; i < wsize; i++) { 2445 over = (bitmap[i] >> (8 - s)); 2446 bitmap[i] <<= s; 2447 bitmap[i - 1] |= over; 2448 } 2449 } 2450 2451 return; 2452 } 2453 2454 const char * 2455 ipsec4_logpacketstr(ip, spi) 2456 struct ip *ip; 2457 u_int32_t spi; 2458 { 2459 static char buf[256]; 2460 char *p; 2461 u_int8_t *s, *d; 2462 2463 s = (u_int8_t *)(&ip->ip_src); 2464 d = (u_int8_t *)(&ip->ip_dst); 2465 2466 p = buf; 2467 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2468 while (*p) 2469 p++; 2470 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u", 2471 s[0], s[1], s[2], s[3]); 2472 while (*p) 2473 p++; 2474 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u", 2475 d[0], d[1], d[2], d[3]); 2476 while (*p) 2477 p++; 2478 snprintf(p, sizeof(buf) - (p - buf), ")"); 2479 2480 return buf; 2481 } 2482 2483 #ifdef INET6 2484 const char * 2485 ipsec6_logpacketstr(ip6, spi) 2486 struct ip6_hdr *ip6; 2487 u_int32_t spi; 2488 { 2489 static char buf[256]; 2490 char *p; 2491 2492 p = buf; 2493 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2494 while (*p) 2495 p++; 2496 snprintf(p, sizeof(buf) - (p - buf), "src=%s", 2497 ip6_sprintf(&ip6->ip6_src)); 2498 while (*p) 2499 p++; 2500 snprintf(p, sizeof(buf) - (p - buf), " dst=%s", 2501 ip6_sprintf(&ip6->ip6_dst)); 2502 while (*p) 2503 p++; 2504 snprintf(p, sizeof(buf) - (p - buf), ")"); 2505 2506 return buf; 2507 } 2508 #endif /* INET6 */ 2509 2510 const char * 2511 ipsec_logsastr(sav) 2512 struct secasvar *sav; 2513 { 2514 static char buf[256]; 2515 char *p; 2516 struct secasindex *saidx = &sav->sah->saidx; 2517 2518 /* validity check */ 2519 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2520 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) 2521 panic("ipsec_logsastr: family mismatched."); 2522 2523 p = buf; 2524 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi)); 2525 while (*p) 2526 p++; 2527 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) { 2528 u_int8_t *s, *d; 2529 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr; 2530 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr; 2531 snprintf(p, sizeof(buf) - (p - buf), 2532 "src=%d.%d.%d.%d dst=%d.%d.%d.%d", 2533 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]); 2534 } 2535 #ifdef INET6 2536 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) { 2537 snprintf(p, sizeof(buf) - (p - buf), 2538 "src=%s", 2539 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr)); 2540 while (*p) 2541 p++; 2542 snprintf(p, sizeof(buf) - (p - buf), 2543 " dst=%s", 2544 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr)); 2545 } 2546 #endif 2547 while (*p) 2548 p++; 2549 snprintf(p, sizeof(buf) - (p - buf), ")"); 2550 2551 return buf; 2552 } 2553 2554 void 2555 ipsec_dumpmbuf(m) 2556 struct mbuf *m; 2557 { 2558 int totlen; 2559 int i; 2560 u_char *p; 2561 2562 totlen = 0; 2563 printf("---\n"); 2564 while (m) { 2565 p = mtod(m, u_char *); 2566 for (i = 0; i < m->m_len; i++) { 2567 printf("%02x ", p[i]); 2568 totlen++; 2569 if (totlen % 16 == 0) 2570 printf("\n"); 2571 } 2572 m = m->m_next; 2573 } 2574 if (totlen % 16 != 0) 2575 printf("\n"); 2576 printf("---\n"); 2577 } 2578 2579 #ifdef INET 2580 static int 2581 ipsec4_checksa(isr, state) 2582 struct ipsecrequest *isr; 2583 struct ipsec_output_state *state; 2584 { 2585 struct ip *ip; 2586 struct secasindex saidx; 2587 struct sockaddr_in *sin; 2588 2589 /* make SA index for search proper SA */ 2590 ip = mtod(state->m, struct ip *); 2591 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2592 saidx.mode = isr->saidx.mode; 2593 saidx.reqid = isr->saidx.reqid; 2594 sin = (struct sockaddr_in *)&saidx.src; 2595 if (sin->sin_len == 0) { 2596 sin->sin_len = sizeof(*sin); 2597 sin->sin_family = AF_INET; 2598 sin->sin_port = IPSEC_PORT_ANY; 2599 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr)); 2600 } 2601 sin = (struct sockaddr_in *)&saidx.dst; 2602 if (sin->sin_len == 0) { 2603 sin->sin_len = sizeof(*sin); 2604 sin->sin_family = AF_INET; 2605 sin->sin_port = IPSEC_PORT_ANY; 2606 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr)); 2607 } 2608 2609 return key_checkrequest(isr, &saidx); 2610 } 2611 /* 2612 * IPsec output logic for IPv4. 2613 */ 2614 int 2615 ipsec4_output(state, sp, flags) 2616 struct ipsec_output_state *state; 2617 struct secpolicy *sp; 2618 int flags; 2619 { 2620 struct ip *ip = NULL; 2621 struct ipsecrequest *isr = NULL; 2622 int s; 2623 int error; 2624 struct sockaddr_in *dst4; 2625 2626 if (!state) 2627 panic("state == NULL in ipsec4_output"); 2628 if (!state->m) 2629 panic("state->m == NULL in ipsec4_output"); 2630 if (!state->ro) 2631 panic("state->ro == NULL in ipsec4_output"); 2632 if (!state->dst) 2633 panic("state->dst == NULL in ipsec4_output"); 2634 state->encap = 0; 2635 2636 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2637 printf("ipsec4_output: applyed SP\n"); 2638 kdebug_secpolicy(sp)); 2639 2640 for (isr = sp->req; isr != NULL; isr = isr->next) { 2641 2642 #if 0 /* give up to check restriction of transport mode */ 2643 /* XXX but should be checked somewhere */ 2644 /* 2645 * some of the IPsec operation must be performed only in 2646 * originating case. 2647 */ 2648 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT 2649 && (flags & IP_FORWARDING)) 2650 continue; 2651 #endif 2652 error = ipsec4_checksa(isr, state); 2653 if (error != 0) { 2654 /* 2655 * IPsec processing is required, but no SA found. 2656 * I assume that key_acquire() had been called 2657 * to get/establish the SA. Here I discard 2658 * this packet because it is responsibility for 2659 * upper layer to retransmit the packet. 2660 */ 2661 ipsecstat.out_nosa++; 2662 goto bad; 2663 } 2664 2665 /* validity check */ 2666 if (isr->sav == NULL) { 2667 switch (ipsec_get_reqlevel(isr, AF_INET)) { 2668 case IPSEC_LEVEL_USE: 2669 continue; 2670 case IPSEC_LEVEL_REQUIRE: 2671 /* must be not reached here. */ 2672 panic("ipsec4_output: no SA found, but required."); 2673 } 2674 } 2675 2676 /* 2677 * If there is no valid SA, we give up to process any 2678 * more. In such a case, the SA's status is changed 2679 * from DYING to DEAD after allocating. If a packet 2680 * send to the receiver by dead SA, the receiver can 2681 * not decode a packet because SA has been dead. 2682 */ 2683 if (isr->sav->state != SADB_SASTATE_MATURE 2684 && isr->sav->state != SADB_SASTATE_DYING) { 2685 ipsecstat.out_nosa++; 2686 error = EINVAL; 2687 goto bad; 2688 } 2689 2690 /* 2691 * There may be the case that SA status will be changed when 2692 * we are refering to one. So calling splsoftnet(). 2693 */ 2694 s = splnet(); 2695 2696 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2697 /* 2698 * build IPsec tunnel. 2699 */ 2700 /* XXX should be processed with other familiy */ 2701 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) { 2702 ipseclog((LOG_ERR, "ipsec4_output: " 2703 "family mismatched between inner and outer spi=%u\n", 2704 (u_int32_t)ntohl(isr->sav->spi))); 2705 splx(s); 2706 error = EAFNOSUPPORT; 2707 goto bad; 2708 } 2709 2710 state->m = ipsec4_splithdr(state->m); 2711 if (!state->m) { 2712 splx(s); 2713 error = ENOMEM; 2714 goto bad; 2715 } 2716 error = ipsec4_encapsulate(state->m, isr->sav); 2717 splx(s); 2718 if (error) { 2719 state->m = NULL; 2720 goto bad; 2721 } 2722 ip = mtod(state->m, struct ip *); 2723 2724 state->ro = &isr->sav->sah->sa_route; 2725 state->dst = (struct sockaddr *)&state->ro->ro_dst; 2726 dst4 = (struct sockaddr_in *)state->dst; 2727 if (state->ro->ro_rt 2728 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 2729 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) { 2730 RTFREE(state->ro->ro_rt); 2731 state->ro->ro_rt = NULL; 2732 } 2733 if (state->ro->ro_rt == 0) { 2734 dst4->sin_family = AF_INET; 2735 dst4->sin_len = sizeof(*dst4); 2736 dst4->sin_addr = ip->ip_dst; 2737 rtalloc(state->ro); 2738 } 2739 if (state->ro->ro_rt == 0) { 2740 ipstat.ips_noroute++; 2741 error = EHOSTUNREACH; 2742 goto bad; 2743 } 2744 2745 /* adjust state->dst if tunnel endpoint is offlink */ 2746 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 2747 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 2748 dst4 = (struct sockaddr_in *)state->dst; 2749 } 2750 2751 state->encap++; 2752 } else 2753 splx(s); 2754 2755 state->m = ipsec4_splithdr(state->m); 2756 if (!state->m) { 2757 error = ENOMEM; 2758 goto bad; 2759 } 2760 switch (isr->saidx.proto) { 2761 case IPPROTO_ESP: 2762 #ifdef IPSEC_ESP 2763 if ((error = esp4_output(state->m, isr)) != 0) { 2764 state->m = NULL; 2765 goto bad; 2766 } 2767 break; 2768 #else 2769 m_freem(state->m); 2770 state->m = NULL; 2771 error = EINVAL; 2772 goto bad; 2773 #endif 2774 case IPPROTO_AH: 2775 if ((error = ah4_output(state->m, isr)) != 0) { 2776 state->m = NULL; 2777 goto bad; 2778 } 2779 break; 2780 case IPPROTO_IPCOMP: 2781 if ((error = ipcomp4_output(state->m, isr)) != 0) { 2782 state->m = NULL; 2783 goto bad; 2784 } 2785 break; 2786 default: 2787 ipseclog((LOG_ERR, 2788 "ipsec4_output: unknown ipsec protocol %d\n", 2789 isr->saidx.proto)); 2790 m_freem(state->m); 2791 state->m = NULL; 2792 error = EINVAL; 2793 goto bad; 2794 } 2795 2796 if (state->m == 0) { 2797 error = ENOMEM; 2798 goto bad; 2799 } 2800 ip = mtod(state->m, struct ip *); 2801 } 2802 2803 return 0; 2804 2805 bad: 2806 m_freem(state->m); 2807 state->m = NULL; 2808 return error; 2809 } 2810 #endif 2811 2812 #ifdef INET6 2813 static int 2814 ipsec6_checksa(isr, state, tunnel) 2815 struct ipsecrequest *isr; 2816 struct ipsec_output_state *state; 2817 int tunnel; 2818 { 2819 struct ip6_hdr *ip6; 2820 struct secasindex saidx; 2821 struct sockaddr_in6 *sin6; 2822 2823 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2824 #ifdef DIAGNOSTIC 2825 if (!tunnel) 2826 panic("ipsec6_checksa/inconsistent tunnel attribute"); 2827 #endif 2828 /* When tunnel mode, SA peers must be specified. */ 2829 return key_checkrequest(isr, &isr->saidx); 2830 } 2831 2832 /* make SA index for search proper SA */ 2833 ip6 = mtod(state->m, struct ip6_hdr *); 2834 if (tunnel) { 2835 bzero(&saidx, sizeof(saidx)); 2836 saidx.proto = isr->saidx.proto; 2837 } else 2838 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2839 saidx.mode = isr->saidx.mode; 2840 saidx.reqid = isr->saidx.reqid; 2841 sin6 = (struct sockaddr_in6 *)&saidx.src; 2842 if (sin6->sin6_len == 0 || tunnel) { 2843 sin6->sin6_len = sizeof(*sin6); 2844 sin6->sin6_family = AF_INET6; 2845 sin6->sin6_port = IPSEC_PORT_ANY; 2846 sin6->sin6_addr = ip6->ip6_src; 2847 } 2848 sin6 = (struct sockaddr_in6 *)&saidx.dst; 2849 if (sin6->sin6_len == 0 || tunnel) { 2850 sin6->sin6_len = sizeof(*sin6); 2851 sin6->sin6_family = AF_INET6; 2852 sin6->sin6_port = IPSEC_PORT_ANY; 2853 sin6->sin6_addr = ip6->ip6_dst; 2854 } 2855 2856 return key_checkrequest(isr, &saidx); 2857 } 2858 2859 /* 2860 * IPsec output logic for IPv6, transport mode. 2861 */ 2862 int 2863 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun) 2864 struct ipsec_output_state *state; 2865 u_char *nexthdrp; 2866 struct mbuf *mprev; 2867 struct secpolicy *sp; 2868 int flags; 2869 int *tun; 2870 { 2871 struct ip6_hdr *ip6; 2872 struct ipsecrequest *isr = NULL; 2873 int error = 0; 2874 int plen; 2875 2876 if (!state) 2877 panic("state == NULL in ipsec6_output_trans"); 2878 if (!state->m) 2879 panic("state->m == NULL in ipsec6_output_trans"); 2880 if (!nexthdrp) 2881 panic("nexthdrp == NULL in ipsec6_output_trans"); 2882 if (!mprev) 2883 panic("mprev == NULL in ipsec6_output_trans"); 2884 if (!sp) 2885 panic("sp == NULL in ipsec6_output_trans"); 2886 if (!tun) 2887 panic("tun == NULL in ipsec6_output_trans"); 2888 2889 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2890 printf("ipsec6_output_trans: applyed SP\n"); 2891 kdebug_secpolicy(sp)); 2892 2893 *tun = 0; 2894 for (isr = sp->req; isr; isr = isr->next) { 2895 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2896 /* the rest will be handled by ipsec6_output_tunnel() */ 2897 break; 2898 } 2899 2900 error = ipsec6_checksa(isr, state, 0); 2901 if (error == EIO) 2902 goto bad; 2903 if (error == ENOENT) { 2904 /* 2905 * IPsec processing is required, but no SA found. 2906 * I assume that key_acquire() had been called 2907 * to get/establish the SA. Here I discard 2908 * this packet because it is responsibility for 2909 * upper layer to retransmit the packet. 2910 */ 2911 ipsec6stat.out_nosa++; 2912 2913 /* 2914 * Notify the fact that the packet is discarded 2915 * to ourselves. I believe this is better than 2916 * just silently discarding. (jinmei@kame.net) 2917 * XXX: should we restrict the error to TCP packets? 2918 * XXX: should we directly notify sockets via 2919 * pfctlinputs? 2920 * 2921 * Noone have initialized rcvif until this point, 2922 * so clear it. 2923 */ 2924 if ((state->m->m_flags & M_PKTHDR) != 0) 2925 state->m->m_pkthdr.rcvif = NULL; 2926 icmp6_error(state->m, ICMP6_DST_UNREACH, 2927 ICMP6_DST_UNREACH_ADMIN, 0); 2928 state->m = NULL; /* icmp6_error freed the mbuf */ 2929 goto bad; 2930 } 2931 2932 /* validity check */ 2933 if (isr->sav == NULL) { 2934 switch (ipsec_get_reqlevel(isr, AF_INET6)) { 2935 case IPSEC_LEVEL_USE: 2936 continue; 2937 case IPSEC_LEVEL_REQUIRE: 2938 /* must be not reached here. */ 2939 panic("ipsec6_output_trans: no SA found, but required."); 2940 } 2941 } 2942 2943 /* 2944 * If there is no valid SA, we give up to process. 2945 * see same place at ipsec4_output(). 2946 */ 2947 if (isr->sav->state != SADB_SASTATE_MATURE 2948 && isr->sav->state != SADB_SASTATE_DYING) { 2949 ipsec6stat.out_nosa++; 2950 error = EINVAL; 2951 goto bad; 2952 } 2953 2954 switch (isr->saidx.proto) { 2955 case IPPROTO_ESP: 2956 #ifdef IPSEC_ESP 2957 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr); 2958 #else 2959 m_freem(state->m); 2960 error = EINVAL; 2961 #endif 2962 break; 2963 case IPPROTO_AH: 2964 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr); 2965 break; 2966 case IPPROTO_IPCOMP: 2967 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr); 2968 break; 2969 default: 2970 ipseclog((LOG_ERR, "ipsec6_output_trans: " 2971 "unknown ipsec protocol %d\n", isr->saidx.proto)); 2972 m_freem(state->m); 2973 ipsec6stat.out_inval++; 2974 error = EINVAL; 2975 break; 2976 } 2977 if (error) { 2978 state->m = NULL; 2979 goto bad; 2980 } 2981 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 2982 if (plen > IPV6_MAXPACKET) { 2983 ipseclog((LOG_ERR, "ipsec6_output_trans: " 2984 "IPsec with IPv6 jumbogram is not supported\n")); 2985 ipsec6stat.out_inval++; 2986 error = EINVAL; /* XXX */ 2987 goto bad; 2988 } 2989 ip6 = mtod(state->m, struct ip6_hdr *); 2990 ip6->ip6_plen = htons(plen); 2991 } 2992 2993 /* if we have more to go, we need a tunnel mode processing */ 2994 if (isr != NULL) 2995 *tun = 1; 2996 2997 return 0; 2998 2999 bad: 3000 m_freem(state->m); 3001 state->m = NULL; 3002 return error; 3003 } 3004 3005 /* 3006 * IPsec output logic for IPv6, tunnel mode. 3007 */ 3008 int 3009 ipsec6_output_tunnel(state, sp, flags) 3010 struct ipsec_output_state *state; 3011 struct secpolicy *sp; 3012 int flags; 3013 { 3014 struct ip6_hdr *ip6; 3015 struct ipsecrequest *isr = NULL; 3016 int error = 0; 3017 int plen; 3018 struct sockaddr_in6 *dst6; 3019 int s; 3020 3021 if (!state) 3022 panic("state == NULL in ipsec6_output_tunnel"); 3023 if (!state->m) 3024 panic("state->m == NULL in ipsec6_output_tunnel"); 3025 if (!sp) 3026 panic("sp == NULL in ipsec6_output_tunnel"); 3027 3028 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3029 printf("ipsec6_output_tunnel: applyed SP\n"); 3030 kdebug_secpolicy(sp)); 3031 3032 /* 3033 * transport mode ipsec (before the 1st tunnel mode) is already 3034 * processed by ipsec6_output_trans(). 3035 */ 3036 for (isr = sp->req; isr; isr = isr->next) { 3037 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 3038 break; 3039 } 3040 3041 for (/* already initialized */; isr; isr = isr->next) { 3042 error = ipsec6_checksa(isr, state, 1); 3043 if (error == EIO) 3044 goto bad; 3045 if (error == ENOENT) { 3046 /* 3047 * IPsec processing is required, but no SA found. 3048 * I assume that key_acquire() had been called 3049 * to get/establish the SA. Here I discard 3050 * this packet because it is responsibility for 3051 * upper layer to retransmit the packet. 3052 */ 3053 ipsec6stat.out_nosa++; 3054 error = ENOENT; 3055 goto bad; 3056 } 3057 3058 /* validity check */ 3059 if (isr->sav == NULL) { 3060 switch (ipsec_get_reqlevel(isr, AF_INET6)) { 3061 case IPSEC_LEVEL_USE: 3062 continue; 3063 case IPSEC_LEVEL_REQUIRE: 3064 /* must be not reached here. */ 3065 panic("ipsec6_output_tunnel: no SA found, but required."); 3066 } 3067 } 3068 3069 /* 3070 * If there is no valid SA, we give up to process. 3071 * see same place at ipsec4_output(). 3072 */ 3073 if (isr->sav->state != SADB_SASTATE_MATURE 3074 && isr->sav->state != SADB_SASTATE_DYING) { 3075 ipsec6stat.out_nosa++; 3076 error = EINVAL; 3077 goto bad; 3078 } 3079 3080 /* 3081 * There may be the case that SA status will be changed when 3082 * we are refering to one. So calling splsoftnet(). 3083 */ 3084 s = splnet(); 3085 3086 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3087 /* 3088 * build IPsec tunnel. 3089 */ 3090 /* XXX should be processed with other familiy */ 3091 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) { 3092 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3093 "family mismatched between inner and outer, spi=%u\n", 3094 (u_int32_t)ntohl(isr->sav->spi))); 3095 splx(s); 3096 ipsec6stat.out_inval++; 3097 error = EAFNOSUPPORT; 3098 goto bad; 3099 } 3100 3101 state->m = ipsec6_splithdr(state->m); 3102 if (!state->m) { 3103 splx(s); 3104 ipsec6stat.out_nomem++; 3105 error = ENOMEM; 3106 goto bad; 3107 } 3108 error = ipsec6_encapsulate(state->m, isr->sav); 3109 splx(s); 3110 if (error) { 3111 state->m = 0; 3112 goto bad; 3113 } 3114 ip6 = mtod(state->m, struct ip6_hdr *); 3115 3116 state->ro = &isr->sav->sah->sa_route; 3117 state->dst = (struct sockaddr *)&state->ro->ro_dst; 3118 dst6 = (struct sockaddr_in6 *)state->dst; 3119 if (state->ro->ro_rt && 3120 (!(state->ro->ro_rt->rt_flags & RTF_UP) || 3121 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, 3122 &ip6->ip6_dst))) { 3123 RTFREE(state->ro->ro_rt); 3124 state->ro->ro_rt = NULL; 3125 } 3126 if (state->ro->ro_rt == 0) { 3127 bzero(dst6, sizeof(*dst6)); 3128 dst6->sin6_family = AF_INET6; 3129 dst6->sin6_len = sizeof(*dst6); 3130 dst6->sin6_addr = ip6->ip6_dst; 3131 rtalloc(state->ro); 3132 } 3133 if (state->ro->ro_rt == 0) { 3134 ip6stat.ip6s_noroute++; 3135 ipsec6stat.out_noroute++; 3136 error = EHOSTUNREACH; 3137 goto bad; 3138 } 3139 3140 /* adjust state->dst if tunnel endpoint is offlink */ 3141 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 3142 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 3143 dst6 = (struct sockaddr_in6 *)state->dst; 3144 } 3145 } else 3146 splx(s); 3147 3148 state->m = ipsec6_splithdr(state->m); 3149 if (!state->m) { 3150 ipsec6stat.out_nomem++; 3151 error = ENOMEM; 3152 goto bad; 3153 } 3154 ip6 = mtod(state->m, struct ip6_hdr *); 3155 switch (isr->saidx.proto) { 3156 case IPPROTO_ESP: 3157 #ifdef IPSEC_ESP 3158 error = esp6_output(state->m, &ip6->ip6_nxt, 3159 state->m->m_next, isr); 3160 #else 3161 m_freem(state->m); 3162 error = EINVAL; 3163 #endif 3164 break; 3165 case IPPROTO_AH: 3166 error = ah6_output(state->m, &ip6->ip6_nxt, 3167 state->m->m_next, isr); 3168 break; 3169 case IPPROTO_IPCOMP: 3170 /* XXX code should be here */ 3171 /* FALLTHROUGH */ 3172 default: 3173 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3174 "unknown ipsec protocol %d\n", isr->saidx.proto)); 3175 m_freem(state->m); 3176 ipsec6stat.out_inval++; 3177 error = EINVAL; 3178 break; 3179 } 3180 if (error) { 3181 state->m = NULL; 3182 goto bad; 3183 } 3184 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3185 if (plen > IPV6_MAXPACKET) { 3186 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3187 "IPsec with IPv6 jumbogram is not supported\n")); 3188 ipsec6stat.out_inval++; 3189 error = EINVAL; /* XXX */ 3190 goto bad; 3191 } 3192 ip6 = mtod(state->m, struct ip6_hdr *); 3193 ip6->ip6_plen = htons(plen); 3194 } 3195 3196 return 0; 3197 3198 bad: 3199 m_freem(state->m); 3200 state->m = NULL; 3201 return error; 3202 } 3203 #endif /* INET6 */ 3204 3205 #ifdef INET 3206 /* 3207 * Chop IP header and option off from the payload. 3208 */ 3209 static struct mbuf * 3210 ipsec4_splithdr(m) 3211 struct mbuf *m; 3212 { 3213 struct mbuf *mh; 3214 struct ip *ip; 3215 int hlen; 3216 3217 if (m->m_len < sizeof(struct ip)) 3218 panic("ipsec4_splithdr: first mbuf too short"); 3219 ip = mtod(m, struct ip *); 3220 #ifdef _IP_VHL 3221 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 3222 #else 3223 hlen = ip->ip_hl << 2; 3224 #endif 3225 if (m->m_len > hlen) { 3226 MGETHDR(mh, M_DONTWAIT, MT_HEADER); 3227 if (!mh) { 3228 m_freem(m); 3229 return NULL; 3230 } 3231 M_MOVE_PKTHDR(mh, m); 3232 MH_ALIGN(mh, hlen); 3233 m->m_len -= hlen; 3234 m->m_data += hlen; 3235 mh->m_next = m; 3236 m = mh; 3237 m->m_len = hlen; 3238 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen); 3239 } else if (m->m_len < hlen) { 3240 m = m_pullup(m, hlen); 3241 if (!m) 3242 return NULL; 3243 } 3244 return m; 3245 } 3246 #endif 3247 3248 #ifdef INET6 3249 static struct mbuf * 3250 ipsec6_splithdr(m) 3251 struct mbuf *m; 3252 { 3253 struct mbuf *mh; 3254 struct ip6_hdr *ip6; 3255 int hlen; 3256 3257 if (m->m_len < sizeof(struct ip6_hdr)) 3258 panic("ipsec6_splithdr: first mbuf too short"); 3259 ip6 = mtod(m, struct ip6_hdr *); 3260 hlen = sizeof(struct ip6_hdr); 3261 if (m->m_len > hlen) { 3262 MGETHDR(mh, M_DONTWAIT, MT_HEADER); 3263 if (!mh) { 3264 m_freem(m); 3265 return NULL; 3266 } 3267 M_MOVE_PKTHDR(mh, m); 3268 MH_ALIGN(mh, hlen); 3269 m->m_len -= hlen; 3270 m->m_data += hlen; 3271 mh->m_next = m; 3272 m = mh; 3273 m->m_len = hlen; 3274 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen); 3275 } else if (m->m_len < hlen) { 3276 m = m_pullup(m, hlen); 3277 if (!m) 3278 return NULL; 3279 } 3280 return m; 3281 } 3282 #endif 3283 3284 /* validate inbound IPsec tunnel packet. */ 3285 int 3286 ipsec4_tunnel_validate(m, off, nxt0, sav) 3287 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 3288 int off; 3289 u_int nxt0; 3290 struct secasvar *sav; 3291 { 3292 u_int8_t nxt = nxt0 & 0xff; 3293 struct sockaddr_in *sin; 3294 struct sockaddr_in osrc, odst, isrc, idst; 3295 int hlen; 3296 struct secpolicy *sp; 3297 struct ip *oip; 3298 3299 #ifdef DIAGNOSTIC 3300 if (m->m_len < sizeof(struct ip)) 3301 panic("too short mbuf on ipsec4_tunnel_validate"); 3302 #endif 3303 if (nxt != IPPROTO_IPV4) 3304 return 0; 3305 if (m->m_pkthdr.len < off + sizeof(struct ip)) 3306 return 0; 3307 /* do not decapsulate if the SA is for transport mode only */ 3308 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3309 return 0; 3310 3311 oip = mtod(m, struct ip *); 3312 hlen = oip->ip_hl << 2; 3313 if (hlen != sizeof(struct ip)) 3314 return 0; 3315 3316 /* AF_INET6 should be supported, but at this moment we don't. */ 3317 sin = (struct sockaddr_in *)&sav->sah->saidx.dst; 3318 if (sin->sin_family != AF_INET) 3319 return 0; 3320 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0) 3321 return 0; 3322 3323 /* XXX slow */ 3324 bzero(&osrc, sizeof(osrc)); 3325 bzero(&odst, sizeof(odst)); 3326 bzero(&isrc, sizeof(isrc)); 3327 bzero(&idst, sizeof(idst)); 3328 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family = 3329 AF_INET; 3330 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len = 3331 sizeof(struct sockaddr_in); 3332 osrc.sin_addr = oip->ip_src; 3333 odst.sin_addr = oip->ip_dst; 3334 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr), 3335 (caddr_t)&isrc.sin_addr); 3336 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr), 3337 (caddr_t)&idst.sin_addr); 3338 3339 /* 3340 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode) 3341 * - if the inner destination is multicast address, there can be 3342 * multiple permissible inner source address. implementation 3343 * may want to skip verification of inner source address against 3344 * SPD selector. 3345 * - if the inner protocol is ICMP, the packet may be an error report 3346 * from routers on the other side of the VPN cloud (R in the 3347 * following diagram). in this case, we cannot verify inner source 3348 * address against SPD selector. 3349 * me -- gw === gw -- R -- you 3350 * 3351 * we consider the first bullet to be users responsibility on SPD entry 3352 * configuration (if you need to encrypt multicast traffic, set 3353 * the source range of SPD selector to 0.0.0.0/0, or have explicit 3354 * address ranges for possible senders). 3355 * the second bullet is not taken care of (yet). 3356 * 3357 * therefore, we do not do anything special about inner source. 3358 */ 3359 3360 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 3361 (struct sockaddr *)&isrc, (struct sockaddr *)&idst); 3362 /* 3363 * when there is no suitable inbound policy for the packet of the ipsec 3364 * tunnel mode, the kernel never decapsulate the tunneled packet 3365 * as the ipsec tunnel mode even when the system wide policy is "none". 3366 * then the kernel leaves the generic tunnel module to process this 3367 * packet. if there is no rule of the generic tunnel, the packet 3368 * is rejected and the statistics will be counted up. 3369 */ 3370 if (!sp) 3371 return 0; 3372 key_freesp(sp); 3373 3374 return 1; 3375 } 3376 3377 #ifdef INET6 3378 /* validate inbound IPsec tunnel packet. */ 3379 int 3380 ipsec6_tunnel_validate(m, off, nxt0, sav) 3381 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 3382 int off; 3383 u_int nxt0; 3384 struct secasvar *sav; 3385 { 3386 u_int8_t nxt = nxt0 & 0xff; 3387 struct sockaddr_in6 *sin6; 3388 struct sockaddr_in6 osrc, odst, isrc, idst; 3389 struct secpolicy *sp; 3390 struct ip6_hdr *oip6; 3391 3392 #ifdef DIAGNOSTIC 3393 if (m->m_len < sizeof(struct ip6_hdr)) 3394 panic("too short mbuf on ipsec6_tunnel_validate"); 3395 #endif 3396 if (nxt != IPPROTO_IPV6) 3397 return 0; 3398 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr)) 3399 return 0; 3400 /* do not decapsulate if the SA is for transport mode only */ 3401 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3402 return 0; 3403 3404 oip6 = mtod(m, struct ip6_hdr *); 3405 3406 /* AF_INET should be supported, but at this moment we don't. */ 3407 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst; 3408 if (sin6->sin6_family != AF_INET6) 3409 return 0; 3410 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr)) 3411 return 0; 3412 3413 /* XXX slow */ 3414 bzero(&osrc, sizeof(osrc)); 3415 bzero(&odst, sizeof(odst)); 3416 bzero(&isrc, sizeof(isrc)); 3417 bzero(&idst, sizeof(idst)); 3418 osrc.sin6_family = odst.sin6_family = isrc.sin6_family = 3419 idst.sin6_family = AF_INET6; 3420 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len = 3421 sizeof(struct sockaddr_in6); 3422 osrc.sin6_addr = oip6->ip6_src; 3423 odst.sin6_addr = oip6->ip6_dst; 3424 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), 3425 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr); 3426 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), 3427 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr); 3428 3429 /* 3430 * regarding to inner source address validation, see a long comment 3431 * in ipsec4_tunnel_validate. 3432 */ 3433 3434 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 3435 (struct sockaddr *)&isrc, (struct sockaddr *)&idst); 3436 if (!sp) 3437 return 0; 3438 key_freesp(sp); 3439 3440 return 1; 3441 } 3442 #endif 3443 3444 /* 3445 * Make a mbuf chain for encryption. 3446 * If the original mbuf chain contains a mbuf with a cluster, 3447 * allocate a new cluster and copy the data to the new cluster. 3448 * XXX: this hack is inefficient, but is necessary to handle cases 3449 * of TCP retransmission... 3450 */ 3451 struct mbuf * 3452 ipsec_copypkt(m) 3453 struct mbuf *m; 3454 { 3455 struct mbuf *n, **mpp, *mnew; 3456 3457 for (n = m, mpp = &m; n; n = n->m_next) { 3458 if (n->m_flags & M_EXT) { 3459 /* 3460 * Make a copy only if there is more than one 3461 * references to the cluster. 3462 * XXX: is this approach effective? 3463 */ 3464 if (!M_WRITABLE(n)) { 3465 int remain, copied; 3466 struct mbuf *mm; 3467 3468 if (n->m_flags & M_PKTHDR) { 3469 MGETHDR(mnew, M_DONTWAIT, MT_HEADER); 3470 if (mnew == NULL) 3471 goto fail; 3472 M_MOVE_PKTHDR(mnew, n); 3473 } 3474 else { 3475 MGET(mnew, M_DONTWAIT, MT_DATA); 3476 if (mnew == NULL) 3477 goto fail; 3478 } 3479 mnew->m_len = 0; 3480 mm = mnew; 3481 3482 /* 3483 * Copy data. If we don't have enough space to 3484 * store the whole data, allocate a cluster 3485 * or additional mbufs. 3486 * XXX: we don't use m_copyback(), since the 3487 * function does not use clusters and thus is 3488 * inefficient. 3489 */ 3490 remain = n->m_len; 3491 copied = 0; 3492 while (1) { 3493 int len; 3494 struct mbuf *mn; 3495 3496 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN)) 3497 len = remain; 3498 else { /* allocate a cluster */ 3499 MCLGET(mm, M_DONTWAIT); 3500 if (!(mm->m_flags & M_EXT)) { 3501 m_free(mm); 3502 goto fail; 3503 } 3504 len = remain < MCLBYTES ? 3505 remain : MCLBYTES; 3506 } 3507 3508 bcopy(n->m_data + copied, mm->m_data, 3509 len); 3510 3511 copied += len; 3512 remain -= len; 3513 mm->m_len = len; 3514 3515 if (remain <= 0) /* completed? */ 3516 break; 3517 3518 /* need another mbuf */ 3519 MGETHDR(mn, M_DONTWAIT, MT_HEADER); 3520 if (mn == NULL) 3521 goto fail; 3522 mn->m_pkthdr.rcvif = NULL; 3523 mm->m_next = mn; 3524 mm = mn; 3525 } 3526 3527 /* adjust chain */ 3528 mm->m_next = m_free(n); 3529 n = mm; 3530 *mpp = mnew; 3531 mpp = &n->m_next; 3532 3533 continue; 3534 } 3535 } 3536 *mpp = n; 3537 mpp = &n->m_next; 3538 } 3539 3540 return (m); 3541 fail: 3542 m_freem(m); 3543 return (NULL); 3544 } 3545 3546 static struct ipsecaux * 3547 ipsec_addaux(m) 3548 struct mbuf *m; 3549 { 3550 struct m_tag *mtag; 3551 3552 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); 3553 if (mtag == NULL) { 3554 mtag = m_tag_get(PACKET_TAG_IPSEC_HISTORY, 3555 sizeof(struct ipsecaux), M_NOWAIT); 3556 if (mtag != NULL) 3557 m_tag_prepend(m, mtag); 3558 } 3559 if (mtag == NULL) 3560 return NULL; /* ENOBUFS */ 3561 /* XXX is this necessary? */ 3562 bzero((void *)(mtag + 1), sizeof(struct ipsecaux)); 3563 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL; 3564 } 3565 3566 static struct ipsecaux * 3567 ipsec_findaux(m) 3568 struct mbuf *m; 3569 { 3570 struct m_tag *mtag; 3571 3572 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); 3573 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL; 3574 } 3575 3576 void 3577 ipsec_delaux(m) 3578 struct mbuf *m; 3579 { 3580 struct m_tag *mtag; 3581 3582 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); 3583 if (mtag != NULL) 3584 m_tag_delete(m, mtag); 3585 } 3586 3587 /* if the aux buffer is unnecessary, nuke it. */ 3588 static void 3589 ipsec_optaux(m, aux) 3590 struct mbuf *m; 3591 struct ipsecaux *aux; 3592 { 3593 3594 if (aux == NULL) 3595 return; 3596 ipsec_delaux(m); 3597 } 3598 3599 int 3600 ipsec_addhist(m, proto, spi) 3601 struct mbuf *m; 3602 int proto; 3603 u_int32_t spi; 3604 { 3605 struct ipsecaux *aux; 3606 3607 aux = ipsec_addaux(m); 3608 if (aux == NULL) 3609 return ENOBUFS; 3610 aux->hdrs++; 3611 return 0; 3612 } 3613 3614 int 3615 ipsec_getnhist(m) 3616 struct mbuf *m; 3617 { 3618 struct ipsecaux *aux; 3619 3620 aux = ipsec_findaux(m); 3621 if (aux == NULL) 3622 return 0; 3623 return aux->hdrs; 3624 } 3625 3626 void 3627 ipsec_clearhist(m) 3628 struct mbuf *m; 3629 { 3630 struct ipsecaux *aux; 3631 3632 aux = ipsec_findaux(m); 3633 ipsec_optaux(m, aux); 3634 }
Cache object: ddda948286215aab2a206b1027740165
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]