Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* $FreeBSD: releng/6.3/sys/netinet6/ipsec.c 161985 2006-09-04 10:35:07Z pjd $ */ 2 /* $KAME: ipsec.c,v 1.207 2004/01/13 03:30:42 itojun Exp $ */ 3 4 /*- 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * IPsec controller part. 35 */ 36 37 #include "opt_inet.h" 38 #include "opt_inet6.h" 39 #include "opt_ipsec.h" 40 41 #include <sys/param.h> 42 #include <sys/systm.h> 43 #include <sys/malloc.h> 44 #include <sys/mbuf.h> 45 #include <sys/domain.h> 46 #include <sys/protosw.h> 47 #include <sys/socket.h> 48 #include <sys/socketvar.h> 49 #include <sys/errno.h> 50 #include <sys/time.h> 51 #include <sys/kernel.h> 52 #include <sys/syslog.h> 53 #include <sys/sysctl.h> 54 #include <sys/proc.h> 55 56 #include <net/if.h> 57 #include <net/route.h> 58 59 #include <netinet/in.h> 60 #include <netinet/in_systm.h> 61 #include <netinet/ip.h> 62 #include <netinet/ip_var.h> 63 #include <netinet/in_var.h> 64 #include <netinet/udp.h> 65 #include <netinet/udp_var.h> 66 #include <netinet/ip_ecn.h> 67 #ifdef INET6 68 #include <netinet6/ip6_ecn.h> 69 #endif 70 #include <netinet/tcp.h> 71 #include <netinet/udp.h> 72 73 #include <netinet/ip6.h> 74 #ifdef INET6 75 #include <netinet6/ip6_var.h> 76 #include <netinet6/scope6_var.h> 77 #endif 78 #include <netinet/in_pcb.h> 79 #ifdef INET6 80 #include <netinet/icmp6.h> 81 #endif 82 83 #include <netinet6/ipsec.h> 84 #ifdef INET6 85 #include <netinet6/ipsec6.h> 86 #endif 87 #include <netinet6/ah.h> 88 #ifdef INET6 89 #include <netinet6/ah6.h> 90 #endif 91 #ifdef IPSEC_ESP 92 #include <netinet6/esp.h> 93 #ifdef INET6 94 #include <netinet6/esp6.h> 95 #endif 96 #endif 97 #include <netinet6/ipcomp.h> 98 #ifdef INET6 99 #include <netinet6/ipcomp6.h> 100 #endif 101 #include <netkey/key.h> 102 #include <netkey/keydb.h> 103 #include <netkey/key_debug.h> 104 105 #include <machine/in_cksum.h> 106 #include <net/net_osdep.h> 107 108 #ifdef IPSEC_DEBUG 109 int ipsec_debug = 1; 110 #else 111 int ipsec_debug = 0; 112 #endif 113 114 NET_NEEDS_GIANT("ipsec"); 115 116 struct ipsecstat ipsecstat; 117 int ip4_ah_cleartos = 1; 118 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ 119 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ 120 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; 121 int ip4_esp_net_deflev = IPSEC_LEVEL_USE; 122 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; 123 int ip4_ah_net_deflev = IPSEC_LEVEL_USE; 124 struct secpolicy *ip4_def_policy; 125 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 126 int ip4_esp_randpad = -1; 127 128 static int sp_cachegen = 1; /* cache generation # */ 129 130 SYSCTL_DECL(_net_inet_ipsec); 131 #ifdef INET6 132 SYSCTL_DECL(_net_inet6_ipsec6); 133 #endif 134 135 /* net.inet.ipsec */ 136 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS, 137 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, ""); 138 #if 0 139 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY, 140 def_policy, CTLFLAG_RW, &ip4_def_policy->policy, 0, ""); 141 #endif 142 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 143 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, ""); 144 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 145 CTLFLAG_RW, &ip4_esp_net_deflev, 0, ""); 146 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 147 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, ""); 148 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 149 CTLFLAG_RW, &ip4_ah_net_deflev, 0, ""); 150 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, 151 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, ""); 152 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, 153 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, ""); 154 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, 155 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, ""); 156 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, 157 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, ""); 158 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, 159 debug, CTLFLAG_RW, &ipsec_debug, 0, ""); 160 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD, 161 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, ""); 162 163 #ifdef INET6 164 struct ipsecstat ipsec6stat; 165 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; 166 int ip6_esp_net_deflev = IPSEC_LEVEL_USE; 167 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 168 int ip6_ah_net_deflev = IPSEC_LEVEL_USE; 169 struct secpolicy *ip6_def_policy; 170 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 171 int ip6_esp_randpad = -1; 172 173 /* net.inet6.ipsec6 */ 174 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, 175 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, ""); 176 #if 0 177 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, 178 def_policy, CTLFLAG_RW, &ip6_def_policy->policy, 0, ""); 179 #endif 180 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 181 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, ""); 182 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 183 CTLFLAG_RW, &ip6_esp_net_deflev, 0, ""); 184 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 185 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, ""); 186 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 187 CTLFLAG_RW, &ip6_ah_net_deflev, 0, ""); 188 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, 189 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, ""); 190 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, 191 debug, CTLFLAG_RW, &ipsec_debug, 0, ""); 192 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, 193 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, ""); 194 #endif /* INET6 */ 195 196 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *, 197 struct inpcbpolicy *, int)); 198 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *, 199 struct secpolicy *, int)); 200 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int)); 201 static int ipsec_setspidx_mbuf 202 __P((struct secpolicyindex *, int, struct mbuf *, int)); 203 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int)); 204 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); 205 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 206 #ifdef INET6 207 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); 208 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 209 #endif 210 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void)); 211 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *)); 212 #if 0 213 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *)); 214 #endif 215 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *)); 216 static int ipsec_set_policy 217 __P((struct secpolicy **, int, caddr_t, size_t, int)); 218 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **)); 219 static void vshiftl __P((unsigned char *, int, int)); 220 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *)); 221 static size_t ipsec_hdrsiz __P((struct secpolicy *)); 222 #ifdef INET 223 static struct mbuf *ipsec4_splithdr __P((struct mbuf *)); 224 #endif 225 #ifdef INET6 226 static struct mbuf *ipsec6_splithdr __P((struct mbuf *)); 227 #endif 228 #ifdef INET 229 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *)); 230 #endif 231 #ifdef INET6 232 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *)); 233 #endif 234 static struct ipsecaux *ipsec_addaux __P((struct mbuf *)); 235 static struct ipsecaux *ipsec_findaux __P((struct mbuf *)); 236 static void ipsec_optaux __P((struct mbuf *, struct ipsecaux *)); 237 #ifdef INET 238 static int ipsec4_checksa __P((struct ipsecrequest *, 239 struct ipsec_output_state *)); 240 #endif 241 #ifdef INET6 242 static int ipsec6_checksa __P((struct ipsecrequest *, 243 struct ipsec_output_state *, int)); 244 #endif 245 246 /* 247 * try to validate and use cached policy on a pcb. 248 */ 249 static struct secpolicy * 250 ipsec_checkpcbcache(m, pcbsp, dir) 251 struct mbuf *m; 252 struct inpcbpolicy *pcbsp; 253 int dir; 254 { 255 struct secpolicyindex spidx; 256 struct timeval mono_time; 257 258 microtime(&mono_time); 259 260 switch (dir) { 261 case IPSEC_DIR_INBOUND: 262 case IPSEC_DIR_OUTBOUND: 263 case IPSEC_DIR_ANY: 264 break; 265 default: 266 return NULL; 267 } 268 #ifdef DIAGNOSTIC 269 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0])) 270 panic("dir too big in ipsec_checkpcbcache"); 271 #endif 272 /* SPD table change invalidates all the caches */ 273 if (pcbsp->cachegen[dir] == 0 || sp_cachegen > pcbsp->cachegen[dir]) { 274 ipsec_invalpcbcache(pcbsp, dir); 275 return NULL; 276 } 277 if (!pcbsp->cache[dir]) 278 return NULL; 279 if (pcbsp->cache[dir]->state != IPSEC_SPSTATE_ALIVE) { 280 ipsec_invalpcbcache(pcbsp, dir); 281 return NULL; 282 } 283 if ((pcbsp->cacheflags & IPSEC_PCBSP_CONNECTED) == 0) { 284 if (!pcbsp->cache[dir]) 285 return NULL; 286 if (ipsec_setspidx(m, &spidx, 1) != 0) 287 return NULL; 288 if (bcmp(&pcbsp->cacheidx[dir], &spidx, sizeof(spidx))) { 289 if (!pcbsp->cache[dir]->spidx || 290 !key_cmpspidx_withmask(pcbsp->cache[dir]->spidx, 291 &spidx)) 292 return NULL; 293 pcbsp->cacheidx[dir] = spidx; 294 } 295 } else { 296 /* 297 * The pcb is connected, and the L4 code is sure that: 298 * - outgoing side uses inp_[lf]addr 299 * - incoming side looks up policy after inpcb lookup 300 * and address pair is known to be stable. We do not need 301 * to generate spidx again, nor check the address match again. 302 * 303 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds 304 * and there are calls to ipsec_pcbconn() from in_pcbconnect(). 305 */ 306 } 307 308 pcbsp->cache[dir]->lastused = mono_time.tv_sec; 309 pcbsp->cache[dir]->refcnt++; 310 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 311 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n", 312 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir])); 313 return pcbsp->cache[dir]; 314 } 315 316 static int 317 ipsec_fillpcbcache(pcbsp, m, sp, dir) 318 struct inpcbpolicy *pcbsp; 319 struct mbuf *m; 320 struct secpolicy *sp; 321 int dir; 322 { 323 324 switch (dir) { 325 case IPSEC_DIR_INBOUND: 326 case IPSEC_DIR_OUTBOUND: 327 break; 328 default: 329 return EINVAL; 330 } 331 #ifdef DIAGNOSTIC 332 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0])) 333 panic("dir too big in ipsec_checkpcbcache"); 334 #endif 335 336 if (pcbsp->cache[dir]) 337 key_freesp(pcbsp->cache[dir]); 338 pcbsp->cache[dir] = NULL; 339 if (ipsec_setspidx(m, &pcbsp->cacheidx[dir], 1) != 0) { 340 return EINVAL; 341 } 342 pcbsp->cache[dir] = sp; 343 if (pcbsp->cache[dir]) { 344 pcbsp->cache[dir]->refcnt++; 345 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 346 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n", 347 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir])); 348 } 349 pcbsp->cachegen[dir] = sp_cachegen; 350 351 return 0; 352 } 353 354 static int 355 ipsec_invalpcbcache(pcbsp, dir) 356 struct inpcbpolicy *pcbsp; 357 int dir; 358 { 359 int i; 360 361 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) { 362 if (dir != IPSEC_DIR_ANY && i != dir) 363 continue; 364 if (pcbsp->cache[i]) 365 key_freesp(pcbsp->cache[i]); 366 pcbsp->cache[i] = NULL; 367 pcbsp->cachegen[i] = 0; 368 bzero(&pcbsp->cacheidx[i], sizeof(pcbsp->cacheidx[i])); 369 } 370 return 0; 371 } 372 373 int 374 ipsec_pcbconn(pcbsp) 375 struct inpcbpolicy *pcbsp; 376 { 377 378 pcbsp->cacheflags |= IPSEC_PCBSP_CONNECTED; 379 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 380 return 0; 381 } 382 383 int 384 ipsec_pcbdisconn(pcbsp) 385 struct inpcbpolicy *pcbsp; 386 { 387 388 pcbsp->cacheflags &= ~IPSEC_PCBSP_CONNECTED; 389 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 390 return 0; 391 } 392 393 int 394 ipsec_invalpcbcacheall() 395 { 396 397 sp_cachegen++; 398 return 0; 399 } 400 401 /* 402 * For OUTBOUND packet having a socket. Searching SPD for packet, 403 * and return a pointer to SP. 404 * OUT: NULL: no apropreate SP found, the following value is set to error. 405 * 0 : bypass 406 * EACCES : discard packet. 407 * ENOENT : ipsec_acquire() in progress, maybe. 408 * others : error occured. 409 * others: a pointer to SP 410 * 411 * NOTE: IPv6 mapped adddress concern is implemented here. 412 */ 413 struct secpolicy * 414 ipsec4_getpolicybypcb(m, dir, inp, error) 415 struct mbuf *m; 416 u_int dir; 417 struct inpcb *inp; 418 int *error; 419 { 420 struct inpcbpolicy *pcbsp = NULL; 421 struct secpolicy *currsp = NULL; /* policy on socket */ 422 struct secpolicy *kernsp = NULL; /* policy on kernel */ 423 struct secpolicyindex spidx; 424 u_int16_t tag; 425 426 /* sanity check */ 427 if (m == NULL || inp == NULL || error == NULL) 428 panic("ipsec4_getpolicybypcb: NULL pointer was passed."); 429 430 pcbsp = inp->inp_sp; 431 432 #ifdef DIAGNOSTIC 433 if (pcbsp == NULL) 434 panic("ipsec4_getpolicybypcb: pcbsp is NULL."); 435 #endif 436 437 tag = 0; 438 439 /* if we have a cached entry, and if it is still valid, use it. */ 440 ipsecstat.spdcachelookup++; 441 currsp = ipsec_checkpcbcache(m, pcbsp, dir); 442 if (currsp) { 443 *error = 0; 444 return currsp; 445 } 446 ipsecstat.spdcachemiss++; 447 448 switch (dir) { 449 case IPSEC_DIR_INBOUND: 450 currsp = pcbsp->sp_in; 451 break; 452 case IPSEC_DIR_OUTBOUND: 453 currsp = pcbsp->sp_out; 454 break; 455 default: 456 panic("ipsec4_getpolicybypcb: illegal direction."); 457 } 458 459 /* sanity check */ 460 if (currsp == NULL) 461 panic("ipsec4_getpolicybypcb: currsp is NULL."); 462 463 /* when privileged socket */ 464 if (pcbsp->priv) { 465 switch (currsp->policy) { 466 case IPSEC_POLICY_BYPASS: 467 currsp->refcnt++; 468 *error = 0; 469 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 470 return currsp; 471 472 case IPSEC_POLICY_ENTRUST: 473 /* look for a policy in SPD */ 474 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 && 475 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 476 /* SP found */ 477 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 478 printf("DP ipsec4_getpolicybypcb called " 479 "to allocate SP:%p\n", kernsp)); 480 *error = 0; 481 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 482 return kernsp; 483 } 484 485 /* no SP found */ 486 ip4_def_policy->refcnt++; 487 *error = 0; 488 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir); 489 return ip4_def_policy; 490 491 case IPSEC_POLICY_IPSEC: 492 currsp->refcnt++; 493 *error = 0; 494 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 495 return currsp; 496 497 default: 498 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: " 499 "Invalid policy for PCB %d\n", currsp->policy)); 500 *error = EINVAL; 501 return NULL; 502 } 503 /* NOTREACHED */ 504 } 505 506 /* when non-privileged socket */ 507 /* look for a policy in SPD */ 508 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 && 509 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 510 /* SP found */ 511 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 512 printf("DP ipsec4_getpolicybypcb called " 513 "to allocate SP:%p\n", kernsp)); 514 *error = 0; 515 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 516 return kernsp; 517 } 518 519 /* no SP found */ 520 switch (currsp->policy) { 521 case IPSEC_POLICY_BYPASS: 522 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: " 523 "Illegal policy for non-privileged defined %d\n", 524 currsp->policy)); 525 *error = EINVAL; 526 return NULL; 527 528 case IPSEC_POLICY_ENTRUST: 529 ip4_def_policy->refcnt++; 530 *error = 0; 531 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir); 532 return ip4_def_policy; 533 534 case IPSEC_POLICY_IPSEC: 535 currsp->refcnt++; 536 *error = 0; 537 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 538 return currsp; 539 540 default: 541 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: " 542 "Invalid policy for PCB %d\n", currsp->policy)); 543 *error = EINVAL; 544 return NULL; 545 } 546 /* NOTREACHED */ 547 } 548 549 /* 550 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 551 * and return a pointer to SP. 552 * OUT: positive: a pointer to the entry for security policy leaf matched. 553 * NULL: no apropreate SP found, the following value is set to error. 554 * 0 : bypass 555 * EACCES : discard packet. 556 * ENOENT : ipsec_acquire() in progress, maybe. 557 * others : error occured. 558 */ 559 struct secpolicy * 560 ipsec4_getpolicybyaddr(m, dir, flag, error) 561 struct mbuf *m; 562 u_int dir; 563 int flag; 564 int *error; 565 { 566 struct secpolicy *sp = NULL; 567 u_int16_t tag; 568 569 /* sanity check */ 570 if (m == NULL || error == NULL) 571 panic("ipsec4_getpolicybyaddr: NULL pointer was passed."); 572 573 /* get a policy entry matched with the packet */ 574 { 575 struct secpolicyindex spidx; 576 577 bzero(&spidx, sizeof(spidx)); 578 579 /* make an index to look for a policy */ 580 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m, 581 (flag & IP_FORWARDING) ? 0 : 1); 582 583 if (*error != 0) 584 return NULL; 585 586 tag = 0; 587 588 sp = key_allocsp(tag, &spidx, dir); 589 } 590 591 /* SP found */ 592 if (sp != NULL) { 593 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 594 printf("DP ipsec4_getpolicybyaddr called " 595 "to allocate SP:%p\n", sp)); 596 *error = 0; 597 return sp; 598 } 599 600 /* no SP found */ 601 ip4_def_policy->refcnt++; 602 *error = 0; 603 return ip4_def_policy; 604 } 605 606 #ifdef INET6 607 /* 608 * For OUTBOUND packet having a socket. Searching SPD for packet, 609 * and return a pointer to SP. 610 * OUT: NULL: no apropreate SP found, the following value is set to error. 611 * 0 : bypass 612 * EACCES : discard packet. 613 * ENOENT : ipsec_acquire() in progress, maybe. 614 * others : error occured. 615 * others: a pointer to SP 616 */ 617 struct secpolicy * 618 ipsec6_getpolicybypcb(m, dir, inp, error) 619 struct mbuf *m; 620 u_int dir; 621 struct inpcb *inp; 622 int *error; 623 { 624 struct inpcbpolicy *pcbsp = NULL; 625 struct secpolicy *currsp = NULL; /* policy on socket */ 626 struct secpolicy *kernsp = NULL; /* policy on kernel */ 627 struct secpolicyindex spidx; 628 u_int16_t tag; 629 630 /* sanity check */ 631 if (m == NULL || inp == NULL || error == NULL) 632 panic("ipsec6_getpolicybypcb: NULL pointer was passed."); 633 634 #ifdef DIAGNOSTIC 635 if ((inp->inp_vflag & INP_IPV6PROTO) == 0) 636 panic("ipsec6_getpolicybypcb: socket domain != inet6"); 637 #endif 638 639 pcbsp = inp->in6p_sp; 640 641 #ifdef DIAGNOSTIC 642 if (pcbsp == NULL) 643 panic("ipsec6_getpolicybypcb: pcbsp is NULL."); 644 #endif 645 646 tag = 0; 647 648 /* if we have a cached entry, and if it is still valid, use it. */ 649 ipsec6stat.spdcachelookup++; 650 currsp = ipsec_checkpcbcache(m, pcbsp, dir); 651 if (currsp) { 652 *error = 0; 653 return currsp; 654 } 655 ipsec6stat.spdcachemiss++; 656 657 switch (dir) { 658 case IPSEC_DIR_INBOUND: 659 currsp = pcbsp->sp_in; 660 break; 661 case IPSEC_DIR_OUTBOUND: 662 currsp = pcbsp->sp_out; 663 break; 664 default: 665 panic("ipsec6_getpolicybypcb: illegal direction."); 666 } 667 668 /* sanity check */ 669 if (currsp == NULL) 670 panic("ipsec6_getpolicybypcb: currsp is NULL."); 671 672 /* when privileged socket */ 673 if (pcbsp->priv) { 674 switch (currsp->policy) { 675 case IPSEC_POLICY_BYPASS: 676 currsp->refcnt++; 677 *error = 0; 678 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 679 return currsp; 680 681 case IPSEC_POLICY_ENTRUST: 682 /* look for a policy in SPD */ 683 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 && 684 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 685 /* SP found */ 686 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 687 printf("DP ipsec6_getpolicybypcb called " 688 "to allocate SP:%p\n", kernsp)); 689 *error = 0; 690 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 691 return kernsp; 692 } 693 694 /* no SP found */ 695 ip6_def_policy->refcnt++; 696 *error = 0; 697 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir); 698 return ip6_def_policy; 699 700 case IPSEC_POLICY_IPSEC: 701 currsp->refcnt++; 702 *error = 0; 703 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 704 return currsp; 705 706 default: 707 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: " 708 "Invalid policy for PCB %d\n", currsp->policy)); 709 *error = EINVAL; 710 return NULL; 711 } 712 /* NOTREACHED */ 713 } 714 715 /* when non-privileged socket */ 716 /* look for a policy in SPD */ 717 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 && 718 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 719 /* SP found */ 720 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 721 printf("DP ipsec6_getpolicybypcb called " 722 "to allocate SP:%p\n", kernsp)); 723 *error = 0; 724 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 725 return kernsp; 726 } 727 728 /* no SP found */ 729 switch (currsp->policy) { 730 case IPSEC_POLICY_BYPASS: 731 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: " 732 "Illegal policy for non-privileged defined %d\n", 733 currsp->policy)); 734 *error = EINVAL; 735 return NULL; 736 737 case IPSEC_POLICY_ENTRUST: 738 ip6_def_policy->refcnt++; 739 *error = 0; 740 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir); 741 return ip6_def_policy; 742 743 case IPSEC_POLICY_IPSEC: 744 currsp->refcnt++; 745 *error = 0; 746 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 747 return currsp; 748 749 default: 750 ipseclog((LOG_ERR, 751 "ipsec6_policybysock: Invalid policy for PCB %d\n", 752 currsp->policy)); 753 *error = EINVAL; 754 return NULL; 755 } 756 /* NOTREACHED */ 757 } 758 759 /* 760 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 761 * and return a pointer to SP. 762 * `flag' means that packet is to be forwarded whether or not. 763 * flag = 1: forwad 764 * OUT: positive: a pointer to the entry for security policy leaf matched. 765 * NULL: no apropreate SP found, the following value is set to error. 766 * 0 : bypass 767 * EACCES : discard packet. 768 * ENOENT : ipsec_acquire() in progress, maybe. 769 * others : error occured. 770 */ 771 #ifndef IP_FORWARDING 772 #define IP_FORWARDING 1 773 #endif 774 775 struct secpolicy * 776 ipsec6_getpolicybyaddr(m, dir, flag, error) 777 struct mbuf *m; 778 u_int dir; 779 int flag; 780 int *error; 781 { 782 struct secpolicy *sp = NULL; 783 u_int16_t tag; 784 785 /* sanity check */ 786 if (m == NULL || error == NULL) 787 panic("ipsec6_getpolicybyaddr: NULL pointer was passed."); 788 789 /* get a policy entry matched with the packet */ 790 { 791 struct secpolicyindex spidx; 792 793 bzero(&spidx, sizeof(spidx)); 794 795 /* make an index to look for a policy */ 796 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 797 (flag & IP_FORWARDING) ? 0 : 1); 798 799 if (*error != 0) 800 return NULL; 801 802 tag = 0; 803 804 sp = key_allocsp(tag, &spidx, dir); 805 } 806 807 /* SP found */ 808 if (sp != NULL) { 809 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 810 printf("DP ipsec6_getpolicybyaddr called " 811 "to allocate SP:%p\n", sp)); 812 *error = 0; 813 return sp; 814 } 815 816 /* no SP found */ 817 ip6_def_policy->refcnt++; 818 *error = 0; 819 return ip6_def_policy; 820 } 821 #endif /* INET6 */ 822 823 /* 824 * set IP address into spidx from mbuf. 825 * When Forwarding packet and ICMP echo reply, this function is used. 826 * 827 * IN: get the followings from mbuf. 828 * protocol family, src, dst, next protocol 829 * OUT: 830 * 0: success. 831 * other: failure, and set errno. 832 */ 833 int 834 ipsec_setspidx_mbuf(spidx, family, m, needport) 835 struct secpolicyindex *spidx; 836 int family; 837 struct mbuf *m; 838 int needport; 839 { 840 int error; 841 842 /* sanity check */ 843 if (spidx == NULL || m == NULL) 844 panic("ipsec_setspidx_mbuf: NULL pointer was passed."); 845 846 bzero(spidx, sizeof(*spidx)); 847 848 error = ipsec_setspidx(m, spidx, needport); 849 if (error) 850 goto bad; 851 852 return 0; 853 854 bad: 855 /* XXX initialize */ 856 bzero(spidx, sizeof(*spidx)); 857 return EINVAL; 858 } 859 860 /* 861 * configure security policy index (src/dst/proto/sport/dport) 862 * by looking at the content of mbuf. 863 * the caller is responsible for error recovery (like clearing up spidx). 864 */ 865 static int 866 ipsec_setspidx(m, spidx, needport) 867 struct mbuf *m; 868 struct secpolicyindex *spidx; 869 int needport; 870 { 871 struct ip *ip = NULL; 872 struct ip ipbuf; 873 u_int v; 874 struct mbuf *n; 875 int len; 876 int error; 877 878 if (m == NULL) 879 panic("ipsec_setspidx: m == 0 passed."); 880 881 bzero(spidx, sizeof(*spidx)); 882 883 /* 884 * validate m->m_pkthdr.len. we see incorrect length if we 885 * mistakenly call this function with inconsistent mbuf chain 886 * (like 4.4BSD tcp/udp processing). XXX should we panic here? 887 */ 888 len = 0; 889 for (n = m; n; n = n->m_next) 890 len += n->m_len; 891 if (m->m_pkthdr.len != len) { 892 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 893 printf("ipsec_setspidx: " 894 "total of m_len(%d) != pkthdr.len(%d), " 895 "ignored.\n", 896 len, m->m_pkthdr.len)); 897 return EINVAL; 898 } 899 900 if (m->m_pkthdr.len < sizeof(struct ip)) { 901 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 902 printf("ipsec_setspidx: " 903 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n", 904 m->m_pkthdr.len)); 905 return EINVAL; 906 } 907 908 if (m->m_len >= sizeof(*ip)) 909 ip = mtod(m, struct ip *); 910 else { 911 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 912 ip = &ipbuf; 913 } 914 #ifdef _IP_VHL 915 v = _IP_VHL_V(ip->ip_vhl); 916 #else 917 v = ip->ip_v; 918 #endif 919 switch (v) { 920 case 4: 921 error = ipsec4_setspidx_ipaddr(m, spidx); 922 if (error) 923 return error; 924 ipsec4_get_ulp(m, spidx, needport); 925 return 0; 926 #ifdef INET6 927 case 6: 928 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 929 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 930 printf("ipsec_setspidx: " 931 "pkthdr.len(%d) < sizeof(struct ip6_hdr), " 932 "ignored.\n", m->m_pkthdr.len)); 933 return EINVAL; 934 } 935 error = ipsec6_setspidx_ipaddr(m, spidx); 936 if (error) 937 return error; 938 ipsec6_get_ulp(m, spidx, needport); 939 return 0; 940 #endif 941 default: 942 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 943 printf("ipsec_setspidx: " 944 "unknown IP version %u, ignored.\n", v)); 945 return EINVAL; 946 } 947 } 948 949 static void 950 ipsec4_get_ulp(m, spidx, needport) 951 struct mbuf *m; 952 struct secpolicyindex *spidx; 953 int needport; 954 { 955 struct ip ip; 956 struct ip6_ext ip6e; 957 u_int8_t nxt; 958 int off; 959 struct tcphdr th; 960 struct udphdr uh; 961 962 /* sanity check */ 963 if (m == NULL) 964 panic("ipsec4_get_ulp: NULL pointer was passed."); 965 if (m->m_pkthdr.len < sizeof(ip)) 966 panic("ipsec4_get_ulp: too short"); 967 968 /* set default */ 969 spidx->ul_proto = IPSEC_ULPROTO_ANY; 970 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY; 971 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY; 972 973 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip); 974 /* ip_input() flips it into host endian XXX need more checking */ 975 if (ip.ip_off & (IP_MF | IP_OFFMASK)) 976 return; 977 978 nxt = ip.ip_p; 979 #ifdef _IP_VHL 980 off = _IP_VHL_HL(ip->ip_vhl) << 2; 981 #else 982 off = ip.ip_hl << 2; 983 #endif 984 while (off < m->m_pkthdr.len) { 985 switch (nxt) { 986 case IPPROTO_TCP: 987 spidx->ul_proto = nxt; 988 if (!needport) 989 return; 990 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 991 return; 992 m_copydata(m, off, sizeof(th), (caddr_t)&th); 993 ((struct sockaddr_in *)&spidx->src)->sin_port = 994 th.th_sport; 995 ((struct sockaddr_in *)&spidx->dst)->sin_port = 996 th.th_dport; 997 return; 998 case IPPROTO_UDP: 999 spidx->ul_proto = nxt; 1000 if (!needport) 1001 return; 1002 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1003 return; 1004 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1005 ((struct sockaddr_in *)&spidx->src)->sin_port = 1006 uh.uh_sport; 1007 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1008 uh.uh_dport; 1009 return; 1010 case IPPROTO_AH: 1011 if (off + sizeof(ip6e) > m->m_pkthdr.len) 1012 return; 1013 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1014 off += (ip6e.ip6e_len + 2) << 2; 1015 nxt = ip6e.ip6e_nxt; 1016 break; 1017 case IPPROTO_ICMP: 1018 default: 1019 /* XXX intermediate headers??? */ 1020 spidx->ul_proto = nxt; 1021 return; 1022 } 1023 } 1024 } 1025 1026 /* assumes that m is sane */ 1027 static int 1028 ipsec4_setspidx_ipaddr(m, spidx) 1029 struct mbuf *m; 1030 struct secpolicyindex *spidx; 1031 { 1032 struct ip *ip = NULL; 1033 struct ip ipbuf; 1034 struct sockaddr_in *sin; 1035 1036 if (m->m_len >= sizeof(*ip)) 1037 ip = mtod(m, struct ip *); 1038 else { 1039 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 1040 ip = &ipbuf; 1041 } 1042 1043 sin = (struct sockaddr_in *)&spidx->src; 1044 bzero(sin, sizeof(*sin)); 1045 sin->sin_family = AF_INET; 1046 sin->sin_len = sizeof(struct sockaddr_in); 1047 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src)); 1048 spidx->prefs = sizeof(struct in_addr) << 3; 1049 1050 sin = (struct sockaddr_in *)&spidx->dst; 1051 bzero(sin, sizeof(*sin)); 1052 sin->sin_family = AF_INET; 1053 sin->sin_len = sizeof(struct sockaddr_in); 1054 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)); 1055 spidx->prefd = sizeof(struct in_addr) << 3; 1056 return 0; 1057 } 1058 1059 #ifdef INET6 1060 static void 1061 ipsec6_get_ulp(m, spidx, needport) 1062 struct mbuf *m; 1063 struct secpolicyindex *spidx; 1064 int needport; 1065 { 1066 int off, nxt; 1067 struct tcphdr th; 1068 struct udphdr uh; 1069 struct icmp6_hdr ih; 1070 1071 /* sanity check */ 1072 if (m == NULL) 1073 panic("ipsec6_get_ulp: NULL pointer was passed."); 1074 1075 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1076 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m)); 1077 1078 /* set default */ 1079 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1080 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; 1081 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; 1082 1083 nxt = -1; 1084 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 1085 if (off < 0 || m->m_pkthdr.len < off) 1086 return; 1087 1088 switch (nxt) { 1089 case IPPROTO_TCP: 1090 spidx->ul_proto = nxt; 1091 if (!needport) 1092 break; 1093 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1094 break; 1095 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1096 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; 1097 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; 1098 break; 1099 case IPPROTO_UDP: 1100 spidx->ul_proto = nxt; 1101 if (!needport) 1102 break; 1103 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1104 break; 1105 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1106 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; 1107 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; 1108 break; 1109 case IPPROTO_ICMPV6: 1110 spidx->ul_proto = nxt; 1111 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len) 1112 break; 1113 m_copydata(m, off, sizeof(ih), (caddr_t)&ih); 1114 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = 1115 htons((u_int16_t)ih.icmp6_type); 1116 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = 1117 htons((u_int16_t)ih.icmp6_code); 1118 break; 1119 default: 1120 /* XXX intermediate headers??? */ 1121 spidx->ul_proto = nxt; 1122 break; 1123 } 1124 } 1125 1126 /* assumes that m is sane */ 1127 static int 1128 ipsec6_setspidx_ipaddr(m, spidx) 1129 struct mbuf *m; 1130 struct secpolicyindex *spidx; 1131 { 1132 struct ip6_hdr *ip6 = NULL; 1133 struct ip6_hdr ip6buf; 1134 struct sockaddr_in6 *sin6; 1135 1136 if (m->m_len >= sizeof(*ip6)) 1137 ip6 = mtod(m, struct ip6_hdr *); 1138 else { 1139 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); 1140 ip6 = &ip6buf; 1141 } 1142 1143 sin6 = (struct sockaddr_in6 *)&spidx->src; 1144 bzero(sin6, sizeof(*sin6)); 1145 sin6->sin6_family = AF_INET6; 1146 sin6->sin6_len = sizeof(struct sockaddr_in6); 1147 sin6->sin6_addr = ip6->ip6_src; 1148 spidx->prefs = sizeof(struct in6_addr) << 3; 1149 1150 sin6 = (struct sockaddr_in6 *)&spidx->dst; 1151 bzero(sin6, sizeof(*sin6)); 1152 sin6->sin6_family = AF_INET6; 1153 sin6->sin6_len = sizeof(struct sockaddr_in6); 1154 sin6->sin6_addr = ip6->ip6_dst; 1155 spidx->prefd = sizeof(struct in6_addr) << 3; 1156 1157 return 0; 1158 } 1159 #endif 1160 1161 static struct inpcbpolicy * 1162 ipsec_newpcbpolicy() 1163 { 1164 struct inpcbpolicy *p; 1165 1166 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT); 1167 return p; 1168 } 1169 1170 static void 1171 ipsec_delpcbpolicy(p) 1172 struct inpcbpolicy *p; 1173 { 1174 1175 free(p, M_SECA); 1176 } 1177 1178 /* initialize policy in PCB */ 1179 int 1180 ipsec_init_pcbpolicy(so, pcb_sp) 1181 struct socket *so; 1182 struct inpcbpolicy **pcb_sp; 1183 { 1184 struct inpcbpolicy *new; 1185 static int initialized = 0; 1186 static struct secpolicy *in = NULL, *out = NULL; 1187 1188 /* sanity check. */ 1189 if (so == NULL || pcb_sp == NULL) 1190 panic("ipsec_init_pcbpolicy: NULL pointer was passed."); 1191 1192 if (!initialized) { 1193 if ((in = key_newsp(0)) == NULL) 1194 return ENOBUFS; 1195 if ((out = key_newsp(0)) == NULL) { 1196 key_freesp(in); 1197 in = NULL; 1198 return ENOBUFS; 1199 } 1200 1201 in->state = IPSEC_SPSTATE_ALIVE; 1202 in->policy = IPSEC_POLICY_ENTRUST; 1203 in->dir = IPSEC_DIR_INBOUND; 1204 in->readonly = 1; 1205 in->persist = 1; 1206 in->so = NULL; 1207 1208 out->state = IPSEC_SPSTATE_ALIVE; 1209 out->policy = IPSEC_POLICY_ENTRUST; 1210 out->dir = IPSEC_DIR_OUTBOUND; 1211 out->readonly = 1; 1212 out->persist = 1; 1213 out->so = NULL; 1214 1215 initialized++; 1216 } 1217 1218 new = ipsec_newpcbpolicy(); 1219 if (new == NULL) { 1220 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n")); 1221 return ENOBUFS; 1222 } 1223 bzero(new, sizeof(*new)); 1224 1225 if (so->so_cred != NULL && 1226 suser_cred(so->so_cred, SUSER_ALLOWJAIL) == 0) 1227 new->priv = 1; 1228 else 1229 new->priv = 0; 1230 1231 new->sp_in = in; 1232 new->sp_in->refcnt++; 1233 new->sp_out = out; 1234 new->sp_out->refcnt++; 1235 1236 *pcb_sp = new; 1237 1238 return 0; 1239 } 1240 1241 /* copy old ipsec policy into new */ 1242 int 1243 ipsec_copy_pcbpolicy(old, new) 1244 struct inpcbpolicy *old, *new; 1245 { 1246 1247 if (new->sp_in) 1248 key_freesp(new->sp_in); 1249 if (old->sp_in->policy == IPSEC_POLICY_IPSEC) 1250 new->sp_in = ipsec_deepcopy_policy(old->sp_in); 1251 else { 1252 new->sp_in = old->sp_in; 1253 new->sp_in->refcnt++; 1254 } 1255 1256 if (new->sp_out) 1257 key_freesp(new->sp_out); 1258 if (old->sp_out->policy == IPSEC_POLICY_IPSEC) 1259 new->sp_out = ipsec_deepcopy_policy(old->sp_out); 1260 else { 1261 new->sp_out = old->sp_out; 1262 new->sp_out->refcnt++; 1263 } 1264 1265 new->priv = old->priv; 1266 1267 return 0; 1268 } 1269 1270 #if 0 1271 static int 1272 ipsec_deepcopy_pcbpolicy(pcb_sp) 1273 struct inpcbpolicy *pcb_sp; 1274 { 1275 struct secpolicy *sp; 1276 1277 sp = ipsec_deepcopy_policy(pcb_sp->sp_in); 1278 if (sp) { 1279 key_freesp(pcb_sp->sp_in); 1280 pcb_sp->sp_in = sp; 1281 } else 1282 return ENOBUFS; 1283 1284 sp = ipsec_deepcopy_policy(pcb_sp->sp_out); 1285 if (sp) { 1286 key_freesp(pcb_sp->sp_out); 1287 pcb_sp->sp_out = sp; 1288 } else 1289 return ENOBUFS; 1290 1291 return 0; 1292 } 1293 #endif 1294 1295 /* deep-copy a policy in PCB */ 1296 static struct secpolicy * 1297 ipsec_deepcopy_policy(src) 1298 struct secpolicy *src; 1299 { 1300 struct ipsecrequest *newchain = NULL; 1301 struct ipsecrequest *p; 1302 struct ipsecrequest **q; 1303 struct ipsecrequest *r; 1304 struct secpolicy *dst; 1305 1306 if (src == NULL) 1307 return NULL; 1308 1309 dst = key_newsp(0); 1310 if (dst == NULL) 1311 return NULL; 1312 1313 /* 1314 * deep-copy IPsec request chain. This is required since struct 1315 * ipsecrequest is not reference counted. 1316 */ 1317 q = &newchain; 1318 for (p = src->req; p; p = p->next) { 1319 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest), 1320 M_SECA, M_NOWAIT); 1321 if (*q == NULL) 1322 goto fail; 1323 bzero(*q, sizeof(**q)); 1324 (*q)->next = NULL; 1325 1326 (*q)->saidx.proto = p->saidx.proto; 1327 (*q)->saidx.mode = p->saidx.mode; 1328 (*q)->level = p->level; 1329 (*q)->saidx.reqid = p->saidx.reqid; 1330 1331 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src)); 1332 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst)); 1333 1334 (*q)->sav = NULL; 1335 (*q)->sp = dst; 1336 1337 q = &((*q)->next); 1338 } 1339 1340 if (src->spidx) 1341 if (keydb_setsecpolicyindex(dst, src->spidx) != 0) 1342 goto fail; 1343 1344 dst->req = newchain; 1345 dst->state = src->state; 1346 dst->policy = src->policy; 1347 dst->dir = src->dir; 1348 dst->so = src->so; 1349 /* do not touch the refcnt fields */ 1350 1351 return dst; 1352 1353 fail: 1354 for (p = newchain; p; p = r) { 1355 r = p->next; 1356 free(p, M_SECA); 1357 p = NULL; 1358 } 1359 key_freesp(dst); 1360 return NULL; 1361 } 1362 1363 /* set policy and ipsec request if present. */ 1364 static int 1365 ipsec_set_policy(spp, optname, request, len, priv) 1366 struct secpolicy **spp; 1367 int optname; 1368 caddr_t request; 1369 size_t len; 1370 int priv; 1371 { 1372 struct sadb_x_policy *xpl; 1373 struct secpolicy *newsp = NULL; 1374 int error; 1375 1376 /* sanity check. */ 1377 if (spp == NULL || *spp == NULL || request == NULL) 1378 return EINVAL; 1379 if (len < sizeof(*xpl)) 1380 return EINVAL; 1381 xpl = (struct sadb_x_policy *)request; 1382 1383 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1384 printf("ipsec_set_policy: passed policy\n"); 1385 kdebug_sadb_x_policy((struct sadb_ext *)xpl)); 1386 1387 /* check policy type */ 1388 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ 1389 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD || 1390 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) 1391 return EINVAL; 1392 1393 /* check privileged socket */ 1394 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) 1395 return EACCES; 1396 1397 /* allocation new SP entry */ 1398 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) 1399 return error; 1400 1401 newsp->state = IPSEC_SPSTATE_ALIVE; 1402 1403 /* clear old SP and set new SP */ 1404 key_freesp(*spp); 1405 *spp = newsp; 1406 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1407 printf("ipsec_set_policy: new policy\n"); 1408 kdebug_secpolicy(newsp)); 1409 1410 return 0; 1411 } 1412 1413 static int 1414 ipsec_get_policy(sp, mp) 1415 struct secpolicy *sp; 1416 struct mbuf **mp; 1417 { 1418 1419 /* sanity check. */ 1420 if (sp == NULL || mp == NULL) 1421 return EINVAL; 1422 1423 *mp = key_sp2msg(sp); 1424 if (!*mp) { 1425 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n")); 1426 return ENOBUFS; 1427 } 1428 1429 (*mp)->m_type = MT_DATA; 1430 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1431 printf("ipsec_get_policy:\n"); 1432 kdebug_mbuf(*mp)); 1433 1434 return 0; 1435 } 1436 1437 int 1438 ipsec4_set_policy(inp, optname, request, len, priv) 1439 struct inpcb *inp; 1440 int optname; 1441 caddr_t request; 1442 size_t len; 1443 int priv; 1444 { 1445 struct sadb_x_policy *xpl; 1446 struct secpolicy **spp; 1447 1448 /* sanity check. */ 1449 if (inp == NULL || request == NULL) 1450 return EINVAL; 1451 if (len < sizeof(*xpl)) 1452 return EINVAL; 1453 xpl = (struct sadb_x_policy *)request; 1454 1455 /* select direction */ 1456 switch (xpl->sadb_x_policy_dir) { 1457 case IPSEC_DIR_INBOUND: 1458 spp = &inp->inp_sp->sp_in; 1459 break; 1460 case IPSEC_DIR_OUTBOUND: 1461 spp = &inp->inp_sp->sp_out; 1462 break; 1463 default: 1464 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", 1465 xpl->sadb_x_policy_dir)); 1466 return EINVAL; 1467 } 1468 1469 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1470 return ipsec_set_policy(spp, optname, request, len, priv); 1471 } 1472 1473 int 1474 ipsec4_get_policy(inp, request, len, mp) 1475 struct inpcb *inp; 1476 caddr_t request; 1477 size_t len; 1478 struct mbuf **mp; 1479 { 1480 struct sadb_x_policy *xpl; 1481 struct secpolicy *sp; 1482 1483 /* sanity check. */ 1484 if (inp == NULL || request == NULL || mp == NULL) 1485 return EINVAL; 1486 if (inp->inp_sp == NULL) 1487 panic("policy in PCB is NULL"); 1488 if (len < sizeof(*xpl)) 1489 return EINVAL; 1490 xpl = (struct sadb_x_policy *)request; 1491 1492 /* select direction */ 1493 switch (xpl->sadb_x_policy_dir) { 1494 case IPSEC_DIR_INBOUND: 1495 sp = inp->inp_sp->sp_in; 1496 break; 1497 case IPSEC_DIR_OUTBOUND: 1498 sp = inp->inp_sp->sp_out; 1499 break; 1500 default: 1501 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n", 1502 xpl->sadb_x_policy_dir)); 1503 return EINVAL; 1504 } 1505 1506 return ipsec_get_policy(sp, mp); 1507 } 1508 1509 /* delete policy in PCB */ 1510 int 1511 ipsec4_delete_pcbpolicy(inp) 1512 struct inpcb *inp; 1513 { 1514 /* sanity check. */ 1515 if (inp == NULL) 1516 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed."); 1517 1518 if (inp->inp_sp == NULL) 1519 return 0; 1520 1521 if (inp->inp_sp->sp_in != NULL) { 1522 key_freesp(inp->inp_sp->sp_in); 1523 inp->inp_sp->sp_in = NULL; 1524 } 1525 1526 if (inp->inp_sp->sp_out != NULL) { 1527 key_freesp(inp->inp_sp->sp_out); 1528 inp->inp_sp->sp_out = NULL; 1529 } 1530 1531 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1532 1533 ipsec_delpcbpolicy(inp->inp_sp); 1534 inp->inp_sp = NULL; 1535 1536 return 0; 1537 } 1538 1539 #ifdef INET6 1540 int 1541 ipsec6_set_policy(in6p, optname, request, len, priv) 1542 struct in6pcb *in6p; 1543 int optname; 1544 caddr_t request; 1545 size_t len; 1546 int priv; 1547 { 1548 struct sadb_x_policy *xpl; 1549 struct secpolicy **spp; 1550 1551 /* sanity check. */ 1552 if (in6p == NULL || request == NULL) 1553 return EINVAL; 1554 if (len < sizeof(*xpl)) 1555 return EINVAL; 1556 xpl = (struct sadb_x_policy *)request; 1557 1558 /* select direction */ 1559 switch (xpl->sadb_x_policy_dir) { 1560 case IPSEC_DIR_INBOUND: 1561 spp = &in6p->in6p_sp->sp_in; 1562 break; 1563 case IPSEC_DIR_OUTBOUND: 1564 spp = &in6p->in6p_sp->sp_out; 1565 break; 1566 default: 1567 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", 1568 xpl->sadb_x_policy_dir)); 1569 return EINVAL; 1570 } 1571 1572 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1573 return ipsec_set_policy(spp, optname, request, len, priv); 1574 } 1575 1576 int 1577 ipsec6_get_policy(in6p, request, len, mp) 1578 struct in6pcb *in6p; 1579 caddr_t request; 1580 size_t len; 1581 struct mbuf **mp; 1582 { 1583 struct sadb_x_policy *xpl; 1584 struct secpolicy *sp; 1585 1586 /* sanity check. */ 1587 if (in6p == NULL || request == NULL || mp == NULL) 1588 return EINVAL; 1589 if (in6p->in6p_sp == NULL) 1590 panic("policy in PCB is NULL"); 1591 if (len < sizeof(*xpl)) 1592 return EINVAL; 1593 xpl = (struct sadb_x_policy *)request; 1594 1595 /* select direction */ 1596 switch (xpl->sadb_x_policy_dir) { 1597 case IPSEC_DIR_INBOUND: 1598 sp = in6p->in6p_sp->sp_in; 1599 break; 1600 case IPSEC_DIR_OUTBOUND: 1601 sp = in6p->in6p_sp->sp_out; 1602 break; 1603 default: 1604 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n", 1605 xpl->sadb_x_policy_dir)); 1606 return EINVAL; 1607 } 1608 1609 return ipsec_get_policy(sp, mp); 1610 } 1611 1612 int 1613 ipsec6_delete_pcbpolicy(in6p) 1614 struct in6pcb *in6p; 1615 { 1616 /* sanity check. */ 1617 if (in6p == NULL) 1618 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed."); 1619 1620 if (in6p->in6p_sp == NULL) 1621 return 0; 1622 1623 if (in6p->in6p_sp->sp_in != NULL) { 1624 key_freesp(in6p->in6p_sp->sp_in); 1625 in6p->in6p_sp->sp_in = NULL; 1626 } 1627 1628 if (in6p->in6p_sp->sp_out != NULL) { 1629 key_freesp(in6p->in6p_sp->sp_out); 1630 in6p->in6p_sp->sp_out = NULL; 1631 } 1632 1633 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1634 1635 ipsec_delpcbpolicy(in6p->in6p_sp); 1636 in6p->in6p_sp = NULL; 1637 1638 return 0; 1639 } 1640 #endif 1641 1642 /* 1643 * return current level. 1644 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 1645 */ 1646 u_int 1647 ipsec_get_reqlevel(isr, af) 1648 struct ipsecrequest *isr; 1649 int af; 1650 { 1651 u_int level = 0; 1652 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev; 1653 1654 /* sanity check */ 1655 if (isr == NULL || isr->sp == NULL) 1656 panic("ipsec_get_reqlevel: NULL pointer is passed."); 1657 1658 /* set default level */ 1659 switch (af) { 1660 #ifdef INET 1661 case AF_INET: 1662 esp_trans_deflev = ip4_esp_trans_deflev; 1663 esp_net_deflev = ip4_esp_net_deflev; 1664 ah_trans_deflev = ip4_ah_trans_deflev; 1665 ah_net_deflev = ip4_ah_net_deflev; 1666 break; 1667 #endif 1668 #ifdef INET6 1669 case AF_INET6: 1670 esp_trans_deflev = ip6_esp_trans_deflev; 1671 esp_net_deflev = ip6_esp_net_deflev; 1672 ah_trans_deflev = ip6_ah_trans_deflev; 1673 ah_net_deflev = ip6_ah_net_deflev; 1674 break; 1675 #endif /* INET6 */ 1676 default: 1677 panic("key_get_reqlevel: Unknown family. %d", 1678 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family); 1679 } 1680 1681 /* set level */ 1682 switch (isr->level) { 1683 case IPSEC_LEVEL_DEFAULT: 1684 switch (isr->saidx.proto) { 1685 case IPPROTO_ESP: 1686 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1687 level = esp_net_deflev; 1688 else 1689 level = esp_trans_deflev; 1690 break; 1691 case IPPROTO_AH: 1692 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1693 level = ah_net_deflev; 1694 else 1695 level = ah_trans_deflev; 1696 break; 1697 case IPPROTO_IPCOMP: 1698 /* 1699 * we don't really care, as IPcomp document says that 1700 * we shouldn't compress small packets 1701 */ 1702 level = IPSEC_LEVEL_USE; 1703 break; 1704 default: 1705 panic("ipsec_get_reqlevel: " 1706 "Illegal protocol defined %u\n", 1707 isr->saidx.proto); 1708 } 1709 break; 1710 1711 case IPSEC_LEVEL_USE: 1712 case IPSEC_LEVEL_REQUIRE: 1713 level = isr->level; 1714 break; 1715 case IPSEC_LEVEL_UNIQUE: 1716 level = IPSEC_LEVEL_REQUIRE; 1717 break; 1718 1719 default: 1720 panic("ipsec_get_reqlevel: Illegal IPsec level %u", 1721 isr->level); 1722 } 1723 1724 return level; 1725 } 1726 1727 /* 1728 * Check AH/ESP integrity. 1729 * OUT: 1730 * 0: valid 1731 * 1: invalid 1732 */ 1733 static int 1734 ipsec_in_reject(sp, m) 1735 struct secpolicy *sp; 1736 struct mbuf *m; 1737 { 1738 struct ipsecrequest *isr; 1739 u_int level; 1740 int need_auth, need_conf, need_icv; 1741 1742 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1743 printf("ipsec_in_reject: using SP\n"); 1744 kdebug_secpolicy(sp)); 1745 1746 /* check policy */ 1747 switch (sp->policy) { 1748 case IPSEC_POLICY_DISCARD: 1749 return 1; 1750 case IPSEC_POLICY_BYPASS: 1751 case IPSEC_POLICY_NONE: 1752 return 0; 1753 1754 case IPSEC_POLICY_IPSEC: 1755 break; 1756 1757 case IPSEC_POLICY_ENTRUST: 1758 default: 1759 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy); 1760 } 1761 1762 need_auth = 0; 1763 need_conf = 0; 1764 need_icv = 0; 1765 1766 /* XXX should compare policy against ipsec header history */ 1767 1768 for (isr = sp->req; isr != NULL; isr = isr->next) { 1769 /* get current level */ 1770 level = ipsec_get_reqlevel(isr, AF_INET); 1771 1772 switch (isr->saidx.proto) { 1773 case IPPROTO_ESP: 1774 if (level == IPSEC_LEVEL_REQUIRE) { 1775 need_conf++; 1776 1777 if (isr->sav != NULL 1778 && isr->sav->flags == SADB_X_EXT_NONE 1779 && isr->sav->alg_auth != SADB_AALG_NONE) 1780 need_icv++; 1781 } 1782 break; 1783 case IPPROTO_AH: 1784 if (level == IPSEC_LEVEL_REQUIRE) { 1785 need_auth++; 1786 need_icv++; 1787 } 1788 break; 1789 case IPPROTO_IPCOMP: 1790 /* 1791 * we don't really care, as IPcomp document says that 1792 * we shouldn't compress small packets, IPComp policy 1793 * should always be treated as being in "use" level. 1794 */ 1795 break; 1796 } 1797 } 1798 1799 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1800 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n", 1801 need_auth, need_conf, need_icv, m->m_flags)); 1802 1803 if ((need_conf && !(m->m_flags & M_DECRYPTED)) 1804 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM)) 1805 || (need_auth && !(m->m_flags & M_AUTHIPHDR))) 1806 return 1; 1807 1808 return 0; 1809 } 1810 1811 /* 1812 * Check AH/ESP integrity. 1813 * This function is called from tcp_input(), udp_input(), 1814 * and {ah,esp}4_input for tunnel mode 1815 */ 1816 int 1817 ipsec4_in_reject(m, inp) 1818 struct mbuf *m; 1819 struct inpcb *inp; 1820 { 1821 struct secpolicy *sp = NULL; 1822 int error; 1823 int result; 1824 1825 /* sanity check */ 1826 if (m == NULL) 1827 return 0; /* XXX should be panic ? */ 1828 1829 /* get SP for this packet. 1830 * When we are called from ip_forward(), we call 1831 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 1832 */ 1833 if (inp == NULL) 1834 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 1835 IP_FORWARDING, &error); 1836 else 1837 sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error); 1838 1839 /* XXX should be panic ? -> No, there may be error. */ 1840 if (sp == NULL) 1841 return 0; 1842 1843 result = ipsec_in_reject(sp, m); 1844 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1845 printf("DP ipsec4_in_reject call free SP:%p\n", sp)); 1846 key_freesp(sp); 1847 1848 return result; 1849 } 1850 1851 #ifdef INET6 1852 /* 1853 * Check AH/ESP integrity. 1854 * This function is called from tcp6_input(), udp6_input(), 1855 * and {ah,esp}6_input for tunnel mode 1856 */ 1857 int 1858 ipsec6_in_reject(m, in6p) 1859 struct mbuf *m; 1860 struct in6pcb *in6p; 1861 { 1862 struct secpolicy *sp = NULL; 1863 int error; 1864 int result; 1865 1866 /* sanity check */ 1867 if (m == NULL) 1868 return 0; /* XXX should be panic ? */ 1869 1870 /* get SP for this packet. 1871 * When we are called from ip_forward(), we call 1872 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. 1873 */ 1874 if (in6p == NULL) 1875 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 1876 IP_FORWARDING, &error); 1877 else 1878 sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error); 1879 1880 if (sp == NULL) 1881 return 0; /* XXX should be panic ? */ 1882 1883 result = ipsec_in_reject(sp, m); 1884 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1885 printf("DP ipsec6_in_reject call free SP:%p\n", sp)); 1886 key_freesp(sp); 1887 1888 return result; 1889 } 1890 #endif 1891 1892 /* 1893 * compute the byte size to be occupied by IPsec header. 1894 * in case it is tunneled, it includes the size of outer IP header. 1895 * NOTE: SP passed is free in this function. 1896 */ 1897 static size_t 1898 ipsec_hdrsiz(sp) 1899 struct secpolicy *sp; 1900 { 1901 struct ipsecrequest *isr; 1902 size_t siz, clen; 1903 1904 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1905 printf("ipsec_hdrsiz: using SP\n"); 1906 kdebug_secpolicy(sp)); 1907 1908 /* check policy */ 1909 switch (sp->policy) { 1910 case IPSEC_POLICY_DISCARD: 1911 case IPSEC_POLICY_BYPASS: 1912 case IPSEC_POLICY_NONE: 1913 return 0; 1914 1915 case IPSEC_POLICY_IPSEC: 1916 break; 1917 1918 case IPSEC_POLICY_ENTRUST: 1919 default: 1920 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy); 1921 } 1922 1923 siz = 0; 1924 1925 for (isr = sp->req; isr != NULL; isr = isr->next) { 1926 1927 clen = 0; 1928 1929 switch (isr->saidx.proto) { 1930 case IPPROTO_ESP: 1931 #ifdef IPSEC_ESP 1932 clen = esp_hdrsiz(isr); 1933 #else 1934 clen = 0; /* XXX */ 1935 #endif 1936 break; 1937 case IPPROTO_AH: 1938 clen = ah_hdrsiz(isr); 1939 break; 1940 case IPPROTO_IPCOMP: 1941 clen = sizeof(struct ipcomp); 1942 break; 1943 } 1944 1945 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 1946 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) { 1947 case AF_INET: 1948 clen += sizeof(struct ip); 1949 break; 1950 #ifdef INET6 1951 case AF_INET6: 1952 clen += sizeof(struct ip6_hdr); 1953 break; 1954 #endif 1955 default: 1956 ipseclog((LOG_ERR, "ipsec_hdrsiz: " 1957 "unknown AF %d in IPsec tunnel SA\n", 1958 ((struct sockaddr *)&isr->saidx.dst)->sa_family)); 1959 break; 1960 } 1961 } 1962 siz += clen; 1963 } 1964 1965 return siz; 1966 } 1967 1968 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ 1969 size_t 1970 ipsec4_hdrsiz(m, dir, inp) 1971 struct mbuf *m; 1972 u_int dir; 1973 struct inpcb *inp; 1974 { 1975 struct secpolicy *sp = NULL; 1976 int error; 1977 size_t size; 1978 1979 /* sanity check */ 1980 if (m == NULL) 1981 return 0; /* XXX should be panic ? */ 1982 #if 0 1983 /* this is possible in TIME_WAIT state */ 1984 if (inp != NULL && inp->inp_socket == NULL) 1985 panic("ipsec4_hdrsize: why is socket NULL but there is PCB."); 1986 #endif 1987 1988 /* get SP for this packet. 1989 * When we are called from ip_forward(), we call 1990 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 1991 */ 1992 if (inp == NULL) 1993 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 1994 else 1995 sp = ipsec4_getpolicybypcb(m, dir, inp, &error); 1996 1997 if (sp == NULL) 1998 return 0; /* XXX should be panic ? */ 1999 2000 size = ipsec_hdrsiz(sp); 2001 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2002 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp)); 2003 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2004 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size)); 2005 key_freesp(sp); 2006 2007 return size; 2008 } 2009 2010 #ifdef INET6 2011 /* This function is called from ipsec6_hdrsize_tcp(), 2012 * and maybe from ip6_forward.() 2013 */ 2014 size_t 2015 ipsec6_hdrsiz(m, dir, in6p) 2016 struct mbuf *m; 2017 u_int dir; 2018 struct in6pcb *in6p; 2019 { 2020 struct secpolicy *sp = NULL; 2021 int error; 2022 size_t size; 2023 2024 /* sanity check */ 2025 if (m == NULL) 2026 return 0; /* XXX should be panic ? */ 2027 #if 0 2028 /* this is possible in TIME_WAIT state */ 2029 if (in6p != NULL && in6p->in6p_socket == NULL) 2030 panic("ipsec6_hdrsize: why is socket NULL but there is PCB."); 2031 #endif 2032 2033 /* get SP for this packet */ 2034 /* XXX Is it right to call with IP_FORWARDING. */ 2035 if (in6p == NULL) 2036 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2037 else 2038 sp = ipsec6_getpolicybypcb(m, dir, in6p, &error); 2039 2040 if (sp == NULL) 2041 return 0; 2042 size = ipsec_hdrsiz(sp); 2043 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2044 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp)); 2045 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2046 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size)); 2047 key_freesp(sp); 2048 2049 return size; 2050 } 2051 #endif /* INET6 */ 2052 2053 #ifdef INET 2054 /* 2055 * encapsulate for ipsec tunnel. 2056 * ip->ip_src must be fixed later on. 2057 */ 2058 static int 2059 ipsec4_encapsulate(m, sav) 2060 struct mbuf *m; 2061 struct secasvar *sav; 2062 { 2063 struct ip *oip; 2064 struct ip *ip; 2065 size_t hlen; 2066 size_t plen; 2067 2068 /* can't tunnel between different AFs */ 2069 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2070 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2071 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2072 m_freem(m); 2073 return EINVAL; 2074 } 2075 #if 0 2076 /* XXX if the dst is myself, perform nothing. */ 2077 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2078 m_freem(m); 2079 return EINVAL; 2080 } 2081 #endif 2082 2083 if (m->m_len < sizeof(*ip)) 2084 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2085 2086 ip = mtod(m, struct ip *); 2087 #ifdef _IP_VHL 2088 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 2089 #else 2090 hlen = ip->ip_hl << 2; 2091 #endif 2092 2093 if (m->m_len != hlen) 2094 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2095 2096 /* generate header checksum */ 2097 ip->ip_sum = 0; 2098 #ifdef _IP_VHL 2099 if (ip->ip_vhl == IP_VHL_BORING) 2100 ip->ip_sum = in_cksum_hdr(ip); 2101 else 2102 ip->ip_sum = in_cksum(m, hlen); 2103 #else 2104 ip->ip_sum = in_cksum(m, hlen); 2105 #endif 2106 2107 plen = m->m_pkthdr.len; 2108 2109 /* 2110 * grow the mbuf to accomodate the new IPv4 header. 2111 * NOTE: IPv4 options will never be copied. 2112 */ 2113 if (M_LEADINGSPACE(m->m_next) < hlen) { 2114 struct mbuf *n; 2115 MGET(n, M_DONTWAIT, MT_DATA); 2116 if (!n) { 2117 m_freem(m); 2118 return ENOBUFS; 2119 } 2120 n->m_len = hlen; 2121 n->m_next = m->m_next; 2122 m->m_next = n; 2123 m->m_pkthdr.len += hlen; 2124 oip = mtod(n, struct ip *); 2125 } else { 2126 m->m_next->m_len += hlen; 2127 m->m_next->m_data -= hlen; 2128 m->m_pkthdr.len += hlen; 2129 oip = mtod(m->m_next, struct ip *); 2130 } 2131 ip = mtod(m, struct ip *); 2132 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen); 2133 m->m_len = sizeof(struct ip); 2134 m->m_pkthdr.len -= (hlen - sizeof(struct ip)); 2135 2136 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2137 /* ECN consideration. */ 2138 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2139 #ifdef _IP_VHL 2140 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2); 2141 #else 2142 ip->ip_hl = sizeof(struct ip) >> 2; 2143 #endif 2144 ip->ip_off &= htons(~IP_OFFMASK); 2145 ip->ip_off &= htons(~IP_MF); 2146 switch (ip4_ipsec_dfbit) { 2147 case 0: /* clear DF bit */ 2148 ip->ip_off &= htons(~IP_DF); 2149 break; 2150 case 1: /* set DF bit */ 2151 ip->ip_off |= htons(IP_DF); 2152 break; 2153 default: /* copy DF bit */ 2154 break; 2155 } 2156 ip->ip_p = IPPROTO_IPIP; 2157 if (plen + sizeof(struct ip) < IP_MAXPACKET) 2158 ip->ip_len = htons(plen + sizeof(struct ip)); 2159 else { 2160 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2161 "leave ip_len as is (invalid packet)\n")); 2162 } 2163 ip->ip_id = ip_newid(); 2164 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2165 &ip->ip_src, sizeof(ip->ip_src)); 2166 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2167 &ip->ip_dst, sizeof(ip->ip_dst)); 2168 ip->ip_ttl = IPDEFTTL; 2169 2170 /* XXX Should ip_src be updated later ? */ 2171 2172 return 0; 2173 } 2174 #endif /* INET */ 2175 2176 #ifdef INET6 2177 static int 2178 ipsec6_encapsulate(m, sav) 2179 struct mbuf *m; 2180 struct secasvar *sav; 2181 { 2182 struct sockaddr_in6 sa6; 2183 struct ip6_hdr *oip6; 2184 struct ip6_hdr *ip6; 2185 size_t plen; 2186 int error; 2187 2188 /* can't tunnel between different AFs */ 2189 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2190 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2191 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { 2192 m_freem(m); 2193 return EINVAL; 2194 } 2195 #if 0 2196 /* XXX if the dst is myself, perform nothing. */ 2197 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2198 m_freem(m); 2199 return EINVAL; 2200 } 2201 #endif 2202 2203 plen = m->m_pkthdr.len; 2204 2205 /* 2206 * grow the mbuf to accomodate the new IPv6 header. 2207 */ 2208 if (m->m_len != sizeof(struct ip6_hdr)) 2209 panic("ipsec6_encapsulate: assumption failed (first mbuf length)"); 2210 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { 2211 struct mbuf *n; 2212 MGET(n, M_DONTWAIT, MT_DATA); 2213 if (!n) { 2214 m_freem(m); 2215 return ENOBUFS; 2216 } 2217 n->m_len = sizeof(struct ip6_hdr); 2218 n->m_next = m->m_next; 2219 m->m_next = n; 2220 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2221 oip6 = mtod(n, struct ip6_hdr *); 2222 } else { 2223 m->m_next->m_len += sizeof(struct ip6_hdr); 2224 m->m_next->m_data -= sizeof(struct ip6_hdr); 2225 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2226 oip6 = mtod(m->m_next, struct ip6_hdr *); 2227 } 2228 ip6 = mtod(m, struct ip6_hdr *); 2229 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr)); 2230 2231 /* XXX: Fake scoped addresses */ 2232 in6_clearscope(&oip6->ip6_src); 2233 in6_clearscope(&oip6->ip6_dst); 2234 2235 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ 2236 /* ECN consideration. */ 2237 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow); 2238 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) 2239 ip6->ip6_plen = htons(plen); 2240 else { 2241 /* ip6->ip6_plen will be updated in ip6_output() */ 2242 } 2243 ip6->ip6_nxt = IPPROTO_IPV6; 2244 2245 sa6 = *(struct sockaddr_in6 *)&sav->sah->saidx.src; 2246 if ((error = sa6_embedscope(&sa6, 0)) != 0) 2247 return (error); 2248 ip6->ip6_src = sa6.sin6_addr; 2249 2250 sa6 = *(struct sockaddr_in6 *)&sav->sah->saidx.dst; 2251 if ((error = sa6_embedscope(&sa6, 0)) != 0) 2252 return (error); 2253 ip6->ip6_dst = sa6.sin6_addr; 2254 2255 ip6->ip6_hlim = IPV6_DEFHLIM; 2256 2257 /* XXX Should ip6_src be updated later ? */ 2258 2259 return 0; 2260 } 2261 #endif /* INET6 */ 2262 2263 /* 2264 * Check the variable replay window. 2265 * ipsec_chkreplay() performs replay check before ICV verification. 2266 * ipsec_updatereplay() updates replay bitmap. This must be called after 2267 * ICV verification (it also performs replay check, which is usually done 2268 * beforehand). 2269 * 0 (zero) is returned if packet disallowed, 1 if packet permitted. 2270 * 2271 * based on RFC 2401. 2272 * 2273 * XXX need to update for 64bit sequence number - 2401bis 2274 */ 2275 int 2276 ipsec_chkreplay(seq, sav) 2277 u_int32_t seq; 2278 struct secasvar *sav; 2279 { 2280 const struct secreplay *replay; 2281 u_int32_t diff; 2282 int fr; 2283 u_int32_t wsizeb; /* constant: bits of window size */ 2284 int frlast; /* constant: last frame */ 2285 2286 /* sanity check */ 2287 if (sav == NULL) 2288 panic("ipsec_chkreplay: NULL pointer was passed."); 2289 2290 replay = sav->replay; 2291 2292 if (replay->wsize == 0) 2293 return 1; /* no need to check replay. */ 2294 2295 /* constant */ 2296 frlast = replay->wsize - 1; 2297 wsizeb = replay->wsize << 3; 2298 2299 /* sequence number of 0 is invalid */ 2300 if (seq == 0) 2301 return 0; 2302 2303 /* first time is always okay */ 2304 if (replay->count == 0) 2305 return 1; 2306 2307 if (seq > replay->lastseq) { 2308 /* larger sequences are okay */ 2309 return 1; 2310 } else { 2311 /* seq is equal or less than lastseq. */ 2312 diff = replay->lastseq - seq; 2313 2314 /* over range to check, i.e. too old or wrapped */ 2315 if (diff >= wsizeb) 2316 return 0; 2317 2318 fr = frlast - diff / 8; 2319 2320 /* this packet already seen ? */ 2321 if (replay->bitmap[fr] & (1 << (diff % 8))) 2322 return 0; 2323 2324 /* out of order but good */ 2325 return 1; 2326 } 2327 } 2328 2329 /* 2330 * check replay counter whether to update or not. 2331 * OUT: 0: OK 2332 * 1: NG 2333 * XXX need to update for 64bit sequence number - 2401bis 2334 */ 2335 int 2336 ipsec_updatereplay(seq, sav) 2337 u_int32_t seq; 2338 struct secasvar *sav; 2339 { 2340 struct secreplay *replay; 2341 u_int64_t diff; 2342 int fr; 2343 u_int32_t wsizeb; /* constant: bits of window size */ 2344 int frlast; /* constant: last frame */ 2345 2346 /* sanity check */ 2347 if (sav == NULL) 2348 panic("ipsec_chkreplay: NULL pointer was passed."); 2349 2350 replay = sav->replay; 2351 2352 if (replay->wsize == 0) 2353 goto ok; /* no need to check replay. */ 2354 2355 /* constant */ 2356 frlast = replay->wsize - 1; 2357 wsizeb = replay->wsize << 3; 2358 2359 /* sequence number of 0 is invalid */ 2360 if (seq == 0) 2361 return 1; 2362 2363 /* first time */ 2364 if (replay->count == 0) { 2365 replay->lastseq = seq; 2366 bzero(replay->bitmap, replay->wsize); 2367 replay->bitmap[frlast] = 1; 2368 goto ok; 2369 } 2370 2371 if (seq > replay->lastseq) { 2372 /* seq is larger than lastseq. */ 2373 diff = seq - replay->lastseq; 2374 2375 /* new larger sequence number */ 2376 if (diff < wsizeb) { 2377 /* In window */ 2378 /* set bit for this packet */ 2379 vshiftl(replay->bitmap, diff, replay->wsize); 2380 replay->bitmap[frlast] |= 1; 2381 } else { 2382 /* this packet has a "way larger" */ 2383 bzero(replay->bitmap, replay->wsize); 2384 replay->bitmap[frlast] = 1; 2385 } 2386 replay->lastseq = seq; 2387 2388 /* larger is good */ 2389 } else { 2390 /* seq is equal or less than lastseq. */ 2391 diff = replay->lastseq - seq; 2392 2393 /* over range to check, i.e. too old or wrapped */ 2394 if (diff >= wsizeb) 2395 return 1; 2396 2397 fr = frlast - diff / 8; 2398 2399 /* this packet already seen ? */ 2400 if (replay->bitmap[fr] & (1 << (diff % 8))) 2401 return 1; 2402 2403 /* mark as seen */ 2404 replay->bitmap[fr] |= (1 << (diff % 8)); 2405 2406 /* out of order but good */ 2407 } 2408 2409 ok: 2410 if (replay->count == 0xffffffff) { 2411 2412 /* set overflow flag */ 2413 replay->overflow++; 2414 2415 /* don't increment, no more packets accepted */ 2416 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) 2417 return 1; 2418 2419 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n", 2420 replay->overflow, ipsec_logsastr(sav))); 2421 } 2422 2423 replay->count++; 2424 2425 return 0; 2426 } 2427 2428 /* 2429 * shift variable length buffer to left. 2430 * IN: bitmap: pointer to the buffer 2431 * nbit: the number of to shift. 2432 * wsize: buffer size (bytes). 2433 */ 2434 static void 2435 vshiftl(bitmap, nbit, wsize) 2436 unsigned char *bitmap; 2437 int nbit, wsize; 2438 { 2439 int s, j, i; 2440 unsigned char over; 2441 2442 for (j = 0; j < nbit; j += 8) { 2443 s = (nbit - j < 8) ? (nbit - j): 8; 2444 bitmap[0] <<= s; 2445 for (i = 1; i < wsize; i++) { 2446 over = (bitmap[i] >> (8 - s)); 2447 bitmap[i] <<= s; 2448 bitmap[i - 1] |= over; 2449 } 2450 } 2451 2452 return; 2453 } 2454 2455 const char * 2456 ipsec4_logpacketstr(ip, spi) 2457 struct ip *ip; 2458 u_int32_t spi; 2459 { 2460 static char buf[256]; 2461 char *p; 2462 u_int8_t *s, *d; 2463 2464 s = (u_int8_t *)(&ip->ip_src); 2465 d = (u_int8_t *)(&ip->ip_dst); 2466 2467 p = buf; 2468 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2469 while (*p) 2470 p++; 2471 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u", 2472 s[0], s[1], s[2], s[3]); 2473 while (*p) 2474 p++; 2475 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u", 2476 d[0], d[1], d[2], d[3]); 2477 while (*p) 2478 p++; 2479 snprintf(p, sizeof(buf) - (p - buf), ")"); 2480 2481 return buf; 2482 } 2483 2484 #ifdef INET6 2485 const char * 2486 ipsec6_logpacketstr(ip6, spi) 2487 struct ip6_hdr *ip6; 2488 u_int32_t spi; 2489 { 2490 static char buf[256]; 2491 char *p; 2492 2493 p = buf; 2494 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2495 while (*p) 2496 p++; 2497 snprintf(p, sizeof(buf) - (p - buf), "src=%s", 2498 ip6_sprintf(&ip6->ip6_src)); 2499 while (*p) 2500 p++; 2501 snprintf(p, sizeof(buf) - (p - buf), " dst=%s", 2502 ip6_sprintf(&ip6->ip6_dst)); 2503 while (*p) 2504 p++; 2505 snprintf(p, sizeof(buf) - (p - buf), ")"); 2506 2507 return buf; 2508 } 2509 #endif /* INET6 */ 2510 2511 const char * 2512 ipsec_logsastr(sav) 2513 struct secasvar *sav; 2514 { 2515 static char buf[256]; 2516 char *p; 2517 struct secasindex *saidx = &sav->sah->saidx; 2518 2519 /* validity check */ 2520 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2521 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) 2522 panic("ipsec_logsastr: family mismatched."); 2523 2524 p = buf; 2525 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi)); 2526 while (*p) 2527 p++; 2528 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) { 2529 u_int8_t *s, *d; 2530 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr; 2531 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr; 2532 snprintf(p, sizeof(buf) - (p - buf), 2533 "src=%d.%d.%d.%d dst=%d.%d.%d.%d", 2534 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]); 2535 } 2536 #ifdef INET6 2537 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) { 2538 snprintf(p, sizeof(buf) - (p - buf), 2539 "src=%s", 2540 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr)); 2541 while (*p) 2542 p++; 2543 snprintf(p, sizeof(buf) - (p - buf), 2544 " dst=%s", 2545 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr)); 2546 } 2547 #endif 2548 while (*p) 2549 p++; 2550 snprintf(p, sizeof(buf) - (p - buf), ")"); 2551 2552 return buf; 2553 } 2554 2555 void 2556 ipsec_dumpmbuf(m) 2557 struct mbuf *m; 2558 { 2559 int totlen; 2560 int i; 2561 u_char *p; 2562 2563 totlen = 0; 2564 printf("---\n"); 2565 while (m) { 2566 p = mtod(m, u_char *); 2567 for (i = 0; i < m->m_len; i++) { 2568 printf("%02x ", p[i]); 2569 totlen++; 2570 if (totlen % 16 == 0) 2571 printf("\n"); 2572 } 2573 m = m->m_next; 2574 } 2575 if (totlen % 16 != 0) 2576 printf("\n"); 2577 printf("---\n"); 2578 } 2579 2580 #ifdef INET 2581 static int 2582 ipsec4_checksa(isr, state) 2583 struct ipsecrequest *isr; 2584 struct ipsec_output_state *state; 2585 { 2586 struct ip *ip; 2587 struct secasindex saidx; 2588 struct sockaddr_in *sin; 2589 2590 /* make SA index for search proper SA */ 2591 ip = mtod(state->m, struct ip *); 2592 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2593 saidx.mode = isr->saidx.mode; 2594 saidx.reqid = isr->saidx.reqid; 2595 sin = (struct sockaddr_in *)&saidx.src; 2596 if (sin->sin_len == 0) { 2597 sin->sin_len = sizeof(*sin); 2598 sin->sin_family = AF_INET; 2599 sin->sin_port = IPSEC_PORT_ANY; 2600 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr)); 2601 } 2602 sin = (struct sockaddr_in *)&saidx.dst; 2603 if (sin->sin_len == 0) { 2604 sin->sin_len = sizeof(*sin); 2605 sin->sin_family = AF_INET; 2606 sin->sin_port = IPSEC_PORT_ANY; 2607 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr)); 2608 } 2609 2610 return key_checkrequest(isr, &saidx); 2611 } 2612 /* 2613 * IPsec output logic for IPv4. 2614 */ 2615 int 2616 ipsec4_output(state, sp, flags) 2617 struct ipsec_output_state *state; 2618 struct secpolicy *sp; 2619 int flags; 2620 { 2621 struct ip *ip = NULL; 2622 struct ipsecrequest *isr = NULL; 2623 int s; 2624 int error; 2625 struct sockaddr_in *dst4; 2626 2627 if (!state) 2628 panic("state == NULL in ipsec4_output"); 2629 if (!state->m) 2630 panic("state->m == NULL in ipsec4_output"); 2631 if (!state->ro) 2632 panic("state->ro == NULL in ipsec4_output"); 2633 if (!state->dst) 2634 panic("state->dst == NULL in ipsec4_output"); 2635 state->encap = 0; 2636 2637 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2638 printf("ipsec4_output: applyed SP\n"); 2639 kdebug_secpolicy(sp)); 2640 2641 for (isr = sp->req; isr != NULL; isr = isr->next) { 2642 2643 #if 0 /* give up to check restriction of transport mode */ 2644 /* XXX but should be checked somewhere */ 2645 /* 2646 * some of the IPsec operation must be performed only in 2647 * originating case. 2648 */ 2649 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT 2650 && (flags & IP_FORWARDING)) 2651 continue; 2652 #endif 2653 error = ipsec4_checksa(isr, state); 2654 if (error != 0) { 2655 /* 2656 * IPsec processing is required, but no SA found. 2657 * I assume that key_acquire() had been called 2658 * to get/establish the SA. Here I discard 2659 * this packet because it is responsibility for 2660 * upper layer to retransmit the packet. 2661 */ 2662 ipsecstat.out_nosa++; 2663 goto bad; 2664 } 2665 2666 /* validity check */ 2667 if (isr->sav == NULL) { 2668 switch (ipsec_get_reqlevel(isr, AF_INET)) { 2669 case IPSEC_LEVEL_USE: 2670 continue; 2671 case IPSEC_LEVEL_REQUIRE: 2672 /* must be not reached here. */ 2673 panic("ipsec4_output: no SA found, but required."); 2674 } 2675 } 2676 2677 /* 2678 * If there is no valid SA, we give up to process any 2679 * more. In such a case, the SA's status is changed 2680 * from DYING to DEAD after allocating. If a packet 2681 * send to the receiver by dead SA, the receiver can 2682 * not decode a packet because SA has been dead. 2683 */ 2684 if (isr->sav->state != SADB_SASTATE_MATURE 2685 && isr->sav->state != SADB_SASTATE_DYING) { 2686 ipsecstat.out_nosa++; 2687 error = EINVAL; 2688 goto bad; 2689 } 2690 2691 /* 2692 * There may be the case that SA status will be changed when 2693 * we are refering to one. So calling splsoftnet(). 2694 */ 2695 s = splnet(); 2696 2697 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2698 /* 2699 * build IPsec tunnel. 2700 */ 2701 /* XXX should be processed with other familiy */ 2702 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) { 2703 ipseclog((LOG_ERR, "ipsec4_output: " 2704 "family mismatched between inner and outer spi=%u\n", 2705 (u_int32_t)ntohl(isr->sav->spi))); 2706 splx(s); 2707 error = EAFNOSUPPORT; 2708 goto bad; 2709 } 2710 2711 state->m = ipsec4_splithdr(state->m); 2712 if (!state->m) { 2713 splx(s); 2714 error = ENOMEM; 2715 goto bad; 2716 } 2717 error = ipsec4_encapsulate(state->m, isr->sav); 2718 splx(s); 2719 if (error) { 2720 state->m = NULL; 2721 goto bad; 2722 } 2723 ip = mtod(state->m, struct ip *); 2724 2725 state->ro = &isr->sav->sah->sa_route; 2726 state->dst = (struct sockaddr *)&state->ro->ro_dst; 2727 dst4 = (struct sockaddr_in *)state->dst; 2728 if (state->ro->ro_rt 2729 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 2730 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) { 2731 RTFREE(state->ro->ro_rt); 2732 state->ro->ro_rt = NULL; 2733 } 2734 if (state->ro->ro_rt == 0) { 2735 dst4->sin_family = AF_INET; 2736 dst4->sin_len = sizeof(*dst4); 2737 dst4->sin_addr = ip->ip_dst; 2738 rtalloc(state->ro); 2739 } 2740 if (state->ro->ro_rt == 0) { 2741 ipstat.ips_noroute++; 2742 error = EHOSTUNREACH; 2743 goto bad; 2744 } 2745 2746 /* adjust state->dst if tunnel endpoint is offlink */ 2747 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 2748 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 2749 dst4 = (struct sockaddr_in *)state->dst; 2750 } 2751 2752 state->encap++; 2753 } else 2754 splx(s); 2755 2756 state->m = ipsec4_splithdr(state->m); 2757 if (!state->m) { 2758 error = ENOMEM; 2759 goto bad; 2760 } 2761 switch (isr->saidx.proto) { 2762 case IPPROTO_ESP: 2763 #ifdef IPSEC_ESP 2764 if ((error = esp4_output(state->m, isr)) != 0) { 2765 state->m = NULL; 2766 goto bad; 2767 } 2768 break; 2769 #else 2770 m_freem(state->m); 2771 state->m = NULL; 2772 error = EINVAL; 2773 goto bad; 2774 #endif 2775 case IPPROTO_AH: 2776 if ((error = ah4_output(state->m, isr)) != 0) { 2777 state->m = NULL; 2778 goto bad; 2779 } 2780 break; 2781 case IPPROTO_IPCOMP: 2782 if ((error = ipcomp4_output(state->m, isr)) != 0) { 2783 state->m = NULL; 2784 goto bad; 2785 } 2786 break; 2787 default: 2788 ipseclog((LOG_ERR, 2789 "ipsec4_output: unknown ipsec protocol %d\n", 2790 isr->saidx.proto)); 2791 m_freem(state->m); 2792 state->m = NULL; 2793 error = EINVAL; 2794 goto bad; 2795 } 2796 2797 if (state->m == 0) { 2798 error = ENOMEM; 2799 goto bad; 2800 } 2801 ip = mtod(state->m, struct ip *); 2802 } 2803 2804 return 0; 2805 2806 bad: 2807 m_freem(state->m); 2808 state->m = NULL; 2809 return error; 2810 } 2811 #endif 2812 2813 #ifdef INET6 2814 static int 2815 ipsec6_checksa(isr, state, tunnel) 2816 struct ipsecrequest *isr; 2817 struct ipsec_output_state *state; 2818 int tunnel; 2819 { 2820 struct ip6_hdr *ip6; 2821 struct secasindex saidx; 2822 struct sockaddr_in6 *sin6; 2823 2824 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2825 #ifdef DIAGNOSTIC 2826 if (!tunnel) 2827 panic("ipsec6_checksa/inconsistent tunnel attribute"); 2828 #endif 2829 /* When tunnel mode, SA peers must be specified. */ 2830 return key_checkrequest(isr, &isr->saidx); 2831 } 2832 2833 /* make SA index for search proper SA */ 2834 ip6 = mtod(state->m, struct ip6_hdr *); 2835 if (tunnel) { 2836 bzero(&saidx, sizeof(saidx)); 2837 saidx.proto = isr->saidx.proto; 2838 } else 2839 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2840 saidx.mode = isr->saidx.mode; 2841 saidx.reqid = isr->saidx.reqid; 2842 sin6 = (struct sockaddr_in6 *)&saidx.src; 2843 if (sin6->sin6_len == 0 || tunnel) { 2844 sin6->sin6_len = sizeof(*sin6); 2845 sin6->sin6_family = AF_INET6; 2846 sin6->sin6_port = IPSEC_PORT_ANY; 2847 sin6->sin6_addr = ip6->ip6_src; 2848 } 2849 sin6 = (struct sockaddr_in6 *)&saidx.dst; 2850 if (sin6->sin6_len == 0 || tunnel) { 2851 sin6->sin6_len = sizeof(*sin6); 2852 sin6->sin6_family = AF_INET6; 2853 sin6->sin6_port = IPSEC_PORT_ANY; 2854 sin6->sin6_addr = ip6->ip6_dst; 2855 } 2856 2857 return key_checkrequest(isr, &saidx); 2858 } 2859 2860 /* 2861 * IPsec output logic for IPv6, transport mode. 2862 */ 2863 int 2864 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun) 2865 struct ipsec_output_state *state; 2866 u_char *nexthdrp; 2867 struct mbuf *mprev; 2868 struct secpolicy *sp; 2869 int flags; 2870 int *tun; 2871 { 2872 struct ip6_hdr *ip6; 2873 struct ipsecrequest *isr = NULL; 2874 int error = 0; 2875 int plen; 2876 2877 if (!state) 2878 panic("state == NULL in ipsec6_output_trans"); 2879 if (!state->m) 2880 panic("state->m == NULL in ipsec6_output_trans"); 2881 if (!nexthdrp) 2882 panic("nexthdrp == NULL in ipsec6_output_trans"); 2883 if (!mprev) 2884 panic("mprev == NULL in ipsec6_output_trans"); 2885 if (!sp) 2886 panic("sp == NULL in ipsec6_output_trans"); 2887 if (!tun) 2888 panic("tun == NULL in ipsec6_output_trans"); 2889 2890 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2891 printf("ipsec6_output_trans: applyed SP\n"); 2892 kdebug_secpolicy(sp)); 2893 2894 *tun = 0; 2895 for (isr = sp->req; isr; isr = isr->next) { 2896 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2897 /* the rest will be handled by ipsec6_output_tunnel() */ 2898 break; 2899 } 2900 2901 error = ipsec6_checksa(isr, state, 0); 2902 if (error == EIO) 2903 goto bad; 2904 if (error == ENOENT) { 2905 /* 2906 * IPsec processing is required, but no SA found. 2907 * I assume that key_acquire() had been called 2908 * to get/establish the SA. Here I discard 2909 * this packet because it is responsibility for 2910 * upper layer to retransmit the packet. 2911 */ 2912 ipsec6stat.out_nosa++; 2913 2914 /* 2915 * Notify the fact that the packet is discarded 2916 * to ourselves. I believe this is better than 2917 * just silently discarding. (jinmei@kame.net) 2918 * XXX: should we restrict the error to TCP packets? 2919 * XXX: should we directly notify sockets via 2920 * pfctlinputs? 2921 * 2922 * Noone have initialized rcvif until this point, 2923 * so clear it. 2924 */ 2925 if ((state->m->m_flags & M_PKTHDR) != 0) 2926 state->m->m_pkthdr.rcvif = NULL; 2927 icmp6_error(state->m, ICMP6_DST_UNREACH, 2928 ICMP6_DST_UNREACH_ADMIN, 0); 2929 state->m = NULL; /* icmp6_error freed the mbuf */ 2930 goto bad; 2931 } 2932 2933 /* validity check */ 2934 if (isr->sav == NULL) { 2935 switch (ipsec_get_reqlevel(isr, AF_INET6)) { 2936 case IPSEC_LEVEL_USE: 2937 continue; 2938 case IPSEC_LEVEL_REQUIRE: 2939 /* must be not reached here. */ 2940 panic("ipsec6_output_trans: no SA found, but required."); 2941 } 2942 } 2943 2944 /* 2945 * If there is no valid SA, we give up to process. 2946 * see same place at ipsec4_output(). 2947 */ 2948 if (isr->sav->state != SADB_SASTATE_MATURE 2949 && isr->sav->state != SADB_SASTATE_DYING) { 2950 ipsec6stat.out_nosa++; 2951 error = EINVAL; 2952 goto bad; 2953 } 2954 2955 switch (isr->saidx.proto) { 2956 case IPPROTO_ESP: 2957 #ifdef IPSEC_ESP 2958 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr); 2959 #else 2960 m_freem(state->m); 2961 error = EINVAL; 2962 #endif 2963 break; 2964 case IPPROTO_AH: 2965 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr); 2966 break; 2967 case IPPROTO_IPCOMP: 2968 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr); 2969 break; 2970 default: 2971 ipseclog((LOG_ERR, "ipsec6_output_trans: " 2972 "unknown ipsec protocol %d\n", isr->saidx.proto)); 2973 m_freem(state->m); 2974 ipsec6stat.out_inval++; 2975 error = EINVAL; 2976 break; 2977 } 2978 if (error) { 2979 state->m = NULL; 2980 goto bad; 2981 } 2982 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 2983 if (plen > IPV6_MAXPACKET) { 2984 ipseclog((LOG_ERR, "ipsec6_output_trans: " 2985 "IPsec with IPv6 jumbogram is not supported\n")); 2986 ipsec6stat.out_inval++; 2987 error = EINVAL; /* XXX */ 2988 goto bad; 2989 } 2990 ip6 = mtod(state->m, struct ip6_hdr *); 2991 ip6->ip6_plen = htons(plen); 2992 } 2993 2994 /* if we have more to go, we need a tunnel mode processing */ 2995 if (isr != NULL) 2996 *tun = 1; 2997 2998 return 0; 2999 3000 bad: 3001 m_freem(state->m); 3002 state->m = NULL; 3003 return error; 3004 } 3005 3006 /* 3007 * IPsec output logic for IPv6, tunnel mode. 3008 */ 3009 int 3010 ipsec6_output_tunnel(state, sp, flags) 3011 struct ipsec_output_state *state; 3012 struct secpolicy *sp; 3013 int flags; 3014 { 3015 struct ip6_hdr *ip6; 3016 struct ipsecrequest *isr = NULL; 3017 int error = 0; 3018 int plen; 3019 struct sockaddr_in6 *dst6; 3020 int s; 3021 3022 if (!state) 3023 panic("state == NULL in ipsec6_output_tunnel"); 3024 if (!state->m) 3025 panic("state->m == NULL in ipsec6_output_tunnel"); 3026 if (!sp) 3027 panic("sp == NULL in ipsec6_output_tunnel"); 3028 3029 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3030 printf("ipsec6_output_tunnel: applyed SP\n"); 3031 kdebug_secpolicy(sp)); 3032 3033 /* 3034 * transport mode ipsec (before the 1st tunnel mode) is already 3035 * processed by ipsec6_output_trans(). 3036 */ 3037 for (isr = sp->req; isr; isr = isr->next) { 3038 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 3039 break; 3040 } 3041 3042 for (/* already initialized */; isr; isr = isr->next) { 3043 error = ipsec6_checksa(isr, state, 1); 3044 if (error == EIO) 3045 goto bad; 3046 if (error == ENOENT) { 3047 /* 3048 * IPsec processing is required, but no SA found. 3049 * I assume that key_acquire() had been called 3050 * to get/establish the SA. Here I discard 3051 * this packet because it is responsibility for 3052 * upper layer to retransmit the packet. 3053 */ 3054 ipsec6stat.out_nosa++; 3055 error = ENOENT; 3056 goto bad; 3057 } 3058 3059 /* validity check */ 3060 if (isr->sav == NULL) { 3061 switch (ipsec_get_reqlevel(isr, AF_INET6)) { 3062 case IPSEC_LEVEL_USE: 3063 continue; 3064 case IPSEC_LEVEL_REQUIRE: 3065 /* must be not reached here. */ 3066 panic("ipsec6_output_tunnel: no SA found, but required."); 3067 } 3068 } 3069 3070 /* 3071 * If there is no valid SA, we give up to process. 3072 * see same place at ipsec4_output(). 3073 */ 3074 if (isr->sav->state != SADB_SASTATE_MATURE 3075 && isr->sav->state != SADB_SASTATE_DYING) { 3076 ipsec6stat.out_nosa++; 3077 error = EINVAL; 3078 goto bad; 3079 } 3080 3081 /* 3082 * There may be the case that SA status will be changed when 3083 * we are refering to one. So calling splsoftnet(). 3084 */ 3085 s = splnet(); 3086 3087 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3088 /* 3089 * build IPsec tunnel. 3090 */ 3091 /* XXX should be processed with other familiy */ 3092 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) { 3093 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3094 "family mismatched between inner and outer, spi=%u\n", 3095 (u_int32_t)ntohl(isr->sav->spi))); 3096 splx(s); 3097 ipsec6stat.out_inval++; 3098 error = EAFNOSUPPORT; 3099 goto bad; 3100 } 3101 3102 state->m = ipsec6_splithdr(state->m); 3103 if (!state->m) { 3104 splx(s); 3105 ipsec6stat.out_nomem++; 3106 error = ENOMEM; 3107 goto bad; 3108 } 3109 error = ipsec6_encapsulate(state->m, isr->sav); 3110 splx(s); 3111 if (error) { 3112 state->m = 0; 3113 goto bad; 3114 } 3115 ip6 = mtod(state->m, struct ip6_hdr *); 3116 3117 state->ro = &isr->sav->sah->sa_route; 3118 state->dst = (struct sockaddr *)&state->ro->ro_dst; 3119 dst6 = (struct sockaddr_in6 *)state->dst; 3120 if (state->ro->ro_rt && 3121 (!(state->ro->ro_rt->rt_flags & RTF_UP) || 3122 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, 3123 &ip6->ip6_dst))) { 3124 RTFREE(state->ro->ro_rt); 3125 state->ro->ro_rt = NULL; 3126 } 3127 if (state->ro->ro_rt == 0) { 3128 bzero(dst6, sizeof(*dst6)); 3129 dst6->sin6_family = AF_INET6; 3130 dst6->sin6_len = sizeof(*dst6); 3131 dst6->sin6_addr = ip6->ip6_dst; 3132 rtalloc(state->ro); 3133 } 3134 if (state->ro->ro_rt == 0) { 3135 ip6stat.ip6s_noroute++; 3136 ipsec6stat.out_noroute++; 3137 error = EHOSTUNREACH; 3138 goto bad; 3139 } 3140 3141 /* adjust state->dst if tunnel endpoint is offlink */ 3142 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 3143 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 3144 dst6 = (struct sockaddr_in6 *)state->dst; 3145 } 3146 } else 3147 splx(s); 3148 3149 state->m = ipsec6_splithdr(state->m); 3150 if (!state->m) { 3151 ipsec6stat.out_nomem++; 3152 error = ENOMEM; 3153 goto bad; 3154 } 3155 ip6 = mtod(state->m, struct ip6_hdr *); 3156 switch (isr->saidx.proto) { 3157 case IPPROTO_ESP: 3158 #ifdef IPSEC_ESP 3159 error = esp6_output(state->m, &ip6->ip6_nxt, 3160 state->m->m_next, isr); 3161 #else 3162 m_freem(state->m); 3163 error = EINVAL; 3164 #endif 3165 break; 3166 case IPPROTO_AH: 3167 error = ah6_output(state->m, &ip6->ip6_nxt, 3168 state->m->m_next, isr); 3169 break; 3170 case IPPROTO_IPCOMP: 3171 /* XXX code should be here */ 3172 /* FALLTHROUGH */ 3173 default: 3174 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3175 "unknown ipsec protocol %d\n", isr->saidx.proto)); 3176 m_freem(state->m); 3177 ipsec6stat.out_inval++; 3178 error = EINVAL; 3179 break; 3180 } 3181 if (error) { 3182 state->m = NULL; 3183 goto bad; 3184 } 3185 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3186 if (plen > IPV6_MAXPACKET) { 3187 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3188 "IPsec with IPv6 jumbogram is not supported\n")); 3189 ipsec6stat.out_inval++; 3190 error = EINVAL; /* XXX */ 3191 goto bad; 3192 } 3193 ip6 = mtod(state->m, struct ip6_hdr *); 3194 ip6->ip6_plen = htons(plen); 3195 } 3196 3197 return 0; 3198 3199 bad: 3200 m_freem(state->m); 3201 state->m = NULL; 3202 return error; 3203 } 3204 #endif /* INET6 */ 3205 3206 #ifdef INET 3207 /* 3208 * Chop IP header and option off from the payload. 3209 */ 3210 static struct mbuf * 3211 ipsec4_splithdr(m) 3212 struct mbuf *m; 3213 { 3214 struct mbuf *mh; 3215 struct ip *ip; 3216 int hlen; 3217 3218 if (m->m_len < sizeof(struct ip)) 3219 panic("ipsec4_splithdr: first mbuf too short"); 3220 ip = mtod(m, struct ip *); 3221 #ifdef _IP_VHL 3222 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 3223 #else 3224 hlen = ip->ip_hl << 2; 3225 #endif 3226 if (m->m_len > hlen) { 3227 MGETHDR(mh, M_DONTWAIT, MT_HEADER); 3228 if (!mh) { 3229 m_freem(m); 3230 return NULL; 3231 } 3232 M_MOVE_PKTHDR(mh, m); 3233 MH_ALIGN(mh, hlen); 3234 m->m_len -= hlen; 3235 m->m_data += hlen; 3236 mh->m_next = m; 3237 m = mh; 3238 m->m_len = hlen; 3239 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen); 3240 } else if (m->m_len < hlen) { 3241 m = m_pullup(m, hlen); 3242 if (!m) 3243 return NULL; 3244 } 3245 return m; 3246 } 3247 #endif 3248 3249 #ifdef INET6 3250 static struct mbuf * 3251 ipsec6_splithdr(m) 3252 struct mbuf *m; 3253 { 3254 struct mbuf *mh; 3255 struct ip6_hdr *ip6; 3256 int hlen; 3257 3258 if (m->m_len < sizeof(struct ip6_hdr)) 3259 panic("ipsec6_splithdr: first mbuf too short"); 3260 ip6 = mtod(m, struct ip6_hdr *); 3261 hlen = sizeof(struct ip6_hdr); 3262 if (m->m_len > hlen) { 3263 MGETHDR(mh, M_DONTWAIT, MT_HEADER); 3264 if (!mh) { 3265 m_freem(m); 3266 return NULL; 3267 } 3268 M_MOVE_PKTHDR(mh, m); 3269 MH_ALIGN(mh, hlen); 3270 m->m_len -= hlen; 3271 m->m_data += hlen; 3272 mh->m_next = m; 3273 m = mh; 3274 m->m_len = hlen; 3275 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen); 3276 } else if (m->m_len < hlen) { 3277 m = m_pullup(m, hlen); 3278 if (!m) 3279 return NULL; 3280 } 3281 return m; 3282 } 3283 #endif 3284 3285 /* validate inbound IPsec tunnel packet. */ 3286 int 3287 ipsec4_tunnel_validate(m, off, nxt0, sav) 3288 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 3289 int off; 3290 u_int nxt0; 3291 struct secasvar *sav; 3292 { 3293 u_int8_t nxt = nxt0 & 0xff; 3294 struct sockaddr_in *sin; 3295 struct sockaddr_in osrc, odst, isrc, idst; 3296 int hlen; 3297 struct secpolicy *sp; 3298 struct ip *oip; 3299 3300 #ifdef DIAGNOSTIC 3301 if (m->m_len < sizeof(struct ip)) 3302 panic("too short mbuf on ipsec4_tunnel_validate"); 3303 #endif 3304 if (nxt != IPPROTO_IPV4) 3305 return 0; 3306 if (m->m_pkthdr.len < off + sizeof(struct ip)) 3307 return 0; 3308 /* do not decapsulate if the SA is for transport mode only */ 3309 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3310 return 0; 3311 3312 oip = mtod(m, struct ip *); 3313 hlen = oip->ip_hl << 2; 3314 if (hlen != sizeof(struct ip)) 3315 return 0; 3316 3317 /* AF_INET6 should be supported, but at this moment we don't. */ 3318 sin = (struct sockaddr_in *)&sav->sah->saidx.dst; 3319 if (sin->sin_family != AF_INET) 3320 return 0; 3321 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0) 3322 return 0; 3323 3324 /* XXX slow */ 3325 bzero(&osrc, sizeof(osrc)); 3326 bzero(&odst, sizeof(odst)); 3327 bzero(&isrc, sizeof(isrc)); 3328 bzero(&idst, sizeof(idst)); 3329 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family = 3330 AF_INET; 3331 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len = 3332 sizeof(struct sockaddr_in); 3333 osrc.sin_addr = oip->ip_src; 3334 odst.sin_addr = oip->ip_dst; 3335 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr), 3336 (caddr_t)&isrc.sin_addr); 3337 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr), 3338 (caddr_t)&idst.sin_addr); 3339 3340 /* 3341 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode) 3342 * - if the inner destination is multicast address, there can be 3343 * multiple permissible inner source address. implementation 3344 * may want to skip verification of inner source address against 3345 * SPD selector. 3346 * - if the inner protocol is ICMP, the packet may be an error report 3347 * from routers on the other side of the VPN cloud (R in the 3348 * following diagram). in this case, we cannot verify inner source 3349 * address against SPD selector. 3350 * me -- gw === gw -- R -- you 3351 * 3352 * we consider the first bullet to be users responsibility on SPD entry 3353 * configuration (if you need to encrypt multicast traffic, set 3354 * the source range of SPD selector to 0.0.0.0/0, or have explicit 3355 * address ranges for possible senders). 3356 * the second bullet is not taken care of (yet). 3357 * 3358 * therefore, we do not do anything special about inner source. 3359 */ 3360 3361 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 3362 (struct sockaddr *)&isrc, (struct sockaddr *)&idst); 3363 /* 3364 * when there is no suitable inbound policy for the packet of the ipsec 3365 * tunnel mode, the kernel never decapsulate the tunneled packet 3366 * as the ipsec tunnel mode even when the system wide policy is "none". 3367 * then the kernel leaves the generic tunnel module to process this 3368 * packet. if there is no rule of the generic tunnel, the packet 3369 * is rejected and the statistics will be counted up. 3370 */ 3371 if (!sp) 3372 return 0; 3373 key_freesp(sp); 3374 3375 return 1; 3376 } 3377 3378 #ifdef INET6 3379 /* validate inbound IPsec tunnel packet. */ 3380 int 3381 ipsec6_tunnel_validate(m, off, nxt0, sav) 3382 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 3383 int off; 3384 u_int nxt0; 3385 struct secasvar *sav; 3386 { 3387 u_int8_t nxt = nxt0 & 0xff; 3388 struct sockaddr_in6 *sin6; 3389 struct sockaddr_in6 osrc, odst, isrc, idst; 3390 struct secpolicy *sp; 3391 struct ip6_hdr *oip6; 3392 3393 #ifdef DIAGNOSTIC 3394 if (m->m_len < sizeof(struct ip6_hdr)) 3395 panic("too short mbuf on ipsec6_tunnel_validate"); 3396 #endif 3397 if (nxt != IPPROTO_IPV6) 3398 return 0; 3399 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr)) 3400 return 0; 3401 /* do not decapsulate if the SA is for transport mode only */ 3402 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3403 return 0; 3404 3405 oip6 = mtod(m, struct ip6_hdr *); 3406 3407 /* AF_INET should be supported, but at this moment we don't. */ 3408 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst; 3409 if (sin6->sin6_family != AF_INET6) 3410 return 0; 3411 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr)) 3412 return 0; 3413 3414 /* XXX slow */ 3415 bzero(&osrc, sizeof(osrc)); 3416 bzero(&odst, sizeof(odst)); 3417 bzero(&isrc, sizeof(isrc)); 3418 bzero(&idst, sizeof(idst)); 3419 osrc.sin6_family = odst.sin6_family = isrc.sin6_family = 3420 idst.sin6_family = AF_INET6; 3421 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len = 3422 sizeof(struct sockaddr_in6); 3423 osrc.sin6_addr = oip6->ip6_src; 3424 odst.sin6_addr = oip6->ip6_dst; 3425 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), 3426 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr); 3427 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), 3428 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr); 3429 3430 /* 3431 * regarding to inner source address validation, see a long comment 3432 * in ipsec4_tunnel_validate. 3433 */ 3434 3435 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 3436 (struct sockaddr *)&isrc, (struct sockaddr *)&idst); 3437 if (!sp) 3438 return 0; 3439 key_freesp(sp); 3440 3441 return 1; 3442 } 3443 #endif 3444 3445 /* 3446 * Make a mbuf chain for encryption. 3447 * If the original mbuf chain contains a mbuf with a cluster, 3448 * allocate a new cluster and copy the data to the new cluster. 3449 * XXX: this hack is inefficient, but is necessary to handle cases 3450 * of TCP retransmission... 3451 */ 3452 struct mbuf * 3453 ipsec_copypkt(m) 3454 struct mbuf *m; 3455 { 3456 struct mbuf *n, **mpp, *mnew; 3457 3458 for (n = m, mpp = &m; n; n = n->m_next) { 3459 if (n->m_flags & M_EXT) { 3460 /* 3461 * Make a copy only if there is more than one 3462 * references to the cluster. 3463 * XXX: is this approach effective? 3464 */ 3465 if (!M_WRITABLE(n)) { 3466 int remain, copied; 3467 struct mbuf *mm; 3468 3469 if (n->m_flags & M_PKTHDR) { 3470 MGETHDR(mnew, M_DONTWAIT, MT_HEADER); 3471 if (mnew == NULL) 3472 goto fail; 3473 M_MOVE_PKTHDR(mnew, n); 3474 } 3475 else { 3476 MGET(mnew, M_DONTWAIT, MT_DATA); 3477 if (mnew == NULL) 3478 goto fail; 3479 } 3480 mnew->m_len = 0; 3481 mm = mnew; 3482 3483 /* 3484 * Copy data. If we don't have enough space to 3485 * store the whole data, allocate a cluster 3486 * or additional mbufs. 3487 * XXX: we don't use m_copyback(), since the 3488 * function does not use clusters and thus is 3489 * inefficient. 3490 */ 3491 remain = n->m_len; 3492 copied = 0; 3493 while (1) { 3494 int len; 3495 struct mbuf *mn; 3496 3497 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN)) 3498 len = remain; 3499 else { /* allocate a cluster */ 3500 MCLGET(mm, M_DONTWAIT); 3501 if (!(mm->m_flags & M_EXT)) { 3502 m_free(mm); 3503 goto fail; 3504 } 3505 len = remain < MCLBYTES ? 3506 remain : MCLBYTES; 3507 } 3508 3509 bcopy(n->m_data + copied, mm->m_data, 3510 len); 3511 3512 copied += len; 3513 remain -= len; 3514 mm->m_len = len; 3515 3516 if (remain <= 0) /* completed? */ 3517 break; 3518 3519 /* need another mbuf */ 3520 MGETHDR(mn, M_DONTWAIT, MT_HEADER); 3521 if (mn == NULL) 3522 goto fail; 3523 mn->m_pkthdr.rcvif = NULL; 3524 mm->m_next = mn; 3525 mm = mn; 3526 } 3527 3528 /* adjust chain */ 3529 mm->m_next = m_free(n); 3530 n = mm; 3531 *mpp = mnew; 3532 mpp = &n->m_next; 3533 3534 continue; 3535 } 3536 } 3537 *mpp = n; 3538 mpp = &n->m_next; 3539 } 3540 3541 return (m); 3542 fail: 3543 m_freem(m); 3544 return (NULL); 3545 } 3546 3547 static struct ipsecaux * 3548 ipsec_addaux(m) 3549 struct mbuf *m; 3550 { 3551 struct m_tag *mtag; 3552 3553 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); 3554 if (mtag == NULL) { 3555 mtag = m_tag_get(PACKET_TAG_IPSEC_HISTORY, 3556 sizeof(struct ipsecaux), M_NOWAIT); 3557 if (mtag != NULL) 3558 m_tag_prepend(m, mtag); 3559 } 3560 if (mtag == NULL) 3561 return NULL; /* ENOBUFS */ 3562 /* XXX is this necessary? */ 3563 bzero((void *)(mtag + 1), sizeof(struct ipsecaux)); 3564 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL; 3565 } 3566 3567 static struct ipsecaux * 3568 ipsec_findaux(m) 3569 struct mbuf *m; 3570 { 3571 struct m_tag *mtag; 3572 3573 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); 3574 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL; 3575 } 3576 3577 void 3578 ipsec_delaux(m) 3579 struct mbuf *m; 3580 { 3581 struct m_tag *mtag; 3582 3583 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); 3584 if (mtag != NULL) 3585 m_tag_delete(m, mtag); 3586 } 3587 3588 /* if the aux buffer is unnecessary, nuke it. */ 3589 static void 3590 ipsec_optaux(m, aux) 3591 struct mbuf *m; 3592 struct ipsecaux *aux; 3593 { 3594 3595 if (aux == NULL) 3596 return; 3597 ipsec_delaux(m); 3598 } 3599 3600 int 3601 ipsec_addhist(m, proto, spi) 3602 struct mbuf *m; 3603 int proto; 3604 u_int32_t spi; 3605 { 3606 struct ipsecaux *aux; 3607 3608 aux = ipsec_addaux(m); 3609 if (aux == NULL) 3610 return ENOBUFS; 3611 aux->hdrs++; 3612 return 0; 3613 } 3614 3615 int 3616 ipsec_getnhist(m) 3617 struct mbuf *m; 3618 { 3619 struct ipsecaux *aux; 3620 3621 aux = ipsec_findaux(m); 3622 if (aux == NULL) 3623 return 0; 3624 return aux->hdrs; 3625 } 3626 3627 void 3628 ipsec_clearhist(m) 3629 struct mbuf *m; 3630 { 3631 struct ipsecaux *aux; 3632 3633 aux = ipsec_findaux(m); 3634 ipsec_optaux(m, aux); 3635 }
Cache object: 75e4c2d11d4f37bf2d1013fa560351db
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]