FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
1 /* $FreeBSD$ */
2 /* $KAME: ipsec.c,v 1.207 2004/01/13 03:30:42 itojun Exp $ */
3
4 /*-
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #include "opt_inet.h"
38 #include "opt_inet6.h"
39 #include "opt_ipsec.h"
40
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/malloc.h>
44 #include <sys/mbuf.h>
45 #include <sys/domain.h>
46 #include <sys/protosw.h>
47 #include <sys/socket.h>
48 #include <sys/socketvar.h>
49 #include <sys/errno.h>
50 #include <sys/time.h>
51 #include <sys/kernel.h>
52 #include <sys/syslog.h>
53 #include <sys/sysctl.h>
54 #include <sys/proc.h>
55
56 #include <net/if.h>
57 #include <net/route.h>
58
59 #include <netinet/in.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/ip.h>
62 #include <netinet/ip_var.h>
63 #include <netinet/in_var.h>
64 #include <netinet/udp.h>
65 #include <netinet/udp_var.h>
66 #include <netinet/ip_ecn.h>
67 #ifdef INET6
68 #include <netinet6/ip6_ecn.h>
69 #endif
70 #include <netinet/tcp.h>
71 #include <netinet/udp.h>
72
73 #include <netinet/ip6.h>
74 #ifdef INET6
75 #include <netinet6/ip6_var.h>
76 #include <netinet6/scope6_var.h>
77 #endif
78 #include <netinet/in_pcb.h>
79 #ifdef INET6
80 #include <netinet/icmp6.h>
81 #endif
82
83 #include <netinet6/ipsec.h>
84 #ifdef INET6
85 #include <netinet6/ipsec6.h>
86 #endif
87 #include <netinet6/ah.h>
88 #ifdef INET6
89 #include <netinet6/ah6.h>
90 #endif
91 #ifdef IPSEC_ESP
92 #include <netinet6/esp.h>
93 #ifdef INET6
94 #include <netinet6/esp6.h>
95 #endif
96 #endif
97 #include <netinet6/ipcomp.h>
98 #ifdef INET6
99 #include <netinet6/ipcomp6.h>
100 #endif
101 #include <netkey/key.h>
102 #include <netkey/keydb.h>
103 #include <netkey/key_debug.h>
104
105 #include <machine/in_cksum.h>
106 #include <net/net_osdep.h>
107
108 #ifdef IPSEC_DEBUG
109 int ipsec_debug = 1;
110 #else
111 int ipsec_debug = 0;
112 #endif
113
114 NET_NEEDS_GIANT("ipsec");
115
116 struct ipsecstat ipsecstat;
117 int ip4_ah_cleartos = 1;
118 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
119 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
120 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
121 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
122 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
123 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
124 struct secpolicy *ip4_def_policy;
125 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
126 int ip4_esp_randpad = -1;
127
128 static int sp_cachegen = 1; /* cache generation # */
129
130 SYSCTL_DECL(_net_inet_ipsec);
131 #ifdef INET6
132 SYSCTL_DECL(_net_inet6_ipsec6);
133 #endif
134
135 /* net.inet.ipsec */
136 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
137 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
138 #if 0
139 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
140 def_policy, CTLFLAG_RW, &ip4_def_policy->policy, 0, "");
141 #endif
142 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
143 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
144 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
145 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
146 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
147 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
148 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
149 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
150 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
151 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
152 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
153 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
154 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
155 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
156 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
157 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
158 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
159 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
160 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
161 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
162
163 #ifdef INET6
164 struct ipsecstat ipsec6stat;
165 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
166 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
167 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
168 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
169 struct secpolicy *ip6_def_policy;
170 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
171 int ip6_esp_randpad = -1;
172
173 /* net.inet6.ipsec6 */
174 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
175 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
176 #if 0
177 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
178 def_policy, CTLFLAG_RW, &ip6_def_policy->policy, 0, "");
179 #endif
180 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
181 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
182 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
183 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
184 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
185 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
186 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
187 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
188 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
189 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
190 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
191 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
192 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
193 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
194 #endif /* INET6 */
195
196 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
197 struct inpcbpolicy *, int));
198 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
199 struct secpolicy *, int));
200 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int));
201 static int ipsec_setspidx_mbuf
202 __P((struct secpolicyindex *, int, struct mbuf *, int));
203 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
204 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
205 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
206 #ifdef INET6
207 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
208 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
209 #endif
210 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
211 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
212 #if 0
213 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *));
214 #endif
215 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *));
216 static int ipsec_set_policy
217 __P((struct secpolicy **, int, caddr_t, size_t, int));
218 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
219 static void vshiftl __P((unsigned char *, int, int));
220 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
221 static size_t ipsec_hdrsiz __P((struct secpolicy *));
222 #ifdef INET
223 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
224 #endif
225 #ifdef INET6
226 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
227 #endif
228 #ifdef INET
229 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
230 #endif
231 #ifdef INET6
232 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
233 #endif
234 static struct ipsecaux *ipsec_addaux __P((struct mbuf *));
235 static struct ipsecaux *ipsec_findaux __P((struct mbuf *));
236 static void ipsec_optaux __P((struct mbuf *, struct ipsecaux *));
237 #ifdef INET
238 static int ipsec4_checksa __P((struct ipsecrequest *,
239 struct ipsec_output_state *));
240 #endif
241 #ifdef INET6
242 static int ipsec6_checksa __P((struct ipsecrequest *,
243 struct ipsec_output_state *, int));
244 #endif
245
246 /*
247 * try to validate and use cached policy on a pcb.
248 */
249 static struct secpolicy *
250 ipsec_checkpcbcache(m, pcbsp, dir)
251 struct mbuf *m;
252 struct inpcbpolicy *pcbsp;
253 int dir;
254 {
255 struct secpolicyindex spidx;
256 struct timeval mono_time;
257
258 microtime(&mono_time);
259
260 switch (dir) {
261 case IPSEC_DIR_INBOUND:
262 case IPSEC_DIR_OUTBOUND:
263 case IPSEC_DIR_ANY:
264 break;
265 default:
266 return NULL;
267 }
268 #ifdef DIAGNOSTIC
269 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0]))
270 panic("dir too big in ipsec_checkpcbcache");
271 #endif
272 /* SPD table change invalidates all the caches */
273 if (pcbsp->cachegen[dir] == 0 || sp_cachegen > pcbsp->cachegen[dir]) {
274 ipsec_invalpcbcache(pcbsp, dir);
275 return NULL;
276 }
277 if (!pcbsp->cache[dir])
278 return NULL;
279 if (pcbsp->cache[dir]->state != IPSEC_SPSTATE_ALIVE) {
280 ipsec_invalpcbcache(pcbsp, dir);
281 return NULL;
282 }
283 if ((pcbsp->cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
284 if (!pcbsp->cache[dir])
285 return NULL;
286 if (ipsec_setspidx(m, &spidx, 1) != 0)
287 return NULL;
288 if (bcmp(&pcbsp->cacheidx[dir], &spidx, sizeof(spidx))) {
289 if (!pcbsp->cache[dir]->spidx ||
290 !key_cmpspidx_withmask(pcbsp->cache[dir]->spidx,
291 &spidx))
292 return NULL;
293 pcbsp->cacheidx[dir] = spidx;
294 }
295 } else {
296 /*
297 * The pcb is connected, and the L4 code is sure that:
298 * - outgoing side uses inp_[lf]addr
299 * - incoming side looks up policy after inpcb lookup
300 * and address pair is known to be stable. We do not need
301 * to generate spidx again, nor check the address match again.
302 *
303 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds
304 * and there are calls to ipsec_pcbconn() from in_pcbconnect().
305 */
306 }
307
308 pcbsp->cache[dir]->lastused = mono_time.tv_sec;
309 pcbsp->cache[dir]->refcnt++;
310 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
311 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n",
312 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir]));
313 return pcbsp->cache[dir];
314 }
315
316 static int
317 ipsec_fillpcbcache(pcbsp, m, sp, dir)
318 struct inpcbpolicy *pcbsp;
319 struct mbuf *m;
320 struct secpolicy *sp;
321 int dir;
322 {
323
324 switch (dir) {
325 case IPSEC_DIR_INBOUND:
326 case IPSEC_DIR_OUTBOUND:
327 break;
328 default:
329 return EINVAL;
330 }
331 #ifdef DIAGNOSTIC
332 if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0]))
333 panic("dir too big in ipsec_checkpcbcache");
334 #endif
335
336 if (pcbsp->cache[dir])
337 key_freesp(pcbsp->cache[dir]);
338 pcbsp->cache[dir] = NULL;
339 if (ipsec_setspidx(m, &pcbsp->cacheidx[dir], 1) != 0) {
340 return EINVAL;
341 }
342 pcbsp->cache[dir] = sp;
343 if (pcbsp->cache[dir]) {
344 pcbsp->cache[dir]->refcnt++;
345 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
346 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n",
347 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir]));
348 }
349 pcbsp->cachegen[dir] = sp_cachegen;
350
351 return 0;
352 }
353
354 static int
355 ipsec_invalpcbcache(pcbsp, dir)
356 struct inpcbpolicy *pcbsp;
357 int dir;
358 {
359 int i;
360
361 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
362 if (dir != IPSEC_DIR_ANY && i != dir)
363 continue;
364 if (pcbsp->cache[i])
365 key_freesp(pcbsp->cache[i]);
366 pcbsp->cache[i] = NULL;
367 pcbsp->cachegen[i] = 0;
368 bzero(&pcbsp->cacheidx[i], sizeof(pcbsp->cacheidx[i]));
369 }
370 return 0;
371 }
372
373 int
374 ipsec_pcbconn(pcbsp)
375 struct inpcbpolicy *pcbsp;
376 {
377
378 pcbsp->cacheflags |= IPSEC_PCBSP_CONNECTED;
379 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
380 return 0;
381 }
382
383 int
384 ipsec_pcbdisconn(pcbsp)
385 struct inpcbpolicy *pcbsp;
386 {
387
388 pcbsp->cacheflags &= ~IPSEC_PCBSP_CONNECTED;
389 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
390 return 0;
391 }
392
393 int
394 ipsec_invalpcbcacheall()
395 {
396
397 sp_cachegen++;
398 return 0;
399 }
400
401 /*
402 * For OUTBOUND packet having a socket. Searching SPD for packet,
403 * and return a pointer to SP.
404 * OUT: NULL: no apropreate SP found, the following value is set to error.
405 * 0 : bypass
406 * EACCES : discard packet.
407 * ENOENT : ipsec_acquire() in progress, maybe.
408 * others : error occured.
409 * others: a pointer to SP
410 *
411 * NOTE: IPv6 mapped adddress concern is implemented here.
412 */
413 struct secpolicy *
414 ipsec4_getpolicybypcb(m, dir, inp, error)
415 struct mbuf *m;
416 u_int dir;
417 struct inpcb *inp;
418 int *error;
419 {
420 struct inpcbpolicy *pcbsp = NULL;
421 struct secpolicy *currsp = NULL; /* policy on socket */
422 struct secpolicy *kernsp = NULL; /* policy on kernel */
423 struct secpolicyindex spidx;
424 u_int16_t tag;
425
426 /* sanity check */
427 if (m == NULL || inp == NULL || error == NULL)
428 panic("ipsec4_getpolicybypcb: NULL pointer was passed.");
429
430 pcbsp = inp->inp_sp;
431
432 #ifdef DIAGNOSTIC
433 if (pcbsp == NULL)
434 panic("ipsec4_getpolicybypcb: pcbsp is NULL.");
435 #endif
436
437 tag = 0;
438
439 /* if we have a cached entry, and if it is still valid, use it. */
440 ipsecstat.spdcachelookup++;
441 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
442 if (currsp) {
443 *error = 0;
444 return currsp;
445 }
446 ipsecstat.spdcachemiss++;
447
448 switch (dir) {
449 case IPSEC_DIR_INBOUND:
450 currsp = pcbsp->sp_in;
451 break;
452 case IPSEC_DIR_OUTBOUND:
453 currsp = pcbsp->sp_out;
454 break;
455 default:
456 panic("ipsec4_getpolicybypcb: illegal direction.");
457 }
458
459 /* sanity check */
460 if (currsp == NULL)
461 panic("ipsec4_getpolicybypcb: currsp is NULL.");
462
463 /* when privileged socket */
464 if (pcbsp->priv) {
465 switch (currsp->policy) {
466 case IPSEC_POLICY_BYPASS:
467 currsp->refcnt++;
468 *error = 0;
469 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
470 return currsp;
471
472 case IPSEC_POLICY_ENTRUST:
473 /* look for a policy in SPD */
474 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
475 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
476 /* SP found */
477 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
478 printf("DP ipsec4_getpolicybypcb called "
479 "to allocate SP:%p\n", kernsp));
480 *error = 0;
481 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
482 return kernsp;
483 }
484
485 /* no SP found */
486 ip4_def_policy->refcnt++;
487 *error = 0;
488 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
489 return ip4_def_policy;
490
491 case IPSEC_POLICY_IPSEC:
492 currsp->refcnt++;
493 *error = 0;
494 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
495 return currsp;
496
497 default:
498 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
499 "Invalid policy for PCB %d\n", currsp->policy));
500 *error = EINVAL;
501 return NULL;
502 }
503 /* NOTREACHED */
504 }
505
506 /* when non-privileged socket */
507 /* look for a policy in SPD */
508 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
509 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
510 /* SP found */
511 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
512 printf("DP ipsec4_getpolicybypcb called "
513 "to allocate SP:%p\n", kernsp));
514 *error = 0;
515 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
516 return kernsp;
517 }
518
519 /* no SP found */
520 switch (currsp->policy) {
521 case IPSEC_POLICY_BYPASS:
522 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
523 "Illegal policy for non-privileged defined %d\n",
524 currsp->policy));
525 *error = EINVAL;
526 return NULL;
527
528 case IPSEC_POLICY_ENTRUST:
529 ip4_def_policy->refcnt++;
530 *error = 0;
531 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
532 return ip4_def_policy;
533
534 case IPSEC_POLICY_IPSEC:
535 currsp->refcnt++;
536 *error = 0;
537 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
538 return currsp;
539
540 default:
541 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
542 "Invalid policy for PCB %d\n", currsp->policy));
543 *error = EINVAL;
544 return NULL;
545 }
546 /* NOTREACHED */
547 }
548
549 /*
550 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
551 * and return a pointer to SP.
552 * OUT: positive: a pointer to the entry for security policy leaf matched.
553 * NULL: no apropreate SP found, the following value is set to error.
554 * 0 : bypass
555 * EACCES : discard packet.
556 * ENOENT : ipsec_acquire() in progress, maybe.
557 * others : error occured.
558 */
559 struct secpolicy *
560 ipsec4_getpolicybyaddr(m, dir, flag, error)
561 struct mbuf *m;
562 u_int dir;
563 int flag;
564 int *error;
565 {
566 struct secpolicy *sp = NULL;
567 u_int16_t tag;
568
569 /* sanity check */
570 if (m == NULL || error == NULL)
571 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
572
573 /* get a policy entry matched with the packet */
574 {
575 struct secpolicyindex spidx;
576
577 bzero(&spidx, sizeof(spidx));
578
579 /* make an index to look for a policy */
580 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m,
581 (flag & IP_FORWARDING) ? 0 : 1);
582
583 if (*error != 0)
584 return NULL;
585
586 tag = 0;
587
588 sp = key_allocsp(tag, &spidx, dir);
589 }
590
591 /* SP found */
592 if (sp != NULL) {
593 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
594 printf("DP ipsec4_getpolicybyaddr called "
595 "to allocate SP:%p\n", sp));
596 *error = 0;
597 return sp;
598 }
599
600 /* no SP found */
601 ip4_def_policy->refcnt++;
602 *error = 0;
603 return ip4_def_policy;
604 }
605
606 #ifdef INET6
607 /*
608 * For OUTBOUND packet having a socket. Searching SPD for packet,
609 * and return a pointer to SP.
610 * OUT: NULL: no apropreate SP found, the following value is set to error.
611 * 0 : bypass
612 * EACCES : discard packet.
613 * ENOENT : ipsec_acquire() in progress, maybe.
614 * others : error occured.
615 * others: a pointer to SP
616 */
617 struct secpolicy *
618 ipsec6_getpolicybypcb(m, dir, inp, error)
619 struct mbuf *m;
620 u_int dir;
621 struct inpcb *inp;
622 int *error;
623 {
624 struct inpcbpolicy *pcbsp = NULL;
625 struct secpolicy *currsp = NULL; /* policy on socket */
626 struct secpolicy *kernsp = NULL; /* policy on kernel */
627 struct secpolicyindex spidx;
628 u_int16_t tag;
629
630 /* sanity check */
631 if (m == NULL || inp == NULL || error == NULL)
632 panic("ipsec6_getpolicybypcb: NULL pointer was passed.");
633
634 #ifdef DIAGNOSTIC
635 if ((inp->inp_vflag & INP_IPV6PROTO) == 0)
636 panic("ipsec6_getpolicybypcb: socket domain != inet6");
637 #endif
638
639 pcbsp = inp->in6p_sp;
640
641 #ifdef DIAGNOSTIC
642 if (pcbsp == NULL)
643 panic("ipsec6_getpolicybypcb: pcbsp is NULL.");
644 #endif
645
646 tag = 0;
647
648 /* if we have a cached entry, and if it is still valid, use it. */
649 ipsec6stat.spdcachelookup++;
650 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
651 if (currsp) {
652 *error = 0;
653 return currsp;
654 }
655 ipsec6stat.spdcachemiss++;
656
657 switch (dir) {
658 case IPSEC_DIR_INBOUND:
659 currsp = pcbsp->sp_in;
660 break;
661 case IPSEC_DIR_OUTBOUND:
662 currsp = pcbsp->sp_out;
663 break;
664 default:
665 panic("ipsec6_getpolicybypcb: illegal direction.");
666 }
667
668 /* sanity check */
669 if (currsp == NULL)
670 panic("ipsec6_getpolicybypcb: currsp is NULL.");
671
672 /* when privileged socket */
673 if (pcbsp->priv) {
674 switch (currsp->policy) {
675 case IPSEC_POLICY_BYPASS:
676 currsp->refcnt++;
677 *error = 0;
678 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
679 return currsp;
680
681 case IPSEC_POLICY_ENTRUST:
682 /* look for a policy in SPD */
683 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
684 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
685 /* SP found */
686 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
687 printf("DP ipsec6_getpolicybypcb called "
688 "to allocate SP:%p\n", kernsp));
689 *error = 0;
690 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
691 return kernsp;
692 }
693
694 /* no SP found */
695 ip6_def_policy->refcnt++;
696 *error = 0;
697 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
698 return ip6_def_policy;
699
700 case IPSEC_POLICY_IPSEC:
701 currsp->refcnt++;
702 *error = 0;
703 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
704 return currsp;
705
706 default:
707 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: "
708 "Invalid policy for PCB %d\n", currsp->policy));
709 *error = EINVAL;
710 return NULL;
711 }
712 /* NOTREACHED */
713 }
714
715 /* when non-privileged socket */
716 /* look for a policy in SPD */
717 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
718 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
719 /* SP found */
720 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
721 printf("DP ipsec6_getpolicybypcb called "
722 "to allocate SP:%p\n", kernsp));
723 *error = 0;
724 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
725 return kernsp;
726 }
727
728 /* no SP found */
729 switch (currsp->policy) {
730 case IPSEC_POLICY_BYPASS:
731 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: "
732 "Illegal policy for non-privileged defined %d\n",
733 currsp->policy));
734 *error = EINVAL;
735 return NULL;
736
737 case IPSEC_POLICY_ENTRUST:
738 ip6_def_policy->refcnt++;
739 *error = 0;
740 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
741 return ip6_def_policy;
742
743 case IPSEC_POLICY_IPSEC:
744 currsp->refcnt++;
745 *error = 0;
746 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
747 return currsp;
748
749 default:
750 ipseclog((LOG_ERR,
751 "ipsec6_policybysock: Invalid policy for PCB %d\n",
752 currsp->policy));
753 *error = EINVAL;
754 return NULL;
755 }
756 /* NOTREACHED */
757 }
758
759 /*
760 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
761 * and return a pointer to SP.
762 * `flag' means that packet is to be forwarded whether or not.
763 * flag = 1: forwad
764 * OUT: positive: a pointer to the entry for security policy leaf matched.
765 * NULL: no apropreate SP found, the following value is set to error.
766 * 0 : bypass
767 * EACCES : discard packet.
768 * ENOENT : ipsec_acquire() in progress, maybe.
769 * others : error occured.
770 */
771 #ifndef IP_FORWARDING
772 #define IP_FORWARDING 1
773 #endif
774
775 struct secpolicy *
776 ipsec6_getpolicybyaddr(m, dir, flag, error)
777 struct mbuf *m;
778 u_int dir;
779 int flag;
780 int *error;
781 {
782 struct secpolicy *sp = NULL;
783 u_int16_t tag;
784
785 /* sanity check */
786 if (m == NULL || error == NULL)
787 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
788
789 /* get a policy entry matched with the packet */
790 {
791 struct secpolicyindex spidx;
792
793 bzero(&spidx, sizeof(spidx));
794
795 /* make an index to look for a policy */
796 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m,
797 (flag & IP_FORWARDING) ? 0 : 1);
798
799 if (*error != 0)
800 return NULL;
801
802 tag = 0;
803
804 sp = key_allocsp(tag, &spidx, dir);
805 }
806
807 /* SP found */
808 if (sp != NULL) {
809 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
810 printf("DP ipsec6_getpolicybyaddr called "
811 "to allocate SP:%p\n", sp));
812 *error = 0;
813 return sp;
814 }
815
816 /* no SP found */
817 ip6_def_policy->refcnt++;
818 *error = 0;
819 return ip6_def_policy;
820 }
821 #endif /* INET6 */
822
823 /*
824 * set IP address into spidx from mbuf.
825 * When Forwarding packet and ICMP echo reply, this function is used.
826 *
827 * IN: get the followings from mbuf.
828 * protocol family, src, dst, next protocol
829 * OUT:
830 * 0: success.
831 * other: failure, and set errno.
832 */
833 int
834 ipsec_setspidx_mbuf(spidx, family, m, needport)
835 struct secpolicyindex *spidx;
836 int family;
837 struct mbuf *m;
838 int needport;
839 {
840 int error;
841
842 /* sanity check */
843 if (spidx == NULL || m == NULL)
844 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
845
846 bzero(spidx, sizeof(*spidx));
847
848 error = ipsec_setspidx(m, spidx, needport);
849 if (error)
850 goto bad;
851
852 return 0;
853
854 bad:
855 /* XXX initialize */
856 bzero(spidx, sizeof(*spidx));
857 return EINVAL;
858 }
859
860 /*
861 * configure security policy index (src/dst/proto/sport/dport)
862 * by looking at the content of mbuf.
863 * the caller is responsible for error recovery (like clearing up spidx).
864 */
865 static int
866 ipsec_setspidx(m, spidx, needport)
867 struct mbuf *m;
868 struct secpolicyindex *spidx;
869 int needport;
870 {
871 struct ip *ip = NULL;
872 struct ip ipbuf;
873 u_int v;
874 struct mbuf *n;
875 int len;
876 int error;
877
878 if (m == NULL)
879 panic("ipsec_setspidx: m == 0 passed.");
880
881 bzero(spidx, sizeof(*spidx));
882
883 /*
884 * validate m->m_pkthdr.len. we see incorrect length if we
885 * mistakenly call this function with inconsistent mbuf chain
886 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
887 */
888 len = 0;
889 for (n = m; n; n = n->m_next)
890 len += n->m_len;
891 if (m->m_pkthdr.len != len) {
892 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
893 printf("ipsec_setspidx: "
894 "total of m_len(%d) != pkthdr.len(%d), "
895 "ignored.\n",
896 len, m->m_pkthdr.len));
897 return EINVAL;
898 }
899
900 if (m->m_pkthdr.len < sizeof(struct ip)) {
901 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
902 printf("ipsec_setspidx: "
903 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
904 m->m_pkthdr.len));
905 return EINVAL;
906 }
907
908 if (m->m_len >= sizeof(*ip))
909 ip = mtod(m, struct ip *);
910 else {
911 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
912 ip = &ipbuf;
913 }
914 #ifdef _IP_VHL
915 v = _IP_VHL_V(ip->ip_vhl);
916 #else
917 v = ip->ip_v;
918 #endif
919 switch (v) {
920 case 4:
921 error = ipsec4_setspidx_ipaddr(m, spidx);
922 if (error)
923 return error;
924 ipsec4_get_ulp(m, spidx, needport);
925 return 0;
926 #ifdef INET6
927 case 6:
928 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
929 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
930 printf("ipsec_setspidx: "
931 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
932 "ignored.\n", m->m_pkthdr.len));
933 return EINVAL;
934 }
935 error = ipsec6_setspidx_ipaddr(m, spidx);
936 if (error)
937 return error;
938 ipsec6_get_ulp(m, spidx, needport);
939 return 0;
940 #endif
941 default:
942 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
943 printf("ipsec_setspidx: "
944 "unknown IP version %u, ignored.\n", v));
945 return EINVAL;
946 }
947 }
948
949 static void
950 ipsec4_get_ulp(m, spidx, needport)
951 struct mbuf *m;
952 struct secpolicyindex *spidx;
953 int needport;
954 {
955 struct ip ip;
956 struct ip6_ext ip6e;
957 u_int8_t nxt;
958 int off;
959 struct tcphdr th;
960 struct udphdr uh;
961
962 /* sanity check */
963 if (m == NULL)
964 panic("ipsec4_get_ulp: NULL pointer was passed.");
965 if (m->m_pkthdr.len < sizeof(ip))
966 panic("ipsec4_get_ulp: too short");
967
968 /* set default */
969 spidx->ul_proto = IPSEC_ULPROTO_ANY;
970 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
971 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
972
973 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
974 /* ip_input() flips it into host endian XXX need more checking */
975 if (ip.ip_off & (IP_MF | IP_OFFMASK))
976 return;
977
978 nxt = ip.ip_p;
979 #ifdef _IP_VHL
980 off = _IP_VHL_HL(ip->ip_vhl) << 2;
981 #else
982 off = ip.ip_hl << 2;
983 #endif
984 while (off < m->m_pkthdr.len) {
985 switch (nxt) {
986 case IPPROTO_TCP:
987 spidx->ul_proto = nxt;
988 if (!needport)
989 return;
990 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
991 return;
992 m_copydata(m, off, sizeof(th), (caddr_t)&th);
993 ((struct sockaddr_in *)&spidx->src)->sin_port =
994 th.th_sport;
995 ((struct sockaddr_in *)&spidx->dst)->sin_port =
996 th.th_dport;
997 return;
998 case IPPROTO_UDP:
999 spidx->ul_proto = nxt;
1000 if (!needport)
1001 return;
1002 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1003 return;
1004 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1005 ((struct sockaddr_in *)&spidx->src)->sin_port =
1006 uh.uh_sport;
1007 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1008 uh.uh_dport;
1009 return;
1010 case IPPROTO_AH:
1011 if (off + sizeof(ip6e) > m->m_pkthdr.len)
1012 return;
1013 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1014 off += (ip6e.ip6e_len + 2) << 2;
1015 nxt = ip6e.ip6e_nxt;
1016 break;
1017 case IPPROTO_ICMP:
1018 default:
1019 /* XXX intermediate headers??? */
1020 spidx->ul_proto = nxt;
1021 return;
1022 }
1023 }
1024 }
1025
1026 /* assumes that m is sane */
1027 static int
1028 ipsec4_setspidx_ipaddr(m, spidx)
1029 struct mbuf *m;
1030 struct secpolicyindex *spidx;
1031 {
1032 struct ip *ip = NULL;
1033 struct ip ipbuf;
1034 struct sockaddr_in *sin;
1035
1036 if (m->m_len >= sizeof(*ip))
1037 ip = mtod(m, struct ip *);
1038 else {
1039 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1040 ip = &ipbuf;
1041 }
1042
1043 sin = (struct sockaddr_in *)&spidx->src;
1044 bzero(sin, sizeof(*sin));
1045 sin->sin_family = AF_INET;
1046 sin->sin_len = sizeof(struct sockaddr_in);
1047 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1048 spidx->prefs = sizeof(struct in_addr) << 3;
1049
1050 sin = (struct sockaddr_in *)&spidx->dst;
1051 bzero(sin, sizeof(*sin));
1052 sin->sin_family = AF_INET;
1053 sin->sin_len = sizeof(struct sockaddr_in);
1054 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1055 spidx->prefd = sizeof(struct in_addr) << 3;
1056 return 0;
1057 }
1058
1059 #ifdef INET6
1060 static void
1061 ipsec6_get_ulp(m, spidx, needport)
1062 struct mbuf *m;
1063 struct secpolicyindex *spidx;
1064 int needport;
1065 {
1066 int off, nxt;
1067 struct tcphdr th;
1068 struct udphdr uh;
1069 struct icmp6_hdr ih;
1070
1071 /* sanity check */
1072 if (m == NULL)
1073 panic("ipsec6_get_ulp: NULL pointer was passed.");
1074
1075 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1076 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1077
1078 /* set default */
1079 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1080 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1081 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1082
1083 nxt = -1;
1084 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1085 if (off < 0 || m->m_pkthdr.len < off)
1086 return;
1087
1088 switch (nxt) {
1089 case IPPROTO_TCP:
1090 spidx->ul_proto = nxt;
1091 if (!needport)
1092 break;
1093 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1094 break;
1095 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1096 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1097 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1098 break;
1099 case IPPROTO_UDP:
1100 spidx->ul_proto = nxt;
1101 if (!needport)
1102 break;
1103 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1104 break;
1105 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1106 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1107 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1108 break;
1109 case IPPROTO_ICMPV6:
1110 spidx->ul_proto = nxt;
1111 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
1112 break;
1113 m_copydata(m, off, sizeof(ih), (caddr_t)&ih);
1114 ((struct sockaddr_in6 *)&spidx->src)->sin6_port =
1115 htons((u_int16_t)ih.icmp6_type);
1116 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
1117 htons((u_int16_t)ih.icmp6_code);
1118 break;
1119 default:
1120 /* XXX intermediate headers??? */
1121 spidx->ul_proto = nxt;
1122 break;
1123 }
1124 }
1125
1126 /* assumes that m is sane */
1127 static int
1128 ipsec6_setspidx_ipaddr(m, spidx)
1129 struct mbuf *m;
1130 struct secpolicyindex *spidx;
1131 {
1132 struct ip6_hdr *ip6 = NULL;
1133 struct ip6_hdr ip6buf;
1134 struct sockaddr_in6 *sin6;
1135
1136 if (m->m_len >= sizeof(*ip6))
1137 ip6 = mtod(m, struct ip6_hdr *);
1138 else {
1139 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1140 ip6 = &ip6buf;
1141 }
1142
1143 sin6 = (struct sockaddr_in6 *)&spidx->src;
1144 bzero(sin6, sizeof(*sin6));
1145 sin6->sin6_family = AF_INET6;
1146 sin6->sin6_len = sizeof(struct sockaddr_in6);
1147 sin6->sin6_addr = ip6->ip6_src;
1148 spidx->prefs = sizeof(struct in6_addr) << 3;
1149
1150 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1151 bzero(sin6, sizeof(*sin6));
1152 sin6->sin6_family = AF_INET6;
1153 sin6->sin6_len = sizeof(struct sockaddr_in6);
1154 sin6->sin6_addr = ip6->ip6_dst;
1155 spidx->prefd = sizeof(struct in6_addr) << 3;
1156
1157 return 0;
1158 }
1159 #endif
1160
1161 static struct inpcbpolicy *
1162 ipsec_newpcbpolicy()
1163 {
1164 struct inpcbpolicy *p;
1165
1166 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
1167 return p;
1168 }
1169
1170 static void
1171 ipsec_delpcbpolicy(p)
1172 struct inpcbpolicy *p;
1173 {
1174
1175 free(p, M_SECA);
1176 }
1177
1178 /* initialize policy in PCB */
1179 int
1180 ipsec_init_pcbpolicy(so, pcb_sp)
1181 struct socket *so;
1182 struct inpcbpolicy **pcb_sp;
1183 {
1184 struct inpcbpolicy *new;
1185 static int initialized = 0;
1186 static struct secpolicy *in = NULL, *out = NULL;
1187
1188 /* sanity check. */
1189 if (so == NULL || pcb_sp == NULL)
1190 panic("ipsec_init_pcbpolicy: NULL pointer was passed.");
1191
1192 if (!initialized) {
1193 if ((in = key_newsp(0)) == NULL)
1194 return ENOBUFS;
1195 if ((out = key_newsp(0)) == NULL) {
1196 key_freesp(in);
1197 in = NULL;
1198 return ENOBUFS;
1199 }
1200
1201 in->state = IPSEC_SPSTATE_ALIVE;
1202 in->policy = IPSEC_POLICY_ENTRUST;
1203 in->dir = IPSEC_DIR_INBOUND;
1204 in->readonly = 1;
1205 in->persist = 1;
1206 in->so = NULL;
1207
1208 out->state = IPSEC_SPSTATE_ALIVE;
1209 out->policy = IPSEC_POLICY_ENTRUST;
1210 out->dir = IPSEC_DIR_OUTBOUND;
1211 out->readonly = 1;
1212 out->persist = 1;
1213 out->so = NULL;
1214
1215 initialized++;
1216 }
1217
1218 new = ipsec_newpcbpolicy();
1219 if (new == NULL) {
1220 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n"));
1221 return ENOBUFS;
1222 }
1223 bzero(new, sizeof(*new));
1224
1225 if (so->so_cred != NULL &&
1226 suser_cred(so->so_cred, SUSER_ALLOWJAIL) == 0)
1227 new->priv = 1;
1228 else
1229 new->priv = 0;
1230
1231 new->sp_in = in;
1232 new->sp_in->refcnt++;
1233 new->sp_out = out;
1234 new->sp_out->refcnt++;
1235
1236 *pcb_sp = new;
1237
1238 return 0;
1239 }
1240
1241 /* copy old ipsec policy into new */
1242 int
1243 ipsec_copy_pcbpolicy(old, new)
1244 struct inpcbpolicy *old, *new;
1245 {
1246
1247 if (new->sp_in)
1248 key_freesp(new->sp_in);
1249 if (old->sp_in->policy == IPSEC_POLICY_IPSEC)
1250 new->sp_in = ipsec_deepcopy_policy(old->sp_in);
1251 else {
1252 new->sp_in = old->sp_in;
1253 new->sp_in->refcnt++;
1254 }
1255
1256 if (new->sp_out)
1257 key_freesp(new->sp_out);
1258 if (old->sp_out->policy == IPSEC_POLICY_IPSEC)
1259 new->sp_out = ipsec_deepcopy_policy(old->sp_out);
1260 else {
1261 new->sp_out = old->sp_out;
1262 new->sp_out->refcnt++;
1263 }
1264
1265 new->priv = old->priv;
1266
1267 return 0;
1268 }
1269
1270 #if 0
1271 static int
1272 ipsec_deepcopy_pcbpolicy(pcb_sp)
1273 struct inpcbpolicy *pcb_sp;
1274 {
1275 struct secpolicy *sp;
1276
1277 sp = ipsec_deepcopy_policy(pcb_sp->sp_in);
1278 if (sp) {
1279 key_freesp(pcb_sp->sp_in);
1280 pcb_sp->sp_in = sp;
1281 } else
1282 return ENOBUFS;
1283
1284 sp = ipsec_deepcopy_policy(pcb_sp->sp_out);
1285 if (sp) {
1286 key_freesp(pcb_sp->sp_out);
1287 pcb_sp->sp_out = sp;
1288 } else
1289 return ENOBUFS;
1290
1291 return 0;
1292 }
1293 #endif
1294
1295 /* deep-copy a policy in PCB */
1296 static struct secpolicy *
1297 ipsec_deepcopy_policy(src)
1298 struct secpolicy *src;
1299 {
1300 struct ipsecrequest *newchain = NULL;
1301 struct ipsecrequest *p;
1302 struct ipsecrequest **q;
1303 struct ipsecrequest *r;
1304 struct secpolicy *dst;
1305
1306 if (src == NULL)
1307 return NULL;
1308
1309 dst = key_newsp(0);
1310 if (dst == NULL)
1311 return NULL;
1312
1313 /*
1314 * deep-copy IPsec request chain. This is required since struct
1315 * ipsecrequest is not reference counted.
1316 */
1317 q = &newchain;
1318 for (p = src->req; p; p = p->next) {
1319 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
1320 M_SECA, M_NOWAIT);
1321 if (*q == NULL)
1322 goto fail;
1323 bzero(*q, sizeof(**q));
1324 (*q)->next = NULL;
1325
1326 (*q)->saidx.proto = p->saidx.proto;
1327 (*q)->saidx.mode = p->saidx.mode;
1328 (*q)->level = p->level;
1329 (*q)->saidx.reqid = p->saidx.reqid;
1330
1331 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1332 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1333
1334 (*q)->sav = NULL;
1335 (*q)->sp = dst;
1336
1337 q = &((*q)->next);
1338 }
1339
1340 if (src->spidx)
1341 if (keydb_setsecpolicyindex(dst, src->spidx) != 0)
1342 goto fail;
1343
1344 dst->req = newchain;
1345 dst->state = src->state;
1346 dst->policy = src->policy;
1347 dst->dir = src->dir;
1348 dst->so = src->so;
1349 /* do not touch the refcnt fields */
1350
1351 return dst;
1352
1353 fail:
1354 for (p = newchain; p; p = r) {
1355 r = p->next;
1356 free(p, M_SECA);
1357 p = NULL;
1358 }
1359 key_freesp(dst);
1360 return NULL;
1361 }
1362
1363 /* set policy and ipsec request if present. */
1364 static int
1365 ipsec_set_policy(spp, optname, request, len, priv)
1366 struct secpolicy **spp;
1367 int optname;
1368 caddr_t request;
1369 size_t len;
1370 int priv;
1371 {
1372 struct sadb_x_policy *xpl;
1373 struct secpolicy *newsp = NULL;
1374 int error;
1375
1376 /* sanity check. */
1377 if (spp == NULL || *spp == NULL || request == NULL)
1378 return EINVAL;
1379 if (len < sizeof(*xpl))
1380 return EINVAL;
1381 xpl = (struct sadb_x_policy *)request;
1382
1383 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1384 printf("ipsec_set_policy: passed policy\n");
1385 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1386
1387 /* check policy type */
1388 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1389 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
1390 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1391 return EINVAL;
1392
1393 /* check privileged socket */
1394 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1395 return EACCES;
1396
1397 /* allocation new SP entry */
1398 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1399 return error;
1400
1401 newsp->state = IPSEC_SPSTATE_ALIVE;
1402
1403 /* clear old SP and set new SP */
1404 key_freesp(*spp);
1405 *spp = newsp;
1406 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1407 printf("ipsec_set_policy: new policy\n");
1408 kdebug_secpolicy(newsp));
1409
1410 return 0;
1411 }
1412
1413 static int
1414 ipsec_get_policy(sp, mp)
1415 struct secpolicy *sp;
1416 struct mbuf **mp;
1417 {
1418
1419 /* sanity check. */
1420 if (sp == NULL || mp == NULL)
1421 return EINVAL;
1422
1423 *mp = key_sp2msg(sp);
1424 if (!*mp) {
1425 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1426 return ENOBUFS;
1427 }
1428
1429 (*mp)->m_type = MT_DATA;
1430 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1431 printf("ipsec_get_policy:\n");
1432 kdebug_mbuf(*mp));
1433
1434 return 0;
1435 }
1436
1437 int
1438 ipsec4_set_policy(inp, optname, request, len, priv)
1439 struct inpcb *inp;
1440 int optname;
1441 caddr_t request;
1442 size_t len;
1443 int priv;
1444 {
1445 struct sadb_x_policy *xpl;
1446 struct secpolicy **spp;
1447
1448 /* sanity check. */
1449 if (inp == NULL || request == NULL)
1450 return EINVAL;
1451 if (len < sizeof(*xpl))
1452 return EINVAL;
1453 xpl = (struct sadb_x_policy *)request;
1454
1455 /* select direction */
1456 switch (xpl->sadb_x_policy_dir) {
1457 case IPSEC_DIR_INBOUND:
1458 spp = &inp->inp_sp->sp_in;
1459 break;
1460 case IPSEC_DIR_OUTBOUND:
1461 spp = &inp->inp_sp->sp_out;
1462 break;
1463 default:
1464 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1465 xpl->sadb_x_policy_dir));
1466 return EINVAL;
1467 }
1468
1469 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1470 return ipsec_set_policy(spp, optname, request, len, priv);
1471 }
1472
1473 int
1474 ipsec4_get_policy(inp, request, len, mp)
1475 struct inpcb *inp;
1476 caddr_t request;
1477 size_t len;
1478 struct mbuf **mp;
1479 {
1480 struct sadb_x_policy *xpl;
1481 struct secpolicy *sp;
1482
1483 /* sanity check. */
1484 if (inp == NULL || request == NULL || mp == NULL)
1485 return EINVAL;
1486 if (inp->inp_sp == NULL)
1487 panic("policy in PCB is NULL");
1488 if (len < sizeof(*xpl))
1489 return EINVAL;
1490 xpl = (struct sadb_x_policy *)request;
1491
1492 /* select direction */
1493 switch (xpl->sadb_x_policy_dir) {
1494 case IPSEC_DIR_INBOUND:
1495 sp = inp->inp_sp->sp_in;
1496 break;
1497 case IPSEC_DIR_OUTBOUND:
1498 sp = inp->inp_sp->sp_out;
1499 break;
1500 default:
1501 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n",
1502 xpl->sadb_x_policy_dir));
1503 return EINVAL;
1504 }
1505
1506 return ipsec_get_policy(sp, mp);
1507 }
1508
1509 /* delete policy in PCB */
1510 int
1511 ipsec4_delete_pcbpolicy(inp)
1512 struct inpcb *inp;
1513 {
1514 /* sanity check. */
1515 if (inp == NULL)
1516 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1517
1518 if (inp->inp_sp == NULL)
1519 return 0;
1520
1521 if (inp->inp_sp->sp_in != NULL) {
1522 key_freesp(inp->inp_sp->sp_in);
1523 inp->inp_sp->sp_in = NULL;
1524 }
1525
1526 if (inp->inp_sp->sp_out != NULL) {
1527 key_freesp(inp->inp_sp->sp_out);
1528 inp->inp_sp->sp_out = NULL;
1529 }
1530
1531 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1532
1533 ipsec_delpcbpolicy(inp->inp_sp);
1534 inp->inp_sp = NULL;
1535
1536 return 0;
1537 }
1538
1539 #ifdef INET6
1540 int
1541 ipsec6_set_policy(in6p, optname, request, len, priv)
1542 struct in6pcb *in6p;
1543 int optname;
1544 caddr_t request;
1545 size_t len;
1546 int priv;
1547 {
1548 struct sadb_x_policy *xpl;
1549 struct secpolicy **spp;
1550
1551 /* sanity check. */
1552 if (in6p == NULL || request == NULL)
1553 return EINVAL;
1554 if (len < sizeof(*xpl))
1555 return EINVAL;
1556 xpl = (struct sadb_x_policy *)request;
1557
1558 /* select direction */
1559 switch (xpl->sadb_x_policy_dir) {
1560 case IPSEC_DIR_INBOUND:
1561 spp = &in6p->in6p_sp->sp_in;
1562 break;
1563 case IPSEC_DIR_OUTBOUND:
1564 spp = &in6p->in6p_sp->sp_out;
1565 break;
1566 default:
1567 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1568 xpl->sadb_x_policy_dir));
1569 return EINVAL;
1570 }
1571
1572 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1573 return ipsec_set_policy(spp, optname, request, len, priv);
1574 }
1575
1576 int
1577 ipsec6_get_policy(in6p, request, len, mp)
1578 struct in6pcb *in6p;
1579 caddr_t request;
1580 size_t len;
1581 struct mbuf **mp;
1582 {
1583 struct sadb_x_policy *xpl;
1584 struct secpolicy *sp;
1585
1586 /* sanity check. */
1587 if (in6p == NULL || request == NULL || mp == NULL)
1588 return EINVAL;
1589 if (in6p->in6p_sp == NULL)
1590 panic("policy in PCB is NULL");
1591 if (len < sizeof(*xpl))
1592 return EINVAL;
1593 xpl = (struct sadb_x_policy *)request;
1594
1595 /* select direction */
1596 switch (xpl->sadb_x_policy_dir) {
1597 case IPSEC_DIR_INBOUND:
1598 sp = in6p->in6p_sp->sp_in;
1599 break;
1600 case IPSEC_DIR_OUTBOUND:
1601 sp = in6p->in6p_sp->sp_out;
1602 break;
1603 default:
1604 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n",
1605 xpl->sadb_x_policy_dir));
1606 return EINVAL;
1607 }
1608
1609 return ipsec_get_policy(sp, mp);
1610 }
1611
1612 int
1613 ipsec6_delete_pcbpolicy(in6p)
1614 struct in6pcb *in6p;
1615 {
1616 /* sanity check. */
1617 if (in6p == NULL)
1618 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1619
1620 if (in6p->in6p_sp == NULL)
1621 return 0;
1622
1623 if (in6p->in6p_sp->sp_in != NULL) {
1624 key_freesp(in6p->in6p_sp->sp_in);
1625 in6p->in6p_sp->sp_in = NULL;
1626 }
1627
1628 if (in6p->in6p_sp->sp_out != NULL) {
1629 key_freesp(in6p->in6p_sp->sp_out);
1630 in6p->in6p_sp->sp_out = NULL;
1631 }
1632
1633 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1634
1635 ipsec_delpcbpolicy(in6p->in6p_sp);
1636 in6p->in6p_sp = NULL;
1637
1638 return 0;
1639 }
1640 #endif
1641
1642 /*
1643 * return current level.
1644 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1645 */
1646 u_int
1647 ipsec_get_reqlevel(isr, af)
1648 struct ipsecrequest *isr;
1649 int af;
1650 {
1651 u_int level = 0;
1652 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1653
1654 /* sanity check */
1655 if (isr == NULL || isr->sp == NULL)
1656 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1657
1658 /* set default level */
1659 switch (af) {
1660 #ifdef INET
1661 case AF_INET:
1662 esp_trans_deflev = ip4_esp_trans_deflev;
1663 esp_net_deflev = ip4_esp_net_deflev;
1664 ah_trans_deflev = ip4_ah_trans_deflev;
1665 ah_net_deflev = ip4_ah_net_deflev;
1666 break;
1667 #endif
1668 #ifdef INET6
1669 case AF_INET6:
1670 esp_trans_deflev = ip6_esp_trans_deflev;
1671 esp_net_deflev = ip6_esp_net_deflev;
1672 ah_trans_deflev = ip6_ah_trans_deflev;
1673 ah_net_deflev = ip6_ah_net_deflev;
1674 break;
1675 #endif /* INET6 */
1676 default:
1677 panic("key_get_reqlevel: Unknown family. %d",
1678 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family);
1679 }
1680
1681 /* set level */
1682 switch (isr->level) {
1683 case IPSEC_LEVEL_DEFAULT:
1684 switch (isr->saidx.proto) {
1685 case IPPROTO_ESP:
1686 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1687 level = esp_net_deflev;
1688 else
1689 level = esp_trans_deflev;
1690 break;
1691 case IPPROTO_AH:
1692 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1693 level = ah_net_deflev;
1694 else
1695 level = ah_trans_deflev;
1696 break;
1697 case IPPROTO_IPCOMP:
1698 /*
1699 * we don't really care, as IPcomp document says that
1700 * we shouldn't compress small packets
1701 */
1702 level = IPSEC_LEVEL_USE;
1703 break;
1704 default:
1705 panic("ipsec_get_reqlevel: "
1706 "Illegal protocol defined %u\n",
1707 isr->saidx.proto);
1708 }
1709 break;
1710
1711 case IPSEC_LEVEL_USE:
1712 case IPSEC_LEVEL_REQUIRE:
1713 level = isr->level;
1714 break;
1715 case IPSEC_LEVEL_UNIQUE:
1716 level = IPSEC_LEVEL_REQUIRE;
1717 break;
1718
1719 default:
1720 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1721 isr->level);
1722 }
1723
1724 return level;
1725 }
1726
1727 /*
1728 * Check AH/ESP integrity.
1729 * OUT:
1730 * 0: valid
1731 * 1: invalid
1732 */
1733 static int
1734 ipsec_in_reject(sp, m)
1735 struct secpolicy *sp;
1736 struct mbuf *m;
1737 {
1738 struct ipsecrequest *isr;
1739 u_int level;
1740 int need_auth, need_conf, need_icv;
1741
1742 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1743 printf("ipsec_in_reject: using SP\n");
1744 kdebug_secpolicy(sp));
1745
1746 /* check policy */
1747 switch (sp->policy) {
1748 case IPSEC_POLICY_DISCARD:
1749 return 1;
1750 case IPSEC_POLICY_BYPASS:
1751 case IPSEC_POLICY_NONE:
1752 return 0;
1753
1754 case IPSEC_POLICY_IPSEC:
1755 break;
1756
1757 case IPSEC_POLICY_ENTRUST:
1758 default:
1759 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy);
1760 }
1761
1762 need_auth = 0;
1763 need_conf = 0;
1764 need_icv = 0;
1765
1766 /* XXX should compare policy against ipsec header history */
1767
1768 for (isr = sp->req; isr != NULL; isr = isr->next) {
1769 /* get current level */
1770 level = ipsec_get_reqlevel(isr, AF_INET);
1771
1772 switch (isr->saidx.proto) {
1773 case IPPROTO_ESP:
1774 if (level == IPSEC_LEVEL_REQUIRE) {
1775 need_conf++;
1776
1777 if (isr->sav != NULL
1778 && isr->sav->flags == SADB_X_EXT_NONE
1779 && isr->sav->alg_auth != SADB_AALG_NONE)
1780 need_icv++;
1781 }
1782 break;
1783 case IPPROTO_AH:
1784 if (level == IPSEC_LEVEL_REQUIRE) {
1785 need_auth++;
1786 need_icv++;
1787 }
1788 break;
1789 case IPPROTO_IPCOMP:
1790 /*
1791 * we don't really care, as IPcomp document says that
1792 * we shouldn't compress small packets, IPComp policy
1793 * should always be treated as being in "use" level.
1794 */
1795 break;
1796 }
1797 }
1798
1799 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1800 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1801 need_auth, need_conf, need_icv, m->m_flags));
1802
1803 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1804 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1805 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1806 return 1;
1807
1808 return 0;
1809 }
1810
1811 /*
1812 * Check AH/ESP integrity.
1813 * This function is called from tcp_input(), udp_input(),
1814 * and {ah,esp}4_input for tunnel mode
1815 */
1816 int
1817 ipsec4_in_reject(m, inp)
1818 struct mbuf *m;
1819 struct inpcb *inp;
1820 {
1821 struct secpolicy *sp = NULL;
1822 int error;
1823 int result;
1824
1825 /* sanity check */
1826 if (m == NULL)
1827 return 0; /* XXX should be panic ? */
1828
1829 /* get SP for this packet.
1830 * When we are called from ip_forward(), we call
1831 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1832 */
1833 if (inp == NULL)
1834 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1835 IP_FORWARDING, &error);
1836 else
1837 sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error);
1838
1839 /* XXX should be panic ? -> No, there may be error. */
1840 if (sp == NULL)
1841 return 0;
1842
1843 result = ipsec_in_reject(sp, m);
1844 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1845 printf("DP ipsec4_in_reject call free SP:%p\n", sp));
1846 key_freesp(sp);
1847
1848 return result;
1849 }
1850
1851 #ifdef INET6
1852 /*
1853 * Check AH/ESP integrity.
1854 * This function is called from tcp6_input(), udp6_input(),
1855 * and {ah,esp}6_input for tunnel mode
1856 */
1857 int
1858 ipsec6_in_reject(m, in6p)
1859 struct mbuf *m;
1860 struct in6pcb *in6p;
1861 {
1862 struct secpolicy *sp = NULL;
1863 int error;
1864 int result;
1865
1866 /* sanity check */
1867 if (m == NULL)
1868 return 0; /* XXX should be panic ? */
1869
1870 /* get SP for this packet.
1871 * When we are called from ip_forward(), we call
1872 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1873 */
1874 if (in6p == NULL)
1875 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1876 IP_FORWARDING, &error);
1877 else
1878 sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error);
1879
1880 if (sp == NULL)
1881 return 0; /* XXX should be panic ? */
1882
1883 result = ipsec_in_reject(sp, m);
1884 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1885 printf("DP ipsec6_in_reject call free SP:%p\n", sp));
1886 key_freesp(sp);
1887
1888 return result;
1889 }
1890 #endif
1891
1892 /*
1893 * compute the byte size to be occupied by IPsec header.
1894 * in case it is tunneled, it includes the size of outer IP header.
1895 * NOTE: SP passed is free in this function.
1896 */
1897 static size_t
1898 ipsec_hdrsiz(sp)
1899 struct secpolicy *sp;
1900 {
1901 struct ipsecrequest *isr;
1902 size_t siz, clen;
1903
1904 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1905 printf("ipsec_hdrsiz: using SP\n");
1906 kdebug_secpolicy(sp));
1907
1908 /* check policy */
1909 switch (sp->policy) {
1910 case IPSEC_POLICY_DISCARD:
1911 case IPSEC_POLICY_BYPASS:
1912 case IPSEC_POLICY_NONE:
1913 return 0;
1914
1915 case IPSEC_POLICY_IPSEC:
1916 break;
1917
1918 case IPSEC_POLICY_ENTRUST:
1919 default:
1920 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1921 }
1922
1923 siz = 0;
1924
1925 for (isr = sp->req; isr != NULL; isr = isr->next) {
1926
1927 clen = 0;
1928
1929 switch (isr->saidx.proto) {
1930 case IPPROTO_ESP:
1931 #ifdef IPSEC_ESP
1932 clen = esp_hdrsiz(isr);
1933 #else
1934 clen = 0; /* XXX */
1935 #endif
1936 break;
1937 case IPPROTO_AH:
1938 clen = ah_hdrsiz(isr);
1939 break;
1940 case IPPROTO_IPCOMP:
1941 clen = sizeof(struct ipcomp);
1942 break;
1943 }
1944
1945 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1946 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1947 case AF_INET:
1948 clen += sizeof(struct ip);
1949 break;
1950 #ifdef INET6
1951 case AF_INET6:
1952 clen += sizeof(struct ip6_hdr);
1953 break;
1954 #endif
1955 default:
1956 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1957 "unknown AF %d in IPsec tunnel SA\n",
1958 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1959 break;
1960 }
1961 }
1962 siz += clen;
1963 }
1964
1965 return siz;
1966 }
1967
1968 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1969 size_t
1970 ipsec4_hdrsiz(m, dir, inp)
1971 struct mbuf *m;
1972 u_int dir;
1973 struct inpcb *inp;
1974 {
1975 struct secpolicy *sp = NULL;
1976 int error;
1977 size_t size;
1978
1979 /* sanity check */
1980 if (m == NULL)
1981 return 0; /* XXX should be panic ? */
1982 #if 0
1983 /* this is possible in TIME_WAIT state */
1984 if (inp != NULL && inp->inp_socket == NULL)
1985 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1986 #endif
1987
1988 /* get SP for this packet.
1989 * When we are called from ip_forward(), we call
1990 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1991 */
1992 if (inp == NULL)
1993 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1994 else
1995 sp = ipsec4_getpolicybypcb(m, dir, inp, &error);
1996
1997 if (sp == NULL)
1998 return 0; /* XXX should be panic ? */
1999
2000 size = ipsec_hdrsiz(sp);
2001 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2002 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
2003 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2004 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
2005 key_freesp(sp);
2006
2007 return size;
2008 }
2009
2010 #ifdef INET6
2011 /* This function is called from ipsec6_hdrsize_tcp(),
2012 * and maybe from ip6_forward.()
2013 */
2014 size_t
2015 ipsec6_hdrsiz(m, dir, in6p)
2016 struct mbuf *m;
2017 u_int dir;
2018 struct in6pcb *in6p;
2019 {
2020 struct secpolicy *sp = NULL;
2021 int error;
2022 size_t size;
2023
2024 /* sanity check */
2025 if (m == NULL)
2026 return 0; /* XXX should be panic ? */
2027 #if 0
2028 /* this is possible in TIME_WAIT state */
2029 if (in6p != NULL && in6p->in6p_socket == NULL)
2030 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2031 #endif
2032
2033 /* get SP for this packet */
2034 /* XXX Is it right to call with IP_FORWARDING. */
2035 if (in6p == NULL)
2036 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2037 else
2038 sp = ipsec6_getpolicybypcb(m, dir, in6p, &error);
2039
2040 if (sp == NULL)
2041 return 0;
2042 size = ipsec_hdrsiz(sp);
2043 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2044 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
2045 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2046 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
2047 key_freesp(sp);
2048
2049 return size;
2050 }
2051 #endif /* INET6 */
2052
2053 #ifdef INET
2054 /*
2055 * encapsulate for ipsec tunnel.
2056 * ip->ip_src must be fixed later on.
2057 */
2058 static int
2059 ipsec4_encapsulate(m, sav)
2060 struct mbuf *m;
2061 struct secasvar *sav;
2062 {
2063 struct ip *oip;
2064 struct ip *ip;
2065 size_t hlen;
2066 size_t plen;
2067
2068 /* can't tunnel between different AFs */
2069 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2070 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2071 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2072 m_freem(m);
2073 return EINVAL;
2074 }
2075 #if 0
2076 /* XXX if the dst is myself, perform nothing. */
2077 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2078 m_freem(m);
2079 return EINVAL;
2080 }
2081 #endif
2082
2083 if (m->m_len < sizeof(*ip))
2084 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2085
2086 ip = mtod(m, struct ip *);
2087 #ifdef _IP_VHL
2088 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
2089 #else
2090 hlen = ip->ip_hl << 2;
2091 #endif
2092
2093 if (m->m_len != hlen)
2094 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2095
2096 /* generate header checksum */
2097 ip->ip_sum = 0;
2098 #ifdef _IP_VHL
2099 if (ip->ip_vhl == IP_VHL_BORING)
2100 ip->ip_sum = in_cksum_hdr(ip);
2101 else
2102 ip->ip_sum = in_cksum(m, hlen);
2103 #else
2104 ip->ip_sum = in_cksum(m, hlen);
2105 #endif
2106
2107 plen = m->m_pkthdr.len;
2108
2109 /*
2110 * grow the mbuf to accomodate the new IPv4 header.
2111 * NOTE: IPv4 options will never be copied.
2112 */
2113 if (M_LEADINGSPACE(m->m_next) < hlen) {
2114 struct mbuf *n;
2115 MGET(n, M_DONTWAIT, MT_DATA);
2116 if (!n) {
2117 m_freem(m);
2118 return ENOBUFS;
2119 }
2120 n->m_len = hlen;
2121 n->m_next = m->m_next;
2122 m->m_next = n;
2123 m->m_pkthdr.len += hlen;
2124 oip = mtod(n, struct ip *);
2125 } else {
2126 m->m_next->m_len += hlen;
2127 m->m_next->m_data -= hlen;
2128 m->m_pkthdr.len += hlen;
2129 oip = mtod(m->m_next, struct ip *);
2130 }
2131 ip = mtod(m, struct ip *);
2132 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2133 m->m_len = sizeof(struct ip);
2134 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2135
2136 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2137 /* ECN consideration. */
2138 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2139 #ifdef _IP_VHL
2140 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2141 #else
2142 ip->ip_hl = sizeof(struct ip) >> 2;
2143 #endif
2144 ip->ip_off &= htons(~IP_OFFMASK);
2145 ip->ip_off &= htons(~IP_MF);
2146 switch (ip4_ipsec_dfbit) {
2147 case 0: /* clear DF bit */
2148 ip->ip_off &= htons(~IP_DF);
2149 break;
2150 case 1: /* set DF bit */
2151 ip->ip_off |= htons(IP_DF);
2152 break;
2153 default: /* copy DF bit */
2154 break;
2155 }
2156 ip->ip_p = IPPROTO_IPIP;
2157 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2158 ip->ip_len = htons(plen + sizeof(struct ip));
2159 else {
2160 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2161 "leave ip_len as is (invalid packet)\n"));
2162 }
2163 ip->ip_id = ip_newid();
2164 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2165 &ip->ip_src, sizeof(ip->ip_src));
2166 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2167 &ip->ip_dst, sizeof(ip->ip_dst));
2168 ip->ip_ttl = IPDEFTTL;
2169
2170 /* XXX Should ip_src be updated later ? */
2171
2172 return 0;
2173 }
2174 #endif /* INET */
2175
2176 #ifdef INET6
2177 static int
2178 ipsec6_encapsulate(m, sav)
2179 struct mbuf *m;
2180 struct secasvar *sav;
2181 {
2182 struct sockaddr_in6 sa6;
2183 struct ip6_hdr *oip6;
2184 struct ip6_hdr *ip6;
2185 size_t plen;
2186 int error;
2187
2188 /* can't tunnel between different AFs */
2189 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2190 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2191 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2192 m_freem(m);
2193 return EINVAL;
2194 }
2195 #if 0
2196 /* XXX if the dst is myself, perform nothing. */
2197 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2198 m_freem(m);
2199 return EINVAL;
2200 }
2201 #endif
2202
2203 plen = m->m_pkthdr.len;
2204
2205 /*
2206 * grow the mbuf to accomodate the new IPv6 header.
2207 */
2208 if (m->m_len != sizeof(struct ip6_hdr))
2209 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2210 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2211 struct mbuf *n;
2212 MGET(n, M_DONTWAIT, MT_DATA);
2213 if (!n) {
2214 m_freem(m);
2215 return ENOBUFS;
2216 }
2217 n->m_len = sizeof(struct ip6_hdr);
2218 n->m_next = m->m_next;
2219 m->m_next = n;
2220 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2221 oip6 = mtod(n, struct ip6_hdr *);
2222 } else {
2223 m->m_next->m_len += sizeof(struct ip6_hdr);
2224 m->m_next->m_data -= sizeof(struct ip6_hdr);
2225 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2226 oip6 = mtod(m->m_next, struct ip6_hdr *);
2227 }
2228 ip6 = mtod(m, struct ip6_hdr *);
2229 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2230
2231 /* XXX: Fake scoped addresses */
2232 in6_clearscope(&oip6->ip6_src);
2233 in6_clearscope(&oip6->ip6_dst);
2234
2235 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2236 /* ECN consideration. */
2237 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2238 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2239 ip6->ip6_plen = htons(plen);
2240 else {
2241 /* ip6->ip6_plen will be updated in ip6_output() */
2242 }
2243 ip6->ip6_nxt = IPPROTO_IPV6;
2244
2245 sa6 = *(struct sockaddr_in6 *)&sav->sah->saidx.src;
2246 if ((error = sa6_embedscope(&sa6, 0)) != 0)
2247 return (error);
2248 ip6->ip6_src = sa6.sin6_addr;
2249
2250 sa6 = *(struct sockaddr_in6 *)&sav->sah->saidx.dst;
2251 if ((error = sa6_embedscope(&sa6, 0)) != 0)
2252 return (error);
2253 ip6->ip6_dst = sa6.sin6_addr;
2254
2255 ip6->ip6_hlim = IPV6_DEFHLIM;
2256
2257 /* XXX Should ip6_src be updated later ? */
2258
2259 return 0;
2260 }
2261 #endif /* INET6 */
2262
2263 /*
2264 * Check the variable replay window.
2265 * ipsec_chkreplay() performs replay check before ICV verification.
2266 * ipsec_updatereplay() updates replay bitmap. This must be called after
2267 * ICV verification (it also performs replay check, which is usually done
2268 * beforehand).
2269 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2270 *
2271 * based on RFC 2401.
2272 *
2273 * XXX need to update for 64bit sequence number - 2401bis
2274 */
2275 int
2276 ipsec_chkreplay(seq, sav)
2277 u_int32_t seq;
2278 struct secasvar *sav;
2279 {
2280 const struct secreplay *replay;
2281 u_int32_t diff;
2282 int fr;
2283 u_int32_t wsizeb; /* constant: bits of window size */
2284 int frlast; /* constant: last frame */
2285
2286 /* sanity check */
2287 if (sav == NULL)
2288 panic("ipsec_chkreplay: NULL pointer was passed.");
2289
2290 replay = sav->replay;
2291
2292 if (replay->wsize == 0)
2293 return 1; /* no need to check replay. */
2294
2295 /* constant */
2296 frlast = replay->wsize - 1;
2297 wsizeb = replay->wsize << 3;
2298
2299 /* sequence number of 0 is invalid */
2300 if (seq == 0)
2301 return 0;
2302
2303 /* first time is always okay */
2304 if (replay->count == 0)
2305 return 1;
2306
2307 if (seq > replay->lastseq) {
2308 /* larger sequences are okay */
2309 return 1;
2310 } else {
2311 /* seq is equal or less than lastseq. */
2312 diff = replay->lastseq - seq;
2313
2314 /* over range to check, i.e. too old or wrapped */
2315 if (diff >= wsizeb)
2316 return 0;
2317
2318 fr = frlast - diff / 8;
2319
2320 /* this packet already seen ? */
2321 if (replay->bitmap[fr] & (1 << (diff % 8)))
2322 return 0;
2323
2324 /* out of order but good */
2325 return 1;
2326 }
2327 }
2328
2329 /*
2330 * check replay counter whether to update or not.
2331 * OUT: 0: OK
2332 * 1: NG
2333 * XXX need to update for 64bit sequence number - 2401bis
2334 */
2335 int
2336 ipsec_updatereplay(seq, sav)
2337 u_int32_t seq;
2338 struct secasvar *sav;
2339 {
2340 struct secreplay *replay;
2341 u_int64_t diff;
2342 int fr;
2343 u_int32_t wsizeb; /* constant: bits of window size */
2344 int frlast; /* constant: last frame */
2345
2346 /* sanity check */
2347 if (sav == NULL)
2348 panic("ipsec_chkreplay: NULL pointer was passed.");
2349
2350 replay = sav->replay;
2351
2352 if (replay->wsize == 0)
2353 goto ok; /* no need to check replay. */
2354
2355 /* constant */
2356 frlast = replay->wsize - 1;
2357 wsizeb = replay->wsize << 3;
2358
2359 /* sequence number of 0 is invalid */
2360 if (seq == 0)
2361 return 1;
2362
2363 /* first time */
2364 if (replay->count == 0) {
2365 replay->lastseq = seq;
2366 bzero(replay->bitmap, replay->wsize);
2367 replay->bitmap[frlast] = 1;
2368 goto ok;
2369 }
2370
2371 if (seq > replay->lastseq) {
2372 /* seq is larger than lastseq. */
2373 diff = seq - replay->lastseq;
2374
2375 /* new larger sequence number */
2376 if (diff < wsizeb) {
2377 /* In window */
2378 /* set bit for this packet */
2379 vshiftl(replay->bitmap, diff, replay->wsize);
2380 replay->bitmap[frlast] |= 1;
2381 } else {
2382 /* this packet has a "way larger" */
2383 bzero(replay->bitmap, replay->wsize);
2384 replay->bitmap[frlast] = 1;
2385 }
2386 replay->lastseq = seq;
2387
2388 /* larger is good */
2389 } else {
2390 /* seq is equal or less than lastseq. */
2391 diff = replay->lastseq - seq;
2392
2393 /* over range to check, i.e. too old or wrapped */
2394 if (diff >= wsizeb)
2395 return 1;
2396
2397 fr = frlast - diff / 8;
2398
2399 /* this packet already seen ? */
2400 if (replay->bitmap[fr] & (1 << (diff % 8)))
2401 return 1;
2402
2403 /* mark as seen */
2404 replay->bitmap[fr] |= (1 << (diff % 8));
2405
2406 /* out of order but good */
2407 }
2408
2409 ok:
2410 if (replay->count == 0xffffffff) {
2411
2412 /* set overflow flag */
2413 replay->overflow++;
2414
2415 /* don't increment, no more packets accepted */
2416 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2417 return 1;
2418
2419 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2420 replay->overflow, ipsec_logsastr(sav)));
2421 }
2422
2423 replay->count++;
2424
2425 return 0;
2426 }
2427
2428 /*
2429 * shift variable length buffer to left.
2430 * IN: bitmap: pointer to the buffer
2431 * nbit: the number of to shift.
2432 * wsize: buffer size (bytes).
2433 */
2434 static void
2435 vshiftl(bitmap, nbit, wsize)
2436 unsigned char *bitmap;
2437 int nbit, wsize;
2438 {
2439 int s, j, i;
2440 unsigned char over;
2441
2442 for (j = 0; j < nbit; j += 8) {
2443 s = (nbit - j < 8) ? (nbit - j): 8;
2444 bitmap[0] <<= s;
2445 for (i = 1; i < wsize; i++) {
2446 over = (bitmap[i] >> (8 - s));
2447 bitmap[i] <<= s;
2448 bitmap[i - 1] |= over;
2449 }
2450 }
2451
2452 return;
2453 }
2454
2455 const char *
2456 ipsec4_logpacketstr(ip, spi)
2457 struct ip *ip;
2458 u_int32_t spi;
2459 {
2460 static char buf[256];
2461 char *p;
2462 u_int8_t *s, *d;
2463
2464 s = (u_int8_t *)(&ip->ip_src);
2465 d = (u_int8_t *)(&ip->ip_dst);
2466
2467 p = buf;
2468 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2469 while (*p)
2470 p++;
2471 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2472 s[0], s[1], s[2], s[3]);
2473 while (*p)
2474 p++;
2475 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2476 d[0], d[1], d[2], d[3]);
2477 while (*p)
2478 p++;
2479 snprintf(p, sizeof(buf) - (p - buf), ")");
2480
2481 return buf;
2482 }
2483
2484 #ifdef INET6
2485 const char *
2486 ipsec6_logpacketstr(ip6, spi)
2487 struct ip6_hdr *ip6;
2488 u_int32_t spi;
2489 {
2490 static char buf[256];
2491 char *p;
2492
2493 p = buf;
2494 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2495 while (*p)
2496 p++;
2497 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2498 ip6_sprintf(&ip6->ip6_src));
2499 while (*p)
2500 p++;
2501 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2502 ip6_sprintf(&ip6->ip6_dst));
2503 while (*p)
2504 p++;
2505 snprintf(p, sizeof(buf) - (p - buf), ")");
2506
2507 return buf;
2508 }
2509 #endif /* INET6 */
2510
2511 const char *
2512 ipsec_logsastr(sav)
2513 struct secasvar *sav;
2514 {
2515 static char buf[256];
2516 char *p;
2517 struct secasindex *saidx = &sav->sah->saidx;
2518
2519 /* validity check */
2520 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2521 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2522 panic("ipsec_logsastr: family mismatched.");
2523
2524 p = buf;
2525 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2526 while (*p)
2527 p++;
2528 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2529 u_int8_t *s, *d;
2530 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2531 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2532 snprintf(p, sizeof(buf) - (p - buf),
2533 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2534 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2535 }
2536 #ifdef INET6
2537 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2538 snprintf(p, sizeof(buf) - (p - buf),
2539 "src=%s",
2540 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2541 while (*p)
2542 p++;
2543 snprintf(p, sizeof(buf) - (p - buf),
2544 " dst=%s",
2545 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2546 }
2547 #endif
2548 while (*p)
2549 p++;
2550 snprintf(p, sizeof(buf) - (p - buf), ")");
2551
2552 return buf;
2553 }
2554
2555 void
2556 ipsec_dumpmbuf(m)
2557 struct mbuf *m;
2558 {
2559 int totlen;
2560 int i;
2561 u_char *p;
2562
2563 totlen = 0;
2564 printf("---\n");
2565 while (m) {
2566 p = mtod(m, u_char *);
2567 for (i = 0; i < m->m_len; i++) {
2568 printf("%02x ", p[i]);
2569 totlen++;
2570 if (totlen % 16 == 0)
2571 printf("\n");
2572 }
2573 m = m->m_next;
2574 }
2575 if (totlen % 16 != 0)
2576 printf("\n");
2577 printf("---\n");
2578 }
2579
2580 #ifdef INET
2581 static int
2582 ipsec4_checksa(isr, state)
2583 struct ipsecrequest *isr;
2584 struct ipsec_output_state *state;
2585 {
2586 struct ip *ip;
2587 struct secasindex saidx;
2588 struct sockaddr_in *sin;
2589
2590 /* make SA index for search proper SA */
2591 ip = mtod(state->m, struct ip *);
2592 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2593 saidx.mode = isr->saidx.mode;
2594 saidx.reqid = isr->saidx.reqid;
2595 sin = (struct sockaddr_in *)&saidx.src;
2596 if (sin->sin_len == 0) {
2597 sin->sin_len = sizeof(*sin);
2598 sin->sin_family = AF_INET;
2599 sin->sin_port = IPSEC_PORT_ANY;
2600 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
2601 }
2602 sin = (struct sockaddr_in *)&saidx.dst;
2603 if (sin->sin_len == 0) {
2604 sin->sin_len = sizeof(*sin);
2605 sin->sin_family = AF_INET;
2606 sin->sin_port = IPSEC_PORT_ANY;
2607 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
2608 }
2609
2610 return key_checkrequest(isr, &saidx);
2611 }
2612 /*
2613 * IPsec output logic for IPv4.
2614 */
2615 int
2616 ipsec4_output(state, sp, flags)
2617 struct ipsec_output_state *state;
2618 struct secpolicy *sp;
2619 int flags;
2620 {
2621 struct ip *ip = NULL;
2622 struct ipsecrequest *isr = NULL;
2623 int s;
2624 int error;
2625 struct sockaddr_in *dst4;
2626
2627 if (!state)
2628 panic("state == NULL in ipsec4_output");
2629 if (!state->m)
2630 panic("state->m == NULL in ipsec4_output");
2631 if (!state->ro)
2632 panic("state->ro == NULL in ipsec4_output");
2633 if (!state->dst)
2634 panic("state->dst == NULL in ipsec4_output");
2635 state->encap = 0;
2636
2637 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2638 printf("ipsec4_output: applyed SP\n");
2639 kdebug_secpolicy(sp));
2640
2641 for (isr = sp->req; isr != NULL; isr = isr->next) {
2642
2643 #if 0 /* give up to check restriction of transport mode */
2644 /* XXX but should be checked somewhere */
2645 /*
2646 * some of the IPsec operation must be performed only in
2647 * originating case.
2648 */
2649 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2650 && (flags & IP_FORWARDING))
2651 continue;
2652 #endif
2653 error = ipsec4_checksa(isr, state);
2654 if (error != 0) {
2655 /*
2656 * IPsec processing is required, but no SA found.
2657 * I assume that key_acquire() had been called
2658 * to get/establish the SA. Here I discard
2659 * this packet because it is responsibility for
2660 * upper layer to retransmit the packet.
2661 */
2662 ipsecstat.out_nosa++;
2663 goto bad;
2664 }
2665
2666 /* validity check */
2667 if (isr->sav == NULL) {
2668 switch (ipsec_get_reqlevel(isr, AF_INET)) {
2669 case IPSEC_LEVEL_USE:
2670 continue;
2671 case IPSEC_LEVEL_REQUIRE:
2672 /* must be not reached here. */
2673 panic("ipsec4_output: no SA found, but required.");
2674 }
2675 }
2676
2677 /*
2678 * If there is no valid SA, we give up to process any
2679 * more. In such a case, the SA's status is changed
2680 * from DYING to DEAD after allocating. If a packet
2681 * send to the receiver by dead SA, the receiver can
2682 * not decode a packet because SA has been dead.
2683 */
2684 if (isr->sav->state != SADB_SASTATE_MATURE
2685 && isr->sav->state != SADB_SASTATE_DYING) {
2686 ipsecstat.out_nosa++;
2687 error = EINVAL;
2688 goto bad;
2689 }
2690
2691 /*
2692 * There may be the case that SA status will be changed when
2693 * we are refering to one. So calling splsoftnet().
2694 */
2695 s = splnet();
2696
2697 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2698 /*
2699 * build IPsec tunnel.
2700 */
2701 /* XXX should be processed with other familiy */
2702 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2703 ipseclog((LOG_ERR, "ipsec4_output: "
2704 "family mismatched between inner and outer spi=%u\n",
2705 (u_int32_t)ntohl(isr->sav->spi)));
2706 splx(s);
2707 error = EAFNOSUPPORT;
2708 goto bad;
2709 }
2710
2711 state->m = ipsec4_splithdr(state->m);
2712 if (!state->m) {
2713 splx(s);
2714 error = ENOMEM;
2715 goto bad;
2716 }
2717 error = ipsec4_encapsulate(state->m, isr->sav);
2718 splx(s);
2719 if (error) {
2720 state->m = NULL;
2721 goto bad;
2722 }
2723 ip = mtod(state->m, struct ip *);
2724
2725 state->ro = &isr->sav->sah->sa_route;
2726 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2727 dst4 = (struct sockaddr_in *)state->dst;
2728 if (state->ro->ro_rt
2729 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2730 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2731 RTFREE(state->ro->ro_rt);
2732 state->ro->ro_rt = NULL;
2733 }
2734 if (state->ro->ro_rt == 0) {
2735 dst4->sin_family = AF_INET;
2736 dst4->sin_len = sizeof(*dst4);
2737 dst4->sin_addr = ip->ip_dst;
2738 rtalloc(state->ro);
2739 }
2740 if (state->ro->ro_rt == 0) {
2741 ipstat.ips_noroute++;
2742 error = EHOSTUNREACH;
2743 goto bad;
2744 }
2745
2746 /* adjust state->dst if tunnel endpoint is offlink */
2747 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2748 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2749 dst4 = (struct sockaddr_in *)state->dst;
2750 }
2751
2752 state->encap++;
2753 } else
2754 splx(s);
2755
2756 state->m = ipsec4_splithdr(state->m);
2757 if (!state->m) {
2758 error = ENOMEM;
2759 goto bad;
2760 }
2761 switch (isr->saidx.proto) {
2762 case IPPROTO_ESP:
2763 #ifdef IPSEC_ESP
2764 if ((error = esp4_output(state->m, isr)) != 0) {
2765 state->m = NULL;
2766 goto bad;
2767 }
2768 break;
2769 #else
2770 m_freem(state->m);
2771 state->m = NULL;
2772 error = EINVAL;
2773 goto bad;
2774 #endif
2775 case IPPROTO_AH:
2776 if ((error = ah4_output(state->m, isr)) != 0) {
2777 state->m = NULL;
2778 goto bad;
2779 }
2780 break;
2781 case IPPROTO_IPCOMP:
2782 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2783 state->m = NULL;
2784 goto bad;
2785 }
2786 break;
2787 default:
2788 ipseclog((LOG_ERR,
2789 "ipsec4_output: unknown ipsec protocol %d\n",
2790 isr->saidx.proto));
2791 m_freem(state->m);
2792 state->m = NULL;
2793 error = EINVAL;
2794 goto bad;
2795 }
2796
2797 if (state->m == 0) {
2798 error = ENOMEM;
2799 goto bad;
2800 }
2801 ip = mtod(state->m, struct ip *);
2802 }
2803
2804 return 0;
2805
2806 bad:
2807 m_freem(state->m);
2808 state->m = NULL;
2809 return error;
2810 }
2811 #endif
2812
2813 #ifdef INET6
2814 static int
2815 ipsec6_checksa(isr, state, tunnel)
2816 struct ipsecrequest *isr;
2817 struct ipsec_output_state *state;
2818 int tunnel;
2819 {
2820 struct ip6_hdr *ip6;
2821 struct secasindex saidx;
2822 struct sockaddr_in6 *sin6;
2823
2824 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2825 #ifdef DIAGNOSTIC
2826 if (!tunnel)
2827 panic("ipsec6_checksa/inconsistent tunnel attribute");
2828 #endif
2829 /* When tunnel mode, SA peers must be specified. */
2830 return key_checkrequest(isr, &isr->saidx);
2831 }
2832
2833 /* make SA index for search proper SA */
2834 ip6 = mtod(state->m, struct ip6_hdr *);
2835 if (tunnel) {
2836 bzero(&saidx, sizeof(saidx));
2837 saidx.proto = isr->saidx.proto;
2838 } else
2839 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2840 saidx.mode = isr->saidx.mode;
2841 saidx.reqid = isr->saidx.reqid;
2842 sin6 = (struct sockaddr_in6 *)&saidx.src;
2843 if (sin6->sin6_len == 0 || tunnel) {
2844 sin6->sin6_len = sizeof(*sin6);
2845 sin6->sin6_family = AF_INET6;
2846 sin6->sin6_port = IPSEC_PORT_ANY;
2847 sin6->sin6_addr = ip6->ip6_src;
2848 }
2849 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2850 if (sin6->sin6_len == 0 || tunnel) {
2851 sin6->sin6_len = sizeof(*sin6);
2852 sin6->sin6_family = AF_INET6;
2853 sin6->sin6_port = IPSEC_PORT_ANY;
2854 sin6->sin6_addr = ip6->ip6_dst;
2855 }
2856
2857 return key_checkrequest(isr, &saidx);
2858 }
2859
2860 /*
2861 * IPsec output logic for IPv6, transport mode.
2862 */
2863 int
2864 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
2865 struct ipsec_output_state *state;
2866 u_char *nexthdrp;
2867 struct mbuf *mprev;
2868 struct secpolicy *sp;
2869 int flags;
2870 int *tun;
2871 {
2872 struct ip6_hdr *ip6;
2873 struct ipsecrequest *isr = NULL;
2874 int error = 0;
2875 int plen;
2876
2877 if (!state)
2878 panic("state == NULL in ipsec6_output_trans");
2879 if (!state->m)
2880 panic("state->m == NULL in ipsec6_output_trans");
2881 if (!nexthdrp)
2882 panic("nexthdrp == NULL in ipsec6_output_trans");
2883 if (!mprev)
2884 panic("mprev == NULL in ipsec6_output_trans");
2885 if (!sp)
2886 panic("sp == NULL in ipsec6_output_trans");
2887 if (!tun)
2888 panic("tun == NULL in ipsec6_output_trans");
2889
2890 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2891 printf("ipsec6_output_trans: applyed SP\n");
2892 kdebug_secpolicy(sp));
2893
2894 *tun = 0;
2895 for (isr = sp->req; isr; isr = isr->next) {
2896 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2897 /* the rest will be handled by ipsec6_output_tunnel() */
2898 break;
2899 }
2900
2901 error = ipsec6_checksa(isr, state, 0);
2902 if (error == EIO)
2903 goto bad;
2904 if (error == ENOENT) {
2905 /*
2906 * IPsec processing is required, but no SA found.
2907 * I assume that key_acquire() had been called
2908 * to get/establish the SA. Here I discard
2909 * this packet because it is responsibility for
2910 * upper layer to retransmit the packet.
2911 */
2912 ipsec6stat.out_nosa++;
2913
2914 /*
2915 * Notify the fact that the packet is discarded
2916 * to ourselves. I believe this is better than
2917 * just silently discarding. (jinmei@kame.net)
2918 * XXX: should we restrict the error to TCP packets?
2919 * XXX: should we directly notify sockets via
2920 * pfctlinputs?
2921 *
2922 * Noone have initialized rcvif until this point,
2923 * so clear it.
2924 */
2925 if ((state->m->m_flags & M_PKTHDR) != 0)
2926 state->m->m_pkthdr.rcvif = NULL;
2927 icmp6_error(state->m, ICMP6_DST_UNREACH,
2928 ICMP6_DST_UNREACH_ADMIN, 0);
2929 state->m = NULL; /* icmp6_error freed the mbuf */
2930 goto bad;
2931 }
2932
2933 /* validity check */
2934 if (isr->sav == NULL) {
2935 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
2936 case IPSEC_LEVEL_USE:
2937 continue;
2938 case IPSEC_LEVEL_REQUIRE:
2939 /* must be not reached here. */
2940 panic("ipsec6_output_trans: no SA found, but required.");
2941 }
2942 }
2943
2944 /*
2945 * If there is no valid SA, we give up to process.
2946 * see same place at ipsec4_output().
2947 */
2948 if (isr->sav->state != SADB_SASTATE_MATURE
2949 && isr->sav->state != SADB_SASTATE_DYING) {
2950 ipsec6stat.out_nosa++;
2951 error = EINVAL;
2952 goto bad;
2953 }
2954
2955 switch (isr->saidx.proto) {
2956 case IPPROTO_ESP:
2957 #ifdef IPSEC_ESP
2958 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2959 #else
2960 m_freem(state->m);
2961 error = EINVAL;
2962 #endif
2963 break;
2964 case IPPROTO_AH:
2965 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2966 break;
2967 case IPPROTO_IPCOMP:
2968 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2969 break;
2970 default:
2971 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2972 "unknown ipsec protocol %d\n", isr->saidx.proto));
2973 m_freem(state->m);
2974 ipsec6stat.out_inval++;
2975 error = EINVAL;
2976 break;
2977 }
2978 if (error) {
2979 state->m = NULL;
2980 goto bad;
2981 }
2982 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2983 if (plen > IPV6_MAXPACKET) {
2984 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2985 "IPsec with IPv6 jumbogram is not supported\n"));
2986 ipsec6stat.out_inval++;
2987 error = EINVAL; /* XXX */
2988 goto bad;
2989 }
2990 ip6 = mtod(state->m, struct ip6_hdr *);
2991 ip6->ip6_plen = htons(plen);
2992 }
2993
2994 /* if we have more to go, we need a tunnel mode processing */
2995 if (isr != NULL)
2996 *tun = 1;
2997
2998 return 0;
2999
3000 bad:
3001 m_freem(state->m);
3002 state->m = NULL;
3003 return error;
3004 }
3005
3006 /*
3007 * IPsec output logic for IPv6, tunnel mode.
3008 */
3009 int
3010 ipsec6_output_tunnel(state, sp, flags)
3011 struct ipsec_output_state *state;
3012 struct secpolicy *sp;
3013 int flags;
3014 {
3015 struct ip6_hdr *ip6;
3016 struct ipsecrequest *isr = NULL;
3017 int error = 0;
3018 int plen;
3019 struct sockaddr_in6 *dst6;
3020 int s;
3021
3022 if (!state)
3023 panic("state == NULL in ipsec6_output_tunnel");
3024 if (!state->m)
3025 panic("state->m == NULL in ipsec6_output_tunnel");
3026 if (!sp)
3027 panic("sp == NULL in ipsec6_output_tunnel");
3028
3029 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3030 printf("ipsec6_output_tunnel: applyed SP\n");
3031 kdebug_secpolicy(sp));
3032
3033 /*
3034 * transport mode ipsec (before the 1st tunnel mode) is already
3035 * processed by ipsec6_output_trans().
3036 */
3037 for (isr = sp->req; isr; isr = isr->next) {
3038 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
3039 break;
3040 }
3041
3042 for (/* already initialized */; isr; isr = isr->next) {
3043 error = ipsec6_checksa(isr, state, 1);
3044 if (error == EIO)
3045 goto bad;
3046 if (error == ENOENT) {
3047 /*
3048 * IPsec processing is required, but no SA found.
3049 * I assume that key_acquire() had been called
3050 * to get/establish the SA. Here I discard
3051 * this packet because it is responsibility for
3052 * upper layer to retransmit the packet.
3053 */
3054 ipsec6stat.out_nosa++;
3055 error = ENOENT;
3056 goto bad;
3057 }
3058
3059 /* validity check */
3060 if (isr->sav == NULL) {
3061 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
3062 case IPSEC_LEVEL_USE:
3063 continue;
3064 case IPSEC_LEVEL_REQUIRE:
3065 /* must be not reached here. */
3066 panic("ipsec6_output_tunnel: no SA found, but required.");
3067 }
3068 }
3069
3070 /*
3071 * If there is no valid SA, we give up to process.
3072 * see same place at ipsec4_output().
3073 */
3074 if (isr->sav->state != SADB_SASTATE_MATURE
3075 && isr->sav->state != SADB_SASTATE_DYING) {
3076 ipsec6stat.out_nosa++;
3077 error = EINVAL;
3078 goto bad;
3079 }
3080
3081 /*
3082 * There may be the case that SA status will be changed when
3083 * we are refering to one. So calling splsoftnet().
3084 */
3085 s = splnet();
3086
3087 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3088 /*
3089 * build IPsec tunnel.
3090 */
3091 /* XXX should be processed with other familiy */
3092 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
3093 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3094 "family mismatched between inner and outer, spi=%u\n",
3095 (u_int32_t)ntohl(isr->sav->spi)));
3096 splx(s);
3097 ipsec6stat.out_inval++;
3098 error = EAFNOSUPPORT;
3099 goto bad;
3100 }
3101
3102 state->m = ipsec6_splithdr(state->m);
3103 if (!state->m) {
3104 splx(s);
3105 ipsec6stat.out_nomem++;
3106 error = ENOMEM;
3107 goto bad;
3108 }
3109 error = ipsec6_encapsulate(state->m, isr->sav);
3110 splx(s);
3111 if (error) {
3112 state->m = 0;
3113 goto bad;
3114 }
3115 ip6 = mtod(state->m, struct ip6_hdr *);
3116
3117 state->ro = &isr->sav->sah->sa_route;
3118 state->dst = (struct sockaddr *)&state->ro->ro_dst;
3119 dst6 = (struct sockaddr_in6 *)state->dst;
3120 if (state->ro->ro_rt &&
3121 (!(state->ro->ro_rt->rt_flags & RTF_UP) ||
3122 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr,
3123 &ip6->ip6_dst))) {
3124 RTFREE(state->ro->ro_rt);
3125 state->ro->ro_rt = NULL;
3126 }
3127 if (state->ro->ro_rt == 0) {
3128 bzero(dst6, sizeof(*dst6));
3129 dst6->sin6_family = AF_INET6;
3130 dst6->sin6_len = sizeof(*dst6);
3131 dst6->sin6_addr = ip6->ip6_dst;
3132 rtalloc(state->ro);
3133 }
3134 if (state->ro->ro_rt == 0) {
3135 ip6stat.ip6s_noroute++;
3136 ipsec6stat.out_noroute++;
3137 error = EHOSTUNREACH;
3138 goto bad;
3139 }
3140
3141 /* adjust state->dst if tunnel endpoint is offlink */
3142 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3143 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3144 dst6 = (struct sockaddr_in6 *)state->dst;
3145 }
3146 } else
3147 splx(s);
3148
3149 state->m = ipsec6_splithdr(state->m);
3150 if (!state->m) {
3151 ipsec6stat.out_nomem++;
3152 error = ENOMEM;
3153 goto bad;
3154 }
3155 ip6 = mtod(state->m, struct ip6_hdr *);
3156 switch (isr->saidx.proto) {
3157 case IPPROTO_ESP:
3158 #ifdef IPSEC_ESP
3159 error = esp6_output(state->m, &ip6->ip6_nxt,
3160 state->m->m_next, isr);
3161 #else
3162 m_freem(state->m);
3163 error = EINVAL;
3164 #endif
3165 break;
3166 case IPPROTO_AH:
3167 error = ah6_output(state->m, &ip6->ip6_nxt,
3168 state->m->m_next, isr);
3169 break;
3170 case IPPROTO_IPCOMP:
3171 /* XXX code should be here */
3172 /* FALLTHROUGH */
3173 default:
3174 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3175 "unknown ipsec protocol %d\n", isr->saidx.proto));
3176 m_freem(state->m);
3177 ipsec6stat.out_inval++;
3178 error = EINVAL;
3179 break;
3180 }
3181 if (error) {
3182 state->m = NULL;
3183 goto bad;
3184 }
3185 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3186 if (plen > IPV6_MAXPACKET) {
3187 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3188 "IPsec with IPv6 jumbogram is not supported\n"));
3189 ipsec6stat.out_inval++;
3190 error = EINVAL; /* XXX */
3191 goto bad;
3192 }
3193 ip6 = mtod(state->m, struct ip6_hdr *);
3194 ip6->ip6_plen = htons(plen);
3195 }
3196
3197 return 0;
3198
3199 bad:
3200 m_freem(state->m);
3201 state->m = NULL;
3202 return error;
3203 }
3204 #endif /* INET6 */
3205
3206 #ifdef INET
3207 /*
3208 * Chop IP header and option off from the payload.
3209 */
3210 static struct mbuf *
3211 ipsec4_splithdr(m)
3212 struct mbuf *m;
3213 {
3214 struct mbuf *mh;
3215 struct ip *ip;
3216 int hlen;
3217
3218 if (m->m_len < sizeof(struct ip))
3219 panic("ipsec4_splithdr: first mbuf too short");
3220 ip = mtod(m, struct ip *);
3221 #ifdef _IP_VHL
3222 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3223 #else
3224 hlen = ip->ip_hl << 2;
3225 #endif
3226 if (m->m_len > hlen) {
3227 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3228 if (!mh) {
3229 m_freem(m);
3230 return NULL;
3231 }
3232 M_MOVE_PKTHDR(mh, m);
3233 MH_ALIGN(mh, hlen);
3234 m->m_len -= hlen;
3235 m->m_data += hlen;
3236 mh->m_next = m;
3237 m = mh;
3238 m->m_len = hlen;
3239 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3240 } else if (m->m_len < hlen) {
3241 m = m_pullup(m, hlen);
3242 if (!m)
3243 return NULL;
3244 }
3245 return m;
3246 }
3247 #endif
3248
3249 #ifdef INET6
3250 static struct mbuf *
3251 ipsec6_splithdr(m)
3252 struct mbuf *m;
3253 {
3254 struct mbuf *mh;
3255 struct ip6_hdr *ip6;
3256 int hlen;
3257
3258 if (m->m_len < sizeof(struct ip6_hdr))
3259 panic("ipsec6_splithdr: first mbuf too short");
3260 ip6 = mtod(m, struct ip6_hdr *);
3261 hlen = sizeof(struct ip6_hdr);
3262 if (m->m_len > hlen) {
3263 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3264 if (!mh) {
3265 m_freem(m);
3266 return NULL;
3267 }
3268 M_MOVE_PKTHDR(mh, m);
3269 MH_ALIGN(mh, hlen);
3270 m->m_len -= hlen;
3271 m->m_data += hlen;
3272 mh->m_next = m;
3273 m = mh;
3274 m->m_len = hlen;
3275 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3276 } else if (m->m_len < hlen) {
3277 m = m_pullup(m, hlen);
3278 if (!m)
3279 return NULL;
3280 }
3281 return m;
3282 }
3283 #endif
3284
3285 /* validate inbound IPsec tunnel packet. */
3286 int
3287 ipsec4_tunnel_validate(m, off, nxt0, sav)
3288 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3289 int off;
3290 u_int nxt0;
3291 struct secasvar *sav;
3292 {
3293 u_int8_t nxt = nxt0 & 0xff;
3294 struct sockaddr_in *sin;
3295 struct sockaddr_in osrc, odst, isrc, idst;
3296 int hlen;
3297 struct secpolicy *sp;
3298 struct ip *oip;
3299
3300 #ifdef DIAGNOSTIC
3301 if (m->m_len < sizeof(struct ip))
3302 panic("too short mbuf on ipsec4_tunnel_validate");
3303 #endif
3304 if (nxt != IPPROTO_IPV4)
3305 return 0;
3306 if (m->m_pkthdr.len < off + sizeof(struct ip))
3307 return 0;
3308 /* do not decapsulate if the SA is for transport mode only */
3309 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3310 return 0;
3311
3312 oip = mtod(m, struct ip *);
3313 hlen = oip->ip_hl << 2;
3314 if (hlen != sizeof(struct ip))
3315 return 0;
3316
3317 /* AF_INET6 should be supported, but at this moment we don't. */
3318 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3319 if (sin->sin_family != AF_INET)
3320 return 0;
3321 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3322 return 0;
3323
3324 /* XXX slow */
3325 bzero(&osrc, sizeof(osrc));
3326 bzero(&odst, sizeof(odst));
3327 bzero(&isrc, sizeof(isrc));
3328 bzero(&idst, sizeof(idst));
3329 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3330 AF_INET;
3331 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3332 sizeof(struct sockaddr_in);
3333 osrc.sin_addr = oip->ip_src;
3334 odst.sin_addr = oip->ip_dst;
3335 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3336 (caddr_t)&isrc.sin_addr);
3337 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3338 (caddr_t)&idst.sin_addr);
3339
3340 /*
3341 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3342 * - if the inner destination is multicast address, there can be
3343 * multiple permissible inner source address. implementation
3344 * may want to skip verification of inner source address against
3345 * SPD selector.
3346 * - if the inner protocol is ICMP, the packet may be an error report
3347 * from routers on the other side of the VPN cloud (R in the
3348 * following diagram). in this case, we cannot verify inner source
3349 * address against SPD selector.
3350 * me -- gw === gw -- R -- you
3351 *
3352 * we consider the first bullet to be users responsibility on SPD entry
3353 * configuration (if you need to encrypt multicast traffic, set
3354 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3355 * address ranges for possible senders).
3356 * the second bullet is not taken care of (yet).
3357 *
3358 * therefore, we do not do anything special about inner source.
3359 */
3360
3361 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3362 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3363 /*
3364 * when there is no suitable inbound policy for the packet of the ipsec
3365 * tunnel mode, the kernel never decapsulate the tunneled packet
3366 * as the ipsec tunnel mode even when the system wide policy is "none".
3367 * then the kernel leaves the generic tunnel module to process this
3368 * packet. if there is no rule of the generic tunnel, the packet
3369 * is rejected and the statistics will be counted up.
3370 */
3371 if (!sp)
3372 return 0;
3373 key_freesp(sp);
3374
3375 return 1;
3376 }
3377
3378 #ifdef INET6
3379 /* validate inbound IPsec tunnel packet. */
3380 int
3381 ipsec6_tunnel_validate(m, off, nxt0, sav)
3382 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3383 int off;
3384 u_int nxt0;
3385 struct secasvar *sav;
3386 {
3387 u_int8_t nxt = nxt0 & 0xff;
3388 struct sockaddr_in6 *sin6;
3389 struct sockaddr_in6 osrc, odst, isrc, idst;
3390 struct secpolicy *sp;
3391 struct ip6_hdr *oip6;
3392
3393 #ifdef DIAGNOSTIC
3394 if (m->m_len < sizeof(struct ip6_hdr))
3395 panic("too short mbuf on ipsec6_tunnel_validate");
3396 #endif
3397 if (nxt != IPPROTO_IPV6)
3398 return 0;
3399 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3400 return 0;
3401 /* do not decapsulate if the SA is for transport mode only */
3402 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3403 return 0;
3404
3405 oip6 = mtod(m, struct ip6_hdr *);
3406
3407 /* AF_INET should be supported, but at this moment we don't. */
3408 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3409 if (sin6->sin6_family != AF_INET6)
3410 return 0;
3411 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3412 return 0;
3413
3414 /* XXX slow */
3415 bzero(&osrc, sizeof(osrc));
3416 bzero(&odst, sizeof(odst));
3417 bzero(&isrc, sizeof(isrc));
3418 bzero(&idst, sizeof(idst));
3419 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3420 idst.sin6_family = AF_INET6;
3421 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3422 sizeof(struct sockaddr_in6);
3423 osrc.sin6_addr = oip6->ip6_src;
3424 odst.sin6_addr = oip6->ip6_dst;
3425 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3426 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3427 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3428 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3429
3430 /*
3431 * regarding to inner source address validation, see a long comment
3432 * in ipsec4_tunnel_validate.
3433 */
3434
3435 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3436 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3437 if (!sp)
3438 return 0;
3439 key_freesp(sp);
3440
3441 return 1;
3442 }
3443 #endif
3444
3445 /*
3446 * Make a mbuf chain for encryption.
3447 * If the original mbuf chain contains a mbuf with a cluster,
3448 * allocate a new cluster and copy the data to the new cluster.
3449 * XXX: this hack is inefficient, but is necessary to handle cases
3450 * of TCP retransmission...
3451 */
3452 struct mbuf *
3453 ipsec_copypkt(m)
3454 struct mbuf *m;
3455 {
3456 struct mbuf *n, **mpp, *mnew;
3457
3458 for (n = m, mpp = &m; n; n = n->m_next) {
3459 if (n->m_flags & M_EXT) {
3460 /*
3461 * Make a copy only if there is more than one
3462 * references to the cluster.
3463 * XXX: is this approach effective?
3464 */
3465 if (!M_WRITABLE(n)) {
3466 int remain, copied;
3467 struct mbuf *mm;
3468
3469 if (n->m_flags & M_PKTHDR) {
3470 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3471 if (mnew == NULL)
3472 goto fail;
3473 M_MOVE_PKTHDR(mnew, n);
3474 }
3475 else {
3476 MGET(mnew, M_DONTWAIT, MT_DATA);
3477 if (mnew == NULL)
3478 goto fail;
3479 }
3480 mnew->m_len = 0;
3481 mm = mnew;
3482
3483 /*
3484 * Copy data. If we don't have enough space to
3485 * store the whole data, allocate a cluster
3486 * or additional mbufs.
3487 * XXX: we don't use m_copyback(), since the
3488 * function does not use clusters and thus is
3489 * inefficient.
3490 */
3491 remain = n->m_len;
3492 copied = 0;
3493 while (1) {
3494 int len;
3495 struct mbuf *mn;
3496
3497 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3498 len = remain;
3499 else { /* allocate a cluster */
3500 MCLGET(mm, M_DONTWAIT);
3501 if (!(mm->m_flags & M_EXT)) {
3502 m_free(mm);
3503 goto fail;
3504 }
3505 len = remain < MCLBYTES ?
3506 remain : MCLBYTES;
3507 }
3508
3509 bcopy(n->m_data + copied, mm->m_data,
3510 len);
3511
3512 copied += len;
3513 remain -= len;
3514 mm->m_len = len;
3515
3516 if (remain <= 0) /* completed? */
3517 break;
3518
3519 /* need another mbuf */
3520 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3521 if (mn == NULL)
3522 goto fail;
3523 mn->m_pkthdr.rcvif = NULL;
3524 mm->m_next = mn;
3525 mm = mn;
3526 }
3527
3528 /* adjust chain */
3529 mm->m_next = m_free(n);
3530 n = mm;
3531 *mpp = mnew;
3532 mpp = &n->m_next;
3533
3534 continue;
3535 }
3536 }
3537 *mpp = n;
3538 mpp = &n->m_next;
3539 }
3540
3541 return (m);
3542 fail:
3543 m_freem(m);
3544 return (NULL);
3545 }
3546
3547 static struct ipsecaux *
3548 ipsec_addaux(m)
3549 struct mbuf *m;
3550 {
3551 struct m_tag *mtag;
3552
3553 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3554 if (mtag == NULL) {
3555 mtag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
3556 sizeof(struct ipsecaux), M_NOWAIT);
3557 if (mtag != NULL)
3558 m_tag_prepend(m, mtag);
3559 }
3560 if (mtag == NULL)
3561 return NULL; /* ENOBUFS */
3562 /* XXX is this necessary? */
3563 bzero((void *)(mtag + 1), sizeof(struct ipsecaux));
3564 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL;
3565 }
3566
3567 static struct ipsecaux *
3568 ipsec_findaux(m)
3569 struct mbuf *m;
3570 {
3571 struct m_tag *mtag;
3572
3573 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3574 return mtag ? (struct ipsecaux *)(mtag + 1) : NULL;
3575 }
3576
3577 void
3578 ipsec_delaux(m)
3579 struct mbuf *m;
3580 {
3581 struct m_tag *mtag;
3582
3583 mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3584 if (mtag != NULL)
3585 m_tag_delete(m, mtag);
3586 }
3587
3588 /* if the aux buffer is unnecessary, nuke it. */
3589 static void
3590 ipsec_optaux(m, aux)
3591 struct mbuf *m;
3592 struct ipsecaux *aux;
3593 {
3594
3595 if (aux == NULL)
3596 return;
3597 ipsec_delaux(m);
3598 }
3599
3600 int
3601 ipsec_addhist(m, proto, spi)
3602 struct mbuf *m;
3603 int proto;
3604 u_int32_t spi;
3605 {
3606 struct ipsecaux *aux;
3607
3608 aux = ipsec_addaux(m);
3609 if (aux == NULL)
3610 return ENOBUFS;
3611 aux->hdrs++;
3612 return 0;
3613 }
3614
3615 int
3616 ipsec_getnhist(m)
3617 struct mbuf *m;
3618 {
3619 struct ipsecaux *aux;
3620
3621 aux = ipsec_findaux(m);
3622 if (aux == NULL)
3623 return 0;
3624 return aux->hdrs;
3625 }
3626
3627 void
3628 ipsec_clearhist(m)
3629 struct mbuf *m;
3630 {
3631 struct ipsecaux *aux;
3632
3633 aux = ipsec_findaux(m);
3634 ipsec_optaux(m, aux);
3635 }
Cache object: aa2112204add920b97d25b6c6ba8aec9
|