FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
1 /* $NetBSD: ipsec.c,v 1.95.2.2 2005/03/16 22:59:06 tron Exp $ */
2 /* $KAME: ipsec.c,v 1.136 2002/05/19 00:36:39 itojun Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #include <sys/cdefs.h>
38 __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.95.2.2 2005/03/16 22:59:06 tron Exp $");
39
40 #include "opt_inet.h"
41 #include "opt_ipsec.h"
42
43 #include <sys/param.h>
44 #include <sys/systm.h>
45 #include <sys/malloc.h>
46 #include <sys/mbuf.h>
47 #include <sys/domain.h>
48 #include <sys/protosw.h>
49 #include <sys/socket.h>
50 #include <sys/socketvar.h>
51 #include <sys/errno.h>
52 #include <sys/time.h>
53 #include <sys/kernel.h>
54 #include <sys/syslog.h>
55 #include <sys/sysctl.h>
56
57 #include <net/if.h>
58 #include <net/route.h>
59
60 #include <netinet/in.h>
61 #include <netinet/in_systm.h>
62 #include <netinet/ip.h>
63 #include <netinet/ip_var.h>
64 #include <netinet/in_var.h>
65 #include <netinet/udp.h>
66 #include <netinet/udp_var.h>
67 #include <netinet/ip_ecn.h>
68 #include <netinet/tcp.h>
69 #include <netinet/udp.h>
70
71 #include <netinet/ip6.h>
72 #ifdef INET6
73 #include <netinet6/ip6_var.h>
74 #endif
75 #include <netinet/in_pcb.h>
76 #ifdef INET6
77 #include <netinet6/in6_pcb.h>
78 #include <netinet/icmp6.h>
79 #endif
80
81 #include <netinet6/ipsec.h>
82 #include <netinet6/ah.h>
83 #ifdef IPSEC_ESP
84 #include <netinet6/esp.h>
85 #endif
86 #include <netinet6/ipcomp.h>
87 #include <netkey/key.h>
88 #include <netkey/keydb.h>
89 #include <netkey/key_debug.h>
90
91 #include <net/net_osdep.h>
92
93 #ifdef IPSEC_DEBUG
94 int ipsec_debug = 1;
95 #else
96 int ipsec_debug = 0;
97 #endif
98
99 struct ipsecstat ipsecstat;
100 int ip4_ah_cleartos = 1;
101 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
102 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
103 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
104 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
105 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
106 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
107 struct secpolicy *ip4_def_policy;
108 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
109
110 #ifdef INET6
111 struct ipsecstat ipsec6stat;
112 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
113 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
114 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
115 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
116 struct secpolicy *ip6_def_policy;
117 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
118
119 #endif /* INET6 */
120
121 u_int ipsec_spdgen = 1; /* SPD generation # */
122
123 #ifdef SADB_X_EXT_TAG
124 static struct pf_tag *ipsec_get_tag __P((struct mbuf *));
125 #endif
126 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
127 struct inpcbpolicy *, int));
128 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
129 struct secpolicy *, int));
130 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int));
131 static int ipsec_setspidx_mbuf
132 __P((struct secpolicyindex *, int, struct mbuf *, int));
133 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
134 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
135 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
136 #ifdef INET6
137 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
138 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
139 #endif
140 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
141 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
142 #if 0
143 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *));
144 #endif
145 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *));
146 static int ipsec_set_policy
147 __P((struct secpolicy **, int, caddr_t, size_t, int));
148 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
149 static void vshiftl __P((unsigned char *, int, int));
150 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
151 static size_t ipsec_hdrsiz __P((struct secpolicy *));
152 #ifdef INET
153 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
154 #endif
155 #ifdef INET6
156 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
157 #endif
158 #ifdef INET
159 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
160 #endif
161 #ifdef INET6
162 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
163 #endif
164 static struct m_tag *ipsec_addaux __P((struct mbuf *));
165 static struct m_tag *ipsec_findaux __P((struct mbuf *));
166 static void ipsec_optaux __P((struct mbuf *, struct m_tag *));
167 #ifdef INET
168 static int ipsec4_checksa __P((struct ipsecrequest *,
169 struct ipsec_output_state *));
170 #endif
171 #ifdef INET6
172 static int ipsec6_checksa __P((struct ipsecrequest *,
173 struct ipsec_output_state *, int));
174 #endif
175
176 /*
177 * try to validate and use cached policy on a pcb.
178 */
179 static struct secpolicy *
180 ipsec_checkpcbcache(m, pcbsp, dir)
181 struct mbuf *m;
182 struct inpcbpolicy *pcbsp;
183 int dir;
184 {
185 struct secpolicyindex spidx;
186
187 switch (dir) {
188 case IPSEC_DIR_INBOUND:
189 case IPSEC_DIR_OUTBOUND:
190 case IPSEC_DIR_ANY:
191 break;
192 default:
193 return NULL;
194 }
195 #ifdef DIAGNOSTIC
196 if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0]))
197 panic("dir too big in ipsec_checkpcbcache");
198 #endif
199 /* SPD table change invalidates all the caches */
200 if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) {
201 ipsec_invalpcbcache(pcbsp, dir);
202 return NULL;
203 }
204 if (!pcbsp->sp_cache[dir].cachesp)
205 return NULL;
206 if (pcbsp->sp_cache[dir].cachesp->state != IPSEC_SPSTATE_ALIVE) {
207 ipsec_invalpcbcache(pcbsp, dir);
208 return NULL;
209 }
210 if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
211 if (!pcbsp->sp_cache[dir].cachesp)
212 return NULL;
213 if (ipsec_setspidx(m, &spidx, 1) != 0)
214 return NULL;
215 if (bcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx,
216 sizeof(spidx))) {
217 if (!pcbsp->sp_cache[dir].cachesp->spidx ||
218 !key_cmpspidx_withmask(pcbsp->sp_cache[dir].cachesp->spidx,
219 &spidx))
220 return NULL;
221 pcbsp->sp_cache[dir].cacheidx = spidx;
222 }
223 } else {
224 /*
225 * The pcb is connected, and the L4 code is sure that:
226 * - outgoing side uses inp_[lf]addr
227 * - incoming side looks up policy after inpcb lookup
228 * and address pair is known to be stable. We do not need
229 * to generate spidx again, nor check the address match again.
230 *
231 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds
232 * and there are calls to ipsec_pcbconn() from in_pcbconnect().
233 */
234 }
235
236 pcbsp->sp_cache[dir].cachesp->lastused = mono_time.tv_sec;
237 pcbsp->sp_cache[dir].cachesp->refcnt++;
238 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
239 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n",
240 pcbsp->sp_cache[dir].cachesp->refcnt,
241 pcbsp->sp_cache[dir].cachesp));
242 return pcbsp->sp_cache[dir].cachesp;
243 }
244
245 static int
246 ipsec_fillpcbcache(pcbsp, m, sp, dir)
247 struct inpcbpolicy *pcbsp;
248 struct mbuf *m;
249 struct secpolicy *sp;
250 int dir;
251 {
252
253 switch (dir) {
254 case IPSEC_DIR_INBOUND:
255 case IPSEC_DIR_OUTBOUND:
256 break;
257 default:
258 return EINVAL;
259 }
260 #ifdef DIAGNOSTIC
261 if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0]))
262 panic("dir too big in ipsec_checkpcbcache");
263 #endif
264
265 if (pcbsp->sp_cache[dir].cachesp)
266 key_freesp(pcbsp->sp_cache[dir].cachesp);
267 pcbsp->sp_cache[dir].cachesp = NULL;
268 pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_MAYBE;
269 if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, 1) != 0) {
270 return EINVAL;
271 }
272 pcbsp->sp_cache[dir].cachesp = sp;
273 if (pcbsp->sp_cache[dir].cachesp) {
274 pcbsp->sp_cache[dir].cachesp->refcnt++;
275 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
276 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n",
277 pcbsp->sp_cache[dir].cachesp->refcnt,
278 pcbsp->sp_cache[dir].cachesp));
279
280 /*
281 * If the PCB is connected, we can remember a hint to
282 * possibly short-circuit IPsec processing in other places.
283 */
284 if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) {
285 switch (pcbsp->sp_cache[dir].cachesp->policy) {
286 case IPSEC_POLICY_NONE:
287 case IPSEC_POLICY_BYPASS:
288 pcbsp->sp_cache[dir].cachehint =
289 IPSEC_PCBHINT_NO;
290 break;
291 default:
292 pcbsp->sp_cache[dir].cachehint =
293 IPSEC_PCBHINT_YES;
294 }
295 }
296 }
297 pcbsp->sp_cache[dir].cachegen = ipsec_spdgen;
298
299 return 0;
300 }
301
302 static int
303 ipsec_invalpcbcache(pcbsp, dir)
304 struct inpcbpolicy *pcbsp;
305 int dir;
306 {
307 int i;
308
309 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
310 if (dir != IPSEC_DIR_ANY && i != dir)
311 continue;
312 if (pcbsp->sp_cache[i].cachesp)
313 key_freesp(pcbsp->sp_cache[i].cachesp);
314 pcbsp->sp_cache[i].cachesp = NULL;
315 pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_MAYBE;
316 pcbsp->sp_cache[i].cachegen = 0;
317 bzero(&pcbsp->sp_cache[i].cacheidx,
318 sizeof(pcbsp->sp_cache[i].cacheidx));
319 }
320 return 0;
321 }
322
323 int
324 ipsec_pcbconn(pcbsp)
325 struct inpcbpolicy *pcbsp;
326 {
327
328 pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED;
329 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
330 return 0;
331 }
332
333 int
334 ipsec_pcbdisconn(pcbsp)
335 struct inpcbpolicy *pcbsp;
336 {
337
338 pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED;
339 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
340 return 0;
341 }
342
343 void
344 ipsec_invalpcbcacheall()
345 {
346
347 if (ipsec_spdgen == UINT_MAX)
348 ipsec_spdgen = 1;
349 else
350 ipsec_spdgen++;
351 }
352
353 #ifdef SADB_X_EXT_TAG
354 static struct pf_tag *
355 ipsec_get_tag(m)
356 struct mbuf *m;
357 {
358 struct m_tag *mtag;
359
360 if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL)
361 return ((struct pf_tag *)(mtag + 1));
362 else
363 return (NULL);
364 }
365 #endif
366
367 /*
368 * For OUTBOUND packet having a socket. Searching SPD for packet,
369 * and return a pointer to SP.
370 * OUT: NULL: no apropreate SP found, the following value is set to error.
371 * 0 : bypass
372 * EACCES : discard packet.
373 * ENOENT : ipsec_acquire() in progress, maybe.
374 * others : error occurred.
375 * others: a pointer to SP
376 *
377 * NOTE: IPv6 mapped adddress concern is implemented here.
378 */
379 struct secpolicy *
380 ipsec4_getpolicybysock(m, dir, so, error)
381 struct mbuf *m;
382 u_int dir;
383 struct socket *so;
384 int *error;
385 {
386 struct inpcbpolicy *pcbsp = NULL;
387 struct secpolicy *currsp = NULL; /* policy on socket */
388 struct secpolicy *kernsp = NULL; /* policy on kernel */
389 struct secpolicyindex spidx;
390 #ifdef SADB_X_EXT_TAG
391 struct pf_tag *t;
392 #endif
393 u_int16_t tag;
394
395 /* sanity check */
396 if (m == NULL || so == NULL || error == NULL)
397 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
398
399 switch (so->so_proto->pr_domain->dom_family) {
400 case AF_INET:
401 pcbsp = sotoinpcb(so)->inp_sp;
402 break;
403 #ifdef INET6
404 case AF_INET6:
405 pcbsp = sotoin6pcb(so)->in6p_sp;
406 break;
407 #endif
408 default:
409 panic("ipsec4_getpolicybysock: unsupported address family");
410 }
411
412 #ifdef DIAGNOSTIC
413 if (pcbsp == NULL)
414 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
415 #endif
416
417 #ifdef SADB_X_EXT_TAG
418 t = ipsec_get_tag(m);
419 tag = t ? t->tag : 0;
420 #else
421 tag = 0;
422 #endif
423
424 /* if we have a cached entry, and if it is still valid, use it. */
425 ipsecstat.spdcachelookup++;
426 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
427 if (currsp) {
428 *error = 0;
429 return currsp;
430 }
431 ipsecstat.spdcachemiss++;
432
433 switch (dir) {
434 case IPSEC_DIR_INBOUND:
435 currsp = pcbsp->sp_in;
436 break;
437 case IPSEC_DIR_OUTBOUND:
438 currsp = pcbsp->sp_out;
439 break;
440 default:
441 panic("ipsec4_getpolicybysock: illegal direction.");
442 }
443
444 /* sanity check */
445 if (currsp == NULL)
446 panic("ipsec4_getpolicybysock: currsp is NULL.");
447
448 /* when privileged socket */
449 if (pcbsp->priv) {
450 switch (currsp->policy) {
451 case IPSEC_POLICY_BYPASS:
452 currsp->refcnt++;
453 *error = 0;
454 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
455 return currsp;
456
457 case IPSEC_POLICY_ENTRUST:
458 /* look for a policy in SPD */
459 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
460 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
461 /* SP found */
462 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
463 printf("DP ipsec4_getpolicybysock called "
464 "to allocate SP:%p\n", kernsp));
465 *error = 0;
466 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
467 return kernsp;
468 }
469
470 /* no SP found */
471 ip4_def_policy->refcnt++;
472 *error = 0;
473 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
474 return ip4_def_policy;
475
476 case IPSEC_POLICY_IPSEC:
477 currsp->refcnt++;
478 *error = 0;
479 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
480 return currsp;
481
482 default:
483 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
484 "Invalid policy for PCB %d\n", currsp->policy));
485 *error = EINVAL;
486 return NULL;
487 }
488 /* NOTREACHED */
489 }
490
491 /* when non-privileged socket */
492 /* look for a policy in SPD */
493 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
494 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
495 /* SP found */
496 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
497 printf("DP ipsec4_getpolicybysock called "
498 "to allocate SP:%p\n", kernsp));
499 *error = 0;
500 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
501 return kernsp;
502 }
503
504 /* no SP found */
505 switch (currsp->policy) {
506 case IPSEC_POLICY_BYPASS:
507 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
508 "Illegal policy for non-privileged defined %d\n",
509 currsp->policy));
510 *error = EINVAL;
511 return NULL;
512
513 case IPSEC_POLICY_ENTRUST:
514 ip4_def_policy->refcnt++;
515 *error = 0;
516 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
517 return ip4_def_policy;
518
519 case IPSEC_POLICY_IPSEC:
520 currsp->refcnt++;
521 *error = 0;
522 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
523 return currsp;
524
525 default:
526 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
527 "Invalid policy for PCB %d\n", currsp->policy));
528 *error = EINVAL;
529 return NULL;
530 }
531 /* NOTREACHED */
532 }
533
534 /*
535 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
536 * and return a pointer to SP.
537 * OUT: positive: a pointer to the entry for security policy leaf matched.
538 * NULL: no apropreate SP found, the following value is set to error.
539 * 0 : bypass
540 * EACCES : discard packet.
541 * ENOENT : ipsec_acquire() in progress, maybe.
542 * others : error occurred.
543 */
544 struct secpolicy *
545 ipsec4_getpolicybyaddr(m, dir, flag, error)
546 struct mbuf *m;
547 u_int dir;
548 int flag;
549 int *error;
550 {
551 struct secpolicy *sp = NULL;
552 #ifdef SADB_X_EXT_TAG
553 struct pf_tag *t;
554 #endif
555 u_int16_t tag;
556
557 /* sanity check */
558 if (m == NULL || error == NULL)
559 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
560
561 /* get a policy entry matched with the packet */
562 {
563 struct secpolicyindex spidx;
564
565 bzero(&spidx, sizeof(spidx));
566
567 /* make an index to look for a policy */
568 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m,
569 (flag & IP_FORWARDING) ? 0 : 1);
570
571 if (*error != 0)
572 return NULL;
573
574 #ifdef SADB_X_EXT_TAG
575 t = ipsec_get_tag(m);
576 tag = t ? t->tag : 0;
577 #else
578 tag = 0;
579 #endif
580
581 sp = key_allocsp(tag, &spidx, dir);
582 }
583
584 /* SP found */
585 if (sp != NULL) {
586 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
587 printf("DP ipsec4_getpolicybyaddr called "
588 "to allocate SP:%p\n", sp));
589 *error = 0;
590 return sp;
591 }
592
593 /* no SP found */
594 ip4_def_policy->refcnt++;
595 *error = 0;
596 return ip4_def_policy;
597 }
598
599 #ifdef INET6
600 /*
601 * For OUTBOUND packet having a socket. Searching SPD for packet,
602 * and return a pointer to SP.
603 * OUT: NULL: no apropreate SP found, the following value is set to error.
604 * 0 : bypass
605 * EACCES : discard packet.
606 * ENOENT : ipsec_acquire() in progress, maybe.
607 * others : error occurred.
608 * others: a pointer to SP
609 */
610 struct secpolicy *
611 ipsec6_getpolicybysock(m, dir, so, error)
612 struct mbuf *m;
613 u_int dir;
614 struct socket *so;
615 int *error;
616 {
617 struct inpcbpolicy *pcbsp = NULL;
618 struct secpolicy *currsp = NULL; /* policy on socket */
619 struct secpolicy *kernsp = NULL; /* policy on kernel */
620 struct secpolicyindex spidx;
621 #ifdef SADB_X_EXT_TAG
622 struct pf_tag *t;
623 #endif
624 u_int16_t tag;
625
626 /* sanity check */
627 if (m == NULL || so == NULL || error == NULL)
628 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
629
630 #ifdef DIAGNOSTIC
631 if (so->so_proto->pr_domain->dom_family != AF_INET6)
632 panic("ipsec6_getpolicybysock: socket domain != inet6");
633 #endif
634
635 pcbsp = sotoin6pcb(so)->in6p_sp;
636
637 #ifdef DIAGNOSTIC
638 if (pcbsp == NULL)
639 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
640 #endif
641
642 #ifdef SADB_X_EXT_TAG
643 t = ipsec_get_tag(m);
644 tag = t ? t->tag : 0;
645 #else
646 tag = 0;
647 #endif
648
649 /* if we have a cached entry, and if it is still valid, use it. */
650 ipsec6stat.spdcachelookup++;
651 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
652 if (currsp) {
653 *error = 0;
654 return currsp;
655 }
656 ipsec6stat.spdcachemiss++;
657
658 switch (dir) {
659 case IPSEC_DIR_INBOUND:
660 currsp = pcbsp->sp_in;
661 break;
662 case IPSEC_DIR_OUTBOUND:
663 currsp = pcbsp->sp_out;
664 break;
665 default:
666 panic("ipsec6_getpolicybysock: illegal direction.");
667 }
668
669 /* sanity check */
670 if (currsp == NULL)
671 panic("ipsec6_getpolicybysock: currsp is NULL.");
672
673 /* when privileged socket */
674 if (pcbsp->priv) {
675 switch (currsp->policy) {
676 case IPSEC_POLICY_BYPASS:
677 currsp->refcnt++;
678 *error = 0;
679 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
680 return currsp;
681
682 case IPSEC_POLICY_ENTRUST:
683 /* look for a policy in SPD */
684 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
685 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
686 /* SP found */
687 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
688 printf("DP ipsec6_getpolicybysock called "
689 "to allocate SP:%p\n", kernsp));
690 *error = 0;
691 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
692 return kernsp;
693 }
694
695 /* no SP found */
696 ip6_def_policy->refcnt++;
697 *error = 0;
698 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
699 return ip6_def_policy;
700
701 case IPSEC_POLICY_IPSEC:
702 currsp->refcnt++;
703 *error = 0;
704 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
705 return currsp;
706
707 default:
708 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
709 "Invalid policy for PCB %d\n", currsp->policy));
710 *error = EINVAL;
711 return NULL;
712 }
713 /* NOTREACHED */
714 }
715
716 /* when non-privileged socket */
717 /* look for a policy in SPD */
718 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
719 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
720 /* SP found */
721 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
722 printf("DP ipsec6_getpolicybysock called "
723 "to allocate SP:%p\n", kernsp));
724 *error = 0;
725 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
726 return kernsp;
727 }
728
729 /* no SP found */
730 switch (currsp->policy) {
731 case IPSEC_POLICY_BYPASS:
732 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
733 "Illegal policy for non-privileged defined %d\n",
734 currsp->policy));
735 *error = EINVAL;
736 return NULL;
737
738 case IPSEC_POLICY_ENTRUST:
739 ip6_def_policy->refcnt++;
740 *error = 0;
741 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
742 return ip6_def_policy;
743
744 case IPSEC_POLICY_IPSEC:
745 currsp->refcnt++;
746 *error = 0;
747 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
748 return currsp;
749
750 default:
751 ipseclog((LOG_ERR,
752 "ipsec6_policybysock: Invalid policy for PCB %d\n",
753 currsp->policy));
754 *error = EINVAL;
755 return NULL;
756 }
757 /* NOTREACHED */
758 }
759
760 /*
761 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
762 * and return a pointer to SP.
763 * `flag' means that packet is to be forwarded whether or not.
764 * flag = 1: forwad
765 * OUT: positive: a pointer to the entry for security policy leaf matched.
766 * NULL: no apropreate SP found, the following value is set to error.
767 * 0 : bypass
768 * EACCES : discard packet.
769 * ENOENT : ipsec_acquire() in progress, maybe.
770 * others : error occurred.
771 */
772 #ifndef IP_FORWARDING
773 #define IP_FORWARDING 1
774 #endif
775
776 struct secpolicy *
777 ipsec6_getpolicybyaddr(m, dir, flag, error)
778 struct mbuf *m;
779 u_int dir;
780 int flag;
781 int *error;
782 {
783 struct secpolicy *sp = NULL;
784 #ifdef SADB_X_EXT_TAG
785 struct pf_tag *t;
786 #endif
787 u_int16_t tag;
788
789 /* sanity check */
790 if (m == NULL || error == NULL)
791 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
792
793 /* get a policy entry matched with the packet */
794 {
795 struct secpolicyindex spidx;
796
797 bzero(&spidx, sizeof(spidx));
798
799 /* make an index to look for a policy */
800 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m,
801 (flag & IP_FORWARDING) ? 0 : 1);
802
803 if (*error != 0)
804 return NULL;
805
806 #ifdef SADB_X_EXT_TAG
807 t = ipsec_get_tag(m);
808 tag = t ? t->tag : 0;
809 #else
810 tag = 0;
811 #endif
812
813 sp = key_allocsp(tag, &spidx, dir);
814 }
815
816 /* SP found */
817 if (sp != NULL) {
818 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
819 printf("DP ipsec6_getpolicybyaddr called "
820 "to allocate SP:%p\n", sp));
821 *error = 0;
822 return sp;
823 }
824
825 /* no SP found */
826 ip6_def_policy->refcnt++;
827 *error = 0;
828 return ip6_def_policy;
829 }
830 #endif /* INET6 */
831
832 /*
833 * set IP address into spidx from mbuf.
834 * When Forwarding packet and ICMP echo reply, this function is used.
835 *
836 * IN: get the followings from mbuf.
837 * protocol family, src, dst, next protocol
838 * OUT:
839 * 0: success.
840 * other: failure, and set errno.
841 */
842 int
843 ipsec_setspidx_mbuf(spidx, family, m, needport)
844 struct secpolicyindex *spidx;
845 int family;
846 struct mbuf *m;
847 int needport;
848 {
849 int error;
850
851 /* sanity check */
852 if (spidx == NULL || m == NULL)
853 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
854
855 bzero(spidx, sizeof(*spidx));
856
857 error = ipsec_setspidx(m, spidx, needport);
858 if (error)
859 goto bad;
860
861 return 0;
862
863 bad:
864 /* XXX initialize */
865 bzero(spidx, sizeof(*spidx));
866 return EINVAL;
867 }
868
869 /*
870 * configure security policy index (src/dst/proto/sport/dport)
871 * by looking at the content of mbuf.
872 * the caller is responsible for error recovery (like clearing up spidx).
873 */
874 static int
875 ipsec_setspidx(m, spidx, needport)
876 struct mbuf *m;
877 struct secpolicyindex *spidx;
878 int needport;
879 {
880 struct ip *ip = NULL;
881 struct ip ipbuf;
882 u_int v;
883 struct mbuf *n;
884 int len;
885 int error;
886
887 if (m == NULL)
888 panic("ipsec_setspidx: m == 0 passed.");
889
890 bzero(spidx, sizeof(*spidx));
891
892 /*
893 * validate m->m_pkthdr.len. we see incorrect length if we
894 * mistakenly call this function with inconsistent mbuf chain
895 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
896 */
897 len = 0;
898 for (n = m; n; n = n->m_next)
899 len += n->m_len;
900 if (m->m_pkthdr.len != len) {
901 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
902 printf("ipsec_setspidx: "
903 "total of m_len(%d) != pkthdr.len(%d), "
904 "ignored.\n",
905 len, m->m_pkthdr.len));
906 return EINVAL;
907 }
908
909 if (m->m_pkthdr.len < sizeof(struct ip)) {
910 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
911 printf("ipsec_setspidx: "
912 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
913 m->m_pkthdr.len));
914 return EINVAL;
915 }
916
917 if (m->m_len >= sizeof(*ip))
918 ip = mtod(m, struct ip *);
919 else {
920 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
921 ip = &ipbuf;
922 }
923 v = ip->ip_v;
924 switch (v) {
925 case 4:
926 error = ipsec4_setspidx_ipaddr(m, spidx);
927 if (error)
928 return error;
929 ipsec4_get_ulp(m, spidx, needport);
930 return 0;
931 #ifdef INET6
932 case 6:
933 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
934 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
935 printf("ipsec_setspidx: "
936 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
937 "ignored.\n", m->m_pkthdr.len));
938 return EINVAL;
939 }
940 error = ipsec6_setspidx_ipaddr(m, spidx);
941 if (error)
942 return error;
943 ipsec6_get_ulp(m, spidx, needport);
944 return 0;
945 #endif
946 default:
947 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
948 printf("ipsec_setspidx: "
949 "unknown IP version %u, ignored.\n", v));
950 return EINVAL;
951 }
952 }
953
954 static void
955 ipsec4_get_ulp(m, spidx, needport)
956 struct mbuf *m;
957 struct secpolicyindex *spidx;
958 int needport;
959 {
960 struct ip ip;
961 struct ip6_ext ip6e;
962 u_int8_t nxt;
963 int off;
964 struct tcphdr th;
965 struct udphdr uh;
966
967 /* sanity check */
968 if (m == NULL)
969 panic("ipsec4_get_ulp: NULL pointer was passed.");
970 if (m->m_pkthdr.len < sizeof(ip))
971 panic("ipsec4_get_ulp: too short");
972
973 /* set default */
974 spidx->ul_proto = IPSEC_ULPROTO_ANY;
975 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
976 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
977
978 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
979 if (ip.ip_off & htons(IP_MF | IP_OFFMASK))
980 return;
981
982 nxt = ip.ip_p;
983 off = ip.ip_hl << 2;
984 while (off < m->m_pkthdr.len) {
985 switch (nxt) {
986 case IPPROTO_TCP:
987 spidx->ul_proto = nxt;
988 if (!needport)
989 return;
990 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
991 return;
992 m_copydata(m, off, sizeof(th), (caddr_t)&th);
993 ((struct sockaddr_in *)&spidx->src)->sin_port =
994 th.th_sport;
995 ((struct sockaddr_in *)&spidx->dst)->sin_port =
996 th.th_dport;
997 return;
998 case IPPROTO_UDP:
999 spidx->ul_proto = nxt;
1000 if (!needport)
1001 return;
1002 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1003 return;
1004 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1005 ((struct sockaddr_in *)&spidx->src)->sin_port =
1006 uh.uh_sport;
1007 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1008 uh.uh_dport;
1009 return;
1010 case IPPROTO_AH:
1011 if (off + sizeof(ip6e) > m->m_pkthdr.len)
1012 return;
1013 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1014 off += (ip6e.ip6e_len + 2) << 2;
1015 nxt = ip6e.ip6e_nxt;
1016 break;
1017 case IPPROTO_ICMP:
1018 default:
1019 /* XXX intermediate headers??? */
1020 spidx->ul_proto = nxt;
1021 return;
1022 }
1023 }
1024 }
1025
1026 /* assumes that m is sane */
1027 static int
1028 ipsec4_setspidx_ipaddr(m, spidx)
1029 struct mbuf *m;
1030 struct secpolicyindex *spidx;
1031 {
1032 struct ip *ip = NULL;
1033 struct ip ipbuf;
1034 struct sockaddr_in *sin;
1035
1036 if (m->m_len >= sizeof(*ip))
1037 ip = mtod(m, struct ip *);
1038 else {
1039 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1040 ip = &ipbuf;
1041 }
1042
1043 sin = (struct sockaddr_in *)&spidx->src;
1044 bzero(sin, sizeof(*sin));
1045 sin->sin_family = AF_INET;
1046 sin->sin_len = sizeof(struct sockaddr_in);
1047 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1048 spidx->prefs = sizeof(struct in_addr) << 3;
1049
1050 sin = (struct sockaddr_in *)&spidx->dst;
1051 bzero(sin, sizeof(*sin));
1052 sin->sin_family = AF_INET;
1053 sin->sin_len = sizeof(struct sockaddr_in);
1054 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1055 spidx->prefd = sizeof(struct in_addr) << 3;
1056 return 0;
1057 }
1058
1059 #ifdef INET6
1060 static void
1061 ipsec6_get_ulp(m, spidx, needport)
1062 struct mbuf *m;
1063 struct secpolicyindex *spidx;
1064 int needport;
1065 {
1066 int off, nxt;
1067 struct tcphdr th;
1068 struct udphdr uh;
1069
1070 /* sanity check */
1071 if (m == NULL)
1072 panic("ipsec6_get_ulp: NULL pointer was passed.");
1073
1074 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1075 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1076
1077 /* set default */
1078 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1079 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1080 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1081
1082 nxt = -1;
1083 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1084 if (off < 0 || m->m_pkthdr.len < off)
1085 return;
1086
1087 switch (nxt) {
1088 case IPPROTO_TCP:
1089 spidx->ul_proto = nxt;
1090 if (!needport)
1091 break;
1092 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1093 break;
1094 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1095 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1096 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1097 break;
1098 case IPPROTO_UDP:
1099 spidx->ul_proto = nxt;
1100 if (!needport)
1101 break;
1102 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1103 break;
1104 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1105 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1106 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1107 break;
1108 case IPPROTO_ICMPV6:
1109 default:
1110 /* XXX intermediate headers??? */
1111 spidx->ul_proto = nxt;
1112 break;
1113 }
1114 }
1115
1116 /* assumes that m is sane */
1117 static int
1118 ipsec6_setspidx_ipaddr(m, spidx)
1119 struct mbuf *m;
1120 struct secpolicyindex *spidx;
1121 {
1122 struct ip6_hdr *ip6 = NULL;
1123 struct ip6_hdr ip6buf;
1124 struct sockaddr_in6 *sin6;
1125
1126 if (m->m_len >= sizeof(*ip6))
1127 ip6 = mtod(m, struct ip6_hdr *);
1128 else {
1129 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1130 ip6 = &ip6buf;
1131 }
1132
1133 sin6 = (struct sockaddr_in6 *)&spidx->src;
1134 bzero(sin6, sizeof(*sin6));
1135 sin6->sin6_family = AF_INET6;
1136 sin6->sin6_len = sizeof(struct sockaddr_in6);
1137 in6_recoverscope(sin6, &ip6->ip6_src, NULL);
1138 spidx->prefs = sizeof(struct in6_addr) << 3;
1139
1140 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1141 bzero(sin6, sizeof(*sin6));
1142 sin6->sin6_family = AF_INET6;
1143 sin6->sin6_len = sizeof(struct sockaddr_in6);
1144 in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
1145 spidx->prefd = sizeof(struct in6_addr) << 3;
1146
1147 return 0;
1148 }
1149 #endif
1150
1151 static struct inpcbpolicy *
1152 ipsec_newpcbpolicy()
1153 {
1154 struct inpcbpolicy *p;
1155
1156 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
1157 return p;
1158 }
1159
1160 static void
1161 ipsec_delpcbpolicy(p)
1162 struct inpcbpolicy *p;
1163 {
1164
1165 free(p, M_SECA);
1166 }
1167
1168 /* initialize policy in PCB */
1169 int
1170 ipsec_init_pcbpolicy(so, pcb_sp)
1171 struct socket *so;
1172 struct inpcbpolicy **pcb_sp;
1173 {
1174 struct inpcbpolicy *new;
1175 static int initialized = 0;
1176 static struct secpolicy *in = NULL, *out = NULL;
1177
1178 /* sanity check. */
1179 if (so == NULL || pcb_sp == NULL)
1180 panic("ipsec_init_pcbpolicy: NULL pointer was passed.");
1181
1182 if (!initialized) {
1183 if ((in = key_newsp(0)) == NULL)
1184 return ENOBUFS;
1185 if ((out = key_newsp(0)) == NULL) {
1186 key_freesp(in);
1187 in = NULL;
1188 return ENOBUFS;
1189 }
1190
1191 in->state = IPSEC_SPSTATE_ALIVE;
1192 in->policy = IPSEC_POLICY_ENTRUST;
1193 in->dir = IPSEC_DIR_INBOUND;
1194 in->readonly = 1;
1195 in->persist = 1;
1196 in->so = NULL;
1197
1198 out->state = IPSEC_SPSTATE_ALIVE;
1199 out->policy = IPSEC_POLICY_ENTRUST;
1200 out->dir = IPSEC_DIR_OUTBOUND;
1201 out->readonly = 1;
1202 out->persist = 1;
1203 out->so = NULL;
1204
1205 initialized++;
1206 }
1207
1208 new = ipsec_newpcbpolicy();
1209 if (new == NULL) {
1210 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n"));
1211 return ENOBUFS;
1212 }
1213 bzero(new, sizeof(*new));
1214
1215 if (so->so_uid == 0) /* XXX */
1216 new->priv = 1;
1217 else
1218 new->priv = 0;
1219
1220 new->sp_in = in;
1221 new->sp_in->refcnt++;
1222 new->sp_out = out;
1223 new->sp_out->refcnt++;
1224
1225 *pcb_sp = new;
1226
1227 return 0;
1228 }
1229
1230 /* copy old ipsec policy into new */
1231 int
1232 ipsec_copy_pcbpolicy(old, new)
1233 struct inpcbpolicy *old, *new;
1234 {
1235
1236 if (new->sp_in)
1237 key_freesp(new->sp_in);
1238 if (old->sp_in->policy == IPSEC_POLICY_IPSEC)
1239 new->sp_in = ipsec_deepcopy_policy(old->sp_in);
1240 else {
1241 new->sp_in = old->sp_in;
1242 new->sp_in->refcnt++;
1243 }
1244
1245 if (new->sp_out)
1246 key_freesp(new->sp_out);
1247 if (old->sp_out->policy == IPSEC_POLICY_IPSEC)
1248 new->sp_out = ipsec_deepcopy_policy(old->sp_out);
1249 else {
1250 new->sp_out = old->sp_out;
1251 new->sp_out->refcnt++;
1252 }
1253
1254 new->priv = old->priv;
1255
1256 return 0;
1257 }
1258
1259 #if 0
1260 static int
1261 ipsec_deepcopy_pcbpolicy(pcb_sp)
1262 struct inpcbpolicy *pcb_sp;
1263 {
1264 struct secpolicy *sp;
1265
1266 sp = ipsec_deepcopy_policy(pcb_sp->sp_in);
1267 if (sp) {
1268 key_freesp(pcb_sp->sp_in);
1269 pcb_sp->sp_in = sp;
1270 } else
1271 return ENOBUFS;
1272
1273 sp = ipsec_deepcopy_policy(pcb_sp->sp_out);
1274 if (sp) {
1275 key_freesp(pcb_sp->sp_out);
1276 pcb_sp->sp_out = sp;
1277 } else
1278 return ENOBUFS;
1279
1280 return 0;
1281 }
1282 #endif
1283
1284 /* deep-copy a policy in PCB */
1285 static struct secpolicy *
1286 ipsec_deepcopy_policy(src)
1287 struct secpolicy *src;
1288 {
1289 struct ipsecrequest *newchain = NULL;
1290 struct ipsecrequest *p;
1291 struct ipsecrequest **q;
1292 struct ipsecrequest *r;
1293 struct secpolicy *dst;
1294
1295 if (src == NULL)
1296 return NULL;
1297
1298 dst = key_newsp(0);
1299 if (dst == NULL)
1300 return NULL;
1301
1302 /*
1303 * deep-copy IPsec request chain. This is required since struct
1304 * ipsecrequest is not reference counted.
1305 */
1306 q = &newchain;
1307 for (p = src->req; p; p = p->next) {
1308 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
1309 M_SECA, M_NOWAIT);
1310 if (*q == NULL)
1311 goto fail;
1312 bzero(*q, sizeof(**q));
1313 (*q)->next = NULL;
1314
1315 (*q)->saidx.proto = p->saidx.proto;
1316 (*q)->saidx.mode = p->saidx.mode;
1317 (*q)->level = p->level;
1318 (*q)->saidx.reqid = p->saidx.reqid;
1319
1320 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1321 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1322
1323 (*q)->sav = NULL;
1324 (*q)->sp = dst;
1325
1326 q = &((*q)->next);
1327 }
1328
1329 if (src->spidx)
1330 if (keydb_setsecpolicyindex(dst, src->spidx) != 0)
1331 goto fail;
1332
1333 dst->req = newchain;
1334 dst->state = src->state;
1335 dst->policy = src->policy;
1336 dst->dir = src->dir;
1337 dst->so = src->so;
1338 /* do not touch the refcnt fields */
1339
1340 return dst;
1341
1342 fail:
1343 for (p = newchain; p; p = r) {
1344 r = p->next;
1345 free(p, M_SECA);
1346 p = NULL;
1347 }
1348 key_freesp(dst);
1349 return NULL;
1350 }
1351
1352 /* set policy and ipsec request if present. */
1353 static int
1354 ipsec_set_policy(spp, optname, request, len, priv)
1355 struct secpolicy **spp;
1356 int optname;
1357 caddr_t request;
1358 size_t len;
1359 int priv;
1360 {
1361 struct sadb_x_policy *xpl;
1362 struct secpolicy *newsp = NULL;
1363 int error;
1364
1365 /* sanity check. */
1366 if (spp == NULL || *spp == NULL || request == NULL)
1367 return EINVAL;
1368 if (len < sizeof(*xpl))
1369 return EINVAL;
1370 xpl = (struct sadb_x_policy *)request;
1371
1372 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1373 printf("ipsec_set_policy: passed policy\n");
1374 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1375
1376 /* check policy type */
1377 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1378 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
1379 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1380 return EINVAL;
1381
1382 /* check privileged socket */
1383 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1384 return EACCES;
1385
1386 /* allocation new SP entry */
1387 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1388 return error;
1389
1390 newsp->state = IPSEC_SPSTATE_ALIVE;
1391
1392 /* clear old SP and set new SP */
1393 key_freesp(*spp);
1394 *spp = newsp;
1395 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1396 printf("ipsec_set_policy: new policy\n");
1397 kdebug_secpolicy(newsp));
1398
1399 return 0;
1400 }
1401
1402 static int
1403 ipsec_get_policy(sp, mp)
1404 struct secpolicy *sp;
1405 struct mbuf **mp;
1406 {
1407
1408 /* sanity check. */
1409 if (sp == NULL || mp == NULL)
1410 return EINVAL;
1411
1412 *mp = key_sp2msg(sp);
1413 if (!*mp) {
1414 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1415 return ENOBUFS;
1416 }
1417
1418 (*mp)->m_type = MT_SOOPTS;
1419 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1420 printf("ipsec_get_policy:\n");
1421 kdebug_mbuf(*mp));
1422
1423 return 0;
1424 }
1425
1426 int
1427 ipsec4_set_policy(inp, optname, request, len, priv)
1428 struct inpcb *inp;
1429 int optname;
1430 caddr_t request;
1431 size_t len;
1432 int priv;
1433 {
1434 struct sadb_x_policy *xpl;
1435 struct secpolicy **spp;
1436
1437 /* sanity check. */
1438 if (inp == NULL || request == NULL)
1439 return EINVAL;
1440 if (len < sizeof(*xpl))
1441 return EINVAL;
1442 xpl = (struct sadb_x_policy *)request;
1443
1444 /* select direction */
1445 switch (xpl->sadb_x_policy_dir) {
1446 case IPSEC_DIR_INBOUND:
1447 spp = &inp->inp_sp->sp_in;
1448 break;
1449 case IPSEC_DIR_OUTBOUND:
1450 spp = &inp->inp_sp->sp_out;
1451 break;
1452 default:
1453 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1454 xpl->sadb_x_policy_dir));
1455 return EINVAL;
1456 }
1457
1458 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1459 return ipsec_set_policy(spp, optname, request, len, priv);
1460 }
1461
1462 int
1463 ipsec4_get_policy(inp, request, len, mp)
1464 struct inpcb *inp;
1465 caddr_t request;
1466 size_t len;
1467 struct mbuf **mp;
1468 {
1469 struct sadb_x_policy *xpl;
1470 struct secpolicy *sp;
1471
1472 /* sanity check. */
1473 if (inp == NULL || request == NULL || mp == NULL)
1474 return EINVAL;
1475 if (inp->inp_sp == NULL)
1476 panic("policy in PCB is NULL");
1477 if (len < sizeof(*xpl))
1478 return EINVAL;
1479 xpl = (struct sadb_x_policy *)request;
1480
1481 /* select direction */
1482 switch (xpl->sadb_x_policy_dir) {
1483 case IPSEC_DIR_INBOUND:
1484 sp = inp->inp_sp->sp_in;
1485 break;
1486 case IPSEC_DIR_OUTBOUND:
1487 sp = inp->inp_sp->sp_out;
1488 break;
1489 default:
1490 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n",
1491 xpl->sadb_x_policy_dir));
1492 return EINVAL;
1493 }
1494
1495 return ipsec_get_policy(sp, mp);
1496 }
1497
1498 /* delete policy in PCB */
1499 int
1500 ipsec4_delete_pcbpolicy(inp)
1501 struct inpcb *inp;
1502 {
1503 /* sanity check. */
1504 if (inp == NULL)
1505 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1506
1507 if (inp->inp_sp == NULL)
1508 return 0;
1509
1510 if (inp->inp_sp->sp_in != NULL) {
1511 key_freesp(inp->inp_sp->sp_in);
1512 inp->inp_sp->sp_in = NULL;
1513 }
1514
1515 if (inp->inp_sp->sp_out != NULL) {
1516 key_freesp(inp->inp_sp->sp_out);
1517 inp->inp_sp->sp_out = NULL;
1518 }
1519
1520 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1521
1522 ipsec_delpcbpolicy(inp->inp_sp);
1523 inp->inp_sp = NULL;
1524
1525 return 0;
1526 }
1527
1528 #ifdef INET6
1529 int
1530 ipsec6_set_policy(in6p, optname, request, len, priv)
1531 struct in6pcb *in6p;
1532 int optname;
1533 caddr_t request;
1534 size_t len;
1535 int priv;
1536 {
1537 struct sadb_x_policy *xpl;
1538 struct secpolicy **spp;
1539
1540 /* sanity check. */
1541 if (in6p == NULL || request == NULL)
1542 return EINVAL;
1543 if (len < sizeof(*xpl))
1544 return EINVAL;
1545 xpl = (struct sadb_x_policy *)request;
1546
1547 /* select direction */
1548 switch (xpl->sadb_x_policy_dir) {
1549 case IPSEC_DIR_INBOUND:
1550 spp = &in6p->in6p_sp->sp_in;
1551 break;
1552 case IPSEC_DIR_OUTBOUND:
1553 spp = &in6p->in6p_sp->sp_out;
1554 break;
1555 default:
1556 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1557 xpl->sadb_x_policy_dir));
1558 return EINVAL;
1559 }
1560
1561 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1562 return ipsec_set_policy(spp, optname, request, len, priv);
1563 }
1564
1565 int
1566 ipsec6_get_policy(in6p, request, len, mp)
1567 struct in6pcb *in6p;
1568 caddr_t request;
1569 size_t len;
1570 struct mbuf **mp;
1571 {
1572 struct sadb_x_policy *xpl;
1573 struct secpolicy *sp;
1574
1575 /* sanity check. */
1576 if (in6p == NULL || request == NULL || mp == NULL)
1577 return EINVAL;
1578 if (in6p->in6p_sp == NULL)
1579 panic("policy in PCB is NULL");
1580 if (len < sizeof(*xpl))
1581 return EINVAL;
1582 xpl = (struct sadb_x_policy *)request;
1583
1584 /* select direction */
1585 switch (xpl->sadb_x_policy_dir) {
1586 case IPSEC_DIR_INBOUND:
1587 sp = in6p->in6p_sp->sp_in;
1588 break;
1589 case IPSEC_DIR_OUTBOUND:
1590 sp = in6p->in6p_sp->sp_out;
1591 break;
1592 default:
1593 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n",
1594 xpl->sadb_x_policy_dir));
1595 return EINVAL;
1596 }
1597
1598 return ipsec_get_policy(sp, mp);
1599 }
1600
1601 int
1602 ipsec6_delete_pcbpolicy(in6p)
1603 struct in6pcb *in6p;
1604 {
1605 /* sanity check. */
1606 if (in6p == NULL)
1607 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1608
1609 if (in6p->in6p_sp == NULL)
1610 return 0;
1611
1612 if (in6p->in6p_sp->sp_in != NULL) {
1613 key_freesp(in6p->in6p_sp->sp_in);
1614 in6p->in6p_sp->sp_in = NULL;
1615 }
1616
1617 if (in6p->in6p_sp->sp_out != NULL) {
1618 key_freesp(in6p->in6p_sp->sp_out);
1619 in6p->in6p_sp->sp_out = NULL;
1620 }
1621
1622 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1623
1624 ipsec_delpcbpolicy(in6p->in6p_sp);
1625 in6p->in6p_sp = NULL;
1626
1627 return 0;
1628 }
1629 #endif
1630
1631 /*
1632 * return current level.
1633 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1634 */
1635 u_int
1636 ipsec_get_reqlevel(isr, af)
1637 struct ipsecrequest *isr;
1638 int af;
1639 {
1640 u_int level = 0;
1641 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1642
1643 /* sanity check */
1644 if (isr == NULL || isr->sp == NULL)
1645 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1646
1647 /* set default level */
1648 switch (af) {
1649 #ifdef INET
1650 case AF_INET:
1651 esp_trans_deflev = ip4_esp_trans_deflev;
1652 esp_net_deflev = ip4_esp_net_deflev;
1653 ah_trans_deflev = ip4_ah_trans_deflev;
1654 ah_net_deflev = ip4_ah_net_deflev;
1655 break;
1656 #endif
1657 #ifdef INET6
1658 case AF_INET6:
1659 esp_trans_deflev = ip6_esp_trans_deflev;
1660 esp_net_deflev = ip6_esp_net_deflev;
1661 ah_trans_deflev = ip6_ah_trans_deflev;
1662 ah_net_deflev = ip6_ah_net_deflev;
1663 break;
1664 #endif /* INET6 */
1665 default:
1666 panic("key_get_reqlevel: Unknown family. %d",
1667 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family);
1668 }
1669
1670 /* set level */
1671 switch (isr->level) {
1672 case IPSEC_LEVEL_DEFAULT:
1673 switch (isr->saidx.proto) {
1674 case IPPROTO_ESP:
1675 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1676 level = esp_net_deflev;
1677 else
1678 level = esp_trans_deflev;
1679 break;
1680 case IPPROTO_AH:
1681 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1682 level = ah_net_deflev;
1683 else
1684 level = ah_trans_deflev;
1685 case IPPROTO_IPCOMP:
1686 /*
1687 * we don't really care, as IPcomp document says that
1688 * we shouldn't compress small packets
1689 */
1690 level = IPSEC_LEVEL_USE;
1691 break;
1692 case IPPROTO_IPV4:
1693 case IPPROTO_IPV6:
1694 /* should never go into here */
1695 level = IPSEC_LEVEL_REQUIRE;
1696 break;
1697 default:
1698 panic("ipsec_get_reqlevel: "
1699 "Illegal protocol defined %u\n",
1700 isr->saidx.proto);
1701 }
1702 break;
1703
1704 case IPSEC_LEVEL_USE:
1705 case IPSEC_LEVEL_REQUIRE:
1706 level = isr->level;
1707 break;
1708 case IPSEC_LEVEL_UNIQUE:
1709 level = IPSEC_LEVEL_REQUIRE;
1710 break;
1711
1712 default:
1713 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1714 isr->level);
1715 }
1716
1717 return level;
1718 }
1719
1720 /*
1721 * Check AH/ESP integrity.
1722 * OUT:
1723 * 0: valid
1724 * 1: invalid
1725 */
1726 static int
1727 ipsec_in_reject(sp, m)
1728 struct secpolicy *sp;
1729 struct mbuf *m;
1730 {
1731 struct ipsecrequest *isr;
1732 u_int level;
1733 int need_auth, need_conf, need_icv;
1734
1735 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1736 printf("ipsec_in_reject: using SP\n");
1737 kdebug_secpolicy(sp));
1738
1739 /* check policy */
1740 switch (sp->policy) {
1741 case IPSEC_POLICY_DISCARD:
1742 return 1;
1743 case IPSEC_POLICY_BYPASS:
1744 case IPSEC_POLICY_NONE:
1745 return 0;
1746
1747 case IPSEC_POLICY_IPSEC:
1748 break;
1749
1750 case IPSEC_POLICY_ENTRUST:
1751 default:
1752 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy);
1753 }
1754
1755 need_auth = 0;
1756 need_conf = 0;
1757 need_icv = 0;
1758
1759 /* XXX should compare policy against ipsec header history */
1760
1761 for (isr = sp->req; isr != NULL; isr = isr->next) {
1762 /* get current level */
1763 level = ipsec_get_reqlevel(isr, AF_INET);
1764
1765 switch (isr->saidx.proto) {
1766 case IPPROTO_ESP:
1767 if (level == IPSEC_LEVEL_REQUIRE) {
1768 need_conf++;
1769
1770 if (isr->sav != NULL
1771 && isr->sav->flags == SADB_X_EXT_NONE
1772 && isr->sav->alg_auth != SADB_AALG_NONE)
1773 need_icv++;
1774 }
1775 break;
1776 case IPPROTO_AH:
1777 if (level == IPSEC_LEVEL_REQUIRE) {
1778 need_auth++;
1779 need_icv++;
1780 }
1781 break;
1782 case IPPROTO_IPCOMP:
1783 /*
1784 * we don't really care, as IPcomp document says that
1785 * we shouldn't compress small packets, IPComp policy
1786 * should always be treated as being in "use" level.
1787 */
1788 break;
1789 case IPPROTO_IPV4:
1790 case IPPROTO_IPV6:
1791 /*
1792 * XXX what shall we do, until introducing more complex
1793 * policy checking code?
1794 */
1795 break;
1796 }
1797 }
1798
1799 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1800 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1801 need_auth, need_conf, need_icv, m->m_flags));
1802
1803 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1804 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1805 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1806 return 1;
1807
1808 return 0;
1809 }
1810
1811 /*
1812 * Check AH/ESP integrity.
1813 * This function is called from tcp_input(), udp_input(),
1814 * and {ah,esp}4_input for tunnel mode
1815 */
1816 int
1817 ipsec4_in_reject_so(m, so)
1818 struct mbuf *m;
1819 struct socket *so;
1820 {
1821 struct secpolicy *sp = NULL;
1822 int error;
1823 int result;
1824
1825 /* sanity check */
1826 if (m == NULL)
1827 return 0; /* XXX should be panic ? */
1828
1829 /* get SP for this packet.
1830 * When we are called from ip_forward(), we call
1831 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1832 */
1833 if (so == NULL)
1834 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1835 IP_FORWARDING, &error);
1836 else
1837 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1838
1839 /* XXX should be panic ? -> No, there may be error. */
1840 if (sp == NULL)
1841 return 0;
1842
1843 result = ipsec_in_reject(sp, m);
1844 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1845 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1846 key_freesp(sp);
1847
1848 return result;
1849 }
1850
1851 int
1852 ipsec4_in_reject(m, inp)
1853 struct mbuf *m;
1854 struct inpcb *inp;
1855 {
1856 if (inp == NULL)
1857 return ipsec4_in_reject_so(m, NULL);
1858 if (inp->inp_socket)
1859 return ipsec4_in_reject_so(m, inp->inp_socket);
1860 else
1861 panic("ipsec4_in_reject: invalid inpcb/socket");
1862 }
1863
1864 #ifdef INET6
1865 /*
1866 * Check AH/ESP integrity.
1867 * This function is called from tcp6_input(), udp6_input(),
1868 * and {ah,esp}6_input for tunnel mode
1869 */
1870 int
1871 ipsec6_in_reject_so(m, so)
1872 struct mbuf *m;
1873 struct socket *so;
1874 {
1875 struct secpolicy *sp = NULL;
1876 int error;
1877 int result;
1878
1879 /* sanity check */
1880 if (m == NULL)
1881 return 0; /* XXX should be panic ? */
1882
1883 /* get SP for this packet.
1884 * When we are called from ip_forward(), we call
1885 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1886 */
1887 if (so == NULL)
1888 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1889 IP_FORWARDING, &error);
1890 else
1891 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1892
1893 if (sp == NULL)
1894 return 0; /* XXX should be panic ? */
1895
1896 result = ipsec_in_reject(sp, m);
1897 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1898 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
1899 key_freesp(sp);
1900
1901 return result;
1902 }
1903
1904 int
1905 ipsec6_in_reject(m, in6p)
1906 struct mbuf *m;
1907 struct in6pcb *in6p;
1908 {
1909 if (in6p == NULL)
1910 return ipsec6_in_reject_so(m, NULL);
1911 if (in6p->in6p_socket)
1912 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1913 else
1914 panic("ipsec6_in_reject: invalid in6p/socket");
1915 }
1916 #endif
1917
1918 /*
1919 * compute the byte size to be occupied by IPsec header.
1920 * in case it is tunneled, it includes the size of outer IP header.
1921 * NOTE: SP passed is free in this function.
1922 */
1923 static size_t
1924 ipsec_hdrsiz(sp)
1925 struct secpolicy *sp;
1926 {
1927 struct ipsecrequest *isr;
1928 size_t siz, clen;
1929
1930 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1931 printf("ipsec_hdrsiz: using SP\n");
1932 kdebug_secpolicy(sp));
1933
1934 /* check policy */
1935 switch (sp->policy) {
1936 case IPSEC_POLICY_DISCARD:
1937 case IPSEC_POLICY_BYPASS:
1938 case IPSEC_POLICY_NONE:
1939 return 0;
1940
1941 case IPSEC_POLICY_IPSEC:
1942 break;
1943
1944 case IPSEC_POLICY_ENTRUST:
1945 default:
1946 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1947 }
1948
1949 siz = 0;
1950
1951 for (isr = sp->req; isr != NULL; isr = isr->next) {
1952
1953 clen = 0;
1954
1955 switch (isr->saidx.proto) {
1956 case IPPROTO_ESP:
1957 #ifdef IPSEC_ESP
1958 clen = esp_hdrsiz(isr);
1959 #else
1960 clen = 0; /* XXX */
1961 #endif
1962 break;
1963 case IPPROTO_AH:
1964 clen = ah_hdrsiz(isr);
1965 break;
1966 case IPPROTO_IPCOMP:
1967 clen = sizeof(struct ipcomp);
1968 break;
1969 case IPPROTO_IPV4:
1970 case IPPROTO_IPV6:
1971 /* the next "if" clause will compute it */
1972 clen = 0;
1973 break;
1974 }
1975
1976 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1977 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1978 case AF_INET:
1979 clen += sizeof(struct ip);
1980 break;
1981 #ifdef INET6
1982 case AF_INET6:
1983 clen += sizeof(struct ip6_hdr);
1984 break;
1985 #endif
1986 default:
1987 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1988 "unknown AF %d in IPsec tunnel SA\n",
1989 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1990 break;
1991 }
1992 }
1993 siz += clen;
1994 }
1995
1996 return siz;
1997 }
1998
1999 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
2000 size_t
2001 ipsec4_hdrsiz(m, dir, inp)
2002 struct mbuf *m;
2003 u_int dir;
2004 struct inpcb *inp;
2005 {
2006 struct secpolicy *sp = NULL;
2007 int error;
2008 size_t size;
2009
2010 /* sanity check */
2011 if (m == NULL)
2012 return 0; /* XXX should be panic ? */
2013 if (inp != NULL && inp->inp_socket == NULL)
2014 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
2015
2016 /* get SP for this packet.
2017 * When we are called from ip_forward(), we call
2018 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
2019 */
2020 if (inp == NULL)
2021 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2022 else
2023 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
2024
2025 if (sp == NULL)
2026 return 0; /* XXX should be panic ? */
2027
2028 size = ipsec_hdrsiz(sp);
2029 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2030 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
2031 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2032 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
2033 key_freesp(sp);
2034
2035 return size;
2036 }
2037
2038 #ifdef INET6
2039 /* This function is called from ipsec6_hdrsize_tcp(),
2040 * and maybe from ip6_forward.()
2041 */
2042 size_t
2043 ipsec6_hdrsiz(m, dir, in6p)
2044 struct mbuf *m;
2045 u_int dir;
2046 struct in6pcb *in6p;
2047 {
2048 struct secpolicy *sp = NULL;
2049 int error;
2050 size_t size;
2051
2052 /* sanity check */
2053 if (m == NULL)
2054 return 0; /* XXX should be panic ? */
2055 if (in6p != NULL && in6p->in6p_socket == NULL)
2056 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2057
2058 /* get SP for this packet */
2059 /* XXX Is it right to call with IP_FORWARDING. */
2060 if (in6p == NULL)
2061 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2062 else
2063 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
2064
2065 if (sp == NULL)
2066 return 0;
2067 size = ipsec_hdrsiz(sp);
2068 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2069 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
2070 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2071 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
2072 key_freesp(sp);
2073
2074 return size;
2075 }
2076 #endif /* INET6 */
2077
2078 #ifdef INET
2079 /*
2080 * encapsulate for ipsec tunnel.
2081 * ip->ip_src must be fixed later on.
2082 */
2083 static int
2084 ipsec4_encapsulate(m, sav)
2085 struct mbuf *m;
2086 struct secasvar *sav;
2087 {
2088 struct ip *oip;
2089 struct ip *ip;
2090 size_t hlen;
2091 size_t plen;
2092
2093 /* can't tunnel between different AFs */
2094 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2095 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2096 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2097 m_freem(m);
2098 return EINVAL;
2099 }
2100 #if 0
2101 /* XXX if the dst is myself, perform nothing. */
2102 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2103 m_freem(m);
2104 return EINVAL;
2105 }
2106 #endif
2107
2108 if (m->m_len < sizeof(*ip))
2109 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2110
2111 ip = mtod(m, struct ip *);
2112 hlen = ip->ip_hl << 2;
2113
2114 if (m->m_len != hlen)
2115 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2116
2117 /* generate header checksum */
2118 ip->ip_sum = 0;
2119 ip->ip_sum = in_cksum(m, hlen);
2120
2121 plen = m->m_pkthdr.len;
2122
2123 /*
2124 * grow the mbuf to accomodate the new IPv4 header.
2125 * NOTE: IPv4 options will never be copied.
2126 */
2127 if (M_LEADINGSPACE(m->m_next) < hlen) {
2128 struct mbuf *n;
2129 MGET(n, M_DONTWAIT, MT_DATA);
2130 if (!n) {
2131 m_freem(m);
2132 return ENOBUFS;
2133 }
2134 n->m_len = hlen;
2135 n->m_next = m->m_next;
2136 m->m_next = n;
2137 } else {
2138 m->m_next->m_len += hlen;
2139 m->m_next->m_data -= hlen;
2140 }
2141 oip = mtod(m->m_next, struct ip *);
2142 m->m_pkthdr.len += hlen;
2143 ip = mtod(m, struct ip *);
2144 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2145 m->m_len = sizeof(struct ip);
2146 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2147
2148 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2149 /* ECN consideration. */
2150 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2151 ip->ip_hl = sizeof(struct ip) >> 2;
2152 ip->ip_off &= htons(~IP_OFFMASK);
2153 ip->ip_off &= htons(~IP_MF);
2154 switch (ip4_ipsec_dfbit) {
2155 case 0: /* clear DF bit */
2156 ip->ip_off &= htons(~IP_DF);
2157 break;
2158 case 1: /* set DF bit */
2159 ip->ip_off |= htons(IP_DF);
2160 break;
2161 default: /* copy DF bit */
2162 break;
2163 }
2164 ip->ip_p = IPPROTO_IPIP;
2165 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2166 ip->ip_len = htons(plen + sizeof(struct ip));
2167 else {
2168 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2169 "leave ip_len as is (invalid packet)\n"));
2170 }
2171 ip->ip_id = ip_newid();
2172 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2173 &ip->ip_src, sizeof(ip->ip_src));
2174 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2175 &ip->ip_dst, sizeof(ip->ip_dst));
2176 ip->ip_ttl = IPDEFTTL;
2177
2178 /* XXX Should ip_src be updated later ? */
2179
2180 return 0;
2181 }
2182 #endif /* INET */
2183
2184 #ifdef INET6
2185 static int
2186 ipsec6_encapsulate(m, sav)
2187 struct mbuf *m;
2188 struct secasvar *sav;
2189 {
2190 struct ip6_hdr *oip6;
2191 struct ip6_hdr *ip6;
2192 size_t plen;
2193
2194 /* can't tunnel between different AFs */
2195 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2196 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2197 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2198 m_freem(m);
2199 return EINVAL;
2200 }
2201 #if 0
2202 /* XXX if the dst is myself, perform nothing. */
2203 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2204 m_freem(m);
2205 return EINVAL;
2206 }
2207 #endif
2208
2209 plen = m->m_pkthdr.len;
2210
2211 /*
2212 * grow the mbuf to accomodate the new IPv6 header.
2213 */
2214 if (m->m_len != sizeof(struct ip6_hdr))
2215 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2216 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2217 struct mbuf *n;
2218 MGET(n, M_DONTWAIT, MT_DATA);
2219 if (!n) {
2220 m_freem(m);
2221 return ENOBUFS;
2222 }
2223 n->m_len = sizeof(struct ip6_hdr);
2224 n->m_next = m->m_next;
2225 m->m_next = n;
2226 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2227 oip6 = mtod(n, struct ip6_hdr *);
2228 } else {
2229 m->m_next->m_len += sizeof(struct ip6_hdr);
2230 m->m_next->m_data -= sizeof(struct ip6_hdr);
2231 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2232 oip6 = mtod(m->m_next, struct ip6_hdr *);
2233 }
2234 ip6 = mtod(m, struct ip6_hdr *);
2235 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2236
2237 /* Fake link-local scope-class addresses */
2238 in6_clearscope(&oip6->ip6_src);
2239 in6_clearscope(&oip6->ip6_dst);
2240
2241 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2242 /* ECN consideration. */
2243 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2244 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2245 ip6->ip6_plen = htons(plen);
2246 else {
2247 /* ip6->ip6_plen will be updated in ip6_output() */
2248 }
2249 ip6->ip6_nxt = IPPROTO_IPV6;
2250 in6_embedscope(&ip6->ip6_src,
2251 (struct sockaddr_in6 *)&sav->sah->saidx.src, NULL, NULL);
2252 in6_embedscope(&ip6->ip6_dst,
2253 (struct sockaddr_in6 *)&sav->sah->saidx.dst, NULL, NULL);
2254 ip6->ip6_hlim = IPV6_DEFHLIM;
2255
2256 /* XXX Should ip6_src be updated later ? */
2257
2258 return 0;
2259 }
2260 #endif /* INET6 */
2261
2262 /*
2263 * Check the variable replay window.
2264 * ipsec_chkreplay() performs replay check before ICV verification.
2265 * ipsec_updatereplay() updates replay bitmap. This must be called after
2266 * ICV verification (it also performs replay check, which is usually done
2267 * beforehand).
2268 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2269 *
2270 * based on RFC 2401.
2271 *
2272 * XXX need to update for 64bit sequence number - 2401bis
2273 */
2274 int
2275 ipsec_chkreplay(seq, sav)
2276 u_int32_t seq;
2277 struct secasvar *sav;
2278 {
2279 const struct secreplay *replay;
2280 u_int32_t diff;
2281 int fr;
2282 u_int32_t wsizeb; /* constant: bits of window size */
2283 int frlast; /* constant: last frame */
2284
2285 /* sanity check */
2286 if (sav == NULL)
2287 panic("ipsec_chkreplay: NULL pointer was passed.");
2288
2289 replay = sav->replay;
2290
2291 if (replay->wsize == 0)
2292 return 1; /* no need to check replay. */
2293
2294 /* constant */
2295 frlast = replay->wsize - 1;
2296 wsizeb = replay->wsize << 3;
2297
2298 /* sequence number of 0 is invalid */
2299 if (seq == 0)
2300 return 0;
2301
2302 /* first time is always okay */
2303 if (replay->count == 0)
2304 return 1;
2305
2306 if (seq > replay->lastseq) {
2307 /* larger sequences are okay */
2308 return 1;
2309 } else {
2310 /* seq is equal or less than lastseq. */
2311 diff = replay->lastseq - seq;
2312
2313 /* over range to check, i.e. too old or wrapped */
2314 if (diff >= wsizeb)
2315 return 0;
2316
2317 fr = frlast - diff / 8;
2318
2319 /* this packet already seen ? */
2320 if (replay->bitmap[fr] & (1 << (diff % 8)))
2321 return 0;
2322
2323 /* out of order but good */
2324 return 1;
2325 }
2326 }
2327
2328 /*
2329 * check replay counter whether to update or not.
2330 * OUT: 0: OK
2331 * 1: NG
2332 * XXX need to update for 64bit sequence number - 2401bis
2333 */
2334 int
2335 ipsec_updatereplay(seq, sav)
2336 u_int32_t seq;
2337 struct secasvar *sav;
2338 {
2339 struct secreplay *replay;
2340 u_int64_t diff;
2341 int fr;
2342 u_int32_t wsizeb; /* constant: bits of window size */
2343 int frlast; /* constant: last frame */
2344
2345 /* sanity check */
2346 if (sav == NULL)
2347 panic("ipsec_chkreplay: NULL pointer was passed.");
2348
2349 replay = sav->replay;
2350
2351 if (replay->wsize == 0)
2352 goto ok; /* no need to check replay. */
2353
2354 /* constant */
2355 frlast = replay->wsize - 1;
2356 wsizeb = replay->wsize << 3;
2357
2358 /* sequence number of 0 is invalid */
2359 if (seq == 0)
2360 return 1;
2361
2362 /* first time */
2363 if (replay->count == 0) {
2364 replay->lastseq = seq;
2365 bzero(replay->bitmap, replay->wsize);
2366 replay->bitmap[frlast] = 1;
2367 goto ok;
2368 }
2369
2370 if (seq > replay->lastseq) {
2371 /* seq is larger than lastseq. */
2372 diff = seq - replay->lastseq;
2373
2374 /* new larger sequence number */
2375 if (diff < wsizeb) {
2376 /* In window */
2377 /* set bit for this packet */
2378 vshiftl(replay->bitmap, diff, replay->wsize);
2379 replay->bitmap[frlast] |= 1;
2380 } else {
2381 /* this packet has a "way larger" */
2382 bzero(replay->bitmap, replay->wsize);
2383 replay->bitmap[frlast] = 1;
2384 }
2385 replay->lastseq = seq;
2386
2387 /* larger is good */
2388 } else {
2389 /* seq is equal or less than lastseq. */
2390 diff = replay->lastseq - seq;
2391
2392 /* over range to check, i.e. too old or wrapped */
2393 if (diff >= wsizeb)
2394 return 1;
2395
2396 fr = frlast - diff / 8;
2397
2398 /* this packet already seen ? */
2399 if (replay->bitmap[fr] & (1 << (diff % 8)))
2400 return 1;
2401
2402 /* mark as seen */
2403 replay->bitmap[fr] |= (1 << (diff % 8));
2404
2405 /* out of order but good */
2406 }
2407
2408 ok:
2409 if (replay->count == 0xffffffff) {
2410
2411 /* set overflow flag */
2412 replay->overflow++;
2413
2414 /* don't increment, no more packets accepted */
2415 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2416 return 1;
2417
2418 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2419 replay->overflow, ipsec_logsastr(sav)));
2420 }
2421
2422 replay->count++;
2423
2424 return 0;
2425 }
2426
2427 /*
2428 * shift variable length buffer to left.
2429 * IN: bitmap: pointer to the buffer
2430 * nbit: the number of to shift.
2431 * wsize: buffer size (bytes).
2432 */
2433 static void
2434 vshiftl(bitmap, nbit, wsize)
2435 unsigned char *bitmap;
2436 int nbit, wsize;
2437 {
2438 int s, j, i;
2439 unsigned char over;
2440
2441 for (j = 0; j < nbit; j += 8) {
2442 s = (nbit - j < 8) ? (nbit - j): 8;
2443 bitmap[0] <<= s;
2444 for (i = 1; i < wsize; i++) {
2445 over = (bitmap[i] >> (8 - s));
2446 bitmap[i] <<= s;
2447 bitmap[i - 1] |= over;
2448 }
2449 }
2450
2451 return;
2452 }
2453
2454 const char *
2455 ipsec4_logpacketstr(ip, spi)
2456 struct ip *ip;
2457 u_int32_t spi;
2458 {
2459 static char buf[256];
2460 char *p;
2461 u_int8_t *s, *d;
2462
2463 s = (u_int8_t *)(&ip->ip_src);
2464 d = (u_int8_t *)(&ip->ip_dst);
2465
2466 p = buf;
2467 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2468 while (p && *p)
2469 p++;
2470 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2471 s[0], s[1], s[2], s[3]);
2472 while (p && *p)
2473 p++;
2474 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2475 d[0], d[1], d[2], d[3]);
2476 while (p && *p)
2477 p++;
2478 snprintf(p, sizeof(buf) - (p - buf), ")");
2479
2480 return buf;
2481 }
2482
2483 #ifdef INET6
2484 const char *
2485 ipsec6_logpacketstr(ip6, spi)
2486 struct ip6_hdr *ip6;
2487 u_int32_t spi;
2488 {
2489 static char buf[256];
2490 char *p;
2491
2492 p = buf;
2493 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2494 while (p && *p)
2495 p++;
2496 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2497 ip6_sprintf(&ip6->ip6_src));
2498 while (p && *p)
2499 p++;
2500 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2501 ip6_sprintf(&ip6->ip6_dst));
2502 while (p && *p)
2503 p++;
2504 snprintf(p, sizeof(buf) - (p - buf), ")");
2505
2506 return buf;
2507 }
2508 #endif /* INET6 */
2509
2510 const char *
2511 ipsec_logsastr(sav)
2512 struct secasvar *sav;
2513 {
2514 static char buf[256];
2515 char *p;
2516 struct secasindex *saidx = &sav->sah->saidx;
2517
2518 /* validity check */
2519 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2520 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2521 panic("ipsec_logsastr: family mismatched.");
2522
2523 p = buf;
2524 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2525 while (p && *p)
2526 p++;
2527 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2528 u_int8_t *s, *d;
2529 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2530 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2531 snprintf(p, sizeof(buf) - (p - buf),
2532 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2533 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2534 }
2535 #ifdef INET6
2536 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2537 snprintf(p, sizeof(buf) - (p - buf),
2538 "src=%s",
2539 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2540 while (p && *p)
2541 p++;
2542 snprintf(p, sizeof(buf) - (p - buf),
2543 " dst=%s",
2544 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2545 }
2546 #endif
2547 while (p && *p)
2548 p++;
2549 snprintf(p, sizeof(buf) - (p - buf), ")");
2550
2551 return buf;
2552 }
2553
2554 void
2555 ipsec_dumpmbuf(m)
2556 struct mbuf *m;
2557 {
2558 int totlen;
2559 int i;
2560 u_char *p;
2561
2562 totlen = 0;
2563 printf("---\n");
2564 while (m) {
2565 p = mtod(m, u_char *);
2566 for (i = 0; i < m->m_len; i++) {
2567 printf("%02x ", p[i]);
2568 totlen++;
2569 if (totlen % 16 == 0)
2570 printf("\n");
2571 }
2572 m = m->m_next;
2573 }
2574 if (totlen % 16 != 0)
2575 printf("\n");
2576 printf("---\n");
2577 }
2578
2579 #ifdef INET
2580 static int
2581 ipsec4_checksa(isr, state)
2582 struct ipsecrequest *isr;
2583 struct ipsec_output_state *state;
2584 {
2585 struct ip *ip;
2586 struct secasindex saidx;
2587 struct sockaddr_in *sin;
2588
2589 /* make SA index for search proper SA */
2590 ip = mtod(state->m, struct ip *);
2591 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2592 saidx.mode = isr->saidx.mode;
2593 saidx.reqid = isr->saidx.reqid;
2594 sin = (struct sockaddr_in *)&saidx.src;
2595 if (sin->sin_len == 0) {
2596 bzero(sin, sizeof(*sin));
2597 sin->sin_len = sizeof(*sin);
2598 sin->sin_family = AF_INET;
2599 sin->sin_port = IPSEC_PORT_ANY;
2600 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
2601 }
2602 sin = (struct sockaddr_in *)&saidx.dst;
2603 if (sin->sin_len == 0) {
2604 bzero(sin, sizeof(*sin));
2605 sin->sin_len = sizeof(*sin);
2606 sin->sin_family = AF_INET;
2607 sin->sin_port = IPSEC_PORT_ANY;
2608 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
2609 }
2610
2611 return key_checkrequest(isr, &saidx);
2612 }
2613 /*
2614 * IPsec output logic for IPv4.
2615 */
2616 int
2617 ipsec4_output(state, sp, flags)
2618 struct ipsec_output_state *state;
2619 struct secpolicy *sp;
2620 int flags;
2621 {
2622 struct ip *ip = NULL;
2623 struct ipsecrequest *isr = NULL;
2624 int s;
2625 int error;
2626 struct sockaddr_in *dst4;
2627
2628 if (!state)
2629 panic("state == NULL in ipsec4_output");
2630 if (!state->m)
2631 panic("state->m == NULL in ipsec4_output");
2632 if (!state->ro)
2633 panic("state->ro == NULL in ipsec4_output");
2634 if (!state->dst)
2635 panic("state->dst == NULL in ipsec4_output");
2636 state->encap = 0;
2637
2638 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2639 printf("ipsec4_output: applyed SP\n");
2640 kdebug_secpolicy(sp));
2641
2642 for (isr = sp->req; isr != NULL; isr = isr->next) {
2643
2644 #if 0 /* give up to check restriction of transport mode */
2645 /* XXX but should be checked somewhere */
2646 /*
2647 * some of the IPsec operation must be performed only in
2648 * originating case.
2649 */
2650 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2651 && (flags & IP_FORWARDING))
2652 continue;
2653 #endif
2654 error = ipsec4_checksa(isr, state);
2655 if (error != 0) {
2656 /*
2657 * IPsec processing is required, but no SA found.
2658 * I assume that key_acquire() had been called
2659 * to get/establish the SA. Here I discard
2660 * this packet because it is responsibility for
2661 * upper layer to retransmit the packet.
2662 */
2663 ipsecstat.out_nosa++;
2664 goto bad;
2665 }
2666
2667 /* validity check */
2668 if (isr->sav == NULL) {
2669 switch (ipsec_get_reqlevel(isr, AF_INET)) {
2670 case IPSEC_LEVEL_USE:
2671 continue;
2672 case IPSEC_LEVEL_REQUIRE:
2673 if (isr->saidx.proto == AF_INET ||
2674 isr->saidx.proto == AF_INET6)
2675 break;
2676 /* must be not reached here. */
2677 panic("ipsec4_output: no SA found, but required.");
2678 }
2679 }
2680
2681 /*
2682 * If there is no valid SA, we give up to process any
2683 * more. In such a case, the SA's status is changed
2684 * from DYING to DEAD after allocating. If a packet
2685 * send to the receiver by dead SA, the receiver can
2686 * not decode a packet because SA has been dead.
2687 */
2688 if (isr->sav->state != SADB_SASTATE_MATURE
2689 && isr->sav->state != SADB_SASTATE_DYING) {
2690 ipsecstat.out_nosa++;
2691 error = EINVAL;
2692 goto bad;
2693 }
2694
2695 /*
2696 * There may be the case that SA status will be changed when
2697 * we are refering to one. So calling splsoftnet().
2698 */
2699 s = splsoftnet();
2700
2701 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2702 /*
2703 * build IPsec tunnel.
2704 */
2705 /* XXX should be processed with other familiy */
2706 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2707 ipseclog((LOG_ERR, "ipsec4_output: "
2708 "family mismatched between inner and outer spi=%u\n",
2709 (u_int32_t)ntohl(isr->sav->spi)));
2710 splx(s);
2711 error = EAFNOSUPPORT;
2712 goto bad;
2713 }
2714
2715 state->m = ipsec4_splithdr(state->m);
2716 if (!state->m) {
2717 splx(s);
2718 error = ENOMEM;
2719 goto bad;
2720 }
2721 error = ipsec4_encapsulate(state->m, isr->sav);
2722 splx(s);
2723 if (error) {
2724 state->m = NULL;
2725 goto bad;
2726 }
2727 ip = mtod(state->m, struct ip *);
2728
2729 state->ro = &isr->sav->sah->sa_route;
2730 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2731 dst4 = (struct sockaddr_in *)state->dst;
2732 if (state->ro->ro_rt
2733 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2734 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2735 RTFREE(state->ro->ro_rt);
2736 bzero((caddr_t)state->ro, sizeof (*state->ro));
2737 }
2738 if (state->ro->ro_rt == 0) {
2739 dst4->sin_family = AF_INET;
2740 dst4->sin_len = sizeof(*dst4);
2741 dst4->sin_addr = ip->ip_dst;
2742 rtalloc(state->ro);
2743 }
2744 if (state->ro->ro_rt == 0) {
2745 ipstat.ips_noroute++;
2746 error = EHOSTUNREACH;
2747 goto bad;
2748 }
2749
2750 /* adjust state->dst if tunnel endpoint is offlink */
2751 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2752 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2753 dst4 = (struct sockaddr_in *)state->dst;
2754 }
2755
2756 state->encap++;
2757 } else
2758 splx(s);
2759
2760 state->m = ipsec4_splithdr(state->m);
2761 if (!state->m) {
2762 error = ENOMEM;
2763 goto bad;
2764 }
2765 switch (isr->saidx.proto) {
2766 case IPPROTO_ESP:
2767 #ifdef IPSEC_ESP
2768 if ((error = esp4_output(state->m, isr)) != 0) {
2769 state->m = NULL;
2770 goto bad;
2771 }
2772 break;
2773 #else
2774 m_freem(state->m);
2775 state->m = NULL;
2776 error = EINVAL;
2777 goto bad;
2778 #endif
2779 case IPPROTO_AH:
2780 if ((error = ah4_output(state->m, isr)) != 0) {
2781 state->m = NULL;
2782 goto bad;
2783 }
2784 break;
2785 case IPPROTO_IPCOMP:
2786 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2787 state->m = NULL;
2788 goto bad;
2789 }
2790 break;
2791 case IPPROTO_IPV4:
2792 break;
2793 case IPPROTO_IPV6:
2794 ipseclog((LOG_ERR, "ipsec4_output: "
2795 "family mismatched between inner and outer "
2796 "header\n"));
2797 error = EAFNOSUPPORT;
2798 goto bad;
2799 default:
2800 ipseclog((LOG_ERR,
2801 "ipsec4_output: unknown ipsec protocol %d\n",
2802 isr->saidx.proto));
2803 m_freem(state->m);
2804 state->m = NULL;
2805 error = EINVAL;
2806 goto bad;
2807 }
2808
2809 if (state->m == 0) {
2810 error = ENOMEM;
2811 goto bad;
2812 }
2813 ip = mtod(state->m, struct ip *);
2814 }
2815
2816 return 0;
2817
2818 bad:
2819 m_freem(state->m);
2820 state->m = NULL;
2821 return error;
2822 }
2823 #endif
2824
2825 #ifdef INET6
2826 static int
2827 ipsec6_checksa(isr, state, tunnel)
2828 struct ipsecrequest *isr;
2829 struct ipsec_output_state *state;
2830 int tunnel;
2831 {
2832 struct ip6_hdr *ip6;
2833 struct secasindex saidx;
2834 struct sockaddr_in6 *sin6;
2835
2836 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2837 #ifdef DIAGNOSTIC
2838 if (!tunnel)
2839 panic("ipsec6_checksa/inconsistent tunnel attribute");
2840 #endif
2841 /* When tunnel mode, SA peers must be specified. */
2842 return key_checkrequest(isr, &isr->saidx);
2843 }
2844
2845 /* make SA index for search proper SA */
2846 ip6 = mtod(state->m, struct ip6_hdr *);
2847 if (tunnel) {
2848 bzero(&saidx, sizeof(saidx));
2849 saidx.proto = isr->saidx.proto;
2850 } else
2851 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2852 saidx.mode = isr->saidx.mode;
2853 saidx.reqid = isr->saidx.reqid;
2854 sin6 = (struct sockaddr_in6 *)&saidx.src;
2855 if (sin6->sin6_len == 0 || tunnel) {
2856 bzero(sin6, sizeof(*sin6));
2857 sin6->sin6_len = sizeof(*sin6);
2858 sin6->sin6_family = AF_INET6;
2859 sin6->sin6_port = IPSEC_PORT_ANY;
2860 in6_recoverscope(sin6, &ip6->ip6_src, NULL);
2861 }
2862 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2863 if (sin6->sin6_len == 0 || tunnel) {
2864 bzero(sin6, sizeof(*sin6));
2865 sin6->sin6_len = sizeof(*sin6);
2866 sin6->sin6_family = AF_INET6;
2867 sin6->sin6_port = IPSEC_PORT_ANY;
2868 in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
2869 }
2870
2871 return key_checkrequest(isr, &saidx);
2872 }
2873 /*
2874 * IPsec output logic for IPv6, transport mode.
2875 */
2876 int
2877 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
2878 struct ipsec_output_state *state;
2879 u_char *nexthdrp;
2880 struct mbuf *mprev;
2881 struct secpolicy *sp;
2882 int flags;
2883 int *tun;
2884 {
2885 struct ip6_hdr *ip6;
2886 struct ipsecrequest *isr = NULL;
2887 int error = 0;
2888 int plen;
2889
2890 if (!state)
2891 panic("state == NULL in ipsec6_output_trans");
2892 if (!state->m)
2893 panic("state->m == NULL in ipsec6_output_trans");
2894 if (!nexthdrp)
2895 panic("nexthdrp == NULL in ipsec6_output_trans");
2896 if (!mprev)
2897 panic("mprev == NULL in ipsec6_output_trans");
2898 if (!sp)
2899 panic("sp == NULL in ipsec6_output_trans");
2900 if (!tun)
2901 panic("tun == NULL in ipsec6_output_trans");
2902
2903 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2904 printf("ipsec6_output_trans: applyed SP\n");
2905 kdebug_secpolicy(sp));
2906
2907 *tun = 0;
2908 for (isr = sp->req; isr; isr = isr->next) {
2909 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2910 /* the rest will be handled by ipsec6_output_tunnel() */
2911 break;
2912 }
2913
2914 error = ipsec6_checksa(isr, state, 0);
2915 if (error == ENOENT) {
2916 /*
2917 * IPsec processing is required, but no SA found.
2918 * I assume that key_acquire() had been called
2919 * to get/establish the SA. Here I discard
2920 * this packet because it is responsibility for
2921 * upper layer to retransmit the packet.
2922 */
2923 ipsec6stat.out_nosa++;
2924
2925 /*
2926 * Notify the fact that the packet is discarded
2927 * to ourselves. I believe this is better than
2928 * just silently discarding. (jinmei@kame.net)
2929 * XXX: should we restrict the error to TCP packets?
2930 * XXX: should we directly notify sockets via
2931 * pfctlinputs?
2932 *
2933 * Noone have initialized rcvif until this point,
2934 * so clear it.
2935 */
2936 if ((state->m->m_flags & M_PKTHDR) != 0)
2937 state->m->m_pkthdr.rcvif = NULL;
2938 icmp6_error(state->m, ICMP6_DST_UNREACH,
2939 ICMP6_DST_UNREACH_ADMIN, 0);
2940 state->m = NULL; /* icmp6_error freed the mbuf */
2941 goto bad;
2942 }
2943
2944 /* validity check */
2945 if (isr->sav == NULL) {
2946 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
2947 case IPSEC_LEVEL_USE:
2948 continue;
2949 case IPSEC_LEVEL_REQUIRE:
2950 /* must be not reached here. */
2951 panic("ipsec6_output_trans: no SA found, but required.");
2952 }
2953 }
2954
2955 /*
2956 * If there is no valid SA, we give up to process.
2957 * see same place at ipsec4_output().
2958 */
2959 if (isr->sav->state != SADB_SASTATE_MATURE
2960 && isr->sav->state != SADB_SASTATE_DYING) {
2961 ipsec6stat.out_nosa++;
2962 error = EINVAL;
2963 goto bad;
2964 }
2965
2966 switch (isr->saidx.proto) {
2967 case IPPROTO_ESP:
2968 #ifdef IPSEC_ESP
2969 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2970 #else
2971 m_freem(state->m);
2972 error = EINVAL;
2973 #endif
2974 break;
2975 case IPPROTO_AH:
2976 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2977 break;
2978 case IPPROTO_IPCOMP:
2979 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2980 break;
2981 default:
2982 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2983 "unknown ipsec protocol %d\n", isr->saidx.proto));
2984 m_freem(state->m);
2985 ipsec6stat.out_inval++;
2986 error = EINVAL;
2987 break;
2988 }
2989 if (error) {
2990 state->m = NULL;
2991 goto bad;
2992 }
2993 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2994 if (plen > IPV6_MAXPACKET) {
2995 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2996 "IPsec with IPv6 jumbogram is not supported\n"));
2997 ipsec6stat.out_inval++;
2998 error = EINVAL; /* XXX */
2999 goto bad;
3000 }
3001 ip6 = mtod(state->m, struct ip6_hdr *);
3002 ip6->ip6_plen = htons(plen);
3003 }
3004
3005 /* if we have more to go, we need a tunnel mode processing */
3006 if (isr != NULL)
3007 *tun = 1;
3008
3009 return 0;
3010
3011 bad:
3012 m_freem(state->m);
3013 state->m = NULL;
3014 return error;
3015 }
3016
3017 /*
3018 * IPsec output logic for IPv6, tunnel mode.
3019 */
3020 int
3021 ipsec6_output_tunnel(state, sp, flags)
3022 struct ipsec_output_state *state;
3023 struct secpolicy *sp;
3024 int flags;
3025 {
3026 struct ip6_hdr *ip6;
3027 struct ipsecrequest *isr = NULL;
3028 int error = 0;
3029 int plen;
3030 struct sockaddr_in6* dst6;
3031 int s;
3032
3033 if (!state)
3034 panic("state == NULL in ipsec6_output_tunnel");
3035 if (!state->m)
3036 panic("state->m == NULL in ipsec6_output_tunnel");
3037 if (!sp)
3038 panic("sp == NULL in ipsec6_output_tunnel");
3039
3040 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3041 printf("ipsec6_output_tunnel: applyed SP\n");
3042 kdebug_secpolicy(sp));
3043
3044 /*
3045 * transport mode ipsec (before the 1st tunnel mode) is already
3046 * processed by ipsec6_output_trans().
3047 */
3048 for (isr = sp->req; isr; isr = isr->next) {
3049 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
3050 break;
3051 }
3052
3053 for (/* already initialized */; isr; isr = isr->next) {
3054 error = ipsec6_checksa(isr, state, 1);
3055 if (error == ENOENT) {
3056 /*
3057 * IPsec processing is required, but no SA found.
3058 * I assume that key_acquire() had been called
3059 * to get/establish the SA. Here I discard
3060 * this packet because it is responsibility for
3061 * upper layer to retransmit the packet.
3062 */
3063 ipsec6stat.out_nosa++;
3064 error = ENOENT;
3065 goto bad;
3066 }
3067
3068 /* validity check */
3069 if (isr->sav == NULL) {
3070 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
3071 case IPSEC_LEVEL_USE:
3072 continue;
3073 case IPSEC_LEVEL_REQUIRE:
3074 /* must be not reached here. */
3075 panic("ipsec6_output_tunnel: no SA found, but required.");
3076 }
3077 }
3078
3079 /*
3080 * If there is no valid SA, we give up to process.
3081 * see same place at ipsec4_output().
3082 */
3083 if (isr->sav->state != SADB_SASTATE_MATURE
3084 && isr->sav->state != SADB_SASTATE_DYING) {
3085 ipsec6stat.out_nosa++;
3086 error = EINVAL;
3087 goto bad;
3088 }
3089
3090 /*
3091 * There may be the case that SA status will be changed when
3092 * we are refering to one. So calling splsoftnet().
3093 */
3094 s = splsoftnet();
3095
3096 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3097 /*
3098 * build IPsec tunnel.
3099 */
3100 /* XXX should be processed with other familiy */
3101 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
3102 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3103 "family mismatched between inner and outer, spi=%u\n",
3104 (u_int32_t)ntohl(isr->sav->spi)));
3105 splx(s);
3106 ipsec6stat.out_inval++;
3107 error = EAFNOSUPPORT;
3108 goto bad;
3109 }
3110
3111 state->m = ipsec6_splithdr(state->m);
3112 if (!state->m) {
3113 splx(s);
3114 ipsec6stat.out_nomem++;
3115 error = ENOMEM;
3116 goto bad;
3117 }
3118 error = ipsec6_encapsulate(state->m, isr->sav);
3119 splx(s);
3120 if (error) {
3121 state->m = 0;
3122 goto bad;
3123 }
3124 ip6 = mtod(state->m, struct ip6_hdr *);
3125
3126 state->ro = &isr->sav->sah->sa_route;
3127 state->dst = (struct sockaddr *)&state->ro->ro_dst;
3128 dst6 = (struct sockaddr_in6 *)state->dst;
3129 if (state->ro->ro_rt
3130 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
3131 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
3132 RTFREE(state->ro->ro_rt);
3133 bzero((caddr_t)state->ro, sizeof (*state->ro));
3134 }
3135 if (state->ro->ro_rt == 0) {
3136 bzero(dst6, sizeof(*dst6));
3137 dst6->sin6_family = AF_INET6;
3138 dst6->sin6_len = sizeof(*dst6);
3139 dst6->sin6_addr = ip6->ip6_dst;
3140 rtalloc(state->ro);
3141 }
3142 if (state->ro->ro_rt == 0) {
3143 ip6stat.ip6s_noroute++;
3144 ipsec6stat.out_noroute++;
3145 error = EHOSTUNREACH;
3146 goto bad;
3147 }
3148
3149 /* adjust state->dst if tunnel endpoint is offlink */
3150 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3151 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3152 dst6 = (struct sockaddr_in6 *)state->dst;
3153 }
3154 } else
3155 splx(s);
3156
3157 state->m = ipsec6_splithdr(state->m);
3158 if (!state->m) {
3159 ipsec6stat.out_nomem++;
3160 error = ENOMEM;
3161 goto bad;
3162 }
3163 ip6 = mtod(state->m, struct ip6_hdr *);
3164 switch (isr->saidx.proto) {
3165 case IPPROTO_ESP:
3166 #ifdef IPSEC_ESP
3167 error = esp6_output(state->m, &ip6->ip6_nxt,
3168 state->m->m_next, isr);
3169 #else
3170 m_freem(state->m);
3171 error = EINVAL;
3172 #endif
3173 break;
3174 case IPPROTO_AH:
3175 error = ah6_output(state->m, &ip6->ip6_nxt,
3176 state->m->m_next, isr);
3177 break;
3178 case IPPROTO_IPCOMP:
3179 /* XXX code should be here */
3180 /* FALLTHROUGH */
3181 default:
3182 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3183 "unknown ipsec protocol %d\n", isr->saidx.proto));
3184 m_freem(state->m);
3185 ipsec6stat.out_inval++;
3186 error = EINVAL;
3187 break;
3188 }
3189 if (error) {
3190 state->m = NULL;
3191 goto bad;
3192 }
3193 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3194 if (plen > IPV6_MAXPACKET) {
3195 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3196 "IPsec with IPv6 jumbogram is not supported\n"));
3197 ipsec6stat.out_inval++;
3198 error = EINVAL; /* XXX */
3199 goto bad;
3200 }
3201 ip6 = mtod(state->m, struct ip6_hdr *);
3202 ip6->ip6_plen = htons(plen);
3203 }
3204
3205 return 0;
3206
3207 bad:
3208 m_freem(state->m);
3209 state->m = NULL;
3210 return error;
3211 }
3212 #endif /* INET6 */
3213
3214 #ifdef INET
3215 /*
3216 * Chop IP header and option off from the payload.
3217 */
3218 static struct mbuf *
3219 ipsec4_splithdr(m)
3220 struct mbuf *m;
3221 {
3222 struct mbuf *mh;
3223 struct ip *ip;
3224 int hlen;
3225
3226 if (m->m_len < sizeof(struct ip))
3227 panic("ipsec4_splithdr: first mbuf too short");
3228 ip = mtod(m, struct ip *);
3229 hlen = ip->ip_hl << 2;
3230 if (m->m_len > hlen) {
3231 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3232 if (!mh) {
3233 m_freem(m);
3234 return NULL;
3235 }
3236 M_COPY_PKTHDR(mh, m);
3237 MH_ALIGN(mh, hlen);
3238 m_tag_delete_chain(m, NULL);
3239 m->m_flags &= ~M_PKTHDR;
3240 m->m_len -= hlen;
3241 m->m_data += hlen;
3242 mh->m_next = m;
3243 m = mh;
3244 m->m_len = hlen;
3245 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3246 } else if (m->m_len < hlen) {
3247 m = m_pullup(m, hlen);
3248 if (!m)
3249 return NULL;
3250 }
3251 return m;
3252 }
3253 #endif
3254
3255 #ifdef INET6
3256 static struct mbuf *
3257 ipsec6_splithdr(m)
3258 struct mbuf *m;
3259 {
3260 struct mbuf *mh;
3261 struct ip6_hdr *ip6;
3262 int hlen;
3263
3264 if (m->m_len < sizeof(struct ip6_hdr))
3265 panic("ipsec6_splithdr: first mbuf too short");
3266 ip6 = mtod(m, struct ip6_hdr *);
3267 hlen = sizeof(struct ip6_hdr);
3268 if (m->m_len > hlen) {
3269 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3270 if (!mh) {
3271 m_freem(m);
3272 return NULL;
3273 }
3274 M_COPY_PKTHDR(mh, m);
3275 MH_ALIGN(mh, hlen);
3276 m_tag_delete_chain(m, NULL);
3277 m->m_flags &= ~M_PKTHDR;
3278 m->m_len -= hlen;
3279 m->m_data += hlen;
3280 mh->m_next = m;
3281 m = mh;
3282 m->m_len = hlen;
3283 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3284 } else if (m->m_len < hlen) {
3285 m = m_pullup(m, hlen);
3286 if (!m)
3287 return NULL;
3288 }
3289 return m;
3290 }
3291 #endif
3292
3293 /* validate inbound IPsec tunnel packet. */
3294 int
3295 ipsec4_tunnel_validate(ip, nxt0, sav)
3296 struct ip *ip;
3297 u_int nxt0;
3298 struct secasvar *sav;
3299 {
3300 u_int8_t nxt = nxt0 & 0xff;
3301 struct sockaddr_in *sin;
3302 int hlen;
3303
3304 if (nxt != IPPROTO_IPV4)
3305 return 0;
3306 /* do not decapsulate if the SA is for transport mode only */
3307 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3308 return 0;
3309 hlen = ip->ip_hl << 2;
3310 if (hlen != sizeof(struct ip))
3311 return 0;
3312 switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
3313 case AF_INET:
3314 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3315 if (bcmp(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)) != 0)
3316 return 0;
3317 break;
3318 #ifdef INET6
3319 case AF_INET6:
3320 /* should be supported, but at this moment we don't. */
3321 /*FALLTHROUGH*/
3322 #endif
3323 default:
3324 return 0;
3325 }
3326
3327 return 1;
3328 }
3329
3330 #ifdef INET6
3331 /* validate inbound IPsec tunnel packet. */
3332 int
3333 ipsec6_tunnel_validate(ip6, nxt0, sav)
3334 struct ip6_hdr *ip6;
3335 u_int nxt0;
3336 struct secasvar *sav;
3337 {
3338 u_int8_t nxt = nxt0 & 0xff;
3339 struct sockaddr_in6 *sin6;
3340 struct in6_addr in6;
3341
3342 if (nxt != IPPROTO_IPV6)
3343 return 0;
3344 /* do not decapsulate if the SA is for transport mode only */
3345 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3346 return 0;
3347 switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
3348 case AF_INET6:
3349 sin6 = ((struct sockaddr_in6 *)&sav->sah->saidx.dst);
3350 in6_embedscope(&in6, sin6, NULL, NULL);
3351 if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &in6))
3352 return 0;
3353 break;
3354 case AF_INET:
3355 /* should be supported, but at this moment we don't. */
3356 /*FALLTHROUGH*/
3357 default:
3358 return 0;
3359 }
3360
3361 return 1;
3362 }
3363 #endif
3364
3365 /*
3366 * Make a mbuf chain for encryption.
3367 * If the original mbuf chain contains a mbuf with a cluster,
3368 * allocate a new cluster and copy the data to the new cluster.
3369 * XXX: this hack is inefficient, but is necessary to handle cases
3370 * of TCP retransmission...
3371 */
3372 struct mbuf *
3373 ipsec_copypkt(m)
3374 struct mbuf *m;
3375 {
3376 struct mbuf *n, **mpp, *mnew;
3377
3378 for (n = m, mpp = &m; n; n = n->m_next) {
3379 if (n->m_flags & M_EXT) {
3380 /*
3381 * Make a copy only if there is more than one
3382 * references to the cluster.
3383 * XXX: is this approach effective?
3384 */
3385 if (M_READONLY(n))
3386 {
3387 int remain, copied;
3388 struct mbuf *mm;
3389
3390 if (n->m_flags & M_PKTHDR) {
3391 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3392 if (mnew == NULL)
3393 goto fail;
3394 mnew->m_pkthdr = n->m_pkthdr;
3395 #if 0
3396 /* XXX: convert to m_tag or delete? */
3397 if (n->m_pkthdr.aux) {
3398 mnew->m_pkthdr.aux =
3399 m_copym(n->m_pkthdr.aux,
3400 0, M_COPYALL, M_DONTWAIT);
3401 }
3402 #endif
3403 M_COPY_PKTHDR(mnew, n);
3404 }
3405 else {
3406 MGET(mnew, M_DONTWAIT, MT_DATA);
3407 if (mnew == NULL)
3408 goto fail;
3409 }
3410 mnew->m_len = 0;
3411 mm = mnew;
3412
3413 /*
3414 * Copy data. If we don't have enough space to
3415 * store the whole data, allocate a cluster
3416 * or additional mbufs.
3417 * XXX: we don't use m_copyback(), since the
3418 * function does not use clusters and thus is
3419 * inefficient.
3420 */
3421 remain = n->m_len;
3422 copied = 0;
3423 while (1) {
3424 int len;
3425 struct mbuf *mn;
3426
3427 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3428 len = remain;
3429 else { /* allocate a cluster */
3430 MCLGET(mm, M_DONTWAIT);
3431 if (!(mm->m_flags & M_EXT)) {
3432 m_free(mm);
3433 goto fail;
3434 }
3435 len = remain < MCLBYTES ?
3436 remain : MCLBYTES;
3437 }
3438
3439 bcopy(n->m_data + copied, mm->m_data,
3440 len);
3441
3442 copied += len;
3443 remain -= len;
3444 mm->m_len = len;
3445
3446 if (remain <= 0) /* completed? */
3447 break;
3448
3449 /* need another mbuf */
3450 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3451 if (mn == NULL)
3452 goto fail;
3453 mn->m_pkthdr.rcvif = NULL;
3454 mm->m_next = mn;
3455 mm = mn;
3456 }
3457
3458 /* adjust chain */
3459 mm->m_next = m_free(n);
3460 n = mm;
3461 *mpp = mnew;
3462 mpp = &n->m_next;
3463
3464 continue;
3465 }
3466 }
3467 *mpp = n;
3468 mpp = &n->m_next;
3469 }
3470
3471 return (m);
3472 fail:
3473 m_freem(m);
3474 return (NULL);
3475 }
3476
3477 static struct m_tag *
3478 ipsec_addaux(m)
3479 struct mbuf *m;
3480 {
3481 struct m_tag *mtag;
3482
3483 mtag = m_tag_find(m, PACKET_TAG_ESP, NULL);
3484 if (mtag == NULL) {
3485 mtag = m_tag_get(PACKET_TAG_ESP, sizeof(struct ipsecaux),
3486 M_NOWAIT);
3487 if (mtag != NULL)
3488 m_tag_prepend(m, mtag);
3489 }
3490 if (mtag == NULL)
3491 return NULL; /* ENOBUFS */
3492 /* XXX is this necessary? */
3493 bzero((void *)(mtag + 1), sizeof(struct ipsecaux));
3494 return mtag;
3495 }
3496
3497 static struct m_tag *
3498 ipsec_findaux(m)
3499 struct mbuf *m;
3500 {
3501 return m_tag_find(m, PACKET_TAG_ESP, NULL);
3502 }
3503
3504 void
3505 ipsec_delaux(m)
3506 struct mbuf *m;
3507 {
3508 struct m_tag *mtag;
3509
3510 mtag = m_tag_find(m, PACKET_TAG_ESP, NULL);
3511 if (mtag != NULL)
3512 m_tag_delete(m, mtag);
3513 }
3514
3515 /* if the aux buffer is unnecessary, nuke it. */
3516 static void
3517 ipsec_optaux(m, mtag)
3518 struct mbuf *m;
3519 struct m_tag *mtag;
3520 {
3521 struct ipsecaux *aux;
3522
3523 if (mtag == NULL)
3524 return;
3525 aux = (struct ipsecaux *)(mtag + 1);
3526 if (!aux->so && !aux->sp)
3527 ipsec_delaux(m);
3528 }
3529
3530 int
3531 ipsec_addhist(m, proto, spi)
3532 struct mbuf *m;
3533 int proto;
3534 u_int32_t spi;
3535 {
3536 struct m_tag *mtag;
3537 struct ipsecaux *aux;
3538
3539 mtag = ipsec_addaux(m);
3540 if (mtag == NULL)
3541 return ENOBUFS;
3542 aux = (struct ipsecaux *)(mtag + 1);
3543 aux->hdrs++;
3544 return 0;
3545 }
3546
3547 int
3548 ipsec_getnhist(m)
3549 struct mbuf *m;
3550 {
3551 struct m_tag *mtag;
3552 struct ipsecaux *aux;
3553
3554 mtag = ipsec_findaux(m);
3555 if (mtag == NULL)
3556 return 0;
3557 aux = (struct ipsecaux *)(mtag + 1);
3558 return aux->hdrs;
3559 }
3560
3561 struct ipsec_history *
3562 ipsec_gethist(m, lenp)
3563 struct mbuf *m;
3564 int *lenp;
3565 {
3566
3567 panic("ipsec_gethist: obsolete API");
3568 }
3569
3570 void
3571 ipsec_clearhist(m)
3572 struct mbuf *m;
3573 {
3574 struct m_tag *mtag;
3575
3576 mtag = ipsec_findaux(m);
3577 ipsec_optaux(m, mtag);
3578 }
3579
3580 /*
3581 * System control for IPSEC
3582 */
3583 u_char ipsecctlermap[PRC_NCMDS] = {
3584 0, 0, 0, 0,
3585 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
3586 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
3587 EMSGSIZE, EHOSTUNREACH, 0, 0,
3588 0, 0, 0, 0,
3589 ENOPROTOOPT
3590 };
3591
3592 /*
3593 * sysctl helper routine for some net.inet.ipsec and net.inet6.ipnet6
3594 * nodes. ensures that the given value is correct and clears the
3595 * ipsec cache accordingly.
3596 */
3597 static int
3598 sysctl_ipsec(SYSCTLFN_ARGS)
3599 {
3600 int error, t;
3601 struct sysctlnode node;
3602
3603 node = *rnode;
3604 if (rnode->sysctl_num == IPSECCTL_DEF_POLICY)
3605 t = (*((struct secpolicy**)rnode->sysctl_data))->policy;
3606 else
3607 t = *(int*)rnode->sysctl_data;
3608 node.sysctl_data = &t;
3609 error = sysctl_lookup(SYSCTLFN_CALL(&node));
3610 if (error || newp == NULL)
3611 return (error);
3612
3613 switch (rnode->sysctl_num) {
3614 case IPSECCTL_DEF_ESP_TRANSLEV:
3615 case IPSECCTL_DEF_ESP_NETLEV:
3616 case IPSECCTL_DEF_AH_TRANSLEV:
3617 case IPSECCTL_DEF_AH_NETLEV:
3618 if (t != IPSEC_LEVEL_USE &&
3619 t != IPSEC_LEVEL_REQUIRE)
3620 return (EINVAL);
3621 ipsec_invalpcbcacheall();
3622 break;
3623 case IPSECCTL_DEF_POLICY:
3624 if (t != IPSEC_POLICY_DISCARD &&
3625 t != IPSEC_POLICY_NONE)
3626 return (EINVAL);
3627 ipsec_invalpcbcacheall();
3628 break;
3629 default:
3630 return (EINVAL);
3631 }
3632
3633 if (rnode->sysctl_num == IPSECCTL_DEF_POLICY)
3634 (*((struct secpolicy**)rnode->sysctl_data))->policy = t;
3635 else
3636 *(int*)rnode->sysctl_data = t;
3637
3638 return (0);
3639 }
3640
3641 SYSCTL_SETUP(sysctl_net_inet_ipsec_setup, "sysctl net.inet.ipsec subtree setup")
3642 {
3643
3644 sysctl_createv(clog, 0, NULL, NULL,
3645 CTLFLAG_PERMANENT,
3646 CTLTYPE_NODE, "net", NULL,
3647 NULL, 0, NULL, 0,
3648 CTL_NET, CTL_EOL);
3649 sysctl_createv(clog, 0, NULL, NULL,
3650 CTLFLAG_PERMANENT,
3651 CTLTYPE_NODE, "inet", NULL,
3652 NULL, 0, NULL, 0,
3653 CTL_NET, PF_INET, CTL_EOL);
3654 sysctl_createv(clog, 0, NULL, NULL,
3655 CTLFLAG_PERMANENT,
3656 CTLTYPE_NODE, "ipsec",
3657 SYSCTL_DESCR("IPv4 related IPSec settings"),
3658 NULL, 0, NULL, 0,
3659 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
3660
3661 sysctl_createv(clog, 0, NULL, NULL,
3662 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3663 CTLTYPE_STRUCT, "stats",
3664 SYSCTL_DESCR("IPSec statistics and counters"),
3665 NULL, 0, &ipsecstat, sizeof(ipsecstat),
3666 CTL_NET, PF_INET, IPPROTO_AH,
3667 IPSECCTL_STATS, CTL_EOL);
3668 sysctl_createv(clog, 0, NULL, NULL,
3669 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3670 CTLTYPE_INT, "def_policy",
3671 SYSCTL_DESCR("Default action for non-IPSec packets"),
3672 sysctl_ipsec, 0, &ip4_def_policy, 0,
3673 CTL_NET, PF_INET, IPPROTO_AH,
3674 IPSECCTL_DEF_POLICY, CTL_EOL);
3675 sysctl_createv(clog, 0, NULL, NULL,
3676 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3677 CTLTYPE_INT, "esp_trans_deflev",
3678 SYSCTL_DESCR("Default required security level for "
3679 "transport mode traffic"),
3680 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0,
3681 CTL_NET, PF_INET, IPPROTO_AH,
3682 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
3683 sysctl_createv(clog, 0, NULL, NULL,
3684 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3685 CTLTYPE_INT, "esp_net_deflev",
3686 SYSCTL_DESCR("Default required security level for "
3687 "tunneled traffic"),
3688 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0,
3689 CTL_NET, PF_INET, IPPROTO_AH,
3690 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
3691 sysctl_createv(clog, 0, NULL, NULL,
3692 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3693 CTLTYPE_INT, "ah_trans_deflev",
3694 SYSCTL_DESCR("Default required security level for "
3695 "transport mode headers"),
3696 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0,
3697 CTL_NET, PF_INET, IPPROTO_AH,
3698 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
3699 sysctl_createv(clog, 0, NULL, NULL,
3700 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3701 CTLTYPE_INT, "ah_net_deflev",
3702 SYSCTL_DESCR("Default required security level for "
3703 "tunneled headers"),
3704 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0,
3705 CTL_NET, PF_INET, IPPROTO_AH,
3706 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
3707 #if 0 /* obsolete, do not reuse */
3708 sysctl_createv(clog, 0, NULL, NULL,
3709 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3710 CTLTYPE_INT, "inbound_call_ike", NULL,
3711 NULL, 0, &ip4_inbound_call_ike, 0,
3712 CTL_NET, PF_INET, IPPROTO_AH,
3713 IPSECCTL_INBOUND_CALL_IKE, CTL_EOL);
3714 #endif
3715 sysctl_createv(clog, 0, NULL, NULL,
3716 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3717 CTLTYPE_INT, "ah_cleartos",
3718 SYSCTL_DESCR("Clear IP TOS field before calculating AH"),
3719 NULL, 0, &ip4_ah_cleartos, 0,
3720 CTL_NET, PF_INET, IPPROTO_AH,
3721 IPSECCTL_AH_CLEARTOS, CTL_EOL);
3722 sysctl_createv(clog, 0, NULL, NULL,
3723 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3724 CTLTYPE_INT, "ah_offsetmask",
3725 SYSCTL_DESCR("Mask for IP fragment offset field when "
3726 "calculating AH"),
3727 NULL, 0, &ip4_ah_offsetmask, 0,
3728 CTL_NET, PF_INET, IPPROTO_AH,
3729 IPSECCTL_AH_OFFSETMASK, CTL_EOL);
3730 sysctl_createv(clog, 0, NULL, NULL,
3731 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3732 CTLTYPE_INT, "dfbit",
3733 SYSCTL_DESCR("IP header DF bit setting for tunneled "
3734 "traffic"),
3735 NULL, 0, &ip4_ipsec_dfbit, 0,
3736 CTL_NET, PF_INET, IPPROTO_AH,
3737 IPSECCTL_DFBIT, CTL_EOL);
3738 sysctl_createv(clog, 0, NULL, NULL,
3739 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3740 CTLTYPE_INT, "ecn",
3741 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
3742 NULL, 0, &ip4_ipsec_ecn, 0,
3743 CTL_NET, PF_INET, IPPROTO_AH,
3744 IPSECCTL_ECN, CTL_EOL);
3745 sysctl_createv(clog, 0, NULL, NULL,
3746 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3747 CTLTYPE_INT, "debug",
3748 SYSCTL_DESCR("Enable IPSec debugging output"),
3749 NULL, 0, &ipsec_debug, 0,
3750 CTL_NET, PF_INET, IPPROTO_AH,
3751 IPSECCTL_DEBUG, CTL_EOL);
3752
3753 /*
3754 * "aliases" for the ipsec subtree
3755 */
3756 sysctl_createv(clog, 0, NULL, NULL,
3757 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3758 CTLTYPE_NODE, "esp", NULL,
3759 NULL, IPPROTO_AH, NULL, 0,
3760 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
3761 sysctl_createv(clog, 0, NULL, NULL,
3762 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3763 CTLTYPE_NODE, "ipcomp", NULL,
3764 NULL, IPPROTO_AH, NULL, 0,
3765 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
3766 sysctl_createv(clog, 0, NULL, NULL,
3767 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3768 CTLTYPE_NODE, "ah", NULL,
3769 NULL, IPPROTO_AH, NULL, 0,
3770 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
3771 }
3772
3773 #ifdef INET6
3774 /*
3775 * System control for IPSEC6
3776 */
3777 u_char ipsec6ctlermap[PRC_NCMDS] = {
3778 0, 0, 0, 0,
3779 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
3780 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
3781 EMSGSIZE, EHOSTUNREACH, 0, 0,
3782 0, 0, 0, 0,
3783 ENOPROTOOPT
3784 };
3785
3786 SYSCTL_SETUP(sysctl_net_inet6_ipsec6_setup,
3787 "sysctl net.inet6.ipsec6 subtree setup")
3788 {
3789
3790 sysctl_createv(clog, 0, NULL, NULL,
3791 CTLFLAG_PERMANENT,
3792 CTLTYPE_NODE, "net", NULL,
3793 NULL, 0, NULL, 0,
3794 CTL_NET, CTL_EOL);
3795 sysctl_createv(clog, 0, NULL, NULL,
3796 CTLFLAG_PERMANENT,
3797 CTLTYPE_NODE, "inet6", NULL,
3798 NULL, 0, NULL, 0,
3799 CTL_NET, PF_INET6, CTL_EOL);
3800 sysctl_createv(clog, 0, NULL, NULL,
3801 CTLFLAG_PERMANENT,
3802 CTLTYPE_NODE, "ipsec6",
3803 SYSCTL_DESCR("IPv6 related IPSec settings"),
3804 NULL, 0, NULL, 0,
3805 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
3806
3807 sysctl_createv(clog, 0, NULL, NULL,
3808 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3809 CTLTYPE_STRUCT, "stats",
3810 SYSCTL_DESCR("IPSec statistics and counters"),
3811 NULL, 0, &ipsec6stat, sizeof(ipsec6stat),
3812 CTL_NET, PF_INET6, IPPROTO_AH,
3813 IPSECCTL_STATS, CTL_EOL);
3814 sysctl_createv(clog, 0, NULL, NULL,
3815 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3816 CTLTYPE_INT, "def_policy",
3817 SYSCTL_DESCR("Default action for non-IPSec packets"),
3818 sysctl_ipsec, 0, &ip6_def_policy, 0,
3819 CTL_NET, PF_INET6, IPPROTO_AH,
3820 IPSECCTL_DEF_POLICY, CTL_EOL);
3821 sysctl_createv(clog, 0, NULL, NULL,
3822 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3823 CTLTYPE_INT, "esp_trans_deflev",
3824 SYSCTL_DESCR("Default required security level for "
3825 "transport mode traffic"),
3826 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0,
3827 CTL_NET, PF_INET6, IPPROTO_AH,
3828 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
3829 sysctl_createv(clog, 0, NULL, NULL,
3830 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3831 CTLTYPE_INT, "esp_net_deflev",
3832 SYSCTL_DESCR("Default required security level for "
3833 "tunneled traffic"),
3834 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0,
3835 CTL_NET, PF_INET6, IPPROTO_AH,
3836 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
3837 sysctl_createv(clog, 0, NULL, NULL,
3838 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3839 CTLTYPE_INT, "ah_trans_deflev",
3840 SYSCTL_DESCR("Default required security level for "
3841 "transport mode headers"),
3842 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0,
3843 CTL_NET, PF_INET6, IPPROTO_AH,
3844 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
3845 sysctl_createv(clog, 0, NULL, NULL,
3846 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3847 CTLTYPE_INT, "ah_net_deflev",
3848 SYSCTL_DESCR("Default required security level for "
3849 "tunneled headers"),
3850 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0,
3851 CTL_NET, PF_INET6, IPPROTO_AH,
3852 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
3853 sysctl_createv(clog, 0, NULL, NULL,
3854 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3855 CTLTYPE_INT, "ecn",
3856 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
3857 NULL, 0, &ip6_ipsec_ecn, 0,
3858 CTL_NET, PF_INET6, IPPROTO_AH,
3859 IPSECCTL_ECN, CTL_EOL);
3860 sysctl_createv(clog, 0, NULL, NULL,
3861 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3862 CTLTYPE_INT, "debug",
3863 SYSCTL_DESCR("Enable IPSec debugging output"),
3864 NULL, 0, &ipsec_debug, 0,
3865 CTL_NET, PF_INET6, IPPROTO_AH,
3866 IPSECCTL_DEBUG, CTL_EOL);
3867
3868 /*
3869 * "aliases" for the ipsec6 subtree
3870 */
3871 sysctl_createv(clog, 0, NULL, NULL,
3872 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3873 CTLTYPE_NODE, "esp6", NULL,
3874 NULL, IPPROTO_AH, NULL, 0,
3875 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL);
3876 sysctl_createv(clog, 0, NULL, NULL,
3877 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3878 CTLTYPE_NODE, "ipcomp6", NULL,
3879 NULL, IPPROTO_AH, NULL, 0,
3880 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL);
3881 sysctl_createv(clog, 0, NULL, NULL,
3882 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3883 CTLTYPE_NODE, "ah6", NULL,
3884 NULL, IPPROTO_AH, NULL, 0,
3885 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL);
3886 }
3887 #endif /* INET6 */
Cache object: 10a4b887ed54d18dda49c1d679018d32
|