Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* $NetBSD: ipsec.c,v 1.95.2.2 2005/03/16 22:59:06 tron Exp $ */ 2 /* $KAME: ipsec.c,v 1.136 2002/05/19 00:36:39 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * IPsec controller part. 35 */ 36 37 #include <sys/cdefs.h> 38 __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.95.2.2 2005/03/16 22:59:06 tron Exp $"); 39 40 #include "opt_inet.h" 41 #include "opt_ipsec.h" 42 43 #include <sys/param.h> 44 #include <sys/systm.h> 45 #include <sys/malloc.h> 46 #include <sys/mbuf.h> 47 #include <sys/domain.h> 48 #include <sys/protosw.h> 49 #include <sys/socket.h> 50 #include <sys/socketvar.h> 51 #include <sys/errno.h> 52 #include <sys/time.h> 53 #include <sys/kernel.h> 54 #include <sys/syslog.h> 55 #include <sys/sysctl.h> 56 57 #include <net/if.h> 58 #include <net/route.h> 59 60 #include <netinet/in.h> 61 #include <netinet/in_systm.h> 62 #include <netinet/ip.h> 63 #include <netinet/ip_var.h> 64 #include <netinet/in_var.h> 65 #include <netinet/udp.h> 66 #include <netinet/udp_var.h> 67 #include <netinet/ip_ecn.h> 68 #include <netinet/tcp.h> 69 #include <netinet/udp.h> 70 71 #include <netinet/ip6.h> 72 #ifdef INET6 73 #include <netinet6/ip6_var.h> 74 #endif 75 #include <netinet/in_pcb.h> 76 #ifdef INET6 77 #include <netinet6/in6_pcb.h> 78 #include <netinet/icmp6.h> 79 #endif 80 81 #include <netinet6/ipsec.h> 82 #include <netinet6/ah.h> 83 #ifdef IPSEC_ESP 84 #include <netinet6/esp.h> 85 #endif 86 #include <netinet6/ipcomp.h> 87 #include <netkey/key.h> 88 #include <netkey/keydb.h> 89 #include <netkey/key_debug.h> 90 91 #include <net/net_osdep.h> 92 93 #ifdef IPSEC_DEBUG 94 int ipsec_debug = 1; 95 #else 96 int ipsec_debug = 0; 97 #endif 98 99 struct ipsecstat ipsecstat; 100 int ip4_ah_cleartos = 1; 101 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ 102 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ 103 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; 104 int ip4_esp_net_deflev = IPSEC_LEVEL_USE; 105 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; 106 int ip4_ah_net_deflev = IPSEC_LEVEL_USE; 107 struct secpolicy *ip4_def_policy; 108 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 109 110 #ifdef INET6 111 struct ipsecstat ipsec6stat; 112 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; 113 int ip6_esp_net_deflev = IPSEC_LEVEL_USE; 114 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 115 int ip6_ah_net_deflev = IPSEC_LEVEL_USE; 116 struct secpolicy *ip6_def_policy; 117 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 118 119 #endif /* INET6 */ 120 121 u_int ipsec_spdgen = 1; /* SPD generation # */ 122 123 #ifdef SADB_X_EXT_TAG 124 static struct pf_tag *ipsec_get_tag __P((struct mbuf *)); 125 #endif 126 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *, 127 struct inpcbpolicy *, int)); 128 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *, 129 struct secpolicy *, int)); 130 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int)); 131 static int ipsec_setspidx_mbuf 132 __P((struct secpolicyindex *, int, struct mbuf *, int)); 133 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int)); 134 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); 135 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 136 #ifdef INET6 137 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); 138 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 139 #endif 140 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void)); 141 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *)); 142 #if 0 143 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *)); 144 #endif 145 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *)); 146 static int ipsec_set_policy 147 __P((struct secpolicy **, int, caddr_t, size_t, int)); 148 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **)); 149 static void vshiftl __P((unsigned char *, int, int)); 150 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *)); 151 static size_t ipsec_hdrsiz __P((struct secpolicy *)); 152 #ifdef INET 153 static struct mbuf *ipsec4_splithdr __P((struct mbuf *)); 154 #endif 155 #ifdef INET6 156 static struct mbuf *ipsec6_splithdr __P((struct mbuf *)); 157 #endif 158 #ifdef INET 159 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *)); 160 #endif 161 #ifdef INET6 162 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *)); 163 #endif 164 static struct m_tag *ipsec_addaux __P((struct mbuf *)); 165 static struct m_tag *ipsec_findaux __P((struct mbuf *)); 166 static void ipsec_optaux __P((struct mbuf *, struct m_tag *)); 167 #ifdef INET 168 static int ipsec4_checksa __P((struct ipsecrequest *, 169 struct ipsec_output_state *)); 170 #endif 171 #ifdef INET6 172 static int ipsec6_checksa __P((struct ipsecrequest *, 173 struct ipsec_output_state *, int)); 174 #endif 175 176 /* 177 * try to validate and use cached policy on a pcb. 178 */ 179 static struct secpolicy * 180 ipsec_checkpcbcache(m, pcbsp, dir) 181 struct mbuf *m; 182 struct inpcbpolicy *pcbsp; 183 int dir; 184 { 185 struct secpolicyindex spidx; 186 187 switch (dir) { 188 case IPSEC_DIR_INBOUND: 189 case IPSEC_DIR_OUTBOUND: 190 case IPSEC_DIR_ANY: 191 break; 192 default: 193 return NULL; 194 } 195 #ifdef DIAGNOSTIC 196 if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0])) 197 panic("dir too big in ipsec_checkpcbcache"); 198 #endif 199 /* SPD table change invalidates all the caches */ 200 if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) { 201 ipsec_invalpcbcache(pcbsp, dir); 202 return NULL; 203 } 204 if (!pcbsp->sp_cache[dir].cachesp) 205 return NULL; 206 if (pcbsp->sp_cache[dir].cachesp->state != IPSEC_SPSTATE_ALIVE) { 207 ipsec_invalpcbcache(pcbsp, dir); 208 return NULL; 209 } 210 if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) { 211 if (!pcbsp->sp_cache[dir].cachesp) 212 return NULL; 213 if (ipsec_setspidx(m, &spidx, 1) != 0) 214 return NULL; 215 if (bcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx, 216 sizeof(spidx))) { 217 if (!pcbsp->sp_cache[dir].cachesp->spidx || 218 !key_cmpspidx_withmask(pcbsp->sp_cache[dir].cachesp->spidx, 219 &spidx)) 220 return NULL; 221 pcbsp->sp_cache[dir].cacheidx = spidx; 222 } 223 } else { 224 /* 225 * The pcb is connected, and the L4 code is sure that: 226 * - outgoing side uses inp_[lf]addr 227 * - incoming side looks up policy after inpcb lookup 228 * and address pair is known to be stable. We do not need 229 * to generate spidx again, nor check the address match again. 230 * 231 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds 232 * and there are calls to ipsec_pcbconn() from in_pcbconnect(). 233 */ 234 } 235 236 pcbsp->sp_cache[dir].cachesp->lastused = mono_time.tv_sec; 237 pcbsp->sp_cache[dir].cachesp->refcnt++; 238 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 239 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n", 240 pcbsp->sp_cache[dir].cachesp->refcnt, 241 pcbsp->sp_cache[dir].cachesp)); 242 return pcbsp->sp_cache[dir].cachesp; 243 } 244 245 static int 246 ipsec_fillpcbcache(pcbsp, m, sp, dir) 247 struct inpcbpolicy *pcbsp; 248 struct mbuf *m; 249 struct secpolicy *sp; 250 int dir; 251 { 252 253 switch (dir) { 254 case IPSEC_DIR_INBOUND: 255 case IPSEC_DIR_OUTBOUND: 256 break; 257 default: 258 return EINVAL; 259 } 260 #ifdef DIAGNOSTIC 261 if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0])) 262 panic("dir too big in ipsec_checkpcbcache"); 263 #endif 264 265 if (pcbsp->sp_cache[dir].cachesp) 266 key_freesp(pcbsp->sp_cache[dir].cachesp); 267 pcbsp->sp_cache[dir].cachesp = NULL; 268 pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_MAYBE; 269 if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, 1) != 0) { 270 return EINVAL; 271 } 272 pcbsp->sp_cache[dir].cachesp = sp; 273 if (pcbsp->sp_cache[dir].cachesp) { 274 pcbsp->sp_cache[dir].cachesp->refcnt++; 275 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 276 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n", 277 pcbsp->sp_cache[dir].cachesp->refcnt, 278 pcbsp->sp_cache[dir].cachesp)); 279 280 /* 281 * If the PCB is connected, we can remember a hint to 282 * possibly short-circuit IPsec processing in other places. 283 */ 284 if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) { 285 switch (pcbsp->sp_cache[dir].cachesp->policy) { 286 case IPSEC_POLICY_NONE: 287 case IPSEC_POLICY_BYPASS: 288 pcbsp->sp_cache[dir].cachehint = 289 IPSEC_PCBHINT_NO; 290 break; 291 default: 292 pcbsp->sp_cache[dir].cachehint = 293 IPSEC_PCBHINT_YES; 294 } 295 } 296 } 297 pcbsp->sp_cache[dir].cachegen = ipsec_spdgen; 298 299 return 0; 300 } 301 302 static int 303 ipsec_invalpcbcache(pcbsp, dir) 304 struct inpcbpolicy *pcbsp; 305 int dir; 306 { 307 int i; 308 309 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) { 310 if (dir != IPSEC_DIR_ANY && i != dir) 311 continue; 312 if (pcbsp->sp_cache[i].cachesp) 313 key_freesp(pcbsp->sp_cache[i].cachesp); 314 pcbsp->sp_cache[i].cachesp = NULL; 315 pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_MAYBE; 316 pcbsp->sp_cache[i].cachegen = 0; 317 bzero(&pcbsp->sp_cache[i].cacheidx, 318 sizeof(pcbsp->sp_cache[i].cacheidx)); 319 } 320 return 0; 321 } 322 323 int 324 ipsec_pcbconn(pcbsp) 325 struct inpcbpolicy *pcbsp; 326 { 327 328 pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED; 329 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 330 return 0; 331 } 332 333 int 334 ipsec_pcbdisconn(pcbsp) 335 struct inpcbpolicy *pcbsp; 336 { 337 338 pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED; 339 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 340 return 0; 341 } 342 343 void 344 ipsec_invalpcbcacheall() 345 { 346 347 if (ipsec_spdgen == UINT_MAX) 348 ipsec_spdgen = 1; 349 else 350 ipsec_spdgen++; 351 } 352 353 #ifdef SADB_X_EXT_TAG 354 static struct pf_tag * 355 ipsec_get_tag(m) 356 struct mbuf *m; 357 { 358 struct m_tag *mtag; 359 360 if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL) 361 return ((struct pf_tag *)(mtag + 1)); 362 else 363 return (NULL); 364 } 365 #endif 366 367 /* 368 * For OUTBOUND packet having a socket. Searching SPD for packet, 369 * and return a pointer to SP. 370 * OUT: NULL: no apropreate SP found, the following value is set to error. 371 * 0 : bypass 372 * EACCES : discard packet. 373 * ENOENT : ipsec_acquire() in progress, maybe. 374 * others : error occurred. 375 * others: a pointer to SP 376 * 377 * NOTE: IPv6 mapped adddress concern is implemented here. 378 */ 379 struct secpolicy * 380 ipsec4_getpolicybysock(m, dir, so, error) 381 struct mbuf *m; 382 u_int dir; 383 struct socket *so; 384 int *error; 385 { 386 struct inpcbpolicy *pcbsp = NULL; 387 struct secpolicy *currsp = NULL; /* policy on socket */ 388 struct secpolicy *kernsp = NULL; /* policy on kernel */ 389 struct secpolicyindex spidx; 390 #ifdef SADB_X_EXT_TAG 391 struct pf_tag *t; 392 #endif 393 u_int16_t tag; 394 395 /* sanity check */ 396 if (m == NULL || so == NULL || error == NULL) 397 panic("ipsec4_getpolicybysock: NULL pointer was passed."); 398 399 switch (so->so_proto->pr_domain->dom_family) { 400 case AF_INET: 401 pcbsp = sotoinpcb(so)->inp_sp; 402 break; 403 #ifdef INET6 404 case AF_INET6: 405 pcbsp = sotoin6pcb(so)->in6p_sp; 406 break; 407 #endif 408 default: 409 panic("ipsec4_getpolicybysock: unsupported address family"); 410 } 411 412 #ifdef DIAGNOSTIC 413 if (pcbsp == NULL) 414 panic("ipsec4_getpolicybysock: pcbsp is NULL."); 415 #endif 416 417 #ifdef SADB_X_EXT_TAG 418 t = ipsec_get_tag(m); 419 tag = t ? t->tag : 0; 420 #else 421 tag = 0; 422 #endif 423 424 /* if we have a cached entry, and if it is still valid, use it. */ 425 ipsecstat.spdcachelookup++; 426 currsp = ipsec_checkpcbcache(m, pcbsp, dir); 427 if (currsp) { 428 *error = 0; 429 return currsp; 430 } 431 ipsecstat.spdcachemiss++; 432 433 switch (dir) { 434 case IPSEC_DIR_INBOUND: 435 currsp = pcbsp->sp_in; 436 break; 437 case IPSEC_DIR_OUTBOUND: 438 currsp = pcbsp->sp_out; 439 break; 440 default: 441 panic("ipsec4_getpolicybysock: illegal direction."); 442 } 443 444 /* sanity check */ 445 if (currsp == NULL) 446 panic("ipsec4_getpolicybysock: currsp is NULL."); 447 448 /* when privileged socket */ 449 if (pcbsp->priv) { 450 switch (currsp->policy) { 451 case IPSEC_POLICY_BYPASS: 452 currsp->refcnt++; 453 *error = 0; 454 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 455 return currsp; 456 457 case IPSEC_POLICY_ENTRUST: 458 /* look for a policy in SPD */ 459 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 && 460 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 461 /* SP found */ 462 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 463 printf("DP ipsec4_getpolicybysock called " 464 "to allocate SP:%p\n", kernsp)); 465 *error = 0; 466 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 467 return kernsp; 468 } 469 470 /* no SP found */ 471 ip4_def_policy->refcnt++; 472 *error = 0; 473 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir); 474 return ip4_def_policy; 475 476 case IPSEC_POLICY_IPSEC: 477 currsp->refcnt++; 478 *error = 0; 479 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 480 return currsp; 481 482 default: 483 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 484 "Invalid policy for PCB %d\n", currsp->policy)); 485 *error = EINVAL; 486 return NULL; 487 } 488 /* NOTREACHED */ 489 } 490 491 /* when non-privileged socket */ 492 /* look for a policy in SPD */ 493 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 && 494 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 495 /* SP found */ 496 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 497 printf("DP ipsec4_getpolicybysock called " 498 "to allocate SP:%p\n", kernsp)); 499 *error = 0; 500 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 501 return kernsp; 502 } 503 504 /* no SP found */ 505 switch (currsp->policy) { 506 case IPSEC_POLICY_BYPASS: 507 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 508 "Illegal policy for non-privileged defined %d\n", 509 currsp->policy)); 510 *error = EINVAL; 511 return NULL; 512 513 case IPSEC_POLICY_ENTRUST: 514 ip4_def_policy->refcnt++; 515 *error = 0; 516 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir); 517 return ip4_def_policy; 518 519 case IPSEC_POLICY_IPSEC: 520 currsp->refcnt++; 521 *error = 0; 522 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 523 return currsp; 524 525 default: 526 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 527 "Invalid policy for PCB %d\n", currsp->policy)); 528 *error = EINVAL; 529 return NULL; 530 } 531 /* NOTREACHED */ 532 } 533 534 /* 535 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 536 * and return a pointer to SP. 537 * OUT: positive: a pointer to the entry for security policy leaf matched. 538 * NULL: no apropreate SP found, the following value is set to error. 539 * 0 : bypass 540 * EACCES : discard packet. 541 * ENOENT : ipsec_acquire() in progress, maybe. 542 * others : error occurred. 543 */ 544 struct secpolicy * 545 ipsec4_getpolicybyaddr(m, dir, flag, error) 546 struct mbuf *m; 547 u_int dir; 548 int flag; 549 int *error; 550 { 551 struct secpolicy *sp = NULL; 552 #ifdef SADB_X_EXT_TAG 553 struct pf_tag *t; 554 #endif 555 u_int16_t tag; 556 557 /* sanity check */ 558 if (m == NULL || error == NULL) 559 panic("ipsec4_getpolicybyaddr: NULL pointer was passed."); 560 561 /* get a policy entry matched with the packet */ 562 { 563 struct secpolicyindex spidx; 564 565 bzero(&spidx, sizeof(spidx)); 566 567 /* make an index to look for a policy */ 568 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m, 569 (flag & IP_FORWARDING) ? 0 : 1); 570 571 if (*error != 0) 572 return NULL; 573 574 #ifdef SADB_X_EXT_TAG 575 t = ipsec_get_tag(m); 576 tag = t ? t->tag : 0; 577 #else 578 tag = 0; 579 #endif 580 581 sp = key_allocsp(tag, &spidx, dir); 582 } 583 584 /* SP found */ 585 if (sp != NULL) { 586 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 587 printf("DP ipsec4_getpolicybyaddr called " 588 "to allocate SP:%p\n", sp)); 589 *error = 0; 590 return sp; 591 } 592 593 /* no SP found */ 594 ip4_def_policy->refcnt++; 595 *error = 0; 596 return ip4_def_policy; 597 } 598 599 #ifdef INET6 600 /* 601 * For OUTBOUND packet having a socket. Searching SPD for packet, 602 * and return a pointer to SP. 603 * OUT: NULL: no apropreate SP found, the following value is set to error. 604 * 0 : bypass 605 * EACCES : discard packet. 606 * ENOENT : ipsec_acquire() in progress, maybe. 607 * others : error occurred. 608 * others: a pointer to SP 609 */ 610 struct secpolicy * 611 ipsec6_getpolicybysock(m, dir, so, error) 612 struct mbuf *m; 613 u_int dir; 614 struct socket *so; 615 int *error; 616 { 617 struct inpcbpolicy *pcbsp = NULL; 618 struct secpolicy *currsp = NULL; /* policy on socket */ 619 struct secpolicy *kernsp = NULL; /* policy on kernel */ 620 struct secpolicyindex spidx; 621 #ifdef SADB_X_EXT_TAG 622 struct pf_tag *t; 623 #endif 624 u_int16_t tag; 625 626 /* sanity check */ 627 if (m == NULL || so == NULL || error == NULL) 628 panic("ipsec6_getpolicybysock: NULL pointer was passed."); 629 630 #ifdef DIAGNOSTIC 631 if (so->so_proto->pr_domain->dom_family != AF_INET6) 632 panic("ipsec6_getpolicybysock: socket domain != inet6"); 633 #endif 634 635 pcbsp = sotoin6pcb(so)->in6p_sp; 636 637 #ifdef DIAGNOSTIC 638 if (pcbsp == NULL) 639 panic("ipsec6_getpolicybysock: pcbsp is NULL."); 640 #endif 641 642 #ifdef SADB_X_EXT_TAG 643 t = ipsec_get_tag(m); 644 tag = t ? t->tag : 0; 645 #else 646 tag = 0; 647 #endif 648 649 /* if we have a cached entry, and if it is still valid, use it. */ 650 ipsec6stat.spdcachelookup++; 651 currsp = ipsec_checkpcbcache(m, pcbsp, dir); 652 if (currsp) { 653 *error = 0; 654 return currsp; 655 } 656 ipsec6stat.spdcachemiss++; 657 658 switch (dir) { 659 case IPSEC_DIR_INBOUND: 660 currsp = pcbsp->sp_in; 661 break; 662 case IPSEC_DIR_OUTBOUND: 663 currsp = pcbsp->sp_out; 664 break; 665 default: 666 panic("ipsec6_getpolicybysock: illegal direction."); 667 } 668 669 /* sanity check */ 670 if (currsp == NULL) 671 panic("ipsec6_getpolicybysock: currsp is NULL."); 672 673 /* when privileged socket */ 674 if (pcbsp->priv) { 675 switch (currsp->policy) { 676 case IPSEC_POLICY_BYPASS: 677 currsp->refcnt++; 678 *error = 0; 679 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 680 return currsp; 681 682 case IPSEC_POLICY_ENTRUST: 683 /* look for a policy in SPD */ 684 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 && 685 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 686 /* SP found */ 687 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 688 printf("DP ipsec6_getpolicybysock called " 689 "to allocate SP:%p\n", kernsp)); 690 *error = 0; 691 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 692 return kernsp; 693 } 694 695 /* no SP found */ 696 ip6_def_policy->refcnt++; 697 *error = 0; 698 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir); 699 return ip6_def_policy; 700 701 case IPSEC_POLICY_IPSEC: 702 currsp->refcnt++; 703 *error = 0; 704 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 705 return currsp; 706 707 default: 708 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " 709 "Invalid policy for PCB %d\n", currsp->policy)); 710 *error = EINVAL; 711 return NULL; 712 } 713 /* NOTREACHED */ 714 } 715 716 /* when non-privileged socket */ 717 /* look for a policy in SPD */ 718 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 && 719 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 720 /* SP found */ 721 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 722 printf("DP ipsec6_getpolicybysock called " 723 "to allocate SP:%p\n", kernsp)); 724 *error = 0; 725 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 726 return kernsp; 727 } 728 729 /* no SP found */ 730 switch (currsp->policy) { 731 case IPSEC_POLICY_BYPASS: 732 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " 733 "Illegal policy for non-privileged defined %d\n", 734 currsp->policy)); 735 *error = EINVAL; 736 return NULL; 737 738 case IPSEC_POLICY_ENTRUST: 739 ip6_def_policy->refcnt++; 740 *error = 0; 741 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir); 742 return ip6_def_policy; 743 744 case IPSEC_POLICY_IPSEC: 745 currsp->refcnt++; 746 *error = 0; 747 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 748 return currsp; 749 750 default: 751 ipseclog((LOG_ERR, 752 "ipsec6_policybysock: Invalid policy for PCB %d\n", 753 currsp->policy)); 754 *error = EINVAL; 755 return NULL; 756 } 757 /* NOTREACHED */ 758 } 759 760 /* 761 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 762 * and return a pointer to SP. 763 * `flag' means that packet is to be forwarded whether or not. 764 * flag = 1: forwad 765 * OUT: positive: a pointer to the entry for security policy leaf matched. 766 * NULL: no apropreate SP found, the following value is set to error. 767 * 0 : bypass 768 * EACCES : discard packet. 769 * ENOENT : ipsec_acquire() in progress, maybe. 770 * others : error occurred. 771 */ 772 #ifndef IP_FORWARDING 773 #define IP_FORWARDING 1 774 #endif 775 776 struct secpolicy * 777 ipsec6_getpolicybyaddr(m, dir, flag, error) 778 struct mbuf *m; 779 u_int dir; 780 int flag; 781 int *error; 782 { 783 struct secpolicy *sp = NULL; 784 #ifdef SADB_X_EXT_TAG 785 struct pf_tag *t; 786 #endif 787 u_int16_t tag; 788 789 /* sanity check */ 790 if (m == NULL || error == NULL) 791 panic("ipsec6_getpolicybyaddr: NULL pointer was passed."); 792 793 /* get a policy entry matched with the packet */ 794 { 795 struct secpolicyindex spidx; 796 797 bzero(&spidx, sizeof(spidx)); 798 799 /* make an index to look for a policy */ 800 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 801 (flag & IP_FORWARDING) ? 0 : 1); 802 803 if (*error != 0) 804 return NULL; 805 806 #ifdef SADB_X_EXT_TAG 807 t = ipsec_get_tag(m); 808 tag = t ? t->tag : 0; 809 #else 810 tag = 0; 811 #endif 812 813 sp = key_allocsp(tag, &spidx, dir); 814 } 815 816 /* SP found */ 817 if (sp != NULL) { 818 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 819 printf("DP ipsec6_getpolicybyaddr called " 820 "to allocate SP:%p\n", sp)); 821 *error = 0; 822 return sp; 823 } 824 825 /* no SP found */ 826 ip6_def_policy->refcnt++; 827 *error = 0; 828 return ip6_def_policy; 829 } 830 #endif /* INET6 */ 831 832 /* 833 * set IP address into spidx from mbuf. 834 * When Forwarding packet and ICMP echo reply, this function is used. 835 * 836 * IN: get the followings from mbuf. 837 * protocol family, src, dst, next protocol 838 * OUT: 839 * 0: success. 840 * other: failure, and set errno. 841 */ 842 int 843 ipsec_setspidx_mbuf(spidx, family, m, needport) 844 struct secpolicyindex *spidx; 845 int family; 846 struct mbuf *m; 847 int needport; 848 { 849 int error; 850 851 /* sanity check */ 852 if (spidx == NULL || m == NULL) 853 panic("ipsec_setspidx_mbuf: NULL pointer was passed."); 854 855 bzero(spidx, sizeof(*spidx)); 856 857 error = ipsec_setspidx(m, spidx, needport); 858 if (error) 859 goto bad; 860 861 return 0; 862 863 bad: 864 /* XXX initialize */ 865 bzero(spidx, sizeof(*spidx)); 866 return EINVAL; 867 } 868 869 /* 870 * configure security policy index (src/dst/proto/sport/dport) 871 * by looking at the content of mbuf. 872 * the caller is responsible for error recovery (like clearing up spidx). 873 */ 874 static int 875 ipsec_setspidx(m, spidx, needport) 876 struct mbuf *m; 877 struct secpolicyindex *spidx; 878 int needport; 879 { 880 struct ip *ip = NULL; 881 struct ip ipbuf; 882 u_int v; 883 struct mbuf *n; 884 int len; 885 int error; 886 887 if (m == NULL) 888 panic("ipsec_setspidx: m == 0 passed."); 889 890 bzero(spidx, sizeof(*spidx)); 891 892 /* 893 * validate m->m_pkthdr.len. we see incorrect length if we 894 * mistakenly call this function with inconsistent mbuf chain 895 * (like 4.4BSD tcp/udp processing). XXX should we panic here? 896 */ 897 len = 0; 898 for (n = m; n; n = n->m_next) 899 len += n->m_len; 900 if (m->m_pkthdr.len != len) { 901 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 902 printf("ipsec_setspidx: " 903 "total of m_len(%d) != pkthdr.len(%d), " 904 "ignored.\n", 905 len, m->m_pkthdr.len)); 906 return EINVAL; 907 } 908 909 if (m->m_pkthdr.len < sizeof(struct ip)) { 910 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 911 printf("ipsec_setspidx: " 912 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n", 913 m->m_pkthdr.len)); 914 return EINVAL; 915 } 916 917 if (m->m_len >= sizeof(*ip)) 918 ip = mtod(m, struct ip *); 919 else { 920 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 921 ip = &ipbuf; 922 } 923 v = ip->ip_v; 924 switch (v) { 925 case 4: 926 error = ipsec4_setspidx_ipaddr(m, spidx); 927 if (error) 928 return error; 929 ipsec4_get_ulp(m, spidx, needport); 930 return 0; 931 #ifdef INET6 932 case 6: 933 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 934 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 935 printf("ipsec_setspidx: " 936 "pkthdr.len(%d) < sizeof(struct ip6_hdr), " 937 "ignored.\n", m->m_pkthdr.len)); 938 return EINVAL; 939 } 940 error = ipsec6_setspidx_ipaddr(m, spidx); 941 if (error) 942 return error; 943 ipsec6_get_ulp(m, spidx, needport); 944 return 0; 945 #endif 946 default: 947 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 948 printf("ipsec_setspidx: " 949 "unknown IP version %u, ignored.\n", v)); 950 return EINVAL; 951 } 952 } 953 954 static void 955 ipsec4_get_ulp(m, spidx, needport) 956 struct mbuf *m; 957 struct secpolicyindex *spidx; 958 int needport; 959 { 960 struct ip ip; 961 struct ip6_ext ip6e; 962 u_int8_t nxt; 963 int off; 964 struct tcphdr th; 965 struct udphdr uh; 966 967 /* sanity check */ 968 if (m == NULL) 969 panic("ipsec4_get_ulp: NULL pointer was passed."); 970 if (m->m_pkthdr.len < sizeof(ip)) 971 panic("ipsec4_get_ulp: too short"); 972 973 /* set default */ 974 spidx->ul_proto = IPSEC_ULPROTO_ANY; 975 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY; 976 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY; 977 978 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip); 979 if (ip.ip_off & htons(IP_MF | IP_OFFMASK)) 980 return; 981 982 nxt = ip.ip_p; 983 off = ip.ip_hl << 2; 984 while (off < m->m_pkthdr.len) { 985 switch (nxt) { 986 case IPPROTO_TCP: 987 spidx->ul_proto = nxt; 988 if (!needport) 989 return; 990 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 991 return; 992 m_copydata(m, off, sizeof(th), (caddr_t)&th); 993 ((struct sockaddr_in *)&spidx->src)->sin_port = 994 th.th_sport; 995 ((struct sockaddr_in *)&spidx->dst)->sin_port = 996 th.th_dport; 997 return; 998 case IPPROTO_UDP: 999 spidx->ul_proto = nxt; 1000 if (!needport) 1001 return; 1002 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1003 return; 1004 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1005 ((struct sockaddr_in *)&spidx->src)->sin_port = 1006 uh.uh_sport; 1007 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1008 uh.uh_dport; 1009 return; 1010 case IPPROTO_AH: 1011 if (off + sizeof(ip6e) > m->m_pkthdr.len) 1012 return; 1013 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1014 off += (ip6e.ip6e_len + 2) << 2; 1015 nxt = ip6e.ip6e_nxt; 1016 break; 1017 case IPPROTO_ICMP: 1018 default: 1019 /* XXX intermediate headers??? */ 1020 spidx->ul_proto = nxt; 1021 return; 1022 } 1023 } 1024 } 1025 1026 /* assumes that m is sane */ 1027 static int 1028 ipsec4_setspidx_ipaddr(m, spidx) 1029 struct mbuf *m; 1030 struct secpolicyindex *spidx; 1031 { 1032 struct ip *ip = NULL; 1033 struct ip ipbuf; 1034 struct sockaddr_in *sin; 1035 1036 if (m->m_len >= sizeof(*ip)) 1037 ip = mtod(m, struct ip *); 1038 else { 1039 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 1040 ip = &ipbuf; 1041 } 1042 1043 sin = (struct sockaddr_in *)&spidx->src; 1044 bzero(sin, sizeof(*sin)); 1045 sin->sin_family = AF_INET; 1046 sin->sin_len = sizeof(struct sockaddr_in); 1047 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src)); 1048 spidx->prefs = sizeof(struct in_addr) << 3; 1049 1050 sin = (struct sockaddr_in *)&spidx->dst; 1051 bzero(sin, sizeof(*sin)); 1052 sin->sin_family = AF_INET; 1053 sin->sin_len = sizeof(struct sockaddr_in); 1054 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)); 1055 spidx->prefd = sizeof(struct in_addr) << 3; 1056 return 0; 1057 } 1058 1059 #ifdef INET6 1060 static void 1061 ipsec6_get_ulp(m, spidx, needport) 1062 struct mbuf *m; 1063 struct secpolicyindex *spidx; 1064 int needport; 1065 { 1066 int off, nxt; 1067 struct tcphdr th; 1068 struct udphdr uh; 1069 1070 /* sanity check */ 1071 if (m == NULL) 1072 panic("ipsec6_get_ulp: NULL pointer was passed."); 1073 1074 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1075 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m)); 1076 1077 /* set default */ 1078 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1079 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; 1080 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; 1081 1082 nxt = -1; 1083 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 1084 if (off < 0 || m->m_pkthdr.len < off) 1085 return; 1086 1087 switch (nxt) { 1088 case IPPROTO_TCP: 1089 spidx->ul_proto = nxt; 1090 if (!needport) 1091 break; 1092 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1093 break; 1094 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1095 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; 1096 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; 1097 break; 1098 case IPPROTO_UDP: 1099 spidx->ul_proto = nxt; 1100 if (!needport) 1101 break; 1102 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1103 break; 1104 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1105 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; 1106 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; 1107 break; 1108 case IPPROTO_ICMPV6: 1109 default: 1110 /* XXX intermediate headers??? */ 1111 spidx->ul_proto = nxt; 1112 break; 1113 } 1114 } 1115 1116 /* assumes that m is sane */ 1117 static int 1118 ipsec6_setspidx_ipaddr(m, spidx) 1119 struct mbuf *m; 1120 struct secpolicyindex *spidx; 1121 { 1122 struct ip6_hdr *ip6 = NULL; 1123 struct ip6_hdr ip6buf; 1124 struct sockaddr_in6 *sin6; 1125 1126 if (m->m_len >= sizeof(*ip6)) 1127 ip6 = mtod(m, struct ip6_hdr *); 1128 else { 1129 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); 1130 ip6 = &ip6buf; 1131 } 1132 1133 sin6 = (struct sockaddr_in6 *)&spidx->src; 1134 bzero(sin6, sizeof(*sin6)); 1135 sin6->sin6_family = AF_INET6; 1136 sin6->sin6_len = sizeof(struct sockaddr_in6); 1137 in6_recoverscope(sin6, &ip6->ip6_src, NULL); 1138 spidx->prefs = sizeof(struct in6_addr) << 3; 1139 1140 sin6 = (struct sockaddr_in6 *)&spidx->dst; 1141 bzero(sin6, sizeof(*sin6)); 1142 sin6->sin6_family = AF_INET6; 1143 sin6->sin6_len = sizeof(struct sockaddr_in6); 1144 in6_recoverscope(sin6, &ip6->ip6_dst, NULL); 1145 spidx->prefd = sizeof(struct in6_addr) << 3; 1146 1147 return 0; 1148 } 1149 #endif 1150 1151 static struct inpcbpolicy * 1152 ipsec_newpcbpolicy() 1153 { 1154 struct inpcbpolicy *p; 1155 1156 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT); 1157 return p; 1158 } 1159 1160 static void 1161 ipsec_delpcbpolicy(p) 1162 struct inpcbpolicy *p; 1163 { 1164 1165 free(p, M_SECA); 1166 } 1167 1168 /* initialize policy in PCB */ 1169 int 1170 ipsec_init_pcbpolicy(so, pcb_sp) 1171 struct socket *so; 1172 struct inpcbpolicy **pcb_sp; 1173 { 1174 struct inpcbpolicy *new; 1175 static int initialized = 0; 1176 static struct secpolicy *in = NULL, *out = NULL; 1177 1178 /* sanity check. */ 1179 if (so == NULL || pcb_sp == NULL) 1180 panic("ipsec_init_pcbpolicy: NULL pointer was passed."); 1181 1182 if (!initialized) { 1183 if ((in = key_newsp(0)) == NULL) 1184 return ENOBUFS; 1185 if ((out = key_newsp(0)) == NULL) { 1186 key_freesp(in); 1187 in = NULL; 1188 return ENOBUFS; 1189 } 1190 1191 in->state = IPSEC_SPSTATE_ALIVE; 1192 in->policy = IPSEC_POLICY_ENTRUST; 1193 in->dir = IPSEC_DIR_INBOUND; 1194 in->readonly = 1; 1195 in->persist = 1; 1196 in->so = NULL; 1197 1198 out->state = IPSEC_SPSTATE_ALIVE; 1199 out->policy = IPSEC_POLICY_ENTRUST; 1200 out->dir = IPSEC_DIR_OUTBOUND; 1201 out->readonly = 1; 1202 out->persist = 1; 1203 out->so = NULL; 1204 1205 initialized++; 1206 } 1207 1208 new = ipsec_newpcbpolicy(); 1209 if (new == NULL) { 1210 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n")); 1211 return ENOBUFS; 1212 } 1213 bzero(new, sizeof(*new)); 1214 1215 if (so->so_uid == 0) /* XXX */ 1216 new->priv = 1; 1217 else 1218 new->priv = 0; 1219 1220 new->sp_in = in; 1221 new->sp_in->refcnt++; 1222 new->sp_out = out; 1223 new->sp_out->refcnt++; 1224 1225 *pcb_sp = new; 1226 1227 return 0; 1228 } 1229 1230 /* copy old ipsec policy into new */ 1231 int 1232 ipsec_copy_pcbpolicy(old, new) 1233 struct inpcbpolicy *old, *new; 1234 { 1235 1236 if (new->sp_in) 1237 key_freesp(new->sp_in); 1238 if (old->sp_in->policy == IPSEC_POLICY_IPSEC) 1239 new->sp_in = ipsec_deepcopy_policy(old->sp_in); 1240 else { 1241 new->sp_in = old->sp_in; 1242 new->sp_in->refcnt++; 1243 } 1244 1245 if (new->sp_out) 1246 key_freesp(new->sp_out); 1247 if (old->sp_out->policy == IPSEC_POLICY_IPSEC) 1248 new->sp_out = ipsec_deepcopy_policy(old->sp_out); 1249 else { 1250 new->sp_out = old->sp_out; 1251 new->sp_out->refcnt++; 1252 } 1253 1254 new->priv = old->priv; 1255 1256 return 0; 1257 } 1258 1259 #if 0 1260 static int 1261 ipsec_deepcopy_pcbpolicy(pcb_sp) 1262 struct inpcbpolicy *pcb_sp; 1263 { 1264 struct secpolicy *sp; 1265 1266 sp = ipsec_deepcopy_policy(pcb_sp->sp_in); 1267 if (sp) { 1268 key_freesp(pcb_sp->sp_in); 1269 pcb_sp->sp_in = sp; 1270 } else 1271 return ENOBUFS; 1272 1273 sp = ipsec_deepcopy_policy(pcb_sp->sp_out); 1274 if (sp) { 1275 key_freesp(pcb_sp->sp_out); 1276 pcb_sp->sp_out = sp; 1277 } else 1278 return ENOBUFS; 1279 1280 return 0; 1281 } 1282 #endif 1283 1284 /* deep-copy a policy in PCB */ 1285 static struct secpolicy * 1286 ipsec_deepcopy_policy(src) 1287 struct secpolicy *src; 1288 { 1289 struct ipsecrequest *newchain = NULL; 1290 struct ipsecrequest *p; 1291 struct ipsecrequest **q; 1292 struct ipsecrequest *r; 1293 struct secpolicy *dst; 1294 1295 if (src == NULL) 1296 return NULL; 1297 1298 dst = key_newsp(0); 1299 if (dst == NULL) 1300 return NULL; 1301 1302 /* 1303 * deep-copy IPsec request chain. This is required since struct 1304 * ipsecrequest is not reference counted. 1305 */ 1306 q = &newchain; 1307 for (p = src->req; p; p = p->next) { 1308 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest), 1309 M_SECA, M_NOWAIT); 1310 if (*q == NULL) 1311 goto fail; 1312 bzero(*q, sizeof(**q)); 1313 (*q)->next = NULL; 1314 1315 (*q)->saidx.proto = p->saidx.proto; 1316 (*q)->saidx.mode = p->saidx.mode; 1317 (*q)->level = p->level; 1318 (*q)->saidx.reqid = p->saidx.reqid; 1319 1320 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src)); 1321 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst)); 1322 1323 (*q)->sav = NULL; 1324 (*q)->sp = dst; 1325 1326 q = &((*q)->next); 1327 } 1328 1329 if (src->spidx) 1330 if (keydb_setsecpolicyindex(dst, src->spidx) != 0) 1331 goto fail; 1332 1333 dst->req = newchain; 1334 dst->state = src->state; 1335 dst->policy = src->policy; 1336 dst->dir = src->dir; 1337 dst->so = src->so; 1338 /* do not touch the refcnt fields */ 1339 1340 return dst; 1341 1342 fail: 1343 for (p = newchain; p; p = r) { 1344 r = p->next; 1345 free(p, M_SECA); 1346 p = NULL; 1347 } 1348 key_freesp(dst); 1349 return NULL; 1350 } 1351 1352 /* set policy and ipsec request if present. */ 1353 static int 1354 ipsec_set_policy(spp, optname, request, len, priv) 1355 struct secpolicy **spp; 1356 int optname; 1357 caddr_t request; 1358 size_t len; 1359 int priv; 1360 { 1361 struct sadb_x_policy *xpl; 1362 struct secpolicy *newsp = NULL; 1363 int error; 1364 1365 /* sanity check. */ 1366 if (spp == NULL || *spp == NULL || request == NULL) 1367 return EINVAL; 1368 if (len < sizeof(*xpl)) 1369 return EINVAL; 1370 xpl = (struct sadb_x_policy *)request; 1371 1372 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1373 printf("ipsec_set_policy: passed policy\n"); 1374 kdebug_sadb_x_policy((struct sadb_ext *)xpl)); 1375 1376 /* check policy type */ 1377 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ 1378 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD || 1379 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) 1380 return EINVAL; 1381 1382 /* check privileged socket */ 1383 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) 1384 return EACCES; 1385 1386 /* allocation new SP entry */ 1387 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) 1388 return error; 1389 1390 newsp->state = IPSEC_SPSTATE_ALIVE; 1391 1392 /* clear old SP and set new SP */ 1393 key_freesp(*spp); 1394 *spp = newsp; 1395 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1396 printf("ipsec_set_policy: new policy\n"); 1397 kdebug_secpolicy(newsp)); 1398 1399 return 0; 1400 } 1401 1402 static int 1403 ipsec_get_policy(sp, mp) 1404 struct secpolicy *sp; 1405 struct mbuf **mp; 1406 { 1407 1408 /* sanity check. */ 1409 if (sp == NULL || mp == NULL) 1410 return EINVAL; 1411 1412 *mp = key_sp2msg(sp); 1413 if (!*mp) { 1414 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n")); 1415 return ENOBUFS; 1416 } 1417 1418 (*mp)->m_type = MT_SOOPTS; 1419 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1420 printf("ipsec_get_policy:\n"); 1421 kdebug_mbuf(*mp)); 1422 1423 return 0; 1424 } 1425 1426 int 1427 ipsec4_set_policy(inp, optname, request, len, priv) 1428 struct inpcb *inp; 1429 int optname; 1430 caddr_t request; 1431 size_t len; 1432 int priv; 1433 { 1434 struct sadb_x_policy *xpl; 1435 struct secpolicy **spp; 1436 1437 /* sanity check. */ 1438 if (inp == NULL || request == NULL) 1439 return EINVAL; 1440 if (len < sizeof(*xpl)) 1441 return EINVAL; 1442 xpl = (struct sadb_x_policy *)request; 1443 1444 /* select direction */ 1445 switch (xpl->sadb_x_policy_dir) { 1446 case IPSEC_DIR_INBOUND: 1447 spp = &inp->inp_sp->sp_in; 1448 break; 1449 case IPSEC_DIR_OUTBOUND: 1450 spp = &inp->inp_sp->sp_out; 1451 break; 1452 default: 1453 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", 1454 xpl->sadb_x_policy_dir)); 1455 return EINVAL; 1456 } 1457 1458 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1459 return ipsec_set_policy(spp, optname, request, len, priv); 1460 } 1461 1462 int 1463 ipsec4_get_policy(inp, request, len, mp) 1464 struct inpcb *inp; 1465 caddr_t request; 1466 size_t len; 1467 struct mbuf **mp; 1468 { 1469 struct sadb_x_policy *xpl; 1470 struct secpolicy *sp; 1471 1472 /* sanity check. */ 1473 if (inp == NULL || request == NULL || mp == NULL) 1474 return EINVAL; 1475 if (inp->inp_sp == NULL) 1476 panic("policy in PCB is NULL"); 1477 if (len < sizeof(*xpl)) 1478 return EINVAL; 1479 xpl = (struct sadb_x_policy *)request; 1480 1481 /* select direction */ 1482 switch (xpl->sadb_x_policy_dir) { 1483 case IPSEC_DIR_INBOUND: 1484 sp = inp->inp_sp->sp_in; 1485 break; 1486 case IPSEC_DIR_OUTBOUND: 1487 sp = inp->inp_sp->sp_out; 1488 break; 1489 default: 1490 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n", 1491 xpl->sadb_x_policy_dir)); 1492 return EINVAL; 1493 } 1494 1495 return ipsec_get_policy(sp, mp); 1496 } 1497 1498 /* delete policy in PCB */ 1499 int 1500 ipsec4_delete_pcbpolicy(inp) 1501 struct inpcb *inp; 1502 { 1503 /* sanity check. */ 1504 if (inp == NULL) 1505 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed."); 1506 1507 if (inp->inp_sp == NULL) 1508 return 0; 1509 1510 if (inp->inp_sp->sp_in != NULL) { 1511 key_freesp(inp->inp_sp->sp_in); 1512 inp->inp_sp->sp_in = NULL; 1513 } 1514 1515 if (inp->inp_sp->sp_out != NULL) { 1516 key_freesp(inp->inp_sp->sp_out); 1517 inp->inp_sp->sp_out = NULL; 1518 } 1519 1520 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1521 1522 ipsec_delpcbpolicy(inp->inp_sp); 1523 inp->inp_sp = NULL; 1524 1525 return 0; 1526 } 1527 1528 #ifdef INET6 1529 int 1530 ipsec6_set_policy(in6p, optname, request, len, priv) 1531 struct in6pcb *in6p; 1532 int optname; 1533 caddr_t request; 1534 size_t len; 1535 int priv; 1536 { 1537 struct sadb_x_policy *xpl; 1538 struct secpolicy **spp; 1539 1540 /* sanity check. */ 1541 if (in6p == NULL || request == NULL) 1542 return EINVAL; 1543 if (len < sizeof(*xpl)) 1544 return EINVAL; 1545 xpl = (struct sadb_x_policy *)request; 1546 1547 /* select direction */ 1548 switch (xpl->sadb_x_policy_dir) { 1549 case IPSEC_DIR_INBOUND: 1550 spp = &in6p->in6p_sp->sp_in; 1551 break; 1552 case IPSEC_DIR_OUTBOUND: 1553 spp = &in6p->in6p_sp->sp_out; 1554 break; 1555 default: 1556 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", 1557 xpl->sadb_x_policy_dir)); 1558 return EINVAL; 1559 } 1560 1561 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1562 return ipsec_set_policy(spp, optname, request, len, priv); 1563 } 1564 1565 int 1566 ipsec6_get_policy(in6p, request, len, mp) 1567 struct in6pcb *in6p; 1568 caddr_t request; 1569 size_t len; 1570 struct mbuf **mp; 1571 { 1572 struct sadb_x_policy *xpl; 1573 struct secpolicy *sp; 1574 1575 /* sanity check. */ 1576 if (in6p == NULL || request == NULL || mp == NULL) 1577 return EINVAL; 1578 if (in6p->in6p_sp == NULL) 1579 panic("policy in PCB is NULL"); 1580 if (len < sizeof(*xpl)) 1581 return EINVAL; 1582 xpl = (struct sadb_x_policy *)request; 1583 1584 /* select direction */ 1585 switch (xpl->sadb_x_policy_dir) { 1586 case IPSEC_DIR_INBOUND: 1587 sp = in6p->in6p_sp->sp_in; 1588 break; 1589 case IPSEC_DIR_OUTBOUND: 1590 sp = in6p->in6p_sp->sp_out; 1591 break; 1592 default: 1593 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n", 1594 xpl->sadb_x_policy_dir)); 1595 return EINVAL; 1596 } 1597 1598 return ipsec_get_policy(sp, mp); 1599 } 1600 1601 int 1602 ipsec6_delete_pcbpolicy(in6p) 1603 struct in6pcb *in6p; 1604 { 1605 /* sanity check. */ 1606 if (in6p == NULL) 1607 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed."); 1608 1609 if (in6p->in6p_sp == NULL) 1610 return 0; 1611 1612 if (in6p->in6p_sp->sp_in != NULL) { 1613 key_freesp(in6p->in6p_sp->sp_in); 1614 in6p->in6p_sp->sp_in = NULL; 1615 } 1616 1617 if (in6p->in6p_sp->sp_out != NULL) { 1618 key_freesp(in6p->in6p_sp->sp_out); 1619 in6p->in6p_sp->sp_out = NULL; 1620 } 1621 1622 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1623 1624 ipsec_delpcbpolicy(in6p->in6p_sp); 1625 in6p->in6p_sp = NULL; 1626 1627 return 0; 1628 } 1629 #endif 1630 1631 /* 1632 * return current level. 1633 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 1634 */ 1635 u_int 1636 ipsec_get_reqlevel(isr, af) 1637 struct ipsecrequest *isr; 1638 int af; 1639 { 1640 u_int level = 0; 1641 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev; 1642 1643 /* sanity check */ 1644 if (isr == NULL || isr->sp == NULL) 1645 panic("ipsec_get_reqlevel: NULL pointer is passed."); 1646 1647 /* set default level */ 1648 switch (af) { 1649 #ifdef INET 1650 case AF_INET: 1651 esp_trans_deflev = ip4_esp_trans_deflev; 1652 esp_net_deflev = ip4_esp_net_deflev; 1653 ah_trans_deflev = ip4_ah_trans_deflev; 1654 ah_net_deflev = ip4_ah_net_deflev; 1655 break; 1656 #endif 1657 #ifdef INET6 1658 case AF_INET6: 1659 esp_trans_deflev = ip6_esp_trans_deflev; 1660 esp_net_deflev = ip6_esp_net_deflev; 1661 ah_trans_deflev = ip6_ah_trans_deflev; 1662 ah_net_deflev = ip6_ah_net_deflev; 1663 break; 1664 #endif /* INET6 */ 1665 default: 1666 panic("key_get_reqlevel: Unknown family. %d", 1667 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family); 1668 } 1669 1670 /* set level */ 1671 switch (isr->level) { 1672 case IPSEC_LEVEL_DEFAULT: 1673 switch (isr->saidx.proto) { 1674 case IPPROTO_ESP: 1675 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1676 level = esp_net_deflev; 1677 else 1678 level = esp_trans_deflev; 1679 break; 1680 case IPPROTO_AH: 1681 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1682 level = ah_net_deflev; 1683 else 1684 level = ah_trans_deflev; 1685 case IPPROTO_IPCOMP: 1686 /* 1687 * we don't really care, as IPcomp document says that 1688 * we shouldn't compress small packets 1689 */ 1690 level = IPSEC_LEVEL_USE; 1691 break; 1692 case IPPROTO_IPV4: 1693 case IPPROTO_IPV6: 1694 /* should never go into here */ 1695 level = IPSEC_LEVEL_REQUIRE; 1696 break; 1697 default: 1698 panic("ipsec_get_reqlevel: " 1699 "Illegal protocol defined %u\n", 1700 isr->saidx.proto); 1701 } 1702 break; 1703 1704 case IPSEC_LEVEL_USE: 1705 case IPSEC_LEVEL_REQUIRE: 1706 level = isr->level; 1707 break; 1708 case IPSEC_LEVEL_UNIQUE: 1709 level = IPSEC_LEVEL_REQUIRE; 1710 break; 1711 1712 default: 1713 panic("ipsec_get_reqlevel: Illegal IPsec level %u", 1714 isr->level); 1715 } 1716 1717 return level; 1718 } 1719 1720 /* 1721 * Check AH/ESP integrity. 1722 * OUT: 1723 * 0: valid 1724 * 1: invalid 1725 */ 1726 static int 1727 ipsec_in_reject(sp, m) 1728 struct secpolicy *sp; 1729 struct mbuf *m; 1730 { 1731 struct ipsecrequest *isr; 1732 u_int level; 1733 int need_auth, need_conf, need_icv; 1734 1735 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1736 printf("ipsec_in_reject: using SP\n"); 1737 kdebug_secpolicy(sp)); 1738 1739 /* check policy */ 1740 switch (sp->policy) { 1741 case IPSEC_POLICY_DISCARD: 1742 return 1; 1743 case IPSEC_POLICY_BYPASS: 1744 case IPSEC_POLICY_NONE: 1745 return 0; 1746 1747 case IPSEC_POLICY_IPSEC: 1748 break; 1749 1750 case IPSEC_POLICY_ENTRUST: 1751 default: 1752 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy); 1753 } 1754 1755 need_auth = 0; 1756 need_conf = 0; 1757 need_icv = 0; 1758 1759 /* XXX should compare policy against ipsec header history */ 1760 1761 for (isr = sp->req; isr != NULL; isr = isr->next) { 1762 /* get current level */ 1763 level = ipsec_get_reqlevel(isr, AF_INET); 1764 1765 switch (isr->saidx.proto) { 1766 case IPPROTO_ESP: 1767 if (level == IPSEC_LEVEL_REQUIRE) { 1768 need_conf++; 1769 1770 if (isr->sav != NULL 1771 && isr->sav->flags == SADB_X_EXT_NONE 1772 && isr->sav->alg_auth != SADB_AALG_NONE) 1773 need_icv++; 1774 } 1775 break; 1776 case IPPROTO_AH: 1777 if (level == IPSEC_LEVEL_REQUIRE) { 1778 need_auth++; 1779 need_icv++; 1780 } 1781 break; 1782 case IPPROTO_IPCOMP: 1783 /* 1784 * we don't really care, as IPcomp document says that 1785 * we shouldn't compress small packets, IPComp policy 1786 * should always be treated as being in "use" level. 1787 */ 1788 break; 1789 case IPPROTO_IPV4: 1790 case IPPROTO_IPV6: 1791 /* 1792 * XXX what shall we do, until introducing more complex 1793 * policy checking code? 1794 */ 1795 break; 1796 } 1797 } 1798 1799 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1800 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n", 1801 need_auth, need_conf, need_icv, m->m_flags)); 1802 1803 if ((need_conf && !(m->m_flags & M_DECRYPTED)) 1804 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM)) 1805 || (need_auth && !(m->m_flags & M_AUTHIPHDR))) 1806 return 1; 1807 1808 return 0; 1809 } 1810 1811 /* 1812 * Check AH/ESP integrity. 1813 * This function is called from tcp_input(), udp_input(), 1814 * and {ah,esp}4_input for tunnel mode 1815 */ 1816 int 1817 ipsec4_in_reject_so(m, so) 1818 struct mbuf *m; 1819 struct socket *so; 1820 { 1821 struct secpolicy *sp = NULL; 1822 int error; 1823 int result; 1824 1825 /* sanity check */ 1826 if (m == NULL) 1827 return 0; /* XXX should be panic ? */ 1828 1829 /* get SP for this packet. 1830 * When we are called from ip_forward(), we call 1831 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 1832 */ 1833 if (so == NULL) 1834 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 1835 IP_FORWARDING, &error); 1836 else 1837 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error); 1838 1839 /* XXX should be panic ? -> No, there may be error. */ 1840 if (sp == NULL) 1841 return 0; 1842 1843 result = ipsec_in_reject(sp, m); 1844 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1845 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp)); 1846 key_freesp(sp); 1847 1848 return result; 1849 } 1850 1851 int 1852 ipsec4_in_reject(m, inp) 1853 struct mbuf *m; 1854 struct inpcb *inp; 1855 { 1856 if (inp == NULL) 1857 return ipsec4_in_reject_so(m, NULL); 1858 if (inp->inp_socket) 1859 return ipsec4_in_reject_so(m, inp->inp_socket); 1860 else 1861 panic("ipsec4_in_reject: invalid inpcb/socket"); 1862 } 1863 1864 #ifdef INET6 1865 /* 1866 * Check AH/ESP integrity. 1867 * This function is called from tcp6_input(), udp6_input(), 1868 * and {ah,esp}6_input for tunnel mode 1869 */ 1870 int 1871 ipsec6_in_reject_so(m, so) 1872 struct mbuf *m; 1873 struct socket *so; 1874 { 1875 struct secpolicy *sp = NULL; 1876 int error; 1877 int result; 1878 1879 /* sanity check */ 1880 if (m == NULL) 1881 return 0; /* XXX should be panic ? */ 1882 1883 /* get SP for this packet. 1884 * When we are called from ip_forward(), we call 1885 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. 1886 */ 1887 if (so == NULL) 1888 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 1889 IP_FORWARDING, &error); 1890 else 1891 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error); 1892 1893 if (sp == NULL) 1894 return 0; /* XXX should be panic ? */ 1895 1896 result = ipsec_in_reject(sp, m); 1897 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1898 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp)); 1899 key_freesp(sp); 1900 1901 return result; 1902 } 1903 1904 int 1905 ipsec6_in_reject(m, in6p) 1906 struct mbuf *m; 1907 struct in6pcb *in6p; 1908 { 1909 if (in6p == NULL) 1910 return ipsec6_in_reject_so(m, NULL); 1911 if (in6p->in6p_socket) 1912 return ipsec6_in_reject_so(m, in6p->in6p_socket); 1913 else 1914 panic("ipsec6_in_reject: invalid in6p/socket"); 1915 } 1916 #endif 1917 1918 /* 1919 * compute the byte size to be occupied by IPsec header. 1920 * in case it is tunneled, it includes the size of outer IP header. 1921 * NOTE: SP passed is free in this function. 1922 */ 1923 static size_t 1924 ipsec_hdrsiz(sp) 1925 struct secpolicy *sp; 1926 { 1927 struct ipsecrequest *isr; 1928 size_t siz, clen; 1929 1930 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1931 printf("ipsec_hdrsiz: using SP\n"); 1932 kdebug_secpolicy(sp)); 1933 1934 /* check policy */ 1935 switch (sp->policy) { 1936 case IPSEC_POLICY_DISCARD: 1937 case IPSEC_POLICY_BYPASS: 1938 case IPSEC_POLICY_NONE: 1939 return 0; 1940 1941 case IPSEC_POLICY_IPSEC: 1942 break; 1943 1944 case IPSEC_POLICY_ENTRUST: 1945 default: 1946 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy); 1947 } 1948 1949 siz = 0; 1950 1951 for (isr = sp->req; isr != NULL; isr = isr->next) { 1952 1953 clen = 0; 1954 1955 switch (isr->saidx.proto) { 1956 case IPPROTO_ESP: 1957 #ifdef IPSEC_ESP 1958 clen = esp_hdrsiz(isr); 1959 #else 1960 clen = 0; /* XXX */ 1961 #endif 1962 break; 1963 case IPPROTO_AH: 1964 clen = ah_hdrsiz(isr); 1965 break; 1966 case IPPROTO_IPCOMP: 1967 clen = sizeof(struct ipcomp); 1968 break; 1969 case IPPROTO_IPV4: 1970 case IPPROTO_IPV6: 1971 /* the next "if" clause will compute it */ 1972 clen = 0; 1973 break; 1974 } 1975 1976 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 1977 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) { 1978 case AF_INET: 1979 clen += sizeof(struct ip); 1980 break; 1981 #ifdef INET6 1982 case AF_INET6: 1983 clen += sizeof(struct ip6_hdr); 1984 break; 1985 #endif 1986 default: 1987 ipseclog((LOG_ERR, "ipsec_hdrsiz: " 1988 "unknown AF %d in IPsec tunnel SA\n", 1989 ((struct sockaddr *)&isr->saidx.dst)->sa_family)); 1990 break; 1991 } 1992 } 1993 siz += clen; 1994 } 1995 1996 return siz; 1997 } 1998 1999 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ 2000 size_t 2001 ipsec4_hdrsiz(m, dir, inp) 2002 struct mbuf *m; 2003 u_int dir; 2004 struct inpcb *inp; 2005 { 2006 struct secpolicy *sp = NULL; 2007 int error; 2008 size_t size; 2009 2010 /* sanity check */ 2011 if (m == NULL) 2012 return 0; /* XXX should be panic ? */ 2013 if (inp != NULL && inp->inp_socket == NULL) 2014 panic("ipsec4_hdrsize: why is socket NULL but there is PCB."); 2015 2016 /* get SP for this packet. 2017 * When we are called from ip_forward(), we call 2018 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 2019 */ 2020 if (inp == NULL) 2021 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2022 else 2023 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error); 2024 2025 if (sp == NULL) 2026 return 0; /* XXX should be panic ? */ 2027 2028 size = ipsec_hdrsiz(sp); 2029 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2030 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp)); 2031 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2032 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size)); 2033 key_freesp(sp); 2034 2035 return size; 2036 } 2037 2038 #ifdef INET6 2039 /* This function is called from ipsec6_hdrsize_tcp(), 2040 * and maybe from ip6_forward.() 2041 */ 2042 size_t 2043 ipsec6_hdrsiz(m, dir, in6p) 2044 struct mbuf *m; 2045 u_int dir; 2046 struct in6pcb *in6p; 2047 { 2048 struct secpolicy *sp = NULL; 2049 int error; 2050 size_t size; 2051 2052 /* sanity check */ 2053 if (m == NULL) 2054 return 0; /* XXX should be panic ? */ 2055 if (in6p != NULL && in6p->in6p_socket == NULL) 2056 panic("ipsec6_hdrsize: why is socket NULL but there is PCB."); 2057 2058 /* get SP for this packet */ 2059 /* XXX Is it right to call with IP_FORWARDING. */ 2060 if (in6p == NULL) 2061 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2062 else 2063 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error); 2064 2065 if (sp == NULL) 2066 return 0; 2067 size = ipsec_hdrsiz(sp); 2068 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2069 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp)); 2070 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2071 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size)); 2072 key_freesp(sp); 2073 2074 return size; 2075 } 2076 #endif /* INET6 */ 2077 2078 #ifdef INET 2079 /* 2080 * encapsulate for ipsec tunnel. 2081 * ip->ip_src must be fixed later on. 2082 */ 2083 static int 2084 ipsec4_encapsulate(m, sav) 2085 struct mbuf *m; 2086 struct secasvar *sav; 2087 { 2088 struct ip *oip; 2089 struct ip *ip; 2090 size_t hlen; 2091 size_t plen; 2092 2093 /* can't tunnel between different AFs */ 2094 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2095 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2096 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2097 m_freem(m); 2098 return EINVAL; 2099 } 2100 #if 0 2101 /* XXX if the dst is myself, perform nothing. */ 2102 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2103 m_freem(m); 2104 return EINVAL; 2105 } 2106 #endif 2107 2108 if (m->m_len < sizeof(*ip)) 2109 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2110 2111 ip = mtod(m, struct ip *); 2112 hlen = ip->ip_hl << 2; 2113 2114 if (m->m_len != hlen) 2115 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2116 2117 /* generate header checksum */ 2118 ip->ip_sum = 0; 2119 ip->ip_sum = in_cksum(m, hlen); 2120 2121 plen = m->m_pkthdr.len; 2122 2123 /* 2124 * grow the mbuf to accomodate the new IPv4 header. 2125 * NOTE: IPv4 options will never be copied. 2126 */ 2127 if (M_LEADINGSPACE(m->m_next) < hlen) { 2128 struct mbuf *n; 2129 MGET(n, M_DONTWAIT, MT_DATA); 2130 if (!n) { 2131 m_freem(m); 2132 return ENOBUFS; 2133 } 2134 n->m_len = hlen; 2135 n->m_next = m->m_next; 2136 m->m_next = n; 2137 } else { 2138 m->m_next->m_len += hlen; 2139 m->m_next->m_data -= hlen; 2140 } 2141 oip = mtod(m->m_next, struct ip *); 2142 m->m_pkthdr.len += hlen; 2143 ip = mtod(m, struct ip *); 2144 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen); 2145 m->m_len = sizeof(struct ip); 2146 m->m_pkthdr.len -= (hlen - sizeof(struct ip)); 2147 2148 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2149 /* ECN consideration. */ 2150 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2151 ip->ip_hl = sizeof(struct ip) >> 2; 2152 ip->ip_off &= htons(~IP_OFFMASK); 2153 ip->ip_off &= htons(~IP_MF); 2154 switch (ip4_ipsec_dfbit) { 2155 case 0: /* clear DF bit */ 2156 ip->ip_off &= htons(~IP_DF); 2157 break; 2158 case 1: /* set DF bit */ 2159 ip->ip_off |= htons(IP_DF); 2160 break; 2161 default: /* copy DF bit */ 2162 break; 2163 } 2164 ip->ip_p = IPPROTO_IPIP; 2165 if (plen + sizeof(struct ip) < IP_MAXPACKET) 2166 ip->ip_len = htons(plen + sizeof(struct ip)); 2167 else { 2168 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2169 "leave ip_len as is (invalid packet)\n")); 2170 } 2171 ip->ip_id = ip_newid(); 2172 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2173 &ip->ip_src, sizeof(ip->ip_src)); 2174 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2175 &ip->ip_dst, sizeof(ip->ip_dst)); 2176 ip->ip_ttl = IPDEFTTL; 2177 2178 /* XXX Should ip_src be updated later ? */ 2179 2180 return 0; 2181 } 2182 #endif /* INET */ 2183 2184 #ifdef INET6 2185 static int 2186 ipsec6_encapsulate(m, sav) 2187 struct mbuf *m; 2188 struct secasvar *sav; 2189 { 2190 struct ip6_hdr *oip6; 2191 struct ip6_hdr *ip6; 2192 size_t plen; 2193 2194 /* can't tunnel between different AFs */ 2195 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2196 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2197 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { 2198 m_freem(m); 2199 return EINVAL; 2200 } 2201 #if 0 2202 /* XXX if the dst is myself, perform nothing. */ 2203 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2204 m_freem(m); 2205 return EINVAL; 2206 } 2207 #endif 2208 2209 plen = m->m_pkthdr.len; 2210 2211 /* 2212 * grow the mbuf to accomodate the new IPv6 header. 2213 */ 2214 if (m->m_len != sizeof(struct ip6_hdr)) 2215 panic("ipsec6_encapsulate: assumption failed (first mbuf length)"); 2216 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { 2217 struct mbuf *n; 2218 MGET(n, M_DONTWAIT, MT_DATA); 2219 if (!n) { 2220 m_freem(m); 2221 return ENOBUFS; 2222 } 2223 n->m_len = sizeof(struct ip6_hdr); 2224 n->m_next = m->m_next; 2225 m->m_next = n; 2226 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2227 oip6 = mtod(n, struct ip6_hdr *); 2228 } else { 2229 m->m_next->m_len += sizeof(struct ip6_hdr); 2230 m->m_next->m_data -= sizeof(struct ip6_hdr); 2231 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2232 oip6 = mtod(m->m_next, struct ip6_hdr *); 2233 } 2234 ip6 = mtod(m, struct ip6_hdr *); 2235 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr)); 2236 2237 /* Fake link-local scope-class addresses */ 2238 in6_clearscope(&oip6->ip6_src); 2239 in6_clearscope(&oip6->ip6_dst); 2240 2241 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ 2242 /* ECN consideration. */ 2243 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow); 2244 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) 2245 ip6->ip6_plen = htons(plen); 2246 else { 2247 /* ip6->ip6_plen will be updated in ip6_output() */ 2248 } 2249 ip6->ip6_nxt = IPPROTO_IPV6; 2250 in6_embedscope(&ip6->ip6_src, 2251 (struct sockaddr_in6 *)&sav->sah->saidx.src, NULL, NULL); 2252 in6_embedscope(&ip6->ip6_dst, 2253 (struct sockaddr_in6 *)&sav->sah->saidx.dst, NULL, NULL); 2254 ip6->ip6_hlim = IPV6_DEFHLIM; 2255 2256 /* XXX Should ip6_src be updated later ? */ 2257 2258 return 0; 2259 } 2260 #endif /* INET6 */ 2261 2262 /* 2263 * Check the variable replay window. 2264 * ipsec_chkreplay() performs replay check before ICV verification. 2265 * ipsec_updatereplay() updates replay bitmap. This must be called after 2266 * ICV verification (it also performs replay check, which is usually done 2267 * beforehand). 2268 * 0 (zero) is returned if packet disallowed, 1 if packet permitted. 2269 * 2270 * based on RFC 2401. 2271 * 2272 * XXX need to update for 64bit sequence number - 2401bis 2273 */ 2274 int 2275 ipsec_chkreplay(seq, sav) 2276 u_int32_t seq; 2277 struct secasvar *sav; 2278 { 2279 const struct secreplay *replay; 2280 u_int32_t diff; 2281 int fr; 2282 u_int32_t wsizeb; /* constant: bits of window size */ 2283 int frlast; /* constant: last frame */ 2284 2285 /* sanity check */ 2286 if (sav == NULL) 2287 panic("ipsec_chkreplay: NULL pointer was passed."); 2288 2289 replay = sav->replay; 2290 2291 if (replay->wsize == 0) 2292 return 1; /* no need to check replay. */ 2293 2294 /* constant */ 2295 frlast = replay->wsize - 1; 2296 wsizeb = replay->wsize << 3; 2297 2298 /* sequence number of 0 is invalid */ 2299 if (seq == 0) 2300 return 0; 2301 2302 /* first time is always okay */ 2303 if (replay->count == 0) 2304 return 1; 2305 2306 if (seq > replay->lastseq) { 2307 /* larger sequences are okay */ 2308 return 1; 2309 } else { 2310 /* seq is equal or less than lastseq. */ 2311 diff = replay->lastseq - seq; 2312 2313 /* over range to check, i.e. too old or wrapped */ 2314 if (diff >= wsizeb) 2315 return 0; 2316 2317 fr = frlast - diff / 8; 2318 2319 /* this packet already seen ? */ 2320 if (replay->bitmap[fr] & (1 << (diff % 8))) 2321 return 0; 2322 2323 /* out of order but good */ 2324 return 1; 2325 } 2326 } 2327 2328 /* 2329 * check replay counter whether to update or not. 2330 * OUT: 0: OK 2331 * 1: NG 2332 * XXX need to update for 64bit sequence number - 2401bis 2333 */ 2334 int 2335 ipsec_updatereplay(seq, sav) 2336 u_int32_t seq; 2337 struct secasvar *sav; 2338 { 2339 struct secreplay *replay; 2340 u_int64_t diff; 2341 int fr; 2342 u_int32_t wsizeb; /* constant: bits of window size */ 2343 int frlast; /* constant: last frame */ 2344 2345 /* sanity check */ 2346 if (sav == NULL) 2347 panic("ipsec_chkreplay: NULL pointer was passed."); 2348 2349 replay = sav->replay; 2350 2351 if (replay->wsize == 0) 2352 goto ok; /* no need to check replay. */ 2353 2354 /* constant */ 2355 frlast = replay->wsize - 1; 2356 wsizeb = replay->wsize << 3; 2357 2358 /* sequence number of 0 is invalid */ 2359 if (seq == 0) 2360 return 1; 2361 2362 /* first time */ 2363 if (replay->count == 0) { 2364 replay->lastseq = seq; 2365 bzero(replay->bitmap, replay->wsize); 2366 replay->bitmap[frlast] = 1; 2367 goto ok; 2368 } 2369 2370 if (seq > replay->lastseq) { 2371 /* seq is larger than lastseq. */ 2372 diff = seq - replay->lastseq; 2373 2374 /* new larger sequence number */ 2375 if (diff < wsizeb) { 2376 /* In window */ 2377 /* set bit for this packet */ 2378 vshiftl(replay->bitmap, diff, replay->wsize); 2379 replay->bitmap[frlast] |= 1; 2380 } else { 2381 /* this packet has a "way larger" */ 2382 bzero(replay->bitmap, replay->wsize); 2383 replay->bitmap[frlast] = 1; 2384 } 2385 replay->lastseq = seq; 2386 2387 /* larger is good */ 2388 } else { 2389 /* seq is equal or less than lastseq. */ 2390 diff = replay->lastseq - seq; 2391 2392 /* over range to check, i.e. too old or wrapped */ 2393 if (diff >= wsizeb) 2394 return 1; 2395 2396 fr = frlast - diff / 8; 2397 2398 /* this packet already seen ? */ 2399 if (replay->bitmap[fr] & (1 << (diff % 8))) 2400 return 1; 2401 2402 /* mark as seen */ 2403 replay->bitmap[fr] |= (1 << (diff % 8)); 2404 2405 /* out of order but good */ 2406 } 2407 2408 ok: 2409 if (replay->count == 0xffffffff) { 2410 2411 /* set overflow flag */ 2412 replay->overflow++; 2413 2414 /* don't increment, no more packets accepted */ 2415 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) 2416 return 1; 2417 2418 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n", 2419 replay->overflow, ipsec_logsastr(sav))); 2420 } 2421 2422 replay->count++; 2423 2424 return 0; 2425 } 2426 2427 /* 2428 * shift variable length buffer to left. 2429 * IN: bitmap: pointer to the buffer 2430 * nbit: the number of to shift. 2431 * wsize: buffer size (bytes). 2432 */ 2433 static void 2434 vshiftl(bitmap, nbit, wsize) 2435 unsigned char *bitmap; 2436 int nbit, wsize; 2437 { 2438 int s, j, i; 2439 unsigned char over; 2440 2441 for (j = 0; j < nbit; j += 8) { 2442 s = (nbit - j < 8) ? (nbit - j): 8; 2443 bitmap[0] <<= s; 2444 for (i = 1; i < wsize; i++) { 2445 over = (bitmap[i] >> (8 - s)); 2446 bitmap[i] <<= s; 2447 bitmap[i - 1] |= over; 2448 } 2449 } 2450 2451 return; 2452 } 2453 2454 const char * 2455 ipsec4_logpacketstr(ip, spi) 2456 struct ip *ip; 2457 u_int32_t spi; 2458 { 2459 static char buf[256]; 2460 char *p; 2461 u_int8_t *s, *d; 2462 2463 s = (u_int8_t *)(&ip->ip_src); 2464 d = (u_int8_t *)(&ip->ip_dst); 2465 2466 p = buf; 2467 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2468 while (p && *p) 2469 p++; 2470 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u", 2471 s[0], s[1], s[2], s[3]); 2472 while (p && *p) 2473 p++; 2474 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u", 2475 d[0], d[1], d[2], d[3]); 2476 while (p && *p) 2477 p++; 2478 snprintf(p, sizeof(buf) - (p - buf), ")"); 2479 2480 return buf; 2481 } 2482 2483 #ifdef INET6 2484 const char * 2485 ipsec6_logpacketstr(ip6, spi) 2486 struct ip6_hdr *ip6; 2487 u_int32_t spi; 2488 { 2489 static char buf[256]; 2490 char *p; 2491 2492 p = buf; 2493 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2494 while (p && *p) 2495 p++; 2496 snprintf(p, sizeof(buf) - (p - buf), "src=%s", 2497 ip6_sprintf(&ip6->ip6_src)); 2498 while (p && *p) 2499 p++; 2500 snprintf(p, sizeof(buf) - (p - buf), " dst=%s", 2501 ip6_sprintf(&ip6->ip6_dst)); 2502 while (p && *p) 2503 p++; 2504 snprintf(p, sizeof(buf) - (p - buf), ")"); 2505 2506 return buf; 2507 } 2508 #endif /* INET6 */ 2509 2510 const char * 2511 ipsec_logsastr(sav) 2512 struct secasvar *sav; 2513 { 2514 static char buf[256]; 2515 char *p; 2516 struct secasindex *saidx = &sav->sah->saidx; 2517 2518 /* validity check */ 2519 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2520 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) 2521 panic("ipsec_logsastr: family mismatched."); 2522 2523 p = buf; 2524 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi)); 2525 while (p && *p) 2526 p++; 2527 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) { 2528 u_int8_t *s, *d; 2529 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr; 2530 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr; 2531 snprintf(p, sizeof(buf) - (p - buf), 2532 "src=%d.%d.%d.%d dst=%d.%d.%d.%d", 2533 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]); 2534 } 2535 #ifdef INET6 2536 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) { 2537 snprintf(p, sizeof(buf) - (p - buf), 2538 "src=%s", 2539 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr)); 2540 while (p && *p) 2541 p++; 2542 snprintf(p, sizeof(buf) - (p - buf), 2543 " dst=%s", 2544 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr)); 2545 } 2546 #endif 2547 while (p && *p) 2548 p++; 2549 snprintf(p, sizeof(buf) - (p - buf), ")"); 2550 2551 return buf; 2552 } 2553 2554 void 2555 ipsec_dumpmbuf(m) 2556 struct mbuf *m; 2557 { 2558 int totlen; 2559 int i; 2560 u_char *p; 2561 2562 totlen = 0; 2563 printf("---\n"); 2564 while (m) { 2565 p = mtod(m, u_char *); 2566 for (i = 0; i < m->m_len; i++) { 2567 printf("%02x ", p[i]); 2568 totlen++; 2569 if (totlen % 16 == 0) 2570 printf("\n"); 2571 } 2572 m = m->m_next; 2573 } 2574 if (totlen % 16 != 0) 2575 printf("\n"); 2576 printf("---\n"); 2577 } 2578 2579 #ifdef INET 2580 static int 2581 ipsec4_checksa(isr, state) 2582 struct ipsecrequest *isr; 2583 struct ipsec_output_state *state; 2584 { 2585 struct ip *ip; 2586 struct secasindex saidx; 2587 struct sockaddr_in *sin; 2588 2589 /* make SA index for search proper SA */ 2590 ip = mtod(state->m, struct ip *); 2591 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2592 saidx.mode = isr->saidx.mode; 2593 saidx.reqid = isr->saidx.reqid; 2594 sin = (struct sockaddr_in *)&saidx.src; 2595 if (sin->sin_len == 0) { 2596 bzero(sin, sizeof(*sin)); 2597 sin->sin_len = sizeof(*sin); 2598 sin->sin_family = AF_INET; 2599 sin->sin_port = IPSEC_PORT_ANY; 2600 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr)); 2601 } 2602 sin = (struct sockaddr_in *)&saidx.dst; 2603 if (sin->sin_len == 0) { 2604 bzero(sin, sizeof(*sin)); 2605 sin->sin_len = sizeof(*sin); 2606 sin->sin_family = AF_INET; 2607 sin->sin_port = IPSEC_PORT_ANY; 2608 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr)); 2609 } 2610 2611 return key_checkrequest(isr, &saidx); 2612 } 2613 /* 2614 * IPsec output logic for IPv4. 2615 */ 2616 int 2617 ipsec4_output(state, sp, flags) 2618 struct ipsec_output_state *state; 2619 struct secpolicy *sp; 2620 int flags; 2621 { 2622 struct ip *ip = NULL; 2623 struct ipsecrequest *isr = NULL; 2624 int s; 2625 int error; 2626 struct sockaddr_in *dst4; 2627 2628 if (!state) 2629 panic("state == NULL in ipsec4_output"); 2630 if (!state->m) 2631 panic("state->m == NULL in ipsec4_output"); 2632 if (!state->ro) 2633 panic("state->ro == NULL in ipsec4_output"); 2634 if (!state->dst) 2635 panic("state->dst == NULL in ipsec4_output"); 2636 state->encap = 0; 2637 2638 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2639 printf("ipsec4_output: applyed SP\n"); 2640 kdebug_secpolicy(sp)); 2641 2642 for (isr = sp->req; isr != NULL; isr = isr->next) { 2643 2644 #if 0 /* give up to check restriction of transport mode */ 2645 /* XXX but should be checked somewhere */ 2646 /* 2647 * some of the IPsec operation must be performed only in 2648 * originating case. 2649 */ 2650 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT 2651 && (flags & IP_FORWARDING)) 2652 continue; 2653 #endif 2654 error = ipsec4_checksa(isr, state); 2655 if (error != 0) { 2656 /* 2657 * IPsec processing is required, but no SA found. 2658 * I assume that key_acquire() had been called 2659 * to get/establish the SA. Here I discard 2660 * this packet because it is responsibility for 2661 * upper layer to retransmit the packet. 2662 */ 2663 ipsecstat.out_nosa++; 2664 goto bad; 2665 } 2666 2667 /* validity check */ 2668 if (isr->sav == NULL) { 2669 switch (ipsec_get_reqlevel(isr, AF_INET)) { 2670 case IPSEC_LEVEL_USE: 2671 continue; 2672 case IPSEC_LEVEL_REQUIRE: 2673 if (isr->saidx.proto == AF_INET || 2674 isr->saidx.proto == AF_INET6) 2675 break; 2676 /* must be not reached here. */ 2677 panic("ipsec4_output: no SA found, but required."); 2678 } 2679 } 2680 2681 /* 2682 * If there is no valid SA, we give up to process any 2683 * more. In such a case, the SA's status is changed 2684 * from DYING to DEAD after allocating. If a packet 2685 * send to the receiver by dead SA, the receiver can 2686 * not decode a packet because SA has been dead. 2687 */ 2688 if (isr->sav->state != SADB_SASTATE_MATURE 2689 && isr->sav->state != SADB_SASTATE_DYING) { 2690 ipsecstat.out_nosa++; 2691 error = EINVAL; 2692 goto bad; 2693 } 2694 2695 /* 2696 * There may be the case that SA status will be changed when 2697 * we are refering to one. So calling splsoftnet(). 2698 */ 2699 s = splsoftnet(); 2700 2701 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2702 /* 2703 * build IPsec tunnel. 2704 */ 2705 /* XXX should be processed with other familiy */ 2706 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) { 2707 ipseclog((LOG_ERR, "ipsec4_output: " 2708 "family mismatched between inner and outer spi=%u\n", 2709 (u_int32_t)ntohl(isr->sav->spi))); 2710 splx(s); 2711 error = EAFNOSUPPORT; 2712 goto bad; 2713 } 2714 2715 state->m = ipsec4_splithdr(state->m); 2716 if (!state->m) { 2717 splx(s); 2718 error = ENOMEM; 2719 goto bad; 2720 } 2721 error = ipsec4_encapsulate(state->m, isr->sav); 2722 splx(s); 2723 if (error) { 2724 state->m = NULL; 2725 goto bad; 2726 } 2727 ip = mtod(state->m, struct ip *); 2728 2729 state->ro = &isr->sav->sah->sa_route; 2730 state->dst = (struct sockaddr *)&state->ro->ro_dst; 2731 dst4 = (struct sockaddr_in *)state->dst; 2732 if (state->ro->ro_rt 2733 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 2734 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) { 2735 RTFREE(state->ro->ro_rt); 2736 bzero((caddr_t)state->ro, sizeof (*state->ro)); 2737 } 2738 if (state->ro->ro_rt == 0) { 2739 dst4->sin_family = AF_INET; 2740 dst4->sin_len = sizeof(*dst4); 2741 dst4->sin_addr = ip->ip_dst; 2742 rtalloc(state->ro); 2743 } 2744 if (state->ro->ro_rt == 0) { 2745 ipstat.ips_noroute++; 2746 error = EHOSTUNREACH; 2747 goto bad; 2748 } 2749 2750 /* adjust state->dst if tunnel endpoint is offlink */ 2751 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 2752 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 2753 dst4 = (struct sockaddr_in *)state->dst; 2754 } 2755 2756 state->encap++; 2757 } else 2758 splx(s); 2759 2760 state->m = ipsec4_splithdr(state->m); 2761 if (!state->m) { 2762 error = ENOMEM; 2763 goto bad; 2764 } 2765 switch (isr->saidx.proto) { 2766 case IPPROTO_ESP: 2767 #ifdef IPSEC_ESP 2768 if ((error = esp4_output(state->m, isr)) != 0) { 2769 state->m = NULL; 2770 goto bad; 2771 } 2772 break; 2773 #else 2774 m_freem(state->m); 2775 state->m = NULL; 2776 error = EINVAL; 2777 goto bad; 2778 #endif 2779 case IPPROTO_AH: 2780 if ((error = ah4_output(state->m, isr)) != 0) { 2781 state->m = NULL; 2782 goto bad; 2783 } 2784 break; 2785 case IPPROTO_IPCOMP: 2786 if ((error = ipcomp4_output(state->m, isr)) != 0) { 2787 state->m = NULL; 2788 goto bad; 2789 } 2790 break; 2791 case IPPROTO_IPV4: 2792 break; 2793 case IPPROTO_IPV6: 2794 ipseclog((LOG_ERR, "ipsec4_output: " 2795 "family mismatched between inner and outer " 2796 "header\n")); 2797 error = EAFNOSUPPORT; 2798 goto bad; 2799 default: 2800 ipseclog((LOG_ERR, 2801 "ipsec4_output: unknown ipsec protocol %d\n", 2802 isr->saidx.proto)); 2803 m_freem(state->m); 2804 state->m = NULL; 2805 error = EINVAL; 2806 goto bad; 2807 } 2808 2809 if (state->m == 0) { 2810 error = ENOMEM; 2811 goto bad; 2812 } 2813 ip = mtod(state->m, struct ip *); 2814 } 2815 2816 return 0; 2817 2818 bad: 2819 m_freem(state->m); 2820 state->m = NULL; 2821 return error; 2822 } 2823 #endif 2824 2825 #ifdef INET6 2826 static int 2827 ipsec6_checksa(isr, state, tunnel) 2828 struct ipsecrequest *isr; 2829 struct ipsec_output_state *state; 2830 int tunnel; 2831 { 2832 struct ip6_hdr *ip6; 2833 struct secasindex saidx; 2834 struct sockaddr_in6 *sin6; 2835 2836 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2837 #ifdef DIAGNOSTIC 2838 if (!tunnel) 2839 panic("ipsec6_checksa/inconsistent tunnel attribute"); 2840 #endif 2841 /* When tunnel mode, SA peers must be specified. */ 2842 return key_checkrequest(isr, &isr->saidx); 2843 } 2844 2845 /* make SA index for search proper SA */ 2846 ip6 = mtod(state->m, struct ip6_hdr *); 2847 if (tunnel) { 2848 bzero(&saidx, sizeof(saidx)); 2849 saidx.proto = isr->saidx.proto; 2850 } else 2851 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2852 saidx.mode = isr->saidx.mode; 2853 saidx.reqid = isr->saidx.reqid; 2854 sin6 = (struct sockaddr_in6 *)&saidx.src; 2855 if (sin6->sin6_len == 0 || tunnel) { 2856 bzero(sin6, sizeof(*sin6)); 2857 sin6->sin6_len = sizeof(*sin6); 2858 sin6->sin6_family = AF_INET6; 2859 sin6->sin6_port = IPSEC_PORT_ANY; 2860 in6_recoverscope(sin6, &ip6->ip6_src, NULL); 2861 } 2862 sin6 = (struct sockaddr_in6 *)&saidx.dst; 2863 if (sin6->sin6_len == 0 || tunnel) { 2864 bzero(sin6, sizeof(*sin6)); 2865 sin6->sin6_len = sizeof(*sin6); 2866 sin6->sin6_family = AF_INET6; 2867 sin6->sin6_port = IPSEC_PORT_ANY; 2868 in6_recoverscope(sin6, &ip6->ip6_dst, NULL); 2869 } 2870 2871 return key_checkrequest(isr, &saidx); 2872 } 2873 /* 2874 * IPsec output logic for IPv6, transport mode. 2875 */ 2876 int 2877 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun) 2878 struct ipsec_output_state *state; 2879 u_char *nexthdrp; 2880 struct mbuf *mprev; 2881 struct secpolicy *sp; 2882 int flags; 2883 int *tun; 2884 { 2885 struct ip6_hdr *ip6; 2886 struct ipsecrequest *isr = NULL; 2887 int error = 0; 2888 int plen; 2889 2890 if (!state) 2891 panic("state == NULL in ipsec6_output_trans"); 2892 if (!state->m) 2893 panic("state->m == NULL in ipsec6_output_trans"); 2894 if (!nexthdrp) 2895 panic("nexthdrp == NULL in ipsec6_output_trans"); 2896 if (!mprev) 2897 panic("mprev == NULL in ipsec6_output_trans"); 2898 if (!sp) 2899 panic("sp == NULL in ipsec6_output_trans"); 2900 if (!tun) 2901 panic("tun == NULL in ipsec6_output_trans"); 2902 2903 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2904 printf("ipsec6_output_trans: applyed SP\n"); 2905 kdebug_secpolicy(sp)); 2906 2907 *tun = 0; 2908 for (isr = sp->req; isr; isr = isr->next) { 2909 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2910 /* the rest will be handled by ipsec6_output_tunnel() */ 2911 break; 2912 } 2913 2914 error = ipsec6_checksa(isr, state, 0); 2915 if (error == ENOENT) { 2916 /* 2917 * IPsec processing is required, but no SA found. 2918 * I assume that key_acquire() had been called 2919 * to get/establish the SA. Here I discard 2920 * this packet because it is responsibility for 2921 * upper layer to retransmit the packet. 2922 */ 2923 ipsec6stat.out_nosa++; 2924 2925 /* 2926 * Notify the fact that the packet is discarded 2927 * to ourselves. I believe this is better than 2928 * just silently discarding. (jinmei@kame.net) 2929 * XXX: should we restrict the error to TCP packets? 2930 * XXX: should we directly notify sockets via 2931 * pfctlinputs? 2932 * 2933 * Noone have initialized rcvif until this point, 2934 * so clear it. 2935 */ 2936 if ((state->m->m_flags & M_PKTHDR) != 0) 2937 state->m->m_pkthdr.rcvif = NULL; 2938 icmp6_error(state->m, ICMP6_DST_UNREACH, 2939 ICMP6_DST_UNREACH_ADMIN, 0); 2940 state->m = NULL; /* icmp6_error freed the mbuf */ 2941 goto bad; 2942 } 2943 2944 /* validity check */ 2945 if (isr->sav == NULL) { 2946 switch (ipsec_get_reqlevel(isr, AF_INET6)) { 2947 case IPSEC_LEVEL_USE: 2948 continue; 2949 case IPSEC_LEVEL_REQUIRE: 2950 /* must be not reached here. */ 2951 panic("ipsec6_output_trans: no SA found, but required."); 2952 } 2953 } 2954 2955 /* 2956 * If there is no valid SA, we give up to process. 2957 * see same place at ipsec4_output(). 2958 */ 2959 if (isr->sav->state != SADB_SASTATE_MATURE 2960 && isr->sav->state != SADB_SASTATE_DYING) { 2961 ipsec6stat.out_nosa++; 2962 error = EINVAL; 2963 goto bad; 2964 } 2965 2966 switch (isr->saidx.proto) { 2967 case IPPROTO_ESP: 2968 #ifdef IPSEC_ESP 2969 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr); 2970 #else 2971 m_freem(state->m); 2972 error = EINVAL; 2973 #endif 2974 break; 2975 case IPPROTO_AH: 2976 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr); 2977 break; 2978 case IPPROTO_IPCOMP: 2979 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr); 2980 break; 2981 default: 2982 ipseclog((LOG_ERR, "ipsec6_output_trans: " 2983 "unknown ipsec protocol %d\n", isr->saidx.proto)); 2984 m_freem(state->m); 2985 ipsec6stat.out_inval++; 2986 error = EINVAL; 2987 break; 2988 } 2989 if (error) { 2990 state->m = NULL; 2991 goto bad; 2992 } 2993 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 2994 if (plen > IPV6_MAXPACKET) { 2995 ipseclog((LOG_ERR, "ipsec6_output_trans: " 2996 "IPsec with IPv6 jumbogram is not supported\n")); 2997 ipsec6stat.out_inval++; 2998 error = EINVAL; /* XXX */ 2999 goto bad; 3000 } 3001 ip6 = mtod(state->m, struct ip6_hdr *); 3002 ip6->ip6_plen = htons(plen); 3003 } 3004 3005 /* if we have more to go, we need a tunnel mode processing */ 3006 if (isr != NULL) 3007 *tun = 1; 3008 3009 return 0; 3010 3011 bad: 3012 m_freem(state->m); 3013 state->m = NULL; 3014 return error; 3015 } 3016 3017 /* 3018 * IPsec output logic for IPv6, tunnel mode. 3019 */ 3020 int 3021 ipsec6_output_tunnel(state, sp, flags) 3022 struct ipsec_output_state *state; 3023 struct secpolicy *sp; 3024 int flags; 3025 { 3026 struct ip6_hdr *ip6; 3027 struct ipsecrequest *isr = NULL; 3028 int error = 0; 3029 int plen; 3030 struct sockaddr_in6* dst6; 3031 int s; 3032 3033 if (!state) 3034 panic("state == NULL in ipsec6_output_tunnel"); 3035 if (!state->m) 3036 panic("state->m == NULL in ipsec6_output_tunnel"); 3037 if (!sp) 3038 panic("sp == NULL in ipsec6_output_tunnel"); 3039 3040 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3041 printf("ipsec6_output_tunnel: applyed SP\n"); 3042 kdebug_secpolicy(sp)); 3043 3044 /* 3045 * transport mode ipsec (before the 1st tunnel mode) is already 3046 * processed by ipsec6_output_trans(). 3047 */ 3048 for (isr = sp->req; isr; isr = isr->next) { 3049 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 3050 break; 3051 } 3052 3053 for (/* already initialized */; isr; isr = isr->next) { 3054 error = ipsec6_checksa(isr, state, 1); 3055 if (error == ENOENT) { 3056 /* 3057 * IPsec processing is required, but no SA found. 3058 * I assume that key_acquire() had been called 3059 * to get/establish the SA. Here I discard 3060 * this packet because it is responsibility for 3061 * upper layer to retransmit the packet. 3062 */ 3063 ipsec6stat.out_nosa++; 3064 error = ENOENT; 3065 goto bad; 3066 } 3067 3068 /* validity check */ 3069 if (isr->sav == NULL) { 3070 switch (ipsec_get_reqlevel(isr, AF_INET6)) { 3071 case IPSEC_LEVEL_USE: 3072 continue; 3073 case IPSEC_LEVEL_REQUIRE: 3074 /* must be not reached here. */ 3075 panic("ipsec6_output_tunnel: no SA found, but required."); 3076 } 3077 } 3078 3079 /* 3080 * If there is no valid SA, we give up to process. 3081 * see same place at ipsec4_output(). 3082 */ 3083 if (isr->sav->state != SADB_SASTATE_MATURE 3084 && isr->sav->state != SADB_SASTATE_DYING) { 3085 ipsec6stat.out_nosa++; 3086 error = EINVAL; 3087 goto bad; 3088 } 3089 3090 /* 3091 * There may be the case that SA status will be changed when 3092 * we are refering to one. So calling splsoftnet(). 3093 */ 3094 s = splsoftnet(); 3095 3096 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3097 /* 3098 * build IPsec tunnel. 3099 */ 3100 /* XXX should be processed with other familiy */ 3101 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) { 3102 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3103 "family mismatched between inner and outer, spi=%u\n", 3104 (u_int32_t)ntohl(isr->sav->spi))); 3105 splx(s); 3106 ipsec6stat.out_inval++; 3107 error = EAFNOSUPPORT; 3108 goto bad; 3109 } 3110 3111 state->m = ipsec6_splithdr(state->m); 3112 if (!state->m) { 3113 splx(s); 3114 ipsec6stat.out_nomem++; 3115 error = ENOMEM; 3116 goto bad; 3117 } 3118 error = ipsec6_encapsulate(state->m, isr->sav); 3119 splx(s); 3120 if (error) { 3121 state->m = 0; 3122 goto bad; 3123 } 3124 ip6 = mtod(state->m, struct ip6_hdr *); 3125 3126 state->ro = &isr->sav->sah->sa_route; 3127 state->dst = (struct sockaddr *)&state->ro->ro_dst; 3128 dst6 = (struct sockaddr_in6 *)state->dst; 3129 if (state->ro->ro_rt 3130 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 3131 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) { 3132 RTFREE(state->ro->ro_rt); 3133 bzero((caddr_t)state->ro, sizeof (*state->ro)); 3134 } 3135 if (state->ro->ro_rt == 0) { 3136 bzero(dst6, sizeof(*dst6)); 3137 dst6->sin6_family = AF_INET6; 3138 dst6->sin6_len = sizeof(*dst6); 3139 dst6->sin6_addr = ip6->ip6_dst; 3140 rtalloc(state->ro); 3141 } 3142 if (state->ro->ro_rt == 0) { 3143 ip6stat.ip6s_noroute++; 3144 ipsec6stat.out_noroute++; 3145 error = EHOSTUNREACH; 3146 goto bad; 3147 } 3148 3149 /* adjust state->dst if tunnel endpoint is offlink */ 3150 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 3151 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 3152 dst6 = (struct sockaddr_in6 *)state->dst; 3153 } 3154 } else 3155 splx(s); 3156 3157 state->m = ipsec6_splithdr(state->m); 3158 if (!state->m) { 3159 ipsec6stat.out_nomem++; 3160 error = ENOMEM; 3161 goto bad; 3162 } 3163 ip6 = mtod(state->m, struct ip6_hdr *); 3164 switch (isr->saidx.proto) { 3165 case IPPROTO_ESP: 3166 #ifdef IPSEC_ESP 3167 error = esp6_output(state->m, &ip6->ip6_nxt, 3168 state->m->m_next, isr); 3169 #else 3170 m_freem(state->m); 3171 error = EINVAL; 3172 #endif 3173 break; 3174 case IPPROTO_AH: 3175 error = ah6_output(state->m, &ip6->ip6_nxt, 3176 state->m->m_next, isr); 3177 break; 3178 case IPPROTO_IPCOMP: 3179 /* XXX code should be here */ 3180 /* FALLTHROUGH */ 3181 default: 3182 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3183 "unknown ipsec protocol %d\n", isr->saidx.proto)); 3184 m_freem(state->m); 3185 ipsec6stat.out_inval++; 3186 error = EINVAL; 3187 break; 3188 } 3189 if (error) { 3190 state->m = NULL; 3191 goto bad; 3192 } 3193 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3194 if (plen > IPV6_MAXPACKET) { 3195 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3196 "IPsec with IPv6 jumbogram is not supported\n")); 3197 ipsec6stat.out_inval++; 3198 error = EINVAL; /* XXX */ 3199 goto bad; 3200 } 3201 ip6 = mtod(state->m, struct ip6_hdr *); 3202 ip6->ip6_plen = htons(plen); 3203 } 3204 3205 return 0; 3206 3207 bad: 3208 m_freem(state->m); 3209 state->m = NULL; 3210 return error; 3211 } 3212 #endif /* INET6 */ 3213 3214 #ifdef INET 3215 /* 3216 * Chop IP header and option off from the payload. 3217 */ 3218 static struct mbuf * 3219 ipsec4_splithdr(m) 3220 struct mbuf *m; 3221 { 3222 struct mbuf *mh; 3223 struct ip *ip; 3224 int hlen; 3225 3226 if (m->m_len < sizeof(struct ip)) 3227 panic("ipsec4_splithdr: first mbuf too short"); 3228 ip = mtod(m, struct ip *); 3229 hlen = ip->ip_hl << 2; 3230 if (m->m_len > hlen) { 3231 MGETHDR(mh, M_DONTWAIT, MT_HEADER); 3232 if (!mh) { 3233 m_freem(m); 3234 return NULL; 3235 } 3236 M_COPY_PKTHDR(mh, m); 3237 MH_ALIGN(mh, hlen); 3238 m_tag_delete_chain(m, NULL); 3239 m->m_flags &= ~M_PKTHDR; 3240 m->m_len -= hlen; 3241 m->m_data += hlen; 3242 mh->m_next = m; 3243 m = mh; 3244 m->m_len = hlen; 3245 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen); 3246 } else if (m->m_len < hlen) { 3247 m = m_pullup(m, hlen); 3248 if (!m) 3249 return NULL; 3250 } 3251 return m; 3252 } 3253 #endif 3254 3255 #ifdef INET6 3256 static struct mbuf * 3257 ipsec6_splithdr(m) 3258 struct mbuf *m; 3259 { 3260 struct mbuf *mh; 3261 struct ip6_hdr *ip6; 3262 int hlen; 3263 3264 if (m->m_len < sizeof(struct ip6_hdr)) 3265 panic("ipsec6_splithdr: first mbuf too short"); 3266 ip6 = mtod(m, struct ip6_hdr *); 3267 hlen = sizeof(struct ip6_hdr); 3268 if (m->m_len > hlen) { 3269 MGETHDR(mh, M_DONTWAIT, MT_HEADER); 3270 if (!mh) { 3271 m_freem(m); 3272 return NULL; 3273 } 3274 M_COPY_PKTHDR(mh, m); 3275 MH_ALIGN(mh, hlen); 3276 m_tag_delete_chain(m, NULL); 3277 m->m_flags &= ~M_PKTHDR; 3278 m->m_len -= hlen; 3279 m->m_data += hlen; 3280 mh->m_next = m; 3281 m = mh; 3282 m->m_len = hlen; 3283 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen); 3284 } else if (m->m_len < hlen) { 3285 m = m_pullup(m, hlen); 3286 if (!m) 3287 return NULL; 3288 } 3289 return m; 3290 } 3291 #endif 3292 3293 /* validate inbound IPsec tunnel packet. */ 3294 int 3295 ipsec4_tunnel_validate(ip, nxt0, sav) 3296 struct ip *ip; 3297 u_int nxt0; 3298 struct secasvar *sav; 3299 { 3300 u_int8_t nxt = nxt0 & 0xff; 3301 struct sockaddr_in *sin; 3302 int hlen; 3303 3304 if (nxt != IPPROTO_IPV4) 3305 return 0; 3306 /* do not decapsulate if the SA is for transport mode only */ 3307 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3308 return 0; 3309 hlen = ip->ip_hl << 2; 3310 if (hlen != sizeof(struct ip)) 3311 return 0; 3312 switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) { 3313 case AF_INET: 3314 sin = (struct sockaddr_in *)&sav->sah->saidx.dst; 3315 if (bcmp(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)) != 0) 3316 return 0; 3317 break; 3318 #ifdef INET6 3319 case AF_INET6: 3320 /* should be supported, but at this moment we don't. */ 3321 /*FALLTHROUGH*/ 3322 #endif 3323 default: 3324 return 0; 3325 } 3326 3327 return 1; 3328 } 3329 3330 #ifdef INET6 3331 /* validate inbound IPsec tunnel packet. */ 3332 int 3333 ipsec6_tunnel_validate(ip6, nxt0, sav) 3334 struct ip6_hdr *ip6; 3335 u_int nxt0; 3336 struct secasvar *sav; 3337 { 3338 u_int8_t nxt = nxt0 & 0xff; 3339 struct sockaddr_in6 *sin6; 3340 struct in6_addr in6; 3341 3342 if (nxt != IPPROTO_IPV6) 3343 return 0; 3344 /* do not decapsulate if the SA is for transport mode only */ 3345 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3346 return 0; 3347 switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) { 3348 case AF_INET6: 3349 sin6 = ((struct sockaddr_in6 *)&sav->sah->saidx.dst); 3350 in6_embedscope(&in6, sin6, NULL, NULL); 3351 if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &in6)) 3352 return 0; 3353 break; 3354 case AF_INET: 3355 /* should be supported, but at this moment we don't. */ 3356 /*FALLTHROUGH*/ 3357 default: 3358 return 0; 3359 } 3360 3361 return 1; 3362 } 3363 #endif 3364 3365 /* 3366 * Make a mbuf chain for encryption. 3367 * If the original mbuf chain contains a mbuf with a cluster, 3368 * allocate a new cluster and copy the data to the new cluster. 3369 * XXX: this hack is inefficient, but is necessary to handle cases 3370 * of TCP retransmission... 3371 */ 3372 struct mbuf * 3373 ipsec_copypkt(m) 3374 struct mbuf *m; 3375 { 3376 struct mbuf *n, **mpp, *mnew; 3377 3378 for (n = m, mpp = &m; n; n = n->m_next) { 3379 if (n->m_flags & M_EXT) { 3380 /* 3381 * Make a copy only if there is more than one 3382 * references to the cluster. 3383 * XXX: is this approach effective? 3384 */ 3385 if (M_READONLY(n)) 3386 { 3387 int remain, copied; 3388 struct mbuf *mm; 3389 3390 if (n->m_flags & M_PKTHDR) { 3391 MGETHDR(mnew, M_DONTWAIT, MT_HEADER); 3392 if (mnew == NULL) 3393 goto fail; 3394 mnew->m_pkthdr = n->m_pkthdr; 3395 #if 0 3396 /* XXX: convert to m_tag or delete? */ 3397 if (n->m_pkthdr.aux) { 3398 mnew->m_pkthdr.aux = 3399 m_copym(n->m_pkthdr.aux, 3400 0, M_COPYALL, M_DONTWAIT); 3401 } 3402 #endif 3403 M_COPY_PKTHDR(mnew, n); 3404 } 3405 else { 3406 MGET(mnew, M_DONTWAIT, MT_DATA); 3407 if (mnew == NULL) 3408 goto fail; 3409 } 3410 mnew->m_len = 0; 3411 mm = mnew; 3412 3413 /* 3414 * Copy data. If we don't have enough space to 3415 * store the whole data, allocate a cluster 3416 * or additional mbufs. 3417 * XXX: we don't use m_copyback(), since the 3418 * function does not use clusters and thus is 3419 * inefficient. 3420 */ 3421 remain = n->m_len; 3422 copied = 0; 3423 while (1) { 3424 int len; 3425 struct mbuf *mn; 3426 3427 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN)) 3428 len = remain; 3429 else { /* allocate a cluster */ 3430 MCLGET(mm, M_DONTWAIT); 3431 if (!(mm->m_flags & M_EXT)) { 3432 m_free(mm); 3433 goto fail; 3434 } 3435 len = remain < MCLBYTES ? 3436 remain : MCLBYTES; 3437 } 3438 3439 bcopy(n->m_data + copied, mm->m_data, 3440 len); 3441 3442 copied += len; 3443 remain -= len; 3444 mm->m_len = len; 3445 3446 if (remain <= 0) /* completed? */ 3447 break; 3448 3449 /* need another mbuf */ 3450 MGETHDR(mn, M_DONTWAIT, MT_HEADER); 3451 if (mn == NULL) 3452 goto fail; 3453 mn->m_pkthdr.rcvif = NULL; 3454 mm->m_next = mn; 3455 mm = mn; 3456 } 3457 3458 /* adjust chain */ 3459 mm->m_next = m_free(n); 3460 n = mm; 3461 *mpp = mnew; 3462 mpp = &n->m_next; 3463 3464 continue; 3465 } 3466 } 3467 *mpp = n; 3468 mpp = &n->m_next; 3469 } 3470 3471 return (m); 3472 fail: 3473 m_freem(m); 3474 return (NULL); 3475 } 3476 3477 static struct m_tag * 3478 ipsec_addaux(m) 3479 struct mbuf *m; 3480 { 3481 struct m_tag *mtag; 3482 3483 mtag = m_tag_find(m, PACKET_TAG_ESP, NULL); 3484 if (mtag == NULL) { 3485 mtag = m_tag_get(PACKET_TAG_ESP, sizeof(struct ipsecaux), 3486 M_NOWAIT); 3487 if (mtag != NULL) 3488 m_tag_prepend(m, mtag); 3489 } 3490 if (mtag == NULL) 3491 return NULL; /* ENOBUFS */ 3492 /* XXX is this necessary? */ 3493 bzero((void *)(mtag + 1), sizeof(struct ipsecaux)); 3494 return mtag; 3495 } 3496 3497 static struct m_tag * 3498 ipsec_findaux(m) 3499 struct mbuf *m; 3500 { 3501 return m_tag_find(m, PACKET_TAG_ESP, NULL); 3502 } 3503 3504 void 3505 ipsec_delaux(m) 3506 struct mbuf *m; 3507 { 3508 struct m_tag *mtag; 3509 3510 mtag = m_tag_find(m, PACKET_TAG_ESP, NULL); 3511 if (mtag != NULL) 3512 m_tag_delete(m, mtag); 3513 } 3514 3515 /* if the aux buffer is unnecessary, nuke it. */ 3516 static void 3517 ipsec_optaux(m, mtag) 3518 struct mbuf *m; 3519 struct m_tag *mtag; 3520 { 3521 struct ipsecaux *aux; 3522 3523 if (mtag == NULL) 3524 return; 3525 aux = (struct ipsecaux *)(mtag + 1); 3526 if (!aux->so && !aux->sp) 3527 ipsec_delaux(m); 3528 } 3529 3530 int 3531 ipsec_addhist(m, proto, spi) 3532 struct mbuf *m; 3533 int proto; 3534 u_int32_t spi; 3535 { 3536 struct m_tag *mtag; 3537 struct ipsecaux *aux; 3538 3539 mtag = ipsec_addaux(m); 3540 if (mtag == NULL) 3541 return ENOBUFS; 3542 aux = (struct ipsecaux *)(mtag + 1); 3543 aux->hdrs++; 3544 return 0; 3545 } 3546 3547 int 3548 ipsec_getnhist(m) 3549 struct mbuf *m; 3550 { 3551 struct m_tag *mtag; 3552 struct ipsecaux *aux; 3553 3554 mtag = ipsec_findaux(m); 3555 if (mtag == NULL) 3556 return 0; 3557 aux = (struct ipsecaux *)(mtag + 1); 3558 return aux->hdrs; 3559 } 3560 3561 struct ipsec_history * 3562 ipsec_gethist(m, lenp) 3563 struct mbuf *m; 3564 int *lenp; 3565 { 3566 3567 panic("ipsec_gethist: obsolete API"); 3568 } 3569 3570 void 3571 ipsec_clearhist(m) 3572 struct mbuf *m; 3573 { 3574 struct m_tag *mtag; 3575 3576 mtag = ipsec_findaux(m); 3577 ipsec_optaux(m, mtag); 3578 } 3579 3580 /* 3581 * System control for IPSEC 3582 */ 3583 u_char ipsecctlermap[PRC_NCMDS] = { 3584 0, 0, 0, 0, 3585 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 3586 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 3587 EMSGSIZE, EHOSTUNREACH, 0, 0, 3588 0, 0, 0, 0, 3589 ENOPROTOOPT 3590 }; 3591 3592 /* 3593 * sysctl helper routine for some net.inet.ipsec and net.inet6.ipnet6 3594 * nodes. ensures that the given value is correct and clears the 3595 * ipsec cache accordingly. 3596 */ 3597 static int 3598 sysctl_ipsec(SYSCTLFN_ARGS) 3599 { 3600 int error, t; 3601 struct sysctlnode node; 3602 3603 node = *rnode; 3604 if (rnode->sysctl_num == IPSECCTL_DEF_POLICY) 3605 t = (*((struct secpolicy**)rnode->sysctl_data))->policy; 3606 else 3607 t = *(int*)rnode->sysctl_data; 3608 node.sysctl_data = &t; 3609 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 3610 if (error || newp == NULL) 3611 return (error); 3612 3613 switch (rnode->sysctl_num) { 3614 case IPSECCTL_DEF_ESP_TRANSLEV: 3615 case IPSECCTL_DEF_ESP_NETLEV: 3616 case IPSECCTL_DEF_AH_TRANSLEV: 3617 case IPSECCTL_DEF_AH_NETLEV: 3618 if (t != IPSEC_LEVEL_USE && 3619 t != IPSEC_LEVEL_REQUIRE) 3620 return (EINVAL); 3621 ipsec_invalpcbcacheall(); 3622 break; 3623 case IPSECCTL_DEF_POLICY: 3624 if (t != IPSEC_POLICY_DISCARD && 3625 t != IPSEC_POLICY_NONE) 3626 return (EINVAL); 3627 ipsec_invalpcbcacheall(); 3628 break; 3629 default: 3630 return (EINVAL); 3631 } 3632 3633 if (rnode->sysctl_num == IPSECCTL_DEF_POLICY) 3634 (*((struct secpolicy**)rnode->sysctl_data))->policy = t; 3635 else 3636 *(int*)rnode->sysctl_data = t; 3637 3638 return (0); 3639 } 3640 3641 SYSCTL_SETUP(sysctl_net_inet_ipsec_setup, "sysctl net.inet.ipsec subtree setup") 3642 { 3643 3644 sysctl_createv(clog, 0, NULL, NULL, 3645 CTLFLAG_PERMANENT, 3646 CTLTYPE_NODE, "net", NULL, 3647 NULL, 0, NULL, 0, 3648 CTL_NET, CTL_EOL); 3649 sysctl_createv(clog, 0, NULL, NULL, 3650 CTLFLAG_PERMANENT, 3651 CTLTYPE_NODE, "inet", NULL, 3652 NULL, 0, NULL, 0, 3653 CTL_NET, PF_INET, CTL_EOL); 3654 sysctl_createv(clog, 0, NULL, NULL, 3655 CTLFLAG_PERMANENT, 3656 CTLTYPE_NODE, "ipsec", 3657 SYSCTL_DESCR("IPv4 related IPSec settings"), 3658 NULL, 0, NULL, 0, 3659 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 3660 3661 sysctl_createv(clog, 0, NULL, NULL, 3662 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3663 CTLTYPE_STRUCT, "stats", 3664 SYSCTL_DESCR("IPSec statistics and counters"), 3665 NULL, 0, &ipsecstat, sizeof(ipsecstat), 3666 CTL_NET, PF_INET, IPPROTO_AH, 3667 IPSECCTL_STATS, CTL_EOL); 3668 sysctl_createv(clog, 0, NULL, NULL, 3669 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3670 CTLTYPE_INT, "def_policy", 3671 SYSCTL_DESCR("Default action for non-IPSec packets"), 3672 sysctl_ipsec, 0, &ip4_def_policy, 0, 3673 CTL_NET, PF_INET, IPPROTO_AH, 3674 IPSECCTL_DEF_POLICY, CTL_EOL); 3675 sysctl_createv(clog, 0, NULL, NULL, 3676 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3677 CTLTYPE_INT, "esp_trans_deflev", 3678 SYSCTL_DESCR("Default required security level for " 3679 "transport mode traffic"), 3680 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 3681 CTL_NET, PF_INET, IPPROTO_AH, 3682 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 3683 sysctl_createv(clog, 0, NULL, NULL, 3684 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3685 CTLTYPE_INT, "esp_net_deflev", 3686 SYSCTL_DESCR("Default required security level for " 3687 "tunneled traffic"), 3688 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 3689 CTL_NET, PF_INET, IPPROTO_AH, 3690 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 3691 sysctl_createv(clog, 0, NULL, NULL, 3692 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3693 CTLTYPE_INT, "ah_trans_deflev", 3694 SYSCTL_DESCR("Default required security level for " 3695 "transport mode headers"), 3696 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 3697 CTL_NET, PF_INET, IPPROTO_AH, 3698 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 3699 sysctl_createv(clog, 0, NULL, NULL, 3700 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3701 CTLTYPE_INT, "ah_net_deflev", 3702 SYSCTL_DESCR("Default required security level for " 3703 "tunneled headers"), 3704 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 3705 CTL_NET, PF_INET, IPPROTO_AH, 3706 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 3707 #if 0 /* obsolete, do not reuse */ 3708 sysctl_createv(clog, 0, NULL, NULL, 3709 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3710 CTLTYPE_INT, "inbound_call_ike", NULL, 3711 NULL, 0, &ip4_inbound_call_ike, 0, 3712 CTL_NET, PF_INET, IPPROTO_AH, 3713 IPSECCTL_INBOUND_CALL_IKE, CTL_EOL); 3714 #endif 3715 sysctl_createv(clog, 0, NULL, NULL, 3716 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3717 CTLTYPE_INT, "ah_cleartos", 3718 SYSCTL_DESCR("Clear IP TOS field before calculating AH"), 3719 NULL, 0, &ip4_ah_cleartos, 0, 3720 CTL_NET, PF_INET, IPPROTO_AH, 3721 IPSECCTL_AH_CLEARTOS, CTL_EOL); 3722 sysctl_createv(clog, 0, NULL, NULL, 3723 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3724 CTLTYPE_INT, "ah_offsetmask", 3725 SYSCTL_DESCR("Mask for IP fragment offset field when " 3726 "calculating AH"), 3727 NULL, 0, &ip4_ah_offsetmask, 0, 3728 CTL_NET, PF_INET, IPPROTO_AH, 3729 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 3730 sysctl_createv(clog, 0, NULL, NULL, 3731 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3732 CTLTYPE_INT, "dfbit", 3733 SYSCTL_DESCR("IP header DF bit setting for tunneled " 3734 "traffic"), 3735 NULL, 0, &ip4_ipsec_dfbit, 0, 3736 CTL_NET, PF_INET, IPPROTO_AH, 3737 IPSECCTL_DFBIT, CTL_EOL); 3738 sysctl_createv(clog, 0, NULL, NULL, 3739 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3740 CTLTYPE_INT, "ecn", 3741 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 3742 NULL, 0, &ip4_ipsec_ecn, 0, 3743 CTL_NET, PF_INET, IPPROTO_AH, 3744 IPSECCTL_ECN, CTL_EOL); 3745 sysctl_createv(clog, 0, NULL, NULL, 3746 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3747 CTLTYPE_INT, "debug", 3748 SYSCTL_DESCR("Enable IPSec debugging output"), 3749 NULL, 0, &ipsec_debug, 0, 3750 CTL_NET, PF_INET, IPPROTO_AH, 3751 IPSECCTL_DEBUG, CTL_EOL); 3752 3753 /* 3754 * "aliases" for the ipsec subtree 3755 */ 3756 sysctl_createv(clog, 0, NULL, NULL, 3757 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 3758 CTLTYPE_NODE, "esp", NULL, 3759 NULL, IPPROTO_AH, NULL, 0, 3760 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 3761 sysctl_createv(clog, 0, NULL, NULL, 3762 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 3763 CTLTYPE_NODE, "ipcomp", NULL, 3764 NULL, IPPROTO_AH, NULL, 0, 3765 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 3766 sysctl_createv(clog, 0, NULL, NULL, 3767 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 3768 CTLTYPE_NODE, "ah", NULL, 3769 NULL, IPPROTO_AH, NULL, 0, 3770 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 3771 } 3772 3773 #ifdef INET6 3774 /* 3775 * System control for IPSEC6 3776 */ 3777 u_char ipsec6ctlermap[PRC_NCMDS] = { 3778 0, 0, 0, 0, 3779 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 3780 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 3781 EMSGSIZE, EHOSTUNREACH, 0, 0, 3782 0, 0, 0, 0, 3783 ENOPROTOOPT 3784 }; 3785 3786 SYSCTL_SETUP(sysctl_net_inet6_ipsec6_setup, 3787 "sysctl net.inet6.ipsec6 subtree setup") 3788 { 3789 3790 sysctl_createv(clog, 0, NULL, NULL, 3791 CTLFLAG_PERMANENT, 3792 CTLTYPE_NODE, "net", NULL, 3793 NULL, 0, NULL, 0, 3794 CTL_NET, CTL_EOL); 3795 sysctl_createv(clog, 0, NULL, NULL, 3796 CTLFLAG_PERMANENT, 3797 CTLTYPE_NODE, "inet6", NULL, 3798 NULL, 0, NULL, 0, 3799 CTL_NET, PF_INET6, CTL_EOL); 3800 sysctl_createv(clog, 0, NULL, NULL, 3801 CTLFLAG_PERMANENT, 3802 CTLTYPE_NODE, "ipsec6", 3803 SYSCTL_DESCR("IPv6 related IPSec settings"), 3804 NULL, 0, NULL, 0, 3805 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 3806 3807 sysctl_createv(clog, 0, NULL, NULL, 3808 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3809 CTLTYPE_STRUCT, "stats", 3810 SYSCTL_DESCR("IPSec statistics and counters"), 3811 NULL, 0, &ipsec6stat, sizeof(ipsec6stat), 3812 CTL_NET, PF_INET6, IPPROTO_AH, 3813 IPSECCTL_STATS, CTL_EOL); 3814 sysctl_createv(clog, 0, NULL, NULL, 3815 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3816 CTLTYPE_INT, "def_policy", 3817 SYSCTL_DESCR("Default action for non-IPSec packets"), 3818 sysctl_ipsec, 0, &ip6_def_policy, 0, 3819 CTL_NET, PF_INET6, IPPROTO_AH, 3820 IPSECCTL_DEF_POLICY, CTL_EOL); 3821 sysctl_createv(clog, 0, NULL, NULL, 3822 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3823 CTLTYPE_INT, "esp_trans_deflev", 3824 SYSCTL_DESCR("Default required security level for " 3825 "transport mode traffic"), 3826 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0, 3827 CTL_NET, PF_INET6, IPPROTO_AH, 3828 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 3829 sysctl_createv(clog, 0, NULL, NULL, 3830 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3831 CTLTYPE_INT, "esp_net_deflev", 3832 SYSCTL_DESCR("Default required security level for " 3833 "tunneled traffic"), 3834 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0, 3835 CTL_NET, PF_INET6, IPPROTO_AH, 3836 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 3837 sysctl_createv(clog, 0, NULL, NULL, 3838 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3839 CTLTYPE_INT, "ah_trans_deflev", 3840 SYSCTL_DESCR("Default required security level for " 3841 "transport mode headers"), 3842 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0, 3843 CTL_NET, PF_INET6, IPPROTO_AH, 3844 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 3845 sysctl_createv(clog, 0, NULL, NULL, 3846 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3847 CTLTYPE_INT, "ah_net_deflev", 3848 SYSCTL_DESCR("Default required security level for " 3849 "tunneled headers"), 3850 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0, 3851 CTL_NET, PF_INET6, IPPROTO_AH, 3852 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 3853 sysctl_createv(clog, 0, NULL, NULL, 3854 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3855 CTLTYPE_INT, "ecn", 3856 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 3857 NULL, 0, &ip6_ipsec_ecn, 0, 3858 CTL_NET, PF_INET6, IPPROTO_AH, 3859 IPSECCTL_ECN, CTL_EOL); 3860 sysctl_createv(clog, 0, NULL, NULL, 3861 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3862 CTLTYPE_INT, "debug", 3863 SYSCTL_DESCR("Enable IPSec debugging output"), 3864 NULL, 0, &ipsec_debug, 0, 3865 CTL_NET, PF_INET6, IPPROTO_AH, 3866 IPSECCTL_DEBUG, CTL_EOL); 3867 3868 /* 3869 * "aliases" for the ipsec6 subtree 3870 */ 3871 sysctl_createv(clog, 0, NULL, NULL, 3872 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 3873 CTLTYPE_NODE, "esp6", NULL, 3874 NULL, IPPROTO_AH, NULL, 0, 3875 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL); 3876 sysctl_createv(clog, 0, NULL, NULL, 3877 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 3878 CTLTYPE_NODE, "ipcomp6", NULL, 3879 NULL, IPPROTO_AH, NULL, 0, 3880 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL); 3881 sysctl_createv(clog, 0, NULL, NULL, 3882 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 3883 CTLTYPE_NODE, "ah6", NULL, 3884 NULL, IPPROTO_AH, NULL, 0, 3885 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL); 3886 } 3887 #endif /* INET6 */
Cache object: 10a4b887ed54d18dda49c1d679018d32
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]