Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* $NetBSD: ipsec.c,v 1.101 2005/03/09 14:17:13 itojun Exp $ */ 2 /* $KAME: ipsec.c,v 1.136 2002/05/19 00:36:39 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * IPsec controller part. 35 */ 36 37 #include <sys/cdefs.h> 38 __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.101 2005/03/09 14:17:13 itojun Exp $"); 39 40 #include "opt_inet.h" 41 #include "opt_ipsec.h" 42 43 #include <sys/param.h> 44 #include <sys/systm.h> 45 #include <sys/malloc.h> 46 #include <sys/mbuf.h> 47 #include <sys/domain.h> 48 #include <sys/protosw.h> 49 #include <sys/socket.h> 50 #include <sys/socketvar.h> 51 #include <sys/errno.h> 52 #include <sys/time.h> 53 #include <sys/kernel.h> 54 #include <sys/syslog.h> 55 #include <sys/sysctl.h> 56 57 #include <net/if.h> 58 #include <net/route.h> 59 60 #include <netinet/in.h> 61 #include <netinet/in_systm.h> 62 #include <netinet/ip.h> 63 #include <netinet/ip_var.h> 64 #include <netinet/in_var.h> 65 #include <netinet/udp.h> 66 #include <netinet/udp_var.h> 67 #include <netinet/ip_ecn.h> 68 #include <netinet/tcp.h> 69 70 #include <netinet/ip6.h> 71 #ifdef INET6 72 #include <netinet6/ip6_var.h> 73 #endif 74 #include <netinet/in_pcb.h> 75 #ifdef INET6 76 #include <netinet6/in6_pcb.h> 77 #include <netinet/icmp6.h> 78 #endif 79 80 #include <netinet6/ipsec.h> 81 #include <netinet6/ah.h> 82 #ifdef IPSEC_ESP 83 #include <netinet6/esp.h> 84 #endif 85 #include <netinet6/ipcomp.h> 86 #include <netkey/key.h> 87 #include <netkey/keydb.h> 88 #include <netkey/key_debug.h> 89 90 #include <net/net_osdep.h> 91 92 #ifdef IPSEC_DEBUG 93 int ipsec_debug = 1; 94 #else 95 int ipsec_debug = 0; 96 #endif 97 98 struct ipsecstat ipsecstat; 99 int ip4_ah_cleartos = 1; 100 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ 101 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ 102 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; 103 int ip4_esp_net_deflev = IPSEC_LEVEL_USE; 104 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; 105 int ip4_ah_net_deflev = IPSEC_LEVEL_USE; 106 struct secpolicy *ip4_def_policy; 107 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 108 109 #ifdef INET6 110 struct ipsecstat ipsec6stat; 111 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; 112 int ip6_esp_net_deflev = IPSEC_LEVEL_USE; 113 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 114 int ip6_ah_net_deflev = IPSEC_LEVEL_USE; 115 struct secpolicy *ip6_def_policy; 116 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 117 118 #endif /* INET6 */ 119 120 u_int ipsec_spdgen = 1; /* SPD generation # */ 121 122 #ifdef SADB_X_EXT_TAG 123 static struct pf_tag *ipsec_get_tag __P((struct mbuf *)); 124 #endif 125 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *, 126 struct inpcbpolicy *, int)); 127 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *, 128 struct secpolicy *, int)); 129 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int)); 130 static int ipsec_setspidx_mbuf 131 __P((struct secpolicyindex *, int, struct mbuf *, int)); 132 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int)); 133 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); 134 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 135 #ifdef INET6 136 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); 137 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 138 #endif 139 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void)); 140 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *)); 141 #if 0 142 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *)); 143 #endif 144 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *)); 145 static int ipsec_set_policy 146 __P((struct secpolicy **, int, caddr_t, size_t, int)); 147 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **)); 148 static void vshiftl __P((unsigned char *, int, int)); 149 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *)); 150 static size_t ipsec_hdrsiz __P((struct secpolicy *)); 151 #ifdef INET 152 static struct mbuf *ipsec4_splithdr __P((struct mbuf *)); 153 #endif 154 #ifdef INET6 155 static struct mbuf *ipsec6_splithdr __P((struct mbuf *)); 156 #endif 157 #ifdef INET 158 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *)); 159 #endif 160 #ifdef INET6 161 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *)); 162 #endif 163 static struct m_tag *ipsec_addaux __P((struct mbuf *)); 164 static struct m_tag *ipsec_findaux __P((struct mbuf *)); 165 static void ipsec_optaux __P((struct mbuf *, struct m_tag *)); 166 #ifdef INET 167 static int ipsec4_checksa __P((struct ipsecrequest *, 168 struct ipsec_output_state *)); 169 #endif 170 #ifdef INET6 171 static int ipsec6_checksa __P((struct ipsecrequest *, 172 struct ipsec_output_state *, int)); 173 #endif 174 175 /* 176 * try to validate and use cached policy on a pcb. 177 */ 178 static struct secpolicy * 179 ipsec_checkpcbcache(m, pcbsp, dir) 180 struct mbuf *m; 181 struct inpcbpolicy *pcbsp; 182 int dir; 183 { 184 struct secpolicyindex spidx; 185 186 switch (dir) { 187 case IPSEC_DIR_INBOUND: 188 case IPSEC_DIR_OUTBOUND: 189 case IPSEC_DIR_ANY: 190 break; 191 default: 192 return NULL; 193 } 194 #ifdef DIAGNOSTIC 195 if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0])) 196 panic("dir too big in ipsec_checkpcbcache"); 197 #endif 198 /* SPD table change invalidates all the caches */ 199 if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) { 200 ipsec_invalpcbcache(pcbsp, dir); 201 return NULL; 202 } 203 if (!pcbsp->sp_cache[dir].cachesp) 204 return NULL; 205 if (pcbsp->sp_cache[dir].cachesp->state != IPSEC_SPSTATE_ALIVE) { 206 ipsec_invalpcbcache(pcbsp, dir); 207 return NULL; 208 } 209 if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) { 210 if (!pcbsp->sp_cache[dir].cachesp) 211 return NULL; 212 if (ipsec_setspidx(m, &spidx, 1) != 0) 213 return NULL; 214 if (bcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx, 215 sizeof(spidx))) { 216 if (!pcbsp->sp_cache[dir].cachesp->spidx || 217 !key_cmpspidx_withmask(pcbsp->sp_cache[dir].cachesp->spidx, 218 &spidx)) 219 return NULL; 220 pcbsp->sp_cache[dir].cacheidx = spidx; 221 } 222 } else { 223 /* 224 * The pcb is connected, and the L4 code is sure that: 225 * - outgoing side uses inp_[lf]addr 226 * - incoming side looks up policy after inpcb lookup 227 * and address pair is known to be stable. We do not need 228 * to generate spidx again, nor check the address match again. 229 * 230 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds 231 * and there are calls to ipsec_pcbconn() from in_pcbconnect(). 232 */ 233 } 234 235 pcbsp->sp_cache[dir].cachesp->lastused = mono_time.tv_sec; 236 pcbsp->sp_cache[dir].cachesp->refcnt++; 237 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 238 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n", 239 pcbsp->sp_cache[dir].cachesp->refcnt, 240 pcbsp->sp_cache[dir].cachesp)); 241 return pcbsp->sp_cache[dir].cachesp; 242 } 243 244 static int 245 ipsec_fillpcbcache(pcbsp, m, sp, dir) 246 struct inpcbpolicy *pcbsp; 247 struct mbuf *m; 248 struct secpolicy *sp; 249 int dir; 250 { 251 252 switch (dir) { 253 case IPSEC_DIR_INBOUND: 254 case IPSEC_DIR_OUTBOUND: 255 break; 256 default: 257 return EINVAL; 258 } 259 #ifdef DIAGNOSTIC 260 if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0])) 261 panic("dir too big in ipsec_checkpcbcache"); 262 #endif 263 264 if (pcbsp->sp_cache[dir].cachesp) 265 key_freesp(pcbsp->sp_cache[dir].cachesp); 266 pcbsp->sp_cache[dir].cachesp = NULL; 267 pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_MAYBE; 268 if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, 1) != 0) { 269 return EINVAL; 270 } 271 pcbsp->sp_cache[dir].cachesp = sp; 272 if (pcbsp->sp_cache[dir].cachesp) { 273 pcbsp->sp_cache[dir].cachesp->refcnt++; 274 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 275 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n", 276 pcbsp->sp_cache[dir].cachesp->refcnt, 277 pcbsp->sp_cache[dir].cachesp)); 278 279 /* 280 * If the PCB is connected, we can remember a hint to 281 * possibly short-circuit IPsec processing in other places. 282 */ 283 if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) { 284 switch (pcbsp->sp_cache[dir].cachesp->policy) { 285 case IPSEC_POLICY_NONE: 286 case IPSEC_POLICY_BYPASS: 287 pcbsp->sp_cache[dir].cachehint = 288 IPSEC_PCBHINT_NO; 289 break; 290 default: 291 pcbsp->sp_cache[dir].cachehint = 292 IPSEC_PCBHINT_YES; 293 } 294 } 295 } 296 pcbsp->sp_cache[dir].cachegen = ipsec_spdgen; 297 298 return 0; 299 } 300 301 static int 302 ipsec_invalpcbcache(pcbsp, dir) 303 struct inpcbpolicy *pcbsp; 304 int dir; 305 { 306 int i; 307 308 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) { 309 if (dir != IPSEC_DIR_ANY && i != dir) 310 continue; 311 if (pcbsp->sp_cache[i].cachesp) 312 key_freesp(pcbsp->sp_cache[i].cachesp); 313 pcbsp->sp_cache[i].cachesp = NULL; 314 pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_MAYBE; 315 pcbsp->sp_cache[i].cachegen = 0; 316 bzero(&pcbsp->sp_cache[i].cacheidx, 317 sizeof(pcbsp->sp_cache[i].cacheidx)); 318 } 319 return 0; 320 } 321 322 int 323 ipsec_pcbconn(pcbsp) 324 struct inpcbpolicy *pcbsp; 325 { 326 327 pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED; 328 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 329 return 0; 330 } 331 332 int 333 ipsec_pcbdisconn(pcbsp) 334 struct inpcbpolicy *pcbsp; 335 { 336 337 pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED; 338 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY); 339 return 0; 340 } 341 342 void 343 ipsec_invalpcbcacheall() 344 { 345 346 if (ipsec_spdgen == UINT_MAX) 347 ipsec_spdgen = 1; 348 else 349 ipsec_spdgen++; 350 } 351 352 #ifdef SADB_X_EXT_TAG 353 static struct pf_tag * 354 ipsec_get_tag(m) 355 struct mbuf *m; 356 { 357 struct m_tag *mtag; 358 359 if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL) 360 return ((struct pf_tag *)(mtag + 1)); 361 else 362 return (NULL); 363 } 364 #endif 365 366 /* 367 * For OUTBOUND packet having a socket. Searching SPD for packet, 368 * and return a pointer to SP. 369 * OUT: NULL: no apropreate SP found, the following value is set to error. 370 * 0 : bypass 371 * EACCES : discard packet. 372 * ENOENT : ipsec_acquire() in progress, maybe. 373 * others : error occurred. 374 * others: a pointer to SP 375 * 376 * NOTE: IPv6 mapped adddress concern is implemented here. 377 */ 378 struct secpolicy * 379 ipsec4_getpolicybysock(m, dir, so, error) 380 struct mbuf *m; 381 u_int dir; 382 struct socket *so; 383 int *error; 384 { 385 struct inpcbpolicy *pcbsp = NULL; 386 struct secpolicy *currsp = NULL; /* policy on socket */ 387 struct secpolicy *kernsp = NULL; /* policy on kernel */ 388 struct secpolicyindex spidx; 389 #ifdef SADB_X_EXT_TAG 390 struct pf_tag *t; 391 #endif 392 u_int16_t tag; 393 394 /* sanity check */ 395 if (m == NULL || so == NULL || error == NULL) 396 panic("ipsec4_getpolicybysock: NULL pointer was passed."); 397 398 switch (so->so_proto->pr_domain->dom_family) { 399 case AF_INET: 400 pcbsp = sotoinpcb(so)->inp_sp; 401 break; 402 #ifdef INET6 403 case AF_INET6: 404 pcbsp = sotoin6pcb(so)->in6p_sp; 405 break; 406 #endif 407 default: 408 panic("ipsec4_getpolicybysock: unsupported address family"); 409 } 410 411 #ifdef DIAGNOSTIC 412 if (pcbsp == NULL) 413 panic("ipsec4_getpolicybysock: pcbsp is NULL."); 414 #endif 415 416 #ifdef SADB_X_EXT_TAG 417 t = ipsec_get_tag(m); 418 tag = t ? t->tag : 0; 419 #else 420 tag = 0; 421 #endif 422 423 /* if we have a cached entry, and if it is still valid, use it. */ 424 ipsecstat.spdcachelookup++; 425 currsp = ipsec_checkpcbcache(m, pcbsp, dir); 426 if (currsp) { 427 *error = 0; 428 return currsp; 429 } 430 ipsecstat.spdcachemiss++; 431 432 switch (dir) { 433 case IPSEC_DIR_INBOUND: 434 currsp = pcbsp->sp_in; 435 break; 436 case IPSEC_DIR_OUTBOUND: 437 currsp = pcbsp->sp_out; 438 break; 439 default: 440 panic("ipsec4_getpolicybysock: illegal direction."); 441 } 442 443 /* sanity check */ 444 if (currsp == NULL) 445 panic("ipsec4_getpolicybysock: currsp is NULL."); 446 447 /* when privileged socket */ 448 if (pcbsp->priv) { 449 switch (currsp->policy) { 450 case IPSEC_POLICY_BYPASS: 451 currsp->refcnt++; 452 *error = 0; 453 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 454 return currsp; 455 456 case IPSEC_POLICY_ENTRUST: 457 /* look for a policy in SPD */ 458 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 && 459 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 460 /* SP found */ 461 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 462 printf("DP ipsec4_getpolicybysock called " 463 "to allocate SP:%p\n", kernsp)); 464 *error = 0; 465 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 466 return kernsp; 467 } 468 469 /* no SP found */ 470 ip4_def_policy->refcnt++; 471 *error = 0; 472 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir); 473 return ip4_def_policy; 474 475 case IPSEC_POLICY_IPSEC: 476 currsp->refcnt++; 477 *error = 0; 478 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 479 return currsp; 480 481 default: 482 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 483 "Invalid policy for PCB %d\n", currsp->policy)); 484 *error = EINVAL; 485 return NULL; 486 } 487 /* NOTREACHED */ 488 } 489 490 /* when non-privileged socket */ 491 /* look for a policy in SPD */ 492 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 && 493 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 494 /* SP found */ 495 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 496 printf("DP ipsec4_getpolicybysock called " 497 "to allocate SP:%p\n", kernsp)); 498 *error = 0; 499 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 500 return kernsp; 501 } 502 503 /* no SP found */ 504 switch (currsp->policy) { 505 case IPSEC_POLICY_BYPASS: 506 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 507 "Illegal policy for non-privileged defined %d\n", 508 currsp->policy)); 509 *error = EINVAL; 510 return NULL; 511 512 case IPSEC_POLICY_ENTRUST: 513 ip4_def_policy->refcnt++; 514 *error = 0; 515 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir); 516 return ip4_def_policy; 517 518 case IPSEC_POLICY_IPSEC: 519 currsp->refcnt++; 520 *error = 0; 521 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 522 return currsp; 523 524 default: 525 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 526 "Invalid policy for PCB %d\n", currsp->policy)); 527 *error = EINVAL; 528 return NULL; 529 } 530 /* NOTREACHED */ 531 } 532 533 /* 534 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 535 * and return a pointer to SP. 536 * OUT: positive: a pointer to the entry for security policy leaf matched. 537 * NULL: no apropreate SP found, the following value is set to error. 538 * 0 : bypass 539 * EACCES : discard packet. 540 * ENOENT : ipsec_acquire() in progress, maybe. 541 * others : error occurred. 542 */ 543 struct secpolicy * 544 ipsec4_getpolicybyaddr(m, dir, flag, error) 545 struct mbuf *m; 546 u_int dir; 547 int flag; 548 int *error; 549 { 550 struct secpolicy *sp = NULL; 551 #ifdef SADB_X_EXT_TAG 552 struct pf_tag *t; 553 #endif 554 u_int16_t tag; 555 556 /* sanity check */ 557 if (m == NULL || error == NULL) 558 panic("ipsec4_getpolicybyaddr: NULL pointer was passed."); 559 560 /* get a policy entry matched with the packet */ 561 { 562 struct secpolicyindex spidx; 563 564 bzero(&spidx, sizeof(spidx)); 565 566 /* make an index to look for a policy */ 567 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m, 568 (flag & IP_FORWARDING) ? 0 : 1); 569 570 if (*error != 0) 571 return NULL; 572 573 #ifdef SADB_X_EXT_TAG 574 t = ipsec_get_tag(m); 575 tag = t ? t->tag : 0; 576 #else 577 tag = 0; 578 #endif 579 580 sp = key_allocsp(tag, &spidx, dir); 581 } 582 583 /* SP found */ 584 if (sp != NULL) { 585 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 586 printf("DP ipsec4_getpolicybyaddr called " 587 "to allocate SP:%p\n", sp)); 588 *error = 0; 589 return sp; 590 } 591 592 /* no SP found */ 593 ip4_def_policy->refcnt++; 594 *error = 0; 595 return ip4_def_policy; 596 } 597 598 #ifdef INET6 599 /* 600 * For OUTBOUND packet having a socket. Searching SPD for packet, 601 * and return a pointer to SP. 602 * OUT: NULL: no apropreate SP found, the following value is set to error. 603 * 0 : bypass 604 * EACCES : discard packet. 605 * ENOENT : ipsec_acquire() in progress, maybe. 606 * others : error occurred. 607 * others: a pointer to SP 608 */ 609 struct secpolicy * 610 ipsec6_getpolicybysock(m, dir, so, error) 611 struct mbuf *m; 612 u_int dir; 613 struct socket *so; 614 int *error; 615 { 616 struct inpcbpolicy *pcbsp = NULL; 617 struct secpolicy *currsp = NULL; /* policy on socket */ 618 struct secpolicy *kernsp = NULL; /* policy on kernel */ 619 struct secpolicyindex spidx; 620 #ifdef SADB_X_EXT_TAG 621 struct pf_tag *t; 622 #endif 623 u_int16_t tag; 624 625 /* sanity check */ 626 if (m == NULL || so == NULL || error == NULL) 627 panic("ipsec6_getpolicybysock: NULL pointer was passed."); 628 629 #ifdef DIAGNOSTIC 630 if (so->so_proto->pr_domain->dom_family != AF_INET6) 631 panic("ipsec6_getpolicybysock: socket domain != inet6"); 632 #endif 633 634 pcbsp = sotoin6pcb(so)->in6p_sp; 635 636 #ifdef DIAGNOSTIC 637 if (pcbsp == NULL) 638 panic("ipsec6_getpolicybysock: pcbsp is NULL."); 639 #endif 640 641 #ifdef SADB_X_EXT_TAG 642 t = ipsec_get_tag(m); 643 tag = t ? t->tag : 0; 644 #else 645 tag = 0; 646 #endif 647 648 /* if we have a cached entry, and if it is still valid, use it. */ 649 ipsec6stat.spdcachelookup++; 650 currsp = ipsec_checkpcbcache(m, pcbsp, dir); 651 if (currsp) { 652 *error = 0; 653 return currsp; 654 } 655 ipsec6stat.spdcachemiss++; 656 657 switch (dir) { 658 case IPSEC_DIR_INBOUND: 659 currsp = pcbsp->sp_in; 660 break; 661 case IPSEC_DIR_OUTBOUND: 662 currsp = pcbsp->sp_out; 663 break; 664 default: 665 panic("ipsec6_getpolicybysock: illegal direction."); 666 } 667 668 /* sanity check */ 669 if (currsp == NULL) 670 panic("ipsec6_getpolicybysock: currsp is NULL."); 671 672 /* when privileged socket */ 673 if (pcbsp->priv) { 674 switch (currsp->policy) { 675 case IPSEC_POLICY_BYPASS: 676 currsp->refcnt++; 677 *error = 0; 678 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 679 return currsp; 680 681 case IPSEC_POLICY_ENTRUST: 682 /* look for a policy in SPD */ 683 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 && 684 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 685 /* SP found */ 686 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 687 printf("DP ipsec6_getpolicybysock called " 688 "to allocate SP:%p\n", kernsp)); 689 *error = 0; 690 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 691 return kernsp; 692 } 693 694 /* no SP found */ 695 ip6_def_policy->refcnt++; 696 *error = 0; 697 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir); 698 return ip6_def_policy; 699 700 case IPSEC_POLICY_IPSEC: 701 currsp->refcnt++; 702 *error = 0; 703 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 704 return currsp; 705 706 default: 707 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " 708 "Invalid policy for PCB %d\n", currsp->policy)); 709 *error = EINVAL; 710 return NULL; 711 } 712 /* NOTREACHED */ 713 } 714 715 /* when non-privileged socket */ 716 /* look for a policy in SPD */ 717 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 && 718 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) { 719 /* SP found */ 720 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 721 printf("DP ipsec6_getpolicybysock called " 722 "to allocate SP:%p\n", kernsp)); 723 *error = 0; 724 ipsec_fillpcbcache(pcbsp, m, kernsp, dir); 725 return kernsp; 726 } 727 728 /* no SP found */ 729 switch (currsp->policy) { 730 case IPSEC_POLICY_BYPASS: 731 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " 732 "Illegal policy for non-privileged defined %d\n", 733 currsp->policy)); 734 *error = EINVAL; 735 return NULL; 736 737 case IPSEC_POLICY_ENTRUST: 738 ip6_def_policy->refcnt++; 739 *error = 0; 740 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir); 741 return ip6_def_policy; 742 743 case IPSEC_POLICY_IPSEC: 744 currsp->refcnt++; 745 *error = 0; 746 ipsec_fillpcbcache(pcbsp, m, currsp, dir); 747 return currsp; 748 749 default: 750 ipseclog((LOG_ERR, 751 "ipsec6_policybysock: Invalid policy for PCB %d\n", 752 currsp->policy)); 753 *error = EINVAL; 754 return NULL; 755 } 756 /* NOTREACHED */ 757 } 758 759 /* 760 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 761 * and return a pointer to SP. 762 * `flag' means that packet is to be forwarded whether or not. 763 * flag = 1: forwad 764 * OUT: positive: a pointer to the entry for security policy leaf matched. 765 * NULL: no apropreate SP found, the following value is set to error. 766 * 0 : bypass 767 * EACCES : discard packet. 768 * ENOENT : ipsec_acquire() in progress, maybe. 769 * others : error occurred. 770 */ 771 #ifndef IP_FORWARDING 772 #define IP_FORWARDING 1 773 #endif 774 775 struct secpolicy * 776 ipsec6_getpolicybyaddr(m, dir, flag, error) 777 struct mbuf *m; 778 u_int dir; 779 int flag; 780 int *error; 781 { 782 struct secpolicy *sp = NULL; 783 #ifdef SADB_X_EXT_TAG 784 struct pf_tag *t; 785 #endif 786 u_int16_t tag; 787 788 /* sanity check */ 789 if (m == NULL || error == NULL) 790 panic("ipsec6_getpolicybyaddr: NULL pointer was passed."); 791 792 /* get a policy entry matched with the packet */ 793 { 794 struct secpolicyindex spidx; 795 796 bzero(&spidx, sizeof(spidx)); 797 798 /* make an index to look for a policy */ 799 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 800 (flag & IP_FORWARDING) ? 0 : 1); 801 802 if (*error != 0) 803 return NULL; 804 805 #ifdef SADB_X_EXT_TAG 806 t = ipsec_get_tag(m); 807 tag = t ? t->tag : 0; 808 #else 809 tag = 0; 810 #endif 811 812 sp = key_allocsp(tag, &spidx, dir); 813 } 814 815 /* SP found */ 816 if (sp != NULL) { 817 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 818 printf("DP ipsec6_getpolicybyaddr called " 819 "to allocate SP:%p\n", sp)); 820 *error = 0; 821 return sp; 822 } 823 824 /* no SP found */ 825 ip6_def_policy->refcnt++; 826 *error = 0; 827 return ip6_def_policy; 828 } 829 #endif /* INET6 */ 830 831 /* 832 * set IP address into spidx from mbuf. 833 * When Forwarding packet and ICMP echo reply, this function is used. 834 * 835 * IN: get the followings from mbuf. 836 * protocol family, src, dst, next protocol 837 * OUT: 838 * 0: success. 839 * other: failure, and set errno. 840 */ 841 int 842 ipsec_setspidx_mbuf(spidx, family, m, needport) 843 struct secpolicyindex *spidx; 844 int family; 845 struct mbuf *m; 846 int needport; 847 { 848 int error; 849 850 /* sanity check */ 851 if (spidx == NULL || m == NULL) 852 panic("ipsec_setspidx_mbuf: NULL pointer was passed."); 853 854 bzero(spidx, sizeof(*spidx)); 855 856 error = ipsec_setspidx(m, spidx, needport); 857 if (error) 858 goto bad; 859 860 return 0; 861 862 bad: 863 /* XXX initialize */ 864 bzero(spidx, sizeof(*spidx)); 865 return EINVAL; 866 } 867 868 /* 869 * configure security policy index (src/dst/proto/sport/dport) 870 * by looking at the content of mbuf. 871 * the caller is responsible for error recovery (like clearing up spidx). 872 */ 873 static int 874 ipsec_setspidx(m, spidx, needport) 875 struct mbuf *m; 876 struct secpolicyindex *spidx; 877 int needport; 878 { 879 struct ip *ip = NULL; 880 struct ip ipbuf; 881 u_int v; 882 struct mbuf *n; 883 int len; 884 int error; 885 886 if (m == NULL) 887 panic("ipsec_setspidx: m == 0 passed."); 888 889 bzero(spidx, sizeof(*spidx)); 890 891 /* 892 * validate m->m_pkthdr.len. we see incorrect length if we 893 * mistakenly call this function with inconsistent mbuf chain 894 * (like 4.4BSD tcp/udp processing). XXX should we panic here? 895 */ 896 len = 0; 897 for (n = m; n; n = n->m_next) 898 len += n->m_len; 899 if (m->m_pkthdr.len != len) { 900 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 901 printf("ipsec_setspidx: " 902 "total of m_len(%d) != pkthdr.len(%d), " 903 "ignored.\n", 904 len, m->m_pkthdr.len)); 905 return EINVAL; 906 } 907 908 if (m->m_pkthdr.len < sizeof(struct ip)) { 909 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 910 printf("ipsec_setspidx: " 911 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n", 912 m->m_pkthdr.len)); 913 return EINVAL; 914 } 915 916 if (m->m_len >= sizeof(*ip)) 917 ip = mtod(m, struct ip *); 918 else { 919 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 920 ip = &ipbuf; 921 } 922 v = ip->ip_v; 923 switch (v) { 924 case 4: 925 error = ipsec4_setspidx_ipaddr(m, spidx); 926 if (error) 927 return error; 928 ipsec4_get_ulp(m, spidx, needport); 929 return 0; 930 #ifdef INET6 931 case 6: 932 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 933 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 934 printf("ipsec_setspidx: " 935 "pkthdr.len(%d) < sizeof(struct ip6_hdr), " 936 "ignored.\n", m->m_pkthdr.len)); 937 return EINVAL; 938 } 939 error = ipsec6_setspidx_ipaddr(m, spidx); 940 if (error) 941 return error; 942 ipsec6_get_ulp(m, spidx, needport); 943 return 0; 944 #endif 945 default: 946 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 947 printf("ipsec_setspidx: " 948 "unknown IP version %u, ignored.\n", v)); 949 return EINVAL; 950 } 951 } 952 953 static void 954 ipsec4_get_ulp(m, spidx, needport) 955 struct mbuf *m; 956 struct secpolicyindex *spidx; 957 int needport; 958 { 959 struct ip ip; 960 struct ip6_ext ip6e; 961 u_int8_t nxt; 962 int off; 963 struct tcphdr th; 964 struct udphdr uh; 965 966 /* sanity check */ 967 if (m == NULL) 968 panic("ipsec4_get_ulp: NULL pointer was passed."); 969 if (m->m_pkthdr.len < sizeof(ip)) 970 panic("ipsec4_get_ulp: too short"); 971 972 /* set default */ 973 spidx->ul_proto = IPSEC_ULPROTO_ANY; 974 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY; 975 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY; 976 977 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip); 978 if (ip.ip_off & htons(IP_MF | IP_OFFMASK)) 979 return; 980 981 nxt = ip.ip_p; 982 off = ip.ip_hl << 2; 983 while (off < m->m_pkthdr.len) { 984 switch (nxt) { 985 case IPPROTO_TCP: 986 spidx->ul_proto = nxt; 987 if (!needport) 988 return; 989 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 990 return; 991 m_copydata(m, off, sizeof(th), (caddr_t)&th); 992 ((struct sockaddr_in *)&spidx->src)->sin_port = 993 th.th_sport; 994 ((struct sockaddr_in *)&spidx->dst)->sin_port = 995 th.th_dport; 996 return; 997 case IPPROTO_UDP: 998 spidx->ul_proto = nxt; 999 if (!needport) 1000 return; 1001 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1002 return; 1003 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1004 ((struct sockaddr_in *)&spidx->src)->sin_port = 1005 uh.uh_sport; 1006 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1007 uh.uh_dport; 1008 return; 1009 case IPPROTO_AH: 1010 if (off + sizeof(ip6e) > m->m_pkthdr.len) 1011 return; 1012 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1013 off += (ip6e.ip6e_len + 2) << 2; 1014 nxt = ip6e.ip6e_nxt; 1015 break; 1016 case IPPROTO_ICMP: 1017 default: 1018 /* XXX intermediate headers??? */ 1019 spidx->ul_proto = nxt; 1020 return; 1021 } 1022 } 1023 } 1024 1025 /* assumes that m is sane */ 1026 static int 1027 ipsec4_setspidx_ipaddr(m, spidx) 1028 struct mbuf *m; 1029 struct secpolicyindex *spidx; 1030 { 1031 struct ip *ip = NULL; 1032 struct ip ipbuf; 1033 struct sockaddr_in *sin; 1034 1035 if (m->m_len >= sizeof(*ip)) 1036 ip = mtod(m, struct ip *); 1037 else { 1038 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 1039 ip = &ipbuf; 1040 } 1041 1042 sin = (struct sockaddr_in *)&spidx->src; 1043 bzero(sin, sizeof(*sin)); 1044 sin->sin_family = AF_INET; 1045 sin->sin_len = sizeof(struct sockaddr_in); 1046 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src)); 1047 spidx->prefs = sizeof(struct in_addr) << 3; 1048 1049 sin = (struct sockaddr_in *)&spidx->dst; 1050 bzero(sin, sizeof(*sin)); 1051 sin->sin_family = AF_INET; 1052 sin->sin_len = sizeof(struct sockaddr_in); 1053 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)); 1054 spidx->prefd = sizeof(struct in_addr) << 3; 1055 return 0; 1056 } 1057 1058 #ifdef INET6 1059 static void 1060 ipsec6_get_ulp(m, spidx, needport) 1061 struct mbuf *m; 1062 struct secpolicyindex *spidx; 1063 int needport; 1064 { 1065 int off, nxt; 1066 struct tcphdr th; 1067 struct udphdr uh; 1068 1069 /* sanity check */ 1070 if (m == NULL) 1071 panic("ipsec6_get_ulp: NULL pointer was passed."); 1072 1073 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1074 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m)); 1075 1076 /* set default */ 1077 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1078 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; 1079 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; 1080 1081 nxt = -1; 1082 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 1083 if (off < 0 || m->m_pkthdr.len < off) 1084 return; 1085 1086 switch (nxt) { 1087 case IPPROTO_TCP: 1088 spidx->ul_proto = nxt; 1089 if (!needport) 1090 break; 1091 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1092 break; 1093 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1094 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; 1095 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; 1096 break; 1097 case IPPROTO_UDP: 1098 spidx->ul_proto = nxt; 1099 if (!needport) 1100 break; 1101 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1102 break; 1103 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1104 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; 1105 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; 1106 break; 1107 case IPPROTO_ICMPV6: 1108 default: 1109 /* XXX intermediate headers??? */ 1110 spidx->ul_proto = nxt; 1111 break; 1112 } 1113 } 1114 1115 /* assumes that m is sane */ 1116 static int 1117 ipsec6_setspidx_ipaddr(m, spidx) 1118 struct mbuf *m; 1119 struct secpolicyindex *spidx; 1120 { 1121 struct ip6_hdr *ip6 = NULL; 1122 struct ip6_hdr ip6buf; 1123 struct sockaddr_in6 *sin6; 1124 1125 if (m->m_len >= sizeof(*ip6)) 1126 ip6 = mtod(m, struct ip6_hdr *); 1127 else { 1128 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); 1129 ip6 = &ip6buf; 1130 } 1131 1132 sin6 = (struct sockaddr_in6 *)&spidx->src; 1133 bzero(sin6, sizeof(*sin6)); 1134 sin6->sin6_family = AF_INET6; 1135 sin6->sin6_len = sizeof(struct sockaddr_in6); 1136 in6_recoverscope(sin6, &ip6->ip6_src, NULL); 1137 spidx->prefs = sizeof(struct in6_addr) << 3; 1138 1139 sin6 = (struct sockaddr_in6 *)&spidx->dst; 1140 bzero(sin6, sizeof(*sin6)); 1141 sin6->sin6_family = AF_INET6; 1142 sin6->sin6_len = sizeof(struct sockaddr_in6); 1143 in6_recoverscope(sin6, &ip6->ip6_dst, NULL); 1144 spidx->prefd = sizeof(struct in6_addr) << 3; 1145 1146 return 0; 1147 } 1148 #endif 1149 1150 static struct inpcbpolicy * 1151 ipsec_newpcbpolicy() 1152 { 1153 struct inpcbpolicy *p; 1154 1155 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT); 1156 return p; 1157 } 1158 1159 static void 1160 ipsec_delpcbpolicy(p) 1161 struct inpcbpolicy *p; 1162 { 1163 1164 free(p, M_SECA); 1165 } 1166 1167 /* initialize policy in PCB */ 1168 int 1169 ipsec_init_pcbpolicy(so, pcb_sp) 1170 struct socket *so; 1171 struct inpcbpolicy **pcb_sp; 1172 { 1173 struct inpcbpolicy *new; 1174 static int initialized = 0; 1175 static struct secpolicy *in = NULL, *out = NULL; 1176 1177 /* sanity check. */ 1178 if (so == NULL || pcb_sp == NULL) 1179 panic("ipsec_init_pcbpolicy: NULL pointer was passed."); 1180 1181 if (!initialized) { 1182 if ((in = key_newsp(0)) == NULL) 1183 return ENOBUFS; 1184 if ((out = key_newsp(0)) == NULL) { 1185 key_freesp(in); 1186 in = NULL; 1187 return ENOBUFS; 1188 } 1189 1190 in->state = IPSEC_SPSTATE_ALIVE; 1191 in->policy = IPSEC_POLICY_ENTRUST; 1192 in->dir = IPSEC_DIR_INBOUND; 1193 in->readonly = 1; 1194 in->persist = 1; 1195 in->so = NULL; 1196 1197 out->state = IPSEC_SPSTATE_ALIVE; 1198 out->policy = IPSEC_POLICY_ENTRUST; 1199 out->dir = IPSEC_DIR_OUTBOUND; 1200 out->readonly = 1; 1201 out->persist = 1; 1202 out->so = NULL; 1203 1204 initialized++; 1205 } 1206 1207 new = ipsec_newpcbpolicy(); 1208 if (new == NULL) { 1209 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n")); 1210 return ENOBUFS; 1211 } 1212 bzero(new, sizeof(*new)); 1213 1214 if (so->so_uid == 0) /* XXX */ 1215 new->priv = 1; 1216 else 1217 new->priv = 0; 1218 1219 new->sp_in = in; 1220 new->sp_in->refcnt++; 1221 new->sp_out = out; 1222 new->sp_out->refcnt++; 1223 1224 *pcb_sp = new; 1225 1226 return 0; 1227 } 1228 1229 /* copy old ipsec policy into new */ 1230 int 1231 ipsec_copy_pcbpolicy(old, new) 1232 struct inpcbpolicy *old, *new; 1233 { 1234 1235 if (new->sp_in) 1236 key_freesp(new->sp_in); 1237 if (old->sp_in->policy == IPSEC_POLICY_IPSEC) 1238 new->sp_in = ipsec_deepcopy_policy(old->sp_in); 1239 else { 1240 new->sp_in = old->sp_in; 1241 new->sp_in->refcnt++; 1242 } 1243 1244 if (new->sp_out) 1245 key_freesp(new->sp_out); 1246 if (old->sp_out->policy == IPSEC_POLICY_IPSEC) 1247 new->sp_out = ipsec_deepcopy_policy(old->sp_out); 1248 else { 1249 new->sp_out = old->sp_out; 1250 new->sp_out->refcnt++; 1251 } 1252 1253 new->priv = old->priv; 1254 1255 return 0; 1256 } 1257 1258 #if 0 1259 static int 1260 ipsec_deepcopy_pcbpolicy(pcb_sp) 1261 struct inpcbpolicy *pcb_sp; 1262 { 1263 struct secpolicy *sp; 1264 1265 sp = ipsec_deepcopy_policy(pcb_sp->sp_in); 1266 if (sp) { 1267 key_freesp(pcb_sp->sp_in); 1268 pcb_sp->sp_in = sp; 1269 } else 1270 return ENOBUFS; 1271 1272 sp = ipsec_deepcopy_policy(pcb_sp->sp_out); 1273 if (sp) { 1274 key_freesp(pcb_sp->sp_out); 1275 pcb_sp->sp_out = sp; 1276 } else 1277 return ENOBUFS; 1278 1279 return 0; 1280 } 1281 #endif 1282 1283 /* deep-copy a policy in PCB */ 1284 static struct secpolicy * 1285 ipsec_deepcopy_policy(src) 1286 struct secpolicy *src; 1287 { 1288 struct ipsecrequest *newchain = NULL; 1289 struct ipsecrequest *p; 1290 struct ipsecrequest **q; 1291 struct ipsecrequest *r; 1292 struct secpolicy *dst; 1293 1294 if (src == NULL) 1295 return NULL; 1296 1297 dst = key_newsp(0); 1298 if (dst == NULL) 1299 return NULL; 1300 1301 /* 1302 * deep-copy IPsec request chain. This is required since struct 1303 * ipsecrequest is not reference counted. 1304 */ 1305 q = &newchain; 1306 for (p = src->req; p; p = p->next) { 1307 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest), 1308 M_SECA, M_NOWAIT); 1309 if (*q == NULL) 1310 goto fail; 1311 bzero(*q, sizeof(**q)); 1312 (*q)->next = NULL; 1313 1314 (*q)->saidx.proto = p->saidx.proto; 1315 (*q)->saidx.mode = p->saidx.mode; 1316 (*q)->level = p->level; 1317 (*q)->saidx.reqid = p->saidx.reqid; 1318 1319 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src)); 1320 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst)); 1321 1322 (*q)->sav = NULL; 1323 (*q)->sp = dst; 1324 1325 q = &((*q)->next); 1326 } 1327 1328 if (src->spidx) 1329 if (keydb_setsecpolicyindex(dst, src->spidx) != 0) 1330 goto fail; 1331 1332 dst->req = newchain; 1333 dst->state = src->state; 1334 dst->policy = src->policy; 1335 dst->dir = src->dir; 1336 dst->so = src->so; 1337 /* do not touch the refcnt fields */ 1338 1339 return dst; 1340 1341 fail: 1342 for (p = newchain; p; p = r) { 1343 r = p->next; 1344 free(p, M_SECA); 1345 p = NULL; 1346 } 1347 key_freesp(dst); 1348 return NULL; 1349 } 1350 1351 /* set policy and ipsec request if present. */ 1352 static int 1353 ipsec_set_policy(spp, optname, request, len, priv) 1354 struct secpolicy **spp; 1355 int optname; 1356 caddr_t request; 1357 size_t len; 1358 int priv; 1359 { 1360 struct sadb_x_policy *xpl; 1361 struct secpolicy *newsp = NULL; 1362 int error; 1363 1364 /* sanity check. */ 1365 if (spp == NULL || *spp == NULL || request == NULL) 1366 return EINVAL; 1367 if (len < sizeof(*xpl)) 1368 return EINVAL; 1369 xpl = (struct sadb_x_policy *)request; 1370 1371 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1372 printf("ipsec_set_policy: passed policy\n"); 1373 kdebug_sadb_x_policy((struct sadb_ext *)xpl)); 1374 1375 /* check policy type */ 1376 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ 1377 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD || 1378 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) 1379 return EINVAL; 1380 1381 /* check privileged socket */ 1382 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) 1383 return EACCES; 1384 1385 /* allocation new SP entry */ 1386 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) 1387 return error; 1388 1389 newsp->state = IPSEC_SPSTATE_ALIVE; 1390 1391 /* clear old SP and set new SP */ 1392 key_freesp(*spp); 1393 *spp = newsp; 1394 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1395 printf("ipsec_set_policy: new policy\n"); 1396 kdebug_secpolicy(newsp)); 1397 1398 return 0; 1399 } 1400 1401 static int 1402 ipsec_get_policy(sp, mp) 1403 struct secpolicy *sp; 1404 struct mbuf **mp; 1405 { 1406 1407 /* sanity check. */ 1408 if (sp == NULL || mp == NULL) 1409 return EINVAL; 1410 1411 *mp = key_sp2msg(sp); 1412 if (!*mp) { 1413 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n")); 1414 return ENOBUFS; 1415 } 1416 1417 (*mp)->m_type = MT_SOOPTS; 1418 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1419 printf("ipsec_get_policy:\n"); 1420 kdebug_mbuf(*mp)); 1421 1422 return 0; 1423 } 1424 1425 int 1426 ipsec4_set_policy(inp, optname, request, len, priv) 1427 struct inpcb *inp; 1428 int optname; 1429 caddr_t request; 1430 size_t len; 1431 int priv; 1432 { 1433 struct sadb_x_policy *xpl; 1434 struct secpolicy **spp; 1435 1436 /* sanity check. */ 1437 if (inp == NULL || request == NULL) 1438 return EINVAL; 1439 if (len < sizeof(*xpl)) 1440 return EINVAL; 1441 xpl = (struct sadb_x_policy *)request; 1442 1443 /* select direction */ 1444 switch (xpl->sadb_x_policy_dir) { 1445 case IPSEC_DIR_INBOUND: 1446 spp = &inp->inp_sp->sp_in; 1447 break; 1448 case IPSEC_DIR_OUTBOUND: 1449 spp = &inp->inp_sp->sp_out; 1450 break; 1451 default: 1452 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", 1453 xpl->sadb_x_policy_dir)); 1454 return EINVAL; 1455 } 1456 1457 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1458 return ipsec_set_policy(spp, optname, request, len, priv); 1459 } 1460 1461 int 1462 ipsec4_get_policy(inp, request, len, mp) 1463 struct inpcb *inp; 1464 caddr_t request; 1465 size_t len; 1466 struct mbuf **mp; 1467 { 1468 struct sadb_x_policy *xpl; 1469 struct secpolicy *sp; 1470 1471 /* sanity check. */ 1472 if (inp == NULL || request == NULL || mp == NULL) 1473 return EINVAL; 1474 if (inp->inp_sp == NULL) 1475 panic("policy in PCB is NULL"); 1476 if (len < sizeof(*xpl)) 1477 return EINVAL; 1478 xpl = (struct sadb_x_policy *)request; 1479 1480 /* select direction */ 1481 switch (xpl->sadb_x_policy_dir) { 1482 case IPSEC_DIR_INBOUND: 1483 sp = inp->inp_sp->sp_in; 1484 break; 1485 case IPSEC_DIR_OUTBOUND: 1486 sp = inp->inp_sp->sp_out; 1487 break; 1488 default: 1489 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n", 1490 xpl->sadb_x_policy_dir)); 1491 return EINVAL; 1492 } 1493 1494 return ipsec_get_policy(sp, mp); 1495 } 1496 1497 /* delete policy in PCB */ 1498 int 1499 ipsec4_delete_pcbpolicy(inp) 1500 struct inpcb *inp; 1501 { 1502 /* sanity check. */ 1503 if (inp == NULL) 1504 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed."); 1505 1506 if (inp->inp_sp == NULL) 1507 return 0; 1508 1509 if (inp->inp_sp->sp_in != NULL) { 1510 key_freesp(inp->inp_sp->sp_in); 1511 inp->inp_sp->sp_in = NULL; 1512 } 1513 1514 if (inp->inp_sp->sp_out != NULL) { 1515 key_freesp(inp->inp_sp->sp_out); 1516 inp->inp_sp->sp_out = NULL; 1517 } 1518 1519 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); 1520 1521 ipsec_delpcbpolicy(inp->inp_sp); 1522 inp->inp_sp = NULL; 1523 1524 return 0; 1525 } 1526 1527 #ifdef INET6 1528 int 1529 ipsec6_set_policy(in6p, optname, request, len, priv) 1530 struct in6pcb *in6p; 1531 int optname; 1532 caddr_t request; 1533 size_t len; 1534 int priv; 1535 { 1536 struct sadb_x_policy *xpl; 1537 struct secpolicy **spp; 1538 1539 /* sanity check. */ 1540 if (in6p == NULL || request == NULL) 1541 return EINVAL; 1542 if (len < sizeof(*xpl)) 1543 return EINVAL; 1544 xpl = (struct sadb_x_policy *)request; 1545 1546 /* select direction */ 1547 switch (xpl->sadb_x_policy_dir) { 1548 case IPSEC_DIR_INBOUND: 1549 spp = &in6p->in6p_sp->sp_in; 1550 break; 1551 case IPSEC_DIR_OUTBOUND: 1552 spp = &in6p->in6p_sp->sp_out; 1553 break; 1554 default: 1555 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", 1556 xpl->sadb_x_policy_dir)); 1557 return EINVAL; 1558 } 1559 1560 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1561 return ipsec_set_policy(spp, optname, request, len, priv); 1562 } 1563 1564 int 1565 ipsec6_get_policy(in6p, request, len, mp) 1566 struct in6pcb *in6p; 1567 caddr_t request; 1568 size_t len; 1569 struct mbuf **mp; 1570 { 1571 struct sadb_x_policy *xpl; 1572 struct secpolicy *sp; 1573 1574 /* sanity check. */ 1575 if (in6p == NULL || request == NULL || mp == NULL) 1576 return EINVAL; 1577 if (in6p->in6p_sp == NULL) 1578 panic("policy in PCB is NULL"); 1579 if (len < sizeof(*xpl)) 1580 return EINVAL; 1581 xpl = (struct sadb_x_policy *)request; 1582 1583 /* select direction */ 1584 switch (xpl->sadb_x_policy_dir) { 1585 case IPSEC_DIR_INBOUND: 1586 sp = in6p->in6p_sp->sp_in; 1587 break; 1588 case IPSEC_DIR_OUTBOUND: 1589 sp = in6p->in6p_sp->sp_out; 1590 break; 1591 default: 1592 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n", 1593 xpl->sadb_x_policy_dir)); 1594 return EINVAL; 1595 } 1596 1597 return ipsec_get_policy(sp, mp); 1598 } 1599 1600 int 1601 ipsec6_delete_pcbpolicy(in6p) 1602 struct in6pcb *in6p; 1603 { 1604 /* sanity check. */ 1605 if (in6p == NULL) 1606 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed."); 1607 1608 if (in6p->in6p_sp == NULL) 1609 return 0; 1610 1611 if (in6p->in6p_sp->sp_in != NULL) { 1612 key_freesp(in6p->in6p_sp->sp_in); 1613 in6p->in6p_sp->sp_in = NULL; 1614 } 1615 1616 if (in6p->in6p_sp->sp_out != NULL) { 1617 key_freesp(in6p->in6p_sp->sp_out); 1618 in6p->in6p_sp->sp_out = NULL; 1619 } 1620 1621 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY); 1622 1623 ipsec_delpcbpolicy(in6p->in6p_sp); 1624 in6p->in6p_sp = NULL; 1625 1626 return 0; 1627 } 1628 #endif 1629 1630 /* 1631 * return current level. 1632 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 1633 */ 1634 u_int 1635 ipsec_get_reqlevel(isr, af) 1636 struct ipsecrequest *isr; 1637 int af; 1638 { 1639 u_int level = 0; 1640 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev; 1641 1642 /* sanity check */ 1643 if (isr == NULL || isr->sp == NULL) 1644 panic("ipsec_get_reqlevel: NULL pointer is passed."); 1645 1646 /* set default level */ 1647 switch (af) { 1648 #ifdef INET 1649 case AF_INET: 1650 esp_trans_deflev = ip4_esp_trans_deflev; 1651 esp_net_deflev = ip4_esp_net_deflev; 1652 ah_trans_deflev = ip4_ah_trans_deflev; 1653 ah_net_deflev = ip4_ah_net_deflev; 1654 break; 1655 #endif 1656 #ifdef INET6 1657 case AF_INET6: 1658 esp_trans_deflev = ip6_esp_trans_deflev; 1659 esp_net_deflev = ip6_esp_net_deflev; 1660 ah_trans_deflev = ip6_ah_trans_deflev; 1661 ah_net_deflev = ip6_ah_net_deflev; 1662 break; 1663 #endif /* INET6 */ 1664 default: 1665 panic("key_get_reqlevel: Unknown family. %d", 1666 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family); 1667 } 1668 1669 /* set level */ 1670 switch (isr->level) { 1671 case IPSEC_LEVEL_DEFAULT: 1672 switch (isr->saidx.proto) { 1673 case IPPROTO_ESP: 1674 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1675 level = esp_net_deflev; 1676 else 1677 level = esp_trans_deflev; 1678 break; 1679 case IPPROTO_AH: 1680 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1681 level = ah_net_deflev; 1682 else 1683 level = ah_trans_deflev; 1684 break; 1685 case IPPROTO_IPCOMP: 1686 /* 1687 * we don't really care, as IPcomp document says that 1688 * we shouldn't compress small packets 1689 */ 1690 level = IPSEC_LEVEL_USE; 1691 break; 1692 case IPPROTO_IPV4: 1693 case IPPROTO_IPV6: 1694 /* should never go into here */ 1695 level = IPSEC_LEVEL_REQUIRE; 1696 break; 1697 default: 1698 panic("ipsec_get_reqlevel: " 1699 "Illegal protocol defined %u\n", 1700 isr->saidx.proto); 1701 } 1702 break; 1703 1704 case IPSEC_LEVEL_USE: 1705 case IPSEC_LEVEL_REQUIRE: 1706 level = isr->level; 1707 break; 1708 case IPSEC_LEVEL_UNIQUE: 1709 level = IPSEC_LEVEL_REQUIRE; 1710 break; 1711 1712 default: 1713 panic("ipsec_get_reqlevel: Illegal IPsec level %u", 1714 isr->level); 1715 } 1716 1717 return level; 1718 } 1719 1720 /* 1721 * Check AH/ESP integrity. 1722 * OUT: 1723 * 0: valid 1724 * 1: invalid 1725 */ 1726 static int 1727 ipsec_in_reject(sp, m) 1728 struct secpolicy *sp; 1729 struct mbuf *m; 1730 { 1731 struct ipsecrequest *isr; 1732 u_int level; 1733 int need_auth, need_conf, need_icv; 1734 1735 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1736 printf("ipsec_in_reject: using SP\n"); 1737 kdebug_secpolicy(sp)); 1738 1739 /* check policy */ 1740 switch (sp->policy) { 1741 case IPSEC_POLICY_DISCARD: 1742 return 1; 1743 case IPSEC_POLICY_BYPASS: 1744 case IPSEC_POLICY_NONE: 1745 return 0; 1746 1747 case IPSEC_POLICY_IPSEC: 1748 break; 1749 1750 case IPSEC_POLICY_ENTRUST: 1751 default: 1752 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy); 1753 } 1754 1755 need_auth = 0; 1756 need_conf = 0; 1757 need_icv = 0; 1758 1759 /* XXX should compare policy against ipsec header history */ 1760 1761 for (isr = sp->req; isr != NULL; isr = isr->next) { 1762 /* get current level */ 1763 level = ipsec_get_reqlevel(isr, AF_INET); 1764 1765 switch (isr->saidx.proto) { 1766 case IPPROTO_ESP: 1767 if (level == IPSEC_LEVEL_REQUIRE) { 1768 need_conf++; 1769 1770 if (isr->sav != NULL 1771 && isr->sav->flags == SADB_X_EXT_NONE 1772 && isr->sav->alg_auth != SADB_AALG_NONE) 1773 need_icv++; 1774 } 1775 break; 1776 case IPPROTO_AH: 1777 if (level == IPSEC_LEVEL_REQUIRE) { 1778 need_auth++; 1779 need_icv++; 1780 } 1781 break; 1782 case IPPROTO_IPCOMP: 1783 /* 1784 * we don't really care, as IPcomp document says that 1785 * we shouldn't compress small packets, IPComp policy 1786 * should always be treated as being in "use" level. 1787 */ 1788 break; 1789 case IPPROTO_IPV4: 1790 case IPPROTO_IPV6: 1791 /* 1792 * XXX what shall we do, until introducing more complex 1793 * policy checking code? 1794 */ 1795 break; 1796 } 1797 } 1798 1799 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1800 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n", 1801 need_auth, need_conf, need_icv, m->m_flags)); 1802 1803 if ((need_conf && !(m->m_flags & M_DECRYPTED)) 1804 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM)) 1805 || (need_auth && !(m->m_flags & M_AUTHIPHDR))) 1806 return 1; 1807 1808 return 0; 1809 } 1810 1811 /* 1812 * Check AH/ESP integrity. 1813 * This function is called from tcp_input(), udp_input(), 1814 * and {ah,esp}4_input for tunnel mode 1815 */ 1816 int 1817 ipsec4_in_reject_so(m, so) 1818 struct mbuf *m; 1819 struct socket *so; 1820 { 1821 struct secpolicy *sp = NULL; 1822 int error; 1823 int result; 1824 1825 /* sanity check */ 1826 if (m == NULL) 1827 return 0; /* XXX should be panic ? */ 1828 1829 /* get SP for this packet. 1830 * When we are called from ip_forward(), we call 1831 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 1832 */ 1833 if (so == NULL) 1834 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 1835 IP_FORWARDING, &error); 1836 else 1837 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error); 1838 1839 /* XXX should be panic ? -> No, there may be error. */ 1840 if (sp == NULL) 1841 return 0; 1842 1843 result = ipsec_in_reject(sp, m); 1844 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1845 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp)); 1846 key_freesp(sp); 1847 1848 return result; 1849 } 1850 1851 int 1852 ipsec4_in_reject(m, inp) 1853 struct mbuf *m; 1854 struct inpcb *inp; 1855 { 1856 if (inp == NULL) 1857 return ipsec4_in_reject_so(m, NULL); 1858 if (inp->inp_socket) 1859 return ipsec4_in_reject_so(m, inp->inp_socket); 1860 else 1861 panic("ipsec4_in_reject: invalid inpcb/socket"); 1862 } 1863 1864 #ifdef INET6 1865 /* 1866 * Check AH/ESP integrity. 1867 * This function is called from tcp6_input(), udp6_input(), 1868 * and {ah,esp}6_input for tunnel mode 1869 */ 1870 int 1871 ipsec6_in_reject_so(m, so) 1872 struct mbuf *m; 1873 struct socket *so; 1874 { 1875 struct secpolicy *sp = NULL; 1876 int error; 1877 int result; 1878 1879 /* sanity check */ 1880 if (m == NULL) 1881 return 0; /* XXX should be panic ? */ 1882 1883 /* get SP for this packet. 1884 * When we are called from ip_forward(), we call 1885 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. 1886 */ 1887 if (so == NULL) 1888 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 1889 IP_FORWARDING, &error); 1890 else 1891 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error); 1892 1893 if (sp == NULL) 1894 return 0; /* XXX should be panic ? */ 1895 1896 result = ipsec_in_reject(sp, m); 1897 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1898 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp)); 1899 key_freesp(sp); 1900 1901 return result; 1902 } 1903 1904 int 1905 ipsec6_in_reject(m, in6p) 1906 struct mbuf *m; 1907 struct in6pcb *in6p; 1908 { 1909 if (in6p == NULL) 1910 return ipsec6_in_reject_so(m, NULL); 1911 if (in6p->in6p_socket) 1912 return ipsec6_in_reject_so(m, in6p->in6p_socket); 1913 else 1914 panic("ipsec6_in_reject: invalid in6p/socket"); 1915 } 1916 #endif 1917 1918 /* 1919 * compute the byte size to be occupied by IPsec header. 1920 * in case it is tunneled, it includes the size of outer IP header. 1921 * NOTE: SP passed is free in this function. 1922 */ 1923 static size_t 1924 ipsec_hdrsiz(sp) 1925 struct secpolicy *sp; 1926 { 1927 struct ipsecrequest *isr; 1928 size_t siz, clen; 1929 1930 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1931 printf("ipsec_hdrsiz: using SP\n"); 1932 kdebug_secpolicy(sp)); 1933 1934 /* check policy */ 1935 switch (sp->policy) { 1936 case IPSEC_POLICY_DISCARD: 1937 case IPSEC_POLICY_BYPASS: 1938 case IPSEC_POLICY_NONE: 1939 return 0; 1940 1941 case IPSEC_POLICY_IPSEC: 1942 break; 1943 1944 case IPSEC_POLICY_ENTRUST: 1945 default: 1946 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy); 1947 } 1948 1949 siz = 0; 1950 1951 for (isr = sp->req; isr != NULL; isr = isr->next) { 1952 1953 clen = 0; 1954 1955 switch (isr->saidx.proto) { 1956 case IPPROTO_ESP: 1957 #ifdef IPSEC_ESP 1958 clen = esp_hdrsiz(isr); 1959 #else 1960 clen = 0; /* XXX */ 1961 #endif 1962 break; 1963 case IPPROTO_AH: 1964 clen = ah_hdrsiz(isr); 1965 break; 1966 case IPPROTO_IPCOMP: 1967 clen = sizeof(struct ipcomp); 1968 break; 1969 case IPPROTO_IPV4: 1970 case IPPROTO_IPV6: 1971 /* the next "if" clause will compute it */ 1972 clen = 0; 1973 break; 1974 } 1975 1976 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 1977 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) { 1978 case AF_INET: 1979 clen += sizeof(struct ip); 1980 break; 1981 #ifdef INET6 1982 case AF_INET6: 1983 clen += sizeof(struct ip6_hdr); 1984 break; 1985 #endif 1986 default: 1987 ipseclog((LOG_ERR, "ipsec_hdrsiz: " 1988 "unknown AF %d in IPsec tunnel SA\n", 1989 ((struct sockaddr *)&isr->saidx.dst)->sa_family)); 1990 break; 1991 } 1992 } 1993 siz += clen; 1994 } 1995 1996 return siz; 1997 } 1998 1999 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ 2000 size_t 2001 ipsec4_hdrsiz(m, dir, inp) 2002 struct mbuf *m; 2003 u_int dir; 2004 struct inpcb *inp; 2005 { 2006 struct secpolicy *sp = NULL; 2007 int error; 2008 size_t size; 2009 2010 /* sanity check */ 2011 if (m == NULL) 2012 return 0; /* XXX should be panic ? */ 2013 if (inp != NULL && inp->inp_socket == NULL) 2014 panic("ipsec4_hdrsize: why is socket NULL but there is PCB."); 2015 2016 /* get SP for this packet. 2017 * When we are called from ip_forward(), we call 2018 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 2019 */ 2020 if (inp == NULL) 2021 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2022 else 2023 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error); 2024 2025 if (sp == NULL) 2026 return 0; /* XXX should be panic ? */ 2027 2028 size = ipsec_hdrsiz(sp); 2029 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2030 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp)); 2031 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2032 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size)); 2033 key_freesp(sp); 2034 2035 return size; 2036 } 2037 2038 #ifdef INET6 2039 /* This function is called from ipsec6_hdrsize_tcp(), 2040 * and maybe from ip6_forward.() 2041 */ 2042 size_t 2043 ipsec6_hdrsiz(m, dir, in6p) 2044 struct mbuf *m; 2045 u_int dir; 2046 struct in6pcb *in6p; 2047 { 2048 struct secpolicy *sp = NULL; 2049 int error; 2050 size_t size; 2051 2052 /* sanity check */ 2053 if (m == NULL) 2054 return 0; /* XXX should be panic ? */ 2055 if (in6p != NULL && in6p->in6p_socket == NULL) 2056 panic("ipsec6_hdrsize: why is socket NULL but there is PCB."); 2057 2058 /* get SP for this packet */ 2059 /* XXX Is it right to call with IP_FORWARDING. */ 2060 if (in6p == NULL) 2061 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2062 else 2063 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error); 2064 2065 if (sp == NULL) 2066 return 0; 2067 size = ipsec_hdrsiz(sp); 2068 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2069 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp)); 2070 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2071 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size)); 2072 key_freesp(sp); 2073 2074 return size; 2075 } 2076 #endif /* INET6 */ 2077 2078 #ifdef INET 2079 /* 2080 * encapsulate for ipsec tunnel. 2081 * ip->ip_src must be fixed later on. 2082 */ 2083 static int 2084 ipsec4_encapsulate(m, sav) 2085 struct mbuf *m; 2086 struct secasvar *sav; 2087 { 2088 struct ip *oip; 2089 struct ip *ip; 2090 size_t hlen; 2091 size_t plen; 2092 2093 /* can't tunnel between different AFs */ 2094 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2095 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2096 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2097 m_freem(m); 2098 return EINVAL; 2099 } 2100 #if 0 2101 /* XXX if the dst is myself, perform nothing. */ 2102 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2103 m_freem(m); 2104 return EINVAL; 2105 } 2106 #endif 2107 2108 if (m->m_len < sizeof(*ip)) 2109 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2110 2111 ip = mtod(m, struct ip *); 2112 hlen = ip->ip_hl << 2; 2113 2114 if (m->m_len != hlen) 2115 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2116 2117 /* generate header checksum */ 2118 ip->ip_sum = 0; 2119 ip->ip_sum = in_cksum(m, hlen); 2120 2121 plen = m->m_pkthdr.len; 2122 2123 /* 2124 * grow the mbuf to accomodate the new IPv4 header. 2125 * NOTE: IPv4 options will never be copied. 2126 */ 2127 if (M_LEADINGSPACE(m->m_next) < hlen) { 2128 struct mbuf *n; 2129 MGET(n, M_DONTWAIT, MT_DATA); 2130 if (!n) { 2131 m_freem(m); 2132 return ENOBUFS; 2133 } 2134 n->m_len = hlen; 2135 n->m_next = m->m_next; 2136 m->m_next = n; 2137 } else { 2138 m->m_next->m_len += hlen; 2139 m->m_next->m_data -= hlen; 2140 } 2141 oip = mtod(m->m_next, struct ip *); 2142 m->m_pkthdr.len += hlen; 2143 ip = mtod(m, struct ip *); 2144 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen); 2145 m->m_len = sizeof(struct ip); 2146 m->m_pkthdr.len -= (hlen - sizeof(struct ip)); 2147 2148 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2149 /* ECN consideration. */ 2150 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2151 ip->ip_hl = sizeof(struct ip) >> 2; 2152 ip->ip_off &= htons(~IP_OFFMASK); 2153 ip->ip_off &= htons(~IP_MF); 2154 switch (ip4_ipsec_dfbit) { 2155 case 0: /* clear DF bit */ 2156 ip->ip_off &= htons(~IP_DF); 2157 break; 2158 case 1: /* set DF bit */ 2159 ip->ip_off |= htons(IP_DF); 2160 break; 2161 default: /* copy DF bit */ 2162 break; 2163 } 2164 ip->ip_p = IPPROTO_IPIP; 2165 if (plen + sizeof(struct ip) < IP_MAXPACKET) 2166 ip->ip_len = htons(plen + sizeof(struct ip)); 2167 else { 2168 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2169 "leave ip_len as is (invalid packet)\n")); 2170 } 2171 ip->ip_id = ip_newid(); 2172 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2173 &ip->ip_src, sizeof(ip->ip_src)); 2174 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2175 &ip->ip_dst, sizeof(ip->ip_dst)); 2176 ip->ip_ttl = IPDEFTTL; 2177 2178 /* XXX Should ip_src be updated later ? */ 2179 2180 return 0; 2181 } 2182 #endif /* INET */ 2183 2184 #ifdef INET6 2185 static int 2186 ipsec6_encapsulate(m, sav) 2187 struct mbuf *m; 2188 struct secasvar *sav; 2189 { 2190 struct ip6_hdr *oip6; 2191 struct ip6_hdr *ip6; 2192 size_t plen; 2193 2194 /* can't tunnel between different AFs */ 2195 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2196 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2197 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { 2198 m_freem(m); 2199 return EINVAL; 2200 } 2201 #if 0 2202 /* XXX if the dst is myself, perform nothing. */ 2203 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2204 m_freem(m); 2205 return EINVAL; 2206 } 2207 #endif 2208 2209 plen = m->m_pkthdr.len; 2210 2211 /* 2212 * grow the mbuf to accomodate the new IPv6 header. 2213 */ 2214 if (m->m_len != sizeof(struct ip6_hdr)) 2215 panic("ipsec6_encapsulate: assumption failed (first mbuf length)"); 2216 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { 2217 struct mbuf *n; 2218 MGET(n, M_DONTWAIT, MT_DATA); 2219 if (!n) { 2220 m_freem(m); 2221 return ENOBUFS; 2222 } 2223 n->m_len = sizeof(struct ip6_hdr); 2224 n->m_next = m->m_next; 2225 m->m_next = n; 2226 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2227 oip6 = mtod(n, struct ip6_hdr *); 2228 } else { 2229 m->m_next->m_len += sizeof(struct ip6_hdr); 2230 m->m_next->m_data -= sizeof(struct ip6_hdr); 2231 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2232 oip6 = mtod(m->m_next, struct ip6_hdr *); 2233 } 2234 ip6 = mtod(m, struct ip6_hdr *); 2235 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr)); 2236 2237 /* Fake link-local scope-class addresses */ 2238 in6_clearscope(&oip6->ip6_src); 2239 in6_clearscope(&oip6->ip6_dst); 2240 2241 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ 2242 /* ECN consideration. */ 2243 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow); 2244 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) 2245 ip6->ip6_plen = htons(plen); 2246 else { 2247 /* ip6->ip6_plen will be updated in ip6_output() */ 2248 } 2249 ip6->ip6_nxt = IPPROTO_IPV6; 2250 in6_embedscope(&ip6->ip6_src, 2251 (struct sockaddr_in6 *)&sav->sah->saidx.src, NULL, NULL); 2252 in6_embedscope(&ip6->ip6_dst, 2253 (struct sockaddr_in6 *)&sav->sah->saidx.dst, NULL, NULL); 2254 ip6->ip6_hlim = IPV6_DEFHLIM; 2255 2256 /* XXX Should ip6_src be updated later ? */ 2257 2258 return 0; 2259 } 2260 #endif /* INET6 */ 2261 2262 /* 2263 * Check the variable replay window. 2264 * ipsec_chkreplay() performs replay check before ICV verification. 2265 * ipsec_updatereplay() updates replay bitmap. This must be called after 2266 * ICV verification (it also performs replay check, which is usually done 2267 * beforehand). 2268 * 0 (zero) is returned if packet disallowed, 1 if packet permitted. 2269 * 2270 * based on RFC 2401. 2271 * 2272 * XXX need to update for 64bit sequence number - 2401bis 2273 */ 2274 int 2275 ipsec_chkreplay(seq, sav) 2276 u_int32_t seq; 2277 struct secasvar *sav; 2278 { 2279 const struct secreplay *replay; 2280 u_int32_t diff; 2281 int fr; 2282 u_int32_t wsizeb; /* constant: bits of window size */ 2283 int frlast; /* constant: last frame */ 2284 2285 /* sanity check */ 2286 if (sav == NULL) 2287 panic("ipsec_chkreplay: NULL pointer was passed."); 2288 2289 replay = sav->replay; 2290 2291 if (replay->wsize == 0) 2292 return 1; /* no need to check replay. */ 2293 2294 /* constant */ 2295 frlast = replay->wsize - 1; 2296 wsizeb = replay->wsize << 3; 2297 2298 /* sequence number of 0 is invalid */ 2299 if (seq == 0) 2300 return 0; 2301 2302 /* first time is always okay */ 2303 if (replay->count == 0) 2304 return 1; 2305 2306 if (seq > replay->lastseq) { 2307 /* larger sequences are okay */ 2308 return 1; 2309 } else { 2310 /* seq is equal or less than lastseq. */ 2311 diff = replay->lastseq - seq; 2312 2313 /* over range to check, i.e. too old or wrapped */ 2314 if (diff >= wsizeb) 2315 return 0; 2316 2317 fr = frlast - diff / 8; 2318 2319 /* this packet already seen ? */ 2320 if (replay->bitmap[fr] & (1 << (diff % 8))) 2321 return 0; 2322 2323 /* out of order but good */ 2324 return 1; 2325 } 2326 } 2327 2328 /* 2329 * check replay counter whether to update or not. 2330 * OUT: 0: OK 2331 * 1: NG 2332 * XXX need to update for 64bit sequence number - 2401bis 2333 */ 2334 int 2335 ipsec_updatereplay(seq, sav) 2336 u_int32_t seq; 2337 struct secasvar *sav; 2338 { 2339 struct secreplay *replay; 2340 u_int64_t diff; 2341 int fr; 2342 u_int32_t wsizeb; /* constant: bits of window size */ 2343 int frlast; /* constant: last frame */ 2344 2345 /* sanity check */ 2346 if (sav == NULL) 2347 panic("ipsec_chkreplay: NULL pointer was passed."); 2348 2349 replay = sav->replay; 2350 2351 if (replay->wsize == 0) 2352 goto ok; /* no need to check replay. */ 2353 2354 /* constant */ 2355 frlast = replay->wsize - 1; 2356 wsizeb = replay->wsize << 3; 2357 2358 /* sequence number of 0 is invalid */ 2359 if (seq == 0) 2360 return 1; 2361 2362 /* first time */ 2363 if (replay->count == 0) { 2364 replay->lastseq = seq; 2365 bzero(replay->bitmap, replay->wsize); 2366 replay->bitmap[frlast] = 1; 2367 goto ok; 2368 } 2369 2370 if (seq > replay->lastseq) { 2371 /* seq is larger than lastseq. */ 2372 diff = seq - replay->lastseq; 2373 2374 /* new larger sequence number */ 2375 if (diff < wsizeb) { 2376 /* In window */ 2377 /* set bit for this packet */ 2378 vshiftl(replay->bitmap, diff, replay->wsize); 2379 replay->bitmap[frlast] |= 1; 2380 } else { 2381 /* this packet has a "way larger" */ 2382 bzero(replay->bitmap, replay->wsize); 2383 replay->bitmap[frlast] = 1; 2384 } 2385 replay->lastseq = seq; 2386 2387 /* larger is good */ 2388 } else { 2389 /* seq is equal or less than lastseq. */ 2390 diff = replay->lastseq - seq; 2391 2392 /* over range to check, i.e. too old or wrapped */ 2393 if (diff >= wsizeb) 2394 return 1; 2395 2396 fr = frlast - diff / 8; 2397 2398 /* this packet already seen ? */ 2399 if (replay->bitmap[fr] & (1 << (diff % 8))) 2400 return 1; 2401 2402 /* mark as seen */ 2403 replay->bitmap[fr] |= (1 << (diff % 8)); 2404 2405 /* out of order but good */ 2406 } 2407 2408 ok: 2409 if (replay->count == 0xffffffff) { 2410 2411 /* set overflow flag */ 2412 replay->overflow++; 2413 2414 /* don't increment, no more packets accepted */ 2415 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) 2416 return 1; 2417 2418 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n", 2419 replay->overflow, ipsec_logsastr(sav))); 2420 } 2421 2422 replay->count++; 2423 2424 return 0; 2425 } 2426 2427 /* 2428 * shift variable length buffer to left. 2429 * IN: bitmap: pointer to the buffer 2430 * nbit: the number of to shift. 2431 * wsize: buffer size (bytes). 2432 */ 2433 static void 2434 vshiftl(bitmap, nbit, wsize) 2435 unsigned char *bitmap; 2436 int nbit, wsize; 2437 { 2438 int s, j, i; 2439 unsigned char over; 2440 2441 for (j = 0; j < nbit; j += 8) { 2442 s = (nbit - j < 8) ? (nbit - j): 8; 2443 bitmap[0] <<= s; 2444 for (i = 1; i < wsize; i++) { 2445 over = (bitmap[i] >> (8 - s)); 2446 bitmap[i] <<= s; 2447 bitmap[i - 1] |= over; 2448 } 2449 } 2450 2451 return; 2452 } 2453 2454 const char * 2455 ipsec4_logpacketstr(ip, spi) 2456 struct ip *ip; 2457 u_int32_t spi; 2458 { 2459 static char buf[256]; 2460 char *p; 2461 u_int8_t *s, *d; 2462 2463 s = (u_int8_t *)(&ip->ip_src); 2464 d = (u_int8_t *)(&ip->ip_dst); 2465 2466 p = buf; 2467 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2468 while (p && *p) 2469 p++; 2470 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u", 2471 s[0], s[1], s[2], s[3]); 2472 while (p && *p) 2473 p++; 2474 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u", 2475 d[0], d[1], d[2], d[3]); 2476 while (p && *p) 2477 p++; 2478 snprintf(p, sizeof(buf) - (p - buf), ")"); 2479 2480 return buf; 2481 } 2482 2483 #ifdef INET6 2484 const char * 2485 ipsec6_logpacketstr(ip6, spi) 2486 struct ip6_hdr *ip6; 2487 u_int32_t spi; 2488 { 2489 static char buf[256]; 2490 char *p; 2491 2492 p = buf; 2493 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2494 while (p && *p) 2495 p++; 2496 snprintf(p, sizeof(buf) - (p - buf), "src=%s", 2497 ip6_sprintf(&ip6->ip6_src)); 2498 while (p && *p) 2499 p++; 2500 snprintf(p, sizeof(buf) - (p - buf), " dst=%s", 2501 ip6_sprintf(&ip6->ip6_dst)); 2502 while (p && *p) 2503 p++; 2504 snprintf(p, sizeof(buf) - (p - buf), ")"); 2505 2506 return buf; 2507 } 2508 #endif /* INET6 */ 2509 2510 const char * 2511 ipsec_logsastr(sav) 2512 struct secasvar *sav; 2513 { 2514 static char buf[256]; 2515 char *p; 2516 struct secasindex *saidx = &sav->sah->saidx; 2517 2518 /* validity check */ 2519 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2520 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) 2521 panic("ipsec_logsastr: family mismatched."); 2522 2523 p = buf; 2524 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi)); 2525 while (p && *p) 2526 p++; 2527 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) { 2528 u_int8_t *s, *d; 2529 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr; 2530 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr; 2531 snprintf(p, sizeof(buf) - (p - buf), 2532 "src=%d.%d.%d.%d dst=%d.%d.%d.%d", 2533 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]); 2534 } 2535 #ifdef INET6 2536 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) { 2537 snprintf(p, sizeof(buf) - (p - buf), 2538 "src=%s", 2539 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr)); 2540 while (p && *p) 2541 p++; 2542 snprintf(p, sizeof(buf) - (p - buf), 2543 " dst=%s", 2544 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr)); 2545 } 2546 #endif 2547 while (p && *p) 2548 p++; 2549 snprintf(p, sizeof(buf) - (p - buf), ")"); 2550 2551 return buf; 2552 } 2553 2554 void 2555 ipsec_dumpmbuf(m) 2556 struct mbuf *m; 2557 { 2558 int totlen; 2559 int i; 2560 u_char *p; 2561 2562 totlen = 0; 2563 printf("---\n"); 2564 while (m) { 2565 p = mtod(m, u_char *); 2566 for (i = 0; i < m->m_len; i++) { 2567 printf("%02x ", p[i]); 2568 totlen++; 2569 if (totlen % 16 == 0) 2570 printf("\n"); 2571 } 2572 m = m->m_next; 2573 } 2574 if (totlen % 16 != 0) 2575 printf("\n"); 2576 printf("---\n"); 2577 } 2578 2579 #ifdef INET 2580 static int 2581 ipsec4_checksa(isr, state) 2582 struct ipsecrequest *isr; 2583 struct ipsec_output_state *state; 2584 { 2585 struct ip *ip; 2586 struct secasindex saidx; 2587 struct sockaddr_in *sin; 2588 2589 /* make SA index for search proper SA */ 2590 ip = mtod(state->m, struct ip *); 2591 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2592 saidx.mode = isr->saidx.mode; 2593 saidx.reqid = isr->saidx.reqid; 2594 sin = (struct sockaddr_in *)&saidx.src; 2595 if (sin->sin_len == 0) { 2596 bzero(sin, sizeof(*sin)); 2597 sin->sin_len = sizeof(*sin); 2598 sin->sin_family = AF_INET; 2599 sin->sin_port = IPSEC_PORT_ANY; 2600 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr)); 2601 } 2602 sin = (struct sockaddr_in *)&saidx.dst; 2603 if (sin->sin_len == 0) { 2604 bzero(sin, sizeof(*sin)); 2605 sin->sin_len = sizeof(*sin); 2606 sin->sin_family = AF_INET; 2607 sin->sin_port = IPSEC_PORT_ANY; 2608 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr)); 2609 } 2610 2611 return key_checkrequest(isr, &saidx); 2612 } 2613 /* 2614 * IPsec output logic for IPv4. 2615 */ 2616 int 2617 ipsec4_output(state, sp, flags) 2618 struct ipsec_output_state *state; 2619 struct secpolicy *sp; 2620 int flags; 2621 { 2622 struct ip *ip = NULL; 2623 struct ipsecrequest *isr = NULL; 2624 int s; 2625 int error; 2626 struct sockaddr_in *dst4; 2627 2628 if (!state) 2629 panic("state == NULL in ipsec4_output"); 2630 if (!state->m) 2631 panic("state->m == NULL in ipsec4_output"); 2632 if (!state->ro) 2633 panic("state->ro == NULL in ipsec4_output"); 2634 if (!state->dst) 2635 panic("state->dst == NULL in ipsec4_output"); 2636 state->encap = 0; 2637 2638 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2639 printf("ipsec4_output: applyed SP\n"); 2640 kdebug_secpolicy(sp)); 2641 2642 for (isr = sp->req; isr != NULL; isr = isr->next) { 2643 2644 #if 0 /* give up to check restriction of transport mode */ 2645 /* XXX but should be checked somewhere */ 2646 /* 2647 * some of the IPsec operation must be performed only in 2648 * originating case. 2649 */ 2650 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT 2651 && (flags & IP_FORWARDING)) 2652 continue; 2653 #endif 2654 error = ipsec4_checksa(isr, state); 2655 if (error != 0) { 2656 /* 2657 * IPsec processing is required, but no SA found. 2658 * I assume that key_acquire() had been called 2659 * to get/establish the SA. Here I discard 2660 * this packet because it is responsibility for 2661 * upper layer to retransmit the packet. 2662 */ 2663 ipsecstat.out_nosa++; 2664 goto bad; 2665 } 2666 2667 /* validity check */ 2668 if (isr->sav == NULL) { 2669 switch (ipsec_get_reqlevel(isr, AF_INET)) { 2670 case IPSEC_LEVEL_USE: 2671 continue; 2672 case IPSEC_LEVEL_REQUIRE: 2673 if (isr->saidx.proto == AF_INET || 2674 isr->saidx.proto == AF_INET6) 2675 break; 2676 /* must be not reached here. */ 2677 panic("ipsec4_output: no SA found, but required."); 2678 } 2679 } 2680 2681 /* 2682 * If there is no valid SA, we give up to process any 2683 * more. In such a case, the SA's status is changed 2684 * from DYING to DEAD after allocating. If a packet 2685 * send to the receiver by dead SA, the receiver can 2686 * not decode a packet because SA has been dead. 2687 */ 2688 if (isr->sav->state != SADB_SASTATE_MATURE 2689 && isr->sav->state != SADB_SASTATE_DYING) { 2690 ipsecstat.out_nosa++; 2691 error = EINVAL; 2692 goto bad; 2693 } 2694 2695 /* 2696 * There may be the case that SA status will be changed when 2697 * we are refering to one. So calling splsoftnet(). 2698 */ 2699 s = splsoftnet(); 2700 2701 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2702 /* 2703 * build IPsec tunnel. 2704 */ 2705 /* XXX should be processed with other familiy */ 2706 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) { 2707 ipseclog((LOG_ERR, "ipsec4_output: " 2708 "family mismatched between inner and outer spi=%u\n", 2709 (u_int32_t)ntohl(isr->sav->spi))); 2710 splx(s); 2711 error = EAFNOSUPPORT; 2712 goto bad; 2713 } 2714 2715 state->m = ipsec4_splithdr(state->m); 2716 if (!state->m) { 2717 splx(s); 2718 error = ENOMEM; 2719 goto bad; 2720 } 2721 error = ipsec4_encapsulate(state->m, isr->sav); 2722 splx(s); 2723 if (error) { 2724 state->m = NULL; 2725 goto bad; 2726 } 2727 ip = mtod(state->m, struct ip *); 2728 2729 state->ro = &isr->sav->sah->sa_route; 2730 state->dst = (struct sockaddr *)&state->ro->ro_dst; 2731 dst4 = (struct sockaddr_in *)state->dst; 2732 if (state->ro->ro_rt 2733 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 2734 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) { 2735 RTFREE(state->ro->ro_rt); 2736 bzero((caddr_t)state->ro, sizeof (*state->ro)); 2737 } 2738 if (state->ro->ro_rt == 0) { 2739 dst4->sin_family = AF_INET; 2740 dst4->sin_len = sizeof(*dst4); 2741 dst4->sin_addr = ip->ip_dst; 2742 rtalloc(state->ro); 2743 } 2744 if (state->ro->ro_rt == 0) { 2745 ipstat.ips_noroute++; 2746 error = EHOSTUNREACH; 2747 goto bad; 2748 } 2749 2750 /* adjust state->dst if tunnel endpoint is offlink */ 2751 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 2752 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 2753 dst4 = (struct sockaddr_in *)state->dst; 2754 } 2755 2756 state->encap++; 2757 } else 2758 splx(s); 2759 2760 state->m = ipsec4_splithdr(state->m); 2761 if (!state->m) { 2762 error = ENOMEM; 2763 goto bad; 2764 } 2765 switch (isr->saidx.proto) { 2766 case IPPROTO_ESP: 2767 #ifdef IPSEC_ESP 2768 if ((error = esp4_output(state->m, isr)) != 0) { 2769 state->m = NULL; 2770 goto bad; 2771 } 2772 break; 2773 #else 2774 m_freem(state->m); 2775 state->m = NULL; 2776 error = EINVAL; 2777 goto bad; 2778 #endif 2779 case IPPROTO_AH: 2780 if ((error = ah4_output(state->m, isr)) != 0) { 2781 state->m = NULL; 2782 goto bad; 2783 } 2784 break; 2785 case IPPROTO_IPCOMP: 2786 if ((error = ipcomp4_output(state->m, isr)) != 0) { 2787 state->m = NULL; 2788 goto bad; 2789 } 2790 break; 2791 case IPPROTO_IPV4: 2792 break; 2793 case IPPROTO_IPV6: 2794 ipseclog((LOG_ERR, "ipsec4_output: " 2795 "family mismatched between inner and outer " 2796 "header\n")); 2797 error = EAFNOSUPPORT; 2798 goto bad; 2799 default: 2800 ipseclog((LOG_ERR, 2801 "ipsec4_output: unknown ipsec protocol %d\n", 2802 isr->saidx.proto)); 2803 m_freem(state->m); 2804 state->m = NULL; 2805 error = EINVAL; 2806 goto bad; 2807 } 2808 2809 if (state->m == 0) { 2810 error = ENOMEM; 2811 goto bad; 2812 } 2813 ip = mtod(state->m, struct ip *); 2814 } 2815 2816 return 0; 2817 2818 bad: 2819 m_freem(state->m); 2820 state->m = NULL; 2821 return error; 2822 } 2823 #endif 2824 2825 #ifdef INET6 2826 static int 2827 ipsec6_checksa(isr, state, tunnel) 2828 struct ipsecrequest *isr; 2829 struct ipsec_output_state *state; 2830 int tunnel; 2831 { 2832 struct ip6_hdr *ip6; 2833 struct secasindex saidx; 2834 struct sockaddr_in6 *sin6; 2835 2836 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2837 #ifdef DIAGNOSTIC 2838 if (!tunnel) 2839 panic("ipsec6_checksa/inconsistent tunnel attribute"); 2840 #endif 2841 /* When tunnel mode, SA peers must be specified. */ 2842 return key_checkrequest(isr, &isr->saidx); 2843 } 2844 2845 /* make SA index for search proper SA */ 2846 ip6 = mtod(state->m, struct ip6_hdr *); 2847 if (tunnel) { 2848 bzero(&saidx, sizeof(saidx)); 2849 saidx.proto = isr->saidx.proto; 2850 } else 2851 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2852 saidx.mode = isr->saidx.mode; 2853 saidx.reqid = isr->saidx.reqid; 2854 sin6 = (struct sockaddr_in6 *)&saidx.src; 2855 if (sin6->sin6_len == 0 || tunnel) { 2856 bzero(sin6, sizeof(*sin6)); 2857 sin6->sin6_len = sizeof(*sin6); 2858 sin6->sin6_family = AF_INET6; 2859 sin6->sin6_port = IPSEC_PORT_ANY; 2860 in6_recoverscope(sin6, &ip6->ip6_src, NULL); 2861 } 2862 sin6 = (struct sockaddr_in6 *)&saidx.dst; 2863 if (sin6->sin6_len == 0 || tunnel) { 2864 bzero(sin6, sizeof(*sin6)); 2865 sin6->sin6_len = sizeof(*sin6); 2866 sin6->sin6_family = AF_INET6; 2867 sin6->sin6_port = IPSEC_PORT_ANY; 2868 in6_recoverscope(sin6, &ip6->ip6_dst, NULL); 2869 } 2870 2871 return key_checkrequest(isr, &saidx); 2872 } 2873 /* 2874 * IPsec output logic for IPv6, transport mode. 2875 */ 2876 int 2877 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun) 2878 struct ipsec_output_state *state; 2879 u_char *nexthdrp; 2880 struct mbuf *mprev; 2881 struct secpolicy *sp; 2882 int flags; 2883 int *tun; 2884 { 2885 struct ip6_hdr *ip6; 2886 struct ipsecrequest *isr = NULL; 2887 int error = 0; 2888 int plen; 2889 2890 if (!state) 2891 panic("state == NULL in ipsec6_output_trans"); 2892 if (!state->m) 2893 panic("state->m == NULL in ipsec6_output_trans"); 2894 if (!nexthdrp) 2895 panic("nexthdrp == NULL in ipsec6_output_trans"); 2896 if (!mprev) 2897 panic("mprev == NULL in ipsec6_output_trans"); 2898 if (!sp) 2899 panic("sp == NULL in ipsec6_output_trans"); 2900 if (!tun) 2901 panic("tun == NULL in ipsec6_output_trans"); 2902 2903 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2904 printf("ipsec6_output_trans: applyed SP\n"); 2905 kdebug_secpolicy(sp)); 2906 2907 *tun = 0; 2908 for (isr = sp->req; isr; isr = isr->next) { 2909 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2910 /* the rest will be handled by ipsec6_output_tunnel() */ 2911 break; 2912 } 2913 2914 error = ipsec6_checksa(isr, state, 0); 2915 if (error == ENOENT) { 2916 /* 2917 * IPsec processing is required, but no SA found. 2918 * I assume that key_acquire() had been called 2919 * to get/establish the SA. Here I discard 2920 * this packet because it is responsibility for 2921 * upper layer to retransmit the packet. 2922 */ 2923 ipsec6stat.out_nosa++; 2924 2925 /* 2926 * Notify the fact that the packet is discarded 2927 * to ourselves. I believe this is better than 2928 * just silently discarding. (jinmei@kame.net) 2929 * XXX: should we restrict the error to TCP packets? 2930 * XXX: should we directly notify sockets via 2931 * pfctlinputs? 2932 * 2933 * Noone have initialized rcvif until this point, 2934 * so clear it. 2935 */ 2936 if ((state->m->m_flags & M_PKTHDR) != 0) 2937 state->m->m_pkthdr.rcvif = NULL; 2938 icmp6_error(state->m, ICMP6_DST_UNREACH, 2939 ICMP6_DST_UNREACH_ADMIN, 0); 2940 state->m = NULL; /* icmp6_error freed the mbuf */ 2941 goto bad; 2942 } 2943 2944 /* validity check */ 2945 if (isr->sav == NULL) { 2946 switch (ipsec_get_reqlevel(isr, AF_INET6)) { 2947 case IPSEC_LEVEL_USE: 2948 continue; 2949 case IPSEC_LEVEL_REQUIRE: 2950 /* must be not reached here. */ 2951 panic("ipsec6_output_trans: no SA found, but required."); 2952 } 2953 } 2954 2955 /* 2956 * If there is no valid SA, we give up to process. 2957 * see same place at ipsec4_output(). 2958 */ 2959 if (isr->sav->state != SADB_SASTATE_MATURE 2960 && isr->sav->state != SADB_SASTATE_DYING) { 2961 ipsec6stat.out_nosa++; 2962 error = EINVAL; 2963 goto bad; 2964 } 2965 2966 switch (isr->saidx.proto) { 2967 case IPPROTO_ESP: 2968 #ifdef IPSEC_ESP 2969 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr); 2970 #else 2971 m_freem(state->m); 2972 error = EINVAL; 2973 #endif 2974 break; 2975 case IPPROTO_AH: 2976 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr); 2977 break; 2978 case IPPROTO_IPCOMP: 2979 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr); 2980 break; 2981 default: 2982 ipseclog((LOG_ERR, "ipsec6_output_trans: " 2983 "unknown ipsec protocol %d\n", isr->saidx.proto)); 2984 m_freem(state->m); 2985 ipsec6stat.out_inval++; 2986 error = EINVAL; 2987 break; 2988 } 2989 if (error) { 2990 state->m = NULL; 2991 goto bad; 2992 } 2993 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 2994 if (plen > IPV6_MAXPACKET) { 2995 ipseclog((LOG_ERR, "ipsec6_output_trans: " 2996 "IPsec with IPv6 jumbogram is not supported\n")); 2997 ipsec6stat.out_inval++; 2998 error = EINVAL; /* XXX */ 2999 goto bad; 3000 } 3001 ip6 = mtod(state->m, struct ip6_hdr *); 3002 ip6->ip6_plen = htons(plen); 3003 } 3004 3005 /* if we have more to go, we need a tunnel mode processing */ 3006 if (isr != NULL) 3007 *tun = 1; 3008 3009 return 0; 3010 3011 bad: 3012 m_freem(state->m); 3013 state->m = NULL; 3014 return error; 3015 } 3016 3017 /* 3018 * IPsec output logic for IPv6, tunnel mode. 3019 */ 3020 int 3021 ipsec6_output_tunnel(state, sp, flags) 3022 struct ipsec_output_state *state; 3023 struct secpolicy *sp; 3024 int flags; 3025 { 3026 struct ip6_hdr *ip6; 3027 struct ipsecrequest *isr = NULL; 3028 int error = 0; 3029 int plen; 3030 struct sockaddr_in6* dst6; 3031 int s; 3032 3033 if (!state) 3034 panic("state == NULL in ipsec6_output_tunnel"); 3035 if (!state->m) 3036 panic("state->m == NULL in ipsec6_output_tunnel"); 3037 if (!sp) 3038 panic("sp == NULL in ipsec6_output_tunnel"); 3039 3040 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3041 printf("ipsec6_output_tunnel: applyed SP\n"); 3042 kdebug_secpolicy(sp)); 3043 3044 /* 3045 * transport mode ipsec (before the 1st tunnel mode) is already 3046 * processed by ipsec6_output_trans(). 3047 */ 3048 for (isr = sp->req; isr; isr = isr->next) { 3049 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 3050 break; 3051 } 3052 3053 for (/* already initialized */; isr; isr = isr->next) { 3054 error = ipsec6_checksa(isr, state, 1); 3055 if (error == ENOENT) { 3056 /* 3057 * IPsec processing is required, but no SA found. 3058 * I assume that key_acquire() had been called 3059 * to get/establish the SA. Here I discard 3060 * this packet because it is responsibility for 3061 * upper layer to retransmit the packet. 3062 */ 3063 ipsec6stat.out_nosa++; 3064 error = ENOENT; 3065 goto bad; 3066 } 3067 3068 /* validity check */ 3069 if (isr->sav == NULL) { 3070 switch (ipsec_get_reqlevel(isr, AF_INET6)) { 3071 case IPSEC_LEVEL_USE: 3072 continue; 3073 case IPSEC_LEVEL_REQUIRE: 3074 /* must be not reached here. */ 3075 panic("ipsec6_output_tunnel: no SA found, but required."); 3076 } 3077 } 3078 3079 /* 3080 * If there is no valid SA, we give up to process. 3081 * see same place at ipsec4_output(). 3082 */ 3083 if (isr->sav->state != SADB_SASTATE_MATURE 3084 && isr->sav->state != SADB_SASTATE_DYING) { 3085 ipsec6stat.out_nosa++; 3086 error = EINVAL; 3087 goto bad; 3088 } 3089 3090 /* 3091 * There may be the case that SA status will be changed when 3092 * we are refering to one. So calling splsoftnet(). 3093 */ 3094 s = splsoftnet(); 3095 3096 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3097 /* 3098 * build IPsec tunnel. 3099 */ 3100 /* XXX should be processed with other familiy */ 3101 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) { 3102 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3103 "family mismatched between inner and outer, spi=%u\n", 3104 (u_int32_t)ntohl(isr->sav->spi))); 3105 splx(s); 3106 ipsec6stat.out_inval++; 3107 error = EAFNOSUPPORT; 3108 goto bad; 3109 } 3110 3111 state->m = ipsec6_splithdr(state->m); 3112 if (!state->m) { 3113 splx(s); 3114 ipsec6stat.out_nomem++; 3115 error = ENOMEM; 3116 goto bad; 3117 } 3118 error = ipsec6_encapsulate(state->m, isr->sav); 3119 splx(s); 3120 if (error) { 3121 state->m = 0; 3122 goto bad; 3123 } 3124 ip6 = mtod(state->m, struct ip6_hdr *); 3125 3126 state->ro = &isr->sav->sah->sa_route; 3127 state->dst = (struct sockaddr *)&state->ro->ro_dst; 3128 dst6 = (struct sockaddr_in6 *)state->dst; 3129 if (state->ro->ro_rt 3130 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 3131 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) { 3132 RTFREE(state->ro->ro_rt); 3133 bzero((caddr_t)state->ro, sizeof (*state->ro)); 3134 } 3135 if (state->ro->ro_rt == 0) { 3136 bzero(dst6, sizeof(*dst6)); 3137 dst6->sin6_family = AF_INET6; 3138 dst6->sin6_len = sizeof(*dst6); 3139 dst6->sin6_addr = ip6->ip6_dst; 3140 rtalloc(state->ro); 3141 } 3142 if (state->ro->ro_rt == 0) { 3143 ip6stat.ip6s_noroute++; 3144 ipsec6stat.out_noroute++; 3145 error = EHOSTUNREACH; 3146 goto bad; 3147 } 3148 3149 /* adjust state->dst if tunnel endpoint is offlink */ 3150 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 3151 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 3152 dst6 = (struct sockaddr_in6 *)state->dst; 3153 } 3154 } else 3155 splx(s); 3156 3157 state->m = ipsec6_splithdr(state->m); 3158 if (!state->m) { 3159 ipsec6stat.out_nomem++; 3160 error = ENOMEM; 3161 goto bad; 3162 } 3163 ip6 = mtod(state->m, struct ip6_hdr *); 3164 switch (isr->saidx.proto) { 3165 case IPPROTO_ESP: 3166 #ifdef IPSEC_ESP 3167 error = esp6_output(state->m, &ip6->ip6_nxt, 3168 state->m->m_next, isr); 3169 #else 3170 m_freem(state->m); 3171 error = EINVAL; 3172 #endif 3173 break; 3174 case IPPROTO_AH: 3175 error = ah6_output(state->m, &ip6->ip6_nxt, 3176 state->m->m_next, isr); 3177 break; 3178 case IPPROTO_IPCOMP: 3179 /* XXX code should be here */ 3180 /* FALLTHROUGH */ 3181 default: 3182 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3183 "unknown ipsec protocol %d\n", isr->saidx.proto)); 3184 m_freem(state->m); 3185 ipsec6stat.out_inval++; 3186 error = EINVAL; 3187 break; 3188 } 3189 if (error) { 3190 state->m = NULL; 3191 goto bad; 3192 } 3193 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3194 if (plen > IPV6_MAXPACKET) { 3195 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3196 "IPsec with IPv6 jumbogram is not supported\n")); 3197 ipsec6stat.out_inval++; 3198 error = EINVAL; /* XXX */ 3199 goto bad; 3200 } 3201 ip6 = mtod(state->m, struct ip6_hdr *); 3202 ip6->ip6_plen = htons(plen); 3203 } 3204 3205 return 0; 3206 3207 bad: 3208 m_freem(state->m); 3209 state->m = NULL; 3210 return error; 3211 } 3212 #endif /* INET6 */ 3213 3214 #ifdef INET 3215 /* 3216 * Chop IP header and option off from the payload. 3217 */ 3218 static struct mbuf * 3219 ipsec4_splithdr(m) 3220 struct mbuf *m; 3221 { 3222 struct mbuf *mh; 3223 struct ip *ip; 3224 int hlen; 3225 3226 if (m->m_len < sizeof(struct ip)) 3227 panic("ipsec4_splithdr: first mbuf too short"); 3228 ip = mtod(m, struct ip *); 3229 hlen = ip->ip_hl << 2; 3230 if (m->m_len > hlen) { 3231 MGETHDR(mh, M_DONTWAIT, MT_HEADER); 3232 if (!mh) { 3233 m_freem(m); 3234 return NULL; 3235 } 3236 M_COPY_PKTHDR(mh, m); 3237 MH_ALIGN(mh, hlen); 3238 m_tag_delete_chain(m, NULL); 3239 m->m_flags &= ~M_PKTHDR; 3240 m->m_len -= hlen; 3241 m->m_data += hlen; 3242 mh->m_next = m; 3243 m = mh; 3244 m->m_len = hlen; 3245 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen); 3246 } else if (m->m_len < hlen) { 3247 m = m_pullup(m, hlen); 3248 if (!m) 3249 return NULL; 3250 } 3251 return m; 3252 } 3253 #endif 3254 3255 #ifdef INET6 3256 static struct mbuf * 3257 ipsec6_splithdr(m) 3258 struct mbuf *m; 3259 { 3260 struct mbuf *mh; 3261 struct ip6_hdr *ip6; 3262 int hlen; 3263 3264 if (m->m_len < sizeof(struct ip6_hdr)) 3265 panic("ipsec6_splithdr: first mbuf too short"); 3266 ip6 = mtod(m, struct ip6_hdr *); 3267 hlen = sizeof(struct ip6_hdr); 3268 if (m->m_len > hlen) { 3269 MGETHDR(mh, M_DONTWAIT, MT_HEADER); 3270 if (!mh) { 3271 m_freem(m); 3272 return NULL; 3273 } 3274 M_COPY_PKTHDR(mh, m); 3275 MH_ALIGN(mh, hlen); 3276 m_tag_delete_chain(m, NULL); 3277 m->m_flags &= ~M_PKTHDR; 3278 m->m_len -= hlen; 3279 m->m_data += hlen; 3280 mh->m_next = m; 3281 m = mh; 3282 m->m_len = hlen; 3283 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen); 3284 } else if (m->m_len < hlen) { 3285 m = m_pullup(m, hlen); 3286 if (!m) 3287 return NULL; 3288 } 3289 return m; 3290 } 3291 #endif 3292 3293 /* validate inbound IPsec tunnel packet. */ 3294 int 3295 ipsec4_tunnel_validate(ip, nxt0, sav) 3296 struct ip *ip; 3297 u_int nxt0; 3298 struct secasvar *sav; 3299 { 3300 u_int8_t nxt = nxt0 & 0xff; 3301 struct sockaddr_in *sin; 3302 int hlen; 3303 3304 if (nxt != IPPROTO_IPV4) 3305 return 0; 3306 /* do not decapsulate if the SA is for transport mode only */ 3307 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3308 return 0; 3309 hlen = ip->ip_hl << 2; 3310 if (hlen != sizeof(struct ip)) 3311 return 0; 3312 switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) { 3313 case AF_INET: 3314 sin = (struct sockaddr_in *)&sav->sah->saidx.dst; 3315 if (bcmp(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)) != 0) 3316 return 0; 3317 break; 3318 #ifdef INET6 3319 case AF_INET6: 3320 /* should be supported, but at this moment we don't. */ 3321 /*FALLTHROUGH*/ 3322 #endif 3323 default: 3324 return 0; 3325 } 3326 3327 return 1; 3328 } 3329 3330 #ifdef INET6 3331 /* validate inbound IPsec tunnel packet. */ 3332 int 3333 ipsec6_tunnel_validate(ip6, nxt0, sav) 3334 struct ip6_hdr *ip6; 3335 u_int nxt0; 3336 struct secasvar *sav; 3337 { 3338 u_int8_t nxt = nxt0 & 0xff; 3339 struct sockaddr_in6 *sin6; 3340 struct in6_addr in6; 3341 3342 if (nxt != IPPROTO_IPV6) 3343 return 0; 3344 /* do not decapsulate if the SA is for transport mode only */ 3345 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3346 return 0; 3347 switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) { 3348 case AF_INET6: 3349 sin6 = ((struct sockaddr_in6 *)&sav->sah->saidx.dst); 3350 in6_embedscope(&in6, sin6, NULL, NULL); 3351 if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &in6)) 3352 return 0; 3353 break; 3354 case AF_INET: 3355 /* should be supported, but at this moment we don't. */ 3356 /*FALLTHROUGH*/ 3357 default: 3358 return 0; 3359 } 3360 3361 return 1; 3362 } 3363 #endif 3364 3365 /* 3366 * Make a mbuf chain for encryption. 3367 * If the original mbuf chain contains a mbuf with a cluster, 3368 * allocate a new cluster and copy the data to the new cluster. 3369 * XXX: this hack is inefficient, but is necessary to handle cases 3370 * of TCP retransmission... 3371 */ 3372 struct mbuf * 3373 ipsec_copypkt(m) 3374 struct mbuf *m; 3375 { 3376 struct mbuf *n, **mpp, *mnew; 3377 3378 for (n = m, mpp = &m; n; n = n->m_next) { 3379 if (n->m_flags & M_EXT) { 3380 /* 3381 * Make a copy only if there is more than one 3382 * references to the cluster. 3383 * XXX: is this approach effective? 3384 */ 3385 if (M_READONLY(n)) 3386 { 3387 int remain, copied; 3388 struct mbuf *mm; 3389 3390 if (n->m_flags & M_PKTHDR) { 3391 MGETHDR(mnew, M_DONTWAIT, MT_HEADER); 3392 if (mnew == NULL) 3393 goto fail; 3394 mnew->m_pkthdr = n->m_pkthdr; 3395 #if 0 3396 /* XXX: convert to m_tag or delete? */ 3397 if (n->m_pkthdr.aux) { 3398 mnew->m_pkthdr.aux = 3399 m_copym(n->m_pkthdr.aux, 3400 0, M_COPYALL, M_DONTWAIT); 3401 } 3402 #endif 3403 M_COPY_PKTHDR(mnew, n); 3404 } 3405 else { 3406 MGET(mnew, M_DONTWAIT, MT_DATA); 3407 if (mnew == NULL) 3408 goto fail; 3409 } 3410 mnew->m_len = 0; 3411 mm = mnew; 3412 3413 /* 3414 * Copy data. If we don't have enough space to 3415 * store the whole data, allocate a cluster 3416 * or additional mbufs. 3417 * XXX: we don't use m_copyback(), since the 3418 * function does not use clusters and thus is 3419 * inefficient. 3420 */ 3421 remain = n->m_len; 3422 copied = 0; 3423 while (1) { 3424 int len; 3425 struct mbuf *mn; 3426 3427 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN)) 3428 len = remain; 3429 else { /* allocate a cluster */ 3430 MCLGET(mm, M_DONTWAIT); 3431 if (!(mm->m_flags & M_EXT)) { 3432 m_free(mm); 3433 goto fail; 3434 } 3435 len = remain < MCLBYTES ? 3436 remain : MCLBYTES; 3437 } 3438 3439 bcopy(n->m_data + copied, mm->m_data, 3440 len); 3441 3442 copied += len; 3443 remain -= len; 3444 mm->m_len = len; 3445 3446 if (remain <= 0) /* completed? */ 3447 break; 3448 3449 /* need another mbuf */ 3450 MGETHDR(mn, M_DONTWAIT, MT_HEADER); 3451 if (mn == NULL) 3452 goto fail; 3453 mn->m_pkthdr.rcvif = NULL; 3454 mm->m_next = mn; 3455 mm = mn; 3456 } 3457 3458 /* adjust chain */ 3459 mm->m_next = m_free(n); 3460 n = mm; 3461 *mpp = mnew; 3462 mpp = &n->m_next; 3463 3464 continue; 3465 } 3466 } 3467 *mpp = n; 3468 mpp = &n->m_next; 3469 } 3470 3471 return (m); 3472 fail: 3473 m_freem(m); 3474 return (NULL); 3475 } 3476 3477 static struct m_tag * 3478 ipsec_addaux(m) 3479 struct mbuf *m; 3480 { 3481 struct m_tag *mtag; 3482 3483 mtag = m_tag_find(m, PACKET_TAG_ESP, NULL); 3484 if (mtag == NULL) { 3485 mtag = m_tag_get(PACKET_TAG_ESP, sizeof(struct ipsecaux), 3486 M_NOWAIT); 3487 if (mtag != NULL) 3488 m_tag_prepend(m, mtag); 3489 } 3490 if (mtag == NULL) 3491 return NULL; /* ENOBUFS */ 3492 /* XXX is this necessary? */ 3493 bzero((void *)(mtag + 1), sizeof(struct ipsecaux)); 3494 return mtag; 3495 } 3496 3497 static struct m_tag * 3498 ipsec_findaux(m) 3499 struct mbuf *m; 3500 { 3501 return m_tag_find(m, PACKET_TAG_ESP, NULL); 3502 } 3503 3504 void 3505 ipsec_delaux(m) 3506 struct mbuf *m; 3507 { 3508 struct m_tag *mtag; 3509 3510 mtag = m_tag_find(m, PACKET_TAG_ESP, NULL); 3511 if (mtag != NULL) 3512 m_tag_delete(m, mtag); 3513 } 3514 3515 /* if the aux buffer is unnecessary, nuke it. */ 3516 static void 3517 ipsec_optaux(m, mtag) 3518 struct mbuf *m; 3519 struct m_tag *mtag; 3520 { 3521 struct ipsecaux *aux; 3522 3523 if (mtag == NULL) 3524 return; 3525 aux = (struct ipsecaux *)(mtag + 1); 3526 if (!aux->so && !aux->sp) 3527 ipsec_delaux(m); 3528 } 3529 3530 int 3531 ipsec_addhist(m, proto, spi) 3532 struct mbuf *m; 3533 int proto; 3534 u_int32_t spi; 3535 { 3536 struct m_tag *mtag; 3537 struct ipsecaux *aux; 3538 3539 mtag = ipsec_addaux(m); 3540 if (mtag == NULL) 3541 return ENOBUFS; 3542 aux = (struct ipsecaux *)(mtag + 1); 3543 aux->hdrs++; 3544 return 0; 3545 } 3546 3547 int 3548 ipsec_getnhist(m) 3549 struct mbuf *m; 3550 { 3551 struct m_tag *mtag; 3552 struct ipsecaux *aux; 3553 3554 mtag = ipsec_findaux(m); 3555 if (mtag == NULL) 3556 return 0; 3557 aux = (struct ipsecaux *)(mtag + 1); 3558 return aux->hdrs; 3559 } 3560 3561 struct ipsec_history * 3562 ipsec_gethist(m, lenp) 3563 struct mbuf *m; 3564 int *lenp; 3565 { 3566 3567 panic("ipsec_gethist: obsolete API"); 3568 } 3569 3570 void 3571 ipsec_clearhist(m) 3572 struct mbuf *m; 3573 { 3574 struct m_tag *mtag; 3575 3576 mtag = ipsec_findaux(m); 3577 ipsec_optaux(m, mtag); 3578 } 3579 3580 /* 3581 * System control for IPSEC 3582 */ 3583 u_char ipsecctlermap[PRC_NCMDS] = { 3584 0, 0, 0, 0, 3585 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 3586 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 3587 EMSGSIZE, EHOSTUNREACH, 0, 0, 3588 0, 0, 0, 0, 3589 ENOPROTOOPT 3590 }; 3591 3592 /* 3593 * sysctl helper routine for some net.inet.ipsec and net.inet6.ipnet6 3594 * nodes. ensures that the given value is correct and clears the 3595 * ipsec cache accordingly. 3596 */ 3597 static int 3598 sysctl_ipsec(SYSCTLFN_ARGS) 3599 { 3600 int error, t; 3601 struct sysctlnode node; 3602 3603 node = *rnode; 3604 if (rnode->sysctl_num == IPSECCTL_DEF_POLICY) 3605 t = (*((struct secpolicy**)rnode->sysctl_data))->policy; 3606 else 3607 t = *(int*)rnode->sysctl_data; 3608 node.sysctl_data = &t; 3609 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 3610 if (error || newp == NULL) 3611 return (error); 3612 3613 switch (rnode->sysctl_num) { 3614 case IPSECCTL_DEF_ESP_TRANSLEV: 3615 case IPSECCTL_DEF_ESP_NETLEV: 3616 case IPSECCTL_DEF_AH_TRANSLEV: 3617 case IPSECCTL_DEF_AH_NETLEV: 3618 if (t != IPSEC_LEVEL_USE && 3619 t != IPSEC_LEVEL_REQUIRE) 3620 return (EINVAL); 3621 ipsec_invalpcbcacheall(); 3622 break; 3623 case IPSECCTL_DEF_POLICY: 3624 if (t != IPSEC_POLICY_DISCARD && 3625 t != IPSEC_POLICY_NONE) 3626 return (EINVAL); 3627 ipsec_invalpcbcacheall(); 3628 break; 3629 default: 3630 return (EINVAL); 3631 } 3632 3633 if (rnode->sysctl_num == IPSECCTL_DEF_POLICY) 3634 (*((struct secpolicy**)rnode->sysctl_data))->policy = t; 3635 else 3636 *(int*)rnode->sysctl_data = t; 3637 3638 return (0); 3639 } 3640 3641 SYSCTL_SETUP(sysctl_net_inet_ipsec_setup, "sysctl net.inet.ipsec subtree setup") 3642 { 3643 3644 sysctl_createv(clog, 0, NULL, NULL, 3645 CTLFLAG_PERMANENT, 3646 CTLTYPE_NODE, "net", NULL, 3647 NULL, 0, NULL, 0, 3648 CTL_NET, CTL_EOL); 3649 sysctl_createv(clog, 0, NULL, NULL, 3650 CTLFLAG_PERMANENT, 3651 CTLTYPE_NODE, "inet", NULL, 3652 NULL, 0, NULL, 0, 3653 CTL_NET, PF_INET, CTL_EOL); 3654 sysctl_createv(clog, 0, NULL, NULL, 3655 CTLFLAG_PERMANENT, 3656 CTLTYPE_NODE, "ipsec", 3657 SYSCTL_DESCR("IPv4 related IPSec settings"), 3658 NULL, 0, NULL, 0, 3659 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 3660 3661 sysctl_createv(clog, 0, NULL, NULL, 3662 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3663 CTLTYPE_STRUCT, "stats", 3664 SYSCTL_DESCR("IPSec statistics and counters"), 3665 NULL, 0, &ipsecstat, sizeof(ipsecstat), 3666 CTL_NET, PF_INET, IPPROTO_AH, 3667 IPSECCTL_STATS, CTL_EOL); 3668 sysctl_createv(clog, 0, NULL, NULL, 3669 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3670 CTLTYPE_INT, "def_policy", 3671 SYSCTL_DESCR("Default action for non-IPSec packets"), 3672 sysctl_ipsec, 0, &ip4_def_policy, 0, 3673 CTL_NET, PF_INET, IPPROTO_AH, 3674 IPSECCTL_DEF_POLICY, CTL_EOL); 3675 sysctl_createv(clog, 0, NULL, NULL, 3676 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3677 CTLTYPE_INT, "esp_trans_deflev", 3678 SYSCTL_DESCR("Default required security level for " 3679 "transport mode traffic"), 3680 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 3681 CTL_NET, PF_INET, IPPROTO_AH, 3682 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 3683 sysctl_createv(clog, 0, NULL, NULL, 3684 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3685 CTLTYPE_INT, "esp_net_deflev", 3686 SYSCTL_DESCR("Default required security level for " 3687 "tunneled traffic"), 3688 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 3689 CTL_NET, PF_INET, IPPROTO_AH, 3690 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 3691 sysctl_createv(clog, 0, NULL, NULL, 3692 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3693 CTLTYPE_INT, "ah_trans_deflev", 3694 SYSCTL_DESCR("Default required security level for " 3695 "transport mode headers"), 3696 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 3697 CTL_NET, PF_INET, IPPROTO_AH, 3698 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 3699 sysctl_createv(clog, 0, NULL, NULL, 3700 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3701 CTLTYPE_INT, "ah_net_deflev", 3702 SYSCTL_DESCR("Default required security level for " 3703 "tunneled headers"), 3704 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 3705 CTL_NET, PF_INET, IPPROTO_AH, 3706 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 3707 #if 0 /* obsolete, do not reuse */ 3708 sysctl_createv(clog, 0, NULL, NULL, 3709 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3710 CTLTYPE_INT, "inbound_call_ike", NULL, 3711 NULL, 0, &ip4_inbound_call_ike, 0, 3712 CTL_NET, PF_INET, IPPROTO_AH, 3713 IPSECCTL_INBOUND_CALL_IKE, CTL_EOL); 3714 #endif 3715 sysctl_createv(clog, 0, NULL, NULL, 3716 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3717 CTLTYPE_INT, "ah_cleartos", 3718 SYSCTL_DESCR("Clear IP TOS field before calculating AH"), 3719 NULL, 0, &ip4_ah_cleartos, 0, 3720 CTL_NET, PF_INET, IPPROTO_AH, 3721 IPSECCTL_AH_CLEARTOS, CTL_EOL); 3722 sysctl_createv(clog, 0, NULL, NULL, 3723 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3724 CTLTYPE_INT, "ah_offsetmask", 3725 SYSCTL_DESCR("Mask for IP fragment offset field when " 3726 "calculating AH"), 3727 NULL, 0, &ip4_ah_offsetmask, 0, 3728 CTL_NET, PF_INET, IPPROTO_AH, 3729 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 3730 sysctl_createv(clog, 0, NULL, NULL, 3731 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3732 CTLTYPE_INT, "dfbit", 3733 SYSCTL_DESCR("IP header DF bit setting for tunneled " 3734 "traffic"), 3735 NULL, 0, &ip4_ipsec_dfbit, 0, 3736 CTL_NET, PF_INET, IPPROTO_AH, 3737 IPSECCTL_DFBIT, CTL_EOL); 3738 sysctl_createv(clog, 0, NULL, NULL, 3739 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3740 CTLTYPE_INT, "ecn", 3741 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 3742 NULL, 0, &ip4_ipsec_ecn, 0, 3743 CTL_NET, PF_INET, IPPROTO_AH, 3744 IPSECCTL_ECN, CTL_EOL); 3745 sysctl_createv(clog, 0, NULL, NULL, 3746 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3747 CTLTYPE_INT, "debug", 3748 SYSCTL_DESCR("Enable IPSec debugging output"), 3749 NULL, 0, &ipsec_debug, 0, 3750 CTL_NET, PF_INET, IPPROTO_AH, 3751 IPSECCTL_DEBUG, CTL_EOL); 3752 3753 /* 3754 * "aliases" for the ipsec subtree 3755 */ 3756 sysctl_createv(clog, 0, NULL, NULL, 3757 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 3758 CTLTYPE_NODE, "esp", NULL, 3759 NULL, IPPROTO_AH, NULL, 0, 3760 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 3761 sysctl_createv(clog, 0, NULL, NULL, 3762 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 3763 CTLTYPE_NODE, "ipcomp", NULL, 3764 NULL, IPPROTO_AH, NULL, 0, 3765 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 3766 sysctl_createv(clog, 0, NULL, NULL, 3767 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 3768 CTLTYPE_NODE, "ah", NULL, 3769 NULL, IPPROTO_AH, NULL, 0, 3770 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 3771 } 3772 3773 #ifdef INET6 3774 /* 3775 * System control for IPSEC6 3776 */ 3777 u_char ipsec6ctlermap[PRC_NCMDS] = { 3778 0, 0, 0, 0, 3779 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 3780 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 3781 EMSGSIZE, EHOSTUNREACH, 0, 0, 3782 0, 0, 0, 0, 3783 ENOPROTOOPT 3784 }; 3785 3786 SYSCTL_SETUP(sysctl_net_inet6_ipsec6_setup, 3787 "sysctl net.inet6.ipsec6 subtree setup") 3788 { 3789 3790 sysctl_createv(clog, 0, NULL, NULL, 3791 CTLFLAG_PERMANENT, 3792 CTLTYPE_NODE, "net", NULL, 3793 NULL, 0, NULL, 0, 3794 CTL_NET, CTL_EOL); 3795 sysctl_createv(clog, 0, NULL, NULL, 3796 CTLFLAG_PERMANENT, 3797 CTLTYPE_NODE, "inet6", NULL, 3798 NULL, 0, NULL, 0, 3799 CTL_NET, PF_INET6, CTL_EOL); 3800 sysctl_createv(clog, 0, NULL, NULL, 3801 CTLFLAG_PERMANENT, 3802 CTLTYPE_NODE, "ipsec6", 3803 SYSCTL_DESCR("IPv6 related IPSec settings"), 3804 NULL, 0, NULL, 0, 3805 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 3806 3807 sysctl_createv(clog, 0, NULL, NULL, 3808 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3809 CTLTYPE_STRUCT, "stats", 3810 SYSCTL_DESCR("IPSec statistics and counters"), 3811 NULL, 0, &ipsec6stat, sizeof(ipsec6stat), 3812 CTL_NET, PF_INET6, IPPROTO_AH, 3813 IPSECCTL_STATS, CTL_EOL); 3814 sysctl_createv(clog, 0, NULL, NULL, 3815 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3816 CTLTYPE_INT, "def_policy", 3817 SYSCTL_DESCR("Default action for non-IPSec packets"), 3818 sysctl_ipsec, 0, &ip6_def_policy, 0, 3819 CTL_NET, PF_INET6, IPPROTO_AH, 3820 IPSECCTL_DEF_POLICY, CTL_EOL); 3821 sysctl_createv(clog, 0, NULL, NULL, 3822 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3823 CTLTYPE_INT, "esp_trans_deflev", 3824 SYSCTL_DESCR("Default required security level for " 3825 "transport mode traffic"), 3826 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0, 3827 CTL_NET, PF_INET6, IPPROTO_AH, 3828 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 3829 sysctl_createv(clog, 0, NULL, NULL, 3830 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3831 CTLTYPE_INT, "esp_net_deflev", 3832 SYSCTL_DESCR("Default required security level for " 3833 "tunneled traffic"), 3834 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0, 3835 CTL_NET, PF_INET6, IPPROTO_AH, 3836 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 3837 sysctl_createv(clog, 0, NULL, NULL, 3838 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3839 CTLTYPE_INT, "ah_trans_deflev", 3840 SYSCTL_DESCR("Default required security level for " 3841 "transport mode headers"), 3842 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0, 3843 CTL_NET, PF_INET6, IPPROTO_AH, 3844 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 3845 sysctl_createv(clog, 0, NULL, NULL, 3846 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3847 CTLTYPE_INT, "ah_net_deflev", 3848 SYSCTL_DESCR("Default required security level for " 3849 "tunneled headers"), 3850 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0, 3851 CTL_NET, PF_INET6, IPPROTO_AH, 3852 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 3853 sysctl_createv(clog, 0, NULL, NULL, 3854 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3855 CTLTYPE_INT, "ecn", 3856 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 3857 NULL, 0, &ip6_ipsec_ecn, 0, 3858 CTL_NET, PF_INET6, IPPROTO_AH, 3859 IPSECCTL_ECN, CTL_EOL); 3860 sysctl_createv(clog, 0, NULL, NULL, 3861 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 3862 CTLTYPE_INT, "debug", 3863 SYSCTL_DESCR("Enable IPSec debugging output"), 3864 NULL, 0, &ipsec_debug, 0, 3865 CTL_NET, PF_INET6, IPPROTO_AH, 3866 IPSECCTL_DEBUG, CTL_EOL); 3867 3868 /* 3869 * "aliases" for the ipsec6 subtree 3870 */ 3871 sysctl_createv(clog, 0, NULL, NULL, 3872 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 3873 CTLTYPE_NODE, "esp6", NULL, 3874 NULL, IPPROTO_AH, NULL, 0, 3875 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL); 3876 sysctl_createv(clog, 0, NULL, NULL, 3877 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 3878 CTLTYPE_NODE, "ipcomp6", NULL, 3879 NULL, IPPROTO_AH, NULL, 0, 3880 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL); 3881 sysctl_createv(clog, 0, NULL, NULL, 3882 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 3883 CTLTYPE_NODE, "ah6", NULL, 3884 NULL, IPPROTO_AH, NULL, 0, 3885 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL); 3886 } 3887 #endif /* INET6 */
Cache object: 2dda6bfbf9401b41a31f60e6e414d11e
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]