FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
1 /* $NetBSD: ipsec.c,v 1.101 2005/03/09 14:17:13 itojun Exp $ */
2 /* $KAME: ipsec.c,v 1.136 2002/05/19 00:36:39 itojun Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #include <sys/cdefs.h>
38 __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.101 2005/03/09 14:17:13 itojun Exp $");
39
40 #include "opt_inet.h"
41 #include "opt_ipsec.h"
42
43 #include <sys/param.h>
44 #include <sys/systm.h>
45 #include <sys/malloc.h>
46 #include <sys/mbuf.h>
47 #include <sys/domain.h>
48 #include <sys/protosw.h>
49 #include <sys/socket.h>
50 #include <sys/socketvar.h>
51 #include <sys/errno.h>
52 #include <sys/time.h>
53 #include <sys/kernel.h>
54 #include <sys/syslog.h>
55 #include <sys/sysctl.h>
56
57 #include <net/if.h>
58 #include <net/route.h>
59
60 #include <netinet/in.h>
61 #include <netinet/in_systm.h>
62 #include <netinet/ip.h>
63 #include <netinet/ip_var.h>
64 #include <netinet/in_var.h>
65 #include <netinet/udp.h>
66 #include <netinet/udp_var.h>
67 #include <netinet/ip_ecn.h>
68 #include <netinet/tcp.h>
69
70 #include <netinet/ip6.h>
71 #ifdef INET6
72 #include <netinet6/ip6_var.h>
73 #endif
74 #include <netinet/in_pcb.h>
75 #ifdef INET6
76 #include <netinet6/in6_pcb.h>
77 #include <netinet/icmp6.h>
78 #endif
79
80 #include <netinet6/ipsec.h>
81 #include <netinet6/ah.h>
82 #ifdef IPSEC_ESP
83 #include <netinet6/esp.h>
84 #endif
85 #include <netinet6/ipcomp.h>
86 #include <netkey/key.h>
87 #include <netkey/keydb.h>
88 #include <netkey/key_debug.h>
89
90 #include <net/net_osdep.h>
91
92 #ifdef IPSEC_DEBUG
93 int ipsec_debug = 1;
94 #else
95 int ipsec_debug = 0;
96 #endif
97
98 struct ipsecstat ipsecstat;
99 int ip4_ah_cleartos = 1;
100 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
101 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
102 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
103 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
104 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
105 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
106 struct secpolicy *ip4_def_policy;
107 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
108
109 #ifdef INET6
110 struct ipsecstat ipsec6stat;
111 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
112 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
113 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
114 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
115 struct secpolicy *ip6_def_policy;
116 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
117
118 #endif /* INET6 */
119
120 u_int ipsec_spdgen = 1; /* SPD generation # */
121
122 #ifdef SADB_X_EXT_TAG
123 static struct pf_tag *ipsec_get_tag __P((struct mbuf *));
124 #endif
125 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
126 struct inpcbpolicy *, int));
127 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
128 struct secpolicy *, int));
129 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int));
130 static int ipsec_setspidx_mbuf
131 __P((struct secpolicyindex *, int, struct mbuf *, int));
132 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
133 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
134 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
135 #ifdef INET6
136 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
137 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
138 #endif
139 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
140 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
141 #if 0
142 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *));
143 #endif
144 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *));
145 static int ipsec_set_policy
146 __P((struct secpolicy **, int, caddr_t, size_t, int));
147 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
148 static void vshiftl __P((unsigned char *, int, int));
149 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
150 static size_t ipsec_hdrsiz __P((struct secpolicy *));
151 #ifdef INET
152 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
153 #endif
154 #ifdef INET6
155 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
156 #endif
157 #ifdef INET
158 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
159 #endif
160 #ifdef INET6
161 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
162 #endif
163 static struct m_tag *ipsec_addaux __P((struct mbuf *));
164 static struct m_tag *ipsec_findaux __P((struct mbuf *));
165 static void ipsec_optaux __P((struct mbuf *, struct m_tag *));
166 #ifdef INET
167 static int ipsec4_checksa __P((struct ipsecrequest *,
168 struct ipsec_output_state *));
169 #endif
170 #ifdef INET6
171 static int ipsec6_checksa __P((struct ipsecrequest *,
172 struct ipsec_output_state *, int));
173 #endif
174
175 /*
176 * try to validate and use cached policy on a pcb.
177 */
178 static struct secpolicy *
179 ipsec_checkpcbcache(m, pcbsp, dir)
180 struct mbuf *m;
181 struct inpcbpolicy *pcbsp;
182 int dir;
183 {
184 struct secpolicyindex spidx;
185
186 switch (dir) {
187 case IPSEC_DIR_INBOUND:
188 case IPSEC_DIR_OUTBOUND:
189 case IPSEC_DIR_ANY:
190 break;
191 default:
192 return NULL;
193 }
194 #ifdef DIAGNOSTIC
195 if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0]))
196 panic("dir too big in ipsec_checkpcbcache");
197 #endif
198 /* SPD table change invalidates all the caches */
199 if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) {
200 ipsec_invalpcbcache(pcbsp, dir);
201 return NULL;
202 }
203 if (!pcbsp->sp_cache[dir].cachesp)
204 return NULL;
205 if (pcbsp->sp_cache[dir].cachesp->state != IPSEC_SPSTATE_ALIVE) {
206 ipsec_invalpcbcache(pcbsp, dir);
207 return NULL;
208 }
209 if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
210 if (!pcbsp->sp_cache[dir].cachesp)
211 return NULL;
212 if (ipsec_setspidx(m, &spidx, 1) != 0)
213 return NULL;
214 if (bcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx,
215 sizeof(spidx))) {
216 if (!pcbsp->sp_cache[dir].cachesp->spidx ||
217 !key_cmpspidx_withmask(pcbsp->sp_cache[dir].cachesp->spidx,
218 &spidx))
219 return NULL;
220 pcbsp->sp_cache[dir].cacheidx = spidx;
221 }
222 } else {
223 /*
224 * The pcb is connected, and the L4 code is sure that:
225 * - outgoing side uses inp_[lf]addr
226 * - incoming side looks up policy after inpcb lookup
227 * and address pair is known to be stable. We do not need
228 * to generate spidx again, nor check the address match again.
229 *
230 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds
231 * and there are calls to ipsec_pcbconn() from in_pcbconnect().
232 */
233 }
234
235 pcbsp->sp_cache[dir].cachesp->lastused = mono_time.tv_sec;
236 pcbsp->sp_cache[dir].cachesp->refcnt++;
237 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
238 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n",
239 pcbsp->sp_cache[dir].cachesp->refcnt,
240 pcbsp->sp_cache[dir].cachesp));
241 return pcbsp->sp_cache[dir].cachesp;
242 }
243
244 static int
245 ipsec_fillpcbcache(pcbsp, m, sp, dir)
246 struct inpcbpolicy *pcbsp;
247 struct mbuf *m;
248 struct secpolicy *sp;
249 int dir;
250 {
251
252 switch (dir) {
253 case IPSEC_DIR_INBOUND:
254 case IPSEC_DIR_OUTBOUND:
255 break;
256 default:
257 return EINVAL;
258 }
259 #ifdef DIAGNOSTIC
260 if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0]))
261 panic("dir too big in ipsec_checkpcbcache");
262 #endif
263
264 if (pcbsp->sp_cache[dir].cachesp)
265 key_freesp(pcbsp->sp_cache[dir].cachesp);
266 pcbsp->sp_cache[dir].cachesp = NULL;
267 pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_MAYBE;
268 if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, 1) != 0) {
269 return EINVAL;
270 }
271 pcbsp->sp_cache[dir].cachesp = sp;
272 if (pcbsp->sp_cache[dir].cachesp) {
273 pcbsp->sp_cache[dir].cachesp->refcnt++;
274 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
275 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n",
276 pcbsp->sp_cache[dir].cachesp->refcnt,
277 pcbsp->sp_cache[dir].cachesp));
278
279 /*
280 * If the PCB is connected, we can remember a hint to
281 * possibly short-circuit IPsec processing in other places.
282 */
283 if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) {
284 switch (pcbsp->sp_cache[dir].cachesp->policy) {
285 case IPSEC_POLICY_NONE:
286 case IPSEC_POLICY_BYPASS:
287 pcbsp->sp_cache[dir].cachehint =
288 IPSEC_PCBHINT_NO;
289 break;
290 default:
291 pcbsp->sp_cache[dir].cachehint =
292 IPSEC_PCBHINT_YES;
293 }
294 }
295 }
296 pcbsp->sp_cache[dir].cachegen = ipsec_spdgen;
297
298 return 0;
299 }
300
301 static int
302 ipsec_invalpcbcache(pcbsp, dir)
303 struct inpcbpolicy *pcbsp;
304 int dir;
305 {
306 int i;
307
308 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
309 if (dir != IPSEC_DIR_ANY && i != dir)
310 continue;
311 if (pcbsp->sp_cache[i].cachesp)
312 key_freesp(pcbsp->sp_cache[i].cachesp);
313 pcbsp->sp_cache[i].cachesp = NULL;
314 pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_MAYBE;
315 pcbsp->sp_cache[i].cachegen = 0;
316 bzero(&pcbsp->sp_cache[i].cacheidx,
317 sizeof(pcbsp->sp_cache[i].cacheidx));
318 }
319 return 0;
320 }
321
322 int
323 ipsec_pcbconn(pcbsp)
324 struct inpcbpolicy *pcbsp;
325 {
326
327 pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED;
328 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
329 return 0;
330 }
331
332 int
333 ipsec_pcbdisconn(pcbsp)
334 struct inpcbpolicy *pcbsp;
335 {
336
337 pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED;
338 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
339 return 0;
340 }
341
342 void
343 ipsec_invalpcbcacheall()
344 {
345
346 if (ipsec_spdgen == UINT_MAX)
347 ipsec_spdgen = 1;
348 else
349 ipsec_spdgen++;
350 }
351
352 #ifdef SADB_X_EXT_TAG
353 static struct pf_tag *
354 ipsec_get_tag(m)
355 struct mbuf *m;
356 {
357 struct m_tag *mtag;
358
359 if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL)
360 return ((struct pf_tag *)(mtag + 1));
361 else
362 return (NULL);
363 }
364 #endif
365
366 /*
367 * For OUTBOUND packet having a socket. Searching SPD for packet,
368 * and return a pointer to SP.
369 * OUT: NULL: no apropreate SP found, the following value is set to error.
370 * 0 : bypass
371 * EACCES : discard packet.
372 * ENOENT : ipsec_acquire() in progress, maybe.
373 * others : error occurred.
374 * others: a pointer to SP
375 *
376 * NOTE: IPv6 mapped adddress concern is implemented here.
377 */
378 struct secpolicy *
379 ipsec4_getpolicybysock(m, dir, so, error)
380 struct mbuf *m;
381 u_int dir;
382 struct socket *so;
383 int *error;
384 {
385 struct inpcbpolicy *pcbsp = NULL;
386 struct secpolicy *currsp = NULL; /* policy on socket */
387 struct secpolicy *kernsp = NULL; /* policy on kernel */
388 struct secpolicyindex spidx;
389 #ifdef SADB_X_EXT_TAG
390 struct pf_tag *t;
391 #endif
392 u_int16_t tag;
393
394 /* sanity check */
395 if (m == NULL || so == NULL || error == NULL)
396 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
397
398 switch (so->so_proto->pr_domain->dom_family) {
399 case AF_INET:
400 pcbsp = sotoinpcb(so)->inp_sp;
401 break;
402 #ifdef INET6
403 case AF_INET6:
404 pcbsp = sotoin6pcb(so)->in6p_sp;
405 break;
406 #endif
407 default:
408 panic("ipsec4_getpolicybysock: unsupported address family");
409 }
410
411 #ifdef DIAGNOSTIC
412 if (pcbsp == NULL)
413 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
414 #endif
415
416 #ifdef SADB_X_EXT_TAG
417 t = ipsec_get_tag(m);
418 tag = t ? t->tag : 0;
419 #else
420 tag = 0;
421 #endif
422
423 /* if we have a cached entry, and if it is still valid, use it. */
424 ipsecstat.spdcachelookup++;
425 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
426 if (currsp) {
427 *error = 0;
428 return currsp;
429 }
430 ipsecstat.spdcachemiss++;
431
432 switch (dir) {
433 case IPSEC_DIR_INBOUND:
434 currsp = pcbsp->sp_in;
435 break;
436 case IPSEC_DIR_OUTBOUND:
437 currsp = pcbsp->sp_out;
438 break;
439 default:
440 panic("ipsec4_getpolicybysock: illegal direction.");
441 }
442
443 /* sanity check */
444 if (currsp == NULL)
445 panic("ipsec4_getpolicybysock: currsp is NULL.");
446
447 /* when privileged socket */
448 if (pcbsp->priv) {
449 switch (currsp->policy) {
450 case IPSEC_POLICY_BYPASS:
451 currsp->refcnt++;
452 *error = 0;
453 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
454 return currsp;
455
456 case IPSEC_POLICY_ENTRUST:
457 /* look for a policy in SPD */
458 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
459 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
460 /* SP found */
461 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
462 printf("DP ipsec4_getpolicybysock called "
463 "to allocate SP:%p\n", kernsp));
464 *error = 0;
465 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
466 return kernsp;
467 }
468
469 /* no SP found */
470 ip4_def_policy->refcnt++;
471 *error = 0;
472 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
473 return ip4_def_policy;
474
475 case IPSEC_POLICY_IPSEC:
476 currsp->refcnt++;
477 *error = 0;
478 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
479 return currsp;
480
481 default:
482 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
483 "Invalid policy for PCB %d\n", currsp->policy));
484 *error = EINVAL;
485 return NULL;
486 }
487 /* NOTREACHED */
488 }
489
490 /* when non-privileged socket */
491 /* look for a policy in SPD */
492 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
493 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
494 /* SP found */
495 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
496 printf("DP ipsec4_getpolicybysock called "
497 "to allocate SP:%p\n", kernsp));
498 *error = 0;
499 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
500 return kernsp;
501 }
502
503 /* no SP found */
504 switch (currsp->policy) {
505 case IPSEC_POLICY_BYPASS:
506 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
507 "Illegal policy for non-privileged defined %d\n",
508 currsp->policy));
509 *error = EINVAL;
510 return NULL;
511
512 case IPSEC_POLICY_ENTRUST:
513 ip4_def_policy->refcnt++;
514 *error = 0;
515 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
516 return ip4_def_policy;
517
518 case IPSEC_POLICY_IPSEC:
519 currsp->refcnt++;
520 *error = 0;
521 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
522 return currsp;
523
524 default:
525 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
526 "Invalid policy for PCB %d\n", currsp->policy));
527 *error = EINVAL;
528 return NULL;
529 }
530 /* NOTREACHED */
531 }
532
533 /*
534 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
535 * and return a pointer to SP.
536 * OUT: positive: a pointer to the entry for security policy leaf matched.
537 * NULL: no apropreate SP found, the following value is set to error.
538 * 0 : bypass
539 * EACCES : discard packet.
540 * ENOENT : ipsec_acquire() in progress, maybe.
541 * others : error occurred.
542 */
543 struct secpolicy *
544 ipsec4_getpolicybyaddr(m, dir, flag, error)
545 struct mbuf *m;
546 u_int dir;
547 int flag;
548 int *error;
549 {
550 struct secpolicy *sp = NULL;
551 #ifdef SADB_X_EXT_TAG
552 struct pf_tag *t;
553 #endif
554 u_int16_t tag;
555
556 /* sanity check */
557 if (m == NULL || error == NULL)
558 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
559
560 /* get a policy entry matched with the packet */
561 {
562 struct secpolicyindex spidx;
563
564 bzero(&spidx, sizeof(spidx));
565
566 /* make an index to look for a policy */
567 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m,
568 (flag & IP_FORWARDING) ? 0 : 1);
569
570 if (*error != 0)
571 return NULL;
572
573 #ifdef SADB_X_EXT_TAG
574 t = ipsec_get_tag(m);
575 tag = t ? t->tag : 0;
576 #else
577 tag = 0;
578 #endif
579
580 sp = key_allocsp(tag, &spidx, dir);
581 }
582
583 /* SP found */
584 if (sp != NULL) {
585 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
586 printf("DP ipsec4_getpolicybyaddr called "
587 "to allocate SP:%p\n", sp));
588 *error = 0;
589 return sp;
590 }
591
592 /* no SP found */
593 ip4_def_policy->refcnt++;
594 *error = 0;
595 return ip4_def_policy;
596 }
597
598 #ifdef INET6
599 /*
600 * For OUTBOUND packet having a socket. Searching SPD for packet,
601 * and return a pointer to SP.
602 * OUT: NULL: no apropreate SP found, the following value is set to error.
603 * 0 : bypass
604 * EACCES : discard packet.
605 * ENOENT : ipsec_acquire() in progress, maybe.
606 * others : error occurred.
607 * others: a pointer to SP
608 */
609 struct secpolicy *
610 ipsec6_getpolicybysock(m, dir, so, error)
611 struct mbuf *m;
612 u_int dir;
613 struct socket *so;
614 int *error;
615 {
616 struct inpcbpolicy *pcbsp = NULL;
617 struct secpolicy *currsp = NULL; /* policy on socket */
618 struct secpolicy *kernsp = NULL; /* policy on kernel */
619 struct secpolicyindex spidx;
620 #ifdef SADB_X_EXT_TAG
621 struct pf_tag *t;
622 #endif
623 u_int16_t tag;
624
625 /* sanity check */
626 if (m == NULL || so == NULL || error == NULL)
627 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
628
629 #ifdef DIAGNOSTIC
630 if (so->so_proto->pr_domain->dom_family != AF_INET6)
631 panic("ipsec6_getpolicybysock: socket domain != inet6");
632 #endif
633
634 pcbsp = sotoin6pcb(so)->in6p_sp;
635
636 #ifdef DIAGNOSTIC
637 if (pcbsp == NULL)
638 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
639 #endif
640
641 #ifdef SADB_X_EXT_TAG
642 t = ipsec_get_tag(m);
643 tag = t ? t->tag : 0;
644 #else
645 tag = 0;
646 #endif
647
648 /* if we have a cached entry, and if it is still valid, use it. */
649 ipsec6stat.spdcachelookup++;
650 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
651 if (currsp) {
652 *error = 0;
653 return currsp;
654 }
655 ipsec6stat.spdcachemiss++;
656
657 switch (dir) {
658 case IPSEC_DIR_INBOUND:
659 currsp = pcbsp->sp_in;
660 break;
661 case IPSEC_DIR_OUTBOUND:
662 currsp = pcbsp->sp_out;
663 break;
664 default:
665 panic("ipsec6_getpolicybysock: illegal direction.");
666 }
667
668 /* sanity check */
669 if (currsp == NULL)
670 panic("ipsec6_getpolicybysock: currsp is NULL.");
671
672 /* when privileged socket */
673 if (pcbsp->priv) {
674 switch (currsp->policy) {
675 case IPSEC_POLICY_BYPASS:
676 currsp->refcnt++;
677 *error = 0;
678 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
679 return currsp;
680
681 case IPSEC_POLICY_ENTRUST:
682 /* look for a policy in SPD */
683 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
684 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
685 /* SP found */
686 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
687 printf("DP ipsec6_getpolicybysock called "
688 "to allocate SP:%p\n", kernsp));
689 *error = 0;
690 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
691 return kernsp;
692 }
693
694 /* no SP found */
695 ip6_def_policy->refcnt++;
696 *error = 0;
697 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
698 return ip6_def_policy;
699
700 case IPSEC_POLICY_IPSEC:
701 currsp->refcnt++;
702 *error = 0;
703 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
704 return currsp;
705
706 default:
707 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
708 "Invalid policy for PCB %d\n", currsp->policy));
709 *error = EINVAL;
710 return NULL;
711 }
712 /* NOTREACHED */
713 }
714
715 /* when non-privileged socket */
716 /* look for a policy in SPD */
717 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
718 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
719 /* SP found */
720 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
721 printf("DP ipsec6_getpolicybysock called "
722 "to allocate SP:%p\n", kernsp));
723 *error = 0;
724 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
725 return kernsp;
726 }
727
728 /* no SP found */
729 switch (currsp->policy) {
730 case IPSEC_POLICY_BYPASS:
731 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
732 "Illegal policy for non-privileged defined %d\n",
733 currsp->policy));
734 *error = EINVAL;
735 return NULL;
736
737 case IPSEC_POLICY_ENTRUST:
738 ip6_def_policy->refcnt++;
739 *error = 0;
740 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
741 return ip6_def_policy;
742
743 case IPSEC_POLICY_IPSEC:
744 currsp->refcnt++;
745 *error = 0;
746 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
747 return currsp;
748
749 default:
750 ipseclog((LOG_ERR,
751 "ipsec6_policybysock: Invalid policy for PCB %d\n",
752 currsp->policy));
753 *error = EINVAL;
754 return NULL;
755 }
756 /* NOTREACHED */
757 }
758
759 /*
760 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
761 * and return a pointer to SP.
762 * `flag' means that packet is to be forwarded whether or not.
763 * flag = 1: forwad
764 * OUT: positive: a pointer to the entry for security policy leaf matched.
765 * NULL: no apropreate SP found, the following value is set to error.
766 * 0 : bypass
767 * EACCES : discard packet.
768 * ENOENT : ipsec_acquire() in progress, maybe.
769 * others : error occurred.
770 */
771 #ifndef IP_FORWARDING
772 #define IP_FORWARDING 1
773 #endif
774
775 struct secpolicy *
776 ipsec6_getpolicybyaddr(m, dir, flag, error)
777 struct mbuf *m;
778 u_int dir;
779 int flag;
780 int *error;
781 {
782 struct secpolicy *sp = NULL;
783 #ifdef SADB_X_EXT_TAG
784 struct pf_tag *t;
785 #endif
786 u_int16_t tag;
787
788 /* sanity check */
789 if (m == NULL || error == NULL)
790 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
791
792 /* get a policy entry matched with the packet */
793 {
794 struct secpolicyindex spidx;
795
796 bzero(&spidx, sizeof(spidx));
797
798 /* make an index to look for a policy */
799 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m,
800 (flag & IP_FORWARDING) ? 0 : 1);
801
802 if (*error != 0)
803 return NULL;
804
805 #ifdef SADB_X_EXT_TAG
806 t = ipsec_get_tag(m);
807 tag = t ? t->tag : 0;
808 #else
809 tag = 0;
810 #endif
811
812 sp = key_allocsp(tag, &spidx, dir);
813 }
814
815 /* SP found */
816 if (sp != NULL) {
817 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
818 printf("DP ipsec6_getpolicybyaddr called "
819 "to allocate SP:%p\n", sp));
820 *error = 0;
821 return sp;
822 }
823
824 /* no SP found */
825 ip6_def_policy->refcnt++;
826 *error = 0;
827 return ip6_def_policy;
828 }
829 #endif /* INET6 */
830
831 /*
832 * set IP address into spidx from mbuf.
833 * When Forwarding packet and ICMP echo reply, this function is used.
834 *
835 * IN: get the followings from mbuf.
836 * protocol family, src, dst, next protocol
837 * OUT:
838 * 0: success.
839 * other: failure, and set errno.
840 */
841 int
842 ipsec_setspidx_mbuf(spidx, family, m, needport)
843 struct secpolicyindex *spidx;
844 int family;
845 struct mbuf *m;
846 int needport;
847 {
848 int error;
849
850 /* sanity check */
851 if (spidx == NULL || m == NULL)
852 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
853
854 bzero(spidx, sizeof(*spidx));
855
856 error = ipsec_setspidx(m, spidx, needport);
857 if (error)
858 goto bad;
859
860 return 0;
861
862 bad:
863 /* XXX initialize */
864 bzero(spidx, sizeof(*spidx));
865 return EINVAL;
866 }
867
868 /*
869 * configure security policy index (src/dst/proto/sport/dport)
870 * by looking at the content of mbuf.
871 * the caller is responsible for error recovery (like clearing up spidx).
872 */
873 static int
874 ipsec_setspidx(m, spidx, needport)
875 struct mbuf *m;
876 struct secpolicyindex *spidx;
877 int needport;
878 {
879 struct ip *ip = NULL;
880 struct ip ipbuf;
881 u_int v;
882 struct mbuf *n;
883 int len;
884 int error;
885
886 if (m == NULL)
887 panic("ipsec_setspidx: m == 0 passed.");
888
889 bzero(spidx, sizeof(*spidx));
890
891 /*
892 * validate m->m_pkthdr.len. we see incorrect length if we
893 * mistakenly call this function with inconsistent mbuf chain
894 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
895 */
896 len = 0;
897 for (n = m; n; n = n->m_next)
898 len += n->m_len;
899 if (m->m_pkthdr.len != len) {
900 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
901 printf("ipsec_setspidx: "
902 "total of m_len(%d) != pkthdr.len(%d), "
903 "ignored.\n",
904 len, m->m_pkthdr.len));
905 return EINVAL;
906 }
907
908 if (m->m_pkthdr.len < sizeof(struct ip)) {
909 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
910 printf("ipsec_setspidx: "
911 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
912 m->m_pkthdr.len));
913 return EINVAL;
914 }
915
916 if (m->m_len >= sizeof(*ip))
917 ip = mtod(m, struct ip *);
918 else {
919 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
920 ip = &ipbuf;
921 }
922 v = ip->ip_v;
923 switch (v) {
924 case 4:
925 error = ipsec4_setspidx_ipaddr(m, spidx);
926 if (error)
927 return error;
928 ipsec4_get_ulp(m, spidx, needport);
929 return 0;
930 #ifdef INET6
931 case 6:
932 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
933 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
934 printf("ipsec_setspidx: "
935 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
936 "ignored.\n", m->m_pkthdr.len));
937 return EINVAL;
938 }
939 error = ipsec6_setspidx_ipaddr(m, spidx);
940 if (error)
941 return error;
942 ipsec6_get_ulp(m, spidx, needport);
943 return 0;
944 #endif
945 default:
946 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
947 printf("ipsec_setspidx: "
948 "unknown IP version %u, ignored.\n", v));
949 return EINVAL;
950 }
951 }
952
953 static void
954 ipsec4_get_ulp(m, spidx, needport)
955 struct mbuf *m;
956 struct secpolicyindex *spidx;
957 int needport;
958 {
959 struct ip ip;
960 struct ip6_ext ip6e;
961 u_int8_t nxt;
962 int off;
963 struct tcphdr th;
964 struct udphdr uh;
965
966 /* sanity check */
967 if (m == NULL)
968 panic("ipsec4_get_ulp: NULL pointer was passed.");
969 if (m->m_pkthdr.len < sizeof(ip))
970 panic("ipsec4_get_ulp: too short");
971
972 /* set default */
973 spidx->ul_proto = IPSEC_ULPROTO_ANY;
974 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
975 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
976
977 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
978 if (ip.ip_off & htons(IP_MF | IP_OFFMASK))
979 return;
980
981 nxt = ip.ip_p;
982 off = ip.ip_hl << 2;
983 while (off < m->m_pkthdr.len) {
984 switch (nxt) {
985 case IPPROTO_TCP:
986 spidx->ul_proto = nxt;
987 if (!needport)
988 return;
989 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
990 return;
991 m_copydata(m, off, sizeof(th), (caddr_t)&th);
992 ((struct sockaddr_in *)&spidx->src)->sin_port =
993 th.th_sport;
994 ((struct sockaddr_in *)&spidx->dst)->sin_port =
995 th.th_dport;
996 return;
997 case IPPROTO_UDP:
998 spidx->ul_proto = nxt;
999 if (!needport)
1000 return;
1001 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1002 return;
1003 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1004 ((struct sockaddr_in *)&spidx->src)->sin_port =
1005 uh.uh_sport;
1006 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1007 uh.uh_dport;
1008 return;
1009 case IPPROTO_AH:
1010 if (off + sizeof(ip6e) > m->m_pkthdr.len)
1011 return;
1012 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1013 off += (ip6e.ip6e_len + 2) << 2;
1014 nxt = ip6e.ip6e_nxt;
1015 break;
1016 case IPPROTO_ICMP:
1017 default:
1018 /* XXX intermediate headers??? */
1019 spidx->ul_proto = nxt;
1020 return;
1021 }
1022 }
1023 }
1024
1025 /* assumes that m is sane */
1026 static int
1027 ipsec4_setspidx_ipaddr(m, spidx)
1028 struct mbuf *m;
1029 struct secpolicyindex *spidx;
1030 {
1031 struct ip *ip = NULL;
1032 struct ip ipbuf;
1033 struct sockaddr_in *sin;
1034
1035 if (m->m_len >= sizeof(*ip))
1036 ip = mtod(m, struct ip *);
1037 else {
1038 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1039 ip = &ipbuf;
1040 }
1041
1042 sin = (struct sockaddr_in *)&spidx->src;
1043 bzero(sin, sizeof(*sin));
1044 sin->sin_family = AF_INET;
1045 sin->sin_len = sizeof(struct sockaddr_in);
1046 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1047 spidx->prefs = sizeof(struct in_addr) << 3;
1048
1049 sin = (struct sockaddr_in *)&spidx->dst;
1050 bzero(sin, sizeof(*sin));
1051 sin->sin_family = AF_INET;
1052 sin->sin_len = sizeof(struct sockaddr_in);
1053 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1054 spidx->prefd = sizeof(struct in_addr) << 3;
1055 return 0;
1056 }
1057
1058 #ifdef INET6
1059 static void
1060 ipsec6_get_ulp(m, spidx, needport)
1061 struct mbuf *m;
1062 struct secpolicyindex *spidx;
1063 int needport;
1064 {
1065 int off, nxt;
1066 struct tcphdr th;
1067 struct udphdr uh;
1068
1069 /* sanity check */
1070 if (m == NULL)
1071 panic("ipsec6_get_ulp: NULL pointer was passed.");
1072
1073 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1074 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1075
1076 /* set default */
1077 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1078 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1079 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1080
1081 nxt = -1;
1082 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1083 if (off < 0 || m->m_pkthdr.len < off)
1084 return;
1085
1086 switch (nxt) {
1087 case IPPROTO_TCP:
1088 spidx->ul_proto = nxt;
1089 if (!needport)
1090 break;
1091 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1092 break;
1093 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1094 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1095 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1096 break;
1097 case IPPROTO_UDP:
1098 spidx->ul_proto = nxt;
1099 if (!needport)
1100 break;
1101 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1102 break;
1103 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1104 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1105 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1106 break;
1107 case IPPROTO_ICMPV6:
1108 default:
1109 /* XXX intermediate headers??? */
1110 spidx->ul_proto = nxt;
1111 break;
1112 }
1113 }
1114
1115 /* assumes that m is sane */
1116 static int
1117 ipsec6_setspidx_ipaddr(m, spidx)
1118 struct mbuf *m;
1119 struct secpolicyindex *spidx;
1120 {
1121 struct ip6_hdr *ip6 = NULL;
1122 struct ip6_hdr ip6buf;
1123 struct sockaddr_in6 *sin6;
1124
1125 if (m->m_len >= sizeof(*ip6))
1126 ip6 = mtod(m, struct ip6_hdr *);
1127 else {
1128 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1129 ip6 = &ip6buf;
1130 }
1131
1132 sin6 = (struct sockaddr_in6 *)&spidx->src;
1133 bzero(sin6, sizeof(*sin6));
1134 sin6->sin6_family = AF_INET6;
1135 sin6->sin6_len = sizeof(struct sockaddr_in6);
1136 in6_recoverscope(sin6, &ip6->ip6_src, NULL);
1137 spidx->prefs = sizeof(struct in6_addr) << 3;
1138
1139 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1140 bzero(sin6, sizeof(*sin6));
1141 sin6->sin6_family = AF_INET6;
1142 sin6->sin6_len = sizeof(struct sockaddr_in6);
1143 in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
1144 spidx->prefd = sizeof(struct in6_addr) << 3;
1145
1146 return 0;
1147 }
1148 #endif
1149
1150 static struct inpcbpolicy *
1151 ipsec_newpcbpolicy()
1152 {
1153 struct inpcbpolicy *p;
1154
1155 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
1156 return p;
1157 }
1158
1159 static void
1160 ipsec_delpcbpolicy(p)
1161 struct inpcbpolicy *p;
1162 {
1163
1164 free(p, M_SECA);
1165 }
1166
1167 /* initialize policy in PCB */
1168 int
1169 ipsec_init_pcbpolicy(so, pcb_sp)
1170 struct socket *so;
1171 struct inpcbpolicy **pcb_sp;
1172 {
1173 struct inpcbpolicy *new;
1174 static int initialized = 0;
1175 static struct secpolicy *in = NULL, *out = NULL;
1176
1177 /* sanity check. */
1178 if (so == NULL || pcb_sp == NULL)
1179 panic("ipsec_init_pcbpolicy: NULL pointer was passed.");
1180
1181 if (!initialized) {
1182 if ((in = key_newsp(0)) == NULL)
1183 return ENOBUFS;
1184 if ((out = key_newsp(0)) == NULL) {
1185 key_freesp(in);
1186 in = NULL;
1187 return ENOBUFS;
1188 }
1189
1190 in->state = IPSEC_SPSTATE_ALIVE;
1191 in->policy = IPSEC_POLICY_ENTRUST;
1192 in->dir = IPSEC_DIR_INBOUND;
1193 in->readonly = 1;
1194 in->persist = 1;
1195 in->so = NULL;
1196
1197 out->state = IPSEC_SPSTATE_ALIVE;
1198 out->policy = IPSEC_POLICY_ENTRUST;
1199 out->dir = IPSEC_DIR_OUTBOUND;
1200 out->readonly = 1;
1201 out->persist = 1;
1202 out->so = NULL;
1203
1204 initialized++;
1205 }
1206
1207 new = ipsec_newpcbpolicy();
1208 if (new == NULL) {
1209 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n"));
1210 return ENOBUFS;
1211 }
1212 bzero(new, sizeof(*new));
1213
1214 if (so->so_uid == 0) /* XXX */
1215 new->priv = 1;
1216 else
1217 new->priv = 0;
1218
1219 new->sp_in = in;
1220 new->sp_in->refcnt++;
1221 new->sp_out = out;
1222 new->sp_out->refcnt++;
1223
1224 *pcb_sp = new;
1225
1226 return 0;
1227 }
1228
1229 /* copy old ipsec policy into new */
1230 int
1231 ipsec_copy_pcbpolicy(old, new)
1232 struct inpcbpolicy *old, *new;
1233 {
1234
1235 if (new->sp_in)
1236 key_freesp(new->sp_in);
1237 if (old->sp_in->policy == IPSEC_POLICY_IPSEC)
1238 new->sp_in = ipsec_deepcopy_policy(old->sp_in);
1239 else {
1240 new->sp_in = old->sp_in;
1241 new->sp_in->refcnt++;
1242 }
1243
1244 if (new->sp_out)
1245 key_freesp(new->sp_out);
1246 if (old->sp_out->policy == IPSEC_POLICY_IPSEC)
1247 new->sp_out = ipsec_deepcopy_policy(old->sp_out);
1248 else {
1249 new->sp_out = old->sp_out;
1250 new->sp_out->refcnt++;
1251 }
1252
1253 new->priv = old->priv;
1254
1255 return 0;
1256 }
1257
1258 #if 0
1259 static int
1260 ipsec_deepcopy_pcbpolicy(pcb_sp)
1261 struct inpcbpolicy *pcb_sp;
1262 {
1263 struct secpolicy *sp;
1264
1265 sp = ipsec_deepcopy_policy(pcb_sp->sp_in);
1266 if (sp) {
1267 key_freesp(pcb_sp->sp_in);
1268 pcb_sp->sp_in = sp;
1269 } else
1270 return ENOBUFS;
1271
1272 sp = ipsec_deepcopy_policy(pcb_sp->sp_out);
1273 if (sp) {
1274 key_freesp(pcb_sp->sp_out);
1275 pcb_sp->sp_out = sp;
1276 } else
1277 return ENOBUFS;
1278
1279 return 0;
1280 }
1281 #endif
1282
1283 /* deep-copy a policy in PCB */
1284 static struct secpolicy *
1285 ipsec_deepcopy_policy(src)
1286 struct secpolicy *src;
1287 {
1288 struct ipsecrequest *newchain = NULL;
1289 struct ipsecrequest *p;
1290 struct ipsecrequest **q;
1291 struct ipsecrequest *r;
1292 struct secpolicy *dst;
1293
1294 if (src == NULL)
1295 return NULL;
1296
1297 dst = key_newsp(0);
1298 if (dst == NULL)
1299 return NULL;
1300
1301 /*
1302 * deep-copy IPsec request chain. This is required since struct
1303 * ipsecrequest is not reference counted.
1304 */
1305 q = &newchain;
1306 for (p = src->req; p; p = p->next) {
1307 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
1308 M_SECA, M_NOWAIT);
1309 if (*q == NULL)
1310 goto fail;
1311 bzero(*q, sizeof(**q));
1312 (*q)->next = NULL;
1313
1314 (*q)->saidx.proto = p->saidx.proto;
1315 (*q)->saidx.mode = p->saidx.mode;
1316 (*q)->level = p->level;
1317 (*q)->saidx.reqid = p->saidx.reqid;
1318
1319 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1320 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1321
1322 (*q)->sav = NULL;
1323 (*q)->sp = dst;
1324
1325 q = &((*q)->next);
1326 }
1327
1328 if (src->spidx)
1329 if (keydb_setsecpolicyindex(dst, src->spidx) != 0)
1330 goto fail;
1331
1332 dst->req = newchain;
1333 dst->state = src->state;
1334 dst->policy = src->policy;
1335 dst->dir = src->dir;
1336 dst->so = src->so;
1337 /* do not touch the refcnt fields */
1338
1339 return dst;
1340
1341 fail:
1342 for (p = newchain; p; p = r) {
1343 r = p->next;
1344 free(p, M_SECA);
1345 p = NULL;
1346 }
1347 key_freesp(dst);
1348 return NULL;
1349 }
1350
1351 /* set policy and ipsec request if present. */
1352 static int
1353 ipsec_set_policy(spp, optname, request, len, priv)
1354 struct secpolicy **spp;
1355 int optname;
1356 caddr_t request;
1357 size_t len;
1358 int priv;
1359 {
1360 struct sadb_x_policy *xpl;
1361 struct secpolicy *newsp = NULL;
1362 int error;
1363
1364 /* sanity check. */
1365 if (spp == NULL || *spp == NULL || request == NULL)
1366 return EINVAL;
1367 if (len < sizeof(*xpl))
1368 return EINVAL;
1369 xpl = (struct sadb_x_policy *)request;
1370
1371 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1372 printf("ipsec_set_policy: passed policy\n");
1373 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1374
1375 /* check policy type */
1376 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1377 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
1378 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1379 return EINVAL;
1380
1381 /* check privileged socket */
1382 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1383 return EACCES;
1384
1385 /* allocation new SP entry */
1386 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1387 return error;
1388
1389 newsp->state = IPSEC_SPSTATE_ALIVE;
1390
1391 /* clear old SP and set new SP */
1392 key_freesp(*spp);
1393 *spp = newsp;
1394 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1395 printf("ipsec_set_policy: new policy\n");
1396 kdebug_secpolicy(newsp));
1397
1398 return 0;
1399 }
1400
1401 static int
1402 ipsec_get_policy(sp, mp)
1403 struct secpolicy *sp;
1404 struct mbuf **mp;
1405 {
1406
1407 /* sanity check. */
1408 if (sp == NULL || mp == NULL)
1409 return EINVAL;
1410
1411 *mp = key_sp2msg(sp);
1412 if (!*mp) {
1413 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1414 return ENOBUFS;
1415 }
1416
1417 (*mp)->m_type = MT_SOOPTS;
1418 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1419 printf("ipsec_get_policy:\n");
1420 kdebug_mbuf(*mp));
1421
1422 return 0;
1423 }
1424
1425 int
1426 ipsec4_set_policy(inp, optname, request, len, priv)
1427 struct inpcb *inp;
1428 int optname;
1429 caddr_t request;
1430 size_t len;
1431 int priv;
1432 {
1433 struct sadb_x_policy *xpl;
1434 struct secpolicy **spp;
1435
1436 /* sanity check. */
1437 if (inp == NULL || request == NULL)
1438 return EINVAL;
1439 if (len < sizeof(*xpl))
1440 return EINVAL;
1441 xpl = (struct sadb_x_policy *)request;
1442
1443 /* select direction */
1444 switch (xpl->sadb_x_policy_dir) {
1445 case IPSEC_DIR_INBOUND:
1446 spp = &inp->inp_sp->sp_in;
1447 break;
1448 case IPSEC_DIR_OUTBOUND:
1449 spp = &inp->inp_sp->sp_out;
1450 break;
1451 default:
1452 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1453 xpl->sadb_x_policy_dir));
1454 return EINVAL;
1455 }
1456
1457 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1458 return ipsec_set_policy(spp, optname, request, len, priv);
1459 }
1460
1461 int
1462 ipsec4_get_policy(inp, request, len, mp)
1463 struct inpcb *inp;
1464 caddr_t request;
1465 size_t len;
1466 struct mbuf **mp;
1467 {
1468 struct sadb_x_policy *xpl;
1469 struct secpolicy *sp;
1470
1471 /* sanity check. */
1472 if (inp == NULL || request == NULL || mp == NULL)
1473 return EINVAL;
1474 if (inp->inp_sp == NULL)
1475 panic("policy in PCB is NULL");
1476 if (len < sizeof(*xpl))
1477 return EINVAL;
1478 xpl = (struct sadb_x_policy *)request;
1479
1480 /* select direction */
1481 switch (xpl->sadb_x_policy_dir) {
1482 case IPSEC_DIR_INBOUND:
1483 sp = inp->inp_sp->sp_in;
1484 break;
1485 case IPSEC_DIR_OUTBOUND:
1486 sp = inp->inp_sp->sp_out;
1487 break;
1488 default:
1489 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n",
1490 xpl->sadb_x_policy_dir));
1491 return EINVAL;
1492 }
1493
1494 return ipsec_get_policy(sp, mp);
1495 }
1496
1497 /* delete policy in PCB */
1498 int
1499 ipsec4_delete_pcbpolicy(inp)
1500 struct inpcb *inp;
1501 {
1502 /* sanity check. */
1503 if (inp == NULL)
1504 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1505
1506 if (inp->inp_sp == NULL)
1507 return 0;
1508
1509 if (inp->inp_sp->sp_in != NULL) {
1510 key_freesp(inp->inp_sp->sp_in);
1511 inp->inp_sp->sp_in = NULL;
1512 }
1513
1514 if (inp->inp_sp->sp_out != NULL) {
1515 key_freesp(inp->inp_sp->sp_out);
1516 inp->inp_sp->sp_out = NULL;
1517 }
1518
1519 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1520
1521 ipsec_delpcbpolicy(inp->inp_sp);
1522 inp->inp_sp = NULL;
1523
1524 return 0;
1525 }
1526
1527 #ifdef INET6
1528 int
1529 ipsec6_set_policy(in6p, optname, request, len, priv)
1530 struct in6pcb *in6p;
1531 int optname;
1532 caddr_t request;
1533 size_t len;
1534 int priv;
1535 {
1536 struct sadb_x_policy *xpl;
1537 struct secpolicy **spp;
1538
1539 /* sanity check. */
1540 if (in6p == NULL || request == NULL)
1541 return EINVAL;
1542 if (len < sizeof(*xpl))
1543 return EINVAL;
1544 xpl = (struct sadb_x_policy *)request;
1545
1546 /* select direction */
1547 switch (xpl->sadb_x_policy_dir) {
1548 case IPSEC_DIR_INBOUND:
1549 spp = &in6p->in6p_sp->sp_in;
1550 break;
1551 case IPSEC_DIR_OUTBOUND:
1552 spp = &in6p->in6p_sp->sp_out;
1553 break;
1554 default:
1555 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1556 xpl->sadb_x_policy_dir));
1557 return EINVAL;
1558 }
1559
1560 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1561 return ipsec_set_policy(spp, optname, request, len, priv);
1562 }
1563
1564 int
1565 ipsec6_get_policy(in6p, request, len, mp)
1566 struct in6pcb *in6p;
1567 caddr_t request;
1568 size_t len;
1569 struct mbuf **mp;
1570 {
1571 struct sadb_x_policy *xpl;
1572 struct secpolicy *sp;
1573
1574 /* sanity check. */
1575 if (in6p == NULL || request == NULL || mp == NULL)
1576 return EINVAL;
1577 if (in6p->in6p_sp == NULL)
1578 panic("policy in PCB is NULL");
1579 if (len < sizeof(*xpl))
1580 return EINVAL;
1581 xpl = (struct sadb_x_policy *)request;
1582
1583 /* select direction */
1584 switch (xpl->sadb_x_policy_dir) {
1585 case IPSEC_DIR_INBOUND:
1586 sp = in6p->in6p_sp->sp_in;
1587 break;
1588 case IPSEC_DIR_OUTBOUND:
1589 sp = in6p->in6p_sp->sp_out;
1590 break;
1591 default:
1592 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n",
1593 xpl->sadb_x_policy_dir));
1594 return EINVAL;
1595 }
1596
1597 return ipsec_get_policy(sp, mp);
1598 }
1599
1600 int
1601 ipsec6_delete_pcbpolicy(in6p)
1602 struct in6pcb *in6p;
1603 {
1604 /* sanity check. */
1605 if (in6p == NULL)
1606 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1607
1608 if (in6p->in6p_sp == NULL)
1609 return 0;
1610
1611 if (in6p->in6p_sp->sp_in != NULL) {
1612 key_freesp(in6p->in6p_sp->sp_in);
1613 in6p->in6p_sp->sp_in = NULL;
1614 }
1615
1616 if (in6p->in6p_sp->sp_out != NULL) {
1617 key_freesp(in6p->in6p_sp->sp_out);
1618 in6p->in6p_sp->sp_out = NULL;
1619 }
1620
1621 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1622
1623 ipsec_delpcbpolicy(in6p->in6p_sp);
1624 in6p->in6p_sp = NULL;
1625
1626 return 0;
1627 }
1628 #endif
1629
1630 /*
1631 * return current level.
1632 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1633 */
1634 u_int
1635 ipsec_get_reqlevel(isr, af)
1636 struct ipsecrequest *isr;
1637 int af;
1638 {
1639 u_int level = 0;
1640 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1641
1642 /* sanity check */
1643 if (isr == NULL || isr->sp == NULL)
1644 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1645
1646 /* set default level */
1647 switch (af) {
1648 #ifdef INET
1649 case AF_INET:
1650 esp_trans_deflev = ip4_esp_trans_deflev;
1651 esp_net_deflev = ip4_esp_net_deflev;
1652 ah_trans_deflev = ip4_ah_trans_deflev;
1653 ah_net_deflev = ip4_ah_net_deflev;
1654 break;
1655 #endif
1656 #ifdef INET6
1657 case AF_INET6:
1658 esp_trans_deflev = ip6_esp_trans_deflev;
1659 esp_net_deflev = ip6_esp_net_deflev;
1660 ah_trans_deflev = ip6_ah_trans_deflev;
1661 ah_net_deflev = ip6_ah_net_deflev;
1662 break;
1663 #endif /* INET6 */
1664 default:
1665 panic("key_get_reqlevel: Unknown family. %d",
1666 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family);
1667 }
1668
1669 /* set level */
1670 switch (isr->level) {
1671 case IPSEC_LEVEL_DEFAULT:
1672 switch (isr->saidx.proto) {
1673 case IPPROTO_ESP:
1674 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1675 level = esp_net_deflev;
1676 else
1677 level = esp_trans_deflev;
1678 break;
1679 case IPPROTO_AH:
1680 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1681 level = ah_net_deflev;
1682 else
1683 level = ah_trans_deflev;
1684 break;
1685 case IPPROTO_IPCOMP:
1686 /*
1687 * we don't really care, as IPcomp document says that
1688 * we shouldn't compress small packets
1689 */
1690 level = IPSEC_LEVEL_USE;
1691 break;
1692 case IPPROTO_IPV4:
1693 case IPPROTO_IPV6:
1694 /* should never go into here */
1695 level = IPSEC_LEVEL_REQUIRE;
1696 break;
1697 default:
1698 panic("ipsec_get_reqlevel: "
1699 "Illegal protocol defined %u\n",
1700 isr->saidx.proto);
1701 }
1702 break;
1703
1704 case IPSEC_LEVEL_USE:
1705 case IPSEC_LEVEL_REQUIRE:
1706 level = isr->level;
1707 break;
1708 case IPSEC_LEVEL_UNIQUE:
1709 level = IPSEC_LEVEL_REQUIRE;
1710 break;
1711
1712 default:
1713 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1714 isr->level);
1715 }
1716
1717 return level;
1718 }
1719
1720 /*
1721 * Check AH/ESP integrity.
1722 * OUT:
1723 * 0: valid
1724 * 1: invalid
1725 */
1726 static int
1727 ipsec_in_reject(sp, m)
1728 struct secpolicy *sp;
1729 struct mbuf *m;
1730 {
1731 struct ipsecrequest *isr;
1732 u_int level;
1733 int need_auth, need_conf, need_icv;
1734
1735 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1736 printf("ipsec_in_reject: using SP\n");
1737 kdebug_secpolicy(sp));
1738
1739 /* check policy */
1740 switch (sp->policy) {
1741 case IPSEC_POLICY_DISCARD:
1742 return 1;
1743 case IPSEC_POLICY_BYPASS:
1744 case IPSEC_POLICY_NONE:
1745 return 0;
1746
1747 case IPSEC_POLICY_IPSEC:
1748 break;
1749
1750 case IPSEC_POLICY_ENTRUST:
1751 default:
1752 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy);
1753 }
1754
1755 need_auth = 0;
1756 need_conf = 0;
1757 need_icv = 0;
1758
1759 /* XXX should compare policy against ipsec header history */
1760
1761 for (isr = sp->req; isr != NULL; isr = isr->next) {
1762 /* get current level */
1763 level = ipsec_get_reqlevel(isr, AF_INET);
1764
1765 switch (isr->saidx.proto) {
1766 case IPPROTO_ESP:
1767 if (level == IPSEC_LEVEL_REQUIRE) {
1768 need_conf++;
1769
1770 if (isr->sav != NULL
1771 && isr->sav->flags == SADB_X_EXT_NONE
1772 && isr->sav->alg_auth != SADB_AALG_NONE)
1773 need_icv++;
1774 }
1775 break;
1776 case IPPROTO_AH:
1777 if (level == IPSEC_LEVEL_REQUIRE) {
1778 need_auth++;
1779 need_icv++;
1780 }
1781 break;
1782 case IPPROTO_IPCOMP:
1783 /*
1784 * we don't really care, as IPcomp document says that
1785 * we shouldn't compress small packets, IPComp policy
1786 * should always be treated as being in "use" level.
1787 */
1788 break;
1789 case IPPROTO_IPV4:
1790 case IPPROTO_IPV6:
1791 /*
1792 * XXX what shall we do, until introducing more complex
1793 * policy checking code?
1794 */
1795 break;
1796 }
1797 }
1798
1799 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1800 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1801 need_auth, need_conf, need_icv, m->m_flags));
1802
1803 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1804 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1805 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1806 return 1;
1807
1808 return 0;
1809 }
1810
1811 /*
1812 * Check AH/ESP integrity.
1813 * This function is called from tcp_input(), udp_input(),
1814 * and {ah,esp}4_input for tunnel mode
1815 */
1816 int
1817 ipsec4_in_reject_so(m, so)
1818 struct mbuf *m;
1819 struct socket *so;
1820 {
1821 struct secpolicy *sp = NULL;
1822 int error;
1823 int result;
1824
1825 /* sanity check */
1826 if (m == NULL)
1827 return 0; /* XXX should be panic ? */
1828
1829 /* get SP for this packet.
1830 * When we are called from ip_forward(), we call
1831 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1832 */
1833 if (so == NULL)
1834 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1835 IP_FORWARDING, &error);
1836 else
1837 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1838
1839 /* XXX should be panic ? -> No, there may be error. */
1840 if (sp == NULL)
1841 return 0;
1842
1843 result = ipsec_in_reject(sp, m);
1844 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1845 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1846 key_freesp(sp);
1847
1848 return result;
1849 }
1850
1851 int
1852 ipsec4_in_reject(m, inp)
1853 struct mbuf *m;
1854 struct inpcb *inp;
1855 {
1856 if (inp == NULL)
1857 return ipsec4_in_reject_so(m, NULL);
1858 if (inp->inp_socket)
1859 return ipsec4_in_reject_so(m, inp->inp_socket);
1860 else
1861 panic("ipsec4_in_reject: invalid inpcb/socket");
1862 }
1863
1864 #ifdef INET6
1865 /*
1866 * Check AH/ESP integrity.
1867 * This function is called from tcp6_input(), udp6_input(),
1868 * and {ah,esp}6_input for tunnel mode
1869 */
1870 int
1871 ipsec6_in_reject_so(m, so)
1872 struct mbuf *m;
1873 struct socket *so;
1874 {
1875 struct secpolicy *sp = NULL;
1876 int error;
1877 int result;
1878
1879 /* sanity check */
1880 if (m == NULL)
1881 return 0; /* XXX should be panic ? */
1882
1883 /* get SP for this packet.
1884 * When we are called from ip_forward(), we call
1885 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1886 */
1887 if (so == NULL)
1888 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1889 IP_FORWARDING, &error);
1890 else
1891 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1892
1893 if (sp == NULL)
1894 return 0; /* XXX should be panic ? */
1895
1896 result = ipsec_in_reject(sp, m);
1897 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1898 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
1899 key_freesp(sp);
1900
1901 return result;
1902 }
1903
1904 int
1905 ipsec6_in_reject(m, in6p)
1906 struct mbuf *m;
1907 struct in6pcb *in6p;
1908 {
1909 if (in6p == NULL)
1910 return ipsec6_in_reject_so(m, NULL);
1911 if (in6p->in6p_socket)
1912 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1913 else
1914 panic("ipsec6_in_reject: invalid in6p/socket");
1915 }
1916 #endif
1917
1918 /*
1919 * compute the byte size to be occupied by IPsec header.
1920 * in case it is tunneled, it includes the size of outer IP header.
1921 * NOTE: SP passed is free in this function.
1922 */
1923 static size_t
1924 ipsec_hdrsiz(sp)
1925 struct secpolicy *sp;
1926 {
1927 struct ipsecrequest *isr;
1928 size_t siz, clen;
1929
1930 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1931 printf("ipsec_hdrsiz: using SP\n");
1932 kdebug_secpolicy(sp));
1933
1934 /* check policy */
1935 switch (sp->policy) {
1936 case IPSEC_POLICY_DISCARD:
1937 case IPSEC_POLICY_BYPASS:
1938 case IPSEC_POLICY_NONE:
1939 return 0;
1940
1941 case IPSEC_POLICY_IPSEC:
1942 break;
1943
1944 case IPSEC_POLICY_ENTRUST:
1945 default:
1946 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1947 }
1948
1949 siz = 0;
1950
1951 for (isr = sp->req; isr != NULL; isr = isr->next) {
1952
1953 clen = 0;
1954
1955 switch (isr->saidx.proto) {
1956 case IPPROTO_ESP:
1957 #ifdef IPSEC_ESP
1958 clen = esp_hdrsiz(isr);
1959 #else
1960 clen = 0; /* XXX */
1961 #endif
1962 break;
1963 case IPPROTO_AH:
1964 clen = ah_hdrsiz(isr);
1965 break;
1966 case IPPROTO_IPCOMP:
1967 clen = sizeof(struct ipcomp);
1968 break;
1969 case IPPROTO_IPV4:
1970 case IPPROTO_IPV6:
1971 /* the next "if" clause will compute it */
1972 clen = 0;
1973 break;
1974 }
1975
1976 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1977 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1978 case AF_INET:
1979 clen += sizeof(struct ip);
1980 break;
1981 #ifdef INET6
1982 case AF_INET6:
1983 clen += sizeof(struct ip6_hdr);
1984 break;
1985 #endif
1986 default:
1987 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1988 "unknown AF %d in IPsec tunnel SA\n",
1989 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1990 break;
1991 }
1992 }
1993 siz += clen;
1994 }
1995
1996 return siz;
1997 }
1998
1999 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
2000 size_t
2001 ipsec4_hdrsiz(m, dir, inp)
2002 struct mbuf *m;
2003 u_int dir;
2004 struct inpcb *inp;
2005 {
2006 struct secpolicy *sp = NULL;
2007 int error;
2008 size_t size;
2009
2010 /* sanity check */
2011 if (m == NULL)
2012 return 0; /* XXX should be panic ? */
2013 if (inp != NULL && inp->inp_socket == NULL)
2014 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
2015
2016 /* get SP for this packet.
2017 * When we are called from ip_forward(), we call
2018 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
2019 */
2020 if (inp == NULL)
2021 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2022 else
2023 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
2024
2025 if (sp == NULL)
2026 return 0; /* XXX should be panic ? */
2027
2028 size = ipsec_hdrsiz(sp);
2029 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2030 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
2031 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2032 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
2033 key_freesp(sp);
2034
2035 return size;
2036 }
2037
2038 #ifdef INET6
2039 /* This function is called from ipsec6_hdrsize_tcp(),
2040 * and maybe from ip6_forward.()
2041 */
2042 size_t
2043 ipsec6_hdrsiz(m, dir, in6p)
2044 struct mbuf *m;
2045 u_int dir;
2046 struct in6pcb *in6p;
2047 {
2048 struct secpolicy *sp = NULL;
2049 int error;
2050 size_t size;
2051
2052 /* sanity check */
2053 if (m == NULL)
2054 return 0; /* XXX should be panic ? */
2055 if (in6p != NULL && in6p->in6p_socket == NULL)
2056 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2057
2058 /* get SP for this packet */
2059 /* XXX Is it right to call with IP_FORWARDING. */
2060 if (in6p == NULL)
2061 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2062 else
2063 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
2064
2065 if (sp == NULL)
2066 return 0;
2067 size = ipsec_hdrsiz(sp);
2068 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2069 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
2070 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2071 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
2072 key_freesp(sp);
2073
2074 return size;
2075 }
2076 #endif /* INET6 */
2077
2078 #ifdef INET
2079 /*
2080 * encapsulate for ipsec tunnel.
2081 * ip->ip_src must be fixed later on.
2082 */
2083 static int
2084 ipsec4_encapsulate(m, sav)
2085 struct mbuf *m;
2086 struct secasvar *sav;
2087 {
2088 struct ip *oip;
2089 struct ip *ip;
2090 size_t hlen;
2091 size_t plen;
2092
2093 /* can't tunnel between different AFs */
2094 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2095 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2096 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2097 m_freem(m);
2098 return EINVAL;
2099 }
2100 #if 0
2101 /* XXX if the dst is myself, perform nothing. */
2102 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2103 m_freem(m);
2104 return EINVAL;
2105 }
2106 #endif
2107
2108 if (m->m_len < sizeof(*ip))
2109 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2110
2111 ip = mtod(m, struct ip *);
2112 hlen = ip->ip_hl << 2;
2113
2114 if (m->m_len != hlen)
2115 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2116
2117 /* generate header checksum */
2118 ip->ip_sum = 0;
2119 ip->ip_sum = in_cksum(m, hlen);
2120
2121 plen = m->m_pkthdr.len;
2122
2123 /*
2124 * grow the mbuf to accomodate the new IPv4 header.
2125 * NOTE: IPv4 options will never be copied.
2126 */
2127 if (M_LEADINGSPACE(m->m_next) < hlen) {
2128 struct mbuf *n;
2129 MGET(n, M_DONTWAIT, MT_DATA);
2130 if (!n) {
2131 m_freem(m);
2132 return ENOBUFS;
2133 }
2134 n->m_len = hlen;
2135 n->m_next = m->m_next;
2136 m->m_next = n;
2137 } else {
2138 m->m_next->m_len += hlen;
2139 m->m_next->m_data -= hlen;
2140 }
2141 oip = mtod(m->m_next, struct ip *);
2142 m->m_pkthdr.len += hlen;
2143 ip = mtod(m, struct ip *);
2144 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2145 m->m_len = sizeof(struct ip);
2146 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2147
2148 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2149 /* ECN consideration. */
2150 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2151 ip->ip_hl = sizeof(struct ip) >> 2;
2152 ip->ip_off &= htons(~IP_OFFMASK);
2153 ip->ip_off &= htons(~IP_MF);
2154 switch (ip4_ipsec_dfbit) {
2155 case 0: /* clear DF bit */
2156 ip->ip_off &= htons(~IP_DF);
2157 break;
2158 case 1: /* set DF bit */
2159 ip->ip_off |= htons(IP_DF);
2160 break;
2161 default: /* copy DF bit */
2162 break;
2163 }
2164 ip->ip_p = IPPROTO_IPIP;
2165 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2166 ip->ip_len = htons(plen + sizeof(struct ip));
2167 else {
2168 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2169 "leave ip_len as is (invalid packet)\n"));
2170 }
2171 ip->ip_id = ip_newid();
2172 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2173 &ip->ip_src, sizeof(ip->ip_src));
2174 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2175 &ip->ip_dst, sizeof(ip->ip_dst));
2176 ip->ip_ttl = IPDEFTTL;
2177
2178 /* XXX Should ip_src be updated later ? */
2179
2180 return 0;
2181 }
2182 #endif /* INET */
2183
2184 #ifdef INET6
2185 static int
2186 ipsec6_encapsulate(m, sav)
2187 struct mbuf *m;
2188 struct secasvar *sav;
2189 {
2190 struct ip6_hdr *oip6;
2191 struct ip6_hdr *ip6;
2192 size_t plen;
2193
2194 /* can't tunnel between different AFs */
2195 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2196 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2197 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2198 m_freem(m);
2199 return EINVAL;
2200 }
2201 #if 0
2202 /* XXX if the dst is myself, perform nothing. */
2203 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2204 m_freem(m);
2205 return EINVAL;
2206 }
2207 #endif
2208
2209 plen = m->m_pkthdr.len;
2210
2211 /*
2212 * grow the mbuf to accomodate the new IPv6 header.
2213 */
2214 if (m->m_len != sizeof(struct ip6_hdr))
2215 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2216 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2217 struct mbuf *n;
2218 MGET(n, M_DONTWAIT, MT_DATA);
2219 if (!n) {
2220 m_freem(m);
2221 return ENOBUFS;
2222 }
2223 n->m_len = sizeof(struct ip6_hdr);
2224 n->m_next = m->m_next;
2225 m->m_next = n;
2226 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2227 oip6 = mtod(n, struct ip6_hdr *);
2228 } else {
2229 m->m_next->m_len += sizeof(struct ip6_hdr);
2230 m->m_next->m_data -= sizeof(struct ip6_hdr);
2231 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2232 oip6 = mtod(m->m_next, struct ip6_hdr *);
2233 }
2234 ip6 = mtod(m, struct ip6_hdr *);
2235 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2236
2237 /* Fake link-local scope-class addresses */
2238 in6_clearscope(&oip6->ip6_src);
2239 in6_clearscope(&oip6->ip6_dst);
2240
2241 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2242 /* ECN consideration. */
2243 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2244 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2245 ip6->ip6_plen = htons(plen);
2246 else {
2247 /* ip6->ip6_plen will be updated in ip6_output() */
2248 }
2249 ip6->ip6_nxt = IPPROTO_IPV6;
2250 in6_embedscope(&ip6->ip6_src,
2251 (struct sockaddr_in6 *)&sav->sah->saidx.src, NULL, NULL);
2252 in6_embedscope(&ip6->ip6_dst,
2253 (struct sockaddr_in6 *)&sav->sah->saidx.dst, NULL, NULL);
2254 ip6->ip6_hlim = IPV6_DEFHLIM;
2255
2256 /* XXX Should ip6_src be updated later ? */
2257
2258 return 0;
2259 }
2260 #endif /* INET6 */
2261
2262 /*
2263 * Check the variable replay window.
2264 * ipsec_chkreplay() performs replay check before ICV verification.
2265 * ipsec_updatereplay() updates replay bitmap. This must be called after
2266 * ICV verification (it also performs replay check, which is usually done
2267 * beforehand).
2268 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2269 *
2270 * based on RFC 2401.
2271 *
2272 * XXX need to update for 64bit sequence number - 2401bis
2273 */
2274 int
2275 ipsec_chkreplay(seq, sav)
2276 u_int32_t seq;
2277 struct secasvar *sav;
2278 {
2279 const struct secreplay *replay;
2280 u_int32_t diff;
2281 int fr;
2282 u_int32_t wsizeb; /* constant: bits of window size */
2283 int frlast; /* constant: last frame */
2284
2285 /* sanity check */
2286 if (sav == NULL)
2287 panic("ipsec_chkreplay: NULL pointer was passed.");
2288
2289 replay = sav->replay;
2290
2291 if (replay->wsize == 0)
2292 return 1; /* no need to check replay. */
2293
2294 /* constant */
2295 frlast = replay->wsize - 1;
2296 wsizeb = replay->wsize << 3;
2297
2298 /* sequence number of 0 is invalid */
2299 if (seq == 0)
2300 return 0;
2301
2302 /* first time is always okay */
2303 if (replay->count == 0)
2304 return 1;
2305
2306 if (seq > replay->lastseq) {
2307 /* larger sequences are okay */
2308 return 1;
2309 } else {
2310 /* seq is equal or less than lastseq. */
2311 diff = replay->lastseq - seq;
2312
2313 /* over range to check, i.e. too old or wrapped */
2314 if (diff >= wsizeb)
2315 return 0;
2316
2317 fr = frlast - diff / 8;
2318
2319 /* this packet already seen ? */
2320 if (replay->bitmap[fr] & (1 << (diff % 8)))
2321 return 0;
2322
2323 /* out of order but good */
2324 return 1;
2325 }
2326 }
2327
2328 /*
2329 * check replay counter whether to update or not.
2330 * OUT: 0: OK
2331 * 1: NG
2332 * XXX need to update for 64bit sequence number - 2401bis
2333 */
2334 int
2335 ipsec_updatereplay(seq, sav)
2336 u_int32_t seq;
2337 struct secasvar *sav;
2338 {
2339 struct secreplay *replay;
2340 u_int64_t diff;
2341 int fr;
2342 u_int32_t wsizeb; /* constant: bits of window size */
2343 int frlast; /* constant: last frame */
2344
2345 /* sanity check */
2346 if (sav == NULL)
2347 panic("ipsec_chkreplay: NULL pointer was passed.");
2348
2349 replay = sav->replay;
2350
2351 if (replay->wsize == 0)
2352 goto ok; /* no need to check replay. */
2353
2354 /* constant */
2355 frlast = replay->wsize - 1;
2356 wsizeb = replay->wsize << 3;
2357
2358 /* sequence number of 0 is invalid */
2359 if (seq == 0)
2360 return 1;
2361
2362 /* first time */
2363 if (replay->count == 0) {
2364 replay->lastseq = seq;
2365 bzero(replay->bitmap, replay->wsize);
2366 replay->bitmap[frlast] = 1;
2367 goto ok;
2368 }
2369
2370 if (seq > replay->lastseq) {
2371 /* seq is larger than lastseq. */
2372 diff = seq - replay->lastseq;
2373
2374 /* new larger sequence number */
2375 if (diff < wsizeb) {
2376 /* In window */
2377 /* set bit for this packet */
2378 vshiftl(replay->bitmap, diff, replay->wsize);
2379 replay->bitmap[frlast] |= 1;
2380 } else {
2381 /* this packet has a "way larger" */
2382 bzero(replay->bitmap, replay->wsize);
2383 replay->bitmap[frlast] = 1;
2384 }
2385 replay->lastseq = seq;
2386
2387 /* larger is good */
2388 } else {
2389 /* seq is equal or less than lastseq. */
2390 diff = replay->lastseq - seq;
2391
2392 /* over range to check, i.e. too old or wrapped */
2393 if (diff >= wsizeb)
2394 return 1;
2395
2396 fr = frlast - diff / 8;
2397
2398 /* this packet already seen ? */
2399 if (replay->bitmap[fr] & (1 << (diff % 8)))
2400 return 1;
2401
2402 /* mark as seen */
2403 replay->bitmap[fr] |= (1 << (diff % 8));
2404
2405 /* out of order but good */
2406 }
2407
2408 ok:
2409 if (replay->count == 0xffffffff) {
2410
2411 /* set overflow flag */
2412 replay->overflow++;
2413
2414 /* don't increment, no more packets accepted */
2415 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2416 return 1;
2417
2418 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2419 replay->overflow, ipsec_logsastr(sav)));
2420 }
2421
2422 replay->count++;
2423
2424 return 0;
2425 }
2426
2427 /*
2428 * shift variable length buffer to left.
2429 * IN: bitmap: pointer to the buffer
2430 * nbit: the number of to shift.
2431 * wsize: buffer size (bytes).
2432 */
2433 static void
2434 vshiftl(bitmap, nbit, wsize)
2435 unsigned char *bitmap;
2436 int nbit, wsize;
2437 {
2438 int s, j, i;
2439 unsigned char over;
2440
2441 for (j = 0; j < nbit; j += 8) {
2442 s = (nbit - j < 8) ? (nbit - j): 8;
2443 bitmap[0] <<= s;
2444 for (i = 1; i < wsize; i++) {
2445 over = (bitmap[i] >> (8 - s));
2446 bitmap[i] <<= s;
2447 bitmap[i - 1] |= over;
2448 }
2449 }
2450
2451 return;
2452 }
2453
2454 const char *
2455 ipsec4_logpacketstr(ip, spi)
2456 struct ip *ip;
2457 u_int32_t spi;
2458 {
2459 static char buf[256];
2460 char *p;
2461 u_int8_t *s, *d;
2462
2463 s = (u_int8_t *)(&ip->ip_src);
2464 d = (u_int8_t *)(&ip->ip_dst);
2465
2466 p = buf;
2467 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2468 while (p && *p)
2469 p++;
2470 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2471 s[0], s[1], s[2], s[3]);
2472 while (p && *p)
2473 p++;
2474 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2475 d[0], d[1], d[2], d[3]);
2476 while (p && *p)
2477 p++;
2478 snprintf(p, sizeof(buf) - (p - buf), ")");
2479
2480 return buf;
2481 }
2482
2483 #ifdef INET6
2484 const char *
2485 ipsec6_logpacketstr(ip6, spi)
2486 struct ip6_hdr *ip6;
2487 u_int32_t spi;
2488 {
2489 static char buf[256];
2490 char *p;
2491
2492 p = buf;
2493 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2494 while (p && *p)
2495 p++;
2496 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2497 ip6_sprintf(&ip6->ip6_src));
2498 while (p && *p)
2499 p++;
2500 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2501 ip6_sprintf(&ip6->ip6_dst));
2502 while (p && *p)
2503 p++;
2504 snprintf(p, sizeof(buf) - (p - buf), ")");
2505
2506 return buf;
2507 }
2508 #endif /* INET6 */
2509
2510 const char *
2511 ipsec_logsastr(sav)
2512 struct secasvar *sav;
2513 {
2514 static char buf[256];
2515 char *p;
2516 struct secasindex *saidx = &sav->sah->saidx;
2517
2518 /* validity check */
2519 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2520 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2521 panic("ipsec_logsastr: family mismatched.");
2522
2523 p = buf;
2524 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2525 while (p && *p)
2526 p++;
2527 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2528 u_int8_t *s, *d;
2529 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2530 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2531 snprintf(p, sizeof(buf) - (p - buf),
2532 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2533 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2534 }
2535 #ifdef INET6
2536 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2537 snprintf(p, sizeof(buf) - (p - buf),
2538 "src=%s",
2539 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2540 while (p && *p)
2541 p++;
2542 snprintf(p, sizeof(buf) - (p - buf),
2543 " dst=%s",
2544 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2545 }
2546 #endif
2547 while (p && *p)
2548 p++;
2549 snprintf(p, sizeof(buf) - (p - buf), ")");
2550
2551 return buf;
2552 }
2553
2554 void
2555 ipsec_dumpmbuf(m)
2556 struct mbuf *m;
2557 {
2558 int totlen;
2559 int i;
2560 u_char *p;
2561
2562 totlen = 0;
2563 printf("---\n");
2564 while (m) {
2565 p = mtod(m, u_char *);
2566 for (i = 0; i < m->m_len; i++) {
2567 printf("%02x ", p[i]);
2568 totlen++;
2569 if (totlen % 16 == 0)
2570 printf("\n");
2571 }
2572 m = m->m_next;
2573 }
2574 if (totlen % 16 != 0)
2575 printf("\n");
2576 printf("---\n");
2577 }
2578
2579 #ifdef INET
2580 static int
2581 ipsec4_checksa(isr, state)
2582 struct ipsecrequest *isr;
2583 struct ipsec_output_state *state;
2584 {
2585 struct ip *ip;
2586 struct secasindex saidx;
2587 struct sockaddr_in *sin;
2588
2589 /* make SA index for search proper SA */
2590 ip = mtod(state->m, struct ip *);
2591 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2592 saidx.mode = isr->saidx.mode;
2593 saidx.reqid = isr->saidx.reqid;
2594 sin = (struct sockaddr_in *)&saidx.src;
2595 if (sin->sin_len == 0) {
2596 bzero(sin, sizeof(*sin));
2597 sin->sin_len = sizeof(*sin);
2598 sin->sin_family = AF_INET;
2599 sin->sin_port = IPSEC_PORT_ANY;
2600 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
2601 }
2602 sin = (struct sockaddr_in *)&saidx.dst;
2603 if (sin->sin_len == 0) {
2604 bzero(sin, sizeof(*sin));
2605 sin->sin_len = sizeof(*sin);
2606 sin->sin_family = AF_INET;
2607 sin->sin_port = IPSEC_PORT_ANY;
2608 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
2609 }
2610
2611 return key_checkrequest(isr, &saidx);
2612 }
2613 /*
2614 * IPsec output logic for IPv4.
2615 */
2616 int
2617 ipsec4_output(state, sp, flags)
2618 struct ipsec_output_state *state;
2619 struct secpolicy *sp;
2620 int flags;
2621 {
2622 struct ip *ip = NULL;
2623 struct ipsecrequest *isr = NULL;
2624 int s;
2625 int error;
2626 struct sockaddr_in *dst4;
2627
2628 if (!state)
2629 panic("state == NULL in ipsec4_output");
2630 if (!state->m)
2631 panic("state->m == NULL in ipsec4_output");
2632 if (!state->ro)
2633 panic("state->ro == NULL in ipsec4_output");
2634 if (!state->dst)
2635 panic("state->dst == NULL in ipsec4_output");
2636 state->encap = 0;
2637
2638 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2639 printf("ipsec4_output: applyed SP\n");
2640 kdebug_secpolicy(sp));
2641
2642 for (isr = sp->req; isr != NULL; isr = isr->next) {
2643
2644 #if 0 /* give up to check restriction of transport mode */
2645 /* XXX but should be checked somewhere */
2646 /*
2647 * some of the IPsec operation must be performed only in
2648 * originating case.
2649 */
2650 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2651 && (flags & IP_FORWARDING))
2652 continue;
2653 #endif
2654 error = ipsec4_checksa(isr, state);
2655 if (error != 0) {
2656 /*
2657 * IPsec processing is required, but no SA found.
2658 * I assume that key_acquire() had been called
2659 * to get/establish the SA. Here I discard
2660 * this packet because it is responsibility for
2661 * upper layer to retransmit the packet.
2662 */
2663 ipsecstat.out_nosa++;
2664 goto bad;
2665 }
2666
2667 /* validity check */
2668 if (isr->sav == NULL) {
2669 switch (ipsec_get_reqlevel(isr, AF_INET)) {
2670 case IPSEC_LEVEL_USE:
2671 continue;
2672 case IPSEC_LEVEL_REQUIRE:
2673 if (isr->saidx.proto == AF_INET ||
2674 isr->saidx.proto == AF_INET6)
2675 break;
2676 /* must be not reached here. */
2677 panic("ipsec4_output: no SA found, but required.");
2678 }
2679 }
2680
2681 /*
2682 * If there is no valid SA, we give up to process any
2683 * more. In such a case, the SA's status is changed
2684 * from DYING to DEAD after allocating. If a packet
2685 * send to the receiver by dead SA, the receiver can
2686 * not decode a packet because SA has been dead.
2687 */
2688 if (isr->sav->state != SADB_SASTATE_MATURE
2689 && isr->sav->state != SADB_SASTATE_DYING) {
2690 ipsecstat.out_nosa++;
2691 error = EINVAL;
2692 goto bad;
2693 }
2694
2695 /*
2696 * There may be the case that SA status will be changed when
2697 * we are refering to one. So calling splsoftnet().
2698 */
2699 s = splsoftnet();
2700
2701 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2702 /*
2703 * build IPsec tunnel.
2704 */
2705 /* XXX should be processed with other familiy */
2706 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2707 ipseclog((LOG_ERR, "ipsec4_output: "
2708 "family mismatched between inner and outer spi=%u\n",
2709 (u_int32_t)ntohl(isr->sav->spi)));
2710 splx(s);
2711 error = EAFNOSUPPORT;
2712 goto bad;
2713 }
2714
2715 state->m = ipsec4_splithdr(state->m);
2716 if (!state->m) {
2717 splx(s);
2718 error = ENOMEM;
2719 goto bad;
2720 }
2721 error = ipsec4_encapsulate(state->m, isr->sav);
2722 splx(s);
2723 if (error) {
2724 state->m = NULL;
2725 goto bad;
2726 }
2727 ip = mtod(state->m, struct ip *);
2728
2729 state->ro = &isr->sav->sah->sa_route;
2730 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2731 dst4 = (struct sockaddr_in *)state->dst;
2732 if (state->ro->ro_rt
2733 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2734 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2735 RTFREE(state->ro->ro_rt);
2736 bzero((caddr_t)state->ro, sizeof (*state->ro));
2737 }
2738 if (state->ro->ro_rt == 0) {
2739 dst4->sin_family = AF_INET;
2740 dst4->sin_len = sizeof(*dst4);
2741 dst4->sin_addr = ip->ip_dst;
2742 rtalloc(state->ro);
2743 }
2744 if (state->ro->ro_rt == 0) {
2745 ipstat.ips_noroute++;
2746 error = EHOSTUNREACH;
2747 goto bad;
2748 }
2749
2750 /* adjust state->dst if tunnel endpoint is offlink */
2751 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2752 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2753 dst4 = (struct sockaddr_in *)state->dst;
2754 }
2755
2756 state->encap++;
2757 } else
2758 splx(s);
2759
2760 state->m = ipsec4_splithdr(state->m);
2761 if (!state->m) {
2762 error = ENOMEM;
2763 goto bad;
2764 }
2765 switch (isr->saidx.proto) {
2766 case IPPROTO_ESP:
2767 #ifdef IPSEC_ESP
2768 if ((error = esp4_output(state->m, isr)) != 0) {
2769 state->m = NULL;
2770 goto bad;
2771 }
2772 break;
2773 #else
2774 m_freem(state->m);
2775 state->m = NULL;
2776 error = EINVAL;
2777 goto bad;
2778 #endif
2779 case IPPROTO_AH:
2780 if ((error = ah4_output(state->m, isr)) != 0) {
2781 state->m = NULL;
2782 goto bad;
2783 }
2784 break;
2785 case IPPROTO_IPCOMP:
2786 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2787 state->m = NULL;
2788 goto bad;
2789 }
2790 break;
2791 case IPPROTO_IPV4:
2792 break;
2793 case IPPROTO_IPV6:
2794 ipseclog((LOG_ERR, "ipsec4_output: "
2795 "family mismatched between inner and outer "
2796 "header\n"));
2797 error = EAFNOSUPPORT;
2798 goto bad;
2799 default:
2800 ipseclog((LOG_ERR,
2801 "ipsec4_output: unknown ipsec protocol %d\n",
2802 isr->saidx.proto));
2803 m_freem(state->m);
2804 state->m = NULL;
2805 error = EINVAL;
2806 goto bad;
2807 }
2808
2809 if (state->m == 0) {
2810 error = ENOMEM;
2811 goto bad;
2812 }
2813 ip = mtod(state->m, struct ip *);
2814 }
2815
2816 return 0;
2817
2818 bad:
2819 m_freem(state->m);
2820 state->m = NULL;
2821 return error;
2822 }
2823 #endif
2824
2825 #ifdef INET6
2826 static int
2827 ipsec6_checksa(isr, state, tunnel)
2828 struct ipsecrequest *isr;
2829 struct ipsec_output_state *state;
2830 int tunnel;
2831 {
2832 struct ip6_hdr *ip6;
2833 struct secasindex saidx;
2834 struct sockaddr_in6 *sin6;
2835
2836 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2837 #ifdef DIAGNOSTIC
2838 if (!tunnel)
2839 panic("ipsec6_checksa/inconsistent tunnel attribute");
2840 #endif
2841 /* When tunnel mode, SA peers must be specified. */
2842 return key_checkrequest(isr, &isr->saidx);
2843 }
2844
2845 /* make SA index for search proper SA */
2846 ip6 = mtod(state->m, struct ip6_hdr *);
2847 if (tunnel) {
2848 bzero(&saidx, sizeof(saidx));
2849 saidx.proto = isr->saidx.proto;
2850 } else
2851 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2852 saidx.mode = isr->saidx.mode;
2853 saidx.reqid = isr->saidx.reqid;
2854 sin6 = (struct sockaddr_in6 *)&saidx.src;
2855 if (sin6->sin6_len == 0 || tunnel) {
2856 bzero(sin6, sizeof(*sin6));
2857 sin6->sin6_len = sizeof(*sin6);
2858 sin6->sin6_family = AF_INET6;
2859 sin6->sin6_port = IPSEC_PORT_ANY;
2860 in6_recoverscope(sin6, &ip6->ip6_src, NULL);
2861 }
2862 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2863 if (sin6->sin6_len == 0 || tunnel) {
2864 bzero(sin6, sizeof(*sin6));
2865 sin6->sin6_len = sizeof(*sin6);
2866 sin6->sin6_family = AF_INET6;
2867 sin6->sin6_port = IPSEC_PORT_ANY;
2868 in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
2869 }
2870
2871 return key_checkrequest(isr, &saidx);
2872 }
2873 /*
2874 * IPsec output logic for IPv6, transport mode.
2875 */
2876 int
2877 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
2878 struct ipsec_output_state *state;
2879 u_char *nexthdrp;
2880 struct mbuf *mprev;
2881 struct secpolicy *sp;
2882 int flags;
2883 int *tun;
2884 {
2885 struct ip6_hdr *ip6;
2886 struct ipsecrequest *isr = NULL;
2887 int error = 0;
2888 int plen;
2889
2890 if (!state)
2891 panic("state == NULL in ipsec6_output_trans");
2892 if (!state->m)
2893 panic("state->m == NULL in ipsec6_output_trans");
2894 if (!nexthdrp)
2895 panic("nexthdrp == NULL in ipsec6_output_trans");
2896 if (!mprev)
2897 panic("mprev == NULL in ipsec6_output_trans");
2898 if (!sp)
2899 panic("sp == NULL in ipsec6_output_trans");
2900 if (!tun)
2901 panic("tun == NULL in ipsec6_output_trans");
2902
2903 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2904 printf("ipsec6_output_trans: applyed SP\n");
2905 kdebug_secpolicy(sp));
2906
2907 *tun = 0;
2908 for (isr = sp->req; isr; isr = isr->next) {
2909 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2910 /* the rest will be handled by ipsec6_output_tunnel() */
2911 break;
2912 }
2913
2914 error = ipsec6_checksa(isr, state, 0);
2915 if (error == ENOENT) {
2916 /*
2917 * IPsec processing is required, but no SA found.
2918 * I assume that key_acquire() had been called
2919 * to get/establish the SA. Here I discard
2920 * this packet because it is responsibility for
2921 * upper layer to retransmit the packet.
2922 */
2923 ipsec6stat.out_nosa++;
2924
2925 /*
2926 * Notify the fact that the packet is discarded
2927 * to ourselves. I believe this is better than
2928 * just silently discarding. (jinmei@kame.net)
2929 * XXX: should we restrict the error to TCP packets?
2930 * XXX: should we directly notify sockets via
2931 * pfctlinputs?
2932 *
2933 * Noone have initialized rcvif until this point,
2934 * so clear it.
2935 */
2936 if ((state->m->m_flags & M_PKTHDR) != 0)
2937 state->m->m_pkthdr.rcvif = NULL;
2938 icmp6_error(state->m, ICMP6_DST_UNREACH,
2939 ICMP6_DST_UNREACH_ADMIN, 0);
2940 state->m = NULL; /* icmp6_error freed the mbuf */
2941 goto bad;
2942 }
2943
2944 /* validity check */
2945 if (isr->sav == NULL) {
2946 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
2947 case IPSEC_LEVEL_USE:
2948 continue;
2949 case IPSEC_LEVEL_REQUIRE:
2950 /* must be not reached here. */
2951 panic("ipsec6_output_trans: no SA found, but required.");
2952 }
2953 }
2954
2955 /*
2956 * If there is no valid SA, we give up to process.
2957 * see same place at ipsec4_output().
2958 */
2959 if (isr->sav->state != SADB_SASTATE_MATURE
2960 && isr->sav->state != SADB_SASTATE_DYING) {
2961 ipsec6stat.out_nosa++;
2962 error = EINVAL;
2963 goto bad;
2964 }
2965
2966 switch (isr->saidx.proto) {
2967 case IPPROTO_ESP:
2968 #ifdef IPSEC_ESP
2969 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2970 #else
2971 m_freem(state->m);
2972 error = EINVAL;
2973 #endif
2974 break;
2975 case IPPROTO_AH:
2976 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2977 break;
2978 case IPPROTO_IPCOMP:
2979 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2980 break;
2981 default:
2982 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2983 "unknown ipsec protocol %d\n", isr->saidx.proto));
2984 m_freem(state->m);
2985 ipsec6stat.out_inval++;
2986 error = EINVAL;
2987 break;
2988 }
2989 if (error) {
2990 state->m = NULL;
2991 goto bad;
2992 }
2993 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2994 if (plen > IPV6_MAXPACKET) {
2995 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2996 "IPsec with IPv6 jumbogram is not supported\n"));
2997 ipsec6stat.out_inval++;
2998 error = EINVAL; /* XXX */
2999 goto bad;
3000 }
3001 ip6 = mtod(state->m, struct ip6_hdr *);
3002 ip6->ip6_plen = htons(plen);
3003 }
3004
3005 /* if we have more to go, we need a tunnel mode processing */
3006 if (isr != NULL)
3007 *tun = 1;
3008
3009 return 0;
3010
3011 bad:
3012 m_freem(state->m);
3013 state->m = NULL;
3014 return error;
3015 }
3016
3017 /*
3018 * IPsec output logic for IPv6, tunnel mode.
3019 */
3020 int
3021 ipsec6_output_tunnel(state, sp, flags)
3022 struct ipsec_output_state *state;
3023 struct secpolicy *sp;
3024 int flags;
3025 {
3026 struct ip6_hdr *ip6;
3027 struct ipsecrequest *isr = NULL;
3028 int error = 0;
3029 int plen;
3030 struct sockaddr_in6* dst6;
3031 int s;
3032
3033 if (!state)
3034 panic("state == NULL in ipsec6_output_tunnel");
3035 if (!state->m)
3036 panic("state->m == NULL in ipsec6_output_tunnel");
3037 if (!sp)
3038 panic("sp == NULL in ipsec6_output_tunnel");
3039
3040 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3041 printf("ipsec6_output_tunnel: applyed SP\n");
3042 kdebug_secpolicy(sp));
3043
3044 /*
3045 * transport mode ipsec (before the 1st tunnel mode) is already
3046 * processed by ipsec6_output_trans().
3047 */
3048 for (isr = sp->req; isr; isr = isr->next) {
3049 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
3050 break;
3051 }
3052
3053 for (/* already initialized */; isr; isr = isr->next) {
3054 error = ipsec6_checksa(isr, state, 1);
3055 if (error == ENOENT) {
3056 /*
3057 * IPsec processing is required, but no SA found.
3058 * I assume that key_acquire() had been called
3059 * to get/establish the SA. Here I discard
3060 * this packet because it is responsibility for
3061 * upper layer to retransmit the packet.
3062 */
3063 ipsec6stat.out_nosa++;
3064 error = ENOENT;
3065 goto bad;
3066 }
3067
3068 /* validity check */
3069 if (isr->sav == NULL) {
3070 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
3071 case IPSEC_LEVEL_USE:
3072 continue;
3073 case IPSEC_LEVEL_REQUIRE:
3074 /* must be not reached here. */
3075 panic("ipsec6_output_tunnel: no SA found, but required.");
3076 }
3077 }
3078
3079 /*
3080 * If there is no valid SA, we give up to process.
3081 * see same place at ipsec4_output().
3082 */
3083 if (isr->sav->state != SADB_SASTATE_MATURE
3084 && isr->sav->state != SADB_SASTATE_DYING) {
3085 ipsec6stat.out_nosa++;
3086 error = EINVAL;
3087 goto bad;
3088 }
3089
3090 /*
3091 * There may be the case that SA status will be changed when
3092 * we are refering to one. So calling splsoftnet().
3093 */
3094 s = splsoftnet();
3095
3096 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3097 /*
3098 * build IPsec tunnel.
3099 */
3100 /* XXX should be processed with other familiy */
3101 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
3102 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3103 "family mismatched between inner and outer, spi=%u\n",
3104 (u_int32_t)ntohl(isr->sav->spi)));
3105 splx(s);
3106 ipsec6stat.out_inval++;
3107 error = EAFNOSUPPORT;
3108 goto bad;
3109 }
3110
3111 state->m = ipsec6_splithdr(state->m);
3112 if (!state->m) {
3113 splx(s);
3114 ipsec6stat.out_nomem++;
3115 error = ENOMEM;
3116 goto bad;
3117 }
3118 error = ipsec6_encapsulate(state->m, isr->sav);
3119 splx(s);
3120 if (error) {
3121 state->m = 0;
3122 goto bad;
3123 }
3124 ip6 = mtod(state->m, struct ip6_hdr *);
3125
3126 state->ro = &isr->sav->sah->sa_route;
3127 state->dst = (struct sockaddr *)&state->ro->ro_dst;
3128 dst6 = (struct sockaddr_in6 *)state->dst;
3129 if (state->ro->ro_rt
3130 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
3131 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
3132 RTFREE(state->ro->ro_rt);
3133 bzero((caddr_t)state->ro, sizeof (*state->ro));
3134 }
3135 if (state->ro->ro_rt == 0) {
3136 bzero(dst6, sizeof(*dst6));
3137 dst6->sin6_family = AF_INET6;
3138 dst6->sin6_len = sizeof(*dst6);
3139 dst6->sin6_addr = ip6->ip6_dst;
3140 rtalloc(state->ro);
3141 }
3142 if (state->ro->ro_rt == 0) {
3143 ip6stat.ip6s_noroute++;
3144 ipsec6stat.out_noroute++;
3145 error = EHOSTUNREACH;
3146 goto bad;
3147 }
3148
3149 /* adjust state->dst if tunnel endpoint is offlink */
3150 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3151 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3152 dst6 = (struct sockaddr_in6 *)state->dst;
3153 }
3154 } else
3155 splx(s);
3156
3157 state->m = ipsec6_splithdr(state->m);
3158 if (!state->m) {
3159 ipsec6stat.out_nomem++;
3160 error = ENOMEM;
3161 goto bad;
3162 }
3163 ip6 = mtod(state->m, struct ip6_hdr *);
3164 switch (isr->saidx.proto) {
3165 case IPPROTO_ESP:
3166 #ifdef IPSEC_ESP
3167 error = esp6_output(state->m, &ip6->ip6_nxt,
3168 state->m->m_next, isr);
3169 #else
3170 m_freem(state->m);
3171 error = EINVAL;
3172 #endif
3173 break;
3174 case IPPROTO_AH:
3175 error = ah6_output(state->m, &ip6->ip6_nxt,
3176 state->m->m_next, isr);
3177 break;
3178 case IPPROTO_IPCOMP:
3179 /* XXX code should be here */
3180 /* FALLTHROUGH */
3181 default:
3182 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3183 "unknown ipsec protocol %d\n", isr->saidx.proto));
3184 m_freem(state->m);
3185 ipsec6stat.out_inval++;
3186 error = EINVAL;
3187 break;
3188 }
3189 if (error) {
3190 state->m = NULL;
3191 goto bad;
3192 }
3193 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3194 if (plen > IPV6_MAXPACKET) {
3195 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3196 "IPsec with IPv6 jumbogram is not supported\n"));
3197 ipsec6stat.out_inval++;
3198 error = EINVAL; /* XXX */
3199 goto bad;
3200 }
3201 ip6 = mtod(state->m, struct ip6_hdr *);
3202 ip6->ip6_plen = htons(plen);
3203 }
3204
3205 return 0;
3206
3207 bad:
3208 m_freem(state->m);
3209 state->m = NULL;
3210 return error;
3211 }
3212 #endif /* INET6 */
3213
3214 #ifdef INET
3215 /*
3216 * Chop IP header and option off from the payload.
3217 */
3218 static struct mbuf *
3219 ipsec4_splithdr(m)
3220 struct mbuf *m;
3221 {
3222 struct mbuf *mh;
3223 struct ip *ip;
3224 int hlen;
3225
3226 if (m->m_len < sizeof(struct ip))
3227 panic("ipsec4_splithdr: first mbuf too short");
3228 ip = mtod(m, struct ip *);
3229 hlen = ip->ip_hl << 2;
3230 if (m->m_len > hlen) {
3231 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3232 if (!mh) {
3233 m_freem(m);
3234 return NULL;
3235 }
3236 M_COPY_PKTHDR(mh, m);
3237 MH_ALIGN(mh, hlen);
3238 m_tag_delete_chain(m, NULL);
3239 m->m_flags &= ~M_PKTHDR;
3240 m->m_len -= hlen;
3241 m->m_data += hlen;
3242 mh->m_next = m;
3243 m = mh;
3244 m->m_len = hlen;
3245 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3246 } else if (m->m_len < hlen) {
3247 m = m_pullup(m, hlen);
3248 if (!m)
3249 return NULL;
3250 }
3251 return m;
3252 }
3253 #endif
3254
3255 #ifdef INET6
3256 static struct mbuf *
3257 ipsec6_splithdr(m)
3258 struct mbuf *m;
3259 {
3260 struct mbuf *mh;
3261 struct ip6_hdr *ip6;
3262 int hlen;
3263
3264 if (m->m_len < sizeof(struct ip6_hdr))
3265 panic("ipsec6_splithdr: first mbuf too short");
3266 ip6 = mtod(m, struct ip6_hdr *);
3267 hlen = sizeof(struct ip6_hdr);
3268 if (m->m_len > hlen) {
3269 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3270 if (!mh) {
3271 m_freem(m);
3272 return NULL;
3273 }
3274 M_COPY_PKTHDR(mh, m);
3275 MH_ALIGN(mh, hlen);
3276 m_tag_delete_chain(m, NULL);
3277 m->m_flags &= ~M_PKTHDR;
3278 m->m_len -= hlen;
3279 m->m_data += hlen;
3280 mh->m_next = m;
3281 m = mh;
3282 m->m_len = hlen;
3283 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3284 } else if (m->m_len < hlen) {
3285 m = m_pullup(m, hlen);
3286 if (!m)
3287 return NULL;
3288 }
3289 return m;
3290 }
3291 #endif
3292
3293 /* validate inbound IPsec tunnel packet. */
3294 int
3295 ipsec4_tunnel_validate(ip, nxt0, sav)
3296 struct ip *ip;
3297 u_int nxt0;
3298 struct secasvar *sav;
3299 {
3300 u_int8_t nxt = nxt0 & 0xff;
3301 struct sockaddr_in *sin;
3302 int hlen;
3303
3304 if (nxt != IPPROTO_IPV4)
3305 return 0;
3306 /* do not decapsulate if the SA is for transport mode only */
3307 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3308 return 0;
3309 hlen = ip->ip_hl << 2;
3310 if (hlen != sizeof(struct ip))
3311 return 0;
3312 switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
3313 case AF_INET:
3314 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3315 if (bcmp(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)) != 0)
3316 return 0;
3317 break;
3318 #ifdef INET6
3319 case AF_INET6:
3320 /* should be supported, but at this moment we don't. */
3321 /*FALLTHROUGH*/
3322 #endif
3323 default:
3324 return 0;
3325 }
3326
3327 return 1;
3328 }
3329
3330 #ifdef INET6
3331 /* validate inbound IPsec tunnel packet. */
3332 int
3333 ipsec6_tunnel_validate(ip6, nxt0, sav)
3334 struct ip6_hdr *ip6;
3335 u_int nxt0;
3336 struct secasvar *sav;
3337 {
3338 u_int8_t nxt = nxt0 & 0xff;
3339 struct sockaddr_in6 *sin6;
3340 struct in6_addr in6;
3341
3342 if (nxt != IPPROTO_IPV6)
3343 return 0;
3344 /* do not decapsulate if the SA is for transport mode only */
3345 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3346 return 0;
3347 switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
3348 case AF_INET6:
3349 sin6 = ((struct sockaddr_in6 *)&sav->sah->saidx.dst);
3350 in6_embedscope(&in6, sin6, NULL, NULL);
3351 if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &in6))
3352 return 0;
3353 break;
3354 case AF_INET:
3355 /* should be supported, but at this moment we don't. */
3356 /*FALLTHROUGH*/
3357 default:
3358 return 0;
3359 }
3360
3361 return 1;
3362 }
3363 #endif
3364
3365 /*
3366 * Make a mbuf chain for encryption.
3367 * If the original mbuf chain contains a mbuf with a cluster,
3368 * allocate a new cluster and copy the data to the new cluster.
3369 * XXX: this hack is inefficient, but is necessary to handle cases
3370 * of TCP retransmission...
3371 */
3372 struct mbuf *
3373 ipsec_copypkt(m)
3374 struct mbuf *m;
3375 {
3376 struct mbuf *n, **mpp, *mnew;
3377
3378 for (n = m, mpp = &m; n; n = n->m_next) {
3379 if (n->m_flags & M_EXT) {
3380 /*
3381 * Make a copy only if there is more than one
3382 * references to the cluster.
3383 * XXX: is this approach effective?
3384 */
3385 if (M_READONLY(n))
3386 {
3387 int remain, copied;
3388 struct mbuf *mm;
3389
3390 if (n->m_flags & M_PKTHDR) {
3391 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3392 if (mnew == NULL)
3393 goto fail;
3394 mnew->m_pkthdr = n->m_pkthdr;
3395 #if 0
3396 /* XXX: convert to m_tag or delete? */
3397 if (n->m_pkthdr.aux) {
3398 mnew->m_pkthdr.aux =
3399 m_copym(n->m_pkthdr.aux,
3400 0, M_COPYALL, M_DONTWAIT);
3401 }
3402 #endif
3403 M_COPY_PKTHDR(mnew, n);
3404 }
3405 else {
3406 MGET(mnew, M_DONTWAIT, MT_DATA);
3407 if (mnew == NULL)
3408 goto fail;
3409 }
3410 mnew->m_len = 0;
3411 mm = mnew;
3412
3413 /*
3414 * Copy data. If we don't have enough space to
3415 * store the whole data, allocate a cluster
3416 * or additional mbufs.
3417 * XXX: we don't use m_copyback(), since the
3418 * function does not use clusters and thus is
3419 * inefficient.
3420 */
3421 remain = n->m_len;
3422 copied = 0;
3423 while (1) {
3424 int len;
3425 struct mbuf *mn;
3426
3427 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3428 len = remain;
3429 else { /* allocate a cluster */
3430 MCLGET(mm, M_DONTWAIT);
3431 if (!(mm->m_flags & M_EXT)) {
3432 m_free(mm);
3433 goto fail;
3434 }
3435 len = remain < MCLBYTES ?
3436 remain : MCLBYTES;
3437 }
3438
3439 bcopy(n->m_data + copied, mm->m_data,
3440 len);
3441
3442 copied += len;
3443 remain -= len;
3444 mm->m_len = len;
3445
3446 if (remain <= 0) /* completed? */
3447 break;
3448
3449 /* need another mbuf */
3450 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3451 if (mn == NULL)
3452 goto fail;
3453 mn->m_pkthdr.rcvif = NULL;
3454 mm->m_next = mn;
3455 mm = mn;
3456 }
3457
3458 /* adjust chain */
3459 mm->m_next = m_free(n);
3460 n = mm;
3461 *mpp = mnew;
3462 mpp = &n->m_next;
3463
3464 continue;
3465 }
3466 }
3467 *mpp = n;
3468 mpp = &n->m_next;
3469 }
3470
3471 return (m);
3472 fail:
3473 m_freem(m);
3474 return (NULL);
3475 }
3476
3477 static struct m_tag *
3478 ipsec_addaux(m)
3479 struct mbuf *m;
3480 {
3481 struct m_tag *mtag;
3482
3483 mtag = m_tag_find(m, PACKET_TAG_ESP, NULL);
3484 if (mtag == NULL) {
3485 mtag = m_tag_get(PACKET_TAG_ESP, sizeof(struct ipsecaux),
3486 M_NOWAIT);
3487 if (mtag != NULL)
3488 m_tag_prepend(m, mtag);
3489 }
3490 if (mtag == NULL)
3491 return NULL; /* ENOBUFS */
3492 /* XXX is this necessary? */
3493 bzero((void *)(mtag + 1), sizeof(struct ipsecaux));
3494 return mtag;
3495 }
3496
3497 static struct m_tag *
3498 ipsec_findaux(m)
3499 struct mbuf *m;
3500 {
3501 return m_tag_find(m, PACKET_TAG_ESP, NULL);
3502 }
3503
3504 void
3505 ipsec_delaux(m)
3506 struct mbuf *m;
3507 {
3508 struct m_tag *mtag;
3509
3510 mtag = m_tag_find(m, PACKET_TAG_ESP, NULL);
3511 if (mtag != NULL)
3512 m_tag_delete(m, mtag);
3513 }
3514
3515 /* if the aux buffer is unnecessary, nuke it. */
3516 static void
3517 ipsec_optaux(m, mtag)
3518 struct mbuf *m;
3519 struct m_tag *mtag;
3520 {
3521 struct ipsecaux *aux;
3522
3523 if (mtag == NULL)
3524 return;
3525 aux = (struct ipsecaux *)(mtag + 1);
3526 if (!aux->so && !aux->sp)
3527 ipsec_delaux(m);
3528 }
3529
3530 int
3531 ipsec_addhist(m, proto, spi)
3532 struct mbuf *m;
3533 int proto;
3534 u_int32_t spi;
3535 {
3536 struct m_tag *mtag;
3537 struct ipsecaux *aux;
3538
3539 mtag = ipsec_addaux(m);
3540 if (mtag == NULL)
3541 return ENOBUFS;
3542 aux = (struct ipsecaux *)(mtag + 1);
3543 aux->hdrs++;
3544 return 0;
3545 }
3546
3547 int
3548 ipsec_getnhist(m)
3549 struct mbuf *m;
3550 {
3551 struct m_tag *mtag;
3552 struct ipsecaux *aux;
3553
3554 mtag = ipsec_findaux(m);
3555 if (mtag == NULL)
3556 return 0;
3557 aux = (struct ipsecaux *)(mtag + 1);
3558 return aux->hdrs;
3559 }
3560
3561 struct ipsec_history *
3562 ipsec_gethist(m, lenp)
3563 struct mbuf *m;
3564 int *lenp;
3565 {
3566
3567 panic("ipsec_gethist: obsolete API");
3568 }
3569
3570 void
3571 ipsec_clearhist(m)
3572 struct mbuf *m;
3573 {
3574 struct m_tag *mtag;
3575
3576 mtag = ipsec_findaux(m);
3577 ipsec_optaux(m, mtag);
3578 }
3579
3580 /*
3581 * System control for IPSEC
3582 */
3583 u_char ipsecctlermap[PRC_NCMDS] = {
3584 0, 0, 0, 0,
3585 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
3586 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
3587 EMSGSIZE, EHOSTUNREACH, 0, 0,
3588 0, 0, 0, 0,
3589 ENOPROTOOPT
3590 };
3591
3592 /*
3593 * sysctl helper routine for some net.inet.ipsec and net.inet6.ipnet6
3594 * nodes. ensures that the given value is correct and clears the
3595 * ipsec cache accordingly.
3596 */
3597 static int
3598 sysctl_ipsec(SYSCTLFN_ARGS)
3599 {
3600 int error, t;
3601 struct sysctlnode node;
3602
3603 node = *rnode;
3604 if (rnode->sysctl_num == IPSECCTL_DEF_POLICY)
3605 t = (*((struct secpolicy**)rnode->sysctl_data))->policy;
3606 else
3607 t = *(int*)rnode->sysctl_data;
3608 node.sysctl_data = &t;
3609 error = sysctl_lookup(SYSCTLFN_CALL(&node));
3610 if (error || newp == NULL)
3611 return (error);
3612
3613 switch (rnode->sysctl_num) {
3614 case IPSECCTL_DEF_ESP_TRANSLEV:
3615 case IPSECCTL_DEF_ESP_NETLEV:
3616 case IPSECCTL_DEF_AH_TRANSLEV:
3617 case IPSECCTL_DEF_AH_NETLEV:
3618 if (t != IPSEC_LEVEL_USE &&
3619 t != IPSEC_LEVEL_REQUIRE)
3620 return (EINVAL);
3621 ipsec_invalpcbcacheall();
3622 break;
3623 case IPSECCTL_DEF_POLICY:
3624 if (t != IPSEC_POLICY_DISCARD &&
3625 t != IPSEC_POLICY_NONE)
3626 return (EINVAL);
3627 ipsec_invalpcbcacheall();
3628 break;
3629 default:
3630 return (EINVAL);
3631 }
3632
3633 if (rnode->sysctl_num == IPSECCTL_DEF_POLICY)
3634 (*((struct secpolicy**)rnode->sysctl_data))->policy = t;
3635 else
3636 *(int*)rnode->sysctl_data = t;
3637
3638 return (0);
3639 }
3640
3641 SYSCTL_SETUP(sysctl_net_inet_ipsec_setup, "sysctl net.inet.ipsec subtree setup")
3642 {
3643
3644 sysctl_createv(clog, 0, NULL, NULL,
3645 CTLFLAG_PERMANENT,
3646 CTLTYPE_NODE, "net", NULL,
3647 NULL, 0, NULL, 0,
3648 CTL_NET, CTL_EOL);
3649 sysctl_createv(clog, 0, NULL, NULL,
3650 CTLFLAG_PERMANENT,
3651 CTLTYPE_NODE, "inet", NULL,
3652 NULL, 0, NULL, 0,
3653 CTL_NET, PF_INET, CTL_EOL);
3654 sysctl_createv(clog, 0, NULL, NULL,
3655 CTLFLAG_PERMANENT,
3656 CTLTYPE_NODE, "ipsec",
3657 SYSCTL_DESCR("IPv4 related IPSec settings"),
3658 NULL, 0, NULL, 0,
3659 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
3660
3661 sysctl_createv(clog, 0, NULL, NULL,
3662 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3663 CTLTYPE_STRUCT, "stats",
3664 SYSCTL_DESCR("IPSec statistics and counters"),
3665 NULL, 0, &ipsecstat, sizeof(ipsecstat),
3666 CTL_NET, PF_INET, IPPROTO_AH,
3667 IPSECCTL_STATS, CTL_EOL);
3668 sysctl_createv(clog, 0, NULL, NULL,
3669 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3670 CTLTYPE_INT, "def_policy",
3671 SYSCTL_DESCR("Default action for non-IPSec packets"),
3672 sysctl_ipsec, 0, &ip4_def_policy, 0,
3673 CTL_NET, PF_INET, IPPROTO_AH,
3674 IPSECCTL_DEF_POLICY, CTL_EOL);
3675 sysctl_createv(clog, 0, NULL, NULL,
3676 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3677 CTLTYPE_INT, "esp_trans_deflev",
3678 SYSCTL_DESCR("Default required security level for "
3679 "transport mode traffic"),
3680 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0,
3681 CTL_NET, PF_INET, IPPROTO_AH,
3682 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
3683 sysctl_createv(clog, 0, NULL, NULL,
3684 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3685 CTLTYPE_INT, "esp_net_deflev",
3686 SYSCTL_DESCR("Default required security level for "
3687 "tunneled traffic"),
3688 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0,
3689 CTL_NET, PF_INET, IPPROTO_AH,
3690 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
3691 sysctl_createv(clog, 0, NULL, NULL,
3692 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3693 CTLTYPE_INT, "ah_trans_deflev",
3694 SYSCTL_DESCR("Default required security level for "
3695 "transport mode headers"),
3696 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0,
3697 CTL_NET, PF_INET, IPPROTO_AH,
3698 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
3699 sysctl_createv(clog, 0, NULL, NULL,
3700 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3701 CTLTYPE_INT, "ah_net_deflev",
3702 SYSCTL_DESCR("Default required security level for "
3703 "tunneled headers"),
3704 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0,
3705 CTL_NET, PF_INET, IPPROTO_AH,
3706 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
3707 #if 0 /* obsolete, do not reuse */
3708 sysctl_createv(clog, 0, NULL, NULL,
3709 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3710 CTLTYPE_INT, "inbound_call_ike", NULL,
3711 NULL, 0, &ip4_inbound_call_ike, 0,
3712 CTL_NET, PF_INET, IPPROTO_AH,
3713 IPSECCTL_INBOUND_CALL_IKE, CTL_EOL);
3714 #endif
3715 sysctl_createv(clog, 0, NULL, NULL,
3716 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3717 CTLTYPE_INT, "ah_cleartos",
3718 SYSCTL_DESCR("Clear IP TOS field before calculating AH"),
3719 NULL, 0, &ip4_ah_cleartos, 0,
3720 CTL_NET, PF_INET, IPPROTO_AH,
3721 IPSECCTL_AH_CLEARTOS, CTL_EOL);
3722 sysctl_createv(clog, 0, NULL, NULL,
3723 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3724 CTLTYPE_INT, "ah_offsetmask",
3725 SYSCTL_DESCR("Mask for IP fragment offset field when "
3726 "calculating AH"),
3727 NULL, 0, &ip4_ah_offsetmask, 0,
3728 CTL_NET, PF_INET, IPPROTO_AH,
3729 IPSECCTL_AH_OFFSETMASK, CTL_EOL);
3730 sysctl_createv(clog, 0, NULL, NULL,
3731 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3732 CTLTYPE_INT, "dfbit",
3733 SYSCTL_DESCR("IP header DF bit setting for tunneled "
3734 "traffic"),
3735 NULL, 0, &ip4_ipsec_dfbit, 0,
3736 CTL_NET, PF_INET, IPPROTO_AH,
3737 IPSECCTL_DFBIT, CTL_EOL);
3738 sysctl_createv(clog, 0, NULL, NULL,
3739 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3740 CTLTYPE_INT, "ecn",
3741 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
3742 NULL, 0, &ip4_ipsec_ecn, 0,
3743 CTL_NET, PF_INET, IPPROTO_AH,
3744 IPSECCTL_ECN, CTL_EOL);
3745 sysctl_createv(clog, 0, NULL, NULL,
3746 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3747 CTLTYPE_INT, "debug",
3748 SYSCTL_DESCR("Enable IPSec debugging output"),
3749 NULL, 0, &ipsec_debug, 0,
3750 CTL_NET, PF_INET, IPPROTO_AH,
3751 IPSECCTL_DEBUG, CTL_EOL);
3752
3753 /*
3754 * "aliases" for the ipsec subtree
3755 */
3756 sysctl_createv(clog, 0, NULL, NULL,
3757 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3758 CTLTYPE_NODE, "esp", NULL,
3759 NULL, IPPROTO_AH, NULL, 0,
3760 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
3761 sysctl_createv(clog, 0, NULL, NULL,
3762 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3763 CTLTYPE_NODE, "ipcomp", NULL,
3764 NULL, IPPROTO_AH, NULL, 0,
3765 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
3766 sysctl_createv(clog, 0, NULL, NULL,
3767 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3768 CTLTYPE_NODE, "ah", NULL,
3769 NULL, IPPROTO_AH, NULL, 0,
3770 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
3771 }
3772
3773 #ifdef INET6
3774 /*
3775 * System control for IPSEC6
3776 */
3777 u_char ipsec6ctlermap[PRC_NCMDS] = {
3778 0, 0, 0, 0,
3779 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
3780 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
3781 EMSGSIZE, EHOSTUNREACH, 0, 0,
3782 0, 0, 0, 0,
3783 ENOPROTOOPT
3784 };
3785
3786 SYSCTL_SETUP(sysctl_net_inet6_ipsec6_setup,
3787 "sysctl net.inet6.ipsec6 subtree setup")
3788 {
3789
3790 sysctl_createv(clog, 0, NULL, NULL,
3791 CTLFLAG_PERMANENT,
3792 CTLTYPE_NODE, "net", NULL,
3793 NULL, 0, NULL, 0,
3794 CTL_NET, CTL_EOL);
3795 sysctl_createv(clog, 0, NULL, NULL,
3796 CTLFLAG_PERMANENT,
3797 CTLTYPE_NODE, "inet6", NULL,
3798 NULL, 0, NULL, 0,
3799 CTL_NET, PF_INET6, CTL_EOL);
3800 sysctl_createv(clog, 0, NULL, NULL,
3801 CTLFLAG_PERMANENT,
3802 CTLTYPE_NODE, "ipsec6",
3803 SYSCTL_DESCR("IPv6 related IPSec settings"),
3804 NULL, 0, NULL, 0,
3805 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
3806
3807 sysctl_createv(clog, 0, NULL, NULL,
3808 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3809 CTLTYPE_STRUCT, "stats",
3810 SYSCTL_DESCR("IPSec statistics and counters"),
3811 NULL, 0, &ipsec6stat, sizeof(ipsec6stat),
3812 CTL_NET, PF_INET6, IPPROTO_AH,
3813 IPSECCTL_STATS, CTL_EOL);
3814 sysctl_createv(clog, 0, NULL, NULL,
3815 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3816 CTLTYPE_INT, "def_policy",
3817 SYSCTL_DESCR("Default action for non-IPSec packets"),
3818 sysctl_ipsec, 0, &ip6_def_policy, 0,
3819 CTL_NET, PF_INET6, IPPROTO_AH,
3820 IPSECCTL_DEF_POLICY, CTL_EOL);
3821 sysctl_createv(clog, 0, NULL, NULL,
3822 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3823 CTLTYPE_INT, "esp_trans_deflev",
3824 SYSCTL_DESCR("Default required security level for "
3825 "transport mode traffic"),
3826 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0,
3827 CTL_NET, PF_INET6, IPPROTO_AH,
3828 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
3829 sysctl_createv(clog, 0, NULL, NULL,
3830 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3831 CTLTYPE_INT, "esp_net_deflev",
3832 SYSCTL_DESCR("Default required security level for "
3833 "tunneled traffic"),
3834 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0,
3835 CTL_NET, PF_INET6, IPPROTO_AH,
3836 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
3837 sysctl_createv(clog, 0, NULL, NULL,
3838 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3839 CTLTYPE_INT, "ah_trans_deflev",
3840 SYSCTL_DESCR("Default required security level for "
3841 "transport mode headers"),
3842 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0,
3843 CTL_NET, PF_INET6, IPPROTO_AH,
3844 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
3845 sysctl_createv(clog, 0, NULL, NULL,
3846 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3847 CTLTYPE_INT, "ah_net_deflev",
3848 SYSCTL_DESCR("Default required security level for "
3849 "tunneled headers"),
3850 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0,
3851 CTL_NET, PF_INET6, IPPROTO_AH,
3852 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
3853 sysctl_createv(clog, 0, NULL, NULL,
3854 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3855 CTLTYPE_INT, "ecn",
3856 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
3857 NULL, 0, &ip6_ipsec_ecn, 0,
3858 CTL_NET, PF_INET6, IPPROTO_AH,
3859 IPSECCTL_ECN, CTL_EOL);
3860 sysctl_createv(clog, 0, NULL, NULL,
3861 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3862 CTLTYPE_INT, "debug",
3863 SYSCTL_DESCR("Enable IPSec debugging output"),
3864 NULL, 0, &ipsec_debug, 0,
3865 CTL_NET, PF_INET6, IPPROTO_AH,
3866 IPSECCTL_DEBUG, CTL_EOL);
3867
3868 /*
3869 * "aliases" for the ipsec6 subtree
3870 */
3871 sysctl_createv(clog, 0, NULL, NULL,
3872 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3873 CTLTYPE_NODE, "esp6", NULL,
3874 NULL, IPPROTO_AH, NULL, 0,
3875 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL);
3876 sysctl_createv(clog, 0, NULL, NULL,
3877 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3878 CTLTYPE_NODE, "ipcomp6", NULL,
3879 NULL, IPPROTO_AH, NULL, 0,
3880 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL);
3881 sysctl_createv(clog, 0, NULL, NULL,
3882 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3883 CTLTYPE_NODE, "ah6", NULL,
3884 NULL, IPPROTO_AH, NULL, 0,
3885 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL);
3886 }
3887 #endif /* INET6 */
Cache object: 2dda6bfbf9401b41a31f60e6e414d11e
|