FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c
1 /* $NetBSD: ipsec.c,v 1.110.2.3 2007/07/26 12:26:40 liamjfoy Exp $ */
2 /* $KAME: ipsec.c,v 1.136 2002/05/19 00:36:39 itojun Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #include <sys/cdefs.h>
38 __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.110.2.3 2007/07/26 12:26:40 liamjfoy Exp $");
39
40 #include "opt_inet.h"
41 #include "opt_ipsec.h"
42
43 #include <sys/param.h>
44 #include <sys/systm.h>
45 #include <sys/malloc.h>
46 #include <sys/mbuf.h>
47 #include <sys/domain.h>
48 #include <sys/protosw.h>
49 #include <sys/socket.h>
50 #include <sys/socketvar.h>
51 #include <sys/errno.h>
52 #include <sys/time.h>
53 #include <sys/kernel.h>
54 #include <sys/syslog.h>
55 #include <sys/sysctl.h>
56
57 #include <net/if.h>
58 #include <net/route.h>
59
60 #include <netinet/in.h>
61 #include <netinet/in_systm.h>
62 #include <netinet/ip.h>
63 #include <netinet/ip_var.h>
64 #include <netinet/in_var.h>
65 #include <netinet/udp.h>
66 #include <netinet/udp_var.h>
67 #include <netinet/ip_ecn.h>
68 #include <netinet/tcp.h>
69
70 #include <netinet/ip6.h>
71 #ifdef INET6
72 #include <netinet6/ip6_var.h>
73 #endif
74 #include <netinet/in_pcb.h>
75 #ifdef INET6
76 #include <netinet6/in6_pcb.h>
77 #include <netinet/icmp6.h>
78 #include <netinet6/scope6_var.h>
79 #endif
80
81 #include <netinet6/ipsec.h>
82 #include <netinet6/ah.h>
83 #ifdef IPSEC_ESP
84 #include <netinet6/esp.h>
85 #endif
86 #include <netinet6/ipcomp.h>
87 #include <netkey/key.h>
88 #include <netkey/keydb.h>
89 #include <netkey/key_debug.h>
90
91 #include <net/net_osdep.h>
92
93 #ifdef IPSEC_DEBUG
94 int ipsec_debug = 1;
95 #else
96 int ipsec_debug = 0;
97 #endif
98
99 struct ipsecstat ipsecstat;
100 int ip4_ah_cleartos = 1;
101 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
102 int ip4_ipsec_dfbit = 2; /* DF bit on encap. 0: clear 1: set 2: copy */
103 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
104 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
105 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
106 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
107 struct secpolicy *ip4_def_policy;
108 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
109
110 #ifdef INET6
111 struct ipsecstat ipsec6stat;
112 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
113 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
114 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
115 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
116 struct secpolicy *ip6_def_policy;
117 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
118
119 #endif /* INET6 */
120
121 u_int ipsec_spdgen = 1; /* SPD generation # */
122
123 #ifdef SADB_X_EXT_TAG
124 static struct pf_tag *ipsec_get_tag __P((struct mbuf *));
125 #endif
126 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
127 struct inpcbpolicy *, int));
128 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
129 struct secpolicy *, int));
130 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int));
131 static int ipsec_setspidx_mbuf
132 __P((struct secpolicyindex *, int, struct mbuf *, int));
133 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
134 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
135 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
136 #ifdef INET6
137 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
138 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
139 #endif
140 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
141 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
142 #if 0
143 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *));
144 #endif
145 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *));
146 static int ipsec_set_policy
147 __P((struct secpolicy **, int, caddr_t, size_t, int));
148 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
149 static void vshiftl __P((unsigned char *, int, int));
150 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
151 static size_t ipsec_hdrsiz __P((struct secpolicy *));
152 #ifdef INET
153 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
154 #endif
155 #ifdef INET6
156 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
157 #endif
158 #ifdef INET
159 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
160 #endif
161 #ifdef INET6
162 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
163 #endif
164 static struct m_tag *ipsec_addaux __P((struct mbuf *));
165 static struct m_tag *ipsec_findaux __P((struct mbuf *));
166 static void ipsec_optaux __P((struct mbuf *, struct m_tag *));
167 #ifdef INET
168 static int ipsec4_checksa __P((struct ipsecrequest *,
169 struct ipsec_output_state *));
170 #endif
171 #ifdef INET6
172 static int ipsec6_checksa __P((struct ipsecrequest *,
173 struct ipsec_output_state *, int));
174 #endif
175
176 /*
177 * try to validate and use cached policy on a pcb.
178 */
179 static struct secpolicy *
180 ipsec_checkpcbcache(m, pcbsp, dir)
181 struct mbuf *m;
182 struct inpcbpolicy *pcbsp;
183 int dir;
184 {
185 struct secpolicyindex spidx;
186 struct bintime bt;
187
188 switch (dir) {
189 case IPSEC_DIR_INBOUND:
190 case IPSEC_DIR_OUTBOUND:
191 case IPSEC_DIR_ANY:
192 break;
193 default:
194 return NULL;
195 }
196 #ifdef DIAGNOSTIC
197 if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0]))
198 panic("dir too big in ipsec_checkpcbcache");
199 #endif
200 /* SPD table change invalidates all the caches */
201 if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) {
202 ipsec_invalpcbcache(pcbsp, dir);
203 return NULL;
204 }
205 if (!pcbsp->sp_cache[dir].cachesp)
206 return NULL;
207 if (pcbsp->sp_cache[dir].cachesp->state != IPSEC_SPSTATE_ALIVE) {
208 ipsec_invalpcbcache(pcbsp, dir);
209 return NULL;
210 }
211 if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
212 if (!pcbsp->sp_cache[dir].cachesp)
213 return NULL;
214 if (ipsec_setspidx(m, &spidx, 1) != 0)
215 return NULL;
216
217 /*
218 * We have to make an exact match here since the cached rule
219 * might have lower priority than a rule that would otherwise
220 * have matched the packet.
221 */
222
223 if (bcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx, sizeof(spidx)))
224 return NULL;
225
226 } else {
227 /*
228 * The pcb is connected, and the L4 code is sure that:
229 * - outgoing side uses inp_[lf]addr
230 * - incoming side looks up policy after inpcb lookup
231 * and address pair is known to be stable. We do not need
232 * to generate spidx again, nor check the address match again.
233 *
234 * For IPv4/v6 SOCK_STREAM sockets, this assumption holds
235 * and there are calls to ipsec_pcbconn() from in_pcbconnect().
236 */
237 }
238
239 getbinuptime(&bt);
240 pcbsp->sp_cache[dir].cachesp->lastused = bt.sec;
241 pcbsp->sp_cache[dir].cachesp->refcnt++;
242 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
243 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n",
244 pcbsp->sp_cache[dir].cachesp->refcnt,
245 pcbsp->sp_cache[dir].cachesp));
246 return pcbsp->sp_cache[dir].cachesp;
247 }
248
249 static int
250 ipsec_fillpcbcache(pcbsp, m, sp, dir)
251 struct inpcbpolicy *pcbsp;
252 struct mbuf *m;
253 struct secpolicy *sp;
254 int dir;
255 {
256
257 switch (dir) {
258 case IPSEC_DIR_INBOUND:
259 case IPSEC_DIR_OUTBOUND:
260 break;
261 default:
262 return EINVAL;
263 }
264 #ifdef DIAGNOSTIC
265 if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0]))
266 panic("dir too big in ipsec_checkpcbcache");
267 #endif
268
269 if (pcbsp->sp_cache[dir].cachesp)
270 key_freesp(pcbsp->sp_cache[dir].cachesp);
271 pcbsp->sp_cache[dir].cachesp = NULL;
272 pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_MAYBE;
273 if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, 1) != 0) {
274 return EINVAL;
275 }
276 pcbsp->sp_cache[dir].cachesp = sp;
277 if (pcbsp->sp_cache[dir].cachesp) {
278 pcbsp->sp_cache[dir].cachesp->refcnt++;
279 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
280 printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n",
281 pcbsp->sp_cache[dir].cachesp->refcnt,
282 pcbsp->sp_cache[dir].cachesp));
283
284 /*
285 * If the PCB is connected, we can remember a hint to
286 * possibly short-circuit IPsec processing in other places.
287 */
288 if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) {
289 switch (pcbsp->sp_cache[dir].cachesp->policy) {
290 case IPSEC_POLICY_NONE:
291 case IPSEC_POLICY_BYPASS:
292 pcbsp->sp_cache[dir].cachehint =
293 IPSEC_PCBHINT_NO;
294 break;
295 default:
296 pcbsp->sp_cache[dir].cachehint =
297 IPSEC_PCBHINT_YES;
298 }
299 }
300 }
301 pcbsp->sp_cache[dir].cachegen = ipsec_spdgen;
302
303 return 0;
304 }
305
306 static int
307 ipsec_invalpcbcache(pcbsp, dir)
308 struct inpcbpolicy *pcbsp;
309 int dir;
310 {
311 int i;
312
313 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
314 if (dir != IPSEC_DIR_ANY && i != dir)
315 continue;
316 if (pcbsp->sp_cache[i].cachesp)
317 key_freesp(pcbsp->sp_cache[i].cachesp);
318 pcbsp->sp_cache[i].cachesp = NULL;
319 pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_MAYBE;
320 pcbsp->sp_cache[i].cachegen = 0;
321 bzero(&pcbsp->sp_cache[i].cacheidx,
322 sizeof(pcbsp->sp_cache[i].cacheidx));
323 }
324 return 0;
325 }
326
327 int
328 ipsec_pcbconn(pcbsp)
329 struct inpcbpolicy *pcbsp;
330 {
331
332 pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED;
333 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
334 return 0;
335 }
336
337 int
338 ipsec_pcbdisconn(pcbsp)
339 struct inpcbpolicy *pcbsp;
340 {
341
342 pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED;
343 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
344 return 0;
345 }
346
347 void
348 ipsec_invalpcbcacheall()
349 {
350
351 if (ipsec_spdgen == UINT_MAX)
352 ipsec_spdgen = 1;
353 else
354 ipsec_spdgen++;
355 }
356
357 #ifdef SADB_X_EXT_TAG
358 static struct pf_tag *
359 ipsec_get_tag(m)
360 struct mbuf *m;
361 {
362 struct m_tag *mtag;
363
364 if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL)
365 return ((struct pf_tag *)(mtag + 1));
366 else
367 return (NULL);
368 }
369 #endif
370
371 /*
372 * For OUTBOUND packet having a socket. Searching SPD for packet,
373 * and return a pointer to SP.
374 * OUT: NULL: no apropreate SP found, the following value is set to error.
375 * 0 : bypass
376 * EACCES : discard packet.
377 * ENOENT : ipsec_acquire() in progress, maybe.
378 * others : error occurred.
379 * others: a pointer to SP
380 *
381 * NOTE: IPv6 mapped address concern is implemented here.
382 */
383 struct secpolicy *
384 ipsec4_getpolicybysock(m, dir, so, error)
385 struct mbuf *m;
386 u_int dir;
387 struct socket *so;
388 int *error;
389 {
390 struct inpcbpolicy *pcbsp = NULL;
391 struct secpolicy *currsp = NULL; /* policy on socket */
392 struct secpolicy *kernsp = NULL; /* policy on kernel */
393 struct secpolicyindex spidx;
394 #ifdef SADB_X_EXT_TAG
395 struct pf_tag *t;
396 #endif
397 u_int16_t tag;
398
399 /* sanity check */
400 if (m == NULL || so == NULL || error == NULL)
401 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
402
403 switch (so->so_proto->pr_domain->dom_family) {
404 case AF_INET:
405 pcbsp = sotoinpcb(so)->inp_sp;
406 break;
407 #ifdef INET6
408 case AF_INET6:
409 pcbsp = sotoin6pcb(so)->in6p_sp;
410 break;
411 #endif
412 default:
413 panic("ipsec4_getpolicybysock: unsupported address family");
414 }
415
416 #ifdef DIAGNOSTIC
417 if (pcbsp == NULL)
418 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
419 #endif
420
421 #ifdef SADB_X_EXT_TAG
422 t = ipsec_get_tag(m);
423 tag = t ? t->tag : 0;
424 #else
425 tag = 0;
426 #endif
427
428 /* if we have a cached entry, and if it is still valid, use it. */
429 ipsecstat.spdcachelookup++;
430 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
431 if (currsp) {
432 *error = 0;
433 return currsp;
434 }
435 ipsecstat.spdcachemiss++;
436
437 switch (dir) {
438 case IPSEC_DIR_INBOUND:
439 currsp = pcbsp->sp_in;
440 break;
441 case IPSEC_DIR_OUTBOUND:
442 currsp = pcbsp->sp_out;
443 break;
444 default:
445 panic("ipsec4_getpolicybysock: illegal direction.");
446 }
447
448 /* sanity check */
449 if (currsp == NULL)
450 panic("ipsec4_getpolicybysock: currsp is NULL.");
451
452 /* when privileged socket */
453 if (pcbsp->priv) {
454 switch (currsp->policy) {
455 case IPSEC_POLICY_BYPASS:
456 currsp->refcnt++;
457 *error = 0;
458 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
459 return currsp;
460
461 case IPSEC_POLICY_ENTRUST:
462 /* look for a policy in SPD */
463 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
464 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
465 /* SP found */
466 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
467 printf("DP ipsec4_getpolicybysock called "
468 "to allocate SP:%p\n", kernsp));
469 *error = 0;
470 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
471 return kernsp;
472 }
473
474 /* no SP found */
475 ip4_def_policy->refcnt++;
476 *error = 0;
477 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
478 return ip4_def_policy;
479
480 case IPSEC_POLICY_IPSEC:
481 currsp->refcnt++;
482 *error = 0;
483 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
484 return currsp;
485
486 default:
487 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
488 "Invalid policy for PCB %d\n", currsp->policy));
489 *error = EINVAL;
490 return NULL;
491 }
492 /* NOTREACHED */
493 }
494
495 /* when non-privileged socket */
496 /* look for a policy in SPD */
497 if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
498 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
499 /* SP found */
500 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
501 printf("DP ipsec4_getpolicybysock called "
502 "to allocate SP:%p\n", kernsp));
503 *error = 0;
504 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
505 return kernsp;
506 }
507
508 /* no SP found */
509 switch (currsp->policy) {
510 case IPSEC_POLICY_BYPASS:
511 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
512 "Illegal policy for non-privileged defined %d\n",
513 currsp->policy));
514 *error = EINVAL;
515 return NULL;
516
517 case IPSEC_POLICY_ENTRUST:
518 ip4_def_policy->refcnt++;
519 *error = 0;
520 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
521 return ip4_def_policy;
522
523 case IPSEC_POLICY_IPSEC:
524 currsp->refcnt++;
525 *error = 0;
526 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
527 return currsp;
528
529 default:
530 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
531 "Invalid policy for PCB %d\n", currsp->policy));
532 *error = EINVAL;
533 return NULL;
534 }
535 /* NOTREACHED */
536 }
537
538 /*
539 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
540 * and return a pointer to SP.
541 * OUT: positive: a pointer to the entry for security policy leaf matched.
542 * NULL: no apropreate SP found, the following value is set to error.
543 * 0 : bypass
544 * EACCES : discard packet.
545 * ENOENT : ipsec_acquire() in progress, maybe.
546 * others : error occurred.
547 */
548 struct secpolicy *
549 ipsec4_getpolicybyaddr(m, dir, flag, error)
550 struct mbuf *m;
551 u_int dir;
552 int flag;
553 int *error;
554 {
555 struct secpolicy *sp = NULL;
556 #ifdef SADB_X_EXT_TAG
557 struct pf_tag *t;
558 #endif
559 u_int16_t tag;
560
561 /* sanity check */
562 if (m == NULL || error == NULL)
563 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
564
565 /* get a policy entry matched with the packet */
566 {
567 struct secpolicyindex spidx;
568
569 bzero(&spidx, sizeof(spidx));
570
571 /* make an index to look for a policy */
572 *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m,
573 (flag & IP_FORWARDING) ? 0 : 1);
574
575 if (*error != 0)
576 return NULL;
577
578 #ifdef SADB_X_EXT_TAG
579 t = ipsec_get_tag(m);
580 tag = t ? t->tag : 0;
581 #else
582 tag = 0;
583 #endif
584
585 sp = key_allocsp(tag, &spidx, dir);
586 }
587
588 /* SP found */
589 if (sp != NULL) {
590 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
591 printf("DP ipsec4_getpolicybyaddr called "
592 "to allocate SP:%p\n", sp));
593 *error = 0;
594 return sp;
595 }
596
597 /* no SP found */
598 ip4_def_policy->refcnt++;
599 *error = 0;
600 return ip4_def_policy;
601 }
602
603 #ifdef INET6
604 /*
605 * For OUTBOUND packet having a socket. Searching SPD for packet,
606 * and return a pointer to SP.
607 * OUT: NULL: no apropreate SP found, the following value is set to error.
608 * 0 : bypass
609 * EACCES : discard packet.
610 * ENOENT : ipsec_acquire() in progress, maybe.
611 * others : error occurred.
612 * others: a pointer to SP
613 */
614 struct secpolicy *
615 ipsec6_getpolicybysock(m, dir, so, error)
616 struct mbuf *m;
617 u_int dir;
618 struct socket *so;
619 int *error;
620 {
621 struct inpcbpolicy *pcbsp = NULL;
622 struct secpolicy *currsp = NULL; /* policy on socket */
623 struct secpolicy *kernsp = NULL; /* policy on kernel */
624 struct secpolicyindex spidx;
625 #ifdef SADB_X_EXT_TAG
626 struct pf_tag *t;
627 #endif
628 u_int16_t tag;
629
630 /* sanity check */
631 if (m == NULL || so == NULL || error == NULL)
632 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
633
634 #ifdef DIAGNOSTIC
635 if (so->so_proto->pr_domain->dom_family != AF_INET6)
636 panic("ipsec6_getpolicybysock: socket domain != inet6");
637 #endif
638
639 pcbsp = sotoin6pcb(so)->in6p_sp;
640
641 #ifdef DIAGNOSTIC
642 if (pcbsp == NULL)
643 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
644 #endif
645
646 #ifdef SADB_X_EXT_TAG
647 t = ipsec_get_tag(m);
648 tag = t ? t->tag : 0;
649 #else
650 tag = 0;
651 #endif
652
653 /* if we have a cached entry, and if it is still valid, use it. */
654 ipsec6stat.spdcachelookup++;
655 currsp = ipsec_checkpcbcache(m, pcbsp, dir);
656 if (currsp) {
657 *error = 0;
658 return currsp;
659 }
660 ipsec6stat.spdcachemiss++;
661
662 switch (dir) {
663 case IPSEC_DIR_INBOUND:
664 currsp = pcbsp->sp_in;
665 break;
666 case IPSEC_DIR_OUTBOUND:
667 currsp = pcbsp->sp_out;
668 break;
669 default:
670 panic("ipsec6_getpolicybysock: illegal direction.");
671 }
672
673 /* sanity check */
674 if (currsp == NULL)
675 panic("ipsec6_getpolicybysock: currsp is NULL.");
676
677 /* when privileged socket */
678 if (pcbsp->priv) {
679 switch (currsp->policy) {
680 case IPSEC_POLICY_BYPASS:
681 currsp->refcnt++;
682 *error = 0;
683 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
684 return currsp;
685
686 case IPSEC_POLICY_ENTRUST:
687 /* look for a policy in SPD */
688 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
689 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
690 /* SP found */
691 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
692 printf("DP ipsec6_getpolicybysock called "
693 "to allocate SP:%p\n", kernsp));
694 *error = 0;
695 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
696 return kernsp;
697 }
698
699 /* no SP found */
700 ip6_def_policy->refcnt++;
701 *error = 0;
702 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
703 return ip6_def_policy;
704
705 case IPSEC_POLICY_IPSEC:
706 currsp->refcnt++;
707 *error = 0;
708 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
709 return currsp;
710
711 default:
712 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
713 "Invalid policy for PCB %d\n", currsp->policy));
714 *error = EINVAL;
715 return NULL;
716 }
717 /* NOTREACHED */
718 }
719
720 /* when non-privileged socket */
721 /* look for a policy in SPD */
722 if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
723 (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
724 /* SP found */
725 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
726 printf("DP ipsec6_getpolicybysock called "
727 "to allocate SP:%p\n", kernsp));
728 *error = 0;
729 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
730 return kernsp;
731 }
732
733 /* no SP found */
734 switch (currsp->policy) {
735 case IPSEC_POLICY_BYPASS:
736 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
737 "Illegal policy for non-privileged defined %d\n",
738 currsp->policy));
739 *error = EINVAL;
740 return NULL;
741
742 case IPSEC_POLICY_ENTRUST:
743 ip6_def_policy->refcnt++;
744 *error = 0;
745 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
746 return ip6_def_policy;
747
748 case IPSEC_POLICY_IPSEC:
749 currsp->refcnt++;
750 *error = 0;
751 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
752 return currsp;
753
754 default:
755 ipseclog((LOG_ERR,
756 "ipsec6_policybysock: Invalid policy for PCB %d\n",
757 currsp->policy));
758 *error = EINVAL;
759 return NULL;
760 }
761 /* NOTREACHED */
762 }
763
764 /*
765 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
766 * and return a pointer to SP.
767 * `flag' means that packet is to be forwarded whether or not.
768 * flag = 1: forwad
769 * OUT: positive: a pointer to the entry for security policy leaf matched.
770 * NULL: no apropreate SP found, the following value is set to error.
771 * 0 : bypass
772 * EACCES : discard packet.
773 * ENOENT : ipsec_acquire() in progress, maybe.
774 * others : error occurred.
775 */
776 #ifndef IP_FORWARDING
777 #define IP_FORWARDING 1
778 #endif
779
780 struct secpolicy *
781 ipsec6_getpolicybyaddr(m, dir, flag, error)
782 struct mbuf *m;
783 u_int dir;
784 int flag;
785 int *error;
786 {
787 struct secpolicy *sp = NULL;
788 #ifdef SADB_X_EXT_TAG
789 struct pf_tag *t;
790 #endif
791 u_int16_t tag;
792
793 /* sanity check */
794 if (m == NULL || error == NULL)
795 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
796
797 /* get a policy entry matched with the packet */
798 {
799 struct secpolicyindex spidx;
800
801 bzero(&spidx, sizeof(spidx));
802
803 /* make an index to look for a policy */
804 *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m,
805 (flag & IP_FORWARDING) ? 0 : 1);
806
807 if (*error != 0)
808 return NULL;
809
810 #ifdef SADB_X_EXT_TAG
811 t = ipsec_get_tag(m);
812 tag = t ? t->tag : 0;
813 #else
814 tag = 0;
815 #endif
816
817 sp = key_allocsp(tag, &spidx, dir);
818 }
819
820 /* SP found */
821 if (sp != NULL) {
822 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
823 printf("DP ipsec6_getpolicybyaddr called "
824 "to allocate SP:%p\n", sp));
825 *error = 0;
826 return sp;
827 }
828
829 /* no SP found */
830 ip6_def_policy->refcnt++;
831 *error = 0;
832 return ip6_def_policy;
833 }
834 #endif /* INET6 */
835
836 /*
837 * set IP address into spidx from mbuf.
838 * When Forwarding packet and ICMP echo reply, this function is used.
839 *
840 * IN: get the followings from mbuf.
841 * protocol family, src, dst, next protocol
842 * OUT:
843 * 0: success.
844 * other: failure, and set errno.
845 */
846 int
847 ipsec_setspidx_mbuf(struct secpolicyindex *spidx, int family,
848 struct mbuf *m, int needport)
849 {
850 int error;
851
852 /* sanity check */
853 if (spidx == NULL || m == NULL)
854 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
855
856 bzero(spidx, sizeof(*spidx));
857
858 error = ipsec_setspidx(m, spidx, needport);
859 if (error)
860 goto bad;
861
862 return 0;
863
864 bad:
865 /* XXX initialize */
866 bzero(spidx, sizeof(*spidx));
867 return EINVAL;
868 }
869
870 /*
871 * configure security policy index (src/dst/proto/sport/dport)
872 * by looking at the content of mbuf.
873 * the caller is responsible for error recovery (like clearing up spidx).
874 */
875 static int
876 ipsec_setspidx(m, spidx, needport)
877 struct mbuf *m;
878 struct secpolicyindex *spidx;
879 int needport;
880 {
881 struct ip *ip = NULL;
882 struct ip ipbuf;
883 u_int v;
884 struct mbuf *n;
885 int len;
886 int error;
887
888 if (m == NULL)
889 panic("ipsec_setspidx: m == 0 passed.");
890
891 bzero(spidx, sizeof(*spidx));
892
893 /*
894 * validate m->m_pkthdr.len. we see incorrect length if we
895 * mistakenly call this function with inconsistent mbuf chain
896 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
897 */
898 len = 0;
899 for (n = m; n; n = n->m_next)
900 len += n->m_len;
901 if (m->m_pkthdr.len != len) {
902 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
903 printf("ipsec_setspidx: "
904 "total of m_len(%d) != pkthdr.len(%d), "
905 "ignored.\n",
906 len, m->m_pkthdr.len));
907 return EINVAL;
908 }
909
910 if (m->m_pkthdr.len < sizeof(struct ip)) {
911 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
912 printf("ipsec_setspidx: "
913 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
914 m->m_pkthdr.len));
915 return EINVAL;
916 }
917
918 if (m->m_len >= sizeof(*ip))
919 ip = mtod(m, struct ip *);
920 else {
921 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
922 ip = &ipbuf;
923 }
924 v = ip->ip_v;
925 switch (v) {
926 case 4:
927 error = ipsec4_setspidx_ipaddr(m, spidx);
928 if (error)
929 return error;
930 ipsec4_get_ulp(m, spidx, needport);
931 return 0;
932 #ifdef INET6
933 case 6:
934 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
935 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
936 printf("ipsec_setspidx: "
937 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
938 "ignored.\n", m->m_pkthdr.len));
939 return EINVAL;
940 }
941 error = ipsec6_setspidx_ipaddr(m, spidx);
942 if (error)
943 return error;
944 ipsec6_get_ulp(m, spidx, needport);
945 return 0;
946 #endif
947 default:
948 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
949 printf("ipsec_setspidx: "
950 "unknown IP version %u, ignored.\n", v));
951 return EINVAL;
952 }
953 }
954
955 static void
956 ipsec4_get_ulp(m, spidx, needport)
957 struct mbuf *m;
958 struct secpolicyindex *spidx;
959 int needport;
960 {
961 struct ip ip;
962 struct ip6_ext ip6e;
963 u_int8_t nxt;
964 int off;
965 struct tcphdr th;
966 struct udphdr uh;
967
968 /* sanity check */
969 if (m == NULL)
970 panic("ipsec4_get_ulp: NULL pointer was passed.");
971 if (m->m_pkthdr.len < sizeof(ip))
972 panic("ipsec4_get_ulp: too short");
973
974 /* set default */
975 spidx->ul_proto = IPSEC_ULPROTO_ANY;
976 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
977 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
978
979 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
980 if (ip.ip_off & htons(IP_MF | IP_OFFMASK))
981 return;
982
983 nxt = ip.ip_p;
984 off = ip.ip_hl << 2;
985 while (off < m->m_pkthdr.len) {
986 switch (nxt) {
987 case IPPROTO_TCP:
988 spidx->ul_proto = nxt;
989 if (!needport)
990 return;
991 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
992 return;
993 m_copydata(m, off, sizeof(th), (caddr_t)&th);
994 ((struct sockaddr_in *)&spidx->src)->sin_port =
995 th.th_sport;
996 ((struct sockaddr_in *)&spidx->dst)->sin_port =
997 th.th_dport;
998 return;
999 case IPPROTO_UDP:
1000 spidx->ul_proto = nxt;
1001 if (!needport)
1002 return;
1003 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1004 return;
1005 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1006 ((struct sockaddr_in *)&spidx->src)->sin_port =
1007 uh.uh_sport;
1008 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1009 uh.uh_dport;
1010 return;
1011 case IPPROTO_AH:
1012 if (off + sizeof(ip6e) > m->m_pkthdr.len)
1013 return;
1014 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1015 off += (ip6e.ip6e_len + 2) << 2;
1016 nxt = ip6e.ip6e_nxt;
1017 break;
1018 case IPPROTO_ICMP:
1019 default:
1020 /* XXX intermediate headers??? */
1021 spidx->ul_proto = nxt;
1022 return;
1023 }
1024 }
1025 }
1026
1027 /* assumes that m is sane */
1028 static int
1029 ipsec4_setspidx_ipaddr(m, spidx)
1030 struct mbuf *m;
1031 struct secpolicyindex *spidx;
1032 {
1033 struct ip *ip = NULL;
1034 struct ip ipbuf;
1035 struct sockaddr_in *sin;
1036
1037 if (m->m_len >= sizeof(*ip))
1038 ip = mtod(m, struct ip *);
1039 else {
1040 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1041 ip = &ipbuf;
1042 }
1043
1044 sin = (struct sockaddr_in *)&spidx->src;
1045 bzero(sin, sizeof(*sin));
1046 sin->sin_family = AF_INET;
1047 sin->sin_len = sizeof(struct sockaddr_in);
1048 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1049 spidx->prefs = sizeof(struct in_addr) << 3;
1050
1051 sin = (struct sockaddr_in *)&spidx->dst;
1052 bzero(sin, sizeof(*sin));
1053 sin->sin_family = AF_INET;
1054 sin->sin_len = sizeof(struct sockaddr_in);
1055 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1056 spidx->prefd = sizeof(struct in_addr) << 3;
1057 return 0;
1058 }
1059
1060 #ifdef INET6
1061 static void
1062 ipsec6_get_ulp(m, spidx, needport)
1063 struct mbuf *m;
1064 struct secpolicyindex *spidx;
1065 int needport;
1066 {
1067 int off, nxt;
1068 struct tcphdr th;
1069 struct udphdr uh;
1070
1071 /* sanity check */
1072 if (m == NULL)
1073 panic("ipsec6_get_ulp: NULL pointer was passed.");
1074
1075 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1076 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1077
1078 /* set default */
1079 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1080 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1081 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1082
1083 nxt = -1;
1084 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1085 if (off < 0 || m->m_pkthdr.len < off)
1086 return;
1087
1088 switch (nxt) {
1089 case IPPROTO_TCP:
1090 spidx->ul_proto = nxt;
1091 if (!needport)
1092 break;
1093 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1094 break;
1095 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1096 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1097 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1098 break;
1099 case IPPROTO_UDP:
1100 spidx->ul_proto = nxt;
1101 if (!needport)
1102 break;
1103 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1104 break;
1105 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1106 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1107 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1108 break;
1109 case IPPROTO_ICMPV6:
1110 default:
1111 /* XXX intermediate headers??? */
1112 spidx->ul_proto = nxt;
1113 break;
1114 }
1115 }
1116
1117 /* assumes that m is sane */
1118 static int
1119 ipsec6_setspidx_ipaddr(m, spidx)
1120 struct mbuf *m;
1121 struct secpolicyindex *spidx;
1122 {
1123 struct ip6_hdr *ip6 = NULL;
1124 struct ip6_hdr ip6buf;
1125 struct sockaddr_in6 *sin6;
1126
1127 if (m->m_len >= sizeof(*ip6))
1128 ip6 = mtod(m, struct ip6_hdr *);
1129 else {
1130 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1131 ip6 = &ip6buf;
1132 }
1133
1134 sin6 = (struct sockaddr_in6 *)&spidx->src;
1135 bzero(sin6, sizeof(*sin6));
1136 sin6->sin6_family = AF_INET6;
1137 sin6->sin6_len = sizeof(struct sockaddr_in6);
1138 sin6->sin6_addr = ip6->ip6_src;
1139 spidx->prefs = sizeof(struct in6_addr) << 3;
1140
1141 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1142 bzero(sin6, sizeof(*sin6));
1143 sin6->sin6_family = AF_INET6;
1144 sin6->sin6_len = sizeof(struct sockaddr_in6);
1145 sin6->sin6_addr = ip6->ip6_dst;
1146 spidx->prefd = sizeof(struct in6_addr) << 3;
1147
1148 return 0;
1149 }
1150 #endif
1151
1152 static struct inpcbpolicy *
1153 ipsec_newpcbpolicy()
1154 {
1155 struct inpcbpolicy *p;
1156
1157 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
1158 return p;
1159 }
1160
1161 static void
1162 ipsec_delpcbpolicy(p)
1163 struct inpcbpolicy *p;
1164 {
1165
1166 free(p, M_SECA);
1167 }
1168
1169 /* initialize policy in PCB */
1170 int
1171 ipsec_init_pcbpolicy(so, pcb_sp)
1172 struct socket *so;
1173 struct inpcbpolicy **pcb_sp;
1174 {
1175 struct inpcbpolicy *new;
1176 static int initialized = 0;
1177 static struct secpolicy *in = NULL, *out = NULL;
1178
1179 /* sanity check. */
1180 if (so == NULL || pcb_sp == NULL)
1181 panic("ipsec_init_pcbpolicy: NULL pointer was passed.");
1182
1183 if (!initialized) {
1184 if ((in = key_newsp(0)) == NULL)
1185 return ENOBUFS;
1186 if ((out = key_newsp(0)) == NULL) {
1187 key_freesp(in);
1188 in = NULL;
1189 return ENOBUFS;
1190 }
1191
1192 in->state = IPSEC_SPSTATE_ALIVE;
1193 in->policy = IPSEC_POLICY_ENTRUST;
1194 in->dir = IPSEC_DIR_INBOUND;
1195 in->readonly = 1;
1196 in->persist = 1;
1197 in->so = NULL;
1198
1199 out->state = IPSEC_SPSTATE_ALIVE;
1200 out->policy = IPSEC_POLICY_ENTRUST;
1201 out->dir = IPSEC_DIR_OUTBOUND;
1202 out->readonly = 1;
1203 out->persist = 1;
1204 out->so = NULL;
1205
1206 initialized++;
1207 }
1208
1209 new = ipsec_newpcbpolicy();
1210 if (new == NULL) {
1211 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n"));
1212 return ENOBUFS;
1213 }
1214 bzero(new, sizeof(*new));
1215
1216 if (so->so_uidinfo->ui_uid == 0) /* XXX */
1217 new->priv = 1;
1218 else
1219 new->priv = 0;
1220
1221 new->sp_in = in;
1222 new->sp_in->refcnt++;
1223 new->sp_out = out;
1224 new->sp_out->refcnt++;
1225
1226 *pcb_sp = new;
1227
1228 return 0;
1229 }
1230
1231 /* copy old ipsec policy into new */
1232 int
1233 ipsec_copy_pcbpolicy(old, new)
1234 struct inpcbpolicy *old, *new;
1235 {
1236
1237 if (new->sp_in)
1238 key_freesp(new->sp_in);
1239 if (old->sp_in->policy == IPSEC_POLICY_IPSEC)
1240 new->sp_in = ipsec_deepcopy_policy(old->sp_in);
1241 else {
1242 new->sp_in = old->sp_in;
1243 new->sp_in->refcnt++;
1244 }
1245
1246 if (new->sp_out)
1247 key_freesp(new->sp_out);
1248 if (old->sp_out->policy == IPSEC_POLICY_IPSEC)
1249 new->sp_out = ipsec_deepcopy_policy(old->sp_out);
1250 else {
1251 new->sp_out = old->sp_out;
1252 new->sp_out->refcnt++;
1253 }
1254
1255 new->priv = old->priv;
1256
1257 return 0;
1258 }
1259
1260 #if 0
1261 static int
1262 ipsec_deepcopy_pcbpolicy(pcb_sp)
1263 struct inpcbpolicy *pcb_sp;
1264 {
1265 struct secpolicy *sp;
1266
1267 sp = ipsec_deepcopy_policy(pcb_sp->sp_in);
1268 if (sp) {
1269 key_freesp(pcb_sp->sp_in);
1270 pcb_sp->sp_in = sp;
1271 } else
1272 return ENOBUFS;
1273
1274 sp = ipsec_deepcopy_policy(pcb_sp->sp_out);
1275 if (sp) {
1276 key_freesp(pcb_sp->sp_out);
1277 pcb_sp->sp_out = sp;
1278 } else
1279 return ENOBUFS;
1280
1281 return 0;
1282 }
1283 #endif
1284
1285 /* deep-copy a policy in PCB */
1286 static struct secpolicy *
1287 ipsec_deepcopy_policy(src)
1288 struct secpolicy *src;
1289 {
1290 struct ipsecrequest *newchain = NULL;
1291 struct ipsecrequest *p;
1292 struct ipsecrequest **q;
1293 struct ipsecrequest *r;
1294 struct secpolicy *dst;
1295
1296 if (src == NULL)
1297 return NULL;
1298
1299 dst = key_newsp(0);
1300 if (dst == NULL)
1301 return NULL;
1302
1303 /*
1304 * deep-copy IPsec request chain. This is required since struct
1305 * ipsecrequest is not reference counted.
1306 */
1307 q = &newchain;
1308 for (p = src->req; p; p = p->next) {
1309 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
1310 M_SECA, M_NOWAIT);
1311 if (*q == NULL)
1312 goto fail;
1313 bzero(*q, sizeof(**q));
1314 (*q)->next = NULL;
1315
1316 (*q)->saidx.proto = p->saidx.proto;
1317 (*q)->saidx.mode = p->saidx.mode;
1318 (*q)->level = p->level;
1319 (*q)->saidx.reqid = p->saidx.reqid;
1320
1321 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1322 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1323
1324 (*q)->sav = NULL;
1325 (*q)->sp = dst;
1326
1327 q = &((*q)->next);
1328 }
1329
1330 if (src->spidx)
1331 if (keydb_setsecpolicyindex(dst, src->spidx) != 0)
1332 goto fail;
1333
1334 dst->req = newchain;
1335 dst->state = src->state;
1336 dst->policy = src->policy;
1337 dst->dir = src->dir;
1338 dst->so = src->so;
1339 /* do not touch the refcnt fields */
1340
1341 return dst;
1342
1343 fail:
1344 for (p = newchain; p; p = r) {
1345 r = p->next;
1346 free(p, M_SECA);
1347 p = NULL;
1348 }
1349 key_freesp(dst);
1350 return NULL;
1351 }
1352
1353 /* set policy and ipsec request if present. */
1354 static int
1355 ipsec_set_policy(struct secpolicy **spp, int optname, caddr_t request,
1356 size_t len, int priv)
1357 {
1358 struct sadb_x_policy *xpl;
1359 struct secpolicy *newsp = NULL;
1360 int error;
1361
1362 /* sanity check. */
1363 if (spp == NULL || *spp == NULL || request == NULL)
1364 return EINVAL;
1365 if (len < sizeof(*xpl))
1366 return EINVAL;
1367 xpl = (struct sadb_x_policy *)request;
1368
1369 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1370 printf("ipsec_set_policy: passed policy\n");
1371 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1372
1373 /* check policy type */
1374 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1375 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
1376 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1377 return EINVAL;
1378
1379 /* check privileged socket */
1380 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1381 return EACCES;
1382
1383 /* allocation new SP entry */
1384 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1385 return error;
1386
1387 newsp->state = IPSEC_SPSTATE_ALIVE;
1388
1389 /* clear old SP and set new SP */
1390 key_freesp(*spp);
1391 *spp = newsp;
1392 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1393 printf("ipsec_set_policy: new policy\n");
1394 kdebug_secpolicy(newsp));
1395
1396 return 0;
1397 }
1398
1399 static int
1400 ipsec_get_policy(sp, mp)
1401 struct secpolicy *sp;
1402 struct mbuf **mp;
1403 {
1404
1405 /* sanity check. */
1406 if (sp == NULL || mp == NULL)
1407 return EINVAL;
1408
1409 *mp = key_sp2msg(sp);
1410 if (!*mp) {
1411 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1412 return ENOBUFS;
1413 }
1414
1415 (*mp)->m_type = MT_SOOPTS;
1416 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1417 printf("ipsec_get_policy:\n");
1418 kdebug_mbuf(*mp));
1419
1420 return 0;
1421 }
1422
1423 int
1424 ipsec4_set_policy(inp, optname, request, len, priv)
1425 struct inpcb *inp;
1426 int optname;
1427 caddr_t request;
1428 size_t len;
1429 int priv;
1430 {
1431 struct sadb_x_policy *xpl;
1432 struct secpolicy **spp;
1433
1434 /* sanity check. */
1435 if (inp == NULL || request == NULL)
1436 return EINVAL;
1437 if (len < sizeof(*xpl))
1438 return EINVAL;
1439 xpl = (struct sadb_x_policy *)request;
1440
1441 /* select direction */
1442 switch (xpl->sadb_x_policy_dir) {
1443 case IPSEC_DIR_INBOUND:
1444 spp = &inp->inp_sp->sp_in;
1445 break;
1446 case IPSEC_DIR_OUTBOUND:
1447 spp = &inp->inp_sp->sp_out;
1448 break;
1449 default:
1450 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1451 xpl->sadb_x_policy_dir));
1452 return EINVAL;
1453 }
1454
1455 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1456 return ipsec_set_policy(spp, optname, request, len, priv);
1457 }
1458
1459 int
1460 ipsec4_get_policy(inp, request, len, mp)
1461 struct inpcb *inp;
1462 caddr_t request;
1463 size_t len;
1464 struct mbuf **mp;
1465 {
1466 struct sadb_x_policy *xpl;
1467 struct secpolicy *sp;
1468
1469 /* sanity check. */
1470 if (inp == NULL || request == NULL || mp == NULL)
1471 return EINVAL;
1472 if (inp->inp_sp == NULL)
1473 panic("policy in PCB is NULL");
1474 if (len < sizeof(*xpl))
1475 return EINVAL;
1476 xpl = (struct sadb_x_policy *)request;
1477
1478 /* select direction */
1479 switch (xpl->sadb_x_policy_dir) {
1480 case IPSEC_DIR_INBOUND:
1481 sp = inp->inp_sp->sp_in;
1482 break;
1483 case IPSEC_DIR_OUTBOUND:
1484 sp = inp->inp_sp->sp_out;
1485 break;
1486 default:
1487 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n",
1488 xpl->sadb_x_policy_dir));
1489 return EINVAL;
1490 }
1491
1492 return ipsec_get_policy(sp, mp);
1493 }
1494
1495 /* delete policy in PCB */
1496 int
1497 ipsec4_delete_pcbpolicy(inp)
1498 struct inpcb *inp;
1499 {
1500 /* sanity check. */
1501 if (inp == NULL)
1502 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1503
1504 if (inp->inp_sp == NULL)
1505 return 0;
1506
1507 if (inp->inp_sp->sp_in != NULL) {
1508 key_freesp(inp->inp_sp->sp_in);
1509 inp->inp_sp->sp_in = NULL;
1510 }
1511
1512 if (inp->inp_sp->sp_out != NULL) {
1513 key_freesp(inp->inp_sp->sp_out);
1514 inp->inp_sp->sp_out = NULL;
1515 }
1516
1517 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1518
1519 ipsec_delpcbpolicy(inp->inp_sp);
1520 inp->inp_sp = NULL;
1521
1522 return 0;
1523 }
1524
1525 #ifdef INET6
1526 int
1527 ipsec6_set_policy(in6p, optname, request, len, priv)
1528 struct in6pcb *in6p;
1529 int optname;
1530 caddr_t request;
1531 size_t len;
1532 int priv;
1533 {
1534 struct sadb_x_policy *xpl;
1535 struct secpolicy **spp;
1536
1537 /* sanity check. */
1538 if (in6p == NULL || request == NULL)
1539 return EINVAL;
1540 if (len < sizeof(*xpl))
1541 return EINVAL;
1542 xpl = (struct sadb_x_policy *)request;
1543
1544 /* select direction */
1545 switch (xpl->sadb_x_policy_dir) {
1546 case IPSEC_DIR_INBOUND:
1547 spp = &in6p->in6p_sp->sp_in;
1548 break;
1549 case IPSEC_DIR_OUTBOUND:
1550 spp = &in6p->in6p_sp->sp_out;
1551 break;
1552 default:
1553 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1554 xpl->sadb_x_policy_dir));
1555 return EINVAL;
1556 }
1557
1558 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1559 return ipsec_set_policy(spp, optname, request, len, priv);
1560 }
1561
1562 int
1563 ipsec6_get_policy(in6p, request, len, mp)
1564 struct in6pcb *in6p;
1565 caddr_t request;
1566 size_t len;
1567 struct mbuf **mp;
1568 {
1569 struct sadb_x_policy *xpl;
1570 struct secpolicy *sp;
1571
1572 /* sanity check. */
1573 if (in6p == NULL || request == NULL || mp == NULL)
1574 return EINVAL;
1575 if (in6p->in6p_sp == NULL)
1576 panic("policy in PCB is NULL");
1577 if (len < sizeof(*xpl))
1578 return EINVAL;
1579 xpl = (struct sadb_x_policy *)request;
1580
1581 /* select direction */
1582 switch (xpl->sadb_x_policy_dir) {
1583 case IPSEC_DIR_INBOUND:
1584 sp = in6p->in6p_sp->sp_in;
1585 break;
1586 case IPSEC_DIR_OUTBOUND:
1587 sp = in6p->in6p_sp->sp_out;
1588 break;
1589 default:
1590 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n",
1591 xpl->sadb_x_policy_dir));
1592 return EINVAL;
1593 }
1594
1595 return ipsec_get_policy(sp, mp);
1596 }
1597
1598 int
1599 ipsec6_delete_pcbpolicy(in6p)
1600 struct in6pcb *in6p;
1601 {
1602 /* sanity check. */
1603 if (in6p == NULL)
1604 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1605
1606 if (in6p->in6p_sp == NULL)
1607 return 0;
1608
1609 if (in6p->in6p_sp->sp_in != NULL) {
1610 key_freesp(in6p->in6p_sp->sp_in);
1611 in6p->in6p_sp->sp_in = NULL;
1612 }
1613
1614 if (in6p->in6p_sp->sp_out != NULL) {
1615 key_freesp(in6p->in6p_sp->sp_out);
1616 in6p->in6p_sp->sp_out = NULL;
1617 }
1618
1619 ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1620
1621 ipsec_delpcbpolicy(in6p->in6p_sp);
1622 in6p->in6p_sp = NULL;
1623
1624 return 0;
1625 }
1626 #endif
1627
1628 /*
1629 * return current level.
1630 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1631 */
1632 u_int
1633 ipsec_get_reqlevel(isr, af)
1634 struct ipsecrequest *isr;
1635 int af;
1636 {
1637 u_int level = 0;
1638 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1639
1640 /* sanity check */
1641 if (isr == NULL || isr->sp == NULL)
1642 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1643
1644 /* set default level */
1645 switch (af) {
1646 #ifdef INET
1647 case AF_INET:
1648 esp_trans_deflev = ip4_esp_trans_deflev;
1649 esp_net_deflev = ip4_esp_net_deflev;
1650 ah_trans_deflev = ip4_ah_trans_deflev;
1651 ah_net_deflev = ip4_ah_net_deflev;
1652 break;
1653 #endif
1654 #ifdef INET6
1655 case AF_INET6:
1656 esp_trans_deflev = ip6_esp_trans_deflev;
1657 esp_net_deflev = ip6_esp_net_deflev;
1658 ah_trans_deflev = ip6_ah_trans_deflev;
1659 ah_net_deflev = ip6_ah_net_deflev;
1660 break;
1661 #endif /* INET6 */
1662 default:
1663 panic("key_get_reqlevel: Unknown family. %d",
1664 ((struct sockaddr *)&isr->sp->spidx->src)->sa_family);
1665 }
1666
1667 /* set level */
1668 switch (isr->level) {
1669 case IPSEC_LEVEL_DEFAULT:
1670 switch (isr->saidx.proto) {
1671 case IPPROTO_ESP:
1672 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1673 level = esp_net_deflev;
1674 else
1675 level = esp_trans_deflev;
1676 break;
1677 case IPPROTO_AH:
1678 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1679 level = ah_net_deflev;
1680 else
1681 level = ah_trans_deflev;
1682 break;
1683 case IPPROTO_IPCOMP:
1684 /*
1685 * we don't really care, as IPcomp document says that
1686 * we shouldn't compress small packets
1687 */
1688 level = IPSEC_LEVEL_USE;
1689 break;
1690 case IPPROTO_IPV4:
1691 case IPPROTO_IPV6:
1692 /* should never go into here */
1693 level = IPSEC_LEVEL_REQUIRE;
1694 break;
1695 default:
1696 panic("ipsec_get_reqlevel: "
1697 "Illegal protocol defined %u\n",
1698 isr->saidx.proto);
1699 }
1700 break;
1701
1702 case IPSEC_LEVEL_USE:
1703 case IPSEC_LEVEL_REQUIRE:
1704 level = isr->level;
1705 break;
1706 case IPSEC_LEVEL_UNIQUE:
1707 level = IPSEC_LEVEL_REQUIRE;
1708 break;
1709
1710 default:
1711 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1712 isr->level);
1713 }
1714
1715 return level;
1716 }
1717
1718 /*
1719 * Check AH/ESP integrity.
1720 * OUT:
1721 * 0: valid
1722 * 1: invalid
1723 */
1724 static int
1725 ipsec_in_reject(sp, m)
1726 struct secpolicy *sp;
1727 struct mbuf *m;
1728 {
1729 struct ipsecrequest *isr;
1730 u_int level;
1731 int need_auth, need_conf, need_icv;
1732
1733 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1734 printf("ipsec_in_reject: using SP\n");
1735 kdebug_secpolicy(sp));
1736
1737 /* check policy */
1738 switch (sp->policy) {
1739 case IPSEC_POLICY_DISCARD:
1740 return 1;
1741 case IPSEC_POLICY_BYPASS:
1742 case IPSEC_POLICY_NONE:
1743 return 0;
1744
1745 case IPSEC_POLICY_IPSEC:
1746 break;
1747
1748 case IPSEC_POLICY_ENTRUST:
1749 default:
1750 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy);
1751 }
1752
1753 need_auth = 0;
1754 need_conf = 0;
1755 need_icv = 0;
1756
1757 /* XXX should compare policy against ipsec header history */
1758
1759 for (isr = sp->req; isr != NULL; isr = isr->next) {
1760 /* get current level */
1761 level = ipsec_get_reqlevel(isr, AF_INET);
1762
1763 switch (isr->saidx.proto) {
1764 case IPPROTO_ESP:
1765 if (level == IPSEC_LEVEL_REQUIRE) {
1766 need_conf++;
1767
1768 if (isr->sav != NULL
1769 && isr->sav->flags == SADB_X_EXT_NONE
1770 && isr->sav->alg_auth != SADB_AALG_NONE)
1771 need_icv++;
1772 }
1773 break;
1774 case IPPROTO_AH:
1775 if (level == IPSEC_LEVEL_REQUIRE) {
1776 need_auth++;
1777 need_icv++;
1778 }
1779 break;
1780 case IPPROTO_IPCOMP:
1781 /*
1782 * we don't really care, as IPcomp document says that
1783 * we shouldn't compress small packets, IPComp policy
1784 * should always be treated as being in "use" level.
1785 */
1786 break;
1787 case IPPROTO_IPV4:
1788 case IPPROTO_IPV6:
1789 /*
1790 * XXX what shall we do, until introducing more complex
1791 * policy checking code?
1792 */
1793 break;
1794 }
1795 }
1796
1797 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1798 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1799 need_auth, need_conf, need_icv, m->m_flags));
1800
1801 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1802 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1803 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1804 return 1;
1805
1806 return 0;
1807 }
1808
1809 /*
1810 * Check AH/ESP integrity.
1811 * This function is called from tcp_input(), udp_input(),
1812 * and {ah,esp}4_input for tunnel mode
1813 */
1814 int
1815 ipsec4_in_reject_so(m, so)
1816 struct mbuf *m;
1817 struct socket *so;
1818 {
1819 struct secpolicy *sp = NULL;
1820 int error;
1821 int result;
1822
1823 /* sanity check */
1824 if (m == NULL)
1825 return 0; /* XXX should be panic ? */
1826
1827 /* get SP for this packet.
1828 * When we are called from ip_forward(), we call
1829 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1830 */
1831 if (so == NULL)
1832 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1833 IP_FORWARDING, &error);
1834 else
1835 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1836
1837 /* XXX should be panic ? -> No, there may be error. */
1838 if (sp == NULL)
1839 return 0;
1840
1841 result = ipsec_in_reject(sp, m);
1842 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1843 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1844 key_freesp(sp);
1845
1846 return result;
1847 }
1848
1849 int
1850 ipsec4_in_reject(m, inp)
1851 struct mbuf *m;
1852 struct inpcb *inp;
1853 {
1854 if (inp == NULL)
1855 return ipsec4_in_reject_so(m, NULL);
1856 if (inp->inp_socket)
1857 return ipsec4_in_reject_so(m, inp->inp_socket);
1858 else
1859 panic("ipsec4_in_reject: invalid inpcb/socket");
1860 }
1861
1862 #ifdef INET6
1863 /*
1864 * Check AH/ESP integrity.
1865 * This function is called from tcp6_input(), udp6_input(),
1866 * and {ah,esp}6_input for tunnel mode
1867 */
1868 int
1869 ipsec6_in_reject_so(m, so)
1870 struct mbuf *m;
1871 struct socket *so;
1872 {
1873 struct secpolicy *sp = NULL;
1874 int error;
1875 int result;
1876
1877 /* sanity check */
1878 if (m == NULL)
1879 return 0; /* XXX should be panic ? */
1880
1881 /* get SP for this packet.
1882 * When we are called from ip_forward(), we call
1883 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1884 */
1885 if (so == NULL)
1886 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1887 IP_FORWARDING, &error);
1888 else
1889 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1890
1891 if (sp == NULL)
1892 return 0; /* XXX should be panic ? */
1893
1894 result = ipsec_in_reject(sp, m);
1895 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1896 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
1897 key_freesp(sp);
1898
1899 return result;
1900 }
1901
1902 int
1903 ipsec6_in_reject(m, in6p)
1904 struct mbuf *m;
1905 struct in6pcb *in6p;
1906 {
1907 if (in6p == NULL)
1908 return ipsec6_in_reject_so(m, NULL);
1909 if (in6p->in6p_socket)
1910 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1911 else
1912 panic("ipsec6_in_reject: invalid in6p/socket");
1913 }
1914 #endif
1915
1916 /*
1917 * compute the byte size to be occupied by IPsec header.
1918 * in case it is tunneled, it includes the size of outer IP header.
1919 * NOTE: SP passed is free in this function.
1920 */
1921 static size_t
1922 ipsec_hdrsiz(sp)
1923 struct secpolicy *sp;
1924 {
1925 struct ipsecrequest *isr;
1926 size_t siz, clen;
1927
1928 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1929 printf("ipsec_hdrsiz: using SP\n");
1930 kdebug_secpolicy(sp));
1931
1932 /* check policy */
1933 switch (sp->policy) {
1934 case IPSEC_POLICY_DISCARD:
1935 case IPSEC_POLICY_BYPASS:
1936 case IPSEC_POLICY_NONE:
1937 return 0;
1938
1939 case IPSEC_POLICY_IPSEC:
1940 break;
1941
1942 case IPSEC_POLICY_ENTRUST:
1943 default:
1944 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1945 }
1946
1947 siz = 0;
1948
1949 for (isr = sp->req; isr != NULL; isr = isr->next) {
1950
1951 clen = 0;
1952
1953 switch (isr->saidx.proto) {
1954 case IPPROTO_ESP:
1955 #ifdef IPSEC_ESP
1956 clen = esp_hdrsiz(isr);
1957 #else
1958 clen = 0; /* XXX */
1959 #endif
1960 break;
1961 case IPPROTO_AH:
1962 clen = ah_hdrsiz(isr);
1963 break;
1964 case IPPROTO_IPCOMP:
1965 clen = sizeof(struct ipcomp);
1966 break;
1967 case IPPROTO_IPV4:
1968 case IPPROTO_IPV6:
1969 /* the next "if" clause will compute it */
1970 clen = 0;
1971 break;
1972 }
1973
1974 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1975 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1976 case AF_INET:
1977 clen += sizeof(struct ip);
1978 break;
1979 #ifdef INET6
1980 case AF_INET6:
1981 clen += sizeof(struct ip6_hdr);
1982 break;
1983 #endif
1984 default:
1985 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1986 "unknown AF %d in IPsec tunnel SA\n",
1987 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1988 break;
1989 }
1990 }
1991 siz += clen;
1992 }
1993
1994 return siz;
1995 }
1996
1997 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1998 size_t
1999 ipsec4_hdrsiz(m, dir, inp)
2000 struct mbuf *m;
2001 u_int dir;
2002 struct inpcb *inp;
2003 {
2004 struct secpolicy *sp = NULL;
2005 int error;
2006 size_t size;
2007
2008 /* sanity check */
2009 if (m == NULL)
2010 return 0; /* XXX should be panic ? */
2011 if (inp != NULL && inp->inp_socket == NULL)
2012 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
2013
2014 /* get SP for this packet.
2015 * When we are called from ip_forward(), we call
2016 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
2017 */
2018 if (inp == NULL)
2019 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2020 else
2021 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
2022
2023 if (sp == NULL)
2024 return 0; /* XXX should be panic ? */
2025
2026 size = ipsec_hdrsiz(sp);
2027 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2028 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
2029 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2030 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
2031 key_freesp(sp);
2032
2033 return size;
2034 }
2035
2036 #ifdef INET6
2037 /* This function is called from ipsec6_hdrsize_tcp(),
2038 * and maybe from ip6_forward.()
2039 */
2040 size_t
2041 ipsec6_hdrsiz(m, dir, in6p)
2042 struct mbuf *m;
2043 u_int dir;
2044 struct in6pcb *in6p;
2045 {
2046 struct secpolicy *sp = NULL;
2047 int error;
2048 size_t size;
2049
2050 /* sanity check */
2051 if (m == NULL)
2052 return 0; /* XXX should be panic ? */
2053 if (in6p != NULL && in6p->in6p_socket == NULL)
2054 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2055
2056 /* get SP for this packet */
2057 /* XXX Is it right to call with IP_FORWARDING. */
2058 if (in6p == NULL)
2059 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2060 else
2061 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
2062
2063 if (sp == NULL)
2064 return 0;
2065 size = ipsec_hdrsiz(sp);
2066 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2067 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
2068 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2069 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
2070 key_freesp(sp);
2071
2072 return size;
2073 }
2074 #endif /* INET6 */
2075
2076 #ifdef INET
2077 /*
2078 * encapsulate for ipsec tunnel.
2079 * ip->ip_src must be fixed later on.
2080 */
2081 static int
2082 ipsec4_encapsulate(m, sav)
2083 struct mbuf *m;
2084 struct secasvar *sav;
2085 {
2086 struct ip *oip;
2087 struct ip *ip;
2088 size_t hlen;
2089 size_t plen;
2090
2091 /* can't tunnel between different AFs */
2092 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2093 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2094 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2095 m_freem(m);
2096 return EINVAL;
2097 }
2098 #if 0
2099 /* XXX if the dst is myself, perform nothing. */
2100 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2101 m_freem(m);
2102 return EINVAL;
2103 }
2104 #endif
2105
2106 if (m->m_len < sizeof(*ip))
2107 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2108
2109 ip = mtod(m, struct ip *);
2110 hlen = ip->ip_hl << 2;
2111
2112 if (m->m_len != hlen)
2113 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2114
2115 /* generate header checksum */
2116 ip->ip_sum = 0;
2117 ip->ip_sum = in_cksum(m, hlen);
2118
2119 plen = m->m_pkthdr.len;
2120
2121 /*
2122 * grow the mbuf to accomodate the new IPv4 header.
2123 * NOTE: IPv4 options will never be copied.
2124 */
2125 if (M_LEADINGSPACE(m->m_next) < hlen) {
2126 struct mbuf *n;
2127 MGET(n, M_DONTWAIT, MT_DATA);
2128 if (!n) {
2129 m_freem(m);
2130 return ENOBUFS;
2131 }
2132 n->m_len = hlen;
2133 n->m_next = m->m_next;
2134 m->m_next = n;
2135 } else {
2136 m->m_next->m_len += hlen;
2137 m->m_next->m_data -= hlen;
2138 }
2139 oip = mtod(m->m_next, struct ip *);
2140 m->m_pkthdr.len += hlen;
2141 ip = mtod(m, struct ip *);
2142 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2143 m->m_len = sizeof(struct ip);
2144 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2145
2146 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2147 /* ECN consideration. */
2148 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2149 ip->ip_hl = sizeof(struct ip) >> 2;
2150 ip->ip_off &= htons(~IP_OFFMASK);
2151 ip->ip_off &= htons(~IP_MF);
2152 switch (ip4_ipsec_dfbit) {
2153 case 0: /* clear DF bit */
2154 ip->ip_off &= htons(~IP_DF);
2155 break;
2156 case 1: /* set DF bit */
2157 ip->ip_off |= htons(IP_DF);
2158 break;
2159 default: /* copy DF bit */
2160 break;
2161 }
2162 ip->ip_p = IPPROTO_IPIP;
2163 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2164 ip->ip_len = htons(plen + sizeof(struct ip));
2165 else {
2166 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2167 "leave ip_len as is (invalid packet)\n"));
2168 }
2169 ip->ip_id = ip_newid();
2170 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2171 &ip->ip_src, sizeof(ip->ip_src));
2172 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2173 &ip->ip_dst, sizeof(ip->ip_dst));
2174 ip->ip_ttl = IPDEFTTL;
2175
2176 /* XXX Should ip_src be updated later ? */
2177
2178 return 0;
2179 }
2180 #endif /* INET */
2181
2182 #ifdef INET6
2183 static int
2184 ipsec6_encapsulate(m, sav)
2185 struct mbuf *m;
2186 struct secasvar *sav;
2187 {
2188 struct ip6_hdr *oip6;
2189 struct ip6_hdr *ip6;
2190 size_t plen;
2191 int error;
2192 struct sockaddr_in6 sa6;
2193
2194 /* can't tunnel between different AFs */
2195 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2196 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2197 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2198 m_freem(m);
2199 return EINVAL;
2200 }
2201 #if 0
2202 /* XXX if the dst is myself, perform nothing. */
2203 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2204 m_freem(m);
2205 return EINVAL;
2206 }
2207 #endif
2208
2209 plen = m->m_pkthdr.len;
2210
2211 /*
2212 * grow the mbuf to accomodate the new IPv6 header.
2213 */
2214 if (m->m_len != sizeof(struct ip6_hdr))
2215 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2216 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2217 struct mbuf *n;
2218 MGET(n, M_DONTWAIT, MT_DATA);
2219 if (!n) {
2220 m_freem(m);
2221 return ENOBUFS;
2222 }
2223 n->m_len = sizeof(struct ip6_hdr);
2224 n->m_next = m->m_next;
2225 m->m_next = n;
2226 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2227 oip6 = mtod(n, struct ip6_hdr *);
2228 } else {
2229 m->m_next->m_len += sizeof(struct ip6_hdr);
2230 m->m_next->m_data -= sizeof(struct ip6_hdr);
2231 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2232 oip6 = mtod(m->m_next, struct ip6_hdr *);
2233 }
2234 ip6 = mtod(m, struct ip6_hdr *);
2235 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2236
2237 /* Fake link-local scope-class addresses */
2238 in6_clearscope(&oip6->ip6_src);
2239 in6_clearscope(&oip6->ip6_dst);
2240
2241 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2242 /* ECN consideration. */
2243 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2244 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2245 ip6->ip6_plen = htons(plen);
2246 else {
2247 /* ip6->ip6_plen will be updated in ip6_output() */
2248 }
2249 ip6->ip6_nxt = IPPROTO_IPV6;
2250
2251 sa6 = *(struct sockaddr_in6 *)&sav->sah->saidx.src;
2252 if ((error = sa6_embedscope(&sa6, 0)) != 0)
2253 return (error);
2254 ip6->ip6_src = sa6.sin6_addr;
2255
2256 sa6 = *(struct sockaddr_in6 *)&sav->sah->saidx.dst;
2257 if ((error = sa6_embedscope(&sa6, 0)) != 0)
2258 return (error);
2259 ip6->ip6_dst = sa6.sin6_addr;
2260
2261 ip6->ip6_hlim = IPV6_DEFHLIM;
2262
2263 /* XXX Should ip6_src be updated later ? */
2264
2265 return 0;
2266 }
2267 #endif /* INET6 */
2268
2269 /*
2270 * Check the variable replay window.
2271 * ipsec_chkreplay() performs replay check before ICV verification.
2272 * ipsec_updatereplay() updates replay bitmap. This must be called after
2273 * ICV verification (it also performs replay check, which is usually done
2274 * beforehand).
2275 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2276 *
2277 * based on RFC 2401.
2278 *
2279 * XXX need to update for 64bit sequence number - 2401bis
2280 */
2281 int
2282 ipsec_chkreplay(seq, sav)
2283 u_int32_t seq;
2284 struct secasvar *sav;
2285 {
2286 const struct secreplay *replay;
2287 u_int32_t diff;
2288 int fr;
2289 u_int32_t wsizeb; /* constant: bits of window size */
2290 int frlast; /* constant: last frame */
2291
2292 /* sanity check */
2293 if (sav == NULL)
2294 panic("ipsec_chkreplay: NULL pointer was passed.");
2295
2296 replay = sav->replay;
2297
2298 if (replay->wsize == 0)
2299 return 1; /* no need to check replay. */
2300
2301 /* constant */
2302 frlast = replay->wsize - 1;
2303 wsizeb = replay->wsize << 3;
2304
2305 /* sequence number of 0 is invalid */
2306 if (seq == 0)
2307 return 0;
2308
2309 /* first time is always okay */
2310 if (replay->count == 0)
2311 return 1;
2312
2313 if (seq > replay->lastseq) {
2314 /* larger sequences are okay */
2315 return 1;
2316 } else {
2317 /* seq is equal or less than lastseq. */
2318 diff = replay->lastseq - seq;
2319
2320 /* over range to check, i.e. too old or wrapped */
2321 if (diff >= wsizeb)
2322 return 0;
2323
2324 fr = frlast - diff / 8;
2325
2326 /* this packet already seen ? */
2327 if (replay->bitmap[fr] & (1 << (diff % 8)))
2328 return 0;
2329
2330 /* out of order but good */
2331 return 1;
2332 }
2333 }
2334
2335 /*
2336 * check replay counter whether to update or not.
2337 * OUT: 0: OK
2338 * 1: NG
2339 * XXX need to update for 64bit sequence number - 2401bis
2340 */
2341 int
2342 ipsec_updatereplay(seq, sav)
2343 u_int32_t seq;
2344 struct secasvar *sav;
2345 {
2346 struct secreplay *replay;
2347 u_int64_t diff;
2348 int fr;
2349 u_int32_t wsizeb; /* constant: bits of window size */
2350 int frlast; /* constant: last frame */
2351
2352 /* sanity check */
2353 if (sav == NULL)
2354 panic("ipsec_chkreplay: NULL pointer was passed.");
2355
2356 replay = sav->replay;
2357
2358 if (replay->wsize == 0)
2359 goto ok; /* no need to check replay. */
2360
2361 /* constant */
2362 frlast = replay->wsize - 1;
2363 wsizeb = replay->wsize << 3;
2364
2365 /* sequence number of 0 is invalid */
2366 if (seq == 0)
2367 return 1;
2368
2369 /* first time */
2370 if (replay->count == 0) {
2371 replay->lastseq = seq;
2372 bzero(replay->bitmap, replay->wsize);
2373 replay->bitmap[frlast] = 1;
2374 goto ok;
2375 }
2376
2377 if (seq > replay->lastseq) {
2378 /* seq is larger than lastseq. */
2379 diff = seq - replay->lastseq;
2380
2381 /* new larger sequence number */
2382 if (diff < wsizeb) {
2383 /* In window */
2384 /* set bit for this packet */
2385 vshiftl(replay->bitmap, diff, replay->wsize);
2386 replay->bitmap[frlast] |= 1;
2387 } else {
2388 /* this packet has a "way larger" */
2389 bzero(replay->bitmap, replay->wsize);
2390 replay->bitmap[frlast] = 1;
2391 }
2392 replay->lastseq = seq;
2393
2394 /* larger is good */
2395 } else {
2396 /* seq is equal or less than lastseq. */
2397 diff = replay->lastseq - seq;
2398
2399 /* over range to check, i.e. too old or wrapped */
2400 if (diff >= wsizeb)
2401 return 1;
2402
2403 fr = frlast - diff / 8;
2404
2405 /* this packet already seen ? */
2406 if (replay->bitmap[fr] & (1 << (diff % 8)))
2407 return 1;
2408
2409 /* mark as seen */
2410 replay->bitmap[fr] |= (1 << (diff % 8));
2411
2412 /* out of order but good */
2413 }
2414
2415 ok:
2416 if (replay->count == 0xffffffff) {
2417
2418 /* set overflow flag */
2419 replay->overflow++;
2420
2421 /* don't increment, no more packets accepted */
2422 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2423 return 1;
2424
2425 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2426 replay->overflow, ipsec_logsastr(sav)));
2427 }
2428
2429 replay->count++;
2430
2431 return 0;
2432 }
2433
2434 /*
2435 * shift variable length buffer to left.
2436 * IN: bitmap: pointer to the buffer
2437 * nbit: the number of to shift.
2438 * wsize: buffer size (bytes).
2439 */
2440 static void
2441 vshiftl(bitmap, nbit, wsize)
2442 unsigned char *bitmap;
2443 int nbit, wsize;
2444 {
2445 int s, j, i;
2446 unsigned char over;
2447
2448 for (j = 0; j < nbit; j += 8) {
2449 s = (nbit - j < 8) ? (nbit - j): 8;
2450 bitmap[0] <<= s;
2451 for (i = 1; i < wsize; i++) {
2452 over = (bitmap[i] >> (8 - s));
2453 bitmap[i] <<= s;
2454 bitmap[i - 1] |= over;
2455 }
2456 }
2457
2458 return;
2459 }
2460
2461 const char *
2462 ipsec4_logpacketstr(ip, spi)
2463 struct ip *ip;
2464 u_int32_t spi;
2465 {
2466 static char buf[256];
2467 char *p;
2468 u_int8_t *s, *d;
2469
2470 s = (u_int8_t *)(&ip->ip_src);
2471 d = (u_int8_t *)(&ip->ip_dst);
2472
2473 p = buf;
2474 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2475 while (p && *p)
2476 p++;
2477 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2478 s[0], s[1], s[2], s[3]);
2479 while (p && *p)
2480 p++;
2481 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2482 d[0], d[1], d[2], d[3]);
2483 while (p && *p)
2484 p++;
2485 snprintf(p, sizeof(buf) - (p - buf), ")");
2486
2487 return buf;
2488 }
2489
2490 #ifdef INET6
2491 const char *
2492 ipsec6_logpacketstr(ip6, spi)
2493 struct ip6_hdr *ip6;
2494 u_int32_t spi;
2495 {
2496 static char buf[256];
2497 char *p;
2498
2499 p = buf;
2500 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2501 while (p && *p)
2502 p++;
2503 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2504 ip6_sprintf(&ip6->ip6_src));
2505 while (p && *p)
2506 p++;
2507 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2508 ip6_sprintf(&ip6->ip6_dst));
2509 while (p && *p)
2510 p++;
2511 snprintf(p, sizeof(buf) - (p - buf), ")");
2512
2513 return buf;
2514 }
2515 #endif /* INET6 */
2516
2517 const char *
2518 ipsec_logsastr(sav)
2519 struct secasvar *sav;
2520 {
2521 static char buf[256];
2522 char *p;
2523 struct secasindex *saidx = &sav->sah->saidx;
2524
2525 /* validity check */
2526 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2527 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2528 panic("ipsec_logsastr: family mismatched.");
2529
2530 p = buf;
2531 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2532 while (p && *p)
2533 p++;
2534 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2535 u_int8_t *s, *d;
2536 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2537 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2538 snprintf(p, sizeof(buf) - (p - buf),
2539 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2540 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2541 }
2542 #ifdef INET6
2543 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2544 snprintf(p, sizeof(buf) - (p - buf),
2545 "src=%s",
2546 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2547 while (p && *p)
2548 p++;
2549 snprintf(p, sizeof(buf) - (p - buf),
2550 " dst=%s",
2551 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2552 }
2553 #endif
2554 while (p && *p)
2555 p++;
2556 snprintf(p, sizeof(buf) - (p - buf), ")");
2557
2558 return buf;
2559 }
2560
2561 void
2562 ipsec_dumpmbuf(m)
2563 struct mbuf *m;
2564 {
2565 int totlen;
2566 int i;
2567 u_char *p;
2568
2569 totlen = 0;
2570 printf("---\n");
2571 while (m) {
2572 p = mtod(m, u_char *);
2573 for (i = 0; i < m->m_len; i++) {
2574 printf("%02x ", p[i]);
2575 totlen++;
2576 if (totlen % 16 == 0)
2577 printf("\n");
2578 }
2579 m = m->m_next;
2580 }
2581 if (totlen % 16 != 0)
2582 printf("\n");
2583 printf("---\n");
2584 }
2585
2586 #ifdef INET
2587 static int
2588 ipsec4_checksa(isr, state)
2589 struct ipsecrequest *isr;
2590 struct ipsec_output_state *state;
2591 {
2592 struct ip *ip;
2593 struct secasindex saidx;
2594 struct sockaddr_in *sin;
2595
2596 /* make SA index for search proper SA */
2597 ip = mtod(state->m, struct ip *);
2598 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2599 saidx.mode = isr->saidx.mode;
2600 saidx.reqid = isr->saidx.reqid;
2601 sin = (struct sockaddr_in *)&saidx.src;
2602 if (sin->sin_len == 0) {
2603 bzero(sin, sizeof(*sin));
2604 sin->sin_len = sizeof(*sin);
2605 sin->sin_family = AF_INET;
2606 sin->sin_port = IPSEC_PORT_ANY;
2607 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
2608 }
2609 sin = (struct sockaddr_in *)&saidx.dst;
2610 if (sin->sin_len == 0) {
2611 bzero(sin, sizeof(*sin));
2612 sin->sin_len = sizeof(*sin);
2613 sin->sin_family = AF_INET;
2614 sin->sin_port = IPSEC_PORT_ANY;
2615 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
2616 }
2617
2618 return key_checkrequest(isr, &saidx);
2619 }
2620 /*
2621 * IPsec output logic for IPv4.
2622 */
2623 int
2624 ipsec4_output(struct ipsec_output_state *state, struct secpolicy *sp,
2625 int flags)
2626 {
2627 struct ip *ip = NULL;
2628 struct ipsecrequest *isr = NULL;
2629 int s;
2630 int error;
2631 struct sockaddr_in *dst4;
2632
2633 if (!state)
2634 panic("state == NULL in ipsec4_output");
2635 if (!state->m)
2636 panic("state->m == NULL in ipsec4_output");
2637 if (!state->ro)
2638 panic("state->ro == NULL in ipsec4_output");
2639 if (!state->dst)
2640 panic("state->dst == NULL in ipsec4_output");
2641 state->encap = 0;
2642
2643 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2644 printf("ipsec4_output: applyed SP\n");
2645 kdebug_secpolicy(sp));
2646
2647 for (isr = sp->req; isr != NULL; isr = isr->next) {
2648
2649 #if 0 /* give up to check restriction of transport mode */
2650 /* XXX but should be checked somewhere */
2651 /*
2652 * some of the IPsec operation must be performed only in
2653 * originating case.
2654 */
2655 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2656 && (flags & IP_FORWARDING))
2657 continue;
2658 #endif
2659 error = ipsec4_checksa(isr, state);
2660 if (error != 0) {
2661 /*
2662 * IPsec processing is required, but no SA found.
2663 * I assume that key_acquire() had been called
2664 * to get/establish the SA. Here I discard
2665 * this packet because it is responsibility for
2666 * upper layer to retransmit the packet.
2667 */
2668 ipsecstat.out_nosa++;
2669 goto bad;
2670 }
2671
2672 /* validity check */
2673 if (isr->sav == NULL) {
2674 switch (ipsec_get_reqlevel(isr, AF_INET)) {
2675 case IPSEC_LEVEL_USE:
2676 continue;
2677 case IPSEC_LEVEL_REQUIRE:
2678 if (isr->saidx.proto == AF_INET ||
2679 isr->saidx.proto == AF_INET6)
2680 break;
2681 /* must be not reached here. */
2682 panic("ipsec4_output: no SA found, but required.");
2683 }
2684 }
2685
2686 /*
2687 * If there is no valid SA, we give up to process any
2688 * more. In such a case, the SA's status is changed
2689 * from DYING to DEAD after allocating. If a packet
2690 * send to the receiver by dead SA, the receiver can
2691 * not decode a packet because SA has been dead.
2692 */
2693 if (isr->sav->state != SADB_SASTATE_MATURE
2694 && isr->sav->state != SADB_SASTATE_DYING) {
2695 ipsecstat.out_nosa++;
2696 error = EINVAL;
2697 goto bad;
2698 }
2699
2700 /*
2701 * There may be the case that SA status will be changed when
2702 * we are refering to one. So calling splsoftnet().
2703 */
2704 s = splsoftnet();
2705
2706 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2707 /*
2708 * build IPsec tunnel.
2709 */
2710 /* XXX should be processed with other familiy */
2711 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2712 ipseclog((LOG_ERR, "ipsec4_output: "
2713 "family mismatched between inner and outer spi=%u\n",
2714 (u_int32_t)ntohl(isr->sav->spi)));
2715 splx(s);
2716 error = EAFNOSUPPORT;
2717 goto bad;
2718 }
2719
2720 state->m = ipsec4_splithdr(state->m);
2721 if (!state->m) {
2722 splx(s);
2723 error = ENOMEM;
2724 goto bad;
2725 }
2726 error = ipsec4_encapsulate(state->m, isr->sav);
2727 splx(s);
2728 if (error) {
2729 state->m = NULL;
2730 goto bad;
2731 }
2732 ip = mtod(state->m, struct ip *);
2733
2734 state->ro = &isr->sav->sah->sa_route;
2735 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2736 dst4 = (struct sockaddr_in *)state->dst;
2737 if (state->ro->ro_rt
2738 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2739 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2740 RTFREE(state->ro->ro_rt);
2741 bzero((caddr_t)state->ro, sizeof (*state->ro));
2742 }
2743 if (state->ro->ro_rt == 0) {
2744 dst4->sin_family = AF_INET;
2745 dst4->sin_len = sizeof(*dst4);
2746 dst4->sin_addr = ip->ip_dst;
2747 rtalloc(state->ro);
2748 }
2749 if (state->ro->ro_rt == 0) {
2750 ipstat.ips_noroute++;
2751 error = EHOSTUNREACH;
2752 goto bad;
2753 }
2754
2755 /* adjust state->dst if tunnel endpoint is offlink */
2756 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2757 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2758 dst4 = (struct sockaddr_in *)state->dst;
2759 }
2760
2761 state->encap++;
2762 } else
2763 splx(s);
2764
2765 state->m = ipsec4_splithdr(state->m);
2766 if (!state->m) {
2767 error = ENOMEM;
2768 goto bad;
2769 }
2770 switch (isr->saidx.proto) {
2771 case IPPROTO_ESP:
2772 #ifdef IPSEC_ESP
2773 if ((error = esp4_output(state->m, isr)) != 0) {
2774 state->m = NULL;
2775 goto bad;
2776 }
2777 break;
2778 #else
2779 m_freem(state->m);
2780 state->m = NULL;
2781 error = EINVAL;
2782 goto bad;
2783 #endif
2784 case IPPROTO_AH:
2785 if ((error = ah4_output(state->m, isr)) != 0) {
2786 state->m = NULL;
2787 goto bad;
2788 }
2789 break;
2790 case IPPROTO_IPCOMP:
2791 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2792 state->m = NULL;
2793 goto bad;
2794 }
2795 break;
2796 case IPPROTO_IPV4:
2797 break;
2798 case IPPROTO_IPV6:
2799 ipseclog((LOG_ERR, "ipsec4_output: "
2800 "family mismatched between inner and outer "
2801 "header\n"));
2802 error = EAFNOSUPPORT;
2803 goto bad;
2804 default:
2805 ipseclog((LOG_ERR,
2806 "ipsec4_output: unknown ipsec protocol %d\n",
2807 isr->saidx.proto));
2808 m_freem(state->m);
2809 state->m = NULL;
2810 error = EINVAL;
2811 goto bad;
2812 }
2813
2814 if (state->m == 0) {
2815 error = ENOMEM;
2816 goto bad;
2817 }
2818 ip = mtod(state->m, struct ip *);
2819 }
2820
2821 return 0;
2822
2823 bad:
2824 m_freem(state->m);
2825 state->m = NULL;
2826 return error;
2827 }
2828 #endif
2829
2830 #ifdef INET6
2831 static int
2832 ipsec6_checksa(isr, state, tunnel)
2833 struct ipsecrequest *isr;
2834 struct ipsec_output_state *state;
2835 int tunnel;
2836 {
2837 struct ip6_hdr *ip6;
2838 struct secasindex saidx;
2839 struct sockaddr_in6 *sin6;
2840
2841 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2842 #ifdef DIAGNOSTIC
2843 if (!tunnel)
2844 panic("ipsec6_checksa/inconsistent tunnel attribute");
2845 #endif
2846 /* When tunnel mode, SA peers must be specified. */
2847 return key_checkrequest(isr, &isr->saidx);
2848 }
2849
2850 /* make SA index for search proper SA */
2851 ip6 = mtod(state->m, struct ip6_hdr *);
2852 if (tunnel) {
2853 bzero(&saidx, sizeof(saidx));
2854 saidx.proto = isr->saidx.proto;
2855 } else
2856 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2857 saidx.mode = isr->saidx.mode;
2858 saidx.reqid = isr->saidx.reqid;
2859 sin6 = (struct sockaddr_in6 *)&saidx.src;
2860 if (sin6->sin6_len == 0 || tunnel) {
2861 bzero(sin6, sizeof(*sin6));
2862 sin6->sin6_len = sizeof(*sin6);
2863 sin6->sin6_family = AF_INET6;
2864 sin6->sin6_port = IPSEC_PORT_ANY;
2865 sin6->sin6_addr = ip6->ip6_src;
2866 }
2867 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2868 if (sin6->sin6_len == 0 || tunnel) {
2869 bzero(sin6, sizeof(*sin6));
2870 sin6->sin6_len = sizeof(*sin6);
2871 sin6->sin6_family = AF_INET6;
2872 sin6->sin6_port = IPSEC_PORT_ANY;
2873 sin6->sin6_addr = ip6->ip6_dst;
2874 }
2875
2876 return key_checkrequest(isr, &saidx);
2877 }
2878 /*
2879 * IPsec output logic for IPv6, transport mode.
2880 */
2881 int
2882 ipsec6_output_trans(struct ipsec_output_state *state, u_char *nexthdrp,
2883 struct mbuf *mprev, struct secpolicy *sp, int flags, int *tun)
2884 {
2885 struct ip6_hdr *ip6;
2886 struct ipsecrequest *isr = NULL;
2887 int error = 0;
2888 int plen;
2889
2890 if (!state)
2891 panic("state == NULL in ipsec6_output_trans");
2892 if (!state->m)
2893 panic("state->m == NULL in ipsec6_output_trans");
2894 if (!nexthdrp)
2895 panic("nexthdrp == NULL in ipsec6_output_trans");
2896 if (!mprev)
2897 panic("mprev == NULL in ipsec6_output_trans");
2898 if (!sp)
2899 panic("sp == NULL in ipsec6_output_trans");
2900 if (!tun)
2901 panic("tun == NULL in ipsec6_output_trans");
2902
2903 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2904 printf("ipsec6_output_trans: applyed SP\n");
2905 kdebug_secpolicy(sp));
2906
2907 *tun = 0;
2908 for (isr = sp->req; isr; isr = isr->next) {
2909 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2910 /* the rest will be handled by ipsec6_output_tunnel() */
2911 break;
2912 }
2913
2914 error = ipsec6_checksa(isr, state, 0);
2915 if (error == ENOENT) {
2916 /*
2917 * IPsec processing is required, but no SA found.
2918 * I assume that key_acquire() had been called
2919 * to get/establish the SA. Here I discard
2920 * this packet because it is responsibility for
2921 * upper layer to retransmit the packet.
2922 */
2923 ipsec6stat.out_nosa++;
2924
2925 /*
2926 * Notify the fact that the packet is discarded
2927 * to ourselves. I believe this is better than
2928 * just silently discarding. (jinmei@kame.net)
2929 * XXX: should we restrict the error to TCP packets?
2930 * XXX: should we directly notify sockets via
2931 * pfctlinputs?
2932 *
2933 * Noone have initialized rcvif until this point,
2934 * so clear it.
2935 */
2936 if ((state->m->m_flags & M_PKTHDR) != 0)
2937 state->m->m_pkthdr.rcvif = NULL;
2938 icmp6_error(state->m, ICMP6_DST_UNREACH,
2939 ICMP6_DST_UNREACH_ADMIN, 0);
2940 state->m = NULL; /* icmp6_error freed the mbuf */
2941 goto bad;
2942 }
2943
2944 /* validity check */
2945 if (isr->sav == NULL) {
2946 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
2947 case IPSEC_LEVEL_USE:
2948 continue;
2949 case IPSEC_LEVEL_REQUIRE:
2950 /* must be not reached here. */
2951 panic("ipsec6_output_trans: no SA found, but required.");
2952 }
2953 }
2954
2955 /*
2956 * If there is no valid SA, we give up to process.
2957 * see same place at ipsec4_output().
2958 */
2959 if (isr->sav->state != SADB_SASTATE_MATURE
2960 && isr->sav->state != SADB_SASTATE_DYING) {
2961 ipsec6stat.out_nosa++;
2962 error = EINVAL;
2963 goto bad;
2964 }
2965
2966 switch (isr->saidx.proto) {
2967 case IPPROTO_ESP:
2968 #ifdef IPSEC_ESP
2969 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2970 #else
2971 m_freem(state->m);
2972 error = EINVAL;
2973 #endif
2974 break;
2975 case IPPROTO_AH:
2976 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2977 break;
2978 case IPPROTO_IPCOMP:
2979 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2980 break;
2981 default:
2982 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2983 "unknown ipsec protocol %d\n", isr->saidx.proto));
2984 m_freem(state->m);
2985 ipsec6stat.out_inval++;
2986 error = EINVAL;
2987 break;
2988 }
2989 if (error) {
2990 state->m = NULL;
2991 goto bad;
2992 }
2993 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2994 if (plen > IPV6_MAXPACKET) {
2995 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2996 "IPsec with IPv6 jumbogram is not supported\n"));
2997 ipsec6stat.out_inval++;
2998 error = EINVAL; /* XXX */
2999 goto bad;
3000 }
3001 ip6 = mtod(state->m, struct ip6_hdr *);
3002 ip6->ip6_plen = htons(plen);
3003 }
3004
3005 /* if we have more to go, we need a tunnel mode processing */
3006 if (isr != NULL)
3007 *tun = 1;
3008
3009 return 0;
3010
3011 bad:
3012 m_freem(state->m);
3013 state->m = NULL;
3014 return error;
3015 }
3016
3017 /*
3018 * IPsec output logic for IPv6, tunnel mode.
3019 */
3020 int
3021 ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp,
3022 int flags)
3023 {
3024 struct ip6_hdr *ip6;
3025 struct ipsecrequest *isr = NULL;
3026 int error = 0;
3027 int plen;
3028 struct sockaddr_in6* dst6;
3029 int s;
3030
3031 if (!state)
3032 panic("state == NULL in ipsec6_output_tunnel");
3033 if (!state->m)
3034 panic("state->m == NULL in ipsec6_output_tunnel");
3035 if (!sp)
3036 panic("sp == NULL in ipsec6_output_tunnel");
3037
3038 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3039 printf("ipsec6_output_tunnel: applyed SP\n");
3040 kdebug_secpolicy(sp));
3041
3042 /*
3043 * transport mode ipsec (before the 1st tunnel mode) is already
3044 * processed by ipsec6_output_trans().
3045 */
3046 for (isr = sp->req; isr; isr = isr->next) {
3047 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
3048 break;
3049 }
3050
3051 for (/* already initialized */; isr; isr = isr->next) {
3052 error = ipsec6_checksa(isr, state, 1);
3053 if (error == ENOENT) {
3054 /*
3055 * IPsec processing is required, but no SA found.
3056 * I assume that key_acquire() had been called
3057 * to get/establish the SA. Here I discard
3058 * this packet because it is responsibility for
3059 * upper layer to retransmit the packet.
3060 */
3061 ipsec6stat.out_nosa++;
3062 error = ENOENT;
3063 goto bad;
3064 }
3065
3066 /* validity check */
3067 if (isr->sav == NULL) {
3068 switch (ipsec_get_reqlevel(isr, AF_INET6)) {
3069 case IPSEC_LEVEL_USE:
3070 continue;
3071 case IPSEC_LEVEL_REQUIRE:
3072 /* must be not reached here. */
3073 panic("ipsec6_output_tunnel: no SA found, but required.");
3074 }
3075 }
3076
3077 /*
3078 * If there is no valid SA, we give up to process.
3079 * see same place at ipsec4_output().
3080 */
3081 if (isr->sav->state != SADB_SASTATE_MATURE
3082 && isr->sav->state != SADB_SASTATE_DYING) {
3083 ipsec6stat.out_nosa++;
3084 error = EINVAL;
3085 goto bad;
3086 }
3087
3088 /*
3089 * There may be the case that SA status will be changed when
3090 * we are refering to one. So calling splsoftnet().
3091 */
3092 s = splsoftnet();
3093
3094 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3095 /*
3096 * build IPsec tunnel.
3097 */
3098 /* XXX should be processed with other familiy */
3099 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
3100 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3101 "family mismatched between inner and outer, spi=%u\n",
3102 (u_int32_t)ntohl(isr->sav->spi)));
3103 splx(s);
3104 ipsec6stat.out_inval++;
3105 error = EAFNOSUPPORT;
3106 goto bad;
3107 }
3108
3109 state->m = ipsec6_splithdr(state->m);
3110 if (!state->m) {
3111 splx(s);
3112 ipsec6stat.out_nomem++;
3113 error = ENOMEM;
3114 goto bad;
3115 }
3116 error = ipsec6_encapsulate(state->m, isr->sav);
3117 splx(s);
3118 if (error) {
3119 state->m = 0;
3120 goto bad;
3121 }
3122 ip6 = mtod(state->m, struct ip6_hdr *);
3123
3124 state->ro = &isr->sav->sah->sa_route;
3125 state->dst = (struct sockaddr *)&state->ro->ro_dst;
3126 dst6 = (struct sockaddr_in6 *)state->dst;
3127 if (state->ro->ro_rt
3128 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
3129 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
3130 RTFREE(state->ro->ro_rt);
3131 bzero((caddr_t)state->ro, sizeof (*state->ro));
3132 }
3133 if (state->ro->ro_rt == 0) {
3134 bzero(dst6, sizeof(*dst6));
3135 dst6->sin6_family = AF_INET6;
3136 dst6->sin6_len = sizeof(*dst6);
3137 dst6->sin6_addr = ip6->ip6_dst;
3138 rtalloc(state->ro);
3139 }
3140 if (state->ro->ro_rt == 0) {
3141 ip6stat.ip6s_noroute++;
3142 ipsec6stat.out_noroute++;
3143 error = EHOSTUNREACH;
3144 goto bad;
3145 }
3146
3147 /* adjust state->dst if tunnel endpoint is offlink */
3148 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3149 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3150 dst6 = (struct sockaddr_in6 *)state->dst;
3151 }
3152 } else
3153 splx(s);
3154
3155 state->m = ipsec6_splithdr(state->m);
3156 if (!state->m) {
3157 ipsec6stat.out_nomem++;
3158 error = ENOMEM;
3159 goto bad;
3160 }
3161 ip6 = mtod(state->m, struct ip6_hdr *);
3162 switch (isr->saidx.proto) {
3163 case IPPROTO_ESP:
3164 #ifdef IPSEC_ESP
3165 error = esp6_output(state->m, &ip6->ip6_nxt,
3166 state->m->m_next, isr);
3167 #else
3168 m_freem(state->m);
3169 error = EINVAL;
3170 #endif
3171 break;
3172 case IPPROTO_AH:
3173 error = ah6_output(state->m, &ip6->ip6_nxt,
3174 state->m->m_next, isr);
3175 break;
3176 case IPPROTO_IPCOMP:
3177 /* XXX code should be here */
3178 /* FALLTHROUGH */
3179 default:
3180 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3181 "unknown ipsec protocol %d\n", isr->saidx.proto));
3182 m_freem(state->m);
3183 ipsec6stat.out_inval++;
3184 error = EINVAL;
3185 break;
3186 }
3187 if (error) {
3188 state->m = NULL;
3189 goto bad;
3190 }
3191 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3192 if (plen > IPV6_MAXPACKET) {
3193 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3194 "IPsec with IPv6 jumbogram is not supported\n"));
3195 ipsec6stat.out_inval++;
3196 error = EINVAL; /* XXX */
3197 goto bad;
3198 }
3199 ip6 = mtod(state->m, struct ip6_hdr *);
3200 ip6->ip6_plen = htons(plen);
3201 }
3202
3203 return 0;
3204
3205 bad:
3206 m_freem(state->m);
3207 state->m = NULL;
3208 return error;
3209 }
3210 #endif /* INET6 */
3211
3212 #ifdef INET
3213 /*
3214 * Chop IP header and option off from the payload.
3215 */
3216 static struct mbuf *
3217 ipsec4_splithdr(m)
3218 struct mbuf *m;
3219 {
3220 struct mbuf *mh;
3221 struct ip *ip;
3222 int hlen;
3223
3224 if (m->m_len < sizeof(struct ip)) {
3225 /* XXX Print and drop until we understand. */
3226 printf("ipsec4_splithdr: m->m_len %d m_length %d < %zu\n",
3227 m->m_len, m_length(m), sizeof(struct ip));
3228 m_freem(m);
3229 return NULL;
3230 #if 0
3231 panic("ipsec4_splithdr: first mbuf too short");
3232 #endif
3233 }
3234 ip = mtod(m, struct ip *);
3235 hlen = ip->ip_hl << 2;
3236 if (m->m_len > hlen) {
3237 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3238 if (!mh) {
3239 m_freem(m);
3240 return NULL;
3241 }
3242 M_MOVE_PKTHDR(mh, m);
3243 MH_ALIGN(mh, hlen);
3244 m->m_len -= hlen;
3245 m->m_data += hlen;
3246 mh->m_next = m;
3247 m = mh;
3248 m->m_len = hlen;
3249 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3250 } else if (m->m_len < hlen) {
3251 m = m_pullup(m, hlen);
3252 if (!m)
3253 return NULL;
3254 }
3255 return m;
3256 }
3257 #endif
3258
3259 #ifdef INET6
3260 static struct mbuf *
3261 ipsec6_splithdr(m)
3262 struct mbuf *m;
3263 {
3264 struct mbuf *mh;
3265 struct ip6_hdr *ip6;
3266 int hlen;
3267
3268 if (m->m_len < sizeof(struct ip6_hdr))
3269 panic("ipsec6_splithdr: first mbuf too short");
3270 ip6 = mtod(m, struct ip6_hdr *);
3271 hlen = sizeof(struct ip6_hdr);
3272 if (m->m_len > hlen) {
3273 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3274 if (!mh) {
3275 m_freem(m);
3276 return NULL;
3277 }
3278 M_MOVE_PKTHDR(mh, m);
3279 MH_ALIGN(mh, hlen);
3280 m->m_len -= hlen;
3281 m->m_data += hlen;
3282 mh->m_next = m;
3283 m = mh;
3284 m->m_len = hlen;
3285 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3286 } else if (m->m_len < hlen) {
3287 m = m_pullup(m, hlen);
3288 if (!m)
3289 return NULL;
3290 }
3291 return m;
3292 }
3293 #endif
3294
3295 /* validate inbound IPsec tunnel packet. */
3296 int
3297 ipsec4_tunnel_validate(ip, nxt0, sav)
3298 struct ip *ip;
3299 u_int nxt0;
3300 struct secasvar *sav;
3301 {
3302 u_int8_t nxt = nxt0 & 0xff;
3303 struct sockaddr_in *sin;
3304 int hlen;
3305
3306 if (nxt != IPPROTO_IPV4)
3307 return 0;
3308 /* do not decapsulate if the SA is for transport mode only */
3309 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3310 return 0;
3311 hlen = ip->ip_hl << 2;
3312 if (hlen != sizeof(struct ip))
3313 return 0;
3314 switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
3315 case AF_INET:
3316 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3317 if (bcmp(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)) != 0)
3318 return 0;
3319 break;
3320 #ifdef INET6
3321 case AF_INET6:
3322 /* should be supported, but at this moment we don't. */
3323 /*FALLTHROUGH*/
3324 #endif
3325 default:
3326 return 0;
3327 }
3328
3329 return 1;
3330 }
3331
3332 #ifdef INET6
3333 /* validate inbound IPsec tunnel packet. */
3334 int
3335 ipsec6_tunnel_validate(ip6, nxt0, sav)
3336 struct ip6_hdr *ip6;
3337 u_int nxt0;
3338 struct secasvar *sav;
3339 {
3340 u_int8_t nxt = nxt0 & 0xff;
3341 struct sockaddr_in6 sin6;
3342
3343 if (nxt != IPPROTO_IPV6)
3344 return 0;
3345 /* do not decapsulate if the SA is for transport mode only */
3346 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3347 return 0;
3348 switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
3349 case AF_INET6:
3350 sin6 = *((struct sockaddr_in6 *)&sav->sah->saidx.dst);
3351 if (sa6_embedscope(&sin6, 0) != 0)
3352 return 0;
3353 if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &sin6.sin6_addr))
3354 return 0;
3355 break;
3356 case AF_INET:
3357 /* should be supported, but at this moment we don't. */
3358 /*FALLTHROUGH*/
3359 default:
3360 return 0;
3361 }
3362
3363 return 1;
3364 }
3365 #endif
3366
3367 /*
3368 * Make a mbuf chain for encryption.
3369 * If the original mbuf chain contains a mbuf with a cluster,
3370 * allocate a new cluster and copy the data to the new cluster.
3371 * XXX: this hack is inefficient, but is necessary to handle cases
3372 * of TCP retransmission...
3373 */
3374 struct mbuf *
3375 ipsec_copypkt(m)
3376 struct mbuf *m;
3377 {
3378 struct mbuf *n, **mpp, *mnew;
3379
3380 for (n = m, mpp = &m; n; n = n->m_next) {
3381 if (n->m_flags & M_EXT) {
3382 /*
3383 * Make a copy only if there is more than one
3384 * references to the cluster.
3385 * XXX: is this approach effective?
3386 */
3387 if (M_READONLY(n))
3388 {
3389 int remain, copied;
3390 struct mbuf *mm;
3391
3392 if (n->m_flags & M_PKTHDR) {
3393 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3394 if (mnew == NULL)
3395 goto fail;
3396 mnew->m_pkthdr = n->m_pkthdr;
3397 #if 0
3398 /* XXX: convert to m_tag or delete? */
3399 if (n->m_pkthdr.aux) {
3400 mnew->m_pkthdr.aux =
3401 m_copym(n->m_pkthdr.aux,
3402 0, M_COPYALL, M_DONTWAIT);
3403 }
3404 #endif
3405 M_MOVE_PKTHDR(mnew, n);
3406 }
3407 else {
3408 MGET(mnew, M_DONTWAIT, MT_DATA);
3409 if (mnew == NULL)
3410 goto fail;
3411 }
3412 mnew->m_len = 0;
3413 mm = mnew;
3414
3415 /*
3416 * Copy data. If we don't have enough space to
3417 * store the whole data, allocate a cluster
3418 * or additional mbufs.
3419 * XXX: we don't use m_copyback(), since the
3420 * function does not use clusters and thus is
3421 * inefficient.
3422 */
3423 remain = n->m_len;
3424 copied = 0;
3425 while (1) {
3426 int len;
3427 struct mbuf *mn;
3428
3429 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3430 len = remain;
3431 else { /* allocate a cluster */
3432 MCLGET(mm, M_DONTWAIT);
3433 if (!(mm->m_flags & M_EXT)) {
3434 m_free(mm);
3435 goto fail;
3436 }
3437 len = remain < MCLBYTES ?
3438 remain : MCLBYTES;
3439 }
3440
3441 bcopy(n->m_data + copied, mm->m_data,
3442 len);
3443
3444 copied += len;
3445 remain -= len;
3446 mm->m_len = len;
3447
3448 if (remain <= 0) /* completed? */
3449 break;
3450
3451 /* need another mbuf */
3452 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3453 if (mn == NULL)
3454 goto fail;
3455 mn->m_pkthdr.rcvif = NULL;
3456 mm->m_next = mn;
3457 mm = mn;
3458 }
3459
3460 /* adjust chain */
3461 mm->m_next = m_free(n);
3462 n = mm;
3463 *mpp = mnew;
3464 mpp = &n->m_next;
3465
3466 continue;
3467 }
3468 }
3469 *mpp = n;
3470 mpp = &n->m_next;
3471 }
3472
3473 return (m);
3474 fail:
3475 m_freem(m);
3476 return (NULL);
3477 }
3478
3479 static struct m_tag *
3480 ipsec_addaux(m)
3481 struct mbuf *m;
3482 {
3483 struct m_tag *mtag;
3484
3485 mtag = m_tag_find(m, PACKET_TAG_ESP, NULL);
3486 if (mtag == NULL) {
3487 mtag = m_tag_get(PACKET_TAG_ESP, sizeof(struct ipsecaux),
3488 M_NOWAIT);
3489 if (mtag != NULL)
3490 m_tag_prepend(m, mtag);
3491 }
3492 if (mtag == NULL)
3493 return NULL; /* ENOBUFS */
3494 /* XXX is this necessary? */
3495 bzero((void *)(mtag + 1), sizeof(struct ipsecaux));
3496 return mtag;
3497 }
3498
3499 static struct m_tag *
3500 ipsec_findaux(m)
3501 struct mbuf *m;
3502 {
3503 return m_tag_find(m, PACKET_TAG_ESP, NULL);
3504 }
3505
3506 void
3507 ipsec_delaux(m)
3508 struct mbuf *m;
3509 {
3510 struct m_tag *mtag;
3511
3512 mtag = m_tag_find(m, PACKET_TAG_ESP, NULL);
3513 if (mtag != NULL)
3514 m_tag_delete(m, mtag);
3515 }
3516
3517 /* if the aux buffer is unnecessary, nuke it. */
3518 static void
3519 ipsec_optaux(m, mtag)
3520 struct mbuf *m;
3521 struct m_tag *mtag;
3522 {
3523 struct ipsecaux *aux;
3524
3525 if (mtag == NULL)
3526 return;
3527 aux = (struct ipsecaux *)(mtag + 1);
3528 if (!aux->so && !aux->sp)
3529 ipsec_delaux(m);
3530 }
3531
3532 int
3533 ipsec_addhist(struct mbuf *m, int proto, u_int32_t spi)
3534 {
3535 struct m_tag *mtag;
3536 struct ipsecaux *aux;
3537
3538 mtag = ipsec_addaux(m);
3539 if (mtag == NULL)
3540 return ENOBUFS;
3541 aux = (struct ipsecaux *)(mtag + 1);
3542 aux->hdrs++;
3543 return 0;
3544 }
3545
3546 int
3547 ipsec_getnhist(m)
3548 struct mbuf *m;
3549 {
3550 struct m_tag *mtag;
3551 struct ipsecaux *aux;
3552
3553 mtag = ipsec_findaux(m);
3554 if (mtag == NULL)
3555 return 0;
3556 aux = (struct ipsecaux *)(mtag + 1);
3557 return aux->hdrs;
3558 }
3559
3560 struct ipsec_history *
3561 ipsec_gethist(struct mbuf *m, int *lenp)
3562 {
3563
3564 panic("ipsec_gethist: obsolete API");
3565 }
3566
3567 void
3568 ipsec_clearhist(m)
3569 struct mbuf *m;
3570 {
3571 struct m_tag *mtag;
3572
3573 mtag = ipsec_findaux(m);
3574 ipsec_optaux(m, mtag);
3575 }
3576
3577 /*
3578 * System control for IPSEC
3579 */
3580 u_char ipsecctlermap[PRC_NCMDS] = {
3581 0, 0, 0, 0,
3582 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
3583 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
3584 EMSGSIZE, EHOSTUNREACH, 0, 0,
3585 0, 0, 0, 0,
3586 ENOPROTOOPT
3587 };
3588
3589 /*
3590 * sysctl helper routine for some net.inet.ipsec and net.inet6.ipnet6
3591 * nodes. ensures that the given value is correct and clears the
3592 * ipsec cache accordingly.
3593 */
3594 static int
3595 sysctl_ipsec(SYSCTLFN_ARGS)
3596 {
3597 int error, t;
3598 struct sysctlnode node;
3599
3600 node = *rnode;
3601 if (rnode->sysctl_num == IPSECCTL_DEF_POLICY)
3602 t = (*((struct secpolicy**)rnode->sysctl_data))->policy;
3603 else
3604 t = *(int*)rnode->sysctl_data;
3605 node.sysctl_data = &t;
3606 error = sysctl_lookup(SYSCTLFN_CALL(&node));
3607 if (error || newp == NULL)
3608 return (error);
3609
3610 switch (rnode->sysctl_num) {
3611 case IPSECCTL_DEF_ESP_TRANSLEV:
3612 case IPSECCTL_DEF_ESP_NETLEV:
3613 case IPSECCTL_DEF_AH_TRANSLEV:
3614 case IPSECCTL_DEF_AH_NETLEV:
3615 if (t != IPSEC_LEVEL_USE &&
3616 t != IPSEC_LEVEL_REQUIRE)
3617 return (EINVAL);
3618 ipsec_invalpcbcacheall();
3619 break;
3620 case IPSECCTL_DEF_POLICY:
3621 if (t != IPSEC_POLICY_DISCARD &&
3622 t != IPSEC_POLICY_NONE)
3623 return (EINVAL);
3624 ipsec_invalpcbcacheall();
3625 break;
3626 default:
3627 return (EINVAL);
3628 }
3629
3630 if (rnode->sysctl_num == IPSECCTL_DEF_POLICY)
3631 (*((struct secpolicy**)rnode->sysctl_data))->policy = t;
3632 else
3633 *(int*)rnode->sysctl_data = t;
3634
3635 return (0);
3636 }
3637
3638 SYSCTL_SETUP(sysctl_net_inet_ipsec_setup, "sysctl net.inet.ipsec subtree setup")
3639 {
3640
3641 sysctl_createv(clog, 0, NULL, NULL,
3642 CTLFLAG_PERMANENT,
3643 CTLTYPE_NODE, "net", NULL,
3644 NULL, 0, NULL, 0,
3645 CTL_NET, CTL_EOL);
3646 sysctl_createv(clog, 0, NULL, NULL,
3647 CTLFLAG_PERMANENT,
3648 CTLTYPE_NODE, "inet", NULL,
3649 NULL, 0, NULL, 0,
3650 CTL_NET, PF_INET, CTL_EOL);
3651 sysctl_createv(clog, 0, NULL, NULL,
3652 CTLFLAG_PERMANENT,
3653 CTLTYPE_NODE, "ipsec",
3654 SYSCTL_DESCR("IPv4 related IPSec settings"),
3655 NULL, 0, NULL, 0,
3656 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
3657
3658 sysctl_createv(clog, 0, NULL, NULL,
3659 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3660 CTLTYPE_STRUCT, "stats",
3661 SYSCTL_DESCR("IPSec statistics and counters"),
3662 NULL, 0, &ipsecstat, sizeof(ipsecstat),
3663 CTL_NET, PF_INET, IPPROTO_AH,
3664 IPSECCTL_STATS, CTL_EOL);
3665 sysctl_createv(clog, 0, NULL, NULL,
3666 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3667 CTLTYPE_INT, "def_policy",
3668 SYSCTL_DESCR("Default action for non-IPSec packets"),
3669 sysctl_ipsec, 0, &ip4_def_policy, 0,
3670 CTL_NET, PF_INET, IPPROTO_AH,
3671 IPSECCTL_DEF_POLICY, CTL_EOL);
3672 sysctl_createv(clog, 0, NULL, NULL,
3673 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3674 CTLTYPE_INT, "esp_trans_deflev",
3675 SYSCTL_DESCR("Default required security level for "
3676 "transport mode traffic"),
3677 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0,
3678 CTL_NET, PF_INET, IPPROTO_AH,
3679 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
3680 sysctl_createv(clog, 0, NULL, NULL,
3681 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3682 CTLTYPE_INT, "esp_net_deflev",
3683 SYSCTL_DESCR("Default required security level for "
3684 "tunneled traffic"),
3685 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0,
3686 CTL_NET, PF_INET, IPPROTO_AH,
3687 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
3688 sysctl_createv(clog, 0, NULL, NULL,
3689 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3690 CTLTYPE_INT, "ah_trans_deflev",
3691 SYSCTL_DESCR("Default required security level for "
3692 "transport mode headers"),
3693 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0,
3694 CTL_NET, PF_INET, IPPROTO_AH,
3695 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
3696 sysctl_createv(clog, 0, NULL, NULL,
3697 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3698 CTLTYPE_INT, "ah_net_deflev",
3699 SYSCTL_DESCR("Default required security level for "
3700 "tunneled headers"),
3701 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0,
3702 CTL_NET, PF_INET, IPPROTO_AH,
3703 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
3704 #if 0 /* obsolete, do not reuse */
3705 sysctl_createv(clog, 0, NULL, NULL,
3706 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3707 CTLTYPE_INT, "inbound_call_ike", NULL,
3708 NULL, 0, &ip4_inbound_call_ike, 0,
3709 CTL_NET, PF_INET, IPPROTO_AH,
3710 IPSECCTL_INBOUND_CALL_IKE, CTL_EOL);
3711 #endif
3712 sysctl_createv(clog, 0, NULL, NULL,
3713 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3714 CTLTYPE_INT, "ah_cleartos",
3715 SYSCTL_DESCR("Clear IP TOS field before calculating AH"),
3716 NULL, 0, &ip4_ah_cleartos, 0,
3717 CTL_NET, PF_INET, IPPROTO_AH,
3718 IPSECCTL_AH_CLEARTOS, CTL_EOL);
3719 sysctl_createv(clog, 0, NULL, NULL,
3720 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3721 CTLTYPE_INT, "ah_offsetmask",
3722 SYSCTL_DESCR("Mask for IP fragment offset field when "
3723 "calculating AH"),
3724 NULL, 0, &ip4_ah_offsetmask, 0,
3725 CTL_NET, PF_INET, IPPROTO_AH,
3726 IPSECCTL_AH_OFFSETMASK, CTL_EOL);
3727 sysctl_createv(clog, 0, NULL, NULL,
3728 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3729 CTLTYPE_INT, "dfbit",
3730 SYSCTL_DESCR("IP header DF bit setting for tunneled "
3731 "traffic"),
3732 NULL, 0, &ip4_ipsec_dfbit, 0,
3733 CTL_NET, PF_INET, IPPROTO_AH,
3734 IPSECCTL_DFBIT, CTL_EOL);
3735 sysctl_createv(clog, 0, NULL, NULL,
3736 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3737 CTLTYPE_INT, "ecn",
3738 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
3739 NULL, 0, &ip4_ipsec_ecn, 0,
3740 CTL_NET, PF_INET, IPPROTO_AH,
3741 IPSECCTL_ECN, CTL_EOL);
3742 sysctl_createv(clog, 0, NULL, NULL,
3743 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3744 CTLTYPE_INT, "debug",
3745 SYSCTL_DESCR("Enable IPSec debugging output"),
3746 NULL, 0, &ipsec_debug, 0,
3747 CTL_NET, PF_INET, IPPROTO_AH,
3748 IPSECCTL_DEBUG, CTL_EOL);
3749
3750 /*
3751 * "aliases" for the ipsec subtree
3752 */
3753 sysctl_createv(clog, 0, NULL, NULL,
3754 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3755 CTLTYPE_NODE, "esp", NULL,
3756 NULL, IPPROTO_AH, NULL, 0,
3757 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
3758 sysctl_createv(clog, 0, NULL, NULL,
3759 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3760 CTLTYPE_NODE, "ipcomp", NULL,
3761 NULL, IPPROTO_AH, NULL, 0,
3762 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
3763 sysctl_createv(clog, 0, NULL, NULL,
3764 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3765 CTLTYPE_NODE, "ah", NULL,
3766 NULL, IPPROTO_AH, NULL, 0,
3767 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
3768 }
3769
3770 #ifdef INET6
3771 /*
3772 * System control for IPSEC6
3773 */
3774 u_char ipsec6ctlermap[PRC_NCMDS] = {
3775 0, 0, 0, 0,
3776 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
3777 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
3778 EMSGSIZE, EHOSTUNREACH, 0, 0,
3779 0, 0, 0, 0,
3780 ENOPROTOOPT
3781 };
3782
3783 SYSCTL_SETUP(sysctl_net_inet6_ipsec6_setup,
3784 "sysctl net.inet6.ipsec6 subtree setup")
3785 {
3786
3787 sysctl_createv(clog, 0, NULL, NULL,
3788 CTLFLAG_PERMANENT,
3789 CTLTYPE_NODE, "net", NULL,
3790 NULL, 0, NULL, 0,
3791 CTL_NET, CTL_EOL);
3792 sysctl_createv(clog, 0, NULL, NULL,
3793 CTLFLAG_PERMANENT,
3794 CTLTYPE_NODE, "inet6", NULL,
3795 NULL, 0, NULL, 0,
3796 CTL_NET, PF_INET6, CTL_EOL);
3797 sysctl_createv(clog, 0, NULL, NULL,
3798 CTLFLAG_PERMANENT,
3799 CTLTYPE_NODE, "ipsec6",
3800 SYSCTL_DESCR("IPv6 related IPSec settings"),
3801 NULL, 0, NULL, 0,
3802 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
3803
3804 sysctl_createv(clog, 0, NULL, NULL,
3805 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3806 CTLTYPE_STRUCT, "stats",
3807 SYSCTL_DESCR("IPSec statistics and counters"),
3808 NULL, 0, &ipsec6stat, sizeof(ipsec6stat),
3809 CTL_NET, PF_INET6, IPPROTO_AH,
3810 IPSECCTL_STATS, CTL_EOL);
3811 sysctl_createv(clog, 0, NULL, NULL,
3812 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3813 CTLTYPE_INT, "def_policy",
3814 SYSCTL_DESCR("Default action for non-IPSec packets"),
3815 sysctl_ipsec, 0, &ip6_def_policy, 0,
3816 CTL_NET, PF_INET6, IPPROTO_AH,
3817 IPSECCTL_DEF_POLICY, CTL_EOL);
3818 sysctl_createv(clog, 0, NULL, NULL,
3819 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3820 CTLTYPE_INT, "esp_trans_deflev",
3821 SYSCTL_DESCR("Default required security level for "
3822 "transport mode traffic"),
3823 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0,
3824 CTL_NET, PF_INET6, IPPROTO_AH,
3825 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
3826 sysctl_createv(clog, 0, NULL, NULL,
3827 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3828 CTLTYPE_INT, "esp_net_deflev",
3829 SYSCTL_DESCR("Default required security level for "
3830 "tunneled traffic"),
3831 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0,
3832 CTL_NET, PF_INET6, IPPROTO_AH,
3833 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
3834 sysctl_createv(clog, 0, NULL, NULL,
3835 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3836 CTLTYPE_INT, "ah_trans_deflev",
3837 SYSCTL_DESCR("Default required security level for "
3838 "transport mode headers"),
3839 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0,
3840 CTL_NET, PF_INET6, IPPROTO_AH,
3841 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
3842 sysctl_createv(clog, 0, NULL, NULL,
3843 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3844 CTLTYPE_INT, "ah_net_deflev",
3845 SYSCTL_DESCR("Default required security level for "
3846 "tunneled headers"),
3847 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0,
3848 CTL_NET, PF_INET6, IPPROTO_AH,
3849 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
3850 sysctl_createv(clog, 0, NULL, NULL,
3851 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3852 CTLTYPE_INT, "ecn",
3853 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
3854 NULL, 0, &ip6_ipsec_ecn, 0,
3855 CTL_NET, PF_INET6, IPPROTO_AH,
3856 IPSECCTL_ECN, CTL_EOL);
3857 sysctl_createv(clog, 0, NULL, NULL,
3858 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
3859 CTLTYPE_INT, "debug",
3860 SYSCTL_DESCR("Enable IPSec debugging output"),
3861 NULL, 0, &ipsec_debug, 0,
3862 CTL_NET, PF_INET6, IPPROTO_AH,
3863 IPSECCTL_DEBUG, CTL_EOL);
3864
3865 /*
3866 * "aliases" for the ipsec6 subtree
3867 */
3868 sysctl_createv(clog, 0, NULL, NULL,
3869 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3870 CTLTYPE_NODE, "esp6", NULL,
3871 NULL, IPPROTO_AH, NULL, 0,
3872 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL);
3873 sysctl_createv(clog, 0, NULL, NULL,
3874 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3875 CTLTYPE_NODE, "ipcomp6", NULL,
3876 NULL, IPPROTO_AH, NULL, 0,
3877 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL);
3878 sysctl_createv(clog, 0, NULL, NULL,
3879 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
3880 CTLTYPE_NODE, "ah6", NULL,
3881 NULL, IPPROTO_AH, NULL, 0,
3882 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL);
3883 }
3884 #endif /* INET6 */
Cache object: e1fae83187ef2662e2e14da2264968c9
|