The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netipsec/ipsec.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $FreeBSD: releng/11.2/sys/netipsec/ipsec.c 331722 2018-03-29 02:50:57Z eadler $ */
    2 /*      $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
    3 
    4 /*-
    5  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    6  * All rights reserved.
    7  *
    8  * Redistribution and use in source and binary forms, with or without
    9  * modification, are permitted provided that the following conditions
   10  * are met:
   11  * 1. Redistributions of source code must retain the above copyright
   12  *    notice, this list of conditions and the following disclaimer.
   13  * 2. Redistributions in binary form must reproduce the above copyright
   14  *    notice, this list of conditions and the following disclaimer in the
   15  *    documentation and/or other materials provided with the distribution.
   16  * 3. Neither the name of the project nor the names of its contributors
   17  *    may be used to endorse or promote products derived from this software
   18  *    without specific prior written permission.
   19  *
   20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   30  * SUCH DAMAGE.
   31  */
   32 
   33 /*
   34  * IPsec controller part.
   35  */
   36 
   37 #include "opt_inet.h"
   38 #include "opt_inet6.h"
   39 #include "opt_ipsec.h"
   40 
   41 #include <sys/param.h>
   42 #include <sys/systm.h>
   43 #include <sys/malloc.h>
   44 #include <sys/mbuf.h>
   45 #include <sys/domain.h>
   46 #include <sys/priv.h>
   47 #include <sys/protosw.h>
   48 #include <sys/socket.h>
   49 #include <sys/socketvar.h>
   50 #include <sys/errno.h>
   51 #include <sys/hhook.h>
   52 #include <sys/time.h>
   53 #include <sys/kernel.h>
   54 #include <sys/syslog.h>
   55 #include <sys/sysctl.h>
   56 #include <sys/proc.h>
   57 
   58 #include <net/if.h>
   59 #include <net/if_enc.h>
   60 #include <net/if_var.h>
   61 #include <net/vnet.h>
   62 
   63 #include <netinet/in.h>
   64 #include <netinet/in_systm.h>
   65 #include <netinet/ip.h>
   66 #include <netinet/ip_var.h>
   67 #include <netinet/in_var.h>
   68 #include <netinet/udp.h>
   69 #include <netinet/udp_var.h>
   70 #include <netinet/tcp.h>
   71 #include <netinet/udp.h>
   72 
   73 #include <netinet/ip6.h>
   74 #ifdef INET6
   75 #include <netinet6/ip6_var.h>
   76 #endif
   77 #include <netinet/in_pcb.h>
   78 #ifdef INET6
   79 #include <netinet/icmp6.h>
   80 #endif
   81 
   82 #include <sys/types.h>
   83 #include <netipsec/ipsec.h>
   84 #ifdef INET6
   85 #include <netipsec/ipsec6.h>
   86 #endif
   87 #include <netipsec/ah_var.h>
   88 #include <netipsec/esp_var.h>
   89 #include <netipsec/ipcomp.h>            /*XXX*/
   90 #include <netipsec/ipcomp_var.h>
   91 #include <netipsec/ipsec_support.h>
   92 
   93 #include <netipsec/key.h>
   94 #include <netipsec/keydb.h>
   95 #include <netipsec/key_debug.h>
   96 
   97 #include <netipsec/xform.h>
   98 
   99 #include <machine/in_cksum.h>
  100 
  101 #include <opencrypto/cryptodev.h>
  102 
  103 /* NB: name changed so netstat doesn't use it. */
  104 VNET_PCPUSTAT_DEFINE(struct ipsecstat, ipsec4stat);
  105 VNET_PCPUSTAT_SYSINIT(ipsec4stat);
  106 
  107 #ifdef VIMAGE
  108 VNET_PCPUSTAT_SYSUNINIT(ipsec4stat);
  109 #endif /* VIMAGE */
  110 
  111 /* DF bit on encap. 0: clear 1: set 2: copy */
  112 VNET_DEFINE(int, ip4_ipsec_dfbit) = 0;
  113 VNET_DEFINE(int, ip4_esp_trans_deflev) = IPSEC_LEVEL_USE;
  114 VNET_DEFINE(int, ip4_esp_net_deflev) = IPSEC_LEVEL_USE;
  115 VNET_DEFINE(int, ip4_ah_trans_deflev) = IPSEC_LEVEL_USE;
  116 VNET_DEFINE(int, ip4_ah_net_deflev) = IPSEC_LEVEL_USE;
  117 /* ECN ignore(-1)/forbidden(0)/allowed(1) */
  118 VNET_DEFINE(int, ip4_ipsec_ecn) = 0;
  119 
  120 static VNET_DEFINE(int, ip4_filtertunnel) = 0;
  121 #define V_ip4_filtertunnel VNET(ip4_filtertunnel)
  122 static VNET_DEFINE(int, check_policy_history) = 0;
  123 #define V_check_policy_history  VNET(check_policy_history)
  124 static VNET_DEFINE(struct secpolicy *, def_policy) = NULL;
  125 #define V_def_policy    VNET(def_policy)
  126 static int
  127 sysctl_def_policy(SYSCTL_HANDLER_ARGS)
  128 {
  129         int error, value;
  130 
  131         value = V_def_policy->policy;
  132         error = sysctl_handle_int(oidp, &value, 0, req);
  133         if (error == 0) {
  134                 if (value != IPSEC_POLICY_DISCARD &&
  135                     value != IPSEC_POLICY_NONE)
  136                         return (EINVAL);
  137                 V_def_policy->policy = value;
  138         }
  139         return (error);
  140 }
  141 
  142 /*
  143  * Crypto support requirements:
  144  *
  145  *  1   require hardware support
  146  * -1   require software support
  147  *  0   take anything
  148  */
  149 VNET_DEFINE(int, crypto_support) = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
  150 /*
  151  * TCP/UDP checksum handling policy for transport mode NAT-T (RFC3948)
  152  *
  153  * 0 - auto: incrementally recompute, when checksum delta is known;
  154  *     if checksum delta isn't known, reset checksum to zero for UDP,
  155  *     and mark csum_flags as valid for TCP.
  156  * 1 - fully recompute TCP/UDP checksum.
  157  */
  158 VNET_DEFINE(int, natt_cksum_policy) = 0;
  159 
  160 FEATURE(ipsec, "Internet Protocol Security (IPsec)");
  161 FEATURE(ipsec_natt, "UDP Encapsulation of IPsec ESP Packets ('NAT-T')");
  162 
  163 SYSCTL_DECL(_net_inet_ipsec);
  164 
  165 /* net.inet.ipsec */
  166 SYSCTL_PROC(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy,
  167         CTLTYPE_INT | CTLFLAG_VNET | CTLFLAG_RW, 0, 0, sysctl_def_policy, "I",
  168         "IPsec default policy.");
  169 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
  170         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_esp_trans_deflev), 0,
  171         "Default ESP transport mode level");
  172 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
  173         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_esp_net_deflev), 0,
  174         "Default ESP tunnel mode level.");
  175 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
  176         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ah_trans_deflev), 0,
  177         "AH transfer mode default level.");
  178 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
  179         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ah_net_deflev), 0,
  180         "AH tunnel mode default level.");
  181 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos,
  182         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0,
  183         "If set, clear type-of-service field when doing AH computation.");
  184 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, dfbit,
  185         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_dfbit), 0,
  186         "Do not fragment bit on encap.");
  187 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, ecn,
  188         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_ecn), 0,
  189         "Explicit Congestion Notification handling.");
  190 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, crypto_support,
  191         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(crypto_support), 0,
  192         "Crypto driver selection.");
  193 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, check_policy_history,
  194         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(check_policy_history), 0,
  195         "Use strict check of inbound packets to security policy compliance.");
  196 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, natt_cksum_policy,
  197         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(natt_cksum_policy), 0,
  198         "Method to fix TCP/UDP checksum for transport mode IPsec after NAT.");
  199 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel,
  200         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_filtertunnel), 0,
  201         "If set, filter packets from an IPsec tunnel.");
  202 SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat,
  203     ipsec4stat, "IPsec IPv4 statistics.");
  204 
  205 #ifdef REGRESSION
  206 /*
  207  * When set to 1, IPsec will send packets with the same sequence number.
  208  * This allows to verify if the other side has proper replay attacks detection.
  209  */
  210 VNET_DEFINE(int, ipsec_replay) = 0;
  211 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay,
  212         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_replay), 0,
  213         "Emulate replay attack");
  214 /*
  215  * When set 1, IPsec will send packets with corrupted HMAC.
  216  * This allows to verify if the other side properly detects modified packets.
  217  */
  218 VNET_DEFINE(int, ipsec_integrity) = 0;
  219 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity,
  220         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_integrity), 0,
  221         "Emulate man-in-the-middle attack");
  222 #endif
  223 
  224 #ifdef INET6 
  225 VNET_PCPUSTAT_DEFINE(struct ipsecstat, ipsec6stat);
  226 VNET_PCPUSTAT_SYSINIT(ipsec6stat);
  227 
  228 #ifdef VIMAGE
  229 VNET_PCPUSTAT_SYSUNINIT(ipsec6stat);
  230 #endif /* VIMAGE */
  231 
  232 VNET_DEFINE(int, ip6_esp_trans_deflev) = IPSEC_LEVEL_USE;
  233 VNET_DEFINE(int, ip6_esp_net_deflev) = IPSEC_LEVEL_USE;
  234 VNET_DEFINE(int, ip6_ah_trans_deflev) = IPSEC_LEVEL_USE;
  235 VNET_DEFINE(int, ip6_ah_net_deflev) = IPSEC_LEVEL_USE;
  236 VNET_DEFINE(int, ip6_ipsec_ecn) = 0;    /* ECN ignore(-1)/forbidden(0)/allowed(1) */
  237 
  238 static VNET_DEFINE(int, ip6_filtertunnel) = 0;
  239 #define V_ip6_filtertunnel      VNET(ip6_filtertunnel)
  240 
  241 SYSCTL_DECL(_net_inet6_ipsec6);
  242 
  243 /* net.inet6.ipsec6 */
  244 SYSCTL_PROC(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, def_policy,
  245         CTLTYPE_INT | CTLFLAG_VNET | CTLFLAG_RW, 0, 0, sysctl_def_policy, "I",
  246         "IPsec default policy.");
  247 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
  248         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_esp_trans_deflev), 0,
  249         "Default ESP transport mode level.");
  250 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
  251         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_esp_net_deflev), 0,
  252         "Default ESP tunnel mode level.");
  253 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
  254         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_ah_trans_deflev), 0,
  255         "AH transfer mode default level.");
  256 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
  257         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_ah_net_deflev), 0,
  258         "AH tunnel mode default level.");
  259 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, ecn,
  260         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_ipsec_ecn), 0,
  261         "Explicit Congestion Notification handling.");
  262 SYSCTL_INT(_net_inet6_ipsec6, OID_AUTO, filtertunnel,
  263         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_filtertunnel),  0,
  264         "If set, filter packets from an IPsec tunnel.");
  265 SYSCTL_VNET_PCPUSTAT(_net_inet6_ipsec6, IPSECCTL_STATS, ipsecstats,
  266     struct ipsecstat, ipsec6stat, "IPsec IPv6 statistics.");
  267 #endif /* INET6 */
  268 
  269 static int ipsec_in_reject(struct secpolicy *, struct inpcb *,
  270     const struct mbuf *);
  271 
  272 #ifdef INET
  273 static void ipsec4_get_ulp(const struct mbuf *, struct secpolicyindex *, int);
  274 static void ipsec4_setspidx_ipaddr(const struct mbuf *,
  275     struct secpolicyindex *);
  276 #endif
  277 #ifdef INET6
  278 static void ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *, int);
  279 static void ipsec6_setspidx_ipaddr(const struct mbuf *,
  280     struct secpolicyindex *);
  281 #endif
  282 
  283 /*
  284  * Return a held reference to the default SP.
  285  */
  286 static struct secpolicy *
  287 key_allocsp_default(void)
  288 {
  289 
  290         key_addref(V_def_policy);
  291         return (V_def_policy);
  292 }
  293 
  294 static void
  295 ipsec_invalidate_cache(struct inpcb *inp, u_int dir)
  296 {
  297         struct secpolicy *sp;
  298 
  299         INP_WLOCK_ASSERT(inp);
  300         if (dir == IPSEC_DIR_OUTBOUND) {
  301                 if (inp->inp_sp->flags & INP_INBOUND_POLICY)
  302                         return;
  303                 sp = inp->inp_sp->sp_in;
  304                 inp->inp_sp->sp_in = NULL;
  305         } else {
  306                 if (inp->inp_sp->flags & INP_OUTBOUND_POLICY)
  307                         return;
  308                 sp = inp->inp_sp->sp_out;
  309                 inp->inp_sp->sp_out = NULL;
  310         }
  311         if (sp != NULL)
  312                 key_freesp(&sp); /* release extra reference */
  313 }
  314 
  315 static void
  316 ipsec_cachepolicy(struct inpcb *inp, struct secpolicy *sp, u_int dir)
  317 {
  318         uint32_t genid;
  319         int downgrade;
  320 
  321         INP_LOCK_ASSERT(inp);
  322 
  323         if (dir == IPSEC_DIR_OUTBOUND) {
  324                 /* Do we have configured PCB policy? */
  325                 if (inp->inp_sp->flags & INP_OUTBOUND_POLICY)
  326                         return;
  327                 /* Another thread has already set cached policy */
  328                 if (inp->inp_sp->sp_out != NULL)
  329                         return;
  330                 /*
  331                  * Do not cache OUTBOUND policy if PCB isn't connected,
  332                  * i.e. foreign address is INADDR_ANY/UNSPECIFIED.
  333                  */
  334 #ifdef INET
  335                 if ((inp->inp_vflag & INP_IPV4) != 0 &&
  336                     inp->inp_faddr.s_addr == INADDR_ANY)
  337                         return;
  338 #endif
  339 #ifdef INET6
  340                 if ((inp->inp_vflag & INP_IPV6) != 0 &&
  341                     IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_faddr))
  342                         return;
  343 #endif
  344         } else {
  345                 /* Do we have configured PCB policy? */
  346                 if (inp->inp_sp->flags & INP_INBOUND_POLICY)
  347                         return;
  348                 /* Another thread has already set cached policy */
  349                 if (inp->inp_sp->sp_in != NULL)
  350                         return;
  351                 /*
  352                  * Do not cache INBOUND policy for listen socket,
  353                  * that is bound to INADDR_ANY/UNSPECIFIED address.
  354                  */
  355 #ifdef INET
  356                 if ((inp->inp_vflag & INP_IPV4) != 0 &&
  357                     inp->inp_faddr.s_addr == INADDR_ANY)
  358                         return;
  359 #endif
  360 #ifdef INET6
  361                 if ((inp->inp_vflag & INP_IPV6) != 0 &&
  362                     IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_faddr))
  363                         return;
  364 #endif
  365         }
  366         downgrade = 0;
  367         if (!INP_WLOCKED(inp)) {
  368                 if ((downgrade = INP_TRY_UPGRADE(inp)) == 0)
  369                         return;
  370         }
  371         if (dir == IPSEC_DIR_OUTBOUND)
  372                 inp->inp_sp->sp_out = sp;
  373         else
  374                 inp->inp_sp->sp_in = sp;
  375         /*
  376          * SP is already referenced by the lookup code.
  377          * We take extra reference here to avoid race in the
  378          * ipsec_getpcbpolicy() function - SP will not be freed in the
  379          * time between we take SP pointer from the cache and key_addref()
  380          * call.
  381          */
  382         key_addref(sp);
  383         genid = key_getspgen();
  384         if (genid != inp->inp_sp->genid) {
  385                 ipsec_invalidate_cache(inp, dir);
  386                 inp->inp_sp->genid = genid;
  387         }
  388         KEYDBG(IPSEC_STAMP,
  389             printf("%s: PCB(%p): cached %s SP(%p)\n",
  390             __func__, inp, dir == IPSEC_DIR_OUTBOUND ? "OUTBOUND":
  391             "INBOUND", sp));
  392         if (downgrade != 0)
  393                 INP_DOWNGRADE(inp);
  394 }
  395 
  396 static struct secpolicy *
  397 ipsec_checkpolicy(struct secpolicy *sp, struct inpcb *inp, int *error)
  398 {
  399 
  400         /* Save found OUTBOUND policy into PCB SP cache. */
  401         if (inp != NULL && inp->inp_sp != NULL && inp->inp_sp->sp_out == NULL)
  402                 ipsec_cachepolicy(inp, sp, IPSEC_DIR_OUTBOUND);
  403 
  404         switch (sp->policy) {
  405         default:
  406                 printf("%s: invalid policy %u\n", __func__, sp->policy);
  407                 /* FALLTHROUGH */
  408         case IPSEC_POLICY_DISCARD:
  409                 *error = -EINVAL;       /* Packet is discarded by caller. */
  410                 /* FALLTHROUGH */
  411         case IPSEC_POLICY_BYPASS:
  412         case IPSEC_POLICY_NONE:
  413                 key_freesp(&sp);
  414                 sp = NULL;              /* NB: force NULL result. */
  415                 break;
  416         case IPSEC_POLICY_IPSEC:
  417                 /* XXXAE: handle LARVAL SP */
  418                 break;
  419         }
  420         KEYDBG(IPSEC_DUMP,
  421             printf("%s: get SP(%p), error %d\n", __func__, sp, *error));
  422         return (sp);
  423 }
  424 
  425 static struct secpolicy *
  426 ipsec_getpcbpolicy(struct inpcb *inp, u_int dir)
  427 {
  428         struct secpolicy *sp;
  429         int flags, downgrade;
  430 
  431         if (inp == NULL || inp->inp_sp == NULL)
  432                 return (NULL);
  433 
  434         INP_LOCK_ASSERT(inp);
  435 
  436         flags = inp->inp_sp->flags;
  437         if (dir == IPSEC_DIR_OUTBOUND) {
  438                 sp = inp->inp_sp->sp_out;
  439                 flags &= INP_OUTBOUND_POLICY;
  440         } else {
  441                 sp = inp->inp_sp->sp_in;
  442                 flags &= INP_INBOUND_POLICY;
  443         }
  444         /*
  445          * Check flags. If we have PCB SP, just return it.
  446          * Otherwise we need to check that cached SP entry isn't stale.
  447          */
  448         if (flags == 0) {
  449                 if (sp == NULL)
  450                         return (NULL);
  451                 if (inp->inp_sp->genid != key_getspgen()) {
  452                         /* Invalidate the cache. */
  453                         downgrade = 0;
  454                         if (!INP_WLOCKED(inp)) {
  455                                 if ((downgrade = INP_TRY_UPGRADE(inp)) == 0)
  456                                         return (NULL);
  457                         }
  458                         ipsec_invalidate_cache(inp, IPSEC_DIR_OUTBOUND);
  459                         ipsec_invalidate_cache(inp, IPSEC_DIR_INBOUND);
  460                         if (downgrade != 0)
  461                                 INP_DOWNGRADE(inp);
  462                         return (NULL);
  463                 }
  464                 KEYDBG(IPSEC_STAMP,
  465                     printf("%s: PCB(%p): cache hit SP(%p)\n",
  466                     __func__, inp, sp));
  467                 /* Return referenced cached policy */
  468         }
  469         key_addref(sp);
  470         return (sp);
  471 }
  472 
  473 #ifdef INET
  474 static void
  475 ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx,
  476     int needport)
  477 {
  478         uint8_t nxt;
  479         int off;
  480 
  481         /* Sanity check. */
  482         IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),
  483             ("packet too short"));
  484 
  485         if (m->m_len >= sizeof (struct ip)) {
  486                 const struct ip *ip = mtod(m, const struct ip *);
  487                 if (ip->ip_off & htons(IP_MF | IP_OFFMASK))
  488                         goto done;
  489                 off = ip->ip_hl << 2;
  490                 nxt = ip->ip_p;
  491         } else {
  492                 struct ip ih;
  493 
  494                 m_copydata(m, 0, sizeof (struct ip), (caddr_t) &ih);
  495                 if (ih.ip_off & htons(IP_MF | IP_OFFMASK))
  496                         goto done;
  497                 off = ih.ip_hl << 2;
  498                 nxt = ih.ip_p;
  499         }
  500 
  501         while (off < m->m_pkthdr.len) {
  502                 struct ip6_ext ip6e;
  503                 struct tcphdr th;
  504                 struct udphdr uh;
  505 
  506                 switch (nxt) {
  507                 case IPPROTO_TCP:
  508                         spidx->ul_proto = nxt;
  509                         if (!needport)
  510                                 goto done_proto;
  511                         if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
  512                                 goto done;
  513                         m_copydata(m, off, sizeof (th), (caddr_t) &th);
  514                         spidx->src.sin.sin_port = th.th_sport;
  515                         spidx->dst.sin.sin_port = th.th_dport;
  516                         return;
  517                 case IPPROTO_UDP:
  518                         spidx->ul_proto = nxt;
  519                         if (!needport)
  520                                 goto done_proto;
  521                         if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
  522                                 goto done;
  523                         m_copydata(m, off, sizeof (uh), (caddr_t) &uh);
  524                         spidx->src.sin.sin_port = uh.uh_sport;
  525                         spidx->dst.sin.sin_port = uh.uh_dport;
  526                         return;
  527                 case IPPROTO_AH:
  528                         if (off + sizeof(ip6e) > m->m_pkthdr.len)
  529                                 goto done;
  530                         /* XXX Sigh, this works but is totally bogus. */
  531                         m_copydata(m, off, sizeof(ip6e), (caddr_t) &ip6e);
  532                         off += (ip6e.ip6e_len + 2) << 2;
  533                         nxt = ip6e.ip6e_nxt;
  534                         break;
  535                 case IPPROTO_ICMP:
  536                 default:
  537                         /* XXX Intermediate headers??? */
  538                         spidx->ul_proto = nxt;
  539                         goto done_proto;
  540                 }
  541         }
  542 done:
  543         spidx->ul_proto = IPSEC_ULPROTO_ANY;
  544 done_proto:
  545         spidx->src.sin.sin_port = IPSEC_PORT_ANY;
  546         spidx->dst.sin.sin_port = IPSEC_PORT_ANY;
  547         KEYDBG(IPSEC_DUMP,
  548             printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL));
  549 }
  550 
  551 static void
  552 ipsec4_setspidx_ipaddr(const struct mbuf *m, struct secpolicyindex *spidx)
  553 {
  554 
  555         ipsec4_setsockaddrs(m, &spidx->src, &spidx->dst);
  556         spidx->prefs = sizeof(struct in_addr) << 3;
  557         spidx->prefd = sizeof(struct in_addr) << 3;
  558 }
  559 
  560 static struct secpolicy *
  561 ipsec4_getpolicy(const struct mbuf *m, struct inpcb *inp, u_int dir,
  562     int needport)
  563 {
  564         struct secpolicyindex spidx;
  565         struct secpolicy *sp;
  566 
  567         sp = ipsec_getpcbpolicy(inp, dir);
  568         if (sp == NULL && key_havesp(dir)) {
  569                 /* Make an index to look for a policy. */
  570                 ipsec4_setspidx_ipaddr(m, &spidx);
  571                 ipsec4_get_ulp(m, &spidx, needport);
  572                 spidx.dir = dir;
  573                 sp = key_allocsp(&spidx, dir);
  574         }
  575         if (sp == NULL)         /* No SP found, use system default. */
  576                 sp = key_allocsp_default();
  577         return (sp);
  578 }
  579 
  580 /*
  581  * Check security policy for *OUTBOUND* IPv4 packet.
  582  */
  583 struct secpolicy *
  584 ipsec4_checkpolicy(const struct mbuf *m, struct inpcb *inp, int *error,
  585     int needport)
  586 {
  587         struct secpolicy *sp;
  588 
  589         *error = 0;
  590         sp = ipsec4_getpolicy(m, inp, IPSEC_DIR_OUTBOUND, needport);
  591         if (sp != NULL)
  592                 sp = ipsec_checkpolicy(sp, inp, error);
  593         if (sp == NULL) {
  594                 switch (*error) {
  595                 case 0: /* No IPsec required: BYPASS or NONE */
  596                         break;
  597                 case -EINVAL:
  598                         IPSECSTAT_INC(ips_out_polvio);
  599                         break;
  600                 default:
  601                         IPSECSTAT_INC(ips_out_inval);
  602                 }
  603         }
  604         KEYDBG(IPSEC_STAMP,
  605             printf("%s: using SP(%p), error %d\n", __func__, sp, *error));
  606         if (sp != NULL)
  607                 KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp));
  608         return (sp);
  609 }
  610 
  611 /*
  612  * Check IPv4 packet against *INBOUND* security policy.
  613  * This function is called from tcp_input(), udp_input(),
  614  * rip_input() and sctp_input().
  615  */
  616 int
  617 ipsec4_in_reject(const struct mbuf *m, struct inpcb *inp)
  618 {
  619         struct secpolicy *sp;
  620         int result;
  621 
  622         sp = ipsec4_getpolicy(m, inp, IPSEC_DIR_INBOUND, 0);
  623         result = ipsec_in_reject(sp, inp, m);
  624         key_freesp(&sp);
  625         if (result != 0)
  626                 IPSECSTAT_INC(ips_in_polvio);
  627         return (result);
  628 }
  629 
  630 /*
  631  * IPSEC_CAP() method implementation for IPv4.
  632  */
  633 int
  634 ipsec4_capability(struct mbuf *m, u_int cap)
  635 {
  636 
  637         switch (cap) {
  638         case IPSEC_CAP_BYPASS_FILTER:
  639                 /*
  640                  * Bypass packet filtering for packets previously handled
  641                  * by IPsec.
  642                  */
  643                 if (!V_ip4_filtertunnel &&
  644                     m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
  645                         return (1);
  646                 return (0);
  647         case IPSEC_CAP_OPERABLE:
  648                 /* Do we have active security policies? */
  649                 if (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
  650                     key_havesp(IPSEC_DIR_OUTBOUND) != 0)
  651                         return (1);
  652                 return (0);
  653         };
  654         return (EOPNOTSUPP);
  655 }
  656 
  657 #endif /* INET */
  658 
  659 #ifdef INET6
  660 static void
  661 ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx,
  662     int needport)
  663 {
  664         struct tcphdr th;
  665         struct udphdr uh;
  666         struct icmp6_hdr ih;
  667         int off, nxt;
  668 
  669         IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip6_hdr),
  670             ("packet too short"));
  671 
  672         /* Set default. */
  673         spidx->ul_proto = IPSEC_ULPROTO_ANY;
  674         spidx->src.sin6.sin6_port = IPSEC_PORT_ANY;
  675         spidx->dst.sin6.sin6_port = IPSEC_PORT_ANY;
  676 
  677         nxt = -1;
  678         off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
  679         if (off < 0 || m->m_pkthdr.len < off)
  680                 return;
  681 
  682         switch (nxt) {
  683         case IPPROTO_TCP:
  684                 spidx->ul_proto = nxt;
  685                 if (!needport)
  686                         break;
  687                 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
  688                         break;
  689                 m_copydata(m, off, sizeof(th), (caddr_t)&th);
  690                 spidx->src.sin6.sin6_port = th.th_sport;
  691                 spidx->dst.sin6.sin6_port = th.th_dport;
  692                 break;
  693         case IPPROTO_UDP:
  694                 spidx->ul_proto = nxt;
  695                 if (!needport)
  696                         break;
  697                 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
  698                         break;
  699                 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
  700                 spidx->src.sin6.sin6_port = uh.uh_sport;
  701                 spidx->dst.sin6.sin6_port = uh.uh_dport;
  702                 break;
  703         case IPPROTO_ICMPV6:
  704                 spidx->ul_proto = nxt;
  705                 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
  706                         break;
  707                 m_copydata(m, off, sizeof(ih), (caddr_t)&ih);
  708                 spidx->src.sin6.sin6_port = htons((uint16_t)ih.icmp6_type);
  709                 spidx->dst.sin6.sin6_port = htons((uint16_t)ih.icmp6_code);
  710                 break;
  711         default:
  712                 /* XXX Intermediate headers??? */
  713                 spidx->ul_proto = nxt;
  714                 break;
  715         }
  716         KEYDBG(IPSEC_DUMP,
  717             printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL));
  718 }
  719 
  720 static void
  721 ipsec6_setspidx_ipaddr(const struct mbuf *m, struct secpolicyindex *spidx)
  722 {
  723 
  724         ipsec6_setsockaddrs(m, &spidx->src, &spidx->dst);
  725         spidx->prefs = sizeof(struct in6_addr) << 3;
  726         spidx->prefd = sizeof(struct in6_addr) << 3;
  727 }
  728 
  729 static struct secpolicy *
  730 ipsec6_getpolicy(const struct mbuf *m, struct inpcb *inp, u_int dir,
  731     int needport)
  732 {
  733         struct secpolicyindex spidx;
  734         struct secpolicy *sp;
  735 
  736         sp = ipsec_getpcbpolicy(inp, dir);
  737         if (sp == NULL && key_havesp(dir)) {
  738                 /* Make an index to look for a policy. */
  739                 ipsec6_setspidx_ipaddr(m, &spidx);
  740                 ipsec6_get_ulp(m, &spidx, needport);
  741                 spidx.dir = dir;
  742                 sp = key_allocsp(&spidx, dir);
  743         }
  744         if (sp == NULL)         /* No SP found, use system default. */
  745                 sp = key_allocsp_default();
  746         return (sp);
  747 }
  748 
  749 /*
  750  * Check security policy for *OUTBOUND* IPv6 packet.
  751  */
  752 struct secpolicy *
  753 ipsec6_checkpolicy(const struct mbuf *m, struct inpcb *inp, int *error,
  754     int needport)
  755 {
  756         struct secpolicy *sp;
  757 
  758         *error = 0;
  759         sp = ipsec6_getpolicy(m, inp, IPSEC_DIR_OUTBOUND, needport);
  760         if (sp != NULL)
  761                 sp = ipsec_checkpolicy(sp, inp, error);
  762         if (sp == NULL) {
  763                 switch (*error) {
  764                 case 0: /* No IPsec required: BYPASS or NONE */
  765                         break;
  766                 case -EINVAL:
  767                         IPSEC6STAT_INC(ips_out_polvio);
  768                         break;
  769                 default:
  770                         IPSEC6STAT_INC(ips_out_inval);
  771                 }
  772         }
  773         KEYDBG(IPSEC_STAMP,
  774             printf("%s: using SP(%p), error %d\n", __func__, sp, *error));
  775         if (sp != NULL)
  776                 KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp));
  777         return (sp);
  778 }
  779 
  780 /*
  781  * Check IPv6 packet against inbound security policy.
  782  * This function is called from tcp6_input(), udp6_input(),
  783  * rip6_input() and sctp_input().
  784  */
  785 int
  786 ipsec6_in_reject(const struct mbuf *m, struct inpcb *inp)
  787 {
  788         struct secpolicy *sp;
  789         int result;
  790 
  791         sp = ipsec6_getpolicy(m, inp, IPSEC_DIR_INBOUND, 0);
  792         result = ipsec_in_reject(sp, inp, m);
  793         key_freesp(&sp);
  794         if (result)
  795                 IPSEC6STAT_INC(ips_in_polvio);
  796         return (result);
  797 }
  798 
  799 /*
  800  * IPSEC_CAP() method implementation for IPv6.
  801  */
  802 int
  803 ipsec6_capability(struct mbuf *m, u_int cap)
  804 {
  805 
  806         switch (cap) {
  807         case IPSEC_CAP_BYPASS_FILTER:
  808                 /*
  809                  * Bypass packet filtering for packets previously handled
  810                  * by IPsec.
  811                  */
  812                 if (!V_ip6_filtertunnel &&
  813                     m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
  814                         return (1);
  815                 return (0);
  816         case IPSEC_CAP_OPERABLE:
  817                 /* Do we have active security policies? */
  818                 if (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
  819                     key_havesp(IPSEC_DIR_OUTBOUND) != 0)
  820                         return (1);
  821                 return (0);
  822         };
  823         return (EOPNOTSUPP);
  824 }
  825 #endif /* INET6 */
  826 
  827 int
  828 ipsec_run_hhooks(struct ipsec_ctx_data *ctx, int type)
  829 {
  830         int idx;
  831 
  832         switch (ctx->af) {
  833 #ifdef INET
  834         case AF_INET:
  835                 idx = HHOOK_IPSEC_INET;
  836                 break;
  837 #endif
  838 #ifdef INET6
  839         case AF_INET6:
  840                 idx = HHOOK_IPSEC_INET6;
  841                 break;
  842 #endif
  843         default:
  844                 return (EPFNOSUPPORT);
  845         }
  846         if (type == HHOOK_TYPE_IPSEC_IN)
  847                 HHOOKS_RUN_IF(V_ipsec_hhh_in[idx], ctx, NULL);
  848         else
  849                 HHOOKS_RUN_IF(V_ipsec_hhh_out[idx], ctx, NULL);
  850         if (*ctx->mp == NULL)
  851                 return (EACCES);
  852         return (0);
  853 }
  854 
  855 /*
  856  * Return current level.
  857  * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
  858  */
  859 u_int
  860 ipsec_get_reqlevel(struct secpolicy *sp, u_int idx)
  861 {
  862         struct ipsecrequest *isr;
  863         u_int esp_trans_deflev, esp_net_deflev;
  864         u_int ah_trans_deflev, ah_net_deflev;
  865         u_int level = 0;
  866 
  867         IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx));
  868 /* XXX Note that we have ipseclog() expanded here - code sync issue. */
  869 #define IPSEC_CHECK_DEFAULT(lev) \
  870         (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE &&   \
  871           (lev) != IPSEC_LEVEL_UNIQUE)                                  \
  872                 ? (V_ipsec_debug  ?                                     \
  873                 log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
  874                 (lev), IPSEC_LEVEL_REQUIRE) : 0),                       \
  875                 (lev) = IPSEC_LEVEL_REQUIRE, (lev) : (lev))
  876 
  877         /*
  878          * IPsec VTI uses unique security policy with fake spidx filled
  879          * with zeroes. Just return IPSEC_LEVEL_REQUIRE instead of doing
  880          * full level lookup for such policies.
  881          */
  882         if (sp->state == IPSEC_SPSTATE_IFNET) {
  883                 IPSEC_ASSERT(sp->req[idx]->level == IPSEC_LEVEL_UNIQUE,
  884                     ("Wrong IPsec request level %d", sp->req[idx]->level));
  885                 return (IPSEC_LEVEL_REQUIRE);
  886         }
  887 
  888         /* Set default level. */
  889         switch (sp->spidx.src.sa.sa_family) {
  890 #ifdef INET
  891         case AF_INET:
  892                 esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_trans_deflev);
  893                 esp_net_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_net_deflev);
  894                 ah_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_ah_trans_deflev);
  895                 ah_net_deflev = IPSEC_CHECK_DEFAULT(V_ip4_ah_net_deflev);
  896                 break;
  897 #endif
  898 #ifdef INET6
  899         case AF_INET6:
  900                 esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip6_esp_trans_deflev);
  901                 esp_net_deflev = IPSEC_CHECK_DEFAULT(V_ip6_esp_net_deflev);
  902                 ah_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip6_ah_trans_deflev);
  903                 ah_net_deflev = IPSEC_CHECK_DEFAULT(V_ip6_ah_net_deflev);
  904                 break;
  905 #endif /* INET6 */
  906         default:
  907                 panic("%s: unknown af %u",
  908                         __func__, sp->spidx.src.sa.sa_family);
  909         }
  910 
  911 #undef IPSEC_CHECK_DEFAULT
  912 
  913         isr = sp->req[idx];
  914         /* Set level. */
  915         switch (isr->level) {
  916         case IPSEC_LEVEL_DEFAULT:
  917                 switch (isr->saidx.proto) {
  918                 case IPPROTO_ESP:
  919                         if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
  920                                 level = esp_net_deflev;
  921                         else
  922                                 level = esp_trans_deflev;
  923                         break;
  924                 case IPPROTO_AH:
  925                         if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
  926                                 level = ah_net_deflev;
  927                         else
  928                                 level = ah_trans_deflev;
  929                         break;
  930                 case IPPROTO_IPCOMP:
  931                         /*
  932                          * We don't really care, as IPcomp document says that
  933                          * we shouldn't compress small packets.
  934                          */
  935                         level = IPSEC_LEVEL_USE;
  936                         break;
  937                 default:
  938                         panic("%s: Illegal protocol defined %u\n", __func__,
  939                                 isr->saidx.proto);
  940                 }
  941                 break;
  942 
  943         case IPSEC_LEVEL_USE:
  944         case IPSEC_LEVEL_REQUIRE:
  945                 level = isr->level;
  946                 break;
  947         case IPSEC_LEVEL_UNIQUE:
  948                 level = IPSEC_LEVEL_REQUIRE;
  949                 break;
  950 
  951         default:
  952                 panic("%s: Illegal IPsec level %u\n", __func__, isr->level);
  953         }
  954 
  955         return (level);
  956 }
  957 
  958 static int
  959 ipsec_check_history(const struct mbuf *m, struct secpolicy *sp, u_int idx)
  960 {
  961         struct xform_history *xh;
  962         struct m_tag *mtag;
  963 
  964         mtag = NULL;
  965         while ((mtag = m_tag_find(__DECONST(struct mbuf *, m),
  966             PACKET_TAG_IPSEC_IN_DONE, mtag)) != NULL) {
  967                 xh = (struct xform_history *)(mtag + 1);
  968                 KEYDBG(IPSEC_DATA,
  969                     char buf[IPSEC_ADDRSTRLEN];
  970                     printf("%s: mode %s proto %u dst %s\n", __func__,
  971                         kdebug_secasindex_mode(xh->mode), xh->proto,
  972                         ipsec_address(&xh->dst, buf, sizeof(buf))));
  973                 if (xh->proto != sp->req[idx]->saidx.proto)
  974                         continue;
  975                 /* If SA had IPSEC_MODE_ANY, consider this as match. */
  976                 if (xh->mode != sp->req[idx]->saidx.mode &&
  977                     xh->mode != IPSEC_MODE_ANY)
  978                         continue;
  979                 /*
  980                  * For transport mode IPsec request doesn't contain
  981                  * addresses. We need to use address from spidx.
  982                  */
  983                 if (sp->req[idx]->saidx.mode == IPSEC_MODE_TRANSPORT) {
  984                         if (key_sockaddrcmp_withmask(&xh->dst.sa,
  985                             &sp->spidx.dst.sa, sp->spidx.prefd) != 0)
  986                                 continue;
  987                 } else {
  988                         if (key_sockaddrcmp(&xh->dst.sa,
  989                             &sp->req[idx]->saidx.dst.sa, 0) != 0)
  990                                 continue;
  991                 }
  992                 return (0); /* matched */
  993         }
  994         return (1);
  995 }
  996 
  997 /*
  998  * Check security policy requirements against the actual
  999  * packet contents.  Return one if the packet should be
 1000  * reject as "invalid"; otherwiser return zero to have the
 1001  * packet treated as "valid".
 1002  *
 1003  * OUT:
 1004  *      0: valid
 1005  *      1: invalid
 1006  */
 1007 static int
 1008 ipsec_in_reject(struct secpolicy *sp, struct inpcb *inp, const struct mbuf *m)
 1009 {
 1010         int i;
 1011 
 1012         KEYDBG(IPSEC_STAMP,
 1013             printf("%s: PCB(%p): using SP(%p)\n", __func__, inp, sp));
 1014         KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp));
 1015 
 1016         if (inp != NULL && inp->inp_sp != NULL && inp->inp_sp->sp_in == NULL)
 1017                 ipsec_cachepolicy(inp, sp, IPSEC_DIR_INBOUND);
 1018 
 1019         /* Check policy. */
 1020         switch (sp->policy) {
 1021         case IPSEC_POLICY_DISCARD:
 1022                 return (1);
 1023         case IPSEC_POLICY_BYPASS:
 1024         case IPSEC_POLICY_NONE:
 1025                 return (0);
 1026         }
 1027 
 1028         IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
 1029                 ("invalid policy %u", sp->policy));
 1030 
 1031         /*
 1032          * ipsec[46]_common_input_cb after each transform adds
 1033          * PACKET_TAG_IPSEC_IN_DONE mbuf tag. It contains SPI, proto, mode
 1034          * and destination address from saidx. We can compare info from
 1035          * these tags with requirements in SP.
 1036          */
 1037         for (i = 0; i < sp->tcount; i++) {
 1038                 /*
 1039                  * Do not check IPcomp, since IPcomp document
 1040                  * says that we shouldn't compress small packets.
 1041                  * IPComp policy should always be treated as being
 1042                  * in "use" level.
 1043                  */
 1044                 if (sp->req[i]->saidx.proto == IPPROTO_IPCOMP ||
 1045                     ipsec_get_reqlevel(sp, i) != IPSEC_LEVEL_REQUIRE)
 1046                         continue;
 1047                 if (V_check_policy_history != 0 &&
 1048                     ipsec_check_history(m, sp, i) != 0)
 1049                         return (1);
 1050                 else switch (sp->req[i]->saidx.proto) {
 1051                 case IPPROTO_ESP:
 1052                         if ((m->m_flags & M_DECRYPTED) == 0) {
 1053                                 KEYDBG(IPSEC_DUMP,
 1054                                     printf("%s: ESP m_flags:%x\n", __func__,
 1055                                             m->m_flags));
 1056                                 return (1);
 1057                         }
 1058                         break;
 1059                 case IPPROTO_AH:
 1060                         if ((m->m_flags & M_AUTHIPHDR) == 0) {
 1061                                 KEYDBG(IPSEC_DUMP,
 1062                                     printf("%s: AH m_flags:%x\n", __func__,
 1063                                             m->m_flags));
 1064                                 return (1);
 1065                         }
 1066                         break;
 1067                 }
 1068         }
 1069         return (0);             /* Valid. */
 1070 }
 1071 
 1072 /*
 1073  * Compute the byte size to be occupied by IPsec header.
 1074  * In case it is tunnelled, it includes the size of outer IP header.
 1075  */
 1076 static size_t
 1077 ipsec_hdrsiz_internal(struct secpolicy *sp)
 1078 {
 1079         size_t size;
 1080         int i;
 1081 
 1082         KEYDBG(IPSEC_STAMP, printf("%s: using SP(%p)\n", __func__, sp));
 1083         KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp));
 1084 
 1085         switch (sp->policy) {
 1086         case IPSEC_POLICY_DISCARD:
 1087         case IPSEC_POLICY_BYPASS:
 1088         case IPSEC_POLICY_NONE:
 1089                 return (0);
 1090         }
 1091 
 1092         IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
 1093                 ("invalid policy %u", sp->policy));
 1094 
 1095         /*
 1096          * XXX: for each transform we need to lookup suitable SA
 1097          * and use info from SA to calculate headers size.
 1098          * XXX: for NAT-T we need to cosider UDP header size.
 1099          */
 1100         size = 0;
 1101         for (i = 0; i < sp->tcount; i++) {
 1102                 switch (sp->req[i]->saidx.proto) {
 1103                 case IPPROTO_ESP:
 1104                         size += esp_hdrsiz(NULL);
 1105                         break;
 1106                 case IPPROTO_AH:
 1107                         size += ah_hdrsiz(NULL);
 1108                         break;
 1109                 case IPPROTO_IPCOMP:
 1110                         size += sizeof(struct ipcomp);
 1111                         break;
 1112                 }
 1113 
 1114                 if (sp->req[i]->saidx.mode == IPSEC_MODE_TUNNEL) {
 1115                         switch (sp->req[i]->saidx.dst.sa.sa_family) {
 1116 #ifdef INET
 1117                         case AF_INET:
 1118                                 size += sizeof(struct ip);
 1119                                 break;
 1120 #endif
 1121 #ifdef INET6
 1122                         case AF_INET6:
 1123                                 size += sizeof(struct ip6_hdr);
 1124                                 break;
 1125 #endif
 1126                         default:
 1127                                 ipseclog((LOG_ERR, "%s: unknown AF %d in "
 1128                                     "IPsec tunnel SA\n", __func__,
 1129                                     sp->req[i]->saidx.dst.sa.sa_family));
 1130                                 break;
 1131                         }
 1132                 }
 1133         }
 1134         return (size);
 1135 }
 1136 
 1137 /*
 1138  * Compute ESP/AH header size for protocols with PCB, including
 1139  * outer IP header. Currently only tcp_output() uses it.
 1140  */
 1141 size_t
 1142 ipsec_hdrsiz_inpcb(struct inpcb *inp)
 1143 {
 1144         struct secpolicyindex spidx;
 1145         struct secpolicy *sp;
 1146         size_t sz;
 1147 
 1148         sp = ipsec_getpcbpolicy(inp, IPSEC_DIR_OUTBOUND);
 1149         if (sp == NULL && key_havesp(IPSEC_DIR_OUTBOUND)) {
 1150                 ipsec_setspidx_inpcb(inp, &spidx, IPSEC_DIR_OUTBOUND);
 1151                 sp = key_allocsp(&spidx, IPSEC_DIR_OUTBOUND);
 1152         }
 1153         if (sp == NULL)
 1154                 sp = key_allocsp_default();
 1155         sz = ipsec_hdrsiz_internal(sp);
 1156         key_freesp(&sp);
 1157         return (sz);
 1158 }
 1159 
 1160 /*
 1161  * Check the variable replay window.
 1162  * ipsec_chkreplay() performs replay check before ICV verification.
 1163  * ipsec_updatereplay() updates replay bitmap.  This must be called after
 1164  * ICV verification (it also performs replay check, which is usually done
 1165  * beforehand).
 1166  * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
 1167  *
 1168  * Based on RFC 6479. Blocks are 32 bits unsigned integers
 1169  */
 1170 
 1171 #define IPSEC_BITMAP_INDEX_MASK(w)      (w - 1)
 1172 #define IPSEC_REDUNDANT_BIT_SHIFTS      5
 1173 #define IPSEC_REDUNDANT_BITS            (1 << IPSEC_REDUNDANT_BIT_SHIFTS)
 1174 #define IPSEC_BITMAP_LOC_MASK           (IPSEC_REDUNDANT_BITS - 1)
 1175 
 1176 int
 1177 ipsec_chkreplay(uint32_t seq, struct secasvar *sav)
 1178 {
 1179         const struct secreplay *replay;
 1180         uint32_t wsizeb;                /* Constant: window size. */
 1181         int index, bit_location;
 1182 
 1183         IPSEC_ASSERT(sav != NULL, ("Null SA"));
 1184         IPSEC_ASSERT(sav->replay != NULL, ("Null replay state"));
 1185 
 1186         replay = sav->replay;
 1187 
 1188         /* No need to check replay if disabled. */
 1189         if (replay->wsize == 0)
 1190                 return (1);
 1191 
 1192         /* Constant. */
 1193         wsizeb = replay->wsize << 3;
 1194 
 1195         /* Sequence number of 0 is invalid. */
 1196         if (seq == 0)
 1197                 return (0);
 1198 
 1199         /* First time is always okay. */
 1200         if (replay->count == 0)
 1201                 return (1);
 1202 
 1203         /* Larger sequences are okay. */
 1204         if (seq > replay->lastseq)
 1205                 return (1);
 1206 
 1207         /* Over range to check, i.e. too old or wrapped. */
 1208         if (replay->lastseq - seq >= wsizeb)
 1209                 return (0);
 1210 
 1211         /* The sequence is inside the sliding window
 1212          * now check the bit in the bitmap
 1213          * bit location only depends on the sequence number
 1214          */
 1215         bit_location = seq & IPSEC_BITMAP_LOC_MASK;
 1216         index = (seq >> IPSEC_REDUNDANT_BIT_SHIFTS)
 1217                 & IPSEC_BITMAP_INDEX_MASK(replay->bitmap_size);
 1218 
 1219         /* This packet already seen? */
 1220         if ((replay->bitmap)[index] & (1 << bit_location))
 1221                 return (0);
 1222         return (1);
 1223 }
 1224 
 1225 /*
 1226  * Check replay counter whether to update or not.
 1227  * OUT: 0:      OK
 1228  *      1:      NG
 1229  */
 1230 int
 1231 ipsec_updatereplay(uint32_t seq, struct secasvar *sav)
 1232 {
 1233         char buf[128];
 1234         struct secreplay *replay;
 1235         uint32_t wsizeb;                /* Constant: window size. */
 1236         int diff, index, bit_location;
 1237 
 1238         IPSEC_ASSERT(sav != NULL, ("Null SA"));
 1239         IPSEC_ASSERT(sav->replay != NULL, ("Null replay state"));
 1240 
 1241         replay = sav->replay;
 1242 
 1243         if (replay->wsize == 0)
 1244                 goto ok;        /* No need to check replay. */
 1245 
 1246         /* Constant. */
 1247         wsizeb = replay->wsize << 3;
 1248 
 1249         /* Sequence number of 0 is invalid. */
 1250         if (seq == 0)
 1251                 return (1);
 1252 
 1253         /* The packet is too old, no need to update */
 1254         if (wsizeb + seq < replay->lastseq)
 1255                 goto ok;
 1256 
 1257         /* Now update the bit */
 1258         index = (seq >> IPSEC_REDUNDANT_BIT_SHIFTS);
 1259 
 1260         /* First check if the sequence number is in the range */
 1261         if (seq > replay->lastseq) {
 1262                 int id;
 1263                 int index_cur = replay->lastseq >> IPSEC_REDUNDANT_BIT_SHIFTS;
 1264 
 1265                 diff = index - index_cur;
 1266                 if (diff > replay->bitmap_size) {
 1267                         /* something unusual in this case */
 1268                         diff = replay->bitmap_size;
 1269                 }
 1270 
 1271                 for (id = 0; id < diff; ++id) {
 1272                         replay->bitmap[(id + index_cur + 1)
 1273                         & IPSEC_BITMAP_INDEX_MASK(replay->bitmap_size)] = 0;
 1274                 }
 1275 
 1276                 replay->lastseq = seq;
 1277         }
 1278 
 1279         index &= IPSEC_BITMAP_INDEX_MASK(replay->bitmap_size);
 1280         bit_location = seq & IPSEC_BITMAP_LOC_MASK;
 1281 
 1282         /* this packet has already been received */
 1283         if (replay->bitmap[index] & (1 << bit_location))
 1284                 return (1);
 1285 
 1286         replay->bitmap[index] |= (1 << bit_location);
 1287 
 1288 ok:
 1289         if (replay->count == ~0) {
 1290 
 1291                 /* Set overflow flag. */
 1292                 replay->overflow++;
 1293 
 1294                 /* Don't increment, no more packets accepted. */
 1295                 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
 1296                         if (sav->sah->saidx.proto == IPPROTO_AH)
 1297                                 AHSTAT_INC(ahs_wrap);
 1298                         else if (sav->sah->saidx.proto == IPPROTO_ESP)
 1299                                 ESPSTAT_INC(esps_wrap);
 1300                         return (1);
 1301                 }
 1302 
 1303                 ipseclog((LOG_WARNING, "%s: replay counter made %d cycle. %s\n",
 1304                     __func__, replay->overflow,
 1305                     ipsec_sa2str(sav, buf, sizeof(buf))));
 1306         }
 1307         return (0);
 1308 }
 1309 
 1310 int
 1311 ipsec_updateid(struct secasvar *sav, uint64_t *new, uint64_t *old)
 1312 {
 1313         uint64_t tmp;
 1314 
 1315         /*
 1316          * tdb_cryptoid is initialized by xform_init().
 1317          * Then it can be changed only when some crypto error occurred or
 1318          * when SA is deleted. We stored used cryptoid in the xform_data
 1319          * structure. In case when crypto error occurred and crypto
 1320          * subsystem has reinited the session, it returns new cryptoid
 1321          * and EAGAIN error code.
 1322          *
 1323          * This function will be called when we got EAGAIN from crypto
 1324          * subsystem.
 1325          * *new is cryptoid that was returned by crypto subsystem in
 1326          * the crp_sid.
 1327          * *old is the original cryptoid that we stored in xform_data.
 1328          *
 1329          * For first failed request *old == sav->tdb_cryptoid, then
 1330          * we update sav->tdb_cryptoid and redo crypto_dispatch().
 1331          * For next failed request *old != sav->tdb_cryptoid, then
 1332          * we store cryptoid from first request into the *new variable
 1333          * and crp_sid from this second session will be returned via
 1334          * *old pointer, so caller can release second session.
 1335          *
 1336          * XXXAE: check this more carefully.
 1337          */
 1338         KEYDBG(IPSEC_STAMP,
 1339             printf("%s: SA(%p) moves cryptoid %jd -> %jd\n",
 1340                 __func__, sav, (uintmax_t)(*old), (uintmax_t)(*new)));
 1341         KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
 1342         SECASVAR_LOCK(sav);
 1343         if (sav->tdb_cryptoid != *old) {
 1344                 /* cryptoid was already updated */
 1345                 tmp = *new;
 1346                 *new = sav->tdb_cryptoid;
 1347                 *old = tmp;
 1348                 SECASVAR_UNLOCK(sav);
 1349                 return (1);
 1350         }
 1351         sav->tdb_cryptoid = *new;
 1352         SECASVAR_UNLOCK(sav);
 1353         return (0);
 1354 }
 1355 
 1356 int
 1357 ipsec_initialized(void)
 1358 {
 1359 
 1360         return (V_def_policy != NULL);
 1361 }
 1362 
 1363 static void
 1364 def_policy_init(const void *unused __unused)
 1365 {
 1366 
 1367         V_def_policy = key_newsp();
 1368         if (V_def_policy != NULL) {
 1369                 V_def_policy->policy = IPSEC_POLICY_NONE;
 1370                 /* Force INPCB SP cache invalidation */
 1371                 key_bumpspgen();
 1372         } else
 1373                 printf("%s: failed to initialize default policy\n", __func__);
 1374 }
 1375 
 1376 
 1377 static void
 1378 def_policy_uninit(const void *unused __unused)
 1379 {
 1380 
 1381         if (V_def_policy != NULL) {
 1382                 key_freesp(&V_def_policy);
 1383                 key_bumpspgen();
 1384         }
 1385 }
 1386 
 1387 VNET_SYSINIT(def_policy_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST,
 1388     def_policy_init, NULL);
 1389 VNET_SYSUNINIT(def_policy_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST,
 1390     def_policy_uninit, NULL);

Cache object: 7648cce075ea3dda041b60198ae6f150


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.