The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netipsec/xform_ipcomp.c

Version: -  FREEBSD  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-2  -  FREEBSD-11-1  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-4  -  FREEBSD-10-3  -  FREEBSD-10-2  -  FREEBSD-10-1  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-3  -  FREEBSD-9-2  -  FREEBSD-9-1  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-4  -  FREEBSD-8-3  -  FREEBSD-8-2  -  FREEBSD-8-1  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-4  -  FREEBSD-7-3  -  FREEBSD-7-2  -  FREEBSD-7-1  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-4  -  FREEBSD-6-3  -  FREEBSD-6-2  -  FREEBSD-6-1  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-5  -  FREEBSD-5-4  -  FREEBSD-5-3  -  FREEBSD-5-2  -  FREEBSD-5-1  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  linux-2.6  -  linux-2.4.22  -  MK83  -  MK84  -  PLAN9  -  DFBSD  -  NETBSD  -  NETBSD5  -  NETBSD4  -  NETBSD3  -  NETBSD20  -  OPENBSD  -  xnu-517  -  xnu-792  -  xnu-792.6.70  -  xnu-1228  -  xnu-1456.1.26  -  xnu-1699.24.8  -  xnu-2050.18.24  -  OPENSOLARIS  -  minix-3-1-1 
SearchContext: -  none  -  3  -  10 

    1 /*      $FreeBSD: stable/12/sys/netipsec/xform_ipcomp.c 336439 2018-07-18 00:56:25Z cem $       */
    2 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
    3 
    4 /*-
    5  * SPDX-License-Identifier: BSD-3-Clause
    6  *
    7  * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
    8  *
    9  * Redistribution and use in source and binary forms, with or without
   10  * modification, are permitted provided that the following conditions
   11  * are met:
   12  *
   13  * 1. Redistributions of source code must retain the above copyright
   14  *   notice, this list of conditions and the following disclaimer.
   15  * 2. Redistributions in binary form must reproduce the above copyright
   16  *   notice, this list of conditions and the following disclaimer in the
   17  *   documentation and/or other materials provided with the distribution.
   18  * 3. The name of the author may not be used to endorse or promote products
   19  *   derived from this software without specific prior written permission.
   20  *
   21  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
   22  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   23  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
   24  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
   25  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
   26  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   30  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   31  */
   32 
   33 /* IP payload compression protocol (IPComp), see RFC 2393 */
   34 #include "opt_inet.h"
   35 #include "opt_inet6.h"
   36 
   37 #include <sys/param.h>
   38 #include <sys/systm.h>
   39 #include <sys/mbuf.h>
   40 #include <sys/lock.h>
   41 #include <sys/mutex.h>
   42 #include <sys/socket.h>
   43 #include <sys/kernel.h>
   44 #include <sys/protosw.h>
   45 #include <sys/sysctl.h>
   46 
   47 #include <netinet/in.h>
   48 #include <netinet/in_systm.h>
   49 #include <netinet/ip.h>
   50 #include <netinet/ip_var.h>
   51 #include <netinet/ip_encap.h>
   52 
   53 #include <net/netisr.h>
   54 #include <net/vnet.h>
   55 
   56 #include <netipsec/ipsec.h>
   57 #include <netipsec/xform.h>
   58 
   59 #ifdef INET6
   60 #include <netinet/ip6.h>
   61 #include <netinet6/ip6_var.h>
   62 #include <netipsec/ipsec6.h>
   63 #endif
   64 
   65 #include <netipsec/ipcomp.h>
   66 #include <netipsec/ipcomp_var.h>
   67 
   68 #include <netipsec/key.h>
   69 #include <netipsec/key_debug.h>
   70 
   71 #include <opencrypto/cryptodev.h>
   72 #include <opencrypto/deflate.h>
   73 #include <opencrypto/xform.h>
   74 
   75 VNET_DEFINE(int, ipcomp_enable) = 1;
   76 VNET_PCPUSTAT_DEFINE(struct ipcompstat, ipcompstat);
   77 VNET_PCPUSTAT_SYSINIT(ipcompstat);
   78 
   79 #ifdef VIMAGE
   80 VNET_PCPUSTAT_SYSUNINIT(ipcompstat);
   81 #endif /* VIMAGE */
   82 
   83 SYSCTL_DECL(_net_inet_ipcomp);
   84 SYSCTL_INT(_net_inet_ipcomp, OID_AUTO, ipcomp_enable,
   85         CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipcomp_enable), 0, "");
   86 SYSCTL_VNET_PCPUSTAT(_net_inet_ipcomp, IPSECCTL_STATS, stats,
   87     struct ipcompstat, ipcompstat,
   88     "IPCOMP statistics (struct ipcompstat, netipsec/ipcomp_var.h");
   89 
   90 static int ipcomp_input_cb(struct cryptop *crp);
   91 static int ipcomp_output_cb(struct cryptop *crp);
   92 
   93 /*
   94  * RFC 3173 p 2.2. Non-Expansion Policy:
   95  * If the total size of a compressed payload and the IPComp header, as
   96  * defined in section 3, is not smaller than the size of the original
   97  * payload, the IP datagram MUST be sent in the original non-compressed
   98  * form.
   99  *
  100  * When we use IPComp in tunnel mode, for small packets we will receive
  101  * encapsulated IP-IP datagrams without any compression and without IPComp
  102  * header.
  103  */
  104 static int
  105 ipcomp_encapcheck(union sockaddr_union *src, union sockaddr_union *dst)
  106 {
  107         struct secasvar *sav;
  108 
  109         sav = key_allocsa_tunnel(src, dst, IPPROTO_IPCOMP);
  110         if (sav == NULL)
  111                 return (0);
  112         key_freesav(&sav);
  113 
  114         if (src->sa.sa_family == AF_INET)
  115                 return (sizeof(struct in_addr) << 4);
  116         else
  117                 return (sizeof(struct in6_addr) << 4);
  118 }
  119 
  120 static int
  121 ipcomp_nonexp_input(struct mbuf *m, int off, int proto, void *arg __unused)
  122 {
  123         int isr;
  124 
  125         switch (proto) {
  126 #ifdef INET
  127         case IPPROTO_IPV4:
  128                 isr = NETISR_IP;
  129                 break;
  130 #endif
  131 #ifdef INET6
  132         case IPPROTO_IPV6:
  133                 isr = NETISR_IPV6;
  134                 break;
  135 #endif
  136         default:
  137                 IPCOMPSTAT_INC(ipcomps_nopf);
  138                 m_freem(m);
  139                 return (IPPROTO_DONE);
  140         }
  141         m_adj(m, off);
  142         IPCOMPSTAT_ADD(ipcomps_ibytes, m->m_pkthdr.len);
  143         IPCOMPSTAT_INC(ipcomps_input);
  144         netisr_dispatch(isr, m);
  145         return (IPPROTO_DONE);
  146 }
  147 
  148 /*
  149  * ipcomp_init() is called when an CPI is being set up.
  150  */
  151 static int
  152 ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
  153 {
  154         const struct comp_algo *tcomp;
  155         struct cryptoini cric;
  156 
  157         /* NB: algorithm really comes in alg_enc and not alg_comp! */
  158         tcomp = comp_algorithm_lookup(sav->alg_enc);
  159         if (tcomp == NULL) {
  160                 DPRINTF(("%s: unsupported compression algorithm %d\n", __func__,
  161                          sav->alg_comp));
  162                 return EINVAL;
  163         }
  164         sav->alg_comp = sav->alg_enc;           /* set for doing histogram */
  165         sav->tdb_xform = xsp;
  166         sav->tdb_compalgxform = tcomp;
  167 
  168         /* Initialize crypto session */
  169         bzero(&cric, sizeof (cric));
  170         cric.cri_alg = sav->tdb_compalgxform->type;
  171 
  172         return crypto_newsession(&sav->tdb_cryptoid, &cric, V_crypto_support);
  173 }
  174 
  175 /*
  176  * ipcomp_zeroize() used when IPCA is deleted
  177  */
  178 static int
  179 ipcomp_zeroize(struct secasvar *sav)
  180 {
  181 
  182         crypto_freesession(sav->tdb_cryptoid);
  183         sav->tdb_cryptoid = NULL;
  184         return 0;
  185 }
  186 
  187 /*
  188  * ipcomp_input() gets called to uncompress an input packet
  189  */
  190 static int
  191 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
  192 {
  193         struct xform_data *xd;
  194         struct cryptodesc *crdc;
  195         struct cryptop *crp;
  196         struct ipcomp *ipcomp;
  197         caddr_t addr;
  198         int error, hlen = IPCOMP_HLENGTH;
  199 
  200         /*
  201          * Check that the next header of the IPComp is not IPComp again, before
  202          * doing any real work.  Given it is not possible to do double
  203          * compression it means someone is playing tricks on us.
  204          */
  205         error = ENOBUFS;
  206         if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
  207                 IPCOMPSTAT_INC(ipcomps_hdrops);         /*XXX*/
  208                 DPRINTF(("%s: m_pullup failed\n", __func__));
  209                 key_freesav(&sav);
  210                 return (error);
  211         }
  212         addr = (caddr_t) mtod(m, struct ip *) + skip;
  213         ipcomp = (struct ipcomp *)addr;
  214         if (ipcomp->comp_nxt == IPPROTO_IPCOMP) {
  215                 IPCOMPSTAT_INC(ipcomps_pdrops); /* XXX have our own stats? */
  216                 DPRINTF(("%s: recursive compression detected\n", __func__));
  217                 error = EINVAL;
  218                 goto bad;
  219         }
  220 
  221         /* Get crypto descriptors */
  222         crp = crypto_getreq(1);
  223         if (crp == NULL) {
  224                 DPRINTF(("%s: no crypto descriptors\n", __func__));
  225                 IPCOMPSTAT_INC(ipcomps_crypto);
  226                 goto bad;
  227         }
  228         /* Get IPsec-specific opaque pointer */
  229         xd = malloc(sizeof(*xd), M_XDATA, M_NOWAIT | M_ZERO);
  230         if (xd == NULL) {
  231                 DPRINTF(("%s: cannot allocate xform_data\n", __func__));
  232                 IPCOMPSTAT_INC(ipcomps_crypto);
  233                 crypto_freereq(crp);
  234                 goto bad;
  235         }
  236         crdc = crp->crp_desc;
  237 
  238         crdc->crd_skip = skip + hlen;
  239         crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
  240         crdc->crd_inject = skip;
  241 
  242         /* Decompression operation */
  243         crdc->crd_alg = sav->tdb_compalgxform->type;
  244 
  245 
  246         /* Crypto operation descriptor */
  247         crp->crp_ilen = m->m_pkthdr.len - (skip + hlen);
  248         crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
  249         crp->crp_buf = (caddr_t) m;
  250         crp->crp_callback = ipcomp_input_cb;
  251         crp->crp_opaque = (caddr_t) xd;
  252 
  253         /* These are passed as-is to the callback */
  254         xd->sav = sav;
  255         xd->protoff = protoff;
  256         xd->skip = skip;
  257         xd->vnet = curvnet;
  258 
  259         SECASVAR_LOCK(sav);
  260         crp->crp_session = xd->cryptoid = sav->tdb_cryptoid;
  261         SECASVAR_UNLOCK(sav);
  262 
  263         return crypto_dispatch(crp);
  264 bad:
  265         m_freem(m);
  266         key_freesav(&sav);
  267         return (error);
  268 }
  269 
  270 /*
  271  * IPComp input callback from the crypto driver.
  272  */
  273 static int
  274 ipcomp_input_cb(struct cryptop *crp)
  275 {
  276         IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
  277         struct xform_data *xd;
  278         struct mbuf *m;
  279         struct secasvar *sav;
  280         struct secasindex *saidx;
  281         caddr_t addr;
  282         crypto_session_t cryptoid;
  283         int hlen = IPCOMP_HLENGTH, error, clen;
  284         int skip, protoff;
  285         uint8_t nproto;
  286 
  287         m = (struct mbuf *) crp->crp_buf;
  288         xd = (struct xform_data *) crp->crp_opaque;
  289         CURVNET_SET(xd->vnet);
  290         sav = xd->sav;
  291         skip = xd->skip;
  292         protoff = xd->protoff;
  293         cryptoid = xd->cryptoid;
  294         saidx = &sav->sah->saidx;
  295         IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
  296                 saidx->dst.sa.sa_family == AF_INET6,
  297                 ("unexpected protocol family %u", saidx->dst.sa.sa_family));
  298 
  299         /* Check for crypto errors */
  300         if (crp->crp_etype) {
  301                 if (crp->crp_etype == EAGAIN) {
  302                         /* Reset the session ID */
  303                         if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
  304                                 crypto_freesession(cryptoid);
  305                         xd->cryptoid = crp->crp_session;
  306                         CURVNET_RESTORE();
  307                         return (crypto_dispatch(crp));
  308                 }
  309                 IPCOMPSTAT_INC(ipcomps_noxform);
  310                 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
  311                 error = crp->crp_etype;
  312                 goto bad;
  313         }
  314         /* Shouldn't happen... */
  315         if (m == NULL) {
  316                 IPCOMPSTAT_INC(ipcomps_crypto);
  317                 DPRINTF(("%s: null mbuf returned from crypto\n", __func__));
  318                 error = EINVAL;
  319                 goto bad;
  320         }
  321         IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
  322 
  323         clen = crp->crp_olen;           /* Length of data after processing */
  324 
  325         /* Release the crypto descriptors */
  326         free(xd, M_XDATA), xd = NULL;
  327         crypto_freereq(crp), crp = NULL;
  328 
  329         /* In case it's not done already, adjust the size of the mbuf chain */
  330         m->m_pkthdr.len = clen + hlen + skip;
  331 
  332         if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
  333                 IPCOMPSTAT_INC(ipcomps_hdrops);         /*XXX*/
  334                 DPRINTF(("%s: m_pullup failed\n", __func__));
  335                 error = EINVAL;                         /*XXX*/
  336                 goto bad;
  337         }
  338 
  339         /* Keep the next protocol field */
  340         addr = (caddr_t) mtod(m, struct ip *) + skip;
  341         nproto = ((struct ipcomp *) addr)->comp_nxt;
  342 
  343         /* Remove the IPCOMP header */
  344         error = m_striphdr(m, skip, hlen);
  345         if (error) {
  346                 IPCOMPSTAT_INC(ipcomps_hdrops);
  347                 DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__,
  348                     ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
  349                     (u_long) ntohl(sav->spi)));
  350                 goto bad;
  351         }
  352 
  353         /* Restore the Next Protocol field */
  354         m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto);
  355 
  356         switch (saidx->dst.sa.sa_family) {
  357 #ifdef INET6
  358         case AF_INET6:
  359                 error = ipsec6_common_input_cb(m, sav, skip, protoff);
  360                 break;
  361 #endif
  362 #ifdef INET
  363         case AF_INET:
  364                 error = ipsec4_common_input_cb(m, sav, skip, protoff);
  365                 break;
  366 #endif
  367         default:
  368                 panic("%s: Unexpected address family: %d saidx=%p", __func__,
  369                     saidx->dst.sa.sa_family, saidx);
  370         }
  371         CURVNET_RESTORE();
  372         return error;
  373 bad:
  374         CURVNET_RESTORE();
  375         if (sav != NULL)
  376                 key_freesav(&sav);
  377         if (m != NULL)
  378                 m_freem(m);
  379         if (xd != NULL)
  380                 free(xd, M_XDATA);
  381         if (crp != NULL)
  382                 crypto_freereq(crp);
  383         return error;
  384 }
  385 
  386 /*
  387  * IPComp output routine, called by ipsec[46]_perform_request()
  388  */
  389 static int
  390 ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
  391     u_int idx, int skip, int protoff)
  392 {
  393         IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
  394         const struct comp_algo *ipcompx;
  395         struct cryptodesc *crdc;
  396         struct cryptop *crp;
  397         struct xform_data *xd;
  398         int error, ralen, maxpacketsize;
  399 
  400         IPSEC_ASSERT(sav != NULL, ("null SA"));
  401         ipcompx = sav->tdb_compalgxform;
  402         IPSEC_ASSERT(ipcompx != NULL, ("null compression xform"));
  403 
  404         /*
  405          * Do not touch the packet in case our payload to compress
  406          * is lower than the minimal threshold of the compression
  407          * alogrithm.  We will just send out the data uncompressed.
  408          * See RFC 3173, 2.2. Non-Expansion Policy.
  409          */
  410         if (m->m_pkthdr.len <= ipcompx->minlen) {
  411                 IPCOMPSTAT_INC(ipcomps_threshold);
  412                 return ipsec_process_done(m, sp, sav, idx);
  413         }
  414 
  415         ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */
  416         IPCOMPSTAT_INC(ipcomps_output);
  417 
  418         /* Check for maximum packet size violations. */
  419         switch (sav->sah->saidx.dst.sa.sa_family) {
  420 #ifdef INET
  421         case AF_INET:
  422                 maxpacketsize = IP_MAXPACKET;
  423                 break;
  424 #endif /* INET */
  425 #ifdef INET6
  426         case AF_INET6:
  427                 maxpacketsize = IPV6_MAXPACKET;
  428                 break;
  429 #endif /* INET6 */
  430         default:
  431                 IPCOMPSTAT_INC(ipcomps_nopf);
  432                 DPRINTF(("%s: unknown/unsupported protocol family %d, "
  433                     "IPCA %s/%08lx\n", __func__,
  434                     sav->sah->saidx.dst.sa.sa_family,
  435                     ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
  436                     (u_long) ntohl(sav->spi)));
  437                 error = EPFNOSUPPORT;
  438                 goto bad;
  439         }
  440         if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) {
  441                 IPCOMPSTAT_INC(ipcomps_toobig);
  442                 DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
  443                     "(len %u, max len %u)\n", __func__,
  444                     ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
  445                     (u_long) ntohl(sav->spi),
  446                     ralen + skip + IPCOMP_HLENGTH, maxpacketsize));
  447                 error = EMSGSIZE;
  448                 goto bad;
  449         }
  450 
  451         /* Update the counters */
  452         IPCOMPSTAT_ADD(ipcomps_obytes, m->m_pkthdr.len - skip);
  453 
  454         m = m_unshare(m, M_NOWAIT);
  455         if (m == NULL) {
  456                 IPCOMPSTAT_INC(ipcomps_hdrops);
  457                 DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n",
  458                     __func__, ipsec_address(&sav->sah->saidx.dst, buf,
  459                     sizeof(buf)), (u_long) ntohl(sav->spi)));
  460                 error = ENOBUFS;
  461                 goto bad;
  462         }
  463 
  464         /* Ok now, we can pass to the crypto processing. */
  465 
  466         /* Get crypto descriptors */
  467         crp = crypto_getreq(1);
  468         if (crp == NULL) {
  469                 IPCOMPSTAT_INC(ipcomps_crypto);
  470                 DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
  471                 error = ENOBUFS;
  472                 goto bad;
  473         }
  474         crdc = crp->crp_desc;
  475 
  476         /* Compression descriptor */
  477         crdc->crd_skip = skip;
  478         crdc->crd_len = ralen;
  479         crdc->crd_flags = CRD_F_COMP;
  480         crdc->crd_inject = skip;
  481 
  482         /* Compression operation */
  483         crdc->crd_alg = ipcompx->type;
  484 
  485         /* IPsec-specific opaque crypto info */
  486         xd =  malloc(sizeof(struct xform_data), M_XDATA, M_NOWAIT | M_ZERO);
  487         if (xd == NULL) {
  488                 IPCOMPSTAT_INC(ipcomps_crypto);
  489                 DPRINTF(("%s: failed to allocate xform_data\n", __func__));
  490                 crypto_freereq(crp);
  491                 error = ENOBUFS;
  492                 goto bad;
  493         }
  494 
  495         xd->sp = sp;
  496         xd->sav = sav;
  497         xd->idx = idx;
  498         xd->skip = skip;
  499         xd->protoff = protoff;
  500         xd->vnet = curvnet;
  501 
  502         /* Crypto operation descriptor */
  503         crp->crp_ilen = m->m_pkthdr.len;        /* Total input length */
  504         crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
  505         crp->crp_buf = (caddr_t) m;
  506         crp->crp_callback = ipcomp_output_cb;
  507         crp->crp_opaque = (caddr_t) xd;
  508 
  509         SECASVAR_LOCK(sav);
  510         crp->crp_session = xd->cryptoid = sav->tdb_cryptoid;
  511         SECASVAR_UNLOCK(sav);
  512 
  513         return crypto_dispatch(crp);
  514 bad:
  515         if (m)
  516                 m_freem(m);
  517         key_freesav(&sav);
  518         key_freesp(&sp);
  519         return (error);
  520 }
  521 
  522 /*
  523  * IPComp output callback from the crypto driver.
  524  */
  525 static int
  526 ipcomp_output_cb(struct cryptop *crp)
  527 {
  528         IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
  529         struct xform_data *xd;
  530         struct secpolicy *sp;
  531         struct secasvar *sav;
  532         struct mbuf *m;
  533         crypto_session_t cryptoid;
  534         u_int idx;
  535         int error, skip, protoff;
  536 
  537         m = (struct mbuf *) crp->crp_buf;
  538         xd = (struct xform_data *) crp->crp_opaque;
  539         CURVNET_SET(xd->vnet);
  540         idx = xd->idx;
  541         sp = xd->sp;
  542         sav = xd->sav;
  543         skip = xd->skip;
  544         protoff = xd->protoff;
  545         cryptoid = xd->cryptoid;
  546 
  547         /* Check for crypto errors */
  548         if (crp->crp_etype) {
  549                 if (crp->crp_etype == EAGAIN) {
  550                         /* Reset the session ID */
  551                         if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
  552                                 crypto_freesession(cryptoid);
  553                         xd->cryptoid = crp->crp_session;
  554                         CURVNET_RESTORE();
  555                         return (crypto_dispatch(crp));
  556                 }
  557                 IPCOMPSTAT_INC(ipcomps_noxform);
  558                 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
  559                 error = crp->crp_etype;
  560                 goto bad;
  561         }
  562         /* Shouldn't happen... */
  563         if (m == NULL) {
  564                 IPCOMPSTAT_INC(ipcomps_crypto);
  565                 DPRINTF(("%s: bogus return buffer from crypto\n", __func__));
  566                 error = EINVAL;
  567                 goto bad;
  568         }
  569         IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
  570 
  571         if (crp->crp_ilen - skip > crp->crp_olen) {
  572                 struct mbuf *mo;
  573                 struct ipcomp *ipcomp;
  574                 int roff;
  575                 uint8_t prot;
  576 
  577                 /* Compression helped, inject IPCOMP header. */
  578                 mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
  579                 if (mo == NULL) {
  580                         IPCOMPSTAT_INC(ipcomps_wrap);
  581                         DPRINTF(("%s: IPCOMP header inject failed "
  582                             "for IPCA %s/%08lx\n",
  583                             __func__, ipsec_address(&sav->sah->saidx.dst, buf,
  584                             sizeof(buf)), (u_long) ntohl(sav->spi)));
  585                         error = ENOBUFS;
  586                         goto bad;
  587                 }
  588                 ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
  589 
  590                 /* Initialize the IPCOMP header */
  591                 /* XXX alignment always correct? */
  592                 switch (sav->sah->saidx.dst.sa.sa_family) {
  593 #ifdef INET
  594                 case AF_INET:
  595                         ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
  596                         break;
  597 #endif /* INET */
  598 #ifdef INET6
  599                 case AF_INET6:
  600                         ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
  601                         break;
  602 #endif
  603                 }
  604                 ipcomp->comp_flags = 0;
  605                 ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
  606 
  607                 /* Fix Next Protocol in IPv4/IPv6 header */
  608                 prot = IPPROTO_IPCOMP;
  609                 m_copyback(m, protoff, sizeof(u_int8_t),
  610                     (u_char *)&prot);
  611 
  612                 /* Adjust the length in the IP header */
  613                 switch (sav->sah->saidx.dst.sa.sa_family) {
  614 #ifdef INET
  615                 case AF_INET:
  616                         mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len);
  617                         break;
  618 #endif /* INET */
  619 #ifdef INET6
  620                 case AF_INET6:
  621                         mtod(m, struct ip6_hdr *)->ip6_plen =
  622                                 htons(m->m_pkthdr.len) - sizeof(struct ip6_hdr);
  623                         break;
  624 #endif /* INET6 */
  625                 default:
  626                         IPCOMPSTAT_INC(ipcomps_nopf);
  627                         DPRINTF(("%s: unknown/unsupported protocol "
  628                             "family %d, IPCA %s/%08lx\n", __func__,
  629                             sav->sah->saidx.dst.sa.sa_family,
  630                             ipsec_address(&sav->sah->saidx.dst, buf,
  631                                 sizeof(buf)), (u_long) ntohl(sav->spi)));
  632                         error = EPFNOSUPPORT;
  633                         goto bad;
  634                 }
  635         } else {
  636                 /* Compression was useless, we have lost time. */
  637                 IPCOMPSTAT_INC(ipcomps_uncompr);
  638                 DPRINTF(("%s: compressions was useless %d - %d <= %d\n",
  639                     __func__, crp->crp_ilen, skip, crp->crp_olen));
  640                 /* XXX remember state to not compress the next couple
  641                  *     of packets, RFC 3173, 2.2. Non-Expansion Policy */
  642         }
  643 
  644         /* Release the crypto descriptor */
  645         free(xd, M_XDATA);
  646         crypto_freereq(crp);
  647 
  648         /* NB: m is reclaimed by ipsec_process_done. */
  649         error = ipsec_process_done(m, sp, sav, idx);
  650         CURVNET_RESTORE();
  651         return (error);
  652 bad:
  653         if (m)
  654                 m_freem(m);
  655         CURVNET_RESTORE();
  656         free(xd, M_XDATA);
  657         crypto_freereq(crp);
  658         key_freesav(&sav);
  659         key_freesp(&sp);
  660         return (error);
  661 }
  662 
  663 #ifdef INET
  664 static int
  665 ipcomp4_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
  666     void *arg __unused)
  667 {
  668         union sockaddr_union src, dst;
  669         const struct ip *ip;
  670 
  671         if (V_ipcomp_enable == 0)
  672                 return (0);
  673         if (proto != IPPROTO_IPV4 && proto != IPPROTO_IPV6)
  674                 return (0);
  675         bzero(&src, sizeof(src));
  676         bzero(&dst, sizeof(dst));
  677         src.sa.sa_family = dst.sa.sa_family = AF_INET;
  678         src.sin.sin_len = dst.sin.sin_len = sizeof(struct sockaddr_in);
  679         ip = mtod(m, const struct ip *);
  680         src.sin.sin_addr = ip->ip_src;
  681         dst.sin.sin_addr = ip->ip_dst;
  682         return (ipcomp_encapcheck(&src, &dst));
  683 }
  684 
  685 static const struct encaptab *ipe4_cookie = NULL;
  686 static const struct encap_config ipv4_encap_cfg = {
  687         .proto = -1,
  688         .min_length = sizeof(struct ip),
  689         .exact_match = sizeof(in_addr_t) << 4,
  690         .check = ipcomp4_nonexp_encapcheck,
  691         .input = ipcomp_nonexp_input
  692 };
  693 #endif
  694 #ifdef INET6
  695 static int
  696 ipcomp6_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
  697     void *arg __unused)
  698 {
  699         union sockaddr_union src, dst;
  700         const struct ip6_hdr *ip6;
  701 
  702         if (V_ipcomp_enable == 0)
  703                 return (0);
  704         if (proto != IPPROTO_IPV4 && proto != IPPROTO_IPV6)
  705                 return (0);
  706         bzero(&src, sizeof(src));
  707         bzero(&dst, sizeof(dst));
  708         src.sa.sa_family = dst.sa.sa_family = AF_INET;
  709         src.sin6.sin6_len = dst.sin6.sin6_len = sizeof(struct sockaddr_in6);
  710         ip6 = mtod(m, const struct ip6_hdr *);
  711         src.sin6.sin6_addr = ip6->ip6_src;
  712         dst.sin6.sin6_addr = ip6->ip6_dst;
  713         if (IN6_IS_SCOPE_LINKLOCAL(&src.sin6.sin6_addr)) {
  714                 /* XXX: sa6_recoverscope() */
  715                 src.sin6.sin6_scope_id =
  716                     ntohs(src.sin6.sin6_addr.s6_addr16[1]);
  717                 src.sin6.sin6_addr.s6_addr16[1] = 0;
  718         }
  719         if (IN6_IS_SCOPE_LINKLOCAL(&dst.sin6.sin6_addr)) {
  720                 /* XXX: sa6_recoverscope() */
  721                 dst.sin6.sin6_scope_id =
  722                     ntohs(dst.sin6.sin6_addr.s6_addr16[1]);
  723                 dst.sin6.sin6_addr.s6_addr16[1] = 0;
  724         }
  725         return (ipcomp_encapcheck(&src, &dst));
  726 }
  727 
  728 static const struct encaptab *ipe6_cookie = NULL;
  729 static const struct encap_config ipv6_encap_cfg = {
  730         .proto = -1,
  731         .min_length = sizeof(struct ip6_hdr),
  732         .exact_match = sizeof(struct in6_addr) << 4,
  733         .check = ipcomp6_nonexp_encapcheck,
  734         .input = ipcomp_nonexp_input
  735 };
  736 #endif
  737 
  738 static struct xformsw ipcomp_xformsw = {
  739         .xf_type =      XF_IPCOMP,
  740         .xf_name =      "IPcomp",
  741         .xf_init =      ipcomp_init,
  742         .xf_zeroize =   ipcomp_zeroize,
  743         .xf_input =     ipcomp_input,
  744         .xf_output =    ipcomp_output,
  745 };
  746 
  747 static void
  748 ipcomp_attach(void)
  749 {
  750 
  751 #ifdef INET
  752         ipe4_cookie = ip_encap_attach(&ipv4_encap_cfg, NULL, M_WAITOK);
  753 #endif
  754 #ifdef INET6
  755         ipe6_cookie = ip6_encap_attach(&ipv6_encap_cfg, NULL, M_WAITOK);
  756 #endif
  757         xform_attach(&ipcomp_xformsw);
  758 }
  759 
  760 static void
  761 ipcomp_detach(void)
  762 {
  763 
  764 #ifdef INET
  765         ip_encap_detach(ipe4_cookie);
  766 #endif
  767 #ifdef INET6
  768         ip6_encap_detach(ipe6_cookie);
  769 #endif
  770         xform_detach(&ipcomp_xformsw);
  771 }
  772 
  773 SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
  774     ipcomp_attach, NULL);
  775 SYSUNINIT(ipcomp_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
  776     ipcomp_detach, NULL);

Cache object: 9eeaecbe4103cc5f4ea2553116d8b4f2


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.