]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/ipsec.c
projects / apple / xnu.git / blob
? search:


32683adc31c1bd52c8a2b2a1d8c5b722ef7a864c
[apple/xnu.git] / bsd / netinet6 / ipsec.c
1 /*
2 * Copyright (c) 2008-2018 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $ */
30 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
31
32 /*
33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34 * All rights reserved.
35 *
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
38 * are met:
39 * 1. Redistributions of source code must retain the above copyright
40 * notice, this list of conditions and the following disclaimer.
41 * 2. Redistributions in binary form must reproduce the above copyright
42 * notice, this list of conditions and the following disclaimer in the
43 * documentation and/or other materials provided with the distribution.
44 * 3. Neither the name of the project nor the names of its contributors
45 * may be used to endorse or promote products derived from this software
46 * without specific prior written permission.
47 *
48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58 * SUCH DAMAGE.
59 */
60
61 /*
62 * IPsec controller part.
63 */
64
65 #include <sys/param.h>
66 #include <sys/systm.h>
67 #include <sys/malloc.h>
68 #include <sys/mbuf.h>
69 #include <sys/mcache.h>
70 #include <sys/domain.h>
71 #include <sys/protosw.h>
72 #include <sys/socket.h>
73 #include <sys/socketvar.h>
74 #include <sys/errno.h>
75 #include <sys/time.h>
76 #include <sys/kernel.h>
77 #include <sys/syslog.h>
78 #include <sys/sysctl.h>
79 #include <kern/locks.h>
80 #include <sys/kauth.h>
81 #include <libkern/OSAtomic.h>
82
83 #include <net/if.h>
84 #include <net/route.h>
85 #include <net/if_ipsec.h>
86
87 #include <netinet/in.h>
88 #include <netinet/in_systm.h>
89 #include <netinet/ip.h>
90 #include <netinet/ip_var.h>
91 #include <netinet/in_var.h>
92 #include <netinet/udp.h>
93 #include <netinet/udp_var.h>
94 #include <netinet/ip_ecn.h>
95 #if INET6
96 #include <netinet6/ip6_ecn.h>
97 #endif
98 #include <netinet/tcp.h>
99 #include <netinet/udp.h>
100
101 #include <netinet/ip6.h>
102 #if INET6
103 #include <netinet6/ip6_var.h>
104 #endif
105 #include <netinet/in_pcb.h>
106 #if INET6
107 #include <netinet/icmp6.h>
108 #endif
109
110 #include <netinet6/ipsec.h>
111 #if INET6
112 #include <netinet6/ipsec6.h>
113 #endif
114 #include <netinet6/ah.h>
115 #if INET6
116 #include <netinet6/ah6.h>
117 #endif
118 #if IPSEC_ESP
119 #include <netinet6/esp.h>
120 #if INET6
121 #include <netinet6/esp6.h>
122 #endif
123 #endif
124 #include <netinet6/ipcomp.h>
125 #if INET6
126 #include <netinet6/ipcomp6.h>
127 #endif
128 #include <netkey/key.h>
129 #include <netkey/keydb.h>
130 #include <netkey/key_debug.h>
131
132 #include <net/net_osdep.h>
133
134 #if IPSEC_DEBUG
135 int ipsec_debug = 1;
136 #else
137 int ipsec_debug = 0;
138 #endif
139
140 #include <sys/kdebug.h>
141 #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1)
142 #define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3)
143 #define DBG_FNC_GETPOL_SOCK NETDBG_CODE(DBG_NETIPSEC, (1 << 8))
144 #define DBG_FNC_GETPOL_ADDR NETDBG_CODE(DBG_NETIPSEC, (2 << 8))
145 #define DBG_FNC_IPSEC_OUT NETDBG_CODE(DBG_NETIPSEC, (3 << 8))
146
147 extern lck_mtx_t *sadb_mutex;
148
149 struct ipsecstat ipsecstat;
150 int ip4_ah_cleartos = 1;
151 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
152 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
153 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
154 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
155 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
156 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
157 struct secpolicy ip4_def_policy;
158 int ip4_ipsec_ecn = ECN_COMPATIBILITY; /* ECN ignore(-1)/compatibility(0)/normal(1) */
159 int ip4_esp_randpad = -1;
160 int esp_udp_encap_port = 0;
161 static int sysctl_def_policy SYSCTL_HANDLER_ARGS;
162 extern int natt_keepalive_interval;
163 extern u_int64_t natt_now;
164
165 struct ipsec_tag;
166
167 SYSCTL_DECL(_net_inet_ipsec);
168 #if INET6
169 SYSCTL_DECL(_net_inet6_ipsec6);
170 #endif
171 /* net.inet.ipsec */
172 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
173 stats, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsecstat, ipsecstat, "");
174 SYSCTL_PROC(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED,
175 &ip4_def_policy.policy, 0, &sysctl_def_policy, "I", "");
176 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
177 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_trans_deflev, 0, "");
178 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
179 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_net_deflev, 0, "");
180 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
181 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_trans_deflev, 0, "");
182 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
183 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_net_deflev, 0, "");
184 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
185 ah_cleartos, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_cleartos, 0, "");
186 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
187 ah_offsetmask, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_offsetmask, 0, "");
188 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
189 dfbit, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ipsec_dfbit, 0, "");
190 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
191 ecn, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ipsec_ecn, 0, "");
192 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
193 debug, CTLFLAG_RW | CTLFLAG_LOCKED, &ipsec_debug, 0, "");
194 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
195 esp_randpad, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_randpad, 0, "");
196
197 /* for performance, we bypass ipsec until a security policy is set */
198 int ipsec_bypass = 1;
199 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, bypass, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsec_bypass, 0, "");
200
201 /*
202 * NAT Traversal requires a UDP port for encapsulation,
203 * esp_udp_encap_port controls which port is used. Racoon
204 * must set this port to the port racoon is using locally
205 * for nat traversal.
206 */
207 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, esp_port,
208 CTLFLAG_RW | CTLFLAG_LOCKED, &esp_udp_encap_port, 0, "");
209
210 #if INET6
211 struct ipsecstat ipsec6stat;
212 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
213 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
214 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
215 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
216 struct secpolicy ip6_def_policy;
217 int ip6_ipsec_ecn = ECN_COMPATIBILITY; /* ECN ignore(-1)/compatibility(0)/normal(1) */
218 int ip6_esp_randpad = -1;
219
220 /* net.inet6.ipsec6 */
221 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
222 stats, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsec6stat, ipsecstat, "");
223 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
224 def_policy, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_def_policy.policy, 0, "");
225 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
226 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_trans_deflev, 0, "");
227 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
228 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_net_deflev, 0, "");
229 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
230 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ah_trans_deflev, 0, "");
231 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
232 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ah_net_deflev, 0, "");
233 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
234 ecn, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ipsec_ecn, 0, "");
235 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
236 debug, CTLFLAG_RW | CTLFLAG_LOCKED, &ipsec_debug, 0, "");
237 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
238 esp_randpad, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_randpad, 0, "");
239 #endif /* INET6 */
240
241 static int ipsec_setspidx_interface(struct secpolicyindex *, u_int, struct mbuf *,
242 int, int, int);
243 static int ipsec_setspidx_mbuf(struct secpolicyindex *, u_int, u_int,
244 struct mbuf *, int);
245 static int ipsec4_setspidx_inpcb(struct mbuf *, struct inpcb *pcb);
246 #if INET6
247 static int ipsec6_setspidx_in6pcb(struct mbuf *, struct in6pcb *pcb);
248 #endif
249 static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int, int);
250 static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
251 static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
252 #if INET6
253 static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
254 static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
255 #endif
256 static struct inpcbpolicy *ipsec_newpcbpolicy(void);
257 static void ipsec_delpcbpolicy(struct inpcbpolicy *);
258 static struct secpolicy *ipsec_deepcopy_policy(struct secpolicy *src);
259 static int ipsec_set_policy(struct secpolicy **pcb_sp,
260 int optname, caddr_t request, size_t len, int priv);
261 static void vshiftl(unsigned char *, int, int);
262 static int ipsec_in_reject(struct secpolicy *, struct mbuf *);
263 #if INET6
264 static int ipsec64_encapsulate(struct mbuf *, struct secasvar *);
265 static int ipsec6_update_routecache_and_output(struct ipsec_output_state *state, struct secasvar *sav);
266 static int ipsec46_encapsulate(struct ipsec_output_state *state, struct secasvar *sav);
267 #endif
268 static struct ipsec_tag *ipsec_addaux(struct mbuf *);
269 static struct ipsec_tag *ipsec_findaux(struct mbuf *);
270 static void ipsec_optaux(struct mbuf *, struct ipsec_tag *);
271 int ipsec_send_natt_keepalive(struct secasvar *sav);
272 bool ipsec_fill_offload_frame(ifnet_t ifp, struct secasvar *sav, struct ifnet_keepalive_offload_frame *frame, size_t frame_data_offset);
273
274 static int
275 sysctl_def_policy SYSCTL_HANDLER_ARGS
276 {
277 int old_policy = ip4_def_policy.policy;
278 int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
279
280 #pragma unused(arg1, arg2)
281
282 if (ip4_def_policy.policy != IPSEC_POLICY_NONE &&
283 ip4_def_policy.policy != IPSEC_POLICY_DISCARD) {
284 ip4_def_policy.policy = old_policy;
285 return EINVAL;
286 }
287
288 /* Turn off the bypass if the default security policy changes */
289 if (ipsec_bypass != 0 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
290 ipsec_bypass = 0;
291 }
292
293 return error;
294 }
295
296 /*
297 * For OUTBOUND packet having a socket. Searching SPD for packet,
298 * and return a pointer to SP.
299 * OUT: NULL: no apropreate SP found, the following value is set to error.
300 * 0 : bypass
301 * EACCES : discard packet.
302 * ENOENT : ipsec_acquire() in progress, maybe.
303 * others : error occurred.
304 * others: a pointer to SP
305 *
306 * NOTE: IPv6 mapped adddress concern is implemented here.
307 */
308 struct secpolicy *
309 ipsec4_getpolicybysock(struct mbuf *m,
310 u_int dir,
311 struct socket *so,
312 int *error)
313 {
314 struct inpcbpolicy *pcbsp = NULL;
315 struct secpolicy *currsp = NULL; /* policy on socket */
316 struct secpolicy *kernsp = NULL; /* policy on kernel */
317
318 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
319 /* sanity check */
320 if (m == NULL || so == NULL || error == NULL) {
321 panic("ipsec4_getpolicybysock: NULL pointer was passed.\n");
322 }
323
324 if (so->so_pcb == NULL) {
325 printf("ipsec4_getpolicybysock: so->so_pcb == NULL\n");
326 return ipsec4_getpolicybyaddr(m, dir, 0, error);
327 }
328
329 switch (SOCK_DOM(so)) {
330 case PF_INET:
331 pcbsp = sotoinpcb(so)->inp_sp;
332 break;
333 #if INET6
334 case PF_INET6:
335 pcbsp = sotoin6pcb(so)->in6p_sp;
336 break;
337 #endif
338 }
339
340 if (!pcbsp) {
341 /* Socket has not specified an IPSEC policy */
342 return ipsec4_getpolicybyaddr(m, dir, 0, error);
343 }
344
345 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_START, 0, 0, 0, 0, 0);
346
347 switch (SOCK_DOM(so)) {
348 case PF_INET:
349 /* set spidx in pcb */
350 *error = ipsec4_setspidx_inpcb(m, sotoinpcb(so));
351 break;
352 #if INET6
353 case PF_INET6:
354 /* set spidx in pcb */
355 *error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
356 break;
357 #endif
358 default:
359 panic("ipsec4_getpolicybysock: unsupported address family\n");
360 }
361 if (*error) {
362 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 1, *error, 0, 0, 0);
363 return NULL;
364 }
365
366 /* sanity check */
367 if (pcbsp == NULL) {
368 panic("ipsec4_getpolicybysock: pcbsp is NULL.\n");
369 }
370
371 switch (dir) {
372 case IPSEC_DIR_INBOUND:
373 currsp = pcbsp->sp_in;
374 break;
375 case IPSEC_DIR_OUTBOUND:
376 currsp = pcbsp->sp_out;
377 break;
378 default:
379 panic("ipsec4_getpolicybysock: illegal direction.\n");
380 }
381
382 /* sanity check */
383 if (currsp == NULL) {
384 panic("ipsec4_getpolicybysock: currsp is NULL.\n");
385 }
386
387 /* when privilieged socket */
388 if (pcbsp->priv) {
389 switch (currsp->policy) {
390 case IPSEC_POLICY_BYPASS:
391 lck_mtx_lock(sadb_mutex);
392 currsp->refcnt++;
393 lck_mtx_unlock(sadb_mutex);
394 *error = 0;
395 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 2, *error, 0, 0, 0);
396 return currsp;
397
398 case IPSEC_POLICY_ENTRUST:
399 /* look for a policy in SPD */
400 kernsp = key_allocsp(&currsp->spidx, dir);
401
402 /* SP found */
403 if (kernsp != NULL) {
404 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
405 printf("DP ipsec4_getpolicybysock called "
406 "to allocate SP:0x%llx\n",
407 (uint64_t)VM_KERNEL_ADDRPERM(kernsp)));
408 *error = 0;
409 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 3, *error, 0, 0, 0);
410 return kernsp;
411 }
412
413 /* no SP found */
414 lck_mtx_lock(sadb_mutex);
415 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
416 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
417 ipseclog((LOG_INFO,
418 "fixed system default policy: %d->%d\n",
419 ip4_def_policy.policy, IPSEC_POLICY_NONE));
420 ip4_def_policy.policy = IPSEC_POLICY_NONE;
421 }
422 ip4_def_policy.refcnt++;
423 lck_mtx_unlock(sadb_mutex);
424 *error = 0;
425 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 4, *error, 0, 0, 0);
426 return &ip4_def_policy;
427
428 case IPSEC_POLICY_IPSEC:
429 lck_mtx_lock(sadb_mutex);
430 currsp->refcnt++;
431 lck_mtx_unlock(sadb_mutex);
432 *error = 0;
433 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 5, *error, 0, 0, 0);
434 return currsp;
435
436 default:
437 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
438 "Invalid policy for PCB %d\n", currsp->policy));
439 *error = EINVAL;
440 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 6, *error, 0, 0, 0);
441 return NULL;
442 }
443 /* NOTREACHED */
444 }
445
446 /* when non-privilieged socket */
447 /* look for a policy in SPD */
448 kernsp = key_allocsp(&currsp->spidx, dir);
449
450 /* SP found */
451 if (kernsp != NULL) {
452 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
453 printf("DP ipsec4_getpolicybysock called "
454 "to allocate SP:0x%llx\n",
455 (uint64_t)VM_KERNEL_ADDRPERM(kernsp)));
456 *error = 0;
457 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 7, *error, 0, 0, 0);
458 return kernsp;
459 }
460
461 /* no SP found */
462 switch (currsp->policy) {
463 case IPSEC_POLICY_BYPASS:
464 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
465 "Illegal policy for non-priviliged defined %d\n",
466 currsp->policy));
467 *error = EINVAL;
468 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 8, *error, 0, 0, 0);
469 return NULL;
470
471 case IPSEC_POLICY_ENTRUST:
472 lck_mtx_lock(sadb_mutex);
473 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
474 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
475 ipseclog((LOG_INFO,
476 "fixed system default policy: %d->%d\n",
477 ip4_def_policy.policy, IPSEC_POLICY_NONE));
478 ip4_def_policy.policy = IPSEC_POLICY_NONE;
479 }
480 ip4_def_policy.refcnt++;
481 lck_mtx_unlock(sadb_mutex);
482 *error = 0;
483 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 9, *error, 0, 0, 0);
484 return &ip4_def_policy;
485
486 case IPSEC_POLICY_IPSEC:
487 lck_mtx_lock(sadb_mutex);
488 currsp->refcnt++;
489 lck_mtx_unlock(sadb_mutex);
490 *error = 0;
491 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 10, *error, 0, 0, 0);
492 return currsp;
493
494 default:
495 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
496 "Invalid policy for PCB %d\n", currsp->policy));
497 *error = EINVAL;
498 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 11, *error, 0, 0, 0);
499 return NULL;
500 }
501 /* NOTREACHED */
502 }
503
504 /*
505 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
506 * and return a pointer to SP.
507 * OUT: positive: a pointer to the entry for security policy leaf matched.
508 * NULL: no apropreate SP found, the following value is set to error.
509 * 0 : bypass
510 * EACCES : discard packet.
511 * ENOENT : ipsec_acquire() in progress, maybe.
512 * others : error occurred.
513 */
514 struct secpolicy *
515 ipsec4_getpolicybyaddr(struct mbuf *m,
516 u_int dir,
517 int flag,
518 int *error)
519 {
520 struct secpolicy *sp = NULL;
521
522 if (ipsec_bypass != 0) {
523 return 0;
524 }
525
526 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
527
528 /* sanity check */
529 if (m == NULL || error == NULL) {
530 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n");
531 }
532 {
533 struct secpolicyindex spidx;
534
535 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0, 0, 0, 0, 0);
536 bzero(&spidx, sizeof(spidx));
537
538 /* make a index to look for a policy */
539 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
540 (flag & IP_FORWARDING) ? 0 : 1);
541
542 if (*error != 0) {
543 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1, *error, 0, 0, 0);
544 return NULL;
545 }
546
547 sp = key_allocsp(&spidx, dir);
548 }
549
550 /* SP found */
551 if (sp != NULL) {
552 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
553 printf("DP ipsec4_getpolicybyaddr called "
554 "to allocate SP:0x%llx\n",
555 (uint64_t)VM_KERNEL_ADDRPERM(sp)));
556 *error = 0;
557 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2, *error, 0, 0, 0);
558 return sp;
559 }
560
561 /* no SP found */
562 lck_mtx_lock(sadb_mutex);
563 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
564 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
565 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
566 ip4_def_policy.policy,
567 IPSEC_POLICY_NONE));
568 ip4_def_policy.policy = IPSEC_POLICY_NONE;
569 }
570 ip4_def_policy.refcnt++;
571 lck_mtx_unlock(sadb_mutex);
572 *error = 0;
573 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 3, *error, 0, 0, 0);
574 return &ip4_def_policy;
575 }
576
577 /* Match with bound interface rather than src addr.
578 * Unlike getpolicybyaddr, do not set the default policy.
579 * Return 0 if should continue processing, or -1 if packet
580 * should be dropped.
581 */
582 int
583 ipsec4_getpolicybyinterface(struct mbuf *m,
584 u_int dir,
585 int *flags,
586 struct ip_out_args *ipoa,
587 struct secpolicy **sp)
588 {
589 struct secpolicyindex spidx;
590 int error = 0;
591
592 if (ipsec_bypass != 0) {
593 return 0;
594 }
595
596 /* Sanity check */
597 if (m == NULL || ipoa == NULL || sp == NULL) {
598 panic("ipsec4_getpolicybyinterface: NULL pointer was passed.\n");
599 }
600
601 if (ipoa->ipoa_boundif == IFSCOPE_NONE) {
602 return 0;
603 }
604
605 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0, 0, 0, 0, 0);
606 bzero(&spidx, sizeof(spidx));
607
608 /* make a index to look for a policy */
609 error = ipsec_setspidx_interface(&spidx, dir, m, (*flags & IP_FORWARDING) ? 0 : 1,
610 ipoa->ipoa_boundif, 4);
611
612 if (error != 0) {
613 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1, error, 0, 0, 0);
614 return 0;
615 }
616
617 *sp = key_allocsp(&spidx, dir);
618
619 /* Return SP, whether NULL or not */
620 if (*sp != NULL && (*sp)->policy == IPSEC_POLICY_IPSEC) {
621 if ((*sp)->ipsec_if == NULL) {
622 /* Invalid to capture on an interface without redirect */
623 key_freesp(*sp, KEY_SADB_UNLOCKED);
624 *sp = NULL;
625 return -1;
626 } else if ((*sp)->disabled) {
627 /* Disabled policies go in the clear */
628 key_freesp(*sp, KEY_SADB_UNLOCKED);
629 *sp = NULL;
630 *flags |= IP_NOIPSEC; /* Avoid later IPSec check */
631 } else {
632 /* If policy is enabled, redirect to ipsec interface */
633 ipoa->ipoa_boundif = (*sp)->ipsec_if->if_index;
634 }
635 }
636
637 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2, error, 0, 0, 0);
638
639 return 0;
640 }
641
642
643 #if INET6
644 /*
645 * For OUTBOUND packet having a socket. Searching SPD for packet,
646 * and return a pointer to SP.
647 * OUT: NULL: no apropreate SP found, the following value is set to error.
648 * 0 : bypass
649 * EACCES : discard packet.
650 * ENOENT : ipsec_acquire() in progress, maybe.
651 * others : error occurred.
652 * others: a pointer to SP
653 */
654 struct secpolicy *
655 ipsec6_getpolicybysock(struct mbuf *m,
656 u_int dir,
657 struct socket *so,
658 int *error)
659 {
660 struct inpcbpolicy *pcbsp = NULL;
661 struct secpolicy *currsp = NULL; /* policy on socket */
662 struct secpolicy *kernsp = NULL; /* policy on kernel */
663
664 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
665
666 /* sanity check */
667 if (m == NULL || so == NULL || error == NULL) {
668 panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
669 }
670
671 #if DIAGNOSTIC
672 if (SOCK_DOM(so) != PF_INET6) {
673 panic("ipsec6_getpolicybysock: socket domain != inet6\n");
674 }
675 #endif
676
677 pcbsp = sotoin6pcb(so)->in6p_sp;
678
679 if (!pcbsp) {
680 return ipsec6_getpolicybyaddr(m, dir, 0, error);
681 }
682
683 /* set spidx in pcb */
684 ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
685
686 /* sanity check */
687 if (pcbsp == NULL) {
688 panic("ipsec6_getpolicybysock: pcbsp is NULL.\n");
689 }
690
691 switch (dir) {
692 case IPSEC_DIR_INBOUND:
693 currsp = pcbsp->sp_in;
694 break;
695 case IPSEC_DIR_OUTBOUND:
696 currsp = pcbsp->sp_out;
697 break;
698 default:
699 panic("ipsec6_getpolicybysock: illegal direction.\n");
700 }
701
702 /* sanity check */
703 if (currsp == NULL) {
704 panic("ipsec6_getpolicybysock: currsp is NULL.\n");
705 }
706
707 /* when privilieged socket */
708 if (pcbsp->priv) {
709 switch (currsp->policy) {
710 case IPSEC_POLICY_BYPASS:
711 lck_mtx_lock(sadb_mutex);
712 currsp->refcnt++;
713 lck_mtx_unlock(sadb_mutex);
714 *error = 0;
715 return currsp;
716
717 case IPSEC_POLICY_ENTRUST:
718 /* look for a policy in SPD */
719 kernsp = key_allocsp(&currsp->spidx, dir);
720
721 /* SP found */
722 if (kernsp != NULL) {
723 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
724 printf("DP ipsec6_getpolicybysock called "
725 "to allocate SP:0x%llx\n",
726 (uint64_t)VM_KERNEL_ADDRPERM(kernsp)));
727 *error = 0;
728 return kernsp;
729 }
730
731 /* no SP found */
732 lck_mtx_lock(sadb_mutex);
733 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
734 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
735 ipseclog((LOG_INFO,
736 "fixed system default policy: %d->%d\n",
737 ip6_def_policy.policy, IPSEC_POLICY_NONE));
738 ip6_def_policy.policy = IPSEC_POLICY_NONE;
739 }
740 ip6_def_policy.refcnt++;
741 lck_mtx_unlock(sadb_mutex);
742 *error = 0;
743 return &ip6_def_policy;
744
745 case IPSEC_POLICY_IPSEC:
746 lck_mtx_lock(sadb_mutex);
747 currsp->refcnt++;
748 lck_mtx_unlock(sadb_mutex);
749 *error = 0;
750 return currsp;
751
752 default:
753 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
754 "Invalid policy for PCB %d\n", currsp->policy));
755 *error = EINVAL;
756 return NULL;
757 }
758 /* NOTREACHED */
759 }
760
761 /* when non-privilieged socket */
762 /* look for a policy in SPD */
763 kernsp = key_allocsp(&currsp->spidx, dir);
764
765 /* SP found */
766 if (kernsp != NULL) {
767 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
768 printf("DP ipsec6_getpolicybysock called "
769 "to allocate SP:0x%llx\n",
770 (uint64_t)VM_KERNEL_ADDRPERM(kernsp)));
771 *error = 0;
772 return kernsp;
773 }
774
775 /* no SP found */
776 switch (currsp->policy) {
777 case IPSEC_POLICY_BYPASS:
778 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
779 "Illegal policy for non-priviliged defined %d\n",
780 currsp->policy));
781 *error = EINVAL;
782 return NULL;
783
784 case IPSEC_POLICY_ENTRUST:
785 lck_mtx_lock(sadb_mutex);
786 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
787 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
788 ipseclog((LOG_INFO,
789 "fixed system default policy: %d->%d\n",
790 ip6_def_policy.policy, IPSEC_POLICY_NONE));
791 ip6_def_policy.policy = IPSEC_POLICY_NONE;
792 }
793 ip6_def_policy.refcnt++;
794 lck_mtx_unlock(sadb_mutex);
795 *error = 0;
796 return &ip6_def_policy;
797
798 case IPSEC_POLICY_IPSEC:
799 lck_mtx_lock(sadb_mutex);
800 currsp->refcnt++;
801 lck_mtx_unlock(sadb_mutex);
802 *error = 0;
803 return currsp;
804
805 default:
806 ipseclog((LOG_ERR,
807 "ipsec6_policybysock: Invalid policy for PCB %d\n",
808 currsp->policy));
809 *error = EINVAL;
810 return NULL;
811 }
812 /* NOTREACHED */
813 }
814
815 /*
816 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
817 * and return a pointer to SP.
818 * `flag' means that packet is to be forwarded whether or not.
819 * flag = 1: forwad
820 * OUT: positive: a pointer to the entry for security policy leaf matched.
821 * NULL: no apropreate SP found, the following value is set to error.
822 * 0 : bypass
823 * EACCES : discard packet.
824 * ENOENT : ipsec_acquire() in progress, maybe.
825 * others : error occurred.
826 */
827 #ifndef IP_FORWARDING
828 #define IP_FORWARDING 1
829 #endif
830
831 struct secpolicy *
832 ipsec6_getpolicybyaddr(struct mbuf *m,
833 u_int dir,
834 int flag,
835 int *error)
836 {
837 struct secpolicy *sp = NULL;
838
839 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
840
841 /* sanity check */
842 if (m == NULL || error == NULL) {
843 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n");
844 }
845
846 {
847 struct secpolicyindex spidx;
848
849 bzero(&spidx, sizeof(spidx));
850
851 /* make a index to look for a policy */
852 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
853 (flag & IP_FORWARDING) ? 0 : 1);
854
855 if (*error != 0) {
856 return NULL;
857 }
858
859 sp = key_allocsp(&spidx, dir);
860 }
861
862 /* SP found */
863 if (sp != NULL) {
864 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
865 printf("DP ipsec6_getpolicybyaddr called "
866 "to allocate SP:0x%llx\n",
867 (uint64_t)VM_KERNEL_ADDRPERM(sp)));
868 *error = 0;
869 return sp;
870 }
871
872 /* no SP found */
873 lck_mtx_lock(sadb_mutex);
874 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
875 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
876 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
877 ip6_def_policy.policy, IPSEC_POLICY_NONE));
878 ip6_def_policy.policy = IPSEC_POLICY_NONE;
879 }
880 ip6_def_policy.refcnt++;
881 lck_mtx_unlock(sadb_mutex);
882 *error = 0;
883 return &ip6_def_policy;
884 }
885
886 /* Match with bound interface rather than src addr.
887 * Unlike getpolicybyaddr, do not set the default policy.
888 * Return 0 if should continue processing, or -1 if packet
889 * should be dropped.
890 */
891 int
892 ipsec6_getpolicybyinterface(struct mbuf *m,
893 u_int dir,
894 int flag,
895 struct ip6_out_args *ip6oap,
896 int *noipsec,
897 struct secpolicy **sp)
898 {
899 struct secpolicyindex spidx;
900 int error = 0;
901
902 if (ipsec_bypass != 0) {
903 return 0;
904 }
905
906 /* Sanity check */
907 if (m == NULL || sp == NULL || noipsec == NULL || ip6oap == NULL) {
908 panic("ipsec6_getpolicybyinterface: NULL pointer was passed.\n");
909 }
910
911 *noipsec = 0;
912
913 if (ip6oap->ip6oa_boundif == IFSCOPE_NONE) {
914 return 0;
915 }
916
917 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0, 0, 0, 0, 0);
918 bzero(&spidx, sizeof(spidx));
919
920 /* make a index to look for a policy */
921 error = ipsec_setspidx_interface(&spidx, dir, m, (flag & IP_FORWARDING) ? 0 : 1,
922 ip6oap->ip6oa_boundif, 6);
923
924 if (error != 0) {
925 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1, error, 0, 0, 0);
926 return 0;
927 }
928
929 *sp = key_allocsp(&spidx, dir);
930
931 /* Return SP, whether NULL or not */
932 if (*sp != NULL && (*sp)->policy == IPSEC_POLICY_IPSEC) {
933 if ((*sp)->ipsec_if == NULL) {
934 /* Invalid to capture on an interface without redirect */
935 key_freesp(*sp, KEY_SADB_UNLOCKED);
936 *sp = NULL;
937 return -1;
938 } else if ((*sp)->disabled) {
939 /* Disabled policies go in the clear */
940 key_freesp(*sp, KEY_SADB_UNLOCKED);
941 *sp = NULL;
942 *noipsec = 1; /* Avoid later IPSec check */
943 } else {
944 /* If policy is enabled, redirect to ipsec interface */
945 ip6oap->ip6oa_boundif = (*sp)->ipsec_if->if_index;
946 }
947 }
948
949 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2, *error, 0, 0, 0);
950
951 return 0;
952 }
953 #endif /* INET6 */
954
955 /*
956 * set IP address into spidx from mbuf.
957 * When Forwarding packet and ICMP echo reply, this function is used.
958 *
959 * IN: get the followings from mbuf.
960 * protocol family, src, dst, next protocol
961 * OUT:
962 * 0: success.
963 * other: failure, and set errno.
964 */
965 static int
966 ipsec_setspidx_mbuf(
967 struct secpolicyindex *spidx,
968 u_int dir,
969 __unused u_int family,
970 struct mbuf *m,
971 int needport)
972 {
973 int error;
974
975 /* sanity check */
976 if (spidx == NULL || m == NULL) {
977 panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n");
978 }
979
980 bzero(spidx, sizeof(*spidx));
981
982 error = ipsec_setspidx(m, spidx, needport, 0);
983 if (error) {
984 goto bad;
985 }
986 spidx->dir = dir;
987
988 return 0;
989
990 bad:
991 /* XXX initialize */
992 bzero(spidx, sizeof(*spidx));
993 return EINVAL;
994 }
995
996 static int
997 ipsec_setspidx_interface(
998 struct secpolicyindex *spidx,
999 u_int dir,
1000 struct mbuf *m,
1001 int needport,
1002 int ifindex,
1003 int ip_version)
1004 {
1005 int error;
1006
1007 /* sanity check */
1008 if (spidx == NULL || m == NULL) {
1009 panic("ipsec_setspidx_interface: NULL pointer was passed.\n");
1010 }
1011
1012 bzero(spidx, sizeof(*spidx));
1013
1014 error = ipsec_setspidx(m, spidx, needport, ip_version);
1015 if (error) {
1016 goto bad;
1017 }
1018 spidx->dir = dir;
1019
1020 if (ifindex != 0) {
1021 ifnet_head_lock_shared();
1022 spidx->internal_if = ifindex2ifnet[ifindex];
1023 ifnet_head_done();
1024 } else {
1025 spidx->internal_if = NULL;
1026 }
1027
1028 return 0;
1029
1030 bad:
1031 return EINVAL;
1032 }
1033
1034 static int
1035 ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb)
1036 {
1037 struct secpolicyindex *spidx;
1038 int error;
1039
1040 if (ipsec_bypass != 0) {
1041 return 0;
1042 }
1043
1044 /* sanity check */
1045 if (pcb == NULL) {
1046 panic("ipsec4_setspidx_inpcb: no PCB found.\n");
1047 }
1048 if (pcb->inp_sp == NULL) {
1049 panic("ipsec4_setspidx_inpcb: no inp_sp found.\n");
1050 }
1051 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL) {
1052 panic("ipsec4_setspidx_inpcb: no sp_in/out found.\n");
1053 }
1054
1055 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
1056 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
1057
1058 spidx = &pcb->inp_sp->sp_in->spidx;
1059 error = ipsec_setspidx(m, spidx, 1, 0);
1060 if (error) {
1061 goto bad;
1062 }
1063 spidx->dir = IPSEC_DIR_INBOUND;
1064
1065 spidx = &pcb->inp_sp->sp_out->spidx;
1066 error = ipsec_setspidx(m, spidx, 1, 0);
1067 if (error) {
1068 goto bad;
1069 }
1070 spidx->dir = IPSEC_DIR_OUTBOUND;
1071
1072 return 0;
1073
1074 bad:
1075 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
1076 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
1077 return error;
1078 }
1079
1080 #if INET6
1081 static int
1082 ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb)
1083 {
1084 struct secpolicyindex *spidx;
1085 int error;
1086
1087 /* sanity check */
1088 if (pcb == NULL) {
1089 panic("ipsec6_setspidx_in6pcb: no PCB found.\n");
1090 }
1091 if (pcb->in6p_sp == NULL) {
1092 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.\n");
1093 }
1094 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL) {
1095 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.\n");
1096 }
1097
1098 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
1099 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
1100
1101 spidx = &pcb->in6p_sp->sp_in->spidx;
1102 error = ipsec_setspidx(m, spidx, 1, 0);
1103 if (error) {
1104 goto bad;
1105 }
1106 spidx->dir = IPSEC_DIR_INBOUND;
1107
1108 spidx = &pcb->in6p_sp->sp_out->spidx;
1109 error = ipsec_setspidx(m, spidx, 1, 0);
1110 if (error) {
1111 goto bad;
1112 }
1113 spidx->dir = IPSEC_DIR_OUTBOUND;
1114
1115 return 0;
1116
1117 bad:
1118 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
1119 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
1120 return error;
1121 }
1122 #endif
1123
1124 /*
1125 * configure security policy index (src/dst/proto/sport/dport)
1126 * by looking at the content of mbuf.
1127 * the caller is responsible for error recovery (like clearing up spidx).
1128 */
1129 static int
1130 ipsec_setspidx(struct mbuf *m,
1131 struct secpolicyindex *spidx,
1132 int needport,
1133 int force_ip_version)
1134 {
1135 struct ip *ip = NULL;
1136 struct ip ipbuf;
1137 u_int v;
1138 struct mbuf *n;
1139 int len;
1140 int error;
1141
1142 if (m == NULL) {
1143 panic("ipsec_setspidx: m == 0 passed.\n");
1144 }
1145
1146 /*
1147 * validate m->m_pkthdr.len. we see incorrect length if we
1148 * mistakenly call this function with inconsistent mbuf chain
1149 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
1150 */
1151 len = 0;
1152 for (n = m; n; n = n->m_next) {
1153 len += n->m_len;
1154 }
1155 if (m->m_pkthdr.len != len) {
1156 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1157 printf("ipsec_setspidx: "
1158 "total of m_len(%d) != pkthdr.len(%d), "
1159 "ignored.\n",
1160 len, m->m_pkthdr.len));
1161 return EINVAL;
1162 }
1163
1164 if (m->m_pkthdr.len < sizeof(struct ip)) {
1165 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1166 printf("ipsec_setspidx: "
1167 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
1168 m->m_pkthdr.len));
1169 return EINVAL;
1170 }
1171
1172 if (m->m_len >= sizeof(*ip)) {
1173 ip = mtod(m, struct ip *);
1174 } else {
1175 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1176 ip = &ipbuf;
1177 }
1178
1179 if (force_ip_version) {
1180 v = force_ip_version;
1181 } else {
1182 #ifdef _IP_VHL
1183 v = _IP_VHL_V(ip->ip_vhl);
1184 #else
1185 v = ip->ip_v;
1186 #endif
1187 }
1188 switch (v) {
1189 case 4:
1190 error = ipsec4_setspidx_ipaddr(m, spidx);
1191 if (error) {
1192 return error;
1193 }
1194 ipsec4_get_ulp(m, spidx, needport);
1195 return 0;
1196 #if INET6
1197 case 6:
1198 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
1199 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1200 printf("ipsec_setspidx: "
1201 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
1202 "ignored.\n", m->m_pkthdr.len));
1203 return EINVAL;
1204 }
1205 error = ipsec6_setspidx_ipaddr(m, spidx);
1206 if (error) {
1207 return error;
1208 }
1209 ipsec6_get_ulp(m, spidx, needport);
1210 return 0;
1211 #endif
1212 default:
1213 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1214 printf("ipsec_setspidx: "
1215 "unknown IP version %u, ignored.\n", v));
1216 return EINVAL;
1217 }
1218 }
1219
1220 static void
1221 ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
1222 {
1223 struct ip ip;
1224 struct ip6_ext ip6e;
1225 u_int8_t nxt;
1226 int off;
1227 struct tcphdr th;
1228 struct udphdr uh;
1229
1230 /* sanity check */
1231 if (m == NULL) {
1232 panic("ipsec4_get_ulp: NULL pointer was passed.\n");
1233 }
1234 if (m->m_pkthdr.len < sizeof(ip)) {
1235 panic("ipsec4_get_ulp: too short\n");
1236 }
1237
1238 /* set default */
1239 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1240 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
1241 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
1242
1243 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
1244 /* ip_input() flips it into host endian XXX need more checking */
1245 if (ip.ip_off & (IP_MF | IP_OFFMASK)) {
1246 return;
1247 }
1248
1249 nxt = ip.ip_p;
1250 #ifdef _IP_VHL
1251 off = _IP_VHL_HL(ip->ip_vhl) << 2;
1252 #else
1253 off = ip.ip_hl << 2;
1254 #endif
1255 while (off < m->m_pkthdr.len) {
1256 switch (nxt) {
1257 case IPPROTO_TCP:
1258 spidx->ul_proto = nxt;
1259 if (!needport) {
1260 return;
1261 }
1262 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) {
1263 return;
1264 }
1265 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1266 ((struct sockaddr_in *)&spidx->src)->sin_port =
1267 th.th_sport;
1268 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1269 th.th_dport;
1270 return;
1271 case IPPROTO_UDP:
1272 spidx->ul_proto = nxt;
1273 if (!needport) {
1274 return;
1275 }
1276 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) {
1277 return;
1278 }
1279 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1280 ((struct sockaddr_in *)&spidx->src)->sin_port =
1281 uh.uh_sport;
1282 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1283 uh.uh_dport;
1284 return;
1285 case IPPROTO_AH:
1286 if (off + sizeof(ip6e) > m->m_pkthdr.len) {
1287 return;
1288 }
1289 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1290 off += (ip6e.ip6e_len + 2) << 2;
1291 nxt = ip6e.ip6e_nxt;
1292 break;
1293 case IPPROTO_ICMP:
1294 default:
1295 /* XXX intermediate headers??? */
1296 spidx->ul_proto = nxt;
1297 return;
1298 }
1299 }
1300 }
1301
1302 /* assumes that m is sane */
1303 static int
1304 ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
1305 {
1306 struct ip *ip = NULL;
1307 struct ip ipbuf;
1308 struct sockaddr_in *sin;
1309
1310 if (m->m_len >= sizeof(*ip)) {
1311 ip = mtod(m, struct ip *);
1312 } else {
1313 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1314 ip = &ipbuf;
1315 }
1316
1317 sin = (struct sockaddr_in *)&spidx->src;
1318 bzero(sin, sizeof(*sin));
1319 sin->sin_family = AF_INET;
1320 sin->sin_len = sizeof(struct sockaddr_in);
1321 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1322 spidx->prefs = sizeof(struct in_addr) << 3;
1323
1324 sin = (struct sockaddr_in *)&spidx->dst;
1325 bzero(sin, sizeof(*sin));
1326 sin->sin_family = AF_INET;
1327 sin->sin_len = sizeof(struct sockaddr_in);
1328 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1329 spidx->prefd = sizeof(struct in_addr) << 3;
1330
1331 return 0;
1332 }
1333
1334 #if INET6
1335 static void
1336 ipsec6_get_ulp(struct mbuf *m,
1337 struct secpolicyindex *spidx,
1338 int needport)
1339 {
1340 int off, nxt;
1341 struct tcphdr th;
1342 struct udphdr uh;
1343
1344 /* sanity check */
1345 if (m == NULL) {
1346 panic("ipsec6_get_ulp: NULL pointer was passed.\n");
1347 }
1348
1349 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1350 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1351
1352 /* set default */
1353 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1354 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1355 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1356
1357 nxt = -1;
1358 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1359 if (off < 0 || m->m_pkthdr.len < off) {
1360 return;
1361 }
1362
1363 switch (nxt) {
1364 case IPPROTO_TCP:
1365 spidx->ul_proto = nxt;
1366 if (!needport) {
1367 break;
1368 }
1369 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) {
1370 break;
1371 }
1372 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1373 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1374 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1375 break;
1376 case IPPROTO_UDP:
1377 spidx->ul_proto = nxt;
1378 if (!needport) {
1379 break;
1380 }
1381 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) {
1382 break;
1383 }
1384 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1385 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1386 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1387 break;
1388 case IPPROTO_ICMPV6:
1389 default:
1390 /* XXX intermediate headers??? */
1391 spidx->ul_proto = nxt;
1392 break;
1393 }
1394 }
1395
1396 /* assumes that m is sane */
1397 static int
1398 ipsec6_setspidx_ipaddr(struct mbuf *m,
1399 struct secpolicyindex *spidx)
1400 {
1401 struct ip6_hdr *ip6 = NULL;
1402 struct ip6_hdr ip6buf;
1403 struct sockaddr_in6 *sin6;
1404
1405 if (m->m_len >= sizeof(*ip6)) {
1406 ip6 = mtod(m, struct ip6_hdr *);
1407 } else {
1408 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1409 ip6 = &ip6buf;
1410 }
1411
1412 sin6 = (struct sockaddr_in6 *)&spidx->src;
1413 bzero(sin6, sizeof(*sin6));
1414 sin6->sin6_family = AF_INET6;
1415 sin6->sin6_len = sizeof(struct sockaddr_in6);
1416 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
1417 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1418 sin6->sin6_addr.s6_addr16[1] = 0;
1419 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1420 }
1421 spidx->prefs = sizeof(struct in6_addr) << 3;
1422
1423 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1424 bzero(sin6, sizeof(*sin6));
1425 sin6->sin6_family = AF_INET6;
1426 sin6->sin6_len = sizeof(struct sockaddr_in6);
1427 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
1428 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1429 sin6->sin6_addr.s6_addr16[1] = 0;
1430 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1431 }
1432 spidx->prefd = sizeof(struct in6_addr) << 3;
1433
1434 return 0;
1435 }
1436 #endif
1437
1438 static struct inpcbpolicy *
1439 ipsec_newpcbpolicy(void)
1440 {
1441 struct inpcbpolicy *p;
1442
1443 p = (struct inpcbpolicy *)_MALLOC(sizeof(*p), M_SECA, M_WAITOK);
1444 return p;
1445 }
1446
1447 static void
1448 ipsec_delpcbpolicy(struct inpcbpolicy *p)
1449 {
1450 FREE(p, M_SECA);
1451 }
1452
1453 /* initialize policy in PCB */
1454 int
1455 ipsec_init_policy(struct socket *so,
1456 struct inpcbpolicy **pcb_sp)
1457 {
1458 struct inpcbpolicy *new;
1459
1460 /* sanity check. */
1461 if (so == NULL || pcb_sp == NULL) {
1462 panic("ipsec_init_policy: NULL pointer was passed.\n");
1463 }
1464
1465 new = ipsec_newpcbpolicy();
1466 if (new == NULL) {
1467 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1468 return ENOBUFS;
1469 }
1470 bzero(new, sizeof(*new));
1471
1472 #ifdef __APPLE__
1473 if (kauth_cred_issuser(so->so_cred))
1474 #else
1475 if (so->so_cred != 0 && !suser(so->so_cred->pc_ucred, NULL))
1476 #endif
1477 { new->priv = 1;} else {
1478 new->priv = 0;
1479 }
1480
1481 if ((new->sp_in = key_newsp()) == NULL) {
1482 ipsec_delpcbpolicy(new);
1483 return ENOBUFS;
1484 }
1485 new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1486 new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1487
1488 if ((new->sp_out = key_newsp()) == NULL) {
1489 key_freesp(new->sp_in, KEY_SADB_UNLOCKED);
1490 ipsec_delpcbpolicy(new);
1491 return ENOBUFS;
1492 }
1493 new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1494 new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1495
1496 *pcb_sp = new;
1497
1498 return 0;
1499 }
1500
1501 /* copy old ipsec policy into new */
1502 int
1503 ipsec_copy_policy(struct inpcbpolicy *old,
1504 struct inpcbpolicy *new)
1505 {
1506 struct secpolicy *sp;
1507
1508 if (ipsec_bypass != 0) {
1509 return 0;
1510 }
1511
1512 sp = ipsec_deepcopy_policy(old->sp_in);
1513 if (sp) {
1514 key_freesp(new->sp_in, KEY_SADB_UNLOCKED);
1515 new->sp_in = sp;
1516 } else {
1517 return ENOBUFS;
1518 }
1519
1520 sp = ipsec_deepcopy_policy(old->sp_out);
1521 if (sp) {
1522 key_freesp(new->sp_out, KEY_SADB_UNLOCKED);
1523 new->sp_out = sp;
1524 } else {
1525 return ENOBUFS;
1526 }
1527
1528 new->priv = old->priv;
1529
1530 return 0;
1531 }
1532
1533 /* deep-copy a policy in PCB */
1534 static struct secpolicy *
1535 ipsec_deepcopy_policy(struct secpolicy *src)
1536 {
1537 struct ipsecrequest *newchain = NULL;
1538 struct ipsecrequest *p;
1539 struct ipsecrequest **q;
1540 struct ipsecrequest *r;
1541 struct secpolicy *dst;
1542
1543 if (src == NULL) {
1544 return NULL;
1545 }
1546 dst = key_newsp();
1547 if (dst == NULL) {
1548 return NULL;
1549 }
1550
1551 /*
1552 * deep-copy IPsec request chain. This is required since struct
1553 * ipsecrequest is not reference counted.
1554 */
1555 q = &newchain;
1556 for (p = src->req; p; p = p->next) {
1557 *q = (struct ipsecrequest *)_MALLOC(sizeof(struct ipsecrequest),
1558 M_SECA, M_WAITOK | M_ZERO);
1559 if (*q == NULL) {
1560 goto fail;
1561 }
1562 (*q)->next = NULL;
1563
1564 (*q)->saidx.proto = p->saidx.proto;
1565 (*q)->saidx.mode = p->saidx.mode;
1566 (*q)->level = p->level;
1567 (*q)->saidx.reqid = p->saidx.reqid;
1568
1569 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1570 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1571
1572 (*q)->sp = dst;
1573
1574 q = &((*q)->next);
1575 }
1576
1577 dst->req = newchain;
1578 dst->state = src->state;
1579 dst->policy = src->policy;
1580 /* do not touch the refcnt fields */
1581
1582 return dst;
1583
1584 fail:
1585 for (p = newchain; p; p = r) {
1586 r = p->next;
1587 FREE(p, M_SECA);
1588 p = NULL;
1589 }
1590 key_freesp(dst, KEY_SADB_UNLOCKED);
1591 return NULL;
1592 }
1593
1594 /* set policy and ipsec request if present. */
1595 static int
1596 ipsec_set_policy(struct secpolicy **pcb_sp,
1597 __unused int optname,
1598 caddr_t request,
1599 size_t len,
1600 int priv)
1601 {
1602 struct sadb_x_policy *xpl;
1603 struct secpolicy *newsp = NULL;
1604 int error;
1605
1606 /* sanity check. */
1607 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL) {
1608 return EINVAL;
1609 }
1610 if (len < sizeof(*xpl)) {
1611 return EINVAL;
1612 }
1613 xpl = (struct sadb_x_policy *)(void *)request;
1614
1615 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1616 printf("ipsec_set_policy: passed policy\n");
1617 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1618
1619 /* check policy type */
1620 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1621 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1622 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) {
1623 return EINVAL;
1624 }
1625
1626 /* check privileged socket */
1627 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) {
1628 return EACCES;
1629 }
1630
1631 /* allocation new SP entry */
1632 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) {
1633 return error;
1634 }
1635
1636 newsp->state = IPSEC_SPSTATE_ALIVE;
1637
1638 /* clear old SP and set new SP */
1639 key_freesp(*pcb_sp, KEY_SADB_UNLOCKED);
1640 *pcb_sp = newsp;
1641 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1642 printf("ipsec_set_policy: new policy\n");
1643 kdebug_secpolicy(newsp));
1644
1645 return 0;
1646 }
1647
1648 int
1649 ipsec4_set_policy(struct inpcb *inp,
1650 int optname,
1651 caddr_t request,
1652 size_t len,
1653 int priv)
1654 {
1655 struct sadb_x_policy *xpl;
1656 struct secpolicy **pcb_sp;
1657 int error = 0;
1658 struct sadb_x_policy xpl_aligned_buf;
1659 u_int8_t *xpl_unaligned;
1660
1661 /* sanity check. */
1662 if (inp == NULL || request == NULL) {
1663 return EINVAL;
1664 }
1665 if (len < sizeof(*xpl)) {
1666 return EINVAL;
1667 }
1668 xpl = (struct sadb_x_policy *)(void *)request;
1669
1670 /* This is a new mbuf allocated by soopt_getm() */
1671 if (IPSEC_IS_P2ALIGNED(xpl)) {
1672 xpl_unaligned = NULL;
1673 } else {
1674 xpl_unaligned = (__typeof__(xpl_unaligned))xpl;
1675 memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf));
1676 xpl = (__typeof__(xpl)) & xpl_aligned_buf;
1677 }
1678
1679 if (inp->inp_sp == NULL) {
1680 error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp);
1681 if (error) {
1682 return error;
1683 }
1684 }
1685
1686 /* select direction */
1687 switch (xpl->sadb_x_policy_dir) {
1688 case IPSEC_DIR_INBOUND:
1689 pcb_sp = &inp->inp_sp->sp_in;
1690 break;
1691 case IPSEC_DIR_OUTBOUND:
1692 pcb_sp = &inp->inp_sp->sp_out;
1693 break;
1694 default:
1695 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1696 xpl->sadb_x_policy_dir));
1697 return EINVAL;
1698 }
1699
1700 /* turn bypass off */
1701 if (ipsec_bypass != 0) {
1702 ipsec_bypass = 0;
1703 }
1704
1705 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1706 }
1707
1708 /* delete policy in PCB */
1709 int
1710 ipsec4_delete_pcbpolicy(struct inpcb *inp)
1711 {
1712 /* sanity check. */
1713 if (inp == NULL) {
1714 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n");
1715 }
1716
1717 if (inp->inp_sp == NULL) {
1718 return 0;
1719 }
1720
1721 if (inp->inp_sp->sp_in != NULL) {
1722 key_freesp(inp->inp_sp->sp_in, KEY_SADB_UNLOCKED);
1723 inp->inp_sp->sp_in = NULL;
1724 }
1725
1726 if (inp->inp_sp->sp_out != NULL) {
1727 key_freesp(inp->inp_sp->sp_out, KEY_SADB_UNLOCKED);
1728 inp->inp_sp->sp_out = NULL;
1729 }
1730
1731 ipsec_delpcbpolicy(inp->inp_sp);
1732 inp->inp_sp = NULL;
1733
1734 return 0;
1735 }
1736
1737 #if INET6
1738 int
1739 ipsec6_set_policy(struct in6pcb *in6p,
1740 int optname,
1741 caddr_t request,
1742 size_t len,
1743 int priv)
1744 {
1745 struct sadb_x_policy *xpl;
1746 struct secpolicy **pcb_sp;
1747 int error = 0;
1748 struct sadb_x_policy xpl_aligned_buf;
1749 u_int8_t *xpl_unaligned;
1750
1751 /* sanity check. */
1752 if (in6p == NULL || request == NULL) {
1753 return EINVAL;
1754 }
1755 if (len < sizeof(*xpl)) {
1756 return EINVAL;
1757 }
1758 xpl = (struct sadb_x_policy *)(void *)request;
1759
1760 /* This is a new mbuf allocated by soopt_getm() */
1761 if (IPSEC_IS_P2ALIGNED(xpl)) {
1762 xpl_unaligned = NULL;
1763 } else {
1764 xpl_unaligned = (__typeof__(xpl_unaligned))xpl;
1765 memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf));
1766 xpl = (__typeof__(xpl)) & xpl_aligned_buf;
1767 }
1768
1769 if (in6p->in6p_sp == NULL) {
1770 error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp);
1771 if (error) {
1772 return error;
1773 }
1774 }
1775
1776 /* select direction */
1777 switch (xpl->sadb_x_policy_dir) {
1778 case IPSEC_DIR_INBOUND:
1779 pcb_sp = &in6p->in6p_sp->sp_in;
1780 break;
1781 case IPSEC_DIR_OUTBOUND:
1782 pcb_sp = &in6p->in6p_sp->sp_out;
1783 break;
1784 default:
1785 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1786 xpl->sadb_x_policy_dir));
1787 return EINVAL;
1788 }
1789
1790 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1791 }
1792
1793 int
1794 ipsec6_delete_pcbpolicy(struct in6pcb *in6p)
1795 {
1796 /* sanity check. */
1797 if (in6p == NULL) {
1798 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n");
1799 }
1800
1801 if (in6p->in6p_sp == NULL) {
1802 return 0;
1803 }
1804
1805 if (in6p->in6p_sp->sp_in != NULL) {
1806 key_freesp(in6p->in6p_sp->sp_in, KEY_SADB_UNLOCKED);
1807 in6p->in6p_sp->sp_in = NULL;
1808 }
1809
1810 if (in6p->in6p_sp->sp_out != NULL) {
1811 key_freesp(in6p->in6p_sp->sp_out, KEY_SADB_UNLOCKED);
1812 in6p->in6p_sp->sp_out = NULL;
1813 }
1814
1815 ipsec_delpcbpolicy(in6p->in6p_sp);
1816 in6p->in6p_sp = NULL;
1817
1818 return 0;
1819 }
1820 #endif
1821
1822 /*
1823 * return current level.
1824 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1825 */
1826 u_int
1827 ipsec_get_reqlevel(struct ipsecrequest *isr)
1828 {
1829 u_int level = 0;
1830 u_int esp_trans_deflev = 0, esp_net_deflev = 0, ah_trans_deflev = 0, ah_net_deflev = 0;
1831
1832 /* sanity check */
1833 if (isr == NULL || isr->sp == NULL) {
1834 panic("ipsec_get_reqlevel: NULL pointer is passed.\n");
1835 }
1836 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1837 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family) {
1838 panic("ipsec_get_reqlevel: family mismatched.\n");
1839 }
1840
1841 /* XXX note that we have ipseclog() expanded here - code sync issue */
1842 #define IPSEC_CHECK_DEFAULT(lev) \
1843 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1844 && (lev) != IPSEC_LEVEL_UNIQUE) \
1845 ? (ipsec_debug \
1846 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1847 (lev), IPSEC_LEVEL_REQUIRE) \
1848 : (void)0), \
1849 (lev) = IPSEC_LEVEL_REQUIRE, \
1850 (lev) \
1851 : (lev))
1852
1853 /* set default level */
1854 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1855 #if INET
1856 case AF_INET:
1857 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1858 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1859 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1860 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1861 break;
1862 #endif
1863 #if INET6
1864 case AF_INET6:
1865 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1866 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1867 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1868 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1869 break;
1870 #endif /* INET6 */
1871 default:
1872 panic("key_get_reqlevel: Unknown family. %d\n",
1873 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1874 }
1875
1876 #undef IPSEC_CHECK_DEFAULT
1877
1878 /* set level */
1879 switch (isr->level) {
1880 case IPSEC_LEVEL_DEFAULT:
1881 switch (isr->saidx.proto) {
1882 case IPPROTO_ESP:
1883 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1884 level = esp_net_deflev;
1885 } else {
1886 level = esp_trans_deflev;
1887 }
1888 break;
1889 case IPPROTO_AH:
1890 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1891 level = ah_net_deflev;
1892 } else {
1893 level = ah_trans_deflev;
1894 }
1895 break;
1896 case IPPROTO_IPCOMP:
1897 /*
1898 * we don't really care, as IPcomp document says that
1899 * we shouldn't compress small packets
1900 */
1901 level = IPSEC_LEVEL_USE;
1902 break;
1903 default:
1904 panic("ipsec_get_reqlevel: "
1905 "Illegal protocol defined %u\n",
1906 isr->saidx.proto);
1907 }
1908 break;
1909
1910 case IPSEC_LEVEL_USE:
1911 case IPSEC_LEVEL_REQUIRE:
1912 level = isr->level;
1913 break;
1914 case IPSEC_LEVEL_UNIQUE:
1915 level = IPSEC_LEVEL_REQUIRE;
1916 break;
1917
1918 default:
1919 panic("ipsec_get_reqlevel: Illegal IPsec level %u\n",
1920 isr->level);
1921 }
1922
1923 return level;
1924 }
1925
1926 /*
1927 * Check AH/ESP integrity.
1928 * OUT:
1929 * 0: valid
1930 * 1: invalid
1931 */
1932 static int
1933 ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
1934 {
1935 struct ipsecrequest *isr;
1936 u_int level;
1937 int need_auth, need_conf, need_icv;
1938
1939 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1940 printf("ipsec_in_reject: using SP\n");
1941 kdebug_secpolicy(sp));
1942
1943 /* check policy */
1944 switch (sp->policy) {
1945 case IPSEC_POLICY_DISCARD:
1946 case IPSEC_POLICY_GENERATE:
1947 return 1;
1948 case IPSEC_POLICY_BYPASS:
1949 case IPSEC_POLICY_NONE:
1950 return 0;
1951
1952 case IPSEC_POLICY_IPSEC:
1953 break;
1954
1955 case IPSEC_POLICY_ENTRUST:
1956 default:
1957 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
1958 }
1959
1960 need_auth = 0;
1961 need_conf = 0;
1962 need_icv = 0;
1963
1964 /* XXX should compare policy against ipsec header history */
1965
1966 for (isr = sp->req; isr != NULL; isr = isr->next) {
1967 /* get current level */
1968 level = ipsec_get_reqlevel(isr);
1969
1970 switch (isr->saidx.proto) {
1971 case IPPROTO_ESP:
1972 if (level == IPSEC_LEVEL_REQUIRE) {
1973 need_conf++;
1974
1975 #if 0
1976 /* this won't work with multiple input threads - isr->sav would change
1977 * with every packet and is not necessarily related to the current packet
1978 * being processed. If ESP processing is required - the esp code should
1979 * make sure that the integrity check is present and correct. I don't see
1980 * why it would be necessary to check for the presence of the integrity
1981 * check value here. I think this is just wrong.
1982 * isr->sav has been removed.
1983 * %%%%%% this needs to be re-worked at some point but I think the code below can
1984 * be ignored for now.
1985 */
1986 if (isr->sav != NULL
1987 && isr->sav->flags == SADB_X_EXT_NONE
1988 && isr->sav->alg_auth != SADB_AALG_NONE) {
1989 need_icv++;
1990 }
1991 #endif
1992 }
1993 break;
1994 case IPPROTO_AH:
1995 if (level == IPSEC_LEVEL_REQUIRE) {
1996 need_auth++;
1997 need_icv++;
1998 }
1999 break;
2000 case IPPROTO_IPCOMP:
2001 /*
2002 * we don't really care, as IPcomp document says that
2003 * we shouldn't compress small packets, IPComp policy
2004 * should always be treated as being in "use" level.
2005 */
2006 break;
2007 }
2008 }
2009
2010 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
2011 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
2012 need_auth, need_conf, need_icv, m->m_flags));
2013
2014 if ((need_conf && !(m->m_flags & M_DECRYPTED))
2015 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
2016 || (need_auth && !(m->m_flags & M_AUTHIPHDR))) {
2017 return 1;
2018 }
2019
2020 return 0;
2021 }
2022
2023 /*
2024 * Check AH/ESP integrity.
2025 * This function is called from tcp_input(), udp_input(),
2026 * and {ah,esp}4_input for tunnel mode
2027 */
2028 int
2029 ipsec4_in_reject_so(struct mbuf *m, struct socket *so)
2030 {
2031 struct secpolicy *sp = NULL;
2032 int error;
2033 int result;
2034
2035 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2036 /* sanity check */
2037 if (m == NULL) {
2038 return 0; /* XXX should be panic ? */
2039 }
2040 /* get SP for this packet.
2041 * When we are called from ip_forward(), we call
2042 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
2043 */
2044 if (so == NULL) {
2045 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
2046 } else {
2047 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 0, &error);
2048 }
2049
2050 if (sp == NULL) {
2051 return 0; /* XXX should be panic ?
2052 * -> No, there may be error. */
2053 }
2054 result = ipsec_in_reject(sp, m);
2055 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2056 printf("DP ipsec4_in_reject_so call free SP:0x%llx\n",
2057 (uint64_t)VM_KERNEL_ADDRPERM(sp)));
2058 key_freesp(sp, KEY_SADB_UNLOCKED);
2059
2060 return result;
2061 }
2062
2063 int
2064 ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
2065 {
2066 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2067 if (inp == NULL) {
2068 return ipsec4_in_reject_so(m, NULL);
2069 }
2070 if (inp->inp_socket) {
2071 return ipsec4_in_reject_so(m, inp->inp_socket);
2072 } else {
2073 panic("ipsec4_in_reject: invalid inpcb/socket");
2074 }
2075
2076 /* NOTREACHED */
2077 return 0;
2078 }
2079
2080 #if INET6
2081 /*
2082 * Check AH/ESP integrity.
2083 * This function is called from tcp6_input(), udp6_input(),
2084 * and {ah,esp}6_input for tunnel mode
2085 */
2086 int
2087 ipsec6_in_reject_so(struct mbuf *m, struct socket *so)
2088 {
2089 struct secpolicy *sp = NULL;
2090 int error;
2091 int result;
2092
2093 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2094 /* sanity check */
2095 if (m == NULL) {
2096 return 0; /* XXX should be panic ? */
2097 }
2098 /* get SP for this packet.
2099 * When we are called from ip_forward(), we call
2100 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
2101 */
2102 if (so == NULL) {
2103 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
2104 } else {
2105 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 0, &error);
2106 }
2107
2108 if (sp == NULL) {
2109 return 0; /* XXX should be panic ? */
2110 }
2111 result = ipsec_in_reject(sp, m);
2112 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2113 printf("DP ipsec6_in_reject_so call free SP:0x%llx\n",
2114 (uint64_t)VM_KERNEL_ADDRPERM(sp)));
2115 key_freesp(sp, KEY_SADB_UNLOCKED);
2116
2117 return result;
2118 }
2119
2120 int
2121 ipsec6_in_reject(struct mbuf *m, struct in6pcb *in6p)
2122 {
2123 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2124 if (in6p == NULL) {
2125 return ipsec6_in_reject_so(m, NULL);
2126 }
2127 if (in6p->in6p_socket) {
2128 return ipsec6_in_reject_so(m, in6p->in6p_socket);
2129 } else {
2130 panic("ipsec6_in_reject: invalid in6p/socket");
2131 }
2132
2133 /* NOTREACHED */
2134 return 0;
2135 }
2136 #endif
2137
2138 /*
2139 * compute the byte size to be occupied by IPsec header.
2140 * in case it is tunneled, it includes the size of outer IP header.
2141 * NOTE: SP passed is free in this function.
2142 */
2143 size_t
2144 ipsec_hdrsiz(struct secpolicy *sp)
2145 {
2146 struct ipsecrequest *isr;
2147 size_t siz, clen;
2148
2149 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2150 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2151 printf("ipsec_hdrsiz: using SP\n");
2152 kdebug_secpolicy(sp));
2153
2154 /* check policy */
2155 switch (sp->policy) {
2156 case IPSEC_POLICY_DISCARD:
2157 case IPSEC_POLICY_GENERATE:
2158 case IPSEC_POLICY_BYPASS:
2159 case IPSEC_POLICY_NONE:
2160 return 0;
2161
2162 case IPSEC_POLICY_IPSEC:
2163 break;
2164
2165 case IPSEC_POLICY_ENTRUST:
2166 default:
2167 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
2168 }
2169
2170 siz = 0;
2171
2172 for (isr = sp->req; isr != NULL; isr = isr->next) {
2173 clen = 0;
2174
2175 switch (isr->saidx.proto) {
2176 case IPPROTO_ESP:
2177 #if IPSEC_ESP
2178 clen = esp_hdrsiz(isr);
2179 #else
2180 clen = 0; /*XXX*/
2181 #endif
2182 break;
2183 case IPPROTO_AH:
2184 clen = ah_hdrsiz(isr);
2185 break;
2186 case IPPROTO_IPCOMP:
2187 clen = sizeof(struct ipcomp);
2188 break;
2189 }
2190
2191 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2192 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
2193 case AF_INET:
2194 clen += sizeof(struct ip);
2195 break;
2196 #if INET6
2197 case AF_INET6:
2198 clen += sizeof(struct ip6_hdr);
2199 break;
2200 #endif
2201 default:
2202 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
2203 "unknown AF %d in IPsec tunnel SA\n",
2204 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
2205 break;
2206 }
2207 }
2208 siz += clen;
2209 }
2210
2211 return siz;
2212 }
2213
2214 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
2215 size_t
2216 ipsec4_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
2217 {
2218 struct secpolicy *sp = NULL;
2219 int error;
2220 size_t size;
2221
2222 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2223 /* sanity check */
2224 if (m == NULL) {
2225 return 0; /* XXX should be panic ? */
2226 }
2227 if (inp != NULL && inp->inp_socket == NULL) {
2228 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
2229 }
2230
2231 /* get SP for this packet.
2232 * When we are called from ip_forward(), we call
2233 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
2234 */
2235 if (inp == NULL) {
2236 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2237 } else {
2238 sp = ipsec4_getpolicybyaddr(m, dir, 0, &error);
2239 }
2240
2241 if (sp == NULL) {
2242 return 0; /* XXX should be panic ? */
2243 }
2244 size = ipsec_hdrsiz(sp);
2245 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2246 printf("DP ipsec4_hdrsiz call free SP:0x%llx\n",
2247 (uint64_t)VM_KERNEL_ADDRPERM(sp)));
2248 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2249 printf("ipsec4_hdrsiz: size:%lu.\n", (u_int32_t)size));
2250 key_freesp(sp, KEY_SADB_UNLOCKED);
2251
2252 return size;
2253 }
2254
2255 #if INET6
2256 /* This function is called from ipsec6_hdrsize_tcp(),
2257 * and maybe from ip6_forward.()
2258 */
2259 size_t
2260 ipsec6_hdrsiz(struct mbuf *m, u_int dir, struct in6pcb *in6p)
2261 {
2262 struct secpolicy *sp = NULL;
2263 int error;
2264 size_t size;
2265
2266 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2267 /* sanity check */
2268 if (m == NULL) {
2269 return 0; /* XXX shoud be panic ? */
2270 }
2271 if (in6p != NULL && in6p->in6p_socket == NULL) {
2272 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2273 }
2274
2275 /* get SP for this packet */
2276 /* XXX Is it right to call with IP_FORWARDING. */
2277 if (in6p == NULL) {
2278 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2279 } else {
2280 sp = ipsec6_getpolicybyaddr(m, dir, 0, &error);
2281 }
2282
2283 if (sp == NULL) {
2284 return 0;
2285 }
2286 size = ipsec_hdrsiz(sp);
2287 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2288 printf("DP ipsec6_hdrsiz call free SP:0x%llx\n",
2289 (uint64_t)VM_KERNEL_ADDRPERM(sp)));
2290 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2291 printf("ipsec6_hdrsiz: size:%lu.\n", (u_int32_t)size));
2292 key_freesp(sp, KEY_SADB_UNLOCKED);
2293
2294 return size;
2295 }
2296 #endif /*INET6*/
2297
2298 #if INET
2299 /*
2300 * encapsulate for ipsec tunnel.
2301 * ip->ip_src must be fixed later on.
2302 */
2303 int
2304 ipsec4_encapsulate(struct mbuf *m, struct secasvar *sav)
2305 {
2306 struct ip *oip;
2307 struct ip *ip;
2308 size_t hlen;
2309 size_t plen;
2310
2311 /* can't tunnel between different AFs */
2312 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2313 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2314 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2315 m_freem(m);
2316 return EINVAL;
2317 }
2318 #if 0
2319 /* XXX if the dst is myself, perform nothing. */
2320 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2321 m_freem(m);
2322 return EINVAL;
2323 }
2324 #endif
2325
2326 if (m->m_len < sizeof(*ip)) {
2327 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2328 }
2329
2330 ip = mtod(m, struct ip *);
2331 #ifdef _IP_VHL
2332 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
2333 #else
2334 hlen = ip->ip_hl << 2;
2335 #endif
2336
2337 if (m->m_len != hlen) {
2338 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2339 }
2340
2341 /* generate header checksum */
2342 ip->ip_sum = 0;
2343 #ifdef _IP_VHL
2344 ip->ip_sum = in_cksum(m, hlen);
2345 #else
2346 ip->ip_sum = in_cksum(m, hlen);
2347 #endif
2348
2349 plen = m->m_pkthdr.len;
2350
2351 /*
2352 * grow the mbuf to accomodate the new IPv4 header.
2353 * NOTE: IPv4 options will never be copied.
2354 */
2355 if (M_LEADINGSPACE(m->m_next) < hlen) {
2356 struct mbuf *n;
2357 MGET(n, M_DONTWAIT, MT_DATA);
2358 if (!n) {
2359 m_freem(m);
2360 return ENOBUFS;
2361 }
2362 n->m_len = hlen;
2363 n->m_next = m->m_next;
2364 m->m_next = n;
2365 m->m_pkthdr.len += hlen;
2366 oip = mtod(n, struct ip *);
2367 } else {
2368 m->m_next->m_len += hlen;
2369 m->m_next->m_data -= hlen;
2370 m->m_pkthdr.len += hlen;
2371 oip = mtod(m->m_next, struct ip *);
2372 }
2373 ip = mtod(m, struct ip *);
2374 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2375 m->m_len = sizeof(struct ip);
2376 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2377
2378 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2379 /* ECN consideration. */
2380 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2381 #ifdef _IP_VHL
2382 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2383 #else
2384 ip->ip_hl = sizeof(struct ip) >> 2;
2385 #endif
2386 ip->ip_off &= htons(~IP_OFFMASK);
2387 ip->ip_off &= htons(~IP_MF);
2388 switch (ip4_ipsec_dfbit) {
2389 case 0: /* clear DF bit */
2390 ip->ip_off &= htons(~IP_DF);
2391 break;
2392 case 1: /* set DF bit */
2393 ip->ip_off |= htons(IP_DF);
2394 break;
2395 default: /* copy DF bit */
2396 break;
2397 }
2398 ip->ip_p = IPPROTO_IPIP;
2399 if (plen + sizeof(struct ip) < IP_MAXPACKET) {
2400 ip->ip_len = htons(plen + sizeof(struct ip));
2401 } else {
2402 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2403 "leave ip_len as is (invalid packet)\n"));
2404 }
2405 if (rfc6864 && IP_OFF_IS_ATOMIC(ntohs(ip->ip_off))) {
2406 ip->ip_id = 0;
2407 } else {
2408 ip->ip_id = ip_randomid();
2409 }
2410 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2411 &ip->ip_src, sizeof(ip->ip_src));
2412 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2413 &ip->ip_dst, sizeof(ip->ip_dst));
2414 ip->ip_ttl = IPDEFTTL;
2415
2416 /* XXX Should ip_src be updated later ? */
2417
2418 return 0;
2419 }
2420
2421 #endif /*INET*/
2422
2423 #if INET6
2424 int
2425 ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
2426 {
2427 struct ip6_hdr *oip6;
2428 struct ip6_hdr *ip6;
2429 size_t plen;
2430
2431 /* can't tunnel between different AFs */
2432 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2433 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2434 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2435 m_freem(m);
2436 return EINVAL;
2437 }
2438 #if 0
2439 /* XXX if the dst is myself, perform nothing. */
2440 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2441 m_freem(m);
2442 return EINVAL;
2443 }
2444 #endif
2445
2446 plen = m->m_pkthdr.len;
2447
2448 /*
2449 * grow the mbuf to accomodate the new IPv6 header.
2450 */
2451 if (m->m_len != sizeof(struct ip6_hdr)) {
2452 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2453 }
2454 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2455 struct mbuf *n;
2456 MGET(n, M_DONTWAIT, MT_DATA);
2457 if (!n) {
2458 m_freem(m);
2459 return ENOBUFS;
2460 }
2461 n->m_len = sizeof(struct ip6_hdr);
2462 n->m_next = m->m_next;
2463 m->m_next = n;
2464 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2465 oip6 = mtod(n, struct ip6_hdr *);
2466 } else {
2467 m->m_next->m_len += sizeof(struct ip6_hdr);
2468 m->m_next->m_data -= sizeof(struct ip6_hdr);
2469 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2470 oip6 = mtod(m->m_next, struct ip6_hdr *);
2471 }
2472 ip6 = mtod(m, struct ip6_hdr *);
2473 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2474
2475 /* Fake link-local scope-class addresses */
2476 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src)) {
2477 oip6->ip6_src.s6_addr16[1] = 0;
2478 }
2479 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst)) {
2480 oip6->ip6_dst.s6_addr16[1] = 0;
2481 }
2482
2483 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2484 /* ECN consideration. */
2485 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2486 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) {
2487 ip6->ip6_plen = htons(plen);
2488 } else {
2489 /* ip6->ip6_plen will be updated in ip6_output() */
2490 }
2491 ip6->ip6_nxt = IPPROTO_IPV6;
2492 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2493 &ip6->ip6_src, sizeof(ip6->ip6_src));
2494 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2495 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2496 ip6->ip6_hlim = IPV6_DEFHLIM;
2497
2498 /* XXX Should ip6_src be updated later ? */
2499
2500 return 0;
2501 }
2502
2503 static int
2504 ipsec64_encapsulate(struct mbuf *m, struct secasvar *sav)
2505 {
2506 struct ip6_hdr *ip6, *ip6i;
2507 struct ip *ip;
2508 size_t plen;
2509 u_int8_t hlim;
2510
2511 /* tunneling over IPv4 */
2512 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2513 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2514 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2515 m_freem(m);
2516 return EINVAL;
2517 }
2518 #if 0
2519 /* XXX if the dst is myself, perform nothing. */
2520 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2521 m_freem(m);
2522 return EINVAL;
2523 }
2524 #endif
2525
2526 plen = m->m_pkthdr.len;
2527 ip6 = mtod(m, struct ip6_hdr *);
2528 hlim = ip6->ip6_hlim;
2529 /*
2530 * grow the mbuf to accomodate the new IPv4 header.
2531 */
2532 if (m->m_len != sizeof(struct ip6_hdr)) {
2533 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2534 }
2535 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2536 struct mbuf *n;
2537 MGET(n, M_DONTWAIT, MT_DATA);
2538 if (!n) {
2539 m_freem(m);
2540 return ENOBUFS;
2541 }
2542 n->m_len = sizeof(struct ip6_hdr);
2543 n->m_next = m->m_next;
2544 m->m_next = n;
2545 m->m_pkthdr.len += sizeof(struct ip);
2546 ip6i = mtod(n, struct ip6_hdr *);
2547 } else {
2548 m->m_next->m_len += sizeof(struct ip6_hdr);
2549 m->m_next->m_data -= sizeof(struct ip6_hdr);
2550 m->m_pkthdr.len += sizeof(struct ip);
2551 ip6i = mtod(m->m_next, struct ip6_hdr *);
2552 }
2553
2554 bcopy(ip6, ip6i, sizeof(struct ip6_hdr));
2555 ip = mtod(m, struct ip *);
2556 m->m_len = sizeof(struct ip);
2557 /*
2558 * Fill in some of the IPv4 fields - we don't need all of them
2559 * because the rest will be filled in by ip_output
2560 */
2561 ip->ip_v = IPVERSION;
2562 ip->ip_hl = sizeof(struct ip) >> 2;
2563 ip->ip_id = 0;
2564 ip->ip_sum = 0;
2565 ip->ip_tos = 0;
2566 ip->ip_off = 0;
2567 ip->ip_ttl = hlim;
2568 ip->ip_p = IPPROTO_IPV6;
2569
2570 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2571 /* ECN consideration. */
2572 ip64_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &ip6->ip6_flow);
2573
2574 if (plen + sizeof(struct ip) < IP_MAXPACKET) {
2575 ip->ip_len = htons(plen + sizeof(struct ip));
2576 } else {
2577 ip->ip_len = htons(plen);
2578 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2579 "leave ip_len as is (invalid packet)\n"));
2580 }
2581 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2582 &ip->ip_src, sizeof(ip->ip_src));
2583 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2584 &ip->ip_dst, sizeof(ip->ip_dst));
2585
2586 return 0;
2587 }
2588
2589 int
2590 ipsec6_update_routecache_and_output(
2591 struct ipsec_output_state *state,
2592 struct secasvar *sav)
2593 {
2594 struct sockaddr_in6* dst6;
2595 struct route_in6 *ro6;
2596 struct ip6_hdr *ip6;
2597 errno_t error = 0;
2598
2599 int plen;
2600 struct ip6_out_args ip6oa;
2601 struct route_in6 ro6_new;
2602 struct flowadv *adv = NULL;
2603
2604 if (!state->m) {
2605 return EINVAL;
2606 }
2607 ip6 = mtod(state->m, struct ip6_hdr *);
2608
2609 // grab sadb_mutex, before updating sah's route cache
2610 lck_mtx_lock(sadb_mutex);
2611 ro6 = &sav->sah->sa_route;
2612 dst6 = (struct sockaddr_in6 *)(void *)&ro6->ro_dst;
2613 if (ro6->ro_rt) {
2614 RT_LOCK(ro6->ro_rt);
2615 }
2616 if (ROUTE_UNUSABLE(ro6) ||
2617 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst)) {
2618 if (ro6->ro_rt != NULL) {
2619 RT_UNLOCK(ro6->ro_rt);
2620 }
2621 ROUTE_RELEASE(ro6);
2622 }
2623 if (ro6->ro_rt == 0) {
2624 bzero(dst6, sizeof(*dst6));
2625 dst6->sin6_family = AF_INET6;
2626 dst6->sin6_len = sizeof(*dst6);
2627 dst6->sin6_addr = ip6->ip6_dst;
2628 rtalloc_scoped((struct route *)ro6, sav->sah->outgoing_if);
2629 if (ro6->ro_rt) {
2630 RT_LOCK(ro6->ro_rt);
2631 }
2632 }
2633 if (ro6->ro_rt == 0) {
2634 ip6stat.ip6s_noroute++;
2635 IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute);
2636 error = EHOSTUNREACH;
2637 // release sadb_mutex, after updating sah's route cache
2638 lck_mtx_unlock(sadb_mutex);
2639 return error;
2640 }
2641
2642 /*
2643 * adjust state->dst if tunnel endpoint is offlink
2644 *
2645 * XXX: caching rt_gateway value in the state is
2646 * not really good, since it may point elsewhere
2647 * when the gateway gets modified to a larger
2648 * sockaddr via rt_setgate(). This is currently
2649 * addressed by SA_SIZE roundup in that routine.
2650 */
2651 if (ro6->ro_rt->rt_flags & RTF_GATEWAY) {
2652 dst6 = (struct sockaddr_in6 *)(void *)ro6->ro_rt->rt_gateway;
2653 }
2654 RT_UNLOCK(ro6->ro_rt);
2655 ROUTE_RELEASE(&state->ro);
2656 route_copyout((struct route *)&state->ro, (struct route *)ro6, sizeof(struct route_in6));
2657 state->dst = (struct sockaddr *)dst6;
2658 state->tunneled = 6;
2659 // release sadb_mutex, after updating sah's route cache
2660 lck_mtx_unlock(sadb_mutex);
2661
2662 state->m = ipsec6_splithdr(state->m);
2663 if (!state->m) {
2664 IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem);
2665 error = ENOMEM;
2666 return error;
2667 }
2668
2669 ip6 = mtod(state->m, struct ip6_hdr *);
2670 switch (sav->sah->saidx.proto) {
2671 case IPPROTO_ESP:
2672 #if IPSEC_ESP
2673 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
2674 #else
2675 m_freem(state->m);
2676 error = EINVAL;
2677 #endif
2678 break;
2679 case IPPROTO_AH:
2680 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
2681 break;
2682 case IPPROTO_IPCOMP:
2683 /* XXX code should be here */
2684 /*FALLTHROUGH*/
2685 default:
2686 ipseclog((LOG_ERR, "%s: unknown ipsec protocol %d\n", __FUNCTION__, sav->sah->saidx.proto));
2687 m_freem(state->m);
2688 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
2689 error = EINVAL;
2690 break;
2691 }
2692 if (error) {
2693 // If error, packet already freed by above output routines
2694 state->m = NULL;
2695 return error;
2696 }
2697
2698 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2699 if (plen > IPV6_MAXPACKET) {
2700 ipseclog((LOG_ERR, "%s: IPsec with IPv6 jumbogram is not supported\n", __FUNCTION__));
2701 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
2702 error = EINVAL;/*XXX*/
2703 return error;
2704 }
2705 ip6 = mtod(state->m, struct ip6_hdr *);
2706 ip6->ip6_plen = htons(plen);
2707
2708 ipsec_set_pkthdr_for_interface(sav->sah->ipsec_if, state->m, AF_INET6);
2709 ipsec_set_ip6oa_for_interface(sav->sah->ipsec_if, &ip6oa);
2710
2711 /* Increment statistics */
2712 ifnet_stat_increment_out(sav->sah->ipsec_if, 1, mbuf_pkthdr_len(state->m), 0);
2713
2714 /* Send to ip6_output */
2715 bzero(&ro6_new, sizeof(ro6_new));
2716 bzero(&ip6oa, sizeof(ip6oa));
2717 ip6oa.ip6oa_flowadv.code = 0;
2718 ip6oa.ip6oa_flags = IP6OAF_SELECT_SRCIF | IP6OAF_BOUND_SRCADDR;
2719 if (state->outgoing_if) {
2720 ip6oa.ip6oa_boundif = state->outgoing_if;
2721 ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
2722 }
2723
2724 adv = &ip6oa.ip6oa_flowadv;
2725 (void) ip6_output(state->m, NULL, &ro6_new, IPV6_OUTARGS, NULL, NULL, &ip6oa);
2726 state->m = NULL;
2727
2728 if (adv->code == FADV_FLOW_CONTROLLED || adv->code == FADV_SUSPENDED) {
2729 error = ENOBUFS;
2730 ifnet_disable_output(sav->sah->ipsec_if);
2731 return error;
2732 }
2733
2734 return 0;
2735 }
2736
2737 int
2738 ipsec46_encapsulate(struct ipsec_output_state *state, struct secasvar *sav)
2739 {
2740 struct mbuf *m;
2741 struct ip6_hdr *ip6;
2742 struct ip *oip;
2743 struct ip *ip;
2744 size_t hlen;
2745 size_t plen;
2746
2747 m = state->m;
2748 if (!m) {
2749 return EINVAL;
2750 }
2751
2752 /* can't tunnel between different AFs */
2753 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2754 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2755 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2756 m_freem(m);
2757 return EINVAL;
2758 }
2759 #if 0
2760 /* XXX if the dst is myself, perform nothing. */
2761 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2762 m_freem(m);
2763 return EINVAL;
2764 }
2765 #endif
2766
2767 if (m->m_len < sizeof(*ip)) {
2768 panic("ipsec46_encapsulate: assumption failed (first mbuf length)");
2769 return EINVAL;
2770 }
2771
2772 ip = mtod(m, struct ip *);
2773 #ifdef _IP_VHL
2774 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
2775 #else
2776 hlen = ip->ip_hl << 2;
2777 #endif
2778
2779 if (m->m_len != hlen) {
2780 panic("ipsec46_encapsulate: assumption failed (first mbuf length)");
2781 return EINVAL;
2782 }
2783
2784 /* generate header checksum */
2785 ip->ip_sum = 0;
2786 #ifdef _IP_VHL
2787 ip->ip_sum = in_cksum(m, hlen);
2788 #else
2789 ip->ip_sum = in_cksum(m, hlen);
2790 #endif
2791
2792 plen = m->m_pkthdr.len; // save original IPv4 packet len, this will be ipv6 payload len
2793
2794 /*
2795 * First move the IPv4 header to the second mbuf in the chain
2796 */
2797 if (M_LEADINGSPACE(m->m_next) < hlen) {
2798 struct mbuf *n;
2799 MGET(n, M_DONTWAIT, MT_DATA);
2800 if (!n) {
2801 m_freem(m);
2802 return ENOBUFS;
2803 }
2804 n->m_len = hlen;
2805 n->m_next = m->m_next;
2806 m->m_next = n;
2807 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2808 oip = mtod(n, struct ip *);
2809 } else {
2810 m->m_next->m_len += hlen;
2811 m->m_next->m_data -= hlen;
2812 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2813 oip = mtod(m->m_next, struct ip *);
2814 }
2815 ip = mtod(m, struct ip *);
2816 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2817
2818 /*
2819 * Grow the first mbuf to accomodate the new IPv6 header.
2820 */
2821 if (M_LEADINGSPACE(m) < sizeof(struct ip6_hdr) - hlen) {
2822 struct mbuf *n;
2823 MGETHDR(n, M_DONTWAIT, MT_HEADER);
2824 if (!n) {
2825 m_freem(m);
2826 return ENOBUFS;
2827 }
2828 M_COPY_PKTHDR(n, m);
2829 MH_ALIGN(n, sizeof(struct ip6_hdr));
2830 n->m_len = sizeof(struct ip6_hdr);
2831 n->m_next = m->m_next;
2832 m->m_next = NULL;
2833 m_freem(m);
2834 state->m = n;
2835 m = state->m;
2836 } else {
2837 m->m_len += (sizeof(struct ip6_hdr) - hlen);
2838 m->m_data -= (sizeof(struct ip6_hdr) - hlen);
2839 }
2840 ip6 = mtod(m, struct ip6_hdr *);
2841 ip6->ip6_flow = 0;
2842 ip6->ip6_vfc &= ~IPV6_VERSION_MASK;
2843 ip6->ip6_vfc |= IPV6_VERSION;
2844
2845 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2846 /* ECN consideration. */
2847 ip46_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &ip->ip_tos);
2848 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) {
2849 ip6->ip6_plen = htons(plen);
2850 } else {
2851 /* ip6->ip6_plen will be updated in ip6_output() */
2852 }
2853
2854 ip6->ip6_nxt = IPPROTO_IPV4;
2855 ip6->ip6_hlim = IPV6_DEFHLIM;
2856
2857 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2858 &ip6->ip6_src, sizeof(ip6->ip6_src));
2859 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2860 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2861
2862 return 0;
2863 }
2864
2865 #endif /*INET6*/
2866
2867 /*
2868 * Check the variable replay window.
2869 * ipsec_chkreplay() performs replay check before ICV verification.
2870 * ipsec_updatereplay() updates replay bitmap. This must be called after
2871 * ICV verification (it also performs replay check, which is usually done
2872 * beforehand).
2873 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2874 *
2875 * based on RFC 2401.
2876 */
2877 int
2878 ipsec_chkreplay(u_int32_t seq, struct secasvar *sav)
2879 {
2880 const struct secreplay *replay;
2881 u_int32_t diff;
2882 int fr;
2883 u_int32_t wsizeb; /* constant: bits of window size */
2884 int frlast; /* constant: last frame */
2885
2886
2887 /* sanity check */
2888 if (sav == NULL) {
2889 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2890 }
2891
2892 lck_mtx_lock(sadb_mutex);
2893 replay = sav->replay;
2894
2895 if (replay->wsize == 0) {
2896 lck_mtx_unlock(sadb_mutex);
2897 return 1; /* no need to check replay. */
2898 }
2899
2900 /* constant */
2901 frlast = replay->wsize - 1;
2902 wsizeb = replay->wsize << 3;
2903
2904 /* sequence number of 0 is invalid */
2905 if (seq == 0) {
2906 lck_mtx_unlock(sadb_mutex);
2907 return 0;
2908 }
2909
2910 /* first time is always okay */
2911 if (replay->count == 0) {
2912 lck_mtx_unlock(sadb_mutex);
2913 return 1;
2914 }
2915
2916 if (seq > replay->lastseq) {
2917 /* larger sequences are okay */
2918 lck_mtx_unlock(sadb_mutex);
2919 return 1;
2920 } else {
2921 /* seq is equal or less than lastseq. */
2922 diff = replay->lastseq - seq;
2923
2924 /* over range to check, i.e. too old or wrapped */
2925 if (diff >= wsizeb) {
2926 lck_mtx_unlock(sadb_mutex);
2927 return 0;
2928 }
2929
2930 fr = frlast - diff / 8;
2931
2932 /* this packet already seen ? */
2933 if ((replay->bitmap)[fr] & (1 << (diff % 8))) {
2934 lck_mtx_unlock(sadb_mutex);
2935 return 0;
2936 }
2937
2938 /* out of order but good */
2939 lck_mtx_unlock(sadb_mutex);
2940 return 1;
2941 }
2942 }
2943
2944 /*
2945 * check replay counter whether to update or not.
2946 * OUT: 0: OK
2947 * 1: NG
2948 */
2949 int
2950 ipsec_updatereplay(u_int32_t seq, struct secasvar *sav)
2951 {
2952 struct secreplay *replay;
2953 u_int32_t diff;
2954 int fr;
2955 u_int32_t wsizeb; /* constant: bits of window size */
2956 int frlast; /* constant: last frame */
2957
2958 /* sanity check */
2959 if (sav == NULL) {
2960 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2961 }
2962
2963 lck_mtx_lock(sadb_mutex);
2964 replay = sav->replay;
2965
2966 if (replay->wsize == 0) {
2967 goto ok; /* no need to check replay. */
2968 }
2969 /* constant */
2970 frlast = replay->wsize - 1;
2971 wsizeb = replay->wsize << 3;
2972
2973 /* sequence number of 0 is invalid */
2974 if (seq == 0) {
2975 lck_mtx_unlock(sadb_mutex);
2976 return 1;
2977 }
2978
2979 /* first time */
2980 if (replay->count == 0) {
2981 replay->lastseq = seq;
2982 bzero(replay->bitmap, replay->wsize);
2983 (replay->bitmap)[frlast] = 1;
2984 goto ok;
2985 }
2986
2987 if (seq > replay->lastseq) {
2988 /* seq is larger than lastseq. */
2989 diff = seq - replay->lastseq;
2990
2991 /* new larger sequence number */
2992 if (diff < wsizeb) {
2993 /* In window */
2994 /* set bit for this packet */
2995 vshiftl((unsigned char *) replay->bitmap, diff, replay->wsize);
2996 (replay->bitmap)[frlast] |= 1;
2997 } else {
2998 /* this packet has a "way larger" */
2999 bzero(replay->bitmap, replay->wsize);
3000 (replay->bitmap)[frlast] = 1;
3001 }
3002 replay->lastseq = seq;
3003
3004 /* larger is good */
3005 } else {
3006 /* seq is equal or less than lastseq. */
3007 diff = replay->lastseq - seq;
3008
3009 /* over range to check, i.e. too old or wrapped */
3010 if (diff >= wsizeb) {
3011 lck_mtx_unlock(sadb_mutex);
3012 return 1;
3013 }
3014
3015 fr = frlast - diff / 8;
3016
3017 /* this packet already seen ? */
3018 if ((replay->bitmap)[fr] & (1 << (diff % 8))) {
3019 lck_mtx_unlock(sadb_mutex);
3020 return 1;
3021 }
3022
3023 /* mark as seen */
3024 (replay->bitmap)[fr] |= (1 << (diff % 8));
3025
3026 /* out of order but good */
3027 }
3028
3029 ok:
3030 if (replay->count == ~0) {
3031 /* set overflow flag */
3032 replay->overflow++;
3033
3034 /* don't increment, no more packets accepted */
3035 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
3036 lck_mtx_unlock(sadb_mutex);
3037 return 1;
3038 }
3039
3040 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
3041 replay->overflow, ipsec_logsastr(sav)));
3042 }
3043
3044 replay->count++;
3045
3046 lck_mtx_unlock(sadb_mutex);
3047 return 0;
3048 }
3049
3050 /*
3051 * shift variable length buffer to left.
3052 * IN: bitmap: pointer to the buffer
3053 * nbit: the number of to shift.
3054 * wsize: buffer size (bytes).
3055 */
3056 static void
3057 vshiftl(unsigned char *bitmap, int nbit, int wsize)
3058 {
3059 int s, j, i;
3060 unsigned char over;
3061
3062 for (j = 0; j < nbit; j += 8) {
3063 s = (nbit - j < 8) ? (nbit - j): 8;
3064 bitmap[0] <<= s;
3065 for (i = 1; i < wsize; i++) {
3066 over = (bitmap[i] >> (8 - s));
3067 bitmap[i] <<= s;
3068 bitmap[i - 1] |= over;
3069 }
3070 }
3071
3072 return;
3073 }
3074
3075 const char *
3076 ipsec4_logpacketstr(struct ip *ip, u_int32_t spi)
3077 {
3078 static char buf[256] __attribute__((aligned(4)));
3079 char *p;
3080 u_int8_t *s, *d;
3081
3082 s = (u_int8_t *)(&ip->ip_src);
3083 d = (u_int8_t *)(&ip->ip_dst);
3084
3085 p = buf;
3086 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
3087 while (p && *p) {
3088 p++;
3089 }
3090 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
3091 s[0], s[1], s[2], s[3]);
3092 while (p && *p) {
3093 p++;
3094 }
3095 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
3096 d[0], d[1], d[2], d[3]);
3097 while (p && *p) {
3098 p++;
3099 }
3100 snprintf(p, sizeof(buf) - (p - buf), ")");
3101
3102 return buf;
3103 }
3104
3105 #if INET6
3106 const char *
3107 ipsec6_logpacketstr(struct ip6_hdr *ip6, u_int32_t spi)
3108 {
3109 static char buf[256] __attribute__((aligned(4)));
3110 char *p;
3111
3112 p = buf;
3113 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
3114 while (p && *p) {
3115 p++;
3116 }
3117 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
3118 ip6_sprintf(&ip6->ip6_src));
3119 while (p && *p) {
3120 p++;
3121 }
3122 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
3123 ip6_sprintf(&ip6->ip6_dst));
3124 while (p && *p) {
3125 p++;
3126 }
3127 snprintf(p, sizeof(buf) - (p - buf), ")");
3128
3129 return buf;
3130 }
3131 #endif /*INET6*/
3132
3133 const char *
3134 ipsec_logsastr(struct secasvar *sav)
3135 {
3136 static char buf[256] __attribute__((aligned(4)));
3137 char *p;
3138 struct secasindex *saidx = &sav->sah->saidx;
3139
3140 /* validity check */
3141 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
3142 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
3143 panic("ipsec_logsastr: family mismatched.\n");
3144 }
3145
3146 p = buf;
3147 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
3148 while (p && *p) {
3149 p++;
3150 }
3151 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
3152 u_int8_t *s, *d;
3153 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
3154 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
3155 snprintf(p, sizeof(buf) - (p - buf),
3156 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
3157 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
3158 }
3159 #if INET6
3160 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
3161 snprintf(p, sizeof(buf) - (p - buf),
3162 "src=%s",
3163 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
3164 while (p && *p) {
3165 p++;
3166 }
3167 snprintf(p, sizeof(buf) - (p - buf),
3168 " dst=%s",
3169 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
3170 }
3171 #endif
3172 while (p && *p) {
3173 p++;
3174 }
3175 snprintf(p, sizeof(buf) - (p - buf), ")");
3176
3177 return buf;
3178 }
3179
3180 void
3181 ipsec_dumpmbuf(struct mbuf *m)
3182 {
3183 int totlen;
3184 int i;
3185 u_char *p;
3186
3187 totlen = 0;
3188 printf("---\n");
3189 while (m) {
3190 p = mtod(m, u_char *);
3191 for (i = 0; i < m->m_len; i++) {
3192 printf("%02x ", p[i]);
3193 totlen++;
3194 if (totlen % 16 == 0) {
3195 printf("\n");
3196 }
3197 }
3198 m = m->m_next;
3199 }
3200 if (totlen % 16 != 0) {
3201 printf("\n");
3202 }
3203 printf("---\n");
3204 }
3205
3206 #if INET
3207 /*
3208 * IPsec output logic for IPv4.
3209 */
3210 static int
3211 ipsec4_output_internal(struct ipsec_output_state *state, struct secasvar *sav)
3212 {
3213 struct ip *ip = NULL;
3214 int error = 0;
3215 struct sockaddr_in *dst4;
3216 struct route *ro4;
3217
3218 /* validity check */
3219 if (sav == NULL || sav->sah == NULL) {
3220 error = EINVAL;
3221 goto bad;
3222 }
3223
3224 /*
3225 * If there is no valid SA, we give up to process any
3226 * more. In such a case, the SA's status is changed
3227 * from DYING to DEAD after allocating. If a packet
3228 * send to the receiver by dead SA, the receiver can
3229 * not decode a packet because SA has been dead.
3230 */
3231 if (sav->state != SADB_SASTATE_MATURE
3232 && sav->state != SADB_SASTATE_DYING) {
3233 IPSEC_STAT_INCREMENT(ipsecstat.out_nosa);
3234 error = EINVAL;
3235 goto bad;
3236 }
3237
3238 state->outgoing_if = sav->sah->outgoing_if;
3239
3240 /*
3241 * There may be the case that SA status will be changed when
3242 * we are refering to one. So calling splsoftnet().
3243 */
3244
3245 if (sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) {
3246 /*
3247 * build IPsec tunnel.
3248 */
3249 state->m = ipsec4_splithdr(state->m);
3250 if (!state->m) {
3251 error = ENOMEM;
3252 goto bad;
3253 }
3254
3255 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) {
3256 error = ipsec46_encapsulate(state, sav);
3257 if (error) {
3258 // packet already freed by encapsulation error handling
3259 state->m = NULL;
3260 return error;
3261 }
3262
3263 error = ipsec6_update_routecache_and_output(state, sav);
3264 return error;
3265 } else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) {
3266 error = ipsec4_encapsulate(state->m, sav);
3267 if (error) {
3268 state->m = NULL;
3269 goto bad;
3270 }
3271 ip = mtod(state->m, struct ip *);
3272
3273 // grab sadb_mutex, before updating sah's route cache
3274 lck_mtx_lock(sadb_mutex);
3275 ro4 = (struct route *)&sav->sah->sa_route;
3276 dst4 = (struct sockaddr_in *)(void *)&ro4->ro_dst;
3277 if (ro4->ro_rt != NULL) {
3278 RT_LOCK(ro4->ro_rt);
3279 }
3280 if (ROUTE_UNUSABLE(ro4) ||
3281 dst4->sin_addr.s_addr != ip->ip_dst.s_addr) {
3282 if (ro4->ro_rt != NULL) {
3283 RT_UNLOCK(ro4->ro_rt);
3284 }
3285 ROUTE_RELEASE(ro4);
3286 }
3287 if (ro4->ro_rt == 0) {
3288 dst4->sin_family = AF_INET;
3289 dst4->sin_len = sizeof(*dst4);
3290 dst4->sin_addr = ip->ip_dst;
3291 rtalloc_scoped(ro4, sav->sah->outgoing_if);
3292 if (ro4->ro_rt == 0) {
3293 OSAddAtomic(1, &ipstat.ips_noroute);
3294 error = EHOSTUNREACH;
3295 // release sadb_mutex, after updating sah's route cache
3296 lck_mtx_unlock(sadb_mutex);
3297 goto bad;
3298 }
3299 RT_LOCK(ro4->ro_rt);
3300 }
3301
3302 /*
3303 * adjust state->dst if tunnel endpoint is offlink
3304 *
3305 * XXX: caching rt_gateway value in the state is
3306 * not really good, since it may point elsewhere
3307 * when the gateway gets modified to a larger
3308 * sockaddr via rt_setgate(). This is currently
3309 * addressed by SA_SIZE roundup in that routine.
3310 */
3311 if (ro4->ro_rt->rt_flags & RTF_GATEWAY) {
3312 dst4 = (struct sockaddr_in *)(void *)ro4->ro_rt->rt_gateway;
3313 }
3314 RT_UNLOCK(ro4->ro_rt);
3315 ROUTE_RELEASE(&state->ro);
3316 route_copyout((struct route *)&state->ro, ro4, sizeof(struct route));
3317 state->dst = (struct sockaddr *)dst4;
3318 state->tunneled = 4;
3319 // release sadb_mutex, after updating sah's route cache
3320 lck_mtx_unlock(sadb_mutex);
3321 } else {
3322 ipseclog((LOG_ERR, "%s: family mismatched between inner and outer spi=%u\n",
3323 __FUNCTION__, (u_int32_t)ntohl(sav->spi)));
3324 error = EAFNOSUPPORT;
3325 goto bad;
3326 }
3327 }
3328
3329 state->m = ipsec4_splithdr(state->m);
3330 if (!state->m) {
3331 error = ENOMEM;
3332 goto bad;
3333 }
3334 switch (sav->sah->saidx.proto) {
3335 case IPPROTO_ESP:
3336 #if IPSEC_ESP
3337 if ((error = esp4_output(state->m, sav)) != 0) {
3338 state->m = NULL;
3339 goto bad;
3340 }
3341 break;
3342 #else
3343 m_freem(state->m);
3344 state->m = NULL;
3345 error = EINVAL;
3346 goto bad;
3347 #endif
3348 case IPPROTO_AH:
3349 if ((error = ah4_output(state->m, sav)) != 0) {
3350 state->m = NULL;
3351 goto bad;
3352 }
3353 break;
3354 case IPPROTO_IPCOMP:
3355 if ((error = ipcomp4_output(state->m, sav)) != 0) {
3356 state->m = NULL;
3357 goto bad;
3358 }
3359 break;
3360 default:
3361 ipseclog((LOG_ERR,
3362 "ipsec4_output: unknown ipsec protocol %d\n",
3363 sav->sah->saidx.proto));
3364 m_freem(state->m);
3365 state->m = NULL;
3366 error = EINVAL;
3367 goto bad;
3368 }
3369
3370 if (state->m == 0) {
3371 error = ENOMEM;
3372 goto bad;
3373 }
3374
3375 return 0;
3376
3377 bad:
3378 return error;
3379 }
3380
3381 int
3382 ipsec4_interface_output(struct ipsec_output_state *state, ifnet_t interface)
3383 {
3384 int error = 0;
3385 struct secasvar *sav = NULL;
3386
3387 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
3388
3389 if (state == NULL) {
3390 panic("state == NULL in ipsec4_output");
3391 }
3392 if (state->m == NULL) {
3393 panic("state->m == NULL in ipsec4_output");
3394 }
3395 if (state->dst == NULL) {
3396 panic("state->dst == NULL in ipsec4_output");
3397 }
3398
3399 struct ip *ip = mtod(state->m, struct ip *);
3400
3401 struct sockaddr_in src = {};
3402 src.sin_family = AF_INET;
3403 src.sin_len = sizeof(src);
3404 memcpy(&src.sin_addr, &ip->ip_src, sizeof(src.sin_addr));
3405
3406 struct sockaddr_in dst = {};
3407 dst.sin_family = AF_INET;
3408 dst.sin_len = sizeof(dst);
3409 memcpy(&dst.sin_addr, &ip->ip_dst, sizeof(dst.sin_addr));
3410
3411 sav = key_alloc_outbound_sav_for_interface(interface, AF_INET,
3412 (struct sockaddr *)&src,
3413 (struct sockaddr *)&dst);
3414 if (sav == NULL) {
3415 goto bad;
3416 }
3417
3418 if ((error = ipsec4_output_internal(state, sav)) != 0) {
3419 goto bad;
3420 }
3421
3422 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0, 0, 0, 0, 0);
3423 if (sav) {
3424 key_freesav(sav, KEY_SADB_UNLOCKED);
3425 }
3426 return 0;
3427
3428 bad:
3429 if (sav) {
3430 key_freesav(sav, KEY_SADB_UNLOCKED);
3431 }
3432 m_freem(state->m);
3433 state->m = NULL;
3434 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error, 0, 0, 0, 0);
3435 return error;
3436 }
3437
3438 int
3439 ipsec4_output(struct ipsec_output_state *state, struct secpolicy *sp, __unused int flags)
3440 {
3441 struct ip *ip = NULL;
3442 struct ipsecrequest *isr = NULL;
3443 struct secasindex saidx;
3444 struct secasvar *sav = NULL;
3445 int error = 0;
3446 struct sockaddr_in *sin;
3447
3448 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
3449
3450 if (!state) {
3451 panic("state == NULL in ipsec4_output");
3452 }
3453 if (!state->m) {
3454 panic("state->m == NULL in ipsec4_output");
3455 }
3456 if (!state->dst) {
3457 panic("state->dst == NULL in ipsec4_output");
3458 }
3459
3460 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_START, 0, 0, 0, 0, 0);
3461
3462 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3463 printf("ipsec4_output: applied SP\n");
3464 kdebug_secpolicy(sp));
3465
3466 for (isr = sp->req; isr != NULL; isr = isr->next) {
3467 /* make SA index for search proper SA */
3468 ip = mtod(state->m, struct ip *);
3469 bcopy(&isr->saidx, &saidx, sizeof(saidx));
3470 saidx.mode = isr->saidx.mode;
3471 saidx.reqid = isr->saidx.reqid;
3472 sin = (struct sockaddr_in *)&saidx.src;
3473 if (sin->sin_len == 0) {
3474 sin->sin_len = sizeof(*sin);
3475 sin->sin_family = AF_INET;
3476 sin->sin_port = IPSEC_PORT_ANY;
3477 bcopy(&ip->ip_src, &sin->sin_addr,
3478 sizeof(sin->sin_addr));
3479 }
3480 sin = (struct sockaddr_in *)&saidx.dst;
3481 if (sin->sin_len == 0) {
3482 sin->sin_len = sizeof(*sin);
3483 sin->sin_family = AF_INET;
3484 sin->sin_port = IPSEC_PORT_ANY;
3485 /*
3486 * Get port from packet if upper layer is UDP and nat traversal
3487 * is enabled and transport mode.
3488 */
3489
3490 if ((esp_udp_encap_port & 0xFFFF) != 0 &&
3491 isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
3492 if (ip->ip_p == IPPROTO_UDP) {
3493 struct udphdr *udp;
3494 size_t hlen;
3495 #ifdef _IP_VHL
3496 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
3497 #else
3498 hlen = ip->ip_hl << 2;
3499 #endif
3500 if (state->m->m_len < hlen + sizeof(struct udphdr)) {
3501 state->m = m_pullup(state->m, hlen + sizeof(struct udphdr));
3502 if (!state->m) {
3503 ipseclog((LOG_DEBUG, "IPv4 output: can't pullup UDP header\n"));
3504 IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
3505 goto bad;
3506 }
3507 ip = mtod(state->m, struct ip *);
3508 }
3509 udp = (struct udphdr *)(void *)(((u_int8_t *)ip) + hlen);
3510 sin->sin_port = udp->uh_dport;
3511 }
3512 }
3513
3514 bcopy(&ip->ip_dst, &sin->sin_addr,
3515 sizeof(sin->sin_addr));
3516 }
3517
3518 if ((error = key_checkrequest(isr, &saidx, &sav)) != 0) {
3519 /*
3520 * IPsec processing is required, but no SA found.
3521 * I assume that key_acquire() had been called
3522 * to get/establish the SA. Here I discard
3523 * this packet because it is responsibility for
3524 * upper layer to retransmit the packet.
3525 */
3526 IPSEC_STAT_INCREMENT(ipsecstat.out_nosa);
3527 goto bad;
3528 }
3529
3530 /* validity check */
3531 if (sav == NULL) {
3532 switch (ipsec_get_reqlevel(isr)) {
3533 case IPSEC_LEVEL_USE:
3534 continue;
3535 case IPSEC_LEVEL_REQUIRE:
3536 /* must be not reached here. */
3537 panic("ipsec4_output: no SA found, but required.");
3538 }
3539 }
3540
3541 if ((error = ipsec4_output_internal(state, sav)) != 0) {
3542 goto bad;
3543 }
3544 }
3545
3546 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0, 0, 0, 0, 0);
3547 if (sav) {
3548 key_freesav(sav, KEY_SADB_UNLOCKED);
3549 }
3550 return 0;
3551
3552 bad:
3553 if (sav) {
3554 key_freesav(sav, KEY_SADB_UNLOCKED);
3555 }
3556 m_freem(state->m);
3557 state->m = NULL;
3558 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error, 0, 0, 0, 0);
3559 return error;
3560 }
3561
3562 #endif
3563
3564 #if INET6
3565 /*
3566 * IPsec output logic for IPv6, transport mode.
3567 */
3568 static int
3569 ipsec6_output_trans_internal(
3570 struct ipsec_output_state *state,
3571 struct secasvar *sav,
3572 u_char *nexthdrp,
3573 struct mbuf *mprev)
3574 {
3575 struct ip6_hdr *ip6;
3576 int error = 0;
3577 int plen;
3578
3579 /* validity check */
3580 if (sav == NULL || sav->sah == NULL) {
3581 error = EINVAL;
3582 goto bad;
3583 }
3584
3585 /*
3586 * If there is no valid SA, we give up to process.
3587 * see same place at ipsec4_output().
3588 */
3589 if (sav->state != SADB_SASTATE_MATURE
3590 && sav->state != SADB_SASTATE_DYING) {
3591 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
3592 error = EINVAL;
3593 goto bad;
3594 }
3595
3596 state->outgoing_if = sav->sah->outgoing_if;
3597
3598 switch (sav->sah->saidx.proto) {
3599 case IPPROTO_ESP:
3600 #if IPSEC_ESP
3601 error = esp6_output(state->m, nexthdrp, mprev->m_next, sav);
3602 #else
3603 m_freem(state->m);
3604 error = EINVAL;
3605 #endif
3606 break;
3607 case IPPROTO_AH:
3608 error = ah6_output(state->m, nexthdrp, mprev->m_next, sav);
3609 break;
3610 case IPPROTO_IPCOMP:
3611 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, sav);
3612 break;
3613 default:
3614 ipseclog((LOG_ERR, "ipsec6_output_trans: "
3615 "unknown ipsec protocol %d\n", sav->sah->saidx.proto));
3616 m_freem(state->m);
3617 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3618 error = EINVAL;
3619 break;
3620 }
3621 if (error) {
3622 state->m = NULL;
3623 goto bad;
3624 }
3625 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3626 if (plen > IPV6_MAXPACKET) {
3627 ipseclog((LOG_ERR, "ipsec6_output_trans: "
3628 "IPsec with IPv6 jumbogram is not supported\n"));
3629 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3630 error = EINVAL; /*XXX*/
3631 goto bad;
3632 }
3633 ip6 = mtod(state->m, struct ip6_hdr *);
3634 ip6->ip6_plen = htons(plen);
3635
3636 return 0;
3637 bad:
3638 return error;
3639 }
3640
3641 int
3642 ipsec6_output_trans(
3643 struct ipsec_output_state *state,
3644 u_char *nexthdrp,
3645 struct mbuf *mprev,
3646 struct secpolicy *sp,
3647 __unused int flags,
3648 int *tun)
3649 {
3650 struct ip6_hdr *ip6;
3651 struct ipsecrequest *isr = NULL;
3652 struct secasindex saidx;
3653 int error = 0;
3654 struct sockaddr_in6 *sin6;
3655 struct secasvar *sav = NULL;
3656
3657 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
3658
3659 if (!state) {
3660 panic("state == NULL in ipsec6_output_trans");
3661 }
3662 if (!state->m) {
3663 panic("state->m == NULL in ipsec6_output_trans");
3664 }
3665 if (!nexthdrp) {
3666 panic("nexthdrp == NULL in ipsec6_output_trans");
3667 }
3668 if (!mprev) {
3669 panic("mprev == NULL in ipsec6_output_trans");
3670 }
3671 if (!sp) {
3672 panic("sp == NULL in ipsec6_output_trans");
3673 }
3674 if (!tun) {
3675 panic("tun == NULL in ipsec6_output_trans");
3676 }
3677
3678 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3679 printf("ipsec6_output_trans: applyed SP\n");
3680 kdebug_secpolicy(sp));
3681
3682 *tun = 0;
3683 for (isr = sp->req; isr; isr = isr->next) {
3684 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3685 /* the rest will be handled by ipsec6_output_tunnel() */
3686 break;
3687 }
3688
3689 /* make SA index for search proper SA */
3690 ip6 = mtod(state->m, struct ip6_hdr *);
3691 bcopy(&isr->saidx, &saidx, sizeof(saidx));
3692 saidx.mode = isr->saidx.mode;
3693 saidx.reqid = isr->saidx.reqid;
3694 sin6 = (struct sockaddr_in6 *)&saidx.src;
3695 if (sin6->sin6_len == 0) {
3696 sin6->sin6_len = sizeof(*sin6);
3697 sin6->sin6_family = AF_INET6;
3698 sin6->sin6_port = IPSEC_PORT_ANY;
3699 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
3700 sizeof(ip6->ip6_src));
3701 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
3702 /* fix scope id for comparing SPD */
3703 sin6->sin6_addr.s6_addr16[1] = 0;
3704 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
3705 }
3706 }
3707 sin6 = (struct sockaddr_in6 *)&saidx.dst;
3708 if (sin6->sin6_len == 0) {
3709 sin6->sin6_len = sizeof(*sin6);
3710 sin6->sin6_family = AF_INET6;
3711 sin6->sin6_port = IPSEC_PORT_ANY;
3712 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
3713 sizeof(ip6->ip6_dst));
3714 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
3715 /* fix scope id for comparing SPD */
3716 sin6->sin6_addr.s6_addr16[1] = 0;
3717 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
3718 }
3719 }
3720
3721 if (key_checkrequest(isr, &saidx, &sav) == ENOENT) {
3722 /*
3723 * IPsec processing is required, but no SA found.
3724 * I assume that key_acquire() had been called
3725 * to get/establish the SA. Here I discard
3726 * this packet because it is responsibility for
3727 * upper layer to retransmit the packet.
3728 */
3729 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
3730 error = ENOENT;
3731
3732 /*
3733 * Notify the fact that the packet is discarded
3734 * to ourselves. I believe this is better than
3735 * just silently discarding. (jinmei@kame.net)
3736 * XXX: should we restrict the error to TCP packets?
3737 * XXX: should we directly notify sockets via
3738 * pfctlinputs?
3739 */
3740 icmp6_error(state->m, ICMP6_DST_UNREACH,
3741 ICMP6_DST_UNREACH_ADMIN, 0);
3742 state->m = NULL; /* icmp6_error freed the mbuf */
3743 goto bad;
3744 }
3745
3746 /* validity check */
3747 if (sav == NULL) {
3748 switch (ipsec_get_reqlevel(isr)) {
3749 case IPSEC_LEVEL_USE:
3750 continue;
3751 case IPSEC_LEVEL_REQUIRE:
3752 /* must be not reached here. */
3753 panic("ipsec6_output_trans: no SA found, but required.");
3754 }
3755 }
3756
3757 if ((error = ipsec6_output_trans_internal(state, sav, nexthdrp, mprev)) != 0) {
3758 goto bad;
3759 }
3760 }
3761
3762 /* if we have more to go, we need a tunnel mode processing */
3763 if (isr != NULL) {
3764 *tun = 1;
3765 }
3766
3767 if (sav) {
3768 key_freesav(sav, KEY_SADB_UNLOCKED);
3769 }
3770 return 0;
3771
3772 bad:
3773 if (sav) {
3774 key_freesav(sav, KEY_SADB_UNLOCKED);
3775 }
3776 m_freem(state->m);
3777 state->m = NULL;
3778 return error;
3779 }
3780
3781 /*
3782 * IPsec output logic for IPv6, tunnel mode.
3783 */
3784 static int
3785 ipsec6_output_tunnel_internal(struct ipsec_output_state *state, struct secasvar *sav, int *must_be_last)
3786 {
3787 struct ip6_hdr *ip6;
3788 int error = 0;
3789 int plen;
3790 struct sockaddr_in6* dst6;
3791 struct route_in6 *ro6;
3792
3793 /* validity check */
3794 if (sav == NULL || sav->sah == NULL || sav->sah->saidx.mode != IPSEC_MODE_TUNNEL) {
3795 error = EINVAL;
3796 goto bad;
3797 }
3798
3799 /*
3800 * If there is no valid SA, we give up to process.
3801 * see same place at ipsec4_output().
3802 */
3803 if (sav->state != SADB_SASTATE_MATURE
3804 && sav->state != SADB_SASTATE_DYING) {
3805 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
3806 error = EINVAL;
3807 goto bad;
3808 }
3809
3810 state->outgoing_if = sav->sah->outgoing_if;
3811
3812 if (sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) {
3813 /*
3814 * build IPsec tunnel.
3815 */
3816 state->m = ipsec6_splithdr(state->m);
3817 if (!state->m) {
3818 IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem);
3819 error = ENOMEM;
3820 goto bad;
3821 }
3822
3823 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) {
3824 error = ipsec6_encapsulate(state->m, sav);
3825 if (error) {
3826 state->m = 0;
3827 goto bad;
3828 }
3829 ip6 = mtod(state->m, struct ip6_hdr *);
3830 } else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) {
3831 struct ip *ip;
3832 struct sockaddr_in* dst4;
3833 struct route *ro4 = NULL;
3834 struct route ro4_copy;
3835 struct ip_out_args ipoa;
3836
3837 bzero(&ipoa, sizeof(ipoa));
3838 ipoa.ipoa_boundif = IFSCOPE_NONE;
3839 ipoa.ipoa_flags = IPOAF_SELECT_SRCIF;
3840 ipoa.ipoa_sotc = SO_TC_UNSPEC;
3841 ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
3842
3843 if (must_be_last) {
3844 *must_be_last = 1;
3845 }
3846
3847 state->tunneled = 4; /* must not process any further in ip6_output */
3848 error = ipsec64_encapsulate(state->m, sav);
3849 if (error) {
3850 state->m = 0;
3851 goto bad;
3852 }
3853 /* Now we have an IPv4 packet */
3854 ip = mtod(state->m, struct ip *);
3855
3856 // grab sadb_mutex, to update sah's route cache and get a local copy of it
3857 lck_mtx_lock(sadb_mutex);
3858 ro4 = (struct route *)&sav->sah->sa_route;
3859 dst4 = (struct sockaddr_in *)(void *)&ro4->ro_dst;
3860 if (ro4->ro_rt) {
3861 RT_LOCK(ro4->ro_rt);
3862 }
3863 if (ROUTE_UNUSABLE(ro4) ||
3864 dst4->sin_addr.s_addr != ip->ip_dst.s_addr) {
3865 if (ro4->ro_rt != NULL) {
3866 RT_UNLOCK(ro4->ro_rt);
3867 }
3868 ROUTE_RELEASE(ro4);
3869 }
3870 if (ro4->ro_rt == NULL) {
3871 dst4->sin_family = AF_INET;
3872 dst4->sin_len = sizeof(*dst4);
3873 dst4->sin_addr = ip->ip_dst;
3874 } else {
3875 RT_UNLOCK(ro4->ro_rt);
3876 }
3877 route_copyout(&ro4_copy, ro4, sizeof(struct route));
3878 // release sadb_mutex, after updating sah's route cache and getting a local copy
3879 lck_mtx_unlock(sadb_mutex);
3880 state->m = ipsec4_splithdr(state->m);
3881 if (!state->m) {
3882 error = ENOMEM;
3883 ROUTE_RELEASE(&ro4_copy);
3884 goto bad;
3885 }
3886 switch (sav->sah->saidx.proto) {
3887 case IPPROTO_ESP:
3888 #if IPSEC_ESP
3889 if ((error = esp4_output(state->m, sav)) != 0) {
3890 state->m = NULL;
3891 ROUTE_RELEASE(&ro4_copy);
3892 goto bad;
3893 }
3894 break;
3895
3896 #else
3897 m_freem(state->m);
3898 state->m = NULL;
3899 error = EINVAL;
3900 ROUTE_RELEASE(&ro4_copy);
3901 goto bad;
3902 #endif
3903 case IPPROTO_AH:
3904 if ((error = ah4_output(state->m, sav)) != 0) {
3905 state->m = NULL;
3906 ROUTE_RELEASE(&ro4_copy);
3907 goto bad;
3908 }
3909 break;
3910 case IPPROTO_IPCOMP:
3911 if ((error = ipcomp4_output(state->m, sav)) != 0) {
3912 state->m = NULL;
3913 ROUTE_RELEASE(&ro4_copy);
3914 goto bad;
3915 }
3916 break;
3917 default:
3918 ipseclog((LOG_ERR,
3919 "ipsec4_output: unknown ipsec protocol %d\n",
3920 sav->sah->saidx.proto));
3921 m_freem(state->m);
3922 state->m = NULL;
3923 error = EINVAL;
3924 ROUTE_RELEASE(&ro4_copy);
3925 goto bad;
3926 }
3927
3928 if (state->m == 0) {
3929 error = ENOMEM;
3930 ROUTE_RELEASE(&ro4_copy);
3931 goto bad;
3932 }
3933 ipsec_set_pkthdr_for_interface(sav->sah->ipsec_if, state->m, AF_INET);
3934 ipsec_set_ipoa_for_interface(sav->sah->ipsec_if, &ipoa);
3935
3936 ip = mtod(state->m, struct ip *);
3937 ip->ip_len = ntohs(ip->ip_len); /* flip len field before calling ip_output */
3938 error = ip_output(state->m, NULL, &ro4_copy, IP_OUTARGS, NULL, &ipoa);
3939 state->m = NULL;
3940 // grab sadb_mutex, to synchronize the sah's route cache with the local copy
3941 lck_mtx_lock(sadb_mutex);
3942 route_copyin(&ro4_copy, ro4, sizeof(struct route));
3943 lck_mtx_unlock(sadb_mutex);
3944 if (error != 0) {
3945 goto bad;
3946 }
3947 goto done;
3948 } else {
3949 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3950 "unsupported inner family, spi=%u\n",
3951 (u_int32_t)ntohl(sav->spi)));
3952 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3953 error = EAFNOSUPPORT;
3954 goto bad;
3955 }
3956
3957 // grab sadb_mutex, before updating sah's route cache
3958 lck_mtx_lock(sadb_mutex);
3959 ro6 = &sav->sah->sa_route;
3960 dst6 = (struct sockaddr_in6 *)(void *)&ro6->ro_dst;
3961 if (ro6->ro_rt) {
3962 RT_LOCK(ro6->ro_rt);
3963 }
3964 if (ROUTE_UNUSABLE(ro6) ||
3965 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst)) {
3966 if (ro6->ro_rt != NULL) {
3967 RT_UNLOCK(ro6->ro_rt);
3968 }
3969 ROUTE_RELEASE(ro6);
3970 }
3971 if (ro6->ro_rt == 0) {
3972 bzero(dst6, sizeof(*dst6));
3973 dst6->sin6_family = AF_INET6;
3974 dst6->sin6_len = sizeof(*dst6);
3975 dst6->sin6_addr = ip6->ip6_dst;
3976 rtalloc_scoped((struct route *)ro6, sav->sah->outgoing_if);
3977 if (ro6->ro_rt) {
3978 RT_LOCK(ro6->ro_rt);
3979 }
3980 }
3981 if (ro6->ro_rt == 0) {
3982 ip6stat.ip6s_noroute++;
3983 IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute);
3984 error = EHOSTUNREACH;
3985 // release sadb_mutex, after updating sah's route cache
3986 lck_mtx_unlock(sadb_mutex);
3987 goto bad;
3988 }
3989
3990 /*
3991 * adjust state->dst if tunnel endpoint is offlink
3992 *
3993 * XXX: caching rt_gateway value in the state is
3994 * not really good, since it may point elsewhere
3995 * when the gateway gets modified to a larger
3996 * sockaddr via rt_setgate(). This is currently
3997 * addressed by SA_SIZE roundup in that routine.
3998 */
3999 if (ro6->ro_rt->rt_flags & RTF_GATEWAY) {
4000 dst6 = (struct sockaddr_in6 *)(void *)ro6->ro_rt->rt_gateway;
4001 }
4002 RT_UNLOCK(ro6->ro_rt);
4003 ROUTE_RELEASE(&state->ro);
4004 route_copyout((struct route *)&state->ro, (struct route *)ro6, sizeof(struct route_in6));
4005 state->dst = (struct sockaddr *)dst6;
4006 state->tunneled = 6;
4007 // release sadb_mutex, after updating sah's route cache
4008 lck_mtx_unlock(sadb_mutex);
4009 }
4010
4011 state->m = ipsec6_splithdr(state->m);
4012 if (!state->m) {
4013 IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem);
4014 error = ENOMEM;
4015 goto bad;
4016 }
4017 ip6 = mtod(state->m, struct ip6_hdr *);
4018 switch (sav->sah->saidx.proto) {
4019 case IPPROTO_ESP:
4020 #if IPSEC_ESP
4021 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
4022 #else
4023 m_freem(state->m);
4024 error = EINVAL;
4025 #endif
4026 break;
4027 case IPPROTO_AH:
4028 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
4029 break;
4030 case IPPROTO_IPCOMP:
4031 /* XXX code should be here */
4032 /*FALLTHROUGH*/
4033 default:
4034 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
4035 "unknown ipsec protocol %d\n", sav->sah->saidx.proto));
4036 m_freem(state->m);
4037 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
4038 error = EINVAL;
4039 break;
4040 }
4041 if (error) {
4042 state->m = NULL;
4043 goto bad;
4044 }
4045 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
4046 if (plen > IPV6_MAXPACKET) {
4047 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
4048 "IPsec with IPv6 jumbogram is not supported\n"));
4049 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
4050 error = EINVAL; /*XXX*/
4051 goto bad;
4052 }
4053 ip6 = mtod(state->m, struct ip6_hdr *);
4054 ip6->ip6_plen = htons(plen);
4055 done:
4056 return 0;
4057
4058 bad:
4059 return error;
4060 }
4061
4062 int
4063 ipsec6_output_tunnel(
4064 struct ipsec_output_state *state,
4065 struct secpolicy *sp,
4066 __unused int flags)
4067 {
4068 struct ip6_hdr *ip6;
4069 struct ipsecrequest *isr = NULL;
4070 struct secasindex saidx;
4071 struct secasvar *sav = NULL;
4072 int error = 0;
4073
4074 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
4075
4076 if (!state) {
4077 panic("state == NULL in ipsec6_output_tunnel");
4078 }
4079 if (!state->m) {
4080 panic("state->m == NULL in ipsec6_output_tunnel");
4081 }
4082 if (!sp) {
4083 panic("sp == NULL in ipsec6_output_tunnel");
4084 }
4085
4086 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
4087 printf("ipsec6_output_tunnel: applyed SP\n");
4088 kdebug_secpolicy(sp));
4089
4090 /*
4091 * transport mode ipsec (before the 1st tunnel mode) is already
4092 * processed by ipsec6_output_trans().
4093 */
4094 for (isr = sp->req; isr; isr = isr->next) {
4095 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
4096 break;
4097 }
4098 }
4099
4100 for (/* already initialized */; isr; isr = isr->next) {
4101 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
4102 /* When tunnel mode, SA peers must be specified. */
4103 bcopy(&isr->saidx, &saidx, sizeof(saidx));
4104 } else {
4105 /* make SA index to look for a proper SA */
4106 struct sockaddr_in6 *sin6;
4107
4108 bzero(&saidx, sizeof(saidx));
4109 saidx.proto = isr->saidx.proto;
4110 saidx.mode = isr->saidx.mode;
4111 saidx.reqid = isr->saidx.reqid;
4112
4113 ip6 = mtod(state->m, struct ip6_hdr *);
4114 sin6 = (struct sockaddr_in6 *)&saidx.src;
4115 if (sin6->sin6_len == 0) {
4116 sin6->sin6_len = sizeof(*sin6);
4117 sin6->sin6_family = AF_INET6;
4118 sin6->sin6_port = IPSEC_PORT_ANY;
4119 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
4120 sizeof(ip6->ip6_src));
4121 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
4122 /* fix scope id for comparing SPD */
4123 sin6->sin6_addr.s6_addr16[1] = 0;
4124 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
4125 }
4126 }
4127 sin6 = (struct sockaddr_in6 *)&saidx.dst;
4128 if (sin6->sin6_len == 0) {
4129 sin6->sin6_len = sizeof(*sin6);
4130 sin6->sin6_family = AF_INET6;
4131 sin6->sin6_port = IPSEC_PORT_ANY;
4132 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
4133 sizeof(ip6->ip6_dst));
4134 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
4135 /* fix scope id for comparing SPD */
4136 sin6->sin6_addr.s6_addr16[1] = 0;
4137 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
4138 }
4139 }
4140 }
4141
4142 if (key_checkrequest(isr, &saidx, &sav) == ENOENT) {
4143 /*
4144 * IPsec processing is required, but no SA found.
4145 * I assume that key_acquire() had been called
4146 * to get/establish the SA. Here I discard
4147 * this packet because it is responsibility for
4148 * upper layer to retransmit the packet.
4149 */
4150 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
4151 error = ENOENT;
4152 goto bad;
4153 }
4154
4155 /* validity check */
4156 if (sav == NULL) {
4157 switch (ipsec_get_reqlevel(isr)) {
4158 case IPSEC_LEVEL_USE:
4159 continue;
4160 case IPSEC_LEVEL_REQUIRE:
4161 /* must be not reached here. */
4162 panic("ipsec6_output_tunnel: no SA found, but required.");
4163 }
4164 }
4165
4166 /*
4167 * If there is no valid SA, we give up to process.
4168 * see same place at ipsec4_output().
4169 */
4170 if (sav->state != SADB_SASTATE_MATURE
4171 && sav->state != SADB_SASTATE_DYING) {
4172 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
4173 error = EINVAL;
4174 goto bad;
4175 }
4176
4177 int must_be_last = 0;
4178
4179 if ((error = ipsec6_output_tunnel_internal(state, sav, &must_be_last)) != 0) {
4180 goto bad;
4181 }
4182
4183 if (must_be_last && isr->next) {
4184 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
4185 "IPv4 must be outer layer, spi=%u\n",
4186 (u_int32_t)ntohl(sav->spi)));
4187 error = EINVAL;
4188 goto bad;
4189 }
4190 }
4191
4192 if (sav) {
4193 key_freesav(sav, KEY_SADB_UNLOCKED);
4194 }
4195 return 0;
4196
4197 bad:
4198 if (sav) {
4199 key_freesav(sav, KEY_SADB_UNLOCKED);
4200 }
4201 if (state->m) {
4202 m_freem(state->m);
4203 }
4204 state->m = NULL;
4205 return error;
4206 }
4207
4208 int
4209 ipsec6_interface_output(struct ipsec_output_state *state, ifnet_t interface, u_char *nexthdrp, struct mbuf *mprev)
4210 {
4211 int error = 0;
4212 struct secasvar *sav = NULL;
4213
4214 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
4215
4216 if (state == NULL) {
4217 panic("state == NULL in ipsec6_output");
4218 }
4219 if (state->m == NULL) {
4220 panic("state->m == NULL in ipsec6_output");
4221 }
4222 if (nexthdrp == NULL) {
4223 panic("nexthdrp == NULL in ipsec6_output");
4224 }
4225 if (mprev == NULL) {
4226 panic("mprev == NULL in ipsec6_output");
4227 }
4228
4229 struct ip6_hdr *ip6 = mtod(state->m, struct ip6_hdr *);
4230
4231 struct sockaddr_in6 src = {};
4232 src.sin6_family = AF_INET6;
4233 src.sin6_len = sizeof(src);
4234 memcpy(&src.sin6_addr, &ip6->ip6_src, sizeof(src.sin6_addr));
4235
4236 struct sockaddr_in6 dst = {};
4237 dst.sin6_family = AF_INET6;
4238 dst.sin6_len = sizeof(dst);
4239 memcpy(&dst.sin6_addr, &ip6->ip6_dst, sizeof(dst.sin6_addr));
4240
4241 sav = key_alloc_outbound_sav_for_interface(interface, AF_INET6,
4242 (struct sockaddr *)&src,
4243 (struct sockaddr *)&dst);
4244 if (sav == NULL) {
4245 goto bad;
4246 }
4247
4248 if (sav->sah && sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) {
4249 if ((error = ipsec6_output_tunnel_internal(state, sav, NULL)) != 0) {
4250 goto bad;
4251 }
4252 } else {
4253 if ((error = ipsec6_output_trans_internal(state, sav, nexthdrp, mprev)) != 0) {
4254 goto bad;
4255 }
4256 }
4257
4258 if (sav) {
4259 key_freesav(sav, KEY_SADB_UNLOCKED);
4260 }
4261 return 0;
4262
4263 bad:
4264 if (sav) {
4265 key_freesav(sav, KEY_SADB_UNLOCKED);
4266 }
4267 m_freem(state->m);
4268 state->m = NULL;
4269 return error;
4270 }
4271 #endif /*INET6*/
4272
4273 #if INET
4274 /*
4275 * Chop IP header and option off from the payload.
4276 */
4277 struct mbuf *
4278 ipsec4_splithdr(struct mbuf *m)
4279 {
4280 struct mbuf *mh;
4281 struct ip *ip;
4282 int hlen;
4283
4284 if (m->m_len < sizeof(struct ip)) {
4285 panic("ipsec4_splithdr: first mbuf too short, m_len %d, pkt_len %d, m_flag %x", m->m_len, m->m_pkthdr.len, m->m_flags);
4286 }
4287 ip = mtod(m, struct ip *);
4288 #ifdef _IP_VHL
4289 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
4290 #else
4291 hlen = ip->ip_hl << 2;
4292 #endif
4293 if (m->m_len > hlen) {
4294 MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */
4295 if (!mh) {
4296 m_freem(m);
4297 return NULL;
4298 }
4299 M_COPY_PKTHDR(mh, m);
4300 MH_ALIGN(mh, hlen);
4301 m->m_flags &= ~M_PKTHDR;
4302 m_mchtype(m, MT_DATA);
4303 m->m_len -= hlen;
4304 m->m_data += hlen;
4305 mh->m_next = m;
4306 m = mh;
4307 m->m_len = hlen;
4308 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
4309 } else if (m->m_len < hlen) {
4310 m = m_pullup(m, hlen);
4311 if (!m) {
4312 return NULL;
4313 }
4314 }
4315 return m;
4316 }
4317 #endif
4318
4319 #if INET6
4320 struct mbuf *
4321 ipsec6_splithdr(struct mbuf *m)
4322 {
4323 struct mbuf *mh;
4324 struct ip6_hdr *ip6;
4325 int hlen;
4326
4327 if (m->m_len < sizeof(struct ip6_hdr)) {
4328 panic("ipsec6_splithdr: first mbuf too short");
4329 }
4330 ip6 = mtod(m, struct ip6_hdr *);
4331 hlen = sizeof(struct ip6_hdr);
4332 if (m->m_len > hlen) {
4333 MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */
4334 if (!mh) {
4335 m_freem(m);
4336 return NULL;
4337 }
4338 M_COPY_PKTHDR(mh, m);
4339 MH_ALIGN(mh, hlen);
4340 m->m_flags &= ~M_PKTHDR;
4341 m_mchtype(m, MT_DATA);
4342 m->m_len -= hlen;
4343 m->m_data += hlen;
4344 mh->m_next = m;
4345 m = mh;
4346 m->m_len = hlen;
4347 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
4348 } else if (m->m_len < hlen) {
4349 m = m_pullup(m, hlen);
4350 if (!m) {
4351 return NULL;
4352 }
4353 }
4354 return m;
4355 }
4356 #endif
4357
4358 /* validate inbound IPsec tunnel packet. */
4359 int
4360 ipsec4_tunnel_validate(
4361 struct mbuf *m, /* no pullup permitted, m->m_len >= ip */
4362 int off,
4363 u_int nxt0,
4364 struct secasvar *sav,
4365 sa_family_t *ifamily)
4366 {
4367 u_int8_t nxt = nxt0 & 0xff;
4368 struct sockaddr_in *sin;
4369 struct sockaddr_in osrc, odst, i4src, i4dst;
4370 struct sockaddr_in6 i6src, i6dst;
4371 int hlen;
4372 struct secpolicy *sp;
4373 struct ip *oip;
4374
4375 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
4376
4377 #if DIAGNOSTIC
4378 if (m->m_len < sizeof(struct ip)) {
4379 panic("too short mbuf on ipsec4_tunnel_validate");
4380 }
4381 #endif
4382 if (nxt != IPPROTO_IPV4 && nxt != IPPROTO_IPV6) {
4383 return 0;
4384 }
4385 if (m->m_pkthdr.len < off + sizeof(struct ip)) {
4386 return 0;
4387 }
4388 /* do not decapsulate if the SA is for transport mode only */
4389 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) {
4390 return 0;
4391 }
4392
4393 oip = mtod(m, struct ip *);
4394 #ifdef _IP_VHL
4395 hlen = _IP_VHL_HL(oip->ip_vhl) << 2;
4396 #else
4397 hlen = oip->ip_hl << 2;
4398 #endif
4399 if (hlen != sizeof(struct ip)) {
4400 return 0;
4401 }
4402
4403 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
4404 if (sin->sin_family != AF_INET) {
4405 return 0;
4406 }
4407 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0) {
4408 return 0;
4409 }
4410
4411 if (sav->sah->ipsec_if != NULL) {
4412 // the ipsec interface SAs don't have a policies.
4413 if (nxt == IPPROTO_IPV4) {
4414 *ifamily = AF_INET;
4415 } else if (nxt == IPPROTO_IPV6) {
4416 *ifamily = AF_INET6;
4417 } else {
4418 return 0;
4419 }
4420 return 1;
4421 }
4422
4423 /* XXX slow */
4424 bzero(&osrc, sizeof(osrc));
4425 bzero(&odst, sizeof(odst));
4426 osrc.sin_family = odst.sin_family = AF_INET;
4427 osrc.sin_len = odst.sin_len = sizeof(struct sockaddr_in);
4428 osrc.sin_addr = oip->ip_src;
4429 odst.sin_addr = oip->ip_dst;
4430 /*
4431 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
4432 * - if the inner destination is multicast address, there can be
4433 * multiple permissible inner source address. implementation
4434 * may want to skip verification of inner source address against
4435 * SPD selector.
4436 * - if the inner protocol is ICMP, the packet may be an error report
4437 * from routers on the other side of the VPN cloud (R in the
4438 * following diagram). in this case, we cannot verify inner source
4439 * address against SPD selector.
4440 * me -- gw === gw -- R -- you
4441 *
4442 * we consider the first bullet to be users responsibility on SPD entry
4443 * configuration (if you need to encrypt multicast traffic, set
4444 * the source range of SPD selector to 0.0.0.0/0, or have explicit
4445 * address ranges for possible senders).
4446 * the second bullet is not taken care of (yet).
4447 *
4448 * therefore, we do not do anything special about inner source.
4449 */
4450 if (nxt == IPPROTO_IPV4) {
4451 bzero(&i4src, sizeof(struct sockaddr_in));
4452 bzero(&i4dst, sizeof(struct sockaddr_in));
4453 i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET;
4454 i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in);
4455 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr),
4456 (caddr_t)&i4src.sin_addr);
4457 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr),
4458 (caddr_t)&i4dst.sin_addr);
4459 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
4460 (struct sockaddr *)&i4src, (struct sockaddr *)&i4dst);
4461 } else if (nxt == IPPROTO_IPV6) {
4462 bzero(&i6src, sizeof(struct sockaddr_in6));
4463 bzero(&i6dst, sizeof(struct sockaddr_in6));
4464 i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6;
4465 i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6);
4466 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr),
4467 (caddr_t)&i6src.sin6_addr);
4468 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr),
4469 (caddr_t)&i6dst.sin6_addr);
4470 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
4471 (struct sockaddr *)&i6src, (struct sockaddr *)&i6dst);
4472 } else {
4473 return 0; /* unsupported family */
4474 }
4475 if (!sp) {
4476 return 0;
4477 }
4478
4479 key_freesp(sp, KEY_SADB_UNLOCKED);
4480
4481 return 1;
4482 }
4483
4484 #if INET6
4485 /* validate inbound IPsec tunnel packet. */
4486 int
4487 ipsec6_tunnel_validate(
4488 struct mbuf *m, /* no pullup permitted, m->m_len >= ip */
4489 int off,
4490 u_int nxt0,
4491 struct secasvar *sav,
4492 sa_family_t *ifamily)
4493 {
4494 u_int8_t nxt = nxt0 & 0xff;
4495 struct sockaddr_in6 *sin6;
4496 struct sockaddr_in i4src, i4dst;
4497 struct sockaddr_in6 osrc, odst, i6src, i6dst;
4498 struct secpolicy *sp;
4499 struct ip6_hdr *oip6;
4500
4501 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
4502
4503 #if DIAGNOSTIC
4504 if (m->m_len < sizeof(struct ip6_hdr)) {
4505 panic("too short mbuf on ipsec6_tunnel_validate");
4506 }
4507 #endif
4508 if (nxt != IPPROTO_IPV4 && nxt != IPPROTO_IPV6) {
4509 return 0;
4510 }
4511
4512 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr)) {
4513 return 0;
4514 }
4515 /* do not decapsulate if the SA is for transport mode only */
4516 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) {
4517 return 0;
4518 }
4519
4520 oip6 = mtod(m, struct ip6_hdr *);
4521 /* AF_INET should be supported, but at this moment we don't. */
4522 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
4523 if (sin6->sin6_family != AF_INET6) {
4524 return 0;
4525 }
4526 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr)) {
4527 return 0;
4528 }
4529
4530 if (sav->sah->ipsec_if != NULL) {
4531 // the ipsec interface SAs don't have a policies.
4532 if (nxt == IPPROTO_IPV4) {
4533 *ifamily = AF_INET;
4534 } else if (nxt == IPPROTO_IPV6) {
4535 *ifamily = AF_INET6;
4536 } else {
4537 return 0;
4538 }
4539 return 1;
4540 }
4541
4542 /* XXX slow */
4543 bzero(&osrc, sizeof(osrc));
4544 bzero(&odst, sizeof(odst));
4545 osrc.sin6_family = odst.sin6_family = AF_INET6;
4546 osrc.sin6_len = odst.sin6_len = sizeof(struct sockaddr_in6);
4547 osrc.sin6_addr = oip6->ip6_src;
4548 odst.sin6_addr = oip6->ip6_dst;
4549
4550 /*
4551 * regarding to inner source address validation, see a long comment
4552 * in ipsec4_tunnel_validate.
4553 */
4554
4555 if (nxt == IPPROTO_IPV4) {
4556 bzero(&i4src, sizeof(struct sockaddr_in));
4557 bzero(&i4dst, sizeof(struct sockaddr_in));
4558 i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET;
4559 i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in);
4560 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr),
4561 (caddr_t)&i4src.sin_addr);
4562 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr),
4563 (caddr_t)&i4dst.sin_addr);
4564 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
4565 (struct sockaddr *)&i4src, (struct sockaddr *)&i4dst);
4566 } else if (nxt == IPPROTO_IPV6) {
4567 bzero(&i6src, sizeof(struct sockaddr_in6));
4568 bzero(&i6dst, sizeof(struct sockaddr_in6));
4569 i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6;
4570 i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6);
4571 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr),
4572 (caddr_t)&i6src.sin6_addr);
4573 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr),
4574 (caddr_t)&i6dst.sin6_addr);
4575 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
4576 (struct sockaddr *)&i6src, (struct sockaddr *)&i6dst);
4577 } else {
4578 return 0; /* unsupported family */
4579 }
4580 /*
4581 * when there is no suitable inbound policy for the packet of the ipsec
4582 * tunnel mode, the kernel never decapsulate the tunneled packet
4583 * as the ipsec tunnel mode even when the system wide policy is "none".
4584 * then the kernel leaves the generic tunnel module to process this
4585 * packet. if there is no rule of the generic tunnel, the packet
4586 * is rejected and the statistics will be counted up.
4587 */
4588 if (!sp) {
4589 return 0;
4590 }
4591 key_freesp(sp, KEY_SADB_UNLOCKED);
4592
4593 return 1;
4594 }
4595 #endif
4596
4597 /*
4598 * Make a mbuf chain for encryption.
4599 * If the original mbuf chain contains a mbuf with a cluster,
4600 * allocate a new cluster and copy the data to the new cluster.
4601 * XXX: this hack is inefficient, but is necessary to handle cases
4602 * of TCP retransmission...
4603 */
4604 struct mbuf *
4605 ipsec_copypkt(struct mbuf *m)
4606 {
4607 struct mbuf *n, **mpp, *mnew;
4608
4609 for (n = m, mpp = &m; n; n = n->m_next) {
4610 if (n->m_flags & M_EXT) {
4611 /*
4612 * Make a copy only if there are more than one references
4613 * to the cluster.
4614 * XXX: is this approach effective?
4615 */
4616 if (
4617 m_get_ext_free(n) != NULL ||
4618 m_mclhasreference(n)
4619 ) {
4620 int remain, copied;
4621 struct mbuf *mm;
4622
4623 if (n->m_flags & M_PKTHDR) {
4624 MGETHDR(mnew, M_DONTWAIT, MT_HEADER); /* MAC-OK */
4625 if (mnew == NULL) {
4626 goto fail;
4627 }
4628 M_COPY_PKTHDR(mnew, n);
4629 } else {
4630 MGET(mnew, M_DONTWAIT, MT_DATA);
4631 if (mnew == NULL) {
4632 goto fail;
4633 }
4634 }
4635 mnew->m_len = 0;
4636 mm = mnew;
4637
4638 /*
4639 * Copy data. If we don't have enough space to
4640 * store the whole data, allocate a cluster
4641 * or additional mbufs.
4642 * XXX: we don't use m_copyback(), since the
4643 * function does not use clusters and thus is
4644 * inefficient.
4645 */
4646 remain = n->m_len;
4647 copied = 0;
4648 while (1) {
4649 int len;
4650 struct mbuf *mn;
4651
4652 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN)) {
4653 len = remain;
4654 } else { /* allocate a cluster */
4655 MCLGET(mm, M_DONTWAIT);
4656 if (!(mm->m_flags & M_EXT)) {
4657 m_free(mm);
4658 goto fail;
4659 }
4660 len = remain < MCLBYTES ?
4661 remain : MCLBYTES;
4662 }
4663
4664 bcopy(n->m_data + copied, mm->m_data,
4665 len);
4666
4667 copied += len;
4668 remain -= len;
4669 mm->m_len = len;
4670
4671 if (remain <= 0) { /* completed? */
4672 break;
4673 }
4674
4675 /* need another mbuf */
4676 MGETHDR(mn, M_DONTWAIT, MT_HEADER); /* XXXMAC: tags copied next time in loop? */
4677 if (mn == NULL) {
4678 goto fail;
4679 }
4680 mn->m_pkthdr.rcvif = NULL;
4681 mm->m_next = mn;
4682 mm = mn;
4683 }
4684
4685 /* adjust chain */
4686 mm->m_next = m_free(n);
4687 n = mm;
4688 *mpp = mnew;
4689 mpp = &n->m_next;
4690
4691 continue;
4692 }
4693 }
4694 *mpp = n;
4695 mpp = &n->m_next;
4696 }
4697
4698 return m;
4699 fail:
4700 m_freem(m);
4701 return NULL;
4702 }
4703
4704 /*
4705 * Tags are allocated as mbufs for now, since our minimum size is MLEN, we
4706 * should make use of up to that much space.
4707 */
4708 #define IPSEC_TAG_HEADER \
4709
4710 struct ipsec_tag {
4711 struct socket *socket;
4712 u_int32_t history_count;
4713 struct ipsec_history history[];
4714 #if __arm__ && (__BIGGEST_ALIGNMENT__ > 4)
4715 /* For the newer ARMv7k ABI where 64-bit types are 64-bit aligned, but pointers
4716 * are 32-bit:
4717 * Aligning to 64-bit since we case to m_tag which is 64-bit aligned.
4718 */
4719 } __attribute__ ((aligned(8)));
4720 #else
4721 };
4722 #endif
4723
4724 #define IPSEC_TAG_SIZE (MLEN - sizeof(struct m_tag))
4725 #define IPSEC_TAG_HDR_SIZE (offsetof(struct ipsec_tag, history[0]))
4726 #define IPSEC_HISTORY_MAX ((IPSEC_TAG_SIZE - IPSEC_TAG_HDR_SIZE) / \
4727 sizeof(struct ipsec_history))
4728
4729 static struct ipsec_tag *
4730 ipsec_addaux(
4731 struct mbuf *m)
4732 {
4733 struct m_tag *tag;
4734
4735 /* Check if the tag already exists */
4736 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL);
4737
4738 if (tag == NULL) {
4739 struct ipsec_tag *itag;
4740
4741 /* Allocate a tag */
4742 tag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC,
4743 IPSEC_TAG_SIZE, M_DONTWAIT, m);
4744
4745 if (tag) {
4746 itag = (struct ipsec_tag*)(tag + 1);
4747 itag->socket = 0;
4748 itag->history_count = 0;
4749
4750 m_tag_prepend(m, tag);
4751 }
4752 }
4753
4754 return tag ? (struct ipsec_tag*)(tag + 1) : NULL;
4755 }
4756
4757 static struct ipsec_tag *
4758 ipsec_findaux(
4759 struct mbuf *m)
4760 {
4761 struct m_tag *tag;
4762
4763 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL);
4764
4765 return tag ? (struct ipsec_tag*)(tag + 1) : NULL;
4766 }
4767
4768 void
4769 ipsec_delaux(
4770 struct mbuf *m)
4771 {
4772 struct m_tag *tag;
4773
4774 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL);
4775
4776 if (tag) {
4777 m_tag_delete(m, tag);
4778 }
4779 }
4780
4781 /* if the aux buffer is unnecessary, nuke it. */
4782 static void
4783 ipsec_optaux(
4784 struct mbuf *m,
4785 struct ipsec_tag *itag)
4786 {
4787 if (itag && itag->socket == NULL && itag->history_count == 0) {
4788 m_tag_delete(m, ((struct m_tag*)itag) - 1);
4789 }
4790 }
4791
4792 int
4793 ipsec_setsocket(struct mbuf *m, struct socket *so)
4794 {
4795 struct ipsec_tag *tag;
4796
4797 /* if so == NULL, don't insist on getting the aux mbuf */
4798 if (so) {
4799 tag = ipsec_addaux(m);
4800 if (!tag) {
4801 return ENOBUFS;
4802 }
4803 } else {
4804 tag = ipsec_findaux(m);
4805 }
4806 if (tag) {
4807 tag->socket = so;
4808 ipsec_optaux(m, tag);
4809 }
4810 return 0;
4811 }
4812
4813 struct socket *
4814 ipsec_getsocket(struct mbuf *m)
4815 {
4816 struct ipsec_tag *itag;
4817
4818 itag = ipsec_findaux(m);
4819 if (itag) {
4820 return itag->socket;
4821 } else {
4822 return NULL;
4823 }
4824 }
4825
4826 int
4827 ipsec_addhist(
4828 struct mbuf *m,
4829 int proto,
4830 u_int32_t spi)
4831 {
4832 struct ipsec_tag *itag;
4833 struct ipsec_history *p;
4834 itag = ipsec_addaux(m);
4835 if (!itag) {
4836 return ENOBUFS;
4837 }
4838 if (itag->history_count == IPSEC_HISTORY_MAX) {
4839 return ENOSPC; /* XXX */
4840 }
4841 p = &itag->history[itag->history_count];
4842 itag->history_count++;
4843
4844 bzero(p, sizeof(*p));
4845 p->ih_proto = proto;
4846 p->ih_spi = spi;
4847
4848 return 0;
4849 }
4850
4851 struct ipsec_history *
4852 ipsec_gethist(
4853 struct mbuf *m,
4854 int *lenp)
4855 {
4856 struct ipsec_tag *itag;
4857
4858 itag = ipsec_findaux(m);
4859 if (!itag) {
4860 return NULL;
4861 }
4862 if (itag->history_count == 0) {
4863 return NULL;
4864 }
4865 if (lenp) {
4866 *lenp = (int)(itag->history_count * sizeof(struct ipsec_history));
4867 }
4868 return itag->history;
4869 }
4870
4871 void
4872 ipsec_clearhist(
4873 struct mbuf *m)
4874 {
4875 struct ipsec_tag *itag;
4876
4877 itag = ipsec_findaux(m);
4878 if (itag) {
4879 itag->history_count = 0;
4880 }
4881 ipsec_optaux(m, itag);
4882 }
4883
4884 __private_extern__ boolean_t
4885 ipsec_send_natt_keepalive(
4886 struct secasvar *sav)
4887 {
4888 struct mbuf *m = NULL;
4889 int error = 0;
4890 int keepalive_interval = natt_keepalive_interval;
4891
4892 LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
4893 lck_mtx_lock(sadb_mutex);
4894
4895 if ((esp_udp_encap_port & 0xFFFF) == 0 || sav->remote_ike_port == 0) {
4896 lck_mtx_unlock(sadb_mutex);
4897 return FALSE;
4898 }
4899
4900 if (sav->natt_interval != 0) {
4901 keepalive_interval = (int)sav->natt_interval;
4902 }
4903
4904 // natt timestamp may have changed... reverify
4905 if ((natt_now - sav->natt_last_activity) < keepalive_interval) {
4906 lck_mtx_unlock(sadb_mutex);
4907 return FALSE;
4908 }
4909
4910 if (sav->flags & SADB_X_EXT_ESP_KEEPALIVE) {
4911 lck_mtx_unlock(sadb_mutex);
4912 return FALSE; // don't send these from the kernel
4913 }
4914
4915 lck_mtx_unlock(sadb_mutex);
4916
4917 m = m_gethdr(M_NOWAIT, MT_DATA);
4918 if (m == NULL) {
4919 return FALSE;
4920 }
4921
4922 lck_mtx_lock(sadb_mutex);
4923 if (sav->sah->saidx.dst.ss_family == AF_INET) {
4924 struct ip_out_args ipoa = {};
4925 struct route ro = {};
4926
4927 ipoa.ipoa_boundif = IFSCOPE_NONE;
4928 ipoa.ipoa_flags = IPOAF_SELECT_SRCIF;
4929 ipoa.ipoa_sotc = SO_TC_UNSPEC;
4930 ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
4931
4932 struct ip *ip = (__typeof__(ip))m_mtod(m);
4933
4934 /*
4935 * Type 2: a UDP packet complete with IP header.
4936 * We must do this because UDP output requires
4937 * an inpcb which we don't have. UDP packet
4938 * contains one byte payload. The byte is set
4939 * to 0xFF.
4940 */
4941 struct udphdr *uh = (__typeof__(uh))(void *)((char *)m_mtod(m) + sizeof(*ip));
4942 m->m_len = sizeof(struct udpiphdr) + 1;
4943 bzero(m_mtod(m), m->m_len);
4944 m->m_pkthdr.len = m->m_len;
4945
4946 ip->ip_len = m->m_len;
4947 ip->ip_ttl = ip_defttl;
4948 ip->ip_p = IPPROTO_UDP;
4949 if (sav->sah->dir != IPSEC_DIR_INBOUND) {
4950 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
4951 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
4952 } else {
4953 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
4954 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
4955 }
4956 uh->uh_sport = htons((u_short)esp_udp_encap_port);
4957 uh->uh_dport = htons(sav->remote_ike_port);
4958 uh->uh_ulen = htons(1 + sizeof(*uh));
4959 uh->uh_sum = 0;
4960 *(u_int8_t*)((char*)m_mtod(m) + sizeof(*ip) + sizeof(*uh)) = 0xFF;
4961
4962 if (ROUTE_UNUSABLE(&sav->sah->sa_route) ||
4963 rt_key(sav->sah->sa_route.ro_rt)->sa_family != AF_INET) {
4964 ROUTE_RELEASE(&sav->sah->sa_route);
4965 }
4966
4967 route_copyout(&ro, (struct route *)&sav->sah->sa_route, sizeof(struct route));
4968 lck_mtx_unlock(sadb_mutex);
4969
4970 necp_mark_packet_as_keepalive(m, TRUE);
4971 error = ip_output(m, NULL, &ro, IP_OUTARGS | IP_NOIPSEC, NULL, &ipoa);
4972
4973 lck_mtx_lock(sadb_mutex);
4974 route_copyin(&ro, (struct route *)&sav->sah->sa_route, sizeof(struct route));
4975 } else if (sav->sah->saidx.dst.ss_family == AF_INET6) {
4976 struct ip6_out_args ip6oa = {};
4977 struct route_in6 ro6 = {};
4978
4979 ip6oa.ip6oa_flowadv.code = 0;
4980 ip6oa.ip6oa_flags = IP6OAF_SELECT_SRCIF | IP6OAF_BOUND_SRCADDR;
4981 if (sav->sah->outgoing_if) {
4982 ip6oa.ip6oa_boundif = sav->sah->outgoing_if;
4983 ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
4984 }
4985
4986 struct ip6_hdr *ip6 = (__typeof__(ip6))m_mtod(m);
4987
4988 /*
4989 * Type 2: a UDP packet complete with IPv6 header.
4990 * We must do this because UDP output requires
4991 * an inpcb which we don't have. UDP packet
4992 * contains one byte payload. The byte is set
4993 * to 0xFF.
4994 */
4995 struct udphdr *uh = (__typeof__(uh))(void *)((char *)m_mtod(m) + sizeof(*ip6));
4996 m->m_len = sizeof(struct udphdr) + sizeof(struct ip6_hdr) + 1;
4997 bzero(m_mtod(m), m->m_len);
4998 m->m_pkthdr.len = m->m_len;
4999
5000 ip6->ip6_flow = 0;
5001 ip6->ip6_vfc &= ~IPV6_VERSION_MASK;
5002 ip6->ip6_vfc |= IPV6_VERSION;
5003 ip6->ip6_nxt = IPPROTO_UDP;
5004 ip6->ip6_hlim = ip6_defhlim;
5005 ip6->ip6_plen = htons(sizeof(struct udphdr) + 1);
5006 if (sav->sah->dir != IPSEC_DIR_INBOUND) {
5007 ip6->ip6_src = ((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr;
5008 ip6->ip6_dst = ((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr;
5009 } else {
5010 ip6->ip6_src = ((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr;
5011 ip6->ip6_dst = ((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr;
5012 }
5013
5014 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) {
5015 ip6->ip6_src.s6_addr16[1] = 0;
5016 }
5017 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) {
5018 ip6->ip6_dst.s6_addr16[1] = 0;
5019 }
5020
5021 uh->uh_sport = htons((u_short)esp_udp_encap_port);
5022 uh->uh_dport = htons(sav->remote_ike_port);
5023 uh->uh_ulen = htons(1 + sizeof(*uh));
5024 *(u_int8_t*)((char*)m_mtod(m) + sizeof(*ip6) + sizeof(*uh)) = 0xFF;
5025 uh->uh_sum = in6_pseudo(&ip6->ip6_src, &ip6->ip6_dst, htonl(ntohs(uh->uh_ulen) + IPPROTO_UDP));
5026 m->m_pkthdr.csum_flags = (CSUM_UDPIPV6 | CSUM_ZERO_INVERT);
5027 m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum);
5028
5029 if (ROUTE_UNUSABLE(&sav->sah->sa_route) ||
5030 rt_key(sav->sah->sa_route.ro_rt)->sa_family != AF_INET6) {
5031 ROUTE_RELEASE(&sav->sah->sa_route);
5032 }
5033
5034 route_copyout((struct route *)&ro6, (struct route *)&sav->sah->sa_route, sizeof(struct route_in6));
5035 lck_mtx_unlock(sadb_mutex);
5036
5037 necp_mark_packet_as_keepalive(m, TRUE);
5038 error = ip6_output(m, NULL, &ro6, IPV6_OUTARGS, NULL, NULL, &ip6oa);
5039
5040 lck_mtx_lock(sadb_mutex);
5041 route_copyin((struct route *)&ro6, (struct route *)&sav->sah->sa_route, sizeof(struct route_in6));
5042 } else {
5043 ipseclog((LOG_ERR, "nat keepalive: invalid address family %u\n", sav->sah->saidx.dst.ss_family));
5044 lck_mtx_unlock(sadb_mutex);
5045 m_freem(m);
5046 return FALSE;
5047 }
5048
5049 if (error == 0) {
5050 sav->natt_last_activity = natt_now;
5051 lck_mtx_unlock(sadb_mutex);
5052 return TRUE;
5053 }
5054
5055 lck_mtx_unlock(sadb_mutex);
5056 return FALSE;
5057 }
5058
5059 __private_extern__ bool
5060 ipsec_fill_offload_frame(ifnet_t ifp,
5061 struct secasvar *sav,
5062 struct ifnet_keepalive_offload_frame *frame,
5063 size_t frame_data_offset)
5064 {
5065 u_int8_t *data = NULL;
5066 struct ip *ip = NULL;
5067 struct udphdr *uh = NULL;
5068
5069 if (sav == NULL || sav->sah == NULL || frame == NULL ||
5070 (ifp != NULL && ifp->if_index != sav->sah->outgoing_if) ||
5071 sav->sah->saidx.dst.ss_family != AF_INET ||
5072 !(sav->flags & SADB_X_EXT_NATT) ||
5073 !(sav->flags & SADB_X_EXT_NATT_KEEPALIVE) ||
5074 !(sav->flags & SADB_X_EXT_NATT_KEEPALIVE_OFFLOAD) ||
5075 sav->flags & SADB_X_EXT_ESP_KEEPALIVE ||
5076 (esp_udp_encap_port & 0xFFFF) == 0 ||
5077 sav->remote_ike_port == 0 ||
5078 (natt_keepalive_interval == 0 && sav->natt_interval == 0 && sav->natt_offload_interval == 0)) {
5079 /* SA is not eligible for keepalive offload on this interface */
5080 return FALSE;
5081 }
5082
5083 if (frame_data_offset + sizeof(struct udpiphdr) + 1 >
5084 IFNET_KEEPALIVE_OFFLOAD_FRAME_DATA_SIZE) {
5085 /* Not enough room in this data frame */
5086 return FALSE;
5087 }
5088
5089 data = frame->data;
5090 ip = (__typeof__(ip))(void *)(data + frame_data_offset);
5091 uh = (__typeof__(uh))(void *)(data + frame_data_offset + sizeof(*ip));
5092
5093 frame->length = frame_data_offset + sizeof(struct udpiphdr) + 1;
5094 frame->type = IFNET_KEEPALIVE_OFFLOAD_FRAME_IPSEC;
5095 frame->ether_type = IFNET_KEEPALIVE_OFFLOAD_FRAME_ETHERTYPE_IPV4;
5096
5097 bzero(data, IFNET_KEEPALIVE_OFFLOAD_FRAME_DATA_SIZE);
5098
5099 ip->ip_v = IPVERSION;
5100 ip->ip_hl = sizeof(struct ip) >> 2;
5101 ip->ip_off &= htons(~IP_OFFMASK);
5102 ip->ip_off &= htons(~IP_MF);
5103 switch (ip4_ipsec_dfbit) {
5104 case 0: /* clear DF bit */
5105 ip->ip_off &= htons(~IP_DF);
5106 break;
5107 case 1: /* set DF bit */
5108 ip->ip_off |= htons(IP_DF);
5109 break;
5110 default: /* copy DF bit */
5111 break;
5112 }
5113 ip->ip_len = htons(sizeof(struct udpiphdr) + 1);
5114 if (rfc6864 && IP_OFF_IS_ATOMIC(htons(ip->ip_off))) {
5115 ip->ip_id = 0;
5116 } else {
5117 ip->ip_id = ip_randomid();
5118 }
5119 ip->ip_ttl = ip_defttl;
5120 ip->ip_p = IPPROTO_UDP;
5121 ip->ip_sum = 0;
5122 if (sav->sah->dir != IPSEC_DIR_INBOUND) {
5123 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
5124 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
5125 } else {
5126 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
5127 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
5128 }
5129 ip->ip_sum = in_cksum_hdr_opt(ip);
5130 uh->uh_sport = htons((u_short)esp_udp_encap_port);
5131 uh->uh_dport = htons(sav->remote_ike_port);
5132 uh->uh_ulen = htons(1 + sizeof(*uh));
5133 uh->uh_sum = 0;
5134 *(u_int8_t*)(data + frame_data_offset + sizeof(*ip) + sizeof(*uh)) = 0xFF;
5135
5136 if (sav->natt_offload_interval != 0) {
5137 frame->interval = sav->natt_offload_interval;
5138 } else if (sav->natt_interval != 0) {
5139 frame->interval = sav->natt_interval;
5140 } else {
5141 frame->interval = natt_keepalive_interval;
5142 }
5143 return TRUE;
5144 }
mirror of XNU