]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/ipsec.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-2422.1.72.tar.gz
[apple/xnu.git] / bsd / netinet6 / ipsec.c
1 /*
2 * Copyright (c) 2008-2013 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $ */
30 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
31
32 /*
33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34 * All rights reserved.
35 *
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
38 * are met:
39 * 1. Redistributions of source code must retain the above copyright
40 * notice, this list of conditions and the following disclaimer.
41 * 2. Redistributions in binary form must reproduce the above copyright
42 * notice, this list of conditions and the following disclaimer in the
43 * documentation and/or other materials provided with the distribution.
44 * 3. Neither the name of the project nor the names of its contributors
45 * may be used to endorse or promote products derived from this software
46 * without specific prior written permission.
47 *
48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58 * SUCH DAMAGE.
59 */
60
61 /*
62 * IPsec controller part.
63 */
64
65 #include <sys/param.h>
66 #include <sys/systm.h>
67 #include <sys/malloc.h>
68 #include <sys/mbuf.h>
69 #include <sys/mcache.h>
70 #include <sys/domain.h>
71 #include <sys/protosw.h>
72 #include <sys/socket.h>
73 #include <sys/socketvar.h>
74 #include <sys/errno.h>
75 #include <sys/time.h>
76 #include <sys/kernel.h>
77 #include <sys/syslog.h>
78 #include <sys/sysctl.h>
79 #include <kern/locks.h>
80 #include <sys/kauth.h>
81 #include <libkern/OSAtomic.h>
82
83 #include <net/if.h>
84 #include <net/route.h>
85
86 #include <netinet/in.h>
87 #include <netinet/in_systm.h>
88 #include <netinet/ip.h>
89 #include <netinet/ip_var.h>
90 #include <netinet/in_var.h>
91 #include <netinet/udp.h>
92 #include <netinet/udp_var.h>
93 #include <netinet/ip_ecn.h>
94 #if INET6
95 #include <netinet6/ip6_ecn.h>
96 #endif
97 #include <netinet/tcp.h>
98 #include <netinet/udp.h>
99
100 #include <netinet/ip6.h>
101 #if INET6
102 #include <netinet6/ip6_var.h>
103 #endif
104 #include <netinet/in_pcb.h>
105 #if INET6
106 #include <netinet/icmp6.h>
107 #endif
108
109 #include <netinet6/ipsec.h>
110 #if INET6
111 #include <netinet6/ipsec6.h>
112 #endif
113 #include <netinet6/ah.h>
114 #if INET6
115 #include <netinet6/ah6.h>
116 #endif
117 #if IPSEC_ESP
118 #include <netinet6/esp.h>
119 #if INET6
120 #include <netinet6/esp6.h>
121 #endif
122 #endif
123 #include <netinet6/ipcomp.h>
124 #if INET6
125 #include <netinet6/ipcomp6.h>
126 #endif
127 #include <netkey/key.h>
128 #include <netkey/keydb.h>
129 #include <netkey/key_debug.h>
130
131 #include <net/net_osdep.h>
132
133 #if IPSEC_DEBUG
134 int ipsec_debug = 1;
135 #else
136 int ipsec_debug = 0;
137 #endif
138
139 #include <sys/kdebug.h>
140 #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1)
141 #define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3)
142 #define DBG_FNC_GETPOL_SOCK NETDBG_CODE(DBG_NETIPSEC, (1 << 8))
143 #define DBG_FNC_GETPOL_ADDR NETDBG_CODE(DBG_NETIPSEC, (2 << 8))
144 #define DBG_FNC_IPSEC_OUT NETDBG_CODE(DBG_NETIPSEC, (3 << 8))
145
146 extern lck_mtx_t *sadb_mutex;
147
148 struct ipsecstat ipsecstat;
149 int ip4_ah_cleartos = 1;
150 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
151 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
152 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
153 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
154 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
155 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
156 struct secpolicy ip4_def_policy;
157 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
158 int ip4_esp_randpad = -1;
159 int esp_udp_encap_port = 0;
160 static int sysctl_def_policy SYSCTL_HANDLER_ARGS;
161 extern int natt_keepalive_interval;
162 extern u_int32_t natt_now;
163
164 struct ipsec_tag;
165
166 SYSCTL_DECL(_net_inet_ipsec);
167 #if INET6
168 SYSCTL_DECL(_net_inet6_ipsec6);
169 #endif
170 /* net.inet.ipsec */
171 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
172 stats, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsecstat, ipsecstat, "");
173 SYSCTL_PROC(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy, CTLTYPE_INT|CTLFLAG_RW | CTLFLAG_LOCKED,
174 &ip4_def_policy.policy, 0, &sysctl_def_policy, "I", "");
175 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
176 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_trans_deflev, 0, "");
177 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
178 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_net_deflev, 0, "");
179 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
180 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_trans_deflev, 0, "");
181 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
182 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_net_deflev, 0, "");
183 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
184 ah_cleartos, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_cleartos, 0, "");
185 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
186 ah_offsetmask, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_offsetmask, 0, "");
187 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
188 dfbit, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ipsec_dfbit, 0, "");
189 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
190 ecn, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ipsec_ecn, 0, "");
191 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
192 debug, CTLFLAG_RW | CTLFLAG_LOCKED, &ipsec_debug, 0, "");
193 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
194 esp_randpad, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_randpad, 0, "");
195
196 /* for performance, we bypass ipsec until a security policy is set */
197 int ipsec_bypass = 1;
198 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, bypass, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsec_bypass,0, "");
199
200 /*
201 * NAT Traversal requires a UDP port for encapsulation,
202 * esp_udp_encap_port controls which port is used. Racoon
203 * must set this port to the port racoon is using locally
204 * for nat traversal.
205 */
206 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, esp_port,
207 CTLFLAG_RW | CTLFLAG_LOCKED, &esp_udp_encap_port, 0, "");
208
209 #if INET6
210 struct ipsecstat ipsec6stat;
211 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
212 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
213 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
214 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
215 struct secpolicy ip6_def_policy;
216 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
217 int ip6_esp_randpad = -1;
218
219 /* net.inet6.ipsec6 */
220 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
221 stats, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsec6stat, ipsecstat, "");
222 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
223 def_policy, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_def_policy.policy, 0, "");
224 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
225 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_trans_deflev, 0, "");
226 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
227 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_net_deflev, 0, "");
228 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
229 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ah_trans_deflev, 0, "");
230 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
231 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ah_net_deflev, 0, "");
232 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
233 ecn, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ipsec_ecn, 0, "");
234 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
235 debug, CTLFLAG_RW | CTLFLAG_LOCKED, &ipsec_debug, 0, "");
236 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
237 esp_randpad, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_randpad, 0, "");
238 #endif /* INET6 */
239
240 static int ipsec_setspidx_interface(struct secpolicyindex *, u_int, struct mbuf *,
241 int, int, int);
242 static int ipsec_setspidx_mbuf(struct secpolicyindex *, u_int, u_int,
243 struct mbuf *, int);
244 static int ipsec4_setspidx_inpcb(struct mbuf *, struct inpcb *pcb);
245 #if INET6
246 static int ipsec6_setspidx_in6pcb(struct mbuf *, struct in6pcb *pcb);
247 #endif
248 static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int, int);
249 static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
250 static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
251 #if INET6
252 static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
253 static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
254 #endif
255 static struct inpcbpolicy *ipsec_newpcbpolicy(void);
256 static void ipsec_delpcbpolicy(struct inpcbpolicy *);
257 static struct secpolicy *ipsec_deepcopy_policy(struct secpolicy *src);
258 static int ipsec_set_policy(struct secpolicy **pcb_sp,
259 int optname, caddr_t request, size_t len, int priv);
260 static int ipsec_get_policy(struct secpolicy *pcb_sp, struct mbuf **mp);
261 static void vshiftl(unsigned char *, int, int);
262 static int ipsec_in_reject(struct secpolicy *, struct mbuf *);
263 #if INET6
264 static int ipsec64_encapsulate(struct mbuf *, struct secasvar *);
265 #endif
266 static struct ipsec_tag *ipsec_addaux(struct mbuf *);
267 static struct ipsec_tag *ipsec_findaux(struct mbuf *);
268 static void ipsec_optaux(struct mbuf *, struct ipsec_tag *);
269 int ipsec_send_natt_keepalive(struct secasvar *sav);
270
271 static int
272 sysctl_def_policy SYSCTL_HANDLER_ARGS
273 {
274 int old_policy = ip4_def_policy.policy;
275 int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
276
277 #pragma unused(arg1, arg2)
278
279 if (ip4_def_policy.policy != IPSEC_POLICY_NONE &&
280 ip4_def_policy.policy != IPSEC_POLICY_DISCARD) {
281 ip4_def_policy.policy = old_policy;
282 return EINVAL;
283 }
284
285 /* Turn off the bypass if the default security policy changes */
286 if (ipsec_bypass != 0 && ip4_def_policy.policy != IPSEC_POLICY_NONE)
287 ipsec_bypass = 0;
288
289 return error;
290 }
291
292 /*
293 * For OUTBOUND packet having a socket. Searching SPD for packet,
294 * and return a pointer to SP.
295 * OUT: NULL: no apropreate SP found, the following value is set to error.
296 * 0 : bypass
297 * EACCES : discard packet.
298 * ENOENT : ipsec_acquire() in progress, maybe.
299 * others : error occurred.
300 * others: a pointer to SP
301 *
302 * NOTE: IPv6 mapped adddress concern is implemented here.
303 */
304 struct secpolicy *
305 ipsec4_getpolicybysock(m, dir, so, error)
306 struct mbuf *m;
307 u_int dir;
308 struct socket *so;
309 int *error;
310 {
311 struct inpcbpolicy *pcbsp = NULL;
312 struct secpolicy *currsp = NULL; /* policy on socket */
313 struct secpolicy *kernsp = NULL; /* policy on kernel */
314
315 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
316 /* sanity check */
317 if (m == NULL || so == NULL || error == NULL)
318 panic("ipsec4_getpolicybysock: NULL pointer was passed.\n");
319
320 if (so->so_pcb == NULL) {
321 printf("ipsec4_getpolicybysock: so->so_pcb == NULL\n");
322 return ipsec4_getpolicybyaddr(m, dir, 0, error);
323 }
324
325 switch (SOCK_DOM(so)) {
326 case PF_INET:
327 pcbsp = sotoinpcb(so)->inp_sp;
328 break;
329 #if INET6
330 case PF_INET6:
331 pcbsp = sotoin6pcb(so)->in6p_sp;
332 break;
333 #endif
334 }
335
336 if (!pcbsp){
337 /* Socket has not specified an IPSEC policy */
338 return ipsec4_getpolicybyaddr(m, dir, 0, error);
339 }
340
341 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_START, 0,0,0,0,0);
342
343 switch (SOCK_DOM(so)) {
344 case PF_INET:
345 /* set spidx in pcb */
346 *error = ipsec4_setspidx_inpcb(m, sotoinpcb(so));
347 break;
348 #if INET6
349 case PF_INET6:
350 /* set spidx in pcb */
351 *error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
352 break;
353 #endif
354 default:
355 panic("ipsec4_getpolicybysock: unsupported address family\n");
356 }
357 if (*error) {
358 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 1,*error,0,0,0);
359 return NULL;
360 }
361
362 /* sanity check */
363 if (pcbsp == NULL)
364 panic("ipsec4_getpolicybysock: pcbsp is NULL.\n");
365
366 switch (dir) {
367 case IPSEC_DIR_INBOUND:
368 currsp = pcbsp->sp_in;
369 break;
370 case IPSEC_DIR_OUTBOUND:
371 currsp = pcbsp->sp_out;
372 break;
373 default:
374 panic("ipsec4_getpolicybysock: illegal direction.\n");
375 }
376
377 /* sanity check */
378 if (currsp == NULL)
379 panic("ipsec4_getpolicybysock: currsp is NULL.\n");
380
381 /* when privilieged socket */
382 if (pcbsp->priv) {
383 switch (currsp->policy) {
384 case IPSEC_POLICY_BYPASS:
385 lck_mtx_lock(sadb_mutex);
386 currsp->refcnt++;
387 lck_mtx_unlock(sadb_mutex);
388 *error = 0;
389 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 2,*error,0,0,0);
390 return currsp;
391
392 case IPSEC_POLICY_ENTRUST:
393 /* look for a policy in SPD */
394 kernsp = key_allocsp(&currsp->spidx, dir);
395
396 /* SP found */
397 if (kernsp != NULL) {
398 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
399 printf("DP ipsec4_getpolicybysock called "
400 "to allocate SP:0x%llx\n",
401 (uint64_t)VM_KERNEL_ADDRPERM(kernsp)));
402 *error = 0;
403 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 3,*error,0,0,0);
404 return kernsp;
405 }
406
407 /* no SP found */
408 lck_mtx_lock(sadb_mutex);
409 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
410 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
411 ipseclog((LOG_INFO,
412 "fixed system default policy: %d->%d\n",
413 ip4_def_policy.policy, IPSEC_POLICY_NONE));
414 ip4_def_policy.policy = IPSEC_POLICY_NONE;
415 }
416 ip4_def_policy.refcnt++;
417 lck_mtx_unlock(sadb_mutex);
418 *error = 0;
419 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 4,*error,0,0,0);
420 return &ip4_def_policy;
421
422 case IPSEC_POLICY_IPSEC:
423 lck_mtx_lock(sadb_mutex);
424 currsp->refcnt++;
425 lck_mtx_unlock(sadb_mutex);
426 *error = 0;
427 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 5,*error,0,0,0);
428 return currsp;
429
430 default:
431 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
432 "Invalid policy for PCB %d\n", currsp->policy));
433 *error = EINVAL;
434 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 6,*error,0,0,0);
435 return NULL;
436 }
437 /* NOTREACHED */
438 }
439
440 /* when non-privilieged socket */
441 /* look for a policy in SPD */
442 kernsp = key_allocsp(&currsp->spidx, dir);
443
444 /* SP found */
445 if (kernsp != NULL) {
446 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
447 printf("DP ipsec4_getpolicybysock called "
448 "to allocate SP:0x%llx\n",
449 (uint64_t)VM_KERNEL_ADDRPERM(kernsp)));
450 *error = 0;
451 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 7,*error,0,0,0);
452 return kernsp;
453 }
454
455 /* no SP found */
456 switch (currsp->policy) {
457 case IPSEC_POLICY_BYPASS:
458 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
459 "Illegal policy for non-priviliged defined %d\n",
460 currsp->policy));
461 *error = EINVAL;
462 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 8,*error,0,0,0);
463 return NULL;
464
465 case IPSEC_POLICY_ENTRUST:
466 lck_mtx_lock(sadb_mutex);
467 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
468 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
469 ipseclog((LOG_INFO,
470 "fixed system default policy: %d->%d\n",
471 ip4_def_policy.policy, IPSEC_POLICY_NONE));
472 ip4_def_policy.policy = IPSEC_POLICY_NONE;
473 }
474 ip4_def_policy.refcnt++;
475 lck_mtx_unlock(sadb_mutex);
476 *error = 0;
477 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 9,*error,0,0,0);
478 return &ip4_def_policy;
479
480 case IPSEC_POLICY_IPSEC:
481 lck_mtx_lock(sadb_mutex);
482 currsp->refcnt++;
483 lck_mtx_unlock(sadb_mutex);
484 *error = 0;
485 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 10,*error,0,0,0);
486 return currsp;
487
488 default:
489 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
490 "Invalid policy for PCB %d\n", currsp->policy));
491 *error = EINVAL;
492 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 11,*error,0,0,0);
493 return NULL;
494 }
495 /* NOTREACHED */
496 }
497
498 /*
499 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
500 * and return a pointer to SP.
501 * OUT: positive: a pointer to the entry for security policy leaf matched.
502 * NULL: no apropreate SP found, the following value is set to error.
503 * 0 : bypass
504 * EACCES : discard packet.
505 * ENOENT : ipsec_acquire() in progress, maybe.
506 * others : error occurred.
507 */
508 struct secpolicy *
509 ipsec4_getpolicybyaddr(struct mbuf *m,
510 u_int dir,
511 int flag,
512 int *error)
513 {
514 struct secpolicy *sp = NULL;
515
516 if (ipsec_bypass != 0)
517 return 0;
518
519 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
520
521 /* sanity check */
522 if (m == NULL || error == NULL)
523 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n");
524 {
525 struct secpolicyindex spidx;
526
527 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0);
528 bzero(&spidx, sizeof(spidx));
529
530 /* make a index to look for a policy */
531 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
532 (flag & IP_FORWARDING) ? 0 : 1);
533
534 if (*error != 0) {
535 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,*error,0,0,0);
536 return NULL;
537 }
538
539 sp = key_allocsp(&spidx, dir);
540 }
541
542 /* SP found */
543 if (sp != NULL) {
544 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
545 printf("DP ipsec4_getpolicybyaddr called "
546 "to allocate SP:0x%llx\n",
547 (uint64_t)VM_KERNEL_ADDRPERM(sp)));
548 *error = 0;
549 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,*error,0,0,0);
550 return sp;
551 }
552
553 /* no SP found */
554 lck_mtx_lock(sadb_mutex);
555 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
556 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
557 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
558 ip4_def_policy.policy,
559 IPSEC_POLICY_NONE));
560 ip4_def_policy.policy = IPSEC_POLICY_NONE;
561 }
562 ip4_def_policy.refcnt++;
563 lck_mtx_unlock(sadb_mutex);
564 *error = 0;
565 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 3,*error,0,0,0);
566 return &ip4_def_policy;
567 }
568
569 /* Match with bound interface rather than src addr.
570 * Unlike getpolicybyaddr, do not set the default policy.
571 * Return 0 if should continue processing, or -1 if packet
572 * should be dropped.
573 */
574 int
575 ipsec4_getpolicybyinterface(struct mbuf *m,
576 u_int dir,
577 int *flags,
578 struct ip_out_args *ipoa,
579 struct secpolicy **sp)
580 {
581 struct secpolicyindex spidx;
582 int error = 0;
583
584 if (ipsec_bypass != 0)
585 return 0;
586
587 /* Sanity check */
588 if (m == NULL || ipoa == NULL || sp == NULL)
589 panic("ipsec4_getpolicybyinterface: NULL pointer was passed.\n");
590
591 if (ipoa->ipoa_boundif == IFSCOPE_NONE)
592 return 0;
593
594 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0);
595 bzero(&spidx, sizeof(spidx));
596
597 /* make a index to look for a policy */
598 error = ipsec_setspidx_interface(&spidx, dir, m, (*flags & IP_FORWARDING) ? 0 : 1,
599 ipoa->ipoa_boundif, 4);
600
601 if (error != 0) {
602 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,error,0,0,0);
603 return 0;
604 }
605
606 *sp = key_allocsp(&spidx, dir);
607
608 /* Return SP, whether NULL or not */
609 if (*sp != NULL && (*sp)->policy == IPSEC_POLICY_IPSEC) {
610 if ((*sp)->ipsec_if == NULL) {
611 /* Invalid to capture on an interface without redirect */
612 key_freesp(*sp, KEY_SADB_UNLOCKED);
613 *sp = NULL;
614 return -1;
615 } else if ((*sp)->disabled) {
616 /* Disabled policies go in the clear */
617 key_freesp(*sp, KEY_SADB_UNLOCKED);
618 *sp = NULL;
619 *flags |= IP_NOIPSEC; /* Avoid later IPSec check */
620 } else {
621 /* If policy is enabled, redirect to ipsec interface */
622 ipoa->ipoa_boundif = (*sp)->ipsec_if->if_index;
623 }
624 }
625
626 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,error,0,0,0);
627
628 return 0;
629 }
630
631
632 #if INET6
633 /*
634 * For OUTBOUND packet having a socket. Searching SPD for packet,
635 * and return a pointer to SP.
636 * OUT: NULL: no apropreate SP found, the following value is set to error.
637 * 0 : bypass
638 * EACCES : discard packet.
639 * ENOENT : ipsec_acquire() in progress, maybe.
640 * others : error occurred.
641 * others: a pointer to SP
642 */
643 struct secpolicy *
644 ipsec6_getpolicybysock(m, dir, so, error)
645 struct mbuf *m;
646 u_int dir;
647 struct socket *so;
648 int *error;
649 {
650 struct inpcbpolicy *pcbsp = NULL;
651 struct secpolicy *currsp = NULL; /* policy on socket */
652 struct secpolicy *kernsp = NULL; /* policy on kernel */
653
654 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
655
656 /* sanity check */
657 if (m == NULL || so == NULL || error == NULL)
658 panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
659
660 #if DIAGNOSTIC
661 if (SOCK_DOM(so) != PF_INET6)
662 panic("ipsec6_getpolicybysock: socket domain != inet6\n");
663 #endif
664
665 pcbsp = sotoin6pcb(so)->in6p_sp;
666
667 if (!pcbsp){
668 return ipsec6_getpolicybyaddr(m, dir, 0, error);
669 }
670
671 /* set spidx in pcb */
672 ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
673
674 /* sanity check */
675 if (pcbsp == NULL)
676 panic("ipsec6_getpolicybysock: pcbsp is NULL.\n");
677
678 switch (dir) {
679 case IPSEC_DIR_INBOUND:
680 currsp = pcbsp->sp_in;
681 break;
682 case IPSEC_DIR_OUTBOUND:
683 currsp = pcbsp->sp_out;
684 break;
685 default:
686 panic("ipsec6_getpolicybysock: illegal direction.\n");
687 }
688
689 /* sanity check */
690 if (currsp == NULL)
691 panic("ipsec6_getpolicybysock: currsp is NULL.\n");
692
693 /* when privilieged socket */
694 if (pcbsp->priv) {
695 switch (currsp->policy) {
696 case IPSEC_POLICY_BYPASS:
697 lck_mtx_lock(sadb_mutex);
698 currsp->refcnt++;
699 lck_mtx_unlock(sadb_mutex);
700 *error = 0;
701 return currsp;
702
703 case IPSEC_POLICY_ENTRUST:
704 /* look for a policy in SPD */
705 kernsp = key_allocsp(&currsp->spidx, dir);
706
707 /* SP found */
708 if (kernsp != NULL) {
709 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
710 printf("DP ipsec6_getpolicybysock called "
711 "to allocate SP:0x%llx\n",
712 (uint64_t)VM_KERNEL_ADDRPERM(kernsp)));
713 *error = 0;
714 return kernsp;
715 }
716
717 /* no SP found */
718 lck_mtx_lock(sadb_mutex);
719 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
720 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
721 ipseclog((LOG_INFO,
722 "fixed system default policy: %d->%d\n",
723 ip6_def_policy.policy, IPSEC_POLICY_NONE));
724 ip6_def_policy.policy = IPSEC_POLICY_NONE;
725 }
726 ip6_def_policy.refcnt++;
727 lck_mtx_unlock(sadb_mutex);
728 *error = 0;
729 return &ip6_def_policy;
730
731 case IPSEC_POLICY_IPSEC:
732 lck_mtx_lock(sadb_mutex);
733 currsp->refcnt++;
734 lck_mtx_unlock(sadb_mutex);
735 *error = 0;
736 return currsp;
737
738 default:
739 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
740 "Invalid policy for PCB %d\n", currsp->policy));
741 *error = EINVAL;
742 return NULL;
743 }
744 /* NOTREACHED */
745 }
746
747 /* when non-privilieged socket */
748 /* look for a policy in SPD */
749 kernsp = key_allocsp(&currsp->spidx, dir);
750
751 /* SP found */
752 if (kernsp != NULL) {
753 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
754 printf("DP ipsec6_getpolicybysock called "
755 "to allocate SP:0x%llx\n",
756 (uint64_t)VM_KERNEL_ADDRPERM(kernsp)));
757 *error = 0;
758 return kernsp;
759 }
760
761 /* no SP found */
762 switch (currsp->policy) {
763 case IPSEC_POLICY_BYPASS:
764 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
765 "Illegal policy for non-priviliged defined %d\n",
766 currsp->policy));
767 *error = EINVAL;
768 return NULL;
769
770 case IPSEC_POLICY_ENTRUST:
771 lck_mtx_lock(sadb_mutex);
772 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
773 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
774 ipseclog((LOG_INFO,
775 "fixed system default policy: %d->%d\n",
776 ip6_def_policy.policy, IPSEC_POLICY_NONE));
777 ip6_def_policy.policy = IPSEC_POLICY_NONE;
778 }
779 ip6_def_policy.refcnt++;
780 lck_mtx_unlock(sadb_mutex);
781 *error = 0;
782 return &ip6_def_policy;
783
784 case IPSEC_POLICY_IPSEC:
785 lck_mtx_lock(sadb_mutex);
786 currsp->refcnt++;
787 lck_mtx_unlock(sadb_mutex);
788 *error = 0;
789 return currsp;
790
791 default:
792 ipseclog((LOG_ERR,
793 "ipsec6_policybysock: Invalid policy for PCB %d\n",
794 currsp->policy));
795 *error = EINVAL;
796 return NULL;
797 }
798 /* NOTREACHED */
799 }
800
801 /*
802 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
803 * and return a pointer to SP.
804 * `flag' means that packet is to be forwarded whether or not.
805 * flag = 1: forwad
806 * OUT: positive: a pointer to the entry for security policy leaf matched.
807 * NULL: no apropreate SP found, the following value is set to error.
808 * 0 : bypass
809 * EACCES : discard packet.
810 * ENOENT : ipsec_acquire() in progress, maybe.
811 * others : error occurred.
812 */
813 #ifndef IP_FORWARDING
814 #define IP_FORWARDING 1
815 #endif
816
817 struct secpolicy *
818 ipsec6_getpolicybyaddr(struct mbuf *m,
819 u_int dir,
820 int flag,
821 int *error)
822 {
823 struct secpolicy *sp = NULL;
824
825 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
826
827 /* sanity check */
828 if (m == NULL || error == NULL)
829 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n");
830
831 {
832 struct secpolicyindex spidx;
833
834 bzero(&spidx, sizeof(spidx));
835
836 /* make a index to look for a policy */
837 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
838 (flag & IP_FORWARDING) ? 0 : 1);
839
840 if (*error != 0)
841 return NULL;
842
843 sp = key_allocsp(&spidx, dir);
844 }
845
846 /* SP found */
847 if (sp != NULL) {
848 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
849 printf("DP ipsec6_getpolicybyaddr called "
850 "to allocate SP:0x%llx\n",
851 (uint64_t)VM_KERNEL_ADDRPERM(sp)));
852 *error = 0;
853 return sp;
854 }
855
856 /* no SP found */
857 lck_mtx_lock(sadb_mutex);
858 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
859 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
860 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
861 ip6_def_policy.policy, IPSEC_POLICY_NONE));
862 ip6_def_policy.policy = IPSEC_POLICY_NONE;
863 }
864 ip6_def_policy.refcnt++;
865 lck_mtx_unlock(sadb_mutex);
866 *error = 0;
867 return &ip6_def_policy;
868 }
869
870 /* Match with bound interface rather than src addr.
871 * Unlike getpolicybyaddr, do not set the default policy.
872 * Return 0 if should continue processing, or -1 if packet
873 * should be dropped.
874 */
875 int
876 ipsec6_getpolicybyinterface(struct mbuf *m,
877 u_int dir,
878 int flag,
879 struct ip6_out_args *ip6oap,
880 int *noipsec,
881 struct secpolicy **sp)
882 {
883 struct secpolicyindex spidx;
884 int error = 0;
885
886 if (ipsec_bypass != 0)
887 return 0;
888
889 /* Sanity check */
890 if (m == NULL || sp == NULL || noipsec == NULL || ip6oap == NULL)
891 panic("ipsec6_getpolicybyinterface: NULL pointer was passed.\n");
892
893 *noipsec = 0;
894
895 if (ip6oap->ip6oa_boundif == IFSCOPE_NONE)
896 return 0;
897
898 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0);
899 bzero(&spidx, sizeof(spidx));
900
901 /* make a index to look for a policy */
902 error = ipsec_setspidx_interface(&spidx, dir, m, (flag & IP_FORWARDING) ? 0 : 1,
903 ip6oap->ip6oa_boundif, 6);
904
905 if (error != 0) {
906 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,error,0,0,0);
907 return 0;
908 }
909
910 *sp = key_allocsp(&spidx, dir);
911
912 /* Return SP, whether NULL or not */
913 if (*sp != NULL && (*sp)->policy == IPSEC_POLICY_IPSEC) {
914 if ((*sp)->ipsec_if == NULL) {
915 /* Invalid to capture on an interface without redirect */
916 key_freesp(*sp, KEY_SADB_UNLOCKED);
917 *sp = NULL;
918 return -1;
919 } else if ((*sp)->disabled) {
920 /* Disabled policies go in the clear */
921 key_freesp(*sp, KEY_SADB_UNLOCKED);
922 *sp = NULL;
923 *noipsec = 1; /* Avoid later IPSec check */
924 } else {
925 /* If policy is enabled, redirect to ipsec interface */
926 ip6oap->ip6oa_boundif = (*sp)->ipsec_if->if_index;
927 }
928 }
929
930 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,*error,0,0,0);
931
932 return 0;
933 }
934 #endif /* INET6 */
935
936 /*
937 * set IP address into spidx from mbuf.
938 * When Forwarding packet and ICMP echo reply, this function is used.
939 *
940 * IN: get the followings from mbuf.
941 * protocol family, src, dst, next protocol
942 * OUT:
943 * 0: success.
944 * other: failure, and set errno.
945 */
946 static int
947 ipsec_setspidx_mbuf(
948 struct secpolicyindex *spidx,
949 u_int dir,
950 __unused u_int family,
951 struct mbuf *m,
952 int needport)
953 {
954 int error;
955
956 /* sanity check */
957 if (spidx == NULL || m == NULL)
958 panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n");
959
960 bzero(spidx, sizeof(*spidx));
961
962 error = ipsec_setspidx(m, spidx, needport, 0);
963 if (error)
964 goto bad;
965 spidx->dir = dir;
966
967 return 0;
968
969 bad:
970 /* XXX initialize */
971 bzero(spidx, sizeof(*spidx));
972 return EINVAL;
973 }
974
975 static int
976 ipsec_setspidx_interface(
977 struct secpolicyindex *spidx,
978 u_int dir,
979 struct mbuf *m,
980 int needport,
981 int ifindex,
982 int ip_version)
983 {
984 int error;
985
986 /* sanity check */
987 if (spidx == NULL || m == NULL)
988 panic("ipsec_setspidx_interface: NULL pointer was passed.\n");
989
990 bzero(spidx, sizeof(*spidx));
991
992 error = ipsec_setspidx(m, spidx, needport, ip_version);
993 if (error)
994 goto bad;
995 spidx->dir = dir;
996
997 if (ifindex != 0) {
998 ifnet_head_lock_shared();
999 spidx->internal_if = ifindex2ifnet[ifindex];
1000 ifnet_head_done();
1001 } else {
1002 spidx->internal_if = NULL;
1003 }
1004
1005 return 0;
1006
1007 bad:
1008 return EINVAL;
1009 }
1010
1011 static int
1012 ipsec4_setspidx_inpcb(m, pcb)
1013 struct mbuf *m;
1014 struct inpcb *pcb;
1015 {
1016 struct secpolicyindex *spidx;
1017 int error;
1018
1019 if (ipsec_bypass != 0)
1020 return 0;
1021
1022 /* sanity check */
1023 if (pcb == NULL)
1024 panic("ipsec4_setspidx_inpcb: no PCB found.\n");
1025 if (pcb->inp_sp == NULL)
1026 panic("ipsec4_setspidx_inpcb: no inp_sp found.\n");
1027 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL)
1028 panic("ipsec4_setspidx_inpcb: no sp_in/out found.\n");
1029
1030 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
1031 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
1032
1033 spidx = &pcb->inp_sp->sp_in->spidx;
1034 error = ipsec_setspidx(m, spidx, 1, 0);
1035 if (error)
1036 goto bad;
1037 spidx->dir = IPSEC_DIR_INBOUND;
1038
1039 spidx = &pcb->inp_sp->sp_out->spidx;
1040 error = ipsec_setspidx(m, spidx, 1, 0);
1041 if (error)
1042 goto bad;
1043 spidx->dir = IPSEC_DIR_OUTBOUND;
1044
1045 return 0;
1046
1047 bad:
1048 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
1049 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
1050 return error;
1051 }
1052
1053 #if INET6
1054 static int
1055 ipsec6_setspidx_in6pcb(m, pcb)
1056 struct mbuf *m;
1057 struct in6pcb *pcb;
1058 {
1059 struct secpolicyindex *spidx;
1060 int error;
1061
1062 /* sanity check */
1063 if (pcb == NULL)
1064 panic("ipsec6_setspidx_in6pcb: no PCB found.\n");
1065 if (pcb->in6p_sp == NULL)
1066 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.\n");
1067 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL)
1068 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.\n");
1069
1070 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
1071 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
1072
1073 spidx = &pcb->in6p_sp->sp_in->spidx;
1074 error = ipsec_setspidx(m, spidx, 1, 0);
1075 if (error)
1076 goto bad;
1077 spidx->dir = IPSEC_DIR_INBOUND;
1078
1079 spidx = &pcb->in6p_sp->sp_out->spidx;
1080 error = ipsec_setspidx(m, spidx, 1, 0);
1081 if (error)
1082 goto bad;
1083 spidx->dir = IPSEC_DIR_OUTBOUND;
1084
1085 return 0;
1086
1087 bad:
1088 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
1089 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
1090 return error;
1091 }
1092 #endif
1093
1094 /*
1095 * configure security policy index (src/dst/proto/sport/dport)
1096 * by looking at the content of mbuf.
1097 * the caller is responsible for error recovery (like clearing up spidx).
1098 */
1099 static int
1100 ipsec_setspidx(struct mbuf *m,
1101 struct secpolicyindex *spidx,
1102 int needport,
1103 int force_ip_version)
1104 {
1105 struct ip *ip = NULL;
1106 struct ip ipbuf;
1107 u_int v;
1108 struct mbuf *n;
1109 int len;
1110 int error;
1111
1112 if (m == NULL)
1113 panic("ipsec_setspidx: m == 0 passed.\n");
1114
1115 /*
1116 * validate m->m_pkthdr.len. we see incorrect length if we
1117 * mistakenly call this function with inconsistent mbuf chain
1118 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
1119 */
1120 len = 0;
1121 for (n = m; n; n = n->m_next)
1122 len += n->m_len;
1123 if (m->m_pkthdr.len != len) {
1124 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1125 printf("ipsec_setspidx: "
1126 "total of m_len(%d) != pkthdr.len(%d), "
1127 "ignored.\n",
1128 len, m->m_pkthdr.len));
1129 return EINVAL;
1130 }
1131
1132 if (m->m_pkthdr.len < sizeof(struct ip)) {
1133 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1134 printf("ipsec_setspidx: "
1135 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
1136 m->m_pkthdr.len));
1137 return EINVAL;
1138 }
1139
1140 if (m->m_len >= sizeof(*ip))
1141 ip = mtod(m, struct ip *);
1142 else {
1143 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1144 ip = &ipbuf;
1145 }
1146
1147 if (force_ip_version) {
1148 v = force_ip_version;
1149 } else {
1150 #ifdef _IP_VHL
1151 v = _IP_VHL_V(ip->ip_vhl);
1152 #else
1153 v = ip->ip_v;
1154 #endif
1155 }
1156 switch (v) {
1157 case 4:
1158 error = ipsec4_setspidx_ipaddr(m, spidx);
1159 if (error)
1160 return error;
1161 ipsec4_get_ulp(m, spidx, needport);
1162 return 0;
1163 #if INET6
1164 case 6:
1165 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
1166 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1167 printf("ipsec_setspidx: "
1168 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
1169 "ignored.\n", m->m_pkthdr.len));
1170 return EINVAL;
1171 }
1172 error = ipsec6_setspidx_ipaddr(m, spidx);
1173 if (error)
1174 return error;
1175 ipsec6_get_ulp(m, spidx, needport);
1176 return 0;
1177 #endif
1178 default:
1179 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1180 printf("ipsec_setspidx: "
1181 "unknown IP version %u, ignored.\n", v));
1182 return EINVAL;
1183 }
1184 }
1185
1186 static void
1187 ipsec4_get_ulp(m, spidx, needport)
1188 struct mbuf *m;
1189 struct secpolicyindex *spidx;
1190 int needport;
1191 {
1192 struct ip ip;
1193 struct ip6_ext ip6e;
1194 u_int8_t nxt;
1195 int off;
1196 struct tcphdr th;
1197 struct udphdr uh;
1198
1199 /* sanity check */
1200 if (m == NULL)
1201 panic("ipsec4_get_ulp: NULL pointer was passed.\n");
1202 if (m->m_pkthdr.len < sizeof(ip))
1203 panic("ipsec4_get_ulp: too short\n");
1204
1205 /* set default */
1206 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1207 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
1208 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
1209
1210 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
1211 /* ip_input() flips it into host endian XXX need more checking */
1212 if (ip.ip_off & (IP_MF | IP_OFFMASK))
1213 return;
1214
1215 nxt = ip.ip_p;
1216 #ifdef _IP_VHL
1217 off = _IP_VHL_HL(ip->ip_vhl) << 2;
1218 #else
1219 off = ip.ip_hl << 2;
1220 #endif
1221 while (off < m->m_pkthdr.len) {
1222 switch (nxt) {
1223 case IPPROTO_TCP:
1224 spidx->ul_proto = nxt;
1225 if (!needport)
1226 return;
1227 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1228 return;
1229 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1230 ((struct sockaddr_in *)&spidx->src)->sin_port =
1231 th.th_sport;
1232 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1233 th.th_dport;
1234 return;
1235 case IPPROTO_UDP:
1236 spidx->ul_proto = nxt;
1237 if (!needport)
1238 return;
1239 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1240 return;
1241 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1242 ((struct sockaddr_in *)&spidx->src)->sin_port =
1243 uh.uh_sport;
1244 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1245 uh.uh_dport;
1246 return;
1247 case IPPROTO_AH:
1248 if (off + sizeof(ip6e) > m->m_pkthdr.len)
1249 return;
1250 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1251 off += (ip6e.ip6e_len + 2) << 2;
1252 nxt = ip6e.ip6e_nxt;
1253 break;
1254 case IPPROTO_ICMP:
1255 default:
1256 /* XXX intermediate headers??? */
1257 spidx->ul_proto = nxt;
1258 return;
1259 }
1260 }
1261 }
1262
1263 /* assumes that m is sane */
1264 static int
1265 ipsec4_setspidx_ipaddr(m, spidx)
1266 struct mbuf *m;
1267 struct secpolicyindex *spidx;
1268 {
1269 struct ip *ip = NULL;
1270 struct ip ipbuf;
1271 struct sockaddr_in *sin;
1272
1273 if (m->m_len >= sizeof(*ip))
1274 ip = mtod(m, struct ip *);
1275 else {
1276 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1277 ip = &ipbuf;
1278 }
1279
1280 sin = (struct sockaddr_in *)&spidx->src;
1281 bzero(sin, sizeof(*sin));
1282 sin->sin_family = AF_INET;
1283 sin->sin_len = sizeof(struct sockaddr_in);
1284 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1285 spidx->prefs = sizeof(struct in_addr) << 3;
1286
1287 sin = (struct sockaddr_in *)&spidx->dst;
1288 bzero(sin, sizeof(*sin));
1289 sin->sin_family = AF_INET;
1290 sin->sin_len = sizeof(struct sockaddr_in);
1291 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1292 spidx->prefd = sizeof(struct in_addr) << 3;
1293
1294 return 0;
1295 }
1296
1297 #if INET6
1298 static void
1299 ipsec6_get_ulp(m, spidx, needport)
1300 struct mbuf *m;
1301 struct secpolicyindex *spidx;
1302 int needport;
1303 {
1304 int off, nxt;
1305 struct tcphdr th;
1306 struct udphdr uh;
1307
1308 /* sanity check */
1309 if (m == NULL)
1310 panic("ipsec6_get_ulp: NULL pointer was passed.\n");
1311
1312 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1313 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1314
1315 /* set default */
1316 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1317 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1318 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1319
1320 nxt = -1;
1321 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1322 if (off < 0 || m->m_pkthdr.len < off)
1323 return;
1324
1325 switch (nxt) {
1326 case IPPROTO_TCP:
1327 spidx->ul_proto = nxt;
1328 if (!needport)
1329 break;
1330 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1331 break;
1332 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1333 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1334 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1335 break;
1336 case IPPROTO_UDP:
1337 spidx->ul_proto = nxt;
1338 if (!needport)
1339 break;
1340 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1341 break;
1342 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1343 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1344 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1345 break;
1346 case IPPROTO_ICMPV6:
1347 default:
1348 /* XXX intermediate headers??? */
1349 spidx->ul_proto = nxt;
1350 break;
1351 }
1352 }
1353
1354 /* assumes that m is sane */
1355 static int
1356 ipsec6_setspidx_ipaddr(m, spidx)
1357 struct mbuf *m;
1358 struct secpolicyindex *spidx;
1359 {
1360 struct ip6_hdr *ip6 = NULL;
1361 struct ip6_hdr ip6buf;
1362 struct sockaddr_in6 *sin6;
1363
1364 if (m->m_len >= sizeof(*ip6))
1365 ip6 = mtod(m, struct ip6_hdr *);
1366 else {
1367 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1368 ip6 = &ip6buf;
1369 }
1370
1371 sin6 = (struct sockaddr_in6 *)&spidx->src;
1372 bzero(sin6, sizeof(*sin6));
1373 sin6->sin6_family = AF_INET6;
1374 sin6->sin6_len = sizeof(struct sockaddr_in6);
1375 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
1376 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1377 sin6->sin6_addr.s6_addr16[1] = 0;
1378 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1379 }
1380 spidx->prefs = sizeof(struct in6_addr) << 3;
1381
1382 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1383 bzero(sin6, sizeof(*sin6));
1384 sin6->sin6_family = AF_INET6;
1385 sin6->sin6_len = sizeof(struct sockaddr_in6);
1386 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
1387 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1388 sin6->sin6_addr.s6_addr16[1] = 0;
1389 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1390 }
1391 spidx->prefd = sizeof(struct in6_addr) << 3;
1392
1393 return 0;
1394 }
1395 #endif
1396
1397 static struct inpcbpolicy *
1398 ipsec_newpcbpolicy()
1399 {
1400 struct inpcbpolicy *p;
1401
1402 p = (struct inpcbpolicy *)_MALLOC(sizeof(*p), M_SECA, M_WAITOK);
1403 return p;
1404 }
1405
1406 static void
1407 ipsec_delpcbpolicy(p)
1408 struct inpcbpolicy *p;
1409 {
1410 FREE(p, M_SECA);
1411 }
1412
1413 /* initialize policy in PCB */
1414 int
1415 ipsec_init_policy(so, pcb_sp)
1416 struct socket *so;
1417 struct inpcbpolicy **pcb_sp;
1418 {
1419 struct inpcbpolicy *new;
1420
1421 /* sanity check. */
1422 if (so == NULL || pcb_sp == NULL)
1423 panic("ipsec_init_policy: NULL pointer was passed.\n");
1424
1425 new = ipsec_newpcbpolicy();
1426 if (new == NULL) {
1427 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1428 return ENOBUFS;
1429 }
1430 bzero(new, sizeof(*new));
1431
1432 #ifdef __APPLE__
1433 if (kauth_cred_issuser(so->so_cred))
1434 #else
1435 if (so->so_cred != 0 && !suser(so->so_cred->pc_ucred, NULL))
1436 #endif
1437 new->priv = 1;
1438 else
1439 new->priv = 0;
1440
1441 if ((new->sp_in = key_newsp()) == NULL) {
1442 ipsec_delpcbpolicy(new);
1443 return ENOBUFS;
1444 }
1445 new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1446 new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1447
1448 if ((new->sp_out = key_newsp()) == NULL) {
1449 key_freesp(new->sp_in, KEY_SADB_UNLOCKED);
1450 ipsec_delpcbpolicy(new);
1451 return ENOBUFS;
1452 }
1453 new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1454 new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1455
1456 *pcb_sp = new;
1457
1458 return 0;
1459 }
1460
1461 /* copy old ipsec policy into new */
1462 int
1463 ipsec_copy_policy(old, new)
1464 struct inpcbpolicy *old, *new;
1465 {
1466 struct secpolicy *sp;
1467
1468 if (ipsec_bypass != 0)
1469 return 0;
1470
1471 sp = ipsec_deepcopy_policy(old->sp_in);
1472 if (sp) {
1473 key_freesp(new->sp_in, KEY_SADB_UNLOCKED);
1474 new->sp_in = sp;
1475 } else
1476 return ENOBUFS;
1477
1478 sp = ipsec_deepcopy_policy(old->sp_out);
1479 if (sp) {
1480 key_freesp(new->sp_out, KEY_SADB_UNLOCKED);
1481 new->sp_out = sp;
1482 } else
1483 return ENOBUFS;
1484
1485 new->priv = old->priv;
1486
1487 return 0;
1488 }
1489
1490 /* deep-copy a policy in PCB */
1491 static struct secpolicy *
1492 ipsec_deepcopy_policy(src)
1493 struct secpolicy *src;
1494 {
1495 struct ipsecrequest *newchain = NULL;
1496 struct ipsecrequest *p;
1497 struct ipsecrequest **q;
1498 struct ipsecrequest *r;
1499 struct secpolicy *dst;
1500
1501 if (src == NULL)
1502 return NULL;
1503 dst = key_newsp();
1504 if (dst == NULL)
1505 return NULL;
1506
1507 /*
1508 * deep-copy IPsec request chain. This is required since struct
1509 * ipsecrequest is not reference counted.
1510 */
1511 q = &newchain;
1512 for (p = src->req; p; p = p->next) {
1513 *q = (struct ipsecrequest *)_MALLOC(sizeof(struct ipsecrequest),
1514 M_SECA, M_WAITOK);
1515 if (*q == NULL)
1516 goto fail;
1517 bzero(*q, sizeof(**q));
1518 (*q)->next = NULL;
1519
1520 (*q)->saidx.proto = p->saidx.proto;
1521 (*q)->saidx.mode = p->saidx.mode;
1522 (*q)->level = p->level;
1523 (*q)->saidx.reqid = p->saidx.reqid;
1524
1525 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1526 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1527
1528 (*q)->sp = dst;
1529
1530 q = &((*q)->next);
1531 }
1532
1533 dst->req = newchain;
1534 dst->state = src->state;
1535 dst->policy = src->policy;
1536 /* do not touch the refcnt fields */
1537
1538 return dst;
1539
1540 fail:
1541 for (p = newchain; p; p = r) {
1542 r = p->next;
1543 FREE(p, M_SECA);
1544 p = NULL;
1545 }
1546 key_freesp(dst, KEY_SADB_UNLOCKED);
1547 return NULL;
1548 }
1549
1550 /* set policy and ipsec request if present. */
1551 static int
1552 ipsec_set_policy(
1553 struct secpolicy **pcb_sp,
1554 __unused int optname,
1555 caddr_t request,
1556 size_t len,
1557 int priv)
1558 {
1559 struct sadb_x_policy *xpl;
1560 struct secpolicy *newsp = NULL;
1561 int error;
1562
1563 /* sanity check. */
1564 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL)
1565 return EINVAL;
1566 if (len < sizeof(*xpl))
1567 return EINVAL;
1568 xpl = (struct sadb_x_policy *)(void *)request;
1569
1570 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1571 printf("ipsec_set_policy: passed policy\n");
1572 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1573
1574 /* check policy type */
1575 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1576 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1577 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1578 return EINVAL;
1579
1580 /* check privileged socket */
1581 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1582 return EACCES;
1583
1584 /* allocation new SP entry */
1585 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1586 return error;
1587
1588 newsp->state = IPSEC_SPSTATE_ALIVE;
1589
1590 /* clear old SP and set new SP */
1591 key_freesp(*pcb_sp, KEY_SADB_UNLOCKED);
1592 *pcb_sp = newsp;
1593 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1594 printf("ipsec_set_policy: new policy\n");
1595 kdebug_secpolicy(newsp));
1596
1597 return 0;
1598 }
1599
1600 static int
1601 ipsec_get_policy(pcb_sp, mp)
1602 struct secpolicy *pcb_sp;
1603 struct mbuf **mp;
1604 {
1605
1606
1607 /* sanity check. */
1608 if (pcb_sp == NULL || mp == NULL)
1609 return EINVAL;
1610
1611 *mp = key_sp2msg(pcb_sp);
1612 if (!*mp) {
1613 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1614 return ENOBUFS;
1615 }
1616
1617 m_mchtype(*mp, MT_DATA);
1618 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1619 printf("ipsec_get_policy:\n");
1620 kdebug_mbuf(*mp));
1621
1622 return 0;
1623 }
1624
1625 int
1626 ipsec4_set_policy(inp, optname, request, len, priv)
1627 struct inpcb *inp;
1628 int optname;
1629 caddr_t request;
1630 size_t len;
1631 int priv;
1632 {
1633 struct sadb_x_policy *xpl;
1634 struct secpolicy **pcb_sp;
1635 int error = 0;
1636 struct sadb_x_policy xpl_aligned_buf;
1637 u_int8_t *xpl_unaligned;
1638
1639 /* sanity check. */
1640 if (inp == NULL || request == NULL)
1641 return EINVAL;
1642 if (len < sizeof(*xpl))
1643 return EINVAL;
1644 xpl = (struct sadb_x_policy *)(void *)request;
1645
1646 /* This is a new mbuf allocated by soopt_getm() */
1647 if (IPSEC_IS_P2ALIGNED(xpl)) {
1648 xpl_unaligned = NULL;
1649 } else {
1650 xpl_unaligned = (__typeof__(xpl_unaligned))xpl;
1651 memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf));
1652 xpl = (__typeof__(xpl))&xpl_aligned_buf;
1653 }
1654
1655 if (inp->inp_sp == NULL) {
1656 error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp);
1657 if (error)
1658 return error;
1659 }
1660
1661 /* select direction */
1662 switch (xpl->sadb_x_policy_dir) {
1663 case IPSEC_DIR_INBOUND:
1664 pcb_sp = &inp->inp_sp->sp_in;
1665 break;
1666 case IPSEC_DIR_OUTBOUND:
1667 pcb_sp = &inp->inp_sp->sp_out;
1668 break;
1669 default:
1670 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1671 xpl->sadb_x_policy_dir));
1672 return EINVAL;
1673 }
1674
1675 /* turn bypass off */
1676 if (ipsec_bypass != 0)
1677 ipsec_bypass = 0;
1678
1679 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1680 }
1681
1682 int
1683 ipsec4_get_policy(inp, request, len, mp)
1684 struct inpcb *inp;
1685 caddr_t request;
1686 size_t len;
1687 struct mbuf **mp;
1688 {
1689 struct sadb_x_policy *xpl;
1690 struct secpolicy *pcb_sp;
1691 int error = 0;
1692 struct sadb_x_policy xpl_aligned_buf;
1693 u_int8_t *xpl_unaligned;
1694
1695 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
1696
1697 /* sanity check. */
1698 if (inp == NULL || request == NULL || mp == NULL)
1699 return EINVAL;
1700 if (len < sizeof(*xpl))
1701 return EINVAL;
1702 xpl = (struct sadb_x_policy *)(void *)request;
1703
1704 /* This is a new mbuf allocated by soopt_getm() */
1705 if (IPSEC_IS_P2ALIGNED(xpl)) {
1706 xpl_unaligned = NULL;
1707 } else {
1708 xpl_unaligned = (__typeof__(xpl_unaligned))xpl;
1709 memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf));
1710 xpl = (__typeof__(xpl))&xpl_aligned_buf;
1711 }
1712
1713 if (inp->inp_sp == NULL) {
1714 error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp);
1715 if (error)
1716 return error;
1717 }
1718
1719 /* select direction */
1720 switch (xpl->sadb_x_policy_dir) {
1721 case IPSEC_DIR_INBOUND:
1722 pcb_sp = inp->inp_sp->sp_in;
1723 break;
1724 case IPSEC_DIR_OUTBOUND:
1725 pcb_sp = inp->inp_sp->sp_out;
1726 break;
1727 default:
1728 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1729 xpl->sadb_x_policy_dir));
1730 return EINVAL;
1731 }
1732
1733 return ipsec_get_policy(pcb_sp, mp);
1734 }
1735
1736 /* delete policy in PCB */
1737 int
1738 ipsec4_delete_pcbpolicy(inp)
1739 struct inpcb *inp;
1740 {
1741
1742 /* sanity check. */
1743 if (inp == NULL)
1744 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n");
1745
1746 if (inp->inp_sp == NULL)
1747 return 0;
1748
1749 if (inp->inp_sp->sp_in != NULL) {
1750 key_freesp(inp->inp_sp->sp_in, KEY_SADB_UNLOCKED);
1751 inp->inp_sp->sp_in = NULL;
1752 }
1753
1754 if (inp->inp_sp->sp_out != NULL) {
1755 key_freesp(inp->inp_sp->sp_out, KEY_SADB_UNLOCKED);
1756 inp->inp_sp->sp_out = NULL;
1757 }
1758
1759 ipsec_delpcbpolicy(inp->inp_sp);
1760 inp->inp_sp = NULL;
1761
1762 return 0;
1763 }
1764
1765 #if INET6
1766 int
1767 ipsec6_set_policy(in6p, optname, request, len, priv)
1768 struct in6pcb *in6p;
1769 int optname;
1770 caddr_t request;
1771 size_t len;
1772 int priv;
1773 {
1774 struct sadb_x_policy *xpl;
1775 struct secpolicy **pcb_sp;
1776 int error = 0;
1777 struct sadb_x_policy xpl_aligned_buf;
1778 u_int8_t *xpl_unaligned;
1779
1780 /* sanity check. */
1781 if (in6p == NULL || request == NULL)
1782 return EINVAL;
1783 if (len < sizeof(*xpl))
1784 return EINVAL;
1785 xpl = (struct sadb_x_policy *)(void *)request;
1786
1787 /* This is a new mbuf allocated by soopt_getm() */
1788 if (IPSEC_IS_P2ALIGNED(xpl)) {
1789 xpl_unaligned = NULL;
1790 } else {
1791 xpl_unaligned = (__typeof__(xpl_unaligned))xpl;
1792 memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf));
1793 xpl = (__typeof__(xpl))&xpl_aligned_buf;
1794 }
1795
1796 if (in6p->in6p_sp == NULL) {
1797 error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp);
1798 if (error)
1799 return error;
1800 }
1801
1802 /* select direction */
1803 switch (xpl->sadb_x_policy_dir) {
1804 case IPSEC_DIR_INBOUND:
1805 pcb_sp = &in6p->in6p_sp->sp_in;
1806 break;
1807 case IPSEC_DIR_OUTBOUND:
1808 pcb_sp = &in6p->in6p_sp->sp_out;
1809 break;
1810 default:
1811 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1812 xpl->sadb_x_policy_dir));
1813 return EINVAL;
1814 }
1815
1816 /* turn bypass off */
1817 if (ipsec_bypass != 0)
1818 ipsec_bypass = 0;
1819
1820 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1821 }
1822
1823 int
1824 ipsec6_get_policy(in6p, request, len, mp)
1825 struct in6pcb *in6p;
1826 caddr_t request;
1827 size_t len;
1828 struct mbuf **mp;
1829 {
1830 struct sadb_x_policy *xpl;
1831 struct secpolicy *pcb_sp;
1832 int error = 0;
1833 struct sadb_x_policy xpl_aligned_buf;
1834 u_int8_t *xpl_unaligned;
1835
1836 /* sanity check. */
1837 if (in6p == NULL || request == NULL || mp == NULL)
1838 return EINVAL;
1839 if (len < sizeof(*xpl))
1840 return EINVAL;
1841 xpl = (struct sadb_x_policy *)(void *)request;
1842
1843 /* This is a new mbuf allocated by soopt_getm() */
1844 if (IPSEC_IS_P2ALIGNED(xpl)) {
1845 xpl_unaligned = NULL;
1846 } else {
1847 xpl_unaligned = (__typeof__(xpl_unaligned))xpl;
1848 memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf));
1849 xpl = (__typeof__(xpl))&xpl_aligned_buf;
1850 }
1851
1852 if (in6p->in6p_sp == NULL) {
1853 error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp);
1854 if (error)
1855 return error;
1856 }
1857
1858 /* select direction */
1859 switch (xpl->sadb_x_policy_dir) {
1860 case IPSEC_DIR_INBOUND:
1861 pcb_sp = in6p->in6p_sp->sp_in;
1862 break;
1863 case IPSEC_DIR_OUTBOUND:
1864 pcb_sp = in6p->in6p_sp->sp_out;
1865 break;
1866 default:
1867 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1868 xpl->sadb_x_policy_dir));
1869 return EINVAL;
1870 }
1871
1872 return ipsec_get_policy(pcb_sp, mp);
1873 }
1874
1875 int
1876 ipsec6_delete_pcbpolicy(in6p)
1877 struct in6pcb *in6p;
1878 {
1879
1880 /* sanity check. */
1881 if (in6p == NULL)
1882 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n");
1883
1884 if (in6p->in6p_sp == NULL)
1885 return 0;
1886
1887 if (in6p->in6p_sp->sp_in != NULL) {
1888 key_freesp(in6p->in6p_sp->sp_in, KEY_SADB_UNLOCKED);
1889 in6p->in6p_sp->sp_in = NULL;
1890 }
1891
1892 if (in6p->in6p_sp->sp_out != NULL) {
1893 key_freesp(in6p->in6p_sp->sp_out, KEY_SADB_UNLOCKED);
1894 in6p->in6p_sp->sp_out = NULL;
1895 }
1896
1897 ipsec_delpcbpolicy(in6p->in6p_sp);
1898 in6p->in6p_sp = NULL;
1899
1900 return 0;
1901 }
1902 #endif
1903
1904 /*
1905 * return current level.
1906 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1907 */
1908 u_int
1909 ipsec_get_reqlevel(isr)
1910 struct ipsecrequest *isr;
1911 {
1912 u_int level = 0;
1913 u_int esp_trans_deflev = 0, esp_net_deflev = 0, ah_trans_deflev = 0, ah_net_deflev = 0;
1914
1915 /* sanity check */
1916 if (isr == NULL || isr->sp == NULL)
1917 panic("ipsec_get_reqlevel: NULL pointer is passed.\n");
1918 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1919 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family)
1920 panic("ipsec_get_reqlevel: family mismatched.\n");
1921
1922 /* XXX note that we have ipseclog() expanded here - code sync issue */
1923 #define IPSEC_CHECK_DEFAULT(lev) \
1924 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1925 && (lev) != IPSEC_LEVEL_UNIQUE) \
1926 ? (ipsec_debug \
1927 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1928 (lev), IPSEC_LEVEL_REQUIRE) \
1929 : (void)0), \
1930 (lev) = IPSEC_LEVEL_REQUIRE, \
1931 (lev) \
1932 : (lev))
1933
1934 /* set default level */
1935 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1936 #if INET
1937 case AF_INET:
1938 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1939 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1940 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1941 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1942 break;
1943 #endif
1944 #if INET6
1945 case AF_INET6:
1946 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1947 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1948 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1949 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1950 break;
1951 #endif /* INET6 */
1952 default:
1953 panic("key_get_reqlevel: Unknown family. %d\n",
1954 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1955 }
1956
1957 #undef IPSEC_CHECK_DEFAULT
1958
1959 /* set level */
1960 switch (isr->level) {
1961 case IPSEC_LEVEL_DEFAULT:
1962 switch (isr->saidx.proto) {
1963 case IPPROTO_ESP:
1964 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1965 level = esp_net_deflev;
1966 else
1967 level = esp_trans_deflev;
1968 break;
1969 case IPPROTO_AH:
1970 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1971 level = ah_net_deflev;
1972 else
1973 level = ah_trans_deflev;
1974 break;
1975 case IPPROTO_IPCOMP:
1976 /*
1977 * we don't really care, as IPcomp document says that
1978 * we shouldn't compress small packets
1979 */
1980 level = IPSEC_LEVEL_USE;
1981 break;
1982 default:
1983 panic("ipsec_get_reqlevel: "
1984 "Illegal protocol defined %u\n",
1985 isr->saidx.proto);
1986 }
1987 break;
1988
1989 case IPSEC_LEVEL_USE:
1990 case IPSEC_LEVEL_REQUIRE:
1991 level = isr->level;
1992 break;
1993 case IPSEC_LEVEL_UNIQUE:
1994 level = IPSEC_LEVEL_REQUIRE;
1995 break;
1996
1997 default:
1998 panic("ipsec_get_reqlevel: Illegal IPsec level %u\n",
1999 isr->level);
2000 }
2001
2002 return level;
2003 }
2004
2005 /*
2006 * Check AH/ESP integrity.
2007 * OUT:
2008 * 0: valid
2009 * 1: invalid
2010 */
2011 static int
2012 ipsec_in_reject(sp, m)
2013 struct secpolicy *sp;
2014 struct mbuf *m;
2015 {
2016 struct ipsecrequest *isr;
2017 u_int level;
2018 int need_auth, need_conf, need_icv;
2019
2020 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2021 printf("ipsec_in_reject: using SP\n");
2022 kdebug_secpolicy(sp));
2023
2024 /* check policy */
2025 switch (sp->policy) {
2026 case IPSEC_POLICY_DISCARD:
2027 case IPSEC_POLICY_GENERATE:
2028 return 1;
2029 case IPSEC_POLICY_BYPASS:
2030 case IPSEC_POLICY_NONE:
2031 return 0;
2032
2033 case IPSEC_POLICY_IPSEC:
2034 break;
2035
2036 case IPSEC_POLICY_ENTRUST:
2037 default:
2038 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
2039 }
2040
2041 need_auth = 0;
2042 need_conf = 0;
2043 need_icv = 0;
2044
2045 /* XXX should compare policy against ipsec header history */
2046
2047 for (isr = sp->req; isr != NULL; isr = isr->next) {
2048
2049 /* get current level */
2050 level = ipsec_get_reqlevel(isr);
2051
2052 switch (isr->saidx.proto) {
2053 case IPPROTO_ESP:
2054 if (level == IPSEC_LEVEL_REQUIRE) {
2055 need_conf++;
2056
2057 #if 0
2058 /* this won't work with multiple input threads - isr->sav would change
2059 * with every packet and is not necessarily related to the current packet
2060 * being processed. If ESP processing is required - the esp code should
2061 * make sure that the integrity check is present and correct. I don't see
2062 * why it would be necessary to check for the presence of the integrity
2063 * check value here. I think this is just wrong.
2064 * isr->sav has been removed.
2065 * %%%%%% this needs to be re-worked at some point but I think the code below can
2066 * be ignored for now.
2067 */
2068 if (isr->sav != NULL
2069 && isr->sav->flags == SADB_X_EXT_NONE
2070 && isr->sav->alg_auth != SADB_AALG_NONE)
2071 need_icv++;
2072 #endif
2073 }
2074 break;
2075 case IPPROTO_AH:
2076 if (level == IPSEC_LEVEL_REQUIRE) {
2077 need_auth++;
2078 need_icv++;
2079 }
2080 break;
2081 case IPPROTO_IPCOMP:
2082 /*
2083 * we don't really care, as IPcomp document says that
2084 * we shouldn't compress small packets, IPComp policy
2085 * should always be treated as being in "use" level.
2086 */
2087 break;
2088 }
2089 }
2090
2091 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
2092 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
2093 need_auth, need_conf, need_icv, m->m_flags));
2094
2095 if ((need_conf && !(m->m_flags & M_DECRYPTED))
2096 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
2097 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
2098 return 1;
2099
2100 return 0;
2101 }
2102
2103 /*
2104 * Check AH/ESP integrity.
2105 * This function is called from tcp_input(), udp_input(),
2106 * and {ah,esp}4_input for tunnel mode
2107 */
2108 int
2109 ipsec4_in_reject_so(m, so)
2110 struct mbuf *m;
2111 struct socket *so;
2112 {
2113 struct secpolicy *sp = NULL;
2114 int error;
2115 int result;
2116
2117 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2118 /* sanity check */
2119 if (m == NULL)
2120 return 0; /* XXX should be panic ? */
2121
2122 /* get SP for this packet.
2123 * When we are called from ip_forward(), we call
2124 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
2125 */
2126 if (so == NULL)
2127 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
2128 else
2129 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
2130
2131 if (sp == NULL)
2132 return 0; /* XXX should be panic ?
2133 * -> No, there may be error. */
2134
2135 result = ipsec_in_reject(sp, m);
2136 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2137 printf("DP ipsec4_in_reject_so call free SP:0x%llx\n",
2138 (uint64_t)VM_KERNEL_ADDRPERM(sp)));
2139 key_freesp(sp, KEY_SADB_UNLOCKED);
2140
2141 return result;
2142 }
2143
2144 int
2145 ipsec4_in_reject(m, inp)
2146 struct mbuf *m;
2147 struct inpcb *inp;
2148 {
2149
2150 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2151 if (inp == NULL)
2152 return ipsec4_in_reject_so(m, NULL);
2153 if (inp->inp_socket)
2154 return ipsec4_in_reject_so(m, inp->inp_socket);
2155 else
2156 panic("ipsec4_in_reject: invalid inpcb/socket");
2157
2158 /* NOTREACHED */
2159 return 0;
2160 }
2161
2162 #if INET6
2163 /*
2164 * Check AH/ESP integrity.
2165 * This function is called from tcp6_input(), udp6_input(),
2166 * and {ah,esp}6_input for tunnel mode
2167 */
2168 int
2169 ipsec6_in_reject_so(m, so)
2170 struct mbuf *m;
2171 struct socket *so;
2172 {
2173 struct secpolicy *sp = NULL;
2174 int error;
2175 int result;
2176
2177 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2178 /* sanity check */
2179 if (m == NULL)
2180 return 0; /* XXX should be panic ? */
2181
2182 /* get SP for this packet.
2183 * When we are called from ip_forward(), we call
2184 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
2185 */
2186 if (so == NULL)
2187 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
2188 else
2189 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
2190
2191 if (sp == NULL)
2192 return 0; /* XXX should be panic ? */
2193
2194 result = ipsec_in_reject(sp, m);
2195 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2196 printf("DP ipsec6_in_reject_so call free SP:0x%llx\n",
2197 (uint64_t)VM_KERNEL_ADDRPERM(sp)));
2198 key_freesp(sp, KEY_SADB_UNLOCKED);
2199
2200 return result;
2201 }
2202
2203 int
2204 ipsec6_in_reject(m, in6p)
2205 struct mbuf *m;
2206 struct in6pcb *in6p;
2207 {
2208
2209 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2210 if (in6p == NULL)
2211 return ipsec6_in_reject_so(m, NULL);
2212 if (in6p->in6p_socket)
2213 return ipsec6_in_reject_so(m, in6p->in6p_socket);
2214 else
2215 panic("ipsec6_in_reject: invalid in6p/socket");
2216
2217 /* NOTREACHED */
2218 return 0;
2219 }
2220 #endif
2221
2222 /*
2223 * compute the byte size to be occupied by IPsec header.
2224 * in case it is tunneled, it includes the size of outer IP header.
2225 * NOTE: SP passed is free in this function.
2226 */
2227 size_t
2228 ipsec_hdrsiz(sp)
2229 struct secpolicy *sp;
2230 {
2231 struct ipsecrequest *isr;
2232 size_t siz, clen;
2233
2234 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2235 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2236 printf("ipsec_hdrsiz: using SP\n");
2237 kdebug_secpolicy(sp));
2238
2239 /* check policy */
2240 switch (sp->policy) {
2241 case IPSEC_POLICY_DISCARD:
2242 case IPSEC_POLICY_GENERATE:
2243 case IPSEC_POLICY_BYPASS:
2244 case IPSEC_POLICY_NONE:
2245 return 0;
2246
2247 case IPSEC_POLICY_IPSEC:
2248 break;
2249
2250 case IPSEC_POLICY_ENTRUST:
2251 default:
2252 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
2253 }
2254
2255 siz = 0;
2256
2257 for (isr = sp->req; isr != NULL; isr = isr->next) {
2258
2259 clen = 0;
2260
2261 switch (isr->saidx.proto) {
2262 case IPPROTO_ESP:
2263 #if IPSEC_ESP
2264 clen = esp_hdrsiz(isr);
2265 #else
2266 clen = 0; /*XXX*/
2267 #endif
2268 break;
2269 case IPPROTO_AH:
2270 clen = ah_hdrsiz(isr);
2271 break;
2272 case IPPROTO_IPCOMP:
2273 clen = sizeof(struct ipcomp);
2274 break;
2275 }
2276
2277 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2278 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
2279 case AF_INET:
2280 clen += sizeof(struct ip);
2281 break;
2282 #if INET6
2283 case AF_INET6:
2284 clen += sizeof(struct ip6_hdr);
2285 break;
2286 #endif
2287 default:
2288 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
2289 "unknown AF %d in IPsec tunnel SA\n",
2290 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
2291 break;
2292 }
2293 }
2294 siz += clen;
2295 }
2296
2297 return siz;
2298 }
2299
2300 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
2301 size_t
2302 ipsec4_hdrsiz(m, dir, inp)
2303 struct mbuf *m;
2304 u_int dir;
2305 struct inpcb *inp;
2306 {
2307 struct secpolicy *sp = NULL;
2308 int error;
2309 size_t size;
2310
2311 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2312 /* sanity check */
2313 if (m == NULL)
2314 return 0; /* XXX should be panic ? */
2315 if (inp != NULL && inp->inp_socket == NULL)
2316 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
2317
2318 /* get SP for this packet.
2319 * When we are called from ip_forward(), we call
2320 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
2321 */
2322 if (inp == NULL)
2323 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2324 else
2325 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
2326
2327 if (sp == NULL)
2328 return 0; /* XXX should be panic ? */
2329
2330 size = ipsec_hdrsiz(sp);
2331 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2332 printf("DP ipsec4_hdrsiz call free SP:0x%llx\n",
2333 (uint64_t)VM_KERNEL_ADDRPERM(sp)));
2334 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2335 printf("ipsec4_hdrsiz: size:%lu.\n", (u_int32_t)size));
2336 key_freesp(sp, KEY_SADB_UNLOCKED);
2337
2338 return size;
2339 }
2340
2341 #if INET6
2342 /* This function is called from ipsec6_hdrsize_tcp(),
2343 * and maybe from ip6_forward.()
2344 */
2345 size_t
2346 ipsec6_hdrsiz(m, dir, in6p)
2347 struct mbuf *m;
2348 u_int dir;
2349 struct in6pcb *in6p;
2350 {
2351 struct secpolicy *sp = NULL;
2352 int error;
2353 size_t size;
2354
2355 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2356 /* sanity check */
2357 if (m == NULL)
2358 return 0; /* XXX shoud be panic ? */
2359 if (in6p != NULL && in6p->in6p_socket == NULL)
2360 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2361
2362 /* get SP for this packet */
2363 /* XXX Is it right to call with IP_FORWARDING. */
2364 if (in6p == NULL)
2365 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2366 else
2367 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
2368
2369 if (sp == NULL)
2370 return 0;
2371 size = ipsec_hdrsiz(sp);
2372 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2373 printf("DP ipsec6_hdrsiz call free SP:0x%llx\n",
2374 (uint64_t)VM_KERNEL_ADDRPERM(sp)));
2375 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2376 printf("ipsec6_hdrsiz: size:%lu.\n", (u_int32_t)size));
2377 key_freesp(sp, KEY_SADB_UNLOCKED);
2378
2379 return size;
2380 }
2381 #endif /*INET6*/
2382
2383 #if INET
2384 /*
2385 * encapsulate for ipsec tunnel.
2386 * ip->ip_src must be fixed later on.
2387 */
2388 int
2389 ipsec4_encapsulate(m, sav)
2390 struct mbuf *m;
2391 struct secasvar *sav;
2392 {
2393 struct ip *oip;
2394 struct ip *ip;
2395 size_t hlen;
2396 size_t plen;
2397
2398 /* can't tunnel between different AFs */
2399 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2400 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2401 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2402 m_freem(m);
2403 return EINVAL;
2404 }
2405 #if 0
2406 /* XXX if the dst is myself, perform nothing. */
2407 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2408 m_freem(m);
2409 return EINVAL;
2410 }
2411 #endif
2412
2413 if (m->m_len < sizeof(*ip))
2414 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2415
2416 ip = mtod(m, struct ip *);
2417 #ifdef _IP_VHL
2418 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
2419 #else
2420 hlen = ip->ip_hl << 2;
2421 #endif
2422
2423 if (m->m_len != hlen)
2424 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2425
2426 /* generate header checksum */
2427 ip->ip_sum = 0;
2428 #ifdef _IP_VHL
2429 ip->ip_sum = in_cksum(m, hlen);
2430 #else
2431 ip->ip_sum = in_cksum(m, hlen);
2432 #endif
2433
2434 plen = m->m_pkthdr.len;
2435
2436 /*
2437 * grow the mbuf to accomodate the new IPv4 header.
2438 * NOTE: IPv4 options will never be copied.
2439 */
2440 if (M_LEADINGSPACE(m->m_next) < hlen) {
2441 struct mbuf *n;
2442 MGET(n, M_DONTWAIT, MT_DATA);
2443 if (!n) {
2444 m_freem(m);
2445 return ENOBUFS;
2446 }
2447 n->m_len = hlen;
2448 n->m_next = m->m_next;
2449 m->m_next = n;
2450 m->m_pkthdr.len += hlen;
2451 oip = mtod(n, struct ip *);
2452 } else {
2453 m->m_next->m_len += hlen;
2454 m->m_next->m_data -= hlen;
2455 m->m_pkthdr.len += hlen;
2456 oip = mtod(m->m_next, struct ip *);
2457 }
2458 ip = mtod(m, struct ip *);
2459 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2460 m->m_len = sizeof(struct ip);
2461 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2462
2463 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2464 /* ECN consideration. */
2465 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2466 #ifdef _IP_VHL
2467 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2468 #else
2469 ip->ip_hl = sizeof(struct ip) >> 2;
2470 #endif
2471 ip->ip_off &= htons(~IP_OFFMASK);
2472 ip->ip_off &= htons(~IP_MF);
2473 switch (ip4_ipsec_dfbit) {
2474 case 0: /* clear DF bit */
2475 ip->ip_off &= htons(~IP_DF);
2476 break;
2477 case 1: /* set DF bit */
2478 ip->ip_off |= htons(IP_DF);
2479 break;
2480 default: /* copy DF bit */
2481 break;
2482 }
2483 ip->ip_p = IPPROTO_IPIP;
2484 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2485 ip->ip_len = htons(plen + sizeof(struct ip));
2486 else {
2487 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2488 "leave ip_len as is (invalid packet)\n"));
2489 }
2490 ip->ip_id = ip_randomid();
2491 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2492 &ip->ip_src, sizeof(ip->ip_src));
2493 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2494 &ip->ip_dst, sizeof(ip->ip_dst));
2495 ip->ip_ttl = IPDEFTTL;
2496
2497 /* XXX Should ip_src be updated later ? */
2498
2499 return 0;
2500 }
2501
2502 /*
2503 * encapsulate for ipsec tunnel.
2504 * ip->ip_src must be fixed later on.
2505 */
2506 int
2507 ipsec4_encapsulate_utun_esp_keepalive(m_ptr, sav)
2508 struct mbuf **m_ptr;
2509 struct secasvar *sav;
2510 {
2511 struct ip *ip;
2512 size_t plen;
2513 struct mbuf *m = *m_ptr;
2514
2515 /* can't tunnel between different AFs */
2516 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2517 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2518 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2519 m_freem(m);
2520 *m_ptr = NULL;
2521 return EINVAL;
2522 }
2523
2524 plen = m->m_pkthdr.len;
2525
2526 /*
2527 * grow the mbuf to accomodate the new IPv4 header.
2528 * NOTE: IPv4 options will never be copied.
2529 */
2530 {
2531 struct mbuf *n;
2532 MGETHDR(n, M_DONTWAIT, MT_HEADER); /* MAC-OK */
2533 if (!n) {
2534 m_freem(m);
2535 *m_ptr = NULL;
2536 return ENOBUFS;
2537 }
2538 if (m->m_flags & M_PKTHDR) {
2539 M_COPY_PKTHDR(n, m);
2540 m->m_flags &= ~M_PKTHDR;
2541 }
2542 MH_ALIGN(n, sizeof(*ip));
2543 n->m_len = sizeof(*ip);
2544 n->m_next = m;
2545 n->m_pkthdr.len = (plen + n->m_len);
2546 m_fixhdr(m);
2547 m = n;
2548 *m_ptr = m;
2549 plen = m->m_pkthdr.len;
2550 }
2551 ip = mtod(m, __typeof__(ip));
2552
2553 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2554 // ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2555 #ifdef _IP_VHL
2556 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(*ip) >> 2);
2557 #else
2558 ip->ip_hl = sizeof(*ip) >> 2;
2559 #endif
2560 ip->ip_off &= htons(~IP_OFFMASK);
2561 ip->ip_off &= htons(~IP_MF);
2562 switch (ip4_ipsec_dfbit) {
2563 case 0: /* clear DF bit */
2564 ip->ip_off &= htons(~IP_DF);
2565 break;
2566 case 1: /* set DF bit */
2567 ip->ip_off |= htons(IP_DF);
2568 break;
2569 default: /* copy DF bit */
2570 break;
2571 }
2572 ip->ip_p = IPPROTO_IPIP;
2573 if (plen < IP_MAXPACKET)
2574 ip->ip_len = htons(plen);
2575 else {
2576 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2577 "leave ip_len as is (invalid packet)\n"));
2578 }
2579 ip->ip_id = ip_randomid();
2580 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2581 &ip->ip_src, sizeof(ip->ip_src));
2582 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2583 &ip->ip_dst, sizeof(ip->ip_dst));
2584 ip->ip_ttl = IPDEFTTL;
2585
2586 /* XXX Should ip_src be updated later ? */
2587
2588 return 0;
2589 }
2590 #endif /*INET*/
2591
2592 #if INET6
2593 int
2594 ipsec6_encapsulate(m, sav)
2595 struct mbuf *m;
2596 struct secasvar *sav;
2597 {
2598 struct ip6_hdr *oip6;
2599 struct ip6_hdr *ip6;
2600 size_t plen;
2601
2602 /* can't tunnel between different AFs */
2603 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2604 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2605 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2606 m_freem(m);
2607 return EINVAL;
2608 }
2609 #if 0
2610 /* XXX if the dst is myself, perform nothing. */
2611 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2612 m_freem(m);
2613 return EINVAL;
2614 }
2615 #endif
2616
2617 plen = m->m_pkthdr.len;
2618
2619 /*
2620 * grow the mbuf to accomodate the new IPv6 header.
2621 */
2622 if (m->m_len != sizeof(struct ip6_hdr))
2623 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2624 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2625 struct mbuf *n;
2626 MGET(n, M_DONTWAIT, MT_DATA);
2627 if (!n) {
2628 m_freem(m);
2629 return ENOBUFS;
2630 }
2631 n->m_len = sizeof(struct ip6_hdr);
2632 n->m_next = m->m_next;
2633 m->m_next = n;
2634 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2635 oip6 = mtod(n, struct ip6_hdr *);
2636 } else {
2637 m->m_next->m_len += sizeof(struct ip6_hdr);
2638 m->m_next->m_data -= sizeof(struct ip6_hdr);
2639 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2640 oip6 = mtod(m->m_next, struct ip6_hdr *);
2641 }
2642 ip6 = mtod(m, struct ip6_hdr *);
2643 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2644
2645 /* Fake link-local scope-class addresses */
2646 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
2647 oip6->ip6_src.s6_addr16[1] = 0;
2648 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
2649 oip6->ip6_dst.s6_addr16[1] = 0;
2650
2651 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2652 /* ECN consideration. */
2653 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2654 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2655 ip6->ip6_plen = htons(plen);
2656 else {
2657 /* ip6->ip6_plen will be updated in ip6_output() */
2658 }
2659 ip6->ip6_nxt = IPPROTO_IPV6;
2660 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2661 &ip6->ip6_src, sizeof(ip6->ip6_src));
2662 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2663 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2664 ip6->ip6_hlim = IPV6_DEFHLIM;
2665
2666 /* XXX Should ip6_src be updated later ? */
2667
2668 return 0;
2669 }
2670
2671 static int
2672 ipsec64_encapsulate(m, sav)
2673 struct mbuf *m;
2674 struct secasvar *sav;
2675 {
2676 struct ip6_hdr *ip6, *ip6i;
2677 struct ip *ip;
2678 size_t plen;
2679 u_int8_t hlim;
2680
2681 /* tunneling over IPv4 */
2682 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2683 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2684 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2685 m_freem(m);
2686 return EINVAL;
2687 }
2688 #if 0
2689 /* XXX if the dst is myself, perform nothing. */
2690 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2691 m_freem(m);
2692 return EINVAL;
2693 }
2694 #endif
2695
2696 plen = m->m_pkthdr.len;
2697 ip6 = mtod(m, struct ip6_hdr *);
2698 hlim = ip6->ip6_hlim;
2699 /*
2700 * grow the mbuf to accomodate the new IPv4 header.
2701 */
2702 if (m->m_len != sizeof(struct ip6_hdr))
2703 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2704 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2705 struct mbuf *n;
2706 MGET(n, M_DONTWAIT, MT_DATA);
2707 if (!n) {
2708 m_freem(m);
2709 return ENOBUFS;
2710 }
2711 n->m_len = sizeof(struct ip6_hdr);
2712 n->m_next = m->m_next;
2713 m->m_next = n;
2714 m->m_pkthdr.len += sizeof(struct ip);
2715 ip6i = mtod(n, struct ip6_hdr *);
2716 } else {
2717 m->m_next->m_len += sizeof(struct ip6_hdr);
2718 m->m_next->m_data -= sizeof(struct ip6_hdr);
2719 m->m_pkthdr.len += sizeof(struct ip);
2720 ip6i = mtod(m->m_next, struct ip6_hdr *);
2721 }
2722 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2723 /* ECN consideration. */
2724 /* XXX To be fixed later if needed */
2725 // ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2726
2727 bcopy(ip6, ip6i, sizeof(struct ip6_hdr));
2728 ip = mtod(m, struct ip *);
2729 m->m_len = sizeof(struct ip);
2730 /*
2731 * Fill in some of the IPv4 fields - we don't need all of them
2732 * because the rest will be filled in by ip_output
2733 */
2734 ip->ip_v = IPVERSION;
2735 ip->ip_hl = sizeof(struct ip) >> 2;
2736 ip->ip_id = 0;
2737 ip->ip_sum = 0;
2738 ip->ip_tos = 0;
2739 ip->ip_off = 0;
2740 ip->ip_ttl = hlim;
2741 ip->ip_p = IPPROTO_IPV6;
2742 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2743 ip->ip_len = htons(plen + sizeof(struct ip));
2744 else {
2745 ip->ip_len = htons(plen);
2746 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2747 "leave ip_len as is (invalid packet)\n"));
2748 }
2749 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2750 &ip->ip_src, sizeof(ip->ip_src));
2751 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2752 &ip->ip_dst, sizeof(ip->ip_dst));
2753
2754 return 0;
2755 }
2756
2757 int
2758 ipsec6_encapsulate_utun_esp_keepalive(m_ptr, sav)
2759 struct mbuf **m_ptr;
2760 struct secasvar *sav;
2761 {
2762 struct ip6_hdr *ip6;
2763 size_t plen;
2764 struct mbuf *m = *m_ptr;
2765
2766 /* can't tunnel between different AFs */
2767 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2768 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2769 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2770 m_freem(m);
2771 *m_ptr = NULL;
2772 return EINVAL;
2773 }
2774
2775 plen = m->m_pkthdr.len;
2776
2777 /*
2778 * grow the mbuf to accomodate the new IPv6 header.
2779 */
2780 {
2781 struct mbuf *n;
2782 MGETHDR(n, M_DONTWAIT, MT_HEADER); /* MAC-OK */
2783 if (!n) {
2784 m_freem(m);
2785 *m_ptr = NULL;
2786 return ENOBUFS;
2787 }
2788 if (m->m_flags & M_PKTHDR) {
2789 M_COPY_PKTHDR(n, m);
2790 m->m_flags &= ~M_PKTHDR;
2791 }
2792 MH_ALIGN(n, sizeof(*ip6));
2793 n->m_len = sizeof(*ip6);
2794 n->m_next = m;
2795 n->m_pkthdr.len = (plen + n->m_len);
2796 m_fixhdr(m);
2797 m = n;
2798 *m_ptr = m;
2799 plen = m->m_pkthdr.len;
2800 }
2801 ip6 = mtod(m, __typeof__(ip6));
2802
2803 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2804 if (plen < IPV6_MAXPACKET)
2805 ip6->ip6_plen = htons(plen);
2806 else {
2807 /* ip6->ip6_plen will be updated in ip6_output() */
2808 }
2809 ip6->ip6_nxt = IPPROTO_IPV6;
2810 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2811 &ip6->ip6_src, sizeof(ip6->ip6_src));
2812 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2813 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2814 ip6->ip6_hlim = IPV6_DEFHLIM;
2815
2816 /* XXX Should ip6_src be updated later ? */
2817
2818 return 0;
2819 }
2820 #endif /*INET6*/
2821
2822 /*
2823 * Check the variable replay window.
2824 * ipsec_chkreplay() performs replay check before ICV verification.
2825 * ipsec_updatereplay() updates replay bitmap. This must be called after
2826 * ICV verification (it also performs replay check, which is usually done
2827 * beforehand).
2828 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2829 *
2830 * based on RFC 2401.
2831 */
2832 int
2833 ipsec_chkreplay(seq, sav)
2834 u_int32_t seq;
2835 struct secasvar *sav;
2836 {
2837 const struct secreplay *replay;
2838 u_int32_t diff;
2839 int fr;
2840 u_int32_t wsizeb; /* constant: bits of window size */
2841 int frlast; /* constant: last frame */
2842
2843
2844 /* sanity check */
2845 if (sav == NULL)
2846 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2847
2848 lck_mtx_lock(sadb_mutex);
2849 replay = sav->replay;
2850
2851 if (replay->wsize == 0) {
2852 lck_mtx_unlock(sadb_mutex);
2853 return 1; /* no need to check replay. */
2854 }
2855
2856 /* constant */
2857 frlast = replay->wsize - 1;
2858 wsizeb = replay->wsize << 3;
2859
2860 /* sequence number of 0 is invalid */
2861 if (seq == 0) {
2862 lck_mtx_unlock(sadb_mutex);
2863 return 0;
2864 }
2865
2866 /* first time is always okay */
2867 if (replay->count == 0) {
2868 lck_mtx_unlock(sadb_mutex);
2869 return 1;
2870 }
2871
2872 if (seq > replay->lastseq) {
2873 /* larger sequences are okay */
2874 lck_mtx_unlock(sadb_mutex);
2875 return 1;
2876 } else {
2877 /* seq is equal or less than lastseq. */
2878 diff = replay->lastseq - seq;
2879
2880 /* over range to check, i.e. too old or wrapped */
2881 if (diff >= wsizeb) {
2882 lck_mtx_unlock(sadb_mutex);
2883 return 0;
2884 }
2885
2886 fr = frlast - diff / 8;
2887
2888 /* this packet already seen ? */
2889 if ((replay->bitmap)[fr] & (1 << (diff % 8))) {
2890 lck_mtx_unlock(sadb_mutex);
2891 return 0;
2892 }
2893
2894 /* out of order but good */
2895 lck_mtx_unlock(sadb_mutex);
2896 return 1;
2897 }
2898 }
2899
2900 /*
2901 * check replay counter whether to update or not.
2902 * OUT: 0: OK
2903 * 1: NG
2904 */
2905 int
2906 ipsec_updatereplay(seq, sav)
2907 u_int32_t seq;
2908 struct secasvar *sav;
2909 {
2910 struct secreplay *replay;
2911 u_int32_t diff;
2912 int fr;
2913 u_int32_t wsizeb; /* constant: bits of window size */
2914 int frlast; /* constant: last frame */
2915
2916 /* sanity check */
2917 if (sav == NULL)
2918 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2919
2920 lck_mtx_lock(sadb_mutex);
2921 replay = sav->replay;
2922
2923 if (replay->wsize == 0)
2924 goto ok; /* no need to check replay. */
2925
2926 /* constant */
2927 frlast = replay->wsize - 1;
2928 wsizeb = replay->wsize << 3;
2929
2930 /* sequence number of 0 is invalid */
2931 if (seq == 0)
2932 return 1;
2933
2934 /* first time */
2935 if (replay->count == 0) {
2936 replay->lastseq = seq;
2937 bzero(replay->bitmap, replay->wsize);
2938 (replay->bitmap)[frlast] = 1;
2939 goto ok;
2940 }
2941
2942 if (seq > replay->lastseq) {
2943 /* seq is larger than lastseq. */
2944 diff = seq - replay->lastseq;
2945
2946 /* new larger sequence number */
2947 if (diff < wsizeb) {
2948 /* In window */
2949 /* set bit for this packet */
2950 vshiftl((unsigned char *) replay->bitmap, diff, replay->wsize);
2951 (replay->bitmap)[frlast] |= 1;
2952 } else {
2953 /* this packet has a "way larger" */
2954 bzero(replay->bitmap, replay->wsize);
2955 (replay->bitmap)[frlast] = 1;
2956 }
2957 replay->lastseq = seq;
2958
2959 /* larger is good */
2960 } else {
2961 /* seq is equal or less than lastseq. */
2962 diff = replay->lastseq - seq;
2963
2964 /* over range to check, i.e. too old or wrapped */
2965 if (diff >= wsizeb) {
2966 lck_mtx_unlock(sadb_mutex);
2967 return 1;
2968 }
2969
2970 fr = frlast - diff / 8;
2971
2972 /* this packet already seen ? */
2973 if ((replay->bitmap)[fr] & (1 << (diff % 8))) {
2974 lck_mtx_unlock(sadb_mutex);
2975 return 1;
2976 }
2977
2978 /* mark as seen */
2979 (replay->bitmap)[fr] |= (1 << (diff % 8));
2980
2981 /* out of order but good */
2982 }
2983
2984 ok:
2985 if (replay->count == ~0) {
2986
2987 /* set overflow flag */
2988 replay->overflow++;
2989
2990 /* don't increment, no more packets accepted */
2991 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
2992 lck_mtx_unlock(sadb_mutex);
2993 return 1;
2994 }
2995
2996 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2997 replay->overflow, ipsec_logsastr(sav)));
2998 }
2999
3000 replay->count++;
3001
3002 lck_mtx_unlock(sadb_mutex);
3003 return 0;
3004 }
3005
3006 /*
3007 * shift variable length buffer to left.
3008 * IN: bitmap: pointer to the buffer
3009 * nbit: the number of to shift.
3010 * wsize: buffer size (bytes).
3011 */
3012 static void
3013 vshiftl(bitmap, nbit, wsize)
3014 unsigned char *bitmap;
3015 int nbit, wsize;
3016 {
3017 int s, j, i;
3018 unsigned char over;
3019
3020 for (j = 0; j < nbit; j += 8) {
3021 s = (nbit - j < 8) ? (nbit - j): 8;
3022 bitmap[0] <<= s;
3023 for (i = 1; i < wsize; i++) {
3024 over = (bitmap[i] >> (8 - s));
3025 bitmap[i] <<= s;
3026 bitmap[i-1] |= over;
3027 }
3028 }
3029
3030 return;
3031 }
3032
3033 const char *
3034 ipsec4_logpacketstr(ip, spi)
3035 struct ip *ip;
3036 u_int32_t spi;
3037 {
3038 static char buf[256] __attribute__((aligned(4)));
3039 char *p;
3040 u_int8_t *s, *d;
3041
3042 s = (u_int8_t *)(&ip->ip_src);
3043 d = (u_int8_t *)(&ip->ip_dst);
3044
3045 p = buf;
3046 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
3047 while (p && *p)
3048 p++;
3049 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
3050 s[0], s[1], s[2], s[3]);
3051 while (p && *p)
3052 p++;
3053 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
3054 d[0], d[1], d[2], d[3]);
3055 while (p && *p)
3056 p++;
3057 snprintf(p, sizeof(buf) - (p - buf), ")");
3058
3059 return buf;
3060 }
3061
3062 #if INET6
3063 const char *
3064 ipsec6_logpacketstr(ip6, spi)
3065 struct ip6_hdr *ip6;
3066 u_int32_t spi;
3067 {
3068 static char buf[256] __attribute__((aligned(4)));
3069 char *p;
3070
3071 p = buf;
3072 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
3073 while (p && *p)
3074 p++;
3075 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
3076 ip6_sprintf(&ip6->ip6_src));
3077 while (p && *p)
3078 p++;
3079 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
3080 ip6_sprintf(&ip6->ip6_dst));
3081 while (p && *p)
3082 p++;
3083 snprintf(p, sizeof(buf) - (p - buf), ")");
3084
3085 return buf;
3086 }
3087 #endif /*INET6*/
3088
3089 const char *
3090 ipsec_logsastr(sav)
3091 struct secasvar *sav;
3092 {
3093 static char buf[256] __attribute__((aligned(4)));
3094 char *p;
3095 struct secasindex *saidx = &sav->sah->saidx;
3096
3097 /* validity check */
3098 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
3099 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
3100 panic("ipsec_logsastr: family mismatched.\n");
3101
3102 p = buf;
3103 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
3104 while (p && *p)
3105 p++;
3106 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
3107 u_int8_t *s, *d;
3108 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
3109 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
3110 snprintf(p, sizeof(buf) - (p - buf),
3111 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
3112 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
3113 }
3114 #if INET6
3115 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
3116 snprintf(p, sizeof(buf) - (p - buf),
3117 "src=%s",
3118 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
3119 while (p && *p)
3120 p++;
3121 snprintf(p, sizeof(buf) - (p - buf),
3122 " dst=%s",
3123 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
3124 }
3125 #endif
3126 while (p && *p)
3127 p++;
3128 snprintf(p, sizeof(buf) - (p - buf), ")");
3129
3130 return buf;
3131 }
3132
3133 void
3134 ipsec_dumpmbuf(m)
3135 struct mbuf *m;
3136 {
3137 int totlen;
3138 int i;
3139 u_char *p;
3140
3141 totlen = 0;
3142 printf("---\n");
3143 while (m) {
3144 p = mtod(m, u_char *);
3145 for (i = 0; i < m->m_len; i++) {
3146 printf("%02x ", p[i]);
3147 totlen++;
3148 if (totlen % 16 == 0)
3149 printf("\n");
3150 }
3151 m = m->m_next;
3152 }
3153 if (totlen % 16 != 0)
3154 printf("\n");
3155 printf("---\n");
3156 }
3157
3158 #if INET
3159 /*
3160 * IPsec output logic for IPv4.
3161 */
3162 int
3163 ipsec4_output(
3164 struct ipsec_output_state *state,
3165 struct secpolicy *sp,
3166 __unused int flags)
3167 {
3168 struct ip *ip = NULL;
3169 struct ipsecrequest *isr = NULL;
3170 struct secasindex saidx;
3171 struct secasvar *sav = NULL;
3172 int error = 0;
3173 struct sockaddr_in *dst4;
3174 struct sockaddr_in *sin;
3175 struct route *ro4;
3176
3177 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
3178
3179 if (!state)
3180 panic("state == NULL in ipsec4_output");
3181 if (!state->m)
3182 panic("state->m == NULL in ipsec4_output");
3183 if (!state->dst)
3184 panic("state->dst == NULL in ipsec4_output");
3185
3186 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_START, 0,0,0,0,0);
3187
3188 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3189 printf("ipsec4_output: applyed SP\n");
3190 kdebug_secpolicy(sp));
3191
3192 for (isr = sp->req; isr != NULL; isr = isr->next) {
3193
3194 #if 0 /* give up to check restriction of transport mode */
3195 /* XXX but should be checked somewhere */
3196 /*
3197 * some of the IPsec operation must be performed only in
3198 * originating case.
3199 */
3200 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
3201 && (flags & IP_FORWARDING))
3202 continue;
3203 #endif
3204
3205 /* make SA index for search proper SA */
3206 ip = mtod(state->m, struct ip *);
3207 bcopy(&isr->saidx, &saidx, sizeof(saidx));
3208 saidx.mode = isr->saidx.mode;
3209 saidx.reqid = isr->saidx.reqid;
3210 sin = (struct sockaddr_in *)&saidx.src;
3211 if (sin->sin_len == 0) {
3212 sin->sin_len = sizeof(*sin);
3213 sin->sin_family = AF_INET;
3214 sin->sin_port = IPSEC_PORT_ANY;
3215 bcopy(&ip->ip_src, &sin->sin_addr,
3216 sizeof(sin->sin_addr));
3217 }
3218 sin = (struct sockaddr_in *)&saidx.dst;
3219 if (sin->sin_len == 0) {
3220 sin->sin_len = sizeof(*sin);
3221 sin->sin_family = AF_INET;
3222 sin->sin_port = IPSEC_PORT_ANY;
3223 /*
3224 * Get port from packet if upper layer is UDP and nat traversal
3225 * is enabled and transport mode.
3226 */
3227
3228 if ((esp_udp_encap_port & 0xFFFF) != 0 &&
3229 isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
3230
3231 if (ip->ip_p == IPPROTO_UDP) {
3232 struct udphdr *udp;
3233 size_t hlen;
3234 #ifdef _IP_VHL
3235 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
3236 #else
3237 hlen = ip->ip_hl << 2;
3238 #endif
3239 if (state->m->m_len < hlen + sizeof(struct udphdr)) {
3240 state->m = m_pullup(state->m, hlen + sizeof(struct udphdr));
3241 if (!state->m) {
3242 ipseclog((LOG_DEBUG,
3243 "IPv4 output: can't pullup UDP header\n"));
3244 IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
3245 goto bad;
3246 }
3247 ip = mtod(state->m, struct ip *);
3248 }
3249 udp = (struct udphdr *)(void *)(((u_int8_t *)ip) + hlen);
3250 sin->sin_port = udp->uh_dport;
3251 }
3252 }
3253
3254 bcopy(&ip->ip_dst, &sin->sin_addr,
3255 sizeof(sin->sin_addr));
3256 }
3257
3258 if ((error = key_checkrequest(isr, &saidx, &sav)) != 0) {
3259 /*
3260 * IPsec processing is required, but no SA found.
3261 * I assume that key_acquire() had been called
3262 * to get/establish the SA. Here I discard
3263 * this packet because it is responsibility for
3264 * upper layer to retransmit the packet.
3265 */
3266 IPSEC_STAT_INCREMENT(ipsecstat.out_nosa);
3267 goto bad;
3268 }
3269
3270 /* validity check */
3271 if (sav == NULL) {
3272 switch (ipsec_get_reqlevel(isr)) {
3273 case IPSEC_LEVEL_USE:
3274 continue;
3275 case IPSEC_LEVEL_REQUIRE:
3276 /* must be not reached here. */
3277 panic("ipsec4_output: no SA found, but required.");
3278 }
3279 }
3280
3281 /*
3282 * If there is no valid SA, we give up to process any
3283 * more. In such a case, the SA's status is changed
3284 * from DYING to DEAD after allocating. If a packet
3285 * send to the receiver by dead SA, the receiver can
3286 * not decode a packet because SA has been dead.
3287 */
3288 if (sav->state != SADB_SASTATE_MATURE
3289 && sav->state != SADB_SASTATE_DYING) {
3290 IPSEC_STAT_INCREMENT(ipsecstat.out_nosa);
3291 error = EINVAL;
3292 goto bad;
3293 }
3294
3295 /*
3296 * There may be the case that SA status will be changed when
3297 * we are refering to one. So calling splsoftnet().
3298 */
3299
3300 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3301 /*
3302 * build IPsec tunnel.
3303 */
3304 /* XXX should be processed with other familiy */
3305 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
3306 ipseclog((LOG_ERR, "ipsec4_output: "
3307 "family mismatched between inner and outer spi=%u\n",
3308 (u_int32_t)ntohl(sav->spi)));
3309 error = EAFNOSUPPORT;
3310 goto bad;
3311 }
3312
3313 state->m = ipsec4_splithdr(state->m);
3314 if (!state->m) {
3315 error = ENOMEM;
3316 goto bad;
3317 }
3318 error = ipsec4_encapsulate(state->m, sav);
3319 if (error) {
3320 state->m = NULL;
3321 goto bad;
3322 }
3323 ip = mtod(state->m, struct ip *);
3324
3325 // grab sadb_mutex, before updating sah's route cache
3326 lck_mtx_lock(sadb_mutex);
3327 ro4= &sav->sah->sa_route;
3328 dst4 = (struct sockaddr_in *)(void *)&ro4->ro_dst;
3329 if (ro4->ro_rt != NULL) {
3330 RT_LOCK(ro4->ro_rt);
3331 }
3332 if (ROUTE_UNUSABLE(ro4) ||
3333 dst4->sin_addr.s_addr != ip->ip_dst.s_addr) {
3334 if (ro4->ro_rt != NULL)
3335 RT_UNLOCK(ro4->ro_rt);
3336 ROUTE_RELEASE(ro4);
3337 }
3338 if (ro4->ro_rt == 0) {
3339 dst4->sin_family = AF_INET;
3340 dst4->sin_len = sizeof(*dst4);
3341 dst4->sin_addr = ip->ip_dst;
3342 rtalloc(ro4);
3343 if (ro4->ro_rt == 0) {
3344 OSAddAtomic(1, &ipstat.ips_noroute);
3345 error = EHOSTUNREACH;
3346 // release sadb_mutex, after updating sah's route cache
3347 lck_mtx_unlock(sadb_mutex);
3348 goto bad;
3349 }
3350 RT_LOCK(ro4->ro_rt);
3351 }
3352
3353 /*
3354 * adjust state->dst if tunnel endpoint is offlink
3355 *
3356 * XXX: caching rt_gateway value in the state is
3357 * not really good, since it may point elsewhere
3358 * when the gateway gets modified to a larger
3359 * sockaddr via rt_setgate(). This is currently
3360 * addressed by SA_SIZE roundup in that routine.
3361 */
3362 if (ro4->ro_rt->rt_flags & RTF_GATEWAY)
3363 dst4 = (struct sockaddr_in *)(void *)ro4->ro_rt->rt_gateway;
3364 RT_UNLOCK(ro4->ro_rt);
3365 ROUTE_RELEASE(&state->ro);
3366 route_copyout(&state->ro, ro4, sizeof(state->ro));
3367 state->dst = (struct sockaddr *)dst4;
3368 state->tunneled = 4;
3369 // release sadb_mutex, after updating sah's route cache
3370 lck_mtx_unlock(sadb_mutex);
3371 }
3372
3373 state->m = ipsec4_splithdr(state->m);
3374 if (!state->m) {
3375 error = ENOMEM;
3376 goto bad;
3377 }
3378 switch (isr->saidx.proto) {
3379 case IPPROTO_ESP:
3380 #if IPSEC_ESP
3381 if ((error = esp4_output(state->m, sav)) != 0) {
3382 state->m = NULL;
3383 goto bad;
3384 }
3385 break;
3386 #else
3387 m_freem(state->m);
3388 state->m = NULL;
3389 error = EINVAL;
3390 goto bad;
3391 #endif
3392 case IPPROTO_AH:
3393 if ((error = ah4_output(state->m, sav)) != 0) {
3394 state->m = NULL;
3395 goto bad;
3396 }
3397 break;
3398 case IPPROTO_IPCOMP:
3399 if ((error = ipcomp4_output(state->m, sav)) != 0) {
3400 state->m = NULL;
3401 goto bad;
3402 }
3403 break;
3404 default:
3405 ipseclog((LOG_ERR,
3406 "ipsec4_output: unknown ipsec protocol %d\n",
3407 isr->saidx.proto));
3408 m_freem(state->m);
3409 state->m = NULL;
3410 error = EINVAL;
3411 goto bad;
3412 }
3413
3414 if (state->m == 0) {
3415 error = ENOMEM;
3416 goto bad;
3417 }
3418 ip = mtod(state->m, struct ip *);
3419 }
3420
3421 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0,0,0,0,0);
3422 if (sav)
3423 key_freesav(sav, KEY_SADB_UNLOCKED);
3424 return 0;
3425
3426 bad:
3427 if (sav)
3428 key_freesav(sav, KEY_SADB_UNLOCKED);
3429 m_freem(state->m);
3430 state->m = NULL;
3431 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error,0,0,0,0);
3432 return error;
3433 }
3434 #endif
3435
3436 #if INET6
3437 /*
3438 * IPsec output logic for IPv6, transport mode.
3439 */
3440 int
3441 ipsec6_output_trans(
3442 struct ipsec_output_state *state,
3443 u_char *nexthdrp,
3444 struct mbuf *mprev,
3445 struct secpolicy *sp,
3446 __unused int flags,
3447 int *tun)
3448 {
3449 struct ip6_hdr *ip6;
3450 struct ipsecrequest *isr = NULL;
3451 struct secasindex saidx;
3452 int error = 0;
3453 int plen;
3454 struct sockaddr_in6 *sin6;
3455 struct secasvar *sav = NULL;
3456
3457 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
3458
3459 if (!state)
3460 panic("state == NULL in ipsec6_output_trans");
3461 if (!state->m)
3462 panic("state->m == NULL in ipsec6_output_trans");
3463 if (!nexthdrp)
3464 panic("nexthdrp == NULL in ipsec6_output_trans");
3465 if (!mprev)
3466 panic("mprev == NULL in ipsec6_output_trans");
3467 if (!sp)
3468 panic("sp == NULL in ipsec6_output_trans");
3469 if (!tun)
3470 panic("tun == NULL in ipsec6_output_trans");
3471
3472 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3473 printf("ipsec6_output_trans: applyed SP\n");
3474 kdebug_secpolicy(sp));
3475
3476 *tun = 0;
3477 for (isr = sp->req; isr; isr = isr->next) {
3478 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3479 /* the rest will be handled by ipsec6_output_tunnel() */
3480 break;
3481 }
3482
3483 /* make SA index for search proper SA */
3484 ip6 = mtod(state->m, struct ip6_hdr *);
3485 bcopy(&isr->saidx, &saidx, sizeof(saidx));
3486 saidx.mode = isr->saidx.mode;
3487 saidx.reqid = isr->saidx.reqid;
3488 sin6 = (struct sockaddr_in6 *)&saidx.src;
3489 if (sin6->sin6_len == 0) {
3490 sin6->sin6_len = sizeof(*sin6);
3491 sin6->sin6_family = AF_INET6;
3492 sin6->sin6_port = IPSEC_PORT_ANY;
3493 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
3494 sizeof(ip6->ip6_src));
3495 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
3496 /* fix scope id for comparing SPD */
3497 sin6->sin6_addr.s6_addr16[1] = 0;
3498 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
3499 }
3500 }
3501 sin6 = (struct sockaddr_in6 *)&saidx.dst;
3502 if (sin6->sin6_len == 0) {
3503 sin6->sin6_len = sizeof(*sin6);
3504 sin6->sin6_family = AF_INET6;
3505 sin6->sin6_port = IPSEC_PORT_ANY;
3506 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
3507 sizeof(ip6->ip6_dst));
3508 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
3509 /* fix scope id for comparing SPD */
3510 sin6->sin6_addr.s6_addr16[1] = 0;
3511 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
3512 }
3513 }
3514
3515 if (key_checkrequest(isr, &saidx, &sav) == ENOENT) {
3516 /*
3517 * IPsec processing is required, but no SA found.
3518 * I assume that key_acquire() had been called
3519 * to get/establish the SA. Here I discard
3520 * this packet because it is responsibility for
3521 * upper layer to retransmit the packet.
3522 */
3523 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
3524 error = ENOENT;
3525
3526 /*
3527 * Notify the fact that the packet is discarded
3528 * to ourselves. I believe this is better than
3529 * just silently discarding. (jinmei@kame.net)
3530 * XXX: should we restrict the error to TCP packets?
3531 * XXX: should we directly notify sockets via
3532 * pfctlinputs?
3533 */
3534 icmp6_error(state->m, ICMP6_DST_UNREACH,
3535 ICMP6_DST_UNREACH_ADMIN, 0);
3536 state->m = NULL; /* icmp6_error freed the mbuf */
3537 goto bad;
3538 }
3539
3540 /* validity check */
3541 if (sav == NULL) {
3542 switch (ipsec_get_reqlevel(isr)) {
3543 case IPSEC_LEVEL_USE:
3544 continue;
3545 case IPSEC_LEVEL_REQUIRE:
3546 /* must be not reached here. */
3547 panic("ipsec6_output_trans: no SA found, but required.");
3548 }
3549 }
3550
3551 /*
3552 * If there is no valid SA, we give up to process.
3553 * see same place at ipsec4_output().
3554 */
3555 if (sav->state != SADB_SASTATE_MATURE
3556 && sav->state != SADB_SASTATE_DYING) {
3557 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
3558 error = EINVAL;
3559 goto bad;
3560 }
3561
3562 switch (isr->saidx.proto) {
3563 case IPPROTO_ESP:
3564 #if IPSEC_ESP
3565 error = esp6_output(state->m, nexthdrp, mprev->m_next, sav);
3566 #else
3567 m_freem(state->m);
3568 error = EINVAL;
3569 #endif
3570 break;
3571 case IPPROTO_AH:
3572 error = ah6_output(state->m, nexthdrp, mprev->m_next, sav);
3573 break;
3574 case IPPROTO_IPCOMP:
3575 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, sav);
3576 break;
3577 default:
3578 ipseclog((LOG_ERR, "ipsec6_output_trans: "
3579 "unknown ipsec protocol %d\n", isr->saidx.proto));
3580 m_freem(state->m);
3581 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3582 error = EINVAL;
3583 break;
3584 }
3585 if (error) {
3586 state->m = NULL;
3587 goto bad;
3588 }
3589 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3590 if (plen > IPV6_MAXPACKET) {
3591 ipseclog((LOG_ERR, "ipsec6_output_trans: "
3592 "IPsec with IPv6 jumbogram is not supported\n"));
3593 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3594 error = EINVAL; /*XXX*/
3595 goto bad;
3596 }
3597 ip6 = mtod(state->m, struct ip6_hdr *);
3598 ip6->ip6_plen = htons(plen);
3599 }
3600
3601 /* if we have more to go, we need a tunnel mode processing */
3602 if (isr != NULL)
3603 *tun = 1;
3604
3605 if (sav)
3606 key_freesav(sav, KEY_SADB_UNLOCKED);
3607 return 0;
3608
3609 bad:
3610 if (sav)
3611 key_freesav(sav, KEY_SADB_UNLOCKED);
3612 m_freem(state->m);
3613 state->m = NULL;
3614 return error;
3615 }
3616
3617 /*
3618 * IPsec output logic for IPv6, tunnel mode.
3619 */
3620 int
3621 ipsec6_output_tunnel(
3622 struct ipsec_output_state *state,
3623 struct secpolicy *sp,
3624 __unused int flags)
3625 {
3626 struct ip6_hdr *ip6;
3627 struct ipsecrequest *isr = NULL;
3628 struct secasindex saidx;
3629 struct secasvar *sav = NULL;
3630 int error = 0;
3631 int plen;
3632 struct sockaddr_in6* dst6;
3633 struct route *ro6;
3634
3635 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
3636
3637 if (!state)
3638 panic("state == NULL in ipsec6_output_tunnel");
3639 if (!state->m)
3640 panic("state->m == NULL in ipsec6_output_tunnel");
3641 if (!sp)
3642 panic("sp == NULL in ipsec6_output_tunnel");
3643
3644 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3645 printf("ipsec6_output_tunnel: applyed SP\n");
3646 kdebug_secpolicy(sp));
3647
3648 /*
3649 * transport mode ipsec (before the 1st tunnel mode) is already
3650 * processed by ipsec6_output_trans().
3651 */
3652 for (isr = sp->req; isr; isr = isr->next) {
3653 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
3654 break;
3655 }
3656
3657 for (/* already initialized */; isr; isr = isr->next) {
3658 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3659 /* When tunnel mode, SA peers must be specified. */
3660 bcopy(&isr->saidx, &saidx, sizeof(saidx));
3661 } else {
3662 /* make SA index to look for a proper SA */
3663 struct sockaddr_in6 *sin6;
3664
3665 bzero(&saidx, sizeof(saidx));
3666 saidx.proto = isr->saidx.proto;
3667 saidx.mode = isr->saidx.mode;
3668 saidx.reqid = isr->saidx.reqid;
3669
3670 ip6 = mtod(state->m, struct ip6_hdr *);
3671 sin6 = (struct sockaddr_in6 *)&saidx.src;
3672 if (sin6->sin6_len == 0) {
3673 sin6->sin6_len = sizeof(*sin6);
3674 sin6->sin6_family = AF_INET6;
3675 sin6->sin6_port = IPSEC_PORT_ANY;
3676 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
3677 sizeof(ip6->ip6_src));
3678 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
3679 /* fix scope id for comparing SPD */
3680 sin6->sin6_addr.s6_addr16[1] = 0;
3681 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
3682 }
3683 }
3684 sin6 = (struct sockaddr_in6 *)&saidx.dst;
3685 if (sin6->sin6_len == 0) {
3686 sin6->sin6_len = sizeof(*sin6);
3687 sin6->sin6_family = AF_INET6;
3688 sin6->sin6_port = IPSEC_PORT_ANY;
3689 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
3690 sizeof(ip6->ip6_dst));
3691 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
3692 /* fix scope id for comparing SPD */
3693 sin6->sin6_addr.s6_addr16[1] = 0;
3694 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
3695 }
3696 }
3697 }
3698
3699 if (key_checkrequest(isr, &saidx, &sav) == ENOENT) {
3700 /*
3701 * IPsec processing is required, but no SA found.
3702 * I assume that key_acquire() had been called
3703 * to get/establish the SA. Here I discard
3704 * this packet because it is responsibility for
3705 * upper layer to retransmit the packet.
3706 */
3707 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
3708 error = ENOENT;
3709 goto bad;
3710 }
3711
3712 /* validity check */
3713 if (sav == NULL) {
3714 switch (ipsec_get_reqlevel(isr)) {
3715 case IPSEC_LEVEL_USE:
3716 continue;
3717 case IPSEC_LEVEL_REQUIRE:
3718 /* must be not reached here. */
3719 panic("ipsec6_output_tunnel: no SA found, but required.");
3720 }
3721 }
3722
3723 /*
3724 * If there is no valid SA, we give up to process.
3725 * see same place at ipsec4_output().
3726 */
3727 if (sav->state != SADB_SASTATE_MATURE
3728 && sav->state != SADB_SASTATE_DYING) {
3729 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
3730 error = EINVAL;
3731 goto bad;
3732 }
3733
3734 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3735 /*
3736 * build IPsec tunnel.
3737 */
3738 state->m = ipsec6_splithdr(state->m);
3739 if (!state->m) {
3740 IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem);
3741 error = ENOMEM;
3742 goto bad;
3743 }
3744
3745 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) {
3746 error = ipsec6_encapsulate(state->m, sav);
3747 if (error) {
3748 state->m = 0;
3749 goto bad;
3750 }
3751 ip6 = mtod(state->m, struct ip6_hdr *);
3752 } else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) {
3753
3754 struct ip *ip;
3755 struct sockaddr_in* dst4;
3756 struct route *ro4 = NULL;
3757 struct route ro4_copy;
3758 struct ip_out_args ipoa = { IFSCOPE_NONE, { 0 },
3759 IPOAF_SELECT_SRCIF, 0 };
3760
3761 /*
3762 * must be last isr because encapsulated IPv6 packet
3763 * will be sent by calling ip_output
3764 */
3765 if (isr->next) {
3766 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3767 "IPv4 must be outer layer, spi=%u\n",
3768 (u_int32_t)ntohl(sav->spi)));
3769 error = EINVAL;
3770 goto bad;
3771 }
3772 state->tunneled = 4; /* must not process any further in ip6_output */
3773 error = ipsec64_encapsulate(state->m, sav);
3774 if (error) {
3775 state->m = 0;
3776 goto bad;
3777 }
3778 /* Now we have an IPv4 packet */
3779 ip = mtod(state->m, struct ip *);
3780
3781 // grab sadb_mutex, to update sah's route cache and get a local copy of it
3782 lck_mtx_lock(sadb_mutex);
3783 ro4 = &sav->sah->sa_route;
3784 dst4 = (struct sockaddr_in *)(void *)&ro4->ro_dst;
3785 if (ro4->ro_rt) {
3786 RT_LOCK(ro4->ro_rt);
3787 }
3788 if (ROUTE_UNUSABLE(ro4) ||
3789 dst4->sin_addr.s_addr != ip->ip_dst.s_addr) {
3790 if (ro4->ro_rt != NULL)
3791 RT_UNLOCK(ro4->ro_rt);
3792 ROUTE_RELEASE(ro4);
3793 }
3794 if (ro4->ro_rt == NULL) {
3795 dst4->sin_family = AF_INET;
3796 dst4->sin_len = sizeof(*dst4);
3797 dst4->sin_addr = ip->ip_dst;
3798 } else {
3799 RT_UNLOCK(ro4->ro_rt);
3800 }
3801 route_copyout(&ro4_copy, ro4, sizeof(ro4_copy));
3802 // release sadb_mutex, after updating sah's route cache and getting a local copy
3803 lck_mtx_unlock(sadb_mutex);
3804 state->m = ipsec4_splithdr(state->m);
3805 if (!state->m) {
3806 error = ENOMEM;
3807 ROUTE_RELEASE(&ro4_copy);
3808 goto bad;
3809 }
3810 switch (isr->saidx.proto) {
3811 case IPPROTO_ESP:
3812 #if IPSEC_ESP
3813 if ((error = esp4_output(state->m, sav)) != 0) {
3814 state->m = NULL;
3815 ROUTE_RELEASE(&ro4_copy);
3816 goto bad;
3817 }
3818 break;
3819
3820 #else
3821 m_freem(state->m);
3822 state->m = NULL;
3823 error = EINVAL;
3824 ROUTE_RELEASE(&ro4_copy);
3825 goto bad;
3826 #endif
3827 case IPPROTO_AH:
3828 if ((error = ah4_output(state->m, sav)) != 0) {
3829 state->m = NULL;
3830 ROUTE_RELEASE(&ro4_copy);
3831 goto bad;
3832 }
3833 break;
3834 case IPPROTO_IPCOMP:
3835 if ((error = ipcomp4_output(state->m, sav)) != 0) {
3836 state->m = NULL;
3837 ROUTE_RELEASE(&ro4_copy);
3838 goto bad;
3839 }
3840 break;
3841 default:
3842 ipseclog((LOG_ERR,
3843 "ipsec4_output: unknown ipsec protocol %d\n",
3844 isr->saidx.proto));
3845 m_freem(state->m);
3846 state->m = NULL;
3847 error = EINVAL;
3848 ROUTE_RELEASE(&ro4_copy);
3849 goto bad;
3850 }
3851
3852 if (state->m == 0) {
3853 error = ENOMEM;
3854 ROUTE_RELEASE(&ro4_copy);
3855 goto bad;
3856 }
3857 ip = mtod(state->m, struct ip *);
3858 ip->ip_len = ntohs(ip->ip_len); /* flip len field before calling ip_output */
3859 error = ip_output(state->m, NULL, &ro4_copy, IP_OUTARGS, NULL, &ipoa);
3860 state->m = NULL;
3861 // grab sadb_mutex, to synchronize the sah's route cache with the local copy
3862 lck_mtx_lock(sadb_mutex);
3863 route_copyin(&ro4_copy, ro4, sizeof(ro4_copy));
3864 lck_mtx_unlock(sadb_mutex);
3865 if (error != 0)
3866 goto bad;
3867 goto done;
3868 } else {
3869 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3870 "unsupported inner family, spi=%u\n",
3871 (u_int32_t)ntohl(sav->spi)));
3872 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3873 error = EAFNOSUPPORT;
3874 goto bad;
3875 }
3876
3877 // grab sadb_mutex, before updating sah's route cache
3878 lck_mtx_lock(sadb_mutex);
3879 ro6 = &sav->sah->sa_route;
3880 dst6 = (struct sockaddr_in6 *)(void *)&ro6->ro_dst;
3881 if (ro6->ro_rt) {
3882 RT_LOCK(ro6->ro_rt);
3883 }
3884 if (ROUTE_UNUSABLE(ro6) ||
3885 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst)) {
3886 if (ro6->ro_rt != NULL)
3887 RT_UNLOCK(ro6->ro_rt);
3888 ROUTE_RELEASE(ro6);
3889 }
3890 if (ro6->ro_rt == 0) {
3891 bzero(dst6, sizeof(*dst6));
3892 dst6->sin6_family = AF_INET6;
3893 dst6->sin6_len = sizeof(*dst6);
3894 dst6->sin6_addr = ip6->ip6_dst;
3895 rtalloc(ro6);
3896 if (ro6->ro_rt) {
3897 RT_LOCK(ro6->ro_rt);
3898 }
3899 }
3900 if (ro6->ro_rt == 0) {
3901 ip6stat.ip6s_noroute++;
3902 IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute);
3903 error = EHOSTUNREACH;
3904 // release sadb_mutex, after updating sah's route cache
3905 lck_mtx_unlock(sadb_mutex);
3906 goto bad;
3907 }
3908
3909 /*
3910 * adjust state->dst if tunnel endpoint is offlink
3911 *
3912 * XXX: caching rt_gateway value in the state is
3913 * not really good, since it may point elsewhere
3914 * when the gateway gets modified to a larger
3915 * sockaddr via rt_setgate(). This is currently
3916 * addressed by SA_SIZE roundup in that routine.
3917 */
3918 if (ro6->ro_rt->rt_flags & RTF_GATEWAY)
3919 dst6 = (struct sockaddr_in6 *)(void *)ro6->ro_rt->rt_gateway;
3920 RT_UNLOCK(ro6->ro_rt);
3921 ROUTE_RELEASE(&state->ro);
3922 route_copyout(&state->ro, ro6, sizeof(state->ro));
3923 state->dst = (struct sockaddr *)dst6;
3924 state->tunneled = 6;
3925 // release sadb_mutex, after updating sah's route cache
3926 lck_mtx_unlock(sadb_mutex);
3927 }
3928
3929 state->m = ipsec6_splithdr(state->m);
3930 if (!state->m) {
3931 IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem);
3932 error = ENOMEM;
3933 goto bad;
3934 }
3935 ip6 = mtod(state->m, struct ip6_hdr *);
3936 switch (isr->saidx.proto) {
3937 case IPPROTO_ESP:
3938 #if IPSEC_ESP
3939 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
3940 #else
3941 m_freem(state->m);
3942 error = EINVAL;
3943 #endif
3944 break;
3945 case IPPROTO_AH:
3946 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
3947 break;
3948 case IPPROTO_IPCOMP:
3949 /* XXX code should be here */
3950 /*FALLTHROUGH*/
3951 default:
3952 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3953 "unknown ipsec protocol %d\n", isr->saidx.proto));
3954 m_freem(state->m);
3955 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3956 error = EINVAL;
3957 break;
3958 }
3959 if (error) {
3960 state->m = NULL;
3961 goto bad;
3962 }
3963 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3964 if (plen > IPV6_MAXPACKET) {
3965 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3966 "IPsec with IPv6 jumbogram is not supported\n"));
3967 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3968 error = EINVAL; /*XXX*/
3969 goto bad;
3970 }
3971 ip6 = mtod(state->m, struct ip6_hdr *);
3972 ip6->ip6_plen = htons(plen);
3973 }
3974 done:
3975 if (sav)
3976 key_freesav(sav, KEY_SADB_UNLOCKED);
3977 return 0;
3978
3979 bad:
3980 if (sav)
3981 key_freesav(sav, KEY_SADB_UNLOCKED);
3982 if (state->m)
3983 m_freem(state->m);
3984 state->m = NULL;
3985 return error;
3986 }
3987 #endif /*INET6*/
3988
3989 #if INET
3990 /*
3991 * Chop IP header and option off from the payload.
3992 */
3993 struct mbuf *
3994 ipsec4_splithdr(m)
3995 struct mbuf *m;
3996 {
3997 struct mbuf *mh;
3998 struct ip *ip;
3999 int hlen;
4000
4001 if (m->m_len < sizeof(struct ip))
4002 panic("ipsec4_splithdr: first mbuf too short, m_len %d, pkt_len %d, m_flag %x", m->m_len, m->m_pkthdr.len, m->m_flags);
4003 ip = mtod(m, struct ip *);
4004 #ifdef _IP_VHL
4005 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
4006 #else
4007 hlen = ip->ip_hl << 2;
4008 #endif
4009 if (m->m_len > hlen) {
4010 MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */
4011 if (!mh) {
4012 m_freem(m);
4013 return NULL;
4014 }
4015 M_COPY_PKTHDR(mh, m);
4016 MH_ALIGN(mh, hlen);
4017 m->m_flags &= ~M_PKTHDR;
4018 m_mchtype(m, MT_DATA);
4019 m->m_len -= hlen;
4020 m->m_data += hlen;
4021 mh->m_next = m;
4022 m = mh;
4023 m->m_len = hlen;
4024 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
4025 } else if (m->m_len < hlen) {
4026 m = m_pullup(m, hlen);
4027 if (!m)
4028 return NULL;
4029 }
4030 return m;
4031 }
4032 #endif
4033
4034 #if INET6
4035 struct mbuf *
4036 ipsec6_splithdr(m)
4037 struct mbuf *m;
4038 {
4039 struct mbuf *mh;
4040 struct ip6_hdr *ip6;
4041 int hlen;
4042
4043 if (m->m_len < sizeof(struct ip6_hdr))
4044 panic("ipsec6_splithdr: first mbuf too short");
4045 ip6 = mtod(m, struct ip6_hdr *);
4046 hlen = sizeof(struct ip6_hdr);
4047 if (m->m_len > hlen) {
4048 MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */
4049 if (!mh) {
4050 m_freem(m);
4051 return NULL;
4052 }
4053 M_COPY_PKTHDR(mh, m);
4054 MH_ALIGN(mh, hlen);
4055 m->m_flags &= ~M_PKTHDR;
4056 m_mchtype(m, MT_DATA);
4057 m->m_len -= hlen;
4058 m->m_data += hlen;
4059 mh->m_next = m;
4060 m = mh;
4061 m->m_len = hlen;
4062 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
4063 } else if (m->m_len < hlen) {
4064 m = m_pullup(m, hlen);
4065 if (!m)
4066 return NULL;
4067 }
4068 return m;
4069 }
4070 #endif
4071
4072 /* validate inbound IPsec tunnel packet. */
4073 int
4074 ipsec4_tunnel_validate(m, off, nxt0, sav, ifamily)
4075 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
4076 int off;
4077 u_int nxt0;
4078 struct secasvar *sav;
4079 sa_family_t *ifamily;
4080 {
4081 u_int8_t nxt = nxt0 & 0xff;
4082 struct sockaddr_in *sin;
4083 struct sockaddr_in osrc, odst, i4src, i4dst;
4084 struct sockaddr_in6 i6src, i6dst;
4085 int hlen;
4086 struct secpolicy *sp;
4087 struct ip *oip;
4088
4089 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
4090
4091 #if DIAGNOSTIC
4092 if (m->m_len < sizeof(struct ip))
4093 panic("too short mbuf on ipsec4_tunnel_validate");
4094 #endif
4095 if (nxt != IPPROTO_IPV4 && nxt != IPPROTO_IPV6)
4096 return 0;
4097 if (m->m_pkthdr.len < off + sizeof(struct ip))
4098 return 0;
4099 /* do not decapsulate if the SA is for transport mode only */
4100 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
4101 return 0;
4102
4103 oip = mtod(m, struct ip *);
4104 #ifdef _IP_VHL
4105 hlen = _IP_VHL_HL(oip->ip_vhl) << 2;
4106 #else
4107 hlen = oip->ip_hl << 2;
4108 #endif
4109 if (hlen != sizeof(struct ip))
4110 return 0;
4111
4112 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
4113 if (sin->sin_family != AF_INET)
4114 return 0;
4115 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
4116 return 0;
4117
4118 if (sav->utun_in_fn) {
4119 // the utun SAs don't have a policy (yet).
4120 if (nxt == IPPROTO_IPV4) {
4121 *ifamily = AF_INET;
4122 } else if (nxt == IPPROTO_IPV6) {
4123 *ifamily = AF_INET6;
4124 } else {
4125 return 0;
4126 }
4127 return 1;
4128 }
4129
4130 /* XXX slow */
4131 bzero(&osrc, sizeof(osrc));
4132 bzero(&odst, sizeof(odst));
4133 osrc.sin_family = odst.sin_family = AF_INET;
4134 osrc.sin_len = odst.sin_len = sizeof(struct sockaddr_in);
4135 osrc.sin_addr = oip->ip_src;
4136 odst.sin_addr = oip->ip_dst;
4137 /*
4138 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
4139 * - if the inner destination is multicast address, there can be
4140 * multiple permissible inner source address. implementation
4141 * may want to skip verification of inner source address against
4142 * SPD selector.
4143 * - if the inner protocol is ICMP, the packet may be an error report
4144 * from routers on the other side of the VPN cloud (R in the
4145 * following diagram). in this case, we cannot verify inner source
4146 * address against SPD selector.
4147 * me -- gw === gw -- R -- you
4148 *
4149 * we consider the first bullet to be users responsibility on SPD entry
4150 * configuration (if you need to encrypt multicast traffic, set
4151 * the source range of SPD selector to 0.0.0.0/0, or have explicit
4152 * address ranges for possible senders).
4153 * the second bullet is not taken care of (yet).
4154 *
4155 * therefore, we do not do anything special about inner source.
4156 */
4157 if (nxt == IPPROTO_IPV4) {
4158 bzero(&i4src, sizeof(struct sockaddr_in));
4159 bzero(&i4dst, sizeof(struct sockaddr_in));
4160 i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET;
4161 i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in);
4162 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr),
4163 (caddr_t)&i4src.sin_addr);
4164 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr),
4165 (caddr_t)&i4dst.sin_addr);
4166 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
4167 (struct sockaddr *)&i4src, (struct sockaddr *)&i4dst);
4168 } else if (nxt == IPPROTO_IPV6) {
4169 bzero(&i6src, sizeof(struct sockaddr_in6));
4170 bzero(&i6dst, sizeof(struct sockaddr_in6));
4171 i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6;
4172 i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6);
4173 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr),
4174 (caddr_t)&i6src.sin6_addr);
4175 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr),
4176 (caddr_t)&i6dst.sin6_addr);
4177 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
4178 (struct sockaddr *)&i6src, (struct sockaddr *)&i6dst);
4179 } else
4180 return 0; /* unsupported family */
4181
4182 if (!sp)
4183 return 0;
4184
4185 key_freesp(sp, KEY_SADB_UNLOCKED);
4186
4187 return 1;
4188 }
4189
4190 #if INET6
4191 /* validate inbound IPsec tunnel packet. */
4192 int
4193 ipsec6_tunnel_validate(m, off, nxt0, sav)
4194 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
4195 int off;
4196 u_int nxt0;
4197 struct secasvar *sav;
4198 {
4199 u_int8_t nxt = nxt0 & 0xff;
4200 struct sockaddr_in6 *sin6;
4201 struct sockaddr_in6 osrc, odst, isrc, idst;
4202 struct secpolicy *sp;
4203 struct ip6_hdr *oip6;
4204
4205 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
4206
4207 #if DIAGNOSTIC
4208 if (m->m_len < sizeof(struct ip6_hdr))
4209 panic("too short mbuf on ipsec6_tunnel_validate");
4210 #endif
4211 if (nxt != IPPROTO_IPV6)
4212 return 0;
4213 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
4214 return 0;
4215 /* do not decapsulate if the SA is for transport mode only */
4216 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
4217 return 0;
4218
4219 oip6 = mtod(m, struct ip6_hdr *);
4220 /* AF_INET should be supported, but at this moment we don't. */
4221 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
4222 if (sin6->sin6_family != AF_INET6)
4223 return 0;
4224 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
4225 return 0;
4226
4227 if (sav->utun_in_fn) {
4228 // the utun SAs don't have a policy (yet).
4229 return 1;
4230 }
4231
4232 /* XXX slow */
4233 bzero(&osrc, sizeof(osrc));
4234 bzero(&odst, sizeof(odst));
4235 bzero(&isrc, sizeof(isrc));
4236 bzero(&idst, sizeof(idst));
4237 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
4238 idst.sin6_family = AF_INET6;
4239 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
4240 sizeof(struct sockaddr_in6);
4241 osrc.sin6_addr = oip6->ip6_src;
4242 odst.sin6_addr = oip6->ip6_dst;
4243 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
4244 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
4245 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
4246 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
4247
4248 /*
4249 * regarding to inner source address validation, see a long comment
4250 * in ipsec4_tunnel_validate.
4251 */
4252
4253 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
4254 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
4255 /*
4256 * when there is no suitable inbound policy for the packet of the ipsec
4257 * tunnel mode, the kernel never decapsulate the tunneled packet
4258 * as the ipsec tunnel mode even when the system wide policy is "none".
4259 * then the kernel leaves the generic tunnel module to process this
4260 * packet. if there is no rule of the generic tunnel, the packet
4261 * is rejected and the statistics will be counted up.
4262 */
4263 if (!sp)
4264 return 0;
4265 key_freesp(sp, KEY_SADB_UNLOCKED);
4266
4267 return 1;
4268 }
4269 #endif
4270
4271 /*
4272 * Make a mbuf chain for encryption.
4273 * If the original mbuf chain contains a mbuf with a cluster,
4274 * allocate a new cluster and copy the data to the new cluster.
4275 * XXX: this hack is inefficient, but is necessary to handle cases
4276 * of TCP retransmission...
4277 */
4278 struct mbuf *
4279 ipsec_copypkt(m)
4280 struct mbuf *m;
4281 {
4282 struct mbuf *n, **mpp, *mnew;
4283
4284 for (n = m, mpp = &m; n; n = n->m_next) {
4285 if (n->m_flags & M_EXT) {
4286 /*
4287 * Make a copy only if there are more than one references
4288 * to the cluster.
4289 * XXX: is this approach effective?
4290 */
4291 if (
4292 n->m_ext.ext_free ||
4293 m_mclhasreference(n)
4294 )
4295 {
4296 int remain, copied;
4297 struct mbuf *mm;
4298
4299 if (n->m_flags & M_PKTHDR) {
4300 MGETHDR(mnew, M_DONTWAIT, MT_HEADER); /* MAC-OK */
4301 if (mnew == NULL)
4302 goto fail;
4303 M_COPY_PKTHDR(mnew, n);
4304 }
4305 else {
4306 MGET(mnew, M_DONTWAIT, MT_DATA);
4307 if (mnew == NULL)
4308 goto fail;
4309 }
4310 mnew->m_len = 0;
4311 mm = mnew;
4312
4313 /*
4314 * Copy data. If we don't have enough space to
4315 * store the whole data, allocate a cluster
4316 * or additional mbufs.
4317 * XXX: we don't use m_copyback(), since the
4318 * function does not use clusters and thus is
4319 * inefficient.
4320 */
4321 remain = n->m_len;
4322 copied = 0;
4323 while (1) {
4324 int len;
4325 struct mbuf *mn;
4326
4327 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
4328 len = remain;
4329 else { /* allocate a cluster */
4330 MCLGET(mm, M_DONTWAIT);
4331 if (!(mm->m_flags & M_EXT)) {
4332 m_free(mm);
4333 goto fail;
4334 }
4335 len = remain < MCLBYTES ?
4336 remain : MCLBYTES;
4337 }
4338
4339 bcopy(n->m_data + copied, mm->m_data,
4340 len);
4341
4342 copied += len;
4343 remain -= len;
4344 mm->m_len = len;
4345
4346 if (remain <= 0) /* completed? */
4347 break;
4348
4349 /* need another mbuf */
4350 MGETHDR(mn, M_DONTWAIT, MT_HEADER); /* XXXMAC: tags copied next time in loop? */
4351 if (mn == NULL)
4352 goto fail;
4353 mn->m_pkthdr.rcvif = NULL;
4354 mm->m_next = mn;
4355 mm = mn;
4356 }
4357
4358 /* adjust chain */
4359 mm->m_next = m_free(n);
4360 n = mm;
4361 *mpp = mnew;
4362 mpp = &n->m_next;
4363
4364 continue;
4365 }
4366 }
4367 *mpp = n;
4368 mpp = &n->m_next;
4369 }
4370
4371 return(m);
4372 fail:
4373 m_freem(m);
4374 return(NULL);
4375 }
4376
4377 /*
4378 * Tags are allocated as mbufs for now, since our minimum size is MLEN, we
4379 * should make use of up to that much space.
4380 */
4381 #define IPSEC_TAG_HEADER \
4382
4383 struct ipsec_tag {
4384 struct socket *socket;
4385 u_int32_t history_count;
4386 struct ipsec_history history[];
4387 };
4388
4389 #define IPSEC_TAG_SIZE (MLEN - sizeof(struct m_tag))
4390 #define IPSEC_TAG_HDR_SIZE (offsetof(struct ipsec_tag, history[0]))
4391 #define IPSEC_HISTORY_MAX ((IPSEC_TAG_SIZE - IPSEC_TAG_HDR_SIZE) / \
4392 sizeof(struct ipsec_history))
4393
4394 static struct ipsec_tag *
4395 ipsec_addaux(
4396 struct mbuf *m)
4397 {
4398 struct m_tag *tag;
4399
4400 /* Check if the tag already exists */
4401 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL);
4402
4403 if (tag == NULL) {
4404 struct ipsec_tag *itag;
4405
4406 /* Allocate a tag */
4407 tag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC,
4408 IPSEC_TAG_SIZE, M_DONTWAIT, m);
4409
4410 if (tag) {
4411 itag = (struct ipsec_tag*)(tag + 1);
4412 itag->socket = 0;
4413 itag->history_count = 0;
4414
4415 m_tag_prepend(m, tag);
4416 }
4417 }
4418
4419 return tag ? (struct ipsec_tag*)(tag + 1) : NULL;
4420 }
4421
4422 static struct ipsec_tag *
4423 ipsec_findaux(
4424 struct mbuf *m)
4425 {
4426 struct m_tag *tag;
4427
4428 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL);
4429
4430 return tag ? (struct ipsec_tag*)(tag + 1) : NULL;
4431 }
4432
4433 void
4434 ipsec_delaux(
4435 struct mbuf *m)
4436 {
4437 struct m_tag *tag;
4438
4439 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL);
4440
4441 if (tag) {
4442 m_tag_delete(m, tag);
4443 }
4444 }
4445
4446 /* if the aux buffer is unnecessary, nuke it. */
4447 static void
4448 ipsec_optaux(
4449 struct mbuf *m,
4450 struct ipsec_tag *itag)
4451 {
4452 if (itag && itag->socket == NULL && itag->history_count == 0) {
4453 m_tag_delete(m, ((struct m_tag*)itag) - 1);
4454 }
4455 }
4456
4457 int
4458 ipsec_setsocket(
4459 struct mbuf *m,
4460 struct socket *so)
4461 {
4462 struct ipsec_tag *tag;
4463
4464 /* if so == NULL, don't insist on getting the aux mbuf */
4465 if (so) {
4466 tag = ipsec_addaux(m);
4467 if (!tag)
4468 return ENOBUFS;
4469 } else
4470 tag = ipsec_findaux(m);
4471 if (tag) {
4472 tag->socket = so;
4473 ipsec_optaux(m, tag);
4474 }
4475 return 0;
4476 }
4477
4478 struct socket *
4479 ipsec_getsocket(
4480 struct mbuf *m)
4481 {
4482 struct ipsec_tag *itag;
4483
4484 itag = ipsec_findaux(m);
4485 if (itag)
4486 return itag->socket;
4487 else
4488 return NULL;
4489 }
4490
4491 int
4492 ipsec_addhist(
4493 struct mbuf *m,
4494 int proto,
4495 u_int32_t spi)
4496 {
4497 struct ipsec_tag *itag;
4498 struct ipsec_history *p;
4499 itag = ipsec_addaux(m);
4500 if (!itag)
4501 return ENOBUFS;
4502 if (itag->history_count == IPSEC_HISTORY_MAX)
4503 return ENOSPC; /* XXX */
4504
4505 p = &itag->history[itag->history_count];
4506 itag->history_count++;
4507
4508 bzero(p, sizeof(*p));
4509 p->ih_proto = proto;
4510 p->ih_spi = spi;
4511
4512 return 0;
4513 }
4514
4515 struct ipsec_history *
4516 ipsec_gethist(
4517 struct mbuf *m,
4518 int *lenp)
4519 {
4520 struct ipsec_tag *itag;
4521
4522 itag = ipsec_findaux(m);
4523 if (!itag)
4524 return NULL;
4525 if (itag->history_count == 0)
4526 return NULL;
4527 if (lenp)
4528 *lenp = (int)(itag->history_count * sizeof(struct ipsec_history));
4529 return itag->history;
4530 }
4531
4532 void
4533 ipsec_clearhist(
4534 struct mbuf *m)
4535 {
4536 struct ipsec_tag *itag;
4537
4538 itag = ipsec_findaux(m);
4539 if (itag) {
4540 itag->history_count = 0;
4541 }
4542 ipsec_optaux(m, itag);
4543 }
4544
4545 __private_extern__ int
4546 ipsec_send_natt_keepalive(
4547 struct secasvar *sav)
4548 {
4549 struct mbuf *m;
4550 struct ip *ip;
4551 int error;
4552 struct ip_out_args ipoa =
4553 { IFSCOPE_NONE, { 0 }, IPOAF_SELECT_SRCIF, 0 };
4554 struct route ro;
4555
4556 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
4557
4558 if ((esp_udp_encap_port & 0xFFFF) == 0 || sav->remote_ike_port == 0) return FALSE;
4559
4560 // natt timestamp may have changed... reverify
4561 if ((natt_now - sav->natt_last_activity) < natt_keepalive_interval) return FALSE;
4562
4563 if (sav->flags & SADB_X_EXT_ESP_KEEPALIVE) return FALSE; // don't send these from the kernel
4564
4565 m = m_gethdr(M_NOWAIT, MT_DATA);
4566 if (m == NULL) return FALSE;
4567
4568 ip = (__typeof__(ip))m_mtod(m);
4569
4570 // this sends one type of NATT keepalives (Type 1, ESP keepalives, aren't sent by kernel)
4571 if ((sav->flags & SADB_X_EXT_ESP_KEEPALIVE) == 0) {
4572 struct udphdr *uh;
4573
4574 /*
4575 * Type 2: a UDP packet complete with IP header.
4576 * We must do this because UDP output requires
4577 * an inpcb which we don't have. UDP packet
4578 * contains one byte payload. The byte is set
4579 * to 0xFF.
4580 */
4581 uh = (__typeof__(uh))(void *)((char *)m_mtod(m) + sizeof(*ip));
4582 m->m_len = sizeof(struct udpiphdr) + 1;
4583 bzero(m_mtod(m), m->m_len);
4584 m->m_pkthdr.len = m->m_len;
4585
4586 ip->ip_len = m->m_len;
4587 ip->ip_ttl = ip_defttl;
4588 ip->ip_p = IPPROTO_UDP;
4589 if (sav->sah->dir != IPSEC_DIR_INBOUND) {
4590 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
4591 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
4592 } else {
4593 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
4594 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
4595 }
4596 uh->uh_sport = htons((u_short)esp_udp_encap_port);
4597 uh->uh_dport = htons(sav->remote_ike_port);
4598 uh->uh_ulen = htons(1 + sizeof(*uh));
4599 uh->uh_sum = 0;
4600 *(u_int8_t*)((char*)m_mtod(m) + sizeof(*ip) + sizeof(*uh)) = 0xFF;
4601 }
4602
4603 // grab sadb_mutex, to get a local copy of sah's route cache
4604 lck_mtx_lock(sadb_mutex);
4605 if (ROUTE_UNUSABLE(&sav->sah->sa_route) ||
4606 rt_key(sav->sah->sa_route.ro_rt)->sa_family != AF_INET)
4607 ROUTE_RELEASE(&sav->sah->sa_route);
4608
4609 route_copyout(&ro, &sav->sah->sa_route, sizeof(ro));
4610 lck_mtx_unlock(sadb_mutex);
4611
4612 error = ip_output(m, NULL, &ro, IP_OUTARGS | IP_NOIPSEC, NULL, &ipoa);
4613
4614 // grab sadb_mutex, to synchronize the sah's route cache with the local copy
4615 lck_mtx_lock(sadb_mutex);
4616 route_copyin(&ro, &sav->sah->sa_route, sizeof(ro));
4617 lck_mtx_unlock(sadb_mutex);
4618 if (error == 0) {
4619 sav->natt_last_activity = natt_now;
4620 return TRUE;
4621 }
4622 return FALSE;
4623 }
mirror of XNU