]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/ipsec.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-517.12.7.tar.gz
[apple/xnu.git] / bsd / netinet6 / ipsec.c
1 /* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $ */
2 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #include <sys/param.h>
38 #include <sys/systm.h>
39 #include <sys/malloc.h>
40 #include <sys/mbuf.h>
41 #include <sys/domain.h>
42 #include <sys/protosw.h>
43 #include <sys/socket.h>
44 #include <sys/socketvar.h>
45 #include <sys/errno.h>
46 #include <sys/time.h>
47 #include <sys/kernel.h>
48 #include <sys/syslog.h>
49 #include <sys/sysctl.h>
50
51 #include <net/if.h>
52 #include <net/route.h>
53
54 #include <netinet/in.h>
55 #include <netinet/in_systm.h>
56 #include <netinet/ip.h>
57 #include <netinet/ip_var.h>
58 #include <netinet/in_var.h>
59 #include <netinet/udp.h>
60 #include <netinet/udp_var.h>
61 #include <netinet/ip_ecn.h>
62 #if INET6
63 #include <netinet6/ip6_ecn.h>
64 #endif
65 #include <netinet/tcp.h>
66 #include <netinet/udp.h>
67
68 #include <netinet/ip6.h>
69 #if INET6
70 #include <netinet6/ip6_var.h>
71 #endif
72 #include <netinet/in_pcb.h>
73 #if INET6
74 #include <netinet/icmp6.h>
75 #endif
76
77 #include <netinet6/ipsec.h>
78 #if INET6
79 #include <netinet6/ipsec6.h>
80 #endif
81 #include <netinet6/ah.h>
82 #if INET6
83 #include <netinet6/ah6.h>
84 #endif
85 #if IPSEC_ESP
86 #include <netinet6/esp.h>
87 #if INET6
88 #include <netinet6/esp6.h>
89 #endif
90 #endif
91 #include <netinet6/ipcomp.h>
92 #if INET6
93 #include <netinet6/ipcomp6.h>
94 #endif
95 #include <netkey/key.h>
96 #include <netkey/keydb.h>
97 #include <netkey/key_debug.h>
98
99 #include <net/net_osdep.h>
100
101 #if IPSEC_DEBUG
102 int ipsec_debug = 1;
103 #else
104 int ipsec_debug = 0;
105 #endif
106
107 #include <sys/kdebug.h>
108 #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1)
109 #define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3)
110 #define DBG_FNC_GETPOL_SOCK NETDBG_CODE(DBG_NETIPSEC, (1 << 8))
111 #define DBG_FNC_GETPOL_ADDR NETDBG_CODE(DBG_NETIPSEC, (2 << 8))
112 #define DBG_FNC_IPSEC_OUT NETDBG_CODE(DBG_NETIPSEC, (3 << 8))
113
114
115 struct ipsecstat ipsecstat;
116 int ip4_ah_cleartos = 1;
117 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
118 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
119 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
120 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
121 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
122 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
123 struct secpolicy ip4_def_policy;
124 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
125 int ip4_esp_randpad = -1;
126 int esp_udp_encap_port = 0;
127 static int sysctl_def_policy SYSCTL_HANDLER_ARGS;
128 extern u_int32_t natt_now;
129
130 SYSCTL_DECL(_net_inet_ipsec);
131 #if INET6
132 SYSCTL_DECL(_net_inet6_ipsec6);
133 #endif
134 /* net.inet.ipsec */
135 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
136 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
137 SYSCTL_PROC(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy, CTLTYPE_INT|CTLFLAG_RW,
138 &ip4_def_policy.policy, 0, &sysctl_def_policy, "I", "");
139 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
140 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
141 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
142 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
143 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
144 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
145 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
146 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
147 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
148 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
149 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
150 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
151 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
152 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
153 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
154 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
155 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
156 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
157 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
158 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
159
160 /* for performance, we bypass ipsec until a security policy is set */
161 int ipsec_bypass = 1;
162 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, bypass, CTLFLAG_RD, &ipsec_bypass,0, "");
163
164 /*
165 * NAT Traversal requires a UDP port for encapsulation,
166 * esp_udp_encap_port controls which port is used. Racoon
167 * must set this port to the port racoon is using locally
168 * for nat traversal.
169 */
170 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, esp_port,
171 CTLFLAG_RW, &esp_udp_encap_port, 0, "");
172
173 #if INET6
174 struct ipsecstat ipsec6stat;
175 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
176 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
177 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
178 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
179 struct secpolicy ip6_def_policy;
180 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
181 int ip6_esp_randpad = -1;
182
183 /* net.inet6.ipsec6 */
184 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
185 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
186 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
187 def_policy, CTLFLAG_RW, &ip6_def_policy.policy, 0, "");
188 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
189 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
190 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
191 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
192 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
193 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
194 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
195 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
196 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
197 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
198 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
199 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
200 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
201 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
202 #endif /* INET6 */
203
204 static int ipsec_setspidx_mbuf
205 __P((struct secpolicyindex *, u_int, u_int, struct mbuf *, int));
206 static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
207 #if INET6
208 static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb));
209 #endif
210 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
211 static void ipsec4_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
212 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
213 #if INET6
214 static void ipsec6_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
215 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
216 #endif
217 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
218 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
219 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *src));
220 static int ipsec_set_policy __P((struct secpolicy **pcb_sp,
221 int optname, caddr_t request, size_t len, int priv));
222 static int ipsec_get_policy __P((struct secpolicy *pcb_sp, struct mbuf **mp));
223 static void vshiftl __P((unsigned char *, int, int));
224 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
225 static size_t ipsec_hdrsiz __P((struct secpolicy *));
226 #if INET
227 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
228 #endif
229 #if INET6
230 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
231 #endif
232 #if INET
233 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
234 #endif
235 #if INET6
236 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
237 #endif
238 static struct mbuf *ipsec_addaux __P((struct mbuf *));
239 static struct mbuf *ipsec_findaux __P((struct mbuf *));
240 static void ipsec_optaux __P((struct mbuf *, struct mbuf *));
241 void ipsec_send_natt_keepalive(struct secasvar *sav);
242
243 static int
244 sysctl_def_policy SYSCTL_HANDLER_ARGS
245 {
246 int old_policy = ip4_def_policy.policy;
247 int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
248
249 if (ip4_def_policy.policy != IPSEC_POLICY_NONE &&
250 ip4_def_policy.policy != IPSEC_POLICY_DISCARD) {
251 ip4_def_policy.policy = old_policy;
252 return EINVAL;
253 }
254
255 /* Turn off the bypass if the default security policy changes */
256 if (ipsec_bypass != 0 && ip4_def_policy.policy != IPSEC_POLICY_NONE)
257 ipsec_bypass = 0;
258
259 return error;
260 }
261
262 /*
263 * For OUTBOUND packet having a socket. Searching SPD for packet,
264 * and return a pointer to SP.
265 * OUT: NULL: no apropreate SP found, the following value is set to error.
266 * 0 : bypass
267 * EACCES : discard packet.
268 * ENOENT : ipsec_acquire() in progress, maybe.
269 * others : error occured.
270 * others: a pointer to SP
271 *
272 * NOTE: IPv6 mapped adddress concern is implemented here.
273 */
274 struct secpolicy *
275 ipsec4_getpolicybysock(m, dir, so, error)
276 struct mbuf *m;
277 u_int dir;
278 struct socket *so;
279 int *error;
280 {
281 struct inpcbpolicy *pcbsp = NULL;
282 struct secpolicy *currsp = NULL; /* policy on socket */
283 struct secpolicy *kernsp = NULL; /* policy on kernel */
284
285 /* sanity check */
286 if (m == NULL || so == NULL || error == NULL)
287 panic("ipsec4_getpolicybysock: NULL pointer was passed.\n");
288
289 if (so->so_pcb == NULL) {
290 /* Socket may be closing or without PCB */
291 return ipsec4_getpolicybyaddr(m, dir, 0, error);
292 }
293
294 switch (so->so_proto->pr_domain->dom_family) {
295 case AF_INET:
296 pcbsp = sotoinpcb(so)->inp_sp;
297 break;
298 #if INET6
299 case AF_INET6:
300 pcbsp = sotoin6pcb(so)->in6p_sp;
301 break;
302 #endif
303 }
304
305 if (!pcbsp){
306 /* Socket has not specified an IPSEC policy */
307 return ipsec4_getpolicybyaddr(m, dir, 0, error);
308 }
309
310 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_START, 0,0,0,0,0);
311
312 switch (so->so_proto->pr_domain->dom_family) {
313 case AF_INET:
314 /* set spidx in pcb */
315 *error = ipsec4_setspidx_inpcb(m, sotoinpcb(so));
316 break;
317 #if INET6
318 case AF_INET6:
319 /* set spidx in pcb */
320 *error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
321 break;
322 #endif
323 default:
324 panic("ipsec4_getpolicybysock: unsupported address family\n");
325 }
326 if (*error) {
327 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 1,*error,0,0,0);
328 return NULL;
329 }
330
331 /* sanity check */
332 if (pcbsp == NULL)
333 panic("ipsec4_getpolicybysock: pcbsp is NULL.\n");
334
335 switch (dir) {
336 case IPSEC_DIR_INBOUND:
337 currsp = pcbsp->sp_in;
338 break;
339 case IPSEC_DIR_OUTBOUND:
340 currsp = pcbsp->sp_out;
341 break;
342 default:
343 panic("ipsec4_getpolicybysock: illegal direction.\n");
344 }
345
346 /* sanity check */
347 if (currsp == NULL)
348 panic("ipsec4_getpolicybysock: currsp is NULL.\n");
349
350 /* when privilieged socket */
351 if (pcbsp->priv) {
352 switch (currsp->policy) {
353 case IPSEC_POLICY_BYPASS:
354 currsp->refcnt++;
355 *error = 0;
356 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 2,*error,0,0,0);
357 return currsp;
358
359 case IPSEC_POLICY_ENTRUST:
360 /* look for a policy in SPD */
361 kernsp = key_allocsp(&currsp->spidx, dir);
362
363 /* SP found */
364 if (kernsp != NULL) {
365 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
366 printf("DP ipsec4_getpolicybysock called "
367 "to allocate SP:%p\n", kernsp));
368 *error = 0;
369 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 3,*error,0,0,0);
370 return kernsp;
371 }
372
373 /* no SP found */
374 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
375 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
376 ipseclog((LOG_INFO,
377 "fixed system default policy: %d->%d\n",
378 ip4_def_policy.policy, IPSEC_POLICY_NONE));
379 ip4_def_policy.policy = IPSEC_POLICY_NONE;
380 }
381 ip4_def_policy.refcnt++;
382 *error = 0;
383 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 4,*error,0,0,0);
384 return &ip4_def_policy;
385
386 case IPSEC_POLICY_IPSEC:
387 currsp->refcnt++;
388 *error = 0;
389 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 5,*error,0,0,0);
390 return currsp;
391
392 default:
393 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
394 "Invalid policy for PCB %d\n", currsp->policy));
395 *error = EINVAL;
396 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 6,*error,0,0,0);
397 return NULL;
398 }
399 /* NOTREACHED */
400 }
401
402 /* when non-privilieged socket */
403 /* look for a policy in SPD */
404 kernsp = key_allocsp(&currsp->spidx, dir);
405
406 /* SP found */
407 if (kernsp != NULL) {
408 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
409 printf("DP ipsec4_getpolicybysock called "
410 "to allocate SP:%p\n", kernsp));
411 *error = 0;
412 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 7,*error,0,0,0);
413 return kernsp;
414 }
415
416 /* no SP found */
417 switch (currsp->policy) {
418 case IPSEC_POLICY_BYPASS:
419 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
420 "Illegal policy for non-priviliged defined %d\n",
421 currsp->policy));
422 *error = EINVAL;
423 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 8,*error,0,0,0);
424 return NULL;
425
426 case IPSEC_POLICY_ENTRUST:
427 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
428 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
429 ipseclog((LOG_INFO,
430 "fixed system default policy: %d->%d\n",
431 ip4_def_policy.policy, IPSEC_POLICY_NONE));
432 ip4_def_policy.policy = IPSEC_POLICY_NONE;
433 }
434 ip4_def_policy.refcnt++;
435 *error = 0;
436 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 9,*error,0,0,0);
437 return &ip4_def_policy;
438
439 case IPSEC_POLICY_IPSEC:
440 currsp->refcnt++;
441 *error = 0;
442 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 10,*error,0,0,0);
443 return currsp;
444
445 default:
446 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
447 "Invalid policy for PCB %d\n", currsp->policy));
448 *error = EINVAL;
449 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 11,*error,0,0,0);
450 return NULL;
451 }
452 /* NOTREACHED */
453 }
454
455 /*
456 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
457 * and return a pointer to SP.
458 * OUT: positive: a pointer to the entry for security policy leaf matched.
459 * NULL: no apropreate SP found, the following value is set to error.
460 * 0 : bypass
461 * EACCES : discard packet.
462 * ENOENT : ipsec_acquire() in progress, maybe.
463 * others : error occured.
464 */
465 struct secpolicy *
466 ipsec4_getpolicybyaddr(m, dir, flag, error)
467 struct mbuf *m;
468 u_int dir;
469 int flag;
470 int *error;
471 {
472 struct secpolicy *sp = NULL;
473
474 if (ipsec_bypass != 0)
475 return 0;
476
477 /* sanity check */
478 if (m == NULL || error == NULL)
479 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n");
480
481 {
482 struct secpolicyindex spidx;
483
484 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0);
485 bzero(&spidx, sizeof(spidx));
486
487 /* make a index to look for a policy */
488 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
489 (flag & IP_FORWARDING) ? 0 : 1);
490
491 if (*error != 0) {
492 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,*error,0,0,0);
493 return NULL;
494 }
495
496 sp = key_allocsp(&spidx, dir);
497 }
498
499 /* SP found */
500 if (sp != NULL) {
501 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
502 printf("DP ipsec4_getpolicybyaddr called "
503 "to allocate SP:%p\n", sp));
504 *error = 0;
505 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,*error,0,0,0);
506 return sp;
507 }
508
509 /* no SP found */
510 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
511 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
512 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
513 ip4_def_policy.policy,
514 IPSEC_POLICY_NONE));
515 ip4_def_policy.policy = IPSEC_POLICY_NONE;
516 }
517 ip4_def_policy.refcnt++;
518 *error = 0;
519 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 3,*error,0,0,0);
520 return &ip4_def_policy;
521 }
522
523 #if INET6
524 /*
525 * For OUTBOUND packet having a socket. Searching SPD for packet,
526 * and return a pointer to SP.
527 * OUT: NULL: no apropreate SP found, the following value is set to error.
528 * 0 : bypass
529 * EACCES : discard packet.
530 * ENOENT : ipsec_acquire() in progress, maybe.
531 * others : error occured.
532 * others: a pointer to SP
533 */
534 struct secpolicy *
535 ipsec6_getpolicybysock(m, dir, so, error)
536 struct mbuf *m;
537 u_int dir;
538 struct socket *so;
539 int *error;
540 {
541 struct inpcbpolicy *pcbsp = NULL;
542 struct secpolicy *currsp = NULL; /* policy on socket */
543 struct secpolicy *kernsp = NULL; /* policy on kernel */
544
545 /* sanity check */
546 if (m == NULL || so == NULL || error == NULL)
547 panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
548
549 #if DIAGNOSTIC
550 if (so->so_proto->pr_domain->dom_family != AF_INET6)
551 panic("ipsec6_getpolicybysock: socket domain != inet6\n");
552 #endif
553
554 pcbsp = sotoin6pcb(so)->in6p_sp;
555
556 if (!pcbsp){
557 return ipsec6_getpolicybyaddr(m, dir, 0, error);
558 }
559
560 /* set spidx in pcb */
561 ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
562
563 /* sanity check */
564 if (pcbsp == NULL)
565 panic("ipsec6_getpolicybysock: pcbsp is NULL.\n");
566
567 switch (dir) {
568 case IPSEC_DIR_INBOUND:
569 currsp = pcbsp->sp_in;
570 break;
571 case IPSEC_DIR_OUTBOUND:
572 currsp = pcbsp->sp_out;
573 break;
574 default:
575 panic("ipsec6_getpolicybysock: illegal direction.\n");
576 }
577
578 /* sanity check */
579 if (currsp == NULL)
580 panic("ipsec6_getpolicybysock: currsp is NULL.\n");
581
582 /* when privilieged socket */
583 if (pcbsp->priv) {
584 switch (currsp->policy) {
585 case IPSEC_POLICY_BYPASS:
586 currsp->refcnt++;
587 *error = 0;
588 return currsp;
589
590 case IPSEC_POLICY_ENTRUST:
591 /* look for a policy in SPD */
592 kernsp = key_allocsp(&currsp->spidx, dir);
593
594 /* SP found */
595 if (kernsp != NULL) {
596 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
597 printf("DP ipsec6_getpolicybysock called "
598 "to allocate SP:%p\n", kernsp));
599 *error = 0;
600 return kernsp;
601 }
602
603 /* no SP found */
604 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
605 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
606 ipseclog((LOG_INFO,
607 "fixed system default policy: %d->%d\n",
608 ip6_def_policy.policy, IPSEC_POLICY_NONE));
609 ip6_def_policy.policy = IPSEC_POLICY_NONE;
610 }
611 ip6_def_policy.refcnt++;
612 *error = 0;
613 return &ip6_def_policy;
614
615 case IPSEC_POLICY_IPSEC:
616 currsp->refcnt++;
617 *error = 0;
618 return currsp;
619
620 default:
621 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
622 "Invalid policy for PCB %d\n", currsp->policy));
623 *error = EINVAL;
624 return NULL;
625 }
626 /* NOTREACHED */
627 }
628
629 /* when non-privilieged socket */
630 /* look for a policy in SPD */
631 kernsp = key_allocsp(&currsp->spidx, dir);
632
633 /* SP found */
634 if (kernsp != NULL) {
635 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
636 printf("DP ipsec6_getpolicybysock called "
637 "to allocate SP:%p\n", kernsp));
638 *error = 0;
639 return kernsp;
640 }
641
642 /* no SP found */
643 switch (currsp->policy) {
644 case IPSEC_POLICY_BYPASS:
645 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
646 "Illegal policy for non-priviliged defined %d\n",
647 currsp->policy));
648 *error = EINVAL;
649 return NULL;
650
651 case IPSEC_POLICY_ENTRUST:
652 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
653 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
654 ipseclog((LOG_INFO,
655 "fixed system default policy: %d->%d\n",
656 ip6_def_policy.policy, IPSEC_POLICY_NONE));
657 ip6_def_policy.policy = IPSEC_POLICY_NONE;
658 }
659 ip6_def_policy.refcnt++;
660 *error = 0;
661 return &ip6_def_policy;
662
663 case IPSEC_POLICY_IPSEC:
664 currsp->refcnt++;
665 *error = 0;
666 return currsp;
667
668 default:
669 ipseclog((LOG_ERR,
670 "ipsec6_policybysock: Invalid policy for PCB %d\n",
671 currsp->policy));
672 *error = EINVAL;
673 return NULL;
674 }
675 /* NOTREACHED */
676 }
677
678 /*
679 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
680 * and return a pointer to SP.
681 * `flag' means that packet is to be forwarded whether or not.
682 * flag = 1: forwad
683 * OUT: positive: a pointer to the entry for security policy leaf matched.
684 * NULL: no apropreate SP found, the following value is set to error.
685 * 0 : bypass
686 * EACCES : discard packet.
687 * ENOENT : ipsec_acquire() in progress, maybe.
688 * others : error occured.
689 */
690 #ifndef IP_FORWARDING
691 #define IP_FORWARDING 1
692 #endif
693
694 struct secpolicy *
695 ipsec6_getpolicybyaddr(m, dir, flag, error)
696 struct mbuf *m;
697 u_int dir;
698 int flag;
699 int *error;
700 {
701 struct secpolicy *sp = NULL;
702
703 /* sanity check */
704 if (m == NULL || error == NULL)
705 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n");
706
707 {
708 struct secpolicyindex spidx;
709
710 bzero(&spidx, sizeof(spidx));
711
712 /* make a index to look for a policy */
713 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
714 (flag & IP_FORWARDING) ? 0 : 1);
715
716 if (*error != 0)
717 return NULL;
718
719 sp = key_allocsp(&spidx, dir);
720 }
721
722 /* SP found */
723 if (sp != NULL) {
724 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
725 printf("DP ipsec6_getpolicybyaddr called "
726 "to allocate SP:%p\n", sp));
727 *error = 0;
728 return sp;
729 }
730
731 /* no SP found */
732 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
733 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
734 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
735 ip6_def_policy.policy, IPSEC_POLICY_NONE));
736 ip6_def_policy.policy = IPSEC_POLICY_NONE;
737 }
738 ip6_def_policy.refcnt++;
739 *error = 0;
740 return &ip6_def_policy;
741 }
742 #endif /* INET6 */
743
744 /*
745 * set IP address into spidx from mbuf.
746 * When Forwarding packet and ICMP echo reply, this function is used.
747 *
748 * IN: get the followings from mbuf.
749 * protocol family, src, dst, next protocol
750 * OUT:
751 * 0: success.
752 * other: failure, and set errno.
753 */
754 int
755 ipsec_setspidx_mbuf(spidx, dir, family, m, needport)
756 struct secpolicyindex *spidx;
757 u_int dir, family;
758 struct mbuf *m;
759 int needport;
760 {
761 int error;
762
763 /* sanity check */
764 if (spidx == NULL || m == NULL)
765 panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n");
766
767 bzero(spidx, sizeof(*spidx));
768
769 error = ipsec_setspidx(m, spidx, needport);
770 if (error)
771 goto bad;
772 spidx->dir = dir;
773
774 return 0;
775
776 bad:
777 /* XXX initialize */
778 bzero(spidx, sizeof(*spidx));
779 return EINVAL;
780 }
781
782 static int
783 ipsec4_setspidx_inpcb(m, pcb)
784 struct mbuf *m;
785 struct inpcb *pcb;
786 {
787 struct secpolicyindex *spidx;
788 int error;
789
790 if (ipsec_bypass != 0)
791 return 0;
792
793 /* sanity check */
794 if (pcb == NULL)
795 panic("ipsec4_setspidx_inpcb: no PCB found.\n");
796 if (pcb->inp_sp == NULL)
797 panic("ipsec4_setspidx_inpcb: no inp_sp found.\n");
798 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL)
799 panic("ipsec4_setspidx_inpcb: no sp_in/out found.\n");
800
801 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
802 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
803
804 spidx = &pcb->inp_sp->sp_in->spidx;
805 error = ipsec_setspidx(m, spidx, 1);
806 if (error)
807 goto bad;
808 spidx->dir = IPSEC_DIR_INBOUND;
809
810 spidx = &pcb->inp_sp->sp_out->spidx;
811 error = ipsec_setspidx(m, spidx, 1);
812 if (error)
813 goto bad;
814 spidx->dir = IPSEC_DIR_OUTBOUND;
815
816 return 0;
817
818 bad:
819 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
820 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
821 return error;
822 }
823
824 #if INET6
825 static int
826 ipsec6_setspidx_in6pcb(m, pcb)
827 struct mbuf *m;
828 struct in6pcb *pcb;
829 {
830 struct secpolicyindex *spidx;
831 int error;
832
833 /* sanity check */
834 if (pcb == NULL)
835 panic("ipsec6_setspidx_in6pcb: no PCB found.\n");
836 if (pcb->in6p_sp == NULL)
837 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.\n");
838 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL)
839 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.\n");
840
841 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
842 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
843
844 spidx = &pcb->in6p_sp->sp_in->spidx;
845 error = ipsec_setspidx(m, spidx, 1);
846 if (error)
847 goto bad;
848 spidx->dir = IPSEC_DIR_INBOUND;
849
850 spidx = &pcb->in6p_sp->sp_out->spidx;
851 error = ipsec_setspidx(m, spidx, 1);
852 if (error)
853 goto bad;
854 spidx->dir = IPSEC_DIR_OUTBOUND;
855
856 return 0;
857
858 bad:
859 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
860 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
861 return error;
862 }
863 #endif
864
865 /*
866 * configure security policy index (src/dst/proto/sport/dport)
867 * by looking at the content of mbuf.
868 * the caller is responsible for error recovery (like clearing up spidx).
869 */
870 static int
871 ipsec_setspidx(m, spidx, needport)
872 struct mbuf *m;
873 struct secpolicyindex *spidx;
874 int needport;
875 {
876 struct ip *ip = NULL;
877 struct ip ipbuf;
878 u_int v;
879 struct mbuf *n;
880 int len;
881 int error;
882
883 if (m == NULL)
884 panic("ipsec_setspidx: m == 0 passed.\n");
885
886 /*
887 * validate m->m_pkthdr.len. we see incorrect length if we
888 * mistakenly call this function with inconsistent mbuf chain
889 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
890 */
891 len = 0;
892 for (n = m; n; n = n->m_next)
893 len += n->m_len;
894 if (m->m_pkthdr.len != len) {
895 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
896 printf("ipsec_setspidx: "
897 "total of m_len(%d) != pkthdr.len(%d), "
898 "ignored.\n",
899 len, m->m_pkthdr.len));
900 return EINVAL;
901 }
902
903 if (m->m_pkthdr.len < sizeof(struct ip)) {
904 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
905 printf("ipsec_setspidx: "
906 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
907 m->m_pkthdr.len));
908 return EINVAL;
909 }
910
911 if (m->m_len >= sizeof(*ip))
912 ip = mtod(m, struct ip *);
913 else {
914 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
915 ip = &ipbuf;
916 }
917 #ifdef _IP_VHL
918 v = _IP_VHL_V(ip->ip_vhl);
919 #else
920 v = ip->ip_v;
921 #endif
922 switch (v) {
923 case 4:
924 error = ipsec4_setspidx_ipaddr(m, spidx);
925 if (error)
926 return error;
927 ipsec4_get_ulp(m, spidx, needport);
928 return 0;
929 #ifdef INET6
930 case 6:
931 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
932 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
933 printf("ipsec_setspidx: "
934 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
935 "ignored.\n", m->m_pkthdr.len));
936 return EINVAL;
937 }
938 error = ipsec6_setspidx_ipaddr(m, spidx);
939 if (error)
940 return error;
941 ipsec6_get_ulp(m, spidx, needport);
942 return 0;
943 #endif
944 default:
945 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
946 printf("ipsec_setspidx: "
947 "unknown IP version %u, ignored.\n", v));
948 return EINVAL;
949 }
950 }
951
952 static void
953 ipsec4_get_ulp(m, spidx, needport)
954 struct mbuf *m;
955 struct secpolicyindex *spidx;
956 int needport;
957 {
958 struct ip ip;
959 struct ip6_ext ip6e;
960 u_int8_t nxt;
961 int off;
962 struct tcphdr th;
963 struct udphdr uh;
964
965 /* sanity check */
966 if (m == NULL)
967 panic("ipsec4_get_ulp: NULL pointer was passed.\n");
968 if (m->m_pkthdr.len < sizeof(ip))
969 panic("ipsec4_get_ulp: too short\n");
970
971 /* set default */
972 spidx->ul_proto = IPSEC_ULPROTO_ANY;
973 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
974 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
975
976 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
977 /* ip_input() flips it into host endian XXX need more checking */
978 if (ip.ip_off & (IP_MF | IP_OFFMASK))
979 return;
980
981 nxt = ip.ip_p;
982 #ifdef _IP_VHL
983 off = _IP_VHL_HL(ip->ip_vhl) << 2;
984 #else
985 off = ip.ip_hl << 2;
986 #endif
987 while (off < m->m_pkthdr.len) {
988 switch (nxt) {
989 case IPPROTO_TCP:
990 spidx->ul_proto = nxt;
991 if (!needport)
992 return;
993 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
994 return;
995 m_copydata(m, off, sizeof(th), (caddr_t)&th);
996 ((struct sockaddr_in *)&spidx->src)->sin_port =
997 th.th_sport;
998 ((struct sockaddr_in *)&spidx->dst)->sin_port =
999 th.th_dport;
1000 return;
1001 case IPPROTO_UDP:
1002 spidx->ul_proto = nxt;
1003 if (!needport)
1004 return;
1005 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1006 return;
1007 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1008 ((struct sockaddr_in *)&spidx->src)->sin_port =
1009 uh.uh_sport;
1010 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1011 uh.uh_dport;
1012 return;
1013 case IPPROTO_AH:
1014 if (m->m_pkthdr.len > off + sizeof(ip6e))
1015 return;
1016 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1017 off += (ip6e.ip6e_len + 2) << 2;
1018 nxt = ip6e.ip6e_nxt;
1019 break;
1020 case IPPROTO_ICMP:
1021 default:
1022 /* XXX intermediate headers??? */
1023 spidx->ul_proto = nxt;
1024 return;
1025 }
1026 }
1027 }
1028
1029 /* assumes that m is sane */
1030 static int
1031 ipsec4_setspidx_ipaddr(m, spidx)
1032 struct mbuf *m;
1033 struct secpolicyindex *spidx;
1034 {
1035 struct ip *ip = NULL;
1036 struct ip ipbuf;
1037 struct sockaddr_in *sin;
1038
1039 if (m->m_len >= sizeof(*ip))
1040 ip = mtod(m, struct ip *);
1041 else {
1042 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1043 ip = &ipbuf;
1044 }
1045
1046 sin = (struct sockaddr_in *)&spidx->src;
1047 bzero(sin, sizeof(*sin));
1048 sin->sin_family = AF_INET;
1049 sin->sin_len = sizeof(struct sockaddr_in);
1050 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1051 spidx->prefs = sizeof(struct in_addr) << 3;
1052
1053 sin = (struct sockaddr_in *)&spidx->dst;
1054 bzero(sin, sizeof(*sin));
1055 sin->sin_family = AF_INET;
1056 sin->sin_len = sizeof(struct sockaddr_in);
1057 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1058 spidx->prefd = sizeof(struct in_addr) << 3;
1059 return 0;
1060 }
1061
1062 #if INET6
1063 static void
1064 ipsec6_get_ulp(m, spidx, needport)
1065 struct mbuf *m;
1066 struct secpolicyindex *spidx;
1067 int needport;
1068 {
1069 int off, nxt;
1070 struct tcphdr th;
1071 struct udphdr uh;
1072
1073 /* sanity check */
1074 if (m == NULL)
1075 panic("ipsec6_get_ulp: NULL pointer was passed.\n");
1076
1077 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1078 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1079
1080 /* set default */
1081 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1082 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1083 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1084
1085 nxt = -1;
1086 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1087 if (off < 0 || m->m_pkthdr.len < off)
1088 return;
1089
1090 switch (nxt) {
1091 case IPPROTO_TCP:
1092 spidx->ul_proto = nxt;
1093 if (!needport)
1094 break;
1095 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1096 break;
1097 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1098 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1099 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1100 break;
1101 case IPPROTO_UDP:
1102 spidx->ul_proto = nxt;
1103 if (!needport)
1104 break;
1105 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1106 break;
1107 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1108 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1109 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1110 break;
1111 case IPPROTO_ICMPV6:
1112 default:
1113 /* XXX intermediate headers??? */
1114 spidx->ul_proto = nxt;
1115 break;
1116 }
1117 }
1118
1119 /* assumes that m is sane */
1120 static int
1121 ipsec6_setspidx_ipaddr(m, spidx)
1122 struct mbuf *m;
1123 struct secpolicyindex *spidx;
1124 {
1125 struct ip6_hdr *ip6 = NULL;
1126 struct ip6_hdr ip6buf;
1127 struct sockaddr_in6 *sin6;
1128
1129 if (m->m_len >= sizeof(*ip6))
1130 ip6 = mtod(m, struct ip6_hdr *);
1131 else {
1132 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1133 ip6 = &ip6buf;
1134 }
1135
1136 sin6 = (struct sockaddr_in6 *)&spidx->src;
1137 bzero(sin6, sizeof(*sin6));
1138 sin6->sin6_family = AF_INET6;
1139 sin6->sin6_len = sizeof(struct sockaddr_in6);
1140 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
1141 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1142 sin6->sin6_addr.s6_addr16[1] = 0;
1143 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1144 }
1145 spidx->prefs = sizeof(struct in6_addr) << 3;
1146
1147 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1148 bzero(sin6, sizeof(*sin6));
1149 sin6->sin6_family = AF_INET6;
1150 sin6->sin6_len = sizeof(struct sockaddr_in6);
1151 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
1152 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1153 sin6->sin6_addr.s6_addr16[1] = 0;
1154 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1155 }
1156 spidx->prefd = sizeof(struct in6_addr) << 3;
1157
1158 return 0;
1159 }
1160 #endif
1161
1162 static struct inpcbpolicy *
1163 ipsec_newpcbpolicy()
1164 {
1165 struct inpcbpolicy *p;
1166
1167 p = (struct inpcbpolicy *)_MALLOC(sizeof(*p), M_SECA, M_WAITOK);
1168 return p;
1169 }
1170
1171 static void
1172 ipsec_delpcbpolicy(p)
1173 struct inpcbpolicy *p;
1174 {
1175 FREE(p, M_SECA);
1176 }
1177
1178 /* initialize policy in PCB */
1179 int
1180 ipsec_init_policy(so, pcb_sp)
1181 struct socket *so;
1182 struct inpcbpolicy **pcb_sp;
1183 {
1184 struct inpcbpolicy *new;
1185
1186 /* sanity check. */
1187 if (so == NULL || pcb_sp == NULL)
1188 panic("ipsec_init_policy: NULL pointer was passed.\n");
1189
1190 new = ipsec_newpcbpolicy();
1191 if (new == NULL) {
1192 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1193 return ENOBUFS;
1194 }
1195 bzero(new, sizeof(*new));
1196
1197 #ifdef __APPLE__
1198 if (so->so_uid == 0)
1199 #else
1200 if (so->so_cred != 0 && so->so_cred->pc_ucred->cr_uid == 0)
1201 #endif
1202 new->priv = 1;
1203 else
1204 new->priv = 0;
1205
1206 if ((new->sp_in = key_newsp()) == NULL) {
1207 ipsec_delpcbpolicy(new);
1208 return ENOBUFS;
1209 }
1210 new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1211 new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1212
1213 if ((new->sp_out = key_newsp()) == NULL) {
1214 key_freesp(new->sp_in);
1215 ipsec_delpcbpolicy(new);
1216 return ENOBUFS;
1217 }
1218 new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1219 new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1220
1221 *pcb_sp = new;
1222
1223 return 0;
1224 }
1225
1226 /* copy old ipsec policy into new */
1227 int
1228 ipsec_copy_policy(old, new)
1229 struct inpcbpolicy *old, *new;
1230 {
1231 struct secpolicy *sp;
1232
1233 if (ipsec_bypass != 0)
1234 return 0;
1235
1236 sp = ipsec_deepcopy_policy(old->sp_in);
1237 if (sp) {
1238 key_freesp(new->sp_in);
1239 new->sp_in = sp;
1240 } else
1241 return ENOBUFS;
1242
1243 sp = ipsec_deepcopy_policy(old->sp_out);
1244 if (sp) {
1245 key_freesp(new->sp_out);
1246 new->sp_out = sp;
1247 } else
1248 return ENOBUFS;
1249
1250 new->priv = old->priv;
1251
1252 return 0;
1253 }
1254
1255 /* deep-copy a policy in PCB */
1256 static struct secpolicy *
1257 ipsec_deepcopy_policy(src)
1258 struct secpolicy *src;
1259 {
1260 struct ipsecrequest *newchain = NULL;
1261 struct ipsecrequest *p;
1262 struct ipsecrequest **q;
1263 struct ipsecrequest *r;
1264 struct secpolicy *dst;
1265
1266 dst = key_newsp();
1267 if (src == NULL || dst == NULL)
1268 return NULL;
1269
1270 /*
1271 * deep-copy IPsec request chain. This is required since struct
1272 * ipsecrequest is not reference counted.
1273 */
1274 q = &newchain;
1275 for (p = src->req; p; p = p->next) {
1276 *q = (struct ipsecrequest *)_MALLOC(sizeof(struct ipsecrequest),
1277 M_SECA, M_WAITOK);
1278 if (*q == NULL)
1279 goto fail;
1280 bzero(*q, sizeof(**q));
1281 (*q)->next = NULL;
1282
1283 (*q)->saidx.proto = p->saidx.proto;
1284 (*q)->saidx.mode = p->saidx.mode;
1285 (*q)->level = p->level;
1286 (*q)->saidx.reqid = p->saidx.reqid;
1287
1288 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1289 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1290
1291 (*q)->sav = NULL;
1292 (*q)->sp = dst;
1293
1294 q = &((*q)->next);
1295 }
1296
1297 dst->req = newchain;
1298 dst->state = src->state;
1299 dst->policy = src->policy;
1300 /* do not touch the refcnt fields */
1301
1302 return dst;
1303
1304 fail:
1305 for (p = newchain; p; p = r) {
1306 r = p->next;
1307 FREE(p, M_SECA);
1308 p = NULL;
1309 }
1310 return NULL;
1311 }
1312
1313 /* set policy and ipsec request if present. */
1314 static int
1315 ipsec_set_policy(pcb_sp, optname, request, len, priv)
1316 struct secpolicy **pcb_sp;
1317 int optname;
1318 caddr_t request;
1319 size_t len;
1320 int priv;
1321 {
1322 struct sadb_x_policy *xpl;
1323 struct secpolicy *newsp = NULL;
1324 int error;
1325
1326 /* sanity check. */
1327 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL)
1328 return EINVAL;
1329 if (len < sizeof(*xpl))
1330 return EINVAL;
1331 xpl = (struct sadb_x_policy *)request;
1332
1333 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1334 printf("ipsec_set_policy: passed policy\n");
1335 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1336
1337 /* check policy type */
1338 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1339 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1340 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1341 return EINVAL;
1342
1343 /* check privileged socket */
1344 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1345 return EACCES;
1346
1347 /* allocation new SP entry */
1348 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1349 return error;
1350
1351 newsp->state = IPSEC_SPSTATE_ALIVE;
1352
1353 /* clear old SP and set new SP */
1354 key_freesp(*pcb_sp);
1355 *pcb_sp = newsp;
1356 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1357 printf("ipsec_set_policy: new policy\n");
1358 kdebug_secpolicy(newsp));
1359
1360 return 0;
1361 }
1362
1363 static int
1364 ipsec_get_policy(pcb_sp, mp)
1365 struct secpolicy *pcb_sp;
1366 struct mbuf **mp;
1367 {
1368
1369 /* sanity check. */
1370 if (pcb_sp == NULL || mp == NULL)
1371 return EINVAL;
1372
1373 *mp = key_sp2msg(pcb_sp);
1374 if (!*mp) {
1375 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1376 return ENOBUFS;
1377 }
1378
1379 (*mp)->m_type = MT_DATA;
1380 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1381 printf("ipsec_get_policy:\n");
1382 kdebug_mbuf(*mp));
1383
1384 return 0;
1385 }
1386
1387 int
1388 ipsec4_set_policy(inp, optname, request, len, priv)
1389 struct inpcb *inp;
1390 int optname;
1391 caddr_t request;
1392 size_t len;
1393 int priv;
1394 {
1395 struct sadb_x_policy *xpl;
1396 struct secpolicy **pcb_sp;
1397 int error = 0;
1398
1399 /* sanity check. */
1400 if (inp == NULL || request == NULL)
1401 return EINVAL;
1402 if (len < sizeof(*xpl))
1403 return EINVAL;
1404 xpl = (struct sadb_x_policy *)request;
1405
1406 if (inp->inp_sp == NULL) {
1407 error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp);
1408 if (error)
1409 return error;
1410 }
1411
1412 /* select direction */
1413 switch (xpl->sadb_x_policy_dir) {
1414 case IPSEC_DIR_INBOUND:
1415 pcb_sp = &inp->inp_sp->sp_in;
1416 break;
1417 case IPSEC_DIR_OUTBOUND:
1418 pcb_sp = &inp->inp_sp->sp_out;
1419 break;
1420 default:
1421 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1422 xpl->sadb_x_policy_dir));
1423 return EINVAL;
1424 }
1425
1426 /* turn bypass off */
1427 if (ipsec_bypass != 0)
1428 ipsec_bypass = 0;
1429
1430 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1431 }
1432
1433 int
1434 ipsec4_get_policy(inp, request, len, mp)
1435 struct inpcb *inp;
1436 caddr_t request;
1437 size_t len;
1438 struct mbuf **mp;
1439 {
1440 struct sadb_x_policy *xpl;
1441 struct secpolicy *pcb_sp;
1442 int error = 0;
1443
1444 /* sanity check. */
1445 if (inp == NULL || request == NULL || mp == NULL)
1446 return EINVAL;
1447 if (len < sizeof(*xpl))
1448 return EINVAL;
1449 xpl = (struct sadb_x_policy *)request;
1450
1451 if (inp->inp_sp == NULL) {
1452 error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp);
1453 if (error)
1454 return error;
1455 }
1456
1457 /* select direction */
1458 switch (xpl->sadb_x_policy_dir) {
1459 case IPSEC_DIR_INBOUND:
1460 pcb_sp = inp->inp_sp->sp_in;
1461 break;
1462 case IPSEC_DIR_OUTBOUND:
1463 pcb_sp = inp->inp_sp->sp_out;
1464 break;
1465 default:
1466 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1467 xpl->sadb_x_policy_dir));
1468 return EINVAL;
1469 }
1470
1471 return ipsec_get_policy(pcb_sp, mp);
1472 }
1473
1474 /* delete policy in PCB */
1475 int
1476 ipsec4_delete_pcbpolicy(inp)
1477 struct inpcb *inp;
1478 {
1479 /* sanity check. */
1480 if (inp == NULL)
1481 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n");
1482
1483 if (inp->inp_sp == NULL)
1484 return 0;
1485
1486 if (inp->inp_sp->sp_in != NULL) {
1487 key_freesp(inp->inp_sp->sp_in);
1488 inp->inp_sp->sp_in = NULL;
1489 }
1490
1491 if (inp->inp_sp->sp_out != NULL) {
1492 key_freesp(inp->inp_sp->sp_out);
1493 inp->inp_sp->sp_out = NULL;
1494 }
1495
1496 ipsec_delpcbpolicy(inp->inp_sp);
1497 inp->inp_sp = NULL;
1498
1499 return 0;
1500 }
1501
1502 #if INET6
1503 int
1504 ipsec6_set_policy(in6p, optname, request, len, priv)
1505 struct in6pcb *in6p;
1506 int optname;
1507 caddr_t request;
1508 size_t len;
1509 int priv;
1510 {
1511 struct sadb_x_policy *xpl;
1512 struct secpolicy **pcb_sp;
1513 int error = 0;
1514
1515 /* sanity check. */
1516 if (in6p == NULL || request == NULL)
1517 return EINVAL;
1518 if (len < sizeof(*xpl))
1519 return EINVAL;
1520 xpl = (struct sadb_x_policy *)request;
1521
1522 if (in6p->in6p_sp == NULL) {
1523 error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp);
1524 if (error)
1525 return error;
1526 }
1527
1528 /* select direction */
1529 switch (xpl->sadb_x_policy_dir) {
1530 case IPSEC_DIR_INBOUND:
1531 pcb_sp = &in6p->in6p_sp->sp_in;
1532 break;
1533 case IPSEC_DIR_OUTBOUND:
1534 pcb_sp = &in6p->in6p_sp->sp_out;
1535 break;
1536 default:
1537 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1538 xpl->sadb_x_policy_dir));
1539 return EINVAL;
1540 }
1541
1542 /* turn bypass off */
1543 if (ipsec_bypass != 0)
1544 ipsec_bypass = 0;
1545
1546 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1547 }
1548
1549 int
1550 ipsec6_get_policy(in6p, request, len, mp)
1551 struct in6pcb *in6p;
1552 caddr_t request;
1553 size_t len;
1554 struct mbuf **mp;
1555 {
1556 struct sadb_x_policy *xpl;
1557 struct secpolicy *pcb_sp;
1558 int error = 0;
1559
1560 /* sanity check. */
1561 if (in6p == NULL || request == NULL || mp == NULL)
1562 return EINVAL;
1563 if (len < sizeof(*xpl))
1564 return EINVAL;
1565 xpl = (struct sadb_x_policy *)request;
1566
1567 if (in6p->in6p_sp == NULL) {
1568 error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp);
1569 if (error)
1570 return error;
1571 }
1572
1573 /* select direction */
1574 switch (xpl->sadb_x_policy_dir) {
1575 case IPSEC_DIR_INBOUND:
1576 pcb_sp = in6p->in6p_sp->sp_in;
1577 break;
1578 case IPSEC_DIR_OUTBOUND:
1579 pcb_sp = in6p->in6p_sp->sp_out;
1580 break;
1581 default:
1582 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1583 xpl->sadb_x_policy_dir));
1584 return EINVAL;
1585 }
1586
1587 return ipsec_get_policy(pcb_sp, mp);
1588 }
1589
1590 int
1591 ipsec6_delete_pcbpolicy(in6p)
1592 struct in6pcb *in6p;
1593 {
1594 /* sanity check. */
1595 if (in6p == NULL)
1596 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n");
1597
1598 if (in6p->in6p_sp == NULL)
1599 return 0;
1600
1601 if (in6p->in6p_sp->sp_in != NULL) {
1602 key_freesp(in6p->in6p_sp->sp_in);
1603 in6p->in6p_sp->sp_in = NULL;
1604 }
1605
1606 if (in6p->in6p_sp->sp_out != NULL) {
1607 key_freesp(in6p->in6p_sp->sp_out);
1608 in6p->in6p_sp->sp_out = NULL;
1609 }
1610
1611 ipsec_delpcbpolicy(in6p->in6p_sp);
1612 in6p->in6p_sp = NULL;
1613
1614 return 0;
1615 }
1616 #endif
1617
1618 /*
1619 * return current level.
1620 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1621 */
1622 u_int
1623 ipsec_get_reqlevel(isr)
1624 struct ipsecrequest *isr;
1625 {
1626 u_int level = 0;
1627 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1628
1629 /* sanity check */
1630 if (isr == NULL || isr->sp == NULL)
1631 panic("ipsec_get_reqlevel: NULL pointer is passed.\n");
1632 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1633 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family)
1634 panic("ipsec_get_reqlevel: family mismatched.\n");
1635
1636 /* XXX note that we have ipseclog() expanded here - code sync issue */
1637 #define IPSEC_CHECK_DEFAULT(lev) \
1638 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1639 && (lev) != IPSEC_LEVEL_UNIQUE) \
1640 ? (ipsec_debug \
1641 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1642 (lev), IPSEC_LEVEL_REQUIRE) \
1643 : 0), \
1644 (lev) = IPSEC_LEVEL_REQUIRE, \
1645 (lev) \
1646 : (lev))
1647
1648 /* set default level */
1649 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1650 #if INET
1651 case AF_INET:
1652 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1653 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1654 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1655 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1656 break;
1657 #endif
1658 #if INET6
1659 case AF_INET6:
1660 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1661 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1662 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1663 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1664 break;
1665 #endif /* INET6 */
1666 default:
1667 panic("key_get_reqlevel: Unknown family. %d\n",
1668 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1669 }
1670
1671 #undef IPSEC_CHECK_DEFAULT
1672
1673 /* set level */
1674 switch (isr->level) {
1675 case IPSEC_LEVEL_DEFAULT:
1676 switch (isr->saidx.proto) {
1677 case IPPROTO_ESP:
1678 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1679 level = esp_net_deflev;
1680 else
1681 level = esp_trans_deflev;
1682 break;
1683 case IPPROTO_AH:
1684 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1685 level = ah_net_deflev;
1686 else
1687 level = ah_trans_deflev;
1688 case IPPROTO_IPCOMP:
1689 /*
1690 * we don't really care, as IPcomp document says that
1691 * we shouldn't compress small packets
1692 */
1693 level = IPSEC_LEVEL_USE;
1694 break;
1695 default:
1696 panic("ipsec_get_reqlevel: "
1697 "Illegal protocol defined %u\n",
1698 isr->saidx.proto);
1699 }
1700 break;
1701
1702 case IPSEC_LEVEL_USE:
1703 case IPSEC_LEVEL_REQUIRE:
1704 level = isr->level;
1705 break;
1706 case IPSEC_LEVEL_UNIQUE:
1707 level = IPSEC_LEVEL_REQUIRE;
1708 break;
1709
1710 default:
1711 panic("ipsec_get_reqlevel: Illegal IPsec level %u\n",
1712 isr->level);
1713 }
1714
1715 return level;
1716 }
1717
1718 /*
1719 * Check AH/ESP integrity.
1720 * OUT:
1721 * 0: valid
1722 * 1: invalid
1723 */
1724 static int
1725 ipsec_in_reject(sp, m)
1726 struct secpolicy *sp;
1727 struct mbuf *m;
1728 {
1729 struct ipsecrequest *isr;
1730 u_int level;
1731 int need_auth, need_conf, need_icv;
1732
1733 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1734 printf("ipsec_in_reject: using SP\n");
1735 kdebug_secpolicy(sp));
1736
1737 /* check policy */
1738 switch (sp->policy) {
1739 case IPSEC_POLICY_DISCARD:
1740 return 1;
1741 case IPSEC_POLICY_BYPASS:
1742 case IPSEC_POLICY_NONE:
1743 return 0;
1744
1745 case IPSEC_POLICY_IPSEC:
1746 break;
1747
1748 case IPSEC_POLICY_ENTRUST:
1749 default:
1750 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
1751 }
1752
1753 need_auth = 0;
1754 need_conf = 0;
1755 need_icv = 0;
1756
1757 /* XXX should compare policy against ipsec header history */
1758
1759 for (isr = sp->req; isr != NULL; isr = isr->next) {
1760
1761 /* get current level */
1762 level = ipsec_get_reqlevel(isr);
1763
1764 switch (isr->saidx.proto) {
1765 case IPPROTO_ESP:
1766 if (level == IPSEC_LEVEL_REQUIRE) {
1767 need_conf++;
1768
1769 if (isr->sav != NULL
1770 && isr->sav->flags == SADB_X_EXT_NONE
1771 && isr->sav->alg_auth != SADB_AALG_NONE)
1772 need_icv++;
1773 }
1774 break;
1775 case IPPROTO_AH:
1776 if (level == IPSEC_LEVEL_REQUIRE) {
1777 need_auth++;
1778 need_icv++;
1779 }
1780 break;
1781 case IPPROTO_IPCOMP:
1782 /*
1783 * we don't really care, as IPcomp document says that
1784 * we shouldn't compress small packets, IPComp policy
1785 * should always be treated as being in "use" level.
1786 */
1787 break;
1788 }
1789 }
1790
1791 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1792 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1793 need_auth, need_conf, need_icv, m->m_flags));
1794
1795 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1796 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1797 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1798 return 1;
1799
1800 return 0;
1801 }
1802
1803 /*
1804 * Check AH/ESP integrity.
1805 * This function is called from tcp_input(), udp_input(),
1806 * and {ah,esp}4_input for tunnel mode
1807 */
1808 int
1809 ipsec4_in_reject_so(m, so)
1810 struct mbuf *m;
1811 struct socket *so;
1812 {
1813 struct secpolicy *sp = NULL;
1814 int error;
1815 int result;
1816
1817 /* sanity check */
1818 if (m == NULL)
1819 return 0; /* XXX should be panic ? */
1820
1821 /* get SP for this packet.
1822 * When we are called from ip_forward(), we call
1823 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1824 */
1825 if (so == NULL)
1826 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1827 else
1828 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1829
1830 if (sp == NULL)
1831 return 0; /* XXX should be panic ?
1832 * -> No, there may be error. */
1833
1834 result = ipsec_in_reject(sp, m);
1835 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1836 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1837 key_freesp(sp);
1838
1839 return result;
1840 }
1841
1842 int
1843 ipsec4_in_reject(m, inp)
1844 struct mbuf *m;
1845 struct inpcb *inp;
1846 {
1847 if (inp == NULL)
1848 return ipsec4_in_reject_so(m, NULL);
1849 if (inp->inp_socket)
1850 return ipsec4_in_reject_so(m, inp->inp_socket);
1851 else
1852 panic("ipsec4_in_reject: invalid inpcb/socket");
1853 }
1854
1855 #if INET6
1856 /*
1857 * Check AH/ESP integrity.
1858 * This function is called from tcp6_input(), udp6_input(),
1859 * and {ah,esp}6_input for tunnel mode
1860 */
1861 int
1862 ipsec6_in_reject_so(m, so)
1863 struct mbuf *m;
1864 struct socket *so;
1865 {
1866 struct secpolicy *sp = NULL;
1867 int error;
1868 int result;
1869
1870 /* sanity check */
1871 if (m == NULL)
1872 return 0; /* XXX should be panic ? */
1873
1874 /* get SP for this packet.
1875 * When we are called from ip_forward(), we call
1876 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1877 */
1878 if (so == NULL)
1879 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1880 else
1881 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1882
1883 if (sp == NULL)
1884 return 0; /* XXX should be panic ? */
1885
1886 result = ipsec_in_reject(sp, m);
1887 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1888 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
1889 key_freesp(sp);
1890
1891 return result;
1892 }
1893
1894 int
1895 ipsec6_in_reject(m, in6p)
1896 struct mbuf *m;
1897 struct in6pcb *in6p;
1898 {
1899 if (in6p == NULL)
1900 return ipsec6_in_reject_so(m, NULL);
1901 if (in6p->in6p_socket)
1902 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1903 else
1904 panic("ipsec6_in_reject: invalid in6p/socket");
1905 }
1906 #endif
1907
1908 /*
1909 * compute the byte size to be occupied by IPsec header.
1910 * in case it is tunneled, it includes the size of outer IP header.
1911 * NOTE: SP passed is free in this function.
1912 */
1913 static size_t
1914 ipsec_hdrsiz(sp)
1915 struct secpolicy *sp;
1916 {
1917 struct ipsecrequest *isr;
1918 size_t siz, clen;
1919
1920 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1921 printf("ipsec_hdrsiz: using SP\n");
1922 kdebug_secpolicy(sp));
1923
1924 /* check policy */
1925 switch (sp->policy) {
1926 case IPSEC_POLICY_DISCARD:
1927 case IPSEC_POLICY_BYPASS:
1928 case IPSEC_POLICY_NONE:
1929 return 0;
1930
1931 case IPSEC_POLICY_IPSEC:
1932 break;
1933
1934 case IPSEC_POLICY_ENTRUST:
1935 default:
1936 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
1937 }
1938
1939 siz = 0;
1940
1941 for (isr = sp->req; isr != NULL; isr = isr->next) {
1942
1943 clen = 0;
1944
1945 switch (isr->saidx.proto) {
1946 case IPPROTO_ESP:
1947 #if IPSEC_ESP
1948 clen = esp_hdrsiz(isr);
1949 #else
1950 clen = 0; /*XXX*/
1951 #endif
1952 break;
1953 case IPPROTO_AH:
1954 clen = ah_hdrsiz(isr);
1955 break;
1956 case IPPROTO_IPCOMP:
1957 clen = sizeof(struct ipcomp);
1958 break;
1959 }
1960
1961 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1962 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1963 case AF_INET:
1964 clen += sizeof(struct ip);
1965 break;
1966 #if INET6
1967 case AF_INET6:
1968 clen += sizeof(struct ip6_hdr);
1969 break;
1970 #endif
1971 default:
1972 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1973 "unknown AF %d in IPsec tunnel SA\n",
1974 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1975 break;
1976 }
1977 }
1978 siz += clen;
1979 }
1980
1981 return siz;
1982 }
1983
1984 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1985 size_t
1986 ipsec4_hdrsiz(m, dir, inp)
1987 struct mbuf *m;
1988 u_int dir;
1989 struct inpcb *inp;
1990 {
1991 struct secpolicy *sp = NULL;
1992 int error;
1993 size_t size;
1994
1995 /* sanity check */
1996 if (m == NULL)
1997 return 0; /* XXX should be panic ? */
1998 if (inp != NULL && inp->inp_socket == NULL)
1999 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
2000
2001 /* get SP for this packet.
2002 * When we are called from ip_forward(), we call
2003 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
2004 */
2005 if (inp == NULL)
2006 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2007 else
2008 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
2009
2010 if (sp == NULL)
2011 return 0; /* XXX should be panic ? */
2012
2013 size = ipsec_hdrsiz(sp);
2014 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2015 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
2016 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2017 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
2018 key_freesp(sp);
2019
2020 return size;
2021 }
2022
2023 #if INET6
2024 /* This function is called from ipsec6_hdrsize_tcp(),
2025 * and maybe from ip6_forward.()
2026 */
2027 size_t
2028 ipsec6_hdrsiz(m, dir, in6p)
2029 struct mbuf *m;
2030 u_int dir;
2031 struct in6pcb *in6p;
2032 {
2033 struct secpolicy *sp = NULL;
2034 int error;
2035 size_t size;
2036
2037 /* sanity check */
2038 if (m == NULL)
2039 return 0; /* XXX shoud be panic ? */
2040 if (in6p != NULL && in6p->in6p_socket == NULL)
2041 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2042
2043 /* get SP for this packet */
2044 /* XXX Is it right to call with IP_FORWARDING. */
2045 if (in6p == NULL)
2046 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2047 else
2048 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
2049
2050 if (sp == NULL)
2051 return 0;
2052 size = ipsec_hdrsiz(sp);
2053 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2054 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
2055 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2056 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
2057 key_freesp(sp);
2058
2059 return size;
2060 }
2061 #endif /*INET6*/
2062
2063 #if INET
2064 /*
2065 * encapsulate for ipsec tunnel.
2066 * ip->ip_src must be fixed later on.
2067 */
2068 static int
2069 ipsec4_encapsulate(m, sav)
2070 struct mbuf *m;
2071 struct secasvar *sav;
2072 {
2073 struct ip *oip;
2074 struct ip *ip;
2075 size_t hlen;
2076 size_t plen;
2077
2078 /* can't tunnel between different AFs */
2079 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2080 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2081 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2082 m_freem(m);
2083 return EINVAL;
2084 }
2085 #if 0
2086 /* XXX if the dst is myself, perform nothing. */
2087 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2088 m_freem(m);
2089 return EINVAL;
2090 }
2091 #endif
2092
2093 if (m->m_len < sizeof(*ip))
2094 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2095
2096 ip = mtod(m, struct ip *);
2097 #ifdef _IP_VHL
2098 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
2099 #else
2100 hlen = ip->ip_hl << 2;
2101 #endif
2102
2103 if (m->m_len != hlen)
2104 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2105
2106 /* generate header checksum */
2107 ip->ip_sum = 0;
2108 #ifdef _IP_VHL
2109 ip->ip_sum = in_cksum(m, hlen);
2110 #else
2111 ip->ip_sum = in_cksum(m, hlen);
2112 #endif
2113
2114 plen = m->m_pkthdr.len;
2115
2116 /*
2117 * grow the mbuf to accomodate the new IPv4 header.
2118 * NOTE: IPv4 options will never be copied.
2119 */
2120 if (M_LEADINGSPACE(m->m_next) < hlen) {
2121 struct mbuf *n;
2122 MGET(n, M_DONTWAIT, MT_DATA);
2123 if (!n) {
2124 m_freem(m);
2125 return ENOBUFS;
2126 }
2127 n->m_len = hlen;
2128 n->m_next = m->m_next;
2129 m->m_next = n;
2130 m->m_pkthdr.len += hlen;
2131 oip = mtod(n, struct ip *);
2132 } else {
2133 m->m_next->m_len += hlen;
2134 m->m_next->m_data -= hlen;
2135 m->m_pkthdr.len += hlen;
2136 oip = mtod(m->m_next, struct ip *);
2137 }
2138 ip = mtod(m, struct ip *);
2139 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2140 m->m_len = sizeof(struct ip);
2141 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2142
2143 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2144 /* ECN consideration. */
2145 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2146 #ifdef _IP_VHL
2147 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2148 #else
2149 ip->ip_hl = sizeof(struct ip) >> 2;
2150 #endif
2151 ip->ip_off &= htons(~IP_OFFMASK);
2152 ip->ip_off &= htons(~IP_MF);
2153 switch (ip4_ipsec_dfbit) {
2154 case 0: /* clear DF bit */
2155 ip->ip_off &= htons(~IP_DF);
2156 break;
2157 case 1: /* set DF bit */
2158 ip->ip_off |= htons(IP_DF);
2159 break;
2160 default: /* copy DF bit */
2161 break;
2162 }
2163 ip->ip_p = IPPROTO_IPIP;
2164 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2165 ip->ip_len = htons(plen + sizeof(struct ip));
2166 else {
2167 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2168 "leave ip_len as is (invalid packet)\n"));
2169 }
2170 #ifdef RANDOM_IP_ID
2171 ip->ip_id = ip_randomid();
2172 #else
2173 ip->ip_id = htons(ip_id++);
2174 #endif
2175 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2176 &ip->ip_src, sizeof(ip->ip_src));
2177 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2178 &ip->ip_dst, sizeof(ip->ip_dst));
2179 ip->ip_ttl = IPDEFTTL;
2180
2181 /* XXX Should ip_src be updated later ? */
2182
2183 return 0;
2184 }
2185 #endif /*INET*/
2186
2187 #if INET6
2188 static int
2189 ipsec6_encapsulate(m, sav)
2190 struct mbuf *m;
2191 struct secasvar *sav;
2192 {
2193 struct ip6_hdr *oip6;
2194 struct ip6_hdr *ip6;
2195 size_t plen;
2196
2197 /* can't tunnel between different AFs */
2198 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2199 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2200 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2201 m_freem(m);
2202 return EINVAL;
2203 }
2204 #if 0
2205 /* XXX if the dst is myself, perform nothing. */
2206 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2207 m_freem(m);
2208 return EINVAL;
2209 }
2210 #endif
2211
2212 plen = m->m_pkthdr.len;
2213
2214 /*
2215 * grow the mbuf to accomodate the new IPv6 header.
2216 */
2217 if (m->m_len != sizeof(struct ip6_hdr))
2218 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2219 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2220 struct mbuf *n;
2221 MGET(n, M_DONTWAIT, MT_DATA);
2222 if (!n) {
2223 m_freem(m);
2224 return ENOBUFS;
2225 }
2226 n->m_len = sizeof(struct ip6_hdr);
2227 n->m_next = m->m_next;
2228 m->m_next = n;
2229 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2230 oip6 = mtod(n, struct ip6_hdr *);
2231 } else {
2232 m->m_next->m_len += sizeof(struct ip6_hdr);
2233 m->m_next->m_data -= sizeof(struct ip6_hdr);
2234 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2235 oip6 = mtod(m->m_next, struct ip6_hdr *);
2236 }
2237 ip6 = mtod(m, struct ip6_hdr *);
2238 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2239
2240 /* Fake link-local scope-class addresses */
2241 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
2242 oip6->ip6_src.s6_addr16[1] = 0;
2243 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
2244 oip6->ip6_dst.s6_addr16[1] = 0;
2245
2246 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2247 /* ECN consideration. */
2248 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2249 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2250 ip6->ip6_plen = htons(plen);
2251 else {
2252 /* ip6->ip6_plen will be updated in ip6_output() */
2253 }
2254 ip6->ip6_nxt = IPPROTO_IPV6;
2255 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2256 &ip6->ip6_src, sizeof(ip6->ip6_src));
2257 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2258 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2259 ip6->ip6_hlim = IPV6_DEFHLIM;
2260
2261 /* XXX Should ip6_src be updated later ? */
2262
2263 return 0;
2264 }
2265 #endif /*INET6*/
2266
2267 /*
2268 * Check the variable replay window.
2269 * ipsec_chkreplay() performs replay check before ICV verification.
2270 * ipsec_updatereplay() updates replay bitmap. This must be called after
2271 * ICV verification (it also performs replay check, which is usually done
2272 * beforehand).
2273 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2274 *
2275 * based on RFC 2401.
2276 */
2277 int
2278 ipsec_chkreplay(seq, sav)
2279 u_int32_t seq;
2280 struct secasvar *sav;
2281 {
2282 const struct secreplay *replay;
2283 u_int32_t diff;
2284 int fr;
2285 u_int32_t wsizeb; /* constant: bits of window size */
2286 int frlast; /* constant: last frame */
2287
2288 /* sanity check */
2289 if (sav == NULL)
2290 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2291
2292 replay = sav->replay;
2293
2294 if (replay->wsize == 0)
2295 return 1; /* no need to check replay. */
2296
2297 /* constant */
2298 frlast = replay->wsize - 1;
2299 wsizeb = replay->wsize << 3;
2300
2301 /* sequence number of 0 is invalid */
2302 if (seq == 0)
2303 return 0;
2304
2305 /* first time is always okay */
2306 if (replay->count == 0)
2307 return 1;
2308
2309 if (seq > replay->lastseq) {
2310 /* larger sequences are okay */
2311 return 1;
2312 } else {
2313 /* seq is equal or less than lastseq. */
2314 diff = replay->lastseq - seq;
2315
2316 /* over range to check, i.e. too old or wrapped */
2317 if (diff >= wsizeb)
2318 return 0;
2319
2320 fr = frlast - diff / 8;
2321
2322 /* this packet already seen ? */
2323 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2324 return 0;
2325
2326 /* out of order but good */
2327 return 1;
2328 }
2329 }
2330
2331 /*
2332 * check replay counter whether to update or not.
2333 * OUT: 0: OK
2334 * 1: NG
2335 */
2336 int
2337 ipsec_updatereplay(seq, sav)
2338 u_int32_t seq;
2339 struct secasvar *sav;
2340 {
2341 struct secreplay *replay;
2342 u_int32_t diff;
2343 int fr;
2344 u_int32_t wsizeb; /* constant: bits of window size */
2345 int frlast; /* constant: last frame */
2346
2347 /* sanity check */
2348 if (sav == NULL)
2349 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2350
2351 replay = sav->replay;
2352
2353 if (replay->wsize == 0)
2354 goto ok; /* no need to check replay. */
2355
2356 /* constant */
2357 frlast = replay->wsize - 1;
2358 wsizeb = replay->wsize << 3;
2359
2360 /* sequence number of 0 is invalid */
2361 if (seq == 0)
2362 return 1;
2363
2364 /* first time */
2365 if (replay->count == 0) {
2366 replay->lastseq = seq;
2367 bzero(replay->bitmap, replay->wsize);
2368 (replay->bitmap)[frlast] = 1;
2369 goto ok;
2370 }
2371
2372 if (seq > replay->lastseq) {
2373 /* seq is larger than lastseq. */
2374 diff = seq - replay->lastseq;
2375
2376 /* new larger sequence number */
2377 if (diff < wsizeb) {
2378 /* In window */
2379 /* set bit for this packet */
2380 vshiftl(replay->bitmap, diff, replay->wsize);
2381 (replay->bitmap)[frlast] |= 1;
2382 } else {
2383 /* this packet has a "way larger" */
2384 bzero(replay->bitmap, replay->wsize);
2385 (replay->bitmap)[frlast] = 1;
2386 }
2387 replay->lastseq = seq;
2388
2389 /* larger is good */
2390 } else {
2391 /* seq is equal or less than lastseq. */
2392 diff = replay->lastseq - seq;
2393
2394 /* over range to check, i.e. too old or wrapped */
2395 if (diff >= wsizeb)
2396 return 1;
2397
2398 fr = frlast - diff / 8;
2399
2400 /* this packet already seen ? */
2401 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2402 return 1;
2403
2404 /* mark as seen */
2405 (replay->bitmap)[fr] |= (1 << (diff % 8));
2406
2407 /* out of order but good */
2408 }
2409
2410 ok:
2411 if (replay->count == ~0) {
2412
2413 /* set overflow flag */
2414 replay->overflow++;
2415
2416 /* don't increment, no more packets accepted */
2417 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2418 return 1;
2419
2420 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2421 replay->overflow, ipsec_logsastr(sav)));
2422 }
2423
2424 replay->count++;
2425
2426 return 0;
2427 }
2428
2429 /*
2430 * shift variable length buffer to left.
2431 * IN: bitmap: pointer to the buffer
2432 * nbit: the number of to shift.
2433 * wsize: buffer size (bytes).
2434 */
2435 static void
2436 vshiftl(bitmap, nbit, wsize)
2437 unsigned char *bitmap;
2438 int nbit, wsize;
2439 {
2440 int s, j, i;
2441 unsigned char over;
2442
2443 for (j = 0; j < nbit; j += 8) {
2444 s = (nbit - j < 8) ? (nbit - j): 8;
2445 bitmap[0] <<= s;
2446 for (i = 1; i < wsize; i++) {
2447 over = (bitmap[i] >> (8 - s));
2448 bitmap[i] <<= s;
2449 bitmap[i-1] |= over;
2450 }
2451 }
2452
2453 return;
2454 }
2455
2456 const char *
2457 ipsec4_logpacketstr(ip, spi)
2458 struct ip *ip;
2459 u_int32_t spi;
2460 {
2461 static char buf[256];
2462 char *p;
2463 u_int8_t *s, *d;
2464
2465 s = (u_int8_t *)(&ip->ip_src);
2466 d = (u_int8_t *)(&ip->ip_dst);
2467
2468 p = buf;
2469 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2470 while (p && *p)
2471 p++;
2472 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2473 s[0], s[1], s[2], s[3]);
2474 while (p && *p)
2475 p++;
2476 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2477 d[0], d[1], d[2], d[3]);
2478 while (p && *p)
2479 p++;
2480 snprintf(p, sizeof(buf) - (p - buf), ")");
2481
2482 return buf;
2483 }
2484
2485 #if INET6
2486 const char *
2487 ipsec6_logpacketstr(ip6, spi)
2488 struct ip6_hdr *ip6;
2489 u_int32_t spi;
2490 {
2491 static char buf[256];
2492 char *p;
2493
2494 p = buf;
2495 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2496 while (p && *p)
2497 p++;
2498 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2499 ip6_sprintf(&ip6->ip6_src));
2500 while (p && *p)
2501 p++;
2502 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2503 ip6_sprintf(&ip6->ip6_dst));
2504 while (p && *p)
2505 p++;
2506 snprintf(p, sizeof(buf) - (p - buf), ")");
2507
2508 return buf;
2509 }
2510 #endif /*INET6*/
2511
2512 const char *
2513 ipsec_logsastr(sav)
2514 struct secasvar *sav;
2515 {
2516 static char buf[256];
2517 char *p;
2518 struct secasindex *saidx = &sav->sah->saidx;
2519
2520 /* validity check */
2521 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2522 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2523 panic("ipsec_logsastr: family mismatched.\n");
2524
2525 p = buf;
2526 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2527 while (p && *p)
2528 p++;
2529 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2530 u_int8_t *s, *d;
2531 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2532 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2533 snprintf(p, sizeof(buf) - (p - buf),
2534 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2535 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2536 }
2537 #if INET6
2538 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2539 snprintf(p, sizeof(buf) - (p - buf),
2540 "src=%s",
2541 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2542 while (p && *p)
2543 p++;
2544 snprintf(p, sizeof(buf) - (p - buf),
2545 " dst=%s",
2546 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2547 }
2548 #endif
2549 while (p && *p)
2550 p++;
2551 snprintf(p, sizeof(buf) - (p - buf), ")");
2552
2553 return buf;
2554 }
2555
2556 void
2557 ipsec_dumpmbuf(m)
2558 struct mbuf *m;
2559 {
2560 int totlen;
2561 int i;
2562 u_char *p;
2563
2564 totlen = 0;
2565 printf("---\n");
2566 while (m) {
2567 p = mtod(m, u_char *);
2568 for (i = 0; i < m->m_len; i++) {
2569 printf("%02x ", p[i]);
2570 totlen++;
2571 if (totlen % 16 == 0)
2572 printf("\n");
2573 }
2574 m = m->m_next;
2575 }
2576 if (totlen % 16 != 0)
2577 printf("\n");
2578 printf("---\n");
2579 }
2580
2581 #if INET
2582 /*
2583 * IPsec output logic for IPv4.
2584 */
2585 int
2586 ipsec4_output(state, sp, flags)
2587 struct ipsec_output_state *state;
2588 struct secpolicy *sp;
2589 int flags;
2590 {
2591 struct ip *ip = NULL;
2592 struct ipsecrequest *isr = NULL;
2593 struct secasindex saidx;
2594 int s;
2595 int error;
2596 struct sockaddr_in *dst4;
2597 struct sockaddr_in *sin;
2598
2599 if (!state)
2600 panic("state == NULL in ipsec4_output");
2601 if (!state->m)
2602 panic("state->m == NULL in ipsec4_output");
2603 if (!state->ro)
2604 panic("state->ro == NULL in ipsec4_output");
2605 if (!state->dst)
2606 panic("state->dst == NULL in ipsec4_output");
2607
2608 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_START, 0,0,0,0,0);
2609
2610 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2611 printf("ipsec4_output: applyed SP\n");
2612 kdebug_secpolicy(sp));
2613
2614 for (isr = sp->req; isr != NULL; isr = isr->next) {
2615
2616 #if 0 /* give up to check restriction of transport mode */
2617 /* XXX but should be checked somewhere */
2618 /*
2619 * some of the IPsec operation must be performed only in
2620 * originating case.
2621 */
2622 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2623 && (flags & IP_FORWARDING))
2624 continue;
2625 #endif
2626
2627 /* make SA index for search proper SA */
2628 ip = mtod(state->m, struct ip *);
2629 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2630 saidx.mode = isr->saidx.mode;
2631 saidx.reqid = isr->saidx.reqid;
2632 sin = (struct sockaddr_in *)&saidx.src;
2633 if (sin->sin_len == 0) {
2634 sin->sin_len = sizeof(*sin);
2635 sin->sin_family = AF_INET;
2636 sin->sin_port = IPSEC_PORT_ANY;
2637 bcopy(&ip->ip_src, &sin->sin_addr,
2638 sizeof(sin->sin_addr));
2639 }
2640 sin = (struct sockaddr_in *)&saidx.dst;
2641 if (sin->sin_len == 0) {
2642 sin->sin_len = sizeof(*sin);
2643 sin->sin_family = AF_INET;
2644 sin->sin_port = IPSEC_PORT_ANY;
2645 bcopy(&ip->ip_dst, &sin->sin_addr,
2646 sizeof(sin->sin_addr));
2647 }
2648
2649 if ((error = key_checkrequest(isr, &saidx)) != 0) {
2650 /*
2651 * IPsec processing is required, but no SA found.
2652 * I assume that key_acquire() had been called
2653 * to get/establish the SA. Here I discard
2654 * this packet because it is responsibility for
2655 * upper layer to retransmit the packet.
2656 */
2657 ipsecstat.out_nosa++;
2658 goto bad;
2659 }
2660
2661 /* validity check */
2662 if (isr->sav == NULL) {
2663 switch (ipsec_get_reqlevel(isr)) {
2664 case IPSEC_LEVEL_USE:
2665 continue;
2666 case IPSEC_LEVEL_REQUIRE:
2667 /* must be not reached here. */
2668 panic("ipsec4_output: no SA found, but required.");
2669 }
2670 }
2671
2672 /*
2673 * If there is no valid SA, we give up to process any
2674 * more. In such a case, the SA's status is changed
2675 * from DYING to DEAD after allocating. If a packet
2676 * send to the receiver by dead SA, the receiver can
2677 * not decode a packet because SA has been dead.
2678 */
2679 if (isr->sav->state != SADB_SASTATE_MATURE
2680 && isr->sav->state != SADB_SASTATE_DYING) {
2681 ipsecstat.out_nosa++;
2682 error = EINVAL;
2683 goto bad;
2684 }
2685
2686 /*
2687 * There may be the case that SA status will be changed when
2688 * we are refering to one. So calling splsoftnet().
2689 */
2690 s = splnet();
2691
2692 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2693 /*
2694 * build IPsec tunnel.
2695 */
2696 /* XXX should be processed with other familiy */
2697 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2698 ipseclog((LOG_ERR, "ipsec4_output: "
2699 "family mismatched between inner and outer spi=%u\n",
2700 (u_int32_t)ntohl(isr->sav->spi)));
2701 splx(s);
2702 error = EAFNOSUPPORT;
2703 goto bad;
2704 }
2705
2706 state->m = ipsec4_splithdr(state->m);
2707 if (!state->m) {
2708 splx(s);
2709 error = ENOMEM;
2710 goto bad;
2711 }
2712 error = ipsec4_encapsulate(state->m, isr->sav);
2713 splx(s);
2714 if (error) {
2715 state->m = NULL;
2716 goto bad;
2717 }
2718 ip = mtod(state->m, struct ip *);
2719
2720 state->ro = &isr->sav->sah->sa_route;
2721 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2722 dst4 = (struct sockaddr_in *)state->dst;
2723 if (state->ro->ro_rt
2724 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2725 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2726 rtfree(state->ro->ro_rt);
2727 state->ro->ro_rt = NULL;
2728 }
2729 if (state->ro->ro_rt == 0) {
2730 dst4->sin_family = AF_INET;
2731 dst4->sin_len = sizeof(*dst4);
2732 dst4->sin_addr = ip->ip_dst;
2733 rtalloc(state->ro);
2734 }
2735 if (state->ro->ro_rt == 0) {
2736 ipstat.ips_noroute++;
2737 error = EHOSTUNREACH;
2738 goto bad;
2739 }
2740
2741 /* adjust state->dst if tunnel endpoint is offlink */
2742 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2743 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2744 dst4 = (struct sockaddr_in *)state->dst;
2745 }
2746 } else
2747 splx(s);
2748
2749 state->m = ipsec4_splithdr(state->m);
2750 if (!state->m) {
2751 error = ENOMEM;
2752 goto bad;
2753 }
2754 switch (isr->saidx.proto) {
2755 case IPPROTO_ESP:
2756 #if IPSEC_ESP
2757 if ((error = esp4_output(state->m, isr)) != 0) {
2758 state->m = NULL;
2759 goto bad;
2760 }
2761 break;
2762 #else
2763 m_freem(state->m);
2764 state->m = NULL;
2765 error = EINVAL;
2766 goto bad;
2767 #endif
2768 case IPPROTO_AH:
2769 if ((error = ah4_output(state->m, isr)) != 0) {
2770 state->m = NULL;
2771 goto bad;
2772 }
2773 break;
2774 case IPPROTO_IPCOMP:
2775 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2776 state->m = NULL;
2777 goto bad;
2778 }
2779 break;
2780 default:
2781 ipseclog((LOG_ERR,
2782 "ipsec4_output: unknown ipsec protocol %d\n",
2783 isr->saidx.proto));
2784 m_freem(state->m);
2785 state->m = NULL;
2786 error = EINVAL;
2787 goto bad;
2788 }
2789
2790 if (state->m == 0) {
2791 error = ENOMEM;
2792 goto bad;
2793 }
2794 ip = mtod(state->m, struct ip *);
2795 }
2796
2797 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0,0,0,0,0);
2798 return 0;
2799
2800 bad:
2801 m_freem(state->m);
2802 state->m = NULL;
2803 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error,0,0,0,0);
2804 return error;
2805 }
2806 #endif
2807
2808 #if INET6
2809 /*
2810 * IPsec output logic for IPv6, transport mode.
2811 */
2812 int
2813 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
2814 struct ipsec_output_state *state;
2815 u_char *nexthdrp;
2816 struct mbuf *mprev;
2817 struct secpolicy *sp;
2818 int flags;
2819 int *tun;
2820 {
2821 struct ip6_hdr *ip6;
2822 struct ipsecrequest *isr = NULL;
2823 struct secasindex saidx;
2824 int error = 0;
2825 int plen;
2826 struct sockaddr_in6 *sin6;
2827
2828 if (!state)
2829 panic("state == NULL in ipsec6_output_trans");
2830 if (!state->m)
2831 panic("state->m == NULL in ipsec6_output_trans");
2832 if (!nexthdrp)
2833 panic("nexthdrp == NULL in ipsec6_output_trans");
2834 if (!mprev)
2835 panic("mprev == NULL in ipsec6_output_trans");
2836 if (!sp)
2837 panic("sp == NULL in ipsec6_output_trans");
2838 if (!tun)
2839 panic("tun == NULL in ipsec6_output_trans");
2840
2841 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2842 printf("ipsec6_output_trans: applyed SP\n");
2843 kdebug_secpolicy(sp));
2844
2845 *tun = 0;
2846 for (isr = sp->req; isr; isr = isr->next) {
2847 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2848 /* the rest will be handled by ipsec6_output_tunnel() */
2849 break;
2850 }
2851
2852 /* make SA index for search proper SA */
2853 ip6 = mtod(state->m, struct ip6_hdr *);
2854 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2855 saidx.mode = isr->saidx.mode;
2856 saidx.reqid = isr->saidx.reqid;
2857 sin6 = (struct sockaddr_in6 *)&saidx.src;
2858 if (sin6->sin6_len == 0) {
2859 sin6->sin6_len = sizeof(*sin6);
2860 sin6->sin6_family = AF_INET6;
2861 sin6->sin6_port = IPSEC_PORT_ANY;
2862 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2863 sizeof(ip6->ip6_src));
2864 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2865 /* fix scope id for comparing SPD */
2866 sin6->sin6_addr.s6_addr16[1] = 0;
2867 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2868 }
2869 }
2870 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2871 if (sin6->sin6_len == 0) {
2872 sin6->sin6_len = sizeof(*sin6);
2873 sin6->sin6_family = AF_INET6;
2874 sin6->sin6_port = IPSEC_PORT_ANY;
2875 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2876 sizeof(ip6->ip6_dst));
2877 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2878 /* fix scope id for comparing SPD */
2879 sin6->sin6_addr.s6_addr16[1] = 0;
2880 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2881 }
2882 }
2883
2884 if (key_checkrequest(isr, &saidx) == ENOENT) {
2885 /*
2886 * IPsec processing is required, but no SA found.
2887 * I assume that key_acquire() had been called
2888 * to get/establish the SA. Here I discard
2889 * this packet because it is responsibility for
2890 * upper layer to retransmit the packet.
2891 */
2892 ipsec6stat.out_nosa++;
2893 error = ENOENT;
2894
2895 /*
2896 * Notify the fact that the packet is discarded
2897 * to ourselves. I believe this is better than
2898 * just silently discarding. (jinmei@kame.net)
2899 * XXX: should we restrict the error to TCP packets?
2900 * XXX: should we directly notify sockets via
2901 * pfctlinputs?
2902 */
2903 icmp6_error(state->m, ICMP6_DST_UNREACH,
2904 ICMP6_DST_UNREACH_ADMIN, 0);
2905 state->m = NULL; /* icmp6_error freed the mbuf */
2906 goto bad;
2907 }
2908
2909 /* validity check */
2910 if (isr->sav == NULL) {
2911 switch (ipsec_get_reqlevel(isr)) {
2912 case IPSEC_LEVEL_USE:
2913 continue;
2914 case IPSEC_LEVEL_REQUIRE:
2915 /* must be not reached here. */
2916 panic("ipsec6_output_trans: no SA found, but required.");
2917 }
2918 }
2919
2920 /*
2921 * If there is no valid SA, we give up to process.
2922 * see same place at ipsec4_output().
2923 */
2924 if (isr->sav->state != SADB_SASTATE_MATURE
2925 && isr->sav->state != SADB_SASTATE_DYING) {
2926 ipsec6stat.out_nosa++;
2927 error = EINVAL;
2928 goto bad;
2929 }
2930
2931 switch (isr->saidx.proto) {
2932 case IPPROTO_ESP:
2933 #if IPSEC_ESP
2934 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2935 #else
2936 m_freem(state->m);
2937 error = EINVAL;
2938 #endif
2939 break;
2940 case IPPROTO_AH:
2941 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2942 break;
2943 case IPPROTO_IPCOMP:
2944 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2945 break;
2946 default:
2947 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2948 "unknown ipsec protocol %d\n", isr->saidx.proto));
2949 m_freem(state->m);
2950 ipsec6stat.out_inval++;
2951 error = EINVAL;
2952 break;
2953 }
2954 if (error) {
2955 state->m = NULL;
2956 goto bad;
2957 }
2958 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2959 if (plen > IPV6_MAXPACKET) {
2960 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2961 "IPsec with IPv6 jumbogram is not supported\n"));
2962 ipsec6stat.out_inval++;
2963 error = EINVAL; /*XXX*/
2964 goto bad;
2965 }
2966 ip6 = mtod(state->m, struct ip6_hdr *);
2967 ip6->ip6_plen = htons(plen);
2968 }
2969
2970 /* if we have more to go, we need a tunnel mode processing */
2971 if (isr != NULL)
2972 *tun = 1;
2973
2974 return 0;
2975
2976 bad:
2977 m_freem(state->m);
2978 state->m = NULL;
2979 return error;
2980 }
2981
2982 /*
2983 * IPsec output logic for IPv6, tunnel mode.
2984 */
2985 int
2986 ipsec6_output_tunnel(state, sp, flags)
2987 struct ipsec_output_state *state;
2988 struct secpolicy *sp;
2989 int flags;
2990 {
2991 struct ip6_hdr *ip6;
2992 struct ipsecrequest *isr = NULL;
2993 struct secasindex saidx;
2994 int error = 0;
2995 int plen;
2996 struct sockaddr_in6* dst6;
2997 int s;
2998
2999 if (!state)
3000 panic("state == NULL in ipsec6_output_tunnel");
3001 if (!state->m)
3002 panic("state->m == NULL in ipsec6_output_tunnel");
3003 if (!sp)
3004 panic("sp == NULL in ipsec6_output_tunnel");
3005
3006 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3007 printf("ipsec6_output_tunnel: applyed SP\n");
3008 kdebug_secpolicy(sp));
3009
3010 /*
3011 * transport mode ipsec (before the 1st tunnel mode) is already
3012 * processed by ipsec6_output_trans().
3013 */
3014 for (isr = sp->req; isr; isr = isr->next) {
3015 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
3016 break;
3017 }
3018
3019 for (/* already initialized */; isr; isr = isr->next) {
3020 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3021 /* When tunnel mode, SA peers must be specified. */
3022 bcopy(&isr->saidx, &saidx, sizeof(saidx));
3023 } else {
3024 /* make SA index to look for a proper SA */
3025 struct sockaddr_in6 *sin6;
3026
3027 bzero(&saidx, sizeof(saidx));
3028 saidx.proto = isr->saidx.proto;
3029 saidx.mode = isr->saidx.mode;
3030 saidx.reqid = isr->saidx.reqid;
3031
3032 ip6 = mtod(state->m, struct ip6_hdr *);
3033 sin6 = (struct sockaddr_in6 *)&saidx.src;
3034 if (sin6->sin6_len == 0) {
3035 sin6->sin6_len = sizeof(*sin6);
3036 sin6->sin6_family = AF_INET6;
3037 sin6->sin6_port = IPSEC_PORT_ANY;
3038 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
3039 sizeof(ip6->ip6_src));
3040 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
3041 /* fix scope id for comparing SPD */
3042 sin6->sin6_addr.s6_addr16[1] = 0;
3043 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
3044 }
3045 }
3046 sin6 = (struct sockaddr_in6 *)&saidx.dst;
3047 if (sin6->sin6_len == 0) {
3048 sin6->sin6_len = sizeof(*sin6);
3049 sin6->sin6_family = AF_INET6;
3050 sin6->sin6_port = IPSEC_PORT_ANY;
3051 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
3052 sizeof(ip6->ip6_dst));
3053 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
3054 /* fix scope id for comparing SPD */
3055 sin6->sin6_addr.s6_addr16[1] = 0;
3056 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
3057 }
3058 }
3059 }
3060
3061 if (key_checkrequest(isr, &saidx) == ENOENT) {
3062 /*
3063 * IPsec processing is required, but no SA found.
3064 * I assume that key_acquire() had been called
3065 * to get/establish the SA. Here I discard
3066 * this packet because it is responsibility for
3067 * upper layer to retransmit the packet.
3068 */
3069 ipsec6stat.out_nosa++;
3070 error = ENOENT;
3071 goto bad;
3072 }
3073
3074 /* validity check */
3075 if (isr->sav == NULL) {
3076 switch (ipsec_get_reqlevel(isr)) {
3077 case IPSEC_LEVEL_USE:
3078 continue;
3079 case IPSEC_LEVEL_REQUIRE:
3080 /* must be not reached here. */
3081 panic("ipsec6_output_tunnel: no SA found, but required.");
3082 }
3083 }
3084
3085 /*
3086 * If there is no valid SA, we give up to process.
3087 * see same place at ipsec4_output().
3088 */
3089 if (isr->sav->state != SADB_SASTATE_MATURE
3090 && isr->sav->state != SADB_SASTATE_DYING) {
3091 ipsec6stat.out_nosa++;
3092 error = EINVAL;
3093 goto bad;
3094 }
3095
3096 /*
3097 * There may be the case that SA status will be changed when
3098 * we are refering to one. So calling splsoftnet().
3099 */
3100 s = splnet();
3101
3102 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3103 /*
3104 * build IPsec tunnel.
3105 */
3106 /* XXX should be processed with other familiy */
3107 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
3108 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3109 "family mismatched between inner and outer, spi=%u\n",
3110 (u_int32_t)ntohl(isr->sav->spi)));
3111 splx(s);
3112 ipsec6stat.out_inval++;
3113 error = EAFNOSUPPORT;
3114 goto bad;
3115 }
3116
3117 state->m = ipsec6_splithdr(state->m);
3118 if (!state->m) {
3119 splx(s);
3120 ipsec6stat.out_nomem++;
3121 error = ENOMEM;
3122 goto bad;
3123 }
3124 error = ipsec6_encapsulate(state->m, isr->sav);
3125 splx(s);
3126 if (error) {
3127 state->m = 0;
3128 goto bad;
3129 }
3130 ip6 = mtod(state->m, struct ip6_hdr *);
3131
3132 state->ro = &isr->sav->sah->sa_route;
3133 state->dst = (struct sockaddr *)&state->ro->ro_dst;
3134 dst6 = (struct sockaddr_in6 *)state->dst;
3135 if (state->ro->ro_rt
3136 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
3137 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
3138 rtfree(state->ro->ro_rt);
3139 state->ro->ro_rt = NULL;
3140 }
3141 if (state->ro->ro_rt == 0) {
3142 bzero(dst6, sizeof(*dst6));
3143 dst6->sin6_family = AF_INET6;
3144 dst6->sin6_len = sizeof(*dst6);
3145 dst6->sin6_addr = ip6->ip6_dst;
3146 rtalloc(state->ro);
3147 }
3148 if (state->ro->ro_rt == 0) {
3149 ip6stat.ip6s_noroute++;
3150 ipsec6stat.out_noroute++;
3151 error = EHOSTUNREACH;
3152 goto bad;
3153 }
3154
3155 /* adjust state->dst if tunnel endpoint is offlink */
3156 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3157 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3158 dst6 = (struct sockaddr_in6 *)state->dst;
3159 }
3160 } else
3161 splx(s);
3162
3163 state->m = ipsec6_splithdr(state->m);
3164 if (!state->m) {
3165 ipsec6stat.out_nomem++;
3166 error = ENOMEM;
3167 goto bad;
3168 }
3169 ip6 = mtod(state->m, struct ip6_hdr *);
3170 switch (isr->saidx.proto) {
3171 case IPPROTO_ESP:
3172 #if IPSEC_ESP
3173 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
3174 #else
3175 m_freem(state->m);
3176 error = EINVAL;
3177 #endif
3178 break;
3179 case IPPROTO_AH:
3180 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
3181 break;
3182 case IPPROTO_IPCOMP:
3183 /* XXX code should be here */
3184 /*FALLTHROUGH*/
3185 default:
3186 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3187 "unknown ipsec protocol %d\n", isr->saidx.proto));
3188 m_freem(state->m);
3189 ipsec6stat.out_inval++;
3190 error = EINVAL;
3191 break;
3192 }
3193 if (error) {
3194 state->m = NULL;
3195 goto bad;
3196 }
3197 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3198 if (plen > IPV6_MAXPACKET) {
3199 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3200 "IPsec with IPv6 jumbogram is not supported\n"));
3201 ipsec6stat.out_inval++;
3202 error = EINVAL; /*XXX*/
3203 goto bad;
3204 }
3205 ip6 = mtod(state->m, struct ip6_hdr *);
3206 ip6->ip6_plen = htons(plen);
3207 }
3208
3209 return 0;
3210
3211 bad:
3212 m_freem(state->m);
3213 state->m = NULL;
3214 return error;
3215 }
3216 #endif /*INET6*/
3217
3218 #if INET
3219 /*
3220 * Chop IP header and option off from the payload.
3221 */
3222 static struct mbuf *
3223 ipsec4_splithdr(m)
3224 struct mbuf *m;
3225 {
3226 struct mbuf *mh;
3227 struct ip *ip;
3228 int hlen;
3229
3230 if (m->m_len < sizeof(struct ip))
3231 panic("ipsec4_splithdr: first mbuf too short");
3232 ip = mtod(m, struct ip *);
3233 #ifdef _IP_VHL
3234 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3235 #else
3236 hlen = ip->ip_hl << 2;
3237 #endif
3238 if (m->m_len > hlen) {
3239 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3240 if (!mh) {
3241 m_freem(m);
3242 return NULL;
3243 }
3244 M_COPY_PKTHDR(mh, m);
3245 MH_ALIGN(mh, hlen);
3246 m->m_flags &= ~M_PKTHDR;
3247 m->m_len -= hlen;
3248 m->m_data += hlen;
3249 mh->m_next = m;
3250 m = mh;
3251 m->m_len = hlen;
3252 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3253 } else if (m->m_len < hlen) {
3254 m = m_pullup(m, hlen);
3255 if (!m)
3256 return NULL;
3257 }
3258 return m;
3259 }
3260 #endif
3261
3262 #if INET6
3263 static struct mbuf *
3264 ipsec6_splithdr(m)
3265 struct mbuf *m;
3266 {
3267 struct mbuf *mh;
3268 struct ip6_hdr *ip6;
3269 int hlen;
3270
3271 if (m->m_len < sizeof(struct ip6_hdr))
3272 panic("ipsec6_splithdr: first mbuf too short");
3273 ip6 = mtod(m, struct ip6_hdr *);
3274 hlen = sizeof(struct ip6_hdr);
3275 if (m->m_len > hlen) {
3276 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3277 if (!mh) {
3278 m_freem(m);
3279 return NULL;
3280 }
3281 M_COPY_PKTHDR(mh, m);
3282 MH_ALIGN(mh, hlen);
3283 m->m_flags &= ~M_PKTHDR;
3284 m->m_len -= hlen;
3285 m->m_data += hlen;
3286 mh->m_next = m;
3287 m = mh;
3288 m->m_len = hlen;
3289 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3290 } else if (m->m_len < hlen) {
3291 m = m_pullup(m, hlen);
3292 if (!m)
3293 return NULL;
3294 }
3295 return m;
3296 }
3297 #endif
3298
3299 /* validate inbound IPsec tunnel packet. */
3300 int
3301 ipsec4_tunnel_validate(m, off, nxt0, sav)
3302 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3303 int off;
3304 u_int nxt0;
3305 struct secasvar *sav;
3306 {
3307 u_int8_t nxt = nxt0 & 0xff;
3308 struct sockaddr_in *sin;
3309 struct sockaddr_in osrc, odst, isrc, idst;
3310 int hlen;
3311 struct secpolicy *sp;
3312 struct ip *oip;
3313
3314 #if DIAGNOSTIC
3315 if (m->m_len < sizeof(struct ip))
3316 panic("too short mbuf on ipsec4_tunnel_validate");
3317 #endif
3318 if (nxt != IPPROTO_IPV4)
3319 return 0;
3320 if (m->m_pkthdr.len < off + sizeof(struct ip))
3321 return 0;
3322 /* do not decapsulate if the SA is for transport mode only */
3323 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3324 return 0;
3325
3326 oip = mtod(m, struct ip *);
3327 #ifdef _IP_VHL
3328 hlen = _IP_VHL_HL(oip->ip_vhl) << 2;
3329 #else
3330 hlen = oip->ip_hl << 2;
3331 #endif
3332 if (hlen != sizeof(struct ip))
3333 return 0;
3334
3335 /* AF_INET6 should be supported, but at this moment we don't. */
3336 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3337 if (sin->sin_family != AF_INET)
3338 return 0;
3339 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3340 return 0;
3341
3342 /* XXX slow */
3343 bzero(&osrc, sizeof(osrc));
3344 bzero(&odst, sizeof(odst));
3345 bzero(&isrc, sizeof(isrc));
3346 bzero(&idst, sizeof(idst));
3347 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3348 AF_INET;
3349 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3350 sizeof(struct sockaddr_in);
3351 osrc.sin_addr = oip->ip_src;
3352 odst.sin_addr = oip->ip_dst;
3353 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3354 (caddr_t)&isrc.sin_addr);
3355 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3356 (caddr_t)&idst.sin_addr);
3357
3358 /*
3359 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3360 * - if the inner destination is multicast address, there can be
3361 * multiple permissible inner source address. implementation
3362 * may want to skip verification of inner source address against
3363 * SPD selector.
3364 * - if the inner protocol is ICMP, the packet may be an error report
3365 * from routers on the other side of the VPN cloud (R in the
3366 * following diagram). in this case, we cannot verify inner source
3367 * address against SPD selector.
3368 * me -- gw === gw -- R -- you
3369 *
3370 * we consider the first bullet to be users responsibility on SPD entry
3371 * configuration (if you need to encrypt multicast traffic, set
3372 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3373 * address ranges for possible senders).
3374 * the second bullet is not taken care of (yet).
3375 *
3376 * therefore, we do not do anything special about inner source.
3377 */
3378
3379 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3380 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3381 if (!sp)
3382 return 0;
3383 key_freesp(sp);
3384
3385 return 1;
3386 }
3387
3388 #if INET6
3389 /* validate inbound IPsec tunnel packet. */
3390 int
3391 ipsec6_tunnel_validate(m, off, nxt0, sav)
3392 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3393 int off;
3394 u_int nxt0;
3395 struct secasvar *sav;
3396 {
3397 u_int8_t nxt = nxt0 & 0xff;
3398 struct sockaddr_in6 *sin6;
3399 struct sockaddr_in6 osrc, odst, isrc, idst;
3400 struct secpolicy *sp;
3401 struct ip6_hdr *oip6;
3402
3403 #if DIAGNOSTIC
3404 if (m->m_len < sizeof(struct ip6_hdr))
3405 panic("too short mbuf on ipsec6_tunnel_validate");
3406 #endif
3407 if (nxt != IPPROTO_IPV6)
3408 return 0;
3409 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3410 return 0;
3411 /* do not decapsulate if the SA is for transport mode only */
3412 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3413 return 0;
3414
3415 oip6 = mtod(m, struct ip6_hdr *);
3416 /* AF_INET should be supported, but at this moment we don't. */
3417 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3418 if (sin6->sin6_family != AF_INET6)
3419 return 0;
3420 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3421 return 0;
3422
3423 /* XXX slow */
3424 bzero(&osrc, sizeof(osrc));
3425 bzero(&odst, sizeof(odst));
3426 bzero(&isrc, sizeof(isrc));
3427 bzero(&idst, sizeof(idst));
3428 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3429 idst.sin6_family = AF_INET6;
3430 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3431 sizeof(struct sockaddr_in6);
3432 osrc.sin6_addr = oip6->ip6_src;
3433 odst.sin6_addr = oip6->ip6_dst;
3434 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3435 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3436 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3437 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3438
3439 /*
3440 * regarding to inner source address validation, see a long comment
3441 * in ipsec4_tunnel_validate.
3442 */
3443
3444 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3445 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3446 /*
3447 * when there is no suitable inbound policy for the packet of the ipsec
3448 * tunnel mode, the kernel never decapsulate the tunneled packet
3449 * as the ipsec tunnel mode even when the system wide policy is "none".
3450 * then the kernel leaves the generic tunnel module to process this
3451 * packet. if there is no rule of the generic tunnel, the packet
3452 * is rejected and the statistics will be counted up.
3453 */
3454 if (!sp)
3455 return 0;
3456 key_freesp(sp);
3457
3458 return 1;
3459 }
3460 #endif
3461
3462 /*
3463 * Make a mbuf chain for encryption.
3464 * If the original mbuf chain contains a mbuf with a cluster,
3465 * allocate a new cluster and copy the data to the new cluster.
3466 * XXX: this hack is inefficient, but is necessary to handle cases
3467 * of TCP retransmission...
3468 */
3469 struct mbuf *
3470 ipsec_copypkt(m)
3471 struct mbuf *m;
3472 {
3473 struct mbuf *n, **mpp, *mnew;
3474
3475 for (n = m, mpp = &m; n; n = n->m_next) {
3476 if (n->m_flags & M_EXT) {
3477 /*
3478 * Make a copy only if there are more than one references
3479 * to the cluster.
3480 * XXX: is this approach effective?
3481 */
3482 if (
3483 n->m_ext.ext_free ||
3484 m_mclhasreference(n)
3485 )
3486 {
3487 int remain, copied;
3488 struct mbuf *mm;
3489
3490 if (n->m_flags & M_PKTHDR) {
3491 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3492 if (mnew == NULL)
3493 goto fail;
3494 mnew->m_pkthdr = n->m_pkthdr;
3495 #if 0
3496 if (n->m_pkthdr.aux) {
3497 mnew->m_pkthdr.aux =
3498 m_copym(n->m_pkthdr.aux,
3499 0, M_COPYALL, M_DONTWAIT);
3500 }
3501 #endif
3502 M_COPY_PKTHDR(mnew, n);
3503 mnew->m_flags = n->m_flags & M_COPYFLAGS;
3504 }
3505 else {
3506 MGET(mnew, M_DONTWAIT, MT_DATA);
3507 if (mnew == NULL)
3508 goto fail;
3509 }
3510 mnew->m_len = 0;
3511 mm = mnew;
3512
3513 /*
3514 * Copy data. If we don't have enough space to
3515 * store the whole data, allocate a cluster
3516 * or additional mbufs.
3517 * XXX: we don't use m_copyback(), since the
3518 * function does not use clusters and thus is
3519 * inefficient.
3520 */
3521 remain = n->m_len;
3522 copied = 0;
3523 while (1) {
3524 int len;
3525 struct mbuf *mn;
3526
3527 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3528 len = remain;
3529 else { /* allocate a cluster */
3530 MCLGET(mm, M_DONTWAIT);
3531 if (!(mm->m_flags & M_EXT)) {
3532 m_free(mm);
3533 goto fail;
3534 }
3535 len = remain < MCLBYTES ?
3536 remain : MCLBYTES;
3537 }
3538
3539 bcopy(n->m_data + copied, mm->m_data,
3540 len);
3541
3542 copied += len;
3543 remain -= len;
3544 mm->m_len = len;
3545
3546 if (remain <= 0) /* completed? */
3547 break;
3548
3549 /* need another mbuf */
3550 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3551 if (mn == NULL)
3552 goto fail;
3553 mn->m_pkthdr.rcvif = NULL;
3554 mm->m_next = mn;
3555 mm = mn;
3556 }
3557
3558 /* adjust chain */
3559 mm->m_next = m_free(n);
3560 n = mm;
3561 *mpp = mnew;
3562 mpp = &n->m_next;
3563
3564 continue;
3565 }
3566 }
3567 *mpp = n;
3568 mpp = &n->m_next;
3569 }
3570
3571 return(m);
3572 fail:
3573 m_freem(m);
3574 return(NULL);
3575 }
3576
3577 static struct mbuf *
3578 ipsec_addaux(m)
3579 struct mbuf *m;
3580 {
3581 struct mbuf *n;
3582
3583 n = m_aux_find(m, AF_INET, IPPROTO_ESP);
3584 if (!n)
3585 n = m_aux_add(m, AF_INET, IPPROTO_ESP);
3586 if (!n)
3587 return n; /* ENOBUFS */
3588 n->m_len = sizeof(struct socket *);
3589 bzero(mtod(n, void *), n->m_len);
3590 return n;
3591 }
3592
3593 static struct mbuf *
3594 ipsec_findaux(m)
3595 struct mbuf *m;
3596 {
3597 struct mbuf *n;
3598
3599 n = m_aux_find(m, AF_INET, IPPROTO_ESP);
3600 #if DIAGNOSTIC
3601 if (n && n->m_len < sizeof(struct socket *))
3602 panic("invalid ipsec m_aux");
3603 #endif
3604 return n;
3605 }
3606
3607 void
3608 ipsec_delaux(m)
3609 struct mbuf *m;
3610 {
3611 struct mbuf *n;
3612
3613 n = m_aux_find(m, AF_INET, IPPROTO_ESP);
3614 if (n)
3615 m_aux_delete(m, n);
3616 }
3617
3618 /* if the aux buffer is unnecessary, nuke it. */
3619 static void
3620 ipsec_optaux(m, n)
3621 struct mbuf *m;
3622 struct mbuf *n;
3623 {
3624
3625 if (!n)
3626 return;
3627 if (n->m_len == sizeof(struct socket *) && !*mtod(n, struct socket **))
3628 ipsec_delaux(m);
3629 }
3630
3631 int
3632 ipsec_setsocket(m, so)
3633 struct mbuf *m;
3634 struct socket *so;
3635 {
3636 struct mbuf *n;
3637
3638 /* if so == NULL, don't insist on getting the aux mbuf */
3639 if (so) {
3640 n = ipsec_addaux(m);
3641 if (!n)
3642 return ENOBUFS;
3643 } else
3644 n = ipsec_findaux(m);
3645 if (n && n->m_len >= sizeof(struct socket *))
3646 *mtod(n, struct socket **) = so;
3647 ipsec_optaux(m, n);
3648 return 0;
3649 }
3650
3651 struct socket *
3652 ipsec_getsocket(m)
3653 struct mbuf *m;
3654 {
3655 struct mbuf *n;
3656
3657 n = ipsec_findaux(m);
3658 if (n && n->m_len >= sizeof(struct socket *))
3659 return *mtod(n, struct socket **);
3660 else
3661 return NULL;
3662 }
3663
3664 int
3665 ipsec_addhist(m, proto, spi)
3666 struct mbuf *m;
3667 int proto;
3668 u_int32_t spi;
3669 {
3670 struct mbuf *n;
3671 struct ipsec_history *p;
3672
3673 n = ipsec_addaux(m);
3674 if (!n)
3675 return ENOBUFS;
3676 if (M_TRAILINGSPACE(n) < sizeof(*p))
3677 return ENOSPC; /* XXX */
3678 p = (struct ipsec_history *)(mtod(n, caddr_t) + n->m_len);
3679 n->m_len += sizeof(*p);
3680 bzero(p, sizeof(*p));
3681 p->ih_proto = proto;
3682 p->ih_spi = spi;
3683 return 0;
3684 }
3685
3686 struct ipsec_history *
3687 ipsec_gethist(m, lenp)
3688 struct mbuf *m;
3689 int *lenp;
3690 {
3691 struct mbuf *n;
3692 int l;
3693
3694 n = ipsec_findaux(m);
3695 if (!n)
3696 return NULL;
3697 l = n->m_len;
3698 if (sizeof(struct socket *) > l)
3699 return NULL;
3700 if ((l - sizeof(struct socket *)) % sizeof(struct ipsec_history))
3701 return NULL;
3702 /* XXX does it make more sense to divide by sizeof(ipsec_history)? */
3703 if (lenp)
3704 *lenp = l - sizeof(struct socket *);
3705 return (struct ipsec_history *)
3706 (mtod(n, caddr_t) + sizeof(struct socket *));
3707 }
3708
3709 void
3710 ipsec_clearhist(m)
3711 struct mbuf *m;
3712 {
3713 struct mbuf *n;
3714
3715 n = ipsec_findaux(m);
3716 if ((n) && n->m_len > sizeof(struct socket *))
3717 n->m_len = sizeof(struct socket *);
3718 ipsec_optaux(m, n);
3719 }
3720
3721 __private_extern__ void
3722 ipsec_send_natt_keepalive(
3723 struct secasvar *sav)
3724 {
3725 struct mbuf *m;
3726 struct udphdr *uh;
3727 struct ip *ip;
3728
3729 if ((esp_udp_encap_port & 0xFFFF) == 0 || sav->remote_ike_port == 0) return;
3730
3731 m = m_gethdr(M_NOWAIT, MT_DATA);
3732 if (m == NULL) return;
3733
3734 /*
3735 * Create a UDP packet complete with IP header.
3736 * We must do this because UDP output requires
3737 * an inpcb which we don't have. UDP packet
3738 * contains one byte payload. The byte is set
3739 * to 0xFF.
3740 */
3741 ip = (struct ip*)m_mtod(m);
3742 uh = (struct udphdr*)((char*)m_mtod(m) + sizeof(struct ip));
3743 m->m_len = sizeof(struct udpiphdr) + 1;
3744 bzero(m_mtod(m), m->m_len);
3745 ip->ip_len = ntohs(m->m_len);
3746 ip->ip_ttl = ip_defttl;
3747 ip->ip_p = IPPROTO_UDP;
3748 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
3749 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
3750 uh->uh_sport = ntohs((u_short)esp_udp_encap_port);
3751 uh->uh_dport = ntohs(sav->remote_ike_port);
3752 uh->uh_ulen = htons(1 + sizeof(struct udphdr));
3753 uh->uh_sum = 0;
3754 *(u_int8_t*)((char*)m_mtod(m) + sizeof(struct ip) + sizeof(struct udphdr)) = 0xFF;
3755
3756 if (ip_output(m, NULL, &sav->sah->sa_route, IP_NOIPSEC, NULL) == 0)
3757 sav->natt_last_activity = natt_now;
3758 }
mirror of XNU