]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/ipsec.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-517.3.7.tar.gz
[apple/xnu.git] / bsd / netinet6 / ipsec.c
1 /* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $ */
2 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * IPsec controller part.
35 */
36
37 #include <sys/param.h>
38 #include <sys/systm.h>
39 #include <sys/malloc.h>
40 #include <sys/mbuf.h>
41 #include <sys/domain.h>
42 #include <sys/protosw.h>
43 #include <sys/socket.h>
44 #include <sys/socketvar.h>
45 #include <sys/errno.h>
46 #include <sys/time.h>
47 #include <sys/kernel.h>
48 #include <sys/syslog.h>
49 #include <sys/sysctl.h>
50
51 #include <net/if.h>
52 #include <net/route.h>
53
54 #include <netinet/in.h>
55 #include <netinet/in_systm.h>
56 #include <netinet/ip.h>
57 #include <netinet/ip_var.h>
58 #include <netinet/in_var.h>
59 #include <netinet/udp.h>
60 #include <netinet/udp_var.h>
61 #include <netinet/ip_ecn.h>
62 #if INET6
63 #include <netinet6/ip6_ecn.h>
64 #endif
65 #include <netinet/tcp.h>
66 #include <netinet/udp.h>
67
68 #include <netinet/ip6.h>
69 #if INET6
70 #include <netinet6/ip6_var.h>
71 #endif
72 #include <netinet/in_pcb.h>
73 #if INET6
74 #include <netinet/icmp6.h>
75 #endif
76
77 #include <netinet6/ipsec.h>
78 #if INET6
79 #include <netinet6/ipsec6.h>
80 #endif
81 #include <netinet6/ah.h>
82 #if INET6
83 #include <netinet6/ah6.h>
84 #endif
85 #if IPSEC_ESP
86 #include <netinet6/esp.h>
87 #if INET6
88 #include <netinet6/esp6.h>
89 #endif
90 #endif
91 #include <netinet6/ipcomp.h>
92 #if INET6
93 #include <netinet6/ipcomp6.h>
94 #endif
95 #include <netkey/key.h>
96 #include <netkey/keydb.h>
97 #include <netkey/key_debug.h>
98
99 #include <net/net_osdep.h>
100
101 #if IPSEC_DEBUG
102 int ipsec_debug = 1;
103 #else
104 int ipsec_debug = 0;
105 #endif
106
107 #include <sys/kdebug.h>
108 #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1)
109 #define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3)
110 #define DBG_FNC_GETPOL_SOCK NETDBG_CODE(DBG_NETIPSEC, (1 << 8))
111 #define DBG_FNC_GETPOL_ADDR NETDBG_CODE(DBG_NETIPSEC, (2 << 8))
112 #define DBG_FNC_IPSEC_OUT NETDBG_CODE(DBG_NETIPSEC, (3 << 8))
113
114
115 struct ipsecstat ipsecstat;
116 int ip4_ah_cleartos = 1;
117 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
118 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
119 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
120 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
121 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
122 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
123 struct secpolicy ip4_def_policy;
124 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
125 int ip4_esp_randpad = -1;
126 int esp_udp_encap_port = 0;
127 static int sysctl_def_policy SYSCTL_HANDLER_ARGS;
128 extern u_int32_t natt_now;
129
130 SYSCTL_DECL(_net_inet_ipsec);
131 #if INET6
132 SYSCTL_DECL(_net_inet6_ipsec6);
133 #endif
134 /* net.inet.ipsec */
135 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
136 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
137 SYSCTL_PROC(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy, CTLTYPE_INT|CTLFLAG_RW,
138 &ip4_def_policy.policy, 0, &sysctl_def_policy, "I", "");
139 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
140 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
141 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
142 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
143 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
144 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
145 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
146 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
147 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
148 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
149 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
150 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
151 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
152 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
153 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
154 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
155 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
156 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
157 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
158 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
159
160 /* for performance, we bypass ipsec until a security policy is set */
161 int ipsec_bypass = 1;
162 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, bypass, CTLFLAG_RD, &ipsec_bypass,0, "");
163
164 /*
165 * NAT Traversal requires a UDP port for encapsulation,
166 * esp_udp_encap_port controls which port is used. Racoon
167 * must set this port to the port racoon is using locally
168 * for nat traversal.
169 */
170 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, esp_port,
171 CTLFLAG_RW, &esp_udp_encap_port, 0, "");
172
173 #if INET6
174 struct ipsecstat ipsec6stat;
175 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
176 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
177 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
178 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
179 struct secpolicy ip6_def_policy;
180 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
181 int ip6_esp_randpad = -1;
182
183 /* net.inet6.ipsec6 */
184 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
185 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
186 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
187 def_policy, CTLFLAG_RW, &ip6_def_policy.policy, 0, "");
188 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
189 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
190 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
191 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
192 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
193 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
194 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
195 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
196 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
197 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
198 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
199 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
200 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
201 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
202 #endif /* INET6 */
203
204 static int ipsec_setspidx_mbuf
205 __P((struct secpolicyindex *, u_int, u_int, struct mbuf *, int));
206 static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
207 #if INET6
208 static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb));
209 #endif
210 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
211 static void ipsec4_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
212 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
213 #if INET6
214 static void ipsec6_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
215 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
216 #endif
217 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
218 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
219 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *src));
220 static int ipsec_set_policy __P((struct secpolicy **pcb_sp,
221 int optname, caddr_t request, size_t len, int priv));
222 static int ipsec_get_policy __P((struct secpolicy *pcb_sp, struct mbuf **mp));
223 static void vshiftl __P((unsigned char *, int, int));
224 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
225 static size_t ipsec_hdrsiz __P((struct secpolicy *));
226 #if INET
227 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
228 #endif
229 #if INET6
230 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
231 #endif
232 #if INET
233 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
234 #endif
235 #if INET6
236 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
237 #endif
238 static struct mbuf *ipsec_addaux __P((struct mbuf *));
239 static struct mbuf *ipsec_findaux __P((struct mbuf *));
240 static void ipsec_optaux __P((struct mbuf *, struct mbuf *));
241 void ipsec_send_natt_keepalive(struct secasvar *sav);
242
243 static int
244 sysctl_def_policy SYSCTL_HANDLER_ARGS
245 {
246 int old_policy = ip4_def_policy.policy;
247 int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
248
249 if (ip4_def_policy.policy != IPSEC_POLICY_NONE &&
250 ip4_def_policy.policy != IPSEC_POLICY_DISCARD) {
251 ip4_def_policy.policy = old_policy;
252 return EINVAL;
253 }
254
255 /* Turn off the bypass if the default security policy changes */
256 if (ipsec_bypass != 0 && ip4_def_policy.policy != IPSEC_POLICY_NONE)
257 ipsec_bypass = 0;
258
259 return error;
260 }
261
262 /*
263 * For OUTBOUND packet having a socket. Searching SPD for packet,
264 * and return a pointer to SP.
265 * OUT: NULL: no apropreate SP found, the following value is set to error.
266 * 0 : bypass
267 * EACCES : discard packet.
268 * ENOENT : ipsec_acquire() in progress, maybe.
269 * others : error occured.
270 * others: a pointer to SP
271 *
272 * NOTE: IPv6 mapped adddress concern is implemented here.
273 */
274 struct secpolicy *
275 ipsec4_getpolicybysock(m, dir, so, error)
276 struct mbuf *m;
277 u_int dir;
278 struct socket *so;
279 int *error;
280 {
281 struct inpcbpolicy *pcbsp = NULL;
282 struct secpolicy *currsp = NULL; /* policy on socket */
283 struct secpolicy *kernsp = NULL; /* policy on kernel */
284
285 /* sanity check */
286 if (m == NULL || so == NULL || error == NULL)
287 panic("ipsec4_getpolicybysock: NULL pointer was passed.\n");
288
289 switch (so->so_proto->pr_domain->dom_family) {
290 case AF_INET:
291 pcbsp = sotoinpcb(so)->inp_sp;
292 break;
293 #if INET6
294 case AF_INET6:
295 pcbsp = sotoin6pcb(so)->in6p_sp;
296 break;
297 #endif
298 }
299
300 if (!pcbsp){
301 /* Socket has not specified an IPSEC policy */
302 return ipsec4_getpolicybyaddr(m, dir, 0, error);
303 }
304
305 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_START, 0,0,0,0,0);
306
307 switch (so->so_proto->pr_domain->dom_family) {
308 case AF_INET:
309 /* set spidx in pcb */
310 *error = ipsec4_setspidx_inpcb(m, sotoinpcb(so));
311 break;
312 #if INET6
313 case AF_INET6:
314 /* set spidx in pcb */
315 *error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
316 break;
317 #endif
318 default:
319 panic("ipsec4_getpolicybysock: unsupported address family\n");
320 }
321 if (*error) {
322 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 1,*error,0,0,0);
323 return NULL;
324 }
325
326 /* sanity check */
327 if (pcbsp == NULL)
328 panic("ipsec4_getpolicybysock: pcbsp is NULL.\n");
329
330 switch (dir) {
331 case IPSEC_DIR_INBOUND:
332 currsp = pcbsp->sp_in;
333 break;
334 case IPSEC_DIR_OUTBOUND:
335 currsp = pcbsp->sp_out;
336 break;
337 default:
338 panic("ipsec4_getpolicybysock: illegal direction.\n");
339 }
340
341 /* sanity check */
342 if (currsp == NULL)
343 panic("ipsec4_getpolicybysock: currsp is NULL.\n");
344
345 /* when privilieged socket */
346 if (pcbsp->priv) {
347 switch (currsp->policy) {
348 case IPSEC_POLICY_BYPASS:
349 currsp->refcnt++;
350 *error = 0;
351 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 2,*error,0,0,0);
352 return currsp;
353
354 case IPSEC_POLICY_ENTRUST:
355 /* look for a policy in SPD */
356 kernsp = key_allocsp(&currsp->spidx, dir);
357
358 /* SP found */
359 if (kernsp != NULL) {
360 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
361 printf("DP ipsec4_getpolicybysock called "
362 "to allocate SP:%p\n", kernsp));
363 *error = 0;
364 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 3,*error,0,0,0);
365 return kernsp;
366 }
367
368 /* no SP found */
369 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
370 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
371 ipseclog((LOG_INFO,
372 "fixed system default policy: %d->%d\n",
373 ip4_def_policy.policy, IPSEC_POLICY_NONE));
374 ip4_def_policy.policy = IPSEC_POLICY_NONE;
375 }
376 ip4_def_policy.refcnt++;
377 *error = 0;
378 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 4,*error,0,0,0);
379 return &ip4_def_policy;
380
381 case IPSEC_POLICY_IPSEC:
382 currsp->refcnt++;
383 *error = 0;
384 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 5,*error,0,0,0);
385 return currsp;
386
387 default:
388 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
389 "Invalid policy for PCB %d\n", currsp->policy));
390 *error = EINVAL;
391 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 6,*error,0,0,0);
392 return NULL;
393 }
394 /* NOTREACHED */
395 }
396
397 /* when non-privilieged socket */
398 /* look for a policy in SPD */
399 kernsp = key_allocsp(&currsp->spidx, dir);
400
401 /* SP found */
402 if (kernsp != NULL) {
403 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
404 printf("DP ipsec4_getpolicybysock called "
405 "to allocate SP:%p\n", kernsp));
406 *error = 0;
407 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 7,*error,0,0,0);
408 return kernsp;
409 }
410
411 /* no SP found */
412 switch (currsp->policy) {
413 case IPSEC_POLICY_BYPASS:
414 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
415 "Illegal policy for non-priviliged defined %d\n",
416 currsp->policy));
417 *error = EINVAL;
418 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 8,*error,0,0,0);
419 return NULL;
420
421 case IPSEC_POLICY_ENTRUST:
422 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
423 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
424 ipseclog((LOG_INFO,
425 "fixed system default policy: %d->%d\n",
426 ip4_def_policy.policy, IPSEC_POLICY_NONE));
427 ip4_def_policy.policy = IPSEC_POLICY_NONE;
428 }
429 ip4_def_policy.refcnt++;
430 *error = 0;
431 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 9,*error,0,0,0);
432 return &ip4_def_policy;
433
434 case IPSEC_POLICY_IPSEC:
435 currsp->refcnt++;
436 *error = 0;
437 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 10,*error,0,0,0);
438 return currsp;
439
440 default:
441 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
442 "Invalid policy for PCB %d\n", currsp->policy));
443 *error = EINVAL;
444 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 11,*error,0,0,0);
445 return NULL;
446 }
447 /* NOTREACHED */
448 }
449
450 /*
451 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
452 * and return a pointer to SP.
453 * OUT: positive: a pointer to the entry for security policy leaf matched.
454 * NULL: no apropreate SP found, the following value is set to error.
455 * 0 : bypass
456 * EACCES : discard packet.
457 * ENOENT : ipsec_acquire() in progress, maybe.
458 * others : error occured.
459 */
460 struct secpolicy *
461 ipsec4_getpolicybyaddr(m, dir, flag, error)
462 struct mbuf *m;
463 u_int dir;
464 int flag;
465 int *error;
466 {
467 struct secpolicy *sp = NULL;
468
469 if (ipsec_bypass != 0)
470 return 0;
471
472 /* sanity check */
473 if (m == NULL || error == NULL)
474 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n");
475
476 {
477 struct secpolicyindex spidx;
478
479 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0);
480 bzero(&spidx, sizeof(spidx));
481
482 /* make a index to look for a policy */
483 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
484 (flag & IP_FORWARDING) ? 0 : 1);
485
486 if (*error != 0) {
487 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,*error,0,0,0);
488 return NULL;
489 }
490
491 sp = key_allocsp(&spidx, dir);
492 }
493
494 /* SP found */
495 if (sp != NULL) {
496 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
497 printf("DP ipsec4_getpolicybyaddr called "
498 "to allocate SP:%p\n", sp));
499 *error = 0;
500 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,*error,0,0,0);
501 return sp;
502 }
503
504 /* no SP found */
505 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
506 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
507 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
508 ip4_def_policy.policy,
509 IPSEC_POLICY_NONE));
510 ip4_def_policy.policy = IPSEC_POLICY_NONE;
511 }
512 ip4_def_policy.refcnt++;
513 *error = 0;
514 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 3,*error,0,0,0);
515 return &ip4_def_policy;
516 }
517
518 #if INET6
519 /*
520 * For OUTBOUND packet having a socket. Searching SPD for packet,
521 * and return a pointer to SP.
522 * OUT: NULL: no apropreate SP found, the following value is set to error.
523 * 0 : bypass
524 * EACCES : discard packet.
525 * ENOENT : ipsec_acquire() in progress, maybe.
526 * others : error occured.
527 * others: a pointer to SP
528 */
529 struct secpolicy *
530 ipsec6_getpolicybysock(m, dir, so, error)
531 struct mbuf *m;
532 u_int dir;
533 struct socket *so;
534 int *error;
535 {
536 struct inpcbpolicy *pcbsp = NULL;
537 struct secpolicy *currsp = NULL; /* policy on socket */
538 struct secpolicy *kernsp = NULL; /* policy on kernel */
539
540 /* sanity check */
541 if (m == NULL || so == NULL || error == NULL)
542 panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
543
544 #if DIAGNOSTIC
545 if (so->so_proto->pr_domain->dom_family != AF_INET6)
546 panic("ipsec6_getpolicybysock: socket domain != inet6\n");
547 #endif
548
549 pcbsp = sotoin6pcb(so)->in6p_sp;
550
551 if (!pcbsp){
552 return ipsec6_getpolicybyaddr(m, dir, 0, error);
553 }
554
555 /* set spidx in pcb */
556 ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
557
558 /* sanity check */
559 if (pcbsp == NULL)
560 panic("ipsec6_getpolicybysock: pcbsp is NULL.\n");
561
562 switch (dir) {
563 case IPSEC_DIR_INBOUND:
564 currsp = pcbsp->sp_in;
565 break;
566 case IPSEC_DIR_OUTBOUND:
567 currsp = pcbsp->sp_out;
568 break;
569 default:
570 panic("ipsec6_getpolicybysock: illegal direction.\n");
571 }
572
573 /* sanity check */
574 if (currsp == NULL)
575 panic("ipsec6_getpolicybysock: currsp is NULL.\n");
576
577 /* when privilieged socket */
578 if (pcbsp->priv) {
579 switch (currsp->policy) {
580 case IPSEC_POLICY_BYPASS:
581 currsp->refcnt++;
582 *error = 0;
583 return currsp;
584
585 case IPSEC_POLICY_ENTRUST:
586 /* look for a policy in SPD */
587 kernsp = key_allocsp(&currsp->spidx, dir);
588
589 /* SP found */
590 if (kernsp != NULL) {
591 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
592 printf("DP ipsec6_getpolicybysock called "
593 "to allocate SP:%p\n", kernsp));
594 *error = 0;
595 return kernsp;
596 }
597
598 /* no SP found */
599 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
600 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
601 ipseclog((LOG_INFO,
602 "fixed system default policy: %d->%d\n",
603 ip6_def_policy.policy, IPSEC_POLICY_NONE));
604 ip6_def_policy.policy = IPSEC_POLICY_NONE;
605 }
606 ip6_def_policy.refcnt++;
607 *error = 0;
608 return &ip6_def_policy;
609
610 case IPSEC_POLICY_IPSEC:
611 currsp->refcnt++;
612 *error = 0;
613 return currsp;
614
615 default:
616 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
617 "Invalid policy for PCB %d\n", currsp->policy));
618 *error = EINVAL;
619 return NULL;
620 }
621 /* NOTREACHED */
622 }
623
624 /* when non-privilieged socket */
625 /* look for a policy in SPD */
626 kernsp = key_allocsp(&currsp->spidx, dir);
627
628 /* SP found */
629 if (kernsp != NULL) {
630 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
631 printf("DP ipsec6_getpolicybysock called "
632 "to allocate SP:%p\n", kernsp));
633 *error = 0;
634 return kernsp;
635 }
636
637 /* no SP found */
638 switch (currsp->policy) {
639 case IPSEC_POLICY_BYPASS:
640 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
641 "Illegal policy for non-priviliged defined %d\n",
642 currsp->policy));
643 *error = EINVAL;
644 return NULL;
645
646 case IPSEC_POLICY_ENTRUST:
647 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
648 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
649 ipseclog((LOG_INFO,
650 "fixed system default policy: %d->%d\n",
651 ip6_def_policy.policy, IPSEC_POLICY_NONE));
652 ip6_def_policy.policy = IPSEC_POLICY_NONE;
653 }
654 ip6_def_policy.refcnt++;
655 *error = 0;
656 return &ip6_def_policy;
657
658 case IPSEC_POLICY_IPSEC:
659 currsp->refcnt++;
660 *error = 0;
661 return currsp;
662
663 default:
664 ipseclog((LOG_ERR,
665 "ipsec6_policybysock: Invalid policy for PCB %d\n",
666 currsp->policy));
667 *error = EINVAL;
668 return NULL;
669 }
670 /* NOTREACHED */
671 }
672
673 /*
674 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
675 * and return a pointer to SP.
676 * `flag' means that packet is to be forwarded whether or not.
677 * flag = 1: forwad
678 * OUT: positive: a pointer to the entry for security policy leaf matched.
679 * NULL: no apropreate SP found, the following value is set to error.
680 * 0 : bypass
681 * EACCES : discard packet.
682 * ENOENT : ipsec_acquire() in progress, maybe.
683 * others : error occured.
684 */
685 #ifndef IP_FORWARDING
686 #define IP_FORWARDING 1
687 #endif
688
689 struct secpolicy *
690 ipsec6_getpolicybyaddr(m, dir, flag, error)
691 struct mbuf *m;
692 u_int dir;
693 int flag;
694 int *error;
695 {
696 struct secpolicy *sp = NULL;
697
698 /* sanity check */
699 if (m == NULL || error == NULL)
700 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n");
701
702 {
703 struct secpolicyindex spidx;
704
705 bzero(&spidx, sizeof(spidx));
706
707 /* make a index to look for a policy */
708 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
709 (flag & IP_FORWARDING) ? 0 : 1);
710
711 if (*error != 0)
712 return NULL;
713
714 sp = key_allocsp(&spidx, dir);
715 }
716
717 /* SP found */
718 if (sp != NULL) {
719 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
720 printf("DP ipsec6_getpolicybyaddr called "
721 "to allocate SP:%p\n", sp));
722 *error = 0;
723 return sp;
724 }
725
726 /* no SP found */
727 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
728 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
729 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
730 ip6_def_policy.policy, IPSEC_POLICY_NONE));
731 ip6_def_policy.policy = IPSEC_POLICY_NONE;
732 }
733 ip6_def_policy.refcnt++;
734 *error = 0;
735 return &ip6_def_policy;
736 }
737 #endif /* INET6 */
738
739 /*
740 * set IP address into spidx from mbuf.
741 * When Forwarding packet and ICMP echo reply, this function is used.
742 *
743 * IN: get the followings from mbuf.
744 * protocol family, src, dst, next protocol
745 * OUT:
746 * 0: success.
747 * other: failure, and set errno.
748 */
749 int
750 ipsec_setspidx_mbuf(spidx, dir, family, m, needport)
751 struct secpolicyindex *spidx;
752 u_int dir, family;
753 struct mbuf *m;
754 int needport;
755 {
756 int error;
757
758 /* sanity check */
759 if (spidx == NULL || m == NULL)
760 panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n");
761
762 bzero(spidx, sizeof(*spidx));
763
764 error = ipsec_setspidx(m, spidx, needport);
765 if (error)
766 goto bad;
767 spidx->dir = dir;
768
769 return 0;
770
771 bad:
772 /* XXX initialize */
773 bzero(spidx, sizeof(*spidx));
774 return EINVAL;
775 }
776
777 static int
778 ipsec4_setspidx_inpcb(m, pcb)
779 struct mbuf *m;
780 struct inpcb *pcb;
781 {
782 struct secpolicyindex *spidx;
783 int error;
784
785 if (ipsec_bypass != 0)
786 return 0;
787
788 /* sanity check */
789 if (pcb == NULL)
790 panic("ipsec4_setspidx_inpcb: no PCB found.\n");
791 if (pcb->inp_sp == NULL)
792 panic("ipsec4_setspidx_inpcb: no inp_sp found.\n");
793 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL)
794 panic("ipsec4_setspidx_inpcb: no sp_in/out found.\n");
795
796 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
797 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
798
799 spidx = &pcb->inp_sp->sp_in->spidx;
800 error = ipsec_setspidx(m, spidx, 1);
801 if (error)
802 goto bad;
803 spidx->dir = IPSEC_DIR_INBOUND;
804
805 spidx = &pcb->inp_sp->sp_out->spidx;
806 error = ipsec_setspidx(m, spidx, 1);
807 if (error)
808 goto bad;
809 spidx->dir = IPSEC_DIR_OUTBOUND;
810
811 return 0;
812
813 bad:
814 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
815 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
816 return error;
817 }
818
819 #if INET6
820 static int
821 ipsec6_setspidx_in6pcb(m, pcb)
822 struct mbuf *m;
823 struct in6pcb *pcb;
824 {
825 struct secpolicyindex *spidx;
826 int error;
827
828 /* sanity check */
829 if (pcb == NULL)
830 panic("ipsec6_setspidx_in6pcb: no PCB found.\n");
831 if (pcb->in6p_sp == NULL)
832 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.\n");
833 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL)
834 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.\n");
835
836 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
837 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
838
839 spidx = &pcb->in6p_sp->sp_in->spidx;
840 error = ipsec_setspidx(m, spidx, 1);
841 if (error)
842 goto bad;
843 spidx->dir = IPSEC_DIR_INBOUND;
844
845 spidx = &pcb->in6p_sp->sp_out->spidx;
846 error = ipsec_setspidx(m, spidx, 1);
847 if (error)
848 goto bad;
849 spidx->dir = IPSEC_DIR_OUTBOUND;
850
851 return 0;
852
853 bad:
854 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
855 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
856 return error;
857 }
858 #endif
859
860 /*
861 * configure security policy index (src/dst/proto/sport/dport)
862 * by looking at the content of mbuf.
863 * the caller is responsible for error recovery (like clearing up spidx).
864 */
865 static int
866 ipsec_setspidx(m, spidx, needport)
867 struct mbuf *m;
868 struct secpolicyindex *spidx;
869 int needport;
870 {
871 struct ip *ip = NULL;
872 struct ip ipbuf;
873 u_int v;
874 struct mbuf *n;
875 int len;
876 int error;
877
878 if (m == NULL)
879 panic("ipsec_setspidx: m == 0 passed.\n");
880
881 /*
882 * validate m->m_pkthdr.len. we see incorrect length if we
883 * mistakenly call this function with inconsistent mbuf chain
884 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
885 */
886 len = 0;
887 for (n = m; n; n = n->m_next)
888 len += n->m_len;
889 if (m->m_pkthdr.len != len) {
890 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
891 printf("ipsec_setspidx: "
892 "total of m_len(%d) != pkthdr.len(%d), "
893 "ignored.\n",
894 len, m->m_pkthdr.len));
895 return EINVAL;
896 }
897
898 if (m->m_pkthdr.len < sizeof(struct ip)) {
899 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
900 printf("ipsec_setspidx: "
901 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
902 m->m_pkthdr.len));
903 return EINVAL;
904 }
905
906 if (m->m_len >= sizeof(*ip))
907 ip = mtod(m, struct ip *);
908 else {
909 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
910 ip = &ipbuf;
911 }
912 #ifdef _IP_VHL
913 v = _IP_VHL_V(ip->ip_vhl);
914 #else
915 v = ip->ip_v;
916 #endif
917 switch (v) {
918 case 4:
919 error = ipsec4_setspidx_ipaddr(m, spidx);
920 if (error)
921 return error;
922 ipsec4_get_ulp(m, spidx, needport);
923 return 0;
924 #ifdef INET6
925 case 6:
926 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
927 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
928 printf("ipsec_setspidx: "
929 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
930 "ignored.\n", m->m_pkthdr.len));
931 return EINVAL;
932 }
933 error = ipsec6_setspidx_ipaddr(m, spidx);
934 if (error)
935 return error;
936 ipsec6_get_ulp(m, spidx, needport);
937 return 0;
938 #endif
939 default:
940 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
941 printf("ipsec_setspidx: "
942 "unknown IP version %u, ignored.\n", v));
943 return EINVAL;
944 }
945 }
946
947 static void
948 ipsec4_get_ulp(m, spidx, needport)
949 struct mbuf *m;
950 struct secpolicyindex *spidx;
951 int needport;
952 {
953 struct ip ip;
954 struct ip6_ext ip6e;
955 u_int8_t nxt;
956 int off;
957 struct tcphdr th;
958 struct udphdr uh;
959
960 /* sanity check */
961 if (m == NULL)
962 panic("ipsec4_get_ulp: NULL pointer was passed.\n");
963 if (m->m_pkthdr.len < sizeof(ip))
964 panic("ipsec4_get_ulp: too short\n");
965
966 /* set default */
967 spidx->ul_proto = IPSEC_ULPROTO_ANY;
968 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
969 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
970
971 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
972 /* ip_input() flips it into host endian XXX need more checking */
973 if (ip.ip_off & (IP_MF | IP_OFFMASK))
974 return;
975
976 nxt = ip.ip_p;
977 #ifdef _IP_VHL
978 off = _IP_VHL_HL(ip->ip_vhl) << 2;
979 #else
980 off = ip.ip_hl << 2;
981 #endif
982 while (off < m->m_pkthdr.len) {
983 switch (nxt) {
984 case IPPROTO_TCP:
985 spidx->ul_proto = nxt;
986 if (!needport)
987 return;
988 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
989 return;
990 m_copydata(m, off, sizeof(th), (caddr_t)&th);
991 ((struct sockaddr_in *)&spidx->src)->sin_port =
992 th.th_sport;
993 ((struct sockaddr_in *)&spidx->dst)->sin_port =
994 th.th_dport;
995 return;
996 case IPPROTO_UDP:
997 spidx->ul_proto = nxt;
998 if (!needport)
999 return;
1000 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1001 return;
1002 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1003 ((struct sockaddr_in *)&spidx->src)->sin_port =
1004 uh.uh_sport;
1005 ((struct sockaddr_in *)&spidx->dst)->sin_port =
1006 uh.uh_dport;
1007 return;
1008 case IPPROTO_AH:
1009 if (m->m_pkthdr.len > off + sizeof(ip6e))
1010 return;
1011 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1012 off += (ip6e.ip6e_len + 2) << 2;
1013 nxt = ip6e.ip6e_nxt;
1014 break;
1015 case IPPROTO_ICMP:
1016 default:
1017 /* XXX intermediate headers??? */
1018 spidx->ul_proto = nxt;
1019 return;
1020 }
1021 }
1022 }
1023
1024 /* assumes that m is sane */
1025 static int
1026 ipsec4_setspidx_ipaddr(m, spidx)
1027 struct mbuf *m;
1028 struct secpolicyindex *spidx;
1029 {
1030 struct ip *ip = NULL;
1031 struct ip ipbuf;
1032 struct sockaddr_in *sin;
1033
1034 if (m->m_len >= sizeof(*ip))
1035 ip = mtod(m, struct ip *);
1036 else {
1037 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
1038 ip = &ipbuf;
1039 }
1040
1041 sin = (struct sockaddr_in *)&spidx->src;
1042 bzero(sin, sizeof(*sin));
1043 sin->sin_family = AF_INET;
1044 sin->sin_len = sizeof(struct sockaddr_in);
1045 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1046 spidx->prefs = sizeof(struct in_addr) << 3;
1047
1048 sin = (struct sockaddr_in *)&spidx->dst;
1049 bzero(sin, sizeof(*sin));
1050 sin->sin_family = AF_INET;
1051 sin->sin_len = sizeof(struct sockaddr_in);
1052 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1053 spidx->prefd = sizeof(struct in_addr) << 3;
1054 return 0;
1055 }
1056
1057 #if INET6
1058 static void
1059 ipsec6_get_ulp(m, spidx, needport)
1060 struct mbuf *m;
1061 struct secpolicyindex *spidx;
1062 int needport;
1063 {
1064 int off, nxt;
1065 struct tcphdr th;
1066 struct udphdr uh;
1067
1068 /* sanity check */
1069 if (m == NULL)
1070 panic("ipsec6_get_ulp: NULL pointer was passed.\n");
1071
1072 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1073 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1074
1075 /* set default */
1076 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1077 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1078 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1079
1080 nxt = -1;
1081 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1082 if (off < 0 || m->m_pkthdr.len < off)
1083 return;
1084
1085 switch (nxt) {
1086 case IPPROTO_TCP:
1087 spidx->ul_proto = nxt;
1088 if (!needport)
1089 break;
1090 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1091 break;
1092 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1093 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1094 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1095 break;
1096 case IPPROTO_UDP:
1097 spidx->ul_proto = nxt;
1098 if (!needport)
1099 break;
1100 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1101 break;
1102 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1103 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1104 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1105 break;
1106 case IPPROTO_ICMPV6:
1107 default:
1108 /* XXX intermediate headers??? */
1109 spidx->ul_proto = nxt;
1110 break;
1111 }
1112 }
1113
1114 /* assumes that m is sane */
1115 static int
1116 ipsec6_setspidx_ipaddr(m, spidx)
1117 struct mbuf *m;
1118 struct secpolicyindex *spidx;
1119 {
1120 struct ip6_hdr *ip6 = NULL;
1121 struct ip6_hdr ip6buf;
1122 struct sockaddr_in6 *sin6;
1123
1124 if (m->m_len >= sizeof(*ip6))
1125 ip6 = mtod(m, struct ip6_hdr *);
1126 else {
1127 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1128 ip6 = &ip6buf;
1129 }
1130
1131 sin6 = (struct sockaddr_in6 *)&spidx->src;
1132 bzero(sin6, sizeof(*sin6));
1133 sin6->sin6_family = AF_INET6;
1134 sin6->sin6_len = sizeof(struct sockaddr_in6);
1135 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
1136 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1137 sin6->sin6_addr.s6_addr16[1] = 0;
1138 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1139 }
1140 spidx->prefs = sizeof(struct in6_addr) << 3;
1141
1142 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1143 bzero(sin6, sizeof(*sin6));
1144 sin6->sin6_family = AF_INET6;
1145 sin6->sin6_len = sizeof(struct sockaddr_in6);
1146 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
1147 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1148 sin6->sin6_addr.s6_addr16[1] = 0;
1149 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1150 }
1151 spidx->prefd = sizeof(struct in6_addr) << 3;
1152
1153 return 0;
1154 }
1155 #endif
1156
1157 static struct inpcbpolicy *
1158 ipsec_newpcbpolicy()
1159 {
1160 struct inpcbpolicy *p;
1161
1162 p = (struct inpcbpolicy *)_MALLOC(sizeof(*p), M_SECA, M_WAITOK);
1163 return p;
1164 }
1165
1166 static void
1167 ipsec_delpcbpolicy(p)
1168 struct inpcbpolicy *p;
1169 {
1170 FREE(p, M_SECA);
1171 }
1172
1173 /* initialize policy in PCB */
1174 int
1175 ipsec_init_policy(so, pcb_sp)
1176 struct socket *so;
1177 struct inpcbpolicy **pcb_sp;
1178 {
1179 struct inpcbpolicy *new;
1180
1181 /* sanity check. */
1182 if (so == NULL || pcb_sp == NULL)
1183 panic("ipsec_init_policy: NULL pointer was passed.\n");
1184
1185 new = ipsec_newpcbpolicy();
1186 if (new == NULL) {
1187 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1188 return ENOBUFS;
1189 }
1190 bzero(new, sizeof(*new));
1191
1192 #ifdef __APPLE__
1193 if (so->so_uid == 0)
1194 #else
1195 if (so->so_cred != 0 && so->so_cred->pc_ucred->cr_uid == 0)
1196 #endif
1197 new->priv = 1;
1198 else
1199 new->priv = 0;
1200
1201 if ((new->sp_in = key_newsp()) == NULL) {
1202 ipsec_delpcbpolicy(new);
1203 return ENOBUFS;
1204 }
1205 new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1206 new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1207
1208 if ((new->sp_out = key_newsp()) == NULL) {
1209 key_freesp(new->sp_in);
1210 ipsec_delpcbpolicy(new);
1211 return ENOBUFS;
1212 }
1213 new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1214 new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1215
1216 *pcb_sp = new;
1217
1218 return 0;
1219 }
1220
1221 /* copy old ipsec policy into new */
1222 int
1223 ipsec_copy_policy(old, new)
1224 struct inpcbpolicy *old, *new;
1225 {
1226 struct secpolicy *sp;
1227
1228 if (ipsec_bypass != 0)
1229 return 0;
1230
1231 sp = ipsec_deepcopy_policy(old->sp_in);
1232 if (sp) {
1233 key_freesp(new->sp_in);
1234 new->sp_in = sp;
1235 } else
1236 return ENOBUFS;
1237
1238 sp = ipsec_deepcopy_policy(old->sp_out);
1239 if (sp) {
1240 key_freesp(new->sp_out);
1241 new->sp_out = sp;
1242 } else
1243 return ENOBUFS;
1244
1245 new->priv = old->priv;
1246
1247 return 0;
1248 }
1249
1250 /* deep-copy a policy in PCB */
1251 static struct secpolicy *
1252 ipsec_deepcopy_policy(src)
1253 struct secpolicy *src;
1254 {
1255 struct ipsecrequest *newchain = NULL;
1256 struct ipsecrequest *p;
1257 struct ipsecrequest **q;
1258 struct ipsecrequest *r;
1259 struct secpolicy *dst;
1260
1261 dst = key_newsp();
1262 if (src == NULL || dst == NULL)
1263 return NULL;
1264
1265 /*
1266 * deep-copy IPsec request chain. This is required since struct
1267 * ipsecrequest is not reference counted.
1268 */
1269 q = &newchain;
1270 for (p = src->req; p; p = p->next) {
1271 *q = (struct ipsecrequest *)_MALLOC(sizeof(struct ipsecrequest),
1272 M_SECA, M_WAITOK);
1273 if (*q == NULL)
1274 goto fail;
1275 bzero(*q, sizeof(**q));
1276 (*q)->next = NULL;
1277
1278 (*q)->saidx.proto = p->saidx.proto;
1279 (*q)->saidx.mode = p->saidx.mode;
1280 (*q)->level = p->level;
1281 (*q)->saidx.reqid = p->saidx.reqid;
1282
1283 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1284 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1285
1286 (*q)->sav = NULL;
1287 (*q)->sp = dst;
1288
1289 q = &((*q)->next);
1290 }
1291
1292 dst->req = newchain;
1293 dst->state = src->state;
1294 dst->policy = src->policy;
1295 /* do not touch the refcnt fields */
1296
1297 return dst;
1298
1299 fail:
1300 for (p = newchain; p; p = r) {
1301 r = p->next;
1302 FREE(p, M_SECA);
1303 p = NULL;
1304 }
1305 return NULL;
1306 }
1307
1308 /* set policy and ipsec request if present. */
1309 static int
1310 ipsec_set_policy(pcb_sp, optname, request, len, priv)
1311 struct secpolicy **pcb_sp;
1312 int optname;
1313 caddr_t request;
1314 size_t len;
1315 int priv;
1316 {
1317 struct sadb_x_policy *xpl;
1318 struct secpolicy *newsp = NULL;
1319 int error;
1320
1321 /* sanity check. */
1322 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL)
1323 return EINVAL;
1324 if (len < sizeof(*xpl))
1325 return EINVAL;
1326 xpl = (struct sadb_x_policy *)request;
1327
1328 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1329 printf("ipsec_set_policy: passed policy\n");
1330 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1331
1332 /* check policy type */
1333 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1334 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1335 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1336 return EINVAL;
1337
1338 /* check privileged socket */
1339 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1340 return EACCES;
1341
1342 /* allocation new SP entry */
1343 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1344 return error;
1345
1346 newsp->state = IPSEC_SPSTATE_ALIVE;
1347
1348 /* clear old SP and set new SP */
1349 key_freesp(*pcb_sp);
1350 *pcb_sp = newsp;
1351 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1352 printf("ipsec_set_policy: new policy\n");
1353 kdebug_secpolicy(newsp));
1354
1355 return 0;
1356 }
1357
1358 static int
1359 ipsec_get_policy(pcb_sp, mp)
1360 struct secpolicy *pcb_sp;
1361 struct mbuf **mp;
1362 {
1363
1364 /* sanity check. */
1365 if (pcb_sp == NULL || mp == NULL)
1366 return EINVAL;
1367
1368 *mp = key_sp2msg(pcb_sp);
1369 if (!*mp) {
1370 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1371 return ENOBUFS;
1372 }
1373
1374 (*mp)->m_type = MT_DATA;
1375 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1376 printf("ipsec_get_policy:\n");
1377 kdebug_mbuf(*mp));
1378
1379 return 0;
1380 }
1381
1382 int
1383 ipsec4_set_policy(inp, optname, request, len, priv)
1384 struct inpcb *inp;
1385 int optname;
1386 caddr_t request;
1387 size_t len;
1388 int priv;
1389 {
1390 struct sadb_x_policy *xpl;
1391 struct secpolicy **pcb_sp;
1392 int error = 0;
1393
1394 /* sanity check. */
1395 if (inp == NULL || request == NULL)
1396 return EINVAL;
1397 if (len < sizeof(*xpl))
1398 return EINVAL;
1399 xpl = (struct sadb_x_policy *)request;
1400
1401 if (inp->inp_sp == NULL) {
1402 error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp);
1403 if (error)
1404 return error;
1405 }
1406
1407 /* select direction */
1408 switch (xpl->sadb_x_policy_dir) {
1409 case IPSEC_DIR_INBOUND:
1410 pcb_sp = &inp->inp_sp->sp_in;
1411 break;
1412 case IPSEC_DIR_OUTBOUND:
1413 pcb_sp = &inp->inp_sp->sp_out;
1414 break;
1415 default:
1416 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1417 xpl->sadb_x_policy_dir));
1418 return EINVAL;
1419 }
1420
1421 /* turn bypass off */
1422 if (ipsec_bypass != 0)
1423 ipsec_bypass = 0;
1424
1425 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1426 }
1427
1428 int
1429 ipsec4_get_policy(inp, request, len, mp)
1430 struct inpcb *inp;
1431 caddr_t request;
1432 size_t len;
1433 struct mbuf **mp;
1434 {
1435 struct sadb_x_policy *xpl;
1436 struct secpolicy *pcb_sp;
1437 int error = 0;
1438
1439 /* sanity check. */
1440 if (inp == NULL || request == NULL || mp == NULL)
1441 return EINVAL;
1442 if (len < sizeof(*xpl))
1443 return EINVAL;
1444 xpl = (struct sadb_x_policy *)request;
1445
1446 if (inp->inp_sp == NULL) {
1447 error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp);
1448 if (error)
1449 return error;
1450 }
1451
1452 /* select direction */
1453 switch (xpl->sadb_x_policy_dir) {
1454 case IPSEC_DIR_INBOUND:
1455 pcb_sp = inp->inp_sp->sp_in;
1456 break;
1457 case IPSEC_DIR_OUTBOUND:
1458 pcb_sp = inp->inp_sp->sp_out;
1459 break;
1460 default:
1461 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1462 xpl->sadb_x_policy_dir));
1463 return EINVAL;
1464 }
1465
1466 return ipsec_get_policy(pcb_sp, mp);
1467 }
1468
1469 /* delete policy in PCB */
1470 int
1471 ipsec4_delete_pcbpolicy(inp)
1472 struct inpcb *inp;
1473 {
1474 /* sanity check. */
1475 if (inp == NULL)
1476 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n");
1477
1478 if (inp->inp_sp == NULL)
1479 return 0;
1480
1481 if (inp->inp_sp->sp_in != NULL) {
1482 key_freesp(inp->inp_sp->sp_in);
1483 inp->inp_sp->sp_in = NULL;
1484 }
1485
1486 if (inp->inp_sp->sp_out != NULL) {
1487 key_freesp(inp->inp_sp->sp_out);
1488 inp->inp_sp->sp_out = NULL;
1489 }
1490
1491 ipsec_delpcbpolicy(inp->inp_sp);
1492 inp->inp_sp = NULL;
1493
1494 return 0;
1495 }
1496
1497 #if INET6
1498 int
1499 ipsec6_set_policy(in6p, optname, request, len, priv)
1500 struct in6pcb *in6p;
1501 int optname;
1502 caddr_t request;
1503 size_t len;
1504 int priv;
1505 {
1506 struct sadb_x_policy *xpl;
1507 struct secpolicy **pcb_sp;
1508 int error = 0;
1509
1510 /* sanity check. */
1511 if (in6p == NULL || request == NULL)
1512 return EINVAL;
1513 if (len < sizeof(*xpl))
1514 return EINVAL;
1515 xpl = (struct sadb_x_policy *)request;
1516
1517 if (in6p->in6p_sp == NULL) {
1518 error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp);
1519 if (error)
1520 return error;
1521 }
1522
1523 /* select direction */
1524 switch (xpl->sadb_x_policy_dir) {
1525 case IPSEC_DIR_INBOUND:
1526 pcb_sp = &in6p->in6p_sp->sp_in;
1527 break;
1528 case IPSEC_DIR_OUTBOUND:
1529 pcb_sp = &in6p->in6p_sp->sp_out;
1530 break;
1531 default:
1532 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1533 xpl->sadb_x_policy_dir));
1534 return EINVAL;
1535 }
1536
1537 /* turn bypass off */
1538 if (ipsec_bypass != 0)
1539 ipsec_bypass = 0;
1540
1541 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1542 }
1543
1544 int
1545 ipsec6_get_policy(in6p, request, len, mp)
1546 struct in6pcb *in6p;
1547 caddr_t request;
1548 size_t len;
1549 struct mbuf **mp;
1550 {
1551 struct sadb_x_policy *xpl;
1552 struct secpolicy *pcb_sp;
1553 int error = 0;
1554
1555 /* sanity check. */
1556 if (in6p == NULL || request == NULL || mp == NULL)
1557 return EINVAL;
1558 if (len < sizeof(*xpl))
1559 return EINVAL;
1560 xpl = (struct sadb_x_policy *)request;
1561
1562 if (in6p->in6p_sp == NULL) {
1563 error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp);
1564 if (error)
1565 return error;
1566 }
1567
1568 /* select direction */
1569 switch (xpl->sadb_x_policy_dir) {
1570 case IPSEC_DIR_INBOUND:
1571 pcb_sp = in6p->in6p_sp->sp_in;
1572 break;
1573 case IPSEC_DIR_OUTBOUND:
1574 pcb_sp = in6p->in6p_sp->sp_out;
1575 break;
1576 default:
1577 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1578 xpl->sadb_x_policy_dir));
1579 return EINVAL;
1580 }
1581
1582 return ipsec_get_policy(pcb_sp, mp);
1583 }
1584
1585 int
1586 ipsec6_delete_pcbpolicy(in6p)
1587 struct in6pcb *in6p;
1588 {
1589 /* sanity check. */
1590 if (in6p == NULL)
1591 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n");
1592
1593 if (in6p->in6p_sp == NULL)
1594 return 0;
1595
1596 if (in6p->in6p_sp->sp_in != NULL) {
1597 key_freesp(in6p->in6p_sp->sp_in);
1598 in6p->in6p_sp->sp_in = NULL;
1599 }
1600
1601 if (in6p->in6p_sp->sp_out != NULL) {
1602 key_freesp(in6p->in6p_sp->sp_out);
1603 in6p->in6p_sp->sp_out = NULL;
1604 }
1605
1606 ipsec_delpcbpolicy(in6p->in6p_sp);
1607 in6p->in6p_sp = NULL;
1608
1609 return 0;
1610 }
1611 #endif
1612
1613 /*
1614 * return current level.
1615 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1616 */
1617 u_int
1618 ipsec_get_reqlevel(isr)
1619 struct ipsecrequest *isr;
1620 {
1621 u_int level = 0;
1622 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1623
1624 /* sanity check */
1625 if (isr == NULL || isr->sp == NULL)
1626 panic("ipsec_get_reqlevel: NULL pointer is passed.\n");
1627 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1628 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family)
1629 panic("ipsec_get_reqlevel: family mismatched.\n");
1630
1631 /* XXX note that we have ipseclog() expanded here - code sync issue */
1632 #define IPSEC_CHECK_DEFAULT(lev) \
1633 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1634 && (lev) != IPSEC_LEVEL_UNIQUE) \
1635 ? (ipsec_debug \
1636 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1637 (lev), IPSEC_LEVEL_REQUIRE) \
1638 : 0), \
1639 (lev) = IPSEC_LEVEL_REQUIRE, \
1640 (lev) \
1641 : (lev))
1642
1643 /* set default level */
1644 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1645 #if INET
1646 case AF_INET:
1647 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1648 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1649 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1650 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1651 break;
1652 #endif
1653 #if INET6
1654 case AF_INET6:
1655 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1656 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1657 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1658 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1659 break;
1660 #endif /* INET6 */
1661 default:
1662 panic("key_get_reqlevel: Unknown family. %d\n",
1663 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1664 }
1665
1666 #undef IPSEC_CHECK_DEFAULT
1667
1668 /* set level */
1669 switch (isr->level) {
1670 case IPSEC_LEVEL_DEFAULT:
1671 switch (isr->saidx.proto) {
1672 case IPPROTO_ESP:
1673 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1674 level = esp_net_deflev;
1675 else
1676 level = esp_trans_deflev;
1677 break;
1678 case IPPROTO_AH:
1679 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1680 level = ah_net_deflev;
1681 else
1682 level = ah_trans_deflev;
1683 case IPPROTO_IPCOMP:
1684 /*
1685 * we don't really care, as IPcomp document says that
1686 * we shouldn't compress small packets
1687 */
1688 level = IPSEC_LEVEL_USE;
1689 break;
1690 default:
1691 panic("ipsec_get_reqlevel: "
1692 "Illegal protocol defined %u\n",
1693 isr->saidx.proto);
1694 }
1695 break;
1696
1697 case IPSEC_LEVEL_USE:
1698 case IPSEC_LEVEL_REQUIRE:
1699 level = isr->level;
1700 break;
1701 case IPSEC_LEVEL_UNIQUE:
1702 level = IPSEC_LEVEL_REQUIRE;
1703 break;
1704
1705 default:
1706 panic("ipsec_get_reqlevel: Illegal IPsec level %u\n",
1707 isr->level);
1708 }
1709
1710 return level;
1711 }
1712
1713 /*
1714 * Check AH/ESP integrity.
1715 * OUT:
1716 * 0: valid
1717 * 1: invalid
1718 */
1719 static int
1720 ipsec_in_reject(sp, m)
1721 struct secpolicy *sp;
1722 struct mbuf *m;
1723 {
1724 struct ipsecrequest *isr;
1725 u_int level;
1726 int need_auth, need_conf, need_icv;
1727
1728 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1729 printf("ipsec_in_reject: using SP\n");
1730 kdebug_secpolicy(sp));
1731
1732 /* check policy */
1733 switch (sp->policy) {
1734 case IPSEC_POLICY_DISCARD:
1735 return 1;
1736 case IPSEC_POLICY_BYPASS:
1737 case IPSEC_POLICY_NONE:
1738 return 0;
1739
1740 case IPSEC_POLICY_IPSEC:
1741 break;
1742
1743 case IPSEC_POLICY_ENTRUST:
1744 default:
1745 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
1746 }
1747
1748 need_auth = 0;
1749 need_conf = 0;
1750 need_icv = 0;
1751
1752 /* XXX should compare policy against ipsec header history */
1753
1754 for (isr = sp->req; isr != NULL; isr = isr->next) {
1755
1756 /* get current level */
1757 level = ipsec_get_reqlevel(isr);
1758
1759 switch (isr->saidx.proto) {
1760 case IPPROTO_ESP:
1761 if (level == IPSEC_LEVEL_REQUIRE) {
1762 need_conf++;
1763
1764 if (isr->sav != NULL
1765 && isr->sav->flags == SADB_X_EXT_NONE
1766 && isr->sav->alg_auth != SADB_AALG_NONE)
1767 need_icv++;
1768 }
1769 break;
1770 case IPPROTO_AH:
1771 if (level == IPSEC_LEVEL_REQUIRE) {
1772 need_auth++;
1773 need_icv++;
1774 }
1775 break;
1776 case IPPROTO_IPCOMP:
1777 /*
1778 * we don't really care, as IPcomp document says that
1779 * we shouldn't compress small packets, IPComp policy
1780 * should always be treated as being in "use" level.
1781 */
1782 break;
1783 }
1784 }
1785
1786 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1787 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1788 need_auth, need_conf, need_icv, m->m_flags));
1789
1790 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1791 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1792 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1793 return 1;
1794
1795 return 0;
1796 }
1797
1798 /*
1799 * Check AH/ESP integrity.
1800 * This function is called from tcp_input(), udp_input(),
1801 * and {ah,esp}4_input for tunnel mode
1802 */
1803 int
1804 ipsec4_in_reject_so(m, so)
1805 struct mbuf *m;
1806 struct socket *so;
1807 {
1808 struct secpolicy *sp = NULL;
1809 int error;
1810 int result;
1811
1812 /* sanity check */
1813 if (m == NULL)
1814 return 0; /* XXX should be panic ? */
1815
1816 /* get SP for this packet.
1817 * When we are called from ip_forward(), we call
1818 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1819 */
1820 if (so == NULL)
1821 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1822 else
1823 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1824
1825 if (sp == NULL)
1826 return 0; /* XXX should be panic ?
1827 * -> No, there may be error. */
1828
1829 result = ipsec_in_reject(sp, m);
1830 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1831 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1832 key_freesp(sp);
1833
1834 return result;
1835 }
1836
1837 int
1838 ipsec4_in_reject(m, inp)
1839 struct mbuf *m;
1840 struct inpcb *inp;
1841 {
1842 if (inp == NULL)
1843 return ipsec4_in_reject_so(m, NULL);
1844 if (inp->inp_socket)
1845 return ipsec4_in_reject_so(m, inp->inp_socket);
1846 else
1847 panic("ipsec4_in_reject: invalid inpcb/socket");
1848 }
1849
1850 #if INET6
1851 /*
1852 * Check AH/ESP integrity.
1853 * This function is called from tcp6_input(), udp6_input(),
1854 * and {ah,esp}6_input for tunnel mode
1855 */
1856 int
1857 ipsec6_in_reject_so(m, so)
1858 struct mbuf *m;
1859 struct socket *so;
1860 {
1861 struct secpolicy *sp = NULL;
1862 int error;
1863 int result;
1864
1865 /* sanity check */
1866 if (m == NULL)
1867 return 0; /* XXX should be panic ? */
1868
1869 /* get SP for this packet.
1870 * When we are called from ip_forward(), we call
1871 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1872 */
1873 if (so == NULL)
1874 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1875 else
1876 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1877
1878 if (sp == NULL)
1879 return 0; /* XXX should be panic ? */
1880
1881 result = ipsec_in_reject(sp, m);
1882 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1883 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
1884 key_freesp(sp);
1885
1886 return result;
1887 }
1888
1889 int
1890 ipsec6_in_reject(m, in6p)
1891 struct mbuf *m;
1892 struct in6pcb *in6p;
1893 {
1894 if (in6p == NULL)
1895 return ipsec6_in_reject_so(m, NULL);
1896 if (in6p->in6p_socket)
1897 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1898 else
1899 panic("ipsec6_in_reject: invalid in6p/socket");
1900 }
1901 #endif
1902
1903 /*
1904 * compute the byte size to be occupied by IPsec header.
1905 * in case it is tunneled, it includes the size of outer IP header.
1906 * NOTE: SP passed is free in this function.
1907 */
1908 static size_t
1909 ipsec_hdrsiz(sp)
1910 struct secpolicy *sp;
1911 {
1912 struct ipsecrequest *isr;
1913 size_t siz, clen;
1914
1915 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1916 printf("ipsec_hdrsiz: using SP\n");
1917 kdebug_secpolicy(sp));
1918
1919 /* check policy */
1920 switch (sp->policy) {
1921 case IPSEC_POLICY_DISCARD:
1922 case IPSEC_POLICY_BYPASS:
1923 case IPSEC_POLICY_NONE:
1924 return 0;
1925
1926 case IPSEC_POLICY_IPSEC:
1927 break;
1928
1929 case IPSEC_POLICY_ENTRUST:
1930 default:
1931 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
1932 }
1933
1934 siz = 0;
1935
1936 for (isr = sp->req; isr != NULL; isr = isr->next) {
1937
1938 clen = 0;
1939
1940 switch (isr->saidx.proto) {
1941 case IPPROTO_ESP:
1942 #if IPSEC_ESP
1943 clen = esp_hdrsiz(isr);
1944 #else
1945 clen = 0; /*XXX*/
1946 #endif
1947 break;
1948 case IPPROTO_AH:
1949 clen = ah_hdrsiz(isr);
1950 break;
1951 case IPPROTO_IPCOMP:
1952 clen = sizeof(struct ipcomp);
1953 break;
1954 }
1955
1956 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1957 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1958 case AF_INET:
1959 clen += sizeof(struct ip);
1960 break;
1961 #if INET6
1962 case AF_INET6:
1963 clen += sizeof(struct ip6_hdr);
1964 break;
1965 #endif
1966 default:
1967 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1968 "unknown AF %d in IPsec tunnel SA\n",
1969 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1970 break;
1971 }
1972 }
1973 siz += clen;
1974 }
1975
1976 return siz;
1977 }
1978
1979 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1980 size_t
1981 ipsec4_hdrsiz(m, dir, inp)
1982 struct mbuf *m;
1983 u_int dir;
1984 struct inpcb *inp;
1985 {
1986 struct secpolicy *sp = NULL;
1987 int error;
1988 size_t size;
1989
1990 /* sanity check */
1991 if (m == NULL)
1992 return 0; /* XXX should be panic ? */
1993 if (inp != NULL && inp->inp_socket == NULL)
1994 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1995
1996 /* get SP for this packet.
1997 * When we are called from ip_forward(), we call
1998 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1999 */
2000 if (inp == NULL)
2001 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2002 else
2003 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
2004
2005 if (sp == NULL)
2006 return 0; /* XXX should be panic ? */
2007
2008 size = ipsec_hdrsiz(sp);
2009 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2010 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
2011 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2012 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
2013 key_freesp(sp);
2014
2015 return size;
2016 }
2017
2018 #if INET6
2019 /* This function is called from ipsec6_hdrsize_tcp(),
2020 * and maybe from ip6_forward.()
2021 */
2022 size_t
2023 ipsec6_hdrsiz(m, dir, in6p)
2024 struct mbuf *m;
2025 u_int dir;
2026 struct in6pcb *in6p;
2027 {
2028 struct secpolicy *sp = NULL;
2029 int error;
2030 size_t size;
2031
2032 /* sanity check */
2033 if (m == NULL)
2034 return 0; /* XXX shoud be panic ? */
2035 if (in6p != NULL && in6p->in6p_socket == NULL)
2036 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2037
2038 /* get SP for this packet */
2039 /* XXX Is it right to call with IP_FORWARDING. */
2040 if (in6p == NULL)
2041 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2042 else
2043 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
2044
2045 if (sp == NULL)
2046 return 0;
2047 size = ipsec_hdrsiz(sp);
2048 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2049 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
2050 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2051 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
2052 key_freesp(sp);
2053
2054 return size;
2055 }
2056 #endif /*INET6*/
2057
2058 #if INET
2059 /*
2060 * encapsulate for ipsec tunnel.
2061 * ip->ip_src must be fixed later on.
2062 */
2063 static int
2064 ipsec4_encapsulate(m, sav)
2065 struct mbuf *m;
2066 struct secasvar *sav;
2067 {
2068 struct ip *oip;
2069 struct ip *ip;
2070 size_t hlen;
2071 size_t plen;
2072
2073 /* can't tunnel between different AFs */
2074 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2075 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2076 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2077 m_freem(m);
2078 return EINVAL;
2079 }
2080 #if 0
2081 /* XXX if the dst is myself, perform nothing. */
2082 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2083 m_freem(m);
2084 return EINVAL;
2085 }
2086 #endif
2087
2088 if (m->m_len < sizeof(*ip))
2089 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2090
2091 ip = mtod(m, struct ip *);
2092 #ifdef _IP_VHL
2093 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
2094 #else
2095 hlen = ip->ip_hl << 2;
2096 #endif
2097
2098 if (m->m_len != hlen)
2099 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2100
2101 /* generate header checksum */
2102 ip->ip_sum = 0;
2103 #ifdef _IP_VHL
2104 ip->ip_sum = in_cksum(m, hlen);
2105 #else
2106 ip->ip_sum = in_cksum(m, hlen);
2107 #endif
2108
2109 plen = m->m_pkthdr.len;
2110
2111 /*
2112 * grow the mbuf to accomodate the new IPv4 header.
2113 * NOTE: IPv4 options will never be copied.
2114 */
2115 if (M_LEADINGSPACE(m->m_next) < hlen) {
2116 struct mbuf *n;
2117 MGET(n, M_DONTWAIT, MT_DATA);
2118 if (!n) {
2119 m_freem(m);
2120 return ENOBUFS;
2121 }
2122 n->m_len = hlen;
2123 n->m_next = m->m_next;
2124 m->m_next = n;
2125 m->m_pkthdr.len += hlen;
2126 oip = mtod(n, struct ip *);
2127 } else {
2128 m->m_next->m_len += hlen;
2129 m->m_next->m_data -= hlen;
2130 m->m_pkthdr.len += hlen;
2131 oip = mtod(m->m_next, struct ip *);
2132 }
2133 ip = mtod(m, struct ip *);
2134 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2135 m->m_len = sizeof(struct ip);
2136 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2137
2138 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2139 /* ECN consideration. */
2140 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2141 #ifdef _IP_VHL
2142 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2143 #else
2144 ip->ip_hl = sizeof(struct ip) >> 2;
2145 #endif
2146 ip->ip_off &= htons(~IP_OFFMASK);
2147 ip->ip_off &= htons(~IP_MF);
2148 switch (ip4_ipsec_dfbit) {
2149 case 0: /* clear DF bit */
2150 ip->ip_off &= htons(~IP_DF);
2151 break;
2152 case 1: /* set DF bit */
2153 ip->ip_off |= htons(IP_DF);
2154 break;
2155 default: /* copy DF bit */
2156 break;
2157 }
2158 ip->ip_p = IPPROTO_IPIP;
2159 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2160 ip->ip_len = htons(plen + sizeof(struct ip));
2161 else {
2162 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2163 "leave ip_len as is (invalid packet)\n"));
2164 }
2165 #ifdef RANDOM_IP_ID
2166 ip->ip_id = ip_randomid();
2167 #else
2168 ip->ip_id = htons(ip_id++);
2169 #endif
2170 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2171 &ip->ip_src, sizeof(ip->ip_src));
2172 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2173 &ip->ip_dst, sizeof(ip->ip_dst));
2174 ip->ip_ttl = IPDEFTTL;
2175
2176 /* XXX Should ip_src be updated later ? */
2177
2178 return 0;
2179 }
2180 #endif /*INET*/
2181
2182 #if INET6
2183 static int
2184 ipsec6_encapsulate(m, sav)
2185 struct mbuf *m;
2186 struct secasvar *sav;
2187 {
2188 struct ip6_hdr *oip6;
2189 struct ip6_hdr *ip6;
2190 size_t plen;
2191
2192 /* can't tunnel between different AFs */
2193 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2194 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2195 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2196 m_freem(m);
2197 return EINVAL;
2198 }
2199 #if 0
2200 /* XXX if the dst is myself, perform nothing. */
2201 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2202 m_freem(m);
2203 return EINVAL;
2204 }
2205 #endif
2206
2207 plen = m->m_pkthdr.len;
2208
2209 /*
2210 * grow the mbuf to accomodate the new IPv6 header.
2211 */
2212 if (m->m_len != sizeof(struct ip6_hdr))
2213 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2214 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2215 struct mbuf *n;
2216 MGET(n, M_DONTWAIT, MT_DATA);
2217 if (!n) {
2218 m_freem(m);
2219 return ENOBUFS;
2220 }
2221 n->m_len = sizeof(struct ip6_hdr);
2222 n->m_next = m->m_next;
2223 m->m_next = n;
2224 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2225 oip6 = mtod(n, struct ip6_hdr *);
2226 } else {
2227 m->m_next->m_len += sizeof(struct ip6_hdr);
2228 m->m_next->m_data -= sizeof(struct ip6_hdr);
2229 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2230 oip6 = mtod(m->m_next, struct ip6_hdr *);
2231 }
2232 ip6 = mtod(m, struct ip6_hdr *);
2233 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2234
2235 /* Fake link-local scope-class addresses */
2236 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
2237 oip6->ip6_src.s6_addr16[1] = 0;
2238 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
2239 oip6->ip6_dst.s6_addr16[1] = 0;
2240
2241 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2242 /* ECN consideration. */
2243 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2244 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2245 ip6->ip6_plen = htons(plen);
2246 else {
2247 /* ip6->ip6_plen will be updated in ip6_output() */
2248 }
2249 ip6->ip6_nxt = IPPROTO_IPV6;
2250 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2251 &ip6->ip6_src, sizeof(ip6->ip6_src));
2252 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2253 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2254 ip6->ip6_hlim = IPV6_DEFHLIM;
2255
2256 /* XXX Should ip6_src be updated later ? */
2257
2258 return 0;
2259 }
2260 #endif /*INET6*/
2261
2262 /*
2263 * Check the variable replay window.
2264 * ipsec_chkreplay() performs replay check before ICV verification.
2265 * ipsec_updatereplay() updates replay bitmap. This must be called after
2266 * ICV verification (it also performs replay check, which is usually done
2267 * beforehand).
2268 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2269 *
2270 * based on RFC 2401.
2271 */
2272 int
2273 ipsec_chkreplay(seq, sav)
2274 u_int32_t seq;
2275 struct secasvar *sav;
2276 {
2277 const struct secreplay *replay;
2278 u_int32_t diff;
2279 int fr;
2280 u_int32_t wsizeb; /* constant: bits of window size */
2281 int frlast; /* constant: last frame */
2282
2283 /* sanity check */
2284 if (sav == NULL)
2285 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2286
2287 replay = sav->replay;
2288
2289 if (replay->wsize == 0)
2290 return 1; /* no need to check replay. */
2291
2292 /* constant */
2293 frlast = replay->wsize - 1;
2294 wsizeb = replay->wsize << 3;
2295
2296 /* sequence number of 0 is invalid */
2297 if (seq == 0)
2298 return 0;
2299
2300 /* first time is always okay */
2301 if (replay->count == 0)
2302 return 1;
2303
2304 if (seq > replay->lastseq) {
2305 /* larger sequences are okay */
2306 return 1;
2307 } else {
2308 /* seq is equal or less than lastseq. */
2309 diff = replay->lastseq - seq;
2310
2311 /* over range to check, i.e. too old or wrapped */
2312 if (diff >= wsizeb)
2313 return 0;
2314
2315 fr = frlast - diff / 8;
2316
2317 /* this packet already seen ? */
2318 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2319 return 0;
2320
2321 /* out of order but good */
2322 return 1;
2323 }
2324 }
2325
2326 /*
2327 * check replay counter whether to update or not.
2328 * OUT: 0: OK
2329 * 1: NG
2330 */
2331 int
2332 ipsec_updatereplay(seq, sav)
2333 u_int32_t seq;
2334 struct secasvar *sav;
2335 {
2336 struct secreplay *replay;
2337 u_int32_t diff;
2338 int fr;
2339 u_int32_t wsizeb; /* constant: bits of window size */
2340 int frlast; /* constant: last frame */
2341
2342 /* sanity check */
2343 if (sav == NULL)
2344 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2345
2346 replay = sav->replay;
2347
2348 if (replay->wsize == 0)
2349 goto ok; /* no need to check replay. */
2350
2351 /* constant */
2352 frlast = replay->wsize - 1;
2353 wsizeb = replay->wsize << 3;
2354
2355 /* sequence number of 0 is invalid */
2356 if (seq == 0)
2357 return 1;
2358
2359 /* first time */
2360 if (replay->count == 0) {
2361 replay->lastseq = seq;
2362 bzero(replay->bitmap, replay->wsize);
2363 (replay->bitmap)[frlast] = 1;
2364 goto ok;
2365 }
2366
2367 if (seq > replay->lastseq) {
2368 /* seq is larger than lastseq. */
2369 diff = seq - replay->lastseq;
2370
2371 /* new larger sequence number */
2372 if (diff < wsizeb) {
2373 /* In window */
2374 /* set bit for this packet */
2375 vshiftl(replay->bitmap, diff, replay->wsize);
2376 (replay->bitmap)[frlast] |= 1;
2377 } else {
2378 /* this packet has a "way larger" */
2379 bzero(replay->bitmap, replay->wsize);
2380 (replay->bitmap)[frlast] = 1;
2381 }
2382 replay->lastseq = seq;
2383
2384 /* larger is good */
2385 } else {
2386 /* seq is equal or less than lastseq. */
2387 diff = replay->lastseq - seq;
2388
2389 /* over range to check, i.e. too old or wrapped */
2390 if (diff >= wsizeb)
2391 return 1;
2392
2393 fr = frlast - diff / 8;
2394
2395 /* this packet already seen ? */
2396 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2397 return 1;
2398
2399 /* mark as seen */
2400 (replay->bitmap)[fr] |= (1 << (diff % 8));
2401
2402 /* out of order but good */
2403 }
2404
2405 ok:
2406 if (replay->count == ~0) {
2407
2408 /* set overflow flag */
2409 replay->overflow++;
2410
2411 /* don't increment, no more packets accepted */
2412 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2413 return 1;
2414
2415 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2416 replay->overflow, ipsec_logsastr(sav)));
2417 }
2418
2419 replay->count++;
2420
2421 return 0;
2422 }
2423
2424 /*
2425 * shift variable length buffer to left.
2426 * IN: bitmap: pointer to the buffer
2427 * nbit: the number of to shift.
2428 * wsize: buffer size (bytes).
2429 */
2430 static void
2431 vshiftl(bitmap, nbit, wsize)
2432 unsigned char *bitmap;
2433 int nbit, wsize;
2434 {
2435 int s, j, i;
2436 unsigned char over;
2437
2438 for (j = 0; j < nbit; j += 8) {
2439 s = (nbit - j < 8) ? (nbit - j): 8;
2440 bitmap[0] <<= s;
2441 for (i = 1; i < wsize; i++) {
2442 over = (bitmap[i] >> (8 - s));
2443 bitmap[i] <<= s;
2444 bitmap[i-1] |= over;
2445 }
2446 }
2447
2448 return;
2449 }
2450
2451 const char *
2452 ipsec4_logpacketstr(ip, spi)
2453 struct ip *ip;
2454 u_int32_t spi;
2455 {
2456 static char buf[256];
2457 char *p;
2458 u_int8_t *s, *d;
2459
2460 s = (u_int8_t *)(&ip->ip_src);
2461 d = (u_int8_t *)(&ip->ip_dst);
2462
2463 p = buf;
2464 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2465 while (p && *p)
2466 p++;
2467 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2468 s[0], s[1], s[2], s[3]);
2469 while (p && *p)
2470 p++;
2471 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2472 d[0], d[1], d[2], d[3]);
2473 while (p && *p)
2474 p++;
2475 snprintf(p, sizeof(buf) - (p - buf), ")");
2476
2477 return buf;
2478 }
2479
2480 #if INET6
2481 const char *
2482 ipsec6_logpacketstr(ip6, spi)
2483 struct ip6_hdr *ip6;
2484 u_int32_t spi;
2485 {
2486 static char buf[256];
2487 char *p;
2488
2489 p = buf;
2490 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2491 while (p && *p)
2492 p++;
2493 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2494 ip6_sprintf(&ip6->ip6_src));
2495 while (p && *p)
2496 p++;
2497 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2498 ip6_sprintf(&ip6->ip6_dst));
2499 while (p && *p)
2500 p++;
2501 snprintf(p, sizeof(buf) - (p - buf), ")");
2502
2503 return buf;
2504 }
2505 #endif /*INET6*/
2506
2507 const char *
2508 ipsec_logsastr(sav)
2509 struct secasvar *sav;
2510 {
2511 static char buf[256];
2512 char *p;
2513 struct secasindex *saidx = &sav->sah->saidx;
2514
2515 /* validity check */
2516 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2517 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2518 panic("ipsec_logsastr: family mismatched.\n");
2519
2520 p = buf;
2521 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2522 while (p && *p)
2523 p++;
2524 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2525 u_int8_t *s, *d;
2526 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2527 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2528 snprintf(p, sizeof(buf) - (p - buf),
2529 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2530 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2531 }
2532 #if INET6
2533 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2534 snprintf(p, sizeof(buf) - (p - buf),
2535 "src=%s",
2536 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2537 while (p && *p)
2538 p++;
2539 snprintf(p, sizeof(buf) - (p - buf),
2540 " dst=%s",
2541 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2542 }
2543 #endif
2544 while (p && *p)
2545 p++;
2546 snprintf(p, sizeof(buf) - (p - buf), ")");
2547
2548 return buf;
2549 }
2550
2551 void
2552 ipsec_dumpmbuf(m)
2553 struct mbuf *m;
2554 {
2555 int totlen;
2556 int i;
2557 u_char *p;
2558
2559 totlen = 0;
2560 printf("---\n");
2561 while (m) {
2562 p = mtod(m, u_char *);
2563 for (i = 0; i < m->m_len; i++) {
2564 printf("%02x ", p[i]);
2565 totlen++;
2566 if (totlen % 16 == 0)
2567 printf("\n");
2568 }
2569 m = m->m_next;
2570 }
2571 if (totlen % 16 != 0)
2572 printf("\n");
2573 printf("---\n");
2574 }
2575
2576 #if INET
2577 /*
2578 * IPsec output logic for IPv4.
2579 */
2580 int
2581 ipsec4_output(state, sp, flags)
2582 struct ipsec_output_state *state;
2583 struct secpolicy *sp;
2584 int flags;
2585 {
2586 struct ip *ip = NULL;
2587 struct ipsecrequest *isr = NULL;
2588 struct secasindex saidx;
2589 int s;
2590 int error;
2591 struct sockaddr_in *dst4;
2592 struct sockaddr_in *sin;
2593
2594 if (!state)
2595 panic("state == NULL in ipsec4_output");
2596 if (!state->m)
2597 panic("state->m == NULL in ipsec4_output");
2598 if (!state->ro)
2599 panic("state->ro == NULL in ipsec4_output");
2600 if (!state->dst)
2601 panic("state->dst == NULL in ipsec4_output");
2602
2603 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_START, 0,0,0,0,0);
2604
2605 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2606 printf("ipsec4_output: applyed SP\n");
2607 kdebug_secpolicy(sp));
2608
2609 for (isr = sp->req; isr != NULL; isr = isr->next) {
2610
2611 #if 0 /* give up to check restriction of transport mode */
2612 /* XXX but should be checked somewhere */
2613 /*
2614 * some of the IPsec operation must be performed only in
2615 * originating case.
2616 */
2617 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2618 && (flags & IP_FORWARDING))
2619 continue;
2620 #endif
2621
2622 /* make SA index for search proper SA */
2623 ip = mtod(state->m, struct ip *);
2624 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2625 saidx.mode = isr->saidx.mode;
2626 saidx.reqid = isr->saidx.reqid;
2627 sin = (struct sockaddr_in *)&saidx.src;
2628 if (sin->sin_len == 0) {
2629 sin->sin_len = sizeof(*sin);
2630 sin->sin_family = AF_INET;
2631 sin->sin_port = IPSEC_PORT_ANY;
2632 bcopy(&ip->ip_src, &sin->sin_addr,
2633 sizeof(sin->sin_addr));
2634 }
2635 sin = (struct sockaddr_in *)&saidx.dst;
2636 if (sin->sin_len == 0) {
2637 sin->sin_len = sizeof(*sin);
2638 sin->sin_family = AF_INET;
2639 sin->sin_port = IPSEC_PORT_ANY;
2640 bcopy(&ip->ip_dst, &sin->sin_addr,
2641 sizeof(sin->sin_addr));
2642 }
2643
2644 if ((error = key_checkrequest(isr, &saidx)) != 0) {
2645 /*
2646 * IPsec processing is required, but no SA found.
2647 * I assume that key_acquire() had been called
2648 * to get/establish the SA. Here I discard
2649 * this packet because it is responsibility for
2650 * upper layer to retransmit the packet.
2651 */
2652 ipsecstat.out_nosa++;
2653 goto bad;
2654 }
2655
2656 /* validity check */
2657 if (isr->sav == NULL) {
2658 switch (ipsec_get_reqlevel(isr)) {
2659 case IPSEC_LEVEL_USE:
2660 continue;
2661 case IPSEC_LEVEL_REQUIRE:
2662 /* must be not reached here. */
2663 panic("ipsec4_output: no SA found, but required.");
2664 }
2665 }
2666
2667 /*
2668 * If there is no valid SA, we give up to process any
2669 * more. In such a case, the SA's status is changed
2670 * from DYING to DEAD after allocating. If a packet
2671 * send to the receiver by dead SA, the receiver can
2672 * not decode a packet because SA has been dead.
2673 */
2674 if (isr->sav->state != SADB_SASTATE_MATURE
2675 && isr->sav->state != SADB_SASTATE_DYING) {
2676 ipsecstat.out_nosa++;
2677 error = EINVAL;
2678 goto bad;
2679 }
2680
2681 /*
2682 * There may be the case that SA status will be changed when
2683 * we are refering to one. So calling splsoftnet().
2684 */
2685 s = splnet();
2686
2687 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2688 /*
2689 * build IPsec tunnel.
2690 */
2691 /* XXX should be processed with other familiy */
2692 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2693 ipseclog((LOG_ERR, "ipsec4_output: "
2694 "family mismatched between inner and outer spi=%u\n",
2695 (u_int32_t)ntohl(isr->sav->spi)));
2696 splx(s);
2697 error = EAFNOSUPPORT;
2698 goto bad;
2699 }
2700
2701 state->m = ipsec4_splithdr(state->m);
2702 if (!state->m) {
2703 splx(s);
2704 error = ENOMEM;
2705 goto bad;
2706 }
2707 error = ipsec4_encapsulate(state->m, isr->sav);
2708 splx(s);
2709 if (error) {
2710 state->m = NULL;
2711 goto bad;
2712 }
2713 ip = mtod(state->m, struct ip *);
2714
2715 state->ro = &isr->sav->sah->sa_route;
2716 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2717 dst4 = (struct sockaddr_in *)state->dst;
2718 if (state->ro->ro_rt
2719 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2720 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2721 rtfree(state->ro->ro_rt);
2722 state->ro->ro_rt = NULL;
2723 }
2724 if (state->ro->ro_rt == 0) {
2725 dst4->sin_family = AF_INET;
2726 dst4->sin_len = sizeof(*dst4);
2727 dst4->sin_addr = ip->ip_dst;
2728 rtalloc(state->ro);
2729 }
2730 if (state->ro->ro_rt == 0) {
2731 ipstat.ips_noroute++;
2732 error = EHOSTUNREACH;
2733 goto bad;
2734 }
2735
2736 /* adjust state->dst if tunnel endpoint is offlink */
2737 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2738 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2739 dst4 = (struct sockaddr_in *)state->dst;
2740 }
2741 } else
2742 splx(s);
2743
2744 state->m = ipsec4_splithdr(state->m);
2745 if (!state->m) {
2746 error = ENOMEM;
2747 goto bad;
2748 }
2749 switch (isr->saidx.proto) {
2750 case IPPROTO_ESP:
2751 #if IPSEC_ESP
2752 if ((error = esp4_output(state->m, isr)) != 0) {
2753 state->m = NULL;
2754 goto bad;
2755 }
2756 break;
2757 #else
2758 m_freem(state->m);
2759 state->m = NULL;
2760 error = EINVAL;
2761 goto bad;
2762 #endif
2763 case IPPROTO_AH:
2764 if ((error = ah4_output(state->m, isr)) != 0) {
2765 state->m = NULL;
2766 goto bad;
2767 }
2768 break;
2769 case IPPROTO_IPCOMP:
2770 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2771 state->m = NULL;
2772 goto bad;
2773 }
2774 break;
2775 default:
2776 ipseclog((LOG_ERR,
2777 "ipsec4_output: unknown ipsec protocol %d\n",
2778 isr->saidx.proto));
2779 m_freem(state->m);
2780 state->m = NULL;
2781 error = EINVAL;
2782 goto bad;
2783 }
2784
2785 if (state->m == 0) {
2786 error = ENOMEM;
2787 goto bad;
2788 }
2789 ip = mtod(state->m, struct ip *);
2790 }
2791
2792 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0,0,0,0,0);
2793 return 0;
2794
2795 bad:
2796 m_freem(state->m);
2797 state->m = NULL;
2798 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error,0,0,0,0);
2799 return error;
2800 }
2801 #endif
2802
2803 #if INET6
2804 /*
2805 * IPsec output logic for IPv6, transport mode.
2806 */
2807 int
2808 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
2809 struct ipsec_output_state *state;
2810 u_char *nexthdrp;
2811 struct mbuf *mprev;
2812 struct secpolicy *sp;
2813 int flags;
2814 int *tun;
2815 {
2816 struct ip6_hdr *ip6;
2817 struct ipsecrequest *isr = NULL;
2818 struct secasindex saidx;
2819 int error = 0;
2820 int plen;
2821 struct sockaddr_in6 *sin6;
2822
2823 if (!state)
2824 panic("state == NULL in ipsec6_output_trans");
2825 if (!state->m)
2826 panic("state->m == NULL in ipsec6_output_trans");
2827 if (!nexthdrp)
2828 panic("nexthdrp == NULL in ipsec6_output_trans");
2829 if (!mprev)
2830 panic("mprev == NULL in ipsec6_output_trans");
2831 if (!sp)
2832 panic("sp == NULL in ipsec6_output_trans");
2833 if (!tun)
2834 panic("tun == NULL in ipsec6_output_trans");
2835
2836 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2837 printf("ipsec6_output_trans: applyed SP\n");
2838 kdebug_secpolicy(sp));
2839
2840 *tun = 0;
2841 for (isr = sp->req; isr; isr = isr->next) {
2842 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2843 /* the rest will be handled by ipsec6_output_tunnel() */
2844 break;
2845 }
2846
2847 /* make SA index for search proper SA */
2848 ip6 = mtod(state->m, struct ip6_hdr *);
2849 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2850 saidx.mode = isr->saidx.mode;
2851 saidx.reqid = isr->saidx.reqid;
2852 sin6 = (struct sockaddr_in6 *)&saidx.src;
2853 if (sin6->sin6_len == 0) {
2854 sin6->sin6_len = sizeof(*sin6);
2855 sin6->sin6_family = AF_INET6;
2856 sin6->sin6_port = IPSEC_PORT_ANY;
2857 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2858 sizeof(ip6->ip6_src));
2859 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2860 /* fix scope id for comparing SPD */
2861 sin6->sin6_addr.s6_addr16[1] = 0;
2862 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2863 }
2864 }
2865 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2866 if (sin6->sin6_len == 0) {
2867 sin6->sin6_len = sizeof(*sin6);
2868 sin6->sin6_family = AF_INET6;
2869 sin6->sin6_port = IPSEC_PORT_ANY;
2870 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2871 sizeof(ip6->ip6_dst));
2872 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2873 /* fix scope id for comparing SPD */
2874 sin6->sin6_addr.s6_addr16[1] = 0;
2875 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2876 }
2877 }
2878
2879 if (key_checkrequest(isr, &saidx) == ENOENT) {
2880 /*
2881 * IPsec processing is required, but no SA found.
2882 * I assume that key_acquire() had been called
2883 * to get/establish the SA. Here I discard
2884 * this packet because it is responsibility for
2885 * upper layer to retransmit the packet.
2886 */
2887 ipsec6stat.out_nosa++;
2888 error = ENOENT;
2889
2890 /*
2891 * Notify the fact that the packet is discarded
2892 * to ourselves. I believe this is better than
2893 * just silently discarding. (jinmei@kame.net)
2894 * XXX: should we restrict the error to TCP packets?
2895 * XXX: should we directly notify sockets via
2896 * pfctlinputs?
2897 */
2898 icmp6_error(state->m, ICMP6_DST_UNREACH,
2899 ICMP6_DST_UNREACH_ADMIN, 0);
2900 state->m = NULL; /* icmp6_error freed the mbuf */
2901 goto bad;
2902 }
2903
2904 /* validity check */
2905 if (isr->sav == NULL) {
2906 switch (ipsec_get_reqlevel(isr)) {
2907 case IPSEC_LEVEL_USE:
2908 continue;
2909 case IPSEC_LEVEL_REQUIRE:
2910 /* must be not reached here. */
2911 panic("ipsec6_output_trans: no SA found, but required.");
2912 }
2913 }
2914
2915 /*
2916 * If there is no valid SA, we give up to process.
2917 * see same place at ipsec4_output().
2918 */
2919 if (isr->sav->state != SADB_SASTATE_MATURE
2920 && isr->sav->state != SADB_SASTATE_DYING) {
2921 ipsec6stat.out_nosa++;
2922 error = EINVAL;
2923 goto bad;
2924 }
2925
2926 switch (isr->saidx.proto) {
2927 case IPPROTO_ESP:
2928 #if IPSEC_ESP
2929 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2930 #else
2931 m_freem(state->m);
2932 error = EINVAL;
2933 #endif
2934 break;
2935 case IPPROTO_AH:
2936 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2937 break;
2938 case IPPROTO_IPCOMP:
2939 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2940 break;
2941 default:
2942 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2943 "unknown ipsec protocol %d\n", isr->saidx.proto));
2944 m_freem(state->m);
2945 ipsec6stat.out_inval++;
2946 error = EINVAL;
2947 break;
2948 }
2949 if (error) {
2950 state->m = NULL;
2951 goto bad;
2952 }
2953 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2954 if (plen > IPV6_MAXPACKET) {
2955 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2956 "IPsec with IPv6 jumbogram is not supported\n"));
2957 ipsec6stat.out_inval++;
2958 error = EINVAL; /*XXX*/
2959 goto bad;
2960 }
2961 ip6 = mtod(state->m, struct ip6_hdr *);
2962 ip6->ip6_plen = htons(plen);
2963 }
2964
2965 /* if we have more to go, we need a tunnel mode processing */
2966 if (isr != NULL)
2967 *tun = 1;
2968
2969 return 0;
2970
2971 bad:
2972 m_freem(state->m);
2973 state->m = NULL;
2974 return error;
2975 }
2976
2977 /*
2978 * IPsec output logic for IPv6, tunnel mode.
2979 */
2980 int
2981 ipsec6_output_tunnel(state, sp, flags)
2982 struct ipsec_output_state *state;
2983 struct secpolicy *sp;
2984 int flags;
2985 {
2986 struct ip6_hdr *ip6;
2987 struct ipsecrequest *isr = NULL;
2988 struct secasindex saidx;
2989 int error = 0;
2990 int plen;
2991 struct sockaddr_in6* dst6;
2992 int s;
2993
2994 if (!state)
2995 panic("state == NULL in ipsec6_output_tunnel");
2996 if (!state->m)
2997 panic("state->m == NULL in ipsec6_output_tunnel");
2998 if (!sp)
2999 panic("sp == NULL in ipsec6_output_tunnel");
3000
3001 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3002 printf("ipsec6_output_tunnel: applyed SP\n");
3003 kdebug_secpolicy(sp));
3004
3005 /*
3006 * transport mode ipsec (before the 1st tunnel mode) is already
3007 * processed by ipsec6_output_trans().
3008 */
3009 for (isr = sp->req; isr; isr = isr->next) {
3010 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
3011 break;
3012 }
3013
3014 for (/* already initialized */; isr; isr = isr->next) {
3015 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3016 /* When tunnel mode, SA peers must be specified. */
3017 bcopy(&isr->saidx, &saidx, sizeof(saidx));
3018 } else {
3019 /* make SA index to look for a proper SA */
3020 struct sockaddr_in6 *sin6;
3021
3022 bzero(&saidx, sizeof(saidx));
3023 saidx.proto = isr->saidx.proto;
3024 saidx.mode = isr->saidx.mode;
3025 saidx.reqid = isr->saidx.reqid;
3026
3027 ip6 = mtod(state->m, struct ip6_hdr *);
3028 sin6 = (struct sockaddr_in6 *)&saidx.src;
3029 if (sin6->sin6_len == 0) {
3030 sin6->sin6_len = sizeof(*sin6);
3031 sin6->sin6_family = AF_INET6;
3032 sin6->sin6_port = IPSEC_PORT_ANY;
3033 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
3034 sizeof(ip6->ip6_src));
3035 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
3036 /* fix scope id for comparing SPD */
3037 sin6->sin6_addr.s6_addr16[1] = 0;
3038 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
3039 }
3040 }
3041 sin6 = (struct sockaddr_in6 *)&saidx.dst;
3042 if (sin6->sin6_len == 0) {
3043 sin6->sin6_len = sizeof(*sin6);
3044 sin6->sin6_family = AF_INET6;
3045 sin6->sin6_port = IPSEC_PORT_ANY;
3046 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
3047 sizeof(ip6->ip6_dst));
3048 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
3049 /* fix scope id for comparing SPD */
3050 sin6->sin6_addr.s6_addr16[1] = 0;
3051 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
3052 }
3053 }
3054 }
3055
3056 if (key_checkrequest(isr, &saidx) == ENOENT) {
3057 /*
3058 * IPsec processing is required, but no SA found.
3059 * I assume that key_acquire() had been called
3060 * to get/establish the SA. Here I discard
3061 * this packet because it is responsibility for
3062 * upper layer to retransmit the packet.
3063 */
3064 ipsec6stat.out_nosa++;
3065 error = ENOENT;
3066 goto bad;
3067 }
3068
3069 /* validity check */
3070 if (isr->sav == NULL) {
3071 switch (ipsec_get_reqlevel(isr)) {
3072 case IPSEC_LEVEL_USE:
3073 continue;
3074 case IPSEC_LEVEL_REQUIRE:
3075 /* must be not reached here. */
3076 panic("ipsec6_output_tunnel: no SA found, but required.");
3077 }
3078 }
3079
3080 /*
3081 * If there is no valid SA, we give up to process.
3082 * see same place at ipsec4_output().
3083 */
3084 if (isr->sav->state != SADB_SASTATE_MATURE
3085 && isr->sav->state != SADB_SASTATE_DYING) {
3086 ipsec6stat.out_nosa++;
3087 error = EINVAL;
3088 goto bad;
3089 }
3090
3091 /*
3092 * There may be the case that SA status will be changed when
3093 * we are refering to one. So calling splsoftnet().
3094 */
3095 s = splnet();
3096
3097 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3098 /*
3099 * build IPsec tunnel.
3100 */
3101 /* XXX should be processed with other familiy */
3102 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
3103 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3104 "family mismatched between inner and outer, spi=%u\n",
3105 (u_int32_t)ntohl(isr->sav->spi)));
3106 splx(s);
3107 ipsec6stat.out_inval++;
3108 error = EAFNOSUPPORT;
3109 goto bad;
3110 }
3111
3112 state->m = ipsec6_splithdr(state->m);
3113 if (!state->m) {
3114 splx(s);
3115 ipsec6stat.out_nomem++;
3116 error = ENOMEM;
3117 goto bad;
3118 }
3119 error = ipsec6_encapsulate(state->m, isr->sav);
3120 splx(s);
3121 if (error) {
3122 state->m = 0;
3123 goto bad;
3124 }
3125 ip6 = mtod(state->m, struct ip6_hdr *);
3126
3127 state->ro = &isr->sav->sah->sa_route;
3128 state->dst = (struct sockaddr *)&state->ro->ro_dst;
3129 dst6 = (struct sockaddr_in6 *)state->dst;
3130 if (state->ro->ro_rt
3131 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
3132 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
3133 rtfree(state->ro->ro_rt);
3134 state->ro->ro_rt = NULL;
3135 }
3136 if (state->ro->ro_rt == 0) {
3137 bzero(dst6, sizeof(*dst6));
3138 dst6->sin6_family = AF_INET6;
3139 dst6->sin6_len = sizeof(*dst6);
3140 dst6->sin6_addr = ip6->ip6_dst;
3141 rtalloc(state->ro);
3142 }
3143 if (state->ro->ro_rt == 0) {
3144 ip6stat.ip6s_noroute++;
3145 ipsec6stat.out_noroute++;
3146 error = EHOSTUNREACH;
3147 goto bad;
3148 }
3149
3150 /* adjust state->dst if tunnel endpoint is offlink */
3151 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3152 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3153 dst6 = (struct sockaddr_in6 *)state->dst;
3154 }
3155 } else
3156 splx(s);
3157
3158 state->m = ipsec6_splithdr(state->m);
3159 if (!state->m) {
3160 ipsec6stat.out_nomem++;
3161 error = ENOMEM;
3162 goto bad;
3163 }
3164 ip6 = mtod(state->m, struct ip6_hdr *);
3165 switch (isr->saidx.proto) {
3166 case IPPROTO_ESP:
3167 #if IPSEC_ESP
3168 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
3169 #else
3170 m_freem(state->m);
3171 error = EINVAL;
3172 #endif
3173 break;
3174 case IPPROTO_AH:
3175 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
3176 break;
3177 case IPPROTO_IPCOMP:
3178 /* XXX code should be here */
3179 /*FALLTHROUGH*/
3180 default:
3181 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3182 "unknown ipsec protocol %d\n", isr->saidx.proto));
3183 m_freem(state->m);
3184 ipsec6stat.out_inval++;
3185 error = EINVAL;
3186 break;
3187 }
3188 if (error) {
3189 state->m = NULL;
3190 goto bad;
3191 }
3192 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3193 if (plen > IPV6_MAXPACKET) {
3194 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3195 "IPsec with IPv6 jumbogram is not supported\n"));
3196 ipsec6stat.out_inval++;
3197 error = EINVAL; /*XXX*/
3198 goto bad;
3199 }
3200 ip6 = mtod(state->m, struct ip6_hdr *);
3201 ip6->ip6_plen = htons(plen);
3202 }
3203
3204 return 0;
3205
3206 bad:
3207 m_freem(state->m);
3208 state->m = NULL;
3209 return error;
3210 }
3211 #endif /*INET6*/
3212
3213 #if INET
3214 /*
3215 * Chop IP header and option off from the payload.
3216 */
3217 static struct mbuf *
3218 ipsec4_splithdr(m)
3219 struct mbuf *m;
3220 {
3221 struct mbuf *mh;
3222 struct ip *ip;
3223 int hlen;
3224
3225 if (m->m_len < sizeof(struct ip))
3226 panic("ipsec4_splithdr: first mbuf too short");
3227 ip = mtod(m, struct ip *);
3228 #ifdef _IP_VHL
3229 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3230 #else
3231 hlen = ip->ip_hl << 2;
3232 #endif
3233 if (m->m_len > hlen) {
3234 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3235 if (!mh) {
3236 m_freem(m);
3237 return NULL;
3238 }
3239 M_COPY_PKTHDR(mh, m);
3240 MH_ALIGN(mh, hlen);
3241 m->m_flags &= ~M_PKTHDR;
3242 m->m_len -= hlen;
3243 m->m_data += hlen;
3244 mh->m_next = m;
3245 m = mh;
3246 m->m_len = hlen;
3247 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3248 } else if (m->m_len < hlen) {
3249 m = m_pullup(m, hlen);
3250 if (!m)
3251 return NULL;
3252 }
3253 return m;
3254 }
3255 #endif
3256
3257 #if INET6
3258 static struct mbuf *
3259 ipsec6_splithdr(m)
3260 struct mbuf *m;
3261 {
3262 struct mbuf *mh;
3263 struct ip6_hdr *ip6;
3264 int hlen;
3265
3266 if (m->m_len < sizeof(struct ip6_hdr))
3267 panic("ipsec6_splithdr: first mbuf too short");
3268 ip6 = mtod(m, struct ip6_hdr *);
3269 hlen = sizeof(struct ip6_hdr);
3270 if (m->m_len > hlen) {
3271 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3272 if (!mh) {
3273 m_freem(m);
3274 return NULL;
3275 }
3276 M_COPY_PKTHDR(mh, m);
3277 MH_ALIGN(mh, hlen);
3278 m->m_flags &= ~M_PKTHDR;
3279 m->m_len -= hlen;
3280 m->m_data += hlen;
3281 mh->m_next = m;
3282 m = mh;
3283 m->m_len = hlen;
3284 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3285 } else if (m->m_len < hlen) {
3286 m = m_pullup(m, hlen);
3287 if (!m)
3288 return NULL;
3289 }
3290 return m;
3291 }
3292 #endif
3293
3294 /* validate inbound IPsec tunnel packet. */
3295 int
3296 ipsec4_tunnel_validate(m, off, nxt0, sav)
3297 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3298 int off;
3299 u_int nxt0;
3300 struct secasvar *sav;
3301 {
3302 u_int8_t nxt = nxt0 & 0xff;
3303 struct sockaddr_in *sin;
3304 struct sockaddr_in osrc, odst, isrc, idst;
3305 int hlen;
3306 struct secpolicy *sp;
3307 struct ip *oip;
3308
3309 #if DIAGNOSTIC
3310 if (m->m_len < sizeof(struct ip))
3311 panic("too short mbuf on ipsec4_tunnel_validate");
3312 #endif
3313 if (nxt != IPPROTO_IPV4)
3314 return 0;
3315 if (m->m_pkthdr.len < off + sizeof(struct ip))
3316 return 0;
3317 /* do not decapsulate if the SA is for transport mode only */
3318 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3319 return 0;
3320
3321 oip = mtod(m, struct ip *);
3322 #ifdef _IP_VHL
3323 hlen = _IP_VHL_HL(oip->ip_vhl) << 2;
3324 #else
3325 hlen = oip->ip_hl << 2;
3326 #endif
3327 if (hlen != sizeof(struct ip))
3328 return 0;
3329
3330 /* AF_INET6 should be supported, but at this moment we don't. */
3331 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3332 if (sin->sin_family != AF_INET)
3333 return 0;
3334 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3335 return 0;
3336
3337 /* XXX slow */
3338 bzero(&osrc, sizeof(osrc));
3339 bzero(&odst, sizeof(odst));
3340 bzero(&isrc, sizeof(isrc));
3341 bzero(&idst, sizeof(idst));
3342 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3343 AF_INET;
3344 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3345 sizeof(struct sockaddr_in);
3346 osrc.sin_addr = oip->ip_src;
3347 odst.sin_addr = oip->ip_dst;
3348 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3349 (caddr_t)&isrc.sin_addr);
3350 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3351 (caddr_t)&idst.sin_addr);
3352
3353 /*
3354 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3355 * - if the inner destination is multicast address, there can be
3356 * multiple permissible inner source address. implementation
3357 * may want to skip verification of inner source address against
3358 * SPD selector.
3359 * - if the inner protocol is ICMP, the packet may be an error report
3360 * from routers on the other side of the VPN cloud (R in the
3361 * following diagram). in this case, we cannot verify inner source
3362 * address against SPD selector.
3363 * me -- gw === gw -- R -- you
3364 *
3365 * we consider the first bullet to be users responsibility on SPD entry
3366 * configuration (if you need to encrypt multicast traffic, set
3367 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3368 * address ranges for possible senders).
3369 * the second bullet is not taken care of (yet).
3370 *
3371 * therefore, we do not do anything special about inner source.
3372 */
3373
3374 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3375 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3376 if (!sp)
3377 return 0;
3378 key_freesp(sp);
3379
3380 return 1;
3381 }
3382
3383 #if INET6
3384 /* validate inbound IPsec tunnel packet. */
3385 int
3386 ipsec6_tunnel_validate(m, off, nxt0, sav)
3387 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3388 int off;
3389 u_int nxt0;
3390 struct secasvar *sav;
3391 {
3392 u_int8_t nxt = nxt0 & 0xff;
3393 struct sockaddr_in6 *sin6;
3394 struct sockaddr_in6 osrc, odst, isrc, idst;
3395 struct secpolicy *sp;
3396 struct ip6_hdr *oip6;
3397
3398 #if DIAGNOSTIC
3399 if (m->m_len < sizeof(struct ip6_hdr))
3400 panic("too short mbuf on ipsec6_tunnel_validate");
3401 #endif
3402 if (nxt != IPPROTO_IPV6)
3403 return 0;
3404 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3405 return 0;
3406 /* do not decapsulate if the SA is for transport mode only */
3407 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3408 return 0;
3409
3410 oip6 = mtod(m, struct ip6_hdr *);
3411 /* AF_INET should be supported, but at this moment we don't. */
3412 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3413 if (sin6->sin6_family != AF_INET6)
3414 return 0;
3415 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3416 return 0;
3417
3418 /* XXX slow */
3419 bzero(&osrc, sizeof(osrc));
3420 bzero(&odst, sizeof(odst));
3421 bzero(&isrc, sizeof(isrc));
3422 bzero(&idst, sizeof(idst));
3423 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3424 idst.sin6_family = AF_INET6;
3425 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3426 sizeof(struct sockaddr_in6);
3427 osrc.sin6_addr = oip6->ip6_src;
3428 odst.sin6_addr = oip6->ip6_dst;
3429 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3430 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3431 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3432 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3433
3434 /*
3435 * regarding to inner source address validation, see a long comment
3436 * in ipsec4_tunnel_validate.
3437 */
3438
3439 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3440 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3441 /*
3442 * when there is no suitable inbound policy for the packet of the ipsec
3443 * tunnel mode, the kernel never decapsulate the tunneled packet
3444 * as the ipsec tunnel mode even when the system wide policy is "none".
3445 * then the kernel leaves the generic tunnel module to process this
3446 * packet. if there is no rule of the generic tunnel, the packet
3447 * is rejected and the statistics will be counted up.
3448 */
3449 if (!sp)
3450 return 0;
3451 key_freesp(sp);
3452
3453 return 1;
3454 }
3455 #endif
3456
3457 /*
3458 * Make a mbuf chain for encryption.
3459 * If the original mbuf chain contains a mbuf with a cluster,
3460 * allocate a new cluster and copy the data to the new cluster.
3461 * XXX: this hack is inefficient, but is necessary to handle cases
3462 * of TCP retransmission...
3463 */
3464 struct mbuf *
3465 ipsec_copypkt(m)
3466 struct mbuf *m;
3467 {
3468 struct mbuf *n, **mpp, *mnew;
3469
3470 for (n = m, mpp = &m; n; n = n->m_next) {
3471 if (n->m_flags & M_EXT) {
3472 /*
3473 * Make a copy only if there are more than one references
3474 * to the cluster.
3475 * XXX: is this approach effective?
3476 */
3477 if (
3478 n->m_ext.ext_free ||
3479 m_mclhasreference(n)
3480 )
3481 {
3482 int remain, copied;
3483 struct mbuf *mm;
3484
3485 if (n->m_flags & M_PKTHDR) {
3486 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3487 if (mnew == NULL)
3488 goto fail;
3489 mnew->m_pkthdr = n->m_pkthdr;
3490 #if 0
3491 if (n->m_pkthdr.aux) {
3492 mnew->m_pkthdr.aux =
3493 m_copym(n->m_pkthdr.aux,
3494 0, M_COPYALL, M_DONTWAIT);
3495 }
3496 #endif
3497 M_COPY_PKTHDR(mnew, n);
3498 mnew->m_flags = n->m_flags & M_COPYFLAGS;
3499 }
3500 else {
3501 MGET(mnew, M_DONTWAIT, MT_DATA);
3502 if (mnew == NULL)
3503 goto fail;
3504 }
3505 mnew->m_len = 0;
3506 mm = mnew;
3507
3508 /*
3509 * Copy data. If we don't have enough space to
3510 * store the whole data, allocate a cluster
3511 * or additional mbufs.
3512 * XXX: we don't use m_copyback(), since the
3513 * function does not use clusters and thus is
3514 * inefficient.
3515 */
3516 remain = n->m_len;
3517 copied = 0;
3518 while (1) {
3519 int len;
3520 struct mbuf *mn;
3521
3522 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3523 len = remain;
3524 else { /* allocate a cluster */
3525 MCLGET(mm, M_DONTWAIT);
3526 if (!(mm->m_flags & M_EXT)) {
3527 m_free(mm);
3528 goto fail;
3529 }
3530 len = remain < MCLBYTES ?
3531 remain : MCLBYTES;
3532 }
3533
3534 bcopy(n->m_data + copied, mm->m_data,
3535 len);
3536
3537 copied += len;
3538 remain -= len;
3539 mm->m_len = len;
3540
3541 if (remain <= 0) /* completed? */
3542 break;
3543
3544 /* need another mbuf */
3545 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3546 if (mn == NULL)
3547 goto fail;
3548 mn->m_pkthdr.rcvif = NULL;
3549 mm->m_next = mn;
3550 mm = mn;
3551 }
3552
3553 /* adjust chain */
3554 mm->m_next = m_free(n);
3555 n = mm;
3556 *mpp = mnew;
3557 mpp = &n->m_next;
3558
3559 continue;
3560 }
3561 }
3562 *mpp = n;
3563 mpp = &n->m_next;
3564 }
3565
3566 return(m);
3567 fail:
3568 m_freem(m);
3569 return(NULL);
3570 }
3571
3572 static struct mbuf *
3573 ipsec_addaux(m)
3574 struct mbuf *m;
3575 {
3576 struct mbuf *n;
3577
3578 n = m_aux_find(m, AF_INET, IPPROTO_ESP);
3579 if (!n)
3580 n = m_aux_add(m, AF_INET, IPPROTO_ESP);
3581 if (!n)
3582 return n; /* ENOBUFS */
3583 n->m_len = sizeof(struct socket *);
3584 bzero(mtod(n, void *), n->m_len);
3585 return n;
3586 }
3587
3588 static struct mbuf *
3589 ipsec_findaux(m)
3590 struct mbuf *m;
3591 {
3592 struct mbuf *n;
3593
3594 n = m_aux_find(m, AF_INET, IPPROTO_ESP);
3595 #if DIAGNOSTIC
3596 if (n && n->m_len < sizeof(struct socket *))
3597 panic("invalid ipsec m_aux");
3598 #endif
3599 return n;
3600 }
3601
3602 void
3603 ipsec_delaux(m)
3604 struct mbuf *m;
3605 {
3606 struct mbuf *n;
3607
3608 n = m_aux_find(m, AF_INET, IPPROTO_ESP);
3609 if (n)
3610 m_aux_delete(m, n);
3611 }
3612
3613 /* if the aux buffer is unnecessary, nuke it. */
3614 static void
3615 ipsec_optaux(m, n)
3616 struct mbuf *m;
3617 struct mbuf *n;
3618 {
3619
3620 if (!n)
3621 return;
3622 if (n->m_len == sizeof(struct socket *) && !*mtod(n, struct socket **))
3623 ipsec_delaux(m);
3624 }
3625
3626 int
3627 ipsec_setsocket(m, so)
3628 struct mbuf *m;
3629 struct socket *so;
3630 {
3631 struct mbuf *n;
3632
3633 /* if so == NULL, don't insist on getting the aux mbuf */
3634 if (so) {
3635 n = ipsec_addaux(m);
3636 if (!n)
3637 return ENOBUFS;
3638 } else
3639 n = ipsec_findaux(m);
3640 if (n && n->m_len >= sizeof(struct socket *))
3641 *mtod(n, struct socket **) = so;
3642 ipsec_optaux(m, n);
3643 return 0;
3644 }
3645
3646 struct socket *
3647 ipsec_getsocket(m)
3648 struct mbuf *m;
3649 {
3650 struct mbuf *n;
3651
3652 n = ipsec_findaux(m);
3653 if (n && n->m_len >= sizeof(struct socket *))
3654 return *mtod(n, struct socket **);
3655 else
3656 return NULL;
3657 }
3658
3659 int
3660 ipsec_addhist(m, proto, spi)
3661 struct mbuf *m;
3662 int proto;
3663 u_int32_t spi;
3664 {
3665 struct mbuf *n;
3666 struct ipsec_history *p;
3667
3668 n = ipsec_addaux(m);
3669 if (!n)
3670 return ENOBUFS;
3671 if (M_TRAILINGSPACE(n) < sizeof(*p))
3672 return ENOSPC; /* XXX */
3673 p = (struct ipsec_history *)(mtod(n, caddr_t) + n->m_len);
3674 n->m_len += sizeof(*p);
3675 bzero(p, sizeof(*p));
3676 p->ih_proto = proto;
3677 p->ih_spi = spi;
3678 return 0;
3679 }
3680
3681 struct ipsec_history *
3682 ipsec_gethist(m, lenp)
3683 struct mbuf *m;
3684 int *lenp;
3685 {
3686 struct mbuf *n;
3687 int l;
3688
3689 n = ipsec_findaux(m);
3690 if (!n)
3691 return NULL;
3692 l = n->m_len;
3693 if (sizeof(struct socket *) > l)
3694 return NULL;
3695 if ((l - sizeof(struct socket *)) % sizeof(struct ipsec_history))
3696 return NULL;
3697 /* XXX does it make more sense to divide by sizeof(ipsec_history)? */
3698 if (lenp)
3699 *lenp = l - sizeof(struct socket *);
3700 return (struct ipsec_history *)
3701 (mtod(n, caddr_t) + sizeof(struct socket *));
3702 }
3703
3704 void
3705 ipsec_clearhist(m)
3706 struct mbuf *m;
3707 {
3708 struct mbuf *n;
3709
3710 n = ipsec_findaux(m);
3711 if ((n) && n->m_len > sizeof(struct socket *))
3712 n->m_len = sizeof(struct socket *);
3713 ipsec_optaux(m, n);
3714 }
3715
3716 __private_extern__ void
3717 ipsec_send_natt_keepalive(
3718 struct secasvar *sav)
3719 {
3720 struct mbuf *m;
3721 struct udphdr *uh;
3722 struct ip *ip;
3723
3724 if ((esp_udp_encap_port & 0xFFFF) == 0 || sav->remote_ike_port == 0) return;
3725
3726 m = m_gethdr(M_NOWAIT, MT_DATA);
3727 if (m == NULL) return;
3728
3729 /*
3730 * Create a UDP packet complete with IP header.
3731 * We must do this because UDP output requires
3732 * an inpcb which we don't have. UDP packet
3733 * contains one byte payload. The byte is set
3734 * to 0xFF.
3735 */
3736 ip = (struct ip*)m_mtod(m);
3737 uh = (struct udphdr*)((char*)m_mtod(m) + sizeof(struct ip));
3738 m->m_len = sizeof(struct udpiphdr) + 1;
3739 bzero(m_mtod(m), m->m_len);
3740 ip->ip_len = ntohs(m->m_len);
3741 ip->ip_ttl = ip_defttl;
3742 ip->ip_p = IPPROTO_UDP;
3743 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
3744 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
3745 uh->uh_sport = ntohs((u_short)esp_udp_encap_port);
3746 uh->uh_dport = ntohs(sav->remote_ike_port);
3747 uh->uh_ulen = htons(1 + sizeof(struct udphdr));
3748 uh->uh_sum = 0;
3749 *(u_int8_t*)((char*)m_mtod(m) + sizeof(struct ip) + sizeof(struct udphdr)) = 0xFF;
3750
3751 if (ip_output(m, NULL, &sav->sah->sa_route, IP_NOIPSEC, NULL) == 0)
3752 sav->natt_last_activity = natt_now;
3753 }
mirror of XNU