]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/ipsec.c
projects / apple / xnu.git / blob
? search:


c494fb4dabc69ce9a5b0040d42245a8c79ffe604
[apple/xnu.git] / bsd / netinet6 / ipsec.c
1 /* $KAME: ipsec.c,v 1.56 2000/04/04 08:47:34 itojun Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 /*
33 * IPsec controller part.
34 */
35 #define _IP_VHL
36
37 #if (defined(__FreeBSD__) && __FreeBSD__ >= 3) || defined(__NetBSD__)
38 #include "opt_inet.h"
39 #if __NetBSD__ /*XXX*/
40 #include "opt_ipsec.h"
41 #endif
42 #endif
43
44 #include <sys/param.h>
45 #include <sys/systm.h>
46 #include <sys/malloc.h>
47 #include <sys/mbuf.h>
48 #include <sys/domain.h>
49 #include <sys/protosw.h>
50 #include <sys/socket.h>
51 #include <sys/socketvar.h>
52 #include <sys/errno.h>
53 #include <sys/time.h>
54 #include <sys/kernel.h>
55 #include <sys/syslog.h>
56 #ifdef __NetBSD__
57 #include <vm/vm.h>
58 #endif
59 #if defined(__NetBSD__) || defined(__FreeBSD__) || defined (__APPLE__)
60 #include <sys/sysctl.h>
61 #endif
62
63 #include <net/if.h>
64 #include <net/route.h>
65
66 #include <netinet/in.h>
67 #include <netinet/in_systm.h>
68 #include <netinet/ip.h>
69 #include <netinet/ip_var.h>
70 #include <netinet/in_var.h>
71 #include <netinet/udp.h>
72 #include <netinet/udp_var.h>
73 #include <netinet/ip_ecn.h>
74
75 #if INET6
76 #include <netinet/ip6.h>
77 #include <netinet6/ip6_var.h>
78 #endif
79 #include <netinet/in_pcb.h>
80 #if INET6
81 #if !((defined(__FreeBSD__) && __FreeBSD__ >= 3) || defined(__OpenBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199802)) || defined (__APPLE__)
82 #include <netinet6/in6_pcb.h>
83 #endif
84 #include <netinet/icmp6.h>
85 #endif
86
87 #include <netinet6/ipsec.h>
88 #include <netinet6/ah.h>
89 #if IPSEC_ESP
90 #include <netinet6/esp.h>
91 #endif
92 #include <netinet6/ipcomp.h>
93 #include <netkey/key.h>
94 #include <netkey/keydb.h>
95 #include <netkey/key_debug.h>
96
97 #include <net/net_osdep.h>
98
99 #ifdef HAVE_NRL_INPCB
100 #define in6pcb inpcb
101 #define in6p_sp inp_sp
102 #define in6p_fport inp_fport
103 #define in6p_lport inp_lport
104 #define in6p_socket inp_socket
105 #define sotoin6pcb(so) ((struct inpcb *)(so)->so_pcb)
106 #endif
107
108 #ifdef __NetBSD__
109 #define ovbcopy bcopy
110 #endif
111
112 #ifdef IPSEC_DEBUG
113 int ipsec_debug = 1;
114 #else
115 int ipsec_debug = 0;
116 #endif
117
118 struct ipsecstat ipsecstat;
119 int ip4_inbound_call_ike = 0;
120 int ip4_ah_cleartos = 1;
121 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
122 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
123 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
124 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
125 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
126 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
127 struct secpolicy ip4_def_policy;
128 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
129
130 #if defined(__FreeBSD__) || defined(__APPLE__)
131 SYSCTL_DECL(_net_inet_ipsec);
132 /* net.inet.ipsec */
133 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
134 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
135 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
136 def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "");
137 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
138 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
139 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
140 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
141 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
142 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
143 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
144 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
145 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_INBOUND_CALL_IKE,
146 inbound_call_ike, CTLFLAG_RW, &ip4_inbound_call_ike, 0, "");
147 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
148 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
149 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
150 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
151 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
152 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
153 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
154 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
155 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
156 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
157 #endif /* __FreeBSD__ */
158
159 #if INET6
160 struct ipsecstat ipsec6stat;
161 int ip6_inbound_call_ike = 0;
162 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
163 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
164 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
165 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
166 struct secpolicy ip6_def_policy;
167 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
168
169 #if defined(__FreeBSD__) || defined(__APPLE__)
170 SYSCTL_DECL(_net_inet6_ipsec6);
171 /* net.inet6.ipsec6 */
172 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
173 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
174 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
175 def_policy, CTLFLAG_RW, &ip6_def_policy.policy, 0, "");
176 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
177 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
178 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
179 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
180 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
181 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
182 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
183 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
184 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_INBOUND_CALL_IKE,
185 inbound_call_ike, CTLFLAG_RW, &ip6_inbound_call_ike, 0, "");
186 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
187 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
188 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
189 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
190 #endif /*__FreeBSD__*/
191 #endif /* INET6 */
192
193 static int ipsec_setspidx_mbuf
194 __P((struct secpolicyindex *, u_int, u_int, struct mbuf *));
195 static void ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
196 static void ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
197 #if INET6
198 static void ipsec6_get_ulp __P((struct mbuf *m, struct secpolicyindex *));
199 static void ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb));
200 static void ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
201 #endif
202 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
203 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
204 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *src));
205 static int ipsec_set_policy __P((struct secpolicy **pcb_sp,
206 int optname, caddr_t request, size_t len, int priv));
207 static int ipsec_get_policy __P((struct secpolicy *pcb_sp, struct mbuf **mp));
208 static void vshiftl __P((unsigned char *, int, int));
209 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
210 static size_t ipsec_hdrsiz __P((struct secpolicy *));
211 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
212 #if INET6
213 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
214 #endif
215 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
216 #if INET6
217 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
218 #endif
219
220 /*
221 * For OUTBOUND packet having a socket. Searching SPD for packet,
222 * and return a pointer to SP.
223 * OUT: NULL: no apropreate SP found, the following value is set to error.
224 * 0 : bypass
225 * EACCES : discard packet.
226 * ENOENT : ipsec_acquire() in progress, maybe.
227 * others : error occured.
228 * others: a pointer to SP
229 *
230 * NOTE: IPv6 mapped adddress concern is implemented here.
231 */
232 struct secpolicy *
233 ipsec4_getpolicybysock(m, dir, so, error)
234 struct mbuf *m;
235 u_int dir;
236 struct socket *so;
237 int *error;
238 {
239 struct inpcbpolicy *pcbsp = NULL;
240 struct secpolicy *currsp = NULL; /* policy on socket */
241 struct secpolicy *kernsp = NULL; /* policy on kernel */
242
243 /* sanity check */
244 if (m == NULL || so == NULL || error == NULL)
245 panic("ipsec4_getpolicybysock: NULL pointer was passed.\n");
246
247 switch (so->so_proto->pr_domain->dom_family) {
248 case AF_INET:
249 /* set spidx in pcb */
250 ipsec4_setspidx_inpcb(m, sotoinpcb(so));
251 pcbsp = sotoinpcb(so)->inp_sp;
252 break;
253 #if INET6
254 case AF_INET6:
255 /* set spidx in pcb */
256 ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
257 pcbsp = sotoin6pcb(so)->in6p_sp;
258 break;
259 #endif
260 default:
261 panic("ipsec4_getpolicybysock: unsupported address family\n");
262 }
263
264 /* sanity check */
265 if (pcbsp == NULL)
266 panic("ipsec4_getpolicybysock: pcbsp is NULL.\n");
267
268 #if defined(__FreeBSD__) && __FreeBSD__ >= 3 || defined(__APPLE__)
269 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
270 printf("send: priv=%d ", pcbsp->priv);
271 if (so->so_cred) {
272 printf("p_ruid=%d ", so->so_cred->p_ruid);
273 printf("p_svuid=%d ", so->so_cred->p_svuid);
274 printf("cr_uid=%d\n", so->so_cred->pc_ucred->cr_uid);
275 });
276 #endif
277 switch (dir) {
278 case IPSEC_DIR_INBOUND:
279 currsp = pcbsp->sp_in;
280 break;
281 case IPSEC_DIR_OUTBOUND:
282 currsp = pcbsp->sp_out;
283 break;
284 default:
285 panic("ipsec4_getpolicybysock: illegal direction.\n");
286 }
287
288 /* sanity check */
289 if (currsp == NULL)
290 panic("ipsec4_getpolicybysock: currsp is NULL.\n");
291
292 /* when privilieged socket */
293 if (pcbsp->priv) {
294 switch (currsp->policy) {
295 case IPSEC_POLICY_BYPASS:
296 currsp->refcnt++;
297 *error = 0;
298 return currsp;
299
300 case IPSEC_POLICY_ENTRUST:
301 /* look for a policy in SPD */
302 kernsp = key_allocsp(&currsp->spidx, dir);
303
304 /* SP found */
305 if (kernsp != NULL) {
306 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
307 printf("DP ipsec4_getpolicybysock called "
308 "to allocate SP:%p\n", kernsp));
309 *error = 0;
310 return kernsp;
311 }
312
313 /* no SP found */
314 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
315 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
316 ipseclog((LOG_INFO,
317 "fixed system default policy: %d->%d\n",
318 ip4_def_policy.policy, IPSEC_POLICY_NONE));
319 ip4_def_policy.policy = IPSEC_POLICY_NONE;
320 }
321 ip4_def_policy.refcnt++;
322 *error = 0;
323 return &ip4_def_policy;
324
325 case IPSEC_POLICY_IPSEC:
326 currsp->refcnt++;
327 *error = 0;
328 return currsp;
329
330 default:
331 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
332 "Invalid policy for PCB %d\n", currsp->policy));
333 *error = EINVAL;
334 return NULL;
335 }
336 /* NOTREACHED */
337 }
338
339 /* when non-privilieged socket */
340 /* look for a policy in SPD */
341 kernsp = key_allocsp(&currsp->spidx, dir);
342
343 /* SP found */
344 if (kernsp != NULL) {
345 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
346 printf("DP ipsec4_getpolicybysock called "
347 "to allocate SP:%p\n", kernsp));
348 *error = 0;
349 return kernsp;
350 }
351
352 /* no SP found */
353 switch (currsp->policy) {
354 case IPSEC_POLICY_BYPASS:
355 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
356 "Illegal policy for non-priviliged defined %d\n",
357 currsp->policy));
358 *error = EINVAL;
359 return NULL;
360
361 case IPSEC_POLICY_ENTRUST:
362 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
363 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
364 ipseclog((LOG_INFO,
365 "fixed system default policy: %d->%d\n",
366 ip4_def_policy.policy, IPSEC_POLICY_NONE));
367 ip4_def_policy.policy = IPSEC_POLICY_NONE;
368 }
369 ip4_def_policy.refcnt++;
370 *error = 0;
371 return &ip4_def_policy;
372
373 case IPSEC_POLICY_IPSEC:
374 currsp->refcnt++;
375 *error = 0;
376 return currsp;
377
378 default:
379 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
380 "Invalid policy for PCB %d\n", currsp->policy));
381 *error = EINVAL;
382 return NULL;
383 }
384 /* NOTREACHED */
385 }
386
387 /*
388 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
389 * and return a pointer to SP.
390 * OUT: positive: a pointer to the entry for security policy leaf matched.
391 * NULL: no apropreate SP found, the following value is set to error.
392 * 0 : bypass
393 * EACCES : discard packet.
394 * ENOENT : ipsec_acquire() in progress, maybe.
395 * others : error occured.
396 */
397 struct secpolicy *
398 ipsec4_getpolicybyaddr(m, dir, flag, error)
399 struct mbuf *m;
400 u_int dir;
401 int flag;
402 int *error;
403 {
404 struct secpolicy *sp = NULL;
405
406 /* sanity check */
407 if (m == NULL || error == NULL)
408 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n");
409
410 {
411 struct secpolicyindex spidx;
412
413 bzero(&spidx, sizeof(spidx));
414
415 /* make a index to look for a policy */
416 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m);
417
418 if (*error != 0)
419 return NULL;
420
421 sp = key_allocsp(&spidx, dir);
422 }
423
424 /* SP found */
425 if (sp != NULL) {
426 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
427 printf("DP ipsec4_getpolicybyaddr called "
428 "to allocate SP:%p\n", sp));
429 *error = 0;
430 return sp;
431 }
432
433 /* no SP found */
434 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
435 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
436 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
437 ip4_def_policy.policy,
438 IPSEC_POLICY_NONE));
439 ip4_def_policy.policy = IPSEC_POLICY_NONE;
440 }
441 ip4_def_policy.refcnt++;
442 *error = 0;
443 return &ip4_def_policy;
444 }
445
446 #if INET6
447 /*
448 * For OUTBOUND packet having a socket. Searching SPD for packet,
449 * and return a pointer to SP.
450 * OUT: NULL: no apropreate SP found, the following value is set to error.
451 * 0 : bypass
452 * EACCES : discard packet.
453 * ENOENT : ipsec_acquire() in progress, maybe.
454 * others : error occured.
455 * others: a pointer to SP
456 */
457 struct secpolicy *
458 ipsec6_getpolicybysock(m, dir, so, error)
459 struct mbuf *m;
460 u_int dir;
461 struct socket *so;
462 int *error;
463 {
464 struct inpcbpolicy *pcbsp = NULL;
465 struct secpolicy *currsp = NULL; /* policy on socket */
466 struct secpolicy *kernsp = NULL; /* policy on kernel */
467
468 /* sanity check */
469 if (m == NULL || so == NULL || error == NULL)
470 panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
471
472 /* set spidx in pcb */
473 ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
474
475 pcbsp = sotoin6pcb(so)->in6p_sp;
476
477 /* sanity check */
478 if (pcbsp == NULL)
479 panic("ipsec6_getpolicybysock: pcbsp is NULL.\n");
480
481 switch (dir) {
482 case IPSEC_DIR_INBOUND:
483 currsp = pcbsp->sp_in;
484 break;
485 case IPSEC_DIR_OUTBOUND:
486 currsp = pcbsp->sp_out;
487 break;
488 default:
489 panic("ipsec6_getpolicybysock: illegal direction.\n");
490 }
491
492 /* sanity check */
493 if (currsp == NULL)
494 panic("ipsec6_getpolicybysock: currsp is NULL.\n");
495
496 /* when privilieged socket */
497 if (pcbsp->priv) {
498 switch (currsp->policy) {
499 case IPSEC_POLICY_BYPASS:
500 currsp->refcnt++;
501 *error = 0;
502 return currsp;
503
504 case IPSEC_POLICY_ENTRUST:
505 /* look for a policy in SPD */
506 kernsp = key_allocsp(&currsp->spidx, dir);
507
508 /* SP found */
509 if (kernsp != NULL) {
510 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
511 printf("DP ipsec6_getpolicybysock called "
512 "to allocate SP:%p\n", kernsp));
513 *error = 0;
514 return kernsp;
515 }
516
517 /* no SP found */
518 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
519 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
520 ipseclog((LOG_INFO,
521 "fixed system default policy: %d->%d\n",
522 ip6_def_policy.policy, IPSEC_POLICY_NONE));
523 ip6_def_policy.policy = IPSEC_POLICY_NONE;
524 }
525 ip6_def_policy.refcnt++;
526 *error = 0;
527 return &ip6_def_policy;
528
529 case IPSEC_POLICY_IPSEC:
530 currsp->refcnt++;
531 *error = 0;
532 return currsp;
533
534 default:
535 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
536 "Invalid policy for PCB %d\n", currsp->policy));
537 *error = EINVAL;
538 return NULL;
539 }
540 /* NOTREACHED */
541 }
542
543 /* when non-privilieged socket */
544 /* look for a policy in SPD */
545 kernsp = key_allocsp(&currsp->spidx, dir);
546
547 /* SP found */
548 if (kernsp != NULL) {
549 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
550 printf("DP ipsec6_getpolicybysock called "
551 "to allocate SP:%p\n", kernsp));
552 *error = 0;
553 return kernsp;
554 }
555
556 /* no SP found */
557 switch (currsp->policy) {
558 case IPSEC_POLICY_BYPASS:
559 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
560 "Illegal policy for non-priviliged defined %d\n",
561 currsp->policy));
562 *error = EINVAL;
563 return NULL;
564
565 case IPSEC_POLICY_ENTRUST:
566 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
567 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
568 ipseclog((LOG_INFO,
569 "fixed system default policy: %d->%d\n",
570 ip6_def_policy.policy, IPSEC_POLICY_NONE));
571 ip6_def_policy.policy = IPSEC_POLICY_NONE;
572 }
573 ip6_def_policy.refcnt++;
574 *error = 0;
575 return &ip6_def_policy;
576
577 case IPSEC_POLICY_IPSEC:
578 currsp->refcnt++;
579 *error = 0;
580 return currsp;
581
582 default:
583 ipseclog((LOG_ERR,
584 "ipsec6_policybysock: Invalid policy for PCB %d\n",
585 currsp->policy));
586 *error = EINVAL;
587 return NULL;
588 }
589 /* NOTREACHED */
590 }
591
592 /*
593 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
594 * and return a pointer to SP.
595 * `flag' means that packet is to be forwarded whether or not.
596 * flag = 1: forwad
597 * OUT: positive: a pointer to the entry for security policy leaf matched.
598 * NULL: no apropreate SP found, the following value is set to error.
599 * 0 : bypass
600 * EACCES : discard packet.
601 * ENOENT : ipsec_acquire() in progress, maybe.
602 * others : error occured.
603 */
604 #ifndef IP_FORWARDING
605 #define IP_FORWARDING 1
606 #endif
607
608 struct secpolicy *
609 ipsec6_getpolicybyaddr(m, dir, flag, error)
610 struct mbuf *m;
611 u_int dir;
612 int flag;
613 int *error;
614 {
615 struct secpolicy *sp = NULL;
616
617 /* sanity check */
618 if (m == NULL || error == NULL)
619 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n");
620
621 {
622 struct secpolicyindex spidx;
623
624 bzero(&spidx, sizeof(spidx));
625
626 /* make a index to look for a policy */
627 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m);
628
629 if (*error != 0)
630 return NULL;
631
632 sp = key_allocsp(&spidx, dir);
633 }
634
635 /* SP found */
636 if (sp != NULL) {
637 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
638 printf("DP ipsec6_getpolicybyaddr called "
639 "to allocate SP:%p\n", sp));
640 *error = 0;
641 return sp;
642 }
643
644 /* no SP found */
645 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
646 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
647 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
648 ip6_def_policy.policy, IPSEC_POLICY_NONE));
649 ip6_def_policy.policy = IPSEC_POLICY_NONE;
650 }
651 ip6_def_policy.refcnt++;
652 *error = 0;
653 return &ip6_def_policy;
654 }
655 #endif /* INET6 */
656
657 /*
658 * set IP address into spidx from mbuf.
659 * When Forwarding packet and ICMP echo reply, this function is used.
660 *
661 * IN: get the followings from mbuf.
662 * protocol family, src, dst, next protocol
663 * OUT:
664 * 0: success.
665 * other: failure, and set errno.
666 */
667 int
668 ipsec_setspidx_mbuf(spidx, dir, family, m)
669 struct secpolicyindex *spidx;
670 u_int dir, family;
671 struct mbuf *m;
672 {
673 struct sockaddr *sa1, *sa2;
674
675 /* sanity check */
676 if (spidx == NULL || m == NULL)
677 panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n");
678
679 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
680 printf("ipsec_setspidx_mbuf: begin\n"); kdebug_mbuf(m));
681
682 /* initialize */
683 bzero(spidx, sizeof(*spidx));
684
685 spidx->dir = dir;
686 sa1 = (struct sockaddr *)&spidx->src;
687 sa2 = (struct sockaddr *)&spidx->dst;
688 sa1->sa_len = sa2->sa_len = _SALENBYAF(family);
689 sa1->sa_family = sa2->sa_family = family;
690 spidx->prefs = spidx->prefd = _INALENBYAF(family) << 3;
691
692 {
693 /* sanity check for packet length. */
694 struct mbuf *n;
695 int tlen;
696
697 tlen = 0;
698 for (n = m; n; n = n->m_next)
699 tlen += n->m_len;
700 if (m->m_pkthdr.len != tlen) {
701 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
702 printf("ipsec_setspidx_mbuf: "
703 "total of m_len(%d) != pkthdr.len(%d), "
704 "ignored.\n",
705 tlen, m->m_pkthdr.len));
706 goto bad;
707 }
708 }
709
710 switch (family) {
711 case AF_INET:
712 {
713 struct ip *ip;
714 struct ip ipbuf;
715
716 /* sanity check 1 for minimum ip header length */
717 if (m->m_pkthdr.len < sizeof(struct ip)) {
718 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
719 printf("ipsec_setspidx_mbuf: "
720 "pkthdr.len(%d) < sizeof(struct ip), "
721 "ignored.\n",
722 m->m_pkthdr.len));
723 goto bad;
724 }
725
726 /*
727 * get IPv4 header packet. usually the mbuf is contiguous
728 * and we need no copies.
729 */
730 if (m->m_len >= sizeof(*ip))
731 ip = mtod(m, struct ip *);
732 else {
733 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
734 ip = &ipbuf;
735 }
736
737 /* some more checks on IPv4 header. */
738 bcopy(&ip->ip_src, _INADDRBYSA(&spidx->src),
739 sizeof(ip->ip_src));
740 bcopy(&ip->ip_dst, _INADDRBYSA(&spidx->dst),
741 sizeof(ip->ip_dst));
742
743 spidx->ul_proto = ip->ip_p;
744 _INPORTBYSA(&spidx->src) = IPSEC_PORT_ANY;
745 _INPORTBYSA(&spidx->dst) = IPSEC_PORT_ANY;
746 break;
747 }
748
749 #if INET6
750 case AF_INET6:
751 {
752 struct ip6_hdr *ip6;
753 struct ip6_hdr ip6buf;
754
755 /* sanity check 1 for minimum ip header length */
756 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
757 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
758 printf("ipsec_setspidx_mbuf: "
759 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
760 "ignored.\n",
761 m->m_pkthdr.len));
762 goto bad;
763 }
764
765 /*
766 * get IPv6 header packet. usually the mbuf is contiguous
767 * and we need no copies.
768 */
769 if (m->m_len >= sizeof(*ip6))
770 ip6 = mtod(m, struct ip6_hdr *);
771 else {
772 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
773 ip6 = &ip6buf;
774 }
775
776 /* some more checks on IPv4 header. */
777 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
778 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
779 printf("ipsec_setspidx_mbuf: "
780 "wrong ip version on packet "
781 "(expected IPv6), ignored.\n"));
782 goto bad;
783 }
784
785 bcopy(&ip6->ip6_src, _INADDRBYSA(&spidx->src),
786 sizeof(ip6->ip6_src));
787 bcopy(&ip6->ip6_dst, _INADDRBYSA(&spidx->dst),
788 sizeof(ip6->ip6_dst));
789
790 ipsec6_get_ulp(m, spidx);
791 break;
792 }
793 #endif /* INET6 */
794 default:
795 panic("ipsec_secsecidx: no supported family passed.\n");
796 }
797
798 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
799 printf("ipsec_setspidx_mbuf: end\n");
800 kdebug_secpolicyindex(spidx));
801
802 return 0;
803
804 bad:
805 /* XXX initialize */
806 bzero(spidx, sizeof(*spidx));
807 return EINVAL;
808 }
809
810 #if INET6
811 /*
812 * Get upper layer protocol number and port number if there.
813 * Assumed all extension headers are in single mbuf.
814 */
815 #include <netinet/tcp.h>
816 #include <netinet/udp.h>
817 static void
818 ipsec6_get_ulp(m, spidx)
819 struct mbuf *m;
820 struct secpolicyindex *spidx;
821 {
822 int off, nxt;
823
824 /* sanity check */
825 if (m == NULL)
826 panic("ipsec6_get_ulp: NULL pointer was passed.\n");
827
828 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
829 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
830
831 /* set default */
832 spidx->ul_proto = IPSEC_ULPROTO_ANY;
833 _INPORTBYSA(&spidx->src) = IPSEC_PORT_ANY;
834 _INPORTBYSA(&spidx->dst) = IPSEC_PORT_ANY;
835
836 nxt = -1;
837 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
838 if (off < 0 || m->m_pkthdr.len < off)
839 return;
840
841 switch (nxt) {
842 case IPPROTO_TCP:
843 spidx->ul_proto = nxt;
844 if (off + sizeof(struct tcphdr) <= m->m_pkthdr.len) {
845 struct tcphdr th;
846 m_copydata(m, off, sizeof(th), (caddr_t)&th);
847 _INPORTBYSA(&spidx->src) = th.th_sport;
848 _INPORTBYSA(&spidx->dst) = th.th_dport;
849 }
850 break;
851 case IPPROTO_UDP:
852 spidx->ul_proto = nxt;
853 if (off + sizeof(struct udphdr) <= m->m_pkthdr.len) {
854 struct udphdr uh;
855 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
856 _INPORTBYSA(&spidx->src) = uh.uh_sport;
857 _INPORTBYSA(&spidx->dst) = uh.uh_dport;
858 }
859 break;
860 case IPPROTO_ICMPV6:
861 spidx->ul_proto = nxt;
862 break;
863 default:
864 break;
865 }
866 }
867 #endif
868
869 static void
870 ipsec4_setspidx_inpcb(m, pcb)
871 struct mbuf *m;
872 struct inpcb *pcb;
873 {
874 struct secpolicyindex *spidx;
875 struct sockaddr *sa1, *sa2;
876
877 /* sanity check */
878 if (pcb == NULL)
879 panic("ipsec4_setspidx_inpcb: no PCB found.\n");
880 if (pcb->inp_sp == NULL)
881 panic("ipsec4_setspidx_inpcb: no inp_sp found.\n");
882 if (pcb->inp_sp->sp_out ==NULL || pcb->inp_sp->sp_in == NULL)
883 panic("ipsec4_setspidx_inpcb: no sp_in/out found.\n");
884
885 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
886 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
887
888 spidx = &pcb->inp_sp->sp_in->spidx;
889 spidx->dir = IPSEC_DIR_INBOUND;
890 sa1 = (struct sockaddr *)&spidx->src;
891 sa2 = (struct sockaddr *)&spidx->dst;
892 sa1->sa_len = sa2->sa_len = _SALENBYAF(AF_INET);
893 sa1->sa_family = sa2->sa_family = AF_INET;
894 spidx->prefs = _INALENBYAF(AF_INET) << 3;
895 spidx->prefd = _INALENBYAF(AF_INET) << 3;
896 spidx->ul_proto = pcb->inp_socket->so_proto->pr_protocol;
897 _INPORTBYSA(&spidx->src) = pcb->inp_fport;
898 _INPORTBYSA(&spidx->dst) = pcb->inp_lport;
899 ipsec4_setspidx_ipaddr(m, spidx);
900
901 spidx = &pcb->inp_sp->sp_out->spidx;
902 spidx->dir = IPSEC_DIR_OUTBOUND;
903 sa1 = (struct sockaddr *)&spidx->src;
904 sa2 = (struct sockaddr *)&spidx->dst;
905 sa1->sa_len = sa2->sa_len = _SALENBYAF(AF_INET);
906 sa1->sa_family = sa2->sa_family = AF_INET;
907 spidx->prefs = _INALENBYAF(AF_INET) << 3;
908 spidx->prefd = _INALENBYAF(AF_INET) << 3;
909 spidx->ul_proto = pcb->inp_socket->so_proto->pr_protocol;
910 _INPORTBYSA(&spidx->src) = pcb->inp_lport;
911 _INPORTBYSA(&spidx->dst) = pcb->inp_fport;
912 ipsec4_setspidx_ipaddr(m, spidx);
913
914 return;
915 }
916
917 static void
918 ipsec4_setspidx_ipaddr(m, spidx)
919 struct mbuf *m;
920 struct secpolicyindex *spidx;
921 {
922 struct ip *ip = NULL;
923 struct ip ipbuf;
924
925 /* sanity check 1 for minimum ip header length */
926 if (m == NULL)
927 panic("ipsec4_setspidx_ipaddr: m == 0 passed.\n");
928
929 if (m->m_pkthdr.len < sizeof(struct ip)) {
930 printf("ipsec4_setspidx_ipaddr: "
931 "pkthdr.len(%d) < sizeof(struct ip), "
932 "ignored.\n",
933 m->m_pkthdr.len);
934 return;
935 }
936
937 if (m && m->m_len >= sizeof(*ip))
938 ip = mtod(m, struct ip *);
939 else {
940 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
941 ip = &ipbuf;
942 }
943
944 bcopy(&ip->ip_src, _INADDRBYSA(&spidx->src), sizeof(ip->ip_src));
945 bcopy(&ip->ip_dst, _INADDRBYSA(&spidx->dst), sizeof(ip->ip_dst));
946
947 return;
948 }
949
950 #if INET6
951 static void
952 ipsec6_setspidx_in6pcb(m, pcb)
953 struct mbuf *m;
954 struct in6pcb *pcb;
955 {
956 struct secpolicyindex *spidx;
957 struct sockaddr *sa1, *sa2;
958
959 /* sanity check */
960 if (pcb == NULL)
961 panic("ipsec6_setspidx_in6pcb: no PCB found.\n");
962 if (pcb->in6p_sp == NULL)
963 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.\n");
964 if (pcb->in6p_sp->sp_out ==NULL || pcb->in6p_sp->sp_in == NULL)
965 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.\n");
966
967 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
968 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
969
970 spidx = &pcb->in6p_sp->sp_in->spidx;
971 spidx->dir = IPSEC_DIR_INBOUND;
972 sa1 = (struct sockaddr *)&spidx->src;
973 sa2 = (struct sockaddr *)&spidx->dst;
974 sa1->sa_len = sa2->sa_len = _SALENBYAF(AF_INET6);
975 sa1->sa_family = sa2->sa_family = AF_INET6;
976 spidx->prefs = _INALENBYAF(AF_INET6) << 3;
977 spidx->prefd = _INALENBYAF(AF_INET6) << 3;
978 spidx->ul_proto = pcb->in6p_socket->so_proto->pr_protocol;
979 _INPORTBYSA(&spidx->src) = pcb->in6p_fport;
980 _INPORTBYSA(&spidx->dst) = pcb->in6p_lport;
981 ipsec6_setspidx_ipaddr(m, spidx);
982
983 spidx = &pcb->in6p_sp->sp_out->spidx;
984 spidx->dir = IPSEC_DIR_OUTBOUND;
985 sa1 = (struct sockaddr *)&spidx->src;
986 sa2 = (struct sockaddr *)&spidx->dst;
987 sa1->sa_len = sa2->sa_len = _SALENBYAF(AF_INET6);
988 sa1->sa_family = sa2->sa_family = AF_INET6;
989 spidx->prefs = _INALENBYAF(AF_INET6) << 3;
990 spidx->prefd = _INALENBYAF(AF_INET6) << 3;
991 spidx->ul_proto = pcb->in6p_socket->so_proto->pr_protocol;
992 _INPORTBYSA(&spidx->src) = pcb->in6p_lport;
993 _INPORTBYSA(&spidx->dst) = pcb->in6p_fport;
994 ipsec6_setspidx_ipaddr(m, spidx);
995
996 return;
997 }
998
999 static void
1000 ipsec6_setspidx_ipaddr(m, spidx)
1001 struct mbuf *m;
1002 struct secpolicyindex *spidx;
1003 {
1004 struct ip6_hdr *ip6 = NULL;
1005 struct ip6_hdr ip6buf;
1006
1007 /* sanity check 1 for minimum ip header length */
1008 if (m == NULL)
1009 panic("ipsec6_setspidx_in6pcb: m == 0 passed.\n");
1010
1011 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
1012 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1013 printf("ipsec6_setspidx_ipaddr: "
1014 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
1015 "ignored.\n",
1016 m->m_pkthdr.len));
1017 return;
1018 }
1019
1020 if (m->m_len >= sizeof(*ip6))
1021 ip6 = mtod(m, struct ip6_hdr *);
1022 else {
1023 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1024 ip6 = &ip6buf;
1025 }
1026
1027 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
1028 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1029 printf("ipsec_setspidx_mbuf: "
1030 "wrong ip version on packet "
1031 "(expected IPv6), ignored.\n"));
1032 return;
1033 }
1034
1035 bcopy(&ip6->ip6_src, _INADDRBYSA(&spidx->src), sizeof(ip6->ip6_src));
1036 bcopy(&ip6->ip6_dst, _INADDRBYSA(&spidx->dst), sizeof(ip6->ip6_dst));
1037
1038 return;
1039 }
1040 #endif
1041
1042 static struct inpcbpolicy *
1043 ipsec_newpcbpolicy()
1044 {
1045 struct inpcbpolicy *p;
1046
1047 p = (struct inpcbpolicy *)_MALLOC(sizeof(*p), M_SECA, M_WAITOK);
1048 return p;
1049 }
1050
1051 static void
1052 ipsec_delpcbpolicy(p)
1053 struct inpcbpolicy *p;
1054 {
1055 _FREE(p, M_SECA);
1056 }
1057
1058 /* initialize policy in PCB */
1059 int
1060 ipsec_init_policy(so, pcb_sp)
1061 struct socket *so;
1062 struct inpcbpolicy **pcb_sp;
1063 {
1064 struct inpcbpolicy *new;
1065
1066 /* sanity check. */
1067 if (so == NULL || pcb_sp == NULL)
1068 panic("ipsec_init_policy: NULL pointer was passed.\n");
1069
1070 new = ipsec_newpcbpolicy();
1071 if (new == NULL) {
1072 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1073 return ENOBUFS;
1074 }
1075 bzero(new, sizeof(*new));
1076
1077 #if defined(__NetBSD__) || defined (__APPLE__)
1078 if (so->so_uid == 0) /*XXX*/
1079 new->priv = 1;
1080 else
1081 new->priv = 0;
1082 #elif defined(__FreeBSD__) && __FreeBSD__ >= 3
1083 if (so->so_cred != 0 && so->so_cred->pc_ucred->cr_uid == 0)
1084 new->priv = 1;
1085 else
1086 new->priv = 0;
1087
1088 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1089 printf("init: priv=%d ", new->priv);
1090 if (so->so_cred) {
1091 printf("p_ruid=%d ", so->so_cred->p_ruid);
1092 printf("p_svuid=%d ", so->so_cred->p_svuid);
1093 printf("cr_uid=%d\n", so->so_cred->pc_ucred->cr_uid);
1094 } else
1095 printf("so_cred is NULL\n");
1096 );
1097 #else
1098 new->priv = so->so_state & SS_PRIV;
1099 #endif
1100
1101 if ((new->sp_in = key_newsp()) == NULL) {
1102 ipsec_delpcbpolicy(new);
1103 return ENOBUFS;
1104 }
1105 new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1106 new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1107
1108 if ((new->sp_out = key_newsp()) == NULL) {
1109 key_freesp(new->sp_in);
1110 ipsec_delpcbpolicy(new);
1111 return ENOBUFS;
1112 }
1113 new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1114 new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1115
1116 *pcb_sp = new;
1117
1118 return 0;
1119 }
1120
1121 /* copy old ipsec policy into new */
1122 int
1123 ipsec_copy_policy(old, new)
1124 struct inpcbpolicy *old, *new;
1125 {
1126 struct secpolicy *sp;
1127
1128 sp = ipsec_deepcopy_policy(old->sp_in);
1129 if (sp) {
1130 key_freesp(new->sp_in);
1131 new->sp_in = sp;
1132 } else
1133 return ENOBUFS;
1134
1135 sp = ipsec_deepcopy_policy(old->sp_out);
1136 if (sp) {
1137 key_freesp(new->sp_out);
1138 new->sp_out = sp;
1139 } else
1140 return ENOBUFS;
1141
1142 new->priv = old->priv;
1143
1144 return 0;
1145 }
1146
1147 /* deep-copy a policy in PCB */
1148 static struct secpolicy *
1149 ipsec_deepcopy_policy(src)
1150 struct secpolicy *src;
1151 {
1152 struct ipsecrequest *newchain = NULL;
1153 struct ipsecrequest *p;
1154 struct ipsecrequest **q;
1155 struct ipsecrequest *r;
1156 struct secpolicy *dst;
1157
1158 dst = key_newsp();
1159 if (src == NULL || dst == NULL)
1160 return NULL;
1161
1162 /*
1163 * deep-copy IPsec request chain. This is required since struct
1164 * ipsecrequest is not reference counted.
1165 */
1166 q = &newchain;
1167 for (p = src->req; p; p = p->next) {
1168 *q = (struct ipsecrequest *)_MALLOC(sizeof(struct ipsecrequest),
1169 M_SECA, M_WAITOK);
1170 if (*q == NULL)
1171 goto fail;
1172 bzero(*q, sizeof(**q));
1173 (*q)->next = NULL;
1174
1175 (*q)->saidx.proto = p->saidx.proto;
1176 (*q)->saidx.mode = p->saidx.mode;
1177 (*q)->level = p->level;
1178 (*q)->saidx.reqid = p->saidx.reqid;
1179
1180 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1181 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1182
1183 (*q)->sav = NULL;
1184 (*q)->sp = dst;
1185
1186 q = &((*q)->next);
1187 }
1188
1189 dst->req = newchain;
1190 dst->state = src->state;
1191 dst->policy = src->policy;
1192 /* do not touch the refcnt fields */
1193
1194 return dst;
1195
1196 fail:
1197 for (p = newchain; p; p = r) {
1198 r = p->next;
1199 _FREE(p, M_SECA);
1200 p = NULL;
1201 }
1202 return NULL;
1203 }
1204
1205 /* set policy and ipsec request if present. */
1206 static int
1207 ipsec_set_policy(pcb_sp, optname, request, len, priv)
1208 struct secpolicy **pcb_sp;
1209 int optname;
1210 caddr_t request;
1211 size_t len;
1212 int priv;
1213 {
1214 struct sadb_x_policy *xpl;
1215 struct secpolicy *newsp = NULL;
1216 int error;
1217
1218 /* sanity check. */
1219 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL)
1220 return EINVAL;
1221 if (len < sizeof(*xpl))
1222 return EINVAL;
1223 xpl = (struct sadb_x_policy *)request;
1224
1225 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1226 printf("ipsec_set_policy: passed policy\n");
1227 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1228
1229 /* check policy type */
1230 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1231 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1232 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1233 return EINVAL;
1234
1235 /* check privileged socket */
1236 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1237 return EACCES;
1238
1239 /* allocation new SP entry */
1240 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1241 return error;
1242
1243 newsp->state = IPSEC_SPSTATE_ALIVE;
1244
1245 /* clear old SP and set new SP */
1246 key_freesp(*pcb_sp);
1247 *pcb_sp = newsp;
1248 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1249 printf("ipsec_set_policy: new policy\n");
1250 kdebug_secpolicy(newsp));
1251
1252 return 0;
1253 }
1254
1255 static int
1256 ipsec_get_policy(pcb_sp, mp)
1257 struct secpolicy *pcb_sp;
1258 struct mbuf **mp;
1259 {
1260
1261 /* sanity check. */
1262 if (pcb_sp == NULL || mp == NULL)
1263 return EINVAL;
1264
1265 *mp = key_sp2msg(pcb_sp);
1266 if (!*mp) {
1267 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1268 return ENOBUFS;
1269 }
1270
1271 #if defined(__FreeBSD__) && __FreeBSD__ >= 3 || defined (__APPLE__)
1272 (*mp)->m_type = MT_DATA;
1273 #else
1274 (*mp)->m_type = MT_SOOPTS;
1275 #endif
1276 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1277 printf("ipsec_get_policy:\n");
1278 kdebug_mbuf(*mp));
1279
1280 return 0;
1281 }
1282
1283 int
1284 ipsec4_set_policy(inp, optname, request, len, priv)
1285 struct inpcb *inp;
1286 int optname;
1287 caddr_t request;
1288 size_t len;
1289 int priv;
1290 {
1291 struct sadb_x_policy *xpl;
1292 struct secpolicy **pcb_sp;
1293
1294 /* sanity check. */
1295 if (inp == NULL || request == NULL)
1296 return EINVAL;
1297 if (len < sizeof(*xpl))
1298 return EINVAL;
1299 xpl = (struct sadb_x_policy *)request;
1300
1301 /* select direction */
1302 switch (xpl->sadb_x_policy_dir) {
1303 case IPSEC_DIR_INBOUND:
1304 pcb_sp = &inp->inp_sp->sp_in;
1305 break;
1306 case IPSEC_DIR_OUTBOUND:
1307 pcb_sp = &inp->inp_sp->sp_out;
1308 break;
1309 default:
1310 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1311 xpl->sadb_x_policy_dir));
1312 return EINVAL;
1313 }
1314
1315 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1316 }
1317
1318 int
1319 ipsec4_get_policy(inp, request, len, mp)
1320 struct inpcb *inp;
1321 caddr_t request;
1322 size_t len;
1323 struct mbuf **mp;
1324 {
1325 struct sadb_x_policy *xpl;
1326 struct secpolicy *pcb_sp;
1327
1328 /* sanity check. */
1329 if (inp == NULL || request == NULL || mp == NULL)
1330 return EINVAL;
1331 if (inp->inp_sp == NULL)
1332 panic("policy in PCB is NULL\n");
1333 if (len < sizeof(*xpl))
1334 return EINVAL;
1335 xpl = (struct sadb_x_policy *)request;
1336
1337 /* select direction */
1338 switch (xpl->sadb_x_policy_dir) {
1339 case IPSEC_DIR_INBOUND:
1340 pcb_sp = inp->inp_sp->sp_in;
1341 break;
1342 case IPSEC_DIR_OUTBOUND:
1343 pcb_sp = inp->inp_sp->sp_out;
1344 break;
1345 default:
1346 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1347 xpl->sadb_x_policy_dir));
1348 return EINVAL;
1349 }
1350
1351 return ipsec_get_policy(pcb_sp, mp);
1352 }
1353
1354 /* delete policy in PCB */
1355 int
1356 ipsec4_delete_pcbpolicy(inp)
1357 struct inpcb *inp;
1358 {
1359 /* sanity check. */
1360 if (inp == NULL)
1361 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n");
1362
1363 if (inp->inp_sp == NULL)
1364 return 0;
1365
1366 if (inp->inp_sp->sp_in != NULL) {
1367 key_freesp(inp->inp_sp->sp_in);
1368 inp->inp_sp->sp_in = NULL;
1369 }
1370
1371 if (inp->inp_sp->sp_out != NULL) {
1372 key_freesp(inp->inp_sp->sp_out);
1373 inp->inp_sp->sp_out = NULL;
1374 }
1375
1376 ipsec_delpcbpolicy(inp->inp_sp);
1377 inp->inp_sp = NULL;
1378
1379 return 0;
1380 }
1381
1382 #if INET6
1383 int
1384 ipsec6_set_policy(in6p, optname, request, len, priv)
1385 struct in6pcb *in6p;
1386 int optname;
1387 caddr_t request;
1388 size_t len;
1389 int priv;
1390 {
1391 struct sadb_x_policy *xpl;
1392 struct secpolicy **pcb_sp;
1393
1394 /* sanity check. */
1395 if (in6p == NULL || request == NULL)
1396 return EINVAL;
1397 if (len < sizeof(*xpl))
1398 return EINVAL;
1399 xpl = (struct sadb_x_policy *)request;
1400
1401 /* select direction */
1402 switch (xpl->sadb_x_policy_dir) {
1403 case IPSEC_DIR_INBOUND:
1404 pcb_sp = &in6p->in6p_sp->sp_in;
1405 break;
1406 case IPSEC_DIR_OUTBOUND:
1407 pcb_sp = &in6p->in6p_sp->sp_out;
1408 break;
1409 default:
1410 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1411 xpl->sadb_x_policy_dir));
1412 return EINVAL;
1413 }
1414
1415 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1416 }
1417
1418 int
1419 ipsec6_get_policy(in6p, request, len, mp)
1420 struct in6pcb *in6p;
1421 caddr_t request;
1422 size_t len;
1423 struct mbuf **mp;
1424 {
1425 struct sadb_x_policy *xpl;
1426 struct secpolicy *pcb_sp;
1427
1428 /* sanity check. */
1429 if (in6p == NULL || request == NULL || mp == NULL)
1430 return EINVAL;
1431 if (in6p->in6p_sp == NULL)
1432 panic("policy in PCB is NULL\n");
1433 if (len < sizeof(*xpl))
1434 return EINVAL;
1435 xpl = (struct sadb_x_policy *)request;
1436
1437 /* select direction */
1438 switch (xpl->sadb_x_policy_dir) {
1439 case IPSEC_DIR_INBOUND:
1440 pcb_sp = in6p->in6p_sp->sp_in;
1441 break;
1442 case IPSEC_DIR_OUTBOUND:
1443 pcb_sp = in6p->in6p_sp->sp_out;
1444 break;
1445 default:
1446 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1447 xpl->sadb_x_policy_dir));
1448 return EINVAL;
1449 }
1450
1451 return ipsec_get_policy(pcb_sp, mp);
1452 }
1453
1454 int
1455 ipsec6_delete_pcbpolicy(in6p)
1456 struct in6pcb *in6p;
1457 {
1458 /* sanity check. */
1459 if (in6p == NULL)
1460 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n");
1461
1462 if (in6p->in6p_sp == NULL)
1463 return 0;
1464
1465 if (in6p->in6p_sp->sp_in != NULL) {
1466 key_freesp(in6p->in6p_sp->sp_in);
1467 in6p->in6p_sp->sp_in = NULL;
1468 }
1469
1470 if (in6p->in6p_sp->sp_out != NULL) {
1471 key_freesp(in6p->in6p_sp->sp_out);
1472 in6p->in6p_sp->sp_out = NULL;
1473 }
1474
1475 ipsec_delpcbpolicy(in6p->in6p_sp);
1476 in6p->in6p_sp = NULL;
1477
1478 return 0;
1479 }
1480 #endif
1481
1482 /*
1483 * return current level.
1484 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1485 */
1486 u_int
1487 ipsec_get_reqlevel(isr)
1488 struct ipsecrequest *isr;
1489 {
1490 u_int level = 0;
1491 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1492
1493 /* sanity check */
1494 if (isr == NULL || isr->sp == NULL)
1495 panic("ipsec_get_reqlevel: NULL pointer is passed.\n");
1496 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1497 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family)
1498 panic("ipsec_get_reqlevel: family mismatched.\n");
1499
1500 /* XXX note that we have ipseclog() expanded here - code sync issue */
1501 #define IPSEC_CHECK_DEFAULT(lev) \
1502 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1503 && (lev) != IPSEC_LEVEL_UNIQUE) \
1504 ? (ipsec_debug \
1505 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1506 (lev), IPSEC_LEVEL_REQUIRE) \
1507 : 0), \
1508 (lev) = IPSEC_LEVEL_REQUIRE, \
1509 (lev) \
1510 : (lev))
1511
1512 /* set default level */
1513 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1514 #if INET
1515 case AF_INET:
1516 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1517 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1518 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1519 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1520 break;
1521 #endif
1522 #if INET6
1523 case AF_INET6:
1524 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1525 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1526 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1527 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1528 break;
1529 #endif /* INET6 */
1530 default:
1531 panic("key_get_reqlevel: Unknown family. %d\n",
1532 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1533 }
1534
1535 #undef IPSEC_CHECK_DEFAULT(lev)
1536
1537 /* set level */
1538 switch (isr->level) {
1539 case IPSEC_LEVEL_DEFAULT:
1540 switch (isr->saidx.proto) {
1541 case IPPROTO_ESP:
1542 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1543 level = esp_net_deflev;
1544 else
1545 level = esp_trans_deflev;
1546 break;
1547 case IPPROTO_AH:
1548 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1549 level = ah_net_deflev;
1550 else
1551 level = ah_trans_deflev;
1552 case IPPROTO_IPCOMP:
1553 /*
1554 * we don't really care, as IPcomp document says that
1555 * we shouldn't compress small packets
1556 */
1557 level = IPSEC_LEVEL_USE;
1558 break;
1559 default:
1560 panic("ipsec_get_reqlevel: "
1561 "Illegal protocol defined %u\n",
1562 isr->saidx.proto);
1563 }
1564 break;
1565
1566 case IPSEC_LEVEL_USE:
1567 case IPSEC_LEVEL_REQUIRE:
1568 level = isr->level;
1569 break;
1570 case IPSEC_LEVEL_UNIQUE:
1571 level = IPSEC_LEVEL_REQUIRE;
1572 break;
1573
1574 default:
1575 panic("ipsec_get_reqlevel: Illegal IPsec level %u\n",
1576 isr->level);
1577 }
1578
1579 return level;
1580 }
1581
1582 /*
1583 * Check AH/ESP integrity.
1584 * OUT:
1585 * 0: valid
1586 * 1: invalid
1587 */
1588 static int
1589 ipsec_in_reject(sp, m)
1590 struct secpolicy *sp;
1591 struct mbuf *m;
1592 {
1593 struct ipsecrequest *isr;
1594 u_int level;
1595 int need_auth, need_conf, need_icv;
1596
1597 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1598 printf("ipsec_in_reject: using SP\n");
1599 kdebug_secpolicy(sp));
1600
1601 /* check policy */
1602 switch (sp->policy) {
1603 case IPSEC_POLICY_DISCARD:
1604 return 1;
1605 case IPSEC_POLICY_BYPASS:
1606 case IPSEC_POLICY_NONE:
1607 return 0;
1608
1609 case IPSEC_POLICY_IPSEC:
1610 break;
1611
1612 case IPSEC_POLICY_ENTRUST:
1613 default:
1614 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
1615 }
1616
1617 need_auth = 0;
1618 need_conf = 0;
1619 need_icv = 0;
1620
1621 for (isr = sp->req; isr != NULL; isr = isr->next) {
1622
1623 /* get current level */
1624 level = ipsec_get_reqlevel(isr);
1625
1626 switch (isr->saidx.proto) {
1627 case IPPROTO_ESP:
1628 if (level == IPSEC_LEVEL_REQUIRE) {
1629 need_conf++;
1630
1631 if (isr->sav != NULL
1632 && isr->sav->flags == SADB_X_EXT_NONE
1633 && isr->sav->alg_auth != SADB_AALG_NONE)
1634 need_icv++;
1635 }
1636 break;
1637 case IPPROTO_AH:
1638 if (level == IPSEC_LEVEL_REQUIRE) {
1639 need_auth++;
1640 need_icv++;
1641 }
1642 break;
1643 case IPPROTO_IPCOMP:
1644 /*
1645 * we don't really care, as IPcomp document says that
1646 * we shouldn't compress small packets
1647 */
1648 break;
1649 }
1650 }
1651
1652 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1653 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1654 need_auth, need_conf, need_icv, m->m_flags));
1655
1656 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1657 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1658 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1659 return 1;
1660
1661 return 0;
1662 }
1663
1664 /*
1665 * Check AH/ESP integrity.
1666 * This function is called from tcp_input(), udp_input(),
1667 * and {ah,esp}4_input for tunnel mode
1668 */
1669 int
1670 ipsec4_in_reject_so(m, so)
1671 struct mbuf *m;
1672 struct socket *so;
1673 {
1674 struct secpolicy *sp = NULL;
1675 int error;
1676 int result;
1677
1678 /* sanity check */
1679 if (m == NULL)
1680 return 0; /* XXX should be panic ? */
1681
1682 /* get SP for this packet.
1683 * When we are called from ip_forward(), we call
1684 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1685 */
1686 if (so == NULL)
1687 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1688 else
1689 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1690
1691 if (sp == NULL)
1692 return 0; /* XXX should be panic ?
1693 * -> No, there may be error. */
1694
1695 result = ipsec_in_reject(sp, m);
1696 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1697 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1698 key_freesp(sp);
1699
1700 return result;
1701 }
1702
1703 int
1704 ipsec4_in_reject(m, inp)
1705 struct mbuf *m;
1706 struct inpcb *inp;
1707 {
1708 if (inp == NULL)
1709 return ipsec4_in_reject_so(m, NULL);
1710 else {
1711 if (inp->inp_socket)
1712 return ipsec4_in_reject_so(m, inp->inp_socket);
1713 else
1714 panic("ipsec4_in_reject: invalid inpcb/socket");
1715 }
1716 }
1717
1718 #if INET6
1719 /*
1720 * Check AH/ESP integrity.
1721 * This function is called from tcp6_input(), udp6_input(),
1722 * and {ah,esp}6_input for tunnel mode
1723 */
1724 int
1725 ipsec6_in_reject_so(m, so)
1726 struct mbuf *m;
1727 struct socket *so;
1728 {
1729 struct secpolicy *sp = NULL;
1730 int error;
1731 int result;
1732
1733 /* sanity check */
1734 if (m == NULL)
1735 return 0; /* XXX should be panic ? */
1736
1737 /* get SP for this packet.
1738 * When we are called from ip_forward(), we call
1739 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1740 */
1741 if (so == NULL)
1742 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1743 else
1744 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1745
1746 if (sp == NULL)
1747 return 0; /* XXX should be panic ? */
1748
1749 result = ipsec_in_reject(sp, m);
1750 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1751 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
1752 key_freesp(sp);
1753
1754 return result;
1755 }
1756
1757 int
1758 ipsec6_in_reject(m, in6p)
1759 struct mbuf *m;
1760 struct in6pcb *in6p;
1761 {
1762 if (in6p == NULL)
1763 return ipsec6_in_reject_so(m, NULL);
1764 else {
1765 if (in6p->in6p_socket)
1766 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1767 else
1768 panic("ipsec6_in_reject: invalid in6p/socket");
1769 }
1770 }
1771 #endif
1772
1773 /*
1774 * compute the byte size to be occupied by IPsec header.
1775 * in case it is tunneled, it includes the size of outer IP header.
1776 * NOTE: SP passed is free in this function.
1777 */
1778 static size_t
1779 ipsec_hdrsiz(sp)
1780 struct secpolicy *sp;
1781 {
1782 struct ipsecrequest *isr;
1783 size_t siz, clen;
1784
1785 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1786 printf("ipsec_in_reject: using SP\n");
1787 kdebug_secpolicy(sp));
1788
1789 /* check policy */
1790 switch (sp->policy) {
1791 case IPSEC_POLICY_DISCARD:
1792 case IPSEC_POLICY_BYPASS:
1793 case IPSEC_POLICY_NONE:
1794 return 0;
1795
1796 case IPSEC_POLICY_IPSEC:
1797 break;
1798
1799 case IPSEC_POLICY_ENTRUST:
1800 default:
1801 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
1802 }
1803
1804 siz = 0;
1805
1806 for (isr = sp->req; isr != NULL; isr = isr->next) {
1807
1808 clen = 0;
1809
1810 switch (isr->saidx.proto) {
1811 case IPPROTO_ESP:
1812 #if IPSEC_ESP
1813 clen = esp_hdrsiz(isr);
1814 #else
1815 clen = 0; /*XXX*/
1816 #endif
1817 break;
1818 case IPPROTO_AH:
1819 clen = ah_hdrsiz(isr);
1820 break;
1821 case IPPROTO_IPCOMP:
1822 clen = sizeof(struct ipcomp);
1823 break;
1824 }
1825
1826 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1827 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1828 case AF_INET:
1829 clen += sizeof(struct ip);
1830 break;
1831 #if INET6
1832 case AF_INET6:
1833 clen += sizeof(struct ip6_hdr);
1834 break;
1835 #endif
1836 default:
1837 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1838 "unknown AF %d in IPsec tunnel SA\n",
1839 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1840 break;
1841 }
1842 }
1843 siz += clen;
1844 }
1845
1846 return siz;
1847 }
1848
1849 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1850 size_t
1851 ipsec4_hdrsiz(m, dir, inp)
1852 struct mbuf *m;
1853 u_int dir;
1854 struct inpcb *inp;
1855 {
1856 struct secpolicy *sp = NULL;
1857 int error;
1858 size_t size;
1859
1860 /* sanity check */
1861 if (m == NULL)
1862 return 0; /* XXX should be panic ? */
1863 if (inp != NULL && inp->inp_socket == NULL)
1864 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1865
1866 /* get SP for this packet.
1867 * When we are called from ip_forward(), we call
1868 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1869 */
1870 if (inp == NULL)
1871 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1872 else
1873 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
1874
1875 if (sp == NULL)
1876 return 0; /* XXX should be panic ? */
1877
1878 size = ipsec_hdrsiz(sp);
1879 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1880 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
1881 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1882 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
1883 key_freesp(sp);
1884
1885 return size;
1886 }
1887
1888 #if INET6
1889 /* This function is called from ipsec6_hdrsize_tcp(),
1890 * and maybe from ip6_forward.()
1891 */
1892 size_t
1893 ipsec6_hdrsiz(m, dir, in6p)
1894 struct mbuf *m;
1895 u_int dir;
1896 struct in6pcb *in6p;
1897 {
1898 struct secpolicy *sp = NULL;
1899 int error;
1900 size_t size;
1901
1902 /* sanity check */
1903 if (m == NULL)
1904 return 0; /* XXX shoud be panic ? */
1905 if (in6p != NULL && in6p->in6p_socket == NULL)
1906 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
1907
1908 /* get SP for this packet */
1909 /* XXX Is it right to call with IP_FORWARDING. */
1910 if (in6p == NULL)
1911 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1912 else
1913 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
1914
1915 if (sp == NULL)
1916 return 0;
1917 size = ipsec_hdrsiz(sp);
1918 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1919 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
1920 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1921 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
1922 key_freesp(sp);
1923
1924 return size;
1925 }
1926 #endif /*INET6*/
1927
1928 #if INET
1929 /*
1930 * encapsulate for ipsec tunnel.
1931 * ip->ip_src must be fixed later on.
1932 */
1933 static int
1934 ipsec4_encapsulate(m, sav)
1935 struct mbuf *m;
1936 struct secasvar *sav;
1937 {
1938 struct ip *oip;
1939 struct ip *ip;
1940 size_t hlen;
1941 size_t plen;
1942
1943 /* can't tunnel between different AFs */
1944 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
1945 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
1946 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
1947 m_freem(m);
1948 return EINVAL;
1949 }
1950 #if 0
1951 /* XXX if the dst is myself, perform nothing. */
1952 if (key_ismyaddr(AF_INET, _INADDRBYSA(&sav->sah->saidx.dst))) {
1953 m_freem(m);
1954 return EINVAL;
1955 }
1956 #endif
1957
1958 if (m->m_len < sizeof(*ip))
1959 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1960
1961 ip = mtod(m, struct ip *);
1962 #ifdef _IP_VHL
1963 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
1964 #else
1965 hlen = ip->ip_hl << 2;
1966 #endif
1967
1968 if (m->m_len != hlen)
1969 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1970
1971 /* generate header checksum */
1972 ip->ip_sum = 0;
1973 #ifdef _IP_VHL
1974 ip->ip_sum = in_cksum(m, hlen);
1975 #else
1976 ip->ip_sum = in_cksum(m, hlen);
1977 #endif
1978
1979 plen = m->m_pkthdr.len;
1980
1981 /*
1982 * grow the mbuf to accomodate the new IPv4 header.
1983 * NOTE: IPv4 options will never be copied.
1984 */
1985 if (M_LEADINGSPACE(m->m_next) < hlen) {
1986 struct mbuf *n;
1987 MGET(n, M_DONTWAIT, MT_DATA);
1988 if (!n) {
1989 m_freem(m);
1990 return ENOBUFS;
1991 }
1992 n->m_len = hlen;
1993 n->m_next = m->m_next;
1994 m->m_next = n;
1995 m->m_pkthdr.len += hlen;
1996 oip = mtod(n, struct ip *);
1997 } else {
1998 m->m_next->m_len += hlen;
1999 m->m_next->m_data -= hlen;
2000 m->m_pkthdr.len += hlen;
2001 oip = mtod(m->m_next, struct ip *);
2002 }
2003 ip = mtod(m, struct ip *);
2004 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2005 m->m_len = sizeof(struct ip);
2006 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2007
2008 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2009 /* ECN consideration. */
2010 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2011 #ifdef _IP_VHL
2012 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2013 #else
2014 ip->ip_hl = sizeof(struct ip) >> 2;
2015 #endif
2016 ip->ip_off &= htons(~IP_OFFMASK);
2017 ip->ip_off &= htons(~IP_MF);
2018 switch (ip4_ipsec_dfbit) {
2019 case 0: /*clear DF bit*/
2020 ip->ip_off &= htons(~IP_DF);
2021 break;
2022 case 1: /*set DF bit*/
2023 ip->ip_off |= htons(IP_DF);
2024 break;
2025 default: /*copy DF bit*/
2026 break;
2027 }
2028 ip->ip_p = IPPROTO_IPIP;
2029 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2030 ip->ip_len = htons(plen + sizeof(struct ip));
2031 else {
2032 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2033 "leave ip_len as is (invalid packet)\n"));
2034 }
2035 ip->ip_id = htons(ip_id++);
2036 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2037 &ip->ip_src, sizeof(ip->ip_src));
2038 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2039 &ip->ip_dst, sizeof(ip->ip_dst));
2040
2041 /* XXX Should ip_src be updated later ? */
2042
2043 return 0;
2044 }
2045 #endif /*INET*/
2046
2047 #if INET6
2048 static int
2049 ipsec6_encapsulate(m, sav)
2050 struct mbuf *m;
2051 struct secasvar *sav;
2052 {
2053 struct ip6_hdr *oip6;
2054 struct ip6_hdr *ip6;
2055 size_t plen;
2056
2057 /* can't tunnel between different AFs */
2058 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2059 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2060 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2061 m_freem(m);
2062 return EINVAL;
2063 }
2064 #if 0
2065 /* XXX if the dst is myself, perform nothing. */
2066 if (key_ismyaddr(AF_INET6, _INADDRBYSA(&sav->sah->saidx.dst))) {
2067 m_freem(m);
2068 return EINVAL;
2069 }
2070 #endif
2071
2072 plen = m->m_pkthdr.len;
2073
2074 /*
2075 * grow the mbuf to accomodate the new IPv6 header.
2076 */
2077 if (m->m_len != sizeof(struct ip6_hdr))
2078 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2079 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2080 struct mbuf *n;
2081 MGET(n, M_DONTWAIT, MT_DATA);
2082 if (!n) {
2083 m_freem(m);
2084 return ENOBUFS;
2085 }
2086 n->m_len = sizeof(struct ip6_hdr);
2087 n->m_next = m->m_next;
2088 m->m_next = n;
2089 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2090 oip6 = mtod(n, struct ip6_hdr *);
2091 } else {
2092 m->m_next->m_len += sizeof(struct ip6_hdr);
2093 m->m_next->m_data -= sizeof(struct ip6_hdr);
2094 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2095 oip6 = mtod(m->m_next, struct ip6_hdr *);
2096 }
2097 ip6 = mtod(m, struct ip6_hdr *);
2098 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2099
2100 /* Fake link-local scope-class addresses */
2101 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
2102 oip6->ip6_src.s6_addr16[1] = 0;
2103 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
2104 oip6->ip6_dst.s6_addr16[1] = 0;
2105
2106 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2107 /* ECN consideration. */
2108 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2109 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2110 ip6->ip6_plen = htons(plen);
2111 else {
2112 /* ip6->ip6_plen will be updated in ip6_output() */
2113 }
2114 ip6->ip6_nxt = IPPROTO_IPV6;
2115 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2116 &ip6->ip6_src, sizeof(ip6->ip6_src));
2117 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2118 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2119
2120 /* XXX Should ip6_src be updated later ? */
2121
2122 return 0;
2123 }
2124 #endif /*INET6*/
2125
2126 /*
2127 * Check the variable replay window.
2128 * ipsec_chkreplay() performs replay check before ICV verification.
2129 * ipsec_updatereplay() updates replay bitmap. This must be called after
2130 * ICV verification (it also performs replay check, which is usually done
2131 * beforehand).
2132 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2133 *
2134 * based on RFC 2401.
2135 */
2136 int
2137 ipsec_chkreplay(seq, sav)
2138 u_int32_t seq;
2139 struct secasvar *sav;
2140 {
2141 const struct secreplay *replay;
2142 u_int32_t diff;
2143 int fr;
2144 u_int32_t wsizeb; /* constant: bits of window size */
2145 int frlast; /* constant: last frame */
2146
2147 /* sanity check */
2148 if (sav == NULL)
2149 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2150
2151 replay = sav->replay;
2152
2153 if (replay->wsize == 0)
2154 return 1; /* no need to check replay. */
2155
2156 /* constant */
2157 frlast = replay->wsize - 1;
2158 wsizeb = replay->wsize << 3;
2159
2160 /* sequence number of 0 is invalid */
2161 if (seq == 0)
2162 return 0;
2163
2164 /* first time is always okay */
2165 if (replay->count == 0)
2166 return 1;
2167
2168 if (seq > replay->lastseq) {
2169 /* larger sequences are okay */
2170 return 1;
2171 } else {
2172 /* seq is equal or less than lastseq. */
2173 diff = replay->lastseq - seq;
2174
2175 /* over range to check, i.e. too old or wrapped */
2176 if (diff >= wsizeb)
2177 return 0;
2178
2179 fr = frlast - diff / 8;
2180
2181 /* this packet already seen ? */
2182 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2183 return 0;
2184
2185 /* out of order but good */
2186 return 1;
2187 }
2188 }
2189
2190 /*
2191 * check replay counter whether to update or not.
2192 * OUT: 0: OK
2193 * 1: NG
2194 */
2195 int
2196 ipsec_updatereplay(seq, sav)
2197 u_int32_t seq;
2198 struct secasvar *sav;
2199 {
2200 struct secreplay *replay;
2201 u_int32_t diff;
2202 int fr;
2203 u_int32_t wsizeb; /* constant: bits of window size */
2204 int frlast; /* constant: last frame */
2205
2206 /* sanity check */
2207 if (sav == NULL)
2208 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2209
2210 replay = sav->replay;
2211
2212 if (replay->wsize == 0)
2213 goto ok; /* no need to check replay. */
2214
2215 /* constant */
2216 frlast = replay->wsize - 1;
2217 wsizeb = replay->wsize << 3;
2218
2219 /* sequence number of 0 is invalid */
2220 if (seq == 0)
2221 return 1;
2222
2223 /* first time */
2224 if (replay->count == 0) {
2225 replay->lastseq = seq;
2226 bzero(replay->bitmap, replay->wsize);
2227 (replay->bitmap)[frlast] = 1;
2228 goto ok;
2229 }
2230
2231 if (seq > replay->lastseq) {
2232 /* seq is larger than lastseq. */
2233 diff = seq - replay->lastseq;
2234
2235 /* new larger sequence number */
2236 if (diff < wsizeb) {
2237 /* In window */
2238 /* set bit for this packet */
2239 vshiftl(replay->bitmap, diff, replay->wsize);
2240 (replay->bitmap)[frlast] |= 1;
2241 } else {
2242 /* this packet has a "way larger" */
2243 bzero(replay->bitmap, replay->wsize);
2244 (replay->bitmap)[frlast] = 1;
2245 }
2246 replay->lastseq = seq;
2247
2248 /* larger is good */
2249 } else {
2250 /* seq is equal or less than lastseq. */
2251 diff = replay->lastseq - seq;
2252
2253 /* over range to check, i.e. too old or wrapped */
2254 if (diff >= wsizeb)
2255 return 1;
2256
2257 fr = frlast - diff / 8;
2258
2259 /* this packet already seen ? */
2260 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2261 return 1;
2262
2263 /* mark as seen */
2264 (replay->bitmap)[fr] |= (1 << (diff % 8));
2265
2266 /* out of order but good */
2267 }
2268
2269 ok:
2270 if (replay->count == ~0) {
2271
2272 /* set overflow flag */
2273 replay->overflow++;
2274
2275 /* don't increment, no more packets accepted */
2276 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2277 return 1;
2278
2279 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2280 replay->overflow, ipsec_logsastr(sav)));
2281 }
2282
2283 replay->count++;
2284
2285 return 0;
2286 }
2287
2288 /*
2289 * shift variable length bunffer to left.
2290 * IN: bitmap: pointer to the buffer
2291 * nbit: the number of to shift.
2292 * wsize: buffer size (bytes).
2293 */
2294 static void
2295 vshiftl(bitmap, nbit, wsize)
2296 unsigned char *bitmap;
2297 int nbit, wsize;
2298 {
2299 int s, j, i;
2300 unsigned char over;
2301
2302 for (j = 0; j < nbit; j += 8) {
2303 s = (nbit - j < 8) ? (nbit - j): 8;
2304 bitmap[0] <<= s;
2305 for (i = 1; i < wsize; i++) {
2306 over = (bitmap[i] >> (8 - s));
2307 bitmap[i] <<= s;
2308 bitmap[i-1] |= over;
2309 }
2310 }
2311
2312 return;
2313 }
2314
2315 const char *
2316 ipsec4_logpacketstr(ip, spi)
2317 struct ip *ip;
2318 u_int32_t spi;
2319 {
2320 static char buf[256];
2321 char *p;
2322 u_int8_t *s, *d;
2323
2324 s = (u_int8_t *)(&ip->ip_src);
2325 d = (u_int8_t *)(&ip->ip_dst);
2326
2327 p = buf;
2328 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2329 while (p && *p)
2330 p++;
2331 snprintf(p, sizeof(buf) - (p - buf), "src=%d.%d.%d.%d",
2332 s[0], s[1], s[2], s[3]);
2333 while (p && *p)
2334 p++;
2335 snprintf(p, sizeof(buf) - (p - buf), " dst=%d.%d.%d.%d",
2336 d[0], d[1], d[2], d[3]);
2337 while (p && *p)
2338 p++;
2339 snprintf(p, sizeof(buf) - (p - buf), ")");
2340
2341 return buf;
2342 }
2343
2344 #if INET6
2345 const char *
2346 ipsec6_logpacketstr(ip6, spi)
2347 struct ip6_hdr *ip6;
2348 u_int32_t spi;
2349 {
2350 static char buf[256];
2351 char *p;
2352
2353 p = buf;
2354 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2355 while (p && *p)
2356 p++;
2357 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2358 ip6_sprintf(&ip6->ip6_src));
2359 while (p && *p)
2360 p++;
2361 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2362 ip6_sprintf(&ip6->ip6_dst));
2363 while (p && *p)
2364 p++;
2365 snprintf(p, sizeof(buf) - (p - buf), ")");
2366
2367 return buf;
2368 }
2369 #endif /*INET6*/
2370
2371 const char *
2372 ipsec_logsastr(sav)
2373 struct secasvar *sav;
2374 {
2375 static char buf[256];
2376 char *p;
2377 struct secasindex *saidx = &sav->sah->saidx;
2378
2379 /* validity check */
2380 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2381 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2382 panic("ipsec_logsastr: family mismatched.\n");
2383
2384 p = buf;
2385 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2386 while (p && *p)
2387 p++;
2388 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2389 u_int8_t *s, *d;
2390 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2391 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2392 snprintf(p, sizeof(buf) - (p - buf),
2393 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2394 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2395 }
2396 #if INET6
2397 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2398 snprintf(p, sizeof(buf) - (p - buf),
2399 "src=%s",
2400 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2401 while (p && *p)
2402 p++;
2403 snprintf(p, sizeof(buf) - (p - buf),
2404 " dst=%s",
2405 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2406 }
2407 #endif
2408 while (p && *p)
2409 p++;
2410 snprintf(p, sizeof(buf) - (p - buf), ")");
2411
2412 return buf;
2413 }
2414
2415 void
2416 ipsec_dumpmbuf(m)
2417 struct mbuf *m;
2418 {
2419 int totlen;
2420 int i;
2421 u_char *p;
2422
2423 totlen = 0;
2424 printf("---\n");
2425 while (m) {
2426 p = mtod(m, u_char *);
2427 for (i = 0; i < m->m_len; i++) {
2428 printf("%02x ", p[i]);
2429 totlen++;
2430 if (totlen % 16 == 0)
2431 printf("\n");
2432 }
2433 m = m->m_next;
2434 }
2435 if (totlen % 16 != 0)
2436 printf("\n");
2437 printf("---\n");
2438 }
2439
2440 /*
2441 * IPsec output logic for IPv4.
2442 */
2443 int
2444 ipsec4_output(state, sp, flags)
2445 struct ipsec_output_state *state;
2446 struct secpolicy *sp;
2447 int flags;
2448 {
2449 struct ip *ip = NULL;
2450 struct ipsecrequest *isr = NULL;
2451 struct secasindex saidx;
2452 int s;
2453 int error;
2454 #if IPSEC_SRCSEL
2455 struct in_ifaddr *ia;
2456 #endif
2457 struct sockaddr_in *dst4;
2458 struct sockaddr *sa;
2459
2460 if (!state)
2461 panic("state == NULL in ipsec4_output");
2462 if (!state->m)
2463 panic("state->m == NULL in ipsec4_output");
2464 if (!state->ro)
2465 panic("state->ro == NULL in ipsec4_output");
2466 if (!state->dst)
2467 panic("state->dst == NULL in ipsec4_output");
2468
2469 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2470 printf("ipsec4_output: applyed SP\n");
2471 kdebug_secpolicy(sp));
2472
2473 for (isr = sp->req; isr != NULL; isr = isr->next) {
2474
2475 #if 0 /* give up to check restriction of transport mode */
2476 /* XXX but should be checked somewhere */
2477 /*
2478 * some of the IPsec operation must be performed only in
2479 * originating case.
2480 */
2481 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2482 && (flags & IP_FORWARDING))
2483 continue;
2484 #endif
2485
2486 /* make SA index for search proper SA */
2487 ip = mtod(state->m, struct ip *);
2488 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2489 sa = (struct sockaddr *)&saidx.src;
2490 if (sa->sa_len == 0) {
2491 sa->sa_len = _SALENBYAF(AF_INET);
2492 sa->sa_family = AF_INET;
2493 _INPORTBYSA(&saidx.src) = IPSEC_PORT_ANY;
2494 bcopy(&ip->ip_src, _INADDRBYSA(&saidx.src),
2495 sizeof(ip->ip_src));
2496 }
2497 sa = (struct sockaddr *)&saidx.dst;
2498 if (sa->sa_len == 0) {
2499 sa->sa_len = _SALENBYAF(AF_INET);
2500 sa->sa_family = AF_INET;
2501 _INPORTBYSA(&saidx.dst) = IPSEC_PORT_ANY;
2502 bcopy(&ip->ip_dst, _INADDRBYSA(&saidx.dst),
2503 sizeof(ip->ip_dst));
2504 }
2505
2506 if ((error = key_checkrequest(isr, &saidx)) != 0) {
2507 /*
2508 * IPsec processing is required, but no SA found.
2509 * I assume that key_acquire() had been called
2510 * to get/establish the SA. Here I discard
2511 * this packet because it is responsibility for
2512 * upper layer to retransmit the packet.
2513 */
2514 ipsecstat.out_nosa++;
2515 goto bad;
2516 }
2517
2518 /* validity check */
2519 if (isr->sav == NULL) {
2520 switch (ipsec_get_reqlevel(isr)) {
2521 case IPSEC_LEVEL_USE:
2522 continue;
2523 case IPSEC_LEVEL_REQUIRE:
2524 /* must be not reached here. */
2525 panic("ipsec4_output: no SA found, but required.");
2526 }
2527 }
2528
2529 /*
2530 * If there is no valid SA, we give up to process any
2531 * more. In such a case, the SA's status is changed
2532 * from DYING to DEAD after allocating. If a packet
2533 * send to the receiver by dead SA, the receiver can
2534 * not decode a packet because SA has been dead.
2535 */
2536 if (isr->sav->state != SADB_SASTATE_MATURE
2537 && isr->sav->state != SADB_SASTATE_DYING) {
2538 ipsecstat.out_nosa++;
2539 error = EINVAL;
2540 goto bad;
2541 }
2542
2543 /*
2544 * There may be the case that SA status will be changed when
2545 * we are refering to one. So calling splsoftnet().
2546 */
2547 #if __NetBSD__
2548 s = splsoftnet();
2549 #else
2550 s = splnet();
2551 #endif
2552
2553 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2554 /*
2555 * build IPsec tunnel.
2556 */
2557 /* XXX should be processed with other familiy */
2558 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2559 ipseclog((LOG_ERR, "ipsec4_output: "
2560 "family mismatched between inner and outer spi=%u\n",
2561 (u_int32_t)ntohl(isr->sav->spi)));
2562 splx(s);
2563 error = EAFNOSUPPORT;
2564 goto bad;
2565 }
2566
2567 ip = mtod(state->m, struct ip *);
2568
2569 state->m = ipsec4_splithdr(state->m);
2570 if (!state->m) {
2571 splx(s);
2572 error = ENOMEM;
2573 goto bad;
2574 }
2575 error = ipsec4_encapsulate(state->m, isr->sav);
2576 splx(s);
2577 if (error) {
2578 state->m = NULL;
2579 goto bad;
2580 }
2581 ip = mtod(state->m, struct ip *);
2582
2583 state->ro = &isr->sav->sah->sa_route;
2584 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2585 dst4 = (struct sockaddr_in *)state->dst;
2586 if (state->ro->ro_rt
2587 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2588 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2589 RTFREE(state->ro->ro_rt);
2590 bzero((caddr_t)state->ro, sizeof (*state->ro));
2591 }
2592 if (state->ro->ro_rt == 0) {
2593 dst4->sin_family = AF_INET;
2594 dst4->sin_len = sizeof(*dst4);
2595 dst4->sin_addr = ip->ip_dst;
2596 rtalloc(state->ro);
2597 }
2598 if (state->ro->ro_rt == 0) {
2599 ipstat.ips_noroute++;
2600 error = EHOSTUNREACH;
2601 goto bad;
2602 }
2603
2604 #if IPSEC_SRCSEL
2605 /*
2606 * Which address in SA or in routing table should I
2607 * select from ? But I had set from SA at
2608 * ipsec4_encapsulate().
2609 */
2610 ia = (struct in_ifaddr *)(state->ro->ro_rt->rt_ifa);
2611 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2612 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2613 dst4 = (struct sockaddr_in *)state->dst;
2614 }
2615 ip->ip_src = IA_SIN(ia)->sin_addr;
2616 #endif
2617 } else
2618 splx(s);
2619
2620 state->m = ipsec4_splithdr(state->m);
2621 if (!state->m) {
2622 error = ENOMEM;
2623 goto bad;
2624 }
2625 switch (isr->saidx.proto) {
2626 case IPPROTO_ESP:
2627 #if IPSEC_ESP
2628 if ((error = esp4_output(state->m, isr)) != 0) {
2629 state->m = NULL;
2630 goto bad;
2631 }
2632 break;
2633 #else
2634 m_freem(state->m);
2635 state->m = NULL;
2636 error = EINVAL;
2637 goto bad;
2638 #endif
2639 case IPPROTO_AH:
2640 if ((error = ah4_output(state->m, isr)) != 0) {
2641 state->m = NULL;
2642 goto bad;
2643 }
2644 break;
2645 case IPPROTO_IPCOMP:
2646 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2647 state->m = NULL;
2648 goto bad;
2649 }
2650 break;
2651 default:
2652 ipseclog((LOG_ERR,
2653 "ipsec4_output: unknown ipsec protocol %d\n",
2654 isr->saidx.proto));
2655 m_freem(state->m);
2656 state->m = NULL;
2657 error = EINVAL;
2658 goto bad;
2659 }
2660
2661 if (state->m == 0) {
2662 error = ENOMEM;
2663 goto bad;
2664 }
2665 ip = mtod(state->m, struct ip *);
2666 }
2667
2668 return 0;
2669
2670 bad:
2671 m_freem(state->m);
2672 state->m = NULL;
2673 return error;
2674 }
2675
2676 #if INET6
2677 /*
2678 * IPsec output logic for IPv6, transport mode.
2679 */
2680 int
2681 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
2682 struct ipsec_output_state *state;
2683 u_char *nexthdrp;
2684 struct mbuf *mprev;
2685 struct secpolicy *sp;
2686 int flags;
2687 int *tun;
2688 {
2689 struct ip6_hdr *ip6;
2690 struct ipsecrequest *isr = NULL;
2691 struct secasindex saidx;
2692 int error = 0;
2693 int plen;
2694 struct sockaddr *sa;
2695
2696 if (!state)
2697 panic("state == NULL in ipsec6_output");
2698 if (!state->m)
2699 panic("state->m == NULL in ipsec6_output");
2700 if (!nexthdrp)
2701 panic("nexthdrp == NULL in ipsec6_output");
2702 if (!mprev)
2703 panic("mprev == NULL in ipsec6_output");
2704 if (!sp)
2705 panic("sp == NULL in ipsec6_output");
2706 if (!tun)
2707 panic("tun == NULL in ipsec6_output");
2708
2709 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2710 printf("ipsec6_output_trans: applyed SP\n");
2711 kdebug_secpolicy(sp));
2712
2713 *tun = 0;
2714 for (isr = sp->req; isr; isr = isr->next) {
2715 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2716 /* the rest will be handled by ipsec6_output_tunnel() */
2717 break;
2718 }
2719
2720 /* make SA index for search proper SA */
2721 ip6 = mtod(state->m, struct ip6_hdr *);
2722 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2723 sa = (struct sockaddr *)&saidx.src;
2724 if (sa->sa_len == 0) {
2725 sa->sa_len = _SALENBYAF(AF_INET6);
2726 sa->sa_family = AF_INET6;
2727 _INPORTBYSA(&saidx.src) = IPSEC_PORT_ANY;
2728 bcopy(&ip6->ip6_src, _INADDRBYSA(&saidx.src),
2729 sizeof(ip6->ip6_src));
2730 }
2731 sa = (struct sockaddr *)&saidx.dst;
2732 if (sa->sa_len == 0) {
2733 sa->sa_len = _SALENBYAF(AF_INET6);
2734 sa->sa_family = AF_INET6;
2735 _INPORTBYSA(&saidx.dst) = IPSEC_PORT_ANY;
2736 bcopy(&ip6->ip6_dst, _INADDRBYSA(&saidx.dst),
2737 sizeof(ip6->ip6_dst));
2738 }
2739
2740 if (key_checkrequest(isr, &saidx) == ENOENT) {
2741 /*
2742 * IPsec processing is required, but no SA found.
2743 * I assume that key_acquire() had been called
2744 * to get/establish the SA. Here I discard
2745 * this packet because it is responsibility for
2746 * upper layer to retransmit the packet.
2747 */
2748 ipsec6stat.out_nosa++;
2749 error = ENOENT;
2750 goto bad;
2751 }
2752
2753 /* validity check */
2754 if (isr->sav == NULL) {
2755 switch (ipsec_get_reqlevel(isr)) {
2756 case IPSEC_LEVEL_USE:
2757 continue;
2758 case IPSEC_LEVEL_REQUIRE:
2759 /* must be not reached here. */
2760 panic("ipsec6_output_trans: no SA found, but required.");
2761 }
2762 }
2763
2764 /*
2765 * If there is no valid SA, we give up to process.
2766 * see same place at ipsec4_output().
2767 */
2768 if (isr->sav->state != SADB_SASTATE_MATURE
2769 && isr->sav->state != SADB_SASTATE_DYING) {
2770 ipsec6stat.out_nosa++;
2771 error = EINVAL;
2772 goto bad;
2773 }
2774
2775 switch (isr->saidx.proto) {
2776 case IPPROTO_ESP:
2777 #if IPSEC_ESP
2778 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2779 #else
2780 m_freem(state->m);
2781 error = EINVAL;
2782 #endif
2783 break;
2784 case IPPROTO_AH:
2785 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2786 break;
2787 case IPPROTO_IPCOMP:
2788 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2789 break;
2790 default:
2791 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2792 "unknown ipsec protocol %d\n", isr->saidx.proto));
2793 m_freem(state->m);
2794 ipsec6stat.out_inval++;
2795 error = EINVAL;
2796 break;
2797 }
2798 if (error) {
2799 state->m = NULL;
2800 goto bad;
2801 }
2802 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2803 if (plen > IPV6_MAXPACKET) {
2804 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2805 "IPsec with IPv6 jumbogram is not supported\n"));
2806 ipsec6stat.out_inval++;
2807 error = EINVAL; /*XXX*/
2808 goto bad;
2809 }
2810 ip6 = mtod(state->m, struct ip6_hdr *);
2811 ip6->ip6_plen = htons(plen);
2812 }
2813
2814 /* if we have more to go, we need a tunnel mode processing */
2815 if (isr != NULL)
2816 *tun = 1;
2817
2818 return 0;
2819
2820 bad:
2821 m_freem(state->m);
2822 state->m = NULL;
2823 return error;
2824 }
2825
2826 /*
2827 * IPsec output logic for IPv6, tunnel mode.
2828 */
2829 int
2830 ipsec6_output_tunnel(state, sp, flags)
2831 struct ipsec_output_state *state;
2832 struct secpolicy *sp;
2833 int flags;
2834 {
2835 struct ip6_hdr *ip6;
2836 struct ipsecrequest *isr = NULL;
2837 struct secasindex saidx;
2838 int error = 0;
2839 int plen;
2840 #if IPSEC_SRCSEL
2841 struct in6_addr *ia6;
2842 #endif
2843 struct sockaddr_in6* dst6;
2844 int s;
2845
2846 if (!state)
2847 panic("state == NULL in ipsec6_output");
2848 if (!state->m)
2849 panic("state->m == NULL in ipsec6_output");
2850 if (!sp)
2851 panic("sp == NULL in ipsec6_output");
2852
2853 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2854 printf("ipsec6_output_tunnel: applyed SP\n");
2855 kdebug_secpolicy(sp));
2856
2857 /*
2858 * transport mode ipsec (before the 1st tunnel mode) is already
2859 * processed by ipsec6_output_trans().
2860 */
2861 for (isr = sp->req; isr; isr = isr->next) {
2862 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
2863 break;
2864 }
2865
2866 for (/*already initialized*/; isr; isr = isr->next) {
2867 /* When tunnel mode, SA peers must be specified. */
2868 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2869 if (key_checkrequest(isr, &saidx) == ENOENT) {
2870 /*
2871 * IPsec processing is required, but no SA found.
2872 * I assume that key_acquire() had been called
2873 * to get/establish the SA. Here I discard
2874 * this packet because it is responsibility for
2875 * upper layer to retransmit the packet.
2876 */
2877 ipsec6stat.out_nosa++;
2878 error = ENOENT;
2879 goto bad;
2880 }
2881
2882 /* validity check */
2883 if (isr->sav == NULL) {
2884 switch (ipsec_get_reqlevel(isr)) {
2885 case IPSEC_LEVEL_USE:
2886 continue;
2887 case IPSEC_LEVEL_REQUIRE:
2888 /* must be not reached here. */
2889 panic("ipsec6_output_tunnel: no SA found, but required.");
2890 }
2891 }
2892
2893 /*
2894 * If there is no valid SA, we give up to process.
2895 * see same place at ipsec4_output().
2896 */
2897 if (isr->sav->state != SADB_SASTATE_MATURE
2898 && isr->sav->state != SADB_SASTATE_DYING) {
2899 ipsec6stat.out_nosa++;
2900 error = EINVAL;
2901 goto bad;
2902 }
2903
2904 /*
2905 * There may be the case that SA status will be changed when
2906 * we are refering to one. So calling splsoftnet().
2907 */
2908 #if __NetBSD__
2909 s = splsoftnet();
2910 #else
2911 s = splnet();
2912 #endif
2913
2914 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2915 /*
2916 * build IPsec tunnel.
2917 */
2918 /* XXX should be processed with other familiy */
2919 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
2920 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2921 "family mismatched between inner and outer, spi=%u\n",
2922 (u_int32_t)ntohl(isr->sav->spi)));
2923 splx(s);
2924 ipsec6stat.out_inval++;
2925 error = EAFNOSUPPORT;
2926 goto bad;
2927 }
2928
2929 ip6 = mtod(state->m, struct ip6_hdr *);
2930
2931 state->m = ipsec6_splithdr(state->m);
2932 if (!state->m) {
2933 splx(s);
2934 ipsec6stat.out_nomem++;
2935 error = ENOMEM;
2936 goto bad;
2937 }
2938 error = ipsec6_encapsulate(state->m, isr->sav);
2939 splx(s);
2940 if (error) {
2941 state->m = 0;
2942 goto bad;
2943 }
2944 ip6 = mtod(state->m, struct ip6_hdr *);
2945
2946 state->ro = &isr->sav->sah->sa_route;
2947 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2948 dst6 = (struct sockaddr_in6 *)state->dst;
2949 if (state->ro->ro_rt
2950 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2951 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
2952 RTFREE(state->ro->ro_rt);
2953 bzero((caddr_t)state->ro, sizeof (*state->ro));
2954 }
2955 if (state->ro->ro_rt == 0) {
2956 bzero(dst6, sizeof(*dst6));
2957 dst6->sin6_family = AF_INET6;
2958 dst6->sin6_len = sizeof(*dst6);
2959 dst6->sin6_addr = ip6->ip6_dst;
2960 rtalloc(state->ro);
2961 }
2962 if (state->ro->ro_rt == 0) {
2963 ip6stat.ip6s_noroute++;
2964 ipsec6stat.out_noroute++;
2965 error = EHOSTUNREACH;
2966 goto bad;
2967 }
2968 #if 0 /* XXX Is the following need ? */
2969 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2970 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2971 dst6 = (struct sockaddr_in6 *)state->dst;
2972 }
2973 #endif
2974 #if IPSEC_SRCSEL
2975 /*
2976 * Which address in SA or in routing table should I
2977 * select from ? But I had set from SA at
2978 * ipsec6_encapsulate().
2979 */
2980 ia6 = in6_selectsrc(dst6, NULL, NULL,
2981 (struct route_in6 *)state->ro,
2982 NULL, &error);
2983 if (ia6 == NULL) {
2984 ip6stat.ip6s_noroute++;
2985 ipsec6stat.out_noroute++;
2986 goto bad;
2987 }
2988 ip6->ip6_src = *ia6;
2989 #endif
2990 } else
2991 splx(s);
2992
2993 state->m = ipsec6_splithdr(state->m);
2994 if (!state->m) {
2995 ipsec6stat.out_nomem++;
2996 error = ENOMEM;
2997 goto bad;
2998 }
2999 ip6 = mtod(state->m, struct ip6_hdr *);
3000 switch (isr->saidx.proto) {
3001 case IPPROTO_ESP:
3002 #if IPSEC_ESP
3003 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
3004 #else
3005 m_freem(state->m);
3006 error = EINVAL;
3007 #endif
3008 break;
3009 case IPPROTO_AH:
3010 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
3011 break;
3012 case IPPROTO_IPCOMP:
3013 /* XXX code should be here */
3014 /*FALLTHROUGH*/
3015 default:
3016 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3017 "unknown ipsec protocol %d\n", isr->saidx.proto));
3018 m_freem(state->m);
3019 ipsec6stat.out_inval++;
3020 error = EINVAL;
3021 break;
3022 }
3023 if (error) {
3024 state->m = NULL;
3025 goto bad;
3026 }
3027 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3028 if (plen > IPV6_MAXPACKET) {
3029 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3030 "IPsec with IPv6 jumbogram is not supported\n"));
3031 ipsec6stat.out_inval++;
3032 error = EINVAL; /*XXX*/
3033 goto bad;
3034 }
3035 ip6 = mtod(state->m, struct ip6_hdr *);
3036 ip6->ip6_plen = htons(plen);
3037 }
3038
3039 return 0;
3040
3041 bad:
3042 m_freem(state->m);
3043 state->m = NULL;
3044 return error;
3045 }
3046 #endif /*INET6*/
3047
3048 /*
3049 * Chop IP header and option off from the payload.
3050 */
3051 static struct mbuf *
3052 ipsec4_splithdr(m)
3053 struct mbuf *m;
3054 {
3055 struct mbuf *mh;
3056 struct ip *ip;
3057 int hlen;
3058
3059 if (m->m_len < sizeof(struct ip))
3060 panic("ipsec4_splithdr: first mbuf too short");
3061 ip = mtod(m, struct ip *);
3062 #ifdef _IP_VHL
3063 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
3064 #else
3065 hlen = ip->ip_hl << 2;
3066 #endif
3067 if (m->m_len > hlen) {
3068 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3069 if (!mh) {
3070 m_freem(m);
3071 return NULL;
3072 }
3073 M_COPY_PKTHDR(mh, m);
3074 MH_ALIGN(mh, hlen);
3075 m->m_flags &= ~M_PKTHDR;
3076 m->m_len -= hlen;
3077 m->m_data += hlen;
3078 mh->m_next = m;
3079 m = mh;
3080 m->m_len = hlen;
3081 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3082 } else if (m->m_len < hlen) {
3083 m = m_pullup(m, hlen);
3084 if (!m)
3085 return NULL;
3086 }
3087 return m;
3088 }
3089
3090 #if INET6
3091 static struct mbuf *
3092 ipsec6_splithdr(m)
3093 struct mbuf *m;
3094 {
3095 struct mbuf *mh;
3096 struct ip6_hdr *ip6;
3097 int hlen;
3098
3099 if (m->m_len < sizeof(struct ip6_hdr))
3100 panic("ipsec6_splithdr: first mbuf too short");
3101 ip6 = mtod(m, struct ip6_hdr *);
3102 hlen = sizeof(struct ip6_hdr);
3103 if (m->m_len > hlen) {
3104 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3105 if (!mh) {
3106 m_freem(m);
3107 return NULL;
3108 }
3109 M_COPY_PKTHDR(mh, m);
3110 MH_ALIGN(mh, hlen);
3111 m->m_flags &= ~M_PKTHDR;
3112 m->m_len -= hlen;
3113 m->m_data += hlen;
3114 mh->m_next = m;
3115 m = mh;
3116 m->m_len = hlen;
3117 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3118 } else if (m->m_len < hlen) {
3119 m = m_pullup(m, hlen);
3120 if (!m)
3121 return NULL;
3122 }
3123 return m;
3124 }
3125 #endif
3126
3127 /* validate inbound IPsec tunnel packet. */
3128 int
3129 ipsec4_tunnel_validate(ip, nxt0, sav)
3130 struct ip *ip;
3131 u_int nxt0;
3132 struct secasvar *sav;
3133 {
3134 u_int8_t nxt = nxt0 & 0xff;
3135 struct sockaddr_in *sin;
3136 int hlen;
3137
3138 if (nxt != IPPROTO_IPV4)
3139 return 0;
3140 #ifdef _IP_VHL
3141 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
3142 #else
3143 hlen = ip->ip_hl << 2;
3144 #endif
3145 if (hlen != sizeof(struct ip))
3146 return 0;
3147 switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
3148 case AF_INET:
3149 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3150 if (bcmp(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)) != 0)
3151 return 0;
3152 break;
3153 #if INET6
3154 case AF_INET6:
3155 /* should be supported, but at this moment we don't. */
3156 /*FALLTHROUGH*/
3157 #endif
3158 default:
3159 return 0;
3160 }
3161
3162 return 1;
3163 }
3164
3165 #if INET6
3166 /* validate inbound IPsec tunnel packet. */
3167 int
3168 ipsec6_tunnel_validate(ip6, nxt0, sav)
3169 struct ip6_hdr *ip6;
3170 u_int nxt0;
3171 struct secasvar *sav;
3172 {
3173 u_int8_t nxt = nxt0 & 0xff;
3174 struct sockaddr_in6 *sin6;
3175
3176 if (nxt != IPPROTO_IPV6)
3177 return 0;
3178 switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
3179 case AF_INET6:
3180 sin6 = ((struct sockaddr_in6 *)&sav->sah->saidx.dst);
3181 if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &sin6->sin6_addr))
3182 return 0;
3183 break;
3184 case AF_INET:
3185 /* should be supported, but at this moment we don't. */
3186 /*FALLTHROUGH*/
3187 default:
3188 return 0;
3189 }
3190
3191 return 1;
3192 }
3193 #endif
3194
3195 /*
3196 * Make a mbuf chain for encryption.
3197 * If the original mbuf chain contains a mbuf with a cluster,
3198 * allocate a new cluster and copy the data to the new cluster.
3199 * XXX: this hack is inefficient, but is necessary to handle cases
3200 * of TCP retransmission...
3201 */
3202 struct mbuf *
3203 ipsec_copypkt(m)
3204 struct mbuf *m;
3205 {
3206 struct mbuf *n, **mpp, *mnew;
3207
3208 for (n = m, mpp = &m; n; n = n->m_next) {
3209 if (n->m_flags & M_EXT) {
3210 /*
3211 * Make a copy only if there are more than one references
3212 * to the cluster.
3213 * XXX: is this approach effective?
3214 */
3215 if (
3216 #if __bsdi__
3217 n->m_ext.ext_func ||
3218 #else
3219 n->m_ext.ext_free ||
3220 #endif
3221 #if __NetBSD__
3222 MCLISREFERENCED(n)
3223 #else
3224 mclrefcnt[mtocl(n->m_ext.ext_buf)] > 1
3225 #endif
3226 )
3227 {
3228 int remain, copied;
3229 struct mbuf *mm;
3230
3231 if (n->m_flags & M_PKTHDR) {
3232 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3233 if (mnew == NULL)
3234 goto fail;
3235 mnew->m_pkthdr = n->m_pkthdr;
3236 #if 0
3237 if (n->m_pkthdr.aux) {
3238 mnew->m_pkthdr.aux =
3239 m_copym(n->m_pkthdr.aux,
3240 0, M_COPYALL, M_DONTWAIT);
3241 }
3242 #endif
3243 M_COPY_PKTHDR(mnew, n);
3244 mnew->m_flags = n->m_flags & M_COPYFLAGS;
3245 }
3246 else {
3247 MGET(mnew, M_DONTWAIT, MT_DATA);
3248 if (mnew == NULL)
3249 goto fail;
3250 }
3251 mnew->m_len = 0;
3252 mm = mnew;
3253
3254 /*
3255 * Copy data. If we don't have enough space to
3256 * store the whole data, allocate a cluster
3257 * or additional mbufs.
3258 * XXX: we don't use m_copyback(), since the
3259 * function does not use clusters and thus is
3260 * inefficient.
3261 */
3262 remain = n->m_len;
3263 copied = 0;
3264 while(1) {
3265 int len;
3266 struct mbuf *mn;
3267
3268 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3269 len = remain;
3270 else { /* allocate a cluster */
3271 MCLGET(mm, M_DONTWAIT);
3272 if (!(mm->m_flags & M_EXT)) {
3273 m_free(mm);
3274 goto fail;
3275 }
3276 len = remain < MCLBYTES ?
3277 remain : MCLBYTES;
3278 }
3279
3280 bcopy(n->m_data + copied, mm->m_data,
3281 len);
3282
3283 copied += len;
3284 remain -= len;
3285 mm->m_len = len;
3286
3287 if (remain <= 0) /* completed? */
3288 break;
3289
3290 /* need another mbuf */
3291 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3292 if (mn == NULL)
3293 goto fail;
3294 mm->m_next = mn;
3295 mm = mn;
3296 }
3297
3298 /* adjust chain */
3299 mm->m_next = m_free(n);
3300 n = mm;
3301 *mpp = mnew;
3302 mpp = &n->m_next;
3303
3304 continue;
3305 }
3306 }
3307 *mpp = n;
3308 mpp = &n->m_next;
3309 }
3310
3311 return(m);
3312 fail:
3313 m_freem(m);
3314 return(NULL);
3315 }
3316
3317 void
3318 ipsec_setsocket(m, so)
3319 struct mbuf *m;
3320 struct socket *so;
3321 {
3322 struct mbuf *n;
3323
3324 n = m_aux_find(m, AF_INET, IPPROTO_ESP);
3325 if (so && !n)
3326 n = m_aux_add(m, AF_INET, IPPROTO_ESP);
3327 if (n) {
3328 if (so) {
3329 *mtod(n, struct socket **) = so;
3330 /*
3331 * XXX think again about it when we put decryption
3332 * histrory into aux mbuf
3333 */
3334 n->m_len = sizeof(struct socket *);
3335 } else
3336 m_aux_delete(m, n);
3337 }
3338 }
3339
3340 struct socket *
3341 ipsec_getsocket(m)
3342 struct mbuf *m;
3343 {
3344 struct mbuf *n;
3345
3346 n = m_aux_find(m, AF_INET, IPPROTO_ESP);
3347 if (n && n->m_len >= sizeof(struct socket *))
3348 return *mtod(n, struct socket **);
3349 else
3350 return NULL;
3351 }
3352
3353 #ifdef __bsdi__
3354 /*
3355 * System control for IP
3356 */
3357 u_char ipsecctlerrmap[PRC_NCMDS] = {
3358 0, 0, 0, 0,
3359 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
3360 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
3361 EMSGSIZE, EHOSTUNREACH, 0, 0,
3362 0, 0, 0, 0,
3363 ENOPROTOOPT
3364 };
3365
3366 int *ipsec_sysvars[] = IPSECCTL_VARS;
3367
3368 int
3369 ipsec_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
3370 int *name;
3371 u_int namelen;
3372 void *oldp;
3373 size_t *oldlenp;
3374 void *newp;
3375 size_t newlen;
3376 {
3377 if (name[0] >= IPSECCTL_MAXID)
3378 return (EOPNOTSUPP);
3379
3380 switch (name[0]) {
3381 case IPSECCTL_STATS:
3382 return sysctl_rdtrunc(oldp, oldlenp, newp, &ipsecstat,
3383 sizeof(ipsecstat));
3384 case IPSECCTL_DEF_POLICY:
3385 if (newp != NULL && newlen == sizeof(int)) {
3386 switch (*(int *)newp) {
3387 case IPSEC_POLICY_DISCARD:
3388 case IPSEC_POLICY_NONE:
3389 break;
3390 default:
3391 return EINVAL;
3392 }
3393 }
3394 return (sysctl_int_arr(ipsec_sysvars, name, namelen,
3395 oldp, oldlenp, newp, newlen));
3396 case IPSECCTL_DEF_ESP_TRANSLEV:
3397 case IPSECCTL_DEF_ESP_NETLEV:
3398 case IPSECCTL_DEF_AH_TRANSLEV:
3399 case IPSECCTL_DEF_AH_NETLEV:
3400 if (newp != NULL && newlen == sizeof(int)) {
3401 switch (*(int *)newp) {
3402 case IPSEC_LEVEL_USE:
3403 case IPSEC_LEVEL_REQUIRE:
3404 break;
3405 default:
3406 return EINVAL;
3407 }
3408 }
3409 return (sysctl_int_arr(ipsec_sysvars, name, namelen,
3410 oldp, oldlenp, newp, newlen));
3411 default:
3412 return (sysctl_int_arr(ipsec_sysvars, name, namelen,
3413 oldp, oldlenp, newp, newlen));
3414 }
3415 }
3416
3417 #if INET6
3418 /*
3419 * System control for IP6
3420 */
3421 u_char ipsec6ctlerrmap[PRC_NCMDS] = {
3422 0, 0, 0, 0,
3423 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
3424 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
3425 EMSGSIZE, EHOSTUNREACH, 0, 0,
3426 0, 0, 0, 0,
3427 ENOPROTOOPT
3428 };
3429
3430 int *ipsec6_sysvars[] = IPSEC6CTL_VARS;
3431
3432 int
3433 ipsec6_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
3434 int *name;
3435 u_int namelen;
3436 void *oldp;
3437 size_t *oldlenp;
3438 void *newp;
3439 size_t newlen;
3440 {
3441 if (name[0] >= IPSECCTL_MAXID) /* xxx no 6 in this definition */
3442 return (EOPNOTSUPP);
3443
3444 switch (name[0]) {
3445 case IPSECCTL_STATS: /* xxx no 6 in this definition */
3446 return sysctl_rdtrunc(oldp, oldlenp, newp, &ipsec6stat,
3447 sizeof(ipsec6stat));
3448 case IPSECCTL_DEF_POLICY:
3449 if (newp != NULL && newlen == sizeof(int)) {
3450 switch (*(int *)newp) {
3451 case IPSEC_POLICY_DISCARD:
3452 case IPSEC_POLICY_NONE:
3453 break;
3454 default:
3455 return EINVAL;
3456 }
3457 }
3458 return (sysctl_int_arr(ipsec6_sysvars, name, namelen,
3459 oldp, oldlenp, newp, newlen));
3460 case IPSECCTL_DEF_ESP_TRANSLEV:
3461 case IPSECCTL_DEF_ESP_NETLEV:
3462 case IPSECCTL_DEF_AH_TRANSLEV:
3463 case IPSECCTL_DEF_AH_NETLEV:
3464 if (newp != NULL && newlen == sizeof(int)) {
3465 switch (*(int *)newp) {
3466 case IPSEC_LEVEL_USE:
3467 case IPSEC_LEVEL_REQUIRE:
3468 break;
3469 default:
3470 return EINVAL;
3471 }
3472 }
3473 return (sysctl_int_arr(ipsec6_sysvars, name, namelen,
3474 oldp, oldlenp, newp, newlen));
3475 default:
3476 return (sysctl_int_arr(ipsec6_sysvars, name, namelen,
3477 oldp, oldlenp, newp, newlen));
3478 }
3479 }
3480 #endif /*INET6*/
3481 #endif /*__bsdi__*/
3482
3483
3484 #if __NetBSD__
3485 /*
3486 * System control for IPSEC
3487 */
3488 u_char ipsecctlermap[PRC_NCMDS] = {
3489 0, 0, 0, 0,
3490 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
3491 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
3492 EMSGSIZE, EHOSTUNREACH, 0, 0,
3493 0, 0, 0, 0,
3494 ENOPROTOOPT
3495 };
3496
3497 int *ipsec_sysvars[] = IPSECCTL_VARS;
3498
3499 int
3500 ipsec_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
3501 int *name;
3502 u_int namelen;
3503 void *oldp;
3504 size_t *oldlenp;
3505 void *newp;
3506 size_t newlen;
3507 {
3508 /* All sysctl names at this level are terminal. */
3509 if (namelen != 1)
3510 return ENOTDIR;
3511
3512 /* common sanity checks */
3513 switch (name[0]) {
3514 case IPSECCTL_DEF_ESP_TRANSLEV:
3515 case IPSECCTL_DEF_ESP_NETLEV:
3516 case IPSECCTL_DEF_AH_TRANSLEV:
3517 case IPSECCTL_DEF_AH_NETLEV:
3518 if (newp != NULL && newlen == sizeof(int)) {
3519 switch (*(int *)newp) {
3520 case IPSEC_LEVEL_USE:
3521 case IPSEC_LEVEL_REQUIRE:
3522 break;
3523 default:
3524 return EINVAL;
3525 }
3526 }
3527 }
3528
3529 switch (name[0]) {
3530
3531 case IPSECCTL_STATS:
3532 return sysctl_struct(oldp, oldlenp, newp, newlen,
3533 &ipsecstat, sizeof(ipsecstat));
3534 case IPSECCTL_DEF_POLICY:
3535 if (newp != NULL && newlen == sizeof(int)) {
3536 switch (*(int *)newp) {
3537 case IPSEC_POLICY_DISCARD:
3538 case IPSEC_POLICY_NONE:
3539 break;
3540 default:
3541 return EINVAL;
3542 }
3543 }
3544 return sysctl_int(oldp, oldlenp, newp, newlen,
3545 &ip4_def_policy.policy);
3546 case IPSECCTL_DEF_ESP_TRANSLEV:
3547 return sysctl_int(oldp, oldlenp, newp, newlen,
3548 &ip4_esp_trans_deflev);
3549 case IPSECCTL_DEF_ESP_NETLEV:
3550 return sysctl_int(oldp, oldlenp, newp, newlen,
3551 &ip4_esp_net_deflev);
3552 case IPSECCTL_DEF_AH_TRANSLEV:
3553 return sysctl_int(oldp, oldlenp, newp, newlen,
3554 &ip4_ah_trans_deflev);
3555 case IPSECCTL_DEF_AH_NETLEV:
3556 return sysctl_int(oldp, oldlenp, newp, newlen,
3557 &ip4_ah_net_deflev);
3558 case IPSECCTL_INBOUND_CALL_IKE:
3559 return sysctl_int(oldp, oldlenp, newp, newlen,
3560 &ip4_inbound_call_ike);
3561 case IPSECCTL_AH_CLEARTOS:
3562 return sysctl_int(oldp, oldlenp, newp, newlen,
3563 &ip4_ah_cleartos);
3564 case IPSECCTL_AH_OFFSETMASK:
3565 return sysctl_int(oldp, oldlenp, newp, newlen,
3566 &ip4_ah_offsetmask);
3567 case IPSECCTL_DFBIT:
3568 return sysctl_int(oldp, oldlenp, newp, newlen,
3569 &ip4_ipsec_dfbit);
3570 case IPSECCTL_ECN:
3571 return sysctl_int(oldp, oldlenp, newp, newlen, &ip4_ipsec_ecn);
3572 case IPSECCTL_DEBUG:
3573 return sysctl_int(oldp, oldlenp, newp, newlen, &ipsec_debug);
3574 default:
3575 return EOPNOTSUPP;
3576 }
3577 /* NOTREACHED */
3578 }
3579
3580 #if INET6
3581 /*
3582 * System control for IPSEC6
3583 */
3584 u_char ipsec6ctlermap[PRC_NCMDS] = {
3585 0, 0, 0, 0,
3586 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
3587 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
3588 EMSGSIZE, EHOSTUNREACH, 0, 0,
3589 0, 0, 0, 0,
3590 ENOPROTOOPT
3591 };
3592
3593 int *ipsec6_sysvars[] = IPSEC6CTL_VARS;
3594
3595 int
3596 ipsec6_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
3597 int *name;
3598 u_int namelen;
3599 void *oldp;
3600 size_t *oldlenp;
3601 void *newp;
3602 size_t newlen;
3603 {
3604 /* All sysctl names at this level are terminal. */
3605 if (namelen != 1)
3606 return ENOTDIR;
3607
3608 /* common sanity checks */
3609 switch (name[0]) {
3610 case IPSECCTL_DEF_ESP_TRANSLEV:
3611 case IPSECCTL_DEF_ESP_NETLEV:
3612 case IPSECCTL_DEF_AH_TRANSLEV:
3613 case IPSECCTL_DEF_AH_NETLEV:
3614 if (newp != NULL && newlen == sizeof(int)) {
3615 switch (*(int *)newp) {
3616 case IPSEC_LEVEL_USE:
3617 case IPSEC_LEVEL_REQUIRE:
3618 break;
3619 default:
3620 return EINVAL;
3621 }
3622 }
3623 }
3624
3625 switch (name[0]) {
3626
3627 case IPSECCTL_STATS:
3628 return sysctl_struct(oldp, oldlenp, newp, newlen,
3629 &ipsec6stat, sizeof(ipsec6stat));
3630 case IPSECCTL_DEF_POLICY:
3631 if (newp != NULL && newlen == sizeof(int)) {
3632 switch (*(int *)newp) {
3633 case IPSEC_POLICY_DISCARD:
3634 case IPSEC_POLICY_NONE:
3635 break;
3636 default:
3637 return EINVAL;
3638 }
3639 }
3640 return sysctl_int(oldp, oldlenp, newp, newlen,
3641 &ip6_def_policy.policy);
3642 case IPSECCTL_DEF_ESP_TRANSLEV:
3643 return sysctl_int(oldp, oldlenp, newp, newlen,
3644 &ip6_esp_trans_deflev);
3645 case IPSECCTL_DEF_ESP_NETLEV:
3646 return sysctl_int(oldp, oldlenp, newp, newlen,
3647 &ip6_esp_net_deflev);
3648 case IPSECCTL_DEF_AH_TRANSLEV:
3649 return sysctl_int(oldp, oldlenp, newp, newlen,
3650 &ip6_ah_trans_deflev);
3651 case IPSECCTL_DEF_AH_NETLEV:
3652 return sysctl_int(oldp, oldlenp, newp, newlen,
3653 &ip6_ah_net_deflev);
3654 case IPSECCTL_INBOUND_CALL_IKE:
3655 return sysctl_int(oldp, oldlenp, newp, newlen,
3656 &ip6_inbound_call_ike);
3657 case IPSECCTL_ECN:
3658 return sysctl_int(oldp, oldlenp, newp, newlen, &ip6_ipsec_ecn);
3659 case IPSECCTL_DEBUG:
3660 return sysctl_int(oldp, oldlenp, newp, newlen, &ipsec_debug);
3661 default:
3662 return EOPNOTSUPP;
3663 }
3664 /* NOTREACHED */
3665 }
3666 #endif /*INET6*/
3667
3668 #endif /* __NetBSD__ */
mirror of XNU