2 * Copyright (c) 2008-2016 Apple Inc. All rights reserved.
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
29 /* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $ */
30 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34 * All rights reserved.
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
39 * 1. Redistributions of source code must retain the above copyright
40 * notice, this list of conditions and the following disclaimer.
41 * 2. Redistributions in binary form must reproduce the above copyright
42 * notice, this list of conditions and the following disclaimer in the
43 * documentation and/or other materials provided with the distribution.
44 * 3. Neither the name of the project nor the names of its contributors
45 * may be used to endorse or promote products derived from this software
46 * without specific prior written permission.
48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
62 * IPsec controller part.
65 #include <sys/param.h>
66 #include <sys/systm.h>
67 #include <sys/malloc.h>
69 #include <sys/mcache.h>
70 #include <sys/domain.h>
71 #include <sys/protosw.h>
72 #include <sys/socket.h>
73 #include <sys/socketvar.h>
74 #include <sys/errno.h>
76 #include <sys/kernel.h>
77 #include <sys/syslog.h>
78 #include <sys/sysctl.h>
79 #include <kern/locks.h>
80 #include <sys/kauth.h>
81 #include <libkern/OSAtomic.h>
84 #include <net/route.h>
85 #include <net/if_ipsec.h>
87 #include <netinet/in.h>
88 #include <netinet/in_systm.h>
89 #include <netinet/ip.h>
90 #include <netinet/ip_var.h>
91 #include <netinet/in_var.h>
92 #include <netinet/udp.h>
93 #include <netinet/udp_var.h>
94 #include <netinet/ip_ecn.h>
96 #include <netinet6/ip6_ecn.h>
98 #include <netinet/tcp.h>
99 #include <netinet/udp.h>
101 #include <netinet/ip6.h>
103 #include <netinet6/ip6_var.h>
105 #include <netinet/in_pcb.h>
107 #include <netinet/icmp6.h>
110 #include <netinet6/ipsec.h>
112 #include <netinet6/ipsec6.h>
114 #include <netinet6/ah.h>
116 #include <netinet6/ah6.h>
119 #include <netinet6/esp.h>
121 #include <netinet6/esp6.h>
124 #include <netinet6/ipcomp.h>
126 #include <netinet6/ipcomp6.h>
128 #include <netkey/key.h>
129 #include <netkey/keydb.h>
130 #include <netkey/key_debug.h>
132 #include <net/net_osdep.h>
140 #include <sys/kdebug.h>
141 #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1)
142 #define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3)
143 #define DBG_FNC_GETPOL_SOCK NETDBG_CODE(DBG_NETIPSEC, (1 << 8))
144 #define DBG_FNC_GETPOL_ADDR NETDBG_CODE(DBG_NETIPSEC, (2 << 8))
145 #define DBG_FNC_IPSEC_OUT NETDBG_CODE(DBG_NETIPSEC, (3 << 8))
147 extern lck_mtx_t
*sadb_mutex
;
149 struct ipsecstat ipsecstat
;
150 int ip4_ah_cleartos
= 1;
151 int ip4_ah_offsetmask
= 0; /* maybe IP_DF? */
152 int ip4_ipsec_dfbit
= 0; /* DF bit on encap. 0: clear 1: set 2: copy */
153 int ip4_esp_trans_deflev
= IPSEC_LEVEL_USE
;
154 int ip4_esp_net_deflev
= IPSEC_LEVEL_USE
;
155 int ip4_ah_trans_deflev
= IPSEC_LEVEL_USE
;
156 int ip4_ah_net_deflev
= IPSEC_LEVEL_USE
;
157 struct secpolicy ip4_def_policy
;
158 int ip4_ipsec_ecn
= ECN_COMPATIBILITY
; /* ECN ignore(-1)/compatibility(0)/normal(1) */
159 int ip4_esp_randpad
= -1;
160 int esp_udp_encap_port
= 0;
161 static int sysctl_def_policy SYSCTL_HANDLER_ARGS
;
162 extern int natt_keepalive_interval
;
163 extern u_int64_t natt_now
;
167 SYSCTL_DECL(_net_inet_ipsec
);
169 SYSCTL_DECL(_net_inet6_ipsec6
);
172 SYSCTL_STRUCT(_net_inet_ipsec
, IPSECCTL_STATS
,
173 stats
, CTLFLAG_RD
| CTLFLAG_LOCKED
, &ipsecstat
, ipsecstat
, "");
174 SYSCTL_PROC(_net_inet_ipsec
, IPSECCTL_DEF_POLICY
, def_policy
, CTLTYPE_INT
|CTLFLAG_RW
| CTLFLAG_LOCKED
,
175 &ip4_def_policy
.policy
, 0, &sysctl_def_policy
, "I", "");
176 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_ESP_TRANSLEV
, esp_trans_deflev
,
177 CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip4_esp_trans_deflev
, 0, "");
178 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_ESP_NETLEV
, esp_net_deflev
,
179 CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip4_esp_net_deflev
, 0, "");
180 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_AH_TRANSLEV
, ah_trans_deflev
,
181 CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip4_ah_trans_deflev
, 0, "");
182 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_AH_NETLEV
, ah_net_deflev
,
183 CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip4_ah_net_deflev
, 0, "");
184 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_AH_CLEARTOS
,
185 ah_cleartos
, CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip4_ah_cleartos
, 0, "");
186 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_AH_OFFSETMASK
,
187 ah_offsetmask
, CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip4_ah_offsetmask
, 0, "");
188 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DFBIT
,
189 dfbit
, CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip4_ipsec_dfbit
, 0, "");
190 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_ECN
,
191 ecn
, CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip4_ipsec_ecn
, 0, "");
192 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEBUG
,
193 debug
, CTLFLAG_RW
| CTLFLAG_LOCKED
, &ipsec_debug
, 0, "");
194 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_ESP_RANDPAD
,
195 esp_randpad
, CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip4_esp_randpad
, 0, "");
197 /* for performance, we bypass ipsec until a security policy is set */
198 int ipsec_bypass
= 1;
199 SYSCTL_INT(_net_inet_ipsec
, OID_AUTO
, bypass
, CTLFLAG_RD
| CTLFLAG_LOCKED
, &ipsec_bypass
,0, "");
202 * NAT Traversal requires a UDP port for encapsulation,
203 * esp_udp_encap_port controls which port is used. Racoon
204 * must set this port to the port racoon is using locally
207 SYSCTL_INT(_net_inet_ipsec
, OID_AUTO
, esp_port
,
208 CTLFLAG_RW
| CTLFLAG_LOCKED
, &esp_udp_encap_port
, 0, "");
211 struct ipsecstat ipsec6stat
;
212 int ip6_esp_trans_deflev
= IPSEC_LEVEL_USE
;
213 int ip6_esp_net_deflev
= IPSEC_LEVEL_USE
;
214 int ip6_ah_trans_deflev
= IPSEC_LEVEL_USE
;
215 int ip6_ah_net_deflev
= IPSEC_LEVEL_USE
;
216 struct secpolicy ip6_def_policy
;
217 int ip6_ipsec_ecn
= ECN_COMPATIBILITY
; /* ECN ignore(-1)/compatibility(0)/normal(1) */
218 int ip6_esp_randpad
= -1;
220 /* net.inet6.ipsec6 */
221 SYSCTL_STRUCT(_net_inet6_ipsec6
, IPSECCTL_STATS
,
222 stats
, CTLFLAG_RD
| CTLFLAG_LOCKED
, &ipsec6stat
, ipsecstat
, "");
223 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_POLICY
,
224 def_policy
, CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip6_def_policy
.policy
, 0, "");
225 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_ESP_TRANSLEV
, esp_trans_deflev
,
226 CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip6_esp_trans_deflev
, 0, "");
227 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_ESP_NETLEV
, esp_net_deflev
,
228 CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip6_esp_net_deflev
, 0, "");
229 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_AH_TRANSLEV
, ah_trans_deflev
,
230 CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip6_ah_trans_deflev
, 0, "");
231 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_AH_NETLEV
, ah_net_deflev
,
232 CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip6_ah_net_deflev
, 0, "");
233 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_ECN
,
234 ecn
, CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip6_ipsec_ecn
, 0, "");
235 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEBUG
,
236 debug
, CTLFLAG_RW
| CTLFLAG_LOCKED
, &ipsec_debug
, 0, "");
237 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_ESP_RANDPAD
,
238 esp_randpad
, CTLFLAG_RW
| CTLFLAG_LOCKED
, &ip6_esp_randpad
, 0, "");
241 static int ipsec_setspidx_interface(struct secpolicyindex
*, u_int
, struct mbuf
*,
243 static int ipsec_setspidx_mbuf(struct secpolicyindex
*, u_int
, u_int
,
245 static int ipsec4_setspidx_inpcb(struct mbuf
*, struct inpcb
*pcb
);
247 static int ipsec6_setspidx_in6pcb(struct mbuf
*, struct in6pcb
*pcb
);
249 static int ipsec_setspidx(struct mbuf
*, struct secpolicyindex
*, int, int);
250 static void ipsec4_get_ulp(struct mbuf
*m
, struct secpolicyindex
*, int);
251 static int ipsec4_setspidx_ipaddr(struct mbuf
*, struct secpolicyindex
*);
253 static void ipsec6_get_ulp(struct mbuf
*m
, struct secpolicyindex
*, int);
254 static int ipsec6_setspidx_ipaddr(struct mbuf
*, struct secpolicyindex
*);
256 static struct inpcbpolicy
*ipsec_newpcbpolicy(void);
257 static void ipsec_delpcbpolicy(struct inpcbpolicy
*);
258 static struct secpolicy
*ipsec_deepcopy_policy(struct secpolicy
*src
);
259 static int ipsec_set_policy(struct secpolicy
**pcb_sp
,
260 int optname
, caddr_t request
, size_t len
, int priv
);
261 static void vshiftl(unsigned char *, int, int);
262 static int ipsec_in_reject(struct secpolicy
*, struct mbuf
*);
264 static int ipsec64_encapsulate(struct mbuf
*, struct secasvar
*);
265 static int ipsec6_update_routecache_and_output(struct ipsec_output_state
*state
, struct secasvar
*sav
);
266 static int ipsec46_encapsulate(struct ipsec_output_state
*state
, struct secasvar
*sav
);
268 static struct ipsec_tag
*ipsec_addaux(struct mbuf
*);
269 static struct ipsec_tag
*ipsec_findaux(struct mbuf
*);
270 static void ipsec_optaux(struct mbuf
*, struct ipsec_tag
*);
271 int ipsec_send_natt_keepalive(struct secasvar
*sav
);
272 bool ipsec_fill_offload_frame(ifnet_t ifp
, struct secasvar
*sav
, struct ifnet_keepalive_offload_frame
*frame
, size_t frame_data_offset
);
275 sysctl_def_policy SYSCTL_HANDLER_ARGS
277 int old_policy
= ip4_def_policy
.policy
;
278 int error
= sysctl_handle_int(oidp
, oidp
->oid_arg1
, oidp
->oid_arg2
, req
);
280 #pragma unused(arg1, arg2)
282 if (ip4_def_policy
.policy
!= IPSEC_POLICY_NONE
&&
283 ip4_def_policy
.policy
!= IPSEC_POLICY_DISCARD
) {
284 ip4_def_policy
.policy
= old_policy
;
288 /* Turn off the bypass if the default security policy changes */
289 if (ipsec_bypass
!= 0 && ip4_def_policy
.policy
!= IPSEC_POLICY_NONE
)
296 * For OUTBOUND packet having a socket. Searching SPD for packet,
297 * and return a pointer to SP.
298 * OUT: NULL: no apropreate SP found, the following value is set to error.
300 * EACCES : discard packet.
301 * ENOENT : ipsec_acquire() in progress, maybe.
302 * others : error occurred.
303 * others: a pointer to SP
305 * NOTE: IPv6 mapped adddress concern is implemented here.
308 ipsec4_getpolicybysock(struct mbuf
*m
,
313 struct inpcbpolicy
*pcbsp
= NULL
;
314 struct secpolicy
*currsp
= NULL
; /* policy on socket */
315 struct secpolicy
*kernsp
= NULL
; /* policy on kernel */
317 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
319 if (m
== NULL
|| so
== NULL
|| error
== NULL
)
320 panic("ipsec4_getpolicybysock: NULL pointer was passed.\n");
322 if (so
->so_pcb
== NULL
) {
323 printf("ipsec4_getpolicybysock: so->so_pcb == NULL\n");
324 return ipsec4_getpolicybyaddr(m
, dir
, 0, error
);
327 switch (SOCK_DOM(so
)) {
329 pcbsp
= sotoinpcb(so
)->inp_sp
;
333 pcbsp
= sotoin6pcb(so
)->in6p_sp
;
339 /* Socket has not specified an IPSEC policy */
340 return ipsec4_getpolicybyaddr(m
, dir
, 0, error
);
343 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK
| DBG_FUNC_START
, 0,0,0,0,0);
345 switch (SOCK_DOM(so
)) {
347 /* set spidx in pcb */
348 *error
= ipsec4_setspidx_inpcb(m
, sotoinpcb(so
));
352 /* set spidx in pcb */
353 *error
= ipsec6_setspidx_in6pcb(m
, sotoin6pcb(so
));
357 panic("ipsec4_getpolicybysock: unsupported address family\n");
360 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK
| DBG_FUNC_END
, 1,*error
,0,0,0);
366 panic("ipsec4_getpolicybysock: pcbsp is NULL.\n");
369 case IPSEC_DIR_INBOUND
:
370 currsp
= pcbsp
->sp_in
;
372 case IPSEC_DIR_OUTBOUND
:
373 currsp
= pcbsp
->sp_out
;
376 panic("ipsec4_getpolicybysock: illegal direction.\n");
381 panic("ipsec4_getpolicybysock: currsp is NULL.\n");
383 /* when privilieged socket */
385 switch (currsp
->policy
) {
386 case IPSEC_POLICY_BYPASS
:
387 lck_mtx_lock(sadb_mutex
);
389 lck_mtx_unlock(sadb_mutex
);
391 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK
| DBG_FUNC_END
, 2,*error
,0,0,0);
394 case IPSEC_POLICY_ENTRUST
:
395 /* look for a policy in SPD */
396 kernsp
= key_allocsp(&currsp
->spidx
, dir
);
399 if (kernsp
!= NULL
) {
400 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
401 printf("DP ipsec4_getpolicybysock called "
402 "to allocate SP:0x%llx\n",
403 (uint64_t)VM_KERNEL_ADDRPERM(kernsp
)));
405 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK
| DBG_FUNC_END
, 3,*error
,0,0,0);
410 lck_mtx_lock(sadb_mutex
);
411 if (ip4_def_policy
.policy
!= IPSEC_POLICY_DISCARD
412 && ip4_def_policy
.policy
!= IPSEC_POLICY_NONE
) {
414 "fixed system default policy: %d->%d\n",
415 ip4_def_policy
.policy
, IPSEC_POLICY_NONE
));
416 ip4_def_policy
.policy
= IPSEC_POLICY_NONE
;
418 ip4_def_policy
.refcnt
++;
419 lck_mtx_unlock(sadb_mutex
);
421 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK
| DBG_FUNC_END
, 4,*error
,0,0,0);
422 return &ip4_def_policy
;
424 case IPSEC_POLICY_IPSEC
:
425 lck_mtx_lock(sadb_mutex
);
427 lck_mtx_unlock(sadb_mutex
);
429 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK
| DBG_FUNC_END
, 5,*error
,0,0,0);
433 ipseclog((LOG_ERR
, "ipsec4_getpolicybysock: "
434 "Invalid policy for PCB %d\n", currsp
->policy
));
436 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK
| DBG_FUNC_END
, 6,*error
,0,0,0);
442 /* when non-privilieged socket */
443 /* look for a policy in SPD */
444 kernsp
= key_allocsp(&currsp
->spidx
, dir
);
447 if (kernsp
!= NULL
) {
448 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
449 printf("DP ipsec4_getpolicybysock called "
450 "to allocate SP:0x%llx\n",
451 (uint64_t)VM_KERNEL_ADDRPERM(kernsp
)));
453 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK
| DBG_FUNC_END
, 7,*error
,0,0,0);
458 switch (currsp
->policy
) {
459 case IPSEC_POLICY_BYPASS
:
460 ipseclog((LOG_ERR
, "ipsec4_getpolicybysock: "
461 "Illegal policy for non-priviliged defined %d\n",
464 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK
| DBG_FUNC_END
, 8,*error
,0,0,0);
467 case IPSEC_POLICY_ENTRUST
:
468 lck_mtx_lock(sadb_mutex
);
469 if (ip4_def_policy
.policy
!= IPSEC_POLICY_DISCARD
470 && ip4_def_policy
.policy
!= IPSEC_POLICY_NONE
) {
472 "fixed system default policy: %d->%d\n",
473 ip4_def_policy
.policy
, IPSEC_POLICY_NONE
));
474 ip4_def_policy
.policy
= IPSEC_POLICY_NONE
;
476 ip4_def_policy
.refcnt
++;
477 lck_mtx_unlock(sadb_mutex
);
479 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK
| DBG_FUNC_END
, 9,*error
,0,0,0);
480 return &ip4_def_policy
;
482 case IPSEC_POLICY_IPSEC
:
483 lck_mtx_lock(sadb_mutex
);
485 lck_mtx_unlock(sadb_mutex
);
487 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK
| DBG_FUNC_END
, 10,*error
,0,0,0);
491 ipseclog((LOG_ERR
, "ipsec4_getpolicybysock: "
492 "Invalid policy for PCB %d\n", currsp
->policy
));
494 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK
| DBG_FUNC_END
, 11,*error
,0,0,0);
501 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
502 * and return a pointer to SP.
503 * OUT: positive: a pointer to the entry for security policy leaf matched.
504 * NULL: no apropreate SP found, the following value is set to error.
506 * EACCES : discard packet.
507 * ENOENT : ipsec_acquire() in progress, maybe.
508 * others : error occurred.
511 ipsec4_getpolicybyaddr(struct mbuf
*m
,
516 struct secpolicy
*sp
= NULL
;
518 if (ipsec_bypass
!= 0)
521 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
524 if (m
== NULL
|| error
== NULL
)
525 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n");
527 struct secpolicyindex spidx
;
529 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR
| DBG_FUNC_START
, 0,0,0,0,0);
530 bzero(&spidx
, sizeof(spidx
));
532 /* make a index to look for a policy */
533 *error
= ipsec_setspidx_mbuf(&spidx
, dir
, AF_INET
, m
,
534 (flag
& IP_FORWARDING
) ? 0 : 1);
537 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR
| DBG_FUNC_END
, 1,*error
,0,0,0);
541 sp
= key_allocsp(&spidx
, dir
);
546 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
547 printf("DP ipsec4_getpolicybyaddr called "
548 "to allocate SP:0x%llx\n",
549 (uint64_t)VM_KERNEL_ADDRPERM(sp
)));
551 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR
| DBG_FUNC_END
, 2,*error
,0,0,0);
556 lck_mtx_lock(sadb_mutex
);
557 if (ip4_def_policy
.policy
!= IPSEC_POLICY_DISCARD
558 && ip4_def_policy
.policy
!= IPSEC_POLICY_NONE
) {
559 ipseclog((LOG_INFO
, "fixed system default policy:%d->%d\n",
560 ip4_def_policy
.policy
,
562 ip4_def_policy
.policy
= IPSEC_POLICY_NONE
;
564 ip4_def_policy
.refcnt
++;
565 lck_mtx_unlock(sadb_mutex
);
567 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR
| DBG_FUNC_END
, 3,*error
,0,0,0);
568 return &ip4_def_policy
;
571 /* Match with bound interface rather than src addr.
572 * Unlike getpolicybyaddr, do not set the default policy.
573 * Return 0 if should continue processing, or -1 if packet
577 ipsec4_getpolicybyinterface(struct mbuf
*m
,
580 struct ip_out_args
*ipoa
,
581 struct secpolicy
**sp
)
583 struct secpolicyindex spidx
;
586 if (ipsec_bypass
!= 0)
590 if (m
== NULL
|| ipoa
== NULL
|| sp
== NULL
)
591 panic("ipsec4_getpolicybyinterface: NULL pointer was passed.\n");
593 if (ipoa
->ipoa_boundif
== IFSCOPE_NONE
)
596 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR
| DBG_FUNC_START
, 0,0,0,0,0);
597 bzero(&spidx
, sizeof(spidx
));
599 /* make a index to look for a policy */
600 error
= ipsec_setspidx_interface(&spidx
, dir
, m
, (*flags
& IP_FORWARDING
) ? 0 : 1,
601 ipoa
->ipoa_boundif
, 4);
604 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR
| DBG_FUNC_END
, 1,error
,0,0,0);
608 *sp
= key_allocsp(&spidx
, dir
);
610 /* Return SP, whether NULL or not */
611 if (*sp
!= NULL
&& (*sp
)->policy
== IPSEC_POLICY_IPSEC
) {
612 if ((*sp
)->ipsec_if
== NULL
) {
613 /* Invalid to capture on an interface without redirect */
614 key_freesp(*sp
, KEY_SADB_UNLOCKED
);
617 } else if ((*sp
)->disabled
) {
618 /* Disabled policies go in the clear */
619 key_freesp(*sp
, KEY_SADB_UNLOCKED
);
621 *flags
|= IP_NOIPSEC
; /* Avoid later IPSec check */
623 /* If policy is enabled, redirect to ipsec interface */
624 ipoa
->ipoa_boundif
= (*sp
)->ipsec_if
->if_index
;
628 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR
| DBG_FUNC_END
, 2,error
,0,0,0);
636 * For OUTBOUND packet having a socket. Searching SPD for packet,
637 * and return a pointer to SP.
638 * OUT: NULL: no apropreate SP found, the following value is set to error.
640 * EACCES : discard packet.
641 * ENOENT : ipsec_acquire() in progress, maybe.
642 * others : error occurred.
643 * others: a pointer to SP
646 ipsec6_getpolicybysock(struct mbuf
*m
,
651 struct inpcbpolicy
*pcbsp
= NULL
;
652 struct secpolicy
*currsp
= NULL
; /* policy on socket */
653 struct secpolicy
*kernsp
= NULL
; /* policy on kernel */
655 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
658 if (m
== NULL
|| so
== NULL
|| error
== NULL
)
659 panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
662 if (SOCK_DOM(so
) != PF_INET6
)
663 panic("ipsec6_getpolicybysock: socket domain != inet6\n");
666 pcbsp
= sotoin6pcb(so
)->in6p_sp
;
669 return ipsec6_getpolicybyaddr(m
, dir
, 0, error
);
672 /* set spidx in pcb */
673 ipsec6_setspidx_in6pcb(m
, sotoin6pcb(so
));
677 panic("ipsec6_getpolicybysock: pcbsp is NULL.\n");
680 case IPSEC_DIR_INBOUND
:
681 currsp
= pcbsp
->sp_in
;
683 case IPSEC_DIR_OUTBOUND
:
684 currsp
= pcbsp
->sp_out
;
687 panic("ipsec6_getpolicybysock: illegal direction.\n");
692 panic("ipsec6_getpolicybysock: currsp is NULL.\n");
694 /* when privilieged socket */
696 switch (currsp
->policy
) {
697 case IPSEC_POLICY_BYPASS
:
698 lck_mtx_lock(sadb_mutex
);
700 lck_mtx_unlock(sadb_mutex
);
704 case IPSEC_POLICY_ENTRUST
:
705 /* look for a policy in SPD */
706 kernsp
= key_allocsp(&currsp
->spidx
, dir
);
709 if (kernsp
!= NULL
) {
710 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
711 printf("DP ipsec6_getpolicybysock called "
712 "to allocate SP:0x%llx\n",
713 (uint64_t)VM_KERNEL_ADDRPERM(kernsp
)));
719 lck_mtx_lock(sadb_mutex
);
720 if (ip6_def_policy
.policy
!= IPSEC_POLICY_DISCARD
721 && ip6_def_policy
.policy
!= IPSEC_POLICY_NONE
) {
723 "fixed system default policy: %d->%d\n",
724 ip6_def_policy
.policy
, IPSEC_POLICY_NONE
));
725 ip6_def_policy
.policy
= IPSEC_POLICY_NONE
;
727 ip6_def_policy
.refcnt
++;
728 lck_mtx_unlock(sadb_mutex
);
730 return &ip6_def_policy
;
732 case IPSEC_POLICY_IPSEC
:
733 lck_mtx_lock(sadb_mutex
);
735 lck_mtx_unlock(sadb_mutex
);
740 ipseclog((LOG_ERR
, "ipsec6_getpolicybysock: "
741 "Invalid policy for PCB %d\n", currsp
->policy
));
748 /* when non-privilieged socket */
749 /* look for a policy in SPD */
750 kernsp
= key_allocsp(&currsp
->spidx
, dir
);
753 if (kernsp
!= NULL
) {
754 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
755 printf("DP ipsec6_getpolicybysock called "
756 "to allocate SP:0x%llx\n",
757 (uint64_t)VM_KERNEL_ADDRPERM(kernsp
)));
763 switch (currsp
->policy
) {
764 case IPSEC_POLICY_BYPASS
:
765 ipseclog((LOG_ERR
, "ipsec6_getpolicybysock: "
766 "Illegal policy for non-priviliged defined %d\n",
771 case IPSEC_POLICY_ENTRUST
:
772 lck_mtx_lock(sadb_mutex
);
773 if (ip6_def_policy
.policy
!= IPSEC_POLICY_DISCARD
774 && ip6_def_policy
.policy
!= IPSEC_POLICY_NONE
) {
776 "fixed system default policy: %d->%d\n",
777 ip6_def_policy
.policy
, IPSEC_POLICY_NONE
));
778 ip6_def_policy
.policy
= IPSEC_POLICY_NONE
;
780 ip6_def_policy
.refcnt
++;
781 lck_mtx_unlock(sadb_mutex
);
783 return &ip6_def_policy
;
785 case IPSEC_POLICY_IPSEC
:
786 lck_mtx_lock(sadb_mutex
);
788 lck_mtx_unlock(sadb_mutex
);
794 "ipsec6_policybysock: Invalid policy for PCB %d\n",
803 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
804 * and return a pointer to SP.
805 * `flag' means that packet is to be forwarded whether or not.
807 * OUT: positive: a pointer to the entry for security policy leaf matched.
808 * NULL: no apropreate SP found, the following value is set to error.
810 * EACCES : discard packet.
811 * ENOENT : ipsec_acquire() in progress, maybe.
812 * others : error occurred.
814 #ifndef IP_FORWARDING
815 #define IP_FORWARDING 1
819 ipsec6_getpolicybyaddr(struct mbuf
*m
,
824 struct secpolicy
*sp
= NULL
;
826 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
829 if (m
== NULL
|| error
== NULL
)
830 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n");
833 struct secpolicyindex spidx
;
835 bzero(&spidx
, sizeof(spidx
));
837 /* make a index to look for a policy */
838 *error
= ipsec_setspidx_mbuf(&spidx
, dir
, AF_INET6
, m
,
839 (flag
& IP_FORWARDING
) ? 0 : 1);
844 sp
= key_allocsp(&spidx
, dir
);
849 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
850 printf("DP ipsec6_getpolicybyaddr called "
851 "to allocate SP:0x%llx\n",
852 (uint64_t)VM_KERNEL_ADDRPERM(sp
)));
858 lck_mtx_lock(sadb_mutex
);
859 if (ip6_def_policy
.policy
!= IPSEC_POLICY_DISCARD
860 && ip6_def_policy
.policy
!= IPSEC_POLICY_NONE
) {
861 ipseclog((LOG_INFO
, "fixed system default policy: %d->%d\n",
862 ip6_def_policy
.policy
, IPSEC_POLICY_NONE
));
863 ip6_def_policy
.policy
= IPSEC_POLICY_NONE
;
865 ip6_def_policy
.refcnt
++;
866 lck_mtx_unlock(sadb_mutex
);
868 return &ip6_def_policy
;
871 /* Match with bound interface rather than src addr.
872 * Unlike getpolicybyaddr, do not set the default policy.
873 * Return 0 if should continue processing, or -1 if packet
877 ipsec6_getpolicybyinterface(struct mbuf
*m
,
880 struct ip6_out_args
*ip6oap
,
882 struct secpolicy
**sp
)
884 struct secpolicyindex spidx
;
887 if (ipsec_bypass
!= 0)
891 if (m
== NULL
|| sp
== NULL
|| noipsec
== NULL
|| ip6oap
== NULL
)
892 panic("ipsec6_getpolicybyinterface: NULL pointer was passed.\n");
896 if (ip6oap
->ip6oa_boundif
== IFSCOPE_NONE
)
899 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR
| DBG_FUNC_START
, 0,0,0,0,0);
900 bzero(&spidx
, sizeof(spidx
));
902 /* make a index to look for a policy */
903 error
= ipsec_setspidx_interface(&spidx
, dir
, m
, (flag
& IP_FORWARDING
) ? 0 : 1,
904 ip6oap
->ip6oa_boundif
, 6);
907 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR
| DBG_FUNC_END
, 1,error
,0,0,0);
911 *sp
= key_allocsp(&spidx
, dir
);
913 /* Return SP, whether NULL or not */
914 if (*sp
!= NULL
&& (*sp
)->policy
== IPSEC_POLICY_IPSEC
) {
915 if ((*sp
)->ipsec_if
== NULL
) {
916 /* Invalid to capture on an interface without redirect */
917 key_freesp(*sp
, KEY_SADB_UNLOCKED
);
920 } else if ((*sp
)->disabled
) {
921 /* Disabled policies go in the clear */
922 key_freesp(*sp
, KEY_SADB_UNLOCKED
);
924 *noipsec
= 1; /* Avoid later IPSec check */
926 /* If policy is enabled, redirect to ipsec interface */
927 ip6oap
->ip6oa_boundif
= (*sp
)->ipsec_if
->if_index
;
931 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR
| DBG_FUNC_END
, 2,*error
,0,0,0);
938 * set IP address into spidx from mbuf.
939 * When Forwarding packet and ICMP echo reply, this function is used.
941 * IN: get the followings from mbuf.
942 * protocol family, src, dst, next protocol
945 * other: failure, and set errno.
949 struct secpolicyindex
*spidx
,
951 __unused u_int family
,
958 if (spidx
== NULL
|| m
== NULL
)
959 panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n");
961 bzero(spidx
, sizeof(*spidx
));
963 error
= ipsec_setspidx(m
, spidx
, needport
, 0);
972 bzero(spidx
, sizeof(*spidx
));
977 ipsec_setspidx_interface(
978 struct secpolicyindex
*spidx
,
988 if (spidx
== NULL
|| m
== NULL
)
989 panic("ipsec_setspidx_interface: NULL pointer was passed.\n");
991 bzero(spidx
, sizeof(*spidx
));
993 error
= ipsec_setspidx(m
, spidx
, needport
, ip_version
);
999 ifnet_head_lock_shared();
1000 spidx
->internal_if
= ifindex2ifnet
[ifindex
];
1003 spidx
->internal_if
= NULL
;
1013 ipsec4_setspidx_inpcb(struct mbuf
*m
, struct inpcb
*pcb
)
1015 struct secpolicyindex
*spidx
;
1018 if (ipsec_bypass
!= 0)
1023 panic("ipsec4_setspidx_inpcb: no PCB found.\n");
1024 if (pcb
->inp_sp
== NULL
)
1025 panic("ipsec4_setspidx_inpcb: no inp_sp found.\n");
1026 if (pcb
->inp_sp
->sp_out
== NULL
|| pcb
->inp_sp
->sp_in
== NULL
)
1027 panic("ipsec4_setspidx_inpcb: no sp_in/out found.\n");
1029 bzero(&pcb
->inp_sp
->sp_in
->spidx
, sizeof(*spidx
));
1030 bzero(&pcb
->inp_sp
->sp_out
->spidx
, sizeof(*spidx
));
1032 spidx
= &pcb
->inp_sp
->sp_in
->spidx
;
1033 error
= ipsec_setspidx(m
, spidx
, 1, 0);
1036 spidx
->dir
= IPSEC_DIR_INBOUND
;
1038 spidx
= &pcb
->inp_sp
->sp_out
->spidx
;
1039 error
= ipsec_setspidx(m
, spidx
, 1, 0);
1042 spidx
->dir
= IPSEC_DIR_OUTBOUND
;
1047 bzero(&pcb
->inp_sp
->sp_in
->spidx
, sizeof(*spidx
));
1048 bzero(&pcb
->inp_sp
->sp_out
->spidx
, sizeof(*spidx
));
1054 ipsec6_setspidx_in6pcb(struct mbuf
*m
, struct in6pcb
*pcb
)
1056 struct secpolicyindex
*spidx
;
1061 panic("ipsec6_setspidx_in6pcb: no PCB found.\n");
1062 if (pcb
->in6p_sp
== NULL
)
1063 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.\n");
1064 if (pcb
->in6p_sp
->sp_out
== NULL
|| pcb
->in6p_sp
->sp_in
== NULL
)
1065 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.\n");
1067 bzero(&pcb
->in6p_sp
->sp_in
->spidx
, sizeof(*spidx
));
1068 bzero(&pcb
->in6p_sp
->sp_out
->spidx
, sizeof(*spidx
));
1070 spidx
= &pcb
->in6p_sp
->sp_in
->spidx
;
1071 error
= ipsec_setspidx(m
, spidx
, 1, 0);
1074 spidx
->dir
= IPSEC_DIR_INBOUND
;
1076 spidx
= &pcb
->in6p_sp
->sp_out
->spidx
;
1077 error
= ipsec_setspidx(m
, spidx
, 1, 0);
1080 spidx
->dir
= IPSEC_DIR_OUTBOUND
;
1085 bzero(&pcb
->in6p_sp
->sp_in
->spidx
, sizeof(*spidx
));
1086 bzero(&pcb
->in6p_sp
->sp_out
->spidx
, sizeof(*spidx
));
1092 * configure security policy index (src/dst/proto/sport/dport)
1093 * by looking at the content of mbuf.
1094 * the caller is responsible for error recovery (like clearing up spidx).
1097 ipsec_setspidx(struct mbuf
*m
,
1098 struct secpolicyindex
*spidx
,
1100 int force_ip_version
)
1102 struct ip
*ip
= NULL
;
1110 panic("ipsec_setspidx: m == 0 passed.\n");
1113 * validate m->m_pkthdr.len. we see incorrect length if we
1114 * mistakenly call this function with inconsistent mbuf chain
1115 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
1118 for (n
= m
; n
; n
= n
->m_next
)
1120 if (m
->m_pkthdr
.len
!= len
) {
1121 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1122 printf("ipsec_setspidx: "
1123 "total of m_len(%d) != pkthdr.len(%d), "
1125 len
, m
->m_pkthdr
.len
));
1129 if (m
->m_pkthdr
.len
< sizeof(struct ip
)) {
1130 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1131 printf("ipsec_setspidx: "
1132 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
1137 if (m
->m_len
>= sizeof(*ip
))
1138 ip
= mtod(m
, struct ip
*);
1140 m_copydata(m
, 0, sizeof(ipbuf
), (caddr_t
)&ipbuf
);
1144 if (force_ip_version
) {
1145 v
= force_ip_version
;
1148 v
= _IP_VHL_V(ip
->ip_vhl
);
1155 error
= ipsec4_setspidx_ipaddr(m
, spidx
);
1158 ipsec4_get_ulp(m
, spidx
, needport
);
1162 if (m
->m_pkthdr
.len
< sizeof(struct ip6_hdr
)) {
1163 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1164 printf("ipsec_setspidx: "
1165 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
1166 "ignored.\n", m
->m_pkthdr
.len
));
1169 error
= ipsec6_setspidx_ipaddr(m
, spidx
);
1172 ipsec6_get_ulp(m
, spidx
, needport
);
1176 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1177 printf("ipsec_setspidx: "
1178 "unknown IP version %u, ignored.\n", v
));
1184 ipsec4_get_ulp(struct mbuf
*m
, struct secpolicyindex
*spidx
, int needport
)
1187 struct ip6_ext ip6e
;
1195 panic("ipsec4_get_ulp: NULL pointer was passed.\n");
1196 if (m
->m_pkthdr
.len
< sizeof(ip
))
1197 panic("ipsec4_get_ulp: too short\n");
1200 spidx
->ul_proto
= IPSEC_ULPROTO_ANY
;
1201 ((struct sockaddr_in
*)&spidx
->src
)->sin_port
= IPSEC_PORT_ANY
;
1202 ((struct sockaddr_in
*)&spidx
->dst
)->sin_port
= IPSEC_PORT_ANY
;
1204 m_copydata(m
, 0, sizeof(ip
), (caddr_t
)&ip
);
1205 /* ip_input() flips it into host endian XXX need more checking */
1206 if (ip
.ip_off
& (IP_MF
| IP_OFFMASK
))
1211 off
= _IP_VHL_HL(ip
->ip_vhl
) << 2;
1213 off
= ip
.ip_hl
<< 2;
1215 while (off
< m
->m_pkthdr
.len
) {
1218 spidx
->ul_proto
= nxt
;
1221 if (off
+ sizeof(struct tcphdr
) > m
->m_pkthdr
.len
)
1223 m_copydata(m
, off
, sizeof(th
), (caddr_t
)&th
);
1224 ((struct sockaddr_in
*)&spidx
->src
)->sin_port
=
1226 ((struct sockaddr_in
*)&spidx
->dst
)->sin_port
=
1230 spidx
->ul_proto
= nxt
;
1233 if (off
+ sizeof(struct udphdr
) > m
->m_pkthdr
.len
)
1235 m_copydata(m
, off
, sizeof(uh
), (caddr_t
)&uh
);
1236 ((struct sockaddr_in
*)&spidx
->src
)->sin_port
=
1238 ((struct sockaddr_in
*)&spidx
->dst
)->sin_port
=
1242 if (off
+ sizeof(ip6e
) > m
->m_pkthdr
.len
)
1244 m_copydata(m
, off
, sizeof(ip6e
), (caddr_t
)&ip6e
);
1245 off
+= (ip6e
.ip6e_len
+ 2) << 2;
1246 nxt
= ip6e
.ip6e_nxt
;
1250 /* XXX intermediate headers??? */
1251 spidx
->ul_proto
= nxt
;
1257 /* assumes that m is sane */
1259 ipsec4_setspidx_ipaddr(struct mbuf
*m
, struct secpolicyindex
*spidx
)
1261 struct ip
*ip
= NULL
;
1263 struct sockaddr_in
*sin
;
1265 if (m
->m_len
>= sizeof(*ip
))
1266 ip
= mtod(m
, struct ip
*);
1268 m_copydata(m
, 0, sizeof(ipbuf
), (caddr_t
)&ipbuf
);
1272 sin
= (struct sockaddr_in
*)&spidx
->src
;
1273 bzero(sin
, sizeof(*sin
));
1274 sin
->sin_family
= AF_INET
;
1275 sin
->sin_len
= sizeof(struct sockaddr_in
);
1276 bcopy(&ip
->ip_src
, &sin
->sin_addr
, sizeof(ip
->ip_src
));
1277 spidx
->prefs
= sizeof(struct in_addr
) << 3;
1279 sin
= (struct sockaddr_in
*)&spidx
->dst
;
1280 bzero(sin
, sizeof(*sin
));
1281 sin
->sin_family
= AF_INET
;
1282 sin
->sin_len
= sizeof(struct sockaddr_in
);
1283 bcopy(&ip
->ip_dst
, &sin
->sin_addr
, sizeof(ip
->ip_dst
));
1284 spidx
->prefd
= sizeof(struct in_addr
) << 3;
1291 ipsec6_get_ulp(struct mbuf
*m
,
1292 struct secpolicyindex
*spidx
,
1301 panic("ipsec6_get_ulp: NULL pointer was passed.\n");
1303 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1304 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m
));
1307 spidx
->ul_proto
= IPSEC_ULPROTO_ANY
;
1308 ((struct sockaddr_in6
*)&spidx
->src
)->sin6_port
= IPSEC_PORT_ANY
;
1309 ((struct sockaddr_in6
*)&spidx
->dst
)->sin6_port
= IPSEC_PORT_ANY
;
1312 off
= ip6_lasthdr(m
, 0, IPPROTO_IPV6
, &nxt
);
1313 if (off
< 0 || m
->m_pkthdr
.len
< off
)
1318 spidx
->ul_proto
= nxt
;
1321 if (off
+ sizeof(struct tcphdr
) > m
->m_pkthdr
.len
)
1323 m_copydata(m
, off
, sizeof(th
), (caddr_t
)&th
);
1324 ((struct sockaddr_in6
*)&spidx
->src
)->sin6_port
= th
.th_sport
;
1325 ((struct sockaddr_in6
*)&spidx
->dst
)->sin6_port
= th
.th_dport
;
1328 spidx
->ul_proto
= nxt
;
1331 if (off
+ sizeof(struct udphdr
) > m
->m_pkthdr
.len
)
1333 m_copydata(m
, off
, sizeof(uh
), (caddr_t
)&uh
);
1334 ((struct sockaddr_in6
*)&spidx
->src
)->sin6_port
= uh
.uh_sport
;
1335 ((struct sockaddr_in6
*)&spidx
->dst
)->sin6_port
= uh
.uh_dport
;
1337 case IPPROTO_ICMPV6
:
1339 /* XXX intermediate headers??? */
1340 spidx
->ul_proto
= nxt
;
1345 /* assumes that m is sane */
1347 ipsec6_setspidx_ipaddr(struct mbuf
*m
,
1348 struct secpolicyindex
*spidx
)
1350 struct ip6_hdr
*ip6
= NULL
;
1351 struct ip6_hdr ip6buf
;
1352 struct sockaddr_in6
*sin6
;
1354 if (m
->m_len
>= sizeof(*ip6
))
1355 ip6
= mtod(m
, struct ip6_hdr
*);
1357 m_copydata(m
, 0, sizeof(ip6buf
), (caddr_t
)&ip6buf
);
1361 sin6
= (struct sockaddr_in6
*)&spidx
->src
;
1362 bzero(sin6
, sizeof(*sin6
));
1363 sin6
->sin6_family
= AF_INET6
;
1364 sin6
->sin6_len
= sizeof(struct sockaddr_in6
);
1365 bcopy(&ip6
->ip6_src
, &sin6
->sin6_addr
, sizeof(ip6
->ip6_src
));
1366 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_src
)) {
1367 sin6
->sin6_addr
.s6_addr16
[1] = 0;
1368 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_src
.s6_addr16
[1]);
1370 spidx
->prefs
= sizeof(struct in6_addr
) << 3;
1372 sin6
= (struct sockaddr_in6
*)&spidx
->dst
;
1373 bzero(sin6
, sizeof(*sin6
));
1374 sin6
->sin6_family
= AF_INET6
;
1375 sin6
->sin6_len
= sizeof(struct sockaddr_in6
);
1376 bcopy(&ip6
->ip6_dst
, &sin6
->sin6_addr
, sizeof(ip6
->ip6_dst
));
1377 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_dst
)) {
1378 sin6
->sin6_addr
.s6_addr16
[1] = 0;
1379 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_dst
.s6_addr16
[1]);
1381 spidx
->prefd
= sizeof(struct in6_addr
) << 3;
1387 static struct inpcbpolicy
*
1388 ipsec_newpcbpolicy(void)
1390 struct inpcbpolicy
*p
;
1392 p
= (struct inpcbpolicy
*)_MALLOC(sizeof(*p
), M_SECA
, M_WAITOK
);
1397 ipsec_delpcbpolicy(struct inpcbpolicy
*p
)
1402 /* initialize policy in PCB */
1404 ipsec_init_policy(struct socket
*so
,
1405 struct inpcbpolicy
**pcb_sp
)
1407 struct inpcbpolicy
*new;
1410 if (so
== NULL
|| pcb_sp
== NULL
)
1411 panic("ipsec_init_policy: NULL pointer was passed.\n");
1413 new = ipsec_newpcbpolicy();
1415 ipseclog((LOG_DEBUG
, "ipsec_init_policy: No more memory.\n"));
1418 bzero(new, sizeof(*new));
1421 if (kauth_cred_issuser(so
->so_cred
))
1423 if (so
->so_cred
!= 0 && !suser(so
->so_cred
->pc_ucred
, NULL
))
1429 if ((new->sp_in
= key_newsp()) == NULL
) {
1430 ipsec_delpcbpolicy(new);
1433 new->sp_in
->state
= IPSEC_SPSTATE_ALIVE
;
1434 new->sp_in
->policy
= IPSEC_POLICY_ENTRUST
;
1436 if ((new->sp_out
= key_newsp()) == NULL
) {
1437 key_freesp(new->sp_in
, KEY_SADB_UNLOCKED
);
1438 ipsec_delpcbpolicy(new);
1441 new->sp_out
->state
= IPSEC_SPSTATE_ALIVE
;
1442 new->sp_out
->policy
= IPSEC_POLICY_ENTRUST
;
1449 /* copy old ipsec policy into new */
1451 ipsec_copy_policy(struct inpcbpolicy
*old
,
1452 struct inpcbpolicy
*new)
1454 struct secpolicy
*sp
;
1456 if (ipsec_bypass
!= 0)
1459 sp
= ipsec_deepcopy_policy(old
->sp_in
);
1461 key_freesp(new->sp_in
, KEY_SADB_UNLOCKED
);
1466 sp
= ipsec_deepcopy_policy(old
->sp_out
);
1468 key_freesp(new->sp_out
, KEY_SADB_UNLOCKED
);
1473 new->priv
= old
->priv
;
1478 /* deep-copy a policy in PCB */
1479 static struct secpolicy
*
1480 ipsec_deepcopy_policy(struct secpolicy
*src
)
1482 struct ipsecrequest
*newchain
= NULL
;
1483 struct ipsecrequest
*p
;
1484 struct ipsecrequest
**q
;
1485 struct ipsecrequest
*r
;
1486 struct secpolicy
*dst
;
1495 * deep-copy IPsec request chain. This is required since struct
1496 * ipsecrequest is not reference counted.
1499 for (p
= src
->req
; p
; p
= p
->next
) {
1500 *q
= (struct ipsecrequest
*)_MALLOC(sizeof(struct ipsecrequest
),
1501 M_SECA
, M_WAITOK
| M_ZERO
);
1506 (*q
)->saidx
.proto
= p
->saidx
.proto
;
1507 (*q
)->saidx
.mode
= p
->saidx
.mode
;
1508 (*q
)->level
= p
->level
;
1509 (*q
)->saidx
.reqid
= p
->saidx
.reqid
;
1511 bcopy(&p
->saidx
.src
, &(*q
)->saidx
.src
, sizeof((*q
)->saidx
.src
));
1512 bcopy(&p
->saidx
.dst
, &(*q
)->saidx
.dst
, sizeof((*q
)->saidx
.dst
));
1519 dst
->req
= newchain
;
1520 dst
->state
= src
->state
;
1521 dst
->policy
= src
->policy
;
1522 /* do not touch the refcnt fields */
1527 for (p
= newchain
; p
; p
= r
) {
1532 key_freesp(dst
, KEY_SADB_UNLOCKED
);
1536 /* set policy and ipsec request if present. */
1538 ipsec_set_policy(struct secpolicy
**pcb_sp
,
1539 __unused
int optname
,
1544 struct sadb_x_policy
*xpl
;
1545 struct secpolicy
*newsp
= NULL
;
1549 if (pcb_sp
== NULL
|| *pcb_sp
== NULL
|| request
== NULL
)
1551 if (len
< sizeof(*xpl
))
1553 xpl
= (struct sadb_x_policy
*)(void *)request
;
1555 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1556 printf("ipsec_set_policy: passed policy\n");
1557 kdebug_sadb_x_policy((struct sadb_ext
*)xpl
));
1559 /* check policy type */
1560 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1561 if (xpl
->sadb_x_policy_type
== IPSEC_POLICY_DISCARD
1562 || xpl
->sadb_x_policy_type
== IPSEC_POLICY_NONE
)
1565 /* check privileged socket */
1566 if (priv
== 0 && xpl
->sadb_x_policy_type
== IPSEC_POLICY_BYPASS
)
1569 /* allocation new SP entry */
1570 if ((newsp
= key_msg2sp(xpl
, len
, &error
)) == NULL
)
1573 newsp
->state
= IPSEC_SPSTATE_ALIVE
;
1575 /* clear old SP and set new SP */
1576 key_freesp(*pcb_sp
, KEY_SADB_UNLOCKED
);
1578 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1579 printf("ipsec_set_policy: new policy\n");
1580 kdebug_secpolicy(newsp
));
1586 ipsec4_set_policy(struct inpcb
*inp
,
1592 struct sadb_x_policy
*xpl
;
1593 struct secpolicy
**pcb_sp
;
1595 struct sadb_x_policy xpl_aligned_buf
;
1596 u_int8_t
*xpl_unaligned
;
1599 if (inp
== NULL
|| request
== NULL
)
1601 if (len
< sizeof(*xpl
))
1603 xpl
= (struct sadb_x_policy
*)(void *)request
;
1605 /* This is a new mbuf allocated by soopt_getm() */
1606 if (IPSEC_IS_P2ALIGNED(xpl
)) {
1607 xpl_unaligned
= NULL
;
1609 xpl_unaligned
= (__typeof__(xpl_unaligned
))xpl
;
1610 memcpy(&xpl_aligned_buf
, xpl
, sizeof(xpl_aligned_buf
));
1611 xpl
= (__typeof__(xpl
))&xpl_aligned_buf
;
1614 if (inp
->inp_sp
== NULL
) {
1615 error
= ipsec_init_policy(inp
->inp_socket
, &inp
->inp_sp
);
1620 /* select direction */
1621 switch (xpl
->sadb_x_policy_dir
) {
1622 case IPSEC_DIR_INBOUND
:
1623 pcb_sp
= &inp
->inp_sp
->sp_in
;
1625 case IPSEC_DIR_OUTBOUND
:
1626 pcb_sp
= &inp
->inp_sp
->sp_out
;
1629 ipseclog((LOG_ERR
, "ipsec4_set_policy: invalid direction=%u\n",
1630 xpl
->sadb_x_policy_dir
));
1634 /* turn bypass off */
1635 if (ipsec_bypass
!= 0)
1638 return ipsec_set_policy(pcb_sp
, optname
, request
, len
, priv
);
1641 /* delete policy in PCB */
1643 ipsec4_delete_pcbpolicy(struct inpcb
*inp
)
1648 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n");
1650 if (inp
->inp_sp
== NULL
)
1653 if (inp
->inp_sp
->sp_in
!= NULL
) {
1654 key_freesp(inp
->inp_sp
->sp_in
, KEY_SADB_UNLOCKED
);
1655 inp
->inp_sp
->sp_in
= NULL
;
1658 if (inp
->inp_sp
->sp_out
!= NULL
) {
1659 key_freesp(inp
->inp_sp
->sp_out
, KEY_SADB_UNLOCKED
);
1660 inp
->inp_sp
->sp_out
= NULL
;
1663 ipsec_delpcbpolicy(inp
->inp_sp
);
1671 ipsec6_set_policy(struct in6pcb
*in6p
,
1677 struct sadb_x_policy
*xpl
;
1678 struct secpolicy
**pcb_sp
;
1680 struct sadb_x_policy xpl_aligned_buf
;
1681 u_int8_t
*xpl_unaligned
;
1684 if (in6p
== NULL
|| request
== NULL
)
1686 if (len
< sizeof(*xpl
))
1688 xpl
= (struct sadb_x_policy
*)(void *)request
;
1690 /* This is a new mbuf allocated by soopt_getm() */
1691 if (IPSEC_IS_P2ALIGNED(xpl
)) {
1692 xpl_unaligned
= NULL
;
1694 xpl_unaligned
= (__typeof__(xpl_unaligned
))xpl
;
1695 memcpy(&xpl_aligned_buf
, xpl
, sizeof(xpl_aligned_buf
));
1696 xpl
= (__typeof__(xpl
))&xpl_aligned_buf
;
1699 if (in6p
->in6p_sp
== NULL
) {
1700 error
= ipsec_init_policy(in6p
->inp_socket
, &in6p
->in6p_sp
);
1705 /* select direction */
1706 switch (xpl
->sadb_x_policy_dir
) {
1707 case IPSEC_DIR_INBOUND
:
1708 pcb_sp
= &in6p
->in6p_sp
->sp_in
;
1710 case IPSEC_DIR_OUTBOUND
:
1711 pcb_sp
= &in6p
->in6p_sp
->sp_out
;
1714 ipseclog((LOG_ERR
, "ipsec6_set_policy: invalid direction=%u\n",
1715 xpl
->sadb_x_policy_dir
));
1719 return ipsec_set_policy(pcb_sp
, optname
, request
, len
, priv
);
1723 ipsec6_delete_pcbpolicy(struct in6pcb
*in6p
)
1728 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n");
1730 if (in6p
->in6p_sp
== NULL
)
1733 if (in6p
->in6p_sp
->sp_in
!= NULL
) {
1734 key_freesp(in6p
->in6p_sp
->sp_in
, KEY_SADB_UNLOCKED
);
1735 in6p
->in6p_sp
->sp_in
= NULL
;
1738 if (in6p
->in6p_sp
->sp_out
!= NULL
) {
1739 key_freesp(in6p
->in6p_sp
->sp_out
, KEY_SADB_UNLOCKED
);
1740 in6p
->in6p_sp
->sp_out
= NULL
;
1743 ipsec_delpcbpolicy(in6p
->in6p_sp
);
1744 in6p
->in6p_sp
= NULL
;
1751 * return current level.
1752 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1755 ipsec_get_reqlevel(struct ipsecrequest
*isr
)
1758 u_int esp_trans_deflev
= 0, esp_net_deflev
= 0, ah_trans_deflev
= 0, ah_net_deflev
= 0;
1761 if (isr
== NULL
|| isr
->sp
== NULL
)
1762 panic("ipsec_get_reqlevel: NULL pointer is passed.\n");
1763 if (((struct sockaddr
*)&isr
->sp
->spidx
.src
)->sa_family
1764 != ((struct sockaddr
*)&isr
->sp
->spidx
.dst
)->sa_family
)
1765 panic("ipsec_get_reqlevel: family mismatched.\n");
1767 /* XXX note that we have ipseclog() expanded here - code sync issue */
1768 #define IPSEC_CHECK_DEFAULT(lev) \
1769 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1770 && (lev) != IPSEC_LEVEL_UNIQUE) \
1772 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1773 (lev), IPSEC_LEVEL_REQUIRE) \
1775 (lev) = IPSEC_LEVEL_REQUIRE, \
1779 /* set default level */
1780 switch (((struct sockaddr
*)&isr
->sp
->spidx
.src
)->sa_family
) {
1783 esp_trans_deflev
= IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev
);
1784 esp_net_deflev
= IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev
);
1785 ah_trans_deflev
= IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev
);
1786 ah_net_deflev
= IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev
);
1791 esp_trans_deflev
= IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev
);
1792 esp_net_deflev
= IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev
);
1793 ah_trans_deflev
= IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev
);
1794 ah_net_deflev
= IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev
);
1798 panic("key_get_reqlevel: Unknown family. %d\n",
1799 ((struct sockaddr
*)&isr
->sp
->spidx
.src
)->sa_family
);
1802 #undef IPSEC_CHECK_DEFAULT
1805 switch (isr
->level
) {
1806 case IPSEC_LEVEL_DEFAULT
:
1807 switch (isr
->saidx
.proto
) {
1809 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
)
1810 level
= esp_net_deflev
;
1812 level
= esp_trans_deflev
;
1815 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
)
1816 level
= ah_net_deflev
;
1818 level
= ah_trans_deflev
;
1820 case IPPROTO_IPCOMP
:
1822 * we don't really care, as IPcomp document says that
1823 * we shouldn't compress small packets
1825 level
= IPSEC_LEVEL_USE
;
1828 panic("ipsec_get_reqlevel: "
1829 "Illegal protocol defined %u\n",
1834 case IPSEC_LEVEL_USE
:
1835 case IPSEC_LEVEL_REQUIRE
:
1838 case IPSEC_LEVEL_UNIQUE
:
1839 level
= IPSEC_LEVEL_REQUIRE
;
1843 panic("ipsec_get_reqlevel: Illegal IPsec level %u\n",
1851 * Check AH/ESP integrity.
1857 ipsec_in_reject(struct secpolicy
*sp
, struct mbuf
*m
)
1859 struct ipsecrequest
*isr
;
1861 int need_auth
, need_conf
, need_icv
;
1863 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
1864 printf("ipsec_in_reject: using SP\n");
1865 kdebug_secpolicy(sp
));
1868 switch (sp
->policy
) {
1869 case IPSEC_POLICY_DISCARD
:
1870 case IPSEC_POLICY_GENERATE
:
1872 case IPSEC_POLICY_BYPASS
:
1873 case IPSEC_POLICY_NONE
:
1876 case IPSEC_POLICY_IPSEC
:
1879 case IPSEC_POLICY_ENTRUST
:
1881 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp
->policy
);
1888 /* XXX should compare policy against ipsec header history */
1890 for (isr
= sp
->req
; isr
!= NULL
; isr
= isr
->next
) {
1892 /* get current level */
1893 level
= ipsec_get_reqlevel(isr
);
1895 switch (isr
->saidx
.proto
) {
1897 if (level
== IPSEC_LEVEL_REQUIRE
) {
1901 /* this won't work with multiple input threads - isr->sav would change
1902 * with every packet and is not necessarily related to the current packet
1903 * being processed. If ESP processing is required - the esp code should
1904 * make sure that the integrity check is present and correct. I don't see
1905 * why it would be necessary to check for the presence of the integrity
1906 * check value here. I think this is just wrong.
1907 * isr->sav has been removed.
1908 * %%%%%% this needs to be re-worked at some point but I think the code below can
1909 * be ignored for now.
1911 if (isr
->sav
!= NULL
1912 && isr
->sav
->flags
== SADB_X_EXT_NONE
1913 && isr
->sav
->alg_auth
!= SADB_AALG_NONE
)
1919 if (level
== IPSEC_LEVEL_REQUIRE
) {
1924 case IPPROTO_IPCOMP
:
1926 * we don't really care, as IPcomp document says that
1927 * we shouldn't compress small packets, IPComp policy
1928 * should always be treated as being in "use" level.
1934 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1935 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1936 need_auth
, need_conf
, need_icv
, m
->m_flags
));
1938 if ((need_conf
&& !(m
->m_flags
& M_DECRYPTED
))
1939 || (!need_auth
&& need_icv
&& !(m
->m_flags
& M_AUTHIPDGM
))
1940 || (need_auth
&& !(m
->m_flags
& M_AUTHIPHDR
)))
1947 * Check AH/ESP integrity.
1948 * This function is called from tcp_input(), udp_input(),
1949 * and {ah,esp}4_input for tunnel mode
1952 ipsec4_in_reject_so(struct mbuf
*m
, struct socket
*so
)
1954 struct secpolicy
*sp
= NULL
;
1958 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
1961 return 0; /* XXX should be panic ? */
1963 /* get SP for this packet.
1964 * When we are called from ip_forward(), we call
1965 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1968 sp
= ipsec4_getpolicybyaddr(m
, IPSEC_DIR_INBOUND
, IP_FORWARDING
, &error
);
1970 sp
= ipsec4_getpolicybyaddr(m
, IPSEC_DIR_INBOUND
, 0, &error
);
1973 return 0; /* XXX should be panic ?
1974 * -> No, there may be error. */
1976 result
= ipsec_in_reject(sp
, m
);
1977 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
1978 printf("DP ipsec4_in_reject_so call free SP:0x%llx\n",
1979 (uint64_t)VM_KERNEL_ADDRPERM(sp
)));
1980 key_freesp(sp
, KEY_SADB_UNLOCKED
);
1986 ipsec4_in_reject(struct mbuf
*m
, struct inpcb
*inp
)
1988 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
1990 return ipsec4_in_reject_so(m
, NULL
);
1991 if (inp
->inp_socket
)
1992 return ipsec4_in_reject_so(m
, inp
->inp_socket
);
1994 panic("ipsec4_in_reject: invalid inpcb/socket");
2002 * Check AH/ESP integrity.
2003 * This function is called from tcp6_input(), udp6_input(),
2004 * and {ah,esp}6_input for tunnel mode
2007 ipsec6_in_reject_so(struct mbuf
*m
, struct socket
*so
)
2009 struct secpolicy
*sp
= NULL
;
2013 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
2016 return 0; /* XXX should be panic ? */
2018 /* get SP for this packet.
2019 * When we are called from ip_forward(), we call
2020 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
2023 sp
= ipsec6_getpolicybyaddr(m
, IPSEC_DIR_INBOUND
, IP_FORWARDING
, &error
);
2025 sp
= ipsec6_getpolicybyaddr(m
, IPSEC_DIR_INBOUND
, 0, &error
);
2028 return 0; /* XXX should be panic ? */
2030 result
= ipsec_in_reject(sp
, m
);
2031 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
2032 printf("DP ipsec6_in_reject_so call free SP:0x%llx\n",
2033 (uint64_t)VM_KERNEL_ADDRPERM(sp
)));
2034 key_freesp(sp
, KEY_SADB_UNLOCKED
);
2040 ipsec6_in_reject(struct mbuf
*m
, struct in6pcb
*in6p
)
2043 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
2045 return ipsec6_in_reject_so(m
, NULL
);
2046 if (in6p
->in6p_socket
)
2047 return ipsec6_in_reject_so(m
, in6p
->in6p_socket
);
2049 panic("ipsec6_in_reject: invalid in6p/socket");
2057 * compute the byte size to be occupied by IPsec header.
2058 * in case it is tunneled, it includes the size of outer IP header.
2059 * NOTE: SP passed is free in this function.
2062 ipsec_hdrsiz(struct secpolicy
*sp
)
2064 struct ipsecrequest
*isr
;
2067 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
2068 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
2069 printf("ipsec_hdrsiz: using SP\n");
2070 kdebug_secpolicy(sp
));
2073 switch (sp
->policy
) {
2074 case IPSEC_POLICY_DISCARD
:
2075 case IPSEC_POLICY_GENERATE
:
2076 case IPSEC_POLICY_BYPASS
:
2077 case IPSEC_POLICY_NONE
:
2080 case IPSEC_POLICY_IPSEC
:
2083 case IPSEC_POLICY_ENTRUST
:
2085 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp
->policy
);
2090 for (isr
= sp
->req
; isr
!= NULL
; isr
= isr
->next
) {
2094 switch (isr
->saidx
.proto
) {
2097 clen
= esp_hdrsiz(isr
);
2103 clen
= ah_hdrsiz(isr
);
2105 case IPPROTO_IPCOMP
:
2106 clen
= sizeof(struct ipcomp
);
2110 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
) {
2111 switch (((struct sockaddr
*)&isr
->saidx
.dst
)->sa_family
) {
2113 clen
+= sizeof(struct ip
);
2117 clen
+= sizeof(struct ip6_hdr
);
2121 ipseclog((LOG_ERR
, "ipsec_hdrsiz: "
2122 "unknown AF %d in IPsec tunnel SA\n",
2123 ((struct sockaddr
*)&isr
->saidx
.dst
)->sa_family
));
2133 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
2135 ipsec4_hdrsiz(struct mbuf
*m
, u_int dir
, struct inpcb
*inp
)
2137 struct secpolicy
*sp
= NULL
;
2141 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
2144 return 0; /* XXX should be panic ? */
2145 if (inp
!= NULL
&& inp
->inp_socket
== NULL
)
2146 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
2148 /* get SP for this packet.
2149 * When we are called from ip_forward(), we call
2150 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
2153 sp
= ipsec4_getpolicybyaddr(m
, dir
, IP_FORWARDING
, &error
);
2155 sp
= ipsec4_getpolicybyaddr(m
, dir
, 0, &error
);
2158 return 0; /* XXX should be panic ? */
2160 size
= ipsec_hdrsiz(sp
);
2161 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
2162 printf("DP ipsec4_hdrsiz call free SP:0x%llx\n",
2163 (uint64_t)VM_KERNEL_ADDRPERM(sp
)));
2164 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
2165 printf("ipsec4_hdrsiz: size:%lu.\n", (u_int32_t
)size
));
2166 key_freesp(sp
, KEY_SADB_UNLOCKED
);
2172 /* This function is called from ipsec6_hdrsize_tcp(),
2173 * and maybe from ip6_forward.()
2176 ipsec6_hdrsiz(struct mbuf
*m
, u_int dir
, struct in6pcb
*in6p
)
2178 struct secpolicy
*sp
= NULL
;
2182 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
2185 return 0; /* XXX shoud be panic ? */
2186 if (in6p
!= NULL
&& in6p
->in6p_socket
== NULL
)
2187 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2189 /* get SP for this packet */
2190 /* XXX Is it right to call with IP_FORWARDING. */
2192 sp
= ipsec6_getpolicybyaddr(m
, dir
, IP_FORWARDING
, &error
);
2194 sp
= ipsec6_getpolicybyaddr(m
, dir
, 0, &error
);
2198 size
= ipsec_hdrsiz(sp
);
2199 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
2200 printf("DP ipsec6_hdrsiz call free SP:0x%llx\n",
2201 (uint64_t)VM_KERNEL_ADDRPERM(sp
)));
2202 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
2203 printf("ipsec6_hdrsiz: size:%lu.\n", (u_int32_t
)size
));
2204 key_freesp(sp
, KEY_SADB_UNLOCKED
);
2212 * encapsulate for ipsec tunnel.
2213 * ip->ip_src must be fixed later on.
2216 ipsec4_encapsulate(struct mbuf
*m
, struct secasvar
*sav
)
2223 /* can't tunnel between different AFs */
2224 if (((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
2225 != ((struct sockaddr
*)&sav
->sah
->saidx
.dst
)->sa_family
2226 || ((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
!= AF_INET
) {
2231 /* XXX if the dst is myself, perform nothing. */
2232 if (key_ismyaddr((struct sockaddr
*)&sav
->sah
->saidx
.dst
)) {
2238 if (m
->m_len
< sizeof(*ip
))
2239 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2241 ip
= mtod(m
, struct ip
*);
2243 hlen
= _IP_VHL_HL(ip
->ip_vhl
) << 2;
2245 hlen
= ip
->ip_hl
<< 2;
2248 if (m
->m_len
!= hlen
)
2249 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2251 /* generate header checksum */
2254 ip
->ip_sum
= in_cksum(m
, hlen
);
2256 ip
->ip_sum
= in_cksum(m
, hlen
);
2259 plen
= m
->m_pkthdr
.len
;
2262 * grow the mbuf to accomodate the new IPv4 header.
2263 * NOTE: IPv4 options will never be copied.
2265 if (M_LEADINGSPACE(m
->m_next
) < hlen
) {
2267 MGET(n
, M_DONTWAIT
, MT_DATA
);
2273 n
->m_next
= m
->m_next
;
2275 m
->m_pkthdr
.len
+= hlen
;
2276 oip
= mtod(n
, struct ip
*);
2278 m
->m_next
->m_len
+= hlen
;
2279 m
->m_next
->m_data
-= hlen
;
2280 m
->m_pkthdr
.len
+= hlen
;
2281 oip
= mtod(m
->m_next
, struct ip
*);
2283 ip
= mtod(m
, struct ip
*);
2284 ovbcopy((caddr_t
)ip
, (caddr_t
)oip
, hlen
);
2285 m
->m_len
= sizeof(struct ip
);
2286 m
->m_pkthdr
.len
-= (hlen
- sizeof(struct ip
));
2288 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2289 /* ECN consideration. */
2290 ip_ecn_ingress(ip4_ipsec_ecn
, &ip
->ip_tos
, &oip
->ip_tos
);
2292 ip
->ip_vhl
= IP_MAKE_VHL(IPVERSION
, sizeof(struct ip
) >> 2);
2294 ip
->ip_hl
= sizeof(struct ip
) >> 2;
2296 ip
->ip_off
&= htons(~IP_OFFMASK
);
2297 ip
->ip_off
&= htons(~IP_MF
);
2298 switch (ip4_ipsec_dfbit
) {
2299 case 0: /* clear DF bit */
2300 ip
->ip_off
&= htons(~IP_DF
);
2302 case 1: /* set DF bit */
2303 ip
->ip_off
|= htons(IP_DF
);
2305 default: /* copy DF bit */
2308 ip
->ip_p
= IPPROTO_IPIP
;
2309 if (plen
+ sizeof(struct ip
) < IP_MAXPACKET
)
2310 ip
->ip_len
= htons(plen
+ sizeof(struct ip
));
2312 ipseclog((LOG_ERR
, "IPv4 ipsec: size exceeds limit: "
2313 "leave ip_len as is (invalid packet)\n"));
2315 ip
->ip_id
= ip_randomid();
2316 bcopy(&((struct sockaddr_in
*)&sav
->sah
->saidx
.src
)->sin_addr
,
2317 &ip
->ip_src
, sizeof(ip
->ip_src
));
2318 bcopy(&((struct sockaddr_in
*)&sav
->sah
->saidx
.dst
)->sin_addr
,
2319 &ip
->ip_dst
, sizeof(ip
->ip_dst
));
2320 ip
->ip_ttl
= IPDEFTTL
;
2322 /* XXX Should ip_src be updated later ? */
2331 ipsec6_encapsulate(struct mbuf
*m
, struct secasvar
*sav
)
2333 struct ip6_hdr
*oip6
;
2334 struct ip6_hdr
*ip6
;
2337 /* can't tunnel between different AFs */
2338 if (((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
2339 != ((struct sockaddr
*)&sav
->sah
->saidx
.dst
)->sa_family
2340 || ((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
!= AF_INET6
) {
2345 /* XXX if the dst is myself, perform nothing. */
2346 if (key_ismyaddr((struct sockaddr
*)&sav
->sah
->saidx
.dst
)) {
2352 plen
= m
->m_pkthdr
.len
;
2355 * grow the mbuf to accomodate the new IPv6 header.
2357 if (m
->m_len
!= sizeof(struct ip6_hdr
))
2358 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2359 if (M_LEADINGSPACE(m
->m_next
) < sizeof(struct ip6_hdr
)) {
2361 MGET(n
, M_DONTWAIT
, MT_DATA
);
2366 n
->m_len
= sizeof(struct ip6_hdr
);
2367 n
->m_next
= m
->m_next
;
2369 m
->m_pkthdr
.len
+= sizeof(struct ip6_hdr
);
2370 oip6
= mtod(n
, struct ip6_hdr
*);
2372 m
->m_next
->m_len
+= sizeof(struct ip6_hdr
);
2373 m
->m_next
->m_data
-= sizeof(struct ip6_hdr
);
2374 m
->m_pkthdr
.len
+= sizeof(struct ip6_hdr
);
2375 oip6
= mtod(m
->m_next
, struct ip6_hdr
*);
2377 ip6
= mtod(m
, struct ip6_hdr
*);
2378 ovbcopy((caddr_t
)ip6
, (caddr_t
)oip6
, sizeof(struct ip6_hdr
));
2380 /* Fake link-local scope-class addresses */
2381 if (IN6_IS_SCOPE_LINKLOCAL(&oip6
->ip6_src
))
2382 oip6
->ip6_src
.s6_addr16
[1] = 0;
2383 if (IN6_IS_SCOPE_LINKLOCAL(&oip6
->ip6_dst
))
2384 oip6
->ip6_dst
.s6_addr16
[1] = 0;
2386 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2387 /* ECN consideration. */
2388 ip6_ecn_ingress(ip6_ipsec_ecn
, &ip6
->ip6_flow
, &oip6
->ip6_flow
);
2389 if (plen
< IPV6_MAXPACKET
- sizeof(struct ip6_hdr
))
2390 ip6
->ip6_plen
= htons(plen
);
2392 /* ip6->ip6_plen will be updated in ip6_output() */
2394 ip6
->ip6_nxt
= IPPROTO_IPV6
;
2395 bcopy(&((struct sockaddr_in6
*)&sav
->sah
->saidx
.src
)->sin6_addr
,
2396 &ip6
->ip6_src
, sizeof(ip6
->ip6_src
));
2397 bcopy(&((struct sockaddr_in6
*)&sav
->sah
->saidx
.dst
)->sin6_addr
,
2398 &ip6
->ip6_dst
, sizeof(ip6
->ip6_dst
));
2399 ip6
->ip6_hlim
= IPV6_DEFHLIM
;
2401 /* XXX Should ip6_src be updated later ? */
2407 ipsec64_encapsulate(struct mbuf
*m
, struct secasvar
*sav
)
2409 struct ip6_hdr
*ip6
, *ip6i
;
2414 /* tunneling over IPv4 */
2415 if (((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
2416 != ((struct sockaddr
*)&sav
->sah
->saidx
.dst
)->sa_family
2417 || ((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
!= AF_INET
) {
2422 /* XXX if the dst is myself, perform nothing. */
2423 if (key_ismyaddr((struct sockaddr
*)&sav
->sah
->saidx
.dst
)) {
2429 plen
= m
->m_pkthdr
.len
;
2430 ip6
= mtod(m
, struct ip6_hdr
*);
2431 hlim
= ip6
->ip6_hlim
;
2433 * grow the mbuf to accomodate the new IPv4 header.
2435 if (m
->m_len
!= sizeof(struct ip6_hdr
))
2436 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2437 if (M_LEADINGSPACE(m
->m_next
) < sizeof(struct ip6_hdr
)) {
2439 MGET(n
, M_DONTWAIT
, MT_DATA
);
2444 n
->m_len
= sizeof(struct ip6_hdr
);
2445 n
->m_next
= m
->m_next
;
2447 m
->m_pkthdr
.len
+= sizeof(struct ip
);
2448 ip6i
= mtod(n
, struct ip6_hdr
*);
2450 m
->m_next
->m_len
+= sizeof(struct ip6_hdr
);
2451 m
->m_next
->m_data
-= sizeof(struct ip6_hdr
);
2452 m
->m_pkthdr
.len
+= sizeof(struct ip
);
2453 ip6i
= mtod(m
->m_next
, struct ip6_hdr
*);
2456 bcopy(ip6
, ip6i
, sizeof(struct ip6_hdr
));
2457 ip
= mtod(m
, struct ip
*);
2458 m
->m_len
= sizeof(struct ip
);
2460 * Fill in some of the IPv4 fields - we don't need all of them
2461 * because the rest will be filled in by ip_output
2463 ip
->ip_v
= IPVERSION
;
2464 ip
->ip_hl
= sizeof(struct ip
) >> 2;
2470 ip
->ip_p
= IPPROTO_IPV6
;
2472 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2473 /* ECN consideration. */
2474 ip64_ecn_ingress(ip4_ipsec_ecn
, &ip
->ip_tos
, &ip6
->ip6_flow
);
2476 if (plen
+ sizeof(struct ip
) < IP_MAXPACKET
)
2477 ip
->ip_len
= htons(plen
+ sizeof(struct ip
));
2479 ip
->ip_len
= htons(plen
);
2480 ipseclog((LOG_ERR
, "IPv4 ipsec: size exceeds limit: "
2481 "leave ip_len as is (invalid packet)\n"));
2483 bcopy(&((struct sockaddr_in
*)&sav
->sah
->saidx
.src
)->sin_addr
,
2484 &ip
->ip_src
, sizeof(ip
->ip_src
));
2485 bcopy(&((struct sockaddr_in
*)&sav
->sah
->saidx
.dst
)->sin_addr
,
2486 &ip
->ip_dst
, sizeof(ip
->ip_dst
));
2492 ipsec6_update_routecache_and_output(
2493 struct ipsec_output_state
*state
,
2494 struct secasvar
*sav
)
2496 struct sockaddr_in6
* dst6
;
2498 struct ip6_hdr
*ip6
;
2502 struct ip6_out_args ip6oa
;
2503 struct route_in6 ro6_new
;
2504 struct flowadv
*adv
= NULL
;
2509 ip6
= mtod(state
->m
, struct ip6_hdr
*);
2511 // grab sadb_mutex, before updating sah's route cache
2512 lck_mtx_lock(sadb_mutex
);
2513 ro6
= &sav
->sah
->sa_route
;
2514 dst6
= (struct sockaddr_in6
*)(void *)&ro6
->ro_dst
;
2516 RT_LOCK(ro6
->ro_rt
);
2518 if (ROUTE_UNUSABLE(ro6
) ||
2519 !IN6_ARE_ADDR_EQUAL(&dst6
->sin6_addr
, &ip6
->ip6_dst
)) {
2520 if (ro6
->ro_rt
!= NULL
)
2521 RT_UNLOCK(ro6
->ro_rt
);
2524 if (ro6
->ro_rt
== 0) {
2525 bzero(dst6
, sizeof(*dst6
));
2526 dst6
->sin6_family
= AF_INET6
;
2527 dst6
->sin6_len
= sizeof(*dst6
);
2528 dst6
->sin6_addr
= ip6
->ip6_dst
;
2529 rtalloc_scoped(ro6
, sav
->sah
->outgoing_if
);
2531 RT_LOCK(ro6
->ro_rt
);
2534 if (ro6
->ro_rt
== 0) {
2535 ip6stat
.ip6s_noroute
++;
2536 IPSEC_STAT_INCREMENT(ipsec6stat
.out_noroute
);
2537 error
= EHOSTUNREACH
;
2538 // release sadb_mutex, after updating sah's route cache
2539 lck_mtx_unlock(sadb_mutex
);
2544 * adjust state->dst if tunnel endpoint is offlink
2546 * XXX: caching rt_gateway value in the state is
2547 * not really good, since it may point elsewhere
2548 * when the gateway gets modified to a larger
2549 * sockaddr via rt_setgate(). This is currently
2550 * addressed by SA_SIZE roundup in that routine.
2552 if (ro6
->ro_rt
->rt_flags
& RTF_GATEWAY
)
2553 dst6
= (struct sockaddr_in6
*)(void *)ro6
->ro_rt
->rt_gateway
;
2554 RT_UNLOCK(ro6
->ro_rt
);
2555 ROUTE_RELEASE(&state
->ro
);
2556 route_copyout(&state
->ro
, ro6
, sizeof(state
->ro
));
2557 state
->dst
= (struct sockaddr
*)dst6
;
2558 state
->tunneled
= 6;
2559 // release sadb_mutex, after updating sah's route cache
2560 lck_mtx_unlock(sadb_mutex
);
2562 state
->m
= ipsec6_splithdr(state
->m
);
2564 IPSEC_STAT_INCREMENT(ipsec6stat
.out_nomem
);
2569 ip6
= mtod(state
->m
, struct ip6_hdr
*);
2570 switch (sav
->sah
->saidx
.proto
) {
2573 error
= esp6_output(state
->m
, &ip6
->ip6_nxt
, state
->m
->m_next
, sav
);
2580 error
= ah6_output(state
->m
, &ip6
->ip6_nxt
, state
->m
->m_next
, sav
);
2582 case IPPROTO_IPCOMP
:
2583 /* XXX code should be here */
2586 ipseclog((LOG_ERR
, "%s: unknown ipsec protocol %d\n", __FUNCTION__
, sav
->sah
->saidx
.proto
));
2588 IPSEC_STAT_INCREMENT(ipsec6stat
.out_inval
);
2593 // If error, packet already freed by above output routines
2598 plen
= state
->m
->m_pkthdr
.len
- sizeof(struct ip6_hdr
);
2599 if (plen
> IPV6_MAXPACKET
) {
2600 ipseclog((LOG_ERR
, "%s: IPsec with IPv6 jumbogram is not supported\n", __FUNCTION__
));
2601 IPSEC_STAT_INCREMENT(ipsec6stat
.out_inval
);
2602 error
= EINVAL
;/*XXX*/
2605 ip6
= mtod(state
->m
, struct ip6_hdr
*);
2606 ip6
->ip6_plen
= htons(plen
);
2608 ipsec_set_pkthdr_for_interface(sav
->sah
->ipsec_if
, state
->m
, AF_INET6
);
2609 ipsec_set_ip6oa_for_interface(sav
->sah
->ipsec_if
, &ip6oa
);
2611 /* Increment statistics */
2612 ifnet_stat_increment_out(sav
->sah
->ipsec_if
, 1, mbuf_pkthdr_len(state
->m
), 0);
2614 /* Send to ip6_output */
2615 bzero(&ro6_new
, sizeof(ro6_new
));
2616 bzero(&ip6oa
, sizeof(ip6oa
));
2617 ip6oa
.ip6oa_flowadv
.code
= 0;
2618 ip6oa
.ip6oa_flags
= IP6OAF_SELECT_SRCIF
| IP6OAF_BOUND_SRCADDR
;
2619 if (state
->outgoing_if
) {
2620 ip6oa
.ip6oa_boundif
= state
->outgoing_if
;
2621 ip6oa
.ip6oa_flags
|= IP6OAF_BOUND_IF
;
2624 adv
= &ip6oa
.ip6oa_flowadv
;
2625 (void) ip6_output(state
->m
, NULL
, &ro6_new
, IPV6_OUTARGS
, NULL
, NULL
, &ip6oa
);
2627 if (adv
->code
== FADV_FLOW_CONTROLLED
|| adv
->code
== FADV_SUSPENDED
) {
2629 ifnet_disable_output(sav
->sah
->ipsec_if
);
2637 ipsec46_encapsulate(struct ipsec_output_state
*state
, struct secasvar
*sav
)
2640 struct ip6_hdr
*ip6
;
2651 /* can't tunnel between different AFs */
2652 if (((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
2653 != ((struct sockaddr
*)&sav
->sah
->saidx
.dst
)->sa_family
2654 || ((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
!= AF_INET6
) {
2659 /* XXX if the dst is myself, perform nothing. */
2660 if (key_ismyaddr((struct sockaddr
*)&sav
->sah
->saidx
.dst
)) {
2666 if (m
->m_len
< sizeof(*ip
)) {
2667 panic("ipsec46_encapsulate: assumption failed (first mbuf length)");
2671 ip
= mtod(m
, struct ip
*);
2673 hlen
= _IP_VHL_HL(ip
->ip_vhl
) << 2;
2675 hlen
= ip
->ip_hl
<< 2;
2678 if (m
->m_len
!= hlen
) {
2679 panic("ipsec46_encapsulate: assumption failed (first mbuf length)");
2683 /* generate header checksum */
2686 ip
->ip_sum
= in_cksum(m
, hlen
);
2688 ip
->ip_sum
= in_cksum(m
, hlen
);
2691 plen
= m
->m_pkthdr
.len
; // save original IPv4 packet len, this will be ipv6 payload len
2694 * First move the IPv4 header to the second mbuf in the chain
2696 if (M_LEADINGSPACE(m
->m_next
) < hlen
) {
2698 MGET(n
, M_DONTWAIT
, MT_DATA
);
2704 n
->m_next
= m
->m_next
;
2706 m
->m_pkthdr
.len
+= sizeof(struct ip6_hdr
);
2707 oip
= mtod(n
, struct ip
*);
2709 m
->m_next
->m_len
+= hlen
;
2710 m
->m_next
->m_data
-= hlen
;
2711 m
->m_pkthdr
.len
+= sizeof(struct ip6_hdr
);
2712 oip
= mtod(m
->m_next
, struct ip
*);
2714 ip
= mtod(m
, struct ip
*);
2715 ovbcopy((caddr_t
)ip
, (caddr_t
)oip
, hlen
);
2718 * Grow the first mbuf to accomodate the new IPv6 header.
2720 if (M_LEADINGSPACE(m
) < sizeof(struct ip6_hdr
) - hlen
) {
2722 MGETHDR(n
, M_DONTWAIT
, MT_HEADER
);
2727 M_COPY_PKTHDR(n
, m
);
2728 MH_ALIGN(n
, sizeof(struct ip6_hdr
));
2729 n
->m_len
= sizeof(struct ip6_hdr
);
2730 n
->m_next
= m
->m_next
;
2736 m
->m_len
+= (sizeof(struct ip6_hdr
) - hlen
);
2737 m
->m_data
-= (sizeof(struct ip6_hdr
) - hlen
);
2739 ip6
= mtod(m
, struct ip6_hdr
*);
2741 ip6
->ip6_vfc
&= ~IPV6_VERSION_MASK
;
2742 ip6
->ip6_vfc
|= IPV6_VERSION
;
2744 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2745 /* ECN consideration. */
2746 ip46_ecn_ingress(ip6_ipsec_ecn
, &ip6
->ip6_flow
, &ip
->ip_tos
);
2747 if (plen
< IPV6_MAXPACKET
- sizeof(struct ip6_hdr
))
2748 ip6
->ip6_plen
= htons(plen
);
2750 /* ip6->ip6_plen will be updated in ip6_output() */
2753 ip6
->ip6_nxt
= IPPROTO_IPV4
;
2754 ip6
->ip6_hlim
= IPV6_DEFHLIM
;
2756 bcopy(&((struct sockaddr_in6
*)&sav
->sah
->saidx
.src
)->sin6_addr
,
2757 &ip6
->ip6_src
, sizeof(ip6
->ip6_src
));
2758 bcopy(&((struct sockaddr_in6
*)&sav
->sah
->saidx
.dst
)->sin6_addr
,
2759 &ip6
->ip6_dst
, sizeof(ip6
->ip6_dst
));
2767 * Check the variable replay window.
2768 * ipsec_chkreplay() performs replay check before ICV verification.
2769 * ipsec_updatereplay() updates replay bitmap. This must be called after
2770 * ICV verification (it also performs replay check, which is usually done
2772 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2774 * based on RFC 2401.
2777 ipsec_chkreplay(u_int32_t seq
, struct secasvar
*sav
)
2779 const struct secreplay
*replay
;
2782 u_int32_t wsizeb
; /* constant: bits of window size */
2783 int frlast
; /* constant: last frame */
2788 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2790 lck_mtx_lock(sadb_mutex
);
2791 replay
= sav
->replay
;
2793 if (replay
->wsize
== 0) {
2794 lck_mtx_unlock(sadb_mutex
);
2795 return 1; /* no need to check replay. */
2799 frlast
= replay
->wsize
- 1;
2800 wsizeb
= replay
->wsize
<< 3;
2802 /* sequence number of 0 is invalid */
2804 lck_mtx_unlock(sadb_mutex
);
2808 /* first time is always okay */
2809 if (replay
->count
== 0) {
2810 lck_mtx_unlock(sadb_mutex
);
2814 if (seq
> replay
->lastseq
) {
2815 /* larger sequences are okay */
2816 lck_mtx_unlock(sadb_mutex
);
2819 /* seq is equal or less than lastseq. */
2820 diff
= replay
->lastseq
- seq
;
2822 /* over range to check, i.e. too old or wrapped */
2823 if (diff
>= wsizeb
) {
2824 lck_mtx_unlock(sadb_mutex
);
2828 fr
= frlast
- diff
/ 8;
2830 /* this packet already seen ? */
2831 if ((replay
->bitmap
)[fr
] & (1 << (diff
% 8))) {
2832 lck_mtx_unlock(sadb_mutex
);
2836 /* out of order but good */
2837 lck_mtx_unlock(sadb_mutex
);
2843 * check replay counter whether to update or not.
2848 ipsec_updatereplay(u_int32_t seq
, struct secasvar
*sav
)
2850 struct secreplay
*replay
;
2853 u_int32_t wsizeb
; /* constant: bits of window size */
2854 int frlast
; /* constant: last frame */
2858 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2860 lck_mtx_lock(sadb_mutex
);
2861 replay
= sav
->replay
;
2863 if (replay
->wsize
== 0)
2864 goto ok
; /* no need to check replay. */
2867 frlast
= replay
->wsize
- 1;
2868 wsizeb
= replay
->wsize
<< 3;
2870 /* sequence number of 0 is invalid */
2875 if (replay
->count
== 0) {
2876 replay
->lastseq
= seq
;
2877 bzero(replay
->bitmap
, replay
->wsize
);
2878 (replay
->bitmap
)[frlast
] = 1;
2882 if (seq
> replay
->lastseq
) {
2883 /* seq is larger than lastseq. */
2884 diff
= seq
- replay
->lastseq
;
2886 /* new larger sequence number */
2887 if (diff
< wsizeb
) {
2889 /* set bit for this packet */
2890 vshiftl((unsigned char *) replay
->bitmap
, diff
, replay
->wsize
);
2891 (replay
->bitmap
)[frlast
] |= 1;
2893 /* this packet has a "way larger" */
2894 bzero(replay
->bitmap
, replay
->wsize
);
2895 (replay
->bitmap
)[frlast
] = 1;
2897 replay
->lastseq
= seq
;
2899 /* larger is good */
2901 /* seq is equal or less than lastseq. */
2902 diff
= replay
->lastseq
- seq
;
2904 /* over range to check, i.e. too old or wrapped */
2905 if (diff
>= wsizeb
) {
2906 lck_mtx_unlock(sadb_mutex
);
2910 fr
= frlast
- diff
/ 8;
2912 /* this packet already seen ? */
2913 if ((replay
->bitmap
)[fr
] & (1 << (diff
% 8))) {
2914 lck_mtx_unlock(sadb_mutex
);
2919 (replay
->bitmap
)[fr
] |= (1 << (diff
% 8));
2921 /* out of order but good */
2925 if (replay
->count
== ~0) {
2927 /* set overflow flag */
2930 /* don't increment, no more packets accepted */
2931 if ((sav
->flags
& SADB_X_EXT_CYCSEQ
) == 0) {
2932 lck_mtx_unlock(sadb_mutex
);
2936 ipseclog((LOG_WARNING
, "replay counter made %d cycle. %s\n",
2937 replay
->overflow
, ipsec_logsastr(sav
)));
2942 lck_mtx_unlock(sadb_mutex
);
2947 * shift variable length buffer to left.
2948 * IN: bitmap: pointer to the buffer
2949 * nbit: the number of to shift.
2950 * wsize: buffer size (bytes).
2953 vshiftl(unsigned char *bitmap
, int nbit
, int wsize
)
2958 for (j
= 0; j
< nbit
; j
+= 8) {
2959 s
= (nbit
- j
< 8) ? (nbit
- j
): 8;
2961 for (i
= 1; i
< wsize
; i
++) {
2962 over
= (bitmap
[i
] >> (8 - s
));
2964 bitmap
[i
-1] |= over
;
2972 ipsec4_logpacketstr(struct ip
*ip
, u_int32_t spi
)
2974 static char buf
[256] __attribute__((aligned(4)));
2978 s
= (u_int8_t
*)(&ip
->ip_src
);
2979 d
= (u_int8_t
*)(&ip
->ip_dst
);
2982 snprintf(buf
, sizeof(buf
), "packet(SPI=%u ", (u_int32_t
)ntohl(spi
));
2985 snprintf(p
, sizeof(buf
) - (p
- buf
), "src=%u.%u.%u.%u",
2986 s
[0], s
[1], s
[2], s
[3]);
2989 snprintf(p
, sizeof(buf
) - (p
- buf
), " dst=%u.%u.%u.%u",
2990 d
[0], d
[1], d
[2], d
[3]);
2993 snprintf(p
, sizeof(buf
) - (p
- buf
), ")");
3000 ipsec6_logpacketstr(struct ip6_hdr
*ip6
, u_int32_t spi
)
3002 static char buf
[256] __attribute__((aligned(4)));
3006 snprintf(buf
, sizeof(buf
), "packet(SPI=%u ", (u_int32_t
)ntohl(spi
));
3009 snprintf(p
, sizeof(buf
) - (p
- buf
), "src=%s",
3010 ip6_sprintf(&ip6
->ip6_src
));
3013 snprintf(p
, sizeof(buf
) - (p
- buf
), " dst=%s",
3014 ip6_sprintf(&ip6
->ip6_dst
));
3017 snprintf(p
, sizeof(buf
) - (p
- buf
), ")");
3024 ipsec_logsastr(struct secasvar
*sav
)
3026 static char buf
[256] __attribute__((aligned(4)));
3028 struct secasindex
*saidx
= &sav
->sah
->saidx
;
3030 /* validity check */
3031 if (((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
3032 != ((struct sockaddr
*)&sav
->sah
->saidx
.dst
)->sa_family
)
3033 panic("ipsec_logsastr: family mismatched.\n");
3036 snprintf(buf
, sizeof(buf
), "SA(SPI=%u ", (u_int32_t
)ntohl(sav
->spi
));
3039 if (((struct sockaddr
*)&saidx
->src
)->sa_family
== AF_INET
) {
3041 s
= (u_int8_t
*)&((struct sockaddr_in
*)&saidx
->src
)->sin_addr
;
3042 d
= (u_int8_t
*)&((struct sockaddr_in
*)&saidx
->dst
)->sin_addr
;
3043 snprintf(p
, sizeof(buf
) - (p
- buf
),
3044 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
3045 s
[0], s
[1], s
[2], s
[3], d
[0], d
[1], d
[2], d
[3]);
3048 else if (((struct sockaddr
*)&saidx
->src
)->sa_family
== AF_INET6
) {
3049 snprintf(p
, sizeof(buf
) - (p
- buf
),
3051 ip6_sprintf(&((struct sockaddr_in6
*)&saidx
->src
)->sin6_addr
));
3054 snprintf(p
, sizeof(buf
) - (p
- buf
),
3056 ip6_sprintf(&((struct sockaddr_in6
*)&saidx
->dst
)->sin6_addr
));
3061 snprintf(p
, sizeof(buf
) - (p
- buf
), ")");
3067 ipsec_dumpmbuf(struct mbuf
*m
)
3076 p
= mtod(m
, u_char
*);
3077 for (i
= 0; i
< m
->m_len
; i
++) {
3078 printf("%02x ", p
[i
]);
3080 if (totlen
% 16 == 0)
3085 if (totlen
% 16 != 0)
3092 * IPsec output logic for IPv4.
3095 ipsec4_output_internal(struct ipsec_output_state
*state
, struct secasvar
*sav
)
3097 struct ip
*ip
= NULL
;
3099 struct sockaddr_in
*dst4
;
3102 /* validity check */
3103 if (sav
== NULL
|| sav
->sah
== NULL
) {
3109 * If there is no valid SA, we give up to process any
3110 * more. In such a case, the SA's status is changed
3111 * from DYING to DEAD after allocating. If a packet
3112 * send to the receiver by dead SA, the receiver can
3113 * not decode a packet because SA has been dead.
3115 if (sav
->state
!= SADB_SASTATE_MATURE
3116 && sav
->state
!= SADB_SASTATE_DYING
) {
3117 IPSEC_STAT_INCREMENT(ipsecstat
.out_nosa
);
3122 state
->outgoing_if
= sav
->sah
->outgoing_if
;
3125 * There may be the case that SA status will be changed when
3126 * we are refering to one. So calling splsoftnet().
3129 if (sav
->sah
->saidx
.mode
== IPSEC_MODE_TUNNEL
) {
3131 * build IPsec tunnel.
3133 state
->m
= ipsec4_splithdr(state
->m
);
3139 if (((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
== AF_INET6
) {
3140 error
= ipsec46_encapsulate(state
, sav
);
3142 // packet already freed by encapsulation error handling
3147 error
= ipsec6_update_routecache_and_output(state
, sav
);
3150 } else if (((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
== AF_INET
) {
3151 error
= ipsec4_encapsulate(state
->m
, sav
);
3156 ip
= mtod(state
->m
, struct ip
*);
3158 // grab sadb_mutex, before updating sah's route cache
3159 lck_mtx_lock(sadb_mutex
);
3160 ro4
= &sav
->sah
->sa_route
;
3161 dst4
= (struct sockaddr_in
*)(void *)&ro4
->ro_dst
;
3162 if (ro4
->ro_rt
!= NULL
) {
3163 RT_LOCK(ro4
->ro_rt
);
3165 if (ROUTE_UNUSABLE(ro4
) ||
3166 dst4
->sin_addr
.s_addr
!= ip
->ip_dst
.s_addr
) {
3167 if (ro4
->ro_rt
!= NULL
)
3168 RT_UNLOCK(ro4
->ro_rt
);
3171 if (ro4
->ro_rt
== 0) {
3172 dst4
->sin_family
= AF_INET
;
3173 dst4
->sin_len
= sizeof(*dst4
);
3174 dst4
->sin_addr
= ip
->ip_dst
;
3175 rtalloc_scoped(ro4
, sav
->sah
->outgoing_if
);
3176 if (ro4
->ro_rt
== 0) {
3177 OSAddAtomic(1, &ipstat
.ips_noroute
);
3178 error
= EHOSTUNREACH
;
3179 // release sadb_mutex, after updating sah's route cache
3180 lck_mtx_unlock(sadb_mutex
);
3183 RT_LOCK(ro4
->ro_rt
);
3187 * adjust state->dst if tunnel endpoint is offlink
3189 * XXX: caching rt_gateway value in the state is
3190 * not really good, since it may point elsewhere
3191 * when the gateway gets modified to a larger
3192 * sockaddr via rt_setgate(). This is currently
3193 * addressed by SA_SIZE roundup in that routine.
3195 if (ro4
->ro_rt
->rt_flags
& RTF_GATEWAY
)
3196 dst4
= (struct sockaddr_in
*)(void *)ro4
->ro_rt
->rt_gateway
;
3197 RT_UNLOCK(ro4
->ro_rt
);
3198 ROUTE_RELEASE(&state
->ro
);
3199 route_copyout(&state
->ro
, ro4
, sizeof(state
->ro
));
3200 state
->dst
= (struct sockaddr
*)dst4
;
3201 state
->tunneled
= 4;
3202 // release sadb_mutex, after updating sah's route cache
3203 lck_mtx_unlock(sadb_mutex
);
3205 ipseclog((LOG_ERR
, "%s: family mismatched between inner and outer spi=%u\n",
3206 __FUNCTION__
, (u_int32_t
)ntohl(sav
->spi
)));
3207 error
= EAFNOSUPPORT
;
3212 state
->m
= ipsec4_splithdr(state
->m
);
3217 switch (sav
->sah
->saidx
.proto
) {
3220 if ((error
= esp4_output(state
->m
, sav
)) != 0) {
3232 if ((error
= ah4_output(state
->m
, sav
)) != 0) {
3237 case IPPROTO_IPCOMP
:
3238 if ((error
= ipcomp4_output(state
->m
, sav
)) != 0) {
3245 "ipsec4_output: unknown ipsec protocol %d\n",
3246 sav
->sah
->saidx
.proto
));
3253 if (state
->m
== 0) {
3265 ipsec4_interface_output(struct ipsec_output_state
*state
, ifnet_t interface
)
3268 struct secasvar
*sav
= NULL
;
3270 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
3273 panic("state == NULL in ipsec4_output");
3275 panic("state->m == NULL in ipsec4_output");
3277 panic("state->dst == NULL in ipsec4_output");
3279 sav
= key_alloc_outbound_sav_for_interface(interface
, AF_INET
);
3284 if ((error
= ipsec4_output_internal(state
, sav
)) != 0) {
3288 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT
| DBG_FUNC_END
, 0,0,0,0,0);
3290 key_freesav(sav
, KEY_SADB_UNLOCKED
);
3295 key_freesav(sav
, KEY_SADB_UNLOCKED
);
3298 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT
| DBG_FUNC_END
, error
,0,0,0,0);
3303 ipsec4_output(struct ipsec_output_state
*state
, struct secpolicy
*sp
, __unused
int flags
)
3305 struct ip
*ip
= NULL
;
3306 struct ipsecrequest
*isr
= NULL
;
3307 struct secasindex saidx
;
3308 struct secasvar
*sav
= NULL
;
3310 struct sockaddr_in
*sin
;
3312 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
3315 panic("state == NULL in ipsec4_output");
3317 panic("state->m == NULL in ipsec4_output");
3319 panic("state->dst == NULL in ipsec4_output");
3321 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT
| DBG_FUNC_START
, 0,0,0,0,0);
3323 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
3324 printf("ipsec4_output: applied SP\n");
3325 kdebug_secpolicy(sp
));
3327 for (isr
= sp
->req
; isr
!= NULL
; isr
= isr
->next
) {
3328 /* make SA index for search proper SA */
3329 ip
= mtod(state
->m
, struct ip
*);
3330 bcopy(&isr
->saidx
, &saidx
, sizeof(saidx
));
3331 saidx
.mode
= isr
->saidx
.mode
;
3332 saidx
.reqid
= isr
->saidx
.reqid
;
3333 sin
= (struct sockaddr_in
*)&saidx
.src
;
3334 if (sin
->sin_len
== 0) {
3335 sin
->sin_len
= sizeof(*sin
);
3336 sin
->sin_family
= AF_INET
;
3337 sin
->sin_port
= IPSEC_PORT_ANY
;
3338 bcopy(&ip
->ip_src
, &sin
->sin_addr
,
3339 sizeof(sin
->sin_addr
));
3341 sin
= (struct sockaddr_in
*)&saidx
.dst
;
3342 if (sin
->sin_len
== 0) {
3343 sin
->sin_len
= sizeof(*sin
);
3344 sin
->sin_family
= AF_INET
;
3345 sin
->sin_port
= IPSEC_PORT_ANY
;
3347 * Get port from packet if upper layer is UDP and nat traversal
3348 * is enabled and transport mode.
3351 if ((esp_udp_encap_port
& 0xFFFF) != 0 &&
3352 isr
->saidx
.mode
== IPSEC_MODE_TRANSPORT
) {
3354 if (ip
->ip_p
== IPPROTO_UDP
) {
3358 hlen
= IP_VHL_HL(ip
->ip_vhl
) << 2;
3360 hlen
= ip
->ip_hl
<< 2;
3362 if (state
->m
->m_len
< hlen
+ sizeof(struct udphdr
)) {
3363 state
->m
= m_pullup(state
->m
, hlen
+ sizeof(struct udphdr
));
3365 ipseclog((LOG_DEBUG
, "IPv4 output: can't pullup UDP header\n"));
3366 IPSEC_STAT_INCREMENT(ipsecstat
.in_inval
);
3369 ip
= mtod(state
->m
, struct ip
*);
3371 udp
= (struct udphdr
*)(void *)(((u_int8_t
*)ip
) + hlen
);
3372 sin
->sin_port
= udp
->uh_dport
;
3376 bcopy(&ip
->ip_dst
, &sin
->sin_addr
,
3377 sizeof(sin
->sin_addr
));
3380 if ((error
= key_checkrequest(isr
, &saidx
, &sav
)) != 0) {
3382 * IPsec processing is required, but no SA found.
3383 * I assume that key_acquire() had been called
3384 * to get/establish the SA. Here I discard
3385 * this packet because it is responsibility for
3386 * upper layer to retransmit the packet.
3388 IPSEC_STAT_INCREMENT(ipsecstat
.out_nosa
);
3392 /* validity check */
3394 switch (ipsec_get_reqlevel(isr
)) {
3395 case IPSEC_LEVEL_USE
:
3397 case IPSEC_LEVEL_REQUIRE
:
3398 /* must be not reached here. */
3399 panic("ipsec4_output: no SA found, but required.");
3403 if ((error
= ipsec4_output_internal(state
, sav
)) != 0) {
3408 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT
| DBG_FUNC_END
, 0,0,0,0,0);
3410 key_freesav(sav
, KEY_SADB_UNLOCKED
);
3415 key_freesav(sav
, KEY_SADB_UNLOCKED
);
3418 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT
| DBG_FUNC_END
, error
,0,0,0,0);
3426 * IPsec output logic for IPv6, transport mode.
3429 ipsec6_output_trans_internal(
3430 struct ipsec_output_state
*state
,
3431 struct secasvar
*sav
,
3435 struct ip6_hdr
*ip6
;
3439 /* validity check */
3440 if (sav
== NULL
|| sav
->sah
== NULL
) {
3446 * If there is no valid SA, we give up to process.
3447 * see same place at ipsec4_output().
3449 if (sav
->state
!= SADB_SASTATE_MATURE
3450 && sav
->state
!= SADB_SASTATE_DYING
) {
3451 IPSEC_STAT_INCREMENT(ipsec6stat
.out_nosa
);
3456 state
->outgoing_if
= sav
->sah
->outgoing_if
;
3458 switch (sav
->sah
->saidx
.proto
) {
3461 error
= esp6_output(state
->m
, nexthdrp
, mprev
->m_next
, sav
);
3468 error
= ah6_output(state
->m
, nexthdrp
, mprev
->m_next
, sav
);
3470 case IPPROTO_IPCOMP
:
3471 error
= ipcomp6_output(state
->m
, nexthdrp
, mprev
->m_next
, sav
);
3474 ipseclog((LOG_ERR
, "ipsec6_output_trans: "
3475 "unknown ipsec protocol %d\n", sav
->sah
->saidx
.proto
));
3477 IPSEC_STAT_INCREMENT(ipsec6stat
.out_inval
);
3485 plen
= state
->m
->m_pkthdr
.len
- sizeof(struct ip6_hdr
);
3486 if (plen
> IPV6_MAXPACKET
) {
3487 ipseclog((LOG_ERR
, "ipsec6_output_trans: "
3488 "IPsec with IPv6 jumbogram is not supported\n"));
3489 IPSEC_STAT_INCREMENT(ipsec6stat
.out_inval
);
3490 error
= EINVAL
; /*XXX*/
3493 ip6
= mtod(state
->m
, struct ip6_hdr
*);
3494 ip6
->ip6_plen
= htons(plen
);
3502 ipsec6_output_trans(
3503 struct ipsec_output_state
*state
,
3506 struct secpolicy
*sp
,
3510 struct ip6_hdr
*ip6
;
3511 struct ipsecrequest
*isr
= NULL
;
3512 struct secasindex saidx
;
3514 struct sockaddr_in6
*sin6
;
3515 struct secasvar
*sav
= NULL
;
3517 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
3520 panic("state == NULL in ipsec6_output_trans");
3522 panic("state->m == NULL in ipsec6_output_trans");
3524 panic("nexthdrp == NULL in ipsec6_output_trans");
3526 panic("mprev == NULL in ipsec6_output_trans");
3528 panic("sp == NULL in ipsec6_output_trans");
3530 panic("tun == NULL in ipsec6_output_trans");
3532 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
3533 printf("ipsec6_output_trans: applyed SP\n");
3534 kdebug_secpolicy(sp
));
3537 for (isr
= sp
->req
; isr
; isr
= isr
->next
) {
3538 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
) {
3539 /* the rest will be handled by ipsec6_output_tunnel() */
3543 /* make SA index for search proper SA */
3544 ip6
= mtod(state
->m
, struct ip6_hdr
*);
3545 bcopy(&isr
->saidx
, &saidx
, sizeof(saidx
));
3546 saidx
.mode
= isr
->saidx
.mode
;
3547 saidx
.reqid
= isr
->saidx
.reqid
;
3548 sin6
= (struct sockaddr_in6
*)&saidx
.src
;
3549 if (sin6
->sin6_len
== 0) {
3550 sin6
->sin6_len
= sizeof(*sin6
);
3551 sin6
->sin6_family
= AF_INET6
;
3552 sin6
->sin6_port
= IPSEC_PORT_ANY
;
3553 bcopy(&ip6
->ip6_src
, &sin6
->sin6_addr
,
3554 sizeof(ip6
->ip6_src
));
3555 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_src
)) {
3556 /* fix scope id for comparing SPD */
3557 sin6
->sin6_addr
.s6_addr16
[1] = 0;
3558 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_src
.s6_addr16
[1]);
3561 sin6
= (struct sockaddr_in6
*)&saidx
.dst
;
3562 if (sin6
->sin6_len
== 0) {
3563 sin6
->sin6_len
= sizeof(*sin6
);
3564 sin6
->sin6_family
= AF_INET6
;
3565 sin6
->sin6_port
= IPSEC_PORT_ANY
;
3566 bcopy(&ip6
->ip6_dst
, &sin6
->sin6_addr
,
3567 sizeof(ip6
->ip6_dst
));
3568 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_dst
)) {
3569 /* fix scope id for comparing SPD */
3570 sin6
->sin6_addr
.s6_addr16
[1] = 0;
3571 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_dst
.s6_addr16
[1]);
3575 if (key_checkrequest(isr
, &saidx
, &sav
) == ENOENT
) {
3577 * IPsec processing is required, but no SA found.
3578 * I assume that key_acquire() had been called
3579 * to get/establish the SA. Here I discard
3580 * this packet because it is responsibility for
3581 * upper layer to retransmit the packet.
3583 IPSEC_STAT_INCREMENT(ipsec6stat
.out_nosa
);
3587 * Notify the fact that the packet is discarded
3588 * to ourselves. I believe this is better than
3589 * just silently discarding. (jinmei@kame.net)
3590 * XXX: should we restrict the error to TCP packets?
3591 * XXX: should we directly notify sockets via
3594 icmp6_error(state
->m
, ICMP6_DST_UNREACH
,
3595 ICMP6_DST_UNREACH_ADMIN
, 0);
3596 state
->m
= NULL
; /* icmp6_error freed the mbuf */
3600 /* validity check */
3602 switch (ipsec_get_reqlevel(isr
)) {
3603 case IPSEC_LEVEL_USE
:
3605 case IPSEC_LEVEL_REQUIRE
:
3606 /* must be not reached here. */
3607 panic("ipsec6_output_trans: no SA found, but required.");
3611 if ((error
= ipsec6_output_trans_internal(state
, sav
, nexthdrp
, mprev
)) != 0) {
3616 /* if we have more to go, we need a tunnel mode processing */
3621 key_freesav(sav
, KEY_SADB_UNLOCKED
);
3626 key_freesav(sav
, KEY_SADB_UNLOCKED
);
3633 * IPsec output logic for IPv6, tunnel mode.
3636 ipsec6_output_tunnel_internal(struct ipsec_output_state
*state
, struct secasvar
*sav
, int *must_be_last
)
3638 struct ip6_hdr
*ip6
;
3641 struct sockaddr_in6
* dst6
;
3644 /* validity check */
3645 if (sav
== NULL
|| sav
->sah
== NULL
|| sav
->sah
->saidx
.mode
!= IPSEC_MODE_TUNNEL
) {
3651 * If there is no valid SA, we give up to process.
3652 * see same place at ipsec4_output().
3654 if (sav
->state
!= SADB_SASTATE_MATURE
3655 && sav
->state
!= SADB_SASTATE_DYING
) {
3656 IPSEC_STAT_INCREMENT(ipsec6stat
.out_nosa
);
3661 state
->outgoing_if
= sav
->sah
->outgoing_if
;
3663 if (sav
->sah
->saidx
.mode
== IPSEC_MODE_TUNNEL
) {
3665 * build IPsec tunnel.
3667 state
->m
= ipsec6_splithdr(state
->m
);
3669 IPSEC_STAT_INCREMENT(ipsec6stat
.out_nomem
);
3674 if (((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
== AF_INET6
) {
3675 error
= ipsec6_encapsulate(state
->m
, sav
);
3680 ip6
= mtod(state
->m
, struct ip6_hdr
*);
3681 } else if (((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
== AF_INET
) {
3684 struct sockaddr_in
* dst4
;
3685 struct route
*ro4
= NULL
;
3686 struct route ro4_copy
;
3687 struct ip_out_args ipoa
= { IFSCOPE_NONE
, { 0 }, IPOAF_SELECT_SRCIF
, 0,
3688 SO_TC_UNSPEC
, _NET_SERVICE_TYPE_UNSPEC
};
3693 state
->tunneled
= 4; /* must not process any further in ip6_output */
3694 error
= ipsec64_encapsulate(state
->m
, sav
);
3699 /* Now we have an IPv4 packet */
3700 ip
= mtod(state
->m
, struct ip
*);
3702 // grab sadb_mutex, to update sah's route cache and get a local copy of it
3703 lck_mtx_lock(sadb_mutex
);
3704 ro4
= &sav
->sah
->sa_route
;
3705 dst4
= (struct sockaddr_in
*)(void *)&ro4
->ro_dst
;
3707 RT_LOCK(ro4
->ro_rt
);
3709 if (ROUTE_UNUSABLE(ro4
) ||
3710 dst4
->sin_addr
.s_addr
!= ip
->ip_dst
.s_addr
) {
3711 if (ro4
->ro_rt
!= NULL
)
3712 RT_UNLOCK(ro4
->ro_rt
);
3715 if (ro4
->ro_rt
== NULL
) {
3716 dst4
->sin_family
= AF_INET
;
3717 dst4
->sin_len
= sizeof(*dst4
);
3718 dst4
->sin_addr
= ip
->ip_dst
;
3720 RT_UNLOCK(ro4
->ro_rt
);
3722 route_copyout(&ro4_copy
, ro4
, sizeof(ro4_copy
));
3723 // release sadb_mutex, after updating sah's route cache and getting a local copy
3724 lck_mtx_unlock(sadb_mutex
);
3725 state
->m
= ipsec4_splithdr(state
->m
);
3728 ROUTE_RELEASE(&ro4_copy
);
3731 switch (sav
->sah
->saidx
.proto
) {
3734 if ((error
= esp4_output(state
->m
, sav
)) != 0) {
3736 ROUTE_RELEASE(&ro4_copy
);
3745 ROUTE_RELEASE(&ro4_copy
);
3749 if ((error
= ah4_output(state
->m
, sav
)) != 0) {
3751 ROUTE_RELEASE(&ro4_copy
);
3755 case IPPROTO_IPCOMP
:
3756 if ((error
= ipcomp4_output(state
->m
, sav
)) != 0) {
3758 ROUTE_RELEASE(&ro4_copy
);
3764 "ipsec4_output: unknown ipsec protocol %d\n",
3765 sav
->sah
->saidx
.proto
));
3769 ROUTE_RELEASE(&ro4_copy
);
3773 if (state
->m
== 0) {
3775 ROUTE_RELEASE(&ro4_copy
);
3778 ipsec_set_pkthdr_for_interface(sav
->sah
->ipsec_if
, state
->m
, AF_INET
);
3779 ipsec_set_ipoa_for_interface(sav
->sah
->ipsec_if
, &ipoa
);
3781 ip
= mtod(state
->m
, struct ip
*);
3782 ip
->ip_len
= ntohs(ip
->ip_len
); /* flip len field before calling ip_output */
3783 error
= ip_output(state
->m
, NULL
, &ro4_copy
, IP_OUTARGS
, NULL
, &ipoa
);
3785 // grab sadb_mutex, to synchronize the sah's route cache with the local copy
3786 lck_mtx_lock(sadb_mutex
);
3787 route_copyin(&ro4_copy
, ro4
, sizeof(ro4_copy
));
3788 lck_mtx_unlock(sadb_mutex
);
3793 ipseclog((LOG_ERR
, "ipsec6_output_tunnel: "
3794 "unsupported inner family, spi=%u\n",
3795 (u_int32_t
)ntohl(sav
->spi
)));
3796 IPSEC_STAT_INCREMENT(ipsec6stat
.out_inval
);
3797 error
= EAFNOSUPPORT
;
3801 // grab sadb_mutex, before updating sah's route cache
3802 lck_mtx_lock(sadb_mutex
);
3803 ro6
= &sav
->sah
->sa_route
;
3804 dst6
= (struct sockaddr_in6
*)(void *)&ro6
->ro_dst
;
3806 RT_LOCK(ro6
->ro_rt
);
3808 if (ROUTE_UNUSABLE(ro6
) ||
3809 !IN6_ARE_ADDR_EQUAL(&dst6
->sin6_addr
, &ip6
->ip6_dst
)) {
3810 if (ro6
->ro_rt
!= NULL
)
3811 RT_UNLOCK(ro6
->ro_rt
);
3814 if (ro6
->ro_rt
== 0) {
3815 bzero(dst6
, sizeof(*dst6
));
3816 dst6
->sin6_family
= AF_INET6
;
3817 dst6
->sin6_len
= sizeof(*dst6
);
3818 dst6
->sin6_addr
= ip6
->ip6_dst
;
3819 rtalloc_scoped(ro6
, sav
->sah
->outgoing_if
);
3821 RT_LOCK(ro6
->ro_rt
);
3824 if (ro6
->ro_rt
== 0) {
3825 ip6stat
.ip6s_noroute
++;
3826 IPSEC_STAT_INCREMENT(ipsec6stat
.out_noroute
);
3827 error
= EHOSTUNREACH
;
3828 // release sadb_mutex, after updating sah's route cache
3829 lck_mtx_unlock(sadb_mutex
);
3834 * adjust state->dst if tunnel endpoint is offlink
3836 * XXX: caching rt_gateway value in the state is
3837 * not really good, since it may point elsewhere
3838 * when the gateway gets modified to a larger
3839 * sockaddr via rt_setgate(). This is currently
3840 * addressed by SA_SIZE roundup in that routine.
3842 if (ro6
->ro_rt
->rt_flags
& RTF_GATEWAY
)
3843 dst6
= (struct sockaddr_in6
*)(void *)ro6
->ro_rt
->rt_gateway
;
3844 RT_UNLOCK(ro6
->ro_rt
);
3845 ROUTE_RELEASE(&state
->ro
);
3846 route_copyout(&state
->ro
, ro6
, sizeof(state
->ro
));
3847 state
->dst
= (struct sockaddr
*)dst6
;
3848 state
->tunneled
= 6;
3849 // release sadb_mutex, after updating sah's route cache
3850 lck_mtx_unlock(sadb_mutex
);
3853 state
->m
= ipsec6_splithdr(state
->m
);
3855 IPSEC_STAT_INCREMENT(ipsec6stat
.out_nomem
);
3859 ip6
= mtod(state
->m
, struct ip6_hdr
*);
3860 switch (sav
->sah
->saidx
.proto
) {
3863 error
= esp6_output(state
->m
, &ip6
->ip6_nxt
, state
->m
->m_next
, sav
);
3870 error
= ah6_output(state
->m
, &ip6
->ip6_nxt
, state
->m
->m_next
, sav
);
3872 case IPPROTO_IPCOMP
:
3873 /* XXX code should be here */
3876 ipseclog((LOG_ERR
, "ipsec6_output_tunnel: "
3877 "unknown ipsec protocol %d\n", sav
->sah
->saidx
.proto
));
3879 IPSEC_STAT_INCREMENT(ipsec6stat
.out_inval
);
3887 plen
= state
->m
->m_pkthdr
.len
- sizeof(struct ip6_hdr
);
3888 if (plen
> IPV6_MAXPACKET
) {
3889 ipseclog((LOG_ERR
, "ipsec6_output_tunnel: "
3890 "IPsec with IPv6 jumbogram is not supported\n"));
3891 IPSEC_STAT_INCREMENT(ipsec6stat
.out_inval
);
3892 error
= EINVAL
; /*XXX*/
3895 ip6
= mtod(state
->m
, struct ip6_hdr
*);
3896 ip6
->ip6_plen
= htons(plen
);
3905 ipsec6_output_tunnel(
3906 struct ipsec_output_state
*state
,
3907 struct secpolicy
*sp
,
3910 struct ip6_hdr
*ip6
;
3911 struct ipsecrequest
*isr
= NULL
;
3912 struct secasindex saidx
;
3913 struct secasvar
*sav
= NULL
;
3916 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
3919 panic("state == NULL in ipsec6_output_tunnel");
3921 panic("state->m == NULL in ipsec6_output_tunnel");
3923 panic("sp == NULL in ipsec6_output_tunnel");
3925 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
3926 printf("ipsec6_output_tunnel: applyed SP\n");
3927 kdebug_secpolicy(sp
));
3930 * transport mode ipsec (before the 1st tunnel mode) is already
3931 * processed by ipsec6_output_trans().
3933 for (isr
= sp
->req
; isr
; isr
= isr
->next
) {
3934 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
)
3938 for (/* already initialized */; isr
; isr
= isr
->next
) {
3939 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
) {
3940 /* When tunnel mode, SA peers must be specified. */
3941 bcopy(&isr
->saidx
, &saidx
, sizeof(saidx
));
3943 /* make SA index to look for a proper SA */
3944 struct sockaddr_in6
*sin6
;
3946 bzero(&saidx
, sizeof(saidx
));
3947 saidx
.proto
= isr
->saidx
.proto
;
3948 saidx
.mode
= isr
->saidx
.mode
;
3949 saidx
.reqid
= isr
->saidx
.reqid
;
3951 ip6
= mtod(state
->m
, struct ip6_hdr
*);
3952 sin6
= (struct sockaddr_in6
*)&saidx
.src
;
3953 if (sin6
->sin6_len
== 0) {
3954 sin6
->sin6_len
= sizeof(*sin6
);
3955 sin6
->sin6_family
= AF_INET6
;
3956 sin6
->sin6_port
= IPSEC_PORT_ANY
;
3957 bcopy(&ip6
->ip6_src
, &sin6
->sin6_addr
,
3958 sizeof(ip6
->ip6_src
));
3959 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_src
)) {
3960 /* fix scope id for comparing SPD */
3961 sin6
->sin6_addr
.s6_addr16
[1] = 0;
3962 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_src
.s6_addr16
[1]);
3965 sin6
= (struct sockaddr_in6
*)&saidx
.dst
;
3966 if (sin6
->sin6_len
== 0) {
3967 sin6
->sin6_len
= sizeof(*sin6
);
3968 sin6
->sin6_family
= AF_INET6
;
3969 sin6
->sin6_port
= IPSEC_PORT_ANY
;
3970 bcopy(&ip6
->ip6_dst
, &sin6
->sin6_addr
,
3971 sizeof(ip6
->ip6_dst
));
3972 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_dst
)) {
3973 /* fix scope id for comparing SPD */
3974 sin6
->sin6_addr
.s6_addr16
[1] = 0;
3975 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_dst
.s6_addr16
[1]);
3980 if (key_checkrequest(isr
, &saidx
, &sav
) == ENOENT
) {
3982 * IPsec processing is required, but no SA found.
3983 * I assume that key_acquire() had been called
3984 * to get/establish the SA. Here I discard
3985 * this packet because it is responsibility for
3986 * upper layer to retransmit the packet.
3988 IPSEC_STAT_INCREMENT(ipsec6stat
.out_nosa
);
3993 /* validity check */
3995 switch (ipsec_get_reqlevel(isr
)) {
3996 case IPSEC_LEVEL_USE
:
3998 case IPSEC_LEVEL_REQUIRE
:
3999 /* must be not reached here. */
4000 panic("ipsec6_output_tunnel: no SA found, but required.");
4005 * If there is no valid SA, we give up to process.
4006 * see same place at ipsec4_output().
4008 if (sav
->state
!= SADB_SASTATE_MATURE
4009 && sav
->state
!= SADB_SASTATE_DYING
) {
4010 IPSEC_STAT_INCREMENT(ipsec6stat
.out_nosa
);
4015 int must_be_last
= 0;
4017 if ((error
= ipsec6_output_tunnel_internal(state
, sav
, &must_be_last
)) != 0) {
4021 if (must_be_last
&& isr
->next
) {
4022 ipseclog((LOG_ERR
, "ipsec6_output_tunnel: "
4023 "IPv4 must be outer layer, spi=%u\n",
4024 (u_int32_t
)ntohl(sav
->spi
)));
4031 key_freesav(sav
, KEY_SADB_UNLOCKED
);
4036 key_freesav(sav
, KEY_SADB_UNLOCKED
);
4044 ipsec6_interface_output(struct ipsec_output_state
*state
, ifnet_t interface
, u_char
*nexthdrp
, struct mbuf
*mprev
)
4047 struct secasvar
*sav
= NULL
;
4049 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
4052 panic("state == NULL in ipsec6_output");
4054 panic("state->m == NULL in ipsec6_output");
4056 panic("nexthdrp == NULL in ipsec6_output");
4058 panic("mprev == NULL in ipsec6_output");
4060 sav
= key_alloc_outbound_sav_for_interface(interface
, AF_INET6
);
4065 if (sav
->sah
&& sav
->sah
->saidx
.mode
== IPSEC_MODE_TUNNEL
) {
4066 if ((error
= ipsec6_output_tunnel_internal(state
, sav
, NULL
)) != 0) {
4071 if ((error
= ipsec6_output_trans_internal(state
, sav
, nexthdrp
, mprev
)) != 0) {
4077 key_freesav(sav
, KEY_SADB_UNLOCKED
);
4082 key_freesav(sav
, KEY_SADB_UNLOCKED
);
4091 * Chop IP header and option off from the payload.
4094 ipsec4_splithdr(struct mbuf
*m
)
4100 if (m
->m_len
< sizeof(struct ip
))
4101 panic("ipsec4_splithdr: first mbuf too short, m_len %d, pkt_len %d, m_flag %x", m
->m_len
, m
->m_pkthdr
.len
, m
->m_flags
);
4102 ip
= mtod(m
, struct ip
*);
4104 hlen
= _IP_VHL_HL(ip
->ip_vhl
) << 2;
4106 hlen
= ip
->ip_hl
<< 2;
4108 if (m
->m_len
> hlen
) {
4109 MGETHDR(mh
, M_DONTWAIT
, MT_HEADER
); /* MAC-OK */
4114 M_COPY_PKTHDR(mh
, m
);
4116 m
->m_flags
&= ~M_PKTHDR
;
4117 m_mchtype(m
, MT_DATA
);
4123 bcopy((caddr_t
)ip
, mtod(m
, caddr_t
), hlen
);
4124 } else if (m
->m_len
< hlen
) {
4125 m
= m_pullup(m
, hlen
);
4135 ipsec6_splithdr(struct mbuf
*m
)
4138 struct ip6_hdr
*ip6
;
4141 if (m
->m_len
< sizeof(struct ip6_hdr
))
4142 panic("ipsec6_splithdr: first mbuf too short");
4143 ip6
= mtod(m
, struct ip6_hdr
*);
4144 hlen
= sizeof(struct ip6_hdr
);
4145 if (m
->m_len
> hlen
) {
4146 MGETHDR(mh
, M_DONTWAIT
, MT_HEADER
); /* MAC-OK */
4151 M_COPY_PKTHDR(mh
, m
);
4153 m
->m_flags
&= ~M_PKTHDR
;
4154 m_mchtype(m
, MT_DATA
);
4160 bcopy((caddr_t
)ip6
, mtod(m
, caddr_t
), hlen
);
4161 } else if (m
->m_len
< hlen
) {
4162 m
= m_pullup(m
, hlen
);
4170 /* validate inbound IPsec tunnel packet. */
4172 ipsec4_tunnel_validate(
4173 struct mbuf
*m
, /* no pullup permitted, m->m_len >= ip */
4176 struct secasvar
*sav
,
4177 sa_family_t
*ifamily
)
4179 u_int8_t nxt
= nxt0
& 0xff;
4180 struct sockaddr_in
*sin
;
4181 struct sockaddr_in osrc
, odst
, i4src
, i4dst
;
4182 struct sockaddr_in6 i6src
, i6dst
;
4184 struct secpolicy
*sp
;
4187 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
4190 if (m
->m_len
< sizeof(struct ip
))
4191 panic("too short mbuf on ipsec4_tunnel_validate");
4193 if (nxt
!= IPPROTO_IPV4
&& nxt
!= IPPROTO_IPV6
)
4195 if (m
->m_pkthdr
.len
< off
+ sizeof(struct ip
))
4197 /* do not decapsulate if the SA is for transport mode only */
4198 if (sav
->sah
->saidx
.mode
== IPSEC_MODE_TRANSPORT
)
4201 oip
= mtod(m
, struct ip
*);
4203 hlen
= _IP_VHL_HL(oip
->ip_vhl
) << 2;
4205 hlen
= oip
->ip_hl
<< 2;
4207 if (hlen
!= sizeof(struct ip
))
4210 sin
= (struct sockaddr_in
*)&sav
->sah
->saidx
.dst
;
4211 if (sin
->sin_family
!= AF_INET
)
4213 if (bcmp(&oip
->ip_dst
, &sin
->sin_addr
, sizeof(oip
->ip_dst
)) != 0)
4216 if (sav
->sah
->ipsec_if
!= NULL
) {
4217 // the ipsec interface SAs don't have a policies.
4218 if (nxt
== IPPROTO_IPV4
) {
4220 } else if (nxt
== IPPROTO_IPV6
) {
4221 *ifamily
= AF_INET6
;
4229 bzero(&osrc
, sizeof(osrc
));
4230 bzero(&odst
, sizeof(odst
));
4231 osrc
.sin_family
= odst
.sin_family
= AF_INET
;
4232 osrc
.sin_len
= odst
.sin_len
= sizeof(struct sockaddr_in
);
4233 osrc
.sin_addr
= oip
->ip_src
;
4234 odst
.sin_addr
= oip
->ip_dst
;
4236 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
4237 * - if the inner destination is multicast address, there can be
4238 * multiple permissible inner source address. implementation
4239 * may want to skip verification of inner source address against
4241 * - if the inner protocol is ICMP, the packet may be an error report
4242 * from routers on the other side of the VPN cloud (R in the
4243 * following diagram). in this case, we cannot verify inner source
4244 * address against SPD selector.
4245 * me -- gw === gw -- R -- you
4247 * we consider the first bullet to be users responsibility on SPD entry
4248 * configuration (if you need to encrypt multicast traffic, set
4249 * the source range of SPD selector to 0.0.0.0/0, or have explicit
4250 * address ranges for possible senders).
4251 * the second bullet is not taken care of (yet).
4253 * therefore, we do not do anything special about inner source.
4255 if (nxt
== IPPROTO_IPV4
) {
4256 bzero(&i4src
, sizeof(struct sockaddr_in
));
4257 bzero(&i4dst
, sizeof(struct sockaddr_in
));
4258 i4src
.sin_family
= i4dst
.sin_family
= *ifamily
= AF_INET
;
4259 i4src
.sin_len
= i4dst
.sin_len
= sizeof(struct sockaddr_in
);
4260 m_copydata(m
, off
+ offsetof(struct ip
, ip_src
), sizeof(i4src
.sin_addr
),
4261 (caddr_t
)&i4src
.sin_addr
);
4262 m_copydata(m
, off
+ offsetof(struct ip
, ip_dst
), sizeof(i4dst
.sin_addr
),
4263 (caddr_t
)&i4dst
.sin_addr
);
4264 sp
= key_gettunnel((struct sockaddr
*)&osrc
, (struct sockaddr
*)&odst
,
4265 (struct sockaddr
*)&i4src
, (struct sockaddr
*)&i4dst
);
4266 } else if (nxt
== IPPROTO_IPV6
) {
4267 bzero(&i6src
, sizeof(struct sockaddr_in6
));
4268 bzero(&i6dst
, sizeof(struct sockaddr_in6
));
4269 i6src
.sin6_family
= i6dst
.sin6_family
= *ifamily
= AF_INET6
;
4270 i6src
.sin6_len
= i6dst
.sin6_len
= sizeof(struct sockaddr_in6
);
4271 m_copydata(m
, off
+ offsetof(struct ip6_hdr
, ip6_src
), sizeof(i6src
.sin6_addr
),
4272 (caddr_t
)&i6src
.sin6_addr
);
4273 m_copydata(m
, off
+ offsetof(struct ip6_hdr
, ip6_dst
), sizeof(i6dst
.sin6_addr
),
4274 (caddr_t
)&i6dst
.sin6_addr
);
4275 sp
= key_gettunnel((struct sockaddr
*)&osrc
, (struct sockaddr
*)&odst
,
4276 (struct sockaddr
*)&i6src
, (struct sockaddr
*)&i6dst
);
4278 return 0; /* unsupported family */
4283 key_freesp(sp
, KEY_SADB_UNLOCKED
);
4289 /* validate inbound IPsec tunnel packet. */
4291 ipsec6_tunnel_validate(
4292 struct mbuf
*m
, /* no pullup permitted, m->m_len >= ip */
4295 struct secasvar
*sav
,
4296 sa_family_t
*ifamily
)
4298 u_int8_t nxt
= nxt0
& 0xff;
4299 struct sockaddr_in6
*sin6
;
4300 struct sockaddr_in i4src
, i4dst
;
4301 struct sockaddr_in6 osrc
, odst
, i6src
, i6dst
;
4302 struct secpolicy
*sp
;
4303 struct ip6_hdr
*oip6
;
4305 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
4308 if (m
->m_len
< sizeof(struct ip6_hdr
))
4309 panic("too short mbuf on ipsec6_tunnel_validate");
4311 if (nxt
!= IPPROTO_IPV4
&& nxt
!= IPPROTO_IPV6
)
4314 if (m
->m_pkthdr
.len
< off
+ sizeof(struct ip6_hdr
))
4316 /* do not decapsulate if the SA is for transport mode only */
4317 if (sav
->sah
->saidx
.mode
== IPSEC_MODE_TRANSPORT
)
4320 oip6
= mtod(m
, struct ip6_hdr
*);
4321 /* AF_INET should be supported, but at this moment we don't. */
4322 sin6
= (struct sockaddr_in6
*)&sav
->sah
->saidx
.dst
;
4323 if (sin6
->sin6_family
!= AF_INET6
)
4325 if (!IN6_ARE_ADDR_EQUAL(&oip6
->ip6_dst
, &sin6
->sin6_addr
))
4328 if (sav
->sah
->ipsec_if
!= NULL
) {
4329 // the ipsec interface SAs don't have a policies.
4330 if (nxt
== IPPROTO_IPV4
) {
4332 } else if (nxt
== IPPROTO_IPV6
) {
4333 *ifamily
= AF_INET6
;
4341 bzero(&osrc
, sizeof(osrc
));
4342 bzero(&odst
, sizeof(odst
));
4343 osrc
.sin6_family
= odst
.sin6_family
= AF_INET6
;
4344 osrc
.sin6_len
= odst
.sin6_len
= sizeof(struct sockaddr_in6
);
4345 osrc
.sin6_addr
= oip6
->ip6_src
;
4346 odst
.sin6_addr
= oip6
->ip6_dst
;
4349 * regarding to inner source address validation, see a long comment
4350 * in ipsec4_tunnel_validate.
4353 if (nxt
== IPPROTO_IPV4
) {
4354 bzero(&i4src
, sizeof(struct sockaddr_in
));
4355 bzero(&i4dst
, sizeof(struct sockaddr_in
));
4356 i4src
.sin_family
= i4dst
.sin_family
= *ifamily
= AF_INET
;
4357 i4src
.sin_len
= i4dst
.sin_len
= sizeof(struct sockaddr_in
);
4358 m_copydata(m
, off
+ offsetof(struct ip
, ip_src
), sizeof(i4src
.sin_addr
),
4359 (caddr_t
)&i4src
.sin_addr
);
4360 m_copydata(m
, off
+ offsetof(struct ip
, ip_dst
), sizeof(i4dst
.sin_addr
),
4361 (caddr_t
)&i4dst
.sin_addr
);
4362 sp
= key_gettunnel((struct sockaddr
*)&osrc
, (struct sockaddr
*)&odst
,
4363 (struct sockaddr
*)&i4src
, (struct sockaddr
*)&i4dst
);
4364 } else if (nxt
== IPPROTO_IPV6
) {
4365 bzero(&i6src
, sizeof(struct sockaddr_in6
));
4366 bzero(&i6dst
, sizeof(struct sockaddr_in6
));
4367 i6src
.sin6_family
= i6dst
.sin6_family
= *ifamily
= AF_INET6
;
4368 i6src
.sin6_len
= i6dst
.sin6_len
= sizeof(struct sockaddr_in6
);
4369 m_copydata(m
, off
+ offsetof(struct ip6_hdr
, ip6_src
), sizeof(i6src
.sin6_addr
),
4370 (caddr_t
)&i6src
.sin6_addr
);
4371 m_copydata(m
, off
+ offsetof(struct ip6_hdr
, ip6_dst
), sizeof(i6dst
.sin6_addr
),
4372 (caddr_t
)&i6dst
.sin6_addr
);
4373 sp
= key_gettunnel((struct sockaddr
*)&osrc
, (struct sockaddr
*)&odst
,
4374 (struct sockaddr
*)&i6src
, (struct sockaddr
*)&i6dst
);
4376 return 0; /* unsupported family */
4378 * when there is no suitable inbound policy for the packet of the ipsec
4379 * tunnel mode, the kernel never decapsulate the tunneled packet
4380 * as the ipsec tunnel mode even when the system wide policy is "none".
4381 * then the kernel leaves the generic tunnel module to process this
4382 * packet. if there is no rule of the generic tunnel, the packet
4383 * is rejected and the statistics will be counted up.
4387 key_freesp(sp
, KEY_SADB_UNLOCKED
);
4394 * Make a mbuf chain for encryption.
4395 * If the original mbuf chain contains a mbuf with a cluster,
4396 * allocate a new cluster and copy the data to the new cluster.
4397 * XXX: this hack is inefficient, but is necessary to handle cases
4398 * of TCP retransmission...
4401 ipsec_copypkt(struct mbuf
*m
)
4403 struct mbuf
*n
, **mpp
, *mnew
;
4405 for (n
= m
, mpp
= &m
; n
; n
= n
->m_next
) {
4406 if (n
->m_flags
& M_EXT
) {
4408 * Make a copy only if there are more than one references
4410 * XXX: is this approach effective?
4413 n
->m_ext
.ext_free
||
4414 m_mclhasreference(n
)
4420 if (n
->m_flags
& M_PKTHDR
) {
4421 MGETHDR(mnew
, M_DONTWAIT
, MT_HEADER
); /* MAC-OK */
4424 M_COPY_PKTHDR(mnew
, n
);
4427 MGET(mnew
, M_DONTWAIT
, MT_DATA
);
4435 * Copy data. If we don't have enough space to
4436 * store the whole data, allocate a cluster
4437 * or additional mbufs.
4438 * XXX: we don't use m_copyback(), since the
4439 * function does not use clusters and thus is
4448 if (remain
<= (mm
->m_flags
& M_PKTHDR
? MHLEN
: MLEN
))
4450 else { /* allocate a cluster */
4451 MCLGET(mm
, M_DONTWAIT
);
4452 if (!(mm
->m_flags
& M_EXT
)) {
4456 len
= remain
< MCLBYTES
?
4460 bcopy(n
->m_data
+ copied
, mm
->m_data
,
4467 if (remain
<= 0) /* completed? */
4470 /* need another mbuf */
4471 MGETHDR(mn
, M_DONTWAIT
, MT_HEADER
); /* XXXMAC: tags copied next time in loop? */
4474 mn
->m_pkthdr
.rcvif
= NULL
;
4480 mm
->m_next
= m_free(n
);
4499 * Tags are allocated as mbufs for now, since our minimum size is MLEN, we
4500 * should make use of up to that much space.
4502 #define IPSEC_TAG_HEADER \
4505 struct socket
*socket
;
4506 u_int32_t history_count
;
4507 struct ipsec_history history
[];
4510 #define IPSEC_TAG_SIZE (MLEN - sizeof(struct m_tag))
4511 #define IPSEC_TAG_HDR_SIZE (offsetof(struct ipsec_tag, history[0]))
4512 #define IPSEC_HISTORY_MAX ((IPSEC_TAG_SIZE - IPSEC_TAG_HDR_SIZE) / \
4513 sizeof(struct ipsec_history))
4515 static struct ipsec_tag
*
4521 /* Check if the tag already exists */
4522 tag
= m_tag_locate(m
, KERNEL_MODULE_TAG_ID
, KERNEL_TAG_TYPE_IPSEC
, NULL
);
4525 struct ipsec_tag
*itag
;
4527 /* Allocate a tag */
4528 tag
= m_tag_create(KERNEL_MODULE_TAG_ID
, KERNEL_TAG_TYPE_IPSEC
,
4529 IPSEC_TAG_SIZE
, M_DONTWAIT
, m
);
4532 itag
= (struct ipsec_tag
*)(tag
+ 1);
4534 itag
->history_count
= 0;
4536 m_tag_prepend(m
, tag
);
4540 return tag
? (struct ipsec_tag
*)(tag
+ 1) : NULL
;
4543 static struct ipsec_tag
*
4549 tag
= m_tag_locate(m
, KERNEL_MODULE_TAG_ID
, KERNEL_TAG_TYPE_IPSEC
, NULL
);
4551 return tag
? (struct ipsec_tag
*)(tag
+ 1) : NULL
;
4560 tag
= m_tag_locate(m
, KERNEL_MODULE_TAG_ID
, KERNEL_TAG_TYPE_IPSEC
, NULL
);
4563 m_tag_delete(m
, tag
);
4567 /* if the aux buffer is unnecessary, nuke it. */
4571 struct ipsec_tag
*itag
)
4573 if (itag
&& itag
->socket
== NULL
&& itag
->history_count
== 0) {
4574 m_tag_delete(m
, ((struct m_tag
*)itag
) - 1);
4579 ipsec_setsocket(struct mbuf
*m
, struct socket
*so
)
4581 struct ipsec_tag
*tag
;
4583 /* if so == NULL, don't insist on getting the aux mbuf */
4585 tag
= ipsec_addaux(m
);
4589 tag
= ipsec_findaux(m
);
4592 ipsec_optaux(m
, tag
);
4598 ipsec_getsocket(struct mbuf
*m
)
4600 struct ipsec_tag
*itag
;
4602 itag
= ipsec_findaux(m
);
4604 return itag
->socket
;
4615 struct ipsec_tag
*itag
;
4616 struct ipsec_history
*p
;
4617 itag
= ipsec_addaux(m
);
4620 if (itag
->history_count
== IPSEC_HISTORY_MAX
)
4621 return ENOSPC
; /* XXX */
4623 p
= &itag
->history
[itag
->history_count
];
4624 itag
->history_count
++;
4626 bzero(p
, sizeof(*p
));
4627 p
->ih_proto
= proto
;
4633 struct ipsec_history
*
4638 struct ipsec_tag
*itag
;
4640 itag
= ipsec_findaux(m
);
4643 if (itag
->history_count
== 0)
4646 *lenp
= (int)(itag
->history_count
* sizeof(struct ipsec_history
));
4647 return itag
->history
;
4654 struct ipsec_tag
*itag
;
4656 itag
= ipsec_findaux(m
);
4658 itag
->history_count
= 0;
4660 ipsec_optaux(m
, itag
);
4663 __private_extern__
int
4664 ipsec_send_natt_keepalive(
4665 struct secasvar
*sav
)
4670 struct ip_out_args ipoa
=
4671 { IFSCOPE_NONE
, { 0 }, IPOAF_SELECT_SRCIF
, 0,
4672 SO_TC_UNSPEC
, _NET_SERVICE_TYPE_UNSPEC
};
4674 int keepalive_interval
= natt_keepalive_interval
;
4676 lck_mtx_assert(sadb_mutex
, LCK_MTX_ASSERT_NOTOWNED
);
4678 if ((esp_udp_encap_port
& 0xFFFF) == 0 || sav
->remote_ike_port
== 0) return FALSE
;
4680 if (sav
->natt_interval
!= 0) {
4681 keepalive_interval
= (int)sav
->natt_interval
;
4684 // natt timestamp may have changed... reverify
4685 if ((natt_now
- sav
->natt_last_activity
) < keepalive_interval
) return FALSE
;
4687 if (sav
->flags
& SADB_X_EXT_ESP_KEEPALIVE
) return FALSE
; // don't send these from the kernel
4689 m
= m_gethdr(M_NOWAIT
, MT_DATA
);
4690 if (m
== NULL
) return FALSE
;
4692 ip
= (__typeof__(ip
))m_mtod(m
);
4694 // this sends one type of NATT keepalives (Type 1, ESP keepalives, aren't sent by kernel)
4695 if ((sav
->flags
& SADB_X_EXT_ESP_KEEPALIVE
) == 0) {
4699 * Type 2: a UDP packet complete with IP header.
4700 * We must do this because UDP output requires
4701 * an inpcb which we don't have. UDP packet
4702 * contains one byte payload. The byte is set
4705 uh
= (__typeof__(uh
))(void *)((char *)m_mtod(m
) + sizeof(*ip
));
4706 m
->m_len
= sizeof(struct udpiphdr
) + 1;
4707 bzero(m_mtod(m
), m
->m_len
);
4708 m
->m_pkthdr
.len
= m
->m_len
;
4710 ip
->ip_len
= m
->m_len
;
4711 ip
->ip_ttl
= ip_defttl
;
4712 ip
->ip_p
= IPPROTO_UDP
;
4713 if (sav
->sah
->dir
!= IPSEC_DIR_INBOUND
) {
4714 ip
->ip_src
= ((struct sockaddr_in
*)&sav
->sah
->saidx
.src
)->sin_addr
;
4715 ip
->ip_dst
= ((struct sockaddr_in
*)&sav
->sah
->saidx
.dst
)->sin_addr
;
4717 ip
->ip_src
= ((struct sockaddr_in
*)&sav
->sah
->saidx
.dst
)->sin_addr
;
4718 ip
->ip_dst
= ((struct sockaddr_in
*)&sav
->sah
->saidx
.src
)->sin_addr
;
4720 uh
->uh_sport
= htons((u_short
)esp_udp_encap_port
);
4721 uh
->uh_dport
= htons(sav
->remote_ike_port
);
4722 uh
->uh_ulen
= htons(1 + sizeof(*uh
));
4724 *(u_int8_t
*)((char*)m_mtod(m
) + sizeof(*ip
) + sizeof(*uh
)) = 0xFF;
4727 // grab sadb_mutex, to get a local copy of sah's route cache
4728 lck_mtx_lock(sadb_mutex
);
4729 if (ROUTE_UNUSABLE(&sav
->sah
->sa_route
) ||
4730 rt_key(sav
->sah
->sa_route
.ro_rt
)->sa_family
!= AF_INET
)
4731 ROUTE_RELEASE(&sav
->sah
->sa_route
);
4733 route_copyout(&ro
, &sav
->sah
->sa_route
, sizeof(ro
));
4734 lck_mtx_unlock(sadb_mutex
);
4736 necp_mark_packet_as_keepalive(m
, TRUE
);
4738 error
= ip_output(m
, NULL
, &ro
, IP_OUTARGS
| IP_NOIPSEC
, NULL
, &ipoa
);
4740 // grab sadb_mutex, to synchronize the sah's route cache with the local copy
4741 lck_mtx_lock(sadb_mutex
);
4742 route_copyin(&ro
, &sav
->sah
->sa_route
, sizeof(ro
));
4743 lck_mtx_unlock(sadb_mutex
);
4745 sav
->natt_last_activity
= natt_now
;
4751 __private_extern__
bool
4752 ipsec_fill_offload_frame(ifnet_t ifp
,
4753 struct secasvar
*sav
,
4754 struct ifnet_keepalive_offload_frame
*frame
,
4755 size_t frame_data_offset
)
4757 u_int8_t
*data
= NULL
;
4758 struct ip
*ip
= NULL
;
4759 struct udphdr
*uh
= NULL
;
4761 if (sav
== NULL
|| sav
->sah
== NULL
|| frame
== NULL
||
4762 (ifp
!= NULL
&& ifp
->if_index
!= sav
->sah
->outgoing_if
) ||
4763 sav
->sah
->saidx
.dst
.ss_family
!= AF_INET
||
4764 !(sav
->flags
& SADB_X_EXT_NATT
) ||
4765 !(sav
->flags
& SADB_X_EXT_NATT_KEEPALIVE
) ||
4766 !(sav
->flags
& SADB_X_EXT_NATT_KEEPALIVE_OFFLOAD
) ||
4767 sav
->flags
& SADB_X_EXT_ESP_KEEPALIVE
||
4768 (esp_udp_encap_port
& 0xFFFF) == 0 ||
4769 sav
->remote_ike_port
== 0 ||
4770 (natt_keepalive_interval
== 0 && sav
->natt_interval
== 0 && sav
->natt_offload_interval
== 0)) {
4771 /* SA is not eligible for keepalive offload on this interface */
4775 if (frame_data_offset
+ sizeof(struct udpiphdr
) + 1 >
4776 IFNET_KEEPALIVE_OFFLOAD_FRAME_DATA_SIZE
) {
4777 /* Not enough room in this data frame */
4782 ip
= (__typeof__(ip
))(void *)(data
+ frame_data_offset
);
4783 uh
= (__typeof__(uh
))(void *)(data
+ frame_data_offset
+ sizeof(*ip
));
4785 frame
->length
= frame_data_offset
+ sizeof(struct udpiphdr
) + 1;
4786 frame
->type
= IFNET_KEEPALIVE_OFFLOAD_FRAME_IPSEC
;
4787 frame
->ether_type
= IFNET_KEEPALIVE_OFFLOAD_FRAME_ETHERTYPE_IPV4
;
4789 bzero(data
, IFNET_KEEPALIVE_OFFLOAD_FRAME_DATA_SIZE
);
4791 ip
->ip_v
= IPVERSION
;
4792 ip
->ip_hl
= sizeof(struct ip
) >> 2;
4793 ip
->ip_off
&= htons(~IP_OFFMASK
);
4794 ip
->ip_off
&= htons(~IP_MF
);
4795 switch (ip4_ipsec_dfbit
) {
4796 case 0: /* clear DF bit */
4797 ip
->ip_off
&= htons(~IP_DF
);
4799 case 1: /* set DF bit */
4800 ip
->ip_off
|= htons(IP_DF
);
4802 default: /* copy DF bit */
4805 ip
->ip_len
= htons(sizeof(struct udpiphdr
) + 1);
4806 ip
->ip_id
= ip_randomid();
4807 ip
->ip_ttl
= ip_defttl
;
4808 ip
->ip_p
= IPPROTO_UDP
;
4810 if (sav
->sah
->dir
!= IPSEC_DIR_INBOUND
) {
4811 ip
->ip_src
= ((struct sockaddr_in
*)&sav
->sah
->saidx
.src
)->sin_addr
;
4812 ip
->ip_dst
= ((struct sockaddr_in
*)&sav
->sah
->saidx
.dst
)->sin_addr
;
4814 ip
->ip_src
= ((struct sockaddr_in
*)&sav
->sah
->saidx
.dst
)->sin_addr
;
4815 ip
->ip_dst
= ((struct sockaddr_in
*)&sav
->sah
->saidx
.src
)->sin_addr
;
4817 ip
->ip_sum
= in_cksum_hdr_opt(ip
);
4818 uh
->uh_sport
= htons((u_short
)esp_udp_encap_port
);
4819 uh
->uh_dport
= htons(sav
->remote_ike_port
);
4820 uh
->uh_ulen
= htons(1 + sizeof(*uh
));
4822 *(u_int8_t
*)(data
+ frame_data_offset
+ sizeof(*ip
) + sizeof(*uh
)) = 0xFF;
4824 if (sav
->natt_offload_interval
!= 0) {
4825 frame
->interval
= sav
->natt_offload_interval
;
4826 } else if (sav
->natt_interval
!= 0) {
4827 frame
->interval
= sav
->natt_interval
;
4829 frame
->interval
= natt_keepalive_interval
;