search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Kernel part of bluetooth stack ported by Dmitry Komissaroff. Very much work
[dragonfly.git] / sys / netinet6 / ipsec.c
blob65d5d9c5ec46640929fb9c0242edc97a44445048
1 /* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.12 2003/05/06 06:46:58 suz Exp $ */
2 /* $DragonFly: src/sys/netinet6/ipsec.c,v 1.20 2007/10/20 10:28:44 sephe Exp $ */
3 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /*
35 * IPsec controller part.
36 */
37
38 #include "opt_inet.h"
39 #include "opt_inet6.h"
40 #include "opt_ipsec.h"
41
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/malloc.h>
45 #include <sys/mbuf.h>
46 #include <sys/domain.h>
47 #include <sys/protosw.h>
48 #include <sys/socket.h>
49 #include <sys/socketvar.h>
50 #include <sys/errno.h>
51 #include <sys/time.h>
52 #include <sys/kernel.h>
53 #include <sys/syslog.h>
54 #include <sys/sysctl.h>
55 #include <sys/proc.h>
56 #include <sys/in_cksum.h>
57 #include <sys/thread2.h>
58
59 #include <net/if.h>
60 #include <net/route.h>
61
62 #include <netinet/in.h>
63 #include <netinet/in_systm.h>
64 #include <netinet/ip.h>
65 #include <netinet/ip_var.h>
66 #include <netinet/in_var.h>
67 #include <netinet/udp.h>
68 #include <netinet/udp_var.h>
69 #include <netinet/ip_ecn.h>
70 #ifdef INET6
71 #include <netinet6/ip6_ecn.h>
72 #endif
73 #include <netinet/tcp.h>
74 #include <netinet/udp.h>
75
76 #include <netinet/ip6.h>
77 #ifdef INET6
78 #include <netinet6/ip6_var.h>
79 #endif
80 #include <netinet/in_pcb.h>
81 #ifdef INET6
82 #include <netinet/icmp6.h>
83 #endif
84
85 #include <netinet6/ipsec.h>
86 #ifdef INET6
87 #include <netinet6/ipsec6.h>
88 #endif
89 #include <netinet6/ah.h>
90 #ifdef INET6
91 #include <netinet6/ah6.h>
92 #endif
93 #ifdef IPSEC_ESP
94 #include <netinet6/esp.h>
95 #ifdef INET6
96 #include <netinet6/esp6.h>
97 #endif
98 #endif
99 #include <netinet6/ipcomp.h>
100 #ifdef INET6
101 #include <netinet6/ipcomp6.h>
102 #endif
103 #include <netproto/key/key.h>
104 #include <netproto/key/keydb.h>
105 #include <netproto/key/key_debug.h>
106
107 #include <net/net_osdep.h>
108
109 #ifdef IPSEC_DEBUG
110 int ipsec_debug = 1;
111 #else
112 int ipsec_debug = 0;
113 #endif
114
115 struct ipsecstat ipsecstat;
116 int ip4_ah_cleartos = 1;
117 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
118 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
119 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
120 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
121 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
122 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
123 struct secpolicy ip4_def_policy;
124 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
125 int ip4_esp_randpad = -1;
126
127 #ifdef SYSCTL_DECL
128 SYSCTL_DECL(_net_inet_ipsec);
129 #ifdef INET6
130 SYSCTL_DECL(_net_inet6_ipsec6);
131 #endif
132 #endif
133
134 /* net.inet.ipsec */
135 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
136 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
137 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
138 def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "");
139 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
140 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
141 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
142 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
143 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
144 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
145 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
146 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
147 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
148 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
149 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
150 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
151 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
152 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
153 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
154 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
155 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
156 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
157 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
158 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
159
160 #ifdef INET6
161 struct ipsecstat ipsec6stat;
162 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
163 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
164 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
165 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
166 struct secpolicy ip6_def_policy;
167 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
168 int ip6_esp_randpad = -1;
169
170 /* net.inet6.ipsec6 */
171 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
172 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
173 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
174 def_policy, CTLFLAG_RW, &ip6_def_policy.policy, 0, "");
175 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
176 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
177 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
178 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
179 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
180 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
181 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
182 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
183 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
184 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
185 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
186 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
187 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
188 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
189 #endif /* INET6 */
190
191 static int ipsec_setspidx_mbuf
192 (struct secpolicyindex *, u_int, u_int, struct mbuf *, int);
193 static int ipsec4_setspidx_inpcb (struct mbuf *, struct inpcb *pcb);
194 #ifdef INET6
195 static int ipsec6_setspidx_in6pcb (struct mbuf *, struct in6pcb *pcb);
196 #endif
197 static int ipsec_setspidx (struct mbuf *, struct secpolicyindex *, int);
198 static void ipsec4_get_ulp (struct mbuf *m, struct secpolicyindex *, int);
199 static int ipsec4_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *);
200 #ifdef INET6
201 static void ipsec6_get_ulp (struct mbuf *m, struct secpolicyindex *, int);
202 static int ipsec6_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *);
203 #endif
204 static struct inpcbpolicy *ipsec_newpcbpolicy (void);
205 static void ipsec_delpcbpolicy (struct inpcbpolicy *);
206 static struct secpolicy *ipsec_deepcopy_policy (struct secpolicy *src);
207 static int ipsec_set_policy (struct secpolicy **pcb_sp,
208 int optname, caddr_t request, size_t len, int priv);
209 static int ipsec_get_policy (struct secpolicy *pcb_sp, struct mbuf **mp);
210 static void vshiftl (unsigned char *, int, int);
211 static int ipsec_in_reject (struct secpolicy *, struct mbuf *);
212 static size_t ipsec_hdrsiz (struct secpolicy *);
213 #ifdef INET
214 static struct mbuf *ipsec4_splithdr (struct mbuf *);
215 #endif
216 #ifdef INET6
217 static struct mbuf *ipsec6_splithdr (struct mbuf *);
218 #endif
219 #ifdef INET
220 static int ipsec4_encapsulate (struct mbuf *, struct secasvar *);
221 #endif
222 #ifdef INET6
223 static int ipsec6_encapsulate (struct mbuf *, struct secasvar *);
224 #endif
225
226 /*
227 * For OUTBOUND packet having a socket. Searching SPD for packet,
228 * and return a pointer to SP.
229 * OUT: NULL: no apropreate SP found, the following value is set to error.
230 * 0 : bypass
231 * EACCES : discard packet.
232 * ENOENT : ipsec_acquire() in progress, maybe.
233 * others : error occured.
234 * others: a pointer to SP
235 *
236 * NOTE: IPv6 mapped adddress concern is implemented here.
237 */
238 struct secpolicy *
239 ipsec4_getpolicybysock(struct mbuf *m, u_int dir, struct socket *so, int *error)
240 {
241 struct inpcbpolicy *pcbsp = NULL;
242 struct secpolicy *currsp = NULL; /* policy on socket */
243 struct secpolicy *kernsp = NULL; /* policy on kernel */
244
245 /* sanity check */
246 if (m == NULL || so == NULL || error == NULL)
247 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
248
249 switch (so->so_proto->pr_domain->dom_family) {
250 case AF_INET:
251 /* set spidx in pcb */
252 *error = ipsec4_setspidx_inpcb(m, so->so_pcb);
253 break;
254 #ifdef INET6
255 case AF_INET6:
256 /* set spidx in pcb */
257 *error = ipsec6_setspidx_in6pcb(m, so->so_pcb);
258 break;
259 #endif
260 default:
261 panic("ipsec4_getpolicybysock: unsupported address family\n");
262 }
263 if (*error)
264 return NULL;
265 switch (so->so_proto->pr_domain->dom_family) {
266 case AF_INET:
267 pcbsp = sotoinpcb(so)->inp_sp;
268 break;
269 #ifdef INET6
270 case AF_INET6:
271 pcbsp = sotoin6pcb(so)->in6p_sp;
272 break;
273 #endif
274 }
275
276 /* sanity check */
277 if (pcbsp == NULL)
278 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
279
280 switch (dir) {
281 case IPSEC_DIR_INBOUND:
282 currsp = pcbsp->sp_in;
283 break;
284 case IPSEC_DIR_OUTBOUND:
285 currsp = pcbsp->sp_out;
286 break;
287 default:
288 panic("ipsec4_getpolicybysock: illegal direction.");
289 }
290
291 /* sanity check */
292 if (currsp == NULL)
293 panic("ipsec4_getpolicybysock: currsp is NULL.");
294
295 /* when privilieged socket */
296 if (pcbsp->priv) {
297 switch (currsp->policy) {
298 case IPSEC_POLICY_BYPASS:
299 currsp->refcnt++;
300 *error = 0;
301 return currsp;
302
303 case IPSEC_POLICY_ENTRUST:
304 /* look for a policy in SPD */
305 kernsp = key_allocsp(&currsp->spidx, dir);
306
307 /* SP found */
308 if (kernsp != NULL) {
309 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
310 kprintf("DP ipsec4_getpolicybysock called "
311 "to allocate SP:%p\n", kernsp));
312 *error = 0;
313 return kernsp;
314 }
315
316 /* no SP found */
317 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
318 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
319 ipseclog((LOG_INFO,
320 "fixed system default policy: %d->%d\n",
321 ip4_def_policy.policy, IPSEC_POLICY_NONE));
322 ip4_def_policy.policy = IPSEC_POLICY_NONE;
323 }
324 ip4_def_policy.refcnt++;
325 *error = 0;
326 return &ip4_def_policy;
327
328 case IPSEC_POLICY_IPSEC:
329 currsp->refcnt++;
330 *error = 0;
331 return currsp;
332
333 default:
334 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
335 "Invalid policy for PCB %d\n", currsp->policy));
336 *error = EINVAL;
337 return NULL;
338 }
339 /* NOTREACHED */
340 }
341
342 /* when non-privilieged socket */
343 /* look for a policy in SPD */
344 kernsp = key_allocsp(&currsp->spidx, dir);
345
346 /* SP found */
347 if (kernsp != NULL) {
348 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
349 kprintf("DP ipsec4_getpolicybysock called "
350 "to allocate SP:%p\n", kernsp));
351 *error = 0;
352 return kernsp;
353 }
354
355 /* no SP found */
356 switch (currsp->policy) {
357 case IPSEC_POLICY_BYPASS:
358 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
359 "Illegal policy for non-priviliged defined %d\n",
360 currsp->policy));
361 *error = EINVAL;
362 return NULL;
363
364 case IPSEC_POLICY_ENTRUST:
365 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
366 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
367 ipseclog((LOG_INFO,
368 "fixed system default policy: %d->%d\n",
369 ip4_def_policy.policy, IPSEC_POLICY_NONE));
370 ip4_def_policy.policy = IPSEC_POLICY_NONE;
371 }
372 ip4_def_policy.refcnt++;
373 *error = 0;
374 return &ip4_def_policy;
375
376 case IPSEC_POLICY_IPSEC:
377 currsp->refcnt++;
378 *error = 0;
379 return currsp;
380
381 default:
382 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
383 "Invalid policy for PCB %d\n", currsp->policy));
384 *error = EINVAL;
385 return NULL;
386 }
387 /* NOTREACHED */
388 }
389
390 /*
391 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
392 * and return a pointer to SP.
393 * OUT: positive: a pointer to the entry for security policy leaf matched.
394 * NULL: no apropreate SP found, the following value is set to error.
395 * 0 : bypass
396 * EACCES : discard packet.
397 * ENOENT : ipsec_acquire() in progress, maybe.
398 * others : error occured.
399 */
400 struct secpolicy *
401 ipsec4_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
402 {
403 struct secpolicy *sp = NULL;
404
405 /* sanity check */
406 if (m == NULL || error == NULL)
407 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
408
409 {
410 struct secpolicyindex spidx;
411
412 bzero(&spidx, sizeof(spidx));
413
414 /* make a index to look for a policy */
415 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
416 (flag & IP_FORWARDING) ? 0 : 1);
417
418 if (*error != 0)
419 return NULL;
420
421 sp = key_allocsp(&spidx, dir);
422 }
423
424 /* SP found */
425 if (sp != NULL) {
426 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
427 kprintf("DP ipsec4_getpolicybyaddr called "
428 "to allocate SP:%p\n", sp));
429 *error = 0;
430 return sp;
431 }
432
433 /* no SP found */
434 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
435 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
436 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
437 ip4_def_policy.policy,
438 IPSEC_POLICY_NONE));
439 ip4_def_policy.policy = IPSEC_POLICY_NONE;
440 }
441 ip4_def_policy.refcnt++;
442 *error = 0;
443 return &ip4_def_policy;
444 }
445
446 #ifdef INET6
447 /*
448 * For OUTBOUND packet having a socket. Searching SPD for packet,
449 * and return a pointer to SP.
450 * OUT: NULL: no apropreate SP found, the following value is set to error.
451 * 0 : bypass
452 * EACCES : discard packet.
453 * ENOENT : ipsec_acquire() in progress, maybe.
454 * others : error occured.
455 * others: a pointer to SP
456 */
457 struct secpolicy *
458 ipsec6_getpolicybysock(struct mbuf *m, u_int dir, struct socket *so, int *error)
459 {
460 struct inpcbpolicy *pcbsp = NULL;
461 struct secpolicy *currsp = NULL; /* policy on socket */
462 struct secpolicy *kernsp = NULL; /* policy on kernel */
463
464 /* sanity check */
465 if (m == NULL || so == NULL || error == NULL)
466 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
467
468 #ifdef DIAGNOSTIC
469 if (so->so_proto->pr_domain->dom_family != AF_INET6)
470 panic("ipsec6_getpolicybysock: socket domain != inet6");
471 #endif
472
473 /* set spidx in pcb */
474 ipsec6_setspidx_in6pcb(m, so->so_pcb);
475
476 pcbsp = sotoin6pcb(so)->in6p_sp;
477
478 /* sanity check */
479 if (pcbsp == NULL)
480 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
481
482 switch (dir) {
483 case IPSEC_DIR_INBOUND:
484 currsp = pcbsp->sp_in;
485 break;
486 case IPSEC_DIR_OUTBOUND:
487 currsp = pcbsp->sp_out;
488 break;
489 default:
490 panic("ipsec6_getpolicybysock: illegal direction.");
491 }
492
493 /* sanity check */
494 if (currsp == NULL)
495 panic("ipsec6_getpolicybysock: currsp is NULL.");
496
497 /* when privilieged socket */
498 if (pcbsp->priv) {
499 switch (currsp->policy) {
500 case IPSEC_POLICY_BYPASS:
501 currsp->refcnt++;
502 *error = 0;
503 return currsp;
504
505 case IPSEC_POLICY_ENTRUST:
506 /* look for a policy in SPD */
507 kernsp = key_allocsp(&currsp->spidx, dir);
508
509 /* SP found */
510 if (kernsp != NULL) {
511 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
512 kprintf("DP ipsec6_getpolicybysock called "
513 "to allocate SP:%p\n", kernsp));
514 *error = 0;
515 return kernsp;
516 }
517
518 /* no SP found */
519 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
520 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
521 ipseclog((LOG_INFO,
522 "fixed system default policy: %d->%d\n",
523 ip6_def_policy.policy, IPSEC_POLICY_NONE));
524 ip6_def_policy.policy = IPSEC_POLICY_NONE;
525 }
526 ip6_def_policy.refcnt++;
527 *error = 0;
528 return &ip6_def_policy;
529
530 case IPSEC_POLICY_IPSEC:
531 currsp->refcnt++;
532 *error = 0;
533 return currsp;
534
535 default:
536 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
537 "Invalid policy for PCB %d\n", currsp->policy));
538 *error = EINVAL;
539 return NULL;
540 }
541 /* NOTREACHED */
542 }
543
544 /* when non-privilieged socket */
545 /* look for a policy in SPD */
546 kernsp = key_allocsp(&currsp->spidx, dir);
547
548 /* SP found */
549 if (kernsp != NULL) {
550 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
551 kprintf("DP ipsec6_getpolicybysock called "
552 "to allocate SP:%p\n", kernsp));
553 *error = 0;
554 return kernsp;
555 }
556
557 /* no SP found */
558 switch (currsp->policy) {
559 case IPSEC_POLICY_BYPASS:
560 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
561 "Illegal policy for non-priviliged defined %d\n",
562 currsp->policy));
563 *error = EINVAL;
564 return NULL;
565
566 case IPSEC_POLICY_ENTRUST:
567 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
568 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
569 ipseclog((LOG_INFO,
570 "fixed system default policy: %d->%d\n",
571 ip6_def_policy.policy, IPSEC_POLICY_NONE));
572 ip6_def_policy.policy = IPSEC_POLICY_NONE;
573 }
574 ip6_def_policy.refcnt++;
575 *error = 0;
576 return &ip6_def_policy;
577
578 case IPSEC_POLICY_IPSEC:
579 currsp->refcnt++;
580 *error = 0;
581 return currsp;
582
583 default:
584 ipseclog((LOG_ERR,
585 "ipsec6_policybysock: Invalid policy for PCB %d\n",
586 currsp->policy));
587 *error = EINVAL;
588 return NULL;
589 }
590 /* NOTREACHED */
591 }
592
593 /*
594 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
595 * and return a pointer to SP.
596 * `flag' means that packet is to be forwarded whether or not.
597 * flag = 1: forwad
598 * OUT: positive: a pointer to the entry for security policy leaf matched.
599 * NULL: no apropreate SP found, the following value is set to error.
600 * 0 : bypass
601 * EACCES : discard packet.
602 * ENOENT : ipsec_acquire() in progress, maybe.
603 * others : error occured.
604 */
605 #ifndef IP_FORWARDING
606 #define IP_FORWARDING 1
607 #endif
608
609 struct secpolicy *
610 ipsec6_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
611 {
612 struct secpolicy *sp = NULL;
613
614 /* sanity check */
615 if (m == NULL || error == NULL)
616 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
617
618 {
619 struct secpolicyindex spidx;
620
621 bzero(&spidx, sizeof(spidx));
622
623 /* make a index to look for a policy */
624 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
625 (flag & IP_FORWARDING) ? 0 : 1);
626
627 if (*error != 0)
628 return NULL;
629
630 sp = key_allocsp(&spidx, dir);
631 }
632
633 /* SP found */
634 if (sp != NULL) {
635 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
636 kprintf("DP ipsec6_getpolicybyaddr called "
637 "to allocate SP:%p\n", sp));
638 *error = 0;
639 return sp;
640 }
641
642 /* no SP found */
643 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
644 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
645 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
646 ip6_def_policy.policy, IPSEC_POLICY_NONE));
647 ip6_def_policy.policy = IPSEC_POLICY_NONE;
648 }
649 ip6_def_policy.refcnt++;
650 *error = 0;
651 return &ip6_def_policy;
652 }
653 #endif /* INET6 */
654
655 /*
656 * set IP address into spidx from mbuf.
657 * When Forwarding packet and ICMP echo reply, this function is used.
658 *
659 * IN: get the followings from mbuf.
660 * protocol family, src, dst, next protocol
661 * OUT:
662 * 0: success.
663 * other: failure, and set errno.
664 */
665 int
666 ipsec_setspidx_mbuf(struct secpolicyindex *spidx, u_int dir, u_int family,
667 struct mbuf *m, int needport)
668 {
669 int error;
670
671 /* sanity check */
672 if (spidx == NULL || m == NULL)
673 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
674
675 bzero(spidx, sizeof(*spidx));
676
677 error = ipsec_setspidx(m, spidx, needport);
678 if (error)
679 goto bad;
680 spidx->dir = dir;
681
682 return 0;
683
684 bad:
685 /* XXX initialize */
686 bzero(spidx, sizeof(*spidx));
687 return EINVAL;
688 }
689
690 static int
691 ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb)
692 {
693 struct secpolicyindex *spidx;
694 int error;
695
696 /* sanity check */
697 if (pcb == NULL)
698 panic("ipsec4_setspidx_inpcb: no PCB found.");
699 if (pcb->inp_sp == NULL)
700 panic("ipsec4_setspidx_inpcb: no inp_sp found.");
701 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL)
702 panic("ipsec4_setspidx_inpcb: no sp_in/out found.");
703
704 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
705 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
706
707 spidx = &pcb->inp_sp->sp_in->spidx;
708 error = ipsec_setspidx(m, spidx, 1);
709 if (error)
710 goto bad;
711 spidx->dir = IPSEC_DIR_INBOUND;
712
713 spidx = &pcb->inp_sp->sp_out->spidx;
714 error = ipsec_setspidx(m, spidx, 1);
715 if (error)
716 goto bad;
717 spidx->dir = IPSEC_DIR_OUTBOUND;
718
719 return 0;
720
721 bad:
722 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
723 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
724 return error;
725 }
726
727 #ifdef INET6
728 static int
729 ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb)
730 {
731 struct secpolicyindex *spidx;
732 int error;
733
734 /* sanity check */
735 if (pcb == NULL)
736 panic("ipsec6_setspidx_in6pcb: no PCB found.");
737 if (pcb->in6p_sp == NULL)
738 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.");
739 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL)
740 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.");
741
742 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
743 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
744
745 spidx = &pcb->in6p_sp->sp_in->spidx;
746 error = ipsec_setspidx(m, spidx, 1);
747 if (error)
748 goto bad;
749 spidx->dir = IPSEC_DIR_INBOUND;
750
751 spidx = &pcb->in6p_sp->sp_out->spidx;
752 error = ipsec_setspidx(m, spidx, 1);
753 if (error)
754 goto bad;
755 spidx->dir = IPSEC_DIR_OUTBOUND;
756
757 return 0;
758
759 bad:
760 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
761 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
762 return error;
763 }
764 #endif
765
766 /*
767 * configure security policy index (src/dst/proto/sport/dport)
768 * by looking at the content of mbuf.
769 * the caller is responsible for error recovery (like clearing up spidx).
770 */
771 static int
772 ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
773 {
774 struct ip *ip = NULL;
775 struct ip ipbuf;
776 u_int v;
777 struct mbuf *n;
778 int len;
779 int error;
780
781 if (m == NULL)
782 panic("ipsec_setspidx: m == 0 passed.");
783
784 /*
785 * validate m->m_pkthdr.len. we see incorrect length if we
786 * mistakenly call this function with inconsistent mbuf chain
787 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
788 */
789 len = 0;
790 for (n = m; n; n = n->m_next)
791 len += n->m_len;
792 if (m->m_pkthdr.len != len) {
793 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
794 kprintf("ipsec_setspidx: "
795 "total of m_len(%d) != pkthdr.len(%d), "
796 "ignored.\n",
797 len, m->m_pkthdr.len));
798 return EINVAL;
799 }
800
801 if (m->m_pkthdr.len < sizeof(struct ip)) {
802 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
803 kprintf("ipsec_setspidx: "
804 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
805 m->m_pkthdr.len));
806 return EINVAL;
807 }
808
809 if (m->m_len >= sizeof(*ip))
810 ip = mtod(m, struct ip *);
811 else {
812 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
813 ip = &ipbuf;
814 }
815 #ifdef _IP_VHL
816 v = _IP_VHL_V(ip->ip_vhl);
817 #else
818 v = ip->ip_v;
819 #endif
820 switch (v) {
821 case 4:
822 error = ipsec4_setspidx_ipaddr(m, spidx);
823 if (error)
824 return error;
825 ipsec4_get_ulp(m, spidx, needport);
826 return 0;
827 #ifdef INET6
828 case 6:
829 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
830 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
831 kprintf("ipsec_setspidx: "
832 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
833 "ignored.\n", m->m_pkthdr.len));
834 return EINVAL;
835 }
836 error = ipsec6_setspidx_ipaddr(m, spidx);
837 if (error)
838 return error;
839 ipsec6_get_ulp(m, spidx, needport);
840 return 0;
841 #endif
842 default:
843 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
844 kprintf("ipsec_setspidx: "
845 "unknown IP version %u, ignored.\n", v));
846 return EINVAL;
847 }
848 }
849
850 static void
851 ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
852 {
853 struct ip ip;
854 struct ip6_ext ip6e;
855 u_int8_t nxt;
856 int off;
857 struct tcphdr th;
858 struct udphdr uh;
859
860 /* sanity check */
861 if (m == NULL)
862 panic("ipsec4_get_ulp: NULL pointer was passed.");
863 if (m->m_pkthdr.len < sizeof(ip))
864 panic("ipsec4_get_ulp: too short");
865
866 /* set default */
867 spidx->ul_proto = IPSEC_ULPROTO_ANY;
868 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
869 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
870
871 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
872 /* ip_input() flips it into host endian XXX need more checking */
873 if (ip.ip_off & (IP_MF | IP_OFFMASK))
874 return;
875
876 nxt = ip.ip_p;
877 #ifdef _IP_VHL
878 off = _IP_VHL_HL(ip->ip_vhl) << 2;
879 #else
880 off = ip.ip_hl << 2;
881 #endif
882 while (off < m->m_pkthdr.len) {
883 switch (nxt) {
884 case IPPROTO_TCP:
885 spidx->ul_proto = nxt;
886 if (!needport)
887 return;
888 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
889 return;
890 m_copydata(m, off, sizeof(th), (caddr_t)&th);
891 ((struct sockaddr_in *)&spidx->src)->sin_port =
892 th.th_sport;
893 ((struct sockaddr_in *)&spidx->dst)->sin_port =
894 th.th_dport;
895 return;
896 case IPPROTO_UDP:
897 spidx->ul_proto = nxt;
898 if (!needport)
899 return;
900 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
901 return;
902 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
903 ((struct sockaddr_in *)&spidx->src)->sin_port =
904 uh.uh_sport;
905 ((struct sockaddr_in *)&spidx->dst)->sin_port =
906 uh.uh_dport;
907 return;
908 case IPPROTO_AH:
909 if (off + sizeof(ip6e) > m->m_pkthdr.len)
910 return;
911 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
912 off += (ip6e.ip6e_len + 2) << 2;
913 nxt = ip6e.ip6e_nxt;
914 break;
915 case IPPROTO_ICMP:
916 default:
917 /* XXX intermediate headers??? */
918 spidx->ul_proto = nxt;
919 return;
920 }
921 }
922 }
923
924 /* assumes that m is sane */
925 static int
926 ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
927 {
928 struct ip *ip = NULL;
929 struct ip ipbuf;
930 struct sockaddr_in *sin;
931
932 if (m->m_len >= sizeof(*ip))
933 ip = mtod(m, struct ip *);
934 else {
935 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
936 ip = &ipbuf;
937 }
938
939 sin = (struct sockaddr_in *)&spidx->src;
940 bzero(sin, sizeof(*sin));
941 sin->sin_family = AF_INET;
942 sin->sin_len = sizeof(struct sockaddr_in);
943 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
944 spidx->prefs = sizeof(struct in_addr) << 3;
945
946 sin = (struct sockaddr_in *)&spidx->dst;
947 bzero(sin, sizeof(*sin));
948 sin->sin_family = AF_INET;
949 sin->sin_len = sizeof(struct sockaddr_in);
950 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
951 spidx->prefd = sizeof(struct in_addr) << 3;
952 return 0;
953 }
954
955 #ifdef INET6
956 static void
957 ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
958 {
959 int off, nxt;
960 struct tcphdr th;
961 struct udphdr uh;
962
963 /* sanity check */
964 if (m == NULL)
965 panic("ipsec6_get_ulp: NULL pointer was passed.");
966
967 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
968 kprintf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
969
970 /* set default */
971 spidx->ul_proto = IPSEC_ULPROTO_ANY;
972 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
973 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
974
975 nxt = -1;
976 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
977 if (off < 0 || m->m_pkthdr.len < off)
978 return;
979
980 switch (nxt) {
981 case IPPROTO_TCP:
982 spidx->ul_proto = nxt;
983 if (!needport)
984 break;
985 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
986 break;
987 m_copydata(m, off, sizeof(th), (caddr_t)&th);
988 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
989 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
990 break;
991 case IPPROTO_UDP:
992 spidx->ul_proto = nxt;
993 if (!needport)
994 break;
995 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
996 break;
997 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
998 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
999 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1000 break;
1001 case IPPROTO_ICMPV6:
1002 default:
1003 /* XXX intermediate headers??? */
1004 spidx->ul_proto = nxt;
1005 break;
1006 }
1007 }
1008
1009 /* assumes that m is sane */
1010 static int
1011 ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
1012 {
1013 struct ip6_hdr *ip6 = NULL;
1014 struct ip6_hdr ip6buf;
1015 struct sockaddr_in6 *sin6;
1016
1017 if (m->m_len >= sizeof(*ip6))
1018 ip6 = mtod(m, struct ip6_hdr *);
1019 else {
1020 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1021 ip6 = &ip6buf;
1022 }
1023
1024 sin6 = (struct sockaddr_in6 *)&spidx->src;
1025 bzero(sin6, sizeof(*sin6));
1026 sin6->sin6_family = AF_INET6;
1027 sin6->sin6_len = sizeof(struct sockaddr_in6);
1028 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
1029 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1030 sin6->sin6_addr.s6_addr16[1] = 0;
1031 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1032 }
1033 spidx->prefs = sizeof(struct in6_addr) << 3;
1034
1035 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1036 bzero(sin6, sizeof(*sin6));
1037 sin6->sin6_family = AF_INET6;
1038 sin6->sin6_len = sizeof(struct sockaddr_in6);
1039 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
1040 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1041 sin6->sin6_addr.s6_addr16[1] = 0;
1042 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1043 }
1044 spidx->prefd = sizeof(struct in6_addr) << 3;
1045
1046 return 0;
1047 }
1048 #endif
1049
1050 static struct inpcbpolicy *
1051 ipsec_newpcbpolicy(void)
1052 {
1053 struct inpcbpolicy *p;
1054
1055 p = (struct inpcbpolicy *)kmalloc(sizeof(*p), M_SECA, M_NOWAIT);
1056 return p;
1057 }
1058
1059 static void
1060 ipsec_delpcbpolicy(struct inpcbpolicy *p)
1061 {
1062 kfree(p, M_SECA);
1063 }
1064
1065 /* initialize policy in PCB */
1066 int
1067 ipsec_init_policy(struct socket *so, struct inpcbpolicy **pcb_sp)
1068 {
1069 struct inpcbpolicy *new;
1070
1071 /* sanity check. */
1072 if (so == NULL || pcb_sp == NULL)
1073 panic("ipsec_init_policy: NULL pointer was passed.");
1074
1075 new = ipsec_newpcbpolicy();
1076 if (new == NULL) {
1077 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1078 return ENOBUFS;
1079 }
1080 bzero(new, sizeof(*new));
1081
1082 if (so->so_cred != 0 && so->so_cred->cr_uid == 0)
1083 new->priv = 1;
1084 else
1085 new->priv = 0;
1086
1087 if ((new->sp_in = key_newsp()) == NULL) {
1088 ipsec_delpcbpolicy(new);
1089 return ENOBUFS;
1090 }
1091 new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1092 new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1093
1094 if ((new->sp_out = key_newsp()) == NULL) {
1095 key_freesp(new->sp_in);
1096 ipsec_delpcbpolicy(new);
1097 return ENOBUFS;
1098 }
1099 new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1100 new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1101
1102 *pcb_sp = new;
1103
1104 return 0;
1105 }
1106
1107 /* copy old ipsec policy into new */
1108 int
1109 ipsec_copy_policy(struct inpcbpolicy *old, struct inpcbpolicy *new)
1110 {
1111 struct secpolicy *sp;
1112
1113 sp = ipsec_deepcopy_policy(old->sp_in);
1114 if (sp) {
1115 key_freesp(new->sp_in);
1116 new->sp_in = sp;
1117 } else
1118 return ENOBUFS;
1119
1120 sp = ipsec_deepcopy_policy(old->sp_out);
1121 if (sp) {
1122 key_freesp(new->sp_out);
1123 new->sp_out = sp;
1124 } else
1125 return ENOBUFS;
1126
1127 new->priv = old->priv;
1128
1129 return 0;
1130 }
1131
1132 /* deep-copy a policy in PCB */
1133 static struct secpolicy *
1134 ipsec_deepcopy_policy(struct secpolicy *src)
1135 {
1136 struct ipsecrequest *newchain = NULL;
1137 struct ipsecrequest *p;
1138 struct ipsecrequest **q;
1139 struct ipsecrequest *r;
1140 struct secpolicy *dst;
1141
1142 dst = key_newsp();
1143 if (src == NULL || dst == NULL)
1144 return NULL;
1145
1146 /*
1147 * deep-copy IPsec request chain. This is required since struct
1148 * ipsecrequest is not reference counted.
1149 */
1150 q = &newchain;
1151 for (p = src->req; p; p = p->next) {
1152 *q = (struct ipsecrequest *)kmalloc(sizeof(struct ipsecrequest),
1153 M_SECA, M_NOWAIT);
1154 if (*q == NULL)
1155 goto fail;
1156 bzero(*q, sizeof(**q));
1157 (*q)->next = NULL;
1158
1159 (*q)->saidx.proto = p->saidx.proto;
1160 (*q)->saidx.mode = p->saidx.mode;
1161 (*q)->level = p->level;
1162 (*q)->saidx.reqid = p->saidx.reqid;
1163
1164 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1165 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1166
1167 (*q)->sav = NULL;
1168 (*q)->sp = dst;
1169
1170 q = &((*q)->next);
1171 }
1172
1173 dst->req = newchain;
1174 dst->state = src->state;
1175 dst->policy = src->policy;
1176 /* do not touch the refcnt fields */
1177
1178 return dst;
1179
1180 fail:
1181 for (p = newchain; p; p = r) {
1182 r = p->next;
1183 kfree(p, M_SECA);
1184 p = NULL;
1185 }
1186 return NULL;
1187 }
1188
1189 /* set policy and ipsec request if present. */
1190 static int
1191 ipsec_set_policy(struct secpolicy **pcb_sp, int optname, caddr_t request,
1192 size_t len, int priv)
1193 {
1194 struct sadb_x_policy *xpl;
1195 struct secpolicy *newsp = NULL;
1196 int error;
1197
1198 /* sanity check. */
1199 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL)
1200 return EINVAL;
1201 if (len < sizeof(*xpl))
1202 return EINVAL;
1203 xpl = (struct sadb_x_policy *)request;
1204
1205 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1206 kprintf("ipsec_set_policy: passed policy\n");
1207 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1208
1209 /* check policy type */
1210 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1211 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1212 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1213 return EINVAL;
1214
1215 /* check privileged socket */
1216 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1217 return EACCES;
1218
1219 /* allocation new SP entry */
1220 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1221 return error;
1222
1223 newsp->state = IPSEC_SPSTATE_ALIVE;
1224
1225 /* clear old SP and set new SP */
1226 key_freesp(*pcb_sp);
1227 *pcb_sp = newsp;
1228 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1229 kprintf("ipsec_set_policy: new policy\n");
1230 kdebug_secpolicy(newsp));
1231
1232 return 0;
1233 }
1234
1235 static int
1236 ipsec_get_policy(struct secpolicy *pcb_sp, struct mbuf **mp)
1237 {
1238
1239 /* sanity check. */
1240 if (pcb_sp == NULL || mp == NULL)
1241 return EINVAL;
1242
1243 *mp = key_sp2msg(pcb_sp);
1244 if (!*mp) {
1245 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1246 return ENOBUFS;
1247 }
1248
1249 KKASSERT((*mp)->m_type == MT_DATA);
1250 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1251 kprintf("ipsec_get_policy:\n");
1252 kdebug_mbuf(*mp));
1253
1254 return 0;
1255 }
1256
1257 int
1258 ipsec4_set_policy(struct inpcb *inp, int optname, caddr_t request, size_t len,
1259 int priv)
1260 {
1261 struct sadb_x_policy *xpl;
1262 struct secpolicy **pcb_sp;
1263
1264 /* sanity check. */
1265 if (inp == NULL || request == NULL)
1266 return EINVAL;
1267 if (len < sizeof(*xpl))
1268 return EINVAL;
1269 xpl = (struct sadb_x_policy *)request;
1270
1271 /* select direction */
1272 switch (xpl->sadb_x_policy_dir) {
1273 case IPSEC_DIR_INBOUND:
1274 pcb_sp = &inp->inp_sp->sp_in;
1275 break;
1276 case IPSEC_DIR_OUTBOUND:
1277 pcb_sp = &inp->inp_sp->sp_out;
1278 break;
1279 default:
1280 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1281 xpl->sadb_x_policy_dir));
1282 return EINVAL;
1283 }
1284
1285 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1286 }
1287
1288 int
1289 ipsec4_get_policy(struct inpcb *inp, caddr_t request, size_t len,
1290 struct mbuf **mp)
1291 {
1292 struct sadb_x_policy *xpl;
1293 struct secpolicy *pcb_sp;
1294
1295 /* sanity check. */
1296 if (inp == NULL || request == NULL || mp == NULL)
1297 return EINVAL;
1298 if (inp->inp_sp == NULL)
1299 panic("policy in PCB is NULL");
1300 if (len < sizeof(*xpl))
1301 return EINVAL;
1302 xpl = (struct sadb_x_policy *)request;
1303
1304 /* select direction */
1305 switch (xpl->sadb_x_policy_dir) {
1306 case IPSEC_DIR_INBOUND:
1307 pcb_sp = inp->inp_sp->sp_in;
1308 break;
1309 case IPSEC_DIR_OUTBOUND:
1310 pcb_sp = inp->inp_sp->sp_out;
1311 break;
1312 default:
1313 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1314 xpl->sadb_x_policy_dir));
1315 return EINVAL;
1316 }
1317
1318 return ipsec_get_policy(pcb_sp, mp);
1319 }
1320
1321 /* delete policy in PCB */
1322 int
1323 ipsec4_delete_pcbpolicy(struct inpcb *inp)
1324 {
1325 /* sanity check. */
1326 if (inp == NULL)
1327 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1328
1329 if (inp->inp_sp == NULL)
1330 return 0;
1331
1332 if (inp->inp_sp->sp_in != NULL) {
1333 key_freesp(inp->inp_sp->sp_in);
1334 inp->inp_sp->sp_in = NULL;
1335 }
1336
1337 if (inp->inp_sp->sp_out != NULL) {
1338 key_freesp(inp->inp_sp->sp_out);
1339 inp->inp_sp->sp_out = NULL;
1340 }
1341
1342 ipsec_delpcbpolicy(inp->inp_sp);
1343 inp->inp_sp = NULL;
1344
1345 return 0;
1346 }
1347
1348 #ifdef INET6
1349 int
1350 ipsec6_set_policy(struct in6pcb *in6p, int optname, caddr_t request, size_t len,
1351 int priv)
1352 {
1353 struct sadb_x_policy *xpl;
1354 struct secpolicy **pcb_sp;
1355
1356 /* sanity check. */
1357 if (in6p == NULL || request == NULL)
1358 return EINVAL;
1359 if (len < sizeof(*xpl))
1360 return EINVAL;
1361 xpl = (struct sadb_x_policy *)request;
1362
1363 /* select direction */
1364 switch (xpl->sadb_x_policy_dir) {
1365 case IPSEC_DIR_INBOUND:
1366 pcb_sp = &in6p->in6p_sp->sp_in;
1367 break;
1368 case IPSEC_DIR_OUTBOUND:
1369 pcb_sp = &in6p->in6p_sp->sp_out;
1370 break;
1371 default:
1372 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1373 xpl->sadb_x_policy_dir));
1374 return EINVAL;
1375 }
1376
1377 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1378 }
1379
1380 int
1381 ipsec6_get_policy(struct in6pcb *in6p, caddr_t request, size_t len,
1382 struct mbuf **mp)
1383 {
1384 struct sadb_x_policy *xpl;
1385 struct secpolicy *pcb_sp;
1386
1387 /* sanity check. */
1388 if (in6p == NULL || request == NULL || mp == NULL)
1389 return EINVAL;
1390 if (in6p->in6p_sp == NULL)
1391 panic("policy in PCB is NULL");
1392 if (len < sizeof(*xpl))
1393 return EINVAL;
1394 xpl = (struct sadb_x_policy *)request;
1395
1396 /* select direction */
1397 switch (xpl->sadb_x_policy_dir) {
1398 case IPSEC_DIR_INBOUND:
1399 pcb_sp = in6p->in6p_sp->sp_in;
1400 break;
1401 case IPSEC_DIR_OUTBOUND:
1402 pcb_sp = in6p->in6p_sp->sp_out;
1403 break;
1404 default:
1405 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1406 xpl->sadb_x_policy_dir));
1407 return EINVAL;
1408 }
1409
1410 return ipsec_get_policy(pcb_sp, mp);
1411 }
1412
1413 int
1414 ipsec6_delete_pcbpolicy(struct in6pcb *in6p)
1415 {
1416 /* sanity check. */
1417 if (in6p == NULL)
1418 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1419
1420 if (in6p->in6p_sp == NULL)
1421 return 0;
1422
1423 if (in6p->in6p_sp->sp_in != NULL) {
1424 key_freesp(in6p->in6p_sp->sp_in);
1425 in6p->in6p_sp->sp_in = NULL;
1426 }
1427
1428 if (in6p->in6p_sp->sp_out != NULL) {
1429 key_freesp(in6p->in6p_sp->sp_out);
1430 in6p->in6p_sp->sp_out = NULL;
1431 }
1432
1433 ipsec_delpcbpolicy(in6p->in6p_sp);
1434 in6p->in6p_sp = NULL;
1435
1436 return 0;
1437 }
1438 #endif
1439
1440 /*
1441 * return current level.
1442 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1443 */
1444 u_int
1445 ipsec_get_reqlevel(struct ipsecrequest *isr)
1446 {
1447 u_int level = 0;
1448 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1449
1450 /* sanity check */
1451 if (isr == NULL || isr->sp == NULL)
1452 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1453 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1454 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family)
1455 panic("ipsec_get_reqlevel: family mismatched.");
1456
1457 /* XXX note that we have ipseclog() expanded here - code sync issue */
1458 #define IPSEC_CHECK_DEFAULT(lev) \
1459 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1460 && (lev) != IPSEC_LEVEL_UNIQUE) \
1461 ? (ipsec_debug \
1462 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1463 (lev), IPSEC_LEVEL_REQUIRE) \
1464 : 0), \
1465 (lev) = IPSEC_LEVEL_REQUIRE, \
1466 (lev) \
1467 : (lev))
1468
1469 /* set default level */
1470 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1471 #ifdef INET
1472 case AF_INET:
1473 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1474 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1475 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1476 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1477 break;
1478 #endif
1479 #ifdef INET6
1480 case AF_INET6:
1481 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1482 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1483 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1484 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1485 break;
1486 #endif /* INET6 */
1487 default:
1488 panic("key_get_reqlevel: Unknown family. %d",
1489 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1490 }
1491
1492 #undef IPSEC_CHECK_DEFAULT
1493
1494 /* set level */
1495 switch (isr->level) {
1496 case IPSEC_LEVEL_DEFAULT:
1497 switch (isr->saidx.proto) {
1498 case IPPROTO_ESP:
1499 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1500 level = esp_net_deflev;
1501 else
1502 level = esp_trans_deflev;
1503 break;
1504 case IPPROTO_AH:
1505 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1506 level = ah_net_deflev;
1507 else
1508 level = ah_trans_deflev;
1509 case IPPROTO_IPCOMP:
1510 /*
1511 * we don't really care, as IPcomp document says that
1512 * we shouldn't compress small packets
1513 */
1514 level = IPSEC_LEVEL_USE;
1515 break;
1516 default:
1517 panic("ipsec_get_reqlevel: "
1518 "Illegal protocol defined %u",
1519 isr->saidx.proto);
1520 }
1521 break;
1522
1523 case IPSEC_LEVEL_USE:
1524 case IPSEC_LEVEL_REQUIRE:
1525 level = isr->level;
1526 break;
1527 case IPSEC_LEVEL_UNIQUE:
1528 level = IPSEC_LEVEL_REQUIRE;
1529 break;
1530
1531 default:
1532 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1533 isr->level);
1534 }
1535
1536 return level;
1537 }
1538
1539 /*
1540 * Check AH/ESP integrity.
1541 * OUT:
1542 * 0: valid
1543 * 1: invalid
1544 */
1545 static int
1546 ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
1547 {
1548 struct ipsecrequest *isr;
1549 u_int level;
1550 int need_auth, need_conf, need_icv;
1551
1552 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1553 kprintf("ipsec_in_reject: using SP\n");
1554 kdebug_secpolicy(sp));
1555
1556 /* check policy */
1557 switch (sp->policy) {
1558 case IPSEC_POLICY_DISCARD:
1559 return 1;
1560 case IPSEC_POLICY_BYPASS:
1561 case IPSEC_POLICY_NONE:
1562 return 0;
1563
1564 case IPSEC_POLICY_IPSEC:
1565 break;
1566
1567 case IPSEC_POLICY_ENTRUST:
1568 default:
1569 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1570 }
1571
1572 need_auth = 0;
1573 need_conf = 0;
1574 need_icv = 0;
1575
1576 /* XXX should compare policy against ipsec header history */
1577
1578 for (isr = sp->req; isr != NULL; isr = isr->next) {
1579
1580 /* get current level */
1581 level = ipsec_get_reqlevel(isr);
1582
1583 switch (isr->saidx.proto) {
1584 case IPPROTO_ESP:
1585 if (level == IPSEC_LEVEL_REQUIRE) {
1586 need_conf++;
1587
1588 if (isr->sav != NULL
1589 && isr->sav->flags == SADB_X_EXT_NONE
1590 && isr->sav->alg_auth != SADB_AALG_NONE)
1591 need_icv++;
1592 }
1593 break;
1594 case IPPROTO_AH:
1595 if (level == IPSEC_LEVEL_REQUIRE) {
1596 need_auth++;
1597 need_icv++;
1598 }
1599 break;
1600 case IPPROTO_IPCOMP:
1601 /*
1602 * we don't really care, as IPcomp document says that
1603 * we shouldn't compress small packets, IPComp policy
1604 * should always be treated as being in "use" level.
1605 */
1606 break;
1607 }
1608 }
1609
1610 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1611 kprintf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1612 need_auth, need_conf, need_icv, m->m_flags));
1613
1614 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1615 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1616 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1617 return 1;
1618
1619 return 0;
1620 }
1621
1622 /*
1623 * Check AH/ESP integrity.
1624 * This function is called from tcp_input(), udp_input(),
1625 * and {ah,esp}4_input for tunnel mode
1626 */
1627 int
1628 ipsec4_in_reject_so(struct mbuf *m, struct socket *so)
1629 {
1630 struct secpolicy *sp = NULL;
1631 int error;
1632 int result;
1633
1634 /* sanity check */
1635 if (m == NULL)
1636 return 0; /* XXX should be panic ? */
1637
1638 /* get SP for this packet.
1639 * When we are called from ip_forward(), we call
1640 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1641 */
1642 if (so == NULL)
1643 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1644 else
1645 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1646
1647 if (sp == NULL)
1648 return 0; /* XXX should be panic ?
1649 * -> No, there may be error. */
1650
1651 result = ipsec_in_reject(sp, m);
1652 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1653 kprintf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1654 key_freesp(sp);
1655
1656 return result;
1657 }
1658
1659 int
1660 ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
1661 {
1662 if (inp == NULL)
1663 return ipsec4_in_reject_so(m, NULL);
1664 if (inp->inp_socket)
1665 return ipsec4_in_reject_so(m, inp->inp_socket);
1666 else
1667 panic("ipsec4_in_reject: invalid inpcb/socket");
1668 }
1669
1670 #ifdef INET6
1671 /*
1672 * Check AH/ESP integrity.
1673 * This function is called from tcp6_input(), udp6_input(),
1674 * and {ah,esp}6_input for tunnel mode
1675 */
1676 int
1677 ipsec6_in_reject_so(struct mbuf *m, struct socket *so)
1678 {
1679 struct secpolicy *sp = NULL;
1680 int error;
1681 int result;
1682
1683 /* sanity check */
1684 if (m == NULL)
1685 return 0; /* XXX should be panic ? */
1686
1687 /* get SP for this packet.
1688 * When we are called from ip_forward(), we call
1689 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1690 */
1691 if (so == NULL)
1692 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1693 else
1694 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1695
1696 if (sp == NULL)
1697 return 0; /* XXX should be panic ? */
1698
1699 result = ipsec_in_reject(sp, m);
1700 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1701 kprintf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
1702 key_freesp(sp);
1703
1704 return result;
1705 }
1706
1707 int
1708 ipsec6_in_reject(struct mbuf *m, struct in6pcb *in6p)
1709 {
1710 if (in6p == NULL)
1711 return ipsec6_in_reject_so(m, NULL);
1712 if (in6p->in6p_socket)
1713 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1714 else
1715 panic("ipsec6_in_reject: invalid in6p/socket");
1716 }
1717 #endif
1718
1719 /*
1720 * compute the byte size to be occupied by IPsec header.
1721 * in case it is tunneled, it includes the size of outer IP header.
1722 * NOTE: SP passed is free in this function.
1723 */
1724 static size_t
1725 ipsec_hdrsiz(struct secpolicy *sp)
1726 {
1727 struct ipsecrequest *isr;
1728 size_t siz, clen;
1729
1730 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1731 kprintf("ipsec_hdrsiz: using SP\n");
1732 kdebug_secpolicy(sp));
1733
1734 /* check policy */
1735 switch (sp->policy) {
1736 case IPSEC_POLICY_DISCARD:
1737 case IPSEC_POLICY_BYPASS:
1738 case IPSEC_POLICY_NONE:
1739 return 0;
1740
1741 case IPSEC_POLICY_IPSEC:
1742 break;
1743
1744 case IPSEC_POLICY_ENTRUST:
1745 default:
1746 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1747 }
1748
1749 siz = 0;
1750
1751 for (isr = sp->req; isr != NULL; isr = isr->next) {
1752
1753 clen = 0;
1754
1755 switch (isr->saidx.proto) {
1756 case IPPROTO_ESP:
1757 #ifdef IPSEC_ESP
1758 clen = esp_hdrsiz(isr);
1759 #else
1760 clen = 0; /* XXX */
1761 #endif
1762 break;
1763 case IPPROTO_AH:
1764 clen = ah_hdrsiz(isr);
1765 break;
1766 case IPPROTO_IPCOMP:
1767 clen = sizeof(struct ipcomp);
1768 break;
1769 }
1770
1771 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1772 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1773 case AF_INET:
1774 clen += sizeof(struct ip);
1775 break;
1776 #ifdef INET6
1777 case AF_INET6:
1778 clen += sizeof(struct ip6_hdr);
1779 break;
1780 #endif
1781 default:
1782 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1783 "unknown AF %d in IPsec tunnel SA\n",
1784 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1785 break;
1786 }
1787 }
1788 siz += clen;
1789 }
1790
1791 return siz;
1792 }
1793
1794 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1795 size_t
1796 ipsec4_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
1797 {
1798 struct secpolicy *sp = NULL;
1799 int error;
1800 size_t size;
1801
1802 /* sanity check */
1803 if (m == NULL)
1804 return 0; /* XXX should be panic ? */
1805 if (inp != NULL && inp->inp_socket == NULL)
1806 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1807
1808 /* get SP for this packet.
1809 * When we are called from ip_forward(), we call
1810 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1811 */
1812 if (inp == NULL)
1813 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1814 else
1815 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
1816
1817 if (sp == NULL)
1818 return 0; /* XXX should be panic ? */
1819
1820 size = ipsec_hdrsiz(sp);
1821 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1822 kprintf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
1823 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1824 kprintf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
1825 key_freesp(sp);
1826
1827 return size;
1828 }
1829
1830 #ifdef INET6
1831 /* This function is called from ipsec6_hdrsize_tcp(),
1832 * and maybe from ip6_forward.()
1833 */
1834 size_t
1835 ipsec6_hdrsiz(struct mbuf *m, u_int dir, struct in6pcb *in6p)
1836 {
1837 struct secpolicy *sp = NULL;
1838 int error;
1839 size_t size;
1840
1841 /* sanity check */
1842 if (m == NULL)
1843 return 0; /* XXX shoud be panic ? */
1844 if (in6p != NULL && in6p->in6p_socket == NULL)
1845 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
1846
1847 /* get SP for this packet */
1848 /* XXX Is it right to call with IP_FORWARDING. */
1849 if (in6p == NULL)
1850 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1851 else
1852 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
1853
1854 if (sp == NULL)
1855 return 0;
1856 size = ipsec_hdrsiz(sp);
1857 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1858 kprintf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
1859 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1860 kprintf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
1861 key_freesp(sp);
1862
1863 return size;
1864 }
1865 #endif /* INET6 */
1866
1867 #ifdef INET
1868 /*
1869 * encapsulate for ipsec tunnel.
1870 * ip->ip_src must be fixed later on.
1871 */
1872 static int
1873 ipsec4_encapsulate(struct mbuf *m, struct secasvar *sav)
1874 {
1875 struct ip *oip;
1876 struct ip *ip;
1877 size_t hlen;
1878 size_t plen;
1879
1880 /* can't tunnel between different AFs */
1881 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
1882 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
1883 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
1884 m_freem(m);
1885 return EINVAL;
1886 }
1887 #if 0
1888 /* XXX if the dst is myself, perform nothing. */
1889 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
1890 m_freem(m);
1891 return EINVAL;
1892 }
1893 #endif
1894
1895 if (m->m_len < sizeof(*ip))
1896 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1897
1898 ip = mtod(m, struct ip *);
1899 #ifdef _IP_VHL
1900 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
1901 #else
1902 hlen = ip->ip_hl << 2;
1903 #endif
1904
1905 if (m->m_len != hlen)
1906 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1907
1908 /* generate header checksum */
1909 ip->ip_sum = 0;
1910 #ifdef _IP_VHL
1911 if (ip->ip_vhl == IP_VHL_BORING)
1912 ip->ip_sum = in_cksum_hdr(ip);
1913 else
1914 ip->ip_sum = in_cksum(m, hlen);
1915 #else
1916 ip->ip_sum = in_cksum(m, hlen);
1917 #endif
1918
1919 plen = m->m_pkthdr.len;
1920
1921 /*
1922 * grow the mbuf to accomodate the new IPv4 header.
1923 * NOTE: IPv4 options will never be copied.
1924 */
1925 if (M_LEADINGSPACE(m->m_next) < hlen) {
1926 struct mbuf *n;
1927 MGET(n, MB_DONTWAIT, MT_DATA);
1928 if (!n) {
1929 m_freem(m);
1930 return ENOBUFS;
1931 }
1932 n->m_len = hlen;
1933 n->m_next = m->m_next;
1934 m->m_next = n;
1935 m->m_pkthdr.len += hlen;
1936 oip = mtod(n, struct ip *);
1937 } else {
1938 m->m_next->m_len += hlen;
1939 m->m_next->m_data -= hlen;
1940 m->m_pkthdr.len += hlen;
1941 oip = mtod(m->m_next, struct ip *);
1942 }
1943 ip = mtod(m, struct ip *);
1944 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
1945 m->m_len = sizeof(struct ip);
1946 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
1947
1948 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
1949 /* ECN consideration. */
1950 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
1951 #ifdef _IP_VHL
1952 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
1953 #else
1954 ip->ip_hl = sizeof(struct ip) >> 2;
1955 #endif
1956 ip->ip_off &= htons(~IP_OFFMASK);
1957 ip->ip_off &= htons(~IP_MF);
1958 switch (ip4_ipsec_dfbit) {
1959 case 0: /* clear DF bit */
1960 ip->ip_off &= htons(~IP_DF);
1961 break;
1962 case 1: /* set DF bit */
1963 ip->ip_off |= htons(IP_DF);
1964 break;
1965 default: /* copy DF bit */
1966 break;
1967 }
1968 ip->ip_p = IPPROTO_IPIP;
1969 if (plen + sizeof(struct ip) < IP_MAXPACKET)
1970 ip->ip_len = htons(plen + sizeof(struct ip));
1971 else {
1972 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
1973 "leave ip_len as is (invalid packet)\n"));
1974 }
1975 #ifdef RANDOM_IP_ID
1976 ip->ip_id = ip_randomid();
1977 #else
1978 ip->ip_id = htons(ip_id++);
1979 #endif
1980 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
1981 &ip->ip_src, sizeof(ip->ip_src));
1982 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
1983 &ip->ip_dst, sizeof(ip->ip_dst));
1984 ip->ip_ttl = IPDEFTTL;
1985
1986 /* XXX Should ip_src be updated later ? */
1987
1988 return 0;
1989 }
1990 #endif /* INET */
1991
1992 #ifdef INET6
1993 static int
1994 ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
1995 {
1996 struct ip6_hdr *oip6;
1997 struct ip6_hdr *ip6;
1998 size_t plen;
1999
2000 /* can't tunnel between different AFs */
2001 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2002 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2003 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2004 m_freem(m);
2005 return EINVAL;
2006 }
2007 #if 0
2008 /* XXX if the dst is myself, perform nothing. */
2009 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2010 m_freem(m);
2011 return EINVAL;
2012 }
2013 #endif
2014
2015 plen = m->m_pkthdr.len;
2016
2017 /*
2018 * grow the mbuf to accomodate the new IPv6 header.
2019 */
2020 if (m->m_len != sizeof(struct ip6_hdr))
2021 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2022 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2023 struct mbuf *n;
2024 MGET(n, MB_DONTWAIT, MT_DATA);
2025 if (!n) {
2026 m_freem(m);
2027 return ENOBUFS;
2028 }
2029 n->m_len = sizeof(struct ip6_hdr);
2030 n->m_next = m->m_next;
2031 m->m_next = n;
2032 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2033 oip6 = mtod(n, struct ip6_hdr *);
2034 } else {
2035 m->m_next->m_len += sizeof(struct ip6_hdr);
2036 m->m_next->m_data -= sizeof(struct ip6_hdr);
2037 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2038 oip6 = mtod(m->m_next, struct ip6_hdr *);
2039 }
2040 ip6 = mtod(m, struct ip6_hdr *);
2041 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2042
2043 /* Fake link-local scope-class addresses */
2044 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
2045 oip6->ip6_src.s6_addr16[1] = 0;
2046 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
2047 oip6->ip6_dst.s6_addr16[1] = 0;
2048
2049 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2050 /* ECN consideration. */
2051 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2052 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2053 ip6->ip6_plen = htons(plen);
2054 else {
2055 /* ip6->ip6_plen will be updated in ip6_output() */
2056 }
2057 ip6->ip6_nxt = IPPROTO_IPV6;
2058 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2059 &ip6->ip6_src, sizeof(ip6->ip6_src));
2060 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2061 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2062 ip6->ip6_hlim = IPV6_DEFHLIM;
2063
2064 /* XXX Should ip6_src be updated later ? */
2065
2066 return 0;
2067 }
2068 #endif /* INET6 */
2069
2070 /*
2071 * Check the variable replay window.
2072 * ipsec_chkreplay() performs replay check before ICV verification.
2073 * ipsec_updatereplay() updates replay bitmap. This must be called after
2074 * ICV verification (it also performs replay check, which is usually done
2075 * beforehand).
2076 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2077 *
2078 * based on RFC 2401.
2079 */
2080 int
2081 ipsec_chkreplay(u_int32_t seq, struct secasvar *sav)
2082 {
2083 const struct secreplay *replay;
2084 u_int32_t diff;
2085 int fr;
2086 u_int32_t wsizeb; /* constant: bits of window size */
2087 int frlast; /* constant: last frame */
2088
2089 /* sanity check */
2090 if (sav == NULL)
2091 panic("ipsec_chkreplay: NULL pointer was passed.");
2092
2093 replay = sav->replay;
2094
2095 if (replay->wsize == 0)
2096 return 1; /* no need to check replay. */
2097
2098 /* constant */
2099 frlast = replay->wsize - 1;
2100 wsizeb = replay->wsize << 3;
2101
2102 /* sequence number of 0 is invalid */
2103 if (seq == 0)
2104 return 0;
2105
2106 /* first time is always okay */
2107 if (replay->count == 0)
2108 return 1;
2109
2110 if (seq > replay->lastseq) {
2111 /* larger sequences are okay */
2112 return 1;
2113 } else {
2114 /* seq is equal or less than lastseq. */
2115 diff = replay->lastseq - seq;
2116
2117 /* over range to check, i.e. too old or wrapped */
2118 if (diff >= wsizeb)
2119 return 0;
2120
2121 fr = frlast - diff / 8;
2122
2123 /* this packet already seen ? */
2124 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2125 return 0;
2126
2127 /* out of order but good */
2128 return 1;
2129 }
2130 }
2131
2132 /*
2133 * check replay counter whether to update or not.
2134 * OUT: 0: OK
2135 * 1: NG
2136 */
2137 int
2138 ipsec_updatereplay(u_int32_t seq, struct secasvar *sav)
2139 {
2140 struct secreplay *replay;
2141 u_int32_t diff;
2142 int fr;
2143 u_int32_t wsizeb; /* constant: bits of window size */
2144 int frlast; /* constant: last frame */
2145
2146 /* sanity check */
2147 if (sav == NULL)
2148 panic("ipsec_chkreplay: NULL pointer was passed.");
2149
2150 replay = sav->replay;
2151
2152 if (replay->wsize == 0)
2153 goto ok; /* no need to check replay. */
2154
2155 /* constant */
2156 frlast = replay->wsize - 1;
2157 wsizeb = replay->wsize << 3;
2158
2159 /* sequence number of 0 is invalid */
2160 if (seq == 0)
2161 return 1;
2162
2163 /* first time */
2164 if (replay->count == 0) {
2165 replay->lastseq = seq;
2166 bzero(replay->bitmap, replay->wsize);
2167 (replay->bitmap)[frlast] = 1;
2168 goto ok;
2169 }
2170
2171 if (seq > replay->lastseq) {
2172 /* seq is larger than lastseq. */
2173 diff = seq - replay->lastseq;
2174
2175 /* new larger sequence number */
2176 if (diff < wsizeb) {
2177 /* In window */
2178 /* set bit for this packet */
2179 vshiftl(replay->bitmap, diff, replay->wsize);
2180 (replay->bitmap)[frlast] |= 1;
2181 } else {
2182 /* this packet has a "way larger" */
2183 bzero(replay->bitmap, replay->wsize);
2184 (replay->bitmap)[frlast] = 1;
2185 }
2186 replay->lastseq = seq;
2187
2188 /* larger is good */
2189 } else {
2190 /* seq is equal or less than lastseq. */
2191 diff = replay->lastseq - seq;
2192
2193 /* over range to check, i.e. too old or wrapped */
2194 if (diff >= wsizeb)
2195 return 1;
2196
2197 fr = frlast - diff / 8;
2198
2199 /* this packet already seen ? */
2200 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2201 return 1;
2202
2203 /* mark as seen */
2204 (replay->bitmap)[fr] |= (1 << (diff % 8));
2205
2206 /* out of order but good */
2207 }
2208
2209 ok:
2210 if (replay->count == ~0) {
2211
2212 /* set overflow flag */
2213 replay->overflow++;
2214
2215 /* don't increment, no more packets accepted */
2216 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2217 return 1;
2218
2219 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2220 replay->overflow, ipsec_logsastr(sav)));
2221 }
2222
2223 replay->count++;
2224
2225 return 0;
2226 }
2227
2228 /*
2229 * shift variable length buffer to left.
2230 * IN: bitmap: pointer to the buffer
2231 * nbit: the number of to shift.
2232 * wsize: buffer size (bytes).
2233 */
2234 static void
2235 vshiftl(unsigned char *bitmap, int nbit, int wsize)
2236 {
2237 int s, j, i;
2238 unsigned char over;
2239
2240 for (j = 0; j < nbit; j += 8) {
2241 s = (nbit - j < 8) ? (nbit - j): 8;
2242 bitmap[0] <<= s;
2243 for (i = 1; i < wsize; i++) {
2244 over = (bitmap[i] >> (8 - s));
2245 bitmap[i] <<= s;
2246 bitmap[i-1] |= over;
2247 }
2248 }
2249
2250 return;
2251 }
2252
2253 const char *
2254 ipsec4_logpacketstr(struct ip *ip, u_int32_t spi)
2255 {
2256 static char buf[256];
2257 char *p;
2258 u_int8_t *s, *d;
2259
2260 s = (u_int8_t *)(&ip->ip_src);
2261 d = (u_int8_t *)(&ip->ip_dst);
2262
2263 p = buf;
2264 ksnprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2265 while (p && *p)
2266 p++;
2267 ksnprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2268 s[0], s[1], s[2], s[3]);
2269 while (p && *p)
2270 p++;
2271 ksnprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2272 d[0], d[1], d[2], d[3]);
2273 while (p && *p)
2274 p++;
2275 ksnprintf(p, sizeof(buf) - (p - buf), ")");
2276
2277 return buf;
2278 }
2279
2280 #ifdef INET6
2281 const char *
2282 ipsec6_logpacketstr(struct ip6_hdr *ip6, u_int32_t spi)
2283 {
2284 static char buf[256];
2285 char *p;
2286
2287 p = buf;
2288 ksnprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2289 while (p && *p)
2290 p++;
2291 ksnprintf(p, sizeof(buf) - (p - buf), "src=%s",
2292 ip6_sprintf(&ip6->ip6_src));
2293 while (p && *p)
2294 p++;
2295 ksnprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2296 ip6_sprintf(&ip6->ip6_dst));
2297 while (p && *p)
2298 p++;
2299 ksnprintf(p, sizeof(buf) - (p - buf), ")");
2300
2301 return buf;
2302 }
2303 #endif /* INET6 */
2304
2305 const char *
2306 ipsec_logsastr(struct secasvar *sav)
2307 {
2308 static char buf[256];
2309 char *p;
2310 struct secasindex *saidx = &sav->sah->saidx;
2311
2312 /* validity check */
2313 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2314 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2315 panic("ipsec_logsastr: family mismatched.");
2316
2317 p = buf;
2318 ksnprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2319 while (p && *p)
2320 p++;
2321 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2322 u_int8_t *s, *d;
2323 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2324 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2325 ksnprintf(p, sizeof(buf) - (p - buf),
2326 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2327 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2328 }
2329 #ifdef INET6
2330 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2331 ksnprintf(p, sizeof(buf) - (p - buf),
2332 "src=%s",
2333 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2334 while (p && *p)
2335 p++;
2336 ksnprintf(p, sizeof(buf) - (p - buf),
2337 " dst=%s",
2338 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2339 }
2340 #endif
2341 while (p && *p)
2342 p++;
2343 ksnprintf(p, sizeof(buf) - (p - buf), ")");
2344
2345 return buf;
2346 }
2347
2348 void
2349 ipsec_dumpmbuf(struct mbuf *m)
2350 {
2351 int totlen;
2352 int i;
2353 u_char *p;
2354
2355 totlen = 0;
2356 kprintf("---\n");
2357 while (m) {
2358 p = mtod(m, u_char *);
2359 for (i = 0; i < m->m_len; i++) {
2360 kprintf("%02x ", p[i]);
2361 totlen++;
2362 if (totlen % 16 == 0)
2363 kprintf("\n");
2364 }
2365 m = m->m_next;
2366 }
2367 if (totlen % 16 != 0)
2368 kprintf("\n");
2369 kprintf("---\n");
2370 }
2371
2372 #ifdef INET
2373 /*
2374 * IPsec output logic for IPv4.
2375 */
2376 int
2377 ipsec4_output(struct ipsec_output_state *state, struct secpolicy *sp, int flags)
2378 {
2379 struct ip *ip = NULL;
2380 struct ipsecrequest *isr = NULL;
2381 struct secasindex saidx;
2382 int error;
2383 struct sockaddr_in *dst4;
2384 struct sockaddr_in *sin;
2385
2386 if (!state)
2387 panic("state == NULL in ipsec4_output");
2388 if (!state->m)
2389 panic("state->m == NULL in ipsec4_output");
2390 if (!state->ro)
2391 panic("state->ro == NULL in ipsec4_output");
2392 if (!state->dst)
2393 panic("state->dst == NULL in ipsec4_output");
2394
2395 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2396 kprintf("ipsec4_output: applyed SP\n");
2397 kdebug_secpolicy(sp));
2398
2399 for (isr = sp->req; isr != NULL; isr = isr->next) {
2400
2401 #if 0 /* give up to check restriction of transport mode */
2402 /* XXX but should be checked somewhere */
2403 /*
2404 * some of the IPsec operation must be performed only in
2405 * originating case.
2406 */
2407 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2408 && (flags & IP_FORWARDING))
2409 continue;
2410 #endif
2411
2412 /* make SA index for search proper SA */
2413 ip = mtod(state->m, struct ip *);
2414 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2415 saidx.mode = isr->saidx.mode;
2416 saidx.reqid = isr->saidx.reqid;
2417 sin = (struct sockaddr_in *)&saidx.src;
2418 if (sin->sin_len == 0) {
2419 sin->sin_len = sizeof(*sin);
2420 sin->sin_family = AF_INET;
2421 sin->sin_port = IPSEC_PORT_ANY;
2422 bcopy(&ip->ip_src, &sin->sin_addr,
2423 sizeof(sin->sin_addr));
2424 }
2425 sin = (struct sockaddr_in *)&saidx.dst;
2426 if (sin->sin_len == 0) {
2427 sin->sin_len = sizeof(*sin);
2428 sin->sin_family = AF_INET;
2429 sin->sin_port = IPSEC_PORT_ANY;
2430 bcopy(&ip->ip_dst, &sin->sin_addr,
2431 sizeof(sin->sin_addr));
2432 }
2433
2434 if ((error = key_checkrequest(isr, &saidx)) != 0) {
2435 /*
2436 * IPsec processing is required, but no SA found.
2437 * I assume that key_acquire() had been called
2438 * to get/establish the SA. Here I discard
2439 * this packet because it is responsibility for
2440 * upper layer to retransmit the packet.
2441 */
2442 ipsecstat.out_nosa++;
2443 goto bad;
2444 }
2445
2446 /* validity check */
2447 if (isr->sav == NULL) {
2448 switch (ipsec_get_reqlevel(isr)) {
2449 case IPSEC_LEVEL_USE:
2450 continue;
2451 case IPSEC_LEVEL_REQUIRE:
2452 /* must be not reached here. */
2453 panic("ipsec4_output: no SA found, but required.");
2454 }
2455 }
2456
2457 /*
2458 * If there is no valid SA, we give up to process any
2459 * more. In such a case, the SA's status is changed
2460 * from DYING to DEAD after allocating. If a packet
2461 * send to the receiver by dead SA, the receiver can
2462 * not decode a packet because SA has been dead.
2463 */
2464 if (isr->sav->state != SADB_SASTATE_MATURE
2465 && isr->sav->state != SADB_SASTATE_DYING) {
2466 ipsecstat.out_nosa++;
2467 error = EINVAL;
2468 goto bad;
2469 }
2470
2471 /*
2472 * There may be the case that SA status will be changed when
2473 * we are refering to one. So calling crit_enter().
2474 */
2475 crit_enter();
2476
2477 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2478 /*
2479 * build IPsec tunnel.
2480 */
2481 /* XXX should be processed with other familiy */
2482 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2483 ipseclog((LOG_ERR, "ipsec4_output: "
2484 "family mismatched between inner and outer spi=%u\n",
2485 (u_int32_t)ntohl(isr->sav->spi)));
2486 crit_exit();
2487 error = EAFNOSUPPORT;
2488 goto bad;
2489 }
2490
2491 state->m = ipsec4_splithdr(state->m);
2492 if (!state->m) {
2493 crit_exit();
2494 error = ENOMEM;
2495 goto bad;
2496 }
2497 error = ipsec4_encapsulate(state->m, isr->sav);
2498 crit_exit();
2499 if (error) {
2500 state->m = NULL;
2501 goto bad;
2502 }
2503 ip = mtod(state->m, struct ip *);
2504
2505 state->ro = &isr->sav->sah->sa_route;
2506 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2507 dst4 = (struct sockaddr_in *)state->dst;
2508 if (state->ro->ro_rt
2509 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2510 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2511 RTFREE(state->ro->ro_rt);
2512 state->ro->ro_rt = NULL;
2513 }
2514 if (state->ro->ro_rt == 0) {
2515 dst4->sin_family = AF_INET;
2516 dst4->sin_len = sizeof(*dst4);
2517 dst4->sin_addr = ip->ip_dst;
2518 rtalloc(state->ro);
2519 }
2520 if (state->ro->ro_rt == 0) {
2521 ipstat.ips_noroute++;
2522 error = EHOSTUNREACH;
2523 goto bad;
2524 }
2525
2526 /* adjust state->dst if tunnel endpoint is offlink */
2527 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2528 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2529 dst4 = (struct sockaddr_in *)state->dst;
2530 }
2531 } else
2532 crit_exit();
2533
2534 state->m = ipsec4_splithdr(state->m);
2535 if (!state->m) {
2536 error = ENOMEM;
2537 goto bad;
2538 }
2539 switch (isr->saidx.proto) {
2540 case IPPROTO_ESP:
2541 #ifdef IPSEC_ESP
2542 if ((error = esp4_output(state->m, isr)) != 0) {
2543 state->m = NULL;
2544 goto bad;
2545 }
2546 break;
2547 #else
2548 m_freem(state->m);
2549 state->m = NULL;
2550 error = EINVAL;
2551 goto bad;
2552 #endif
2553 case IPPROTO_AH:
2554 if ((error = ah4_output(state->m, isr)) != 0) {
2555 state->m = NULL;
2556 goto bad;
2557 }
2558 break;
2559 case IPPROTO_IPCOMP:
2560 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2561 state->m = NULL;
2562 goto bad;
2563 }
2564 break;
2565 default:
2566 ipseclog((LOG_ERR,
2567 "ipsec4_output: unknown ipsec protocol %d\n",
2568 isr->saidx.proto));
2569 m_freem(state->m);
2570 state->m = NULL;
2571 error = EINVAL;
2572 goto bad;
2573 }
2574
2575 if (state->m == 0) {
2576 error = ENOMEM;
2577 goto bad;
2578 }
2579 ip = mtod(state->m, struct ip *);
2580 }
2581
2582 return 0;
2583
2584 bad:
2585 m_freem(state->m);
2586 state->m = NULL;
2587 return error;
2588 }
2589 #endif
2590
2591 #ifdef INET6
2592 /*
2593 * IPsec output logic for IPv6, transport mode.
2594 */
2595 int
2596 ipsec6_output_trans(struct ipsec_output_state *state, u_char *nexthdrp,
2597 struct mbuf *mprev, struct secpolicy *sp, int flags,
2598 int *tun)
2599 {
2600 struct ip6_hdr *ip6;
2601 struct ipsecrequest *isr = NULL;
2602 struct secasindex saidx;
2603 int error = 0;
2604 int plen;
2605 struct sockaddr_in6 *sin6;
2606
2607 if (!state)
2608 panic("state == NULL in ipsec6_output_trans");
2609 if (!state->m)
2610 panic("state->m == NULL in ipsec6_output_trans");
2611 if (!nexthdrp)
2612 panic("nexthdrp == NULL in ipsec6_output_trans");
2613 if (!mprev)
2614 panic("mprev == NULL in ipsec6_output_trans");
2615 if (!sp)
2616 panic("sp == NULL in ipsec6_output_trans");
2617 if (!tun)
2618 panic("tun == NULL in ipsec6_output_trans");
2619
2620 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2621 kprintf("ipsec6_output_trans: applyed SP\n");
2622 kdebug_secpolicy(sp));
2623
2624 *tun = 0;
2625 for (isr = sp->req; isr; isr = isr->next) {
2626 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2627 /* the rest will be handled by ipsec6_output_tunnel() */
2628 break;
2629 }
2630
2631 /* make SA index for search proper SA */
2632 ip6 = mtod(state->m, struct ip6_hdr *);
2633 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2634 saidx.mode = isr->saidx.mode;
2635 saidx.reqid = isr->saidx.reqid;
2636 sin6 = (struct sockaddr_in6 *)&saidx.src;
2637 if (sin6->sin6_len == 0) {
2638 sin6->sin6_len = sizeof(*sin6);
2639 sin6->sin6_family = AF_INET6;
2640 sin6->sin6_port = IPSEC_PORT_ANY;
2641 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2642 sizeof(ip6->ip6_src));
2643 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2644 /* fix scope id for comparing SPD */
2645 sin6->sin6_addr.s6_addr16[1] = 0;
2646 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2647 }
2648 }
2649 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2650 if (sin6->sin6_len == 0) {
2651 sin6->sin6_len = sizeof(*sin6);
2652 sin6->sin6_family = AF_INET6;
2653 sin6->sin6_port = IPSEC_PORT_ANY;
2654 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2655 sizeof(ip6->ip6_dst));
2656 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2657 /* fix scope id for comparing SPD */
2658 sin6->sin6_addr.s6_addr16[1] = 0;
2659 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2660 }
2661 }
2662
2663 if (key_checkrequest(isr, &saidx) == ENOENT) {
2664 /*
2665 * IPsec processing is required, but no SA found.
2666 * I assume that key_acquire() had been called
2667 * to get/establish the SA. Here I discard
2668 * this packet because it is responsibility for
2669 * upper layer to retransmit the packet.
2670 */
2671 ipsec6stat.out_nosa++;
2672 error = ENOENT;
2673
2674 /*
2675 * Notify the fact that the packet is discarded
2676 * to ourselves. I believe this is better than
2677 * just silently discarding. (jinmei@kame.net)
2678 * XXX: should we restrict the error to TCP packets?
2679 * XXX: should we directly notify sockets via
2680 * pfctlinputs?
2681 */
2682 icmp6_error(state->m, ICMP6_DST_UNREACH,
2683 ICMP6_DST_UNREACH_ADMIN, 0);
2684 state->m = NULL; /* icmp6_error freed the mbuf */
2685 goto bad;
2686 }
2687
2688 /* validity check */
2689 if (isr->sav == NULL) {
2690 switch (ipsec_get_reqlevel(isr)) {
2691 case IPSEC_LEVEL_USE:
2692 continue;
2693 case IPSEC_LEVEL_REQUIRE:
2694 /* must be not reached here. */
2695 panic("ipsec6_output_trans: no SA found, but required.");
2696 }
2697 }
2698
2699 /*
2700 * If there is no valid SA, we give up to process.
2701 * see same place at ipsec4_output().
2702 */
2703 if (isr->sav->state != SADB_SASTATE_MATURE
2704 && isr->sav->state != SADB_SASTATE_DYING) {
2705 ipsec6stat.out_nosa++;
2706 error = EINVAL;
2707 goto bad;
2708 }
2709
2710 switch (isr->saidx.proto) {
2711 case IPPROTO_ESP:
2712 #ifdef IPSEC_ESP
2713 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2714 #else
2715 m_freem(state->m);
2716 error = EINVAL;
2717 #endif
2718 break;
2719 case IPPROTO_AH:
2720 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2721 break;
2722 case IPPROTO_IPCOMP:
2723 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2724 break;
2725 default:
2726 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2727 "unknown ipsec protocol %d\n", isr->saidx.proto));
2728 m_freem(state->m);
2729 ipsec6stat.out_inval++;
2730 error = EINVAL;
2731 break;
2732 }
2733 if (error) {
2734 state->m = NULL;
2735 goto bad;
2736 }
2737 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2738 if (plen > IPV6_MAXPACKET) {
2739 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2740 "IPsec with IPv6 jumbogram is not supported\n"));
2741 ipsec6stat.out_inval++;
2742 error = EINVAL; /* XXX */
2743 goto bad;
2744 }
2745 ip6 = mtod(state->m, struct ip6_hdr *);
2746 ip6->ip6_plen = htons(plen);
2747 }
2748
2749 /* if we have more to go, we need a tunnel mode processing */
2750 if (isr != NULL)
2751 *tun = 1;
2752
2753 return 0;
2754
2755 bad:
2756 m_freem(state->m);
2757 state->m = NULL;
2758 return error;
2759 }
2760
2761 /*
2762 * IPsec output logic for IPv6, tunnel mode.
2763 */
2764 int
2765 ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp,
2766 int flags)
2767 {
2768 struct ip6_hdr *ip6;
2769 struct ipsecrequest *isr = NULL;
2770 struct secasindex saidx;
2771 int error = 0;
2772 int plen;
2773 struct sockaddr_in6* dst6;
2774
2775 if (!state)
2776 panic("state == NULL in ipsec6_output_tunnel");
2777 if (!state->m)
2778 panic("state->m == NULL in ipsec6_output_tunnel");
2779 if (!sp)
2780 panic("sp == NULL in ipsec6_output_tunnel");
2781
2782 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2783 kprintf("ipsec6_output_tunnel: applyed SP\n");
2784 kdebug_secpolicy(sp));
2785
2786 /*
2787 * transport mode ipsec (before the 1st tunnel mode) is already
2788 * processed by ipsec6_output_trans().
2789 */
2790 for (isr = sp->req; isr; isr = isr->next) {
2791 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
2792 break;
2793 }
2794
2795 for (/* already initialized */; isr; isr = isr->next) {
2796 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2797 /* When tunnel mode, SA peers must be specified. */
2798 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2799 } else {
2800 /* make SA index to look for a proper SA */
2801 struct sockaddr_in6 *sin6;
2802
2803 bzero(&saidx, sizeof(saidx));
2804 saidx.proto = isr->saidx.proto;
2805 saidx.mode = isr->saidx.mode;
2806 saidx.reqid = isr->saidx.reqid;
2807
2808 ip6 = mtod(state->m, struct ip6_hdr *);
2809 sin6 = (struct sockaddr_in6 *)&saidx.src;
2810 if (sin6->sin6_len == 0) {
2811 sin6->sin6_len = sizeof(*sin6);
2812 sin6->sin6_family = AF_INET6;
2813 sin6->sin6_port = IPSEC_PORT_ANY;
2814 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2815 sizeof(ip6->ip6_src));
2816 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2817 /* fix scope id for comparing SPD */
2818 sin6->sin6_addr.s6_addr16[1] = 0;
2819 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2820 }
2821 }
2822 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2823 if (sin6->sin6_len == 0) {
2824 sin6->sin6_len = sizeof(*sin6);
2825 sin6->sin6_family = AF_INET6;
2826 sin6->sin6_port = IPSEC_PORT_ANY;
2827 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2828 sizeof(ip6->ip6_dst));
2829 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2830 /* fix scope id for comparing SPD */
2831 sin6->sin6_addr.s6_addr16[1] = 0;
2832 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2833 }
2834 }
2835 }
2836
2837 if (key_checkrequest(isr, &saidx) == ENOENT) {
2838 /*
2839 * IPsec processing is required, but no SA found.
2840 * I assume that key_acquire() had been called
2841 * to get/establish the SA. Here I discard
2842 * this packet because it is responsibility for
2843 * upper layer to retransmit the packet.
2844 */
2845 ipsec6stat.out_nosa++;
2846 error = ENOENT;
2847 goto bad;
2848 }
2849
2850 /* validity check */
2851 if (isr->sav == NULL) {
2852 switch (ipsec_get_reqlevel(isr)) {
2853 case IPSEC_LEVEL_USE:
2854 continue;
2855 case IPSEC_LEVEL_REQUIRE:
2856 /* must be not reached here. */
2857 panic("ipsec6_output_tunnel: no SA found, but required.");
2858 }
2859 }
2860
2861 /*
2862 * If there is no valid SA, we give up to process.
2863 * see same place at ipsec4_output().
2864 */
2865 if (isr->sav->state != SADB_SASTATE_MATURE
2866 && isr->sav->state != SADB_SASTATE_DYING) {
2867 ipsec6stat.out_nosa++;
2868 error = EINVAL;
2869 goto bad;
2870 }
2871
2872 /*
2873 * There may be the case that SA status will be changed when
2874 * we are refering to one. So calling crit_enter().
2875 */
2876 crit_enter();
2877
2878 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2879 /*
2880 * build IPsec tunnel.
2881 */
2882 /* XXX should be processed with other familiy */
2883 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
2884 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2885 "family mismatched between inner and outer, spi=%u\n",
2886 (u_int32_t)ntohl(isr->sav->spi)));
2887 crit_exit();
2888 ipsec6stat.out_inval++;
2889 error = EAFNOSUPPORT;
2890 goto bad;
2891 }
2892
2893 state->m = ipsec6_splithdr(state->m);
2894 if (!state->m) {
2895 crit_exit();
2896 ipsec6stat.out_nomem++;
2897 error = ENOMEM;
2898 goto bad;
2899 }
2900 error = ipsec6_encapsulate(state->m, isr->sav);
2901 crit_exit();
2902 if (error) {
2903 state->m = 0;
2904 goto bad;
2905 }
2906 ip6 = mtod(state->m, struct ip6_hdr *);
2907
2908 state->ro = &isr->sav->sah->sa_route;
2909 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2910 dst6 = (struct sockaddr_in6 *)state->dst;
2911 if (state->ro->ro_rt
2912 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2913 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
2914 RTFREE(state->ro->ro_rt);
2915 state->ro->ro_rt = NULL;
2916 }
2917 if (state->ro->ro_rt == 0) {
2918 bzero(dst6, sizeof(*dst6));
2919 dst6->sin6_family = AF_INET6;
2920 dst6->sin6_len = sizeof(*dst6);
2921 dst6->sin6_addr = ip6->ip6_dst;
2922 rtalloc(state->ro);
2923 }
2924 if (state->ro->ro_rt == 0) {
2925 ip6stat.ip6s_noroute++;
2926 ipsec6stat.out_noroute++;
2927 error = EHOSTUNREACH;
2928 goto bad;
2929 }
2930
2931 /* adjust state->dst if tunnel endpoint is offlink */
2932 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2933 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2934 dst6 = (struct sockaddr_in6 *)state->dst;
2935 }
2936 } else
2937 crit_exit();
2938
2939 state->m = ipsec6_splithdr(state->m);
2940 if (!state->m) {
2941 ipsec6stat.out_nomem++;
2942 error = ENOMEM;
2943 goto bad;
2944 }
2945 ip6 = mtod(state->m, struct ip6_hdr *);
2946 switch (isr->saidx.proto) {
2947 case IPPROTO_ESP:
2948 #ifdef IPSEC_ESP
2949 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
2950 #else
2951 m_freem(state->m);
2952 error = EINVAL;
2953 #endif
2954 break;
2955 case IPPROTO_AH:
2956 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
2957 break;
2958 case IPPROTO_IPCOMP:
2959 /* XXX code should be here */
2960 /* FALLTHROUGH */
2961 default:
2962 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2963 "unknown ipsec protocol %d\n", isr->saidx.proto));
2964 m_freem(state->m);
2965 ipsec6stat.out_inval++;
2966 error = EINVAL;
2967 break;
2968 }
2969 if (error) {
2970 state->m = NULL;
2971 goto bad;
2972 }
2973 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2974 if (plen > IPV6_MAXPACKET) {
2975 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2976 "IPsec with IPv6 jumbogram is not supported\n"));
2977 ipsec6stat.out_inval++;
2978 error = EINVAL; /* XXX */
2979 goto bad;
2980 }
2981 ip6 = mtod(state->m, struct ip6_hdr *);
2982 ip6->ip6_plen = htons(plen);
2983 }
2984
2985 return 0;
2986
2987 bad:
2988 m_freem(state->m);
2989 state->m = NULL;
2990 return error;
2991 }
2992 #endif /* INET6 */
2993
2994 #ifdef INET
2995 /*
2996 * Chop IP header and option off from the payload.
2997 */
2998 static struct mbuf *
2999 ipsec4_splithdr(struct mbuf *m)
3000 {
3001 struct mbuf *mh;
3002 struct ip *ip;
3003 int hlen;
3004
3005 if (m->m_len < sizeof(struct ip))
3006 panic("ipsec4_splithdr: first mbuf too short");
3007 ip = mtod(m, struct ip *);
3008 #ifdef _IP_VHL
3009 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3010 #else
3011 hlen = ip->ip_hl << 2;
3012 #endif
3013 if (m->m_len > hlen) {
3014 MGETHDR(mh, MB_DONTWAIT, MT_HEADER);
3015 if (!mh) {
3016 m_freem(m);
3017 return NULL;
3018 }
3019 M_MOVE_PKTHDR(mh, m);
3020 MH_ALIGN(mh, hlen);
3021 m->m_len -= hlen;
3022 m->m_data += hlen;
3023 mh->m_next = m;
3024 m = mh;
3025 m->m_len = hlen;
3026 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3027 } else if (m->m_len < hlen) {
3028 m = m_pullup(m, hlen);
3029 if (!m)
3030 return NULL;
3031 }
3032 return m;
3033 }
3034 #endif
3035
3036 #ifdef INET6
3037 static struct mbuf *
3038 ipsec6_splithdr(struct mbuf *m)
3039 {
3040 struct mbuf *mh;
3041 struct ip6_hdr *ip6;
3042 int hlen;
3043
3044 if (m->m_len < sizeof(struct ip6_hdr))
3045 panic("ipsec6_splithdr: first mbuf too short");
3046 ip6 = mtod(m, struct ip6_hdr *);
3047 hlen = sizeof(struct ip6_hdr);
3048 if (m->m_len > hlen) {
3049 MGETHDR(mh, MB_DONTWAIT, MT_HEADER);
3050 if (!mh) {
3051 m_freem(m);
3052 return NULL;
3053 }
3054 M_MOVE_PKTHDR(mh, m);
3055 MH_ALIGN(mh, hlen);
3056 m->m_len -= hlen;
3057 m->m_data += hlen;
3058 mh->m_next = m;
3059 m = mh;
3060 m->m_len = hlen;
3061 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3062 } else if (m->m_len < hlen) {
3063 m = m_pullup(m, hlen);
3064 if (!m)
3065 return NULL;
3066 }
3067 return m;
3068 }
3069 #endif
3070
3071 /* validate inbound IPsec tunnel packet. */
3072 int
3073 ipsec4_tunnel_validate(struct mbuf *m, /* no pullup permitted, m->m_len >= ip */
3074 int off, u_int nxt0, struct secasvar *sav)
3075 {
3076 u_int8_t nxt = nxt0 & 0xff;
3077 struct sockaddr_in *sin;
3078 struct sockaddr_in osrc, odst, isrc, idst;
3079 int hlen;
3080 struct secpolicy *sp;
3081 struct ip *oip;
3082
3083 #ifdef DIAGNOSTIC
3084 if (m->m_len < sizeof(struct ip))
3085 panic("too short mbuf on ipsec4_tunnel_validate");
3086 #endif
3087 if (nxt != IPPROTO_IPV4)
3088 return 0;
3089 if (m->m_pkthdr.len < off + sizeof(struct ip))
3090 return 0;
3091 /* do not decapsulate if the SA is for transport mode only */
3092 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3093 return 0;
3094
3095 oip = mtod(m, struct ip *);
3096 #ifdef _IP_VHL
3097 hlen = _IP_VHL_HL(oip->ip_vhl) << 2;
3098 #else
3099 hlen = oip->ip_hl << 2;
3100 #endif
3101 if (hlen != sizeof(struct ip))
3102 return 0;
3103
3104 /* AF_INET6 should be supported, but at this moment we don't. */
3105 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3106 if (sin->sin_family != AF_INET)
3107 return 0;
3108 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3109 return 0;
3110
3111 /* XXX slow */
3112 bzero(&osrc, sizeof(osrc));
3113 bzero(&odst, sizeof(odst));
3114 bzero(&isrc, sizeof(isrc));
3115 bzero(&idst, sizeof(idst));
3116 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3117 AF_INET;
3118 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3119 sizeof(struct sockaddr_in);
3120 osrc.sin_addr = oip->ip_src;
3121 odst.sin_addr = oip->ip_dst;
3122 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3123 (caddr_t)&isrc.sin_addr);
3124 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3125 (caddr_t)&idst.sin_addr);
3126
3127 /*
3128 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3129 * - if the inner destination is multicast address, there can be
3130 * multiple permissible inner source address. implementation
3131 * may want to skip verification of inner source address against
3132 * SPD selector.
3133 * - if the inner protocol is ICMP, the packet may be an error report
3134 * from routers on the other side of the VPN cloud (R in the
3135 * following diagram). in this case, we cannot verify inner source
3136 * address against SPD selector.
3137 * me -- gw === gw -- R -- you
3138 *
3139 * we consider the first bullet to be users responsibility on SPD entry
3140 * configuration (if you need to encrypt multicast traffic, set
3141 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3142 * address ranges for possible senders).
3143 * the second bullet is not taken care of (yet).
3144 *
3145 * therefore, we do not do anything special about inner source.
3146 */
3147
3148 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3149 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3150 if (!sp)
3151 return 0;
3152 key_freesp(sp);
3153
3154 return 1;
3155 }
3156
3157 #ifdef INET6
3158 /* validate inbound IPsec tunnel packet. */
3159 int
3160 ipsec6_tunnel_validate(struct mbuf *m, /* no pullup permitted, m->m_len >= ip */
3161 int off, u_int nxt0, struct secasvar *sav)
3162 {
3163 u_int8_t nxt = nxt0 & 0xff;
3164 struct sockaddr_in6 *sin6;
3165 struct sockaddr_in6 osrc, odst, isrc, idst;
3166 struct secpolicy *sp;
3167 struct ip6_hdr *oip6;
3168
3169 #ifdef DIAGNOSTIC
3170 if (m->m_len < sizeof(struct ip6_hdr))
3171 panic("too short mbuf on ipsec6_tunnel_validate");
3172 #endif
3173 if (nxt != IPPROTO_IPV6)
3174 return 0;
3175 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3176 return 0;
3177 /* do not decapsulate if the SA is for transport mode only */
3178 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3179 return 0;
3180
3181 oip6 = mtod(m, struct ip6_hdr *);
3182 /* AF_INET should be supported, but at this moment we don't. */
3183 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3184 if (sin6->sin6_family != AF_INET6)
3185 return 0;
3186 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3187 return 0;
3188
3189 /* XXX slow */
3190 bzero(&osrc, sizeof(osrc));
3191 bzero(&odst, sizeof(odst));
3192 bzero(&isrc, sizeof(isrc));
3193 bzero(&idst, sizeof(idst));
3194 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3195 idst.sin6_family = AF_INET6;
3196 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3197 sizeof(struct sockaddr_in6);
3198 osrc.sin6_addr = oip6->ip6_src;
3199 odst.sin6_addr = oip6->ip6_dst;
3200 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3201 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3202 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3203 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3204
3205 /*
3206 * regarding to inner source address validation, see a long comment
3207 * in ipsec4_tunnel_validate.
3208 */
3209
3210 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3211 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3212 /*
3213 * when there is no suitable inbound policy for the packet of the ipsec
3214 * tunnel mode, the kernel never decapsulate the tunneled packet
3215 * as the ipsec tunnel mode even when the system wide policy is "none".
3216 * then the kernel leaves the generic tunnel module to process this
3217 * packet. if there is no rule of the generic tunnel, the packet
3218 * is rejected and the statistics will be counted up.
3219 */
3220 if (!sp)
3221 return 0;
3222 key_freesp(sp);
3223
3224 return 1;
3225 }
3226 #endif
3227
3228 /*
3229 * Make a mbuf chain for encryption.
3230 * If the original mbuf chain contains a mbuf with a cluster,
3231 * allocate a new cluster and copy the data to the new cluster.
3232 * XXX: this hack is inefficient, but is necessary to handle cases
3233 * of TCP retransmission...
3234 */
3235 struct mbuf *
3236 ipsec_copypkt(struct mbuf *m)
3237 {
3238 struct mbuf *n, **mpp, *mnew;
3239
3240 for (n = m, mpp = &m; n; n = n->m_next) {
3241 if (n->m_flags & M_EXT) {
3242 /*
3243 * Make a copy only if there are more than one
3244 * references to the cluster.
3245 * XXX: is this approach effective?
3246 */
3247 if (m_sharecount(n) > 1) {
3248 int remain, copied;
3249 struct mbuf *mm;
3250
3251 if (n->m_flags & M_PKTHDR) {
3252 MGETHDR(mnew, MB_DONTWAIT, MT_HEADER);
3253 if (mnew == NULL)
3254 goto fail;
3255 if (!m_dup_pkthdr(mnew, n, MB_DONTWAIT)) {
3256 m_free(mnew);
3257 goto fail;
3258 }
3259 }
3260 else {
3261 MGET(mnew, MB_DONTWAIT, MT_DATA);
3262 if (mnew == NULL)
3263 goto fail;
3264 }
3265 mnew->m_len = 0;
3266 mm = mnew;
3267
3268 /*
3269 * Copy data. If we don't have enough space to
3270 * store the whole data, allocate a cluster
3271 * or additional mbufs.
3272 * XXX: we don't use m_copyback(), since the
3273 * function does not use clusters and thus is
3274 * inefficient.
3275 */
3276 remain = n->m_len;
3277 copied = 0;
3278 while (1) {
3279 int len;
3280 struct mbuf *mn;
3281
3282 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3283 len = remain;
3284 else { /* allocate a cluster */
3285 MCLGET(mm, MB_DONTWAIT);
3286 if (!(mm->m_flags & M_EXT)) {
3287 m_free(mm);
3288 goto fail;
3289 }
3290 len = remain < MCLBYTES ?
3291 remain : MCLBYTES;
3292 }
3293
3294 bcopy(n->m_data + copied, mm->m_data,
3295 len);
3296
3297 copied += len;
3298 remain -= len;
3299 mm->m_len = len;
3300
3301 if (remain <= 0) /* completed? */
3302 break;
3303
3304 /* need another mbuf */
3305 MGETHDR(mn, MB_DONTWAIT, MT_HEADER);
3306 if (mn == NULL)
3307 goto fail;
3308 mn->m_pkthdr.rcvif = NULL;
3309 mm->m_next = mn;
3310 mm = mn;
3311 }
3312
3313 /* adjust chain */
3314 mm->m_next = m_free(n);
3315 n = mm;
3316 *mpp = mnew;
3317 mpp = &n->m_next;
3318
3319 continue;
3320 }
3321 }
3322 *mpp = n;
3323 mpp = &n->m_next;
3324 }
3325
3326 return (m);
3327 fail:
3328 m_freem(m);
3329 return (NULL);
3330 }
3331
3332 void
3333 ipsec_delaux(struct mbuf *m)
3334 {
3335 struct m_tag *tag;
3336
3337 while ((tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL)) != NULL)
3338 m_tag_delete(m, tag);
3339 }
3340
3341 int
3342 ipsec_addhist(struct mbuf *m, int proto, u_int32_t spi)
3343 {
3344 struct m_tag *tag;
3345 struct ipsec_history *p;
3346
3347 tag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
3348 sizeof (struct ipsec_history), MB_DONTWAIT);
3349 if (tag == NULL)
3350 return ENOBUFS;
3351 p = (struct ipsec_history *)m_tag_data(tag);
3352 bzero(p, sizeof(*p));
3353 p->ih_proto = proto;
3354 p->ih_spi = spi;
3355 m_tag_prepend(m, tag);
3356 return 0;
3357 }
3358
3359 struct ipsec_history *
3360 ipsec_gethist(struct mbuf *m, int *lenp)
3361 {
3362 struct m_tag *tag;
3363
3364 tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3365 if (tag == NULL)
3366 return NULL;
3367 /* XXX NB: noone uses this so fake it */
3368 if (lenp)
3369 *lenp = sizeof (struct ipsec_history);
3370 return ((struct ipsec_history *)(tag+1));
3371 }
DragonFly BSD