1 /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.1 2003/01/24 05:11:35 sam Exp $ */
2 /* $DragonFly: src/sys/netproto/ipsec/ipsec.c,v 1.19 2006/12/22 23:57:54 swildner Exp $ */
3 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * IPsec controller part.
39 #include "opt_inet6.h"
40 #include "opt_ipsec.h"
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/malloc.h>
46 #include <sys/domain.h>
47 #include <sys/protosw.h>
48 #include <sys/socket.h>
49 #include <sys/socketvar.h>
50 #include <sys/errno.h>
52 #include <sys/kernel.h>
53 #include <sys/syslog.h>
54 #include <sys/sysctl.h>
56 #include <sys/in_cksum.h>
59 #include <net/route.h>
61 #include <netinet/in.h>
62 #include <netinet/in_systm.h>
63 #include <netinet/ip.h>
64 #include <netinet/ip_var.h>
65 #include <netinet/in_var.h>
66 #include <netinet/udp.h>
67 #include <netinet/udp_var.h>
68 #include <netinet/tcp.h>
69 #include <netinet/udp.h>
71 #include <netinet/ip6.h>
73 #include <netinet6/ip6_var.h>
75 #include <netinet/in_pcb.h>
77 #include <netinet/icmp6.h>
80 #include <netproto/ipsec/ipsec.h>
82 #include <netproto/ipsec/ipsec6.h>
84 #include <netproto/ipsec/ah_var.h>
85 #include <netproto/ipsec/esp_var.h>
86 #include <netproto/ipsec/ipcomp.h> /*XXX*/
87 #include <netproto/ipsec/ipcomp_var.h>
89 #include <netproto/ipsec/key.h>
90 #include <netproto/ipsec/keydb.h>
91 #include <netproto/ipsec/key_debug.h>
93 #include <netproto/ipsec/xform.h>
95 #include <net/net_osdep.h>
103 /* NB: name changed so netstat doesn't use it */
104 struct newipsecstat newipsecstat
;
105 int ip4_ah_offsetmask
= 0; /* maybe IP_DF? */
106 int ip4_ipsec_dfbit
= 0; /* DF bit on encap. 0: clear 1: set 2: copy */
107 int ip4_esp_trans_deflev
= IPSEC_LEVEL_USE
;
108 int ip4_esp_net_deflev
= IPSEC_LEVEL_USE
;
109 int ip4_ah_trans_deflev
= IPSEC_LEVEL_USE
;
110 int ip4_ah_net_deflev
= IPSEC_LEVEL_USE
;
111 struct secpolicy ip4_def_policy
;
112 int ip4_ipsec_ecn
= 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
113 int ip4_esp_randpad
= -1;
115 * Crypto support requirements:
117 * 1 require hardware support
118 * -1 require software support
121 int crypto_support
= 0;
123 SYSCTL_DECL(_net_inet_ipsec
);
126 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_POLICY
,
127 def_policy
, CTLFLAG_RW
, &ip4_def_policy
.policy
, 0, "");
128 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_ESP_TRANSLEV
, esp_trans_deflev
,
129 CTLFLAG_RW
, &ip4_esp_trans_deflev
, 0, "");
130 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_ESP_NETLEV
, esp_net_deflev
,
131 CTLFLAG_RW
, &ip4_esp_net_deflev
, 0, "");
132 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_AH_TRANSLEV
, ah_trans_deflev
,
133 CTLFLAG_RW
, &ip4_ah_trans_deflev
, 0, "");
134 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_AH_NETLEV
, ah_net_deflev
,
135 CTLFLAG_RW
, &ip4_ah_net_deflev
, 0, "");
136 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_AH_CLEARTOS
,
137 ah_cleartos
, CTLFLAG_RW
, &ah_cleartos
, 0, "");
138 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_AH_OFFSETMASK
,
139 ah_offsetmask
, CTLFLAG_RW
, &ip4_ah_offsetmask
, 0, "");
140 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DFBIT
,
141 dfbit
, CTLFLAG_RW
, &ip4_ipsec_dfbit
, 0, "");
142 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_ECN
,
143 ecn
, CTLFLAG_RW
, &ip4_ipsec_ecn
, 0, "");
144 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEBUG
,
145 debug
, CTLFLAG_RW
, &ipsec_debug
, 0, "");
146 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_ESP_RANDPAD
,
147 esp_randpad
, CTLFLAG_RW
, &ip4_esp_randpad
, 0, "");
148 SYSCTL_INT(_net_inet_ipsec
, OID_AUTO
,
149 crypto_support
, CTLFLAG_RW
, &crypto_support
,0, "");
150 SYSCTL_STRUCT(_net_inet_ipsec
, OID_AUTO
,
151 ipsecstats
, CTLFLAG_RD
, &newipsecstat
, newipsecstat
, "");
154 int ip6_esp_trans_deflev
= IPSEC_LEVEL_USE
;
155 int ip6_esp_net_deflev
= IPSEC_LEVEL_USE
;
156 int ip6_ah_trans_deflev
= IPSEC_LEVEL_USE
;
157 int ip6_ah_net_deflev
= IPSEC_LEVEL_USE
;
158 int ip6_ipsec_ecn
= 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
159 int ip6_esp_randpad
= -1;
161 SYSCTL_DECL(_net_inet6_ipsec6
);
163 /* net.inet6.ipsec6 */
165 SYSCTL_OID(_net_inet6_ipsec6
, IPSECCTL_STATS
, stats
, CTLFLAG_RD
,
166 0,0, compat_ipsecstats_sysctl
, "S", "");
167 #endif /* COMPAT_KAME */
168 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_POLICY
,
169 def_policy
, CTLFLAG_RW
, &ip4_def_policy
.policy
, 0, "");
170 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_ESP_TRANSLEV
, esp_trans_deflev
,
171 CTLFLAG_RW
, &ip6_esp_trans_deflev
, 0, "");
172 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_ESP_NETLEV
, esp_net_deflev
,
173 CTLFLAG_RW
, &ip6_esp_net_deflev
, 0, "");
174 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_AH_TRANSLEV
, ah_trans_deflev
,
175 CTLFLAG_RW
, &ip6_ah_trans_deflev
, 0, "");
176 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_AH_NETLEV
, ah_net_deflev
,
177 CTLFLAG_RW
, &ip6_ah_net_deflev
, 0, "");
178 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_ECN
,
179 ecn
, CTLFLAG_RW
, &ip6_ipsec_ecn
, 0, "");
180 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEBUG
,
181 debug
, CTLFLAG_RW
, &ipsec_debug
, 0, "");
182 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_ESP_RANDPAD
,
183 esp_randpad
, CTLFLAG_RW
, &ip6_esp_randpad
, 0, "");
186 static int ipsec4_setspidx_inpcb (struct mbuf
*, struct inpcb
*pcb
);
188 static int ipsec6_setspidx_in6pcb (struct mbuf
*, struct in6pcb
*pcb
);
190 static int ipsec_setspidx (struct mbuf
*, struct secpolicyindex
*, int);
191 static void ipsec4_get_ulp (struct mbuf
*m
, struct secpolicyindex
*, int);
192 static int ipsec4_setspidx_ipaddr (struct mbuf
*, struct secpolicyindex
*);
194 static void ipsec6_get_ulp (struct mbuf
*m
, struct secpolicyindex
*, int);
195 static int ipsec6_setspidx_ipaddr (struct mbuf
*, struct secpolicyindex
*);
197 static void ipsec_delpcbpolicy (struct inpcbpolicy
*);
198 static struct secpolicy
*ipsec_deepcopy_policy (struct secpolicy
*src
);
199 static int ipsec_set_policy (struct secpolicy
**pcb_sp
,
200 int optname
, caddr_t request
, size_t len
, int priv
);
201 static int ipsec_get_policy (struct secpolicy
*pcb_sp
, struct mbuf
**mp
);
202 static void vshiftl (unsigned char *, int, int);
203 static size_t ipsec_hdrsiz (struct secpolicy
*);
206 * Return a held reference to the default SP.
208 static struct secpolicy
*
209 key_allocsp_default(const char* where
, int tag
)
211 struct secpolicy
*sp
;
213 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
214 kprintf("DP key_allocsp_default from %s:%u\n", where
, tag
));
216 sp
= &ip4_def_policy
;
217 if (sp
->policy
!= IPSEC_POLICY_DISCARD
&&
218 sp
->policy
!= IPSEC_POLICY_NONE
) {
219 ipseclog((LOG_INFO
, "fixed system default policy: %d->%d\n",
220 sp
->policy
, IPSEC_POLICY_NONE
));
221 sp
->policy
= IPSEC_POLICY_NONE
;
225 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
226 kprintf("DP key_allocsp_default returns SP:%p (%u)\n",
230 #define KEY_ALLOCSP_DEFAULT() \
231 key_allocsp_default(__FILE__, __LINE__)
234 * For OUTBOUND packet having a socket. Searching SPD for packet,
235 * and return a pointer to SP.
236 * OUT: NULL: no apropreate SP found, the following value is set to error.
238 * EACCES : discard packet.
239 * ENOENT : ipsec_acquire() in progress, maybe.
240 * others : error occured.
241 * others: a pointer to SP
243 * NOTE: IPv6 mapped adddress concern is implemented here.
246 ipsec_getpolicy(struct tdb_ident
*tdbi
, u_int dir
)
248 struct secpolicy
*sp
;
250 KASSERT(tdbi
!= NULL
, ("ipsec_getpolicy: null tdbi"));
251 KASSERT(dir
== IPSEC_DIR_INBOUND
|| dir
== IPSEC_DIR_OUTBOUND
,
252 ("ipsec_getpolicy: invalid direction %u", dir
));
254 sp
= KEY_ALLOCSP2(tdbi
->spi
, &tdbi
->dst
, tdbi
->proto
, dir
);
255 if (sp
== NULL
) /*XXX????*/
256 sp
= KEY_ALLOCSP_DEFAULT();
257 KASSERT(sp
!= NULL
, ("ipsec_getpolicy: null SP"));
262 * For OUTBOUND packet having a socket. Searching SPD for packet,
263 * and return a pointer to SP.
264 * OUT: NULL: no apropreate SP found, the following value is set to error.
266 * EACCES : discard packet.
267 * ENOENT : ipsec_acquire() in progress, maybe.
268 * others : error occured.
269 * others: a pointer to SP
271 * NOTE: IPv6 mapped adddress concern is implemented here.
274 ipsec_getpolicybysock(struct mbuf
*m
, u_int dir
, struct inpcb
*inp
,
277 struct inpcbpolicy
*pcbsp
= NULL
;
278 struct secpolicy
*currsp
= NULL
; /* policy on socket */
279 struct secpolicy
*sp
;
282 KASSERT(m
!= NULL
, ("ipsec_getpolicybysock: null mbuf"));
283 KASSERT(inp
!= NULL
, ("ipsec_getpolicybysock: null inpcb"));
284 KASSERT(error
!= NULL
, ("ipsec_getpolicybysock: null error"));
285 KASSERT(dir
== IPSEC_DIR_INBOUND
|| dir
== IPSEC_DIR_OUTBOUND
,
286 ("ipsec_getpolicybysock: invalid direction %u", dir
));
288 af
= inp
->inp_socket
->so_proto
->pr_domain
->dom_family
;
289 KASSERT(af
== AF_INET
|| af
== AF_INET6
,
290 ("ipsec_getpolicybysock: unexpected protocol family %u", af
));
294 /* set spidx in pcb */
295 *error
= ipsec4_setspidx_inpcb(m
, inp
);
300 /* set spidx in pcb */
301 *error
= ipsec6_setspidx_in6pcb(m
, inp
);
302 pcbsp
= inp
->in6p_sp
;
306 *error
= EPFNOSUPPORT
;
312 KASSERT(pcbsp
!= NULL
, ("ipsec_getpolicybysock: null pcbsp"));
314 case IPSEC_DIR_INBOUND
:
315 currsp
= pcbsp
->sp_in
;
317 case IPSEC_DIR_OUTBOUND
:
318 currsp
= pcbsp
->sp_out
;
321 KASSERT(currsp
!= NULL
, ("ipsec_getpolicybysock: null currsp"));
323 if (pcbsp
->priv
) { /* when privilieged socket */
324 switch (currsp
->policy
) {
325 case IPSEC_POLICY_BYPASS
:
326 case IPSEC_POLICY_IPSEC
:
331 case IPSEC_POLICY_ENTRUST
:
332 /* look for a policy in SPD */
333 sp
= KEY_ALLOCSP(&currsp
->spidx
, dir
);
334 if (sp
== NULL
) /* no SP found */
335 sp
= KEY_ALLOCSP_DEFAULT();
339 ipseclog((LOG_ERR
, "ipsec_getpolicybysock: "
340 "Invalid policy for PCB %d\n", currsp
->policy
));
344 } else { /* unpriv, SPD has policy */
345 sp
= KEY_ALLOCSP(&currsp
->spidx
, dir
);
346 if (sp
== NULL
) { /* no SP found */
347 switch (currsp
->policy
) {
348 case IPSEC_POLICY_BYPASS
:
349 ipseclog((LOG_ERR
, "ipsec_getpolicybysock: "
350 "Illegal policy for non-priviliged defined %d\n",
355 case IPSEC_POLICY_ENTRUST
:
356 sp
= KEY_ALLOCSP_DEFAULT();
359 case IPSEC_POLICY_IPSEC
:
365 ipseclog((LOG_ERR
, "ipsec_getpolicybysock: "
366 "Invalid policy for PCB %d\n", currsp
->policy
));
373 ("ipsec_getpolicybysock: null SP (priv %u policy %u",
374 pcbsp
->priv
, currsp
->policy
));
375 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
376 kprintf("DP ipsec_getpolicybysock (priv %u policy %u) allocates "
377 "SP:%p (refcnt %u)\n", pcbsp
->priv
, currsp
->policy
,
383 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
384 * and return a pointer to SP.
385 * OUT: positive: a pointer to the entry for security policy leaf matched.
386 * NULL: no apropreate SP found, the following value is set to error.
388 * EACCES : discard packet.
389 * ENOENT : ipsec_acquire() in progress, maybe.
390 * others : error occured.
393 ipsec_getpolicybyaddr(struct mbuf
*m
, u_int dir
, int flag
, int *error
)
395 struct secpolicyindex spidx
;
396 struct secpolicy
*sp
;
398 KASSERT(m
!= NULL
, ("ipsec_getpolicybyaddr: null mbuf"));
399 KASSERT(error
!= NULL
, ("ipsec_getpolicybyaddr: null error"));
400 KASSERT(dir
== IPSEC_DIR_INBOUND
|| dir
== IPSEC_DIR_OUTBOUND
,
401 ("ipsec4_getpolicybaddr: invalid direction %u", dir
));
404 if (key_havesp(dir
)) {
405 /* Make an index to look for a policy. */
406 *error
= ipsec_setspidx(m
, &spidx
,
407 (flag
& IP_FORWARDING
) ? 0 : 1);
409 DPRINTF(("ipsec_getpolicybyaddr: setpidx failed,"
410 " dir %u flag %u\n", dir
, flag
));
411 bzero(&spidx
, sizeof (spidx
));
416 sp
= KEY_ALLOCSP(&spidx
, dir
);
418 if (sp
== NULL
) /* no SP found, use system default */
419 sp
= KEY_ALLOCSP_DEFAULT();
420 KASSERT(sp
!= NULL
, ("ipsec_getpolicybyaddr: null SP"));
425 ipsec4_checkpolicy(struct mbuf
*m
, u_int dir
, u_int flag
, int *error
,
428 struct secpolicy
*sp
;
432 sp
= ipsec_getpolicybyaddr(m
, dir
, flag
, error
);
434 sp
= ipsec_getpolicybysock(m
, dir
, inp
, error
);
437 ("ipsec4_checkpolicy: getpolicy failed w/o error"));
438 newipsecstat
.ips_out_inval
++;
442 ("ipsec4_checkpolicy: sp w/ error set to %u", *error
));
443 switch (sp
->policy
) {
444 case IPSEC_POLICY_ENTRUST
:
446 kprintf("ipsec4_checkpolicy: invalid policy %u\n", sp
->policy
);
448 case IPSEC_POLICY_DISCARD
:
449 newipsecstat
.ips_out_polvio
++;
450 *error
= -EINVAL
; /* packet is discarded by caller */
452 case IPSEC_POLICY_BYPASS
:
453 case IPSEC_POLICY_NONE
:
455 sp
= NULL
; /* NB: force NULL result */
457 case IPSEC_POLICY_IPSEC
:
458 if (sp
->req
== NULL
) /* acquire an SA */
459 *error
= key_spdacquire(sp
);
470 ipsec4_setspidx_inpcb(struct mbuf
*m
, struct inpcb
*pcb
)
474 KASSERT(pcb
!= NULL
, ("ipsec4_setspidx_inpcb: null pcb"));
475 KASSERT(pcb
->inp_sp
!= NULL
, ("ipsec4_setspidx_inpcb: null inp_sp"));
476 KASSERT(pcb
->inp_sp
->sp_out
!= NULL
&& pcb
->inp_sp
->sp_in
!= NULL
,
477 ("ipsec4_setspidx_inpcb: null sp_in || sp_out"));
479 error
= ipsec_setspidx(m
, &pcb
->inp_sp
->sp_in
->spidx
, 1);
481 pcb
->inp_sp
->sp_in
->spidx
.dir
= IPSEC_DIR_INBOUND
;
482 pcb
->inp_sp
->sp_out
->spidx
= pcb
->inp_sp
->sp_in
->spidx
;
483 pcb
->inp_sp
->sp_out
->spidx
.dir
= IPSEC_DIR_OUTBOUND
;
485 bzero(&pcb
->inp_sp
->sp_in
->spidx
,
486 sizeof (pcb
->inp_sp
->sp_in
->spidx
));
487 bzero(&pcb
->inp_sp
->sp_out
->spidx
,
488 sizeof (pcb
->inp_sp
->sp_in
->spidx
));
495 ipsec6_setspidx_in6pcb(struct mbuf
*m
, struct in6pcb
*pcb
)
497 struct secpolicyindex
*spidx
;
500 KASSERT(pcb
!= NULL
, ("ipsec6_setspidx_in6pcb: null pcb"));
501 KASSERT(pcb
->in6p_sp
!= NULL
, ("ipsec6_setspidx_in6pcb: null inp_sp"));
502 KASSERT(pcb
->in6p_sp
->sp_out
!= NULL
&& pcb
->in6p_sp
->sp_in
!= NULL
,
503 ("ipsec6_setspidx_in6pcb: null sp_in || sp_out"));
505 bzero(&pcb
->in6p_sp
->sp_in
->spidx
, sizeof(*spidx
));
506 bzero(&pcb
->in6p_sp
->sp_out
->spidx
, sizeof(*spidx
));
508 spidx
= &pcb
->in6p_sp
->sp_in
->spidx
;
509 error
= ipsec_setspidx(m
, spidx
, 1);
512 spidx
->dir
= IPSEC_DIR_INBOUND
;
514 spidx
= &pcb
->in6p_sp
->sp_out
->spidx
;
515 error
= ipsec_setspidx(m
, spidx
, 1);
518 spidx
->dir
= IPSEC_DIR_OUTBOUND
;
523 bzero(&pcb
->in6p_sp
->sp_in
->spidx
, sizeof(*spidx
));
524 bzero(&pcb
->in6p_sp
->sp_out
->spidx
, sizeof(*spidx
));
530 * configure security policy index (src/dst/proto/sport/dport)
531 * by looking at the content of mbuf.
532 * the caller is responsible for error recovery (like clearing up spidx).
535 ipsec_setspidx(struct mbuf
*m
, struct secpolicyindex
*spidx
, int needport
)
537 struct ip
*ip
= NULL
;
544 KASSERT(m
!= NULL
, ("ipsec_setspidx: null mbuf"));
547 * validate m->m_pkthdr.len. we see incorrect length if we
548 * mistakenly call this function with inconsistent mbuf chain
549 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
552 for (n
= m
; n
; n
= n
->m_next
)
554 if (m
->m_pkthdr
.len
!= len
) {
555 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
556 kprintf("ipsec_setspidx: "
557 "total of m_len(%d) != pkthdr.len(%d), "
559 len
, m
->m_pkthdr
.len
));
563 if (m
->m_pkthdr
.len
< sizeof(struct ip
)) {
564 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
565 kprintf("ipsec_setspidx: "
566 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
571 if (m
->m_len
>= sizeof(*ip
))
572 ip
= mtod(m
, struct ip
*);
574 m_copydata(m
, 0, sizeof(ipbuf
), (caddr_t
)&ipbuf
);
578 v
= _IP_VHL_V(ip
->ip_vhl
);
584 error
= ipsec4_setspidx_ipaddr(m
, spidx
);
587 ipsec4_get_ulp(m
, spidx
, needport
);
591 if (m
->m_pkthdr
.len
< sizeof(struct ip6_hdr
)) {
592 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
593 kprintf("ipsec_setspidx: "
594 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
595 "ignored.\n", m
->m_pkthdr
.len
));
598 error
= ipsec6_setspidx_ipaddr(m
, spidx
);
601 ipsec6_get_ulp(m
, spidx
, needport
);
605 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
606 kprintf("ipsec_setspidx: "
607 "unknown IP version %u, ignored.\n", v
));
613 ipsec4_get_ulp(struct mbuf
*m
, struct secpolicyindex
*spidx
, int needport
)
619 KASSERT(m
!= NULL
, ("ipsec4_get_ulp: null mbuf"));
620 KASSERT(m
->m_pkthdr
.len
>= sizeof(struct ip
),
621 ("ipsec4_get_ulp: packet too short"));
623 /* NB: ip_input() flips it into host endian XXX need more checking */
624 if (m
->m_len
< sizeof (struct ip
)) {
625 struct ip
*ip
= mtod(m
, struct ip
*);
626 if (ip
->ip_off
& (IP_MF
| IP_OFFMASK
))
629 off
= _IP_VHL_HL(ip
->ip_vhl
) << 2;
631 off
= ip
->ip_hl
<< 2;
637 m_copydata(m
, 0, sizeof (struct ip
), (caddr_t
) &ih
);
638 if (ih
.ip_off
& (IP_MF
| IP_OFFMASK
))
641 off
= _IP_VHL_HL(ih
.ip_vhl
) << 2;
648 while (off
< m
->m_pkthdr
.len
) {
655 spidx
->ul_proto
= nxt
;
658 if (off
+ sizeof(struct tcphdr
) > m
->m_pkthdr
.len
)
660 m_copydata(m
, off
, sizeof (th
), (caddr_t
) &th
);
661 spidx
->src
.sin
.sin_port
= th
.th_sport
;
662 spidx
->dst
.sin
.sin_port
= th
.th_dport
;
665 spidx
->ul_proto
= nxt
;
668 if (off
+ sizeof(struct udphdr
) > m
->m_pkthdr
.len
)
670 m_copydata(m
, off
, sizeof (uh
), (caddr_t
) &uh
);
671 spidx
->src
.sin
.sin_port
= uh
.uh_sport
;
672 spidx
->dst
.sin
.sin_port
= uh
.uh_dport
;
675 if (off
+ sizeof(ip6e
) > m
->m_pkthdr
.len
)
677 /* XXX sigh, this works but is totally bogus */
678 m_copydata(m
, off
, sizeof(ip6e
), (caddr_t
) &ip6e
);
679 off
+= (ip6e
.ip6e_len
+ 2) << 2;
684 /* XXX intermediate headers??? */
685 spidx
->ul_proto
= nxt
;
690 spidx
->ul_proto
= IPSEC_ULPROTO_ANY
;
692 spidx
->src
.sin
.sin_port
= IPSEC_PORT_ANY
;
693 spidx
->dst
.sin
.sin_port
= IPSEC_PORT_ANY
;
696 /* assumes that m is sane */
698 ipsec4_setspidx_ipaddr(struct mbuf
*m
, struct secpolicyindex
*spidx
)
700 static const struct sockaddr_in
template = {
701 sizeof (struct sockaddr_in
),
703 0, { 0 }, { 0, 0, 0, 0, 0, 0, 0, 0 }
706 spidx
->src
.sin
= template;
707 spidx
->dst
.sin
= template;
709 if (m
->m_len
< sizeof (struct ip
)) {
710 m_copydata(m
, offsetof(struct ip
, ip_src
),
711 sizeof (struct in_addr
),
712 (caddr_t
) &spidx
->src
.sin
.sin_addr
);
713 m_copydata(m
, offsetof(struct ip
, ip_dst
),
714 sizeof (struct in_addr
),
715 (caddr_t
) &spidx
->dst
.sin
.sin_addr
);
717 struct ip
*ip
= mtod(m
, struct ip
*);
718 spidx
->src
.sin
.sin_addr
= ip
->ip_src
;
719 spidx
->dst
.sin
.sin_addr
= ip
->ip_dst
;
722 spidx
->prefs
= sizeof(struct in_addr
) << 3;
723 spidx
->prefd
= sizeof(struct in_addr
) << 3;
730 ipsec6_get_ulp(struct mbuf
*m
, struct secpolicyindex
*spidx
, int needport
)
738 panic("ipsec6_get_ulp: NULL pointer was passed.\n");
740 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
741 kprintf("ipsec6_get_ulp:\n"); kdebug_mbuf(m
));
744 spidx
->ul_proto
= IPSEC_ULPROTO_ANY
;
745 ((struct sockaddr_in6
*)&spidx
->src
)->sin6_port
= IPSEC_PORT_ANY
;
746 ((struct sockaddr_in6
*)&spidx
->dst
)->sin6_port
= IPSEC_PORT_ANY
;
749 off
= ip6_lasthdr(m
, 0, IPPROTO_IPV6
, &nxt
);
750 if (off
< 0 || m
->m_pkthdr
.len
< off
)
755 spidx
->ul_proto
= nxt
;
758 if (off
+ sizeof(struct tcphdr
) > m
->m_pkthdr
.len
)
760 m_copydata(m
, off
, sizeof(th
), (caddr_t
)&th
);
761 ((struct sockaddr_in6
*)&spidx
->src
)->sin6_port
= th
.th_sport
;
762 ((struct sockaddr_in6
*)&spidx
->dst
)->sin6_port
= th
.th_dport
;
765 spidx
->ul_proto
= nxt
;
768 if (off
+ sizeof(struct udphdr
) > m
->m_pkthdr
.len
)
770 m_copydata(m
, off
, sizeof(uh
), (caddr_t
)&uh
);
771 ((struct sockaddr_in6
*)&spidx
->src
)->sin6_port
= uh
.uh_sport
;
772 ((struct sockaddr_in6
*)&spidx
->dst
)->sin6_port
= uh
.uh_dport
;
776 /* XXX intermediate headers??? */
777 spidx
->ul_proto
= nxt
;
782 /* assumes that m is sane */
784 ipsec6_setspidx_ipaddr(struct mbuf
*m
, struct secpolicyindex
*spidx
)
786 struct ip6_hdr
*ip6
= NULL
;
787 struct ip6_hdr ip6buf
;
788 struct sockaddr_in6
*sin6
;
790 if (m
->m_len
>= sizeof(*ip6
))
791 ip6
= mtod(m
, struct ip6_hdr
*);
793 m_copydata(m
, 0, sizeof(ip6buf
), (caddr_t
)&ip6buf
);
797 sin6
= (struct sockaddr_in6
*)&spidx
->src
;
798 bzero(sin6
, sizeof(*sin6
));
799 sin6
->sin6_family
= AF_INET6
;
800 sin6
->sin6_len
= sizeof(struct sockaddr_in6
);
801 bcopy(&ip6
->ip6_src
, &sin6
->sin6_addr
, sizeof(ip6
->ip6_src
));
802 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_src
)) {
803 sin6
->sin6_addr
.s6_addr16
[1] = 0;
804 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_src
.s6_addr16
[1]);
806 spidx
->prefs
= sizeof(struct in6_addr
) << 3;
808 sin6
= (struct sockaddr_in6
*)&spidx
->dst
;
809 bzero(sin6
, sizeof(*sin6
));
810 sin6
->sin6_family
= AF_INET6
;
811 sin6
->sin6_len
= sizeof(struct sockaddr_in6
);
812 bcopy(&ip6
->ip6_dst
, &sin6
->sin6_addr
, sizeof(ip6
->ip6_dst
));
813 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_dst
)) {
814 sin6
->sin6_addr
.s6_addr16
[1] = 0;
815 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_dst
.s6_addr16
[1]);
817 spidx
->prefd
= sizeof(struct in6_addr
) << 3;
824 ipsec_delpcbpolicy(struct inpcbpolicy
*p
)
829 /* initialize policy in PCB */
831 ipsec_init_policy(struct socket
*so
, struct inpcbpolicy
**pcb_sp
)
833 struct inpcbpolicy
*new;
836 if (so
== NULL
|| pcb_sp
== NULL
)
837 panic("ipsec_init_policy: NULL pointer was passed.\n");
839 new = kmalloc(sizeof(struct inpcbpolicy
),
840 M_SECA
, M_INTWAIT
| M_ZERO
| M_NULLOK
);
842 ipseclog((LOG_DEBUG
, "ipsec_init_policy: No more memory.\n"));
846 if (so
->so_cred
!= 0 && so
->so_cred
->cr_uid
== 0)
851 if ((new->sp_in
= KEY_NEWSP()) == NULL
) {
852 ipsec_delpcbpolicy(new);
855 new->sp_in
->state
= IPSEC_SPSTATE_ALIVE
;
856 new->sp_in
->policy
= IPSEC_POLICY_ENTRUST
;
858 if ((new->sp_out
= KEY_NEWSP()) == NULL
) {
859 KEY_FREESP(&new->sp_in
);
860 ipsec_delpcbpolicy(new);
863 new->sp_out
->state
= IPSEC_SPSTATE_ALIVE
;
864 new->sp_out
->policy
= IPSEC_POLICY_ENTRUST
;
871 /* copy old ipsec policy into new */
873 ipsec_copy_policy(struct inpcbpolicy
*old
, struct inpcbpolicy
*new)
875 struct secpolicy
*sp
;
877 sp
= ipsec_deepcopy_policy(old
->sp_in
);
879 KEY_FREESP(&new->sp_in
);
884 sp
= ipsec_deepcopy_policy(old
->sp_out
);
886 KEY_FREESP(&new->sp_out
);
891 new->priv
= old
->priv
;
896 /* deep-copy a policy in PCB */
897 static struct secpolicy
*
898 ipsec_deepcopy_policy(struct secpolicy
*src
)
900 struct ipsecrequest
*newchain
= NULL
;
901 struct ipsecrequest
*p
;
902 struct ipsecrequest
**q
;
903 struct ipsecrequest
*r
;
904 struct secpolicy
*dst
;
913 * deep-copy IPsec request chain. This is required since struct
914 * ipsecrequest is not reference counted.
917 for (p
= src
->req
; p
; p
= p
->next
) {
918 *q
= kmalloc(sizeof(struct ipsecrequest
),
919 M_SECA
, M_INTWAIT
| M_ZERO
| M_NULLOK
);
924 (*q
)->saidx
.proto
= p
->saidx
.proto
;
925 (*q
)->saidx
.mode
= p
->saidx
.mode
;
926 (*q
)->level
= p
->level
;
927 (*q
)->saidx
.reqid
= p
->saidx
.reqid
;
929 bcopy(&p
->saidx
.src
, &(*q
)->saidx
.src
, sizeof((*q
)->saidx
.src
));
930 bcopy(&p
->saidx
.dst
, &(*q
)->saidx
.dst
, sizeof((*q
)->saidx
.dst
));
939 dst
->state
= src
->state
;
940 dst
->policy
= src
->policy
;
941 /* do not touch the refcnt fields */
946 for (p
= newchain
; p
; p
= r
) {
954 /* set policy and ipsec request if present. */
956 ipsec_set_policy(struct secpolicy
**pcb_sp
, int optname
, caddr_t request
,
957 size_t len
, int priv
)
959 struct sadb_x_policy
*xpl
;
960 struct secpolicy
*newsp
= NULL
;
964 if (pcb_sp
== NULL
|| *pcb_sp
== NULL
|| request
== NULL
)
966 if (len
< sizeof(*xpl
))
968 xpl
= (struct sadb_x_policy
*)request
;
970 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
971 kprintf("ipsec_set_policy: passed policy\n");
972 kdebug_sadb_x_policy((struct sadb_ext
*)xpl
));
974 /* check policy type */
975 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
976 if (xpl
->sadb_x_policy_type
== IPSEC_POLICY_DISCARD
977 || xpl
->sadb_x_policy_type
== IPSEC_POLICY_NONE
)
980 /* check privileged socket */
981 if (priv
== 0 && xpl
->sadb_x_policy_type
== IPSEC_POLICY_BYPASS
)
984 /* allocation new SP entry */
985 if ((newsp
= key_msg2sp(xpl
, len
, &error
)) == NULL
)
988 newsp
->state
= IPSEC_SPSTATE_ALIVE
;
990 /* clear old SP and set new SP */
993 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
994 kprintf("ipsec_set_policy: new policy\n");
995 kdebug_secpolicy(newsp
));
1001 ipsec_get_policy(struct secpolicy
*pcb_sp
, struct mbuf
**mp
)
1005 if (pcb_sp
== NULL
|| mp
== NULL
)
1008 *mp
= key_sp2msg(pcb_sp
);
1010 ipseclog((LOG_DEBUG
, "ipsec_get_policy: No more memory.\n"));
1014 KKASSERT((*mp
)->m_type
== MT_DATA
);
1015 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1016 kprintf("ipsec_get_policy:\n");
1023 ipsec4_set_policy(struct inpcb
*inp
, int optname
, caddr_t request
,
1024 size_t len
, int priv
)
1026 struct sadb_x_policy
*xpl
;
1027 struct secpolicy
**pcb_sp
;
1030 if (inp
== NULL
|| request
== NULL
)
1032 if (len
< sizeof(*xpl
))
1034 xpl
= (struct sadb_x_policy
*)request
;
1036 /* select direction */
1037 switch (xpl
->sadb_x_policy_dir
) {
1038 case IPSEC_DIR_INBOUND
:
1039 pcb_sp
= &inp
->inp_sp
->sp_in
;
1041 case IPSEC_DIR_OUTBOUND
:
1042 pcb_sp
= &inp
->inp_sp
->sp_out
;
1045 ipseclog((LOG_ERR
, "ipsec4_set_policy: invalid direction=%u\n",
1046 xpl
->sadb_x_policy_dir
));
1050 return ipsec_set_policy(pcb_sp
, optname
, request
, len
, priv
);
1054 ipsec4_get_policy(struct inpcb
*inp
, caddr_t request
, size_t len
,
1057 struct sadb_x_policy
*xpl
;
1058 struct secpolicy
*pcb_sp
;
1061 if (inp
== NULL
|| request
== NULL
|| mp
== NULL
)
1063 KASSERT(inp
->inp_sp
!= NULL
, ("ipsec4_get_policy: null inp_sp"));
1064 if (len
< sizeof(*xpl
))
1066 xpl
= (struct sadb_x_policy
*)request
;
1068 /* select direction */
1069 switch (xpl
->sadb_x_policy_dir
) {
1070 case IPSEC_DIR_INBOUND
:
1071 pcb_sp
= inp
->inp_sp
->sp_in
;
1073 case IPSEC_DIR_OUTBOUND
:
1074 pcb_sp
= inp
->inp_sp
->sp_out
;
1077 ipseclog((LOG_ERR
, "ipsec4_set_policy: invalid direction=%u\n",
1078 xpl
->sadb_x_policy_dir
));
1082 return ipsec_get_policy(pcb_sp
, mp
);
1085 /* delete policy in PCB */
1087 ipsec4_delete_pcbpolicy(struct inpcb
*inp
)
1089 KASSERT(inp
!= NULL
, ("ipsec4_delete_pcbpolicy: null inp"));
1091 if (inp
->inp_sp
== NULL
)
1094 if (inp
->inp_sp
->sp_in
!= NULL
)
1095 KEY_FREESP(&inp
->inp_sp
->sp_in
);
1097 if (inp
->inp_sp
->sp_out
!= NULL
)
1098 KEY_FREESP(&inp
->inp_sp
->sp_out
);
1100 ipsec_delpcbpolicy(inp
->inp_sp
);
1108 ipsec6_set_policy(struct in6pcb
*in6p
, int optname
, caddr_t request
,
1109 size_t len
, int priv
)
1111 struct sadb_x_policy
*xpl
;
1112 struct secpolicy
**pcb_sp
;
1115 if (in6p
== NULL
|| request
== NULL
)
1117 if (len
< sizeof(*xpl
))
1119 xpl
= (struct sadb_x_policy
*)request
;
1121 /* select direction */
1122 switch (xpl
->sadb_x_policy_dir
) {
1123 case IPSEC_DIR_INBOUND
:
1124 pcb_sp
= &in6p
->in6p_sp
->sp_in
;
1126 case IPSEC_DIR_OUTBOUND
:
1127 pcb_sp
= &in6p
->in6p_sp
->sp_out
;
1130 ipseclog((LOG_ERR
, "ipsec6_set_policy: invalid direction=%u\n",
1131 xpl
->sadb_x_policy_dir
));
1135 return ipsec_set_policy(pcb_sp
, optname
, request
, len
, priv
);
1139 ipsec6_get_policy(struct in6pcb
*in6p
, caddr_t request
, size_t len
,
1142 struct sadb_x_policy
*xpl
;
1143 struct secpolicy
*pcb_sp
;
1146 if (in6p
== NULL
|| request
== NULL
|| mp
== NULL
)
1148 KASSERT(in6p
->in6p_sp
!= NULL
, ("ipsec6_get_policy: null in6p_sp"));
1149 if (len
< sizeof(*xpl
))
1151 xpl
= (struct sadb_x_policy
*)request
;
1153 /* select direction */
1154 switch (xpl
->sadb_x_policy_dir
) {
1155 case IPSEC_DIR_INBOUND
:
1156 pcb_sp
= in6p
->in6p_sp
->sp_in
;
1158 case IPSEC_DIR_OUTBOUND
:
1159 pcb_sp
= in6p
->in6p_sp
->sp_out
;
1162 ipseclog((LOG_ERR
, "ipsec6_set_policy: invalid direction=%u\n",
1163 xpl
->sadb_x_policy_dir
));
1167 return ipsec_get_policy(pcb_sp
, mp
);
1171 ipsec6_delete_pcbpolicy(struct in6pcb
*in6p
)
1173 KASSERT(in6p
!= NULL
, ("ipsec6_delete_pcbpolicy: null in6p"));
1175 if (in6p
->in6p_sp
== NULL
)
1178 if (in6p
->in6p_sp
->sp_in
!= NULL
)
1179 KEY_FREESP(&in6p
->in6p_sp
->sp_in
);
1181 if (in6p
->in6p_sp
->sp_out
!= NULL
)
1182 KEY_FREESP(&in6p
->in6p_sp
->sp_out
);
1184 ipsec_delpcbpolicy(in6p
->in6p_sp
);
1185 in6p
->in6p_sp
= NULL
;
1192 * return current level.
1193 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1196 ipsec_get_reqlevel(struct ipsecrequest
*isr
)
1199 u_int esp_trans_deflev
, esp_net_deflev
;
1200 u_int ah_trans_deflev
, ah_net_deflev
;
1202 KASSERT(isr
!= NULL
&& isr
->sp
!= NULL
,
1203 ("ipsec_get_reqlevel: null argument"));
1204 KASSERT(isr
->sp
->spidx
.src
.sa
.sa_family
== isr
->sp
->spidx
.dst
.sa
.sa_family
,
1205 ("ipsec_get_reqlevel: af family mismatch, src %u, dst %u",
1206 isr
->sp
->spidx
.src
.sa
.sa_family
,
1207 isr
->sp
->spidx
.dst
.sa
.sa_family
));
1209 /* XXX note that we have ipseclog() expanded here - code sync issue */
1210 #define IPSEC_CHECK_DEFAULT(lev) \
1211 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1212 && (lev) != IPSEC_LEVEL_UNIQUE) \
1214 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1215 (lev), IPSEC_LEVEL_REQUIRE) \
1217 (lev) = IPSEC_LEVEL_REQUIRE, \
1221 /* set default level */
1222 switch (((struct sockaddr
*)&isr
->sp
->spidx
.src
)->sa_family
) {
1225 esp_trans_deflev
= IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev
);
1226 esp_net_deflev
= IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev
);
1227 ah_trans_deflev
= IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev
);
1228 ah_net_deflev
= IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev
);
1233 esp_trans_deflev
= IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev
);
1234 esp_net_deflev
= IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev
);
1235 ah_trans_deflev
= IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev
);
1236 ah_net_deflev
= IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev
);
1240 panic("key_get_reqlevel: unknown af %u",
1241 isr
->sp
->spidx
.src
.sa
.sa_family
);
1244 #undef IPSEC_CHECK_DEFAULT
1247 switch (isr
->level
) {
1248 case IPSEC_LEVEL_DEFAULT
:
1249 switch (isr
->saidx
.proto
) {
1251 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
)
1252 level
= esp_net_deflev
;
1254 level
= esp_trans_deflev
;
1257 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
)
1258 level
= ah_net_deflev
;
1260 level
= ah_trans_deflev
;
1262 case IPPROTO_IPCOMP
:
1264 * we don't really care, as IPcomp document says that
1265 * we shouldn't compress small packets
1267 level
= IPSEC_LEVEL_USE
;
1270 panic("ipsec_get_reqlevel: "
1271 "Illegal protocol defined %u\n",
1276 case IPSEC_LEVEL_USE
:
1277 case IPSEC_LEVEL_REQUIRE
:
1280 case IPSEC_LEVEL_UNIQUE
:
1281 level
= IPSEC_LEVEL_REQUIRE
;
1285 panic("ipsec_get_reqlevel: Illegal IPsec level %u\n",
1293 * Check security policy requirements against the actual
1294 * packet contents. Return one if the packet should be
1295 * reject as "invalid"; otherwiser return zero to have the
1296 * packet treated as "valid".
1303 ipsec_in_reject(struct secpolicy
*sp
, struct mbuf
*m
)
1305 struct ipsecrequest
*isr
;
1308 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
1309 kprintf("ipsec_in_reject: using SP\n");
1310 kdebug_secpolicy(sp
));
1313 switch (sp
->policy
) {
1314 case IPSEC_POLICY_DISCARD
:
1316 case IPSEC_POLICY_BYPASS
:
1317 case IPSEC_POLICY_NONE
:
1321 KASSERT(sp
->policy
== IPSEC_POLICY_IPSEC
,
1322 ("ipsec_in_reject: invalid policy %u", sp
->policy
));
1324 /* XXX should compare policy against ipsec header history */
1327 for (isr
= sp
->req
; isr
!= NULL
; isr
= isr
->next
) {
1328 if (ipsec_get_reqlevel(isr
) != IPSEC_LEVEL_REQUIRE
)
1330 switch (isr
->saidx
.proto
) {
1332 if ((m
->m_flags
& M_DECRYPTED
) == 0) {
1333 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1334 kprintf("ipsec_in_reject: ESP m_flags:%x\n",
1341 isr
->sav
->tdb_authalgxform
!= NULL
&&
1342 (m
->m_flags
& M_AUTHIPDGM
) == 0) {
1343 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1344 kprintf("ipsec_in_reject: ESP/AH m_flags:%x\n",
1351 if ((m
->m_flags
& M_AUTHIPHDR
) == 0) {
1352 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1353 kprintf("ipsec_in_reject: AH m_flags:%x\n",
1358 case IPPROTO_IPCOMP
:
1360 * we don't really care, as IPcomp document
1361 * says that we shouldn't compress small
1362 * packets, IPComp policy should always be
1363 * treated as being in "use" level.
1368 return 0; /* valid */
1372 * Check AH/ESP integrity.
1373 * This function is called from tcp_input(), udp_input(),
1374 * and {ah,esp}4_input for tunnel mode
1377 ipsec4_in_reject(struct mbuf
*m
, struct inpcb
*inp
)
1379 struct secpolicy
*sp
;
1383 KASSERT(m
!= NULL
, ("ipsec4_in_reject_so: null mbuf"));
1385 /* get SP for this packet.
1386 * When we are called from ip_forward(), we call
1387 * ipsec_getpolicybyaddr() with IP_FORWARDING flag.
1390 sp
= ipsec_getpolicybyaddr(m
, IPSEC_DIR_INBOUND
, IP_FORWARDING
, &error
);
1392 sp
= ipsec_getpolicybysock(m
, IPSEC_DIR_INBOUND
, inp
, &error
);
1395 result
= ipsec_in_reject(sp
, m
);
1397 newipsecstat
.ips_in_polvio
++;
1400 result
= 0; /* XXX should be panic ?
1401 * -> No, there may be error. */
1408 * Check AH/ESP integrity.
1409 * This function is called from tcp6_input(), udp6_input(),
1410 * and {ah,esp}6_input for tunnel mode
1413 ipsec6_in_reject(struct mbuf
*m
, struct inpcb
*inp
)
1415 struct secpolicy
*sp
= NULL
;
1421 return 0; /* XXX should be panic ? */
1423 /* get SP for this packet.
1424 * When we are called from ip_forward(), we call
1425 * ipsec_getpolicybyaddr() with IP_FORWARDING flag.
1428 sp
= ipsec_getpolicybyaddr(m
, IPSEC_DIR_INBOUND
, IP_FORWARDING
, &error
);
1430 sp
= ipsec_getpolicybysock(m
, IPSEC_DIR_INBOUND
, inp
, &error
);
1433 result
= ipsec_in_reject(sp
, m
);
1435 newipsecstat
.ips_in_polvio
++;
1445 * compute the byte size to be occupied by IPsec header.
1446 * in case it is tunneled, it includes the size of outer IP header.
1447 * NOTE: SP passed is free in this function.
1450 ipsec_hdrsiz(struct secpolicy
*sp
)
1452 struct ipsecrequest
*isr
;
1455 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
1456 kprintf("ipsec_hdrsiz: using SP\n");
1457 kdebug_secpolicy(sp
));
1459 switch (sp
->policy
) {
1460 case IPSEC_POLICY_DISCARD
:
1461 case IPSEC_POLICY_BYPASS
:
1462 case IPSEC_POLICY_NONE
:
1466 KASSERT(sp
->policy
== IPSEC_POLICY_IPSEC
,
1467 ("ipsec_hdrsiz: invalid policy %u", sp
->policy
));
1470 for (isr
= sp
->req
; isr
!= NULL
; isr
= isr
->next
) {
1473 switch (isr
->saidx
.proto
) {
1475 clen
= esp_hdrsiz(isr
->sav
);
1478 clen
= ah_hdrsiz(isr
->sav
);
1480 case IPPROTO_IPCOMP
:
1481 clen
= sizeof(struct ipcomp
);
1485 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
) {
1486 switch (isr
->saidx
.dst
.sa
.sa_family
) {
1488 clen
+= sizeof(struct ip
);
1492 clen
+= sizeof(struct ip6_hdr
);
1496 ipseclog((LOG_ERR
, "ipsec_hdrsiz: "
1497 "unknown AF %d in IPsec tunnel SA\n",
1498 ((struct sockaddr
*)&isr
->saidx
.dst
)->sa_family
));
1508 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1510 ipsec4_hdrsiz(struct mbuf
*m
, u_int dir
, struct inpcb
*inp
)
1512 struct secpolicy
*sp
;
1516 KASSERT(m
!= NULL
, ("ipsec4_hdrsiz: null mbuf"));
1517 KASSERT(inp
== NULL
|| inp
->inp_socket
!= NULL
,
1518 ("ipsec4_hdrsize: socket w/o inpcb"));
1520 /* get SP for this packet.
1521 * When we are called from ip_forward(), we call
1522 * ipsec_getpolicybyaddr() with IP_FORWARDING flag.
1525 sp
= ipsec_getpolicybyaddr(m
, dir
, IP_FORWARDING
, &error
);
1527 sp
= ipsec_getpolicybysock(m
, dir
, inp
, &error
);
1530 size
= ipsec_hdrsiz(sp
);
1531 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
1532 kprintf("ipsec4_hdrsiz: size:%lu.\n",
1533 (unsigned long)size
));
1537 size
= 0; /* XXX should be panic ? */
1543 /* This function is called from ipsec6_hdrsize_tcp(),
1544 * and maybe from ip6_forward.()
1547 ipsec6_hdrsiz(struct mbuf
*m
, u_int dir
, struct in6pcb
*in6p
)
1549 struct secpolicy
*sp
;
1553 KASSERT(m
!= NULL
, ("ipsec6_hdrsiz: null mbuf"));
1554 KASSERT(in6p
== NULL
|| in6p
->in6p_socket
!= NULL
,
1555 ("ipsec6_hdrsize: socket w/o inpcb"));
1557 /* get SP for this packet */
1558 /* XXX Is it right to call with IP_FORWARDING. */
1560 sp
= ipsec_getpolicybyaddr(m
, dir
, IP_FORWARDING
, &error
);
1562 sp
= ipsec_getpolicybysock(m
, dir
, in6p
, &error
);
1566 size
= ipsec_hdrsiz(sp
);
1567 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
1568 kprintf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size
));
1576 * Check the variable replay window.
1577 * ipsec_chkreplay() performs replay check before ICV verification.
1578 * ipsec_updatereplay() updates replay bitmap. This must be called after
1579 * ICV verification (it also performs replay check, which is usually done
1581 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
1583 * based on RFC 2401.
1586 ipsec_chkreplay(u_int32_t seq
, struct secasvar
*sav
)
1588 const struct secreplay
*replay
;
1591 u_int32_t wsizeb
; /* constant: bits of window size */
1592 int frlast
; /* constant: last frame */
1594 KASSERT(sav
!= NULL
, ("ipsec_chkreplay: Null SA"));
1595 KASSERT(sav
->replay
!= NULL
, ("ipsec_chkreplay: Null replay state"));
1597 replay
= sav
->replay
;
1599 if (replay
->wsize
== 0)
1600 return 1; /* no need to check replay. */
1603 frlast
= replay
->wsize
- 1;
1604 wsizeb
= replay
->wsize
<< 3;
1606 /* sequence number of 0 is invalid */
1610 /* first time is always okay */
1611 if (replay
->count
== 0)
1614 if (seq
> replay
->lastseq
) {
1615 /* larger sequences are okay */
1618 /* seq is equal or less than lastseq. */
1619 diff
= replay
->lastseq
- seq
;
1621 /* over range to check, i.e. too old or wrapped */
1625 fr
= frlast
- diff
/ 8;
1627 /* this packet already seen ? */
1628 if ((replay
->bitmap
)[fr
] & (1 << (diff
% 8)))
1631 /* out of order but good */
1637 * check replay counter whether to update or not.
1642 ipsec_updatereplay(u_int32_t seq
, struct secasvar
*sav
)
1644 struct secreplay
*replay
;
1647 u_int32_t wsizeb
; /* constant: bits of window size */
1648 int frlast
; /* constant: last frame */
1650 KASSERT(sav
!= NULL
, ("ipsec_updatereplay: Null SA"));
1651 KASSERT(sav
->replay
!= NULL
, ("ipsec_updatereplay: Null replay state"));
1653 replay
= sav
->replay
;
1655 if (replay
->wsize
== 0)
1656 goto ok
; /* no need to check replay. */
1659 frlast
= replay
->wsize
- 1;
1660 wsizeb
= replay
->wsize
<< 3;
1662 /* sequence number of 0 is invalid */
1667 if (replay
->count
== 0) {
1668 replay
->lastseq
= seq
;
1669 bzero(replay
->bitmap
, replay
->wsize
);
1670 (replay
->bitmap
)[frlast
] = 1;
1674 if (seq
> replay
->lastseq
) {
1675 /* seq is larger than lastseq. */
1676 diff
= seq
- replay
->lastseq
;
1678 /* new larger sequence number */
1679 if (diff
< wsizeb
) {
1681 /* set bit for this packet */
1682 vshiftl(replay
->bitmap
, diff
, replay
->wsize
);
1683 (replay
->bitmap
)[frlast
] |= 1;
1685 /* this packet has a "way larger" */
1686 bzero(replay
->bitmap
, replay
->wsize
);
1687 (replay
->bitmap
)[frlast
] = 1;
1689 replay
->lastseq
= seq
;
1691 /* larger is good */
1693 /* seq is equal or less than lastseq. */
1694 diff
= replay
->lastseq
- seq
;
1696 /* over range to check, i.e. too old or wrapped */
1700 fr
= frlast
- diff
/ 8;
1702 /* this packet already seen ? */
1703 if ((replay
->bitmap
)[fr
] & (1 << (diff
% 8)))
1707 (replay
->bitmap
)[fr
] |= (1 << (diff
% 8));
1709 /* out of order but good */
1713 if (replay
->count
== ~0) {
1715 /* set overflow flag */
1718 /* don't increment, no more packets accepted */
1719 if ((sav
->flags
& SADB_X_EXT_CYCSEQ
) == 0)
1722 ipseclog((LOG_WARNING
, "replay counter made %d cycle. %s\n",
1723 replay
->overflow
, ipsec_logsastr(sav
)));
1732 * shift variable length buffer to left.
1733 * IN: bitmap: pointer to the buffer
1734 * nbit: the number of to shift.
1735 * wsize: buffer size (bytes).
1738 vshiftl(unsigned char *bitmap
, int nbit
, int wsize
)
1743 for (j
= 0; j
< nbit
; j
+= 8) {
1744 s
= (nbit
- j
< 8) ? (nbit
- j
): 8;
1746 for (i
= 1; i
< wsize
; i
++) {
1747 over
= (bitmap
[i
] >> (8 - s
));
1749 bitmap
[i
-1] |= over
;
1756 /* Return a printable string for the address. */
1758 ipsec_address(union sockaddr_union
* sa
)
1760 switch (sa
->sa
.sa_family
) {
1763 return inet_ntoa(sa
->sin
.sin_addr
);
1768 return ip6_sprintf(&sa
->sin6
.sin6_addr
);
1772 return "(unknown address family)";
1777 ipsec_logsastr(struct secasvar
*sav
)
1779 static char buf
[256];
1781 struct secasindex
*saidx
= &sav
->sah
->saidx
;
1783 KASSERT(saidx
->src
.sa
.sa_family
== saidx
->dst
.sa
.sa_family
,
1784 ("ipsec_logsastr: address family mismatch"));
1787 ksnprintf(buf
, sizeof(buf
), "SA(SPI=%u ", (u_int32_t
)ntohl(sav
->spi
));
1790 /* NB: only use ipsec_address on one address at a time */
1791 ksnprintf(p
, sizeof (buf
) - (p
- buf
), "src=%s ",
1792 ipsec_address(&saidx
->src
));
1795 ksnprintf(p
, sizeof (buf
) - (p
- buf
), "dst=%s)",
1796 ipsec_address(&saidx
->dst
));
1802 ipsec_dumpmbuf(struct mbuf
*m
)
1811 p
= mtod(m
, u_char
*);
1812 for (i
= 0; i
< m
->m_len
; i
++) {
1813 kprintf("%02x ", p
[i
]);
1815 if (totlen
% 16 == 0)
1820 if (totlen
% 16 != 0)
1825 /* XXX this stuff doesn't belong here... */
1827 static struct xformsw
* xforms
= NULL
;
1830 * Register a transform; typically at system startup.
1833 xform_register(struct xformsw
* xsp
)
1835 xsp
->xf_next
= xforms
;
1840 * Initialize transform support in an sav.
1843 xform_init(struct secasvar
*sav
, int xftype
)
1845 struct xformsw
*xsp
;
1847 if (sav
->tdb_xform
!= NULL
) /* previously initialized */
1849 for (xsp
= xforms
; xsp
; xsp
= xsp
->xf_next
)
1850 if (xsp
->xf_type
== xftype
)
1851 return (*xsp
->xf_init
)(sav
, xsp
);