1 /* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.12 2003/05/06 06:46:58 suz Exp $ */
2 /* $DragonFly: src/sys/netinet6/ipsec.c,v 1.22 2008/05/27 01:10:43 dillon Exp $ */
3 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * IPsec controller part.
39 #include "opt_inet6.h"
40 #include "opt_ipsec.h"
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/malloc.h>
46 #include <sys/domain.h>
47 #include <sys/protosw.h>
48 #include <sys/socket.h>
49 #include <sys/socketvar.h>
50 #include <sys/errno.h>
52 #include <sys/kernel.h>
53 #include <sys/syslog.h>
54 #include <sys/sysctl.h>
56 #include <sys/in_cksum.h>
57 #include <sys/thread2.h>
60 #include <net/route.h>
62 #include <netinet/in.h>
63 #include <netinet/in_systm.h>
64 #include <netinet/ip.h>
65 #include <netinet/ip_var.h>
66 #include <netinet/in_var.h>
67 #include <netinet/udp.h>
68 #include <netinet/udp_var.h>
69 #include <netinet/ip_ecn.h>
71 #include <netinet6/ip6_ecn.h>
73 #include <netinet/tcp.h>
74 #include <netinet/udp.h>
76 #include <netinet/ip6.h>
78 #include <netinet6/ip6_var.h>
80 #include <netinet/in_pcb.h>
82 #include <netinet/icmp6.h>
85 #include <netinet6/ipsec.h>
87 #include <netinet6/ipsec6.h>
89 #include <netinet6/ah.h>
91 #include <netinet6/ah6.h>
94 #include <netinet6/esp.h>
96 #include <netinet6/esp6.h>
99 #include <netinet6/ipcomp.h>
101 #include <netinet6/ipcomp6.h>
103 #include <netproto/key/key.h>
104 #include <netproto/key/keydb.h>
105 #include <netproto/key/key_debug.h>
107 #include <net/net_osdep.h>
115 struct ipsecstat ipsecstat
;
116 int ip4_ah_cleartos
= 1;
117 int ip4_ah_offsetmask
= 0; /* maybe IP_DF? */
118 int ip4_ipsec_dfbit
= 0; /* DF bit on encap. 0: clear 1: set 2: copy */
119 int ip4_esp_trans_deflev
= IPSEC_LEVEL_USE
;
120 int ip4_esp_net_deflev
= IPSEC_LEVEL_USE
;
121 int ip4_ah_trans_deflev
= IPSEC_LEVEL_USE
;
122 int ip4_ah_net_deflev
= IPSEC_LEVEL_USE
;
123 struct secpolicy ip4_def_policy
;
124 int ip4_ipsec_ecn
= 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
125 int ip4_esp_randpad
= -1;
128 SYSCTL_DECL(_net_inet_ipsec
);
130 SYSCTL_DECL(_net_inet6_ipsec6
);
135 SYSCTL_STRUCT(_net_inet_ipsec
, IPSECCTL_STATS
,
136 stats
, CTLFLAG_RD
, &ipsecstat
, ipsecstat
, "");
137 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_POLICY
,
138 def_policy
, CTLFLAG_RW
, &ip4_def_policy
.policy
, 0, "");
139 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_ESP_TRANSLEV
, esp_trans_deflev
,
140 CTLFLAG_RW
, &ip4_esp_trans_deflev
, 0, "");
141 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_ESP_NETLEV
, esp_net_deflev
,
142 CTLFLAG_RW
, &ip4_esp_net_deflev
, 0, "");
143 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_AH_TRANSLEV
, ah_trans_deflev
,
144 CTLFLAG_RW
, &ip4_ah_trans_deflev
, 0, "");
145 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEF_AH_NETLEV
, ah_net_deflev
,
146 CTLFLAG_RW
, &ip4_ah_net_deflev
, 0, "");
147 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_AH_CLEARTOS
,
148 ah_cleartos
, CTLFLAG_RW
, &ip4_ah_cleartos
, 0, "");
149 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_AH_OFFSETMASK
,
150 ah_offsetmask
, CTLFLAG_RW
, &ip4_ah_offsetmask
, 0, "");
151 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DFBIT
,
152 dfbit
, CTLFLAG_RW
, &ip4_ipsec_dfbit
, 0, "");
153 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_ECN
,
154 ecn
, CTLFLAG_RW
, &ip4_ipsec_ecn
, 0, "");
155 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_DEBUG
,
156 debug
, CTLFLAG_RW
, &ipsec_debug
, 0, "");
157 SYSCTL_INT(_net_inet_ipsec
, IPSECCTL_ESP_RANDPAD
,
158 esp_randpad
, CTLFLAG_RW
, &ip4_esp_randpad
, 0, "");
161 struct ipsecstat ipsec6stat
;
162 int ip6_esp_trans_deflev
= IPSEC_LEVEL_USE
;
163 int ip6_esp_net_deflev
= IPSEC_LEVEL_USE
;
164 int ip6_ah_trans_deflev
= IPSEC_LEVEL_USE
;
165 int ip6_ah_net_deflev
= IPSEC_LEVEL_USE
;
166 struct secpolicy ip6_def_policy
;
167 int ip6_ipsec_ecn
= 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
168 int ip6_esp_randpad
= -1;
170 /* net.inet6.ipsec6 */
171 SYSCTL_STRUCT(_net_inet6_ipsec6
, IPSECCTL_STATS
,
172 stats
, CTLFLAG_RD
, &ipsec6stat
, ipsecstat
, "");
173 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_POLICY
,
174 def_policy
, CTLFLAG_RW
, &ip6_def_policy
.policy
, 0, "");
175 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_ESP_TRANSLEV
, esp_trans_deflev
,
176 CTLFLAG_RW
, &ip6_esp_trans_deflev
, 0, "");
177 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_ESP_NETLEV
, esp_net_deflev
,
178 CTLFLAG_RW
, &ip6_esp_net_deflev
, 0, "");
179 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_AH_TRANSLEV
, ah_trans_deflev
,
180 CTLFLAG_RW
, &ip6_ah_trans_deflev
, 0, "");
181 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEF_AH_NETLEV
, ah_net_deflev
,
182 CTLFLAG_RW
, &ip6_ah_net_deflev
, 0, "");
183 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_ECN
,
184 ecn
, CTLFLAG_RW
, &ip6_ipsec_ecn
, 0, "");
185 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_DEBUG
,
186 debug
, CTLFLAG_RW
, &ipsec_debug
, 0, "");
187 SYSCTL_INT(_net_inet6_ipsec6
, IPSECCTL_ESP_RANDPAD
,
188 esp_randpad
, CTLFLAG_RW
, &ip6_esp_randpad
, 0, "");
191 static int ipsec_setspidx_mbuf
192 (struct secpolicyindex
*, u_int
, u_int
, struct mbuf
*, int);
193 static int ipsec4_setspidx_inpcb (struct mbuf
*, struct inpcb
*pcb
);
195 static int ipsec6_setspidx_in6pcb (struct mbuf
*, struct in6pcb
*pcb
);
197 static int ipsec_setspidx (struct mbuf
*, struct secpolicyindex
*, int);
198 static void ipsec4_get_ulp (struct mbuf
*m
, struct secpolicyindex
*, int);
199 static int ipsec4_setspidx_ipaddr (struct mbuf
*, struct secpolicyindex
*);
201 static void ipsec6_get_ulp (struct mbuf
*m
, struct secpolicyindex
*, int);
202 static int ipsec6_setspidx_ipaddr (struct mbuf
*, struct secpolicyindex
*);
204 static struct inpcbpolicy
*ipsec_newpcbpolicy (void);
205 static void ipsec_delpcbpolicy (struct inpcbpolicy
*);
206 static struct secpolicy
*ipsec_deepcopy_policy (struct secpolicy
*src
);
207 static int ipsec_set_policy (struct secpolicy
**pcb_sp
,
208 int optname
, caddr_t request
, size_t len
, int priv
);
209 static int ipsec_get_policy (struct secpolicy
*pcb_sp
, struct mbuf
**mp
);
210 static void vshiftl (unsigned char *, int, int);
211 static int ipsec_in_reject (struct secpolicy
*, struct mbuf
*);
212 static size_t ipsec_hdrsiz (struct secpolicy
*);
214 static struct mbuf
*ipsec4_splithdr (struct mbuf
*);
217 static struct mbuf
*ipsec6_splithdr (struct mbuf
*);
220 static int ipsec4_encapsulate (struct mbuf
*, struct secasvar
*);
223 static int ipsec6_encapsulate (struct mbuf
*, struct secasvar
*);
227 * For OUTBOUND packet having a socket. Searching SPD for packet,
228 * and return a pointer to SP.
229 * OUT: NULL: no apropreate SP found, the following value is set to error.
231 * EACCES : discard packet.
232 * ENOENT : ipsec_acquire() in progress, maybe.
233 * others : error occured.
234 * others: a pointer to SP
236 * NOTE: IPv6 mapped adddress concern is implemented here.
239 ipsec4_getpolicybysock(struct mbuf
*m
, u_int dir
, struct socket
*so
, int *error
)
241 struct inpcbpolicy
*pcbsp
= NULL
;
242 struct secpolicy
*currsp
= NULL
; /* policy on socket */
243 struct secpolicy
*kernsp
= NULL
; /* policy on kernel */
246 if (m
== NULL
|| so
== NULL
|| error
== NULL
)
247 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
249 switch (so
->so_proto
->pr_domain
->dom_family
) {
251 /* set spidx in pcb */
252 *error
= ipsec4_setspidx_inpcb(m
, so
->so_pcb
);
256 /* set spidx in pcb */
257 *error
= ipsec6_setspidx_in6pcb(m
, so
->so_pcb
);
261 panic("ipsec4_getpolicybysock: unsupported address family\n");
265 switch (so
->so_proto
->pr_domain
->dom_family
) {
267 pcbsp
= sotoinpcb(so
)->inp_sp
;
271 pcbsp
= sotoin6pcb(so
)->in6p_sp
;
278 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
281 case IPSEC_DIR_INBOUND
:
282 currsp
= pcbsp
->sp_in
;
284 case IPSEC_DIR_OUTBOUND
:
285 currsp
= pcbsp
->sp_out
;
288 panic("ipsec4_getpolicybysock: illegal direction.");
293 panic("ipsec4_getpolicybysock: currsp is NULL.");
295 lwkt_gettoken(&key_token
);
297 /* when privilieged socket */
299 switch (currsp
->policy
) {
300 case IPSEC_POLICY_BYPASS
:
303 lwkt_reltoken(&key_token
);
306 case IPSEC_POLICY_ENTRUST
:
307 /* look for a policy in SPD */
308 kernsp
= key_allocsp(&currsp
->spidx
, dir
);
311 if (kernsp
!= NULL
) {
312 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
313 kprintf("DP ipsec4_getpolicybysock called "
314 "to allocate SP:%p\n", kernsp
));
316 lwkt_reltoken(&key_token
);
321 if (ip4_def_policy
.policy
!= IPSEC_POLICY_DISCARD
322 && ip4_def_policy
.policy
!= IPSEC_POLICY_NONE
) {
324 "fixed system default policy: %d->%d\n",
325 ip4_def_policy
.policy
, IPSEC_POLICY_NONE
));
326 ip4_def_policy
.policy
= IPSEC_POLICY_NONE
;
328 ip4_def_policy
.refcnt
++;
330 lwkt_reltoken(&key_token
);
331 return &ip4_def_policy
;
333 case IPSEC_POLICY_IPSEC
:
336 lwkt_reltoken(&key_token
);
340 ipseclog((LOG_ERR
, "ipsec4_getpolicybysock: "
341 "Invalid policy for PCB %d\n", currsp
->policy
));
343 lwkt_reltoken(&key_token
);
349 /* when non-privilieged socket */
350 /* look for a policy in SPD */
351 kernsp
= key_allocsp(&currsp
->spidx
, dir
);
354 if (kernsp
!= NULL
) {
355 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
356 kprintf("DP ipsec4_getpolicybysock called "
357 "to allocate SP:%p\n", kernsp
));
359 lwkt_reltoken(&key_token
);
364 switch (currsp
->policy
) {
365 case IPSEC_POLICY_BYPASS
:
366 ipseclog((LOG_ERR
, "ipsec4_getpolicybysock: "
367 "Illegal policy for non-priviliged defined %d\n",
370 lwkt_reltoken(&key_token
);
373 case IPSEC_POLICY_ENTRUST
:
374 if (ip4_def_policy
.policy
!= IPSEC_POLICY_DISCARD
375 && ip4_def_policy
.policy
!= IPSEC_POLICY_NONE
) {
377 "fixed system default policy: %d->%d\n",
378 ip4_def_policy
.policy
, IPSEC_POLICY_NONE
));
379 ip4_def_policy
.policy
= IPSEC_POLICY_NONE
;
381 ip4_def_policy
.refcnt
++;
383 lwkt_reltoken(&key_token
);
384 return &ip4_def_policy
;
386 case IPSEC_POLICY_IPSEC
:
389 lwkt_reltoken(&key_token
);
393 ipseclog((LOG_ERR
, "ipsec4_getpolicybysock: "
394 "Invalid policy for PCB %d\n", currsp
->policy
));
396 lwkt_reltoken(&key_token
);
403 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
404 * and return a pointer to SP.
405 * OUT: positive: a pointer to the entry for security policy leaf matched.
406 * NULL: no apropreate SP found, the following value is set to error.
408 * EACCES : discard packet.
409 * ENOENT : ipsec_acquire() in progress, maybe.
410 * others : error occured.
413 ipsec4_getpolicybyaddr(struct mbuf
*m
, u_int dir
, int flag
, int *error
)
415 struct secpolicy
*sp
= NULL
;
416 struct secpolicyindex spidx
;
419 if (m
== NULL
|| error
== NULL
)
420 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
422 bzero(&spidx
, sizeof(spidx
));
424 /* make a index to look for a policy */
425 *error
= ipsec_setspidx_mbuf(&spidx
, dir
, AF_INET
, m
,
426 (flag
& IP_FORWARDING
) ? 0 : 1);
431 lwkt_gettoken(&key_token
);
432 sp
= key_allocsp(&spidx
, dir
);
436 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
437 kprintf("DP ipsec4_getpolicybyaddr called "
438 "to allocate SP:%p\n", sp
));
440 lwkt_reltoken(&key_token
);
445 if (ip4_def_policy
.policy
!= IPSEC_POLICY_DISCARD
446 && ip4_def_policy
.policy
!= IPSEC_POLICY_NONE
) {
447 ipseclog((LOG_INFO
, "fixed system default policy:%d->%d\n",
448 ip4_def_policy
.policy
,
450 ip4_def_policy
.policy
= IPSEC_POLICY_NONE
;
452 ip4_def_policy
.refcnt
++;
454 lwkt_reltoken(&key_token
);
455 return &ip4_def_policy
;
460 * For OUTBOUND packet having a socket. Searching SPD for packet,
461 * and return a pointer to SP.
462 * OUT: NULL: no apropreate SP found, the following value is set to error.
464 * EACCES : discard packet.
465 * ENOENT : ipsec_acquire() in progress, maybe.
466 * others : error occured.
467 * others: a pointer to SP
470 ipsec6_getpolicybysock(struct mbuf
*m
, u_int dir
, struct socket
*so
, int *error
)
472 struct inpcbpolicy
*pcbsp
= NULL
;
473 struct secpolicy
*currsp
= NULL
; /* policy on socket */
474 struct secpolicy
*kernsp
= NULL
; /* policy on kernel */
477 if (m
== NULL
|| so
== NULL
|| error
== NULL
)
478 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
481 if (so
->so_proto
->pr_domain
->dom_family
!= AF_INET6
)
482 panic("ipsec6_getpolicybysock: socket domain != inet6");
485 lwkt_gettoken(&key_token
);
487 /* set spidx in pcb */
488 ipsec6_setspidx_in6pcb(m
, so
->so_pcb
);
489 pcbsp
= sotoin6pcb(so
)->in6p_sp
;
493 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
496 case IPSEC_DIR_INBOUND
:
497 currsp
= pcbsp
->sp_in
;
499 case IPSEC_DIR_OUTBOUND
:
500 currsp
= pcbsp
->sp_out
;
503 panic("ipsec6_getpolicybysock: illegal direction.");
508 panic("ipsec6_getpolicybysock: currsp is NULL.");
510 /* when privilieged socket */
512 switch (currsp
->policy
) {
513 case IPSEC_POLICY_BYPASS
:
517 case IPSEC_POLICY_ENTRUST
:
518 /* look for a policy in SPD */
519 kernsp
= key_allocsp(&currsp
->spidx
, dir
);
522 if (kernsp
!= NULL
) {
523 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
524 kprintf("DP ipsec6_getpolicybysock called "
525 "to allocate SP:%p\n", kernsp
));
532 if (ip6_def_policy
.policy
!= IPSEC_POLICY_DISCARD
533 && ip6_def_policy
.policy
!= IPSEC_POLICY_NONE
) {
535 "fixed system default policy: %d->%d\n",
536 ip6_def_policy
.policy
, IPSEC_POLICY_NONE
));
537 ip6_def_policy
.policy
= IPSEC_POLICY_NONE
;
539 currsp
= &ip6_def_policy
;
543 case IPSEC_POLICY_IPSEC
:
548 ipseclog((LOG_ERR
, "ipsec6_getpolicybysock: "
549 "Invalid policy for PCB %d\n", currsp
->policy
));
551 lwkt_reltoken(&key_token
);
555 lwkt_reltoken(&key_token
);
560 /* when non-privilieged socket */
561 /* look for a policy in SPD */
562 kernsp
= key_allocsp(&currsp
->spidx
, dir
);
565 if (kernsp
!= NULL
) {
566 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
567 kprintf("DP ipsec6_getpolicybysock called "
568 "to allocate SP:%p\n", kernsp
));
570 lwkt_reltoken(&key_token
);
575 switch (currsp
->policy
) {
576 case IPSEC_POLICY_BYPASS
:
577 ipseclog((LOG_ERR
, "ipsec6_getpolicybysock: "
578 "Illegal policy for non-priviliged defined %d\n",
583 case IPSEC_POLICY_ENTRUST
:
584 if (ip6_def_policy
.policy
!= IPSEC_POLICY_DISCARD
585 && ip6_def_policy
.policy
!= IPSEC_POLICY_NONE
) {
587 "fixed system default policy: %d->%d\n",
588 ip6_def_policy
.policy
, IPSEC_POLICY_NONE
));
589 ip6_def_policy
.policy
= IPSEC_POLICY_NONE
;
591 currsp
= &ip6_def_policy
;
595 case IPSEC_POLICY_IPSEC
:
601 "ipsec6_policybysock: Invalid policy for PCB %d\n",
607 lwkt_reltoken(&key_token
);
612 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
613 * and return a pointer to SP.
614 * `flag' means that packet is to be forwarded whether or not.
616 * OUT: positive: a pointer to the entry for security policy leaf matched.
617 * NULL: no apropreate SP found, the following value is set to error.
619 * EACCES : discard packet.
620 * ENOENT : ipsec_acquire() in progress, maybe.
621 * others : error occured.
623 #ifndef IP_FORWARDING
624 #define IP_FORWARDING 1
628 ipsec6_getpolicybyaddr(struct mbuf
*m
, u_int dir
, int flag
, int *error
)
630 struct secpolicy
*sp
= NULL
;
631 struct secpolicyindex spidx
;
634 if (m
== NULL
|| error
== NULL
)
635 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
636 bzero(&spidx
, sizeof(spidx
));
638 lwkt_gettoken(&key_token
);
640 /* make a index to look for a policy */
641 *error
= ipsec_setspidx_mbuf(&spidx
, dir
, AF_INET6
, m
,
642 (flag
& IP_FORWARDING
) ? 0 : 1);
644 lwkt_reltoken(&key_token
);
648 sp
= key_allocsp(&spidx
, dir
);
652 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
653 kprintf("DP ipsec6_getpolicybyaddr called "
654 "to allocate SP:%p\n", sp
));
656 lwkt_reltoken(&key_token
);
661 if (ip6_def_policy
.policy
!= IPSEC_POLICY_DISCARD
662 && ip6_def_policy
.policy
!= IPSEC_POLICY_NONE
) {
663 ipseclog((LOG_INFO
, "fixed system default policy: %d->%d\n",
664 ip6_def_policy
.policy
, IPSEC_POLICY_NONE
));
665 ip6_def_policy
.policy
= IPSEC_POLICY_NONE
;
667 sp
= &ip6_def_policy
;
670 lwkt_reltoken(&key_token
);
677 * set IP address into spidx from mbuf.
678 * When Forwarding packet and ICMP echo reply, this function is used.
680 * IN: get the followings from mbuf.
681 * protocol family, src, dst, next protocol
684 * other: failure, and set errno.
687 ipsec_setspidx_mbuf(struct secpolicyindex
*spidx
, u_int dir
, u_int family
,
688 struct mbuf
*m
, int needport
)
693 if (spidx
== NULL
|| m
== NULL
)
694 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
696 bzero(spidx
, sizeof(*spidx
));
698 error
= ipsec_setspidx(m
, spidx
, needport
);
707 bzero(spidx
, sizeof(*spidx
));
712 ipsec4_setspidx_inpcb(struct mbuf
*m
, struct inpcb
*pcb
)
714 struct secpolicyindex
*spidx
;
719 panic("ipsec4_setspidx_inpcb: no PCB found.");
720 if (pcb
->inp_sp
== NULL
)
721 panic("ipsec4_setspidx_inpcb: no inp_sp found.");
722 if (pcb
->inp_sp
->sp_out
== NULL
|| pcb
->inp_sp
->sp_in
== NULL
)
723 panic("ipsec4_setspidx_inpcb: no sp_in/out found.");
725 bzero(&pcb
->inp_sp
->sp_in
->spidx
, sizeof(*spidx
));
726 bzero(&pcb
->inp_sp
->sp_out
->spidx
, sizeof(*spidx
));
728 spidx
= &pcb
->inp_sp
->sp_in
->spidx
;
729 error
= ipsec_setspidx(m
, spidx
, 1);
732 spidx
->dir
= IPSEC_DIR_INBOUND
;
734 spidx
= &pcb
->inp_sp
->sp_out
->spidx
;
735 error
= ipsec_setspidx(m
, spidx
, 1);
738 spidx
->dir
= IPSEC_DIR_OUTBOUND
;
743 bzero(&pcb
->inp_sp
->sp_in
->spidx
, sizeof(*spidx
));
744 bzero(&pcb
->inp_sp
->sp_out
->spidx
, sizeof(*spidx
));
750 ipsec6_setspidx_in6pcb(struct mbuf
*m
, struct in6pcb
*pcb
)
752 struct secpolicyindex
*spidx
;
757 panic("ipsec6_setspidx_in6pcb: no PCB found.");
758 if (pcb
->in6p_sp
== NULL
)
759 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.");
760 if (pcb
->in6p_sp
->sp_out
== NULL
|| pcb
->in6p_sp
->sp_in
== NULL
)
761 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.");
763 bzero(&pcb
->in6p_sp
->sp_in
->spidx
, sizeof(*spidx
));
764 bzero(&pcb
->in6p_sp
->sp_out
->spidx
, sizeof(*spidx
));
766 spidx
= &pcb
->in6p_sp
->sp_in
->spidx
;
767 error
= ipsec_setspidx(m
, spidx
, 1);
770 spidx
->dir
= IPSEC_DIR_INBOUND
;
772 spidx
= &pcb
->in6p_sp
->sp_out
->spidx
;
773 error
= ipsec_setspidx(m
, spidx
, 1);
776 spidx
->dir
= IPSEC_DIR_OUTBOUND
;
781 bzero(&pcb
->in6p_sp
->sp_in
->spidx
, sizeof(*spidx
));
782 bzero(&pcb
->in6p_sp
->sp_out
->spidx
, sizeof(*spidx
));
788 * configure security policy index (src/dst/proto/sport/dport)
789 * by looking at the content of mbuf.
790 * the caller is responsible for error recovery (like clearing up spidx).
793 ipsec_setspidx(struct mbuf
*m
, struct secpolicyindex
*spidx
, int needport
)
795 struct ip
*ip
= NULL
;
803 panic("ipsec_setspidx: m == 0 passed.");
806 * validate m->m_pkthdr.len. we see incorrect length if we
807 * mistakenly call this function with inconsistent mbuf chain
808 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
811 for (n
= m
; n
; n
= n
->m_next
)
813 if (m
->m_pkthdr
.len
!= len
) {
814 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
815 kprintf("ipsec_setspidx: "
816 "total of m_len(%d) != pkthdr.len(%d), "
818 len
, m
->m_pkthdr
.len
));
822 if (m
->m_pkthdr
.len
< sizeof(struct ip
)) {
823 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
824 kprintf("ipsec_setspidx: "
825 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
830 if (m
->m_len
>= sizeof(*ip
))
831 ip
= mtod(m
, struct ip
*);
833 m_copydata(m
, 0, sizeof(ipbuf
), (caddr_t
)&ipbuf
);
837 v
= _IP_VHL_V(ip
->ip_vhl
);
843 error
= ipsec4_setspidx_ipaddr(m
, spidx
);
846 ipsec4_get_ulp(m
, spidx
, needport
);
850 if (m
->m_pkthdr
.len
< sizeof(struct ip6_hdr
)) {
851 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
852 kprintf("ipsec_setspidx: "
853 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
854 "ignored.\n", m
->m_pkthdr
.len
));
857 error
= ipsec6_setspidx_ipaddr(m
, spidx
);
860 ipsec6_get_ulp(m
, spidx
, needport
);
864 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
865 kprintf("ipsec_setspidx: "
866 "unknown IP version %u, ignored.\n", v
));
872 ipsec4_get_ulp(struct mbuf
*m
, struct secpolicyindex
*spidx
, int needport
)
883 panic("ipsec4_get_ulp: NULL pointer was passed.");
884 if (m
->m_pkthdr
.len
< sizeof(ip
))
885 panic("ipsec4_get_ulp: too short");
888 spidx
->ul_proto
= IPSEC_ULPROTO_ANY
;
889 ((struct sockaddr_in
*)&spidx
->src
)->sin_port
= IPSEC_PORT_ANY
;
890 ((struct sockaddr_in
*)&spidx
->dst
)->sin_port
= IPSEC_PORT_ANY
;
892 m_copydata(m
, 0, sizeof(ip
), (caddr_t
)&ip
);
893 /* ip_input() flips it into host endian XXX need more checking */
894 if (ip
.ip_off
& (IP_MF
| IP_OFFMASK
))
899 off
= _IP_VHL_HL(ip
->ip_vhl
) << 2;
903 while (off
< m
->m_pkthdr
.len
) {
906 spidx
->ul_proto
= nxt
;
909 if (off
+ sizeof(struct tcphdr
) > m
->m_pkthdr
.len
)
911 m_copydata(m
, off
, sizeof(th
), (caddr_t
)&th
);
912 ((struct sockaddr_in
*)&spidx
->src
)->sin_port
=
914 ((struct sockaddr_in
*)&spidx
->dst
)->sin_port
=
918 spidx
->ul_proto
= nxt
;
921 if (off
+ sizeof(struct udphdr
) > m
->m_pkthdr
.len
)
923 m_copydata(m
, off
, sizeof(uh
), (caddr_t
)&uh
);
924 ((struct sockaddr_in
*)&spidx
->src
)->sin_port
=
926 ((struct sockaddr_in
*)&spidx
->dst
)->sin_port
=
930 if (off
+ sizeof(ip6e
) > m
->m_pkthdr
.len
)
932 m_copydata(m
, off
, sizeof(ip6e
), (caddr_t
)&ip6e
);
933 off
+= (ip6e
.ip6e_len
+ 2) << 2;
938 /* XXX intermediate headers??? */
939 spidx
->ul_proto
= nxt
;
945 /* assumes that m is sane */
947 ipsec4_setspidx_ipaddr(struct mbuf
*m
, struct secpolicyindex
*spidx
)
949 struct ip
*ip
= NULL
;
951 struct sockaddr_in
*sin
;
953 if (m
->m_len
>= sizeof(*ip
))
954 ip
= mtod(m
, struct ip
*);
956 m_copydata(m
, 0, sizeof(ipbuf
), (caddr_t
)&ipbuf
);
960 sin
= (struct sockaddr_in
*)&spidx
->src
;
961 bzero(sin
, sizeof(*sin
));
962 sin
->sin_family
= AF_INET
;
963 sin
->sin_len
= sizeof(struct sockaddr_in
);
964 bcopy(&ip
->ip_src
, &sin
->sin_addr
, sizeof(ip
->ip_src
));
965 spidx
->prefs
= sizeof(struct in_addr
) << 3;
967 sin
= (struct sockaddr_in
*)&spidx
->dst
;
968 bzero(sin
, sizeof(*sin
));
969 sin
->sin_family
= AF_INET
;
970 sin
->sin_len
= sizeof(struct sockaddr_in
);
971 bcopy(&ip
->ip_dst
, &sin
->sin_addr
, sizeof(ip
->ip_dst
));
972 spidx
->prefd
= sizeof(struct in_addr
) << 3;
978 ipsec6_get_ulp(struct mbuf
*m
, struct secpolicyindex
*spidx
, int needport
)
986 panic("ipsec6_get_ulp: NULL pointer was passed.");
988 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
989 kprintf("ipsec6_get_ulp:\n"); kdebug_mbuf(m
));
992 spidx
->ul_proto
= IPSEC_ULPROTO_ANY
;
993 ((struct sockaddr_in6
*)&spidx
->src
)->sin6_port
= IPSEC_PORT_ANY
;
994 ((struct sockaddr_in6
*)&spidx
->dst
)->sin6_port
= IPSEC_PORT_ANY
;
997 off
= ip6_lasthdr(m
, 0, IPPROTO_IPV6
, &nxt
);
998 if (off
< 0 || m
->m_pkthdr
.len
< off
)
1003 spidx
->ul_proto
= nxt
;
1006 if (off
+ sizeof(struct tcphdr
) > m
->m_pkthdr
.len
)
1008 m_copydata(m
, off
, sizeof(th
), (caddr_t
)&th
);
1009 ((struct sockaddr_in6
*)&spidx
->src
)->sin6_port
= th
.th_sport
;
1010 ((struct sockaddr_in6
*)&spidx
->dst
)->sin6_port
= th
.th_dport
;
1013 spidx
->ul_proto
= nxt
;
1016 if (off
+ sizeof(struct udphdr
) > m
->m_pkthdr
.len
)
1018 m_copydata(m
, off
, sizeof(uh
), (caddr_t
)&uh
);
1019 ((struct sockaddr_in6
*)&spidx
->src
)->sin6_port
= uh
.uh_sport
;
1020 ((struct sockaddr_in6
*)&spidx
->dst
)->sin6_port
= uh
.uh_dport
;
1022 case IPPROTO_ICMPV6
:
1024 /* XXX intermediate headers??? */
1025 spidx
->ul_proto
= nxt
;
1030 /* assumes that m is sane */
1032 ipsec6_setspidx_ipaddr(struct mbuf
*m
, struct secpolicyindex
*spidx
)
1034 struct ip6_hdr
*ip6
= NULL
;
1035 struct ip6_hdr ip6buf
;
1036 struct sockaddr_in6
*sin6
;
1038 if (m
->m_len
>= sizeof(*ip6
))
1039 ip6
= mtod(m
, struct ip6_hdr
*);
1041 m_copydata(m
, 0, sizeof(ip6buf
), (caddr_t
)&ip6buf
);
1045 sin6
= (struct sockaddr_in6
*)&spidx
->src
;
1046 bzero(sin6
, sizeof(*sin6
));
1047 sin6
->sin6_family
= AF_INET6
;
1048 sin6
->sin6_len
= sizeof(struct sockaddr_in6
);
1049 bcopy(&ip6
->ip6_src
, &sin6
->sin6_addr
, sizeof(ip6
->ip6_src
));
1050 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_src
)) {
1051 sin6
->sin6_addr
.s6_addr16
[1] = 0;
1052 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_src
.s6_addr16
[1]);
1054 spidx
->prefs
= sizeof(struct in6_addr
) << 3;
1056 sin6
= (struct sockaddr_in6
*)&spidx
->dst
;
1057 bzero(sin6
, sizeof(*sin6
));
1058 sin6
->sin6_family
= AF_INET6
;
1059 sin6
->sin6_len
= sizeof(struct sockaddr_in6
);
1060 bcopy(&ip6
->ip6_dst
, &sin6
->sin6_addr
, sizeof(ip6
->ip6_dst
));
1061 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_dst
)) {
1062 sin6
->sin6_addr
.s6_addr16
[1] = 0;
1063 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_dst
.s6_addr16
[1]);
1065 spidx
->prefd
= sizeof(struct in6_addr
) << 3;
1071 static struct inpcbpolicy
*
1072 ipsec_newpcbpolicy(void)
1074 struct inpcbpolicy
*p
;
1076 p
= (struct inpcbpolicy
*)kmalloc(sizeof(*p
), M_SECA
, M_NOWAIT
);
1081 ipsec_delpcbpolicy(struct inpcbpolicy
*p
)
1086 /* initialize policy in PCB */
1088 ipsec_init_policy(struct socket
*so
, struct inpcbpolicy
**pcb_sp
)
1090 struct inpcbpolicy
*new;
1093 if (so
== NULL
|| pcb_sp
== NULL
)
1094 panic("ipsec_init_policy: NULL pointer was passed.");
1096 lwkt_gettoken(&key_token
);
1098 new = ipsec_newpcbpolicy();
1100 ipseclog((LOG_DEBUG
, "ipsec_init_policy: No more memory.\n"));
1101 lwkt_reltoken(&key_token
);
1104 bzero(new, sizeof(*new));
1106 if (so
->so_cred
!= 0 && so
->so_cred
->cr_uid
== 0)
1111 if ((new->sp_in
= key_newsp()) == NULL
) {
1112 ipsec_delpcbpolicy(new);
1113 lwkt_reltoken(&key_token
);
1116 new->sp_in
->state
= IPSEC_SPSTATE_ALIVE
;
1117 new->sp_in
->policy
= IPSEC_POLICY_ENTRUST
;
1119 if ((new->sp_out
= key_newsp()) == NULL
) {
1120 key_freesp(new->sp_in
);
1121 ipsec_delpcbpolicy(new);
1122 lwkt_reltoken(&key_token
);
1125 new->sp_out
->state
= IPSEC_SPSTATE_ALIVE
;
1126 new->sp_out
->policy
= IPSEC_POLICY_ENTRUST
;
1129 lwkt_reltoken(&key_token
);
1134 /* copy old ipsec policy into new */
1136 ipsec_copy_policy(struct inpcbpolicy
*old
, struct inpcbpolicy
*new)
1138 struct secpolicy
*sp
;
1140 lwkt_gettoken(&key_token
);
1141 sp
= ipsec_deepcopy_policy(old
->sp_in
);
1143 key_freesp(new->sp_in
);
1146 lwkt_reltoken(&key_token
);
1150 sp
= ipsec_deepcopy_policy(old
->sp_out
);
1152 key_freesp(new->sp_out
);
1155 lwkt_reltoken(&key_token
);
1159 new->priv
= old
->priv
;
1160 lwkt_reltoken(&key_token
);
1165 /* deep-copy a policy in PCB */
1166 static struct secpolicy
*
1167 ipsec_deepcopy_policy(struct secpolicy
*src
)
1169 struct ipsecrequest
*newchain
= NULL
;
1170 struct ipsecrequest
*p
;
1171 struct ipsecrequest
**q
;
1172 struct ipsecrequest
*r
;
1173 struct secpolicy
*dst
;
1175 lwkt_gettoken(&key_token
);
1177 if (src
== NULL
|| dst
== NULL
) {
1178 lwkt_reltoken(&key_token
);
1183 * deep-copy IPsec request chain. This is required since struct
1184 * ipsecrequest is not reference counted.
1187 for (p
= src
->req
; p
; p
= p
->next
) {
1188 *q
= (struct ipsecrequest
*)kmalloc(sizeof(struct ipsecrequest
),
1189 M_SECA
, M_NOWAIT
| M_ZERO
);
1194 (*q
)->saidx
.proto
= p
->saidx
.proto
;
1195 (*q
)->saidx
.mode
= p
->saidx
.mode
;
1196 (*q
)->level
= p
->level
;
1197 (*q
)->saidx
.reqid
= p
->saidx
.reqid
;
1199 bcopy(&p
->saidx
.src
, &(*q
)->saidx
.src
, sizeof((*q
)->saidx
.src
));
1200 bcopy(&p
->saidx
.dst
, &(*q
)->saidx
.dst
, sizeof((*q
)->saidx
.dst
));
1208 dst
->req
= newchain
;
1209 dst
->state
= src
->state
;
1210 dst
->policy
= src
->policy
;
1211 /* do not touch the refcnt fields */
1212 lwkt_reltoken(&key_token
);
1217 lwkt_reltoken(&key_token
);
1218 for (p
= newchain
; p
; p
= r
) {
1226 /* set policy and ipsec request if present. */
1228 ipsec_set_policy(struct secpolicy
**pcb_sp
, int optname
, caddr_t request
,
1229 size_t len
, int priv
)
1231 struct sadb_x_policy
*xpl
;
1232 struct secpolicy
*newsp
= NULL
;
1236 if (pcb_sp
== NULL
|| *pcb_sp
== NULL
|| request
== NULL
)
1238 if (len
< sizeof(*xpl
))
1240 xpl
= (struct sadb_x_policy
*)request
;
1242 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1243 kprintf("ipsec_set_policy: passed policy\n");
1244 kdebug_sadb_x_policy((struct sadb_ext
*)xpl
));
1246 /* check policy type */
1247 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1248 if (xpl
->sadb_x_policy_type
== IPSEC_POLICY_DISCARD
1249 || xpl
->sadb_x_policy_type
== IPSEC_POLICY_NONE
)
1252 /* check privileged socket */
1253 if (priv
== 0 && xpl
->sadb_x_policy_type
== IPSEC_POLICY_BYPASS
)
1256 /* allocation new SP entry */
1257 if ((newsp
= key_msg2sp(xpl
, len
, &error
)) == NULL
)
1260 newsp
->state
= IPSEC_SPSTATE_ALIVE
;
1262 /* clear old SP and set new SP */
1263 key_freesp(*pcb_sp
);
1265 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1266 kprintf("ipsec_set_policy: new policy\n");
1267 kdebug_secpolicy(newsp
));
1273 ipsec_get_policy(struct secpolicy
*pcb_sp
, struct mbuf
**mp
)
1277 if (pcb_sp
== NULL
|| mp
== NULL
)
1280 *mp
= key_sp2msg(pcb_sp
);
1282 ipseclog((LOG_DEBUG
, "ipsec_get_policy: No more memory.\n"));
1286 KKASSERT((*mp
)->m_type
== MT_DATA
);
1287 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1288 kprintf("ipsec_get_policy:\n");
1295 ipsec4_set_policy(struct inpcb
*inp
, int optname
, caddr_t request
, size_t len
,
1298 struct sadb_x_policy
*xpl
;
1299 struct secpolicy
**pcb_sp
;
1303 if (inp
== NULL
|| request
== NULL
)
1305 if (len
< sizeof(*xpl
))
1307 xpl
= (struct sadb_x_policy
*)request
;
1309 lwkt_gettoken(&key_token
);
1310 /* select direction */
1311 switch (xpl
->sadb_x_policy_dir
) {
1312 case IPSEC_DIR_INBOUND
:
1313 pcb_sp
= &inp
->inp_sp
->sp_in
;
1315 case IPSEC_DIR_OUTBOUND
:
1316 pcb_sp
= &inp
->inp_sp
->sp_out
;
1319 ipseclog((LOG_ERR
, "ipsec4_set_policy: invalid direction=%u\n",
1320 xpl
->sadb_x_policy_dir
));
1321 lwkt_reltoken(&key_token
);
1324 error
= ipsec_set_policy(pcb_sp
, optname
, request
, len
, priv
);
1325 lwkt_reltoken(&key_token
);
1330 ipsec4_get_policy(struct inpcb
*inp
, caddr_t request
, size_t len
,
1333 struct sadb_x_policy
*xpl
;
1334 struct secpolicy
*pcb_sp
;
1338 if (inp
== NULL
|| request
== NULL
|| mp
== NULL
)
1340 if (inp
->inp_sp
== NULL
)
1341 panic("policy in PCB is NULL");
1342 if (len
< sizeof(*xpl
))
1344 xpl
= (struct sadb_x_policy
*)request
;
1346 lwkt_gettoken(&key_token
);
1348 /* select direction */
1349 switch (xpl
->sadb_x_policy_dir
) {
1350 case IPSEC_DIR_INBOUND
:
1351 pcb_sp
= inp
->inp_sp
->sp_in
;
1353 case IPSEC_DIR_OUTBOUND
:
1354 pcb_sp
= inp
->inp_sp
->sp_out
;
1357 ipseclog((LOG_ERR
, "ipsec4_set_policy: invalid direction=%u\n",
1358 xpl
->sadb_x_policy_dir
));
1359 lwkt_reltoken(&key_token
);
1362 error
= ipsec_get_policy(pcb_sp
, mp
);
1363 lwkt_reltoken(&key_token
);
1367 /* delete policy in PCB */
1369 ipsec4_delete_pcbpolicy(struct inpcb
*inp
)
1371 struct inpcbpolicy
*isp
;
1375 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1377 lwkt_gettoken(&key_token
);
1379 if ((isp
= inp
->inp_sp
) == NULL
) {
1380 lwkt_reltoken(&key_token
);
1384 if (isp
->sp_in
!= NULL
) {
1385 key_freesp(isp
->sp_in
);
1389 if (isp
->sp_out
!= NULL
) {
1390 key_freesp(isp
->sp_out
);
1393 KKASSERT(inp
->inp_sp
== isp
);
1395 ipsec_delpcbpolicy(isp
);
1396 lwkt_reltoken(&key_token
);
1403 ipsec6_set_policy(struct in6pcb
*in6p
, int optname
, caddr_t request
, size_t len
,
1406 struct sadb_x_policy
*xpl
;
1407 struct secpolicy
**pcb_sp
;
1411 if (in6p
== NULL
|| request
== NULL
)
1413 if (len
< sizeof(*xpl
))
1415 xpl
= (struct sadb_x_policy
*)request
;
1417 lwkt_gettoken(&key_token
);
1419 /* select direction */
1420 switch (xpl
->sadb_x_policy_dir
) {
1421 case IPSEC_DIR_INBOUND
:
1422 pcb_sp
= &in6p
->in6p_sp
->sp_in
;
1424 case IPSEC_DIR_OUTBOUND
:
1425 pcb_sp
= &in6p
->in6p_sp
->sp_out
;
1428 ipseclog((LOG_ERR
, "ipsec6_set_policy: invalid direction=%u\n",
1429 xpl
->sadb_x_policy_dir
));
1430 lwkt_reltoken(&key_token
);
1434 error
= ipsec_set_policy(pcb_sp
, optname
, request
, len
, priv
);
1435 lwkt_reltoken(&key_token
);
1440 ipsec6_get_policy(struct in6pcb
*in6p
, caddr_t request
, size_t len
,
1443 struct sadb_x_policy
*xpl
;
1444 struct secpolicy
*pcb_sp
;
1448 if (in6p
== NULL
|| request
== NULL
|| mp
== NULL
)
1450 if (in6p
->in6p_sp
== NULL
)
1451 panic("policy in PCB is NULL");
1452 if (len
< sizeof(*xpl
))
1454 xpl
= (struct sadb_x_policy
*)request
;
1456 lwkt_gettoken(&key_token
);
1458 /* select direction */
1459 switch (xpl
->sadb_x_policy_dir
) {
1460 case IPSEC_DIR_INBOUND
:
1461 pcb_sp
= in6p
->in6p_sp
->sp_in
;
1463 case IPSEC_DIR_OUTBOUND
:
1464 pcb_sp
= in6p
->in6p_sp
->sp_out
;
1467 ipseclog((LOG_ERR
, "ipsec6_set_policy: invalid direction=%u\n",
1468 xpl
->sadb_x_policy_dir
));
1469 lwkt_reltoken(&key_token
);
1473 error
= ipsec_get_policy(pcb_sp
, mp
);
1474 lwkt_reltoken(&key_token
);
1479 ipsec6_delete_pcbpolicy(struct in6pcb
*in6p
)
1481 struct inpcbpolicy
*isp
;
1485 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1487 lwkt_gettoken(&key_token
);
1489 if ((isp
= in6p
->in6p_sp
) == NULL
) {
1490 lwkt_reltoken(&key_token
);
1494 if (isp
->sp_in
!= NULL
) {
1495 key_freesp(isp
->sp_in
);
1499 if (isp
->sp_out
!= NULL
) {
1500 key_freesp(isp
->sp_out
);
1503 KKASSERT(in6p
->in6p_sp
== isp
);
1504 in6p
->in6p_sp
= NULL
;
1505 ipsec_delpcbpolicy(isp
);
1506 lwkt_reltoken(&key_token
);
1513 * return current level.
1514 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1517 ipsec_get_reqlevel(struct ipsecrequest
*isr
)
1520 u_int esp_trans_deflev
, esp_net_deflev
, ah_trans_deflev
, ah_net_deflev
;
1523 if (isr
== NULL
|| isr
->sp
== NULL
)
1524 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1525 if (((struct sockaddr
*)&isr
->sp
->spidx
.src
)->sa_family
1526 != ((struct sockaddr
*)&isr
->sp
->spidx
.dst
)->sa_family
)
1527 panic("ipsec_get_reqlevel: family mismatched.");
1529 /* XXX note that we have ipseclog() expanded here - code sync issue */
1530 #define IPSEC_CHECK_DEFAULT(lev) \
1531 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1532 && (lev) != IPSEC_LEVEL_UNIQUE) \
1534 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1535 (lev), IPSEC_LEVEL_REQUIRE) \
1537 (lev) = IPSEC_LEVEL_REQUIRE, \
1541 /* set default level */
1542 switch (((struct sockaddr
*)&isr
->sp
->spidx
.src
)->sa_family
) {
1545 esp_trans_deflev
= IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev
);
1546 esp_net_deflev
= IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev
);
1547 ah_trans_deflev
= IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev
);
1548 ah_net_deflev
= IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev
);
1553 esp_trans_deflev
= IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev
);
1554 esp_net_deflev
= IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev
);
1555 ah_trans_deflev
= IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev
);
1556 ah_net_deflev
= IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev
);
1560 panic("key_get_reqlevel: Unknown family. %d",
1561 ((struct sockaddr
*)&isr
->sp
->spidx
.src
)->sa_family
);
1564 #undef IPSEC_CHECK_DEFAULT
1567 switch (isr
->level
) {
1568 case IPSEC_LEVEL_DEFAULT
:
1569 switch (isr
->saidx
.proto
) {
1571 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
)
1572 level
= esp_net_deflev
;
1574 level
= esp_trans_deflev
;
1577 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
)
1578 level
= ah_net_deflev
;
1580 level
= ah_trans_deflev
;
1581 case IPPROTO_IPCOMP
:
1583 * we don't really care, as IPcomp document says that
1584 * we shouldn't compress small packets
1586 level
= IPSEC_LEVEL_USE
;
1589 panic("ipsec_get_reqlevel: "
1590 "Illegal protocol defined %u",
1595 case IPSEC_LEVEL_USE
:
1596 case IPSEC_LEVEL_REQUIRE
:
1599 case IPSEC_LEVEL_UNIQUE
:
1600 level
= IPSEC_LEVEL_REQUIRE
;
1604 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1612 * Check AH/ESP integrity.
1618 ipsec_in_reject(struct secpolicy
*sp
, struct mbuf
*m
)
1620 struct ipsecrequest
*isr
;
1622 int need_auth
, need_conf
, need_icv
;
1624 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
1625 kprintf("ipsec_in_reject: using SP\n");
1626 kdebug_secpolicy(sp
));
1629 switch (sp
->policy
) {
1630 case IPSEC_POLICY_DISCARD
:
1632 case IPSEC_POLICY_BYPASS
:
1633 case IPSEC_POLICY_NONE
:
1636 case IPSEC_POLICY_IPSEC
:
1639 case IPSEC_POLICY_ENTRUST
:
1641 panic("ipsec_hdrsiz: Invalid policy found. %d", sp
->policy
);
1648 /* XXX should compare policy against ipsec header history */
1650 for (isr
= sp
->req
; isr
!= NULL
; isr
= isr
->next
) {
1652 /* get current level */
1653 level
= ipsec_get_reqlevel(isr
);
1655 switch (isr
->saidx
.proto
) {
1657 if (level
== IPSEC_LEVEL_REQUIRE
) {
1660 if (isr
->sav
!= NULL
1661 && isr
->sav
->flags
== SADB_X_EXT_NONE
1662 && isr
->sav
->alg_auth
!= SADB_AALG_NONE
)
1667 if (level
== IPSEC_LEVEL_REQUIRE
) {
1672 case IPPROTO_IPCOMP
:
1674 * we don't really care, as IPcomp document says that
1675 * we shouldn't compress small packets, IPComp policy
1676 * should always be treated as being in "use" level.
1682 KEYDEBUG(KEYDEBUG_IPSEC_DUMP
,
1683 kprintf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1684 need_auth
, need_conf
, need_icv
, m
->m_flags
));
1686 if ((need_conf
&& !(m
->m_flags
& M_DECRYPTED
))
1687 || (!need_auth
&& need_icv
&& !(m
->m_flags
& M_AUTHIPDGM
))
1688 || (need_auth
&& !(m
->m_flags
& M_AUTHIPHDR
)))
1695 * Check AH/ESP integrity.
1696 * This function is called from tcp_input(), udp_input(),
1697 * and {ah,esp}4_input for tunnel mode
1700 ipsec4_in_reject_so(struct mbuf
*m
, struct socket
*so
)
1702 struct secpolicy
*sp
= NULL
;
1708 return 0; /* XXX should be panic ? */
1710 /* get SP for this packet.
1711 * When we are called from ip_forward(), we call
1712 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1714 lwkt_gettoken(&key_token
);
1716 sp
= ipsec4_getpolicybyaddr(m
, IPSEC_DIR_INBOUND
, IP_FORWARDING
, &error
);
1718 sp
= ipsec4_getpolicybysock(m
, IPSEC_DIR_INBOUND
, so
, &error
);
1721 lwkt_reltoken(&key_token
);
1725 result
= ipsec_in_reject(sp
, m
);
1726 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
1727 kprintf("DP ipsec4_in_reject_so call free SP:%p\n", sp
));
1729 lwkt_reltoken(&key_token
);
1735 ipsec4_in_reject(struct mbuf
*m
, struct inpcb
*inp
)
1738 return ipsec4_in_reject_so(m
, NULL
);
1739 if (inp
->inp_socket
)
1740 return ipsec4_in_reject_so(m
, inp
->inp_socket
);
1742 panic("ipsec4_in_reject: invalid inpcb/socket");
1747 * Check AH/ESP integrity.
1748 * This function is called from tcp6_input(), udp6_input(),
1749 * and {ah,esp}6_input for tunnel mode
1752 ipsec6_in_reject_so(struct mbuf
*m
, struct socket
*so
)
1754 struct secpolicy
*sp
= NULL
;
1760 return 0; /* XXX should be panic ? */
1762 /* get SP for this packet.
1763 * When we are called from ip_forward(), we call
1764 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1766 lwkt_gettoken(&key_token
);
1768 sp
= ipsec6_getpolicybyaddr(m
, IPSEC_DIR_INBOUND
, IP_FORWARDING
, &error
);
1770 sp
= ipsec6_getpolicybysock(m
, IPSEC_DIR_INBOUND
, so
, &error
);
1773 lwkt_reltoken(&key_token
);
1774 return 0; /* XXX should be panic ? */
1777 result
= ipsec_in_reject(sp
, m
);
1778 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
1779 kprintf("DP ipsec6_in_reject_so call free SP:%p\n", sp
));
1781 lwkt_reltoken(&key_token
);
1787 ipsec6_in_reject(struct mbuf
*m
, struct in6pcb
*in6p
)
1790 return ipsec6_in_reject_so(m
, NULL
);
1791 if (in6p
->in6p_socket
)
1792 return ipsec6_in_reject_so(m
, in6p
->in6p_socket
);
1794 panic("ipsec6_in_reject: invalid in6p/socket");
1799 * compute the byte size to be occupied by IPsec header.
1800 * in case it is tunneled, it includes the size of outer IP header.
1801 * NOTE: SP passed is free in this function.
1804 ipsec_hdrsiz(struct secpolicy
*sp
)
1806 struct ipsecrequest
*isr
;
1809 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
1810 kprintf("ipsec_hdrsiz: using SP\n");
1811 kdebug_secpolicy(sp
));
1814 switch (sp
->policy
) {
1815 case IPSEC_POLICY_DISCARD
:
1816 case IPSEC_POLICY_BYPASS
:
1817 case IPSEC_POLICY_NONE
:
1820 case IPSEC_POLICY_IPSEC
:
1823 case IPSEC_POLICY_ENTRUST
:
1825 panic("ipsec_hdrsiz: Invalid policy found. %d", sp
->policy
);
1830 for (isr
= sp
->req
; isr
!= NULL
; isr
= isr
->next
) {
1834 switch (isr
->saidx
.proto
) {
1837 clen
= esp_hdrsiz(isr
);
1843 clen
= ah_hdrsiz(isr
);
1845 case IPPROTO_IPCOMP
:
1846 clen
= sizeof(struct ipcomp
);
1850 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
) {
1851 switch (((struct sockaddr
*)&isr
->saidx
.dst
)->sa_family
) {
1853 clen
+= sizeof(struct ip
);
1857 clen
+= sizeof(struct ip6_hdr
);
1861 ipseclog((LOG_ERR
, "ipsec_hdrsiz: "
1862 "unknown AF %d in IPsec tunnel SA\n",
1863 ((struct sockaddr
*)&isr
->saidx
.dst
)->sa_family
));
1873 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1875 ipsec4_hdrsiz(struct mbuf
*m
, u_int dir
, struct inpcb
*inp
)
1877 struct secpolicy
*sp
= NULL
;
1883 return 0; /* XXX should be panic ? */
1884 if (inp
!= NULL
&& inp
->inp_socket
== NULL
)
1885 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1887 /* get SP for this packet.
1888 * When we are called from ip_forward(), we call
1889 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1891 lwkt_gettoken(&key_token
);
1893 sp
= ipsec4_getpolicybyaddr(m
, dir
, IP_FORWARDING
, &error
);
1895 sp
= ipsec4_getpolicybysock(m
, dir
, inp
->inp_socket
, &error
);
1898 lwkt_reltoken(&key_token
);
1899 return 0; /* XXX should be panic ? */
1902 size
= ipsec_hdrsiz(sp
);
1903 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
1904 kprintf("DP ipsec4_hdrsiz call free SP:%p\n", sp
));
1905 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
1906 kprintf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size
));
1908 lwkt_reltoken(&key_token
);
1914 /* This function is called from ipsec6_hdrsize_tcp(),
1915 * and maybe from ip6_forward.()
1918 ipsec6_hdrsiz(struct mbuf
*m
, u_int dir
, struct in6pcb
*in6p
)
1920 struct secpolicy
*sp
= NULL
;
1926 return 0; /* XXX shoud be panic ? */
1927 if (in6p
!= NULL
&& in6p
->in6p_socket
== NULL
)
1928 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
1930 /* get SP for this packet */
1931 /* XXX Is it right to call with IP_FORWARDING. */
1932 lwkt_gettoken(&key_token
);
1934 sp
= ipsec6_getpolicybyaddr(m
, dir
, IP_FORWARDING
, &error
);
1936 sp
= ipsec6_getpolicybysock(m
, dir
, in6p
->in6p_socket
, &error
);
1939 lwkt_reltoken(&key_token
);
1942 size
= ipsec_hdrsiz(sp
);
1943 KEYDEBUG(KEYDEBUG_IPSEC_STAMP
,
1944 kprintf("DP ipsec6_hdrsiz call free SP:%p\n", sp
));
1945 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
1946 kprintf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size
));
1948 lwkt_reltoken(&key_token
);
1956 * encapsulate for ipsec tunnel.
1957 * ip->ip_src must be fixed later on.
1960 ipsec4_encapsulate(struct mbuf
*m
, struct secasvar
*sav
)
1967 /* can't tunnel between different AFs */
1968 if (((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
1969 != ((struct sockaddr
*)&sav
->sah
->saidx
.dst
)->sa_family
1970 || ((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
!= AF_INET
) {
1975 /* XXX if the dst is myself, perform nothing. */
1976 if (key_ismyaddr((struct sockaddr
*)&sav
->sah
->saidx
.dst
)) {
1982 if (m
->m_len
< sizeof(*ip
))
1983 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1985 ip
= mtod(m
, struct ip
*);
1987 hlen
= _IP_VHL_HL(ip
->ip_vhl
) << 2;
1989 hlen
= ip
->ip_hl
<< 2;
1992 if (m
->m_len
!= hlen
)
1993 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1995 /* generate header checksum */
1998 if (ip
->ip_vhl
== IP_VHL_BORING
)
1999 ip
->ip_sum
= in_cksum_hdr(ip
);
2001 ip
->ip_sum
= in_cksum(m
, hlen
);
2003 ip
->ip_sum
= in_cksum(m
, hlen
);
2006 plen
= m
->m_pkthdr
.len
;
2009 * grow the mbuf to accomodate the new IPv4 header.
2010 * NOTE: IPv4 options will never be copied.
2012 if (M_LEADINGSPACE(m
->m_next
) < hlen
) {
2014 MGET(n
, MB_DONTWAIT
, MT_DATA
);
2020 n
->m_next
= m
->m_next
;
2022 m
->m_pkthdr
.len
+= hlen
;
2023 oip
= mtod(n
, struct ip
*);
2025 m
->m_next
->m_len
+= hlen
;
2026 m
->m_next
->m_data
-= hlen
;
2027 m
->m_pkthdr
.len
+= hlen
;
2028 oip
= mtod(m
->m_next
, struct ip
*);
2030 ip
= mtod(m
, struct ip
*);
2031 ovbcopy((caddr_t
)ip
, (caddr_t
)oip
, hlen
);
2032 m
->m_len
= sizeof(struct ip
);
2033 m
->m_pkthdr
.len
-= (hlen
- sizeof(struct ip
));
2035 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2036 /* ECN consideration. */
2037 ip_ecn_ingress(ip4_ipsec_ecn
, &ip
->ip_tos
, &oip
->ip_tos
);
2039 ip
->ip_vhl
= IP_MAKE_VHL(IPVERSION
, sizeof(struct ip
) >> 2);
2041 ip
->ip_hl
= sizeof(struct ip
) >> 2;
2043 ip
->ip_off
&= htons(~IP_OFFMASK
);
2044 ip
->ip_off
&= htons(~IP_MF
);
2045 switch (ip4_ipsec_dfbit
) {
2046 case 0: /* clear DF bit */
2047 ip
->ip_off
&= htons(~IP_DF
);
2049 case 1: /* set DF bit */
2050 ip
->ip_off
|= htons(IP_DF
);
2052 default: /* copy DF bit */
2055 ip
->ip_p
= IPPROTO_IPIP
;
2056 if (plen
+ sizeof(struct ip
) < IP_MAXPACKET
)
2057 ip
->ip_len
= htons(plen
+ sizeof(struct ip
));
2059 ipseclog((LOG_ERR
, "IPv4 ipsec: size exceeds limit: "
2060 "leave ip_len as is (invalid packet)\n"));
2063 ip
->ip_id
= ip_randomid();
2065 ip
->ip_id
= htons(ip_id
++);
2067 bcopy(&((struct sockaddr_in
*)&sav
->sah
->saidx
.src
)->sin_addr
,
2068 &ip
->ip_src
, sizeof(ip
->ip_src
));
2069 bcopy(&((struct sockaddr_in
*)&sav
->sah
->saidx
.dst
)->sin_addr
,
2070 &ip
->ip_dst
, sizeof(ip
->ip_dst
));
2071 ip
->ip_ttl
= IPDEFTTL
;
2073 /* XXX Should ip_src be updated later ? */
2081 ipsec6_encapsulate(struct mbuf
*m
, struct secasvar
*sav
)
2083 struct ip6_hdr
*oip6
;
2084 struct ip6_hdr
*ip6
;
2087 /* can't tunnel between different AFs */
2088 if (((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
2089 != ((struct sockaddr
*)&sav
->sah
->saidx
.dst
)->sa_family
2090 || ((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
!= AF_INET6
) {
2095 /* XXX if the dst is myself, perform nothing. */
2096 if (key_ismyaddr((struct sockaddr
*)&sav
->sah
->saidx
.dst
)) {
2102 plen
= m
->m_pkthdr
.len
;
2105 * grow the mbuf to accomodate the new IPv6 header.
2107 if (m
->m_len
!= sizeof(struct ip6_hdr
))
2108 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2109 if (M_LEADINGSPACE(m
->m_next
) < sizeof(struct ip6_hdr
)) {
2111 MGET(n
, MB_DONTWAIT
, MT_DATA
);
2116 n
->m_len
= sizeof(struct ip6_hdr
);
2117 n
->m_next
= m
->m_next
;
2119 m
->m_pkthdr
.len
+= sizeof(struct ip6_hdr
);
2120 oip6
= mtod(n
, struct ip6_hdr
*);
2122 m
->m_next
->m_len
+= sizeof(struct ip6_hdr
);
2123 m
->m_next
->m_data
-= sizeof(struct ip6_hdr
);
2124 m
->m_pkthdr
.len
+= sizeof(struct ip6_hdr
);
2125 oip6
= mtod(m
->m_next
, struct ip6_hdr
*);
2127 ip6
= mtod(m
, struct ip6_hdr
*);
2128 ovbcopy((caddr_t
)ip6
, (caddr_t
)oip6
, sizeof(struct ip6_hdr
));
2130 /* Fake link-local scope-class addresses */
2131 if (IN6_IS_SCOPE_LINKLOCAL(&oip6
->ip6_src
))
2132 oip6
->ip6_src
.s6_addr16
[1] = 0;
2133 if (IN6_IS_SCOPE_LINKLOCAL(&oip6
->ip6_dst
))
2134 oip6
->ip6_dst
.s6_addr16
[1] = 0;
2136 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2137 /* ECN consideration. */
2138 ip6_ecn_ingress(ip6_ipsec_ecn
, &ip6
->ip6_flow
, &oip6
->ip6_flow
);
2139 if (plen
< IPV6_MAXPACKET
- sizeof(struct ip6_hdr
))
2140 ip6
->ip6_plen
= htons(plen
);
2142 /* ip6->ip6_plen will be updated in ip6_output() */
2144 ip6
->ip6_nxt
= IPPROTO_IPV6
;
2145 bcopy(&((struct sockaddr_in6
*)&sav
->sah
->saidx
.src
)->sin6_addr
,
2146 &ip6
->ip6_src
, sizeof(ip6
->ip6_src
));
2147 bcopy(&((struct sockaddr_in6
*)&sav
->sah
->saidx
.dst
)->sin6_addr
,
2148 &ip6
->ip6_dst
, sizeof(ip6
->ip6_dst
));
2149 ip6
->ip6_hlim
= IPV6_DEFHLIM
;
2151 /* XXX Should ip6_src be updated later ? */
2158 * Check the variable replay window.
2159 * ipsec_chkreplay() performs replay check before ICV verification.
2160 * ipsec_updatereplay() updates replay bitmap. This must be called after
2161 * ICV verification (it also performs replay check, which is usually done
2163 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2165 * based on RFC 2401.
2168 ipsec_chkreplay(u_int32_t seq
, struct secasvar
*sav
)
2170 const struct secreplay
*replay
;
2173 u_int32_t wsizeb
; /* constant: bits of window size */
2174 int frlast
; /* constant: last frame */
2178 panic("ipsec_chkreplay: NULL pointer was passed.");
2180 replay
= sav
->replay
;
2182 if (replay
->wsize
== 0)
2183 return 1; /* no need to check replay. */
2186 frlast
= replay
->wsize
- 1;
2187 wsizeb
= replay
->wsize
<< 3;
2189 /* sequence number of 0 is invalid */
2193 /* first time is always okay */
2194 if (replay
->count
== 0)
2197 if (seq
> replay
->lastseq
) {
2198 /* larger sequences are okay */
2201 /* seq is equal or less than lastseq. */
2202 diff
= replay
->lastseq
- seq
;
2204 /* over range to check, i.e. too old or wrapped */
2208 fr
= frlast
- diff
/ 8;
2210 /* this packet already seen ? */
2211 if ((replay
->bitmap
)[fr
] & (1 << (diff
% 8)))
2214 /* out of order but good */
2220 * check replay counter whether to update or not.
2225 ipsec_updatereplay(u_int32_t seq
, struct secasvar
*sav
)
2227 struct secreplay
*replay
;
2230 u_int32_t wsizeb
; /* constant: bits of window size */
2231 int frlast
; /* constant: last frame */
2235 panic("ipsec_chkreplay: NULL pointer was passed.");
2237 replay
= sav
->replay
;
2239 if (replay
->wsize
== 0)
2240 goto ok
; /* no need to check replay. */
2243 frlast
= replay
->wsize
- 1;
2244 wsizeb
= replay
->wsize
<< 3;
2246 /* sequence number of 0 is invalid */
2251 if (replay
->count
== 0) {
2252 replay
->lastseq
= seq
;
2253 bzero(replay
->bitmap
, replay
->wsize
);
2254 (replay
->bitmap
)[frlast
] = 1;
2258 if (seq
> replay
->lastseq
) {
2259 /* seq is larger than lastseq. */
2260 diff
= seq
- replay
->lastseq
;
2262 /* new larger sequence number */
2263 if (diff
< wsizeb
) {
2265 /* set bit for this packet */
2266 vshiftl(replay
->bitmap
, diff
, replay
->wsize
);
2267 (replay
->bitmap
)[frlast
] |= 1;
2269 /* this packet has a "way larger" */
2270 bzero(replay
->bitmap
, replay
->wsize
);
2271 (replay
->bitmap
)[frlast
] = 1;
2273 replay
->lastseq
= seq
;
2275 /* larger is good */
2277 /* seq is equal or less than lastseq. */
2278 diff
= replay
->lastseq
- seq
;
2280 /* over range to check, i.e. too old or wrapped */
2284 fr
= frlast
- diff
/ 8;
2286 /* this packet already seen ? */
2287 if ((replay
->bitmap
)[fr
] & (1 << (diff
% 8)))
2291 (replay
->bitmap
)[fr
] |= (1 << (diff
% 8));
2293 /* out of order but good */
2297 if (replay
->count
== ~0) {
2299 /* set overflow flag */
2302 /* don't increment, no more packets accepted */
2303 if ((sav
->flags
& SADB_X_EXT_CYCSEQ
) == 0)
2306 ipseclog((LOG_WARNING
, "replay counter made %d cycle. %s\n",
2307 replay
->overflow
, ipsec_logsastr(sav
)));
2316 * shift variable length buffer to left.
2317 * IN: bitmap: pointer to the buffer
2318 * nbit: the number of to shift.
2319 * wsize: buffer size (bytes).
2322 vshiftl(unsigned char *bitmap
, int nbit
, int wsize
)
2327 for (j
= 0; j
< nbit
; j
+= 8) {
2328 s
= (nbit
- j
< 8) ? (nbit
- j
): 8;
2330 for (i
= 1; i
< wsize
; i
++) {
2331 over
= (bitmap
[i
] >> (8 - s
));
2333 bitmap
[i
-1] |= over
;
2341 ipsec4_logpacketstr(struct ip
*ip
, u_int32_t spi
)
2343 static char buf
[256];
2347 s
= (u_int8_t
*)(&ip
->ip_src
);
2348 d
= (u_int8_t
*)(&ip
->ip_dst
);
2351 ksnprintf(buf
, sizeof(buf
), "packet(SPI=%u ", (u_int32_t
)ntohl(spi
));
2354 ksnprintf(p
, sizeof(buf
) - (p
- buf
), "src=%u.%u.%u.%u",
2355 s
[0], s
[1], s
[2], s
[3]);
2358 ksnprintf(p
, sizeof(buf
) - (p
- buf
), " dst=%u.%u.%u.%u",
2359 d
[0], d
[1], d
[2], d
[3]);
2362 ksnprintf(p
, sizeof(buf
) - (p
- buf
), ")");
2369 ipsec6_logpacketstr(struct ip6_hdr
*ip6
, u_int32_t spi
)
2371 static char buf
[256];
2375 ksnprintf(buf
, sizeof(buf
), "packet(SPI=%u ", (u_int32_t
)ntohl(spi
));
2378 ksnprintf(p
, sizeof(buf
) - (p
- buf
), "src=%s",
2379 ip6_sprintf(&ip6
->ip6_src
));
2382 ksnprintf(p
, sizeof(buf
) - (p
- buf
), " dst=%s",
2383 ip6_sprintf(&ip6
->ip6_dst
));
2386 ksnprintf(p
, sizeof(buf
) - (p
- buf
), ")");
2393 ipsec_logsastr(struct secasvar
*sav
)
2395 static char buf
[256];
2397 struct secasindex
*saidx
= &sav
->sah
->saidx
;
2399 /* validity check */
2400 if (((struct sockaddr
*)&sav
->sah
->saidx
.src
)->sa_family
2401 != ((struct sockaddr
*)&sav
->sah
->saidx
.dst
)->sa_family
)
2402 panic("ipsec_logsastr: family mismatched.");
2405 ksnprintf(buf
, sizeof(buf
), "SA(SPI=%u ", (u_int32_t
)ntohl(sav
->spi
));
2408 if (((struct sockaddr
*)&saidx
->src
)->sa_family
== AF_INET
) {
2410 s
= (u_int8_t
*)&((struct sockaddr_in
*)&saidx
->src
)->sin_addr
;
2411 d
= (u_int8_t
*)&((struct sockaddr_in
*)&saidx
->dst
)->sin_addr
;
2412 ksnprintf(p
, sizeof(buf
) - (p
- buf
),
2413 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2414 s
[0], s
[1], s
[2], s
[3], d
[0], d
[1], d
[2], d
[3]);
2417 else if (((struct sockaddr
*)&saidx
->src
)->sa_family
== AF_INET6
) {
2418 ksnprintf(p
, sizeof(buf
) - (p
- buf
),
2420 ip6_sprintf(&((struct sockaddr_in6
*)&saidx
->src
)->sin6_addr
));
2423 ksnprintf(p
, sizeof(buf
) - (p
- buf
),
2425 ip6_sprintf(&((struct sockaddr_in6
*)&saidx
->dst
)->sin6_addr
));
2430 ksnprintf(p
, sizeof(buf
) - (p
- buf
), ")");
2436 ipsec_dumpmbuf(struct mbuf
*m
)
2445 p
= mtod(m
, u_char
*);
2446 for (i
= 0; i
< m
->m_len
; i
++) {
2447 kprintf("%02x ", p
[i
]);
2449 if (totlen
% 16 == 0)
2454 if (totlen
% 16 != 0)
2461 * IPsec output logic for IPv4.
2464 ipsec4_output(struct ipsec_output_state
*state
, struct secpolicy
*sp
, int flags
)
2466 struct ip
*ip
= NULL
;
2467 struct ipsecrequest
*isr
= NULL
;
2468 struct secasindex saidx
;
2470 struct sockaddr_in
*dst4
;
2471 struct sockaddr_in
*sin
;
2474 panic("state == NULL in ipsec4_output");
2476 panic("state->m == NULL in ipsec4_output");
2478 panic("state->ro == NULL in ipsec4_output");
2480 panic("state->dst == NULL in ipsec4_output");
2482 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
2483 kprintf("ipsec4_output: applyed SP\n");
2484 kdebug_secpolicy(sp
));
2486 for (isr
= sp
->req
; isr
!= NULL
; isr
= isr
->next
) {
2488 #if 0 /* give up to check restriction of transport mode */
2489 /* XXX but should be checked somewhere */
2491 * some of the IPsec operation must be performed only in
2494 if (isr
->saidx
.mode
== IPSEC_MODE_TRANSPORT
2495 && (flags
& IP_FORWARDING
))
2499 /* make SA index for search proper SA */
2500 ip
= mtod(state
->m
, struct ip
*);
2501 bcopy(&isr
->saidx
, &saidx
, sizeof(saidx
));
2502 saidx
.mode
= isr
->saidx
.mode
;
2503 saidx
.reqid
= isr
->saidx
.reqid
;
2504 sin
= (struct sockaddr_in
*)&saidx
.src
;
2505 if (sin
->sin_len
== 0) {
2506 sin
->sin_len
= sizeof(*sin
);
2507 sin
->sin_family
= AF_INET
;
2508 sin
->sin_port
= IPSEC_PORT_ANY
;
2509 bcopy(&ip
->ip_src
, &sin
->sin_addr
,
2510 sizeof(sin
->sin_addr
));
2512 sin
= (struct sockaddr_in
*)&saidx
.dst
;
2513 if (sin
->sin_len
== 0) {
2514 sin
->sin_len
= sizeof(*sin
);
2515 sin
->sin_family
= AF_INET
;
2516 sin
->sin_port
= IPSEC_PORT_ANY
;
2517 bcopy(&ip
->ip_dst
, &sin
->sin_addr
,
2518 sizeof(sin
->sin_addr
));
2521 if ((error
= key_checkrequest(isr
, &saidx
)) != 0) {
2523 * IPsec processing is required, but no SA found.
2524 * I assume that key_acquire() had been called
2525 * to get/establish the SA. Here I discard
2526 * this packet because it is responsibility for
2527 * upper layer to retransmit the packet.
2529 ipsecstat
.out_nosa
++;
2533 /* validity check */
2534 if (isr
->sav
== NULL
) {
2535 switch (ipsec_get_reqlevel(isr
)) {
2536 case IPSEC_LEVEL_USE
:
2538 case IPSEC_LEVEL_REQUIRE
:
2539 /* must be not reached here. */
2540 panic("ipsec4_output: no SA found, but required.");
2545 * If there is no valid SA, we give up to process any
2546 * more. In such a case, the SA's status is changed
2547 * from DYING to DEAD after allocating. If a packet
2548 * send to the receiver by dead SA, the receiver can
2549 * not decode a packet because SA has been dead.
2551 if (isr
->sav
->state
!= SADB_SASTATE_MATURE
2552 && isr
->sav
->state
!= SADB_SASTATE_DYING
) {
2553 ipsecstat
.out_nosa
++;
2559 * There may be the case that SA status will be changed when
2560 * we are refering to one. So calling crit_enter().
2564 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
) {
2566 * build IPsec tunnel.
2568 /* XXX should be processed with other familiy */
2569 if (((struct sockaddr
*)&isr
->sav
->sah
->saidx
.src
)->sa_family
!= AF_INET
) {
2570 ipseclog((LOG_ERR
, "ipsec4_output: "
2571 "family mismatched between inner and outer spi=%u\n",
2572 (u_int32_t
)ntohl(isr
->sav
->spi
)));
2574 error
= EAFNOSUPPORT
;
2578 state
->m
= ipsec4_splithdr(state
->m
);
2584 error
= ipsec4_encapsulate(state
->m
, isr
->sav
);
2590 ip
= mtod(state
->m
, struct ip
*);
2592 state
->ro
= &isr
->sav
->sah
->sa_route
;
2593 state
->dst
= (struct sockaddr
*)&state
->ro
->ro_dst
;
2594 dst4
= (struct sockaddr_in
*)state
->dst
;
2595 if (state
->ro
->ro_rt
2596 && ((state
->ro
->ro_rt
->rt_flags
& RTF_UP
) == 0
2597 || dst4
->sin_addr
.s_addr
!= ip
->ip_dst
.s_addr
)) {
2598 RTFREE(state
->ro
->ro_rt
);
2599 state
->ro
->ro_rt
= NULL
;
2601 if (state
->ro
->ro_rt
== 0) {
2602 dst4
->sin_family
= AF_INET
;
2603 dst4
->sin_len
= sizeof(*dst4
);
2604 dst4
->sin_addr
= ip
->ip_dst
;
2607 if (state
->ro
->ro_rt
== 0) {
2608 ipstat
.ips_noroute
++;
2609 error
= EHOSTUNREACH
;
2613 /* adjust state->dst if tunnel endpoint is offlink */
2614 if (state
->ro
->ro_rt
->rt_flags
& RTF_GATEWAY
) {
2615 state
->dst
= (struct sockaddr
*)state
->ro
->ro_rt
->rt_gateway
;
2616 dst4
= (struct sockaddr_in
*)state
->dst
;
2621 state
->m
= ipsec4_splithdr(state
->m
);
2626 switch (isr
->saidx
.proto
) {
2629 if ((error
= esp4_output(state
->m
, isr
)) != 0) {
2641 if ((error
= ah4_output(state
->m
, isr
)) != 0) {
2646 case IPPROTO_IPCOMP
:
2647 if ((error
= ipcomp4_output(state
->m
, isr
)) != 0) {
2654 "ipsec4_output: unknown ipsec protocol %d\n",
2662 if (state
->m
== 0) {
2666 ip
= mtod(state
->m
, struct ip
*);
2680 * IPsec output logic for IPv6, transport mode.
2683 ipsec6_output_trans(struct ipsec_output_state
*state
, u_char
*nexthdrp
,
2684 struct mbuf
*mprev
, struct secpolicy
*sp
, int flags
,
2687 struct ip6_hdr
*ip6
;
2688 struct ipsecrequest
*isr
= NULL
;
2689 struct secasindex saidx
;
2692 struct sockaddr_in6
*sin6
;
2695 panic("state == NULL in ipsec6_output_trans");
2697 panic("state->m == NULL in ipsec6_output_trans");
2699 panic("nexthdrp == NULL in ipsec6_output_trans");
2701 panic("mprev == NULL in ipsec6_output_trans");
2703 panic("sp == NULL in ipsec6_output_trans");
2705 panic("tun == NULL in ipsec6_output_trans");
2707 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
2708 kprintf("ipsec6_output_trans: applyed SP\n");
2709 kdebug_secpolicy(sp
));
2711 lwkt_gettoken(&key_token
);
2714 for (isr
= sp
->req
; isr
; isr
= isr
->next
) {
2715 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
) {
2716 /* the rest will be handled by ipsec6_output_tunnel() */
2720 /* make SA index for search proper SA */
2721 ip6
= mtod(state
->m
, struct ip6_hdr
*);
2722 bcopy(&isr
->saidx
, &saidx
, sizeof(saidx
));
2723 saidx
.mode
= isr
->saidx
.mode
;
2724 saidx
.reqid
= isr
->saidx
.reqid
;
2725 sin6
= (struct sockaddr_in6
*)&saidx
.src
;
2726 if (sin6
->sin6_len
== 0) {
2727 sin6
->sin6_len
= sizeof(*sin6
);
2728 sin6
->sin6_family
= AF_INET6
;
2729 sin6
->sin6_port
= IPSEC_PORT_ANY
;
2730 bcopy(&ip6
->ip6_src
, &sin6
->sin6_addr
,
2731 sizeof(ip6
->ip6_src
));
2732 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_src
)) {
2733 /* fix scope id for comparing SPD */
2734 sin6
->sin6_addr
.s6_addr16
[1] = 0;
2735 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_src
.s6_addr16
[1]);
2738 sin6
= (struct sockaddr_in6
*)&saidx
.dst
;
2739 if (sin6
->sin6_len
== 0) {
2740 sin6
->sin6_len
= sizeof(*sin6
);
2741 sin6
->sin6_family
= AF_INET6
;
2742 sin6
->sin6_port
= IPSEC_PORT_ANY
;
2743 bcopy(&ip6
->ip6_dst
, &sin6
->sin6_addr
,
2744 sizeof(ip6
->ip6_dst
));
2745 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_dst
)) {
2746 /* fix scope id for comparing SPD */
2747 sin6
->sin6_addr
.s6_addr16
[1] = 0;
2748 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_dst
.s6_addr16
[1]);
2752 if (key_checkrequest(isr
, &saidx
) == ENOENT
) {
2754 * IPsec processing is required, but no SA found.
2755 * I assume that key_acquire() had been called
2756 * to get/establish the SA. Here I discard
2757 * this packet because it is responsibility for
2758 * upper layer to retransmit the packet.
2760 ipsec6stat
.out_nosa
++;
2764 * Notify the fact that the packet is discarded
2765 * to ourselves. I believe this is better than
2766 * just silently discarding. (jinmei@kame.net)
2767 * XXX: should we restrict the error to TCP packets?
2768 * XXX: should we directly notify sockets via
2771 icmp6_error(state
->m
, ICMP6_DST_UNREACH
,
2772 ICMP6_DST_UNREACH_ADMIN
, 0);
2773 state
->m
= NULL
; /* icmp6_error freed the mbuf */
2777 /* validity check */
2778 if (isr
->sav
== NULL
) {
2779 switch (ipsec_get_reqlevel(isr
)) {
2780 case IPSEC_LEVEL_USE
:
2782 case IPSEC_LEVEL_REQUIRE
:
2783 /* must be not reached here. */
2784 panic("ipsec6_output_trans: no SA found, but required.");
2789 * If there is no valid SA, we give up to process.
2790 * see same place at ipsec4_output().
2792 if (isr
->sav
->state
!= SADB_SASTATE_MATURE
2793 && isr
->sav
->state
!= SADB_SASTATE_DYING
) {
2794 ipsec6stat
.out_nosa
++;
2799 switch (isr
->saidx
.proto
) {
2802 error
= esp6_output(state
->m
, nexthdrp
, mprev
->m_next
, isr
);
2809 error
= ah6_output(state
->m
, nexthdrp
, mprev
->m_next
, isr
);
2811 case IPPROTO_IPCOMP
:
2812 error
= ipcomp6_output(state
->m
, nexthdrp
, mprev
->m_next
, isr
);
2815 ipseclog((LOG_ERR
, "ipsec6_output_trans: "
2816 "unknown ipsec protocol %d\n", isr
->saidx
.proto
));
2818 ipsec6stat
.out_inval
++;
2826 plen
= state
->m
->m_pkthdr
.len
- sizeof(struct ip6_hdr
);
2827 if (plen
> IPV6_MAXPACKET
) {
2828 ipseclog((LOG_ERR
, "ipsec6_output_trans: "
2829 "IPsec with IPv6 jumbogram is not supported\n"));
2830 ipsec6stat
.out_inval
++;
2831 error
= EINVAL
; /* XXX */
2834 ip6
= mtod(state
->m
, struct ip6_hdr
*);
2835 ip6
->ip6_plen
= htons(plen
);
2838 /* if we have more to go, we need a tunnel mode processing */
2841 lwkt_reltoken(&key_token
);
2845 lwkt_reltoken(&key_token
);
2852 * IPsec output logic for IPv6, tunnel mode.
2855 ipsec6_output_tunnel(struct ipsec_output_state
*state
, struct secpolicy
*sp
,
2858 struct ip6_hdr
*ip6
;
2859 struct ipsecrequest
*isr
= NULL
;
2860 struct secasindex saidx
;
2863 struct sockaddr_in6
* dst6
;
2866 panic("state == NULL in ipsec6_output_tunnel");
2868 panic("state->m == NULL in ipsec6_output_tunnel");
2870 panic("sp == NULL in ipsec6_output_tunnel");
2872 KEYDEBUG(KEYDEBUG_IPSEC_DATA
,
2873 kprintf("ipsec6_output_tunnel: applyed SP\n");
2874 kdebug_secpolicy(sp
));
2877 * transport mode ipsec (before the 1st tunnel mode) is already
2878 * processed by ipsec6_output_trans().
2880 lwkt_gettoken(&key_token
);
2881 for (isr
= sp
->req
; isr
; isr
= isr
->next
) {
2882 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
)
2886 for (/* already initialized */; isr
; isr
= isr
->next
) {
2887 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
) {
2888 /* When tunnel mode, SA peers must be specified. */
2889 bcopy(&isr
->saidx
, &saidx
, sizeof(saidx
));
2891 /* make SA index to look for a proper SA */
2892 struct sockaddr_in6
*sin6
;
2894 bzero(&saidx
, sizeof(saidx
));
2895 saidx
.proto
= isr
->saidx
.proto
;
2896 saidx
.mode
= isr
->saidx
.mode
;
2897 saidx
.reqid
= isr
->saidx
.reqid
;
2899 ip6
= mtod(state
->m
, struct ip6_hdr
*);
2900 sin6
= (struct sockaddr_in6
*)&saidx
.src
;
2901 if (sin6
->sin6_len
== 0) {
2902 sin6
->sin6_len
= sizeof(*sin6
);
2903 sin6
->sin6_family
= AF_INET6
;
2904 sin6
->sin6_port
= IPSEC_PORT_ANY
;
2905 bcopy(&ip6
->ip6_src
, &sin6
->sin6_addr
,
2906 sizeof(ip6
->ip6_src
));
2907 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_src
)) {
2908 /* fix scope id for comparing SPD */
2909 sin6
->sin6_addr
.s6_addr16
[1] = 0;
2910 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_src
.s6_addr16
[1]);
2913 sin6
= (struct sockaddr_in6
*)&saidx
.dst
;
2914 if (sin6
->sin6_len
== 0) {
2915 sin6
->sin6_len
= sizeof(*sin6
);
2916 sin6
->sin6_family
= AF_INET6
;
2917 sin6
->sin6_port
= IPSEC_PORT_ANY
;
2918 bcopy(&ip6
->ip6_dst
, &sin6
->sin6_addr
,
2919 sizeof(ip6
->ip6_dst
));
2920 if (IN6_IS_SCOPE_LINKLOCAL(&ip6
->ip6_dst
)) {
2921 /* fix scope id for comparing SPD */
2922 sin6
->sin6_addr
.s6_addr16
[1] = 0;
2923 sin6
->sin6_scope_id
= ntohs(ip6
->ip6_dst
.s6_addr16
[1]);
2928 if (key_checkrequest(isr
, &saidx
) == ENOENT
) {
2930 * IPsec processing is required, but no SA found.
2931 * I assume that key_acquire() had been called
2932 * to get/establish the SA. Here I discard
2933 * this packet because it is responsibility for
2934 * upper layer to retransmit the packet.
2936 ipsec6stat
.out_nosa
++;
2941 /* validity check */
2942 if (isr
->sav
== NULL
) {
2943 switch (ipsec_get_reqlevel(isr
)) {
2944 case IPSEC_LEVEL_USE
:
2946 case IPSEC_LEVEL_REQUIRE
:
2947 /* must be not reached here. */
2948 panic("ipsec6_output_tunnel: no SA found, but required.");
2953 * If there is no valid SA, we give up to process.
2954 * see same place at ipsec4_output().
2956 if (isr
->sav
->state
!= SADB_SASTATE_MATURE
2957 && isr
->sav
->state
!= SADB_SASTATE_DYING
) {
2958 ipsec6stat
.out_nosa
++;
2964 * There may be the case that SA status will be changed when
2965 * we are refering to one. So calling crit_enter().
2969 if (isr
->saidx
.mode
== IPSEC_MODE_TUNNEL
) {
2971 * build IPsec tunnel.
2973 /* XXX should be processed with other familiy */
2974 if (((struct sockaddr
*)&isr
->sav
->sah
->saidx
.src
)->sa_family
!= AF_INET6
) {
2975 ipseclog((LOG_ERR
, "ipsec6_output_tunnel: "
2976 "family mismatched between inner and outer, spi=%u\n",
2977 (u_int32_t
)ntohl(isr
->sav
->spi
)));
2979 ipsec6stat
.out_inval
++;
2980 error
= EAFNOSUPPORT
;
2984 state
->m
= ipsec6_splithdr(state
->m
);
2987 ipsec6stat
.out_nomem
++;
2991 error
= ipsec6_encapsulate(state
->m
, isr
->sav
);
2997 ip6
= mtod(state
->m
, struct ip6_hdr
*);
2999 state
->ro
= &isr
->sav
->sah
->sa_route
;
3000 state
->dst
= (struct sockaddr
*)&state
->ro
->ro_dst
;
3001 dst6
= (struct sockaddr_in6
*)state
->dst
;
3002 if (state
->ro
->ro_rt
3003 && ((state
->ro
->ro_rt
->rt_flags
& RTF_UP
) == 0
3004 || !IN6_ARE_ADDR_EQUAL(&dst6
->sin6_addr
, &ip6
->ip6_dst
))) {
3005 RTFREE(state
->ro
->ro_rt
);
3006 state
->ro
->ro_rt
= NULL
;
3008 if (state
->ro
->ro_rt
== 0) {
3009 bzero(dst6
, sizeof(*dst6
));
3010 dst6
->sin6_family
= AF_INET6
;
3011 dst6
->sin6_len
= sizeof(*dst6
);
3012 dst6
->sin6_addr
= ip6
->ip6_dst
;
3015 if (state
->ro
->ro_rt
== 0) {
3016 ip6stat
.ip6s_noroute
++;
3017 ipsec6stat
.out_noroute
++;
3018 error
= EHOSTUNREACH
;
3022 /* adjust state->dst if tunnel endpoint is offlink */
3023 if (state
->ro
->ro_rt
->rt_flags
& RTF_GATEWAY
) {
3024 state
->dst
= (struct sockaddr
*)state
->ro
->ro_rt
->rt_gateway
;
3025 dst6
= (struct sockaddr_in6
*)state
->dst
;
3030 state
->m
= ipsec6_splithdr(state
->m
);
3032 ipsec6stat
.out_nomem
++;
3036 ip6
= mtod(state
->m
, struct ip6_hdr
*);
3037 switch (isr
->saidx
.proto
) {
3040 error
= esp6_output(state
->m
, &ip6
->ip6_nxt
, state
->m
->m_next
, isr
);
3047 error
= ah6_output(state
->m
, &ip6
->ip6_nxt
, state
->m
->m_next
, isr
);
3049 case IPPROTO_IPCOMP
:
3050 /* XXX code should be here */
3053 ipseclog((LOG_ERR
, "ipsec6_output_tunnel: "
3054 "unknown ipsec protocol %d\n", isr
->saidx
.proto
));
3056 ipsec6stat
.out_inval
++;
3064 plen
= state
->m
->m_pkthdr
.len
- sizeof(struct ip6_hdr
);
3065 if (plen
> IPV6_MAXPACKET
) {
3066 ipseclog((LOG_ERR
, "ipsec6_output_tunnel: "
3067 "IPsec with IPv6 jumbogram is not supported\n"));
3068 ipsec6stat
.out_inval
++;
3069 error
= EINVAL
; /* XXX */
3072 ip6
= mtod(state
->m
, struct ip6_hdr
*);
3073 ip6
->ip6_plen
= htons(plen
);
3075 lwkt_reltoken(&key_token
);
3080 lwkt_reltoken(&key_token
);
3089 * Chop IP header and option off from the payload.
3091 static struct mbuf
*
3092 ipsec4_splithdr(struct mbuf
*m
)
3098 if (m
->m_len
< sizeof(struct ip
))
3099 panic("ipsec4_splithdr: first mbuf too short");
3100 ip
= mtod(m
, struct ip
*);
3102 hlen
= _IP_VHL_HL(ip
->ip_vhl
) << 2;
3104 hlen
= ip
->ip_hl
<< 2;
3106 if (m
->m_len
> hlen
) {
3107 MGETHDR(mh
, MB_DONTWAIT
, MT_HEADER
);
3112 M_MOVE_PKTHDR(mh
, m
);
3119 bcopy((caddr_t
)ip
, mtod(m
, caddr_t
), hlen
);
3120 } else if (m
->m_len
< hlen
) {
3121 m
= m_pullup(m
, hlen
);
3130 static struct mbuf
*
3131 ipsec6_splithdr(struct mbuf
*m
)
3134 struct ip6_hdr
*ip6
;
3137 if (m
->m_len
< sizeof(struct ip6_hdr
))
3138 panic("ipsec6_splithdr: first mbuf too short");
3139 ip6
= mtod(m
, struct ip6_hdr
*);
3140 hlen
= sizeof(struct ip6_hdr
);
3141 if (m
->m_len
> hlen
) {
3142 MGETHDR(mh
, MB_DONTWAIT
, MT_HEADER
);
3147 M_MOVE_PKTHDR(mh
, m
);
3154 bcopy((caddr_t
)ip6
, mtod(m
, caddr_t
), hlen
);
3155 } else if (m
->m_len
< hlen
) {
3156 m
= m_pullup(m
, hlen
);
3164 /* validate inbound IPsec tunnel packet. */
3166 ipsec4_tunnel_validate(struct mbuf
*m
, /* no pullup permitted, m->m_len >= ip */
3167 int off
, u_int nxt0
, struct secasvar
*sav
)
3169 u_int8_t nxt
= nxt0
& 0xff;
3170 struct sockaddr_in
*sin
;
3171 struct sockaddr_in osrc
, odst
, isrc
, idst
;
3173 struct secpolicy
*sp
;
3177 if (m
->m_len
< sizeof(struct ip
))
3178 panic("too short mbuf on ipsec4_tunnel_validate");
3180 if (nxt
!= IPPROTO_IPV4
)
3182 if (m
->m_pkthdr
.len
< off
+ sizeof(struct ip
))
3184 /* do not decapsulate if the SA is for transport mode only */
3185 if (sav
->sah
->saidx
.mode
== IPSEC_MODE_TRANSPORT
)
3188 oip
= mtod(m
, struct ip
*);
3190 hlen
= _IP_VHL_HL(oip
->ip_vhl
) << 2;
3192 hlen
= oip
->ip_hl
<< 2;
3194 if (hlen
!= sizeof(struct ip
))
3197 /* AF_INET6 should be supported, but at this moment we don't. */
3198 sin
= (struct sockaddr_in
*)&sav
->sah
->saidx
.dst
;
3199 if (sin
->sin_family
!= AF_INET
)
3201 if (bcmp(&oip
->ip_dst
, &sin
->sin_addr
, sizeof(oip
->ip_dst
)) != 0)
3205 bzero(&osrc
, sizeof(osrc
));
3206 bzero(&odst
, sizeof(odst
));
3207 bzero(&isrc
, sizeof(isrc
));
3208 bzero(&idst
, sizeof(idst
));
3209 osrc
.sin_family
= odst
.sin_family
= isrc
.sin_family
= idst
.sin_family
=
3211 osrc
.sin_len
= odst
.sin_len
= isrc
.sin_len
= idst
.sin_len
=
3212 sizeof(struct sockaddr_in
);
3213 osrc
.sin_addr
= oip
->ip_src
;
3214 odst
.sin_addr
= oip
->ip_dst
;
3215 m_copydata(m
, off
+ offsetof(struct ip
, ip_src
), sizeof(isrc
.sin_addr
),
3216 (caddr_t
)&isrc
.sin_addr
);
3217 m_copydata(m
, off
+ offsetof(struct ip
, ip_dst
), sizeof(idst
.sin_addr
),
3218 (caddr_t
)&idst
.sin_addr
);
3221 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3222 * - if the inner destination is multicast address, there can be
3223 * multiple permissible inner source address. implementation
3224 * may want to skip verification of inner source address against
3226 * - if the inner protocol is ICMP, the packet may be an error report
3227 * from routers on the other side of the VPN cloud (R in the
3228 * following diagram). in this case, we cannot verify inner source
3229 * address against SPD selector.
3230 * me -- gw === gw -- R -- you
3232 * we consider the first bullet to be users responsibility on SPD entry
3233 * configuration (if you need to encrypt multicast traffic, set
3234 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3235 * address ranges for possible senders).
3236 * the second bullet is not taken care of (yet).
3238 * therefore, we do not do anything special about inner source.
3241 lwkt_gettoken(&key_token
);
3242 sp
= key_gettunnel((struct sockaddr
*)&osrc
, (struct sockaddr
*)&odst
,
3243 (struct sockaddr
*)&isrc
, (struct sockaddr
*)&idst
);
3246 lwkt_reltoken(&key_token
);
3249 lwkt_reltoken(&key_token
);
3255 /* validate inbound IPsec tunnel packet. */
3257 ipsec6_tunnel_validate(struct mbuf
*m
, /* no pullup permitted, m->m_len >= ip */
3258 int off
, u_int nxt0
, struct secasvar
*sav
)
3260 u_int8_t nxt
= nxt0
& 0xff;
3261 struct sockaddr_in6
*sin6
;
3262 struct sockaddr_in6 osrc
, odst
, isrc
, idst
;
3263 struct secpolicy
*sp
;
3264 struct ip6_hdr
*oip6
;
3267 if (m
->m_len
< sizeof(struct ip6_hdr
))
3268 panic("too short mbuf on ipsec6_tunnel_validate");
3270 if (nxt
!= IPPROTO_IPV6
)
3272 if (m
->m_pkthdr
.len
< off
+ sizeof(struct ip6_hdr
))
3274 /* do not decapsulate if the SA is for transport mode only */
3275 if (sav
->sah
->saidx
.mode
== IPSEC_MODE_TRANSPORT
)
3278 oip6
= mtod(m
, struct ip6_hdr
*);
3279 /* AF_INET should be supported, but at this moment we don't. */
3280 sin6
= (struct sockaddr_in6
*)&sav
->sah
->saidx
.dst
;
3281 if (sin6
->sin6_family
!= AF_INET6
)
3283 if (!IN6_ARE_ADDR_EQUAL(&oip6
->ip6_dst
, &sin6
->sin6_addr
))
3287 bzero(&osrc
, sizeof(osrc
));
3288 bzero(&odst
, sizeof(odst
));
3289 bzero(&isrc
, sizeof(isrc
));
3290 bzero(&idst
, sizeof(idst
));
3291 osrc
.sin6_family
= odst
.sin6_family
= isrc
.sin6_family
=
3292 idst
.sin6_family
= AF_INET6
;
3293 osrc
.sin6_len
= odst
.sin6_len
= isrc
.sin6_len
= idst
.sin6_len
=
3294 sizeof(struct sockaddr_in6
);
3295 osrc
.sin6_addr
= oip6
->ip6_src
;
3296 odst
.sin6_addr
= oip6
->ip6_dst
;
3297 m_copydata(m
, off
+ offsetof(struct ip6_hdr
, ip6_src
),
3298 sizeof(isrc
.sin6_addr
), (caddr_t
)&isrc
.sin6_addr
);
3299 m_copydata(m
, off
+ offsetof(struct ip6_hdr
, ip6_dst
),
3300 sizeof(idst
.sin6_addr
), (caddr_t
)&idst
.sin6_addr
);
3303 * regarding to inner source address validation, see a long comment
3304 * in ipsec4_tunnel_validate.
3307 lwkt_gettoken(&key_token
);
3308 sp
= key_gettunnel((struct sockaddr
*)&osrc
, (struct sockaddr
*)&odst
,
3309 (struct sockaddr
*)&isrc
, (struct sockaddr
*)&idst
);
3311 * when there is no suitable inbound policy for the packet of the ipsec
3312 * tunnel mode, the kernel never decapsulate the tunneled packet
3313 * as the ipsec tunnel mode even when the system wide policy is "none".
3314 * then the kernel leaves the generic tunnel module to process this
3315 * packet. if there is no rule of the generic tunnel, the packet
3316 * is rejected and the statistics will be counted up.
3320 lwkt_reltoken(&key_token
);
3323 lwkt_reltoken(&key_token
);
3330 * Make a mbuf chain for encryption.
3331 * If the original mbuf chain contains a mbuf with a cluster,
3332 * allocate a new cluster and copy the data to the new cluster.
3333 * XXX: this hack is inefficient, but is necessary to handle cases
3334 * of TCP retransmission...
3337 ipsec_copypkt(struct mbuf
*m
)
3339 struct mbuf
*n
, **mpp
, *mnew
;
3341 for (n
= m
, mpp
= &m
; n
; n
= n
->m_next
) {
3342 if (n
->m_flags
& M_EXT
) {
3344 * Make a copy only if there are more than one
3345 * references to the cluster.
3346 * XXX: is this approach effective?
3348 if (m_sharecount(n
) > 1) {
3352 if (n
->m_flags
& M_PKTHDR
) {
3353 MGETHDR(mnew
, MB_DONTWAIT
, MT_HEADER
);
3356 if (!m_dup_pkthdr(mnew
, n
, MB_DONTWAIT
)) {
3362 MGET(mnew
, MB_DONTWAIT
, MT_DATA
);
3370 * Copy data. If we don't have enough space to
3371 * store the whole data, allocate a cluster
3372 * or additional mbufs.
3373 * XXX: we don't use m_copyback(), since the
3374 * function does not use clusters and thus is
3383 if (remain
<= (mm
->m_flags
& M_PKTHDR
? MHLEN
: MLEN
))
3385 else { /* allocate a cluster */
3386 MCLGET(mm
, MB_DONTWAIT
);
3387 if (!(mm
->m_flags
& M_EXT
)) {
3391 len
= remain
< MCLBYTES
?
3395 bcopy(n
->m_data
+ copied
, mm
->m_data
,
3402 if (remain
<= 0) /* completed? */
3405 /* need another mbuf */
3406 MGETHDR(mn
, MB_DONTWAIT
, MT_HEADER
);
3409 mn
->m_pkthdr
.rcvif
= NULL
;
3415 mm
->m_next
= m_free(n
);
3434 ipsec_delaux(struct mbuf
*m
)
3438 while ((tag
= m_tag_find(m
, PACKET_TAG_IPSEC_HISTORY
, NULL
)) != NULL
)
3439 m_tag_delete(m
, tag
);
3443 ipsec_addhist(struct mbuf
*m
, int proto
, u_int32_t spi
)
3446 struct ipsec_history
*p
;
3448 tag
= m_tag_get(PACKET_TAG_IPSEC_HISTORY
,
3449 sizeof (struct ipsec_history
), MB_DONTWAIT
);
3452 p
= (struct ipsec_history
*)m_tag_data(tag
);
3453 bzero(p
, sizeof(*p
));
3454 p
->ih_proto
= proto
;
3456 m_tag_prepend(m
, tag
);
3460 struct ipsec_history
*
3461 ipsec_gethist(struct mbuf
*m
, int *lenp
)
3465 tag
= m_tag_find(m
, PACKET_TAG_IPSEC_HISTORY
, NULL
);
3468 /* XXX NB: noone uses this so fake it */
3470 *lenp
= sizeof (struct ipsec_history
);
3471 return ((struct ipsec_history
*)(tag
+1));