For kmalloc(), MALLOC() and contigmalloc(), use M_ZERO instead of
[dragonfly.git] / sys / netinet6 / ipsec.c
CommitLineData
984263bc 1/* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.12 2003/05/06 06:46:58 suz Exp $ */
e7b4468c 2/* $DragonFly: src/sys/netinet6/ipsec.c,v 1.21 2008/01/05 14:02:40 swildner Exp $ */
984263bc
MD
3/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34/*
35 * IPsec controller part.
36 */
37
38#include "opt_inet.h"
39#include "opt_inet6.h"
40#include "opt_ipsec.h"
41
42#include <sys/param.h>
43#include <sys/systm.h>
44#include <sys/malloc.h>
45#include <sys/mbuf.h>
46#include <sys/domain.h>
47#include <sys/protosw.h>
48#include <sys/socket.h>
49#include <sys/socketvar.h>
50#include <sys/errno.h>
51#include <sys/time.h>
52#include <sys/kernel.h>
53#include <sys/syslog.h>
54#include <sys/sysctl.h>
55#include <sys/proc.h>
3f9db7f8 56#include <sys/in_cksum.h>
abf782b3 57#include <sys/thread2.h>
984263bc
MD
58
59#include <net/if.h>
60#include <net/route.h>
61
62#include <netinet/in.h>
63#include <netinet/in_systm.h>
64#include <netinet/ip.h>
65#include <netinet/ip_var.h>
66#include <netinet/in_var.h>
67#include <netinet/udp.h>
68#include <netinet/udp_var.h>
69#include <netinet/ip_ecn.h>
70#ifdef INET6
71#include <netinet6/ip6_ecn.h>
72#endif
73#include <netinet/tcp.h>
74#include <netinet/udp.h>
75
76#include <netinet/ip6.h>
77#ifdef INET6
78#include <netinet6/ip6_var.h>
79#endif
80#include <netinet/in_pcb.h>
81#ifdef INET6
82#include <netinet/icmp6.h>
83#endif
84
85#include <netinet6/ipsec.h>
86#ifdef INET6
87#include <netinet6/ipsec6.h>
88#endif
89#include <netinet6/ah.h>
90#ifdef INET6
91#include <netinet6/ah6.h>
92#endif
93#ifdef IPSEC_ESP
94#include <netinet6/esp.h>
95#ifdef INET6
96#include <netinet6/esp6.h>
97#endif
98#endif
99#include <netinet6/ipcomp.h>
100#ifdef INET6
101#include <netinet6/ipcomp6.h>
102#endif
d2438d69
MD
103#include <netproto/key/key.h>
104#include <netproto/key/keydb.h>
105#include <netproto/key/key_debug.h>
984263bc 106
984263bc
MD
107#include <net/net_osdep.h>
108
109#ifdef IPSEC_DEBUG
110int ipsec_debug = 1;
111#else
112int ipsec_debug = 0;
113#endif
114
115struct ipsecstat ipsecstat;
116int ip4_ah_cleartos = 1;
117int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
118int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
119int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
120int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
121int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
122int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
123struct secpolicy ip4_def_policy;
124int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
125int ip4_esp_randpad = -1;
126
127#ifdef SYSCTL_DECL
128SYSCTL_DECL(_net_inet_ipsec);
129#ifdef INET6
130SYSCTL_DECL(_net_inet6_ipsec6);
131#endif
132#endif
133
134/* net.inet.ipsec */
135SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
136 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
137SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
138 def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "");
139SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
140 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
141SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
142 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
143SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
144 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
145SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
146 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
147SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
148 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
149SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
150 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
151SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
152 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
153SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
154 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
155SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
156 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
157SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
158 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
159
160#ifdef INET6
161struct ipsecstat ipsec6stat;
162int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
163int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
164int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
165int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
166struct secpolicy ip6_def_policy;
167int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
168int ip6_esp_randpad = -1;
169
170/* net.inet6.ipsec6 */
171SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
172 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
173SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
174 def_policy, CTLFLAG_RW, &ip6_def_policy.policy, 0, "");
175SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
176 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
177SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
178 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
179SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
180 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
181SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
182 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
183SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
184 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
185SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
186 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
187SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
188 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
189#endif /* INET6 */
190
191static int ipsec_setspidx_mbuf
56d702cc
RG
192 (struct secpolicyindex *, u_int, u_int, struct mbuf *, int);
193static int ipsec4_setspidx_inpcb (struct mbuf *, struct inpcb *pcb);
984263bc 194#ifdef INET6
56d702cc 195static int ipsec6_setspidx_in6pcb (struct mbuf *, struct in6pcb *pcb);
984263bc 196#endif
56d702cc
RG
197static int ipsec_setspidx (struct mbuf *, struct secpolicyindex *, int);
198static void ipsec4_get_ulp (struct mbuf *m, struct secpolicyindex *, int);
199static int ipsec4_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *);
984263bc 200#ifdef INET6
56d702cc
RG
201static void ipsec6_get_ulp (struct mbuf *m, struct secpolicyindex *, int);
202static int ipsec6_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *);
203#endif
204static struct inpcbpolicy *ipsec_newpcbpolicy (void);
205static void ipsec_delpcbpolicy (struct inpcbpolicy *);
206static struct secpolicy *ipsec_deepcopy_policy (struct secpolicy *src);
207static int ipsec_set_policy (struct secpolicy **pcb_sp,
208 int optname, caddr_t request, size_t len, int priv);
209static int ipsec_get_policy (struct secpolicy *pcb_sp, struct mbuf **mp);
210static void vshiftl (unsigned char *, int, int);
211static int ipsec_in_reject (struct secpolicy *, struct mbuf *);
212static size_t ipsec_hdrsiz (struct secpolicy *);
984263bc 213#ifdef INET
56d702cc 214static struct mbuf *ipsec4_splithdr (struct mbuf *);
984263bc
MD
215#endif
216#ifdef INET6
56d702cc 217static struct mbuf *ipsec6_splithdr (struct mbuf *);
984263bc
MD
218#endif
219#ifdef INET
56d702cc 220static int ipsec4_encapsulate (struct mbuf *, struct secasvar *);
984263bc
MD
221#endif
222#ifdef INET6
56d702cc 223static int ipsec6_encapsulate (struct mbuf *, struct secasvar *);
984263bc
MD
224#endif
225
226/*
227 * For OUTBOUND packet having a socket. Searching SPD for packet,
228 * and return a pointer to SP.
229 * OUT: NULL: no apropreate SP found, the following value is set to error.
230 * 0 : bypass
231 * EACCES : discard packet.
232 * ENOENT : ipsec_acquire() in progress, maybe.
233 * others : error occured.
234 * others: a pointer to SP
235 *
236 * NOTE: IPv6 mapped adddress concern is implemented here.
237 */
238struct secpolicy *
122ebd49 239ipsec4_getpolicybysock(struct mbuf *m, u_int dir, struct socket *so, int *error)
984263bc
MD
240{
241 struct inpcbpolicy *pcbsp = NULL;
242 struct secpolicy *currsp = NULL; /* policy on socket */
243 struct secpolicy *kernsp = NULL; /* policy on kernel */
244
245 /* sanity check */
246 if (m == NULL || so == NULL || error == NULL)
247 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
248
249 switch (so->so_proto->pr_domain->dom_family) {
250 case AF_INET:
251 /* set spidx in pcb */
ed894f8c 252 *error = ipsec4_setspidx_inpcb(m, so->so_pcb);
984263bc
MD
253 break;
254#ifdef INET6
255 case AF_INET6:
256 /* set spidx in pcb */
ed894f8c 257 *error = ipsec6_setspidx_in6pcb(m, so->so_pcb);
984263bc
MD
258 break;
259#endif
260 default:
261 panic("ipsec4_getpolicybysock: unsupported address family\n");
262 }
263 if (*error)
264 return NULL;
265 switch (so->so_proto->pr_domain->dom_family) {
266 case AF_INET:
267 pcbsp = sotoinpcb(so)->inp_sp;
268 break;
269#ifdef INET6
270 case AF_INET6:
271 pcbsp = sotoin6pcb(so)->in6p_sp;
272 break;
273#endif
274 }
275
276 /* sanity check */
277 if (pcbsp == NULL)
278 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
279
280 switch (dir) {
281 case IPSEC_DIR_INBOUND:
282 currsp = pcbsp->sp_in;
283 break;
284 case IPSEC_DIR_OUTBOUND:
285 currsp = pcbsp->sp_out;
286 break;
287 default:
288 panic("ipsec4_getpolicybysock: illegal direction.");
289 }
290
291 /* sanity check */
292 if (currsp == NULL)
293 panic("ipsec4_getpolicybysock: currsp is NULL.");
294
295 /* when privilieged socket */
296 if (pcbsp->priv) {
297 switch (currsp->policy) {
298 case IPSEC_POLICY_BYPASS:
299 currsp->refcnt++;
300 *error = 0;
301 return currsp;
302
303 case IPSEC_POLICY_ENTRUST:
304 /* look for a policy in SPD */
305 kernsp = key_allocsp(&currsp->spidx, dir);
306
307 /* SP found */
308 if (kernsp != NULL) {
309 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
a6ec04bc 310 kprintf("DP ipsec4_getpolicybysock called "
984263bc
MD
311 "to allocate SP:%p\n", kernsp));
312 *error = 0;
313 return kernsp;
314 }
315
316 /* no SP found */
317 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
318 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
319 ipseclog((LOG_INFO,
320 "fixed system default policy: %d->%d\n",
321 ip4_def_policy.policy, IPSEC_POLICY_NONE));
322 ip4_def_policy.policy = IPSEC_POLICY_NONE;
323 }
324 ip4_def_policy.refcnt++;
325 *error = 0;
326 return &ip4_def_policy;
327
328 case IPSEC_POLICY_IPSEC:
329 currsp->refcnt++;
330 *error = 0;
331 return currsp;
332
333 default:
334 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
335 "Invalid policy for PCB %d\n", currsp->policy));
336 *error = EINVAL;
337 return NULL;
338 }
339 /* NOTREACHED */
340 }
341
342 /* when non-privilieged socket */
343 /* look for a policy in SPD */
344 kernsp = key_allocsp(&currsp->spidx, dir);
345
346 /* SP found */
347 if (kernsp != NULL) {
348 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
a6ec04bc 349 kprintf("DP ipsec4_getpolicybysock called "
984263bc
MD
350 "to allocate SP:%p\n", kernsp));
351 *error = 0;
352 return kernsp;
353 }
354
355 /* no SP found */
356 switch (currsp->policy) {
357 case IPSEC_POLICY_BYPASS:
358 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
359 "Illegal policy for non-priviliged defined %d\n",
360 currsp->policy));
361 *error = EINVAL;
362 return NULL;
363
364 case IPSEC_POLICY_ENTRUST:
365 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
366 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
367 ipseclog((LOG_INFO,
368 "fixed system default policy: %d->%d\n",
369 ip4_def_policy.policy, IPSEC_POLICY_NONE));
370 ip4_def_policy.policy = IPSEC_POLICY_NONE;
371 }
372 ip4_def_policy.refcnt++;
373 *error = 0;
374 return &ip4_def_policy;
375
376 case IPSEC_POLICY_IPSEC:
377 currsp->refcnt++;
378 *error = 0;
379 return currsp;
380
381 default:
382 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
383 "Invalid policy for PCB %d\n", currsp->policy));
384 *error = EINVAL;
385 return NULL;
386 }
387 /* NOTREACHED */
388}
389
390/*
391 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
392 * and return a pointer to SP.
393 * OUT: positive: a pointer to the entry for security policy leaf matched.
394 * NULL: no apropreate SP found, the following value is set to error.
395 * 0 : bypass
396 * EACCES : discard packet.
397 * ENOENT : ipsec_acquire() in progress, maybe.
398 * others : error occured.
399 */
400struct secpolicy *
122ebd49 401ipsec4_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
984263bc
MD
402{
403 struct secpolicy *sp = NULL;
404
405 /* sanity check */
406 if (m == NULL || error == NULL)
407 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
408
409 {
410 struct secpolicyindex spidx;
411
412 bzero(&spidx, sizeof(spidx));
413
414 /* make a index to look for a policy */
415 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
416 (flag & IP_FORWARDING) ? 0 : 1);
417
418 if (*error != 0)
419 return NULL;
420
421 sp = key_allocsp(&spidx, dir);
422 }
423
424 /* SP found */
425 if (sp != NULL) {
426 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
a6ec04bc 427 kprintf("DP ipsec4_getpolicybyaddr called "
984263bc
MD
428 "to allocate SP:%p\n", sp));
429 *error = 0;
430 return sp;
431 }
432
433 /* no SP found */
434 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
435 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
436 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
437 ip4_def_policy.policy,
438 IPSEC_POLICY_NONE));
439 ip4_def_policy.policy = IPSEC_POLICY_NONE;
440 }
441 ip4_def_policy.refcnt++;
442 *error = 0;
443 return &ip4_def_policy;
444}
445
446#ifdef INET6
447/*
448 * For OUTBOUND packet having a socket. Searching SPD for packet,
449 * and return a pointer to SP.
450 * OUT: NULL: no apropreate SP found, the following value is set to error.
451 * 0 : bypass
452 * EACCES : discard packet.
453 * ENOENT : ipsec_acquire() in progress, maybe.
454 * others : error occured.
455 * others: a pointer to SP
456 */
457struct secpolicy *
122ebd49 458ipsec6_getpolicybysock(struct mbuf *m, u_int dir, struct socket *so, int *error)
984263bc
MD
459{
460 struct inpcbpolicy *pcbsp = NULL;
461 struct secpolicy *currsp = NULL; /* policy on socket */
462 struct secpolicy *kernsp = NULL; /* policy on kernel */
463
464 /* sanity check */
465 if (m == NULL || so == NULL || error == NULL)
466 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
467
468#ifdef DIAGNOSTIC
469 if (so->so_proto->pr_domain->dom_family != AF_INET6)
470 panic("ipsec6_getpolicybysock: socket domain != inet6");
471#endif
472
473 /* set spidx in pcb */
ed894f8c 474 ipsec6_setspidx_in6pcb(m, so->so_pcb);
984263bc
MD
475
476 pcbsp = sotoin6pcb(so)->in6p_sp;
477
478 /* sanity check */
479 if (pcbsp == NULL)
480 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
481
482 switch (dir) {
483 case IPSEC_DIR_INBOUND:
484 currsp = pcbsp->sp_in;
485 break;
486 case IPSEC_DIR_OUTBOUND:
487 currsp = pcbsp->sp_out;
488 break;
489 default:
490 panic("ipsec6_getpolicybysock: illegal direction.");
491 }
492
493 /* sanity check */
494 if (currsp == NULL)
495 panic("ipsec6_getpolicybysock: currsp is NULL.");
496
497 /* when privilieged socket */
498 if (pcbsp->priv) {
499 switch (currsp->policy) {
500 case IPSEC_POLICY_BYPASS:
501 currsp->refcnt++;
502 *error = 0;
503 return currsp;
504
505 case IPSEC_POLICY_ENTRUST:
506 /* look for a policy in SPD */
507 kernsp = key_allocsp(&currsp->spidx, dir);
508
509 /* SP found */
510 if (kernsp != NULL) {
511 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
a6ec04bc 512 kprintf("DP ipsec6_getpolicybysock called "
984263bc
MD
513 "to allocate SP:%p\n", kernsp));
514 *error = 0;
515 return kernsp;
516 }
517
518 /* no SP found */
519 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
520 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
521 ipseclog((LOG_INFO,
522 "fixed system default policy: %d->%d\n",
523 ip6_def_policy.policy, IPSEC_POLICY_NONE));
524 ip6_def_policy.policy = IPSEC_POLICY_NONE;
525 }
526 ip6_def_policy.refcnt++;
527 *error = 0;
528 return &ip6_def_policy;
529
530 case IPSEC_POLICY_IPSEC:
531 currsp->refcnt++;
532 *error = 0;
533 return currsp;
534
535 default:
536 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
537 "Invalid policy for PCB %d\n", currsp->policy));
538 *error = EINVAL;
539 return NULL;
540 }
541 /* NOTREACHED */
542 }
543
544 /* when non-privilieged socket */
545 /* look for a policy in SPD */
546 kernsp = key_allocsp(&currsp->spidx, dir);
547
548 /* SP found */
549 if (kernsp != NULL) {
550 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
a6ec04bc 551 kprintf("DP ipsec6_getpolicybysock called "
984263bc
MD
552 "to allocate SP:%p\n", kernsp));
553 *error = 0;
554 return kernsp;
555 }
556
557 /* no SP found */
558 switch (currsp->policy) {
559 case IPSEC_POLICY_BYPASS:
560 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
561 "Illegal policy for non-priviliged defined %d\n",
562 currsp->policy));
563 *error = EINVAL;
564 return NULL;
565
566 case IPSEC_POLICY_ENTRUST:
567 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
568 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
569 ipseclog((LOG_INFO,
570 "fixed system default policy: %d->%d\n",
571 ip6_def_policy.policy, IPSEC_POLICY_NONE));
572 ip6_def_policy.policy = IPSEC_POLICY_NONE;
573 }
574 ip6_def_policy.refcnt++;
575 *error = 0;
576 return &ip6_def_policy;
577
578 case IPSEC_POLICY_IPSEC:
579 currsp->refcnt++;
580 *error = 0;
581 return currsp;
582
583 default:
584 ipseclog((LOG_ERR,
585 "ipsec6_policybysock: Invalid policy for PCB %d\n",
586 currsp->policy));
587 *error = EINVAL;
588 return NULL;
589 }
590 /* NOTREACHED */
591}
592
593/*
594 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
595 * and return a pointer to SP.
596 * `flag' means that packet is to be forwarded whether or not.
597 * flag = 1: forwad
598 * OUT: positive: a pointer to the entry for security policy leaf matched.
599 * NULL: no apropreate SP found, the following value is set to error.
600 * 0 : bypass
601 * EACCES : discard packet.
602 * ENOENT : ipsec_acquire() in progress, maybe.
603 * others : error occured.
604 */
605#ifndef IP_FORWARDING
606#define IP_FORWARDING 1
607#endif
608
609struct secpolicy *
122ebd49 610ipsec6_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
984263bc
MD
611{
612 struct secpolicy *sp = NULL;
613
614 /* sanity check */
615 if (m == NULL || error == NULL)
616 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
617
618 {
619 struct secpolicyindex spidx;
620
621 bzero(&spidx, sizeof(spidx));
622
623 /* make a index to look for a policy */
624 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
625 (flag & IP_FORWARDING) ? 0 : 1);
626
627 if (*error != 0)
628 return NULL;
629
630 sp = key_allocsp(&spidx, dir);
631 }
632
633 /* SP found */
634 if (sp != NULL) {
635 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
a6ec04bc 636 kprintf("DP ipsec6_getpolicybyaddr called "
984263bc
MD
637 "to allocate SP:%p\n", sp));
638 *error = 0;
639 return sp;
640 }
641
642 /* no SP found */
643 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
644 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
645 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
646 ip6_def_policy.policy, IPSEC_POLICY_NONE));
647 ip6_def_policy.policy = IPSEC_POLICY_NONE;
648 }
649 ip6_def_policy.refcnt++;
650 *error = 0;
651 return &ip6_def_policy;
652}
653#endif /* INET6 */
654
655/*
656 * set IP address into spidx from mbuf.
657 * When Forwarding packet and ICMP echo reply, this function is used.
658 *
659 * IN: get the followings from mbuf.
660 * protocol family, src, dst, next protocol
661 * OUT:
662 * 0: success.
663 * other: failure, and set errno.
664 */
665int
122ebd49
CP
666ipsec_setspidx_mbuf(struct secpolicyindex *spidx, u_int dir, u_int family,
667 struct mbuf *m, int needport)
984263bc
MD
668{
669 int error;
670
671 /* sanity check */
672 if (spidx == NULL || m == NULL)
673 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
674
675 bzero(spidx, sizeof(*spidx));
676
677 error = ipsec_setspidx(m, spidx, needport);
678 if (error)
679 goto bad;
680 spidx->dir = dir;
681
682 return 0;
683
bde3511a 684bad:
984263bc
MD
685 /* XXX initialize */
686 bzero(spidx, sizeof(*spidx));
687 return EINVAL;
688}
689
690static int
122ebd49 691ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb)
984263bc
MD
692{
693 struct secpolicyindex *spidx;
694 int error;
695
696 /* sanity check */
697 if (pcb == NULL)
698 panic("ipsec4_setspidx_inpcb: no PCB found.");
699 if (pcb->inp_sp == NULL)
700 panic("ipsec4_setspidx_inpcb: no inp_sp found.");
701 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL)
702 panic("ipsec4_setspidx_inpcb: no sp_in/out found.");
703
704 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
705 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
706
707 spidx = &pcb->inp_sp->sp_in->spidx;
708 error = ipsec_setspidx(m, spidx, 1);
709 if (error)
710 goto bad;
711 spidx->dir = IPSEC_DIR_INBOUND;
712
713 spidx = &pcb->inp_sp->sp_out->spidx;
714 error = ipsec_setspidx(m, spidx, 1);
715 if (error)
716 goto bad;
717 spidx->dir = IPSEC_DIR_OUTBOUND;
718
719 return 0;
720
721bad:
722 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
723 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
724 return error;
725}
726
727#ifdef INET6
728static int
122ebd49 729ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb)
984263bc
MD
730{
731 struct secpolicyindex *spidx;
732 int error;
733
734 /* sanity check */
735 if (pcb == NULL)
736 panic("ipsec6_setspidx_in6pcb: no PCB found.");
737 if (pcb->in6p_sp == NULL)
738 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.");
739 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL)
740 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.");
741
742 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
743 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
744
745 spidx = &pcb->in6p_sp->sp_in->spidx;
746 error = ipsec_setspidx(m, spidx, 1);
747 if (error)
748 goto bad;
749 spidx->dir = IPSEC_DIR_INBOUND;
750
751 spidx = &pcb->in6p_sp->sp_out->spidx;
752 error = ipsec_setspidx(m, spidx, 1);
753 if (error)
754 goto bad;
755 spidx->dir = IPSEC_DIR_OUTBOUND;
756
757 return 0;
758
759bad:
760 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
761 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
762 return error;
763}
764#endif
765
766/*
767 * configure security policy index (src/dst/proto/sport/dport)
768 * by looking at the content of mbuf.
769 * the caller is responsible for error recovery (like clearing up spidx).
770 */
771static int
122ebd49 772ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
984263bc
MD
773{
774 struct ip *ip = NULL;
775 struct ip ipbuf;
776 u_int v;
777 struct mbuf *n;
778 int len;
779 int error;
780
781 if (m == NULL)
782 panic("ipsec_setspidx: m == 0 passed.");
783
784 /*
785 * validate m->m_pkthdr.len. we see incorrect length if we
786 * mistakenly call this function with inconsistent mbuf chain
787 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
788 */
789 len = 0;
790 for (n = m; n; n = n->m_next)
791 len += n->m_len;
792 if (m->m_pkthdr.len != len) {
793 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
a6ec04bc 794 kprintf("ipsec_setspidx: "
984263bc
MD
795 "total of m_len(%d) != pkthdr.len(%d), "
796 "ignored.\n",
797 len, m->m_pkthdr.len));
798 return EINVAL;
799 }
800
801 if (m->m_pkthdr.len < sizeof(struct ip)) {
802 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
a6ec04bc 803 kprintf("ipsec_setspidx: "
984263bc
MD
804 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
805 m->m_pkthdr.len));
806 return EINVAL;
807 }
808
809 if (m->m_len >= sizeof(*ip))
810 ip = mtod(m, struct ip *);
811 else {
812 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
813 ip = &ipbuf;
814 }
815#ifdef _IP_VHL
816 v = _IP_VHL_V(ip->ip_vhl);
817#else
818 v = ip->ip_v;
819#endif
820 switch (v) {
821 case 4:
822 error = ipsec4_setspidx_ipaddr(m, spidx);
823 if (error)
824 return error;
825 ipsec4_get_ulp(m, spidx, needport);
826 return 0;
827#ifdef INET6
828 case 6:
829 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
830 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
a6ec04bc 831 kprintf("ipsec_setspidx: "
984263bc
MD
832 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
833 "ignored.\n", m->m_pkthdr.len));
834 return EINVAL;
835 }
836 error = ipsec6_setspidx_ipaddr(m, spidx);
837 if (error)
838 return error;
839 ipsec6_get_ulp(m, spidx, needport);
840 return 0;
841#endif
842 default:
843 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
a6ec04bc 844 kprintf("ipsec_setspidx: "
984263bc
MD
845 "unknown IP version %u, ignored.\n", v));
846 return EINVAL;
847 }
848}
849
850static void
122ebd49 851ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
984263bc
MD
852{
853 struct ip ip;
854 struct ip6_ext ip6e;
855 u_int8_t nxt;
856 int off;
857 struct tcphdr th;
858 struct udphdr uh;
859
860 /* sanity check */
861 if (m == NULL)
862 panic("ipsec4_get_ulp: NULL pointer was passed.");
863 if (m->m_pkthdr.len < sizeof(ip))
864 panic("ipsec4_get_ulp: too short");
865
866 /* set default */
867 spidx->ul_proto = IPSEC_ULPROTO_ANY;
868 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
869 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
870
871 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
872 /* ip_input() flips it into host endian XXX need more checking */
873 if (ip.ip_off & (IP_MF | IP_OFFMASK))
874 return;
875
876 nxt = ip.ip_p;
877#ifdef _IP_VHL
878 off = _IP_VHL_HL(ip->ip_vhl) << 2;
879#else
880 off = ip.ip_hl << 2;
881#endif
882 while (off < m->m_pkthdr.len) {
883 switch (nxt) {
884 case IPPROTO_TCP:
885 spidx->ul_proto = nxt;
886 if (!needport)
887 return;
888 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
889 return;
890 m_copydata(m, off, sizeof(th), (caddr_t)&th);
891 ((struct sockaddr_in *)&spidx->src)->sin_port =
892 th.th_sport;
893 ((struct sockaddr_in *)&spidx->dst)->sin_port =
894 th.th_dport;
895 return;
896 case IPPROTO_UDP:
897 spidx->ul_proto = nxt;
898 if (!needport)
899 return;
900 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
901 return;
902 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
903 ((struct sockaddr_in *)&spidx->src)->sin_port =
904 uh.uh_sport;
905 ((struct sockaddr_in *)&spidx->dst)->sin_port =
906 uh.uh_dport;
907 return;
908 case IPPROTO_AH:
b657cba1 909 if (off + sizeof(ip6e) > m->m_pkthdr.len)
984263bc
MD
910 return;
911 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
912 off += (ip6e.ip6e_len + 2) << 2;
913 nxt = ip6e.ip6e_nxt;
914 break;
915 case IPPROTO_ICMP:
916 default:
917 /* XXX intermediate headers??? */
918 spidx->ul_proto = nxt;
919 return;
920 }
921 }
922}
923
924/* assumes that m is sane */
925static int
122ebd49 926ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
984263bc
MD
927{
928 struct ip *ip = NULL;
929 struct ip ipbuf;
930 struct sockaddr_in *sin;
931
932 if (m->m_len >= sizeof(*ip))
933 ip = mtod(m, struct ip *);
934 else {
935 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
936 ip = &ipbuf;
937 }
938
939 sin = (struct sockaddr_in *)&spidx->src;
940 bzero(sin, sizeof(*sin));
941 sin->sin_family = AF_INET;
942 sin->sin_len = sizeof(struct sockaddr_in);
943 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
944 spidx->prefs = sizeof(struct in_addr) << 3;
945
946 sin = (struct sockaddr_in *)&spidx->dst;
947 bzero(sin, sizeof(*sin));
948 sin->sin_family = AF_INET;
949 sin->sin_len = sizeof(struct sockaddr_in);
950 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
951 spidx->prefd = sizeof(struct in_addr) << 3;
952 return 0;
953}
954
955#ifdef INET6
956static void
122ebd49 957ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
984263bc
MD
958{
959 int off, nxt;
960 struct tcphdr th;
961 struct udphdr uh;
962
963 /* sanity check */
964 if (m == NULL)
965 panic("ipsec6_get_ulp: NULL pointer was passed.");
966
967 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
a6ec04bc 968 kprintf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
984263bc
MD
969
970 /* set default */
971 spidx->ul_proto = IPSEC_ULPROTO_ANY;
972 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
973 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
974
975 nxt = -1;
976 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
977 if (off < 0 || m->m_pkthdr.len < off)
978 return;
979
980 switch (nxt) {
981 case IPPROTO_TCP:
982 spidx->ul_proto = nxt;
983 if (!needport)
984 break;
985 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
986 break;
987 m_copydata(m, off, sizeof(th), (caddr_t)&th);
988 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
989 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
990 break;
991 case IPPROTO_UDP:
992 spidx->ul_proto = nxt;
993 if (!needport)
994 break;
995 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
996 break;
997 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
998 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
999 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1000 break;
1001 case IPPROTO_ICMPV6:
1002 default:
1003 /* XXX intermediate headers??? */
1004 spidx->ul_proto = nxt;
1005 break;
1006 }
1007}
1008
1009/* assumes that m is sane */
1010static int
122ebd49 1011ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
984263bc
MD
1012{
1013 struct ip6_hdr *ip6 = NULL;
1014 struct ip6_hdr ip6buf;
1015 struct sockaddr_in6 *sin6;
1016
1017 if (m->m_len >= sizeof(*ip6))
1018 ip6 = mtod(m, struct ip6_hdr *);
1019 else {
1020 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1021 ip6 = &ip6buf;
1022 }
1023
1024 sin6 = (struct sockaddr_in6 *)&spidx->src;
1025 bzero(sin6, sizeof(*sin6));
1026 sin6->sin6_family = AF_INET6;
1027 sin6->sin6_len = sizeof(struct sockaddr_in6);
1028 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
1029 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1030 sin6->sin6_addr.s6_addr16[1] = 0;
1031 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1032 }
1033 spidx->prefs = sizeof(struct in6_addr) << 3;
1034
1035 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1036 bzero(sin6, sizeof(*sin6));
1037 sin6->sin6_family = AF_INET6;
1038 sin6->sin6_len = sizeof(struct sockaddr_in6);
1039 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
1040 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1041 sin6->sin6_addr.s6_addr16[1] = 0;
1042 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1043 }
1044 spidx->prefd = sizeof(struct in6_addr) << 3;
1045
1046 return 0;
1047}
1048#endif
1049
1050static struct inpcbpolicy *
122ebd49 1051ipsec_newpcbpolicy(void)
984263bc
MD
1052{
1053 struct inpcbpolicy *p;
1054
efda3bd0 1055 p = (struct inpcbpolicy *)kmalloc(sizeof(*p), M_SECA, M_NOWAIT);
984263bc
MD
1056 return p;
1057}
1058
1059static void
122ebd49 1060ipsec_delpcbpolicy(struct inpcbpolicy *p)
984263bc 1061{
efda3bd0 1062 kfree(p, M_SECA);
984263bc
MD
1063}
1064
1065/* initialize policy in PCB */
1066int
122ebd49 1067ipsec_init_policy(struct socket *so, struct inpcbpolicy **pcb_sp)
984263bc
MD
1068{
1069 struct inpcbpolicy *new;
1070
1071 /* sanity check. */
1072 if (so == NULL || pcb_sp == NULL)
1073 panic("ipsec_init_policy: NULL pointer was passed.");
1074
1075 new = ipsec_newpcbpolicy();
1076 if (new == NULL) {
1077 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1078 return ENOBUFS;
1079 }
1080 bzero(new, sizeof(*new));
1081
1082 if (so->so_cred != 0 && so->so_cred->cr_uid == 0)
1083 new->priv = 1;
1084 else
1085 new->priv = 0;
1086
1087 if ((new->sp_in = key_newsp()) == NULL) {
1088 ipsec_delpcbpolicy(new);
1089 return ENOBUFS;
1090 }
1091 new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1092 new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1093
1094 if ((new->sp_out = key_newsp()) == NULL) {
1095 key_freesp(new->sp_in);
1096 ipsec_delpcbpolicy(new);
1097 return ENOBUFS;
1098 }
1099 new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1100 new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1101
1102 *pcb_sp = new;
1103
1104 return 0;
1105}
1106
1107/* copy old ipsec policy into new */
1108int
122ebd49 1109ipsec_copy_policy(struct inpcbpolicy *old, struct inpcbpolicy *new)
984263bc
MD
1110{
1111 struct secpolicy *sp;
1112
1113 sp = ipsec_deepcopy_policy(old->sp_in);
1114 if (sp) {
1115 key_freesp(new->sp_in);
1116 new->sp_in = sp;
1117 } else
1118 return ENOBUFS;
1119
1120 sp = ipsec_deepcopy_policy(old->sp_out);
1121 if (sp) {
1122 key_freesp(new->sp_out);
1123 new->sp_out = sp;
1124 } else
1125 return ENOBUFS;
1126
1127 new->priv = old->priv;
1128
1129 return 0;
1130}
1131
1132/* deep-copy a policy in PCB */
1133static struct secpolicy *
122ebd49 1134ipsec_deepcopy_policy(struct secpolicy *src)
984263bc
MD
1135{
1136 struct ipsecrequest *newchain = NULL;
1137 struct ipsecrequest *p;
1138 struct ipsecrequest **q;
1139 struct ipsecrequest *r;
1140 struct secpolicy *dst;
1141
1142 dst = key_newsp();
1143 if (src == NULL || dst == NULL)
1144 return NULL;
1145
1146 /*
1147 * deep-copy IPsec request chain. This is required since struct
1148 * ipsecrequest is not reference counted.
1149 */
1150 q = &newchain;
1151 for (p = src->req; p; p = p->next) {
77652cad 1152 *q = (struct ipsecrequest *)kmalloc(sizeof(struct ipsecrequest),
e7b4468c 1153 M_SECA, M_NOWAIT | M_ZERO);
984263bc
MD
1154 if (*q == NULL)
1155 goto fail;
984263bc
MD
1156 (*q)->next = NULL;
1157
1158 (*q)->saidx.proto = p->saidx.proto;
1159 (*q)->saidx.mode = p->saidx.mode;
1160 (*q)->level = p->level;
1161 (*q)->saidx.reqid = p->saidx.reqid;
1162
1163 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1164 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1165
1166 (*q)->sav = NULL;
1167 (*q)->sp = dst;
1168
1169 q = &((*q)->next);
1170 }
1171
1172 dst->req = newchain;
1173 dst->state = src->state;
1174 dst->policy = src->policy;
1175 /* do not touch the refcnt fields */
1176
1177 return dst;
1178
1179fail:
1180 for (p = newchain; p; p = r) {
1181 r = p->next;
efda3bd0 1182 kfree(p, M_SECA);
984263bc
MD
1183 p = NULL;
1184 }
1185 return NULL;
1186}
1187
1188/* set policy and ipsec request if present. */
1189static int
122ebd49
CP
1190ipsec_set_policy(struct secpolicy **pcb_sp, int optname, caddr_t request,
1191 size_t len, int priv)
984263bc
MD
1192{
1193 struct sadb_x_policy *xpl;
1194 struct secpolicy *newsp = NULL;
1195 int error;
1196
1197 /* sanity check. */
1198 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL)
1199 return EINVAL;
1200 if (len < sizeof(*xpl))
1201 return EINVAL;
1202 xpl = (struct sadb_x_policy *)request;
1203
1204 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
a6ec04bc 1205 kprintf("ipsec_set_policy: passed policy\n");
984263bc
MD
1206 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1207
1208 /* check policy type */
1209 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1210 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1211 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1212 return EINVAL;
1213
1214 /* check privileged socket */
1215 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1216 return EACCES;
1217
1218 /* allocation new SP entry */
1219 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1220 return error;
1221
1222 newsp->state = IPSEC_SPSTATE_ALIVE;
1223
1224 /* clear old SP and set new SP */
1225 key_freesp(*pcb_sp);
1226 *pcb_sp = newsp;
1227 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
a6ec04bc 1228 kprintf("ipsec_set_policy: new policy\n");
984263bc
MD
1229 kdebug_secpolicy(newsp));
1230
1231 return 0;
1232}
1233
1234static int
122ebd49 1235ipsec_get_policy(struct secpolicy *pcb_sp, struct mbuf **mp)
984263bc
MD
1236{
1237
1238 /* sanity check. */
1239 if (pcb_sp == NULL || mp == NULL)
1240 return EINVAL;
1241
1242 *mp = key_sp2msg(pcb_sp);
1243 if (!*mp) {
1244 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1245 return ENOBUFS;
1246 }
1247
c2999a86 1248 KKASSERT((*mp)->m_type == MT_DATA);
984263bc 1249 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
a6ec04bc 1250 kprintf("ipsec_get_policy:\n");
984263bc
MD
1251 kdebug_mbuf(*mp));
1252
1253 return 0;
1254}
1255
1256int
122ebd49
CP
1257ipsec4_set_policy(struct inpcb *inp, int optname, caddr_t request, size_t len,
1258 int priv)
984263bc
MD
1259{
1260 struct sadb_x_policy *xpl;
1261 struct secpolicy **pcb_sp;
1262
1263 /* sanity check. */
1264 if (inp == NULL || request == NULL)
1265 return EINVAL;
1266 if (len < sizeof(*xpl))
1267 return EINVAL;
1268 xpl = (struct sadb_x_policy *)request;
1269
1270 /* select direction */
1271 switch (xpl->sadb_x_policy_dir) {
1272 case IPSEC_DIR_INBOUND:
1273 pcb_sp = &inp->inp_sp->sp_in;
1274 break;
1275 case IPSEC_DIR_OUTBOUND:
1276 pcb_sp = &inp->inp_sp->sp_out;
1277 break;
1278 default:
1279 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1280 xpl->sadb_x_policy_dir));
1281 return EINVAL;
1282 }
1283
1284 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1285}
1286
1287int
122ebd49
CP
1288ipsec4_get_policy(struct inpcb *inp, caddr_t request, size_t len,
1289 struct mbuf **mp)
984263bc
MD
1290{
1291 struct sadb_x_policy *xpl;
1292 struct secpolicy *pcb_sp;
1293
1294 /* sanity check. */
1295 if (inp == NULL || request == NULL || mp == NULL)
1296 return EINVAL;
1297 if (inp->inp_sp == NULL)
1298 panic("policy in PCB is NULL");
1299 if (len < sizeof(*xpl))
1300 return EINVAL;
1301 xpl = (struct sadb_x_policy *)request;
1302
1303 /* select direction */
1304 switch (xpl->sadb_x_policy_dir) {
1305 case IPSEC_DIR_INBOUND:
1306 pcb_sp = inp->inp_sp->sp_in;
1307 break;
1308 case IPSEC_DIR_OUTBOUND:
1309 pcb_sp = inp->inp_sp->sp_out;
1310 break;
1311 default:
1312 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1313 xpl->sadb_x_policy_dir));
1314 return EINVAL;
1315 }
1316
1317 return ipsec_get_policy(pcb_sp, mp);
1318}
1319
1320/* delete policy in PCB */
1321int
122ebd49 1322ipsec4_delete_pcbpolicy(struct inpcb *inp)
984263bc
MD
1323{
1324 /* sanity check. */
1325 if (inp == NULL)
1326 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1327
1328 if (inp->inp_sp == NULL)
1329 return 0;
1330
1331 if (inp->inp_sp->sp_in != NULL) {
1332 key_freesp(inp->inp_sp->sp_in);
1333 inp->inp_sp->sp_in = NULL;
1334 }
1335
1336 if (inp->inp_sp->sp_out != NULL) {
1337 key_freesp(inp->inp_sp->sp_out);
1338 inp->inp_sp->sp_out = NULL;
1339 }
1340
1341 ipsec_delpcbpolicy(inp->inp_sp);
1342 inp->inp_sp = NULL;
1343
1344 return 0;
1345}
1346
1347#ifdef INET6
1348int
122ebd49
CP
1349ipsec6_set_policy(struct in6pcb *in6p, int optname, caddr_t request, size_t len,
1350 int priv)
984263bc
MD
1351{
1352 struct sadb_x_policy *xpl;
1353 struct secpolicy **pcb_sp;
1354
1355 /* sanity check. */
1356 if (in6p == NULL || request == NULL)
1357 return EINVAL;
1358 if (len < sizeof(*xpl))
1359 return EINVAL;
1360 xpl = (struct sadb_x_policy *)request;
1361
1362 /* select direction */
1363 switch (xpl->sadb_x_policy_dir) {
1364 case IPSEC_DIR_INBOUND:
1365 pcb_sp = &in6p->in6p_sp->sp_in;
1366 break;
1367 case IPSEC_DIR_OUTBOUND:
1368 pcb_sp = &in6p->in6p_sp->sp_out;
1369 break;
1370 default:
1371 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1372 xpl->sadb_x_policy_dir));
1373 return EINVAL;
1374 }
1375
1376 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1377}
1378
1379int
122ebd49
CP
1380ipsec6_get_policy(struct in6pcb *in6p, caddr_t request, size_t len,
1381 struct mbuf **mp)
984263bc
MD
1382{
1383 struct sadb_x_policy *xpl;
1384 struct secpolicy *pcb_sp;
1385
1386 /* sanity check. */
1387 if (in6p == NULL || request == NULL || mp == NULL)
1388 return EINVAL;
1389 if (in6p->in6p_sp == NULL)
1390 panic("policy in PCB is NULL");
1391 if (len < sizeof(*xpl))
1392 return EINVAL;
1393 xpl = (struct sadb_x_policy *)request;
1394
1395 /* select direction */
1396 switch (xpl->sadb_x_policy_dir) {
1397 case IPSEC_DIR_INBOUND:
1398 pcb_sp = in6p->in6p_sp->sp_in;
1399 break;
1400 case IPSEC_DIR_OUTBOUND:
1401 pcb_sp = in6p->in6p_sp->sp_out;
1402 break;
1403 default:
1404 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1405 xpl->sadb_x_policy_dir));
1406 return EINVAL;
1407 }
1408
1409 return ipsec_get_policy(pcb_sp, mp);
1410}
1411
1412int
122ebd49 1413ipsec6_delete_pcbpolicy(struct in6pcb *in6p)
984263bc
MD
1414{
1415 /* sanity check. */
1416 if (in6p == NULL)
1417 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1418
1419 if (in6p->in6p_sp == NULL)
1420 return 0;
1421
1422 if (in6p->in6p_sp->sp_in != NULL) {
1423 key_freesp(in6p->in6p_sp->sp_in);
1424 in6p->in6p_sp->sp_in = NULL;
1425 }
1426
1427 if (in6p->in6p_sp->sp_out != NULL) {
1428 key_freesp(in6p->in6p_sp->sp_out);
1429 in6p->in6p_sp->sp_out = NULL;
1430 }
1431
1432 ipsec_delpcbpolicy(in6p->in6p_sp);
1433 in6p->in6p_sp = NULL;
1434
1435 return 0;
1436}
1437#endif
1438
1439/*
1440 * return current level.
1441 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1442 */
1443u_int
122ebd49 1444ipsec_get_reqlevel(struct ipsecrequest *isr)
984263bc
MD
1445{
1446 u_int level = 0;
1447 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1448
1449 /* sanity check */
1450 if (isr == NULL || isr->sp == NULL)
1451 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1452 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1453 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family)
1454 panic("ipsec_get_reqlevel: family mismatched.");
1455
1456/* XXX note that we have ipseclog() expanded here - code sync issue */
1457#define IPSEC_CHECK_DEFAULT(lev) \
1458 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1459 && (lev) != IPSEC_LEVEL_UNIQUE) \
1460 ? (ipsec_debug \
1461 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1462 (lev), IPSEC_LEVEL_REQUIRE) \
1463 : 0), \
1464 (lev) = IPSEC_LEVEL_REQUIRE, \
1465 (lev) \
1466 : (lev))
1467
1468 /* set default level */
1469 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1470#ifdef INET
1471 case AF_INET:
1472 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1473 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1474 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1475 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1476 break;
1477#endif
1478#ifdef INET6
1479 case AF_INET6:
1480 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1481 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1482 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1483 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1484 break;
1485#endif /* INET6 */
1486 default:
1487 panic("key_get_reqlevel: Unknown family. %d",
1488 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1489 }
1490
1491#undef IPSEC_CHECK_DEFAULT
1492
1493 /* set level */
1494 switch (isr->level) {
1495 case IPSEC_LEVEL_DEFAULT:
1496 switch (isr->saidx.proto) {
1497 case IPPROTO_ESP:
1498 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1499 level = esp_net_deflev;
1500 else
1501 level = esp_trans_deflev;
1502 break;
1503 case IPPROTO_AH:
1504 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1505 level = ah_net_deflev;
1506 else
1507 level = ah_trans_deflev;
1508 case IPPROTO_IPCOMP:
1509 /*
1510 * we don't really care, as IPcomp document says that
1511 * we shouldn't compress small packets
1512 */
1513 level = IPSEC_LEVEL_USE;
1514 break;
1515 default:
1516 panic("ipsec_get_reqlevel: "
1517 "Illegal protocol defined %u",
1518 isr->saidx.proto);
1519 }
1520 break;
1521
1522 case IPSEC_LEVEL_USE:
1523 case IPSEC_LEVEL_REQUIRE:
1524 level = isr->level;
1525 break;
1526 case IPSEC_LEVEL_UNIQUE:
1527 level = IPSEC_LEVEL_REQUIRE;
1528 break;
1529
1530 default:
1531 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1532 isr->level);
1533 }
1534
1535 return level;
1536}
1537
1538/*
1539 * Check AH/ESP integrity.
1540 * OUT:
1541 * 0: valid
1542 * 1: invalid
1543 */
1544static int
122ebd49 1545ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
984263bc
MD
1546{
1547 struct ipsecrequest *isr;
1548 u_int level;
1549 int need_auth, need_conf, need_icv;
1550
1551 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
a6ec04bc 1552 kprintf("ipsec_in_reject: using SP\n");
984263bc
MD
1553 kdebug_secpolicy(sp));
1554
1555 /* check policy */
1556 switch (sp->policy) {
1557 case IPSEC_POLICY_DISCARD:
1558 return 1;
1559 case IPSEC_POLICY_BYPASS:
1560 case IPSEC_POLICY_NONE:
1561 return 0;
1562
1563 case IPSEC_POLICY_IPSEC:
1564 break;
1565
1566 case IPSEC_POLICY_ENTRUST:
1567 default:
1568 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1569 }
1570
1571 need_auth = 0;
1572 need_conf = 0;
1573 need_icv = 0;
1574
1575 /* XXX should compare policy against ipsec header history */
1576
1577 for (isr = sp->req; isr != NULL; isr = isr->next) {
1578
1579 /* get current level */
1580 level = ipsec_get_reqlevel(isr);
1581
1582 switch (isr->saidx.proto) {
1583 case IPPROTO_ESP:
1584 if (level == IPSEC_LEVEL_REQUIRE) {
1585 need_conf++;
1586
1587 if (isr->sav != NULL
1588 && isr->sav->flags == SADB_X_EXT_NONE
1589 && isr->sav->alg_auth != SADB_AALG_NONE)
1590 need_icv++;
1591 }
1592 break;
1593 case IPPROTO_AH:
1594 if (level == IPSEC_LEVEL_REQUIRE) {
1595 need_auth++;
1596 need_icv++;
1597 }
1598 break;
1599 case IPPROTO_IPCOMP:
1600 /*
1601 * we don't really care, as IPcomp document says that
1602 * we shouldn't compress small packets, IPComp policy
1603 * should always be treated as being in "use" level.
1604 */
1605 break;
1606 }
1607 }
1608
1609 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
a6ec04bc 1610 kprintf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
984263bc
MD
1611 need_auth, need_conf, need_icv, m->m_flags));
1612
1613 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1614 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1615 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1616 return 1;
1617
1618 return 0;
1619}
1620
1621/*
1622 * Check AH/ESP integrity.
1623 * This function is called from tcp_input(), udp_input(),
1624 * and {ah,esp}4_input for tunnel mode
1625 */
1626int
122ebd49 1627ipsec4_in_reject_so(struct mbuf *m, struct socket *so)
984263bc
MD
1628{
1629 struct secpolicy *sp = NULL;
1630 int error;
1631 int result;
1632
1633 /* sanity check */
1634 if (m == NULL)
1635 return 0; /* XXX should be panic ? */
1636
1637 /* get SP for this packet.
1638 * When we are called from ip_forward(), we call
1639 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1640 */
1641 if (so == NULL)
1642 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1643 else
1644 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1645
1646 if (sp == NULL)
1647 return 0; /* XXX should be panic ?
1648 * -> No, there may be error. */
1649
1650 result = ipsec_in_reject(sp, m);
1651 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
a6ec04bc 1652 kprintf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
984263bc
MD
1653 key_freesp(sp);
1654
1655 return result;
1656}
1657
1658int
122ebd49 1659ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
984263bc
MD
1660{
1661 if (inp == NULL)
1662 return ipsec4_in_reject_so(m, NULL);
1663 if (inp->inp_socket)
1664 return ipsec4_in_reject_so(m, inp->inp_socket);
1665 else
1666 panic("ipsec4_in_reject: invalid inpcb/socket");
1667}
1668
1669#ifdef INET6
1670/*
1671 * Check AH/ESP integrity.
1672 * This function is called from tcp6_input(), udp6_input(),
1673 * and {ah,esp}6_input for tunnel mode
1674 */
1675int
122ebd49 1676ipsec6_in_reject_so(struct mbuf *m, struct socket *so)
984263bc
MD
1677{
1678 struct secpolicy *sp = NULL;
1679 int error;
1680 int result;
1681
1682 /* sanity check */
1683 if (m == NULL)
1684 return 0; /* XXX should be panic ? */
1685
1686 /* get SP for this packet.
1687 * When we are called from ip_forward(), we call
1688 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1689 */
1690 if (so == NULL)
1691 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1692 else
1693 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1694
1695 if (sp == NULL)
1696 return 0; /* XXX should be panic ? */
1697
1698 result = ipsec_in_reject(sp, m);
1699 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
a6ec04bc 1700 kprintf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
984263bc
MD
1701 key_freesp(sp);
1702
1703 return result;
1704}
1705
1706int
122ebd49 1707ipsec6_in_reject(struct mbuf *m, struct in6pcb *in6p)
984263bc
MD
1708{
1709 if (in6p == NULL)
1710 return ipsec6_in_reject_so(m, NULL);
1711 if (in6p->in6p_socket)
1712 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1713 else
1714 panic("ipsec6_in_reject: invalid in6p/socket");
1715}
1716#endif
1717
1718/*
1719 * compute the byte size to be occupied by IPsec header.
1720 * in case it is tunneled, it includes the size of outer IP header.
1721 * NOTE: SP passed is free in this function.
1722 */
1723static size_t
122ebd49 1724ipsec_hdrsiz(struct secpolicy *sp)
984263bc
MD
1725{
1726 struct ipsecrequest *isr;
1727 size_t siz, clen;
1728
1729 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
a6ec04bc 1730 kprintf("ipsec_hdrsiz: using SP\n");
984263bc
MD
1731 kdebug_secpolicy(sp));
1732
1733 /* check policy */
1734 switch (sp->policy) {
1735 case IPSEC_POLICY_DISCARD:
1736 case IPSEC_POLICY_BYPASS:
1737 case IPSEC_POLICY_NONE:
1738 return 0;
1739
1740 case IPSEC_POLICY_IPSEC:
1741 break;
1742
1743 case IPSEC_POLICY_ENTRUST:
1744 default:
1745 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1746 }
1747
1748 siz = 0;
1749
1750 for (isr = sp->req; isr != NULL; isr = isr->next) {
1751
1752 clen = 0;
1753
1754 switch (isr->saidx.proto) {
1755 case IPPROTO_ESP:
1756#ifdef IPSEC_ESP
1757 clen = esp_hdrsiz(isr);
1758#else
1759 clen = 0; /* XXX */
1760#endif
1761 break;
1762 case IPPROTO_AH:
1763 clen = ah_hdrsiz(isr);
1764 break;
1765 case IPPROTO_IPCOMP:
1766 clen = sizeof(struct ipcomp);
1767 break;
1768 }
1769
1770 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1771 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1772 case AF_INET:
1773 clen += sizeof(struct ip);
1774 break;
1775#ifdef INET6
1776 case AF_INET6:
1777 clen += sizeof(struct ip6_hdr);
1778 break;
1779#endif
1780 default:
1781 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1782 "unknown AF %d in IPsec tunnel SA\n",
1783 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1784 break;
1785 }
1786 }
1787 siz += clen;
1788 }
1789
1790 return siz;
1791}
1792
1793/* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1794size_t
122ebd49 1795ipsec4_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
984263bc
MD
1796{
1797 struct secpolicy *sp = NULL;
1798 int error;
1799 size_t size;
1800
1801 /* sanity check */
1802 if (m == NULL)
1803 return 0; /* XXX should be panic ? */
1804 if (inp != NULL && inp->inp_socket == NULL)
1805 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1806
1807 /* get SP for this packet.
1808 * When we are called from ip_forward(), we call
1809 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1810 */
1811 if (inp == NULL)
1812 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1813 else
1814 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
1815
1816 if (sp == NULL)
1817 return 0; /* XXX should be panic ? */
1818
1819 size = ipsec_hdrsiz(sp);
1820 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
a6ec04bc 1821 kprintf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
984263bc 1822 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
a6ec04bc 1823 kprintf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
984263bc
MD
1824 key_freesp(sp);
1825
1826 return size;
1827}
1828
1829#ifdef INET6
1830/* This function is called from ipsec6_hdrsize_tcp(),
1831 * and maybe from ip6_forward.()
1832 */
1833size_t
122ebd49 1834ipsec6_hdrsiz(struct mbuf *m, u_int dir, struct in6pcb *in6p)
984263bc
MD
1835{
1836 struct secpolicy *sp = NULL;
1837 int error;
1838 size_t size;
1839
1840 /* sanity check */
1841 if (m == NULL)
1842 return 0; /* XXX shoud be panic ? */
1843 if (in6p != NULL && in6p->in6p_socket == NULL)
1844 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
1845
1846 /* get SP for this packet */
1847 /* XXX Is it right to call with IP_FORWARDING. */
1848 if (in6p == NULL)
1849 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1850 else
1851 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
1852
1853 if (sp == NULL)
1854 return 0;
1855 size = ipsec_hdrsiz(sp);
1856 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
a6ec04bc 1857 kprintf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
984263bc 1858 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
a6ec04bc 1859 kprintf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
984263bc
MD
1860 key_freesp(sp);
1861
1862 return size;
1863}
1864#endif /* INET6 */
1865
1866#ifdef INET
1867/*
1868 * encapsulate for ipsec tunnel.
1869 * ip->ip_src must be fixed later on.
1870 */
1871static int
122ebd49 1872ipsec4_encapsulate(struct mbuf *m, struct secasvar *sav)
984263bc
MD
1873{
1874 struct ip *oip;
1875 struct ip *ip;
1876 size_t hlen;
1877 size_t plen;
1878
1879 /* can't tunnel between different AFs */
1880 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
1881 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
1882 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
1883 m_freem(m);
1884 return EINVAL;
1885 }
1886#if 0
1887 /* XXX if the dst is myself, perform nothing. */
1888 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
1889 m_freem(m);
1890 return EINVAL;
1891 }
1892#endif
1893
1894 if (m->m_len < sizeof(*ip))
1895 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1896
1897 ip = mtod(m, struct ip *);
1898#ifdef _IP_VHL
1899 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
1900#else
1901 hlen = ip->ip_hl << 2;
1902#endif
1903
1904 if (m->m_len != hlen)
1905 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1906
1907 /* generate header checksum */
1908 ip->ip_sum = 0;
1909#ifdef _IP_VHL
1910 if (ip->ip_vhl == IP_VHL_BORING)
1911 ip->ip_sum = in_cksum_hdr(ip);
1912 else
1913 ip->ip_sum = in_cksum(m, hlen);
1914#else
1915 ip->ip_sum = in_cksum(m, hlen);
1916#endif
1917
1918 plen = m->m_pkthdr.len;
1919
1920 /*
1921 * grow the mbuf to accomodate the new IPv4 header.
1922 * NOTE: IPv4 options will never be copied.
1923 */
1924 if (M_LEADINGSPACE(m->m_next) < hlen) {
1925 struct mbuf *n;
74f1caca 1926 MGET(n, MB_DONTWAIT, MT_DATA);
984263bc
MD
1927 if (!n) {
1928 m_freem(m);
1929 return ENOBUFS;
1930 }
1931 n->m_len = hlen;
1932 n->m_next = m->m_next;
1933 m->m_next = n;
1934 m->m_pkthdr.len += hlen;
1935 oip = mtod(n, struct ip *);
1936 } else {
1937 m->m_next->m_len += hlen;
1938 m->m_next->m_data -= hlen;
1939 m->m_pkthdr.len += hlen;
1940 oip = mtod(m->m_next, struct ip *);
1941 }
1942 ip = mtod(m, struct ip *);
1943 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
1944 m->m_len = sizeof(struct ip);
1945 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
1946
1947 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
1948 /* ECN consideration. */
1949 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
1950#ifdef _IP_VHL
1951 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
1952#else
1953 ip->ip_hl = sizeof(struct ip) >> 2;
1954#endif
1955 ip->ip_off &= htons(~IP_OFFMASK);
1956 ip->ip_off &= htons(~IP_MF);
1957 switch (ip4_ipsec_dfbit) {
1958 case 0: /* clear DF bit */
1959 ip->ip_off &= htons(~IP_DF);
1960 break;
1961 case 1: /* set DF bit */
1962 ip->ip_off |= htons(IP_DF);
1963 break;
1964 default: /* copy DF bit */
1965 break;
1966 }
1967 ip->ip_p = IPPROTO_IPIP;
1968 if (plen + sizeof(struct ip) < IP_MAXPACKET)
1969 ip->ip_len = htons(plen + sizeof(struct ip));
1970 else {
1971 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
1972 "leave ip_len as is (invalid packet)\n"));
1973 }
1974#ifdef RANDOM_IP_ID
1975 ip->ip_id = ip_randomid();
1976#else
1977 ip->ip_id = htons(ip_id++);
1978#endif
1979 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
1980 &ip->ip_src, sizeof(ip->ip_src));
1981 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
1982 &ip->ip_dst, sizeof(ip->ip_dst));
1983 ip->ip_ttl = IPDEFTTL;
1984
1985 /* XXX Should ip_src be updated later ? */
1986
1987 return 0;
1988}
1989#endif /* INET */
1990
1991#ifdef INET6
1992static int
122ebd49 1993ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
984263bc
MD
1994{
1995 struct ip6_hdr *oip6;
1996 struct ip6_hdr *ip6;
1997 size_t plen;
1998
1999 /* can't tunnel between different AFs */
2000 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2001 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2002 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2003 m_freem(m);
2004 return EINVAL;
2005 }
2006#if 0
2007 /* XXX if the dst is myself, perform nothing. */
2008 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2009 m_freem(m);
2010 return EINVAL;
2011 }
2012#endif
2013
2014 plen = m->m_pkthdr.len;
2015
2016 /*
2017 * grow the mbuf to accomodate the new IPv6 header.
2018 */
2019 if (m->m_len != sizeof(struct ip6_hdr))
2020 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2021 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2022 struct mbuf *n;
74f1caca 2023 MGET(n, MB_DONTWAIT, MT_DATA);
984263bc
MD
2024 if (!n) {
2025 m_freem(m);
2026 return ENOBUFS;
2027 }
2028 n->m_len = sizeof(struct ip6_hdr);
2029 n->m_next = m->m_next;
2030 m->m_next = n;
2031 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2032 oip6 = mtod(n, struct ip6_hdr *);
2033 } else {
2034 m->m_next->m_len += sizeof(struct ip6_hdr);
2035 m->m_next->m_data -= sizeof(struct ip6_hdr);
2036 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2037 oip6 = mtod(m->m_next, struct ip6_hdr *);
2038 }
2039 ip6 = mtod(m, struct ip6_hdr *);
2040 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2041
2042 /* Fake link-local scope-class addresses */
2043 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
2044 oip6->ip6_src.s6_addr16[1] = 0;
2045 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
2046 oip6->ip6_dst.s6_addr16[1] = 0;
2047
2048 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2049 /* ECN consideration. */
2050 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2051 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2052 ip6->ip6_plen = htons(plen);
2053 else {
2054 /* ip6->ip6_plen will be updated in ip6_output() */
2055 }
2056 ip6->ip6_nxt = IPPROTO_IPV6;
2057 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2058 &ip6->ip6_src, sizeof(ip6->ip6_src));
2059 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2060 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2061 ip6->ip6_hlim = IPV6_DEFHLIM;
2062
2063 /* XXX Should ip6_src be updated later ? */
2064
2065 return 0;
2066}
2067#endif /* INET6 */
2068
2069/*
2070 * Check the variable replay window.
2071 * ipsec_chkreplay() performs replay check before ICV verification.
2072 * ipsec_updatereplay() updates replay bitmap. This must be called after
2073 * ICV verification (it also performs replay check, which is usually done
2074 * beforehand).
2075 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2076 *
2077 * based on RFC 2401.
2078 */
2079int
122ebd49 2080ipsec_chkreplay(u_int32_t seq, struct secasvar *sav)
984263bc
MD
2081{
2082 const struct secreplay *replay;
2083 u_int32_t diff;
2084 int fr;
2085 u_int32_t wsizeb; /* constant: bits of window size */
2086 int frlast; /* constant: last frame */
2087
2088 /* sanity check */
2089 if (sav == NULL)
2090 panic("ipsec_chkreplay: NULL pointer was passed.");
2091
2092 replay = sav->replay;
2093
2094 if (replay->wsize == 0)
2095 return 1; /* no need to check replay. */
2096
2097 /* constant */
2098 frlast = replay->wsize - 1;
2099 wsizeb = replay->wsize << 3;
2100
2101 /* sequence number of 0 is invalid */
2102 if (seq == 0)
2103 return 0;
2104
2105 /* first time is always okay */
2106 if (replay->count == 0)
2107 return 1;
2108
2109 if (seq > replay->lastseq) {
2110 /* larger sequences are okay */
2111 return 1;
2112 } else {
2113 /* seq is equal or less than lastseq. */
2114 diff = replay->lastseq - seq;
2115
2116 /* over range to check, i.e. too old or wrapped */
2117 if (diff >= wsizeb)
2118 return 0;
2119
2120 fr = frlast - diff / 8;
2121
2122 /* this packet already seen ? */
2123 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2124 return 0;
2125
2126 /* out of order but good */
2127 return 1;
2128 }
2129}
2130
2131/*
2132 * check replay counter whether to update or not.
2133 * OUT: 0: OK
2134 * 1: NG
2135 */
2136int
122ebd49 2137ipsec_updatereplay(u_int32_t seq, struct secasvar *sav)
984263bc
MD
2138{
2139 struct secreplay *replay;
2140 u_int32_t diff;
2141 int fr;
2142 u_int32_t wsizeb; /* constant: bits of window size */
2143 int frlast; /* constant: last frame */
2144
2145 /* sanity check */
2146 if (sav == NULL)
2147 panic("ipsec_chkreplay: NULL pointer was passed.");
2148
2149 replay = sav->replay;
2150
2151 if (replay->wsize == 0)
2152 goto ok; /* no need to check replay. */
2153
2154 /* constant */
2155 frlast = replay->wsize - 1;
2156 wsizeb = replay->wsize << 3;
2157
2158 /* sequence number of 0 is invalid */
2159 if (seq == 0)
2160 return 1;
2161
2162 /* first time */
2163 if (replay->count == 0) {
2164 replay->lastseq = seq;
2165 bzero(replay->bitmap, replay->wsize);
2166 (replay->bitmap)[frlast] = 1;
2167 goto ok;
2168 }
2169
2170 if (seq > replay->lastseq) {
2171 /* seq is larger than lastseq. */
2172 diff = seq - replay->lastseq;
2173
2174 /* new larger sequence number */
2175 if (diff < wsizeb) {
2176 /* In window */
2177 /* set bit for this packet */
2178 vshiftl(replay->bitmap, diff, replay->wsize);
2179 (replay->bitmap)[frlast] |= 1;
2180 } else {
2181 /* this packet has a "way larger" */
2182 bzero(replay->bitmap, replay->wsize);
2183 (replay->bitmap)[frlast] = 1;
2184 }
2185 replay->lastseq = seq;
2186
2187 /* larger is good */
2188 } else {
2189 /* seq is equal or less than lastseq. */
2190 diff = replay->lastseq - seq;
2191
2192 /* over range to check, i.e. too old or wrapped */
2193 if (diff >= wsizeb)
2194 return 1;
2195
2196 fr = frlast - diff / 8;
2197
2198 /* this packet already seen ? */
2199 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2200 return 1;
2201
2202 /* mark as seen */
2203 (replay->bitmap)[fr] |= (1 << (diff % 8));
2204
2205 /* out of order but good */
2206 }
2207
2208ok:
2209 if (replay->count == ~0) {
2210
2211 /* set overflow flag */
2212 replay->overflow++;
2213
2214 /* don't increment, no more packets accepted */
2215 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2216 return 1;
2217
2218 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2219 replay->overflow, ipsec_logsastr(sav)));
2220 }
2221
2222 replay->count++;
2223
2224 return 0;
2225}
2226
2227/*
2228 * shift variable length buffer to left.
2229 * IN: bitmap: pointer to the buffer
2230 * nbit: the number of to shift.
2231 * wsize: buffer size (bytes).
2232 */
2233static void
122ebd49 2234vshiftl(unsigned char *bitmap, int nbit, int wsize)
984263bc
MD
2235{
2236 int s, j, i;
2237 unsigned char over;
2238
2239 for (j = 0; j < nbit; j += 8) {
2240 s = (nbit - j < 8) ? (nbit - j): 8;
2241 bitmap[0] <<= s;
2242 for (i = 1; i < wsize; i++) {
2243 over = (bitmap[i] >> (8 - s));
2244 bitmap[i] <<= s;
2245 bitmap[i-1] |= over;
2246 }
2247 }
2248
2249 return;
2250}
2251
2252const char *
122ebd49 2253ipsec4_logpacketstr(struct ip *ip, u_int32_t spi)
984263bc
MD
2254{
2255 static char buf[256];
2256 char *p;
2257 u_int8_t *s, *d;
2258
2259 s = (u_int8_t *)(&ip->ip_src);
2260 d = (u_int8_t *)(&ip->ip_dst);
2261
2262 p = buf;
f8c7a42d 2263 ksnprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
984263bc
MD
2264 while (p && *p)
2265 p++;
f8c7a42d 2266 ksnprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
984263bc
MD
2267 s[0], s[1], s[2], s[3]);
2268 while (p && *p)
2269 p++;
f8c7a42d 2270 ksnprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
984263bc
MD
2271 d[0], d[1], d[2], d[3]);
2272 while (p && *p)
2273 p++;
f8c7a42d 2274 ksnprintf(p, sizeof(buf) - (p - buf), ")");
984263bc
MD
2275
2276 return buf;
2277}
2278
2279#ifdef INET6
2280const char *
122ebd49 2281ipsec6_logpacketstr(struct ip6_hdr *ip6, u_int32_t spi)
984263bc
MD
2282{
2283 static char buf[256];
2284 char *p;
2285
2286 p = buf;
f8c7a42d 2287 ksnprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
984263bc
MD
2288 while (p && *p)
2289 p++;
f8c7a42d 2290 ksnprintf(p, sizeof(buf) - (p - buf), "src=%s",
984263bc
MD
2291 ip6_sprintf(&ip6->ip6_src));
2292 while (p && *p)
2293 p++;
f8c7a42d 2294 ksnprintf(p, sizeof(buf) - (p - buf), " dst=%s",
984263bc
MD
2295 ip6_sprintf(&ip6->ip6_dst));
2296 while (p && *p)
2297 p++;
f8c7a42d 2298 ksnprintf(p, sizeof(buf) - (p - buf), ")");
984263bc
MD
2299
2300 return buf;
2301}
2302#endif /* INET6 */
2303
2304const char *
122ebd49 2305ipsec_logsastr(struct secasvar *sav)
984263bc
MD
2306{
2307 static char buf[256];
2308 char *p;
2309 struct secasindex *saidx = &sav->sah->saidx;
2310
2311 /* validity check */
2312 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2313 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2314 panic("ipsec_logsastr: family mismatched.");
2315
2316 p = buf;
f8c7a42d 2317 ksnprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
984263bc
MD
2318 while (p && *p)
2319 p++;
2320 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2321 u_int8_t *s, *d;
2322 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2323 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
f8c7a42d 2324 ksnprintf(p, sizeof(buf) - (p - buf),
984263bc
MD
2325 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2326 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2327 }
2328#ifdef INET6
2329 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
f8c7a42d 2330 ksnprintf(p, sizeof(buf) - (p - buf),
984263bc
MD
2331 "src=%s",
2332 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2333 while (p && *p)
2334 p++;
f8c7a42d 2335 ksnprintf(p, sizeof(buf) - (p - buf),
984263bc
MD
2336 " dst=%s",
2337 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2338 }
2339#endif
2340 while (p && *p)
2341 p++;
f8c7a42d 2342 ksnprintf(p, sizeof(buf) - (p - buf), ")");
984263bc
MD
2343
2344 return buf;
2345}
2346
2347void
122ebd49 2348ipsec_dumpmbuf(struct mbuf *m)
984263bc
MD
2349{
2350 int totlen;
2351 int i;
2352 u_char *p;
2353
2354 totlen = 0;
a6ec04bc 2355 kprintf("---\n");
984263bc
MD
2356 while (m) {
2357 p = mtod(m, u_char *);
2358 for (i = 0; i < m->m_len; i++) {
a6ec04bc 2359 kprintf("%02x ", p[i]);
984263bc
MD
2360 totlen++;
2361 if (totlen % 16 == 0)
a6ec04bc 2362 kprintf("\n");
984263bc
MD
2363 }
2364 m = m->m_next;
2365 }
2366 if (totlen % 16 != 0)
a6ec04bc
SW
2367 kprintf("\n");
2368 kprintf("---\n");
984263bc
MD
2369}
2370
2371#ifdef INET
2372/*
2373 * IPsec output logic for IPv4.
2374 */
2375int
122ebd49 2376ipsec4_output(struct ipsec_output_state *state, struct secpolicy *sp, int flags)
984263bc
MD
2377{
2378 struct ip *ip = NULL;
2379 struct ipsecrequest *isr = NULL;
2380 struct secasindex saidx;
984263bc
MD
2381 int error;
2382 struct sockaddr_in *dst4;
2383 struct sockaddr_in *sin;
2384
2385 if (!state)
2386 panic("state == NULL in ipsec4_output");
2387 if (!state->m)
2388 panic("state->m == NULL in ipsec4_output");
2389 if (!state->ro)
2390 panic("state->ro == NULL in ipsec4_output");
2391 if (!state->dst)
2392 panic("state->dst == NULL in ipsec4_output");
2393
2394 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
a6ec04bc 2395 kprintf("ipsec4_output: applyed SP\n");
984263bc
MD
2396 kdebug_secpolicy(sp));
2397
2398 for (isr = sp->req; isr != NULL; isr = isr->next) {
2399
2400#if 0 /* give up to check restriction of transport mode */
2401 /* XXX but should be checked somewhere */
2402 /*
2403 * some of the IPsec operation must be performed only in
2404 * originating case.
2405 */
2406 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2407 && (flags & IP_FORWARDING))
2408 continue;
2409#endif
2410
2411 /* make SA index for search proper SA */
2412 ip = mtod(state->m, struct ip *);
2413 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2414 saidx.mode = isr->saidx.mode;
2415 saidx.reqid = isr->saidx.reqid;
2416 sin = (struct sockaddr_in *)&saidx.src;
2417 if (sin->sin_len == 0) {
2418 sin->sin_len = sizeof(*sin);
2419 sin->sin_family = AF_INET;
2420 sin->sin_port = IPSEC_PORT_ANY;
2421 bcopy(&ip->ip_src, &sin->sin_addr,
2422 sizeof(sin->sin_addr));
2423 }
2424 sin = (struct sockaddr_in *)&saidx.dst;
2425 if (sin->sin_len == 0) {
2426 sin->sin_len = sizeof(*sin);
2427 sin->sin_family = AF_INET;
2428 sin->sin_port = IPSEC_PORT_ANY;
2429 bcopy(&ip->ip_dst, &sin->sin_addr,
2430 sizeof(sin->sin_addr));
2431 }
2432
2433 if ((error = key_checkrequest(isr, &saidx)) != 0) {
2434 /*
2435 * IPsec processing is required, but no SA found.
2436 * I assume that key_acquire() had been called
2437 * to get/establish the SA. Here I discard
2438 * this packet because it is responsibility for
2439 * upper layer to retransmit the packet.
2440 */
2441 ipsecstat.out_nosa++;
2442 goto bad;
2443 }
2444
2445 /* validity check */
2446 if (isr->sav == NULL) {
2447 switch (ipsec_get_reqlevel(isr)) {
2448 case IPSEC_LEVEL_USE:
2449 continue;
2450 case IPSEC_LEVEL_REQUIRE:
2451 /* must be not reached here. */
2452 panic("ipsec4_output: no SA found, but required.");
2453 }
2454 }
2455
2456 /*
2457 * If there is no valid SA, we give up to process any
2458 * more. In such a case, the SA's status is changed
2459 * from DYING to DEAD after allocating. If a packet
2460 * send to the receiver by dead SA, the receiver can
2461 * not decode a packet because SA has been dead.
2462 */
2463 if (isr->sav->state != SADB_SASTATE_MATURE
2464 && isr->sav->state != SADB_SASTATE_DYING) {
2465 ipsecstat.out_nosa++;
2466 error = EINVAL;
2467 goto bad;
2468 }
2469
2470 /*
2471 * There may be the case that SA status will be changed when
abf782b3 2472 * we are refering to one. So calling crit_enter().
984263bc 2473 */
abf782b3 2474 crit_enter();
984263bc
MD
2475
2476 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2477 /*
2478 * build IPsec tunnel.
2479 */
2480 /* XXX should be processed with other familiy */
2481 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2482 ipseclog((LOG_ERR, "ipsec4_output: "
2483 "family mismatched between inner and outer spi=%u\n",
2484 (u_int32_t)ntohl(isr->sav->spi)));
abf782b3 2485 crit_exit();
984263bc
MD
2486 error = EAFNOSUPPORT;
2487 goto bad;
2488 }
2489
2490 state->m = ipsec4_splithdr(state->m);
2491 if (!state->m) {
abf782b3 2492 crit_exit();
984263bc
MD
2493 error = ENOMEM;
2494 goto bad;
2495 }
2496 error = ipsec4_encapsulate(state->m, isr->sav);
abf782b3 2497 crit_exit();
984263bc
MD
2498 if (error) {
2499 state->m = NULL;
2500 goto bad;
2501 }
2502 ip = mtod(state->m, struct ip *);
2503
2504 state->ro = &isr->sav->sah->sa_route;
2505 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2506 dst4 = (struct sockaddr_in *)state->dst;
2507 if (state->ro->ro_rt
2508 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2509 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2510 RTFREE(state->ro->ro_rt);
2511 state->ro->ro_rt = NULL;
2512 }
2513 if (state->ro->ro_rt == 0) {
2514 dst4->sin_family = AF_INET;
2515 dst4->sin_len = sizeof(*dst4);
2516 dst4->sin_addr = ip->ip_dst;
2517 rtalloc(state->ro);
2518 }
2519 if (state->ro->ro_rt == 0) {
2520 ipstat.ips_noroute++;
2521 error = EHOSTUNREACH;
2522 goto bad;
2523 }
2524
2525 /* adjust state->dst if tunnel endpoint is offlink */
2526 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2527 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2528 dst4 = (struct sockaddr_in *)state->dst;
2529 }
2530 } else
abf782b3 2531 crit_exit();
984263bc
MD
2532
2533 state->m = ipsec4_splithdr(state->m);
2534 if (!state->m) {
2535 error = ENOMEM;
2536 goto bad;
2537 }
2538 switch (isr->saidx.proto) {
2539 case IPPROTO_ESP:
2540#ifdef IPSEC_ESP
2541 if ((error = esp4_output(state->m, isr)) != 0) {
2542 state->m = NULL;
2543 goto bad;
2544 }
2545 break;
2546#else
2547 m_freem(state->m);
2548 state->m = NULL;
2549 error = EINVAL;
2550 goto bad;
2551#endif
2552 case IPPROTO_AH:
2553 if ((error = ah4_output(state->m, isr)) != 0) {
2554 state->m = NULL;
2555 goto bad;
2556 }
2557 break;
2558 case IPPROTO_IPCOMP:
2559 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2560 state->m = NULL;
2561 goto bad;
2562 }
2563 break;
2564 default:
2565 ipseclog((LOG_ERR,
2566 "ipsec4_output: unknown ipsec protocol %d\n",
2567 isr->saidx.proto));
2568 m_freem(state->m);
2569 state->m = NULL;
2570 error = EINVAL;
2571 goto bad;
2572 }
2573
2574 if (state->m == 0) {
2575 error = ENOMEM;
2576 goto bad;
2577 }
2578 ip = mtod(state->m, struct ip *);
2579 }
2580
2581 return 0;
2582
2583bad:
2584 m_freem(state->m);
2585 state->m = NULL;
2586 return error;
2587}
2588#endif
2589
2590#ifdef INET6
2591/*
2592 * IPsec output logic for IPv6, transport mode.
2593 */
2594int
122ebd49
CP
2595ipsec6_output_trans(struct ipsec_output_state *state, u_char *nexthdrp,
2596 struct mbuf *mprev, struct secpolicy *sp, int flags,
2597 int *tun)
984263bc
MD
2598{
2599 struct ip6_hdr *ip6;
2600 struct ipsecrequest *isr = NULL;
2601 struct secasindex saidx;
2602 int error = 0;
2603 int plen;
2604 struct sockaddr_in6 *sin6;
2605
2606 if (!state)
2607 panic("state == NULL in ipsec6_output_trans");
2608 if (!state->m)
2609 panic("state->m == NULL in ipsec6_output_trans");
2610 if (!nexthdrp)
2611 panic("nexthdrp == NULL in ipsec6_output_trans");
2612 if (!mprev)
2613 panic("mprev == NULL in ipsec6_output_trans");
2614 if (!sp)
2615 panic("sp == NULL in ipsec6_output_trans");
2616 if (!tun)
2617 panic("tun == NULL in ipsec6_output_trans");
2618
2619 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
a6ec04bc 2620 kprintf("ipsec6_output_trans: applyed SP\n");
984263bc
MD
2621 kdebug_secpolicy(sp));
2622
2623 *tun = 0;
2624 for (isr = sp->req; isr; isr = isr->next) {
2625 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2626 /* the rest will be handled by ipsec6_output_tunnel() */
2627 break;
2628 }
2629
2630 /* make SA index for search proper SA */
2631 ip6 = mtod(state->m, struct ip6_hdr *);
2632 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2633 saidx.mode = isr->saidx.mode;
2634 saidx.reqid = isr->saidx.reqid;
2635 sin6 = (struct sockaddr_in6 *)&saidx.src;
2636 if (sin6->sin6_len == 0) {
2637 sin6->sin6_len = sizeof(*sin6);
2638 sin6->sin6_family = AF_INET6;
2639 sin6->sin6_port = IPSEC_PORT_ANY;
2640 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2641 sizeof(ip6->ip6_src));
2642 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2643 /* fix scope id for comparing SPD */
2644 sin6->sin6_addr.s6_addr16[1] = 0;
2645 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2646 }
2647 }
2648 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2649 if (sin6->sin6_len == 0) {
2650 sin6->sin6_len = sizeof(*sin6);
2651 sin6->sin6_family = AF_INET6;
2652 sin6->sin6_port = IPSEC_PORT_ANY;
2653 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2654 sizeof(ip6->ip6_dst));
2655 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2656 /* fix scope id for comparing SPD */
2657 sin6->sin6_addr.s6_addr16[1] = 0;
2658 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2659 }
2660 }
2661
2662 if (key_checkrequest(isr, &saidx) == ENOENT) {
2663 /*
2664 * IPsec processing is required, but no SA found.
2665 * I assume that key_acquire() had been called
2666 * to get/establish the SA. Here I discard
2667 * this packet because it is responsibility for
2668 * upper layer to retransmit the packet.
2669 */
2670 ipsec6stat.out_nosa++;
2671 error = ENOENT;
2672
2673 /*
2674 * Notify the fact that the packet is discarded
2675 * to ourselves. I believe this is better than
2676 * just silently discarding. (jinmei@kame.net)
2677 * XXX: should we restrict the error to TCP packets?
2678 * XXX: should we directly notify sockets via
2679 * pfctlinputs?
2680 */
2681 icmp6_error(state->m, ICMP6_DST_UNREACH,
2682 ICMP6_DST_UNREACH_ADMIN, 0);
2683 state->m = NULL; /* icmp6_error freed the mbuf */
2684 goto bad;
2685 }
2686
2687 /* validity check */
2688 if (isr->sav == NULL) {
2689 switch (ipsec_get_reqlevel(isr)) {
2690 case IPSEC_LEVEL_USE:
2691 continue;
2692 case IPSEC_LEVEL_REQUIRE:
2693 /* must be not reached here. */
2694 panic("ipsec6_output_trans: no SA found, but required.");
2695 }
2696 }
2697
2698 /*
2699 * If there is no valid SA, we give up to process.
2700 * see same place at ipsec4_output().
2701 */
2702 if (isr->sav->state != SADB_SASTATE_MATURE
2703 && isr->sav->state != SADB_SASTATE_DYING) {
2704 ipsec6stat.out_nosa++;
2705 error = EINVAL;
2706 goto bad;
2707 }
2708
2709 switch (isr->saidx.proto) {
2710 case IPPROTO_ESP:
2711#ifdef IPSEC_ESP
2712 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2713#else
2714 m_freem(state->m);
2715 error = EINVAL;
2716#endif
2717 break;
2718 case IPPROTO_AH:
2719 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2720 break;
2721 case IPPROTO_IPCOMP:
2722 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2723 break;
2724 default:
2725 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2726 "unknown ipsec protocol %d\n", isr->saidx.proto));
2727 m_freem(state->m);
2728 ipsec6stat.out_inval++;
2729 error = EINVAL;
2730 break;
2731 }
2732 if (error) {
2733 state->m = NULL;
2734 goto bad;
2735 }
2736 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2737 if (plen > IPV6_MAXPACKET) {
2738 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2739 "IPsec with IPv6 jumbogram is not supported\n"));
2740 ipsec6stat.out_inval++;
2741 error = EINVAL; /* XXX */
2742 goto bad;
2743 }
2744 ip6 = mtod(state->m, struct ip6_hdr *);
2745 ip6->ip6_plen = htons(plen);
2746 }
2747
2748 /* if we have more to go, we need a tunnel mode processing */
2749 if (isr != NULL)
2750 *tun = 1;
2751
2752 return 0;
2753
2754bad:
2755 m_freem(state->m);
2756 state->m = NULL;
2757 return error;
2758}
2759
2760/*
2761 * IPsec output logic for IPv6, tunnel mode.
2762 */
2763int
122ebd49
CP
2764ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp,
2765 int flags)
984263bc
MD
2766{
2767 struct ip6_hdr *ip6;
2768 struct ipsecrequest *isr = NULL;
2769 struct secasindex saidx;
2770 int error = 0;
2771 int plen;
2772 struct sockaddr_in6* dst6;
984263bc
MD
2773
2774 if (!state)
2775 panic("state == NULL in ipsec6_output_tunnel");
2776 if (!state->m)
2777 panic("state->m == NULL in ipsec6_output_tunnel");
2778 if (!sp)
2779 panic("sp == NULL in ipsec6_output_tunnel");
2780
2781 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
a6ec04bc 2782 kprintf("ipsec6_output_tunnel: applyed SP\n");
984263bc
MD
2783 kdebug_secpolicy(sp));
2784
2785 /*
2786 * transport mode ipsec (before the 1st tunnel mode) is already
2787 * processed by ipsec6_output_trans().
2788 */
2789 for (isr = sp->req; isr; isr = isr->next) {
2790 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
2791 break;
2792 }
2793
2794 for (/* already initialized */; isr; isr = isr->next) {
2795 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2796 /* When tunnel mode, SA peers must be specified. */
2797 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2798 } else {
2799 /* make SA index to look for a proper SA */
2800 struct sockaddr_in6 *sin6;
2801
2802 bzero(&saidx, sizeof(saidx));
2803 saidx.proto = isr->saidx.proto;
2804 saidx.mode = isr->saidx.mode;
2805 saidx.reqid = isr->saidx.reqid;
2806
2807 ip6 = mtod(state->m, struct ip6_hdr *);
2808 sin6 = (struct sockaddr_in6 *)&saidx.src;
2809 if (sin6->sin6_len == 0) {
2810 sin6->sin6_len = sizeof(*sin6);
2811 sin6->sin6_family = AF_INET6;
2812 sin6->sin6_port = IPSEC_PORT_ANY;
2813 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2814 sizeof(ip6->ip6_src));
2815 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2816 /* fix scope id for comparing SPD */
2817 sin6->sin6_addr.s6_addr16[1] = 0;
2818 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2819 }
2820 }
2821 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2822 if (sin6->sin6_len == 0) {
2823 sin6->sin6_len = sizeof(*sin6);
2824 sin6->sin6_family = AF_INET6;
2825 sin6->sin6_port = IPSEC_PORT_ANY;
2826 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2827 sizeof(ip6->ip6_dst));
2828 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2829 /* fix scope id for comparing SPD */
2830 sin6->sin6_addr.s6_addr16[1] = 0;
2831 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2832 }
2833 }
2834 }
2835
2836 if (key_checkrequest(isr, &saidx) == ENOENT) {
2837 /*
2838 * IPsec processing is required, but no SA found.
2839 * I assume that key_acquire() had been called
2840 * to get/establish the SA. Here I discard
2841 * this packet because it is responsibility for
2842 * upper layer to retransmit the packet.
2843 */
2844 ipsec6stat.out_nosa++;
2845 error = ENOENT;
2846 goto bad;
2847 }
2848
2849 /* validity check */
2850 if (isr->sav == NULL) {
2851 switch (ipsec_get_reqlevel(isr)) {
2852 case IPSEC_LEVEL_USE:
2853 continue;
2854 case IPSEC_LEVEL_REQUIRE:
2855 /* must be not reached here. */
2856 panic("ipsec6_output_tunnel: no SA found, but required.");
2857 }
2858 }
2859
2860 /*
2861 * If there is no valid SA, we give up to process.
2862 * see same place at ipsec4_output().
2863 */
2864 if (isr->sav->state != SADB_SASTATE_MATURE
2865 && isr->sav->state != SADB_SASTATE_DYING) {
2866 ipsec6stat.out_nosa++;
2867 error = EINVAL;
2868 goto bad;
2869 }
2870
2871 /*
2872 * There may be the case that SA status will be changed when
abf782b3 2873 * we are refering to one. So calling crit_enter().
984263bc 2874 */
abf782b3 2875 crit_enter();
984263bc
MD
2876
2877 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2878 /*
2879 * build IPsec tunnel.
2880 */
2881 /* XXX should be processed with other familiy */
2882 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
2883 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2884 "family mismatched between inner and outer, spi=%u\n",
2885 (u_int32_t)ntohl(isr->sav->spi)));
abf782b3 2886 crit_exit();
984263bc
MD
2887 ipsec6stat.out_inval++;
2888 error = EAFNOSUPPORT;
2889 goto bad;
2890 }
2891
2892 state->m = ipsec6_splithdr(state->m);
2893 if (!state->m) {
abf782b3 2894 crit_exit();
984263bc
MD
2895 ipsec6stat.out_nomem++;
2896 error = ENOMEM;
2897 goto bad;
2898 }
2899 error = ipsec6_encapsulate(state->m, isr->sav);
abf782b3 2900 crit_exit();
984263bc
MD
2901 if (error) {
2902 state->m = 0;
2903 goto bad;
2904 }
2905 ip6 = mtod(state->m, struct ip6_hdr *);
2906
2907 state->ro = &isr->sav->sah->sa_route;
2908 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2909 dst6 = (struct sockaddr_in6 *)state->dst;
2910 if (state->ro->ro_rt
2911 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2912 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
2913 RTFREE(state->ro->ro_rt);
2914 state->ro->ro_rt = NULL;
2915 }
2916 if (state->ro->ro_rt == 0) {
2917 bzero(dst6, sizeof(*dst6));
2918 dst6->sin6_family = AF_INET6;
2919 dst6->sin6_len = sizeof(*dst6);
2920 dst6->sin6_addr = ip6->ip6_dst;
2921 rtalloc(state->ro);
2922 }
2923 if (state->ro->ro_rt == 0) {
2924 ip6stat.ip6s_noroute++;
2925 ipsec6stat.out_noroute++;
2926 error = EHOSTUNREACH;
2927 goto bad;
2928 }
2929
2930 /* adjust state->dst if tunnel endpoint is offlink */
2931 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2932 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2933 dst6 = (struct sockaddr_in6 *)state->dst;
2934 }
2935 } else
abf782b3 2936 crit_exit();
984263bc
MD
2937
2938 state->m = ipsec6_splithdr(state->m);
2939 if (!state->m) {
2940 ipsec6stat.out_nomem++;
2941 error = ENOMEM;
2942 goto bad;
2943 }
2944 ip6 = mtod(state->m, struct ip6_hdr *);
2945 switch (isr->saidx.proto) {
2946 case IPPROTO_ESP:
2947#ifdef IPSEC_ESP
2948 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
2949#else
2950 m_freem(state->m);
2951 error = EINVAL;
2952#endif
2953 break;
2954 case IPPROTO_AH:
2955 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
2956 break;
2957 case IPPROTO_IPCOMP:
2958 /* XXX code should be here */
2959 /* FALLTHROUGH */
2960 default:
2961 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2962 "unknown ipsec protocol %d\n", isr->saidx.proto));
2963 m_freem(state->m);
2964 ipsec6stat.out_inval++;
2965 error = EINVAL;
2966 break;
2967 }
2968 if (error) {
2969 state->m = NULL;
2970 goto bad;
2971 }
2972 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2973 if (plen > IPV6_MAXPACKET) {
2974 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2975 "IPsec with IPv6 jumbogram is not supported\n"));
2976 ipsec6stat.out_inval++;
2977 error = EINVAL; /* XXX */
2978 goto bad;
2979 }
2980 ip6 = mtod(state->m, struct ip6_hdr *);
2981 ip6->ip6_plen = htons(plen);
2982 }
2983
2984 return 0;
2985
2986bad:
2987 m_freem(state->m);
2988 state->m = NULL;
2989 return error;
2990}
2991#endif /* INET6 */
2992
2993#ifdef INET
2994/*
2995 * Chop IP header and option off from the payload.
2996 */
2997static struct mbuf *
122ebd49 2998ipsec4_splithdr(struct mbuf *m)
984263bc
MD
2999{
3000 struct mbuf *mh;
3001 struct ip *ip;
3002 int hlen;
3003
3004 if (m->m_len < sizeof(struct ip))
3005 panic("ipsec4_splithdr: first mbuf too short");
3006 ip = mtod(m, struct ip *);
3007#ifdef _IP_VHL
3008 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3009#else
3010 hlen = ip->ip_hl << 2;
3011#endif
3012 if (m->m_len > hlen) {
74f1caca 3013 MGETHDR(mh, MB_DONTWAIT, MT_HEADER);
984263bc
MD
3014 if (!mh) {
3015 m_freem(m);
3016 return NULL;
3017 }
3018 M_MOVE_PKTHDR(mh, m);
3019 MH_ALIGN(mh, hlen);
3020 m->m_len -= hlen;
3021 m->m_data += hlen;
3022 mh->m_next = m;
3023 m = mh;
3024 m->m_len = hlen;
3025 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3026 } else if (m->m_len < hlen) {
3027 m = m_pullup(m, hlen);
3028 if (!m)
3029 return NULL;
3030 }
3031 return m;
3032}
3033#endif
3034
3035#ifdef INET6
3036static struct mbuf *
122ebd49 3037ipsec6_splithdr(struct mbuf *m)
984263bc
MD
3038{
3039 struct mbuf *mh;
3040 struct ip6_hdr *ip6;
3041 int hlen;
3042
3043 if (m->m_len < sizeof(struct ip6_hdr))
3044 panic("ipsec6_splithdr: first mbuf too short");
3045 ip6 = mtod(m, struct ip6_hdr *);
3046 hlen = sizeof(struct ip6_hdr);
3047 if (m->m_len > hlen) {
74f1caca 3048 MGETHDR(mh, MB_DONTWAIT, MT_HEADER);
984263bc
MD
3049 if (!mh) {
3050 m_freem(m);
3051 return NULL;
3052 }
3053 M_MOVE_PKTHDR(mh, m);
3054 MH_ALIGN(mh, hlen);
3055 m->m_len -= hlen;
3056 m->m_data += hlen;
3057 mh->m_next = m;
3058 m = mh;
3059 m->m_len = hlen;
3060 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3061 } else if (m->m_len < hlen) {
3062 m = m_pullup(m, hlen);
3063 if (!m)
3064 return NULL;
3065 }
3066 return m;
3067}
3068#endif
3069
3070/* validate inbound IPsec tunnel packet. */
3071int
122ebd49
CP
3072ipsec4_tunnel_validate(struct mbuf *m, /* no pullup permitted, m->m_len >= ip */
3073 int off, u_int nxt0, struct secasvar *sav)
984263bc
MD
3074{
3075 u_int8_t nxt = nxt0 & 0xff;
3076 struct sockaddr_in *sin;
3077 struct sockaddr_in osrc, odst, isrc, idst;
3078 int hlen;
3079 struct secpolicy *sp;
3080 struct ip *oip;
3081
3082#ifdef DIAGNOSTIC
3083 if (m->m_len < sizeof(struct ip))
3084 panic("too short mbuf on ipsec4_tunnel_validate");
3085#endif
3086 if (nxt != IPPROTO_IPV4)
3087 return 0;
3088 if (m->m_pkthdr.len < off + sizeof(struct ip))
3089 return 0;
3090 /* do not decapsulate if the SA is for transport mode only */
3091 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3092 return 0;
3093
3094 oip = mtod(m, struct ip *);
3095#ifdef _IP_VHL
3096 hlen = _IP_VHL_HL(oip->ip_vhl) << 2;
3097#else
3098 hlen = oip->ip_hl << 2;
3099#endif
3100 if (hlen != sizeof(struct ip))
3101 return 0;
3102
3103 /* AF_INET6 should be supported, but at this moment we don't. */
3104 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3105 if (sin->sin_family != AF_INET)
3106 return 0;
3107 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3108 return 0;
3109
3110 /* XXX slow */
3111 bzero(&osrc, sizeof(osrc));
3112 bzero(&odst, sizeof(odst));
3113 bzero(&isrc, sizeof(isrc));
3114 bzero(&idst, sizeof(idst));
bde3511a 3115 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
984263bc 3116 AF_INET;
bde3511a 3117 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
984263bc
MD
3118 sizeof(struct sockaddr_in);
3119 osrc.sin_addr = oip->ip_src;
3120 odst.sin_addr = oip->ip_dst;
3121 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3122 (caddr_t)&isrc.sin_addr);
3123 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3124 (caddr_t)&idst.sin_addr);
3125
3126 /*
3127 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3128 * - if the inner destination is multicast address, there can be
3129 * multiple permissible inner source address. implementation
3130 * may want to skip verification of inner source address against
3131 * SPD selector.
3132 * - if the inner protocol is ICMP, the packet may be an error report
3133 * from routers on the other side of the VPN cloud (R in the
3134 * following diagram). in this case, we cannot verify inner source
3135 * address against SPD selector.
3136 * me -- gw === gw -- R -- you
3137 *
3138 * we consider the first bullet to be users responsibility on SPD entry
3139 * configuration (if you need to encrypt multicast traffic, set
3140 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3141 * address ranges for possible senders).
3142 * the second bullet is not taken care of (yet).
3143 *
3144 * therefore, we do not do anything special about inner source.
3145 */
3146
3147 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3148 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3149 if (!sp)
3150 return 0;
3151 key_freesp(sp);
3152
3153 return 1;
3154}
3155
3156#ifdef INET6
3157/* validate inbound IPsec tunnel packet. */
3158int
122ebd49
CP
3159ipsec6_tunnel_validate(struct mbuf *m, /* no pullup permitted, m->m_len >= ip */
3160 int off, u_int nxt0, struct secasvar *sav)
984263bc
MD
3161{
3162 u_int8_t nxt = nxt0 & 0xff;
3163 struct sockaddr_in6 *sin6;
3164 struct sockaddr_in6 osrc, odst, isrc, idst;
3165 struct secpolicy *sp;
3166 struct ip6_hdr *oip6;
3167
3168#ifdef DIAGNOSTIC
3169 if (m->m_len < sizeof(struct ip6_hdr))
3170 panic("too short mbuf on ipsec6_tunnel_validate");
3171#endif
3172 if (nxt != IPPROTO_IPV6)
3173 return 0;
3174 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3175 return 0;
3176 /* do not decapsulate if the SA is for transport mode only */
3177 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3178 return 0;
3179
3180 oip6 = mtod(m, struct ip6_hdr *);
3181 /* AF_INET should be supported, but at this moment we don't. */
3182 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3183 if (sin6->sin6_family != AF_INET6)
3184 return 0;
3185 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3186 return 0;
3187
3188 /* XXX slow */
3189 bzero(&osrc, sizeof(osrc));
3190 bzero(&odst, sizeof(odst));
3191 bzero(&isrc, sizeof(isrc));
3192 bzero(&idst, sizeof(idst));
3193 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3194 idst.sin6_family = AF_INET6;
bde3511a 3195 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
984263bc
MD
3196 sizeof(struct sockaddr_in6);
3197 osrc.sin6_addr = oip6->ip6_src;
3198 odst.sin6_addr = oip6->ip6_dst;
3199 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3200 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3201 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3202 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3203
3204 /*
3205 * regarding to inner source address validation, see a long comment
3206 * in ipsec4_tunnel_validate.
3207 */
3208
3209 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3210 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3211 /*
3212 * when there is no suitable inbound policy for the packet of the ipsec
3213 * tunnel mode, the kernel never decapsulate the tunneled packet
3214 * as the ipsec tunnel mode even when the system wide policy is "none".
3215 * then the kernel leaves the generic tunnel module to process this
3216 * packet. if there is no rule of the generic tunnel, the packet
3217 * is rejected and the statistics will be counted up.
3218 */
3219 if (!sp)
3220 return 0;
3221 key_freesp(sp);
3222
3223 return 1;
3224}
3225#endif
3226
3227/*
3228 * Make a mbuf chain for encryption.
3229 * If the original mbuf chain contains a mbuf with a cluster,
3230 * allocate a new cluster and copy the data to the new cluster.
3231 * XXX: this hack is inefficient, but is necessary to handle cases
3232 * of TCP retransmission...
3233 */
3234struct mbuf *
122ebd49 3235ipsec_copypkt(struct mbuf *m)
984263bc
MD
3236{
3237 struct mbuf *n, **mpp, *mnew;
3238
3239 for (n = m, mpp = &m; n; n = n->m_next) {
3240 if (n->m_flags & M_EXT) {
3241 /*
bde3511a 3242 * Make a copy only if there are more than one
90775e29 3243 * references to the cluster.
984263bc
MD
3244 * XXX: is this approach effective?
3245 */
90775e29 3246 if (m_sharecount(n) > 1) {
984263bc
MD
3247 int remain, copied;
3248 struct mbuf *mm;
3249
3250 if (n->m_flags & M_PKTHDR) {
74f1caca 3251 MGETHDR(mnew, MB_DONTWAIT, MT_HEADER);
984263bc
MD
3252 if (mnew == NULL)
3253 goto fail;
74f1caca 3254 if (!m_dup_pkthdr(mnew, n, MB_DONTWAIT)) {
984263bc
MD
3255 m_free(mnew);
3256 goto fail;
3257 }
3258 }
3259 else {
74f1caca 3260 MGET(mnew, MB_DONTWAIT, MT_DATA);
984263bc
MD
3261 if (mnew == NULL)
3262 goto fail;
3263 }
3264 mnew->m_len = 0;
3265 mm = mnew;
3266
3267 /*
3268 * Copy data. If we don't have enough space to
3269 * store the whole data, allocate a cluster
3270 * or additional mbufs.
3271 * XXX: we don't use m_copyback(), since the
3272 * function does not use clusters and thus is
3273 * inefficient.
3274 */
3275 remain = n->m_len;
3276 copied = 0;
3277 while (1) {
3278 int len;
3279 struct mbuf *mn;
3280
3281 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3282 len = remain;
3283 else { /* allocate a cluster */
74f1caca 3284 MCLGET(mm, MB_DONTWAIT);
984263bc
MD
3285 if (!(mm->m_flags & M_EXT)) {
3286 m_free(mm);
3287 goto fail;
3288 }
3289 len = remain < MCLBYTES ?
3290 remain : MCLBYTES;
3291 }
3292
3293 bcopy(n->m_data + copied, mm->m_data,
3294 len);
3295
3296 copied += len;
3297 remain -= len;
3298 mm->m_len = len;
3299
3300 if (remain <= 0) /* completed? */
3301 break;
3302
3303 /* need another mbuf */
74f1caca 3304 MGETHDR(mn, MB_DONTWAIT, MT_HEADER);
984263bc
MD
3305 if (mn == NULL)
3306 goto fail;
3307 mn->m_pkthdr.rcvif = NULL;
3308 mm->m_next = mn;
3309 mm = mn;
3310 }
3311
3312 /* adjust chain */
3313 mm->m_next = m_free(n);
3314 n = mm;
3315 *mpp = mnew;
3316 mpp = &n->m_next;
3317
3318 continue;
3319 }
3320 }
3321 *mpp = n;
3322 mpp = &n->m_next;
3323 }
3324
bde3511a
JH
3325 return (m);
3326fail:
984263bc 3327 m_freem(m);
bde3511a 3328 return (NULL);
984263bc
MD
3329}
3330
3331void
122ebd49 3332ipsec_delaux(struct mbuf *m)
984263bc
MD
3333{
3334 struct m_tag *tag;
3335
3336 while ((tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL)) != NULL)
3337 m_tag_delete(m, tag);
3338}
3339
3340int
122ebd49 3341ipsec_addhist(struct mbuf *m, int proto, u_int32_t spi)
984263bc
MD
3342{
3343 struct m_tag *tag;
3344 struct ipsec_history *p;
3345
3346 tag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
11f57810 3347 sizeof (struct ipsec_history), MB_DONTWAIT);
984263bc
MD
3348 if (tag == NULL)
3349 return ENOBUFS;
d031aa80 3350 p = (struct ipsec_history *)m_tag_data(tag);
984263bc
MD
3351 bzero(p, sizeof(*p));
3352 p->ih_proto = proto;
3353 p->ih_spi = spi;
3354 m_tag_prepend(m, tag);
3355 return 0;
3356}
3357
3358struct ipsec_history *
122ebd49 3359ipsec_gethist(struct mbuf *m, int *lenp)
984263bc
MD
3360{
3361 struct m_tag *tag;
3362
3363 tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3364 if (tag == NULL)
3365 return NULL;
3366 /* XXX NB: noone uses this so fake it */
3367 if (lenp)
3368 *lenp = sizeof (struct ipsec_history);
3369 return ((struct ipsec_history *)(tag+1));
3370}