1/* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $ */ 2/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ 3 4/* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33/* 34 * IPsec controller part. 35 */ 36 37#include <sys/param.h> 38#include <sys/systm.h> 39#include <sys/malloc.h> 40#include <sys/mbuf.h> 41#include <sys/domain.h> 42#include <sys/protosw.h> 43#include <sys/socket.h> 44#include <sys/socketvar.h> 45#include <sys/errno.h> 46#include <sys/time.h> 47#include <sys/kernel.h> 48#include <sys/syslog.h> 49#include <sys/sysctl.h> 50#include <kern/locks.h> 51#include <sys/kauth.h> 52#include <libkern/OSAtomic.h> 53 54#include <net/if.h> 55#include <net/route.h> 56 57#include <netinet/in.h> 58#include <netinet/in_systm.h> 59#include <netinet/ip.h> 60#include <netinet/ip_var.h> 61#include <netinet/in_var.h> 62#include <netinet/udp.h> 63#include <netinet/udp_var.h> 64#include <netinet/ip_ecn.h> 65#if INET6 66#include <netinet6/ip6_ecn.h> 67#endif 68#include <netinet/tcp.h> 69#include <netinet/udp.h> 70 71#include <netinet/ip6.h> 72#if INET6 73#include <netinet6/ip6_var.h> 74#endif 75#include <netinet/in_pcb.h> 76#if INET6 77#include <netinet/icmp6.h> 78#endif 79 80#include <netinet6/ipsec.h> 81#if INET6 82#include <netinet6/ipsec6.h> 83#endif 84#include <netinet6/ah.h> 85#if INET6 86#include <netinet6/ah6.h> 87#endif 88#if IPSEC_ESP 89#include <netinet6/esp.h> 90#if INET6 91#include <netinet6/esp6.h> 92#endif 93#endif 94#include <netinet6/ipcomp.h> 95#if INET6 96#include <netinet6/ipcomp6.h> 97#endif 98#include <netkey/key.h> 99#include <netkey/keydb.h> 100#include <netkey/key_debug.h> 101 102#include <net/net_osdep.h> 103 104#if IPSEC_DEBUG 105int ipsec_debug = 1; 106#else 107int ipsec_debug = 0; 108#endif 109 110#include <sys/kdebug.h> 111#define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1) 112#define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3) 113#define DBG_FNC_GETPOL_SOCK NETDBG_CODE(DBG_NETIPSEC, (1 << 8)) 114#define DBG_FNC_GETPOL_ADDR NETDBG_CODE(DBG_NETIPSEC, (2 << 8)) 115#define DBG_FNC_IPSEC_OUT NETDBG_CODE(DBG_NETIPSEC, (3 << 8)) 116 117extern lck_mtx_t *sadb_mutex; 118extern lck_mtx_t *ip6_mutex; 119 120struct ipsecstat ipsecstat; 121int ip4_ah_cleartos = 1; 122int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ 123int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ 124int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; 125int ip4_esp_net_deflev = IPSEC_LEVEL_USE; 126int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; 127int ip4_ah_net_deflev = IPSEC_LEVEL_USE; 128struct secpolicy ip4_def_policy; 129int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 130int ip4_esp_randpad = -1; 131int esp_udp_encap_port = 0; 132static int sysctl_def_policy SYSCTL_HANDLER_ARGS; 133extern u_int32_t natt_now; 134 135struct ipsec_tag; 136 137SYSCTL_DECL(_net_inet_ipsec); 138#if INET6 139SYSCTL_DECL(_net_inet6_ipsec6); 140#endif 141/* net.inet.ipsec */ 142SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS, 143 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, ""); 144SYSCTL_PROC(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy, CTLTYPE_INT|CTLFLAG_RW, 145 &ip4_def_policy.policy, 0, &sysctl_def_policy, "I", ""); 146SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 147 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, ""); 148SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 149 CTLFLAG_RW, &ip4_esp_net_deflev, 0, ""); 150SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 151 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, ""); 152SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 153 CTLFLAG_RW, &ip4_ah_net_deflev, 0, ""); 154SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, 155 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, ""); 156SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, 157 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, ""); 158SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, 159 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, ""); 160SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, 161 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, ""); 162SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, 163 debug, CTLFLAG_RW, &ipsec_debug, 0, ""); 164SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD, 165 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, ""); 166 167/* for performance, we bypass ipsec until a security policy is set */ 168int ipsec_bypass = 1; 169SYSCTL_INT(_net_inet_ipsec, OID_AUTO, bypass, CTLFLAG_RD, &ipsec_bypass,0, ""); 170 171/* 172 * NAT Traversal requires a UDP port for encapsulation, 173 * esp_udp_encap_port controls which port is used. Racoon 174 * must set this port to the port racoon is using locally 175 * for nat traversal. 176 */ 177SYSCTL_INT(_net_inet_ipsec, OID_AUTO, esp_port, 178 CTLFLAG_RW, &esp_udp_encap_port, 0, ""); 179 180#if INET6 181struct ipsecstat ipsec6stat; 182int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; 183int ip6_esp_net_deflev = IPSEC_LEVEL_USE; 184int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 185int ip6_ah_net_deflev = IPSEC_LEVEL_USE; 186struct secpolicy ip6_def_policy; 187int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 188int ip6_esp_randpad = -1; 189 190/* net.inet6.ipsec6 */ 191SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, 192 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, ""); 193SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, 194 def_policy, CTLFLAG_RW, &ip6_def_policy.policy, 0, ""); 195SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 196 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, ""); 197SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 198 CTLFLAG_RW, &ip6_esp_net_deflev, 0, ""); 199SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 200 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, ""); 201SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 202 CTLFLAG_RW, &ip6_ah_net_deflev, 0, ""); 203SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, 204 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, ""); 205SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, 206 debug, CTLFLAG_RW, &ipsec_debug, 0, ""); 207SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, 208 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, ""); 209#endif /* INET6 */ 210 211static int ipsec_setspidx_mbuf(struct secpolicyindex *, u_int, u_int, 212 struct mbuf *, int); 213static int ipsec4_setspidx_inpcb(struct mbuf *, struct inpcb *pcb); 214#if INET6 215static int ipsec6_setspidx_in6pcb(struct mbuf *, struct in6pcb *pcb); 216#endif 217static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int); 218static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int); 219static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *); 220#if INET6 221static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int); 222static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *); 223#endif 224static struct inpcbpolicy *ipsec_newpcbpolicy(void); 225static void ipsec_delpcbpolicy(struct inpcbpolicy *); 226static struct secpolicy *ipsec_deepcopy_policy(struct secpolicy *src); 227static int ipsec_set_policy(struct secpolicy **pcb_sp, 228 int optname, caddr_t request, size_t len, int priv); 229static int ipsec_get_policy(struct secpolicy *pcb_sp, struct mbuf **mp); 230static void vshiftl(unsigned char *, int, int); 231static int ipsec_in_reject(struct secpolicy *, struct mbuf *); 232#if INET 233static struct mbuf *ipsec4_splithdr(struct mbuf *); 234#endif 235#if INET6 236static struct mbuf *ipsec6_splithdr(struct mbuf *); 237#endif 238#if INET 239static int ipsec4_encapsulate(struct mbuf *, struct secasvar *); 240#endif 241#if INET6 242static int ipsec6_encapsulate(struct mbuf *, struct secasvar *); 243static int ipsec64_encapsulate(struct mbuf *, struct secasvar *); 244#endif 245static struct ipsec_tag *ipsec_addaux(struct mbuf *); 246static struct ipsec_tag *ipsec_findaux(struct mbuf *); 247static void ipsec_optaux(struct mbuf *, struct ipsec_tag *); 248void ipsec_send_natt_keepalive(struct secasvar *sav); 249 250static int 251sysctl_def_policy SYSCTL_HANDLER_ARGS 252{ 253 int old_policy = ip4_def_policy.policy; 254 int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req); 255 256 if (ip4_def_policy.policy != IPSEC_POLICY_NONE && 257 ip4_def_policy.policy != IPSEC_POLICY_DISCARD) { 258 ip4_def_policy.policy = old_policy; 259 return EINVAL; 260 } 261 262 /* Turn off the bypass if the default security policy changes */ 263 if (ipsec_bypass != 0 && ip4_def_policy.policy != IPSEC_POLICY_NONE) 264 ipsec_bypass = 0; 265 266 return error; 267} 268 269/* 270 * For OUTBOUND packet having a socket. Searching SPD for packet, 271 * and return a pointer to SP. 272 * OUT: NULL: no apropreate SP found, the following value is set to error. 273 * 0 : bypass 274 * EACCES : discard packet. 275 * ENOENT : ipsec_acquire() in progress, maybe. 276 * others : error occurred. 277 * others: a pointer to SP 278 * 279 * NOTE: IPv6 mapped adddress concern is implemented here. 280 */ 281struct secpolicy * 282ipsec4_getpolicybysock(m, dir, so, error) 283 struct mbuf *m; 284 u_int dir; 285 struct socket *so; 286 int *error; 287{ 288 struct inpcbpolicy *pcbsp = NULL; 289 struct secpolicy *currsp = NULL; /* policy on socket */ 290 struct secpolicy *kernsp = NULL; /* policy on kernel */ 291 292 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 293 /* sanity check */ 294 if (m == NULL || so == NULL || error == NULL) 295 panic("ipsec4_getpolicybysock: NULL pointer was passed.\n"); 296 297 if (so->so_pcb == NULL) { 298 printf("ipsec4_getpolicybysock: so->so_pcb == NULL\n"); 299 return ipsec4_getpolicybyaddr(m, dir, 0, error); 300 } 301 302 switch (so->so_proto->pr_domain->dom_family) { 303 case AF_INET: 304 pcbsp = sotoinpcb(so)->inp_sp; 305 break; 306#if INET6 307 case AF_INET6: 308 pcbsp = sotoin6pcb(so)->in6p_sp; 309 break; 310#endif 311 } 312 313 if (!pcbsp){ 314 /* Socket has not specified an IPSEC policy */ 315 return ipsec4_getpolicybyaddr(m, dir, 0, error); 316 } 317 318 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_START, 0,0,0,0,0); 319 320 switch (so->so_proto->pr_domain->dom_family) { 321 case AF_INET: 322 /* set spidx in pcb */ 323 *error = ipsec4_setspidx_inpcb(m, sotoinpcb(so)); 324 break; 325#if INET6 326 case AF_INET6: 327 /* set spidx in pcb */ 328 *error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so)); 329 break; 330#endif 331 default: 332 panic("ipsec4_getpolicybysock: unsupported address family\n"); 333 } 334 if (*error) { 335 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 1,*error,0,0,0); 336 return NULL; 337 } 338 339 /* sanity check */ 340 if (pcbsp == NULL) 341 panic("ipsec4_getpolicybysock: pcbsp is NULL.\n"); 342 343 switch (dir) { 344 case IPSEC_DIR_INBOUND: 345 currsp = pcbsp->sp_in; 346 break; 347 case IPSEC_DIR_OUTBOUND: 348 currsp = pcbsp->sp_out; 349 break; 350 default: 351 panic("ipsec4_getpolicybysock: illegal direction.\n"); 352 } 353 354 /* sanity check */ 355 if (currsp == NULL) 356 panic("ipsec4_getpolicybysock: currsp is NULL.\n"); 357 358 /* when privilieged socket */ 359 if (pcbsp->priv) { 360 switch (currsp->policy) { 361 case IPSEC_POLICY_BYPASS: 362 lck_mtx_lock(sadb_mutex); 363 currsp->refcnt++; 364 lck_mtx_unlock(sadb_mutex); 365 *error = 0; 366 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 2,*error,0,0,0); 367 return currsp; 368 369 case IPSEC_POLICY_ENTRUST: 370 /* look for a policy in SPD */ 371 kernsp = key_allocsp(&currsp->spidx, dir); 372 373 /* SP found */ 374 if (kernsp != NULL) { 375 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 376 printf("DP ipsec4_getpolicybysock called " 377 "to allocate SP:%p\n", kernsp)); 378 *error = 0; 379 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 3,*error,0,0,0); 380 return kernsp; 381 } 382 383 /* no SP found */ 384 lck_mtx_lock(sadb_mutex); 385 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD 386 && ip4_def_policy.policy != IPSEC_POLICY_NONE) { 387 ipseclog((LOG_INFO, 388 "fixed system default policy: %d->%d\n", 389 ip4_def_policy.policy, IPSEC_POLICY_NONE)); 390 ip4_def_policy.policy = IPSEC_POLICY_NONE; 391 } 392 ip4_def_policy.refcnt++; 393 lck_mtx_unlock(sadb_mutex); 394 *error = 0; 395 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 4,*error,0,0,0); 396 return &ip4_def_policy; 397 398 case IPSEC_POLICY_IPSEC: 399 lck_mtx_lock(sadb_mutex); 400 currsp->refcnt++; 401 lck_mtx_unlock(sadb_mutex); 402 *error = 0; 403 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 5,*error,0,0,0); 404 return currsp; 405 406 default: 407 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 408 "Invalid policy for PCB %d\n", currsp->policy)); 409 *error = EINVAL; 410 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 6,*error,0,0,0); 411 return NULL; 412 } 413 /* NOTREACHED */ 414 } 415 416 /* when non-privilieged socket */ 417 /* look for a policy in SPD */ 418 kernsp = key_allocsp(&currsp->spidx, dir); 419 420 /* SP found */ 421 if (kernsp != NULL) { 422 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 423 printf("DP ipsec4_getpolicybysock called " 424 "to allocate SP:%p\n", kernsp)); 425 *error = 0; 426 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 7,*error,0,0,0); 427 return kernsp; 428 } 429 430 /* no SP found */ 431 switch (currsp->policy) { 432 case IPSEC_POLICY_BYPASS: 433 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 434 "Illegal policy for non-priviliged defined %d\n", 435 currsp->policy)); 436 *error = EINVAL; 437 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 8,*error,0,0,0); 438 return NULL; 439 440 case IPSEC_POLICY_ENTRUST: 441 lck_mtx_lock(sadb_mutex); 442 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD 443 && ip4_def_policy.policy != IPSEC_POLICY_NONE) { 444 ipseclog((LOG_INFO, 445 "fixed system default policy: %d->%d\n", 446 ip4_def_policy.policy, IPSEC_POLICY_NONE)); 447 ip4_def_policy.policy = IPSEC_POLICY_NONE; 448 } 449 ip4_def_policy.refcnt++; 450 lck_mtx_unlock(sadb_mutex); 451 *error = 0; 452 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 9,*error,0,0,0); 453 return &ip4_def_policy; 454 455 case IPSEC_POLICY_IPSEC: 456 lck_mtx_lock(sadb_mutex); 457 currsp->refcnt++; 458 lck_mtx_unlock(sadb_mutex); 459 *error = 0; 460 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 10,*error,0,0,0); 461 return currsp; 462 463 default: 464 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 465 "Invalid policy for PCB %d\n", currsp->policy)); 466 *error = EINVAL; 467 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 11,*error,0,0,0); 468 return NULL; 469 } 470 /* NOTREACHED */ 471} 472 473/* 474 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 475 * and return a pointer to SP. 476 * OUT: positive: a pointer to the entry for security policy leaf matched. 477 * NULL: no apropreate SP found, the following value is set to error. 478 * 0 : bypass 479 * EACCES : discard packet. 480 * ENOENT : ipsec_acquire() in progress, maybe. 481 * others : error occurred. 482 */ 483struct secpolicy * 484ipsec4_getpolicybyaddr(m, dir, flag, error) 485 struct mbuf *m; 486 u_int dir; 487 int flag; 488 int *error; 489{ 490 struct secpolicy *sp = NULL; 491 492 if (ipsec_bypass != 0) 493 return 0; 494 495 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 496 497 /* sanity check */ 498 if (m == NULL || error == NULL) 499 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n"); 500 501 { 502 struct secpolicyindex spidx; 503 504 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0); 505 bzero(&spidx, sizeof(spidx)); 506 507 /* make a index to look for a policy */ 508 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m, 509 (flag & IP_FORWARDING) ? 0 : 1); 510 511 if (*error != 0) { 512 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,*error,0,0,0); 513 return NULL; 514 } 515 516 sp = key_allocsp(&spidx, dir); 517 } 518 519 /* SP found */ 520 if (sp != NULL) { 521 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 522 printf("DP ipsec4_getpolicybyaddr called " 523 "to allocate SP:%p\n", sp)); 524 *error = 0; 525 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,*error,0,0,0); 526 return sp; 527 } 528 529 /* no SP found */ 530 lck_mtx_lock(sadb_mutex); 531 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD 532 && ip4_def_policy.policy != IPSEC_POLICY_NONE) { 533 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n", 534 ip4_def_policy.policy, 535 IPSEC_POLICY_NONE)); 536 ip4_def_policy.policy = IPSEC_POLICY_NONE; 537 } 538 ip4_def_policy.refcnt++; 539 lck_mtx_unlock(sadb_mutex); 540 *error = 0; 541 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 3,*error,0,0,0); 542 return &ip4_def_policy; 543} 544 545#if INET6 546/* 547 * For OUTBOUND packet having a socket. Searching SPD for packet, 548 * and return a pointer to SP. 549 * OUT: NULL: no apropreate SP found, the following value is set to error. 550 * 0 : bypass 551 * EACCES : discard packet. 552 * ENOENT : ipsec_acquire() in progress, maybe. 553 * others : error occurred. 554 * others: a pointer to SP 555 */ 556struct secpolicy * 557ipsec6_getpolicybysock(m, dir, so, error) 558 struct mbuf *m; 559 u_int dir; 560 struct socket *so; 561 int *error; 562{ 563 struct inpcbpolicy *pcbsp = NULL; 564 struct secpolicy *currsp = NULL; /* policy on socket */ 565 struct secpolicy *kernsp = NULL; /* policy on kernel */ 566 567 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 568 569 /* sanity check */ 570 if (m == NULL || so == NULL || error == NULL) 571 panic("ipsec6_getpolicybysock: NULL pointer was passed.\n"); 572 573#if DIAGNOSTIC 574 if (so->so_proto->pr_domain->dom_family != AF_INET6) 575 panic("ipsec6_getpolicybysock: socket domain != inet6\n"); 576#endif 577 578 pcbsp = sotoin6pcb(so)->in6p_sp; 579 580 if (!pcbsp){ 581 return ipsec6_getpolicybyaddr(m, dir, 0, error); 582 } 583 584 /* set spidx in pcb */ 585 ipsec6_setspidx_in6pcb(m, sotoin6pcb(so)); 586 587 /* sanity check */ 588 if (pcbsp == NULL) 589 panic("ipsec6_getpolicybysock: pcbsp is NULL.\n"); 590 591 switch (dir) { 592 case IPSEC_DIR_INBOUND: 593 currsp = pcbsp->sp_in; 594 break; 595 case IPSEC_DIR_OUTBOUND: 596 currsp = pcbsp->sp_out; 597 break; 598 default: 599 panic("ipsec6_getpolicybysock: illegal direction.\n"); 600 } 601 602 /* sanity check */ 603 if (currsp == NULL) 604 panic("ipsec6_getpolicybysock: currsp is NULL.\n"); 605 606 /* when privilieged socket */ 607 if (pcbsp->priv) { 608 switch (currsp->policy) { 609 case IPSEC_POLICY_BYPASS: 610 lck_mtx_lock(sadb_mutex); 611 currsp->refcnt++; 612 lck_mtx_unlock(sadb_mutex); 613 *error = 0; 614 return currsp; 615 616 case IPSEC_POLICY_ENTRUST: 617 /* look for a policy in SPD */ 618 kernsp = key_allocsp(&currsp->spidx, dir); 619 620 /* SP found */ 621 if (kernsp != NULL) { 622 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 623 printf("DP ipsec6_getpolicybysock called " 624 "to allocate SP:%p\n", kernsp)); 625 *error = 0; 626 return kernsp; 627 } 628 629 /* no SP found */ 630 lck_mtx_lock(sadb_mutex); 631 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD 632 && ip6_def_policy.policy != IPSEC_POLICY_NONE) { 633 ipseclog((LOG_INFO, 634 "fixed system default policy: %d->%d\n", 635 ip6_def_policy.policy, IPSEC_POLICY_NONE)); 636 ip6_def_policy.policy = IPSEC_POLICY_NONE; 637 } 638 ip6_def_policy.refcnt++; 639 lck_mtx_unlock(sadb_mutex); 640 *error = 0; 641 return &ip6_def_policy; 642 643 case IPSEC_POLICY_IPSEC: 644 lck_mtx_lock(sadb_mutex); 645 currsp->refcnt++; 646 lck_mtx_unlock(sadb_mutex); 647 *error = 0; 648 return currsp; 649 650 default: 651 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " 652 "Invalid policy for PCB %d\n", currsp->policy)); 653 *error = EINVAL; 654 return NULL; 655 } 656 /* NOTREACHED */ 657 } 658 659 /* when non-privilieged socket */ 660 /* look for a policy in SPD */ 661 kernsp = key_allocsp(&currsp->spidx, dir); 662 663 /* SP found */ 664 if (kernsp != NULL) { 665 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 666 printf("DP ipsec6_getpolicybysock called " 667 "to allocate SP:%p\n", kernsp)); 668 *error = 0; 669 return kernsp; 670 } 671 672 /* no SP found */ 673 switch (currsp->policy) { 674 case IPSEC_POLICY_BYPASS: 675 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " 676 "Illegal policy for non-priviliged defined %d\n", 677 currsp->policy)); 678 *error = EINVAL; 679 return NULL; 680 681 case IPSEC_POLICY_ENTRUST: 682 lck_mtx_lock(sadb_mutex); 683 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD 684 && ip6_def_policy.policy != IPSEC_POLICY_NONE) { 685 ipseclog((LOG_INFO, 686 "fixed system default policy: %d->%d\n", 687 ip6_def_policy.policy, IPSEC_POLICY_NONE)); 688 ip6_def_policy.policy = IPSEC_POLICY_NONE; 689 } 690 ip6_def_policy.refcnt++; 691 lck_mtx_unlock(sadb_mutex); 692 *error = 0; 693 return &ip6_def_policy; 694 695 case IPSEC_POLICY_IPSEC: 696 lck_mtx_lock(sadb_mutex); 697 currsp->refcnt++; 698 lck_mtx_unlock(sadb_mutex); 699 *error = 0; 700 return currsp; 701 702 default: 703 ipseclog((LOG_ERR, 704 "ipsec6_policybysock: Invalid policy for PCB %d\n", 705 currsp->policy)); 706 *error = EINVAL; 707 return NULL; 708 } 709 /* NOTREACHED */ 710} 711 712/* 713 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 714 * and return a pointer to SP. 715 * `flag' means that packet is to be forwarded whether or not. 716 * flag = 1: forwad 717 * OUT: positive: a pointer to the entry for security policy leaf matched. 718 * NULL: no apropreate SP found, the following value is set to error. 719 * 0 : bypass 720 * EACCES : discard packet. 721 * ENOENT : ipsec_acquire() in progress, maybe. 722 * others : error occurred. 723 */ 724#ifndef IP_FORWARDING 725#define IP_FORWARDING 1 726#endif 727 728struct secpolicy * 729ipsec6_getpolicybyaddr(m, dir, flag, error) 730 struct mbuf *m; 731 u_int dir; 732 int flag; 733 int *error; 734{ 735 struct secpolicy *sp = NULL; 736 737 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 738 739 /* sanity check */ 740 if (m == NULL || error == NULL) 741 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n"); 742 743 { 744 struct secpolicyindex spidx; 745 746 bzero(&spidx, sizeof(spidx)); 747 748 /* make a index to look for a policy */ 749 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m, 750 (flag & IP_FORWARDING) ? 0 : 1); 751 752 if (*error != 0) 753 return NULL; 754 755 sp = key_allocsp(&spidx, dir); 756 } 757 758 /* SP found */ 759 if (sp != NULL) { 760 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 761 printf("DP ipsec6_getpolicybyaddr called " 762 "to allocate SP:%p\n", sp)); 763 *error = 0; 764 return sp; 765 } 766 767 /* no SP found */ 768 lck_mtx_lock(sadb_mutex); 769 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD 770 && ip6_def_policy.policy != IPSEC_POLICY_NONE) { 771 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n", 772 ip6_def_policy.policy, IPSEC_POLICY_NONE)); 773 ip6_def_policy.policy = IPSEC_POLICY_NONE; 774 } 775 ip6_def_policy.refcnt++; 776 lck_mtx_unlock(sadb_mutex); 777 *error = 0; 778 return &ip6_def_policy; 779} 780#endif /* INET6 */ 781 782/* 783 * set IP address into spidx from mbuf. 784 * When Forwarding packet and ICMP echo reply, this function is used. 785 * 786 * IN: get the followings from mbuf. 787 * protocol family, src, dst, next protocol 788 * OUT: 789 * 0: success. 790 * other: failure, and set errno. 791 */ 792int 793ipsec_setspidx_mbuf( 794 struct secpolicyindex *spidx, 795 u_int dir, 796 __unused u_int family, 797 struct mbuf *m, 798 int needport) 799{ 800 int error; 801 802 /* sanity check */ 803 if (spidx == NULL || m == NULL) 804 panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n"); 805 806 bzero(spidx, sizeof(*spidx)); 807 808 error = ipsec_setspidx(m, spidx, needport); 809 if (error) 810 goto bad; 811 spidx->dir = dir; 812 813 return 0; 814 815 bad: 816 /* XXX initialize */ 817 bzero(spidx, sizeof(*spidx)); 818 return EINVAL; 819} 820 821static int 822ipsec4_setspidx_inpcb(m, pcb) 823 struct mbuf *m; 824 struct inpcb *pcb; 825{ 826 struct secpolicyindex *spidx; 827 int error; 828 829 if (ipsec_bypass != 0) 830 return 0; 831 832 /* sanity check */ 833 if (pcb == NULL) 834 panic("ipsec4_setspidx_inpcb: no PCB found.\n"); 835 if (pcb->inp_sp == NULL) 836 panic("ipsec4_setspidx_inpcb: no inp_sp found.\n"); 837 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL) 838 panic("ipsec4_setspidx_inpcb: no sp_in/out found.\n"); 839 840 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx)); 841 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx)); 842 843 spidx = &pcb->inp_sp->sp_in->spidx; 844 error = ipsec_setspidx(m, spidx, 1); 845 if (error) 846 goto bad; 847 spidx->dir = IPSEC_DIR_INBOUND; 848 849 spidx = &pcb->inp_sp->sp_out->spidx; 850 error = ipsec_setspidx(m, spidx, 1); 851 if (error) 852 goto bad; 853 spidx->dir = IPSEC_DIR_OUTBOUND; 854 855 return 0; 856 857bad: 858 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx)); 859 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx)); 860 return error; 861} 862 863#if INET6 864static int 865ipsec6_setspidx_in6pcb(m, pcb) 866 struct mbuf *m; 867 struct in6pcb *pcb; 868{ 869 struct secpolicyindex *spidx; 870 int error; 871 872 /* sanity check */ 873 if (pcb == NULL) 874 panic("ipsec6_setspidx_in6pcb: no PCB found.\n"); 875 if (pcb->in6p_sp == NULL) 876 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.\n"); 877 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL) 878 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.\n"); 879 880 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx)); 881 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx)); 882 883 spidx = &pcb->in6p_sp->sp_in->spidx; 884 error = ipsec_setspidx(m, spidx, 1); 885 if (error) 886 goto bad; 887 spidx->dir = IPSEC_DIR_INBOUND; 888 889 spidx = &pcb->in6p_sp->sp_out->spidx; 890 error = ipsec_setspidx(m, spidx, 1); 891 if (error) 892 goto bad; 893 spidx->dir = IPSEC_DIR_OUTBOUND; 894 895 return 0; 896 897bad: 898 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx)); 899 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx)); 900 return error; 901} 902#endif 903 904/* 905 * configure security policy index (src/dst/proto/sport/dport) 906 * by looking at the content of mbuf. 907 * the caller is responsible for error recovery (like clearing up spidx). 908 */ 909static int 910ipsec_setspidx(m, spidx, needport) 911 struct mbuf *m; 912 struct secpolicyindex *spidx; 913 int needport; 914{ 915 struct ip *ip = NULL; 916 struct ip ipbuf; 917 u_int v; 918 struct mbuf *n; 919 int len; 920 int error; 921 922 if (m == NULL) 923 panic("ipsec_setspidx: m == 0 passed.\n"); 924 925 /* 926 * validate m->m_pkthdr.len. we see incorrect length if we 927 * mistakenly call this function with inconsistent mbuf chain 928 * (like 4.4BSD tcp/udp processing). XXX should we panic here? 929 */ 930 len = 0; 931 for (n = m; n; n = n->m_next) 932 len += n->m_len; 933 if (m->m_pkthdr.len != len) { 934 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 935 printf("ipsec_setspidx: " 936 "total of m_len(%d) != pkthdr.len(%d), " 937 "ignored.\n", 938 len, m->m_pkthdr.len)); 939 return EINVAL; 940 } 941 942 if (m->m_pkthdr.len < sizeof(struct ip)) { 943 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 944 printf("ipsec_setspidx: " 945 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n", 946 m->m_pkthdr.len)); 947 return EINVAL; 948 } 949 950 if (m->m_len >= sizeof(*ip)) 951 ip = mtod(m, struct ip *); 952 else { 953 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 954 ip = &ipbuf; 955 } 956#ifdef _IP_VHL 957 v = _IP_VHL_V(ip->ip_vhl); 958#else 959 v = ip->ip_v; 960#endif 961 switch (v) { 962 case 4: 963 error = ipsec4_setspidx_ipaddr(m, spidx); 964 if (error) 965 return error; 966 ipsec4_get_ulp(m, spidx, needport); 967 return 0; 968#if INET6 969 case 6: 970 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 971 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 972 printf("ipsec_setspidx: " 973 "pkthdr.len(%d) < sizeof(struct ip6_hdr), " 974 "ignored.\n", m->m_pkthdr.len)); 975 return EINVAL; 976 } 977 error = ipsec6_setspidx_ipaddr(m, spidx); 978 if (error) 979 return error; 980 ipsec6_get_ulp(m, spidx, needport); 981 return 0; 982#endif 983 default: 984 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 985 printf("ipsec_setspidx: " 986 "unknown IP version %u, ignored.\n", v)); 987 return EINVAL; 988 } 989} 990 991static void 992ipsec4_get_ulp(m, spidx, needport) 993 struct mbuf *m; 994 struct secpolicyindex *spidx; 995 int needport; 996{ 997 struct ip ip; 998 struct ip6_ext ip6e; 999 u_int8_t nxt; 1000 int off; 1001 struct tcphdr th; 1002 struct udphdr uh; 1003 1004 /* sanity check */ 1005 if (m == NULL) 1006 panic("ipsec4_get_ulp: NULL pointer was passed.\n"); 1007 if (m->m_pkthdr.len < sizeof(ip)) 1008 panic("ipsec4_get_ulp: too short\n"); 1009 1010 /* set default */ 1011 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1012 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY; 1013 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY; 1014 1015 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip); 1016 /* ip_input() flips it into host endian XXX need more checking */ 1017 if (ip.ip_off & (IP_MF | IP_OFFMASK)) 1018 return; 1019 1020 nxt = ip.ip_p; 1021#ifdef _IP_VHL 1022 off = _IP_VHL_HL(ip->ip_vhl) << 2; 1023#else 1024 off = ip.ip_hl << 2; 1025#endif 1026 while (off < m->m_pkthdr.len) { 1027 switch (nxt) { 1028 case IPPROTO_TCP: 1029 spidx->ul_proto = nxt; 1030 if (!needport) 1031 return; 1032 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1033 return; 1034 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1035 ((struct sockaddr_in *)&spidx->src)->sin_port = 1036 th.th_sport; 1037 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1038 th.th_dport; 1039 return; 1040 case IPPROTO_UDP: 1041 spidx->ul_proto = nxt; 1042 if (!needport) 1043 return; 1044 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1045 return; 1046 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1047 ((struct sockaddr_in *)&spidx->src)->sin_port = 1048 uh.uh_sport; 1049 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1050 uh.uh_dport; 1051 return; 1052 case IPPROTO_AH: 1053 if (off + sizeof(ip6e) > m->m_pkthdr.len) 1054 return; 1055 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1056 off += (ip6e.ip6e_len + 2) << 2; 1057 nxt = ip6e.ip6e_nxt; 1058 break; 1059 case IPPROTO_ICMP: 1060 default: 1061 /* XXX intermediate headers??? */ 1062 spidx->ul_proto = nxt; 1063 return; 1064 } 1065 } 1066} 1067 1068/* assumes that m is sane */ 1069static int 1070ipsec4_setspidx_ipaddr(m, spidx) 1071 struct mbuf *m; 1072 struct secpolicyindex *spidx; 1073{ 1074 struct ip *ip = NULL; 1075 struct ip ipbuf; 1076 struct sockaddr_in *sin; 1077 1078 if (m->m_len >= sizeof(*ip)) 1079 ip = mtod(m, struct ip *); 1080 else { 1081 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 1082 ip = &ipbuf; 1083 } 1084 1085 sin = (struct sockaddr_in *)&spidx->src; 1086 bzero(sin, sizeof(*sin)); 1087 sin->sin_family = AF_INET; 1088 sin->sin_len = sizeof(struct sockaddr_in); 1089 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src)); 1090 spidx->prefs = sizeof(struct in_addr) << 3; 1091 1092 sin = (struct sockaddr_in *)&spidx->dst; 1093 bzero(sin, sizeof(*sin)); 1094 sin->sin_family = AF_INET; 1095 sin->sin_len = sizeof(struct sockaddr_in); 1096 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)); 1097 spidx->prefd = sizeof(struct in_addr) << 3; 1098 return 0; 1099} 1100 1101#if INET6 1102static void 1103ipsec6_get_ulp(m, spidx, needport) 1104 struct mbuf *m; 1105 struct secpolicyindex *spidx; 1106 int needport; 1107{ 1108 int off, nxt; 1109 struct tcphdr th; 1110 struct udphdr uh; 1111 1112 /* sanity check */ 1113 if (m == NULL) 1114 panic("ipsec6_get_ulp: NULL pointer was passed.\n"); 1115 1116 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1117 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m)); 1118 1119 /* set default */ 1120 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1121 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; 1122 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; 1123 1124 nxt = -1; 1125 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 1126 if (off < 0 || m->m_pkthdr.len < off) 1127 return; 1128 1129 switch (nxt) { 1130 case IPPROTO_TCP: 1131 spidx->ul_proto = nxt; 1132 if (!needport) 1133 break; 1134 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1135 break; 1136 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1137 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; 1138 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; 1139 break; 1140 case IPPROTO_UDP: 1141 spidx->ul_proto = nxt; 1142 if (!needport) 1143 break; 1144 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1145 break; 1146 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1147 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; 1148 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; 1149 break; 1150 case IPPROTO_ICMPV6: 1151 default: 1152 /* XXX intermediate headers??? */ 1153 spidx->ul_proto = nxt; 1154 break; 1155 } 1156} 1157 1158/* assumes that m is sane */ 1159static int 1160ipsec6_setspidx_ipaddr(m, spidx) 1161 struct mbuf *m; 1162 struct secpolicyindex *spidx; 1163{ 1164 struct ip6_hdr *ip6 = NULL; 1165 struct ip6_hdr ip6buf; 1166 struct sockaddr_in6 *sin6; 1167 1168 if (m->m_len >= sizeof(*ip6)) 1169 ip6 = mtod(m, struct ip6_hdr *); 1170 else { 1171 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); 1172 ip6 = &ip6buf; 1173 } 1174 1175 sin6 = (struct sockaddr_in6 *)&spidx->src; 1176 bzero(sin6, sizeof(*sin6)); 1177 sin6->sin6_family = AF_INET6; 1178 sin6->sin6_len = sizeof(struct sockaddr_in6); 1179 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src)); 1180 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 1181 sin6->sin6_addr.s6_addr16[1] = 0; 1182 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); 1183 } 1184 spidx->prefs = sizeof(struct in6_addr) << 3; 1185 1186 sin6 = (struct sockaddr_in6 *)&spidx->dst; 1187 bzero(sin6, sizeof(*sin6)); 1188 sin6->sin6_family = AF_INET6; 1189 sin6->sin6_len = sizeof(struct sockaddr_in6); 1190 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst)); 1191 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 1192 sin6->sin6_addr.s6_addr16[1] = 0; 1193 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); 1194 } 1195 spidx->prefd = sizeof(struct in6_addr) << 3; 1196 1197 return 0; 1198} 1199#endif 1200 1201static struct inpcbpolicy * 1202ipsec_newpcbpolicy() 1203{ 1204 struct inpcbpolicy *p; 1205 1206 p = (struct inpcbpolicy *)_MALLOC(sizeof(*p), M_SECA, M_WAITOK); 1207 return p; 1208} 1209 1210static void 1211ipsec_delpcbpolicy(p) 1212 struct inpcbpolicy *p; 1213{ 1214 FREE(p, M_SECA); 1215} 1216 1217/* initialize policy in PCB */ 1218int 1219ipsec_init_policy(so, pcb_sp) 1220 struct socket *so; 1221 struct inpcbpolicy **pcb_sp; 1222{ 1223 struct inpcbpolicy *new; 1224 1225 /* sanity check. */ 1226 if (so == NULL || pcb_sp == NULL) 1227 panic("ipsec_init_policy: NULL pointer was passed.\n"); 1228 1229 new = ipsec_newpcbpolicy(); 1230 if (new == NULL) { 1231 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n")); 1232 return ENOBUFS; 1233 } 1234 bzero(new, sizeof(*new)); 1235 1236#ifdef __APPLE__ 1237 if (so->so_uid == 0) 1238#else 1239 if (so->so_cred != 0 && !suser(so->so_cred->pc_ucred, NULL)) 1240#endif 1241 new->priv = 1; 1242 else 1243 new->priv = 0; 1244 1245 if ((new->sp_in = key_newsp()) == NULL) { 1246 ipsec_delpcbpolicy(new); 1247 return ENOBUFS; 1248 } 1249 new->sp_in->state = IPSEC_SPSTATE_ALIVE; 1250 new->sp_in->policy = IPSEC_POLICY_ENTRUST; 1251 1252 if ((new->sp_out = key_newsp()) == NULL) { 1253 key_freesp(new->sp_in, KEY_SADB_UNLOCKED); 1254 ipsec_delpcbpolicy(new); 1255 return ENOBUFS; 1256 } 1257 new->sp_out->state = IPSEC_SPSTATE_ALIVE; 1258 new->sp_out->policy = IPSEC_POLICY_ENTRUST; 1259 1260 *pcb_sp = new; 1261 1262 return 0; 1263} 1264 1265/* copy old ipsec policy into new */ 1266int 1267ipsec_copy_policy(old, new) 1268 struct inpcbpolicy *old, *new; 1269{ 1270 struct secpolicy *sp; 1271 1272 if (ipsec_bypass != 0) 1273 return 0; 1274 1275 sp = ipsec_deepcopy_policy(old->sp_in); 1276 if (sp) { 1277 key_freesp(new->sp_in, KEY_SADB_UNLOCKED); 1278 new->sp_in = sp; 1279 } else 1280 return ENOBUFS; 1281 1282 sp = ipsec_deepcopy_policy(old->sp_out); 1283 if (sp) { 1284 key_freesp(new->sp_out, KEY_SADB_UNLOCKED); 1285 new->sp_out = sp; 1286 } else 1287 return ENOBUFS; 1288 1289 new->priv = old->priv; 1290 1291 return 0; 1292} 1293 1294/* deep-copy a policy in PCB */ 1295static struct secpolicy * 1296ipsec_deepcopy_policy(src) 1297 struct secpolicy *src; 1298{ 1299 struct ipsecrequest *newchain = NULL; 1300 struct ipsecrequest *p; 1301 struct ipsecrequest **q; 1302 struct ipsecrequest *r; 1303 struct secpolicy *dst; 1304 1305 if (src == NULL) 1306 return NULL; 1307 dst = key_newsp(); 1308 if (dst == NULL) 1309 return NULL; 1310 1311 /* 1312 * deep-copy IPsec request chain. This is required since struct 1313 * ipsecrequest is not reference counted. 1314 */ 1315 q = &newchain; 1316 for (p = src->req; p; p = p->next) { 1317 *q = (struct ipsecrequest *)_MALLOC(sizeof(struct ipsecrequest), 1318 M_SECA, M_WAITOK); 1319 if (*q == NULL) 1320 goto fail; 1321 bzero(*q, sizeof(**q)); 1322 (*q)->next = NULL; 1323 1324 (*q)->saidx.proto = p->saidx.proto; 1325 (*q)->saidx.mode = p->saidx.mode; 1326 (*q)->level = p->level; 1327 (*q)->saidx.reqid = p->saidx.reqid; 1328 1329 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src)); 1330 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst)); 1331 1332 (*q)->sp = dst; 1333 1334 q = &((*q)->next); 1335 } 1336 1337 dst->req = newchain; 1338 dst->state = src->state; 1339 dst->policy = src->policy; 1340 /* do not touch the refcnt fields */ 1341 1342 return dst; 1343 1344fail: 1345 for (p = newchain; p; p = r) { 1346 r = p->next; 1347 FREE(p, M_SECA); 1348 p = NULL; 1349 } 1350 key_freesp(dst, KEY_SADB_UNLOCKED); 1351 return NULL; 1352} 1353 1354/* set policy and ipsec request if present. */ 1355static int 1356ipsec_set_policy( 1357 struct secpolicy **pcb_sp, 1358 __unused int optname, 1359 caddr_t request, 1360 size_t len, 1361 int priv) 1362{ 1363 struct sadb_x_policy *xpl; 1364 struct secpolicy *newsp = NULL; 1365 int error; 1366 1367 /* sanity check. */ 1368 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL) 1369 return EINVAL; 1370 if (len < sizeof(*xpl)) 1371 return EINVAL; 1372 xpl = (struct sadb_x_policy *)request; 1373 1374 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1375 printf("ipsec_set_policy: passed policy\n"); 1376 kdebug_sadb_x_policy((struct sadb_ext *)xpl)); 1377 1378 /* check policy type */ 1379 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ 1380 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD 1381 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) 1382 return EINVAL; 1383 1384 /* check privileged socket */ 1385 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) 1386 return EACCES; 1387 1388 /* allocation new SP entry */ 1389 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) 1390 return error; 1391 1392 newsp->state = IPSEC_SPSTATE_ALIVE; 1393 1394 /* clear old SP and set new SP */ 1395 key_freesp(*pcb_sp, KEY_SADB_UNLOCKED); 1396 *pcb_sp = newsp; 1397 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1398 printf("ipsec_set_policy: new policy\n"); 1399 kdebug_secpolicy(newsp)); 1400 1401 return 0; 1402} 1403 1404static int 1405ipsec_get_policy(pcb_sp, mp) 1406 struct secpolicy *pcb_sp; 1407 struct mbuf **mp; 1408{ 1409 1410 1411 /* sanity check. */ 1412 if (pcb_sp == NULL || mp == NULL) 1413 return EINVAL; 1414 1415 *mp = key_sp2msg(pcb_sp); 1416 if (!*mp) { 1417 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n")); 1418 return ENOBUFS; 1419 } 1420 1421 m_mchtype(*mp, MT_DATA); 1422 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1423 printf("ipsec_get_policy:\n"); 1424 kdebug_mbuf(*mp)); 1425 1426 return 0; 1427} 1428 1429int 1430ipsec4_set_policy(inp, optname, request, len, priv) 1431 struct inpcb *inp; 1432 int optname; 1433 caddr_t request; 1434 size_t len; 1435 int priv; 1436{ 1437 struct sadb_x_policy *xpl; 1438 struct secpolicy **pcb_sp; 1439 int error = 0; 1440 1441 /* sanity check. */ 1442 if (inp == NULL || request == NULL) 1443 return EINVAL; 1444 if (len < sizeof(*xpl)) 1445 return EINVAL; 1446 xpl = (struct sadb_x_policy *)request; 1447 1448 if (inp->inp_sp == NULL) { 1449 error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp); 1450 if (error) 1451 return error; 1452 } 1453 1454 /* select direction */ 1455 switch (xpl->sadb_x_policy_dir) { 1456 case IPSEC_DIR_INBOUND: 1457 pcb_sp = &inp->inp_sp->sp_in; 1458 break; 1459 case IPSEC_DIR_OUTBOUND: 1460 pcb_sp = &inp->inp_sp->sp_out; 1461 break; 1462 default: 1463 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", 1464 xpl->sadb_x_policy_dir)); 1465 return EINVAL; 1466 } 1467 1468 /* turn bypass off */ 1469 if (ipsec_bypass != 0) 1470 ipsec_bypass = 0; 1471 1472 return ipsec_set_policy(pcb_sp, optname, request, len, priv); 1473} 1474 1475int 1476ipsec4_get_policy(inp, request, len, mp) 1477 struct inpcb *inp; 1478 caddr_t request; 1479 size_t len; 1480 struct mbuf **mp; 1481{ 1482 struct sadb_x_policy *xpl; 1483 struct secpolicy *pcb_sp; 1484 int error = 0; 1485 1486 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 1487 1488 /* sanity check. */ 1489 if (inp == NULL || request == NULL || mp == NULL) 1490 return EINVAL; 1491 if (len < sizeof(*xpl)) 1492 return EINVAL; 1493 xpl = (struct sadb_x_policy *)request; 1494 1495 if (inp->inp_sp == NULL) { 1496 error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp); 1497 if (error) 1498 return error; 1499 } 1500 1501 /* select direction */ 1502 switch (xpl->sadb_x_policy_dir) { 1503 case IPSEC_DIR_INBOUND: 1504 pcb_sp = inp->inp_sp->sp_in; 1505 break; 1506 case IPSEC_DIR_OUTBOUND: 1507 pcb_sp = inp->inp_sp->sp_out; 1508 break; 1509 default: 1510 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", 1511 xpl->sadb_x_policy_dir)); 1512 return EINVAL; 1513 } 1514 1515 return ipsec_get_policy(pcb_sp, mp); 1516} 1517 1518/* delete policy in PCB */ 1519int 1520ipsec4_delete_pcbpolicy(inp) 1521 struct inpcb *inp; 1522{ 1523 1524 /* sanity check. */ 1525 if (inp == NULL) 1526 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n"); 1527 1528 if (inp->inp_sp == NULL) 1529 return 0; 1530 1531 if (inp->inp_sp->sp_in != NULL) { 1532 key_freesp(inp->inp_sp->sp_in, KEY_SADB_UNLOCKED); 1533 inp->inp_sp->sp_in = NULL; 1534 } 1535 1536 if (inp->inp_sp->sp_out != NULL) { 1537 key_freesp(inp->inp_sp->sp_out, KEY_SADB_UNLOCKED); 1538 inp->inp_sp->sp_out = NULL; 1539 } 1540 1541 ipsec_delpcbpolicy(inp->inp_sp); 1542 inp->inp_sp = NULL; 1543 1544 return 0; 1545} 1546 1547#if INET6 1548int 1549ipsec6_set_policy(in6p, optname, request, len, priv) 1550 struct in6pcb *in6p; 1551 int optname; 1552 caddr_t request; 1553 size_t len; 1554 int priv; 1555{ 1556 struct sadb_x_policy *xpl; 1557 struct secpolicy **pcb_sp; 1558 int error = 0; 1559 1560 /* sanity check. */ 1561 if (in6p == NULL || request == NULL) 1562 return EINVAL; 1563 if (len < sizeof(*xpl)) 1564 return EINVAL; 1565 xpl = (struct sadb_x_policy *)request; 1566 1567 if (in6p->in6p_sp == NULL) { 1568 error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp); 1569 if (error) 1570 return error; 1571 } 1572 1573 /* select direction */ 1574 switch (xpl->sadb_x_policy_dir) { 1575 case IPSEC_DIR_INBOUND: 1576 pcb_sp = &in6p->in6p_sp->sp_in; 1577 break; 1578 case IPSEC_DIR_OUTBOUND: 1579 pcb_sp = &in6p->in6p_sp->sp_out; 1580 break; 1581 default: 1582 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", 1583 xpl->sadb_x_policy_dir)); 1584 return EINVAL; 1585 } 1586 1587 /* turn bypass off */ 1588 if (ipsec_bypass != 0) 1589 ipsec_bypass = 0; 1590 1591 return ipsec_set_policy(pcb_sp, optname, request, len, priv); 1592} 1593 1594int 1595ipsec6_get_policy(in6p, request, len, mp) 1596 struct in6pcb *in6p; 1597 caddr_t request; 1598 size_t len; 1599 struct mbuf **mp; 1600{ 1601 struct sadb_x_policy *xpl; 1602 struct secpolicy *pcb_sp; 1603 int error = 0; 1604 1605 /* sanity check. */ 1606 if (in6p == NULL || request == NULL || mp == NULL) 1607 return EINVAL; 1608 if (len < sizeof(*xpl)) 1609 return EINVAL; 1610 xpl = (struct sadb_x_policy *)request; 1611 1612 if (in6p->in6p_sp == NULL) { 1613 error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp); 1614 if (error) 1615 return error; 1616 } 1617 1618 /* select direction */ 1619 switch (xpl->sadb_x_policy_dir) { 1620 case IPSEC_DIR_INBOUND: 1621 pcb_sp = in6p->in6p_sp->sp_in; 1622 break; 1623 case IPSEC_DIR_OUTBOUND: 1624 pcb_sp = in6p->in6p_sp->sp_out; 1625 break; 1626 default: 1627 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", 1628 xpl->sadb_x_policy_dir)); 1629 return EINVAL; 1630 } 1631 1632 return ipsec_get_policy(pcb_sp, mp); 1633} 1634 1635int 1636ipsec6_delete_pcbpolicy(in6p) 1637 struct in6pcb *in6p; 1638{ 1639 1640 /* sanity check. */ 1641 if (in6p == NULL) 1642 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n"); 1643 1644 if (in6p->in6p_sp == NULL) 1645 return 0; 1646 1647 if (in6p->in6p_sp->sp_in != NULL) { 1648 key_freesp(in6p->in6p_sp->sp_in, KEY_SADB_UNLOCKED); 1649 in6p->in6p_sp->sp_in = NULL; 1650 } 1651 1652 if (in6p->in6p_sp->sp_out != NULL) { 1653 key_freesp(in6p->in6p_sp->sp_out, KEY_SADB_UNLOCKED); 1654 in6p->in6p_sp->sp_out = NULL; 1655 } 1656 1657 ipsec_delpcbpolicy(in6p->in6p_sp); 1658 in6p->in6p_sp = NULL; 1659 1660 return 0; 1661} 1662#endif 1663 1664/* 1665 * return current level. 1666 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 1667 */ 1668u_int 1669ipsec_get_reqlevel(isr) 1670 struct ipsecrequest *isr; 1671{ 1672 u_int level = 0; 1673 u_int esp_trans_deflev = 0, esp_net_deflev = 0, ah_trans_deflev = 0, ah_net_deflev = 0; 1674 1675 /* sanity check */ 1676 if (isr == NULL || isr->sp == NULL) 1677 panic("ipsec_get_reqlevel: NULL pointer is passed.\n"); 1678 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family 1679 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family) 1680 panic("ipsec_get_reqlevel: family mismatched.\n"); 1681 1682/* XXX note that we have ipseclog() expanded here - code sync issue */ 1683#define IPSEC_CHECK_DEFAULT(lev) \ 1684 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \ 1685 && (lev) != IPSEC_LEVEL_UNIQUE) \ 1686 ? (ipsec_debug \ 1687 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\ 1688 (lev), IPSEC_LEVEL_REQUIRE) \ 1689 : 0), \ 1690 (lev) = IPSEC_LEVEL_REQUIRE, \ 1691 (lev) \ 1692 : (lev)) 1693 1694 /* set default level */ 1695 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) { 1696#if INET 1697 case AF_INET: 1698 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev); 1699 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev); 1700 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev); 1701 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev); 1702 break; 1703#endif 1704#if INET6 1705 case AF_INET6: 1706 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev); 1707 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev); 1708 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev); 1709 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev); 1710 break; 1711#endif /* INET6 */ 1712 default: 1713 panic("key_get_reqlevel: Unknown family. %d\n", 1714 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family); 1715 } 1716 1717#undef IPSEC_CHECK_DEFAULT 1718 1719 /* set level */ 1720 switch (isr->level) { 1721 case IPSEC_LEVEL_DEFAULT: 1722 switch (isr->saidx.proto) { 1723 case IPPROTO_ESP: 1724 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1725 level = esp_net_deflev; 1726 else 1727 level = esp_trans_deflev; 1728 break; 1729 case IPPROTO_AH: 1730 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1731 level = ah_net_deflev; 1732 else 1733 level = ah_trans_deflev; 1734 break; 1735 case IPPROTO_IPCOMP: 1736 /* 1737 * we don't really care, as IPcomp document says that 1738 * we shouldn't compress small packets 1739 */ 1740 level = IPSEC_LEVEL_USE; 1741 break; 1742 default: 1743 panic("ipsec_get_reqlevel: " 1744 "Illegal protocol defined %u\n", 1745 isr->saidx.proto); 1746 } 1747 break; 1748 1749 case IPSEC_LEVEL_USE: 1750 case IPSEC_LEVEL_REQUIRE: 1751 level = isr->level; 1752 break; 1753 case IPSEC_LEVEL_UNIQUE: 1754 level = IPSEC_LEVEL_REQUIRE; 1755 break; 1756 1757 default: 1758 panic("ipsec_get_reqlevel: Illegal IPsec level %u\n", 1759 isr->level); 1760 } 1761 1762 return level; 1763} 1764 1765/* 1766 * Check AH/ESP integrity. 1767 * OUT: 1768 * 0: valid 1769 * 1: invalid 1770 */ 1771static int 1772ipsec_in_reject(sp, m) 1773 struct secpolicy *sp; 1774 struct mbuf *m; 1775{ 1776 struct ipsecrequest *isr; 1777 u_int level; 1778 int need_auth, need_conf, need_icv; 1779 1780 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1781 printf("ipsec_in_reject: using SP\n"); 1782 kdebug_secpolicy(sp)); 1783 1784 /* check policy */ 1785 switch (sp->policy) { 1786 case IPSEC_POLICY_DISCARD: 1787 case IPSEC_POLICY_GENERATE: 1788 return 1; 1789 case IPSEC_POLICY_BYPASS: 1790 case IPSEC_POLICY_NONE: 1791 return 0; 1792 1793 case IPSEC_POLICY_IPSEC: 1794 break; 1795 1796 case IPSEC_POLICY_ENTRUST: 1797 default: 1798 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy); 1799 } 1800 1801 need_auth = 0; 1802 need_conf = 0; 1803 need_icv = 0; 1804 1805 /* XXX should compare policy against ipsec header history */ 1806 1807 for (isr = sp->req; isr != NULL; isr = isr->next) { 1808 1809 /* get current level */ 1810 level = ipsec_get_reqlevel(isr); 1811 1812 switch (isr->saidx.proto) { 1813 case IPPROTO_ESP: 1814 if (level == IPSEC_LEVEL_REQUIRE) { 1815 need_conf++; 1816 1817#if 0 1818 /* this won't work with multiple input threads - isr->sav would change 1819 * with every packet and is not necessarily related to the current packet 1820 * being processed. If ESP processing is required - the esp code should 1821 * make sure that the integrity check is present and correct. I don't see 1822 * why it would be necessary to check for the presence of the integrity 1823 * check value here. I think this is just wrong. 1824 * isr->sav has been removed. 1825 * %%%%%% this needs to be re-worked at some point but I think the code below can 1826 * be ignored for now. 1827 */ 1828 if (isr->sav != NULL 1829 && isr->sav->flags == SADB_X_EXT_NONE 1830 && isr->sav->alg_auth != SADB_AALG_NONE) 1831 need_icv++; 1832#endif 1833 } 1834 break; 1835 case IPPROTO_AH: 1836 if (level == IPSEC_LEVEL_REQUIRE) { 1837 need_auth++; 1838 need_icv++; 1839 } 1840 break; 1841 case IPPROTO_IPCOMP: 1842 /* 1843 * we don't really care, as IPcomp document says that 1844 * we shouldn't compress small packets, IPComp policy 1845 * should always be treated as being in "use" level. 1846 */ 1847 break; 1848 } 1849 } 1850 1851 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1852 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n", 1853 need_auth, need_conf, need_icv, m->m_flags)); 1854 1855 if ((need_conf && !(m->m_flags & M_DECRYPTED)) 1856 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM)) 1857 || (need_auth && !(m->m_flags & M_AUTHIPHDR))) 1858 return 1; 1859 1860 return 0; 1861} 1862 1863/* 1864 * Check AH/ESP integrity. 1865 * This function is called from tcp_input(), udp_input(), 1866 * and {ah,esp}4_input for tunnel mode 1867 */ 1868int 1869ipsec4_in_reject_so(m, so) 1870 struct mbuf *m; 1871 struct socket *so; 1872{ 1873 struct secpolicy *sp = NULL; 1874 int error; 1875 int result; 1876 1877 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 1878 /* sanity check */ 1879 if (m == NULL) 1880 return 0; /* XXX should be panic ? */ 1881 1882 /* get SP for this packet. 1883 * When we are called from ip_forward(), we call 1884 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 1885 */ 1886 if (so == NULL) 1887 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 1888 else 1889 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error); 1890 1891 if (sp == NULL) 1892 return 0; /* XXX should be panic ? 1893 * -> No, there may be error. */ 1894 1895 result = ipsec_in_reject(sp, m); 1896 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1897 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp)); 1898 key_freesp(sp, KEY_SADB_UNLOCKED); 1899 1900 return result; 1901} 1902 1903int 1904ipsec4_in_reject(m, inp) 1905 struct mbuf *m; 1906 struct inpcb *inp; 1907{ 1908 1909 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 1910 if (inp == NULL) 1911 return ipsec4_in_reject_so(m, NULL); 1912 if (inp->inp_socket) 1913 return ipsec4_in_reject_so(m, inp->inp_socket); 1914 else 1915 panic("ipsec4_in_reject: invalid inpcb/socket"); 1916 1917 /* NOTREACHED */ 1918 return 0; 1919} 1920 1921#if INET6 1922/* 1923 * Check AH/ESP integrity. 1924 * This function is called from tcp6_input(), udp6_input(), 1925 * and {ah,esp}6_input for tunnel mode 1926 */ 1927int 1928ipsec6_in_reject_so(m, so) 1929 struct mbuf *m; 1930 struct socket *so; 1931{ 1932 struct secpolicy *sp = NULL; 1933 int error; 1934 int result; 1935 1936 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 1937 /* sanity check */ 1938 if (m == NULL) 1939 return 0; /* XXX should be panic ? */ 1940 1941 /* get SP for this packet. 1942 * When we are called from ip_forward(), we call 1943 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. 1944 */ 1945 if (so == NULL) 1946 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 1947 else 1948 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error); 1949 1950 if (sp == NULL) 1951 return 0; /* XXX should be panic ? */ 1952 1953 result = ipsec_in_reject(sp, m); 1954 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1955 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp)); 1956 key_freesp(sp, KEY_SADB_UNLOCKED); 1957 1958 return result; 1959} 1960 1961int 1962ipsec6_in_reject(m, in6p) 1963 struct mbuf *m; 1964 struct in6pcb *in6p; 1965{ 1966 1967 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 1968 if (in6p == NULL) 1969 return ipsec6_in_reject_so(m, NULL); 1970 if (in6p->in6p_socket) 1971 return ipsec6_in_reject_so(m, in6p->in6p_socket); 1972 else 1973 panic("ipsec6_in_reject: invalid in6p/socket"); 1974 1975 /* NOTREACHED */ 1976 return 0; 1977} 1978#endif 1979 1980/* 1981 * compute the byte size to be occupied by IPsec header. 1982 * in case it is tunneled, it includes the size of outer IP header. 1983 * NOTE: SP passed is free in this function. 1984 */ 1985size_t 1986ipsec_hdrsiz(sp) 1987 struct secpolicy *sp; 1988{ 1989 struct ipsecrequest *isr; 1990 size_t siz, clen; 1991 1992 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 1993 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1994 printf("ipsec_hdrsiz: using SP\n"); 1995 kdebug_secpolicy(sp)); 1996 1997 /* check policy */ 1998 switch (sp->policy) { 1999 case IPSEC_POLICY_DISCARD: 2000 case IPSEC_POLICY_GENERATE: 2001 case IPSEC_POLICY_BYPASS: 2002 case IPSEC_POLICY_NONE: 2003 return 0; 2004 2005 case IPSEC_POLICY_IPSEC: 2006 break; 2007 2008 case IPSEC_POLICY_ENTRUST: 2009 default: 2010 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy); 2011 } 2012 2013 siz = 0; 2014 2015 for (isr = sp->req; isr != NULL; isr = isr->next) { 2016 2017 clen = 0; 2018 2019 switch (isr->saidx.proto) { 2020 case IPPROTO_ESP: 2021#if IPSEC_ESP 2022 clen = esp_hdrsiz(isr); 2023#else 2024 clen = 0; /*XXX*/ 2025#endif 2026 break; 2027 case IPPROTO_AH: 2028 clen = ah_hdrsiz(isr); 2029 break; 2030 case IPPROTO_IPCOMP: 2031 clen = sizeof(struct ipcomp); 2032 break; 2033 } 2034 2035 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2036 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) { 2037 case AF_INET: 2038 clen += sizeof(struct ip); 2039 break; 2040#if INET6 2041 case AF_INET6: 2042 clen += sizeof(struct ip6_hdr); 2043 break; 2044#endif 2045 default: 2046 ipseclog((LOG_ERR, "ipsec_hdrsiz: " 2047 "unknown AF %d in IPsec tunnel SA\n", 2048 ((struct sockaddr *)&isr->saidx.dst)->sa_family)); 2049 break; 2050 } 2051 } 2052 siz += clen; 2053 } 2054 2055 return siz; 2056} 2057 2058/* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ 2059size_t 2060ipsec4_hdrsiz(m, dir, inp) 2061 struct mbuf *m; 2062 u_int dir; 2063 struct inpcb *inp; 2064{ 2065 struct secpolicy *sp = NULL; 2066 int error; 2067 size_t size; 2068 2069 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2070 /* sanity check */ 2071 if (m == NULL) 2072 return 0; /* XXX should be panic ? */ 2073 if (inp != NULL && inp->inp_socket == NULL) 2074 panic("ipsec4_hdrsize: why is socket NULL but there is PCB."); 2075 2076 /* get SP for this packet. 2077 * When we are called from ip_forward(), we call 2078 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 2079 */ 2080 if (inp == NULL) 2081 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2082 else 2083 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error); 2084 2085 if (sp == NULL) 2086 return 0; /* XXX should be panic ? */ 2087 2088 size = ipsec_hdrsiz(sp); 2089 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2090 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp)); 2091 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2092 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size)); 2093 key_freesp(sp, KEY_SADB_UNLOCKED); 2094 2095 return size; 2096} 2097 2098#if INET6 2099/* This function is called from ipsec6_hdrsize_tcp(), 2100 * and maybe from ip6_forward.() 2101 */ 2102size_t 2103ipsec6_hdrsiz(m, dir, in6p) 2104 struct mbuf *m; 2105 u_int dir; 2106 struct in6pcb *in6p; 2107{ 2108 struct secpolicy *sp = NULL; 2109 int error; 2110 size_t size; 2111 2112 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2113 /* sanity check */ 2114 if (m == NULL) 2115 return 0; /* XXX shoud be panic ? */ 2116 if (in6p != NULL && in6p->in6p_socket == NULL) 2117 panic("ipsec6_hdrsize: why is socket NULL but there is PCB."); 2118 2119 /* get SP for this packet */ 2120 /* XXX Is it right to call with IP_FORWARDING. */ 2121 if (in6p == NULL) 2122 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2123 else 2124 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error); 2125 2126 if (sp == NULL) 2127 return 0; 2128 size = ipsec_hdrsiz(sp); 2129 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2130 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp)); 2131 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2132 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size)); 2133 key_freesp(sp, KEY_SADB_UNLOCKED); 2134 2135 return size; 2136} 2137#endif /*INET6*/ 2138 2139#if INET 2140/* 2141 * encapsulate for ipsec tunnel. 2142 * ip->ip_src must be fixed later on. 2143 */ 2144static int 2145ipsec4_encapsulate(m, sav) 2146 struct mbuf *m; 2147 struct secasvar *sav; 2148{ 2149 struct ip *oip; 2150 struct ip *ip; 2151 size_t hlen; 2152 size_t plen; 2153 2154 /* can't tunnel between different AFs */ 2155 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2156 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2157 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2158 m_freem(m); 2159 return EINVAL; 2160 } 2161#if 0 2162 /* XXX if the dst is myself, perform nothing. */ 2163 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2164 m_freem(m); 2165 return EINVAL; 2166 } 2167#endif 2168 2169 if (m->m_len < sizeof(*ip)) 2170 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2171 2172 ip = mtod(m, struct ip *); 2173#ifdef _IP_VHL 2174 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 2175#else 2176 hlen = ip->ip_hl << 2; 2177#endif 2178 2179 if (m->m_len != hlen) 2180 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2181 2182 /* generate header checksum */ 2183 ip->ip_sum = 0; 2184#ifdef _IP_VHL 2185 ip->ip_sum = in_cksum(m, hlen); 2186#else 2187 ip->ip_sum = in_cksum(m, hlen); 2188#endif 2189 2190 plen = m->m_pkthdr.len; 2191 2192 /* 2193 * grow the mbuf to accomodate the new IPv4 header. 2194 * NOTE: IPv4 options will never be copied. 2195 */ 2196 if (M_LEADINGSPACE(m->m_next) < hlen) { 2197 struct mbuf *n; 2198 MGET(n, M_DONTWAIT, MT_DATA); 2199 if (!n) { 2200 m_freem(m); 2201 return ENOBUFS; 2202 } 2203 n->m_len = hlen; 2204 n->m_next = m->m_next; 2205 m->m_next = n; 2206 m->m_pkthdr.len += hlen; 2207 oip = mtod(n, struct ip *); 2208 } else { 2209 m->m_next->m_len += hlen; 2210 m->m_next->m_data -= hlen; 2211 m->m_pkthdr.len += hlen; 2212 oip = mtod(m->m_next, struct ip *); 2213 } 2214 ip = mtod(m, struct ip *); 2215 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen); 2216 m->m_len = sizeof(struct ip); 2217 m->m_pkthdr.len -= (hlen - sizeof(struct ip)); 2218 2219 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2220 /* ECN consideration. */ 2221 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2222#ifdef _IP_VHL 2223 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2); 2224#else 2225 ip->ip_hl = sizeof(struct ip) >> 2; 2226#endif 2227 ip->ip_off &= htons(~IP_OFFMASK); 2228 ip->ip_off &= htons(~IP_MF); 2229 switch (ip4_ipsec_dfbit) { 2230 case 0: /* clear DF bit */ 2231 ip->ip_off &= htons(~IP_DF); 2232 break; 2233 case 1: /* set DF bit */ 2234 ip->ip_off |= htons(IP_DF); 2235 break; 2236 default: /* copy DF bit */ 2237 break; 2238 } 2239 ip->ip_p = IPPROTO_IPIP; 2240 if (plen + sizeof(struct ip) < IP_MAXPACKET) 2241 ip->ip_len = htons(plen + sizeof(struct ip)); 2242 else { 2243 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2244 "leave ip_len as is (invalid packet)\n")); 2245 } 2246#ifdef RANDOM_IP_ID 2247 ip->ip_id = ip_randomid(); 2248#else 2249 ip->ip_id = htons(ip_id++); 2250#endif 2251 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2252 &ip->ip_src, sizeof(ip->ip_src)); 2253 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2254 &ip->ip_dst, sizeof(ip->ip_dst)); 2255 ip->ip_ttl = IPDEFTTL; 2256 2257 /* XXX Should ip_src be updated later ? */ 2258 2259 return 0; 2260} 2261#endif /*INET*/ 2262 2263#if INET6 2264static int 2265ipsec6_encapsulate(m, sav) 2266 struct mbuf *m; 2267 struct secasvar *sav; 2268{ 2269 struct ip6_hdr *oip6; 2270 struct ip6_hdr *ip6; 2271 size_t plen; 2272 2273 /* can't tunnel between different AFs */ 2274 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2275 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2276 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { 2277 m_freem(m); 2278 return EINVAL; 2279 } 2280#if 0 2281 /* XXX if the dst is myself, perform nothing. */ 2282 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2283 m_freem(m); 2284 return EINVAL; 2285 } 2286#endif 2287 2288 plen = m->m_pkthdr.len; 2289 2290 /* 2291 * grow the mbuf to accomodate the new IPv6 header. 2292 */ 2293 if (m->m_len != sizeof(struct ip6_hdr)) 2294 panic("ipsec6_encapsulate: assumption failed (first mbuf length)"); 2295 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { 2296 struct mbuf *n; 2297 MGET(n, M_DONTWAIT, MT_DATA); 2298 if (!n) { 2299 m_freem(m); 2300 return ENOBUFS; 2301 } 2302 n->m_len = sizeof(struct ip6_hdr); 2303 n->m_next = m->m_next; 2304 m->m_next = n; 2305 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2306 oip6 = mtod(n, struct ip6_hdr *); 2307 } else { 2308 m->m_next->m_len += sizeof(struct ip6_hdr); 2309 m->m_next->m_data -= sizeof(struct ip6_hdr); 2310 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2311 oip6 = mtod(m->m_next, struct ip6_hdr *); 2312 } 2313 ip6 = mtod(m, struct ip6_hdr *); 2314 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr)); 2315 2316 /* Fake link-local scope-class addresses */ 2317 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src)) 2318 oip6->ip6_src.s6_addr16[1] = 0; 2319 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst)) 2320 oip6->ip6_dst.s6_addr16[1] = 0; 2321 2322 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ 2323 /* ECN consideration. */ 2324 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow); 2325 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) 2326 ip6->ip6_plen = htons(plen); 2327 else { 2328 /* ip6->ip6_plen will be updated in ip6_output() */ 2329 } 2330 ip6->ip6_nxt = IPPROTO_IPV6; 2331 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr, 2332 &ip6->ip6_src, sizeof(ip6->ip6_src)); 2333 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr, 2334 &ip6->ip6_dst, sizeof(ip6->ip6_dst)); 2335 ip6->ip6_hlim = IPV6_DEFHLIM; 2336 2337 /* XXX Should ip6_src be updated later ? */ 2338 2339 return 0; 2340} 2341 2342static int 2343ipsec64_encapsulate(m, sav) 2344 struct mbuf *m; 2345 struct secasvar *sav; 2346{ 2347 struct ip6_hdr *ip6, *ip6i; 2348 struct ip *ip; 2349 size_t plen; 2350 u_int8_t hlim; 2351 2352 /* tunneling over IPv4 */ 2353 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2354 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2355 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2356 m_freem(m); 2357 return EINVAL; 2358 } 2359#if 0 2360 /* XXX if the dst is myself, perform nothing. */ 2361 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2362 m_freem(m); 2363 return EINVAL; 2364 } 2365#endif 2366 2367 plen = m->m_pkthdr.len; 2368 ip6 = mtod(m, struct ip6_hdr *); 2369 hlim = ip6->ip6_hlim; 2370 /* 2371 * grow the mbuf to accomodate the new IPv4 header. 2372 */ 2373 if (m->m_len != sizeof(struct ip6_hdr)) 2374 panic("ipsec6_encapsulate: assumption failed (first mbuf length)"); 2375 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { 2376 struct mbuf *n; 2377 MGET(n, M_DONTWAIT, MT_DATA); 2378 if (!n) { 2379 m_freem(m); 2380 return ENOBUFS; 2381 } 2382 n->m_len = sizeof(struct ip6_hdr); 2383 n->m_next = m->m_next; 2384 m->m_next = n; 2385 m->m_pkthdr.len += sizeof(struct ip); 2386 ip6i = mtod(n, struct ip6_hdr *); 2387 } else { 2388 m->m_next->m_len += sizeof(struct ip6_hdr); 2389 m->m_next->m_data -= sizeof(struct ip6_hdr); 2390 m->m_pkthdr.len += sizeof(struct ip); 2391 ip6i = mtod(m->m_next, struct ip6_hdr *); 2392 } 2393 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2394 /* ECN consideration. */ 2395 /* XXX To be fixed later if needed */ 2396 // ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2397 2398 bcopy(ip6, ip6i, sizeof(struct ip6_hdr)); 2399 ip = mtod(m, struct ip *); 2400 m->m_len = sizeof(struct ip); 2401 /* 2402 * Fill in some of the IPv4 fields - we don't need all of them 2403 * because the rest will be filled in by ip_output 2404 */ 2405 ip->ip_v = IPVERSION; 2406 ip->ip_hl = sizeof(struct ip) >> 2; 2407 ip->ip_id = 0; 2408 ip->ip_sum = 0; 2409 ip->ip_tos = 0; 2410 ip->ip_off = 0; 2411 ip->ip_ttl = hlim; 2412 ip->ip_p = IPPROTO_IPV6; 2413 if (plen + sizeof(struct ip) < IP_MAXPACKET) 2414 ip->ip_len = htons(plen + sizeof(struct ip)); 2415 else { 2416 ip->ip_len = htons(plen); 2417 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2418 "leave ip_len as is (invalid packet)\n")); 2419 } 2420 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2421 &ip->ip_src, sizeof(ip->ip_src)); 2422 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2423 &ip->ip_dst, sizeof(ip->ip_dst)); 2424 2425 return 0; 2426} 2427#endif /*INET6*/ 2428 2429/* 2430 * Check the variable replay window. 2431 * ipsec_chkreplay() performs replay check before ICV verification. 2432 * ipsec_updatereplay() updates replay bitmap. This must be called after 2433 * ICV verification (it also performs replay check, which is usually done 2434 * beforehand). 2435 * 0 (zero) is returned if packet disallowed, 1 if packet permitted. 2436 * 2437 * based on RFC 2401. 2438 */ 2439int 2440ipsec_chkreplay(seq, sav) 2441 u_int32_t seq; 2442 struct secasvar *sav; 2443{ 2444 const struct secreplay *replay; 2445 u_int32_t diff; 2446 int fr; 2447 u_int32_t wsizeb; /* constant: bits of window size */ 2448 int frlast; /* constant: last frame */ 2449 2450 2451 /* sanity check */ 2452 if (sav == NULL) 2453 panic("ipsec_chkreplay: NULL pointer was passed.\n"); 2454 2455 lck_mtx_lock(sadb_mutex); 2456 replay = sav->replay; 2457 2458 if (replay->wsize == 0) { 2459 lck_mtx_unlock(sadb_mutex); 2460 return 1; /* no need to check replay. */ 2461 } 2462 2463 /* constant */ 2464 frlast = replay->wsize - 1; 2465 wsizeb = replay->wsize << 3; 2466 2467 /* sequence number of 0 is invalid */ 2468 if (seq == 0) { 2469 lck_mtx_unlock(sadb_mutex); 2470 return 0; 2471 } 2472 2473 /* first time is always okay */ 2474 if (replay->count == 0) { 2475 lck_mtx_unlock(sadb_mutex); 2476 return 1; 2477 } 2478 2479 if (seq > replay->lastseq) { 2480 /* larger sequences are okay */ 2481 lck_mtx_unlock(sadb_mutex); 2482 return 1; 2483 } else { 2484 /* seq is equal or less than lastseq. */ 2485 diff = replay->lastseq - seq; 2486 2487 /* over range to check, i.e. too old or wrapped */ 2488 if (diff >= wsizeb) { 2489 lck_mtx_unlock(sadb_mutex); 2490 return 0; 2491 } 2492 2493 fr = frlast - diff / 8; 2494 2495 /* this packet already seen ? */ 2496 if ((replay->bitmap)[fr] & (1 << (diff % 8))) { 2497 lck_mtx_unlock(sadb_mutex); 2498 return 0; 2499 } 2500 2501 /* out of order but good */ 2502 lck_mtx_unlock(sadb_mutex); 2503 return 1; 2504 } 2505} 2506 2507/* 2508 * check replay counter whether to update or not. 2509 * OUT: 0: OK 2510 * 1: NG 2511 */ 2512int 2513ipsec_updatereplay(seq, sav) 2514 u_int32_t seq; 2515 struct secasvar *sav; 2516{ 2517 struct secreplay *replay; 2518 u_int32_t diff; 2519 int fr; 2520 u_int32_t wsizeb; /* constant: bits of window size */ 2521 int frlast; /* constant: last frame */ 2522 2523 /* sanity check */ 2524 if (sav == NULL) 2525 panic("ipsec_chkreplay: NULL pointer was passed.\n"); 2526 2527 lck_mtx_lock(sadb_mutex); 2528 replay = sav->replay; 2529 2530 if (replay->wsize == 0) 2531 goto ok; /* no need to check replay. */ 2532 2533 /* constant */ 2534 frlast = replay->wsize - 1; 2535 wsizeb = replay->wsize << 3; 2536 2537 /* sequence number of 0 is invalid */ 2538 if (seq == 0) 2539 return 1; 2540 2541 /* first time */ 2542 if (replay->count == 0) { 2543 replay->lastseq = seq; 2544 bzero(replay->bitmap, replay->wsize); 2545 (replay->bitmap)[frlast] = 1; 2546 goto ok; 2547 } 2548 2549 if (seq > replay->lastseq) { 2550 /* seq is larger than lastseq. */ 2551 diff = seq - replay->lastseq; 2552 2553 /* new larger sequence number */ 2554 if (diff < wsizeb) { 2555 /* In window */ 2556 /* set bit for this packet */ 2557 vshiftl((unsigned char *) replay->bitmap, diff, replay->wsize); 2558 (replay->bitmap)[frlast] |= 1; 2559 } else { 2560 /* this packet has a "way larger" */ 2561 bzero(replay->bitmap, replay->wsize); 2562 (replay->bitmap)[frlast] = 1; 2563 } 2564 replay->lastseq = seq; 2565 2566 /* larger is good */ 2567 } else { 2568 /* seq is equal or less than lastseq. */ 2569 diff = replay->lastseq - seq; 2570 2571 /* over range to check, i.e. too old or wrapped */ 2572 if (diff >= wsizeb) { 2573 lck_mtx_unlock(sadb_mutex); 2574 return 1; 2575 } 2576 2577 fr = frlast - diff / 8; 2578 2579 /* this packet already seen ? */ 2580 if ((replay->bitmap)[fr] & (1 << (diff % 8))) { 2581 lck_mtx_unlock(sadb_mutex); 2582 return 1; 2583 } 2584 2585 /* mark as seen */ 2586 (replay->bitmap)[fr] |= (1 << (diff % 8)); 2587 2588 /* out of order but good */ 2589 } 2590 2591ok: 2592 if (replay->count == ~0) { 2593 2594 /* set overflow flag */ 2595 replay->overflow++; 2596 2597 /* don't increment, no more packets accepted */ 2598 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) { 2599 lck_mtx_unlock(sadb_mutex); 2600 return 1; 2601 } 2602 2603 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n", 2604 replay->overflow, ipsec_logsastr(sav))); 2605 } 2606 2607 replay->count++; 2608 2609 lck_mtx_unlock(sadb_mutex); 2610 return 0; 2611} 2612 2613/* 2614 * shift variable length buffer to left. 2615 * IN: bitmap: pointer to the buffer 2616 * nbit: the number of to shift. 2617 * wsize: buffer size (bytes). 2618 */ 2619static void 2620vshiftl(bitmap, nbit, wsize) 2621 unsigned char *bitmap; 2622 int nbit, wsize; 2623{ 2624 int s, j, i; 2625 unsigned char over; 2626 2627 for (j = 0; j < nbit; j += 8) { 2628 s = (nbit - j < 8) ? (nbit - j): 8; 2629 bitmap[0] <<= s; 2630 for (i = 1; i < wsize; i++) { 2631 over = (bitmap[i] >> (8 - s)); 2632 bitmap[i] <<= s; 2633 bitmap[i-1] |= over; 2634 } 2635 } 2636 2637 return; 2638} 2639 2640const char * 2641ipsec4_logpacketstr(ip, spi) 2642 struct ip *ip; 2643 u_int32_t spi; 2644{ 2645 static char buf[256]; 2646 char *p; 2647 u_int8_t *s, *d; 2648 2649 s = (u_int8_t *)(&ip->ip_src); 2650 d = (u_int8_t *)(&ip->ip_dst); 2651 2652 p = buf; 2653 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2654 while (p && *p) 2655 p++; 2656 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u", 2657 s[0], s[1], s[2], s[3]); 2658 while (p && *p) 2659 p++; 2660 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u", 2661 d[0], d[1], d[2], d[3]); 2662 while (p && *p) 2663 p++; 2664 snprintf(p, sizeof(buf) - (p - buf), ")"); 2665 2666 return buf; 2667} 2668 2669#if INET6 2670const char * 2671ipsec6_logpacketstr(ip6, spi) 2672 struct ip6_hdr *ip6; 2673 u_int32_t spi; 2674{ 2675 static char buf[256]; 2676 char *p; 2677 2678 p = buf; 2679 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2680 while (p && *p) 2681 p++; 2682 snprintf(p, sizeof(buf) - (p - buf), "src=%s", 2683 ip6_sprintf(&ip6->ip6_src)); 2684 while (p && *p) 2685 p++; 2686 snprintf(p, sizeof(buf) - (p - buf), " dst=%s", 2687 ip6_sprintf(&ip6->ip6_dst)); 2688 while (p && *p) 2689 p++; 2690 snprintf(p, sizeof(buf) - (p - buf), ")"); 2691 2692 return buf; 2693} 2694#endif /*INET6*/ 2695 2696const char * 2697ipsec_logsastr(sav) 2698 struct secasvar *sav; 2699{ 2700 static char buf[256]; 2701 char *p; 2702 struct secasindex *saidx = &sav->sah->saidx; 2703 2704 /* validity check */ 2705 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2706 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) 2707 panic("ipsec_logsastr: family mismatched.\n"); 2708 2709 p = buf; 2710 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi)); 2711 while (p && *p) 2712 p++; 2713 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) { 2714 u_int8_t *s, *d; 2715 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr; 2716 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr; 2717 snprintf(p, sizeof(buf) - (p - buf), 2718 "src=%d.%d.%d.%d dst=%d.%d.%d.%d", 2719 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]); 2720 } 2721#if INET6 2722 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) { 2723 snprintf(p, sizeof(buf) - (p - buf), 2724 "src=%s", 2725 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr)); 2726 while (p && *p) 2727 p++; 2728 snprintf(p, sizeof(buf) - (p - buf), 2729 " dst=%s", 2730 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr)); 2731 } 2732#endif 2733 while (p && *p) 2734 p++; 2735 snprintf(p, sizeof(buf) - (p - buf), ")"); 2736 2737 return buf; 2738} 2739 2740void 2741ipsec_dumpmbuf(m) 2742 struct mbuf *m; 2743{ 2744 int totlen; 2745 int i; 2746 u_char *p; 2747 2748 totlen = 0; 2749 printf("---\n"); 2750 while (m) { 2751 p = mtod(m, u_char *); 2752 for (i = 0; i < m->m_len; i++) { 2753 printf("%02x ", p[i]); 2754 totlen++; 2755 if (totlen % 16 == 0) 2756 printf("\n"); 2757 } 2758 m = m->m_next; 2759 } 2760 if (totlen % 16 != 0) 2761 printf("\n"); 2762 printf("---\n"); 2763} 2764 2765#if INET 2766/* 2767 * IPsec output logic for IPv4. 2768 */ 2769int 2770ipsec4_output( 2771 struct ipsec_output_state *state, 2772 struct secpolicy *sp, 2773 __unused int flags) 2774{ 2775 struct ip *ip = NULL; 2776 struct ipsecrequest *isr = NULL; 2777 struct secasindex saidx; 2778 struct secasvar *sav = NULL; 2779 int error = 0; 2780 struct sockaddr_in *dst4; 2781 struct sockaddr_in *sin; 2782 2783 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2784 2785 if (!state) 2786 panic("state == NULL in ipsec4_output"); 2787 if (!state->m) 2788 panic("state->m == NULL in ipsec4_output"); 2789 if (!state->ro) 2790 panic("state->ro == NULL in ipsec4_output"); 2791 if (!state->dst) 2792 panic("state->dst == NULL in ipsec4_output"); 2793 2794 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_START, 0,0,0,0,0); 2795 2796 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2797 printf("ipsec4_output: applyed SP\n"); 2798 kdebug_secpolicy(sp)); 2799 2800 for (isr = sp->req; isr != NULL; isr = isr->next) { 2801 2802#if 0 /* give up to check restriction of transport mode */ 2803 /* XXX but should be checked somewhere */ 2804 /* 2805 * some of the IPsec operation must be performed only in 2806 * originating case. 2807 */ 2808 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT 2809 && (flags & IP_FORWARDING)) 2810 continue; 2811#endif 2812 2813 /* make SA index for search proper SA */ 2814 ip = mtod(state->m, struct ip *); 2815 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 2816 saidx.mode = isr->saidx.mode; 2817 saidx.reqid = isr->saidx.reqid; 2818 sin = (struct sockaddr_in *)&saidx.src; 2819 if (sin->sin_len == 0) { 2820 sin->sin_len = sizeof(*sin); 2821 sin->sin_family = AF_INET; 2822 sin->sin_port = IPSEC_PORT_ANY; 2823 bcopy(&ip->ip_src, &sin->sin_addr, 2824 sizeof(sin->sin_addr)); 2825 } 2826 sin = (struct sockaddr_in *)&saidx.dst; 2827 if (sin->sin_len == 0) { 2828 sin->sin_len = sizeof(*sin); 2829 sin->sin_family = AF_INET; 2830 sin->sin_port = IPSEC_PORT_ANY; 2831 /* 2832 * Get port from packet if upper layer is UDP and nat traversal 2833 * is enabled and transport mode. 2834 */ 2835 2836 if ((esp_udp_encap_port & 0xFFFF) != 0 && 2837 isr->saidx.mode == IPSEC_MODE_TRANSPORT) { 2838 2839 if (ip->ip_p == IPPROTO_UDP) { 2840 struct udphdr *udp; 2841 size_t hlen; 2842#ifdef _IP_VHL 2843 hlen = IP_VHL_HL(ip->ip_vhl) << 2; 2844#else 2845 hlen = ip->ip_hl << 2; 2846#endif 2847 if (state->m->m_len < hlen + sizeof(struct udphdr)) { 2848 state->m = m_pullup(state->m, hlen + sizeof(struct udphdr)); 2849 if (!state->m) { 2850 ipseclog((LOG_DEBUG, 2851 "IPv4 output: can't pullup UDP header\n")); 2852 IPSEC_STAT_INCREMENT(ipsecstat.in_inval); 2853 goto bad; 2854 } 2855 ip = mtod(state->m, struct ip *); 2856 } 2857 udp = (struct udphdr *)(((u_int8_t *)ip) + hlen); 2858 sin->sin_port = udp->uh_dport; 2859 } 2860 } 2861 2862 bcopy(&ip->ip_dst, &sin->sin_addr, 2863 sizeof(sin->sin_addr)); 2864 } 2865 2866 if ((error = key_checkrequest(isr, &saidx, &sav)) != 0) { 2867 /* 2868 * IPsec processing is required, but no SA found. 2869 * I assume that key_acquire() had been called 2870 * to get/establish the SA. Here I discard 2871 * this packet because it is responsibility for 2872 * upper layer to retransmit the packet. 2873 */ 2874 IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); 2875 goto bad; 2876 } 2877 2878 /* validity check */ 2879 if (sav == NULL) { 2880 switch (ipsec_get_reqlevel(isr)) { 2881 case IPSEC_LEVEL_USE: 2882 continue; 2883 case IPSEC_LEVEL_REQUIRE: 2884 /* must be not reached here. */ 2885 panic("ipsec4_output: no SA found, but required."); 2886 } 2887 } 2888 2889 /* 2890 * If there is no valid SA, we give up to process any 2891 * more. In such a case, the SA's status is changed 2892 * from DYING to DEAD after allocating. If a packet 2893 * send to the receiver by dead SA, the receiver can 2894 * not decode a packet because SA has been dead. 2895 */ 2896 if (sav->state != SADB_SASTATE_MATURE 2897 && sav->state != SADB_SASTATE_DYING) { 2898 IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); 2899 error = EINVAL; 2900 goto bad; 2901 } 2902 2903 /* 2904 * There may be the case that SA status will be changed when 2905 * we are refering to one. So calling splsoftnet(). 2906 */ 2907 2908 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2909 /* 2910 * build IPsec tunnel. 2911 */ 2912 /* XXX should be processed with other familiy */ 2913 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2914 ipseclog((LOG_ERR, "ipsec4_output: " 2915 "family mismatched between inner and outer spi=%u\n", 2916 (u_int32_t)ntohl(sav->spi))); 2917 error = EAFNOSUPPORT; 2918 goto bad; 2919 } 2920 2921 state->m = ipsec4_splithdr(state->m); 2922 if (!state->m) { 2923 error = ENOMEM; 2924 goto bad; 2925 } 2926 error = ipsec4_encapsulate(state->m, sav); 2927 if (error) { 2928 state->m = NULL; 2929 goto bad; 2930 } 2931 ip = mtod(state->m, struct ip *); 2932 2933 state->ro = &sav->sah->sa_route; 2934 state->dst = (struct sockaddr *)&state->ro->ro_dst; 2935 dst4 = (struct sockaddr_in *)state->dst; 2936 if (state->ro->ro_rt 2937 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 2938 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) { 2939 rtfree(state->ro->ro_rt); 2940 state->ro->ro_rt = NULL; 2941 } 2942 if (state->ro->ro_rt == 0) { 2943 dst4->sin_family = AF_INET; 2944 dst4->sin_len = sizeof(*dst4); 2945 dst4->sin_addr = ip->ip_dst; 2946 rtalloc(state->ro); 2947 } 2948 if (state->ro->ro_rt == 0) { 2949 OSAddAtomic(1, (SInt32*)&ipstat.ips_noroute); 2950 error = EHOSTUNREACH; 2951 goto bad; 2952 } 2953 2954 /* adjust state->dst if tunnel endpoint is offlink */ 2955 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 2956 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 2957 dst4 = (struct sockaddr_in *)state->dst; 2958 } 2959 } 2960 2961 state->m = ipsec4_splithdr(state->m); 2962 if (!state->m) { 2963 error = ENOMEM; 2964 goto bad; 2965 } 2966 switch (isr->saidx.proto) { 2967 case IPPROTO_ESP: 2968#if IPSEC_ESP 2969 if ((error = esp4_output(state->m, sav)) != 0) { 2970 state->m = NULL; 2971 goto bad; 2972 } 2973 break; 2974#else 2975 m_freem(state->m); 2976 state->m = NULL; 2977 error = EINVAL; 2978 goto bad; 2979#endif 2980 case IPPROTO_AH: 2981 if ((error = ah4_output(state->m, sav)) != 0) { 2982 state->m = NULL; 2983 goto bad; 2984 } 2985 break; 2986 case IPPROTO_IPCOMP: 2987 if ((error = ipcomp4_output(state->m, sav)) != 0) { 2988 state->m = NULL; 2989 goto bad; 2990 } 2991 break; 2992 default: 2993 ipseclog((LOG_ERR, 2994 "ipsec4_output: unknown ipsec protocol %d\n", 2995 isr->saidx.proto)); 2996 m_freem(state->m); 2997 state->m = NULL; 2998 error = EINVAL; 2999 goto bad; 3000 } 3001 3002 if (state->m == 0) { 3003 error = ENOMEM; 3004 goto bad; 3005 } 3006 ip = mtod(state->m, struct ip *); 3007 } 3008 3009 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0,0,0,0,0); 3010 if (sav) 3011 key_freesav(sav, KEY_SADB_UNLOCKED); 3012 return 0; 3013 3014bad: 3015 if (sav) 3016 key_freesav(sav, KEY_SADB_UNLOCKED); 3017 m_freem(state->m); 3018 state->m = NULL; 3019 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error,0,0,0,0); 3020 return error; 3021} 3022#endif 3023 3024#if INET6 3025/* 3026 * IPsec output logic for IPv6, transport mode. 3027 */ 3028int 3029ipsec6_output_trans( 3030 struct ipsec_output_state *state, 3031 u_char *nexthdrp, 3032 struct mbuf *mprev, 3033 struct secpolicy *sp, 3034 __unused int flags, 3035 int *tun) 3036{ 3037 struct ip6_hdr *ip6; 3038 struct ipsecrequest *isr = NULL; 3039 struct secasindex saidx; 3040 int error = 0; 3041 int plen; 3042 struct sockaddr_in6 *sin6; 3043 struct secasvar *sav = NULL; 3044 3045 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 3046 3047 if (!state) 3048 panic("state == NULL in ipsec6_output_trans"); 3049 if (!state->m) 3050 panic("state->m == NULL in ipsec6_output_trans"); 3051 if (!nexthdrp) 3052 panic("nexthdrp == NULL in ipsec6_output_trans"); 3053 if (!mprev) 3054 panic("mprev == NULL in ipsec6_output_trans"); 3055 if (!sp) 3056 panic("sp == NULL in ipsec6_output_trans"); 3057 if (!tun) 3058 panic("tun == NULL in ipsec6_output_trans"); 3059 3060 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3061 printf("ipsec6_output_trans: applyed SP\n"); 3062 kdebug_secpolicy(sp)); 3063 3064 *tun = 0; 3065 for (isr = sp->req; isr; isr = isr->next) { 3066 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3067 /* the rest will be handled by ipsec6_output_tunnel() */ 3068 break; 3069 } 3070 3071 /* make SA index for search proper SA */ 3072 ip6 = mtod(state->m, struct ip6_hdr *); 3073 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 3074 saidx.mode = isr->saidx.mode; 3075 saidx.reqid = isr->saidx.reqid; 3076 sin6 = (struct sockaddr_in6 *)&saidx.src; 3077 if (sin6->sin6_len == 0) { 3078 sin6->sin6_len = sizeof(*sin6); 3079 sin6->sin6_family = AF_INET6; 3080 sin6->sin6_port = IPSEC_PORT_ANY; 3081 bcopy(&ip6->ip6_src, &sin6->sin6_addr, 3082 sizeof(ip6->ip6_src)); 3083 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 3084 /* fix scope id for comparing SPD */ 3085 sin6->sin6_addr.s6_addr16[1] = 0; 3086 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); 3087 } 3088 } 3089 sin6 = (struct sockaddr_in6 *)&saidx.dst; 3090 if (sin6->sin6_len == 0) { 3091 sin6->sin6_len = sizeof(*sin6); 3092 sin6->sin6_family = AF_INET6; 3093 sin6->sin6_port = IPSEC_PORT_ANY; 3094 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, 3095 sizeof(ip6->ip6_dst)); 3096 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 3097 /* fix scope id for comparing SPD */ 3098 sin6->sin6_addr.s6_addr16[1] = 0; 3099 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); 3100 } 3101 } 3102 3103 if (key_checkrequest(isr, &saidx, &sav) == ENOENT) { 3104 /* 3105 * IPsec processing is required, but no SA found. 3106 * I assume that key_acquire() had been called 3107 * to get/establish the SA. Here I discard 3108 * this packet because it is responsibility for 3109 * upper layer to retransmit the packet. 3110 */ 3111 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3112 error = ENOENT; 3113 3114 /* 3115 * Notify the fact that the packet is discarded 3116 * to ourselves. I believe this is better than 3117 * just silently discarding. (jinmei@kame.net) 3118 * XXX: should we restrict the error to TCP packets? 3119 * XXX: should we directly notify sockets via 3120 * pfctlinputs? 3121 */ 3122 icmp6_error(state->m, ICMP6_DST_UNREACH, 3123 ICMP6_DST_UNREACH_ADMIN, 0); 3124 state->m = NULL; /* icmp6_error freed the mbuf */ 3125 goto bad; 3126 } 3127 3128 /* validity check */ 3129 if (sav == NULL) { 3130 switch (ipsec_get_reqlevel(isr)) { 3131 case IPSEC_LEVEL_USE: 3132 continue; 3133 case IPSEC_LEVEL_REQUIRE: 3134 /* must be not reached here. */ 3135 panic("ipsec6_output_trans: no SA found, but required."); 3136 } 3137 } 3138 3139 /* 3140 * If there is no valid SA, we give up to process. 3141 * see same place at ipsec4_output(). 3142 */ 3143 if (sav->state != SADB_SASTATE_MATURE 3144 && sav->state != SADB_SASTATE_DYING) { 3145 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3146 error = EINVAL; 3147 goto bad; 3148 } 3149 3150 switch (isr->saidx.proto) { 3151 case IPPROTO_ESP: 3152#if IPSEC_ESP 3153 error = esp6_output(state->m, nexthdrp, mprev->m_next, sav); 3154#else 3155 m_freem(state->m); 3156 error = EINVAL; 3157#endif 3158 break; 3159 case IPPROTO_AH: 3160 error = ah6_output(state->m, nexthdrp, mprev->m_next, sav); 3161 break; 3162 case IPPROTO_IPCOMP: 3163 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, sav); 3164 break; 3165 default: 3166 ipseclog((LOG_ERR, "ipsec6_output_trans: " 3167 "unknown ipsec protocol %d\n", isr->saidx.proto)); 3168 m_freem(state->m); 3169 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3170 error = EINVAL; 3171 break; 3172 } 3173 if (error) { 3174 state->m = NULL; 3175 goto bad; 3176 } 3177 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3178 if (plen > IPV6_MAXPACKET) { 3179 ipseclog((LOG_ERR, "ipsec6_output_trans: " 3180 "IPsec with IPv6 jumbogram is not supported\n")); 3181 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3182 error = EINVAL; /*XXX*/ 3183 goto bad; 3184 } 3185 ip6 = mtod(state->m, struct ip6_hdr *); 3186 ip6->ip6_plen = htons(plen); 3187 } 3188 3189 /* if we have more to go, we need a tunnel mode processing */ 3190 if (isr != NULL) 3191 *tun = 1; 3192 3193 if (sav) 3194 key_freesav(sav, KEY_SADB_UNLOCKED); 3195 return 0; 3196 3197bad: 3198 if (sav) 3199 key_freesav(sav, KEY_SADB_UNLOCKED); 3200 m_freem(state->m); 3201 state->m = NULL; 3202 return error; 3203} 3204 3205/* 3206 * IPsec output logic for IPv6, tunnel mode. 3207 */ 3208int 3209ipsec6_output_tunnel( 3210 struct ipsec_output_state *state, 3211 struct secpolicy *sp, 3212 __unused int flags, 3213 int *tunneledv4) 3214{ 3215 struct ip6_hdr *ip6; 3216 struct ipsecrequest *isr = NULL; 3217 struct secasindex saidx; 3218 struct secasvar *sav = NULL; 3219 int error = 0; 3220 int plen; 3221 struct sockaddr_in6* dst6; 3222 3223 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 3224 3225 *tunneledv4 = 0; 3226 3227 if (!state) 3228 panic("state == NULL in ipsec6_output_tunnel"); 3229 if (!state->m) 3230 panic("state->m == NULL in ipsec6_output_tunnel"); 3231 if (!sp) 3232 panic("sp == NULL in ipsec6_output_tunnel"); 3233 3234 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3235 printf("ipsec6_output_tunnel: applyed SP\n"); 3236 kdebug_secpolicy(sp)); 3237 3238 /* 3239 * transport mode ipsec (before the 1st tunnel mode) is already 3240 * processed by ipsec6_output_trans(). 3241 */ 3242 for (isr = sp->req; isr; isr = isr->next) { 3243 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 3244 break; 3245 } 3246 3247 for (/* already initialized */; isr; isr = isr->next) { 3248 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3249 /* When tunnel mode, SA peers must be specified. */ 3250 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 3251 } else { 3252 /* make SA index to look for a proper SA */ 3253 struct sockaddr_in6 *sin6; 3254 3255 bzero(&saidx, sizeof(saidx)); 3256 saidx.proto = isr->saidx.proto; 3257 saidx.mode = isr->saidx.mode; 3258 saidx.reqid = isr->saidx.reqid; 3259 3260 ip6 = mtod(state->m, struct ip6_hdr *); 3261 sin6 = (struct sockaddr_in6 *)&saidx.src; 3262 if (sin6->sin6_len == 0) { 3263 sin6->sin6_len = sizeof(*sin6); 3264 sin6->sin6_family = AF_INET6; 3265 sin6->sin6_port = IPSEC_PORT_ANY; 3266 bcopy(&ip6->ip6_src, &sin6->sin6_addr, 3267 sizeof(ip6->ip6_src)); 3268 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 3269 /* fix scope id for comparing SPD */ 3270 sin6->sin6_addr.s6_addr16[1] = 0; 3271 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); 3272 } 3273 } 3274 sin6 = (struct sockaddr_in6 *)&saidx.dst; 3275 if (sin6->sin6_len == 0) { 3276 sin6->sin6_len = sizeof(*sin6); 3277 sin6->sin6_family = AF_INET6; 3278 sin6->sin6_port = IPSEC_PORT_ANY; 3279 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, 3280 sizeof(ip6->ip6_dst)); 3281 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 3282 /* fix scope id for comparing SPD */ 3283 sin6->sin6_addr.s6_addr16[1] = 0; 3284 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); 3285 } 3286 } 3287 } 3288 3289 if (key_checkrequest(isr, &saidx, &sav) == ENOENT) { 3290 /* 3291 * IPsec processing is required, but no SA found. 3292 * I assume that key_acquire() had been called 3293 * to get/establish the SA. Here I discard 3294 * this packet because it is responsibility for 3295 * upper layer to retransmit the packet. 3296 */ 3297 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3298 error = ENOENT; 3299 goto bad; 3300 } 3301 3302 /* validity check */ 3303 if (sav == NULL) { 3304 switch (ipsec_get_reqlevel(isr)) { 3305 case IPSEC_LEVEL_USE: 3306 continue; 3307 case IPSEC_LEVEL_REQUIRE: 3308 /* must be not reached here. */ 3309 panic("ipsec6_output_tunnel: no SA found, but required."); 3310 } 3311 } 3312 3313 /* 3314 * If there is no valid SA, we give up to process. 3315 * see same place at ipsec4_output(). 3316 */ 3317 if (sav->state != SADB_SASTATE_MATURE 3318 && sav->state != SADB_SASTATE_DYING) { 3319 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3320 error = EINVAL; 3321 goto bad; 3322 } 3323 3324 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3325 /* 3326 * build IPsec tunnel. 3327 */ 3328 state->m = ipsec6_splithdr(state->m); 3329 if (!state->m) { 3330 IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem); 3331 error = ENOMEM; 3332 goto bad; 3333 } 3334 3335 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) { 3336 error = ipsec6_encapsulate(state->m, sav); 3337 if (error) { 3338 state->m = 0; 3339 goto bad; 3340 } 3341 ip6 = mtod(state->m, struct ip6_hdr *); 3342 } else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) { 3343 3344 struct ip *ip; 3345 struct sockaddr_in* dst4; 3346 struct route *ro4 = NULL; 3347 3348 /* 3349 * must be last isr because encapsulated IPv6 packet 3350 * will be sent by calling ip_output 3351 */ 3352 if (isr->next) { 3353 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3354 "IPv4 must be outer layer, spi=%u\n", 3355 (u_int32_t)ntohl(sav->spi))); 3356 error = EINVAL; 3357 goto bad; 3358 } 3359 *tunneledv4 = 1; /* must not process any further in ip6_output */ 3360 error = ipsec64_encapsulate(state->m, sav); 3361 if (error) { 3362 state->m = 0; 3363 goto bad; 3364 } 3365 /* Now we have an IPv4 packet */ 3366 ip = mtod(state->m, struct ip *); 3367 3368 ro4 = &sav->sah->sa_route; 3369 dst4 = (struct sockaddr_in *)&ro4->ro_dst; 3370 if (ro4->ro_rt 3371 && ((ro4->ro_rt->rt_flags & RTF_UP) == 0 3372 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) { 3373 rtfree(ro4->ro_rt); 3374 ro4->ro_rt = NULL; 3375 } 3376 if (ro4->ro_rt == NULL) { 3377 dst4->sin_family = AF_INET; 3378 dst4->sin_len = sizeof(*dst4); 3379 dst4->sin_addr = ip->ip_dst; 3380 rtalloc(ro4); 3381 } 3382 if (ro4->ro_rt == NULL) { 3383 OSAddAtomic(1, (SInt32*)&ipstat.ips_noroute); 3384 error = EHOSTUNREACH; 3385 goto bad; 3386 } 3387 3388 state->m = ipsec4_splithdr(state->m); 3389 if (!state->m) { 3390 error = ENOMEM; 3391 goto bad; 3392 } 3393 switch (isr->saidx.proto) { 3394 case IPPROTO_ESP: 3395#if IPSEC_ESP 3396 if ((error = esp4_output(state->m, sav)) != 0) { 3397 state->m = NULL; 3398 goto bad; 3399 } 3400 break; 3401 3402#else 3403 m_freem(state->m); 3404 state->m = NULL; 3405 error = EINVAL; 3406 goto bad; 3407#endif 3408 case IPPROTO_AH: 3409 if ((error = ah4_output(state->m, sav)) != 0) { 3410 state->m = NULL; 3411 goto bad; 3412 } 3413 break; 3414 case IPPROTO_IPCOMP: 3415 if ((error = ipcomp4_output(state->m, sav)) != 0) { 3416 state->m = NULL; 3417 goto bad; 3418 } 3419 break; 3420 default: 3421 ipseclog((LOG_ERR, 3422 "ipsec4_output: unknown ipsec protocol %d\n", 3423 isr->saidx.proto)); 3424 m_freem(state->m); 3425 state->m = NULL; 3426 error = EINVAL; 3427 goto bad; 3428 } 3429 3430 if (state->m == 0) { 3431 error = ENOMEM; 3432 goto bad; 3433 } 3434 ip = mtod(state->m, struct ip *); 3435 ip->ip_len = ntohs(ip->ip_len); /* flip len field before calling ip_output */ 3436 ip_output(state->m, NULL, ro4, 0, NULL, NULL); 3437 state->m = NULL; 3438 goto done; 3439 } else { 3440 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3441 "unsupported inner family, spi=%u\n", 3442 (u_int32_t)ntohl(sav->spi))); 3443 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3444 error = EAFNOSUPPORT; 3445 goto bad; 3446 } 3447 3448 state->ro = &sav->sah->sa_route; 3449 state->dst = (struct sockaddr *)&state->ro->ro_dst; 3450 dst6 = (struct sockaddr_in6 *)state->dst; 3451 if (state->ro->ro_rt 3452 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 3453 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) { 3454 rtfree(state->ro->ro_rt); 3455 state->ro->ro_rt = NULL; 3456 } 3457 if (state->ro->ro_rt == 0) { 3458 bzero(dst6, sizeof(*dst6)); 3459 dst6->sin6_family = AF_INET6; 3460 dst6->sin6_len = sizeof(*dst6); 3461 dst6->sin6_addr = ip6->ip6_dst; 3462 rtalloc(state->ro); 3463 } 3464 if (state->ro->ro_rt == 0) { 3465 ip6stat.ip6s_noroute++; 3466 IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute); 3467 error = EHOSTUNREACH; 3468 goto bad; 3469 } 3470 3471 /* adjust state->dst if tunnel endpoint is offlink */ 3472 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) { 3473 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway; 3474 dst6 = (struct sockaddr_in6 *)state->dst; 3475 } 3476 } 3477 3478 state->m = ipsec6_splithdr(state->m); 3479 if (!state->m) { 3480 IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem); 3481 error = ENOMEM; 3482 goto bad; 3483 } 3484 ip6 = mtod(state->m, struct ip6_hdr *); 3485 switch (isr->saidx.proto) { 3486 case IPPROTO_ESP: 3487#if IPSEC_ESP 3488 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); 3489#else 3490 m_freem(state->m); 3491 error = EINVAL; 3492#endif 3493 break; 3494 case IPPROTO_AH: 3495 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); 3496 break; 3497 case IPPROTO_IPCOMP: 3498 /* XXX code should be here */ 3499 /*FALLTHROUGH*/ 3500 default: 3501 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3502 "unknown ipsec protocol %d\n", isr->saidx.proto)); 3503 m_freem(state->m); 3504 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3505 error = EINVAL; 3506 break; 3507 } 3508 if (error) { 3509 state->m = NULL; 3510 goto bad; 3511 } 3512 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3513 if (plen > IPV6_MAXPACKET) { 3514 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3515 "IPsec with IPv6 jumbogram is not supported\n")); 3516 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3517 error = EINVAL; /*XXX*/ 3518 goto bad; 3519 } 3520 ip6 = mtod(state->m, struct ip6_hdr *); 3521 ip6->ip6_plen = htons(plen); 3522 } 3523done: 3524 if (sav) 3525 key_freesav(sav, KEY_SADB_UNLOCKED); 3526 return 0; 3527 3528bad: 3529 if (sav) 3530 key_freesav(sav, KEY_SADB_UNLOCKED); 3531 if (state->m) 3532 m_freem(state->m); 3533 state->m = NULL; 3534 return error; 3535} 3536#endif /*INET6*/ 3537 3538#if INET 3539/* 3540 * Chop IP header and option off from the payload. 3541 */ 3542static struct mbuf * 3543ipsec4_splithdr(m) 3544 struct mbuf *m; 3545{ 3546 struct mbuf *mh; 3547 struct ip *ip; 3548 int hlen; 3549 3550 if (m->m_len < sizeof(struct ip)) 3551 panic("ipsec4_splithdr: first mbuf too short"); 3552 ip = mtod(m, struct ip *); 3553#ifdef _IP_VHL 3554 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 3555#else 3556 hlen = ip->ip_hl << 2; 3557#endif 3558 if (m->m_len > hlen) { 3559 MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 3560 if (!mh) { 3561 m_freem(m); 3562 return NULL; 3563 } 3564 M_COPY_PKTHDR(mh, m); 3565 MH_ALIGN(mh, hlen); 3566 m->m_flags &= ~M_PKTHDR; 3567 m_mchtype(m, MT_DATA); 3568 m->m_len -= hlen; 3569 m->m_data += hlen; 3570 mh->m_next = m; 3571 m = mh; 3572 m->m_len = hlen; 3573 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen); 3574 } else if (m->m_len < hlen) { 3575 m = m_pullup(m, hlen); 3576 if (!m) 3577 return NULL; 3578 } 3579 return m; 3580} 3581#endif 3582 3583#if INET6 3584static struct mbuf * 3585ipsec6_splithdr(m) 3586 struct mbuf *m; 3587{ 3588 struct mbuf *mh; 3589 struct ip6_hdr *ip6; 3590 int hlen; 3591 3592 if (m->m_len < sizeof(struct ip6_hdr)) 3593 panic("ipsec6_splithdr: first mbuf too short"); 3594 ip6 = mtod(m, struct ip6_hdr *); 3595 hlen = sizeof(struct ip6_hdr); 3596 if (m->m_len > hlen) { 3597 MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 3598 if (!mh) { 3599 m_freem(m); 3600 return NULL; 3601 } 3602 M_COPY_PKTHDR(mh, m); 3603 MH_ALIGN(mh, hlen); 3604 m->m_flags &= ~M_PKTHDR; 3605 m_mchtype(m, MT_DATA); 3606 m->m_len -= hlen; 3607 m->m_data += hlen; 3608 mh->m_next = m; 3609 m = mh; 3610 m->m_len = hlen; 3611 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen); 3612 } else if (m->m_len < hlen) { 3613 m = m_pullup(m, hlen); 3614 if (!m) 3615 return NULL; 3616 } 3617 return m; 3618} 3619#endif 3620 3621/* validate inbound IPsec tunnel packet. */ 3622int 3623ipsec4_tunnel_validate(m, off, nxt0, sav, ifamily) 3624 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 3625 int off; 3626 u_int nxt0; 3627 struct secasvar *sav; 3628 sa_family_t *ifamily; 3629{ 3630 u_int8_t nxt = nxt0 & 0xff; 3631 struct sockaddr_in *sin; 3632 struct sockaddr_in osrc, odst, i4src, i4dst; 3633 struct sockaddr_in6 i6src, i6dst; 3634 int hlen; 3635 struct secpolicy *sp; 3636 struct ip *oip; 3637 3638 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 3639 3640#if DIAGNOSTIC 3641 if (m->m_len < sizeof(struct ip)) 3642 panic("too short mbuf on ipsec4_tunnel_validate"); 3643#endif 3644 if (nxt != IPPROTO_IPV4 && nxt != IPPROTO_IPV6) 3645 return 0; 3646 if (m->m_pkthdr.len < off + sizeof(struct ip)) 3647 return 0; 3648 /* do not decapsulate if the SA is for transport mode only */ 3649 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3650 return 0; 3651 3652 oip = mtod(m, struct ip *); 3653#ifdef _IP_VHL 3654 hlen = _IP_VHL_HL(oip->ip_vhl) << 2; 3655#else 3656 hlen = oip->ip_hl << 2; 3657#endif 3658 if (hlen != sizeof(struct ip)) 3659 return 0; 3660 3661 sin = (struct sockaddr_in *)&sav->sah->saidx.dst; 3662 if (sin->sin_family != AF_INET) 3663 return 0; 3664 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0) 3665 return 0; 3666 3667 /* XXX slow */ 3668 bzero(&osrc, sizeof(osrc)); 3669 bzero(&odst, sizeof(odst)); 3670 osrc.sin_family = odst.sin_family = AF_INET; 3671 osrc.sin_len = odst.sin_len = sizeof(struct sockaddr_in); 3672 osrc.sin_addr = oip->ip_src; 3673 odst.sin_addr = oip->ip_dst; 3674 /* 3675 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode) 3676 * - if the inner destination is multicast address, there can be 3677 * multiple permissible inner source address. implementation 3678 * may want to skip verification of inner source address against 3679 * SPD selector. 3680 * - if the inner protocol is ICMP, the packet may be an error report 3681 * from routers on the other side of the VPN cloud (R in the 3682 * following diagram). in this case, we cannot verify inner source 3683 * address against SPD selector. 3684 * me -- gw === gw -- R -- you 3685 * 3686 * we consider the first bullet to be users responsibility on SPD entry 3687 * configuration (if you need to encrypt multicast traffic, set 3688 * the source range of SPD selector to 0.0.0.0/0, or have explicit 3689 * address ranges for possible senders). 3690 * the second bullet is not taken care of (yet). 3691 * 3692 * therefore, we do not do anything special about inner source. 3693 */ 3694 if (nxt == IPPROTO_IPV4) { 3695 bzero(&i4src, sizeof(struct sockaddr_in)); 3696 bzero(&i4dst, sizeof(struct sockaddr_in)); 3697 i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET; 3698 i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in); 3699 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr), 3700 (caddr_t)&i4src.sin_addr); 3701 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr), 3702 (caddr_t)&i4dst.sin_addr); 3703 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 3704 (struct sockaddr *)&i4src, (struct sockaddr *)&i4dst); 3705 } else if (nxt == IPPROTO_IPV6) { 3706 bzero(&i6src, sizeof(struct sockaddr_in6)); 3707 bzero(&i6dst, sizeof(struct sockaddr_in6)); 3708 i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6; 3709 i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6); 3710 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr), 3711 (caddr_t)&i6src.sin6_addr); 3712 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr), 3713 (caddr_t)&i6dst.sin6_addr); 3714 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 3715 (struct sockaddr *)&i6src, (struct sockaddr *)&i6dst); 3716 } else 3717 return 0; /* unsupported family */ 3718 3719 if (!sp) 3720 return 0; 3721 3722 key_freesp(sp, KEY_SADB_UNLOCKED); 3723 3724 return 1; 3725} 3726 3727#if INET6 3728/* validate inbound IPsec tunnel packet. */ 3729int 3730ipsec6_tunnel_validate(m, off, nxt0, sav) 3731 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 3732 int off; 3733 u_int nxt0; 3734 struct secasvar *sav; 3735{ 3736 u_int8_t nxt = nxt0 & 0xff; 3737 struct sockaddr_in6 *sin6; 3738 struct sockaddr_in6 osrc, odst, isrc, idst; 3739 struct secpolicy *sp; 3740 struct ip6_hdr *oip6; 3741 3742 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 3743 3744#if DIAGNOSTIC 3745 if (m->m_len < sizeof(struct ip6_hdr)) 3746 panic("too short mbuf on ipsec6_tunnel_validate"); 3747#endif 3748 if (nxt != IPPROTO_IPV6) 3749 return 0; 3750 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr)) 3751 return 0; 3752 /* do not decapsulate if the SA is for transport mode only */ 3753 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 3754 return 0; 3755 3756 oip6 = mtod(m, struct ip6_hdr *); 3757 /* AF_INET should be supported, but at this moment we don't. */ 3758 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst; 3759 if (sin6->sin6_family != AF_INET6) 3760 return 0; 3761 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr)) 3762 return 0; 3763 3764 /* XXX slow */ 3765 bzero(&osrc, sizeof(osrc)); 3766 bzero(&odst, sizeof(odst)); 3767 bzero(&isrc, sizeof(isrc)); 3768 bzero(&idst, sizeof(idst)); 3769 osrc.sin6_family = odst.sin6_family = isrc.sin6_family = 3770 idst.sin6_family = AF_INET6; 3771 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len = 3772 sizeof(struct sockaddr_in6); 3773 osrc.sin6_addr = oip6->ip6_src; 3774 odst.sin6_addr = oip6->ip6_dst; 3775 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), 3776 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr); 3777 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), 3778 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr); 3779 3780 /* 3781 * regarding to inner source address validation, see a long comment 3782 * in ipsec4_tunnel_validate. 3783 */ 3784 3785 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 3786 (struct sockaddr *)&isrc, (struct sockaddr *)&idst); 3787 /* 3788 * when there is no suitable inbound policy for the packet of the ipsec 3789 * tunnel mode, the kernel never decapsulate the tunneled packet 3790 * as the ipsec tunnel mode even when the system wide policy is "none". 3791 * then the kernel leaves the generic tunnel module to process this 3792 * packet. if there is no rule of the generic tunnel, the packet 3793 * is rejected and the statistics will be counted up. 3794 */ 3795 if (!sp) 3796 return 0; 3797 key_freesp(sp, KEY_SADB_UNLOCKED); 3798 3799 return 1; 3800} 3801#endif 3802 3803/* 3804 * Make a mbuf chain for encryption. 3805 * If the original mbuf chain contains a mbuf with a cluster, 3806 * allocate a new cluster and copy the data to the new cluster. 3807 * XXX: this hack is inefficient, but is necessary to handle cases 3808 * of TCP retransmission... 3809 */ 3810struct mbuf * 3811ipsec_copypkt(m) 3812 struct mbuf *m; 3813{ 3814 struct mbuf *n, **mpp, *mnew; 3815 3816 for (n = m, mpp = &m; n; n = n->m_next) { 3817 if (n->m_flags & M_EXT) { 3818 /* 3819 * Make a copy only if there are more than one references 3820 * to the cluster. 3821 * XXX: is this approach effective? 3822 */ 3823 if ( 3824 n->m_ext.ext_free || 3825 m_mclhasreference(n) 3826 ) 3827 { 3828 int remain, copied; 3829 struct mbuf *mm; 3830 3831 if (n->m_flags & M_PKTHDR) { 3832 MGETHDR(mnew, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 3833 if (mnew == NULL) 3834 goto fail; 3835 mnew->m_pkthdr = n->m_pkthdr; 3836 M_COPY_PKTHDR(mnew, n); 3837 mnew->m_flags = n->m_flags & M_COPYFLAGS; 3838 } 3839 else { 3840 MGET(mnew, M_DONTWAIT, MT_DATA); 3841 if (mnew == NULL) 3842 goto fail; 3843 } 3844 mnew->m_len = 0; 3845 mm = mnew; 3846 3847 /* 3848 * Copy data. If we don't have enough space to 3849 * store the whole data, allocate a cluster 3850 * or additional mbufs. 3851 * XXX: we don't use m_copyback(), since the 3852 * function does not use clusters and thus is 3853 * inefficient. 3854 */ 3855 remain = n->m_len; 3856 copied = 0; 3857 while (1) { 3858 int len; 3859 struct mbuf *mn; 3860 3861 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN)) 3862 len = remain; 3863 else { /* allocate a cluster */ 3864 MCLGET(mm, M_DONTWAIT); 3865 if (!(mm->m_flags & M_EXT)) { 3866 m_free(mm); 3867 goto fail; 3868 } 3869 len = remain < MCLBYTES ? 3870 remain : MCLBYTES; 3871 } 3872 3873 bcopy(n->m_data + copied, mm->m_data, 3874 len); 3875 3876 copied += len; 3877 remain -= len; 3878 mm->m_len = len; 3879 3880 if (remain <= 0) /* completed? */ 3881 break; 3882 3883 /* need another mbuf */ 3884 MGETHDR(mn, M_DONTWAIT, MT_HEADER); /* XXXMAC: tags copied next time in loop? */ 3885 if (mn == NULL) 3886 goto fail; 3887 mn->m_pkthdr.rcvif = NULL; 3888 mm->m_next = mn; 3889 mm = mn; 3890 } 3891 3892 /* adjust chain */ 3893 mm->m_next = m_free(n); 3894 n = mm; 3895 *mpp = mnew; 3896 mpp = &n->m_next; 3897 3898 continue; 3899 } 3900 } 3901 *mpp = n; 3902 mpp = &n->m_next; 3903 } 3904 3905 return(m); 3906 fail: 3907 m_freem(m); 3908 return(NULL); 3909} 3910 3911/* 3912 * Tags are allocated as mbufs for now, since our minimum size is MLEN, we 3913 * should make use of up to that much space. 3914 */ 3915#define IPSEC_TAG_HEADER \ 3916 3917struct ipsec_tag { 3918 struct socket *socket; 3919 u_int32_t history_count; 3920 struct ipsec_history history[]; 3921}; 3922 3923#define IPSEC_TAG_SIZE (MLEN - sizeof(struct m_tag)) 3924#define IPSEC_TAG_HDR_SIZE (offsetof(struct ipsec_tag, history[0])) 3925#define IPSEC_HISTORY_MAX ((IPSEC_TAG_SIZE - IPSEC_TAG_HDR_SIZE) / \ 3926 sizeof(struct ipsec_history)) 3927 3928static struct ipsec_tag * 3929ipsec_addaux( 3930 struct mbuf *m) 3931{ 3932 struct m_tag *tag; 3933 3934 /* Check if the tag already exists */ 3935 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL); 3936 3937 if (tag == NULL) { 3938 struct ipsec_tag *itag; 3939 3940 /* Allocate a tag */ 3941 tag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, 3942 IPSEC_TAG_SIZE, M_DONTWAIT); 3943 3944 if (tag) { 3945 itag = (struct ipsec_tag*)(tag + 1); 3946 itag->socket = 0; 3947 itag->history_count = 0; 3948 3949 m_tag_prepend(m, tag); 3950 } 3951 } 3952 3953 return tag ? (struct ipsec_tag*)(tag + 1) : NULL; 3954} 3955 3956static struct ipsec_tag * 3957ipsec_findaux( 3958 struct mbuf *m) 3959{ 3960 struct m_tag *tag; 3961 3962 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL); 3963 3964 return tag ? (struct ipsec_tag*)(tag + 1) : NULL; 3965} 3966 3967void 3968ipsec_delaux( 3969 struct mbuf *m) 3970{ 3971 struct m_tag *tag; 3972 3973 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL); 3974 3975 if (tag) { 3976 m_tag_delete(m, tag); 3977 } 3978} 3979 3980/* if the aux buffer is unnecessary, nuke it. */ 3981static void 3982ipsec_optaux( 3983 struct mbuf *m, 3984 struct ipsec_tag *itag) 3985{ 3986 if (itag && itag->socket == NULL && itag->history_count == 0) { 3987 m_tag_delete(m, ((struct m_tag*)itag) - 1); 3988 } 3989} 3990 3991int 3992ipsec_setsocket( 3993 struct mbuf *m, 3994 struct socket *so) 3995{ 3996 struct ipsec_tag *tag; 3997 3998 /* if so == NULL, don't insist on getting the aux mbuf */ 3999 if (so) { 4000 tag = ipsec_addaux(m); 4001 if (!tag) 4002 return ENOBUFS; 4003 } else 4004 tag = ipsec_findaux(m); 4005 if (tag) { 4006 tag->socket = so; 4007 ipsec_optaux(m, tag); 4008 } 4009 return 0; 4010} 4011 4012struct socket * 4013ipsec_getsocket( 4014 struct mbuf *m) 4015{ 4016 struct ipsec_tag *itag; 4017 4018 itag = ipsec_findaux(m); 4019 if (itag) 4020 return itag->socket; 4021 else 4022 return NULL; 4023} 4024 4025int 4026ipsec_addhist( 4027 struct mbuf *m, 4028 int proto, 4029 u_int32_t spi) 4030{ 4031 struct ipsec_tag *itag; 4032 struct ipsec_history *p; 4033 itag = ipsec_addaux(m); 4034 if (!itag) 4035 return ENOBUFS; 4036 if (itag->history_count == IPSEC_HISTORY_MAX) 4037 return ENOSPC; /* XXX */ 4038 4039 p = &itag->history[itag->history_count]; 4040 itag->history_count++; 4041 4042 bzero(p, sizeof(*p)); 4043 p->ih_proto = proto; 4044 p->ih_spi = spi; 4045 4046 return 0; 4047} 4048 4049struct ipsec_history * 4050ipsec_gethist( 4051 struct mbuf *m, 4052 int *lenp) 4053{ 4054 struct ipsec_tag *itag; 4055 4056 itag = ipsec_findaux(m); 4057 if (!itag) 4058 return NULL; 4059 if (itag->history_count == 0) 4060 return NULL; 4061 if (lenp) 4062 *lenp = (int)(itag->history_count * sizeof(struct ipsec_history)); 4063 return itag->history; 4064} 4065 4066void 4067ipsec_clearhist( 4068 struct mbuf *m) 4069{ 4070 struct ipsec_tag *itag; 4071 4072 itag = ipsec_findaux(m); 4073 if (itag) { 4074 itag->history_count = 0; 4075 } 4076 ipsec_optaux(m, itag); 4077} 4078 4079__private_extern__ void 4080ipsec_send_natt_keepalive( 4081 struct secasvar *sav) 4082{ 4083 struct mbuf *m; 4084 struct udphdr *uh; 4085 struct ip *ip; 4086 int error; 4087 4088 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 4089 4090 if ((esp_udp_encap_port & 0xFFFF) == 0 || sav->remote_ike_port == 0) return; 4091 4092 m = m_gethdr(M_NOWAIT, MT_DATA); 4093 if (m == NULL) return; 4094 4095 /* 4096 * Create a UDP packet complete with IP header. 4097 * We must do this because UDP output requires 4098 * an inpcb which we don't have. UDP packet 4099 * contains one byte payload. The byte is set 4100 * to 0xFF. 4101 */ 4102 ip = (struct ip*)m_mtod(m); 4103 uh = (struct udphdr*)((char*)m_mtod(m) + sizeof(struct ip)); 4104 m->m_len = sizeof(struct udpiphdr) + 1; 4105 bzero(m_mtod(m), m->m_len); 4106 m->m_pkthdr.len = m->m_len; 4107 4108 ip->ip_len = m->m_len; 4109 ip->ip_ttl = ip_defttl; 4110 ip->ip_p = IPPROTO_UDP; 4111 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; 4112 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; 4113 uh->uh_sport = htons((u_short)esp_udp_encap_port); 4114 uh->uh_dport = htons(sav->remote_ike_port); 4115 uh->uh_ulen = htons(1 + sizeof(struct udphdr)); 4116 uh->uh_sum = 0; 4117 *(u_int8_t*)((char*)m_mtod(m) + sizeof(struct ip) + sizeof(struct udphdr)) = 0xFF; 4118 4119 error = ip_output(m, NULL, &sav->sah->sa_route, IP_NOIPSEC, NULL, NULL); 4120 if (error == 0) 4121 sav->natt_last_activity = natt_now; 4122 4123} 4124