1/* 2 * Copyright (c) 2008-2013 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28 29/* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $ */ 30/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ 31 32/* 33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 34 * All rights reserved. 35 * 36 * Redistribution and use in source and binary forms, with or without 37 * modification, are permitted provided that the following conditions 38 * are met: 39 * 1. Redistributions of source code must retain the above copyright 40 * notice, this list of conditions and the following disclaimer. 41 * 2. Redistributions in binary form must reproduce the above copyright 42 * notice, this list of conditions and the following disclaimer in the 43 * documentation and/or other materials provided with the distribution. 44 * 3. Neither the name of the project nor the names of its contributors 45 * may be used to endorse or promote products derived from this software 46 * without specific prior written permission. 47 * 48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 58 * SUCH DAMAGE. 59 */ 60 61/* 62 * IPsec controller part. 63 */ 64 65#include <sys/param.h> 66#include <sys/systm.h> 67#include <sys/malloc.h> 68#include <sys/mbuf.h> 69#include <sys/mcache.h> 70#include <sys/domain.h> 71#include <sys/protosw.h> 72#include <sys/socket.h> 73#include <sys/socketvar.h> 74#include <sys/errno.h> 75#include <sys/time.h> 76#include <sys/kernel.h> 77#include <sys/syslog.h> 78#include <sys/sysctl.h> 79#include <kern/locks.h> 80#include <sys/kauth.h> 81#include <libkern/OSAtomic.h> 82 83#include <net/if.h> 84#include <net/route.h> 85 86#include <netinet/in.h> 87#include <netinet/in_systm.h> 88#include <netinet/ip.h> 89#include <netinet/ip_var.h> 90#include <netinet/in_var.h> 91#include <netinet/udp.h> 92#include <netinet/udp_var.h> 93#include <netinet/ip_ecn.h> 94#if INET6 95#include <netinet6/ip6_ecn.h> 96#endif 97#include <netinet/tcp.h> 98#include <netinet/udp.h> 99 100#include <netinet/ip6.h> 101#if INET6 102#include <netinet6/ip6_var.h> 103#endif 104#include <netinet/in_pcb.h> 105#if INET6 106#include <netinet/icmp6.h> 107#endif 108 109#include <netinet6/ipsec.h> 110#if INET6 111#include <netinet6/ipsec6.h> 112#endif 113#include <netinet6/ah.h> 114#if INET6 115#include <netinet6/ah6.h> 116#endif 117#if IPSEC_ESP 118#include <netinet6/esp.h> 119#if INET6 120#include <netinet6/esp6.h> 121#endif 122#endif 123#include <netinet6/ipcomp.h> 124#if INET6 125#include <netinet6/ipcomp6.h> 126#endif 127#include <netkey/key.h> 128#include <netkey/keydb.h> 129#include <netkey/key_debug.h> 130 131#include <net/net_osdep.h> 132 133#if IPSEC_DEBUG 134int ipsec_debug = 1; 135#else 136int ipsec_debug = 0; 137#endif 138 139#include <sys/kdebug.h> 140#define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1) 141#define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3) 142#define DBG_FNC_GETPOL_SOCK NETDBG_CODE(DBG_NETIPSEC, (1 << 8)) 143#define DBG_FNC_GETPOL_ADDR NETDBG_CODE(DBG_NETIPSEC, (2 << 8)) 144#define DBG_FNC_IPSEC_OUT NETDBG_CODE(DBG_NETIPSEC, (3 << 8)) 145 146extern lck_mtx_t *sadb_mutex; 147 148struct ipsecstat ipsecstat; 149int ip4_ah_cleartos = 1; 150int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ 151int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ 152int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; 153int ip4_esp_net_deflev = IPSEC_LEVEL_USE; 154int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; 155int ip4_ah_net_deflev = IPSEC_LEVEL_USE; 156struct secpolicy ip4_def_policy; 157int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 158int ip4_esp_randpad = -1; 159int esp_udp_encap_port = 0; 160static int sysctl_def_policy SYSCTL_HANDLER_ARGS; 161extern int natt_keepalive_interval; 162extern u_int32_t natt_now; 163 164struct ipsec_tag; 165 166SYSCTL_DECL(_net_inet_ipsec); 167#if INET6 168SYSCTL_DECL(_net_inet6_ipsec6); 169#endif 170/* net.inet.ipsec */ 171SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS, 172 stats, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsecstat, ipsecstat, ""); 173SYSCTL_PROC(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy, CTLTYPE_INT|CTLFLAG_RW | CTLFLAG_LOCKED, 174 &ip4_def_policy.policy, 0, &sysctl_def_policy, "I", ""); 175SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 176 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_trans_deflev, 0, ""); 177SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 178 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_net_deflev, 0, ""); 179SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 180 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_trans_deflev, 0, ""); 181SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 182 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_net_deflev, 0, ""); 183SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, 184 ah_cleartos, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_cleartos, 0, ""); 185SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, 186 ah_offsetmask, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_offsetmask, 0, ""); 187SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, 188 dfbit, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ipsec_dfbit, 0, ""); 189SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, 190 ecn, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ipsec_ecn, 0, ""); 191SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, 192 debug, CTLFLAG_RW | CTLFLAG_LOCKED, &ipsec_debug, 0, ""); 193SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD, 194 esp_randpad, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_randpad, 0, ""); 195 196/* for performance, we bypass ipsec until a security policy is set */ 197int ipsec_bypass = 1; 198SYSCTL_INT(_net_inet_ipsec, OID_AUTO, bypass, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsec_bypass,0, ""); 199 200/* 201 * NAT Traversal requires a UDP port for encapsulation, 202 * esp_udp_encap_port controls which port is used. Racoon 203 * must set this port to the port racoon is using locally 204 * for nat traversal. 205 */ 206SYSCTL_INT(_net_inet_ipsec, OID_AUTO, esp_port, 207 CTLFLAG_RW | CTLFLAG_LOCKED, &esp_udp_encap_port, 0, ""); 208 209#if INET6 210struct ipsecstat ipsec6stat; 211int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; 212int ip6_esp_net_deflev = IPSEC_LEVEL_USE; 213int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 214int ip6_ah_net_deflev = IPSEC_LEVEL_USE; 215struct secpolicy ip6_def_policy; 216int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 217int ip6_esp_randpad = -1; 218 219/* net.inet6.ipsec6 */ 220SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, 221 stats, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsec6stat, ipsecstat, ""); 222SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, 223 def_policy, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_def_policy.policy, 0, ""); 224SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 225 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_trans_deflev, 0, ""); 226SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 227 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_net_deflev, 0, ""); 228SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 229 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ah_trans_deflev, 0, ""); 230SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 231 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ah_net_deflev, 0, ""); 232SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, 233 ecn, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ipsec_ecn, 0, ""); 234SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, 235 debug, CTLFLAG_RW | CTLFLAG_LOCKED, &ipsec_debug, 0, ""); 236SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, 237 esp_randpad, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_randpad, 0, ""); 238#endif /* INET6 */ 239 240static int ipsec_setspidx_interface(struct secpolicyindex *, u_int, struct mbuf *, 241 int, int, int); 242static int ipsec_setspidx_mbuf(struct secpolicyindex *, u_int, u_int, 243 struct mbuf *, int); 244static int ipsec4_setspidx_inpcb(struct mbuf *, struct inpcb *pcb); 245#if INET6 246static int ipsec6_setspidx_in6pcb(struct mbuf *, struct in6pcb *pcb); 247#endif 248static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int, int); 249static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int); 250static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *); 251#if INET6 252static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int); 253static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *); 254#endif 255static struct inpcbpolicy *ipsec_newpcbpolicy(void); 256static void ipsec_delpcbpolicy(struct inpcbpolicy *); 257static struct secpolicy *ipsec_deepcopy_policy(struct secpolicy *src); 258static int ipsec_set_policy(struct secpolicy **pcb_sp, 259 int optname, caddr_t request, size_t len, int priv); 260static int ipsec_get_policy(struct secpolicy *pcb_sp, struct mbuf **mp); 261static void vshiftl(unsigned char *, int, int); 262static int ipsec_in_reject(struct secpolicy *, struct mbuf *); 263#if INET6 264static int ipsec64_encapsulate(struct mbuf *, struct secasvar *); 265#endif 266static struct ipsec_tag *ipsec_addaux(struct mbuf *); 267static struct ipsec_tag *ipsec_findaux(struct mbuf *); 268static void ipsec_optaux(struct mbuf *, struct ipsec_tag *); 269int ipsec_send_natt_keepalive(struct secasvar *sav); 270 271static int 272sysctl_def_policy SYSCTL_HANDLER_ARGS 273{ 274 int old_policy = ip4_def_policy.policy; 275 int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req); 276 277#pragma unused(arg1, arg2) 278 279 if (ip4_def_policy.policy != IPSEC_POLICY_NONE && 280 ip4_def_policy.policy != IPSEC_POLICY_DISCARD) { 281 ip4_def_policy.policy = old_policy; 282 return EINVAL; 283 } 284 285 /* Turn off the bypass if the default security policy changes */ 286 if (ipsec_bypass != 0 && ip4_def_policy.policy != IPSEC_POLICY_NONE) 287 ipsec_bypass = 0; 288 289 return error; 290} 291 292/* 293 * For OUTBOUND packet having a socket. Searching SPD for packet, 294 * and return a pointer to SP. 295 * OUT: NULL: no apropreate SP found, the following value is set to error. 296 * 0 : bypass 297 * EACCES : discard packet. 298 * ENOENT : ipsec_acquire() in progress, maybe. 299 * others : error occurred. 300 * others: a pointer to SP 301 * 302 * NOTE: IPv6 mapped adddress concern is implemented here. 303 */ 304struct secpolicy * 305ipsec4_getpolicybysock(m, dir, so, error) 306 struct mbuf *m; 307 u_int dir; 308 struct socket *so; 309 int *error; 310{ 311 struct inpcbpolicy *pcbsp = NULL; 312 struct secpolicy *currsp = NULL; /* policy on socket */ 313 struct secpolicy *kernsp = NULL; /* policy on kernel */ 314 315 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 316 /* sanity check */ 317 if (m == NULL || so == NULL || error == NULL) 318 panic("ipsec4_getpolicybysock: NULL pointer was passed.\n"); 319 320 if (so->so_pcb == NULL) { 321 printf("ipsec4_getpolicybysock: so->so_pcb == NULL\n"); 322 return ipsec4_getpolicybyaddr(m, dir, 0, error); 323 } 324 325 switch (SOCK_DOM(so)) { 326 case PF_INET: 327 pcbsp = sotoinpcb(so)->inp_sp; 328 break; 329#if INET6 330 case PF_INET6: 331 pcbsp = sotoin6pcb(so)->in6p_sp; 332 break; 333#endif 334 } 335 336 if (!pcbsp){ 337 /* Socket has not specified an IPSEC policy */ 338 return ipsec4_getpolicybyaddr(m, dir, 0, error); 339 } 340 341 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_START, 0,0,0,0,0); 342 343 switch (SOCK_DOM(so)) { 344 case PF_INET: 345 /* set spidx in pcb */ 346 *error = ipsec4_setspidx_inpcb(m, sotoinpcb(so)); 347 break; 348#if INET6 349 case PF_INET6: 350 /* set spidx in pcb */ 351 *error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so)); 352 break; 353#endif 354 default: 355 panic("ipsec4_getpolicybysock: unsupported address family\n"); 356 } 357 if (*error) { 358 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 1,*error,0,0,0); 359 return NULL; 360 } 361 362 /* sanity check */ 363 if (pcbsp == NULL) 364 panic("ipsec4_getpolicybysock: pcbsp is NULL.\n"); 365 366 switch (dir) { 367 case IPSEC_DIR_INBOUND: 368 currsp = pcbsp->sp_in; 369 break; 370 case IPSEC_DIR_OUTBOUND: 371 currsp = pcbsp->sp_out; 372 break; 373 default: 374 panic("ipsec4_getpolicybysock: illegal direction.\n"); 375 } 376 377 /* sanity check */ 378 if (currsp == NULL) 379 panic("ipsec4_getpolicybysock: currsp is NULL.\n"); 380 381 /* when privilieged socket */ 382 if (pcbsp->priv) { 383 switch (currsp->policy) { 384 case IPSEC_POLICY_BYPASS: 385 lck_mtx_lock(sadb_mutex); 386 currsp->refcnt++; 387 lck_mtx_unlock(sadb_mutex); 388 *error = 0; 389 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 2,*error,0,0,0); 390 return currsp; 391 392 case IPSEC_POLICY_ENTRUST: 393 /* look for a policy in SPD */ 394 kernsp = key_allocsp(&currsp->spidx, dir); 395 396 /* SP found */ 397 if (kernsp != NULL) { 398 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 399 printf("DP ipsec4_getpolicybysock called " 400 "to allocate SP:0x%llx\n", 401 (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); 402 *error = 0; 403 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 3,*error,0,0,0); 404 return kernsp; 405 } 406 407 /* no SP found */ 408 lck_mtx_lock(sadb_mutex); 409 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD 410 && ip4_def_policy.policy != IPSEC_POLICY_NONE) { 411 ipseclog((LOG_INFO, 412 "fixed system default policy: %d->%d\n", 413 ip4_def_policy.policy, IPSEC_POLICY_NONE)); 414 ip4_def_policy.policy = IPSEC_POLICY_NONE; 415 } 416 ip4_def_policy.refcnt++; 417 lck_mtx_unlock(sadb_mutex); 418 *error = 0; 419 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 4,*error,0,0,0); 420 return &ip4_def_policy; 421 422 case IPSEC_POLICY_IPSEC: 423 lck_mtx_lock(sadb_mutex); 424 currsp->refcnt++; 425 lck_mtx_unlock(sadb_mutex); 426 *error = 0; 427 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 5,*error,0,0,0); 428 return currsp; 429 430 default: 431 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 432 "Invalid policy for PCB %d\n", currsp->policy)); 433 *error = EINVAL; 434 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 6,*error,0,0,0); 435 return NULL; 436 } 437 /* NOTREACHED */ 438 } 439 440 /* when non-privilieged socket */ 441 /* look for a policy in SPD */ 442 kernsp = key_allocsp(&currsp->spidx, dir); 443 444 /* SP found */ 445 if (kernsp != NULL) { 446 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 447 printf("DP ipsec4_getpolicybysock called " 448 "to allocate SP:0x%llx\n", 449 (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); 450 *error = 0; 451 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 7,*error,0,0,0); 452 return kernsp; 453 } 454 455 /* no SP found */ 456 switch (currsp->policy) { 457 case IPSEC_POLICY_BYPASS: 458 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 459 "Illegal policy for non-priviliged defined %d\n", 460 currsp->policy)); 461 *error = EINVAL; 462 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 8,*error,0,0,0); 463 return NULL; 464 465 case IPSEC_POLICY_ENTRUST: 466 lck_mtx_lock(sadb_mutex); 467 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD 468 && ip4_def_policy.policy != IPSEC_POLICY_NONE) { 469 ipseclog((LOG_INFO, 470 "fixed system default policy: %d->%d\n", 471 ip4_def_policy.policy, IPSEC_POLICY_NONE)); 472 ip4_def_policy.policy = IPSEC_POLICY_NONE; 473 } 474 ip4_def_policy.refcnt++; 475 lck_mtx_unlock(sadb_mutex); 476 *error = 0; 477 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 9,*error,0,0,0); 478 return &ip4_def_policy; 479 480 case IPSEC_POLICY_IPSEC: 481 lck_mtx_lock(sadb_mutex); 482 currsp->refcnt++; 483 lck_mtx_unlock(sadb_mutex); 484 *error = 0; 485 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 10,*error,0,0,0); 486 return currsp; 487 488 default: 489 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 490 "Invalid policy for PCB %d\n", currsp->policy)); 491 *error = EINVAL; 492 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 11,*error,0,0,0); 493 return NULL; 494 } 495 /* NOTREACHED */ 496} 497 498/* 499 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 500 * and return a pointer to SP. 501 * OUT: positive: a pointer to the entry for security policy leaf matched. 502 * NULL: no apropreate SP found, the following value is set to error. 503 * 0 : bypass 504 * EACCES : discard packet. 505 * ENOENT : ipsec_acquire() in progress, maybe. 506 * others : error occurred. 507 */ 508struct secpolicy * 509ipsec4_getpolicybyaddr(struct mbuf *m, 510 u_int dir, 511 int flag, 512 int *error) 513{ 514 struct secpolicy *sp = NULL; 515 516 if (ipsec_bypass != 0) 517 return 0; 518 519 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 520 521 /* sanity check */ 522 if (m == NULL || error == NULL) 523 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n"); 524 { 525 struct secpolicyindex spidx; 526 527 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0); 528 bzero(&spidx, sizeof(spidx)); 529 530 /* make a index to look for a policy */ 531 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m, 532 (flag & IP_FORWARDING) ? 0 : 1); 533 534 if (*error != 0) { 535 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,*error,0,0,0); 536 return NULL; 537 } 538 539 sp = key_allocsp(&spidx, dir); 540 } 541 542 /* SP found */ 543 if (sp != NULL) { 544 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 545 printf("DP ipsec4_getpolicybyaddr called " 546 "to allocate SP:0x%llx\n", 547 (uint64_t)VM_KERNEL_ADDRPERM(sp))); 548 *error = 0; 549 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,*error,0,0,0); 550 return sp; 551 } 552 553 /* no SP found */ 554 lck_mtx_lock(sadb_mutex); 555 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD 556 && ip4_def_policy.policy != IPSEC_POLICY_NONE) { 557 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n", 558 ip4_def_policy.policy, 559 IPSEC_POLICY_NONE)); 560 ip4_def_policy.policy = IPSEC_POLICY_NONE; 561 } 562 ip4_def_policy.refcnt++; 563 lck_mtx_unlock(sadb_mutex); 564 *error = 0; 565 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 3,*error,0,0,0); 566 return &ip4_def_policy; 567} 568 569/* Match with bound interface rather than src addr. 570 * Unlike getpolicybyaddr, do not set the default policy. 571 * Return 0 if should continue processing, or -1 if packet 572 * should be dropped. 573 */ 574int 575ipsec4_getpolicybyinterface(struct mbuf *m, 576 u_int dir, 577 int *flags, 578 struct ip_out_args *ipoa, 579 struct secpolicy **sp) 580{ 581 struct secpolicyindex spidx; 582 int error = 0; 583 584 if (ipsec_bypass != 0) 585 return 0; 586 587 /* Sanity check */ 588 if (m == NULL || ipoa == NULL || sp == NULL) 589 panic("ipsec4_getpolicybyinterface: NULL pointer was passed.\n"); 590 591 if (ipoa->ipoa_boundif == IFSCOPE_NONE) 592 return 0; 593 594 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0); 595 bzero(&spidx, sizeof(spidx)); 596 597 /* make a index to look for a policy */ 598 error = ipsec_setspidx_interface(&spidx, dir, m, (*flags & IP_FORWARDING) ? 0 : 1, 599 ipoa->ipoa_boundif, 4); 600 601 if (error != 0) { 602 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,error,0,0,0); 603 return 0; 604 } 605 606 *sp = key_allocsp(&spidx, dir); 607 608 /* Return SP, whether NULL or not */ 609 if (*sp != NULL && (*sp)->policy == IPSEC_POLICY_IPSEC) { 610 if ((*sp)->ipsec_if == NULL) { 611 /* Invalid to capture on an interface without redirect */ 612 key_freesp(*sp, KEY_SADB_UNLOCKED); 613 *sp = NULL; 614 return -1; 615 } else if ((*sp)->disabled) { 616 /* Disabled policies go in the clear */ 617 key_freesp(*sp, KEY_SADB_UNLOCKED); 618 *sp = NULL; 619 *flags |= IP_NOIPSEC; /* Avoid later IPSec check */ 620 } else { 621 /* If policy is enabled, redirect to ipsec interface */ 622 ipoa->ipoa_boundif = (*sp)->ipsec_if->if_index; 623 } 624 } 625 626 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,error,0,0,0); 627 628 return 0; 629} 630 631 632#if INET6 633/* 634 * For OUTBOUND packet having a socket. Searching SPD for packet, 635 * and return a pointer to SP. 636 * OUT: NULL: no apropreate SP found, the following value is set to error. 637 * 0 : bypass 638 * EACCES : discard packet. 639 * ENOENT : ipsec_acquire() in progress, maybe. 640 * others : error occurred. 641 * others: a pointer to SP 642 */ 643struct secpolicy * 644ipsec6_getpolicybysock(m, dir, so, error) 645 struct mbuf *m; 646 u_int dir; 647 struct socket *so; 648 int *error; 649{ 650 struct inpcbpolicy *pcbsp = NULL; 651 struct secpolicy *currsp = NULL; /* policy on socket */ 652 struct secpolicy *kernsp = NULL; /* policy on kernel */ 653 654 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 655 656 /* sanity check */ 657 if (m == NULL || so == NULL || error == NULL) 658 panic("ipsec6_getpolicybysock: NULL pointer was passed.\n"); 659 660#if DIAGNOSTIC 661 if (SOCK_DOM(so) != PF_INET6) 662 panic("ipsec6_getpolicybysock: socket domain != inet6\n"); 663#endif 664 665 pcbsp = sotoin6pcb(so)->in6p_sp; 666 667 if (!pcbsp){ 668 return ipsec6_getpolicybyaddr(m, dir, 0, error); 669 } 670 671 /* set spidx in pcb */ 672 ipsec6_setspidx_in6pcb(m, sotoin6pcb(so)); 673 674 /* sanity check */ 675 if (pcbsp == NULL) 676 panic("ipsec6_getpolicybysock: pcbsp is NULL.\n"); 677 678 switch (dir) { 679 case IPSEC_DIR_INBOUND: 680 currsp = pcbsp->sp_in; 681 break; 682 case IPSEC_DIR_OUTBOUND: 683 currsp = pcbsp->sp_out; 684 break; 685 default: 686 panic("ipsec6_getpolicybysock: illegal direction.\n"); 687 } 688 689 /* sanity check */ 690 if (currsp == NULL) 691 panic("ipsec6_getpolicybysock: currsp is NULL.\n"); 692 693 /* when privilieged socket */ 694 if (pcbsp->priv) { 695 switch (currsp->policy) { 696 case IPSEC_POLICY_BYPASS: 697 lck_mtx_lock(sadb_mutex); 698 currsp->refcnt++; 699 lck_mtx_unlock(sadb_mutex); 700 *error = 0; 701 return currsp; 702 703 case IPSEC_POLICY_ENTRUST: 704 /* look for a policy in SPD */ 705 kernsp = key_allocsp(&currsp->spidx, dir); 706 707 /* SP found */ 708 if (kernsp != NULL) { 709 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 710 printf("DP ipsec6_getpolicybysock called " 711 "to allocate SP:0x%llx\n", 712 (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); 713 *error = 0; 714 return kernsp; 715 } 716 717 /* no SP found */ 718 lck_mtx_lock(sadb_mutex); 719 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD 720 && ip6_def_policy.policy != IPSEC_POLICY_NONE) { 721 ipseclog((LOG_INFO, 722 "fixed system default policy: %d->%d\n", 723 ip6_def_policy.policy, IPSEC_POLICY_NONE)); 724 ip6_def_policy.policy = IPSEC_POLICY_NONE; 725 } 726 ip6_def_policy.refcnt++; 727 lck_mtx_unlock(sadb_mutex); 728 *error = 0; 729 return &ip6_def_policy; 730 731 case IPSEC_POLICY_IPSEC: 732 lck_mtx_lock(sadb_mutex); 733 currsp->refcnt++; 734 lck_mtx_unlock(sadb_mutex); 735 *error = 0; 736 return currsp; 737 738 default: 739 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " 740 "Invalid policy for PCB %d\n", currsp->policy)); 741 *error = EINVAL; 742 return NULL; 743 } 744 /* NOTREACHED */ 745 } 746 747 /* when non-privilieged socket */ 748 /* look for a policy in SPD */ 749 kernsp = key_allocsp(&currsp->spidx, dir); 750 751 /* SP found */ 752 if (kernsp != NULL) { 753 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 754 printf("DP ipsec6_getpolicybysock called " 755 "to allocate SP:0x%llx\n", 756 (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); 757 *error = 0; 758 return kernsp; 759 } 760 761 /* no SP found */ 762 switch (currsp->policy) { 763 case IPSEC_POLICY_BYPASS: 764 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " 765 "Illegal policy for non-priviliged defined %d\n", 766 currsp->policy)); 767 *error = EINVAL; 768 return NULL; 769 770 case IPSEC_POLICY_ENTRUST: 771 lck_mtx_lock(sadb_mutex); 772 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD 773 && ip6_def_policy.policy != IPSEC_POLICY_NONE) { 774 ipseclog((LOG_INFO, 775 "fixed system default policy: %d->%d\n", 776 ip6_def_policy.policy, IPSEC_POLICY_NONE)); 777 ip6_def_policy.policy = IPSEC_POLICY_NONE; 778 } 779 ip6_def_policy.refcnt++; 780 lck_mtx_unlock(sadb_mutex); 781 *error = 0; 782 return &ip6_def_policy; 783 784 case IPSEC_POLICY_IPSEC: 785 lck_mtx_lock(sadb_mutex); 786 currsp->refcnt++; 787 lck_mtx_unlock(sadb_mutex); 788 *error = 0; 789 return currsp; 790 791 default: 792 ipseclog((LOG_ERR, 793 "ipsec6_policybysock: Invalid policy for PCB %d\n", 794 currsp->policy)); 795 *error = EINVAL; 796 return NULL; 797 } 798 /* NOTREACHED */ 799} 800 801/* 802 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 803 * and return a pointer to SP. 804 * `flag' means that packet is to be forwarded whether or not. 805 * flag = 1: forwad 806 * OUT: positive: a pointer to the entry for security policy leaf matched. 807 * NULL: no apropreate SP found, the following value is set to error. 808 * 0 : bypass 809 * EACCES : discard packet. 810 * ENOENT : ipsec_acquire() in progress, maybe. 811 * others : error occurred. 812 */ 813#ifndef IP_FORWARDING 814#define IP_FORWARDING 1 815#endif 816 817struct secpolicy * 818ipsec6_getpolicybyaddr(struct mbuf *m, 819 u_int dir, 820 int flag, 821 int *error) 822{ 823 struct secpolicy *sp = NULL; 824 825 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 826 827 /* sanity check */ 828 if (m == NULL || error == NULL) 829 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n"); 830 831 { 832 struct secpolicyindex spidx; 833 834 bzero(&spidx, sizeof(spidx)); 835 836 /* make a index to look for a policy */ 837 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m, 838 (flag & IP_FORWARDING) ? 0 : 1); 839 840 if (*error != 0) 841 return NULL; 842 843 sp = key_allocsp(&spidx, dir); 844 } 845 846 /* SP found */ 847 if (sp != NULL) { 848 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 849 printf("DP ipsec6_getpolicybyaddr called " 850 "to allocate SP:0x%llx\n", 851 (uint64_t)VM_KERNEL_ADDRPERM(sp))); 852 *error = 0; 853 return sp; 854 } 855 856 /* no SP found */ 857 lck_mtx_lock(sadb_mutex); 858 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD 859 && ip6_def_policy.policy != IPSEC_POLICY_NONE) { 860 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n", 861 ip6_def_policy.policy, IPSEC_POLICY_NONE)); 862 ip6_def_policy.policy = IPSEC_POLICY_NONE; 863 } 864 ip6_def_policy.refcnt++; 865 lck_mtx_unlock(sadb_mutex); 866 *error = 0; 867 return &ip6_def_policy; 868} 869 870/* Match with bound interface rather than src addr. 871 * Unlike getpolicybyaddr, do not set the default policy. 872 * Return 0 if should continue processing, or -1 if packet 873 * should be dropped. 874 */ 875int 876ipsec6_getpolicybyinterface(struct mbuf *m, 877 u_int dir, 878 int flag, 879 struct ip6_out_args *ip6oap, 880 int *noipsec, 881 struct secpolicy **sp) 882{ 883 struct secpolicyindex spidx; 884 int error = 0; 885 886 if (ipsec_bypass != 0) 887 return 0; 888 889 /* Sanity check */ 890 if (m == NULL || sp == NULL || noipsec == NULL || ip6oap == NULL) 891 panic("ipsec6_getpolicybyinterface: NULL pointer was passed.\n"); 892 893 *noipsec = 0; 894 895 if (ip6oap->ip6oa_boundif == IFSCOPE_NONE) 896 return 0; 897 898 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0); 899 bzero(&spidx, sizeof(spidx)); 900 901 /* make a index to look for a policy */ 902 error = ipsec_setspidx_interface(&spidx, dir, m, (flag & IP_FORWARDING) ? 0 : 1, 903 ip6oap->ip6oa_boundif, 6); 904 905 if (error != 0) { 906 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,error,0,0,0); 907 return 0; 908 } 909 910 *sp = key_allocsp(&spidx, dir); 911 912 /* Return SP, whether NULL or not */ 913 if (*sp != NULL && (*sp)->policy == IPSEC_POLICY_IPSEC) { 914 if ((*sp)->ipsec_if == NULL) { 915 /* Invalid to capture on an interface without redirect */ 916 key_freesp(*sp, KEY_SADB_UNLOCKED); 917 *sp = NULL; 918 return -1; 919 } else if ((*sp)->disabled) { 920 /* Disabled policies go in the clear */ 921 key_freesp(*sp, KEY_SADB_UNLOCKED); 922 *sp = NULL; 923 *noipsec = 1; /* Avoid later IPSec check */ 924 } else { 925 /* If policy is enabled, redirect to ipsec interface */ 926 ip6oap->ip6oa_boundif = (*sp)->ipsec_if->if_index; 927 } 928 } 929 930 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,*error,0,0,0); 931 932 return 0; 933} 934#endif /* INET6 */ 935 936/* 937 * set IP address into spidx from mbuf. 938 * When Forwarding packet and ICMP echo reply, this function is used. 939 * 940 * IN: get the followings from mbuf. 941 * protocol family, src, dst, next protocol 942 * OUT: 943 * 0: success. 944 * other: failure, and set errno. 945 */ 946static int 947ipsec_setspidx_mbuf( 948 struct secpolicyindex *spidx, 949 u_int dir, 950 __unused u_int family, 951 struct mbuf *m, 952 int needport) 953{ 954 int error; 955 956 /* sanity check */ 957 if (spidx == NULL || m == NULL) 958 panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n"); 959 960 bzero(spidx, sizeof(*spidx)); 961 962 error = ipsec_setspidx(m, spidx, needport, 0); 963 if (error) 964 goto bad; 965 spidx->dir = dir; 966 967 return 0; 968 969 bad: 970 /* XXX initialize */ 971 bzero(spidx, sizeof(*spidx)); 972 return EINVAL; 973} 974 975static int 976ipsec_setspidx_interface( 977 struct secpolicyindex *spidx, 978 u_int dir, 979 struct mbuf *m, 980 int needport, 981 int ifindex, 982 int ip_version) 983{ 984 int error; 985 986 /* sanity check */ 987 if (spidx == NULL || m == NULL) 988 panic("ipsec_setspidx_interface: NULL pointer was passed.\n"); 989 990 bzero(spidx, sizeof(*spidx)); 991 992 error = ipsec_setspidx(m, spidx, needport, ip_version); 993 if (error) 994 goto bad; 995 spidx->dir = dir; 996 997 if (ifindex != 0) { 998 ifnet_head_lock_shared(); 999 spidx->internal_if = ifindex2ifnet[ifindex]; 1000 ifnet_head_done(); 1001 } else { 1002 spidx->internal_if = NULL; 1003 } 1004 1005 return 0; 1006 1007bad: 1008 return EINVAL; 1009} 1010 1011static int 1012ipsec4_setspidx_inpcb(m, pcb) 1013 struct mbuf *m; 1014 struct inpcb *pcb; 1015{ 1016 struct secpolicyindex *spidx; 1017 int error; 1018 1019 if (ipsec_bypass != 0) 1020 return 0; 1021 1022 /* sanity check */ 1023 if (pcb == NULL) 1024 panic("ipsec4_setspidx_inpcb: no PCB found.\n"); 1025 if (pcb->inp_sp == NULL) 1026 panic("ipsec4_setspidx_inpcb: no inp_sp found.\n"); 1027 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL) 1028 panic("ipsec4_setspidx_inpcb: no sp_in/out found.\n"); 1029 1030 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx)); 1031 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx)); 1032 1033 spidx = &pcb->inp_sp->sp_in->spidx; 1034 error = ipsec_setspidx(m, spidx, 1, 0); 1035 if (error) 1036 goto bad; 1037 spidx->dir = IPSEC_DIR_INBOUND; 1038 1039 spidx = &pcb->inp_sp->sp_out->spidx; 1040 error = ipsec_setspidx(m, spidx, 1, 0); 1041 if (error) 1042 goto bad; 1043 spidx->dir = IPSEC_DIR_OUTBOUND; 1044 1045 return 0; 1046 1047bad: 1048 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx)); 1049 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx)); 1050 return error; 1051} 1052 1053#if INET6 1054static int 1055ipsec6_setspidx_in6pcb(m, pcb) 1056 struct mbuf *m; 1057 struct in6pcb *pcb; 1058{ 1059 struct secpolicyindex *spidx; 1060 int error; 1061 1062 /* sanity check */ 1063 if (pcb == NULL) 1064 panic("ipsec6_setspidx_in6pcb: no PCB found.\n"); 1065 if (pcb->in6p_sp == NULL) 1066 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.\n"); 1067 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL) 1068 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.\n"); 1069 1070 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx)); 1071 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx)); 1072 1073 spidx = &pcb->in6p_sp->sp_in->spidx; 1074 error = ipsec_setspidx(m, spidx, 1, 0); 1075 if (error) 1076 goto bad; 1077 spidx->dir = IPSEC_DIR_INBOUND; 1078 1079 spidx = &pcb->in6p_sp->sp_out->spidx; 1080 error = ipsec_setspidx(m, spidx, 1, 0); 1081 if (error) 1082 goto bad; 1083 spidx->dir = IPSEC_DIR_OUTBOUND; 1084 1085 return 0; 1086 1087bad: 1088 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx)); 1089 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx)); 1090 return error; 1091} 1092#endif 1093 1094/* 1095 * configure security policy index (src/dst/proto/sport/dport) 1096 * by looking at the content of mbuf. 1097 * the caller is responsible for error recovery (like clearing up spidx). 1098 */ 1099static int 1100ipsec_setspidx(struct mbuf *m, 1101 struct secpolicyindex *spidx, 1102 int needport, 1103 int force_ip_version) 1104{ 1105 struct ip *ip = NULL; 1106 struct ip ipbuf; 1107 u_int v; 1108 struct mbuf *n; 1109 int len; 1110 int error; 1111 1112 if (m == NULL) 1113 panic("ipsec_setspidx: m == 0 passed.\n"); 1114 1115 /* 1116 * validate m->m_pkthdr.len. we see incorrect length if we 1117 * mistakenly call this function with inconsistent mbuf chain 1118 * (like 4.4BSD tcp/udp processing). XXX should we panic here? 1119 */ 1120 len = 0; 1121 for (n = m; n; n = n->m_next) 1122 len += n->m_len; 1123 if (m->m_pkthdr.len != len) { 1124 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1125 printf("ipsec_setspidx: " 1126 "total of m_len(%d) != pkthdr.len(%d), " 1127 "ignored.\n", 1128 len, m->m_pkthdr.len)); 1129 return EINVAL; 1130 } 1131 1132 if (m->m_pkthdr.len < sizeof(struct ip)) { 1133 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1134 printf("ipsec_setspidx: " 1135 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n", 1136 m->m_pkthdr.len)); 1137 return EINVAL; 1138 } 1139 1140 if (m->m_len >= sizeof(*ip)) 1141 ip = mtod(m, struct ip *); 1142 else { 1143 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 1144 ip = &ipbuf; 1145 } 1146 1147 if (force_ip_version) { 1148 v = force_ip_version; 1149 } else { 1150#ifdef _IP_VHL 1151 v = _IP_VHL_V(ip->ip_vhl); 1152#else 1153 v = ip->ip_v; 1154#endif 1155 } 1156 switch (v) { 1157 case 4: 1158 error = ipsec4_setspidx_ipaddr(m, spidx); 1159 if (error) 1160 return error; 1161 ipsec4_get_ulp(m, spidx, needport); 1162 return 0; 1163#if INET6 1164 case 6: 1165 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 1166 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1167 printf("ipsec_setspidx: " 1168 "pkthdr.len(%d) < sizeof(struct ip6_hdr), " 1169 "ignored.\n", m->m_pkthdr.len)); 1170 return EINVAL; 1171 } 1172 error = ipsec6_setspidx_ipaddr(m, spidx); 1173 if (error) 1174 return error; 1175 ipsec6_get_ulp(m, spidx, needport); 1176 return 0; 1177#endif 1178 default: 1179 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1180 printf("ipsec_setspidx: " 1181 "unknown IP version %u, ignored.\n", v)); 1182 return EINVAL; 1183 } 1184} 1185 1186static void 1187ipsec4_get_ulp(m, spidx, needport) 1188 struct mbuf *m; 1189 struct secpolicyindex *spidx; 1190 int needport; 1191{ 1192 struct ip ip; 1193 struct ip6_ext ip6e; 1194 u_int8_t nxt; 1195 int off; 1196 struct tcphdr th; 1197 struct udphdr uh; 1198 1199 /* sanity check */ 1200 if (m == NULL) 1201 panic("ipsec4_get_ulp: NULL pointer was passed.\n"); 1202 if (m->m_pkthdr.len < sizeof(ip)) 1203 panic("ipsec4_get_ulp: too short\n"); 1204 1205 /* set default */ 1206 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1207 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY; 1208 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY; 1209 1210 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip); 1211 /* ip_input() flips it into host endian XXX need more checking */ 1212 if (ip.ip_off & (IP_MF | IP_OFFMASK)) 1213 return; 1214 1215 nxt = ip.ip_p; 1216#ifdef _IP_VHL 1217 off = _IP_VHL_HL(ip->ip_vhl) << 2; 1218#else 1219 off = ip.ip_hl << 2; 1220#endif 1221 while (off < m->m_pkthdr.len) { 1222 switch (nxt) { 1223 case IPPROTO_TCP: 1224 spidx->ul_proto = nxt; 1225 if (!needport) 1226 return; 1227 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1228 return; 1229 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1230 ((struct sockaddr_in *)&spidx->src)->sin_port = 1231 th.th_sport; 1232 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1233 th.th_dport; 1234 return; 1235 case IPPROTO_UDP: 1236 spidx->ul_proto = nxt; 1237 if (!needport) 1238 return; 1239 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1240 return; 1241 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1242 ((struct sockaddr_in *)&spidx->src)->sin_port = 1243 uh.uh_sport; 1244 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1245 uh.uh_dport; 1246 return; 1247 case IPPROTO_AH: 1248 if (off + sizeof(ip6e) > m->m_pkthdr.len) 1249 return; 1250 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1251 off += (ip6e.ip6e_len + 2) << 2; 1252 nxt = ip6e.ip6e_nxt; 1253 break; 1254 case IPPROTO_ICMP: 1255 default: 1256 /* XXX intermediate headers??? */ 1257 spidx->ul_proto = nxt; 1258 return; 1259 } 1260 } 1261} 1262 1263/* assumes that m is sane */ 1264static int 1265ipsec4_setspidx_ipaddr(m, spidx) 1266 struct mbuf *m; 1267 struct secpolicyindex *spidx; 1268{ 1269 struct ip *ip = NULL; 1270 struct ip ipbuf; 1271 struct sockaddr_in *sin; 1272 1273 if (m->m_len >= sizeof(*ip)) 1274 ip = mtod(m, struct ip *); 1275 else { 1276 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 1277 ip = &ipbuf; 1278 } 1279 1280 sin = (struct sockaddr_in *)&spidx->src; 1281 bzero(sin, sizeof(*sin)); 1282 sin->sin_family = AF_INET; 1283 sin->sin_len = sizeof(struct sockaddr_in); 1284 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src)); 1285 spidx->prefs = sizeof(struct in_addr) << 3; 1286 1287 sin = (struct sockaddr_in *)&spidx->dst; 1288 bzero(sin, sizeof(*sin)); 1289 sin->sin_family = AF_INET; 1290 sin->sin_len = sizeof(struct sockaddr_in); 1291 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)); 1292 spidx->prefd = sizeof(struct in_addr) << 3; 1293 1294 return 0; 1295} 1296 1297#if INET6 1298static void 1299ipsec6_get_ulp(m, spidx, needport) 1300 struct mbuf *m; 1301 struct secpolicyindex *spidx; 1302 int needport; 1303{ 1304 int off, nxt; 1305 struct tcphdr th; 1306 struct udphdr uh; 1307 1308 /* sanity check */ 1309 if (m == NULL) 1310 panic("ipsec6_get_ulp: NULL pointer was passed.\n"); 1311 1312 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1313 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m)); 1314 1315 /* set default */ 1316 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1317 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; 1318 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; 1319 1320 nxt = -1; 1321 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 1322 if (off < 0 || m->m_pkthdr.len < off) 1323 return; 1324 1325 switch (nxt) { 1326 case IPPROTO_TCP: 1327 spidx->ul_proto = nxt; 1328 if (!needport) 1329 break; 1330 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1331 break; 1332 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1333 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; 1334 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; 1335 break; 1336 case IPPROTO_UDP: 1337 spidx->ul_proto = nxt; 1338 if (!needport) 1339 break; 1340 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1341 break; 1342 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1343 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; 1344 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; 1345 break; 1346 case IPPROTO_ICMPV6: 1347 default: 1348 /* XXX intermediate headers??? */ 1349 spidx->ul_proto = nxt; 1350 break; 1351 } 1352} 1353 1354/* assumes that m is sane */ 1355static int 1356ipsec6_setspidx_ipaddr(m, spidx) 1357 struct mbuf *m; 1358 struct secpolicyindex *spidx; 1359{ 1360 struct ip6_hdr *ip6 = NULL; 1361 struct ip6_hdr ip6buf; 1362 struct sockaddr_in6 *sin6; 1363 1364 if (m->m_len >= sizeof(*ip6)) 1365 ip6 = mtod(m, struct ip6_hdr *); 1366 else { 1367 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); 1368 ip6 = &ip6buf; 1369 } 1370 1371 sin6 = (struct sockaddr_in6 *)&spidx->src; 1372 bzero(sin6, sizeof(*sin6)); 1373 sin6->sin6_family = AF_INET6; 1374 sin6->sin6_len = sizeof(struct sockaddr_in6); 1375 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src)); 1376 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 1377 sin6->sin6_addr.s6_addr16[1] = 0; 1378 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); 1379 } 1380 spidx->prefs = sizeof(struct in6_addr) << 3; 1381 1382 sin6 = (struct sockaddr_in6 *)&spidx->dst; 1383 bzero(sin6, sizeof(*sin6)); 1384 sin6->sin6_family = AF_INET6; 1385 sin6->sin6_len = sizeof(struct sockaddr_in6); 1386 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst)); 1387 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 1388 sin6->sin6_addr.s6_addr16[1] = 0; 1389 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); 1390 } 1391 spidx->prefd = sizeof(struct in6_addr) << 3; 1392 1393 return 0; 1394} 1395#endif 1396 1397static struct inpcbpolicy * 1398ipsec_newpcbpolicy() 1399{ 1400 struct inpcbpolicy *p; 1401 1402 p = (struct inpcbpolicy *)_MALLOC(sizeof(*p), M_SECA, M_WAITOK); 1403 return p; 1404} 1405 1406static void 1407ipsec_delpcbpolicy(p) 1408 struct inpcbpolicy *p; 1409{ 1410 FREE(p, M_SECA); 1411} 1412 1413/* initialize policy in PCB */ 1414int 1415ipsec_init_policy(so, pcb_sp) 1416 struct socket *so; 1417 struct inpcbpolicy **pcb_sp; 1418{ 1419 struct inpcbpolicy *new; 1420 1421 /* sanity check. */ 1422 if (so == NULL || pcb_sp == NULL) 1423 panic("ipsec_init_policy: NULL pointer was passed.\n"); 1424 1425 new = ipsec_newpcbpolicy(); 1426 if (new == NULL) { 1427 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n")); 1428 return ENOBUFS; 1429 } 1430 bzero(new, sizeof(*new)); 1431 1432#ifdef __APPLE__ 1433 if (kauth_cred_issuser(so->so_cred)) 1434#else 1435 if (so->so_cred != 0 && !suser(so->so_cred->pc_ucred, NULL)) 1436#endif 1437 new->priv = 1; 1438 else 1439 new->priv = 0; 1440 1441 if ((new->sp_in = key_newsp()) == NULL) { 1442 ipsec_delpcbpolicy(new); 1443 return ENOBUFS; 1444 } 1445 new->sp_in->state = IPSEC_SPSTATE_ALIVE; 1446 new->sp_in->policy = IPSEC_POLICY_ENTRUST; 1447 1448 if ((new->sp_out = key_newsp()) == NULL) { 1449 key_freesp(new->sp_in, KEY_SADB_UNLOCKED); 1450 ipsec_delpcbpolicy(new); 1451 return ENOBUFS; 1452 } 1453 new->sp_out->state = IPSEC_SPSTATE_ALIVE; 1454 new->sp_out->policy = IPSEC_POLICY_ENTRUST; 1455 1456 *pcb_sp = new; 1457 1458 return 0; 1459} 1460 1461/* copy old ipsec policy into new */ 1462int 1463ipsec_copy_policy(old, new) 1464 struct inpcbpolicy *old, *new; 1465{ 1466 struct secpolicy *sp; 1467 1468 if (ipsec_bypass != 0) 1469 return 0; 1470 1471 sp = ipsec_deepcopy_policy(old->sp_in); 1472 if (sp) { 1473 key_freesp(new->sp_in, KEY_SADB_UNLOCKED); 1474 new->sp_in = sp; 1475 } else 1476 return ENOBUFS; 1477 1478 sp = ipsec_deepcopy_policy(old->sp_out); 1479 if (sp) { 1480 key_freesp(new->sp_out, KEY_SADB_UNLOCKED); 1481 new->sp_out = sp; 1482 } else 1483 return ENOBUFS; 1484 1485 new->priv = old->priv; 1486 1487 return 0; 1488} 1489 1490/* deep-copy a policy in PCB */ 1491static struct secpolicy * 1492ipsec_deepcopy_policy(src) 1493 struct secpolicy *src; 1494{ 1495 struct ipsecrequest *newchain = NULL; 1496 struct ipsecrequest *p; 1497 struct ipsecrequest **q; 1498 struct ipsecrequest *r; 1499 struct secpolicy *dst; 1500 1501 if (src == NULL) 1502 return NULL; 1503 dst = key_newsp(); 1504 if (dst == NULL) 1505 return NULL; 1506 1507 /* 1508 * deep-copy IPsec request chain. This is required since struct 1509 * ipsecrequest is not reference counted. 1510 */ 1511 q = &newchain; 1512 for (p = src->req; p; p = p->next) { 1513 *q = (struct ipsecrequest *)_MALLOC(sizeof(struct ipsecrequest), 1514 M_SECA, M_WAITOK); 1515 if (*q == NULL) 1516 goto fail; 1517 bzero(*q, sizeof(**q)); 1518 (*q)->next = NULL; 1519 1520 (*q)->saidx.proto = p->saidx.proto; 1521 (*q)->saidx.mode = p->saidx.mode; 1522 (*q)->level = p->level; 1523 (*q)->saidx.reqid = p->saidx.reqid; 1524 1525 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src)); 1526 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst)); 1527 1528 (*q)->sp = dst; 1529 1530 q = &((*q)->next); 1531 } 1532 1533 dst->req = newchain; 1534 dst->state = src->state; 1535 dst->policy = src->policy; 1536 /* do not touch the refcnt fields */ 1537 1538 return dst; 1539 1540fail: 1541 for (p = newchain; p; p = r) { 1542 r = p->next; 1543 FREE(p, M_SECA); 1544 p = NULL; 1545 } 1546 key_freesp(dst, KEY_SADB_UNLOCKED); 1547 return NULL; 1548} 1549 1550/* set policy and ipsec request if present. */ 1551static int 1552ipsec_set_policy( 1553 struct secpolicy **pcb_sp, 1554 __unused int optname, 1555 caddr_t request, 1556 size_t len, 1557 int priv) 1558{ 1559 struct sadb_x_policy *xpl; 1560 struct secpolicy *newsp = NULL; 1561 int error; 1562 1563 /* sanity check. */ 1564 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL) 1565 return EINVAL; 1566 if (len < sizeof(*xpl)) 1567 return EINVAL; 1568 xpl = (struct sadb_x_policy *)(void *)request; 1569 1570 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1571 printf("ipsec_set_policy: passed policy\n"); 1572 kdebug_sadb_x_policy((struct sadb_ext *)xpl)); 1573 1574 /* check policy type */ 1575 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ 1576 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD 1577 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) 1578 return EINVAL; 1579 1580 /* check privileged socket */ 1581 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) 1582 return EACCES; 1583 1584 /* allocation new SP entry */ 1585 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) 1586 return error; 1587 1588 newsp->state = IPSEC_SPSTATE_ALIVE; 1589 1590 /* clear old SP and set new SP */ 1591 key_freesp(*pcb_sp, KEY_SADB_UNLOCKED); 1592 *pcb_sp = newsp; 1593 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1594 printf("ipsec_set_policy: new policy\n"); 1595 kdebug_secpolicy(newsp)); 1596 1597 return 0; 1598} 1599 1600static int 1601ipsec_get_policy(pcb_sp, mp) 1602 struct secpolicy *pcb_sp; 1603 struct mbuf **mp; 1604{ 1605 1606 1607 /* sanity check. */ 1608 if (pcb_sp == NULL || mp == NULL) 1609 return EINVAL; 1610 1611 *mp = key_sp2msg(pcb_sp); 1612 if (!*mp) { 1613 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n")); 1614 return ENOBUFS; 1615 } 1616 1617 m_mchtype(*mp, MT_DATA); 1618 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1619 printf("ipsec_get_policy:\n"); 1620 kdebug_mbuf(*mp)); 1621 1622 return 0; 1623} 1624 1625int 1626ipsec4_set_policy(inp, optname, request, len, priv) 1627 struct inpcb *inp; 1628 int optname; 1629 caddr_t request; 1630 size_t len; 1631 int priv; 1632{ 1633 struct sadb_x_policy *xpl; 1634 struct secpolicy **pcb_sp; 1635 int error = 0; 1636 struct sadb_x_policy xpl_aligned_buf; 1637 u_int8_t *xpl_unaligned; 1638 1639 /* sanity check. */ 1640 if (inp == NULL || request == NULL) 1641 return EINVAL; 1642 if (len < sizeof(*xpl)) 1643 return EINVAL; 1644 xpl = (struct sadb_x_policy *)(void *)request; 1645 1646 /* This is a new mbuf allocated by soopt_getm() */ 1647 if (IPSEC_IS_P2ALIGNED(xpl)) { 1648 xpl_unaligned = NULL; 1649 } else { 1650 xpl_unaligned = (__typeof__(xpl_unaligned))xpl; 1651 memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf)); 1652 xpl = (__typeof__(xpl))&xpl_aligned_buf; 1653 } 1654 1655 if (inp->inp_sp == NULL) { 1656 error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp); 1657 if (error) 1658 return error; 1659 } 1660 1661 /* select direction */ 1662 switch (xpl->sadb_x_policy_dir) { 1663 case IPSEC_DIR_INBOUND: 1664 pcb_sp = &inp->inp_sp->sp_in; 1665 break; 1666 case IPSEC_DIR_OUTBOUND: 1667 pcb_sp = &inp->inp_sp->sp_out; 1668 break; 1669 default: 1670 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", 1671 xpl->sadb_x_policy_dir)); 1672 return EINVAL; 1673 } 1674 1675 /* turn bypass off */ 1676 if (ipsec_bypass != 0) 1677 ipsec_bypass = 0; 1678 1679 return ipsec_set_policy(pcb_sp, optname, request, len, priv); 1680} 1681 1682int 1683ipsec4_get_policy(inp, request, len, mp) 1684 struct inpcb *inp; 1685 caddr_t request; 1686 size_t len; 1687 struct mbuf **mp; 1688{ 1689 struct sadb_x_policy *xpl; 1690 struct secpolicy *pcb_sp; 1691 int error = 0; 1692 struct sadb_x_policy xpl_aligned_buf; 1693 u_int8_t *xpl_unaligned; 1694 1695 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 1696 1697 /* sanity check. */ 1698 if (inp == NULL || request == NULL || mp == NULL) 1699 return EINVAL; 1700 if (len < sizeof(*xpl)) 1701 return EINVAL; 1702 xpl = (struct sadb_x_policy *)(void *)request; 1703 1704 /* This is a new mbuf allocated by soopt_getm() */ 1705 if (IPSEC_IS_P2ALIGNED(xpl)) { 1706 xpl_unaligned = NULL; 1707 } else { 1708 xpl_unaligned = (__typeof__(xpl_unaligned))xpl; 1709 memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf)); 1710 xpl = (__typeof__(xpl))&xpl_aligned_buf; 1711 } 1712 1713 if (inp->inp_sp == NULL) { 1714 error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp); 1715 if (error) 1716 return error; 1717 } 1718 1719 /* select direction */ 1720 switch (xpl->sadb_x_policy_dir) { 1721 case IPSEC_DIR_INBOUND: 1722 pcb_sp = inp->inp_sp->sp_in; 1723 break; 1724 case IPSEC_DIR_OUTBOUND: 1725 pcb_sp = inp->inp_sp->sp_out; 1726 break; 1727 default: 1728 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", 1729 xpl->sadb_x_policy_dir)); 1730 return EINVAL; 1731 } 1732 1733 return ipsec_get_policy(pcb_sp, mp); 1734} 1735 1736/* delete policy in PCB */ 1737int 1738ipsec4_delete_pcbpolicy(inp) 1739 struct inpcb *inp; 1740{ 1741 1742 /* sanity check. */ 1743 if (inp == NULL) 1744 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n"); 1745 1746 if (inp->inp_sp == NULL) 1747 return 0; 1748 1749 if (inp->inp_sp->sp_in != NULL) { 1750 key_freesp(inp->inp_sp->sp_in, KEY_SADB_UNLOCKED); 1751 inp->inp_sp->sp_in = NULL; 1752 } 1753 1754 if (inp->inp_sp->sp_out != NULL) { 1755 key_freesp(inp->inp_sp->sp_out, KEY_SADB_UNLOCKED); 1756 inp->inp_sp->sp_out = NULL; 1757 } 1758 1759 ipsec_delpcbpolicy(inp->inp_sp); 1760 inp->inp_sp = NULL; 1761 1762 return 0; 1763} 1764 1765#if INET6 1766int 1767ipsec6_set_policy(in6p, optname, request, len, priv) 1768 struct in6pcb *in6p; 1769 int optname; 1770 caddr_t request; 1771 size_t len; 1772 int priv; 1773{ 1774 struct sadb_x_policy *xpl; 1775 struct secpolicy **pcb_sp; 1776 int error = 0; 1777 struct sadb_x_policy xpl_aligned_buf; 1778 u_int8_t *xpl_unaligned; 1779 1780 /* sanity check. */ 1781 if (in6p == NULL || request == NULL) 1782 return EINVAL; 1783 if (len < sizeof(*xpl)) 1784 return EINVAL; 1785 xpl = (struct sadb_x_policy *)(void *)request; 1786 1787 /* This is a new mbuf allocated by soopt_getm() */ 1788 if (IPSEC_IS_P2ALIGNED(xpl)) { 1789 xpl_unaligned = NULL; 1790 } else { 1791 xpl_unaligned = (__typeof__(xpl_unaligned))xpl; 1792 memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf)); 1793 xpl = (__typeof__(xpl))&xpl_aligned_buf; 1794 } 1795 1796 if (in6p->in6p_sp == NULL) { 1797 error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp); 1798 if (error) 1799 return error; 1800 } 1801 1802 /* select direction */ 1803 switch (xpl->sadb_x_policy_dir) { 1804 case IPSEC_DIR_INBOUND: 1805 pcb_sp = &in6p->in6p_sp->sp_in; 1806 break; 1807 case IPSEC_DIR_OUTBOUND: 1808 pcb_sp = &in6p->in6p_sp->sp_out; 1809 break; 1810 default: 1811 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", 1812 xpl->sadb_x_policy_dir)); 1813 return EINVAL; 1814 } 1815 1816 /* turn bypass off */ 1817 if (ipsec_bypass != 0) 1818 ipsec_bypass = 0; 1819 1820 return ipsec_set_policy(pcb_sp, optname, request, len, priv); 1821} 1822 1823int 1824ipsec6_get_policy(in6p, request, len, mp) 1825 struct in6pcb *in6p; 1826 caddr_t request; 1827 size_t len; 1828 struct mbuf **mp; 1829{ 1830 struct sadb_x_policy *xpl; 1831 struct secpolicy *pcb_sp; 1832 int error = 0; 1833 struct sadb_x_policy xpl_aligned_buf; 1834 u_int8_t *xpl_unaligned; 1835 1836 /* sanity check. */ 1837 if (in6p == NULL || request == NULL || mp == NULL) 1838 return EINVAL; 1839 if (len < sizeof(*xpl)) 1840 return EINVAL; 1841 xpl = (struct sadb_x_policy *)(void *)request; 1842 1843 /* This is a new mbuf allocated by soopt_getm() */ 1844 if (IPSEC_IS_P2ALIGNED(xpl)) { 1845 xpl_unaligned = NULL; 1846 } else { 1847 xpl_unaligned = (__typeof__(xpl_unaligned))xpl; 1848 memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf)); 1849 xpl = (__typeof__(xpl))&xpl_aligned_buf; 1850 } 1851 1852 if (in6p->in6p_sp == NULL) { 1853 error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp); 1854 if (error) 1855 return error; 1856 } 1857 1858 /* select direction */ 1859 switch (xpl->sadb_x_policy_dir) { 1860 case IPSEC_DIR_INBOUND: 1861 pcb_sp = in6p->in6p_sp->sp_in; 1862 break; 1863 case IPSEC_DIR_OUTBOUND: 1864 pcb_sp = in6p->in6p_sp->sp_out; 1865 break; 1866 default: 1867 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", 1868 xpl->sadb_x_policy_dir)); 1869 return EINVAL; 1870 } 1871 1872 return ipsec_get_policy(pcb_sp, mp); 1873} 1874 1875int 1876ipsec6_delete_pcbpolicy(in6p) 1877 struct in6pcb *in6p; 1878{ 1879 1880 /* sanity check. */ 1881 if (in6p == NULL) 1882 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n"); 1883 1884 if (in6p->in6p_sp == NULL) 1885 return 0; 1886 1887 if (in6p->in6p_sp->sp_in != NULL) { 1888 key_freesp(in6p->in6p_sp->sp_in, KEY_SADB_UNLOCKED); 1889 in6p->in6p_sp->sp_in = NULL; 1890 } 1891 1892 if (in6p->in6p_sp->sp_out != NULL) { 1893 key_freesp(in6p->in6p_sp->sp_out, KEY_SADB_UNLOCKED); 1894 in6p->in6p_sp->sp_out = NULL; 1895 } 1896 1897 ipsec_delpcbpolicy(in6p->in6p_sp); 1898 in6p->in6p_sp = NULL; 1899 1900 return 0; 1901} 1902#endif 1903 1904/* 1905 * return current level. 1906 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 1907 */ 1908u_int 1909ipsec_get_reqlevel(isr) 1910 struct ipsecrequest *isr; 1911{ 1912 u_int level = 0; 1913 u_int esp_trans_deflev = 0, esp_net_deflev = 0, ah_trans_deflev = 0, ah_net_deflev = 0; 1914 1915 /* sanity check */ 1916 if (isr == NULL || isr->sp == NULL) 1917 panic("ipsec_get_reqlevel: NULL pointer is passed.\n"); 1918 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family 1919 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family) 1920 panic("ipsec_get_reqlevel: family mismatched.\n"); 1921 1922/* XXX note that we have ipseclog() expanded here - code sync issue */ 1923#define IPSEC_CHECK_DEFAULT(lev) \ 1924 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \ 1925 && (lev) != IPSEC_LEVEL_UNIQUE) \ 1926 ? (ipsec_debug \ 1927 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\ 1928 (lev), IPSEC_LEVEL_REQUIRE) \ 1929 : (void)0), \ 1930 (lev) = IPSEC_LEVEL_REQUIRE, \ 1931 (lev) \ 1932 : (lev)) 1933 1934 /* set default level */ 1935 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) { 1936#if INET 1937 case AF_INET: 1938 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev); 1939 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev); 1940 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev); 1941 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev); 1942 break; 1943#endif 1944#if INET6 1945 case AF_INET6: 1946 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev); 1947 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev); 1948 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev); 1949 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev); 1950 break; 1951#endif /* INET6 */ 1952 default: 1953 panic("key_get_reqlevel: Unknown family. %d\n", 1954 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family); 1955 } 1956 1957#undef IPSEC_CHECK_DEFAULT 1958 1959 /* set level */ 1960 switch (isr->level) { 1961 case IPSEC_LEVEL_DEFAULT: 1962 switch (isr->saidx.proto) { 1963 case IPPROTO_ESP: 1964 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1965 level = esp_net_deflev; 1966 else 1967 level = esp_trans_deflev; 1968 break; 1969 case IPPROTO_AH: 1970 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1971 level = ah_net_deflev; 1972 else 1973 level = ah_trans_deflev; 1974 break; 1975 case IPPROTO_IPCOMP: 1976 /* 1977 * we don't really care, as IPcomp document says that 1978 * we shouldn't compress small packets 1979 */ 1980 level = IPSEC_LEVEL_USE; 1981 break; 1982 default: 1983 panic("ipsec_get_reqlevel: " 1984 "Illegal protocol defined %u\n", 1985 isr->saidx.proto); 1986 } 1987 break; 1988 1989 case IPSEC_LEVEL_USE: 1990 case IPSEC_LEVEL_REQUIRE: 1991 level = isr->level; 1992 break; 1993 case IPSEC_LEVEL_UNIQUE: 1994 level = IPSEC_LEVEL_REQUIRE; 1995 break; 1996 1997 default: 1998 panic("ipsec_get_reqlevel: Illegal IPsec level %u\n", 1999 isr->level); 2000 } 2001 2002 return level; 2003} 2004 2005/* 2006 * Check AH/ESP integrity. 2007 * OUT: 2008 * 0: valid 2009 * 1: invalid 2010 */ 2011static int 2012ipsec_in_reject(sp, m) 2013 struct secpolicy *sp; 2014 struct mbuf *m; 2015{ 2016 struct ipsecrequest *isr; 2017 u_int level; 2018 int need_auth, need_conf, need_icv; 2019 2020 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2021 printf("ipsec_in_reject: using SP\n"); 2022 kdebug_secpolicy(sp)); 2023 2024 /* check policy */ 2025 switch (sp->policy) { 2026 case IPSEC_POLICY_DISCARD: 2027 case IPSEC_POLICY_GENERATE: 2028 return 1; 2029 case IPSEC_POLICY_BYPASS: 2030 case IPSEC_POLICY_NONE: 2031 return 0; 2032 2033 case IPSEC_POLICY_IPSEC: 2034 break; 2035 2036 case IPSEC_POLICY_ENTRUST: 2037 default: 2038 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy); 2039 } 2040 2041 need_auth = 0; 2042 need_conf = 0; 2043 need_icv = 0; 2044 2045 /* XXX should compare policy against ipsec header history */ 2046 2047 for (isr = sp->req; isr != NULL; isr = isr->next) { 2048 2049 /* get current level */ 2050 level = ipsec_get_reqlevel(isr); 2051 2052 switch (isr->saidx.proto) { 2053 case IPPROTO_ESP: 2054 if (level == IPSEC_LEVEL_REQUIRE) { 2055 need_conf++; 2056 2057#if 0 2058 /* this won't work with multiple input threads - isr->sav would change 2059 * with every packet and is not necessarily related to the current packet 2060 * being processed. If ESP processing is required - the esp code should 2061 * make sure that the integrity check is present and correct. I don't see 2062 * why it would be necessary to check for the presence of the integrity 2063 * check value here. I think this is just wrong. 2064 * isr->sav has been removed. 2065 * %%%%%% this needs to be re-worked at some point but I think the code below can 2066 * be ignored for now. 2067 */ 2068 if (isr->sav != NULL 2069 && isr->sav->flags == SADB_X_EXT_NONE 2070 && isr->sav->alg_auth != SADB_AALG_NONE) 2071 need_icv++; 2072#endif 2073 } 2074 break; 2075 case IPPROTO_AH: 2076 if (level == IPSEC_LEVEL_REQUIRE) { 2077 need_auth++; 2078 need_icv++; 2079 } 2080 break; 2081 case IPPROTO_IPCOMP: 2082 /* 2083 * we don't really care, as IPcomp document says that 2084 * we shouldn't compress small packets, IPComp policy 2085 * should always be treated as being in "use" level. 2086 */ 2087 break; 2088 } 2089 } 2090 2091 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 2092 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n", 2093 need_auth, need_conf, need_icv, m->m_flags)); 2094 2095 if ((need_conf && !(m->m_flags & M_DECRYPTED)) 2096 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM)) 2097 || (need_auth && !(m->m_flags & M_AUTHIPHDR))) 2098 return 1; 2099 2100 return 0; 2101} 2102 2103/* 2104 * Check AH/ESP integrity. 2105 * This function is called from tcp_input(), udp_input(), 2106 * and {ah,esp}4_input for tunnel mode 2107 */ 2108int 2109ipsec4_in_reject_so(m, so) 2110 struct mbuf *m; 2111 struct socket *so; 2112{ 2113 struct secpolicy *sp = NULL; 2114 int error; 2115 int result; 2116 2117 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2118 /* sanity check */ 2119 if (m == NULL) 2120 return 0; /* XXX should be panic ? */ 2121 2122 /* get SP for this packet. 2123 * When we are called from ip_forward(), we call 2124 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 2125 */ 2126 if (so == NULL) 2127 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 2128 else 2129 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error); 2130 2131 if (sp == NULL) 2132 return 0; /* XXX should be panic ? 2133 * -> No, there may be error. */ 2134 2135 result = ipsec_in_reject(sp, m); 2136 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2137 printf("DP ipsec4_in_reject_so call free SP:0x%llx\n", 2138 (uint64_t)VM_KERNEL_ADDRPERM(sp))); 2139 key_freesp(sp, KEY_SADB_UNLOCKED); 2140 2141 return result; 2142} 2143 2144int 2145ipsec4_in_reject(m, inp) 2146 struct mbuf *m; 2147 struct inpcb *inp; 2148{ 2149 2150 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2151 if (inp == NULL) 2152 return ipsec4_in_reject_so(m, NULL); 2153 if (inp->inp_socket) 2154 return ipsec4_in_reject_so(m, inp->inp_socket); 2155 else 2156 panic("ipsec4_in_reject: invalid inpcb/socket"); 2157 2158 /* NOTREACHED */ 2159 return 0; 2160} 2161 2162#if INET6 2163/* 2164 * Check AH/ESP integrity. 2165 * This function is called from tcp6_input(), udp6_input(), 2166 * and {ah,esp}6_input for tunnel mode 2167 */ 2168int 2169ipsec6_in_reject_so(m, so) 2170 struct mbuf *m; 2171 struct socket *so; 2172{ 2173 struct secpolicy *sp = NULL; 2174 int error; 2175 int result; 2176 2177 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2178 /* sanity check */ 2179 if (m == NULL) 2180 return 0; /* XXX should be panic ? */ 2181 2182 /* get SP for this packet. 2183 * When we are called from ip_forward(), we call 2184 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. 2185 */ 2186 if (so == NULL) 2187 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 2188 else 2189 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error); 2190 2191 if (sp == NULL) 2192 return 0; /* XXX should be panic ? */ 2193 2194 result = ipsec_in_reject(sp, m); 2195 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2196 printf("DP ipsec6_in_reject_so call free SP:0x%llx\n", 2197 (uint64_t)VM_KERNEL_ADDRPERM(sp))); 2198 key_freesp(sp, KEY_SADB_UNLOCKED); 2199 2200 return result; 2201} 2202 2203int 2204ipsec6_in_reject(m, in6p) 2205 struct mbuf *m; 2206 struct in6pcb *in6p; 2207{ 2208 2209 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2210 if (in6p == NULL) 2211 return ipsec6_in_reject_so(m, NULL); 2212 if (in6p->in6p_socket) 2213 return ipsec6_in_reject_so(m, in6p->in6p_socket); 2214 else 2215 panic("ipsec6_in_reject: invalid in6p/socket"); 2216 2217 /* NOTREACHED */ 2218 return 0; 2219} 2220#endif 2221 2222/* 2223 * compute the byte size to be occupied by IPsec header. 2224 * in case it is tunneled, it includes the size of outer IP header. 2225 * NOTE: SP passed is free in this function. 2226 */ 2227size_t 2228ipsec_hdrsiz(sp) 2229 struct secpolicy *sp; 2230{ 2231 struct ipsecrequest *isr; 2232 size_t siz, clen; 2233 2234 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2235 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2236 printf("ipsec_hdrsiz: using SP\n"); 2237 kdebug_secpolicy(sp)); 2238 2239 /* check policy */ 2240 switch (sp->policy) { 2241 case IPSEC_POLICY_DISCARD: 2242 case IPSEC_POLICY_GENERATE: 2243 case IPSEC_POLICY_BYPASS: 2244 case IPSEC_POLICY_NONE: 2245 return 0; 2246 2247 case IPSEC_POLICY_IPSEC: 2248 break; 2249 2250 case IPSEC_POLICY_ENTRUST: 2251 default: 2252 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy); 2253 } 2254 2255 siz = 0; 2256 2257 for (isr = sp->req; isr != NULL; isr = isr->next) { 2258 2259 clen = 0; 2260 2261 switch (isr->saidx.proto) { 2262 case IPPROTO_ESP: 2263#if IPSEC_ESP 2264 clen = esp_hdrsiz(isr); 2265#else 2266 clen = 0; /*XXX*/ 2267#endif 2268 break; 2269 case IPPROTO_AH: 2270 clen = ah_hdrsiz(isr); 2271 break; 2272 case IPPROTO_IPCOMP: 2273 clen = sizeof(struct ipcomp); 2274 break; 2275 } 2276 2277 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2278 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) { 2279 case AF_INET: 2280 clen += sizeof(struct ip); 2281 break; 2282#if INET6 2283 case AF_INET6: 2284 clen += sizeof(struct ip6_hdr); 2285 break; 2286#endif 2287 default: 2288 ipseclog((LOG_ERR, "ipsec_hdrsiz: " 2289 "unknown AF %d in IPsec tunnel SA\n", 2290 ((struct sockaddr *)&isr->saidx.dst)->sa_family)); 2291 break; 2292 } 2293 } 2294 siz += clen; 2295 } 2296 2297 return siz; 2298} 2299 2300/* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ 2301size_t 2302ipsec4_hdrsiz(m, dir, inp) 2303 struct mbuf *m; 2304 u_int dir; 2305 struct inpcb *inp; 2306{ 2307 struct secpolicy *sp = NULL; 2308 int error; 2309 size_t size; 2310 2311 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2312 /* sanity check */ 2313 if (m == NULL) 2314 return 0; /* XXX should be panic ? */ 2315 if (inp != NULL && inp->inp_socket == NULL) 2316 panic("ipsec4_hdrsize: why is socket NULL but there is PCB."); 2317 2318 /* get SP for this packet. 2319 * When we are called from ip_forward(), we call 2320 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 2321 */ 2322 if (inp == NULL) 2323 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2324 else 2325 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error); 2326 2327 if (sp == NULL) 2328 return 0; /* XXX should be panic ? */ 2329 2330 size = ipsec_hdrsiz(sp); 2331 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2332 printf("DP ipsec4_hdrsiz call free SP:0x%llx\n", 2333 (uint64_t)VM_KERNEL_ADDRPERM(sp))); 2334 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2335 printf("ipsec4_hdrsiz: size:%lu.\n", (u_int32_t)size)); 2336 key_freesp(sp, KEY_SADB_UNLOCKED); 2337 2338 return size; 2339} 2340 2341#if INET6 2342/* This function is called from ipsec6_hdrsize_tcp(), 2343 * and maybe from ip6_forward.() 2344 */ 2345size_t 2346ipsec6_hdrsiz(m, dir, in6p) 2347 struct mbuf *m; 2348 u_int dir; 2349 struct in6pcb *in6p; 2350{ 2351 struct secpolicy *sp = NULL; 2352 int error; 2353 size_t size; 2354 2355 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2356 /* sanity check */ 2357 if (m == NULL) 2358 return 0; /* XXX shoud be panic ? */ 2359 if (in6p != NULL && in6p->in6p_socket == NULL) 2360 panic("ipsec6_hdrsize: why is socket NULL but there is PCB."); 2361 2362 /* get SP for this packet */ 2363 /* XXX Is it right to call with IP_FORWARDING. */ 2364 if (in6p == NULL) 2365 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2366 else 2367 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error); 2368 2369 if (sp == NULL) 2370 return 0; 2371 size = ipsec_hdrsiz(sp); 2372 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2373 printf("DP ipsec6_hdrsiz call free SP:0x%llx\n", 2374 (uint64_t)VM_KERNEL_ADDRPERM(sp))); 2375 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2376 printf("ipsec6_hdrsiz: size:%lu.\n", (u_int32_t)size)); 2377 key_freesp(sp, KEY_SADB_UNLOCKED); 2378 2379 return size; 2380} 2381#endif /*INET6*/ 2382 2383#if INET 2384/* 2385 * encapsulate for ipsec tunnel. 2386 * ip->ip_src must be fixed later on. 2387 */ 2388int 2389ipsec4_encapsulate(m, sav) 2390 struct mbuf *m; 2391 struct secasvar *sav; 2392{ 2393 struct ip *oip; 2394 struct ip *ip; 2395 size_t hlen; 2396 size_t plen; 2397 2398 /* can't tunnel between different AFs */ 2399 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2400 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2401 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2402 m_freem(m); 2403 return EINVAL; 2404 } 2405#if 0 2406 /* XXX if the dst is myself, perform nothing. */ 2407 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2408 m_freem(m); 2409 return EINVAL; 2410 } 2411#endif 2412 2413 if (m->m_len < sizeof(*ip)) 2414 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2415 2416 ip = mtod(m, struct ip *); 2417#ifdef _IP_VHL 2418 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 2419#else 2420 hlen = ip->ip_hl << 2; 2421#endif 2422 2423 if (m->m_len != hlen) 2424 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2425 2426 /* generate header checksum */ 2427 ip->ip_sum = 0; 2428#ifdef _IP_VHL 2429 ip->ip_sum = in_cksum(m, hlen); 2430#else 2431 ip->ip_sum = in_cksum(m, hlen); 2432#endif 2433 2434 plen = m->m_pkthdr.len; 2435 2436 /* 2437 * grow the mbuf to accomodate the new IPv4 header. 2438 * NOTE: IPv4 options will never be copied. 2439 */ 2440 if (M_LEADINGSPACE(m->m_next) < hlen) { 2441 struct mbuf *n; 2442 MGET(n, M_DONTWAIT, MT_DATA); 2443 if (!n) { 2444 m_freem(m); 2445 return ENOBUFS; 2446 } 2447 n->m_len = hlen; 2448 n->m_next = m->m_next; 2449 m->m_next = n; 2450 m->m_pkthdr.len += hlen; 2451 oip = mtod(n, struct ip *); 2452 } else { 2453 m->m_next->m_len += hlen; 2454 m->m_next->m_data -= hlen; 2455 m->m_pkthdr.len += hlen; 2456 oip = mtod(m->m_next, struct ip *); 2457 } 2458 ip = mtod(m, struct ip *); 2459 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen); 2460 m->m_len = sizeof(struct ip); 2461 m->m_pkthdr.len -= (hlen - sizeof(struct ip)); 2462 2463 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2464 /* ECN consideration. */ 2465 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2466#ifdef _IP_VHL 2467 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2); 2468#else 2469 ip->ip_hl = sizeof(struct ip) >> 2; 2470#endif 2471 ip->ip_off &= htons(~IP_OFFMASK); 2472 ip->ip_off &= htons(~IP_MF); 2473 switch (ip4_ipsec_dfbit) { 2474 case 0: /* clear DF bit */ 2475 ip->ip_off &= htons(~IP_DF); 2476 break; 2477 case 1: /* set DF bit */ 2478 ip->ip_off |= htons(IP_DF); 2479 break; 2480 default: /* copy DF bit */ 2481 break; 2482 } 2483 ip->ip_p = IPPROTO_IPIP; 2484 if (plen + sizeof(struct ip) < IP_MAXPACKET) 2485 ip->ip_len = htons(plen + sizeof(struct ip)); 2486 else { 2487 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2488 "leave ip_len as is (invalid packet)\n")); 2489 } 2490 ip->ip_id = ip_randomid(); 2491 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2492 &ip->ip_src, sizeof(ip->ip_src)); 2493 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2494 &ip->ip_dst, sizeof(ip->ip_dst)); 2495 ip->ip_ttl = IPDEFTTL; 2496 2497 /* XXX Should ip_src be updated later ? */ 2498 2499 return 0; 2500} 2501 2502/* 2503 * encapsulate for ipsec tunnel. 2504 * ip->ip_src must be fixed later on. 2505 */ 2506int 2507ipsec4_encapsulate_utun_esp_keepalive(m_ptr, sav) 2508 struct mbuf **m_ptr; 2509 struct secasvar *sav; 2510{ 2511 struct ip *ip; 2512 size_t plen; 2513 struct mbuf *m = *m_ptr; 2514 2515 /* can't tunnel between different AFs */ 2516 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2517 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2518 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2519 m_freem(m); 2520 *m_ptr = NULL; 2521 return EINVAL; 2522 } 2523 2524 plen = m->m_pkthdr.len; 2525 2526 /* 2527 * grow the mbuf to accomodate the new IPv4 header. 2528 * NOTE: IPv4 options will never be copied. 2529 */ 2530 { 2531 struct mbuf *n; 2532 MGETHDR(n, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 2533 if (!n) { 2534 m_freem(m); 2535 *m_ptr = NULL; 2536 return ENOBUFS; 2537 } 2538 if (m->m_flags & M_PKTHDR) { 2539 M_COPY_PKTHDR(n, m); 2540 m->m_flags &= ~M_PKTHDR; 2541 } 2542 MH_ALIGN(n, sizeof(*ip)); 2543 n->m_len = sizeof(*ip); 2544 n->m_next = m; 2545 n->m_pkthdr.len = (plen + n->m_len); 2546 m_fixhdr(m); 2547 m = n; 2548 *m_ptr = m; 2549 plen = m->m_pkthdr.len; 2550 } 2551 ip = mtod(m, __typeof__(ip)); 2552 2553 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2554 // ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2555#ifdef _IP_VHL 2556 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(*ip) >> 2); 2557#else 2558 ip->ip_hl = sizeof(*ip) >> 2; 2559#endif 2560 ip->ip_off &= htons(~IP_OFFMASK); 2561 ip->ip_off &= htons(~IP_MF); 2562 switch (ip4_ipsec_dfbit) { 2563 case 0: /* clear DF bit */ 2564 ip->ip_off &= htons(~IP_DF); 2565 break; 2566 case 1: /* set DF bit */ 2567 ip->ip_off |= htons(IP_DF); 2568 break; 2569 default: /* copy DF bit */ 2570 break; 2571 } 2572 ip->ip_p = IPPROTO_IPIP; 2573 if (plen < IP_MAXPACKET) 2574 ip->ip_len = htons(plen); 2575 else { 2576 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2577 "leave ip_len as is (invalid packet)\n")); 2578 } 2579 ip->ip_id = ip_randomid(); 2580 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2581 &ip->ip_src, sizeof(ip->ip_src)); 2582 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2583 &ip->ip_dst, sizeof(ip->ip_dst)); 2584 ip->ip_ttl = IPDEFTTL; 2585 2586 /* XXX Should ip_src be updated later ? */ 2587 2588 return 0; 2589} 2590#endif /*INET*/ 2591 2592#if INET6 2593int 2594ipsec6_encapsulate(m, sav) 2595 struct mbuf *m; 2596 struct secasvar *sav; 2597{ 2598 struct ip6_hdr *oip6; 2599 struct ip6_hdr *ip6; 2600 size_t plen; 2601 2602 /* can't tunnel between different AFs */ 2603 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2604 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2605 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { 2606 m_freem(m); 2607 return EINVAL; 2608 } 2609#if 0 2610 /* XXX if the dst is myself, perform nothing. */ 2611 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2612 m_freem(m); 2613 return EINVAL; 2614 } 2615#endif 2616 2617 plen = m->m_pkthdr.len; 2618 2619 /* 2620 * grow the mbuf to accomodate the new IPv6 header. 2621 */ 2622 if (m->m_len != sizeof(struct ip6_hdr)) 2623 panic("ipsec6_encapsulate: assumption failed (first mbuf length)"); 2624 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { 2625 struct mbuf *n; 2626 MGET(n, M_DONTWAIT, MT_DATA); 2627 if (!n) { 2628 m_freem(m); 2629 return ENOBUFS; 2630 } 2631 n->m_len = sizeof(struct ip6_hdr); 2632 n->m_next = m->m_next; 2633 m->m_next = n; 2634 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2635 oip6 = mtod(n, struct ip6_hdr *); 2636 } else { 2637 m->m_next->m_len += sizeof(struct ip6_hdr); 2638 m->m_next->m_data -= sizeof(struct ip6_hdr); 2639 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2640 oip6 = mtod(m->m_next, struct ip6_hdr *); 2641 } 2642 ip6 = mtod(m, struct ip6_hdr *); 2643 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr)); 2644 2645 /* Fake link-local scope-class addresses */ 2646 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src)) 2647 oip6->ip6_src.s6_addr16[1] = 0; 2648 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst)) 2649 oip6->ip6_dst.s6_addr16[1] = 0; 2650 2651 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ 2652 /* ECN consideration. */ 2653 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow); 2654 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) 2655 ip6->ip6_plen = htons(plen); 2656 else { 2657 /* ip6->ip6_plen will be updated in ip6_output() */ 2658 } 2659 ip6->ip6_nxt = IPPROTO_IPV6; 2660 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr, 2661 &ip6->ip6_src, sizeof(ip6->ip6_src)); 2662 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr, 2663 &ip6->ip6_dst, sizeof(ip6->ip6_dst)); 2664 ip6->ip6_hlim = IPV6_DEFHLIM; 2665 2666 /* XXX Should ip6_src be updated later ? */ 2667 2668 return 0; 2669} 2670 2671static int 2672ipsec64_encapsulate(m, sav) 2673 struct mbuf *m; 2674 struct secasvar *sav; 2675{ 2676 struct ip6_hdr *ip6, *ip6i; 2677 struct ip *ip; 2678 size_t plen; 2679 u_int8_t hlim; 2680 2681 /* tunneling over IPv4 */ 2682 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2683 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2684 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2685 m_freem(m); 2686 return EINVAL; 2687 } 2688#if 0 2689 /* XXX if the dst is myself, perform nothing. */ 2690 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2691 m_freem(m); 2692 return EINVAL; 2693 } 2694#endif 2695 2696 plen = m->m_pkthdr.len; 2697 ip6 = mtod(m, struct ip6_hdr *); 2698 hlim = ip6->ip6_hlim; 2699 /* 2700 * grow the mbuf to accomodate the new IPv4 header. 2701 */ 2702 if (m->m_len != sizeof(struct ip6_hdr)) 2703 panic("ipsec6_encapsulate: assumption failed (first mbuf length)"); 2704 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { 2705 struct mbuf *n; 2706 MGET(n, M_DONTWAIT, MT_DATA); 2707 if (!n) { 2708 m_freem(m); 2709 return ENOBUFS; 2710 } 2711 n->m_len = sizeof(struct ip6_hdr); 2712 n->m_next = m->m_next; 2713 m->m_next = n; 2714 m->m_pkthdr.len += sizeof(struct ip); 2715 ip6i = mtod(n, struct ip6_hdr *); 2716 } else { 2717 m->m_next->m_len += sizeof(struct ip6_hdr); 2718 m->m_next->m_data -= sizeof(struct ip6_hdr); 2719 m->m_pkthdr.len += sizeof(struct ip); 2720 ip6i = mtod(m->m_next, struct ip6_hdr *); 2721 } 2722 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2723 /* ECN consideration. */ 2724 /* XXX To be fixed later if needed */ 2725 // ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2726 2727 bcopy(ip6, ip6i, sizeof(struct ip6_hdr)); 2728 ip = mtod(m, struct ip *); 2729 m->m_len = sizeof(struct ip); 2730 /* 2731 * Fill in some of the IPv4 fields - we don't need all of them 2732 * because the rest will be filled in by ip_output 2733 */ 2734 ip->ip_v = IPVERSION; 2735 ip->ip_hl = sizeof(struct ip) >> 2; 2736 ip->ip_id = 0; 2737 ip->ip_sum = 0; 2738 ip->ip_tos = 0; 2739 ip->ip_off = 0; 2740 ip->ip_ttl = hlim; 2741 ip->ip_p = IPPROTO_IPV6; 2742 if (plen + sizeof(struct ip) < IP_MAXPACKET) 2743 ip->ip_len = htons(plen + sizeof(struct ip)); 2744 else { 2745 ip->ip_len = htons(plen); 2746 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2747 "leave ip_len as is (invalid packet)\n")); 2748 } 2749 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2750 &ip->ip_src, sizeof(ip->ip_src)); 2751 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2752 &ip->ip_dst, sizeof(ip->ip_dst)); 2753 2754 return 0; 2755} 2756 2757int 2758ipsec6_encapsulate_utun_esp_keepalive(m_ptr, sav) 2759 struct mbuf **m_ptr; 2760 struct secasvar *sav; 2761{ 2762 struct ip6_hdr *ip6; 2763 size_t plen; 2764 struct mbuf *m = *m_ptr; 2765 2766 /* can't tunnel between different AFs */ 2767 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2768 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2769 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { 2770 m_freem(m); 2771 *m_ptr = NULL; 2772 return EINVAL; 2773 } 2774 2775 plen = m->m_pkthdr.len; 2776 2777 /* 2778 * grow the mbuf to accomodate the new IPv6 header. 2779 */ 2780 { 2781 struct mbuf *n; 2782 MGETHDR(n, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 2783 if (!n) { 2784 m_freem(m); 2785 *m_ptr = NULL; 2786 return ENOBUFS; 2787 } 2788 if (m->m_flags & M_PKTHDR) { 2789 M_COPY_PKTHDR(n, m); 2790 m->m_flags &= ~M_PKTHDR; 2791 } 2792 MH_ALIGN(n, sizeof(*ip6)); 2793 n->m_len = sizeof(*ip6); 2794 n->m_next = m; 2795 n->m_pkthdr.len = (plen + n->m_len); 2796 m_fixhdr(m); 2797 m = n; 2798 *m_ptr = m; 2799 plen = m->m_pkthdr.len; 2800 } 2801 ip6 = mtod(m, __typeof__(ip6)); 2802 2803 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ 2804 if (plen < IPV6_MAXPACKET) 2805 ip6->ip6_plen = htons(plen); 2806 else { 2807 /* ip6->ip6_plen will be updated in ip6_output() */ 2808 } 2809 ip6->ip6_nxt = IPPROTO_IPV6; 2810 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr, 2811 &ip6->ip6_src, sizeof(ip6->ip6_src)); 2812 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr, 2813 &ip6->ip6_dst, sizeof(ip6->ip6_dst)); 2814 ip6->ip6_hlim = IPV6_DEFHLIM; 2815 2816 /* XXX Should ip6_src be updated later ? */ 2817 2818 return 0; 2819} 2820#endif /*INET6*/ 2821 2822/* 2823 * Check the variable replay window. 2824 * ipsec_chkreplay() performs replay check before ICV verification. 2825 * ipsec_updatereplay() updates replay bitmap. This must be called after 2826 * ICV verification (it also performs replay check, which is usually done 2827 * beforehand). 2828 * 0 (zero) is returned if packet disallowed, 1 if packet permitted. 2829 * 2830 * based on RFC 2401. 2831 */ 2832int 2833ipsec_chkreplay(seq, sav) 2834 u_int32_t seq; 2835 struct secasvar *sav; 2836{ 2837 const struct secreplay *replay; 2838 u_int32_t diff; 2839 int fr; 2840 u_int32_t wsizeb; /* constant: bits of window size */ 2841 int frlast; /* constant: last frame */ 2842 2843 2844 /* sanity check */ 2845 if (sav == NULL) 2846 panic("ipsec_chkreplay: NULL pointer was passed.\n"); 2847 2848 lck_mtx_lock(sadb_mutex); 2849 replay = sav->replay; 2850 2851 if (replay->wsize == 0) { 2852 lck_mtx_unlock(sadb_mutex); 2853 return 1; /* no need to check replay. */ 2854 } 2855 2856 /* constant */ 2857 frlast = replay->wsize - 1; 2858 wsizeb = replay->wsize << 3; 2859 2860 /* sequence number of 0 is invalid */ 2861 if (seq == 0) { 2862 lck_mtx_unlock(sadb_mutex); 2863 return 0; 2864 } 2865 2866 /* first time is always okay */ 2867 if (replay->count == 0) { 2868 lck_mtx_unlock(sadb_mutex); 2869 return 1; 2870 } 2871 2872 if (seq > replay->lastseq) { 2873 /* larger sequences are okay */ 2874 lck_mtx_unlock(sadb_mutex); 2875 return 1; 2876 } else { 2877 /* seq is equal or less than lastseq. */ 2878 diff = replay->lastseq - seq; 2879 2880 /* over range to check, i.e. too old or wrapped */ 2881 if (diff >= wsizeb) { 2882 lck_mtx_unlock(sadb_mutex); 2883 return 0; 2884 } 2885 2886 fr = frlast - diff / 8; 2887 2888 /* this packet already seen ? */ 2889 if ((replay->bitmap)[fr] & (1 << (diff % 8))) { 2890 lck_mtx_unlock(sadb_mutex); 2891 return 0; 2892 } 2893 2894 /* out of order but good */ 2895 lck_mtx_unlock(sadb_mutex); 2896 return 1; 2897 } 2898} 2899 2900/* 2901 * check replay counter whether to update or not. 2902 * OUT: 0: OK 2903 * 1: NG 2904 */ 2905int 2906ipsec_updatereplay(seq, sav) 2907 u_int32_t seq; 2908 struct secasvar *sav; 2909{ 2910 struct secreplay *replay; 2911 u_int32_t diff; 2912 int fr; 2913 u_int32_t wsizeb; /* constant: bits of window size */ 2914 int frlast; /* constant: last frame */ 2915 2916 /* sanity check */ 2917 if (sav == NULL) 2918 panic("ipsec_chkreplay: NULL pointer was passed.\n"); 2919 2920 lck_mtx_lock(sadb_mutex); 2921 replay = sav->replay; 2922 2923 if (replay->wsize == 0) 2924 goto ok; /* no need to check replay. */ 2925 2926 /* constant */ 2927 frlast = replay->wsize - 1; 2928 wsizeb = replay->wsize << 3; 2929 2930 /* sequence number of 0 is invalid */ 2931 if (seq == 0) 2932 return 1; 2933 2934 /* first time */ 2935 if (replay->count == 0) { 2936 replay->lastseq = seq; 2937 bzero(replay->bitmap, replay->wsize); 2938 (replay->bitmap)[frlast] = 1; 2939 goto ok; 2940 } 2941 2942 if (seq > replay->lastseq) { 2943 /* seq is larger than lastseq. */ 2944 diff = seq - replay->lastseq; 2945 2946 /* new larger sequence number */ 2947 if (diff < wsizeb) { 2948 /* In window */ 2949 /* set bit for this packet */ 2950 vshiftl((unsigned char *) replay->bitmap, diff, replay->wsize); 2951 (replay->bitmap)[frlast] |= 1; 2952 } else { 2953 /* this packet has a "way larger" */ 2954 bzero(replay->bitmap, replay->wsize); 2955 (replay->bitmap)[frlast] = 1; 2956 } 2957 replay->lastseq = seq; 2958 2959 /* larger is good */ 2960 } else { 2961 /* seq is equal or less than lastseq. */ 2962 diff = replay->lastseq - seq; 2963 2964 /* over range to check, i.e. too old or wrapped */ 2965 if (diff >= wsizeb) { 2966 lck_mtx_unlock(sadb_mutex); 2967 return 1; 2968 } 2969 2970 fr = frlast - diff / 8; 2971 2972 /* this packet already seen ? */ 2973 if ((replay->bitmap)[fr] & (1 << (diff % 8))) { 2974 lck_mtx_unlock(sadb_mutex); 2975 return 1; 2976 } 2977 2978 /* mark as seen */ 2979 (replay->bitmap)[fr] |= (1 << (diff % 8)); 2980 2981 /* out of order but good */ 2982 } 2983 2984ok: 2985 if (replay->count == ~0) { 2986 2987 /* set overflow flag */ 2988 replay->overflow++; 2989 2990 /* don't increment, no more packets accepted */ 2991 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) { 2992 lck_mtx_unlock(sadb_mutex); 2993 return 1; 2994 } 2995 2996 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n", 2997 replay->overflow, ipsec_logsastr(sav))); 2998 } 2999 3000 replay->count++; 3001 3002 lck_mtx_unlock(sadb_mutex); 3003 return 0; 3004} 3005 3006/* 3007 * shift variable length buffer to left. 3008 * IN: bitmap: pointer to the buffer 3009 * nbit: the number of to shift. 3010 * wsize: buffer size (bytes). 3011 */ 3012static void 3013vshiftl(bitmap, nbit, wsize) 3014 unsigned char *bitmap; 3015 int nbit, wsize; 3016{ 3017 int s, j, i; 3018 unsigned char over; 3019 3020 for (j = 0; j < nbit; j += 8) { 3021 s = (nbit - j < 8) ? (nbit - j): 8; 3022 bitmap[0] <<= s; 3023 for (i = 1; i < wsize; i++) { 3024 over = (bitmap[i] >> (8 - s)); 3025 bitmap[i] <<= s; 3026 bitmap[i-1] |= over; 3027 } 3028 } 3029 3030 return; 3031} 3032 3033const char * 3034ipsec4_logpacketstr(ip, spi) 3035 struct ip *ip; 3036 u_int32_t spi; 3037{ 3038 static char buf[256] __attribute__((aligned(4))); 3039 char *p; 3040 u_int8_t *s, *d; 3041 3042 s = (u_int8_t *)(&ip->ip_src); 3043 d = (u_int8_t *)(&ip->ip_dst); 3044 3045 p = buf; 3046 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 3047 while (p && *p) 3048 p++; 3049 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u", 3050 s[0], s[1], s[2], s[3]); 3051 while (p && *p) 3052 p++; 3053 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u", 3054 d[0], d[1], d[2], d[3]); 3055 while (p && *p) 3056 p++; 3057 snprintf(p, sizeof(buf) - (p - buf), ")"); 3058 3059 return buf; 3060} 3061 3062#if INET6 3063const char * 3064ipsec6_logpacketstr(ip6, spi) 3065 struct ip6_hdr *ip6; 3066 u_int32_t spi; 3067{ 3068 static char buf[256] __attribute__((aligned(4))); 3069 char *p; 3070 3071 p = buf; 3072 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 3073 while (p && *p) 3074 p++; 3075 snprintf(p, sizeof(buf) - (p - buf), "src=%s", 3076 ip6_sprintf(&ip6->ip6_src)); 3077 while (p && *p) 3078 p++; 3079 snprintf(p, sizeof(buf) - (p - buf), " dst=%s", 3080 ip6_sprintf(&ip6->ip6_dst)); 3081 while (p && *p) 3082 p++; 3083 snprintf(p, sizeof(buf) - (p - buf), ")"); 3084 3085 return buf; 3086} 3087#endif /*INET6*/ 3088 3089const char * 3090ipsec_logsastr(sav) 3091 struct secasvar *sav; 3092{ 3093 static char buf[256] __attribute__((aligned(4))); 3094 char *p; 3095 struct secasindex *saidx = &sav->sah->saidx; 3096 3097 /* validity check */ 3098 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 3099 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) 3100 panic("ipsec_logsastr: family mismatched.\n"); 3101 3102 p = buf; 3103 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi)); 3104 while (p && *p) 3105 p++; 3106 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) { 3107 u_int8_t *s, *d; 3108 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr; 3109 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr; 3110 snprintf(p, sizeof(buf) - (p - buf), 3111 "src=%d.%d.%d.%d dst=%d.%d.%d.%d", 3112 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]); 3113 } 3114#if INET6 3115 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) { 3116 snprintf(p, sizeof(buf) - (p - buf), 3117 "src=%s", 3118 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr)); 3119 while (p && *p) 3120 p++; 3121 snprintf(p, sizeof(buf) - (p - buf), 3122 " dst=%s", 3123 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr)); 3124 } 3125#endif 3126 while (p && *p) 3127 p++; 3128 snprintf(p, sizeof(buf) - (p - buf), ")"); 3129 3130 return buf; 3131} 3132 3133void 3134ipsec_dumpmbuf(m) 3135 struct mbuf *m; 3136{ 3137 int totlen; 3138 int i; 3139 u_char *p; 3140 3141 totlen = 0; 3142 printf("---\n"); 3143 while (m) { 3144 p = mtod(m, u_char *); 3145 for (i = 0; i < m->m_len; i++) { 3146 printf("%02x ", p[i]); 3147 totlen++; 3148 if (totlen % 16 == 0) 3149 printf("\n"); 3150 } 3151 m = m->m_next; 3152 } 3153 if (totlen % 16 != 0) 3154 printf("\n"); 3155 printf("---\n"); 3156} 3157 3158#if INET 3159/* 3160 * IPsec output logic for IPv4. 3161 */ 3162int 3163ipsec4_output( 3164 struct ipsec_output_state *state, 3165 struct secpolicy *sp, 3166 __unused int flags) 3167{ 3168 struct ip *ip = NULL; 3169 struct ipsecrequest *isr = NULL; 3170 struct secasindex saidx; 3171 struct secasvar *sav = NULL; 3172 int error = 0; 3173 struct sockaddr_in *dst4; 3174 struct sockaddr_in *sin; 3175 struct route *ro4; 3176 3177 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 3178 3179 if (!state) 3180 panic("state == NULL in ipsec4_output"); 3181 if (!state->m) 3182 panic("state->m == NULL in ipsec4_output"); 3183 if (!state->dst) 3184 panic("state->dst == NULL in ipsec4_output"); 3185 3186 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_START, 0,0,0,0,0); 3187 3188 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3189 printf("ipsec4_output: applyed SP\n"); 3190 kdebug_secpolicy(sp)); 3191 3192 for (isr = sp->req; isr != NULL; isr = isr->next) { 3193 3194#if 0 /* give up to check restriction of transport mode */ 3195 /* XXX but should be checked somewhere */ 3196 /* 3197 * some of the IPsec operation must be performed only in 3198 * originating case. 3199 */ 3200 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT 3201 && (flags & IP_FORWARDING)) 3202 continue; 3203#endif 3204 3205 /* make SA index for search proper SA */ 3206 ip = mtod(state->m, struct ip *); 3207 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 3208 saidx.mode = isr->saidx.mode; 3209 saidx.reqid = isr->saidx.reqid; 3210 sin = (struct sockaddr_in *)&saidx.src; 3211 if (sin->sin_len == 0) { 3212 sin->sin_len = sizeof(*sin); 3213 sin->sin_family = AF_INET; 3214 sin->sin_port = IPSEC_PORT_ANY; 3215 bcopy(&ip->ip_src, &sin->sin_addr, 3216 sizeof(sin->sin_addr)); 3217 } 3218 sin = (struct sockaddr_in *)&saidx.dst; 3219 if (sin->sin_len == 0) { 3220 sin->sin_len = sizeof(*sin); 3221 sin->sin_family = AF_INET; 3222 sin->sin_port = IPSEC_PORT_ANY; 3223 /* 3224 * Get port from packet if upper layer is UDP and nat traversal 3225 * is enabled and transport mode. 3226 */ 3227 3228 if ((esp_udp_encap_port & 0xFFFF) != 0 && 3229 isr->saidx.mode == IPSEC_MODE_TRANSPORT) { 3230 3231 if (ip->ip_p == IPPROTO_UDP) { 3232 struct udphdr *udp; 3233 size_t hlen; 3234#ifdef _IP_VHL 3235 hlen = IP_VHL_HL(ip->ip_vhl) << 2; 3236#else 3237 hlen = ip->ip_hl << 2; 3238#endif 3239 if (state->m->m_len < hlen + sizeof(struct udphdr)) { 3240 state->m = m_pullup(state->m, hlen + sizeof(struct udphdr)); 3241 if (!state->m) { 3242 ipseclog((LOG_DEBUG, 3243 "IPv4 output: can't pullup UDP header\n")); 3244 IPSEC_STAT_INCREMENT(ipsecstat.in_inval); 3245 goto bad; 3246 } 3247 ip = mtod(state->m, struct ip *); 3248 } 3249 udp = (struct udphdr *)(void *)(((u_int8_t *)ip) + hlen); 3250 sin->sin_port = udp->uh_dport; 3251 } 3252 } 3253 3254 bcopy(&ip->ip_dst, &sin->sin_addr, 3255 sizeof(sin->sin_addr)); 3256 } 3257 3258 if ((error = key_checkrequest(isr, &saidx, &sav)) != 0) { 3259 /* 3260 * IPsec processing is required, but no SA found. 3261 * I assume that key_acquire() had been called 3262 * to get/establish the SA. Here I discard 3263 * this packet because it is responsibility for 3264 * upper layer to retransmit the packet. 3265 */ 3266 IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); 3267 goto bad; 3268 } 3269 3270 /* validity check */ 3271 if (sav == NULL) { 3272 switch (ipsec_get_reqlevel(isr)) { 3273 case IPSEC_LEVEL_USE: 3274 continue; 3275 case IPSEC_LEVEL_REQUIRE: 3276 /* must be not reached here. */ 3277 panic("ipsec4_output: no SA found, but required."); 3278 } 3279 } 3280 3281 /* 3282 * If there is no valid SA, we give up to process any 3283 * more. In such a case, the SA's status is changed 3284 * from DYING to DEAD after allocating. If a packet 3285 * send to the receiver by dead SA, the receiver can 3286 * not decode a packet because SA has been dead. 3287 */ 3288 if (sav->state != SADB_SASTATE_MATURE 3289 && sav->state != SADB_SASTATE_DYING) { 3290 IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); 3291 error = EINVAL; 3292 goto bad; 3293 } 3294 3295 /* 3296 * There may be the case that SA status will be changed when 3297 * we are refering to one. So calling splsoftnet(). 3298 */ 3299 3300 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3301 /* 3302 * build IPsec tunnel. 3303 */ 3304 /* XXX should be processed with other familiy */ 3305 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 3306 ipseclog((LOG_ERR, "ipsec4_output: " 3307 "family mismatched between inner and outer spi=%u\n", 3308 (u_int32_t)ntohl(sav->spi))); 3309 error = EAFNOSUPPORT; 3310 goto bad; 3311 } 3312 3313 state->m = ipsec4_splithdr(state->m); 3314 if (!state->m) { 3315 error = ENOMEM; 3316 goto bad; 3317 } 3318 error = ipsec4_encapsulate(state->m, sav); 3319 if (error) { 3320 state->m = NULL; 3321 goto bad; 3322 } 3323 ip = mtod(state->m, struct ip *); 3324 3325 // grab sadb_mutex, before updating sah's route cache 3326 lck_mtx_lock(sadb_mutex); 3327 ro4= &sav->sah->sa_route; 3328 dst4 = (struct sockaddr_in *)(void *)&ro4->ro_dst; 3329 if (ro4->ro_rt != NULL) { 3330 RT_LOCK(ro4->ro_rt); 3331 } 3332 if (ROUTE_UNUSABLE(ro4) || 3333 dst4->sin_addr.s_addr != ip->ip_dst.s_addr) { 3334 if (ro4->ro_rt != NULL) 3335 RT_UNLOCK(ro4->ro_rt); 3336 ROUTE_RELEASE(ro4); 3337 } 3338 if (ro4->ro_rt == 0) { 3339 dst4->sin_family = AF_INET; 3340 dst4->sin_len = sizeof(*dst4); 3341 dst4->sin_addr = ip->ip_dst; 3342 rtalloc(ro4); 3343 if (ro4->ro_rt == 0) { 3344 OSAddAtomic(1, &ipstat.ips_noroute); 3345 error = EHOSTUNREACH; 3346 // release sadb_mutex, after updating sah's route cache 3347 lck_mtx_unlock(sadb_mutex); 3348 goto bad; 3349 } 3350 RT_LOCK(ro4->ro_rt); 3351 } 3352 3353 /* 3354 * adjust state->dst if tunnel endpoint is offlink 3355 * 3356 * XXX: caching rt_gateway value in the state is 3357 * not really good, since it may point elsewhere 3358 * when the gateway gets modified to a larger 3359 * sockaddr via rt_setgate(). This is currently 3360 * addressed by SA_SIZE roundup in that routine. 3361 */ 3362 if (ro4->ro_rt->rt_flags & RTF_GATEWAY) 3363 dst4 = (struct sockaddr_in *)(void *)ro4->ro_rt->rt_gateway; 3364 RT_UNLOCK(ro4->ro_rt); 3365 ROUTE_RELEASE(&state->ro); 3366 route_copyout(&state->ro, ro4, sizeof(state->ro)); 3367 state->dst = (struct sockaddr *)dst4; 3368 state->tunneled = 4; 3369 // release sadb_mutex, after updating sah's route cache 3370 lck_mtx_unlock(sadb_mutex); 3371 } 3372 3373 state->m = ipsec4_splithdr(state->m); 3374 if (!state->m) { 3375 error = ENOMEM; 3376 goto bad; 3377 } 3378 switch (isr->saidx.proto) { 3379 case IPPROTO_ESP: 3380#if IPSEC_ESP 3381 if ((error = esp4_output(state->m, sav)) != 0) { 3382 state->m = NULL; 3383 goto bad; 3384 } 3385 break; 3386#else 3387 m_freem(state->m); 3388 state->m = NULL; 3389 error = EINVAL; 3390 goto bad; 3391#endif 3392 case IPPROTO_AH: 3393 if ((error = ah4_output(state->m, sav)) != 0) { 3394 state->m = NULL; 3395 goto bad; 3396 } 3397 break; 3398 case IPPROTO_IPCOMP: 3399 if ((error = ipcomp4_output(state->m, sav)) != 0) { 3400 state->m = NULL; 3401 goto bad; 3402 } 3403 break; 3404 default: 3405 ipseclog((LOG_ERR, 3406 "ipsec4_output: unknown ipsec protocol %d\n", 3407 isr->saidx.proto)); 3408 m_freem(state->m); 3409 state->m = NULL; 3410 error = EINVAL; 3411 goto bad; 3412 } 3413 3414 if (state->m == 0) { 3415 error = ENOMEM; 3416 goto bad; 3417 } 3418 ip = mtod(state->m, struct ip *); 3419 } 3420 3421 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0,0,0,0,0); 3422 if (sav) 3423 key_freesav(sav, KEY_SADB_UNLOCKED); 3424 return 0; 3425 3426bad: 3427 if (sav) 3428 key_freesav(sav, KEY_SADB_UNLOCKED); 3429 m_freem(state->m); 3430 state->m = NULL; 3431 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error,0,0,0,0); 3432 return error; 3433} 3434#endif 3435 3436#if INET6 3437/* 3438 * IPsec output logic for IPv6, transport mode. 3439 */ 3440int 3441ipsec6_output_trans( 3442 struct ipsec_output_state *state, 3443 u_char *nexthdrp, 3444 struct mbuf *mprev, 3445 struct secpolicy *sp, 3446 __unused int flags, 3447 int *tun) 3448{ 3449 struct ip6_hdr *ip6; 3450 struct ipsecrequest *isr = NULL; 3451 struct secasindex saidx; 3452 int error = 0; 3453 int plen; 3454 struct sockaddr_in6 *sin6; 3455 struct secasvar *sav = NULL; 3456 3457 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 3458 3459 if (!state) 3460 panic("state == NULL in ipsec6_output_trans"); 3461 if (!state->m) 3462 panic("state->m == NULL in ipsec6_output_trans"); 3463 if (!nexthdrp) 3464 panic("nexthdrp == NULL in ipsec6_output_trans"); 3465 if (!mprev) 3466 panic("mprev == NULL in ipsec6_output_trans"); 3467 if (!sp) 3468 panic("sp == NULL in ipsec6_output_trans"); 3469 if (!tun) 3470 panic("tun == NULL in ipsec6_output_trans"); 3471 3472 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3473 printf("ipsec6_output_trans: applyed SP\n"); 3474 kdebug_secpolicy(sp)); 3475 3476 *tun = 0; 3477 for (isr = sp->req; isr; isr = isr->next) { 3478 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3479 /* the rest will be handled by ipsec6_output_tunnel() */ 3480 break; 3481 } 3482 3483 /* make SA index for search proper SA */ 3484 ip6 = mtod(state->m, struct ip6_hdr *); 3485 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 3486 saidx.mode = isr->saidx.mode; 3487 saidx.reqid = isr->saidx.reqid; 3488 sin6 = (struct sockaddr_in6 *)&saidx.src; 3489 if (sin6->sin6_len == 0) { 3490 sin6->sin6_len = sizeof(*sin6); 3491 sin6->sin6_family = AF_INET6; 3492 sin6->sin6_port = IPSEC_PORT_ANY; 3493 bcopy(&ip6->ip6_src, &sin6->sin6_addr, 3494 sizeof(ip6->ip6_src)); 3495 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 3496 /* fix scope id for comparing SPD */ 3497 sin6->sin6_addr.s6_addr16[1] = 0; 3498 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); 3499 } 3500 } 3501 sin6 = (struct sockaddr_in6 *)&saidx.dst; 3502 if (sin6->sin6_len == 0) { 3503 sin6->sin6_len = sizeof(*sin6); 3504 sin6->sin6_family = AF_INET6; 3505 sin6->sin6_port = IPSEC_PORT_ANY; 3506 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, 3507 sizeof(ip6->ip6_dst)); 3508 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 3509 /* fix scope id for comparing SPD */ 3510 sin6->sin6_addr.s6_addr16[1] = 0; 3511 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); 3512 } 3513 } 3514 3515 if (key_checkrequest(isr, &saidx, &sav) == ENOENT) { 3516 /* 3517 * IPsec processing is required, but no SA found. 3518 * I assume that key_acquire() had been called 3519 * to get/establish the SA. Here I discard 3520 * this packet because it is responsibility for 3521 * upper layer to retransmit the packet. 3522 */ 3523 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3524 error = ENOENT; 3525 3526 /* 3527 * Notify the fact that the packet is discarded 3528 * to ourselves. I believe this is better than 3529 * just silently discarding. (jinmei@kame.net) 3530 * XXX: should we restrict the error to TCP packets? 3531 * XXX: should we directly notify sockets via 3532 * pfctlinputs? 3533 */ 3534 icmp6_error(state->m, ICMP6_DST_UNREACH, 3535 ICMP6_DST_UNREACH_ADMIN, 0); 3536 state->m = NULL; /* icmp6_error freed the mbuf */ 3537 goto bad; 3538 } 3539 3540 /* validity check */ 3541 if (sav == NULL) { 3542 switch (ipsec_get_reqlevel(isr)) { 3543 case IPSEC_LEVEL_USE: 3544 continue; 3545 case IPSEC_LEVEL_REQUIRE: 3546 /* must be not reached here. */ 3547 panic("ipsec6_output_trans: no SA found, but required."); 3548 } 3549 } 3550 3551 /* 3552 * If there is no valid SA, we give up to process. 3553 * see same place at ipsec4_output(). 3554 */ 3555 if (sav->state != SADB_SASTATE_MATURE 3556 && sav->state != SADB_SASTATE_DYING) { 3557 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3558 error = EINVAL; 3559 goto bad; 3560 } 3561 3562 switch (isr->saidx.proto) { 3563 case IPPROTO_ESP: 3564#if IPSEC_ESP 3565 error = esp6_output(state->m, nexthdrp, mprev->m_next, sav); 3566#else 3567 m_freem(state->m); 3568 error = EINVAL; 3569#endif 3570 break; 3571 case IPPROTO_AH: 3572 error = ah6_output(state->m, nexthdrp, mprev->m_next, sav); 3573 break; 3574 case IPPROTO_IPCOMP: 3575 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, sav); 3576 break; 3577 default: 3578 ipseclog((LOG_ERR, "ipsec6_output_trans: " 3579 "unknown ipsec protocol %d\n", isr->saidx.proto)); 3580 m_freem(state->m); 3581 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3582 error = EINVAL; 3583 break; 3584 } 3585 if (error) { 3586 state->m = NULL; 3587 goto bad; 3588 } 3589 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3590 if (plen > IPV6_MAXPACKET) { 3591 ipseclog((LOG_ERR, "ipsec6_output_trans: " 3592 "IPsec with IPv6 jumbogram is not supported\n")); 3593 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3594 error = EINVAL; /*XXX*/ 3595 goto bad; 3596 } 3597 ip6 = mtod(state->m, struct ip6_hdr *); 3598 ip6->ip6_plen = htons(plen); 3599 } 3600 3601 /* if we have more to go, we need a tunnel mode processing */ 3602 if (isr != NULL) 3603 *tun = 1; 3604 3605 if (sav) 3606 key_freesav(sav, KEY_SADB_UNLOCKED); 3607 return 0; 3608 3609bad: 3610 if (sav) 3611 key_freesav(sav, KEY_SADB_UNLOCKED); 3612 m_freem(state->m); 3613 state->m = NULL; 3614 return error; 3615} 3616 3617/* 3618 * IPsec output logic for IPv6, tunnel mode. 3619 */ 3620int 3621ipsec6_output_tunnel( 3622 struct ipsec_output_state *state, 3623 struct secpolicy *sp, 3624 __unused int flags) 3625{ 3626 struct ip6_hdr *ip6; 3627 struct ipsecrequest *isr = NULL; 3628 struct secasindex saidx; 3629 struct secasvar *sav = NULL; 3630 int error = 0; 3631 int plen; 3632 struct sockaddr_in6* dst6; 3633 struct route *ro6; 3634 3635 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 3636 3637 if (!state) 3638 panic("state == NULL in ipsec6_output_tunnel"); 3639 if (!state->m) 3640 panic("state->m == NULL in ipsec6_output_tunnel"); 3641 if (!sp) 3642 panic("sp == NULL in ipsec6_output_tunnel"); 3643 3644 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3645 printf("ipsec6_output_tunnel: applyed SP\n"); 3646 kdebug_secpolicy(sp)); 3647 3648 /* 3649 * transport mode ipsec (before the 1st tunnel mode) is already 3650 * processed by ipsec6_output_trans(). 3651 */ 3652 for (isr = sp->req; isr; isr = isr->next) { 3653 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 3654 break; 3655 } 3656 3657 for (/* already initialized */; isr; isr = isr->next) { 3658 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3659 /* When tunnel mode, SA peers must be specified. */ 3660 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 3661 } else { 3662 /* make SA index to look for a proper SA */ 3663 struct sockaddr_in6 *sin6; 3664 3665 bzero(&saidx, sizeof(saidx)); 3666 saidx.proto = isr->saidx.proto; 3667 saidx.mode = isr->saidx.mode; 3668 saidx.reqid = isr->saidx.reqid; 3669 3670 ip6 = mtod(state->m, struct ip6_hdr *); 3671 sin6 = (struct sockaddr_in6 *)&saidx.src; 3672 if (sin6->sin6_len == 0) { 3673 sin6->sin6_len = sizeof(*sin6); 3674 sin6->sin6_family = AF_INET6; 3675 sin6->sin6_port = IPSEC_PORT_ANY; 3676 bcopy(&ip6->ip6_src, &sin6->sin6_addr, 3677 sizeof(ip6->ip6_src)); 3678 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 3679 /* fix scope id for comparing SPD */ 3680 sin6->sin6_addr.s6_addr16[1] = 0; 3681 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); 3682 } 3683 } 3684 sin6 = (struct sockaddr_in6 *)&saidx.dst; 3685 if (sin6->sin6_len == 0) { 3686 sin6->sin6_len = sizeof(*sin6); 3687 sin6->sin6_family = AF_INET6; 3688 sin6->sin6_port = IPSEC_PORT_ANY; 3689 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, 3690 sizeof(ip6->ip6_dst)); 3691 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 3692 /* fix scope id for comparing SPD */ 3693 sin6->sin6_addr.s6_addr16[1] = 0; 3694 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); 3695 } 3696 } 3697 } 3698 3699 if (key_checkrequest(isr, &saidx, &sav) == ENOENT) { 3700 /* 3701 * IPsec processing is required, but no SA found. 3702 * I assume that key_acquire() had been called 3703 * to get/establish the SA. Here I discard 3704 * this packet because it is responsibility for 3705 * upper layer to retransmit the packet. 3706 */ 3707 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3708 error = ENOENT; 3709 goto bad; 3710 } 3711 3712 /* validity check */ 3713 if (sav == NULL) { 3714 switch (ipsec_get_reqlevel(isr)) { 3715 case IPSEC_LEVEL_USE: 3716 continue; 3717 case IPSEC_LEVEL_REQUIRE: 3718 /* must be not reached here. */ 3719 panic("ipsec6_output_tunnel: no SA found, but required."); 3720 } 3721 } 3722 3723 /* 3724 * If there is no valid SA, we give up to process. 3725 * see same place at ipsec4_output(). 3726 */ 3727 if (sav->state != SADB_SASTATE_MATURE 3728 && sav->state != SADB_SASTATE_DYING) { 3729 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3730 error = EINVAL; 3731 goto bad; 3732 } 3733 3734 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3735 /* 3736 * build IPsec tunnel. 3737 */ 3738 state->m = ipsec6_splithdr(state->m); 3739 if (!state->m) { 3740 IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem); 3741 error = ENOMEM; 3742 goto bad; 3743 } 3744 3745 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) { 3746 error = ipsec6_encapsulate(state->m, sav); 3747 if (error) { 3748 state->m = 0; 3749 goto bad; 3750 } 3751 ip6 = mtod(state->m, struct ip6_hdr *); 3752 } else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) { 3753 3754 struct ip *ip; 3755 struct sockaddr_in* dst4; 3756 struct route *ro4 = NULL; 3757 struct route ro4_copy; 3758 struct ip_out_args ipoa = { IFSCOPE_NONE, { 0 }, 3759 IPOAF_SELECT_SRCIF, 0 }; 3760 3761 /* 3762 * must be last isr because encapsulated IPv6 packet 3763 * will be sent by calling ip_output 3764 */ 3765 if (isr->next) { 3766 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3767 "IPv4 must be outer layer, spi=%u\n", 3768 (u_int32_t)ntohl(sav->spi))); 3769 error = EINVAL; 3770 goto bad; 3771 } 3772 state->tunneled = 4; /* must not process any further in ip6_output */ 3773 error = ipsec64_encapsulate(state->m, sav); 3774 if (error) { 3775 state->m = 0; 3776 goto bad; 3777 } 3778 /* Now we have an IPv4 packet */ 3779 ip = mtod(state->m, struct ip *); 3780 3781 // grab sadb_mutex, to update sah's route cache and get a local copy of it 3782 lck_mtx_lock(sadb_mutex); 3783 ro4 = &sav->sah->sa_route; 3784 dst4 = (struct sockaddr_in *)(void *)&ro4->ro_dst; 3785 if (ro4->ro_rt) { 3786 RT_LOCK(ro4->ro_rt); 3787 } 3788 if (ROUTE_UNUSABLE(ro4) || 3789 dst4->sin_addr.s_addr != ip->ip_dst.s_addr) { 3790 if (ro4->ro_rt != NULL) 3791 RT_UNLOCK(ro4->ro_rt); 3792 ROUTE_RELEASE(ro4); 3793 } 3794 if (ro4->ro_rt == NULL) { 3795 dst4->sin_family = AF_INET; 3796 dst4->sin_len = sizeof(*dst4); 3797 dst4->sin_addr = ip->ip_dst; 3798 } else { 3799 RT_UNLOCK(ro4->ro_rt); 3800 } 3801 route_copyout(&ro4_copy, ro4, sizeof(ro4_copy)); 3802 // release sadb_mutex, after updating sah's route cache and getting a local copy 3803 lck_mtx_unlock(sadb_mutex); 3804 state->m = ipsec4_splithdr(state->m); 3805 if (!state->m) { 3806 error = ENOMEM; 3807 ROUTE_RELEASE(&ro4_copy); 3808 goto bad; 3809 } 3810 switch (isr->saidx.proto) { 3811 case IPPROTO_ESP: 3812#if IPSEC_ESP 3813 if ((error = esp4_output(state->m, sav)) != 0) { 3814 state->m = NULL; 3815 ROUTE_RELEASE(&ro4_copy); 3816 goto bad; 3817 } 3818 break; 3819 3820#else 3821 m_freem(state->m); 3822 state->m = NULL; 3823 error = EINVAL; 3824 ROUTE_RELEASE(&ro4_copy); 3825 goto bad; 3826#endif 3827 case IPPROTO_AH: 3828 if ((error = ah4_output(state->m, sav)) != 0) { 3829 state->m = NULL; 3830 ROUTE_RELEASE(&ro4_copy); 3831 goto bad; 3832 } 3833 break; 3834 case IPPROTO_IPCOMP: 3835 if ((error = ipcomp4_output(state->m, sav)) != 0) { 3836 state->m = NULL; 3837 ROUTE_RELEASE(&ro4_copy); 3838 goto bad; 3839 } 3840 break; 3841 default: 3842 ipseclog((LOG_ERR, 3843 "ipsec4_output: unknown ipsec protocol %d\n", 3844 isr->saidx.proto)); 3845 m_freem(state->m); 3846 state->m = NULL; 3847 error = EINVAL; 3848 ROUTE_RELEASE(&ro4_copy); 3849 goto bad; 3850 } 3851 3852 if (state->m == 0) { 3853 error = ENOMEM; 3854 ROUTE_RELEASE(&ro4_copy); 3855 goto bad; 3856 } 3857 ip = mtod(state->m, struct ip *); 3858 ip->ip_len = ntohs(ip->ip_len); /* flip len field before calling ip_output */ 3859 error = ip_output(state->m, NULL, &ro4_copy, IP_OUTARGS, NULL, &ipoa); 3860 state->m = NULL; 3861 // grab sadb_mutex, to synchronize the sah's route cache with the local copy 3862 lck_mtx_lock(sadb_mutex); 3863 route_copyin(&ro4_copy, ro4, sizeof(ro4_copy)); 3864 lck_mtx_unlock(sadb_mutex); 3865 if (error != 0) 3866 goto bad; 3867 goto done; 3868 } else { 3869 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3870 "unsupported inner family, spi=%u\n", 3871 (u_int32_t)ntohl(sav->spi))); 3872 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3873 error = EAFNOSUPPORT; 3874 goto bad; 3875 } 3876 3877 // grab sadb_mutex, before updating sah's route cache 3878 lck_mtx_lock(sadb_mutex); 3879 ro6 = &sav->sah->sa_route; 3880 dst6 = (struct sockaddr_in6 *)(void *)&ro6->ro_dst; 3881 if (ro6->ro_rt) { 3882 RT_LOCK(ro6->ro_rt); 3883 } 3884 if (ROUTE_UNUSABLE(ro6) || 3885 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst)) { 3886 if (ro6->ro_rt != NULL) 3887 RT_UNLOCK(ro6->ro_rt); 3888 ROUTE_RELEASE(ro6); 3889 } 3890 if (ro6->ro_rt == 0) { 3891 bzero(dst6, sizeof(*dst6)); 3892 dst6->sin6_family = AF_INET6; 3893 dst6->sin6_len = sizeof(*dst6); 3894 dst6->sin6_addr = ip6->ip6_dst; 3895 rtalloc(ro6); 3896 if (ro6->ro_rt) { 3897 RT_LOCK(ro6->ro_rt); 3898 } 3899 } 3900 if (ro6->ro_rt == 0) { 3901 ip6stat.ip6s_noroute++; 3902 IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute); 3903 error = EHOSTUNREACH; 3904 // release sadb_mutex, after updating sah's route cache 3905 lck_mtx_unlock(sadb_mutex); 3906 goto bad; 3907 } 3908 3909 /* 3910 * adjust state->dst if tunnel endpoint is offlink 3911 * 3912 * XXX: caching rt_gateway value in the state is 3913 * not really good, since it may point elsewhere 3914 * when the gateway gets modified to a larger 3915 * sockaddr via rt_setgate(). This is currently 3916 * addressed by SA_SIZE roundup in that routine. 3917 */ 3918 if (ro6->ro_rt->rt_flags & RTF_GATEWAY) 3919 dst6 = (struct sockaddr_in6 *)(void *)ro6->ro_rt->rt_gateway; 3920 RT_UNLOCK(ro6->ro_rt); 3921 ROUTE_RELEASE(&state->ro); 3922 route_copyout(&state->ro, ro6, sizeof(state->ro)); 3923 state->dst = (struct sockaddr *)dst6; 3924 state->tunneled = 6; 3925 // release sadb_mutex, after updating sah's route cache 3926 lck_mtx_unlock(sadb_mutex); 3927 } 3928 3929 state->m = ipsec6_splithdr(state->m); 3930 if (!state->m) { 3931 IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem); 3932 error = ENOMEM; 3933 goto bad; 3934 } 3935 ip6 = mtod(state->m, struct ip6_hdr *); 3936 switch (isr->saidx.proto) { 3937 case IPPROTO_ESP: 3938#if IPSEC_ESP 3939 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); 3940#else 3941 m_freem(state->m); 3942 error = EINVAL; 3943#endif 3944 break; 3945 case IPPROTO_AH: 3946 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); 3947 break; 3948 case IPPROTO_IPCOMP: 3949 /* XXX code should be here */ 3950 /*FALLTHROUGH*/ 3951 default: 3952 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3953 "unknown ipsec protocol %d\n", isr->saidx.proto)); 3954 m_freem(state->m); 3955 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3956 error = EINVAL; 3957 break; 3958 } 3959 if (error) { 3960 state->m = NULL; 3961 goto bad; 3962 } 3963 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3964 if (plen > IPV6_MAXPACKET) { 3965 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3966 "IPsec with IPv6 jumbogram is not supported\n")); 3967 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3968 error = EINVAL; /*XXX*/ 3969 goto bad; 3970 } 3971 ip6 = mtod(state->m, struct ip6_hdr *); 3972 ip6->ip6_plen = htons(plen); 3973 } 3974done: 3975 if (sav) 3976 key_freesav(sav, KEY_SADB_UNLOCKED); 3977 return 0; 3978 3979bad: 3980 if (sav) 3981 key_freesav(sav, KEY_SADB_UNLOCKED); 3982 if (state->m) 3983 m_freem(state->m); 3984 state->m = NULL; 3985 return error; 3986} 3987#endif /*INET6*/ 3988 3989#if INET 3990/* 3991 * Chop IP header and option off from the payload. 3992 */ 3993struct mbuf * 3994ipsec4_splithdr(m) 3995 struct mbuf *m; 3996{ 3997 struct mbuf *mh; 3998 struct ip *ip; 3999 int hlen; 4000 4001 if (m->m_len < sizeof(struct ip)) 4002 panic("ipsec4_splithdr: first mbuf too short, m_len %d, pkt_len %d, m_flag %x", m->m_len, m->m_pkthdr.len, m->m_flags); 4003 ip = mtod(m, struct ip *); 4004#ifdef _IP_VHL 4005 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 4006#else 4007 hlen = ip->ip_hl << 2; 4008#endif 4009 if (m->m_len > hlen) { 4010 MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 4011 if (!mh) { 4012 m_freem(m); 4013 return NULL; 4014 } 4015 M_COPY_PKTHDR(mh, m); 4016 MH_ALIGN(mh, hlen); 4017 m->m_flags &= ~M_PKTHDR; 4018 m_mchtype(m, MT_DATA); 4019 m->m_len -= hlen; 4020 m->m_data += hlen; 4021 mh->m_next = m; 4022 m = mh; 4023 m->m_len = hlen; 4024 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen); 4025 } else if (m->m_len < hlen) { 4026 m = m_pullup(m, hlen); 4027 if (!m) 4028 return NULL; 4029 } 4030 return m; 4031} 4032#endif 4033 4034#if INET6 4035struct mbuf * 4036ipsec6_splithdr(m) 4037 struct mbuf *m; 4038{ 4039 struct mbuf *mh; 4040 struct ip6_hdr *ip6; 4041 int hlen; 4042 4043 if (m->m_len < sizeof(struct ip6_hdr)) 4044 panic("ipsec6_splithdr: first mbuf too short"); 4045 ip6 = mtod(m, struct ip6_hdr *); 4046 hlen = sizeof(struct ip6_hdr); 4047 if (m->m_len > hlen) { 4048 MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 4049 if (!mh) { 4050 m_freem(m); 4051 return NULL; 4052 } 4053 M_COPY_PKTHDR(mh, m); 4054 MH_ALIGN(mh, hlen); 4055 m->m_flags &= ~M_PKTHDR; 4056 m_mchtype(m, MT_DATA); 4057 m->m_len -= hlen; 4058 m->m_data += hlen; 4059 mh->m_next = m; 4060 m = mh; 4061 m->m_len = hlen; 4062 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen); 4063 } else if (m->m_len < hlen) { 4064 m = m_pullup(m, hlen); 4065 if (!m) 4066 return NULL; 4067 } 4068 return m; 4069} 4070#endif 4071 4072/* validate inbound IPsec tunnel packet. */ 4073int 4074ipsec4_tunnel_validate(m, off, nxt0, sav, ifamily) 4075 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 4076 int off; 4077 u_int nxt0; 4078 struct secasvar *sav; 4079 sa_family_t *ifamily; 4080{ 4081 u_int8_t nxt = nxt0 & 0xff; 4082 struct sockaddr_in *sin; 4083 struct sockaddr_in osrc, odst, i4src, i4dst; 4084 struct sockaddr_in6 i6src, i6dst; 4085 int hlen; 4086 struct secpolicy *sp; 4087 struct ip *oip; 4088 4089 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 4090 4091#if DIAGNOSTIC 4092 if (m->m_len < sizeof(struct ip)) 4093 panic("too short mbuf on ipsec4_tunnel_validate"); 4094#endif 4095 if (nxt != IPPROTO_IPV4 && nxt != IPPROTO_IPV6) 4096 return 0; 4097 if (m->m_pkthdr.len < off + sizeof(struct ip)) 4098 return 0; 4099 /* do not decapsulate if the SA is for transport mode only */ 4100 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 4101 return 0; 4102 4103 oip = mtod(m, struct ip *); 4104#ifdef _IP_VHL 4105 hlen = _IP_VHL_HL(oip->ip_vhl) << 2; 4106#else 4107 hlen = oip->ip_hl << 2; 4108#endif 4109 if (hlen != sizeof(struct ip)) 4110 return 0; 4111 4112 sin = (struct sockaddr_in *)&sav->sah->saidx.dst; 4113 if (sin->sin_family != AF_INET) 4114 return 0; 4115 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0) 4116 return 0; 4117 4118 if (sav->utun_in_fn) { 4119 // the utun SAs don't have a policy (yet). 4120 if (nxt == IPPROTO_IPV4) { 4121 *ifamily = AF_INET; 4122 } else if (nxt == IPPROTO_IPV6) { 4123 *ifamily = AF_INET6; 4124 } else { 4125 return 0; 4126 } 4127 return 1; 4128 } 4129 4130 /* XXX slow */ 4131 bzero(&osrc, sizeof(osrc)); 4132 bzero(&odst, sizeof(odst)); 4133 osrc.sin_family = odst.sin_family = AF_INET; 4134 osrc.sin_len = odst.sin_len = sizeof(struct sockaddr_in); 4135 osrc.sin_addr = oip->ip_src; 4136 odst.sin_addr = oip->ip_dst; 4137 /* 4138 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode) 4139 * - if the inner destination is multicast address, there can be 4140 * multiple permissible inner source address. implementation 4141 * may want to skip verification of inner source address against 4142 * SPD selector. 4143 * - if the inner protocol is ICMP, the packet may be an error report 4144 * from routers on the other side of the VPN cloud (R in the 4145 * following diagram). in this case, we cannot verify inner source 4146 * address against SPD selector. 4147 * me -- gw === gw -- R -- you 4148 * 4149 * we consider the first bullet to be users responsibility on SPD entry 4150 * configuration (if you need to encrypt multicast traffic, set 4151 * the source range of SPD selector to 0.0.0.0/0, or have explicit 4152 * address ranges for possible senders). 4153 * the second bullet is not taken care of (yet). 4154 * 4155 * therefore, we do not do anything special about inner source. 4156 */ 4157 if (nxt == IPPROTO_IPV4) { 4158 bzero(&i4src, sizeof(struct sockaddr_in)); 4159 bzero(&i4dst, sizeof(struct sockaddr_in)); 4160 i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET; 4161 i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in); 4162 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr), 4163 (caddr_t)&i4src.sin_addr); 4164 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr), 4165 (caddr_t)&i4dst.sin_addr); 4166 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 4167 (struct sockaddr *)&i4src, (struct sockaddr *)&i4dst); 4168 } else if (nxt == IPPROTO_IPV6) { 4169 bzero(&i6src, sizeof(struct sockaddr_in6)); 4170 bzero(&i6dst, sizeof(struct sockaddr_in6)); 4171 i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6; 4172 i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6); 4173 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr), 4174 (caddr_t)&i6src.sin6_addr); 4175 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr), 4176 (caddr_t)&i6dst.sin6_addr); 4177 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 4178 (struct sockaddr *)&i6src, (struct sockaddr *)&i6dst); 4179 } else 4180 return 0; /* unsupported family */ 4181 4182 if (!sp) 4183 return 0; 4184 4185 key_freesp(sp, KEY_SADB_UNLOCKED); 4186 4187 return 1; 4188} 4189 4190#if INET6 4191/* validate inbound IPsec tunnel packet. */ 4192int 4193ipsec6_tunnel_validate(m, off, nxt0, sav) 4194 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 4195 int off; 4196 u_int nxt0; 4197 struct secasvar *sav; 4198{ 4199 u_int8_t nxt = nxt0 & 0xff; 4200 struct sockaddr_in6 *sin6; 4201 struct sockaddr_in6 osrc, odst, isrc, idst; 4202 struct secpolicy *sp; 4203 struct ip6_hdr *oip6; 4204 4205 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 4206 4207#if DIAGNOSTIC 4208 if (m->m_len < sizeof(struct ip6_hdr)) 4209 panic("too short mbuf on ipsec6_tunnel_validate"); 4210#endif 4211 if (nxt != IPPROTO_IPV6) 4212 return 0; 4213 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr)) 4214 return 0; 4215 /* do not decapsulate if the SA is for transport mode only */ 4216 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 4217 return 0; 4218 4219 oip6 = mtod(m, struct ip6_hdr *); 4220 /* AF_INET should be supported, but at this moment we don't. */ 4221 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst; 4222 if (sin6->sin6_family != AF_INET6) 4223 return 0; 4224 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr)) 4225 return 0; 4226 4227 if (sav->utun_in_fn) { 4228 // the utun SAs don't have a policy (yet). 4229 return 1; 4230 } 4231 4232 /* XXX slow */ 4233 bzero(&osrc, sizeof(osrc)); 4234 bzero(&odst, sizeof(odst)); 4235 bzero(&isrc, sizeof(isrc)); 4236 bzero(&idst, sizeof(idst)); 4237 osrc.sin6_family = odst.sin6_family = isrc.sin6_family = 4238 idst.sin6_family = AF_INET6; 4239 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len = 4240 sizeof(struct sockaddr_in6); 4241 osrc.sin6_addr = oip6->ip6_src; 4242 odst.sin6_addr = oip6->ip6_dst; 4243 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), 4244 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr); 4245 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), 4246 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr); 4247 4248 /* 4249 * regarding to inner source address validation, see a long comment 4250 * in ipsec4_tunnel_validate. 4251 */ 4252 4253 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 4254 (struct sockaddr *)&isrc, (struct sockaddr *)&idst); 4255 /* 4256 * when there is no suitable inbound policy for the packet of the ipsec 4257 * tunnel mode, the kernel never decapsulate the tunneled packet 4258 * as the ipsec tunnel mode even when the system wide policy is "none". 4259 * then the kernel leaves the generic tunnel module to process this 4260 * packet. if there is no rule of the generic tunnel, the packet 4261 * is rejected and the statistics will be counted up. 4262 */ 4263 if (!sp) 4264 return 0; 4265 key_freesp(sp, KEY_SADB_UNLOCKED); 4266 4267 return 1; 4268} 4269#endif 4270 4271/* 4272 * Make a mbuf chain for encryption. 4273 * If the original mbuf chain contains a mbuf with a cluster, 4274 * allocate a new cluster and copy the data to the new cluster. 4275 * XXX: this hack is inefficient, but is necessary to handle cases 4276 * of TCP retransmission... 4277 */ 4278struct mbuf * 4279ipsec_copypkt(m) 4280 struct mbuf *m; 4281{ 4282 struct mbuf *n, **mpp, *mnew; 4283 4284 for (n = m, mpp = &m; n; n = n->m_next) { 4285 if (n->m_flags & M_EXT) { 4286 /* 4287 * Make a copy only if there are more than one references 4288 * to the cluster. 4289 * XXX: is this approach effective? 4290 */ 4291 if ( 4292 n->m_ext.ext_free || 4293 m_mclhasreference(n) 4294 ) 4295 { 4296 int remain, copied; 4297 struct mbuf *mm; 4298 4299 if (n->m_flags & M_PKTHDR) { 4300 MGETHDR(mnew, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 4301 if (mnew == NULL) 4302 goto fail; 4303 M_COPY_PKTHDR(mnew, n); 4304 } 4305 else { 4306 MGET(mnew, M_DONTWAIT, MT_DATA); 4307 if (mnew == NULL) 4308 goto fail; 4309 } 4310 mnew->m_len = 0; 4311 mm = mnew; 4312 4313 /* 4314 * Copy data. If we don't have enough space to 4315 * store the whole data, allocate a cluster 4316 * or additional mbufs. 4317 * XXX: we don't use m_copyback(), since the 4318 * function does not use clusters and thus is 4319 * inefficient. 4320 */ 4321 remain = n->m_len; 4322 copied = 0; 4323 while (1) { 4324 int len; 4325 struct mbuf *mn; 4326 4327 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN)) 4328 len = remain; 4329 else { /* allocate a cluster */ 4330 MCLGET(mm, M_DONTWAIT); 4331 if (!(mm->m_flags & M_EXT)) { 4332 m_free(mm); 4333 goto fail; 4334 } 4335 len = remain < MCLBYTES ? 4336 remain : MCLBYTES; 4337 } 4338 4339 bcopy(n->m_data + copied, mm->m_data, 4340 len); 4341 4342 copied += len; 4343 remain -= len; 4344 mm->m_len = len; 4345 4346 if (remain <= 0) /* completed? */ 4347 break; 4348 4349 /* need another mbuf */ 4350 MGETHDR(mn, M_DONTWAIT, MT_HEADER); /* XXXMAC: tags copied next time in loop? */ 4351 if (mn == NULL) 4352 goto fail; 4353 mn->m_pkthdr.rcvif = NULL; 4354 mm->m_next = mn; 4355 mm = mn; 4356 } 4357 4358 /* adjust chain */ 4359 mm->m_next = m_free(n); 4360 n = mm; 4361 *mpp = mnew; 4362 mpp = &n->m_next; 4363 4364 continue; 4365 } 4366 } 4367 *mpp = n; 4368 mpp = &n->m_next; 4369 } 4370 4371 return(m); 4372 fail: 4373 m_freem(m); 4374 return(NULL); 4375} 4376 4377/* 4378 * Tags are allocated as mbufs for now, since our minimum size is MLEN, we 4379 * should make use of up to that much space. 4380 */ 4381#define IPSEC_TAG_HEADER \ 4382 4383struct ipsec_tag { 4384 struct socket *socket; 4385 u_int32_t history_count; 4386 struct ipsec_history history[]; 4387}; 4388 4389#define IPSEC_TAG_SIZE (MLEN - sizeof(struct m_tag)) 4390#define IPSEC_TAG_HDR_SIZE (offsetof(struct ipsec_tag, history[0])) 4391#define IPSEC_HISTORY_MAX ((IPSEC_TAG_SIZE - IPSEC_TAG_HDR_SIZE) / \ 4392 sizeof(struct ipsec_history)) 4393 4394static struct ipsec_tag * 4395ipsec_addaux( 4396 struct mbuf *m) 4397{ 4398 struct m_tag *tag; 4399 4400 /* Check if the tag already exists */ 4401 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL); 4402 4403 if (tag == NULL) { 4404 struct ipsec_tag *itag; 4405 4406 /* Allocate a tag */ 4407 tag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, 4408 IPSEC_TAG_SIZE, M_DONTWAIT, m); 4409 4410 if (tag) { 4411 itag = (struct ipsec_tag*)(tag + 1); 4412 itag->socket = 0; 4413 itag->history_count = 0; 4414 4415 m_tag_prepend(m, tag); 4416 } 4417 } 4418 4419 return tag ? (struct ipsec_tag*)(tag + 1) : NULL; 4420} 4421 4422static struct ipsec_tag * 4423ipsec_findaux( 4424 struct mbuf *m) 4425{ 4426 struct m_tag *tag; 4427 4428 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL); 4429 4430 return tag ? (struct ipsec_tag*)(tag + 1) : NULL; 4431} 4432 4433void 4434ipsec_delaux( 4435 struct mbuf *m) 4436{ 4437 struct m_tag *tag; 4438 4439 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL); 4440 4441 if (tag) { 4442 m_tag_delete(m, tag); 4443 } 4444} 4445 4446/* if the aux buffer is unnecessary, nuke it. */ 4447static void 4448ipsec_optaux( 4449 struct mbuf *m, 4450 struct ipsec_tag *itag) 4451{ 4452 if (itag && itag->socket == NULL && itag->history_count == 0) { 4453 m_tag_delete(m, ((struct m_tag*)itag) - 1); 4454 } 4455} 4456 4457int 4458ipsec_setsocket( 4459 struct mbuf *m, 4460 struct socket *so) 4461{ 4462 struct ipsec_tag *tag; 4463 4464 /* if so == NULL, don't insist on getting the aux mbuf */ 4465 if (so) { 4466 tag = ipsec_addaux(m); 4467 if (!tag) 4468 return ENOBUFS; 4469 } else 4470 tag = ipsec_findaux(m); 4471 if (tag) { 4472 tag->socket = so; 4473 ipsec_optaux(m, tag); 4474 } 4475 return 0; 4476} 4477 4478struct socket * 4479ipsec_getsocket( 4480 struct mbuf *m) 4481{ 4482 struct ipsec_tag *itag; 4483 4484 itag = ipsec_findaux(m); 4485 if (itag) 4486 return itag->socket; 4487 else 4488 return NULL; 4489} 4490 4491int 4492ipsec_addhist( 4493 struct mbuf *m, 4494 int proto, 4495 u_int32_t spi) 4496{ 4497 struct ipsec_tag *itag; 4498 struct ipsec_history *p; 4499 itag = ipsec_addaux(m); 4500 if (!itag) 4501 return ENOBUFS; 4502 if (itag->history_count == IPSEC_HISTORY_MAX) 4503 return ENOSPC; /* XXX */ 4504 4505 p = &itag->history[itag->history_count]; 4506 itag->history_count++; 4507 4508 bzero(p, sizeof(*p)); 4509 p->ih_proto = proto; 4510 p->ih_spi = spi; 4511 4512 return 0; 4513} 4514 4515struct ipsec_history * 4516ipsec_gethist( 4517 struct mbuf *m, 4518 int *lenp) 4519{ 4520 struct ipsec_tag *itag; 4521 4522 itag = ipsec_findaux(m); 4523 if (!itag) 4524 return NULL; 4525 if (itag->history_count == 0) 4526 return NULL; 4527 if (lenp) 4528 *lenp = (int)(itag->history_count * sizeof(struct ipsec_history)); 4529 return itag->history; 4530} 4531 4532void 4533ipsec_clearhist( 4534 struct mbuf *m) 4535{ 4536 struct ipsec_tag *itag; 4537 4538 itag = ipsec_findaux(m); 4539 if (itag) { 4540 itag->history_count = 0; 4541 } 4542 ipsec_optaux(m, itag); 4543} 4544 4545__private_extern__ int 4546ipsec_send_natt_keepalive( 4547 struct secasvar *sav) 4548{ 4549 struct mbuf *m; 4550 struct ip *ip; 4551 int error; 4552 struct ip_out_args ipoa = 4553 { IFSCOPE_NONE, { 0 }, IPOAF_SELECT_SRCIF, 0 }; 4554 struct route ro; 4555 4556 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 4557 4558 if ((esp_udp_encap_port & 0xFFFF) == 0 || sav->remote_ike_port == 0) return FALSE; 4559 4560 // natt timestamp may have changed... reverify 4561 if ((natt_now - sav->natt_last_activity) < natt_keepalive_interval) return FALSE; 4562 4563 if (sav->flags & SADB_X_EXT_ESP_KEEPALIVE) return FALSE; // don't send these from the kernel 4564 4565 m = m_gethdr(M_NOWAIT, MT_DATA); 4566 if (m == NULL) return FALSE; 4567 4568 ip = (__typeof__(ip))m_mtod(m); 4569 4570 // this sends one type of NATT keepalives (Type 1, ESP keepalives, aren't sent by kernel) 4571 if ((sav->flags & SADB_X_EXT_ESP_KEEPALIVE) == 0) { 4572 struct udphdr *uh; 4573 4574 /* 4575 * Type 2: a UDP packet complete with IP header. 4576 * We must do this because UDP output requires 4577 * an inpcb which we don't have. UDP packet 4578 * contains one byte payload. The byte is set 4579 * to 0xFF. 4580 */ 4581 uh = (__typeof__(uh))(void *)((char *)m_mtod(m) + sizeof(*ip)); 4582 m->m_len = sizeof(struct udpiphdr) + 1; 4583 bzero(m_mtod(m), m->m_len); 4584 m->m_pkthdr.len = m->m_len; 4585 4586 ip->ip_len = m->m_len; 4587 ip->ip_ttl = ip_defttl; 4588 ip->ip_p = IPPROTO_UDP; 4589 if (sav->sah->dir != IPSEC_DIR_INBOUND) { 4590 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; 4591 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; 4592 } else { 4593 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; 4594 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; 4595 } 4596 uh->uh_sport = htons((u_short)esp_udp_encap_port); 4597 uh->uh_dport = htons(sav->remote_ike_port); 4598 uh->uh_ulen = htons(1 + sizeof(*uh)); 4599 uh->uh_sum = 0; 4600 *(u_int8_t*)((char*)m_mtod(m) + sizeof(*ip) + sizeof(*uh)) = 0xFF; 4601 } 4602 4603 // grab sadb_mutex, to get a local copy of sah's route cache 4604 lck_mtx_lock(sadb_mutex); 4605 if (ROUTE_UNUSABLE(&sav->sah->sa_route) || 4606 rt_key(sav->sah->sa_route.ro_rt)->sa_family != AF_INET) 4607 ROUTE_RELEASE(&sav->sah->sa_route); 4608 4609 route_copyout(&ro, &sav->sah->sa_route, sizeof(ro)); 4610 lck_mtx_unlock(sadb_mutex); 4611 4612 error = ip_output(m, NULL, &ro, IP_OUTARGS | IP_NOIPSEC, NULL, &ipoa); 4613 4614 // grab sadb_mutex, to synchronize the sah's route cache with the local copy 4615 lck_mtx_lock(sadb_mutex); 4616 route_copyin(&ro, &sav->sah->sa_route, sizeof(ro)); 4617 lck_mtx_unlock(sadb_mutex); 4618 if (error == 0) { 4619 sav->natt_last_activity = natt_now; 4620 return TRUE; 4621 } 4622 return FALSE; 4623} 4624