1/* 2 * Copyright (c) 2008-2014 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28 29/* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $ */ 30/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ 31 32/* 33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 34 * All rights reserved. 35 * 36 * Redistribution and use in source and binary forms, with or without 37 * modification, are permitted provided that the following conditions 38 * are met: 39 * 1. Redistributions of source code must retain the above copyright 40 * notice, this list of conditions and the following disclaimer. 41 * 2. Redistributions in binary form must reproduce the above copyright 42 * notice, this list of conditions and the following disclaimer in the 43 * documentation and/or other materials provided with the distribution. 44 * 3. Neither the name of the project nor the names of its contributors 45 * may be used to endorse or promote products derived from this software 46 * without specific prior written permission. 47 * 48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 58 * SUCH DAMAGE. 59 */ 60 61/* 62 * IPsec controller part. 63 */ 64 65#include <sys/param.h> 66#include <sys/systm.h> 67#include <sys/malloc.h> 68#include <sys/mbuf.h> 69#include <sys/mcache.h> 70#include <sys/domain.h> 71#include <sys/protosw.h> 72#include <sys/socket.h> 73#include <sys/socketvar.h> 74#include <sys/errno.h> 75#include <sys/time.h> 76#include <sys/kernel.h> 77#include <sys/syslog.h> 78#include <sys/sysctl.h> 79#include <kern/locks.h> 80#include <sys/kauth.h> 81#include <libkern/OSAtomic.h> 82 83#include <net/if.h> 84#include <net/route.h> 85#include <net/if_ipsec.h> 86 87#include <netinet/in.h> 88#include <netinet/in_systm.h> 89#include <netinet/ip.h> 90#include <netinet/ip_var.h> 91#include <netinet/in_var.h> 92#include <netinet/udp.h> 93#include <netinet/udp_var.h> 94#include <netinet/ip_ecn.h> 95#if INET6 96#include <netinet6/ip6_ecn.h> 97#endif 98#include <netinet/tcp.h> 99#include <netinet/udp.h> 100 101#include <netinet/ip6.h> 102#if INET6 103#include <netinet6/ip6_var.h> 104#endif 105#include <netinet/in_pcb.h> 106#if INET6 107#include <netinet/icmp6.h> 108#endif 109 110#include <netinet6/ipsec.h> 111#if INET6 112#include <netinet6/ipsec6.h> 113#endif 114#include <netinet6/ah.h> 115#if INET6 116#include <netinet6/ah6.h> 117#endif 118#if IPSEC_ESP 119#include <netinet6/esp.h> 120#if INET6 121#include <netinet6/esp6.h> 122#endif 123#endif 124#include <netinet6/ipcomp.h> 125#if INET6 126#include <netinet6/ipcomp6.h> 127#endif 128#include <netkey/key.h> 129#include <netkey/keydb.h> 130#include <netkey/key_debug.h> 131 132#include <net/net_osdep.h> 133 134#if IPSEC_DEBUG 135int ipsec_debug = 1; 136#else 137int ipsec_debug = 0; 138#endif 139 140#include <sys/kdebug.h> 141#define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1) 142#define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3) 143#define DBG_FNC_GETPOL_SOCK NETDBG_CODE(DBG_NETIPSEC, (1 << 8)) 144#define DBG_FNC_GETPOL_ADDR NETDBG_CODE(DBG_NETIPSEC, (2 << 8)) 145#define DBG_FNC_IPSEC_OUT NETDBG_CODE(DBG_NETIPSEC, (3 << 8)) 146 147extern lck_mtx_t *sadb_mutex; 148 149struct ipsecstat ipsecstat; 150int ip4_ah_cleartos = 1; 151int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ 152int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ 153int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; 154int ip4_esp_net_deflev = IPSEC_LEVEL_USE; 155int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; 156int ip4_ah_net_deflev = IPSEC_LEVEL_USE; 157struct secpolicy ip4_def_policy; 158int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 159int ip4_esp_randpad = -1; 160int esp_udp_encap_port = 0; 161static int sysctl_def_policy SYSCTL_HANDLER_ARGS; 162extern int natt_keepalive_interval; 163extern u_int32_t natt_now; 164 165struct ipsec_tag; 166 167SYSCTL_DECL(_net_inet_ipsec); 168#if INET6 169SYSCTL_DECL(_net_inet6_ipsec6); 170#endif 171/* net.inet.ipsec */ 172SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS, 173 stats, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsecstat, ipsecstat, ""); 174SYSCTL_PROC(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy, CTLTYPE_INT|CTLFLAG_RW | CTLFLAG_LOCKED, 175 &ip4_def_policy.policy, 0, &sysctl_def_policy, "I", ""); 176SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 177 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_trans_deflev, 0, ""); 178SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 179 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_net_deflev, 0, ""); 180SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 181 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_trans_deflev, 0, ""); 182SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 183 CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_net_deflev, 0, ""); 184SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, 185 ah_cleartos, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_cleartos, 0, ""); 186SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, 187 ah_offsetmask, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_offsetmask, 0, ""); 188SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, 189 dfbit, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ipsec_dfbit, 0, ""); 190SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, 191 ecn, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ipsec_ecn, 0, ""); 192SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, 193 debug, CTLFLAG_RW | CTLFLAG_LOCKED, &ipsec_debug, 0, ""); 194SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD, 195 esp_randpad, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_randpad, 0, ""); 196 197/* for performance, we bypass ipsec until a security policy is set */ 198int ipsec_bypass = 1; 199SYSCTL_INT(_net_inet_ipsec, OID_AUTO, bypass, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsec_bypass,0, ""); 200 201/* 202 * NAT Traversal requires a UDP port for encapsulation, 203 * esp_udp_encap_port controls which port is used. Racoon 204 * must set this port to the port racoon is using locally 205 * for nat traversal. 206 */ 207SYSCTL_INT(_net_inet_ipsec, OID_AUTO, esp_port, 208 CTLFLAG_RW | CTLFLAG_LOCKED, &esp_udp_encap_port, 0, ""); 209 210#if INET6 211struct ipsecstat ipsec6stat; 212int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; 213int ip6_esp_net_deflev = IPSEC_LEVEL_USE; 214int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 215int ip6_ah_net_deflev = IPSEC_LEVEL_USE; 216struct secpolicy ip6_def_policy; 217int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 218int ip6_esp_randpad = -1; 219 220/* net.inet6.ipsec6 */ 221SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, 222 stats, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsec6stat, ipsecstat, ""); 223SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, 224 def_policy, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_def_policy.policy, 0, ""); 225SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, 226 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_trans_deflev, 0, ""); 227SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, 228 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_net_deflev, 0, ""); 229SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, 230 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ah_trans_deflev, 0, ""); 231SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, 232 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ah_net_deflev, 0, ""); 233SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, 234 ecn, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ipsec_ecn, 0, ""); 235SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, 236 debug, CTLFLAG_RW | CTLFLAG_LOCKED, &ipsec_debug, 0, ""); 237SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, 238 esp_randpad, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_randpad, 0, ""); 239#endif /* INET6 */ 240 241static int ipsec_setspidx_interface(struct secpolicyindex *, u_int, struct mbuf *, 242 int, int, int); 243static int ipsec_setspidx_mbuf(struct secpolicyindex *, u_int, u_int, 244 struct mbuf *, int); 245static int ipsec4_setspidx_inpcb(struct mbuf *, struct inpcb *pcb); 246#if INET6 247static int ipsec6_setspidx_in6pcb(struct mbuf *, struct in6pcb *pcb); 248#endif 249static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int, int); 250static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int); 251static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *); 252#if INET6 253static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int); 254static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *); 255#endif 256static struct inpcbpolicy *ipsec_newpcbpolicy(void); 257static void ipsec_delpcbpolicy(struct inpcbpolicy *); 258static struct secpolicy *ipsec_deepcopy_policy(struct secpolicy *src); 259static int ipsec_set_policy(struct secpolicy **pcb_sp, 260 int optname, caddr_t request, size_t len, int priv); 261static void vshiftl(unsigned char *, int, int); 262static int ipsec_in_reject(struct secpolicy *, struct mbuf *); 263#if INET6 264static int ipsec64_encapsulate(struct mbuf *, struct secasvar *); 265#endif 266static struct ipsec_tag *ipsec_addaux(struct mbuf *); 267static struct ipsec_tag *ipsec_findaux(struct mbuf *); 268static void ipsec_optaux(struct mbuf *, struct ipsec_tag *); 269int ipsec_send_natt_keepalive(struct secasvar *sav); 270bool ipsec_fill_offload_frame(ifnet_t ifp, struct secasvar *sav, struct ipsec_offload_frame *frame, size_t frame_data_offset); 271 272static int 273sysctl_def_policy SYSCTL_HANDLER_ARGS 274{ 275 int old_policy = ip4_def_policy.policy; 276 int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req); 277 278#pragma unused(arg1, arg2) 279 280 if (ip4_def_policy.policy != IPSEC_POLICY_NONE && 281 ip4_def_policy.policy != IPSEC_POLICY_DISCARD) { 282 ip4_def_policy.policy = old_policy; 283 return EINVAL; 284 } 285 286 /* Turn off the bypass if the default security policy changes */ 287 if (ipsec_bypass != 0 && ip4_def_policy.policy != IPSEC_POLICY_NONE) 288 ipsec_bypass = 0; 289 290 return error; 291} 292 293/* 294 * For OUTBOUND packet having a socket. Searching SPD for packet, 295 * and return a pointer to SP. 296 * OUT: NULL: no apropreate SP found, the following value is set to error. 297 * 0 : bypass 298 * EACCES : discard packet. 299 * ENOENT : ipsec_acquire() in progress, maybe. 300 * others : error occurred. 301 * others: a pointer to SP 302 * 303 * NOTE: IPv6 mapped adddress concern is implemented here. 304 */ 305struct secpolicy * 306ipsec4_getpolicybysock(struct mbuf *m, 307 u_int dir, 308 struct socket *so, 309 int *error) 310{ 311 struct inpcbpolicy *pcbsp = NULL; 312 struct secpolicy *currsp = NULL; /* policy on socket */ 313 struct secpolicy *kernsp = NULL; /* policy on kernel */ 314 315 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 316 /* sanity check */ 317 if (m == NULL || so == NULL || error == NULL) 318 panic("ipsec4_getpolicybysock: NULL pointer was passed.\n"); 319 320 if (so->so_pcb == NULL) { 321 printf("ipsec4_getpolicybysock: so->so_pcb == NULL\n"); 322 return ipsec4_getpolicybyaddr(m, dir, 0, error); 323 } 324 325 switch (SOCK_DOM(so)) { 326 case PF_INET: 327 pcbsp = sotoinpcb(so)->inp_sp; 328 break; 329#if INET6 330 case PF_INET6: 331 pcbsp = sotoin6pcb(so)->in6p_sp; 332 break; 333#endif 334 } 335 336 if (!pcbsp){ 337 /* Socket has not specified an IPSEC policy */ 338 return ipsec4_getpolicybyaddr(m, dir, 0, error); 339 } 340 341 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_START, 0,0,0,0,0); 342 343 switch (SOCK_DOM(so)) { 344 case PF_INET: 345 /* set spidx in pcb */ 346 *error = ipsec4_setspidx_inpcb(m, sotoinpcb(so)); 347 break; 348#if INET6 349 case PF_INET6: 350 /* set spidx in pcb */ 351 *error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so)); 352 break; 353#endif 354 default: 355 panic("ipsec4_getpolicybysock: unsupported address family\n"); 356 } 357 if (*error) { 358 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 1,*error,0,0,0); 359 return NULL; 360 } 361 362 /* sanity check */ 363 if (pcbsp == NULL) 364 panic("ipsec4_getpolicybysock: pcbsp is NULL.\n"); 365 366 switch (dir) { 367 case IPSEC_DIR_INBOUND: 368 currsp = pcbsp->sp_in; 369 break; 370 case IPSEC_DIR_OUTBOUND: 371 currsp = pcbsp->sp_out; 372 break; 373 default: 374 panic("ipsec4_getpolicybysock: illegal direction.\n"); 375 } 376 377 /* sanity check */ 378 if (currsp == NULL) 379 panic("ipsec4_getpolicybysock: currsp is NULL.\n"); 380 381 /* when privilieged socket */ 382 if (pcbsp->priv) { 383 switch (currsp->policy) { 384 case IPSEC_POLICY_BYPASS: 385 lck_mtx_lock(sadb_mutex); 386 currsp->refcnt++; 387 lck_mtx_unlock(sadb_mutex); 388 *error = 0; 389 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 2,*error,0,0,0); 390 return currsp; 391 392 case IPSEC_POLICY_ENTRUST: 393 /* look for a policy in SPD */ 394 kernsp = key_allocsp(&currsp->spidx, dir); 395 396 /* SP found */ 397 if (kernsp != NULL) { 398 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 399 printf("DP ipsec4_getpolicybysock called " 400 "to allocate SP:0x%llx\n", 401 (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); 402 *error = 0; 403 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 3,*error,0,0,0); 404 return kernsp; 405 } 406 407 /* no SP found */ 408 lck_mtx_lock(sadb_mutex); 409 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD 410 && ip4_def_policy.policy != IPSEC_POLICY_NONE) { 411 ipseclog((LOG_INFO, 412 "fixed system default policy: %d->%d\n", 413 ip4_def_policy.policy, IPSEC_POLICY_NONE)); 414 ip4_def_policy.policy = IPSEC_POLICY_NONE; 415 } 416 ip4_def_policy.refcnt++; 417 lck_mtx_unlock(sadb_mutex); 418 *error = 0; 419 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 4,*error,0,0,0); 420 return &ip4_def_policy; 421 422 case IPSEC_POLICY_IPSEC: 423 lck_mtx_lock(sadb_mutex); 424 currsp->refcnt++; 425 lck_mtx_unlock(sadb_mutex); 426 *error = 0; 427 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 5,*error,0,0,0); 428 return currsp; 429 430 default: 431 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 432 "Invalid policy for PCB %d\n", currsp->policy)); 433 *error = EINVAL; 434 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 6,*error,0,0,0); 435 return NULL; 436 } 437 /* NOTREACHED */ 438 } 439 440 /* when non-privilieged socket */ 441 /* look for a policy in SPD */ 442 kernsp = key_allocsp(&currsp->spidx, dir); 443 444 /* SP found */ 445 if (kernsp != NULL) { 446 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 447 printf("DP ipsec4_getpolicybysock called " 448 "to allocate SP:0x%llx\n", 449 (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); 450 *error = 0; 451 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 7,*error,0,0,0); 452 return kernsp; 453 } 454 455 /* no SP found */ 456 switch (currsp->policy) { 457 case IPSEC_POLICY_BYPASS: 458 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 459 "Illegal policy for non-priviliged defined %d\n", 460 currsp->policy)); 461 *error = EINVAL; 462 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 8,*error,0,0,0); 463 return NULL; 464 465 case IPSEC_POLICY_ENTRUST: 466 lck_mtx_lock(sadb_mutex); 467 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD 468 && ip4_def_policy.policy != IPSEC_POLICY_NONE) { 469 ipseclog((LOG_INFO, 470 "fixed system default policy: %d->%d\n", 471 ip4_def_policy.policy, IPSEC_POLICY_NONE)); 472 ip4_def_policy.policy = IPSEC_POLICY_NONE; 473 } 474 ip4_def_policy.refcnt++; 475 lck_mtx_unlock(sadb_mutex); 476 *error = 0; 477 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 9,*error,0,0,0); 478 return &ip4_def_policy; 479 480 case IPSEC_POLICY_IPSEC: 481 lck_mtx_lock(sadb_mutex); 482 currsp->refcnt++; 483 lck_mtx_unlock(sadb_mutex); 484 *error = 0; 485 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 10,*error,0,0,0); 486 return currsp; 487 488 default: 489 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " 490 "Invalid policy for PCB %d\n", currsp->policy)); 491 *error = EINVAL; 492 KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 11,*error,0,0,0); 493 return NULL; 494 } 495 /* NOTREACHED */ 496} 497 498/* 499 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 500 * and return a pointer to SP. 501 * OUT: positive: a pointer to the entry for security policy leaf matched. 502 * NULL: no apropreate SP found, the following value is set to error. 503 * 0 : bypass 504 * EACCES : discard packet. 505 * ENOENT : ipsec_acquire() in progress, maybe. 506 * others : error occurred. 507 */ 508struct secpolicy * 509ipsec4_getpolicybyaddr(struct mbuf *m, 510 u_int dir, 511 int flag, 512 int *error) 513{ 514 struct secpolicy *sp = NULL; 515 516 if (ipsec_bypass != 0) 517 return 0; 518 519 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 520 521 /* sanity check */ 522 if (m == NULL || error == NULL) 523 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n"); 524 { 525 struct secpolicyindex spidx; 526 527 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0); 528 bzero(&spidx, sizeof(spidx)); 529 530 /* make a index to look for a policy */ 531 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m, 532 (flag & IP_FORWARDING) ? 0 : 1); 533 534 if (*error != 0) { 535 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,*error,0,0,0); 536 return NULL; 537 } 538 539 sp = key_allocsp(&spidx, dir); 540 } 541 542 /* SP found */ 543 if (sp != NULL) { 544 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 545 printf("DP ipsec4_getpolicybyaddr called " 546 "to allocate SP:0x%llx\n", 547 (uint64_t)VM_KERNEL_ADDRPERM(sp))); 548 *error = 0; 549 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,*error,0,0,0); 550 return sp; 551 } 552 553 /* no SP found */ 554 lck_mtx_lock(sadb_mutex); 555 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD 556 && ip4_def_policy.policy != IPSEC_POLICY_NONE) { 557 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n", 558 ip4_def_policy.policy, 559 IPSEC_POLICY_NONE)); 560 ip4_def_policy.policy = IPSEC_POLICY_NONE; 561 } 562 ip4_def_policy.refcnt++; 563 lck_mtx_unlock(sadb_mutex); 564 *error = 0; 565 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 3,*error,0,0,0); 566 return &ip4_def_policy; 567} 568 569/* Match with bound interface rather than src addr. 570 * Unlike getpolicybyaddr, do not set the default policy. 571 * Return 0 if should continue processing, or -1 if packet 572 * should be dropped. 573 */ 574int 575ipsec4_getpolicybyinterface(struct mbuf *m, 576 u_int dir, 577 int *flags, 578 struct ip_out_args *ipoa, 579 struct secpolicy **sp) 580{ 581 struct secpolicyindex spidx; 582 int error = 0; 583 584 if (ipsec_bypass != 0) 585 return 0; 586 587 /* Sanity check */ 588 if (m == NULL || ipoa == NULL || sp == NULL) 589 panic("ipsec4_getpolicybyinterface: NULL pointer was passed.\n"); 590 591 if (ipoa->ipoa_boundif == IFSCOPE_NONE) 592 return 0; 593 594 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0); 595 bzero(&spidx, sizeof(spidx)); 596 597 /* make a index to look for a policy */ 598 error = ipsec_setspidx_interface(&spidx, dir, m, (*flags & IP_FORWARDING) ? 0 : 1, 599 ipoa->ipoa_boundif, 4); 600 601 if (error != 0) { 602 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,error,0,0,0); 603 return 0; 604 } 605 606 *sp = key_allocsp(&spidx, dir); 607 608 /* Return SP, whether NULL or not */ 609 if (*sp != NULL && (*sp)->policy == IPSEC_POLICY_IPSEC) { 610 if ((*sp)->ipsec_if == NULL) { 611 /* Invalid to capture on an interface without redirect */ 612 key_freesp(*sp, KEY_SADB_UNLOCKED); 613 *sp = NULL; 614 return -1; 615 } else if ((*sp)->disabled) { 616 /* Disabled policies go in the clear */ 617 key_freesp(*sp, KEY_SADB_UNLOCKED); 618 *sp = NULL; 619 *flags |= IP_NOIPSEC; /* Avoid later IPSec check */ 620 } else { 621 /* If policy is enabled, redirect to ipsec interface */ 622 ipoa->ipoa_boundif = (*sp)->ipsec_if->if_index; 623 } 624 } 625 626 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,error,0,0,0); 627 628 return 0; 629} 630 631 632#if INET6 633/* 634 * For OUTBOUND packet having a socket. Searching SPD for packet, 635 * and return a pointer to SP. 636 * OUT: NULL: no apropreate SP found, the following value is set to error. 637 * 0 : bypass 638 * EACCES : discard packet. 639 * ENOENT : ipsec_acquire() in progress, maybe. 640 * others : error occurred. 641 * others: a pointer to SP 642 */ 643struct secpolicy * 644ipsec6_getpolicybysock(struct mbuf *m, 645 u_int dir, 646 struct socket *so, 647 int *error) 648{ 649 struct inpcbpolicy *pcbsp = NULL; 650 struct secpolicy *currsp = NULL; /* policy on socket */ 651 struct secpolicy *kernsp = NULL; /* policy on kernel */ 652 653 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 654 655 /* sanity check */ 656 if (m == NULL || so == NULL || error == NULL) 657 panic("ipsec6_getpolicybysock: NULL pointer was passed.\n"); 658 659#if DIAGNOSTIC 660 if (SOCK_DOM(so) != PF_INET6) 661 panic("ipsec6_getpolicybysock: socket domain != inet6\n"); 662#endif 663 664 pcbsp = sotoin6pcb(so)->in6p_sp; 665 666 if (!pcbsp){ 667 return ipsec6_getpolicybyaddr(m, dir, 0, error); 668 } 669 670 /* set spidx in pcb */ 671 ipsec6_setspidx_in6pcb(m, sotoin6pcb(so)); 672 673 /* sanity check */ 674 if (pcbsp == NULL) 675 panic("ipsec6_getpolicybysock: pcbsp is NULL.\n"); 676 677 switch (dir) { 678 case IPSEC_DIR_INBOUND: 679 currsp = pcbsp->sp_in; 680 break; 681 case IPSEC_DIR_OUTBOUND: 682 currsp = pcbsp->sp_out; 683 break; 684 default: 685 panic("ipsec6_getpolicybysock: illegal direction.\n"); 686 } 687 688 /* sanity check */ 689 if (currsp == NULL) 690 panic("ipsec6_getpolicybysock: currsp is NULL.\n"); 691 692 /* when privilieged socket */ 693 if (pcbsp->priv) { 694 switch (currsp->policy) { 695 case IPSEC_POLICY_BYPASS: 696 lck_mtx_lock(sadb_mutex); 697 currsp->refcnt++; 698 lck_mtx_unlock(sadb_mutex); 699 *error = 0; 700 return currsp; 701 702 case IPSEC_POLICY_ENTRUST: 703 /* look for a policy in SPD */ 704 kernsp = key_allocsp(&currsp->spidx, dir); 705 706 /* SP found */ 707 if (kernsp != NULL) { 708 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 709 printf("DP ipsec6_getpolicybysock called " 710 "to allocate SP:0x%llx\n", 711 (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); 712 *error = 0; 713 return kernsp; 714 } 715 716 /* no SP found */ 717 lck_mtx_lock(sadb_mutex); 718 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD 719 && ip6_def_policy.policy != IPSEC_POLICY_NONE) { 720 ipseclog((LOG_INFO, 721 "fixed system default policy: %d->%d\n", 722 ip6_def_policy.policy, IPSEC_POLICY_NONE)); 723 ip6_def_policy.policy = IPSEC_POLICY_NONE; 724 } 725 ip6_def_policy.refcnt++; 726 lck_mtx_unlock(sadb_mutex); 727 *error = 0; 728 return &ip6_def_policy; 729 730 case IPSEC_POLICY_IPSEC: 731 lck_mtx_lock(sadb_mutex); 732 currsp->refcnt++; 733 lck_mtx_unlock(sadb_mutex); 734 *error = 0; 735 return currsp; 736 737 default: 738 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " 739 "Invalid policy for PCB %d\n", currsp->policy)); 740 *error = EINVAL; 741 return NULL; 742 } 743 /* NOTREACHED */ 744 } 745 746 /* when non-privilieged socket */ 747 /* look for a policy in SPD */ 748 kernsp = key_allocsp(&currsp->spidx, dir); 749 750 /* SP found */ 751 if (kernsp != NULL) { 752 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 753 printf("DP ipsec6_getpolicybysock called " 754 "to allocate SP:0x%llx\n", 755 (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); 756 *error = 0; 757 return kernsp; 758 } 759 760 /* no SP found */ 761 switch (currsp->policy) { 762 case IPSEC_POLICY_BYPASS: 763 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " 764 "Illegal policy for non-priviliged defined %d\n", 765 currsp->policy)); 766 *error = EINVAL; 767 return NULL; 768 769 case IPSEC_POLICY_ENTRUST: 770 lck_mtx_lock(sadb_mutex); 771 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD 772 && ip6_def_policy.policy != IPSEC_POLICY_NONE) { 773 ipseclog((LOG_INFO, 774 "fixed system default policy: %d->%d\n", 775 ip6_def_policy.policy, IPSEC_POLICY_NONE)); 776 ip6_def_policy.policy = IPSEC_POLICY_NONE; 777 } 778 ip6_def_policy.refcnt++; 779 lck_mtx_unlock(sadb_mutex); 780 *error = 0; 781 return &ip6_def_policy; 782 783 case IPSEC_POLICY_IPSEC: 784 lck_mtx_lock(sadb_mutex); 785 currsp->refcnt++; 786 lck_mtx_unlock(sadb_mutex); 787 *error = 0; 788 return currsp; 789 790 default: 791 ipseclog((LOG_ERR, 792 "ipsec6_policybysock: Invalid policy for PCB %d\n", 793 currsp->policy)); 794 *error = EINVAL; 795 return NULL; 796 } 797 /* NOTREACHED */ 798} 799 800/* 801 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 802 * and return a pointer to SP. 803 * `flag' means that packet is to be forwarded whether or not. 804 * flag = 1: forwad 805 * OUT: positive: a pointer to the entry for security policy leaf matched. 806 * NULL: no apropreate SP found, the following value is set to error. 807 * 0 : bypass 808 * EACCES : discard packet. 809 * ENOENT : ipsec_acquire() in progress, maybe. 810 * others : error occurred. 811 */ 812#ifndef IP_FORWARDING 813#define IP_FORWARDING 1 814#endif 815 816struct secpolicy * 817ipsec6_getpolicybyaddr(struct mbuf *m, 818 u_int dir, 819 int flag, 820 int *error) 821{ 822 struct secpolicy *sp = NULL; 823 824 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 825 826 /* sanity check */ 827 if (m == NULL || error == NULL) 828 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n"); 829 830 { 831 struct secpolicyindex spidx; 832 833 bzero(&spidx, sizeof(spidx)); 834 835 /* make a index to look for a policy */ 836 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m, 837 (flag & IP_FORWARDING) ? 0 : 1); 838 839 if (*error != 0) 840 return NULL; 841 842 sp = key_allocsp(&spidx, dir); 843 } 844 845 /* SP found */ 846 if (sp != NULL) { 847 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 848 printf("DP ipsec6_getpolicybyaddr called " 849 "to allocate SP:0x%llx\n", 850 (uint64_t)VM_KERNEL_ADDRPERM(sp))); 851 *error = 0; 852 return sp; 853 } 854 855 /* no SP found */ 856 lck_mtx_lock(sadb_mutex); 857 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD 858 && ip6_def_policy.policy != IPSEC_POLICY_NONE) { 859 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n", 860 ip6_def_policy.policy, IPSEC_POLICY_NONE)); 861 ip6_def_policy.policy = IPSEC_POLICY_NONE; 862 } 863 ip6_def_policy.refcnt++; 864 lck_mtx_unlock(sadb_mutex); 865 *error = 0; 866 return &ip6_def_policy; 867} 868 869/* Match with bound interface rather than src addr. 870 * Unlike getpolicybyaddr, do not set the default policy. 871 * Return 0 if should continue processing, or -1 if packet 872 * should be dropped. 873 */ 874int 875ipsec6_getpolicybyinterface(struct mbuf *m, 876 u_int dir, 877 int flag, 878 struct ip6_out_args *ip6oap, 879 int *noipsec, 880 struct secpolicy **sp) 881{ 882 struct secpolicyindex spidx; 883 int error = 0; 884 885 if (ipsec_bypass != 0) 886 return 0; 887 888 /* Sanity check */ 889 if (m == NULL || sp == NULL || noipsec == NULL || ip6oap == NULL) 890 panic("ipsec6_getpolicybyinterface: NULL pointer was passed.\n"); 891 892 *noipsec = 0; 893 894 if (ip6oap->ip6oa_boundif == IFSCOPE_NONE) 895 return 0; 896 897 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0); 898 bzero(&spidx, sizeof(spidx)); 899 900 /* make a index to look for a policy */ 901 error = ipsec_setspidx_interface(&spidx, dir, m, (flag & IP_FORWARDING) ? 0 : 1, 902 ip6oap->ip6oa_boundif, 6); 903 904 if (error != 0) { 905 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,error,0,0,0); 906 return 0; 907 } 908 909 *sp = key_allocsp(&spidx, dir); 910 911 /* Return SP, whether NULL or not */ 912 if (*sp != NULL && (*sp)->policy == IPSEC_POLICY_IPSEC) { 913 if ((*sp)->ipsec_if == NULL) { 914 /* Invalid to capture on an interface without redirect */ 915 key_freesp(*sp, KEY_SADB_UNLOCKED); 916 *sp = NULL; 917 return -1; 918 } else if ((*sp)->disabled) { 919 /* Disabled policies go in the clear */ 920 key_freesp(*sp, KEY_SADB_UNLOCKED); 921 *sp = NULL; 922 *noipsec = 1; /* Avoid later IPSec check */ 923 } else { 924 /* If policy is enabled, redirect to ipsec interface */ 925 ip6oap->ip6oa_boundif = (*sp)->ipsec_if->if_index; 926 } 927 } 928 929 KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,*error,0,0,0); 930 931 return 0; 932} 933#endif /* INET6 */ 934 935/* 936 * set IP address into spidx from mbuf. 937 * When Forwarding packet and ICMP echo reply, this function is used. 938 * 939 * IN: get the followings from mbuf. 940 * protocol family, src, dst, next protocol 941 * OUT: 942 * 0: success. 943 * other: failure, and set errno. 944 */ 945static int 946ipsec_setspidx_mbuf( 947 struct secpolicyindex *spidx, 948 u_int dir, 949 __unused u_int family, 950 struct mbuf *m, 951 int needport) 952{ 953 int error; 954 955 /* sanity check */ 956 if (spidx == NULL || m == NULL) 957 panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n"); 958 959 bzero(spidx, sizeof(*spidx)); 960 961 error = ipsec_setspidx(m, spidx, needport, 0); 962 if (error) 963 goto bad; 964 spidx->dir = dir; 965 966 return 0; 967 968 bad: 969 /* XXX initialize */ 970 bzero(spidx, sizeof(*spidx)); 971 return EINVAL; 972} 973 974static int 975ipsec_setspidx_interface( 976 struct secpolicyindex *spidx, 977 u_int dir, 978 struct mbuf *m, 979 int needport, 980 int ifindex, 981 int ip_version) 982{ 983 int error; 984 985 /* sanity check */ 986 if (spidx == NULL || m == NULL) 987 panic("ipsec_setspidx_interface: NULL pointer was passed.\n"); 988 989 bzero(spidx, sizeof(*spidx)); 990 991 error = ipsec_setspidx(m, spidx, needport, ip_version); 992 if (error) 993 goto bad; 994 spidx->dir = dir; 995 996 if (ifindex != 0) { 997 ifnet_head_lock_shared(); 998 spidx->internal_if = ifindex2ifnet[ifindex]; 999 ifnet_head_done(); 1000 } else { 1001 spidx->internal_if = NULL; 1002 } 1003 1004 return 0; 1005 1006bad: 1007 return EINVAL; 1008} 1009 1010static int 1011ipsec4_setspidx_inpcb(m, pcb) 1012struct mbuf *m; 1013struct inpcb *pcb; 1014{ 1015 struct secpolicyindex *spidx; 1016 int error; 1017 1018 if (ipsec_bypass != 0) 1019 return 0; 1020 1021 /* sanity check */ 1022 if (pcb == NULL) 1023 panic("ipsec4_setspidx_inpcb: no PCB found.\n"); 1024 if (pcb->inp_sp == NULL) 1025 panic("ipsec4_setspidx_inpcb: no inp_sp found.\n"); 1026 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL) 1027 panic("ipsec4_setspidx_inpcb: no sp_in/out found.\n"); 1028 1029 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx)); 1030 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx)); 1031 1032 spidx = &pcb->inp_sp->sp_in->spidx; 1033 error = ipsec_setspidx(m, spidx, 1, 0); 1034 if (error) 1035 goto bad; 1036 spidx->dir = IPSEC_DIR_INBOUND; 1037 1038 spidx = &pcb->inp_sp->sp_out->spidx; 1039 error = ipsec_setspidx(m, spidx, 1, 0); 1040 if (error) 1041 goto bad; 1042 spidx->dir = IPSEC_DIR_OUTBOUND; 1043 1044 return 0; 1045 1046bad: 1047 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx)); 1048 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx)); 1049 return error; 1050} 1051 1052#if INET6 1053static int 1054ipsec6_setspidx_in6pcb(m, pcb) 1055struct mbuf *m; 1056struct in6pcb *pcb; 1057{ 1058 struct secpolicyindex *spidx; 1059 int error; 1060 1061 /* sanity check */ 1062 if (pcb == NULL) 1063 panic("ipsec6_setspidx_in6pcb: no PCB found.\n"); 1064 if (pcb->in6p_sp == NULL) 1065 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.\n"); 1066 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL) 1067 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.\n"); 1068 1069 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx)); 1070 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx)); 1071 1072 spidx = &pcb->in6p_sp->sp_in->spidx; 1073 error = ipsec_setspidx(m, spidx, 1, 0); 1074 if (error) 1075 goto bad; 1076 spidx->dir = IPSEC_DIR_INBOUND; 1077 1078 spidx = &pcb->in6p_sp->sp_out->spidx; 1079 error = ipsec_setspidx(m, spidx, 1, 0); 1080 if (error) 1081 goto bad; 1082 spidx->dir = IPSEC_DIR_OUTBOUND; 1083 1084 return 0; 1085 1086bad: 1087 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx)); 1088 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx)); 1089 return error; 1090} 1091#endif 1092 1093/* 1094 * configure security policy index (src/dst/proto/sport/dport) 1095 * by looking at the content of mbuf. 1096 * the caller is responsible for error recovery (like clearing up spidx). 1097 */ 1098static int 1099ipsec_setspidx(struct mbuf *m, 1100 struct secpolicyindex *spidx, 1101 int needport, 1102 int force_ip_version) 1103{ 1104 struct ip *ip = NULL; 1105 struct ip ipbuf; 1106 u_int v; 1107 struct mbuf *n; 1108 int len; 1109 int error; 1110 1111 if (m == NULL) 1112 panic("ipsec_setspidx: m == 0 passed.\n"); 1113 1114 /* 1115 * validate m->m_pkthdr.len. we see incorrect length if we 1116 * mistakenly call this function with inconsistent mbuf chain 1117 * (like 4.4BSD tcp/udp processing). XXX should we panic here? 1118 */ 1119 len = 0; 1120 for (n = m; n; n = n->m_next) 1121 len += n->m_len; 1122 if (m->m_pkthdr.len != len) { 1123 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1124 printf("ipsec_setspidx: " 1125 "total of m_len(%d) != pkthdr.len(%d), " 1126 "ignored.\n", 1127 len, m->m_pkthdr.len)); 1128 return EINVAL; 1129 } 1130 1131 if (m->m_pkthdr.len < sizeof(struct ip)) { 1132 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1133 printf("ipsec_setspidx: " 1134 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n", 1135 m->m_pkthdr.len)); 1136 return EINVAL; 1137 } 1138 1139 if (m->m_len >= sizeof(*ip)) 1140 ip = mtod(m, struct ip *); 1141 else { 1142 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 1143 ip = &ipbuf; 1144 } 1145 1146 if (force_ip_version) { 1147 v = force_ip_version; 1148 } else { 1149#ifdef _IP_VHL 1150 v = _IP_VHL_V(ip->ip_vhl); 1151#else 1152 v = ip->ip_v; 1153#endif 1154 } 1155 switch (v) { 1156 case 4: 1157 error = ipsec4_setspidx_ipaddr(m, spidx); 1158 if (error) 1159 return error; 1160 ipsec4_get_ulp(m, spidx, needport); 1161 return 0; 1162#if INET6 1163 case 6: 1164 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 1165 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1166 printf("ipsec_setspidx: " 1167 "pkthdr.len(%d) < sizeof(struct ip6_hdr), " 1168 "ignored.\n", m->m_pkthdr.len)); 1169 return EINVAL; 1170 } 1171 error = ipsec6_setspidx_ipaddr(m, spidx); 1172 if (error) 1173 return error; 1174 ipsec6_get_ulp(m, spidx, needport); 1175 return 0; 1176#endif 1177 default: 1178 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1179 printf("ipsec_setspidx: " 1180 "unknown IP version %u, ignored.\n", v)); 1181 return EINVAL; 1182 } 1183} 1184 1185static void 1186ipsec4_get_ulp(m, spidx, needport) 1187 struct mbuf *m; 1188 struct secpolicyindex *spidx; 1189 int needport; 1190{ 1191 struct ip ip; 1192 struct ip6_ext ip6e; 1193 u_int8_t nxt; 1194 int off; 1195 struct tcphdr th; 1196 struct udphdr uh; 1197 1198 /* sanity check */ 1199 if (m == NULL) 1200 panic("ipsec4_get_ulp: NULL pointer was passed.\n"); 1201 if (m->m_pkthdr.len < sizeof(ip)) 1202 panic("ipsec4_get_ulp: too short\n"); 1203 1204 /* set default */ 1205 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1206 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY; 1207 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY; 1208 1209 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip); 1210 /* ip_input() flips it into host endian XXX need more checking */ 1211 if (ip.ip_off & (IP_MF | IP_OFFMASK)) 1212 return; 1213 1214 nxt = ip.ip_p; 1215#ifdef _IP_VHL 1216 off = _IP_VHL_HL(ip->ip_vhl) << 2; 1217#else 1218 off = ip.ip_hl << 2; 1219#endif 1220 while (off < m->m_pkthdr.len) { 1221 switch (nxt) { 1222 case IPPROTO_TCP: 1223 spidx->ul_proto = nxt; 1224 if (!needport) 1225 return; 1226 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1227 return; 1228 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1229 ((struct sockaddr_in *)&spidx->src)->sin_port = 1230 th.th_sport; 1231 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1232 th.th_dport; 1233 return; 1234 case IPPROTO_UDP: 1235 spidx->ul_proto = nxt; 1236 if (!needport) 1237 return; 1238 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1239 return; 1240 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1241 ((struct sockaddr_in *)&spidx->src)->sin_port = 1242 uh.uh_sport; 1243 ((struct sockaddr_in *)&spidx->dst)->sin_port = 1244 uh.uh_dport; 1245 return; 1246 case IPPROTO_AH: 1247 if (off + sizeof(ip6e) > m->m_pkthdr.len) 1248 return; 1249 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1250 off += (ip6e.ip6e_len + 2) << 2; 1251 nxt = ip6e.ip6e_nxt; 1252 break; 1253 case IPPROTO_ICMP: 1254 default: 1255 /* XXX intermediate headers??? */ 1256 spidx->ul_proto = nxt; 1257 return; 1258 } 1259 } 1260} 1261 1262/* assumes that m is sane */ 1263static int 1264ipsec4_setspidx_ipaddr(m, spidx) 1265 struct mbuf *m; 1266 struct secpolicyindex *spidx; 1267{ 1268 struct ip *ip = NULL; 1269 struct ip ipbuf; 1270 struct sockaddr_in *sin; 1271 1272 if (m->m_len >= sizeof(*ip)) 1273 ip = mtod(m, struct ip *); 1274 else { 1275 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 1276 ip = &ipbuf; 1277 } 1278 1279 sin = (struct sockaddr_in *)&spidx->src; 1280 bzero(sin, sizeof(*sin)); 1281 sin->sin_family = AF_INET; 1282 sin->sin_len = sizeof(struct sockaddr_in); 1283 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src)); 1284 spidx->prefs = sizeof(struct in_addr) << 3; 1285 1286 sin = (struct sockaddr_in *)&spidx->dst; 1287 bzero(sin, sizeof(*sin)); 1288 sin->sin_family = AF_INET; 1289 sin->sin_len = sizeof(struct sockaddr_in); 1290 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)); 1291 spidx->prefd = sizeof(struct in_addr) << 3; 1292 1293 return 0; 1294} 1295 1296#if INET6 1297static void 1298ipsec6_get_ulp(struct mbuf *m, 1299 struct secpolicyindex *spidx, 1300 int needport) 1301{ 1302 int off, nxt; 1303 struct tcphdr th; 1304 struct udphdr uh; 1305 1306 /* sanity check */ 1307 if (m == NULL) 1308 panic("ipsec6_get_ulp: NULL pointer was passed.\n"); 1309 1310 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1311 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m)); 1312 1313 /* set default */ 1314 spidx->ul_proto = IPSEC_ULPROTO_ANY; 1315 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; 1316 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; 1317 1318 nxt = -1; 1319 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 1320 if (off < 0 || m->m_pkthdr.len < off) 1321 return; 1322 1323 switch (nxt) { 1324 case IPPROTO_TCP: 1325 spidx->ul_proto = nxt; 1326 if (!needport) 1327 break; 1328 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 1329 break; 1330 m_copydata(m, off, sizeof(th), (caddr_t)&th); 1331 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; 1332 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; 1333 break; 1334 case IPPROTO_UDP: 1335 spidx->ul_proto = nxt; 1336 if (!needport) 1337 break; 1338 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 1339 break; 1340 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 1341 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; 1342 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; 1343 break; 1344 case IPPROTO_ICMPV6: 1345 default: 1346 /* XXX intermediate headers??? */ 1347 spidx->ul_proto = nxt; 1348 break; 1349 } 1350} 1351 1352/* assumes that m is sane */ 1353static int 1354ipsec6_setspidx_ipaddr(struct mbuf *m, 1355 struct secpolicyindex *spidx) 1356{ 1357 struct ip6_hdr *ip6 = NULL; 1358 struct ip6_hdr ip6buf; 1359 struct sockaddr_in6 *sin6; 1360 1361 if (m->m_len >= sizeof(*ip6)) 1362 ip6 = mtod(m, struct ip6_hdr *); 1363 else { 1364 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); 1365 ip6 = &ip6buf; 1366 } 1367 1368 sin6 = (struct sockaddr_in6 *)&spidx->src; 1369 bzero(sin6, sizeof(*sin6)); 1370 sin6->sin6_family = AF_INET6; 1371 sin6->sin6_len = sizeof(struct sockaddr_in6); 1372 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src)); 1373 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 1374 sin6->sin6_addr.s6_addr16[1] = 0; 1375 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); 1376 } 1377 spidx->prefs = sizeof(struct in6_addr) << 3; 1378 1379 sin6 = (struct sockaddr_in6 *)&spidx->dst; 1380 bzero(sin6, sizeof(*sin6)); 1381 sin6->sin6_family = AF_INET6; 1382 sin6->sin6_len = sizeof(struct sockaddr_in6); 1383 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst)); 1384 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 1385 sin6->sin6_addr.s6_addr16[1] = 0; 1386 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); 1387 } 1388 spidx->prefd = sizeof(struct in6_addr) << 3; 1389 1390 return 0; 1391} 1392#endif 1393 1394static struct inpcbpolicy * 1395ipsec_newpcbpolicy() 1396{ 1397 struct inpcbpolicy *p; 1398 1399 p = (struct inpcbpolicy *)_MALLOC(sizeof(*p), M_SECA, M_WAITOK); 1400 return p; 1401} 1402 1403static void 1404ipsec_delpcbpolicy(struct inpcbpolicy *p) 1405{ 1406 FREE(p, M_SECA); 1407} 1408 1409/* initialize policy in PCB */ 1410int 1411ipsec_init_policy(struct socket *so, 1412 struct inpcbpolicy **pcb_sp) 1413{ 1414 struct inpcbpolicy *new; 1415 1416 /* sanity check. */ 1417 if (so == NULL || pcb_sp == NULL) 1418 panic("ipsec_init_policy: NULL pointer was passed.\n"); 1419 1420 new = ipsec_newpcbpolicy(); 1421 if (new == NULL) { 1422 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n")); 1423 return ENOBUFS; 1424 } 1425 bzero(new, sizeof(*new)); 1426 1427#ifdef __APPLE__ 1428 if (kauth_cred_issuser(so->so_cred)) 1429#else 1430 if (so->so_cred != 0 && !suser(so->so_cred->pc_ucred, NULL)) 1431#endif 1432 new->priv = 1; 1433 else 1434 new->priv = 0; 1435 1436 if ((new->sp_in = key_newsp()) == NULL) { 1437 ipsec_delpcbpolicy(new); 1438 return ENOBUFS; 1439 } 1440 new->sp_in->state = IPSEC_SPSTATE_ALIVE; 1441 new->sp_in->policy = IPSEC_POLICY_ENTRUST; 1442 1443 if ((new->sp_out = key_newsp()) == NULL) { 1444 key_freesp(new->sp_in, KEY_SADB_UNLOCKED); 1445 ipsec_delpcbpolicy(new); 1446 return ENOBUFS; 1447 } 1448 new->sp_out->state = IPSEC_SPSTATE_ALIVE; 1449 new->sp_out->policy = IPSEC_POLICY_ENTRUST; 1450 1451 *pcb_sp = new; 1452 1453 return 0; 1454} 1455 1456/* copy old ipsec policy into new */ 1457int 1458ipsec_copy_policy(struct inpcbpolicy *old, 1459 struct inpcbpolicy *new) 1460{ 1461 struct secpolicy *sp; 1462 1463 if (ipsec_bypass != 0) 1464 return 0; 1465 1466 sp = ipsec_deepcopy_policy(old->sp_in); 1467 if (sp) { 1468 key_freesp(new->sp_in, KEY_SADB_UNLOCKED); 1469 new->sp_in = sp; 1470 } else 1471 return ENOBUFS; 1472 1473 sp = ipsec_deepcopy_policy(old->sp_out); 1474 if (sp) { 1475 key_freesp(new->sp_out, KEY_SADB_UNLOCKED); 1476 new->sp_out = sp; 1477 } else 1478 return ENOBUFS; 1479 1480 new->priv = old->priv; 1481 1482 return 0; 1483} 1484 1485/* deep-copy a policy in PCB */ 1486static struct secpolicy * 1487ipsec_deepcopy_policy(struct secpolicy *src) 1488{ 1489 struct ipsecrequest *newchain = NULL; 1490 struct ipsecrequest *p; 1491 struct ipsecrequest **q; 1492 struct ipsecrequest *r; 1493 struct secpolicy *dst; 1494 1495 if (src == NULL) 1496 return NULL; 1497 dst = key_newsp(); 1498 if (dst == NULL) 1499 return NULL; 1500 1501 /* 1502 * deep-copy IPsec request chain. This is required since struct 1503 * ipsecrequest is not reference counted. 1504 */ 1505 q = &newchain; 1506 for (p = src->req; p; p = p->next) { 1507 *q = (struct ipsecrequest *)_MALLOC(sizeof(struct ipsecrequest), 1508 M_SECA, M_WAITOK); 1509 if (*q == NULL) 1510 goto fail; 1511 bzero(*q, sizeof(**q)); 1512 (*q)->next = NULL; 1513 1514 (*q)->saidx.proto = p->saidx.proto; 1515 (*q)->saidx.mode = p->saidx.mode; 1516 (*q)->level = p->level; 1517 (*q)->saidx.reqid = p->saidx.reqid; 1518 1519 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src)); 1520 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst)); 1521 1522 (*q)->sp = dst; 1523 1524 q = &((*q)->next); 1525 } 1526 1527 dst->req = newchain; 1528 dst->state = src->state; 1529 dst->policy = src->policy; 1530 /* do not touch the refcnt fields */ 1531 1532 return dst; 1533 1534fail: 1535 for (p = newchain; p; p = r) { 1536 r = p->next; 1537 FREE(p, M_SECA); 1538 p = NULL; 1539 } 1540 key_freesp(dst, KEY_SADB_UNLOCKED); 1541 return NULL; 1542} 1543 1544/* set policy and ipsec request if present. */ 1545static int 1546ipsec_set_policy(struct secpolicy **pcb_sp, 1547 __unused int optname, 1548 caddr_t request, 1549 size_t len, 1550 int priv) 1551{ 1552 struct sadb_x_policy *xpl; 1553 struct secpolicy *newsp = NULL; 1554 int error; 1555 1556 /* sanity check. */ 1557 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL) 1558 return EINVAL; 1559 if (len < sizeof(*xpl)) 1560 return EINVAL; 1561 xpl = (struct sadb_x_policy *)(void *)request; 1562 1563 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1564 printf("ipsec_set_policy: passed policy\n"); 1565 kdebug_sadb_x_policy((struct sadb_ext *)xpl)); 1566 1567 /* check policy type */ 1568 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ 1569 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD 1570 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) 1571 return EINVAL; 1572 1573 /* check privileged socket */ 1574 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) 1575 return EACCES; 1576 1577 /* allocation new SP entry */ 1578 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) 1579 return error; 1580 1581 newsp->state = IPSEC_SPSTATE_ALIVE; 1582 1583 /* clear old SP and set new SP */ 1584 key_freesp(*pcb_sp, KEY_SADB_UNLOCKED); 1585 *pcb_sp = newsp; 1586 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1587 printf("ipsec_set_policy: new policy\n"); 1588 kdebug_secpolicy(newsp)); 1589 1590 return 0; 1591} 1592 1593int 1594ipsec4_set_policy(struct inpcb *inp, 1595 int optname, 1596 caddr_t request, 1597 size_t len, 1598 int priv) 1599{ 1600 struct sadb_x_policy *xpl; 1601 struct secpolicy **pcb_sp; 1602 int error = 0; 1603 struct sadb_x_policy xpl_aligned_buf; 1604 u_int8_t *xpl_unaligned; 1605 1606 /* sanity check. */ 1607 if (inp == NULL || request == NULL) 1608 return EINVAL; 1609 if (len < sizeof(*xpl)) 1610 return EINVAL; 1611 xpl = (struct sadb_x_policy *)(void *)request; 1612 1613 /* This is a new mbuf allocated by soopt_getm() */ 1614 if (IPSEC_IS_P2ALIGNED(xpl)) { 1615 xpl_unaligned = NULL; 1616 } else { 1617 xpl_unaligned = (__typeof__(xpl_unaligned))xpl; 1618 memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf)); 1619 xpl = (__typeof__(xpl))&xpl_aligned_buf; 1620 } 1621 1622 if (inp->inp_sp == NULL) { 1623 error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp); 1624 if (error) 1625 return error; 1626 } 1627 1628 /* select direction */ 1629 switch (xpl->sadb_x_policy_dir) { 1630 case IPSEC_DIR_INBOUND: 1631 pcb_sp = &inp->inp_sp->sp_in; 1632 break; 1633 case IPSEC_DIR_OUTBOUND: 1634 pcb_sp = &inp->inp_sp->sp_out; 1635 break; 1636 default: 1637 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", 1638 xpl->sadb_x_policy_dir)); 1639 return EINVAL; 1640 } 1641 1642 /* turn bypass off */ 1643 if (ipsec_bypass != 0) 1644 ipsec_bypass = 0; 1645 1646 return ipsec_set_policy(pcb_sp, optname, request, len, priv); 1647} 1648 1649/* delete policy in PCB */ 1650int 1651ipsec4_delete_pcbpolicy(struct inpcb *inp) 1652{ 1653 1654 /* sanity check. */ 1655 if (inp == NULL) 1656 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n"); 1657 1658 if (inp->inp_sp == NULL) 1659 return 0; 1660 1661 if (inp->inp_sp->sp_in != NULL) { 1662 key_freesp(inp->inp_sp->sp_in, KEY_SADB_UNLOCKED); 1663 inp->inp_sp->sp_in = NULL; 1664 } 1665 1666 if (inp->inp_sp->sp_out != NULL) { 1667 key_freesp(inp->inp_sp->sp_out, KEY_SADB_UNLOCKED); 1668 inp->inp_sp->sp_out = NULL; 1669 } 1670 1671 ipsec_delpcbpolicy(inp->inp_sp); 1672 inp->inp_sp = NULL; 1673 1674 return 0; 1675} 1676 1677#if INET6 1678int 1679ipsec6_set_policy(struct in6pcb *in6p, 1680 int optname, 1681 caddr_t request, 1682 size_t len, 1683 int priv) 1684{ 1685 struct sadb_x_policy *xpl; 1686 struct secpolicy **pcb_sp; 1687 int error = 0; 1688 struct sadb_x_policy xpl_aligned_buf; 1689 u_int8_t *xpl_unaligned; 1690 1691 /* sanity check. */ 1692 if (in6p == NULL || request == NULL) 1693 return EINVAL; 1694 if (len < sizeof(*xpl)) 1695 return EINVAL; 1696 xpl = (struct sadb_x_policy *)(void *)request; 1697 1698 /* This is a new mbuf allocated by soopt_getm() */ 1699 if (IPSEC_IS_P2ALIGNED(xpl)) { 1700 xpl_unaligned = NULL; 1701 } else { 1702 xpl_unaligned = (__typeof__(xpl_unaligned))xpl; 1703 memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf)); 1704 xpl = (__typeof__(xpl))&xpl_aligned_buf; 1705 } 1706 1707 if (in6p->in6p_sp == NULL) { 1708 error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp); 1709 if (error) 1710 return error; 1711 } 1712 1713 /* select direction */ 1714 switch (xpl->sadb_x_policy_dir) { 1715 case IPSEC_DIR_INBOUND: 1716 pcb_sp = &in6p->in6p_sp->sp_in; 1717 break; 1718 case IPSEC_DIR_OUTBOUND: 1719 pcb_sp = &in6p->in6p_sp->sp_out; 1720 break; 1721 default: 1722 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", 1723 xpl->sadb_x_policy_dir)); 1724 return EINVAL; 1725 } 1726 1727 return ipsec_set_policy(pcb_sp, optname, request, len, priv); 1728} 1729 1730int 1731ipsec6_delete_pcbpolicy(struct in6pcb *in6p) 1732{ 1733 1734 /* sanity check. */ 1735 if (in6p == NULL) 1736 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n"); 1737 1738 if (in6p->in6p_sp == NULL) 1739 return 0; 1740 1741 if (in6p->in6p_sp->sp_in != NULL) { 1742 key_freesp(in6p->in6p_sp->sp_in, KEY_SADB_UNLOCKED); 1743 in6p->in6p_sp->sp_in = NULL; 1744 } 1745 1746 if (in6p->in6p_sp->sp_out != NULL) { 1747 key_freesp(in6p->in6p_sp->sp_out, KEY_SADB_UNLOCKED); 1748 in6p->in6p_sp->sp_out = NULL; 1749 } 1750 1751 ipsec_delpcbpolicy(in6p->in6p_sp); 1752 in6p->in6p_sp = NULL; 1753 1754 return 0; 1755} 1756#endif 1757 1758/* 1759 * return current level. 1760 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 1761 */ 1762u_int 1763ipsec_get_reqlevel(isr) 1764 struct ipsecrequest *isr; 1765{ 1766 u_int level = 0; 1767 u_int esp_trans_deflev = 0, esp_net_deflev = 0, ah_trans_deflev = 0, ah_net_deflev = 0; 1768 1769 /* sanity check */ 1770 if (isr == NULL || isr->sp == NULL) 1771 panic("ipsec_get_reqlevel: NULL pointer is passed.\n"); 1772 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family 1773 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family) 1774 panic("ipsec_get_reqlevel: family mismatched.\n"); 1775 1776/* XXX note that we have ipseclog() expanded here - code sync issue */ 1777#define IPSEC_CHECK_DEFAULT(lev) \ 1778 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \ 1779 && (lev) != IPSEC_LEVEL_UNIQUE) \ 1780 ? (ipsec_debug \ 1781 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\ 1782 (lev), IPSEC_LEVEL_REQUIRE) \ 1783 : (void)0), \ 1784 (lev) = IPSEC_LEVEL_REQUIRE, \ 1785 (lev) \ 1786 : (lev)) 1787 1788 /* set default level */ 1789 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) { 1790#if INET 1791 case AF_INET: 1792 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev); 1793 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev); 1794 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev); 1795 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev); 1796 break; 1797#endif 1798#if INET6 1799 case AF_INET6: 1800 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev); 1801 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev); 1802 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev); 1803 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev); 1804 break; 1805#endif /* INET6 */ 1806 default: 1807 panic("key_get_reqlevel: Unknown family. %d\n", 1808 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family); 1809 } 1810 1811#undef IPSEC_CHECK_DEFAULT 1812 1813 /* set level */ 1814 switch (isr->level) { 1815 case IPSEC_LEVEL_DEFAULT: 1816 switch (isr->saidx.proto) { 1817 case IPPROTO_ESP: 1818 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1819 level = esp_net_deflev; 1820 else 1821 level = esp_trans_deflev; 1822 break; 1823 case IPPROTO_AH: 1824 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1825 level = ah_net_deflev; 1826 else 1827 level = ah_trans_deflev; 1828 break; 1829 case IPPROTO_IPCOMP: 1830 /* 1831 * we don't really care, as IPcomp document says that 1832 * we shouldn't compress small packets 1833 */ 1834 level = IPSEC_LEVEL_USE; 1835 break; 1836 default: 1837 panic("ipsec_get_reqlevel: " 1838 "Illegal protocol defined %u\n", 1839 isr->saidx.proto); 1840 } 1841 break; 1842 1843 case IPSEC_LEVEL_USE: 1844 case IPSEC_LEVEL_REQUIRE: 1845 level = isr->level; 1846 break; 1847 case IPSEC_LEVEL_UNIQUE: 1848 level = IPSEC_LEVEL_REQUIRE; 1849 break; 1850 1851 default: 1852 panic("ipsec_get_reqlevel: Illegal IPsec level %u\n", 1853 isr->level); 1854 } 1855 1856 return level; 1857} 1858 1859/* 1860 * Check AH/ESP integrity. 1861 * OUT: 1862 * 0: valid 1863 * 1: invalid 1864 */ 1865static int 1866ipsec_in_reject(sp, m) 1867 struct secpolicy *sp; 1868 struct mbuf *m; 1869{ 1870 struct ipsecrequest *isr; 1871 u_int level; 1872 int need_auth, need_conf, need_icv; 1873 1874 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1875 printf("ipsec_in_reject: using SP\n"); 1876 kdebug_secpolicy(sp)); 1877 1878 /* check policy */ 1879 switch (sp->policy) { 1880 case IPSEC_POLICY_DISCARD: 1881 case IPSEC_POLICY_GENERATE: 1882 return 1; 1883 case IPSEC_POLICY_BYPASS: 1884 case IPSEC_POLICY_NONE: 1885 return 0; 1886 1887 case IPSEC_POLICY_IPSEC: 1888 break; 1889 1890 case IPSEC_POLICY_ENTRUST: 1891 default: 1892 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy); 1893 } 1894 1895 need_auth = 0; 1896 need_conf = 0; 1897 need_icv = 0; 1898 1899 /* XXX should compare policy against ipsec header history */ 1900 1901 for (isr = sp->req; isr != NULL; isr = isr->next) { 1902 1903 /* get current level */ 1904 level = ipsec_get_reqlevel(isr); 1905 1906 switch (isr->saidx.proto) { 1907 case IPPROTO_ESP: 1908 if (level == IPSEC_LEVEL_REQUIRE) { 1909 need_conf++; 1910 1911#if 0 1912 /* this won't work with multiple input threads - isr->sav would change 1913 * with every packet and is not necessarily related to the current packet 1914 * being processed. If ESP processing is required - the esp code should 1915 * make sure that the integrity check is present and correct. I don't see 1916 * why it would be necessary to check for the presence of the integrity 1917 * check value here. I think this is just wrong. 1918 * isr->sav has been removed. 1919 * %%%%%% this needs to be re-worked at some point but I think the code below can 1920 * be ignored for now. 1921 */ 1922 if (isr->sav != NULL 1923 && isr->sav->flags == SADB_X_EXT_NONE 1924 && isr->sav->alg_auth != SADB_AALG_NONE) 1925 need_icv++; 1926#endif 1927 } 1928 break; 1929 case IPPROTO_AH: 1930 if (level == IPSEC_LEVEL_REQUIRE) { 1931 need_auth++; 1932 need_icv++; 1933 } 1934 break; 1935 case IPPROTO_IPCOMP: 1936 /* 1937 * we don't really care, as IPcomp document says that 1938 * we shouldn't compress small packets, IPComp policy 1939 * should always be treated as being in "use" level. 1940 */ 1941 break; 1942 } 1943 } 1944 1945 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1946 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n", 1947 need_auth, need_conf, need_icv, m->m_flags)); 1948 1949 if ((need_conf && !(m->m_flags & M_DECRYPTED)) 1950 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM)) 1951 || (need_auth && !(m->m_flags & M_AUTHIPHDR))) 1952 return 1; 1953 1954 return 0; 1955} 1956 1957/* 1958 * Check AH/ESP integrity. 1959 * This function is called from tcp_input(), udp_input(), 1960 * and {ah,esp}4_input for tunnel mode 1961 */ 1962int 1963ipsec4_in_reject_so(m, so) 1964 struct mbuf *m; 1965 struct socket *so; 1966{ 1967 struct secpolicy *sp = NULL; 1968 int error; 1969 int result; 1970 1971 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 1972 /* sanity check */ 1973 if (m == NULL) 1974 return 0; /* XXX should be panic ? */ 1975 1976 /* get SP for this packet. 1977 * When we are called from ip_forward(), we call 1978 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 1979 */ 1980 if (so == NULL) 1981 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 1982 else 1983 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 0, &error); 1984 1985 if (sp == NULL) 1986 return 0; /* XXX should be panic ? 1987 * -> No, there may be error. */ 1988 1989 result = ipsec_in_reject(sp, m); 1990 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 1991 printf("DP ipsec4_in_reject_so call free SP:0x%llx\n", 1992 (uint64_t)VM_KERNEL_ADDRPERM(sp))); 1993 key_freesp(sp, KEY_SADB_UNLOCKED); 1994 1995 return result; 1996} 1997 1998int 1999ipsec4_in_reject(m, inp) 2000 struct mbuf *m; 2001 struct inpcb *inp; 2002{ 2003 2004 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2005 if (inp == NULL) 2006 return ipsec4_in_reject_so(m, NULL); 2007 if (inp->inp_socket) 2008 return ipsec4_in_reject_so(m, inp->inp_socket); 2009 else 2010 panic("ipsec4_in_reject: invalid inpcb/socket"); 2011 2012 /* NOTREACHED */ 2013 return 0; 2014} 2015 2016#if INET6 2017/* 2018 * Check AH/ESP integrity. 2019 * This function is called from tcp6_input(), udp6_input(), 2020 * and {ah,esp}6_input for tunnel mode 2021 */ 2022int 2023ipsec6_in_reject_so(m, so) 2024 struct mbuf *m; 2025 struct socket *so; 2026{ 2027 struct secpolicy *sp = NULL; 2028 int error; 2029 int result; 2030 2031 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2032 /* sanity check */ 2033 if (m == NULL) 2034 return 0; /* XXX should be panic ? */ 2035 2036 /* get SP for this packet. 2037 * When we are called from ip_forward(), we call 2038 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. 2039 */ 2040 if (so == NULL) 2041 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 2042 else 2043 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 0, &error); 2044 2045 if (sp == NULL) 2046 return 0; /* XXX should be panic ? */ 2047 2048 result = ipsec_in_reject(sp, m); 2049 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2050 printf("DP ipsec6_in_reject_so call free SP:0x%llx\n", 2051 (uint64_t)VM_KERNEL_ADDRPERM(sp))); 2052 key_freesp(sp, KEY_SADB_UNLOCKED); 2053 2054 return result; 2055} 2056 2057int 2058ipsec6_in_reject(m, in6p) 2059 struct mbuf *m; 2060 struct in6pcb *in6p; 2061{ 2062 2063 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2064 if (in6p == NULL) 2065 return ipsec6_in_reject_so(m, NULL); 2066 if (in6p->in6p_socket) 2067 return ipsec6_in_reject_so(m, in6p->in6p_socket); 2068 else 2069 panic("ipsec6_in_reject: invalid in6p/socket"); 2070 2071 /* NOTREACHED */ 2072 return 0; 2073} 2074#endif 2075 2076/* 2077 * compute the byte size to be occupied by IPsec header. 2078 * in case it is tunneled, it includes the size of outer IP header. 2079 * NOTE: SP passed is free in this function. 2080 */ 2081size_t 2082ipsec_hdrsiz(sp) 2083 struct secpolicy *sp; 2084{ 2085 struct ipsecrequest *isr; 2086 size_t siz, clen; 2087 2088 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2089 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2090 printf("ipsec_hdrsiz: using SP\n"); 2091 kdebug_secpolicy(sp)); 2092 2093 /* check policy */ 2094 switch (sp->policy) { 2095 case IPSEC_POLICY_DISCARD: 2096 case IPSEC_POLICY_GENERATE: 2097 case IPSEC_POLICY_BYPASS: 2098 case IPSEC_POLICY_NONE: 2099 return 0; 2100 2101 case IPSEC_POLICY_IPSEC: 2102 break; 2103 2104 case IPSEC_POLICY_ENTRUST: 2105 default: 2106 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy); 2107 } 2108 2109 siz = 0; 2110 2111 for (isr = sp->req; isr != NULL; isr = isr->next) { 2112 2113 clen = 0; 2114 2115 switch (isr->saidx.proto) { 2116 case IPPROTO_ESP: 2117#if IPSEC_ESP 2118 clen = esp_hdrsiz(isr); 2119#else 2120 clen = 0; /*XXX*/ 2121#endif 2122 break; 2123 case IPPROTO_AH: 2124 clen = ah_hdrsiz(isr); 2125 break; 2126 case IPPROTO_IPCOMP: 2127 clen = sizeof(struct ipcomp); 2128 break; 2129 } 2130 2131 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 2132 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) { 2133 case AF_INET: 2134 clen += sizeof(struct ip); 2135 break; 2136#if INET6 2137 case AF_INET6: 2138 clen += sizeof(struct ip6_hdr); 2139 break; 2140#endif 2141 default: 2142 ipseclog((LOG_ERR, "ipsec_hdrsiz: " 2143 "unknown AF %d in IPsec tunnel SA\n", 2144 ((struct sockaddr *)&isr->saidx.dst)->sa_family)); 2145 break; 2146 } 2147 } 2148 siz += clen; 2149 } 2150 2151 return siz; 2152} 2153 2154/* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ 2155size_t 2156ipsec4_hdrsiz(m, dir, inp) 2157 struct mbuf *m; 2158 u_int dir; 2159 struct inpcb *inp; 2160{ 2161 struct secpolicy *sp = NULL; 2162 int error; 2163 size_t size; 2164 2165 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2166 /* sanity check */ 2167 if (m == NULL) 2168 return 0; /* XXX should be panic ? */ 2169 if (inp != NULL && inp->inp_socket == NULL) 2170 panic("ipsec4_hdrsize: why is socket NULL but there is PCB."); 2171 2172 /* get SP for this packet. 2173 * When we are called from ip_forward(), we call 2174 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. 2175 */ 2176 if (inp == NULL) 2177 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2178 else 2179 sp = ipsec4_getpolicybyaddr(m, dir, 0, &error); 2180 2181 if (sp == NULL) 2182 return 0; /* XXX should be panic ? */ 2183 2184 size = ipsec_hdrsiz(sp); 2185 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2186 printf("DP ipsec4_hdrsiz call free SP:0x%llx\n", 2187 (uint64_t)VM_KERNEL_ADDRPERM(sp))); 2188 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2189 printf("ipsec4_hdrsiz: size:%lu.\n", (u_int32_t)size)); 2190 key_freesp(sp, KEY_SADB_UNLOCKED); 2191 2192 return size; 2193} 2194 2195#if INET6 2196/* This function is called from ipsec6_hdrsize_tcp(), 2197 * and maybe from ip6_forward.() 2198 */ 2199size_t 2200ipsec6_hdrsiz(m, dir, in6p) 2201 struct mbuf *m; 2202 u_int dir; 2203 struct in6pcb *in6p; 2204{ 2205 struct secpolicy *sp = NULL; 2206 int error; 2207 size_t size; 2208 2209 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 2210 /* sanity check */ 2211 if (m == NULL) 2212 return 0; /* XXX shoud be panic ? */ 2213 if (in6p != NULL && in6p->in6p_socket == NULL) 2214 panic("ipsec6_hdrsize: why is socket NULL but there is PCB."); 2215 2216 /* get SP for this packet */ 2217 /* XXX Is it right to call with IP_FORWARDING. */ 2218 if (in6p == NULL) 2219 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 2220 else 2221 sp = ipsec6_getpolicybyaddr(m, dir, 0, &error); 2222 2223 if (sp == NULL) 2224 return 0; 2225 size = ipsec_hdrsiz(sp); 2226 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 2227 printf("DP ipsec6_hdrsiz call free SP:0x%llx\n", 2228 (uint64_t)VM_KERNEL_ADDRPERM(sp))); 2229 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 2230 printf("ipsec6_hdrsiz: size:%lu.\n", (u_int32_t)size)); 2231 key_freesp(sp, KEY_SADB_UNLOCKED); 2232 2233 return size; 2234} 2235#endif /*INET6*/ 2236 2237#if INET 2238/* 2239 * encapsulate for ipsec tunnel. 2240 * ip->ip_src must be fixed later on. 2241 */ 2242int 2243ipsec4_encapsulate(m, sav) 2244 struct mbuf *m; 2245 struct secasvar *sav; 2246{ 2247 struct ip *oip; 2248 struct ip *ip; 2249 size_t hlen; 2250 size_t plen; 2251 2252 /* can't tunnel between different AFs */ 2253 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2254 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2255 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2256 m_freem(m); 2257 return EINVAL; 2258 } 2259#if 0 2260 /* XXX if the dst is myself, perform nothing. */ 2261 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2262 m_freem(m); 2263 return EINVAL; 2264 } 2265#endif 2266 2267 if (m->m_len < sizeof(*ip)) 2268 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2269 2270 ip = mtod(m, struct ip *); 2271#ifdef _IP_VHL 2272 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 2273#else 2274 hlen = ip->ip_hl << 2; 2275#endif 2276 2277 if (m->m_len != hlen) 2278 panic("ipsec4_encapsulate: assumption failed (first mbuf length)"); 2279 2280 /* generate header checksum */ 2281 ip->ip_sum = 0; 2282#ifdef _IP_VHL 2283 ip->ip_sum = in_cksum(m, hlen); 2284#else 2285 ip->ip_sum = in_cksum(m, hlen); 2286#endif 2287 2288 plen = m->m_pkthdr.len; 2289 2290 /* 2291 * grow the mbuf to accomodate the new IPv4 header. 2292 * NOTE: IPv4 options will never be copied. 2293 */ 2294 if (M_LEADINGSPACE(m->m_next) < hlen) { 2295 struct mbuf *n; 2296 MGET(n, M_DONTWAIT, MT_DATA); 2297 if (!n) { 2298 m_freem(m); 2299 return ENOBUFS; 2300 } 2301 n->m_len = hlen; 2302 n->m_next = m->m_next; 2303 m->m_next = n; 2304 m->m_pkthdr.len += hlen; 2305 oip = mtod(n, struct ip *); 2306 } else { 2307 m->m_next->m_len += hlen; 2308 m->m_next->m_data -= hlen; 2309 m->m_pkthdr.len += hlen; 2310 oip = mtod(m->m_next, struct ip *); 2311 } 2312 ip = mtod(m, struct ip *); 2313 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen); 2314 m->m_len = sizeof(struct ip); 2315 m->m_pkthdr.len -= (hlen - sizeof(struct ip)); 2316 2317 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2318 /* ECN consideration. */ 2319 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2320#ifdef _IP_VHL 2321 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2); 2322#else 2323 ip->ip_hl = sizeof(struct ip) >> 2; 2324#endif 2325 ip->ip_off &= htons(~IP_OFFMASK); 2326 ip->ip_off &= htons(~IP_MF); 2327 switch (ip4_ipsec_dfbit) { 2328 case 0: /* clear DF bit */ 2329 ip->ip_off &= htons(~IP_DF); 2330 break; 2331 case 1: /* set DF bit */ 2332 ip->ip_off |= htons(IP_DF); 2333 break; 2334 default: /* copy DF bit */ 2335 break; 2336 } 2337 ip->ip_p = IPPROTO_IPIP; 2338 if (plen + sizeof(struct ip) < IP_MAXPACKET) 2339 ip->ip_len = htons(plen + sizeof(struct ip)); 2340 else { 2341 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2342 "leave ip_len as is (invalid packet)\n")); 2343 } 2344 ip->ip_id = ip_randomid(); 2345 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2346 &ip->ip_src, sizeof(ip->ip_src)); 2347 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2348 &ip->ip_dst, sizeof(ip->ip_dst)); 2349 ip->ip_ttl = IPDEFTTL; 2350 2351 /* XXX Should ip_src be updated later ? */ 2352 2353 return 0; 2354} 2355 2356/* 2357 * encapsulate for ipsec tunnel. 2358 * ip->ip_src must be fixed later on. 2359 */ 2360int 2361ipsec4_encapsulate_utun_esp_keepalive(m_ptr, sav) 2362 struct mbuf **m_ptr; 2363 struct secasvar *sav; 2364{ 2365 struct ip *ip; 2366 size_t plen; 2367 struct mbuf *m = *m_ptr; 2368 2369 /* can't tunnel between different AFs */ 2370 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2371 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2372 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2373 m_freem(m); 2374 *m_ptr = NULL; 2375 return EINVAL; 2376 } 2377 2378 plen = m->m_pkthdr.len; 2379 2380 /* 2381 * grow the mbuf to accomodate the new IPv4 header. 2382 * NOTE: IPv4 options will never be copied. 2383 */ 2384 { 2385 struct mbuf *n; 2386 MGETHDR(n, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 2387 if (!n) { 2388 m_freem(m); 2389 *m_ptr = NULL; 2390 return ENOBUFS; 2391 } 2392 if (m->m_flags & M_PKTHDR) { 2393 M_COPY_PKTHDR(n, m); 2394 m->m_flags &= ~M_PKTHDR; 2395 } 2396 MH_ALIGN(n, sizeof(*ip)); 2397 n->m_len = sizeof(*ip); 2398 n->m_next = m; 2399 n->m_pkthdr.len = (plen + n->m_len); 2400 m_fixhdr(m); 2401 m = n; 2402 *m_ptr = m; 2403 plen = m->m_pkthdr.len; 2404 } 2405 ip = mtod(m, __typeof__(ip)); 2406 2407 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2408 // ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2409#ifdef _IP_VHL 2410 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(*ip) >> 2); 2411#else 2412 ip->ip_hl = sizeof(*ip) >> 2; 2413#endif 2414 ip->ip_off &= htons(~IP_OFFMASK); 2415 ip->ip_off &= htons(~IP_MF); 2416 switch (ip4_ipsec_dfbit) { 2417 case 0: /* clear DF bit */ 2418 ip->ip_off &= htons(~IP_DF); 2419 break; 2420 case 1: /* set DF bit */ 2421 ip->ip_off |= htons(IP_DF); 2422 break; 2423 default: /* copy DF bit */ 2424 break; 2425 } 2426 ip->ip_p = IPPROTO_IPIP; 2427 if (plen < IP_MAXPACKET) 2428 ip->ip_len = htons(plen); 2429 else { 2430 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2431 "leave ip_len as is (invalid packet)\n")); 2432 } 2433 ip->ip_id = ip_randomid(); 2434 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2435 &ip->ip_src, sizeof(ip->ip_src)); 2436 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2437 &ip->ip_dst, sizeof(ip->ip_dst)); 2438 ip->ip_ttl = IPDEFTTL; 2439 2440 /* XXX Should ip_src be updated later ? */ 2441 2442 return 0; 2443} 2444#endif /*INET*/ 2445 2446#if INET6 2447int 2448ipsec6_encapsulate(m, sav) 2449 struct mbuf *m; 2450 struct secasvar *sav; 2451{ 2452 struct ip6_hdr *oip6; 2453 struct ip6_hdr *ip6; 2454 size_t plen; 2455 2456 /* can't tunnel between different AFs */ 2457 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2458 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2459 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { 2460 m_freem(m); 2461 return EINVAL; 2462 } 2463#if 0 2464 /* XXX if the dst is myself, perform nothing. */ 2465 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2466 m_freem(m); 2467 return EINVAL; 2468 } 2469#endif 2470 2471 plen = m->m_pkthdr.len; 2472 2473 /* 2474 * grow the mbuf to accomodate the new IPv6 header. 2475 */ 2476 if (m->m_len != sizeof(struct ip6_hdr)) 2477 panic("ipsec6_encapsulate: assumption failed (first mbuf length)"); 2478 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { 2479 struct mbuf *n; 2480 MGET(n, M_DONTWAIT, MT_DATA); 2481 if (!n) { 2482 m_freem(m); 2483 return ENOBUFS; 2484 } 2485 n->m_len = sizeof(struct ip6_hdr); 2486 n->m_next = m->m_next; 2487 m->m_next = n; 2488 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2489 oip6 = mtod(n, struct ip6_hdr *); 2490 } else { 2491 m->m_next->m_len += sizeof(struct ip6_hdr); 2492 m->m_next->m_data -= sizeof(struct ip6_hdr); 2493 m->m_pkthdr.len += sizeof(struct ip6_hdr); 2494 oip6 = mtod(m->m_next, struct ip6_hdr *); 2495 } 2496 ip6 = mtod(m, struct ip6_hdr *); 2497 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr)); 2498 2499 /* Fake link-local scope-class addresses */ 2500 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src)) 2501 oip6->ip6_src.s6_addr16[1] = 0; 2502 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst)) 2503 oip6->ip6_dst.s6_addr16[1] = 0; 2504 2505 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ 2506 /* ECN consideration. */ 2507 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow); 2508 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) 2509 ip6->ip6_plen = htons(plen); 2510 else { 2511 /* ip6->ip6_plen will be updated in ip6_output() */ 2512 } 2513 ip6->ip6_nxt = IPPROTO_IPV6; 2514 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr, 2515 &ip6->ip6_src, sizeof(ip6->ip6_src)); 2516 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr, 2517 &ip6->ip6_dst, sizeof(ip6->ip6_dst)); 2518 ip6->ip6_hlim = IPV6_DEFHLIM; 2519 2520 /* XXX Should ip6_src be updated later ? */ 2521 2522 return 0; 2523} 2524 2525static int 2526ipsec64_encapsulate(m, sav) 2527 struct mbuf *m; 2528 struct secasvar *sav; 2529{ 2530 struct ip6_hdr *ip6, *ip6i; 2531 struct ip *ip; 2532 size_t plen; 2533 u_int8_t hlim; 2534 2535 /* tunneling over IPv4 */ 2536 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2537 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2538 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 2539 m_freem(m); 2540 return EINVAL; 2541 } 2542#if 0 2543 /* XXX if the dst is myself, perform nothing. */ 2544 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { 2545 m_freem(m); 2546 return EINVAL; 2547 } 2548#endif 2549 2550 plen = m->m_pkthdr.len; 2551 ip6 = mtod(m, struct ip6_hdr *); 2552 hlim = ip6->ip6_hlim; 2553 /* 2554 * grow the mbuf to accomodate the new IPv4 header. 2555 */ 2556 if (m->m_len != sizeof(struct ip6_hdr)) 2557 panic("ipsec6_encapsulate: assumption failed (first mbuf length)"); 2558 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { 2559 struct mbuf *n; 2560 MGET(n, M_DONTWAIT, MT_DATA); 2561 if (!n) { 2562 m_freem(m); 2563 return ENOBUFS; 2564 } 2565 n->m_len = sizeof(struct ip6_hdr); 2566 n->m_next = m->m_next; 2567 m->m_next = n; 2568 m->m_pkthdr.len += sizeof(struct ip); 2569 ip6i = mtod(n, struct ip6_hdr *); 2570 } else { 2571 m->m_next->m_len += sizeof(struct ip6_hdr); 2572 m->m_next->m_data -= sizeof(struct ip6_hdr); 2573 m->m_pkthdr.len += sizeof(struct ip); 2574 ip6i = mtod(m->m_next, struct ip6_hdr *); 2575 } 2576 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ 2577 /* ECN consideration. */ 2578 /* XXX To be fixed later if needed */ 2579 // ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); 2580 2581 bcopy(ip6, ip6i, sizeof(struct ip6_hdr)); 2582 ip = mtod(m, struct ip *); 2583 m->m_len = sizeof(struct ip); 2584 /* 2585 * Fill in some of the IPv4 fields - we don't need all of them 2586 * because the rest will be filled in by ip_output 2587 */ 2588 ip->ip_v = IPVERSION; 2589 ip->ip_hl = sizeof(struct ip) >> 2; 2590 ip->ip_id = 0; 2591 ip->ip_sum = 0; 2592 ip->ip_tos = 0; 2593 ip->ip_off = 0; 2594 ip->ip_ttl = hlim; 2595 ip->ip_p = IPPROTO_IPV6; 2596 if (plen + sizeof(struct ip) < IP_MAXPACKET) 2597 ip->ip_len = htons(plen + sizeof(struct ip)); 2598 else { 2599 ip->ip_len = htons(plen); 2600 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " 2601 "leave ip_len as is (invalid packet)\n")); 2602 } 2603 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, 2604 &ip->ip_src, sizeof(ip->ip_src)); 2605 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, 2606 &ip->ip_dst, sizeof(ip->ip_dst)); 2607 2608 return 0; 2609} 2610 2611int 2612ipsec6_encapsulate_utun_esp_keepalive(m_ptr, sav) 2613 struct mbuf **m_ptr; 2614 struct secasvar *sav; 2615{ 2616 struct ip6_hdr *ip6; 2617 size_t plen; 2618 struct mbuf *m = *m_ptr; 2619 2620 /* can't tunnel between different AFs */ 2621 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2622 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family 2623 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { 2624 m_freem(m); 2625 *m_ptr = NULL; 2626 return EINVAL; 2627 } 2628 2629 plen = m->m_pkthdr.len; 2630 2631 /* 2632 * grow the mbuf to accomodate the new IPv6 header. 2633 */ 2634 { 2635 struct mbuf *n; 2636 MGETHDR(n, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 2637 if (!n) { 2638 m_freem(m); 2639 *m_ptr = NULL; 2640 return ENOBUFS; 2641 } 2642 if (m->m_flags & M_PKTHDR) { 2643 M_COPY_PKTHDR(n, m); 2644 m->m_flags &= ~M_PKTHDR; 2645 } 2646 MH_ALIGN(n, sizeof(*ip6)); 2647 n->m_len = sizeof(*ip6); 2648 n->m_next = m; 2649 n->m_pkthdr.len = (plen + n->m_len); 2650 m_fixhdr(m); 2651 m = n; 2652 *m_ptr = m; 2653 plen = m->m_pkthdr.len; 2654 } 2655 ip6 = mtod(m, __typeof__(ip6)); 2656 2657 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ 2658 if (plen < IPV6_MAXPACKET) 2659 ip6->ip6_plen = htons(plen); 2660 else { 2661 /* ip6->ip6_plen will be updated in ip6_output() */ 2662 } 2663 ip6->ip6_nxt = IPPROTO_IPV6; 2664 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr, 2665 &ip6->ip6_src, sizeof(ip6->ip6_src)); 2666 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr, 2667 &ip6->ip6_dst, sizeof(ip6->ip6_dst)); 2668 ip6->ip6_hlim = IPV6_DEFHLIM; 2669 2670 /* XXX Should ip6_src be updated later ? */ 2671 2672 return 0; 2673} 2674#endif /*INET6*/ 2675 2676/* 2677 * Check the variable replay window. 2678 * ipsec_chkreplay() performs replay check before ICV verification. 2679 * ipsec_updatereplay() updates replay bitmap. This must be called after 2680 * ICV verification (it also performs replay check, which is usually done 2681 * beforehand). 2682 * 0 (zero) is returned if packet disallowed, 1 if packet permitted. 2683 * 2684 * based on RFC 2401. 2685 */ 2686int 2687ipsec_chkreplay(seq, sav) 2688 u_int32_t seq; 2689 struct secasvar *sav; 2690{ 2691 const struct secreplay *replay; 2692 u_int32_t diff; 2693 int fr; 2694 u_int32_t wsizeb; /* constant: bits of window size */ 2695 int frlast; /* constant: last frame */ 2696 2697 2698 /* sanity check */ 2699 if (sav == NULL) 2700 panic("ipsec_chkreplay: NULL pointer was passed.\n"); 2701 2702 lck_mtx_lock(sadb_mutex); 2703 replay = sav->replay; 2704 2705 if (replay->wsize == 0) { 2706 lck_mtx_unlock(sadb_mutex); 2707 return 1; /* no need to check replay. */ 2708 } 2709 2710 /* constant */ 2711 frlast = replay->wsize - 1; 2712 wsizeb = replay->wsize << 3; 2713 2714 /* sequence number of 0 is invalid */ 2715 if (seq == 0) { 2716 lck_mtx_unlock(sadb_mutex); 2717 return 0; 2718 } 2719 2720 /* first time is always okay */ 2721 if (replay->count == 0) { 2722 lck_mtx_unlock(sadb_mutex); 2723 return 1; 2724 } 2725 2726 if (seq > replay->lastseq) { 2727 /* larger sequences are okay */ 2728 lck_mtx_unlock(sadb_mutex); 2729 return 1; 2730 } else { 2731 /* seq is equal or less than lastseq. */ 2732 diff = replay->lastseq - seq; 2733 2734 /* over range to check, i.e. too old or wrapped */ 2735 if (diff >= wsizeb) { 2736 lck_mtx_unlock(sadb_mutex); 2737 return 0; 2738 } 2739 2740 fr = frlast - diff / 8; 2741 2742 /* this packet already seen ? */ 2743 if ((replay->bitmap)[fr] & (1 << (diff % 8))) { 2744 lck_mtx_unlock(sadb_mutex); 2745 return 0; 2746 } 2747 2748 /* out of order but good */ 2749 lck_mtx_unlock(sadb_mutex); 2750 return 1; 2751 } 2752} 2753 2754/* 2755 * check replay counter whether to update or not. 2756 * OUT: 0: OK 2757 * 1: NG 2758 */ 2759int 2760ipsec_updatereplay(seq, sav) 2761 u_int32_t seq; 2762 struct secasvar *sav; 2763{ 2764 struct secreplay *replay; 2765 u_int32_t diff; 2766 int fr; 2767 u_int32_t wsizeb; /* constant: bits of window size */ 2768 int frlast; /* constant: last frame */ 2769 2770 /* sanity check */ 2771 if (sav == NULL) 2772 panic("ipsec_chkreplay: NULL pointer was passed.\n"); 2773 2774 lck_mtx_lock(sadb_mutex); 2775 replay = sav->replay; 2776 2777 if (replay->wsize == 0) 2778 goto ok; /* no need to check replay. */ 2779 2780 /* constant */ 2781 frlast = replay->wsize - 1; 2782 wsizeb = replay->wsize << 3; 2783 2784 /* sequence number of 0 is invalid */ 2785 if (seq == 0) 2786 return 1; 2787 2788 /* first time */ 2789 if (replay->count == 0) { 2790 replay->lastseq = seq; 2791 bzero(replay->bitmap, replay->wsize); 2792 (replay->bitmap)[frlast] = 1; 2793 goto ok; 2794 } 2795 2796 if (seq > replay->lastseq) { 2797 /* seq is larger than lastseq. */ 2798 diff = seq - replay->lastseq; 2799 2800 /* new larger sequence number */ 2801 if (diff < wsizeb) { 2802 /* In window */ 2803 /* set bit for this packet */ 2804 vshiftl((unsigned char *) replay->bitmap, diff, replay->wsize); 2805 (replay->bitmap)[frlast] |= 1; 2806 } else { 2807 /* this packet has a "way larger" */ 2808 bzero(replay->bitmap, replay->wsize); 2809 (replay->bitmap)[frlast] = 1; 2810 } 2811 replay->lastseq = seq; 2812 2813 /* larger is good */ 2814 } else { 2815 /* seq is equal or less than lastseq. */ 2816 diff = replay->lastseq - seq; 2817 2818 /* over range to check, i.e. too old or wrapped */ 2819 if (diff >= wsizeb) { 2820 lck_mtx_unlock(sadb_mutex); 2821 return 1; 2822 } 2823 2824 fr = frlast - diff / 8; 2825 2826 /* this packet already seen ? */ 2827 if ((replay->bitmap)[fr] & (1 << (diff % 8))) { 2828 lck_mtx_unlock(sadb_mutex); 2829 return 1; 2830 } 2831 2832 /* mark as seen */ 2833 (replay->bitmap)[fr] |= (1 << (diff % 8)); 2834 2835 /* out of order but good */ 2836 } 2837 2838ok: 2839 if (replay->count == ~0) { 2840 2841 /* set overflow flag */ 2842 replay->overflow++; 2843 2844 /* don't increment, no more packets accepted */ 2845 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) { 2846 lck_mtx_unlock(sadb_mutex); 2847 return 1; 2848 } 2849 2850 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n", 2851 replay->overflow, ipsec_logsastr(sav))); 2852 } 2853 2854 replay->count++; 2855 2856 lck_mtx_unlock(sadb_mutex); 2857 return 0; 2858} 2859 2860/* 2861 * shift variable length buffer to left. 2862 * IN: bitmap: pointer to the buffer 2863 * nbit: the number of to shift. 2864 * wsize: buffer size (bytes). 2865 */ 2866static void 2867vshiftl(bitmap, nbit, wsize) 2868 unsigned char *bitmap; 2869 int nbit, wsize; 2870{ 2871 int s, j, i; 2872 unsigned char over; 2873 2874 for (j = 0; j < nbit; j += 8) { 2875 s = (nbit - j < 8) ? (nbit - j): 8; 2876 bitmap[0] <<= s; 2877 for (i = 1; i < wsize; i++) { 2878 over = (bitmap[i] >> (8 - s)); 2879 bitmap[i] <<= s; 2880 bitmap[i-1] |= over; 2881 } 2882 } 2883 2884 return; 2885} 2886 2887const char * 2888ipsec4_logpacketstr(ip, spi) 2889 struct ip *ip; 2890 u_int32_t spi; 2891{ 2892 static char buf[256] __attribute__((aligned(4))); 2893 char *p; 2894 u_int8_t *s, *d; 2895 2896 s = (u_int8_t *)(&ip->ip_src); 2897 d = (u_int8_t *)(&ip->ip_dst); 2898 2899 p = buf; 2900 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2901 while (p && *p) 2902 p++; 2903 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u", 2904 s[0], s[1], s[2], s[3]); 2905 while (p && *p) 2906 p++; 2907 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u", 2908 d[0], d[1], d[2], d[3]); 2909 while (p && *p) 2910 p++; 2911 snprintf(p, sizeof(buf) - (p - buf), ")"); 2912 2913 return buf; 2914} 2915 2916#if INET6 2917const char * 2918ipsec6_logpacketstr(ip6, spi) 2919 struct ip6_hdr *ip6; 2920 u_int32_t spi; 2921{ 2922 static char buf[256] __attribute__((aligned(4))); 2923 char *p; 2924 2925 p = buf; 2926 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi)); 2927 while (p && *p) 2928 p++; 2929 snprintf(p, sizeof(buf) - (p - buf), "src=%s", 2930 ip6_sprintf(&ip6->ip6_src)); 2931 while (p && *p) 2932 p++; 2933 snprintf(p, sizeof(buf) - (p - buf), " dst=%s", 2934 ip6_sprintf(&ip6->ip6_dst)); 2935 while (p && *p) 2936 p++; 2937 snprintf(p, sizeof(buf) - (p - buf), ")"); 2938 2939 return buf; 2940} 2941#endif /*INET6*/ 2942 2943const char * 2944ipsec_logsastr(sav) 2945 struct secasvar *sav; 2946{ 2947 static char buf[256] __attribute__((aligned(4))); 2948 char *p; 2949 struct secasindex *saidx = &sav->sah->saidx; 2950 2951 /* validity check */ 2952 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family 2953 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) 2954 panic("ipsec_logsastr: family mismatched.\n"); 2955 2956 p = buf; 2957 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi)); 2958 while (p && *p) 2959 p++; 2960 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) { 2961 u_int8_t *s, *d; 2962 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr; 2963 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr; 2964 snprintf(p, sizeof(buf) - (p - buf), 2965 "src=%d.%d.%d.%d dst=%d.%d.%d.%d", 2966 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]); 2967 } 2968#if INET6 2969 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) { 2970 snprintf(p, sizeof(buf) - (p - buf), 2971 "src=%s", 2972 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr)); 2973 while (p && *p) 2974 p++; 2975 snprintf(p, sizeof(buf) - (p - buf), 2976 " dst=%s", 2977 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr)); 2978 } 2979#endif 2980 while (p && *p) 2981 p++; 2982 snprintf(p, sizeof(buf) - (p - buf), ")"); 2983 2984 return buf; 2985} 2986 2987void 2988ipsec_dumpmbuf(m) 2989 struct mbuf *m; 2990{ 2991 int totlen; 2992 int i; 2993 u_char *p; 2994 2995 totlen = 0; 2996 printf("---\n"); 2997 while (m) { 2998 p = mtod(m, u_char *); 2999 for (i = 0; i < m->m_len; i++) { 3000 printf("%02x ", p[i]); 3001 totlen++; 3002 if (totlen % 16 == 0) 3003 printf("\n"); 3004 } 3005 m = m->m_next; 3006 } 3007 if (totlen % 16 != 0) 3008 printf("\n"); 3009 printf("---\n"); 3010} 3011 3012#if INET 3013/* 3014 * IPsec output logic for IPv4. 3015 */ 3016static int 3017ipsec4_output_internal(struct ipsec_output_state *state, struct secasvar *sav) 3018{ 3019 struct ip *ip = NULL; 3020 int error = 0; 3021 struct sockaddr_in *dst4; 3022 struct route *ro4; 3023 3024 /* validity check */ 3025 if (sav == NULL || sav->sah == NULL) { 3026 error = EINVAL; 3027 goto bad; 3028 } 3029 3030 /* 3031 * If there is no valid SA, we give up to process any 3032 * more. In such a case, the SA's status is changed 3033 * from DYING to DEAD after allocating. If a packet 3034 * send to the receiver by dead SA, the receiver can 3035 * not decode a packet because SA has been dead. 3036 */ 3037 if (sav->state != SADB_SASTATE_MATURE 3038 && sav->state != SADB_SASTATE_DYING) { 3039 IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); 3040 error = EINVAL; 3041 goto bad; 3042 } 3043 3044 state->outgoing_if = sav->sah->outgoing_if; 3045 3046 /* 3047 * There may be the case that SA status will be changed when 3048 * we are refering to one. So calling splsoftnet(). 3049 */ 3050 3051 if (sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) { 3052 /* 3053 * build IPsec tunnel. 3054 */ 3055 /* XXX should be processed with other familiy */ 3056 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { 3057 ipseclog((LOG_ERR, "ipsec4_output: " 3058 "family mismatched between inner and outer spi=%u\n", 3059 (u_int32_t)ntohl(sav->spi))); 3060 error = EAFNOSUPPORT; 3061 goto bad; 3062 } 3063 3064 state->m = ipsec4_splithdr(state->m); 3065 if (!state->m) { 3066 error = ENOMEM; 3067 goto bad; 3068 } 3069 error = ipsec4_encapsulate(state->m, sav); 3070 if (error) { 3071 state->m = NULL; 3072 goto bad; 3073 } 3074 ip = mtod(state->m, struct ip *); 3075 3076 // grab sadb_mutex, before updating sah's route cache 3077 lck_mtx_lock(sadb_mutex); 3078 ro4= &sav->sah->sa_route; 3079 dst4 = (struct sockaddr_in *)(void *)&ro4->ro_dst; 3080 if (ro4->ro_rt != NULL) { 3081 RT_LOCK(ro4->ro_rt); 3082 } 3083 if (ROUTE_UNUSABLE(ro4) || 3084 dst4->sin_addr.s_addr != ip->ip_dst.s_addr) { 3085 if (ro4->ro_rt != NULL) 3086 RT_UNLOCK(ro4->ro_rt); 3087 ROUTE_RELEASE(ro4); 3088 } 3089 if (ro4->ro_rt == 0) { 3090 dst4->sin_family = AF_INET; 3091 dst4->sin_len = sizeof(*dst4); 3092 dst4->sin_addr = ip->ip_dst; 3093 rtalloc(ro4); 3094 if (ro4->ro_rt == 0) { 3095 OSAddAtomic(1, &ipstat.ips_noroute); 3096 error = EHOSTUNREACH; 3097 // release sadb_mutex, after updating sah's route cache 3098 lck_mtx_unlock(sadb_mutex); 3099 goto bad; 3100 } 3101 RT_LOCK(ro4->ro_rt); 3102 } 3103 3104 /* 3105 * adjust state->dst if tunnel endpoint is offlink 3106 * 3107 * XXX: caching rt_gateway value in the state is 3108 * not really good, since it may point elsewhere 3109 * when the gateway gets modified to a larger 3110 * sockaddr via rt_setgate(). This is currently 3111 * addressed by SA_SIZE roundup in that routine. 3112 */ 3113 if (ro4->ro_rt->rt_flags & RTF_GATEWAY) 3114 dst4 = (struct sockaddr_in *)(void *)ro4->ro_rt->rt_gateway; 3115 RT_UNLOCK(ro4->ro_rt); 3116 ROUTE_RELEASE(&state->ro); 3117 route_copyout(&state->ro, ro4, sizeof(state->ro)); 3118 state->dst = (struct sockaddr *)dst4; 3119 state->tunneled = 4; 3120 // release sadb_mutex, after updating sah's route cache 3121 lck_mtx_unlock(sadb_mutex); 3122 } 3123 3124 state->m = ipsec4_splithdr(state->m); 3125 if (!state->m) { 3126 error = ENOMEM; 3127 goto bad; 3128 } 3129 switch (sav->sah->saidx.proto) { 3130 case IPPROTO_ESP: 3131#if IPSEC_ESP 3132 if ((error = esp4_output(state->m, sav)) != 0) { 3133 state->m = NULL; 3134 goto bad; 3135 } 3136 break; 3137#else 3138 m_freem(state->m); 3139 state->m = NULL; 3140 error = EINVAL; 3141 goto bad; 3142#endif 3143 case IPPROTO_AH: 3144 if ((error = ah4_output(state->m, sav)) != 0) { 3145 state->m = NULL; 3146 goto bad; 3147 } 3148 break; 3149 case IPPROTO_IPCOMP: 3150 if ((error = ipcomp4_output(state->m, sav)) != 0) { 3151 state->m = NULL; 3152 goto bad; 3153 } 3154 break; 3155 default: 3156 ipseclog((LOG_ERR, 3157 "ipsec4_output: unknown ipsec protocol %d\n", 3158 sav->sah->saidx.proto)); 3159 m_freem(state->m); 3160 state->m = NULL; 3161 error = EINVAL; 3162 goto bad; 3163 } 3164 3165 if (state->m == 0) { 3166 error = ENOMEM; 3167 goto bad; 3168 } 3169 3170 return 0; 3171 3172bad: 3173 return error; 3174} 3175 3176int 3177ipsec4_interface_output(struct ipsec_output_state *state, ifnet_t interface) 3178{ 3179 int error = 0; 3180 struct secasvar *sav = NULL; 3181 3182 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 3183 3184 if (!state) 3185 panic("state == NULL in ipsec4_output"); 3186 if (!state->m) 3187 panic("state->m == NULL in ipsec4_output"); 3188 if (!state->dst) 3189 panic("state->dst == NULL in ipsec4_output"); 3190 3191 sav = key_alloc_outbound_sav_for_interface(interface, AF_INET); 3192 if (sav == NULL) { 3193 goto bad; 3194 } 3195 3196 if ((error = ipsec4_output_internal(state, sav)) != 0) { 3197 goto bad; 3198 } 3199 3200 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0,0,0,0,0); 3201 if (sav) 3202 key_freesav(sav, KEY_SADB_UNLOCKED); 3203 return 0; 3204 3205bad: 3206 if (sav) 3207 key_freesav(sav, KEY_SADB_UNLOCKED); 3208 m_freem(state->m); 3209 state->m = NULL; 3210 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error,0,0,0,0); 3211 return error; 3212} 3213 3214int 3215ipsec4_output(struct ipsec_output_state *state, struct secpolicy *sp, __unused int flags) 3216{ 3217 struct ip *ip = NULL; 3218 struct ipsecrequest *isr = NULL; 3219 struct secasindex saidx; 3220 struct secasvar *sav = NULL; 3221 int error = 0; 3222 struct sockaddr_in *sin; 3223 3224 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 3225 3226 if (!state) 3227 panic("state == NULL in ipsec4_output"); 3228 if (!state->m) 3229 panic("state->m == NULL in ipsec4_output"); 3230 if (!state->dst) 3231 panic("state->dst == NULL in ipsec4_output"); 3232 3233 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_START, 0,0,0,0,0); 3234 3235 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3236 printf("ipsec4_output: applied SP\n"); 3237 kdebug_secpolicy(sp)); 3238 3239 for (isr = sp->req; isr != NULL; isr = isr->next) { 3240 /* make SA index for search proper SA */ 3241 ip = mtod(state->m, struct ip *); 3242 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 3243 saidx.mode = isr->saidx.mode; 3244 saidx.reqid = isr->saidx.reqid; 3245 sin = (struct sockaddr_in *)&saidx.src; 3246 if (sin->sin_len == 0) { 3247 sin->sin_len = sizeof(*sin); 3248 sin->sin_family = AF_INET; 3249 sin->sin_port = IPSEC_PORT_ANY; 3250 bcopy(&ip->ip_src, &sin->sin_addr, 3251 sizeof(sin->sin_addr)); 3252 } 3253 sin = (struct sockaddr_in *)&saidx.dst; 3254 if (sin->sin_len == 0) { 3255 sin->sin_len = sizeof(*sin); 3256 sin->sin_family = AF_INET; 3257 sin->sin_port = IPSEC_PORT_ANY; 3258 /* 3259 * Get port from packet if upper layer is UDP and nat traversal 3260 * is enabled and transport mode. 3261 */ 3262 3263 if ((esp_udp_encap_port & 0xFFFF) != 0 && 3264 isr->saidx.mode == IPSEC_MODE_TRANSPORT) { 3265 3266 if (ip->ip_p == IPPROTO_UDP) { 3267 struct udphdr *udp; 3268 size_t hlen; 3269#ifdef _IP_VHL 3270 hlen = IP_VHL_HL(ip->ip_vhl) << 2; 3271#else 3272 hlen = ip->ip_hl << 2; 3273#endif 3274 if (state->m->m_len < hlen + sizeof(struct udphdr)) { 3275 state->m = m_pullup(state->m, hlen + sizeof(struct udphdr)); 3276 if (!state->m) { 3277 ipseclog((LOG_DEBUG, "IPv4 output: can't pullup UDP header\n")); 3278 IPSEC_STAT_INCREMENT(ipsecstat.in_inval); 3279 goto bad; 3280 } 3281 ip = mtod(state->m, struct ip *); 3282 } 3283 udp = (struct udphdr *)(void *)(((u_int8_t *)ip) + hlen); 3284 sin->sin_port = udp->uh_dport; 3285 } 3286 } 3287 3288 bcopy(&ip->ip_dst, &sin->sin_addr, 3289 sizeof(sin->sin_addr)); 3290 } 3291 3292 if ((error = key_checkrequest(isr, &saidx, &sav)) != 0) { 3293 /* 3294 * IPsec processing is required, but no SA found. 3295 * I assume that key_acquire() had been called 3296 * to get/establish the SA. Here I discard 3297 * this packet because it is responsibility for 3298 * upper layer to retransmit the packet. 3299 */ 3300 IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); 3301 goto bad; 3302 } 3303 3304 /* validity check */ 3305 if (sav == NULL) { 3306 switch (ipsec_get_reqlevel(isr)) { 3307 case IPSEC_LEVEL_USE: 3308 continue; 3309 case IPSEC_LEVEL_REQUIRE: 3310 /* must be not reached here. */ 3311 panic("ipsec4_output: no SA found, but required."); 3312 } 3313 } 3314 3315 if ((error = ipsec4_output_internal(state, sav)) != 0) { 3316 goto bad; 3317 } 3318 } 3319 3320 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0,0,0,0,0); 3321 if (sav) 3322 key_freesav(sav, KEY_SADB_UNLOCKED); 3323 return 0; 3324 3325bad: 3326 if (sav) 3327 key_freesav(sav, KEY_SADB_UNLOCKED); 3328 m_freem(state->m); 3329 state->m = NULL; 3330 KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error,0,0,0,0); 3331 return error; 3332} 3333 3334#endif 3335 3336#if INET6 3337/* 3338 * IPsec output logic for IPv6, transport mode. 3339 */ 3340static int 3341ipsec6_output_trans_internal( 3342 struct ipsec_output_state *state, 3343 struct secasvar *sav, 3344 u_char *nexthdrp, 3345 struct mbuf *mprev) 3346{ 3347 struct ip6_hdr *ip6; 3348 int error = 0; 3349 int plen; 3350 3351 /* validity check */ 3352 if (sav == NULL || sav->sah == NULL) { 3353 error = EINVAL; 3354 goto bad; 3355 } 3356 3357 /* 3358 * If there is no valid SA, we give up to process. 3359 * see same place at ipsec4_output(). 3360 */ 3361 if (sav->state != SADB_SASTATE_MATURE 3362 && sav->state != SADB_SASTATE_DYING) { 3363 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3364 error = EINVAL; 3365 goto bad; 3366 } 3367 3368 state->outgoing_if = sav->sah->outgoing_if; 3369 3370 switch (sav->sah->saidx.proto) { 3371 case IPPROTO_ESP: 3372#if IPSEC_ESP 3373 error = esp6_output(state->m, nexthdrp, mprev->m_next, sav); 3374#else 3375 m_freem(state->m); 3376 error = EINVAL; 3377#endif 3378 break; 3379 case IPPROTO_AH: 3380 error = ah6_output(state->m, nexthdrp, mprev->m_next, sav); 3381 break; 3382 case IPPROTO_IPCOMP: 3383 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, sav); 3384 break; 3385 default: 3386 ipseclog((LOG_ERR, "ipsec6_output_trans: " 3387 "unknown ipsec protocol %d\n", sav->sah->saidx.proto)); 3388 m_freem(state->m); 3389 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3390 error = EINVAL; 3391 break; 3392 } 3393 if (error) { 3394 state->m = NULL; 3395 goto bad; 3396 } 3397 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3398 if (plen > IPV6_MAXPACKET) { 3399 ipseclog((LOG_ERR, "ipsec6_output_trans: " 3400 "IPsec with IPv6 jumbogram is not supported\n")); 3401 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3402 error = EINVAL; /*XXX*/ 3403 goto bad; 3404 } 3405 ip6 = mtod(state->m, struct ip6_hdr *); 3406 ip6->ip6_plen = htons(plen); 3407 3408 return 0; 3409bad: 3410 return error; 3411} 3412 3413int 3414ipsec6_output_trans( 3415 struct ipsec_output_state *state, 3416 u_char *nexthdrp, 3417 struct mbuf *mprev, 3418 struct secpolicy *sp, 3419 __unused int flags, 3420 int *tun) 3421{ 3422 struct ip6_hdr *ip6; 3423 struct ipsecrequest *isr = NULL; 3424 struct secasindex saidx; 3425 int error = 0; 3426 struct sockaddr_in6 *sin6; 3427 struct secasvar *sav = NULL; 3428 3429 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 3430 3431 if (!state) 3432 panic("state == NULL in ipsec6_output_trans"); 3433 if (!state->m) 3434 panic("state->m == NULL in ipsec6_output_trans"); 3435 if (!nexthdrp) 3436 panic("nexthdrp == NULL in ipsec6_output_trans"); 3437 if (!mprev) 3438 panic("mprev == NULL in ipsec6_output_trans"); 3439 if (!sp) 3440 panic("sp == NULL in ipsec6_output_trans"); 3441 if (!tun) 3442 panic("tun == NULL in ipsec6_output_trans"); 3443 3444 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3445 printf("ipsec6_output_trans: applyed SP\n"); 3446 kdebug_secpolicy(sp)); 3447 3448 *tun = 0; 3449 for (isr = sp->req; isr; isr = isr->next) { 3450 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3451 /* the rest will be handled by ipsec6_output_tunnel() */ 3452 break; 3453 } 3454 3455 /* make SA index for search proper SA */ 3456 ip6 = mtod(state->m, struct ip6_hdr *); 3457 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 3458 saidx.mode = isr->saidx.mode; 3459 saidx.reqid = isr->saidx.reqid; 3460 sin6 = (struct sockaddr_in6 *)&saidx.src; 3461 if (sin6->sin6_len == 0) { 3462 sin6->sin6_len = sizeof(*sin6); 3463 sin6->sin6_family = AF_INET6; 3464 sin6->sin6_port = IPSEC_PORT_ANY; 3465 bcopy(&ip6->ip6_src, &sin6->sin6_addr, 3466 sizeof(ip6->ip6_src)); 3467 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 3468 /* fix scope id for comparing SPD */ 3469 sin6->sin6_addr.s6_addr16[1] = 0; 3470 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); 3471 } 3472 } 3473 sin6 = (struct sockaddr_in6 *)&saidx.dst; 3474 if (sin6->sin6_len == 0) { 3475 sin6->sin6_len = sizeof(*sin6); 3476 sin6->sin6_family = AF_INET6; 3477 sin6->sin6_port = IPSEC_PORT_ANY; 3478 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, 3479 sizeof(ip6->ip6_dst)); 3480 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 3481 /* fix scope id for comparing SPD */ 3482 sin6->sin6_addr.s6_addr16[1] = 0; 3483 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); 3484 } 3485 } 3486 3487 if (key_checkrequest(isr, &saidx, &sav) == ENOENT) { 3488 /* 3489 * IPsec processing is required, but no SA found. 3490 * I assume that key_acquire() had been called 3491 * to get/establish the SA. Here I discard 3492 * this packet because it is responsibility for 3493 * upper layer to retransmit the packet. 3494 */ 3495 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3496 error = ENOENT; 3497 3498 /* 3499 * Notify the fact that the packet is discarded 3500 * to ourselves. I believe this is better than 3501 * just silently discarding. (jinmei@kame.net) 3502 * XXX: should we restrict the error to TCP packets? 3503 * XXX: should we directly notify sockets via 3504 * pfctlinputs? 3505 */ 3506 icmp6_error(state->m, ICMP6_DST_UNREACH, 3507 ICMP6_DST_UNREACH_ADMIN, 0); 3508 state->m = NULL; /* icmp6_error freed the mbuf */ 3509 goto bad; 3510 } 3511 3512 /* validity check */ 3513 if (sav == NULL) { 3514 switch (ipsec_get_reqlevel(isr)) { 3515 case IPSEC_LEVEL_USE: 3516 continue; 3517 case IPSEC_LEVEL_REQUIRE: 3518 /* must be not reached here. */ 3519 panic("ipsec6_output_trans: no SA found, but required."); 3520 } 3521 } 3522 3523 if ((error = ipsec6_output_trans_internal(state, sav, nexthdrp, mprev)) != 0) { 3524 goto bad; 3525 } 3526 } 3527 3528 /* if we have more to go, we need a tunnel mode processing */ 3529 if (isr != NULL) 3530 *tun = 1; 3531 3532 if (sav) 3533 key_freesav(sav, KEY_SADB_UNLOCKED); 3534 return 0; 3535 3536bad: 3537 if (sav) 3538 key_freesav(sav, KEY_SADB_UNLOCKED); 3539 m_freem(state->m); 3540 state->m = NULL; 3541 return error; 3542} 3543 3544/* 3545 * IPsec output logic for IPv6, tunnel mode. 3546 */ 3547static int 3548ipsec6_output_tunnel_internal(struct ipsec_output_state *state, struct secasvar *sav, int *must_be_last) 3549{ 3550 struct ip6_hdr *ip6; 3551 int error = 0; 3552 int plen; 3553 struct sockaddr_in6* dst6; 3554 struct route *ro6; 3555 3556 /* validity check */ 3557 if (sav == NULL || sav->sah == NULL || sav->sah->saidx.mode != IPSEC_MODE_TUNNEL) { 3558 error = EINVAL; 3559 goto bad; 3560 } 3561 3562 /* 3563 * If there is no valid SA, we give up to process. 3564 * see same place at ipsec4_output(). 3565 */ 3566 if (sav->state != SADB_SASTATE_MATURE 3567 && sav->state != SADB_SASTATE_DYING) { 3568 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3569 error = EINVAL; 3570 goto bad; 3571 } 3572 3573 state->outgoing_if = sav->sah->outgoing_if; 3574 3575 if (sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) { 3576 /* 3577 * build IPsec tunnel. 3578 */ 3579 state->m = ipsec6_splithdr(state->m); 3580 if (!state->m) { 3581 IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem); 3582 error = ENOMEM; 3583 goto bad; 3584 } 3585 3586 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) { 3587 error = ipsec6_encapsulate(state->m, sav); 3588 if (error) { 3589 state->m = 0; 3590 goto bad; 3591 } 3592 ip6 = mtod(state->m, struct ip6_hdr *); 3593 } else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) { 3594 3595 struct ip *ip; 3596 struct sockaddr_in* dst4; 3597 struct route *ro4 = NULL; 3598 struct route ro4_copy; 3599 struct ip_out_args ipoa = { IFSCOPE_NONE, { 0 }, 3600 IPOAF_SELECT_SRCIF, 0 }; 3601 3602 if (must_be_last) 3603 *must_be_last = 1; 3604 3605 state->tunneled = 4; /* must not process any further in ip6_output */ 3606 error = ipsec64_encapsulate(state->m, sav); 3607 if (error) { 3608 state->m = 0; 3609 goto bad; 3610 } 3611 /* Now we have an IPv4 packet */ 3612 ip = mtod(state->m, struct ip *); 3613 3614 // grab sadb_mutex, to update sah's route cache and get a local copy of it 3615 lck_mtx_lock(sadb_mutex); 3616 ro4 = &sav->sah->sa_route; 3617 dst4 = (struct sockaddr_in *)(void *)&ro4->ro_dst; 3618 if (ro4->ro_rt) { 3619 RT_LOCK(ro4->ro_rt); 3620 } 3621 if (ROUTE_UNUSABLE(ro4) || 3622 dst4->sin_addr.s_addr != ip->ip_dst.s_addr) { 3623 if (ro4->ro_rt != NULL) 3624 RT_UNLOCK(ro4->ro_rt); 3625 ROUTE_RELEASE(ro4); 3626 } 3627 if (ro4->ro_rt == NULL) { 3628 dst4->sin_family = AF_INET; 3629 dst4->sin_len = sizeof(*dst4); 3630 dst4->sin_addr = ip->ip_dst; 3631 } else { 3632 RT_UNLOCK(ro4->ro_rt); 3633 } 3634 route_copyout(&ro4_copy, ro4, sizeof(ro4_copy)); 3635 // release sadb_mutex, after updating sah's route cache and getting a local copy 3636 lck_mtx_unlock(sadb_mutex); 3637 state->m = ipsec4_splithdr(state->m); 3638 if (!state->m) { 3639 error = ENOMEM; 3640 ROUTE_RELEASE(&ro4_copy); 3641 goto bad; 3642 } 3643 switch (sav->sah->saidx.proto) { 3644 case IPPROTO_ESP: 3645#if IPSEC_ESP 3646 if ((error = esp4_output(state->m, sav)) != 0) { 3647 state->m = NULL; 3648 ROUTE_RELEASE(&ro4_copy); 3649 goto bad; 3650 } 3651 break; 3652 3653#else 3654 m_freem(state->m); 3655 state->m = NULL; 3656 error = EINVAL; 3657 ROUTE_RELEASE(&ro4_copy); 3658 goto bad; 3659#endif 3660 case IPPROTO_AH: 3661 if ((error = ah4_output(state->m, sav)) != 0) { 3662 state->m = NULL; 3663 ROUTE_RELEASE(&ro4_copy); 3664 goto bad; 3665 } 3666 break; 3667 case IPPROTO_IPCOMP: 3668 if ((error = ipcomp4_output(state->m, sav)) != 0) { 3669 state->m = NULL; 3670 ROUTE_RELEASE(&ro4_copy); 3671 goto bad; 3672 } 3673 break; 3674 default: 3675 ipseclog((LOG_ERR, 3676 "ipsec4_output: unknown ipsec protocol %d\n", 3677 sav->sah->saidx.proto)); 3678 m_freem(state->m); 3679 state->m = NULL; 3680 error = EINVAL; 3681 ROUTE_RELEASE(&ro4_copy); 3682 goto bad; 3683 } 3684 3685 if (state->m == 0) { 3686 error = ENOMEM; 3687 ROUTE_RELEASE(&ro4_copy); 3688 goto bad; 3689 } 3690 ipsec_set_pkthdr_for_interface(sav->sah->ipsec_if, state->m, AF_INET); 3691 ip = mtod(state->m, struct ip *); 3692 ip->ip_len = ntohs(ip->ip_len); /* flip len field before calling ip_output */ 3693 error = ip_output(state->m, NULL, &ro4_copy, IP_OUTARGS, NULL, &ipoa); 3694 state->m = NULL; 3695 // grab sadb_mutex, to synchronize the sah's route cache with the local copy 3696 lck_mtx_lock(sadb_mutex); 3697 route_copyin(&ro4_copy, ro4, sizeof(ro4_copy)); 3698 lck_mtx_unlock(sadb_mutex); 3699 if (error != 0) 3700 goto bad; 3701 goto done; 3702 } else { 3703 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3704 "unsupported inner family, spi=%u\n", 3705 (u_int32_t)ntohl(sav->spi))); 3706 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3707 error = EAFNOSUPPORT; 3708 goto bad; 3709 } 3710 3711 // grab sadb_mutex, before updating sah's route cache 3712 lck_mtx_lock(sadb_mutex); 3713 ro6 = &sav->sah->sa_route; 3714 dst6 = (struct sockaddr_in6 *)(void *)&ro6->ro_dst; 3715 if (ro6->ro_rt) { 3716 RT_LOCK(ro6->ro_rt); 3717 } 3718 if (ROUTE_UNUSABLE(ro6) || 3719 !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst)) { 3720 if (ro6->ro_rt != NULL) 3721 RT_UNLOCK(ro6->ro_rt); 3722 ROUTE_RELEASE(ro6); 3723 } 3724 if (ro6->ro_rt == 0) { 3725 bzero(dst6, sizeof(*dst6)); 3726 dst6->sin6_family = AF_INET6; 3727 dst6->sin6_len = sizeof(*dst6); 3728 dst6->sin6_addr = ip6->ip6_dst; 3729 rtalloc(ro6); 3730 if (ro6->ro_rt) { 3731 RT_LOCK(ro6->ro_rt); 3732 } 3733 } 3734 if (ro6->ro_rt == 0) { 3735 ip6stat.ip6s_noroute++; 3736 IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute); 3737 error = EHOSTUNREACH; 3738 // release sadb_mutex, after updating sah's route cache 3739 lck_mtx_unlock(sadb_mutex); 3740 goto bad; 3741 } 3742 3743 /* 3744 * adjust state->dst if tunnel endpoint is offlink 3745 * 3746 * XXX: caching rt_gateway value in the state is 3747 * not really good, since it may point elsewhere 3748 * when the gateway gets modified to a larger 3749 * sockaddr via rt_setgate(). This is currently 3750 * addressed by SA_SIZE roundup in that routine. 3751 */ 3752 if (ro6->ro_rt->rt_flags & RTF_GATEWAY) 3753 dst6 = (struct sockaddr_in6 *)(void *)ro6->ro_rt->rt_gateway; 3754 RT_UNLOCK(ro6->ro_rt); 3755 ROUTE_RELEASE(&state->ro); 3756 route_copyout(&state->ro, ro6, sizeof(state->ro)); 3757 state->dst = (struct sockaddr *)dst6; 3758 state->tunneled = 6; 3759 // release sadb_mutex, after updating sah's route cache 3760 lck_mtx_unlock(sadb_mutex); 3761 } 3762 3763 state->m = ipsec6_splithdr(state->m); 3764 if (!state->m) { 3765 IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem); 3766 error = ENOMEM; 3767 goto bad; 3768 } 3769 ip6 = mtod(state->m, struct ip6_hdr *); 3770 switch (sav->sah->saidx.proto) { 3771 case IPPROTO_ESP: 3772#if IPSEC_ESP 3773 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); 3774#else 3775 m_freem(state->m); 3776 error = EINVAL; 3777#endif 3778 break; 3779 case IPPROTO_AH: 3780 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); 3781 break; 3782 case IPPROTO_IPCOMP: 3783 /* XXX code should be here */ 3784 /*FALLTHROUGH*/ 3785 default: 3786 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3787 "unknown ipsec protocol %d\n", sav->sah->saidx.proto)); 3788 m_freem(state->m); 3789 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3790 error = EINVAL; 3791 break; 3792 } 3793 if (error) { 3794 state->m = NULL; 3795 goto bad; 3796 } 3797 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); 3798 if (plen > IPV6_MAXPACKET) { 3799 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3800 "IPsec with IPv6 jumbogram is not supported\n")); 3801 IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); 3802 error = EINVAL; /*XXX*/ 3803 goto bad; 3804 } 3805 ip6 = mtod(state->m, struct ip6_hdr *); 3806 ip6->ip6_plen = htons(plen); 3807done: 3808 return 0; 3809 3810bad: 3811 return error; 3812} 3813 3814int 3815ipsec6_output_tunnel( 3816 struct ipsec_output_state *state, 3817 struct secpolicy *sp, 3818 __unused int flags) 3819{ 3820 struct ip6_hdr *ip6; 3821 struct ipsecrequest *isr = NULL; 3822 struct secasindex saidx; 3823 struct secasvar *sav = NULL; 3824 int error = 0; 3825 3826 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 3827 3828 if (!state) 3829 panic("state == NULL in ipsec6_output_tunnel"); 3830 if (!state->m) 3831 panic("state->m == NULL in ipsec6_output_tunnel"); 3832 if (!sp) 3833 panic("sp == NULL in ipsec6_output_tunnel"); 3834 3835 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 3836 printf("ipsec6_output_tunnel: applyed SP\n"); 3837 kdebug_secpolicy(sp)); 3838 3839 /* 3840 * transport mode ipsec (before the 1st tunnel mode) is already 3841 * processed by ipsec6_output_trans(). 3842 */ 3843 for (isr = sp->req; isr; isr = isr->next) { 3844 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 3845 break; 3846 } 3847 3848 for (/* already initialized */; isr; isr = isr->next) { 3849 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 3850 /* When tunnel mode, SA peers must be specified. */ 3851 bcopy(&isr->saidx, &saidx, sizeof(saidx)); 3852 } else { 3853 /* make SA index to look for a proper SA */ 3854 struct sockaddr_in6 *sin6; 3855 3856 bzero(&saidx, sizeof(saidx)); 3857 saidx.proto = isr->saidx.proto; 3858 saidx.mode = isr->saidx.mode; 3859 saidx.reqid = isr->saidx.reqid; 3860 3861 ip6 = mtod(state->m, struct ip6_hdr *); 3862 sin6 = (struct sockaddr_in6 *)&saidx.src; 3863 if (sin6->sin6_len == 0) { 3864 sin6->sin6_len = sizeof(*sin6); 3865 sin6->sin6_family = AF_INET6; 3866 sin6->sin6_port = IPSEC_PORT_ANY; 3867 bcopy(&ip6->ip6_src, &sin6->sin6_addr, 3868 sizeof(ip6->ip6_src)); 3869 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 3870 /* fix scope id for comparing SPD */ 3871 sin6->sin6_addr.s6_addr16[1] = 0; 3872 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); 3873 } 3874 } 3875 sin6 = (struct sockaddr_in6 *)&saidx.dst; 3876 if (sin6->sin6_len == 0) { 3877 sin6->sin6_len = sizeof(*sin6); 3878 sin6->sin6_family = AF_INET6; 3879 sin6->sin6_port = IPSEC_PORT_ANY; 3880 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, 3881 sizeof(ip6->ip6_dst)); 3882 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 3883 /* fix scope id for comparing SPD */ 3884 sin6->sin6_addr.s6_addr16[1] = 0; 3885 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); 3886 } 3887 } 3888 } 3889 3890 if (key_checkrequest(isr, &saidx, &sav) == ENOENT) { 3891 /* 3892 * IPsec processing is required, but no SA found. 3893 * I assume that key_acquire() had been called 3894 * to get/establish the SA. Here I discard 3895 * this packet because it is responsibility for 3896 * upper layer to retransmit the packet. 3897 */ 3898 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3899 error = ENOENT; 3900 goto bad; 3901 } 3902 3903 /* validity check */ 3904 if (sav == NULL) { 3905 switch (ipsec_get_reqlevel(isr)) { 3906 case IPSEC_LEVEL_USE: 3907 continue; 3908 case IPSEC_LEVEL_REQUIRE: 3909 /* must be not reached here. */ 3910 panic("ipsec6_output_tunnel: no SA found, but required."); 3911 } 3912 } 3913 3914 /* 3915 * If there is no valid SA, we give up to process. 3916 * see same place at ipsec4_output(). 3917 */ 3918 if (sav->state != SADB_SASTATE_MATURE 3919 && sav->state != SADB_SASTATE_DYING) { 3920 IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); 3921 error = EINVAL; 3922 goto bad; 3923 } 3924 3925 int must_be_last = 0; 3926 3927 if ((error = ipsec6_output_tunnel_internal(state, sav, &must_be_last)) != 0) { 3928 goto bad; 3929 } 3930 3931 if (must_be_last && isr->next) { 3932 ipseclog((LOG_ERR, "ipsec6_output_tunnel: " 3933 "IPv4 must be outer layer, spi=%u\n", 3934 (u_int32_t)ntohl(sav->spi))); 3935 error = EINVAL; 3936 goto bad; 3937 } 3938 } 3939 3940 if (sav) 3941 key_freesav(sav, KEY_SADB_UNLOCKED); 3942 return 0; 3943 3944bad: 3945 if (sav) 3946 key_freesav(sav, KEY_SADB_UNLOCKED); 3947 if (state->m) 3948 m_freem(state->m); 3949 state->m = NULL; 3950 return error; 3951} 3952 3953int 3954ipsec6_interface_output(struct ipsec_output_state *state, ifnet_t interface, u_char *nexthdrp, struct mbuf *mprev) 3955{ 3956 int error = 0; 3957 struct secasvar *sav = NULL; 3958 3959 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 3960 3961 if (!state) 3962 panic("state == NULL in ipsec6_output"); 3963 if (!state->m) 3964 panic("state->m == NULL in ipsec6_output"); 3965 if (!nexthdrp) 3966 panic("nexthdrp == NULL in ipsec6_output"); 3967 if (!mprev) 3968 panic("mprev == NULL in ipsec6_output"); 3969 3970 sav = key_alloc_outbound_sav_for_interface(interface, AF_INET6); 3971 if (sav == NULL) { 3972 goto bad; 3973 } 3974 3975 if (sav->sah && sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) { 3976 if ((error = ipsec6_output_tunnel_internal(state, sav, NULL)) != 0) { 3977 goto bad; 3978 } 3979 } 3980 else { 3981 if ((error = ipsec6_output_trans_internal(state, sav, nexthdrp, mprev)) != 0) { 3982 goto bad; 3983 } 3984 } 3985 3986 if (sav) 3987 key_freesav(sav, KEY_SADB_UNLOCKED); 3988 return 0; 3989 3990bad: 3991 if (sav) 3992 key_freesav(sav, KEY_SADB_UNLOCKED); 3993 m_freem(state->m); 3994 state->m = NULL; 3995 return error; 3996} 3997#endif /*INET6*/ 3998 3999#if INET 4000/* 4001 * Chop IP header and option off from the payload. 4002 */ 4003struct mbuf * 4004ipsec4_splithdr(m) 4005 struct mbuf *m; 4006{ 4007 struct mbuf *mh; 4008 struct ip *ip; 4009 int hlen; 4010 4011 if (m->m_len < sizeof(struct ip)) 4012 panic("ipsec4_splithdr: first mbuf too short, m_len %d, pkt_len %d, m_flag %x", m->m_len, m->m_pkthdr.len, m->m_flags); 4013 ip = mtod(m, struct ip *); 4014#ifdef _IP_VHL 4015 hlen = _IP_VHL_HL(ip->ip_vhl) << 2; 4016#else 4017 hlen = ip->ip_hl << 2; 4018#endif 4019 if (m->m_len > hlen) { 4020 MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 4021 if (!mh) { 4022 m_freem(m); 4023 return NULL; 4024 } 4025 M_COPY_PKTHDR(mh, m); 4026 MH_ALIGN(mh, hlen); 4027 m->m_flags &= ~M_PKTHDR; 4028 m_mchtype(m, MT_DATA); 4029 m->m_len -= hlen; 4030 m->m_data += hlen; 4031 mh->m_next = m; 4032 m = mh; 4033 m->m_len = hlen; 4034 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen); 4035 } else if (m->m_len < hlen) { 4036 m = m_pullup(m, hlen); 4037 if (!m) 4038 return NULL; 4039 } 4040 return m; 4041} 4042#endif 4043 4044#if INET6 4045struct mbuf * 4046ipsec6_splithdr(m) 4047 struct mbuf *m; 4048{ 4049 struct mbuf *mh; 4050 struct ip6_hdr *ip6; 4051 int hlen; 4052 4053 if (m->m_len < sizeof(struct ip6_hdr)) 4054 panic("ipsec6_splithdr: first mbuf too short"); 4055 ip6 = mtod(m, struct ip6_hdr *); 4056 hlen = sizeof(struct ip6_hdr); 4057 if (m->m_len > hlen) { 4058 MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 4059 if (!mh) { 4060 m_freem(m); 4061 return NULL; 4062 } 4063 M_COPY_PKTHDR(mh, m); 4064 MH_ALIGN(mh, hlen); 4065 m->m_flags &= ~M_PKTHDR; 4066 m_mchtype(m, MT_DATA); 4067 m->m_len -= hlen; 4068 m->m_data += hlen; 4069 mh->m_next = m; 4070 m = mh; 4071 m->m_len = hlen; 4072 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen); 4073 } else if (m->m_len < hlen) { 4074 m = m_pullup(m, hlen); 4075 if (!m) 4076 return NULL; 4077 } 4078 return m; 4079} 4080#endif 4081 4082/* validate inbound IPsec tunnel packet. */ 4083int 4084ipsec4_tunnel_validate(m, off, nxt0, sav, ifamily) 4085 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 4086 int off; 4087 u_int nxt0; 4088 struct secasvar *sav; 4089 sa_family_t *ifamily; 4090{ 4091 u_int8_t nxt = nxt0 & 0xff; 4092 struct sockaddr_in *sin; 4093 struct sockaddr_in osrc, odst, i4src, i4dst; 4094 struct sockaddr_in6 i6src, i6dst; 4095 int hlen; 4096 struct secpolicy *sp; 4097 struct ip *oip; 4098 4099 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 4100 4101#if DIAGNOSTIC 4102 if (m->m_len < sizeof(struct ip)) 4103 panic("too short mbuf on ipsec4_tunnel_validate"); 4104#endif 4105 if (nxt != IPPROTO_IPV4 && nxt != IPPROTO_IPV6) 4106 return 0; 4107 if (m->m_pkthdr.len < off + sizeof(struct ip)) 4108 return 0; 4109 /* do not decapsulate if the SA is for transport mode only */ 4110 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 4111 return 0; 4112 4113 oip = mtod(m, struct ip *); 4114#ifdef _IP_VHL 4115 hlen = _IP_VHL_HL(oip->ip_vhl) << 2; 4116#else 4117 hlen = oip->ip_hl << 2; 4118#endif 4119 if (hlen != sizeof(struct ip)) 4120 return 0; 4121 4122 sin = (struct sockaddr_in *)&sav->sah->saidx.dst; 4123 if (sin->sin_family != AF_INET) 4124 return 0; 4125 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0) 4126 return 0; 4127 4128 if (sav->utun_in_fn || 4129 sav->sah->ipsec_if != NULL) { 4130 // the ipsec/utun interface SAs don't have a policies. 4131 if (nxt == IPPROTO_IPV4) { 4132 *ifamily = AF_INET; 4133 } else if (nxt == IPPROTO_IPV6) { 4134 *ifamily = AF_INET6; 4135 } else { 4136 return 0; 4137 } 4138 return 1; 4139 } 4140 4141 /* XXX slow */ 4142 bzero(&osrc, sizeof(osrc)); 4143 bzero(&odst, sizeof(odst)); 4144 osrc.sin_family = odst.sin_family = AF_INET; 4145 osrc.sin_len = odst.sin_len = sizeof(struct sockaddr_in); 4146 osrc.sin_addr = oip->ip_src; 4147 odst.sin_addr = oip->ip_dst; 4148 /* 4149 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode) 4150 * - if the inner destination is multicast address, there can be 4151 * multiple permissible inner source address. implementation 4152 * may want to skip verification of inner source address against 4153 * SPD selector. 4154 * - if the inner protocol is ICMP, the packet may be an error report 4155 * from routers on the other side of the VPN cloud (R in the 4156 * following diagram). in this case, we cannot verify inner source 4157 * address against SPD selector. 4158 * me -- gw === gw -- R -- you 4159 * 4160 * we consider the first bullet to be users responsibility on SPD entry 4161 * configuration (if you need to encrypt multicast traffic, set 4162 * the source range of SPD selector to 0.0.0.0/0, or have explicit 4163 * address ranges for possible senders). 4164 * the second bullet is not taken care of (yet). 4165 * 4166 * therefore, we do not do anything special about inner source. 4167 */ 4168 if (nxt == IPPROTO_IPV4) { 4169 bzero(&i4src, sizeof(struct sockaddr_in)); 4170 bzero(&i4dst, sizeof(struct sockaddr_in)); 4171 i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET; 4172 i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in); 4173 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr), 4174 (caddr_t)&i4src.sin_addr); 4175 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr), 4176 (caddr_t)&i4dst.sin_addr); 4177 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 4178 (struct sockaddr *)&i4src, (struct sockaddr *)&i4dst); 4179 } else if (nxt == IPPROTO_IPV6) { 4180 bzero(&i6src, sizeof(struct sockaddr_in6)); 4181 bzero(&i6dst, sizeof(struct sockaddr_in6)); 4182 i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6; 4183 i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6); 4184 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr), 4185 (caddr_t)&i6src.sin6_addr); 4186 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr), 4187 (caddr_t)&i6dst.sin6_addr); 4188 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 4189 (struct sockaddr *)&i6src, (struct sockaddr *)&i6dst); 4190 } else 4191 return 0; /* unsupported family */ 4192 4193 if (!sp) 4194 return 0; 4195 4196 key_freesp(sp, KEY_SADB_UNLOCKED); 4197 4198 return 1; 4199} 4200 4201#if INET6 4202/* validate inbound IPsec tunnel packet. */ 4203int 4204ipsec6_tunnel_validate(m, off, nxt0, sav) 4205 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */ 4206 int off; 4207 u_int nxt0; 4208 struct secasvar *sav; 4209{ 4210 u_int8_t nxt = nxt0 & 0xff; 4211 struct sockaddr_in6 *sin6; 4212 struct sockaddr_in6 osrc, odst, isrc, idst; 4213 struct secpolicy *sp; 4214 struct ip6_hdr *oip6; 4215 4216 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 4217 4218#if DIAGNOSTIC 4219 if (m->m_len < sizeof(struct ip6_hdr)) 4220 panic("too short mbuf on ipsec6_tunnel_validate"); 4221#endif 4222 if (nxt != IPPROTO_IPV6) 4223 return 0; 4224 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr)) 4225 return 0; 4226 /* do not decapsulate if the SA is for transport mode only */ 4227 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) 4228 return 0; 4229 4230 oip6 = mtod(m, struct ip6_hdr *); 4231 /* AF_INET should be supported, but at this moment we don't. */ 4232 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst; 4233 if (sin6->sin6_family != AF_INET6) 4234 return 0; 4235 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr)) 4236 return 0; 4237 4238 if (sav->utun_in_fn) { 4239 // the utun SAs don't have a policy (yet). 4240 return 1; 4241 } 4242 4243 /* XXX slow */ 4244 bzero(&osrc, sizeof(osrc)); 4245 bzero(&odst, sizeof(odst)); 4246 bzero(&isrc, sizeof(isrc)); 4247 bzero(&idst, sizeof(idst)); 4248 osrc.sin6_family = odst.sin6_family = isrc.sin6_family = 4249 idst.sin6_family = AF_INET6; 4250 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len = 4251 sizeof(struct sockaddr_in6); 4252 osrc.sin6_addr = oip6->ip6_src; 4253 odst.sin6_addr = oip6->ip6_dst; 4254 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), 4255 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr); 4256 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), 4257 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr); 4258 4259 /* 4260 * regarding to inner source address validation, see a long comment 4261 * in ipsec4_tunnel_validate. 4262 */ 4263 4264 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, 4265 (struct sockaddr *)&isrc, (struct sockaddr *)&idst); 4266 /* 4267 * when there is no suitable inbound policy for the packet of the ipsec 4268 * tunnel mode, the kernel never decapsulate the tunneled packet 4269 * as the ipsec tunnel mode even when the system wide policy is "none". 4270 * then the kernel leaves the generic tunnel module to process this 4271 * packet. if there is no rule of the generic tunnel, the packet 4272 * is rejected and the statistics will be counted up. 4273 */ 4274 if (!sp) 4275 return 0; 4276 key_freesp(sp, KEY_SADB_UNLOCKED); 4277 4278 return 1; 4279} 4280#endif 4281 4282/* 4283 * Make a mbuf chain for encryption. 4284 * If the original mbuf chain contains a mbuf with a cluster, 4285 * allocate a new cluster and copy the data to the new cluster. 4286 * XXX: this hack is inefficient, but is necessary to handle cases 4287 * of TCP retransmission... 4288 */ 4289struct mbuf * 4290ipsec_copypkt(m) 4291 struct mbuf *m; 4292{ 4293 struct mbuf *n, **mpp, *mnew; 4294 4295 for (n = m, mpp = &m; n; n = n->m_next) { 4296 if (n->m_flags & M_EXT) { 4297 /* 4298 * Make a copy only if there are more than one references 4299 * to the cluster. 4300 * XXX: is this approach effective? 4301 */ 4302 if ( 4303 n->m_ext.ext_free || 4304 m_mclhasreference(n) 4305 ) 4306 { 4307 int remain, copied; 4308 struct mbuf *mm; 4309 4310 if (n->m_flags & M_PKTHDR) { 4311 MGETHDR(mnew, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 4312 if (mnew == NULL) 4313 goto fail; 4314 M_COPY_PKTHDR(mnew, n); 4315 } 4316 else { 4317 MGET(mnew, M_DONTWAIT, MT_DATA); 4318 if (mnew == NULL) 4319 goto fail; 4320 } 4321 mnew->m_len = 0; 4322 mm = mnew; 4323 4324 /* 4325 * Copy data. If we don't have enough space to 4326 * store the whole data, allocate a cluster 4327 * or additional mbufs. 4328 * XXX: we don't use m_copyback(), since the 4329 * function does not use clusters and thus is 4330 * inefficient. 4331 */ 4332 remain = n->m_len; 4333 copied = 0; 4334 while (1) { 4335 int len; 4336 struct mbuf *mn; 4337 4338 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN)) 4339 len = remain; 4340 else { /* allocate a cluster */ 4341 MCLGET(mm, M_DONTWAIT); 4342 if (!(mm->m_flags & M_EXT)) { 4343 m_free(mm); 4344 goto fail; 4345 } 4346 len = remain < MCLBYTES ? 4347 remain : MCLBYTES; 4348 } 4349 4350 bcopy(n->m_data + copied, mm->m_data, 4351 len); 4352 4353 copied += len; 4354 remain -= len; 4355 mm->m_len = len; 4356 4357 if (remain <= 0) /* completed? */ 4358 break; 4359 4360 /* need another mbuf */ 4361 MGETHDR(mn, M_DONTWAIT, MT_HEADER); /* XXXMAC: tags copied next time in loop? */ 4362 if (mn == NULL) 4363 goto fail; 4364 mn->m_pkthdr.rcvif = NULL; 4365 mm->m_next = mn; 4366 mm = mn; 4367 } 4368 4369 /* adjust chain */ 4370 mm->m_next = m_free(n); 4371 n = mm; 4372 *mpp = mnew; 4373 mpp = &n->m_next; 4374 4375 continue; 4376 } 4377 } 4378 *mpp = n; 4379 mpp = &n->m_next; 4380 } 4381 4382 return(m); 4383 fail: 4384 m_freem(m); 4385 return(NULL); 4386} 4387 4388/* 4389 * Tags are allocated as mbufs for now, since our minimum size is MLEN, we 4390 * should make use of up to that much space. 4391 */ 4392#define IPSEC_TAG_HEADER \ 4393 4394struct ipsec_tag { 4395 struct socket *socket; 4396 u_int32_t history_count; 4397 struct ipsec_history history[]; 4398}; 4399 4400#define IPSEC_TAG_SIZE (MLEN - sizeof(struct m_tag)) 4401#define IPSEC_TAG_HDR_SIZE (offsetof(struct ipsec_tag, history[0])) 4402#define IPSEC_HISTORY_MAX ((IPSEC_TAG_SIZE - IPSEC_TAG_HDR_SIZE) / \ 4403 sizeof(struct ipsec_history)) 4404 4405static struct ipsec_tag * 4406ipsec_addaux( 4407 struct mbuf *m) 4408{ 4409 struct m_tag *tag; 4410 4411 /* Check if the tag already exists */ 4412 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL); 4413 4414 if (tag == NULL) { 4415 struct ipsec_tag *itag; 4416 4417 /* Allocate a tag */ 4418 tag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, 4419 IPSEC_TAG_SIZE, M_DONTWAIT, m); 4420 4421 if (tag) { 4422 itag = (struct ipsec_tag*)(tag + 1); 4423 itag->socket = 0; 4424 itag->history_count = 0; 4425 4426 m_tag_prepend(m, tag); 4427 } 4428 } 4429 4430 return tag ? (struct ipsec_tag*)(tag + 1) : NULL; 4431} 4432 4433static struct ipsec_tag * 4434ipsec_findaux( 4435 struct mbuf *m) 4436{ 4437 struct m_tag *tag; 4438 4439 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL); 4440 4441 return tag ? (struct ipsec_tag*)(tag + 1) : NULL; 4442} 4443 4444void 4445ipsec_delaux( 4446 struct mbuf *m) 4447{ 4448 struct m_tag *tag; 4449 4450 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL); 4451 4452 if (tag) { 4453 m_tag_delete(m, tag); 4454 } 4455} 4456 4457/* if the aux buffer is unnecessary, nuke it. */ 4458static void 4459ipsec_optaux( 4460 struct mbuf *m, 4461 struct ipsec_tag *itag) 4462{ 4463 if (itag && itag->socket == NULL && itag->history_count == 0) { 4464 m_tag_delete(m, ((struct m_tag*)itag) - 1); 4465 } 4466} 4467 4468int 4469ipsec_setsocket(struct mbuf *m, struct socket *so) 4470{ 4471 struct ipsec_tag *tag; 4472 4473 /* if so == NULL, don't insist on getting the aux mbuf */ 4474 if (so) { 4475 tag = ipsec_addaux(m); 4476 if (!tag) 4477 return ENOBUFS; 4478 } else 4479 tag = ipsec_findaux(m); 4480 if (tag) { 4481 tag->socket = so; 4482 ipsec_optaux(m, tag); 4483 } 4484 return 0; 4485} 4486 4487struct socket * 4488ipsec_getsocket(struct mbuf *m) 4489{ 4490 struct ipsec_tag *itag; 4491 4492 itag = ipsec_findaux(m); 4493 if (itag) 4494 return itag->socket; 4495 else 4496 return NULL; 4497} 4498 4499int 4500ipsec_addhist( 4501 struct mbuf *m, 4502 int proto, 4503 u_int32_t spi) 4504{ 4505 struct ipsec_tag *itag; 4506 struct ipsec_history *p; 4507 itag = ipsec_addaux(m); 4508 if (!itag) 4509 return ENOBUFS; 4510 if (itag->history_count == IPSEC_HISTORY_MAX) 4511 return ENOSPC; /* XXX */ 4512 4513 p = &itag->history[itag->history_count]; 4514 itag->history_count++; 4515 4516 bzero(p, sizeof(*p)); 4517 p->ih_proto = proto; 4518 p->ih_spi = spi; 4519 4520 return 0; 4521} 4522 4523struct ipsec_history * 4524ipsec_gethist( 4525 struct mbuf *m, 4526 int *lenp) 4527{ 4528 struct ipsec_tag *itag; 4529 4530 itag = ipsec_findaux(m); 4531 if (!itag) 4532 return NULL; 4533 if (itag->history_count == 0) 4534 return NULL; 4535 if (lenp) 4536 *lenp = (int)(itag->history_count * sizeof(struct ipsec_history)); 4537 return itag->history; 4538} 4539 4540void 4541ipsec_clearhist( 4542 struct mbuf *m) 4543{ 4544 struct ipsec_tag *itag; 4545 4546 itag = ipsec_findaux(m); 4547 if (itag) { 4548 itag->history_count = 0; 4549 } 4550 ipsec_optaux(m, itag); 4551} 4552 4553__private_extern__ int 4554ipsec_send_natt_keepalive( 4555 struct secasvar *sav) 4556{ 4557 struct mbuf *m; 4558 struct ip *ip; 4559 int error; 4560 struct ip_out_args ipoa = 4561 { IFSCOPE_NONE, { 0 }, IPOAF_SELECT_SRCIF, 0 }; 4562 struct route ro; 4563 int keepalive_interval = natt_keepalive_interval; 4564 4565 lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); 4566 4567 if ((esp_udp_encap_port & 0xFFFF) == 0 || sav->remote_ike_port == 0) return FALSE; 4568 4569 if (sav->natt_interval != 0) { 4570 keepalive_interval = (int)sav->natt_interval; 4571 } 4572 4573 // natt timestamp may have changed... reverify 4574 if ((natt_now - sav->natt_last_activity) < keepalive_interval) return FALSE; 4575 4576 if (sav->flags & SADB_X_EXT_ESP_KEEPALIVE) return FALSE; // don't send these from the kernel 4577 4578 m = m_gethdr(M_NOWAIT, MT_DATA); 4579 if (m == NULL) return FALSE; 4580 4581 ip = (__typeof__(ip))m_mtod(m); 4582 4583 // this sends one type of NATT keepalives (Type 1, ESP keepalives, aren't sent by kernel) 4584 if ((sav->flags & SADB_X_EXT_ESP_KEEPALIVE) == 0) { 4585 struct udphdr *uh; 4586 4587 /* 4588 * Type 2: a UDP packet complete with IP header. 4589 * We must do this because UDP output requires 4590 * an inpcb which we don't have. UDP packet 4591 * contains one byte payload. The byte is set 4592 * to 0xFF. 4593 */ 4594 uh = (__typeof__(uh))(void *)((char *)m_mtod(m) + sizeof(*ip)); 4595 m->m_len = sizeof(struct udpiphdr) + 1; 4596 bzero(m_mtod(m), m->m_len); 4597 m->m_pkthdr.len = m->m_len; 4598 4599 ip->ip_len = m->m_len; 4600 ip->ip_ttl = ip_defttl; 4601 ip->ip_p = IPPROTO_UDP; 4602 if (sav->sah->dir != IPSEC_DIR_INBOUND) { 4603 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; 4604 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; 4605 } else { 4606 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; 4607 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; 4608 } 4609 uh->uh_sport = htons((u_short)esp_udp_encap_port); 4610 uh->uh_dport = htons(sav->remote_ike_port); 4611 uh->uh_ulen = htons(1 + sizeof(*uh)); 4612 uh->uh_sum = 0; 4613 *(u_int8_t*)((char*)m_mtod(m) + sizeof(*ip) + sizeof(*uh)) = 0xFF; 4614 } 4615 4616 // grab sadb_mutex, to get a local copy of sah's route cache 4617 lck_mtx_lock(sadb_mutex); 4618 if (ROUTE_UNUSABLE(&sav->sah->sa_route) || 4619 rt_key(sav->sah->sa_route.ro_rt)->sa_family != AF_INET) 4620 ROUTE_RELEASE(&sav->sah->sa_route); 4621 4622 route_copyout(&ro, &sav->sah->sa_route, sizeof(ro)); 4623 lck_mtx_unlock(sadb_mutex); 4624 4625 necp_mark_packet_as_keepalive(m, TRUE); 4626 4627 error = ip_output(m, NULL, &ro, IP_OUTARGS | IP_NOIPSEC, NULL, &ipoa); 4628 4629 // grab sadb_mutex, to synchronize the sah's route cache with the local copy 4630 lck_mtx_lock(sadb_mutex); 4631 route_copyin(&ro, &sav->sah->sa_route, sizeof(ro)); 4632 lck_mtx_unlock(sadb_mutex); 4633 if (error == 0) { 4634 sav->natt_last_activity = natt_now; 4635 return TRUE; 4636 } 4637 return FALSE; 4638} 4639 4640__private_extern__ bool 4641ipsec_fill_offload_frame(ifnet_t ifp, 4642 struct secasvar *sav, 4643 struct ipsec_offload_frame *frame, 4644 size_t frame_data_offset) 4645{ 4646 u_int8_t *data = NULL; 4647 struct ip *ip = NULL; 4648 struct udphdr *uh = NULL; 4649 4650 if (sav == NULL || sav->sah == NULL || frame == NULL || 4651 (ifp != NULL && ifp->if_index != sav->sah->outgoing_if) || 4652 sav->sah->saidx.dst.ss_family != AF_INET || 4653 !(sav->flags & SADB_X_EXT_NATT) || 4654 !(sav->flags & SADB_X_EXT_NATT_KEEPALIVE) || 4655 !(sav->flags & SADB_X_EXT_NATT_KEEPALIVE_OFFLOAD) || 4656 sav->flags & SADB_X_EXT_ESP_KEEPALIVE || 4657 (esp_udp_encap_port & 0xFFFF) == 0 || 4658 sav->remote_ike_port == 0 || 4659 (natt_keepalive_interval == 0 && sav->natt_interval == 0)) { 4660 /* SA is not eligible for keepalive offload on this interface */ 4661 return (FALSE); 4662 } 4663 4664 if (frame_data_offset + sizeof(struct udpiphdr) + 1 > IPSEC_OFFLOAD_FRAME_DATA_SIZE) { 4665 /* Not enough room in this data frame */ 4666 return (FALSE); 4667 } 4668 4669 data = frame->data; 4670 ip = (__typeof__(ip))(void *)(data + frame_data_offset); 4671 uh = (__typeof__(uh))(void *)(data + frame_data_offset + sizeof(*ip)); 4672 4673 frame->length = frame_data_offset + sizeof(struct udpiphdr) + 1; 4674 bzero(data, IPSEC_OFFLOAD_FRAME_DATA_SIZE); 4675 4676 ip->ip_v = IPVERSION; 4677 ip->ip_hl = sizeof(struct ip) >> 2; 4678 ip->ip_off &= htons(~IP_OFFMASK); 4679 ip->ip_off &= htons(~IP_MF); 4680 switch (ip4_ipsec_dfbit) { 4681 case 0: /* clear DF bit */ 4682 ip->ip_off &= htons(~IP_DF); 4683 break; 4684 case 1: /* set DF bit */ 4685 ip->ip_off |= htons(IP_DF); 4686 break; 4687 default: /* copy DF bit */ 4688 break; 4689 } 4690 ip->ip_len = htons(sizeof(struct udpiphdr) + 1); 4691 ip->ip_id = ip_randomid(); 4692 ip->ip_ttl = ip_defttl; 4693 ip->ip_p = IPPROTO_UDP; 4694 ip->ip_sum = 0; 4695 if (sav->sah->dir != IPSEC_DIR_INBOUND) { 4696 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; 4697 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; 4698 } else { 4699 ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; 4700 ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; 4701 } 4702 ip->ip_sum = in_cksum_hdr_opt(ip); 4703 uh->uh_sport = htons((u_short)esp_udp_encap_port); 4704 uh->uh_dport = htons(sav->remote_ike_port); 4705 uh->uh_ulen = htons(1 + sizeof(*uh)); 4706 uh->uh_sum = 0; 4707 *(u_int8_t*)(data + frame_data_offset + sizeof(*ip) + sizeof(*uh)) = 0xFF; 4708 4709 if (sav->natt_interval != 0) { 4710 frame->interval = sav->natt_interval; 4711 } else { 4712 frame->interval = natt_keepalive_interval; 4713 } 4714 return (TRUE); 4715} 4716