Annotation of src/sys/netipsec/ipsec.c, Revision 1.136
1.136 ! maxv 1: /* $NetBSD: ipsec.c,v 1.135 2018/02/26 06:17:01 maxv Exp $ */
1.129 maxv 2: /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
3: /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
1.1 jonathan 4:
5: /*
6: * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7: * All rights reserved.
8: *
9: * Redistribution and use in source and binary forms, with or without
10: * modification, are permitted provided that the following conditions
11: * are met:
12: * 1. Redistributions of source code must retain the above copyright
1.26 degroote 13: * notice, this list of conditions and the following disclaimer.
1.1 jonathan 14: * 2. Redistributions in binary form must reproduce the above copyright
1.26 degroote 15: * notice, this list of conditions and the following disclaimer in the
16: * documentation and/or other materials provided with the distribution.
1.1 jonathan 17: * 3. Neither the name of the project nor the names of its contributors
1.26 degroote 18: * may be used to endorse or promote products derived from this software
19: * without specific prior written permission.
1.1 jonathan 20: *
21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31: * SUCH DAMAGE.
32: */
33:
34: #include <sys/cdefs.h>
1.136 ! maxv 35: __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.135 2018/02/26 06:17:01 maxv Exp $");
1.1 jonathan 36:
37: /*
38: * IPsec controller part.
39: */
40:
1.71 ozaki-r 41: #if defined(_KERNEL_OPT)
1.1 jonathan 42: #include "opt_inet.h"
43: #include "opt_ipsec.h"
1.71 ozaki-r 44: #endif
1.1 jonathan 45:
46: #include <sys/param.h>
47: #include <sys/systm.h>
48: #include <sys/mbuf.h>
49: #include <sys/domain.h>
50: #include <sys/protosw.h>
51: #include <sys/socket.h>
52: #include <sys/socketvar.h>
53: #include <sys/errno.h>
54: #include <sys/time.h>
55: #include <sys/kernel.h>
56: #include <sys/syslog.h>
57: #include <sys/sysctl.h>
58: #include <sys/proc.h>
1.44 elad 59: #include <sys/kauth.h>
1.90 ozaki-r 60: #include <sys/cpu.h>
61: #include <sys/kmem.h>
1.113 ozaki-r 62: #include <sys/pserialize.h>
1.1 jonathan 63:
64: #include <net/if.h>
65: #include <net/route.h>
66:
67: #include <netinet/in.h>
68: #include <netinet/in_systm.h>
69: #include <netinet/ip.h>
70: #include <netinet/ip_var.h>
71: #include <netinet/in_var.h>
72: #include <netinet/udp.h>
73: #include <netinet/udp_var.h>
74: #include <netinet/tcp.h>
75: #include <netinet/udp.h>
1.38 mlelstv 76: #include <netinet/ip_icmp.h>
1.60 rmind 77: #include <netinet/ip_private.h>
1.1 jonathan 78:
79: #include <netinet/ip6.h>
80: #ifdef INET6
81: #include <netinet6/ip6_var.h>
82: #endif
83: #include <netinet/in_pcb.h>
84: #ifdef INET6
1.5 jonathan 85: #include <netinet6/in6_pcb.h>
1.1 jonathan 86: #include <netinet/icmp6.h>
87: #endif
88:
89: #include <netipsec/ipsec.h>
1.13 jonathan 90: #include <netipsec/ipsec_var.h>
1.37 thorpej 91: #include <netipsec/ipsec_private.h>
1.1 jonathan 92: #ifdef INET6
93: #include <netipsec/ipsec6.h>
94: #endif
95: #include <netipsec/ah_var.h>
96: #include <netipsec/esp_var.h>
97: #include <netipsec/ipcomp.h> /*XXX*/
98: #include <netipsec/ipcomp_var.h>
99:
1.4 tls 100: #include <netipsec/key.h>
101: #include <netipsec/keydb.h>
102: #include <netipsec/key_debug.h>
1.1 jonathan 103:
104: #include <netipsec/xform.h>
105:
1.63 christos 106: int ipsec_used = 0;
107: int ipsec_enabled = 1;
108:
1.1 jonathan 109: #ifdef IPSEC_DEBUG
110: int ipsec_debug = 1;
1.21 rpaulo 111:
1.129 maxv 112: /*
1.21 rpaulo 113: * When set to 1, IPsec will send packets with the same sequence number.
114: * This allows to verify if the other side has proper replay attacks detection.
115: */
116: int ipsec_replay = 0;
117:
1.129 maxv 118: /*
1.21 rpaulo 119: * When set 1, IPsec will send packets with corrupted HMAC.
120: * This allows to verify if the other side properly detects modified packets.
121: */
122: int ipsec_integrity = 0;
1.1 jonathan 123: #else
124: int ipsec_debug = 0;
125: #endif
126:
1.37 thorpej 127: percpu_t *ipsecstat_percpu;
1.129 maxv 128:
1.1 jonathan 129: int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
1.18 christos 130: int ip4_ipsec_dfbit = 2; /* DF bit on encap. 0: clear 1: set 2: copy */
1.1 jonathan 131: int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
132: int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
133: int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
134: int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
135: struct secpolicy ip4_def_policy;
136: int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
1.9 thorpej 137:
138: u_int ipsec_spdgen = 1; /* SPD generation # */
139:
1.119 ozaki-r 140: static struct secpolicy ipsec_dummy_sp __read_mostly = {
141: .state = IPSEC_SPSTATE_ALIVE,
142: /* If ENTRUST, the dummy SP never be used. See ipsec_getpolicybysock. */
143: .policy = IPSEC_POLICY_ENTRUST,
144: };
145:
1.129 maxv 146: static struct secpolicy *ipsec_checkpcbcache(struct mbuf *,
147: struct inpcbpolicy *, int);
148: static int ipsec_fillpcbcache(struct inpcbpolicy *, struct mbuf *,
149: struct secpolicy *, int);
150: static int ipsec_invalpcbcache(struct inpcbpolicy *, int);
1.9 thorpej 151:
1.1 jonathan 152: /*
153: * Crypto support requirements:
154: *
155: * 1 require hardware support
156: * -1 require software support
157: * 0 take anything
158: */
1.129 maxv 159: int crypto_support = 0;
1.1 jonathan 160:
1.5 jonathan 161: static struct secpolicy *ipsec_getpolicybysock(struct mbuf *, u_int,
1.75 ozaki-r 162: struct inpcb_hdr *, int *);
1.5 jonathan 163:
1.1 jonathan 164: #ifdef INET6
165: int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
166: int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
167: int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
168: int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
1.5 jonathan 169: struct secpolicy ip6_def_policy;
1.1 jonathan 170: int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
1.129 maxv 171: #endif
1.1 jonathan 172:
1.129 maxv 173: static int ipsec4_setspidx_inpcb(struct mbuf *, struct inpcb *);
1.1 jonathan 174: #ifdef INET6
1.129 maxv 175: static int ipsec6_setspidx_in6pcb(struct mbuf *, struct in6pcb *);
1.1 jonathan 176: #endif
1.129 maxv 177: static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int);
178: static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
179: static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
1.1 jonathan 180: #ifdef INET6
1.129 maxv 181: static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
182: static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
1.1 jonathan 183: #endif
1.129 maxv 184: static void ipsec_delpcbpolicy(struct inpcbpolicy *);
1.115 ozaki-r 185: #if 0 /* unused */
1.129 maxv 186: static struct secpolicy *ipsec_deepcopy_policy(const struct secpolicy *);
1.115 ozaki-r 187: #endif
1.129 maxv 188: static int ipsec_set_policy(struct secpolicy **, int, const void *, size_t,
1.55 drochner 189: kauth_cred_t);
1.129 maxv 190: static int ipsec_get_policy(struct secpolicy *, struct mbuf **);
1.113 ozaki-r 191: static void ipsec_destroy_policy(struct secpolicy *);
1.132 maxv 192: static int ipsec_sp_reject(const struct secpolicy *, const struct mbuf *);
1.129 maxv 193: static void vshiftl(unsigned char *, int, int);
1.132 maxv 194: static size_t ipsec_sp_hdrsiz(const struct secpolicy *, const struct mbuf *);
1.1 jonathan 195:
1.9 thorpej 196: /*
197: * Try to validate and use cached policy on a PCB.
198: */
199: static struct secpolicy *
200: ipsec_checkpcbcache(struct mbuf *m, struct inpcbpolicy *pcbsp, int dir)
201: {
202: struct secpolicyindex spidx;
1.113 ozaki-r 203: struct secpolicy *sp = NULL;
204: int s;
1.9 thorpej 205:
1.81 ozaki-r 206: KASSERT(IPSEC_DIR_IS_VALID(dir));
1.76 ozaki-r 207: KASSERT(pcbsp != NULL);
1.94 ozaki-r 208: KASSERT(dir < __arraycount(pcbsp->sp_cache));
1.84 ozaki-r 209: KASSERT(inph_locked(pcbsp->sp_inph));
1.76 ozaki-r 210:
1.113 ozaki-r 211: /*
212: * Checking the generation and sp->state and taking a reference to an SP
213: * must be in a critical section of pserialize. See key_unlink_sp.
214: */
215: s = pserialize_read_enter();
1.9 thorpej 216: /* SPD table change invalidate all the caches. */
217: if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) {
218: ipsec_invalpcbcache(pcbsp, dir);
1.113 ozaki-r 219: goto out;
1.9 thorpej 220: }
1.113 ozaki-r 221: sp = pcbsp->sp_cache[dir].cachesp;
222: if (sp == NULL)
223: goto out;
224: if (sp->state != IPSEC_SPSTATE_ALIVE) {
225: sp = NULL;
1.9 thorpej 226: ipsec_invalpcbcache(pcbsp, dir);
1.113 ozaki-r 227: goto out;
1.9 thorpej 228: }
229: if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
1.113 ozaki-r 230: /* NB: assume ipsec_setspidx never sleep */
231: if (ipsec_setspidx(m, &spidx, 1) != 0) {
232: sp = NULL;
233: goto out;
234: }
1.29 degroote 235:
236: /*
237: * We have to make an exact match here since the cached rule
238: * might have lower priority than a rule that would otherwise
1.129 maxv 239: * have matched the packet.
1.29 degroote 240: */
1.113 ozaki-r 241: if (memcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx,
242: sizeof(spidx))) {
243: sp = NULL;
244: goto out;
245: }
1.9 thorpej 246: } else {
247: /*
248: * The pcb is connected, and the L4 code is sure that:
249: * - outgoing side uses inp_[lf]addr
250: * - incoming side looks up policy after inpcb lookup
251: * and address pair is know to be stable. We do not need
252: * to generate spidx again, nor check the address match again.
253: *
254: * For IPv4/v6 SOCK_STREAM sockets, this assumptions holds
255: * and there are calls to ipsec_pcbconn() from in_pcbconnect().
256: */
257: }
258:
1.113 ozaki-r 259: sp->lastused = time_second;
260: KEY_SP_REF(sp);
1.77 ozaki-r 261: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
262: "DP cause refcnt++:%d SP:%p\n",
1.113 ozaki-r 263: key_sp_refcnt(sp), pcbsp->sp_cache[dir].cachesp);
264: out:
265: pserialize_read_exit(s);
266: return sp;
1.9 thorpej 267: }
268:
269: static int
270: ipsec_fillpcbcache(struct inpcbpolicy *pcbsp, struct mbuf *m,
1.129 maxv 271: struct secpolicy *sp, int dir)
1.9 thorpej 272: {
273:
1.81 ozaki-r 274: KASSERT(IPSEC_DIR_IS_INOROUT(dir));
1.94 ozaki-r 275: KASSERT(dir < __arraycount(pcbsp->sp_cache));
1.84 ozaki-r 276: KASSERT(inph_locked(pcbsp->sp_inph));
1.9 thorpej 277:
278: pcbsp->sp_cache[dir].cachesp = NULL;
1.98 ozaki-r 279: pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_UNKNOWN;
1.9 thorpej 280: if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, 1) != 0) {
281: return EINVAL;
282: }
283: pcbsp->sp_cache[dir].cachesp = sp;
284: if (pcbsp->sp_cache[dir].cachesp) {
285: /*
286: * If the PCB is connected, we can remember a hint to
287: * possibly short-circuit IPsec processing in other places.
288: */
289: if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) {
290: switch (pcbsp->sp_cache[dir].cachesp->policy) {
291: case IPSEC_POLICY_NONE:
292: case IPSEC_POLICY_BYPASS:
293: pcbsp->sp_cache[dir].cachehint =
1.100 ozaki-r 294: IPSEC_PCBHINT_NO;
1.9 thorpej 295: break;
296: default:
297: pcbsp->sp_cache[dir].cachehint =
1.100 ozaki-r 298: IPSEC_PCBHINT_YES;
1.9 thorpej 299: }
300: }
301: }
302: pcbsp->sp_cache[dir].cachegen = ipsec_spdgen;
303:
304: return 0;
305: }
306:
307: static int
308: ipsec_invalpcbcache(struct inpcbpolicy *pcbsp, int dir)
309: {
310: int i;
311:
1.84 ozaki-r 312: KASSERT(inph_locked(pcbsp->sp_inph));
313:
1.9 thorpej 314: for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
315: if (dir != IPSEC_DIR_ANY && i != dir)
316: continue;
317: pcbsp->sp_cache[i].cachesp = NULL;
1.98 ozaki-r 318: pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_UNKNOWN;
1.9 thorpej 319: pcbsp->sp_cache[i].cachegen = 0;
1.41 cegger 320: memset(&pcbsp->sp_cache[i].cacheidx, 0,
1.100 ozaki-r 321: sizeof(pcbsp->sp_cache[i].cacheidx));
1.9 thorpej 322: }
323: return 0;
324: }
325:
326: void
327: ipsec_pcbconn(struct inpcbpolicy *pcbsp)
328: {
329:
1.84 ozaki-r 330: KASSERT(inph_locked(pcbsp->sp_inph));
331:
1.9 thorpej 332: pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED;
333: ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
334: }
335:
336: void
337: ipsec_pcbdisconn(struct inpcbpolicy *pcbsp)
338: {
339:
1.84 ozaki-r 340: KASSERT(inph_locked(pcbsp->sp_inph));
341:
1.9 thorpej 342: pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED;
343: ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
344: }
345:
346: void
347: ipsec_invalpcbcacheall(void)
348: {
349:
350: if (ipsec_spdgen == UINT_MAX)
351: ipsec_spdgen = 1;
352: else
353: ipsec_spdgen++;
354: }
355:
1.1 jonathan 356: /*
357: * Return a held reference to the default SP.
358: */
359: static struct secpolicy *
1.101 ozaki-r 360: key_get_default_sp(int af, const char *where, int tag)
1.1 jonathan 361: {
362: struct secpolicy *sp;
363:
1.77 ozaki-r 364: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag);
1.1 jonathan 365:
1.78 ozaki-r 366: switch(af) {
367: case AF_INET:
368: sp = &ip4_def_policy;
369: break;
1.31 degroote 370: #ifdef INET6
1.78 ozaki-r 371: case AF_INET6:
372: sp = &ip6_def_policy;
373: break;
1.31 degroote 374: #endif
1.78 ozaki-r 375: default:
1.77 ozaki-r 376: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
377: "unexpected protocol family %u\n", af);
1.78 ozaki-r 378: return NULL;
379: }
1.31 degroote 380:
1.1 jonathan 381: if (sp->policy != IPSEC_POLICY_DISCARD &&
1.132 maxv 382: sp->policy != IPSEC_POLICY_NONE) {
1.92 ozaki-r 383: IPSECLOG(LOG_INFO, "fixed system default policy: %d->%d\n",
384: sp->policy, IPSEC_POLICY_NONE);
1.1 jonathan 385: sp->policy = IPSEC_POLICY_NONE;
386: }
1.95 ozaki-r 387: KEY_SP_REF(sp);
1.1 jonathan 388:
1.77 ozaki-r 389: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP returns SP:%p (%u)\n",
1.111 ozaki-r 390: sp, key_sp_refcnt(sp));
1.1 jonathan 391: return sp;
392: }
1.129 maxv 393:
1.101 ozaki-r 394: #define KEY_GET_DEFAULT_SP(af) \
395: key_get_default_sp((af), __func__, __LINE__)
1.1 jonathan 396:
397: /*
398: * For OUTBOUND packet having a socket. Searching SPD for packet,
399: * and return a pointer to SP.
400: * OUT: NULL: no apropreate SP found, the following value is set to error.
401: * 0 : bypass
402: * EACCES : discard packet.
403: * ENOENT : ipsec_acquire() in progress, maybe.
1.7 wiz 404: * others : error occurred.
1.1 jonathan 405: * others: a pointer to SP
406: *
1.20 wiz 407: * NOTE: IPv6 mapped address concern is implemented here.
1.1 jonathan 408: */
1.5 jonathan 409: static struct secpolicy *
1.83 ozaki-r 410: ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb_hdr *inph,
1.75 ozaki-r 411: int *error)
1.1 jonathan 412: {
413: struct inpcbpolicy *pcbsp = NULL;
414: struct secpolicy *currsp = NULL; /* policy on socket */
415: struct secpolicy *sp;
416: int af;
417:
1.73 ozaki-r 418: KASSERT(m != NULL);
1.83 ozaki-r 419: KASSERT(inph != NULL);
1.73 ozaki-r 420: KASSERT(error != NULL);
1.81 ozaki-r 421: KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
1.1 jonathan 422:
1.83 ozaki-r 423: KASSERT(inph->inph_socket != NULL);
1.84 ozaki-r 424: KASSERT(inph_locked(inph));
1.5 jonathan 425:
426: /* XXX FIXME inpcb/in6pcb vs socket*/
1.83 ozaki-r 427: af = inph->inph_af;
1.73 ozaki-r 428: KASSERTMSG(af == AF_INET || af == AF_INET6,
429: "unexpected protocol family %u", af);
1.1 jonathan 430:
1.83 ozaki-r 431: KASSERT(inph->inph_sp != NULL);
1.9 thorpej 432: /* If we have a cached entry, and if it is still valid, use it. */
1.37 thorpej 433: IPSEC_STATINC(IPSEC_STAT_SPDCACHELOOKUP);
1.83 ozaki-r 434: currsp = ipsec_checkpcbcache(m, inph->inph_sp, dir);
1.9 thorpej 435: if (currsp) {
436: *error = 0;
437: return currsp;
438: }
1.37 thorpej 439: IPSEC_STATINC(IPSEC_STAT_SPDCACHEMISS);
1.9 thorpej 440:
1.1 jonathan 441: switch (af) {
1.5 jonathan 442: case AF_INET: {
1.83 ozaki-r 443: struct inpcb *in4p = (struct inpcb *)inph;
1.1 jonathan 444: /* set spidx in pcb */
1.5 jonathan 445: *error = ipsec4_setspidx_inpcb(m, in4p);
446: pcbsp = in4p->inp_sp;
1.1 jonathan 447: break;
1.5 jonathan 448: }
449: #if defined(INET6)
450: case AF_INET6: {
1.83 ozaki-r 451: struct in6pcb *in6p = (struct in6pcb *)inph;
1.1 jonathan 452: /* set spidx in pcb */
1.5 jonathan 453: *error = ipsec6_setspidx_in6pcb(m, in6p);
454: pcbsp = in6p->in6p_sp;
1.1 jonathan 455: break;
1.5 jonathan 456: }
1.1 jonathan 457: #endif
458: default:
459: *error = EPFNOSUPPORT;
460: break;
461: }
462: if (*error)
463: return NULL;
464:
1.73 ozaki-r 465: KASSERT(pcbsp != NULL);
1.1 jonathan 466: switch (dir) {
467: case IPSEC_DIR_INBOUND:
468: currsp = pcbsp->sp_in;
469: break;
470: case IPSEC_DIR_OUTBOUND:
471: currsp = pcbsp->sp_out;
472: break;
473: }
1.73 ozaki-r 474: KASSERT(currsp != NULL);
1.1 jonathan 475:
476: if (pcbsp->priv) { /* when privilieged socket */
477: switch (currsp->policy) {
478: case IPSEC_POLICY_BYPASS:
479: case IPSEC_POLICY_IPSEC:
1.95 ozaki-r 480: KEY_SP_REF(currsp);
1.1 jonathan 481: sp = currsp;
482: break;
483:
484: case IPSEC_POLICY_ENTRUST:
485: /* look for a policy in SPD */
1.101 ozaki-r 486: sp = KEY_LOOKUP_SP_BYSPIDX(&currsp->spidx, dir);
1.1 jonathan 487: if (sp == NULL) /* no SP found */
1.101 ozaki-r 488: sp = KEY_GET_DEFAULT_SP(af);
1.1 jonathan 489: break;
490:
491: default:
1.92 ozaki-r 492: IPSECLOG(LOG_ERR, "Invalid policy for PCB %d\n",
493: currsp->policy);
1.1 jonathan 494: *error = EINVAL;
495: return NULL;
496: }
497: } else { /* unpriv, SPD has policy */
1.101 ozaki-r 498: sp = KEY_LOOKUP_SP_BYSPIDX(&currsp->spidx, dir);
1.1 jonathan 499: if (sp == NULL) { /* no SP found */
500: switch (currsp->policy) {
501: case IPSEC_POLICY_BYPASS:
1.92 ozaki-r 502: IPSECLOG(LOG_ERR, "Illegal policy for "
503: "non-priviliged defined %d\n",
504: currsp->policy);
1.1 jonathan 505: *error = EINVAL;
506: return NULL;
507:
508: case IPSEC_POLICY_ENTRUST:
1.101 ozaki-r 509: sp = KEY_GET_DEFAULT_SP(af);
1.1 jonathan 510: break;
511:
512: case IPSEC_POLICY_IPSEC:
1.95 ozaki-r 513: KEY_SP_REF(currsp);
1.1 jonathan 514: sp = currsp;
515: break;
516:
517: default:
1.92 ozaki-r 518: IPSECLOG(LOG_ERR, "Invalid policy for "
519: "PCB %d\n", currsp->policy);
1.1 jonathan 520: *error = EINVAL;
521: return NULL;
522: }
523: }
524: }
1.73 ozaki-r 525: KASSERTMSG(sp != NULL, "null SP (priv %u policy %u", pcbsp->priv,
526: currsp->policy);
1.77 ozaki-r 527: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
528: "DP (priv %u policy %u) allocates SP:%p (refcnt %u)\n",
1.111 ozaki-r 529: pcbsp->priv, currsp->policy, sp, key_sp_refcnt(sp));
1.9 thorpej 530: ipsec_fillpcbcache(pcbsp, m, sp, dir);
1.1 jonathan 531: return sp;
532: }
533:
534: /*
1.132 maxv 535: * For FORWARDING packet or OUTBOUND without a socket. Searching SPD for packet,
1.1 jonathan 536: * and return a pointer to SP.
537: * OUT: positive: a pointer to the entry for security policy leaf matched.
538: * NULL: no apropreate SP found, the following value is set to error.
539: * 0 : bypass
540: * EACCES : discard packet.
541: * ENOENT : ipsec_acquire() in progress, maybe.
1.7 wiz 542: * others : error occurred.
1.1 jonathan 543: */
1.131 maxv 544: static struct secpolicy *
1.33 degroote 545: ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
1.1 jonathan 546: {
547: struct secpolicyindex spidx;
548: struct secpolicy *sp;
549:
1.73 ozaki-r 550: KASSERT(m != NULL);
551: KASSERT(error != NULL);
1.81 ozaki-r 552: KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
1.1 jonathan 553:
554: sp = NULL;
1.32 degroote 555:
556: /* Make an index to look for a policy. */
557: *error = ipsec_setspidx(m, &spidx, (flag & IP_FORWARDING) ? 0 : 1);
558: if (*error != 0) {
1.92 ozaki-r 559: IPSECLOG(LOG_DEBUG, "setpidx failed, dir %u flag %u\n", dir, flag);
1.129 maxv 560: memset(&spidx, 0, sizeof(spidx));
1.32 degroote 561: return NULL;
562: }
563:
564: spidx.dir = dir;
565:
1.1 jonathan 566: if (key_havesp(dir)) {
1.101 ozaki-r 567: sp = KEY_LOOKUP_SP_BYSPIDX(&spidx, dir);
1.1 jonathan 568: }
1.32 degroote 569:
1.1 jonathan 570: if (sp == NULL) /* no SP found, use system default */
1.101 ozaki-r 571: sp = KEY_GET_DEFAULT_SP(spidx.dst.sa.sa_family);
1.73 ozaki-r 572: KASSERT(sp != NULL);
1.1 jonathan 573: return sp;
574: }
575:
1.131 maxv 576: static struct secpolicy *
1.33 degroote 577: ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error,
1.129 maxv 578: struct inpcb *inp)
1.1 jonathan 579: {
580: struct secpolicy *sp;
581:
582: *error = 0;
1.5 jonathan 583:
1.82 ozaki-r 584: if (inp == NULL) {
1.1 jonathan 585: sp = ipsec_getpolicybyaddr(m, dir, flag, error);
1.82 ozaki-r 586: } else {
1.133 maxv 587: struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
588: KASSERT(inph->inph_socket != NULL);
589: sp = ipsec_getpolicybysock(m, dir, inph, error);
1.82 ozaki-r 590: }
1.1 jonathan 591: if (sp == NULL) {
1.73 ozaki-r 592: KASSERTMSG(*error != 0, "getpolicy failed w/o error");
1.37 thorpej 593: IPSEC_STATINC(IPSEC_STAT_OUT_INVAL);
1.1 jonathan 594: return NULL;
595: }
1.73 ozaki-r 596: KASSERTMSG(*error == 0, "sp w/ error set to %u", *error);
1.135 maxv 597:
1.1 jonathan 598: switch (sp->policy) {
599: case IPSEC_POLICY_ENTRUST:
600: default:
1.62 christos 601: printf("%s: invalid policy %u\n", __func__, sp->policy);
1.1 jonathan 602: /* fall thru... */
603: case IPSEC_POLICY_DISCARD:
1.37 thorpej 604: IPSEC_STATINC(IPSEC_STAT_OUT_POLVIO);
1.1 jonathan 605: *error = -EINVAL; /* packet is discarded by caller */
606: break;
607: case IPSEC_POLICY_BYPASS:
608: case IPSEC_POLICY_NONE:
1.113 ozaki-r 609: KEY_SP_UNREF(&sp);
1.1 jonathan 610: sp = NULL; /* NB: force NULL result */
611: break;
612: case IPSEC_POLICY_IPSEC:
1.93 ozaki-r 613: KASSERT(sp->req != NULL);
1.1 jonathan 614: break;
615: }
1.135 maxv 616:
1.1 jonathan 617: if (*error != 0) {
1.113 ozaki-r 618: KEY_SP_UNREF(&sp);
1.1 jonathan 619: sp = NULL;
1.92 ozaki-r 620: IPSECLOG(LOG_DEBUG, "done, error %d\n", *error);
1.1 jonathan 621: }
1.135 maxv 622:
1.1 jonathan 623: return sp;
624: }
625:
1.59 rmind 626: int
1.70 ozaki-r 627: ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags,
1.87 ozaki-r 628: u_long *mtu, bool *natt_frag, bool *done)
1.59 rmind 629: {
630: struct secpolicy *sp = NULL;
631: int error, s;
632:
633: /*
634: * Check the security policy (SP) for the packet and, if required,
635: * do IPsec-related processing. There are two cases here; the first
636: * time a packet is sent through it will be untagged and handled by
637: * ipsec4_checkpolicy(). If the packet is resubmitted to ip_output
638: * (e.g. after AH, ESP, etc. processing), there will be a tag to
639: * bypass the lookup and related policy checking.
640: */
641: if (ipsec_outdone(m)) {
642: return 0;
643: }
644: s = splsoftnet();
1.99 ozaki-r 645: if (inp && ipsec_pcb_skip_ipsec(inp->inp_sp, IPSEC_DIR_OUTBOUND)) {
1.59 rmind 646: splx(s);
647: return 0;
648: }
649: sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, inp);
650:
651: /*
652: * There are four return cases:
653: * sp != NULL apply IPsec policy
654: * sp == NULL, error == 0 no IPsec handling needed
655: * sp == NULL, error == -EINVAL discard packet w/o error
656: * sp == NULL, error != 0 discard packet, report error
657: */
658: if (sp == NULL) {
659: splx(s);
660: if (error) {
661: /*
662: * Hack: -EINVAL is used to signal that a packet
663: * should be silently discarded. This is typically
664: * because we asked key management for an SA and
665: * it was delayed (e.g. kicked up to IKE).
666: */
667: if (error == -EINVAL)
668: error = 0;
669: m_freem(m);
670: *done = true;
671: return error;
672: }
673: /* No IPsec processing for this packet. */
674: return 0;
675: }
676:
677: /*
678: * Do delayed checksums now because we send before
679: * this is done in the normal processing path.
680: */
681: if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
682: in_delayed_cksum(m);
683: m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
684: }
685:
1.108 ozaki-r 686: {
687: u_long _mtu = 0;
688:
689: error = ipsec4_process_packet(m, sp->req, &_mtu);
690:
691: if (error == 0 && _mtu != 0) {
692: /*
693: * NAT-T ESP fragmentation: do not do IPSec processing
694: * now, we will do it on each fragmented packet.
695: */
696: *mtu = _mtu;
697: *natt_frag = true;
1.113 ozaki-r 698: KEY_SP_UNREF(&sp);
1.108 ozaki-r 699: splx(s);
700: return 0;
1.112 ozaki-r 701: }
1.108 ozaki-r 702: }
1.135 maxv 703:
1.59 rmind 704: /*
705: * Preserve KAME behaviour: ENOENT can be returned
706: * when an SA acquire is in progress. Don't propagate
707: * this to user-level; it confuses applications.
708: *
709: * XXX this will go away when the SADB is redone.
710: */
711: if (error == ENOENT)
712: error = 0;
1.113 ozaki-r 713: KEY_SP_UNREF(&sp);
1.59 rmind 714: splx(s);
715: *done = true;
716: return error;
717: }
718:
1.60 rmind 719: int
720: ipsec4_input(struct mbuf *m, int flags)
721: {
722: struct secpolicy *sp;
723: int error, s;
724:
725: s = splsoftnet();
1.109 ozaki-r 726: sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1.60 rmind 727: if (sp == NULL) {
728: splx(s);
729: return EINVAL;
730: }
731:
732: /*
733: * Check security policy against packet attributes.
734: */
1.132 maxv 735: error = ipsec_sp_reject(sp, m);
1.113 ozaki-r 736: KEY_SP_UNREF(&sp);
1.60 rmind 737: splx(s);
738: if (error) {
739: return error;
740: }
741:
742: if (flags == 0) {
743: /* We are done. */
744: return 0;
745: }
746:
1.104 ozaki-r 747: /*
748: * Peek at the outbound SP for this packet to determine if
749: * it is a Fast Forward candidate.
750: */
1.60 rmind 751: s = splsoftnet();
752: sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, NULL);
753: if (sp != NULL) {
754: m->m_flags &= ~M_CANFASTFWD;
1.113 ozaki-r 755: KEY_SP_UNREF(&sp);
1.60 rmind 756: }
757: splx(s);
758: return 0;
759: }
760:
761: int
762: ipsec4_forward(struct mbuf *m, int *destmtu)
763: {
764: /*
765: * If the packet is routed over IPsec tunnel, tell the
766: * originator the tunnel MTU.
767: * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
768: * XXX quickhack!!!
769: */
770: struct secpolicy *sp;
771: size_t ipsechdr;
772: int error;
773:
1.135 maxv 774: sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING,
775: &error);
1.60 rmind 776: if (sp == NULL) {
777: return EINVAL;
778: }
779:
780: /* Count IPsec header size. */
781: ipsechdr = ipsec4_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL);
782:
783: /*
784: * Find the correct route for outer IPv4 header, compute tunnel MTU.
785: */
1.106 ozaki-r 786: if (sp->req) {
1.121 ozaki-r 787: struct secasvar *sav;
1.60 rmind 788:
1.121 ozaki-r 789: sav = ipsec_lookup_sa(sp->req, m);
790: if (sav != NULL) {
791: struct route *ro;
792: struct rtentry *rt;
793:
794: ro = &sav->sah->sa_route;
795: rt = rtcache_validate(ro);
796: if (rt && rt->rt_ifp) {
797: *destmtu = rt->rt_rmx.rmx_mtu ?
798: rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu;
799: *destmtu -= ipsechdr;
800: }
801: rtcache_unref(rt, ro);
802: KEY_SA_UNREF(&sav);
1.60 rmind 803: }
804: }
1.113 ozaki-r 805: KEY_SP_UNREF(&sp);
1.60 rmind 806: return 0;
807: }
808:
1.26 degroote 809: #ifdef INET6
810: struct secpolicy *
1.33 degroote 811: ipsec6_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error,
1.129 maxv 812: struct in6pcb *in6p)
1.26 degroote 813: {
814: struct secpolicy *sp;
815:
816: *error = 0;
817:
1.82 ozaki-r 818: if (in6p == NULL) {
1.26 degroote 819: sp = ipsec_getpolicybyaddr(m, dir, flag, error);
1.82 ozaki-r 820: } else {
1.133 maxv 821: struct inpcb_hdr *inph = (struct inpcb_hdr *)in6p;
822: KASSERT(inph->inph_socket != NULL);
823: sp = ipsec_getpolicybysock(m, dir, inph, error);
1.82 ozaki-r 824: }
1.26 degroote 825: if (sp == NULL) {
1.73 ozaki-r 826: KASSERTMSG(*error != 0, "getpolicy failed w/o error");
1.37 thorpej 827: IPSEC_STATINC(IPSEC_STAT_OUT_INVAL);
1.26 degroote 828: return NULL;
829: }
1.73 ozaki-r 830: KASSERTMSG(*error == 0, "sp w/ error set to %u", *error);
1.26 degroote 831: switch (sp->policy) {
832: case IPSEC_POLICY_ENTRUST:
833: default:
1.62 christos 834: printf("%s: invalid policy %u\n", __func__, sp->policy);
1.26 degroote 835: /* fall thru... */
836: case IPSEC_POLICY_DISCARD:
1.37 thorpej 837: IPSEC_STATINC(IPSEC_STAT_OUT_POLVIO);
1.26 degroote 838: *error = -EINVAL; /* packet is discarded by caller */
839: break;
840: case IPSEC_POLICY_BYPASS:
841: case IPSEC_POLICY_NONE:
1.113 ozaki-r 842: KEY_SP_UNREF(&sp);
1.133 maxv 843: sp = NULL; /* NB: force NULL result */
1.26 degroote 844: break;
845: case IPSEC_POLICY_IPSEC:
1.93 ozaki-r 846: KASSERT(sp->req != NULL);
1.26 degroote 847: break;
848: }
849: if (*error != 0) {
1.113 ozaki-r 850: KEY_SP_UNREF(&sp);
1.26 degroote 851: sp = NULL;
1.92 ozaki-r 852: IPSECLOG(LOG_DEBUG, "done, error %d\n", *error);
1.26 degroote 853: }
854: return sp;
855: }
856: #endif /* INET6 */
857:
1.1 jonathan 858: static int
1.55 drochner 859: ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb)
1.1 jonathan 860: {
861: int error;
862:
1.73 ozaki-r 863: KASSERT(pcb != NULL);
864: KASSERT(pcb->inp_sp != NULL);
865: KASSERT(pcb->inp_sp->sp_out != NULL);
866: KASSERT(pcb->inp_sp->sp_in != NULL);
1.1 jonathan 867:
868: error = ipsec_setspidx(m, &pcb->inp_sp->sp_in->spidx, 1);
869: if (error == 0) {
870: pcb->inp_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND;
871: pcb->inp_sp->sp_out->spidx = pcb->inp_sp->sp_in->spidx;
872: pcb->inp_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND;
873: } else {
1.41 cegger 874: memset(&pcb->inp_sp->sp_in->spidx, 0,
1.100 ozaki-r 875: sizeof(pcb->inp_sp->sp_in->spidx));
1.41 cegger 876: memset(&pcb->inp_sp->sp_out->spidx, 0,
1.100 ozaki-r 877: sizeof(pcb->inp_sp->sp_in->spidx));
1.1 jonathan 878: }
879: return error;
880: }
881:
882: #ifdef INET6
883: static int
1.33 degroote 884: ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb)
1.1 jonathan 885: {
886: struct secpolicyindex *spidx;
887: int error;
888:
1.73 ozaki-r 889: KASSERT(pcb != NULL);
890: KASSERT(pcb->in6p_sp != NULL);
891: KASSERT(pcb->in6p_sp->sp_out != NULL);
892: KASSERT(pcb->in6p_sp->sp_in != NULL);
1.1 jonathan 893:
1.41 cegger 894: memset(&pcb->in6p_sp->sp_in->spidx, 0, sizeof(*spidx));
895: memset(&pcb->in6p_sp->sp_out->spidx, 0, sizeof(*spidx));
1.1 jonathan 896:
897: spidx = &pcb->in6p_sp->sp_in->spidx;
898: error = ipsec_setspidx(m, spidx, 1);
899: if (error)
900: goto bad;
901: spidx->dir = IPSEC_DIR_INBOUND;
902:
903: spidx = &pcb->in6p_sp->sp_out->spidx;
904: error = ipsec_setspidx(m, spidx, 1);
905: if (error)
906: goto bad;
907: spidx->dir = IPSEC_DIR_OUTBOUND;
908:
909: return 0;
910:
911: bad:
1.41 cegger 912: memset(&pcb->in6p_sp->sp_in->spidx, 0, sizeof(*spidx));
913: memset(&pcb->in6p_sp->sp_out->spidx, 0, sizeof(*spidx));
1.1 jonathan 914: return error;
915: }
916: #endif
917:
918: /*
919: * configure security policy index (src/dst/proto/sport/dport)
920: * by looking at the content of mbuf.
921: * the caller is responsible for error recovery (like clearing up spidx).
922: */
923: static int
1.33 degroote 924: ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
1.1 jonathan 925: {
926: struct ip *ip = NULL;
927: struct ip ipbuf;
928: u_int v;
929: struct mbuf *n;
930: int len;
931: int error;
932:
1.73 ozaki-r 933: KASSERT(m != NULL);
1.1 jonathan 934:
935: /*
936: * validate m->m_pkthdr.len. we see incorrect length if we
937: * mistakenly call this function with inconsistent mbuf chain
938: * (like 4.4BSD tcp/udp processing). XXX should we panic here?
939: */
940: len = 0;
941: for (n = m; n; n = n->m_next)
942: len += n->m_len;
943: if (m->m_pkthdr.len != len) {
1.77 ozaki-r 944: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
945: "total of m_len(%d) != pkthdr.len(%d), ignored.\n",
946: len, m->m_pkthdr.len);
1.135 maxv 947: KASSERTMSG(0, "impossible");
1.1 jonathan 948: return EINVAL;
949: }
950:
951: if (m->m_pkthdr.len < sizeof(struct ip)) {
1.77 ozaki-r 952: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
953: "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
954: m->m_pkthdr.len);
1.1 jonathan 955: return EINVAL;
956: }
957:
1.129 maxv 958: if (m->m_len >= sizeof(*ip)) {
1.1 jonathan 959: ip = mtod(m, struct ip *);
1.129 maxv 960: } else {
1.28 degroote 961: m_copydata(m, 0, sizeof(ipbuf), &ipbuf);
1.1 jonathan 962: ip = &ipbuf;
963: }
964: v = ip->ip_v;
965: switch (v) {
966: case 4:
967: error = ipsec4_setspidx_ipaddr(m, spidx);
968: if (error)
969: return error;
970: ipsec4_get_ulp(m, spidx, needport);
971: return 0;
972: #ifdef INET6
973: case 6:
974: if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
1.77 ozaki-r 975: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
1.62 christos 976: "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
1.77 ozaki-r 977: "ignored.\n", m->m_pkthdr.len);
1.1 jonathan 978: return EINVAL;
979: }
980: error = ipsec6_setspidx_ipaddr(m, spidx);
981: if (error)
982: return error;
983: ipsec6_get_ulp(m, spidx, needport);
984: return 0;
985: #endif
986: default:
1.77 ozaki-r 987: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
988: "unknown IP version %u, ignored.\n", v);
1.1 jonathan 989: return EINVAL;
990: }
991: }
992:
993: static void
994: ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
995: {
996: u_int8_t nxt;
997: int off;
998:
1.73 ozaki-r 999: KASSERT(m != NULL);
1000: KASSERTMSG(m->m_pkthdr.len >= sizeof(struct ip), "packet too short");
1.1 jonathan 1001:
1002: /* NB: ip_input() flips it into host endian XXX need more checking */
1.8 thorpej 1003: if (m->m_len >= sizeof(struct ip)) {
1.1 jonathan 1004: struct ip *ip = mtod(m, struct ip *);
1.75 ozaki-r 1005: if (ip->ip_off & htons(IP_MF | IP_OFFMASK))
1.1 jonathan 1006: goto done;
1007: off = ip->ip_hl << 2;
1008: nxt = ip->ip_p;
1009: } else {
1010: struct ip ih;
1011:
1.129 maxv 1012: m_copydata(m, 0, sizeof(struct ip), &ih);
1.75 ozaki-r 1013: if (ih.ip_off & htons(IP_MF | IP_OFFMASK))
1.1 jonathan 1014: goto done;
1015: off = ih.ip_hl << 2;
1016: nxt = ih.ip_p;
1017: }
1018:
1019: while (off < m->m_pkthdr.len) {
1020: struct ip6_ext ip6e;
1021: struct tcphdr th;
1022: struct udphdr uh;
1.38 mlelstv 1023: struct icmp icmph;
1.1 jonathan 1024:
1025: switch (nxt) {
1026: case IPPROTO_TCP:
1027: spidx->ul_proto = nxt;
1028: if (!needport)
1029: goto done_proto;
1030: if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1031: goto done;
1.129 maxv 1032: m_copydata(m, off, sizeof(th), &th);
1.1 jonathan 1033: spidx->src.sin.sin_port = th.th_sport;
1034: spidx->dst.sin.sin_port = th.th_dport;
1035: return;
1036: case IPPROTO_UDP:
1037: spidx->ul_proto = nxt;
1038: if (!needport)
1039: goto done_proto;
1040: if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1041: goto done;
1.129 maxv 1042: m_copydata(m, off, sizeof(uh), &uh);
1.1 jonathan 1043: spidx->src.sin.sin_port = uh.uh_sport;
1044: spidx->dst.sin.sin_port = uh.uh_dport;
1045: return;
1046: case IPPROTO_AH:
1.130 maxv 1047: if (off + sizeof(ip6e) > m->m_pkthdr.len)
1.1 jonathan 1048: goto done;
1049: /* XXX sigh, this works but is totally bogus */
1.28 degroote 1050: m_copydata(m, off, sizeof(ip6e), &ip6e);
1.1 jonathan 1051: off += (ip6e.ip6e_len + 2) << 2;
1052: nxt = ip6e.ip6e_nxt;
1053: break;
1054: case IPPROTO_ICMP:
1.38 mlelstv 1055: spidx->ul_proto = nxt;
1056: if (off + sizeof(struct icmp) > m->m_pkthdr.len)
1.134 maxv 1057: goto done;
1.39 degroote 1058: m_copydata(m, off, sizeof(icmph), &icmph);
1.38 mlelstv 1059: ((struct sockaddr_in *)&spidx->src)->sin_port =
1060: htons((uint16_t)icmph.icmp_type);
1061: ((struct sockaddr_in *)&spidx->dst)->sin_port =
1062: htons((uint16_t)icmph.icmp_code);
1063: return;
1.1 jonathan 1064: default:
1065: /* XXX intermediate headers??? */
1066: spidx->ul_proto = nxt;
1067: goto done_proto;
1068: }
1069: }
1070: done:
1071: spidx->ul_proto = IPSEC_ULPROTO_ANY;
1072: done_proto:
1073: spidx->src.sin.sin_port = IPSEC_PORT_ANY;
1074: spidx->dst.sin.sin_port = IPSEC_PORT_ANY;
1075: }
1076:
1077: static int
1078: ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
1079: {
1080: static const struct sockaddr_in template = {
1.129 maxv 1081: sizeof(struct sockaddr_in),
1.1 jonathan 1082: AF_INET,
1083: 0, { 0 }, { 0, 0, 0, 0, 0, 0, 0, 0 }
1084: };
1085:
1086: spidx->src.sin = template;
1087: spidx->dst.sin = template;
1088:
1.129 maxv 1089: if (m->m_len < sizeof(struct ip)) {
1.1 jonathan 1090: m_copydata(m, offsetof(struct ip, ip_src),
1.100 ozaki-r 1091: sizeof(struct in_addr), &spidx->src.sin.sin_addr);
1.1 jonathan 1092: m_copydata(m, offsetof(struct ip, ip_dst),
1.100 ozaki-r 1093: sizeof(struct in_addr), &spidx->dst.sin.sin_addr);
1.1 jonathan 1094: } else {
1095: struct ip *ip = mtod(m, struct ip *);
1096: spidx->src.sin.sin_addr = ip->ip_src;
1097: spidx->dst.sin.sin_addr = ip->ip_dst;
1098: }
1099:
1100: spidx->prefs = sizeof(struct in_addr) << 3;
1101: spidx->prefd = sizeof(struct in_addr) << 3;
1102:
1103: return 0;
1104: }
1105:
1106: #ifdef INET6
1107: static void
1.129 maxv 1108: ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
1.1 jonathan 1109: {
1110: int off, nxt;
1111: struct tcphdr th;
1112: struct udphdr uh;
1.38 mlelstv 1113: struct icmp6_hdr icmph;
1.1 jonathan 1114:
1.80 ozaki-r 1115: KASSERT(m != NULL);
1.1 jonathan 1116:
1.77 ozaki-r 1117: if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
1.120 christos 1118: kdebug_mbuf(__func__, m);
1.77 ozaki-r 1119: }
1.1 jonathan 1120:
1121: /* set default */
1122: spidx->ul_proto = IPSEC_ULPROTO_ANY;
1123: ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1124: ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1125:
1126: nxt = -1;
1127: off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1128: if (off < 0 || m->m_pkthdr.len < off)
1129: return;
1130:
1131: switch (nxt) {
1132: case IPPROTO_TCP:
1133: spidx->ul_proto = nxt;
1134: if (!needport)
1135: break;
1136: if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1137: break;
1.28 degroote 1138: m_copydata(m, off, sizeof(th), &th);
1.1 jonathan 1139: ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1140: ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1141: break;
1142: case IPPROTO_UDP:
1143: spidx->ul_proto = nxt;
1144: if (!needport)
1145: break;
1146: if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1147: break;
1.28 degroote 1148: m_copydata(m, off, sizeof(uh), &uh);
1.1 jonathan 1149: ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1150: ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1151: break;
1152: case IPPROTO_ICMPV6:
1.38 mlelstv 1153: spidx->ul_proto = nxt;
1154: if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
1155: break;
1.39 degroote 1156: m_copydata(m, off, sizeof(icmph), &icmph);
1.38 mlelstv 1157: ((struct sockaddr_in6 *)&spidx->src)->sin6_port =
1158: htons((uint16_t)icmph.icmp6_type);
1159: ((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
1160: htons((uint16_t)icmph.icmp6_code);
1161: break;
1.1 jonathan 1162: default:
1163: /* XXX intermediate headers??? */
1164: spidx->ul_proto = nxt;
1165: break;
1166: }
1167: }
1168:
1169: static int
1.33 degroote 1170: ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
1.1 jonathan 1171: {
1172: struct ip6_hdr *ip6 = NULL;
1173: struct ip6_hdr ip6buf;
1174: struct sockaddr_in6 *sin6;
1175:
1176: if (m->m_len >= sizeof(*ip6))
1177: ip6 = mtod(m, struct ip6_hdr *);
1178: else {
1.28 degroote 1179: m_copydata(m, 0, sizeof(ip6buf), &ip6buf);
1.1 jonathan 1180: ip6 = &ip6buf;
1181: }
1182:
1183: sin6 = (struct sockaddr_in6 *)&spidx->src;
1.41 cegger 1184: memset(sin6, 0, sizeof(*sin6));
1.1 jonathan 1185: sin6->sin6_family = AF_INET6;
1186: sin6->sin6_len = sizeof(struct sockaddr_in6);
1.43 tsutsui 1187: memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
1.1 jonathan 1188: if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1189: sin6->sin6_addr.s6_addr16[1] = 0;
1190: sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1191: }
1192: spidx->prefs = sizeof(struct in6_addr) << 3;
1193:
1194: sin6 = (struct sockaddr_in6 *)&spidx->dst;
1.41 cegger 1195: memset(sin6, 0, sizeof(*sin6));
1.1 jonathan 1196: sin6->sin6_family = AF_INET6;
1197: sin6->sin6_len = sizeof(struct sockaddr_in6);
1.43 tsutsui 1198: memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
1.1 jonathan 1199: if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1200: sin6->sin6_addr.s6_addr16[1] = 0;
1201: sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1202: }
1203: spidx->prefd = sizeof(struct in6_addr) << 3;
1204:
1205: return 0;
1206: }
1207: #endif
1208:
1209: static void
1.33 degroote 1210: ipsec_delpcbpolicy(struct inpcbpolicy *p)
1.1 jonathan 1211: {
1.90 ozaki-r 1212:
1.91 ozaki-r 1213: kmem_intr_free(p, sizeof(*p));
1.1 jonathan 1214: }
1215:
1216: /* initialize policy in PCB */
1217: int
1.57 christos 1218: ipsec_init_policy(struct socket *so, struct inpcbpolicy **policy)
1.1 jonathan 1219: {
1220: struct inpcbpolicy *new;
1221:
1.80 ozaki-r 1222: KASSERT(so != NULL);
1223: KASSERT(policy != NULL);
1.1 jonathan 1224:
1.91 ozaki-r 1225: new = kmem_intr_zalloc(sizeof(*new), KM_NOSLEEP);
1226: if (new == NULL) {
1.92 ozaki-r 1227: IPSECLOG(LOG_DEBUG, "No more memory.\n");
1.91 ozaki-r 1228: return ENOBUFS;
1229: }
1.1 jonathan 1230:
1231: if (IPSEC_PRIVILEGED_SO(so))
1232: new->priv = 1;
1233: else
1234: new->priv = 0;
1235:
1.113 ozaki-r 1236: /*
1.119 ozaki-r 1237: * Set dummy SPs. Actual SPs will be allocated later if needed.
1.113 ozaki-r 1238: */
1.119 ozaki-r 1239: new->sp_in = &ipsec_dummy_sp;
1240: new->sp_out = &ipsec_dummy_sp;
1.1 jonathan 1241:
1.57 christos 1242: *policy = new;
1.1 jonathan 1243:
1244: return 0;
1245: }
1246:
1.115 ozaki-r 1247: #if 0 /* unused */
1.1 jonathan 1248: /* copy old ipsec policy into new */
1249: int
1.52 christos 1250: ipsec_copy_policy(const struct inpcbpolicy *old, struct inpcbpolicy *new)
1.1 jonathan 1251: {
1252: struct secpolicy *sp;
1253:
1254: sp = ipsec_deepcopy_policy(old->sp_in);
1255: if (sp) {
1.113 ozaki-r 1256: KEY_SP_UNREF(&new->sp_in);
1.1 jonathan 1257: new->sp_in = sp;
1258: } else
1259: return ENOBUFS;
1260:
1261: sp = ipsec_deepcopy_policy(old->sp_out);
1262: if (sp) {
1.113 ozaki-r 1263: KEY_SP_UNREF(&new->sp_out);
1.1 jonathan 1264: new->sp_out = sp;
1265: } else
1266: return ENOBUFS;
1267:
1268: new->priv = old->priv;
1269:
1270: return 0;
1271: }
1272:
1273: /* deep-copy a policy in PCB */
1274: static struct secpolicy *
1.52 christos 1275: ipsec_deepcopy_policy(const struct secpolicy *src)
1.1 jonathan 1276: {
1277: struct ipsecrequest *newchain = NULL;
1.55 drochner 1278: const struct ipsecrequest *p;
1.1 jonathan 1279: struct ipsecrequest **q;
1280: struct secpolicy *dst;
1281:
1282: if (src == NULL)
1283: return NULL;
1284: dst = KEY_NEWSP();
1285: if (dst == NULL)
1286: return NULL;
1287:
1288: /*
1289: * deep-copy IPsec request chain. This is required since struct
1290: * ipsecrequest is not reference counted.
1291: */
1292: q = &newchain;
1293: for (p = src->req; p; p = p->next) {
1.90 ozaki-r 1294: *q = kmem_zalloc(sizeof(**q), KM_SLEEP);
1.1 jonathan 1295: (*q)->next = NULL;
1296:
1297: (*q)->saidx.proto = p->saidx.proto;
1298: (*q)->saidx.mode = p->saidx.mode;
1299: (*q)->level = p->level;
1300: (*q)->saidx.reqid = p->saidx.reqid;
1301:
1.43 tsutsui 1302: memcpy(&(*q)->saidx.src, &p->saidx.src, sizeof((*q)->saidx.src));
1303: memcpy(&(*q)->saidx.dst, &p->saidx.dst, sizeof((*q)->saidx.dst));
1.1 jonathan 1304:
1305: (*q)->sp = dst;
1306:
1307: q = &((*q)->next);
1308: }
1309:
1310: dst->req = newchain;
1311: dst->state = src->state;
1312: dst->policy = src->policy;
1313: /* do not touch the refcnt fields */
1314:
1315: return dst;
1316: }
1.115 ozaki-r 1317: #endif
1.1 jonathan 1318:
1.113 ozaki-r 1319: static void
1320: ipsec_destroy_policy(struct secpolicy *sp)
1321: {
1322:
1.119 ozaki-r 1323: if (sp == &ipsec_dummy_sp)
1324: ; /* It's dummy. No need to free it. */
1.113 ozaki-r 1325: else {
1326: /*
1327: * We cannot destroy here because it can be called in
1328: * softint. So mark the SP as DEAD and let the timer
1329: * destroy it. See key_timehandler_spd.
1330: */
1331: sp->state = IPSEC_SPSTATE_DEAD;
1332: }
1333: }
1334:
1.1 jonathan 1335: /* set policy and ipsec request if present. */
1336: static int
1.129 maxv 1337: ipsec_set_policy(struct secpolicy **policy, int optname, const void *request,
1338: size_t len, kauth_cred_t cred)
1.1 jonathan 1339: {
1.55 drochner 1340: const struct sadb_x_policy *xpl;
1.113 ozaki-r 1341: struct secpolicy *newsp = NULL, *oldsp;
1.1 jonathan 1342: int error;
1343:
1.90 ozaki-r 1344: KASSERT(!cpu_softintr_p());
1345:
1.1 jonathan 1346: /* sanity check. */
1.57 christos 1347: if (policy == NULL || *policy == NULL || request == NULL)
1.1 jonathan 1348: return EINVAL;
1349: if (len < sizeof(*xpl))
1350: return EINVAL;
1.55 drochner 1351: xpl = (const struct sadb_x_policy *)request;
1.1 jonathan 1352:
1.77 ozaki-r 1353: if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
1.120 christos 1354: kdebug_sadb_xpolicy("set passed policy", request);
1.77 ozaki-r 1355: }
1.1 jonathan 1356:
1357: /* check policy type */
1358: /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1.129 maxv 1359: if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
1360: xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1.1 jonathan 1361: return EINVAL;
1362:
1363: /* check privileged socket */
1.44 elad 1364: if (xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) {
1.56 elad 1365: error = kauth_authorize_network(cred, KAUTH_NETWORK_IPSEC,
1366: KAUTH_REQ_NETWORK_IPSEC_BYPASS, NULL, NULL, NULL);
1.44 elad 1367: if (error)
1.129 maxv 1368: return error;
1.44 elad 1369: }
1.1 jonathan 1370:
1371: /* allocation new SP entry */
1372: if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1373: return error;
1374:
1.113 ozaki-r 1375: key_init_sp(newsp);
1376: newsp->created = time_uptime;
1377: /* Insert the global list for SPs for sockets */
1378: key_socksplist_add(newsp);
1.1 jonathan 1379:
1380: /* clear old SP and set new SP */
1.113 ozaki-r 1381: oldsp = *policy;
1.57 christos 1382: *policy = newsp;
1.113 ozaki-r 1383: ipsec_destroy_policy(oldsp);
1384:
1.77 ozaki-r 1385: if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
1386: printf("%s: new policy\n", __func__);
1387: kdebug_secpolicy(newsp);
1388: }
1.1 jonathan 1389:
1390: return 0;
1391: }
1392:
1393: static int
1.57 christos 1394: ipsec_get_policy(struct secpolicy *policy, struct mbuf **mp)
1.1 jonathan 1395: {
1396:
1397: /* sanity check. */
1.57 christos 1398: if (policy == NULL || mp == NULL)
1.1 jonathan 1399: return EINVAL;
1400:
1.123 ozaki-r 1401: *mp = key_sp2msg(policy, M_NOWAIT);
1.1 jonathan 1402: if (!*mp) {
1.92 ozaki-r 1403: IPSECLOG(LOG_DEBUG, "No more memory.\n");
1.1 jonathan 1404: return ENOBUFS;
1405: }
1406:
1407: (*mp)->m_type = MT_DATA;
1.77 ozaki-r 1408: if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
1.120 christos 1409: kdebug_mbuf(__func__, *mp);
1.77 ozaki-r 1410: }
1.1 jonathan 1411:
1412: return 0;
1413: }
1414:
1415: int
1.55 drochner 1416: ipsec4_set_policy(struct inpcb *inp, int optname, const void *request,
1.129 maxv 1417: size_t len, kauth_cred_t cred)
1.1 jonathan 1418: {
1.55 drochner 1419: const struct sadb_x_policy *xpl;
1.57 christos 1420: struct secpolicy **policy;
1.1 jonathan 1421:
1.90 ozaki-r 1422: KASSERT(!cpu_softintr_p());
1.124 ozaki-r 1423: KASSERT(inp != NULL);
1.113 ozaki-r 1424: KASSERT(inp_locked(inp));
1.124 ozaki-r 1425: KASSERT(request != NULL);
1.90 ozaki-r 1426:
1.1 jonathan 1427: if (len < sizeof(*xpl))
1428: return EINVAL;
1.55 drochner 1429: xpl = (const struct sadb_x_policy *)request;
1.1 jonathan 1430:
1.73 ozaki-r 1431: KASSERT(inp->inp_sp != NULL);
1.1 jonathan 1432:
1433: /* select direction */
1434: switch (xpl->sadb_x_policy_dir) {
1435: case IPSEC_DIR_INBOUND:
1.57 christos 1436: policy = &inp->inp_sp->sp_in;
1.1 jonathan 1437: break;
1438: case IPSEC_DIR_OUTBOUND:
1.57 christos 1439: policy = &inp->inp_sp->sp_out;
1.1 jonathan 1440: break;
1441: default:
1.92 ozaki-r 1442: IPSECLOG(LOG_ERR, "invalid direction=%u\n",
1443: xpl->sadb_x_policy_dir);
1.1 jonathan 1444: return EINVAL;
1445: }
1446:
1.57 christos 1447: return ipsec_set_policy(policy, optname, request, len, cred);
1.1 jonathan 1448: }
1449:
1450: int
1.129 maxv 1451: ipsec4_get_policy(struct inpcb *inp, const void *request, size_t len,
1452: struct mbuf **mp)
1.1 jonathan 1453: {
1.55 drochner 1454: const struct sadb_x_policy *xpl;
1.57 christos 1455: struct secpolicy *policy;
1.1 jonathan 1456:
1457: /* sanity check. */
1458: if (inp == NULL || request == NULL || mp == NULL)
1459: return EINVAL;
1.73 ozaki-r 1460: KASSERT(inp->inp_sp != NULL);
1.1 jonathan 1461: if (len < sizeof(*xpl))
1462: return EINVAL;
1.55 drochner 1463: xpl = (const struct sadb_x_policy *)request;
1.1 jonathan 1464:
1465: /* select direction */
1466: switch (xpl->sadb_x_policy_dir) {
1467: case IPSEC_DIR_INBOUND:
1.57 christos 1468: policy = inp->inp_sp->sp_in;
1.1 jonathan 1469: break;
1470: case IPSEC_DIR_OUTBOUND:
1.57 christos 1471: policy = inp->inp_sp->sp_out;
1.1 jonathan 1472: break;
1473: default:
1.92 ozaki-r 1474: IPSECLOG(LOG_ERR, "invalid direction=%u\n",
1475: xpl->sadb_x_policy_dir);
1.1 jonathan 1476: return EINVAL;
1477: }
1478:
1.57 christos 1479: return ipsec_get_policy(policy, mp);
1.1 jonathan 1480: }
1481:
1482: int
1.33 degroote 1483: ipsec4_delete_pcbpolicy(struct inpcb *inp)
1.1 jonathan 1484: {
1.73 ozaki-r 1485:
1486: KASSERT(inp != NULL);
1.1 jonathan 1487:
1488: if (inp->inp_sp == NULL)
1489: return 0;
1490:
1491: if (inp->inp_sp->sp_in != NULL)
1.113 ozaki-r 1492: ipsec_destroy_policy(inp->inp_sp->sp_in);
1.1 jonathan 1493:
1494: if (inp->inp_sp->sp_out != NULL)
1.113 ozaki-r 1495: ipsec_destroy_policy(inp->inp_sp->sp_out);
1.1 jonathan 1496:
1.49 drochner 1497: ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1498:
1.1 jonathan 1499: ipsec_delpcbpolicy(inp->inp_sp);
1500: inp->inp_sp = NULL;
1501:
1502: return 0;
1503: }
1504:
1505: #ifdef INET6
1506: int
1.55 drochner 1507: ipsec6_set_policy(struct in6pcb *in6p, int optname, const void *request,
1.129 maxv 1508: size_t len, kauth_cred_t cred)
1.1 jonathan 1509: {
1.55 drochner 1510: const struct sadb_x_policy *xpl;
1.57 christos 1511: struct secpolicy **policy;
1.1 jonathan 1512:
1.90 ozaki-r 1513: KASSERT(!cpu_softintr_p());
1.136 ! maxv 1514: KASSERT(in6p != NULL);
1.113 ozaki-r 1515: KASSERT(in6p_locked(in6p));
1.136 ! maxv 1516: KASSERT(request != NULL);
1.90 ozaki-r 1517:
1.1 jonathan 1518: if (len < sizeof(*xpl))
1519: return EINVAL;
1.55 drochner 1520: xpl = (const struct sadb_x_policy *)request;
1.1 jonathan 1521:
1522: /* select direction */
1523: switch (xpl->sadb_x_policy_dir) {
1524: case IPSEC_DIR_INBOUND:
1.57 christos 1525: policy = &in6p->in6p_sp->sp_in;
1.1 jonathan 1526: break;
1527: case IPSEC_DIR_OUTBOUND:
1.57 christos 1528: policy = &in6p->in6p_sp->sp_out;
1.1 jonathan 1529: break;
1530: default:
1.92 ozaki-r 1531: IPSECLOG(LOG_ERR, "invalid direction=%u\n",
1532: xpl->sadb_x_policy_dir);
1.1 jonathan 1533: return EINVAL;
1534: }
1535:
1.57 christos 1536: return ipsec_set_policy(policy, optname, request, len, cred);
1.1 jonathan 1537: }
1538:
1539: int
1.55 drochner 1540: ipsec6_get_policy(struct in6pcb *in6p, const void *request, size_t len,
1.129 maxv 1541: struct mbuf **mp)
1.1 jonathan 1542: {
1.55 drochner 1543: const struct sadb_x_policy *xpl;
1.57 christos 1544: struct secpolicy *policy;
1.1 jonathan 1545:
1546: /* sanity check. */
1547: if (in6p == NULL || request == NULL || mp == NULL)
1548: return EINVAL;
1.73 ozaki-r 1549: KASSERT(in6p->in6p_sp != NULL);
1.1 jonathan 1550: if (len < sizeof(*xpl))
1551: return EINVAL;
1.55 drochner 1552: xpl = (const struct sadb_x_policy *)request;
1.1 jonathan 1553:
1554: /* select direction */
1555: switch (xpl->sadb_x_policy_dir) {
1556: case IPSEC_DIR_INBOUND:
1.57 christos 1557: policy = in6p->in6p_sp->sp_in;
1.1 jonathan 1558: break;
1559: case IPSEC_DIR_OUTBOUND:
1.57 christos 1560: policy = in6p->in6p_sp->sp_out;
1.1 jonathan 1561: break;
1562: default:
1.92 ozaki-r 1563: IPSECLOG(LOG_ERR, "invalid direction=%u\n",
1564: xpl->sadb_x_policy_dir);
1.1 jonathan 1565: return EINVAL;
1566: }
1567:
1.57 christos 1568: return ipsec_get_policy(policy, mp);
1.1 jonathan 1569: }
1570:
1571: int
1.33 degroote 1572: ipsec6_delete_pcbpolicy(struct in6pcb *in6p)
1.1 jonathan 1573: {
1.73 ozaki-r 1574:
1575: KASSERT(in6p != NULL);
1.1 jonathan 1576:
1577: if (in6p->in6p_sp == NULL)
1578: return 0;
1579:
1580: if (in6p->in6p_sp->sp_in != NULL)
1.113 ozaki-r 1581: ipsec_destroy_policy(in6p->in6p_sp->sp_in);
1.1 jonathan 1582:
1583: if (in6p->in6p_sp->sp_out != NULL)
1.113 ozaki-r 1584: ipsec_destroy_policy(in6p->in6p_sp->sp_out);
1.1 jonathan 1585:
1.49 drochner 1586: ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1587:
1.1 jonathan 1588: ipsec_delpcbpolicy(in6p->in6p_sp);
1589: in6p->in6p_sp = NULL;
1590:
1591: return 0;
1592: }
1593: #endif
1594:
1595: /*
1.135 maxv 1596: * Return the current level (either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE).
1.1 jonathan 1597: */
1598: u_int
1.52 christos 1599: ipsec_get_reqlevel(const struct ipsecrequest *isr)
1.1 jonathan 1600: {
1601: u_int level = 0;
1602: u_int esp_trans_deflev, esp_net_deflev;
1603: u_int ah_trans_deflev, ah_net_deflev;
1604:
1.73 ozaki-r 1605: KASSERT(isr != NULL);
1606: KASSERT(isr->sp != NULL);
1607: KASSERTMSG(
1608: isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family,
1609: "af family mismatch, src %u, dst %u",
1610: isr->sp->spidx.src.sa.sa_family, isr->sp->spidx.dst.sa.sa_family);
1.1 jonathan 1611:
1612: /* XXX note that we have ipseclog() expanded here - code sync issue */
1.135 maxv 1613: #define IPSEC_CHECK_DEFAULT(lev) \
1.62 christos 1614: (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1615: && (lev) != IPSEC_LEVEL_UNIQUE) ? \
1616: (ipsec_debug ? log(LOG_INFO, "fixed system default level " #lev \
1.64 plunky 1617: ":%d->%d\n", (lev), IPSEC_LEVEL_REQUIRE) : (void)0), \
1.62 christos 1618: (lev) = IPSEC_LEVEL_REQUIRE, (lev) \
1619: : (lev))
1.1 jonathan 1620:
1621: /* set default level */
1622: switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1623: #ifdef INET
1624: case AF_INET:
1625: esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1626: esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1627: ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1628: ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1629: break;
1630: #endif
1631: #ifdef INET6
1632: case AF_INET6:
1633: esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1634: esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1635: ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1636: ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1637: break;
1638: #endif /* INET6 */
1639: default:
1.62 christos 1640: panic("%s: unknown af %u", __func__,
1641: isr->sp->spidx.src.sa.sa_family);
1.1 jonathan 1642: }
1643:
1644: #undef IPSEC_CHECK_DEFAULT
1645:
1646: /* set level */
1647: switch (isr->level) {
1648: case IPSEC_LEVEL_DEFAULT:
1649: switch (isr->saidx.proto) {
1650: case IPPROTO_ESP:
1651: if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1652: level = esp_net_deflev;
1653: else
1654: level = esp_trans_deflev;
1655: break;
1656: case IPPROTO_AH:
1657: if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1658: level = ah_net_deflev;
1659: else
1660: level = ah_trans_deflev;
1.14 jonathan 1661: break;
1.1 jonathan 1662: case IPPROTO_IPCOMP:
1663: /*
1664: * we don't really care, as IPcomp document says that
1665: * we shouldn't compress small packets
1666: */
1667: level = IPSEC_LEVEL_USE;
1668: break;
1669: default:
1.62 christos 1670: panic("%s: Illegal protocol defined %u", __func__,
1671: isr->saidx.proto);
1.1 jonathan 1672: }
1673: break;
1674:
1675: case IPSEC_LEVEL_USE:
1676: case IPSEC_LEVEL_REQUIRE:
1677: level = isr->level;
1678: break;
1679: case IPSEC_LEVEL_UNIQUE:
1680: level = IPSEC_LEVEL_REQUIRE;
1681: break;
1682:
1683: default:
1.62 christos 1684: panic("%s: Illegal IPsec level %u", __func__, isr->level);
1.1 jonathan 1685: }
1686:
1687: return level;
1688: }
1689:
1690: /*
1.131 maxv 1691: * Check security policy requirements against the actual packet contents.
1.1 jonathan 1692: *
1.131 maxv 1693: * If the SP requires an IPsec packet, and the packet was neither AH nor ESP,
1694: * then kick it.
1.1 jonathan 1695: */
1696: int
1.132 maxv 1697: ipsec_sp_reject(const struct secpolicy *sp, const struct mbuf *m)
1.1 jonathan 1698: {
1699: struct ipsecrequest *isr;
1700:
1.77 ozaki-r 1701: if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
1702: printf("%s: using SP\n", __func__);
1703: kdebug_secpolicy(sp);
1704: }
1.1 jonathan 1705:
1706: /* check policy */
1707: switch (sp->policy) {
1708: case IPSEC_POLICY_DISCARD:
1709: return 1;
1710: case IPSEC_POLICY_BYPASS:
1711: case IPSEC_POLICY_NONE:
1712: return 0;
1713: }
1714:
1.73 ozaki-r 1715: KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC,
1716: "invalid policy %u", sp->policy);
1.1 jonathan 1717:
1718: /* XXX should compare policy against ipsec header history */
1719:
1720: for (isr = sp->req; isr != NULL; isr = isr->next) {
1721: if (ipsec_get_reqlevel(isr) != IPSEC_LEVEL_REQUIRE)
1722: continue;
1723: switch (isr->saidx.proto) {
1724: case IPPROTO_ESP:
1725: if ((m->m_flags & M_DECRYPTED) == 0) {
1.77 ozaki-r 1726: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
1727: "ESP m_flags:%x\n", m->m_flags);
1.1 jonathan 1728: return 1;
1729: }
1730: break;
1731: case IPPROTO_AH:
1732: if ((m->m_flags & M_AUTHIPHDR) == 0) {
1.77 ozaki-r 1733: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
1734: "AH m_flags:%x\n", m->m_flags);
1.1 jonathan 1735: return 1;
1736: }
1737: break;
1738: case IPPROTO_IPCOMP:
1739: /*
1.131 maxv 1740: * We don't really care, as IPcomp document
1.1 jonathan 1741: * says that we shouldn't compress small
1742: * packets, IPComp policy should always be
1743: * treated as being in "use" level.
1744: */
1745: break;
1746: }
1747: }
1.132 maxv 1748:
1749: return 0;
1.1 jonathan 1750: }
1751:
1752: /*
1753: * Check AH/ESP integrity.
1754: * This function is called from tcp_input(), udp_input(),
1755: * and {ah,esp}4_input for tunnel mode
1756: */
1757: int
1.33 degroote 1758: ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
1.1 jonathan 1759: {
1.133 maxv 1760: struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
1.1 jonathan 1761: struct secpolicy *sp;
1762: int error;
1763: int result;
1764:
1.73 ozaki-r 1765: KASSERT(m != NULL);
1.1 jonathan 1766:
1.133 maxv 1767: if (inph == NULL)
1.131 maxv 1768: sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1769: IP_FORWARDING, &error);
1.1 jonathan 1770: else
1.5 jonathan 1771: sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND,
1.133 maxv 1772: inph, &error);
1.1 jonathan 1773:
1774: if (sp != NULL) {
1.132 maxv 1775: result = ipsec_sp_reject(sp, m);
1.1 jonathan 1776: if (result)
1.37 thorpej 1777: IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
1.113 ozaki-r 1778: KEY_SP_UNREF(&sp);
1.1 jonathan 1779: } else {
1.131 maxv 1780: result = 0;
1.1 jonathan 1781: }
1782: return result;
1783: }
1784:
1785: #ifdef INET6
1786: /*
1787: * Check AH/ESP integrity.
1788: * This function is called from tcp6_input(), udp6_input(),
1789: * and {ah,esp}6_input for tunnel mode
1790: */
1791: int
1.33 degroote 1792: ipsec6_in_reject(struct mbuf *m, struct in6pcb *in6p)
1.1 jonathan 1793: {
1.133 maxv 1794: struct inpcb_hdr *inph = (struct inpcb_hdr *)in6p;
1.131 maxv 1795: struct secpolicy *sp;
1.1 jonathan 1796: int error;
1797: int result;
1798:
1.80 ozaki-r 1799: KASSERT(m != NULL);
1.1 jonathan 1800:
1.133 maxv 1801: if (inph == NULL)
1.131 maxv 1802: sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1803: IP_FORWARDING, &error);
1.1 jonathan 1804: else
1.5 jonathan 1805: sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND,
1.133 maxv 1806: inph, &error);
1.1 jonathan 1807:
1808: if (sp != NULL) {
1.132 maxv 1809: result = ipsec_sp_reject(sp, m);
1.1 jonathan 1810: if (result)
1.37 thorpej 1811: IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
1.113 ozaki-r 1812: KEY_SP_UNREF(&sp);
1.1 jonathan 1813: } else {
1814: result = 0;
1815: }
1816: return result;
1817: }
1818: #endif
1819:
1820: /*
1.132 maxv 1821: * Compute the byte size to be occupied by the IPsec header. If it is
1822: * tunneled, it includes the size of outer IP header.
1.1 jonathan 1823: */
1824: static size_t
1.132 maxv 1825: ipsec_sp_hdrsiz(const struct secpolicy *sp, const struct mbuf *m)
1.1 jonathan 1826: {
1.107 ozaki-r 1827: struct ipsecrequest *isr;
1.1 jonathan 1828: size_t siz;
1829:
1.77 ozaki-r 1830: if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
1831: printf("%s: using SP\n", __func__);
1832: kdebug_secpolicy(sp);
1833: }
1.1 jonathan 1834:
1835: switch (sp->policy) {
1836: case IPSEC_POLICY_DISCARD:
1837: case IPSEC_POLICY_BYPASS:
1838: case IPSEC_POLICY_NONE:
1839: return 0;
1840: }
1841:
1.73 ozaki-r 1842: KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC,
1843: "invalid policy %u", sp->policy);
1.1 jonathan 1844:
1845: siz = 0;
1846: for (isr = sp->req; isr != NULL; isr = isr->next) {
1847: size_t clen = 0;
1.121 ozaki-r 1848: struct secasvar *sav;
1.1 jonathan 1849:
1850: switch (isr->saidx.proto) {
1851: case IPPROTO_ESP:
1.121 ozaki-r 1852: sav = ipsec_lookup_sa(isr, m);
1853: if (sav != NULL) {
1.107 ozaki-r 1854: clen = esp_hdrsiz(sav);
1.116 ozaki-r 1855: KEY_SA_UNREF(&sav);
1.107 ozaki-r 1856: } else
1857: clen = esp_hdrsiz(NULL);
1.1 jonathan 1858: break;
1859: case IPPROTO_AH:
1.121 ozaki-r 1860: sav = ipsec_lookup_sa(isr, m);
1861: if (sav != NULL) {
1.107 ozaki-r 1862: clen = ah_hdrsiz(sav);
1.116 ozaki-r 1863: KEY_SA_UNREF(&sav);
1.107 ozaki-r 1864: } else
1865: clen = ah_hdrsiz(NULL);
1.1 jonathan 1866: break;
1867: case IPPROTO_IPCOMP:
1868: clen = sizeof(struct ipcomp);
1869: break;
1870: }
1871:
1872: if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1873: switch (isr->saidx.dst.sa.sa_family) {
1874: case AF_INET:
1875: clen += sizeof(struct ip);
1876: break;
1877: #ifdef INET6
1878: case AF_INET6:
1879: clen += sizeof(struct ip6_hdr);
1880: break;
1881: #endif
1882: default:
1.92 ozaki-r 1883: IPSECLOG(LOG_ERR, "unknown AF %d in "
1884: "IPsec tunnel SA\n",
1.62 christos 1885: ((const struct sockaddr *)&isr->saidx.dst)
1.92 ozaki-r 1886: ->sa_family);
1.1 jonathan 1887: break;
1888: }
1889: }
1890: siz += clen;
1891: }
1892:
1893: return siz;
1894: }
1895:
1896: size_t
1.33 degroote 1897: ipsec4_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
1.1 jonathan 1898: {
1.133 maxv 1899: struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
1.1 jonathan 1900: struct secpolicy *sp;
1901: int error;
1902: size_t size;
1903:
1.73 ozaki-r 1904: KASSERT(m != NULL);
1.133 maxv 1905: KASSERTMSG(inph == NULL || inph->inph_socket != NULL,
1906: "socket w/o inpcb");
1.1 jonathan 1907:
1.133 maxv 1908: if (inph == NULL)
1.1 jonathan 1909: sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1910: else
1.133 maxv 1911: sp = ipsec_getpolicybysock(m, dir, inph, &error);
1.1 jonathan 1912:
1913: if (sp != NULL) {
1.132 maxv 1914: size = ipsec_sp_hdrsiz(sp, m);
1.131 maxv 1915: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%zu.\n", size);
1.113 ozaki-r 1916: KEY_SP_UNREF(&sp);
1.1 jonathan 1917: } else {
1.133 maxv 1918: size = 0;
1.1 jonathan 1919: }
1.131 maxv 1920:
1.1 jonathan 1921: return size;
1922: }
1923:
1924: #ifdef INET6
1925: size_t
1.33 degroote 1926: ipsec6_hdrsiz(struct mbuf *m, u_int dir, struct in6pcb *in6p)
1.1 jonathan 1927: {
1.133 maxv 1928: struct inpcb_hdr *inph = (struct inpcb_hdr *)in6p;
1.1 jonathan 1929: struct secpolicy *sp;
1930: int error;
1931: size_t size;
1932:
1.73 ozaki-r 1933: KASSERT(m != NULL);
1.133 maxv 1934: KASSERTMSG(inph == NULL || inph->inph_socket != NULL,
1.73 ozaki-r 1935: "socket w/o inpcb");
1.1 jonathan 1936:
1.133 maxv 1937: if (inph == NULL)
1.1 jonathan 1938: sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1939: else
1.133 maxv 1940: sp = ipsec_getpolicybysock(m, dir, inph, &error);
1.1 jonathan 1941:
1.131 maxv 1942: if (sp != NULL) {
1.132 maxv 1943: size = ipsec_sp_hdrsiz(sp, m);
1.131 maxv 1944: KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%zu.\n", size);
1945: KEY_SP_UNREF(&sp);
1946: } else {
1947: size = 0;
1948: }
1.1 jonathan 1949:
1950: return size;
1951: }
1.131 maxv 1952: #endif
1.1 jonathan 1953:
1954: /*
1955: * Check the variable replay window.
1956: * ipsec_chkreplay() performs replay check before ICV verification.
1957: * ipsec_updatereplay() updates replay bitmap. This must be called after
1958: * ICV verification (it also performs replay check, which is usually done
1959: * beforehand).
1960: * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
1961: *
1962: * based on RFC 2401.
1963: */
1964: int
1.50 drochner 1965: ipsec_chkreplay(u_int32_t seq, const struct secasvar *sav)
1.1 jonathan 1966: {
1967: const struct secreplay *replay;
1968: u_int32_t diff;
1969: int fr;
1970: u_int32_t wsizeb; /* constant: bits of window size */
1971: int frlast; /* constant: last frame */
1972:
1.62 christos 1973: IPSEC_SPLASSERT_SOFTNET(__func__);
1.1 jonathan 1974:
1.73 ozaki-r 1975: KASSERT(sav != NULL);
1976: KASSERT(sav->replay != NULL);
1.1 jonathan 1977:
1978: replay = sav->replay;
1979:
1980: if (replay->wsize == 0)
1981: return 1; /* no need to check replay. */
1982:
1983: /* constant */
1984: frlast = replay->wsize - 1;
1985: wsizeb = replay->wsize << 3;
1986:
1987: /* sequence number of 0 is invalid */
1988: if (seq == 0)
1989: return 0;
1990:
1991: /* first time is always okay */
1992: if (replay->count == 0)
1993: return 1;
1994:
1995: if (seq > replay->lastseq) {
1996: /* larger sequences are okay */
1997: return 1;
1998: } else {
1999: /* seq is equal or less than lastseq. */
2000: diff = replay->lastseq - seq;
2001:
2002: /* over range to check, i.e. too old or wrapped */
2003: if (diff >= wsizeb)
2004: return 0;
2005:
2006: fr = frlast - diff / 8;
2007:
2008: /* this packet already seen ? */
2009: if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2010: return 0;
2011:
2012: /* out of order but good */
2013: return 1;
2014: }
2015: }
2016:
2017: /*
2018: * check replay counter whether to update or not.
2019: * OUT: 0: OK
2020: * 1: NG
2021: */
2022: int
1.50 drochner 2023: ipsec_updatereplay(u_int32_t seq, const struct secasvar *sav)
1.1 jonathan 2024: {
2025: struct secreplay *replay;
2026: u_int32_t diff;
2027: int fr;
2028: u_int32_t wsizeb; /* constant: bits of window size */
2029: int frlast; /* constant: last frame */
2030:
1.62 christos 2031: IPSEC_SPLASSERT_SOFTNET(__func__);
1.1 jonathan 2032:
1.73 ozaki-r 2033: KASSERT(sav != NULL);
2034: KASSERT(sav->replay != NULL);
1.1 jonathan 2035:
2036: replay = sav->replay;
2037:
2038: if (replay->wsize == 0)
2039: goto ok; /* no need to check replay. */
2040:
2041: /* constant */
2042: frlast = replay->wsize - 1;
2043: wsizeb = replay->wsize << 3;
2044:
2045: /* sequence number of 0 is invalid */
2046: if (seq == 0)
2047: return 1;
2048:
2049: /* first time */
2050: if (replay->count == 0) {
2051: replay->lastseq = seq;
1.41 cegger 2052: memset(replay->bitmap, 0, replay->wsize);
1.1 jonathan 2053: (replay->bitmap)[frlast] = 1;
2054: goto ok;
2055: }
2056:
2057: if (seq > replay->lastseq) {
2058: /* seq is larger than lastseq. */
2059: diff = seq - replay->lastseq;
2060:
2061: /* new larger sequence number */
2062: if (diff < wsizeb) {
2063: /* In window */
2064: /* set bit for this packet */
2065: vshiftl(replay->bitmap, diff, replay->wsize);
2066: (replay->bitmap)[frlast] |= 1;
2067: } else {
2068: /* this packet has a "way larger" */
1.41 cegger 2069: memset(replay->bitmap, 0, replay->wsize);
1.1 jonathan 2070: (replay->bitmap)[frlast] = 1;
2071: }
2072: replay->lastseq = seq;
2073:
2074: /* larger is good */
2075: } else {
2076: /* seq is equal or less than lastseq. */
2077: diff = replay->lastseq - seq;
2078:
2079: /* over range to check, i.e. too old or wrapped */
2080: if (diff >= wsizeb)
2081: return 1;
2082:
2083: fr = frlast - diff / 8;
2084:
2085: /* this packet already seen ? */
2086: if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2087: return 1;
2088:
2089: /* mark as seen */
2090: (replay->bitmap)[fr] |= (1 << (diff % 8));
2091:
2092: /* out of order but good */
2093: }
2094:
2095: ok:
2096: if (replay->count == ~0) {
1.122 ozaki-r 2097: char buf[IPSEC_LOGSASTRLEN];
1.1 jonathan 2098:
2099: /* set overflow flag */
2100: replay->overflow++;
2101:
2102: /* don't increment, no more packets accepted */
2103: if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2104: return 1;
2105:
1.92 ozaki-r 2106: IPSECLOG(LOG_WARNING, "replay counter made %d cycle. %s\n",
2107: replay->overflow, ipsec_logsastr(sav, buf, sizeof(buf)));
1.1 jonathan 2108: }
2109:
2110: replay->count++;
2111:
2112: return 0;
2113: }
2114:
2115: /*
1.132 maxv 2116: * shift variable length buffer to left.
1.1 jonathan 2117: * IN: bitmap: pointer to the buffer
1.129 maxv 2118: * nbit: the number of to shift.
1.1 jonathan 2119: * wsize: buffer size (bytes).
2120: */
2121: static void
1.33 degroote 2122: vshiftl(unsigned char *bitmap, int nbit, int wsize)
1.1 jonathan 2123: {
2124: int s, j, i;
2125: unsigned char over;
2126:
2127: for (j = 0; j < nbit; j += 8) {
2128: s = (nbit - j < 8) ? (nbit - j): 8;
2129: bitmap[0] <<= s;
2130: for (i = 1; i < wsize; i++) {
2131: over = (bitmap[i] >> (8 - s));
2132: bitmap[i] <<= s;
2133: bitmap[i-1] |= over;
2134: }
2135: }
2136:
2137: return;
2138: }
2139:
2140: /* Return a printable string for the address. */
1.17 christos 2141: const char *
1.88 ryo 2142: ipsec_address(const union sockaddr_union *sa, char *buf, size_t size)
1.1 jonathan 2143: {
2144: switch (sa->sa.sa_family) {
2145: #if INET
2146: case AF_INET:
1.88 ryo 2147: in_print(buf, size, &sa->sin.sin_addr);
2148: return buf;
1.129 maxv 2149: #endif
1.1 jonathan 2150: #if INET6
2151: case AF_INET6:
1.88 ryo 2152: in6_print(buf, size, &sa->sin6.sin6_addr);
2153: return buf;
1.129 maxv 2154: #endif
1.1 jonathan 2155: default:
2156: return "(unknown address family)";
2157: }
2158: }
2159:
2160: const char *
1.88 ryo 2161: ipsec_logsastr(const struct secasvar *sav, char *buf, size_t size)
1.1 jonathan 2162: {
1.50 drochner 2163: const struct secasindex *saidx = &sav->sah->saidx;
1.88 ryo 2164: char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
1.1 jonathan 2165:
1.74 ozaki-r 2166: KASSERTMSG(saidx->src.sa.sa_family == saidx->dst.sa.sa_family,
2167: "af family mismatch, src %u, dst %u",
2168: saidx->src.sa.sa_family, saidx->dst.sa.sa_family);
1.1 jonathan 2169:
1.88 ryo 2170: snprintf(buf, size, "SA(SPI=%u src=%s dst=%s)",
2171: (u_int32_t)ntohl(sav->spi),
2172: ipsec_address(&saidx->src, sbuf, sizeof(sbuf)),
2173: ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)));
1.1 jonathan 2174:
2175: return buf;
2176: }
2177:
2178: void
1.33 degroote 2179: ipsec_dumpmbuf(struct mbuf *m)
1.1 jonathan 2180: {
2181: int totlen;
2182: int i;
2183: u_char *p;
2184:
2185: totlen = 0;
2186: printf("---\n");
2187: while (m) {
2188: p = mtod(m, u_char *);
2189: for (i = 0; i < m->m_len; i++) {
2190: printf("%02x ", p[i]);
2191: totlen++;
2192: if (totlen % 16 == 0)
2193: printf("\n");
2194: }
2195: m = m->m_next;
2196: }
2197: if (totlen % 16 != 0)
2198: printf("\n");
2199: printf("---\n");
2200: }
2201:
1.26 degroote 2202: #ifdef INET6
1.129 maxv 2203: struct secpolicy *
2204: ipsec6_check_policy(struct mbuf *m, struct in6pcb *in6p, int flags,
2205: int *needipsecp, int *errorp)
1.26 degroote 2206: {
2207: struct secpolicy *sp = NULL;
2208: int s;
2209: int error = 0;
2210: int needipsec = 0;
2211:
1.36 degroote 2212: if (!ipsec_outdone(m)) {
2213: s = splsoftnet();
1.26 degroote 2214: if (in6p != NULL &&
1.99 ozaki-r 2215: ipsec_pcb_skip_ipsec(in6p->in6p_sp, IPSEC_DIR_OUTBOUND)) {
1.46 jakllsch 2216: splx(s);
1.26 degroote 2217: goto skippolicycheck;
1.46 jakllsch 2218: }
1.135 maxv 2219: sp = ipsec6_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error,
2220: in6p);
1.26 degroote 2221:
1.36 degroote 2222: /*
2223: * There are four return cases:
2224: * sp != NULL apply IPsec policy
2225: * sp == NULL, error == 0 no IPsec handling needed
2226: * sp == NULL, error == -EINVAL discard packet w/o error
2227: * sp == NULL, error != 0 discard packet, report error
2228: */
2229:
1.26 degroote 2230: splx(s);
1.36 degroote 2231: if (sp == NULL) {
1.129 maxv 2232: /*
1.36 degroote 2233: * Caller must check the error return to see if it needs to discard
2234: * the packet.
2235: */
1.26 degroote 2236: needipsec = 0;
2237: } else {
1.36 degroote 2238: needipsec = 1;
1.26 degroote 2239: }
2240: }
2241: skippolicycheck:;
2242:
2243: *errorp = error;
2244: *needipsecp = needipsec;
2245: return sp;
2246: }
1.66 ozaki-r 2247:
2248: int
2249: ipsec6_input(struct mbuf *m)
2250: {
2251: struct secpolicy *sp;
2252: int s, error;
2253:
2254: s = splsoftnet();
1.109 ozaki-r 2255: sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1.66 ozaki-r 2256: if (sp != NULL) {
2257: /*
2258: * Check security policy against packet
2259: * attributes.
2260: */
1.132 maxv 2261: error = ipsec_sp_reject(sp, m);
1.113 ozaki-r 2262: KEY_SP_UNREF(&sp);
1.66 ozaki-r 2263: } else {
2264: /* XXX error stat??? */
2265: error = EINVAL;
1.92 ozaki-r 2266: IPSECLOG(LOG_DEBUG, "no SP, packet discarded\n");/*XXX*/
1.66 ozaki-r 2267: }
2268: splx(s);
2269:
2270: return error;
2271: }
2272: #endif /* INET6 */
1.26 degroote 2273:
1.135 maxv 2274: /*
2275: * -----------------------------------------------------------------------------
2276: */
1.26 degroote 2277:
1.1 jonathan 2278: /* XXX this stuff doesn't belong here... */
2279:
1.135 maxv 2280: static struct xformsw *xforms = NULL;
1.1 jonathan 2281:
2282: /*
2283: * Register a transform; typically at system startup.
2284: */
2285: void
1.51 drochner 2286: xform_register(struct xformsw *xsp)
1.1 jonathan 2287: {
2288: xsp->xf_next = xforms;
2289: xforms = xsp;
2290: }
2291:
2292: /*
2293: * Initialize transform support in an sav.
2294: */
2295: int
2296: xform_init(struct secasvar *sav, int xftype)
2297: {
2298: struct xformsw *xsp;
2299:
2300: if (sav->tdb_xform != NULL) /* previously initialized */
2301: return 0;
2302: for (xsp = xforms; xsp; xsp = xsp->xf_next)
2303: if (xsp->xf_type == xftype)
2304: return (*xsp->xf_init)(sav, xsp);
2305:
1.92 ozaki-r 2306: IPSECLOG(LOG_DEBUG, "no match for xform type %d\n", xftype);
1.1 jonathan 2307: return EINVAL;
2308: }
2309:
1.58 christos 2310: void
1.129 maxv 2311: nat_t_ports_get(struct mbuf *m, u_int16_t *dport, u_int16_t *sport)
2312: {
1.58 christos 2313: struct m_tag *tag;
2314:
2315: if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
2316: *sport = ((u_int16_t *)(tag + 1))[0];
2317: *dport = ((u_int16_t *)(tag + 1))[1];
2318: } else
2319: *sport = *dport = 0;
2320: }
2321:
1.37 thorpej 2322: /*
2323: * XXXJRT This should be done as a protosw init call.
2324: */
1.1 jonathan 2325: void
2326: ipsec_attach(void)
2327: {
1.37 thorpej 2328:
1.118 ozaki-r 2329: ipsec_output_init();
2330:
1.37 thorpej 2331: ipsecstat_percpu = percpu_alloc(sizeof(uint64_t) * IPSEC_NSTATS);
2332:
1.71 ozaki-r 2333: sysctl_net_inet_ipsec_setup(NULL);
2334: #ifdef INET6
2335: sysctl_net_inet6_ipsec6_setup(NULL);
2336: #endif
2337:
1.1 jonathan 2338: ah_attach();
2339: esp_attach();
2340: ipcomp_attach();
2341: ipe4_attach();
1.12 jonathan 2342: #ifdef TCP_SIGNATURE
2343: tcpsignature_attach();
2344: #endif
1.1 jonathan 2345: }
CVSweb <webmaster@jp.NetBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to ipsec.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / sys / netipsec