1 /* $FreeBSD$ */ 2 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ 3 4 /*- 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * IPsec controller part. 35 */ 36 37 #include "opt_inet.h" 38 #include "opt_inet6.h" 39 #include "opt_ipsec.h" 40 41 #include <sys/param.h> 42 #include <sys/systm.h> 43 #include <sys/malloc.h> 44 #include <sys/mbuf.h> 45 #include <sys/domain.h> 46 #include <sys/priv.h> 47 #include <sys/protosw.h> 48 #include <sys/socket.h> 49 #include <sys/socketvar.h> 50 #include <sys/errno.h> 51 #include <sys/time.h> 52 #include <sys/kernel.h> 53 #include <sys/syslog.h> 54 #include <sys/sysctl.h> 55 #include <sys/proc.h> 56 #include <sys/vimage.h> 57 58 #include <net/if.h> 59 #include <net/route.h> 60 61 #include <netinet/in.h> 62 #include <netinet/in_systm.h> 63 #include <netinet/ip.h> 64 #include <netinet/ip_var.h> 65 #include <netinet/in_var.h> 66 #include <netinet/udp.h> 67 #include <netinet/udp_var.h> 68 #include <netinet/tcp.h> 69 #include <netinet/udp.h> 70 71 #include <netinet/ip6.h> 72 #ifdef INET6 73 #include <netinet6/ip6_var.h> 74 #endif 75 #include <netinet/in_pcb.h> 76 #ifdef INET6 77 #include <netinet/icmp6.h> 78 #endif 79 80 #include <sys/types.h> 81 #include <netipsec/ipsec.h> 82 #ifdef INET6 83 #include <netipsec/ipsec6.h> 84 #endif 85 #include <netipsec/ah_var.h> 86 #include <netipsec/esp_var.h> 87 #include <netipsec/ipcomp.h> /*XXX*/ 88 #include <netipsec/ipcomp_var.h> 89 90 #include <netipsec/key.h> 91 #include <netipsec/keydb.h> 92 #include <netipsec/key_debug.h> 93 94 #include <netipsec/xform.h> 95 96 #include <machine/in_cksum.h> 97 98 #include <opencrypto/cryptodev.h> 99 100 #ifndef VIMAGE 101 #ifndef VIMAGE_GLOBALS 102 struct vnet_ipsec vnet_ipsec_0; 103 #endif 104 #endif 105 106 #ifdef VIMAGE_GLOBALS 107 /* NB: name changed so netstat doesn't use it */ 108 struct ipsecstat ipsec4stat; 109 struct secpolicy ip4_def_policy; 110 int ipsec_debug; 111 int ip4_ah_offsetmask; 112 int ip4_ipsec_dfbit; 113 int ip4_esp_trans_deflev; 114 int ip4_esp_net_deflev; 115 int ip4_ah_trans_deflev; 116 int ip4_ah_net_deflev; 117 int ip4_ipsec_ecn; 118 int ip4_esp_randpad; 119 /* 120 * Crypto support requirements: 121 * 122 * 1 require hardware support 123 * -1 require software support 124 * 0 take anything 125 */ 126 int crypto_support; 127 #endif /* VIMAGE_GLOBALS */ 128 129 SYSCTL_DECL(_net_inet_ipsec); 130 131 /* net.inet.ipsec */ 132 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_POLICY, 133 def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, 134 "IPsec default policy."); 135 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, 136 esp_trans_deflev, CTLFLAG_RW, ip4_esp_trans_deflev, 0, 137 "Default ESP transport mode level"); 138 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, 139 esp_net_deflev, CTLFLAG_RW, ip4_esp_net_deflev, 0, 140 "Default ESP tunnel mode level."); 141 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, 142 ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev, 0, 143 "AH transfer mode default level."); 144 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, 145 ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev, 0, 146 "AH tunnel mode default level."); 147 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_CLEARTOS, 148 ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, 149 "If set clear type-of-service field when doing AH computation."); 150 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, 151 ah_offsetmask, CTLFLAG_RW, ip4_ah_offsetmask, 0, 152 "If not set clear offset field mask when doing AH computation."); 153 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DFBIT, 154 dfbit, CTLFLAG_RW, ip4_ipsec_dfbit, 0, 155 "Do not fragment bit on encap."); 156 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_ECN, 157 ecn, CTLFLAG_RW, ip4_ipsec_ecn, 0, 158 "Explicit Congestion Notification handling."); 159 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEBUG, 160 debug, CTLFLAG_RW, ipsec_debug, 0, 161 "Enable IPsec debugging output when set."); 162 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, 163 crypto_support, CTLFLAG_RW, crypto_support,0, 164 "Crypto driver selection."); 165 SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, 166 ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat, 167 "IPsec IPv4 statistics."); 168 169 #ifdef REGRESSION 170 #ifdef VIMAGE_GLOBALS 171 int ipsec_replay; 172 int ipsec_integrity; 173 #endif 174 /* 175 * When set to 1, IPsec will send packets with the same sequence number. 176 * This allows to verify if the other side has proper replay attacks detection. 177 */ 178 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay, 179 CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack"); 180 /* 181 * When set 1, IPsec will send packets with corrupted HMAC. 182 * This allows to verify if the other side properly detects modified packets. 183 */ 184 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity, 185 CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack"); 186 #endif 187 188 #ifdef INET6 189 #ifdef VIMAGE_GLOBALS 190 struct ipsecstat ipsec6stat; 191 int ip6_esp_trans_deflev; 192 int ip6_esp_net_deflev; 193 int ip6_ah_trans_deflev; 194 int ip6_ah_net_deflev; 195 int ip6_ipsec_ecn; 196 #endif 197 198 SYSCTL_DECL(_net_inet6_ipsec6); 199 200 /* net.inet6.ipsec6 */ 201 #ifdef COMPAT_KAME 202 SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD, 203 0, 0, compat_ipsecstats_sysctl, "S", "IPsec IPv6 statistics."); 204 #endif /* COMPAT_KAME */ 205 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY, 206 def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, 207 "IPsec default policy."); 208 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, 209 esp_trans_deflev, CTLFLAG_RW, ip6_esp_trans_deflev, 0, 210 "Default ESP transport mode level."); 211 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, 212 esp_net_deflev, CTLFLAG_RW, ip6_esp_net_deflev, 0, 213 "Default ESP tunnel mode level."); 214 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, 215 ah_trans_deflev, CTLFLAG_RW, ip6_ah_trans_deflev, 0, 216 "AH transfer mode default level."); 217 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, 218 ah_net_deflev, CTLFLAG_RW, ip6_ah_net_deflev, 0, 219 "AH tunnel mode default level."); 220 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ECN, 221 ecn, CTLFLAG_RW, ip6_ipsec_ecn, 0, 222 "Explicit Congestion Notification handling."); 223 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG, 224 debug, CTLFLAG_RW, ipsec_debug, 0, 225 "Enable IPsec debugging output when set."); 226 SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS, 227 ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat, 228 "IPsec IPv6 statistics."); 229 #endif /* INET6 */ 230 231 static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb)); 232 #ifdef INET6 233 static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb)); 234 #endif 235 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int)); 236 static void ipsec4_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int)); 237 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 238 #ifdef INET6 239 static void ipsec6_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int)); 240 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); 241 #endif 242 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *)); 243 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *src)); 244 static int ipsec_set_policy __P((struct secpolicy **pcb_sp, 245 int optname, caddr_t request, size_t len, struct ucred *cred)); 246 static int ipsec_get_policy __P((struct secpolicy *pcb_sp, struct mbuf **mp)); 247 static void vshiftl __P((unsigned char *, int, int)); 248 static size_t ipsec_hdrsiz __P((struct secpolicy *)); 249 250 MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy"); 251 252 void 253 ipsec_init(void) 254 { 255 INIT_VNET_IPSEC(curvnet); 256 257 #ifdef IPSEC_DEBUG 258 V_ipsec_debug = 1; 259 #else 260 V_ipsec_debug = 0; 261 #endif 262 263 V_ip4_ah_offsetmask = 0; /* maybe IP_DF? */ 264 V_ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ 265 V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE; 266 V_ip4_esp_net_deflev = IPSEC_LEVEL_USE; 267 V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE; 268 V_ip4_ah_net_deflev = IPSEC_LEVEL_USE; 269 V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 270 V_ip4_esp_randpad = -1; 271 272 V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE; 273 274 #ifdef REGRESSION 275 V_ipsec_replay = 0; 276 V_ipsec_integrity = 0; 277 #endif 278 279 #ifdef INET6 280 V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE; 281 V_ip6_esp_net_deflev = IPSEC_LEVEL_USE; 282 V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 283 V_ip6_ah_net_deflev = IPSEC_LEVEL_USE; 284 V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ 285 #endif 286 } 287 288 /* 289 * Return a held reference to the default SP. 290 */ 291 static struct secpolicy * 292 key_allocsp_default(const char* where, int tag) 293 { 294 INIT_VNET_IPSEC(curvnet); 295 struct secpolicy *sp; 296 297 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 298 printf("DP key_allocsp_default from %s:%u\n", where, tag)); 299 300 sp = &V_ip4_def_policy; 301 if (sp->policy != IPSEC_POLICY_DISCARD && 302 sp->policy != IPSEC_POLICY_NONE) { 303 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n", 304 sp->policy, IPSEC_POLICY_NONE)); 305 sp->policy = IPSEC_POLICY_NONE; 306 } 307 key_addref(sp); 308 309 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 310 printf("DP key_allocsp_default returns SP:%p (%u)\n", 311 sp, sp->refcnt)); 312 return sp; 313 } 314 #define KEY_ALLOCSP_DEFAULT() \ 315 key_allocsp_default(__FILE__, __LINE__) 316 317 /* 318 * For OUTBOUND packet having a socket. Searching SPD for packet, 319 * and return a pointer to SP. 320 * OUT: NULL: no apropreate SP found, the following value is set to error. 321 * 0 : bypass 322 * EACCES : discard packet. 323 * ENOENT : ipsec_acquire() in progress, maybe. 324 * others : error occured. 325 * others: a pointer to SP 326 * 327 * NOTE: IPv6 mapped adddress concern is implemented here. 328 */ 329 struct secpolicy * 330 ipsec_getpolicy(struct tdb_ident *tdbi, u_int dir) 331 { 332 struct secpolicy *sp; 333 334 IPSEC_ASSERT(tdbi != NULL, ("null tdbi")); 335 IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, 336 ("invalid direction %u", dir)); 337 338 sp = KEY_ALLOCSP2(tdbi->spi, &tdbi->dst, tdbi->proto, dir); 339 if (sp == NULL) /*XXX????*/ 340 sp = KEY_ALLOCSP_DEFAULT(); 341 IPSEC_ASSERT(sp != NULL, ("null SP")); 342 return sp; 343 } 344 345 /* 346 * For OUTBOUND packet having a socket. Searching SPD for packet, 347 * and return a pointer to SP. 348 * OUT: NULL: no apropreate SP found, the following value is set to error. 349 * 0 : bypass 350 * EACCES : discard packet. 351 * ENOENT : ipsec_acquire() in progress, maybe. 352 * others : error occured. 353 * others: a pointer to SP 354 * 355 * NOTE: IPv6 mapped adddress concern is implemented here. 356 */ 357 struct secpolicy * 358 ipsec_getpolicybysock(m, dir, inp, error) 359 struct mbuf *m; 360 u_int dir; 361 struct inpcb *inp; 362 int *error; 363 { 364 INIT_VNET_IPSEC(curvnet); 365 struct inpcbpolicy *pcbsp = NULL; 366 struct secpolicy *currsp = NULL; /* policy on socket */ 367 struct secpolicy *sp; 368 369 IPSEC_ASSERT(m != NULL, ("null mbuf")); 370 IPSEC_ASSERT(inp != NULL, ("null inpcb")); 371 IPSEC_ASSERT(error != NULL, ("null error")); 372 IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, 373 ("invalid direction %u", dir)); 374 375 /* set spidx in pcb */ 376 if (inp->inp_vflag & INP_IPV6PROTO) { 377 #ifdef INET6 378 *error = ipsec6_setspidx_in6pcb(m, inp); 379 pcbsp = inp->in6p_sp; 380 #else 381 *error = EINVAL; /* should not happen */ 382 #endif 383 } else { 384 *error = ipsec4_setspidx_inpcb(m, inp); 385 pcbsp = inp->inp_sp; 386 } 387 if (*error) 388 return NULL; 389 390 IPSEC_ASSERT(pcbsp != NULL, ("null pcbsp")); 391 switch (dir) { 392 case IPSEC_DIR_INBOUND: 393 currsp = pcbsp->sp_in; 394 break; 395 case IPSEC_DIR_OUTBOUND: 396 currsp = pcbsp->sp_out; 397 break; 398 } 399 IPSEC_ASSERT(currsp != NULL, ("null currsp")); 400 401 if (pcbsp->priv) { /* when privilieged socket */ 402 switch (currsp->policy) { 403 case IPSEC_POLICY_BYPASS: 404 case IPSEC_POLICY_IPSEC: 405 key_addref(currsp); 406 sp = currsp; 407 break; 408 409 case IPSEC_POLICY_ENTRUST: 410 /* look for a policy in SPD */ 411 sp = KEY_ALLOCSP(&currsp->spidx, dir); 412 if (sp == NULL) /* no SP found */ 413 sp = KEY_ALLOCSP_DEFAULT(); 414 break; 415 416 default: 417 ipseclog((LOG_ERR, "%s: Invalid policy for PCB %d\n", 418 __func__, currsp->policy)); 419 *error = EINVAL; 420 return NULL; 421 } 422 } else { /* unpriv, SPD has policy */ 423 sp = KEY_ALLOCSP(&currsp->spidx, dir); 424 if (sp == NULL) { /* no SP found */ 425 switch (currsp->policy) { 426 case IPSEC_POLICY_BYPASS: 427 ipseclog((LOG_ERR, "%s: Illegal policy for " 428 "non-priviliged defined %d\n", 429 __func__, currsp->policy)); 430 *error = EINVAL; 431 return NULL; 432 433 case IPSEC_POLICY_ENTRUST: 434 sp = KEY_ALLOCSP_DEFAULT(); 435 break; 436 437 case IPSEC_POLICY_IPSEC: 438 key_addref(currsp); 439 sp = currsp; 440 break; 441 442 default: 443 ipseclog((LOG_ERR, "%s: Invalid policy for " 444 "PCB %d\n", __func__, currsp->policy)); 445 *error = EINVAL; 446 return NULL; 447 } 448 } 449 } 450 IPSEC_ASSERT(sp != NULL, 451 ("null SP (priv %u policy %u", pcbsp->priv, currsp->policy)); 452 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 453 printf("DP %s (priv %u policy %u) allocate SP:%p (refcnt %u)\n", 454 __func__, pcbsp->priv, currsp->policy, sp, sp->refcnt)); 455 return sp; 456 } 457 458 /* 459 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, 460 * and return a pointer to SP. 461 * OUT: positive: a pointer to the entry for security policy leaf matched. 462 * NULL: no apropreate SP found, the following value is set to error. 463 * 0 : bypass 464 * EACCES : discard packet. 465 * ENOENT : ipsec_acquire() in progress, maybe. 466 * others : error occured. 467 */ 468 struct secpolicy * 469 ipsec_getpolicybyaddr(m, dir, flag, error) 470 struct mbuf *m; 471 u_int dir; 472 int flag; 473 int *error; 474 { 475 INIT_VNET_IPSEC(curvnet); 476 struct secpolicyindex spidx; 477 struct secpolicy *sp; 478 479 IPSEC_ASSERT(m != NULL, ("null mbuf")); 480 IPSEC_ASSERT(error != NULL, ("null error")); 481 IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, 482 ("invalid direction %u", dir)); 483 484 sp = NULL; 485 if (key_havesp(dir)) { 486 /* Make an index to look for a policy. */ 487 *error = ipsec_setspidx(m, &spidx, 488 (flag & IP_FORWARDING) ? 0 : 1); 489 if (*error != 0) { 490 DPRINTF(("%s: setpidx failed, dir %u flag %u\n", 491 __func__, dir, flag)); 492 return NULL; 493 } 494 spidx.dir = dir; 495 496 sp = KEY_ALLOCSP(&spidx, dir); 497 } 498 if (sp == NULL) /* no SP found, use system default */ 499 sp = KEY_ALLOCSP_DEFAULT(); 500 IPSEC_ASSERT(sp != NULL, ("null SP")); 501 return sp; 502 } 503 504 struct secpolicy * 505 ipsec4_checkpolicy(m, dir, flag, error, inp) 506 struct mbuf *m; 507 u_int dir, flag; 508 int *error; 509 struct inpcb *inp; 510 { 511 INIT_VNET_IPSEC(curvnet); 512 struct secpolicy *sp; 513 514 *error = 0; 515 if (inp == NULL) 516 sp = ipsec_getpolicybyaddr(m, dir, flag, error); 517 else 518 sp = ipsec_getpolicybysock(m, dir, inp, error); 519 if (sp == NULL) { 520 IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error")); 521 V_ipsec4stat.ips_out_inval++; 522 return NULL; 523 } 524 IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error)); 525 switch (sp->policy) { 526 case IPSEC_POLICY_ENTRUST: 527 default: 528 printf("%s: invalid policy %u\n", __func__, sp->policy); 529 /* fall thru... */ 530 case IPSEC_POLICY_DISCARD: 531 V_ipsec4stat.ips_out_polvio++; 532 *error = -EINVAL; /* packet is discarded by caller */ 533 break; 534 case IPSEC_POLICY_BYPASS: 535 case IPSEC_POLICY_NONE: 536 KEY_FREESP(&sp); 537 sp = NULL; /* NB: force NULL result */ 538 break; 539 case IPSEC_POLICY_IPSEC: 540 if (sp->req == NULL) /* acquire an SA */ 541 *error = key_spdacquire(sp); 542 break; 543 } 544 if (*error != 0) { 545 KEY_FREESP(&sp); 546 sp = NULL; 547 } 548 return sp; 549 } 550 551 static int 552 ipsec4_setspidx_inpcb(m, pcb) 553 struct mbuf *m; 554 struct inpcb *pcb; 555 { 556 int error; 557 558 IPSEC_ASSERT(pcb != NULL, ("null pcb")); 559 IPSEC_ASSERT(pcb->inp_sp != NULL, ("null inp_sp")); 560 IPSEC_ASSERT(pcb->inp_sp->sp_out != NULL && pcb->inp_sp->sp_in != NULL, 561 ("null sp_in || sp_out")); 562 563 error = ipsec_setspidx(m, &pcb->inp_sp->sp_in->spidx, 1); 564 if (error == 0) { 565 pcb->inp_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND; 566 pcb->inp_sp->sp_out->spidx = pcb->inp_sp->sp_in->spidx; 567 pcb->inp_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND; 568 } else { 569 bzero(&pcb->inp_sp->sp_in->spidx, 570 sizeof (pcb->inp_sp->sp_in->spidx)); 571 bzero(&pcb->inp_sp->sp_out->spidx, 572 sizeof (pcb->inp_sp->sp_in->spidx)); 573 } 574 return error; 575 } 576 577 #ifdef INET6 578 static int 579 ipsec6_setspidx_in6pcb(m, pcb) 580 struct mbuf *m; 581 struct in6pcb *pcb; 582 { 583 //INIT_VNET_IPSEC(curvnet); 584 struct secpolicyindex *spidx; 585 int error; 586 587 IPSEC_ASSERT(pcb != NULL, ("null pcb")); 588 IPSEC_ASSERT(pcb->in6p_sp != NULL, ("null inp_sp")); 589 IPSEC_ASSERT(pcb->in6p_sp->sp_out != NULL && pcb->in6p_sp->sp_in != NULL, 590 ("null sp_in || sp_out")); 591 592 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx)); 593 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx)); 594 595 spidx = &pcb->in6p_sp->sp_in->spidx; 596 error = ipsec_setspidx(m, spidx, 1); 597 if (error) 598 goto bad; 599 spidx->dir = IPSEC_DIR_INBOUND; 600 601 spidx = &pcb->in6p_sp->sp_out->spidx; 602 error = ipsec_setspidx(m, spidx, 1); 603 if (error) 604 goto bad; 605 spidx->dir = IPSEC_DIR_OUTBOUND; 606 607 return 0; 608 609 bad: 610 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx)); 611 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx)); 612 return error; 613 } 614 #endif 615 616 /* 617 * configure security policy index (src/dst/proto/sport/dport) 618 * by looking at the content of mbuf. 619 * the caller is responsible for error recovery (like clearing up spidx). 620 */ 621 static int 622 ipsec_setspidx(m, spidx, needport) 623 struct mbuf *m; 624 struct secpolicyindex *spidx; 625 int needport; 626 { 627 INIT_VNET_IPSEC(curvnet); 628 struct ip *ip = NULL; 629 struct ip ipbuf; 630 u_int v; 631 struct mbuf *n; 632 int len; 633 int error; 634 635 IPSEC_ASSERT(m != NULL, ("null mbuf")); 636 637 /* 638 * validate m->m_pkthdr.len. we see incorrect length if we 639 * mistakenly call this function with inconsistent mbuf chain 640 * (like 4.4BSD tcp/udp processing). XXX should we panic here? 641 */ 642 len = 0; 643 for (n = m; n; n = n->m_next) 644 len += n->m_len; 645 if (m->m_pkthdr.len != len) { 646 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 647 printf("%s: pkthdr len(%d) mismatch (%d), ignored.\n", 648 __func__, len, m->m_pkthdr.len)); 649 return EINVAL; 650 } 651 652 if (m->m_pkthdr.len < sizeof(struct ip)) { 653 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 654 printf("%s: pkthdr len(%d) too small (v4), ignored.\n", 655 __func__, m->m_pkthdr.len)); 656 return EINVAL; 657 } 658 659 if (m->m_len >= sizeof(*ip)) 660 ip = mtod(m, struct ip *); 661 else { 662 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); 663 ip = &ipbuf; 664 } 665 #ifdef _IP_VHL 666 v = _IP_VHL_V(ip->ip_vhl); 667 #else 668 v = ip->ip_v; 669 #endif 670 switch (v) { 671 case 4: 672 error = ipsec4_setspidx_ipaddr(m, spidx); 673 if (error) 674 return error; 675 ipsec4_get_ulp(m, spidx, needport); 676 return 0; 677 #ifdef INET6 678 case 6: 679 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 680 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 681 printf("%s: pkthdr len(%d) too small (v6), " 682 "ignored\n", __func__, m->m_pkthdr.len)); 683 return EINVAL; 684 } 685 error = ipsec6_setspidx_ipaddr(m, spidx); 686 if (error) 687 return error; 688 ipsec6_get_ulp(m, spidx, needport); 689 return 0; 690 #endif 691 default: 692 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 693 printf("%s: " "unknown IP version %u, ignored.\n", 694 __func__, v)); 695 return EINVAL; 696 } 697 } 698 699 static void 700 ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport) 701 { 702 u_int8_t nxt; 703 int off; 704 705 /* sanity check */ 706 IPSEC_ASSERT(m != NULL, ("null mbuf")); 707 IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short")); 708 709 /* NB: ip_input() flips it into host endian XXX need more checking */ 710 if (m->m_len < sizeof (struct ip)) { 711 struct ip *ip = mtod(m, struct ip *); 712 if (ip->ip_off & (IP_MF | IP_OFFMASK)) 713 goto done; 714 #ifdef _IP_VHL 715 off = _IP_VHL_HL(ip->ip_vhl) << 2; 716 #else 717 off = ip->ip_hl << 2; 718 #endif 719 nxt = ip->ip_p; 720 } else { 721 struct ip ih; 722 723 m_copydata(m, 0, sizeof (struct ip), (caddr_t) &ih); 724 if (ih.ip_off & (IP_MF | IP_OFFMASK)) 725 goto done; 726 #ifdef _IP_VHL 727 off = _IP_VHL_HL(ih.ip_vhl) << 2; 728 #else 729 off = ih.ip_hl << 2; 730 #endif 731 nxt = ih.ip_p; 732 } 733 734 while (off < m->m_pkthdr.len) { 735 struct ip6_ext ip6e; 736 struct tcphdr th; 737 struct udphdr uh; 738 739 switch (nxt) { 740 case IPPROTO_TCP: 741 spidx->ul_proto = nxt; 742 if (!needport) 743 goto done_proto; 744 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 745 goto done; 746 m_copydata(m, off, sizeof (th), (caddr_t) &th); 747 spidx->src.sin.sin_port = th.th_sport; 748 spidx->dst.sin.sin_port = th.th_dport; 749 return; 750 case IPPROTO_UDP: 751 spidx->ul_proto = nxt; 752 if (!needport) 753 goto done_proto; 754 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 755 goto done; 756 m_copydata(m, off, sizeof (uh), (caddr_t) &uh); 757 spidx->src.sin.sin_port = uh.uh_sport; 758 spidx->dst.sin.sin_port = uh.uh_dport; 759 return; 760 case IPPROTO_AH: 761 if (off + sizeof(ip6e) > m->m_pkthdr.len) 762 goto done; 763 /* XXX sigh, this works but is totally bogus */ 764 m_copydata(m, off, sizeof(ip6e), (caddr_t) &ip6e); 765 off += (ip6e.ip6e_len + 2) << 2; 766 nxt = ip6e.ip6e_nxt; 767 break; 768 case IPPROTO_ICMP: 769 default: 770 /* XXX intermediate headers??? */ 771 spidx->ul_proto = nxt; 772 goto done_proto; 773 } 774 } 775 done: 776 spidx->ul_proto = IPSEC_ULPROTO_ANY; 777 done_proto: 778 spidx->src.sin.sin_port = IPSEC_PORT_ANY; 779 spidx->dst.sin.sin_port = IPSEC_PORT_ANY; 780 } 781 782 /* assumes that m is sane */ 783 static int 784 ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx) 785 { 786 static const struct sockaddr_in template = { 787 sizeof (struct sockaddr_in), 788 AF_INET, 789 0, { 0 }, { 0, 0, 0, 0, 0, 0, 0, 0 } 790 }; 791 792 spidx->src.sin = template; 793 spidx->dst.sin = template; 794 795 if (m->m_len < sizeof (struct ip)) { 796 m_copydata(m, offsetof(struct ip, ip_src), 797 sizeof (struct in_addr), 798 (caddr_t) &spidx->src.sin.sin_addr); 799 m_copydata(m, offsetof(struct ip, ip_dst), 800 sizeof (struct in_addr), 801 (caddr_t) &spidx->dst.sin.sin_addr); 802 } else { 803 struct ip *ip = mtod(m, struct ip *); 804 spidx->src.sin.sin_addr = ip->ip_src; 805 spidx->dst.sin.sin_addr = ip->ip_dst; 806 } 807 808 spidx->prefs = sizeof(struct in_addr) << 3; 809 spidx->prefd = sizeof(struct in_addr) << 3; 810 811 return 0; 812 } 813 814 #ifdef INET6 815 static void 816 ipsec6_get_ulp(m, spidx, needport) 817 struct mbuf *m; 818 struct secpolicyindex *spidx; 819 int needport; 820 { 821 INIT_VNET_IPSEC(curvnet); 822 int off, nxt; 823 struct tcphdr th; 824 struct udphdr uh; 825 struct icmp6_hdr ih; 826 827 /* sanity check */ 828 if (m == NULL) 829 panic("%s: NULL pointer was passed.\n", __func__); 830 831 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 832 printf("%s:\n", __func__); kdebug_mbuf(m)); 833 834 /* set default */ 835 spidx->ul_proto = IPSEC_ULPROTO_ANY; 836 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; 837 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; 838 839 nxt = -1; 840 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 841 if (off < 0 || m->m_pkthdr.len < off) 842 return; 843 844 switch (nxt) { 845 case IPPROTO_TCP: 846 spidx->ul_proto = nxt; 847 if (!needport) 848 break; 849 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) 850 break; 851 m_copydata(m, off, sizeof(th), (caddr_t)&th); 852 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; 853 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; 854 break; 855 case IPPROTO_UDP: 856 spidx->ul_proto = nxt; 857 if (!needport) 858 break; 859 if (off + sizeof(struct udphdr) > m->m_pkthdr.len) 860 break; 861 m_copydata(m, off, sizeof(uh), (caddr_t)&uh); 862 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; 863 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; 864 break; 865 case IPPROTO_ICMPV6: 866 spidx->ul_proto = nxt; 867 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len) 868 break; 869 m_copydata(m, off, sizeof(ih), (caddr_t)&ih); 870 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = 871 htons((uint16_t)ih.icmp6_type); 872 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = 873 htons((uint16_t)ih.icmp6_code); 874 break; 875 default: 876 /* XXX intermediate headers??? */ 877 spidx->ul_proto = nxt; 878 break; 879 } 880 } 881 882 /* assumes that m is sane */ 883 static int 884 ipsec6_setspidx_ipaddr(m, spidx) 885 struct mbuf *m; 886 struct secpolicyindex *spidx; 887 { 888 struct ip6_hdr *ip6 = NULL; 889 struct ip6_hdr ip6buf; 890 struct sockaddr_in6 *sin6; 891 892 if (m->m_len >= sizeof(*ip6)) 893 ip6 = mtod(m, struct ip6_hdr *); 894 else { 895 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); 896 ip6 = &ip6buf; 897 } 898 899 sin6 = (struct sockaddr_in6 *)&spidx->src; 900 bzero(sin6, sizeof(*sin6)); 901 sin6->sin6_family = AF_INET6; 902 sin6->sin6_len = sizeof(struct sockaddr_in6); 903 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src)); 904 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 905 sin6->sin6_addr.s6_addr16[1] = 0; 906 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); 907 } 908 spidx->prefs = sizeof(struct in6_addr) << 3; 909 910 sin6 = (struct sockaddr_in6 *)&spidx->dst; 911 bzero(sin6, sizeof(*sin6)); 912 sin6->sin6_family = AF_INET6; 913 sin6->sin6_len = sizeof(struct sockaddr_in6); 914 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst)); 915 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 916 sin6->sin6_addr.s6_addr16[1] = 0; 917 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); 918 } 919 spidx->prefd = sizeof(struct in6_addr) << 3; 920 921 return 0; 922 } 923 #endif 924 925 static void 926 ipsec_delpcbpolicy(p) 927 struct inpcbpolicy *p; 928 { 929 free(p, M_IPSEC_INPCB); 930 } 931 932 /* initialize policy in PCB */ 933 int 934 ipsec_init_policy(so, pcb_sp) 935 struct socket *so; 936 struct inpcbpolicy **pcb_sp; 937 { 938 INIT_VNET_IPSEC(curvnet); 939 struct inpcbpolicy *new; 940 941 /* sanity check. */ 942 if (so == NULL || pcb_sp == NULL) 943 panic("%s: NULL pointer was passed.\n", __func__); 944 945 new = (struct inpcbpolicy *) malloc(sizeof(struct inpcbpolicy), 946 M_IPSEC_INPCB, M_NOWAIT|M_ZERO); 947 if (new == NULL) { 948 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 949 return ENOBUFS; 950 } 951 952 new->priv = IPSEC_IS_PRIVILEGED_SO(so); 953 954 if ((new->sp_in = KEY_NEWSP()) == NULL) { 955 ipsec_delpcbpolicy(new); 956 return ENOBUFS; 957 } 958 new->sp_in->state = IPSEC_SPSTATE_ALIVE; 959 new->sp_in->policy = IPSEC_POLICY_ENTRUST; 960 961 if ((new->sp_out = KEY_NEWSP()) == NULL) { 962 KEY_FREESP(&new->sp_in); 963 ipsec_delpcbpolicy(new); 964 return ENOBUFS; 965 } 966 new->sp_out->state = IPSEC_SPSTATE_ALIVE; 967 new->sp_out->policy = IPSEC_POLICY_ENTRUST; 968 969 *pcb_sp = new; 970 971 return 0; 972 } 973 974 /* copy old ipsec policy into new */ 975 int 976 ipsec_copy_policy(old, new) 977 struct inpcbpolicy *old, *new; 978 { 979 struct secpolicy *sp; 980 981 sp = ipsec_deepcopy_policy(old->sp_in); 982 if (sp) { 983 KEY_FREESP(&new->sp_in); 984 new->sp_in = sp; 985 } else 986 return ENOBUFS; 987 988 sp = ipsec_deepcopy_policy(old->sp_out); 989 if (sp) { 990 KEY_FREESP(&new->sp_out); 991 new->sp_out = sp; 992 } else 993 return ENOBUFS; 994 995 new->priv = old->priv; 996 997 return 0; 998 } 999 1000 struct ipsecrequest * 1001 ipsec_newisr(void) 1002 { 1003 struct ipsecrequest *p; 1004 1005 p = malloc(sizeof(struct ipsecrequest), M_IPSEC_SR, M_NOWAIT|M_ZERO); 1006 if (p != NULL) 1007 IPSECREQUEST_LOCK_INIT(p); 1008 return p; 1009 } 1010 1011 void 1012 ipsec_delisr(struct ipsecrequest *p) 1013 { 1014 IPSECREQUEST_LOCK_DESTROY(p); 1015 free(p, M_IPSEC_SR); 1016 } 1017 1018 /* deep-copy a policy in PCB */ 1019 static struct secpolicy * 1020 ipsec_deepcopy_policy(src) 1021 struct secpolicy *src; 1022 { 1023 struct ipsecrequest *newchain = NULL; 1024 struct ipsecrequest *p; 1025 struct ipsecrequest **q; 1026 struct ipsecrequest *r; 1027 struct secpolicy *dst; 1028 1029 if (src == NULL) 1030 return NULL; 1031 dst = KEY_NEWSP(); 1032 if (dst == NULL) 1033 return NULL; 1034 1035 /* 1036 * deep-copy IPsec request chain. This is required since struct 1037 * ipsecrequest is not reference counted. 1038 */ 1039 q = &newchain; 1040 for (p = src->req; p; p = p->next) { 1041 *q = ipsec_newisr(); 1042 if (*q == NULL) 1043 goto fail; 1044 (*q)->saidx.proto = p->saidx.proto; 1045 (*q)->saidx.mode = p->saidx.mode; 1046 (*q)->level = p->level; 1047 (*q)->saidx.reqid = p->saidx.reqid; 1048 1049 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src)); 1050 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst)); 1051 1052 (*q)->sp = dst; 1053 1054 q = &((*q)->next); 1055 } 1056 1057 dst->req = newchain; 1058 dst->state = src->state; 1059 dst->policy = src->policy; 1060 /* do not touch the refcnt fields */ 1061 1062 return dst; 1063 1064 fail: 1065 for (p = newchain; p; p = r) { 1066 r = p->next; 1067 ipsec_delisr(p); 1068 p = NULL; 1069 } 1070 return NULL; 1071 } 1072 1073 /* set policy and ipsec request if present. */ 1074 static int 1075 ipsec_set_policy(pcb_sp, optname, request, len, cred) 1076 struct secpolicy **pcb_sp; 1077 int optname; 1078 caddr_t request; 1079 size_t len; 1080 struct ucred *cred; 1081 { 1082 INIT_VNET_IPSEC(curvnet); 1083 struct sadb_x_policy *xpl; 1084 struct secpolicy *newsp = NULL; 1085 int error; 1086 1087 /* sanity check. */ 1088 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL) 1089 return EINVAL; 1090 if (len < sizeof(*xpl)) 1091 return EINVAL; 1092 xpl = (struct sadb_x_policy *)request; 1093 1094 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1095 printf("%s: passed policy\n", __func__); 1096 kdebug_sadb_x_policy((struct sadb_ext *)xpl)); 1097 1098 /* check policy type */ 1099 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ 1100 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD 1101 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) 1102 return EINVAL; 1103 1104 /* check privileged socket */ 1105 if (cred != NULL && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) { 1106 error = priv_check_cred(cred, PRIV_NETINET_IPSEC, 0); 1107 if (error) 1108 return EACCES; 1109 } 1110 1111 /* allocation new SP entry */ 1112 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) 1113 return error; 1114 1115 newsp->state = IPSEC_SPSTATE_ALIVE; 1116 1117 /* clear old SP and set new SP */ 1118 KEY_FREESP(pcb_sp); 1119 *pcb_sp = newsp; 1120 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1121 printf("%s: new policy\n", __func__); 1122 kdebug_secpolicy(newsp)); 1123 1124 return 0; 1125 } 1126 1127 static int 1128 ipsec_get_policy(pcb_sp, mp) 1129 struct secpolicy *pcb_sp; 1130 struct mbuf **mp; 1131 { 1132 INIT_VNET_IPSEC(curvnet); 1133 1134 /* sanity check. */ 1135 if (pcb_sp == NULL || mp == NULL) 1136 return EINVAL; 1137 1138 *mp = key_sp2msg(pcb_sp); 1139 if (!*mp) { 1140 ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); 1141 return ENOBUFS; 1142 } 1143 1144 (*mp)->m_type = MT_DATA; 1145 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1146 printf("%s:\n", __func__); kdebug_mbuf(*mp)); 1147 1148 return 0; 1149 } 1150 1151 int 1152 ipsec4_set_policy(inp, optname, request, len, cred) 1153 struct inpcb *inp; 1154 int optname; 1155 caddr_t request; 1156 size_t len; 1157 struct ucred *cred; 1158 { 1159 INIT_VNET_IPSEC(curvnet); 1160 struct sadb_x_policy *xpl; 1161 struct secpolicy **pcb_sp; 1162 1163 /* sanity check. */ 1164 if (inp == NULL || request == NULL) 1165 return EINVAL; 1166 if (len < sizeof(*xpl)) 1167 return EINVAL; 1168 xpl = (struct sadb_x_policy *)request; 1169 1170 /* select direction */ 1171 switch (xpl->sadb_x_policy_dir) { 1172 case IPSEC_DIR_INBOUND: 1173 pcb_sp = &inp->inp_sp->sp_in; 1174 break; 1175 case IPSEC_DIR_OUTBOUND: 1176 pcb_sp = &inp->inp_sp->sp_out; 1177 break; 1178 default: 1179 ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__, 1180 xpl->sadb_x_policy_dir)); 1181 return EINVAL; 1182 } 1183 1184 return ipsec_set_policy(pcb_sp, optname, request, len, cred); 1185 } 1186 1187 int 1188 ipsec4_get_policy(inp, request, len, mp) 1189 struct inpcb *inp; 1190 caddr_t request; 1191 size_t len; 1192 struct mbuf **mp; 1193 { 1194 INIT_VNET_IPSEC(curvnet); 1195 struct sadb_x_policy *xpl; 1196 struct secpolicy *pcb_sp; 1197 1198 /* sanity check. */ 1199 if (inp == NULL || request == NULL || mp == NULL) 1200 return EINVAL; 1201 IPSEC_ASSERT(inp->inp_sp != NULL, ("null inp_sp")); 1202 if (len < sizeof(*xpl)) 1203 return EINVAL; 1204 xpl = (struct sadb_x_policy *)request; 1205 1206 /* select direction */ 1207 switch (xpl->sadb_x_policy_dir) { 1208 case IPSEC_DIR_INBOUND: 1209 pcb_sp = inp->inp_sp->sp_in; 1210 break; 1211 case IPSEC_DIR_OUTBOUND: 1212 pcb_sp = inp->inp_sp->sp_out; 1213 break; 1214 default: 1215 ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__, 1216 xpl->sadb_x_policy_dir)); 1217 return EINVAL; 1218 } 1219 1220 return ipsec_get_policy(pcb_sp, mp); 1221 } 1222 1223 /* delete policy in PCB */ 1224 int 1225 ipsec_delete_pcbpolicy(inp) 1226 struct inpcb *inp; 1227 { 1228 IPSEC_ASSERT(inp != NULL, ("null inp")); 1229 1230 if (inp->inp_sp == NULL) 1231 return 0; 1232 1233 if (inp->inp_sp->sp_in != NULL) 1234 KEY_FREESP(&inp->inp_sp->sp_in); 1235 1236 if (inp->inp_sp->sp_out != NULL) 1237 KEY_FREESP(&inp->inp_sp->sp_out); 1238 1239 ipsec_delpcbpolicy(inp->inp_sp); 1240 inp->inp_sp = NULL; 1241 1242 return 0; 1243 } 1244 1245 #ifdef INET6 1246 int 1247 ipsec6_set_policy(in6p, optname, request, len, cred) 1248 struct in6pcb *in6p; 1249 int optname; 1250 caddr_t request; 1251 size_t len; 1252 struct ucred *cred; 1253 { 1254 INIT_VNET_IPSEC(curvnet); 1255 struct sadb_x_policy *xpl; 1256 struct secpolicy **pcb_sp; 1257 1258 /* sanity check. */ 1259 if (in6p == NULL || request == NULL) 1260 return EINVAL; 1261 if (len < sizeof(*xpl)) 1262 return EINVAL; 1263 xpl = (struct sadb_x_policy *)request; 1264 1265 /* select direction */ 1266 switch (xpl->sadb_x_policy_dir) { 1267 case IPSEC_DIR_INBOUND: 1268 pcb_sp = &in6p->in6p_sp->sp_in; 1269 break; 1270 case IPSEC_DIR_OUTBOUND: 1271 pcb_sp = &in6p->in6p_sp->sp_out; 1272 break; 1273 default: 1274 ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__, 1275 xpl->sadb_x_policy_dir)); 1276 return EINVAL; 1277 } 1278 1279 return ipsec_set_policy(pcb_sp, optname, request, len, cred); 1280 } 1281 1282 int 1283 ipsec6_get_policy(in6p, request, len, mp) 1284 struct in6pcb *in6p; 1285 caddr_t request; 1286 size_t len; 1287 struct mbuf **mp; 1288 { 1289 INIT_VNET_IPSEC(curvnet); 1290 struct sadb_x_policy *xpl; 1291 struct secpolicy *pcb_sp; 1292 1293 /* sanity check. */ 1294 if (in6p == NULL || request == NULL || mp == NULL) 1295 return EINVAL; 1296 IPSEC_ASSERT(in6p->in6p_sp != NULL, ("null in6p_sp")); 1297 if (len < sizeof(*xpl)) 1298 return EINVAL; 1299 xpl = (struct sadb_x_policy *)request; 1300 1301 /* select direction */ 1302 switch (xpl->sadb_x_policy_dir) { 1303 case IPSEC_DIR_INBOUND: 1304 pcb_sp = in6p->in6p_sp->sp_in; 1305 break; 1306 case IPSEC_DIR_OUTBOUND: 1307 pcb_sp = in6p->in6p_sp->sp_out; 1308 break; 1309 default: 1310 ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__, 1311 xpl->sadb_x_policy_dir)); 1312 return EINVAL; 1313 } 1314 1315 return ipsec_get_policy(pcb_sp, mp); 1316 } 1317 #endif 1318 1319 /* 1320 * return current level. 1321 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 1322 */ 1323 u_int 1324 ipsec_get_reqlevel(isr) 1325 struct ipsecrequest *isr; 1326 { 1327 INIT_VNET_IPSEC(curvnet); 1328 u_int level = 0; 1329 u_int esp_trans_deflev, esp_net_deflev; 1330 u_int ah_trans_deflev, ah_net_deflev; 1331 1332 IPSEC_ASSERT(isr != NULL && isr->sp != NULL, ("null argument")); 1333 IPSEC_ASSERT(isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family, 1334 ("af family mismatch, src %u, dst %u", 1335 isr->sp->spidx.src.sa.sa_family, 1336 isr->sp->spidx.dst.sa.sa_family)); 1337 1338 /* XXX note that we have ipseclog() expanded here - code sync issue */ 1339 #define IPSEC_CHECK_DEFAULT(lev) \ 1340 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \ 1341 && (lev) != IPSEC_LEVEL_UNIQUE) \ 1342 ? (V_ipsec_debug \ 1343 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\ 1344 (lev), IPSEC_LEVEL_REQUIRE) \ 1345 : 0), \ 1346 (lev) = IPSEC_LEVEL_REQUIRE, \ 1347 (lev) \ 1348 : (lev)) 1349 1350 /* set default level */ 1351 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) { 1352 #ifdef INET 1353 case AF_INET: 1354 esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_trans_deflev); 1355 esp_net_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_net_deflev); 1356 ah_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_ah_trans_deflev); 1357 ah_net_deflev = IPSEC_CHECK_DEFAULT(V_ip4_ah_net_deflev); 1358 break; 1359 #endif 1360 #ifdef INET6 1361 case AF_INET6: 1362 esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip6_esp_trans_deflev); 1363 esp_net_deflev = IPSEC_CHECK_DEFAULT(V_ip6_esp_net_deflev); 1364 ah_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip6_ah_trans_deflev); 1365 ah_net_deflev = IPSEC_CHECK_DEFAULT(V_ip6_ah_net_deflev); 1366 break; 1367 #endif /* INET6 */ 1368 default: 1369 panic("%s: unknown af %u", 1370 __func__, isr->sp->spidx.src.sa.sa_family); 1371 } 1372 1373 #undef IPSEC_CHECK_DEFAULT 1374 1375 /* set level */ 1376 switch (isr->level) { 1377 case IPSEC_LEVEL_DEFAULT: 1378 switch (isr->saidx.proto) { 1379 case IPPROTO_ESP: 1380 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1381 level = esp_net_deflev; 1382 else 1383 level = esp_trans_deflev; 1384 break; 1385 case IPPROTO_AH: 1386 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 1387 level = ah_net_deflev; 1388 else 1389 level = ah_trans_deflev; 1390 break; 1391 case IPPROTO_IPCOMP: 1392 /* 1393 * we don't really care, as IPcomp document says that 1394 * we shouldn't compress small packets 1395 */ 1396 level = IPSEC_LEVEL_USE; 1397 break; 1398 default: 1399 panic("%s: Illegal protocol defined %u\n", __func__, 1400 isr->saidx.proto); 1401 } 1402 break; 1403 1404 case IPSEC_LEVEL_USE: 1405 case IPSEC_LEVEL_REQUIRE: 1406 level = isr->level; 1407 break; 1408 case IPSEC_LEVEL_UNIQUE: 1409 level = IPSEC_LEVEL_REQUIRE; 1410 break; 1411 1412 default: 1413 panic("%s: Illegal IPsec level %u\n", __func__, isr->level); 1414 } 1415 1416 return level; 1417 } 1418 1419 /* 1420 * Check security policy requirements against the actual 1421 * packet contents. Return one if the packet should be 1422 * reject as "invalid"; otherwiser return zero to have the 1423 * packet treated as "valid". 1424 * 1425 * OUT: 1426 * 0: valid 1427 * 1: invalid 1428 */ 1429 int 1430 ipsec_in_reject(struct secpolicy *sp, struct mbuf *m) 1431 { 1432 INIT_VNET_IPSEC(curvnet); 1433 struct ipsecrequest *isr; 1434 int need_auth; 1435 1436 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1437 printf("%s: using SP\n", __func__); kdebug_secpolicy(sp)); 1438 1439 /* check policy */ 1440 switch (sp->policy) { 1441 case IPSEC_POLICY_DISCARD: 1442 return 1; 1443 case IPSEC_POLICY_BYPASS: 1444 case IPSEC_POLICY_NONE: 1445 return 0; 1446 } 1447 1448 IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC, 1449 ("invalid policy %u", sp->policy)); 1450 1451 /* XXX should compare policy against ipsec header history */ 1452 1453 need_auth = 0; 1454 for (isr = sp->req; isr != NULL; isr = isr->next) { 1455 if (ipsec_get_reqlevel(isr) != IPSEC_LEVEL_REQUIRE) 1456 continue; 1457 switch (isr->saidx.proto) { 1458 case IPPROTO_ESP: 1459 if ((m->m_flags & M_DECRYPTED) == 0) { 1460 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1461 printf("%s: ESP m_flags:%x\n", __func__, 1462 m->m_flags)); 1463 return 1; 1464 } 1465 1466 if (!need_auth && 1467 isr->sav != NULL && 1468 isr->sav->tdb_authalgxform != NULL && 1469 (m->m_flags & M_AUTHIPDGM) == 0) { 1470 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1471 printf("%s: ESP/AH m_flags:%x\n", __func__, 1472 m->m_flags)); 1473 return 1; 1474 } 1475 break; 1476 case IPPROTO_AH: 1477 need_auth = 1; 1478 if ((m->m_flags & M_AUTHIPHDR) == 0) { 1479 KEYDEBUG(KEYDEBUG_IPSEC_DUMP, 1480 printf("%s: AH m_flags:%x\n", __func__, 1481 m->m_flags)); 1482 return 1; 1483 } 1484 break; 1485 case IPPROTO_IPCOMP: 1486 /* 1487 * we don't really care, as IPcomp document 1488 * says that we shouldn't compress small 1489 * packets, IPComp policy should always be 1490 * treated as being in "use" level. 1491 */ 1492 break; 1493 } 1494 } 1495 return 0; /* valid */ 1496 } 1497 1498 /* 1499 * Check AH/ESP integrity. 1500 * This function is called from tcp_input(), udp_input(), 1501 * and {ah,esp}4_input for tunnel mode 1502 */ 1503 int 1504 ipsec4_in_reject(m, inp) 1505 struct mbuf *m; 1506 struct inpcb *inp; 1507 { 1508 INIT_VNET_IPSEC(curvnet); 1509 struct secpolicy *sp; 1510 int error; 1511 int result; 1512 1513 IPSEC_ASSERT(m != NULL, ("null mbuf")); 1514 1515 /* get SP for this packet. 1516 * When we are called from ip_forward(), we call 1517 * ipsec_getpolicybyaddr() with IP_FORWARDING flag. 1518 */ 1519 if (inp == NULL) 1520 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 1521 else 1522 sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND, inp, &error); 1523 1524 if (sp != NULL) { 1525 result = ipsec_in_reject(sp, m); 1526 if (result) 1527 V_ipsec4stat.ips_in_polvio++; 1528 KEY_FREESP(&sp); 1529 } else { 1530 result = 0; /* XXX should be panic ? 1531 * -> No, there may be error. */ 1532 } 1533 return result; 1534 } 1535 1536 #ifdef INET6 1537 /* 1538 * Check AH/ESP integrity. 1539 * This function is called from tcp6_input(), udp6_input(), 1540 * and {ah,esp}6_input for tunnel mode 1541 */ 1542 int 1543 ipsec6_in_reject(m, inp) 1544 struct mbuf *m; 1545 struct inpcb *inp; 1546 { 1547 INIT_VNET_IPSEC(curvnet); 1548 struct secpolicy *sp = NULL; 1549 int error; 1550 int result; 1551 1552 /* sanity check */ 1553 if (m == NULL) 1554 return 0; /* XXX should be panic ? */ 1555 1556 /* get SP for this packet. 1557 * When we are called from ip_forward(), we call 1558 * ipsec_getpolicybyaddr() with IP_FORWARDING flag. 1559 */ 1560 if (inp == NULL) 1561 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); 1562 else 1563 sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND, inp, &error); 1564 1565 if (sp != NULL) { 1566 result = ipsec_in_reject(sp, m); 1567 if (result) 1568 V_ipsec6stat.ips_in_polvio++; 1569 KEY_FREESP(&sp); 1570 } else { 1571 result = 0; 1572 } 1573 return result; 1574 } 1575 #endif 1576 1577 /* 1578 * compute the byte size to be occupied by IPsec header. 1579 * in case it is tunneled, it includes the size of outer IP header. 1580 * NOTE: SP passed is free in this function. 1581 */ 1582 static size_t 1583 ipsec_hdrsiz(struct secpolicy *sp) 1584 { 1585 INIT_VNET_IPSEC(curvnet); 1586 struct ipsecrequest *isr; 1587 size_t siz; 1588 1589 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1590 printf("%s: using SP\n", __func__); kdebug_secpolicy(sp)); 1591 1592 switch (sp->policy) { 1593 case IPSEC_POLICY_DISCARD: 1594 case IPSEC_POLICY_BYPASS: 1595 case IPSEC_POLICY_NONE: 1596 return 0; 1597 } 1598 1599 IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC, 1600 ("invalid policy %u", sp->policy)); 1601 1602 siz = 0; 1603 for (isr = sp->req; isr != NULL; isr = isr->next) { 1604 size_t clen = 0; 1605 1606 switch (isr->saidx.proto) { 1607 case IPPROTO_ESP: 1608 clen = esp_hdrsiz(isr->sav); 1609 break; 1610 case IPPROTO_AH: 1611 clen = ah_hdrsiz(isr->sav); 1612 break; 1613 case IPPROTO_IPCOMP: 1614 clen = sizeof(struct ipcomp); 1615 break; 1616 } 1617 1618 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { 1619 switch (isr->saidx.dst.sa.sa_family) { 1620 case AF_INET: 1621 clen += sizeof(struct ip); 1622 break; 1623 #ifdef INET6 1624 case AF_INET6: 1625 clen += sizeof(struct ip6_hdr); 1626 break; 1627 #endif 1628 default: 1629 ipseclog((LOG_ERR, "%s: unknown AF %d in " 1630 "IPsec tunnel SA\n", __func__, 1631 ((struct sockaddr *)&isr->saidx.dst)->sa_family)); 1632 break; 1633 } 1634 } 1635 siz += clen; 1636 } 1637 1638 return siz; 1639 } 1640 1641 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ 1642 size_t 1643 ipsec4_hdrsiz(m, dir, inp) 1644 struct mbuf *m; 1645 u_int dir; 1646 struct inpcb *inp; 1647 { 1648 INIT_VNET_IPSEC(curvnet); 1649 struct secpolicy *sp; 1650 int error; 1651 size_t size; 1652 1653 IPSEC_ASSERT(m != NULL, ("null mbuf")); 1654 1655 /* get SP for this packet. 1656 * When we are called from ip_forward(), we call 1657 * ipsec_getpolicybyaddr() with IP_FORWARDING flag. 1658 */ 1659 if (inp == NULL) 1660 sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 1661 else 1662 sp = ipsec_getpolicybysock(m, dir, inp, &error); 1663 1664 if (sp != NULL) { 1665 size = ipsec_hdrsiz(sp); 1666 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1667 printf("%s: size:%lu.\n", __func__, 1668 (unsigned long)size)); 1669 1670 KEY_FREESP(&sp); 1671 } else { 1672 size = 0; /* XXX should be panic ? 1673 * -> No, we are called w/o knowing if 1674 * IPsec processing is needed. */ 1675 } 1676 return size; 1677 } 1678 1679 #ifdef INET6 1680 /* This function is called from ipsec6_hdrsize_tcp(), 1681 * and maybe from ip6_forward.() 1682 */ 1683 size_t 1684 ipsec6_hdrsiz(m, dir, in6p) 1685 struct mbuf *m; 1686 u_int dir; 1687 struct in6pcb *in6p; 1688 { 1689 INIT_VNET_IPSEC(curvnet); 1690 struct secpolicy *sp; 1691 int error; 1692 size_t size; 1693 1694 IPSEC_ASSERT(m != NULL, ("null mbuf")); 1695 IPSEC_ASSERT(in6p == NULL || in6p->in6p_socket != NULL, 1696 ("socket w/o inpcb")); 1697 1698 /* get SP for this packet */ 1699 /* XXX Is it right to call with IP_FORWARDING. */ 1700 if (in6p == NULL) 1701 sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error); 1702 else 1703 sp = ipsec_getpolicybysock(m, dir, in6p, &error); 1704 1705 if (sp == NULL) 1706 return 0; 1707 size = ipsec_hdrsiz(sp); 1708 KEYDEBUG(KEYDEBUG_IPSEC_DATA, 1709 printf("%s: size:%lu.\n", __func__, (unsigned long)size)); 1710 KEY_FREESP(&sp); 1711 1712 return size; 1713 } 1714 #endif /*INET6*/ 1715 1716 /* 1717 * Check the variable replay window. 1718 * ipsec_chkreplay() performs replay check before ICV verification. 1719 * ipsec_updatereplay() updates replay bitmap. This must be called after 1720 * ICV verification (it also performs replay check, which is usually done 1721 * beforehand). 1722 * 0 (zero) is returned if packet disallowed, 1 if packet permitted. 1723 * 1724 * based on RFC 2401. 1725 */ 1726 int 1727 ipsec_chkreplay(seq, sav) 1728 u_int32_t seq; 1729 struct secasvar *sav; 1730 { 1731 const struct secreplay *replay; 1732 u_int32_t diff; 1733 int fr; 1734 u_int32_t wsizeb; /* constant: bits of window size */ 1735 int frlast; /* constant: last frame */ 1736 1737 IPSEC_ASSERT(sav != NULL, ("Null SA")); 1738 IPSEC_ASSERT(sav->replay != NULL, ("Null replay state")); 1739 1740 replay = sav->replay; 1741 1742 if (replay->wsize == 0) 1743 return 1; /* no need to check replay. */ 1744 1745 /* constant */ 1746 frlast = replay->wsize - 1; 1747 wsizeb = replay->wsize << 3; 1748 1749 /* sequence number of 0 is invalid */ 1750 if (seq == 0) 1751 return 0; 1752 1753 /* first time is always okay */ 1754 if (replay->count == 0) 1755 return 1; 1756 1757 if (seq > replay->lastseq) { 1758 /* larger sequences are okay */ 1759 return 1; 1760 } else { 1761 /* seq is equal or less than lastseq. */ 1762 diff = replay->lastseq - seq; 1763 1764 /* over range to check, i.e. too old or wrapped */ 1765 if (diff >= wsizeb) 1766 return 0; 1767 1768 fr = frlast - diff / 8; 1769 1770 /* this packet already seen ? */ 1771 if ((replay->bitmap)[fr] & (1 << (diff % 8))) 1772 return 0; 1773 1774 /* out of order but good */ 1775 return 1; 1776 } 1777 } 1778 1779 /* 1780 * check replay counter whether to update or not. 1781 * OUT: 0: OK 1782 * 1: NG 1783 */ 1784 int 1785 ipsec_updatereplay(seq, sav) 1786 u_int32_t seq; 1787 struct secasvar *sav; 1788 { 1789 INIT_VNET_IPSEC(curvnet); 1790 struct secreplay *replay; 1791 u_int32_t diff; 1792 int fr; 1793 u_int32_t wsizeb; /* constant: bits of window size */ 1794 int frlast; /* constant: last frame */ 1795 1796 IPSEC_ASSERT(sav != NULL, ("Null SA")); 1797 IPSEC_ASSERT(sav->replay != NULL, ("Null replay state")); 1798 1799 replay = sav->replay; 1800 1801 if (replay->wsize == 0) 1802 goto ok; /* no need to check replay. */ 1803 1804 /* constant */ 1805 frlast = replay->wsize - 1; 1806 wsizeb = replay->wsize << 3; 1807 1808 /* sequence number of 0 is invalid */ 1809 if (seq == 0) 1810 return 1; 1811 1812 /* first time */ 1813 if (replay->count == 0) { 1814 replay->lastseq = seq; 1815 bzero(replay->bitmap, replay->wsize); 1816 (replay->bitmap)[frlast] = 1; 1817 goto ok; 1818 } 1819 1820 if (seq > replay->lastseq) { 1821 /* seq is larger than lastseq. */ 1822 diff = seq - replay->lastseq; 1823 1824 /* new larger sequence number */ 1825 if (diff < wsizeb) { 1826 /* In window */ 1827 /* set bit for this packet */ 1828 vshiftl(replay->bitmap, diff, replay->wsize); 1829 (replay->bitmap)[frlast] |= 1; 1830 } else { 1831 /* this packet has a "way larger" */ 1832 bzero(replay->bitmap, replay->wsize); 1833 (replay->bitmap)[frlast] = 1; 1834 } 1835 replay->lastseq = seq; 1836 1837 /* larger is good */ 1838 } else { 1839 /* seq is equal or less than lastseq. */ 1840 diff = replay->lastseq - seq; 1841 1842 /* over range to check, i.e. too old or wrapped */ 1843 if (diff >= wsizeb) 1844 return 1; 1845 1846 fr = frlast - diff / 8; 1847 1848 /* this packet already seen ? */ 1849 if ((replay->bitmap)[fr] & (1 << (diff % 8))) 1850 return 1; 1851 1852 /* mark as seen */ 1853 (replay->bitmap)[fr] |= (1 << (diff % 8)); 1854 1855 /* out of order but good */ 1856 } 1857 1858 ok: 1859 if (replay->count == ~0) { 1860 1861 /* set overflow flag */ 1862 replay->overflow++; 1863 1864 /* don't increment, no more packets accepted */ 1865 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) 1866 return 1; 1867 1868 ipseclog((LOG_WARNING, "%s: replay counter made %d cycle. %s\n", 1869 __func__, replay->overflow, ipsec_logsastr(sav))); 1870 } 1871 1872 replay->count++; 1873 1874 return 0; 1875 } 1876 1877 /* 1878 * shift variable length buffer to left. 1879 * IN: bitmap: pointer to the buffer 1880 * nbit: the number of to shift. 1881 * wsize: buffer size (bytes). 1882 */ 1883 static void 1884 vshiftl(bitmap, nbit, wsize) 1885 unsigned char *bitmap; 1886 int nbit, wsize; 1887 { 1888 int s, j, i; 1889 unsigned char over; 1890 1891 for (j = 0; j < nbit; j += 8) { 1892 s = (nbit - j < 8) ? (nbit - j): 8; 1893 bitmap[0] <<= s; 1894 for (i = 1; i < wsize; i++) { 1895 over = (bitmap[i] >> (8 - s)); 1896 bitmap[i] <<= s; 1897 bitmap[i-1] |= over; 1898 } 1899 } 1900 1901 return; 1902 } 1903 1904 /* Return a printable string for the IPv4 address. */ 1905 static char * 1906 inet_ntoa4(struct in_addr ina) 1907 { 1908 static char buf[4][4 * sizeof "123" + 4]; 1909 unsigned char *ucp = (unsigned char *) &ina; 1910 static int i = 3; 1911 1912 /* XXX-BZ returns static buffer. */ 1913 i = (i + 1) % 4; 1914 sprintf(buf[i], "%d.%d.%d.%d", ucp[0] & 0xff, ucp[1] & 0xff, 1915 ucp[2] & 0xff, ucp[3] & 0xff); 1916 return (buf[i]); 1917 } 1918 1919 /* Return a printable string for the address. */ 1920 char * 1921 ipsec_address(union sockaddr_union* sa) 1922 { 1923 #ifdef INET6 1924 char ip6buf[INET6_ADDRSTRLEN]; 1925 #endif 1926 switch (sa->sa.sa_family) { 1927 #ifdef INET 1928 case AF_INET: 1929 return inet_ntoa4(sa->sin.sin_addr); 1930 #endif /* INET */ 1931 1932 #ifdef INET6 1933 case AF_INET6: 1934 return ip6_sprintf(ip6buf, &sa->sin6.sin6_addr); 1935 #endif /* INET6 */ 1936 1937 default: 1938 return "(unknown address family)"; 1939 } 1940 } 1941 1942 const char * 1943 ipsec_logsastr(sav) 1944 struct secasvar *sav; 1945 { 1946 static char buf[256]; 1947 char *p; 1948 struct secasindex *saidx = &sav->sah->saidx; 1949 1950 IPSEC_ASSERT(saidx->src.sa.sa_family == saidx->dst.sa.sa_family, 1951 ("address family mismatch")); 1952 1953 p = buf; 1954 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi)); 1955 while (p && *p) 1956 p++; 1957 /* NB: only use ipsec_address on one address at a time */ 1958 snprintf(p, sizeof (buf) - (p - buf), "src=%s ", 1959 ipsec_address(&saidx->src)); 1960 while (p && *p) 1961 p++; 1962 snprintf(p, sizeof (buf) - (p - buf), "dst=%s)", 1963 ipsec_address(&saidx->dst)); 1964 1965 return buf; 1966 } 1967 1968 void 1969 ipsec_dumpmbuf(m) 1970 struct mbuf *m; 1971 { 1972 int totlen; 1973 int i; 1974 u_char *p; 1975 1976 totlen = 0; 1977 printf("---\n"); 1978 while (m) { 1979 p = mtod(m, u_char *); 1980 for (i = 0; i < m->m_len; i++) { 1981 printf("%02x ", p[i]); 1982 totlen++; 1983 if (totlen % 16 == 0) 1984 printf("\n"); 1985 } 1986 m = m->m_next; 1987 } 1988 if (totlen % 16 != 0) 1989 printf("\n"); 1990 printf("---\n"); 1991 } 1992 1993 static void 1994 ipsec_attach(void) 1995 { 1996 SECPOLICY_LOCK_INIT(&V_ip4_def_policy); 1997 V_ip4_def_policy.refcnt = 1; /* NB: disallow free */ 1998 } 1999 SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL); 2000 2001 2002 /* XXX this stuff doesn't belong here... */ 2003 2004 static struct xformsw* xforms = NULL; 2005 2006 /* 2007 * Register a transform; typically at system startup. 2008 */ 2009 void 2010 xform_register(struct xformsw* xsp) 2011 { 2012 xsp->xf_next = xforms; 2013 xforms = xsp; 2014 } 2015 2016 /* 2017 * Initialize transform support in an sav. 2018 */ 2019 int 2020 xform_init(struct secasvar *sav, int xftype) 2021 { 2022 struct xformsw *xsp; 2023 2024 if (sav->tdb_xform != NULL) /* previously initialized */ 2025 return 0; 2026 for (xsp = xforms; xsp; xsp = xsp->xf_next) 2027 if (xsp->xf_type == xftype) 2028 return (*xsp->xf_init)(sav, xsp); 2029 return EINVAL; 2030 } 2031