1 | /* |
2 | * Copyright (c) 2008-2018 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | |
29 | /* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $ */ |
30 | /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ |
31 | |
32 | /* |
33 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
34 | * All rights reserved. |
35 | * |
36 | * Redistribution and use in source and binary forms, with or without |
37 | * modification, are permitted provided that the following conditions |
38 | * are met: |
39 | * 1. Redistributions of source code must retain the above copyright |
40 | * notice, this list of conditions and the following disclaimer. |
41 | * 2. Redistributions in binary form must reproduce the above copyright |
42 | * notice, this list of conditions and the following disclaimer in the |
43 | * documentation and/or other materials provided with the distribution. |
44 | * 3. Neither the name of the project nor the names of its contributors |
45 | * may be used to endorse or promote products derived from this software |
46 | * without specific prior written permission. |
47 | * |
48 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
49 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
50 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
51 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
52 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
53 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
54 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
55 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
56 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
57 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
58 | * SUCH DAMAGE. |
59 | */ |
60 | |
61 | /* |
62 | * IPsec controller part. |
63 | */ |
64 | |
65 | #include <sys/param.h> |
66 | #include <sys/systm.h> |
67 | #include <sys/malloc.h> |
68 | #include <sys/mbuf.h> |
69 | #include <sys/mcache.h> |
70 | #include <sys/domain.h> |
71 | #include <sys/protosw.h> |
72 | #include <sys/socket.h> |
73 | #include <sys/socketvar.h> |
74 | #include <sys/errno.h> |
75 | #include <sys/time.h> |
76 | #include <sys/kernel.h> |
77 | #include <sys/syslog.h> |
78 | #include <sys/sysctl.h> |
79 | #include <kern/locks.h> |
80 | #include <sys/kauth.h> |
81 | #include <libkern/OSAtomic.h> |
82 | |
83 | #include <net/if.h> |
84 | #include <net/route.h> |
85 | #include <net/if_ipsec.h> |
86 | |
87 | #include <netinet/in.h> |
88 | #include <netinet/in_systm.h> |
89 | #include <netinet/ip.h> |
90 | #include <netinet/ip_var.h> |
91 | #include <netinet/in_var.h> |
92 | #include <netinet/udp.h> |
93 | #include <netinet/udp_var.h> |
94 | #include <netinet/ip_ecn.h> |
95 | #if INET6 |
96 | #include <netinet6/ip6_ecn.h> |
97 | #endif |
98 | #include <netinet/tcp.h> |
99 | #include <netinet/udp.h> |
100 | |
101 | #include <netinet/ip6.h> |
102 | #if INET6 |
103 | #include <netinet6/ip6_var.h> |
104 | #endif |
105 | #include <netinet/in_pcb.h> |
106 | #if INET6 |
107 | #include <netinet/icmp6.h> |
108 | #endif |
109 | |
110 | #include <netinet6/ipsec.h> |
111 | #if INET6 |
112 | #include <netinet6/ipsec6.h> |
113 | #endif |
114 | #include <netinet6/ah.h> |
115 | #if INET6 |
116 | #include <netinet6/ah6.h> |
117 | #endif |
118 | #if IPSEC_ESP |
119 | #include <netinet6/esp.h> |
120 | #if INET6 |
121 | #include <netinet6/esp6.h> |
122 | #endif |
123 | #endif |
124 | #include <netinet6/ipcomp.h> |
125 | #if INET6 |
126 | #include <netinet6/ipcomp6.h> |
127 | #endif |
128 | #include <netkey/key.h> |
129 | #include <netkey/keydb.h> |
130 | #include <netkey/key_debug.h> |
131 | |
132 | #include <net/net_osdep.h> |
133 | |
134 | #if IPSEC_DEBUG |
135 | int ipsec_debug = 1; |
136 | #else |
137 | int ipsec_debug = 0; |
138 | #endif |
139 | |
140 | #include <sys/kdebug.h> |
141 | #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1) |
142 | #define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3) |
143 | #define DBG_FNC_GETPOL_SOCK NETDBG_CODE(DBG_NETIPSEC, (1 << 8)) |
144 | #define DBG_FNC_GETPOL_ADDR NETDBG_CODE(DBG_NETIPSEC, (2 << 8)) |
145 | #define DBG_FNC_IPSEC_OUT NETDBG_CODE(DBG_NETIPSEC, (3 << 8)) |
146 | |
147 | extern lck_mtx_t *sadb_mutex; |
148 | |
149 | struct ipsecstat ipsecstat; |
150 | int ip4_ah_cleartos = 1; |
151 | int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ |
152 | int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ |
153 | int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; |
154 | int ip4_esp_net_deflev = IPSEC_LEVEL_USE; |
155 | int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; |
156 | int ip4_ah_net_deflev = IPSEC_LEVEL_USE; |
157 | struct secpolicy ip4_def_policy; |
158 | int ip4_ipsec_ecn = ECN_COMPATIBILITY; /* ECN ignore(-1)/compatibility(0)/normal(1) */ |
159 | int ip4_esp_randpad = -1; |
160 | int esp_udp_encap_port = 0; |
161 | static int sysctl_def_policy SYSCTL_HANDLER_ARGS; |
162 | extern int natt_keepalive_interval; |
163 | extern u_int64_t natt_now; |
164 | |
165 | struct ipsec_tag; |
166 | |
167 | SYSCTL_DECL(_net_inet_ipsec); |
168 | #if INET6 |
169 | SYSCTL_DECL(_net_inet6_ipsec6); |
170 | #endif |
171 | /* net.inet.ipsec */ |
172 | SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS, |
173 | stats, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsecstat, ipsecstat, "" ); |
174 | SYSCTL_PROC(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy, CTLTYPE_INT|CTLFLAG_RW | CTLFLAG_LOCKED, |
175 | &ip4_def_policy.policy, 0, &sysctl_def_policy, "I" , "" ); |
176 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, |
177 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_trans_deflev, 0, "" ); |
178 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, |
179 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_net_deflev, 0, "" ); |
180 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, |
181 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_trans_deflev, 0, "" ); |
182 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, |
183 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_net_deflev, 0, "" ); |
184 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, |
185 | ah_cleartos, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_cleartos, 0, "" ); |
186 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, |
187 | ah_offsetmask, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_offsetmask, 0, "" ); |
188 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, |
189 | dfbit, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ipsec_dfbit, 0, "" ); |
190 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, |
191 | ecn, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ipsec_ecn, 0, "" ); |
192 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, |
193 | debug, CTLFLAG_RW | CTLFLAG_LOCKED, &ipsec_debug, 0, "" ); |
194 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD, |
195 | esp_randpad, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_randpad, 0, "" ); |
196 | |
197 | /* for performance, we bypass ipsec until a security policy is set */ |
198 | int ipsec_bypass = 1; |
199 | SYSCTL_INT(_net_inet_ipsec, OID_AUTO, bypass, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsec_bypass,0, "" ); |
200 | |
201 | /* |
202 | * NAT Traversal requires a UDP port for encapsulation, |
203 | * esp_udp_encap_port controls which port is used. Racoon |
204 | * must set this port to the port racoon is using locally |
205 | * for nat traversal. |
206 | */ |
207 | SYSCTL_INT(_net_inet_ipsec, OID_AUTO, esp_port, |
208 | CTLFLAG_RW | CTLFLAG_LOCKED, &esp_udp_encap_port, 0, "" ); |
209 | |
210 | #if INET6 |
211 | struct ipsecstat ipsec6stat; |
212 | int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; |
213 | int ip6_esp_net_deflev = IPSEC_LEVEL_USE; |
214 | int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; |
215 | int ip6_ah_net_deflev = IPSEC_LEVEL_USE; |
216 | struct secpolicy ip6_def_policy; |
217 | int ip6_ipsec_ecn = ECN_COMPATIBILITY; /* ECN ignore(-1)/compatibility(0)/normal(1) */ |
218 | int ip6_esp_randpad = -1; |
219 | |
220 | /* net.inet6.ipsec6 */ |
221 | SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, |
222 | stats, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsec6stat, ipsecstat, "" ); |
223 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, |
224 | def_policy, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_def_policy.policy, 0, "" ); |
225 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, |
226 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_trans_deflev, 0, "" ); |
227 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, |
228 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_net_deflev, 0, "" ); |
229 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, |
230 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ah_trans_deflev, 0, "" ); |
231 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, |
232 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ah_net_deflev, 0, "" ); |
233 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, |
234 | ecn, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ipsec_ecn, 0, "" ); |
235 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, |
236 | debug, CTLFLAG_RW | CTLFLAG_LOCKED, &ipsec_debug, 0, "" ); |
237 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, |
238 | esp_randpad, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_randpad, 0, "" ); |
239 | #endif /* INET6 */ |
240 | |
241 | static int ipsec_setspidx_interface(struct secpolicyindex *, u_int, struct mbuf *, |
242 | int, int, int); |
243 | static int ipsec_setspidx_mbuf(struct secpolicyindex *, u_int, u_int, |
244 | struct mbuf *, int); |
245 | static int ipsec4_setspidx_inpcb(struct mbuf *, struct inpcb *pcb); |
246 | #if INET6 |
247 | static int ipsec6_setspidx_in6pcb(struct mbuf *, struct in6pcb *pcb); |
248 | #endif |
249 | static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int, int); |
250 | static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int); |
251 | static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *); |
252 | #if INET6 |
253 | static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int); |
254 | static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *); |
255 | #endif |
256 | static struct inpcbpolicy *ipsec_newpcbpolicy(void); |
257 | static void ipsec_delpcbpolicy(struct inpcbpolicy *); |
258 | static struct secpolicy *ipsec_deepcopy_policy(struct secpolicy *src); |
259 | static int ipsec_set_policy(struct secpolicy **pcb_sp, |
260 | int optname, caddr_t request, size_t len, int priv); |
261 | static void vshiftl(unsigned char *, int, int); |
262 | static int ipsec_in_reject(struct secpolicy *, struct mbuf *); |
263 | #if INET6 |
264 | static int ipsec64_encapsulate(struct mbuf *, struct secasvar *); |
265 | static int ipsec6_update_routecache_and_output(struct ipsec_output_state *state, struct secasvar *sav); |
266 | static int ipsec46_encapsulate(struct ipsec_output_state *state, struct secasvar *sav); |
267 | #endif |
268 | static struct ipsec_tag *ipsec_addaux(struct mbuf *); |
269 | static struct ipsec_tag *ipsec_findaux(struct mbuf *); |
270 | static void ipsec_optaux(struct mbuf *, struct ipsec_tag *); |
271 | int ipsec_send_natt_keepalive(struct secasvar *sav); |
272 | bool ipsec_fill_offload_frame(ifnet_t ifp, struct secasvar *sav, struct ifnet_keepalive_offload_frame *frame, size_t frame_data_offset); |
273 | |
274 | static int |
275 | sysctl_def_policy SYSCTL_HANDLER_ARGS |
276 | { |
277 | int old_policy = ip4_def_policy.policy; |
278 | int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req); |
279 | |
280 | #pragma unused(arg1, arg2) |
281 | |
282 | if (ip4_def_policy.policy != IPSEC_POLICY_NONE && |
283 | ip4_def_policy.policy != IPSEC_POLICY_DISCARD) { |
284 | ip4_def_policy.policy = old_policy; |
285 | return EINVAL; |
286 | } |
287 | |
288 | /* Turn off the bypass if the default security policy changes */ |
289 | if (ipsec_bypass != 0 && ip4_def_policy.policy != IPSEC_POLICY_NONE) |
290 | ipsec_bypass = 0; |
291 | |
292 | return error; |
293 | } |
294 | |
295 | /* |
296 | * For OUTBOUND packet having a socket. Searching SPD for packet, |
297 | * and return a pointer to SP. |
298 | * OUT: NULL: no apropreate SP found, the following value is set to error. |
299 | * 0 : bypass |
300 | * EACCES : discard packet. |
301 | * ENOENT : ipsec_acquire() in progress, maybe. |
302 | * others : error occurred. |
303 | * others: a pointer to SP |
304 | * |
305 | * NOTE: IPv6 mapped adddress concern is implemented here. |
306 | */ |
307 | struct secpolicy * |
308 | ipsec4_getpolicybysock(struct mbuf *m, |
309 | u_int dir, |
310 | struct socket *so, |
311 | int *error) |
312 | { |
313 | struct inpcbpolicy *pcbsp = NULL; |
314 | struct secpolicy *currsp = NULL; /* policy on socket */ |
315 | struct secpolicy *kernsp = NULL; /* policy on kernel */ |
316 | |
317 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
318 | /* sanity check */ |
319 | if (m == NULL || so == NULL || error == NULL) |
320 | panic("ipsec4_getpolicybysock: NULL pointer was passed.\n" ); |
321 | |
322 | if (so->so_pcb == NULL) { |
323 | printf("ipsec4_getpolicybysock: so->so_pcb == NULL\n" ); |
324 | return ipsec4_getpolicybyaddr(m, dir, 0, error); |
325 | } |
326 | |
327 | switch (SOCK_DOM(so)) { |
328 | case PF_INET: |
329 | pcbsp = sotoinpcb(so)->inp_sp; |
330 | break; |
331 | #if INET6 |
332 | case PF_INET6: |
333 | pcbsp = sotoin6pcb(so)->in6p_sp; |
334 | break; |
335 | #endif |
336 | } |
337 | |
338 | if (!pcbsp){ |
339 | /* Socket has not specified an IPSEC policy */ |
340 | return ipsec4_getpolicybyaddr(m, dir, 0, error); |
341 | } |
342 | |
343 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_START, 0,0,0,0,0); |
344 | |
345 | switch (SOCK_DOM(so)) { |
346 | case PF_INET: |
347 | /* set spidx in pcb */ |
348 | *error = ipsec4_setspidx_inpcb(m, sotoinpcb(so)); |
349 | break; |
350 | #if INET6 |
351 | case PF_INET6: |
352 | /* set spidx in pcb */ |
353 | *error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so)); |
354 | break; |
355 | #endif |
356 | default: |
357 | panic("ipsec4_getpolicybysock: unsupported address family\n" ); |
358 | } |
359 | if (*error) { |
360 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 1,*error,0,0,0); |
361 | return NULL; |
362 | } |
363 | |
364 | /* sanity check */ |
365 | if (pcbsp == NULL) |
366 | panic("ipsec4_getpolicybysock: pcbsp is NULL.\n" ); |
367 | |
368 | switch (dir) { |
369 | case IPSEC_DIR_INBOUND: |
370 | currsp = pcbsp->sp_in; |
371 | break; |
372 | case IPSEC_DIR_OUTBOUND: |
373 | currsp = pcbsp->sp_out; |
374 | break; |
375 | default: |
376 | panic("ipsec4_getpolicybysock: illegal direction.\n" ); |
377 | } |
378 | |
379 | /* sanity check */ |
380 | if (currsp == NULL) |
381 | panic("ipsec4_getpolicybysock: currsp is NULL.\n" ); |
382 | |
383 | /* when privilieged socket */ |
384 | if (pcbsp->priv) { |
385 | switch (currsp->policy) { |
386 | case IPSEC_POLICY_BYPASS: |
387 | lck_mtx_lock(sadb_mutex); |
388 | currsp->refcnt++; |
389 | lck_mtx_unlock(sadb_mutex); |
390 | *error = 0; |
391 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 2,*error,0,0,0); |
392 | return currsp; |
393 | |
394 | case IPSEC_POLICY_ENTRUST: |
395 | /* look for a policy in SPD */ |
396 | kernsp = key_allocsp(&currsp->spidx, dir); |
397 | |
398 | /* SP found */ |
399 | if (kernsp != NULL) { |
400 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
401 | printf("DP ipsec4_getpolicybysock called " |
402 | "to allocate SP:0x%llx\n" , |
403 | (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); |
404 | *error = 0; |
405 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 3,*error,0,0,0); |
406 | return kernsp; |
407 | } |
408 | |
409 | /* no SP found */ |
410 | lck_mtx_lock(sadb_mutex); |
411 | if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD |
412 | && ip4_def_policy.policy != IPSEC_POLICY_NONE) { |
413 | ipseclog((LOG_INFO, |
414 | "fixed system default policy: %d->%d\n" , |
415 | ip4_def_policy.policy, IPSEC_POLICY_NONE)); |
416 | ip4_def_policy.policy = IPSEC_POLICY_NONE; |
417 | } |
418 | ip4_def_policy.refcnt++; |
419 | lck_mtx_unlock(sadb_mutex); |
420 | *error = 0; |
421 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 4,*error,0,0,0); |
422 | return &ip4_def_policy; |
423 | |
424 | case IPSEC_POLICY_IPSEC: |
425 | lck_mtx_lock(sadb_mutex); |
426 | currsp->refcnt++; |
427 | lck_mtx_unlock(sadb_mutex); |
428 | *error = 0; |
429 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 5,*error,0,0,0); |
430 | return currsp; |
431 | |
432 | default: |
433 | ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " |
434 | "Invalid policy for PCB %d\n" , currsp->policy)); |
435 | *error = EINVAL; |
436 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 6,*error,0,0,0); |
437 | return NULL; |
438 | } |
439 | /* NOTREACHED */ |
440 | } |
441 | |
442 | /* when non-privilieged socket */ |
443 | /* look for a policy in SPD */ |
444 | kernsp = key_allocsp(&currsp->spidx, dir); |
445 | |
446 | /* SP found */ |
447 | if (kernsp != NULL) { |
448 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
449 | printf("DP ipsec4_getpolicybysock called " |
450 | "to allocate SP:0x%llx\n" , |
451 | (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); |
452 | *error = 0; |
453 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 7,*error,0,0,0); |
454 | return kernsp; |
455 | } |
456 | |
457 | /* no SP found */ |
458 | switch (currsp->policy) { |
459 | case IPSEC_POLICY_BYPASS: |
460 | ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " |
461 | "Illegal policy for non-priviliged defined %d\n" , |
462 | currsp->policy)); |
463 | *error = EINVAL; |
464 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 8,*error,0,0,0); |
465 | return NULL; |
466 | |
467 | case IPSEC_POLICY_ENTRUST: |
468 | lck_mtx_lock(sadb_mutex); |
469 | if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD |
470 | && ip4_def_policy.policy != IPSEC_POLICY_NONE) { |
471 | ipseclog((LOG_INFO, |
472 | "fixed system default policy: %d->%d\n" , |
473 | ip4_def_policy.policy, IPSEC_POLICY_NONE)); |
474 | ip4_def_policy.policy = IPSEC_POLICY_NONE; |
475 | } |
476 | ip4_def_policy.refcnt++; |
477 | lck_mtx_unlock(sadb_mutex); |
478 | *error = 0; |
479 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 9,*error,0,0,0); |
480 | return &ip4_def_policy; |
481 | |
482 | case IPSEC_POLICY_IPSEC: |
483 | lck_mtx_lock(sadb_mutex); |
484 | currsp->refcnt++; |
485 | lck_mtx_unlock(sadb_mutex); |
486 | *error = 0; |
487 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 10,*error,0,0,0); |
488 | return currsp; |
489 | |
490 | default: |
491 | ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " |
492 | "Invalid policy for PCB %d\n" , currsp->policy)); |
493 | *error = EINVAL; |
494 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 11,*error,0,0,0); |
495 | return NULL; |
496 | } |
497 | /* NOTREACHED */ |
498 | } |
499 | |
500 | /* |
501 | * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, |
502 | * and return a pointer to SP. |
503 | * OUT: positive: a pointer to the entry for security policy leaf matched. |
504 | * NULL: no apropreate SP found, the following value is set to error. |
505 | * 0 : bypass |
506 | * EACCES : discard packet. |
507 | * ENOENT : ipsec_acquire() in progress, maybe. |
508 | * others : error occurred. |
509 | */ |
510 | struct secpolicy * |
511 | ipsec4_getpolicybyaddr(struct mbuf *m, |
512 | u_int dir, |
513 | int flag, |
514 | int *error) |
515 | { |
516 | struct secpolicy *sp = NULL; |
517 | |
518 | if (ipsec_bypass != 0) |
519 | return 0; |
520 | |
521 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
522 | |
523 | /* sanity check */ |
524 | if (m == NULL || error == NULL) |
525 | panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n" ); |
526 | { |
527 | struct secpolicyindex spidx; |
528 | |
529 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0); |
530 | bzero(&spidx, sizeof(spidx)); |
531 | |
532 | /* make a index to look for a policy */ |
533 | *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m, |
534 | (flag & IP_FORWARDING) ? 0 : 1); |
535 | |
536 | if (*error != 0) { |
537 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,*error,0,0,0); |
538 | return NULL; |
539 | } |
540 | |
541 | sp = key_allocsp(&spidx, dir); |
542 | } |
543 | |
544 | /* SP found */ |
545 | if (sp != NULL) { |
546 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
547 | printf("DP ipsec4_getpolicybyaddr called " |
548 | "to allocate SP:0x%llx\n" , |
549 | (uint64_t)VM_KERNEL_ADDRPERM(sp))); |
550 | *error = 0; |
551 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,*error,0,0,0); |
552 | return sp; |
553 | } |
554 | |
555 | /* no SP found */ |
556 | lck_mtx_lock(sadb_mutex); |
557 | if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD |
558 | && ip4_def_policy.policy != IPSEC_POLICY_NONE) { |
559 | ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n" , |
560 | ip4_def_policy.policy, |
561 | IPSEC_POLICY_NONE)); |
562 | ip4_def_policy.policy = IPSEC_POLICY_NONE; |
563 | } |
564 | ip4_def_policy.refcnt++; |
565 | lck_mtx_unlock(sadb_mutex); |
566 | *error = 0; |
567 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 3,*error,0,0,0); |
568 | return &ip4_def_policy; |
569 | } |
570 | |
571 | /* Match with bound interface rather than src addr. |
572 | * Unlike getpolicybyaddr, do not set the default policy. |
573 | * Return 0 if should continue processing, or -1 if packet |
574 | * should be dropped. |
575 | */ |
576 | int |
577 | ipsec4_getpolicybyinterface(struct mbuf *m, |
578 | u_int dir, |
579 | int *flags, |
580 | struct ip_out_args *ipoa, |
581 | struct secpolicy **sp) |
582 | { |
583 | struct secpolicyindex spidx; |
584 | int error = 0; |
585 | |
586 | if (ipsec_bypass != 0) |
587 | return 0; |
588 | |
589 | /* Sanity check */ |
590 | if (m == NULL || ipoa == NULL || sp == NULL) |
591 | panic("ipsec4_getpolicybyinterface: NULL pointer was passed.\n" ); |
592 | |
593 | if (ipoa->ipoa_boundif == IFSCOPE_NONE) |
594 | return 0; |
595 | |
596 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0); |
597 | bzero(&spidx, sizeof(spidx)); |
598 | |
599 | /* make a index to look for a policy */ |
600 | error = ipsec_setspidx_interface(&spidx, dir, m, (*flags & IP_FORWARDING) ? 0 : 1, |
601 | ipoa->ipoa_boundif, 4); |
602 | |
603 | if (error != 0) { |
604 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,error,0,0,0); |
605 | return 0; |
606 | } |
607 | |
608 | *sp = key_allocsp(&spidx, dir); |
609 | |
610 | /* Return SP, whether NULL or not */ |
611 | if (*sp != NULL && (*sp)->policy == IPSEC_POLICY_IPSEC) { |
612 | if ((*sp)->ipsec_if == NULL) { |
613 | /* Invalid to capture on an interface without redirect */ |
614 | key_freesp(*sp, KEY_SADB_UNLOCKED); |
615 | *sp = NULL; |
616 | return -1; |
617 | } else if ((*sp)->disabled) { |
618 | /* Disabled policies go in the clear */ |
619 | key_freesp(*sp, KEY_SADB_UNLOCKED); |
620 | *sp = NULL; |
621 | *flags |= IP_NOIPSEC; /* Avoid later IPSec check */ |
622 | } else { |
623 | /* If policy is enabled, redirect to ipsec interface */ |
624 | ipoa->ipoa_boundif = (*sp)->ipsec_if->if_index; |
625 | } |
626 | } |
627 | |
628 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,error,0,0,0); |
629 | |
630 | return 0; |
631 | } |
632 | |
633 | |
634 | #if INET6 |
635 | /* |
636 | * For OUTBOUND packet having a socket. Searching SPD for packet, |
637 | * and return a pointer to SP. |
638 | * OUT: NULL: no apropreate SP found, the following value is set to error. |
639 | * 0 : bypass |
640 | * EACCES : discard packet. |
641 | * ENOENT : ipsec_acquire() in progress, maybe. |
642 | * others : error occurred. |
643 | * others: a pointer to SP |
644 | */ |
645 | struct secpolicy * |
646 | ipsec6_getpolicybysock(struct mbuf *m, |
647 | u_int dir, |
648 | struct socket *so, |
649 | int *error) |
650 | { |
651 | struct inpcbpolicy *pcbsp = NULL; |
652 | struct secpolicy *currsp = NULL; /* policy on socket */ |
653 | struct secpolicy *kernsp = NULL; /* policy on kernel */ |
654 | |
655 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
656 | |
657 | /* sanity check */ |
658 | if (m == NULL || so == NULL || error == NULL) |
659 | panic("ipsec6_getpolicybysock: NULL pointer was passed.\n" ); |
660 | |
661 | #if DIAGNOSTIC |
662 | if (SOCK_DOM(so) != PF_INET6) |
663 | panic("ipsec6_getpolicybysock: socket domain != inet6\n" ); |
664 | #endif |
665 | |
666 | pcbsp = sotoin6pcb(so)->in6p_sp; |
667 | |
668 | if (!pcbsp){ |
669 | return ipsec6_getpolicybyaddr(m, dir, 0, error); |
670 | } |
671 | |
672 | /* set spidx in pcb */ |
673 | ipsec6_setspidx_in6pcb(m, sotoin6pcb(so)); |
674 | |
675 | /* sanity check */ |
676 | if (pcbsp == NULL) |
677 | panic("ipsec6_getpolicybysock: pcbsp is NULL.\n" ); |
678 | |
679 | switch (dir) { |
680 | case IPSEC_DIR_INBOUND: |
681 | currsp = pcbsp->sp_in; |
682 | break; |
683 | case IPSEC_DIR_OUTBOUND: |
684 | currsp = pcbsp->sp_out; |
685 | break; |
686 | default: |
687 | panic("ipsec6_getpolicybysock: illegal direction.\n" ); |
688 | } |
689 | |
690 | /* sanity check */ |
691 | if (currsp == NULL) |
692 | panic("ipsec6_getpolicybysock: currsp is NULL.\n" ); |
693 | |
694 | /* when privilieged socket */ |
695 | if (pcbsp->priv) { |
696 | switch (currsp->policy) { |
697 | case IPSEC_POLICY_BYPASS: |
698 | lck_mtx_lock(sadb_mutex); |
699 | currsp->refcnt++; |
700 | lck_mtx_unlock(sadb_mutex); |
701 | *error = 0; |
702 | return currsp; |
703 | |
704 | case IPSEC_POLICY_ENTRUST: |
705 | /* look for a policy in SPD */ |
706 | kernsp = key_allocsp(&currsp->spidx, dir); |
707 | |
708 | /* SP found */ |
709 | if (kernsp != NULL) { |
710 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
711 | printf("DP ipsec6_getpolicybysock called " |
712 | "to allocate SP:0x%llx\n" , |
713 | (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); |
714 | *error = 0; |
715 | return kernsp; |
716 | } |
717 | |
718 | /* no SP found */ |
719 | lck_mtx_lock(sadb_mutex); |
720 | if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD |
721 | && ip6_def_policy.policy != IPSEC_POLICY_NONE) { |
722 | ipseclog((LOG_INFO, |
723 | "fixed system default policy: %d->%d\n" , |
724 | ip6_def_policy.policy, IPSEC_POLICY_NONE)); |
725 | ip6_def_policy.policy = IPSEC_POLICY_NONE; |
726 | } |
727 | ip6_def_policy.refcnt++; |
728 | lck_mtx_unlock(sadb_mutex); |
729 | *error = 0; |
730 | return &ip6_def_policy; |
731 | |
732 | case IPSEC_POLICY_IPSEC: |
733 | lck_mtx_lock(sadb_mutex); |
734 | currsp->refcnt++; |
735 | lck_mtx_unlock(sadb_mutex); |
736 | *error = 0; |
737 | return currsp; |
738 | |
739 | default: |
740 | ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " |
741 | "Invalid policy for PCB %d\n" , currsp->policy)); |
742 | *error = EINVAL; |
743 | return NULL; |
744 | } |
745 | /* NOTREACHED */ |
746 | } |
747 | |
748 | /* when non-privilieged socket */ |
749 | /* look for a policy in SPD */ |
750 | kernsp = key_allocsp(&currsp->spidx, dir); |
751 | |
752 | /* SP found */ |
753 | if (kernsp != NULL) { |
754 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
755 | printf("DP ipsec6_getpolicybysock called " |
756 | "to allocate SP:0x%llx\n" , |
757 | (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); |
758 | *error = 0; |
759 | return kernsp; |
760 | } |
761 | |
762 | /* no SP found */ |
763 | switch (currsp->policy) { |
764 | case IPSEC_POLICY_BYPASS: |
765 | ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " |
766 | "Illegal policy for non-priviliged defined %d\n" , |
767 | currsp->policy)); |
768 | *error = EINVAL; |
769 | return NULL; |
770 | |
771 | case IPSEC_POLICY_ENTRUST: |
772 | lck_mtx_lock(sadb_mutex); |
773 | if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD |
774 | && ip6_def_policy.policy != IPSEC_POLICY_NONE) { |
775 | ipseclog((LOG_INFO, |
776 | "fixed system default policy: %d->%d\n" , |
777 | ip6_def_policy.policy, IPSEC_POLICY_NONE)); |
778 | ip6_def_policy.policy = IPSEC_POLICY_NONE; |
779 | } |
780 | ip6_def_policy.refcnt++; |
781 | lck_mtx_unlock(sadb_mutex); |
782 | *error = 0; |
783 | return &ip6_def_policy; |
784 | |
785 | case IPSEC_POLICY_IPSEC: |
786 | lck_mtx_lock(sadb_mutex); |
787 | currsp->refcnt++; |
788 | lck_mtx_unlock(sadb_mutex); |
789 | *error = 0; |
790 | return currsp; |
791 | |
792 | default: |
793 | ipseclog((LOG_ERR, |
794 | "ipsec6_policybysock: Invalid policy for PCB %d\n" , |
795 | currsp->policy)); |
796 | *error = EINVAL; |
797 | return NULL; |
798 | } |
799 | /* NOTREACHED */ |
800 | } |
801 | |
802 | /* |
803 | * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, |
804 | * and return a pointer to SP. |
805 | * `flag' means that packet is to be forwarded whether or not. |
806 | * flag = 1: forwad |
807 | * OUT: positive: a pointer to the entry for security policy leaf matched. |
808 | * NULL: no apropreate SP found, the following value is set to error. |
809 | * 0 : bypass |
810 | * EACCES : discard packet. |
811 | * ENOENT : ipsec_acquire() in progress, maybe. |
812 | * others : error occurred. |
813 | */ |
814 | #ifndef IP_FORWARDING |
815 | #define IP_FORWARDING 1 |
816 | #endif |
817 | |
818 | struct secpolicy * |
819 | ipsec6_getpolicybyaddr(struct mbuf *m, |
820 | u_int dir, |
821 | int flag, |
822 | int *error) |
823 | { |
824 | struct secpolicy *sp = NULL; |
825 | |
826 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
827 | |
828 | /* sanity check */ |
829 | if (m == NULL || error == NULL) |
830 | panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n" ); |
831 | |
832 | { |
833 | struct secpolicyindex spidx; |
834 | |
835 | bzero(&spidx, sizeof(spidx)); |
836 | |
837 | /* make a index to look for a policy */ |
838 | *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m, |
839 | (flag & IP_FORWARDING) ? 0 : 1); |
840 | |
841 | if (*error != 0) |
842 | return NULL; |
843 | |
844 | sp = key_allocsp(&spidx, dir); |
845 | } |
846 | |
847 | /* SP found */ |
848 | if (sp != NULL) { |
849 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
850 | printf("DP ipsec6_getpolicybyaddr called " |
851 | "to allocate SP:0x%llx\n" , |
852 | (uint64_t)VM_KERNEL_ADDRPERM(sp))); |
853 | *error = 0; |
854 | return sp; |
855 | } |
856 | |
857 | /* no SP found */ |
858 | lck_mtx_lock(sadb_mutex); |
859 | if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD |
860 | && ip6_def_policy.policy != IPSEC_POLICY_NONE) { |
861 | ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n" , |
862 | ip6_def_policy.policy, IPSEC_POLICY_NONE)); |
863 | ip6_def_policy.policy = IPSEC_POLICY_NONE; |
864 | } |
865 | ip6_def_policy.refcnt++; |
866 | lck_mtx_unlock(sadb_mutex); |
867 | *error = 0; |
868 | return &ip6_def_policy; |
869 | } |
870 | |
871 | /* Match with bound interface rather than src addr. |
872 | * Unlike getpolicybyaddr, do not set the default policy. |
873 | * Return 0 if should continue processing, or -1 if packet |
874 | * should be dropped. |
875 | */ |
876 | int |
877 | ipsec6_getpolicybyinterface(struct mbuf *m, |
878 | u_int dir, |
879 | int flag, |
880 | struct ip6_out_args *ip6oap, |
881 | int *noipsec, |
882 | struct secpolicy **sp) |
883 | { |
884 | struct secpolicyindex spidx; |
885 | int error = 0; |
886 | |
887 | if (ipsec_bypass != 0) |
888 | return 0; |
889 | |
890 | /* Sanity check */ |
891 | if (m == NULL || sp == NULL || noipsec == NULL || ip6oap == NULL) |
892 | panic("ipsec6_getpolicybyinterface: NULL pointer was passed.\n" ); |
893 | |
894 | *noipsec = 0; |
895 | |
896 | if (ip6oap->ip6oa_boundif == IFSCOPE_NONE) |
897 | return 0; |
898 | |
899 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0); |
900 | bzero(&spidx, sizeof(spidx)); |
901 | |
902 | /* make a index to look for a policy */ |
903 | error = ipsec_setspidx_interface(&spidx, dir, m, (flag & IP_FORWARDING) ? 0 : 1, |
904 | ip6oap->ip6oa_boundif, 6); |
905 | |
906 | if (error != 0) { |
907 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,error,0,0,0); |
908 | return 0; |
909 | } |
910 | |
911 | *sp = key_allocsp(&spidx, dir); |
912 | |
913 | /* Return SP, whether NULL or not */ |
914 | if (*sp != NULL && (*sp)->policy == IPSEC_POLICY_IPSEC) { |
915 | if ((*sp)->ipsec_if == NULL) { |
916 | /* Invalid to capture on an interface without redirect */ |
917 | key_freesp(*sp, KEY_SADB_UNLOCKED); |
918 | *sp = NULL; |
919 | return -1; |
920 | } else if ((*sp)->disabled) { |
921 | /* Disabled policies go in the clear */ |
922 | key_freesp(*sp, KEY_SADB_UNLOCKED); |
923 | *sp = NULL; |
924 | *noipsec = 1; /* Avoid later IPSec check */ |
925 | } else { |
926 | /* If policy is enabled, redirect to ipsec interface */ |
927 | ip6oap->ip6oa_boundif = (*sp)->ipsec_if->if_index; |
928 | } |
929 | } |
930 | |
931 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,*error,0,0,0); |
932 | |
933 | return 0; |
934 | } |
935 | #endif /* INET6 */ |
936 | |
937 | /* |
938 | * set IP address into spidx from mbuf. |
939 | * When Forwarding packet and ICMP echo reply, this function is used. |
940 | * |
941 | * IN: get the followings from mbuf. |
942 | * protocol family, src, dst, next protocol |
943 | * OUT: |
944 | * 0: success. |
945 | * other: failure, and set errno. |
946 | */ |
947 | static int |
948 | ipsec_setspidx_mbuf( |
949 | struct secpolicyindex *spidx, |
950 | u_int dir, |
951 | __unused u_int family, |
952 | struct mbuf *m, |
953 | int needport) |
954 | { |
955 | int error; |
956 | |
957 | /* sanity check */ |
958 | if (spidx == NULL || m == NULL) |
959 | panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n" ); |
960 | |
961 | bzero(spidx, sizeof(*spidx)); |
962 | |
963 | error = ipsec_setspidx(m, spidx, needport, 0); |
964 | if (error) |
965 | goto bad; |
966 | spidx->dir = dir; |
967 | |
968 | return 0; |
969 | |
970 | bad: |
971 | /* XXX initialize */ |
972 | bzero(spidx, sizeof(*spidx)); |
973 | return EINVAL; |
974 | } |
975 | |
976 | static int |
977 | ipsec_setspidx_interface( |
978 | struct secpolicyindex *spidx, |
979 | u_int dir, |
980 | struct mbuf *m, |
981 | int needport, |
982 | int ifindex, |
983 | int ip_version) |
984 | { |
985 | int error; |
986 | |
987 | /* sanity check */ |
988 | if (spidx == NULL || m == NULL) |
989 | panic("ipsec_setspidx_interface: NULL pointer was passed.\n" ); |
990 | |
991 | bzero(spidx, sizeof(*spidx)); |
992 | |
993 | error = ipsec_setspidx(m, spidx, needport, ip_version); |
994 | if (error) |
995 | goto bad; |
996 | spidx->dir = dir; |
997 | |
998 | if (ifindex != 0) { |
999 | ifnet_head_lock_shared(); |
1000 | spidx->internal_if = ifindex2ifnet[ifindex]; |
1001 | ifnet_head_done(); |
1002 | } else { |
1003 | spidx->internal_if = NULL; |
1004 | } |
1005 | |
1006 | return 0; |
1007 | |
1008 | bad: |
1009 | return EINVAL; |
1010 | } |
1011 | |
1012 | static int |
1013 | ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb) |
1014 | { |
1015 | struct secpolicyindex *spidx; |
1016 | int error; |
1017 | |
1018 | if (ipsec_bypass != 0) |
1019 | return 0; |
1020 | |
1021 | /* sanity check */ |
1022 | if (pcb == NULL) |
1023 | panic("ipsec4_setspidx_inpcb: no PCB found.\n" ); |
1024 | if (pcb->inp_sp == NULL) |
1025 | panic("ipsec4_setspidx_inpcb: no inp_sp found.\n" ); |
1026 | if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL) |
1027 | panic("ipsec4_setspidx_inpcb: no sp_in/out found.\n" ); |
1028 | |
1029 | bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx)); |
1030 | bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx)); |
1031 | |
1032 | spidx = &pcb->inp_sp->sp_in->spidx; |
1033 | error = ipsec_setspidx(m, spidx, 1, 0); |
1034 | if (error) |
1035 | goto bad; |
1036 | spidx->dir = IPSEC_DIR_INBOUND; |
1037 | |
1038 | spidx = &pcb->inp_sp->sp_out->spidx; |
1039 | error = ipsec_setspidx(m, spidx, 1, 0); |
1040 | if (error) |
1041 | goto bad; |
1042 | spidx->dir = IPSEC_DIR_OUTBOUND; |
1043 | |
1044 | return 0; |
1045 | |
1046 | bad: |
1047 | bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx)); |
1048 | bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx)); |
1049 | return error; |
1050 | } |
1051 | |
1052 | #if INET6 |
1053 | static int |
1054 | ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb) |
1055 | { |
1056 | struct secpolicyindex *spidx; |
1057 | int error; |
1058 | |
1059 | /* sanity check */ |
1060 | if (pcb == NULL) |
1061 | panic("ipsec6_setspidx_in6pcb: no PCB found.\n" ); |
1062 | if (pcb->in6p_sp == NULL) |
1063 | panic("ipsec6_setspidx_in6pcb: no in6p_sp found.\n" ); |
1064 | if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL) |
1065 | panic("ipsec6_setspidx_in6pcb: no sp_in/out found.\n" ); |
1066 | |
1067 | bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx)); |
1068 | bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx)); |
1069 | |
1070 | spidx = &pcb->in6p_sp->sp_in->spidx; |
1071 | error = ipsec_setspidx(m, spidx, 1, 0); |
1072 | if (error) |
1073 | goto bad; |
1074 | spidx->dir = IPSEC_DIR_INBOUND; |
1075 | |
1076 | spidx = &pcb->in6p_sp->sp_out->spidx; |
1077 | error = ipsec_setspidx(m, spidx, 1, 0); |
1078 | if (error) |
1079 | goto bad; |
1080 | spidx->dir = IPSEC_DIR_OUTBOUND; |
1081 | |
1082 | return 0; |
1083 | |
1084 | bad: |
1085 | bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx)); |
1086 | bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx)); |
1087 | return error; |
1088 | } |
1089 | #endif |
1090 | |
1091 | /* |
1092 | * configure security policy index (src/dst/proto/sport/dport) |
1093 | * by looking at the content of mbuf. |
1094 | * the caller is responsible for error recovery (like clearing up spidx). |
1095 | */ |
1096 | static int |
1097 | ipsec_setspidx(struct mbuf *m, |
1098 | struct secpolicyindex *spidx, |
1099 | int needport, |
1100 | int force_ip_version) |
1101 | { |
1102 | struct ip *ip = NULL; |
1103 | struct ip ipbuf; |
1104 | u_int v; |
1105 | struct mbuf *n; |
1106 | int len; |
1107 | int error; |
1108 | |
1109 | if (m == NULL) |
1110 | panic("ipsec_setspidx: m == 0 passed.\n" ); |
1111 | |
1112 | /* |
1113 | * validate m->m_pkthdr.len. we see incorrect length if we |
1114 | * mistakenly call this function with inconsistent mbuf chain |
1115 | * (like 4.4BSD tcp/udp processing). XXX should we panic here? |
1116 | */ |
1117 | len = 0; |
1118 | for (n = m; n; n = n->m_next) |
1119 | len += n->m_len; |
1120 | if (m->m_pkthdr.len != len) { |
1121 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1122 | printf("ipsec_setspidx: " |
1123 | "total of m_len(%d) != pkthdr.len(%d), " |
1124 | "ignored.\n" , |
1125 | len, m->m_pkthdr.len)); |
1126 | return EINVAL; |
1127 | } |
1128 | |
1129 | if (m->m_pkthdr.len < sizeof(struct ip)) { |
1130 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1131 | printf("ipsec_setspidx: " |
1132 | "pkthdr.len(%d) < sizeof(struct ip), ignored.\n" , |
1133 | m->m_pkthdr.len)); |
1134 | return EINVAL; |
1135 | } |
1136 | |
1137 | if (m->m_len >= sizeof(*ip)) |
1138 | ip = mtod(m, struct ip *); |
1139 | else { |
1140 | m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); |
1141 | ip = &ipbuf; |
1142 | } |
1143 | |
1144 | if (force_ip_version) { |
1145 | v = force_ip_version; |
1146 | } else { |
1147 | #ifdef _IP_VHL |
1148 | v = _IP_VHL_V(ip->ip_vhl); |
1149 | #else |
1150 | v = ip->ip_v; |
1151 | #endif |
1152 | } |
1153 | switch (v) { |
1154 | case 4: |
1155 | error = ipsec4_setspidx_ipaddr(m, spidx); |
1156 | if (error) |
1157 | return error; |
1158 | ipsec4_get_ulp(m, spidx, needport); |
1159 | return 0; |
1160 | #if INET6 |
1161 | case 6: |
1162 | if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { |
1163 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1164 | printf("ipsec_setspidx: " |
1165 | "pkthdr.len(%d) < sizeof(struct ip6_hdr), " |
1166 | "ignored.\n" , m->m_pkthdr.len)); |
1167 | return EINVAL; |
1168 | } |
1169 | error = ipsec6_setspidx_ipaddr(m, spidx); |
1170 | if (error) |
1171 | return error; |
1172 | ipsec6_get_ulp(m, spidx, needport); |
1173 | return 0; |
1174 | #endif |
1175 | default: |
1176 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1177 | printf("ipsec_setspidx: " |
1178 | "unknown IP version %u, ignored.\n" , v)); |
1179 | return EINVAL; |
1180 | } |
1181 | } |
1182 | |
1183 | static void |
1184 | ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport) |
1185 | { |
1186 | struct ip ip; |
1187 | struct ip6_ext ip6e; |
1188 | u_int8_t nxt; |
1189 | int off; |
1190 | struct tcphdr th; |
1191 | struct udphdr uh; |
1192 | |
1193 | /* sanity check */ |
1194 | if (m == NULL) |
1195 | panic("ipsec4_get_ulp: NULL pointer was passed.\n" ); |
1196 | if (m->m_pkthdr.len < sizeof(ip)) |
1197 | panic("ipsec4_get_ulp: too short\n" ); |
1198 | |
1199 | /* set default */ |
1200 | spidx->ul_proto = IPSEC_ULPROTO_ANY; |
1201 | ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY; |
1202 | ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY; |
1203 | |
1204 | m_copydata(m, 0, sizeof(ip), (caddr_t)&ip); |
1205 | /* ip_input() flips it into host endian XXX need more checking */ |
1206 | if (ip.ip_off & (IP_MF | IP_OFFMASK)) |
1207 | return; |
1208 | |
1209 | nxt = ip.ip_p; |
1210 | #ifdef _IP_VHL |
1211 | off = _IP_VHL_HL(ip->ip_vhl) << 2; |
1212 | #else |
1213 | off = ip.ip_hl << 2; |
1214 | #endif |
1215 | while (off < m->m_pkthdr.len) { |
1216 | switch (nxt) { |
1217 | case IPPROTO_TCP: |
1218 | spidx->ul_proto = nxt; |
1219 | if (!needport) |
1220 | return; |
1221 | if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) |
1222 | return; |
1223 | m_copydata(m, off, sizeof(th), (caddr_t)&th); |
1224 | ((struct sockaddr_in *)&spidx->src)->sin_port = |
1225 | th.th_sport; |
1226 | ((struct sockaddr_in *)&spidx->dst)->sin_port = |
1227 | th.th_dport; |
1228 | return; |
1229 | case IPPROTO_UDP: |
1230 | spidx->ul_proto = nxt; |
1231 | if (!needport) |
1232 | return; |
1233 | if (off + sizeof(struct udphdr) > m->m_pkthdr.len) |
1234 | return; |
1235 | m_copydata(m, off, sizeof(uh), (caddr_t)&uh); |
1236 | ((struct sockaddr_in *)&spidx->src)->sin_port = |
1237 | uh.uh_sport; |
1238 | ((struct sockaddr_in *)&spidx->dst)->sin_port = |
1239 | uh.uh_dport; |
1240 | return; |
1241 | case IPPROTO_AH: |
1242 | if (off + sizeof(ip6e) > m->m_pkthdr.len) |
1243 | return; |
1244 | m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); |
1245 | off += (ip6e.ip6e_len + 2) << 2; |
1246 | nxt = ip6e.ip6e_nxt; |
1247 | break; |
1248 | case IPPROTO_ICMP: |
1249 | default: |
1250 | /* XXX intermediate headers??? */ |
1251 | spidx->ul_proto = nxt; |
1252 | return; |
1253 | } |
1254 | } |
1255 | } |
1256 | |
1257 | /* assumes that m is sane */ |
1258 | static int |
1259 | ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx) |
1260 | { |
1261 | struct ip *ip = NULL; |
1262 | struct ip ipbuf; |
1263 | struct sockaddr_in *sin; |
1264 | |
1265 | if (m->m_len >= sizeof(*ip)) |
1266 | ip = mtod(m, struct ip *); |
1267 | else { |
1268 | m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); |
1269 | ip = &ipbuf; |
1270 | } |
1271 | |
1272 | sin = (struct sockaddr_in *)&spidx->src; |
1273 | bzero(sin, sizeof(*sin)); |
1274 | sin->sin_family = AF_INET; |
1275 | sin->sin_len = sizeof(struct sockaddr_in); |
1276 | bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src)); |
1277 | spidx->prefs = sizeof(struct in_addr) << 3; |
1278 | |
1279 | sin = (struct sockaddr_in *)&spidx->dst; |
1280 | bzero(sin, sizeof(*sin)); |
1281 | sin->sin_family = AF_INET; |
1282 | sin->sin_len = sizeof(struct sockaddr_in); |
1283 | bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)); |
1284 | spidx->prefd = sizeof(struct in_addr) << 3; |
1285 | |
1286 | return 0; |
1287 | } |
1288 | |
1289 | #if INET6 |
1290 | static void |
1291 | ipsec6_get_ulp(struct mbuf *m, |
1292 | struct secpolicyindex *spidx, |
1293 | int needport) |
1294 | { |
1295 | int off, nxt; |
1296 | struct tcphdr th; |
1297 | struct udphdr uh; |
1298 | |
1299 | /* sanity check */ |
1300 | if (m == NULL) |
1301 | panic("ipsec6_get_ulp: NULL pointer was passed.\n" ); |
1302 | |
1303 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1304 | printf("ipsec6_get_ulp:\n" ); kdebug_mbuf(m)); |
1305 | |
1306 | /* set default */ |
1307 | spidx->ul_proto = IPSEC_ULPROTO_ANY; |
1308 | ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; |
1309 | ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; |
1310 | |
1311 | nxt = -1; |
1312 | off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); |
1313 | if (off < 0 || m->m_pkthdr.len < off) |
1314 | return; |
1315 | |
1316 | switch (nxt) { |
1317 | case IPPROTO_TCP: |
1318 | spidx->ul_proto = nxt; |
1319 | if (!needport) |
1320 | break; |
1321 | if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) |
1322 | break; |
1323 | m_copydata(m, off, sizeof(th), (caddr_t)&th); |
1324 | ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; |
1325 | ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; |
1326 | break; |
1327 | case IPPROTO_UDP: |
1328 | spidx->ul_proto = nxt; |
1329 | if (!needport) |
1330 | break; |
1331 | if (off + sizeof(struct udphdr) > m->m_pkthdr.len) |
1332 | break; |
1333 | m_copydata(m, off, sizeof(uh), (caddr_t)&uh); |
1334 | ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; |
1335 | ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; |
1336 | break; |
1337 | case IPPROTO_ICMPV6: |
1338 | default: |
1339 | /* XXX intermediate headers??? */ |
1340 | spidx->ul_proto = nxt; |
1341 | break; |
1342 | } |
1343 | } |
1344 | |
1345 | /* assumes that m is sane */ |
1346 | static int |
1347 | ipsec6_setspidx_ipaddr(struct mbuf *m, |
1348 | struct secpolicyindex *spidx) |
1349 | { |
1350 | struct ip6_hdr *ip6 = NULL; |
1351 | struct ip6_hdr ip6buf; |
1352 | struct sockaddr_in6 *sin6; |
1353 | |
1354 | if (m->m_len >= sizeof(*ip6)) |
1355 | ip6 = mtod(m, struct ip6_hdr *); |
1356 | else { |
1357 | m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); |
1358 | ip6 = &ip6buf; |
1359 | } |
1360 | |
1361 | sin6 = (struct sockaddr_in6 *)&spidx->src; |
1362 | bzero(sin6, sizeof(*sin6)); |
1363 | sin6->sin6_family = AF_INET6; |
1364 | sin6->sin6_len = sizeof(struct sockaddr_in6); |
1365 | bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src)); |
1366 | if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { |
1367 | sin6->sin6_addr.s6_addr16[1] = 0; |
1368 | sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); |
1369 | } |
1370 | spidx->prefs = sizeof(struct in6_addr) << 3; |
1371 | |
1372 | sin6 = (struct sockaddr_in6 *)&spidx->dst; |
1373 | bzero(sin6, sizeof(*sin6)); |
1374 | sin6->sin6_family = AF_INET6; |
1375 | sin6->sin6_len = sizeof(struct sockaddr_in6); |
1376 | bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst)); |
1377 | if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { |
1378 | sin6->sin6_addr.s6_addr16[1] = 0; |
1379 | sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); |
1380 | } |
1381 | spidx->prefd = sizeof(struct in6_addr) << 3; |
1382 | |
1383 | return 0; |
1384 | } |
1385 | #endif |
1386 | |
1387 | static struct inpcbpolicy * |
1388 | ipsec_newpcbpolicy(void) |
1389 | { |
1390 | struct inpcbpolicy *p; |
1391 | |
1392 | p = (struct inpcbpolicy *)_MALLOC(sizeof(*p), M_SECA, M_WAITOK); |
1393 | return p; |
1394 | } |
1395 | |
1396 | static void |
1397 | ipsec_delpcbpolicy(struct inpcbpolicy *p) |
1398 | { |
1399 | FREE(p, M_SECA); |
1400 | } |
1401 | |
1402 | /* initialize policy in PCB */ |
1403 | int |
1404 | ipsec_init_policy(struct socket *so, |
1405 | struct inpcbpolicy **pcb_sp) |
1406 | { |
1407 | struct inpcbpolicy *new; |
1408 | |
1409 | /* sanity check. */ |
1410 | if (so == NULL || pcb_sp == NULL) |
1411 | panic("ipsec_init_policy: NULL pointer was passed.\n" ); |
1412 | |
1413 | new = ipsec_newpcbpolicy(); |
1414 | if (new == NULL) { |
1415 | ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n" )); |
1416 | return ENOBUFS; |
1417 | } |
1418 | bzero(new, sizeof(*new)); |
1419 | |
1420 | #ifdef __APPLE__ |
1421 | if (kauth_cred_issuser(so->so_cred)) |
1422 | #else |
1423 | if (so->so_cred != 0 && !suser(so->so_cred->pc_ucred, NULL)) |
1424 | #endif |
1425 | new->priv = 1; |
1426 | else |
1427 | new->priv = 0; |
1428 | |
1429 | if ((new->sp_in = key_newsp()) == NULL) { |
1430 | ipsec_delpcbpolicy(new); |
1431 | return ENOBUFS; |
1432 | } |
1433 | new->sp_in->state = IPSEC_SPSTATE_ALIVE; |
1434 | new->sp_in->policy = IPSEC_POLICY_ENTRUST; |
1435 | |
1436 | if ((new->sp_out = key_newsp()) == NULL) { |
1437 | key_freesp(new->sp_in, KEY_SADB_UNLOCKED); |
1438 | ipsec_delpcbpolicy(new); |
1439 | return ENOBUFS; |
1440 | } |
1441 | new->sp_out->state = IPSEC_SPSTATE_ALIVE; |
1442 | new->sp_out->policy = IPSEC_POLICY_ENTRUST; |
1443 | |
1444 | *pcb_sp = new; |
1445 | |
1446 | return 0; |
1447 | } |
1448 | |
1449 | /* copy old ipsec policy into new */ |
1450 | int |
1451 | ipsec_copy_policy(struct inpcbpolicy *old, |
1452 | struct inpcbpolicy *new) |
1453 | { |
1454 | struct secpolicy *sp; |
1455 | |
1456 | if (ipsec_bypass != 0) |
1457 | return 0; |
1458 | |
1459 | sp = ipsec_deepcopy_policy(old->sp_in); |
1460 | if (sp) { |
1461 | key_freesp(new->sp_in, KEY_SADB_UNLOCKED); |
1462 | new->sp_in = sp; |
1463 | } else |
1464 | return ENOBUFS; |
1465 | |
1466 | sp = ipsec_deepcopy_policy(old->sp_out); |
1467 | if (sp) { |
1468 | key_freesp(new->sp_out, KEY_SADB_UNLOCKED); |
1469 | new->sp_out = sp; |
1470 | } else |
1471 | return ENOBUFS; |
1472 | |
1473 | new->priv = old->priv; |
1474 | |
1475 | return 0; |
1476 | } |
1477 | |
1478 | /* deep-copy a policy in PCB */ |
1479 | static struct secpolicy * |
1480 | ipsec_deepcopy_policy(struct secpolicy *src) |
1481 | { |
1482 | struct ipsecrequest *newchain = NULL; |
1483 | struct ipsecrequest *p; |
1484 | struct ipsecrequest **q; |
1485 | struct ipsecrequest *r; |
1486 | struct secpolicy *dst; |
1487 | |
1488 | if (src == NULL) |
1489 | return NULL; |
1490 | dst = key_newsp(); |
1491 | if (dst == NULL) |
1492 | return NULL; |
1493 | |
1494 | /* |
1495 | * deep-copy IPsec request chain. This is required since struct |
1496 | * ipsecrequest is not reference counted. |
1497 | */ |
1498 | q = &newchain; |
1499 | for (p = src->req; p; p = p->next) { |
1500 | *q = (struct ipsecrequest *)_MALLOC(sizeof(struct ipsecrequest), |
1501 | M_SECA, M_WAITOK | M_ZERO); |
1502 | if (*q == NULL) |
1503 | goto fail; |
1504 | (*q)->next = NULL; |
1505 | |
1506 | (*q)->saidx.proto = p->saidx.proto; |
1507 | (*q)->saidx.mode = p->saidx.mode; |
1508 | (*q)->level = p->level; |
1509 | (*q)->saidx.reqid = p->saidx.reqid; |
1510 | |
1511 | bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src)); |
1512 | bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst)); |
1513 | |
1514 | (*q)->sp = dst; |
1515 | |
1516 | q = &((*q)->next); |
1517 | } |
1518 | |
1519 | dst->req = newchain; |
1520 | dst->state = src->state; |
1521 | dst->policy = src->policy; |
1522 | /* do not touch the refcnt fields */ |
1523 | |
1524 | return dst; |
1525 | |
1526 | fail: |
1527 | for (p = newchain; p; p = r) { |
1528 | r = p->next; |
1529 | FREE(p, M_SECA); |
1530 | p = NULL; |
1531 | } |
1532 | key_freesp(dst, KEY_SADB_UNLOCKED); |
1533 | return NULL; |
1534 | } |
1535 | |
1536 | /* set policy and ipsec request if present. */ |
1537 | static int |
1538 | ipsec_set_policy(struct secpolicy **pcb_sp, |
1539 | __unused int optname, |
1540 | caddr_t request, |
1541 | size_t len, |
1542 | int priv) |
1543 | { |
1544 | struct sadb_x_policy *xpl; |
1545 | struct secpolicy *newsp = NULL; |
1546 | int error; |
1547 | |
1548 | /* sanity check. */ |
1549 | if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL) |
1550 | return EINVAL; |
1551 | if (len < sizeof(*xpl)) |
1552 | return EINVAL; |
1553 | xpl = (struct sadb_x_policy *)(void *)request; |
1554 | |
1555 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1556 | printf("ipsec_set_policy: passed policy\n" ); |
1557 | kdebug_sadb_x_policy((struct sadb_ext *)xpl)); |
1558 | |
1559 | /* check policy type */ |
1560 | /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ |
1561 | if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD |
1562 | || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) |
1563 | return EINVAL; |
1564 | |
1565 | /* check privileged socket */ |
1566 | if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) |
1567 | return EACCES; |
1568 | |
1569 | /* allocation new SP entry */ |
1570 | if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) |
1571 | return error; |
1572 | |
1573 | newsp->state = IPSEC_SPSTATE_ALIVE; |
1574 | |
1575 | /* clear old SP and set new SP */ |
1576 | key_freesp(*pcb_sp, KEY_SADB_UNLOCKED); |
1577 | *pcb_sp = newsp; |
1578 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1579 | printf("ipsec_set_policy: new policy\n" ); |
1580 | kdebug_secpolicy(newsp)); |
1581 | |
1582 | return 0; |
1583 | } |
1584 | |
1585 | int |
1586 | ipsec4_set_policy(struct inpcb *inp, |
1587 | int optname, |
1588 | caddr_t request, |
1589 | size_t len, |
1590 | int priv) |
1591 | { |
1592 | struct sadb_x_policy *xpl; |
1593 | struct secpolicy **pcb_sp; |
1594 | int error = 0; |
1595 | struct sadb_x_policy xpl_aligned_buf; |
1596 | u_int8_t *xpl_unaligned; |
1597 | |
1598 | /* sanity check. */ |
1599 | if (inp == NULL || request == NULL) |
1600 | return EINVAL; |
1601 | if (len < sizeof(*xpl)) |
1602 | return EINVAL; |
1603 | xpl = (struct sadb_x_policy *)(void *)request; |
1604 | |
1605 | /* This is a new mbuf allocated by soopt_getm() */ |
1606 | if (IPSEC_IS_P2ALIGNED(xpl)) { |
1607 | xpl_unaligned = NULL; |
1608 | } else { |
1609 | xpl_unaligned = (__typeof__(xpl_unaligned))xpl; |
1610 | memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf)); |
1611 | xpl = (__typeof__(xpl))&xpl_aligned_buf; |
1612 | } |
1613 | |
1614 | if (inp->inp_sp == NULL) { |
1615 | error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp); |
1616 | if (error) |
1617 | return error; |
1618 | } |
1619 | |
1620 | /* select direction */ |
1621 | switch (xpl->sadb_x_policy_dir) { |
1622 | case IPSEC_DIR_INBOUND: |
1623 | pcb_sp = &inp->inp_sp->sp_in; |
1624 | break; |
1625 | case IPSEC_DIR_OUTBOUND: |
1626 | pcb_sp = &inp->inp_sp->sp_out; |
1627 | break; |
1628 | default: |
1629 | ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n" , |
1630 | xpl->sadb_x_policy_dir)); |
1631 | return EINVAL; |
1632 | } |
1633 | |
1634 | /* turn bypass off */ |
1635 | if (ipsec_bypass != 0) |
1636 | ipsec_bypass = 0; |
1637 | |
1638 | return ipsec_set_policy(pcb_sp, optname, request, len, priv); |
1639 | } |
1640 | |
1641 | /* delete policy in PCB */ |
1642 | int |
1643 | ipsec4_delete_pcbpolicy(struct inpcb *inp) |
1644 | { |
1645 | |
1646 | /* sanity check. */ |
1647 | if (inp == NULL) |
1648 | panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n" ); |
1649 | |
1650 | if (inp->inp_sp == NULL) |
1651 | return 0; |
1652 | |
1653 | if (inp->inp_sp->sp_in != NULL) { |
1654 | key_freesp(inp->inp_sp->sp_in, KEY_SADB_UNLOCKED); |
1655 | inp->inp_sp->sp_in = NULL; |
1656 | } |
1657 | |
1658 | if (inp->inp_sp->sp_out != NULL) { |
1659 | key_freesp(inp->inp_sp->sp_out, KEY_SADB_UNLOCKED); |
1660 | inp->inp_sp->sp_out = NULL; |
1661 | } |
1662 | |
1663 | ipsec_delpcbpolicy(inp->inp_sp); |
1664 | inp->inp_sp = NULL; |
1665 | |
1666 | return 0; |
1667 | } |
1668 | |
1669 | #if INET6 |
1670 | int |
1671 | ipsec6_set_policy(struct in6pcb *in6p, |
1672 | int optname, |
1673 | caddr_t request, |
1674 | size_t len, |
1675 | int priv) |
1676 | { |
1677 | struct sadb_x_policy *xpl; |
1678 | struct secpolicy **pcb_sp; |
1679 | int error = 0; |
1680 | struct sadb_x_policy xpl_aligned_buf; |
1681 | u_int8_t *xpl_unaligned; |
1682 | |
1683 | /* sanity check. */ |
1684 | if (in6p == NULL || request == NULL) |
1685 | return EINVAL; |
1686 | if (len < sizeof(*xpl)) |
1687 | return EINVAL; |
1688 | xpl = (struct sadb_x_policy *)(void *)request; |
1689 | |
1690 | /* This is a new mbuf allocated by soopt_getm() */ |
1691 | if (IPSEC_IS_P2ALIGNED(xpl)) { |
1692 | xpl_unaligned = NULL; |
1693 | } else { |
1694 | xpl_unaligned = (__typeof__(xpl_unaligned))xpl; |
1695 | memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf)); |
1696 | xpl = (__typeof__(xpl))&xpl_aligned_buf; |
1697 | } |
1698 | |
1699 | if (in6p->in6p_sp == NULL) { |
1700 | error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp); |
1701 | if (error) |
1702 | return error; |
1703 | } |
1704 | |
1705 | /* select direction */ |
1706 | switch (xpl->sadb_x_policy_dir) { |
1707 | case IPSEC_DIR_INBOUND: |
1708 | pcb_sp = &in6p->in6p_sp->sp_in; |
1709 | break; |
1710 | case IPSEC_DIR_OUTBOUND: |
1711 | pcb_sp = &in6p->in6p_sp->sp_out; |
1712 | break; |
1713 | default: |
1714 | ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n" , |
1715 | xpl->sadb_x_policy_dir)); |
1716 | return EINVAL; |
1717 | } |
1718 | |
1719 | return ipsec_set_policy(pcb_sp, optname, request, len, priv); |
1720 | } |
1721 | |
1722 | int |
1723 | ipsec6_delete_pcbpolicy(struct in6pcb *in6p) |
1724 | { |
1725 | |
1726 | /* sanity check. */ |
1727 | if (in6p == NULL) |
1728 | panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n" ); |
1729 | |
1730 | if (in6p->in6p_sp == NULL) |
1731 | return 0; |
1732 | |
1733 | if (in6p->in6p_sp->sp_in != NULL) { |
1734 | key_freesp(in6p->in6p_sp->sp_in, KEY_SADB_UNLOCKED); |
1735 | in6p->in6p_sp->sp_in = NULL; |
1736 | } |
1737 | |
1738 | if (in6p->in6p_sp->sp_out != NULL) { |
1739 | key_freesp(in6p->in6p_sp->sp_out, KEY_SADB_UNLOCKED); |
1740 | in6p->in6p_sp->sp_out = NULL; |
1741 | } |
1742 | |
1743 | ipsec_delpcbpolicy(in6p->in6p_sp); |
1744 | in6p->in6p_sp = NULL; |
1745 | |
1746 | return 0; |
1747 | } |
1748 | #endif |
1749 | |
1750 | /* |
1751 | * return current level. |
1752 | * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. |
1753 | */ |
1754 | u_int |
1755 | ipsec_get_reqlevel(struct ipsecrequest *isr) |
1756 | { |
1757 | u_int level = 0; |
1758 | u_int esp_trans_deflev = 0, esp_net_deflev = 0, ah_trans_deflev = 0, ah_net_deflev = 0; |
1759 | |
1760 | /* sanity check */ |
1761 | if (isr == NULL || isr->sp == NULL) |
1762 | panic("ipsec_get_reqlevel: NULL pointer is passed.\n" ); |
1763 | if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family |
1764 | != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family) |
1765 | panic("ipsec_get_reqlevel: family mismatched.\n" ); |
1766 | |
1767 | /* XXX note that we have ipseclog() expanded here - code sync issue */ |
1768 | #define IPSEC_CHECK_DEFAULT(lev) \ |
1769 | (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \ |
1770 | && (lev) != IPSEC_LEVEL_UNIQUE) \ |
1771 | ? (ipsec_debug \ |
1772 | ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\ |
1773 | (lev), IPSEC_LEVEL_REQUIRE) \ |
1774 | : (void)0), \ |
1775 | (lev) = IPSEC_LEVEL_REQUIRE, \ |
1776 | (lev) \ |
1777 | : (lev)) |
1778 | |
1779 | /* set default level */ |
1780 | switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) { |
1781 | #if INET |
1782 | case AF_INET: |
1783 | esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev); |
1784 | esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev); |
1785 | ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev); |
1786 | ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev); |
1787 | break; |
1788 | #endif |
1789 | #if INET6 |
1790 | case AF_INET6: |
1791 | esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev); |
1792 | esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev); |
1793 | ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev); |
1794 | ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev); |
1795 | break; |
1796 | #endif /* INET6 */ |
1797 | default: |
1798 | panic("key_get_reqlevel: Unknown family. %d\n" , |
1799 | ((struct sockaddr *)&isr->sp->spidx.src)->sa_family); |
1800 | } |
1801 | |
1802 | #undef IPSEC_CHECK_DEFAULT |
1803 | |
1804 | /* set level */ |
1805 | switch (isr->level) { |
1806 | case IPSEC_LEVEL_DEFAULT: |
1807 | switch (isr->saidx.proto) { |
1808 | case IPPROTO_ESP: |
1809 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL) |
1810 | level = esp_net_deflev; |
1811 | else |
1812 | level = esp_trans_deflev; |
1813 | break; |
1814 | case IPPROTO_AH: |
1815 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL) |
1816 | level = ah_net_deflev; |
1817 | else |
1818 | level = ah_trans_deflev; |
1819 | break; |
1820 | case IPPROTO_IPCOMP: |
1821 | /* |
1822 | * we don't really care, as IPcomp document says that |
1823 | * we shouldn't compress small packets |
1824 | */ |
1825 | level = IPSEC_LEVEL_USE; |
1826 | break; |
1827 | default: |
1828 | panic("ipsec_get_reqlevel: " |
1829 | "Illegal protocol defined %u\n" , |
1830 | isr->saidx.proto); |
1831 | } |
1832 | break; |
1833 | |
1834 | case IPSEC_LEVEL_USE: |
1835 | case IPSEC_LEVEL_REQUIRE: |
1836 | level = isr->level; |
1837 | break; |
1838 | case IPSEC_LEVEL_UNIQUE: |
1839 | level = IPSEC_LEVEL_REQUIRE; |
1840 | break; |
1841 | |
1842 | default: |
1843 | panic("ipsec_get_reqlevel: Illegal IPsec level %u\n" , |
1844 | isr->level); |
1845 | } |
1846 | |
1847 | return level; |
1848 | } |
1849 | |
1850 | /* |
1851 | * Check AH/ESP integrity. |
1852 | * OUT: |
1853 | * 0: valid |
1854 | * 1: invalid |
1855 | */ |
1856 | static int |
1857 | ipsec_in_reject(struct secpolicy *sp, struct mbuf *m) |
1858 | { |
1859 | struct ipsecrequest *isr; |
1860 | u_int level; |
1861 | int need_auth, need_conf, need_icv; |
1862 | |
1863 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
1864 | printf("ipsec_in_reject: using SP\n" ); |
1865 | kdebug_secpolicy(sp)); |
1866 | |
1867 | /* check policy */ |
1868 | switch (sp->policy) { |
1869 | case IPSEC_POLICY_DISCARD: |
1870 | case IPSEC_POLICY_GENERATE: |
1871 | return 1; |
1872 | case IPSEC_POLICY_BYPASS: |
1873 | case IPSEC_POLICY_NONE: |
1874 | return 0; |
1875 | |
1876 | case IPSEC_POLICY_IPSEC: |
1877 | break; |
1878 | |
1879 | case IPSEC_POLICY_ENTRUST: |
1880 | default: |
1881 | panic("ipsec_hdrsiz: Invalid policy found. %d\n" , sp->policy); |
1882 | } |
1883 | |
1884 | need_auth = 0; |
1885 | need_conf = 0; |
1886 | need_icv = 0; |
1887 | |
1888 | /* XXX should compare policy against ipsec header history */ |
1889 | |
1890 | for (isr = sp->req; isr != NULL; isr = isr->next) { |
1891 | |
1892 | /* get current level */ |
1893 | level = ipsec_get_reqlevel(isr); |
1894 | |
1895 | switch (isr->saidx.proto) { |
1896 | case IPPROTO_ESP: |
1897 | if (level == IPSEC_LEVEL_REQUIRE) { |
1898 | need_conf++; |
1899 | |
1900 | #if 0 |
1901 | /* this won't work with multiple input threads - isr->sav would change |
1902 | * with every packet and is not necessarily related to the current packet |
1903 | * being processed. If ESP processing is required - the esp code should |
1904 | * make sure that the integrity check is present and correct. I don't see |
1905 | * why it would be necessary to check for the presence of the integrity |
1906 | * check value here. I think this is just wrong. |
1907 | * isr->sav has been removed. |
1908 | * %%%%%% this needs to be re-worked at some point but I think the code below can |
1909 | * be ignored for now. |
1910 | */ |
1911 | if (isr->sav != NULL |
1912 | && isr->sav->flags == SADB_X_EXT_NONE |
1913 | && isr->sav->alg_auth != SADB_AALG_NONE) |
1914 | need_icv++; |
1915 | #endif |
1916 | } |
1917 | break; |
1918 | case IPPROTO_AH: |
1919 | if (level == IPSEC_LEVEL_REQUIRE) { |
1920 | need_auth++; |
1921 | need_icv++; |
1922 | } |
1923 | break; |
1924 | case IPPROTO_IPCOMP: |
1925 | /* |
1926 | * we don't really care, as IPcomp document says that |
1927 | * we shouldn't compress small packets, IPComp policy |
1928 | * should always be treated as being in "use" level. |
1929 | */ |
1930 | break; |
1931 | } |
1932 | } |
1933 | |
1934 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1935 | printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n" , |
1936 | need_auth, need_conf, need_icv, m->m_flags)); |
1937 | |
1938 | if ((need_conf && !(m->m_flags & M_DECRYPTED)) |
1939 | || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM)) |
1940 | || (need_auth && !(m->m_flags & M_AUTHIPHDR))) |
1941 | return 1; |
1942 | |
1943 | return 0; |
1944 | } |
1945 | |
1946 | /* |
1947 | * Check AH/ESP integrity. |
1948 | * This function is called from tcp_input(), udp_input(), |
1949 | * and {ah,esp}4_input for tunnel mode |
1950 | */ |
1951 | int |
1952 | ipsec4_in_reject_so(struct mbuf *m, struct socket *so) |
1953 | { |
1954 | struct secpolicy *sp = NULL; |
1955 | int error; |
1956 | int result; |
1957 | |
1958 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
1959 | /* sanity check */ |
1960 | if (m == NULL) |
1961 | return 0; /* XXX should be panic ? */ |
1962 | |
1963 | /* get SP for this packet. |
1964 | * When we are called from ip_forward(), we call |
1965 | * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. |
1966 | */ |
1967 | if (so == NULL) |
1968 | sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); |
1969 | else |
1970 | sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 0, &error); |
1971 | |
1972 | if (sp == NULL) |
1973 | return 0; /* XXX should be panic ? |
1974 | * -> No, there may be error. */ |
1975 | |
1976 | result = ipsec_in_reject(sp, m); |
1977 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
1978 | printf("DP ipsec4_in_reject_so call free SP:0x%llx\n" , |
1979 | (uint64_t)VM_KERNEL_ADDRPERM(sp))); |
1980 | key_freesp(sp, KEY_SADB_UNLOCKED); |
1981 | |
1982 | return result; |
1983 | } |
1984 | |
1985 | int |
1986 | ipsec4_in_reject(struct mbuf *m, struct inpcb *inp) |
1987 | { |
1988 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
1989 | if (inp == NULL) |
1990 | return ipsec4_in_reject_so(m, NULL); |
1991 | if (inp->inp_socket) |
1992 | return ipsec4_in_reject_so(m, inp->inp_socket); |
1993 | else |
1994 | panic("ipsec4_in_reject: invalid inpcb/socket" ); |
1995 | |
1996 | /* NOTREACHED */ |
1997 | return 0; |
1998 | } |
1999 | |
2000 | #if INET6 |
2001 | /* |
2002 | * Check AH/ESP integrity. |
2003 | * This function is called from tcp6_input(), udp6_input(), |
2004 | * and {ah,esp}6_input for tunnel mode |
2005 | */ |
2006 | int |
2007 | ipsec6_in_reject_so(struct mbuf *m, struct socket *so) |
2008 | { |
2009 | struct secpolicy *sp = NULL; |
2010 | int error; |
2011 | int result; |
2012 | |
2013 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
2014 | /* sanity check */ |
2015 | if (m == NULL) |
2016 | return 0; /* XXX should be panic ? */ |
2017 | |
2018 | /* get SP for this packet. |
2019 | * When we are called from ip_forward(), we call |
2020 | * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. |
2021 | */ |
2022 | if (so == NULL) |
2023 | sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); |
2024 | else |
2025 | sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, 0, &error); |
2026 | |
2027 | if (sp == NULL) |
2028 | return 0; /* XXX should be panic ? */ |
2029 | |
2030 | result = ipsec_in_reject(sp, m); |
2031 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
2032 | printf("DP ipsec6_in_reject_so call free SP:0x%llx\n" , |
2033 | (uint64_t)VM_KERNEL_ADDRPERM(sp))); |
2034 | key_freesp(sp, KEY_SADB_UNLOCKED); |
2035 | |
2036 | return result; |
2037 | } |
2038 | |
2039 | int |
2040 | ipsec6_in_reject(struct mbuf *m, struct in6pcb *in6p) |
2041 | { |
2042 | |
2043 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
2044 | if (in6p == NULL) |
2045 | return ipsec6_in_reject_so(m, NULL); |
2046 | if (in6p->in6p_socket) |
2047 | return ipsec6_in_reject_so(m, in6p->in6p_socket); |
2048 | else |
2049 | panic("ipsec6_in_reject: invalid in6p/socket" ); |
2050 | |
2051 | /* NOTREACHED */ |
2052 | return 0; |
2053 | } |
2054 | #endif |
2055 | |
2056 | /* |
2057 | * compute the byte size to be occupied by IPsec header. |
2058 | * in case it is tunneled, it includes the size of outer IP header. |
2059 | * NOTE: SP passed is free in this function. |
2060 | */ |
2061 | size_t |
2062 | ipsec_hdrsiz(struct secpolicy *sp) |
2063 | { |
2064 | struct ipsecrequest *isr; |
2065 | size_t siz, clen; |
2066 | |
2067 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
2068 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
2069 | printf("ipsec_hdrsiz: using SP\n" ); |
2070 | kdebug_secpolicy(sp)); |
2071 | |
2072 | /* check policy */ |
2073 | switch (sp->policy) { |
2074 | case IPSEC_POLICY_DISCARD: |
2075 | case IPSEC_POLICY_GENERATE: |
2076 | case IPSEC_POLICY_BYPASS: |
2077 | case IPSEC_POLICY_NONE: |
2078 | return 0; |
2079 | |
2080 | case IPSEC_POLICY_IPSEC: |
2081 | break; |
2082 | |
2083 | case IPSEC_POLICY_ENTRUST: |
2084 | default: |
2085 | panic("ipsec_hdrsiz: Invalid policy found. %d\n" , sp->policy); |
2086 | } |
2087 | |
2088 | siz = 0; |
2089 | |
2090 | for (isr = sp->req; isr != NULL; isr = isr->next) { |
2091 | |
2092 | clen = 0; |
2093 | |
2094 | switch (isr->saidx.proto) { |
2095 | case IPPROTO_ESP: |
2096 | #if IPSEC_ESP |
2097 | clen = esp_hdrsiz(isr); |
2098 | #else |
2099 | clen = 0; /*XXX*/ |
2100 | #endif |
2101 | break; |
2102 | case IPPROTO_AH: |
2103 | clen = ah_hdrsiz(isr); |
2104 | break; |
2105 | case IPPROTO_IPCOMP: |
2106 | clen = sizeof(struct ipcomp); |
2107 | break; |
2108 | } |
2109 | |
2110 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { |
2111 | switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) { |
2112 | case AF_INET: |
2113 | clen += sizeof(struct ip); |
2114 | break; |
2115 | #if INET6 |
2116 | case AF_INET6: |
2117 | clen += sizeof(struct ip6_hdr); |
2118 | break; |
2119 | #endif |
2120 | default: |
2121 | ipseclog((LOG_ERR, "ipsec_hdrsiz: " |
2122 | "unknown AF %d in IPsec tunnel SA\n" , |
2123 | ((struct sockaddr *)&isr->saidx.dst)->sa_family)); |
2124 | break; |
2125 | } |
2126 | } |
2127 | siz += clen; |
2128 | } |
2129 | |
2130 | return siz; |
2131 | } |
2132 | |
2133 | /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ |
2134 | size_t |
2135 | ipsec4_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp) |
2136 | { |
2137 | struct secpolicy *sp = NULL; |
2138 | int error; |
2139 | size_t size; |
2140 | |
2141 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
2142 | /* sanity check */ |
2143 | if (m == NULL) |
2144 | return 0; /* XXX should be panic ? */ |
2145 | if (inp != NULL && inp->inp_socket == NULL) |
2146 | panic("ipsec4_hdrsize: why is socket NULL but there is PCB." ); |
2147 | |
2148 | /* get SP for this packet. |
2149 | * When we are called from ip_forward(), we call |
2150 | * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. |
2151 | */ |
2152 | if (inp == NULL) |
2153 | sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error); |
2154 | else |
2155 | sp = ipsec4_getpolicybyaddr(m, dir, 0, &error); |
2156 | |
2157 | if (sp == NULL) |
2158 | return 0; /* XXX should be panic ? */ |
2159 | |
2160 | size = ipsec_hdrsiz(sp); |
2161 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
2162 | printf("DP ipsec4_hdrsiz call free SP:0x%llx\n" , |
2163 | (uint64_t)VM_KERNEL_ADDRPERM(sp))); |
2164 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
2165 | printf("ipsec4_hdrsiz: size:%lu.\n" , (u_int32_t)size)); |
2166 | key_freesp(sp, KEY_SADB_UNLOCKED); |
2167 | |
2168 | return size; |
2169 | } |
2170 | |
2171 | #if INET6 |
2172 | /* This function is called from ipsec6_hdrsize_tcp(), |
2173 | * and maybe from ip6_forward.() |
2174 | */ |
2175 | size_t |
2176 | ipsec6_hdrsiz(struct mbuf *m, u_int dir, struct in6pcb *in6p) |
2177 | { |
2178 | struct secpolicy *sp = NULL; |
2179 | int error; |
2180 | size_t size; |
2181 | |
2182 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
2183 | /* sanity check */ |
2184 | if (m == NULL) |
2185 | return 0; /* XXX shoud be panic ? */ |
2186 | if (in6p != NULL && in6p->in6p_socket == NULL) |
2187 | panic("ipsec6_hdrsize: why is socket NULL but there is PCB." ); |
2188 | |
2189 | /* get SP for this packet */ |
2190 | /* XXX Is it right to call with IP_FORWARDING. */ |
2191 | if (in6p == NULL) |
2192 | sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error); |
2193 | else |
2194 | sp = ipsec6_getpolicybyaddr(m, dir, 0, &error); |
2195 | |
2196 | if (sp == NULL) |
2197 | return 0; |
2198 | size = ipsec_hdrsiz(sp); |
2199 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
2200 | printf("DP ipsec6_hdrsiz call free SP:0x%llx\n" , |
2201 | (uint64_t)VM_KERNEL_ADDRPERM(sp))); |
2202 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
2203 | printf("ipsec6_hdrsiz: size:%lu.\n" , (u_int32_t)size)); |
2204 | key_freesp(sp, KEY_SADB_UNLOCKED); |
2205 | |
2206 | return size; |
2207 | } |
2208 | #endif /*INET6*/ |
2209 | |
2210 | #if INET |
2211 | /* |
2212 | * encapsulate for ipsec tunnel. |
2213 | * ip->ip_src must be fixed later on. |
2214 | */ |
2215 | int |
2216 | ipsec4_encapsulate(struct mbuf *m, struct secasvar *sav) |
2217 | { |
2218 | struct ip *oip; |
2219 | struct ip *ip; |
2220 | size_t hlen; |
2221 | size_t plen; |
2222 | |
2223 | /* can't tunnel between different AFs */ |
2224 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family |
2225 | != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family |
2226 | || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { |
2227 | m_freem(m); |
2228 | return EINVAL; |
2229 | } |
2230 | #if 0 |
2231 | /* XXX if the dst is myself, perform nothing. */ |
2232 | if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { |
2233 | m_freem(m); |
2234 | return EINVAL; |
2235 | } |
2236 | #endif |
2237 | |
2238 | if (m->m_len < sizeof(*ip)) |
2239 | panic("ipsec4_encapsulate: assumption failed (first mbuf length)" ); |
2240 | |
2241 | ip = mtod(m, struct ip *); |
2242 | #ifdef _IP_VHL |
2243 | hlen = _IP_VHL_HL(ip->ip_vhl) << 2; |
2244 | #else |
2245 | hlen = ip->ip_hl << 2; |
2246 | #endif |
2247 | |
2248 | if (m->m_len != hlen) |
2249 | panic("ipsec4_encapsulate: assumption failed (first mbuf length)" ); |
2250 | |
2251 | /* generate header checksum */ |
2252 | ip->ip_sum = 0; |
2253 | #ifdef _IP_VHL |
2254 | ip->ip_sum = in_cksum(m, hlen); |
2255 | #else |
2256 | ip->ip_sum = in_cksum(m, hlen); |
2257 | #endif |
2258 | |
2259 | plen = m->m_pkthdr.len; |
2260 | |
2261 | /* |
2262 | * grow the mbuf to accomodate the new IPv4 header. |
2263 | * NOTE: IPv4 options will never be copied. |
2264 | */ |
2265 | if (M_LEADINGSPACE(m->m_next) < hlen) { |
2266 | struct mbuf *n; |
2267 | MGET(n, M_DONTWAIT, MT_DATA); |
2268 | if (!n) { |
2269 | m_freem(m); |
2270 | return ENOBUFS; |
2271 | } |
2272 | n->m_len = hlen; |
2273 | n->m_next = m->m_next; |
2274 | m->m_next = n; |
2275 | m->m_pkthdr.len += hlen; |
2276 | oip = mtod(n, struct ip *); |
2277 | } else { |
2278 | m->m_next->m_len += hlen; |
2279 | m->m_next->m_data -= hlen; |
2280 | m->m_pkthdr.len += hlen; |
2281 | oip = mtod(m->m_next, struct ip *); |
2282 | } |
2283 | ip = mtod(m, struct ip *); |
2284 | ovbcopy((caddr_t)ip, (caddr_t)oip, hlen); |
2285 | m->m_len = sizeof(struct ip); |
2286 | m->m_pkthdr.len -= (hlen - sizeof(struct ip)); |
2287 | |
2288 | /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ |
2289 | /* ECN consideration. */ |
2290 | ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); |
2291 | #ifdef _IP_VHL |
2292 | ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2); |
2293 | #else |
2294 | ip->ip_hl = sizeof(struct ip) >> 2; |
2295 | #endif |
2296 | ip->ip_off &= htons(~IP_OFFMASK); |
2297 | ip->ip_off &= htons(~IP_MF); |
2298 | switch (ip4_ipsec_dfbit) { |
2299 | case 0: /* clear DF bit */ |
2300 | ip->ip_off &= htons(~IP_DF); |
2301 | break; |
2302 | case 1: /* set DF bit */ |
2303 | ip->ip_off |= htons(IP_DF); |
2304 | break; |
2305 | default: /* copy DF bit */ |
2306 | break; |
2307 | } |
2308 | ip->ip_p = IPPROTO_IPIP; |
2309 | if (plen + sizeof(struct ip) < IP_MAXPACKET) |
2310 | ip->ip_len = htons(plen + sizeof(struct ip)); |
2311 | else { |
2312 | ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " |
2313 | "leave ip_len as is (invalid packet)\n" )); |
2314 | } |
2315 | if (rfc6864 && IP_OFF_IS_ATOMIC(ntohs(ip->ip_off))) { |
2316 | ip->ip_id = 0; |
2317 | } else { |
2318 | ip->ip_id = ip_randomid(); |
2319 | } |
2320 | bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, |
2321 | &ip->ip_src, sizeof(ip->ip_src)); |
2322 | bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, |
2323 | &ip->ip_dst, sizeof(ip->ip_dst)); |
2324 | ip->ip_ttl = IPDEFTTL; |
2325 | |
2326 | /* XXX Should ip_src be updated later ? */ |
2327 | |
2328 | return 0; |
2329 | } |
2330 | |
2331 | #endif /*INET*/ |
2332 | |
2333 | #if INET6 |
2334 | int |
2335 | ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav) |
2336 | { |
2337 | struct ip6_hdr *oip6; |
2338 | struct ip6_hdr *ip6; |
2339 | size_t plen; |
2340 | |
2341 | /* can't tunnel between different AFs */ |
2342 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family |
2343 | != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family |
2344 | || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { |
2345 | m_freem(m); |
2346 | return EINVAL; |
2347 | } |
2348 | #if 0 |
2349 | /* XXX if the dst is myself, perform nothing. */ |
2350 | if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { |
2351 | m_freem(m); |
2352 | return EINVAL; |
2353 | } |
2354 | #endif |
2355 | |
2356 | plen = m->m_pkthdr.len; |
2357 | |
2358 | /* |
2359 | * grow the mbuf to accomodate the new IPv6 header. |
2360 | */ |
2361 | if (m->m_len != sizeof(struct ip6_hdr)) |
2362 | panic("ipsec6_encapsulate: assumption failed (first mbuf length)" ); |
2363 | if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { |
2364 | struct mbuf *n; |
2365 | MGET(n, M_DONTWAIT, MT_DATA); |
2366 | if (!n) { |
2367 | m_freem(m); |
2368 | return ENOBUFS; |
2369 | } |
2370 | n->m_len = sizeof(struct ip6_hdr); |
2371 | n->m_next = m->m_next; |
2372 | m->m_next = n; |
2373 | m->m_pkthdr.len += sizeof(struct ip6_hdr); |
2374 | oip6 = mtod(n, struct ip6_hdr *); |
2375 | } else { |
2376 | m->m_next->m_len += sizeof(struct ip6_hdr); |
2377 | m->m_next->m_data -= sizeof(struct ip6_hdr); |
2378 | m->m_pkthdr.len += sizeof(struct ip6_hdr); |
2379 | oip6 = mtod(m->m_next, struct ip6_hdr *); |
2380 | } |
2381 | ip6 = mtod(m, struct ip6_hdr *); |
2382 | ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr)); |
2383 | |
2384 | /* Fake link-local scope-class addresses */ |
2385 | if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src)) |
2386 | oip6->ip6_src.s6_addr16[1] = 0; |
2387 | if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst)) |
2388 | oip6->ip6_dst.s6_addr16[1] = 0; |
2389 | |
2390 | /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ |
2391 | /* ECN consideration. */ |
2392 | ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow); |
2393 | if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) |
2394 | ip6->ip6_plen = htons(plen); |
2395 | else { |
2396 | /* ip6->ip6_plen will be updated in ip6_output() */ |
2397 | } |
2398 | ip6->ip6_nxt = IPPROTO_IPV6; |
2399 | bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr, |
2400 | &ip6->ip6_src, sizeof(ip6->ip6_src)); |
2401 | bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr, |
2402 | &ip6->ip6_dst, sizeof(ip6->ip6_dst)); |
2403 | ip6->ip6_hlim = IPV6_DEFHLIM; |
2404 | |
2405 | /* XXX Should ip6_src be updated later ? */ |
2406 | |
2407 | return 0; |
2408 | } |
2409 | |
2410 | static int |
2411 | ipsec64_encapsulate(struct mbuf *m, struct secasvar *sav) |
2412 | { |
2413 | struct ip6_hdr *ip6, *ip6i; |
2414 | struct ip *ip; |
2415 | size_t plen; |
2416 | u_int8_t hlim; |
2417 | |
2418 | /* tunneling over IPv4 */ |
2419 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family |
2420 | != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family |
2421 | || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { |
2422 | m_freem(m); |
2423 | return EINVAL; |
2424 | } |
2425 | #if 0 |
2426 | /* XXX if the dst is myself, perform nothing. */ |
2427 | if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { |
2428 | m_freem(m); |
2429 | return EINVAL; |
2430 | } |
2431 | #endif |
2432 | |
2433 | plen = m->m_pkthdr.len; |
2434 | ip6 = mtod(m, struct ip6_hdr *); |
2435 | hlim = ip6->ip6_hlim; |
2436 | /* |
2437 | * grow the mbuf to accomodate the new IPv4 header. |
2438 | */ |
2439 | if (m->m_len != sizeof(struct ip6_hdr)) |
2440 | panic("ipsec6_encapsulate: assumption failed (first mbuf length)" ); |
2441 | if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { |
2442 | struct mbuf *n; |
2443 | MGET(n, M_DONTWAIT, MT_DATA); |
2444 | if (!n) { |
2445 | m_freem(m); |
2446 | return ENOBUFS; |
2447 | } |
2448 | n->m_len = sizeof(struct ip6_hdr); |
2449 | n->m_next = m->m_next; |
2450 | m->m_next = n; |
2451 | m->m_pkthdr.len += sizeof(struct ip); |
2452 | ip6i = mtod(n, struct ip6_hdr *); |
2453 | } else { |
2454 | m->m_next->m_len += sizeof(struct ip6_hdr); |
2455 | m->m_next->m_data -= sizeof(struct ip6_hdr); |
2456 | m->m_pkthdr.len += sizeof(struct ip); |
2457 | ip6i = mtod(m->m_next, struct ip6_hdr *); |
2458 | } |
2459 | |
2460 | bcopy(ip6, ip6i, sizeof(struct ip6_hdr)); |
2461 | ip = mtod(m, struct ip *); |
2462 | m->m_len = sizeof(struct ip); |
2463 | /* |
2464 | * Fill in some of the IPv4 fields - we don't need all of them |
2465 | * because the rest will be filled in by ip_output |
2466 | */ |
2467 | ip->ip_v = IPVERSION; |
2468 | ip->ip_hl = sizeof(struct ip) >> 2; |
2469 | ip->ip_id = 0; |
2470 | ip->ip_sum = 0; |
2471 | ip->ip_tos = 0; |
2472 | ip->ip_off = 0; |
2473 | ip->ip_ttl = hlim; |
2474 | ip->ip_p = IPPROTO_IPV6; |
2475 | |
2476 | /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ |
2477 | /* ECN consideration. */ |
2478 | ip64_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &ip6->ip6_flow); |
2479 | |
2480 | if (plen + sizeof(struct ip) < IP_MAXPACKET) |
2481 | ip->ip_len = htons(plen + sizeof(struct ip)); |
2482 | else { |
2483 | ip->ip_len = htons(plen); |
2484 | ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " |
2485 | "leave ip_len as is (invalid packet)\n" )); |
2486 | } |
2487 | bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, |
2488 | &ip->ip_src, sizeof(ip->ip_src)); |
2489 | bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, |
2490 | &ip->ip_dst, sizeof(ip->ip_dst)); |
2491 | |
2492 | return 0; |
2493 | } |
2494 | |
2495 | int |
2496 | ipsec6_update_routecache_and_output( |
2497 | struct ipsec_output_state *state, |
2498 | struct secasvar *sav) |
2499 | { |
2500 | struct sockaddr_in6* dst6; |
2501 | struct route_in6 *ro6; |
2502 | struct ip6_hdr *ip6; |
2503 | errno_t error = 0; |
2504 | |
2505 | int plen; |
2506 | struct ip6_out_args ip6oa; |
2507 | struct route_in6 ro6_new; |
2508 | struct flowadv *adv = NULL; |
2509 | |
2510 | if (!state->m) { |
2511 | return EINVAL; |
2512 | } |
2513 | ip6 = mtod(state->m, struct ip6_hdr *); |
2514 | |
2515 | // grab sadb_mutex, before updating sah's route cache |
2516 | lck_mtx_lock(sadb_mutex); |
2517 | ro6 = &sav->sah->sa_route; |
2518 | dst6 = (struct sockaddr_in6 *)(void *)&ro6->ro_dst; |
2519 | if (ro6->ro_rt) { |
2520 | RT_LOCK(ro6->ro_rt); |
2521 | } |
2522 | if (ROUTE_UNUSABLE(ro6) || |
2523 | !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst)) { |
2524 | if (ro6->ro_rt != NULL) |
2525 | RT_UNLOCK(ro6->ro_rt); |
2526 | ROUTE_RELEASE(ro6); |
2527 | } |
2528 | if (ro6->ro_rt == 0) { |
2529 | bzero(dst6, sizeof(*dst6)); |
2530 | dst6->sin6_family = AF_INET6; |
2531 | dst6->sin6_len = sizeof(*dst6); |
2532 | dst6->sin6_addr = ip6->ip6_dst; |
2533 | rtalloc_scoped((struct route *)ro6, sav->sah->outgoing_if); |
2534 | if (ro6->ro_rt) { |
2535 | RT_LOCK(ro6->ro_rt); |
2536 | } |
2537 | } |
2538 | if (ro6->ro_rt == 0) { |
2539 | ip6stat.ip6s_noroute++; |
2540 | IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute); |
2541 | error = EHOSTUNREACH; |
2542 | // release sadb_mutex, after updating sah's route cache |
2543 | lck_mtx_unlock(sadb_mutex); |
2544 | return error; |
2545 | } |
2546 | |
2547 | /* |
2548 | * adjust state->dst if tunnel endpoint is offlink |
2549 | * |
2550 | * XXX: caching rt_gateway value in the state is |
2551 | * not really good, since it may point elsewhere |
2552 | * when the gateway gets modified to a larger |
2553 | * sockaddr via rt_setgate(). This is currently |
2554 | * addressed by SA_SIZE roundup in that routine. |
2555 | */ |
2556 | if (ro6->ro_rt->rt_flags & RTF_GATEWAY) |
2557 | dst6 = (struct sockaddr_in6 *)(void *)ro6->ro_rt->rt_gateway; |
2558 | RT_UNLOCK(ro6->ro_rt); |
2559 | ROUTE_RELEASE(&state->ro); |
2560 | route_copyout((struct route *)&state->ro, (struct route *)ro6, sizeof(struct route_in6)); |
2561 | state->dst = (struct sockaddr *)dst6; |
2562 | state->tunneled = 6; |
2563 | // release sadb_mutex, after updating sah's route cache |
2564 | lck_mtx_unlock(sadb_mutex); |
2565 | |
2566 | state->m = ipsec6_splithdr(state->m); |
2567 | if (!state->m) { |
2568 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem); |
2569 | error = ENOMEM; |
2570 | return error; |
2571 | } |
2572 | |
2573 | ip6 = mtod(state->m, struct ip6_hdr *); |
2574 | switch (sav->sah->saidx.proto) { |
2575 | case IPPROTO_ESP: |
2576 | #if IPSEC_ESP |
2577 | error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); |
2578 | #else |
2579 | m_freem(state->m); |
2580 | error = EINVAL; |
2581 | #endif |
2582 | break; |
2583 | case IPPROTO_AH: |
2584 | error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); |
2585 | break; |
2586 | case IPPROTO_IPCOMP: |
2587 | /* XXX code should be here */ |
2588 | /*FALLTHROUGH*/ |
2589 | default: |
2590 | ipseclog((LOG_ERR, "%s: unknown ipsec protocol %d\n" , __FUNCTION__, sav->sah->saidx.proto)); |
2591 | m_freem(state->m); |
2592 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
2593 | error = EINVAL; |
2594 | break; |
2595 | } |
2596 | if (error) { |
2597 | // If error, packet already freed by above output routines |
2598 | state->m = NULL; |
2599 | return error; |
2600 | } |
2601 | |
2602 | plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); |
2603 | if (plen > IPV6_MAXPACKET) { |
2604 | ipseclog((LOG_ERR, "%s: IPsec with IPv6 jumbogram is not supported\n" , __FUNCTION__)); |
2605 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
2606 | error = EINVAL;/*XXX*/ |
2607 | return error; |
2608 | } |
2609 | ip6 = mtod(state->m, struct ip6_hdr *); |
2610 | ip6->ip6_plen = htons(plen); |
2611 | |
2612 | ipsec_set_pkthdr_for_interface(sav->sah->ipsec_if, state->m, AF_INET6); |
2613 | ipsec_set_ip6oa_for_interface(sav->sah->ipsec_if, &ip6oa); |
2614 | |
2615 | /* Increment statistics */ |
2616 | ifnet_stat_increment_out(sav->sah->ipsec_if, 1, mbuf_pkthdr_len(state->m), 0); |
2617 | |
2618 | /* Send to ip6_output */ |
2619 | bzero(&ro6_new, sizeof(ro6_new)); |
2620 | bzero(&ip6oa, sizeof(ip6oa)); |
2621 | ip6oa.ip6oa_flowadv.code = 0; |
2622 | ip6oa.ip6oa_flags = IP6OAF_SELECT_SRCIF | IP6OAF_BOUND_SRCADDR; |
2623 | if (state->outgoing_if) { |
2624 | ip6oa.ip6oa_boundif = state->outgoing_if; |
2625 | ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF; |
2626 | } |
2627 | |
2628 | adv = &ip6oa.ip6oa_flowadv; |
2629 | (void) ip6_output(state->m, NULL, &ro6_new, IPV6_OUTARGS, NULL, NULL, &ip6oa); |
2630 | state->m = NULL; |
2631 | |
2632 | if (adv->code == FADV_FLOW_CONTROLLED || adv->code == FADV_SUSPENDED) { |
2633 | error = ENOBUFS; |
2634 | ifnet_disable_output(sav->sah->ipsec_if); |
2635 | return error; |
2636 | } |
2637 | |
2638 | return 0; |
2639 | } |
2640 | |
2641 | int |
2642 | ipsec46_encapsulate(struct ipsec_output_state *state, struct secasvar *sav) |
2643 | { |
2644 | struct mbuf *m; |
2645 | struct ip6_hdr *ip6; |
2646 | struct ip *oip; |
2647 | struct ip *ip; |
2648 | size_t hlen; |
2649 | size_t plen; |
2650 | |
2651 | m = state->m; |
2652 | if (!m) { |
2653 | return EINVAL; |
2654 | } |
2655 | |
2656 | /* can't tunnel between different AFs */ |
2657 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family |
2658 | != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family |
2659 | || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { |
2660 | m_freem(m); |
2661 | return EINVAL; |
2662 | } |
2663 | #if 0 |
2664 | /* XXX if the dst is myself, perform nothing. */ |
2665 | if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) { |
2666 | m_freem(m); |
2667 | return EINVAL; |
2668 | } |
2669 | #endif |
2670 | |
2671 | if (m->m_len < sizeof(*ip)) { |
2672 | panic("ipsec46_encapsulate: assumption failed (first mbuf length)" ); |
2673 | return EINVAL; |
2674 | } |
2675 | |
2676 | ip = mtod(m, struct ip *); |
2677 | #ifdef _IP_VHL |
2678 | hlen = _IP_VHL_HL(ip->ip_vhl) << 2; |
2679 | #else |
2680 | hlen = ip->ip_hl << 2; |
2681 | #endif |
2682 | |
2683 | if (m->m_len != hlen) { |
2684 | panic("ipsec46_encapsulate: assumption failed (first mbuf length)" ); |
2685 | return EINVAL; |
2686 | } |
2687 | |
2688 | /* generate header checksum */ |
2689 | ip->ip_sum = 0; |
2690 | #ifdef _IP_VHL |
2691 | ip->ip_sum = in_cksum(m, hlen); |
2692 | #else |
2693 | ip->ip_sum = in_cksum(m, hlen); |
2694 | #endif |
2695 | |
2696 | plen = m->m_pkthdr.len; // save original IPv4 packet len, this will be ipv6 payload len |
2697 | |
2698 | /* |
2699 | * First move the IPv4 header to the second mbuf in the chain |
2700 | */ |
2701 | if (M_LEADINGSPACE(m->m_next) < hlen) { |
2702 | struct mbuf *n; |
2703 | MGET(n, M_DONTWAIT, MT_DATA); |
2704 | if (!n) { |
2705 | m_freem(m); |
2706 | return ENOBUFS; |
2707 | } |
2708 | n->m_len = hlen; |
2709 | n->m_next = m->m_next; |
2710 | m->m_next = n; |
2711 | m->m_pkthdr.len += sizeof(struct ip6_hdr); |
2712 | oip = mtod(n, struct ip *); |
2713 | } else { |
2714 | m->m_next->m_len += hlen; |
2715 | m->m_next->m_data -= hlen; |
2716 | m->m_pkthdr.len += sizeof(struct ip6_hdr); |
2717 | oip = mtod(m->m_next, struct ip *); |
2718 | } |
2719 | ip = mtod(m, struct ip *); |
2720 | ovbcopy((caddr_t)ip, (caddr_t)oip, hlen); |
2721 | |
2722 | /* |
2723 | * Grow the first mbuf to accomodate the new IPv6 header. |
2724 | */ |
2725 | if (M_LEADINGSPACE(m) < sizeof(struct ip6_hdr) - hlen) { |
2726 | struct mbuf *n; |
2727 | MGETHDR(n, M_DONTWAIT, MT_HEADER); |
2728 | if (!n) { |
2729 | m_freem(m); |
2730 | return ENOBUFS; |
2731 | } |
2732 | M_COPY_PKTHDR(n, m); |
2733 | MH_ALIGN(n, sizeof(struct ip6_hdr)); |
2734 | n->m_len = sizeof(struct ip6_hdr); |
2735 | n->m_next = m->m_next; |
2736 | m->m_next = NULL; |
2737 | m_freem(m); |
2738 | state->m = n; |
2739 | m = state->m; |
2740 | } else { |
2741 | m->m_len += (sizeof(struct ip6_hdr) - hlen); |
2742 | m->m_data -= (sizeof(struct ip6_hdr) - hlen); |
2743 | } |
2744 | ip6 = mtod(m, struct ip6_hdr *); |
2745 | ip6->ip6_flow = 0; |
2746 | ip6->ip6_vfc &= ~IPV6_VERSION_MASK; |
2747 | ip6->ip6_vfc |= IPV6_VERSION; |
2748 | |
2749 | /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ |
2750 | /* ECN consideration. */ |
2751 | ip46_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &ip->ip_tos); |
2752 | if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) |
2753 | ip6->ip6_plen = htons(plen); |
2754 | else { |
2755 | /* ip6->ip6_plen will be updated in ip6_output() */ |
2756 | } |
2757 | |
2758 | ip6->ip6_nxt = IPPROTO_IPV4; |
2759 | ip6->ip6_hlim = IPV6_DEFHLIM; |
2760 | |
2761 | bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr, |
2762 | &ip6->ip6_src, sizeof(ip6->ip6_src)); |
2763 | bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr, |
2764 | &ip6->ip6_dst, sizeof(ip6->ip6_dst)); |
2765 | |
2766 | return 0; |
2767 | } |
2768 | |
2769 | #endif /*INET6*/ |
2770 | |
2771 | /* |
2772 | * Check the variable replay window. |
2773 | * ipsec_chkreplay() performs replay check before ICV verification. |
2774 | * ipsec_updatereplay() updates replay bitmap. This must be called after |
2775 | * ICV verification (it also performs replay check, which is usually done |
2776 | * beforehand). |
2777 | * 0 (zero) is returned if packet disallowed, 1 if packet permitted. |
2778 | * |
2779 | * based on RFC 2401. |
2780 | */ |
2781 | int |
2782 | ipsec_chkreplay(u_int32_t seq, struct secasvar *sav) |
2783 | { |
2784 | const struct secreplay *replay; |
2785 | u_int32_t diff; |
2786 | int fr; |
2787 | u_int32_t wsizeb; /* constant: bits of window size */ |
2788 | int frlast; /* constant: last frame */ |
2789 | |
2790 | |
2791 | /* sanity check */ |
2792 | if (sav == NULL) |
2793 | panic("ipsec_chkreplay: NULL pointer was passed.\n" ); |
2794 | |
2795 | lck_mtx_lock(sadb_mutex); |
2796 | replay = sav->replay; |
2797 | |
2798 | if (replay->wsize == 0) { |
2799 | lck_mtx_unlock(sadb_mutex); |
2800 | return 1; /* no need to check replay. */ |
2801 | } |
2802 | |
2803 | /* constant */ |
2804 | frlast = replay->wsize - 1; |
2805 | wsizeb = replay->wsize << 3; |
2806 | |
2807 | /* sequence number of 0 is invalid */ |
2808 | if (seq == 0) { |
2809 | lck_mtx_unlock(sadb_mutex); |
2810 | return 0; |
2811 | } |
2812 | |
2813 | /* first time is always okay */ |
2814 | if (replay->count == 0) { |
2815 | lck_mtx_unlock(sadb_mutex); |
2816 | return 1; |
2817 | } |
2818 | |
2819 | if (seq > replay->lastseq) { |
2820 | /* larger sequences are okay */ |
2821 | lck_mtx_unlock(sadb_mutex); |
2822 | return 1; |
2823 | } else { |
2824 | /* seq is equal or less than lastseq. */ |
2825 | diff = replay->lastseq - seq; |
2826 | |
2827 | /* over range to check, i.e. too old or wrapped */ |
2828 | if (diff >= wsizeb) { |
2829 | lck_mtx_unlock(sadb_mutex); |
2830 | return 0; |
2831 | } |
2832 | |
2833 | fr = frlast - diff / 8; |
2834 | |
2835 | /* this packet already seen ? */ |
2836 | if ((replay->bitmap)[fr] & (1 << (diff % 8))) { |
2837 | lck_mtx_unlock(sadb_mutex); |
2838 | return 0; |
2839 | } |
2840 | |
2841 | /* out of order but good */ |
2842 | lck_mtx_unlock(sadb_mutex); |
2843 | return 1; |
2844 | } |
2845 | } |
2846 | |
2847 | /* |
2848 | * check replay counter whether to update or not. |
2849 | * OUT: 0: OK |
2850 | * 1: NG |
2851 | */ |
2852 | int |
2853 | ipsec_updatereplay(u_int32_t seq, struct secasvar *sav) |
2854 | { |
2855 | struct secreplay *replay; |
2856 | u_int32_t diff; |
2857 | int fr; |
2858 | u_int32_t wsizeb; /* constant: bits of window size */ |
2859 | int frlast; /* constant: last frame */ |
2860 | |
2861 | /* sanity check */ |
2862 | if (sav == NULL) |
2863 | panic("ipsec_chkreplay: NULL pointer was passed.\n" ); |
2864 | |
2865 | lck_mtx_lock(sadb_mutex); |
2866 | replay = sav->replay; |
2867 | |
2868 | if (replay->wsize == 0) |
2869 | goto ok; /* no need to check replay. */ |
2870 | |
2871 | /* constant */ |
2872 | frlast = replay->wsize - 1; |
2873 | wsizeb = replay->wsize << 3; |
2874 | |
2875 | /* sequence number of 0 is invalid */ |
2876 | if (seq == 0) { |
2877 | lck_mtx_unlock(sadb_mutex); |
2878 | return 1; |
2879 | } |
2880 | |
2881 | /* first time */ |
2882 | if (replay->count == 0) { |
2883 | replay->lastseq = seq; |
2884 | bzero(replay->bitmap, replay->wsize); |
2885 | (replay->bitmap)[frlast] = 1; |
2886 | goto ok; |
2887 | } |
2888 | |
2889 | if (seq > replay->lastseq) { |
2890 | /* seq is larger than lastseq. */ |
2891 | diff = seq - replay->lastseq; |
2892 | |
2893 | /* new larger sequence number */ |
2894 | if (diff < wsizeb) { |
2895 | /* In window */ |
2896 | /* set bit for this packet */ |
2897 | vshiftl((unsigned char *) replay->bitmap, diff, replay->wsize); |
2898 | (replay->bitmap)[frlast] |= 1; |
2899 | } else { |
2900 | /* this packet has a "way larger" */ |
2901 | bzero(replay->bitmap, replay->wsize); |
2902 | (replay->bitmap)[frlast] = 1; |
2903 | } |
2904 | replay->lastseq = seq; |
2905 | |
2906 | /* larger is good */ |
2907 | } else { |
2908 | /* seq is equal or less than lastseq. */ |
2909 | diff = replay->lastseq - seq; |
2910 | |
2911 | /* over range to check, i.e. too old or wrapped */ |
2912 | if (diff >= wsizeb) { |
2913 | lck_mtx_unlock(sadb_mutex); |
2914 | return 1; |
2915 | } |
2916 | |
2917 | fr = frlast - diff / 8; |
2918 | |
2919 | /* this packet already seen ? */ |
2920 | if ((replay->bitmap)[fr] & (1 << (diff % 8))) { |
2921 | lck_mtx_unlock(sadb_mutex); |
2922 | return 1; |
2923 | } |
2924 | |
2925 | /* mark as seen */ |
2926 | (replay->bitmap)[fr] |= (1 << (diff % 8)); |
2927 | |
2928 | /* out of order but good */ |
2929 | } |
2930 | |
2931 | ok: |
2932 | if (replay->count == ~0) { |
2933 | |
2934 | /* set overflow flag */ |
2935 | replay->overflow++; |
2936 | |
2937 | /* don't increment, no more packets accepted */ |
2938 | if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) { |
2939 | lck_mtx_unlock(sadb_mutex); |
2940 | return 1; |
2941 | } |
2942 | |
2943 | ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n" , |
2944 | replay->overflow, ipsec_logsastr(sav))); |
2945 | } |
2946 | |
2947 | replay->count++; |
2948 | |
2949 | lck_mtx_unlock(sadb_mutex); |
2950 | return 0; |
2951 | } |
2952 | |
2953 | /* |
2954 | * shift variable length buffer to left. |
2955 | * IN: bitmap: pointer to the buffer |
2956 | * nbit: the number of to shift. |
2957 | * wsize: buffer size (bytes). |
2958 | */ |
2959 | static void |
2960 | vshiftl(unsigned char *bitmap, int nbit, int wsize) |
2961 | { |
2962 | int s, j, i; |
2963 | unsigned char over; |
2964 | |
2965 | for (j = 0; j < nbit; j += 8) { |
2966 | s = (nbit - j < 8) ? (nbit - j): 8; |
2967 | bitmap[0] <<= s; |
2968 | for (i = 1; i < wsize; i++) { |
2969 | over = (bitmap[i] >> (8 - s)); |
2970 | bitmap[i] <<= s; |
2971 | bitmap[i-1] |= over; |
2972 | } |
2973 | } |
2974 | |
2975 | return; |
2976 | } |
2977 | |
2978 | const char * |
2979 | ipsec4_logpacketstr(struct ip *ip, u_int32_t spi) |
2980 | { |
2981 | static char buf[256] __attribute__((aligned(4))); |
2982 | char *p; |
2983 | u_int8_t *s, *d; |
2984 | |
2985 | s = (u_int8_t *)(&ip->ip_src); |
2986 | d = (u_int8_t *)(&ip->ip_dst); |
2987 | |
2988 | p = buf; |
2989 | snprintf(buf, sizeof(buf), "packet(SPI=%u " , (u_int32_t)ntohl(spi)); |
2990 | while (p && *p) |
2991 | p++; |
2992 | snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u" , |
2993 | s[0], s[1], s[2], s[3]); |
2994 | while (p && *p) |
2995 | p++; |
2996 | snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u" , |
2997 | d[0], d[1], d[2], d[3]); |
2998 | while (p && *p) |
2999 | p++; |
3000 | snprintf(p, sizeof(buf) - (p - buf), ")" ); |
3001 | |
3002 | return buf; |
3003 | } |
3004 | |
3005 | #if INET6 |
3006 | const char * |
3007 | ipsec6_logpacketstr(struct ip6_hdr *ip6, u_int32_t spi) |
3008 | { |
3009 | static char buf[256] __attribute__((aligned(4))); |
3010 | char *p; |
3011 | |
3012 | p = buf; |
3013 | snprintf(buf, sizeof(buf), "packet(SPI=%u " , (u_int32_t)ntohl(spi)); |
3014 | while (p && *p) |
3015 | p++; |
3016 | snprintf(p, sizeof(buf) - (p - buf), "src=%s" , |
3017 | ip6_sprintf(&ip6->ip6_src)); |
3018 | while (p && *p) |
3019 | p++; |
3020 | snprintf(p, sizeof(buf) - (p - buf), " dst=%s" , |
3021 | ip6_sprintf(&ip6->ip6_dst)); |
3022 | while (p && *p) |
3023 | p++; |
3024 | snprintf(p, sizeof(buf) - (p - buf), ")" ); |
3025 | |
3026 | return buf; |
3027 | } |
3028 | #endif /*INET6*/ |
3029 | |
3030 | const char * |
3031 | ipsec_logsastr(struct secasvar *sav) |
3032 | { |
3033 | static char buf[256] __attribute__((aligned(4))); |
3034 | char *p; |
3035 | struct secasindex *saidx = &sav->sah->saidx; |
3036 | |
3037 | /* validity check */ |
3038 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family |
3039 | != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) |
3040 | panic("ipsec_logsastr: family mismatched.\n" ); |
3041 | |
3042 | p = buf; |
3043 | snprintf(buf, sizeof(buf), "SA(SPI=%u " , (u_int32_t)ntohl(sav->spi)); |
3044 | while (p && *p) |
3045 | p++; |
3046 | if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) { |
3047 | u_int8_t *s, *d; |
3048 | s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr; |
3049 | d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr; |
3050 | snprintf(p, sizeof(buf) - (p - buf), |
3051 | "src=%d.%d.%d.%d dst=%d.%d.%d.%d" , |
3052 | s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]); |
3053 | } |
3054 | #if INET6 |
3055 | else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) { |
3056 | snprintf(p, sizeof(buf) - (p - buf), |
3057 | "src=%s" , |
3058 | ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr)); |
3059 | while (p && *p) |
3060 | p++; |
3061 | snprintf(p, sizeof(buf) - (p - buf), |
3062 | " dst=%s" , |
3063 | ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr)); |
3064 | } |
3065 | #endif |
3066 | while (p && *p) |
3067 | p++; |
3068 | snprintf(p, sizeof(buf) - (p - buf), ")" ); |
3069 | |
3070 | return buf; |
3071 | } |
3072 | |
3073 | void |
3074 | ipsec_dumpmbuf(struct mbuf *m) |
3075 | { |
3076 | int totlen; |
3077 | int i; |
3078 | u_char *p; |
3079 | |
3080 | totlen = 0; |
3081 | printf("---\n" ); |
3082 | while (m) { |
3083 | p = mtod(m, u_char *); |
3084 | for (i = 0; i < m->m_len; i++) { |
3085 | printf("%02x " , p[i]); |
3086 | totlen++; |
3087 | if (totlen % 16 == 0) |
3088 | printf("\n" ); |
3089 | } |
3090 | m = m->m_next; |
3091 | } |
3092 | if (totlen % 16 != 0) |
3093 | printf("\n" ); |
3094 | printf("---\n" ); |
3095 | } |
3096 | |
3097 | #if INET |
3098 | /* |
3099 | * IPsec output logic for IPv4. |
3100 | */ |
3101 | static int |
3102 | ipsec4_output_internal(struct ipsec_output_state *state, struct secasvar *sav) |
3103 | { |
3104 | struct ip *ip = NULL; |
3105 | int error = 0; |
3106 | struct sockaddr_in *dst4; |
3107 | struct route *ro4; |
3108 | |
3109 | /* validity check */ |
3110 | if (sav == NULL || sav->sah == NULL) { |
3111 | error = EINVAL; |
3112 | goto bad; |
3113 | } |
3114 | |
3115 | /* |
3116 | * If there is no valid SA, we give up to process any |
3117 | * more. In such a case, the SA's status is changed |
3118 | * from DYING to DEAD after allocating. If a packet |
3119 | * send to the receiver by dead SA, the receiver can |
3120 | * not decode a packet because SA has been dead. |
3121 | */ |
3122 | if (sav->state != SADB_SASTATE_MATURE |
3123 | && sav->state != SADB_SASTATE_DYING) { |
3124 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3125 | error = EINVAL; |
3126 | goto bad; |
3127 | } |
3128 | |
3129 | state->outgoing_if = sav->sah->outgoing_if; |
3130 | |
3131 | /* |
3132 | * There may be the case that SA status will be changed when |
3133 | * we are refering to one. So calling splsoftnet(). |
3134 | */ |
3135 | |
3136 | if (sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) { |
3137 | /* |
3138 | * build IPsec tunnel. |
3139 | */ |
3140 | state->m = ipsec4_splithdr(state->m); |
3141 | if (!state->m) { |
3142 | error = ENOMEM; |
3143 | goto bad; |
3144 | } |
3145 | |
3146 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) { |
3147 | error = ipsec46_encapsulate(state, sav); |
3148 | if (error) { |
3149 | // packet already freed by encapsulation error handling |
3150 | state->m = NULL; |
3151 | return error; |
3152 | } |
3153 | |
3154 | error = ipsec6_update_routecache_and_output(state, sav); |
3155 | return error; |
3156 | |
3157 | } else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) { |
3158 | error = ipsec4_encapsulate(state->m, sav); |
3159 | if (error) { |
3160 | state->m = NULL; |
3161 | goto bad; |
3162 | } |
3163 | ip = mtod(state->m, struct ip *); |
3164 | |
3165 | // grab sadb_mutex, before updating sah's route cache |
3166 | lck_mtx_lock(sadb_mutex); |
3167 | ro4= (struct route *)&sav->sah->sa_route; |
3168 | dst4 = (struct sockaddr_in *)(void *)&ro4->ro_dst; |
3169 | if (ro4->ro_rt != NULL) { |
3170 | RT_LOCK(ro4->ro_rt); |
3171 | } |
3172 | if (ROUTE_UNUSABLE(ro4) || |
3173 | dst4->sin_addr.s_addr != ip->ip_dst.s_addr) { |
3174 | if (ro4->ro_rt != NULL) |
3175 | RT_UNLOCK(ro4->ro_rt); |
3176 | ROUTE_RELEASE(ro4); |
3177 | } |
3178 | if (ro4->ro_rt == 0) { |
3179 | dst4->sin_family = AF_INET; |
3180 | dst4->sin_len = sizeof(*dst4); |
3181 | dst4->sin_addr = ip->ip_dst; |
3182 | rtalloc_scoped(ro4, sav->sah->outgoing_if); |
3183 | if (ro4->ro_rt == 0) { |
3184 | OSAddAtomic(1, &ipstat.ips_noroute); |
3185 | error = EHOSTUNREACH; |
3186 | // release sadb_mutex, after updating sah's route cache |
3187 | lck_mtx_unlock(sadb_mutex); |
3188 | goto bad; |
3189 | } |
3190 | RT_LOCK(ro4->ro_rt); |
3191 | } |
3192 | |
3193 | /* |
3194 | * adjust state->dst if tunnel endpoint is offlink |
3195 | * |
3196 | * XXX: caching rt_gateway value in the state is |
3197 | * not really good, since it may point elsewhere |
3198 | * when the gateway gets modified to a larger |
3199 | * sockaddr via rt_setgate(). This is currently |
3200 | * addressed by SA_SIZE roundup in that routine. |
3201 | */ |
3202 | if (ro4->ro_rt->rt_flags & RTF_GATEWAY) |
3203 | dst4 = (struct sockaddr_in *)(void *)ro4->ro_rt->rt_gateway; |
3204 | RT_UNLOCK(ro4->ro_rt); |
3205 | ROUTE_RELEASE(&state->ro); |
3206 | route_copyout((struct route *)&state->ro, ro4, sizeof(struct route)); |
3207 | state->dst = (struct sockaddr *)dst4; |
3208 | state->tunneled = 4; |
3209 | // release sadb_mutex, after updating sah's route cache |
3210 | lck_mtx_unlock(sadb_mutex); |
3211 | } else { |
3212 | ipseclog((LOG_ERR, "%s: family mismatched between inner and outer spi=%u\n" , |
3213 | __FUNCTION__, (u_int32_t)ntohl(sav->spi))); |
3214 | error = EAFNOSUPPORT; |
3215 | goto bad; |
3216 | } |
3217 | } |
3218 | |
3219 | state->m = ipsec4_splithdr(state->m); |
3220 | if (!state->m) { |
3221 | error = ENOMEM; |
3222 | goto bad; |
3223 | } |
3224 | switch (sav->sah->saidx.proto) { |
3225 | case IPPROTO_ESP: |
3226 | #if IPSEC_ESP |
3227 | if ((error = esp4_output(state->m, sav)) != 0) { |
3228 | state->m = NULL; |
3229 | goto bad; |
3230 | } |
3231 | break; |
3232 | #else |
3233 | m_freem(state->m); |
3234 | state->m = NULL; |
3235 | error = EINVAL; |
3236 | goto bad; |
3237 | #endif |
3238 | case IPPROTO_AH: |
3239 | if ((error = ah4_output(state->m, sav)) != 0) { |
3240 | state->m = NULL; |
3241 | goto bad; |
3242 | } |
3243 | break; |
3244 | case IPPROTO_IPCOMP: |
3245 | if ((error = ipcomp4_output(state->m, sav)) != 0) { |
3246 | state->m = NULL; |
3247 | goto bad; |
3248 | } |
3249 | break; |
3250 | default: |
3251 | ipseclog((LOG_ERR, |
3252 | "ipsec4_output: unknown ipsec protocol %d\n" , |
3253 | sav->sah->saidx.proto)); |
3254 | m_freem(state->m); |
3255 | state->m = NULL; |
3256 | error = EINVAL; |
3257 | goto bad; |
3258 | } |
3259 | |
3260 | if (state->m == 0) { |
3261 | error = ENOMEM; |
3262 | goto bad; |
3263 | } |
3264 | |
3265 | return 0; |
3266 | |
3267 | bad: |
3268 | return error; |
3269 | } |
3270 | |
3271 | int |
3272 | ipsec4_interface_output(struct ipsec_output_state *state, ifnet_t interface) |
3273 | { |
3274 | int error = 0; |
3275 | struct secasvar *sav = NULL; |
3276 | |
3277 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
3278 | |
3279 | if (state == NULL) { |
3280 | panic("state == NULL in ipsec4_output" ); |
3281 | } |
3282 | if (state->m == NULL) { |
3283 | panic("state->m == NULL in ipsec4_output" ); |
3284 | } |
3285 | if (state->dst == NULL) { |
3286 | panic("state->dst == NULL in ipsec4_output" ); |
3287 | } |
3288 | |
3289 | struct ip *ip = mtod(state->m, struct ip *); |
3290 | |
3291 | struct sockaddr_in src = {}; |
3292 | src.sin_family = AF_INET; |
3293 | src.sin_len = sizeof(src); |
3294 | memcpy(&src.sin_addr, &ip->ip_src, sizeof(src.sin_addr)); |
3295 | |
3296 | struct sockaddr_in dst = {}; |
3297 | dst.sin_family = AF_INET; |
3298 | dst.sin_len = sizeof(dst); |
3299 | memcpy(&dst.sin_addr, &ip->ip_dst, sizeof(dst.sin_addr)); |
3300 | |
3301 | sav = key_alloc_outbound_sav_for_interface(interface, AF_INET, |
3302 | (struct sockaddr *)&src, |
3303 | (struct sockaddr *)&dst); |
3304 | if (sav == NULL) { |
3305 | goto bad; |
3306 | } |
3307 | |
3308 | if ((error = ipsec4_output_internal(state, sav)) != 0) { |
3309 | goto bad; |
3310 | } |
3311 | |
3312 | KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0,0,0,0,0); |
3313 | if (sav) { |
3314 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3315 | } |
3316 | return 0; |
3317 | |
3318 | bad: |
3319 | if (sav) { |
3320 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3321 | } |
3322 | m_freem(state->m); |
3323 | state->m = NULL; |
3324 | KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error,0,0,0,0); |
3325 | return error; |
3326 | } |
3327 | |
3328 | int |
3329 | ipsec4_output(struct ipsec_output_state *state, struct secpolicy *sp, __unused int flags) |
3330 | { |
3331 | struct ip *ip = NULL; |
3332 | struct ipsecrequest *isr = NULL; |
3333 | struct secasindex saidx; |
3334 | struct secasvar *sav = NULL; |
3335 | int error = 0; |
3336 | struct sockaddr_in *sin; |
3337 | |
3338 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
3339 | |
3340 | if (!state) |
3341 | panic("state == NULL in ipsec4_output" ); |
3342 | if (!state->m) |
3343 | panic("state->m == NULL in ipsec4_output" ); |
3344 | if (!state->dst) |
3345 | panic("state->dst == NULL in ipsec4_output" ); |
3346 | |
3347 | KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_START, 0,0,0,0,0); |
3348 | |
3349 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
3350 | printf("ipsec4_output: applied SP\n" ); |
3351 | kdebug_secpolicy(sp)); |
3352 | |
3353 | for (isr = sp->req; isr != NULL; isr = isr->next) { |
3354 | /* make SA index for search proper SA */ |
3355 | ip = mtod(state->m, struct ip *); |
3356 | bcopy(&isr->saidx, &saidx, sizeof(saidx)); |
3357 | saidx.mode = isr->saidx.mode; |
3358 | saidx.reqid = isr->saidx.reqid; |
3359 | sin = (struct sockaddr_in *)&saidx.src; |
3360 | if (sin->sin_len == 0) { |
3361 | sin->sin_len = sizeof(*sin); |
3362 | sin->sin_family = AF_INET; |
3363 | sin->sin_port = IPSEC_PORT_ANY; |
3364 | bcopy(&ip->ip_src, &sin->sin_addr, |
3365 | sizeof(sin->sin_addr)); |
3366 | } |
3367 | sin = (struct sockaddr_in *)&saidx.dst; |
3368 | if (sin->sin_len == 0) { |
3369 | sin->sin_len = sizeof(*sin); |
3370 | sin->sin_family = AF_INET; |
3371 | sin->sin_port = IPSEC_PORT_ANY; |
3372 | /* |
3373 | * Get port from packet if upper layer is UDP and nat traversal |
3374 | * is enabled and transport mode. |
3375 | */ |
3376 | |
3377 | if ((esp_udp_encap_port & 0xFFFF) != 0 && |
3378 | isr->saidx.mode == IPSEC_MODE_TRANSPORT) { |
3379 | |
3380 | if (ip->ip_p == IPPROTO_UDP) { |
3381 | struct udphdr *udp; |
3382 | size_t hlen; |
3383 | #ifdef _IP_VHL |
3384 | hlen = IP_VHL_HL(ip->ip_vhl) << 2; |
3385 | #else |
3386 | hlen = ip->ip_hl << 2; |
3387 | #endif |
3388 | if (state->m->m_len < hlen + sizeof(struct udphdr)) { |
3389 | state->m = m_pullup(state->m, hlen + sizeof(struct udphdr)); |
3390 | if (!state->m) { |
3391 | ipseclog((LOG_DEBUG, "IPv4 output: can't pullup UDP header\n" )); |
3392 | IPSEC_STAT_INCREMENT(ipsecstat.in_inval); |
3393 | goto bad; |
3394 | } |
3395 | ip = mtod(state->m, struct ip *); |
3396 | } |
3397 | udp = (struct udphdr *)(void *)(((u_int8_t *)ip) + hlen); |
3398 | sin->sin_port = udp->uh_dport; |
3399 | } |
3400 | } |
3401 | |
3402 | bcopy(&ip->ip_dst, &sin->sin_addr, |
3403 | sizeof(sin->sin_addr)); |
3404 | } |
3405 | |
3406 | if ((error = key_checkrequest(isr, &saidx, &sav)) != 0) { |
3407 | /* |
3408 | * IPsec processing is required, but no SA found. |
3409 | * I assume that key_acquire() had been called |
3410 | * to get/establish the SA. Here I discard |
3411 | * this packet because it is responsibility for |
3412 | * upper layer to retransmit the packet. |
3413 | */ |
3414 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3415 | goto bad; |
3416 | } |
3417 | |
3418 | /* validity check */ |
3419 | if (sav == NULL) { |
3420 | switch (ipsec_get_reqlevel(isr)) { |
3421 | case IPSEC_LEVEL_USE: |
3422 | continue; |
3423 | case IPSEC_LEVEL_REQUIRE: |
3424 | /* must be not reached here. */ |
3425 | panic("ipsec4_output: no SA found, but required." ); |
3426 | } |
3427 | } |
3428 | |
3429 | if ((error = ipsec4_output_internal(state, sav)) != 0) { |
3430 | goto bad; |
3431 | } |
3432 | } |
3433 | |
3434 | KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0,0,0,0,0); |
3435 | if (sav) |
3436 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3437 | return 0; |
3438 | |
3439 | bad: |
3440 | if (sav) |
3441 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3442 | m_freem(state->m); |
3443 | state->m = NULL; |
3444 | KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error,0,0,0,0); |
3445 | return error; |
3446 | } |
3447 | |
3448 | #endif |
3449 | |
3450 | #if INET6 |
3451 | /* |
3452 | * IPsec output logic for IPv6, transport mode. |
3453 | */ |
3454 | static int |
3455 | ipsec6_output_trans_internal( |
3456 | struct ipsec_output_state *state, |
3457 | struct secasvar *sav, |
3458 | u_char *nexthdrp, |
3459 | struct mbuf *mprev) |
3460 | { |
3461 | struct ip6_hdr *ip6; |
3462 | int error = 0; |
3463 | int plen; |
3464 | |
3465 | /* validity check */ |
3466 | if (sav == NULL || sav->sah == NULL) { |
3467 | error = EINVAL; |
3468 | goto bad; |
3469 | } |
3470 | |
3471 | /* |
3472 | * If there is no valid SA, we give up to process. |
3473 | * see same place at ipsec4_output(). |
3474 | */ |
3475 | if (sav->state != SADB_SASTATE_MATURE |
3476 | && sav->state != SADB_SASTATE_DYING) { |
3477 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); |
3478 | error = EINVAL; |
3479 | goto bad; |
3480 | } |
3481 | |
3482 | state->outgoing_if = sav->sah->outgoing_if; |
3483 | |
3484 | switch (sav->sah->saidx.proto) { |
3485 | case IPPROTO_ESP: |
3486 | #if IPSEC_ESP |
3487 | error = esp6_output(state->m, nexthdrp, mprev->m_next, sav); |
3488 | #else |
3489 | m_freem(state->m); |
3490 | error = EINVAL; |
3491 | #endif |
3492 | break; |
3493 | case IPPROTO_AH: |
3494 | error = ah6_output(state->m, nexthdrp, mprev->m_next, sav); |
3495 | break; |
3496 | case IPPROTO_IPCOMP: |
3497 | error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, sav); |
3498 | break; |
3499 | default: |
3500 | ipseclog((LOG_ERR, "ipsec6_output_trans: " |
3501 | "unknown ipsec protocol %d\n" , sav->sah->saidx.proto)); |
3502 | m_freem(state->m); |
3503 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
3504 | error = EINVAL; |
3505 | break; |
3506 | } |
3507 | if (error) { |
3508 | state->m = NULL; |
3509 | goto bad; |
3510 | } |
3511 | plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); |
3512 | if (plen > IPV6_MAXPACKET) { |
3513 | ipseclog((LOG_ERR, "ipsec6_output_trans: " |
3514 | "IPsec with IPv6 jumbogram is not supported\n" )); |
3515 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
3516 | error = EINVAL; /*XXX*/ |
3517 | goto bad; |
3518 | } |
3519 | ip6 = mtod(state->m, struct ip6_hdr *); |
3520 | ip6->ip6_plen = htons(plen); |
3521 | |
3522 | return 0; |
3523 | bad: |
3524 | return error; |
3525 | } |
3526 | |
3527 | int |
3528 | ipsec6_output_trans( |
3529 | struct ipsec_output_state *state, |
3530 | u_char *nexthdrp, |
3531 | struct mbuf *mprev, |
3532 | struct secpolicy *sp, |
3533 | __unused int flags, |
3534 | int *tun) |
3535 | { |
3536 | struct ip6_hdr *ip6; |
3537 | struct ipsecrequest *isr = NULL; |
3538 | struct secasindex saidx; |
3539 | int error = 0; |
3540 | struct sockaddr_in6 *sin6; |
3541 | struct secasvar *sav = NULL; |
3542 | |
3543 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
3544 | |
3545 | if (!state) |
3546 | panic("state == NULL in ipsec6_output_trans" ); |
3547 | if (!state->m) |
3548 | panic("state->m == NULL in ipsec6_output_trans" ); |
3549 | if (!nexthdrp) |
3550 | panic("nexthdrp == NULL in ipsec6_output_trans" ); |
3551 | if (!mprev) |
3552 | panic("mprev == NULL in ipsec6_output_trans" ); |
3553 | if (!sp) |
3554 | panic("sp == NULL in ipsec6_output_trans" ); |
3555 | if (!tun) |
3556 | panic("tun == NULL in ipsec6_output_trans" ); |
3557 | |
3558 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
3559 | printf("ipsec6_output_trans: applyed SP\n" ); |
3560 | kdebug_secpolicy(sp)); |
3561 | |
3562 | *tun = 0; |
3563 | for (isr = sp->req; isr; isr = isr->next) { |
3564 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { |
3565 | /* the rest will be handled by ipsec6_output_tunnel() */ |
3566 | break; |
3567 | } |
3568 | |
3569 | /* make SA index for search proper SA */ |
3570 | ip6 = mtod(state->m, struct ip6_hdr *); |
3571 | bcopy(&isr->saidx, &saidx, sizeof(saidx)); |
3572 | saidx.mode = isr->saidx.mode; |
3573 | saidx.reqid = isr->saidx.reqid; |
3574 | sin6 = (struct sockaddr_in6 *)&saidx.src; |
3575 | if (sin6->sin6_len == 0) { |
3576 | sin6->sin6_len = sizeof(*sin6); |
3577 | sin6->sin6_family = AF_INET6; |
3578 | sin6->sin6_port = IPSEC_PORT_ANY; |
3579 | bcopy(&ip6->ip6_src, &sin6->sin6_addr, |
3580 | sizeof(ip6->ip6_src)); |
3581 | if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { |
3582 | /* fix scope id for comparing SPD */ |
3583 | sin6->sin6_addr.s6_addr16[1] = 0; |
3584 | sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); |
3585 | } |
3586 | } |
3587 | sin6 = (struct sockaddr_in6 *)&saidx.dst; |
3588 | if (sin6->sin6_len == 0) { |
3589 | sin6->sin6_len = sizeof(*sin6); |
3590 | sin6->sin6_family = AF_INET6; |
3591 | sin6->sin6_port = IPSEC_PORT_ANY; |
3592 | bcopy(&ip6->ip6_dst, &sin6->sin6_addr, |
3593 | sizeof(ip6->ip6_dst)); |
3594 | if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { |
3595 | /* fix scope id for comparing SPD */ |
3596 | sin6->sin6_addr.s6_addr16[1] = 0; |
3597 | sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); |
3598 | } |
3599 | } |
3600 | |
3601 | if (key_checkrequest(isr, &saidx, &sav) == ENOENT) { |
3602 | /* |
3603 | * IPsec processing is required, but no SA found. |
3604 | * I assume that key_acquire() had been called |
3605 | * to get/establish the SA. Here I discard |
3606 | * this packet because it is responsibility for |
3607 | * upper layer to retransmit the packet. |
3608 | */ |
3609 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); |
3610 | error = ENOENT; |
3611 | |
3612 | /* |
3613 | * Notify the fact that the packet is discarded |
3614 | * to ourselves. I believe this is better than |
3615 | * just silently discarding. (jinmei@kame.net) |
3616 | * XXX: should we restrict the error to TCP packets? |
3617 | * XXX: should we directly notify sockets via |
3618 | * pfctlinputs? |
3619 | */ |
3620 | icmp6_error(state->m, ICMP6_DST_UNREACH, |
3621 | ICMP6_DST_UNREACH_ADMIN, 0); |
3622 | state->m = NULL; /* icmp6_error freed the mbuf */ |
3623 | goto bad; |
3624 | } |
3625 | |
3626 | /* validity check */ |
3627 | if (sav == NULL) { |
3628 | switch (ipsec_get_reqlevel(isr)) { |
3629 | case IPSEC_LEVEL_USE: |
3630 | continue; |
3631 | case IPSEC_LEVEL_REQUIRE: |
3632 | /* must be not reached here. */ |
3633 | panic("ipsec6_output_trans: no SA found, but required." ); |
3634 | } |
3635 | } |
3636 | |
3637 | if ((error = ipsec6_output_trans_internal(state, sav, nexthdrp, mprev)) != 0) { |
3638 | goto bad; |
3639 | } |
3640 | } |
3641 | |
3642 | /* if we have more to go, we need a tunnel mode processing */ |
3643 | if (isr != NULL) |
3644 | *tun = 1; |
3645 | |
3646 | if (sav) |
3647 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3648 | return 0; |
3649 | |
3650 | bad: |
3651 | if (sav) |
3652 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3653 | m_freem(state->m); |
3654 | state->m = NULL; |
3655 | return error; |
3656 | } |
3657 | |
3658 | /* |
3659 | * IPsec output logic for IPv6, tunnel mode. |
3660 | */ |
3661 | static int |
3662 | ipsec6_output_tunnel_internal(struct ipsec_output_state *state, struct secasvar *sav, int *must_be_last) |
3663 | { |
3664 | struct ip6_hdr *ip6; |
3665 | int error = 0; |
3666 | int plen; |
3667 | struct sockaddr_in6* dst6; |
3668 | struct route_in6 *ro6; |
3669 | |
3670 | /* validity check */ |
3671 | if (sav == NULL || sav->sah == NULL || sav->sah->saidx.mode != IPSEC_MODE_TUNNEL) { |
3672 | error = EINVAL; |
3673 | goto bad; |
3674 | } |
3675 | |
3676 | /* |
3677 | * If there is no valid SA, we give up to process. |
3678 | * see same place at ipsec4_output(). |
3679 | */ |
3680 | if (sav->state != SADB_SASTATE_MATURE |
3681 | && sav->state != SADB_SASTATE_DYING) { |
3682 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); |
3683 | error = EINVAL; |
3684 | goto bad; |
3685 | } |
3686 | |
3687 | state->outgoing_if = sav->sah->outgoing_if; |
3688 | |
3689 | if (sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) { |
3690 | /* |
3691 | * build IPsec tunnel. |
3692 | */ |
3693 | state->m = ipsec6_splithdr(state->m); |
3694 | if (!state->m) { |
3695 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem); |
3696 | error = ENOMEM; |
3697 | goto bad; |
3698 | } |
3699 | |
3700 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) { |
3701 | error = ipsec6_encapsulate(state->m, sav); |
3702 | if (error) { |
3703 | state->m = 0; |
3704 | goto bad; |
3705 | } |
3706 | ip6 = mtod(state->m, struct ip6_hdr *); |
3707 | } else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) { |
3708 | |
3709 | struct ip *ip; |
3710 | struct sockaddr_in* dst4; |
3711 | struct route *ro4 = NULL; |
3712 | struct route ro4_copy; |
3713 | struct ip_out_args ipoa; |
3714 | |
3715 | bzero(&ipoa, sizeof(ipoa)); |
3716 | ipoa.ipoa_boundif = IFSCOPE_NONE; |
3717 | ipoa.ipoa_flags = IPOAF_SELECT_SRCIF; |
3718 | ipoa.ipoa_sotc = SO_TC_UNSPEC; |
3719 | ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC; |
3720 | |
3721 | if (must_be_last) |
3722 | *must_be_last = 1; |
3723 | |
3724 | state->tunneled = 4; /* must not process any further in ip6_output */ |
3725 | error = ipsec64_encapsulate(state->m, sav); |
3726 | if (error) { |
3727 | state->m = 0; |
3728 | goto bad; |
3729 | } |
3730 | /* Now we have an IPv4 packet */ |
3731 | ip = mtod(state->m, struct ip *); |
3732 | |
3733 | // grab sadb_mutex, to update sah's route cache and get a local copy of it |
3734 | lck_mtx_lock(sadb_mutex); |
3735 | ro4 = (struct route *)&sav->sah->sa_route; |
3736 | dst4 = (struct sockaddr_in *)(void *)&ro4->ro_dst; |
3737 | if (ro4->ro_rt) { |
3738 | RT_LOCK(ro4->ro_rt); |
3739 | } |
3740 | if (ROUTE_UNUSABLE(ro4) || |
3741 | dst4->sin_addr.s_addr != ip->ip_dst.s_addr) { |
3742 | if (ro4->ro_rt != NULL) |
3743 | RT_UNLOCK(ro4->ro_rt); |
3744 | ROUTE_RELEASE(ro4); |
3745 | } |
3746 | if (ro4->ro_rt == NULL) { |
3747 | dst4->sin_family = AF_INET; |
3748 | dst4->sin_len = sizeof(*dst4); |
3749 | dst4->sin_addr = ip->ip_dst; |
3750 | } else { |
3751 | RT_UNLOCK(ro4->ro_rt); |
3752 | } |
3753 | route_copyout(&ro4_copy, ro4, sizeof(struct route)); |
3754 | // release sadb_mutex, after updating sah's route cache and getting a local copy |
3755 | lck_mtx_unlock(sadb_mutex); |
3756 | state->m = ipsec4_splithdr(state->m); |
3757 | if (!state->m) { |
3758 | error = ENOMEM; |
3759 | ROUTE_RELEASE(&ro4_copy); |
3760 | goto bad; |
3761 | } |
3762 | switch (sav->sah->saidx.proto) { |
3763 | case IPPROTO_ESP: |
3764 | #if IPSEC_ESP |
3765 | if ((error = esp4_output(state->m, sav)) != 0) { |
3766 | state->m = NULL; |
3767 | ROUTE_RELEASE(&ro4_copy); |
3768 | goto bad; |
3769 | } |
3770 | break; |
3771 | |
3772 | #else |
3773 | m_freem(state->m); |
3774 | state->m = NULL; |
3775 | error = EINVAL; |
3776 | ROUTE_RELEASE(&ro4_copy); |
3777 | goto bad; |
3778 | #endif |
3779 | case IPPROTO_AH: |
3780 | if ((error = ah4_output(state->m, sav)) != 0) { |
3781 | state->m = NULL; |
3782 | ROUTE_RELEASE(&ro4_copy); |
3783 | goto bad; |
3784 | } |
3785 | break; |
3786 | case IPPROTO_IPCOMP: |
3787 | if ((error = ipcomp4_output(state->m, sav)) != 0) { |
3788 | state->m = NULL; |
3789 | ROUTE_RELEASE(&ro4_copy); |
3790 | goto bad; |
3791 | } |
3792 | break; |
3793 | default: |
3794 | ipseclog((LOG_ERR, |
3795 | "ipsec4_output: unknown ipsec protocol %d\n" , |
3796 | sav->sah->saidx.proto)); |
3797 | m_freem(state->m); |
3798 | state->m = NULL; |
3799 | error = EINVAL; |
3800 | ROUTE_RELEASE(&ro4_copy); |
3801 | goto bad; |
3802 | } |
3803 | |
3804 | if (state->m == 0) { |
3805 | error = ENOMEM; |
3806 | ROUTE_RELEASE(&ro4_copy); |
3807 | goto bad; |
3808 | } |
3809 | ipsec_set_pkthdr_for_interface(sav->sah->ipsec_if, state->m, AF_INET); |
3810 | ipsec_set_ipoa_for_interface(sav->sah->ipsec_if, &ipoa); |
3811 | |
3812 | ip = mtod(state->m, struct ip *); |
3813 | ip->ip_len = ntohs(ip->ip_len); /* flip len field before calling ip_output */ |
3814 | error = ip_output(state->m, NULL, &ro4_copy, IP_OUTARGS, NULL, &ipoa); |
3815 | state->m = NULL; |
3816 | // grab sadb_mutex, to synchronize the sah's route cache with the local copy |
3817 | lck_mtx_lock(sadb_mutex); |
3818 | route_copyin(&ro4_copy, ro4, sizeof(struct route)); |
3819 | lck_mtx_unlock(sadb_mutex); |
3820 | if (error != 0) |
3821 | goto bad; |
3822 | goto done; |
3823 | } else { |
3824 | ipseclog((LOG_ERR, "ipsec6_output_tunnel: " |
3825 | "unsupported inner family, spi=%u\n" , |
3826 | (u_int32_t)ntohl(sav->spi))); |
3827 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
3828 | error = EAFNOSUPPORT; |
3829 | goto bad; |
3830 | } |
3831 | |
3832 | // grab sadb_mutex, before updating sah's route cache |
3833 | lck_mtx_lock(sadb_mutex); |
3834 | ro6 = &sav->sah->sa_route; |
3835 | dst6 = (struct sockaddr_in6 *)(void *)&ro6->ro_dst; |
3836 | if (ro6->ro_rt) { |
3837 | RT_LOCK(ro6->ro_rt); |
3838 | } |
3839 | if (ROUTE_UNUSABLE(ro6) || |
3840 | !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst)) { |
3841 | if (ro6->ro_rt != NULL) |
3842 | RT_UNLOCK(ro6->ro_rt); |
3843 | ROUTE_RELEASE(ro6); |
3844 | } |
3845 | if (ro6->ro_rt == 0) { |
3846 | bzero(dst6, sizeof(*dst6)); |
3847 | dst6->sin6_family = AF_INET6; |
3848 | dst6->sin6_len = sizeof(*dst6); |
3849 | dst6->sin6_addr = ip6->ip6_dst; |
3850 | rtalloc_scoped((struct route *)ro6, sav->sah->outgoing_if); |
3851 | if (ro6->ro_rt) { |
3852 | RT_LOCK(ro6->ro_rt); |
3853 | } |
3854 | } |
3855 | if (ro6->ro_rt == 0) { |
3856 | ip6stat.ip6s_noroute++; |
3857 | IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute); |
3858 | error = EHOSTUNREACH; |
3859 | // release sadb_mutex, after updating sah's route cache |
3860 | lck_mtx_unlock(sadb_mutex); |
3861 | goto bad; |
3862 | } |
3863 | |
3864 | /* |
3865 | * adjust state->dst if tunnel endpoint is offlink |
3866 | * |
3867 | * XXX: caching rt_gateway value in the state is |
3868 | * not really good, since it may point elsewhere |
3869 | * when the gateway gets modified to a larger |
3870 | * sockaddr via rt_setgate(). This is currently |
3871 | * addressed by SA_SIZE roundup in that routine. |
3872 | */ |
3873 | if (ro6->ro_rt->rt_flags & RTF_GATEWAY) |
3874 | dst6 = (struct sockaddr_in6 *)(void *)ro6->ro_rt->rt_gateway; |
3875 | RT_UNLOCK(ro6->ro_rt); |
3876 | ROUTE_RELEASE(&state->ro); |
3877 | route_copyout((struct route *)&state->ro, (struct route *)ro6, sizeof(struct route_in6)); |
3878 | state->dst = (struct sockaddr *)dst6; |
3879 | state->tunneled = 6; |
3880 | // release sadb_mutex, after updating sah's route cache |
3881 | lck_mtx_unlock(sadb_mutex); |
3882 | } |
3883 | |
3884 | state->m = ipsec6_splithdr(state->m); |
3885 | if (!state->m) { |
3886 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem); |
3887 | error = ENOMEM; |
3888 | goto bad; |
3889 | } |
3890 | ip6 = mtod(state->m, struct ip6_hdr *); |
3891 | switch (sav->sah->saidx.proto) { |
3892 | case IPPROTO_ESP: |
3893 | #if IPSEC_ESP |
3894 | error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); |
3895 | #else |
3896 | m_freem(state->m); |
3897 | error = EINVAL; |
3898 | #endif |
3899 | break; |
3900 | case IPPROTO_AH: |
3901 | error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); |
3902 | break; |
3903 | case IPPROTO_IPCOMP: |
3904 | /* XXX code should be here */ |
3905 | /*FALLTHROUGH*/ |
3906 | default: |
3907 | ipseclog((LOG_ERR, "ipsec6_output_tunnel: " |
3908 | "unknown ipsec protocol %d\n" , sav->sah->saidx.proto)); |
3909 | m_freem(state->m); |
3910 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
3911 | error = EINVAL; |
3912 | break; |
3913 | } |
3914 | if (error) { |
3915 | state->m = NULL; |
3916 | goto bad; |
3917 | } |
3918 | plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); |
3919 | if (plen > IPV6_MAXPACKET) { |
3920 | ipseclog((LOG_ERR, "ipsec6_output_tunnel: " |
3921 | "IPsec with IPv6 jumbogram is not supported\n" )); |
3922 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
3923 | error = EINVAL; /*XXX*/ |
3924 | goto bad; |
3925 | } |
3926 | ip6 = mtod(state->m, struct ip6_hdr *); |
3927 | ip6->ip6_plen = htons(plen); |
3928 | done: |
3929 | return 0; |
3930 | |
3931 | bad: |
3932 | return error; |
3933 | } |
3934 | |
3935 | int |
3936 | ipsec6_output_tunnel( |
3937 | struct ipsec_output_state *state, |
3938 | struct secpolicy *sp, |
3939 | __unused int flags) |
3940 | { |
3941 | struct ip6_hdr *ip6; |
3942 | struct ipsecrequest *isr = NULL; |
3943 | struct secasindex saidx; |
3944 | struct secasvar *sav = NULL; |
3945 | int error = 0; |
3946 | |
3947 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
3948 | |
3949 | if (!state) |
3950 | panic("state == NULL in ipsec6_output_tunnel" ); |
3951 | if (!state->m) |
3952 | panic("state->m == NULL in ipsec6_output_tunnel" ); |
3953 | if (!sp) |
3954 | panic("sp == NULL in ipsec6_output_tunnel" ); |
3955 | |
3956 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
3957 | printf("ipsec6_output_tunnel: applyed SP\n" ); |
3958 | kdebug_secpolicy(sp)); |
3959 | |
3960 | /* |
3961 | * transport mode ipsec (before the 1st tunnel mode) is already |
3962 | * processed by ipsec6_output_trans(). |
3963 | */ |
3964 | for (isr = sp->req; isr; isr = isr->next) { |
3965 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL) |
3966 | break; |
3967 | } |
3968 | |
3969 | for (/* already initialized */; isr; isr = isr->next) { |
3970 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { |
3971 | /* When tunnel mode, SA peers must be specified. */ |
3972 | bcopy(&isr->saidx, &saidx, sizeof(saidx)); |
3973 | } else { |
3974 | /* make SA index to look for a proper SA */ |
3975 | struct sockaddr_in6 *sin6; |
3976 | |
3977 | bzero(&saidx, sizeof(saidx)); |
3978 | saidx.proto = isr->saidx.proto; |
3979 | saidx.mode = isr->saidx.mode; |
3980 | saidx.reqid = isr->saidx.reqid; |
3981 | |
3982 | ip6 = mtod(state->m, struct ip6_hdr *); |
3983 | sin6 = (struct sockaddr_in6 *)&saidx.src; |
3984 | if (sin6->sin6_len == 0) { |
3985 | sin6->sin6_len = sizeof(*sin6); |
3986 | sin6->sin6_family = AF_INET6; |
3987 | sin6->sin6_port = IPSEC_PORT_ANY; |
3988 | bcopy(&ip6->ip6_src, &sin6->sin6_addr, |
3989 | sizeof(ip6->ip6_src)); |
3990 | if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { |
3991 | /* fix scope id for comparing SPD */ |
3992 | sin6->sin6_addr.s6_addr16[1] = 0; |
3993 | sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); |
3994 | } |
3995 | } |
3996 | sin6 = (struct sockaddr_in6 *)&saidx.dst; |
3997 | if (sin6->sin6_len == 0) { |
3998 | sin6->sin6_len = sizeof(*sin6); |
3999 | sin6->sin6_family = AF_INET6; |
4000 | sin6->sin6_port = IPSEC_PORT_ANY; |
4001 | bcopy(&ip6->ip6_dst, &sin6->sin6_addr, |
4002 | sizeof(ip6->ip6_dst)); |
4003 | if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { |
4004 | /* fix scope id for comparing SPD */ |
4005 | sin6->sin6_addr.s6_addr16[1] = 0; |
4006 | sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); |
4007 | } |
4008 | } |
4009 | } |
4010 | |
4011 | if (key_checkrequest(isr, &saidx, &sav) == ENOENT) { |
4012 | /* |
4013 | * IPsec processing is required, but no SA found. |
4014 | * I assume that key_acquire() had been called |
4015 | * to get/establish the SA. Here I discard |
4016 | * this packet because it is responsibility for |
4017 | * upper layer to retransmit the packet. |
4018 | */ |
4019 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); |
4020 | error = ENOENT; |
4021 | goto bad; |
4022 | } |
4023 | |
4024 | /* validity check */ |
4025 | if (sav == NULL) { |
4026 | switch (ipsec_get_reqlevel(isr)) { |
4027 | case IPSEC_LEVEL_USE: |
4028 | continue; |
4029 | case IPSEC_LEVEL_REQUIRE: |
4030 | /* must be not reached here. */ |
4031 | panic("ipsec6_output_tunnel: no SA found, but required." ); |
4032 | } |
4033 | } |
4034 | |
4035 | /* |
4036 | * If there is no valid SA, we give up to process. |
4037 | * see same place at ipsec4_output(). |
4038 | */ |
4039 | if (sav->state != SADB_SASTATE_MATURE |
4040 | && sav->state != SADB_SASTATE_DYING) { |
4041 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); |
4042 | error = EINVAL; |
4043 | goto bad; |
4044 | } |
4045 | |
4046 | int must_be_last = 0; |
4047 | |
4048 | if ((error = ipsec6_output_tunnel_internal(state, sav, &must_be_last)) != 0) { |
4049 | goto bad; |
4050 | } |
4051 | |
4052 | if (must_be_last && isr->next) { |
4053 | ipseclog((LOG_ERR, "ipsec6_output_tunnel: " |
4054 | "IPv4 must be outer layer, spi=%u\n" , |
4055 | (u_int32_t)ntohl(sav->spi))); |
4056 | error = EINVAL; |
4057 | goto bad; |
4058 | } |
4059 | } |
4060 | |
4061 | if (sav) |
4062 | key_freesav(sav, KEY_SADB_UNLOCKED); |
4063 | return 0; |
4064 | |
4065 | bad: |
4066 | if (sav) |
4067 | key_freesav(sav, KEY_SADB_UNLOCKED); |
4068 | if (state->m) |
4069 | m_freem(state->m); |
4070 | state->m = NULL; |
4071 | return error; |
4072 | } |
4073 | |
4074 | int |
4075 | ipsec6_interface_output(struct ipsec_output_state *state, ifnet_t interface, u_char *nexthdrp, struct mbuf *mprev) |
4076 | { |
4077 | int error = 0; |
4078 | struct secasvar *sav = NULL; |
4079 | |
4080 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
4081 | |
4082 | if (state == NULL) { |
4083 | panic("state == NULL in ipsec6_output" ); |
4084 | } |
4085 | if (state->m == NULL) { |
4086 | panic("state->m == NULL in ipsec6_output" ); |
4087 | } |
4088 | if (nexthdrp == NULL) { |
4089 | panic("nexthdrp == NULL in ipsec6_output" ); |
4090 | } |
4091 | if (mprev == NULL) { |
4092 | panic("mprev == NULL in ipsec6_output" ); |
4093 | } |
4094 | |
4095 | struct ip6_hdr *ip6 = mtod(state->m, struct ip6_hdr *); |
4096 | |
4097 | struct sockaddr_in6 src = {}; |
4098 | src.sin6_family = AF_INET6; |
4099 | src.sin6_len = sizeof(src); |
4100 | memcpy(&src.sin6_addr, &ip6->ip6_src, sizeof(src.sin6_addr)); |
4101 | |
4102 | struct sockaddr_in6 dst = {}; |
4103 | dst.sin6_family = AF_INET6; |
4104 | dst.sin6_len = sizeof(dst); |
4105 | memcpy(&dst.sin6_addr, &ip6->ip6_dst, sizeof(dst.sin6_addr)); |
4106 | |
4107 | sav = key_alloc_outbound_sav_for_interface(interface, AF_INET6, |
4108 | (struct sockaddr *)&src, |
4109 | (struct sockaddr *)&dst); |
4110 | if (sav == NULL) { |
4111 | goto bad; |
4112 | } |
4113 | |
4114 | if (sav->sah && sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) { |
4115 | if ((error = ipsec6_output_tunnel_internal(state, sav, NULL)) != 0) { |
4116 | goto bad; |
4117 | } |
4118 | } |
4119 | else { |
4120 | if ((error = ipsec6_output_trans_internal(state, sav, nexthdrp, mprev)) != 0) { |
4121 | goto bad; |
4122 | } |
4123 | } |
4124 | |
4125 | if (sav) { |
4126 | key_freesav(sav, KEY_SADB_UNLOCKED); |
4127 | } |
4128 | return 0; |
4129 | |
4130 | bad: |
4131 | if (sav) { |
4132 | key_freesav(sav, KEY_SADB_UNLOCKED); |
4133 | } |
4134 | m_freem(state->m); |
4135 | state->m = NULL; |
4136 | return error; |
4137 | } |
4138 | #endif /*INET6*/ |
4139 | |
4140 | #if INET |
4141 | /* |
4142 | * Chop IP header and option off from the payload. |
4143 | */ |
4144 | struct mbuf * |
4145 | ipsec4_splithdr(struct mbuf *m) |
4146 | { |
4147 | struct mbuf *mh; |
4148 | struct ip *ip; |
4149 | int hlen; |
4150 | |
4151 | if (m->m_len < sizeof(struct ip)) |
4152 | panic("ipsec4_splithdr: first mbuf too short, m_len %d, pkt_len %d, m_flag %x" , m->m_len, m->m_pkthdr.len, m->m_flags); |
4153 | ip = mtod(m, struct ip *); |
4154 | #ifdef _IP_VHL |
4155 | hlen = _IP_VHL_HL(ip->ip_vhl) << 2; |
4156 | #else |
4157 | hlen = ip->ip_hl << 2; |
4158 | #endif |
4159 | if (m->m_len > hlen) { |
4160 | MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */ |
4161 | if (!mh) { |
4162 | m_freem(m); |
4163 | return NULL; |
4164 | } |
4165 | M_COPY_PKTHDR(mh, m); |
4166 | MH_ALIGN(mh, hlen); |
4167 | m->m_flags &= ~M_PKTHDR; |
4168 | m_mchtype(m, MT_DATA); |
4169 | m->m_len -= hlen; |
4170 | m->m_data += hlen; |
4171 | mh->m_next = m; |
4172 | m = mh; |
4173 | m->m_len = hlen; |
4174 | bcopy((caddr_t)ip, mtod(m, caddr_t), hlen); |
4175 | } else if (m->m_len < hlen) { |
4176 | m = m_pullup(m, hlen); |
4177 | if (!m) |
4178 | return NULL; |
4179 | } |
4180 | return m; |
4181 | } |
4182 | #endif |
4183 | |
4184 | #if INET6 |
4185 | struct mbuf * |
4186 | ipsec6_splithdr(struct mbuf *m) |
4187 | { |
4188 | struct mbuf *mh; |
4189 | struct ip6_hdr *ip6; |
4190 | int hlen; |
4191 | |
4192 | if (m->m_len < sizeof(struct ip6_hdr)) |
4193 | panic("ipsec6_splithdr: first mbuf too short" ); |
4194 | ip6 = mtod(m, struct ip6_hdr *); |
4195 | hlen = sizeof(struct ip6_hdr); |
4196 | if (m->m_len > hlen) { |
4197 | MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */ |
4198 | if (!mh) { |
4199 | m_freem(m); |
4200 | return NULL; |
4201 | } |
4202 | M_COPY_PKTHDR(mh, m); |
4203 | MH_ALIGN(mh, hlen); |
4204 | m->m_flags &= ~M_PKTHDR; |
4205 | m_mchtype(m, MT_DATA); |
4206 | m->m_len -= hlen; |
4207 | m->m_data += hlen; |
4208 | mh->m_next = m; |
4209 | m = mh; |
4210 | m->m_len = hlen; |
4211 | bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen); |
4212 | } else if (m->m_len < hlen) { |
4213 | m = m_pullup(m, hlen); |
4214 | if (!m) |
4215 | return NULL; |
4216 | } |
4217 | return m; |
4218 | } |
4219 | #endif |
4220 | |
4221 | /* validate inbound IPsec tunnel packet. */ |
4222 | int |
4223 | ipsec4_tunnel_validate( |
4224 | struct mbuf *m, /* no pullup permitted, m->m_len >= ip */ |
4225 | int off, |
4226 | u_int nxt0, |
4227 | struct secasvar *sav, |
4228 | sa_family_t *ifamily) |
4229 | { |
4230 | u_int8_t nxt = nxt0 & 0xff; |
4231 | struct sockaddr_in *sin; |
4232 | struct sockaddr_in osrc, odst, i4src, i4dst; |
4233 | struct sockaddr_in6 i6src, i6dst; |
4234 | int hlen; |
4235 | struct secpolicy *sp; |
4236 | struct ip *oip; |
4237 | |
4238 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
4239 | |
4240 | #if DIAGNOSTIC |
4241 | if (m->m_len < sizeof(struct ip)) |
4242 | panic("too short mbuf on ipsec4_tunnel_validate" ); |
4243 | #endif |
4244 | if (nxt != IPPROTO_IPV4 && nxt != IPPROTO_IPV6) |
4245 | return 0; |
4246 | if (m->m_pkthdr.len < off + sizeof(struct ip)) |
4247 | return 0; |
4248 | /* do not decapsulate if the SA is for transport mode only */ |
4249 | if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) |
4250 | return 0; |
4251 | |
4252 | oip = mtod(m, struct ip *); |
4253 | #ifdef _IP_VHL |
4254 | hlen = _IP_VHL_HL(oip->ip_vhl) << 2; |
4255 | #else |
4256 | hlen = oip->ip_hl << 2; |
4257 | #endif |
4258 | if (hlen != sizeof(struct ip)) |
4259 | return 0; |
4260 | |
4261 | sin = (struct sockaddr_in *)&sav->sah->saidx.dst; |
4262 | if (sin->sin_family != AF_INET) |
4263 | return 0; |
4264 | if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0) |
4265 | return 0; |
4266 | |
4267 | if (sav->sah->ipsec_if != NULL) { |
4268 | // the ipsec interface SAs don't have a policies. |
4269 | if (nxt == IPPROTO_IPV4) { |
4270 | *ifamily = AF_INET; |
4271 | } else if (nxt == IPPROTO_IPV6) { |
4272 | *ifamily = AF_INET6; |
4273 | } else { |
4274 | return 0; |
4275 | } |
4276 | return 1; |
4277 | } |
4278 | |
4279 | /* XXX slow */ |
4280 | bzero(&osrc, sizeof(osrc)); |
4281 | bzero(&odst, sizeof(odst)); |
4282 | osrc.sin_family = odst.sin_family = AF_INET; |
4283 | osrc.sin_len = odst.sin_len = sizeof(struct sockaddr_in); |
4284 | osrc.sin_addr = oip->ip_src; |
4285 | odst.sin_addr = oip->ip_dst; |
4286 | /* |
4287 | * RFC2401 5.2.1 (b): (assume that we are using tunnel mode) |
4288 | * - if the inner destination is multicast address, there can be |
4289 | * multiple permissible inner source address. implementation |
4290 | * may want to skip verification of inner source address against |
4291 | * SPD selector. |
4292 | * - if the inner protocol is ICMP, the packet may be an error report |
4293 | * from routers on the other side of the VPN cloud (R in the |
4294 | * following diagram). in this case, we cannot verify inner source |
4295 | * address against SPD selector. |
4296 | * me -- gw === gw -- R -- you |
4297 | * |
4298 | * we consider the first bullet to be users responsibility on SPD entry |
4299 | * configuration (if you need to encrypt multicast traffic, set |
4300 | * the source range of SPD selector to 0.0.0.0/0, or have explicit |
4301 | * address ranges for possible senders). |
4302 | * the second bullet is not taken care of (yet). |
4303 | * |
4304 | * therefore, we do not do anything special about inner source. |
4305 | */ |
4306 | if (nxt == IPPROTO_IPV4) { |
4307 | bzero(&i4src, sizeof(struct sockaddr_in)); |
4308 | bzero(&i4dst, sizeof(struct sockaddr_in)); |
4309 | i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET; |
4310 | i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in); |
4311 | m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr), |
4312 | (caddr_t)&i4src.sin_addr); |
4313 | m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr), |
4314 | (caddr_t)&i4dst.sin_addr); |
4315 | sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, |
4316 | (struct sockaddr *)&i4src, (struct sockaddr *)&i4dst); |
4317 | } else if (nxt == IPPROTO_IPV6) { |
4318 | bzero(&i6src, sizeof(struct sockaddr_in6)); |
4319 | bzero(&i6dst, sizeof(struct sockaddr_in6)); |
4320 | i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6; |
4321 | i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6); |
4322 | m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr), |
4323 | (caddr_t)&i6src.sin6_addr); |
4324 | m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr), |
4325 | (caddr_t)&i6dst.sin6_addr); |
4326 | sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, |
4327 | (struct sockaddr *)&i6src, (struct sockaddr *)&i6dst); |
4328 | } else |
4329 | return 0; /* unsupported family */ |
4330 | |
4331 | if (!sp) |
4332 | return 0; |
4333 | |
4334 | key_freesp(sp, KEY_SADB_UNLOCKED); |
4335 | |
4336 | return 1; |
4337 | } |
4338 | |
4339 | #if INET6 |
4340 | /* validate inbound IPsec tunnel packet. */ |
4341 | int |
4342 | ipsec6_tunnel_validate( |
4343 | struct mbuf *m, /* no pullup permitted, m->m_len >= ip */ |
4344 | int off, |
4345 | u_int nxt0, |
4346 | struct secasvar *sav, |
4347 | sa_family_t *ifamily) |
4348 | { |
4349 | u_int8_t nxt = nxt0 & 0xff; |
4350 | struct sockaddr_in6 *sin6; |
4351 | struct sockaddr_in i4src, i4dst; |
4352 | struct sockaddr_in6 osrc, odst, i6src, i6dst; |
4353 | struct secpolicy *sp; |
4354 | struct ip6_hdr *oip6; |
4355 | |
4356 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
4357 | |
4358 | #if DIAGNOSTIC |
4359 | if (m->m_len < sizeof(struct ip6_hdr)) |
4360 | panic("too short mbuf on ipsec6_tunnel_validate" ); |
4361 | #endif |
4362 | if (nxt != IPPROTO_IPV4 && nxt != IPPROTO_IPV6) |
4363 | return 0; |
4364 | |
4365 | if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr)) |
4366 | return 0; |
4367 | /* do not decapsulate if the SA is for transport mode only */ |
4368 | if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) |
4369 | return 0; |
4370 | |
4371 | oip6 = mtod(m, struct ip6_hdr *); |
4372 | /* AF_INET should be supported, but at this moment we don't. */ |
4373 | sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst; |
4374 | if (sin6->sin6_family != AF_INET6) |
4375 | return 0; |
4376 | if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr)) |
4377 | return 0; |
4378 | |
4379 | if (sav->sah->ipsec_if != NULL) { |
4380 | // the ipsec interface SAs don't have a policies. |
4381 | if (nxt == IPPROTO_IPV4) { |
4382 | *ifamily = AF_INET; |
4383 | } else if (nxt == IPPROTO_IPV6) { |
4384 | *ifamily = AF_INET6; |
4385 | } else { |
4386 | return 0; |
4387 | } |
4388 | return 1; |
4389 | } |
4390 | |
4391 | /* XXX slow */ |
4392 | bzero(&osrc, sizeof(osrc)); |
4393 | bzero(&odst, sizeof(odst)); |
4394 | osrc.sin6_family = odst.sin6_family = AF_INET6; |
4395 | osrc.sin6_len = odst.sin6_len = sizeof(struct sockaddr_in6); |
4396 | osrc.sin6_addr = oip6->ip6_src; |
4397 | odst.sin6_addr = oip6->ip6_dst; |
4398 | |
4399 | /* |
4400 | * regarding to inner source address validation, see a long comment |
4401 | * in ipsec4_tunnel_validate. |
4402 | */ |
4403 | |
4404 | if (nxt == IPPROTO_IPV4) { |
4405 | bzero(&i4src, sizeof(struct sockaddr_in)); |
4406 | bzero(&i4dst, sizeof(struct sockaddr_in)); |
4407 | i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET; |
4408 | i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in); |
4409 | m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr), |
4410 | (caddr_t)&i4src.sin_addr); |
4411 | m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr), |
4412 | (caddr_t)&i4dst.sin_addr); |
4413 | sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, |
4414 | (struct sockaddr *)&i4src, (struct sockaddr *)&i4dst); |
4415 | } else if (nxt == IPPROTO_IPV6) { |
4416 | bzero(&i6src, sizeof(struct sockaddr_in6)); |
4417 | bzero(&i6dst, sizeof(struct sockaddr_in6)); |
4418 | i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6; |
4419 | i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6); |
4420 | m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr), |
4421 | (caddr_t)&i6src.sin6_addr); |
4422 | m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr), |
4423 | (caddr_t)&i6dst.sin6_addr); |
4424 | sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, |
4425 | (struct sockaddr *)&i6src, (struct sockaddr *)&i6dst); |
4426 | } else |
4427 | return 0; /* unsupported family */ |
4428 | /* |
4429 | * when there is no suitable inbound policy for the packet of the ipsec |
4430 | * tunnel mode, the kernel never decapsulate the tunneled packet |
4431 | * as the ipsec tunnel mode even when the system wide policy is "none". |
4432 | * then the kernel leaves the generic tunnel module to process this |
4433 | * packet. if there is no rule of the generic tunnel, the packet |
4434 | * is rejected and the statistics will be counted up. |
4435 | */ |
4436 | if (!sp) |
4437 | return 0; |
4438 | key_freesp(sp, KEY_SADB_UNLOCKED); |
4439 | |
4440 | return 1; |
4441 | } |
4442 | #endif |
4443 | |
4444 | /* |
4445 | * Make a mbuf chain for encryption. |
4446 | * If the original mbuf chain contains a mbuf with a cluster, |
4447 | * allocate a new cluster and copy the data to the new cluster. |
4448 | * XXX: this hack is inefficient, but is necessary to handle cases |
4449 | * of TCP retransmission... |
4450 | */ |
4451 | struct mbuf * |
4452 | ipsec_copypkt(struct mbuf *m) |
4453 | { |
4454 | struct mbuf *n, **mpp, *mnew; |
4455 | |
4456 | for (n = m, mpp = &m; n; n = n->m_next) { |
4457 | if (n->m_flags & M_EXT) { |
4458 | /* |
4459 | * Make a copy only if there are more than one references |
4460 | * to the cluster. |
4461 | * XXX: is this approach effective? |
4462 | */ |
4463 | if ( |
4464 | m_get_ext_free(n) != NULL || |
4465 | m_mclhasreference(n) |
4466 | ) |
4467 | { |
4468 | int remain, copied; |
4469 | struct mbuf *mm; |
4470 | |
4471 | if (n->m_flags & M_PKTHDR) { |
4472 | MGETHDR(mnew, M_DONTWAIT, MT_HEADER); /* MAC-OK */ |
4473 | if (mnew == NULL) |
4474 | goto fail; |
4475 | M_COPY_PKTHDR(mnew, n); |
4476 | } |
4477 | else { |
4478 | MGET(mnew, M_DONTWAIT, MT_DATA); |
4479 | if (mnew == NULL) |
4480 | goto fail; |
4481 | } |
4482 | mnew->m_len = 0; |
4483 | mm = mnew; |
4484 | |
4485 | /* |
4486 | * Copy data. If we don't have enough space to |
4487 | * store the whole data, allocate a cluster |
4488 | * or additional mbufs. |
4489 | * XXX: we don't use m_copyback(), since the |
4490 | * function does not use clusters and thus is |
4491 | * inefficient. |
4492 | */ |
4493 | remain = n->m_len; |
4494 | copied = 0; |
4495 | while (1) { |
4496 | int len; |
4497 | struct mbuf *mn; |
4498 | |
4499 | if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN)) |
4500 | len = remain; |
4501 | else { /* allocate a cluster */ |
4502 | MCLGET(mm, M_DONTWAIT); |
4503 | if (!(mm->m_flags & M_EXT)) { |
4504 | m_free(mm); |
4505 | goto fail; |
4506 | } |
4507 | len = remain < MCLBYTES ? |
4508 | remain : MCLBYTES; |
4509 | } |
4510 | |
4511 | bcopy(n->m_data + copied, mm->m_data, |
4512 | len); |
4513 | |
4514 | copied += len; |
4515 | remain -= len; |
4516 | mm->m_len = len; |
4517 | |
4518 | if (remain <= 0) /* completed? */ |
4519 | break; |
4520 | |
4521 | /* need another mbuf */ |
4522 | MGETHDR(mn, M_DONTWAIT, MT_HEADER); /* XXXMAC: tags copied next time in loop? */ |
4523 | if (mn == NULL) |
4524 | goto fail; |
4525 | mn->m_pkthdr.rcvif = NULL; |
4526 | mm->m_next = mn; |
4527 | mm = mn; |
4528 | } |
4529 | |
4530 | /* adjust chain */ |
4531 | mm->m_next = m_free(n); |
4532 | n = mm; |
4533 | *mpp = mnew; |
4534 | mpp = &n->m_next; |
4535 | |
4536 | continue; |
4537 | } |
4538 | } |
4539 | *mpp = n; |
4540 | mpp = &n->m_next; |
4541 | } |
4542 | |
4543 | return(m); |
4544 | fail: |
4545 | m_freem(m); |
4546 | return(NULL); |
4547 | } |
4548 | |
4549 | /* |
4550 | * Tags are allocated as mbufs for now, since our minimum size is MLEN, we |
4551 | * should make use of up to that much space. |
4552 | */ |
4553 | #define \ |
4554 | |
4555 | struct ipsec_tag { |
4556 | struct socket *socket; |
4557 | u_int32_t history_count; |
4558 | struct ipsec_history history[]; |
4559 | #if __arm__ && (__BIGGEST_ALIGNMENT__ > 4) |
4560 | /* For the newer ARMv7k ABI where 64-bit types are 64-bit aligned, but pointers |
4561 | * are 32-bit: |
4562 | * Aligning to 64-bit since we case to m_tag which is 64-bit aligned. |
4563 | */ |
4564 | } __attribute__ ((aligned(8))); |
4565 | #else |
4566 | }; |
4567 | #endif |
4568 | |
4569 | #define IPSEC_TAG_SIZE (MLEN - sizeof(struct m_tag)) |
4570 | #define IPSEC_TAG_HDR_SIZE (offsetof(struct ipsec_tag, history[0])) |
4571 | #define IPSEC_HISTORY_MAX ((IPSEC_TAG_SIZE - IPSEC_TAG_HDR_SIZE) / \ |
4572 | sizeof(struct ipsec_history)) |
4573 | |
4574 | static struct ipsec_tag * |
4575 | ipsec_addaux( |
4576 | struct mbuf *m) |
4577 | { |
4578 | struct m_tag *tag; |
4579 | |
4580 | /* Check if the tag already exists */ |
4581 | tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL); |
4582 | |
4583 | if (tag == NULL) { |
4584 | struct ipsec_tag *itag; |
4585 | |
4586 | /* Allocate a tag */ |
4587 | tag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, |
4588 | IPSEC_TAG_SIZE, M_DONTWAIT, m); |
4589 | |
4590 | if (tag) { |
4591 | itag = (struct ipsec_tag*)(tag + 1); |
4592 | itag->socket = 0; |
4593 | itag->history_count = 0; |
4594 | |
4595 | m_tag_prepend(m, tag); |
4596 | } |
4597 | } |
4598 | |
4599 | return tag ? (struct ipsec_tag*)(tag + 1) : NULL; |
4600 | } |
4601 | |
4602 | static struct ipsec_tag * |
4603 | ipsec_findaux( |
4604 | struct mbuf *m) |
4605 | { |
4606 | struct m_tag *tag; |
4607 | |
4608 | tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL); |
4609 | |
4610 | return tag ? (struct ipsec_tag*)(tag + 1) : NULL; |
4611 | } |
4612 | |
4613 | void |
4614 | ipsec_delaux( |
4615 | struct mbuf *m) |
4616 | { |
4617 | struct m_tag *tag; |
4618 | |
4619 | tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL); |
4620 | |
4621 | if (tag) { |
4622 | m_tag_delete(m, tag); |
4623 | } |
4624 | } |
4625 | |
4626 | /* if the aux buffer is unnecessary, nuke it. */ |
4627 | static void |
4628 | ipsec_optaux( |
4629 | struct mbuf *m, |
4630 | struct ipsec_tag *itag) |
4631 | { |
4632 | if (itag && itag->socket == NULL && itag->history_count == 0) { |
4633 | m_tag_delete(m, ((struct m_tag*)itag) - 1); |
4634 | } |
4635 | } |
4636 | |
4637 | int |
4638 | ipsec_setsocket(struct mbuf *m, struct socket *so) |
4639 | { |
4640 | struct ipsec_tag *tag; |
4641 | |
4642 | /* if so == NULL, don't insist on getting the aux mbuf */ |
4643 | if (so) { |
4644 | tag = ipsec_addaux(m); |
4645 | if (!tag) |
4646 | return ENOBUFS; |
4647 | } else |
4648 | tag = ipsec_findaux(m); |
4649 | if (tag) { |
4650 | tag->socket = so; |
4651 | ipsec_optaux(m, tag); |
4652 | } |
4653 | return 0; |
4654 | } |
4655 | |
4656 | struct socket * |
4657 | ipsec_getsocket(struct mbuf *m) |
4658 | { |
4659 | struct ipsec_tag *itag; |
4660 | |
4661 | itag = ipsec_findaux(m); |
4662 | if (itag) |
4663 | return itag->socket; |
4664 | else |
4665 | return NULL; |
4666 | } |
4667 | |
4668 | int |
4669 | ipsec_addhist( |
4670 | struct mbuf *m, |
4671 | int proto, |
4672 | u_int32_t spi) |
4673 | { |
4674 | struct ipsec_tag *itag; |
4675 | struct ipsec_history *p; |
4676 | itag = ipsec_addaux(m); |
4677 | if (!itag) |
4678 | return ENOBUFS; |
4679 | if (itag->history_count == IPSEC_HISTORY_MAX) |
4680 | return ENOSPC; /* XXX */ |
4681 | |
4682 | p = &itag->history[itag->history_count]; |
4683 | itag->history_count++; |
4684 | |
4685 | bzero(p, sizeof(*p)); |
4686 | p->ih_proto = proto; |
4687 | p->ih_spi = spi; |
4688 | |
4689 | return 0; |
4690 | } |
4691 | |
4692 | struct ipsec_history * |
4693 | ipsec_gethist( |
4694 | struct mbuf *m, |
4695 | int *lenp) |
4696 | { |
4697 | struct ipsec_tag *itag; |
4698 | |
4699 | itag = ipsec_findaux(m); |
4700 | if (!itag) |
4701 | return NULL; |
4702 | if (itag->history_count == 0) |
4703 | return NULL; |
4704 | if (lenp) |
4705 | *lenp = (int)(itag->history_count * sizeof(struct ipsec_history)); |
4706 | return itag->history; |
4707 | } |
4708 | |
4709 | void |
4710 | ipsec_clearhist( |
4711 | struct mbuf *m) |
4712 | { |
4713 | struct ipsec_tag *itag; |
4714 | |
4715 | itag = ipsec_findaux(m); |
4716 | if (itag) { |
4717 | itag->history_count = 0; |
4718 | } |
4719 | ipsec_optaux(m, itag); |
4720 | } |
4721 | |
4722 | __private_extern__ int |
4723 | ipsec_send_natt_keepalive( |
4724 | struct secasvar *sav) |
4725 | { |
4726 | struct mbuf *m; |
4727 | struct ip *ip; |
4728 | int error; |
4729 | struct ip_out_args ipoa; |
4730 | struct route ro; |
4731 | int keepalive_interval = natt_keepalive_interval; |
4732 | |
4733 | bzero(&ipoa, sizeof(ipoa)); |
4734 | ipoa.ipoa_boundif = IFSCOPE_NONE; |
4735 | ipoa.ipoa_flags = IPOAF_SELECT_SRCIF; |
4736 | ipoa.ipoa_sotc = SO_TC_UNSPEC; |
4737 | ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC; |
4738 | |
4739 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
4740 | |
4741 | if ((esp_udp_encap_port & 0xFFFF) == 0 || sav->remote_ike_port == 0) return FALSE; |
4742 | |
4743 | if (sav->natt_interval != 0) { |
4744 | keepalive_interval = (int)sav->natt_interval; |
4745 | } |
4746 | |
4747 | // natt timestamp may have changed... reverify |
4748 | if ((natt_now - sav->natt_last_activity) < keepalive_interval) return FALSE; |
4749 | |
4750 | if (sav->flags & SADB_X_EXT_ESP_KEEPALIVE) return FALSE; // don't send these from the kernel |
4751 | |
4752 | m = m_gethdr(M_NOWAIT, MT_DATA); |
4753 | if (m == NULL) return FALSE; |
4754 | |
4755 | ip = (__typeof__(ip))m_mtod(m); |
4756 | |
4757 | // this sends one type of NATT keepalives (Type 1, ESP keepalives, aren't sent by kernel) |
4758 | if ((sav->flags & SADB_X_EXT_ESP_KEEPALIVE) == 0) { |
4759 | struct udphdr *uh; |
4760 | |
4761 | /* |
4762 | * Type 2: a UDP packet complete with IP header. |
4763 | * We must do this because UDP output requires |
4764 | * an inpcb which we don't have. UDP packet |
4765 | * contains one byte payload. The byte is set |
4766 | * to 0xFF. |
4767 | */ |
4768 | uh = (__typeof__(uh))(void *)((char *)m_mtod(m) + sizeof(*ip)); |
4769 | m->m_len = sizeof(struct udpiphdr) + 1; |
4770 | bzero(m_mtod(m), m->m_len); |
4771 | m->m_pkthdr.len = m->m_len; |
4772 | |
4773 | ip->ip_len = m->m_len; |
4774 | ip->ip_ttl = ip_defttl; |
4775 | ip->ip_p = IPPROTO_UDP; |
4776 | if (sav->sah->dir != IPSEC_DIR_INBOUND) { |
4777 | ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; |
4778 | ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; |
4779 | } else { |
4780 | ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; |
4781 | ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; |
4782 | } |
4783 | uh->uh_sport = htons((u_short)esp_udp_encap_port); |
4784 | uh->uh_dport = htons(sav->remote_ike_port); |
4785 | uh->uh_ulen = htons(1 + sizeof(*uh)); |
4786 | uh->uh_sum = 0; |
4787 | *(u_int8_t*)((char*)m_mtod(m) + sizeof(*ip) + sizeof(*uh)) = 0xFF; |
4788 | } |
4789 | |
4790 | // grab sadb_mutex, to get a local copy of sah's route cache |
4791 | lck_mtx_lock(sadb_mutex); |
4792 | if (ROUTE_UNUSABLE(&sav->sah->sa_route) || |
4793 | rt_key(sav->sah->sa_route.ro_rt)->sa_family != AF_INET) |
4794 | ROUTE_RELEASE(&sav->sah->sa_route); |
4795 | |
4796 | route_copyout(&ro, (struct route *)&sav->sah->sa_route, sizeof(struct route)); |
4797 | lck_mtx_unlock(sadb_mutex); |
4798 | |
4799 | necp_mark_packet_as_keepalive(m, TRUE); |
4800 | |
4801 | error = ip_output(m, NULL, &ro, IP_OUTARGS | IP_NOIPSEC, NULL, &ipoa); |
4802 | |
4803 | // grab sadb_mutex, to synchronize the sah's route cache with the local copy |
4804 | lck_mtx_lock(sadb_mutex); |
4805 | route_copyin(&ro, (struct route *)&sav->sah->sa_route, sizeof(struct route)); |
4806 | lck_mtx_unlock(sadb_mutex); |
4807 | if (error == 0) { |
4808 | sav->natt_last_activity = natt_now; |
4809 | return TRUE; |
4810 | } |
4811 | return FALSE; |
4812 | } |
4813 | |
4814 | __private_extern__ bool |
4815 | ipsec_fill_offload_frame(ifnet_t ifp, |
4816 | struct secasvar *sav, |
4817 | struct ifnet_keepalive_offload_frame *frame, |
4818 | size_t frame_data_offset) |
4819 | { |
4820 | u_int8_t *data = NULL; |
4821 | struct ip *ip = NULL; |
4822 | struct udphdr *uh = NULL; |
4823 | |
4824 | if (sav == NULL || sav->sah == NULL || frame == NULL || |
4825 | (ifp != NULL && ifp->if_index != sav->sah->outgoing_if) || |
4826 | sav->sah->saidx.dst.ss_family != AF_INET || |
4827 | !(sav->flags & SADB_X_EXT_NATT) || |
4828 | !(sav->flags & SADB_X_EXT_NATT_KEEPALIVE) || |
4829 | !(sav->flags & SADB_X_EXT_NATT_KEEPALIVE_OFFLOAD) || |
4830 | sav->flags & SADB_X_EXT_ESP_KEEPALIVE || |
4831 | (esp_udp_encap_port & 0xFFFF) == 0 || |
4832 | sav->remote_ike_port == 0 || |
4833 | (natt_keepalive_interval == 0 && sav->natt_interval == 0 && sav->natt_offload_interval == 0)) { |
4834 | /* SA is not eligible for keepalive offload on this interface */ |
4835 | return (FALSE); |
4836 | } |
4837 | |
4838 | if (frame_data_offset + sizeof(struct udpiphdr) + 1 > |
4839 | IFNET_KEEPALIVE_OFFLOAD_FRAME_DATA_SIZE) { |
4840 | /* Not enough room in this data frame */ |
4841 | return (FALSE); |
4842 | } |
4843 | |
4844 | data = frame->data; |
4845 | ip = (__typeof__(ip))(void *)(data + frame_data_offset); |
4846 | uh = (__typeof__(uh))(void *)(data + frame_data_offset + sizeof(*ip)); |
4847 | |
4848 | frame->length = frame_data_offset + sizeof(struct udpiphdr) + 1; |
4849 | frame->type = IFNET_KEEPALIVE_OFFLOAD_FRAME_IPSEC; |
4850 | frame->ether_type = IFNET_KEEPALIVE_OFFLOAD_FRAME_ETHERTYPE_IPV4; |
4851 | |
4852 | bzero(data, IFNET_KEEPALIVE_OFFLOAD_FRAME_DATA_SIZE); |
4853 | |
4854 | ip->ip_v = IPVERSION; |
4855 | ip->ip_hl = sizeof(struct ip) >> 2; |
4856 | ip->ip_off &= htons(~IP_OFFMASK); |
4857 | ip->ip_off &= htons(~IP_MF); |
4858 | switch (ip4_ipsec_dfbit) { |
4859 | case 0: /* clear DF bit */ |
4860 | ip->ip_off &= htons(~IP_DF); |
4861 | break; |
4862 | case 1: /* set DF bit */ |
4863 | ip->ip_off |= htons(IP_DF); |
4864 | break; |
4865 | default: /* copy DF bit */ |
4866 | break; |
4867 | } |
4868 | ip->ip_len = htons(sizeof(struct udpiphdr) + 1); |
4869 | if (rfc6864 && IP_OFF_IS_ATOMIC(htons(ip->ip_off))) { |
4870 | ip->ip_id = 0; |
4871 | } else { |
4872 | ip->ip_id = ip_randomid(); |
4873 | } |
4874 | ip->ip_ttl = ip_defttl; |
4875 | ip->ip_p = IPPROTO_UDP; |
4876 | ip->ip_sum = 0; |
4877 | if (sav->sah->dir != IPSEC_DIR_INBOUND) { |
4878 | ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; |
4879 | ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; |
4880 | } else { |
4881 | ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; |
4882 | ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; |
4883 | } |
4884 | ip->ip_sum = in_cksum_hdr_opt(ip); |
4885 | uh->uh_sport = htons((u_short)esp_udp_encap_port); |
4886 | uh->uh_dport = htons(sav->remote_ike_port); |
4887 | uh->uh_ulen = htons(1 + sizeof(*uh)); |
4888 | uh->uh_sum = 0; |
4889 | *(u_int8_t*)(data + frame_data_offset + sizeof(*ip) + sizeof(*uh)) = 0xFF; |
4890 | |
4891 | if (sav->natt_offload_interval != 0) { |
4892 | frame->interval = sav->natt_offload_interval; |
4893 | } else if (sav->natt_interval != 0) { |
4894 | frame->interval = sav->natt_interval; |
4895 | } else { |
4896 | frame->interval = natt_keepalive_interval; |
4897 | } |
4898 | return (TRUE); |
4899 | } |
4900 | |