1 | /* |
2 | * Copyright (c) 2008-2023 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | |
29 | /* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $ */ |
30 | /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ |
31 | |
32 | /* |
33 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
34 | * All rights reserved. |
35 | * |
36 | * Redistribution and use in source and binary forms, with or without |
37 | * modification, are permitted provided that the following conditions |
38 | * are met: |
39 | * 1. Redistributions of source code must retain the above copyright |
40 | * notice, this list of conditions and the following disclaimer. |
41 | * 2. Redistributions in binary form must reproduce the above copyright |
42 | * notice, this list of conditions and the following disclaimer in the |
43 | * documentation and/or other materials provided with the distribution. |
44 | * 3. Neither the name of the project nor the names of its contributors |
45 | * may be used to endorse or promote products derived from this software |
46 | * without specific prior written permission. |
47 | * |
48 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
49 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
50 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
51 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
52 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
53 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
54 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
55 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
56 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
57 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
58 | * SUCH DAMAGE. |
59 | */ |
60 | |
61 | /* |
62 | * IPsec controller part. |
63 | */ |
64 | |
65 | #include <sys/param.h> |
66 | #include <sys/systm.h> |
67 | #include <sys/malloc.h> |
68 | #include <sys/mbuf.h> |
69 | #include <sys/mcache.h> |
70 | #include <sys/domain.h> |
71 | #include <sys/protosw.h> |
72 | #include <sys/socket.h> |
73 | #include <sys/socketvar.h> |
74 | #include <sys/errno.h> |
75 | #include <sys/time.h> |
76 | #include <sys/kernel.h> |
77 | #include <sys/syslog.h> |
78 | #include <sys/sysctl.h> |
79 | #include <sys/priv.h> |
80 | #include <kern/locks.h> |
81 | #include <sys/kauth.h> |
82 | #include <sys/bitstring.h> |
83 | |
84 | #include <libkern/OSAtomic.h> |
85 | #include <libkern/sysctl.h> |
86 | |
87 | #include <net/if.h> |
88 | #include <net/route.h> |
89 | #include <net/if_ipsec.h> |
90 | #include <net/if_ports_used.h> |
91 | |
92 | #include <netinet/in.h> |
93 | #include <netinet/in_systm.h> |
94 | #include <netinet/ip.h> |
95 | #include <netinet/ip_var.h> |
96 | #include <netinet/in_var.h> |
97 | #include <netinet/udp.h> |
98 | #include <netinet/udp_var.h> |
99 | #include <netinet/ip_ecn.h> |
100 | #include <netinet6/ip6_ecn.h> |
101 | #include <netinet/tcp.h> |
102 | #include <netinet/udp.h> |
103 | |
104 | #include <netinet/ip6.h> |
105 | #include <netinet6/ip6_var.h> |
106 | #include <netinet/in_pcb.h> |
107 | #include <netinet/icmp6.h> |
108 | |
109 | #include <netinet6/ipsec.h> |
110 | #include <netinet6/ipsec6.h> |
111 | #include <netinet6/ah.h> |
112 | #include <netinet6/ah6.h> |
113 | #if IPSEC_ESP |
114 | #include <netinet6/esp.h> |
115 | #include <netinet6/esp6.h> |
116 | #endif |
117 | #include <netkey/key.h> |
118 | #include <netkey/keydb.h> |
119 | #include <netkey/key_debug.h> |
120 | |
121 | #include <net/net_osdep.h> |
122 | |
123 | #include <IOKit/pwr_mgt/IOPM.h> |
124 | |
125 | #include <os/log_private.h> |
126 | |
127 | #include <kern/assert.h> |
128 | #if SKYWALK |
129 | #include <skywalk/os_skywalk_private.h> |
130 | #endif // SKYWALK |
131 | |
132 | #if IPSEC_DEBUG |
133 | int ipsec_debug = 1; |
134 | #else |
135 | int ipsec_debug = 0; |
136 | #endif |
137 | |
138 | #include <sys/kdebug.h> |
139 | #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1) |
140 | #define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3) |
141 | #define DBG_FNC_GETPOL_SOCK NETDBG_CODE(DBG_NETIPSEC, (1 << 8)) |
142 | #define DBG_FNC_GETPOL_ADDR NETDBG_CODE(DBG_NETIPSEC, (2 << 8)) |
143 | #define DBG_FNC_IPSEC_OUT NETDBG_CODE(DBG_NETIPSEC, (3 << 8)) |
144 | |
145 | struct ipsecstat ipsecstat; |
146 | int ip4_ah_cleartos = 1; |
147 | int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ |
148 | int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ |
149 | int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; |
150 | int ip4_esp_net_deflev = IPSEC_LEVEL_USE; |
151 | int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; |
152 | int ip4_ah_net_deflev = IPSEC_LEVEL_USE; |
153 | struct secpolicy ip4_def_policy; |
154 | int ip4_ipsec_ecn = ECN_COMPATIBILITY; /* ECN ignore(-1)/compatibility(0)/normal(1) */ |
155 | int ip4_esp_randpad = -1; |
156 | int esp_udp_encap_port = 0; |
157 | static int sysctl_def_policy SYSCTL_HANDLER_ARGS; |
158 | extern int natt_keepalive_interval; |
159 | extern u_int64_t natt_now; |
160 | |
161 | struct ipsec_tag; |
162 | |
163 | void *sleep_wake_handle = NULL; |
164 | |
165 | SYSCTL_DECL(_net_inet_ipsec); |
166 | SYSCTL_DECL(_net_inet6_ipsec6); |
167 | /* net.inet.ipsec */ |
168 | SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS, |
169 | stats, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsecstat, ipsecstat, "" ); |
170 | SYSCTL_PROC(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED, |
171 | &ip4_def_policy.policy, 0, &sysctl_def_policy, "I" , "" ); |
172 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, |
173 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_trans_deflev, 0, "" ); |
174 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, |
175 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_net_deflev, 0, "" ); |
176 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, |
177 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_trans_deflev, 0, "" ); |
178 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, |
179 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_net_deflev, 0, "" ); |
180 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, |
181 | ah_cleartos, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_cleartos, 0, "" ); |
182 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, |
183 | ah_offsetmask, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ah_offsetmask, 0, "" ); |
184 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, |
185 | dfbit, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ipsec_dfbit, 0, "" ); |
186 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, |
187 | ecn, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_ipsec_ecn, 0, "" ); |
188 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, |
189 | debug, CTLFLAG_RW | CTLFLAG_LOCKED, &ipsec_debug, 0, "" ); |
190 | SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD, |
191 | esp_randpad, CTLFLAG_RW | CTLFLAG_LOCKED, &ip4_esp_randpad, 0, "" ); |
192 | |
193 | /* for performance, we bypass ipsec until a security policy is set */ |
194 | int ipsec_bypass = 1; |
195 | SYSCTL_INT(_net_inet_ipsec, OID_AUTO, bypass, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsec_bypass, 0, "" ); |
196 | |
197 | /* |
198 | * NAT Traversal requires a UDP port for encapsulation, |
199 | * esp_udp_encap_port controls which port is used. Racoon |
200 | * must set this port to the port racoon is using locally |
201 | * for nat traversal. |
202 | */ |
203 | SYSCTL_INT(_net_inet_ipsec, OID_AUTO, esp_port, |
204 | CTLFLAG_RW | CTLFLAG_LOCKED, &esp_udp_encap_port, 0, "" ); |
205 | |
206 | struct ipsecstat ipsec6stat; |
207 | int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; |
208 | int ip6_esp_net_deflev = IPSEC_LEVEL_USE; |
209 | int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; |
210 | int ip6_ah_net_deflev = IPSEC_LEVEL_USE; |
211 | struct secpolicy ip6_def_policy; |
212 | int ip6_ipsec_ecn = ECN_COMPATIBILITY; /* ECN ignore(-1)/compatibility(0)/normal(1) */ |
213 | int ip6_esp_randpad = -1; |
214 | |
215 | /* net.inet6.ipsec6 */ |
216 | SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, |
217 | stats, CTLFLAG_RD | CTLFLAG_LOCKED, &ipsec6stat, ipsecstat, "" ); |
218 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, |
219 | def_policy, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_def_policy.policy, 0, "" ); |
220 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, |
221 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_trans_deflev, 0, "" ); |
222 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, |
223 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_net_deflev, 0, "" ); |
224 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, |
225 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ah_trans_deflev, 0, "" ); |
226 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, |
227 | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ah_net_deflev, 0, "" ); |
228 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, |
229 | ecn, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ipsec_ecn, 0, "" ); |
230 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, |
231 | debug, CTLFLAG_RW | CTLFLAG_LOCKED, &ipsec_debug, 0, "" ); |
232 | SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, |
233 | esp_randpad, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_esp_randpad, 0, "" ); |
234 | |
235 | SYSCTL_DECL(_net_link_generic_system); |
236 | |
237 | static int ipsec_setspidx_interface(struct secpolicyindex *, u_int8_t, struct mbuf *, |
238 | int, int, int); |
239 | static int ipsec_setspidx_mbuf(struct secpolicyindex *, u_int8_t, u_int, |
240 | struct mbuf *, int); |
241 | static int ipsec4_setspidx_inpcb(struct mbuf *, struct inpcb *pcb); |
242 | static int ipsec6_setspidx_in6pcb(struct mbuf *, struct in6pcb *pcb); |
243 | static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int, int); |
244 | static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int); |
245 | static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *); |
246 | static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int); |
247 | static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *); |
248 | static struct inpcbpolicy *ipsec_newpcbpolicy(void); |
249 | static void ipsec_delpcbpolicy(struct inpcbpolicy *); |
250 | static struct secpolicy *ipsec_deepcopy_policy(struct secpolicy *src); |
251 | static int ipsec_set_policy(struct secpolicy **pcb_sp, |
252 | int optname, caddr_t request, size_t len, int priv); |
253 | static void vshiftl(unsigned char *, int, size_t); |
254 | static int ipsec_in_reject(struct secpolicy *, struct mbuf *); |
255 | static int ipsec64_encapsulate(struct mbuf *, struct secasvar *, uint32_t); |
256 | static int ipsec6_update_routecache_and_output(struct ipsec_output_state *state, struct secasvar *sav); |
257 | static int ipsec46_encapsulate(struct ipsec_output_state *state, struct secasvar *sav); |
258 | static struct ipsec_tag *ipsec_addaux(struct mbuf *); |
259 | static struct ipsec_tag *ipsec_findaux(struct mbuf *); |
260 | static void ipsec_optaux(struct mbuf *, struct ipsec_tag *); |
261 | int ipsec_send_natt_keepalive(struct secasvar *sav); |
262 | bool ipsec_fill_offload_frame(ifnet_t ifp, struct secasvar *sav, struct ifnet_keepalive_offload_frame *frame, size_t frame_data_offset); |
263 | |
264 | extern bool IOPMCopySleepWakeUUIDKey(char *, size_t); |
265 | |
266 | typedef IOReturn (*IOServiceInterestHandler)( void * target, void * refCon, |
267 | UInt32 messageType, void * provider, |
268 | void * messageArgument, vm_size_t argSize ); |
269 | extern void *registerSleepWakeInterest(IOServiceInterestHandler, void *, void *); |
270 | |
271 | static int |
272 | sysctl_def_policy SYSCTL_HANDLER_ARGS |
273 | { |
274 | int new_policy = ip4_def_policy.policy; |
275 | int error = sysctl_handle_int(oidp, arg1: &new_policy, arg2: 0, req); |
276 | |
277 | #pragma unused(arg1, arg2) |
278 | if (error == 0) { |
279 | if (new_policy != IPSEC_POLICY_NONE && |
280 | new_policy != IPSEC_POLICY_DISCARD) { |
281 | return EINVAL; |
282 | } |
283 | ip4_def_policy.policy = new_policy; |
284 | |
285 | /* Turn off the bypass if the default security policy changes */ |
286 | if (ipsec_bypass != 0 && ip4_def_policy.policy != IPSEC_POLICY_NONE) { |
287 | ipsec_bypass = 0; |
288 | } |
289 | } |
290 | |
291 | return error; |
292 | } |
293 | |
294 | /* |
295 | * For OUTBOUND packet having a socket. Searching SPD for packet, |
296 | * and return a pointer to SP. |
297 | * OUT: NULL: no apropreate SP found, the following value is set to error. |
298 | * 0 : bypass |
299 | * EACCES : discard packet. |
300 | * ENOENT : ipsec_acquire() in progress, maybe. |
301 | * others : error occurred. |
302 | * others: a pointer to SP |
303 | * |
304 | * NOTE: IPv6 mapped adddress concern is implemented here. |
305 | */ |
306 | struct secpolicy * |
307 | ipsec4_getpolicybysock(struct mbuf *m, |
308 | u_int8_t dir, |
309 | struct socket *so, |
310 | int *error) |
311 | { |
312 | struct inpcbpolicy *pcbsp = NULL; |
313 | struct secpolicy *currsp = NULL; /* policy on socket */ |
314 | struct secpolicy *kernsp = NULL; /* policy on kernel */ |
315 | |
316 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
317 | /* sanity check */ |
318 | if (m == NULL || so == NULL || error == NULL) { |
319 | panic("ipsec4_getpolicybysock: NULL pointer was passed." ); |
320 | } |
321 | |
322 | if (so->so_pcb == NULL) { |
323 | printf("ipsec4_getpolicybysock: so->so_pcb == NULL\n" ); |
324 | return ipsec4_getpolicybyaddr(m, dir, 0, error); |
325 | } |
326 | |
327 | switch (SOCK_DOM(so)) { |
328 | case PF_INET: |
329 | pcbsp = sotoinpcb(so)->inp_sp; |
330 | break; |
331 | case PF_INET6: |
332 | pcbsp = sotoin6pcb(so)->in6p_sp; |
333 | break; |
334 | } |
335 | |
336 | if (!pcbsp) { |
337 | /* Socket has not specified an IPSEC policy */ |
338 | return ipsec4_getpolicybyaddr(m, dir, 0, error); |
339 | } |
340 | |
341 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_START, 0, 0, 0, 0, 0); |
342 | |
343 | switch (SOCK_DOM(so)) { |
344 | case PF_INET: |
345 | /* set spidx in pcb */ |
346 | *error = ipsec4_setspidx_inpcb(m, sotoinpcb(so)); |
347 | break; |
348 | case PF_INET6: |
349 | /* set spidx in pcb */ |
350 | *error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so)); |
351 | break; |
352 | default: |
353 | panic("ipsec4_getpolicybysock: unsupported address family" ); |
354 | } |
355 | if (*error) { |
356 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 1, *error, 0, 0, 0); |
357 | return NULL; |
358 | } |
359 | |
360 | /* sanity check */ |
361 | if (pcbsp == NULL) { |
362 | panic("ipsec4_getpolicybysock: pcbsp is NULL." ); |
363 | } |
364 | |
365 | switch (dir) { |
366 | case IPSEC_DIR_INBOUND: |
367 | currsp = pcbsp->sp_in; |
368 | break; |
369 | case IPSEC_DIR_OUTBOUND: |
370 | currsp = pcbsp->sp_out; |
371 | break; |
372 | default: |
373 | panic("ipsec4_getpolicybysock: illegal direction." ); |
374 | } |
375 | |
376 | /* sanity check */ |
377 | if (currsp == NULL) { |
378 | panic("ipsec4_getpolicybysock: currsp is NULL." ); |
379 | } |
380 | |
381 | /* when privilieged socket */ |
382 | if (pcbsp->priv) { |
383 | switch (currsp->policy) { |
384 | case IPSEC_POLICY_BYPASS: |
385 | lck_mtx_lock(sadb_mutex); |
386 | currsp->refcnt++; |
387 | lck_mtx_unlock(sadb_mutex); |
388 | *error = 0; |
389 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 2, *error, 0, 0, 0); |
390 | return currsp; |
391 | |
392 | case IPSEC_POLICY_ENTRUST: |
393 | /* look for a policy in SPD */ |
394 | kernsp = key_allocsp(&currsp->spidx, dir); |
395 | |
396 | /* SP found */ |
397 | if (kernsp != NULL) { |
398 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
399 | printf("DP ipsec4_getpolicybysock called " |
400 | "to allocate SP:0x%llx\n" , |
401 | (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); |
402 | *error = 0; |
403 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 3, *error, 0, 0, 0); |
404 | return kernsp; |
405 | } |
406 | |
407 | /* no SP found */ |
408 | lck_mtx_lock(sadb_mutex); |
409 | if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD |
410 | && ip4_def_policy.policy != IPSEC_POLICY_NONE) { |
411 | ipseclog((LOG_INFO, |
412 | "fixed system default policy: %d->%d\n" , |
413 | ip4_def_policy.policy, IPSEC_POLICY_NONE)); |
414 | ip4_def_policy.policy = IPSEC_POLICY_NONE; |
415 | } |
416 | ip4_def_policy.refcnt++; |
417 | lck_mtx_unlock(sadb_mutex); |
418 | *error = 0; |
419 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 4, *error, 0, 0, 0); |
420 | return &ip4_def_policy; |
421 | |
422 | case IPSEC_POLICY_IPSEC: |
423 | lck_mtx_lock(sadb_mutex); |
424 | currsp->refcnt++; |
425 | lck_mtx_unlock(sadb_mutex); |
426 | *error = 0; |
427 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 5, *error, 0, 0, 0); |
428 | return currsp; |
429 | |
430 | default: |
431 | ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " |
432 | "Invalid policy for PCB %d\n" , currsp->policy)); |
433 | *error = EINVAL; |
434 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 6, *error, 0, 0, 0); |
435 | return NULL; |
436 | } |
437 | /* NOTREACHED */ |
438 | } |
439 | |
440 | /* when non-privilieged socket */ |
441 | /* look for a policy in SPD */ |
442 | kernsp = key_allocsp(&currsp->spidx, dir); |
443 | |
444 | /* SP found */ |
445 | if (kernsp != NULL) { |
446 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
447 | printf("DP ipsec4_getpolicybysock called " |
448 | "to allocate SP:0x%llx\n" , |
449 | (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); |
450 | *error = 0; |
451 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 7, *error, 0, 0, 0); |
452 | return kernsp; |
453 | } |
454 | |
455 | /* no SP found */ |
456 | switch (currsp->policy) { |
457 | case IPSEC_POLICY_BYPASS: |
458 | ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " |
459 | "Illegal policy for non-priviliged defined %d\n" , |
460 | currsp->policy)); |
461 | *error = EINVAL; |
462 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 8, *error, 0, 0, 0); |
463 | return NULL; |
464 | |
465 | case IPSEC_POLICY_ENTRUST: |
466 | lck_mtx_lock(sadb_mutex); |
467 | if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD |
468 | && ip4_def_policy.policy != IPSEC_POLICY_NONE) { |
469 | ipseclog((LOG_INFO, |
470 | "fixed system default policy: %d->%d\n" , |
471 | ip4_def_policy.policy, IPSEC_POLICY_NONE)); |
472 | ip4_def_policy.policy = IPSEC_POLICY_NONE; |
473 | } |
474 | ip4_def_policy.refcnt++; |
475 | lck_mtx_unlock(sadb_mutex); |
476 | *error = 0; |
477 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 9, *error, 0, 0, 0); |
478 | return &ip4_def_policy; |
479 | |
480 | case IPSEC_POLICY_IPSEC: |
481 | lck_mtx_lock(sadb_mutex); |
482 | currsp->refcnt++; |
483 | lck_mtx_unlock(sadb_mutex); |
484 | *error = 0; |
485 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 10, *error, 0, 0, 0); |
486 | return currsp; |
487 | |
488 | default: |
489 | ipseclog((LOG_ERR, "ipsec4_getpolicybysock: " |
490 | "Invalid policy for PCB %d\n" , currsp->policy)); |
491 | *error = EINVAL; |
492 | KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 11, *error, 0, 0, 0); |
493 | return NULL; |
494 | } |
495 | /* NOTREACHED */ |
496 | } |
497 | |
498 | /* |
499 | * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, |
500 | * and return a pointer to SP. |
501 | * OUT: positive: a pointer to the entry for security policy leaf matched. |
502 | * NULL: no apropreate SP found, the following value is set to error. |
503 | * 0 : bypass |
504 | * EACCES : discard packet. |
505 | * ENOENT : ipsec_acquire() in progress, maybe. |
506 | * others : error occurred. |
507 | */ |
508 | struct secpolicy * |
509 | ipsec4_getpolicybyaddr(struct mbuf *m, |
510 | u_int8_t dir, |
511 | int flag, |
512 | int *error) |
513 | { |
514 | struct secpolicy *sp = NULL; |
515 | |
516 | if (ipsec_bypass != 0) { |
517 | return 0; |
518 | } |
519 | |
520 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
521 | |
522 | /* sanity check */ |
523 | if (m == NULL || error == NULL) { |
524 | panic("ipsec4_getpolicybyaddr: NULL pointer was passed." ); |
525 | } |
526 | { |
527 | struct secpolicyindex spidx; |
528 | |
529 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0, 0, 0, 0, 0); |
530 | bzero(s: &spidx, n: sizeof(spidx)); |
531 | |
532 | /* make a index to look for a policy */ |
533 | *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m, |
534 | (flag & IP_FORWARDING) ? 0 : 1); |
535 | |
536 | if (*error != 0) { |
537 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1, *error, 0, 0, 0); |
538 | return NULL; |
539 | } |
540 | |
541 | sp = key_allocsp(&spidx, dir); |
542 | } |
543 | |
544 | /* SP found */ |
545 | if (sp != NULL) { |
546 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
547 | printf("DP ipsec4_getpolicybyaddr called " |
548 | "to allocate SP:0x%llx\n" , |
549 | (uint64_t)VM_KERNEL_ADDRPERM(sp))); |
550 | *error = 0; |
551 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2, *error, 0, 0, 0); |
552 | return sp; |
553 | } |
554 | |
555 | /* no SP found */ |
556 | lck_mtx_lock(sadb_mutex); |
557 | if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD |
558 | && ip4_def_policy.policy != IPSEC_POLICY_NONE) { |
559 | ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n" , |
560 | ip4_def_policy.policy, |
561 | IPSEC_POLICY_NONE)); |
562 | ip4_def_policy.policy = IPSEC_POLICY_NONE; |
563 | } |
564 | ip4_def_policy.refcnt++; |
565 | lck_mtx_unlock(sadb_mutex); |
566 | *error = 0; |
567 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 3, *error, 0, 0, 0); |
568 | return &ip4_def_policy; |
569 | } |
570 | |
571 | /* Match with bound interface rather than src addr. |
572 | * Unlike getpolicybyaddr, do not set the default policy. |
573 | * Return 0 if should continue processing, or -1 if packet |
574 | * should be dropped. |
575 | */ |
576 | int |
577 | ipsec4_getpolicybyinterface(struct mbuf *m, |
578 | u_int8_t dir, |
579 | int *flags, |
580 | struct ip_out_args *ipoa, |
581 | struct secpolicy **sp) |
582 | { |
583 | struct secpolicyindex spidx; |
584 | int error = 0; |
585 | |
586 | if (ipsec_bypass != 0) { |
587 | return 0; |
588 | } |
589 | |
590 | /* Sanity check */ |
591 | if (m == NULL || ipoa == NULL || sp == NULL) { |
592 | panic("ipsec4_getpolicybyinterface: NULL pointer was passed." ); |
593 | } |
594 | |
595 | if (ipoa->ipoa_boundif == IFSCOPE_NONE) { |
596 | return 0; |
597 | } |
598 | |
599 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0, 0, 0, 0, 0); |
600 | bzero(s: &spidx, n: sizeof(spidx)); |
601 | |
602 | /* make a index to look for a policy */ |
603 | error = ipsec_setspidx_interface(&spidx, dir, m, (*flags & IP_FORWARDING) ? 0 : 1, |
604 | ipoa->ipoa_boundif, 4); |
605 | |
606 | if (error != 0) { |
607 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1, error, 0, 0, 0); |
608 | return 0; |
609 | } |
610 | |
611 | *sp = key_allocsp(&spidx, dir); |
612 | |
613 | /* Return SP, whether NULL or not */ |
614 | if (*sp != NULL && (*sp)->policy == IPSEC_POLICY_IPSEC) { |
615 | if ((*sp)->ipsec_if == NULL) { |
616 | /* Invalid to capture on an interface without redirect */ |
617 | key_freesp(*sp, KEY_SADB_UNLOCKED); |
618 | *sp = NULL; |
619 | return -1; |
620 | } else if ((*sp)->disabled) { |
621 | /* Disabled policies go in the clear */ |
622 | key_freesp(*sp, KEY_SADB_UNLOCKED); |
623 | *sp = NULL; |
624 | *flags |= IP_NOIPSEC; /* Avoid later IPsec check */ |
625 | } else { |
626 | /* If policy is enabled, redirect to ipsec interface */ |
627 | ipoa->ipoa_boundif = (*sp)->ipsec_if->if_index; |
628 | } |
629 | } |
630 | |
631 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2, error, 0, 0, 0); |
632 | |
633 | return 0; |
634 | } |
635 | |
636 | |
637 | /* |
638 | * For OUTBOUND packet having a socket. Searching SPD for packet, |
639 | * and return a pointer to SP. |
640 | * OUT: NULL: no apropreate SP found, the following value is set to error. |
641 | * 0 : bypass |
642 | * EACCES : discard packet. |
643 | * ENOENT : ipsec_acquire() in progress, maybe. |
644 | * others : error occurred. |
645 | * others: a pointer to SP |
646 | */ |
647 | struct secpolicy * |
648 | ipsec6_getpolicybysock(struct mbuf *m, |
649 | u_int8_t dir, |
650 | struct socket *so, |
651 | int *error) |
652 | { |
653 | struct inpcbpolicy *pcbsp = NULL; |
654 | struct secpolicy *currsp = NULL; /* policy on socket */ |
655 | struct secpolicy *kernsp = NULL; /* policy on kernel */ |
656 | |
657 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
658 | |
659 | /* sanity check */ |
660 | if (m == NULL || so == NULL || error == NULL) { |
661 | panic("ipsec6_getpolicybysock: NULL pointer was passed." ); |
662 | } |
663 | |
664 | #if DIAGNOSTIC |
665 | if (SOCK_DOM(so) != PF_INET6) { |
666 | panic("ipsec6_getpolicybysock: socket domain != inet6" ); |
667 | } |
668 | #endif |
669 | |
670 | pcbsp = sotoin6pcb(so)->in6p_sp; |
671 | |
672 | if (!pcbsp) { |
673 | return ipsec6_getpolicybyaddr(m, dir, 0, error); |
674 | } |
675 | |
676 | /* set spidx in pcb */ |
677 | ipsec6_setspidx_in6pcb(m, sotoin6pcb(so)); |
678 | |
679 | /* sanity check */ |
680 | if (pcbsp == NULL) { |
681 | panic("ipsec6_getpolicybysock: pcbsp is NULL." ); |
682 | } |
683 | |
684 | switch (dir) { |
685 | case IPSEC_DIR_INBOUND: |
686 | currsp = pcbsp->sp_in; |
687 | break; |
688 | case IPSEC_DIR_OUTBOUND: |
689 | currsp = pcbsp->sp_out; |
690 | break; |
691 | default: |
692 | panic("ipsec6_getpolicybysock: illegal direction." ); |
693 | } |
694 | |
695 | /* sanity check */ |
696 | if (currsp == NULL) { |
697 | panic("ipsec6_getpolicybysock: currsp is NULL." ); |
698 | } |
699 | |
700 | /* when privilieged socket */ |
701 | if (pcbsp->priv) { |
702 | switch (currsp->policy) { |
703 | case IPSEC_POLICY_BYPASS: |
704 | lck_mtx_lock(sadb_mutex); |
705 | currsp->refcnt++; |
706 | lck_mtx_unlock(sadb_mutex); |
707 | *error = 0; |
708 | return currsp; |
709 | |
710 | case IPSEC_POLICY_ENTRUST: |
711 | /* look for a policy in SPD */ |
712 | kernsp = key_allocsp(&currsp->spidx, dir); |
713 | |
714 | /* SP found */ |
715 | if (kernsp != NULL) { |
716 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
717 | printf("DP ipsec6_getpolicybysock called " |
718 | "to allocate SP:0x%llx\n" , |
719 | (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); |
720 | *error = 0; |
721 | return kernsp; |
722 | } |
723 | |
724 | /* no SP found */ |
725 | lck_mtx_lock(sadb_mutex); |
726 | if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD |
727 | && ip6_def_policy.policy != IPSEC_POLICY_NONE) { |
728 | ipseclog((LOG_INFO, |
729 | "fixed system default policy: %d->%d\n" , |
730 | ip6_def_policy.policy, IPSEC_POLICY_NONE)); |
731 | ip6_def_policy.policy = IPSEC_POLICY_NONE; |
732 | } |
733 | ip6_def_policy.refcnt++; |
734 | lck_mtx_unlock(sadb_mutex); |
735 | *error = 0; |
736 | return &ip6_def_policy; |
737 | |
738 | case IPSEC_POLICY_IPSEC: |
739 | lck_mtx_lock(sadb_mutex); |
740 | currsp->refcnt++; |
741 | lck_mtx_unlock(sadb_mutex); |
742 | *error = 0; |
743 | return currsp; |
744 | |
745 | default: |
746 | ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " |
747 | "Invalid policy for PCB %d\n" , currsp->policy)); |
748 | *error = EINVAL; |
749 | return NULL; |
750 | } |
751 | /* NOTREACHED */ |
752 | } |
753 | |
754 | /* when non-privilieged socket */ |
755 | /* look for a policy in SPD */ |
756 | kernsp = key_allocsp(&currsp->spidx, dir); |
757 | |
758 | /* SP found */ |
759 | if (kernsp != NULL) { |
760 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
761 | printf("DP ipsec6_getpolicybysock called " |
762 | "to allocate SP:0x%llx\n" , |
763 | (uint64_t)VM_KERNEL_ADDRPERM(kernsp))); |
764 | *error = 0; |
765 | return kernsp; |
766 | } |
767 | |
768 | /* no SP found */ |
769 | switch (currsp->policy) { |
770 | case IPSEC_POLICY_BYPASS: |
771 | ipseclog((LOG_ERR, "ipsec6_getpolicybysock: " |
772 | "Illegal policy for non-priviliged defined %d\n" , |
773 | currsp->policy)); |
774 | *error = EINVAL; |
775 | return NULL; |
776 | |
777 | case IPSEC_POLICY_ENTRUST: |
778 | lck_mtx_lock(sadb_mutex); |
779 | if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD |
780 | && ip6_def_policy.policy != IPSEC_POLICY_NONE) { |
781 | ipseclog((LOG_INFO, |
782 | "fixed system default policy: %d->%d\n" , |
783 | ip6_def_policy.policy, IPSEC_POLICY_NONE)); |
784 | ip6_def_policy.policy = IPSEC_POLICY_NONE; |
785 | } |
786 | ip6_def_policy.refcnt++; |
787 | lck_mtx_unlock(sadb_mutex); |
788 | *error = 0; |
789 | return &ip6_def_policy; |
790 | |
791 | case IPSEC_POLICY_IPSEC: |
792 | lck_mtx_lock(sadb_mutex); |
793 | currsp->refcnt++; |
794 | lck_mtx_unlock(sadb_mutex); |
795 | *error = 0; |
796 | return currsp; |
797 | |
798 | default: |
799 | ipseclog((LOG_ERR, |
800 | "ipsec6_policybysock: Invalid policy for PCB %d\n" , |
801 | currsp->policy)); |
802 | *error = EINVAL; |
803 | return NULL; |
804 | } |
805 | /* NOTREACHED */ |
806 | } |
807 | |
808 | /* |
809 | * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, |
810 | * and return a pointer to SP. |
811 | * `flag' means that packet is to be forwarded whether or not. |
812 | * flag = 1: forwad |
813 | * OUT: positive: a pointer to the entry for security policy leaf matched. |
814 | * NULL: no apropreate SP found, the following value is set to error. |
815 | * 0 : bypass |
816 | * EACCES : discard packet. |
817 | * ENOENT : ipsec_acquire() in progress, maybe. |
818 | * others : error occurred. |
819 | */ |
820 | #ifndef IP_FORWARDING |
821 | #define IP_FORWARDING 1 |
822 | #endif |
823 | |
824 | struct secpolicy * |
825 | ipsec6_getpolicybyaddr(struct mbuf *m, |
826 | u_int8_t dir, |
827 | int flag, |
828 | int *error) |
829 | { |
830 | struct secpolicy *sp = NULL; |
831 | |
832 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
833 | |
834 | /* sanity check */ |
835 | if (m == NULL || error == NULL) { |
836 | panic("ipsec6_getpolicybyaddr: NULL pointer was passed." ); |
837 | } |
838 | |
839 | { |
840 | struct secpolicyindex spidx; |
841 | |
842 | bzero(s: &spidx, n: sizeof(spidx)); |
843 | |
844 | /* make a index to look for a policy */ |
845 | *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m, |
846 | (flag & IP_FORWARDING) ? 0 : 1); |
847 | |
848 | if (*error != 0) { |
849 | return NULL; |
850 | } |
851 | |
852 | sp = key_allocsp(&spidx, dir); |
853 | } |
854 | |
855 | /* SP found */ |
856 | if (sp != NULL) { |
857 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
858 | printf("DP ipsec6_getpolicybyaddr called " |
859 | "to allocate SP:0x%llx\n" , |
860 | (uint64_t)VM_KERNEL_ADDRPERM(sp))); |
861 | *error = 0; |
862 | return sp; |
863 | } |
864 | |
865 | /* no SP found */ |
866 | lck_mtx_lock(sadb_mutex); |
867 | if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD |
868 | && ip6_def_policy.policy != IPSEC_POLICY_NONE) { |
869 | ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n" , |
870 | ip6_def_policy.policy, IPSEC_POLICY_NONE)); |
871 | ip6_def_policy.policy = IPSEC_POLICY_NONE; |
872 | } |
873 | ip6_def_policy.refcnt++; |
874 | lck_mtx_unlock(sadb_mutex); |
875 | *error = 0; |
876 | return &ip6_def_policy; |
877 | } |
878 | |
879 | /* Match with bound interface rather than src addr. |
880 | * Unlike getpolicybyaddr, do not set the default policy. |
881 | * Return 0 if should continue processing, or -1 if packet |
882 | * should be dropped. |
883 | */ |
884 | int |
885 | ipsec6_getpolicybyinterface(struct mbuf *m, |
886 | u_int8_t dir, |
887 | int flag, |
888 | struct ip6_out_args *ip6oap, |
889 | int *noipsec, |
890 | struct secpolicy **sp) |
891 | { |
892 | struct secpolicyindex spidx; |
893 | int error = 0; |
894 | |
895 | if (ipsec_bypass != 0) { |
896 | return 0; |
897 | } |
898 | |
899 | /* Sanity check */ |
900 | if (m == NULL || sp == NULL || noipsec == NULL || ip6oap == NULL) { |
901 | panic("ipsec6_getpolicybyinterface: NULL pointer was passed." ); |
902 | } |
903 | |
904 | *noipsec = 0; |
905 | |
906 | if (ip6oap->ip6oa_boundif == IFSCOPE_NONE) { |
907 | return 0; |
908 | } |
909 | |
910 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0, 0, 0, 0, 0); |
911 | bzero(s: &spidx, n: sizeof(spidx)); |
912 | |
913 | /* make a index to look for a policy */ |
914 | error = ipsec_setspidx_interface(&spidx, dir, m, (flag & IP_FORWARDING) ? 0 : 1, |
915 | ip6oap->ip6oa_boundif, 6); |
916 | |
917 | if (error != 0) { |
918 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1, error, 0, 0, 0); |
919 | return 0; |
920 | } |
921 | |
922 | *sp = key_allocsp(&spidx, dir); |
923 | |
924 | /* Return SP, whether NULL or not */ |
925 | if (*sp != NULL && (*sp)->policy == IPSEC_POLICY_IPSEC) { |
926 | if ((*sp)->ipsec_if == NULL) { |
927 | /* Invalid to capture on an interface without redirect */ |
928 | key_freesp(*sp, KEY_SADB_UNLOCKED); |
929 | *sp = NULL; |
930 | return -1; |
931 | } else if ((*sp)->disabled) { |
932 | /* Disabled policies go in the clear */ |
933 | key_freesp(*sp, KEY_SADB_UNLOCKED); |
934 | *sp = NULL; |
935 | *noipsec = 1; /* Avoid later IPsec check */ |
936 | } else { |
937 | /* If policy is enabled, redirect to ipsec interface */ |
938 | ip6oap->ip6oa_boundif = (*sp)->ipsec_if->if_index; |
939 | } |
940 | } |
941 | |
942 | KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2, *error, 0, 0, 0); |
943 | |
944 | return 0; |
945 | } |
946 | |
947 | /* |
948 | * set IP address into spidx from mbuf. |
949 | * When Forwarding packet and ICMP echo reply, this function is used. |
950 | * |
951 | * IN: get the followings from mbuf. |
952 | * protocol family, src, dst, next protocol |
953 | * OUT: |
954 | * 0: success. |
955 | * other: failure, and set errno. |
956 | */ |
957 | static int |
958 | ipsec_setspidx_mbuf( |
959 | struct secpolicyindex *spidx, |
960 | u_int8_t dir, |
961 | __unused u_int family, |
962 | struct mbuf *m, |
963 | int needport) |
964 | { |
965 | int error; |
966 | |
967 | /* sanity check */ |
968 | if (spidx == NULL || m == NULL) { |
969 | panic("ipsec_setspidx_mbuf: NULL pointer was passed." ); |
970 | } |
971 | |
972 | bzero(s: spidx, n: sizeof(*spidx)); |
973 | |
974 | error = ipsec_setspidx(m, spidx, needport, 0); |
975 | if (error) { |
976 | goto bad; |
977 | } |
978 | spidx->dir = dir; |
979 | |
980 | return 0; |
981 | |
982 | bad: |
983 | /* XXX initialize */ |
984 | bzero(s: spidx, n: sizeof(*spidx)); |
985 | return EINVAL; |
986 | } |
987 | |
988 | static int |
989 | ipsec_setspidx_interface( |
990 | struct secpolicyindex *spidx, |
991 | u_int8_t dir, |
992 | struct mbuf *m, |
993 | int needport, |
994 | int ifindex, |
995 | int ip_version) |
996 | { |
997 | int error; |
998 | |
999 | /* sanity check */ |
1000 | if (spidx == NULL || m == NULL) { |
1001 | panic("ipsec_setspidx_interface: NULL pointer was passed." ); |
1002 | } |
1003 | |
1004 | bzero(s: spidx, n: sizeof(*spidx)); |
1005 | |
1006 | error = ipsec_setspidx(m, spidx, needport, ip_version); |
1007 | if (error) { |
1008 | goto bad; |
1009 | } |
1010 | spidx->dir = dir; |
1011 | |
1012 | if (ifindex != 0) { |
1013 | ifnet_head_lock_shared(); |
1014 | spidx->internal_if = ifindex2ifnet[ifindex]; |
1015 | ifnet_head_done(); |
1016 | } else { |
1017 | spidx->internal_if = NULL; |
1018 | } |
1019 | |
1020 | return 0; |
1021 | |
1022 | bad: |
1023 | return EINVAL; |
1024 | } |
1025 | |
1026 | static int |
1027 | ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb) |
1028 | { |
1029 | struct secpolicyindex *spidx; |
1030 | int error; |
1031 | |
1032 | if (ipsec_bypass != 0) { |
1033 | return 0; |
1034 | } |
1035 | |
1036 | /* sanity check */ |
1037 | if (pcb == NULL) { |
1038 | panic("ipsec4_setspidx_inpcb: no PCB found." ); |
1039 | } |
1040 | if (pcb->inp_sp == NULL) { |
1041 | panic("ipsec4_setspidx_inpcb: no inp_sp found." ); |
1042 | } |
1043 | if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL) { |
1044 | panic("ipsec4_setspidx_inpcb: no sp_in/out found." ); |
1045 | } |
1046 | |
1047 | bzero(s: &pcb->inp_sp->sp_in->spidx, n: sizeof(*spidx)); |
1048 | bzero(s: &pcb->inp_sp->sp_out->spidx, n: sizeof(*spidx)); |
1049 | |
1050 | spidx = &pcb->inp_sp->sp_in->spidx; |
1051 | error = ipsec_setspidx(m, spidx, 1, 0); |
1052 | if (error) { |
1053 | goto bad; |
1054 | } |
1055 | spidx->dir = IPSEC_DIR_INBOUND; |
1056 | |
1057 | spidx = &pcb->inp_sp->sp_out->spidx; |
1058 | error = ipsec_setspidx(m, spidx, 1, 0); |
1059 | if (error) { |
1060 | goto bad; |
1061 | } |
1062 | spidx->dir = IPSEC_DIR_OUTBOUND; |
1063 | |
1064 | return 0; |
1065 | |
1066 | bad: |
1067 | bzero(s: &pcb->inp_sp->sp_in->spidx, n: sizeof(*spidx)); |
1068 | bzero(s: &pcb->inp_sp->sp_out->spidx, n: sizeof(*spidx)); |
1069 | return error; |
1070 | } |
1071 | |
1072 | static int |
1073 | ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb) |
1074 | { |
1075 | struct secpolicyindex *spidx; |
1076 | int error; |
1077 | |
1078 | /* sanity check */ |
1079 | if (pcb == NULL) { |
1080 | panic("ipsec6_setspidx_in6pcb: no PCB found." ); |
1081 | } |
1082 | if (pcb->in6p_sp == NULL) { |
1083 | panic("ipsec6_setspidx_in6pcb: no in6p_sp found." ); |
1084 | } |
1085 | if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL) { |
1086 | panic("ipsec6_setspidx_in6pcb: no sp_in/out found." ); |
1087 | } |
1088 | |
1089 | bzero(s: &pcb->in6p_sp->sp_in->spidx, n: sizeof(*spidx)); |
1090 | bzero(s: &pcb->in6p_sp->sp_out->spidx, n: sizeof(*spidx)); |
1091 | |
1092 | spidx = &pcb->in6p_sp->sp_in->spidx; |
1093 | error = ipsec_setspidx(m, spidx, 1, 0); |
1094 | if (error) { |
1095 | goto bad; |
1096 | } |
1097 | spidx->dir = IPSEC_DIR_INBOUND; |
1098 | |
1099 | spidx = &pcb->in6p_sp->sp_out->spidx; |
1100 | error = ipsec_setspidx(m, spidx, 1, 0); |
1101 | if (error) { |
1102 | goto bad; |
1103 | } |
1104 | spidx->dir = IPSEC_DIR_OUTBOUND; |
1105 | |
1106 | return 0; |
1107 | |
1108 | bad: |
1109 | bzero(s: &pcb->in6p_sp->sp_in->spidx, n: sizeof(*spidx)); |
1110 | bzero(s: &pcb->in6p_sp->sp_out->spidx, n: sizeof(*spidx)); |
1111 | return error; |
1112 | } |
1113 | |
1114 | /* |
1115 | * configure security policy index (src/dst/proto/sport/dport) |
1116 | * by looking at the content of mbuf. |
1117 | * the caller is responsible for error recovery (like clearing up spidx). |
1118 | */ |
1119 | static int |
1120 | ipsec_setspidx(struct mbuf *m, |
1121 | struct secpolicyindex *spidx, |
1122 | int needport, |
1123 | int force_ip_version) |
1124 | { |
1125 | struct ip *ip = NULL; |
1126 | struct ip ipbuf; |
1127 | u_int v; |
1128 | struct mbuf *n; |
1129 | int len; |
1130 | int error; |
1131 | |
1132 | if (m == NULL) { |
1133 | panic("ipsec_setspidx: m == 0 passed." ); |
1134 | } |
1135 | |
1136 | /* |
1137 | * validate m->m_pkthdr.len. we see incorrect length if we |
1138 | * mistakenly call this function with inconsistent mbuf chain |
1139 | * (like 4.4BSD tcp/udp processing). XXX should we panic here? |
1140 | */ |
1141 | len = 0; |
1142 | for (n = m; n; n = n->m_next) { |
1143 | len += n->m_len; |
1144 | } |
1145 | if (m->m_pkthdr.len != len) { |
1146 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1147 | printf("ipsec_setspidx: " |
1148 | "total of m_len(%d) != pkthdr.len(%d), " |
1149 | "ignored.\n" , |
1150 | len, m->m_pkthdr.len)); |
1151 | return EINVAL; |
1152 | } |
1153 | |
1154 | if (m->m_pkthdr.len < sizeof(struct ip)) { |
1155 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1156 | printf("ipsec_setspidx: " |
1157 | "pkthdr.len(%d) < sizeof(struct ip), ignored.\n" , |
1158 | m->m_pkthdr.len)); |
1159 | return EINVAL; |
1160 | } |
1161 | |
1162 | if (m->m_len >= sizeof(*ip)) { |
1163 | ip = mtod(m, struct ip *); |
1164 | } else { |
1165 | m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); |
1166 | ip = &ipbuf; |
1167 | } |
1168 | |
1169 | if (force_ip_version) { |
1170 | v = force_ip_version; |
1171 | } else { |
1172 | #ifdef _IP_VHL |
1173 | v = _IP_VHL_V(ip->ip_vhl); |
1174 | #else |
1175 | v = ip->ip_v; |
1176 | #endif |
1177 | } |
1178 | switch (v) { |
1179 | case 4: |
1180 | error = ipsec4_setspidx_ipaddr(m, spidx); |
1181 | if (error) { |
1182 | return error; |
1183 | } |
1184 | ipsec4_get_ulp(m, spidx, needport); |
1185 | return 0; |
1186 | case 6: |
1187 | if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { |
1188 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1189 | printf("ipsec_setspidx: " |
1190 | "pkthdr.len(%d) < sizeof(struct ip6_hdr), " |
1191 | "ignored.\n" , m->m_pkthdr.len)); |
1192 | return EINVAL; |
1193 | } |
1194 | error = ipsec6_setspidx_ipaddr(m, spidx); |
1195 | if (error) { |
1196 | return error; |
1197 | } |
1198 | ipsec6_get_ulp(m, spidx, needport); |
1199 | return 0; |
1200 | default: |
1201 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1202 | printf("ipsec_setspidx: " |
1203 | "unknown IP version %u, ignored.\n" , v)); |
1204 | return EINVAL; |
1205 | } |
1206 | } |
1207 | |
1208 | static void |
1209 | ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport) |
1210 | { |
1211 | struct ip ip; |
1212 | struct ip6_ext ip6e; |
1213 | u_int8_t nxt; |
1214 | int off; |
1215 | struct tcphdr th; |
1216 | struct udphdr uh; |
1217 | |
1218 | /* sanity check */ |
1219 | if (m == NULL) { |
1220 | panic("ipsec4_get_ulp: NULL pointer was passed." ); |
1221 | } |
1222 | if (m->m_pkthdr.len < sizeof(ip)) { |
1223 | panic("ipsec4_get_ulp: too short" ); |
1224 | } |
1225 | |
1226 | /* set default */ |
1227 | spidx->ul_proto = IPSEC_ULPROTO_ANY; |
1228 | ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY; |
1229 | ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY; |
1230 | |
1231 | m_copydata(m, 0, sizeof(ip), (caddr_t)&ip); |
1232 | /* ip_input() flips it into host endian XXX need more checking */ |
1233 | if (ip.ip_off & (IP_MF | IP_OFFMASK)) { |
1234 | return; |
1235 | } |
1236 | |
1237 | nxt = ip.ip_p; |
1238 | #ifdef _IP_VHL |
1239 | off = _IP_VHL_HL(ip->ip_vhl) << 2; |
1240 | #else |
1241 | off = ip.ip_hl << 2; |
1242 | #endif |
1243 | while (off < m->m_pkthdr.len) { |
1244 | switch (nxt) { |
1245 | case IPPROTO_TCP: |
1246 | spidx->ul_proto = nxt; |
1247 | if (!needport) { |
1248 | return; |
1249 | } |
1250 | if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) { |
1251 | return; |
1252 | } |
1253 | m_copydata(m, off, sizeof(th), (caddr_t)&th); |
1254 | ((struct sockaddr_in *)&spidx->src)->sin_port = |
1255 | th.th_sport; |
1256 | ((struct sockaddr_in *)&spidx->dst)->sin_port = |
1257 | th.th_dport; |
1258 | return; |
1259 | case IPPROTO_UDP: |
1260 | spidx->ul_proto = nxt; |
1261 | if (!needport) { |
1262 | return; |
1263 | } |
1264 | if (off + sizeof(struct udphdr) > m->m_pkthdr.len) { |
1265 | return; |
1266 | } |
1267 | m_copydata(m, off, sizeof(uh), (caddr_t)&uh); |
1268 | ((struct sockaddr_in *)&spidx->src)->sin_port = |
1269 | uh.uh_sport; |
1270 | ((struct sockaddr_in *)&spidx->dst)->sin_port = |
1271 | uh.uh_dport; |
1272 | return; |
1273 | case IPPROTO_AH: |
1274 | if (off + sizeof(ip6e) > m->m_pkthdr.len) { |
1275 | return; |
1276 | } |
1277 | m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); |
1278 | off += (ip6e.ip6e_len + 2) << 2; |
1279 | nxt = ip6e.ip6e_nxt; |
1280 | break; |
1281 | case IPPROTO_ICMP: |
1282 | default: |
1283 | /* XXX intermediate headers??? */ |
1284 | spidx->ul_proto = nxt; |
1285 | return; |
1286 | } |
1287 | } |
1288 | } |
1289 | |
1290 | /* assumes that m is sane */ |
1291 | static int |
1292 | ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx) |
1293 | { |
1294 | struct ip *ip = NULL; |
1295 | struct ip ipbuf; |
1296 | struct sockaddr_in *sin; |
1297 | |
1298 | if (m->m_len >= sizeof(*ip)) { |
1299 | ip = mtod(m, struct ip *); |
1300 | } else { |
1301 | m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); |
1302 | ip = &ipbuf; |
1303 | } |
1304 | |
1305 | sin = (struct sockaddr_in *)&spidx->src; |
1306 | bzero(s: sin, n: sizeof(*sin)); |
1307 | sin->sin_family = AF_INET; |
1308 | sin->sin_len = sizeof(struct sockaddr_in); |
1309 | bcopy(src: &ip->ip_src, dst: &sin->sin_addr, n: sizeof(ip->ip_src)); |
1310 | spidx->prefs = sizeof(struct in_addr) << 3; |
1311 | |
1312 | sin = (struct sockaddr_in *)&spidx->dst; |
1313 | bzero(s: sin, n: sizeof(*sin)); |
1314 | sin->sin_family = AF_INET; |
1315 | sin->sin_len = sizeof(struct sockaddr_in); |
1316 | bcopy(src: &ip->ip_dst, dst: &sin->sin_addr, n: sizeof(ip->ip_dst)); |
1317 | spidx->prefd = sizeof(struct in_addr) << 3; |
1318 | |
1319 | return 0; |
1320 | } |
1321 | |
1322 | static void |
1323 | ipsec6_get_ulp(struct mbuf *m, |
1324 | struct secpolicyindex *spidx, |
1325 | int needport) |
1326 | { |
1327 | int off, nxt; |
1328 | struct tcphdr th; |
1329 | struct udphdr uh; |
1330 | |
1331 | /* sanity check */ |
1332 | if (m == NULL) { |
1333 | panic("ipsec6_get_ulp: NULL pointer was passed." ); |
1334 | } |
1335 | |
1336 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1337 | printf("ipsec6_get_ulp:\n" ); kdebug_mbuf(m)); |
1338 | |
1339 | /* set default */ |
1340 | spidx->ul_proto = IPSEC_ULPROTO_ANY; |
1341 | ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; |
1342 | ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; |
1343 | |
1344 | nxt = -1; |
1345 | off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); |
1346 | if (off < 0 || m->m_pkthdr.len < off) { |
1347 | return; |
1348 | } |
1349 | |
1350 | VERIFY(nxt <= UINT8_MAX); |
1351 | switch (nxt) { |
1352 | case IPPROTO_TCP: |
1353 | spidx->ul_proto = (u_int8_t)nxt; |
1354 | if (!needport) { |
1355 | break; |
1356 | } |
1357 | if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) { |
1358 | break; |
1359 | } |
1360 | m_copydata(m, off, sizeof(th), (caddr_t)&th); |
1361 | ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; |
1362 | ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; |
1363 | break; |
1364 | case IPPROTO_UDP: |
1365 | spidx->ul_proto = (u_int8_t)nxt; |
1366 | if (!needport) { |
1367 | break; |
1368 | } |
1369 | if (off + sizeof(struct udphdr) > m->m_pkthdr.len) { |
1370 | break; |
1371 | } |
1372 | m_copydata(m, off, sizeof(uh), (caddr_t)&uh); |
1373 | ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; |
1374 | ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; |
1375 | break; |
1376 | case IPPROTO_ICMPV6: |
1377 | default: |
1378 | /* XXX intermediate headers??? */ |
1379 | spidx->ul_proto = (u_int8_t)nxt; |
1380 | break; |
1381 | } |
1382 | } |
1383 | |
1384 | /* assumes that m is sane */ |
1385 | static int |
1386 | ipsec6_setspidx_ipaddr(struct mbuf *m, |
1387 | struct secpolicyindex *spidx) |
1388 | { |
1389 | struct ip6_hdr *ip6 = NULL; |
1390 | struct ip6_hdr ip6buf; |
1391 | struct sockaddr_in6 *sin6; |
1392 | |
1393 | if (m->m_len >= sizeof(*ip6)) { |
1394 | ip6 = mtod(m, struct ip6_hdr *); |
1395 | } else { |
1396 | m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); |
1397 | ip6 = &ip6buf; |
1398 | } |
1399 | |
1400 | sin6 = (struct sockaddr_in6 *)&spidx->src; |
1401 | bzero(s: sin6, n: sizeof(*sin6)); |
1402 | sin6->sin6_family = AF_INET6; |
1403 | sin6->sin6_len = sizeof(struct sockaddr_in6); |
1404 | bcopy(src: &ip6->ip6_src, dst: &sin6->sin6_addr, n: sizeof(ip6->ip6_src)); |
1405 | if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { |
1406 | if (m->m_pkthdr.pkt_flags & PKTF_IFAINFO) { |
1407 | ip6_getsrcifaddr_info(m, &sin6->sin6_scope_id, NULL); |
1408 | } else if (m->m_pkthdr.pkt_ext_flags & PKTF_EXT_OUTPUT_SCOPE) { |
1409 | sin6->sin6_scope_id = ip6_output_getsrcifscope(m); |
1410 | } |
1411 | in6_verify_ifscope(&ip6->ip6_src, sin6->sin6_scope_id); |
1412 | if (in6_embedded_scope) { |
1413 | sin6->sin6_addr.s6_addr16[1] = 0; |
1414 | sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); |
1415 | } |
1416 | } |
1417 | spidx->prefs = sizeof(struct in6_addr) << 3; |
1418 | |
1419 | sin6 = (struct sockaddr_in6 *)&spidx->dst; |
1420 | bzero(s: sin6, n: sizeof(*sin6)); |
1421 | sin6->sin6_family = AF_INET6; |
1422 | sin6->sin6_len = sizeof(struct sockaddr_in6); |
1423 | bcopy(src: &ip6->ip6_dst, dst: &sin6->sin6_addr, n: sizeof(ip6->ip6_dst)); |
1424 | if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { |
1425 | if (m->m_pkthdr.pkt_flags & PKTF_IFAINFO) { |
1426 | ip6_getdstifaddr_info(m, &sin6->sin6_scope_id, NULL); |
1427 | } else if (m->m_pkthdr.pkt_ext_flags & PKTF_EXT_OUTPUT_SCOPE) { |
1428 | sin6->sin6_scope_id = ip6_output_getdstifscope(m); |
1429 | } |
1430 | in6_verify_ifscope(&ip6->ip6_dst, sin6->sin6_scope_id); |
1431 | if (in6_embedded_scope) { |
1432 | sin6->sin6_addr.s6_addr16[1] = 0; |
1433 | sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); |
1434 | } |
1435 | } |
1436 | spidx->prefd = sizeof(struct in6_addr) << 3; |
1437 | |
1438 | return 0; |
1439 | } |
1440 | |
1441 | static struct inpcbpolicy * |
1442 | ipsec_newpcbpolicy(void) |
1443 | { |
1444 | struct inpcbpolicy *p; |
1445 | |
1446 | p = kalloc_type(struct inpcbpolicy, Z_WAITOK | Z_ZERO); |
1447 | return p; |
1448 | } |
1449 | |
1450 | static void |
1451 | ipsec_delpcbpolicy(struct inpcbpolicy *p) |
1452 | { |
1453 | kfree_type(struct inpcbpolicy, p); |
1454 | } |
1455 | |
1456 | /* initialize policy in PCB */ |
1457 | int |
1458 | ipsec_init_policy(struct socket *so, |
1459 | struct inpcbpolicy **pcb_sp) |
1460 | { |
1461 | struct inpcbpolicy *new; |
1462 | |
1463 | /* sanity check. */ |
1464 | if (so == NULL || pcb_sp == NULL) { |
1465 | panic("ipsec_init_policy: NULL pointer was passed." ); |
1466 | } |
1467 | |
1468 | new = ipsec_newpcbpolicy(); |
1469 | if (new == NULL) { |
1470 | ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n" )); |
1471 | return ENOBUFS; |
1472 | } |
1473 | |
1474 | #ifdef __APPLE__ |
1475 | if (kauth_cred_issuser(cred: so->so_cred)) |
1476 | #else |
1477 | if (so->so_cred != 0 && !suser(so->so_cred->pc_ucred, NULL)) |
1478 | #endif |
1479 | { new->priv = 1;} else { |
1480 | new->priv = 0; |
1481 | } |
1482 | |
1483 | if ((new->sp_in = key_newsp()) == NULL) { |
1484 | ipsec_delpcbpolicy(p: new); |
1485 | return ENOBUFS; |
1486 | } |
1487 | new->sp_in->state = IPSEC_SPSTATE_ALIVE; |
1488 | new->sp_in->policy = IPSEC_POLICY_ENTRUST; |
1489 | |
1490 | if ((new->sp_out = key_newsp()) == NULL) { |
1491 | key_freesp(new->sp_in, KEY_SADB_UNLOCKED); |
1492 | ipsec_delpcbpolicy(p: new); |
1493 | return ENOBUFS; |
1494 | } |
1495 | new->sp_out->state = IPSEC_SPSTATE_ALIVE; |
1496 | new->sp_out->policy = IPSEC_POLICY_ENTRUST; |
1497 | |
1498 | *pcb_sp = new; |
1499 | |
1500 | return 0; |
1501 | } |
1502 | |
1503 | /* copy old ipsec policy into new */ |
1504 | int |
1505 | ipsec_copy_policy(struct inpcbpolicy *old, |
1506 | struct inpcbpolicy *new) |
1507 | { |
1508 | struct secpolicy *sp; |
1509 | |
1510 | if (ipsec_bypass != 0) { |
1511 | return 0; |
1512 | } |
1513 | |
1514 | sp = ipsec_deepcopy_policy(src: old->sp_in); |
1515 | if (sp) { |
1516 | key_freesp(new->sp_in, KEY_SADB_UNLOCKED); |
1517 | new->sp_in = sp; |
1518 | } else { |
1519 | return ENOBUFS; |
1520 | } |
1521 | |
1522 | sp = ipsec_deepcopy_policy(src: old->sp_out); |
1523 | if (sp) { |
1524 | key_freesp(new->sp_out, KEY_SADB_UNLOCKED); |
1525 | new->sp_out = sp; |
1526 | } else { |
1527 | return ENOBUFS; |
1528 | } |
1529 | |
1530 | new->priv = old->priv; |
1531 | |
1532 | return 0; |
1533 | } |
1534 | |
1535 | /* deep-copy a policy in PCB */ |
1536 | static struct secpolicy * |
1537 | ipsec_deepcopy_policy(struct secpolicy *src) |
1538 | { |
1539 | struct ipsecrequest *newchain = NULL; |
1540 | struct ipsecrequest *p; |
1541 | struct ipsecrequest **q; |
1542 | struct secpolicy *dst; |
1543 | |
1544 | if (src == NULL) { |
1545 | return NULL; |
1546 | } |
1547 | dst = key_newsp(); |
1548 | if (dst == NULL) { |
1549 | return NULL; |
1550 | } |
1551 | |
1552 | /* |
1553 | * deep-copy IPsec request chain. This is required since struct |
1554 | * ipsecrequest is not reference counted. |
1555 | */ |
1556 | q = &newchain; |
1557 | for (p = src->req; p; p = p->next) { |
1558 | *q = kalloc_type(struct ipsecrequest, Z_WAITOK_ZERO_NOFAIL); |
1559 | |
1560 | (*q)->saidx.proto = p->saidx.proto; |
1561 | (*q)->saidx.mode = p->saidx.mode; |
1562 | (*q)->level = p->level; |
1563 | (*q)->saidx.reqid = p->saidx.reqid; |
1564 | |
1565 | bcopy(src: &p->saidx.src, dst: &(*q)->saidx.src, n: sizeof((*q)->saidx.src)); |
1566 | bcopy(src: &p->saidx.dst, dst: &(*q)->saidx.dst, n: sizeof((*q)->saidx.dst)); |
1567 | |
1568 | (*q)->sp = dst; |
1569 | |
1570 | q = &((*q)->next); |
1571 | } |
1572 | |
1573 | dst->req = newchain; |
1574 | dst->state = src->state; |
1575 | dst->policy = src->policy; |
1576 | /* do not touch the refcnt fields */ |
1577 | |
1578 | return dst; |
1579 | } |
1580 | |
1581 | /* set policy and ipsec request if present. */ |
1582 | static int |
1583 | ipsec_set_policy(struct secpolicy **pcb_sp, |
1584 | __unused int optname, |
1585 | caddr_t request, |
1586 | size_t len, |
1587 | int priv) |
1588 | { |
1589 | struct sadb_x_policy *xpl; |
1590 | struct secpolicy *newsp = NULL; |
1591 | int error; |
1592 | |
1593 | /* sanity check. */ |
1594 | if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL) { |
1595 | return EINVAL; |
1596 | } |
1597 | if (len < sizeof(*xpl)) { |
1598 | return EINVAL; |
1599 | } |
1600 | xpl = (struct sadb_x_policy *)(void *)request; |
1601 | |
1602 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1603 | printf("ipsec_set_policy: passed policy\n" ); |
1604 | kdebug_sadb_x_policy((struct sadb_ext *)xpl)); |
1605 | |
1606 | /* check policy type */ |
1607 | /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ |
1608 | if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD |
1609 | || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) { |
1610 | return EINVAL; |
1611 | } |
1612 | |
1613 | /* check privileged socket */ |
1614 | if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) { |
1615 | return EACCES; |
1616 | } |
1617 | |
1618 | /* allocation new SP entry */ |
1619 | if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) { |
1620 | return error; |
1621 | } |
1622 | |
1623 | newsp->state = IPSEC_SPSTATE_ALIVE; |
1624 | |
1625 | /* clear old SP and set new SP */ |
1626 | key_freesp(*pcb_sp, KEY_SADB_UNLOCKED); |
1627 | *pcb_sp = newsp; |
1628 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1629 | printf("ipsec_set_policy: new policy\n" ); |
1630 | kdebug_secpolicy(newsp)); |
1631 | |
1632 | return 0; |
1633 | } |
1634 | |
1635 | int |
1636 | ipsec4_set_policy(struct inpcb *inp, |
1637 | int optname, |
1638 | caddr_t request, |
1639 | size_t len, |
1640 | int priv) |
1641 | { |
1642 | struct sadb_x_policy *xpl; |
1643 | struct secpolicy **pcb_sp; |
1644 | int error = 0; |
1645 | struct sadb_x_policy xpl_aligned_buf; |
1646 | u_int8_t *xpl_unaligned; |
1647 | |
1648 | /* sanity check. */ |
1649 | if (inp == NULL || request == NULL) { |
1650 | return EINVAL; |
1651 | } |
1652 | if (len < sizeof(*xpl)) { |
1653 | return EINVAL; |
1654 | } |
1655 | xpl = (struct sadb_x_policy *)(void *)request; |
1656 | |
1657 | /* This is a new mbuf allocated by soopt_getm() */ |
1658 | if (IPSEC_IS_P2ALIGNED(xpl)) { |
1659 | xpl_unaligned = NULL; |
1660 | } else { |
1661 | xpl_unaligned = (__typeof__(xpl_unaligned))xpl; |
1662 | memcpy(dst: &xpl_aligned_buf, src: xpl, n: sizeof(xpl_aligned_buf)); |
1663 | xpl = (__typeof__(xpl)) & xpl_aligned_buf; |
1664 | } |
1665 | |
1666 | if (inp->inp_sp == NULL) { |
1667 | error = ipsec_init_policy(so: inp->inp_socket, pcb_sp: &inp->inp_sp); |
1668 | if (error) { |
1669 | return error; |
1670 | } |
1671 | } |
1672 | |
1673 | /* select direction */ |
1674 | switch (xpl->sadb_x_policy_dir) { |
1675 | case IPSEC_DIR_INBOUND: |
1676 | pcb_sp = &inp->inp_sp->sp_in; |
1677 | break; |
1678 | case IPSEC_DIR_OUTBOUND: |
1679 | pcb_sp = &inp->inp_sp->sp_out; |
1680 | break; |
1681 | default: |
1682 | ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n" , |
1683 | xpl->sadb_x_policy_dir)); |
1684 | return EINVAL; |
1685 | } |
1686 | |
1687 | /* turn bypass off */ |
1688 | if (ipsec_bypass != 0) { |
1689 | ipsec_bypass = 0; |
1690 | } |
1691 | |
1692 | return ipsec_set_policy(pcb_sp, optname, request, len, priv); |
1693 | } |
1694 | |
1695 | /* delete policy in PCB */ |
1696 | int |
1697 | ipsec4_delete_pcbpolicy(struct inpcb *inp) |
1698 | { |
1699 | /* sanity check. */ |
1700 | if (inp == NULL) { |
1701 | panic("ipsec4_delete_pcbpolicy: NULL pointer was passed." ); |
1702 | } |
1703 | |
1704 | if (inp->inp_sp == NULL) { |
1705 | return 0; |
1706 | } |
1707 | |
1708 | if (inp->inp_sp->sp_in != NULL) { |
1709 | key_freesp(inp->inp_sp->sp_in, KEY_SADB_UNLOCKED); |
1710 | inp->inp_sp->sp_in = NULL; |
1711 | } |
1712 | |
1713 | if (inp->inp_sp->sp_out != NULL) { |
1714 | key_freesp(inp->inp_sp->sp_out, KEY_SADB_UNLOCKED); |
1715 | inp->inp_sp->sp_out = NULL; |
1716 | } |
1717 | |
1718 | ipsec_delpcbpolicy(p: inp->inp_sp); |
1719 | inp->inp_sp = NULL; |
1720 | |
1721 | return 0; |
1722 | } |
1723 | |
1724 | int |
1725 | ipsec6_set_policy(struct in6pcb *in6p, |
1726 | int optname, |
1727 | caddr_t request, |
1728 | size_t len, |
1729 | int priv) |
1730 | { |
1731 | struct sadb_x_policy *xpl; |
1732 | struct secpolicy **pcb_sp; |
1733 | int error = 0; |
1734 | struct sadb_x_policy xpl_aligned_buf; |
1735 | u_int8_t *xpl_unaligned; |
1736 | |
1737 | /* sanity check. */ |
1738 | if (in6p == NULL || request == NULL) { |
1739 | return EINVAL; |
1740 | } |
1741 | if (len < sizeof(*xpl)) { |
1742 | return EINVAL; |
1743 | } |
1744 | xpl = (struct sadb_x_policy *)(void *)request; |
1745 | |
1746 | /* This is a new mbuf allocated by soopt_getm() */ |
1747 | if (IPSEC_IS_P2ALIGNED(xpl)) { |
1748 | xpl_unaligned = NULL; |
1749 | } else { |
1750 | xpl_unaligned = (__typeof__(xpl_unaligned))xpl; |
1751 | memcpy(dst: &xpl_aligned_buf, src: xpl, n: sizeof(xpl_aligned_buf)); |
1752 | xpl = (__typeof__(xpl)) & xpl_aligned_buf; |
1753 | } |
1754 | |
1755 | if (in6p->in6p_sp == NULL) { |
1756 | error = ipsec_init_policy(so: in6p->inp_socket, pcb_sp: &in6p->in6p_sp); |
1757 | if (error) { |
1758 | return error; |
1759 | } |
1760 | } |
1761 | |
1762 | /* select direction */ |
1763 | switch (xpl->sadb_x_policy_dir) { |
1764 | case IPSEC_DIR_INBOUND: |
1765 | pcb_sp = &in6p->in6p_sp->sp_in; |
1766 | break; |
1767 | case IPSEC_DIR_OUTBOUND: |
1768 | pcb_sp = &in6p->in6p_sp->sp_out; |
1769 | break; |
1770 | default: |
1771 | ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n" , |
1772 | xpl->sadb_x_policy_dir)); |
1773 | return EINVAL; |
1774 | } |
1775 | |
1776 | return ipsec_set_policy(pcb_sp, optname, request, len, priv); |
1777 | } |
1778 | |
1779 | int |
1780 | ipsec6_delete_pcbpolicy(struct in6pcb *in6p) |
1781 | { |
1782 | /* sanity check. */ |
1783 | if (in6p == NULL) { |
1784 | panic("ipsec6_delete_pcbpolicy: NULL pointer was passed." ); |
1785 | } |
1786 | |
1787 | if (in6p->in6p_sp == NULL) { |
1788 | return 0; |
1789 | } |
1790 | |
1791 | if (in6p->in6p_sp->sp_in != NULL) { |
1792 | key_freesp(in6p->in6p_sp->sp_in, KEY_SADB_UNLOCKED); |
1793 | in6p->in6p_sp->sp_in = NULL; |
1794 | } |
1795 | |
1796 | if (in6p->in6p_sp->sp_out != NULL) { |
1797 | key_freesp(in6p->in6p_sp->sp_out, KEY_SADB_UNLOCKED); |
1798 | in6p->in6p_sp->sp_out = NULL; |
1799 | } |
1800 | |
1801 | ipsec_delpcbpolicy(p: in6p->in6p_sp); |
1802 | in6p->in6p_sp = NULL; |
1803 | |
1804 | return 0; |
1805 | } |
1806 | |
1807 | /* |
1808 | * return current level. |
1809 | * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. |
1810 | */ |
1811 | u_int |
1812 | ipsec_get_reqlevel(struct ipsecrequest *isr) |
1813 | { |
1814 | u_int level = 0; |
1815 | u_int esp_trans_deflev = 0, esp_net_deflev = 0, ah_trans_deflev = 0, ah_net_deflev = 0; |
1816 | |
1817 | /* sanity check */ |
1818 | if (isr == NULL || isr->sp == NULL) { |
1819 | panic("ipsec_get_reqlevel: NULL pointer is passed." ); |
1820 | } |
1821 | if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family |
1822 | != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family) { |
1823 | panic("ipsec_get_reqlevel: family mismatched." ); |
1824 | } |
1825 | |
1826 | /* XXX note that we have ipseclog() expanded here - code sync issue */ |
1827 | #define IPSEC_CHECK_DEFAULT(lev) \ |
1828 | (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \ |
1829 | && (lev) != IPSEC_LEVEL_UNIQUE) \ |
1830 | ? (ipsec_debug \ |
1831 | ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\ |
1832 | (lev), IPSEC_LEVEL_REQUIRE) \ |
1833 | : (void)0), \ |
1834 | (lev) = IPSEC_LEVEL_REQUIRE, \ |
1835 | (lev) \ |
1836 | : (lev)) |
1837 | |
1838 | /* set default level */ |
1839 | switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) { |
1840 | case AF_INET: |
1841 | esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev); |
1842 | esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev); |
1843 | ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev); |
1844 | ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev); |
1845 | break; |
1846 | case AF_INET6: |
1847 | esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev); |
1848 | esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev); |
1849 | ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev); |
1850 | ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev); |
1851 | break; |
1852 | default: |
1853 | panic("key_get_reqlevel: Unknown family. %d" , |
1854 | ((struct sockaddr *)&isr->sp->spidx.src)->sa_family); |
1855 | } |
1856 | |
1857 | #undef IPSEC_CHECK_DEFAULT |
1858 | |
1859 | /* set level */ |
1860 | switch (isr->level) { |
1861 | case IPSEC_LEVEL_DEFAULT: |
1862 | switch (isr->saidx.proto) { |
1863 | case IPPROTO_ESP: |
1864 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { |
1865 | level = esp_net_deflev; |
1866 | } else { |
1867 | level = esp_trans_deflev; |
1868 | } |
1869 | break; |
1870 | case IPPROTO_AH: |
1871 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { |
1872 | level = ah_net_deflev; |
1873 | } else { |
1874 | level = ah_trans_deflev; |
1875 | } |
1876 | break; |
1877 | case IPPROTO_IPCOMP: |
1878 | ipseclog((LOG_ERR, "ipsec_get_reqlevel: " |
1879 | "still got IPCOMP - exiting\n" )); |
1880 | break; |
1881 | default: |
1882 | panic("ipsec_get_reqlevel: " |
1883 | "Illegal protocol defined %u\n" , |
1884 | isr->saidx.proto); |
1885 | } |
1886 | break; |
1887 | |
1888 | case IPSEC_LEVEL_USE: |
1889 | case IPSEC_LEVEL_REQUIRE: |
1890 | level = isr->level; |
1891 | break; |
1892 | case IPSEC_LEVEL_UNIQUE: |
1893 | level = IPSEC_LEVEL_REQUIRE; |
1894 | break; |
1895 | |
1896 | default: |
1897 | panic("ipsec_get_reqlevel: Illegal IPsec level %u" , |
1898 | isr->level); |
1899 | } |
1900 | |
1901 | return level; |
1902 | } |
1903 | |
1904 | /* |
1905 | * Check AH/ESP integrity. |
1906 | * OUT: |
1907 | * 0: valid |
1908 | * 1: invalid |
1909 | */ |
1910 | static int |
1911 | ipsec_in_reject(struct secpolicy *sp, struct mbuf *m) |
1912 | { |
1913 | struct ipsecrequest *isr; |
1914 | u_int level; |
1915 | int need_auth, need_conf, need_icv; |
1916 | |
1917 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
1918 | printf("ipsec_in_reject: using SP\n" ); |
1919 | kdebug_secpolicy(sp)); |
1920 | |
1921 | /* check policy */ |
1922 | switch (sp->policy) { |
1923 | case IPSEC_POLICY_DISCARD: |
1924 | case IPSEC_POLICY_GENERATE: |
1925 | return 1; |
1926 | case IPSEC_POLICY_BYPASS: |
1927 | case IPSEC_POLICY_NONE: |
1928 | return 0; |
1929 | |
1930 | case IPSEC_POLICY_IPSEC: |
1931 | break; |
1932 | |
1933 | case IPSEC_POLICY_ENTRUST: |
1934 | default: |
1935 | panic("ipsec_hdrsiz: Invalid policy found. %d" , sp->policy); |
1936 | } |
1937 | |
1938 | need_auth = 0; |
1939 | need_conf = 0; |
1940 | need_icv = 0; |
1941 | |
1942 | /* XXX should compare policy against ipsec header history */ |
1943 | |
1944 | for (isr = sp->req; isr != NULL; isr = isr->next) { |
1945 | /* get current level */ |
1946 | level = ipsec_get_reqlevel(isr); |
1947 | |
1948 | switch (isr->saidx.proto) { |
1949 | case IPPROTO_ESP: |
1950 | if (level == IPSEC_LEVEL_REQUIRE) { |
1951 | need_conf++; |
1952 | |
1953 | #if 0 |
1954 | /* this won't work with multiple input threads - isr->sav would change |
1955 | * with every packet and is not necessarily related to the current packet |
1956 | * being processed. If ESP processing is required - the esp code should |
1957 | * make sure that the integrity check is present and correct. I don't see |
1958 | * why it would be necessary to check for the presence of the integrity |
1959 | * check value here. I think this is just wrong. |
1960 | * isr->sav has been removed. |
1961 | * %%%%%% this needs to be re-worked at some point but I think the code below can |
1962 | * be ignored for now. |
1963 | */ |
1964 | if (isr->sav != NULL |
1965 | && isr->sav->flags == SADB_X_EXT_NONE |
1966 | && isr->sav->alg_auth != SADB_AALG_NONE) { |
1967 | need_icv++; |
1968 | } |
1969 | #endif |
1970 | } |
1971 | break; |
1972 | case IPPROTO_AH: |
1973 | if (level == IPSEC_LEVEL_REQUIRE) { |
1974 | need_auth++; |
1975 | need_icv++; |
1976 | } |
1977 | break; |
1978 | case IPPROTO_IPCOMP: |
1979 | /* |
1980 | * we don't really care, as IPcomp document says that |
1981 | * we shouldn't compress small packets, IPComp policy |
1982 | * should always be treated as being in "use" level. |
1983 | */ |
1984 | break; |
1985 | } |
1986 | } |
1987 | |
1988 | KEYDEBUG(KEYDEBUG_IPSEC_DUMP, |
1989 | printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n" , |
1990 | need_auth, need_conf, need_icv, m->m_flags)); |
1991 | |
1992 | if ((need_conf && !(m->m_flags & M_DECRYPTED)) |
1993 | || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM)) |
1994 | || (need_auth && !(m->m_flags & M_AUTHIPHDR))) { |
1995 | return 1; |
1996 | } |
1997 | |
1998 | return 0; |
1999 | } |
2000 | |
2001 | /* |
2002 | * Check AH/ESP integrity. |
2003 | * This function is called from tcp_input(), udp_input(), |
2004 | * and {ah,esp}4_input for tunnel mode |
2005 | */ |
2006 | int |
2007 | ipsec4_in_reject_so(struct mbuf *m, struct socket *so) |
2008 | { |
2009 | struct secpolicy *sp = NULL; |
2010 | int error; |
2011 | int result; |
2012 | |
2013 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
2014 | /* sanity check */ |
2015 | if (m == NULL) { |
2016 | return 0; /* XXX should be panic ? */ |
2017 | } |
2018 | /* get SP for this packet. |
2019 | * When we are called from ip_forward(), we call |
2020 | * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. |
2021 | */ |
2022 | if (so == NULL) { |
2023 | sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, error: &error); |
2024 | } else { |
2025 | sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, flag: 0, error: &error); |
2026 | } |
2027 | |
2028 | if (sp == NULL) { |
2029 | return 0; /* XXX should be panic ? |
2030 | * -> No, there may be error. */ |
2031 | } |
2032 | result = ipsec_in_reject(sp, m); |
2033 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
2034 | printf("DP ipsec4_in_reject_so call free SP:0x%llx\n" , |
2035 | (uint64_t)VM_KERNEL_ADDRPERM(sp))); |
2036 | key_freesp(sp, KEY_SADB_UNLOCKED); |
2037 | |
2038 | return result; |
2039 | } |
2040 | |
2041 | int |
2042 | ipsec4_in_reject(struct mbuf *m, struct inpcb *inp) |
2043 | { |
2044 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
2045 | if (inp == NULL) { |
2046 | return ipsec4_in_reject_so(m, NULL); |
2047 | } |
2048 | if (inp->inp_socket) { |
2049 | return ipsec4_in_reject_so(m, so: inp->inp_socket); |
2050 | } else { |
2051 | panic("ipsec4_in_reject: invalid inpcb/socket" ); |
2052 | } |
2053 | |
2054 | /* NOTREACHED */ |
2055 | return 0; |
2056 | } |
2057 | |
2058 | /* |
2059 | * Check AH/ESP integrity. |
2060 | * This function is called from tcp6_input(), udp6_input(), |
2061 | * and {ah,esp}6_input for tunnel mode |
2062 | */ |
2063 | int |
2064 | ipsec6_in_reject_so(struct mbuf *m, struct socket *so) |
2065 | { |
2066 | struct secpolicy *sp = NULL; |
2067 | int error; |
2068 | int result; |
2069 | |
2070 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
2071 | /* sanity check */ |
2072 | if (m == NULL) { |
2073 | return 0; /* XXX should be panic ? */ |
2074 | } |
2075 | /* get SP for this packet. |
2076 | * When we are called from ip_forward(), we call |
2077 | * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. |
2078 | */ |
2079 | if (so == NULL) { |
2080 | sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, error: &error); |
2081 | } else { |
2082 | sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, flag: 0, error: &error); |
2083 | } |
2084 | |
2085 | if (sp == NULL) { |
2086 | return 0; /* XXX should be panic ? */ |
2087 | } |
2088 | result = ipsec_in_reject(sp, m); |
2089 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
2090 | printf("DP ipsec6_in_reject_so call free SP:0x%llx\n" , |
2091 | (uint64_t)VM_KERNEL_ADDRPERM(sp))); |
2092 | key_freesp(sp, KEY_SADB_UNLOCKED); |
2093 | |
2094 | return result; |
2095 | } |
2096 | |
2097 | int |
2098 | ipsec6_in_reject(struct mbuf *m, struct in6pcb *in6p) |
2099 | { |
2100 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
2101 | if (in6p == NULL) { |
2102 | return ipsec6_in_reject_so(m, NULL); |
2103 | } |
2104 | if (in6p->in6p_socket) { |
2105 | return ipsec6_in_reject_so(m, so: in6p->in6p_socket); |
2106 | } else { |
2107 | panic("ipsec6_in_reject: invalid in6p/socket" ); |
2108 | } |
2109 | |
2110 | /* NOTREACHED */ |
2111 | return 0; |
2112 | } |
2113 | |
2114 | /* |
2115 | * compute the byte size to be occupied by IPsec header. |
2116 | * in case it is tunneled, it includes the size of outer IP header. |
2117 | * NOTE: SP passed is free in this function. |
2118 | */ |
2119 | size_t |
2120 | ipsec_hdrsiz(struct secpolicy *sp) |
2121 | { |
2122 | struct ipsecrequest *isr; |
2123 | size_t siz, clen; |
2124 | |
2125 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
2126 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
2127 | printf("ipsec_hdrsiz: using SP\n" ); |
2128 | kdebug_secpolicy(sp)); |
2129 | |
2130 | /* check policy */ |
2131 | switch (sp->policy) { |
2132 | case IPSEC_POLICY_DISCARD: |
2133 | case IPSEC_POLICY_GENERATE: |
2134 | case IPSEC_POLICY_BYPASS: |
2135 | case IPSEC_POLICY_NONE: |
2136 | return 0; |
2137 | |
2138 | case IPSEC_POLICY_IPSEC: |
2139 | break; |
2140 | |
2141 | case IPSEC_POLICY_ENTRUST: |
2142 | default: |
2143 | panic("ipsec_hdrsiz: Invalid policy found. %d" , sp->policy); |
2144 | } |
2145 | |
2146 | siz = 0; |
2147 | |
2148 | for (isr = sp->req; isr != NULL; isr = isr->next) { |
2149 | clen = 0; |
2150 | |
2151 | switch (isr->saidx.proto) { |
2152 | case IPPROTO_ESP: |
2153 | #if IPSEC_ESP |
2154 | clen = esp_hdrsiz(isr); |
2155 | #else |
2156 | clen = 0; /*XXX*/ |
2157 | #endif |
2158 | break; |
2159 | case IPPROTO_AH: |
2160 | clen = ah_hdrsiz(isr); |
2161 | break; |
2162 | default: |
2163 | ipseclog((LOG_ERR, "ipsec_hdrsiz: " |
2164 | "unknown protocol %u\n" , |
2165 | isr->saidx.proto)); |
2166 | break; |
2167 | } |
2168 | |
2169 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { |
2170 | switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) { |
2171 | case AF_INET: |
2172 | clen += sizeof(struct ip); |
2173 | break; |
2174 | case AF_INET6: |
2175 | clen += sizeof(struct ip6_hdr); |
2176 | break; |
2177 | default: |
2178 | ipseclog((LOG_ERR, "ipsec_hdrsiz: " |
2179 | "unknown AF %d in IPsec tunnel SA\n" , |
2180 | ((struct sockaddr *)&isr->saidx.dst)->sa_family)); |
2181 | break; |
2182 | } |
2183 | } |
2184 | siz += clen; |
2185 | } |
2186 | |
2187 | return siz; |
2188 | } |
2189 | |
2190 | /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */ |
2191 | size_t |
2192 | ipsec4_hdrsiz(struct mbuf *m, u_int8_t dir, struct inpcb *inp) |
2193 | { |
2194 | struct secpolicy *sp = NULL; |
2195 | int error; |
2196 | size_t size; |
2197 | |
2198 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
2199 | /* sanity check */ |
2200 | if (m == NULL) { |
2201 | return 0; /* XXX should be panic ? */ |
2202 | } |
2203 | if (inp != NULL && inp->inp_socket == NULL) { |
2204 | panic("ipsec4_hdrsize: why is socket NULL but there is PCB." ); |
2205 | } |
2206 | |
2207 | /* get SP for this packet. |
2208 | * When we are called from ip_forward(), we call |
2209 | * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. |
2210 | */ |
2211 | if (inp == NULL) { |
2212 | sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, error: &error); |
2213 | } else { |
2214 | sp = ipsec4_getpolicybyaddr(m, dir, flag: 0, error: &error); |
2215 | } |
2216 | |
2217 | if (sp == NULL) { |
2218 | return 0; /* XXX should be panic ? */ |
2219 | } |
2220 | size = ipsec_hdrsiz(sp); |
2221 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
2222 | printf("DP ipsec4_hdrsiz call free SP:0x%llx\n" , |
2223 | (uint64_t)VM_KERNEL_ADDRPERM(sp))); |
2224 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
2225 | printf("ipsec4_hdrsiz: size:%lu.\n" , (u_int32_t)size)); |
2226 | key_freesp(sp, KEY_SADB_UNLOCKED); |
2227 | |
2228 | return size; |
2229 | } |
2230 | |
2231 | /* This function is called from ipsec6_hdrsize_tcp(), |
2232 | * and maybe from ip6_forward.() |
2233 | */ |
2234 | size_t |
2235 | ipsec6_hdrsiz(struct mbuf *m, u_int8_t dir, struct in6pcb *in6p) |
2236 | { |
2237 | struct secpolicy *sp = NULL; |
2238 | int error; |
2239 | size_t size; |
2240 | |
2241 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
2242 | /* sanity check */ |
2243 | if (m == NULL) { |
2244 | return 0; /* XXX shoud be panic ? */ |
2245 | } |
2246 | if (in6p != NULL && in6p->in6p_socket == NULL) { |
2247 | panic("ipsec6_hdrsize: why is socket NULL but there is PCB." ); |
2248 | } |
2249 | |
2250 | /* get SP for this packet */ |
2251 | /* XXX Is it right to call with IP_FORWARDING. */ |
2252 | if (in6p == NULL) { |
2253 | sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, error: &error); |
2254 | } else { |
2255 | sp = ipsec6_getpolicybyaddr(m, dir, flag: 0, error: &error); |
2256 | } |
2257 | |
2258 | if (sp == NULL) { |
2259 | return 0; |
2260 | } |
2261 | size = ipsec_hdrsiz(sp); |
2262 | KEYDEBUG(KEYDEBUG_IPSEC_STAMP, |
2263 | printf("DP ipsec6_hdrsiz call free SP:0x%llx\n" , |
2264 | (uint64_t)VM_KERNEL_ADDRPERM(sp))); |
2265 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
2266 | printf("ipsec6_hdrsiz: size:%lu.\n" , (u_int32_t)size)); |
2267 | key_freesp(sp, KEY_SADB_UNLOCKED); |
2268 | |
2269 | return size; |
2270 | } |
2271 | |
2272 | /* |
2273 | * encapsulate for ipsec tunnel. |
2274 | * ip->ip_src must be fixed later on. |
2275 | */ |
2276 | int |
2277 | ipsec4_encapsulate(struct mbuf *m, struct secasvar *sav) |
2278 | { |
2279 | struct ip *oip; |
2280 | struct ip *ip; |
2281 | size_t plen; |
2282 | u_int32_t hlen; |
2283 | |
2284 | /* can't tunnel between different AFs */ |
2285 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family |
2286 | != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family |
2287 | || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { |
2288 | m_freem(m); |
2289 | return EINVAL; |
2290 | } |
2291 | |
2292 | if (m->m_len < sizeof(*ip)) { |
2293 | panic("ipsec4_encapsulate: assumption failed (first mbuf length)" ); |
2294 | } |
2295 | |
2296 | ip = mtod(m, struct ip *); |
2297 | #ifdef _IP_VHL |
2298 | hlen = _IP_VHL_HL(ip->ip_vhl) << 2; |
2299 | #else |
2300 | hlen = ip->ip_hl << 2; |
2301 | #endif |
2302 | |
2303 | if (m->m_len != hlen) { |
2304 | panic("ipsec4_encapsulate: assumption failed (first mbuf length)" ); |
2305 | } |
2306 | |
2307 | /* generate header checksum */ |
2308 | ip->ip_sum = 0; |
2309 | #ifdef _IP_VHL |
2310 | ip->ip_sum = in_cksum(m, hlen); |
2311 | #else |
2312 | ip->ip_sum = in_cksum(m, hlen); |
2313 | #endif |
2314 | |
2315 | plen = m->m_pkthdr.len; |
2316 | |
2317 | /* |
2318 | * grow the mbuf to accomodate the new IPv4 header. |
2319 | * NOTE: IPv4 options will never be copied. |
2320 | */ |
2321 | if (M_LEADINGSPACE(m->m_next) < hlen) { |
2322 | struct mbuf *n; |
2323 | MGET(n, M_DONTWAIT, MT_DATA); |
2324 | if (!n) { |
2325 | m_freem(m); |
2326 | return ENOBUFS; |
2327 | } |
2328 | n->m_len = hlen; |
2329 | n->m_next = m->m_next; |
2330 | m->m_next = n; |
2331 | m->m_pkthdr.len += hlen; |
2332 | oip = mtod(n, struct ip *); |
2333 | } else { |
2334 | m->m_next->m_len += hlen; |
2335 | m->m_next->m_data -= hlen; |
2336 | m->m_pkthdr.len += hlen; |
2337 | oip = mtod(m->m_next, struct ip *); |
2338 | } |
2339 | ip = mtod(m, struct ip *); |
2340 | ovbcopy(from: (caddr_t)ip, to: (caddr_t)oip, len: hlen); |
2341 | m->m_len = sizeof(struct ip); |
2342 | m->m_pkthdr.len -= (hlen - sizeof(struct ip)); |
2343 | |
2344 | /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ |
2345 | /* ECN consideration. */ |
2346 | ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos); |
2347 | #ifdef _IP_VHL |
2348 | ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2); |
2349 | #else |
2350 | ip->ip_hl = sizeof(struct ip) >> 2; |
2351 | #endif |
2352 | ip->ip_off &= htons(~IP_OFFMASK); |
2353 | ip->ip_off &= htons(~IP_MF); |
2354 | switch (ip4_ipsec_dfbit) { |
2355 | case 0: /* clear DF bit */ |
2356 | ip->ip_off &= htons(~IP_DF); |
2357 | break; |
2358 | case 1: /* set DF bit */ |
2359 | ip->ip_off |= htons(IP_DF); |
2360 | break; |
2361 | default: /* copy DF bit */ |
2362 | break; |
2363 | } |
2364 | ip->ip_p = IPPROTO_IPIP; |
2365 | if (plen + sizeof(struct ip) < IP_MAXPACKET) { |
2366 | ip->ip_len = htons((u_int16_t)(plen + sizeof(struct ip))); |
2367 | } else { |
2368 | ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " |
2369 | "leave ip_len as is (invalid packet)\n" )); |
2370 | } |
2371 | if (rfc6864 && IP_OFF_IS_ATOMIC(ntohs(ip->ip_off))) { |
2372 | ip->ip_id = 0; |
2373 | } else { |
2374 | ip->ip_id = ip_randomid((uint64_t)m); |
2375 | } |
2376 | bcopy(src: &((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, |
2377 | dst: &ip->ip_src, n: sizeof(ip->ip_src)); |
2378 | bcopy(src: &((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, |
2379 | dst: &ip->ip_dst, n: sizeof(ip->ip_dst)); |
2380 | ip->ip_ttl = IPDEFTTL; |
2381 | |
2382 | /* XXX Should ip_src be updated later ? */ |
2383 | |
2384 | return 0; |
2385 | } |
2386 | |
2387 | |
2388 | int |
2389 | ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav) |
2390 | { |
2391 | struct ip6_hdr *oip6; |
2392 | struct ip6_hdr *ip6; |
2393 | size_t plen; |
2394 | |
2395 | /* can't tunnel between different AFs */ |
2396 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family |
2397 | != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family |
2398 | || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { |
2399 | m_freem(m); |
2400 | return EINVAL; |
2401 | } |
2402 | |
2403 | plen = m->m_pkthdr.len; |
2404 | |
2405 | /* |
2406 | * grow the mbuf to accomodate the new IPv6 header. |
2407 | */ |
2408 | if (m->m_len != sizeof(struct ip6_hdr)) { |
2409 | panic("ipsec6_encapsulate: assumption failed (first mbuf length)" ); |
2410 | } |
2411 | if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { |
2412 | struct mbuf *n; |
2413 | MGET(n, M_DONTWAIT, MT_DATA); |
2414 | if (!n) { |
2415 | m_freem(m); |
2416 | return ENOBUFS; |
2417 | } |
2418 | n->m_len = sizeof(struct ip6_hdr); |
2419 | n->m_next = m->m_next; |
2420 | m->m_next = n; |
2421 | m->m_pkthdr.len += sizeof(struct ip6_hdr); |
2422 | oip6 = mtod(n, struct ip6_hdr *); |
2423 | } else { |
2424 | m->m_next->m_len += sizeof(struct ip6_hdr); |
2425 | m->m_next->m_data -= sizeof(struct ip6_hdr); |
2426 | m->m_pkthdr.len += sizeof(struct ip6_hdr); |
2427 | oip6 = mtod(m->m_next, struct ip6_hdr *); |
2428 | } |
2429 | ip6 = mtod(m, struct ip6_hdr *); |
2430 | ovbcopy(from: (caddr_t)ip6, to: (caddr_t)oip6, len: sizeof(struct ip6_hdr)); |
2431 | |
2432 | /* Fake link-local scope-class addresses */ |
2433 | if (in6_embedded_scope && IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src)) { |
2434 | oip6->ip6_src.s6_addr16[1] = 0; |
2435 | } |
2436 | if (in6_embedded_scope && IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst)) { |
2437 | oip6->ip6_dst.s6_addr16[1] = 0; |
2438 | } |
2439 | |
2440 | /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ |
2441 | /* ECN consideration. */ |
2442 | ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow); |
2443 | if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) { |
2444 | ip6->ip6_plen = htons((u_int16_t)plen); |
2445 | } else { |
2446 | /* ip6->ip6_plen will be updated in ip6_output() */ |
2447 | } |
2448 | ip6->ip6_nxt = IPPROTO_IPV6; |
2449 | bcopy(src: &((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr, |
2450 | dst: &ip6->ip6_src, n: sizeof(ip6->ip6_src)); |
2451 | bcopy(src: &((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr, |
2452 | dst: &ip6->ip6_dst, n: sizeof(ip6->ip6_dst)); |
2453 | ip6->ip6_hlim = IPV6_DEFHLIM; |
2454 | |
2455 | if (in6_embedded_scope && IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { |
2456 | ip6->ip6_src.s6_addr16[1] = htons((u_int16_t)sav->sah->outgoing_if); |
2457 | ip6->ip6_dst.s6_addr16[1] = htons((u_int16_t)sav->sah->outgoing_if); |
2458 | } |
2459 | |
2460 | /* XXX Should ip6_src be updated later ? */ |
2461 | |
2462 | return 0; |
2463 | } |
2464 | |
2465 | static int |
2466 | ipsec64_encapsulate(struct mbuf *m, struct secasvar *sav, u_int32_t dscp_mapping) |
2467 | { |
2468 | struct ip6_hdr *ip6, *ip6i; |
2469 | struct ip *ip; |
2470 | size_t plen; |
2471 | |
2472 | /* tunneling over IPv4 */ |
2473 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family |
2474 | != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family |
2475 | || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) { |
2476 | m_freem(m); |
2477 | return EINVAL; |
2478 | } |
2479 | |
2480 | plen = m->m_pkthdr.len; |
2481 | ip6 = mtod(m, struct ip6_hdr *); |
2482 | /* |
2483 | * grow the mbuf to accomodate the new IPv4 header. |
2484 | */ |
2485 | if (m->m_len != sizeof(struct ip6_hdr)) { |
2486 | panic("ipsec6_encapsulate: assumption failed (first mbuf length)" ); |
2487 | } |
2488 | if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) { |
2489 | struct mbuf *n; |
2490 | MGET(n, M_DONTWAIT, MT_DATA); |
2491 | if (!n) { |
2492 | m_freem(m); |
2493 | return ENOBUFS; |
2494 | } |
2495 | n->m_len = sizeof(struct ip6_hdr); |
2496 | n->m_next = m->m_next; |
2497 | m->m_next = n; |
2498 | m->m_pkthdr.len += sizeof(struct ip); |
2499 | ip6i = mtod(n, struct ip6_hdr *); |
2500 | } else { |
2501 | m->m_next->m_len += sizeof(struct ip6_hdr); |
2502 | m->m_next->m_data -= sizeof(struct ip6_hdr); |
2503 | m->m_pkthdr.len += sizeof(struct ip); |
2504 | ip6i = mtod(m->m_next, struct ip6_hdr *); |
2505 | } |
2506 | |
2507 | bcopy(src: ip6, dst: ip6i, n: sizeof(struct ip6_hdr)); |
2508 | ip = mtod(m, struct ip *); |
2509 | m->m_len = sizeof(struct ip); |
2510 | /* |
2511 | * Fill in some of the IPv4 fields - we don't need all of them |
2512 | * because the rest will be filled in by ip_output |
2513 | */ |
2514 | ip->ip_v = IPVERSION; |
2515 | ip->ip_hl = sizeof(struct ip) >> 2; |
2516 | ip->ip_id = 0; |
2517 | ip->ip_sum = 0; |
2518 | ip->ip_tos = 0; |
2519 | ip->ip_off = 0; |
2520 | ip->ip_ttl = IPDEFTTL; |
2521 | ip->ip_p = IPPROTO_IPV6; |
2522 | |
2523 | /* construct new IPv4 header. see RFC 2401 5.1.2.1 */ |
2524 | /* ECN consideration. */ |
2525 | if (dscp_mapping == IPSEC_DSCP_MAPPING_COPY) { |
2526 | // Copy DSCP bits from inner IP to outer IP packet. |
2527 | ip64_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &ip6i->ip6_flow); |
2528 | } else if (dscp_mapping == IPSEC_DSCP_MAPPING_LEGACY) { |
2529 | // Copy DSCP bits in legacy style. |
2530 | ip64_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &ip6->ip6_flow); |
2531 | } |
2532 | |
2533 | if (plen + sizeof(struct ip) < IP_MAXPACKET) { |
2534 | ip->ip_len = htons((u_int16_t)(plen + sizeof(struct ip))); |
2535 | } else { |
2536 | ip->ip_len = htons((u_int16_t)plen); |
2537 | ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " |
2538 | "leave ip_len as is (invalid packet)\n" )); |
2539 | } |
2540 | bcopy(src: &((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, |
2541 | dst: &ip->ip_src, n: sizeof(ip->ip_src)); |
2542 | bcopy(src: &((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, |
2543 | dst: &ip->ip_dst, n: sizeof(ip->ip_dst)); |
2544 | |
2545 | return 0; |
2546 | } |
2547 | |
2548 | int |
2549 | ipsec6_update_routecache_and_output( |
2550 | struct ipsec_output_state *state, |
2551 | struct secasvar *sav) |
2552 | { |
2553 | struct sockaddr_in6* dst6; |
2554 | struct route_in6 *ro6; |
2555 | struct ip6_hdr *ip6; |
2556 | errno_t error = 0; |
2557 | |
2558 | int plen; |
2559 | struct ip6_out_args ip6oa; |
2560 | struct route_in6 ro6_new; |
2561 | struct flowadv *adv = NULL; |
2562 | |
2563 | if (!state->m) { |
2564 | return EINVAL; |
2565 | } |
2566 | ip6 = mtod(state->m, struct ip6_hdr *); |
2567 | |
2568 | // grab sadb_mutex, before updating sah's route cache |
2569 | lck_mtx_lock(sadb_mutex); |
2570 | ro6 = &sav->sah->sa_route; |
2571 | dst6 = (struct sockaddr_in6 *)(void *)&ro6->ro_dst; |
2572 | if (ro6->ro_rt) { |
2573 | RT_LOCK(ro6->ro_rt); |
2574 | } |
2575 | if (ROUTE_UNUSABLE(ro6) || |
2576 | !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst)) { |
2577 | if (ro6->ro_rt != NULL) { |
2578 | RT_UNLOCK(ro6->ro_rt); |
2579 | } |
2580 | ROUTE_RELEASE(ro6); |
2581 | } |
2582 | if (ro6->ro_rt == 0) { |
2583 | bzero(s: dst6, n: sizeof(*dst6)); |
2584 | dst6->sin6_family = AF_INET6; |
2585 | dst6->sin6_len = sizeof(*dst6); |
2586 | dst6->sin6_addr = ip6->ip6_dst; |
2587 | rtalloc_scoped((struct route *)ro6, sav->sah->outgoing_if); |
2588 | if (ro6->ro_rt) { |
2589 | RT_LOCK(ro6->ro_rt); |
2590 | } |
2591 | } |
2592 | if (ro6->ro_rt == 0) { |
2593 | ip6stat.ip6s_noroute++; |
2594 | IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute); |
2595 | error = EHOSTUNREACH; |
2596 | // release sadb_mutex, after updating sah's route cache |
2597 | lck_mtx_unlock(sadb_mutex); |
2598 | return error; |
2599 | } |
2600 | |
2601 | /* |
2602 | * adjust state->dst if tunnel endpoint is offlink |
2603 | * |
2604 | * XXX: caching rt_gateway value in the state is |
2605 | * not really good, since it may point elsewhere |
2606 | * when the gateway gets modified to a larger |
2607 | * sockaddr via rt_setgate(). This is currently |
2608 | * addressed by SA_SIZE roundup in that routine. |
2609 | */ |
2610 | if (ro6->ro_rt->rt_flags & RTF_GATEWAY) { |
2611 | dst6 = (struct sockaddr_in6 *)(void *)ro6->ro_rt->rt_gateway; |
2612 | } |
2613 | RT_UNLOCK(ro6->ro_rt); |
2614 | ROUTE_RELEASE(&state->ro); |
2615 | route_copyout((struct route *)&state->ro, (struct route *)ro6, sizeof(struct route_in6)); |
2616 | state->dst = (struct sockaddr *)dst6; |
2617 | state->tunneled = 6; |
2618 | // release sadb_mutex, after updating sah's route cache |
2619 | lck_mtx_unlock(sadb_mutex); |
2620 | |
2621 | state->m = ipsec6_splithdr(state->m); |
2622 | if (!state->m) { |
2623 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem); |
2624 | error = ENOMEM; |
2625 | return error; |
2626 | } |
2627 | |
2628 | ip6 = mtod(state->m, struct ip6_hdr *); |
2629 | switch (sav->sah->saidx.proto) { |
2630 | case IPPROTO_ESP: |
2631 | #if IPSEC_ESP |
2632 | error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); |
2633 | #else |
2634 | m_freem(state->m); |
2635 | error = EINVAL; |
2636 | #endif |
2637 | break; |
2638 | case IPPROTO_AH: |
2639 | error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); |
2640 | break; |
2641 | default: |
2642 | ipseclog((LOG_ERR, "%s: unknown ipsec protocol %d\n" , __FUNCTION__, sav->sah->saidx.proto)); |
2643 | m_freem(state->m); |
2644 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
2645 | error = EINVAL; |
2646 | break; |
2647 | } |
2648 | if (error) { |
2649 | // If error, packet already freed by above output routines |
2650 | state->m = NULL; |
2651 | return error; |
2652 | } |
2653 | |
2654 | plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); |
2655 | if (plen > IPV6_MAXPACKET) { |
2656 | ipseclog((LOG_ERR, "%s: IPsec with IPv6 jumbogram is not supported\n" , __FUNCTION__)); |
2657 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
2658 | error = EINVAL;/*XXX*/ |
2659 | return error; |
2660 | } |
2661 | ip6 = mtod(state->m, struct ip6_hdr *); |
2662 | ip6->ip6_plen = htons((u_int16_t)plen); |
2663 | |
2664 | ipsec_set_pkthdr_for_interface(interface: sav->sah->ipsec_if, packet: state->m, AF_INET6, |
2665 | flowid: sav->flowid); |
2666 | ipsec_set_ip6oa_for_interface(interface: sav->sah->ipsec_if, ip6oa: &ip6oa); |
2667 | |
2668 | /* Increment statistics */ |
2669 | ifnet_stat_increment_out(interface: sav->sah->ipsec_if, packets_out: 1, bytes_out: (u_int32_t)mbuf_pkthdr_len(mbuf: state->m), errors_out: 0); |
2670 | |
2671 | /* Send to ip6_output */ |
2672 | bzero(s: &ro6_new, n: sizeof(ro6_new)); |
2673 | bzero(s: &ip6oa, n: sizeof(ip6oa)); |
2674 | ip6oa.ip6oa_flowadv.code = 0; |
2675 | ip6oa.ip6oa_flags = IP6OAF_SELECT_SRCIF | IP6OAF_BOUND_SRCADDR; |
2676 | if (state->outgoing_if) { |
2677 | ip6oa.ip6oa_boundif = state->outgoing_if; |
2678 | ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF; |
2679 | ip6_output_setsrcifscope(state->m, state->outgoing_if, NULL); |
2680 | ip6_output_setdstifscope(state->m, state->outgoing_if, NULL); |
2681 | } |
2682 | |
2683 | adv = &ip6oa.ip6oa_flowadv; |
2684 | (void) ip6_output(state->m, NULL, &ro6_new, IPV6_OUTARGS, NULL, NULL, &ip6oa); |
2685 | state->m = NULL; |
2686 | |
2687 | if (adv->code == FADV_FLOW_CONTROLLED || adv->code == FADV_SUSPENDED) { |
2688 | error = ENOBUFS; |
2689 | ifnet_disable_output(interface: sav->sah->ipsec_if); |
2690 | return error; |
2691 | } |
2692 | |
2693 | return 0; |
2694 | } |
2695 | |
2696 | int |
2697 | ipsec46_encapsulate(struct ipsec_output_state *state, struct secasvar *sav) |
2698 | { |
2699 | struct mbuf *m; |
2700 | struct ip6_hdr *ip6; |
2701 | struct ip *oip; |
2702 | struct ip *ip; |
2703 | size_t plen; |
2704 | u_int32_t hlen; |
2705 | |
2706 | m = state->m; |
2707 | if (!m) { |
2708 | return EINVAL; |
2709 | } |
2710 | |
2711 | /* can't tunnel between different AFs */ |
2712 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family |
2713 | != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family |
2714 | || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) { |
2715 | m_freem(m); |
2716 | return EINVAL; |
2717 | } |
2718 | |
2719 | if (m->m_len < sizeof(*ip)) { |
2720 | panic("ipsec46_encapsulate: assumption failed (first mbuf length)" ); |
2721 | return EINVAL; |
2722 | } |
2723 | |
2724 | ip = mtod(m, struct ip *); |
2725 | #ifdef _IP_VHL |
2726 | hlen = _IP_VHL_HL(ip->ip_vhl) << 2; |
2727 | #else |
2728 | hlen = ip->ip_hl << 2; |
2729 | #endif |
2730 | |
2731 | if (m->m_len != hlen) { |
2732 | panic("ipsec46_encapsulate: assumption failed (first mbuf length)" ); |
2733 | return EINVAL; |
2734 | } |
2735 | |
2736 | /* generate header checksum */ |
2737 | ip->ip_sum = 0; |
2738 | #ifdef _IP_VHL |
2739 | ip->ip_sum = in_cksum(m, hlen); |
2740 | #else |
2741 | ip->ip_sum = in_cksum(m, hlen); |
2742 | #endif |
2743 | |
2744 | plen = m->m_pkthdr.len; // save original IPv4 packet len, this will be ipv6 payload len |
2745 | |
2746 | /* |
2747 | * First move the IPv4 header to the second mbuf in the chain |
2748 | */ |
2749 | if (M_LEADINGSPACE(m->m_next) < hlen) { |
2750 | struct mbuf *n; |
2751 | MGET(n, M_DONTWAIT, MT_DATA); |
2752 | if (!n) { |
2753 | m_freem(m); |
2754 | return ENOBUFS; |
2755 | } |
2756 | n->m_len = hlen; |
2757 | n->m_next = m->m_next; |
2758 | m->m_next = n; |
2759 | m->m_pkthdr.len += sizeof(struct ip6_hdr); |
2760 | oip = mtod(n, struct ip *); |
2761 | } else { |
2762 | m->m_next->m_len += hlen; |
2763 | m->m_next->m_data -= hlen; |
2764 | m->m_pkthdr.len += sizeof(struct ip6_hdr); |
2765 | oip = mtod(m->m_next, struct ip *); |
2766 | } |
2767 | ip = mtod(m, struct ip *); |
2768 | ovbcopy(from: (caddr_t)ip, to: (caddr_t)oip, len: hlen); |
2769 | |
2770 | /* |
2771 | * Grow the first mbuf to accomodate the new IPv6 header. |
2772 | */ |
2773 | if (M_LEADINGSPACE(m) < sizeof(struct ip6_hdr) - hlen) { |
2774 | struct mbuf *n; |
2775 | MGETHDR(n, M_DONTWAIT, MT_HEADER); |
2776 | if (!n) { |
2777 | m_freem(m); |
2778 | return ENOBUFS; |
2779 | } |
2780 | M_COPY_PKTHDR(n, m); |
2781 | MH_ALIGN(n, sizeof(struct ip6_hdr)); |
2782 | n->m_len = sizeof(struct ip6_hdr); |
2783 | n->m_next = m->m_next; |
2784 | m->m_next = NULL; |
2785 | m_freem(m); |
2786 | state->m = n; |
2787 | m = state->m; |
2788 | } else { |
2789 | m->m_len += (sizeof(struct ip6_hdr) - hlen); |
2790 | m->m_data -= (sizeof(struct ip6_hdr) - hlen); |
2791 | } |
2792 | ip6 = mtod(m, struct ip6_hdr *); |
2793 | ip6->ip6_flow = 0; |
2794 | ip6->ip6_vfc &= ~IPV6_VERSION_MASK; |
2795 | ip6->ip6_vfc |= IPV6_VERSION; |
2796 | |
2797 | /* construct new IPv6 header. see RFC 2401 5.1.2.2 */ |
2798 | /* ECN consideration. */ |
2799 | if (state->dscp_mapping == IPSEC_DSCP_MAPPING_COPY) { |
2800 | // Copy DSCP bits from inner IP to outer IP packet. |
2801 | ip46_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip->ip_tos); |
2802 | } else if (state->dscp_mapping == IPSEC_DSCP_MAPPING_LEGACY) { |
2803 | // Copy DSCP bits in legacy style. |
2804 | ip46_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &ip->ip_tos); |
2805 | } |
2806 | if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr)) { |
2807 | ip6->ip6_plen = htons((u_int16_t)plen); |
2808 | } else { |
2809 | /* ip6->ip6_plen will be updated in ip6_output() */ |
2810 | } |
2811 | |
2812 | ip6->ip6_nxt = IPPROTO_IPV4; |
2813 | ip6->ip6_hlim = IPV6_DEFHLIM; |
2814 | |
2815 | bcopy(src: &((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr, |
2816 | dst: &ip6->ip6_src, n: sizeof(ip6->ip6_src)); |
2817 | bcopy(src: &((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr, |
2818 | dst: &ip6->ip6_dst, n: sizeof(ip6->ip6_dst)); |
2819 | |
2820 | if (in6_embedded_scope && IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { |
2821 | ip6->ip6_src.s6_addr16[1] = htons((u_int16_t)sav->sah->outgoing_if); |
2822 | ip6->ip6_dst.s6_addr16[1] = htons((u_int16_t)sav->sah->outgoing_if); |
2823 | } |
2824 | |
2825 | return 0; |
2826 | } |
2827 | |
2828 | /* |
2829 | * Check the variable replay window. |
2830 | * ipsec_chkreplay() performs replay check before ICV verification. |
2831 | * ipsec_updatereplay() updates replay bitmap. This must be called after |
2832 | * ICV verification (it also performs replay check, which is usually done |
2833 | * beforehand). |
2834 | * 0 (zero) is returned if packet disallowed, 1 if packet permitted. |
2835 | * |
2836 | * based on RFC 2401. |
2837 | */ |
2838 | int |
2839 | ipsec_chkreplay(u_int32_t seq, struct secasvar *sav, u_int8_t replay_index) |
2840 | { |
2841 | const struct secreplay *replay; |
2842 | u_int32_t diff; |
2843 | size_t fr; |
2844 | size_t wsizeb; /* constant: bits of window size */ |
2845 | size_t frlast; /* constant: last frame */ |
2846 | |
2847 | |
2848 | /* sanity check */ |
2849 | if (sav == NULL) { |
2850 | panic("ipsec_chkreplay: NULL pointer was passed." ); |
2851 | } |
2852 | |
2853 | lck_mtx_lock(sadb_mutex); |
2854 | replay = sav->replay[replay_index]; |
2855 | |
2856 | if (replay->wsize == 0) { |
2857 | lck_mtx_unlock(sadb_mutex); |
2858 | return 1; /* no need to check replay. */ |
2859 | } |
2860 | |
2861 | /* constant */ |
2862 | frlast = replay->wsize - 1; |
2863 | wsizeb = replay->wsize << 3; |
2864 | |
2865 | /* sequence number of 0 is invalid */ |
2866 | if (seq == 0) { |
2867 | lck_mtx_unlock(sadb_mutex); |
2868 | return 0; |
2869 | } |
2870 | |
2871 | /* first time is always okay */ |
2872 | if (replay->count == 0) { |
2873 | lck_mtx_unlock(sadb_mutex); |
2874 | return 1; |
2875 | } |
2876 | |
2877 | if (seq > replay->lastseq) { |
2878 | /* larger sequences are okay */ |
2879 | lck_mtx_unlock(sadb_mutex); |
2880 | return 1; |
2881 | } else { |
2882 | /* seq is equal or less than lastseq. */ |
2883 | diff = replay->lastseq - seq; |
2884 | |
2885 | /* over range to check, i.e. too old or wrapped */ |
2886 | if (diff >= wsizeb) { |
2887 | lck_mtx_unlock(sadb_mutex); |
2888 | return 0; |
2889 | } |
2890 | |
2891 | fr = frlast - diff / 8; |
2892 | |
2893 | /* this packet already seen ? */ |
2894 | if ((replay->bitmap)[fr] & (1 << (diff % 8))) { |
2895 | lck_mtx_unlock(sadb_mutex); |
2896 | return 0; |
2897 | } |
2898 | |
2899 | /* out of order but good */ |
2900 | lck_mtx_unlock(sadb_mutex); |
2901 | return 1; |
2902 | } |
2903 | } |
2904 | |
2905 | /* |
2906 | * check replay counter whether to update or not. |
2907 | * OUT: 0: OK |
2908 | * 1: NG |
2909 | */ |
2910 | int |
2911 | ipsec_updatereplay(u_int32_t seq, struct secasvar *sav, u_int8_t replay_index) |
2912 | { |
2913 | struct secreplay *replay; |
2914 | u_int32_t diff; |
2915 | size_t fr; |
2916 | size_t wsizeb; /* constant: bits of window size */ |
2917 | size_t frlast; /* constant: last frame */ |
2918 | |
2919 | /* sanity check */ |
2920 | if (sav == NULL) { |
2921 | panic("ipsec_chkreplay: NULL pointer was passed." ); |
2922 | } |
2923 | |
2924 | lck_mtx_lock(sadb_mutex); |
2925 | replay = sav->replay[replay_index]; |
2926 | |
2927 | if (replay->wsize == 0) { |
2928 | goto ok; /* no need to check replay. */ |
2929 | } |
2930 | /* constant */ |
2931 | frlast = replay->wsize - 1; |
2932 | wsizeb = replay->wsize << 3; |
2933 | |
2934 | /* sequence number of 0 is invalid */ |
2935 | if (seq == 0) { |
2936 | lck_mtx_unlock(sadb_mutex); |
2937 | return 1; |
2938 | } |
2939 | |
2940 | /* first time */ |
2941 | if (replay->count == 0) { |
2942 | replay->lastseq = seq; |
2943 | bzero(s: replay->bitmap, n: replay->wsize); |
2944 | (replay->bitmap)[frlast] = 1; |
2945 | goto ok; |
2946 | } |
2947 | |
2948 | if (seq > replay->lastseq) { |
2949 | /* seq is larger than lastseq. */ |
2950 | diff = seq - replay->lastseq; |
2951 | |
2952 | /* new larger sequence number */ |
2953 | if (diff < wsizeb) { |
2954 | /* In window */ |
2955 | /* set bit for this packet */ |
2956 | vshiftl((unsigned char *) replay->bitmap, diff, replay->wsize); |
2957 | (replay->bitmap)[frlast] |= 1; |
2958 | } else { |
2959 | /* this packet has a "way larger" */ |
2960 | bzero(s: replay->bitmap, n: replay->wsize); |
2961 | (replay->bitmap)[frlast] = 1; |
2962 | } |
2963 | replay->lastseq = seq; |
2964 | |
2965 | /* larger is good */ |
2966 | } else { |
2967 | /* seq is equal or less than lastseq. */ |
2968 | diff = replay->lastseq - seq; |
2969 | |
2970 | /* over range to check, i.e. too old or wrapped */ |
2971 | if (diff >= wsizeb) { |
2972 | lck_mtx_unlock(sadb_mutex); |
2973 | return 1; |
2974 | } |
2975 | |
2976 | fr = frlast - diff / 8; |
2977 | |
2978 | /* this packet already seen ? */ |
2979 | if ((replay->bitmap)[fr] & (1 << (diff % 8))) { |
2980 | lck_mtx_unlock(sadb_mutex); |
2981 | return 1; |
2982 | } |
2983 | |
2984 | /* mark as seen */ |
2985 | (replay->bitmap)[fr] |= (1 << (diff % 8)); |
2986 | |
2987 | /* out of order but good */ |
2988 | } |
2989 | |
2990 | ok: |
2991 | { |
2992 | u_int32_t max_count = ~0; |
2993 | if ((sav->flags2 & SADB_X_EXT_SA2_SEQ_PER_TRAFFIC_CLASS) == |
2994 | SADB_X_EXT_SA2_SEQ_PER_TRAFFIC_CLASS) { |
2995 | max_count = PER_TC_REPLAY_WINDOW_RANGE; |
2996 | } |
2997 | |
2998 | if (replay->count == max_count) { |
2999 | /* set overflow flag */ |
3000 | replay->overflow++; |
3001 | |
3002 | /* don't increment, no more packets accepted */ |
3003 | if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) { |
3004 | lck_mtx_unlock(sadb_mutex); |
3005 | return 1; |
3006 | } |
3007 | |
3008 | ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n" , |
3009 | replay->overflow, ipsec_logsastr(sav))); |
3010 | } |
3011 | } |
3012 | |
3013 | replay->count++; |
3014 | |
3015 | lck_mtx_unlock(sadb_mutex); |
3016 | return 0; |
3017 | } |
3018 | |
3019 | /* |
3020 | * shift variable length buffer to left. |
3021 | * IN: bitmap: pointer to the buffer |
3022 | * nbit: the number of to shift. |
3023 | * wsize: buffer size (bytes). |
3024 | */ |
3025 | static void |
3026 | vshiftl(unsigned char *bitmap, int nbit, size_t wsize) |
3027 | { |
3028 | size_t i; |
3029 | int s, j; |
3030 | unsigned char over; |
3031 | |
3032 | for (j = 0; j < nbit; j += 8) { |
3033 | s = (nbit - j < 8) ? (nbit - j): 8; |
3034 | bitmap[0] <<= s; |
3035 | for (i = 1; i < wsize; i++) { |
3036 | over = (bitmap[i] >> (8 - s)); |
3037 | bitmap[i] <<= s; |
3038 | bitmap[i - 1] |= over; |
3039 | } |
3040 | } |
3041 | |
3042 | return; |
3043 | } |
3044 | |
3045 | const char * |
3046 | ipsec4_logpacketstr(struct ip *ip, u_int32_t spi) |
3047 | { |
3048 | static char buf[256] __attribute__((aligned(4))); |
3049 | char *p; |
3050 | u_int8_t *s, *d; |
3051 | |
3052 | s = (u_int8_t *)(&ip->ip_src); |
3053 | d = (u_int8_t *)(&ip->ip_dst); |
3054 | |
3055 | p = buf; |
3056 | snprintf(buf, count: sizeof(buf), "packet(SPI=%u " , (u_int32_t)ntohl(spi)); |
3057 | while (p && *p) { |
3058 | p++; |
3059 | } |
3060 | snprintf(p, count: sizeof(buf) - (p - buf), "src=%u.%u.%u.%u" , |
3061 | s[0], s[1], s[2], s[3]); |
3062 | while (p && *p) { |
3063 | p++; |
3064 | } |
3065 | snprintf(p, count: sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u" , |
3066 | d[0], d[1], d[2], d[3]); |
3067 | while (p && *p) { |
3068 | p++; |
3069 | } |
3070 | snprintf(p, count: sizeof(buf) - (p - buf), ")" ); |
3071 | |
3072 | return buf; |
3073 | } |
3074 | |
3075 | const char * |
3076 | ipsec6_logpacketstr(struct ip6_hdr *ip6, u_int32_t spi) |
3077 | { |
3078 | static char buf[256] __attribute__((aligned(4))); |
3079 | char *p; |
3080 | |
3081 | p = buf; |
3082 | snprintf(buf, count: sizeof(buf), "packet(SPI=%u " , (u_int32_t)ntohl(spi)); |
3083 | while (p && *p) { |
3084 | p++; |
3085 | } |
3086 | snprintf(p, count: sizeof(buf) - (p - buf), "src=%s" , |
3087 | ip6_sprintf(&ip6->ip6_src)); |
3088 | while (p && *p) { |
3089 | p++; |
3090 | } |
3091 | snprintf(p, count: sizeof(buf) - (p - buf), " dst=%s" , |
3092 | ip6_sprintf(&ip6->ip6_dst)); |
3093 | while (p && *p) { |
3094 | p++; |
3095 | } |
3096 | snprintf(p, count: sizeof(buf) - (p - buf), ")" ); |
3097 | |
3098 | return buf; |
3099 | } |
3100 | |
3101 | const char * |
3102 | ipsec_logsastr(struct secasvar *sav) |
3103 | { |
3104 | static char buf[256] __attribute__((aligned(4))); |
3105 | char *p; |
3106 | struct secasindex *saidx = &sav->sah->saidx; |
3107 | |
3108 | /* validity check */ |
3109 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family |
3110 | != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) { |
3111 | panic("ipsec_logsastr: family mismatched." ); |
3112 | } |
3113 | |
3114 | p = buf; |
3115 | snprintf(buf, count: sizeof(buf), "SA(SPI=%u " , (u_int32_t)ntohl(sav->spi)); |
3116 | while (p && *p) { |
3117 | p++; |
3118 | } |
3119 | if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) { |
3120 | u_int8_t *s, *d; |
3121 | s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr; |
3122 | d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr; |
3123 | snprintf(p, count: sizeof(buf) - (p - buf), |
3124 | "src=%d.%d.%d.%d dst=%d.%d.%d.%d" , |
3125 | s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]); |
3126 | } else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) { |
3127 | snprintf(p, count: sizeof(buf) - (p - buf), |
3128 | "src=%s" , |
3129 | ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr)); |
3130 | while (p && *p) { |
3131 | p++; |
3132 | } |
3133 | snprintf(p, count: sizeof(buf) - (p - buf), |
3134 | " dst=%s" , |
3135 | ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr)); |
3136 | } |
3137 | while (p && *p) { |
3138 | p++; |
3139 | } |
3140 | snprintf(p, count: sizeof(buf) - (p - buf), ")" ); |
3141 | |
3142 | return buf; |
3143 | } |
3144 | |
3145 | void |
3146 | ipsec_dumpmbuf(struct mbuf *m) |
3147 | { |
3148 | int totlen; |
3149 | int i; |
3150 | u_char *p; |
3151 | |
3152 | totlen = 0; |
3153 | printf("---\n" ); |
3154 | while (m) { |
3155 | p = mtod(m, u_char *); |
3156 | for (i = 0; i < m->m_len; i++) { |
3157 | printf("%02x " , p[i]); |
3158 | totlen++; |
3159 | if (totlen % 16 == 0) { |
3160 | printf("\n" ); |
3161 | } |
3162 | } |
3163 | m = m->m_next; |
3164 | } |
3165 | if (totlen % 16 != 0) { |
3166 | printf("\n" ); |
3167 | } |
3168 | printf("---\n" ); |
3169 | } |
3170 | |
3171 | #if INET |
3172 | /* |
3173 | * IPsec output logic for IPv4. |
3174 | */ |
3175 | static int |
3176 | ipsec4_output_internal(struct ipsec_output_state *state, struct secasvar *sav) |
3177 | { |
3178 | struct ip *ip = NULL; |
3179 | int error = 0; |
3180 | struct sockaddr_in *dst4; |
3181 | struct route *ro4; |
3182 | |
3183 | /* validity check */ |
3184 | if (sav == NULL || sav->sah == NULL) { |
3185 | error = EINVAL; |
3186 | goto bad; |
3187 | } |
3188 | |
3189 | /* |
3190 | * If there is no valid SA, we give up to process any |
3191 | * more. In such a case, the SA's status is changed |
3192 | * from DYING to DEAD after allocating. If a packet |
3193 | * send to the receiver by dead SA, the receiver can |
3194 | * not decode a packet because SA has been dead. |
3195 | */ |
3196 | if (sav->state != SADB_SASTATE_MATURE |
3197 | && sav->state != SADB_SASTATE_DYING) { |
3198 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3199 | error = EINVAL; |
3200 | goto bad; |
3201 | } |
3202 | |
3203 | state->outgoing_if = sav->sah->outgoing_if; |
3204 | |
3205 | /* |
3206 | * There may be the case that SA status will be changed when |
3207 | * we are refering to one. So calling splsoftnet(). |
3208 | */ |
3209 | |
3210 | if (sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) { |
3211 | /* |
3212 | * build IPsec tunnel. |
3213 | */ |
3214 | state->m = ipsec4_splithdr(state->m); |
3215 | if (!state->m) { |
3216 | error = ENOMEM; |
3217 | goto bad; |
3218 | } |
3219 | |
3220 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) { |
3221 | error = ipsec46_encapsulate(state, sav); |
3222 | if (error) { |
3223 | // packet already freed by encapsulation error handling |
3224 | state->m = NULL; |
3225 | return error; |
3226 | } |
3227 | |
3228 | error = ipsec6_update_routecache_and_output(state, sav); |
3229 | return error; |
3230 | } else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) { |
3231 | error = ipsec4_encapsulate(m: state->m, sav); |
3232 | if (error) { |
3233 | state->m = NULL; |
3234 | goto bad; |
3235 | } |
3236 | ip = mtod(state->m, struct ip *); |
3237 | |
3238 | // grab sadb_mutex, before updating sah's route cache |
3239 | lck_mtx_lock(sadb_mutex); |
3240 | ro4 = (struct route *)&sav->sah->sa_route; |
3241 | dst4 = (struct sockaddr_in *)(void *)&ro4->ro_dst; |
3242 | if (ro4->ro_rt != NULL) { |
3243 | RT_LOCK(ro4->ro_rt); |
3244 | } |
3245 | if (ROUTE_UNUSABLE(ro4) || |
3246 | dst4->sin_addr.s_addr != ip->ip_dst.s_addr) { |
3247 | if (ro4->ro_rt != NULL) { |
3248 | RT_UNLOCK(ro4->ro_rt); |
3249 | } |
3250 | ROUTE_RELEASE(ro4); |
3251 | } |
3252 | if (ro4->ro_rt == 0) { |
3253 | dst4->sin_family = AF_INET; |
3254 | dst4->sin_len = sizeof(*dst4); |
3255 | dst4->sin_addr = ip->ip_dst; |
3256 | rtalloc_scoped(ro4, sav->sah->outgoing_if); |
3257 | if (ro4->ro_rt == 0) { |
3258 | OSAddAtomic(1, &ipstat.ips_noroute); |
3259 | error = EHOSTUNREACH; |
3260 | // release sadb_mutex, after updating sah's route cache |
3261 | lck_mtx_unlock(sadb_mutex); |
3262 | goto bad; |
3263 | } |
3264 | RT_LOCK(ro4->ro_rt); |
3265 | } |
3266 | |
3267 | /* |
3268 | * adjust state->dst if tunnel endpoint is offlink |
3269 | * |
3270 | * XXX: caching rt_gateway value in the state is |
3271 | * not really good, since it may point elsewhere |
3272 | * when the gateway gets modified to a larger |
3273 | * sockaddr via rt_setgate(). This is currently |
3274 | * addressed by SA_SIZE roundup in that routine. |
3275 | */ |
3276 | if (ro4->ro_rt->rt_flags & RTF_GATEWAY) { |
3277 | dst4 = (struct sockaddr_in *)(void *)ro4->ro_rt->rt_gateway; |
3278 | } |
3279 | RT_UNLOCK(ro4->ro_rt); |
3280 | ROUTE_RELEASE(&state->ro); |
3281 | route_copyout((struct route *)&state->ro, ro4, sizeof(struct route)); |
3282 | state->dst = (struct sockaddr *)dst4; |
3283 | state->tunneled = 4; |
3284 | // release sadb_mutex, after updating sah's route cache |
3285 | lck_mtx_unlock(sadb_mutex); |
3286 | } else { |
3287 | ipseclog((LOG_ERR, "%s: family mismatched between inner and outer spi=%u\n" , |
3288 | __FUNCTION__, (u_int32_t)ntohl(sav->spi))); |
3289 | error = EAFNOSUPPORT; |
3290 | goto bad; |
3291 | } |
3292 | } |
3293 | |
3294 | state->m = ipsec4_splithdr(state->m); |
3295 | if (!state->m) { |
3296 | error = ENOMEM; |
3297 | goto bad; |
3298 | } |
3299 | switch (sav->sah->saidx.proto) { |
3300 | case IPPROTO_ESP: |
3301 | #if IPSEC_ESP |
3302 | if ((error = esp4_output(state->m, sav)) != 0) { |
3303 | state->m = NULL; |
3304 | goto bad; |
3305 | } |
3306 | break; |
3307 | #else |
3308 | m_freem(state->m); |
3309 | state->m = NULL; |
3310 | error = EINVAL; |
3311 | goto bad; |
3312 | #endif |
3313 | case IPPROTO_AH: |
3314 | if ((error = ah4_output(state->m, sav)) != 0) { |
3315 | state->m = NULL; |
3316 | goto bad; |
3317 | } |
3318 | break; |
3319 | default: |
3320 | ipseclog((LOG_ERR, |
3321 | "ipsec4_output: unknown ipsec protocol %d\n" , |
3322 | sav->sah->saidx.proto)); |
3323 | m_freem(state->m); |
3324 | state->m = NULL; |
3325 | error = EPROTONOSUPPORT; |
3326 | goto bad; |
3327 | } |
3328 | |
3329 | if (state->m == 0) { |
3330 | error = ENOMEM; |
3331 | goto bad; |
3332 | } |
3333 | |
3334 | #if SKYWALK |
3335 | state->m->m_pkthdr.pkt_flowid = sav->flowid; |
3336 | state->m->m_pkthdr.pkt_flags |= PKTF_FLOW_ID; |
3337 | #endif /* !SKYWALK */ |
3338 | |
3339 | return 0; |
3340 | |
3341 | bad: |
3342 | return error; |
3343 | } |
3344 | |
3345 | int |
3346 | ipsec4_interface_kpipe_output(ifnet_t interface, kern_packet_t sph, |
3347 | kern_packet_t dph) |
3348 | { |
3349 | struct sockaddr_in src = {}; |
3350 | struct sockaddr_in dst = {}; |
3351 | struct secasvar *sav = NULL; |
3352 | uint8_t *sbaddr = NULL; |
3353 | uint8_t *dbaddr = NULL; |
3354 | size_t hlen = 0; |
3355 | uint32_t slen = 0; |
3356 | uint32_t dlim = 0, doff = 0, dlen = 0; |
3357 | int err = 0; |
3358 | |
3359 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
3360 | |
3361 | MD_BUFLET_ADDR(SK_PTR_ADDR_KPKT(sph), sbaddr); |
3362 | kern_buflet_t sbuf = __packet_get_next_buflet(ph: sph, NULL); |
3363 | VERIFY(sbuf != NULL); |
3364 | slen = __buflet_get_data_length(buf: sbuf); |
3365 | |
3366 | if (__improbable(slen < sizeof(struct ip))) { |
3367 | os_log_info(OS_LOG_DEFAULT, "ipsec4 interface kpipe output: " |
3368 | "source buffer shorter than ip header, %u\n" , slen); |
3369 | err = EINVAL; |
3370 | goto bad; |
3371 | } |
3372 | |
3373 | struct ip *ip = (struct ip *)(void *)sbaddr; |
3374 | ASSERT(IP_HDR_ALIGNED_P(ip)); |
3375 | |
3376 | /* Find security association matching source and destination address */ |
3377 | src.sin_family = AF_INET; |
3378 | src.sin_len = sizeof(src); |
3379 | src.sin_addr.s_addr = ip->ip_src.s_addr; |
3380 | |
3381 | dst.sin_family = AF_INET; |
3382 | dst.sin_len = sizeof(dst); |
3383 | dst.sin_addr.s_addr = ip->ip_dst.s_addr; |
3384 | |
3385 | sav = key_alloc_outbound_sav_for_interface(interface, AF_INET, |
3386 | src: (struct sockaddr *)&src, dst: (struct sockaddr *)&dst); |
3387 | if (__improbable(sav == NULL)) { |
3388 | os_log_info(OS_LOG_DEFAULT, "ipsec4 interface kpipe output: " |
3389 | "failed to find outbound sav\n" ); |
3390 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3391 | err = ENOENT; |
3392 | goto bad; |
3393 | } |
3394 | |
3395 | if (__improbable(sav->sah == NULL)) { |
3396 | os_log_info(OS_LOG_DEFAULT, "ipsec4 interface kpipe output: " |
3397 | "sah is NULL\n" ); |
3398 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3399 | err = ENOENT; |
3400 | goto bad; |
3401 | } |
3402 | |
3403 | if (__improbable(sav->sah->saidx.mode != IPSEC_MODE_TRANSPORT)) { |
3404 | os_log_info(OS_LOG_DEFAULT, "ipsec tunnel mode not supported " |
3405 | "in kpipe mode, SPI=%x\n" , ntohl(sav->spi)); |
3406 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3407 | err = EINVAL; |
3408 | goto bad; |
3409 | } |
3410 | if (__improbable((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_DERIV | |
3411 | SADB_X_EXT_NATT | SADB_X_EXT_NATT_MULTIPLEUSERS | |
3412 | SADB_X_EXT_CYCSEQ | SADB_X_EXT_PMASK)) != 0)) { |
3413 | os_log_info(OS_LOG_DEFAULT, "sadb flag %x not supported in " |
3414 | "kpipe mode, SPI=%x\n" , sav->flags, ntohl(sav->spi)); |
3415 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3416 | err = EINVAL; |
3417 | goto bad; |
3418 | } |
3419 | |
3420 | /* |
3421 | * If there is no valid SA, we give up to process any |
3422 | * more. In such a case, the SA's status is changed |
3423 | * from DYING to DEAD after allocating. If a packet |
3424 | * send to the receiver by dead SA, the receiver can |
3425 | * not decode a packet because SA has been dead. |
3426 | */ |
3427 | if (__improbable(sav->state != SADB_SASTATE_MATURE |
3428 | && sav->state != SADB_SASTATE_DYING)) { |
3429 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3430 | err = EINVAL; |
3431 | goto bad; |
3432 | } |
3433 | |
3434 | #ifdef _IP_VHL |
3435 | hlen = IP_VHL_HL(ip->ip_vhl) << 2; |
3436 | #else |
3437 | hlen = ip->ip_hl << 2; |
3438 | #endif |
3439 | /* Copy the IP header from source packet to destination packet */ |
3440 | MD_BUFLET_ADDR(SK_PTR_ADDR_KPKT(dph), dbaddr); |
3441 | kern_buflet_t dbuf = __packet_get_next_buflet(ph: dph, NULL); |
3442 | doff = __buflet_get_data_offset(buf: dbuf); |
3443 | VERIFY(doff == 0); |
3444 | dlen = __buflet_get_data_length(buf: dbuf); |
3445 | VERIFY(dlen == 0); |
3446 | |
3447 | dlim = __buflet_get_data_limit(buf: dbuf); |
3448 | if (__improbable(dlim < hlen)) { |
3449 | os_log_info(OS_LOG_DEFAULT, "ipsec4 interface kpipe output: " |
3450 | "buflet size shorter than hlen %u, SPI=%x\n" , dlim, ntohl(sav->spi)); |
3451 | err = EMSGSIZE; |
3452 | goto bad; |
3453 | } |
3454 | |
3455 | VERIFY(hlen <= UINT16_MAX); |
3456 | memcpy(dst: dbaddr, src: sbaddr, n: hlen); |
3457 | __buflet_set_data_length(buf: dbuf, dlen: (uint16_t)hlen); |
3458 | |
3459 | switch (sav->sah->saidx.proto) { |
3460 | case IPPROTO_ESP: { |
3461 | if (__improbable((err = esp_kpipe_output(sav, sph, dph)) != 0)) { |
3462 | goto bad; |
3463 | } |
3464 | break; |
3465 | } |
3466 | case IPPROTO_AH: { |
3467 | os_log_info(OS_LOG_DEFAULT, "AH not supported in kpipe mode\n" ); |
3468 | err = EPROTONOSUPPORT; |
3469 | goto bad; |
3470 | } |
3471 | default: { |
3472 | os_log_info(OS_LOG_DEFAULT, "unknown ipsec protocol %d\n" , |
3473 | sav->sah->saidx.proto); |
3474 | err = EPROTONOSUPPORT; |
3475 | goto bad; |
3476 | } |
3477 | } |
3478 | |
3479 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3480 | return 0; |
3481 | bad: |
3482 | if (sav != NULL) { |
3483 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3484 | sav = NULL; |
3485 | } |
3486 | |
3487 | return err; |
3488 | } |
3489 | |
3490 | int |
3491 | ipsec6_interface_kpipe_output(ifnet_t interface, kern_packet_t sph, |
3492 | kern_packet_t dph) |
3493 | { |
3494 | struct sockaddr_in6 src = {}; |
3495 | struct sockaddr_in6 dst = {}; |
3496 | struct secasvar *sav = NULL; |
3497 | uint8_t *sbaddr = NULL; |
3498 | uint8_t *dbaddr = NULL; |
3499 | uint32_t slen = 0; |
3500 | uint32_t dlim = 0, doff = 0, dlen = 0; |
3501 | int err = 0; |
3502 | |
3503 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
3504 | |
3505 | MD_BUFLET_ADDR(SK_PTR_ADDR_KPKT(sph), sbaddr); |
3506 | kern_buflet_t sbuf = __packet_get_next_buflet(ph: sph, NULL); |
3507 | VERIFY(sbuf != NULL); |
3508 | slen = __buflet_get_data_length(buf: sbuf); |
3509 | |
3510 | if (__improbable(slen < sizeof(struct ip6_hdr))) { |
3511 | os_log_info(OS_LOG_DEFAULT, "ipsec6 interface kpipe output: " |
3512 | "source buffer shorter than ipv6 header, %u\n" , slen); |
3513 | err = EINVAL; |
3514 | goto bad; |
3515 | } |
3516 | |
3517 | struct ip6_hdr *ip6 = (struct ip6_hdr *)sbaddr; |
3518 | |
3519 | /* Find security association matching source and destination address */ |
3520 | src.sin6_family = AF_INET6; |
3521 | src.sin6_len = sizeof(src); |
3522 | memcpy(dst: &src.sin6_addr, src: &ip6->ip6_src, n: sizeof(src.sin6_addr)); |
3523 | |
3524 | dst.sin6_family = AF_INET6; |
3525 | dst.sin6_len = sizeof(dst); |
3526 | memcpy(dst: &dst.sin6_addr, src: &ip6->ip6_dst, n: sizeof(dst.sin6_addr)); |
3527 | |
3528 | sav = key_alloc_outbound_sav_for_interface(interface, AF_INET6, |
3529 | src: (struct sockaddr *)&src, dst: (struct sockaddr *)&dst); |
3530 | if (__improbable(sav == NULL)) { |
3531 | os_log_info(OS_LOG_DEFAULT, "ipsec6 interface kpipe output: " |
3532 | "failed to find outbound sav\n" ); |
3533 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3534 | err = ENOENT; |
3535 | goto bad; |
3536 | } |
3537 | |
3538 | if (__improbable(sav->sah == NULL)) { |
3539 | os_log_info(OS_LOG_DEFAULT, "ipsec6 interface kpipe output: " |
3540 | "sah is NULL\n" ); |
3541 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3542 | err = ENOENT; |
3543 | goto bad; |
3544 | } |
3545 | |
3546 | if (__improbable(sav->sah->saidx.mode != IPSEC_MODE_TRANSPORT)) { |
3547 | os_log_info(OS_LOG_DEFAULT, "ipsec tunnel mode not supported " |
3548 | "in kpipe mode, SPI=%x\n" , ntohl(sav->spi)); |
3549 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3550 | err = EINVAL; |
3551 | goto bad; |
3552 | } |
3553 | if (__improbable((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_DERIV | |
3554 | SADB_X_EXT_NATT | SADB_X_EXT_NATT_MULTIPLEUSERS | |
3555 | SADB_X_EXT_CYCSEQ | SADB_X_EXT_PMASK)) != 0)) { |
3556 | os_log_info(OS_LOG_DEFAULT, "sadb flag %x not supported in " |
3557 | "kpipe mode, SPI=%x\n" , sav->flags, ntohl(sav->spi)); |
3558 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3559 | err = EINVAL; |
3560 | goto bad; |
3561 | } |
3562 | |
3563 | /* |
3564 | * If there is no valid SA, we give up to process any |
3565 | * more. In such a case, the SA's status is changed |
3566 | * from DYING to DEAD after allocating. If a packet |
3567 | * send to the receiver by dead SA, the receiver can |
3568 | * not decode a packet because SA has been dead. |
3569 | */ |
3570 | if (__improbable(sav->state != SADB_SASTATE_MATURE |
3571 | && sav->state != SADB_SASTATE_DYING)) { |
3572 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3573 | err = EINVAL; |
3574 | goto bad; |
3575 | } |
3576 | |
3577 | /* Copy the IPv6 header from source packet to destination packet */ |
3578 | MD_BUFLET_ADDR(SK_PTR_ADDR_KPKT(dph), dbaddr); |
3579 | kern_buflet_t dbuf = __packet_get_next_buflet(ph: dph, NULL); |
3580 | doff = __buflet_get_data_offset(buf: dbuf); |
3581 | VERIFY(doff == 0); |
3582 | dlen = __buflet_get_data_length(buf: dbuf); |
3583 | VERIFY(dlen == 0); |
3584 | |
3585 | dlim = __buflet_get_data_limit(buf: dbuf); |
3586 | if (__improbable(dlim < sizeof(struct ip6_hdr))) { |
3587 | os_log_info(OS_LOG_DEFAULT, "ipsec6 interface kpipe output" |
3588 | "buflet size shorter than hlen %u, SPI=%x\n" , dlim, ntohl(sav->spi)); |
3589 | err = EMSGSIZE; |
3590 | goto bad; |
3591 | } |
3592 | |
3593 | memcpy(dst: dbaddr, src: sbaddr, n: sizeof(struct ip6_hdr)); |
3594 | __buflet_set_data_length(buf: dbuf, dlen: sizeof(struct ip6_hdr)); |
3595 | |
3596 | switch (sav->sah->saidx.proto) { |
3597 | case IPPROTO_ESP: { |
3598 | if (__improbable((err = esp_kpipe_output(sav, sph, dph)) != 0)) { |
3599 | goto bad; |
3600 | } |
3601 | break; |
3602 | } |
3603 | case IPPROTO_AH: { |
3604 | os_log_info(OS_LOG_DEFAULT, "AH not supported in kpipe mode\n" ); |
3605 | err = EPROTONOSUPPORT; |
3606 | goto bad; |
3607 | } |
3608 | default: { |
3609 | os_log_info(OS_LOG_DEFAULT, "unknown ipsec protocol %d\n" , |
3610 | sav->sah->saidx.proto); |
3611 | err = EPROTONOSUPPORT; |
3612 | goto bad; |
3613 | } |
3614 | } |
3615 | |
3616 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3617 | return 0; |
3618 | bad: |
3619 | if (sav != NULL) { |
3620 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3621 | sav = NULL; |
3622 | } |
3623 | |
3624 | return err; |
3625 | } |
3626 | |
3627 | int |
3628 | ipsec4_interface_output(struct ipsec_output_state *state, ifnet_t interface) |
3629 | { |
3630 | int error = 0; |
3631 | struct secasvar *sav = NULL; |
3632 | |
3633 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
3634 | |
3635 | if (state == NULL) { |
3636 | panic("state == NULL in ipsec4_output" ); |
3637 | } |
3638 | if (state->m == NULL) { |
3639 | panic("state->m == NULL in ipsec4_output" ); |
3640 | } |
3641 | if (state->dst == NULL) { |
3642 | panic("state->dst == NULL in ipsec4_output" ); |
3643 | } |
3644 | |
3645 | struct ip *ip = mtod(state->m, struct ip *); |
3646 | |
3647 | struct sockaddr_in src = {}; |
3648 | src.sin_family = AF_INET; |
3649 | src.sin_len = sizeof(src); |
3650 | memcpy(dst: &src.sin_addr, src: &ip->ip_src, n: sizeof(src.sin_addr)); |
3651 | |
3652 | struct sockaddr_in dst = {}; |
3653 | dst.sin_family = AF_INET; |
3654 | dst.sin_len = sizeof(dst); |
3655 | memcpy(dst: &dst.sin_addr, src: &ip->ip_dst, n: sizeof(dst.sin_addr)); |
3656 | |
3657 | sav = key_alloc_outbound_sav_for_interface(interface, AF_INET, |
3658 | src: (struct sockaddr *)&src, |
3659 | dst: (struct sockaddr *)&dst); |
3660 | if (sav == NULL) { |
3661 | goto bad; |
3662 | } |
3663 | |
3664 | if ((error = ipsec4_output_internal(state, sav)) != 0) { |
3665 | goto bad; |
3666 | } |
3667 | |
3668 | KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0, 0, 0, 0, 0); |
3669 | if (sav) { |
3670 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3671 | } |
3672 | return 0; |
3673 | |
3674 | bad: |
3675 | if (sav) { |
3676 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3677 | } |
3678 | m_freem(state->m); |
3679 | state->m = NULL; |
3680 | KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error, 0, 0, 0, 0); |
3681 | return error; |
3682 | } |
3683 | |
3684 | int |
3685 | ipsec4_output(struct ipsec_output_state *state, struct secpolicy *sp, __unused int flags) |
3686 | { |
3687 | struct ip *ip = NULL; |
3688 | struct ipsecrequest *isr = NULL; |
3689 | struct secasindex saidx; |
3690 | struct secasvar *sav = NULL; |
3691 | int error = 0; |
3692 | struct sockaddr_in *sin; |
3693 | |
3694 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
3695 | |
3696 | if (!state) { |
3697 | panic("state == NULL in ipsec4_output" ); |
3698 | } |
3699 | if (!state->m) { |
3700 | panic("state->m == NULL in ipsec4_output" ); |
3701 | } |
3702 | if (!state->dst) { |
3703 | panic("state->dst == NULL in ipsec4_output" ); |
3704 | } |
3705 | |
3706 | KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_START, 0, 0, 0, 0, 0); |
3707 | |
3708 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
3709 | printf("ipsec4_output: applied SP\n" ); |
3710 | kdebug_secpolicy(sp)); |
3711 | |
3712 | for (isr = sp->req; isr != NULL; isr = isr->next) { |
3713 | /* make SA index for search proper SA */ |
3714 | ip = mtod(state->m, struct ip *); |
3715 | bcopy(src: &isr->saidx, dst: &saidx, n: sizeof(saidx)); |
3716 | saidx.mode = isr->saidx.mode; |
3717 | saidx.reqid = isr->saidx.reqid; |
3718 | sin = (struct sockaddr_in *)&saidx.src; |
3719 | if (sin->sin_len == 0) { |
3720 | sin->sin_len = sizeof(*sin); |
3721 | sin->sin_family = AF_INET; |
3722 | sin->sin_port = IPSEC_PORT_ANY; |
3723 | bcopy(src: &ip->ip_src, dst: &sin->sin_addr, |
3724 | n: sizeof(sin->sin_addr)); |
3725 | } |
3726 | sin = (struct sockaddr_in *)&saidx.dst; |
3727 | if (sin->sin_len == 0) { |
3728 | sin->sin_len = sizeof(*sin); |
3729 | sin->sin_family = AF_INET; |
3730 | sin->sin_port = IPSEC_PORT_ANY; |
3731 | /* |
3732 | * Get port from packet if upper layer is UDP and nat traversal |
3733 | * is enabled and transport mode. |
3734 | */ |
3735 | |
3736 | if ((esp_udp_encap_port & 0xFFFF) != 0 && |
3737 | isr->saidx.mode == IPSEC_MODE_TRANSPORT) { |
3738 | if (ip->ip_p == IPPROTO_UDP) { |
3739 | struct udphdr *udp; |
3740 | u_int32_t hlen; |
3741 | #ifdef _IP_VHL |
3742 | hlen = IP_VHL_HL(ip->ip_vhl) << 2; |
3743 | #else |
3744 | hlen = ip->ip_hl << 2; |
3745 | #endif |
3746 | if (state->m->m_len < hlen + sizeof(struct udphdr)) { |
3747 | state->m = m_pullup(state->m, hlen + sizeof(struct udphdr)); |
3748 | if (!state->m) { |
3749 | ipseclog((LOG_DEBUG, "IPv4 output: can't pullup UDP header\n" )); |
3750 | IPSEC_STAT_INCREMENT(ipsecstat.in_inval); |
3751 | goto bad; |
3752 | } |
3753 | ip = mtod(state->m, struct ip *); |
3754 | } |
3755 | udp = (struct udphdr *)(void *)(((u_int8_t *)ip) + hlen); |
3756 | sin->sin_port = udp->uh_dport; |
3757 | } |
3758 | } |
3759 | |
3760 | bcopy(src: &ip->ip_dst, dst: &sin->sin_addr, |
3761 | n: sizeof(sin->sin_addr)); |
3762 | } |
3763 | |
3764 | if ((error = key_checkrequest(isr, &saidx, sav: &sav)) != 0) { |
3765 | /* |
3766 | * IPsec processing is required, but no SA found. |
3767 | * I assume that key_acquire() had been called |
3768 | * to get/establish the SA. Here I discard |
3769 | * this packet because it is responsibility for |
3770 | * upper layer to retransmit the packet. |
3771 | */ |
3772 | IPSEC_STAT_INCREMENT(ipsecstat.out_nosa); |
3773 | goto bad; |
3774 | } |
3775 | |
3776 | /* validity check */ |
3777 | if (sav == NULL) { |
3778 | switch (ipsec_get_reqlevel(isr)) { |
3779 | case IPSEC_LEVEL_USE: |
3780 | continue; |
3781 | case IPSEC_LEVEL_REQUIRE: |
3782 | /* must be not reached here. */ |
3783 | panic("ipsec4_output: no SA found, but required." ); |
3784 | } |
3785 | } |
3786 | |
3787 | if ((error = ipsec4_output_internal(state, sav)) != 0) { |
3788 | goto bad; |
3789 | } |
3790 | } |
3791 | |
3792 | KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0, 0, 0, 0, 0); |
3793 | if (sav) { |
3794 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3795 | } |
3796 | return 0; |
3797 | |
3798 | bad: |
3799 | if (sav) { |
3800 | key_freesav(sav, KEY_SADB_UNLOCKED); |
3801 | } |
3802 | m_freem(state->m); |
3803 | state->m = NULL; |
3804 | KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error, 0, 0, 0, 0); |
3805 | return error; |
3806 | } |
3807 | |
3808 | #endif |
3809 | |
3810 | /* |
3811 | * IPsec output logic for IPv6, transport mode. |
3812 | */ |
3813 | static int |
3814 | ipsec6_output_trans_internal( |
3815 | struct ipsec_output_state *state, |
3816 | struct secasvar *sav, |
3817 | u_char *nexthdrp, |
3818 | struct mbuf *mprev) |
3819 | { |
3820 | struct ip6_hdr *ip6; |
3821 | size_t plen; |
3822 | int error = 0; |
3823 | |
3824 | /* validity check */ |
3825 | if (sav == NULL || sav->sah == NULL) { |
3826 | error = EINVAL; |
3827 | goto bad; |
3828 | } |
3829 | |
3830 | /* |
3831 | * If there is no valid SA, we give up to process. |
3832 | * see same place at ipsec4_output(). |
3833 | */ |
3834 | if (sav->state != SADB_SASTATE_MATURE |
3835 | && sav->state != SADB_SASTATE_DYING) { |
3836 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); |
3837 | error = EINVAL; |
3838 | goto bad; |
3839 | } |
3840 | |
3841 | state->outgoing_if = sav->sah->outgoing_if; |
3842 | |
3843 | switch (sav->sah->saidx.proto) { |
3844 | case IPPROTO_ESP: |
3845 | #if IPSEC_ESP |
3846 | error = esp6_output(state->m, nexthdrp, mprev->m_next, sav); |
3847 | #else |
3848 | m_freem(state->m); |
3849 | error = EINVAL; |
3850 | #endif |
3851 | break; |
3852 | case IPPROTO_AH: |
3853 | error = ah6_output(state->m, nexthdrp, mprev->m_next, sav); |
3854 | break; |
3855 | default: |
3856 | ipseclog((LOG_ERR, "ipsec6_output_trans: " |
3857 | "unknown ipsec protocol %d\n" , sav->sah->saidx.proto)); |
3858 | m_freem(state->m); |
3859 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
3860 | error = EPROTONOSUPPORT; |
3861 | break; |
3862 | } |
3863 | if (error) { |
3864 | state->m = NULL; |
3865 | goto bad; |
3866 | } |
3867 | plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); |
3868 | if (plen > IPV6_MAXPACKET) { |
3869 | ipseclog((LOG_ERR, "ipsec6_output_trans: " |
3870 | "IPsec with IPv6 jumbogram is not supported\n" )); |
3871 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
3872 | error = EINVAL; /*XXX*/ |
3873 | goto bad; |
3874 | } |
3875 | ip6 = mtod(state->m, struct ip6_hdr *); |
3876 | ip6->ip6_plen = htons((u_int16_t)plen); |
3877 | |
3878 | #if SKYWALK |
3879 | ASSERT(state->m != NULL); |
3880 | state->m->m_pkthdr.pkt_flowid = sav->flowid; |
3881 | state->m->m_pkthdr.pkt_flags |= PKTF_FLOW_ID; |
3882 | #endif /* !SKYWALK */ |
3883 | return 0; |
3884 | bad: |
3885 | return error; |
3886 | } |
3887 | |
3888 | int |
3889 | ipsec6_output_trans( |
3890 | struct ipsec_output_state *state, |
3891 | u_char *nexthdrp, |
3892 | struct mbuf *mprev, |
3893 | struct secpolicy *sp, |
3894 | __unused int flags, |
3895 | int *tun) |
3896 | { |
3897 | struct ip6_hdr *ip6; |
3898 | struct ipsecrequest *isr = NULL; |
3899 | struct secasindex saidx; |
3900 | int error = 0; |
3901 | struct sockaddr_in6 *sin6; |
3902 | struct secasvar *sav = NULL; |
3903 | |
3904 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
3905 | |
3906 | if (!state) { |
3907 | panic("state == NULL in ipsec6_output_trans" ); |
3908 | } |
3909 | if (!state->m) { |
3910 | panic("state->m == NULL in ipsec6_output_trans" ); |
3911 | } |
3912 | if (!nexthdrp) { |
3913 | panic("nexthdrp == NULL in ipsec6_output_trans" ); |
3914 | } |
3915 | if (!mprev) { |
3916 | panic("mprev == NULL in ipsec6_output_trans" ); |
3917 | } |
3918 | if (!sp) { |
3919 | panic("sp == NULL in ipsec6_output_trans" ); |
3920 | } |
3921 | if (!tun) { |
3922 | panic("tun == NULL in ipsec6_output_trans" ); |
3923 | } |
3924 | |
3925 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
3926 | printf("ipsec6_output_trans: applyed SP\n" ); |
3927 | kdebug_secpolicy(sp)); |
3928 | |
3929 | *tun = 0; |
3930 | for (isr = sp->req; isr; isr = isr->next) { |
3931 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { |
3932 | /* the rest will be handled by ipsec6_output_tunnel() */ |
3933 | break; |
3934 | } |
3935 | |
3936 | /* make SA index for search proper SA */ |
3937 | ip6 = mtod(state->m, struct ip6_hdr *); |
3938 | bcopy(src: &isr->saidx, dst: &saidx, n: sizeof(saidx)); |
3939 | saidx.mode = isr->saidx.mode; |
3940 | saidx.reqid = isr->saidx.reqid; |
3941 | sin6 = (struct sockaddr_in6 *)&saidx.src; |
3942 | if (sin6->sin6_len == 0) { |
3943 | sin6->sin6_len = sizeof(*sin6); |
3944 | sin6->sin6_family = AF_INET6; |
3945 | sin6->sin6_port = IPSEC_PORT_ANY; |
3946 | bcopy(src: &ip6->ip6_src, dst: &sin6->sin6_addr, |
3947 | n: sizeof(ip6->ip6_src)); |
3948 | if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { |
3949 | /* fix scope id for comparing SPD */ |
3950 | sin6->sin6_scope_id = ip6_output_getsrcifscope(state->m); |
3951 | in6_verify_ifscope(&ip6->ip6_src, sin6->sin6_scope_id); |
3952 | if (in6_embedded_scope) { |
3953 | sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); |
3954 | sin6->sin6_addr.s6_addr16[1] = 0; |
3955 | } |
3956 | } |
3957 | } |
3958 | sin6 = (struct sockaddr_in6 *)&saidx.dst; |
3959 | if (sin6->sin6_len == 0) { |
3960 | sin6->sin6_len = sizeof(*sin6); |
3961 | sin6->sin6_family = AF_INET6; |
3962 | sin6->sin6_port = IPSEC_PORT_ANY; |
3963 | bcopy(src: &ip6->ip6_dst, dst: &sin6->sin6_addr, |
3964 | n: sizeof(ip6->ip6_dst)); |
3965 | if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { |
3966 | /* fix scope id for comparing SPD */ |
3967 | sin6->sin6_scope_id = ip6_output_getdstifscope(state->m); |
3968 | in6_verify_ifscope(&ip6->ip6_dst, sin6->sin6_scope_id); |
3969 | if (in6_embedded_scope) { |
3970 | sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); |
3971 | sin6->sin6_addr.s6_addr16[1] = 0; |
3972 | } |
3973 | } |
3974 | } |
3975 | |
3976 | if (key_checkrequest(isr, &saidx, sav: &sav) == ENOENT) { |
3977 | /* |
3978 | * IPsec processing is required, but no SA found. |
3979 | * I assume that key_acquire() had been called |
3980 | * to get/establish the SA. Here I discard |
3981 | * this packet because it is responsibility for |
3982 | * upper layer to retransmit the packet. |
3983 | */ |
3984 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); |
3985 | error = ENOENT; |
3986 | |
3987 | /* |
3988 | * Notify the fact that the packet is discarded |
3989 | * to ourselves. I believe this is better than |
3990 | * just silently discarding. (jinmei@kame.net) |
3991 | * XXX: should we restrict the error to TCP packets? |
3992 | * XXX: should we directly notify sockets via |
3993 | * pfctlinputs? |
3994 | */ |
3995 | icmp6_error(state->m, ICMP6_DST_UNREACH, |
3996 | ICMP6_DST_UNREACH_ADMIN, 0); |
3997 | state->m = NULL; /* icmp6_error freed the mbuf */ |
3998 | goto bad; |
3999 | } |
4000 | |
4001 | /* validity check */ |
4002 | if (sav == NULL) { |
4003 | switch (ipsec_get_reqlevel(isr)) { |
4004 | case IPSEC_LEVEL_USE: |
4005 | continue; |
4006 | case IPSEC_LEVEL_REQUIRE: |
4007 | /* must be not reached here. */ |
4008 | panic("ipsec6_output_trans: no SA found, but required." ); |
4009 | } |
4010 | } |
4011 | |
4012 | if ((error = ipsec6_output_trans_internal(state, sav, nexthdrp, mprev)) != 0) { |
4013 | goto bad; |
4014 | } |
4015 | } |
4016 | |
4017 | /* if we have more to go, we need a tunnel mode processing */ |
4018 | if (isr != NULL) { |
4019 | *tun = 1; |
4020 | } |
4021 | |
4022 | if (sav) { |
4023 | key_freesav(sav, KEY_SADB_UNLOCKED); |
4024 | } |
4025 | return 0; |
4026 | |
4027 | bad: |
4028 | if (sav) { |
4029 | key_freesav(sav, KEY_SADB_UNLOCKED); |
4030 | } |
4031 | m_freem(state->m); |
4032 | state->m = NULL; |
4033 | return error; |
4034 | } |
4035 | |
4036 | /* |
4037 | * IPsec output logic for IPv6, tunnel mode. |
4038 | */ |
4039 | static int |
4040 | ipsec6_output_tunnel_internal(struct ipsec_output_state *state, struct secasvar *sav, int *must_be_last) |
4041 | { |
4042 | struct ip6_hdr *ip6; |
4043 | struct sockaddr_in6* dst6; |
4044 | struct route_in6 *ro6; |
4045 | size_t plen; |
4046 | int error = 0; |
4047 | |
4048 | /* validity check */ |
4049 | if (sav == NULL || sav->sah == NULL || sav->sah->saidx.mode != IPSEC_MODE_TUNNEL) { |
4050 | error = EINVAL; |
4051 | goto bad; |
4052 | } |
4053 | |
4054 | /* |
4055 | * If there is no valid SA, we give up to process. |
4056 | * see same place at ipsec4_output(). |
4057 | */ |
4058 | if (sav->state != SADB_SASTATE_MATURE |
4059 | && sav->state != SADB_SASTATE_DYING) { |
4060 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); |
4061 | error = EINVAL; |
4062 | goto bad; |
4063 | } |
4064 | |
4065 | state->outgoing_if = sav->sah->outgoing_if; |
4066 | |
4067 | if (sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) { |
4068 | /* |
4069 | * build IPsec tunnel. |
4070 | */ |
4071 | state->m = ipsec6_splithdr(state->m); |
4072 | if (!state->m) { |
4073 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem); |
4074 | error = ENOMEM; |
4075 | goto bad; |
4076 | } |
4077 | |
4078 | if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) { |
4079 | error = ipsec6_encapsulate(m: state->m, sav); |
4080 | if (error) { |
4081 | state->m = 0; |
4082 | goto bad; |
4083 | } |
4084 | ip6 = mtod(state->m, struct ip6_hdr *); |
4085 | } else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) { |
4086 | struct ip *ip; |
4087 | struct sockaddr_in* dst4; |
4088 | struct route *ro4 = NULL; |
4089 | struct route ro4_copy; |
4090 | struct ip_out_args ipoa; |
4091 | |
4092 | bzero(s: &ipoa, n: sizeof(ipoa)); |
4093 | ipoa.ipoa_boundif = IFSCOPE_NONE; |
4094 | ipoa.ipoa_flags = IPOAF_SELECT_SRCIF; |
4095 | ipoa.ipoa_sotc = SO_TC_UNSPEC; |
4096 | ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC; |
4097 | |
4098 | if (must_be_last) { |
4099 | *must_be_last = 1; |
4100 | } |
4101 | |
4102 | state->tunneled = 4; /* must not process any further in ip6_output */ |
4103 | error = ipsec64_encapsulate(m: state->m, sav, dscp_mapping: state->dscp_mapping); |
4104 | if (error) { |
4105 | state->m = 0; |
4106 | goto bad; |
4107 | } |
4108 | /* Now we have an IPv4 packet */ |
4109 | ip = mtod(state->m, struct ip *); |
4110 | |
4111 | // grab sadb_mutex, to update sah's route cache and get a local copy of it |
4112 | lck_mtx_lock(sadb_mutex); |
4113 | ro4 = (struct route *)&sav->sah->sa_route; |
4114 | dst4 = (struct sockaddr_in *)(void *)&ro4->ro_dst; |
4115 | if (ro4->ro_rt) { |
4116 | RT_LOCK(ro4->ro_rt); |
4117 | } |
4118 | if (ROUTE_UNUSABLE(ro4) || |
4119 | dst4->sin_addr.s_addr != ip->ip_dst.s_addr) { |
4120 | if (ro4->ro_rt != NULL) { |
4121 | RT_UNLOCK(ro4->ro_rt); |
4122 | } |
4123 | ROUTE_RELEASE(ro4); |
4124 | } |
4125 | if (ro4->ro_rt == NULL) { |
4126 | dst4->sin_family = AF_INET; |
4127 | dst4->sin_len = sizeof(*dst4); |
4128 | dst4->sin_addr = ip->ip_dst; |
4129 | } else { |
4130 | RT_UNLOCK(ro4->ro_rt); |
4131 | } |
4132 | route_copyout(&ro4_copy, ro4, sizeof(struct route)); |
4133 | // release sadb_mutex, after updating sah's route cache and getting a local copy |
4134 | lck_mtx_unlock(sadb_mutex); |
4135 | state->m = ipsec4_splithdr(state->m); |
4136 | if (!state->m) { |
4137 | error = ENOMEM; |
4138 | ROUTE_RELEASE(&ro4_copy); |
4139 | goto bad; |
4140 | } |
4141 | switch (sav->sah->saidx.proto) { |
4142 | case IPPROTO_ESP: |
4143 | #if IPSEC_ESP |
4144 | if ((error = esp4_output(state->m, sav)) != 0) { |
4145 | state->m = NULL; |
4146 | ROUTE_RELEASE(&ro4_copy); |
4147 | goto bad; |
4148 | } |
4149 | break; |
4150 | |
4151 | #else |
4152 | m_freem(state->m); |
4153 | state->m = NULL; |
4154 | error = EINVAL; |
4155 | ROUTE_RELEASE(&ro4_copy); |
4156 | goto bad; |
4157 | #endif |
4158 | case IPPROTO_AH: |
4159 | if ((error = ah4_output(state->m, sav)) != 0) { |
4160 | state->m = NULL; |
4161 | ROUTE_RELEASE(&ro4_copy); |
4162 | goto bad; |
4163 | } |
4164 | break; |
4165 | default: |
4166 | ipseclog((LOG_ERR, |
4167 | "ipsec4_output: unknown ipsec protocol %d\n" , |
4168 | sav->sah->saidx.proto)); |
4169 | m_freem(state->m); |
4170 | state->m = NULL; |
4171 | error = EPROTONOSUPPORT; |
4172 | ROUTE_RELEASE(&ro4_copy); |
4173 | goto bad; |
4174 | } |
4175 | |
4176 | if (state->m == 0) { |
4177 | error = ENOMEM; |
4178 | ROUTE_RELEASE(&ro4_copy); |
4179 | goto bad; |
4180 | } |
4181 | ipsec_set_pkthdr_for_interface(interface: sav->sah->ipsec_if, packet: state->m, |
4182 | AF_INET, flowid: sav->flowid); |
4183 | ipsec_set_ipoa_for_interface(interface: sav->sah->ipsec_if, ipoa: &ipoa); |
4184 | |
4185 | ip = mtod(state->m, struct ip *); |
4186 | ip->ip_len = ntohs(ip->ip_len); /* flip len field before calling ip_output */ |
4187 | error = ip_output(state->m, NULL, &ro4_copy, IP_OUTARGS, NULL, &ipoa); |
4188 | state->m = NULL; |
4189 | // grab sadb_mutex, to synchronize the sah's route cache with the local copy |
4190 | lck_mtx_lock(sadb_mutex); |
4191 | route_copyin(&ro4_copy, ro4, sizeof(struct route)); |
4192 | lck_mtx_unlock(sadb_mutex); |
4193 | if (error != 0) { |
4194 | goto bad; |
4195 | } |
4196 | goto done; |
4197 | } else { |
4198 | ipseclog((LOG_ERR, "ipsec6_output_tunnel: " |
4199 | "unsupported inner family, spi=%u\n" , |
4200 | (u_int32_t)ntohl(sav->spi))); |
4201 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
4202 | error = EAFNOSUPPORT; |
4203 | goto bad; |
4204 | } |
4205 | |
4206 | // grab sadb_mutex, before updating sah's route cache |
4207 | lck_mtx_lock(sadb_mutex); |
4208 | ro6 = &sav->sah->sa_route; |
4209 | dst6 = (struct sockaddr_in6 *)(void *)&ro6->ro_dst; |
4210 | if (ro6->ro_rt) { |
4211 | RT_LOCK(ro6->ro_rt); |
4212 | } |
4213 | if (ROUTE_UNUSABLE(ro6) || |
4214 | !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst)) { |
4215 | if (ro6->ro_rt != NULL) { |
4216 | RT_UNLOCK(ro6->ro_rt); |
4217 | } |
4218 | ROUTE_RELEASE(ro6); |
4219 | } |
4220 | if (ro6->ro_rt == 0) { |
4221 | bzero(s: dst6, n: sizeof(*dst6)); |
4222 | dst6->sin6_family = AF_INET6; |
4223 | dst6->sin6_len = sizeof(*dst6); |
4224 | dst6->sin6_addr = ip6->ip6_dst; |
4225 | rtalloc_scoped((struct route *)ro6, sav->sah->outgoing_if); |
4226 | if (ro6->ro_rt) { |
4227 | RT_LOCK(ro6->ro_rt); |
4228 | } |
4229 | } |
4230 | if (ro6->ro_rt == 0) { |
4231 | ip6stat.ip6s_noroute++; |
4232 | IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute); |
4233 | error = EHOSTUNREACH; |
4234 | // release sadb_mutex, after updating sah's route cache |
4235 | lck_mtx_unlock(sadb_mutex); |
4236 | goto bad; |
4237 | } |
4238 | |
4239 | /* |
4240 | * adjust state->dst if tunnel endpoint is offlink |
4241 | * |
4242 | * XXX: caching rt_gateway value in the state is |
4243 | * not really good, since it may point elsewhere |
4244 | * when the gateway gets modified to a larger |
4245 | * sockaddr via rt_setgate(). This is currently |
4246 | * addressed by SA_SIZE roundup in that routine. |
4247 | */ |
4248 | if (ro6->ro_rt->rt_flags & RTF_GATEWAY) { |
4249 | dst6 = (struct sockaddr_in6 *)(void *)ro6->ro_rt->rt_gateway; |
4250 | } |
4251 | RT_UNLOCK(ro6->ro_rt); |
4252 | ROUTE_RELEASE(&state->ro); |
4253 | route_copyout((struct route *)&state->ro, (struct route *)ro6, sizeof(struct route_in6)); |
4254 | state->dst = (struct sockaddr *)dst6; |
4255 | state->tunneled = 6; |
4256 | // release sadb_mutex, after updating sah's route cache |
4257 | lck_mtx_unlock(sadb_mutex); |
4258 | } |
4259 | |
4260 | state->m = ipsec6_splithdr(state->m); |
4261 | if (!state->m) { |
4262 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem); |
4263 | error = ENOMEM; |
4264 | goto bad; |
4265 | } |
4266 | ip6 = mtod(state->m, struct ip6_hdr *); |
4267 | switch (sav->sah->saidx.proto) { |
4268 | case IPPROTO_ESP: |
4269 | #if IPSEC_ESP |
4270 | error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); |
4271 | #else |
4272 | m_freem(state->m); |
4273 | error = EINVAL; |
4274 | #endif |
4275 | break; |
4276 | case IPPROTO_AH: |
4277 | error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav); |
4278 | break; |
4279 | default: |
4280 | ipseclog((LOG_ERR, "ipsec6_output_tunnel: " |
4281 | "unknown ipsec protocol %d\n" , sav->sah->saidx.proto)); |
4282 | m_freem(state->m); |
4283 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
4284 | error = EINVAL; |
4285 | break; |
4286 | } |
4287 | if (error) { |
4288 | state->m = NULL; |
4289 | goto bad; |
4290 | } |
4291 | plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr); |
4292 | if (plen > IPV6_MAXPACKET) { |
4293 | ipseclog((LOG_ERR, "ipsec6_output_tunnel: " |
4294 | "IPsec with IPv6 jumbogram is not supported\n" )); |
4295 | IPSEC_STAT_INCREMENT(ipsec6stat.out_inval); |
4296 | error = EINVAL; /*XXX*/ |
4297 | goto bad; |
4298 | } |
4299 | ip6 = mtod(state->m, struct ip6_hdr *); |
4300 | ip6->ip6_plen = htons((u_int16_t)plen); |
4301 | done: |
4302 | #if SKYWALK |
4303 | if (state->m != NULL) { |
4304 | state->m->m_pkthdr.pkt_flowid = sav->flowid; |
4305 | state->m->m_pkthdr.pkt_flags |= PKTF_FLOW_ID; |
4306 | } |
4307 | #endif /* !SKYWALK */ |
4308 | |
4309 | return 0; |
4310 | |
4311 | bad: |
4312 | return error; |
4313 | } |
4314 | |
4315 | int |
4316 | ipsec6_output_tunnel( |
4317 | struct ipsec_output_state *state, |
4318 | struct secpolicy *sp, |
4319 | __unused int flags) |
4320 | { |
4321 | struct ip6_hdr *ip6; |
4322 | struct ipsecrequest *isr = NULL; |
4323 | struct secasindex saidx; |
4324 | struct secasvar *sav = NULL; |
4325 | int error = 0; |
4326 | |
4327 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
4328 | |
4329 | if (!state) { |
4330 | panic("state == NULL in ipsec6_output_tunnel" ); |
4331 | } |
4332 | if (!state->m) { |
4333 | panic("state->m == NULL in ipsec6_output_tunnel" ); |
4334 | } |
4335 | if (!sp) { |
4336 | panic("sp == NULL in ipsec6_output_tunnel" ); |
4337 | } |
4338 | |
4339 | KEYDEBUG(KEYDEBUG_IPSEC_DATA, |
4340 | printf("ipsec6_output_tunnel: applyed SP\n" ); |
4341 | kdebug_secpolicy(sp)); |
4342 | |
4343 | /* |
4344 | * transport mode ipsec (before the 1st tunnel mode) is already |
4345 | * processed by ipsec6_output_trans(). |
4346 | */ |
4347 | for (isr = sp->req; isr; isr = isr->next) { |
4348 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { |
4349 | break; |
4350 | } |
4351 | } |
4352 | |
4353 | for (/* already initialized */; isr; isr = isr->next) { |
4354 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { |
4355 | /* When tunnel mode, SA peers must be specified. */ |
4356 | bcopy(src: &isr->saidx, dst: &saidx, n: sizeof(saidx)); |
4357 | } else { |
4358 | /* make SA index to look for a proper SA */ |
4359 | struct sockaddr_in6 *sin6; |
4360 | |
4361 | bzero(s: &saidx, n: sizeof(saidx)); |
4362 | saidx.proto = isr->saidx.proto; |
4363 | saidx.mode = isr->saidx.mode; |
4364 | saidx.reqid = isr->saidx.reqid; |
4365 | |
4366 | ip6 = mtod(state->m, struct ip6_hdr *); |
4367 | sin6 = (struct sockaddr_in6 *)&saidx.src; |
4368 | if (sin6->sin6_len == 0) { |
4369 | sin6->sin6_len = sizeof(*sin6); |
4370 | sin6->sin6_family = AF_INET6; |
4371 | sin6->sin6_port = IPSEC_PORT_ANY; |
4372 | bcopy(src: &ip6->ip6_src, dst: &sin6->sin6_addr, |
4373 | n: sizeof(ip6->ip6_src)); |
4374 | if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { |
4375 | /* fix scope id for comparing SPD */ |
4376 | sin6->sin6_scope_id = ip6_output_getsrcifscope(state->m); |
4377 | in6_verify_ifscope(&ip6->ip6_src, sin6->sin6_scope_id); |
4378 | if (in6_embedded_scope) { |
4379 | sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); |
4380 | sin6->sin6_addr.s6_addr16[1] = 0; |
4381 | } |
4382 | } |
4383 | } |
4384 | sin6 = (struct sockaddr_in6 *)&saidx.dst; |
4385 | if (sin6->sin6_len == 0) { |
4386 | sin6->sin6_len = sizeof(*sin6); |
4387 | sin6->sin6_family = AF_INET6; |
4388 | sin6->sin6_port = IPSEC_PORT_ANY; |
4389 | bcopy(src: &ip6->ip6_dst, dst: &sin6->sin6_addr, |
4390 | n: sizeof(ip6->ip6_dst)); |
4391 | if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { |
4392 | /* fix scope id for comparing SPD */ |
4393 | sin6->sin6_scope_id = ip6_output_getdstifscope(state->m); |
4394 | in6_verify_ifscope(&ip6->ip6_dst, sin6->sin6_scope_id); |
4395 | if (in6_embedded_scope) { |
4396 | sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); |
4397 | sin6->sin6_addr.s6_addr16[1] = 0; |
4398 | } |
4399 | } |
4400 | } |
4401 | } |
4402 | |
4403 | if (key_checkrequest(isr, &saidx, sav: &sav) == ENOENT) { |
4404 | /* |
4405 | * IPsec processing is required, but no SA found. |
4406 | * I assume that key_acquire() had been called |
4407 | * to get/establish the SA. Here I discard |
4408 | * this packet because it is responsibility for |
4409 | * upper layer to retransmit the packet. |
4410 | */ |
4411 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); |
4412 | error = ENOENT; |
4413 | goto bad; |
4414 | } |
4415 | |
4416 | /* validity check */ |
4417 | if (sav == NULL) { |
4418 | switch (ipsec_get_reqlevel(isr)) { |
4419 | case IPSEC_LEVEL_USE: |
4420 | continue; |
4421 | case IPSEC_LEVEL_REQUIRE: |
4422 | /* must be not reached here. */ |
4423 | panic("ipsec6_output_tunnel: no SA found, but required." ); |
4424 | } |
4425 | } |
4426 | |
4427 | /* |
4428 | * If there is no valid SA, we give up to process. |
4429 | * see same place at ipsec4_output(). |
4430 | */ |
4431 | if (sav->state != SADB_SASTATE_MATURE |
4432 | && sav->state != SADB_SASTATE_DYING) { |
4433 | IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa); |
4434 | error = EINVAL; |
4435 | goto bad; |
4436 | } |
4437 | |
4438 | int must_be_last = 0; |
4439 | |
4440 | if ((error = ipsec6_output_tunnel_internal(state, sav, must_be_last: &must_be_last)) != 0) { |
4441 | goto bad; |
4442 | } |
4443 | |
4444 | if (must_be_last && isr->next) { |
4445 | ipseclog((LOG_ERR, "ipsec6_output_tunnel: " |
4446 | "IPv4 must be outer layer, spi=%u\n" , |
4447 | (u_int32_t)ntohl(sav->spi))); |
4448 | error = EINVAL; |
4449 | goto bad; |
4450 | } |
4451 | } |
4452 | |
4453 | if (sav) { |
4454 | key_freesav(sav, KEY_SADB_UNLOCKED); |
4455 | } |
4456 | return 0; |
4457 | |
4458 | bad: |
4459 | if (sav) { |
4460 | key_freesav(sav, KEY_SADB_UNLOCKED); |
4461 | } |
4462 | if (state->m) { |
4463 | m_freem(state->m); |
4464 | } |
4465 | state->m = NULL; |
4466 | return error; |
4467 | } |
4468 | |
4469 | int |
4470 | ipsec6_interface_output(struct ipsec_output_state *state, ifnet_t interface, u_char *nexthdrp, struct mbuf *mprev) |
4471 | { |
4472 | int error = 0; |
4473 | struct secasvar *sav = NULL; |
4474 | |
4475 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
4476 | |
4477 | if (state == NULL) { |
4478 | panic("state == NULL in ipsec6_output" ); |
4479 | } |
4480 | if (state->m == NULL) { |
4481 | panic("state->m == NULL in ipsec6_output" ); |
4482 | } |
4483 | if (nexthdrp == NULL) { |
4484 | panic("nexthdrp == NULL in ipsec6_output" ); |
4485 | } |
4486 | if (mprev == NULL) { |
4487 | panic("mprev == NULL in ipsec6_output" ); |
4488 | } |
4489 | |
4490 | struct ip6_hdr *ip6 = mtod(state->m, struct ip6_hdr *); |
4491 | |
4492 | struct sockaddr_in6 src = {}; |
4493 | src.sin6_family = AF_INET6; |
4494 | src.sin6_len = sizeof(src); |
4495 | memcpy(dst: &src.sin6_addr, src: &ip6->ip6_src, n: sizeof(src.sin6_addr)); |
4496 | |
4497 | struct sockaddr_in6 dst = {}; |
4498 | dst.sin6_family = AF_INET6; |
4499 | dst.sin6_len = sizeof(dst); |
4500 | memcpy(dst: &dst.sin6_addr, src: &ip6->ip6_dst, n: sizeof(dst.sin6_addr)); |
4501 | |
4502 | sav = key_alloc_outbound_sav_for_interface(interface, AF_INET6, |
4503 | src: (struct sockaddr *)&src, |
4504 | dst: (struct sockaddr *)&dst); |
4505 | if (sav == NULL) { |
4506 | goto bad; |
4507 | } |
4508 | |
4509 | if (sav->sah && sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) { |
4510 | if ((error = ipsec6_output_tunnel_internal(state, sav, NULL)) != 0) { |
4511 | goto bad; |
4512 | } |
4513 | } else { |
4514 | if ((error = ipsec6_output_trans_internal(state, sav, nexthdrp, mprev)) != 0) { |
4515 | goto bad; |
4516 | } |
4517 | } |
4518 | |
4519 | if (sav) { |
4520 | key_freesav(sav, KEY_SADB_UNLOCKED); |
4521 | } |
4522 | return 0; |
4523 | |
4524 | bad: |
4525 | if (sav) { |
4526 | key_freesav(sav, KEY_SADB_UNLOCKED); |
4527 | } |
4528 | m_freem(state->m); |
4529 | state->m = NULL; |
4530 | return error; |
4531 | } |
4532 | |
4533 | #if INET |
4534 | /* |
4535 | * Chop IP header and option off from the payload. |
4536 | */ |
4537 | struct mbuf * |
4538 | ipsec4_splithdr(struct mbuf *m) |
4539 | { |
4540 | struct mbuf *mh; |
4541 | struct ip *ip; |
4542 | int hlen; |
4543 | |
4544 | if (m->m_len < sizeof(struct ip)) { |
4545 | panic("ipsec4_splithdr: first mbuf too short, m_len %d, pkt_len %d, m_flag %x" , m->m_len, m->m_pkthdr.len, m->m_flags); |
4546 | } |
4547 | ip = mtod(m, struct ip *); |
4548 | #ifdef _IP_VHL |
4549 | hlen = _IP_VHL_HL(ip->ip_vhl) << 2; |
4550 | #else |
4551 | hlen = ip->ip_hl << 2; |
4552 | #endif |
4553 | if (m->m_len > hlen) { |
4554 | MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */ |
4555 | if (!mh) { |
4556 | m_freem(m); |
4557 | return NULL; |
4558 | } |
4559 | M_COPY_PKTHDR(mh, m); |
4560 | MH_ALIGN(mh, hlen); |
4561 | m->m_flags &= ~M_PKTHDR; |
4562 | m_mchtype(m, MT_DATA); |
4563 | m->m_len -= hlen; |
4564 | m->m_data += hlen; |
4565 | mh->m_next = m; |
4566 | m = mh; |
4567 | m->m_len = hlen; |
4568 | bcopy(src: (caddr_t)ip, mtod(m, caddr_t), n: hlen); |
4569 | } else if (m->m_len < hlen) { |
4570 | m = m_pullup(m, hlen); |
4571 | if (!m) { |
4572 | return NULL; |
4573 | } |
4574 | } |
4575 | return m; |
4576 | } |
4577 | #endif |
4578 | |
4579 | struct mbuf * |
4580 | ipsec6_splithdr(struct mbuf *m) |
4581 | { |
4582 | struct mbuf *mh; |
4583 | struct ip6_hdr *ip6; |
4584 | int hlen; |
4585 | |
4586 | if (m->m_len < sizeof(struct ip6_hdr)) { |
4587 | panic("ipsec6_splithdr: first mbuf too short" ); |
4588 | } |
4589 | ip6 = mtod(m, struct ip6_hdr *); |
4590 | hlen = sizeof(struct ip6_hdr); |
4591 | if (m->m_len > hlen) { |
4592 | MGETHDR(mh, M_DONTWAIT, MT_HEADER); /* MAC-OK */ |
4593 | if (!mh) { |
4594 | m_freem(m); |
4595 | return NULL; |
4596 | } |
4597 | M_COPY_PKTHDR(mh, m); |
4598 | MH_ALIGN(mh, hlen); |
4599 | m->m_flags &= ~M_PKTHDR; |
4600 | m_mchtype(m, MT_DATA); |
4601 | m->m_len -= hlen; |
4602 | m->m_data += hlen; |
4603 | mh->m_next = m; |
4604 | m = mh; |
4605 | m->m_len = hlen; |
4606 | bcopy(src: (caddr_t)ip6, mtod(m, caddr_t), n: hlen); |
4607 | } else if (m->m_len < hlen) { |
4608 | m = m_pullup(m, hlen); |
4609 | if (!m) { |
4610 | return NULL; |
4611 | } |
4612 | } |
4613 | return m; |
4614 | } |
4615 | |
4616 | /* validate inbound IPsec tunnel packet. */ |
4617 | int |
4618 | ipsec4_tunnel_validate( |
4619 | struct mbuf *m, /* no pullup permitted, m->m_len >= ip */ |
4620 | int off, |
4621 | u_int nxt0, |
4622 | struct secasvar *sav, |
4623 | sa_family_t *ifamily) |
4624 | { |
4625 | u_int8_t nxt = nxt0 & 0xff; |
4626 | struct sockaddr_in *sin; |
4627 | struct sockaddr_in osrc, odst, i4src, i4dst; |
4628 | struct sockaddr_in6 i6src, i6dst; |
4629 | int hlen; |
4630 | struct secpolicy *sp; |
4631 | struct ip *oip; |
4632 | |
4633 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
4634 | |
4635 | /* do not decapsulate if the SA is for transport mode only */ |
4636 | if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) { |
4637 | return 0; |
4638 | } |
4639 | |
4640 | #if DIAGNOSTIC |
4641 | if (m->m_len < sizeof(struct ip)) { |
4642 | panic("too short mbuf on ipsec4_tunnel_validate" ); |
4643 | } |
4644 | #endif |
4645 | if (nxt != IPPROTO_IPV4 && nxt != IPPROTO_IPV6) { |
4646 | return 0; |
4647 | } |
4648 | if (m->m_pkthdr.len < off + sizeof(struct ip)) { |
4649 | return 0; |
4650 | } |
4651 | |
4652 | oip = mtod(m, struct ip *); |
4653 | #ifdef _IP_VHL |
4654 | hlen = _IP_VHL_HL(oip->ip_vhl) << 2; |
4655 | #else |
4656 | hlen = oip->ip_hl << 2; |
4657 | #endif |
4658 | if (hlen != sizeof(struct ip)) { |
4659 | return 0; |
4660 | } |
4661 | |
4662 | sin = (struct sockaddr_in *)&sav->sah->saidx.dst; |
4663 | if (sin->sin_family != AF_INET) { |
4664 | return 0; |
4665 | } |
4666 | if (bcmp(s1: &oip->ip_dst, s2: &sin->sin_addr, n: sizeof(oip->ip_dst)) != 0) { |
4667 | return 0; |
4668 | } |
4669 | |
4670 | if (sav->sah->ipsec_if != NULL) { |
4671 | // the ipsec interface SAs don't have a policies. |
4672 | if (nxt == IPPROTO_IPV4) { |
4673 | *ifamily = AF_INET; |
4674 | } else if (nxt == IPPROTO_IPV6) { |
4675 | *ifamily = AF_INET6; |
4676 | } else { |
4677 | return 0; |
4678 | } |
4679 | return 1; |
4680 | } |
4681 | |
4682 | /* XXX slow */ |
4683 | bzero(s: &osrc, n: sizeof(osrc)); |
4684 | bzero(s: &odst, n: sizeof(odst)); |
4685 | osrc.sin_family = odst.sin_family = AF_INET; |
4686 | osrc.sin_len = odst.sin_len = sizeof(struct sockaddr_in); |
4687 | osrc.sin_addr = oip->ip_src; |
4688 | odst.sin_addr = oip->ip_dst; |
4689 | /* |
4690 | * RFC2401 5.2.1 (b): (assume that we are using tunnel mode) |
4691 | * - if the inner destination is multicast address, there can be |
4692 | * multiple permissible inner source address. implementation |
4693 | * may want to skip verification of inner source address against |
4694 | * SPD selector. |
4695 | * - if the inner protocol is ICMP, the packet may be an error report |
4696 | * from routers on the other side of the VPN cloud (R in the |
4697 | * following diagram). in this case, we cannot verify inner source |
4698 | * address against SPD selector. |
4699 | * me -- gw === gw -- R -- you |
4700 | * |
4701 | * we consider the first bullet to be users responsibility on SPD entry |
4702 | * configuration (if you need to encrypt multicast traffic, set |
4703 | * the source range of SPD selector to 0.0.0.0/0, or have explicit |
4704 | * address ranges for possible senders). |
4705 | * the second bullet is not taken care of (yet). |
4706 | * |
4707 | * therefore, we do not do anything special about inner source. |
4708 | */ |
4709 | if (nxt == IPPROTO_IPV4) { |
4710 | bzero(s: &i4src, n: sizeof(struct sockaddr_in)); |
4711 | bzero(s: &i4dst, n: sizeof(struct sockaddr_in)); |
4712 | i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET; |
4713 | i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in); |
4714 | m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr), |
4715 | (caddr_t)&i4src.sin_addr); |
4716 | m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr), |
4717 | (caddr_t)&i4dst.sin_addr); |
4718 | sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, |
4719 | (struct sockaddr *)&i4src, (struct sockaddr *)&i4dst); |
4720 | } else if (nxt == IPPROTO_IPV6) { |
4721 | bzero(s: &i6src, n: sizeof(struct sockaddr_in6)); |
4722 | bzero(s: &i6dst, n: sizeof(struct sockaddr_in6)); |
4723 | i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6; |
4724 | i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6); |
4725 | m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr), |
4726 | (caddr_t)&i6src.sin6_addr); |
4727 | m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr), |
4728 | (caddr_t)&i6dst.sin6_addr); |
4729 | sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, |
4730 | (struct sockaddr *)&i6src, (struct sockaddr *)&i6dst); |
4731 | } else { |
4732 | return 0; /* unsupported family */ |
4733 | } |
4734 | if (!sp) { |
4735 | return 0; |
4736 | } |
4737 | |
4738 | key_freesp(sp, KEY_SADB_UNLOCKED); |
4739 | |
4740 | return 1; |
4741 | } |
4742 | |
4743 | /* validate inbound IPsec tunnel packet. */ |
4744 | int |
4745 | ipsec6_tunnel_validate( |
4746 | struct mbuf *m, /* no pullup permitted, m->m_len >= ip */ |
4747 | int off, |
4748 | u_int nxt0, |
4749 | struct secasvar *sav, |
4750 | sa_family_t *ifamily) |
4751 | { |
4752 | u_int8_t nxt = nxt0 & 0xff; |
4753 | struct sockaddr_in6 *sin6; |
4754 | struct sockaddr_in i4src, i4dst; |
4755 | struct sockaddr_in6 osrc, odst, i6src, i6dst; |
4756 | struct secpolicy *sp; |
4757 | struct ip6_hdr *oip6; |
4758 | |
4759 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
4760 | |
4761 | /* do not decapsulate if the SA is for transport mode only */ |
4762 | if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT) { |
4763 | return 0; |
4764 | } |
4765 | |
4766 | #if DIAGNOSTIC |
4767 | if (m->m_len < sizeof(struct ip6_hdr)) { |
4768 | panic("too short mbuf on ipsec6_tunnel_validate" ); |
4769 | } |
4770 | #endif |
4771 | if (nxt == IPPROTO_IPV4) { |
4772 | if (m->m_pkthdr.len < off + sizeof(struct ip)) { |
4773 | ipseclog((LOG_NOTICE, "ipsec6_tunnel_validate pkthdr %d off %d ip6hdr %zu" , m->m_pkthdr.len, off, sizeof(struct ip6_hdr))); |
4774 | return 0; |
4775 | } |
4776 | } else if (nxt == IPPROTO_IPV6) { |
4777 | if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr)) { |
4778 | ipseclog((LOG_NOTICE, "ipsec6_tunnel_validate pkthdr %d off %d ip6hdr %zu" , m->m_pkthdr.len, off, sizeof(struct ip6_hdr))); |
4779 | return 0; |
4780 | } |
4781 | } else { |
4782 | ipseclog((LOG_NOTICE, "ipsec6_tunnel_validate invalid nxt(%u) protocol" , nxt)); |
4783 | return 0; |
4784 | } |
4785 | |
4786 | oip6 = mtod(m, struct ip6_hdr *); |
4787 | /* AF_INET should be supported, but at this moment we don't. */ |
4788 | sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst; |
4789 | if (sin6->sin6_family != AF_INET6) { |
4790 | return 0; |
4791 | } |
4792 | |
4793 | struct in6_addr tmp_sah_dst_addr = {}; |
4794 | struct in6_addr *sah_dst_addr = &((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr; |
4795 | if (in6_embedded_scope && IN6_IS_SCOPE_LINKLOCAL(sah_dst_addr)) { |
4796 | memcpy(dst: &tmp_sah_dst_addr, src: sah_dst_addr, n: sizeof(tmp_sah_dst_addr)); |
4797 | tmp_sah_dst_addr.s6_addr16[1] = htons((u_int16_t)sav->sah->outgoing_if); |
4798 | sah_dst_addr = &tmp_sah_dst_addr; |
4799 | } |
4800 | if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, sah_dst_addr)) { |
4801 | return 0; |
4802 | } |
4803 | |
4804 | if (sav->sah->ipsec_if != NULL) { |
4805 | // the ipsec interface SAs don't have a policies. |
4806 | if (nxt == IPPROTO_IPV4) { |
4807 | *ifamily = AF_INET; |
4808 | } else if (nxt == IPPROTO_IPV6) { |
4809 | *ifamily = AF_INET6; |
4810 | } else { |
4811 | return 0; |
4812 | } |
4813 | return 1; |
4814 | } |
4815 | |
4816 | /* XXX slow */ |
4817 | bzero(s: &osrc, n: sizeof(osrc)); |
4818 | bzero(s: &odst, n: sizeof(odst)); |
4819 | osrc.sin6_family = odst.sin6_family = AF_INET6; |
4820 | osrc.sin6_len = odst.sin6_len = sizeof(struct sockaddr_in6); |
4821 | osrc.sin6_addr = oip6->ip6_src; |
4822 | odst.sin6_addr = oip6->ip6_dst; |
4823 | |
4824 | /* |
4825 | * regarding to inner source address validation, see a long comment |
4826 | * in ipsec4_tunnel_validate. |
4827 | */ |
4828 | |
4829 | if (nxt == IPPROTO_IPV4) { |
4830 | bzero(s: &i4src, n: sizeof(struct sockaddr_in)); |
4831 | bzero(s: &i4dst, n: sizeof(struct sockaddr_in)); |
4832 | i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET; |
4833 | i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in); |
4834 | m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr), |
4835 | (caddr_t)&i4src.sin_addr); |
4836 | m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr), |
4837 | (caddr_t)&i4dst.sin_addr); |
4838 | sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, |
4839 | (struct sockaddr *)&i4src, (struct sockaddr *)&i4dst); |
4840 | } else if (nxt == IPPROTO_IPV6) { |
4841 | bzero(s: &i6src, n: sizeof(struct sockaddr_in6)); |
4842 | bzero(s: &i6dst, n: sizeof(struct sockaddr_in6)); |
4843 | i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6; |
4844 | i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6); |
4845 | m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr), |
4846 | (caddr_t)&i6src.sin6_addr); |
4847 | m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr), |
4848 | (caddr_t)&i6dst.sin6_addr); |
4849 | sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst, |
4850 | (struct sockaddr *)&i6src, (struct sockaddr *)&i6dst); |
4851 | } else { |
4852 | return 0; /* unsupported family */ |
4853 | } |
4854 | /* |
4855 | * when there is no suitable inbound policy for the packet of the ipsec |
4856 | * tunnel mode, the kernel never decapsulate the tunneled packet |
4857 | * as the ipsec tunnel mode even when the system wide policy is "none". |
4858 | * then the kernel leaves the generic tunnel module to process this |
4859 | * packet. if there is no rule of the generic tunnel, the packet |
4860 | * is rejected and the statistics will be counted up. |
4861 | */ |
4862 | if (!sp) { |
4863 | return 0; |
4864 | } |
4865 | key_freesp(sp, KEY_SADB_UNLOCKED); |
4866 | |
4867 | return 1; |
4868 | } |
4869 | |
4870 | /* |
4871 | * Make a mbuf chain for encryption. |
4872 | * If the original mbuf chain contains a mbuf with a cluster, |
4873 | * allocate a new cluster and copy the data to the new cluster. |
4874 | * XXX: this hack is inefficient, but is necessary to handle cases |
4875 | * of TCP retransmission... |
4876 | */ |
4877 | struct mbuf * |
4878 | ipsec_copypkt(struct mbuf *m) |
4879 | { |
4880 | struct mbuf *n, **mpp, *mnew; |
4881 | |
4882 | for (n = m, mpp = &m; n; n = n->m_next) { |
4883 | if (n->m_flags & M_EXT) { |
4884 | /* |
4885 | * Make a copy only if there are more than one references |
4886 | * to the cluster. |
4887 | * XXX: is this approach effective? |
4888 | */ |
4889 | if ( |
4890 | m_get_ext_free(n) != NULL || |
4891 | m_mclhasreference(n) |
4892 | ) { |
4893 | int remain, copied; |
4894 | struct mbuf *mm; |
4895 | |
4896 | if (n->m_flags & M_PKTHDR) { |
4897 | MGETHDR(mnew, M_DONTWAIT, MT_HEADER); /* MAC-OK */ |
4898 | if (mnew == NULL) { |
4899 | goto fail; |
4900 | } |
4901 | M_COPY_PKTHDR(mnew, n); |
4902 | } else { |
4903 | MGET(mnew, M_DONTWAIT, MT_DATA); |
4904 | if (mnew == NULL) { |
4905 | goto fail; |
4906 | } |
4907 | } |
4908 | mnew->m_len = 0; |
4909 | mm = mnew; |
4910 | |
4911 | /* |
4912 | * Copy data. If we don't have enough space to |
4913 | * store the whole data, allocate a cluster |
4914 | * or additional mbufs. |
4915 | * XXX: we don't use m_copyback(), since the |
4916 | * function does not use clusters and thus is |
4917 | * inefficient. |
4918 | */ |
4919 | remain = n->m_len; |
4920 | copied = 0; |
4921 | while (1) { |
4922 | int len; |
4923 | struct mbuf *mn; |
4924 | |
4925 | if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN)) { |
4926 | len = remain; |
4927 | } else { /* allocate a cluster */ |
4928 | MCLGET(mm, M_DONTWAIT); |
4929 | if (!(mm->m_flags & M_EXT)) { |
4930 | m_free(mm); |
4931 | goto fail; |
4932 | } |
4933 | len = remain < MCLBYTES ? |
4934 | remain : MCLBYTES; |
4935 | } |
4936 | |
4937 | bcopy(src: m_mtod_current(m: n) + copied, dst: m_mtod_current(m: mm), n: len); |
4938 | |
4939 | copied += len; |
4940 | remain -= len; |
4941 | mm->m_len = len; |
4942 | |
4943 | if (remain <= 0) { /* completed? */ |
4944 | break; |
4945 | } |
4946 | |
4947 | /* need another mbuf */ |
4948 | MGETHDR(mn, M_DONTWAIT, MT_HEADER); /* XXXMAC: tags copied next time in loop? */ |
4949 | if (mn == NULL) { |
4950 | goto fail; |
4951 | } |
4952 | mn->m_pkthdr.rcvif = NULL; |
4953 | mm->m_next = mn; |
4954 | mm = mn; |
4955 | } |
4956 | |
4957 | /* adjust chain */ |
4958 | mm->m_next = m_free(n); |
4959 | n = mm; |
4960 | *mpp = mnew; |
4961 | mpp = &n->m_next; |
4962 | |
4963 | continue; |
4964 | } |
4965 | } |
4966 | *mpp = n; |
4967 | mpp = &n->m_next; |
4968 | } |
4969 | |
4970 | return m; |
4971 | fail: |
4972 | m_freem(m); |
4973 | return NULL; |
4974 | } |
4975 | |
4976 | /* Used to avoid processing the packet over again */ |
4977 | #define IPSEC_HISTORY_MAX 8 |
4978 | |
4979 | struct ipsec_tag { |
4980 | struct socket *socket; |
4981 | u_int32_t history_count; |
4982 | }; |
4983 | |
4984 | static struct ipsec_tag * |
4985 | ipsec_addaux( |
4986 | struct mbuf *m) |
4987 | { |
4988 | struct m_tag *tag; |
4989 | |
4990 | /* Check if the tag already exists */ |
4991 | tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC); |
4992 | |
4993 | if (tag == NULL) { |
4994 | struct ipsec_tag *itag; |
4995 | |
4996 | /* Allocate a tag */ |
4997 | tag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, |
4998 | sizeof(struct ipsec_tag), M_DONTWAIT, m); |
4999 | |
5000 | if (tag) { |
5001 | itag = (struct ipsec_tag*)(tag->m_tag_data); |
5002 | itag->socket = 0; |
5003 | itag->history_count = 0; |
5004 | |
5005 | m_tag_prepend(m, tag); |
5006 | } |
5007 | } |
5008 | |
5009 | return tag ? (struct ipsec_tag*)(tag->m_tag_data) : NULL; |
5010 | } |
5011 | |
5012 | static struct ipsec_tag * |
5013 | ipsec_findaux( |
5014 | struct mbuf *m) |
5015 | { |
5016 | struct m_tag *tag; |
5017 | |
5018 | tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC); |
5019 | |
5020 | return tag != NULL ? (struct ipsec_tag*)(tag->m_tag_data) : NULL; |
5021 | } |
5022 | |
5023 | void |
5024 | ipsec_delaux( |
5025 | struct mbuf *m) |
5026 | { |
5027 | struct m_tag *tag; |
5028 | |
5029 | tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC); |
5030 | |
5031 | if (tag != NULL) { |
5032 | m_tag_delete(m, tag); |
5033 | } |
5034 | } |
5035 | |
5036 | /* if the aux buffer is unnecessary, nuke it. */ |
5037 | static void |
5038 | ipsec_optaux( |
5039 | struct mbuf *m, |
5040 | struct ipsec_tag *itag) |
5041 | { |
5042 | if (itag != NULL && itag->socket == NULL && itag->history_count == 0) { |
5043 | ipsec_delaux(m); |
5044 | } |
5045 | } |
5046 | |
5047 | int |
5048 | ipsec_setsocket(struct mbuf *m, struct socket *so) |
5049 | { |
5050 | struct ipsec_tag *tag; |
5051 | |
5052 | /* if so == NULL, don't insist on getting the aux mbuf */ |
5053 | if (so != NULL) { |
5054 | tag = ipsec_addaux(m); |
5055 | if (!tag) { |
5056 | return ENOBUFS; |
5057 | } |
5058 | } else { |
5059 | tag = ipsec_findaux(m); |
5060 | } |
5061 | if (tag != NULL) { |
5062 | tag->socket = so; |
5063 | ipsec_optaux(m, itag: tag); |
5064 | } |
5065 | return 0; |
5066 | } |
5067 | |
5068 | struct socket * |
5069 | ipsec_getsocket(struct mbuf *m) |
5070 | { |
5071 | struct ipsec_tag *itag; |
5072 | |
5073 | itag = ipsec_findaux(m); |
5074 | if (itag) { |
5075 | return itag->socket; |
5076 | } else { |
5077 | return NULL; |
5078 | } |
5079 | } |
5080 | |
5081 | int |
5082 | ipsec_incr_history_count( |
5083 | struct mbuf *m, |
5084 | __unused int proto, |
5085 | __unused u_int32_t spi) |
5086 | { |
5087 | struct ipsec_tag *itag; |
5088 | |
5089 | itag = ipsec_addaux(m); |
5090 | if (itag == NULL) { |
5091 | return ENOBUFS; |
5092 | } |
5093 | if (itag->history_count == IPSEC_HISTORY_MAX) { |
5094 | return ENOSPC; /* XXX */ |
5095 | } |
5096 | itag->history_count++; |
5097 | |
5098 | return 0; |
5099 | } |
5100 | |
5101 | u_int32_t |
5102 | ipsec_get_history_count( |
5103 | struct mbuf *m) |
5104 | { |
5105 | struct ipsec_tag *itag; |
5106 | |
5107 | itag = ipsec_findaux(m); |
5108 | if (itag == NULL) { |
5109 | return 0; |
5110 | } |
5111 | return itag->history_count; |
5112 | } |
5113 | |
5114 | struct ipsec_tag_container { |
5115 | struct m_tag ipsec_m_tag; |
5116 | struct ipsec_tag ipsec_tag; |
5117 | }; |
5118 | |
5119 | static struct m_tag * |
5120 | m_tag_kalloc_ipsec(u_int32_t id, u_int16_t type, uint16_t len, int wait) |
5121 | { |
5122 | struct ipsec_tag_container *tag_container; |
5123 | struct m_tag *tag = NULL; |
5124 | |
5125 | assert3u(id, ==, KERNEL_MODULE_TAG_ID); |
5126 | assert3u(type, ==, KERNEL_TAG_TYPE_IPSEC); |
5127 | assert3u(len, ==, sizeof(struct ipsec_tag)); |
5128 | |
5129 | if (len != sizeof(struct ipsec_tag)) { |
5130 | return NULL; |
5131 | } |
5132 | |
5133 | tag_container = kalloc_type(struct ipsec_tag_container, wait | M_ZERO); |
5134 | if (tag_container != NULL) { |
5135 | tag = &tag_container->ipsec_m_tag; |
5136 | |
5137 | assert3p(tag, ==, tag_container); |
5138 | |
5139 | M_TAG_INIT(tag, id, type, len, &tag_container->ipsec_tag, NULL); |
5140 | } |
5141 | |
5142 | return tag; |
5143 | } |
5144 | |
5145 | static void |
5146 | m_tag_kfree_ipsec(struct m_tag *tag) |
5147 | { |
5148 | struct ipsec_tag_container *tag_container = (struct ipsec_tag_container *)tag; |
5149 | |
5150 | assert3u(tag->m_tag_len, ==, sizeof(struct ipsec_tag)); |
5151 | |
5152 | kfree_type(struct ipsec_tag_container, tag_container); |
5153 | } |
5154 | |
5155 | void |
5156 | ipsec_register_m_tag(void) |
5157 | { |
5158 | int error; |
5159 | |
5160 | error = m_register_internal_tag_type(type: KERNEL_TAG_TYPE_IPSEC, len: sizeof(struct ipsec_tag), |
5161 | alloc_func: m_tag_kalloc_ipsec, free_func: m_tag_kfree_ipsec); |
5162 | |
5163 | assert3u(error, ==, 0); |
5164 | } |
5165 | |
5166 | __private_extern__ boolean_t |
5167 | ipsec_send_natt_keepalive( |
5168 | struct secasvar *sav) |
5169 | { |
5170 | struct mbuf *m = NULL; |
5171 | int error = 0; |
5172 | int keepalive_interval = natt_keepalive_interval; |
5173 | |
5174 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED); |
5175 | lck_mtx_lock(sadb_mutex); |
5176 | |
5177 | if (((esp_udp_encap_port & 0xFFFF) == 0 && sav->natt_encapsulated_src_port == 0) || sav->remote_ike_port == 0) { |
5178 | lck_mtx_unlock(sadb_mutex); |
5179 | return FALSE; |
5180 | } |
5181 | |
5182 | if (sav->natt_interval != 0) { |
5183 | keepalive_interval = (int)sav->natt_interval; |
5184 | } |
5185 | |
5186 | // natt timestamp may have changed... reverify |
5187 | if ((natt_now - sav->natt_last_activity) < keepalive_interval) { |
5188 | lck_mtx_unlock(sadb_mutex); |
5189 | return FALSE; |
5190 | } |
5191 | |
5192 | if (sav->flags & SADB_X_EXT_ESP_KEEPALIVE) { |
5193 | lck_mtx_unlock(sadb_mutex); |
5194 | return FALSE; // don't send these from the kernel |
5195 | } |
5196 | |
5197 | lck_mtx_unlock(sadb_mutex); |
5198 | |
5199 | m = m_gethdr(M_NOWAIT, MT_DATA); |
5200 | if (m == NULL) { |
5201 | return FALSE; |
5202 | } |
5203 | |
5204 | lck_mtx_lock(sadb_mutex); |
5205 | if (sav->sah->saidx.dst.ss_family == AF_INET) { |
5206 | struct ip_out_args ipoa = {}; |
5207 | struct route ro = {}; |
5208 | |
5209 | ipoa.ipoa_boundif = IFSCOPE_NONE; |
5210 | ipoa.ipoa_flags = IPOAF_SELECT_SRCIF; |
5211 | ipoa.ipoa_sotc = SO_TC_UNSPEC; |
5212 | ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC; |
5213 | |
5214 | struct ip *ip = (__typeof__(ip))m_mtod(m); |
5215 | |
5216 | /* |
5217 | * Type 2: a UDP packet complete with IP header. |
5218 | * We must do this because UDP output requires |
5219 | * an inpcb which we don't have. UDP packet |
5220 | * contains one byte payload. The byte is set |
5221 | * to 0xFF. |
5222 | */ |
5223 | struct udphdr *uh = (__typeof__(uh))(void *)((char *)m_mtod(m) + sizeof(*ip)); |
5224 | m->m_len = sizeof(struct udpiphdr) + 1; |
5225 | bzero(s: m_mtod(m), n: m->m_len); |
5226 | m->m_pkthdr.len = m->m_len; |
5227 | |
5228 | ip->ip_len = (u_short)m->m_len; |
5229 | ip->ip_ttl = (u_char)ip_defttl; |
5230 | ip->ip_p = IPPROTO_UDP; |
5231 | if (sav->sah->dir != IPSEC_DIR_INBOUND) { |
5232 | ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; |
5233 | ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; |
5234 | } else { |
5235 | ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; |
5236 | ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; |
5237 | } |
5238 | if (sav->natt_encapsulated_src_port != 0) { |
5239 | uh->uh_sport = (u_short)sav->natt_encapsulated_src_port; |
5240 | } else { |
5241 | uh->uh_sport = htons((u_short)esp_udp_encap_port); |
5242 | } |
5243 | uh->uh_sport = htons((u_short)esp_udp_encap_port); |
5244 | uh->uh_dport = htons(sav->remote_ike_port); |
5245 | uh->uh_ulen = htons(1 + sizeof(*uh)); |
5246 | uh->uh_sum = 0; |
5247 | *(u_int8_t*)((char*)m_mtod(m) + sizeof(*ip) + sizeof(*uh)) = 0xFF; |
5248 | |
5249 | if (ROUTE_UNUSABLE(&sav->sah->sa_route) || |
5250 | rt_key(sav->sah->sa_route.ro_rt)->sa_family != AF_INET) { |
5251 | ROUTE_RELEASE(&sav->sah->sa_route); |
5252 | } |
5253 | |
5254 | route_copyout(&ro, (struct route *)&sav->sah->sa_route, sizeof(struct route)); |
5255 | lck_mtx_unlock(sadb_mutex); |
5256 | |
5257 | necp_mark_packet_as_keepalive(packet: m, TRUE); |
5258 | error = ip_output(m, NULL, &ro, IP_OUTARGS | IP_NOIPSEC, NULL, &ipoa); |
5259 | |
5260 | lck_mtx_lock(sadb_mutex); |
5261 | route_copyin(&ro, (struct route *)&sav->sah->sa_route, sizeof(struct route)); |
5262 | } else if (sav->sah->saidx.dst.ss_family == AF_INET6) { |
5263 | struct ip6_out_args ip6oa = {}; |
5264 | struct route_in6 ro6 = {}; |
5265 | |
5266 | ip6oa.ip6oa_flowadv.code = 0; |
5267 | ip6oa.ip6oa_flags = IP6OAF_SELECT_SRCIF | IP6OAF_BOUND_SRCADDR; |
5268 | if (sav->sah->outgoing_if) { |
5269 | ip6oa.ip6oa_boundif = sav->sah->outgoing_if; |
5270 | ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF; |
5271 | } |
5272 | |
5273 | struct ip6_hdr *ip6 = (__typeof__(ip6))m_mtod(m); |
5274 | |
5275 | /* |
5276 | * Type 2: a UDP packet complete with IPv6 header. |
5277 | * We must do this because UDP output requires |
5278 | * an inpcb which we don't have. UDP packet |
5279 | * contains one byte payload. The byte is set |
5280 | * to 0xFF. |
5281 | */ |
5282 | struct udphdr *uh = (__typeof__(uh))(void *)((char *)m_mtod(m) + sizeof(*ip6)); |
5283 | m->m_len = sizeof(struct udphdr) + sizeof(struct ip6_hdr) + 1; |
5284 | bzero(s: m_mtod(m), n: m->m_len); |
5285 | m->m_pkthdr.len = m->m_len; |
5286 | |
5287 | ip6->ip6_flow = 0; |
5288 | ip6->ip6_vfc &= ~IPV6_VERSION_MASK; |
5289 | ip6->ip6_vfc |= IPV6_VERSION; |
5290 | ip6->ip6_nxt = IPPROTO_UDP; |
5291 | ip6->ip6_hlim = (u_int8_t)ip6_defhlim; |
5292 | ip6->ip6_plen = htons(sizeof(struct udphdr) + 1); |
5293 | if (sav->sah->dir != IPSEC_DIR_INBOUND) { |
5294 | ip6->ip6_src = ((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr; |
5295 | ip6->ip6_dst = ((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr; |
5296 | ip6_output_setsrcifscope(m, ((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_scope_id, NULL); |
5297 | ip6_output_setdstifscope(m, ((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_scope_id, NULL); |
5298 | } else { |
5299 | ip6->ip6_src = ((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr; |
5300 | ip6->ip6_dst = ((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr; |
5301 | ip6_output_setdstifscope(m, ((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_scope_id, NULL); |
5302 | ip6_output_setsrcifscope(m, ((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_scope_id, NULL); |
5303 | } |
5304 | |
5305 | if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) { |
5306 | ip6->ip6_src.s6_addr16[1] = 0; |
5307 | } |
5308 | if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) { |
5309 | ip6->ip6_dst.s6_addr16[1] = 0; |
5310 | } |
5311 | |
5312 | if (sav->natt_encapsulated_src_port != 0) { |
5313 | uh->uh_sport = (u_short)sav->natt_encapsulated_src_port; |
5314 | } else { |
5315 | uh->uh_sport = htons((u_short)esp_udp_encap_port); |
5316 | } |
5317 | uh->uh_dport = htons(sav->remote_ike_port); |
5318 | uh->uh_ulen = htons(1 + sizeof(*uh)); |
5319 | *(u_int8_t*)((char*)m_mtod(m) + sizeof(*ip6) + sizeof(*uh)) = 0xFF; |
5320 | uh->uh_sum = in6_pseudo(&ip6->ip6_src, &ip6->ip6_dst, htonl(ntohs(uh->uh_ulen) + IPPROTO_UDP)); |
5321 | m->m_pkthdr.csum_flags = (CSUM_UDPIPV6 | CSUM_ZERO_INVERT); |
5322 | m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum); |
5323 | |
5324 | if (ROUTE_UNUSABLE(&sav->sah->sa_route) || |
5325 | rt_key(sav->sah->sa_route.ro_rt)->sa_family != AF_INET6) { |
5326 | ROUTE_RELEASE(&sav->sah->sa_route); |
5327 | } |
5328 | |
5329 | route_copyout((struct route *)&ro6, (struct route *)&sav->sah->sa_route, sizeof(struct route_in6)); |
5330 | lck_mtx_unlock(sadb_mutex); |
5331 | |
5332 | necp_mark_packet_as_keepalive(packet: m, TRUE); |
5333 | error = ip6_output(m, NULL, &ro6, IPV6_OUTARGS, NULL, NULL, &ip6oa); |
5334 | |
5335 | lck_mtx_lock(sadb_mutex); |
5336 | route_copyin((struct route *)&ro6, (struct route *)&sav->sah->sa_route, sizeof(struct route_in6)); |
5337 | } else { |
5338 | ipseclog((LOG_ERR, "nat keepalive: invalid address family %u\n" , sav->sah->saidx.dst.ss_family)); |
5339 | lck_mtx_unlock(sadb_mutex); |
5340 | m_freem(m); |
5341 | return FALSE; |
5342 | } |
5343 | |
5344 | if (error == 0) { |
5345 | sav->natt_last_activity = natt_now; |
5346 | lck_mtx_unlock(sadb_mutex); |
5347 | return TRUE; |
5348 | } |
5349 | |
5350 | lck_mtx_unlock(sadb_mutex); |
5351 | return FALSE; |
5352 | } |
5353 | |
5354 | __private_extern__ bool |
5355 | ipsec_fill_offload_frame(ifnet_t ifp, |
5356 | struct secasvar *sav, |
5357 | struct ifnet_keepalive_offload_frame *frame, |
5358 | size_t frame_data_offset) |
5359 | { |
5360 | u_int8_t *data = NULL; |
5361 | struct ip *ip = NULL; |
5362 | struct udphdr *uh = NULL; |
5363 | |
5364 | if (sav == NULL || sav->sah == NULL || frame == NULL || |
5365 | (ifp != NULL && ifp->if_index != sav->sah->outgoing_if) || |
5366 | sav->sah->saidx.dst.ss_family != AF_INET || |
5367 | !(sav->flags & SADB_X_EXT_NATT) || |
5368 | !(sav->flags & SADB_X_EXT_NATT_KEEPALIVE) || |
5369 | !(sav->flags & SADB_X_EXT_NATT_KEEPALIVE_OFFLOAD) || |
5370 | sav->flags & SADB_X_EXT_ESP_KEEPALIVE || |
5371 | ((esp_udp_encap_port & 0xFFFF) == 0 && sav->natt_encapsulated_src_port == 0) || |
5372 | sav->remote_ike_port == 0 || |
5373 | (natt_keepalive_interval == 0 && sav->natt_interval == 0 && sav->natt_offload_interval == 0)) { |
5374 | /* SA is not eligible for keepalive offload on this interface */ |
5375 | return FALSE; |
5376 | } |
5377 | |
5378 | if (frame_data_offset + sizeof(struct udpiphdr) + 1 > |
5379 | IFNET_KEEPALIVE_OFFLOAD_FRAME_DATA_SIZE) { |
5380 | /* Not enough room in this data frame */ |
5381 | return FALSE; |
5382 | } |
5383 | |
5384 | data = frame->data; |
5385 | ip = (__typeof__(ip))(void *)(data + frame_data_offset); |
5386 | uh = (__typeof__(uh))(void *)(data + frame_data_offset + sizeof(*ip)); |
5387 | |
5388 | frame->length = (u_int8_t)(frame_data_offset + sizeof(struct udpiphdr) + 1); |
5389 | frame->type = IFNET_KEEPALIVE_OFFLOAD_FRAME_IPSEC; |
5390 | frame->ether_type = IFNET_KEEPALIVE_OFFLOAD_FRAME_ETHERTYPE_IPV4; |
5391 | |
5392 | bzero(s: data, IFNET_KEEPALIVE_OFFLOAD_FRAME_DATA_SIZE); |
5393 | |
5394 | ip->ip_v = IPVERSION; |
5395 | ip->ip_hl = sizeof(struct ip) >> 2; |
5396 | ip->ip_off &= htons(~IP_OFFMASK); |
5397 | ip->ip_off &= htons(~IP_MF); |
5398 | switch (ip4_ipsec_dfbit) { |
5399 | case 0: /* clear DF bit */ |
5400 | ip->ip_off &= htons(~IP_DF); |
5401 | break; |
5402 | case 1: /* set DF bit */ |
5403 | ip->ip_off |= htons(IP_DF); |
5404 | break; |
5405 | default: /* copy DF bit */ |
5406 | break; |
5407 | } |
5408 | ip->ip_len = htons(sizeof(struct udpiphdr) + 1); |
5409 | if (rfc6864 && IP_OFF_IS_ATOMIC(htons(ip->ip_off))) { |
5410 | ip->ip_id = 0; |
5411 | } else { |
5412 | ip->ip_id = ip_randomid((uint64_t)data); |
5413 | } |
5414 | ip->ip_ttl = (u_char)ip_defttl; |
5415 | ip->ip_p = IPPROTO_UDP; |
5416 | ip->ip_sum = 0; |
5417 | if (sav->sah->dir != IPSEC_DIR_INBOUND) { |
5418 | ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; |
5419 | ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; |
5420 | } else { |
5421 | ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr; |
5422 | ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr; |
5423 | } |
5424 | ip->ip_sum = in_cksum_hdr_opt(ip); |
5425 | /* Fill out the UDP header */ |
5426 | if (sav->natt_encapsulated_src_port != 0) { |
5427 | uh->uh_sport = (u_short)sav->natt_encapsulated_src_port; |
5428 | } else { |
5429 | uh->uh_sport = htons((u_short)esp_udp_encap_port); |
5430 | } |
5431 | uh->uh_dport = htons(sav->remote_ike_port); |
5432 | uh->uh_ulen = htons(1 + sizeof(*uh)); |
5433 | uh->uh_sum = 0; |
5434 | *(u_int8_t*)(data + frame_data_offset + sizeof(*ip) + sizeof(*uh)) = 0xFF; |
5435 | |
5436 | if (sav->natt_offload_interval != 0) { |
5437 | frame->interval = sav->natt_offload_interval; |
5438 | } else if (sav->natt_interval != 0) { |
5439 | frame->interval = sav->natt_interval; |
5440 | } else { |
5441 | frame->interval = (u_int16_t)natt_keepalive_interval; |
5442 | } |
5443 | return TRUE; |
5444 | } |
5445 | |
5446 | static void |
5447 | ipsec_get_local_ports(void) |
5448 | { |
5449 | errno_t error; |
5450 | ifnet_t *ifp_list; |
5451 | uint32_t count, i; |
5452 | static uint8_t port_bitmap[bitstr_size(IP_PORTRANGE_SIZE)]; |
5453 | |
5454 | error = ifnet_list_get_all(family: IFNET_FAMILY_IPSEC, interfaces: &ifp_list, count: &count); |
5455 | if (error != 0) { |
5456 | os_log_error(OS_LOG_DEFAULT, "%s: ifnet_list_get_all() failed %d" , |
5457 | __func__, error); |
5458 | return; |
5459 | } |
5460 | for (i = 0; i < count; i++) { |
5461 | ifnet_t ifp = ifp_list[i]; |
5462 | |
5463 | /* |
5464 | * Get all the TCP and UDP ports for IPv4 and IPv6 |
5465 | */ |
5466 | error = ifnet_get_local_ports_extended(ifp, PF_UNSPEC, |
5467 | IFNET_GET_LOCAL_PORTS_WILDCARDOK | |
5468 | IFNET_GET_LOCAL_PORTS_NOWAKEUPOK | |
5469 | IFNET_GET_LOCAL_PORTS_ANYTCPSTATEOK, |
5470 | bitfield: port_bitmap); |
5471 | if (error != 0) { |
5472 | os_log_error(OS_LOG_DEFAULT, "%s: ifnet_get_local_ports_extended(%s) failed %d" , |
5473 | __func__, if_name(ifp), error); |
5474 | } |
5475 | } |
5476 | ifnet_list_free(interfaces: ifp_list); |
5477 | } |
5478 | |
5479 | static IOReturn |
5480 | ipsec_sleep_wake_handler(void *target, void *refCon, UInt32 messageType, |
5481 | void *provider, void *messageArgument, vm_size_t argSize) |
5482 | { |
5483 | #pragma unused(target, refCon, provider, messageArgument, argSize) |
5484 | switch (messageType) { |
5485 | case kIOMessageSystemWillSleep: |
5486 | { |
5487 | ipsec_get_local_ports(); |
5488 | break; |
5489 | } |
5490 | default: |
5491 | break; |
5492 | } |
5493 | |
5494 | return IOPMAckImplied; |
5495 | } |
5496 | |
5497 | void |
5498 | ipsec_monitor_sleep_wake(void) |
5499 | { |
5500 | LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_OWNED); |
5501 | |
5502 | if (sleep_wake_handle == NULL) { |
5503 | sleep_wake_handle = registerSleepWakeInterest(ipsec_sleep_wake_handler, |
5504 | NULL, NULL); |
5505 | if (sleep_wake_handle != NULL) { |
5506 | ipseclog((LOG_INFO, |
5507 | "ipsec: monitoring sleep wake" )); |
5508 | } |
5509 | } |
5510 | } |
5511 | |
5512 | void |
5513 | ipsec_init(void) |
5514 | { |
5515 | ipsec_register_control(); |
5516 | } |
5517 | |