xform_ipcomp.c revision 1.4.4.2
1 1.4.4.2 skrll /* $NetBSD: xform_ipcomp.c,v 1.4.4.2 2004/08/03 10:55:29 skrll Exp $ */ 2 1.4.4.2 skrll /* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ 3 1.4.4.2 skrll /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */ 4 1.4.4.2 skrll 5 1.4.4.2 skrll /* 6 1.4.4.2 skrll * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj (at) wabbitt.org) 7 1.4.4.2 skrll * 8 1.4.4.2 skrll * Redistribution and use in source and binary forms, with or without 9 1.4.4.2 skrll * modification, are permitted provided that the following conditions 10 1.4.4.2 skrll * are met: 11 1.4.4.2 skrll * 12 1.4.4.2 skrll * 1. Redistributions of source code must retain the above copyright 13 1.4.4.2 skrll * notice, this list of conditions and the following disclaimer. 14 1.4.4.2 skrll * 2. Redistributions in binary form must reproduce the above copyright 15 1.4.4.2 skrll * notice, this list of conditions and the following disclaimer in the 16 1.4.4.2 skrll * documentation and/or other materials provided with the distribution. 17 1.4.4.2 skrll * 3. The name of the author may not be used to endorse or promote products 18 1.4.4.2 skrll * derived from this software without specific prior written permission. 19 1.4.4.2 skrll * 20 1.4.4.2 skrll * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 1.4.4.2 skrll * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 1.4.4.2 skrll * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 1.4.4.2 skrll * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 1.4.4.2 skrll * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 1.4.4.2 skrll * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 1.4.4.2 skrll * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 1.4.4.2 skrll * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 1.4.4.2 skrll * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 1.4.4.2 skrll * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 1.4.4.2 skrll */ 31 1.4.4.2 skrll 32 1.4.4.2 skrll #include <sys/cdefs.h> 33 1.4.4.2 skrll __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.4.4.2 2004/08/03 10:55:29 skrll Exp $"); 34 1.4.4.2 skrll 35 1.4.4.2 skrll /* IP payload compression protocol (IPComp), see RFC 2393 */ 36 1.4.4.2 skrll #include "opt_inet.h" 37 1.4.4.2 skrll #ifdef __FreeBSD__ 38 1.4.4.2 skrll #include "opt_inet6.h" 39 1.4.4.2 skrll #endif 40 1.4.4.2 skrll 41 1.4.4.2 skrll #include <sys/param.h> 42 1.4.4.2 skrll #include <sys/systm.h> 43 1.4.4.2 skrll #include <sys/mbuf.h> 44 1.4.4.2 skrll #include <sys/socket.h> 45 1.4.4.2 skrll #include <sys/kernel.h> 46 1.4.4.2 skrll #include <sys/protosw.h> 47 1.4.4.2 skrll #include <sys/sysctl.h> 48 1.4.4.2 skrll 49 1.4.4.2 skrll #include <netinet/in.h> 50 1.4.4.2 skrll #include <netinet/in_systm.h> 51 1.4.4.2 skrll #include <netinet/ip.h> 52 1.4.4.2 skrll #include <netinet/ip_var.h> 53 1.4.4.2 skrll 54 1.4.4.2 skrll #include <net/route.h> 55 1.4.4.2 skrll #include <netipsec/ipsec.h> 56 1.4.4.2 skrll #include <netipsec/xform.h> 57 1.4.4.2 skrll 58 1.4.4.2 skrll #ifdef INET6 59 1.4.4.2 skrll #include <netinet/ip6.h> 60 1.4.4.2 skrll #include <netipsec/ipsec6.h> 61 1.4.4.2 skrll #endif 62 1.4.4.2 skrll 63 1.4.4.2 skrll #include <netipsec/ipcomp.h> 64 1.4.4.2 skrll #include <netipsec/ipcomp_var.h> 65 1.4.4.2 skrll 66 1.4.4.2 skrll #include <netipsec/key.h> 67 1.4.4.2 skrll #include <netipsec/key_debug.h> 68 1.4.4.2 skrll 69 1.4.4.2 skrll #include <netipsec/ipsec_osdep.h> 70 1.4.4.2 skrll 71 1.4.4.2 skrll #include <opencrypto/cryptodev.h> 72 1.4.4.2 skrll #include <opencrypto/deflate.h> 73 1.4.4.2 skrll #include <opencrypto/xform.h> 74 1.4.4.2 skrll 75 1.4.4.2 skrll int ipcomp_enable = 0; 76 1.4.4.2 skrll struct ipcompstat ipcompstat; 77 1.4.4.2 skrll 78 1.4.4.2 skrll #ifdef __FreeBSD__ 79 1.4.4.2 skrll SYSCTL_DECL(_net_inet_ipcomp); 80 1.4.4.2 skrll SYSCTL_INT(_net_inet_ipcomp, OID_AUTO, 81 1.4.4.2 skrll ipcomp_enable, CTLFLAG_RW, &ipcomp_enable, 0, ""); 82 1.4.4.2 skrll SYSCTL_STRUCT(_net_inet_ipcomp, IPSECCTL_STATS, 83 1.4.4.2 skrll stats, CTLFLAG_RD, &ipcompstat, ipcompstat, ""); 84 1.4.4.2 skrll #endif /* __FreeBSD__ */ 85 1.4.4.2 skrll 86 1.4.4.2 skrll static int ipcomp_input_cb(struct cryptop *crp); 87 1.4.4.2 skrll static int ipcomp_output_cb(struct cryptop *crp); 88 1.4.4.2 skrll 89 1.4.4.2 skrll struct comp_algo * 90 1.4.4.2 skrll ipcomp_algorithm_lookup(int alg) 91 1.4.4.2 skrll { 92 1.4.4.2 skrll if (alg >= IPCOMP_ALG_MAX) 93 1.4.4.2 skrll return NULL; 94 1.4.4.2 skrll switch (alg) { 95 1.4.4.2 skrll case SADB_X_CALG_DEFLATE: 96 1.4.4.2 skrll return &comp_algo_deflate; 97 1.4.4.2 skrll } 98 1.4.4.2 skrll return NULL; 99 1.4.4.2 skrll } 100 1.4.4.2 skrll 101 1.4.4.2 skrll /* 102 1.4.4.2 skrll * ipcomp_init() is called when an CPI is being set up. 103 1.4.4.2 skrll */ 104 1.4.4.2 skrll static int 105 1.4.4.2 skrll ipcomp_init(struct secasvar *sav, struct xformsw *xsp) 106 1.4.4.2 skrll { 107 1.4.4.2 skrll struct comp_algo *tcomp; 108 1.4.4.2 skrll struct cryptoini cric; 109 1.4.4.2 skrll 110 1.4.4.2 skrll /* NB: algorithm really comes in alg_enc and not alg_comp! */ 111 1.4.4.2 skrll tcomp = ipcomp_algorithm_lookup(sav->alg_enc); 112 1.4.4.2 skrll if (tcomp == NULL) { 113 1.4.4.2 skrll DPRINTF(("ipcomp_init: unsupported compression algorithm %d\n", 114 1.4.4.2 skrll sav->alg_comp)); 115 1.4.4.2 skrll return EINVAL; 116 1.4.4.2 skrll } 117 1.4.4.2 skrll sav->alg_comp = sav->alg_enc; /* set for doing histogram */ 118 1.4.4.2 skrll sav->tdb_xform = xsp; 119 1.4.4.2 skrll sav->tdb_compalgxform = tcomp; 120 1.4.4.2 skrll 121 1.4.4.2 skrll /* Initialize crypto session */ 122 1.4.4.2 skrll bzero(&cric, sizeof (cric)); 123 1.4.4.2 skrll cric.cri_alg = sav->tdb_compalgxform->type; 124 1.4.4.2 skrll 125 1.4.4.2 skrll return crypto_newsession(&sav->tdb_cryptoid, &cric, crypto_support); 126 1.4.4.2 skrll } 127 1.4.4.2 skrll 128 1.4.4.2 skrll /* 129 1.4.4.2 skrll * ipcomp_zeroize() used when IPCA is deleted 130 1.4.4.2 skrll */ 131 1.4.4.2 skrll static int 132 1.4.4.2 skrll ipcomp_zeroize(struct secasvar *sav) 133 1.4.4.2 skrll { 134 1.4.4.2 skrll int err; 135 1.4.4.2 skrll 136 1.4.4.2 skrll err = crypto_freesession(sav->tdb_cryptoid); 137 1.4.4.2 skrll sav->tdb_cryptoid = 0; 138 1.4.4.2 skrll return err; 139 1.4.4.2 skrll } 140 1.4.4.2 skrll 141 1.4.4.2 skrll /* 142 1.4.4.2 skrll * ipcomp_input() gets called to uncompress an input packet 143 1.4.4.2 skrll */ 144 1.4.4.2 skrll static int 145 1.4.4.2 skrll ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) 146 1.4.4.2 skrll { 147 1.4.4.2 skrll struct tdb_crypto *tc; 148 1.4.4.2 skrll struct cryptodesc *crdc; 149 1.4.4.2 skrll struct cryptop *crp; 150 1.4.4.2 skrll int hlen = IPCOMP_HLENGTH; 151 1.4.4.2 skrll 152 1.4.4.2 skrll IPSEC_SPLASSERT_SOFTNET("ipcomp_input"); 153 1.4.4.2 skrll 154 1.4.4.2 skrll /* Get crypto descriptors */ 155 1.4.4.2 skrll crp = crypto_getreq(1); 156 1.4.4.2 skrll if (crp == NULL) { 157 1.4.4.2 skrll m_freem(m); 158 1.4.4.2 skrll DPRINTF(("ipcomp_input: no crypto descriptors\n")); 159 1.4.4.2 skrll ipcompstat.ipcomps_crypto++; 160 1.4.4.2 skrll return ENOBUFS; 161 1.4.4.2 skrll } 162 1.4.4.2 skrll /* Get IPsec-specific opaque pointer */ 163 1.4.4.2 skrll tc = (struct tdb_crypto *) malloc(sizeof (*tc), M_XDATA, M_NOWAIT|M_ZERO); 164 1.4.4.2 skrll if (tc == NULL) { 165 1.4.4.2 skrll m_freem(m); 166 1.4.4.2 skrll crypto_freereq(crp); 167 1.4.4.2 skrll DPRINTF(("ipcomp_input: cannot allocate tdb_crypto\n")); 168 1.4.4.2 skrll ipcompstat.ipcomps_crypto++; 169 1.4.4.2 skrll return ENOBUFS; 170 1.4.4.2 skrll } 171 1.4.4.2 skrll crdc = crp->crp_desc; 172 1.4.4.2 skrll 173 1.4.4.2 skrll crdc->crd_skip = skip + hlen; 174 1.4.4.2 skrll crdc->crd_len = m->m_pkthdr.len - (skip + hlen); 175 1.4.4.2 skrll crdc->crd_inject = skip; 176 1.4.4.2 skrll 177 1.4.4.2 skrll tc->tc_ptr = 0; 178 1.4.4.2 skrll 179 1.4.4.2 skrll /* Decompression operation */ 180 1.4.4.2 skrll crdc->crd_alg = sav->tdb_compalgxform->type; 181 1.4.4.2 skrll 182 1.4.4.2 skrll /* Crypto operation descriptor */ 183 1.4.4.2 skrll crp->crp_ilen = m->m_pkthdr.len - (skip + hlen); 184 1.4.4.2 skrll crp->crp_flags = CRYPTO_F_IMBUF; 185 1.4.4.2 skrll crp->crp_buf = (caddr_t) m; 186 1.4.4.2 skrll crp->crp_callback = ipcomp_input_cb; 187 1.4.4.2 skrll crp->crp_sid = sav->tdb_cryptoid; 188 1.4.4.2 skrll crp->crp_opaque = (caddr_t) tc; 189 1.4.4.2 skrll 190 1.4.4.2 skrll /* These are passed as-is to the callback */ 191 1.4.4.2 skrll tc->tc_spi = sav->spi; 192 1.4.4.2 skrll tc->tc_dst = sav->sah->saidx.dst; 193 1.4.4.2 skrll tc->tc_proto = sav->sah->saidx.proto; 194 1.4.4.2 skrll tc->tc_protoff = protoff; 195 1.4.4.2 skrll tc->tc_skip = skip; 196 1.4.4.2 skrll 197 1.4.4.2 skrll return crypto_dispatch(crp); 198 1.4.4.2 skrll } 199 1.4.4.2 skrll 200 1.4.4.2 skrll #ifdef INET6 201 1.4.4.2 skrll #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ 202 1.4.4.2 skrll if (saidx->dst.sa.sa_family == AF_INET6) { \ 203 1.4.4.2 skrll error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ 204 1.4.4.2 skrll } else { \ 205 1.4.4.2 skrll error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ 206 1.4.4.2 skrll } \ 207 1.4.4.2 skrll } while (0) 208 1.4.4.2 skrll #else 209 1.4.4.2 skrll #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ 210 1.4.4.2 skrll (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) 211 1.4.4.2 skrll #endif 212 1.4.4.2 skrll 213 1.4.4.2 skrll /* 214 1.4.4.2 skrll * IPComp input callback from the crypto driver. 215 1.4.4.2 skrll */ 216 1.4.4.2 skrll static int 217 1.4.4.2 skrll ipcomp_input_cb(struct cryptop *crp) 218 1.4.4.2 skrll { 219 1.4.4.2 skrll struct cryptodesc *crd; 220 1.4.4.2 skrll struct tdb_crypto *tc; 221 1.4.4.2 skrll int skip, protoff; 222 1.4.4.2 skrll struct mtag *mtag; 223 1.4.4.2 skrll struct mbuf *m; 224 1.4.4.2 skrll struct secasvar *sav; 225 1.4.4.2 skrll struct secasindex *saidx; 226 1.4.4.2 skrll int s, hlen = IPCOMP_HLENGTH, error, clen; 227 1.4.4.2 skrll u_int8_t nproto; 228 1.4.4.2 skrll caddr_t addr; 229 1.4.4.2 skrll 230 1.4.4.2 skrll crd = crp->crp_desc; 231 1.4.4.2 skrll 232 1.4.4.2 skrll tc = (struct tdb_crypto *) crp->crp_opaque; 233 1.4.4.2 skrll IPSEC_ASSERT(tc != NULL, ("ipcomp_input_cb: null opaque crypto data area!")); 234 1.4.4.2 skrll skip = tc->tc_skip; 235 1.4.4.2 skrll protoff = tc->tc_protoff; 236 1.4.4.2 skrll mtag = (struct mtag *) tc->tc_ptr; 237 1.4.4.2 skrll m = (struct mbuf *) crp->crp_buf; 238 1.4.4.2 skrll 239 1.4.4.2 skrll s = splsoftnet(); 240 1.4.4.2 skrll 241 1.4.4.2 skrll sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); 242 1.4.4.2 skrll if (sav == NULL) { 243 1.4.4.2 skrll ipcompstat.ipcomps_notdb++; 244 1.4.4.2 skrll DPRINTF(("ipcomp_input_cb: SA expired while in crypto\n")); 245 1.4.4.2 skrll error = ENOBUFS; /*XXX*/ 246 1.4.4.2 skrll goto bad; 247 1.4.4.2 skrll } 248 1.4.4.2 skrll 249 1.4.4.2 skrll saidx = &sav->sah->saidx; 250 1.4.4.2 skrll IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || 251 1.4.4.2 skrll saidx->dst.sa.sa_family == AF_INET6, 252 1.4.4.2 skrll ("ah_input_cb: unexpected protocol family %u", 253 1.4.4.2 skrll saidx->dst.sa.sa_family)); 254 1.4.4.2 skrll 255 1.4.4.2 skrll /* Check for crypto errors */ 256 1.4.4.2 skrll if (crp->crp_etype) { 257 1.4.4.2 skrll /* Reset the session ID */ 258 1.4.4.2 skrll if (sav->tdb_cryptoid != 0) 259 1.4.4.2 skrll sav->tdb_cryptoid = crp->crp_sid; 260 1.4.4.2 skrll 261 1.4.4.2 skrll if (crp->crp_etype == EAGAIN) { 262 1.4.4.2 skrll KEY_FREESAV(&sav); 263 1.4.4.2 skrll splx(s); 264 1.4.4.2 skrll return crypto_dispatch(crp); 265 1.4.4.2 skrll } 266 1.4.4.2 skrll 267 1.4.4.2 skrll ipcompstat.ipcomps_noxform++; 268 1.4.4.2 skrll DPRINTF(("ipcomp_input_cb: crypto error %d\n", crp->crp_etype)); 269 1.4.4.2 skrll error = crp->crp_etype; 270 1.4.4.2 skrll goto bad; 271 1.4.4.2 skrll } 272 1.4.4.2 skrll /* Shouldn't happen... */ 273 1.4.4.2 skrll if (m == NULL) { 274 1.4.4.2 skrll ipcompstat.ipcomps_crypto++; 275 1.4.4.2 skrll DPRINTF(("ipcomp_input_cb: null mbuf returned from crypto\n")); 276 1.4.4.2 skrll error = EINVAL; 277 1.4.4.2 skrll goto bad; 278 1.4.4.2 skrll } 279 1.4.4.2 skrll ipcompstat.ipcomps_hist[sav->alg_comp]++; 280 1.4.4.2 skrll 281 1.4.4.2 skrll clen = crp->crp_olen; /* Length of data after processing */ 282 1.4.4.2 skrll 283 1.4.4.2 skrll /* Release the crypto descriptors */ 284 1.4.4.2 skrll free(tc, M_XDATA), tc = NULL; 285 1.4.4.2 skrll crypto_freereq(crp), crp = NULL; 286 1.4.4.2 skrll 287 1.4.4.2 skrll /* In case it's not done already, adjust the size of the mbuf chain */ 288 1.4.4.2 skrll m->m_pkthdr.len = clen + hlen + skip; 289 1.4.4.2 skrll 290 1.4.4.2 skrll if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) { 291 1.4.4.2 skrll ipcompstat.ipcomps_hdrops++; /*XXX*/ 292 1.4.4.2 skrll DPRINTF(("ipcomp_input_cb: m_pullup failed\n")); 293 1.4.4.2 skrll error = EINVAL; /*XXX*/ 294 1.4.4.2 skrll goto bad; 295 1.4.4.2 skrll } 296 1.4.4.2 skrll 297 1.4.4.2 skrll /* Keep the next protocol field */ 298 1.4.4.2 skrll addr = (caddr_t) mtod(m, struct ip *) + skip; 299 1.4.4.2 skrll nproto = ((struct ipcomp *) addr)->comp_nxt; 300 1.4.4.2 skrll 301 1.4.4.2 skrll /* Remove the IPCOMP header */ 302 1.4.4.2 skrll error = m_striphdr(m, skip, hlen); 303 1.4.4.2 skrll if (error) { 304 1.4.4.2 skrll ipcompstat.ipcomps_hdrops++; 305 1.4.4.2 skrll DPRINTF(("ipcomp_input_cb: bad mbuf chain, IPCA %s/%08lx\n", 306 1.4.4.2 skrll ipsec_address(&sav->sah->saidx.dst), 307 1.4.4.2 skrll (u_long) ntohl(sav->spi))); 308 1.4.4.2 skrll goto bad; 309 1.4.4.2 skrll } 310 1.4.4.2 skrll 311 1.4.4.2 skrll /* Restore the Next Protocol field */ 312 1.4.4.2 skrll m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto); 313 1.4.4.2 skrll 314 1.4.4.2 skrll IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, NULL); 315 1.4.4.2 skrll 316 1.4.4.2 skrll KEY_FREESAV(&sav); 317 1.4.4.2 skrll splx(s); 318 1.4.4.2 skrll return error; 319 1.4.4.2 skrll bad: 320 1.4.4.2 skrll if (sav) 321 1.4.4.2 skrll KEY_FREESAV(&sav); 322 1.4.4.2 skrll splx(s); 323 1.4.4.2 skrll if (m) 324 1.4.4.2 skrll m_freem(m); 325 1.4.4.2 skrll if (tc != NULL) 326 1.4.4.2 skrll free(tc, M_XDATA); 327 1.4.4.2 skrll if (crp) 328 1.4.4.2 skrll crypto_freereq(crp); 329 1.4.4.2 skrll return error; 330 1.4.4.2 skrll } 331 1.4.4.2 skrll 332 1.4.4.2 skrll /* 333 1.4.4.2 skrll * IPComp output routine, called by ipsec[46]_process_packet() 334 1.4.4.2 skrll */ 335 1.4.4.2 skrll static int 336 1.4.4.2 skrll ipcomp_output( 337 1.4.4.2 skrll struct mbuf *m, 338 1.4.4.2 skrll struct ipsecrequest *isr, 339 1.4.4.2 skrll struct mbuf **mp, 340 1.4.4.2 skrll int skip, 341 1.4.4.2 skrll int protoff 342 1.4.4.2 skrll ) 343 1.4.4.2 skrll { 344 1.4.4.2 skrll struct secasvar *sav; 345 1.4.4.2 skrll struct comp_algo *ipcompx; 346 1.4.4.2 skrll int error, ralen, hlen, maxpacketsize, roff; 347 1.4.4.2 skrll u_int8_t prot; 348 1.4.4.2 skrll struct cryptodesc *crdc; 349 1.4.4.2 skrll struct cryptop *crp; 350 1.4.4.2 skrll struct tdb_crypto *tc; 351 1.4.4.2 skrll struct mbuf *mo; 352 1.4.4.2 skrll struct ipcomp *ipcomp; 353 1.4.4.2 skrll 354 1.4.4.2 skrll IPSEC_SPLASSERT_SOFTNET("ipcomp_output"); 355 1.4.4.2 skrll sav = isr->sav; 356 1.4.4.2 skrll IPSEC_ASSERT(sav != NULL, ("ipcomp_output: null SA")); 357 1.4.4.2 skrll ipcompx = sav->tdb_compalgxform; 358 1.4.4.2 skrll IPSEC_ASSERT(ipcompx != NULL, ("ipcomp_output: null compression xform")); 359 1.4.4.2 skrll 360 1.4.4.2 skrll ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */ 361 1.4.4.2 skrll hlen = IPCOMP_HLENGTH; 362 1.4.4.2 skrll 363 1.4.4.2 skrll ipcompstat.ipcomps_output++; 364 1.4.4.2 skrll 365 1.4.4.2 skrll /* Check for maximum packet size violations. */ 366 1.4.4.2 skrll switch (sav->sah->saidx.dst.sa.sa_family) { 367 1.4.4.2 skrll #ifdef INET 368 1.4.4.2 skrll case AF_INET: 369 1.4.4.2 skrll maxpacketsize = IP_MAXPACKET; 370 1.4.4.2 skrll break; 371 1.4.4.2 skrll #endif /* INET */ 372 1.4.4.2 skrll #ifdef INET6 373 1.4.4.2 skrll case AF_INET6: 374 1.4.4.2 skrll maxpacketsize = IPV6_MAXPACKET; 375 1.4.4.2 skrll break; 376 1.4.4.2 skrll #endif /* INET6 */ 377 1.4.4.2 skrll default: 378 1.4.4.2 skrll ipcompstat.ipcomps_nopf++; 379 1.4.4.2 skrll DPRINTF(("ipcomp_output: unknown/unsupported protocol family %d" 380 1.4.4.2 skrll ", IPCA %s/%08lx\n", 381 1.4.4.2 skrll sav->sah->saidx.dst.sa.sa_family, 382 1.4.4.2 skrll ipsec_address(&sav->sah->saidx.dst), 383 1.4.4.2 skrll (u_long) ntohl(sav->spi))); 384 1.4.4.2 skrll error = EPFNOSUPPORT; 385 1.4.4.2 skrll goto bad; 386 1.4.4.2 skrll } 387 1.4.4.2 skrll if (skip + hlen + ralen > maxpacketsize) { 388 1.4.4.2 skrll ipcompstat.ipcomps_toobig++; 389 1.4.4.2 skrll DPRINTF(("ipcomp_output: packet in IPCA %s/%08lx got too big " 390 1.4.4.2 skrll "(len %u, max len %u)\n", 391 1.4.4.2 skrll ipsec_address(&sav->sah->saidx.dst), 392 1.4.4.2 skrll (u_long) ntohl(sav->spi), 393 1.4.4.2 skrll skip + hlen + ralen, maxpacketsize)); 394 1.4.4.2 skrll error = EMSGSIZE; 395 1.4.4.2 skrll goto bad; 396 1.4.4.2 skrll } 397 1.4.4.2 skrll 398 1.4.4.2 skrll /* Update the counters */ 399 1.4.4.2 skrll ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip; 400 1.4.4.2 skrll 401 1.4.4.2 skrll m = m_clone(m); 402 1.4.4.2 skrll if (m == NULL) { 403 1.4.4.2 skrll ipcompstat.ipcomps_hdrops++; 404 1.4.4.2 skrll DPRINTF(("ipcomp_output: cannot clone mbuf chain, IPCA %s/%08lx\n", 405 1.4.4.2 skrll ipsec_address(&sav->sah->saidx.dst), 406 1.4.4.2 skrll (u_long) ntohl(sav->spi))); 407 1.4.4.2 skrll error = ENOBUFS; 408 1.4.4.2 skrll goto bad; 409 1.4.4.2 skrll } 410 1.4.4.2 skrll 411 1.4.4.2 skrll /* Inject IPCOMP header */ 412 1.4.4.2 skrll mo = m_makespace(m, skip, hlen, &roff); 413 1.4.4.2 skrll if (mo == NULL) { 414 1.4.4.2 skrll ipcompstat.ipcomps_wrap++; 415 1.4.4.2 skrll DPRINTF(("ipcomp_output: failed to inject IPCOMP header for " 416 1.4.4.2 skrll "IPCA %s/%08lx\n", 417 1.4.4.2 skrll ipsec_address(&sav->sah->saidx.dst), 418 1.4.4.2 skrll (u_long) ntohl(sav->spi))); 419 1.4.4.2 skrll error = ENOBUFS; 420 1.4.4.2 skrll goto bad; 421 1.4.4.2 skrll } 422 1.4.4.2 skrll ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff); 423 1.4.4.2 skrll 424 1.4.4.2 skrll /* Initialize the IPCOMP header */ 425 1.4.4.2 skrll /* XXX alignment always correct? */ 426 1.4.4.2 skrll switch (sav->sah->saidx.dst.sa.sa_family) { 427 1.4.4.2 skrll #ifdef INET 428 1.4.4.2 skrll case AF_INET: 429 1.4.4.2 skrll ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p; 430 1.4.4.2 skrll break; 431 1.4.4.2 skrll #endif /* INET */ 432 1.4.4.2 skrll #ifdef INET6 433 1.4.4.2 skrll case AF_INET6: 434 1.4.4.2 skrll ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt; 435 1.4.4.2 skrll break; 436 1.4.4.2 skrll #endif 437 1.4.4.2 skrll } 438 1.4.4.2 skrll ipcomp->comp_flags = 0; 439 1.4.4.2 skrll ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi)); 440 1.4.4.2 skrll 441 1.4.4.2 skrll /* Fix Next Protocol in IPv4/IPv6 header */ 442 1.4.4.2 skrll prot = IPPROTO_IPCOMP; 443 1.4.4.2 skrll m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot); 444 1.4.4.2 skrll 445 1.4.4.2 skrll /* Ok now, we can pass to the crypto processing */ 446 1.4.4.2 skrll 447 1.4.4.2 skrll /* Get crypto descriptors */ 448 1.4.4.2 skrll crp = crypto_getreq(1); 449 1.4.4.2 skrll if (crp == NULL) { 450 1.4.4.2 skrll ipcompstat.ipcomps_crypto++; 451 1.4.4.2 skrll DPRINTF(("ipcomp_output: failed to acquire crypto descriptor\n")); 452 1.4.4.2 skrll error = ENOBUFS; 453 1.4.4.2 skrll goto bad; 454 1.4.4.2 skrll } 455 1.4.4.2 skrll crdc = crp->crp_desc; 456 1.4.4.2 skrll 457 1.4.4.2 skrll /* Compression descriptor */ 458 1.4.4.2 skrll crdc->crd_skip = skip + hlen; 459 1.4.4.2 skrll crdc->crd_len = m->m_pkthdr.len - (skip + hlen); 460 1.4.4.2 skrll crdc->crd_flags = CRD_F_COMP; 461 1.4.4.2 skrll crdc->crd_inject = skip + hlen; 462 1.4.4.2 skrll 463 1.4.4.2 skrll /* Compression operation */ 464 1.4.4.2 skrll crdc->crd_alg = ipcompx->type; 465 1.4.4.2 skrll 466 1.4.4.2 skrll /* IPsec-specific opaque crypto info */ 467 1.4.4.2 skrll tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), 468 1.4.4.2 skrll M_XDATA, M_NOWAIT|M_ZERO); 469 1.4.4.2 skrll if (tc == NULL) { 470 1.4.4.2 skrll ipcompstat.ipcomps_crypto++; 471 1.4.4.2 skrll DPRINTF(("ipcomp_output: failed to allocate tdb_crypto\n")); 472 1.4.4.2 skrll crypto_freereq(crp); 473 1.4.4.2 skrll error = ENOBUFS; 474 1.4.4.2 skrll goto bad; 475 1.4.4.2 skrll } 476 1.4.4.2 skrll 477 1.4.4.2 skrll tc->tc_isr = isr; 478 1.4.4.2 skrll tc->tc_spi = sav->spi; 479 1.4.4.2 skrll tc->tc_dst = sav->sah->saidx.dst; 480 1.4.4.2 skrll tc->tc_proto = sav->sah->saidx.proto; 481 1.4.4.2 skrll tc->tc_skip = skip + hlen; 482 1.4.4.2 skrll 483 1.4.4.2 skrll /* Crypto operation descriptor */ 484 1.4.4.2 skrll crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ 485 1.4.4.2 skrll crp->crp_flags = CRYPTO_F_IMBUF; 486 1.4.4.2 skrll crp->crp_buf = (caddr_t) m; 487 1.4.4.2 skrll crp->crp_callback = ipcomp_output_cb; 488 1.4.4.2 skrll crp->crp_opaque = (caddr_t) tc; 489 1.4.4.2 skrll crp->crp_sid = sav->tdb_cryptoid; 490 1.4.4.2 skrll 491 1.4.4.2 skrll return crypto_dispatch(crp); 492 1.4.4.2 skrll bad: 493 1.4.4.2 skrll if (m) 494 1.4.4.2 skrll m_freem(m); 495 1.4.4.2 skrll return (error); 496 1.4.4.2 skrll } 497 1.4.4.2 skrll 498 1.4.4.2 skrll /* 499 1.4.4.2 skrll * IPComp output callback from the crypto driver. 500 1.4.4.2 skrll */ 501 1.4.4.2 skrll static int 502 1.4.4.2 skrll ipcomp_output_cb(struct cryptop *crp) 503 1.4.4.2 skrll { 504 1.4.4.2 skrll struct tdb_crypto *tc; 505 1.4.4.2 skrll struct ipsecrequest *isr; 506 1.4.4.2 skrll struct secasvar *sav; 507 1.4.4.2 skrll struct mbuf *m; 508 1.4.4.2 skrll int s, error, skip, rlen; 509 1.4.4.2 skrll 510 1.4.4.2 skrll tc = (struct tdb_crypto *) crp->crp_opaque; 511 1.4.4.2 skrll IPSEC_ASSERT(tc != NULL, ("ipcomp_output_cb: null opaque data area!")); 512 1.4.4.2 skrll m = (struct mbuf *) crp->crp_buf; 513 1.4.4.2 skrll skip = tc->tc_skip; 514 1.4.4.2 skrll rlen = crp->crp_ilen - skip; 515 1.4.4.2 skrll 516 1.4.4.2 skrll s = splsoftnet(); 517 1.4.4.2 skrll 518 1.4.4.2 skrll isr = tc->tc_isr; 519 1.4.4.2 skrll sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); 520 1.4.4.2 skrll if (sav == NULL) { 521 1.4.4.2 skrll ipcompstat.ipcomps_notdb++; 522 1.4.4.2 skrll DPRINTF(("ipcomp_output_cb: SA expired while in crypto\n")); 523 1.4.4.2 skrll error = ENOBUFS; /*XXX*/ 524 1.4.4.2 skrll goto bad; 525 1.4.4.2 skrll } 526 1.4.4.2 skrll IPSEC_ASSERT(isr->sav == sav, ("ipcomp_output_cb: SA changed\n")); 527 1.4.4.2 skrll 528 1.4.4.2 skrll /* Check for crypto errors */ 529 1.4.4.2 skrll if (crp->crp_etype) { 530 1.4.4.2 skrll /* Reset session ID */ 531 1.4.4.2 skrll if (sav->tdb_cryptoid != 0) 532 1.4.4.2 skrll sav->tdb_cryptoid = crp->crp_sid; 533 1.4.4.2 skrll 534 1.4.4.2 skrll if (crp->crp_etype == EAGAIN) { 535 1.4.4.2 skrll KEY_FREESAV(&sav); 536 1.4.4.2 skrll splx(s); 537 1.4.4.2 skrll return crypto_dispatch(crp); 538 1.4.4.2 skrll } 539 1.4.4.2 skrll ipcompstat.ipcomps_noxform++; 540 1.4.4.2 skrll DPRINTF(("ipcomp_output_cb: crypto error %d\n", crp->crp_etype)); 541 1.4.4.2 skrll error = crp->crp_etype; 542 1.4.4.2 skrll goto bad; 543 1.4.4.2 skrll } 544 1.4.4.2 skrll /* Shouldn't happen... */ 545 1.4.4.2 skrll if (m == NULL) { 546 1.4.4.2 skrll ipcompstat.ipcomps_crypto++; 547 1.4.4.2 skrll DPRINTF(("ipcomp_output_cb: bogus return buffer from crypto\n")); 548 1.4.4.2 skrll error = EINVAL; 549 1.4.4.2 skrll goto bad; 550 1.4.4.2 skrll } 551 1.4.4.2 skrll ipcompstat.ipcomps_hist[sav->alg_comp]++; 552 1.4.4.2 skrll 553 1.4.4.2 skrll if (rlen > crp->crp_olen) { 554 1.4.4.2 skrll /* Adjust the length in the IP header */ 555 1.4.4.2 skrll switch (sav->sah->saidx.dst.sa.sa_family) { 556 1.4.4.2 skrll #ifdef INET 557 1.4.4.2 skrll case AF_INET: 558 1.4.4.2 skrll mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len); 559 1.4.4.2 skrll break; 560 1.4.4.2 skrll #endif /* INET */ 561 1.4.4.2 skrll #ifdef INET6 562 1.4.4.2 skrll case AF_INET6: 563 1.4.4.2 skrll mtod(m, struct ip6_hdr *)->ip6_plen = 564 1.4.4.2 skrll htons(m->m_pkthdr.len) - sizeof(struct ip6_hdr); 565 1.4.4.2 skrll break; 566 1.4.4.2 skrll #endif /* INET6 */ 567 1.4.4.2 skrll default: 568 1.4.4.2 skrll ipcompstat.ipcomps_nopf++; 569 1.4.4.2 skrll DPRINTF(("ipcomp_output: unknown/unsupported protocol " 570 1.4.4.2 skrll "family %d, IPCA %s/%08lx\n", 571 1.4.4.2 skrll sav->sah->saidx.dst.sa.sa_family, 572 1.4.4.2 skrll ipsec_address(&sav->sah->saidx.dst), 573 1.4.4.2 skrll (u_long) ntohl(sav->spi))); 574 1.4.4.2 skrll error = EPFNOSUPPORT; 575 1.4.4.2 skrll goto bad; 576 1.4.4.2 skrll } 577 1.4.4.2 skrll } else { 578 1.4.4.2 skrll /* compression was useless, we have lost time */ 579 1.4.4.2 skrll /* XXX add statistic */ 580 1.4.4.2 skrll } 581 1.4.4.2 skrll 582 1.4.4.2 skrll /* Release the crypto descriptor */ 583 1.4.4.2 skrll free(tc, M_XDATA); 584 1.4.4.2 skrll crypto_freereq(crp); 585 1.4.4.2 skrll 586 1.4.4.2 skrll /* NB: m is reclaimed by ipsec_process_done. */ 587 1.4.4.2 skrll error = ipsec_process_done(m, isr); 588 1.4.4.2 skrll KEY_FREESAV(&sav); 589 1.4.4.2 skrll splx(s); 590 1.4.4.2 skrll return error; 591 1.4.4.2 skrll bad: 592 1.4.4.2 skrll if (sav) 593 1.4.4.2 skrll KEY_FREESAV(&sav); 594 1.4.4.2 skrll splx(s); 595 1.4.4.2 skrll if (m) 596 1.4.4.2 skrll m_freem(m); 597 1.4.4.2 skrll free(tc, M_XDATA); 598 1.4.4.2 skrll crypto_freereq(crp); 599 1.4.4.2 skrll return error; 600 1.4.4.2 skrll } 601 1.4.4.2 skrll 602 1.4.4.2 skrll static struct xformsw ipcomp_xformsw = { 603 1.4.4.2 skrll XF_IPCOMP, XFT_COMP, "IPcomp", 604 1.4.4.2 skrll ipcomp_init, ipcomp_zeroize, ipcomp_input, 605 1.4.4.2 skrll ipcomp_output 606 1.4.4.2 skrll }; 607 1.4.4.2 skrll 608 1.4.4.2 skrll INITFN void 609 1.4.4.2 skrll ipcomp_attach(void) 610 1.4.4.2 skrll { 611 1.4.4.2 skrll xform_register(&ipcomp_xformsw); 612 1.4.4.2 skrll } 613 1.4.4.2 skrll 614 1.4.4.2 skrll #ifdef __FreeBSD__ 615 1.4.4.2 skrll SYSINIT(ipcomp_xform_init, SI_SUB_DRIVERS, SI_ORDER_FIRST, ipcomp_attach, NULL) 616 1.4.4.2 skrll #endif /* __FreeBSD__ */ 617
Indexes created Tue Sep 30 20:09:53 GMT 2025