ah_output.c

eCos/RedBoot for勤研ARM AnywhereII(4510) 含全部源代码

	 * the IPv4 header to the final destination.
	 * Note that we do not need to update source routing option itself
	 * (as done in IPv4 AH processing -- see ip6_output()), since
	 * source routing option is not part of the ICV computation.
	 */
	finaldst = ah4_finaldst(m);
	if (finaldst) {
		dst.s_addr = ip->ip_dst.s_addr;
		ip->ip_dst.s_addr = finaldst->s_addr;
	}

	/*
	 * calcurate the checksum, based on security association
	 * and the algorithm specified.
	 */
	error = ah4_calccksum(m, (caddr_t)ahsumpos, plen, algo, sav);
	if (error) {
		ipseclog((LOG_ERR,
		    "error after ah4_calccksum, called from ah4_output"));
		m_freem(m);
		m = NULL;
		ipsecstat.out_inval++;
		return error;
	}

	if (finaldst) {
		ip = mtod(m, struct ip *);	/* just to make sure */
		ip->ip_dst.s_addr = dst.s_addr;
	}
	ipsecstat.out_success++;
	ipsecstat.out_ahhist[sav->alg_auth]++;
	key_sa_recordxfer(sav, m);

	return 0;
}
#endif

/* Calculate AH length */
int
ah_hdrlen(sav)
	struct secasvar *sav;
{
	const struct ah_algorithm *algo;
	int plen, ahlen;
	
	algo = ah_algorithm_lookup(sav->alg_auth);
	if (!algo)
		return 0;
	if (sav->flags & SADB_X_EXT_OLD) {
		/* RFC 1826 */
		plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1);	/* XXX pad to 8byte? */
		ahlen = plen + sizeof(struct ah);
	} else {
		/* RFC 2402 */
		plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1);	/* XXX pad to 8byte? */
		ahlen = plen + sizeof(struct newah);
	}

	return(ahlen);
}

#ifdef INET6
/*
 * Fill in the Authentication Header and calculate checksum.
 */
int
ah6_output(m, nexthdrp, md, isr)
	struct mbuf *m;
	u_char *nexthdrp;
	struct mbuf *md;
	struct ipsecrequest *isr;
{
	struct mbuf *mprev;
	struct mbuf *mah;
	struct secasvar *sav = isr->sav;
	const struct ah_algorithm *algo;
	u_int32_t spi;
	u_char *ahsumpos = NULL;
	size_t plen;	/* AH payload size in bytes */
	int error = 0;
	int ahlen;
	struct ip6_hdr *ip6;

	if (m->m_len < sizeof(struct ip6_hdr)) {
		ipseclog((LOG_DEBUG, "ah6_output: first mbuf too short\n"));
		m_freem(m);
		return EINVAL;
	}

	ahlen = ah_hdrlen(sav);
	if (ahlen == 0)
		return 0;

	for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next)
		;
	if (!mprev || mprev->m_next != md) {
		ipseclog((LOG_DEBUG, "ah6_output: md is not in chain\n"));
		m_freem(m);
		return EINVAL;
	}

	MGET(mah, M_DONTWAIT, MT_DATA);
	if (!mah) {
		m_freem(m);
		return ENOBUFS;
	}
	if (ahlen > MLEN) {
		MCLGET(mah, M_DONTWAIT);
		if ((mah->m_flags & M_EXT) == 0) {
			m_free(mah);
			m_freem(m);
			return ENOBUFS;
		}
	}
	mah->m_len = ahlen;
	mah->m_next = md;
	mprev->m_next = mah;
	m->m_pkthdr.len += ahlen;

	/* fix plen */
	if (m->m_pkthdr.len - sizeof(struct ip6_hdr) > IPV6_MAXPACKET) {
		ipseclog((LOG_ERR,
		    "ip6_output: AH with IPv6 jumbogram is not supported\n"));
		m_freem(m);
		return EINVAL;
	}
	ip6 = mtod(m, struct ip6_hdr *);
	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));

	if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
		ipseclog((LOG_DEBUG, "ah6_output: internal error: "
			"sav->replay is null: SPI=%u\n",
			(u_int32_t)ntohl(sav->spi)));
		ipsec6stat.out_inval++;
		m_freem(m);
		return EINVAL;
	}

	algo = ah_algorithm_lookup(sav->alg_auth);
	if (!algo) {
		ipseclog((LOG_ERR, "ah6_output: unsupported algorithm: "
		    "SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
		ipsec6stat.out_inval++;
		m_freem(m);
		return EINVAL;
	}
	spi = sav->spi;

	/*
	 * initialize AH.
	 */
	if (sav->flags & SADB_X_EXT_OLD) {
		struct ah *ahdr = mtod(mah, struct ah *);

		plen = mah->m_len - sizeof(struct ah);
		ahsumpos = (u_char *)(ahdr + 1);
		ahdr->ah_nxt = *nexthdrp;
		*nexthdrp = IPPROTO_AH;
		ahdr->ah_len = plen >> 2;
		ahdr->ah_reserve = htons(0);
		ahdr->ah_spi = spi;
		bzero(ahdr + 1, plen);
	} else {
		struct newah *ahdr = mtod(mah, struct newah *);

		plen = mah->m_len - sizeof(struct newah);
		ahsumpos = (u_char *)(ahdr + 1);
		ahdr->ah_nxt = *nexthdrp;
		*nexthdrp = IPPROTO_AH;
		ahdr->ah_len = (plen >> 2) + 1;	/* plus one for seq# */
		ahdr->ah_reserve = htons(0);
		ahdr->ah_spi = spi;
		if (sav->replay->count == ~0) {
			if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
				/* XXX Is it noisy ? */
				ipseclog((LOG_WARNING,
				    "replay counter overflowed. %s\n",
				    ipsec_logsastr(sav)));
				ipsec6stat.out_inval++;
				m_freem(m);
				return EINVAL;
			}
		}
		sav->replay->count++;
		/*
		 * XXX sequence number must not be cycled, if the SA is
		 * installed by IKE daemon.
		 */
		ahdr->ah_seq = htonl(sav->replay->count);
		bzero(ahdr + 1, plen);
	}

	/*
	 * calcurate the checksum, based on security association
	 * and the algorithm specified.
	 */
	error = ah6_calccksum(m, (caddr_t)ahsumpos, plen, algo, sav);
	if (error) {
		ipsec6stat.out_inval++;
		m_freem(m);
	} else {
		ipsec6stat.out_success++;
		key_sa_recordxfer(sav, m);
	}
	ipsec6stat.out_ahhist[sav->alg_auth]++;

	return(error);
}
#endif

#ifdef INET
/*
 * Find the final destination if there is loose/strict source routing option.
 * Returns NULL if there's no source routing options.
 * Returns NULL on errors too.
 * Note that this function will return a pointer INTO the given parameter,
 * struct mbuf *m.
 * The mbuf must be pulled up toward, at least, ip option part.
 */
static struct in_addr *
ah4_finaldst(m)
	struct mbuf *m;
{
	struct ip *ip;
	int optlen;
	u_char *q;
	int i;
	int hlen;

	if (!m)
		panic("ah4_finaldst: m == NULL");
	ip = mtod(m, struct ip *);
	hlen = (ip->ip_hl << 2);

	if (m->m_len < hlen) {
		ipseclog((LOG_DEBUG,
		    "ah4_finaldst: parameter mbuf wrong (not pulled up)\n"));
		return NULL;
	}

	if (hlen == sizeof(struct ip))
		return NULL;

	optlen = hlen - sizeof(struct ip);
	if (optlen < 0) {
		ipseclog((LOG_DEBUG, "ah4_finaldst: wrong optlen %d\n",
		    optlen));
		return NULL;
	}

	q = (u_char *)(ip + 1);
	i = 0;
	while (i < optlen) {
		if (i + IPOPT_OPTVAL >= optlen)
			return NULL;
		if (q[i + IPOPT_OPTVAL] == IPOPT_EOL ||
		    q[i + IPOPT_OPTVAL] == IPOPT_NOP ||
		    i + IPOPT_OLEN < optlen)
			;
		else
			return NULL;

		switch (q[i + IPOPT_OPTVAL]) {
		case IPOPT_EOL:
			i = optlen;	/* bye */
			break;
		case IPOPT_NOP:
			i++;
			break;
		case IPOPT_LSRR:
		case IPOPT_SSRR:
			if (q[i + IPOPT_OLEN] < 2 + sizeof(struct in_addr) ||
			    optlen - i < q[i + IPOPT_OLEN]) {
				ipseclog((LOG_ERR,
				    "ip_finaldst: invalid IP option "
				    "(code=%02x len=%02x)\n",
				    q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
				return NULL;
			}
			i += q[i + IPOPT_OLEN] - sizeof(struct in_addr);
			return (struct in_addr *)(q + i);
		default:
			if (q[i + IPOPT_OLEN] < 2 ||
			    optlen - i < q[i + IPOPT_OLEN]) {
				ipseclog((LOG_ERR,
				    "ip_finaldst: invalid IP option "
				    "(code=%02x len=%02x)\n",
				    q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
				return NULL;
			}
			i += q[i + IPOPT_OLEN];
			break;
		}
	}
	return NULL;
}
#endif