tn_ipopt.c revision 222c5bce8762079550e5ccd485a12de1fff5a82e
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <inet/ipclassifier.h>
#include <inet/ip_ftable.h>
/*
* This routine takes a sensitivity label as input and creates a CIPSO
* option in the specified buffer. It returns the size of the CIPSO option.
* If the sensitivity label is too large for the CIPSO option, then 0
* is returned.
*
* tsol2cipso_tt1 returns 0 for failure and greater than 0 for success
* (more accurately, success means a return value between 10 and 40).
*/
static int
{
struct cipso_tag_type_1 *tt1;
const _bslabel_impl_t *bsl;
int i;
if (doi == 0)
return (0);
/* check for Admin High sensitivity label */
return (0);
/* check whether classification will fit in one octet */
return (0);
/*
* Check whether compartments will fit in 30 octets.
* Compartments 241 - 256 are not allowed.
*/
return (0);
/*
* Compute option length and tag length.
* 'p' points to the last two bytes in the Sensitivity Label's
* compartments; these cannot be mapped into CIPSO compartments.
*/
if (*ucp != 0)
break;
return (10 + i);
return (cop[IPOPT_OLEN]);
}
/*
* The following routine copies a datagram's option into the specified buffer
* (if buffer pointer is non-null), or returns a pointer to the label within
* the streams message (if buffer is null). In both cases, tsol_get_option
* returns the option's type.
*
* tsol_get_option assumes that the specified buffer is large enough to
* hold the largest valid CIPSO option. Since the total number of
* IP header options cannot exceed 40 bytes, a 40 byte buffer is a good choice.
*/
{
/*
* Get length (in 4 byte octets) of IP header options.
* If header doesn't contain options, then return OPT_NONE.
*/
if (totallen == 0)
return (OPT_NONE);
totallen <<= 2;
/*
* Search for CIPSO option.
* If no such option is present, then return OPT_NONE.
*/
while (totallen != 0) {
case IPOPT_EOL:
return (OPT_NONE);
case IPOPT_NOP:
optlen = 1;
break;
default:
if (totallen <= IPOPT_OLEN)
return (OPT_NONE);
if (optlen < 2)
return (OPT_NONE);
}
return (OPT_NONE);
/*
* Copy pointer to option into '*buffer' and
* return the option type.
*/
switch (optval) {
case IPOPT_COMSEC:
if (TSOL_CIPSO_TAG_OFFSET < optlen &&
return (OPT_CIPSO);
return (OPT_NONE);
}
}
return (OPT_NONE);
}
/*
* tsol_compute_label()
*
* This routine computes the IP label that should be on a packet based on the
* connection and destination information.
*
* Returns:
* 0 Fetched label
* EACCES The packet failed the remote host accreditation
* ENOMEM Memory allocation failure
* EINVAL Label cannot be computed
*/
int
{
if (opt_storage != NULL)
opt_storage[IPOPT_OLEN] = 0;
return (0);
/* always pass multicast */
return (0);
char *, "destination ip(1) not in database (with creds(2))",
return (EINVAL);
}
/*
* For exclusive stacks we set the zoneid to zero
* to operate as if in the global zone for IRE and conn_t comparisons.
*/
else
case UNLABELED:
/*
* Only add a label if the unlabeled destination is
* not on the same subnet, and that the next-hop
* gateway is labeled.
*/
IRE_LOOPBACK | IRE_INTERFACE)) != 0) {
return (0);
}
/* no route to destination */
char *, "No route to unlabeled dest ip(1)/tpc(2) "
return (EINVAL);
}
/*
* Prefix IRE from f-table lookup means that the destination
* is not directly connected; check the next-hop attributes.
*/
}
/*
* Can talk to unlabeled hosts if
* (1) zone's label matches the default label, or
* (2) SO_MAC_EXEMPT is on and we dominate the peer's label
* (3) SO_MAC_EXEMPT is on and this is the global zone
*/
char *, "unlabeled dest ip(1)/tpc(2) "
return (EACCES);
}
break;
case SUN_CIPSO:
/*
* Can talk to labeled hosts if zone's label is within target's
* label range or set.
*/
char *, "labeled dest ip(1)/tpc(2) "
return (EACCES);
}
break;
default:
return (EACCES);
}
if (!compute_label) {
return (0);
}
/* compute the CIPSO option */
else
if (sec_opt_len == 0) {
char *,
"options lack length for dest ip(1)/tpc(2) with creds(3).",
return (EINVAL);
}
return (0);
}
/*
* Remove any existing security option (CIPSO) from the given IP
* header, move the 'buflen' bytes back to fill the gap, and return the number
* of bytes removed (as zero or negative number). Assumes that the headers are
* sane.
*/
int
{
while (remlen > 0) {
/* terminate on end of list */
break;
/*
* Delete any no-ops following a deleted option, at least up
* to a 4 octet alignment; copy others.
*/
if (noop_keep)
fptr++;
remlen--;
continue;
}
/* stop on corrupted list; just do nothing. */
if (remlen < 2)
return (0);
return (0);
/* skip over security options to delete them */
continue;
}
/* copy the rest */
}
/* figure how much padding we'll need for header alignment */
if (olen > 0) {
/* pad with end-of-list */
}
/* slide back the headers that follow and update the IP header */
if (delta != 0) {
}
return (-delta);
}
/*
* Insert the option in 'optbuf' into the IP header pointed to by 'ipha', and
* move the data following the IP header (up to buflen) to accomodate the new
* option. Assumes that up to IP_MAX_OPT_LENGTH bytes are available (in total)
* for IP options. Returns the number of bytes actually inserted, or -1 if the
* option cannot be inserted. (Note that negative return values are possible
* when noops must be compressed, and that only -1 indicates error. Successful
* return value is always evenly divisible by 4, by definition.)
*/
int
{
int delta;
optbuf[IPOPT_OLEN] == 0)
return (0);
/* first find the real (unpadded) length of the existing options */
while (remlen > 0) {
/* stop at end of list */
break;
/* skip no-ops, noting that length byte isn't present */
optr++;
padding++;
lastpad++;
totlen++;
remlen--;
continue;
}
/* give up on a corrupted list; report failure */
if (remlen < 2)
return (-1);
return (-1);
lastpad = 0;
}
/* completely ignore any trailing padding */
/*
* If some sort of inter-option alignment was present, try to preserve
* that alignment. If alignment pushes us out past the maximum, then
* discard it and try to compress to fit. (We just "assume" that any
* padding added was attempting to get 32 bit alignment. If that's
* wrong, that's just too bad.)
*/
if (padding > 0) {
return (-1);
padding = 0;
}
}
/*
* Since we may need to compress or expand the option list, we write to
* a temporary buffer and then copy the results back to the IP header.
*/
/* compute actual option to insert */
if (padding > 0) {
while ((olen & 3) != 0) {
olen++;
}
}
/* copy over the existing options */
while (totlen > 0) {
/* totlen doesn't include end-of-list marker */
/* handle no-ops; copy if desired, ignore otherwise */
if (padding > 0) {
/* note: cannot overflow due to checks above */
}
optr++;
totlen--;
continue;
}
/* list cannot be corrupt at this point */
/* cannot run out of room due to tests above */
}
/* figure how much padding we'll need for header alignment */
if (olen > 0) {
/* pad with end-of-list value */
}
/* move the headers as needed and update IP header */
if (delta != 0) {
}
/* slap in the new options */
return (delta);
}
/*
* tsol_check_label()
*
* This routine computes the IP label that should be on the packet based on the
* connection and destination information. If the label is there, it returns
* zero, so the caller knows that the label is syncronized, and further calls
* are not required. If the label isn't right, then the right one is inserted.
*
* The packet's header is clear before entering IPsec's engine.
*
* Returns:
* 0 Label on packet (was|is now) correct
* EACCES The packet failed the remote host accreditation.
* ENOMEM Memory allocation failure.
* EINVAL Label cannot be computed
*/
int
{
int retv;
opt_storage[IPOPT_OPTVAL] = 0;
ipst);
if (retv != 0)
return (retv);
if (hlen >= sec_opt_len) {
/* If no option is supposed to be there, make sure it's not */
if (sec_opt_len == 0 && hlen > 0 &&
return (0);
/* if the option is there, it's always first */
if (sec_opt_len != 0 &&
return (0);
}
/*
* If there is an option there, then it must be the wrong one; delete.
*/
if (hlen > 0) {
}
/* Make sure we have room for the worst-case addition */
if (hlen > IP_MAX_HDR_LENGTH)
int copylen;
/* allocate enough to be meaningful, but not *too* much */
if (copylen > 256)
copylen = 256;
return (ENOMEM);
/* keep the bias */
}
}
if (delta_add == -1)
goto param_prob;
return (0);
return (EINVAL);
}
/*
* IPv6 HopOpt extension header for the label option layout:
* - One octet giving the type of the 'next extension header'
* - Header extension length in 8-byte words, not including the
* 1st 8 bytes, but including any pad bytes at the end.
* Eg. A value of 2 means 16 bytes not including the 1st 8 bytes.
* - Followed by TLV encoded IPv6 label option. Option layout is
* * One octet, IP6OPT_LS
* * One octet option length in bytes of the option data following
* the length, but not including any pad bytes at the end.
* * Four-octet DOI (IP6LS_DOI_V4)
* * One octet suboption, IP6LS_TT_V4
* * One octet suboption length in bytes of the suboption
* following the suboption length, including the suboption
* header length, but not including any pad bytes at the end.
* - Pad to make the extension header a multiple of 8 bytes.
*
* This function returns the contents of 'IPv6 option structure' in the above.
* i.e starting from the IP6OPT_LS but not including the pad at the end.
* The user must prepend two octets (either padding or next header / length)
* and append padding out to the next 8 octet boundary.
*/
int
{
if (ip6opt_ls == 0)
return (EINVAL);
if (opt_storage != NULL)
opt_storage[IPOPT_OLEN] = 0;
return (0);
/* Always pass multicast */
if (IN6_IS_ADDR_MULTICAST(dst))
return (0);
char *, "destination ip6(1) not in database with creds(2)",
return (EINVAL);
}
/*
* For exclusive stacks we set the zoneid to zero
* to operate as if in the global zone for IRE and conn_t comparisons.
*/
else
/*
* Fill in a V6 label. If a new format is added here, make certain
* as TSOL_MAX_IPV6_OPTION.
*/
case UNLABELED:
/*
* Only add a label if the unlabeled destination is
* not local or loopback address, that it is
* not on the same subnet, and that the next-hop
* gateway is labeled.
*/
IRE_LOOPBACK | IRE_INTERFACE)) != 0) {
return (0);
}
/* no route to destination */
char *, "No route to unlabeled dest ip6(1)/tpc(2) "
return (EINVAL);
}
/*
* Prefix IRE from f-table lookup means that the destination
* is not directly connected; check the next-hop attributes.
*/
}
char *, "unlabeled dest ip6(1)/tpc(2) "
return (EACCES);
}
break;
case SUN_CIPSO:
char *,
"labeled dest ip6(1)/tpc(2) non-matching creds(3).",
return (EACCES);
}
break;
default:
return (EACCES);
}
if (!compute_label) {
return (0);
}
/* compute the CIPSO option */
if (opt_storage != NULL)
opt_storage += 8;
} else {
}
if (sec_opt_len == 0) {
char *,
"options lack length for dest ip6(1)/tpc(2) with creds(3).",
return (EINVAL);
}
if (opt_storage == NULL)
return (0);
if (sec_opt_len < IP_MAX_OPT_LENGTH)
/*
* Just in case the option length is odd, round it up to the next even
* multiple. The IPv6 option definition doesn't like odd numbers for
* some reason.
*
* Length in the overall option header (IP6OPT_LS) does not include the
* option header itself, but the length in the suboption does include
* the suboption header. Thus, when there's just one suboption, the
* length in the option header is the suboption length plus 4 (for the
* DOI value).
*/
return (0);
}
/*
* Locate the start of the IP6OPT_LS label option and return it.
* Also return the start of the next non-pad option in after_secoptp.
* Usually the label option is the first option at least when packets
* are generated, but for generality we don't assume that on received packets.
*/
uchar_t *
{
*hbh_needed = B_FALSE;
*after_secoptp = NULL;
while (optlen != 0) {
if (opt_type == IP6OPT_PAD1) {
optptr++;
optlen--;
continue;
}
if (optlen == 1)
break;
break;
/*
* if we get here, ip6opt_ls can
* not be 0 because it will always
* match the IP6OPT_PAD1 above.
* Therefore ip6opt_ls == 0 forces
* this test to always fail here.
*/
else switch (opt_type) {
case IP6OPT_PADN:
break;
default:
/*
* There is at least 1 option other than
* the label option. So the hop-by-hop header is needed
*/
*hbh_needed = B_TRUE;
}
break;
}
}
}
/*
* Remove the label option from the hop-by-hop options header if it exists.
* 'buflen' is the total length of the packet typically b_wptr - b_rptr.
* Header and data following the label option that is deleted are copied
* (i.e. slid backward) to the right position, and returns the number
* of bytes removed (as zero or negative number.)
*/
int
{
/*
* hop-by-hop extension header must appear first, if it does not
* exist, there is no label option.
*/
return (0);
/*
* Locate the start of the label option if it exists and the end
* of the label option including pads if any.
*/
&hbh_needed);
return (0);
if (!hbh_needed) {
/*
* The label option was the only option in the hop-by-hop
* header. We don't need the hop-by-hop header itself any
* longer.
*/
return (-hbhlen);
}
if (after_secopt == NULL) {
/* There is no option following the label option */
}
/*
* After deleting the label option, we need to slide the headers
* and data back, while still maintaining the same alignment (module 8)
* for the other options. So we slide the headers and data back only
* by an integral multiple of 8 bytes, and fill the remaining bytes
* with pads.
*/
if (pad == 1) {
secopt[0] = IP6OPT_PAD1;
} else if (pad > 1) {
secopt[0] = IP6OPT_PADN;
if (pad > 2)
}
return (-delta);
}
/*
* 'optbuf' contains a CIPSO label embedded in an IPv6 hop-by-hop option,
* starting with the IP6OPT_LS option type. The format of this hop-by-hop
* option is described in the block comment above tsol_compute_label_v6.
* This function prepends this hop-by-hop option before any other hop-by-hop
* options in the hop-by-hop header if one already exists, else a new
* hop-by-hop header is created and stuffed into the packet following
* the IPv6 header. 'buflen' is the total length of the packet i.e.
* b_wptr - b_rptr. The caller ensures that there is enough space for the
* extra option being added. Header and data following the position where
* the label option is inserted are copied (i.e. slid forward) to the right
* position.
*/
int
{
/*
* rawlen is the length of the label option in bytes, not including
* any pads, starting from the IP6OPT_LS (option type) byte.
*/
int delta; /* Actual number of bytes inserted */
/*
* There is a hop-by-hop header present already. In order to
* preserve the alignment of the other options at the existing
* value (modulo 8) we need to pad the label option to a
* multiple of 8 bytes before prepending it to the other
* options. Slide the extension headers and data forward to
* accomodate the label option at the start of the hop-by-hop
* header
*/
/*
* Bump up the hop-by-hop extension header length by
* the number of 8-byte words added
*/
optlen >>= 3;
return (-1);
} else {
/*
* There is no hop-by-hop header in the packet. Construct a
* new Hop-by-hop extension header (a multiple of 8 bytes).
* Slide any other extension headers and data forward to
* accomodate this hop-by-hop header
*/
/*
* hop-by-hop extension header length in 8-byte words, not
* including the 1st 8 bytes of the hop-by-hop header.
*/
}
/*
* Copy the label option into the hop-by-hop header and insert any
* needed pads
*/
if (pad_len == 1) {
pad_position[0] = IP6OPT_PAD1;
} else if (pad_len > 1) {
pad_position[0] = IP6OPT_PADN;
if (pad_len > 2)
}
return (delta);
}
/*
* tsol_check_label_v6()
*
* This routine computes the IP label that should be on the packet based on the
* connection and destination information. It's called only by the IP
* forwarding logic, because all internal modules atop IP know how to generate
* their own labels.
*
* Returns:
* 0 Label on packet was already correct
* EACCESS The packet failed the remote host accreditation.
* ENOMEM Memory allocation failure.
*/
int
{
/*
* Label option length is limited to IP_MAX_OPT_LENGTH for
* symmetry with IPv4. Can be relaxed if needed
*/
int delta_remove = 0, delta_add;
int retv;
if (retv != 0)
return (retv);
&hbh_needed);
}
/*
* The packet is not supposed to have a label, and it
* does not have one currently
*/
return (0);
}
/* The packet has the correct label already */
return (0);
}
/*
* If there is an option there, then it must be the wrong one; delete.
*/
}
/*
* Make sure we have room for the worst-case addition. Add 2 bytes for
* the hop-by-hop ext header's next header and length fields. Add
* another 2 bytes for the label option type, len and then round
* up to the next 8-byte multiple.
*/
int copylen;
/*
* Allocate enough to be meaningful, but not *too* much.
* Also all the IPv6 extension headers must be in the same mblk
*/
if (copylen > 256)
copylen = 256;
return (ENOMEM);
/* keep the bias */
}
}
if (delta_add == -1)
goto param_prob;
return (0);
return (EINVAL);
}
/*
* Update the given IPv6 "sticky options" structure to contain the provided
* label, which is encoded as an IPv6 option. Existing label is removed if
*
* Returns 0 on success, errno on failure.
*/
int
{
/*
* rawlen is the size of the IPv6 label to be inserted from labelopt.
* optlen is the total length of that option, including any necessary
* headers and padding. newlen is the new size of the total hop-by-hop
* options buffer, including user options.
*/
} else {
optlen = 0;
}
/* Deleting all existing hop-by-hop options */
/* If the label not same size as last time, then reallocate */
if (newlen > IP6_MAX_OPT_LENGTH)
return (EHOSTUNREACH);
return (ENOMEM);
/*
* If the user has hop-by-hop stickyoptions set, then copy his
* options in after the security label.
*/
/*
* Stomp out any header gunk here - this was the
* previous next-header and option length field.
*/
}
}
/* If there are any options, then fix up reported length */
if (newlen > 0) {
}
/* If there's a label, then insert it now */
if (optlen > 0) {
/* skip next-header and length fields */
newopts += 2;
/* make sure padding comes out right */
if (optlen == 1) {
newopts[0] = IP6OPT_PAD1;
} else if (optlen > 1) {
newopts[0] = IP6OPT_PADN;
optlen -= 2;
if (optlen > 0)
}
}
return (0);
}
int
{
if (newlen > IP_MAX_OPT_LENGTH)
return (EHOSTUNREACH);
return (ENOMEM);
}
}
}
}
if (optlen > 0) {
/* check if there are user-supplied options that follow */
/* compute amount of embedded alignment needed */
while (--optlen >= 0)
/*
* The label option is the only option and it is
* not a multiple of 4 bytes.
*/
while (--optlen >= 0)
}
}
return (0);
}
/*
* This does the bulk of the processing for setting IPPROTO_IP {T_,}IP_OPTIONS.
*/
{
int newlen;
/* need more room */
return (B_FALSE);
/*
* The supplied *opts can't be NULL in this case,
* since there's an existing label.
*/
if (labellen > 0)
}
if (newlen == 0) {
/* special case -- no remaining IP options at all */
}
} else if (userlen > 0) {
/* merge in the user's options */
if (labellen > 0) {
while (--extra >= 0)
}
}
return (B_TRUE);
}