The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $FreeBSD$       */
    2 /*      $KAME: ipsec.c,v 1.207 2004/01/13 03:30:42 itojun Exp $ */
    3 
    4 /*-
    5  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    6  * All rights reserved.
    7  *
    8  * Redistribution and use in source and binary forms, with or without
    9  * modification, are permitted provided that the following conditions
   10  * are met:
   11  * 1. Redistributions of source code must retain the above copyright
   12  *    notice, this list of conditions and the following disclaimer.
   13  * 2. Redistributions in binary form must reproduce the above copyright
   14  *    notice, this list of conditions and the following disclaimer in the
   15  *    documentation and/or other materials provided with the distribution.
   16  * 3. Neither the name of the project nor the names of its contributors
   17  *    may be used to endorse or promote products derived from this software
   18  *    without specific prior written permission.
   19  *
   20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   30  * SUCH DAMAGE.
   31  */
   32 
   33 /*
   34  * IPsec controller part.
   35  */
   36 
   37 #include "opt_inet.h"
   38 #include "opt_inet6.h"
   39 #include "opt_ipsec.h"
   40 
   41 #include <sys/param.h>
   42 #include <sys/systm.h>
   43 #include <sys/malloc.h>
   44 #include <sys/mbuf.h>
   45 #include <sys/domain.h>
   46 #include <sys/protosw.h>
   47 #include <sys/socket.h>
   48 #include <sys/socketvar.h>
   49 #include <sys/errno.h>
   50 #include <sys/time.h>
   51 #include <sys/kernel.h>
   52 #include <sys/syslog.h>
   53 #include <sys/sysctl.h>
   54 #include <sys/proc.h>
   55 
   56 #include <net/if.h>
   57 #include <net/route.h>
   58 
   59 #include <netinet/in.h>
   60 #include <netinet/in_systm.h>
   61 #include <netinet/ip.h>
   62 #include <netinet/ip_var.h>
   63 #include <netinet/in_var.h>
   64 #include <netinet/udp.h>
   65 #include <netinet/udp_var.h>
   66 #include <netinet/ip_ecn.h>
   67 #ifdef INET6
   68 #include <netinet6/ip6_ecn.h>
   69 #endif
   70 #include <netinet/tcp.h>
   71 #include <netinet/udp.h>
   72 
   73 #include <netinet/ip6.h>
   74 #ifdef INET6
   75 #include <netinet6/ip6_var.h>
   76 #endif
   77 #include <netinet/in_pcb.h>
   78 #ifdef INET6
   79 #include <netinet/icmp6.h>
   80 #endif
   81 
   82 #include <netinet6/ipsec.h>
   83 #ifdef INET6
   84 #include <netinet6/ipsec6.h>
   85 #endif
   86 #include <netinet6/ah.h>
   87 #ifdef INET6
   88 #include <netinet6/ah6.h>
   89 #endif
   90 #ifdef IPSEC_ESP
   91 #include <netinet6/esp.h>
   92 #ifdef INET6
   93 #include <netinet6/esp6.h>
   94 #endif
   95 #endif
   96 #include <netinet6/ipcomp.h>
   97 #ifdef INET6
   98 #include <netinet6/ipcomp6.h>
   99 #endif
  100 #include <netkey/key.h>
  101 #include <netkey/keydb.h>
  102 #include <netkey/key_debug.h>
  103 
  104 #include <machine/in_cksum.h>
  105 #include <net/net_osdep.h>
  106 
  107 #ifdef IPSEC_DEBUG
  108 int ipsec_debug = 1;
  109 #else
  110 int ipsec_debug = 0;
  111 #endif
  112 
  113 NET_NEEDS_GIANT("ipsec");
  114 
  115 struct ipsecstat ipsecstat;
  116 int ip4_ah_cleartos = 1;
  117 int ip4_ah_offsetmask = 0;      /* maybe IP_DF? */
  118 int ip4_ipsec_dfbit = 0;        /* DF bit on encap. 0: clear 1: set 2: copy */
  119 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
  120 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
  121 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
  122 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
  123 struct secpolicy *ip4_def_policy;
  124 int ip4_ipsec_ecn = 0;          /* ECN ignore(-1)/forbidden(0)/allowed(1) */
  125 int ip4_esp_randpad = -1;
  126 
  127 static int sp_cachegen = 1;     /* cache generation # */
  128 
  129 SYSCTL_DECL(_net_inet_ipsec);
  130 #ifdef INET6
  131 SYSCTL_DECL(_net_inet6_ipsec6);
  132 #endif
  133 
  134 /* net.inet.ipsec */
  135 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
  136         stats, CTLFLAG_RD,      &ipsecstat,     ipsecstat, "");
  137 #if 0
  138 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
  139         def_policy, CTLFLAG_RW, &ip4_def_policy->policy,        0, "");
  140 #endif
  141 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
  142         CTLFLAG_RW, &ip4_esp_trans_deflev,      0, "");
  143 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
  144         CTLFLAG_RW, &ip4_esp_net_deflev,        0, "");
  145 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
  146         CTLFLAG_RW, &ip4_ah_trans_deflev,       0, "");
  147 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
  148         CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
  149 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
  150         ah_cleartos, CTLFLAG_RW,        &ip4_ah_cleartos,       0, "");
  151 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
  152         ah_offsetmask, CTLFLAG_RW,      &ip4_ah_offsetmask,     0, "");
  153 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
  154         dfbit, CTLFLAG_RW,      &ip4_ipsec_dfbit,       0, "");
  155 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
  156         ecn, CTLFLAG_RW,        &ip4_ipsec_ecn, 0, "");
  157 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
  158         debug, CTLFLAG_RW,      &ipsec_debug,   0, "");
  159 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
  160         esp_randpad, CTLFLAG_RW,        &ip4_esp_randpad,       0, "");
  161 
  162 #ifdef INET6
  163 struct ipsecstat ipsec6stat;
  164 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
  165 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
  166 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
  167 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
  168 struct secpolicy *ip6_def_policy;
  169 int ip6_ipsec_ecn = 0;          /* ECN ignore(-1)/forbidden(0)/allowed(1) */
  170 int ip6_esp_randpad = -1;
  171 
  172 /* net.inet6.ipsec6 */
  173 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
  174         stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
  175 #if 0
  176 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
  177         def_policy, CTLFLAG_RW, &ip6_def_policy->policy,        0, "");
  178 #endif
  179 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
  180         CTLFLAG_RW, &ip6_esp_trans_deflev,      0, "");
  181 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
  182         CTLFLAG_RW, &ip6_esp_net_deflev,        0, "");
  183 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
  184         CTLFLAG_RW, &ip6_ah_trans_deflev,       0, "");
  185 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
  186         CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
  187 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
  188         ecn, CTLFLAG_RW,        &ip6_ipsec_ecn, 0, "");
  189 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
  190         debug, CTLFLAG_RW,      &ipsec_debug,   0, "");
  191 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
  192         esp_randpad, CTLFLAG_RW,        &ip6_esp_randpad,       0, "");
  193 #endif /* INET6 */
  194 
  195 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
  196         struct inpcbpolicy *, int));
  197 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
  198         struct secpolicy *, int));
  199 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int));
  200 static int ipsec_setspidx_mbuf
  201         __P((struct secpolicyindex *, int, struct mbuf *, int));
  202 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
  203 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
  204 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
  205 #ifdef INET6
  206 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
  207 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
  208 #endif
  209 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
  210 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
  211 #if 0
  212 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *));
  213 #endif
  214 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *));
  215 static int ipsec_set_policy
  216         __P((struct secpolicy **, int, caddr_t, size_t, int));
  217 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
  218 static void vshiftl __P((unsigned char *, int, int));
  219 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
  220 static size_t ipsec_hdrsiz __P((struct secpolicy *));
  221 #ifdef INET
  222 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
  223 #endif
  224 #ifdef INET6
  225 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
  226 #endif
  227 #ifdef INET
  228 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
  229 #endif
  230 #ifdef INET6
  231 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
  232 #endif
  233 static struct ipsecaux *ipsec_addaux __P((struct mbuf *));
  234 static struct ipsecaux *ipsec_findaux __P((struct mbuf *));
  235 static void ipsec_optaux __P((struct mbuf *, struct ipsecaux *));
  236 #ifdef INET
  237 static int ipsec4_checksa __P((struct ipsecrequest *,
  238         struct ipsec_output_state *));
  239 #endif
  240 #ifdef INET6
  241 static int ipsec6_checksa __P((struct ipsecrequest *,
  242         struct ipsec_output_state *, int));
  243 #endif
  244 
  245 /*
  246  * try to validate and use cached policy on a pcb.
  247  */
  248 static struct secpolicy *
  249 ipsec_checkpcbcache(m, pcbsp, dir)
  250         struct mbuf *m;
  251         struct inpcbpolicy *pcbsp;
  252         int dir;
  253 {
  254         struct secpolicyindex spidx;
  255         struct timeval mono_time;
  256 
  257         microtime(&mono_time);
  258 
  259         switch (dir) {
  260         case IPSEC_DIR_INBOUND:
  261         case IPSEC_DIR_OUTBOUND:
  262         case IPSEC_DIR_ANY:
  263                 break;
  264         default:
  265                 return NULL;
  266         }
  267 #ifdef DIAGNOSTIC
  268         if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0]))
  269                 panic("dir too big in ipsec_checkpcbcache");
  270 #endif
  271         /* SPD table change invalidates all the caches */
  272         if (pcbsp->cachegen[dir] == 0 || sp_cachegen > pcbsp->cachegen[dir]) {
  273                 ipsec_invalpcbcache(pcbsp, dir);
  274                 return NULL;
  275         }
  276         if (!pcbsp->cache[dir])
  277                 return NULL;
  278         if (pcbsp->cache[dir]->state != IPSEC_SPSTATE_ALIVE) {
  279                 ipsec_invalpcbcache(pcbsp, dir);
  280                 return NULL;
  281         }
  282         if ((pcbsp->cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
  283                 if (!pcbsp->cache[dir])
  284                         return NULL;
  285                 if (ipsec_setspidx(m, &spidx, 1) != 0)
  286                         return NULL;
  287                 if (bcmp(&pcbsp->cacheidx[dir], &spidx, sizeof(spidx))) {
  288                         if (!pcbsp->cache[dir]->spidx ||
  289                             !key_cmpspidx_withmask(pcbsp->cache[dir]->spidx,
  290                             &spidx))
  291                                 return NULL;
  292                         pcbsp->cacheidx[dir] = spidx;
  293                 }
  294         } else {
  295                 /*
  296                  * The pcb is connected, and the L4 code is sure that:
  297                  * - outgoing side uses inp_[lf]addr
  298                  * - incoming side looks up policy after inpcb lookup
  299                  * and address pair is known to be stable.  We do not need
  300                  * to generate spidx again, nor check the address match again.
  301                  *
  302                  * For IPv4/v6 SOCK_STREAM sockets, this assumption holds
  303                  * and there are calls to ipsec_pcbconn() from in_pcbconnect().
  304                  */
  305         }
  306 
  307         pcbsp->cache[dir]->lastused = mono_time.tv_sec;
  308         pcbsp->cache[dir]->refcnt++;
  309         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  310                 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n",
  311                 pcbsp->cache[dir]->refcnt, pcbsp->cache[dir]));
  312         return pcbsp->cache[dir];
  313 }
  314 
  315 static int
  316 ipsec_fillpcbcache(pcbsp, m, sp, dir)
  317         struct inpcbpolicy *pcbsp;
  318         struct mbuf *m;
  319         struct secpolicy *sp;
  320         int dir;
  321 {
  322 
  323         switch (dir) {
  324         case IPSEC_DIR_INBOUND:
  325         case IPSEC_DIR_OUTBOUND:
  326                 break;
  327         default:
  328                 return EINVAL;
  329         }
  330 #ifdef DIAGNOSTIC
  331         if (dir >= sizeof(pcbsp->cache)/sizeof(pcbsp->cache[0]))
  332                 panic("dir too big in ipsec_checkpcbcache");
  333 #endif
  334 
  335         if (pcbsp->cache[dir])
  336                 key_freesp(pcbsp->cache[dir]);
  337         pcbsp->cache[dir] = NULL;
  338         if (ipsec_setspidx(m, &pcbsp->cacheidx[dir], 1) != 0) {
  339                 return EINVAL;
  340         }
  341         pcbsp->cache[dir] = sp;
  342         if (pcbsp->cache[dir]) {
  343                 pcbsp->cache[dir]->refcnt++;
  344                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  345                         printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n",
  346                         pcbsp->cache[dir]->refcnt, pcbsp->cache[dir]));
  347         }
  348         pcbsp->cachegen[dir] = sp_cachegen;
  349 
  350         return 0;
  351 }
  352 
  353 static int
  354 ipsec_invalpcbcache(pcbsp, dir)
  355         struct inpcbpolicy *pcbsp;
  356         int dir;
  357 {
  358         int i;
  359 
  360         for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
  361                 if (dir != IPSEC_DIR_ANY && i != dir)
  362                         continue;
  363                 if (pcbsp->cache[i])
  364                         key_freesp(pcbsp->cache[i]);
  365                 pcbsp->cache[i] = NULL;
  366                 pcbsp->cachegen[i] = 0;
  367                 bzero(&pcbsp->cacheidx[i], sizeof(pcbsp->cacheidx[i]));
  368         }
  369         return 0;
  370 }
  371 
  372 int
  373 ipsec_pcbconn(pcbsp)
  374         struct inpcbpolicy *pcbsp;
  375 {
  376 
  377         pcbsp->cacheflags |= IPSEC_PCBSP_CONNECTED;
  378         ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
  379         return 0;
  380 }
  381 
  382 int
  383 ipsec_pcbdisconn(pcbsp)
  384         struct inpcbpolicy *pcbsp;
  385 {
  386 
  387         pcbsp->cacheflags &= ~IPSEC_PCBSP_CONNECTED;
  388         ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
  389         return 0;
  390 }
  391 
  392 int
  393 ipsec_invalpcbcacheall()
  394 {
  395 
  396         sp_cachegen++;
  397         return 0;
  398 }
  399 
  400 /*
  401  * For OUTBOUND packet having a socket. Searching SPD for packet,
  402  * and return a pointer to SP.
  403  * OUT: NULL:   no apropreate SP found, the following value is set to error.
  404  *              0       : bypass
  405  *              EACCES  : discard packet.
  406  *              ENOENT  : ipsec_acquire() in progress, maybe.
  407  *              others  : error occured.
  408  *      others: a pointer to SP
  409  *
  410  * NOTE: IPv6 mapped adddress concern is implemented here.
  411  */
  412 struct secpolicy *
  413 ipsec4_getpolicybypcb(m, dir, inp, error)
  414         struct mbuf *m;
  415         u_int dir;
  416         struct inpcb *inp;
  417         int *error;
  418 {
  419         struct inpcbpolicy *pcbsp = NULL;
  420         struct secpolicy *currsp = NULL;        /* policy on socket */
  421         struct secpolicy *kernsp = NULL;        /* policy on kernel */
  422         struct secpolicyindex spidx;
  423         u_int16_t tag;
  424 
  425         /* sanity check */
  426         if (m == NULL || inp == NULL || error == NULL)
  427                 panic("ipsec4_getpolicybypcb: NULL pointer was passed.");
  428 
  429         pcbsp = inp->inp_sp;
  430 
  431 #ifdef DIAGNOSTIC
  432         if (pcbsp == NULL)
  433                 panic("ipsec4_getpolicybypcb: pcbsp is NULL.");
  434 #endif
  435 
  436         tag = 0;
  437 
  438         /* if we have a cached entry, and if it is still valid, use it. */
  439         ipsecstat.spdcachelookup++;
  440         currsp = ipsec_checkpcbcache(m, pcbsp, dir);
  441         if (currsp) {
  442                 *error = 0;
  443                 return currsp;
  444         }
  445         ipsecstat.spdcachemiss++;
  446 
  447         switch (dir) {
  448         case IPSEC_DIR_INBOUND:
  449                 currsp = pcbsp->sp_in;
  450                 break;
  451         case IPSEC_DIR_OUTBOUND:
  452                 currsp = pcbsp->sp_out;
  453                 break;
  454         default:
  455                 panic("ipsec4_getpolicybypcb: illegal direction.");
  456         }
  457 
  458         /* sanity check */
  459         if (currsp == NULL)
  460                 panic("ipsec4_getpolicybypcb: currsp is NULL.");
  461 
  462         /* when privileged socket */
  463         if (pcbsp->priv) {
  464                 switch (currsp->policy) {
  465                 case IPSEC_POLICY_BYPASS:
  466                         currsp->refcnt++;
  467                         *error = 0;
  468                         ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  469                         return currsp;
  470 
  471                 case IPSEC_POLICY_ENTRUST:
  472                         /* look for a policy in SPD */
  473                         if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
  474                             (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
  475                                 /* SP found */
  476                                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  477                                         printf("DP ipsec4_getpolicybypcb called "
  478                                                "to allocate SP:%p\n", kernsp));
  479                                 *error = 0;
  480                                 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
  481                                 return kernsp;
  482                         }
  483 
  484                         /* no SP found */
  485                         ip4_def_policy->refcnt++;
  486                         *error = 0;
  487                         ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
  488                         return ip4_def_policy;
  489 
  490                 case IPSEC_POLICY_IPSEC:
  491                         currsp->refcnt++;
  492                         *error = 0;
  493                         ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  494                         return currsp;
  495 
  496                 default:
  497                         ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
  498                               "Invalid policy for PCB %d\n", currsp->policy));
  499                         *error = EINVAL;
  500                         return NULL;
  501                 }
  502                 /* NOTREACHED */
  503         }
  504 
  505         /* when non-privileged socket */
  506         /* look for a policy in SPD */
  507         if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
  508             (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
  509                 /* SP found */
  510                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  511                         printf("DP ipsec4_getpolicybypcb called "
  512                                "to allocate SP:%p\n", kernsp));
  513                 *error = 0;
  514                 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
  515                 return kernsp;
  516         }
  517 
  518         /* no SP found */
  519         switch (currsp->policy) {
  520         case IPSEC_POLICY_BYPASS:
  521                 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
  522                        "Illegal policy for non-privileged defined %d\n",
  523                         currsp->policy));
  524                 *error = EINVAL;
  525                 return NULL;
  526 
  527         case IPSEC_POLICY_ENTRUST:
  528                 ip4_def_policy->refcnt++;
  529                 *error = 0;
  530                 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
  531                 return ip4_def_policy;
  532 
  533         case IPSEC_POLICY_IPSEC:
  534                 currsp->refcnt++;
  535                 *error = 0;
  536                 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  537                 return currsp;
  538 
  539         default:
  540                 ipseclog((LOG_ERR, "ipsec4_getpolicybypcb: "
  541                    "Invalid policy for PCB %d\n", currsp->policy));
  542                 *error = EINVAL;
  543                 return NULL;
  544         }
  545         /* NOTREACHED */
  546 }
  547 
  548 /*
  549  * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
  550  * and return a pointer to SP.
  551  * OUT: positive: a pointer to the entry for security policy leaf matched.
  552  *      NULL:   no apropreate SP found, the following value is set to error.
  553  *              0       : bypass
  554  *              EACCES  : discard packet.
  555  *              ENOENT  : ipsec_acquire() in progress, maybe.
  556  *              others  : error occured.
  557  */
  558 struct secpolicy *
  559 ipsec4_getpolicybyaddr(m, dir, flag, error)
  560         struct mbuf *m;
  561         u_int dir;
  562         int flag;
  563         int *error;
  564 {
  565         struct secpolicy *sp = NULL;
  566         u_int16_t tag;
  567 
  568         /* sanity check */
  569         if (m == NULL || error == NULL)
  570                 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
  571 
  572         /* get a policy entry matched with the packet */
  573     {
  574         struct secpolicyindex spidx;
  575 
  576         bzero(&spidx, sizeof(spidx));
  577 
  578         /* make an index to look for a policy */
  579         *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m,
  580             (flag & IP_FORWARDING) ? 0 : 1);
  581 
  582         if (*error != 0)
  583                 return NULL;
  584 
  585         tag = 0;
  586 
  587         sp = key_allocsp(tag, &spidx, dir);
  588     }
  589 
  590         /* SP found */
  591         if (sp != NULL) {
  592                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  593                         printf("DP ipsec4_getpolicybyaddr called "
  594                                "to allocate SP:%p\n", sp));
  595                 *error = 0;
  596                 return sp;
  597         }
  598 
  599         /* no SP found */
  600         ip4_def_policy->refcnt++;
  601         *error = 0;
  602         return ip4_def_policy;
  603 }
  604 
  605 #ifdef INET6
  606 /*
  607  * For OUTBOUND packet having a socket. Searching SPD for packet,
  608  * and return a pointer to SP.
  609  * OUT: NULL:   no apropreate SP found, the following value is set to error.
  610  *              0       : bypass
  611  *              EACCES  : discard packet.
  612  *              ENOENT  : ipsec_acquire() in progress, maybe.
  613  *              others  : error occured.
  614  *      others: a pointer to SP
  615  */
  616 struct secpolicy *
  617 ipsec6_getpolicybypcb(m, dir, inp, error)
  618         struct mbuf *m;
  619         u_int dir;
  620         struct inpcb *inp;
  621         int *error;
  622 {
  623         struct inpcbpolicy *pcbsp = NULL;
  624         struct secpolicy *currsp = NULL;        /* policy on socket */
  625         struct secpolicy *kernsp = NULL;        /* policy on kernel */
  626         struct secpolicyindex spidx;
  627         u_int16_t tag;
  628 
  629         /* sanity check */
  630         if (m == NULL || inp == NULL || error == NULL)
  631                 panic("ipsec6_getpolicybypcb: NULL pointer was passed.");
  632 
  633 #ifdef DIAGNOSTIC
  634         if ((inp->inp_vflag & INP_IPV6PROTO) == 0)
  635                 panic("ipsec6_getpolicybypcb: socket domain != inet6");
  636 #endif
  637 
  638         pcbsp = inp->in6p_sp;
  639 
  640 #ifdef DIAGNOSTIC
  641         if (pcbsp == NULL)
  642                 panic("ipsec6_getpolicybypcb: pcbsp is NULL.");
  643 #endif
  644 
  645         tag = 0;
  646 
  647         /* if we have a cached entry, and if it is still valid, use it. */
  648         ipsec6stat.spdcachelookup++;
  649         currsp = ipsec_checkpcbcache(m, pcbsp, dir);
  650         if (currsp) {
  651                 *error = 0;
  652                 return currsp;
  653         }
  654         ipsec6stat.spdcachemiss++;
  655 
  656         switch (dir) {
  657         case IPSEC_DIR_INBOUND:
  658                 currsp = pcbsp->sp_in;
  659                 break;
  660         case IPSEC_DIR_OUTBOUND:
  661                 currsp = pcbsp->sp_out;
  662                 break;
  663         default:
  664                 panic("ipsec6_getpolicybypcb: illegal direction.");
  665         }
  666 
  667         /* sanity check */
  668         if (currsp == NULL)
  669                 panic("ipsec6_getpolicybypcb: currsp is NULL.");
  670 
  671         /* when privileged socket */
  672         if (pcbsp->priv) {
  673                 switch (currsp->policy) {
  674                 case IPSEC_POLICY_BYPASS:
  675                         currsp->refcnt++;
  676                         *error = 0;
  677                         ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  678                         return currsp;
  679 
  680                 case IPSEC_POLICY_ENTRUST:
  681                         /* look for a policy in SPD */
  682                         if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
  683                             (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
  684                                 /* SP found */
  685                                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  686                                         printf("DP ipsec6_getpolicybypcb called "
  687                                                "to allocate SP:%p\n", kernsp));
  688                                 *error = 0;
  689                                 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
  690                                 return kernsp;
  691                         }
  692 
  693                         /* no SP found */
  694                         ip6_def_policy->refcnt++;
  695                         *error = 0;
  696                         ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
  697                         return ip6_def_policy;
  698 
  699                 case IPSEC_POLICY_IPSEC:
  700                         currsp->refcnt++;
  701                         *error = 0;
  702                         ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  703                         return currsp;
  704 
  705                 default:
  706                         ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: "
  707                             "Invalid policy for PCB %d\n", currsp->policy));
  708                         *error = EINVAL;
  709                         return NULL;
  710                 }
  711                 /* NOTREACHED */
  712         }
  713 
  714         /* when non-privileged socket */
  715         /* look for a policy in SPD */
  716         if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
  717             (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
  718                 /* SP found */
  719                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  720                         printf("DP ipsec6_getpolicybypcb called "
  721                                "to allocate SP:%p\n", kernsp));
  722                 *error = 0;
  723                 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
  724                 return kernsp;
  725         }
  726 
  727         /* no SP found */
  728         switch (currsp->policy) {
  729         case IPSEC_POLICY_BYPASS:
  730                 ipseclog((LOG_ERR, "ipsec6_getpolicybypcb: "
  731                     "Illegal policy for non-privileged defined %d\n",
  732                     currsp->policy));
  733                 *error = EINVAL;
  734                 return NULL;
  735 
  736         case IPSEC_POLICY_ENTRUST:
  737                 ip6_def_policy->refcnt++;
  738                 *error = 0;
  739                 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
  740                 return ip6_def_policy;
  741 
  742         case IPSEC_POLICY_IPSEC:
  743                 currsp->refcnt++;
  744                 *error = 0;
  745                 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  746                 return currsp;
  747 
  748         default:
  749                 ipseclog((LOG_ERR,
  750                     "ipsec6_policybysock: Invalid policy for PCB %d\n",
  751                     currsp->policy));
  752                 *error = EINVAL;
  753                 return NULL;
  754         }
  755         /* NOTREACHED */
  756 }
  757 
  758 /*
  759  * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
  760  * and return a pointer to SP.
  761  * `flag' means that packet is to be forwarded whether or not.
  762  *      flag = 1: forwad
  763  * OUT: positive: a pointer to the entry for security policy leaf matched.
  764  *      NULL:   no apropreate SP found, the following value is set to error.
  765  *              0       : bypass
  766  *              EACCES  : discard packet.
  767  *              ENOENT  : ipsec_acquire() in progress, maybe.
  768  *              others  : error occured.
  769  */
  770 #ifndef IP_FORWARDING
  771 #define IP_FORWARDING 1
  772 #endif
  773 
  774 struct secpolicy *
  775 ipsec6_getpolicybyaddr(m, dir, flag, error)
  776         struct mbuf *m;
  777         u_int dir;
  778         int flag;
  779         int *error;
  780 {
  781         struct secpolicy *sp = NULL;
  782         u_int16_t tag;
  783 
  784         /* sanity check */
  785         if (m == NULL || error == NULL)
  786                 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
  787 
  788         /* get a policy entry matched with the packet */
  789     {
  790         struct secpolicyindex spidx;
  791 
  792         bzero(&spidx, sizeof(spidx));
  793 
  794         /* make an index to look for a policy */
  795         *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m,
  796             (flag & IP_FORWARDING) ? 0 : 1);
  797 
  798         if (*error != 0)
  799                 return NULL;
  800 
  801         tag = 0;
  802 
  803         sp = key_allocsp(tag, &spidx, dir);
  804     }
  805 
  806         /* SP found */
  807         if (sp != NULL) {
  808                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  809                         printf("DP ipsec6_getpolicybyaddr called "
  810                                "to allocate SP:%p\n", sp));
  811                 *error = 0;
  812                 return sp;
  813         }
  814 
  815         /* no SP found */
  816         ip6_def_policy->refcnt++;
  817         *error = 0;
  818         return ip6_def_policy;
  819 }
  820 #endif /* INET6 */
  821 
  822 /*
  823  * set IP address into spidx from mbuf.
  824  * When Forwarding packet and ICMP echo reply, this function is used.
  825  *
  826  * IN:  get the followings from mbuf.
  827  *      protocol family, src, dst, next protocol
  828  * OUT:
  829  *      0:      success.
  830  *      other:  failure, and set errno.
  831  */
  832 int
  833 ipsec_setspidx_mbuf(spidx, family, m, needport)
  834         struct secpolicyindex *spidx;
  835         int family;
  836         struct mbuf *m;
  837         int needport;
  838 {
  839         int error;
  840 
  841         /* sanity check */
  842         if (spidx == NULL || m == NULL)
  843                 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
  844 
  845         bzero(spidx, sizeof(*spidx));
  846 
  847         error = ipsec_setspidx(m, spidx, needport);
  848         if (error)
  849                 goto bad;
  850 
  851         return 0;
  852 
  853     bad:
  854         /* XXX initialize */
  855         bzero(spidx, sizeof(*spidx));
  856         return EINVAL;
  857 }
  858 
  859 /*
  860  * configure security policy index (src/dst/proto/sport/dport)
  861  * by looking at the content of mbuf.
  862  * the caller is responsible for error recovery (like clearing up spidx).
  863  */
  864 static int
  865 ipsec_setspidx(m, spidx, needport)
  866         struct mbuf *m;
  867         struct secpolicyindex *spidx;
  868         int needport;
  869 {
  870         struct ip *ip = NULL;
  871         struct ip ipbuf;
  872         u_int v;
  873         struct mbuf *n;
  874         int len;
  875         int error;
  876 
  877         if (m == NULL)
  878                 panic("ipsec_setspidx: m == 0 passed.");
  879 
  880         bzero(spidx, sizeof(*spidx));
  881 
  882         /*
  883          * validate m->m_pkthdr.len.  we see incorrect length if we
  884          * mistakenly call this function with inconsistent mbuf chain
  885          * (like 4.4BSD tcp/udp processing).  XXX should we panic here?
  886          */
  887         len = 0;
  888         for (n = m; n; n = n->m_next)
  889                 len += n->m_len;
  890         if (m->m_pkthdr.len != len) {
  891                 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
  892                         printf("ipsec_setspidx: "
  893                                "total of m_len(%d) != pkthdr.len(%d), "
  894                                "ignored.\n",
  895                                 len, m->m_pkthdr.len));
  896                 return EINVAL;
  897         }
  898 
  899         if (m->m_pkthdr.len < sizeof(struct ip)) {
  900                 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
  901                         printf("ipsec_setspidx: "
  902                             "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
  903                             m->m_pkthdr.len));
  904                 return EINVAL;
  905         }
  906 
  907         if (m->m_len >= sizeof(*ip))
  908                 ip = mtod(m, struct ip *);
  909         else {
  910                 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
  911                 ip = &ipbuf;
  912         }
  913 #ifdef _IP_VHL
  914         v = _IP_VHL_V(ip->ip_vhl);
  915 #else
  916         v = ip->ip_v;
  917 #endif
  918         switch (v) {
  919         case 4:
  920                 error = ipsec4_setspidx_ipaddr(m, spidx);
  921                 if (error)
  922                         return error;
  923                 ipsec4_get_ulp(m, spidx, needport);
  924                 return 0;
  925 #ifdef INET6
  926         case 6:
  927                 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
  928                         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
  929                                 printf("ipsec_setspidx: "
  930                                     "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
  931                                     "ignored.\n", m->m_pkthdr.len));
  932                         return EINVAL;
  933                 }
  934                 error = ipsec6_setspidx_ipaddr(m, spidx);
  935                 if (error)
  936                         return error;
  937                 ipsec6_get_ulp(m, spidx, needport);
  938                 return 0;
  939 #endif
  940         default:
  941                 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
  942                         printf("ipsec_setspidx: "
  943                             "unknown IP version %u, ignored.\n", v));
  944                 return EINVAL;
  945         }
  946 }
  947 
  948 static void
  949 ipsec4_get_ulp(m, spidx, needport)
  950         struct mbuf *m;
  951         struct secpolicyindex *spidx;
  952         int needport;
  953 {
  954         struct ip ip;
  955         struct ip6_ext ip6e;
  956         u_int8_t nxt;
  957         int off;
  958         struct tcphdr th;
  959         struct udphdr uh;
  960 
  961         /* sanity check */
  962         if (m == NULL)
  963                 panic("ipsec4_get_ulp: NULL pointer was passed.");
  964         if (m->m_pkthdr.len < sizeof(ip))
  965                 panic("ipsec4_get_ulp: too short");
  966 
  967         /* set default */
  968         spidx->ul_proto = IPSEC_ULPROTO_ANY;
  969         ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
  970         ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
  971 
  972         m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
  973         /* ip_input() flips it into host endian XXX need more checking */
  974         if (ip.ip_off & (IP_MF | IP_OFFMASK))
  975                 return;
  976 
  977         nxt = ip.ip_p;
  978 #ifdef _IP_VHL
  979         off = _IP_VHL_HL(ip->ip_vhl) << 2;
  980 #else
  981         off = ip.ip_hl << 2;
  982 #endif
  983         while (off < m->m_pkthdr.len) {
  984                 switch (nxt) {
  985                 case IPPROTO_TCP:
  986                         spidx->ul_proto = nxt;
  987                         if (!needport)
  988                                 return;
  989                         if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
  990                                 return;
  991                         m_copydata(m, off, sizeof(th), (caddr_t)&th);
  992                         ((struct sockaddr_in *)&spidx->src)->sin_port =
  993                             th.th_sport;
  994                         ((struct sockaddr_in *)&spidx->dst)->sin_port =
  995                             th.th_dport;
  996                         return;
  997                 case IPPROTO_UDP:
  998                         spidx->ul_proto = nxt;
  999                         if (!needport)
 1000                                 return;
 1001                         if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
 1002                                 return;
 1003                         m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
 1004                         ((struct sockaddr_in *)&spidx->src)->sin_port =
 1005                             uh.uh_sport;
 1006                         ((struct sockaddr_in *)&spidx->dst)->sin_port =
 1007                             uh.uh_dport;
 1008                         return;
 1009                 case IPPROTO_AH:
 1010                         if (off + sizeof(ip6e) > m->m_pkthdr.len)
 1011                                 return;
 1012                         m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
 1013                         off += (ip6e.ip6e_len + 2) << 2;
 1014                         nxt = ip6e.ip6e_nxt;
 1015                         break;
 1016                 case IPPROTO_ICMP:
 1017                 default:
 1018                         /* XXX intermediate headers??? */
 1019                         spidx->ul_proto = nxt;
 1020                         return;
 1021                 }
 1022         }
 1023 }
 1024 
 1025 /* assumes that m is sane */
 1026 static int
 1027 ipsec4_setspidx_ipaddr(m, spidx)
 1028         struct mbuf *m;
 1029         struct secpolicyindex *spidx;
 1030 {
 1031         struct ip *ip = NULL;
 1032         struct ip ipbuf;
 1033         struct sockaddr_in *sin;
 1034 
 1035         if (m->m_len >= sizeof(*ip))
 1036                 ip = mtod(m, struct ip *);
 1037         else {
 1038                 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
 1039                 ip = &ipbuf;
 1040         }
 1041 
 1042         sin = (struct sockaddr_in *)&spidx->src;
 1043         bzero(sin, sizeof(*sin));
 1044         sin->sin_family = AF_INET;
 1045         sin->sin_len = sizeof(struct sockaddr_in);
 1046         bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
 1047         spidx->prefs = sizeof(struct in_addr) << 3;
 1048 
 1049         sin = (struct sockaddr_in *)&spidx->dst;
 1050         bzero(sin, sizeof(*sin));
 1051         sin->sin_family = AF_INET;
 1052         sin->sin_len = sizeof(struct sockaddr_in);
 1053         bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
 1054         spidx->prefd = sizeof(struct in_addr) << 3;
 1055         return 0;
 1056 }
 1057 
 1058 #ifdef INET6
 1059 static void
 1060 ipsec6_get_ulp(m, spidx, needport)
 1061         struct mbuf *m;
 1062         struct secpolicyindex *spidx;
 1063         int needport;
 1064 {
 1065         int off, nxt;
 1066         struct tcphdr th;
 1067         struct udphdr uh;
 1068         struct icmp6_hdr ih;
 1069 
 1070         /* sanity check */
 1071         if (m == NULL)
 1072                 panic("ipsec6_get_ulp: NULL pointer was passed.");
 1073 
 1074         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1075                 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
 1076 
 1077         /* set default */
 1078         spidx->ul_proto = IPSEC_ULPROTO_ANY;
 1079         ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
 1080         ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
 1081 
 1082         nxt = -1;
 1083         off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
 1084         if (off < 0 || m->m_pkthdr.len < off)
 1085                 return;
 1086 
 1087         switch (nxt) {
 1088         case IPPROTO_TCP:
 1089                 spidx->ul_proto = nxt;
 1090                 if (!needport)
 1091                         break;
 1092                 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
 1093                         break;
 1094                 m_copydata(m, off, sizeof(th), (caddr_t)&th);
 1095                 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
 1096                 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
 1097                 break;
 1098         case IPPROTO_UDP:
 1099                 spidx->ul_proto = nxt;
 1100                 if (!needport)
 1101                         break;
 1102                 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
 1103                         break;
 1104                 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
 1105                 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
 1106                 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
 1107                 break;
 1108         case IPPROTO_ICMPV6:
 1109                 spidx->ul_proto = nxt;
 1110                 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
 1111                         break;
 1112                 m_copydata(m, off, sizeof(ih), (caddr_t)&ih);
 1113                 ((struct sockaddr_in6 *)&spidx->src)->sin6_port =
 1114                         htons((u_int16_t)ih.icmp6_type);
 1115                 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
 1116                         htons((u_int16_t)ih.icmp6_code);
 1117                 break;
 1118         default:
 1119                 /* XXX intermediate headers??? */
 1120                 spidx->ul_proto = nxt;
 1121                 break;
 1122         }
 1123 }
 1124 
 1125 /* assumes that m is sane */
 1126 static int
 1127 ipsec6_setspidx_ipaddr(m, spidx)
 1128         struct mbuf *m;
 1129         struct secpolicyindex *spidx;
 1130 {
 1131         struct ip6_hdr *ip6 = NULL;
 1132         struct ip6_hdr ip6buf;
 1133         struct sockaddr_in6 *sin6;
 1134 
 1135         if (m->m_len >= sizeof(*ip6))
 1136                 ip6 = mtod(m, struct ip6_hdr *);
 1137         else {
 1138                 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
 1139                 ip6 = &ip6buf;
 1140         }
 1141 
 1142         sin6 = (struct sockaddr_in6 *)&spidx->src;
 1143         bzero(sin6, sizeof(*sin6));
 1144         sin6->sin6_family = AF_INET6;
 1145         sin6->sin6_len = sizeof(struct sockaddr_in6);
 1146         in6_recoverscope(sin6, &ip6->ip6_src, NULL);
 1147         spidx->prefs = sizeof(struct in6_addr) << 3;
 1148 
 1149         sin6 = (struct sockaddr_in6 *)&spidx->dst;
 1150         bzero(sin6, sizeof(*sin6));
 1151         sin6->sin6_family = AF_INET6;
 1152         sin6->sin6_len = sizeof(struct sockaddr_in6);
 1153         in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
 1154         spidx->prefd = sizeof(struct in6_addr) << 3;
 1155 
 1156         return 0;
 1157 }
 1158 #endif
 1159 
 1160 static struct inpcbpolicy *
 1161 ipsec_newpcbpolicy()
 1162 {
 1163         struct inpcbpolicy *p;
 1164 
 1165         p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
 1166         return p;
 1167 }
 1168 
 1169 static void
 1170 ipsec_delpcbpolicy(p)
 1171         struct inpcbpolicy *p;
 1172 {
 1173 
 1174         free(p, M_SECA);
 1175 }
 1176 
 1177 /* initialize policy in PCB */
 1178 int
 1179 ipsec_init_pcbpolicy(so, pcb_sp)
 1180         struct socket *so;
 1181         struct inpcbpolicy **pcb_sp;
 1182 {
 1183         struct inpcbpolicy *new;
 1184         static int initialized = 0;
 1185         static struct secpolicy *in = NULL, *out = NULL;
 1186 
 1187         /* sanity check. */
 1188         if (so == NULL || pcb_sp == NULL)
 1189                 panic("ipsec_init_pcbpolicy: NULL pointer was passed.");
 1190 
 1191         if (!initialized) {
 1192                 if ((in = key_newsp(0)) == NULL)
 1193                         return ENOBUFS;
 1194                 if ((out = key_newsp(0)) == NULL) {
 1195                         key_freesp(in);
 1196                         in = NULL;
 1197                         return ENOBUFS;
 1198                 }
 1199 
 1200                 in->state = IPSEC_SPSTATE_ALIVE;
 1201                 in->policy = IPSEC_POLICY_ENTRUST;
 1202                 in->dir = IPSEC_DIR_INBOUND;
 1203                 in->readonly = 1;
 1204                 in->persist = 1;
 1205                 in->so = NULL;
 1206 
 1207                 out->state = IPSEC_SPSTATE_ALIVE;
 1208                 out->policy = IPSEC_POLICY_ENTRUST;
 1209                 out->dir = IPSEC_DIR_OUTBOUND;
 1210                 out->readonly = 1;
 1211                 out->persist = 1;
 1212                 out->so = NULL;
 1213 
 1214                 initialized++;
 1215         }
 1216 
 1217         new = ipsec_newpcbpolicy();
 1218         if (new == NULL) {
 1219                 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n"));
 1220                 return ENOBUFS;
 1221         }
 1222         bzero(new, sizeof(*new));
 1223 
 1224         if (so->so_cred != 0 && so->so_cred->cr_uid == 0)
 1225                 new->priv = 1;
 1226         else
 1227                 new->priv = 0;
 1228 
 1229         new->sp_in = in;
 1230         new->sp_in->refcnt++;
 1231         new->sp_out = out;
 1232         new->sp_out->refcnt++;
 1233 
 1234         *pcb_sp = new;
 1235 
 1236         return 0;
 1237 }
 1238 
 1239 /* copy old ipsec policy into new */
 1240 int
 1241 ipsec_copy_pcbpolicy(old, new)
 1242         struct inpcbpolicy *old, *new;
 1243 {
 1244 
 1245         if (new->sp_in)
 1246                 key_freesp(new->sp_in);
 1247         if (old->sp_in->policy == IPSEC_POLICY_IPSEC)
 1248                 new->sp_in = ipsec_deepcopy_policy(old->sp_in);
 1249         else {
 1250                 new->sp_in = old->sp_in;
 1251                 new->sp_in->refcnt++;
 1252         }
 1253 
 1254         if (new->sp_out)
 1255                 key_freesp(new->sp_out);
 1256         if (old->sp_out->policy == IPSEC_POLICY_IPSEC)
 1257                 new->sp_out = ipsec_deepcopy_policy(old->sp_out);
 1258         else {
 1259                 new->sp_out = old->sp_out;
 1260                 new->sp_out->refcnt++;
 1261         }
 1262 
 1263         new->priv = old->priv;
 1264 
 1265         return 0;
 1266 }
 1267 
 1268 #if 0
 1269 static int
 1270 ipsec_deepcopy_pcbpolicy(pcb_sp)
 1271         struct inpcbpolicy *pcb_sp;
 1272 {
 1273         struct secpolicy *sp;
 1274 
 1275         sp = ipsec_deepcopy_policy(pcb_sp->sp_in);
 1276         if (sp) {
 1277                 key_freesp(pcb_sp->sp_in);
 1278                 pcb_sp->sp_in = sp;
 1279         } else
 1280                 return ENOBUFS;
 1281 
 1282         sp = ipsec_deepcopy_policy(pcb_sp->sp_out);
 1283         if (sp) {
 1284                 key_freesp(pcb_sp->sp_out);
 1285                 pcb_sp->sp_out = sp;
 1286         } else
 1287                 return ENOBUFS;
 1288 
 1289         return 0;
 1290 }
 1291 #endif
 1292 
 1293 /* deep-copy a policy in PCB */
 1294 static struct secpolicy *
 1295 ipsec_deepcopy_policy(src)
 1296         struct secpolicy *src;
 1297 {
 1298         struct ipsecrequest *newchain = NULL;
 1299         struct ipsecrequest *p;
 1300         struct ipsecrequest **q;
 1301         struct ipsecrequest *r;
 1302         struct secpolicy *dst;
 1303 
 1304         if (src == NULL)
 1305                 return NULL;
 1306 
 1307         dst = key_newsp(0);
 1308         if (dst == NULL)
 1309                 return NULL;
 1310 
 1311         /*
 1312          * deep-copy IPsec request chain.  This is required since struct
 1313          * ipsecrequest is not reference counted.
 1314          */
 1315         q = &newchain;
 1316         for (p = src->req; p; p = p->next) {
 1317                 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
 1318                         M_SECA, M_NOWAIT);
 1319                 if (*q == NULL)
 1320                         goto fail;
 1321                 bzero(*q, sizeof(**q));
 1322                 (*q)->next = NULL;
 1323 
 1324                 (*q)->saidx.proto = p->saidx.proto;
 1325                 (*q)->saidx.mode = p->saidx.mode;
 1326                 (*q)->level = p->level;
 1327                 (*q)->saidx.reqid = p->saidx.reqid;
 1328 
 1329                 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
 1330                 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
 1331 
 1332                 (*q)->sav = NULL;
 1333                 (*q)->sp = dst;
 1334 
 1335                 q = &((*q)->next);
 1336         }
 1337 
 1338         if (src->spidx)
 1339                 if (keydb_setsecpolicyindex(dst, src->spidx) != 0)
 1340                         goto fail;
 1341 
 1342         dst->req = newchain;
 1343         dst->state = src->state;
 1344         dst->policy = src->policy;
 1345         dst->dir = src->dir;
 1346         dst->so = src->so;
 1347         /* do not touch the refcnt fields */
 1348 
 1349         return dst;
 1350 
 1351 fail:
 1352         for (p = newchain; p; p = r) {
 1353                 r = p->next;
 1354                 free(p, M_SECA);
 1355                 p = NULL;
 1356         }
 1357         key_freesp(dst);
 1358         return NULL;
 1359 }
 1360 
 1361 /* set policy and ipsec request if present. */
 1362 static int
 1363 ipsec_set_policy(spp, optname, request, len, priv)
 1364         struct secpolicy **spp;
 1365         int optname;
 1366         caddr_t request;
 1367         size_t len;
 1368         int priv;
 1369 {
 1370         struct sadb_x_policy *xpl;
 1371         struct secpolicy *newsp = NULL;
 1372         int error;
 1373 
 1374         /* sanity check. */
 1375         if (spp == NULL || *spp == NULL || request == NULL)
 1376                 return EINVAL;
 1377         if (len < sizeof(*xpl))
 1378                 return EINVAL;
 1379         xpl = (struct sadb_x_policy *)request;
 1380 
 1381         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1382                 printf("ipsec_set_policy: passed policy\n");
 1383                 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
 1384 
 1385         /* check policy type */
 1386         /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
 1387         if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
 1388             xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
 1389                 return EINVAL;
 1390 
 1391         /* check privileged socket */
 1392         if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
 1393                 return EACCES;
 1394 
 1395         /* allocation new SP entry */
 1396         if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
 1397                 return error;
 1398 
 1399         newsp->state = IPSEC_SPSTATE_ALIVE;
 1400 
 1401         /* clear old SP and set new SP */
 1402         key_freesp(*spp);
 1403         *spp = newsp;
 1404         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1405                 printf("ipsec_set_policy: new policy\n");
 1406                 kdebug_secpolicy(newsp));
 1407 
 1408         return 0;
 1409 }
 1410 
 1411 static int
 1412 ipsec_get_policy(sp, mp)
 1413         struct secpolicy *sp;
 1414         struct mbuf **mp;
 1415 {
 1416 
 1417         /* sanity check. */
 1418         if (sp == NULL || mp == NULL)
 1419                 return EINVAL;
 1420 
 1421         *mp = key_sp2msg(sp);
 1422         if (!*mp) {
 1423                 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
 1424                 return ENOBUFS;
 1425         }
 1426 
 1427         (*mp)->m_type = MT_DATA;
 1428         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1429                 printf("ipsec_get_policy:\n");
 1430                 kdebug_mbuf(*mp));
 1431 
 1432         return 0;
 1433 }
 1434 
 1435 int
 1436 ipsec4_set_policy(inp, optname, request, len, priv)
 1437         struct inpcb *inp;
 1438         int optname;
 1439         caddr_t request;
 1440         size_t len;
 1441         int priv;
 1442 {
 1443         struct sadb_x_policy *xpl;
 1444         struct secpolicy **spp;
 1445 
 1446         /* sanity check. */
 1447         if (inp == NULL || request == NULL)
 1448                 return EINVAL;
 1449         if (len < sizeof(*xpl))
 1450                 return EINVAL;
 1451         xpl = (struct sadb_x_policy *)request;
 1452 
 1453         /* select direction */
 1454         switch (xpl->sadb_x_policy_dir) {
 1455         case IPSEC_DIR_INBOUND:
 1456                 spp = &inp->inp_sp->sp_in;
 1457                 break;
 1458         case IPSEC_DIR_OUTBOUND:
 1459                 spp = &inp->inp_sp->sp_out;
 1460                 break;
 1461         default:
 1462                 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
 1463                         xpl->sadb_x_policy_dir));
 1464                 return EINVAL;
 1465         }
 1466 
 1467         ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
 1468         return ipsec_set_policy(spp, optname, request, len, priv);
 1469 }
 1470 
 1471 int
 1472 ipsec4_get_policy(inp, request, len, mp)
 1473         struct inpcb *inp;
 1474         caddr_t request;
 1475         size_t len;
 1476         struct mbuf **mp;
 1477 {
 1478         struct sadb_x_policy *xpl;
 1479         struct secpolicy *sp;
 1480 
 1481         /* sanity check. */
 1482         if (inp == NULL || request == NULL || mp == NULL)
 1483                 return EINVAL;
 1484         if (inp->inp_sp == NULL)
 1485                 panic("policy in PCB is NULL");
 1486         if (len < sizeof(*xpl))
 1487                 return EINVAL;
 1488         xpl = (struct sadb_x_policy *)request;
 1489 
 1490         /* select direction */
 1491         switch (xpl->sadb_x_policy_dir) {
 1492         case IPSEC_DIR_INBOUND:
 1493                 sp = inp->inp_sp->sp_in;
 1494                 break;
 1495         case IPSEC_DIR_OUTBOUND:
 1496                 sp = inp->inp_sp->sp_out;
 1497                 break;
 1498         default:
 1499                 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n",
 1500                         xpl->sadb_x_policy_dir));
 1501                 return EINVAL;
 1502         }
 1503 
 1504         return ipsec_get_policy(sp, mp);
 1505 }
 1506 
 1507 /* delete policy in PCB */
 1508 int
 1509 ipsec4_delete_pcbpolicy(inp)
 1510         struct inpcb *inp;
 1511 {
 1512         /* sanity check. */
 1513         if (inp == NULL)
 1514                 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
 1515 
 1516         if (inp->inp_sp == NULL)
 1517                 return 0;
 1518 
 1519         if (inp->inp_sp->sp_in != NULL) {
 1520                 key_freesp(inp->inp_sp->sp_in);
 1521                 inp->inp_sp->sp_in = NULL;
 1522         }
 1523 
 1524         if (inp->inp_sp->sp_out != NULL) {
 1525                 key_freesp(inp->inp_sp->sp_out);
 1526                 inp->inp_sp->sp_out = NULL;
 1527         }
 1528 
 1529         ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
 1530 
 1531         ipsec_delpcbpolicy(inp->inp_sp);
 1532         inp->inp_sp = NULL;
 1533 
 1534         return 0;
 1535 }
 1536 
 1537 #ifdef INET6
 1538 int
 1539 ipsec6_set_policy(in6p, optname, request, len, priv)
 1540         struct in6pcb *in6p;
 1541         int optname;
 1542         caddr_t request;
 1543         size_t len;
 1544         int priv;
 1545 {
 1546         struct sadb_x_policy *xpl;
 1547         struct secpolicy **spp;
 1548 
 1549         /* sanity check. */
 1550         if (in6p == NULL || request == NULL)
 1551                 return EINVAL;
 1552         if (len < sizeof(*xpl))
 1553                 return EINVAL;
 1554         xpl = (struct sadb_x_policy *)request;
 1555 
 1556         /* select direction */
 1557         switch (xpl->sadb_x_policy_dir) {
 1558         case IPSEC_DIR_INBOUND:
 1559                 spp = &in6p->in6p_sp->sp_in;
 1560                 break;
 1561         case IPSEC_DIR_OUTBOUND:
 1562                 spp = &in6p->in6p_sp->sp_out;
 1563                 break;
 1564         default:
 1565                 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
 1566                         xpl->sadb_x_policy_dir));
 1567                 return EINVAL;
 1568         }
 1569 
 1570         ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
 1571         return ipsec_set_policy(spp, optname, request, len, priv);
 1572 }
 1573 
 1574 int
 1575 ipsec6_get_policy(in6p, request, len, mp)
 1576         struct in6pcb *in6p;
 1577         caddr_t request;
 1578         size_t len;
 1579         struct mbuf **mp;
 1580 {
 1581         struct sadb_x_policy *xpl;
 1582         struct secpolicy *sp;
 1583 
 1584         /* sanity check. */
 1585         if (in6p == NULL || request == NULL || mp == NULL)
 1586                 return EINVAL;
 1587         if (in6p->in6p_sp == NULL)
 1588                 panic("policy in PCB is NULL");
 1589         if (len < sizeof(*xpl))
 1590                 return EINVAL;
 1591         xpl = (struct sadb_x_policy *)request;
 1592 
 1593         /* select direction */
 1594         switch (xpl->sadb_x_policy_dir) {
 1595         case IPSEC_DIR_INBOUND:
 1596                 sp = in6p->in6p_sp->sp_in;
 1597                 break;
 1598         case IPSEC_DIR_OUTBOUND:
 1599                 sp = in6p->in6p_sp->sp_out;
 1600                 break;
 1601         default:
 1602                 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n",
 1603                         xpl->sadb_x_policy_dir));
 1604                 return EINVAL;
 1605         }
 1606 
 1607         return ipsec_get_policy(sp, mp);
 1608 }
 1609 
 1610 int
 1611 ipsec6_delete_pcbpolicy(in6p)
 1612         struct in6pcb *in6p;
 1613 {
 1614         /* sanity check. */
 1615         if (in6p == NULL)
 1616                 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
 1617 
 1618         if (in6p->in6p_sp == NULL)
 1619                 return 0;
 1620 
 1621         if (in6p->in6p_sp->sp_in != NULL) {
 1622                 key_freesp(in6p->in6p_sp->sp_in);
 1623                 in6p->in6p_sp->sp_in = NULL;
 1624         }
 1625 
 1626         if (in6p->in6p_sp->sp_out != NULL) {
 1627                 key_freesp(in6p->in6p_sp->sp_out);
 1628                 in6p->in6p_sp->sp_out = NULL;
 1629         }
 1630 
 1631         ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
 1632 
 1633         ipsec_delpcbpolicy(in6p->in6p_sp);
 1634         in6p->in6p_sp = NULL;
 1635 
 1636         return 0;
 1637 }
 1638 #endif
 1639 
 1640 /*
 1641  * return current level.
 1642  * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
 1643  */
 1644 u_int
 1645 ipsec_get_reqlevel(isr, af)
 1646         struct ipsecrequest *isr;
 1647         int af;
 1648 {
 1649         u_int level = 0;
 1650         u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
 1651 
 1652         /* sanity check */
 1653         if (isr == NULL || isr->sp == NULL)
 1654                 panic("ipsec_get_reqlevel: NULL pointer is passed.");
 1655 
 1656         /* set default level */
 1657         switch (af) {
 1658 #ifdef INET
 1659         case AF_INET:
 1660                 esp_trans_deflev = ip4_esp_trans_deflev;
 1661                 esp_net_deflev = ip4_esp_net_deflev;
 1662                 ah_trans_deflev = ip4_ah_trans_deflev;
 1663                 ah_net_deflev = ip4_ah_net_deflev;
 1664                 break;
 1665 #endif
 1666 #ifdef INET6
 1667         case AF_INET6:
 1668                 esp_trans_deflev = ip6_esp_trans_deflev;
 1669                 esp_net_deflev = ip6_esp_net_deflev;
 1670                 ah_trans_deflev = ip6_ah_trans_deflev;
 1671                 ah_net_deflev = ip6_ah_net_deflev;
 1672                 break;
 1673 #endif /* INET6 */
 1674         default:
 1675                 panic("key_get_reqlevel: Unknown family. %d",
 1676                         ((struct sockaddr *)&isr->sp->spidx->src)->sa_family);
 1677         }
 1678 
 1679         /* set level */
 1680         switch (isr->level) {
 1681         case IPSEC_LEVEL_DEFAULT:
 1682                 switch (isr->saidx.proto) {
 1683                 case IPPROTO_ESP:
 1684                         if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
 1685                                 level = esp_net_deflev;
 1686                         else
 1687                                 level = esp_trans_deflev;
 1688                         break;
 1689                 case IPPROTO_AH:
 1690                         if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
 1691                                 level = ah_net_deflev;
 1692                         else
 1693                                 level = ah_trans_deflev;
 1694                         break;
 1695                 case IPPROTO_IPCOMP:
 1696                         /*
 1697                          * we don't really care, as IPcomp document says that
 1698                          * we shouldn't compress small packets
 1699                          */
 1700                         level = IPSEC_LEVEL_USE;
 1701                         break;
 1702                 default:
 1703                         panic("ipsec_get_reqlevel: "
 1704                                 "Illegal protocol defined %u\n",
 1705                                 isr->saidx.proto);
 1706                 }
 1707                 break;
 1708 
 1709         case IPSEC_LEVEL_USE:
 1710         case IPSEC_LEVEL_REQUIRE:
 1711                 level = isr->level;
 1712                 break;
 1713         case IPSEC_LEVEL_UNIQUE:
 1714                 level = IPSEC_LEVEL_REQUIRE;
 1715                 break;
 1716 
 1717         default:
 1718                 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
 1719                         isr->level);
 1720         }
 1721 
 1722         return level;
 1723 }
 1724 
 1725 /*
 1726  * Check AH/ESP integrity.
 1727  * OUT:
 1728  *      0: valid
 1729  *      1: invalid
 1730  */
 1731 static int
 1732 ipsec_in_reject(sp, m)
 1733         struct secpolicy *sp;
 1734         struct mbuf *m;
 1735 {
 1736         struct ipsecrequest *isr;
 1737         u_int level;
 1738         int need_auth, need_conf, need_icv;
 1739 
 1740         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 1741                 printf("ipsec_in_reject: using SP\n");
 1742                 kdebug_secpolicy(sp));
 1743 
 1744         /* check policy */
 1745         switch (sp->policy) {
 1746         case IPSEC_POLICY_DISCARD:
 1747                 return 1;
 1748         case IPSEC_POLICY_BYPASS:
 1749         case IPSEC_POLICY_NONE:
 1750                 return 0;
 1751 
 1752         case IPSEC_POLICY_IPSEC:
 1753                 break;
 1754 
 1755         case IPSEC_POLICY_ENTRUST:
 1756         default:
 1757                 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy);
 1758         }
 1759 
 1760         need_auth = 0;
 1761         need_conf = 0;
 1762         need_icv = 0;
 1763 
 1764         /* XXX should compare policy against ipsec header history */
 1765 
 1766         for (isr = sp->req; isr != NULL; isr = isr->next) {
 1767                 /* get current level */
 1768                 level = ipsec_get_reqlevel(isr, AF_INET);
 1769 
 1770                 switch (isr->saidx.proto) {
 1771                 case IPPROTO_ESP:
 1772                         if (level == IPSEC_LEVEL_REQUIRE) {
 1773                                 need_conf++;
 1774 
 1775                                 if (isr->sav != NULL
 1776                                  && isr->sav->flags == SADB_X_EXT_NONE
 1777                                  && isr->sav->alg_auth != SADB_AALG_NONE)
 1778                                         need_icv++;
 1779                         }
 1780                         break;
 1781                 case IPPROTO_AH:
 1782                         if (level == IPSEC_LEVEL_REQUIRE) {
 1783                                 need_auth++;
 1784                                 need_icv++;
 1785                         }
 1786                         break;
 1787                 case IPPROTO_IPCOMP:
 1788                         /*
 1789                          * we don't really care, as IPcomp document says that
 1790                          * we shouldn't compress small packets, IPComp policy
 1791                          * should always be treated as being in "use" level.
 1792                          */
 1793                         break;
 1794                 }
 1795         }
 1796 
 1797         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1798                 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
 1799                         need_auth, need_conf, need_icv, m->m_flags));
 1800 
 1801         if ((need_conf && !(m->m_flags & M_DECRYPTED))
 1802          || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
 1803          || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
 1804                 return 1;
 1805 
 1806         return 0;
 1807 }
 1808 
 1809 /*
 1810  * Check AH/ESP integrity.
 1811  * This function is called from tcp_input(), udp_input(),
 1812  * and {ah,esp}4_input for tunnel mode
 1813  */
 1814 int
 1815 ipsec4_in_reject(m, inp)
 1816         struct mbuf *m;
 1817         struct inpcb *inp;
 1818 {
 1819         struct secpolicy *sp = NULL;
 1820         int error;
 1821         int result;
 1822 
 1823         /* sanity check */
 1824         if (m == NULL)
 1825                 return 0;       /* XXX should be panic ? */
 1826 
 1827         /* get SP for this packet.
 1828          * When we are called from ip_forward(), we call
 1829          * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
 1830          */
 1831         if (inp == NULL)
 1832                 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
 1833                     IP_FORWARDING, &error);
 1834         else
 1835                 sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error);
 1836 
 1837         /* XXX should be panic ? -> No, there may be error. */
 1838         if (sp == NULL)
 1839                 return 0;
 1840 
 1841         result = ipsec_in_reject(sp, m);
 1842         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 1843                 printf("DP ipsec4_in_reject call free SP:%p\n", sp));
 1844         key_freesp(sp);
 1845 
 1846         return result;
 1847 }
 1848 
 1849 #ifdef INET6
 1850 /*
 1851  * Check AH/ESP integrity.
 1852  * This function is called from tcp6_input(), udp6_input(),
 1853  * and {ah,esp}6_input for tunnel mode
 1854  */
 1855 int
 1856 ipsec6_in_reject(m, in6p)
 1857         struct mbuf *m;
 1858         struct in6pcb *in6p;
 1859 {
 1860         struct secpolicy *sp = NULL;
 1861         int error;
 1862         int result;
 1863 
 1864         /* sanity check */
 1865         if (m == NULL)
 1866                 return 0;       /* XXX should be panic ? */
 1867 
 1868         /* get SP for this packet.
 1869          * When we are called from ip_forward(), we call
 1870          * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
 1871          */
 1872         if (in6p == NULL)
 1873                 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
 1874                     IP_FORWARDING, &error);
 1875         else
 1876                 sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error);
 1877 
 1878         if (sp == NULL)
 1879                 return 0;       /* XXX should be panic ? */
 1880 
 1881         result = ipsec_in_reject(sp, m);
 1882         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 1883                 printf("DP ipsec6_in_reject call free SP:%p\n", sp));
 1884         key_freesp(sp);
 1885 
 1886         return result;
 1887 }
 1888 #endif
 1889 
 1890 /*
 1891  * compute the byte size to be occupied by IPsec header.
 1892  * in case it is tunneled, it includes the size of outer IP header.
 1893  * NOTE: SP passed is free in this function.
 1894  */
 1895 static size_t
 1896 ipsec_hdrsiz(sp)
 1897         struct secpolicy *sp;
 1898 {
 1899         struct ipsecrequest *isr;
 1900         size_t siz, clen;
 1901 
 1902         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 1903                 printf("ipsec_hdrsiz: using SP\n");
 1904                 kdebug_secpolicy(sp));
 1905 
 1906         /* check policy */
 1907         switch (sp->policy) {
 1908         case IPSEC_POLICY_DISCARD:
 1909         case IPSEC_POLICY_BYPASS:
 1910         case IPSEC_POLICY_NONE:
 1911                 return 0;
 1912 
 1913         case IPSEC_POLICY_IPSEC:
 1914                 break;
 1915 
 1916         case IPSEC_POLICY_ENTRUST:
 1917         default:
 1918                 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
 1919         }
 1920 
 1921         siz = 0;
 1922 
 1923         for (isr = sp->req; isr != NULL; isr = isr->next) {
 1924 
 1925                 clen = 0;
 1926 
 1927                 switch (isr->saidx.proto) {
 1928                 case IPPROTO_ESP:
 1929 #ifdef IPSEC_ESP
 1930                         clen = esp_hdrsiz(isr);
 1931 #else
 1932                         clen = 0;       /* XXX */
 1933 #endif
 1934                         break;
 1935                 case IPPROTO_AH:
 1936                         clen = ah_hdrsiz(isr);
 1937                         break;
 1938                 case IPPROTO_IPCOMP:
 1939                         clen = sizeof(struct ipcomp);
 1940                         break;
 1941                 }
 1942 
 1943                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 1944                         switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
 1945                         case AF_INET:
 1946                                 clen += sizeof(struct ip);
 1947                                 break;
 1948 #ifdef INET6
 1949                         case AF_INET6:
 1950                                 clen += sizeof(struct ip6_hdr);
 1951                                 break;
 1952 #endif
 1953                         default:
 1954                                 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
 1955                                     "unknown AF %d in IPsec tunnel SA\n",
 1956                                     ((struct sockaddr *)&isr->saidx.dst)->sa_family));
 1957                                 break;
 1958                         }
 1959                 }
 1960                 siz += clen;
 1961         }
 1962 
 1963         return siz;
 1964 }
 1965 
 1966 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
 1967 size_t
 1968 ipsec4_hdrsiz(m, dir, inp)
 1969         struct mbuf *m;
 1970         u_int dir;
 1971         struct inpcb *inp;
 1972 {
 1973         struct secpolicy *sp = NULL;
 1974         int error;
 1975         size_t size;
 1976 
 1977         /* sanity check */
 1978         if (m == NULL)
 1979                 return 0;       /* XXX should be panic ? */
 1980 #if 0
 1981         /* this is possible in TIME_WAIT state */
 1982         if (inp != NULL && inp->inp_socket == NULL)
 1983                 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
 1984 #endif
 1985 
 1986         /* get SP for this packet.
 1987          * When we are called from ip_forward(), we call
 1988          * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
 1989          */
 1990         if (inp == NULL)
 1991                 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
 1992         else
 1993                 sp = ipsec4_getpolicybypcb(m, dir, inp, &error);
 1994 
 1995         if (sp == NULL)
 1996                 return 0;       /* XXX should be panic ? */
 1997 
 1998         size = ipsec_hdrsiz(sp);
 1999         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 2000                 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
 2001         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 2002                 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
 2003         key_freesp(sp);
 2004 
 2005         return size;
 2006 }
 2007 
 2008 #ifdef INET6
 2009 /* This function is called from ipsec6_hdrsize_tcp(),
 2010  * and maybe from ip6_forward.()
 2011  */
 2012 size_t
 2013 ipsec6_hdrsiz(m, dir, in6p)
 2014         struct mbuf *m;
 2015         u_int dir;
 2016         struct in6pcb *in6p;
 2017 {
 2018         struct secpolicy *sp = NULL;
 2019         int error;
 2020         size_t size;
 2021 
 2022         /* sanity check */
 2023         if (m == NULL)
 2024                 return 0;       /* XXX should be panic ? */
 2025 #if 0
 2026         /* this is possible in TIME_WAIT state */
 2027         if (in6p != NULL && in6p->in6p_socket == NULL)
 2028                 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
 2029 #endif
 2030 
 2031         /* get SP for this packet */
 2032         /* XXX Is it right to call with IP_FORWARDING. */
 2033         if (in6p == NULL)
 2034                 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
 2035         else
 2036                 sp = ipsec6_getpolicybypcb(m, dir, in6p, &error);
 2037 
 2038         if (sp == NULL)
 2039                 return 0;
 2040         size = ipsec_hdrsiz(sp);
 2041         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 2042                 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
 2043         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 2044                 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
 2045         key_freesp(sp);
 2046 
 2047         return size;
 2048 }
 2049 #endif /* INET6 */
 2050 
 2051 #ifdef INET
 2052 /*
 2053  * encapsulate for ipsec tunnel.
 2054  * ip->ip_src must be fixed later on.
 2055  */
 2056 static int
 2057 ipsec4_encapsulate(m, sav)
 2058         struct mbuf *m;
 2059         struct secasvar *sav;
 2060 {
 2061         struct ip *oip;
 2062         struct ip *ip;
 2063         size_t hlen;
 2064         size_t plen;
 2065 
 2066         /* can't tunnel between different AFs */
 2067         if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
 2068                 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
 2069          || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
 2070                 m_freem(m);
 2071                 return EINVAL;
 2072         }
 2073 #if 0
 2074         /* XXX if the dst is myself, perform nothing. */
 2075         if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
 2076                 m_freem(m);
 2077                 return EINVAL;
 2078         }
 2079 #endif
 2080 
 2081         if (m->m_len < sizeof(*ip))
 2082                 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
 2083 
 2084         ip = mtod(m, struct ip *);
 2085 #ifdef _IP_VHL
 2086         hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
 2087 #else
 2088         hlen = ip->ip_hl << 2;
 2089 #endif
 2090 
 2091         if (m->m_len != hlen)
 2092                 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
 2093 
 2094         /* generate header checksum */
 2095         ip->ip_sum = 0;
 2096 #ifdef _IP_VHL
 2097         if (ip->ip_vhl == IP_VHL_BORING)
 2098                 ip->ip_sum = in_cksum_hdr(ip);
 2099         else
 2100                 ip->ip_sum = in_cksum(m, hlen);
 2101 #else
 2102         ip->ip_sum = in_cksum(m, hlen);
 2103 #endif
 2104 
 2105         plen = m->m_pkthdr.len;
 2106 
 2107         /*
 2108          * grow the mbuf to accomodate the new IPv4 header.
 2109          * NOTE: IPv4 options will never be copied.
 2110          */
 2111         if (M_LEADINGSPACE(m->m_next) < hlen) {
 2112                 struct mbuf *n;
 2113                 MGET(n, M_DONTWAIT, MT_DATA);
 2114                 if (!n) {
 2115                         m_freem(m);
 2116                         return ENOBUFS;
 2117                 }
 2118                 n->m_len = hlen;
 2119                 n->m_next = m->m_next;
 2120                 m->m_next = n;
 2121                 m->m_pkthdr.len += hlen;
 2122                 oip = mtod(n, struct ip *);
 2123         } else {
 2124                 m->m_next->m_len += hlen;
 2125                 m->m_next->m_data -= hlen;
 2126                 m->m_pkthdr.len += hlen;
 2127                 oip = mtod(m->m_next, struct ip *);
 2128         }
 2129         ip = mtod(m, struct ip *);
 2130         ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
 2131         m->m_len = sizeof(struct ip);
 2132         m->m_pkthdr.len -= (hlen - sizeof(struct ip));
 2133 
 2134         /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
 2135         /* ECN consideration. */
 2136         ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
 2137 #ifdef _IP_VHL
 2138         ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
 2139 #else
 2140         ip->ip_hl = sizeof(struct ip) >> 2;
 2141 #endif
 2142         ip->ip_off &= htons(~IP_OFFMASK);
 2143         ip->ip_off &= htons(~IP_MF);
 2144         switch (ip4_ipsec_dfbit) {
 2145         case 0: /* clear DF bit */
 2146                 ip->ip_off &= htons(~IP_DF);
 2147                 break;
 2148         case 1: /* set DF bit */
 2149                 ip->ip_off |= htons(IP_DF);
 2150                 break;
 2151         default:        /* copy DF bit */
 2152                 break;
 2153         }
 2154         ip->ip_p = IPPROTO_IPIP;
 2155         if (plen + sizeof(struct ip) < IP_MAXPACKET)
 2156                 ip->ip_len = htons(plen + sizeof(struct ip));
 2157         else {
 2158                 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
 2159                     "leave ip_len as is (invalid packet)\n"));
 2160         }
 2161         ip->ip_id = ip_newid();
 2162         bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
 2163                 &ip->ip_src, sizeof(ip->ip_src));
 2164         bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
 2165                 &ip->ip_dst, sizeof(ip->ip_dst));
 2166         ip->ip_ttl = IPDEFTTL;
 2167 
 2168         /* XXX Should ip_src be updated later ? */
 2169 
 2170         return 0;
 2171 }
 2172 #endif /* INET */
 2173 
 2174 #ifdef INET6
 2175 static int
 2176 ipsec6_encapsulate(m, sav)
 2177         struct mbuf *m;
 2178         struct secasvar *sav;
 2179 {
 2180         struct ip6_hdr *oip6;
 2181         struct ip6_hdr *ip6;
 2182         size_t plen;
 2183 
 2184         /* can't tunnel between different AFs */
 2185         if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
 2186                 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
 2187          || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
 2188                 m_freem(m);
 2189                 return EINVAL;
 2190         }
 2191 #if 0
 2192         /* XXX if the dst is myself, perform nothing. */
 2193         if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
 2194                 m_freem(m);
 2195                 return EINVAL;
 2196         }
 2197 #endif
 2198 
 2199         plen = m->m_pkthdr.len;
 2200 
 2201         /*
 2202          * grow the mbuf to accomodate the new IPv6 header.
 2203          */
 2204         if (m->m_len != sizeof(struct ip6_hdr))
 2205                 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
 2206         if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
 2207                 struct mbuf *n;
 2208                 MGET(n, M_DONTWAIT, MT_DATA);
 2209                 if (!n) {
 2210                         m_freem(m);
 2211                         return ENOBUFS;
 2212                 }
 2213                 n->m_len = sizeof(struct ip6_hdr);
 2214                 n->m_next = m->m_next;
 2215                 m->m_next = n;
 2216                 m->m_pkthdr.len += sizeof(struct ip6_hdr);
 2217                 oip6 = mtod(n, struct ip6_hdr *);
 2218         } else {
 2219                 m->m_next->m_len += sizeof(struct ip6_hdr);
 2220                 m->m_next->m_data -= sizeof(struct ip6_hdr);
 2221                 m->m_pkthdr.len += sizeof(struct ip6_hdr);
 2222                 oip6 = mtod(m->m_next, struct ip6_hdr *);
 2223         }
 2224         ip6 = mtod(m, struct ip6_hdr *);
 2225         ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
 2226 
 2227         /* XXX: Fake scoped addresses */
 2228         in6_clearscope(&oip6->ip6_src);
 2229         in6_clearscope(&oip6->ip6_dst);
 2230 
 2231         /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
 2232         /* ECN consideration. */
 2233         ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
 2234         if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
 2235                 ip6->ip6_plen = htons(plen);
 2236         else {
 2237                 /* ip6->ip6_plen will be updated in ip6_output() */
 2238         }
 2239         ip6->ip6_nxt = IPPROTO_IPV6;
 2240         in6_embedscope(&ip6->ip6_src,
 2241             (struct sockaddr_in6 *)&sav->sah->saidx.src, NULL, NULL);
 2242         in6_embedscope(&ip6->ip6_dst,
 2243             (struct sockaddr_in6 *)&sav->sah->saidx.dst, NULL, NULL);
 2244         ip6->ip6_hlim = IPV6_DEFHLIM;
 2245 
 2246         /* XXX Should ip6_src be updated later ? */
 2247 
 2248         return 0;
 2249 }
 2250 #endif /* INET6 */
 2251 
 2252 /*
 2253  * Check the variable replay window.
 2254  * ipsec_chkreplay() performs replay check before ICV verification.
 2255  * ipsec_updatereplay() updates replay bitmap.  This must be called after
 2256  * ICV verification (it also performs replay check, which is usually done
 2257  * beforehand).
 2258  * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
 2259  *
 2260  * based on RFC 2401.
 2261  *
 2262  * XXX need to update for 64bit sequence number - 2401bis
 2263  */
 2264 int
 2265 ipsec_chkreplay(seq, sav)
 2266         u_int32_t seq;
 2267         struct secasvar *sav;
 2268 {
 2269         const struct secreplay *replay;
 2270         u_int32_t diff;
 2271         int fr;
 2272         u_int32_t wsizeb;       /* constant: bits of window size */
 2273         int frlast;             /* constant: last frame */
 2274 
 2275         /* sanity check */
 2276         if (sav == NULL)
 2277                 panic("ipsec_chkreplay: NULL pointer was passed.");
 2278 
 2279         replay = sav->replay;
 2280 
 2281         if (replay->wsize == 0)
 2282                 return 1;       /* no need to check replay. */
 2283 
 2284         /* constant */
 2285         frlast = replay->wsize - 1;
 2286         wsizeb = replay->wsize << 3;
 2287 
 2288         /* sequence number of 0 is invalid */
 2289         if (seq == 0)
 2290                 return 0;
 2291 
 2292         /* first time is always okay */
 2293         if (replay->count == 0)
 2294                 return 1;
 2295 
 2296         if (seq > replay->lastseq) {
 2297                 /* larger sequences are okay */
 2298                 return 1;
 2299         } else {
 2300                 /* seq is equal or less than lastseq. */
 2301                 diff = replay->lastseq - seq;
 2302 
 2303                 /* over range to check, i.e. too old or wrapped */
 2304                 if (diff >= wsizeb)
 2305                         return 0;
 2306 
 2307                 fr = frlast - diff / 8;
 2308 
 2309                 /* this packet already seen ? */
 2310                 if (replay->bitmap[fr] & (1 << (diff % 8)))
 2311                         return 0;
 2312 
 2313                 /* out of order but good */
 2314                 return 1;
 2315         }
 2316 }
 2317 
 2318 /*
 2319  * check replay counter whether to update or not.
 2320  * OUT: 0:      OK
 2321  *      1:      NG
 2322  * XXX need to update for 64bit sequence number - 2401bis
 2323  */
 2324 int
 2325 ipsec_updatereplay(seq, sav)
 2326         u_int32_t seq;
 2327         struct secasvar *sav;
 2328 {
 2329         struct secreplay *replay;
 2330         u_int64_t diff;
 2331         int fr;
 2332         u_int32_t wsizeb;       /* constant: bits of window size */
 2333         int frlast;             /* constant: last frame */
 2334 
 2335         /* sanity check */
 2336         if (sav == NULL)
 2337                 panic("ipsec_chkreplay: NULL pointer was passed.");
 2338 
 2339         replay = sav->replay;
 2340 
 2341         if (replay->wsize == 0)
 2342                 goto ok;        /* no need to check replay. */
 2343 
 2344         /* constant */
 2345         frlast = replay->wsize - 1;
 2346         wsizeb = replay->wsize << 3;
 2347 
 2348         /* sequence number of 0 is invalid */
 2349         if (seq == 0)
 2350                 return 1;
 2351 
 2352         /* first time */
 2353         if (replay->count == 0) {
 2354                 replay->lastseq = seq;
 2355                 bzero(replay->bitmap, replay->wsize);
 2356                 replay->bitmap[frlast] = 1;
 2357                 goto ok;
 2358         }
 2359 
 2360         if (seq > replay->lastseq) {
 2361                 /* seq is larger than lastseq. */
 2362                 diff = seq - replay->lastseq;
 2363 
 2364                 /* new larger sequence number */
 2365                 if (diff < wsizeb) {
 2366                         /* In window */
 2367                         /* set bit for this packet */
 2368                         vshiftl(replay->bitmap, diff, replay->wsize);
 2369                         replay->bitmap[frlast] |= 1;
 2370                 } else {
 2371                         /* this packet has a "way larger" */
 2372                         bzero(replay->bitmap, replay->wsize);
 2373                         replay->bitmap[frlast] = 1;
 2374                 }
 2375                 replay->lastseq = seq;
 2376 
 2377                 /* larger is good */
 2378         } else {
 2379                 /* seq is equal or less than lastseq. */
 2380                 diff = replay->lastseq - seq;
 2381 
 2382                 /* over range to check, i.e. too old or wrapped */
 2383                 if (diff >= wsizeb)
 2384                         return 1;
 2385 
 2386                 fr = frlast - diff / 8;
 2387 
 2388                 /* this packet already seen ? */
 2389                 if (replay->bitmap[fr] & (1 << (diff % 8)))
 2390                         return 1;
 2391 
 2392                 /* mark as seen */
 2393                 replay->bitmap[fr] |= (1 << (diff % 8));
 2394 
 2395                 /* out of order but good */
 2396         }
 2397 
 2398 ok:
 2399         if (replay->count == 0xffffffff) {
 2400 
 2401                 /* set overflow flag */
 2402                 replay->overflow++;
 2403 
 2404                 /* don't increment, no more packets accepted */
 2405                 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
 2406                         return 1;
 2407 
 2408                 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
 2409                     replay->overflow, ipsec_logsastr(sav)));
 2410         }
 2411 
 2412         replay->count++;
 2413 
 2414         return 0;
 2415 }
 2416 
 2417 /*
 2418  * shift variable length buffer to left.
 2419  * IN:  bitmap: pointer to the buffer
 2420  *      nbit:   the number of to shift.
 2421  *      wsize:  buffer size (bytes).
 2422  */
 2423 static void
 2424 vshiftl(bitmap, nbit, wsize)
 2425         unsigned char *bitmap;
 2426         int nbit, wsize;
 2427 {
 2428         int s, j, i;
 2429         unsigned char over;
 2430 
 2431         for (j = 0; j < nbit; j += 8) {
 2432                 s = (nbit - j < 8) ? (nbit - j): 8;
 2433                 bitmap[0] <<= s;
 2434                 for (i = 1; i < wsize; i++) {
 2435                         over = (bitmap[i] >> (8 - s));
 2436                         bitmap[i] <<= s;
 2437                         bitmap[i - 1] |= over;
 2438                 }
 2439         }
 2440 
 2441         return;
 2442 }
 2443 
 2444 const char *
 2445 ipsec4_logpacketstr(ip, spi)
 2446         struct ip *ip;
 2447         u_int32_t spi;
 2448 {
 2449         static char buf[256];
 2450         char *p;
 2451         u_int8_t *s, *d;
 2452 
 2453         s = (u_int8_t *)(&ip->ip_src);
 2454         d = (u_int8_t *)(&ip->ip_dst);
 2455 
 2456         p = buf;
 2457         snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
 2458         while (p && *p)
 2459                 p++;
 2460         snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
 2461                 s[0], s[1], s[2], s[3]);
 2462         while (p && *p)
 2463                 p++;
 2464         snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
 2465                 d[0], d[1], d[2], d[3]);
 2466         while (p && *p)
 2467                 p++;
 2468         snprintf(p, sizeof(buf) - (p - buf), ")");
 2469 
 2470         return buf;
 2471 }
 2472 
 2473 #ifdef INET6
 2474 const char *
 2475 ipsec6_logpacketstr(ip6, spi)
 2476         struct ip6_hdr *ip6;
 2477         u_int32_t spi;
 2478 {
 2479         static char buf[256];
 2480         char *p;
 2481 
 2482         p = buf;
 2483         snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
 2484         while (p && *p)
 2485                 p++;
 2486         snprintf(p, sizeof(buf) - (p - buf), "src=%s",
 2487                 ip6_sprintf(&ip6->ip6_src));
 2488         while (p && *p)
 2489                 p++;
 2490         snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
 2491                 ip6_sprintf(&ip6->ip6_dst));
 2492         while (p && *p)
 2493                 p++;
 2494         snprintf(p, sizeof(buf) - (p - buf), ")");
 2495 
 2496         return buf;
 2497 }
 2498 #endif /* INET6 */
 2499 
 2500 const char *
 2501 ipsec_logsastr(sav)
 2502         struct secasvar *sav;
 2503 {
 2504         static char buf[256];
 2505         char *p;
 2506         struct secasindex *saidx = &sav->sah->saidx;
 2507 
 2508         /* validity check */
 2509         if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
 2510                         != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
 2511                 panic("ipsec_logsastr: family mismatched.");
 2512 
 2513         p = buf;
 2514         snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
 2515         while (p && *p)
 2516                 p++;
 2517         if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
 2518                 u_int8_t *s, *d;
 2519                 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
 2520                 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
 2521                 snprintf(p, sizeof(buf) - (p - buf),
 2522                         "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
 2523                         s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
 2524         }
 2525 #ifdef INET6
 2526         else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
 2527                 snprintf(p, sizeof(buf) - (p - buf),
 2528                         "src=%s",
 2529                         ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
 2530                 while (p && *p)
 2531                         p++;
 2532                 snprintf(p, sizeof(buf) - (p - buf),
 2533                         " dst=%s",
 2534                         ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
 2535         }
 2536 #endif
 2537         while (p && *p)
 2538                 p++;
 2539         snprintf(p, sizeof(buf) - (p - buf), ")");
 2540 
 2541         return buf;
 2542 }
 2543 
 2544 void
 2545 ipsec_dumpmbuf(m)
 2546         struct mbuf *m;
 2547 {
 2548         int totlen;
 2549         int i;
 2550         u_char *p;
 2551 
 2552         totlen = 0;
 2553         printf("---\n");
 2554         while (m) {
 2555                 p = mtod(m, u_char *);
 2556                 for (i = 0; i < m->m_len; i++) {
 2557                         printf("%02x ", p[i]);
 2558                         totlen++;
 2559                         if (totlen % 16 == 0)
 2560                                 printf("\n");
 2561                 }
 2562                 m = m->m_next;
 2563         }
 2564         if (totlen % 16 != 0)
 2565                 printf("\n");
 2566         printf("---\n");
 2567 }
 2568 
 2569 #ifdef INET
 2570 static int
 2571 ipsec4_checksa(isr, state)
 2572         struct ipsecrequest *isr;
 2573         struct ipsec_output_state *state;
 2574 {
 2575         struct ip *ip;
 2576         struct secasindex saidx;
 2577         struct sockaddr_in *sin;
 2578 
 2579         /* make SA index for search proper SA */
 2580         ip = mtod(state->m, struct ip *);
 2581         bcopy(&isr->saidx, &saidx, sizeof(saidx));
 2582         saidx.mode = isr->saidx.mode;
 2583         saidx.reqid = isr->saidx.reqid;
 2584         sin = (struct sockaddr_in *)&saidx.src;
 2585         if (sin->sin_len == 0) {
 2586                 sin->sin_len = sizeof(*sin);
 2587                 sin->sin_family = AF_INET;
 2588                 sin->sin_port = IPSEC_PORT_ANY;
 2589                 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
 2590         }
 2591         sin = (struct sockaddr_in *)&saidx.dst;
 2592         if (sin->sin_len == 0) {
 2593                 sin->sin_len = sizeof(*sin);
 2594                 sin->sin_family = AF_INET;
 2595                 sin->sin_port = IPSEC_PORT_ANY;
 2596                 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
 2597         }
 2598 
 2599         return key_checkrequest(isr, &saidx);
 2600 }
 2601 /*
 2602  * IPsec output logic for IPv4.
 2603  */
 2604 int
 2605 ipsec4_output(state, sp, flags)
 2606         struct ipsec_output_state *state;
 2607         struct secpolicy *sp;
 2608         int flags;
 2609 {
 2610         struct ip *ip = NULL;
 2611         struct ipsecrequest *isr = NULL;
 2612         int s;
 2613         int error;
 2614         struct sockaddr_in *dst4;
 2615 
 2616         if (!state)
 2617                 panic("state == NULL in ipsec4_output");
 2618         if (!state->m)
 2619                 panic("state->m == NULL in ipsec4_output");
 2620         if (!state->ro)
 2621                 panic("state->ro == NULL in ipsec4_output");
 2622         if (!state->dst)
 2623                 panic("state->dst == NULL in ipsec4_output");
 2624         state->encap = 0;
 2625 
 2626         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 2627                 printf("ipsec4_output: applyed SP\n");
 2628                 kdebug_secpolicy(sp));
 2629 
 2630         for (isr = sp->req; isr != NULL; isr = isr->next) {
 2631 
 2632 #if 0   /* give up to check restriction of transport mode */
 2633         /* XXX but should be checked somewhere */
 2634                 /*
 2635                  * some of the IPsec operation must be performed only in
 2636                  * originating case.
 2637                  */
 2638                 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
 2639                  && (flags & IP_FORWARDING))
 2640                         continue;
 2641 #endif
 2642                 error = ipsec4_checksa(isr, state);
 2643                 if (error != 0) {
 2644                         /*
 2645                          * IPsec processing is required, but no SA found.
 2646                          * I assume that key_acquire() had been called
 2647                          * to get/establish the SA. Here I discard
 2648                          * this packet because it is responsibility for
 2649                          * upper layer to retransmit the packet.
 2650                          */
 2651                         ipsecstat.out_nosa++;
 2652                         goto bad;
 2653                 }
 2654 
 2655                 /* validity check */
 2656                 if (isr->sav == NULL) {
 2657                         switch (ipsec_get_reqlevel(isr, AF_INET)) {
 2658                         case IPSEC_LEVEL_USE:
 2659                                 continue;
 2660                         case IPSEC_LEVEL_REQUIRE:
 2661                                 /* must be not reached here. */
 2662                                 panic("ipsec4_output: no SA found, but required.");
 2663                         }
 2664                 }
 2665 
 2666                 /*
 2667                  * If there is no valid SA, we give up to process any
 2668                  * more.  In such a case, the SA's status is changed
 2669                  * from DYING to DEAD after allocating.  If a packet
 2670                  * send to the receiver by dead SA, the receiver can
 2671                  * not decode a packet because SA has been dead.
 2672                  */
 2673                 if (isr->sav->state != SADB_SASTATE_MATURE
 2674                  && isr->sav->state != SADB_SASTATE_DYING) {
 2675                         ipsecstat.out_nosa++;
 2676                         error = EINVAL;
 2677                         goto bad;
 2678                 }
 2679 
 2680                 /*
 2681                  * There may be the case that SA status will be changed when
 2682                  * we are refering to one. So calling splsoftnet().
 2683                  */
 2684                 s = splnet();
 2685 
 2686                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 2687                         /*
 2688                          * build IPsec tunnel.
 2689                          */
 2690                         /* XXX should be processed with other familiy */
 2691                         if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
 2692                                 ipseclog((LOG_ERR, "ipsec4_output: "
 2693                                     "family mismatched between inner and outer spi=%u\n",
 2694                                     (u_int32_t)ntohl(isr->sav->spi)));
 2695                                 splx(s);
 2696                                 error = EAFNOSUPPORT;
 2697                                 goto bad;
 2698                         }
 2699 
 2700                         state->m = ipsec4_splithdr(state->m);
 2701                         if (!state->m) {
 2702                                 splx(s);
 2703                                 error = ENOMEM;
 2704                                 goto bad;
 2705                         }
 2706                         error = ipsec4_encapsulate(state->m, isr->sav);
 2707                         splx(s);
 2708                         if (error) {
 2709                                 state->m = NULL;
 2710                                 goto bad;
 2711                         }
 2712                         ip = mtod(state->m, struct ip *);
 2713 
 2714                         state->ro = &isr->sav->sah->sa_route;
 2715                         state->dst = (struct sockaddr *)&state->ro->ro_dst;
 2716                         dst4 = (struct sockaddr_in *)state->dst;
 2717                         if (state->ro->ro_rt
 2718                          && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
 2719                           || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
 2720                                 RTFREE(state->ro->ro_rt);
 2721                                 state->ro->ro_rt = NULL;
 2722                         }
 2723                         if (state->ro->ro_rt == 0) {
 2724                                 dst4->sin_family = AF_INET;
 2725                                 dst4->sin_len = sizeof(*dst4);
 2726                                 dst4->sin_addr = ip->ip_dst;
 2727                                 rtalloc(state->ro);
 2728                         }
 2729                         if (state->ro->ro_rt == 0) {
 2730                                 ipstat.ips_noroute++;
 2731                                 error = EHOSTUNREACH;
 2732                                 goto bad;
 2733                         }
 2734 
 2735                         /* adjust state->dst if tunnel endpoint is offlink */
 2736                         if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
 2737                                 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
 2738                                 dst4 = (struct sockaddr_in *)state->dst;
 2739                         }
 2740 
 2741                         state->encap++;
 2742                 } else
 2743                         splx(s);
 2744 
 2745                 state->m = ipsec4_splithdr(state->m);
 2746                 if (!state->m) {
 2747                         error = ENOMEM;
 2748                         goto bad;
 2749                 }
 2750                 switch (isr->saidx.proto) {
 2751                 case IPPROTO_ESP:
 2752 #ifdef IPSEC_ESP
 2753                         if ((error = esp4_output(state->m, isr)) != 0) {
 2754                                 state->m = NULL;
 2755                                 goto bad;
 2756                         }
 2757                         break;
 2758 #else
 2759                         m_freem(state->m);
 2760                         state->m = NULL;
 2761                         error = EINVAL;
 2762                         goto bad;
 2763 #endif
 2764                 case IPPROTO_AH:
 2765                         if ((error = ah4_output(state->m, isr)) != 0) {
 2766                                 state->m = NULL;
 2767                                 goto bad;
 2768                         }
 2769                         break;
 2770                 case IPPROTO_IPCOMP:
 2771                         if ((error = ipcomp4_output(state->m, isr)) != 0) {
 2772                                 state->m = NULL;
 2773                                 goto bad;
 2774                         }
 2775                         break;
 2776                 default:
 2777                         ipseclog((LOG_ERR,
 2778                             "ipsec4_output: unknown ipsec protocol %d\n",
 2779                             isr->saidx.proto));
 2780                         m_freem(state->m);
 2781                         state->m = NULL;
 2782                         error = EINVAL;
 2783                         goto bad;
 2784                 }
 2785 
 2786                 if (state->m == 0) {
 2787                         error = ENOMEM;
 2788                         goto bad;
 2789                 }
 2790                 ip = mtod(state->m, struct ip *);
 2791         }
 2792 
 2793         return 0;
 2794 
 2795 bad:
 2796         m_freem(state->m);
 2797         state->m = NULL;
 2798         return error;
 2799 }
 2800 #endif
 2801 
 2802 #ifdef INET6
 2803 static int
 2804 ipsec6_checksa(isr, state, tunnel)
 2805         struct ipsecrequest *isr;
 2806         struct ipsec_output_state *state;
 2807         int tunnel;
 2808 {
 2809         struct ip6_hdr *ip6;
 2810         struct secasindex saidx;
 2811         struct sockaddr_in6 *sin6;
 2812 
 2813         if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 2814 #ifdef DIAGNOSTIC
 2815                 if (!tunnel)
 2816                         panic("ipsec6_checksa/inconsistent tunnel attribute");
 2817 #endif
 2818                 /* When tunnel mode, SA peers must be specified. */
 2819                 return key_checkrequest(isr, &isr->saidx);
 2820         }
 2821 
 2822         /* make SA index for search proper SA */
 2823         ip6 = mtod(state->m, struct ip6_hdr *);
 2824         if (tunnel) {
 2825                 bzero(&saidx, sizeof(saidx));
 2826                 saidx.proto = isr->saidx.proto;
 2827         } else
 2828                 bcopy(&isr->saidx, &saidx, sizeof(saidx));
 2829         saidx.mode = isr->saidx.mode;
 2830         saidx.reqid = isr->saidx.reqid;
 2831         sin6 = (struct sockaddr_in6 *)&saidx.src;
 2832         if (sin6->sin6_len == 0 || tunnel) {
 2833                 sin6->sin6_len = sizeof(*sin6);
 2834                 sin6->sin6_family = AF_INET6;
 2835                 sin6->sin6_port = IPSEC_PORT_ANY;
 2836                 in6_recoverscope(sin6, &ip6->ip6_src, NULL);
 2837         }
 2838         sin6 = (struct sockaddr_in6 *)&saidx.dst;
 2839         if (sin6->sin6_len == 0 || tunnel) {
 2840                 sin6->sin6_len = sizeof(*sin6);
 2841                 sin6->sin6_family = AF_INET6;
 2842                 sin6->sin6_port = IPSEC_PORT_ANY;
 2843                 in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
 2844         }
 2845 
 2846         return key_checkrequest(isr, &saidx);
 2847 }
 2848 
 2849 /*
 2850  * IPsec output logic for IPv6, transport mode.
 2851  */
 2852 int
 2853 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
 2854         struct ipsec_output_state *state;
 2855         u_char *nexthdrp;
 2856         struct mbuf *mprev;
 2857         struct secpolicy *sp;
 2858         int flags;
 2859         int *tun;
 2860 {
 2861         struct ip6_hdr *ip6;
 2862         struct ipsecrequest *isr = NULL;
 2863         int error = 0;
 2864         int plen;
 2865 
 2866         if (!state)
 2867                 panic("state == NULL in ipsec6_output_trans");
 2868         if (!state->m)
 2869                 panic("state->m == NULL in ipsec6_output_trans");
 2870         if (!nexthdrp)
 2871                 panic("nexthdrp == NULL in ipsec6_output_trans");
 2872         if (!mprev)
 2873                 panic("mprev == NULL in ipsec6_output_trans");
 2874         if (!sp)
 2875                 panic("sp == NULL in ipsec6_output_trans");
 2876         if (!tun)
 2877                 panic("tun == NULL in ipsec6_output_trans");
 2878 
 2879         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 2880                 printf("ipsec6_output_trans: applyed SP\n");
 2881                 kdebug_secpolicy(sp));
 2882 
 2883         *tun = 0;
 2884         for (isr = sp->req; isr; isr = isr->next) {
 2885                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 2886                         /* the rest will be handled by ipsec6_output_tunnel() */
 2887                         break;
 2888                 }
 2889 
 2890                 error = ipsec6_checksa(isr, state, 0);
 2891                 if (error == EIO)
 2892                         goto bad;
 2893                 if (error == ENOENT) {
 2894                         /*
 2895                          * IPsec processing is required, but no SA found.
 2896                          * I assume that key_acquire() had been called
 2897                          * to get/establish the SA. Here I discard
 2898                          * this packet because it is responsibility for
 2899                          * upper layer to retransmit the packet.
 2900                          */
 2901                         ipsec6stat.out_nosa++;
 2902 
 2903                         /*
 2904                          * Notify the fact that the packet is discarded
 2905                          * to ourselves. I believe this is better than
 2906                          * just silently discarding. (jinmei@kame.net)
 2907                          * XXX: should we restrict the error to TCP packets?
 2908                          * XXX: should we directly notify sockets via
 2909                          *      pfctlinputs?
 2910                          *
 2911                          * Noone have initialized rcvif until this point,
 2912                          * so clear it.
 2913                          */
 2914                         if ((state->m->m_flags & M_PKTHDR) != 0)
 2915                                 state->m->m_pkthdr.rcvif = NULL;
 2916                         icmp6_error(state->m, ICMP6_DST_UNREACH,
 2917                                     ICMP6_DST_UNREACH_ADMIN, 0);
 2918                         state->m = NULL; /* icmp6_error freed the mbuf */
 2919                         goto bad;
 2920                 }
 2921 
 2922                 /* validity check */
 2923                 if (isr->sav == NULL) {
 2924                         switch (ipsec_get_reqlevel(isr, AF_INET6)) {
 2925                         case IPSEC_LEVEL_USE:
 2926                                 continue;
 2927                         case IPSEC_LEVEL_REQUIRE:
 2928                                 /* must be not reached here. */
 2929                                 panic("ipsec6_output_trans: no SA found, but required.");
 2930                         }
 2931                 }
 2932 
 2933                 /*
 2934                  * If there is no valid SA, we give up to process.
 2935                  * see same place at ipsec4_output().
 2936                  */
 2937                 if (isr->sav->state != SADB_SASTATE_MATURE
 2938                  && isr->sav->state != SADB_SASTATE_DYING) {
 2939                         ipsec6stat.out_nosa++;
 2940                         error = EINVAL;
 2941                         goto bad;
 2942                 }
 2943 
 2944                 switch (isr->saidx.proto) {
 2945                 case IPPROTO_ESP:
 2946 #ifdef IPSEC_ESP
 2947                         error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
 2948 #else
 2949                         m_freem(state->m);
 2950                         error = EINVAL;
 2951 #endif
 2952                         break;
 2953                 case IPPROTO_AH:
 2954                         error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
 2955                         break;
 2956                 case IPPROTO_IPCOMP:
 2957                         error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
 2958                         break;
 2959                 default:
 2960                         ipseclog((LOG_ERR, "ipsec6_output_trans: "
 2961                             "unknown ipsec protocol %d\n", isr->saidx.proto));
 2962                         m_freem(state->m);
 2963                         ipsec6stat.out_inval++;
 2964                         error = EINVAL;
 2965                         break;
 2966                 }
 2967                 if (error) {
 2968                         state->m = NULL;
 2969                         goto bad;
 2970                 }
 2971                 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
 2972                 if (plen > IPV6_MAXPACKET) {
 2973                         ipseclog((LOG_ERR, "ipsec6_output_trans: "
 2974                             "IPsec with IPv6 jumbogram is not supported\n"));
 2975                         ipsec6stat.out_inval++;
 2976                         error = EINVAL; /* XXX */
 2977                         goto bad;
 2978                 }
 2979                 ip6 = mtod(state->m, struct ip6_hdr *);
 2980                 ip6->ip6_plen = htons(plen);
 2981         }
 2982 
 2983         /* if we have more to go, we need a tunnel mode processing */
 2984         if (isr != NULL)
 2985                 *tun = 1;
 2986 
 2987         return 0;
 2988 
 2989 bad:
 2990         m_freem(state->m);
 2991         state->m = NULL;
 2992         return error;
 2993 }
 2994 
 2995 /*
 2996  * IPsec output logic for IPv6, tunnel mode.
 2997  */
 2998 int
 2999 ipsec6_output_tunnel(state, sp, flags)
 3000         struct ipsec_output_state *state;
 3001         struct secpolicy *sp;
 3002         int flags;
 3003 {
 3004         struct ip6_hdr *ip6;
 3005         struct ipsecrequest *isr = NULL;
 3006         int error = 0;
 3007         int plen;
 3008         struct sockaddr_in6 *dst6;
 3009         int s;
 3010 
 3011         if (!state)
 3012                 panic("state == NULL in ipsec6_output_tunnel");
 3013         if (!state->m)
 3014                 panic("state->m == NULL in ipsec6_output_tunnel");
 3015         if (!sp)
 3016                 panic("sp == NULL in ipsec6_output_tunnel");
 3017 
 3018         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 3019                 printf("ipsec6_output_tunnel: applyed SP\n");
 3020                 kdebug_secpolicy(sp));
 3021 
 3022         /*
 3023          * transport mode ipsec (before the 1st tunnel mode) is already
 3024          * processed by ipsec6_output_trans().
 3025          */
 3026         for (isr = sp->req; isr; isr = isr->next) {
 3027                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
 3028                         break;
 3029         }
 3030 
 3031         for (/* already initialized */; isr; isr = isr->next) {
 3032                 error = ipsec6_checksa(isr, state, 1);
 3033                 if (error == EIO)
 3034                         goto bad;
 3035                 if (error == ENOENT) {
 3036                         /*
 3037                          * IPsec processing is required, but no SA found.
 3038                          * I assume that key_acquire() had been called
 3039                          * to get/establish the SA. Here I discard
 3040                          * this packet because it is responsibility for
 3041                          * upper layer to retransmit the packet.
 3042                          */
 3043                         ipsec6stat.out_nosa++;
 3044                         error = ENOENT;
 3045                         goto bad;
 3046                 }
 3047 
 3048                 /* validity check */
 3049                 if (isr->sav == NULL) {
 3050                         switch (ipsec_get_reqlevel(isr, AF_INET6)) {
 3051                         case IPSEC_LEVEL_USE:
 3052                                 continue;
 3053                         case IPSEC_LEVEL_REQUIRE:
 3054                                 /* must be not reached here. */
 3055                                 panic("ipsec6_output_tunnel: no SA found, but required.");
 3056                         }
 3057                 }
 3058 
 3059                 /*
 3060                  * If there is no valid SA, we give up to process.
 3061                  * see same place at ipsec4_output().
 3062                  */
 3063                 if (isr->sav->state != SADB_SASTATE_MATURE
 3064                  && isr->sav->state != SADB_SASTATE_DYING) {
 3065                         ipsec6stat.out_nosa++;
 3066                         error = EINVAL;
 3067                         goto bad;
 3068                 }
 3069 
 3070                 /*
 3071                  * There may be the case that SA status will be changed when
 3072                  * we are refering to one. So calling splsoftnet().
 3073                  */
 3074                 s = splnet();
 3075 
 3076                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 3077                         /*
 3078                          * build IPsec tunnel.
 3079                          */
 3080                         /* XXX should be processed with other familiy */
 3081                         if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
 3082                                 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
 3083                                     "family mismatched between inner and outer, spi=%u\n",
 3084                                     (u_int32_t)ntohl(isr->sav->spi)));
 3085                                 splx(s);
 3086                                 ipsec6stat.out_inval++;
 3087                                 error = EAFNOSUPPORT;
 3088                                 goto bad;
 3089                         }
 3090 
 3091                         state->m = ipsec6_splithdr(state->m);
 3092                         if (!state->m) {
 3093                                 splx(s);
 3094                                 ipsec6stat.out_nomem++;
 3095                                 error = ENOMEM;
 3096                                 goto bad;
 3097                         }
 3098                         error = ipsec6_encapsulate(state->m, isr->sav);
 3099                         splx(s);
 3100                         if (error) {
 3101                                 state->m = 0;
 3102                                 goto bad;
 3103                         }
 3104                         ip6 = mtod(state->m, struct ip6_hdr *);
 3105 
 3106                         state->ro = &isr->sav->sah->sa_route;
 3107                         state->dst = (struct sockaddr *)&state->ro->ro_dst;
 3108                         dst6 = (struct sockaddr_in6 *)state->dst;
 3109                         if (state->ro->ro_rt &&
 3110                             (!(state->ro->ro_rt->rt_flags & RTF_UP) ||
 3111                              !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr,
 3112                                                  &ip6->ip6_dst))) {
 3113                                 RTFREE(state->ro->ro_rt);
 3114                                 state->ro->ro_rt = NULL;
 3115                         }
 3116                         if (state->ro->ro_rt == 0) {
 3117                                 bzero(dst6, sizeof(*dst6));
 3118                                 dst6->sin6_family = AF_INET6;
 3119                                 dst6->sin6_len = sizeof(*dst6);
 3120                                 dst6->sin6_addr = ip6->ip6_dst;
 3121                                 rtalloc(state->ro);
 3122                         }
 3123                         if (state->ro->ro_rt == 0) {
 3124                                 ip6stat.ip6s_noroute++;
 3125                                 ipsec6stat.out_noroute++;
 3126                                 error = EHOSTUNREACH;
 3127                                 goto bad;
 3128                         }
 3129 
 3130                         /* adjust state->dst if tunnel endpoint is offlink */
 3131                         if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
 3132                                 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
 3133                                 dst6 = (struct sockaddr_in6 *)state->dst;
 3134                         }
 3135                 } else
 3136                         splx(s);
 3137 
 3138                 state->m = ipsec6_splithdr(state->m);
 3139                 if (!state->m) {
 3140                         ipsec6stat.out_nomem++;
 3141                         error = ENOMEM;
 3142                         goto bad;
 3143                 }
 3144                 ip6 = mtod(state->m, struct ip6_hdr *);
 3145                 switch (isr->saidx.proto) {
 3146                 case IPPROTO_ESP:
 3147 #ifdef IPSEC_ESP
 3148                         error = esp6_output(state->m, &ip6->ip6_nxt,
 3149                             state->m->m_next, isr);
 3150 #else
 3151                         m_freem(state->m);
 3152                         error = EINVAL;
 3153 #endif
 3154                         break;
 3155                 case IPPROTO_AH:
 3156                         error = ah6_output(state->m, &ip6->ip6_nxt,
 3157                             state->m->m_next, isr);
 3158                         break;
 3159                 case IPPROTO_IPCOMP:
 3160                         /* XXX code should be here */
 3161                         /* FALLTHROUGH */
 3162                 default:
 3163                         ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
 3164                             "unknown ipsec protocol %d\n", isr->saidx.proto));
 3165                         m_freem(state->m);
 3166                         ipsec6stat.out_inval++;
 3167                         error = EINVAL;
 3168                         break;
 3169                 }
 3170                 if (error) {
 3171                         state->m = NULL;
 3172                         goto bad;
 3173                 }
 3174                 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
 3175                 if (plen > IPV6_MAXPACKET) {
 3176                         ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
 3177                             "IPsec with IPv6 jumbogram is not supported\n"));
 3178                         ipsec6stat.out_inval++;
 3179                         error = EINVAL; /* XXX */
 3180                         goto bad;
 3181                 }
 3182                 ip6 = mtod(state->m, struct ip6_hdr *);
 3183                 ip6->ip6_plen = htons(plen);
 3184         }
 3185 
 3186         return 0;
 3187 
 3188 bad:
 3189         m_freem(state->m);
 3190         state->m = NULL;
 3191         return error;
 3192 }
 3193 #endif /* INET6 */
 3194 
 3195 #ifdef INET
 3196 /*
 3197  * Chop IP header and option off from the payload.
 3198  */
 3199 static struct mbuf *
 3200 ipsec4_splithdr(m)
 3201         struct mbuf *m;
 3202 {
 3203         struct mbuf *mh;
 3204         struct ip *ip;
 3205         int hlen;
 3206 
 3207         if (m->m_len < sizeof(struct ip))
 3208                 panic("ipsec4_splithdr: first mbuf too short");
 3209         ip = mtod(m, struct ip *);
 3210 #ifdef _IP_VHL
 3211         hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
 3212 #else
 3213         hlen = ip->ip_hl << 2;
 3214 #endif
 3215         if (m->m_len > hlen) {
 3216                 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
 3217                 if (!mh) {
 3218                         m_freem(m);
 3219                         return NULL;
 3220                 }
 3221                 M_MOVE_PKTHDR(mh, m);
 3222                 MH_ALIGN(mh, hlen);
 3223                 m->m_len -= hlen;
 3224                 m->m_data += hlen;
 3225                 mh->m_next = m;
 3226                 m = mh;
 3227                 m->m_len = hlen;
 3228                 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
 3229         } else if (m->m_len < hlen) {
 3230                 m = m_pullup(m, hlen);
 3231                 if (!m)
 3232                         return NULL;
 3233         }
 3234         return m;
 3235 }
 3236 #endif
 3237 
 3238 #ifdef INET6
 3239 static struct mbuf *
 3240 ipsec6_splithdr(m)
 3241         struct mbuf *m;
 3242 {
 3243         struct mbuf *mh;
 3244         struct ip6_hdr *ip6;
 3245         int hlen;
 3246 
 3247         if (m->m_len < sizeof(struct ip6_hdr))
 3248                 panic("ipsec6_splithdr: first mbuf too short");
 3249         ip6 = mtod(m, struct ip6_hdr *);
 3250         hlen = sizeof(struct ip6_hdr);
 3251         if (m->m_len > hlen) {
 3252                 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
 3253                 if (!mh) {
 3254                         m_freem(m);
 3255                         return NULL;
 3256                 }
 3257                 M_MOVE_PKTHDR(mh, m);
 3258                 MH_ALIGN(mh, hlen);
 3259                 m->m_len -= hlen;
 3260                 m->m_data += hlen;
 3261                 mh->m_next = m;
 3262                 m = mh;
 3263                 m->m_len = hlen;
 3264                 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
 3265         } else if (m->m_len < hlen) {
 3266                 m = m_pullup(m, hlen);
 3267                 if (!m)
 3268                         return NULL;
 3269         }
 3270         return m;
 3271 }
 3272 #endif
 3273 
 3274 /* validate inbound IPsec tunnel packet. */
 3275 int
 3276 ipsec4_tunnel_validate(m, off, nxt0, sav)
 3277         struct mbuf *m;         /* no pullup permitted, m->m_len >= ip */
 3278         int off;
 3279         u_int nxt0;
 3280         struct secasvar *sav;
 3281 {
 3282         u_int8_t nxt = nxt0 & 0xff;
 3283         struct sockaddr_in *sin;
 3284         struct sockaddr_in osrc, odst, isrc, idst;
 3285         int hlen;
 3286         struct secpolicy *sp;
 3287         struct ip *oip;
 3288 
 3289 #ifdef DIAGNOSTIC
 3290         if (m->m_len < sizeof(struct ip))
 3291                 panic("too short mbuf on ipsec4_tunnel_validate");
 3292 #endif
 3293         if (nxt != IPPROTO_IPV4)
 3294                 return 0;
 3295         if (m->m_pkthdr.len < off + sizeof(struct ip))
 3296                 return 0;
 3297         /* do not decapsulate if the SA is for transport mode only */
 3298         if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
 3299                 return 0;
 3300 
 3301         oip = mtod(m, struct ip *);
 3302         hlen = oip->ip_hl << 2;
 3303         if (hlen != sizeof(struct ip))
 3304                 return 0;
 3305 
 3306         /* AF_INET6 should be supported, but at this moment we don't. */
 3307         sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
 3308         if (sin->sin_family != AF_INET)
 3309                 return 0;
 3310         if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
 3311                 return 0;
 3312 
 3313         /* XXX slow */
 3314         bzero(&osrc, sizeof(osrc));
 3315         bzero(&odst, sizeof(odst));
 3316         bzero(&isrc, sizeof(isrc));
 3317         bzero(&idst, sizeof(idst));
 3318         osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
 3319             AF_INET;
 3320         osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
 3321             sizeof(struct sockaddr_in);
 3322         osrc.sin_addr = oip->ip_src;
 3323         odst.sin_addr = oip->ip_dst;
 3324         m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
 3325             (caddr_t)&isrc.sin_addr);
 3326         m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
 3327             (caddr_t)&idst.sin_addr);
 3328 
 3329         /*
 3330          * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
 3331          * - if the inner destination is multicast address, there can be
 3332          *   multiple permissible inner source address.  implementation
 3333          *   may want to skip verification of inner source address against
 3334          *   SPD selector.
 3335          * - if the inner protocol is ICMP, the packet may be an error report
 3336          *   from routers on the other side of the VPN cloud (R in the
 3337          *   following diagram).  in this case, we cannot verify inner source
 3338          *   address against SPD selector.
 3339          *      me -- gw === gw -- R -- you
 3340          *
 3341          * we consider the first bullet to be users responsibility on SPD entry
 3342          * configuration (if you need to encrypt multicast traffic, set
 3343          * the source range of SPD selector to 0.0.0.0/0, or have explicit
 3344          * address ranges for possible senders).
 3345          * the second bullet is not taken care of (yet).
 3346          *
 3347          * therefore, we do not do anything special about inner source.
 3348          */
 3349 
 3350         sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
 3351             (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
 3352         /*
 3353          * when there is no suitable inbound policy for the packet of the ipsec
 3354          * tunnel mode, the kernel never decapsulate the tunneled packet
 3355          * as the ipsec tunnel mode even when the system wide policy is "none".
 3356          * then the kernel leaves the generic tunnel module to process this
 3357          * packet.  if there is no rule of the generic tunnel, the packet
 3358          * is rejected and the statistics will be counted up.
 3359          */
 3360         if (!sp)
 3361                 return 0;
 3362         key_freesp(sp);
 3363 
 3364         return 1;
 3365 }
 3366 
 3367 #ifdef INET6
 3368 /* validate inbound IPsec tunnel packet. */
 3369 int
 3370 ipsec6_tunnel_validate(m, off, nxt0, sav)
 3371         struct mbuf *m;         /* no pullup permitted, m->m_len >= ip */
 3372         int off;
 3373         u_int nxt0;
 3374         struct secasvar *sav;
 3375 {
 3376         u_int8_t nxt = nxt0 & 0xff;
 3377         struct sockaddr_in6 *sin6;
 3378         struct sockaddr_in6 osrc, odst, isrc, idst;
 3379         struct secpolicy *sp;
 3380         struct ip6_hdr *oip6;
 3381 
 3382 #ifdef DIAGNOSTIC
 3383         if (m->m_len < sizeof(struct ip6_hdr))
 3384                 panic("too short mbuf on ipsec6_tunnel_validate");
 3385 #endif
 3386         if (nxt != IPPROTO_IPV6)
 3387                 return 0;
 3388         if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
 3389                 return 0;
 3390         /* do not decapsulate if the SA is for transport mode only */
 3391         if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
 3392                 return 0;
 3393 
 3394         oip6 = mtod(m, struct ip6_hdr *);
 3395 
 3396         /* AF_INET should be supported, but at this moment we don't. */
 3397         sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
 3398         if (sin6->sin6_family != AF_INET6)
 3399                 return 0;
 3400         if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
 3401                 return 0;
 3402 
 3403         /* XXX slow */
 3404         bzero(&osrc, sizeof(osrc));
 3405         bzero(&odst, sizeof(odst));
 3406         bzero(&isrc, sizeof(isrc));
 3407         bzero(&idst, sizeof(idst));
 3408         osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
 3409             idst.sin6_family = AF_INET6;
 3410         osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len = 
 3411             sizeof(struct sockaddr_in6);
 3412         osrc.sin6_addr = oip6->ip6_src;
 3413         odst.sin6_addr = oip6->ip6_dst;
 3414         m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
 3415             sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
 3416         m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
 3417             sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
 3418 
 3419         /*
 3420          * regarding to inner source address validation, see a long comment
 3421          * in ipsec4_tunnel_validate.
 3422          */
 3423 
 3424         sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
 3425             (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
 3426         if (!sp)
 3427                 return 0;
 3428         key_freesp(sp);
 3429 
 3430         return 1;
 3431 }
 3432 #endif
 3433 
 3434 /*
 3435  * Make a mbuf chain for encryption.
 3436  * If the original mbuf chain contains a mbuf with a cluster,
 3437  * allocate a new cluster and copy the data to the new cluster.
 3438  * XXX: this hack is inefficient, but is necessary to handle cases
 3439  * of TCP retransmission...
 3440  */
 3441 struct mbuf *
 3442 ipsec_copypkt(m)
 3443         struct mbuf *m;
 3444 {
 3445         struct mbuf *n, **mpp, *mnew;
 3446 
 3447         for (n = m, mpp = &m; n; n = n->m_next) {
 3448                 if (n->m_flags & M_EXT) {
 3449                         /*
 3450                          * Make a copy only if there is more than one
 3451                          * references to the cluster.
 3452                          * XXX: is this approach effective?
 3453                          */
 3454                         if (!M_WRITABLE(n)) {
 3455                                 int remain, copied;
 3456                                 struct mbuf *mm;
 3457 
 3458                                 if (n->m_flags & M_PKTHDR) {
 3459                                         MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
 3460                                         if (mnew == NULL)
 3461                                                 goto fail;
 3462                                         M_MOVE_PKTHDR(mnew, n);
 3463                                 }
 3464                                 else {
 3465                                         MGET(mnew, M_DONTWAIT, MT_DATA);
 3466                                         if (mnew == NULL)
 3467                                                 goto fail;
 3468                                 }
 3469                                 mnew->m_len = 0;
 3470                                 mm = mnew;
 3471 
 3472                                 /*
 3473                                  * Copy data. If we don't have enough space to
 3474                                  * store the whole data, allocate a cluster
 3475                                  * or additional mbufs.
 3476                                  * XXX: we don't use m_copyback(), since the
 3477                                  * function does not use clusters and thus is
 3478                                  * inefficient.
 3479                                  */
 3480                                 remain = n->m_len;
 3481                                 copied = 0;
 3482                                 while (1) {
 3483                                         int len;
 3484                                         struct mbuf *mn;
 3485 
 3486                                         if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
 3487                                                 len = remain;
 3488                                         else { /* allocate a cluster */
 3489                                                 MCLGET(mm, M_DONTWAIT);
 3490                                                 if (!(mm->m_flags & M_EXT)) {
 3491                                                         m_free(mm);
 3492                                                         goto fail;
 3493                                                 }
 3494                                                 len = remain < MCLBYTES ?
 3495                                                         remain : MCLBYTES;
 3496                                         }
 3497 
 3498                                         bcopy(n->m_data + copied, mm->m_data,
 3499                                               len);
 3500 
 3501                                         copied += len;
 3502                                         remain -= len;
 3503                                         mm->m_len = len;
 3504 
 3505                                         if (remain <= 0) /* completed? */
 3506                                                 break;
 3507 
 3508                                         /* need another mbuf */
 3509                                         MGETHDR(mn, M_DONTWAIT, MT_HEADER);
 3510                                         if (mn == NULL)
 3511                                                 goto fail;
 3512                                         mn->m_pkthdr.rcvif = NULL;
 3513                                         mm->m_next = mn;
 3514                                         mm = mn;
 3515                                 }
 3516 
 3517                                 /* adjust chain */
 3518                                 mm->m_next = m_free(n);
 3519                                 n = mm;
 3520                                 *mpp = mnew;
 3521                                 mpp = &n->m_next;
 3522 
 3523                                 continue;
 3524                         }
 3525                 }
 3526                 *mpp = n;
 3527                 mpp = &n->m_next;
 3528         }
 3529 
 3530         return (m);
 3531   fail:
 3532         m_freem(m);
 3533         return (NULL);
 3534 }
 3535 
 3536 static struct ipsecaux *
 3537 ipsec_addaux(m)
 3538         struct mbuf *m;
 3539 {
 3540         struct m_tag *mtag;
 3541 
 3542         mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
 3543         if (mtag == NULL) {
 3544                 mtag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
 3545                     sizeof(struct ipsecaux), M_NOWAIT);
 3546                 if (mtag != NULL)
 3547                         m_tag_prepend(m, mtag);
 3548         }
 3549         if (mtag == NULL)
 3550                 return NULL;    /* ENOBUFS */
 3551         /* XXX is this necessary? */
 3552         bzero((void *)(mtag + 1), sizeof(struct ipsecaux));
 3553         return mtag ? (struct ipsecaux *)(mtag + 1) : NULL;
 3554 }
 3555 
 3556 static struct ipsecaux *
 3557 ipsec_findaux(m)
 3558         struct mbuf *m;
 3559 {
 3560         struct m_tag *mtag;
 3561 
 3562         mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
 3563         return mtag ? (struct ipsecaux *)(mtag + 1) : NULL;
 3564 }
 3565 
 3566 void
 3567 ipsec_delaux(m)
 3568         struct mbuf *m;
 3569 {
 3570         struct m_tag *mtag;
 3571 
 3572         mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
 3573         if (mtag != NULL)
 3574                 m_tag_delete(m, mtag);
 3575 }
 3576 
 3577 /* if the aux buffer is unnecessary, nuke it. */
 3578 static void
 3579 ipsec_optaux(m, aux)
 3580         struct mbuf *m;
 3581         struct ipsecaux *aux;
 3582 {
 3583 
 3584         if (aux == NULL)
 3585                 return;
 3586         ipsec_delaux(m);
 3587 }
 3588 
 3589 int
 3590 ipsec_addhist(m, proto, spi)
 3591         struct mbuf *m;
 3592         int proto;
 3593         u_int32_t spi;
 3594 {
 3595         struct ipsecaux *aux;
 3596 
 3597         aux = ipsec_addaux(m);
 3598         if (aux == NULL)
 3599                 return ENOBUFS;
 3600         aux->hdrs++;
 3601         return 0;
 3602 }
 3603 
 3604 int
 3605 ipsec_getnhist(m)
 3606         struct mbuf *m;
 3607 {
 3608         struct ipsecaux *aux;
 3609 
 3610         aux = ipsec_findaux(m);
 3611         if (aux == NULL)
 3612                 return 0;
 3613         return aux->hdrs;
 3614 }
 3615 
 3616 void
 3617 ipsec_clearhist(m)
 3618         struct mbuf *m;
 3619 {
 3620         struct ipsecaux *aux;
 3621 
 3622         aux = ipsec_findaux(m);
 3623         ipsec_optaux(m, aux);
 3624 }

Cache object: 10a068bcdb70c861d5b6dc126556473a


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.